f44c7cd33f6ea5991555c9a3b0ef660b553fce2b27513cc860262d4c59a8ae23

Analysis

max time kernel
144s
max time network
120s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
04-02-2024 05:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-04_375b370e8111f0e435083b45f6e68365_goldeneye.exe
Size

197KB
MD5

375b370e8111f0e435083b45f6e68365
SHA1

0d9db2d848abc8c2e864c48d42254e50dad9e70b
SHA256

f44c7cd33f6ea5991555c9a3b0ef660b553fce2b27513cc860262d4c59a8ae23
SHA512

e233c4be6766dcadba859fa45d33eb11b7f184abff331b48779c24c8fd33f87a745160e1b55d66ec9537114e4a351b29ed9288ffec02242e4dcc199a31afde8a
SSDEEP

3072:jEGh0osl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGSlEeKcAEca

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000800000000b529-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000900000000b529-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a00000000b529-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b00000000b529-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c00000000b529-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000004ed7-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d00000000b529-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EAC11C52-584E-41c1-8546-179272CBB643}	{467EEAEE-8492-43b4-8959-E8753BA12170}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8D4A2B04-09B2-42b6-B1FC-829E5E32F20D}	{2172DE1F-7DEE-4fed-8A16-346DF6485CC6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{26F9FA6A-5597-458e-9BA5-B87021DAAFDA}\stubpath = "C:\\Windows\\{26F9FA6A-5597-458e-9BA5-B87021DAAFDA}.exe"	{D5088E9A-DABE-4f35-A7E3-DE4DF8E2A8AD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5636D1F1-36E0-46be-B7A1-9C5DE93EF643}\stubpath = "C:\\Windows\\{5636D1F1-36E0-46be-B7A1-9C5DE93EF643}.exe"	{98D24863-5135-4dd1-A53B-963B60EFC10A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E96BA8CD-0A73-489f-AFD0-B8A181ECA96A}\stubpath = "C:\\Windows\\{E96BA8CD-0A73-489f-AFD0-B8A181ECA96A}.exe"	2024-02-04_375b370e8111f0e435083b45f6e68365_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EAC11C52-584E-41c1-8546-179272CBB643}\stubpath = "C:\\Windows\\{EAC11C52-584E-41c1-8546-179272CBB643}.exe"	{467EEAEE-8492-43b4-8959-E8753BA12170}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8D4A2B04-09B2-42b6-B1FC-829E5E32F20D}\stubpath = "C:\\Windows\\{8D4A2B04-09B2-42b6-B1FC-829E5E32F20D}.exe"	{2172DE1F-7DEE-4fed-8A16-346DF6485CC6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D5088E9A-DABE-4f35-A7E3-DE4DF8E2A8AD}	{A635082D-3243-462c-A692-FFDF2CBA7A39}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{98D24863-5135-4dd1-A53B-963B60EFC10A}\stubpath = "C:\\Windows\\{98D24863-5135-4dd1-A53B-963B60EFC10A}.exe"	{26F9FA6A-5597-458e-9BA5-B87021DAAFDA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D5088E9A-DABE-4f35-A7E3-DE4DF8E2A8AD}\stubpath = "C:\\Windows\\{D5088E9A-DABE-4f35-A7E3-DE4DF8E2A8AD}.exe"	{A635082D-3243-462c-A692-FFDF2CBA7A39}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E96BA8CD-0A73-489f-AFD0-B8A181ECA96A}	2024-02-04_375b370e8111f0e435083b45f6e68365_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{59BC98B8-03E7-49e7-8FE7-D5CA586588F7}	{E96BA8CD-0A73-489f-AFD0-B8A181ECA96A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{59BC98B8-03E7-49e7-8FE7-D5CA586588F7}\stubpath = "C:\\Windows\\{59BC98B8-03E7-49e7-8FE7-D5CA586588F7}.exe"	{E96BA8CD-0A73-489f-AFD0-B8A181ECA96A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{467EEAEE-8492-43b4-8959-E8753BA12170}\stubpath = "C:\\Windows\\{467EEAEE-8492-43b4-8959-E8753BA12170}.exe"	{59BC98B8-03E7-49e7-8FE7-D5CA586588F7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2172DE1F-7DEE-4fed-8A16-346DF6485CC6}	{EAC11C52-584E-41c1-8546-179272CBB643}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A635082D-3243-462c-A692-FFDF2CBA7A39}	{8D4A2B04-09B2-42b6-B1FC-829E5E32F20D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A635082D-3243-462c-A692-FFDF2CBA7A39}\stubpath = "C:\\Windows\\{A635082D-3243-462c-A692-FFDF2CBA7A39}.exe"	{8D4A2B04-09B2-42b6-B1FC-829E5E32F20D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{98D24863-5135-4dd1-A53B-963B60EFC10A}	{26F9FA6A-5597-458e-9BA5-B87021DAAFDA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{467EEAEE-8492-43b4-8959-E8753BA12170}	{59BC98B8-03E7-49e7-8FE7-D5CA586588F7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2172DE1F-7DEE-4fed-8A16-346DF6485CC6}\stubpath = "C:\\Windows\\{2172DE1F-7DEE-4fed-8A16-346DF6485CC6}.exe"	{EAC11C52-584E-41c1-8546-179272CBB643}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{26F9FA6A-5597-458e-9BA5-B87021DAAFDA}	{D5088E9A-DABE-4f35-A7E3-DE4DF8E2A8AD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5636D1F1-36E0-46be-B7A1-9C5DE93EF643}	{98D24863-5135-4dd1-A53B-963B60EFC10A}.exe

Deletes itself 1 IoCs

pid	Process
1972	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
3012	{E96BA8CD-0A73-489f-AFD0-B8A181ECA96A}.exe
1460	{59BC98B8-03E7-49e7-8FE7-D5CA586588F7}.exe
2724	{467EEAEE-8492-43b4-8959-E8753BA12170}.exe
2780	{EAC11C52-584E-41c1-8546-179272CBB643}.exe
2632	{2172DE1F-7DEE-4fed-8A16-346DF6485CC6}.exe
2020	{8D4A2B04-09B2-42b6-B1FC-829E5E32F20D}.exe
2400	{A635082D-3243-462c-A692-FFDF2CBA7A39}.exe
2140	{D5088E9A-DABE-4f35-A7E3-DE4DF8E2A8AD}.exe
1288	{26F9FA6A-5597-458e-9BA5-B87021DAAFDA}.exe
1244	{98D24863-5135-4dd1-A53B-963B60EFC10A}.exe
2824	{5636D1F1-36E0-46be-B7A1-9C5DE93EF643}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{A635082D-3243-462c-A692-FFDF2CBA7A39}.exe	{8D4A2B04-09B2-42b6-B1FC-829E5E32F20D}.exe
File created	C:\Windows\{59BC98B8-03E7-49e7-8FE7-D5CA586588F7}.exe	{E96BA8CD-0A73-489f-AFD0-B8A181ECA96A}.exe
File created	C:\Windows\{EAC11C52-584E-41c1-8546-179272CBB643}.exe	{467EEAEE-8492-43b4-8959-E8753BA12170}.exe
File created	C:\Windows\{2172DE1F-7DEE-4fed-8A16-346DF6485CC6}.exe	{EAC11C52-584E-41c1-8546-179272CBB643}.exe
File created	C:\Windows\{8D4A2B04-09B2-42b6-B1FC-829E5E32F20D}.exe	{2172DE1F-7DEE-4fed-8A16-346DF6485CC6}.exe
File created	C:\Windows\{98D24863-5135-4dd1-A53B-963B60EFC10A}.exe	{26F9FA6A-5597-458e-9BA5-B87021DAAFDA}.exe
File created	C:\Windows\{5636D1F1-36E0-46be-B7A1-9C5DE93EF643}.exe	{98D24863-5135-4dd1-A53B-963B60EFC10A}.exe
File created	C:\Windows\{E96BA8CD-0A73-489f-AFD0-B8A181ECA96A}.exe	2024-02-04_375b370e8111f0e435083b45f6e68365_goldeneye.exe
File created	C:\Windows\{467EEAEE-8492-43b4-8959-E8753BA12170}.exe	{59BC98B8-03E7-49e7-8FE7-D5CA586588F7}.exe
File created	C:\Windows\{D5088E9A-DABE-4f35-A7E3-DE4DF8E2A8AD}.exe	{A635082D-3243-462c-A692-FFDF2CBA7A39}.exe
File created	C:\Windows\{26F9FA6A-5597-458e-9BA5-B87021DAAFDA}.exe	{D5088E9A-DABE-4f35-A7E3-DE4DF8E2A8AD}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1984	2024-02-04_375b370e8111f0e435083b45f6e68365_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3012	{E96BA8CD-0A73-489f-AFD0-B8A181ECA96A}.exe
Token: SeIncBasePriorityPrivilege	1460	{59BC98B8-03E7-49e7-8FE7-D5CA586588F7}.exe
Token: SeIncBasePriorityPrivilege	2724	{467EEAEE-8492-43b4-8959-E8753BA12170}.exe
Token: SeIncBasePriorityPrivilege	2780	{EAC11C52-584E-41c1-8546-179272CBB643}.exe
Token: SeIncBasePriorityPrivilege	2632	{2172DE1F-7DEE-4fed-8A16-346DF6485CC6}.exe
Token: SeIncBasePriorityPrivilege	2020	{8D4A2B04-09B2-42b6-B1FC-829E5E32F20D}.exe
Token: SeIncBasePriorityPrivilege	2400	{A635082D-3243-462c-A692-FFDF2CBA7A39}.exe
Token: SeIncBasePriorityPrivilege	2140	{D5088E9A-DABE-4f35-A7E3-DE4DF8E2A8AD}.exe
Token: SeIncBasePriorityPrivilege	1288	{26F9FA6A-5597-458e-9BA5-B87021DAAFDA}.exe
Token: SeIncBasePriorityPrivilege	1244	{98D24863-5135-4dd1-A53B-963B60EFC10A}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1984 wrote to memory of 3012	1984	2024-02-04_375b370e8111f0e435083b45f6e68365_goldeneye.exe	28
PID 1984 wrote to memory of 3012	1984	2024-02-04_375b370e8111f0e435083b45f6e68365_goldeneye.exe	28
PID 1984 wrote to memory of 3012	1984	2024-02-04_375b370e8111f0e435083b45f6e68365_goldeneye.exe	28
PID 1984 wrote to memory of 3012	1984	2024-02-04_375b370e8111f0e435083b45f6e68365_goldeneye.exe	28
PID 1984 wrote to memory of 1972	1984	2024-02-04_375b370e8111f0e435083b45f6e68365_goldeneye.exe	29
PID 1984 wrote to memory of 1972	1984	2024-02-04_375b370e8111f0e435083b45f6e68365_goldeneye.exe	29
PID 1984 wrote to memory of 1972	1984	2024-02-04_375b370e8111f0e435083b45f6e68365_goldeneye.exe	29
PID 1984 wrote to memory of 1972	1984	2024-02-04_375b370e8111f0e435083b45f6e68365_goldeneye.exe	29
PID 3012 wrote to memory of 1460	3012	{E96BA8CD-0A73-489f-AFD0-B8A181ECA96A}.exe	32
PID 3012 wrote to memory of 1460	3012	{E96BA8CD-0A73-489f-AFD0-B8A181ECA96A}.exe	32
PID 3012 wrote to memory of 1460	3012	{E96BA8CD-0A73-489f-AFD0-B8A181ECA96A}.exe	32
PID 3012 wrote to memory of 1460	3012	{E96BA8CD-0A73-489f-AFD0-B8A181ECA96A}.exe	32
PID 3012 wrote to memory of 2808	3012	{E96BA8CD-0A73-489f-AFD0-B8A181ECA96A}.exe	33
PID 3012 wrote to memory of 2808	3012	{E96BA8CD-0A73-489f-AFD0-B8A181ECA96A}.exe	33
PID 3012 wrote to memory of 2808	3012	{E96BA8CD-0A73-489f-AFD0-B8A181ECA96A}.exe	33
PID 3012 wrote to memory of 2808	3012	{E96BA8CD-0A73-489f-AFD0-B8A181ECA96A}.exe	33
PID 1460 wrote to memory of 2724	1460	{59BC98B8-03E7-49e7-8FE7-D5CA586588F7}.exe	35
PID 1460 wrote to memory of 2724	1460	{59BC98B8-03E7-49e7-8FE7-D5CA586588F7}.exe	35
PID 1460 wrote to memory of 2724	1460	{59BC98B8-03E7-49e7-8FE7-D5CA586588F7}.exe	35
PID 1460 wrote to memory of 2724	1460	{59BC98B8-03E7-49e7-8FE7-D5CA586588F7}.exe	35
PID 1460 wrote to memory of 2964	1460	{59BC98B8-03E7-49e7-8FE7-D5CA586588F7}.exe	34
PID 1460 wrote to memory of 2964	1460	{59BC98B8-03E7-49e7-8FE7-D5CA586588F7}.exe	34
PID 1460 wrote to memory of 2964	1460	{59BC98B8-03E7-49e7-8FE7-D5CA586588F7}.exe	34
PID 1460 wrote to memory of 2964	1460	{59BC98B8-03E7-49e7-8FE7-D5CA586588F7}.exe	34
PID 2724 wrote to memory of 2780	2724	{467EEAEE-8492-43b4-8959-E8753BA12170}.exe	37
PID 2724 wrote to memory of 2780	2724	{467EEAEE-8492-43b4-8959-E8753BA12170}.exe	37
PID 2724 wrote to memory of 2780	2724	{467EEAEE-8492-43b4-8959-E8753BA12170}.exe	37
PID 2724 wrote to memory of 2780	2724	{467EEAEE-8492-43b4-8959-E8753BA12170}.exe	37
PID 2724 wrote to memory of 2116	2724	{467EEAEE-8492-43b4-8959-E8753BA12170}.exe	36
PID 2724 wrote to memory of 2116	2724	{467EEAEE-8492-43b4-8959-E8753BA12170}.exe	36
PID 2724 wrote to memory of 2116	2724	{467EEAEE-8492-43b4-8959-E8753BA12170}.exe	36
PID 2724 wrote to memory of 2116	2724	{467EEAEE-8492-43b4-8959-E8753BA12170}.exe	36
PID 2780 wrote to memory of 2632	2780	{EAC11C52-584E-41c1-8546-179272CBB643}.exe	38
PID 2780 wrote to memory of 2632	2780	{EAC11C52-584E-41c1-8546-179272CBB643}.exe	38
PID 2780 wrote to memory of 2632	2780	{EAC11C52-584E-41c1-8546-179272CBB643}.exe	38
PID 2780 wrote to memory of 2632	2780	{EAC11C52-584E-41c1-8546-179272CBB643}.exe	38
PID 2780 wrote to memory of 2512	2780	{EAC11C52-584E-41c1-8546-179272CBB643}.exe	39
PID 2780 wrote to memory of 2512	2780	{EAC11C52-584E-41c1-8546-179272CBB643}.exe	39
PID 2780 wrote to memory of 2512	2780	{EAC11C52-584E-41c1-8546-179272CBB643}.exe	39
PID 2780 wrote to memory of 2512	2780	{EAC11C52-584E-41c1-8546-179272CBB643}.exe	39
PID 2632 wrote to memory of 2020	2632	{2172DE1F-7DEE-4fed-8A16-346DF6485CC6}.exe	40
PID 2632 wrote to memory of 2020	2632	{2172DE1F-7DEE-4fed-8A16-346DF6485CC6}.exe	40
PID 2632 wrote to memory of 2020	2632	{2172DE1F-7DEE-4fed-8A16-346DF6485CC6}.exe	40
PID 2632 wrote to memory of 2020	2632	{2172DE1F-7DEE-4fed-8A16-346DF6485CC6}.exe	40
PID 2632 wrote to memory of 1576	2632	{2172DE1F-7DEE-4fed-8A16-346DF6485CC6}.exe	41
PID 2632 wrote to memory of 1576	2632	{2172DE1F-7DEE-4fed-8A16-346DF6485CC6}.exe	41
PID 2632 wrote to memory of 1576	2632	{2172DE1F-7DEE-4fed-8A16-346DF6485CC6}.exe	41
PID 2632 wrote to memory of 1576	2632	{2172DE1F-7DEE-4fed-8A16-346DF6485CC6}.exe	41
PID 2020 wrote to memory of 2400	2020	{8D4A2B04-09B2-42b6-B1FC-829E5E32F20D}.exe	42
PID 2020 wrote to memory of 2400	2020	{8D4A2B04-09B2-42b6-B1FC-829E5E32F20D}.exe	42
PID 2020 wrote to memory of 2400	2020	{8D4A2B04-09B2-42b6-B1FC-829E5E32F20D}.exe	42
PID 2020 wrote to memory of 2400	2020	{8D4A2B04-09B2-42b6-B1FC-829E5E32F20D}.exe	42
PID 2020 wrote to memory of 1764	2020	{8D4A2B04-09B2-42b6-B1FC-829E5E32F20D}.exe	43
PID 2020 wrote to memory of 1764	2020	{8D4A2B04-09B2-42b6-B1FC-829E5E32F20D}.exe	43
PID 2020 wrote to memory of 1764	2020	{8D4A2B04-09B2-42b6-B1FC-829E5E32F20D}.exe	43
PID 2020 wrote to memory of 1764	2020	{8D4A2B04-09B2-42b6-B1FC-829E5E32F20D}.exe	43
PID 2400 wrote to memory of 2140	2400	{A635082D-3243-462c-A692-FFDF2CBA7A39}.exe	44
PID 2400 wrote to memory of 2140	2400	{A635082D-3243-462c-A692-FFDF2CBA7A39}.exe	44
PID 2400 wrote to memory of 2140	2400	{A635082D-3243-462c-A692-FFDF2CBA7A39}.exe	44
PID 2400 wrote to memory of 2140	2400	{A635082D-3243-462c-A692-FFDF2CBA7A39}.exe	44
PID 2400 wrote to memory of 1820	2400	{A635082D-3243-462c-A692-FFDF2CBA7A39}.exe	45
PID 2400 wrote to memory of 1820	2400	{A635082D-3243-462c-A692-FFDF2CBA7A39}.exe	45
PID 2400 wrote to memory of 1820	2400	{A635082D-3243-462c-A692-FFDF2CBA7A39}.exe	45
PID 2400 wrote to memory of 1820	2400	{A635082D-3243-462c-A692-FFDF2CBA7A39}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-02-04_375b370e8111f0e435083b45f6e68365_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-04_375b370e8111f0e435083b45f6e68365_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1984
- C:\Windows\{E96BA8CD-0A73-489f-AFD0-B8A181ECA96A}.exe
  C:\Windows\{E96BA8CD-0A73-489f-AFD0-B8A181ECA96A}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3012
- - C:\Windows\{59BC98B8-03E7-49e7-8FE7-D5CA586588F7}.exe
    C:\Windows\{59BC98B8-03E7-49e7-8FE7-D5CA586588F7}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1460
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{59BC9~1.EXE > nul
      4⤵
      PID:2964
  - - C:\Windows\{467EEAEE-8492-43b4-8959-E8753BA12170}.exe
      C:\Windows\{467EEAEE-8492-43b4-8959-E8753BA12170}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2724
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{467EE~1.EXE > nul
        5⤵
        
        PID:2116
    - - C:\Windows\{EAC11C52-584E-41c1-8546-179272CBB643}.exe
        
        C:\Windows\{EAC11C52-584E-41c1-8546-179272CBB643}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2780
      - C:\Windows\{2172DE1F-7DEE-4fed-8A16-346DF6485CC6}.exe
        
        C:\Windows\{2172DE1F-7DEE-4fed-8A16-346DF6485CC6}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2632
        
        C:\Windows\{8D4A2B04-09B2-42b6-B1FC-829E5E32F20D}.exe
        
        C:\Windows\{8D4A2B04-09B2-42b6-B1FC-829E5E32F20D}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2020
        
        C:\Windows\{A635082D-3243-462c-A692-FFDF2CBA7A39}.exe
        
        C:\Windows\{A635082D-3243-462c-A692-FFDF2CBA7A39}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2400
        
        C:\Windows\{D5088E9A-DABE-4f35-A7E3-DE4DF8E2A8AD}.exe
        
        C:\Windows\{D5088E9A-DABE-4f35-A7E3-DE4DF8E2A8AD}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D5088~1.EXE > nul
        10⤵
        
        PID:1280
        
        C:\Windows\{26F9FA6A-5597-458e-9BA5-B87021DAAFDA}.exe
        
        C:\Windows\{26F9FA6A-5597-458e-9BA5-B87021DAAFDA}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{26F9F~1.EXE > nul
        11⤵
        
        PID:2860
        
        C:\Windows\{98D24863-5135-4dd1-A53B-963B60EFC10A}.exe
        
        C:\Windows\{98D24863-5135-4dd1-A53B-963B60EFC10A}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1244
        
        C:\Windows\{5636D1F1-36E0-46be-B7A1-9C5DE93EF643}.exe
        
        C:\Windows\{5636D1F1-36E0-46be-B7A1-9C5DE93EF643}.exe
        12⤵
        Executes dropped EXE
        
        PID:2824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{98D24~1.EXE > nul
        12⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A6350~1.EXE > nul
        9⤵
        
        PID:1820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8D4A2~1.EXE > nul
        8⤵
        
        PID:1764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2172D~1.EXE > nul
        7⤵
        
        PID:1576
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EAC11~1.EXE > nul
        6⤵
        
        PID:2512
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{E96BA~1.EXE > nul
    3⤵
    PID:2808
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:1972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{2172DE1F-7DEE-4fed-8A16-346DF6485CC6}.exe

Filesize
197KB

MD5
9118536b3c17ba0412d1709b02435b29

SHA1
39601aeda8dbbde1ec5629fb82855025912ec5c2

SHA256
c6a83ba611659beddc619d54f6f594bb6df0bbb9cd0a48b26282341afd878e06

SHA512
52f97b5797e36b64c857e98a24cf26f283f5fbc29b7d6211f3b0c16672401af76d4eda5e6bc20a614d8dd4fb38f4bb35248d65e80945e870c72286651164ff67

Download Submit
C:\Windows\{26F9FA6A-5597-458e-9BA5-B87021DAAFDA}.exe

Filesize
197KB

MD5
5e651ae8233bfcb547f7be008b7230c1

SHA1
10c8b9a44fa0e6592ae2f5b9879256b6e40ad954

SHA256
8c2aa580e5e07070ed0ef4d699452788637ec948b1ec502f52abdcd45fec6148

SHA512
f02499de0adf2f8b417e94d4d530a8d2323c54437bfca7dd6f0a7fcb585d76b5718157a94aaccb60fae2155cec1c4a5f39ded6926ee5fd4fd69bea0d3456e58d

Download Submit
C:\Windows\{467EEAEE-8492-43b4-8959-E8753BA12170}.exe

Filesize
197KB

MD5
3fb32f5b5cde4b604c396bc3bd746c21

SHA1
ab2a1d3377289226664a457458c575e38e484ecc

SHA256
b4ecd8850c0de6bca6bc9610808facff4b3968a2616c7ae77e445a866ba1522f

SHA512
d3463b5e9d8726a74d55e668480730b7b17688eb39a8b7d326cf74b18d7f49730a8bdf02ad807e8512f422428f52fdb4aba85a580f5879b5feb12fa82e180145

Download Submit
C:\Windows\{5636D1F1-36E0-46be-B7A1-9C5DE93EF643}.exe

Filesize
197KB

MD5
ee3cbbcc2fda3c6cf1426fbc5c1a63b6

SHA1
0897e5bf86c8395744c6734fa83d86d001bae56c

SHA256
77e525c6d132a85578aeaf4f967c665b962c70692bfaa7cae0d227ccfc6fddb6

SHA512
a24e911c9e564e72ae6562cf3723182a920d85ada62733398f1633aac31b2f77831e6469d8fb5c852d4ad422dcb84e9b673fdeb695448f30a9290f1e53c13063

Download Submit
C:\Windows\{59BC98B8-03E7-49e7-8FE7-D5CA586588F7}.exe

Filesize
197KB

MD5
9584a7631263b8ee336ac549ab8d4d35

SHA1
b559cd50cf2431f4ccb7e587df345ea72327bbaa

SHA256
aef8df2b44b593bf87786491140437f732f4c8a798f92981c5ff20752f4e0307

SHA512
a7263810d2f483a1c3ebb8e12fec289bb36043cffdb53a58613b17ab2edd06a7be371e63b029675184b3e8cf39e98f24d1cb5a73806bdff548cc12eba42dafd8

Download Submit
C:\Windows\{8D4A2B04-09B2-42b6-B1FC-829E5E32F20D}.exe

Filesize
197KB

MD5
302c21ae4cf548f9bf1af38d85754481

SHA1
8349e3ffce40f547c4c7d43abff6d06435cc83ce

SHA256
a82abcdcbfa94eba1240fe92631367bf6e30f5e756ed0a85e46f5190a5ba7adc

SHA512
aa6c452023ce4d0738a7fc29b22cd8ba2a0862b8bfa20779f0c688a1f0980fbc4b01c133a679cb3c17e41968facfd173a923134e180d79f51f60f41d0cc9735e

Download Submit
C:\Windows\{98D24863-5135-4dd1-A53B-963B60EFC10A}.exe

Filesize
197KB

MD5
2dd0b2a4537e5a51ec785c5bcc4bae18

SHA1
965e8b14b7e2fae4fb17e345ebd78803e7c36111

SHA256
0adedbb04ce00217e842decc218ab551679e9ccde267d93be2cc31618f5e0dfc

SHA512
16593e1600335928ad0899c7dd24c7cb350d8cc63f9eb34829dc9a4401827d69f0bab54291958d7b02ec322cf596d92b181b5e8a8e51822927a572da56108454

Download Submit
C:\Windows\{A635082D-3243-462c-A692-FFDF2CBA7A39}.exe

Filesize
197KB

MD5
2ce2dafe339b2b71624e0f68d36201e8

SHA1
7763fe7a73636e886ced1b5240939bf036067838

SHA256
6c606dd82d44d4d372c9c7140e863e4cb67076ae259d53b6bd915b512a7a986f

SHA512
aa853252bcd79512513029b53e6c7ec0f9180abc206730656979f21e2f9f6d9512361b694ae364fb63565dfa0140614b2124b144bcefc842f01ad3da77395ea1

Download Submit
C:\Windows\{D5088E9A-DABE-4f35-A7E3-DE4DF8E2A8AD}.exe

Filesize
197KB

MD5
ba291c6b1374d243be6e313b1299f8ca

SHA1
cf17bae4f84adec0de3526de06d6b1d7a93f8d4d

SHA256
4dac3738b64ce61305372eb7c384b394934b229c8932cf6bdc40f10ed29e0341

SHA512
26fb8a9402999dcec04947c06450ee725aa4182b9e968b3827f8444bdc07a834e7e1c9f8f6b3d0eefccfdc8587e5ecdc6ce0a6b08899576cf86f39bc4ac78b86

Download Submit
C:\Windows\{E96BA8CD-0A73-489f-AFD0-B8A181ECA96A}.exe

Filesize
197KB

MD5
3936bdb611ea2710382b1ba4a87e198b

SHA1
7c14250198fccd72f018690dccb276fea2013d2f

SHA256
916ce7ccd114cc81140d52b9f27ea770a30df79f1ec967e1d6daaba83b19d48a

SHA512
12bc9a899c3d10a60e02ac1f3663a6328ab332f73285eda03151ab6cf13acc5c073924e63dfa5b5b39c3eace95320af42a584a0fd8bbd6fbf81be919ddc02ad7

Download Submit
C:\Windows\{EAC11C52-584E-41c1-8546-179272CBB643}.exe

Filesize
197KB

MD5
ac032af8d588636b2e34fe3c0f69782b

SHA1
e8c45cf843a29d61d820d8ecd0356fd95d678bcf

SHA256
8acfe547c4669f759db0667bd08dfc6294c06da91a2593089e39558e29a756b2

SHA512
48200e780799f66dc489f0b8e92d630694b4ae4205eebbd5b33604612f715a1a8a84aee866415aec818e0a50bdc7774b30da7c17c2f5c9b79aa542be78ad4708

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads