65e660aed041b047967a7f7080d604850ce9391563b3653e4622ead92e5d1d8f

Analysis

max time kernel
144s
max time network
127s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
18/01/2024, 22:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-18_11f2e05270591fb8a0ace3bcbdc751a0_goldeneye.exe
Size

372KB
MD5

11f2e05270591fb8a0ace3bcbdc751a0
SHA1

eab4bb9ca4110833fd1d7309637dcd9c49834fe2
SHA256

65e660aed041b047967a7f7080d604850ce9391563b3653e4622ead92e5d1d8f
SHA512

9d18c84493f6971e27f9b209fa46fd5685c4253befbae476ffb3ae741e166cb11aa812055525af69d5750a6dd6aa8cbba300bc7e94e13b022c888a455f7bbc5f
SSDEEP

3072:CEGh0ojlMOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBfM:CEGplkOe2MUVg3vTeKcAEciTBqr3

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000b000000012185-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d0000000122e4-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000600000000f6f8-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0033000000015c6f-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000700000000f6f8-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0034000000015c6f-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e000000015c9f-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000015dbb-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f000000015c9f-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000015dbb-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000015e09-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1422DC77-6B61-42de-BA85-A971897AABBA}	{DCC06796-C2C0-431e-9CBD-CE5A7207BAF4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{111B5848-4A41-4bd2-9102-E16DBB680164}\stubpath = "C:\\Windows\\{111B5848-4A41-4bd2-9102-E16DBB680164}.exe"	{56A922E6-BF27-4769-AB3F-3132D5107600}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{01A6313E-5B93-4f25-BC10-C5ACC94CF827}\stubpath = "C:\\Windows\\{01A6313E-5B93-4f25-BC10-C5ACC94CF827}.exe"	{111B5848-4A41-4bd2-9102-E16DBB680164}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D2710770-A131-49aa-8C76-B0F63DAD0906}\stubpath = "C:\\Windows\\{D2710770-A131-49aa-8C76-B0F63DAD0906}.exe"	2024-01-18_11f2e05270591fb8a0ace3bcbdc751a0_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{92B07085-C885-462e-AA7D-BFB1AB5BC159}\stubpath = "C:\\Windows\\{92B07085-C885-462e-AA7D-BFB1AB5BC159}.exe"	{1422DC77-6B61-42de-BA85-A971897AABBA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3A4360DE-C922-4f88-9395-8059056FEAE4}\stubpath = "C:\\Windows\\{3A4360DE-C922-4f88-9395-8059056FEAE4}.exe"	{92B07085-C885-462e-AA7D-BFB1AB5BC159}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{01A6313E-5B93-4f25-BC10-C5ACC94CF827}	{111B5848-4A41-4bd2-9102-E16DBB680164}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C8914023-123D-4df8-8E00-0F87DC3389F1}	{01A6313E-5B93-4f25-BC10-C5ACC94CF827}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C8914023-123D-4df8-8E00-0F87DC3389F1}\stubpath = "C:\\Windows\\{C8914023-123D-4df8-8E00-0F87DC3389F1}.exe"	{01A6313E-5B93-4f25-BC10-C5ACC94CF827}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2D76AA7B-39F7-4e67-ABE6-4AA93D9F0BBD}\stubpath = "C:\\Windows\\{2D76AA7B-39F7-4e67-ABE6-4AA93D9F0BBD}.exe"	{C8914023-123D-4df8-8E00-0F87DC3389F1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{015DFAE4-ECDE-4ea9-8703-1D1008EB0BE8}\stubpath = "C:\\Windows\\{015DFAE4-ECDE-4ea9-8703-1D1008EB0BE8}.exe"	{D2710770-A131-49aa-8C76-B0F63DAD0906}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DCC06796-C2C0-431e-9CBD-CE5A7207BAF4}	{015DFAE4-ECDE-4ea9-8703-1D1008EB0BE8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1422DC77-6B61-42de-BA85-A971897AABBA}\stubpath = "C:\\Windows\\{1422DC77-6B61-42de-BA85-A971897AABBA}.exe"	{DCC06796-C2C0-431e-9CBD-CE5A7207BAF4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{92B07085-C885-462e-AA7D-BFB1AB5BC159}	{1422DC77-6B61-42de-BA85-A971897AABBA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{56A922E6-BF27-4769-AB3F-3132D5107600}\stubpath = "C:\\Windows\\{56A922E6-BF27-4769-AB3F-3132D5107600}.exe"	{3A4360DE-C922-4f88-9395-8059056FEAE4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{111B5848-4A41-4bd2-9102-E16DBB680164}	{56A922E6-BF27-4769-AB3F-3132D5107600}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2D76AA7B-39F7-4e67-ABE6-4AA93D9F0BBD}	{C8914023-123D-4df8-8E00-0F87DC3389F1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D2710770-A131-49aa-8C76-B0F63DAD0906}	2024-01-18_11f2e05270591fb8a0ace3bcbdc751a0_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DCC06796-C2C0-431e-9CBD-CE5A7207BAF4}\stubpath = "C:\\Windows\\{DCC06796-C2C0-431e-9CBD-CE5A7207BAF4}.exe"	{015DFAE4-ECDE-4ea9-8703-1D1008EB0BE8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3A4360DE-C922-4f88-9395-8059056FEAE4}	{92B07085-C885-462e-AA7D-BFB1AB5BC159}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{56A922E6-BF27-4769-AB3F-3132D5107600}	{3A4360DE-C922-4f88-9395-8059056FEAE4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{015DFAE4-ECDE-4ea9-8703-1D1008EB0BE8}	{D2710770-A131-49aa-8C76-B0F63DAD0906}.exe

Deletes itself 1 IoCs

pid	Process
2748	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2128	{D2710770-A131-49aa-8C76-B0F63DAD0906}.exe
2668	{015DFAE4-ECDE-4ea9-8703-1D1008EB0BE8}.exe
3068	{DCC06796-C2C0-431e-9CBD-CE5A7207BAF4}.exe
1396	{1422DC77-6B61-42de-BA85-A971897AABBA}.exe
1780	{92B07085-C885-462e-AA7D-BFB1AB5BC159}.exe
2920	{3A4360DE-C922-4f88-9395-8059056FEAE4}.exe
1468	{56A922E6-BF27-4769-AB3F-3132D5107600}.exe
1880	{111B5848-4A41-4bd2-9102-E16DBB680164}.exe
1444	{01A6313E-5B93-4f25-BC10-C5ACC94CF827}.exe
1848	{C8914023-123D-4df8-8E00-0F87DC3389F1}.exe
2276	{2D76AA7B-39F7-4e67-ABE6-4AA93D9F0BBD}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{C8914023-123D-4df8-8E00-0F87DC3389F1}.exe	{01A6313E-5B93-4f25-BC10-C5ACC94CF827}.exe
File created	C:\Windows\{2D76AA7B-39F7-4e67-ABE6-4AA93D9F0BBD}.exe	{C8914023-123D-4df8-8E00-0F87DC3389F1}.exe
File created	C:\Windows\{DCC06796-C2C0-431e-9CBD-CE5A7207BAF4}.exe	{015DFAE4-ECDE-4ea9-8703-1D1008EB0BE8}.exe
File created	C:\Windows\{56A922E6-BF27-4769-AB3F-3132D5107600}.exe	{3A4360DE-C922-4f88-9395-8059056FEAE4}.exe
File created	C:\Windows\{01A6313E-5B93-4f25-BC10-C5ACC94CF827}.exe	{111B5848-4A41-4bd2-9102-E16DBB680164}.exe
File created	C:\Windows\{92B07085-C885-462e-AA7D-BFB1AB5BC159}.exe	{1422DC77-6B61-42de-BA85-A971897AABBA}.exe
File created	C:\Windows\{3A4360DE-C922-4f88-9395-8059056FEAE4}.exe	{92B07085-C885-462e-AA7D-BFB1AB5BC159}.exe
File created	C:\Windows\{111B5848-4A41-4bd2-9102-E16DBB680164}.exe	{56A922E6-BF27-4769-AB3F-3132D5107600}.exe
File created	C:\Windows\{D2710770-A131-49aa-8C76-B0F63DAD0906}.exe	2024-01-18_11f2e05270591fb8a0ace3bcbdc751a0_goldeneye.exe
File created	C:\Windows\{015DFAE4-ECDE-4ea9-8703-1D1008EB0BE8}.exe	{D2710770-A131-49aa-8C76-B0F63DAD0906}.exe
File created	C:\Windows\{1422DC77-6B61-42de-BA85-A971897AABBA}.exe	{DCC06796-C2C0-431e-9CBD-CE5A7207BAF4}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2432	2024-01-18_11f2e05270591fb8a0ace3bcbdc751a0_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2128	{D2710770-A131-49aa-8C76-B0F63DAD0906}.exe
Token: SeIncBasePriorityPrivilege	2668	{015DFAE4-ECDE-4ea9-8703-1D1008EB0BE8}.exe
Token: SeIncBasePriorityPrivilege	3068	{DCC06796-C2C0-431e-9CBD-CE5A7207BAF4}.exe
Token: SeIncBasePriorityPrivilege	1396	{1422DC77-6B61-42de-BA85-A971897AABBA}.exe
Token: SeIncBasePriorityPrivilege	1780	{92B07085-C885-462e-AA7D-BFB1AB5BC159}.exe
Token: SeIncBasePriorityPrivilege	2920	{3A4360DE-C922-4f88-9395-8059056FEAE4}.exe
Token: SeIncBasePriorityPrivilege	1468	{56A922E6-BF27-4769-AB3F-3132D5107600}.exe
Token: SeIncBasePriorityPrivilege	1880	{111B5848-4A41-4bd2-9102-E16DBB680164}.exe
Token: SeIncBasePriorityPrivilege	1444	{01A6313E-5B93-4f25-BC10-C5ACC94CF827}.exe
Token: SeIncBasePriorityPrivilege	1848	{C8914023-123D-4df8-8E00-0F87DC3389F1}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2432 wrote to memory of 2128	2432	2024-01-18_11f2e05270591fb8a0ace3bcbdc751a0_goldeneye.exe	28
PID 2432 wrote to memory of 2128	2432	2024-01-18_11f2e05270591fb8a0ace3bcbdc751a0_goldeneye.exe	28
PID 2432 wrote to memory of 2128	2432	2024-01-18_11f2e05270591fb8a0ace3bcbdc751a0_goldeneye.exe	28
PID 2432 wrote to memory of 2128	2432	2024-01-18_11f2e05270591fb8a0ace3bcbdc751a0_goldeneye.exe	28
PID 2432 wrote to memory of 2748	2432	2024-01-18_11f2e05270591fb8a0ace3bcbdc751a0_goldeneye.exe	29
PID 2432 wrote to memory of 2748	2432	2024-01-18_11f2e05270591fb8a0ace3bcbdc751a0_goldeneye.exe	29
PID 2432 wrote to memory of 2748	2432	2024-01-18_11f2e05270591fb8a0ace3bcbdc751a0_goldeneye.exe	29
PID 2432 wrote to memory of 2748	2432	2024-01-18_11f2e05270591fb8a0ace3bcbdc751a0_goldeneye.exe	29
PID 2128 wrote to memory of 2668	2128	{D2710770-A131-49aa-8C76-B0F63DAD0906}.exe	30
PID 2128 wrote to memory of 2668	2128	{D2710770-A131-49aa-8C76-B0F63DAD0906}.exe	30
PID 2128 wrote to memory of 2668	2128	{D2710770-A131-49aa-8C76-B0F63DAD0906}.exe	30
PID 2128 wrote to memory of 2668	2128	{D2710770-A131-49aa-8C76-B0F63DAD0906}.exe	30
PID 2128 wrote to memory of 2784	2128	{D2710770-A131-49aa-8C76-B0F63DAD0906}.exe	31
PID 2128 wrote to memory of 2784	2128	{D2710770-A131-49aa-8C76-B0F63DAD0906}.exe	31
PID 2128 wrote to memory of 2784	2128	{D2710770-A131-49aa-8C76-B0F63DAD0906}.exe	31
PID 2128 wrote to memory of 2784	2128	{D2710770-A131-49aa-8C76-B0F63DAD0906}.exe	31
PID 2668 wrote to memory of 3068	2668	{015DFAE4-ECDE-4ea9-8703-1D1008EB0BE8}.exe	34
PID 2668 wrote to memory of 3068	2668	{015DFAE4-ECDE-4ea9-8703-1D1008EB0BE8}.exe	34
PID 2668 wrote to memory of 3068	2668	{015DFAE4-ECDE-4ea9-8703-1D1008EB0BE8}.exe	34
PID 2668 wrote to memory of 3068	2668	{015DFAE4-ECDE-4ea9-8703-1D1008EB0BE8}.exe	34
PID 2668 wrote to memory of 2056	2668	{015DFAE4-ECDE-4ea9-8703-1D1008EB0BE8}.exe	35
PID 2668 wrote to memory of 2056	2668	{015DFAE4-ECDE-4ea9-8703-1D1008EB0BE8}.exe	35
PID 2668 wrote to memory of 2056	2668	{015DFAE4-ECDE-4ea9-8703-1D1008EB0BE8}.exe	35
PID 2668 wrote to memory of 2056	2668	{015DFAE4-ECDE-4ea9-8703-1D1008EB0BE8}.exe	35
PID 3068 wrote to memory of 1396	3068	{DCC06796-C2C0-431e-9CBD-CE5A7207BAF4}.exe	36
PID 3068 wrote to memory of 1396	3068	{DCC06796-C2C0-431e-9CBD-CE5A7207BAF4}.exe	36
PID 3068 wrote to memory of 1396	3068	{DCC06796-C2C0-431e-9CBD-CE5A7207BAF4}.exe	36
PID 3068 wrote to memory of 1396	3068	{DCC06796-C2C0-431e-9CBD-CE5A7207BAF4}.exe	36
PID 3068 wrote to memory of 1168	3068	{DCC06796-C2C0-431e-9CBD-CE5A7207BAF4}.exe	37
PID 3068 wrote to memory of 1168	3068	{DCC06796-C2C0-431e-9CBD-CE5A7207BAF4}.exe	37
PID 3068 wrote to memory of 1168	3068	{DCC06796-C2C0-431e-9CBD-CE5A7207BAF4}.exe	37
PID 3068 wrote to memory of 1168	3068	{DCC06796-C2C0-431e-9CBD-CE5A7207BAF4}.exe	37
PID 1396 wrote to memory of 1780	1396	{1422DC77-6B61-42de-BA85-A971897AABBA}.exe	38
PID 1396 wrote to memory of 1780	1396	{1422DC77-6B61-42de-BA85-A971897AABBA}.exe	38
PID 1396 wrote to memory of 1780	1396	{1422DC77-6B61-42de-BA85-A971897AABBA}.exe	38
PID 1396 wrote to memory of 1780	1396	{1422DC77-6B61-42de-BA85-A971897AABBA}.exe	38
PID 1396 wrote to memory of 2768	1396	{1422DC77-6B61-42de-BA85-A971897AABBA}.exe	39
PID 1396 wrote to memory of 2768	1396	{1422DC77-6B61-42de-BA85-A971897AABBA}.exe	39
PID 1396 wrote to memory of 2768	1396	{1422DC77-6B61-42de-BA85-A971897AABBA}.exe	39
PID 1396 wrote to memory of 2768	1396	{1422DC77-6B61-42de-BA85-A971897AABBA}.exe	39
PID 1780 wrote to memory of 2920	1780	{92B07085-C885-462e-AA7D-BFB1AB5BC159}.exe	40
PID 1780 wrote to memory of 2920	1780	{92B07085-C885-462e-AA7D-BFB1AB5BC159}.exe	40
PID 1780 wrote to memory of 2920	1780	{92B07085-C885-462e-AA7D-BFB1AB5BC159}.exe	40
PID 1780 wrote to memory of 2920	1780	{92B07085-C885-462e-AA7D-BFB1AB5BC159}.exe	40
PID 1780 wrote to memory of 1856	1780	{92B07085-C885-462e-AA7D-BFB1AB5BC159}.exe	41
PID 1780 wrote to memory of 1856	1780	{92B07085-C885-462e-AA7D-BFB1AB5BC159}.exe	41
PID 1780 wrote to memory of 1856	1780	{92B07085-C885-462e-AA7D-BFB1AB5BC159}.exe	41
PID 1780 wrote to memory of 1856	1780	{92B07085-C885-462e-AA7D-BFB1AB5BC159}.exe	41
PID 2920 wrote to memory of 1468	2920	{3A4360DE-C922-4f88-9395-8059056FEAE4}.exe	43
PID 2920 wrote to memory of 1468	2920	{3A4360DE-C922-4f88-9395-8059056FEAE4}.exe	43
PID 2920 wrote to memory of 1468	2920	{3A4360DE-C922-4f88-9395-8059056FEAE4}.exe	43
PID 2920 wrote to memory of 1468	2920	{3A4360DE-C922-4f88-9395-8059056FEAE4}.exe	43
PID 2920 wrote to memory of 1264	2920	{3A4360DE-C922-4f88-9395-8059056FEAE4}.exe	42
PID 2920 wrote to memory of 1264	2920	{3A4360DE-C922-4f88-9395-8059056FEAE4}.exe	42
PID 2920 wrote to memory of 1264	2920	{3A4360DE-C922-4f88-9395-8059056FEAE4}.exe	42
PID 2920 wrote to memory of 1264	2920	{3A4360DE-C922-4f88-9395-8059056FEAE4}.exe	42
PID 1468 wrote to memory of 1880	1468	{56A922E6-BF27-4769-AB3F-3132D5107600}.exe	44
PID 1468 wrote to memory of 1880	1468	{56A922E6-BF27-4769-AB3F-3132D5107600}.exe	44
PID 1468 wrote to memory of 1880	1468	{56A922E6-BF27-4769-AB3F-3132D5107600}.exe	44
PID 1468 wrote to memory of 1880	1468	{56A922E6-BF27-4769-AB3F-3132D5107600}.exe	44
PID 1468 wrote to memory of 2004	1468	{56A922E6-BF27-4769-AB3F-3132D5107600}.exe	45
PID 1468 wrote to memory of 2004	1468	{56A922E6-BF27-4769-AB3F-3132D5107600}.exe	45
PID 1468 wrote to memory of 2004	1468	{56A922E6-BF27-4769-AB3F-3132D5107600}.exe	45
PID 1468 wrote to memory of 2004	1468	{56A922E6-BF27-4769-AB3F-3132D5107600}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-01-18_11f2e05270591fb8a0ace3bcbdc751a0_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-18_11f2e05270591fb8a0ace3bcbdc751a0_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2432
- C:\Windows\{D2710770-A131-49aa-8C76-B0F63DAD0906}.exe
  C:\Windows\{D2710770-A131-49aa-8C76-B0F63DAD0906}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2128
- - C:\Windows\{015DFAE4-ECDE-4ea9-8703-1D1008EB0BE8}.exe
    C:\Windows\{015DFAE4-ECDE-4ea9-8703-1D1008EB0BE8}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2668
  - - C:\Windows\{DCC06796-C2C0-431e-9CBD-CE5A7207BAF4}.exe
      C:\Windows\{DCC06796-C2C0-431e-9CBD-CE5A7207BAF4}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3068
    - - C:\Windows\{1422DC77-6B61-42de-BA85-A971897AABBA}.exe
        
        C:\Windows\{1422DC77-6B61-42de-BA85-A971897AABBA}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1396
      - C:\Windows\{92B07085-C885-462e-AA7D-BFB1AB5BC159}.exe
        
        C:\Windows\{92B07085-C885-462e-AA7D-BFB1AB5BC159}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1780
        
        C:\Windows\{3A4360DE-C922-4f88-9395-8059056FEAE4}.exe
        
        C:\Windows\{3A4360DE-C922-4f88-9395-8059056FEAE4}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3A436~1.EXE > nul
        8⤵
        
        PID:1264
        
        C:\Windows\{56A922E6-BF27-4769-AB3F-3132D5107600}.exe
        
        C:\Windows\{56A922E6-BF27-4769-AB3F-3132D5107600}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1468
        
        C:\Windows\{111B5848-4A41-4bd2-9102-E16DBB680164}.exe
        
        C:\Windows\{111B5848-4A41-4bd2-9102-E16DBB680164}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1880
        
        C:\Windows\{01A6313E-5B93-4f25-BC10-C5ACC94CF827}.exe
        
        C:\Windows\{01A6313E-5B93-4f25-BC10-C5ACC94CF827}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{01A63~1.EXE > nul
        11⤵
        
        PID:1152
        
        C:\Windows\{C8914023-123D-4df8-8E00-0F87DC3389F1}.exe
        
        C:\Windows\{C8914023-123D-4df8-8E00-0F87DC3389F1}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1848
        
        C:\Windows\{2D76AA7B-39F7-4e67-ABE6-4AA93D9F0BBD}.exe
        
        C:\Windows\{2D76AA7B-39F7-4e67-ABE6-4AA93D9F0BBD}.exe
        12⤵
        Executes dropped EXE
        
        PID:2276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C8914~1.EXE > nul
        12⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{111B5~1.EXE > nul
        10⤵
        
        PID:456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{56A92~1.EXE > nul
        9⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{92B07~1.EXE > nul
        7⤵
        
        PID:1856
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1422D~1.EXE > nul
        6⤵
        
        PID:2768
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DCC06~1.EXE > nul
        5⤵
        
        PID:1168
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{015DF~1.EXE > nul
      4⤵
      PID:2056
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{D2710~1.EXE > nul
    3⤵
    PID:2784
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{015DFAE4-ECDE-4ea9-8703-1D1008EB0BE8}.exe

Filesize
372KB

MD5
d2a049c478d42750ee59a162ba373c5c

SHA1
a88e1cdb656706c461b6d8336aafaa5ef9a2d62f

SHA256
3335109038cff8129c164d5ac533300d4291ddc3fcf0ed7682ea26957c47c1e0

SHA512
1bd82b037179262c491fe71472503e4dc8750e33a4d790f8da5a59a91a797af890a0ca91e5408eb4b9b06488ad877ba6f406013d3ed1ee562b71bf0a53c36461

Download Submit
C:\Windows\{01A6313E-5B93-4f25-BC10-C5ACC94CF827}.exe

Filesize
372KB

MD5
d6f21cc5c65a33a9fdb80381b1f26725

SHA1
cdd972c4ff698eaf3cd4cd361c6815829a0c477f

SHA256
241acce03b1c4ed5b5d189ef1d674ba6fbc8b8a3431f75652aa2c4b4ab012e6a

SHA512
3605c84b01381173e2e9ead46bb0cea84957eb559c025649f65fba83f9eddfead5dce24b176092cf86de5855a20a0c2fcecc950b23c0ba91ff5c94c37ac4976f

Download Submit
C:\Windows\{111B5848-4A41-4bd2-9102-E16DBB680164}.exe

Filesize
372KB

MD5
2406a4493ce071ace830463c64febef6

SHA1
2db7d4a06b0bb54400b83a7093d0eca43f6e09fc

SHA256
9f6a8d0b31cb6756ade7fc978b2c23e583e59dc071005c99b0467fc903d9d9e2

SHA512
7c6fccf7a6297af958386a9c361d84b25be46f06a5dd9c8483a223723eb46da24789d9e7dd4bd1c8456610ddee458a05c719f30ec353e6df81610ac021ffc71b

Download Submit
C:\Windows\{1422DC77-6B61-42de-BA85-A971897AABBA}.exe

Filesize
372KB

MD5
1a28ebab4fb963491f894dd4621c8fde

SHA1
1dccb517a57b0f21367f3920c70679aa231cd531

SHA256
3fed4f22efaa25ab4448ae833956b6acc440f2f8ab1483909c18e5bea39d6cf3

SHA512
19af1b4a148a6dd09c8c971249b89d68bb74c7902ff440509a2d43eaa1ffe42e54823407a033d95493f27a94f68dd1bdf71b0cfb5f0f1a6dcecd30f03695fe34

Download Submit
C:\Windows\{2D76AA7B-39F7-4e67-ABE6-4AA93D9F0BBD}.exe

Filesize
372KB

MD5
9d185e4ecf8738e74b94c6e9d7bb0a6e

SHA1
eaf9083735d282981938ca443bf4ad5434d1c7bd

SHA256
a77df42665fe8dfe43b9b668927f86627a963450c59d49faf7bf26e51b433f86

SHA512
ebd962bb0249cf3b0ed0760de2d32e502ae3b846be690bb4eff1980965a15f0a4f4bc2a13ae17866df4d8be8ecb138568b747cbb3ea4bd82a4d4ff070ffc4805

Download Submit
C:\Windows\{3A4360DE-C922-4f88-9395-8059056FEAE4}.exe

Filesize
372KB

MD5
e6cbfdad46d34ef936b5156da7a4377f

SHA1
41b0ef49b82559aa23ba864bd50e0a8c457ed8d8

SHA256
a8b26ffa7ca5a3e2411f7f774a6d3d94a7d7d23bd1f79ab9432ebf9996364561

SHA512
16d88b1fbe63307b80b57ce6268cb5d2bd27d0f836d8ccabdeb723184d6c2c0e6975e4d82400f78aa13407738bd20742bf5383667c51d37af3fd2d630a0e0685

Download Submit
C:\Windows\{56A922E6-BF27-4769-AB3F-3132D5107600}.exe

Filesize
372KB

MD5
767b31ed489cc2e3beec11884cd8059e

SHA1
d20f5c5207d9e369a92220da4389e127d321fc79

SHA256
1ee7729dc4a0cd24e2e3decc4174a466b4a805a3f015c07baff525b40cccf317

SHA512
c1d5deafcebd56869b1de663aae6315a5d92a37144a89299aca0aaef79cc6715e04bb4c082a68d20de087c23cd0b33efff6677e7b62c6361641b734def94c45d

Download Submit
C:\Windows\{92B07085-C885-462e-AA7D-BFB1AB5BC159}.exe

Filesize
372KB

MD5
5281652eaa89e2b5b36623d18b08e838

SHA1
e91c0d55a11bbf2c61e0ffbc4c453b73b89027f7

SHA256
52b6ad768a0ec7f6a0ce65f39a2994a2cddd6c6f127fb551eeb9760c696f645f

SHA512
42fc629448f0b1e89c4be15a2f85fefc5e27475d711309b94cb13dac77bbf4cc91f77b474a2fa2656126de5f2301791cf1e9d468239bb3619ce3bc79e5310538

Download Submit
C:\Windows\{C8914023-123D-4df8-8E00-0F87DC3389F1}.exe

Filesize
372KB

MD5
17f5a1132fdbceae51b0cb9378ce4232

SHA1
912d3253e13b8771e7de32c36118273411084ebb

SHA256
1e41d0fd74c0f09c20c4d62a8f124dabe06223d16b7e40824f051f19afef86e6

SHA512
cdafebcc857b10a0b5c7a6a3b2682f9b2ca12c5a5aa340ebf8cb1a961766561dd854b17b53dbadbc52cdf0afdf6442e33885cc014e585a210c60290de85700e1

Download Submit
C:\Windows\{D2710770-A131-49aa-8C76-B0F63DAD0906}.exe

Filesize
372KB

MD5
c6e4c8439268691304cb9c86b0671f3a

SHA1
4549ed05827e8a84e79d581b67066dcfd2597b27

SHA256
ba08c435ee1730759b4989416f9b7c84b1068e6bc7d97ea078dcf7389d050159

SHA512
22d3969dc8b1f6fda210ef49b38488d39bf237a1849324a256d657e5d977f526502458bcec433e9abbc17afdf8a025e26adc306548701c9cf619ce267fb7ca70

Download Submit
C:\Windows\{DCC06796-C2C0-431e-9CBD-CE5A7207BAF4}.exe

Filesize
372KB

MD5
e3e70f8e5771ffd355449353cbefd874

SHA1
77df9b2cb62ffb14fd7830225982716790c9c4d5

SHA256
87f4d1a4564d312ec0b1a938e41eebf5f7e1f417d00de53dcf052ceff7b8b9f3

SHA512
7ba39c5c7f006c79b0b6502a02e5baa5b0d02e617e237530b4fde715ee94f40dc913fa7d6f5ec558761e1e6b79aced8a59ba4dd98bf37b5e29ddd3ab830e5ee1

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads