0ed04466b3c358a575506f48d8e3e7a0e1ca0e10fe542e336b66d025d91838ad

Analysis

max time kernel
144s
max time network
118s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
12/02/2024, 20:32 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-12_c5557a9afbd4214c779ff467d044e4ed_goldeneye.exe
Size

408KB
MD5

c5557a9afbd4214c779ff467d044e4ed
SHA1

29efb0b393c83188c3d93c25fee37333cd5b6754
SHA256

0ed04466b3c358a575506f48d8e3e7a0e1ca0e10fe542e336b66d025d91838ad
SHA512

a8e9c27af48b5b5d423388d59f9f32252da51815da2aae4ed7068330a09943fc039524dd4393842c79e13e91cfee1064d9b09c50d3734116ecc9b5d8d1e6aae7
SSDEEP

3072:CEGh0oil3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGQldOe2MUVg3vTeKcAEciTBqr3jy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x0009000000012251-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000013a83-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a000000012251-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0036000000016c9c-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b000000012251-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000012251-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000012251-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{23ED44EF-F24B-4e6b-8540-E784A85888A1}	{75526C1D-8721-4f93-9032-6355234FA448}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{23ED44EF-F24B-4e6b-8540-E784A85888A1}\stubpath = "C:\\Windows\\{23ED44EF-F24B-4e6b-8540-E784A85888A1}.exe"	{75526C1D-8721-4f93-9032-6355234FA448}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{46DC1D40-9B58-4762-939C-07F43F68F144}\stubpath = "C:\\Windows\\{46DC1D40-9B58-4762-939C-07F43F68F144}.exe"	{CD952FE6-BD1B-4a20-A536-EF491BE97694}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{408B3FEC-BE23-499f-9D1F-07B02E02CE7B}	{46DC1D40-9B58-4762-939C-07F43F68F144}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D9025C02-CDD7-49ad-A80D-FB63FED8075D}\stubpath = "C:\\Windows\\{D9025C02-CDD7-49ad-A80D-FB63FED8075D}.exe"	{408B3FEC-BE23-499f-9D1F-07B02E02CE7B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FE92FC74-C6AE-44ed-9FB7-25BA76E7E6F8}	{74C9A91C-5497-4021-8893-83E75021FE32}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FFDBAA9A-B1EE-4c82-A1A7-C9972BB7ECF7}	2024-02-12_c5557a9afbd4214c779ff467d044e4ed_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{75526C1D-8721-4f93-9032-6355234FA448}	{FFDBAA9A-B1EE-4c82-A1A7-C9972BB7ECF7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CD952FE6-BD1B-4a20-A536-EF491BE97694}	{C8E474A0-4A56-4af9-91CA-519FC052DB60}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{46DC1D40-9B58-4762-939C-07F43F68F144}	{CD952FE6-BD1B-4a20-A536-EF491BE97694}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4004A33A-3769-48ca-A847-AB76859B9E87}	{D9025C02-CDD7-49ad-A80D-FB63FED8075D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{74C9A91C-5497-4021-8893-83E75021FE32}\stubpath = "C:\\Windows\\{74C9A91C-5497-4021-8893-83E75021FE32}.exe"	{4004A33A-3769-48ca-A847-AB76859B9E87}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{75526C1D-8721-4f93-9032-6355234FA448}\stubpath = "C:\\Windows\\{75526C1D-8721-4f93-9032-6355234FA448}.exe"	{FFDBAA9A-B1EE-4c82-A1A7-C9972BB7ECF7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C8E474A0-4A56-4af9-91CA-519FC052DB60}\stubpath = "C:\\Windows\\{C8E474A0-4A56-4af9-91CA-519FC052DB60}.exe"	{23ED44EF-F24B-4e6b-8540-E784A85888A1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FE92FC74-C6AE-44ed-9FB7-25BA76E7E6F8}\stubpath = "C:\\Windows\\{FE92FC74-C6AE-44ed-9FB7-25BA76E7E6F8}.exe"	{74C9A91C-5497-4021-8893-83E75021FE32}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C8E474A0-4A56-4af9-91CA-519FC052DB60}	{23ED44EF-F24B-4e6b-8540-E784A85888A1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CD952FE6-BD1B-4a20-A536-EF491BE97694}\stubpath = "C:\\Windows\\{CD952FE6-BD1B-4a20-A536-EF491BE97694}.exe"	{C8E474A0-4A56-4af9-91CA-519FC052DB60}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D9025C02-CDD7-49ad-A80D-FB63FED8075D}	{408B3FEC-BE23-499f-9D1F-07B02E02CE7B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4004A33A-3769-48ca-A847-AB76859B9E87}\stubpath = "C:\\Windows\\{4004A33A-3769-48ca-A847-AB76859B9E87}.exe"	{D9025C02-CDD7-49ad-A80D-FB63FED8075D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{74C9A91C-5497-4021-8893-83E75021FE32}	{4004A33A-3769-48ca-A847-AB76859B9E87}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FFDBAA9A-B1EE-4c82-A1A7-C9972BB7ECF7}\stubpath = "C:\\Windows\\{FFDBAA9A-B1EE-4c82-A1A7-C9972BB7ECF7}.exe"	2024-02-12_c5557a9afbd4214c779ff467d044e4ed_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{408B3FEC-BE23-499f-9D1F-07B02E02CE7B}\stubpath = "C:\\Windows\\{408B3FEC-BE23-499f-9D1F-07B02E02CE7B}.exe"	{46DC1D40-9B58-4762-939C-07F43F68F144}.exe

Deletes itself 1 IoCs

pid	Process
2748	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2700	{FFDBAA9A-B1EE-4c82-A1A7-C9972BB7ECF7}.exe
3028	{75526C1D-8721-4f93-9032-6355234FA448}.exe
2632	{23ED44EF-F24B-4e6b-8540-E784A85888A1}.exe
1940	{C8E474A0-4A56-4af9-91CA-519FC052DB60}.exe
2972	{CD952FE6-BD1B-4a20-A536-EF491BE97694}.exe
2272	{46DC1D40-9B58-4762-939C-07F43F68F144}.exe
1772	{408B3FEC-BE23-499f-9D1F-07B02E02CE7B}.exe
1208	{D9025C02-CDD7-49ad-A80D-FB63FED8075D}.exe
2592	{4004A33A-3769-48ca-A847-AB76859B9E87}.exe
268	{74C9A91C-5497-4021-8893-83E75021FE32}.exe
1660	{FE92FC74-C6AE-44ed-9FB7-25BA76E7E6F8}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{46DC1D40-9B58-4762-939C-07F43F68F144}.exe	{CD952FE6-BD1B-4a20-A536-EF491BE97694}.exe
File created	C:\Windows\{408B3FEC-BE23-499f-9D1F-07B02E02CE7B}.exe	{46DC1D40-9B58-4762-939C-07F43F68F144}.exe
File created	C:\Windows\{D9025C02-CDD7-49ad-A80D-FB63FED8075D}.exe	{408B3FEC-BE23-499f-9D1F-07B02E02CE7B}.exe
File created	C:\Windows\{74C9A91C-5497-4021-8893-83E75021FE32}.exe	{4004A33A-3769-48ca-A847-AB76859B9E87}.exe
File created	C:\Windows\{FE92FC74-C6AE-44ed-9FB7-25BA76E7E6F8}.exe	{74C9A91C-5497-4021-8893-83E75021FE32}.exe
File created	C:\Windows\{75526C1D-8721-4f93-9032-6355234FA448}.exe	{FFDBAA9A-B1EE-4c82-A1A7-C9972BB7ECF7}.exe
File created	C:\Windows\{23ED44EF-F24B-4e6b-8540-E784A85888A1}.exe	{75526C1D-8721-4f93-9032-6355234FA448}.exe
File created	C:\Windows\{C8E474A0-4A56-4af9-91CA-519FC052DB60}.exe	{23ED44EF-F24B-4e6b-8540-E784A85888A1}.exe
File created	C:\Windows\{CD952FE6-BD1B-4a20-A536-EF491BE97694}.exe	{C8E474A0-4A56-4af9-91CA-519FC052DB60}.exe
File created	C:\Windows\{4004A33A-3769-48ca-A847-AB76859B9E87}.exe	{D9025C02-CDD7-49ad-A80D-FB63FED8075D}.exe
File created	C:\Windows\{FFDBAA9A-B1EE-4c82-A1A7-C9972BB7ECF7}.exe	2024-02-12_c5557a9afbd4214c779ff467d044e4ed_goldeneye.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1948	2024-02-12_c5557a9afbd4214c779ff467d044e4ed_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2700	{FFDBAA9A-B1EE-4c82-A1A7-C9972BB7ECF7}.exe
Token: SeIncBasePriorityPrivilege	3028	{75526C1D-8721-4f93-9032-6355234FA448}.exe
Token: SeIncBasePriorityPrivilege	2632	{23ED44EF-F24B-4e6b-8540-E784A85888A1}.exe
Token: SeIncBasePriorityPrivilege	1940	{C8E474A0-4A56-4af9-91CA-519FC052DB60}.exe
Token: SeIncBasePriorityPrivilege	2972	{CD952FE6-BD1B-4a20-A536-EF491BE97694}.exe
Token: SeIncBasePriorityPrivilege	2272	{46DC1D40-9B58-4762-939C-07F43F68F144}.exe
Token: SeIncBasePriorityPrivilege	1772	{408B3FEC-BE23-499f-9D1F-07B02E02CE7B}.exe
Token: SeIncBasePriorityPrivilege	1208	{D9025C02-CDD7-49ad-A80D-FB63FED8075D}.exe
Token: SeIncBasePriorityPrivilege	2592	{4004A33A-3769-48ca-A847-AB76859B9E87}.exe
Token: SeIncBasePriorityPrivilege	268	{74C9A91C-5497-4021-8893-83E75021FE32}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1948 wrote to memory of 2700	1948	2024-02-12_c5557a9afbd4214c779ff467d044e4ed_goldeneye.exe	28
PID 1948 wrote to memory of 2700	1948	2024-02-12_c5557a9afbd4214c779ff467d044e4ed_goldeneye.exe	28
PID 1948 wrote to memory of 2700	1948	2024-02-12_c5557a9afbd4214c779ff467d044e4ed_goldeneye.exe	28
PID 1948 wrote to memory of 2700	1948	2024-02-12_c5557a9afbd4214c779ff467d044e4ed_goldeneye.exe	28
PID 1948 wrote to memory of 2748	1948	2024-02-12_c5557a9afbd4214c779ff467d044e4ed_goldeneye.exe	29
PID 1948 wrote to memory of 2748	1948	2024-02-12_c5557a9afbd4214c779ff467d044e4ed_goldeneye.exe	29
PID 1948 wrote to memory of 2748	1948	2024-02-12_c5557a9afbd4214c779ff467d044e4ed_goldeneye.exe	29
PID 1948 wrote to memory of 2748	1948	2024-02-12_c5557a9afbd4214c779ff467d044e4ed_goldeneye.exe	29
PID 2700 wrote to memory of 3028	2700	{FFDBAA9A-B1EE-4c82-A1A7-C9972BB7ECF7}.exe	30
PID 2700 wrote to memory of 3028	2700	{FFDBAA9A-B1EE-4c82-A1A7-C9972BB7ECF7}.exe	30
PID 2700 wrote to memory of 3028	2700	{FFDBAA9A-B1EE-4c82-A1A7-C9972BB7ECF7}.exe	30
PID 2700 wrote to memory of 3028	2700	{FFDBAA9A-B1EE-4c82-A1A7-C9972BB7ECF7}.exe	30
PID 2700 wrote to memory of 2140	2700	{FFDBAA9A-B1EE-4c82-A1A7-C9972BB7ECF7}.exe	31
PID 2700 wrote to memory of 2140	2700	{FFDBAA9A-B1EE-4c82-A1A7-C9972BB7ECF7}.exe	31
PID 2700 wrote to memory of 2140	2700	{FFDBAA9A-B1EE-4c82-A1A7-C9972BB7ECF7}.exe	31
PID 2700 wrote to memory of 2140	2700	{FFDBAA9A-B1EE-4c82-A1A7-C9972BB7ECF7}.exe	31
PID 3028 wrote to memory of 2632	3028	{75526C1D-8721-4f93-9032-6355234FA448}.exe	32
PID 3028 wrote to memory of 2632	3028	{75526C1D-8721-4f93-9032-6355234FA448}.exe	32
PID 3028 wrote to memory of 2632	3028	{75526C1D-8721-4f93-9032-6355234FA448}.exe	32
PID 3028 wrote to memory of 2632	3028	{75526C1D-8721-4f93-9032-6355234FA448}.exe	32
PID 3028 wrote to memory of 2780	3028	{75526C1D-8721-4f93-9032-6355234FA448}.exe	33
PID 3028 wrote to memory of 2780	3028	{75526C1D-8721-4f93-9032-6355234FA448}.exe	33
PID 3028 wrote to memory of 2780	3028	{75526C1D-8721-4f93-9032-6355234FA448}.exe	33
PID 3028 wrote to memory of 2780	3028	{75526C1D-8721-4f93-9032-6355234FA448}.exe	33
PID 2632 wrote to memory of 1940	2632	{23ED44EF-F24B-4e6b-8540-E784A85888A1}.exe	36
PID 2632 wrote to memory of 1940	2632	{23ED44EF-F24B-4e6b-8540-E784A85888A1}.exe	36
PID 2632 wrote to memory of 1940	2632	{23ED44EF-F24B-4e6b-8540-E784A85888A1}.exe	36
PID 2632 wrote to memory of 1940	2632	{23ED44EF-F24B-4e6b-8540-E784A85888A1}.exe	36
PID 2632 wrote to memory of 2844	2632	{23ED44EF-F24B-4e6b-8540-E784A85888A1}.exe	37
PID 2632 wrote to memory of 2844	2632	{23ED44EF-F24B-4e6b-8540-E784A85888A1}.exe	37
PID 2632 wrote to memory of 2844	2632	{23ED44EF-F24B-4e6b-8540-E784A85888A1}.exe	37
PID 2632 wrote to memory of 2844	2632	{23ED44EF-F24B-4e6b-8540-E784A85888A1}.exe	37
PID 1940 wrote to memory of 2972	1940	{C8E474A0-4A56-4af9-91CA-519FC052DB60}.exe	39
PID 1940 wrote to memory of 2972	1940	{C8E474A0-4A56-4af9-91CA-519FC052DB60}.exe	39
PID 1940 wrote to memory of 2972	1940	{C8E474A0-4A56-4af9-91CA-519FC052DB60}.exe	39
PID 1940 wrote to memory of 2972	1940	{C8E474A0-4A56-4af9-91CA-519FC052DB60}.exe	39
PID 1940 wrote to memory of 312	1940	{C8E474A0-4A56-4af9-91CA-519FC052DB60}.exe	38
PID 1940 wrote to memory of 312	1940	{C8E474A0-4A56-4af9-91CA-519FC052DB60}.exe	38
PID 1940 wrote to memory of 312	1940	{C8E474A0-4A56-4af9-91CA-519FC052DB60}.exe	38
PID 1940 wrote to memory of 312	1940	{C8E474A0-4A56-4af9-91CA-519FC052DB60}.exe	38
PID 2972 wrote to memory of 2272	2972	{CD952FE6-BD1B-4a20-A536-EF491BE97694}.exe	41
PID 2972 wrote to memory of 2272	2972	{CD952FE6-BD1B-4a20-A536-EF491BE97694}.exe	41
PID 2972 wrote to memory of 2272	2972	{CD952FE6-BD1B-4a20-A536-EF491BE97694}.exe	41
PID 2972 wrote to memory of 2272	2972	{CD952FE6-BD1B-4a20-A536-EF491BE97694}.exe	41
PID 2972 wrote to memory of 1640	2972	{CD952FE6-BD1B-4a20-A536-EF491BE97694}.exe	40
PID 2972 wrote to memory of 1640	2972	{CD952FE6-BD1B-4a20-A536-EF491BE97694}.exe	40
PID 2972 wrote to memory of 1640	2972	{CD952FE6-BD1B-4a20-A536-EF491BE97694}.exe	40
PID 2972 wrote to memory of 1640	2972	{CD952FE6-BD1B-4a20-A536-EF491BE97694}.exe	40
PID 2272 wrote to memory of 1772	2272	{46DC1D40-9B58-4762-939C-07F43F68F144}.exe	43
PID 2272 wrote to memory of 1772	2272	{46DC1D40-9B58-4762-939C-07F43F68F144}.exe	43
PID 2272 wrote to memory of 1772	2272	{46DC1D40-9B58-4762-939C-07F43F68F144}.exe	43
PID 2272 wrote to memory of 1772	2272	{46DC1D40-9B58-4762-939C-07F43F68F144}.exe	43
PID 2272 wrote to memory of 1276	2272	{46DC1D40-9B58-4762-939C-07F43F68F144}.exe	42
PID 2272 wrote to memory of 1276	2272	{46DC1D40-9B58-4762-939C-07F43F68F144}.exe	42
PID 2272 wrote to memory of 1276	2272	{46DC1D40-9B58-4762-939C-07F43F68F144}.exe	42
PID 2272 wrote to memory of 1276	2272	{46DC1D40-9B58-4762-939C-07F43F68F144}.exe	42
PID 1772 wrote to memory of 1208	1772	{408B3FEC-BE23-499f-9D1F-07B02E02CE7B}.exe	45
PID 1772 wrote to memory of 1208	1772	{408B3FEC-BE23-499f-9D1F-07B02E02CE7B}.exe	45
PID 1772 wrote to memory of 1208	1772	{408B3FEC-BE23-499f-9D1F-07B02E02CE7B}.exe	45
PID 1772 wrote to memory of 1208	1772	{408B3FEC-BE23-499f-9D1F-07B02E02CE7B}.exe	45
PID 1772 wrote to memory of 1244	1772	{408B3FEC-BE23-499f-9D1F-07B02E02CE7B}.exe	44
PID 1772 wrote to memory of 1244	1772	{408B3FEC-BE23-499f-9D1F-07B02E02CE7B}.exe	44
PID 1772 wrote to memory of 1244	1772	{408B3FEC-BE23-499f-9D1F-07B02E02CE7B}.exe	44
PID 1772 wrote to memory of 1244	1772	{408B3FEC-BE23-499f-9D1F-07B02E02CE7B}.exe	44

C:\Users\Admin\AppData\Local\Temp\2024-02-12_c5557a9afbd4214c779ff467d044e4ed_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-12_c5557a9afbd4214c779ff467d044e4ed_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1948
- C:\Windows\{FFDBAA9A-B1EE-4c82-A1A7-C9972BB7ECF7}.exe
  C:\Windows\{FFDBAA9A-B1EE-4c82-A1A7-C9972BB7ECF7}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2700
- - C:\Windows\{75526C1D-8721-4f93-9032-6355234FA448}.exe
    C:\Windows\{75526C1D-8721-4f93-9032-6355234FA448}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3028
  - - C:\Windows\{23ED44EF-F24B-4e6b-8540-E784A85888A1}.exe
      C:\Windows\{23ED44EF-F24B-4e6b-8540-E784A85888A1}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2632
    - - C:\Windows\{C8E474A0-4A56-4af9-91CA-519FC052DB60}.exe
        
        C:\Windows\{C8E474A0-4A56-4af9-91CA-519FC052DB60}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1940
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C8E47~1.EXE > nul
        6⤵
        
        PID:312
      - C:\Windows\{CD952FE6-BD1B-4a20-A536-EF491BE97694}.exe
        
        C:\Windows\{CD952FE6-BD1B-4a20-A536-EF491BE97694}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CD952~1.EXE > nul
        7⤵
        
        PID:1640
        
        C:\Windows\{46DC1D40-9B58-4762-939C-07F43F68F144}.exe
        
        C:\Windows\{46DC1D40-9B58-4762-939C-07F43F68F144}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{46DC1~1.EXE > nul
        8⤵
        
        PID:1276
        
        C:\Windows\{408B3FEC-BE23-499f-9D1F-07B02E02CE7B}.exe
        
        C:\Windows\{408B3FEC-BE23-499f-9D1F-07B02E02CE7B}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{408B3~1.EXE > nul
        9⤵
        
        PID:1244
        
        C:\Windows\{D9025C02-CDD7-49ad-A80D-FB63FED8075D}.exe
        
        C:\Windows\{D9025C02-CDD7-49ad-A80D-FB63FED8075D}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D9025~1.EXE > nul
        10⤵
        
        PID:2132
        
        C:\Windows\{4004A33A-3769-48ca-A847-AB76859B9E87}.exe
        
        C:\Windows\{4004A33A-3769-48ca-A847-AB76859B9E87}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4004A~1.EXE > nul
        11⤵
        
        PID:568
        
        C:\Windows\{74C9A91C-5497-4021-8893-83E75021FE32}.exe
        
        C:\Windows\{74C9A91C-5497-4021-8893-83E75021FE32}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{74C9A~1.EXE > nul
        12⤵
        
        PID:2412
        
        C:\Windows\{FE92FC74-C6AE-44ed-9FB7-25BA76E7E6F8}.exe
        
        C:\Windows\{FE92FC74-C6AE-44ed-9FB7-25BA76E7E6F8}.exe
        12⤵
        Executes dropped EXE
        
        PID:1660
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{23ED4~1.EXE > nul
        5⤵
        
        PID:2844
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{75526~1.EXE > nul
      4⤵
      PID:2780
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{FFDBA~1.EXE > nul
    3⤵
    PID:2140
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{23ED44EF-F24B-4e6b-8540-E784A85888A1}.exe

Filesize
408KB

MD5
61e8bb9139963b61bb4d7798d74afdff

SHA1
e42e256d662c78cbad53ca9fb0ffe10601c0ecf4

SHA256
7091f970cb6e4010d6f5da9ec6eed48a05be09b3b22ed47ca9ff0a8ecbe4bd4f

SHA512
7c8c73ca0f0ea72f8581ee34f89c32c8899979992befd39e026c13a9ebeb3da25e2bcdfa00f2c7fec27e03688b0dac5ffc348120dc4bc27cd1d15dae124e3276

Download Submit
C:\Windows\{4004A33A-3769-48ca-A847-AB76859B9E87}.exe

Filesize
408KB

MD5
53a614e5225bc2ea9747b21f64fa7fb7

SHA1
fc0daa31da5eedcfd4cfc953c2a20c359bd08f24

SHA256
686cfb2a530fca65e41cd619985d8f0b0fc79efbf9c3d5a8331ad62994834fac

SHA512
68a7e83a5156b4bee78c9efa5eefbe8d62cbc65bb290ebddec87e6cbd85cfd7732118b1a682ecf1c6a17ea3ab8206c17c8f2e598942e1c6024c6553f40a48046

Download Submit
C:\Windows\{408B3FEC-BE23-499f-9D1F-07B02E02CE7B}.exe

Filesize
408KB

MD5
fec7343c7aa3ae414ccdc02e20a8ea89

SHA1
9b4213d9e08b43375f734323e04129a15cf1ae95

SHA256
4b6bfc5f491229ffdf3764683a187dc66fc34088f3f372f2db9a6599985792f7

SHA512
bb51bff15f77b84ace74741ac4c22b548a7ee7cfa779afb24ddb1d28a13833d010dcc2325bc8819e49ce23406b96358cf3aa66c28967496b7a2b51ed2c3691b2

Download Submit
C:\Windows\{46DC1D40-9B58-4762-939C-07F43F68F144}.exe

Filesize
408KB

MD5
2e8f66355132a208de8107111db7cff2

SHA1
4ba9f97e56d9795567694757bc5f70aa737c7890

SHA256
7d35ad649fab7eafd3edf87bb4891ca84a4d69a6e4dc3966acdfaa148496e4fe

SHA512
d9339379060064263660686c0b1a9b94dedd5e8e365cbf5995d1f4f1cc6ab078a25728549ad08410d2f5c69825478d509714a97a83074d03c72e552144e038df

Download Submit
C:\Windows\{74C9A91C-5497-4021-8893-83E75021FE32}.exe

Filesize
408KB

MD5
db3cbed4caec0ff5f0a3f40a57a4bdfb

SHA1
8edfd0a0210852104a18c304cc2d41bc1f143eeb

SHA256
dc9ecb630de5d084d1c3e32a900fd78df0f200f823e4bbc424f006c74143ba31

SHA512
6c755a039a54d249500c34f291a777178437e5fa5146a4dcd028df4161bd1377e6d149f234a53b03afd3660c95802a213192657a73c86713ad1e34ab73ee8065

Download Submit
C:\Windows\{75526C1D-8721-4f93-9032-6355234FA448}.exe

Filesize
408KB

MD5
8eb34a3ad265dd8fd039de22e64d7c81

SHA1
2eede42cc6a70a0bdc3ba7235f279c4af8a4abfd

SHA256
e50c95e47300e1c2136634db7f69dbd74736b3ccc176d4a89876f449eb60f580

SHA512
369960f72e3b50d517c9021ed2ae7bfdb77d0cf28e33a50725eb487b6e8c0686252808d7ed11e9264f088b2b17ed503db128223a883e762bb1c3dcd0883d55ab

Download Submit
C:\Windows\{C8E474A0-4A56-4af9-91CA-519FC052DB60}.exe

Filesize
408KB

MD5
80d6e4ec94d2e8cca6444c208015de0b

SHA1
389cc73e27206264dde3451331a80fb7a2c59951

SHA256
353fd03a007849451e3f04f2cc0d34dd846157aae659634f81bebbf0be3925ca

SHA512
37d69bbce45d7233d230a4cea3790bd21dbb8bd74e12771f05e05bf625ffa498cfb0fe233ffb517d51ccbcefe4bd714566a25fb3888ca1f194b8d932e3ce5a8a

Download Submit
C:\Windows\{CD952FE6-BD1B-4a20-A536-EF491BE97694}.exe

Filesize
408KB

MD5
e84a6423f65bcdbbc3a2c17dcaf6bce0

SHA1
12746ac853a313e2c8b162c659713b5451214319

SHA256
2b00e5924733d6bbd92229cd7b1c6dc62a0bc9f3cbde510d948894468f5e0a69

SHA512
40024326fe8a04c9c44b8fee58c4a71597b97cc38030f1429afe92b49216afb771ba517694635d6e6291e47541e3141ba08216a62ab8e2dd23eca634922a512d

Download Submit
C:\Windows\{D9025C02-CDD7-49ad-A80D-FB63FED8075D}.exe

Filesize
408KB

MD5
48ad38a9155ddd8ee9fb82251f166f87

SHA1
257efeb673c2ef9e5e30fb49318d7643aaa16207

SHA256
ecfc25b5b6b8aa2ef49b625d30df091db063cdde9e6d81eebba454233d868d06

SHA512
cb9b2136887bd6c11cf8c9286451c031b8df55007e52acb8f4a25ccacf6e37999f5d738e458cd9a39b33614219b050b84924580f7898fe861c7ab6520e759f24

Download Submit
C:\Windows\{FE92FC74-C6AE-44ed-9FB7-25BA76E7E6F8}.exe

Filesize
408KB

MD5
70b09518730e2b77efdd3be6d84d011b

SHA1
07b1219b9231f9d15b0c2d38105d9534e252bef5

SHA256
942e5e6e96edd198346fe5ac618434a62a175525b1e56843030113a171e4dbe6

SHA512
7d5109156c3545f3de95f5b0daf845aac915a5393e8b0f7548dda569f49b7717109f77236aabf68a27fff2331fcbbfde71212f44b8dbc48e9a0b81519ef1f463

Download Submit
C:\Windows\{FFDBAA9A-B1EE-4c82-A1A7-C9972BB7ECF7}.exe

Filesize
408KB

MD5
21234749aee7325e706773d995a76876

SHA1
a456dcaa3d2e69670f4efbd4606a46fcd1090488

SHA256
ba7f73da25a60ad87c60ceded40b633b9f0c062e5b96b2416b154560758e811b

SHA512
1947b0b6007aee927596050cf5f6cb8563151b8e6facb3e5eaea24eef6cb0c382496862847decc81a763afe53201aa8ffc9fe7bf04e63b296d0a125321cbdcb2

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.