0d6c02aba9abb40fc1e7bd117caf74714c63191002d22999867da5594c891fd9

Analysis

max time kernel
144s
max time network
124s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
02-02-2024 00:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-02_5af84e7f5d76c97905e3255bd6ba6c92_goldeneye.exe
Size

408KB
MD5

5af84e7f5d76c97905e3255bd6ba6c92
SHA1

d4b8fc4b3b42458f184eebd59b36e0ab62f947e0
SHA256

0d6c02aba9abb40fc1e7bd117caf74714c63191002d22999867da5594c891fd9
SHA512

10080bd9507e228a214e73fd33c2398e03a22f3ea825229711890785bf7340ea57a9dea21c7c36822a544fbd061320495e284a01cc0e24531f7656979c54eb43
SSDEEP

3072:CEGh0oYl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGqldOe2MUVg3vTeKcAEciTBqr3jy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral1/files/0x000c0000000122d5-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d0000000122fc-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d0000000122d5-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000300000000b1f7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000400000000b1f7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002c000000014824-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002c000000014824-55.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000500000000b1f7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002d000000014824-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000600000000b1f7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EB716B8B-668C-4e71-BEC7-DB459CB37E25}	{26FBBDB1-0565-4015-A0CD-AD1E9D187C6B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3C1FAE78-2079-4ce0-8B67-62387F16C06D}\stubpath = "C:\\Windows\\{3C1FAE78-2079-4ce0-8B67-62387F16C06D}.exe"	{EB716B8B-668C-4e71-BEC7-DB459CB37E25}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2E90D57A-6D36-4821-BB9F-99CFB8C41032}	{3C1FAE78-2079-4ce0-8B67-62387F16C06D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F7BBADA3-AF6B-4dcc-8A24-78831AF9D992}\stubpath = "C:\\Windows\\{F7BBADA3-AF6B-4dcc-8A24-78831AF9D992}.exe"	{2E90D57A-6D36-4821-BB9F-99CFB8C41032}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B3F71A83-1475-4289-8367-ACB5CAADF4D0}	2024-02-02_5af84e7f5d76c97905e3255bd6ba6c92_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{714CB8D3-FDA4-4e06-9C73-E516526D32E6}	{16DC5438-33D4-47d6-A2DA-8EAF5B263D43}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{714CB8D3-FDA4-4e06-9C73-E516526D32E6}\stubpath = "C:\\Windows\\{714CB8D3-FDA4-4e06-9C73-E516526D32E6}.exe"	{16DC5438-33D4-47d6-A2DA-8EAF5B263D43}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{26FBBDB1-0565-4015-A0CD-AD1E9D187C6B}	{714CB8D3-FDA4-4e06-9C73-E516526D32E6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{26FBBDB1-0565-4015-A0CD-AD1E9D187C6B}\stubpath = "C:\\Windows\\{26FBBDB1-0565-4015-A0CD-AD1E9D187C6B}.exe"	{714CB8D3-FDA4-4e06-9C73-E516526D32E6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{171E3A3F-566E-4a74-A722-5147D560188D}\stubpath = "C:\\Windows\\{171E3A3F-566E-4a74-A722-5147D560188D}.exe"	{F7BBADA3-AF6B-4dcc-8A24-78831AF9D992}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7B386BA9-F6C2-4b46-B3DD-78173DDB2431}\stubpath = "C:\\Windows\\{7B386BA9-F6C2-4b46-B3DD-78173DDB2431}.exe"	{171E3A3F-566E-4a74-A722-5147D560188D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{16DC5438-33D4-47d6-A2DA-8EAF5B263D43}	{B3F71A83-1475-4289-8367-ACB5CAADF4D0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{16DC5438-33D4-47d6-A2DA-8EAF5B263D43}\stubpath = "C:\\Windows\\{16DC5438-33D4-47d6-A2DA-8EAF5B263D43}.exe"	{B3F71A83-1475-4289-8367-ACB5CAADF4D0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2E90D57A-6D36-4821-BB9F-99CFB8C41032}\stubpath = "C:\\Windows\\{2E90D57A-6D36-4821-BB9F-99CFB8C41032}.exe"	{3C1FAE78-2079-4ce0-8B67-62387F16C06D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F7BBADA3-AF6B-4dcc-8A24-78831AF9D992}	{2E90D57A-6D36-4821-BB9F-99CFB8C41032}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C75A11D8-601D-44bb-BCD7-83056D97FBB0}	{7B386BA9-F6C2-4b46-B3DD-78173DDB2431}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B3F71A83-1475-4289-8367-ACB5CAADF4D0}\stubpath = "C:\\Windows\\{B3F71A83-1475-4289-8367-ACB5CAADF4D0}.exe"	2024-02-02_5af84e7f5d76c97905e3255bd6ba6c92_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EB716B8B-668C-4e71-BEC7-DB459CB37E25}\stubpath = "C:\\Windows\\{EB716B8B-668C-4e71-BEC7-DB459CB37E25}.exe"	{26FBBDB1-0565-4015-A0CD-AD1E9D187C6B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3C1FAE78-2079-4ce0-8B67-62387F16C06D}	{EB716B8B-668C-4e71-BEC7-DB459CB37E25}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{171E3A3F-566E-4a74-A722-5147D560188D}	{F7BBADA3-AF6B-4dcc-8A24-78831AF9D992}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7B386BA9-F6C2-4b46-B3DD-78173DDB2431}	{171E3A3F-566E-4a74-A722-5147D560188D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C75A11D8-601D-44bb-BCD7-83056D97FBB0}\stubpath = "C:\\Windows\\{C75A11D8-601D-44bb-BCD7-83056D97FBB0}.exe"	{7B386BA9-F6C2-4b46-B3DD-78173DDB2431}.exe

Deletes itself 1 IoCs

pid	Process
2728	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2420	{B3F71A83-1475-4289-8367-ACB5CAADF4D0}.exe
2708	{16DC5438-33D4-47d6-A2DA-8EAF5B263D43}.exe
3012	{714CB8D3-FDA4-4e06-9C73-E516526D32E6}.exe
828	{26FBBDB1-0565-4015-A0CD-AD1E9D187C6B}.exe
2996	{EB716B8B-668C-4e71-BEC7-DB459CB37E25}.exe
2236	{3C1FAE78-2079-4ce0-8B67-62387F16C06D}.exe
2632	{2E90D57A-6D36-4821-BB9F-99CFB8C41032}.exe
772	{F7BBADA3-AF6B-4dcc-8A24-78831AF9D992}.exe
1584	{171E3A3F-566E-4a74-A722-5147D560188D}.exe
2224	{7B386BA9-F6C2-4b46-B3DD-78173DDB2431}.exe
2680	{C75A11D8-601D-44bb-BCD7-83056D97FBB0}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{C75A11D8-601D-44bb-BCD7-83056D97FBB0}.exe	{7B386BA9-F6C2-4b46-B3DD-78173DDB2431}.exe
File created	C:\Windows\{EB716B8B-668C-4e71-BEC7-DB459CB37E25}.exe	{26FBBDB1-0565-4015-A0CD-AD1E9D187C6B}.exe
File created	C:\Windows\{2E90D57A-6D36-4821-BB9F-99CFB8C41032}.exe	{3C1FAE78-2079-4ce0-8B67-62387F16C06D}.exe
File created	C:\Windows\{F7BBADA3-AF6B-4dcc-8A24-78831AF9D992}.exe	{2E90D57A-6D36-4821-BB9F-99CFB8C41032}.exe
File created	C:\Windows\{171E3A3F-566E-4a74-A722-5147D560188D}.exe	{F7BBADA3-AF6B-4dcc-8A24-78831AF9D992}.exe
File created	C:\Windows\{7B386BA9-F6C2-4b46-B3DD-78173DDB2431}.exe	{171E3A3F-566E-4a74-A722-5147D560188D}.exe
File created	C:\Windows\{B3F71A83-1475-4289-8367-ACB5CAADF4D0}.exe	2024-02-02_5af84e7f5d76c97905e3255bd6ba6c92_goldeneye.exe
File created	C:\Windows\{16DC5438-33D4-47d6-A2DA-8EAF5B263D43}.exe	{B3F71A83-1475-4289-8367-ACB5CAADF4D0}.exe
File created	C:\Windows\{714CB8D3-FDA4-4e06-9C73-E516526D32E6}.exe	{16DC5438-33D4-47d6-A2DA-8EAF5B263D43}.exe
File created	C:\Windows\{26FBBDB1-0565-4015-A0CD-AD1E9D187C6B}.exe	{714CB8D3-FDA4-4e06-9C73-E516526D32E6}.exe
File created	C:\Windows\{3C1FAE78-2079-4ce0-8B67-62387F16C06D}.exe	{EB716B8B-668C-4e71-BEC7-DB459CB37E25}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1944	2024-02-02_5af84e7f5d76c97905e3255bd6ba6c92_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2420	{B3F71A83-1475-4289-8367-ACB5CAADF4D0}.exe
Token: SeIncBasePriorityPrivilege	2708	{16DC5438-33D4-47d6-A2DA-8EAF5B263D43}.exe
Token: SeIncBasePriorityPrivilege	3012	{714CB8D3-FDA4-4e06-9C73-E516526D32E6}.exe
Token: SeIncBasePriorityPrivilege	828	{26FBBDB1-0565-4015-A0CD-AD1E9D187C6B}.exe
Token: SeIncBasePriorityPrivilege	2996	{EB716B8B-668C-4e71-BEC7-DB459CB37E25}.exe
Token: SeIncBasePriorityPrivilege	2236	{3C1FAE78-2079-4ce0-8B67-62387F16C06D}.exe
Token: SeIncBasePriorityPrivilege	2632	{2E90D57A-6D36-4821-BB9F-99CFB8C41032}.exe
Token: SeIncBasePriorityPrivilege	772	{F7BBADA3-AF6B-4dcc-8A24-78831AF9D992}.exe
Token: SeIncBasePriorityPrivilege	1584	{171E3A3F-566E-4a74-A722-5147D560188D}.exe
Token: SeIncBasePriorityPrivilege	2224	{7B386BA9-F6C2-4b46-B3DD-78173DDB2431}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1944 wrote to memory of 2420	1944	2024-02-02_5af84e7f5d76c97905e3255bd6ba6c92_goldeneye.exe	28
PID 1944 wrote to memory of 2420	1944	2024-02-02_5af84e7f5d76c97905e3255bd6ba6c92_goldeneye.exe	28
PID 1944 wrote to memory of 2420	1944	2024-02-02_5af84e7f5d76c97905e3255bd6ba6c92_goldeneye.exe	28
PID 1944 wrote to memory of 2420	1944	2024-02-02_5af84e7f5d76c97905e3255bd6ba6c92_goldeneye.exe	28
PID 1944 wrote to memory of 2728	1944	2024-02-02_5af84e7f5d76c97905e3255bd6ba6c92_goldeneye.exe	29
PID 1944 wrote to memory of 2728	1944	2024-02-02_5af84e7f5d76c97905e3255bd6ba6c92_goldeneye.exe	29
PID 1944 wrote to memory of 2728	1944	2024-02-02_5af84e7f5d76c97905e3255bd6ba6c92_goldeneye.exe	29
PID 1944 wrote to memory of 2728	1944	2024-02-02_5af84e7f5d76c97905e3255bd6ba6c92_goldeneye.exe	29
PID 2420 wrote to memory of 2708	2420	{B3F71A83-1475-4289-8367-ACB5CAADF4D0}.exe	30
PID 2420 wrote to memory of 2708	2420	{B3F71A83-1475-4289-8367-ACB5CAADF4D0}.exe	30
PID 2420 wrote to memory of 2708	2420	{B3F71A83-1475-4289-8367-ACB5CAADF4D0}.exe	30
PID 2420 wrote to memory of 2708	2420	{B3F71A83-1475-4289-8367-ACB5CAADF4D0}.exe	30
PID 2420 wrote to memory of 2888	2420	{B3F71A83-1475-4289-8367-ACB5CAADF4D0}.exe	31
PID 2420 wrote to memory of 2888	2420	{B3F71A83-1475-4289-8367-ACB5CAADF4D0}.exe	31
PID 2420 wrote to memory of 2888	2420	{B3F71A83-1475-4289-8367-ACB5CAADF4D0}.exe	31
PID 2420 wrote to memory of 2888	2420	{B3F71A83-1475-4289-8367-ACB5CAADF4D0}.exe	31
PID 2708 wrote to memory of 3012	2708	{16DC5438-33D4-47d6-A2DA-8EAF5B263D43}.exe	32
PID 2708 wrote to memory of 3012	2708	{16DC5438-33D4-47d6-A2DA-8EAF5B263D43}.exe	32
PID 2708 wrote to memory of 3012	2708	{16DC5438-33D4-47d6-A2DA-8EAF5B263D43}.exe	32
PID 2708 wrote to memory of 3012	2708	{16DC5438-33D4-47d6-A2DA-8EAF5B263D43}.exe	32
PID 2708 wrote to memory of 2752	2708	{16DC5438-33D4-47d6-A2DA-8EAF5B263D43}.exe	33
PID 2708 wrote to memory of 2752	2708	{16DC5438-33D4-47d6-A2DA-8EAF5B263D43}.exe	33
PID 2708 wrote to memory of 2752	2708	{16DC5438-33D4-47d6-A2DA-8EAF5B263D43}.exe	33
PID 2708 wrote to memory of 2752	2708	{16DC5438-33D4-47d6-A2DA-8EAF5B263D43}.exe	33
PID 3012 wrote to memory of 828	3012	{714CB8D3-FDA4-4e06-9C73-E516526D32E6}.exe	36
PID 3012 wrote to memory of 828	3012	{714CB8D3-FDA4-4e06-9C73-E516526D32E6}.exe	36
PID 3012 wrote to memory of 828	3012	{714CB8D3-FDA4-4e06-9C73-E516526D32E6}.exe	36
PID 3012 wrote to memory of 828	3012	{714CB8D3-FDA4-4e06-9C73-E516526D32E6}.exe	36
PID 3012 wrote to memory of 2976	3012	{714CB8D3-FDA4-4e06-9C73-E516526D32E6}.exe	37
PID 3012 wrote to memory of 2976	3012	{714CB8D3-FDA4-4e06-9C73-E516526D32E6}.exe	37
PID 3012 wrote to memory of 2976	3012	{714CB8D3-FDA4-4e06-9C73-E516526D32E6}.exe	37
PID 3012 wrote to memory of 2976	3012	{714CB8D3-FDA4-4e06-9C73-E516526D32E6}.exe	37
PID 828 wrote to memory of 2996	828	{26FBBDB1-0565-4015-A0CD-AD1E9D187C6B}.exe	38
PID 828 wrote to memory of 2996	828	{26FBBDB1-0565-4015-A0CD-AD1E9D187C6B}.exe	38
PID 828 wrote to memory of 2996	828	{26FBBDB1-0565-4015-A0CD-AD1E9D187C6B}.exe	38
PID 828 wrote to memory of 2996	828	{26FBBDB1-0565-4015-A0CD-AD1E9D187C6B}.exe	38
PID 828 wrote to memory of 2136	828	{26FBBDB1-0565-4015-A0CD-AD1E9D187C6B}.exe	39
PID 828 wrote to memory of 2136	828	{26FBBDB1-0565-4015-A0CD-AD1E9D187C6B}.exe	39
PID 828 wrote to memory of 2136	828	{26FBBDB1-0565-4015-A0CD-AD1E9D187C6B}.exe	39
PID 828 wrote to memory of 2136	828	{26FBBDB1-0565-4015-A0CD-AD1E9D187C6B}.exe	39
PID 2996 wrote to memory of 2236	2996	{EB716B8B-668C-4e71-BEC7-DB459CB37E25}.exe	40
PID 2996 wrote to memory of 2236	2996	{EB716B8B-668C-4e71-BEC7-DB459CB37E25}.exe	40
PID 2996 wrote to memory of 2236	2996	{EB716B8B-668C-4e71-BEC7-DB459CB37E25}.exe	40
PID 2996 wrote to memory of 2236	2996	{EB716B8B-668C-4e71-BEC7-DB459CB37E25}.exe	40
PID 2996 wrote to memory of 1908	2996	{EB716B8B-668C-4e71-BEC7-DB459CB37E25}.exe	41
PID 2996 wrote to memory of 1908	2996	{EB716B8B-668C-4e71-BEC7-DB459CB37E25}.exe	41
PID 2996 wrote to memory of 1908	2996	{EB716B8B-668C-4e71-BEC7-DB459CB37E25}.exe	41
PID 2996 wrote to memory of 1908	2996	{EB716B8B-668C-4e71-BEC7-DB459CB37E25}.exe	41
PID 2236 wrote to memory of 2632	2236	{3C1FAE78-2079-4ce0-8B67-62387F16C06D}.exe	42
PID 2236 wrote to memory of 2632	2236	{3C1FAE78-2079-4ce0-8B67-62387F16C06D}.exe	42
PID 2236 wrote to memory of 2632	2236	{3C1FAE78-2079-4ce0-8B67-62387F16C06D}.exe	42
PID 2236 wrote to memory of 2632	2236	{3C1FAE78-2079-4ce0-8B67-62387F16C06D}.exe	42
PID 2236 wrote to memory of 524	2236	{3C1FAE78-2079-4ce0-8B67-62387F16C06D}.exe	43
PID 2236 wrote to memory of 524	2236	{3C1FAE78-2079-4ce0-8B67-62387F16C06D}.exe	43
PID 2236 wrote to memory of 524	2236	{3C1FAE78-2079-4ce0-8B67-62387F16C06D}.exe	43
PID 2236 wrote to memory of 524	2236	{3C1FAE78-2079-4ce0-8B67-62387F16C06D}.exe	43
PID 2632 wrote to memory of 772	2632	{2E90D57A-6D36-4821-BB9F-99CFB8C41032}.exe	44
PID 2632 wrote to memory of 772	2632	{2E90D57A-6D36-4821-BB9F-99CFB8C41032}.exe	44
PID 2632 wrote to memory of 772	2632	{2E90D57A-6D36-4821-BB9F-99CFB8C41032}.exe	44
PID 2632 wrote to memory of 772	2632	{2E90D57A-6D36-4821-BB9F-99CFB8C41032}.exe	44
PID 2632 wrote to memory of 1092	2632	{2E90D57A-6D36-4821-BB9F-99CFB8C41032}.exe	45
PID 2632 wrote to memory of 1092	2632	{2E90D57A-6D36-4821-BB9F-99CFB8C41032}.exe	45
PID 2632 wrote to memory of 1092	2632	{2E90D57A-6D36-4821-BB9F-99CFB8C41032}.exe	45
PID 2632 wrote to memory of 1092	2632	{2E90D57A-6D36-4821-BB9F-99CFB8C41032}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-02-02_5af84e7f5d76c97905e3255bd6ba6c92_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-02_5af84e7f5d76c97905e3255bd6ba6c92_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1944
- C:\Windows\{B3F71A83-1475-4289-8367-ACB5CAADF4D0}.exe
  C:\Windows\{B3F71A83-1475-4289-8367-ACB5CAADF4D0}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2420
- - C:\Windows\{16DC5438-33D4-47d6-A2DA-8EAF5B263D43}.exe
    C:\Windows\{16DC5438-33D4-47d6-A2DA-8EAF5B263D43}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2708
  - - C:\Windows\{714CB8D3-FDA4-4e06-9C73-E516526D32E6}.exe
      C:\Windows\{714CB8D3-FDA4-4e06-9C73-E516526D32E6}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3012
    - - C:\Windows\{26FBBDB1-0565-4015-A0CD-AD1E9D187C6B}.exe
        
        C:\Windows\{26FBBDB1-0565-4015-A0CD-AD1E9D187C6B}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:828
      - C:\Windows\{EB716B8B-668C-4e71-BEC7-DB459CB37E25}.exe
        
        C:\Windows\{EB716B8B-668C-4e71-BEC7-DB459CB37E25}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2996
        
        C:\Windows\{3C1FAE78-2079-4ce0-8B67-62387F16C06D}.exe
        
        C:\Windows\{3C1FAE78-2079-4ce0-8B67-62387F16C06D}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2236
        
        C:\Windows\{2E90D57A-6D36-4821-BB9F-99CFB8C41032}.exe
        
        C:\Windows\{2E90D57A-6D36-4821-BB9F-99CFB8C41032}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2632
        
        C:\Windows\{F7BBADA3-AF6B-4dcc-8A24-78831AF9D992}.exe
        
        C:\Windows\{F7BBADA3-AF6B-4dcc-8A24-78831AF9D992}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F7BBA~1.EXE > nul
        10⤵
        
        PID:1360
        
        C:\Windows\{171E3A3F-566E-4a74-A722-5147D560188D}.exe
        
        C:\Windows\{171E3A3F-566E-4a74-A722-5147D560188D}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1584
        
        C:\Windows\{7B386BA9-F6C2-4b46-B3DD-78173DDB2431}.exe
        
        C:\Windows\{7B386BA9-F6C2-4b46-B3DD-78173DDB2431}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7B386~1.EXE > nul
        12⤵
        
        PID:1852
        
        C:\Windows\{C75A11D8-601D-44bb-BCD7-83056D97FBB0}.exe
        
        C:\Windows\{C75A11D8-601D-44bb-BCD7-83056D97FBB0}.exe
        12⤵
        Executes dropped EXE
        
        PID:2680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{171E3~1.EXE > nul
        11⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2E90D~1.EXE > nul
        9⤵
        
        PID:1092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3C1FA~1.EXE > nul
        8⤵
        
        PID:524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EB716~1.EXE > nul
        7⤵
        
        PID:1908
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{26FBB~1.EXE > nul
        6⤵
        
        PID:2136
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{714CB~1.EXE > nul
        5⤵
        
        PID:2976
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{16DC5~1.EXE > nul
      4⤵
      PID:2752
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{B3F71~1.EXE > nul
    3⤵
    PID:2888
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{16DC5438-33D4-47d6-A2DA-8EAF5B263D43}.exe

Filesize
408KB

MD5
f3ee56fadad4b5e4b5b22cd4ea2e8654

SHA1
98a54386721d2477a5be54ad002cd5e52f2b7d7a

SHA256
53218aa92bf6a5d19a943bf429eca6b6950f03e56a1264ddddfd2bd04c981357

SHA512
45acb9efe27f9565d3ef8a6d64c7389b1a6565a9a1a95b54babdccbd3c381e57246eeda5765690e9c11c0979c4e4ef135ebb6ad473e21a4a007f80e4366fb30c

Download Submit
C:\Windows\{171E3A3F-566E-4a74-A722-5147D560188D}.exe

Filesize
408KB

MD5
2716ea13911eee051fb361fd4cadcee2

SHA1
482c9399c2f621f3032da966dd550cde2d08c50c

SHA256
30bcd7e9441ea72fdf185dae13e04cdf33997cf2468caaa15851a6b32a2bdeca

SHA512
f705b7ea552e89059df6f18de1c99e2f8323ba2a5cac93380ce5f87bb8d0f153cda54718eb120b1a8c46cc6699e04efa9bb59e2efc72cc9d612d6ef6daa973a3

Download Submit
C:\Windows\{26FBBDB1-0565-4015-A0CD-AD1E9D187C6B}.exe

Filesize
408KB

MD5
c9d56a3471040ca8349fea0481e960c2

SHA1
d6d1aa5a4d44f2d94c4208b20bee06a6a7e0669c

SHA256
3b27f41b69a1657e2509b45e53f2c62f69e471663feb403077121748ef139ce9

SHA512
49eca10c0b3297729f32e99da19a40f98ae8ded6e5e859a9a4134bb5cd6c279786f9e432aba15ff6128bba2c2355cf2bc566c81a03f6b7739cf6fe3df335da2e

Download Submit
C:\Windows\{2E90D57A-6D36-4821-BB9F-99CFB8C41032}.exe

Filesize
408KB

MD5
fbf99e4733d358e58adc307f0752fb43

SHA1
ecc82833b158493a0c6da402f4dc9beb1f8e2809

SHA256
0fcb0785447457ccc2180658f5c038ce6718ce469ee4e90c5fc00686f8b02184

SHA512
fc29c11a1afbbcd6c69f2c9ccbbafb3c8506beda5f3d978baa8bbcf57b845af89a41de8fa2eb4deefbf921054225543f72335f477110967734ca23f527ed8f97

Download Submit
C:\Windows\{3C1FAE78-2079-4ce0-8B67-62387F16C06D}.exe

Filesize
408KB

MD5
fdd7443e64751ed609f78bb49b1727b8

SHA1
a0d0de3672a8a1e37df80b447c2a8c330f32cf31

SHA256
b9c4e33d9972d25bc07f6a6bc4a84e667ff9ef0db7dbce8032a5ac467a406082

SHA512
0854db95ffe7437ce29b92531836297a35daad95677924f51606f315cf3b1abe4186069b93effa2745859a73206a9594752446763a9be17a51e158283d08863a

Download Submit
C:\Windows\{714CB8D3-FDA4-4e06-9C73-E516526D32E6}.exe

Filesize
408KB

MD5
d2d384ed44775cf1a628e418d381f04e

SHA1
e2315688a3c1137a8b82d92ee33175248688e91e

SHA256
aac77b8887ad3b21fe2019637f1b594e63ce34feddb3c9d2bbbdc4f0c8b6c645

SHA512
06a0e9340cd75fb1f527b60b501c625b9ebff7210ea3554334075eae1fe9aa711e5e49205439d4a2a4429d0bb1a62a1e087ccc09f991b8edb012950f8d32f108

Download Submit
C:\Windows\{7B386BA9-F6C2-4b46-B3DD-78173DDB2431}.exe

Filesize
408KB

MD5
5780db35cf630b5868fb82e8b51e0315

SHA1
95897505f3462a8a6ba91f7797de1271d14d05cd

SHA256
3bff32a622e2387ea2a53cd0456bf1621f68b343d46c88b3e69bfa1cc34d0121

SHA512
ef261687b87ddef457a502ec52d45bfc18674f0bc62fed64f7eb7f6520d09ca2daa19e1fa81ecb5d2a929faece615f82ff5fe2efafc78d35972a63bf0a026799

Download Submit
C:\Windows\{B3F71A83-1475-4289-8367-ACB5CAADF4D0}.exe

Filesize
408KB

MD5
7e9d04e28594362e2eb9066784fac2db

SHA1
13499b98afdd3dcd81d6482feab27c896d355c6c

SHA256
290cc9e5db5e0eea1a397bb7fc11201ca8b24330344fc96a6d1b1cfff973c102

SHA512
3eba5d4b9e48cf452d343cba2668ade1202f1d81aef5dac3deae6e816faec868bf62706787e53b169255fd5399e64aa4df22b7c2557be393dc87f841fc913fac

Download Submit
C:\Windows\{C75A11D8-601D-44bb-BCD7-83056D97FBB0}.exe

Filesize
408KB

MD5
361786a04818ee44ba8cf2ff27611472

SHA1
a955cabf05f022b31e6fa91c3b1411ef7f073af6

SHA256
be6fc21c98db96ae4425a3434a5efca4b256d62b3624b4e5239970435dd6d4b7

SHA512
1794d331cd0f29d8ee6e408c2f9bbc8c3b3e0644a818a09c3a16234f051838e72e4f5ceb09a8c243b1448f126038c52b622d5dd641883b0e921ff85fc8266958

Download Submit
C:\Windows\{EB716B8B-668C-4e71-BEC7-DB459CB37E25}.exe

Filesize
408KB

MD5
7652f3ab2e8800797b7a53fa8010abd0

SHA1
c811e9c6d73395506c039a7865f96f887cd4a666

SHA256
83886802df2dff50eb81ccb9c6a82d3310630dd7938abbc43f9fc8583be7e543

SHA512
a506ef69917007f164624e0777eeb64fd7989b08cc42b6599b92e009a51c1e7b8b8b27dd5b61475d7ce59818fc2dc8886eed0838406926b330f68bfe68834027

Download Submit
C:\Windows\{F7BBADA3-AF6B-4dcc-8A24-78831AF9D992}.exe

Filesize
408KB

MD5
1056860f99265332905bff063e708e3a

SHA1
63d35c15382f897de4836bff96e96246cd91c482

SHA256
a55da2400e20681fa7d41f3d8599710fea9301a815394181933e3fe22910cf74

SHA512
52a745fe2957e9615eb5dcadb4e729cef745bc9f939f21cbb7c7b1f95b71bfa8fe463a2abf263e1e5840dca47154ba99bfc7f3f123a06bd916e71c135bceabac

Download Submit
C:\Windows\{F7BBADA3-AF6B-4dcc-8A24-78831AF9D992}.exe

Filesize
48KB

MD5
3e87deb967e2b57e70c8c2188c7692a6

SHA1
fb2521442e483d1faaec5bf0dea7066b7ca441e4

SHA256
99b1afcbe4ea2c586bbbf06a4a98a75e50469784567d5090165fc86ba0550878

SHA512
802ae558d622999a6e72ed873f3e2b42acbad68a2784bbd6ffcb4d8d29b8088519ac9a3b8b982e5695e58e8558e49c0c8ad2ce18ee71f78540c28a3d9eec5284

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads