69b8593f1239f8450e433391b19415e5097922293a4e89bfff29e32a647338a9

Analysis

max time kernel
144s
max time network
123s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
12-02-2024 16:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-12_22d143f4e3a1228a8c9b83cc3e27e085_goldeneye.exe
Size

197KB
MD5

22d143f4e3a1228a8c9b83cc3e27e085
SHA1

b3488ae67d7c54edb64443d51516cc15df10cdc3
SHA256

69b8593f1239f8450e433391b19415e5097922293a4e89bfff29e32a647338a9
SHA512

43bd4c30e7d03ce0cfe99606bcf82abee315907d4b3c2461a0f05e75d4d9625c68365818fdf22eb8f3cb122ff86118acdffb0c93e740896c3c21ab46a92471aa
SSDEEP

3072:jEGh0oNl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGrlEeKcAEca

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral1/files/0x000c000000012683-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0032000000015e09-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000600000000f6f8-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0033000000015e09-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000700000000f6f8-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0034000000015e09-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000800000000f6f8-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0035000000015e09-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000900000000f6f8-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0036000000015e09-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0036000000015e09-69.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a00000000f6f8-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E516CB2C-56E4-4691-800C-27BA53A932AD}	{21704EC6-65BD-4bae-A76E-00A9924CB818}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A383D8C6-B573-4dd1-BD35-8DE19188260E}\stubpath = "C:\\Windows\\{A383D8C6-B573-4dd1-BD35-8DE19188260E}.exe"	{E516CB2C-56E4-4691-800C-27BA53A932AD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E268DA56-709C-4307-939D-B9945FBD3BB6}\stubpath = "C:\\Windows\\{E268DA56-709C-4307-939D-B9945FBD3BB6}.exe"	{EC40B026-8AF0-44e0-AE5B-E762A42B0366}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CD1D5F22-FC74-4bb7-9B8F-6376A044F788}	{E268DA56-709C-4307-939D-B9945FBD3BB6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{87B93C4F-D73D-49b4-B091-16FBF4993799}	2024-02-12_22d143f4e3a1228a8c9b83cc3e27e085_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C5613F3A-D3E1-4ef1-A04E-2357FA035B00}	{87B93C4F-D73D-49b4-B091-16FBF4993799}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DA9D1A3D-FE7C-44dc-A59E-30991CAF7429}	{2D915A7E-FBDC-471f-BF18-AAF48D8F7414}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2D915A7E-FBDC-471f-BF18-AAF48D8F7414}	{C5613F3A-D3E1-4ef1-A04E-2357FA035B00}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{21704EC6-65BD-4bae-A76E-00A9924CB818}	{DA9D1A3D-FE7C-44dc-A59E-30991CAF7429}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B59E418C-6E81-42d6-B8B5-628A2114E2F9}\stubpath = "C:\\Windows\\{B59E418C-6E81-42d6-B8B5-628A2114E2F9}.exe"	{CD1D5F22-FC74-4bb7-9B8F-6376A044F788}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{21704EC6-65BD-4bae-A76E-00A9924CB818}\stubpath = "C:\\Windows\\{21704EC6-65BD-4bae-A76E-00A9924CB818}.exe"	{DA9D1A3D-FE7C-44dc-A59E-30991CAF7429}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EC40B026-8AF0-44e0-AE5B-E762A42B0366}	{A383D8C6-B573-4dd1-BD35-8DE19188260E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B59E418C-6E81-42d6-B8B5-628A2114E2F9}	{CD1D5F22-FC74-4bb7-9B8F-6376A044F788}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{87B93C4F-D73D-49b4-B091-16FBF4993799}\stubpath = "C:\\Windows\\{87B93C4F-D73D-49b4-B091-16FBF4993799}.exe"	2024-02-12_22d143f4e3a1228a8c9b83cc3e27e085_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2D915A7E-FBDC-471f-BF18-AAF48D8F7414}\stubpath = "C:\\Windows\\{2D915A7E-FBDC-471f-BF18-AAF48D8F7414}.exe"	{C5613F3A-D3E1-4ef1-A04E-2357FA035B00}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DA9D1A3D-FE7C-44dc-A59E-30991CAF7429}\stubpath = "C:\\Windows\\{DA9D1A3D-FE7C-44dc-A59E-30991CAF7429}.exe"	{2D915A7E-FBDC-471f-BF18-AAF48D8F7414}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EC40B026-8AF0-44e0-AE5B-E762A42B0366}\stubpath = "C:\\Windows\\{EC40B026-8AF0-44e0-AE5B-E762A42B0366}.exe"	{A383D8C6-B573-4dd1-BD35-8DE19188260E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E268DA56-709C-4307-939D-B9945FBD3BB6}	{EC40B026-8AF0-44e0-AE5B-E762A42B0366}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CD1D5F22-FC74-4bb7-9B8F-6376A044F788}\stubpath = "C:\\Windows\\{CD1D5F22-FC74-4bb7-9B8F-6376A044F788}.exe"	{E268DA56-709C-4307-939D-B9945FBD3BB6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C5613F3A-D3E1-4ef1-A04E-2357FA035B00}\stubpath = "C:\\Windows\\{C5613F3A-D3E1-4ef1-A04E-2357FA035B00}.exe"	{87B93C4F-D73D-49b4-B091-16FBF4993799}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E516CB2C-56E4-4691-800C-27BA53A932AD}\stubpath = "C:\\Windows\\{E516CB2C-56E4-4691-800C-27BA53A932AD}.exe"	{21704EC6-65BD-4bae-A76E-00A9924CB818}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A383D8C6-B573-4dd1-BD35-8DE19188260E}	{E516CB2C-56E4-4691-800C-27BA53A932AD}.exe

Deletes itself 1 IoCs

pid	Process
2852	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2804	{87B93C4F-D73D-49b4-B091-16FBF4993799}.exe
2044	{C5613F3A-D3E1-4ef1-A04E-2357FA035B00}.exe
3056	{2D915A7E-FBDC-471f-BF18-AAF48D8F7414}.exe
440	{DA9D1A3D-FE7C-44dc-A59E-30991CAF7429}.exe
3012	{21704EC6-65BD-4bae-A76E-00A9924CB818}.exe
936	{E516CB2C-56E4-4691-800C-27BA53A932AD}.exe
1168	{A383D8C6-B573-4dd1-BD35-8DE19188260E}.exe
2900	{EC40B026-8AF0-44e0-AE5B-E762A42B0366}.exe
1620	{E268DA56-709C-4307-939D-B9945FBD3BB6}.exe
2320	{CD1D5F22-FC74-4bb7-9B8F-6376A044F788}.exe
2276	{B59E418C-6E81-42d6-B8B5-628A2114E2F9}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{C5613F3A-D3E1-4ef1-A04E-2357FA035B00}.exe	{87B93C4F-D73D-49b4-B091-16FBF4993799}.exe
File created	C:\Windows\{EC40B026-8AF0-44e0-AE5B-E762A42B0366}.exe	{A383D8C6-B573-4dd1-BD35-8DE19188260E}.exe
File created	C:\Windows\{E268DA56-709C-4307-939D-B9945FBD3BB6}.exe	{EC40B026-8AF0-44e0-AE5B-E762A42B0366}.exe
File created	C:\Windows\{CD1D5F22-FC74-4bb7-9B8F-6376A044F788}.exe	{E268DA56-709C-4307-939D-B9945FBD3BB6}.exe
File created	C:\Windows\{B59E418C-6E81-42d6-B8B5-628A2114E2F9}.exe	{CD1D5F22-FC74-4bb7-9B8F-6376A044F788}.exe
File created	C:\Windows\{87B93C4F-D73D-49b4-B091-16FBF4993799}.exe	2024-02-12_22d143f4e3a1228a8c9b83cc3e27e085_goldeneye.exe
File created	C:\Windows\{2D915A7E-FBDC-471f-BF18-AAF48D8F7414}.exe	{C5613F3A-D3E1-4ef1-A04E-2357FA035B00}.exe
File created	C:\Windows\{DA9D1A3D-FE7C-44dc-A59E-30991CAF7429}.exe	{2D915A7E-FBDC-471f-BF18-AAF48D8F7414}.exe
File created	C:\Windows\{21704EC6-65BD-4bae-A76E-00A9924CB818}.exe	{DA9D1A3D-FE7C-44dc-A59E-30991CAF7429}.exe
File created	C:\Windows\{E516CB2C-56E4-4691-800C-27BA53A932AD}.exe	{21704EC6-65BD-4bae-A76E-00A9924CB818}.exe
File created	C:\Windows\{A383D8C6-B573-4dd1-BD35-8DE19188260E}.exe	{E516CB2C-56E4-4691-800C-27BA53A932AD}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2780	2024-02-12_22d143f4e3a1228a8c9b83cc3e27e085_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2804	{87B93C4F-D73D-49b4-B091-16FBF4993799}.exe
Token: SeIncBasePriorityPrivilege	2044	{C5613F3A-D3E1-4ef1-A04E-2357FA035B00}.exe
Token: SeIncBasePriorityPrivilege	3056	{2D915A7E-FBDC-471f-BF18-AAF48D8F7414}.exe
Token: SeIncBasePriorityPrivilege	440	{DA9D1A3D-FE7C-44dc-A59E-30991CAF7429}.exe
Token: SeIncBasePriorityPrivilege	3012	{21704EC6-65BD-4bae-A76E-00A9924CB818}.exe
Token: SeIncBasePriorityPrivilege	936	{E516CB2C-56E4-4691-800C-27BA53A932AD}.exe
Token: SeIncBasePriorityPrivilege	1168	{A383D8C6-B573-4dd1-BD35-8DE19188260E}.exe
Token: SeIncBasePriorityPrivilege	2900	{EC40B026-8AF0-44e0-AE5B-E762A42B0366}.exe
Token: SeIncBasePriorityPrivilege	1620	{E268DA56-709C-4307-939D-B9945FBD3BB6}.exe
Token: SeIncBasePriorityPrivilege	2320	{CD1D5F22-FC74-4bb7-9B8F-6376A044F788}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2780 wrote to memory of 2804	2780	2024-02-12_22d143f4e3a1228a8c9b83cc3e27e085_goldeneye.exe	28
PID 2780 wrote to memory of 2804	2780	2024-02-12_22d143f4e3a1228a8c9b83cc3e27e085_goldeneye.exe	28
PID 2780 wrote to memory of 2804	2780	2024-02-12_22d143f4e3a1228a8c9b83cc3e27e085_goldeneye.exe	28
PID 2780 wrote to memory of 2804	2780	2024-02-12_22d143f4e3a1228a8c9b83cc3e27e085_goldeneye.exe	28
PID 2780 wrote to memory of 2852	2780	2024-02-12_22d143f4e3a1228a8c9b83cc3e27e085_goldeneye.exe	29
PID 2780 wrote to memory of 2852	2780	2024-02-12_22d143f4e3a1228a8c9b83cc3e27e085_goldeneye.exe	29
PID 2780 wrote to memory of 2852	2780	2024-02-12_22d143f4e3a1228a8c9b83cc3e27e085_goldeneye.exe	29
PID 2780 wrote to memory of 2852	2780	2024-02-12_22d143f4e3a1228a8c9b83cc3e27e085_goldeneye.exe	29
PID 2804 wrote to memory of 2044	2804	{87B93C4F-D73D-49b4-B091-16FBF4993799}.exe	30
PID 2804 wrote to memory of 2044	2804	{87B93C4F-D73D-49b4-B091-16FBF4993799}.exe	30
PID 2804 wrote to memory of 2044	2804	{87B93C4F-D73D-49b4-B091-16FBF4993799}.exe	30
PID 2804 wrote to memory of 2044	2804	{87B93C4F-D73D-49b4-B091-16FBF4993799}.exe	30
PID 2804 wrote to memory of 2760	2804	{87B93C4F-D73D-49b4-B091-16FBF4993799}.exe	31
PID 2804 wrote to memory of 2760	2804	{87B93C4F-D73D-49b4-B091-16FBF4993799}.exe	31
PID 2804 wrote to memory of 2760	2804	{87B93C4F-D73D-49b4-B091-16FBF4993799}.exe	31
PID 2804 wrote to memory of 2760	2804	{87B93C4F-D73D-49b4-B091-16FBF4993799}.exe	31
PID 2044 wrote to memory of 3056	2044	{C5613F3A-D3E1-4ef1-A04E-2357FA035B00}.exe	34
PID 2044 wrote to memory of 3056	2044	{C5613F3A-D3E1-4ef1-A04E-2357FA035B00}.exe	34
PID 2044 wrote to memory of 3056	2044	{C5613F3A-D3E1-4ef1-A04E-2357FA035B00}.exe	34
PID 2044 wrote to memory of 3056	2044	{C5613F3A-D3E1-4ef1-A04E-2357FA035B00}.exe	34
PID 2044 wrote to memory of 564	2044	{C5613F3A-D3E1-4ef1-A04E-2357FA035B00}.exe	35
PID 2044 wrote to memory of 564	2044	{C5613F3A-D3E1-4ef1-A04E-2357FA035B00}.exe	35
PID 2044 wrote to memory of 564	2044	{C5613F3A-D3E1-4ef1-A04E-2357FA035B00}.exe	35
PID 2044 wrote to memory of 564	2044	{C5613F3A-D3E1-4ef1-A04E-2357FA035B00}.exe	35
PID 3056 wrote to memory of 440	3056	{2D915A7E-FBDC-471f-BF18-AAF48D8F7414}.exe	36
PID 3056 wrote to memory of 440	3056	{2D915A7E-FBDC-471f-BF18-AAF48D8F7414}.exe	36
PID 3056 wrote to memory of 440	3056	{2D915A7E-FBDC-471f-BF18-AAF48D8F7414}.exe	36
PID 3056 wrote to memory of 440	3056	{2D915A7E-FBDC-471f-BF18-AAF48D8F7414}.exe	36
PID 3056 wrote to memory of 584	3056	{2D915A7E-FBDC-471f-BF18-AAF48D8F7414}.exe	37
PID 3056 wrote to memory of 584	3056	{2D915A7E-FBDC-471f-BF18-AAF48D8F7414}.exe	37
PID 3056 wrote to memory of 584	3056	{2D915A7E-FBDC-471f-BF18-AAF48D8F7414}.exe	37
PID 3056 wrote to memory of 584	3056	{2D915A7E-FBDC-471f-BF18-AAF48D8F7414}.exe	37
PID 440 wrote to memory of 3012	440	{DA9D1A3D-FE7C-44dc-A59E-30991CAF7429}.exe	38
PID 440 wrote to memory of 3012	440	{DA9D1A3D-FE7C-44dc-A59E-30991CAF7429}.exe	38
PID 440 wrote to memory of 3012	440	{DA9D1A3D-FE7C-44dc-A59E-30991CAF7429}.exe	38
PID 440 wrote to memory of 3012	440	{DA9D1A3D-FE7C-44dc-A59E-30991CAF7429}.exe	38
PID 440 wrote to memory of 2304	440	{DA9D1A3D-FE7C-44dc-A59E-30991CAF7429}.exe	39
PID 440 wrote to memory of 2304	440	{DA9D1A3D-FE7C-44dc-A59E-30991CAF7429}.exe	39
PID 440 wrote to memory of 2304	440	{DA9D1A3D-FE7C-44dc-A59E-30991CAF7429}.exe	39
PID 440 wrote to memory of 2304	440	{DA9D1A3D-FE7C-44dc-A59E-30991CAF7429}.exe	39
PID 3012 wrote to memory of 936	3012	{21704EC6-65BD-4bae-A76E-00A9924CB818}.exe	40
PID 3012 wrote to memory of 936	3012	{21704EC6-65BD-4bae-A76E-00A9924CB818}.exe	40
PID 3012 wrote to memory of 936	3012	{21704EC6-65BD-4bae-A76E-00A9924CB818}.exe	40
PID 3012 wrote to memory of 936	3012	{21704EC6-65BD-4bae-A76E-00A9924CB818}.exe	40
PID 3012 wrote to memory of 2884	3012	{21704EC6-65BD-4bae-A76E-00A9924CB818}.exe	41
PID 3012 wrote to memory of 2884	3012	{21704EC6-65BD-4bae-A76E-00A9924CB818}.exe	41
PID 3012 wrote to memory of 2884	3012	{21704EC6-65BD-4bae-A76E-00A9924CB818}.exe	41
PID 3012 wrote to memory of 2884	3012	{21704EC6-65BD-4bae-A76E-00A9924CB818}.exe	41
PID 936 wrote to memory of 1168	936	{E516CB2C-56E4-4691-800C-27BA53A932AD}.exe	42
PID 936 wrote to memory of 1168	936	{E516CB2C-56E4-4691-800C-27BA53A932AD}.exe	42
PID 936 wrote to memory of 1168	936	{E516CB2C-56E4-4691-800C-27BA53A932AD}.exe	42
PID 936 wrote to memory of 1168	936	{E516CB2C-56E4-4691-800C-27BA53A932AD}.exe	42
PID 936 wrote to memory of 800	936	{E516CB2C-56E4-4691-800C-27BA53A932AD}.exe	43
PID 936 wrote to memory of 800	936	{E516CB2C-56E4-4691-800C-27BA53A932AD}.exe	43
PID 936 wrote to memory of 800	936	{E516CB2C-56E4-4691-800C-27BA53A932AD}.exe	43
PID 936 wrote to memory of 800	936	{E516CB2C-56E4-4691-800C-27BA53A932AD}.exe	43
PID 1168 wrote to memory of 2900	1168	{A383D8C6-B573-4dd1-BD35-8DE19188260E}.exe	44
PID 1168 wrote to memory of 2900	1168	{A383D8C6-B573-4dd1-BD35-8DE19188260E}.exe	44
PID 1168 wrote to memory of 2900	1168	{A383D8C6-B573-4dd1-BD35-8DE19188260E}.exe	44
PID 1168 wrote to memory of 2900	1168	{A383D8C6-B573-4dd1-BD35-8DE19188260E}.exe	44
PID 1168 wrote to memory of 1176	1168	{A383D8C6-B573-4dd1-BD35-8DE19188260E}.exe	45
PID 1168 wrote to memory of 1176	1168	{A383D8C6-B573-4dd1-BD35-8DE19188260E}.exe	45
PID 1168 wrote to memory of 1176	1168	{A383D8C6-B573-4dd1-BD35-8DE19188260E}.exe	45
PID 1168 wrote to memory of 1176	1168	{A383D8C6-B573-4dd1-BD35-8DE19188260E}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-02-12_22d143f4e3a1228a8c9b83cc3e27e085_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-12_22d143f4e3a1228a8c9b83cc3e27e085_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2780
- C:\Windows\{87B93C4F-D73D-49b4-B091-16FBF4993799}.exe
  C:\Windows\{87B93C4F-D73D-49b4-B091-16FBF4993799}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2804
- - C:\Windows\{C5613F3A-D3E1-4ef1-A04E-2357FA035B00}.exe
    C:\Windows\{C5613F3A-D3E1-4ef1-A04E-2357FA035B00}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2044
  - - C:\Windows\{2D915A7E-FBDC-471f-BF18-AAF48D8F7414}.exe
      C:\Windows\{2D915A7E-FBDC-471f-BF18-AAF48D8F7414}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3056
    - - C:\Windows\{DA9D1A3D-FE7C-44dc-A59E-30991CAF7429}.exe
        
        C:\Windows\{DA9D1A3D-FE7C-44dc-A59E-30991CAF7429}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:440
      - C:\Windows\{21704EC6-65BD-4bae-A76E-00A9924CB818}.exe
        
        C:\Windows\{21704EC6-65BD-4bae-A76E-00A9924CB818}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3012
        
        C:\Windows\{E516CB2C-56E4-4691-800C-27BA53A932AD}.exe
        
        C:\Windows\{E516CB2C-56E4-4691-800C-27BA53A932AD}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:936
        
        C:\Windows\{A383D8C6-B573-4dd1-BD35-8DE19188260E}.exe
        
        C:\Windows\{A383D8C6-B573-4dd1-BD35-8DE19188260E}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1168
        
        C:\Windows\{EC40B026-8AF0-44e0-AE5B-E762A42B0366}.exe
        
        C:\Windows\{EC40B026-8AF0-44e0-AE5B-E762A42B0366}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2900
        
        C:\Windows\{E268DA56-709C-4307-939D-B9945FBD3BB6}.exe
        
        C:\Windows\{E268DA56-709C-4307-939D-B9945FBD3BB6}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1620
        
        C:\Windows\{CD1D5F22-FC74-4bb7-9B8F-6376A044F788}.exe
        
        C:\Windows\{CD1D5F22-FC74-4bb7-9B8F-6376A044F788}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CD1D5~1.EXE > nul
        12⤵
        
        PID:1928
        
        C:\Windows\{B59E418C-6E81-42d6-B8B5-628A2114E2F9}.exe
        
        C:\Windows\{B59E418C-6E81-42d6-B8B5-628A2114E2F9}.exe
        12⤵
        Executes dropped EXE
        
        PID:2276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E268D~1.EXE > nul
        11⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EC40B~1.EXE > nul
        10⤵
        
        PID:1120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A383D~1.EXE > nul
        9⤵
        
        PID:1176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E516C~1.EXE > nul
        8⤵
        
        PID:800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{21704~1.EXE > nul
        7⤵
        
        PID:2884
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DA9D1~1.EXE > nul
        6⤵
        
        PID:2304
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2D915~1.EXE > nul
        5⤵
        
        PID:584
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{C5613~1.EXE > nul
      4⤵
      PID:564
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{87B93~1.EXE > nul
    3⤵
    PID:2760
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{21704EC6-65BD-4bae-A76E-00A9924CB818}.exe

Filesize
197KB

MD5
344d78245dd4c7c0c2e1f32a5570cce6

SHA1
e307460d9c998c369010c24ec37f96121425ebb5

SHA256
b11421e8bd224830ac524a54acbde0dfd4b8d63efeebf08c4a507c3df04a421a

SHA512
5b1c51c3602b34253cdeb86cc0cc35404dbd92dd000e6c9ff1a9e2cea025617599f26ee342ce22e65f2f92d906c6ae151a61c61bc7300380c3d040dece73b88c

Download Submit
C:\Windows\{2D915A7E-FBDC-471f-BF18-AAF48D8F7414}.exe

Filesize
197KB

MD5
2ebce7816be56e02927aa33d16db3c4b

SHA1
8f4fb8788545191f1e554c8a0b2c7234d997a4b5

SHA256
817181e2165cf72cd3662547ecf6787ae730e54df28cf6abf85de15a46339198

SHA512
ce0d6243827443bbe16fbeaeb0d9c041b13f2bdb4495a584d5580c423175a7eac5091bb3c9f76f90cc8e9f80d1de3e0a0758d47b58fd05ec9b2a636be3e2db63

Download Submit
C:\Windows\{87B93C4F-D73D-49b4-B091-16FBF4993799}.exe

Filesize
197KB

MD5
bbd5b909cb9a50af03a10cb7d4e3be85

SHA1
46d18c9cb59395c621a47022f5c684a4418c2198

SHA256
24ea3accb68f0958f37e1ab2a8addf23f18ce6245e9e9bf66476b21fb29e29cd

SHA512
f735d129f66e1e44d175483f7886683d4551e6639b7b00ecb35116b9646ba6cc14e2870f7c37e577c77e257160b6af09167a640f0f4153120e0300491c0ba0cc

Download Submit
C:\Windows\{A383D8C6-B573-4dd1-BD35-8DE19188260E}.exe

Filesize
197KB

MD5
5e82b28f91c48f00aa46f6ab9ef356cf

SHA1
77b7a8d7e9f10911dd1daf7f825006610c9e063d

SHA256
f8ebe826b02dd55a73f044db451c6f8186cc3634a0f838946919ab84986d892e

SHA512
f637c3b02299d62fa3806ee568337cb4d5dfbd7ac4794a4df1942b3a149f90659401efd1550df72067f60abbe7e3b1704ea7fca5f41b0e74d4d8d7609b1ba9a6

Download Submit
C:\Windows\{B59E418C-6E81-42d6-B8B5-628A2114E2F9}.exe

Filesize
197KB

MD5
19aac2714ed8299caa2b32b91a39281b

SHA1
8dadcc67496d95d0744a30ad4d39eec6e1204add

SHA256
0258b2e4f44ad133e0766d802f24f4a365d0ef6884db917b8d4acbcf5f24a1ef

SHA512
6a9541ec884e9ae0f81dded378d4775ef7036a7a640e0bd4a8098a2eaa9a04410cf7e4f5599b1ae21289491988fa23bfb810bde4673dd3066d59b09f31fd7af6

Download Submit
C:\Windows\{C5613F3A-D3E1-4ef1-A04E-2357FA035B00}.exe

Filesize
197KB

MD5
4d2b624d084c0f375d905999b1159087

SHA1
f68ca5704aceadb7250a9f130e5f8c3b4f7beea6

SHA256
3f99272110f1b74bec2f0348e9ef468ce862270a976c268c5dbaddd4117e61f7

SHA512
907e7bc574f35d67d34efb5313eef38bc9540e51c642612787d010bc9ab2fd110f1c141637302526cbde9cf261be51bcc0fa4ba973dbda1dd6010120c4afe615

Download Submit
C:\Windows\{CD1D5F22-FC74-4bb7-9B8F-6376A044F788}.exe

Filesize
197KB

MD5
6f33897db89a432629f592d0dc1c2e6f

SHA1
e01d0dee593cf7046674852b6f4b1293370273c4

SHA256
2cb2410c8adea6fe87c7e820cfdd71307bdbb9f063c2a26291bffb8a8a75ae7c

SHA512
3f405cce549f0166eea5b82c703961b052a01faecd8b33514d3864fe525709bfd2e963a32078c006c3a4ef8e08ba390ee952abe6a9f4e24e56d5612452b7d52e

Download Submit
C:\Windows\{CD1D5F22-FC74-4bb7-9B8F-6376A044F788}.exe

Filesize
96KB

MD5
9043276857b9ffd26d29580936fefc2e

SHA1
e7be06bf31380e1732126c9f644dae24db9f66df

SHA256
192f35e2afbf4ce7dc1718e345c9509ec9fe819e9de5afe89086345262ac68ef

SHA512
366d199be4fd292d0bca249ce61a4cc6ba2c4dfdf4c33639bebc6d7ecc50c9bd886d0c6f116771544acfc02958013b2ce3e2d77ca033b8ced14ec6e10cbd196c

Download Submit
C:\Windows\{DA9D1A3D-FE7C-44dc-A59E-30991CAF7429}.exe

Filesize
197KB

MD5
ce54879e602794716eafa282b498a7f3

SHA1
541393c9d49ee1f3a04944122e76a099a0eceb6b

SHA256
d5658786c45c78eee256dc408c2b79d8b2db73e4afe1b66253972ae2b43a152d

SHA512
815021de8d850f231179d1c0b61670f0ba25c594479ac9f62a9cbf8143e76c71a5a6c1d29685fab4bc60cbf7d824518ccee919c00f82753f99bc4b8fcfd8ae1b

Download Submit
C:\Windows\{E268DA56-709C-4307-939D-B9945FBD3BB6}.exe

Filesize
197KB

MD5
3e025573db9b92b6031b02513489e1e6

SHA1
54a542473d3aaf56c0f4d2f786d0f81f5f4465f1

SHA256
1fcf83a6fb64174d374d60ef083e8eaf57cea91c8d016b14bf422c64011eb6f9

SHA512
89d37b04b93e486bcfad8284d12bfa202aacbfaab4760a1e9370079f6a8c6f108fdb85241884960950ed269242611adc99a56a509cc30c513e1ff2244bba0859

Download Submit
C:\Windows\{E516CB2C-56E4-4691-800C-27BA53A932AD}.exe

Filesize
197KB

MD5
fcc2d8fe0585d8d27974f3b2a69c6daf

SHA1
bbc8f4092491006fe02e5872ec8747bd81341d0b

SHA256
d989a6aad4e0284761f1d815ace917be5a2b762a995e48864e76ba1d11d97359

SHA512
37e5ae1b197c900558629c1ade0bbfdae2534e5061be5b82228cf55d409ccaf8c9f9401fd8d2dfff05bbdf451f357dc3bb4a8e868f7aa85b99079680a449d8d0

Download Submit
C:\Windows\{EC40B026-8AF0-44e0-AE5B-E762A42B0366}.exe

Filesize
197KB

MD5
da73d87d5b6d17a93457ec55e7052d8b

SHA1
b901eca5f798ca5846442c005909a3ea60a9893a

SHA256
fa392dafd5d461a32d867b1d08042279a28458f41073064fe9a9aaf93ac17436

SHA512
615e242a42285376516e72d30110ab8af94da15d58db27fa14f8a13c9a7d26fbed12ee0d7dd01019183ce786b446d208a6f85298e8f4e764585ec7c1434e8c21

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads