3cee0fa73b23ec125c81d1ee757ef0868befe4db9b80cd40be057beb5a59854b

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
03/02/2024, 13:37

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-02-03_d469f6a41560f6b2a63bd366ac00aba6_goldeneye.exe
Size

168KB
MD5

d469f6a41560f6b2a63bd366ac00aba6
SHA1

d3a0be984935ee2c25775165be0bb0d0a2cc3260
SHA256

3cee0fa73b23ec125c81d1ee757ef0868befe4db9b80cd40be057beb5a59854b
SHA512

8e737e0cfff91a26b32a4658975d74c254b25f348fc8e31e91f3ef6f9aa85573e6c06d1b52ab6a993a6ceba50225485aca03e9f0ac8ddc3a25b481b8448c0e27
SSDEEP

1536:1EGh0oilq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oilqOPOe2MUVg3Ve+rX

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x00070000000122c9-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b000000014249-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00080000000122c9-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00340000000144df-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00090000000122c9-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a0000000122c9-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b0000000122c9-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{89F97FC6-4FCC-4524-9852-C5F3066B7606}\stubpath = "C:\\Windows\\{89F97FC6-4FCC-4524-9852-C5F3066B7606}.exe"	{9D24F02D-7F95-4661-AF50-6EE2666441E5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9915D1C0-1B14-4d5b-8094-549CB09D72DA}\stubpath = "C:\\Windows\\{9915D1C0-1B14-4d5b-8094-549CB09D72DA}.exe"	{B75A5D87-AD5F-4f8d-B5A9-F2009FC17106}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7857BA35-175B-434a-81AF-A1CC0DD8BA1A}\stubpath = "C:\\Windows\\{7857BA35-175B-434a-81AF-A1CC0DD8BA1A}.exe"	{9915D1C0-1B14-4d5b-8094-549CB09D72DA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FD10C280-274F-405a-9411-BFB50ED0CBAB}\stubpath = "C:\\Windows\\{FD10C280-274F-405a-9411-BFB50ED0CBAB}.exe"	{44A03C75-A6F3-4aec-AC97-D395C41DA420}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{905BE1D8-DCD6-4682-884C-8DB075AF2304}	2024-02-03_d469f6a41560f6b2a63bd366ac00aba6_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B2AA5755-FA62-4c59-AA03-1644F319F9D1}	{905BE1D8-DCD6-4682-884C-8DB075AF2304}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B2AA5755-FA62-4c59-AA03-1644F319F9D1}\stubpath = "C:\\Windows\\{B2AA5755-FA62-4c59-AA03-1644F319F9D1}.exe"	{905BE1D8-DCD6-4682-884C-8DB075AF2304}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7857BA35-175B-434a-81AF-A1CC0DD8BA1A}	{9915D1C0-1B14-4d5b-8094-549CB09D72DA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9915D1C0-1B14-4d5b-8094-549CB09D72DA}	{B75A5D87-AD5F-4f8d-B5A9-F2009FC17106}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{44A03C75-A6F3-4aec-AC97-D395C41DA420}	{7857BA35-175B-434a-81AF-A1CC0DD8BA1A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FD10C280-274F-405a-9411-BFB50ED0CBAB}	{44A03C75-A6F3-4aec-AC97-D395C41DA420}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F22DD9EC-16B8-45ca-B162-F0D9FF4A30B9}	{FD10C280-274F-405a-9411-BFB50ED0CBAB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{89F97FC6-4FCC-4524-9852-C5F3066B7606}	{9D24F02D-7F95-4661-AF50-6EE2666441E5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B75A5D87-AD5F-4f8d-B5A9-F2009FC17106}	{89F97FC6-4FCC-4524-9852-C5F3066B7606}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B75A5D87-AD5F-4f8d-B5A9-F2009FC17106}\stubpath = "C:\\Windows\\{B75A5D87-AD5F-4f8d-B5A9-F2009FC17106}.exe"	{89F97FC6-4FCC-4524-9852-C5F3066B7606}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{905BE1D8-DCD6-4682-884C-8DB075AF2304}\stubpath = "C:\\Windows\\{905BE1D8-DCD6-4682-884C-8DB075AF2304}.exe"	2024-02-03_d469f6a41560f6b2a63bd366ac00aba6_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{724773D7-C87C-49a5-93FD-407BD4917120}	{B2AA5755-FA62-4c59-AA03-1644F319F9D1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{724773D7-C87C-49a5-93FD-407BD4917120}\stubpath = "C:\\Windows\\{724773D7-C87C-49a5-93FD-407BD4917120}.exe"	{B2AA5755-FA62-4c59-AA03-1644F319F9D1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9D24F02D-7F95-4661-AF50-6EE2666441E5}	{724773D7-C87C-49a5-93FD-407BD4917120}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9D24F02D-7F95-4661-AF50-6EE2666441E5}\stubpath = "C:\\Windows\\{9D24F02D-7F95-4661-AF50-6EE2666441E5}.exe"	{724773D7-C87C-49a5-93FD-407BD4917120}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{44A03C75-A6F3-4aec-AC97-D395C41DA420}\stubpath = "C:\\Windows\\{44A03C75-A6F3-4aec-AC97-D395C41DA420}.exe"	{7857BA35-175B-434a-81AF-A1CC0DD8BA1A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F22DD9EC-16B8-45ca-B162-F0D9FF4A30B9}\stubpath = "C:\\Windows\\{F22DD9EC-16B8-45ca-B162-F0D9FF4A30B9}.exe"	{FD10C280-274F-405a-9411-BFB50ED0CBAB}.exe

Deletes itself 1 IoCs

pid	Process
2692	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
3036	{905BE1D8-DCD6-4682-884C-8DB075AF2304}.exe
2884	{B2AA5755-FA62-4c59-AA03-1644F319F9D1}.exe
2600	{724773D7-C87C-49a5-93FD-407BD4917120}.exe
1224	{9D24F02D-7F95-4661-AF50-6EE2666441E5}.exe
2960	{89F97FC6-4FCC-4524-9852-C5F3066B7606}.exe
1604	{B75A5D87-AD5F-4f8d-B5A9-F2009FC17106}.exe
1504	{9915D1C0-1B14-4d5b-8094-549CB09D72DA}.exe
1284	{7857BA35-175B-434a-81AF-A1CC0DD8BA1A}.exe
1888	{44A03C75-A6F3-4aec-AC97-D395C41DA420}.exe
588	{FD10C280-274F-405a-9411-BFB50ED0CBAB}.exe
2900	{F22DD9EC-16B8-45ca-B162-F0D9FF4A30B9}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{724773D7-C87C-49a5-93FD-407BD4917120}.exe	{B2AA5755-FA62-4c59-AA03-1644F319F9D1}.exe
File created	C:\Windows\{9D24F02D-7F95-4661-AF50-6EE2666441E5}.exe	{724773D7-C87C-49a5-93FD-407BD4917120}.exe
File created	C:\Windows\{89F97FC6-4FCC-4524-9852-C5F3066B7606}.exe	{9D24F02D-7F95-4661-AF50-6EE2666441E5}.exe
File created	C:\Windows\{F22DD9EC-16B8-45ca-B162-F0D9FF4A30B9}.exe	{FD10C280-274F-405a-9411-BFB50ED0CBAB}.exe
File created	C:\Windows\{B2AA5755-FA62-4c59-AA03-1644F319F9D1}.exe	{905BE1D8-DCD6-4682-884C-8DB075AF2304}.exe
File created	C:\Windows\{B75A5D87-AD5F-4f8d-B5A9-F2009FC17106}.exe	{89F97FC6-4FCC-4524-9852-C5F3066B7606}.exe
File created	C:\Windows\{9915D1C0-1B14-4d5b-8094-549CB09D72DA}.exe	{B75A5D87-AD5F-4f8d-B5A9-F2009FC17106}.exe
File created	C:\Windows\{7857BA35-175B-434a-81AF-A1CC0DD8BA1A}.exe	{9915D1C0-1B14-4d5b-8094-549CB09D72DA}.exe
File created	C:\Windows\{44A03C75-A6F3-4aec-AC97-D395C41DA420}.exe	{7857BA35-175B-434a-81AF-A1CC0DD8BA1A}.exe
File created	C:\Windows\{FD10C280-274F-405a-9411-BFB50ED0CBAB}.exe	{44A03C75-A6F3-4aec-AC97-D395C41DA420}.exe
File created	C:\Windows\{905BE1D8-DCD6-4682-884C-8DB075AF2304}.exe	2024-02-03_d469f6a41560f6b2a63bd366ac00aba6_goldeneye.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2500	2024-02-03_d469f6a41560f6b2a63bd366ac00aba6_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3036	{905BE1D8-DCD6-4682-884C-8DB075AF2304}.exe
Token: SeIncBasePriorityPrivilege	2884	{B2AA5755-FA62-4c59-AA03-1644F319F9D1}.exe
Token: SeIncBasePriorityPrivilege	2600	{724773D7-C87C-49a5-93FD-407BD4917120}.exe
Token: SeIncBasePriorityPrivilege	1224	{9D24F02D-7F95-4661-AF50-6EE2666441E5}.exe
Token: SeIncBasePriorityPrivilege	2960	{89F97FC6-4FCC-4524-9852-C5F3066B7606}.exe
Token: SeIncBasePriorityPrivilege	1604	{B75A5D87-AD5F-4f8d-B5A9-F2009FC17106}.exe
Token: SeIncBasePriorityPrivilege	1504	{9915D1C0-1B14-4d5b-8094-549CB09D72DA}.exe
Token: SeIncBasePriorityPrivilege	1284	{7857BA35-175B-434a-81AF-A1CC0DD8BA1A}.exe
Token: SeIncBasePriorityPrivilege	1888	{44A03C75-A6F3-4aec-AC97-D395C41DA420}.exe
Token: SeIncBasePriorityPrivilege	588	{FD10C280-274F-405a-9411-BFB50ED0CBAB}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2500 wrote to memory of 3036	2500	2024-02-03_d469f6a41560f6b2a63bd366ac00aba6_goldeneye.exe	28
PID 2500 wrote to memory of 3036	2500	2024-02-03_d469f6a41560f6b2a63bd366ac00aba6_goldeneye.exe	28
PID 2500 wrote to memory of 3036	2500	2024-02-03_d469f6a41560f6b2a63bd366ac00aba6_goldeneye.exe	28
PID 2500 wrote to memory of 3036	2500	2024-02-03_d469f6a41560f6b2a63bd366ac00aba6_goldeneye.exe	28
PID 2500 wrote to memory of 2692	2500	2024-02-03_d469f6a41560f6b2a63bd366ac00aba6_goldeneye.exe	29
PID 2500 wrote to memory of 2692	2500	2024-02-03_d469f6a41560f6b2a63bd366ac00aba6_goldeneye.exe	29
PID 2500 wrote to memory of 2692	2500	2024-02-03_d469f6a41560f6b2a63bd366ac00aba6_goldeneye.exe	29
PID 2500 wrote to memory of 2692	2500	2024-02-03_d469f6a41560f6b2a63bd366ac00aba6_goldeneye.exe	29
PID 3036 wrote to memory of 2884	3036	{905BE1D8-DCD6-4682-884C-8DB075AF2304}.exe	30
PID 3036 wrote to memory of 2884	3036	{905BE1D8-DCD6-4682-884C-8DB075AF2304}.exe	30
PID 3036 wrote to memory of 2884	3036	{905BE1D8-DCD6-4682-884C-8DB075AF2304}.exe	30
PID 3036 wrote to memory of 2884	3036	{905BE1D8-DCD6-4682-884C-8DB075AF2304}.exe	30
PID 3036 wrote to memory of 2384	3036	{905BE1D8-DCD6-4682-884C-8DB075AF2304}.exe	31
PID 3036 wrote to memory of 2384	3036	{905BE1D8-DCD6-4682-884C-8DB075AF2304}.exe	31
PID 3036 wrote to memory of 2384	3036	{905BE1D8-DCD6-4682-884C-8DB075AF2304}.exe	31
PID 3036 wrote to memory of 2384	3036	{905BE1D8-DCD6-4682-884C-8DB075AF2304}.exe	31
PID 2884 wrote to memory of 2600	2884	{B2AA5755-FA62-4c59-AA03-1644F319F9D1}.exe	32
PID 2884 wrote to memory of 2600	2884	{B2AA5755-FA62-4c59-AA03-1644F319F9D1}.exe	32
PID 2884 wrote to memory of 2600	2884	{B2AA5755-FA62-4c59-AA03-1644F319F9D1}.exe	32
PID 2884 wrote to memory of 2600	2884	{B2AA5755-FA62-4c59-AA03-1644F319F9D1}.exe	32
PID 2884 wrote to memory of 2720	2884	{B2AA5755-FA62-4c59-AA03-1644F319F9D1}.exe	33
PID 2884 wrote to memory of 2720	2884	{B2AA5755-FA62-4c59-AA03-1644F319F9D1}.exe	33
PID 2884 wrote to memory of 2720	2884	{B2AA5755-FA62-4c59-AA03-1644F319F9D1}.exe	33
PID 2884 wrote to memory of 2720	2884	{B2AA5755-FA62-4c59-AA03-1644F319F9D1}.exe	33
PID 2600 wrote to memory of 1224	2600	{724773D7-C87C-49a5-93FD-407BD4917120}.exe	36
PID 2600 wrote to memory of 1224	2600	{724773D7-C87C-49a5-93FD-407BD4917120}.exe	36
PID 2600 wrote to memory of 1224	2600	{724773D7-C87C-49a5-93FD-407BD4917120}.exe	36
PID 2600 wrote to memory of 1224	2600	{724773D7-C87C-49a5-93FD-407BD4917120}.exe	36
PID 2600 wrote to memory of 1384	2600	{724773D7-C87C-49a5-93FD-407BD4917120}.exe	37
PID 2600 wrote to memory of 1384	2600	{724773D7-C87C-49a5-93FD-407BD4917120}.exe	37
PID 2600 wrote to memory of 1384	2600	{724773D7-C87C-49a5-93FD-407BD4917120}.exe	37
PID 2600 wrote to memory of 1384	2600	{724773D7-C87C-49a5-93FD-407BD4917120}.exe	37
PID 1224 wrote to memory of 2960	1224	{9D24F02D-7F95-4661-AF50-6EE2666441E5}.exe	38
PID 1224 wrote to memory of 2960	1224	{9D24F02D-7F95-4661-AF50-6EE2666441E5}.exe	38
PID 1224 wrote to memory of 2960	1224	{9D24F02D-7F95-4661-AF50-6EE2666441E5}.exe	38
PID 1224 wrote to memory of 2960	1224	{9D24F02D-7F95-4661-AF50-6EE2666441E5}.exe	38
PID 1224 wrote to memory of 2592	1224	{9D24F02D-7F95-4661-AF50-6EE2666441E5}.exe	39
PID 1224 wrote to memory of 2592	1224	{9D24F02D-7F95-4661-AF50-6EE2666441E5}.exe	39
PID 1224 wrote to memory of 2592	1224	{9D24F02D-7F95-4661-AF50-6EE2666441E5}.exe	39
PID 1224 wrote to memory of 2592	1224	{9D24F02D-7F95-4661-AF50-6EE2666441E5}.exe	39
PID 2960 wrote to memory of 1604	2960	{89F97FC6-4FCC-4524-9852-C5F3066B7606}.exe	40
PID 2960 wrote to memory of 1604	2960	{89F97FC6-4FCC-4524-9852-C5F3066B7606}.exe	40
PID 2960 wrote to memory of 1604	2960	{89F97FC6-4FCC-4524-9852-C5F3066B7606}.exe	40
PID 2960 wrote to memory of 1604	2960	{89F97FC6-4FCC-4524-9852-C5F3066B7606}.exe	40
PID 2960 wrote to memory of 2436	2960	{89F97FC6-4FCC-4524-9852-C5F3066B7606}.exe	41
PID 2960 wrote to memory of 2436	2960	{89F97FC6-4FCC-4524-9852-C5F3066B7606}.exe	41
PID 2960 wrote to memory of 2436	2960	{89F97FC6-4FCC-4524-9852-C5F3066B7606}.exe	41
PID 2960 wrote to memory of 2436	2960	{89F97FC6-4FCC-4524-9852-C5F3066B7606}.exe	41
PID 1604 wrote to memory of 1504	1604	{B75A5D87-AD5F-4f8d-B5A9-F2009FC17106}.exe	42
PID 1604 wrote to memory of 1504	1604	{B75A5D87-AD5F-4f8d-B5A9-F2009FC17106}.exe	42
PID 1604 wrote to memory of 1504	1604	{B75A5D87-AD5F-4f8d-B5A9-F2009FC17106}.exe	42
PID 1604 wrote to memory of 1504	1604	{B75A5D87-AD5F-4f8d-B5A9-F2009FC17106}.exe	42
PID 1604 wrote to memory of 1472	1604	{B75A5D87-AD5F-4f8d-B5A9-F2009FC17106}.exe	43
PID 1604 wrote to memory of 1472	1604	{B75A5D87-AD5F-4f8d-B5A9-F2009FC17106}.exe	43
PID 1604 wrote to memory of 1472	1604	{B75A5D87-AD5F-4f8d-B5A9-F2009FC17106}.exe	43
PID 1604 wrote to memory of 1472	1604	{B75A5D87-AD5F-4f8d-B5A9-F2009FC17106}.exe	43
PID 1504 wrote to memory of 1284	1504	{9915D1C0-1B14-4d5b-8094-549CB09D72DA}.exe	44
PID 1504 wrote to memory of 1284	1504	{9915D1C0-1B14-4d5b-8094-549CB09D72DA}.exe	44
PID 1504 wrote to memory of 1284	1504	{9915D1C0-1B14-4d5b-8094-549CB09D72DA}.exe	44
PID 1504 wrote to memory of 1284	1504	{9915D1C0-1B14-4d5b-8094-549CB09D72DA}.exe	44
PID 1504 wrote to memory of 2192	1504	{9915D1C0-1B14-4d5b-8094-549CB09D72DA}.exe	45
PID 1504 wrote to memory of 2192	1504	{9915D1C0-1B14-4d5b-8094-549CB09D72DA}.exe	45
PID 1504 wrote to memory of 2192	1504	{9915D1C0-1B14-4d5b-8094-549CB09D72DA}.exe	45
PID 1504 wrote to memory of 2192	1504	{9915D1C0-1B14-4d5b-8094-549CB09D72DA}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-02-03_d469f6a41560f6b2a63bd366ac00aba6_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-03_d469f6a41560f6b2a63bd366ac00aba6_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2500
- C:\Windows\{905BE1D8-DCD6-4682-884C-8DB075AF2304}.exe
  C:\Windows\{905BE1D8-DCD6-4682-884C-8DB075AF2304}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3036
- - C:\Windows\{B2AA5755-FA62-4c59-AA03-1644F319F9D1}.exe
    C:\Windows\{B2AA5755-FA62-4c59-AA03-1644F319F9D1}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2884
  - - C:\Windows\{724773D7-C87C-49a5-93FD-407BD4917120}.exe
      C:\Windows\{724773D7-C87C-49a5-93FD-407BD4917120}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2600
    - - C:\Windows\{9D24F02D-7F95-4661-AF50-6EE2666441E5}.exe
        
        C:\Windows\{9D24F02D-7F95-4661-AF50-6EE2666441E5}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1224
      - C:\Windows\{89F97FC6-4FCC-4524-9852-C5F3066B7606}.exe
        
        C:\Windows\{89F97FC6-4FCC-4524-9852-C5F3066B7606}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2960
        
        C:\Windows\{B75A5D87-AD5F-4f8d-B5A9-F2009FC17106}.exe
        
        C:\Windows\{B75A5D87-AD5F-4f8d-B5A9-F2009FC17106}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1604
        
        C:\Windows\{9915D1C0-1B14-4d5b-8094-549CB09D72DA}.exe
        
        C:\Windows\{9915D1C0-1B14-4d5b-8094-549CB09D72DA}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1504
        
        C:\Windows\{7857BA35-175B-434a-81AF-A1CC0DD8BA1A}.exe
        
        C:\Windows\{7857BA35-175B-434a-81AF-A1CC0DD8BA1A}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1284
        
        C:\Windows\{44A03C75-A6F3-4aec-AC97-D395C41DA420}.exe
        
        C:\Windows\{44A03C75-A6F3-4aec-AC97-D395C41DA420}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1888
        
        C:\Windows\{FD10C280-274F-405a-9411-BFB50ED0CBAB}.exe
        
        C:\Windows\{FD10C280-274F-405a-9411-BFB50ED0CBAB}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:588
        
        C:\Windows\{F22DD9EC-16B8-45ca-B162-F0D9FF4A30B9}.exe
        
        C:\Windows\{F22DD9EC-16B8-45ca-B162-F0D9FF4A30B9}.exe
        12⤵
        Executes dropped EXE
        
        PID:2900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FD10C~1.EXE > nul
        12⤵
        
        PID:1012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{44A03~1.EXE > nul
        11⤵
        
        PID:532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7857B~1.EXE > nul
        10⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9915D~1.EXE > nul
        9⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B75A5~1.EXE > nul
        8⤵
        
        PID:1472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{89F97~1.EXE > nul
        7⤵
        
        PID:2436
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9D24F~1.EXE > nul
        6⤵
        
        PID:2592
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{72477~1.EXE > nul
        5⤵
        
        PID:1384
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{B2AA5~1.EXE > nul
      4⤵
      PID:2720
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{905BE~1.EXE > nul
    3⤵
    PID:2384
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{44A03C75-A6F3-4aec-AC97-D395C41DA420}.exe

Filesize
168KB

MD5
ffd7a63cd410d33dcf0b0e57a6ce0ae1

SHA1
9b26a74ac3a692636b0e4ea22e6696dd950eb323

SHA256
d4efff6bea46cebb19f2f46ea061d5656fcc41861617cfa3aef865c9100a0009

SHA512
6f5beef3d0642a64aa16cc35a2d864c101eda54ceb0ef29736213cc13f288ed8df4164a80a7db963966e3e07e488c1f9d87e2459b8681e811d55609aac97359f

Download Submit
C:\Windows\{724773D7-C87C-49a5-93FD-407BD4917120}.exe

Filesize
168KB

MD5
4e60869ffeb83fa4a3ca46f24a9daa72

SHA1
8600094db36a2c86db833912d200e73f428b5589

SHA256
df94912beb7cc348573317482417be26bd18635e525c563d98f7b652e420b911

SHA512
6cf620bb30a7eaca60a4b41f6fdf2344167855f3a0cdcef9d4771a4526aabb24d300e0cc9d0a5a4d4bb9a2bd84a6ea55e91519a976119cb41f926948f7c26b4d

Download Submit
C:\Windows\{7857BA35-175B-434a-81AF-A1CC0DD8BA1A}.exe

Filesize
168KB

MD5
d3c738f912b40df9224b3c28ff7991dc

SHA1
083ec09c63bad15896043a55f64ec11a8ab08c70

SHA256
63bf572bc0c57b0e06d87c1e8eb6789a5ce5a15a4425c47f6a15efa724d785cf

SHA512
7e0972c192bd103fa8ba3ade3ea2c1fa50f3b51308626c73e252908d1741741bb9c085432e619a1180f9d0c7c77a6e2df259aee9cf3966bf43fc26ea336027ac

Download Submit
C:\Windows\{89F97FC6-4FCC-4524-9852-C5F3066B7606}.exe

Filesize
168KB

MD5
a1baeec65771f27dc13902af881bfdfe

SHA1
f014df070792e7e30aa8cb2d2d02b75c0d89011c

SHA256
a7a2d32a9ca04c6b01462c00a2505b29f5f88e604d288722e4335cc8ec45b4d1

SHA512
e934acdf5f9387d3358f4722d5319f66efcdb2576c448b7204bde9c49215d06c00a09781fbcd3a8549b97a4f8aa5a19847886efd63e6bbd666a189255476290c

Download Submit
C:\Windows\{905BE1D8-DCD6-4682-884C-8DB075AF2304}.exe

Filesize
168KB

MD5
f5ef70c9ae4128ad2293dd7b9f44861e

SHA1
a01e1a6ba8e0d2dbab6d7c402baf91ce550cf99e

SHA256
f5669155e21b60045b1492b57686f77a9643ac574134eb46218dfe75d5058415

SHA512
7f12e20e7d4eb47c51b47411a9b2946648ae3f4c3439da035a45816c005db743c689c3cd9920c047b51eddc38d7f61d27efdc96515f8318d2d5fe208d3c549a9

Download Submit
C:\Windows\{9915D1C0-1B14-4d5b-8094-549CB09D72DA}.exe

Filesize
168KB

MD5
388d0170e241a190bd196cf317b0453f

SHA1
c0e11aeb43ad55283880a6da6939d78fd0b4107f

SHA256
7955fefabde6083875783c08c97eec5bae4e44fd6f0da2c635d2a05d4de22a4c

SHA512
00299b44f85c8ae96ff2b5db4d95aa48a5a1943a8ec4a9580ed6926c728cda73f29974ff1914ce30790062ce1dec5a934a6d11b0d717ad8f247c809d761a5ac5

Download Submit
C:\Windows\{9D24F02D-7F95-4661-AF50-6EE2666441E5}.exe

Filesize
168KB

MD5
f004177bc0ddc6e27d6cede0289938f4

SHA1
c15bd10974a3526ee009bb98bc0e0623060fa7fc

SHA256
bc987a4badada61ad55a85a0cc908c1f0eb3f4e50f8b996b1802ef890cb3afeb

SHA512
e740a678a70638c70fde0659df7787b96c6b8be497a11575ed4a9ca9ee72810fdc8cad988ffe9ca66b0833882aba8dd7ac43d9c6fa382ccc155afc32edfa16f7

Download Submit
C:\Windows\{B2AA5755-FA62-4c59-AA03-1644F319F9D1}.exe

Filesize
168KB

MD5
1d59a95e634044fac3129a47e28850ec

SHA1
b2313663ff5183dd1630f22d699b3bd2c0d875d3

SHA256
5d9e067b55269c59a120a36b94272c140456c026579f9d63db81e346f9c4751d

SHA512
1b4387b28afd9d5bed35d74023ac54748ddb279a8ccce0c98265b42eefba0d02e6b29fbfa0c18ee752cef35d2d9ccd0a64d75f531496d4d62f55f6983858db61

Download Submit
C:\Windows\{B75A5D87-AD5F-4f8d-B5A9-F2009FC17106}.exe

Filesize
168KB

MD5
e11439611f2f571f8cfd65aa0a37b573

SHA1
64d79b3accf6b311be1b52cde08a47fa32fd6e48

SHA256
4f2b1c18ec3d1828cc72df97541ba8eba427d305690bdc726017677a20987188

SHA512
13a1519ddd6c7f0fa8cbfedec1797bbf1e5186d145d896c8168e0be37e2d8f4e18f5aac5d70f70f8e25a267ae464dcd19cff2a8d1db4a571434c03e57148bceb

Download Submit
C:\Windows\{F22DD9EC-16B8-45ca-B162-F0D9FF4A30B9}.exe

Filesize
168KB

MD5
984b0edc049d1b8febdc180d41669d60

SHA1
a37b876d256f2a3d95c93b0bd6e87e93418d0223

SHA256
2c21ad873acfe328311b53e7a320a8058f25e55adc3e67cc911381ea9d3744eb

SHA512
225c0fa370dc098892c3fb742916890f2068b626ee60490d393d015db7ddde3b3eff1b3d814c7c9cbd9f33a4ac2fe61a2cf068d68604a2a16f171308d8cbb4bd

Download Submit
C:\Windows\{FD10C280-274F-405a-9411-BFB50ED0CBAB}.exe

Filesize
168KB

MD5
b5cbf22c87a06f02b30544f5c6e102cf

SHA1
1f57323ce166478868cb0f8353ee7e9bbc730e74

SHA256
8ae444ba75b8dc11a208295e645ff6eac2c836f66f2407e1ade897b23adb7301

SHA512
6d1fbb3bf0aa07b886f2a566d962f93cde405381c2d75c1b0214b6e7836a5689bb27ad787b75f8450a62971bdab8d1cd258e5e68a3b089c9a83b7dc8d617524f

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads