d8d084a7f00da8e9ea6a6b20a824d850a7285de2d25ae1808ccd3cd1209ba2a6

Analysis

max time kernel
144s
max time network
123s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
03/02/2024, 07:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-03_0230f77526c0e840308daf60620f7d90_goldeneye.exe
Size

204KB
MD5

0230f77526c0e840308daf60620f7d90
SHA1

cfb5e9b5dbc413ea2c8d1e3d66eea504c3011157
SHA256

d8d084a7f00da8e9ea6a6b20a824d850a7285de2d25ae1808ccd3cd1209ba2a6
SHA512

29576b2957ac4ca24f5fa03ec7dcffe9a20ce3330000678f34dc6b81c847f728854c21e24d55dfa747d77585691de78dc0973eb3c4568810fa8cc4ab995f88d8
SSDEEP

1536:1EGh0o4l15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0o4l1OPOe2MUVg3Ve+rXfMUy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000b00000000e610-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c00000001220d-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000005a59-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d00000001220d-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000015d31-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000015d98-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000015df1-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a000000015d98-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000015f7a-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b000000015d98-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000015f7a-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D400E40A-8F92-4a39-AACA-AE06F98505C3}	{C7E306D6-BA3E-42ff-A1AC-AD4D4C0D86FE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{039F6E87-6766-4791-AF63-CF0840AF892A}	{D400E40A-8F92-4a39-AACA-AE06F98505C3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{06EAF32D-B05F-4c29-B3CD-985E368DAF11}\stubpath = "C:\\Windows\\{06EAF32D-B05F-4c29-B3CD-985E368DAF11}.exe"	{6ED92A5F-785A-4cfc-A403-821E25B093BB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{46F7C584-6405-4961-B4D6-0EF51297902C}	{06EAF32D-B05F-4c29-B3CD-985E368DAF11}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F1483EBF-9FED-4352-AC81-69DF721DB9C1}	{46F7C584-6405-4961-B4D6-0EF51297902C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4AAB5518-61EF-48e0-B47B-6FD71B7F951B}	{F1483EBF-9FED-4352-AC81-69DF721DB9C1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{610FD04F-73F7-4236-AF40-9525F5DB04D7}\stubpath = "C:\\Windows\\{610FD04F-73F7-4236-AF40-9525F5DB04D7}.exe"	{D665765C-B4D1-4adf-96B9-88782DDFFB6F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C7E306D6-BA3E-42ff-A1AC-AD4D4C0D86FE}	2024-02-03_0230f77526c0e840308daf60620f7d90_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{46F7C584-6405-4961-B4D6-0EF51297902C}\stubpath = "C:\\Windows\\{46F7C584-6405-4961-B4D6-0EF51297902C}.exe"	{06EAF32D-B05F-4c29-B3CD-985E368DAF11}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F1483EBF-9FED-4352-AC81-69DF721DB9C1}\stubpath = "C:\\Windows\\{F1483EBF-9FED-4352-AC81-69DF721DB9C1}.exe"	{46F7C584-6405-4961-B4D6-0EF51297902C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B2A8356D-786D-477d-AAC2-F845B71F1395}	{4AAB5518-61EF-48e0-B47B-6FD71B7F951B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B2A8356D-786D-477d-AAC2-F845B71F1395}\stubpath = "C:\\Windows\\{B2A8356D-786D-477d-AAC2-F845B71F1395}.exe"	{4AAB5518-61EF-48e0-B47B-6FD71B7F951B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6ED92A5F-785A-4cfc-A403-821E25B093BB}	{039F6E87-6766-4791-AF63-CF0840AF892A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6ED92A5F-785A-4cfc-A403-821E25B093BB}\stubpath = "C:\\Windows\\{6ED92A5F-785A-4cfc-A403-821E25B093BB}.exe"	{039F6E87-6766-4791-AF63-CF0840AF892A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{06EAF32D-B05F-4c29-B3CD-985E368DAF11}	{6ED92A5F-785A-4cfc-A403-821E25B093BB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4AAB5518-61EF-48e0-B47B-6FD71B7F951B}\stubpath = "C:\\Windows\\{4AAB5518-61EF-48e0-B47B-6FD71B7F951B}.exe"	{F1483EBF-9FED-4352-AC81-69DF721DB9C1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D665765C-B4D1-4adf-96B9-88782DDFFB6F}	{B2A8356D-786D-477d-AAC2-F845B71F1395}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D665765C-B4D1-4adf-96B9-88782DDFFB6F}\stubpath = "C:\\Windows\\{D665765C-B4D1-4adf-96B9-88782DDFFB6F}.exe"	{B2A8356D-786D-477d-AAC2-F845B71F1395}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{610FD04F-73F7-4236-AF40-9525F5DB04D7}	{D665765C-B4D1-4adf-96B9-88782DDFFB6F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C7E306D6-BA3E-42ff-A1AC-AD4D4C0D86FE}\stubpath = "C:\\Windows\\{C7E306D6-BA3E-42ff-A1AC-AD4D4C0D86FE}.exe"	2024-02-03_0230f77526c0e840308daf60620f7d90_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D400E40A-8F92-4a39-AACA-AE06F98505C3}\stubpath = "C:\\Windows\\{D400E40A-8F92-4a39-AACA-AE06F98505C3}.exe"	{C7E306D6-BA3E-42ff-A1AC-AD4D4C0D86FE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{039F6E87-6766-4791-AF63-CF0840AF892A}\stubpath = "C:\\Windows\\{039F6E87-6766-4791-AF63-CF0840AF892A}.exe"	{D400E40A-8F92-4a39-AACA-AE06F98505C3}.exe

Deletes itself 1 IoCs

pid	Process
2832	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2548	{C7E306D6-BA3E-42ff-A1AC-AD4D4C0D86FE}.exe
2892	{D400E40A-8F92-4a39-AACA-AE06F98505C3}.exe
2464	{039F6E87-6766-4791-AF63-CF0840AF892A}.exe
2972	{6ED92A5F-785A-4cfc-A403-821E25B093BB}.exe
2260	{06EAF32D-B05F-4c29-B3CD-985E368DAF11}.exe
2420	{46F7C584-6405-4961-B4D6-0EF51297902C}.exe
2248	{F1483EBF-9FED-4352-AC81-69DF721DB9C1}.exe
1628	{4AAB5518-61EF-48e0-B47B-6FD71B7F951B}.exe
844	{B2A8356D-786D-477d-AAC2-F845B71F1395}.exe
1668	{D665765C-B4D1-4adf-96B9-88782DDFFB6F}.exe
2736	{610FD04F-73F7-4236-AF40-9525F5DB04D7}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{039F6E87-6766-4791-AF63-CF0840AF892A}.exe	{D400E40A-8F92-4a39-AACA-AE06F98505C3}.exe
File created	C:\Windows\{F1483EBF-9FED-4352-AC81-69DF721DB9C1}.exe	{46F7C584-6405-4961-B4D6-0EF51297902C}.exe
File created	C:\Windows\{4AAB5518-61EF-48e0-B47B-6FD71B7F951B}.exe	{F1483EBF-9FED-4352-AC81-69DF721DB9C1}.exe
File created	C:\Windows\{D665765C-B4D1-4adf-96B9-88782DDFFB6F}.exe	{B2A8356D-786D-477d-AAC2-F845B71F1395}.exe
File created	C:\Windows\{610FD04F-73F7-4236-AF40-9525F5DB04D7}.exe	{D665765C-B4D1-4adf-96B9-88782DDFFB6F}.exe
File created	C:\Windows\{C7E306D6-BA3E-42ff-A1AC-AD4D4C0D86FE}.exe	2024-02-03_0230f77526c0e840308daf60620f7d90_goldeneye.exe
File created	C:\Windows\{D400E40A-8F92-4a39-AACA-AE06F98505C3}.exe	{C7E306D6-BA3E-42ff-A1AC-AD4D4C0D86FE}.exe
File created	C:\Windows\{6ED92A5F-785A-4cfc-A403-821E25B093BB}.exe	{039F6E87-6766-4791-AF63-CF0840AF892A}.exe
File created	C:\Windows\{06EAF32D-B05F-4c29-B3CD-985E368DAF11}.exe	{6ED92A5F-785A-4cfc-A403-821E25B093BB}.exe
File created	C:\Windows\{46F7C584-6405-4961-B4D6-0EF51297902C}.exe	{06EAF32D-B05F-4c29-B3CD-985E368DAF11}.exe
File created	C:\Windows\{B2A8356D-786D-477d-AAC2-F845B71F1395}.exe	{4AAB5518-61EF-48e0-B47B-6FD71B7F951B}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2992	2024-02-03_0230f77526c0e840308daf60620f7d90_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2548	{C7E306D6-BA3E-42ff-A1AC-AD4D4C0D86FE}.exe
Token: SeIncBasePriorityPrivilege	2892	{D400E40A-8F92-4a39-AACA-AE06F98505C3}.exe
Token: SeIncBasePriorityPrivilege	2464	{039F6E87-6766-4791-AF63-CF0840AF892A}.exe
Token: SeIncBasePriorityPrivilege	2972	{6ED92A5F-785A-4cfc-A403-821E25B093BB}.exe
Token: SeIncBasePriorityPrivilege	2260	{06EAF32D-B05F-4c29-B3CD-985E368DAF11}.exe
Token: SeIncBasePriorityPrivilege	2420	{46F7C584-6405-4961-B4D6-0EF51297902C}.exe
Token: SeIncBasePriorityPrivilege	2248	{F1483EBF-9FED-4352-AC81-69DF721DB9C1}.exe
Token: SeIncBasePriorityPrivilege	1628	{4AAB5518-61EF-48e0-B47B-6FD71B7F951B}.exe
Token: SeIncBasePriorityPrivilege	844	{B2A8356D-786D-477d-AAC2-F845B71F1395}.exe
Token: SeIncBasePriorityPrivilege	1668	{D665765C-B4D1-4adf-96B9-88782DDFFB6F}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2992 wrote to memory of 2548	2992	2024-02-03_0230f77526c0e840308daf60620f7d90_goldeneye.exe	28
PID 2992 wrote to memory of 2548	2992	2024-02-03_0230f77526c0e840308daf60620f7d90_goldeneye.exe	28
PID 2992 wrote to memory of 2548	2992	2024-02-03_0230f77526c0e840308daf60620f7d90_goldeneye.exe	28
PID 2992 wrote to memory of 2548	2992	2024-02-03_0230f77526c0e840308daf60620f7d90_goldeneye.exe	28
PID 2992 wrote to memory of 2832	2992	2024-02-03_0230f77526c0e840308daf60620f7d90_goldeneye.exe	29
PID 2992 wrote to memory of 2832	2992	2024-02-03_0230f77526c0e840308daf60620f7d90_goldeneye.exe	29
PID 2992 wrote to memory of 2832	2992	2024-02-03_0230f77526c0e840308daf60620f7d90_goldeneye.exe	29
PID 2992 wrote to memory of 2832	2992	2024-02-03_0230f77526c0e840308daf60620f7d90_goldeneye.exe	29
PID 2548 wrote to memory of 2892	2548	{C7E306D6-BA3E-42ff-A1AC-AD4D4C0D86FE}.exe	30
PID 2548 wrote to memory of 2892	2548	{C7E306D6-BA3E-42ff-A1AC-AD4D4C0D86FE}.exe	30
PID 2548 wrote to memory of 2892	2548	{C7E306D6-BA3E-42ff-A1AC-AD4D4C0D86FE}.exe	30
PID 2548 wrote to memory of 2892	2548	{C7E306D6-BA3E-42ff-A1AC-AD4D4C0D86FE}.exe	30
PID 2548 wrote to memory of 2612	2548	{C7E306D6-BA3E-42ff-A1AC-AD4D4C0D86FE}.exe	31
PID 2548 wrote to memory of 2612	2548	{C7E306D6-BA3E-42ff-A1AC-AD4D4C0D86FE}.exe	31
PID 2548 wrote to memory of 2612	2548	{C7E306D6-BA3E-42ff-A1AC-AD4D4C0D86FE}.exe	31
PID 2548 wrote to memory of 2612	2548	{C7E306D6-BA3E-42ff-A1AC-AD4D4C0D86FE}.exe	31
PID 2892 wrote to memory of 2464	2892	{D400E40A-8F92-4a39-AACA-AE06F98505C3}.exe	34
PID 2892 wrote to memory of 2464	2892	{D400E40A-8F92-4a39-AACA-AE06F98505C3}.exe	34
PID 2892 wrote to memory of 2464	2892	{D400E40A-8F92-4a39-AACA-AE06F98505C3}.exe	34
PID 2892 wrote to memory of 2464	2892	{D400E40A-8F92-4a39-AACA-AE06F98505C3}.exe	34
PID 2892 wrote to memory of 2544	2892	{D400E40A-8F92-4a39-AACA-AE06F98505C3}.exe	35
PID 2892 wrote to memory of 2544	2892	{D400E40A-8F92-4a39-AACA-AE06F98505C3}.exe	35
PID 2892 wrote to memory of 2544	2892	{D400E40A-8F92-4a39-AACA-AE06F98505C3}.exe	35
PID 2892 wrote to memory of 2544	2892	{D400E40A-8F92-4a39-AACA-AE06F98505C3}.exe	35
PID 2464 wrote to memory of 2972	2464	{039F6E87-6766-4791-AF63-CF0840AF892A}.exe	36
PID 2464 wrote to memory of 2972	2464	{039F6E87-6766-4791-AF63-CF0840AF892A}.exe	36
PID 2464 wrote to memory of 2972	2464	{039F6E87-6766-4791-AF63-CF0840AF892A}.exe	36
PID 2464 wrote to memory of 2972	2464	{039F6E87-6766-4791-AF63-CF0840AF892A}.exe	36
PID 2464 wrote to memory of 592	2464	{039F6E87-6766-4791-AF63-CF0840AF892A}.exe	37
PID 2464 wrote to memory of 592	2464	{039F6E87-6766-4791-AF63-CF0840AF892A}.exe	37
PID 2464 wrote to memory of 592	2464	{039F6E87-6766-4791-AF63-CF0840AF892A}.exe	37
PID 2464 wrote to memory of 592	2464	{039F6E87-6766-4791-AF63-CF0840AF892A}.exe	37
PID 2972 wrote to memory of 2260	2972	{6ED92A5F-785A-4cfc-A403-821E25B093BB}.exe	38
PID 2972 wrote to memory of 2260	2972	{6ED92A5F-785A-4cfc-A403-821E25B093BB}.exe	38
PID 2972 wrote to memory of 2260	2972	{6ED92A5F-785A-4cfc-A403-821E25B093BB}.exe	38
PID 2972 wrote to memory of 2260	2972	{6ED92A5F-785A-4cfc-A403-821E25B093BB}.exe	38
PID 2972 wrote to memory of 576	2972	{6ED92A5F-785A-4cfc-A403-821E25B093BB}.exe	39
PID 2972 wrote to memory of 576	2972	{6ED92A5F-785A-4cfc-A403-821E25B093BB}.exe	39
PID 2972 wrote to memory of 576	2972	{6ED92A5F-785A-4cfc-A403-821E25B093BB}.exe	39
PID 2972 wrote to memory of 576	2972	{6ED92A5F-785A-4cfc-A403-821E25B093BB}.exe	39
PID 2260 wrote to memory of 2420	2260	{06EAF32D-B05F-4c29-B3CD-985E368DAF11}.exe	40
PID 2260 wrote to memory of 2420	2260	{06EAF32D-B05F-4c29-B3CD-985E368DAF11}.exe	40
PID 2260 wrote to memory of 2420	2260	{06EAF32D-B05F-4c29-B3CD-985E368DAF11}.exe	40
PID 2260 wrote to memory of 2420	2260	{06EAF32D-B05F-4c29-B3CD-985E368DAF11}.exe	40
PID 2260 wrote to memory of 1716	2260	{06EAF32D-B05F-4c29-B3CD-985E368DAF11}.exe	41
PID 2260 wrote to memory of 1716	2260	{06EAF32D-B05F-4c29-B3CD-985E368DAF11}.exe	41
PID 2260 wrote to memory of 1716	2260	{06EAF32D-B05F-4c29-B3CD-985E368DAF11}.exe	41
PID 2260 wrote to memory of 1716	2260	{06EAF32D-B05F-4c29-B3CD-985E368DAF11}.exe	41
PID 2420 wrote to memory of 2248	2420	{46F7C584-6405-4961-B4D6-0EF51297902C}.exe	42
PID 2420 wrote to memory of 2248	2420	{46F7C584-6405-4961-B4D6-0EF51297902C}.exe	42
PID 2420 wrote to memory of 2248	2420	{46F7C584-6405-4961-B4D6-0EF51297902C}.exe	42
PID 2420 wrote to memory of 2248	2420	{46F7C584-6405-4961-B4D6-0EF51297902C}.exe	42
PID 2420 wrote to memory of 2348	2420	{46F7C584-6405-4961-B4D6-0EF51297902C}.exe	43
PID 2420 wrote to memory of 2348	2420	{46F7C584-6405-4961-B4D6-0EF51297902C}.exe	43
PID 2420 wrote to memory of 2348	2420	{46F7C584-6405-4961-B4D6-0EF51297902C}.exe	43
PID 2420 wrote to memory of 2348	2420	{46F7C584-6405-4961-B4D6-0EF51297902C}.exe	43
PID 2248 wrote to memory of 1628	2248	{F1483EBF-9FED-4352-AC81-69DF721DB9C1}.exe	44
PID 2248 wrote to memory of 1628	2248	{F1483EBF-9FED-4352-AC81-69DF721DB9C1}.exe	44
PID 2248 wrote to memory of 1628	2248	{F1483EBF-9FED-4352-AC81-69DF721DB9C1}.exe	44
PID 2248 wrote to memory of 1628	2248	{F1483EBF-9FED-4352-AC81-69DF721DB9C1}.exe	44
PID 2248 wrote to memory of 2400	2248	{F1483EBF-9FED-4352-AC81-69DF721DB9C1}.exe	45
PID 2248 wrote to memory of 2400	2248	{F1483EBF-9FED-4352-AC81-69DF721DB9C1}.exe	45
PID 2248 wrote to memory of 2400	2248	{F1483EBF-9FED-4352-AC81-69DF721DB9C1}.exe	45
PID 2248 wrote to memory of 2400	2248	{F1483EBF-9FED-4352-AC81-69DF721DB9C1}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-02-03_0230f77526c0e840308daf60620f7d90_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-03_0230f77526c0e840308daf60620f7d90_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2992
- C:\Windows\{C7E306D6-BA3E-42ff-A1AC-AD4D4C0D86FE}.exe
  C:\Windows\{C7E306D6-BA3E-42ff-A1AC-AD4D4C0D86FE}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2548
- - C:\Windows\{D400E40A-8F92-4a39-AACA-AE06F98505C3}.exe
    C:\Windows\{D400E40A-8F92-4a39-AACA-AE06F98505C3}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2892
  - - C:\Windows\{039F6E87-6766-4791-AF63-CF0840AF892A}.exe
      C:\Windows\{039F6E87-6766-4791-AF63-CF0840AF892A}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2464
    - - C:\Windows\{6ED92A5F-785A-4cfc-A403-821E25B093BB}.exe
        
        C:\Windows\{6ED92A5F-785A-4cfc-A403-821E25B093BB}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2972
      - C:\Windows\{06EAF32D-B05F-4c29-B3CD-985E368DAF11}.exe
        
        C:\Windows\{06EAF32D-B05F-4c29-B3CD-985E368DAF11}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2260
        
        C:\Windows\{46F7C584-6405-4961-B4D6-0EF51297902C}.exe
        
        C:\Windows\{46F7C584-6405-4961-B4D6-0EF51297902C}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2420
        
        C:\Windows\{F1483EBF-9FED-4352-AC81-69DF721DB9C1}.exe
        
        C:\Windows\{F1483EBF-9FED-4352-AC81-69DF721DB9C1}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2248
        
        C:\Windows\{4AAB5518-61EF-48e0-B47B-6FD71B7F951B}.exe
        
        C:\Windows\{4AAB5518-61EF-48e0-B47B-6FD71B7F951B}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1628
        
        C:\Windows\{B2A8356D-786D-477d-AAC2-F845B71F1395}.exe
        
        C:\Windows\{B2A8356D-786D-477d-AAC2-F845B71F1395}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:844
        
        C:\Windows\{D665765C-B4D1-4adf-96B9-88782DDFFB6F}.exe
        
        C:\Windows\{D665765C-B4D1-4adf-96B9-88782DDFFB6F}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1668
        
        C:\Windows\{610FD04F-73F7-4236-AF40-9525F5DB04D7}.exe
        
        C:\Windows\{610FD04F-73F7-4236-AF40-9525F5DB04D7}.exe
        12⤵
        Executes dropped EXE
        
        PID:2736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D6657~1.EXE > nul
        12⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B2A83~1.EXE > nul
        11⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4AAB5~1.EXE > nul
        10⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F1483~1.EXE > nul
        9⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{46F7C~1.EXE > nul
        8⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{06EAF~1.EXE > nul
        7⤵
        
        PID:1716
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6ED92~1.EXE > nul
        6⤵
        
        PID:576
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{039F6~1.EXE > nul
        5⤵
        
        PID:592
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{D400E~1.EXE > nul
      4⤵
      PID:2544
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{C7E30~1.EXE > nul
    3⤵
    PID:2612
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{039F6E87-6766-4791-AF63-CF0840AF892A}.exe

Filesize
204KB

MD5
e49e070e60e1bcaf3975743b8d119ab8

SHA1
f864093d6bc9fe5a031f52c2904c2c2ae86f22c2

SHA256
69f5f6c5f9e28c21ae77523be5b40109d6bc38ca75726fec4de0b9fb125145fa

SHA512
b4a4f3028ebe7f9ccf3d61cb175df23b7d4b1c7a2e8db8d326ed7c1dd5929b099106e282c859f49772d176eb616daec6700b26736d92e1621f96f86cee72a80f

Download Submit
C:\Windows\{06EAF32D-B05F-4c29-B3CD-985E368DAF11}.exe

Filesize
204KB

MD5
542409496bb0019cbc7cfd6aa07feabf

SHA1
6993aff9690004c93d5b967c28aed916a6e190e4

SHA256
026452a5ee60650c38f0ceb54b462ed290d7bc3f99590478b8411ed76d729435

SHA512
4996f1b1df4ed306b2fa330919c9b37e54f08d6a859f36286271c236af9762ab3e0366336dbbdeed82c3fcc2acb265dad2543c6bb3b01a7cafff6fee89ea9f7a

Download Submit
C:\Windows\{46F7C584-6405-4961-B4D6-0EF51297902C}.exe

Filesize
204KB

MD5
ce8ec8cfd44bbd644a0814bfc1bb3ae6

SHA1
688cb6cbe4058845c2acef2da1a0ecf43c364169

SHA256
ee43b0a29a9d8a86fb799160f84b0897959ed8d0cabb72bff46f72a2b4302c26

SHA512
92812d4bad268ce4d646a2419ef6cb7814816365798a544bb4da83795084b8d5313d18bbac6e148e313d21739215779631c76f90283beb4502c9305e71f0fc0e

Download Submit
C:\Windows\{4AAB5518-61EF-48e0-B47B-6FD71B7F951B}.exe

Filesize
204KB

MD5
1e93cdc96ef01d9c009a27dedddb1cda

SHA1
918f80ef4201b718d728821abf513e4ee26dbb63

SHA256
20c552cb67ba7813ee9f99580cd3f6609a0d55d6567604be5360070b4a756b82

SHA512
fedf50da434ca24f7a8db8fefdbf0ccd7dd727304db57a41d2969497c6b83a7a240933d7558699c21c9bc8c3cf8cbc9344779b9a03b0a4795a7b187358602b29

Download Submit
C:\Windows\{610FD04F-73F7-4236-AF40-9525F5DB04D7}.exe

Filesize
204KB

MD5
6b3ceeccf63f4f93c96fee89afed1f1a

SHA1
b818de0bba49bcb77583d2647b4fc531a7b26aac

SHA256
3c7a6a36d63075e8668a1db23e0440ca8a5f245d8d17aa7aa668012981838983

SHA512
2638610bb3c9691d026586db36dae8092705e060331dc20e652b42655484aa9e24759352d4d5f51daf509359c4f9c095001f4902d9f88ad5d44b5e3d47c1e993

Download Submit
C:\Windows\{6ED92A5F-785A-4cfc-A403-821E25B093BB}.exe

Filesize
204KB

MD5
fb89ab24112b21d1d5ccef971a342e04

SHA1
3abb6884cb98555c069c648730327709559b3d90

SHA256
8c0b5072a8178ff00612b83fe4e680bff9869d133a6c24628fc9733871f47905

SHA512
84918806d164ff92fda345f937c0c6db853ac4b308922c25cdcf1b4a10d586697a9558956dd0a39c1fc179a4ece4b51eaf85eb7a0f06c61addaea8e93201a02f

Download Submit
C:\Windows\{B2A8356D-786D-477d-AAC2-F845B71F1395}.exe

Filesize
204KB

MD5
f1bd54e691ea88195632221fa6bc6cef

SHA1
0bdb650ac91f677739072ea5f6677e70231908b0

SHA256
41a22e67b71398bafeddff238d16209de1ce40c353df40917a59b94997c9e085

SHA512
209378203c13f7dc9a9fa8b6eb32f2b7479ef67007cc06f5b2872a5610ad03663d689aa48e5456542d973ae758296d6a33058d172500f881023ad0f22762dce5

Download Submit
C:\Windows\{C7E306D6-BA3E-42ff-A1AC-AD4D4C0D86FE}.exe

Filesize
204KB

MD5
f3fcba670184614ad07a82de7555c917

SHA1
aa7fedef136491212b43b771392714c490bbc1ff

SHA256
28a85a086a24f13a03c6e9ad9003171edaad42a7fa8dbb3ca84afcb6f09a391f

SHA512
396b47fce46720b7b87b3eee9bc3bde333ff3587eb5aa931d3de2eb00b7883bce66df79f589d6918cf6813a4399bd1b73e3b0ceddf37bcabba8115c3c675763c

Download Submit
C:\Windows\{D400E40A-8F92-4a39-AACA-AE06F98505C3}.exe

Filesize
204KB

MD5
76aedd7a26de334e01e2a0f461f32b59

SHA1
a7f1c99f3887ac88169ab5bfe540ddfedc2cfd9e

SHA256
6cb91ce71b2d7a2d5c9adaa4250d750a50ad4d695ac9f018cfa85ed3ff6f10e5

SHA512
ec16e3727eec74131f84b061b43ff0b748dfd5e2b6d1a4188e147af2ae4b925a059a44b4bbbf0bdb68a87512785e7cff9c5d9a0d336689b8075424ec0ebd34f5

Download Submit
C:\Windows\{D665765C-B4D1-4adf-96B9-88782DDFFB6F}.exe

Filesize
204KB

MD5
eea04f1e615ac138c9ab53ec0eb77a14

SHA1
cdb9065ecda1eb277ba4256d8d0ebba894226303

SHA256
70a07a8f6ad3d669ea0207fbd5b07bcce20cfc9a6c08a5d9015ec5252a314810

SHA512
c14d8dc045fb753869fbb5f59742f03cf44ccbc4ebe043add5c1af4bb9c1ae30bc229ab0850029b763245952b91bcf45612be70567de8ee443501ac856b56942

Download Submit
C:\Windows\{F1483EBF-9FED-4352-AC81-69DF721DB9C1}.exe

Filesize
204KB

MD5
5f3ca974d8e7e4657d7331087ff3e5ed

SHA1
606ac5731e88b924b394406d351d7acc9627b619

SHA256
4be7f51b102919a6f1662f70e0e2dc52ab41fd5b19fc4ed77fead6061f13de33

SHA512
e12ae570a04c63dde5150dbafe70c01792af1ca6a0005ae3999ba76872816575a5682f62ff50e6b954dcf79a9b1fb329b9d2082fbe6a90dabe7028ece7ba642a

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads