935cbd20db1942b5a9b16d9efb5c58d2144a9e4679d56fee1ed63f6d4c16fc0e

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
03/02/2024, 17:35

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-02-03_ec7aabc7ef39defeb6692f3c951f9e3e_goldeneye.exe
Size

408KB
MD5

ec7aabc7ef39defeb6692f3c951f9e3e
SHA1

168c436d265be27db982b5b2f5e335b39cd164bb
SHA256

935cbd20db1942b5a9b16d9efb5c58d2144a9e4679d56fee1ed63f6d4c16fc0e
SHA512

97c4a0433ce8e5f5f9ce0935c24b3408bd650f76a183fb3dafb26f6d94bd28ec237138d3287f8a53f550ee05962cd7fbe3fb7da0e173c74c04b078e6c7520c30
SSDEEP

3072:CEGh0oil3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGgldOe2MUVg3vTeKcAEciTBqr3jy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x0009000000015c33-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b000000015c52-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a000000015c33-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000015cfa-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000005a5a-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b000000015c33-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000005a5a-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000015c33-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000005a5a-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000015c33-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000005a5a-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5729B661-A647-4d99-A077-FC4F2536CA82}\stubpath = "C:\\Windows\\{5729B661-A647-4d99-A077-FC4F2536CA82}.exe"	{AE7D9D6B-6CBF-48c0-8B4B-646C632A57EA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8A002E35-3447-41d5-841F-EBCBDC1692A4}\stubpath = "C:\\Windows\\{8A002E35-3447-41d5-841F-EBCBDC1692A4}.exe"	{5729B661-A647-4d99-A077-FC4F2536CA82}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5C05C4F5-303B-4481-972F-5A4F3E2BC77C}	{8AF66C23-CE6B-43ac-89A0-404A5AB9D813}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AE7D9D6B-6CBF-48c0-8B4B-646C632A57EA}\stubpath = "C:\\Windows\\{AE7D9D6B-6CBF-48c0-8B4B-646C632A57EA}.exe"	{48B75DDA-0F0D-4ed7-B11B-C9B95972AB01}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5729B661-A647-4d99-A077-FC4F2536CA82}	{AE7D9D6B-6CBF-48c0-8B4B-646C632A57EA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BC48C591-2C62-49e2-A348-9FC0FFC5344A}	{8A002E35-3447-41d5-841F-EBCBDC1692A4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7CF0B71C-C6F3-4d83-AC71-F8A1B91C9AF4}	{BC48C591-2C62-49e2-A348-9FC0FFC5344A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8AF66C23-CE6B-43ac-89A0-404A5AB9D813}\stubpath = "C:\\Windows\\{8AF66C23-CE6B-43ac-89A0-404A5AB9D813}.exe"	{E985F137-8400-45c0-AC39-46D2BC847BBF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{48B75DDA-0F0D-4ed7-B11B-C9B95972AB01}\stubpath = "C:\\Windows\\{48B75DDA-0F0D-4ed7-B11B-C9B95972AB01}.exe"	{DD104696-B344-4eae-99A6-4C49C9B30C4F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8AF66C23-CE6B-43ac-89A0-404A5AB9D813}	{E985F137-8400-45c0-AC39-46D2BC847BBF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DD104696-B344-4eae-99A6-4C49C9B30C4F}\stubpath = "C:\\Windows\\{DD104696-B344-4eae-99A6-4C49C9B30C4F}.exe"	{5C05C4F5-303B-4481-972F-5A4F3E2BC77C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7CF0B71C-C6F3-4d83-AC71-F8A1B91C9AF4}\stubpath = "C:\\Windows\\{7CF0B71C-C6F3-4d83-AC71-F8A1B91C9AF4}.exe"	{BC48C591-2C62-49e2-A348-9FC0FFC5344A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{47BF478C-22F5-4889-AA50-846BE0FD34F3}	{7CF0B71C-C6F3-4d83-AC71-F8A1B91C9AF4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{47BF478C-22F5-4889-AA50-846BE0FD34F3}\stubpath = "C:\\Windows\\{47BF478C-22F5-4889-AA50-846BE0FD34F3}.exe"	{7CF0B71C-C6F3-4d83-AC71-F8A1B91C9AF4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E985F137-8400-45c0-AC39-46D2BC847BBF}	2024-02-03_ec7aabc7ef39defeb6692f3c951f9e3e_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E985F137-8400-45c0-AC39-46D2BC847BBF}\stubpath = "C:\\Windows\\{E985F137-8400-45c0-AC39-46D2BC847BBF}.exe"	2024-02-03_ec7aabc7ef39defeb6692f3c951f9e3e_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{48B75DDA-0F0D-4ed7-B11B-C9B95972AB01}	{DD104696-B344-4eae-99A6-4C49C9B30C4F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AE7D9D6B-6CBF-48c0-8B4B-646C632A57EA}	{48B75DDA-0F0D-4ed7-B11B-C9B95972AB01}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8A002E35-3447-41d5-841F-EBCBDC1692A4}	{5729B661-A647-4d99-A077-FC4F2536CA82}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BC48C591-2C62-49e2-A348-9FC0FFC5344A}\stubpath = "C:\\Windows\\{BC48C591-2C62-49e2-A348-9FC0FFC5344A}.exe"	{8A002E35-3447-41d5-841F-EBCBDC1692A4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5C05C4F5-303B-4481-972F-5A4F3E2BC77C}\stubpath = "C:\\Windows\\{5C05C4F5-303B-4481-972F-5A4F3E2BC77C}.exe"	{8AF66C23-CE6B-43ac-89A0-404A5AB9D813}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DD104696-B344-4eae-99A6-4C49C9B30C4F}	{5C05C4F5-303B-4481-972F-5A4F3E2BC77C}.exe

Deletes itself 1 IoCs

pid	Process
3052	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
1820	{E985F137-8400-45c0-AC39-46D2BC847BBF}.exe
2596	{8AF66C23-CE6B-43ac-89A0-404A5AB9D813}.exe
2128	{5C05C4F5-303B-4481-972F-5A4F3E2BC77C}.exe
2572	{DD104696-B344-4eae-99A6-4C49C9B30C4F}.exe
1900	{48B75DDA-0F0D-4ed7-B11B-C9B95972AB01}.exe
1656	{AE7D9D6B-6CBF-48c0-8B4B-646C632A57EA}.exe
772	{5729B661-A647-4d99-A077-FC4F2536CA82}.exe
1320	{8A002E35-3447-41d5-841F-EBCBDC1692A4}.exe
1160	{BC48C591-2C62-49e2-A348-9FC0FFC5344A}.exe
2008	{7CF0B71C-C6F3-4d83-AC71-F8A1B91C9AF4}.exe
1204	{47BF478C-22F5-4889-AA50-846BE0FD34F3}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{E985F137-8400-45c0-AC39-46D2BC847BBF}.exe	2024-02-03_ec7aabc7ef39defeb6692f3c951f9e3e_goldeneye.exe
File created	C:\Windows\{8AF66C23-CE6B-43ac-89A0-404A5AB9D813}.exe	{E985F137-8400-45c0-AC39-46D2BC847BBF}.exe
File created	C:\Windows\{48B75DDA-0F0D-4ed7-B11B-C9B95972AB01}.exe	{DD104696-B344-4eae-99A6-4C49C9B30C4F}.exe
File created	C:\Windows\{7CF0B71C-C6F3-4d83-AC71-F8A1B91C9AF4}.exe	{BC48C591-2C62-49e2-A348-9FC0FFC5344A}.exe
File created	C:\Windows\{8A002E35-3447-41d5-841F-EBCBDC1692A4}.exe	{5729B661-A647-4d99-A077-FC4F2536CA82}.exe
File created	C:\Windows\{BC48C591-2C62-49e2-A348-9FC0FFC5344A}.exe	{8A002E35-3447-41d5-841F-EBCBDC1692A4}.exe
File created	C:\Windows\{47BF478C-22F5-4889-AA50-846BE0FD34F3}.exe	{7CF0B71C-C6F3-4d83-AC71-F8A1B91C9AF4}.exe
File created	C:\Windows\{5C05C4F5-303B-4481-972F-5A4F3E2BC77C}.exe	{8AF66C23-CE6B-43ac-89A0-404A5AB9D813}.exe
File created	C:\Windows\{DD104696-B344-4eae-99A6-4C49C9B30C4F}.exe	{5C05C4F5-303B-4481-972F-5A4F3E2BC77C}.exe
File created	C:\Windows\{AE7D9D6B-6CBF-48c0-8B4B-646C632A57EA}.exe	{48B75DDA-0F0D-4ed7-B11B-C9B95972AB01}.exe
File created	C:\Windows\{5729B661-A647-4d99-A077-FC4F2536CA82}.exe	{AE7D9D6B-6CBF-48c0-8B4B-646C632A57EA}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2364	2024-02-03_ec7aabc7ef39defeb6692f3c951f9e3e_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1820	{E985F137-8400-45c0-AC39-46D2BC847BBF}.exe
Token: SeIncBasePriorityPrivilege	2596	{8AF66C23-CE6B-43ac-89A0-404A5AB9D813}.exe
Token: SeIncBasePriorityPrivilege	2128	{5C05C4F5-303B-4481-972F-5A4F3E2BC77C}.exe
Token: SeIncBasePriorityPrivilege	2572	{DD104696-B344-4eae-99A6-4C49C9B30C4F}.exe
Token: SeIncBasePriorityPrivilege	1900	{48B75DDA-0F0D-4ed7-B11B-C9B95972AB01}.exe
Token: SeIncBasePriorityPrivilege	1656	{AE7D9D6B-6CBF-48c0-8B4B-646C632A57EA}.exe
Token: SeIncBasePriorityPrivilege	772	{5729B661-A647-4d99-A077-FC4F2536CA82}.exe
Token: SeIncBasePriorityPrivilege	1320	{8A002E35-3447-41d5-841F-EBCBDC1692A4}.exe
Token: SeIncBasePriorityPrivilege	1160	{BC48C591-2C62-49e2-A348-9FC0FFC5344A}.exe
Token: SeIncBasePriorityPrivilege	2008	{7CF0B71C-C6F3-4d83-AC71-F8A1B91C9AF4}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2364 wrote to memory of 1820	2364	2024-02-03_ec7aabc7ef39defeb6692f3c951f9e3e_goldeneye.exe	28
PID 2364 wrote to memory of 1820	2364	2024-02-03_ec7aabc7ef39defeb6692f3c951f9e3e_goldeneye.exe	28
PID 2364 wrote to memory of 1820	2364	2024-02-03_ec7aabc7ef39defeb6692f3c951f9e3e_goldeneye.exe	28
PID 2364 wrote to memory of 1820	2364	2024-02-03_ec7aabc7ef39defeb6692f3c951f9e3e_goldeneye.exe	28
PID 2364 wrote to memory of 3052	2364	2024-02-03_ec7aabc7ef39defeb6692f3c951f9e3e_goldeneye.exe	29
PID 2364 wrote to memory of 3052	2364	2024-02-03_ec7aabc7ef39defeb6692f3c951f9e3e_goldeneye.exe	29
PID 2364 wrote to memory of 3052	2364	2024-02-03_ec7aabc7ef39defeb6692f3c951f9e3e_goldeneye.exe	29
PID 2364 wrote to memory of 3052	2364	2024-02-03_ec7aabc7ef39defeb6692f3c951f9e3e_goldeneye.exe	29
PID 1820 wrote to memory of 2596	1820	{E985F137-8400-45c0-AC39-46D2BC847BBF}.exe	30
PID 1820 wrote to memory of 2596	1820	{E985F137-8400-45c0-AC39-46D2BC847BBF}.exe	30
PID 1820 wrote to memory of 2596	1820	{E985F137-8400-45c0-AC39-46D2BC847BBF}.exe	30
PID 1820 wrote to memory of 2596	1820	{E985F137-8400-45c0-AC39-46D2BC847BBF}.exe	30
PID 1820 wrote to memory of 2672	1820	{E985F137-8400-45c0-AC39-46D2BC847BBF}.exe	31
PID 1820 wrote to memory of 2672	1820	{E985F137-8400-45c0-AC39-46D2BC847BBF}.exe	31
PID 1820 wrote to memory of 2672	1820	{E985F137-8400-45c0-AC39-46D2BC847BBF}.exe	31
PID 1820 wrote to memory of 2672	1820	{E985F137-8400-45c0-AC39-46D2BC847BBF}.exe	31
PID 2596 wrote to memory of 2128	2596	{8AF66C23-CE6B-43ac-89A0-404A5AB9D813}.exe	32
PID 2596 wrote to memory of 2128	2596	{8AF66C23-CE6B-43ac-89A0-404A5AB9D813}.exe	32
PID 2596 wrote to memory of 2128	2596	{8AF66C23-CE6B-43ac-89A0-404A5AB9D813}.exe	32
PID 2596 wrote to memory of 2128	2596	{8AF66C23-CE6B-43ac-89A0-404A5AB9D813}.exe	32
PID 2596 wrote to memory of 2760	2596	{8AF66C23-CE6B-43ac-89A0-404A5AB9D813}.exe	33
PID 2596 wrote to memory of 2760	2596	{8AF66C23-CE6B-43ac-89A0-404A5AB9D813}.exe	33
PID 2596 wrote to memory of 2760	2596	{8AF66C23-CE6B-43ac-89A0-404A5AB9D813}.exe	33
PID 2596 wrote to memory of 2760	2596	{8AF66C23-CE6B-43ac-89A0-404A5AB9D813}.exe	33
PID 2128 wrote to memory of 2572	2128	{5C05C4F5-303B-4481-972F-5A4F3E2BC77C}.exe	37
PID 2128 wrote to memory of 2572	2128	{5C05C4F5-303B-4481-972F-5A4F3E2BC77C}.exe	37
PID 2128 wrote to memory of 2572	2128	{5C05C4F5-303B-4481-972F-5A4F3E2BC77C}.exe	37
PID 2128 wrote to memory of 2572	2128	{5C05C4F5-303B-4481-972F-5A4F3E2BC77C}.exe	37
PID 2128 wrote to memory of 2824	2128	{5C05C4F5-303B-4481-972F-5A4F3E2BC77C}.exe	36
PID 2128 wrote to memory of 2824	2128	{5C05C4F5-303B-4481-972F-5A4F3E2BC77C}.exe	36
PID 2128 wrote to memory of 2824	2128	{5C05C4F5-303B-4481-972F-5A4F3E2BC77C}.exe	36
PID 2128 wrote to memory of 2824	2128	{5C05C4F5-303B-4481-972F-5A4F3E2BC77C}.exe	36
PID 2572 wrote to memory of 1900	2572	{DD104696-B344-4eae-99A6-4C49C9B30C4F}.exe	39
PID 2572 wrote to memory of 1900	2572	{DD104696-B344-4eae-99A6-4C49C9B30C4F}.exe	39
PID 2572 wrote to memory of 1900	2572	{DD104696-B344-4eae-99A6-4C49C9B30C4F}.exe	39
PID 2572 wrote to memory of 1900	2572	{DD104696-B344-4eae-99A6-4C49C9B30C4F}.exe	39
PID 2572 wrote to memory of 2704	2572	{DD104696-B344-4eae-99A6-4C49C9B30C4F}.exe	38
PID 2572 wrote to memory of 2704	2572	{DD104696-B344-4eae-99A6-4C49C9B30C4F}.exe	38
PID 2572 wrote to memory of 2704	2572	{DD104696-B344-4eae-99A6-4C49C9B30C4F}.exe	38
PID 2572 wrote to memory of 2704	2572	{DD104696-B344-4eae-99A6-4C49C9B30C4F}.exe	38
PID 1900 wrote to memory of 1656	1900	{48B75DDA-0F0D-4ed7-B11B-C9B95972AB01}.exe	40
PID 1900 wrote to memory of 1656	1900	{48B75DDA-0F0D-4ed7-B11B-C9B95972AB01}.exe	40
PID 1900 wrote to memory of 1656	1900	{48B75DDA-0F0D-4ed7-B11B-C9B95972AB01}.exe	40
PID 1900 wrote to memory of 1656	1900	{48B75DDA-0F0D-4ed7-B11B-C9B95972AB01}.exe	40
PID 1900 wrote to memory of 2728	1900	{48B75DDA-0F0D-4ed7-B11B-C9B95972AB01}.exe	41
PID 1900 wrote to memory of 2728	1900	{48B75DDA-0F0D-4ed7-B11B-C9B95972AB01}.exe	41
PID 1900 wrote to memory of 2728	1900	{48B75DDA-0F0D-4ed7-B11B-C9B95972AB01}.exe	41
PID 1900 wrote to memory of 2728	1900	{48B75DDA-0F0D-4ed7-B11B-C9B95972AB01}.exe	41
PID 1656 wrote to memory of 772	1656	{AE7D9D6B-6CBF-48c0-8B4B-646C632A57EA}.exe	42
PID 1656 wrote to memory of 772	1656	{AE7D9D6B-6CBF-48c0-8B4B-646C632A57EA}.exe	42
PID 1656 wrote to memory of 772	1656	{AE7D9D6B-6CBF-48c0-8B4B-646C632A57EA}.exe	42
PID 1656 wrote to memory of 772	1656	{AE7D9D6B-6CBF-48c0-8B4B-646C632A57EA}.exe	42
PID 1656 wrote to memory of 2192	1656	{AE7D9D6B-6CBF-48c0-8B4B-646C632A57EA}.exe	43
PID 1656 wrote to memory of 2192	1656	{AE7D9D6B-6CBF-48c0-8B4B-646C632A57EA}.exe	43
PID 1656 wrote to memory of 2192	1656	{AE7D9D6B-6CBF-48c0-8B4B-646C632A57EA}.exe	43
PID 1656 wrote to memory of 2192	1656	{AE7D9D6B-6CBF-48c0-8B4B-646C632A57EA}.exe	43
PID 772 wrote to memory of 1320	772	{5729B661-A647-4d99-A077-FC4F2536CA82}.exe	44
PID 772 wrote to memory of 1320	772	{5729B661-A647-4d99-A077-FC4F2536CA82}.exe	44
PID 772 wrote to memory of 1320	772	{5729B661-A647-4d99-A077-FC4F2536CA82}.exe	44
PID 772 wrote to memory of 1320	772	{5729B661-A647-4d99-A077-FC4F2536CA82}.exe	44
PID 772 wrote to memory of 1404	772	{5729B661-A647-4d99-A077-FC4F2536CA82}.exe	45
PID 772 wrote to memory of 1404	772	{5729B661-A647-4d99-A077-FC4F2536CA82}.exe	45
PID 772 wrote to memory of 1404	772	{5729B661-A647-4d99-A077-FC4F2536CA82}.exe	45
PID 772 wrote to memory of 1404	772	{5729B661-A647-4d99-A077-FC4F2536CA82}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-02-03_ec7aabc7ef39defeb6692f3c951f9e3e_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-03_ec7aabc7ef39defeb6692f3c951f9e3e_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2364
- C:\Windows\{E985F137-8400-45c0-AC39-46D2BC847BBF}.exe
  C:\Windows\{E985F137-8400-45c0-AC39-46D2BC847BBF}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1820
- - C:\Windows\{8AF66C23-CE6B-43ac-89A0-404A5AB9D813}.exe
    C:\Windows\{8AF66C23-CE6B-43ac-89A0-404A5AB9D813}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2596
  - - C:\Windows\{5C05C4F5-303B-4481-972F-5A4F3E2BC77C}.exe
      C:\Windows\{5C05C4F5-303B-4481-972F-5A4F3E2BC77C}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2128
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5C05C~1.EXE > nul
        5⤵
        
        PID:2824
    - - C:\Windows\{DD104696-B344-4eae-99A6-4C49C9B30C4F}.exe
        
        C:\Windows\{DD104696-B344-4eae-99A6-4C49C9B30C4F}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2572
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DD104~1.EXE > nul
        6⤵
        
        PID:2704
      - C:\Windows\{48B75DDA-0F0D-4ed7-B11B-C9B95972AB01}.exe
        
        C:\Windows\{48B75DDA-0F0D-4ed7-B11B-C9B95972AB01}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1900
        
        C:\Windows\{AE7D9D6B-6CBF-48c0-8B4B-646C632A57EA}.exe
        
        C:\Windows\{AE7D9D6B-6CBF-48c0-8B4B-646C632A57EA}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1656
        
        C:\Windows\{5729B661-A647-4d99-A077-FC4F2536CA82}.exe
        
        C:\Windows\{5729B661-A647-4d99-A077-FC4F2536CA82}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:772
        
        C:\Windows\{8A002E35-3447-41d5-841F-EBCBDC1692A4}.exe
        
        C:\Windows\{8A002E35-3447-41d5-841F-EBCBDC1692A4}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8A002~1.EXE > nul
        10⤵
        
        PID:1988
        
        C:\Windows\{BC48C591-2C62-49e2-A348-9FC0FFC5344A}.exe
        
        C:\Windows\{BC48C591-2C62-49e2-A348-9FC0FFC5344A}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1160
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BC48C~1.EXE > nul
        11⤵
        
        PID:600
        
        C:\Windows\{7CF0B71C-C6F3-4d83-AC71-F8A1B91C9AF4}.exe
        
        C:\Windows\{7CF0B71C-C6F3-4d83-AC71-F8A1B91C9AF4}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2008
        
        C:\Windows\{47BF478C-22F5-4889-AA50-846BE0FD34F3}.exe
        
        C:\Windows\{47BF478C-22F5-4889-AA50-846BE0FD34F3}.exe
        12⤵
        Executes dropped EXE
        
        PID:1204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7CF0B~1.EXE > nul
        12⤵
        
        PID:1840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5729B~1.EXE > nul
        9⤵
        
        PID:1404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AE7D9~1.EXE > nul
        8⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{48B75~1.EXE > nul
        7⤵
        
        PID:2728
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{8AF66~1.EXE > nul
      4⤵
      PID:2760
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{E985F~1.EXE > nul
    3⤵
    PID:2672
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:3052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{47BF478C-22F5-4889-AA50-846BE0FD34F3}.exe

Filesize
408KB

MD5
52f5e5de658252beb13bf0d83ffa4a15

SHA1
c25415bd3799e61e861079996c8eee0c3dc97d43

SHA256
6aca02c617a7940e985b661857a4bbcebe2a8cd5760532c8175203905826d028

SHA512
a4ab3f253536bbc87e993db92e09d2815ec4d60d6beb760ccb908e62ecb6dcc14b633285cfeda89f214ba149a21b7996baaeb26aa99a89eb47dc020893a0c878

Download Submit
C:\Windows\{48B75DDA-0F0D-4ed7-B11B-C9B95972AB01}.exe

Filesize
408KB

MD5
c8f33091e50ff59f56887a6b6ba24505

SHA1
9bb13b91994288d9a2e9eb8e3d9d14d943fbb14a

SHA256
3593d39f195ae1f25419de4e3ec0988999205ab7d458330ebe68f83c37d472fa

SHA512
5af26b37bad2ea40200cf05a0ec51399ead641c800e2879b8caf2ff329e68649b1f320152d6106caf49e5c77d1dc73d44dbd67dbb24368af233b19bda5449fc9

Download Submit
C:\Windows\{5729B661-A647-4d99-A077-FC4F2536CA82}.exe

Filesize
408KB

MD5
01af62a999877e006fcfd5b90893235d

SHA1
95db6f34891a0d899fcdf619e13f1b3d54f1296a

SHA256
1a72680ed203b5feb53463d4ba6bbf28de7871679cc1c73d62ea303a47ddbb38

SHA512
6e403882cfb23aa6eb0cb46745f4c7f07ee3f51b02c7a65e2e4e2b24c2a68d392563bc4aa737cce34880f4bfd7d7f8598a2a1415321e1a2fe3a95d9fbd7f64c2

Download Submit
C:\Windows\{5C05C4F5-303B-4481-972F-5A4F3E2BC77C}.exe

Filesize
408KB

MD5
6ae1ec0efca3cb732ead2c3fdb4c5e04

SHA1
a01545297f4133fc156480b330c7d0855fc43522

SHA256
bd250a876135b6654b6ca034ee721d8a0175dccf0d76d7521085c0e71ee8eb4c

SHA512
76c3b862e0fd7fec62dee28d05fb006c23afcceb824f851c9ae970354f6de0c12bcec3855815c9d5956033d4650476f2bd0b07ff5bffc8a1030e86bbcdf223ea

Download Submit
C:\Windows\{7CF0B71C-C6F3-4d83-AC71-F8A1B91C9AF4}.exe

Filesize
408KB

MD5
03004804c18fb48b4ef2f2577300634f

SHA1
15432782d4c900f425051ca25765b6fbd7609440

SHA256
6b0a4c4d7e14066bd4bfefb1809344202ebf067f4a0211bed9332b4de3daa50d

SHA512
c8eea8a4e751aadd9a1988da926493ca0fac313c8159b6109e2db54d87e0513d1f20f51c524174ea0da0a051018d04c42ebf2128d8196bddcbffc9db0ec6b4ea

Download Submit
C:\Windows\{8A002E35-3447-41d5-841F-EBCBDC1692A4}.exe

Filesize
408KB

MD5
6f5a131be9e1e64f28d010b311fdf818

SHA1
28b251b578997a1660e94ea4308f5c438b914790

SHA256
fef8ad9860c0ab013b821242641e78db10105382ee0fb6b25da60387007326c7

SHA512
a5729784c68560ac64e11ee38f5c2123e6b634f6d4d46b98fa30906e083e95de26f75addf669caab32bd1ebc4681965eb13a4a1704c17380ce8b5a84e8038601

Download Submit
C:\Windows\{8AF66C23-CE6B-43ac-89A0-404A5AB9D813}.exe

Filesize
408KB

MD5
36eb468b6d63d8b39bcf93011879e7ea

SHA1
dcfe11191fb4bb373ca8ac4c47de7426ef1ed5bb

SHA256
16f011b7e34205ded2fd53778d179a392afdb9458fae6d77c03fc7fdcd36e199

SHA512
69c2111567163fe71565bc5e0e5b21e76236dbf5ed0a56d0af7d406ea2785ff35b28b02c8ab600efb35c7b4e78eaf5938c693afe88f0ac1333f68234c99f8222

Download Submit
C:\Windows\{AE7D9D6B-6CBF-48c0-8B4B-646C632A57EA}.exe

Filesize
408KB

MD5
56abb05a6231744a03abce2631bc6429

SHA1
bf0b9c1bd63243fd39811c9344f48d33b62144f1

SHA256
f1ee26feb2419a02c1395f3fa1a5125f7d095d3b1bd17a6b4255e98ee9be4142

SHA512
9f7766bb18730edd1d6541910fecc4fd9ef9ec85e8745536a830992eed7e826d522b872c4c9736d71669a654b293e4317d1d15288d6d631388b99c8e847c3713

Download Submit
C:\Windows\{BC48C591-2C62-49e2-A348-9FC0FFC5344A}.exe

Filesize
408KB

MD5
90a31161588d363377c7156a681b020f

SHA1
72f7a6edd5bd44687e53900e846fcae272da33dd

SHA256
888494c1e256b1ad2f86e22af18e0afb79351f1f33c8ff7e164b3307909146c9

SHA512
490782bd12a496fb7fdd58feb837e93c34aa352de9d21773a4b68b651f51c04b718bb9dd43a694b9ed1f498effd7d0dca88b09d23f3cb323635556a555a316a0

Download Submit
C:\Windows\{DD104696-B344-4eae-99A6-4C49C9B30C4F}.exe

Filesize
408KB

MD5
66c65c63f185aa0615121d89f51eca7e

SHA1
5c1d0bfd56794aee8003a60d3e5efff3651e0b81

SHA256
49f641aa4b011b196829725f0faef0116265a3946c3ef26c3247881d2f3c8e9d

SHA512
5d5c6491068e0ccd9b05766a64557824457a971d94ca37b1ac01b6b4988cb64040345ff29ce6c14186e89aeafc314d3c51e730cd0335ba85c73f65a8fb5b707f

Download Submit
C:\Windows\{E985F137-8400-45c0-AC39-46D2BC847BBF}.exe

Filesize
408KB

MD5
64bdef6e2f78b3aa9f178706fbb3ccc7

SHA1
a8166ec1f1749b6621c0a109b99929a29f2a04a7

SHA256
4a80e8ab1e94910378aa45afc082449304b59f4dfd0acb1bbbda67f77639f351

SHA512
0960a571ef6eeb35c3190c290d84c4abc301d330c6793e1efe56200f8c20a7754fae6f8f40e789e19c4492da0debdff263beaefcb489fadc06fa5989a7c5c47e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads