f46c8797f741fa69370e7cd3af92d66d44b5e1364327fb81d0f21e0257995b90

Analysis

max time kernel
144s
max time network
125s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
12/02/2024, 06:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-12_ebb4139bb66669a1d18ab98ffc823485_goldeneye.exe
Size

180KB
MD5

ebb4139bb66669a1d18ab98ffc823485
SHA1

21072d5b896d370d88a1bee68b5ce6e08b78b580
SHA256

f46c8797f741fa69370e7cd3af92d66d44b5e1364327fb81d0f21e0257995b90
SHA512

18f5649d04615837053ec01c36f7b00fc0be6dfce59ce8b540d6d471d95561f55d4c22a1d28fcf534b6e746f3ceac3e6ee6b35b44e828d7ed6650f99864e154e
SSDEEP

3072:jEGh0o3lfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGVl5eKcAEc

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 13 IoCs

resource	yara_rule
behavioral1/files/0x0008000000012284-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000012284-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000012284-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002e000000016cd0-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000012284-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a000000012284-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b000000012284-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000012284-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000012284-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B1F30665-B4C5-4cfe-99B4-C22680ED782F}	{DEF404A5-D511-4f61-AA4F-01CFCFC4B4EE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{86C3E19D-06CC-4ac3-913B-DC3E868A19C1}\stubpath = "C:\\Windows\\{86C3E19D-06CC-4ac3-913B-DC3E868A19C1}.exe"	{B1F30665-B4C5-4cfe-99B4-C22680ED782F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5529E509-4178-47c4-B361-24E4DFFF8D4A}\stubpath = "C:\\Windows\\{5529E509-4178-47c4-B361-24E4DFFF8D4A}.exe"	{86C3E19D-06CC-4ac3-913B-DC3E868A19C1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5155451B-B831-4462-9CD3-4B7C27968A66}\stubpath = "C:\\Windows\\{5155451B-B831-4462-9CD3-4B7C27968A66}.exe"	{80429732-638F-47f3-969B-0EF563B72DF9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{75A31F09-BD93-4561-B9B2-A32F60EB6EEB}	2024-02-12_ebb4139bb66669a1d18ab98ffc823485_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C8B8BAF6-D05A-464e-BAFF-05ABF238E360}	{58C8FDE7-5745-47df-9D58-45EF4DB693ED}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DEF404A5-D511-4f61-AA4F-01CFCFC4B4EE}\stubpath = "C:\\Windows\\{DEF404A5-D511-4f61-AA4F-01CFCFC4B4EE}.exe"	{C8B8BAF6-D05A-464e-BAFF-05ABF238E360}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B66191E6-0D02-4a08-90FF-DC8ED9188E63}	{5155451B-B831-4462-9CD3-4B7C27968A66}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{58C8FDE7-5745-47df-9D58-45EF4DB693ED}	{75A31F09-BD93-4561-B9B2-A32F60EB6EEB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B1F30665-B4C5-4cfe-99B4-C22680ED782F}\stubpath = "C:\\Windows\\{B1F30665-B4C5-4cfe-99B4-C22680ED782F}.exe"	{DEF404A5-D511-4f61-AA4F-01CFCFC4B4EE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5155451B-B831-4462-9CD3-4B7C27968A66}	{80429732-638F-47f3-969B-0EF563B72DF9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EB750EF0-AB02-4cb9-8A07-D1DCE0546D4F}\stubpath = "C:\\Windows\\{EB750EF0-AB02-4cb9-8A07-D1DCE0546D4F}.exe"	{5529E509-4178-47c4-B361-24E4DFFF8D4A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{80429732-638F-47f3-969B-0EF563B72DF9}\stubpath = "C:\\Windows\\{80429732-638F-47f3-969B-0EF563B72DF9}.exe"	{EB750EF0-AB02-4cb9-8A07-D1DCE0546D4F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{75A31F09-BD93-4561-B9B2-A32F60EB6EEB}\stubpath = "C:\\Windows\\{75A31F09-BD93-4561-B9B2-A32F60EB6EEB}.exe"	2024-02-12_ebb4139bb66669a1d18ab98ffc823485_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DEF404A5-D511-4f61-AA4F-01CFCFC4B4EE}	{C8B8BAF6-D05A-464e-BAFF-05ABF238E360}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EB750EF0-AB02-4cb9-8A07-D1DCE0546D4F}	{5529E509-4178-47c4-B361-24E4DFFF8D4A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5529E509-4178-47c4-B361-24E4DFFF8D4A}	{86C3E19D-06CC-4ac3-913B-DC3E868A19C1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{80429732-638F-47f3-969B-0EF563B72DF9}	{EB750EF0-AB02-4cb9-8A07-D1DCE0546D4F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B66191E6-0D02-4a08-90FF-DC8ED9188E63}\stubpath = "C:\\Windows\\{B66191E6-0D02-4a08-90FF-DC8ED9188E63}.exe"	{5155451B-B831-4462-9CD3-4B7C27968A66}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{58C8FDE7-5745-47df-9D58-45EF4DB693ED}\stubpath = "C:\\Windows\\{58C8FDE7-5745-47df-9D58-45EF4DB693ED}.exe"	{75A31F09-BD93-4561-B9B2-A32F60EB6EEB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C8B8BAF6-D05A-464e-BAFF-05ABF238E360}\stubpath = "C:\\Windows\\{C8B8BAF6-D05A-464e-BAFF-05ABF238E360}.exe"	{58C8FDE7-5745-47df-9D58-45EF4DB693ED}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{86C3E19D-06CC-4ac3-913B-DC3E868A19C1}	{B1F30665-B4C5-4cfe-99B4-C22680ED782F}.exe

Deletes itself 1 IoCs

pid	Process
2128	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2004	{75A31F09-BD93-4561-B9B2-A32F60EB6EEB}.exe
2572	{58C8FDE7-5745-47df-9D58-45EF4DB693ED}.exe
2584	{C8B8BAF6-D05A-464e-BAFF-05ABF238E360}.exe
2548	{DEF404A5-D511-4f61-AA4F-01CFCFC4B4EE}.exe
2932	{B1F30665-B4C5-4cfe-99B4-C22680ED782F}.exe
2412	{86C3E19D-06CC-4ac3-913B-DC3E868A19C1}.exe
308	{5529E509-4178-47c4-B361-24E4DFFF8D4A}.exe
1488	{EB750EF0-AB02-4cb9-8A07-D1DCE0546D4F}.exe
1196	{80429732-638F-47f3-969B-0EF563B72DF9}.exe
2992	{5155451B-B831-4462-9CD3-4B7C27968A66}.exe
2096	{B66191E6-0D02-4a08-90FF-DC8ED9188E63}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{75A31F09-BD93-4561-B9B2-A32F60EB6EEB}.exe	2024-02-12_ebb4139bb66669a1d18ab98ffc823485_goldeneye.exe
File created	C:\Windows\{86C3E19D-06CC-4ac3-913B-DC3E868A19C1}.exe	{B1F30665-B4C5-4cfe-99B4-C22680ED782F}.exe
File created	C:\Windows\{5155451B-B831-4462-9CD3-4B7C27968A66}.exe	{80429732-638F-47f3-969B-0EF563B72DF9}.exe
File created	C:\Windows\{80429732-638F-47f3-969B-0EF563B72DF9}.exe	{EB750EF0-AB02-4cb9-8A07-D1DCE0546D4F}.exe
File created	C:\Windows\{B66191E6-0D02-4a08-90FF-DC8ED9188E63}.exe	{5155451B-B831-4462-9CD3-4B7C27968A66}.exe
File created	C:\Windows\{58C8FDE7-5745-47df-9D58-45EF4DB693ED}.exe	{75A31F09-BD93-4561-B9B2-A32F60EB6EEB}.exe
File created	C:\Windows\{C8B8BAF6-D05A-464e-BAFF-05ABF238E360}.exe	{58C8FDE7-5745-47df-9D58-45EF4DB693ED}.exe
File created	C:\Windows\{DEF404A5-D511-4f61-AA4F-01CFCFC4B4EE}.exe	{C8B8BAF6-D05A-464e-BAFF-05ABF238E360}.exe
File created	C:\Windows\{B1F30665-B4C5-4cfe-99B4-C22680ED782F}.exe	{DEF404A5-D511-4f61-AA4F-01CFCFC4B4EE}.exe
File created	C:\Windows\{5529E509-4178-47c4-B361-24E4DFFF8D4A}.exe	{86C3E19D-06CC-4ac3-913B-DC3E868A19C1}.exe
File created	C:\Windows\{EB750EF0-AB02-4cb9-8A07-D1DCE0546D4F}.exe	{5529E509-4178-47c4-B361-24E4DFFF8D4A}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3024	2024-02-12_ebb4139bb66669a1d18ab98ffc823485_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2004	{75A31F09-BD93-4561-B9B2-A32F60EB6EEB}.exe
Token: SeIncBasePriorityPrivilege	2572	{58C8FDE7-5745-47df-9D58-45EF4DB693ED}.exe
Token: SeIncBasePriorityPrivilege	2584	{C8B8BAF6-D05A-464e-BAFF-05ABF238E360}.exe
Token: SeIncBasePriorityPrivilege	2548	{DEF404A5-D511-4f61-AA4F-01CFCFC4B4EE}.exe
Token: SeIncBasePriorityPrivilege	2932	{B1F30665-B4C5-4cfe-99B4-C22680ED782F}.exe
Token: SeIncBasePriorityPrivilege	2412	{86C3E19D-06CC-4ac3-913B-DC3E868A19C1}.exe
Token: SeIncBasePriorityPrivilege	308	{5529E509-4178-47c4-B361-24E4DFFF8D4A}.exe
Token: SeIncBasePriorityPrivilege	1488	{EB750EF0-AB02-4cb9-8A07-D1DCE0546D4F}.exe
Token: SeIncBasePriorityPrivilege	1196	{80429732-638F-47f3-969B-0EF563B72DF9}.exe
Token: SeIncBasePriorityPrivilege	2992	{5155451B-B831-4462-9CD3-4B7C27968A66}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3024 wrote to memory of 2004	3024	2024-02-12_ebb4139bb66669a1d18ab98ffc823485_goldeneye.exe	28
PID 3024 wrote to memory of 2004	3024	2024-02-12_ebb4139bb66669a1d18ab98ffc823485_goldeneye.exe	28
PID 3024 wrote to memory of 2004	3024	2024-02-12_ebb4139bb66669a1d18ab98ffc823485_goldeneye.exe	28
PID 3024 wrote to memory of 2004	3024	2024-02-12_ebb4139bb66669a1d18ab98ffc823485_goldeneye.exe	28
PID 3024 wrote to memory of 2128	3024	2024-02-12_ebb4139bb66669a1d18ab98ffc823485_goldeneye.exe	29
PID 3024 wrote to memory of 2128	3024	2024-02-12_ebb4139bb66669a1d18ab98ffc823485_goldeneye.exe	29
PID 3024 wrote to memory of 2128	3024	2024-02-12_ebb4139bb66669a1d18ab98ffc823485_goldeneye.exe	29
PID 3024 wrote to memory of 2128	3024	2024-02-12_ebb4139bb66669a1d18ab98ffc823485_goldeneye.exe	29
PID 2004 wrote to memory of 2572	2004	{75A31F09-BD93-4561-B9B2-A32F60EB6EEB}.exe	30
PID 2004 wrote to memory of 2572	2004	{75A31F09-BD93-4561-B9B2-A32F60EB6EEB}.exe	30
PID 2004 wrote to memory of 2572	2004	{75A31F09-BD93-4561-B9B2-A32F60EB6EEB}.exe	30
PID 2004 wrote to memory of 2572	2004	{75A31F09-BD93-4561-B9B2-A32F60EB6EEB}.exe	30
PID 2004 wrote to memory of 2728	2004	{75A31F09-BD93-4561-B9B2-A32F60EB6EEB}.exe	31
PID 2004 wrote to memory of 2728	2004	{75A31F09-BD93-4561-B9B2-A32F60EB6EEB}.exe	31
PID 2004 wrote to memory of 2728	2004	{75A31F09-BD93-4561-B9B2-A32F60EB6EEB}.exe	31
PID 2004 wrote to memory of 2728	2004	{75A31F09-BD93-4561-B9B2-A32F60EB6EEB}.exe	31
PID 2572 wrote to memory of 2584	2572	{58C8FDE7-5745-47df-9D58-45EF4DB693ED}.exe	34
PID 2572 wrote to memory of 2584	2572	{58C8FDE7-5745-47df-9D58-45EF4DB693ED}.exe	34
PID 2572 wrote to memory of 2584	2572	{58C8FDE7-5745-47df-9D58-45EF4DB693ED}.exe	34
PID 2572 wrote to memory of 2584	2572	{58C8FDE7-5745-47df-9D58-45EF4DB693ED}.exe	34
PID 2572 wrote to memory of 2688	2572	{58C8FDE7-5745-47df-9D58-45EF4DB693ED}.exe	35
PID 2572 wrote to memory of 2688	2572	{58C8FDE7-5745-47df-9D58-45EF4DB693ED}.exe	35
PID 2572 wrote to memory of 2688	2572	{58C8FDE7-5745-47df-9D58-45EF4DB693ED}.exe	35
PID 2572 wrote to memory of 2688	2572	{58C8FDE7-5745-47df-9D58-45EF4DB693ED}.exe	35
PID 2584 wrote to memory of 2548	2584	{C8B8BAF6-D05A-464e-BAFF-05ABF238E360}.exe	37
PID 2584 wrote to memory of 2548	2584	{C8B8BAF6-D05A-464e-BAFF-05ABF238E360}.exe	37
PID 2584 wrote to memory of 2548	2584	{C8B8BAF6-D05A-464e-BAFF-05ABF238E360}.exe	37
PID 2584 wrote to memory of 2548	2584	{C8B8BAF6-D05A-464e-BAFF-05ABF238E360}.exe	37
PID 2584 wrote to memory of 2220	2584	{C8B8BAF6-D05A-464e-BAFF-05ABF238E360}.exe	36
PID 2584 wrote to memory of 2220	2584	{C8B8BAF6-D05A-464e-BAFF-05ABF238E360}.exe	36
PID 2584 wrote to memory of 2220	2584	{C8B8BAF6-D05A-464e-BAFF-05ABF238E360}.exe	36
PID 2584 wrote to memory of 2220	2584	{C8B8BAF6-D05A-464e-BAFF-05ABF238E360}.exe	36
PID 2548 wrote to memory of 2932	2548	{DEF404A5-D511-4f61-AA4F-01CFCFC4B4EE}.exe	39
PID 2548 wrote to memory of 2932	2548	{DEF404A5-D511-4f61-AA4F-01CFCFC4B4EE}.exe	39
PID 2548 wrote to memory of 2932	2548	{DEF404A5-D511-4f61-AA4F-01CFCFC4B4EE}.exe	39
PID 2548 wrote to memory of 2932	2548	{DEF404A5-D511-4f61-AA4F-01CFCFC4B4EE}.exe	39
PID 2548 wrote to memory of 472	2548	{DEF404A5-D511-4f61-AA4F-01CFCFC4B4EE}.exe	38
PID 2548 wrote to memory of 472	2548	{DEF404A5-D511-4f61-AA4F-01CFCFC4B4EE}.exe	38
PID 2548 wrote to memory of 472	2548	{DEF404A5-D511-4f61-AA4F-01CFCFC4B4EE}.exe	38
PID 2548 wrote to memory of 472	2548	{DEF404A5-D511-4f61-AA4F-01CFCFC4B4EE}.exe	38
PID 2932 wrote to memory of 2412	2932	{B1F30665-B4C5-4cfe-99B4-C22680ED782F}.exe	40
PID 2932 wrote to memory of 2412	2932	{B1F30665-B4C5-4cfe-99B4-C22680ED782F}.exe	40
PID 2932 wrote to memory of 2412	2932	{B1F30665-B4C5-4cfe-99B4-C22680ED782F}.exe	40
PID 2932 wrote to memory of 2412	2932	{B1F30665-B4C5-4cfe-99B4-C22680ED782F}.exe	40
PID 2932 wrote to memory of 2028	2932	{B1F30665-B4C5-4cfe-99B4-C22680ED782F}.exe	41
PID 2932 wrote to memory of 2028	2932	{B1F30665-B4C5-4cfe-99B4-C22680ED782F}.exe	41
PID 2932 wrote to memory of 2028	2932	{B1F30665-B4C5-4cfe-99B4-C22680ED782F}.exe	41
PID 2932 wrote to memory of 2028	2932	{B1F30665-B4C5-4cfe-99B4-C22680ED782F}.exe	41
PID 2412 wrote to memory of 308	2412	{86C3E19D-06CC-4ac3-913B-DC3E868A19C1}.exe	42
PID 2412 wrote to memory of 308	2412	{86C3E19D-06CC-4ac3-913B-DC3E868A19C1}.exe	42
PID 2412 wrote to memory of 308	2412	{86C3E19D-06CC-4ac3-913B-DC3E868A19C1}.exe	42
PID 2412 wrote to memory of 308	2412	{86C3E19D-06CC-4ac3-913B-DC3E868A19C1}.exe	42
PID 2412 wrote to memory of 1020	2412	{86C3E19D-06CC-4ac3-913B-DC3E868A19C1}.exe	43
PID 2412 wrote to memory of 1020	2412	{86C3E19D-06CC-4ac3-913B-DC3E868A19C1}.exe	43
PID 2412 wrote to memory of 1020	2412	{86C3E19D-06CC-4ac3-913B-DC3E868A19C1}.exe	43
PID 2412 wrote to memory of 1020	2412	{86C3E19D-06CC-4ac3-913B-DC3E868A19C1}.exe	43
PID 308 wrote to memory of 1488	308	{5529E509-4178-47c4-B361-24E4DFFF8D4A}.exe	45
PID 308 wrote to memory of 1488	308	{5529E509-4178-47c4-B361-24E4DFFF8D4A}.exe	45
PID 308 wrote to memory of 1488	308	{5529E509-4178-47c4-B361-24E4DFFF8D4A}.exe	45
PID 308 wrote to memory of 1488	308	{5529E509-4178-47c4-B361-24E4DFFF8D4A}.exe	45
PID 308 wrote to memory of 2768	308	{5529E509-4178-47c4-B361-24E4DFFF8D4A}.exe	44
PID 308 wrote to memory of 2768	308	{5529E509-4178-47c4-B361-24E4DFFF8D4A}.exe	44
PID 308 wrote to memory of 2768	308	{5529E509-4178-47c4-B361-24E4DFFF8D4A}.exe	44
PID 308 wrote to memory of 2768	308	{5529E509-4178-47c4-B361-24E4DFFF8D4A}.exe	44

C:\Users\Admin\AppData\Local\Temp\2024-02-12_ebb4139bb66669a1d18ab98ffc823485_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-12_ebb4139bb66669a1d18ab98ffc823485_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3024
- C:\Windows\{75A31F09-BD93-4561-B9B2-A32F60EB6EEB}.exe
  C:\Windows\{75A31F09-BD93-4561-B9B2-A32F60EB6EEB}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2004
- - C:\Windows\{58C8FDE7-5745-47df-9D58-45EF4DB693ED}.exe
    C:\Windows\{58C8FDE7-5745-47df-9D58-45EF4DB693ED}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2572
  - - C:\Windows\{C8B8BAF6-D05A-464e-BAFF-05ABF238E360}.exe
      C:\Windows\{C8B8BAF6-D05A-464e-BAFF-05ABF238E360}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2584
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C8B8B~1.EXE > nul
        5⤵
        
        PID:2220
    - - C:\Windows\{DEF404A5-D511-4f61-AA4F-01CFCFC4B4EE}.exe
        
        C:\Windows\{DEF404A5-D511-4f61-AA4F-01CFCFC4B4EE}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2548
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DEF40~1.EXE > nul
        6⤵
        
        PID:472
      - C:\Windows\{B1F30665-B4C5-4cfe-99B4-C22680ED782F}.exe
        
        C:\Windows\{B1F30665-B4C5-4cfe-99B4-C22680ED782F}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2932
        
        C:\Windows\{86C3E19D-06CC-4ac3-913B-DC3E868A19C1}.exe
        
        C:\Windows\{86C3E19D-06CC-4ac3-913B-DC3E868A19C1}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2412
        
        C:\Windows\{5529E509-4178-47c4-B361-24E4DFFF8D4A}.exe
        
        C:\Windows\{5529E509-4178-47c4-B361-24E4DFFF8D4A}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5529E~1.EXE > nul
        9⤵
        
        PID:2768
        
        C:\Windows\{EB750EF0-AB02-4cb9-8A07-D1DCE0546D4F}.exe
        
        C:\Windows\{EB750EF0-AB02-4cb9-8A07-D1DCE0546D4F}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EB750~1.EXE > nul
        10⤵
        
        PID:2024
        
        C:\Windows\{80429732-638F-47f3-969B-0EF563B72DF9}.exe
        
        C:\Windows\{80429732-638F-47f3-969B-0EF563B72DF9}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1196
        
        C:\Windows\{5155451B-B831-4462-9CD3-4B7C27968A66}.exe
        
        C:\Windows\{5155451B-B831-4462-9CD3-4B7C27968A66}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2992
        
        C:\Windows\{B66191E6-0D02-4a08-90FF-DC8ED9188E63}.exe
        
        C:\Windows\{B66191E6-0D02-4a08-90FF-DC8ED9188E63}.exe
        12⤵
        Executes dropped EXE
        
        PID:2096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{51554~1.EXE > nul
        12⤵
        
        PID:2232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{80429~1.EXE > nul
        11⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{86C3E~1.EXE > nul
        8⤵
        
        PID:1020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B1F30~1.EXE > nul
        7⤵
        
        PID:2028
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{58C8F~1.EXE > nul
      4⤵
      PID:2688
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{75A31~1.EXE > nul
    3⤵
    PID:2728
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{5155451B-B831-4462-9CD3-4B7C27968A66}.exe

Filesize
180KB

MD5
c90925210d39f785adbf374bc6848348

SHA1
8f14b7303e8a9c2a010036dc04b564acb4a15a66

SHA256
7c40cf10eec8f4f8800494a7765acd9ced6943db882615ac21d6b32c19d56ca9

SHA512
38378b1ca8a0ca614f67d3a4f3b42726a42bdca9b751c4fabce357ca3b5df31acf14a500f4b87d03ad96ffd8e65fea82a686bb32e73a41d89b668b73b9f98b6b

Download Submit
C:\Windows\{5529E509-4178-47c4-B361-24E4DFFF8D4A}.exe

Filesize
180KB

MD5
351c6750105a546cfbd617eb8ddade65

SHA1
c385a146bdb251037f46efbd12d0f2b828f63942

SHA256
269c493de1e862070ede2e8f20a37eb3bbaba879d58a1678bb88b7085c51e477

SHA512
a1d74793e6374ed481a5b474ca8cfdc910b71713433c1a1bfb5a9b217dfe23d6b7aa98ab6f3f6da141060b7778f5e01d4e049dd837573d9aa5dae0dd849d73bc

Download Submit
C:\Windows\{58C8FDE7-5745-47df-9D58-45EF4DB693ED}.exe

Filesize
180KB

MD5
05b3a2bce4de8c5e92417929114ba3ce

SHA1
111dc38b6f56c0f635e2f5290c9053d5d5645e78

SHA256
6c37015f9f2b340b4e7042ea7a2ff1256af72aa5a63fb29d464e92759d634260

SHA512
4963acbe679b8c7016b2e6e80db542e5067e83e448ee5c4d3f68513c59a60591c28d2e4ab39af90e7b551912f142691ed854170a1fc7eab0be08a635b0c37bc8

Download Submit
C:\Windows\{75A31F09-BD93-4561-B9B2-A32F60EB6EEB}.exe

Filesize
64KB

MD5
e29f1665ed422e07e67cdb1d2a59930d

SHA1
b9a0fab56826c43656e163c65515a3a8c2e5b416

SHA256
9247d06addaee8360dd07d59367565011dca7740b5e99dfba5aba6c8f0074b75

SHA512
042af89ea627c1de3d10555368fc0fb77f1d6d6c9912f9ab1b20f66a83b08dd561fa71b16e5b33474faaddcac97d4dc984785fc8642ebed19949bf5c6fc19015

Download Submit
C:\Windows\{75A31F09-BD93-4561-B9B2-A32F60EB6EEB}.exe

Filesize
38KB

MD5
511e2cdaf632ebdec1eb2853a1e4c8c0

SHA1
4ff8576cddb5e5260df146d2f89cbe5b7f7e0601

SHA256
3649c3c287f5ec7cf343f0f27a111a49b8e7d85b570dc8fb7ff516bc7dab14c5

SHA512
3ee2e08148951f27ceae49c0f8ec39f04263e3459b4858010cb3286129b3d54ac6204f43bc5ea686e3b6a5686e722d6cec3e7e7663dd0686db8181436ba80f57

Download Submit
C:\Windows\{75A31F09-BD93-4561-B9B2-A32F60EB6EEB}.exe

Filesize
180KB

MD5
6d56373414dc01d274e099f771e4f592

SHA1
8a584f0bed16597742122561241f0b431b1550f5

SHA256
63b4be608eacce272668e17668b343ff4aaca477768c9eddd7e948283e3e2512

SHA512
7458cd6fcfbac4a963cbcf6b01670b9eae444d13c54cd02ce5f90124a7ee38f97748da0b3f45c2c2ae052e85f3c56945fe7a5c0b7e06c8e7c0a29df4e2a0e65d

Download Submit
C:\Windows\{80429732-638F-47f3-969B-0EF563B72DF9}.exe

Filesize
180KB

MD5
a561aa663c4238de8fe965db3782471b

SHA1
a35b915389ce7e32495d3e9769c813633ed28165

SHA256
121b6bb594841e1da0f1096d78029ac96bd8e99bba40e49c01a775f6465dc2da

SHA512
c551724dcce5aea48f2333c9336beaa1a594f8f0fede9b656e2968bf274c7a2a95e248dbe845c284c2e9424e505a8e8e0a919d63521824072396b9f0b983a300

Download Submit
C:\Windows\{86C3E19D-06CC-4ac3-913B-DC3E868A19C1}.exe

Filesize
180KB

MD5
be2633278150247c615dcc63d487d1c9

SHA1
27df2bc017aeed2f69bc5cc441f462c2a5cf61db

SHA256
1a4d71ee732e43599b62a8a119dd04199819e471d1d8c1b04f4f3e0c3c8d30fe

SHA512
53fedff2aabe0d9c20adc4e5eaa43d967fcf189d7418a892c248afb2e1c312ce7d056027d9884680a997e3b5ce85e3f29daf9eb00fec59a1a8c6902bf5a0ff96

Download Submit
C:\Windows\{B1F30665-B4C5-4cfe-99B4-C22680ED782F}.exe

Filesize
180KB

MD5
e685c7dbc8b23ee063e46ad1b59b939b

SHA1
0b2b08f4e0fca01b8423010b2e48b87e5b02d16a

SHA256
8437ef0211240303a47e005c8367b0f389557674a432555717bec7b54457cdd1

SHA512
65e752e5595fdd50756d90d8801d28260b77e5a69ff90afa809339835d05f265b4d66ef1f88b0f499f3fb38a1b8b683c751ef83ca84591aae181c1a997e51ada

Download Submit
C:\Windows\{B66191E6-0D02-4a08-90FF-DC8ED9188E63}.exe

Filesize
180KB

MD5
903cd7a6fd4110e6a0e9f7033fb7088c

SHA1
ad64f9188ec7d57f602fd8b9f000aafe5b36d40c

SHA256
3cf3fc06ab8cfb2a85979ef91d0d2d551e9060e82c906d2f29f3757a2e0550e3

SHA512
b7aec612ecb9278ef2d36be09144bbaddbb9775757c4da77a36366d1b2af3ba106b28dd910108d94a2152a5b11597114efdcccc727366f52868eabc701ae268c

Download Submit
C:\Windows\{C8B8BAF6-D05A-464e-BAFF-05ABF238E360}.exe

Filesize
180KB

MD5
887346b80daa0cd8644ace2c433530a9

SHA1
ee162b0baf8acca77d7a9fad5a10c9e9b6ee8ce0

SHA256
83be59dc83e115e9b216b01aa8f259bdee431956ff69ce5f3c97df1708be46ad

SHA512
b8eaa67553095c03a94afb92a16e9a3206d23b00c5f56b910011a38c221f9bbaac8ad15e3b4822e89d50234b4a12a620098811aaf772e626715ea866820b2404

Download Submit
C:\Windows\{DEF404A5-D511-4f61-AA4F-01CFCFC4B4EE}.exe

Filesize
180KB

MD5
262acf45f0c70cb831839273f0bfa075

SHA1
872cd169d0d660457b9c8d6a2debcef9fbf8ca5c

SHA256
3f7835125219c7f5b8135048b4a55e8d17c050add0d424109164a7a391c2e491

SHA512
567ab89ef19f402970bc11829d771177b2506e83dfd7e4aa08ba3b00c976a770268b70f9ab7cb1649ae446f403027ca48aae8a72e854e2b38502ed59d55892b6

Download Submit
C:\Windows\{EB750EF0-AB02-4cb9-8A07-D1DCE0546D4F}.exe

Filesize
180KB

MD5
2d65474c378f0dabd2102d864b7eeba3

SHA1
e36de5a51230ef3dd35e16dc4844aa8abf68c04a

SHA256
341cfb895bc4c3fb761b38e25ee0c851accf0b8f77cd55106bfdf4b81629d05b

SHA512
cd575c46c8cc16d64df3a227970f1e6d64e5f97739050811d59df661396219464754ad59c2518386cc1c60f89a39da5b0a60409a967e633022c396435271f026

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads