1ae5bd86edc6f4a7a712bb7d54d7c1372c0f5bb54feac840e48d1ee35a7299d1

Analysis

max time kernel
144s
max time network
119s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
27/01/2024, 22:30

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-01-27_adc3dbf65584279e11da53aac8740bcf_goldeneye.exe
Size

380KB
MD5

adc3dbf65584279e11da53aac8740bcf
SHA1

0a2018db9ecfef5036cbd8c0388ea405de574e1f
SHA256

1ae5bd86edc6f4a7a712bb7d54d7c1372c0f5bb54feac840e48d1ee35a7299d1
SHA512

65ece10a67c59fe2507aac0e7e67be4ea71ceb3bc905a45d2a9d7fb675076fa13ac5d51942ae2fb902a6da68b748c8b15f7107268d70685f318c8110408a8e2f
SSDEEP

3072:mEGh0oMlPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGSl7Oe2MUVg3v2IneKcAEcARy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000a000000013a1a-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000900000001410b-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b000000013a1a-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00090000000142cc-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000005a5a-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000013a1a-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000005a5a-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000013a1a-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000005a5a-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e000000013a1a-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000005a5a-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9D23E58B-AE2C-4f5d-8490-4CDDE50B4855}\stubpath = "C:\\Windows\\{9D23E58B-AE2C-4f5d-8490-4CDDE50B4855}.exe"	2024-01-27_adc3dbf65584279e11da53aac8740bcf_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E76E135E-41FD-46ec-AD56-DDB6A510F112}	{9D23E58B-AE2C-4f5d-8490-4CDDE50B4855}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9FD7261F-BA3C-4d17-9D2D-7153F63A0415}	{FF56B0EC-076F-4638-97AE-CCF9C40174D1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EB456C22-E42F-4515-9B1F-3ABBD4D7CAC4}	{EF2B1AE3-C828-4505-8368-9035ABCC04C1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C42DAB2B-9018-4b2a-8AEF-4F856CE7BA37}\stubpath = "C:\\Windows\\{C42DAB2B-9018-4b2a-8AEF-4F856CE7BA37}.exe"	{89977E08-EBAA-42db-9537-187BEA72A913}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8D1A4BC6-7B3F-4184-9447-00E40A4831C2}	{C42DAB2B-9018-4b2a-8AEF-4F856CE7BA37}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B64C28A2-C8CE-454e-A1BD-363CACFEA003}\stubpath = "C:\\Windows\\{B64C28A2-C8CE-454e-A1BD-363CACFEA003}.exe"	{8D1A4BC6-7B3F-4184-9447-00E40A4831C2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FF56B0EC-076F-4638-97AE-CCF9C40174D1}\stubpath = "C:\\Windows\\{FF56B0EC-076F-4638-97AE-CCF9C40174D1}.exe"	{E76E135E-41FD-46ec-AD56-DDB6A510F112}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EB456C22-E42F-4515-9B1F-3ABBD4D7CAC4}\stubpath = "C:\\Windows\\{EB456C22-E42F-4515-9B1F-3ABBD4D7CAC4}.exe"	{EF2B1AE3-C828-4505-8368-9035ABCC04C1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E251AD96-197F-4c93-B02B-95806AD8B2FC}	{EB456C22-E42F-4515-9B1F-3ABBD4D7CAC4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C42DAB2B-9018-4b2a-8AEF-4F856CE7BA37}	{89977E08-EBAA-42db-9537-187BEA72A913}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8D1A4BC6-7B3F-4184-9447-00E40A4831C2}\stubpath = "C:\\Windows\\{8D1A4BC6-7B3F-4184-9447-00E40A4831C2}.exe"	{C42DAB2B-9018-4b2a-8AEF-4F856CE7BA37}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B64C28A2-C8CE-454e-A1BD-363CACFEA003}	{8D1A4BC6-7B3F-4184-9447-00E40A4831C2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E76E135E-41FD-46ec-AD56-DDB6A510F112}\stubpath = "C:\\Windows\\{E76E135E-41FD-46ec-AD56-DDB6A510F112}.exe"	{9D23E58B-AE2C-4f5d-8490-4CDDE50B4855}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FF56B0EC-076F-4638-97AE-CCF9C40174D1}	{E76E135E-41FD-46ec-AD56-DDB6A510F112}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9FD7261F-BA3C-4d17-9D2D-7153F63A0415}\stubpath = "C:\\Windows\\{9FD7261F-BA3C-4d17-9D2D-7153F63A0415}.exe"	{FF56B0EC-076F-4638-97AE-CCF9C40174D1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{89977E08-EBAA-42db-9537-187BEA72A913}\stubpath = "C:\\Windows\\{89977E08-EBAA-42db-9537-187BEA72A913}.exe"	{E251AD96-197F-4c93-B02B-95806AD8B2FC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9D23E58B-AE2C-4f5d-8490-4CDDE50B4855}	2024-01-27_adc3dbf65584279e11da53aac8740bcf_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EF2B1AE3-C828-4505-8368-9035ABCC04C1}	{9FD7261F-BA3C-4d17-9D2D-7153F63A0415}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EF2B1AE3-C828-4505-8368-9035ABCC04C1}\stubpath = "C:\\Windows\\{EF2B1AE3-C828-4505-8368-9035ABCC04C1}.exe"	{9FD7261F-BA3C-4d17-9D2D-7153F63A0415}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E251AD96-197F-4c93-B02B-95806AD8B2FC}\stubpath = "C:\\Windows\\{E251AD96-197F-4c93-B02B-95806AD8B2FC}.exe"	{EB456C22-E42F-4515-9B1F-3ABBD4D7CAC4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{89977E08-EBAA-42db-9537-187BEA72A913}	{E251AD96-197F-4c93-B02B-95806AD8B2FC}.exe

Deletes itself 1 IoCs

pid	Process
3028	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
3016	{9D23E58B-AE2C-4f5d-8490-4CDDE50B4855}.exe
2704	{E76E135E-41FD-46ec-AD56-DDB6A510F112}.exe
2872	{FF56B0EC-076F-4638-97AE-CCF9C40174D1}.exe
3056	{9FD7261F-BA3C-4d17-9D2D-7153F63A0415}.exe
2776	{EF2B1AE3-C828-4505-8368-9035ABCC04C1}.exe
1480	{EB456C22-E42F-4515-9B1F-3ABBD4D7CAC4}.exe
2836	{E251AD96-197F-4c93-B02B-95806AD8B2FC}.exe
1544	{89977E08-EBAA-42db-9537-187BEA72A913}.exe
1376	{C42DAB2B-9018-4b2a-8AEF-4F856CE7BA37}.exe
700	{8D1A4BC6-7B3F-4184-9447-00E40A4831C2}.exe
580	{B64C28A2-C8CE-454e-A1BD-363CACFEA003}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{E76E135E-41FD-46ec-AD56-DDB6A510F112}.exe	{9D23E58B-AE2C-4f5d-8490-4CDDE50B4855}.exe
File created	C:\Windows\{FF56B0EC-076F-4638-97AE-CCF9C40174D1}.exe	{E76E135E-41FD-46ec-AD56-DDB6A510F112}.exe
File created	C:\Windows\{9FD7261F-BA3C-4d17-9D2D-7153F63A0415}.exe	{FF56B0EC-076F-4638-97AE-CCF9C40174D1}.exe
File created	C:\Windows\{EF2B1AE3-C828-4505-8368-9035ABCC04C1}.exe	{9FD7261F-BA3C-4d17-9D2D-7153F63A0415}.exe
File created	C:\Windows\{E251AD96-197F-4c93-B02B-95806AD8B2FC}.exe	{EB456C22-E42F-4515-9B1F-3ABBD4D7CAC4}.exe
File created	C:\Windows\{8D1A4BC6-7B3F-4184-9447-00E40A4831C2}.exe	{C42DAB2B-9018-4b2a-8AEF-4F856CE7BA37}.exe
File created	C:\Windows\{B64C28A2-C8CE-454e-A1BD-363CACFEA003}.exe	{8D1A4BC6-7B3F-4184-9447-00E40A4831C2}.exe
File created	C:\Windows\{9D23E58B-AE2C-4f5d-8490-4CDDE50B4855}.exe	2024-01-27_adc3dbf65584279e11da53aac8740bcf_goldeneye.exe
File created	C:\Windows\{EB456C22-E42F-4515-9B1F-3ABBD4D7CAC4}.exe	{EF2B1AE3-C828-4505-8368-9035ABCC04C1}.exe
File created	C:\Windows\{89977E08-EBAA-42db-9537-187BEA72A913}.exe	{E251AD96-197F-4c93-B02B-95806AD8B2FC}.exe
File created	C:\Windows\{C42DAB2B-9018-4b2a-8AEF-4F856CE7BA37}.exe	{89977E08-EBAA-42db-9537-187BEA72A913}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2156	2024-01-27_adc3dbf65584279e11da53aac8740bcf_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3016	{9D23E58B-AE2C-4f5d-8490-4CDDE50B4855}.exe
Token: SeIncBasePriorityPrivilege	2704	{E76E135E-41FD-46ec-AD56-DDB6A510F112}.exe
Token: SeIncBasePriorityPrivilege	2872	{FF56B0EC-076F-4638-97AE-CCF9C40174D1}.exe
Token: SeIncBasePriorityPrivilege	3056	{9FD7261F-BA3C-4d17-9D2D-7153F63A0415}.exe
Token: SeIncBasePriorityPrivilege	2776	{EF2B1AE3-C828-4505-8368-9035ABCC04C1}.exe
Token: SeIncBasePriorityPrivilege	1480	{EB456C22-E42F-4515-9B1F-3ABBD4D7CAC4}.exe
Token: SeIncBasePriorityPrivilege	2836	{E251AD96-197F-4c93-B02B-95806AD8B2FC}.exe
Token: SeIncBasePriorityPrivilege	1544	{89977E08-EBAA-42db-9537-187BEA72A913}.exe
Token: SeIncBasePriorityPrivilege	1376	{C42DAB2B-9018-4b2a-8AEF-4F856CE7BA37}.exe
Token: SeIncBasePriorityPrivilege	700	{8D1A4BC6-7B3F-4184-9447-00E40A4831C2}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2156 wrote to memory of 3016	2156	2024-01-27_adc3dbf65584279e11da53aac8740bcf_goldeneye.exe	28
PID 2156 wrote to memory of 3016	2156	2024-01-27_adc3dbf65584279e11da53aac8740bcf_goldeneye.exe	28
PID 2156 wrote to memory of 3016	2156	2024-01-27_adc3dbf65584279e11da53aac8740bcf_goldeneye.exe	28
PID 2156 wrote to memory of 3016	2156	2024-01-27_adc3dbf65584279e11da53aac8740bcf_goldeneye.exe	28
PID 2156 wrote to memory of 3028	2156	2024-01-27_adc3dbf65584279e11da53aac8740bcf_goldeneye.exe	29
PID 2156 wrote to memory of 3028	2156	2024-01-27_adc3dbf65584279e11da53aac8740bcf_goldeneye.exe	29
PID 2156 wrote to memory of 3028	2156	2024-01-27_adc3dbf65584279e11da53aac8740bcf_goldeneye.exe	29
PID 2156 wrote to memory of 3028	2156	2024-01-27_adc3dbf65584279e11da53aac8740bcf_goldeneye.exe	29
PID 3016 wrote to memory of 2704	3016	{9D23E58B-AE2C-4f5d-8490-4CDDE50B4855}.exe	31
PID 3016 wrote to memory of 2704	3016	{9D23E58B-AE2C-4f5d-8490-4CDDE50B4855}.exe	31
PID 3016 wrote to memory of 2704	3016	{9D23E58B-AE2C-4f5d-8490-4CDDE50B4855}.exe	31
PID 3016 wrote to memory of 2704	3016	{9D23E58B-AE2C-4f5d-8490-4CDDE50B4855}.exe	31
PID 3016 wrote to memory of 2624	3016	{9D23E58B-AE2C-4f5d-8490-4CDDE50B4855}.exe	30
PID 3016 wrote to memory of 2624	3016	{9D23E58B-AE2C-4f5d-8490-4CDDE50B4855}.exe	30
PID 3016 wrote to memory of 2624	3016	{9D23E58B-AE2C-4f5d-8490-4CDDE50B4855}.exe	30
PID 3016 wrote to memory of 2624	3016	{9D23E58B-AE2C-4f5d-8490-4CDDE50B4855}.exe	30
PID 2704 wrote to memory of 2872	2704	{E76E135E-41FD-46ec-AD56-DDB6A510F112}.exe	33
PID 2704 wrote to memory of 2872	2704	{E76E135E-41FD-46ec-AD56-DDB6A510F112}.exe	33
PID 2704 wrote to memory of 2872	2704	{E76E135E-41FD-46ec-AD56-DDB6A510F112}.exe	33
PID 2704 wrote to memory of 2872	2704	{E76E135E-41FD-46ec-AD56-DDB6A510F112}.exe	33
PID 2704 wrote to memory of 2828	2704	{E76E135E-41FD-46ec-AD56-DDB6A510F112}.exe	32
PID 2704 wrote to memory of 2828	2704	{E76E135E-41FD-46ec-AD56-DDB6A510F112}.exe	32
PID 2704 wrote to memory of 2828	2704	{E76E135E-41FD-46ec-AD56-DDB6A510F112}.exe	32
PID 2704 wrote to memory of 2828	2704	{E76E135E-41FD-46ec-AD56-DDB6A510F112}.exe	32
PID 2872 wrote to memory of 3056	2872	{FF56B0EC-076F-4638-97AE-CCF9C40174D1}.exe	37
PID 2872 wrote to memory of 3056	2872	{FF56B0EC-076F-4638-97AE-CCF9C40174D1}.exe	37
PID 2872 wrote to memory of 3056	2872	{FF56B0EC-076F-4638-97AE-CCF9C40174D1}.exe	37
PID 2872 wrote to memory of 3056	2872	{FF56B0EC-076F-4638-97AE-CCF9C40174D1}.exe	37
PID 2872 wrote to memory of 2084	2872	{FF56B0EC-076F-4638-97AE-CCF9C40174D1}.exe	36
PID 2872 wrote to memory of 2084	2872	{FF56B0EC-076F-4638-97AE-CCF9C40174D1}.exe	36
PID 2872 wrote to memory of 2084	2872	{FF56B0EC-076F-4638-97AE-CCF9C40174D1}.exe	36
PID 2872 wrote to memory of 2084	2872	{FF56B0EC-076F-4638-97AE-CCF9C40174D1}.exe	36
PID 3056 wrote to memory of 2776	3056	{9FD7261F-BA3C-4d17-9D2D-7153F63A0415}.exe	39
PID 3056 wrote to memory of 2776	3056	{9FD7261F-BA3C-4d17-9D2D-7153F63A0415}.exe	39
PID 3056 wrote to memory of 2776	3056	{9FD7261F-BA3C-4d17-9D2D-7153F63A0415}.exe	39
PID 3056 wrote to memory of 2776	3056	{9FD7261F-BA3C-4d17-9D2D-7153F63A0415}.exe	39
PID 3056 wrote to memory of 2712	3056	{9FD7261F-BA3C-4d17-9D2D-7153F63A0415}.exe	38
PID 3056 wrote to memory of 2712	3056	{9FD7261F-BA3C-4d17-9D2D-7153F63A0415}.exe	38
PID 3056 wrote to memory of 2712	3056	{9FD7261F-BA3C-4d17-9D2D-7153F63A0415}.exe	38
PID 3056 wrote to memory of 2712	3056	{9FD7261F-BA3C-4d17-9D2D-7153F63A0415}.exe	38
PID 2776 wrote to memory of 1480	2776	{EF2B1AE3-C828-4505-8368-9035ABCC04C1}.exe	40
PID 2776 wrote to memory of 1480	2776	{EF2B1AE3-C828-4505-8368-9035ABCC04C1}.exe	40
PID 2776 wrote to memory of 1480	2776	{EF2B1AE3-C828-4505-8368-9035ABCC04C1}.exe	40
PID 2776 wrote to memory of 1480	2776	{EF2B1AE3-C828-4505-8368-9035ABCC04C1}.exe	40
PID 2776 wrote to memory of 2184	2776	{EF2B1AE3-C828-4505-8368-9035ABCC04C1}.exe	41
PID 2776 wrote to memory of 2184	2776	{EF2B1AE3-C828-4505-8368-9035ABCC04C1}.exe	41
PID 2776 wrote to memory of 2184	2776	{EF2B1AE3-C828-4505-8368-9035ABCC04C1}.exe	41
PID 2776 wrote to memory of 2184	2776	{EF2B1AE3-C828-4505-8368-9035ABCC04C1}.exe	41
PID 1480 wrote to memory of 2836	1480	{EB456C22-E42F-4515-9B1F-3ABBD4D7CAC4}.exe	42
PID 1480 wrote to memory of 2836	1480	{EB456C22-E42F-4515-9B1F-3ABBD4D7CAC4}.exe	42
PID 1480 wrote to memory of 2836	1480	{EB456C22-E42F-4515-9B1F-3ABBD4D7CAC4}.exe	42
PID 1480 wrote to memory of 2836	1480	{EB456C22-E42F-4515-9B1F-3ABBD4D7CAC4}.exe	42
PID 1480 wrote to memory of 2840	1480	{EB456C22-E42F-4515-9B1F-3ABBD4D7CAC4}.exe	43
PID 1480 wrote to memory of 2840	1480	{EB456C22-E42F-4515-9B1F-3ABBD4D7CAC4}.exe	43
PID 1480 wrote to memory of 2840	1480	{EB456C22-E42F-4515-9B1F-3ABBD4D7CAC4}.exe	43
PID 1480 wrote to memory of 2840	1480	{EB456C22-E42F-4515-9B1F-3ABBD4D7CAC4}.exe	43
PID 2836 wrote to memory of 1544	2836	{E251AD96-197F-4c93-B02B-95806AD8B2FC}.exe	44
PID 2836 wrote to memory of 1544	2836	{E251AD96-197F-4c93-B02B-95806AD8B2FC}.exe	44
PID 2836 wrote to memory of 1544	2836	{E251AD96-197F-4c93-B02B-95806AD8B2FC}.exe	44
PID 2836 wrote to memory of 1544	2836	{E251AD96-197F-4c93-B02B-95806AD8B2FC}.exe	44
PID 2836 wrote to memory of 1928	2836	{E251AD96-197F-4c93-B02B-95806AD8B2FC}.exe	45
PID 2836 wrote to memory of 1928	2836	{E251AD96-197F-4c93-B02B-95806AD8B2FC}.exe	45
PID 2836 wrote to memory of 1928	2836	{E251AD96-197F-4c93-B02B-95806AD8B2FC}.exe	45
PID 2836 wrote to memory of 1928	2836	{E251AD96-197F-4c93-B02B-95806AD8B2FC}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-01-27_adc3dbf65584279e11da53aac8740bcf_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-27_adc3dbf65584279e11da53aac8740bcf_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2156
- C:\Windows\{9D23E58B-AE2C-4f5d-8490-4CDDE50B4855}.exe
  C:\Windows\{9D23E58B-AE2C-4f5d-8490-4CDDE50B4855}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3016
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{9D23E~1.EXE > nul
    3⤵
    PID:2624
- - C:\Windows\{E76E135E-41FD-46ec-AD56-DDB6A510F112}.exe
    C:\Windows\{E76E135E-41FD-46ec-AD56-DDB6A510F112}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2704
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{E76E1~1.EXE > nul
      4⤵
      PID:2828
  - - C:\Windows\{FF56B0EC-076F-4638-97AE-CCF9C40174D1}.exe
      C:\Windows\{FF56B0EC-076F-4638-97AE-CCF9C40174D1}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2872
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FF56B~1.EXE > nul
        5⤵
        
        PID:2084
    - - C:\Windows\{9FD7261F-BA3C-4d17-9D2D-7153F63A0415}.exe
        
        C:\Windows\{9FD7261F-BA3C-4d17-9D2D-7153F63A0415}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3056
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9FD72~1.EXE > nul
        6⤵
        
        PID:2712
      - C:\Windows\{EF2B1AE3-C828-4505-8368-9035ABCC04C1}.exe
        
        C:\Windows\{EF2B1AE3-C828-4505-8368-9035ABCC04C1}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2776
        
        C:\Windows\{EB456C22-E42F-4515-9B1F-3ABBD4D7CAC4}.exe
        
        C:\Windows\{EB456C22-E42F-4515-9B1F-3ABBD4D7CAC4}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1480
        
        C:\Windows\{E251AD96-197F-4c93-B02B-95806AD8B2FC}.exe
        
        C:\Windows\{E251AD96-197F-4c93-B02B-95806AD8B2FC}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2836
        
        C:\Windows\{89977E08-EBAA-42db-9537-187BEA72A913}.exe
        
        C:\Windows\{89977E08-EBAA-42db-9537-187BEA72A913}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1544
        
        C:\Windows\{C42DAB2B-9018-4b2a-8AEF-4F856CE7BA37}.exe
        
        C:\Windows\{C42DAB2B-9018-4b2a-8AEF-4F856CE7BA37}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C42DA~1.EXE > nul
        11⤵
        
        PID:704
        
        C:\Windows\{8D1A4BC6-7B3F-4184-9447-00E40A4831C2}.exe
        
        C:\Windows\{8D1A4BC6-7B3F-4184-9447-00E40A4831C2}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8D1A4~1.EXE > nul
        12⤵
        
        PID:564
        
        C:\Windows\{B64C28A2-C8CE-454e-A1BD-363CACFEA003}.exe
        
        C:\Windows\{B64C28A2-C8CE-454e-A1BD-363CACFEA003}.exe
        12⤵
        Executes dropped EXE
        
        PID:580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{89977~1.EXE > nul
        10⤵
        
        PID:2052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E251A~1.EXE > nul
        9⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EB456~1.EXE > nul
        8⤵
        
        PID:2840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EF2B1~1.EXE > nul
        7⤵
        
        PID:2184
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:3028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{89977E08-EBAA-42db-9537-187BEA72A913}.exe

Filesize
380KB

MD5
85fde188bb75ae4db23be01bd75e6b0d

SHA1
807177fed510a47185b278b0f5bf1e6825a9d928

SHA256
28a4df73370a507b8374d3455d034a47fd01b5782c0f78caf3b428246697acf4

SHA512
d77690854f2d40d039d60ed0c400bcc0ce8539ed23d1ac372decc4b256476daaeeafb51662827584eb746908235fb7a02671dc14197674a12b6f6c55523608fb

Download Submit
C:\Windows\{8D1A4BC6-7B3F-4184-9447-00E40A4831C2}.exe

Filesize
380KB

MD5
17b53ee3316928150ab9ba506068d2ca

SHA1
664f74690d0ead25eb42607872c34ff53035b1c1

SHA256
d59637e6bbde8ff7e3020248e2dfc916e97ca0ab3f876b26c2966a5cd0213e0a

SHA512
392469716857fd51ceca586a54e8502a9365efb14fdddd75b9bfa6e299ce2308a000936f39948995e9eefe58eb7de4331548abb6c0b98a0333c6f80ccb6184af

Download Submit
C:\Windows\{9D23E58B-AE2C-4f5d-8490-4CDDE50B4855}.exe

Filesize
380KB

MD5
83ab3747d290b1be2905c84dcfcfa6c5

SHA1
10c5b203607d59ac78a7f1fd95a38c7fc81d98dd

SHA256
829492af1817eb4a23152ea64054aacf618fe5670febc322473f58b946d18165

SHA512
f1245a16ee2818d8a0aaae21ebca33e67e669480de9c768d88aa957a0a6b37a82cd948380590af53c42fc2d80d8d464421006a714f8c9fc7c934afc5a7cae3f4

Download Submit
C:\Windows\{9FD7261F-BA3C-4d17-9D2D-7153F63A0415}.exe

Filesize
380KB

MD5
2b5f1198af47322c6d493e37af33a541

SHA1
023dbbb8092be78c666a9c68608d6038203df6be

SHA256
a9faa17e6d5413460b69ab05979fa8c2aaa714c0ecbc8f435d5f7aa7976bfcbb

SHA512
6e0dd4fea556ca29202290872caea5541296ec402704bcbafa76e9fe022ee51b4e7c56d73b60b7277c21cedbef04cd497e06cf1889c03c77d6e4d9cc0d3db764

Download Submit
C:\Windows\{B64C28A2-C8CE-454e-A1BD-363CACFEA003}.exe

Filesize
380KB

MD5
38b1938f87a9546137c0bf036f6260ff

SHA1
5760e4e9ddca038aec50ecb7aa87964ce284b179

SHA256
644548d9c0f73ebb69be1ca286dd3029ce5c2984fba62eb6a43c85113168438d

SHA512
83b3becc902177291a7802d1878d3b3579862b8fe9365eb30a69206bb6030c6511fedc81307418821f527c5d8746753f363a051f1fb6667399c2caf67bd4c37c

Download Submit
C:\Windows\{C42DAB2B-9018-4b2a-8AEF-4F856CE7BA37}.exe

Filesize
380KB

MD5
79b7d8ba4bce9317caff2e285ea9c89c

SHA1
4bf7032d837d38b5549d56757a661b57d424f550

SHA256
85719330fe961001219fa752106e135c451e51e30f1fc126d2309bb5c0d17958

SHA512
1f26b3823aa1cbd75ab6aef377ab7926a65153d63f1d67b5e3cb010d832ba8106cea6f9b3d802732b57e4295aa2529caa37a29bda5a15d7e6502e66209a0870d

Download Submit
C:\Windows\{E251AD96-197F-4c93-B02B-95806AD8B2FC}.exe

Filesize
380KB

MD5
c04da0a87f3d2f189ea2380aea3a7472

SHA1
fa04686f57e261f79089c45901be5e005abc38f1

SHA256
8cc008661de5b9d81f79bfc6818fe46fecbb2d437c66c08636d9fc1292f752d1

SHA512
aafd0c447699e50de8b3edf32197c52a615d7158031e2e77f084b8256fb140100411a9aeb8530a075dca2e5e5d376958855cf0e0908e6097e69ef849edf13b63

Download Submit
C:\Windows\{E76E135E-41FD-46ec-AD56-DDB6A510F112}.exe

Filesize
380KB

MD5
8eead9dba75ce67df0b412094eabcdcb

SHA1
acbc76791b2633a791a56fd700df040ef32ff41f

SHA256
0bff2d6322a8938c7c7219af577a4bf59ebe71c613b7c94cfdd6606fbd3c1e89

SHA512
5bca3371751e4f4f11bd05f2b3becfb72bdbb14b737f135c4a7b8c2a0ef5fc060d5a12b380ff262319db05bfea0bdbdb37b8339fbe87a1d060191e9ee7b358b4

Download Submit
C:\Windows\{EB456C22-E42F-4515-9B1F-3ABBD4D7CAC4}.exe

Filesize
380KB

MD5
c2e7c12219d4575f2cb407f565ce862a

SHA1
d74c023940fdccdd8fba3b3865104d820c714881

SHA256
b4051623d534806d159c8e4fd214b40ed22a98eea9469db81de4777ad4925720

SHA512
17ac38a0cd688446056ac8b40415d9d344129c059e51b5f10a226df881a89b8bc4aa71f5ba41229b217935f5ba333a5cdc3e06e6e8f24756f972b59069d4ab0a

Download Submit
C:\Windows\{EF2B1AE3-C828-4505-8368-9035ABCC04C1}.exe

Filesize
380KB

MD5
a959d773b95c1dd14b9239c6b48e3ade

SHA1
0c2e1b81f313986aa0b1eb1c8af053b5b3da8410

SHA256
19d3f3fba77ad584a38deebe87b9eff086a0e9916ed4ca9e95021515f9587050

SHA512
b8c9438ef0e6fcad5603db9c5cf7f5fa88b9084b9bfb3471dd83df50962324c80b3f12a345d0751807374561a43bab695eb1a2b384707418793997cd712ffa2c

Download Submit
C:\Windows\{FF56B0EC-076F-4638-97AE-CCF9C40174D1}.exe

Filesize
380KB

MD5
4bb8fde06cf58c24bb37a59630c29865

SHA1
8739d9c44811020d31a389a525fed1152ac81d96

SHA256
848836d1331a5e0fd1b3ca5db765de4a7bacfd82117809aad0801f25cd164c60

SHA512
c41e479725f2837102678dddf2f5f1536d4739b9ee6b145e682a5b9e733cf99eda2c698fb33971447483151104d3cdaf4c4442de50f8acb78a6c2cf4ed5582e8

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads