0910745bd01af359946bf17db619b615d00eaa9bf70d952151662e814b0b9a48

Analysis

max time kernel
144s
max time network
119s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
16-06-2024 12:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-16_7ca0161aca2ca34ff0309b7161b36f19_goldeneye.exe
Size

204KB
MD5

7ca0161aca2ca34ff0309b7161b36f19
SHA1

a5c0bccd468bf3c5374148a8f2daace8a9617bf8
SHA256

0910745bd01af359946bf17db619b615d00eaa9bf70d952151662e814b0b9a48
SHA512

3ff6fdff816ddd958834cffbadbf5a9fc3f95a4f9e4b2b5f2ca8f3424fd013b24bed92e3a577a32d24069e11202e69a500ea5c45dc3d3e8eae95e742a6e298ac
SSDEEP

1536:1EGh0oAl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oAl1OPOe2MUVg3Ve+rXfMUy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000a000000014f57-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0034000000015662-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b000000014f57-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00340000000158d9-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000014f57-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000014f57-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e000000014f57-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A67CDEB5-F280-4190-AB6D-1ABD7E909AEC}\stubpath = "C:\\Windows\\{A67CDEB5-F280-4190-AB6D-1ABD7E909AEC}.exe"	{41403F5D-4CE9-4e91-BB79-21C39CDFF8E4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C70997AD-E440-41f9-B0D2-4F7D43AF481E}\stubpath = "C:\\Windows\\{C70997AD-E440-41f9-B0D2-4F7D43AF481E}.exe"	{F8993661-E794-4cba-9A2A-43ED6C902857}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0E449432-FD46-4d9a-8932-68898FA74C03}	{3702E756-8F18-4525-9A8D-DA0725610CC9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0E449432-FD46-4d9a-8932-68898FA74C03}\stubpath = "C:\\Windows\\{0E449432-FD46-4d9a-8932-68898FA74C03}.exe"	{3702E756-8F18-4525-9A8D-DA0725610CC9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B1BB87FD-E834-4615-ACC5-AC468F0EF74F}\stubpath = "C:\\Windows\\{B1BB87FD-E834-4615-ACC5-AC468F0EF74F}.exe"	{0E449432-FD46-4d9a-8932-68898FA74C03}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3702E756-8F18-4525-9A8D-DA0725610CC9}	{A3EDEFF1-5C6D-4d50-B3F4-A3660525B648}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{41403F5D-4CE9-4e91-BB79-21C39CDFF8E4}\stubpath = "C:\\Windows\\{41403F5D-4CE9-4e91-BB79-21C39CDFF8E4}.exe"	2024-06-16_7ca0161aca2ca34ff0309b7161b36f19_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1351C9C8-393D-4d21-A897-1F5D2097FA1C}\stubpath = "C:\\Windows\\{1351C9C8-393D-4d21-A897-1F5D2097FA1C}.exe"	{9A27A879-878E-4403-8A95-BDDB40D01FFD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{45851560-5262-4ccf-B470-B92554B07702}	{1351C9C8-393D-4d21-A897-1F5D2097FA1C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{45851560-5262-4ccf-B470-B92554B07702}\stubpath = "C:\\Windows\\{45851560-5262-4ccf-B470-B92554B07702}.exe"	{1351C9C8-393D-4d21-A897-1F5D2097FA1C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A3EDEFF1-5C6D-4d50-B3F4-A3660525B648}	{45851560-5262-4ccf-B470-B92554B07702}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A3EDEFF1-5C6D-4d50-B3F4-A3660525B648}\stubpath = "C:\\Windows\\{A3EDEFF1-5C6D-4d50-B3F4-A3660525B648}.exe"	{45851560-5262-4ccf-B470-B92554B07702}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{41403F5D-4CE9-4e91-BB79-21C39CDFF8E4}	2024-06-16_7ca0161aca2ca34ff0309b7161b36f19_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F8993661-E794-4cba-9A2A-43ED6C902857}\stubpath = "C:\\Windows\\{F8993661-E794-4cba-9A2A-43ED6C902857}.exe"	{A67CDEB5-F280-4190-AB6D-1ABD7E909AEC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C70997AD-E440-41f9-B0D2-4F7D43AF481E}	{F8993661-E794-4cba-9A2A-43ED6C902857}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3702E756-8F18-4525-9A8D-DA0725610CC9}\stubpath = "C:\\Windows\\{3702E756-8F18-4525-9A8D-DA0725610CC9}.exe"	{A3EDEFF1-5C6D-4d50-B3F4-A3660525B648}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B1BB87FD-E834-4615-ACC5-AC468F0EF74F}	{0E449432-FD46-4d9a-8932-68898FA74C03}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A67CDEB5-F280-4190-AB6D-1ABD7E909AEC}	{41403F5D-4CE9-4e91-BB79-21C39CDFF8E4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F8993661-E794-4cba-9A2A-43ED6C902857}	{A67CDEB5-F280-4190-AB6D-1ABD7E909AEC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9A27A879-878E-4403-8A95-BDDB40D01FFD}	{C70997AD-E440-41f9-B0D2-4F7D43AF481E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9A27A879-878E-4403-8A95-BDDB40D01FFD}\stubpath = "C:\\Windows\\{9A27A879-878E-4403-8A95-BDDB40D01FFD}.exe"	{C70997AD-E440-41f9-B0D2-4F7D43AF481E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1351C9C8-393D-4d21-A897-1F5D2097FA1C}	{9A27A879-878E-4403-8A95-BDDB40D01FFD}.exe

Deletes itself 1 IoCs

pid	Process
1988	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2740	{41403F5D-4CE9-4e91-BB79-21C39CDFF8E4}.exe
2536	{A67CDEB5-F280-4190-AB6D-1ABD7E909AEC}.exe
2416	{F8993661-E794-4cba-9A2A-43ED6C902857}.exe
1556	{C70997AD-E440-41f9-B0D2-4F7D43AF481E}.exe
2640	{9A27A879-878E-4403-8A95-BDDB40D01FFD}.exe
400	{1351C9C8-393D-4d21-A897-1F5D2097FA1C}.exe
1588	{45851560-5262-4ccf-B470-B92554B07702}.exe
2600	{A3EDEFF1-5C6D-4d50-B3F4-A3660525B648}.exe
2760	{3702E756-8F18-4525-9A8D-DA0725610CC9}.exe
2200	{0E449432-FD46-4d9a-8932-68898FA74C03}.exe
1404	{B1BB87FD-E834-4615-ACC5-AC468F0EF74F}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{3702E756-8F18-4525-9A8D-DA0725610CC9}.exe	{A3EDEFF1-5C6D-4d50-B3F4-A3660525B648}.exe
File created	C:\Windows\{0E449432-FD46-4d9a-8932-68898FA74C03}.exe	{3702E756-8F18-4525-9A8D-DA0725610CC9}.exe
File created	C:\Windows\{B1BB87FD-E834-4615-ACC5-AC468F0EF74F}.exe	{0E449432-FD46-4d9a-8932-68898FA74C03}.exe
File created	C:\Windows\{41403F5D-4CE9-4e91-BB79-21C39CDFF8E4}.exe	2024-06-16_7ca0161aca2ca34ff0309b7161b36f19_goldeneye.exe
File created	C:\Windows\{45851560-5262-4ccf-B470-B92554B07702}.exe	{1351C9C8-393D-4d21-A897-1F5D2097FA1C}.exe
File created	C:\Windows\{A3EDEFF1-5C6D-4d50-B3F4-A3660525B648}.exe	{45851560-5262-4ccf-B470-B92554B07702}.exe
File created	C:\Windows\{9A27A879-878E-4403-8A95-BDDB40D01FFD}.exe	{C70997AD-E440-41f9-B0D2-4F7D43AF481E}.exe
File created	C:\Windows\{1351C9C8-393D-4d21-A897-1F5D2097FA1C}.exe	{9A27A879-878E-4403-8A95-BDDB40D01FFD}.exe
File created	C:\Windows\{A67CDEB5-F280-4190-AB6D-1ABD7E909AEC}.exe	{41403F5D-4CE9-4e91-BB79-21C39CDFF8E4}.exe
File created	C:\Windows\{F8993661-E794-4cba-9A2A-43ED6C902857}.exe	{A67CDEB5-F280-4190-AB6D-1ABD7E909AEC}.exe
File created	C:\Windows\{C70997AD-E440-41f9-B0D2-4F7D43AF481E}.exe	{F8993661-E794-4cba-9A2A-43ED6C902857}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2904	2024-06-16_7ca0161aca2ca34ff0309b7161b36f19_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2740	{41403F5D-4CE9-4e91-BB79-21C39CDFF8E4}.exe
Token: SeIncBasePriorityPrivilege	2536	{A67CDEB5-F280-4190-AB6D-1ABD7E909AEC}.exe
Token: SeIncBasePriorityPrivilege	2416	{F8993661-E794-4cba-9A2A-43ED6C902857}.exe
Token: SeIncBasePriorityPrivilege	1556	{C70997AD-E440-41f9-B0D2-4F7D43AF481E}.exe
Token: SeIncBasePriorityPrivilege	2640	{9A27A879-878E-4403-8A95-BDDB40D01FFD}.exe
Token: SeIncBasePriorityPrivilege	400	{1351C9C8-393D-4d21-A897-1F5D2097FA1C}.exe
Token: SeIncBasePriorityPrivilege	1588	{45851560-5262-4ccf-B470-B92554B07702}.exe
Token: SeIncBasePriorityPrivilege	2600	{A3EDEFF1-5C6D-4d50-B3F4-A3660525B648}.exe
Token: SeIncBasePriorityPrivilege	2760	{3702E756-8F18-4525-9A8D-DA0725610CC9}.exe
Token: SeIncBasePriorityPrivilege	2200	{0E449432-FD46-4d9a-8932-68898FA74C03}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2904 wrote to memory of 2740	2904	2024-06-16_7ca0161aca2ca34ff0309b7161b36f19_goldeneye.exe	28
PID 2904 wrote to memory of 2740	2904	2024-06-16_7ca0161aca2ca34ff0309b7161b36f19_goldeneye.exe	28
PID 2904 wrote to memory of 2740	2904	2024-06-16_7ca0161aca2ca34ff0309b7161b36f19_goldeneye.exe	28
PID 2904 wrote to memory of 2740	2904	2024-06-16_7ca0161aca2ca34ff0309b7161b36f19_goldeneye.exe	28
PID 2904 wrote to memory of 1988	2904	2024-06-16_7ca0161aca2ca34ff0309b7161b36f19_goldeneye.exe	29
PID 2904 wrote to memory of 1988	2904	2024-06-16_7ca0161aca2ca34ff0309b7161b36f19_goldeneye.exe	29
PID 2904 wrote to memory of 1988	2904	2024-06-16_7ca0161aca2ca34ff0309b7161b36f19_goldeneye.exe	29
PID 2904 wrote to memory of 1988	2904	2024-06-16_7ca0161aca2ca34ff0309b7161b36f19_goldeneye.exe	29
PID 2740 wrote to memory of 2536	2740	{41403F5D-4CE9-4e91-BB79-21C39CDFF8E4}.exe	30
PID 2740 wrote to memory of 2536	2740	{41403F5D-4CE9-4e91-BB79-21C39CDFF8E4}.exe	30
PID 2740 wrote to memory of 2536	2740	{41403F5D-4CE9-4e91-BB79-21C39CDFF8E4}.exe	30
PID 2740 wrote to memory of 2536	2740	{41403F5D-4CE9-4e91-BB79-21C39CDFF8E4}.exe	30
PID 2740 wrote to memory of 2960	2740	{41403F5D-4CE9-4e91-BB79-21C39CDFF8E4}.exe	31
PID 2740 wrote to memory of 2960	2740	{41403F5D-4CE9-4e91-BB79-21C39CDFF8E4}.exe	31
PID 2740 wrote to memory of 2960	2740	{41403F5D-4CE9-4e91-BB79-21C39CDFF8E4}.exe	31
PID 2740 wrote to memory of 2960	2740	{41403F5D-4CE9-4e91-BB79-21C39CDFF8E4}.exe	31
PID 2536 wrote to memory of 2416	2536	{A67CDEB5-F280-4190-AB6D-1ABD7E909AEC}.exe	32
PID 2536 wrote to memory of 2416	2536	{A67CDEB5-F280-4190-AB6D-1ABD7E909AEC}.exe	32
PID 2536 wrote to memory of 2416	2536	{A67CDEB5-F280-4190-AB6D-1ABD7E909AEC}.exe	32
PID 2536 wrote to memory of 2416	2536	{A67CDEB5-F280-4190-AB6D-1ABD7E909AEC}.exe	32
PID 2536 wrote to memory of 2564	2536	{A67CDEB5-F280-4190-AB6D-1ABD7E909AEC}.exe	33
PID 2536 wrote to memory of 2564	2536	{A67CDEB5-F280-4190-AB6D-1ABD7E909AEC}.exe	33
PID 2536 wrote to memory of 2564	2536	{A67CDEB5-F280-4190-AB6D-1ABD7E909AEC}.exe	33
PID 2536 wrote to memory of 2564	2536	{A67CDEB5-F280-4190-AB6D-1ABD7E909AEC}.exe	33
PID 2416 wrote to memory of 1556	2416	{F8993661-E794-4cba-9A2A-43ED6C902857}.exe	36
PID 2416 wrote to memory of 1556	2416	{F8993661-E794-4cba-9A2A-43ED6C902857}.exe	36
PID 2416 wrote to memory of 1556	2416	{F8993661-E794-4cba-9A2A-43ED6C902857}.exe	36
PID 2416 wrote to memory of 1556	2416	{F8993661-E794-4cba-9A2A-43ED6C902857}.exe	36
PID 2416 wrote to memory of 1508	2416	{F8993661-E794-4cba-9A2A-43ED6C902857}.exe	37
PID 2416 wrote to memory of 1508	2416	{F8993661-E794-4cba-9A2A-43ED6C902857}.exe	37
PID 2416 wrote to memory of 1508	2416	{F8993661-E794-4cba-9A2A-43ED6C902857}.exe	37
PID 2416 wrote to memory of 1508	2416	{F8993661-E794-4cba-9A2A-43ED6C902857}.exe	37
PID 1556 wrote to memory of 2640	1556	{C70997AD-E440-41f9-B0D2-4F7D43AF481E}.exe	38
PID 1556 wrote to memory of 2640	1556	{C70997AD-E440-41f9-B0D2-4F7D43AF481E}.exe	38
PID 1556 wrote to memory of 2640	1556	{C70997AD-E440-41f9-B0D2-4F7D43AF481E}.exe	38
PID 1556 wrote to memory of 2640	1556	{C70997AD-E440-41f9-B0D2-4F7D43AF481E}.exe	38
PID 1556 wrote to memory of 2620	1556	{C70997AD-E440-41f9-B0D2-4F7D43AF481E}.exe	39
PID 1556 wrote to memory of 2620	1556	{C70997AD-E440-41f9-B0D2-4F7D43AF481E}.exe	39
PID 1556 wrote to memory of 2620	1556	{C70997AD-E440-41f9-B0D2-4F7D43AF481E}.exe	39
PID 1556 wrote to memory of 2620	1556	{C70997AD-E440-41f9-B0D2-4F7D43AF481E}.exe	39
PID 2640 wrote to memory of 400	2640	{9A27A879-878E-4403-8A95-BDDB40D01FFD}.exe	40
PID 2640 wrote to memory of 400	2640	{9A27A879-878E-4403-8A95-BDDB40D01FFD}.exe	40
PID 2640 wrote to memory of 400	2640	{9A27A879-878E-4403-8A95-BDDB40D01FFD}.exe	40
PID 2640 wrote to memory of 400	2640	{9A27A879-878E-4403-8A95-BDDB40D01FFD}.exe	40
PID 2640 wrote to memory of 1904	2640	{9A27A879-878E-4403-8A95-BDDB40D01FFD}.exe	41
PID 2640 wrote to memory of 1904	2640	{9A27A879-878E-4403-8A95-BDDB40D01FFD}.exe	41
PID 2640 wrote to memory of 1904	2640	{9A27A879-878E-4403-8A95-BDDB40D01FFD}.exe	41
PID 2640 wrote to memory of 1904	2640	{9A27A879-878E-4403-8A95-BDDB40D01FFD}.exe	41
PID 400 wrote to memory of 1588	400	{1351C9C8-393D-4d21-A897-1F5D2097FA1C}.exe	42
PID 400 wrote to memory of 1588	400	{1351C9C8-393D-4d21-A897-1F5D2097FA1C}.exe	42
PID 400 wrote to memory of 1588	400	{1351C9C8-393D-4d21-A897-1F5D2097FA1C}.exe	42
PID 400 wrote to memory of 1588	400	{1351C9C8-393D-4d21-A897-1F5D2097FA1C}.exe	42
PID 400 wrote to memory of 2160	400	{1351C9C8-393D-4d21-A897-1F5D2097FA1C}.exe	43
PID 400 wrote to memory of 2160	400	{1351C9C8-393D-4d21-A897-1F5D2097FA1C}.exe	43
PID 400 wrote to memory of 2160	400	{1351C9C8-393D-4d21-A897-1F5D2097FA1C}.exe	43
PID 400 wrote to memory of 2160	400	{1351C9C8-393D-4d21-A897-1F5D2097FA1C}.exe	43
PID 1588 wrote to memory of 2600	1588	{45851560-5262-4ccf-B470-B92554B07702}.exe	44
PID 1588 wrote to memory of 2600	1588	{45851560-5262-4ccf-B470-B92554B07702}.exe	44
PID 1588 wrote to memory of 2600	1588	{45851560-5262-4ccf-B470-B92554B07702}.exe	44
PID 1588 wrote to memory of 2600	1588	{45851560-5262-4ccf-B470-B92554B07702}.exe	44
PID 1588 wrote to memory of 1456	1588	{45851560-5262-4ccf-B470-B92554B07702}.exe	45
PID 1588 wrote to memory of 1456	1588	{45851560-5262-4ccf-B470-B92554B07702}.exe	45
PID 1588 wrote to memory of 1456	1588	{45851560-5262-4ccf-B470-B92554B07702}.exe	45
PID 1588 wrote to memory of 1456	1588	{45851560-5262-4ccf-B470-B92554B07702}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-06-16_7ca0161aca2ca34ff0309b7161b36f19_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-16_7ca0161aca2ca34ff0309b7161b36f19_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2904
- C:\Windows\{41403F5D-4CE9-4e91-BB79-21C39CDFF8E4}.exe
  C:\Windows\{41403F5D-4CE9-4e91-BB79-21C39CDFF8E4}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2740
- - C:\Windows\{A67CDEB5-F280-4190-AB6D-1ABD7E909AEC}.exe
    C:\Windows\{A67CDEB5-F280-4190-AB6D-1ABD7E909AEC}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2536
  - - C:\Windows\{F8993661-E794-4cba-9A2A-43ED6C902857}.exe
      C:\Windows\{F8993661-E794-4cba-9A2A-43ED6C902857}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2416
    - - C:\Windows\{C70997AD-E440-41f9-B0D2-4F7D43AF481E}.exe
        
        C:\Windows\{C70997AD-E440-41f9-B0D2-4F7D43AF481E}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1556
      - C:\Windows\{9A27A879-878E-4403-8A95-BDDB40D01FFD}.exe
        
        C:\Windows\{9A27A879-878E-4403-8A95-BDDB40D01FFD}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2640
        
        C:\Windows\{1351C9C8-393D-4d21-A897-1F5D2097FA1C}.exe
        
        C:\Windows\{1351C9C8-393D-4d21-A897-1F5D2097FA1C}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:400
        
        C:\Windows\{45851560-5262-4ccf-B470-B92554B07702}.exe
        
        C:\Windows\{45851560-5262-4ccf-B470-B92554B07702}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1588
        
        C:\Windows\{A3EDEFF1-5C6D-4d50-B3F4-A3660525B648}.exe
        
        C:\Windows\{A3EDEFF1-5C6D-4d50-B3F4-A3660525B648}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2600
        
        C:\Windows\{3702E756-8F18-4525-9A8D-DA0725610CC9}.exe
        
        C:\Windows\{3702E756-8F18-4525-9A8D-DA0725610CC9}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2760
        
        C:\Windows\{0E449432-FD46-4d9a-8932-68898FA74C03}.exe
        
        C:\Windows\{0E449432-FD46-4d9a-8932-68898FA74C03}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2200
        
        C:\Windows\{B1BB87FD-E834-4615-ACC5-AC468F0EF74F}.exe
        
        C:\Windows\{B1BB87FD-E834-4615-ACC5-AC468F0EF74F}.exe
        12⤵
        Executes dropped EXE
        
        PID:1404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0E449~1.EXE > nul
        12⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3702E~1.EXE > nul
        11⤵
        
        PID:592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A3EDE~1.EXE > nul
        10⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{45851~1.EXE > nul
        9⤵
        
        PID:1456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1351C~1.EXE > nul
        8⤵
        
        PID:2160
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9A27A~1.EXE > nul
        7⤵
        
        PID:1904
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C7099~1.EXE > nul
        6⤵
        
        PID:2620
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F8993~1.EXE > nul
        5⤵
        
        PID:1508
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{A67CD~1.EXE > nul
      4⤵
      PID:2564
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{41403~1.EXE > nul
    3⤵
    PID:2960
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:1988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0E449432-FD46-4d9a-8932-68898FA74C03}.exe

Filesize
204KB

MD5
f1cd97d7f0abb01a645acd32bb4d79d2

SHA1
77b411fd16b2840cbf06b8024ed171534dcf65b7

SHA256
7078c73a69ed0743e4ae7052d77ab5362a858875d84cd09477bc7da2a9c7f1f4

SHA512
fd37234f197c673bbcf1a082dc932bc9b9461df890bb904d1d28eb81862b411796924d4b1482e0fc39b343db38d0cab11f22bdbc111e17264d7f327c060bf5d5

Download Submit
C:\Windows\{1351C9C8-393D-4d21-A897-1F5D2097FA1C}.exe

Filesize
204KB

MD5
e73ed90735c1cd44d2c2dc9f607dbd2c

SHA1
3eb6d70a78aa2c0c75068687af69d867519a22f9

SHA256
2e17985647ced83bb12d3b0ad971ffddafe604e9b482f75a92d6d49a2153b5f4

SHA512
a7920202f9930c92139a02887bd8f51cca70bc5af61f47752a5ec41195c7ba2250351154f2bfed823d4ae0044c3b0e2f0ed1ac9d9849e292267a923a19e90868

Download Submit
C:\Windows\{3702E756-8F18-4525-9A8D-DA0725610CC9}.exe

Filesize
204KB

MD5
ecb17f18a558a01bdefb09b26f1df7a6

SHA1
1d34c5d695a7b661b4a02ba628c5c1ced50ad1c2

SHA256
c602a3b836301877f4d061a87753e6280a9a1b8ed5d9c3177bc8d8bf1430aaa5

SHA512
aa1f4709ecb40bef0d2c2384a84c0225224c769aad37dcbc204cebdcaaa2bfe86e7bfa467b2e43b3973cefd1de93587a74e76600dec782dff43052f1bd8b349d

Download Submit
C:\Windows\{41403F5D-4CE9-4e91-BB79-21C39CDFF8E4}.exe

Filesize
204KB

MD5
ec2836159ba53d9d0ac68e8fd7e69e81

SHA1
ec9a4fcf1e78e2911ec7319fd1398e85fc309394

SHA256
fbc7c473e362af26874635357aea14d002e1e9c79edee14566aed361709fef1e

SHA512
4ef4f39a57590f2ccaac8b38de3ce4b06f6a5851d3acdbc814f490d67ef4c81606e9c6317fceaff85e2d6d3e98dfb8ae2210f66a9b377a08d713b89dbf3480a1

Download Submit
C:\Windows\{45851560-5262-4ccf-B470-B92554B07702}.exe

Filesize
204KB

MD5
7884bdffca14562a63771cfdc5463b8e

SHA1
d81612341b3b4c8ca9be511cddcbc5a900daaee2

SHA256
7b81dd09d771d051d5d269d826a3b6dbeca78af56365376cf63c33d28a8d12cb

SHA512
b8b2ba34284c52b1bc4343cb8404b2a0ecb5bc909615c58c5f1010a6dbedb1388f495e4fe76748558b8b540e2784fcdbddb540707c4df170b65c3f3d895579ea

Download Submit
C:\Windows\{9A27A879-878E-4403-8A95-BDDB40D01FFD}.exe

Filesize
204KB

MD5
d9369a89b229b1ca83e88d22a4bbc0ad

SHA1
071aec66a78dc9ceb5ee201796386727ddb6cae4

SHA256
8a896f4968ba4faa1f0086091f9aac126798492f91d3e114d3bbb505c0f3d84e

SHA512
d686411e3e3584b4ec14cdf111a02edb66c0d42a010e8c544f6c6f3c5c1f61e063428022eafa490edf3b5666bf652a953b216dca5c687bbd4954c99dda43ca52

Download Submit
C:\Windows\{A3EDEFF1-5C6D-4d50-B3F4-A3660525B648}.exe

Filesize
204KB

MD5
63a563c2dd059c13f74fe3ac696f5c98

SHA1
487f6abd509939011fdf99d8ae7a54f6f807f10a

SHA256
fa48fdef65ceca4b23547ebcaed57f5d7a1b6d1769fda431b758b95c816a879d

SHA512
24237b3e0731bbe418d7604e1e34c61b6e7ada8e090a9b99a8e23bf0881f0e9ff5271df34028206369a0758c3f71a8d04264c476392d3adf68f4b4691aadb239

Download Submit
C:\Windows\{A67CDEB5-F280-4190-AB6D-1ABD7E909AEC}.exe

Filesize
204KB

MD5
dc7b8cfce7fbfbcfac246580817338c0

SHA1
b2adc8207a3726858311fb37bad7a54938e8df03

SHA256
32f28dce1df7c0c35619cb928634cd5e78c9848ea6c415f59389aa56328d5ad7

SHA512
3f072097b1514783299894a0ad617b6f3310d41fa383cb9737932b15ef71c5d045332875b7e8528192fb4e2edb90f2dd2445a3ebe18a4e2101a51bb8a8f7764c

Download Submit
C:\Windows\{B1BB87FD-E834-4615-ACC5-AC468F0EF74F}.exe

Filesize
204KB

MD5
e31f4ad5cb014792ba81102d395d8ced

SHA1
ba11ee34bbe591b1b20edfd2f628c074c22c6f7a

SHA256
10015b0944cb04e79b698ce9bc907e60421a7e01ee3b19171e36a3eafbcc423e

SHA512
4ca4ed0204c29d09f291aeaa90b32f3e26143a321a59fcb37d54acaa8595e92173e1eda4ab95304a0f1be42eabd1f06cdc5603a942a05ca04d611e3bd837e5ad

Download Submit
C:\Windows\{C70997AD-E440-41f9-B0D2-4F7D43AF481E}.exe

Filesize
204KB

MD5
89ead88de67a424dddd1f7fbdb19159a

SHA1
a765c5b734d6548dd47889e9e9356d56c4c382a1

SHA256
844345928567aa78b0bddb9ce0c4b1be0ee2aa3404331f7aab3ae56cd1765397

SHA512
aa19cfd82381dbab37e1c247eee6d38ec96d554696c4b422ec2febd9706b71220a0e31045c9610e880dbf1ada85c84b0ea126fb978dde8e2d1e84fc5e983c8ba

Download Submit
C:\Windows\{F8993661-E794-4cba-9A2A-43ED6C902857}.exe

Filesize
204KB

MD5
5161963981ccb1d89b9ad844a5878337

SHA1
0cf60a2f38c7a309d4967df58c574c289071c9c9

SHA256
78b2726f4b0ca0e6b86e6229789c88a063ac5f750757d6033ec0ad8498f14ebf

SHA512
b7b1d95c68149873de71ea9aa6199d1b33bf56880a9c215366bdddc1847c68764fffa96b130c7322a88bbbabd7e6b0568062c3109c6ec4d2e8b7605022fd6104

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads