955cafb96504cbc14aec61936f3354dc4460e0743901f187e6b6b1603deaea2d

Analysis

max time kernel
144s
max time network
124s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
29-01-2024 09:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-29_4326dee944bcc8c239eb01e4928c0058_goldeneye.exe
Size

180KB
MD5

4326dee944bcc8c239eb01e4928c0058
SHA1

c7cca13f118e4eeba6b885e0d20f314fa38722a3
SHA256

955cafb96504cbc14aec61936f3354dc4460e0743901f187e6b6b1603deaea2d
SHA512

ee6aaee7ce0a9fc49fae6e12cb5cf3d4959ca7f0bf218e77e4fcb0352c26439d85a42f8c13eead0200472105f0e8fa2b47b820c4b90b2dc22dab45522520c930
SSDEEP

3072:jEGh0oslfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGWl5eKcAEc

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x00090000000120e1-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a000000012251-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f00000001552e-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000600000000f6f8-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b000000012251-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000700000000f6f8-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000012251-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000800000000f6f8-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000012251-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000900000000f6f8-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e000000012251-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{27AB5269-DE96-4aff-A603-F956671E6897}	{C975C402-48F7-49a0-B331-B17F5D058BC2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C90BC142-FEC0-43ec-B2D1-3F17298CC93B}	{9514F414-45BD-4f5c-B9E9-64C6CC5D07E7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5973D92B-BF85-465c-A50D-03ADA01A20B0}\stubpath = "C:\\Windows\\{5973D92B-BF85-465c-A50D-03ADA01A20B0}.exe"	{0D0109EF-B1AD-4ead-A008-1F488B585FFF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{827E40D4-9F33-40fd-9C74-4DB159B4AA5D}\stubpath = "C:\\Windows\\{827E40D4-9F33-40fd-9C74-4DB159B4AA5D}.exe"	{5973D92B-BF85-465c-A50D-03ADA01A20B0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BFDDD68F-D520-4f66-BA7A-C958D17B046A}	{DD859E09-3AB9-4c1d-9780-A5FEE3D5552F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BFDDD68F-D520-4f66-BA7A-C958D17B046A}\stubpath = "C:\\Windows\\{BFDDD68F-D520-4f66-BA7A-C958D17B046A}.exe"	{DD859E09-3AB9-4c1d-9780-A5FEE3D5552F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C975C402-48F7-49a0-B331-B17F5D058BC2}\stubpath = "C:\\Windows\\{C975C402-48F7-49a0-B331-B17F5D058BC2}.exe"	{2EC794F4-40AB-48a6-A940-8B84CC374AA0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9514F414-45BD-4f5c-B9E9-64C6CC5D07E7}\stubpath = "C:\\Windows\\{9514F414-45BD-4f5c-B9E9-64C6CC5D07E7}.exe"	{31402769-6119-44be-BD61-F3F6F99886AA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C90BC142-FEC0-43ec-B2D1-3F17298CC93B}\stubpath = "C:\\Windows\\{C90BC142-FEC0-43ec-B2D1-3F17298CC93B}.exe"	{9514F414-45BD-4f5c-B9E9-64C6CC5D07E7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DD859E09-3AB9-4c1d-9780-A5FEE3D5552F}	{827E40D4-9F33-40fd-9C74-4DB159B4AA5D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2EC794F4-40AB-48a6-A940-8B84CC374AA0}\stubpath = "C:\\Windows\\{2EC794F4-40AB-48a6-A940-8B84CC374AA0}.exe"	{BFDDD68F-D520-4f66-BA7A-C958D17B046A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C975C402-48F7-49a0-B331-B17F5D058BC2}	{2EC794F4-40AB-48a6-A940-8B84CC374AA0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{27AB5269-DE96-4aff-A603-F956671E6897}\stubpath = "C:\\Windows\\{27AB5269-DE96-4aff-A603-F956671E6897}.exe"	{C975C402-48F7-49a0-B331-B17F5D058BC2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{31402769-6119-44be-BD61-F3F6F99886AA}\stubpath = "C:\\Windows\\{31402769-6119-44be-BD61-F3F6F99886AA}.exe"	2024-01-29_4326dee944bcc8c239eb01e4928c0058_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9514F414-45BD-4f5c-B9E9-64C6CC5D07E7}	{31402769-6119-44be-BD61-F3F6F99886AA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0D0109EF-B1AD-4ead-A008-1F488B585FFF}	{C90BC142-FEC0-43ec-B2D1-3F17298CC93B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0D0109EF-B1AD-4ead-A008-1F488B585FFF}\stubpath = "C:\\Windows\\{0D0109EF-B1AD-4ead-A008-1F488B585FFF}.exe"	{C90BC142-FEC0-43ec-B2D1-3F17298CC93B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5973D92B-BF85-465c-A50D-03ADA01A20B0}	{0D0109EF-B1AD-4ead-A008-1F488B585FFF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{31402769-6119-44be-BD61-F3F6F99886AA}	2024-01-29_4326dee944bcc8c239eb01e4928c0058_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{827E40D4-9F33-40fd-9C74-4DB159B4AA5D}	{5973D92B-BF85-465c-A50D-03ADA01A20B0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DD859E09-3AB9-4c1d-9780-A5FEE3D5552F}\stubpath = "C:\\Windows\\{DD859E09-3AB9-4c1d-9780-A5FEE3D5552F}.exe"	{827E40D4-9F33-40fd-9C74-4DB159B4AA5D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2EC794F4-40AB-48a6-A940-8B84CC374AA0}	{BFDDD68F-D520-4f66-BA7A-C958D17B046A}.exe

Deletes itself 1 IoCs

pid	Process
1896	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
1720	{31402769-6119-44be-BD61-F3F6F99886AA}.exe
2672	{9514F414-45BD-4f5c-B9E9-64C6CC5D07E7}.exe
2532	{C90BC142-FEC0-43ec-B2D1-3F17298CC93B}.exe
2496	{0D0109EF-B1AD-4ead-A008-1F488B585FFF}.exe
1620	{5973D92B-BF85-465c-A50D-03ADA01A20B0}.exe
2896	{827E40D4-9F33-40fd-9C74-4DB159B4AA5D}.exe
916	{DD859E09-3AB9-4c1d-9780-A5FEE3D5552F}.exe
2504	{BFDDD68F-D520-4f66-BA7A-C958D17B046A}.exe
1516	{2EC794F4-40AB-48a6-A940-8B84CC374AA0}.exe
1156	{C975C402-48F7-49a0-B331-B17F5D058BC2}.exe
2004	{27AB5269-DE96-4aff-A603-F956671E6897}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{C90BC142-FEC0-43ec-B2D1-3F17298CC93B}.exe	{9514F414-45BD-4f5c-B9E9-64C6CC5D07E7}.exe
File created	C:\Windows\{0D0109EF-B1AD-4ead-A008-1F488B585FFF}.exe	{C90BC142-FEC0-43ec-B2D1-3F17298CC93B}.exe
File created	C:\Windows\{5973D92B-BF85-465c-A50D-03ADA01A20B0}.exe	{0D0109EF-B1AD-4ead-A008-1F488B585FFF}.exe
File created	C:\Windows\{827E40D4-9F33-40fd-9C74-4DB159B4AA5D}.exe	{5973D92B-BF85-465c-A50D-03ADA01A20B0}.exe
File created	C:\Windows\{DD859E09-3AB9-4c1d-9780-A5FEE3D5552F}.exe	{827E40D4-9F33-40fd-9C74-4DB159B4AA5D}.exe
File created	C:\Windows\{2EC794F4-40AB-48a6-A940-8B84CC374AA0}.exe	{BFDDD68F-D520-4f66-BA7A-C958D17B046A}.exe
File created	C:\Windows\{31402769-6119-44be-BD61-F3F6F99886AA}.exe	2024-01-29_4326dee944bcc8c239eb01e4928c0058_goldeneye.exe
File created	C:\Windows\{9514F414-45BD-4f5c-B9E9-64C6CC5D07E7}.exe	{31402769-6119-44be-BD61-F3F6F99886AA}.exe
File created	C:\Windows\{27AB5269-DE96-4aff-A603-F956671E6897}.exe	{C975C402-48F7-49a0-B331-B17F5D058BC2}.exe
File created	C:\Windows\{BFDDD68F-D520-4f66-BA7A-C958D17B046A}.exe	{DD859E09-3AB9-4c1d-9780-A5FEE3D5552F}.exe
File created	C:\Windows\{C975C402-48F7-49a0-B331-B17F5D058BC2}.exe	{2EC794F4-40AB-48a6-A940-8B84CC374AA0}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1204	2024-01-29_4326dee944bcc8c239eb01e4928c0058_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1720	{31402769-6119-44be-BD61-F3F6F99886AA}.exe
Token: SeIncBasePriorityPrivilege	2672	{9514F414-45BD-4f5c-B9E9-64C6CC5D07E7}.exe
Token: SeIncBasePriorityPrivilege	2532	{C90BC142-FEC0-43ec-B2D1-3F17298CC93B}.exe
Token: SeIncBasePriorityPrivilege	2496	{0D0109EF-B1AD-4ead-A008-1F488B585FFF}.exe
Token: SeIncBasePriorityPrivilege	1620	{5973D92B-BF85-465c-A50D-03ADA01A20B0}.exe
Token: SeIncBasePriorityPrivilege	2896	{827E40D4-9F33-40fd-9C74-4DB159B4AA5D}.exe
Token: SeIncBasePriorityPrivilege	916	{DD859E09-3AB9-4c1d-9780-A5FEE3D5552F}.exe
Token: SeIncBasePriorityPrivilege	2504	{BFDDD68F-D520-4f66-BA7A-C958D17B046A}.exe
Token: SeIncBasePriorityPrivilege	1516	{2EC794F4-40AB-48a6-A940-8B84CC374AA0}.exe
Token: SeIncBasePriorityPrivilege	1156	{C975C402-48F7-49a0-B331-B17F5D058BC2}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1204 wrote to memory of 1720	1204	2024-01-29_4326dee944bcc8c239eb01e4928c0058_goldeneye.exe	28
PID 1204 wrote to memory of 1720	1204	2024-01-29_4326dee944bcc8c239eb01e4928c0058_goldeneye.exe	28
PID 1204 wrote to memory of 1720	1204	2024-01-29_4326dee944bcc8c239eb01e4928c0058_goldeneye.exe	28
PID 1204 wrote to memory of 1720	1204	2024-01-29_4326dee944bcc8c239eb01e4928c0058_goldeneye.exe	28
PID 1204 wrote to memory of 1896	1204	2024-01-29_4326dee944bcc8c239eb01e4928c0058_goldeneye.exe	29
PID 1204 wrote to memory of 1896	1204	2024-01-29_4326dee944bcc8c239eb01e4928c0058_goldeneye.exe	29
PID 1204 wrote to memory of 1896	1204	2024-01-29_4326dee944bcc8c239eb01e4928c0058_goldeneye.exe	29
PID 1204 wrote to memory of 1896	1204	2024-01-29_4326dee944bcc8c239eb01e4928c0058_goldeneye.exe	29
PID 1720 wrote to memory of 2672	1720	{31402769-6119-44be-BD61-F3F6F99886AA}.exe	30
PID 1720 wrote to memory of 2672	1720	{31402769-6119-44be-BD61-F3F6F99886AA}.exe	30
PID 1720 wrote to memory of 2672	1720	{31402769-6119-44be-BD61-F3F6F99886AA}.exe	30
PID 1720 wrote to memory of 2672	1720	{31402769-6119-44be-BD61-F3F6F99886AA}.exe	30
PID 1720 wrote to memory of 2728	1720	{31402769-6119-44be-BD61-F3F6F99886AA}.exe	31
PID 1720 wrote to memory of 2728	1720	{31402769-6119-44be-BD61-F3F6F99886AA}.exe	31
PID 1720 wrote to memory of 2728	1720	{31402769-6119-44be-BD61-F3F6F99886AA}.exe	31
PID 1720 wrote to memory of 2728	1720	{31402769-6119-44be-BD61-F3F6F99886AA}.exe	31
PID 2672 wrote to memory of 2532	2672	{9514F414-45BD-4f5c-B9E9-64C6CC5D07E7}.exe	35
PID 2672 wrote to memory of 2532	2672	{9514F414-45BD-4f5c-B9E9-64C6CC5D07E7}.exe	35
PID 2672 wrote to memory of 2532	2672	{9514F414-45BD-4f5c-B9E9-64C6CC5D07E7}.exe	35
PID 2672 wrote to memory of 2532	2672	{9514F414-45BD-4f5c-B9E9-64C6CC5D07E7}.exe	35
PID 2672 wrote to memory of 2588	2672	{9514F414-45BD-4f5c-B9E9-64C6CC5D07E7}.exe	34
PID 2672 wrote to memory of 2588	2672	{9514F414-45BD-4f5c-B9E9-64C6CC5D07E7}.exe	34
PID 2672 wrote to memory of 2588	2672	{9514F414-45BD-4f5c-B9E9-64C6CC5D07E7}.exe	34
PID 2672 wrote to memory of 2588	2672	{9514F414-45BD-4f5c-B9E9-64C6CC5D07E7}.exe	34
PID 2532 wrote to memory of 2496	2532	{C90BC142-FEC0-43ec-B2D1-3F17298CC93B}.exe	36
PID 2532 wrote to memory of 2496	2532	{C90BC142-FEC0-43ec-B2D1-3F17298CC93B}.exe	36
PID 2532 wrote to memory of 2496	2532	{C90BC142-FEC0-43ec-B2D1-3F17298CC93B}.exe	36
PID 2532 wrote to memory of 2496	2532	{C90BC142-FEC0-43ec-B2D1-3F17298CC93B}.exe	36
PID 2532 wrote to memory of 656	2532	{C90BC142-FEC0-43ec-B2D1-3F17298CC93B}.exe	37
PID 2532 wrote to memory of 656	2532	{C90BC142-FEC0-43ec-B2D1-3F17298CC93B}.exe	37
PID 2532 wrote to memory of 656	2532	{C90BC142-FEC0-43ec-B2D1-3F17298CC93B}.exe	37
PID 2532 wrote to memory of 656	2532	{C90BC142-FEC0-43ec-B2D1-3F17298CC93B}.exe	37
PID 2496 wrote to memory of 1620	2496	{0D0109EF-B1AD-4ead-A008-1F488B585FFF}.exe	38
PID 2496 wrote to memory of 1620	2496	{0D0109EF-B1AD-4ead-A008-1F488B585FFF}.exe	38
PID 2496 wrote to memory of 1620	2496	{0D0109EF-B1AD-4ead-A008-1F488B585FFF}.exe	38
PID 2496 wrote to memory of 1620	2496	{0D0109EF-B1AD-4ead-A008-1F488B585FFF}.exe	38
PID 2496 wrote to memory of 2796	2496	{0D0109EF-B1AD-4ead-A008-1F488B585FFF}.exe	39
PID 2496 wrote to memory of 2796	2496	{0D0109EF-B1AD-4ead-A008-1F488B585FFF}.exe	39
PID 2496 wrote to memory of 2796	2496	{0D0109EF-B1AD-4ead-A008-1F488B585FFF}.exe	39
PID 2496 wrote to memory of 2796	2496	{0D0109EF-B1AD-4ead-A008-1F488B585FFF}.exe	39
PID 1620 wrote to memory of 2896	1620	{5973D92B-BF85-465c-A50D-03ADA01A20B0}.exe	41
PID 1620 wrote to memory of 2896	1620	{5973D92B-BF85-465c-A50D-03ADA01A20B0}.exe	41
PID 1620 wrote to memory of 2896	1620	{5973D92B-BF85-465c-A50D-03ADA01A20B0}.exe	41
PID 1620 wrote to memory of 2896	1620	{5973D92B-BF85-465c-A50D-03ADA01A20B0}.exe	41
PID 1620 wrote to memory of 1676	1620	{5973D92B-BF85-465c-A50D-03ADA01A20B0}.exe	40
PID 1620 wrote to memory of 1676	1620	{5973D92B-BF85-465c-A50D-03ADA01A20B0}.exe	40
PID 1620 wrote to memory of 1676	1620	{5973D92B-BF85-465c-A50D-03ADA01A20B0}.exe	40
PID 1620 wrote to memory of 1676	1620	{5973D92B-BF85-465c-A50D-03ADA01A20B0}.exe	40
PID 2896 wrote to memory of 916	2896	{827E40D4-9F33-40fd-9C74-4DB159B4AA5D}.exe	42
PID 2896 wrote to memory of 916	2896	{827E40D4-9F33-40fd-9C74-4DB159B4AA5D}.exe	42
PID 2896 wrote to memory of 916	2896	{827E40D4-9F33-40fd-9C74-4DB159B4AA5D}.exe	42
PID 2896 wrote to memory of 916	2896	{827E40D4-9F33-40fd-9C74-4DB159B4AA5D}.exe	42
PID 2896 wrote to memory of 1280	2896	{827E40D4-9F33-40fd-9C74-4DB159B4AA5D}.exe	43
PID 2896 wrote to memory of 1280	2896	{827E40D4-9F33-40fd-9C74-4DB159B4AA5D}.exe	43
PID 2896 wrote to memory of 1280	2896	{827E40D4-9F33-40fd-9C74-4DB159B4AA5D}.exe	43
PID 2896 wrote to memory of 1280	2896	{827E40D4-9F33-40fd-9C74-4DB159B4AA5D}.exe	43
PID 916 wrote to memory of 2504	916	{DD859E09-3AB9-4c1d-9780-A5FEE3D5552F}.exe	44
PID 916 wrote to memory of 2504	916	{DD859E09-3AB9-4c1d-9780-A5FEE3D5552F}.exe	44
PID 916 wrote to memory of 2504	916	{DD859E09-3AB9-4c1d-9780-A5FEE3D5552F}.exe	44
PID 916 wrote to memory of 2504	916	{DD859E09-3AB9-4c1d-9780-A5FEE3D5552F}.exe	44
PID 916 wrote to memory of 1520	916	{DD859E09-3AB9-4c1d-9780-A5FEE3D5552F}.exe	45
PID 916 wrote to memory of 1520	916	{DD859E09-3AB9-4c1d-9780-A5FEE3D5552F}.exe	45
PID 916 wrote to memory of 1520	916	{DD859E09-3AB9-4c1d-9780-A5FEE3D5552F}.exe	45
PID 916 wrote to memory of 1520	916	{DD859E09-3AB9-4c1d-9780-A5FEE3D5552F}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-01-29_4326dee944bcc8c239eb01e4928c0058_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-29_4326dee944bcc8c239eb01e4928c0058_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1204
- C:\Windows\{31402769-6119-44be-BD61-F3F6F99886AA}.exe
  C:\Windows\{31402769-6119-44be-BD61-F3F6F99886AA}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1720
- - C:\Windows\{9514F414-45BD-4f5c-B9E9-64C6CC5D07E7}.exe
    C:\Windows\{9514F414-45BD-4f5c-B9E9-64C6CC5D07E7}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2672
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{9514F~1.EXE > nul
      4⤵
      PID:2588
  - - C:\Windows\{C90BC142-FEC0-43ec-B2D1-3F17298CC93B}.exe
      C:\Windows\{C90BC142-FEC0-43ec-B2D1-3F17298CC93B}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2532
    - - C:\Windows\{0D0109EF-B1AD-4ead-A008-1F488B585FFF}.exe
        
        C:\Windows\{0D0109EF-B1AD-4ead-A008-1F488B585FFF}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2496
      - C:\Windows\{5973D92B-BF85-465c-A50D-03ADA01A20B0}.exe
        
        C:\Windows\{5973D92B-BF85-465c-A50D-03ADA01A20B0}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5973D~1.EXE > nul
        7⤵
        
        PID:1676
        
        C:\Windows\{827E40D4-9F33-40fd-9C74-4DB159B4AA5D}.exe
        
        C:\Windows\{827E40D4-9F33-40fd-9C74-4DB159B4AA5D}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2896
        
        C:\Windows\{DD859E09-3AB9-4c1d-9780-A5FEE3D5552F}.exe
        
        C:\Windows\{DD859E09-3AB9-4c1d-9780-A5FEE3D5552F}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:916
        
        C:\Windows\{BFDDD68F-D520-4f66-BA7A-C958D17B046A}.exe
        
        C:\Windows\{BFDDD68F-D520-4f66-BA7A-C958D17B046A}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2504
        
        C:\Windows\{2EC794F4-40AB-48a6-A940-8B84CC374AA0}.exe
        
        C:\Windows\{2EC794F4-40AB-48a6-A940-8B84CC374AA0}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2EC79~1.EXE > nul
        11⤵
        
        PID:2332
        
        C:\Windows\{C975C402-48F7-49a0-B331-B17F5D058BC2}.exe
        
        C:\Windows\{C975C402-48F7-49a0-B331-B17F5D058BC2}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C975C~1.EXE > nul
        12⤵
        
        PID:548
        
        C:\Windows\{27AB5269-DE96-4aff-A603-F956671E6897}.exe
        
        C:\Windows\{27AB5269-DE96-4aff-A603-F956671E6897}.exe
        12⤵
        Executes dropped EXE
        
        PID:2004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BFDDD~1.EXE > nul
        10⤵
        
        PID:824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DD859~1.EXE > nul
        9⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{827E4~1.EXE > nul
        8⤵
        
        PID:1280
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0D010~1.EXE > nul
        6⤵
        
        PID:2796
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C90BC~1.EXE > nul
        5⤵
        
        PID:656
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{31402~1.EXE > nul
    3⤵
    PID:2728
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:1896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0D0109EF-B1AD-4ead-A008-1F488B585FFF}.exe

Filesize
180KB

MD5
d4b97ab8ca5eea2a89ad77beb3153b13

SHA1
d1537f9089a32e8731fd191508dba03160db85af

SHA256
ba05e0b034d282122c833686ba08060aaabeb8a92600e975944ec4b41a386311

SHA512
9d847a7271c4387fdf60d75cb26bab3dbc735db056a9d5061210ea9e91e6d8b6c292776ad5696fc8c56e0dbd0bc85d7c0e2ba138a3311c016173c2589eb07b57

Download Submit
C:\Windows\{27AB5269-DE96-4aff-A603-F956671E6897}.exe

Filesize
180KB

MD5
98c514fbf5e953839dbfc0d4165e1bee

SHA1
895ac697ef4e1a59f4eb2184c84e639a145fec46

SHA256
041f520f30e5d60369c216858b5af4d65a9bc291d0293e94801d07bb566c63bf

SHA512
2ab76f9de22797d5aa2d92d3de586fa7d5d2221be03259fc44b9fa05464ca45649626b0e3b3ede3ae9412aa21c0b45bb27a31aafacddd713f1c6b67e1f497d69

Download Submit
C:\Windows\{2EC794F4-40AB-48a6-A940-8B84CC374AA0}.exe

Filesize
180KB

MD5
dc054551f59359569aee53ad1e73d1fc

SHA1
88620f290a4b0650051f76a30f356127807669f7

SHA256
866b06a3e25839605c36862f19a8fccc180328968dad6f47d2a4195a1d9360bd

SHA512
228a60e596960398c37c7c2ac676d6112a5ecc72345481de61709309f22ab818a8beae83df5f7f5f1c5b760f5a28ead14478176bac4b29c33791542d905cc6f3

Download Submit
C:\Windows\{31402769-6119-44be-BD61-F3F6F99886AA}.exe

Filesize
180KB

MD5
e15df787b666fb9d47624f03ffd97d17

SHA1
0d7a22dd4037bbaeb70fbabaf9851243171dc5be

SHA256
7d5a146f2d9cdbf6356e05e5568483a636cec4562399079f14e01ee57da88d1a

SHA512
a513ea7710c86c8c8ab864789dfe5d71e4ebf62fa158f66acf2b846bbd8a2ce83997a144de044c69e7a7f90230a29e17d0fbb8285189bd0d29ba58123b48ff28

Download Submit
C:\Windows\{5973D92B-BF85-465c-A50D-03ADA01A20B0}.exe

Filesize
180KB

MD5
86224e66fae626816c7ee68a10e4ffa4

SHA1
49222c4ccfcc57c7b9e635fb9f899af88f9fcf62

SHA256
a635448242b064311c746b165e56a96824c3938b8d9110c2ce3169ecf315c5c6

SHA512
eb1340b0c371dc44105779206cb5e45944558e73db3a57f883b44ec9bf221f76b7712384bef29bf3b6070f285ac73a8470964cf555c97c60be1633f818e7447e

Download Submit
C:\Windows\{827E40D4-9F33-40fd-9C74-4DB159B4AA5D}.exe

Filesize
180KB

MD5
3da03324a2d77303359f6203f67253f6

SHA1
c0500a4920921d8cdc8fbc1a76245f129e27a60d

SHA256
e177793cd19ba49da11ac4ca8c4e7e6599747b17e80a1470489e09998ccccc40

SHA512
40aea126ad7d8c18f0e3dfa422d4cf9c7df6f148e2278e2a9ce454f488b364613dfbb472062df1e69579e5d2cd76dfc34ed6505be6988096b448857d9d8c978a

Download Submit
C:\Windows\{9514F414-45BD-4f5c-B9E9-64C6CC5D07E7}.exe

Filesize
180KB

MD5
ee52c2b3a0b5026bf10144200ec7d827

SHA1
3c664e61a1aebe8de8db000dd6ccdc89e2e8d754

SHA256
9cc345c2d59cb1700e8652f769ff65569423059f0d5b9c4dcb9ad9e432682351

SHA512
c74a6e2aaefa577f5801a32a234062fa562eabc96cdca16c0c23a8d8fe03d0e7142a88f58c0b79ae1ef32f8a587f0583198c3661d469cd4dd25a12012106f55c

Download Submit
C:\Windows\{BFDDD68F-D520-4f66-BA7A-C958D17B046A}.exe

Filesize
180KB

MD5
0e435cbeaffcc2cdb78f0e3b4a455ef0

SHA1
c45771b611922fa99efe31a9c184e22c3fd0ee90

SHA256
1398b2bd0fca4c03e09ff23ad10a45deef364c03197fe4ce1efd8b43c196d6d8

SHA512
167e257678d8db01ca2ee3326351749b7482b5c978e6cd8249b9ceb6a16a891211a059b0e156a4ef0a76d853dd1257fb030c175463f5968c8b65981431a313b6

Download Submit
C:\Windows\{C90BC142-FEC0-43ec-B2D1-3F17298CC93B}.exe

Filesize
180KB

MD5
e1e64dd5d713e784f5db878047dce8c5

SHA1
2dec6fee74126f91569e1613db4f7696ac140b99

SHA256
d1c9bde041033bbb1c60a5ffb1586e0e0dd36e7cbb378cf628b245fa52672881

SHA512
1f44af11514b515467a9570427fad5e1fdfec6b2ee8f361abcef27d39b934639488db42a4360d8086705ea65c88163c5905cc35e92882ba77ed5f6f2d8f17284

Download Submit
C:\Windows\{C975C402-48F7-49a0-B331-B17F5D058BC2}.exe

Filesize
180KB

MD5
12e6989e632539e46cb033fdbea684d6

SHA1
c8a4a3619eb8f5b490531bffe1b03081ecf18bdd

SHA256
892125023f617cc2aa32eca2185c4f5ba01c5495530dfe6c33cfaf852be9dddf

SHA512
7baae4ddbaf51e23b7856f0b9e37a2803726c4542f3e549d5fdc20a5310af271f821f17d7190135facd8b9be36f1e4ac19edd54419e2f580e5ae62dda4e2f0ce

Download Submit
C:\Windows\{DD859E09-3AB9-4c1d-9780-A5FEE3D5552F}.exe

Filesize
180KB

MD5
0b664fa7c411d20521c8aab5ef866f1a

SHA1
b686da43ccf6c5d521eac50e6eed9ee84558d308

SHA256
4d3e689fd40d07c7feb5d7046f3e1406a4e0a1a78bae7fb42c37403979ba7f12

SHA512
f583455495a4ae09c25b5f8d90e397e65bc31b58e632555d0da9ccf6729a81a949d1eec6db18353cc389446e45f730cc9913f9cb628799e11acfe8d839ab1ee1

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads