113ba559bc178bfe524b756b4373f378647548838ab11007dcc7571b209e021a

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
11/02/2024, 21:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-11_116cdcc3985aaa210782c5000d1bdc68_goldeneye.exe
Size

344KB
MD5

116cdcc3985aaa210782c5000d1bdc68
SHA1

a7ccc72b029687e96ec959ce5f601c56b7fe0ddb
SHA256

113ba559bc178bfe524b756b4373f378647548838ab11007dcc7571b209e021a
SHA512

7719cc3688fd924f2e5af3e6f1128a7920b407eead4296f3d6aa641dd392a338b03cada8ff81dbcb7fc40b9fbb34badc276557bf2af4c25e195681693e41773c
SSDEEP

3072:mEGh0orlEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGplqOe2MUVg3v2IneKcAEcA

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral1/files/0x000c0000000133b0-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c0000000133b0-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d00000001342b-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d0000000133b0-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a000000013a21-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000005a59-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e0000000133b0-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000005a59-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f0000000133b0-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000005a59-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00100000000133b0-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000005a59-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{939DBF6C-F56F-4282-8641-1495B888946B}	{51EC9303-932C-4008-B632-F97D75712AA8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{939DBF6C-F56F-4282-8641-1495B888946B}\stubpath = "C:\\Windows\\{939DBF6C-F56F-4282-8641-1495B888946B}.exe"	{51EC9303-932C-4008-B632-F97D75712AA8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{53FE7572-FB91-4933-BDBF-EA7B6880CA76}\stubpath = "C:\\Windows\\{53FE7572-FB91-4933-BDBF-EA7B6880CA76}.exe"	{939DBF6C-F56F-4282-8641-1495B888946B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A6611600-B03B-46d4-997E-538E4DE1B606}\stubpath = "C:\\Windows\\{A6611600-B03B-46d4-997E-538E4DE1B606}.exe"	2024-02-11_116cdcc3985aaa210782c5000d1bdc68_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8D084C27-5546-45ab-BA7B-59F340916911}\stubpath = "C:\\Windows\\{8D084C27-5546-45ab-BA7B-59F340916911}.exe"	{A6611600-B03B-46d4-997E-538E4DE1B606}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{99B75006-A21C-4bd8-9AA5-FBC76A51C2D4}	{8D084C27-5546-45ab-BA7B-59F340916911}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F10626E3-5BB2-4d28-AE48-2B018FB95360}	{99B75006-A21C-4bd8-9AA5-FBC76A51C2D4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F10626E3-5BB2-4d28-AE48-2B018FB95360}\stubpath = "C:\\Windows\\{F10626E3-5BB2-4d28-AE48-2B018FB95360}.exe"	{99B75006-A21C-4bd8-9AA5-FBC76A51C2D4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5049A0F0-88F4-4323-A8DC-54BF9B9A2CBF}\stubpath = "C:\\Windows\\{5049A0F0-88F4-4323-A8DC-54BF9B9A2CBF}.exe"	{53FE7572-FB91-4933-BDBF-EA7B6880CA76}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C337F3BA-A64B-4b96-A895-A575061544BE}	{0E5376EB-466F-4928-B8F9-3F95C4F9E706}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{53FE7572-FB91-4933-BDBF-EA7B6880CA76}	{939DBF6C-F56F-4282-8641-1495B888946B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0E5376EB-466F-4928-B8F9-3F95C4F9E706}\stubpath = "C:\\Windows\\{0E5376EB-466F-4928-B8F9-3F95C4F9E706}.exe"	{5049A0F0-88F4-4323-A8DC-54BF9B9A2CBF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{51EC9303-932C-4008-B632-F97D75712AA8}\stubpath = "C:\\Windows\\{51EC9303-932C-4008-B632-F97D75712AA8}.exe"	{F10626E3-5BB2-4d28-AE48-2B018FB95360}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5049A0F0-88F4-4323-A8DC-54BF9B9A2CBF}	{53FE7572-FB91-4933-BDBF-EA7B6880CA76}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0E5376EB-466F-4928-B8F9-3F95C4F9E706}	{5049A0F0-88F4-4323-A8DC-54BF9B9A2CBF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{348658DE-C62B-485d-BB51-D18F795B7A54}	{C337F3BA-A64B-4b96-A895-A575061544BE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{348658DE-C62B-485d-BB51-D18F795B7A54}\stubpath = "C:\\Windows\\{348658DE-C62B-485d-BB51-D18F795B7A54}.exe"	{C337F3BA-A64B-4b96-A895-A575061544BE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A6611600-B03B-46d4-997E-538E4DE1B606}	2024-02-11_116cdcc3985aaa210782c5000d1bdc68_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8D084C27-5546-45ab-BA7B-59F340916911}	{A6611600-B03B-46d4-997E-538E4DE1B606}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{99B75006-A21C-4bd8-9AA5-FBC76A51C2D4}\stubpath = "C:\\Windows\\{99B75006-A21C-4bd8-9AA5-FBC76A51C2D4}.exe"	{8D084C27-5546-45ab-BA7B-59F340916911}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{51EC9303-932C-4008-B632-F97D75712AA8}	{F10626E3-5BB2-4d28-AE48-2B018FB95360}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C337F3BA-A64B-4b96-A895-A575061544BE}\stubpath = "C:\\Windows\\{C337F3BA-A64B-4b96-A895-A575061544BE}.exe"	{0E5376EB-466F-4928-B8F9-3F95C4F9E706}.exe

Deletes itself 1 IoCs

pid	Process
2224	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2868	{A6611600-B03B-46d4-997E-538E4DE1B606}.exe
2660	{8D084C27-5546-45ab-BA7B-59F340916911}.exe
2812	{99B75006-A21C-4bd8-9AA5-FBC76A51C2D4}.exe
768	{F10626E3-5BB2-4d28-AE48-2B018FB95360}.exe
2000	{51EC9303-932C-4008-B632-F97D75712AA8}.exe
764	{939DBF6C-F56F-4282-8641-1495B888946B}.exe
1080	{53FE7572-FB91-4933-BDBF-EA7B6880CA76}.exe
1572	{5049A0F0-88F4-4323-A8DC-54BF9B9A2CBF}.exe
2492	{0E5376EB-466F-4928-B8F9-3F95C4F9E706}.exe
1828	{C337F3BA-A64B-4b96-A895-A575061544BE}.exe
1648	{348658DE-C62B-485d-BB51-D18F795B7A54}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{5049A0F0-88F4-4323-A8DC-54BF9B9A2CBF}.exe	{53FE7572-FB91-4933-BDBF-EA7B6880CA76}.exe
File created	C:\Windows\{0E5376EB-466F-4928-B8F9-3F95C4F9E706}.exe	{5049A0F0-88F4-4323-A8DC-54BF9B9A2CBF}.exe
File created	C:\Windows\{A6611600-B03B-46d4-997E-538E4DE1B606}.exe	2024-02-11_116cdcc3985aaa210782c5000d1bdc68_goldeneye.exe
File created	C:\Windows\{8D084C27-5546-45ab-BA7B-59F340916911}.exe	{A6611600-B03B-46d4-997E-538E4DE1B606}.exe
File created	C:\Windows\{F10626E3-5BB2-4d28-AE48-2B018FB95360}.exe	{99B75006-A21C-4bd8-9AA5-FBC76A51C2D4}.exe
File created	C:\Windows\{939DBF6C-F56F-4282-8641-1495B888946B}.exe	{51EC9303-932C-4008-B632-F97D75712AA8}.exe
File created	C:\Windows\{348658DE-C62B-485d-BB51-D18F795B7A54}.exe	{C337F3BA-A64B-4b96-A895-A575061544BE}.exe
File created	C:\Windows\{99B75006-A21C-4bd8-9AA5-FBC76A51C2D4}.exe	{8D084C27-5546-45ab-BA7B-59F340916911}.exe
File created	C:\Windows\{51EC9303-932C-4008-B632-F97D75712AA8}.exe	{F10626E3-5BB2-4d28-AE48-2B018FB95360}.exe
File created	C:\Windows\{53FE7572-FB91-4933-BDBF-EA7B6880CA76}.exe	{939DBF6C-F56F-4282-8641-1495B888946B}.exe
File created	C:\Windows\{C337F3BA-A64B-4b96-A895-A575061544BE}.exe	{0E5376EB-466F-4928-B8F9-3F95C4F9E706}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2180	2024-02-11_116cdcc3985aaa210782c5000d1bdc68_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2868	{A6611600-B03B-46d4-997E-538E4DE1B606}.exe
Token: SeIncBasePriorityPrivilege	2660	{8D084C27-5546-45ab-BA7B-59F340916911}.exe
Token: SeIncBasePriorityPrivilege	2812	{99B75006-A21C-4bd8-9AA5-FBC76A51C2D4}.exe
Token: SeIncBasePriorityPrivilege	768	{F10626E3-5BB2-4d28-AE48-2B018FB95360}.exe
Token: SeIncBasePriorityPrivilege	2000	{51EC9303-932C-4008-B632-F97D75712AA8}.exe
Token: SeIncBasePriorityPrivilege	764	{939DBF6C-F56F-4282-8641-1495B888946B}.exe
Token: SeIncBasePriorityPrivilege	1080	{53FE7572-FB91-4933-BDBF-EA7B6880CA76}.exe
Token: SeIncBasePriorityPrivilege	1572	{5049A0F0-88F4-4323-A8DC-54BF9B9A2CBF}.exe
Token: SeIncBasePriorityPrivilege	2492	{0E5376EB-466F-4928-B8F9-3F95C4F9E706}.exe
Token: SeIncBasePriorityPrivilege	1828	{C337F3BA-A64B-4b96-A895-A575061544BE}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2180 wrote to memory of 2868	2180	2024-02-11_116cdcc3985aaa210782c5000d1bdc68_goldeneye.exe	28
PID 2180 wrote to memory of 2868	2180	2024-02-11_116cdcc3985aaa210782c5000d1bdc68_goldeneye.exe	28
PID 2180 wrote to memory of 2868	2180	2024-02-11_116cdcc3985aaa210782c5000d1bdc68_goldeneye.exe	28
PID 2180 wrote to memory of 2868	2180	2024-02-11_116cdcc3985aaa210782c5000d1bdc68_goldeneye.exe	28
PID 2180 wrote to memory of 2224	2180	2024-02-11_116cdcc3985aaa210782c5000d1bdc68_goldeneye.exe	29
PID 2180 wrote to memory of 2224	2180	2024-02-11_116cdcc3985aaa210782c5000d1bdc68_goldeneye.exe	29
PID 2180 wrote to memory of 2224	2180	2024-02-11_116cdcc3985aaa210782c5000d1bdc68_goldeneye.exe	29
PID 2180 wrote to memory of 2224	2180	2024-02-11_116cdcc3985aaa210782c5000d1bdc68_goldeneye.exe	29
PID 2868 wrote to memory of 2660	2868	{A6611600-B03B-46d4-997E-538E4DE1B606}.exe	30
PID 2868 wrote to memory of 2660	2868	{A6611600-B03B-46d4-997E-538E4DE1B606}.exe	30
PID 2868 wrote to memory of 2660	2868	{A6611600-B03B-46d4-997E-538E4DE1B606}.exe	30
PID 2868 wrote to memory of 2660	2868	{A6611600-B03B-46d4-997E-538E4DE1B606}.exe	30
PID 2868 wrote to memory of 2676	2868	{A6611600-B03B-46d4-997E-538E4DE1B606}.exe	31
PID 2868 wrote to memory of 2676	2868	{A6611600-B03B-46d4-997E-538E4DE1B606}.exe	31
PID 2868 wrote to memory of 2676	2868	{A6611600-B03B-46d4-997E-538E4DE1B606}.exe	31
PID 2868 wrote to memory of 2676	2868	{A6611600-B03B-46d4-997E-538E4DE1B606}.exe	31
PID 2660 wrote to memory of 2812	2660	{8D084C27-5546-45ab-BA7B-59F340916911}.exe	32
PID 2660 wrote to memory of 2812	2660	{8D084C27-5546-45ab-BA7B-59F340916911}.exe	32
PID 2660 wrote to memory of 2812	2660	{8D084C27-5546-45ab-BA7B-59F340916911}.exe	32
PID 2660 wrote to memory of 2812	2660	{8D084C27-5546-45ab-BA7B-59F340916911}.exe	32
PID 2660 wrote to memory of 2384	2660	{8D084C27-5546-45ab-BA7B-59F340916911}.exe	33
PID 2660 wrote to memory of 2384	2660	{8D084C27-5546-45ab-BA7B-59F340916911}.exe	33
PID 2660 wrote to memory of 2384	2660	{8D084C27-5546-45ab-BA7B-59F340916911}.exe	33
PID 2660 wrote to memory of 2384	2660	{8D084C27-5546-45ab-BA7B-59F340916911}.exe	33
PID 2812 wrote to memory of 768	2812	{99B75006-A21C-4bd8-9AA5-FBC76A51C2D4}.exe	37
PID 2812 wrote to memory of 768	2812	{99B75006-A21C-4bd8-9AA5-FBC76A51C2D4}.exe	37
PID 2812 wrote to memory of 768	2812	{99B75006-A21C-4bd8-9AA5-FBC76A51C2D4}.exe	37
PID 2812 wrote to memory of 768	2812	{99B75006-A21C-4bd8-9AA5-FBC76A51C2D4}.exe	37
PID 2812 wrote to memory of 2960	2812	{99B75006-A21C-4bd8-9AA5-FBC76A51C2D4}.exe	36
PID 2812 wrote to memory of 2960	2812	{99B75006-A21C-4bd8-9AA5-FBC76A51C2D4}.exe	36
PID 2812 wrote to memory of 2960	2812	{99B75006-A21C-4bd8-9AA5-FBC76A51C2D4}.exe	36
PID 2812 wrote to memory of 2960	2812	{99B75006-A21C-4bd8-9AA5-FBC76A51C2D4}.exe	36
PID 768 wrote to memory of 2000	768	{F10626E3-5BB2-4d28-AE48-2B018FB95360}.exe	39
PID 768 wrote to memory of 2000	768	{F10626E3-5BB2-4d28-AE48-2B018FB95360}.exe	39
PID 768 wrote to memory of 2000	768	{F10626E3-5BB2-4d28-AE48-2B018FB95360}.exe	39
PID 768 wrote to memory of 2000	768	{F10626E3-5BB2-4d28-AE48-2B018FB95360}.exe	39
PID 768 wrote to memory of 1700	768	{F10626E3-5BB2-4d28-AE48-2B018FB95360}.exe	38
PID 768 wrote to memory of 1700	768	{F10626E3-5BB2-4d28-AE48-2B018FB95360}.exe	38
PID 768 wrote to memory of 1700	768	{F10626E3-5BB2-4d28-AE48-2B018FB95360}.exe	38
PID 768 wrote to memory of 1700	768	{F10626E3-5BB2-4d28-AE48-2B018FB95360}.exe	38
PID 2000 wrote to memory of 764	2000	{51EC9303-932C-4008-B632-F97D75712AA8}.exe	41
PID 2000 wrote to memory of 764	2000	{51EC9303-932C-4008-B632-F97D75712AA8}.exe	41
PID 2000 wrote to memory of 764	2000	{51EC9303-932C-4008-B632-F97D75712AA8}.exe	41
PID 2000 wrote to memory of 764	2000	{51EC9303-932C-4008-B632-F97D75712AA8}.exe	41
PID 2000 wrote to memory of 2232	2000	{51EC9303-932C-4008-B632-F97D75712AA8}.exe	40
PID 2000 wrote to memory of 2232	2000	{51EC9303-932C-4008-B632-F97D75712AA8}.exe	40
PID 2000 wrote to memory of 2232	2000	{51EC9303-932C-4008-B632-F97D75712AA8}.exe	40
PID 2000 wrote to memory of 2232	2000	{51EC9303-932C-4008-B632-F97D75712AA8}.exe	40
PID 764 wrote to memory of 1080	764	{939DBF6C-F56F-4282-8641-1495B888946B}.exe	43
PID 764 wrote to memory of 1080	764	{939DBF6C-F56F-4282-8641-1495B888946B}.exe	43
PID 764 wrote to memory of 1080	764	{939DBF6C-F56F-4282-8641-1495B888946B}.exe	43
PID 764 wrote to memory of 1080	764	{939DBF6C-F56F-4282-8641-1495B888946B}.exe	43
PID 764 wrote to memory of 2512	764	{939DBF6C-F56F-4282-8641-1495B888946B}.exe	42
PID 764 wrote to memory of 2512	764	{939DBF6C-F56F-4282-8641-1495B888946B}.exe	42
PID 764 wrote to memory of 2512	764	{939DBF6C-F56F-4282-8641-1495B888946B}.exe	42
PID 764 wrote to memory of 2512	764	{939DBF6C-F56F-4282-8641-1495B888946B}.exe	42
PID 1080 wrote to memory of 1572	1080	{53FE7572-FB91-4933-BDBF-EA7B6880CA76}.exe	44
PID 1080 wrote to memory of 1572	1080	{53FE7572-FB91-4933-BDBF-EA7B6880CA76}.exe	44
PID 1080 wrote to memory of 1572	1080	{53FE7572-FB91-4933-BDBF-EA7B6880CA76}.exe	44
PID 1080 wrote to memory of 1572	1080	{53FE7572-FB91-4933-BDBF-EA7B6880CA76}.exe	44
PID 1080 wrote to memory of 1624	1080	{53FE7572-FB91-4933-BDBF-EA7B6880CA76}.exe	45
PID 1080 wrote to memory of 1624	1080	{53FE7572-FB91-4933-BDBF-EA7B6880CA76}.exe	45
PID 1080 wrote to memory of 1624	1080	{53FE7572-FB91-4933-BDBF-EA7B6880CA76}.exe	45
PID 1080 wrote to memory of 1624	1080	{53FE7572-FB91-4933-BDBF-EA7B6880CA76}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-02-11_116cdcc3985aaa210782c5000d1bdc68_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-11_116cdcc3985aaa210782c5000d1bdc68_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2180
- C:\Windows\{A6611600-B03B-46d4-997E-538E4DE1B606}.exe
  C:\Windows\{A6611600-B03B-46d4-997E-538E4DE1B606}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2868
- - C:\Windows\{8D084C27-5546-45ab-BA7B-59F340916911}.exe
    C:\Windows\{8D084C27-5546-45ab-BA7B-59F340916911}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2660
  - - C:\Windows\{99B75006-A21C-4bd8-9AA5-FBC76A51C2D4}.exe
      C:\Windows\{99B75006-A21C-4bd8-9AA5-FBC76A51C2D4}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2812
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{99B75~1.EXE > nul
        5⤵
        
        PID:2960
    - - C:\Windows\{F10626E3-5BB2-4d28-AE48-2B018FB95360}.exe
        
        C:\Windows\{F10626E3-5BB2-4d28-AE48-2B018FB95360}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:768
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F1062~1.EXE > nul
        6⤵
        
        PID:1700
      - C:\Windows\{51EC9303-932C-4008-B632-F97D75712AA8}.exe
        
        C:\Windows\{51EC9303-932C-4008-B632-F97D75712AA8}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{51EC9~1.EXE > nul
        7⤵
        
        PID:2232
        
        C:\Windows\{939DBF6C-F56F-4282-8641-1495B888946B}.exe
        
        C:\Windows\{939DBF6C-F56F-4282-8641-1495B888946B}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{939DB~1.EXE > nul
        8⤵
        
        PID:2512
        
        C:\Windows\{53FE7572-FB91-4933-BDBF-EA7B6880CA76}.exe
        
        C:\Windows\{53FE7572-FB91-4933-BDBF-EA7B6880CA76}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1080
        
        C:\Windows\{5049A0F0-88F4-4323-A8DC-54BF9B9A2CBF}.exe
        
        C:\Windows\{5049A0F0-88F4-4323-A8DC-54BF9B9A2CBF}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5049A~1.EXE > nul
        10⤵
        
        PID:2120
        
        C:\Windows\{0E5376EB-466F-4928-B8F9-3F95C4F9E706}.exe
        
        C:\Windows\{0E5376EB-466F-4928-B8F9-3F95C4F9E706}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0E537~1.EXE > nul
        11⤵
        
        PID:684
        
        C:\Windows\{C337F3BA-A64B-4b96-A895-A575061544BE}.exe
        
        C:\Windows\{C337F3BA-A64B-4b96-A895-A575061544BE}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1828
        
        C:\Windows\{348658DE-C62B-485d-BB51-D18F795B7A54}.exe
        
        C:\Windows\{348658DE-C62B-485d-BB51-D18F795B7A54}.exe
        12⤵
        Executes dropped EXE
        
        PID:1648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C337F~1.EXE > nul
        12⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{53FE7~1.EXE > nul
        9⤵
        
        PID:1624
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{8D084~1.EXE > nul
      4⤵
      PID:2384
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{A6611~1.EXE > nul
    3⤵
    PID:2676
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0E5376EB-466F-4928-B8F9-3F95C4F9E706}.exe

Filesize
344KB

MD5
238517074718ec181c4e6ae661eedff5

SHA1
a39b422bd8f8cd5995fb46c03fa9ef4a1f1865a2

SHA256
d1dac8accf257fd85619a298fceac3d2163482d02ded60f57e0114320dde5fc6

SHA512
1aae950070275de49e63802f40fc13c51f53bff0aa3e323f62704d64f6e69b5cdf79630b68b96fd826ba699a2d2ad7e6b4b748968cc45ab3ebd77124f50a8eaa

Download Submit
C:\Windows\{348658DE-C62B-485d-BB51-D18F795B7A54}.exe

Filesize
344KB

MD5
35b4e62263c5257ea95ebf41b00e2b72

SHA1
f36c4fd02a1da98e7f521157c69ab43484f82843

SHA256
a78406df1270fe352aeccd5bb7a10280d4ad68b0db5d47b1ba3f08f022411597

SHA512
6c8f53ed071b0b812b228e746a0c6be42cc77b66cd50760a02bbd6c49081581814b787b08d879710b755cb388bbdc4d1ebe43e06f241953aed55ab308edd87c7

Download Submit
C:\Windows\{5049A0F0-88F4-4323-A8DC-54BF9B9A2CBF}.exe

Filesize
344KB

MD5
5df9171c4f5be9db4edff09d995e41a8

SHA1
6fb8c35bf9f1efc1364bd296fd17660d222d5f45

SHA256
9b9010f0ea6e5900417932c0c61c204892b3ea8f0b0386554e46f7db89da3708

SHA512
3c71fd17c152d132ee349eda0ba9afefd111dba6a46ee18e31b6ab4310d961503ebaf606d6fb15e7a019b4c8ca22ab4df5fb8f87f38167fd8b6341ea8856e431

Download Submit
C:\Windows\{51EC9303-932C-4008-B632-F97D75712AA8}.exe

Filesize
344KB

MD5
1da3029b05fe793783e11230abb44e2c

SHA1
557e34ef32a1250351d1892506717be6000f5603

SHA256
56f90b347ea012eab079668ba7950740631e926b9e52023ada011cc4b7f9b033

SHA512
0e34fd9fe9beec06aa37943664475692f5c19b683fa768f5695d7e9d5b2c651982ecf70ac2f14fca5f55bba80bba5e742a0c1d7dcc620ec474e4dc87476a6379

Download Submit
C:\Windows\{53FE7572-FB91-4933-BDBF-EA7B6880CA76}.exe

Filesize
344KB

MD5
6716f21ea762c36e2f21511f76260658

SHA1
0a2244ca6938a67c33d33cae3b1c29f9f17d264a

SHA256
1b794373560ce98741468d48b76332bab5399dcc5dcc52f64eb32aad6a59d68a

SHA512
6dc24294b5c29f5090c2bb346d644ee000d1b5b1d4f90c390c962fdebcc15ac64eafb377de9da445151ca6d16a46abd2292ec9f2206bae1f7bd1753d0ac2d6de

Download Submit
C:\Windows\{8D084C27-5546-45ab-BA7B-59F340916911}.exe

Filesize
344KB

MD5
7666045cdc7e9b6cc0876fc391b158c7

SHA1
22861c90350ad554bf2bfdbeee8f5851ef4e326f

SHA256
57eaf2b53563a015d0cd61bea136b7c19a6f29aab2750c5f15ffaba049d9909d

SHA512
893fe973af63d87b6b097f7bb7844b70b977a381d88662da173ffcf2a4116374282f837f60b206d3febb6767474903ea77f1964a4a8ccec530cab5c07dffbb06

Download Submit
C:\Windows\{939DBF6C-F56F-4282-8641-1495B888946B}.exe

Filesize
344KB

MD5
1aea1876e4e27922f3f96876f3a3f903

SHA1
0009b5b71b1f131590fa5e4121614de622aef90e

SHA256
f0b0fc85d1adace98ce4714a3fc4664feec8e750e1a123d2c92c330fac1564af

SHA512
a1c1660c9e96b9d06a17be14dccdd04049fda2b206402204cdf6e6bff2be084cc19ab4be61b1256e78b1aa6b81b0eed14424f58db07ebe615541118cc0eb4eeb

Download Submit
C:\Windows\{99B75006-A21C-4bd8-9AA5-FBC76A51C2D4}.exe

Filesize
344KB

MD5
b0d6e09683ea5d189def6220d7ecc704

SHA1
8ca7fde4e080c485be89dbf7ed315bd2cd80bf45

SHA256
2c8674ff5bb640c8a53e705fa1e6b4442dad9f9732f5c81da7144ff4bf8ff599

SHA512
37e8894457af76037cd16836a836424564bf09b0262eff3ed7340020fdeee28fb5f91eaf6a0d150c7a99fe903c63e59e6e3831b4692f81c8aa7bbb296447d304

Download Submit
C:\Windows\{A6611600-B03B-46d4-997E-538E4DE1B606}.exe

Filesize
344KB

MD5
e3856e10dbcfac76ea1514e2afedaafa

SHA1
8660beece0a61dd6bad36a502c88530e5abfca86

SHA256
505ffd366e02fcd3271f7a5675fb0c1752846e92fc7a078f54b06a57771edb53

SHA512
e967020778835fa8fb64eb9bc81a2f1e67b7e148a158d28ff635f47abe9d70367c01dfd4ce02efe5d8c0dc31e08212624c606d90ecf59a21f817e55fead50b2e

Download Submit
C:\Windows\{A6611600-B03B-46d4-997E-538E4DE1B606}.exe

Filesize
288KB

MD5
c2d81b478009f9049ff43a1492d3b516

SHA1
3d1ed0c1246e210963485741d5679942e93855bb

SHA256
58bc54fbd5cca5f06309658af897f4730a11eecf072b64aab76138e3cf50ad9c

SHA512
8ab650c4631678b3048bc103a59b1b0336ae3564613be2c9636220eec53fdb96292708212bfea9db6ed161cbabecb4aad8cca8217b779915f8043e1257168540

Download Submit
C:\Windows\{C337F3BA-A64B-4b96-A895-A575061544BE}.exe

Filesize
344KB

MD5
8f9cf68e064538a6ea8855d191223861

SHA1
21d47991e19d1fd2bbd26989799ec4b8ae87321d

SHA256
f787fbb8c97b5616570929a19c46e581f0da1765dd4a0a6783c7f06af5e9945a

SHA512
2e279dbe26a58b7d0781570584896b92200e10f824a637468b9b165a79764193c105559384de54ad424d5241c1c911e8f3954b2be22063d09f883e9def57b327

Download Submit
C:\Windows\{F10626E3-5BB2-4d28-AE48-2B018FB95360}.exe

Filesize
344KB

MD5
63903d07e77bb044907d3912653d709c

SHA1
b8a9258dfada77faf7836ac132f8b1341eb63d4d

SHA256
be0cf22b86b624c3c779d158284b76e6e5e3b9dad77ff70f69274eb66f89a0da

SHA512
eed63e76c761e6cf622cd87769cda7ac03225a16dbcd0b91309ffc30cd172e3319970c1eb031b19e31e1ecb6980ae41c4b753f0c60eb72960dbbc20eb09d2dc2

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads