873298caaab5f66428b7da694331eccdac983aaedabd5367b9ee34766d5ddf3c

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
29/01/2024, 12:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-29_75f0a416dee4b25b86e00edf3ce81a0f_goldeneye.exe
Size

408KB
MD5

75f0a416dee4b25b86e00edf3ce81a0f
SHA1

3fdd25e12717e492cbe0f43e93031aac7eebc879
SHA256

873298caaab5f66428b7da694331eccdac983aaedabd5367b9ee34766d5ddf3c
SHA512

d2690ebf8b242cdbad4f65db142401ee2a1c4fcae20ec3e1e788b6235ccb92c34d4d0f86f027308649a965d0e52706cfea3f9cf8acab79c87993231297ac35d1
SSDEEP

3072:CEGh0o/l3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEG5ldOe2MUVg3vTeKcAEciTBqr3jy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 14 IoCs

resource	yara_rule
behavioral1/files/0x000e00000001224c-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e00000001224c-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00080000000122c9-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f00000001224c-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00300000000146c8-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001000000001224c-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001100000001224c-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001100000001224c-55.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-62.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001200000001224c-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B1C9A43D-FE1D-495c-B345-0929AA08EFC4}\stubpath = "C:\\Windows\\{B1C9A43D-FE1D-495c-B345-0929AA08EFC4}.exe"	{4BA2D607-29E0-4327-A0A1-542D7A59E2C8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E2C8618C-8D06-4e59-864F-0B9F0792FEDF}	{B1C9A43D-FE1D-495c-B345-0929AA08EFC4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8250053C-C7AD-4bad-BD9F-7EF66CE454F3}\stubpath = "C:\\Windows\\{8250053C-C7AD-4bad-BD9F-7EF66CE454F3}.exe"	{F06CAA30-F84A-455d-933A-FD61F1F6D725}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EC951BDF-7C03-49af-98A3-1598978ED678}\stubpath = "C:\\Windows\\{EC951BDF-7C03-49af-98A3-1598978ED678}.exe"	{92FF0375-BB46-4cba-9E23-44BB3DEBC147}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CAACB4BD-8DCD-4767-A60B-1FF89D710582}	{0E8944FD-0CBF-4ae6-838F-38DA2EFB42F8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4BA2D607-29E0-4327-A0A1-542D7A59E2C8}\stubpath = "C:\\Windows\\{4BA2D607-29E0-4327-A0A1-542D7A59E2C8}.exe"	{3E25C3BC-AE4B-4445-989A-CE1D57A74006}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CAACB4BD-8DCD-4767-A60B-1FF89D710582}\stubpath = "C:\\Windows\\{CAACB4BD-8DCD-4767-A60B-1FF89D710582}.exe"	{0E8944FD-0CBF-4ae6-838F-38DA2EFB42F8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F06CAA30-F84A-455d-933A-FD61F1F6D725}\stubpath = "C:\\Windows\\{F06CAA30-F84A-455d-933A-FD61F1F6D725}.exe"	{E2C8618C-8D06-4e59-864F-0B9F0792FEDF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8250053C-C7AD-4bad-BD9F-7EF66CE454F3}	{F06CAA30-F84A-455d-933A-FD61F1F6D725}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{44F50688-710A-4322-8247-D8CC313C1329}\stubpath = "C:\\Windows\\{44F50688-710A-4322-8247-D8CC313C1329}.exe"	2024-01-29_75f0a416dee4b25b86e00edf3ce81a0f_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EC951BDF-7C03-49af-98A3-1598978ED678}	{92FF0375-BB46-4cba-9E23-44BB3DEBC147}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0E8944FD-0CBF-4ae6-838F-38DA2EFB42F8}\stubpath = "C:\\Windows\\{0E8944FD-0CBF-4ae6-838F-38DA2EFB42F8}.exe"	{EC951BDF-7C03-49af-98A3-1598978ED678}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3E25C3BC-AE4B-4445-989A-CE1D57A74006}\stubpath = "C:\\Windows\\{3E25C3BC-AE4B-4445-989A-CE1D57A74006}.exe"	{CAACB4BD-8DCD-4767-A60B-1FF89D710582}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B1C9A43D-FE1D-495c-B345-0929AA08EFC4}	{4BA2D607-29E0-4327-A0A1-542D7A59E2C8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E2C8618C-8D06-4e59-864F-0B9F0792FEDF}\stubpath = "C:\\Windows\\{E2C8618C-8D06-4e59-864F-0B9F0792FEDF}.exe"	{B1C9A43D-FE1D-495c-B345-0929AA08EFC4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F06CAA30-F84A-455d-933A-FD61F1F6D725}	{E2C8618C-8D06-4e59-864F-0B9F0792FEDF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{92FF0375-BB46-4cba-9E23-44BB3DEBC147}\stubpath = "C:\\Windows\\{92FF0375-BB46-4cba-9E23-44BB3DEBC147}.exe"	{44F50688-710A-4322-8247-D8CC313C1329}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0E8944FD-0CBF-4ae6-838F-38DA2EFB42F8}	{EC951BDF-7C03-49af-98A3-1598978ED678}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3E25C3BC-AE4B-4445-989A-CE1D57A74006}	{CAACB4BD-8DCD-4767-A60B-1FF89D710582}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{44F50688-710A-4322-8247-D8CC313C1329}	2024-01-29_75f0a416dee4b25b86e00edf3ce81a0f_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{92FF0375-BB46-4cba-9E23-44BB3DEBC147}	{44F50688-710A-4322-8247-D8CC313C1329}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4BA2D607-29E0-4327-A0A1-542D7A59E2C8}	{3E25C3BC-AE4B-4445-989A-CE1D57A74006}.exe

Executes dropped EXE 11 IoCs

pid	Process
2476	{44F50688-710A-4322-8247-D8CC313C1329}.exe
2852	{92FF0375-BB46-4cba-9E23-44BB3DEBC147}.exe
2860	{EC951BDF-7C03-49af-98A3-1598978ED678}.exe
2452	{0E8944FD-0CBF-4ae6-838F-38DA2EFB42F8}.exe
2900	{CAACB4BD-8DCD-4767-A60B-1FF89D710582}.exe
2336	{3E25C3BC-AE4B-4445-989A-CE1D57A74006}.exe
1816	{4BA2D607-29E0-4327-A0A1-542D7A59E2C8}.exe
2192	{B1C9A43D-FE1D-495c-B345-0929AA08EFC4}.exe
2276	{E2C8618C-8D06-4e59-864F-0B9F0792FEDF}.exe
2980	{F06CAA30-F84A-455d-933A-FD61F1F6D725}.exe
1012	{8250053C-C7AD-4bad-BD9F-7EF66CE454F3}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{F06CAA30-F84A-455d-933A-FD61F1F6D725}.exe	{E2C8618C-8D06-4e59-864F-0B9F0792FEDF}.exe
File created	C:\Windows\{8250053C-C7AD-4bad-BD9F-7EF66CE454F3}.exe	{F06CAA30-F84A-455d-933A-FD61F1F6D725}.exe
File created	C:\Windows\{44F50688-710A-4322-8247-D8CC313C1329}.exe	2024-01-29_75f0a416dee4b25b86e00edf3ce81a0f_goldeneye.exe
File created	C:\Windows\{0E8944FD-0CBF-4ae6-838F-38DA2EFB42F8}.exe	{EC951BDF-7C03-49af-98A3-1598978ED678}.exe
File created	C:\Windows\{CAACB4BD-8DCD-4767-A60B-1FF89D710582}.exe	{0E8944FD-0CBF-4ae6-838F-38DA2EFB42F8}.exe
File created	C:\Windows\{4BA2D607-29E0-4327-A0A1-542D7A59E2C8}.exe	{3E25C3BC-AE4B-4445-989A-CE1D57A74006}.exe
File created	C:\Windows\{B1C9A43D-FE1D-495c-B345-0929AA08EFC4}.exe	{4BA2D607-29E0-4327-A0A1-542D7A59E2C8}.exe
File created	C:\Windows\{92FF0375-BB46-4cba-9E23-44BB3DEBC147}.exe	{44F50688-710A-4322-8247-D8CC313C1329}.exe
File created	C:\Windows\{EC951BDF-7C03-49af-98A3-1598978ED678}.exe	{92FF0375-BB46-4cba-9E23-44BB3DEBC147}.exe
File created	C:\Windows\{3E25C3BC-AE4B-4445-989A-CE1D57A74006}.exe	{CAACB4BD-8DCD-4767-A60B-1FF89D710582}.exe
File created	C:\Windows\{E2C8618C-8D06-4e59-864F-0B9F0792FEDF}.exe	{B1C9A43D-FE1D-495c-B345-0929AA08EFC4}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2128	2024-01-29_75f0a416dee4b25b86e00edf3ce81a0f_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2476	{44F50688-710A-4322-8247-D8CC313C1329}.exe
Token: SeIncBasePriorityPrivilege	2852	{92FF0375-BB46-4cba-9E23-44BB3DEBC147}.exe
Token: SeIncBasePriorityPrivilege	2860	{EC951BDF-7C03-49af-98A3-1598978ED678}.exe
Token: SeIncBasePriorityPrivilege	2452	{0E8944FD-0CBF-4ae6-838F-38DA2EFB42F8}.exe
Token: SeIncBasePriorityPrivilege	2900	{CAACB4BD-8DCD-4767-A60B-1FF89D710582}.exe
Token: SeIncBasePriorityPrivilege	2336	{3E25C3BC-AE4B-4445-989A-CE1D57A74006}.exe
Token: SeIncBasePriorityPrivilege	1816	{4BA2D607-29E0-4327-A0A1-542D7A59E2C8}.exe
Token: SeIncBasePriorityPrivilege	2192	{B1C9A43D-FE1D-495c-B345-0929AA08EFC4}.exe
Token: SeIncBasePriorityPrivilege	2276	{E2C8618C-8D06-4e59-864F-0B9F0792FEDF}.exe
Token: SeIncBasePriorityPrivilege	2980	{F06CAA30-F84A-455d-933A-FD61F1F6D725}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2128 wrote to memory of 2476	2128	2024-01-29_75f0a416dee4b25b86e00edf3ce81a0f_goldeneye.exe	28
PID 2128 wrote to memory of 2476	2128	2024-01-29_75f0a416dee4b25b86e00edf3ce81a0f_goldeneye.exe	28
PID 2128 wrote to memory of 2476	2128	2024-01-29_75f0a416dee4b25b86e00edf3ce81a0f_goldeneye.exe	28
PID 2128 wrote to memory of 2476	2128	2024-01-29_75f0a416dee4b25b86e00edf3ce81a0f_goldeneye.exe	28
PID 2128 wrote to memory of 2544	2128	2024-01-29_75f0a416dee4b25b86e00edf3ce81a0f_goldeneye.exe	29
PID 2128 wrote to memory of 2544	2128	2024-01-29_75f0a416dee4b25b86e00edf3ce81a0f_goldeneye.exe	29
PID 2128 wrote to memory of 2544	2128	2024-01-29_75f0a416dee4b25b86e00edf3ce81a0f_goldeneye.exe	29
PID 2128 wrote to memory of 2544	2128	2024-01-29_75f0a416dee4b25b86e00edf3ce81a0f_goldeneye.exe	29
PID 2476 wrote to memory of 2852	2476	{44F50688-710A-4322-8247-D8CC313C1329}.exe	31
PID 2476 wrote to memory of 2852	2476	{44F50688-710A-4322-8247-D8CC313C1329}.exe	31
PID 2476 wrote to memory of 2852	2476	{44F50688-710A-4322-8247-D8CC313C1329}.exe	31
PID 2476 wrote to memory of 2852	2476	{44F50688-710A-4322-8247-D8CC313C1329}.exe	31
PID 2476 wrote to memory of 2960	2476	{44F50688-710A-4322-8247-D8CC313C1329}.exe	30
PID 2476 wrote to memory of 2960	2476	{44F50688-710A-4322-8247-D8CC313C1329}.exe	30
PID 2476 wrote to memory of 2960	2476	{44F50688-710A-4322-8247-D8CC313C1329}.exe	30
PID 2476 wrote to memory of 2960	2476	{44F50688-710A-4322-8247-D8CC313C1329}.exe	30
PID 2852 wrote to memory of 2860	2852	{92FF0375-BB46-4cba-9E23-44BB3DEBC147}.exe	33
PID 2852 wrote to memory of 2860	2852	{92FF0375-BB46-4cba-9E23-44BB3DEBC147}.exe	33
PID 2852 wrote to memory of 2860	2852	{92FF0375-BB46-4cba-9E23-44BB3DEBC147}.exe	33
PID 2852 wrote to memory of 2860	2852	{92FF0375-BB46-4cba-9E23-44BB3DEBC147}.exe	33
PID 2852 wrote to memory of 2624	2852	{92FF0375-BB46-4cba-9E23-44BB3DEBC147}.exe	32
PID 2852 wrote to memory of 2624	2852	{92FF0375-BB46-4cba-9E23-44BB3DEBC147}.exe	32
PID 2852 wrote to memory of 2624	2852	{92FF0375-BB46-4cba-9E23-44BB3DEBC147}.exe	32
PID 2852 wrote to memory of 2624	2852	{92FF0375-BB46-4cba-9E23-44BB3DEBC147}.exe	32
PID 2860 wrote to memory of 2452	2860	{EC951BDF-7C03-49af-98A3-1598978ED678}.exe	37
PID 2860 wrote to memory of 2452	2860	{EC951BDF-7C03-49af-98A3-1598978ED678}.exe	37
PID 2860 wrote to memory of 2452	2860	{EC951BDF-7C03-49af-98A3-1598978ED678}.exe	37
PID 2860 wrote to memory of 2452	2860	{EC951BDF-7C03-49af-98A3-1598978ED678}.exe	37
PID 2860 wrote to memory of 2648	2860	{EC951BDF-7C03-49af-98A3-1598978ED678}.exe	36
PID 2860 wrote to memory of 2648	2860	{EC951BDF-7C03-49af-98A3-1598978ED678}.exe	36
PID 2860 wrote to memory of 2648	2860	{EC951BDF-7C03-49af-98A3-1598978ED678}.exe	36
PID 2860 wrote to memory of 2648	2860	{EC951BDF-7C03-49af-98A3-1598978ED678}.exe	36
PID 2452 wrote to memory of 2900	2452	{0E8944FD-0CBF-4ae6-838F-38DA2EFB42F8}.exe	39
PID 2452 wrote to memory of 2900	2452	{0E8944FD-0CBF-4ae6-838F-38DA2EFB42F8}.exe	39
PID 2452 wrote to memory of 2900	2452	{0E8944FD-0CBF-4ae6-838F-38DA2EFB42F8}.exe	39
PID 2452 wrote to memory of 2900	2452	{0E8944FD-0CBF-4ae6-838F-38DA2EFB42F8}.exe	39
PID 2452 wrote to memory of 2908	2452	{0E8944FD-0CBF-4ae6-838F-38DA2EFB42F8}.exe	38
PID 2452 wrote to memory of 2908	2452	{0E8944FD-0CBF-4ae6-838F-38DA2EFB42F8}.exe	38
PID 2452 wrote to memory of 2908	2452	{0E8944FD-0CBF-4ae6-838F-38DA2EFB42F8}.exe	38
PID 2452 wrote to memory of 2908	2452	{0E8944FD-0CBF-4ae6-838F-38DA2EFB42F8}.exe	38
PID 2900 wrote to memory of 2336	2900	{CAACB4BD-8DCD-4767-A60B-1FF89D710582}.exe	41
PID 2900 wrote to memory of 2336	2900	{CAACB4BD-8DCD-4767-A60B-1FF89D710582}.exe	41
PID 2900 wrote to memory of 2336	2900	{CAACB4BD-8DCD-4767-A60B-1FF89D710582}.exe	41
PID 2900 wrote to memory of 2336	2900	{CAACB4BD-8DCD-4767-A60B-1FF89D710582}.exe	41
PID 2900 wrote to memory of 2200	2900	{CAACB4BD-8DCD-4767-A60B-1FF89D710582}.exe	40
PID 2900 wrote to memory of 2200	2900	{CAACB4BD-8DCD-4767-A60B-1FF89D710582}.exe	40
PID 2900 wrote to memory of 2200	2900	{CAACB4BD-8DCD-4767-A60B-1FF89D710582}.exe	40
PID 2900 wrote to memory of 2200	2900	{CAACB4BD-8DCD-4767-A60B-1FF89D710582}.exe	40
PID 2336 wrote to memory of 1816	2336	{3E25C3BC-AE4B-4445-989A-CE1D57A74006}.exe	43
PID 2336 wrote to memory of 1816	2336	{3E25C3BC-AE4B-4445-989A-CE1D57A74006}.exe	43
PID 2336 wrote to memory of 1816	2336	{3E25C3BC-AE4B-4445-989A-CE1D57A74006}.exe	43
PID 2336 wrote to memory of 1816	2336	{3E25C3BC-AE4B-4445-989A-CE1D57A74006}.exe	43
PID 2336 wrote to memory of 1196	2336	{3E25C3BC-AE4B-4445-989A-CE1D57A74006}.exe	42
PID 2336 wrote to memory of 1196	2336	{3E25C3BC-AE4B-4445-989A-CE1D57A74006}.exe	42
PID 2336 wrote to memory of 1196	2336	{3E25C3BC-AE4B-4445-989A-CE1D57A74006}.exe	42
PID 2336 wrote to memory of 1196	2336	{3E25C3BC-AE4B-4445-989A-CE1D57A74006}.exe	42
PID 1816 wrote to memory of 2192	1816	{4BA2D607-29E0-4327-A0A1-542D7A59E2C8}.exe	44
PID 1816 wrote to memory of 2192	1816	{4BA2D607-29E0-4327-A0A1-542D7A59E2C8}.exe	44
PID 1816 wrote to memory of 2192	1816	{4BA2D607-29E0-4327-A0A1-542D7A59E2C8}.exe	44
PID 1816 wrote to memory of 2192	1816	{4BA2D607-29E0-4327-A0A1-542D7A59E2C8}.exe	44
PID 1816 wrote to memory of 1336	1816	{4BA2D607-29E0-4327-A0A1-542D7A59E2C8}.exe	45
PID 1816 wrote to memory of 1336	1816	{4BA2D607-29E0-4327-A0A1-542D7A59E2C8}.exe	45
PID 1816 wrote to memory of 1336	1816	{4BA2D607-29E0-4327-A0A1-542D7A59E2C8}.exe	45
PID 1816 wrote to memory of 1336	1816	{4BA2D607-29E0-4327-A0A1-542D7A59E2C8}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-01-29_75f0a416dee4b25b86e00edf3ce81a0f_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-29_75f0a416dee4b25b86e00edf3ce81a0f_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2128
- C:\Windows\{44F50688-710A-4322-8247-D8CC313C1329}.exe
  C:\Windows\{44F50688-710A-4322-8247-D8CC313C1329}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2476
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{44F50~1.EXE > nul
    3⤵
    PID:2960
- - C:\Windows\{92FF0375-BB46-4cba-9E23-44BB3DEBC147}.exe
    C:\Windows\{92FF0375-BB46-4cba-9E23-44BB3DEBC147}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2852
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{92FF0~1.EXE > nul
      4⤵
      PID:2624
  - - C:\Windows\{EC951BDF-7C03-49af-98A3-1598978ED678}.exe
      C:\Windows\{EC951BDF-7C03-49af-98A3-1598978ED678}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2860
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EC951~1.EXE > nul
        5⤵
        
        PID:2648
    - - C:\Windows\{0E8944FD-0CBF-4ae6-838F-38DA2EFB42F8}.exe
        
        C:\Windows\{0E8944FD-0CBF-4ae6-838F-38DA2EFB42F8}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2452
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0E894~1.EXE > nul
        6⤵
        
        PID:2908
      - C:\Windows\{CAACB4BD-8DCD-4767-A60B-1FF89D710582}.exe
        
        C:\Windows\{CAACB4BD-8DCD-4767-A60B-1FF89D710582}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CAACB~1.EXE > nul
        7⤵
        
        PID:2200
        
        C:\Windows\{3E25C3BC-AE4B-4445-989A-CE1D57A74006}.exe
        
        C:\Windows\{3E25C3BC-AE4B-4445-989A-CE1D57A74006}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3E25C~1.EXE > nul
        8⤵
        
        PID:1196
        
        C:\Windows\{4BA2D607-29E0-4327-A0A1-542D7A59E2C8}.exe
        
        C:\Windows\{4BA2D607-29E0-4327-A0A1-542D7A59E2C8}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1816
        
        C:\Windows\{B1C9A43D-FE1D-495c-B345-0929AA08EFC4}.exe
        
        C:\Windows\{B1C9A43D-FE1D-495c-B345-0929AA08EFC4}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2192
        
        C:\Windows\{E2C8618C-8D06-4e59-864F-0B9F0792FEDF}.exe
        
        C:\Windows\{E2C8618C-8D06-4e59-864F-0B9F0792FEDF}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2276
        
        C:\Windows\{F06CAA30-F84A-455d-933A-FD61F1F6D725}.exe
        
        C:\Windows\{F06CAA30-F84A-455d-933A-FD61F1F6D725}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2980
        
        C:\Windows\{8250053C-C7AD-4bad-BD9F-7EF66CE454F3}.exe
        
        C:\Windows\{8250053C-C7AD-4bad-BD9F-7EF66CE454F3}.exe
        12⤵
        Executes dropped EXE
        
        PID:1012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F06CA~1.EXE > nul
        12⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E2C86~1.EXE > nul
        11⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B1C9A~1.EXE > nul
        10⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4BA2D~1.EXE > nul
        9⤵
        
        PID:1336
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0E8944FD-0CBF-4ae6-838F-38DA2EFB42F8}.exe

Filesize
408KB

MD5
33990d2529d49fc88bf714ff94d3c77d

SHA1
b568108431729677e35c8dc651ce55ffe96b2cf2

SHA256
3deb028fe0c474557e1788411c0a03aea18a00f5143bdbe4eccaf04158544ccb

SHA512
bc455929dd1a2486739cfa2c09a95fb695b25718473d2b426407efd87b182267f0ba4eb49d2f1c6a7ed925baf9fa53793d189e69a5d7a34130c9c4711308302f

Download Submit
C:\Windows\{3E25C3BC-AE4B-4445-989A-CE1D57A74006}.exe

Filesize
408KB

MD5
f5b8d2bd591453a76d5d45430b32afe5

SHA1
d4ed69dab8fb545a72b9af9df6a8f9652ec390fb

SHA256
236d855e9155bbd22d86749efd111c69bc6cde00638660059a619b7b63d4a88a

SHA512
4d286888db7bcbef378bc58bc82c21443eb2d63d8985b6e5b2d7e0685c9356bd90096d60d2676696436a167f2d0560c335b53fa09c85d1cecf277c5e78bb5916

Download Submit
C:\Windows\{44F50688-710A-4322-8247-D8CC313C1329}.exe

Filesize
408KB

MD5
a613b7e1381e1c27f9bae8d437147d23

SHA1
c7722cb865ececc3791e9d8bb07c3b9c5d21102a

SHA256
63e568de243be326779fe6ef4e1699b88944fec167ce78ce6c96d5a0e87fcdba

SHA512
3d959f4efecfd9986107d0db8886db7d76020326c804256514a18481c982e63f93c68a9b9b8edd27d4d6766d538a875f3dacb56234ebb33fbbaefd68173ad104

Download Submit
C:\Windows\{44F50688-710A-4322-8247-D8CC313C1329}.exe

Filesize
132KB

MD5
302e42936c0741a9e42770f27290e122

SHA1
2b22192620c17c8bce4e1a3000fb2a0854047ba9

SHA256
a2a09e16304a9eb958017f3a3a2e80e6b6395b15d1b5b3db7f3f013bb368c1d8

SHA512
843b2accf1bc5d6a7f3446d7a94a50379cc144b452de936f25f50cc6b7b7b616cd608e27f8048100ab04ebbb41f8c8bcb9c83ab9bab723442bd5339406c462b2

Download Submit
C:\Windows\{4BA2D607-29E0-4327-A0A1-542D7A59E2C8}.exe

Filesize
408KB

MD5
4cee487086a71f947e35d95e8f18562d

SHA1
171d0ce546b5184dd873b43e6aea334719d8f658

SHA256
4e03e64bd54d58a1e64f2112ebf2e5760a6fc5b0ca1c5988432c6557f27b1c7a

SHA512
3114f31a95199cfe0a9eedc20bcd2380fd78c405e239905396d4fabe9222d67396b436b94f2989f7bfd1a558fa60502e6dedc293f431c5afa970ea7aca6b7610

Download Submit
C:\Windows\{8250053C-C7AD-4bad-BD9F-7EF66CE454F3}.exe

Filesize
408KB

MD5
8046bdc1d1c1c393b26ec1aa32913eac

SHA1
b74fedc3d0a6650e23a9d0963e27f980ce3b868a

SHA256
2aec71c35a5814f1e7d6a53f2a2372c2165c326bc82412bfc86cd548df8e2b12

SHA512
7c416a692e94ebf041983993a0b35abb7f26e21eb08128176d729a06a98702230e4f4887a3937e5b99f51101b65d381aaa95f037b5c14a96205145c0247c0be3

Download Submit
C:\Windows\{92FF0375-BB46-4cba-9E23-44BB3DEBC147}.exe

Filesize
408KB

MD5
76c842026e91b8c0bf2e86b151eaa729

SHA1
df559063c87e0d3bb4ad715ba4d04245ebad6fbf

SHA256
849bb7c0d04f938819e091f3f36044da3b7c9aae4293e8731007fa4f8ab3618e

SHA512
2cbcf5439deacb5a1228896e307e6ca1734b188584c6eed5f358152706af2e3a5e9dd77c7d37932db903ee4558e0cc4d9c5f8bcaa9bac1ff92f4c42dc1e60771

Download Submit
C:\Windows\{B1C9A43D-FE1D-495c-B345-0929AA08EFC4}.exe

Filesize
408KB

MD5
fb2f6fbd29838a087dff6fb78a0a20bf

SHA1
52151c4629fab7598a478073f4e2966f80a39860

SHA256
a9b1c8222beb33a0413e9233ae2355916e9b40b92812d22efa89f890332ff246

SHA512
a2b7c1a78e002f2462ae3fe104e0d47c225bcbcd424015ffb620fdbccc1915b352e83d75a82ab9fced2677652df601bbdb235c70238ba92d70799e42a1d523d3

Download Submit
C:\Windows\{B1C9A43D-FE1D-495c-B345-0929AA08EFC4}.exe

Filesize
45KB

MD5
4ce50dc3c665cf826a3c193edb2e6c87

SHA1
3dbc024008af13163d6f5f02ea89c177dd00f7cb

SHA256
a50e4d3c0ac127b8e72e729216fa0c63db5584f6e556baf70c619539f592a8d8

SHA512
d3b8633a7d9ef9f4141bc71eda3b1303dcd79dd1df0bff4c2c3443b2c9383f68ae20f559ba31ba6d2c3723a771cef0130c7b3a91c3b21963d72a46f3a4c2218a

Download Submit
C:\Windows\{CAACB4BD-8DCD-4767-A60B-1FF89D710582}.exe

Filesize
408KB

MD5
ccd9f9c983939ab26dc504b0a2eb5cb2

SHA1
2967fe71647fa6453927ebaf44a113cb9a247351

SHA256
9ff805a8ecef12abbf915db67f6f344003263f03f681a412fde60eda28ba4377

SHA512
a0c46963b39dd9a1d705be65dfd041e75f441e981b529f72a0c30c1a31ca4f99ab7de0ca83479810629c13f08bd0320291d8cb9edb03a8951cb8dd25764a8198

Download Submit
C:\Windows\{E2C8618C-8D06-4e59-864F-0B9F0792FEDF}.exe

Filesize
159KB

MD5
c5fcf9657e2ded0378f7f444781b6496

SHA1
e7cc5310b184e27da7cb3c59b6ed9b478bc93f82

SHA256
2980051378ab25f30d33222ddf15c4aa42b791377a9a302948ffa654953f84d6

SHA512
71275eb54eabb19025d5c8d4ac305b714c4355e8c93fe98908326386fea2c653c67df260b36be66bf1e49779c2daeb1e2d961767f7df423f7d88633286f64173

Download Submit
C:\Windows\{E2C8618C-8D06-4e59-864F-0B9F0792FEDF}.exe

Filesize
408KB

MD5
cf282d151ee85034156d85c35acf8445

SHA1
c17b009cae5042b37a28ae1740fd263fbf1b632e

SHA256
f9a0c7f5b863b34df2bd47f36956ef508c5a616c8dcc24ea1b98ae919fd00014

SHA512
a1bc2aa323334d291ce22cc15490203241dd79c0109ced1f427b8f5b95db6b2ad9ccc4bad762d5facfaf30931071d030fc030a7333783740e705a7c85c733fb2

Download Submit
C:\Windows\{EC951BDF-7C03-49af-98A3-1598978ED678}.exe

Filesize
408KB

MD5
417a32f479c00e07f2b9634c7cbbfa36

SHA1
37c24fb022d919c75d711930663179b0d1da3b6a

SHA256
b3192428f96e1efad8daa6f206375bd411c6a6784059d0ee811b131513cd3f54

SHA512
0096e3d3141b03a6017122213df6200c3bff5d0bf9b4d1fe8d24e2d3da222f77571918f3a2fab773ce8c42526bcc206f7a57d510df4b769a53446b8f7d8efa99

Download Submit
C:\Windows\{F06CAA30-F84A-455d-933A-FD61F1F6D725}.exe

Filesize
408KB

MD5
da3cf730944b15952c7ace65a84c3a63

SHA1
d2c1cac61b40f3805ee47500877e7e22aede295a

SHA256
670ba1f0c2dfac6a98ae2f2ef805c38d3f00310c3fd5f4de505206665ca1b800

SHA512
3d42b38ed8d880976d7daef907746c3c4c99a6cad4ccecebbabbef7eb5fb2b51f04ec1c7be4ff24924b1bb8193922a25b57dc34a5cac0d24303abc2ef96a9c65

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads