5ffdf5e37692b1b1316b8e8e112ae5b2bef04d2e4073af4aa16268be0d16f702

Analysis

max time kernel
144s
max time network
119s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
04/02/2024, 03:59

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-02-04_d8fba6b8bd61293524fbbb30b58a026a_goldeneye.exe
Size

197KB
MD5

d8fba6b8bd61293524fbbb30b58a026a
SHA1

3089586e7b948bb9a8d6c69279d657529951fa0e
SHA256

5ffdf5e37692b1b1316b8e8e112ae5b2bef04d2e4073af4aa16268be0d16f702
SHA512

25097454762d3e30bd562b9f1d63886d99ede667840c5a77b572b8aac985d8122fb6b4c4014d41b9e16e656d2a6527b9603c522a9cb2242b7591d776cc125a3a
SSDEEP

3072:jEGh0oLl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGFlEeKcAEca

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 18 IoCs

resource	yara_rule
behavioral1/files/0x000c0000000122c4-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c0000000122c4-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a0000000133c4-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d0000000122c4-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a0000000133c4-13.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a000000013a24-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d0000000122c4-20.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000005a5a-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a000000013a24-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e0000000122c4-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000005a5a-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f0000000122c4-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f0000000122c4-55.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000005a5a-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000005a5a-62.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00100000000122c4-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00100000000122c4-69.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000005a5a-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{198FA6D5-327F-47f9-A33F-697F4A19E70C}	{016758CE-BA59-403b-BD0E-59CBE5A9551E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C3C9C44E-02DF-4438-BFC6-5C2A6ABF96FD}	{640CB9B4-4392-41c0-8233-955CB4A86BE9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C3C9C44E-02DF-4438-BFC6-5C2A6ABF96FD}\stubpath = "C:\\Windows\\{C3C9C44E-02DF-4438-BFC6-5C2A6ABF96FD}.exe"	{640CB9B4-4392-41c0-8233-955CB4A86BE9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{150EFD63-9304-4b2b-A236-75F8A4BB4A72}	{9AF93722-1B4B-4ecb-95B3-0C894E61C93E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{150EFD63-9304-4b2b-A236-75F8A4BB4A72}\stubpath = "C:\\Windows\\{150EFD63-9304-4b2b-A236-75F8A4BB4A72}.exe"	{9AF93722-1B4B-4ecb-95B3-0C894E61C93E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{31C32CED-F8EE-43ee-9859-B288B4F7C517}	{150EFD63-9304-4b2b-A236-75F8A4BB4A72}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{87B2CB82-360B-429e-8B11-379F10D60E45}\stubpath = "C:\\Windows\\{87B2CB82-360B-429e-8B11-379F10D60E45}.exe"	{31C32CED-F8EE-43ee-9859-B288B4F7C517}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{763CEBE1-A28A-42fb-88FF-4838B176968B}	{87B2CB82-360B-429e-8B11-379F10D60E45}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5A468033-3021-4454-933D-212EC656EDE0}	{763CEBE1-A28A-42fb-88FF-4838B176968B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5A468033-3021-4454-933D-212EC656EDE0}\stubpath = "C:\\Windows\\{5A468033-3021-4454-933D-212EC656EDE0}.exe"	{763CEBE1-A28A-42fb-88FF-4838B176968B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{016758CE-BA59-403b-BD0E-59CBE5A9551E}	{8CAA043B-6813-43df-8C2F-3B4DFCB515C3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9AF93722-1B4B-4ecb-95B3-0C894E61C93E}	{C3C9C44E-02DF-4438-BFC6-5C2A6ABF96FD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{87B2CB82-360B-429e-8B11-379F10D60E45}	{31C32CED-F8EE-43ee-9859-B288B4F7C517}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8CAA043B-6813-43df-8C2F-3B4DFCB515C3}	{5A468033-3021-4454-933D-212EC656EDE0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{016758CE-BA59-403b-BD0E-59CBE5A9551E}\stubpath = "C:\\Windows\\{016758CE-BA59-403b-BD0E-59CBE5A9551E}.exe"	{8CAA043B-6813-43df-8C2F-3B4DFCB515C3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{198FA6D5-327F-47f9-A33F-697F4A19E70C}\stubpath = "C:\\Windows\\{198FA6D5-327F-47f9-A33F-697F4A19E70C}.exe"	{016758CE-BA59-403b-BD0E-59CBE5A9551E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{640CB9B4-4392-41c0-8233-955CB4A86BE9}	2024-02-04_d8fba6b8bd61293524fbbb30b58a026a_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{640CB9B4-4392-41c0-8233-955CB4A86BE9}\stubpath = "C:\\Windows\\{640CB9B4-4392-41c0-8233-955CB4A86BE9}.exe"	2024-02-04_d8fba6b8bd61293524fbbb30b58a026a_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9AF93722-1B4B-4ecb-95B3-0C894E61C93E}\stubpath = "C:\\Windows\\{9AF93722-1B4B-4ecb-95B3-0C894E61C93E}.exe"	{C3C9C44E-02DF-4438-BFC6-5C2A6ABF96FD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{31C32CED-F8EE-43ee-9859-B288B4F7C517}\stubpath = "C:\\Windows\\{31C32CED-F8EE-43ee-9859-B288B4F7C517}.exe"	{150EFD63-9304-4b2b-A236-75F8A4BB4A72}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{763CEBE1-A28A-42fb-88FF-4838B176968B}\stubpath = "C:\\Windows\\{763CEBE1-A28A-42fb-88FF-4838B176968B}.exe"	{87B2CB82-360B-429e-8B11-379F10D60E45}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8CAA043B-6813-43df-8C2F-3B4DFCB515C3}\stubpath = "C:\\Windows\\{8CAA043B-6813-43df-8C2F-3B4DFCB515C3}.exe"	{5A468033-3021-4454-933D-212EC656EDE0}.exe

Deletes itself 1 IoCs

pid	Process
1676	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2996	{640CB9B4-4392-41c0-8233-955CB4A86BE9}.exe
2660	{C3C9C44E-02DF-4438-BFC6-5C2A6ABF96FD}.exe
1688	{9AF93722-1B4B-4ecb-95B3-0C894E61C93E}.exe
2508	{150EFD63-9304-4b2b-A236-75F8A4BB4A72}.exe
2792	{31C32CED-F8EE-43ee-9859-B288B4F7C517}.exe
2784	{87B2CB82-360B-429e-8B11-379F10D60E45}.exe
2764	{763CEBE1-A28A-42fb-88FF-4838B176968B}.exe
1660	{5A468033-3021-4454-933D-212EC656EDE0}.exe
2336	{8CAA043B-6813-43df-8C2F-3B4DFCB515C3}.exe
1636	{016758CE-BA59-403b-BD0E-59CBE5A9551E}.exe
1204	{198FA6D5-327F-47f9-A33F-697F4A19E70C}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{87B2CB82-360B-429e-8B11-379F10D60E45}.exe	{31C32CED-F8EE-43ee-9859-B288B4F7C517}.exe
File created	C:\Windows\{5A468033-3021-4454-933D-212EC656EDE0}.exe	{763CEBE1-A28A-42fb-88FF-4838B176968B}.exe
File created	C:\Windows\{016758CE-BA59-403b-BD0E-59CBE5A9551E}.exe	{8CAA043B-6813-43df-8C2F-3B4DFCB515C3}.exe
File created	C:\Windows\{640CB9B4-4392-41c0-8233-955CB4A86BE9}.exe	2024-02-04_d8fba6b8bd61293524fbbb30b58a026a_goldeneye.exe
File created	C:\Windows\{31C32CED-F8EE-43ee-9859-B288B4F7C517}.exe	{150EFD63-9304-4b2b-A236-75F8A4BB4A72}.exe
File created	C:\Windows\{150EFD63-9304-4b2b-A236-75F8A4BB4A72}.exe	{9AF93722-1B4B-4ecb-95B3-0C894E61C93E}.exe
File created	C:\Windows\{763CEBE1-A28A-42fb-88FF-4838B176968B}.exe	{87B2CB82-360B-429e-8B11-379F10D60E45}.exe
File created	C:\Windows\{8CAA043B-6813-43df-8C2F-3B4DFCB515C3}.exe	{5A468033-3021-4454-933D-212EC656EDE0}.exe
File created	C:\Windows\{198FA6D5-327F-47f9-A33F-697F4A19E70C}.exe	{016758CE-BA59-403b-BD0E-59CBE5A9551E}.exe
File created	C:\Windows\{C3C9C44E-02DF-4438-BFC6-5C2A6ABF96FD}.exe	{640CB9B4-4392-41c0-8233-955CB4A86BE9}.exe
File created	C:\Windows\{9AF93722-1B4B-4ecb-95B3-0C894E61C93E}.exe	{C3C9C44E-02DF-4438-BFC6-5C2A6ABF96FD}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2980	2024-02-04_d8fba6b8bd61293524fbbb30b58a026a_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2996	{640CB9B4-4392-41c0-8233-955CB4A86BE9}.exe
Token: SeIncBasePriorityPrivilege	2660	{C3C9C44E-02DF-4438-BFC6-5C2A6ABF96FD}.exe
Token: SeIncBasePriorityPrivilege	1688	{9AF93722-1B4B-4ecb-95B3-0C894E61C93E}.exe
Token: SeIncBasePriorityPrivilege	2508	{150EFD63-9304-4b2b-A236-75F8A4BB4A72}.exe
Token: SeIncBasePriorityPrivilege	2792	{31C32CED-F8EE-43ee-9859-B288B4F7C517}.exe
Token: SeIncBasePriorityPrivilege	2784	{87B2CB82-360B-429e-8B11-379F10D60E45}.exe
Token: SeIncBasePriorityPrivilege	2764	{763CEBE1-A28A-42fb-88FF-4838B176968B}.exe
Token: SeIncBasePriorityPrivilege	1660	{5A468033-3021-4454-933D-212EC656EDE0}.exe
Token: SeIncBasePriorityPrivilege	2336	{8CAA043B-6813-43df-8C2F-3B4DFCB515C3}.exe
Token: SeIncBasePriorityPrivilege	1636	{016758CE-BA59-403b-BD0E-59CBE5A9551E}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2980 wrote to memory of 2996	2980	2024-02-04_d8fba6b8bd61293524fbbb30b58a026a_goldeneye.exe	29
PID 2980 wrote to memory of 2996	2980	2024-02-04_d8fba6b8bd61293524fbbb30b58a026a_goldeneye.exe	29
PID 2980 wrote to memory of 2996	2980	2024-02-04_d8fba6b8bd61293524fbbb30b58a026a_goldeneye.exe	29
PID 2980 wrote to memory of 2996	2980	2024-02-04_d8fba6b8bd61293524fbbb30b58a026a_goldeneye.exe	29
PID 2980 wrote to memory of 1676	2980	2024-02-04_d8fba6b8bd61293524fbbb30b58a026a_goldeneye.exe	28
PID 2980 wrote to memory of 1676	2980	2024-02-04_d8fba6b8bd61293524fbbb30b58a026a_goldeneye.exe	28
PID 2980 wrote to memory of 1676	2980	2024-02-04_d8fba6b8bd61293524fbbb30b58a026a_goldeneye.exe	28
PID 2980 wrote to memory of 1676	2980	2024-02-04_d8fba6b8bd61293524fbbb30b58a026a_goldeneye.exe	28
PID 2996 wrote to memory of 2660	2996	{640CB9B4-4392-41c0-8233-955CB4A86BE9}.exe	30
PID 2996 wrote to memory of 2660	2996	{640CB9B4-4392-41c0-8233-955CB4A86BE9}.exe	30
PID 2996 wrote to memory of 2660	2996	{640CB9B4-4392-41c0-8233-955CB4A86BE9}.exe	30
PID 2996 wrote to memory of 2660	2996	{640CB9B4-4392-41c0-8233-955CB4A86BE9}.exe	30
PID 2996 wrote to memory of 2868	2996	{640CB9B4-4392-41c0-8233-955CB4A86BE9}.exe	31
PID 2996 wrote to memory of 2868	2996	{640CB9B4-4392-41c0-8233-955CB4A86BE9}.exe	31
PID 2996 wrote to memory of 2868	2996	{640CB9B4-4392-41c0-8233-955CB4A86BE9}.exe	31
PID 2996 wrote to memory of 2868	2996	{640CB9B4-4392-41c0-8233-955CB4A86BE9}.exe	31
PID 2660 wrote to memory of 1688	2660	{C3C9C44E-02DF-4438-BFC6-5C2A6ABF96FD}.exe	33
PID 2660 wrote to memory of 1688	2660	{C3C9C44E-02DF-4438-BFC6-5C2A6ABF96FD}.exe	33
PID 2660 wrote to memory of 1688	2660	{C3C9C44E-02DF-4438-BFC6-5C2A6ABF96FD}.exe	33
PID 2660 wrote to memory of 1688	2660	{C3C9C44E-02DF-4438-BFC6-5C2A6ABF96FD}.exe	33
PID 2660 wrote to memory of 2484	2660	{C3C9C44E-02DF-4438-BFC6-5C2A6ABF96FD}.exe	32
PID 2660 wrote to memory of 2484	2660	{C3C9C44E-02DF-4438-BFC6-5C2A6ABF96FD}.exe	32
PID 2660 wrote to memory of 2484	2660	{C3C9C44E-02DF-4438-BFC6-5C2A6ABF96FD}.exe	32
PID 2660 wrote to memory of 2484	2660	{C3C9C44E-02DF-4438-BFC6-5C2A6ABF96FD}.exe	32
PID 1688 wrote to memory of 2508	1688	{9AF93722-1B4B-4ecb-95B3-0C894E61C93E}.exe	37
PID 1688 wrote to memory of 2508	1688	{9AF93722-1B4B-4ecb-95B3-0C894E61C93E}.exe	37
PID 1688 wrote to memory of 2508	1688	{9AF93722-1B4B-4ecb-95B3-0C894E61C93E}.exe	37
PID 1688 wrote to memory of 2508	1688	{9AF93722-1B4B-4ecb-95B3-0C894E61C93E}.exe	37
PID 1688 wrote to memory of 2936	1688	{9AF93722-1B4B-4ecb-95B3-0C894E61C93E}.exe	36
PID 1688 wrote to memory of 2936	1688	{9AF93722-1B4B-4ecb-95B3-0C894E61C93E}.exe	36
PID 1688 wrote to memory of 2936	1688	{9AF93722-1B4B-4ecb-95B3-0C894E61C93E}.exe	36
PID 1688 wrote to memory of 2936	1688	{9AF93722-1B4B-4ecb-95B3-0C894E61C93E}.exe	36
PID 2508 wrote to memory of 2792	2508	{150EFD63-9304-4b2b-A236-75F8A4BB4A72}.exe	38
PID 2508 wrote to memory of 2792	2508	{150EFD63-9304-4b2b-A236-75F8A4BB4A72}.exe	38
PID 2508 wrote to memory of 2792	2508	{150EFD63-9304-4b2b-A236-75F8A4BB4A72}.exe	38
PID 2508 wrote to memory of 2792	2508	{150EFD63-9304-4b2b-A236-75F8A4BB4A72}.exe	38
PID 2508 wrote to memory of 2544	2508	{150EFD63-9304-4b2b-A236-75F8A4BB4A72}.exe	39
PID 2508 wrote to memory of 2544	2508	{150EFD63-9304-4b2b-A236-75F8A4BB4A72}.exe	39
PID 2508 wrote to memory of 2544	2508	{150EFD63-9304-4b2b-A236-75F8A4BB4A72}.exe	39
PID 2508 wrote to memory of 2544	2508	{150EFD63-9304-4b2b-A236-75F8A4BB4A72}.exe	39
PID 2792 wrote to memory of 2784	2792	{31C32CED-F8EE-43ee-9859-B288B4F7C517}.exe	40
PID 2792 wrote to memory of 2784	2792	{31C32CED-F8EE-43ee-9859-B288B4F7C517}.exe	40
PID 2792 wrote to memory of 2784	2792	{31C32CED-F8EE-43ee-9859-B288B4F7C517}.exe	40
PID 2792 wrote to memory of 2784	2792	{31C32CED-F8EE-43ee-9859-B288B4F7C517}.exe	40
PID 2792 wrote to memory of 1876	2792	{31C32CED-F8EE-43ee-9859-B288B4F7C517}.exe	41
PID 2792 wrote to memory of 1876	2792	{31C32CED-F8EE-43ee-9859-B288B4F7C517}.exe	41
PID 2792 wrote to memory of 1876	2792	{31C32CED-F8EE-43ee-9859-B288B4F7C517}.exe	41
PID 2792 wrote to memory of 1876	2792	{31C32CED-F8EE-43ee-9859-B288B4F7C517}.exe	41
PID 2784 wrote to memory of 2764	2784	{87B2CB82-360B-429e-8B11-379F10D60E45}.exe	43
PID 2784 wrote to memory of 2764	2784	{87B2CB82-360B-429e-8B11-379F10D60E45}.exe	43
PID 2784 wrote to memory of 2764	2784	{87B2CB82-360B-429e-8B11-379F10D60E45}.exe	43
PID 2784 wrote to memory of 2764	2784	{87B2CB82-360B-429e-8B11-379F10D60E45}.exe	43
PID 2784 wrote to memory of 2280	2784	{87B2CB82-360B-429e-8B11-379F10D60E45}.exe	42
PID 2784 wrote to memory of 2280	2784	{87B2CB82-360B-429e-8B11-379F10D60E45}.exe	42
PID 2784 wrote to memory of 2280	2784	{87B2CB82-360B-429e-8B11-379F10D60E45}.exe	42
PID 2784 wrote to memory of 2280	2784	{87B2CB82-360B-429e-8B11-379F10D60E45}.exe	42
PID 2764 wrote to memory of 1660	2764	{763CEBE1-A28A-42fb-88FF-4838B176968B}.exe	44
PID 2764 wrote to memory of 1660	2764	{763CEBE1-A28A-42fb-88FF-4838B176968B}.exe	44
PID 2764 wrote to memory of 1660	2764	{763CEBE1-A28A-42fb-88FF-4838B176968B}.exe	44
PID 2764 wrote to memory of 1660	2764	{763CEBE1-A28A-42fb-88FF-4838B176968B}.exe	44
PID 2764 wrote to memory of 1092	2764	{763CEBE1-A28A-42fb-88FF-4838B176968B}.exe	45
PID 2764 wrote to memory of 1092	2764	{763CEBE1-A28A-42fb-88FF-4838B176968B}.exe	45
PID 2764 wrote to memory of 1092	2764	{763CEBE1-A28A-42fb-88FF-4838B176968B}.exe	45
PID 2764 wrote to memory of 1092	2764	{763CEBE1-A28A-42fb-88FF-4838B176968B}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-02-04_d8fba6b8bd61293524fbbb30b58a026a_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-04_d8fba6b8bd61293524fbbb30b58a026a_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2980
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:1676
- C:\Windows\{640CB9B4-4392-41c0-8233-955CB4A86BE9}.exe
  C:\Windows\{640CB9B4-4392-41c0-8233-955CB4A86BE9}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2996
- - C:\Windows\{C3C9C44E-02DF-4438-BFC6-5C2A6ABF96FD}.exe
    C:\Windows\{C3C9C44E-02DF-4438-BFC6-5C2A6ABF96FD}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2660
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{C3C9C~1.EXE > nul
      4⤵
      PID:2484
  - - C:\Windows\{9AF93722-1B4B-4ecb-95B3-0C894E61C93E}.exe
      C:\Windows\{9AF93722-1B4B-4ecb-95B3-0C894E61C93E}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1688
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9AF93~1.EXE > nul
        5⤵
        
        PID:2936
    - - C:\Windows\{150EFD63-9304-4b2b-A236-75F8A4BB4A72}.exe
        
        C:\Windows\{150EFD63-9304-4b2b-A236-75F8A4BB4A72}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2508
      - C:\Windows\{31C32CED-F8EE-43ee-9859-B288B4F7C517}.exe
        
        C:\Windows\{31C32CED-F8EE-43ee-9859-B288B4F7C517}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2792
        
        C:\Windows\{87B2CB82-360B-429e-8B11-379F10D60E45}.exe
        
        C:\Windows\{87B2CB82-360B-429e-8B11-379F10D60E45}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{87B2C~1.EXE > nul
        8⤵
        
        PID:2280
        
        C:\Windows\{763CEBE1-A28A-42fb-88FF-4838B176968B}.exe
        
        C:\Windows\{763CEBE1-A28A-42fb-88FF-4838B176968B}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2764
        
        C:\Windows\{5A468033-3021-4454-933D-212EC656EDE0}.exe
        
        C:\Windows\{5A468033-3021-4454-933D-212EC656EDE0}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1660
        
        C:\Windows\{8CAA043B-6813-43df-8C2F-3B4DFCB515C3}.exe
        
        C:\Windows\{8CAA043B-6813-43df-8C2F-3B4DFCB515C3}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8CAA0~1.EXE > nul
        11⤵
        
        PID:488
        
        C:\Windows\{016758CE-BA59-403b-BD0E-59CBE5A9551E}.exe
        
        C:\Windows\{016758CE-BA59-403b-BD0E-59CBE5A9551E}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{01675~1.EXE > nul
        12⤵
        
        PID:1016
        
        C:\Windows\{198FA6D5-327F-47f9-A33F-697F4A19E70C}.exe
        
        C:\Windows\{198FA6D5-327F-47f9-A33F-697F4A19E70C}.exe
        12⤵
        Executes dropped EXE
        
        PID:1204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5A468~1.EXE > nul
        10⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{763CE~1.EXE > nul
        9⤵
        
        PID:1092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{31C32~1.EXE > nul
        7⤵
        
        PID:1876
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{150EF~1.EXE > nul
        6⤵
        
        PID:2544
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{640CB~1.EXE > nul
    3⤵
    PID:2868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{016758CE-BA59-403b-BD0E-59CBE5A9551E}.exe

Filesize
45KB

MD5
8a7e03a2b153861ea3a24f36ecd5adc2

SHA1
fe279bc119d7264c347535ad6fe151cced522b1a

SHA256
19d662e92d005ede17195efcbaf7e352c27e29682ff0481e47181f00f27616aa

SHA512
020f9c622d306a3d7b0a60da53514b67aaf7a76589f05e6a356569af97a5ce0d172048906842e1f11e1b3ee6751dd93c7b76b5fc70b89d93878a81b65c3aee75

Download Submit
C:\Windows\{016758CE-BA59-403b-BD0E-59CBE5A9551E}.exe

Filesize
197KB

MD5
b00d375d294a54bd3382485a00c6da07

SHA1
f850f20088e7304c70f2739f0cfd8d261595ea6a

SHA256
7e00b98c327134a572ea63fdbf53726267ca89ac10b8b2e7884e73b25f4a5d27

SHA512
317c2a8093b4983301dabb5e4a1f26aeb48ca337ad4b3b54b240dd4bab8ac99393a41994cd7f0ba818ff2766695f904aac0f5fcc039d1a99716c8ed3e423da00

Download Submit
C:\Windows\{150EFD63-9304-4b2b-A236-75F8A4BB4A72}.exe

Filesize
42KB

MD5
13835fc2b6586124701a7e25c805b05a

SHA1
a23139abd5a4232b531edf8a453bc929d0718347

SHA256
a0adb2977a539f4896f4454767a012d4aa1dba360506a55656b0d6162c88067d

SHA512
dc7ef1a2c94dbd47ceb68809fbba07d3f6eee6a93b91f4155b2e610242379e06aa0a7bd0b5221f5a1d457a4263b1e00dc002ea258ddf585077280e0978c7e4fe

Download Submit
C:\Windows\{150EFD63-9304-4b2b-A236-75F8A4BB4A72}.exe

Filesize
197KB

MD5
5f2bf9f0b54acf77d333d9cdd870a234

SHA1
2604431728094948f47e04510d34e2810777344b

SHA256
d90b72339d0e91d40d72ad7b5c1386d6bda2b703cd984b482aace9e9e71533ce

SHA512
945f67904f6932eb521efa4832eaaeb67af29e5812b94ae80cecf236ef90072ad010ec26260a38f67ff7d0c348b4bbf5e73ee4f8b3cf05166f41eacb79a2353e

Download Submit
C:\Windows\{198FA6D5-327F-47f9-A33F-697F4A19E70C}.exe

Filesize
197KB

MD5
206bbb2b31fd3773dffbc03bc383803b

SHA1
3d8764cdf62b8859eaa3dcf7b438e20c2a51a9a1

SHA256
f613b4cdbf36a4388ae7ce8b22daa1353f6dc7434b6da7f54e834f5e8f5ba61e

SHA512
f4d7fd6c99ea143d8f9fa8c204809572e1ea0cd73ad4fc5d03e2e073ff41835680a7d8359e62fd4e289aa9e2a2ead44ce46153f1f0f8adba80eeb9e34ee5d96d

Download Submit
C:\Windows\{31C32CED-F8EE-43ee-9859-B288B4F7C517}.exe

Filesize
197KB

MD5
1294c8837e58f1ecf63f953d36cf80d6

SHA1
cf2dfe11cfd3107124b2674ba1a41b3487226527

SHA256
46dc8535e507b95ae9f56b9fff0c17bad88ccd7a1acbc1409a010157c3632486

SHA512
94439bab09d6d50668a105212b4ff1600769d3c1bffb06e940720dc2d096b2041f29976e3535fa2d49c04b5ae0ce8d0afcdd5e47a48168c62d4b578e13d9264a

Download Submit
C:\Windows\{5A468033-3021-4454-933D-212EC656EDE0}.exe

Filesize
197KB

MD5
1593bc64670c0b0f8d16350f0c6e887c

SHA1
f4b17b5f043f26fac54712ef4a6bf4a71bae8f94

SHA256
37e05587a43869f8ecae1247d9db939cb399df5b9a3b451bf739641dcb7a84a5

SHA512
86aaefbeb9e09280fa27c935f073160ed6c9b8c318f5deaae3f58fc1ea6e3eabe35f958c8702304b1aa642cfc18b28d02feb887f86a158f5d5876429245beac7

Download Submit
C:\Windows\{5A468033-3021-4454-933D-212EC656EDE0}.exe

Filesize
92KB

MD5
2c3fe51adaf736b839bf1ea85ed766c4

SHA1
65f7e9bf5e9abfb2f63c9f2439a1f99338f4ff99

SHA256
f02027586495638415f2738c5d18c9bc5386163c5f6a1848aba06d3e063eae0f

SHA512
0b7386838c64338c299abc27da0de88f4cd2dd45afd4ceb5cd42341ebac52434f2e120bd6840491188655edb640da14317a81870bc5c2068384e84f60ce0fd4f

Download Submit
C:\Windows\{640CB9B4-4392-41c0-8233-955CB4A86BE9}.exe

Filesize
157KB

MD5
3b4ac05a562c2e4ae3bd8a6293379dfb

SHA1
c199cf2ea70d1fb23f37985565d24c1803f9a364

SHA256
5f74d1e51cf05122775591a547743e3abb07e5b9b13e6917185afa6bd54e1421

SHA512
834ee50693d3c722708aaf8c8d3e92632798ca576bd0fc6245b4b42c8058c85d3e7f4012382ac05d6eced21bd1fc261faaa17fe27ed69f33915b8b616e6f2acf

Download Submit
C:\Windows\{640CB9B4-4392-41c0-8233-955CB4A86BE9}.exe

Filesize
197KB

MD5
637ef4471f01d114d8e4a8fde957e326

SHA1
f8331b5105158e33aeed75fba96fb7e110e251d2

SHA256
93b052f2dd78e49f72ae2c69fd21ca956ebd2c0e3eccc790e5ee54eb6cdd62c3

SHA512
bd35b1d72256d796ca2f782bb33f501307ba5d8baf43fb654a25363a612c19b0523f2fc5ca3ce788270df1f9811de5d7e4e2a555b0edb67be321beabedd0e0d8

Download Submit
C:\Windows\{763CEBE1-A28A-42fb-88FF-4838B176968B}.exe

Filesize
197KB

MD5
9e2a603d2376300ab3d787c5b393b05c

SHA1
d5ac29e6c93f1b995e73d90dd78bd25bfae34dde

SHA256
5d9dc29f7ff57ef42fd68cbfd8ebd7715cbf2c25e1944215b0a678c0f7119177

SHA512
574303f60454a2746ed4476ef4f919893e8b303a05512a9da7f606d47e78d6bf0e76aaa820d60bf29d1c16019f0fa3ec4dbd8002df62d8c30fe0c8aa64a12c62

Download Submit
C:\Windows\{87B2CB82-360B-429e-8B11-379F10D60E45}.exe

Filesize
197KB

MD5
8d22287112f8aa13fa94cce952eb26e5

SHA1
ba09ba5d280fa232b5921f507ad89ca1adca8b8b

SHA256
33301f006ccbbdbf4bdf14b1c3cb33107ad0e9d75c642c97f0d094214235000c

SHA512
a440733df24c872543c1ac727d4e6a4d706c448e3b6dfa68960401d1dc40b33244b0c65fdf43501c9b13ace7e805459f4222e31cb9136804bb6fce6f65f1269d

Download Submit
C:\Windows\{8CAA043B-6813-43df-8C2F-3B4DFCB515C3}.exe

Filesize
65KB

MD5
a44dbbc4222b38860b8e1283fc0977bd

SHA1
05c34c0d7422bc8762f3c1dfe3b5438aa88ce0d9

SHA256
542f9e36a05a77539e56e7ca4a682ac73200be58393531d22b2d5d8c28a9b0c3

SHA512
9c937983fc681196dd39be854dbedf559f0e741acc9648419d692a12e6d7926ac7091dfd4259f10b65f92160a50941ebcf2035a0d1bbfe503dbf30fa786ff5b2

Download Submit
C:\Windows\{8CAA043B-6813-43df-8C2F-3B4DFCB515C3}.exe

Filesize
60KB

MD5
7bf709001d3c13549f79561eed30aa00

SHA1
bae9828e2832804e4fa3b7b946c58425646ee8e8

SHA256
67f9184634d727c820ded31cc1676cc2b80544c7e98e4e45129a7337ce41503e

SHA512
42752351b46036cc4d35a9a1dc4e99e8ce8092c6d660b6dc253f7532d9607679b2d4e1a38a0fd2db0c7d2ac4bd7ac9473c73983ee7c831d91de2afd180b009d3

Download Submit
C:\Windows\{9AF93722-1B4B-4ecb-95B3-0C894E61C93E}.exe

Filesize
52KB

MD5
b896d58033c86f3726a77848608cd415

SHA1
9229195fe3b86d921544ed172d82f59c5bc4348e

SHA256
93060d9079814843de19f09f095e0950b2da63d5f0ae40f276bb81e5fc07ed37

SHA512
811d20b2218435e10811d7fbe9ab9f213a9eea44372717dcd09228aea9d84e73481f3136199a2f352ee6d4fb7954fd7bc2e4ad18a68ab809885830762c27b3f3

Download Submit
C:\Windows\{9AF93722-1B4B-4ecb-95B3-0C894E61C93E}.exe

Filesize
23KB

MD5
1b2f83915f0c5e4c2705ce2166492953

SHA1
260ea004042179236104a10bae2e5189a0cc3287

SHA256
4cfd64b8cfdcba273f8527ccebb96b7c905d5c6f761facf4272a253fa2165442

SHA512
f782fa53c83a6dff8ebf69036c7619f87906cad83d3e9751f1be9bfcb9976b7644ddae1dba577d553421624759010239a14e509adaee3de67662152ba01dd732

Download Submit
C:\Windows\{C3C9C44E-02DF-4438-BFC6-5C2A6ABF96FD}.exe

Filesize
114KB

MD5
41d7d27d82e64b91fa7c6c13a19f8dfc

SHA1
87b34d1b0396e0603b40dbb1a50ae9fe052406a3

SHA256
6a85fa81db4a87a009ab92a16fc0a1be2b83f35bba471c920cce2eafdafac4b5

SHA512
b7ae19fcc71a65e21ee4d2db70783c0ed174c870d2acf7ebb3d225ca5f2a3d54d697ca43ec3608317b80641c73bfa79c0e83d3cfecee45dc4ec67f656e467b9b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads