61bcdc503340a3ac1825eb672c810db1e813a93da3970e279fce2b7e513f21ad

Analysis

max time kernel
144s
max time network
123s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
13/02/2024, 21:30

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-02-13_6743a6ab932c886c579671a13926ae13_goldeneye.exe
Size

216KB
MD5

6743a6ab932c886c579671a13926ae13
SHA1

32dd25c1dea5c6d0964676fad8e32b7a93bd4a34
SHA256

61bcdc503340a3ac1825eb672c810db1e813a93da3970e279fce2b7e513f21ad
SHA512

2854c8b4e9d76848e2563e89505482e50b9c5f5849df92fc27fd432e692cf0b44dfbe3143330bc0ff4e55b07fd598f74b89aed1c1393d7b5a85746105e5cc519
SSDEEP

3072:jEGh0ovl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEG1lEeKcAEcGy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000b000000012262-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000012270-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000016047-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002900000000b1f4-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002a00000000b1f4-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a000000016047-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000800000001604f-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b000000016047-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000900000001604f-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BD00FCEF-4563-4d4e-81DC-AA10BF03D8B6}	{0A138141-DF67-4f42-B412-848BC625C234}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2DB032E6-0007-402e-8FD3-3EADF29A20D4}	{BD00FCEF-4563-4d4e-81DC-AA10BF03D8B6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FC01A5CB-0C69-48a6-A3ED-25A3B6009EED}\stubpath = "C:\\Windows\\{FC01A5CB-0C69-48a6-A3ED-25A3B6009EED}.exe"	{2DB032E6-0007-402e-8FD3-3EADF29A20D4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{82526B0C-F149-471f-9FA2-0D1F24BE90DA}	2024-02-13_6743a6ab932c886c579671a13926ae13_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8A9E4870-9EF9-44ee-AF76-9FCBC6197E0E}	{DC86EC26-F6AB-4ecc-AF69-A1F45A821F8B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0A138141-DF67-4f42-B412-848BC625C234}	{8A9E4870-9EF9-44ee-AF76-9FCBC6197E0E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0A138141-DF67-4f42-B412-848BC625C234}\stubpath = "C:\\Windows\\{0A138141-DF67-4f42-B412-848BC625C234}.exe"	{8A9E4870-9EF9-44ee-AF76-9FCBC6197E0E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{676B2627-79C5-4f45-BED0-9428B8D451F0}	{FC01A5CB-0C69-48a6-A3ED-25A3B6009EED}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E834BE60-D871-4fa5-A2F4-3AC24168DACC}	{EA093BA8-ED3A-4ac9-B8AF-7F64109EEBF1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DC86EC26-F6AB-4ecc-AF69-A1F45A821F8B}\stubpath = "C:\\Windows\\{DC86EC26-F6AB-4ecc-AF69-A1F45A821F8B}.exe"	{B6AB8E5C-D81E-442b-B544-97C8E1EB0E00}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EA093BA8-ED3A-4ac9-B8AF-7F64109EEBF1}\stubpath = "C:\\Windows\\{EA093BA8-ED3A-4ac9-B8AF-7F64109EEBF1}.exe"	{82526B0C-F149-471f-9FA2-0D1F24BE90DA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B6AB8E5C-D81E-442b-B544-97C8E1EB0E00}\stubpath = "C:\\Windows\\{B6AB8E5C-D81E-442b-B544-97C8E1EB0E00}.exe"	{E834BE60-D871-4fa5-A2F4-3AC24168DACC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DC86EC26-F6AB-4ecc-AF69-A1F45A821F8B}	{B6AB8E5C-D81E-442b-B544-97C8E1EB0E00}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8A9E4870-9EF9-44ee-AF76-9FCBC6197E0E}\stubpath = "C:\\Windows\\{8A9E4870-9EF9-44ee-AF76-9FCBC6197E0E}.exe"	{DC86EC26-F6AB-4ecc-AF69-A1F45A821F8B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{676B2627-79C5-4f45-BED0-9428B8D451F0}\stubpath = "C:\\Windows\\{676B2627-79C5-4f45-BED0-9428B8D451F0}.exe"	{FC01A5CB-0C69-48a6-A3ED-25A3B6009EED}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{82526B0C-F149-471f-9FA2-0D1F24BE90DA}\stubpath = "C:\\Windows\\{82526B0C-F149-471f-9FA2-0D1F24BE90DA}.exe"	2024-02-13_6743a6ab932c886c579671a13926ae13_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EA093BA8-ED3A-4ac9-B8AF-7F64109EEBF1}	{82526B0C-F149-471f-9FA2-0D1F24BE90DA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BD00FCEF-4563-4d4e-81DC-AA10BF03D8B6}\stubpath = "C:\\Windows\\{BD00FCEF-4563-4d4e-81DC-AA10BF03D8B6}.exe"	{0A138141-DF67-4f42-B412-848BC625C234}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2DB032E6-0007-402e-8FD3-3EADF29A20D4}\stubpath = "C:\\Windows\\{2DB032E6-0007-402e-8FD3-3EADF29A20D4}.exe"	{BD00FCEF-4563-4d4e-81DC-AA10BF03D8B6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FC01A5CB-0C69-48a6-A3ED-25A3B6009EED}	{2DB032E6-0007-402e-8FD3-3EADF29A20D4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E834BE60-D871-4fa5-A2F4-3AC24168DACC}\stubpath = "C:\\Windows\\{E834BE60-D871-4fa5-A2F4-3AC24168DACC}.exe"	{EA093BA8-ED3A-4ac9-B8AF-7F64109EEBF1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B6AB8E5C-D81E-442b-B544-97C8E1EB0E00}	{E834BE60-D871-4fa5-A2F4-3AC24168DACC}.exe

Deletes itself 1 IoCs

pid	Process
2204	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2172	{82526B0C-F149-471f-9FA2-0D1F24BE90DA}.exe
2300	{EA093BA8-ED3A-4ac9-B8AF-7F64109EEBF1}.exe
3000	{E834BE60-D871-4fa5-A2F4-3AC24168DACC}.exe
2628	{B6AB8E5C-D81E-442b-B544-97C8E1EB0E00}.exe
1992	{DC86EC26-F6AB-4ecc-AF69-A1F45A821F8B}.exe
2180	{8A9E4870-9EF9-44ee-AF76-9FCBC6197E0E}.exe
872	{0A138141-DF67-4f42-B412-848BC625C234}.exe
284	{BD00FCEF-4563-4d4e-81DC-AA10BF03D8B6}.exe
1520	{2DB032E6-0007-402e-8FD3-3EADF29A20D4}.exe
792	{FC01A5CB-0C69-48a6-A3ED-25A3B6009EED}.exe
2792	{676B2627-79C5-4f45-BED0-9428B8D451F0}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{EA093BA8-ED3A-4ac9-B8AF-7F64109EEBF1}.exe	{82526B0C-F149-471f-9FA2-0D1F24BE90DA}.exe
File created	C:\Windows\{B6AB8E5C-D81E-442b-B544-97C8E1EB0E00}.exe	{E834BE60-D871-4fa5-A2F4-3AC24168DACC}.exe
File created	C:\Windows\{DC86EC26-F6AB-4ecc-AF69-A1F45A821F8B}.exe	{B6AB8E5C-D81E-442b-B544-97C8E1EB0E00}.exe
File created	C:\Windows\{676B2627-79C5-4f45-BED0-9428B8D451F0}.exe	{FC01A5CB-0C69-48a6-A3ED-25A3B6009EED}.exe
File created	C:\Windows\{FC01A5CB-0C69-48a6-A3ED-25A3B6009EED}.exe	{2DB032E6-0007-402e-8FD3-3EADF29A20D4}.exe
File created	C:\Windows\{82526B0C-F149-471f-9FA2-0D1F24BE90DA}.exe	2024-02-13_6743a6ab932c886c579671a13926ae13_goldeneye.exe
File created	C:\Windows\{E834BE60-D871-4fa5-A2F4-3AC24168DACC}.exe	{EA093BA8-ED3A-4ac9-B8AF-7F64109EEBF1}.exe
File created	C:\Windows\{8A9E4870-9EF9-44ee-AF76-9FCBC6197E0E}.exe	{DC86EC26-F6AB-4ecc-AF69-A1F45A821F8B}.exe
File created	C:\Windows\{0A138141-DF67-4f42-B412-848BC625C234}.exe	{8A9E4870-9EF9-44ee-AF76-9FCBC6197E0E}.exe
File created	C:\Windows\{BD00FCEF-4563-4d4e-81DC-AA10BF03D8B6}.exe	{0A138141-DF67-4f42-B412-848BC625C234}.exe
File created	C:\Windows\{2DB032E6-0007-402e-8FD3-3EADF29A20D4}.exe	{BD00FCEF-4563-4d4e-81DC-AA10BF03D8B6}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2044	2024-02-13_6743a6ab932c886c579671a13926ae13_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2172	{82526B0C-F149-471f-9FA2-0D1F24BE90DA}.exe
Token: SeIncBasePriorityPrivilege	2300	{EA093BA8-ED3A-4ac9-B8AF-7F64109EEBF1}.exe
Token: SeIncBasePriorityPrivilege	3000	{E834BE60-D871-4fa5-A2F4-3AC24168DACC}.exe
Token: SeIncBasePriorityPrivilege	2628	{B6AB8E5C-D81E-442b-B544-97C8E1EB0E00}.exe
Token: SeIncBasePriorityPrivilege	1992	{DC86EC26-F6AB-4ecc-AF69-A1F45A821F8B}.exe
Token: SeIncBasePriorityPrivilege	2180	{8A9E4870-9EF9-44ee-AF76-9FCBC6197E0E}.exe
Token: SeIncBasePriorityPrivilege	872	{0A138141-DF67-4f42-B412-848BC625C234}.exe
Token: SeIncBasePriorityPrivilege	284	{BD00FCEF-4563-4d4e-81DC-AA10BF03D8B6}.exe
Token: SeIncBasePriorityPrivilege	1520	{2DB032E6-0007-402e-8FD3-3EADF29A20D4}.exe
Token: SeIncBasePriorityPrivilege	792	{FC01A5CB-0C69-48a6-A3ED-25A3B6009EED}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2044 wrote to memory of 2172	2044	2024-02-13_6743a6ab932c886c579671a13926ae13_goldeneye.exe	28
PID 2044 wrote to memory of 2172	2044	2024-02-13_6743a6ab932c886c579671a13926ae13_goldeneye.exe	28
PID 2044 wrote to memory of 2172	2044	2024-02-13_6743a6ab932c886c579671a13926ae13_goldeneye.exe	28
PID 2044 wrote to memory of 2172	2044	2024-02-13_6743a6ab932c886c579671a13926ae13_goldeneye.exe	28
PID 2044 wrote to memory of 2204	2044	2024-02-13_6743a6ab932c886c579671a13926ae13_goldeneye.exe	29
PID 2044 wrote to memory of 2204	2044	2024-02-13_6743a6ab932c886c579671a13926ae13_goldeneye.exe	29
PID 2044 wrote to memory of 2204	2044	2024-02-13_6743a6ab932c886c579671a13926ae13_goldeneye.exe	29
PID 2044 wrote to memory of 2204	2044	2024-02-13_6743a6ab932c886c579671a13926ae13_goldeneye.exe	29
PID 2172 wrote to memory of 2300	2172	{82526B0C-F149-471f-9FA2-0D1F24BE90DA}.exe	30
PID 2172 wrote to memory of 2300	2172	{82526B0C-F149-471f-9FA2-0D1F24BE90DA}.exe	30
PID 2172 wrote to memory of 2300	2172	{82526B0C-F149-471f-9FA2-0D1F24BE90DA}.exe	30
PID 2172 wrote to memory of 2300	2172	{82526B0C-F149-471f-9FA2-0D1F24BE90DA}.exe	30
PID 2172 wrote to memory of 2668	2172	{82526B0C-F149-471f-9FA2-0D1F24BE90DA}.exe	31
PID 2172 wrote to memory of 2668	2172	{82526B0C-F149-471f-9FA2-0D1F24BE90DA}.exe	31
PID 2172 wrote to memory of 2668	2172	{82526B0C-F149-471f-9FA2-0D1F24BE90DA}.exe	31
PID 2172 wrote to memory of 2668	2172	{82526B0C-F149-471f-9FA2-0D1F24BE90DA}.exe	31
PID 2300 wrote to memory of 3000	2300	{EA093BA8-ED3A-4ac9-B8AF-7F64109EEBF1}.exe	34
PID 2300 wrote to memory of 3000	2300	{EA093BA8-ED3A-4ac9-B8AF-7F64109EEBF1}.exe	34
PID 2300 wrote to memory of 3000	2300	{EA093BA8-ED3A-4ac9-B8AF-7F64109EEBF1}.exe	34
PID 2300 wrote to memory of 3000	2300	{EA093BA8-ED3A-4ac9-B8AF-7F64109EEBF1}.exe	34
PID 2300 wrote to memory of 2732	2300	{EA093BA8-ED3A-4ac9-B8AF-7F64109EEBF1}.exe	35
PID 2300 wrote to memory of 2732	2300	{EA093BA8-ED3A-4ac9-B8AF-7F64109EEBF1}.exe	35
PID 2300 wrote to memory of 2732	2300	{EA093BA8-ED3A-4ac9-B8AF-7F64109EEBF1}.exe	35
PID 2300 wrote to memory of 2732	2300	{EA093BA8-ED3A-4ac9-B8AF-7F64109EEBF1}.exe	35
PID 3000 wrote to memory of 2628	3000	{E834BE60-D871-4fa5-A2F4-3AC24168DACC}.exe	36
PID 3000 wrote to memory of 2628	3000	{E834BE60-D871-4fa5-A2F4-3AC24168DACC}.exe	36
PID 3000 wrote to memory of 2628	3000	{E834BE60-D871-4fa5-A2F4-3AC24168DACC}.exe	36
PID 3000 wrote to memory of 2628	3000	{E834BE60-D871-4fa5-A2F4-3AC24168DACC}.exe	36
PID 3000 wrote to memory of 2132	3000	{E834BE60-D871-4fa5-A2F4-3AC24168DACC}.exe	37
PID 3000 wrote to memory of 2132	3000	{E834BE60-D871-4fa5-A2F4-3AC24168DACC}.exe	37
PID 3000 wrote to memory of 2132	3000	{E834BE60-D871-4fa5-A2F4-3AC24168DACC}.exe	37
PID 3000 wrote to memory of 2132	3000	{E834BE60-D871-4fa5-A2F4-3AC24168DACC}.exe	37
PID 2628 wrote to memory of 1992	2628	{B6AB8E5C-D81E-442b-B544-97C8E1EB0E00}.exe	38
PID 2628 wrote to memory of 1992	2628	{B6AB8E5C-D81E-442b-B544-97C8E1EB0E00}.exe	38
PID 2628 wrote to memory of 1992	2628	{B6AB8E5C-D81E-442b-B544-97C8E1EB0E00}.exe	38
PID 2628 wrote to memory of 1992	2628	{B6AB8E5C-D81E-442b-B544-97C8E1EB0E00}.exe	38
PID 2628 wrote to memory of 528	2628	{B6AB8E5C-D81E-442b-B544-97C8E1EB0E00}.exe	39
PID 2628 wrote to memory of 528	2628	{B6AB8E5C-D81E-442b-B544-97C8E1EB0E00}.exe	39
PID 2628 wrote to memory of 528	2628	{B6AB8E5C-D81E-442b-B544-97C8E1EB0E00}.exe	39
PID 2628 wrote to memory of 528	2628	{B6AB8E5C-D81E-442b-B544-97C8E1EB0E00}.exe	39
PID 1992 wrote to memory of 2180	1992	{DC86EC26-F6AB-4ecc-AF69-A1F45A821F8B}.exe	40
PID 1992 wrote to memory of 2180	1992	{DC86EC26-F6AB-4ecc-AF69-A1F45A821F8B}.exe	40
PID 1992 wrote to memory of 2180	1992	{DC86EC26-F6AB-4ecc-AF69-A1F45A821F8B}.exe	40
PID 1992 wrote to memory of 2180	1992	{DC86EC26-F6AB-4ecc-AF69-A1F45A821F8B}.exe	40
PID 1992 wrote to memory of 1644	1992	{DC86EC26-F6AB-4ecc-AF69-A1F45A821F8B}.exe	41
PID 1992 wrote to memory of 1644	1992	{DC86EC26-F6AB-4ecc-AF69-A1F45A821F8B}.exe	41
PID 1992 wrote to memory of 1644	1992	{DC86EC26-F6AB-4ecc-AF69-A1F45A821F8B}.exe	41
PID 1992 wrote to memory of 1644	1992	{DC86EC26-F6AB-4ecc-AF69-A1F45A821F8B}.exe	41
PID 2180 wrote to memory of 872	2180	{8A9E4870-9EF9-44ee-AF76-9FCBC6197E0E}.exe	42
PID 2180 wrote to memory of 872	2180	{8A9E4870-9EF9-44ee-AF76-9FCBC6197E0E}.exe	42
PID 2180 wrote to memory of 872	2180	{8A9E4870-9EF9-44ee-AF76-9FCBC6197E0E}.exe	42
PID 2180 wrote to memory of 872	2180	{8A9E4870-9EF9-44ee-AF76-9FCBC6197E0E}.exe	42
PID 2180 wrote to memory of 2652	2180	{8A9E4870-9EF9-44ee-AF76-9FCBC6197E0E}.exe	43
PID 2180 wrote to memory of 2652	2180	{8A9E4870-9EF9-44ee-AF76-9FCBC6197E0E}.exe	43
PID 2180 wrote to memory of 2652	2180	{8A9E4870-9EF9-44ee-AF76-9FCBC6197E0E}.exe	43
PID 2180 wrote to memory of 2652	2180	{8A9E4870-9EF9-44ee-AF76-9FCBC6197E0E}.exe	43
PID 872 wrote to memory of 284	872	{0A138141-DF67-4f42-B412-848BC625C234}.exe	45
PID 872 wrote to memory of 284	872	{0A138141-DF67-4f42-B412-848BC625C234}.exe	45
PID 872 wrote to memory of 284	872	{0A138141-DF67-4f42-B412-848BC625C234}.exe	45
PID 872 wrote to memory of 284	872	{0A138141-DF67-4f42-B412-848BC625C234}.exe	45
PID 872 wrote to memory of 2932	872	{0A138141-DF67-4f42-B412-848BC625C234}.exe	44
PID 872 wrote to memory of 2932	872	{0A138141-DF67-4f42-B412-848BC625C234}.exe	44
PID 872 wrote to memory of 2932	872	{0A138141-DF67-4f42-B412-848BC625C234}.exe	44
PID 872 wrote to memory of 2932	872	{0A138141-DF67-4f42-B412-848BC625C234}.exe	44

C:\Users\Admin\AppData\Local\Temp\2024-02-13_6743a6ab932c886c579671a13926ae13_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-13_6743a6ab932c886c579671a13926ae13_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2044
- C:\Windows\{82526B0C-F149-471f-9FA2-0D1F24BE90DA}.exe
  C:\Windows\{82526B0C-F149-471f-9FA2-0D1F24BE90DA}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2172
- - C:\Windows\{EA093BA8-ED3A-4ac9-B8AF-7F64109EEBF1}.exe
    C:\Windows\{EA093BA8-ED3A-4ac9-B8AF-7F64109EEBF1}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2300
  - - C:\Windows\{E834BE60-D871-4fa5-A2F4-3AC24168DACC}.exe
      C:\Windows\{E834BE60-D871-4fa5-A2F4-3AC24168DACC}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3000
    - - C:\Windows\{B6AB8E5C-D81E-442b-B544-97C8E1EB0E00}.exe
        
        C:\Windows\{B6AB8E5C-D81E-442b-B544-97C8E1EB0E00}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2628
      - C:\Windows\{DC86EC26-F6AB-4ecc-AF69-A1F45A821F8B}.exe
        
        C:\Windows\{DC86EC26-F6AB-4ecc-AF69-A1F45A821F8B}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1992
        
        C:\Windows\{8A9E4870-9EF9-44ee-AF76-9FCBC6197E0E}.exe
        
        C:\Windows\{8A9E4870-9EF9-44ee-AF76-9FCBC6197E0E}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2180
        
        C:\Windows\{0A138141-DF67-4f42-B412-848BC625C234}.exe
        
        C:\Windows\{0A138141-DF67-4f42-B412-848BC625C234}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0A138~1.EXE > nul
        9⤵
        
        PID:2932
        
        C:\Windows\{BD00FCEF-4563-4d4e-81DC-AA10BF03D8B6}.exe
        
        C:\Windows\{BD00FCEF-4563-4d4e-81DC-AA10BF03D8B6}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:284
        
        C:\Windows\{2DB032E6-0007-402e-8FD3-3EADF29A20D4}.exe
        
        C:\Windows\{2DB032E6-0007-402e-8FD3-3EADF29A20D4}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2DB03~1.EXE > nul
        11⤵
        
        PID:2400
        
        C:\Windows\{FC01A5CB-0C69-48a6-A3ED-25A3B6009EED}.exe
        
        C:\Windows\{FC01A5CB-0C69-48a6-A3ED-25A3B6009EED}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FC01A~1.EXE > nul
        12⤵
        
        PID:2076
        
        C:\Windows\{676B2627-79C5-4f45-BED0-9428B8D451F0}.exe
        
        C:\Windows\{676B2627-79C5-4f45-BED0-9428B8D451F0}.exe
        12⤵
        Executes dropped EXE
        
        PID:2792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BD00F~1.EXE > nul
        10⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8A9E4~1.EXE > nul
        8⤵
        
        PID:2652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DC86E~1.EXE > nul
        7⤵
        
        PID:1644
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B6AB8~1.EXE > nul
        6⤵
        
        PID:528
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E834B~1.EXE > nul
        5⤵
        
        PID:2132
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{EA093~1.EXE > nul
      4⤵
      PID:2732
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{82526~1.EXE > nul
    3⤵
    PID:2668
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2204

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0A138141-DF67-4f42-B412-848BC625C234}.exe

Filesize
216KB

MD5
ccf2f0a049b1067c02d0d5211adc5219

SHA1
b11c72731b8cdfcd4b1173b22b42e847dd1b71dc

SHA256
9fe517e11955f59d27600746be4f7416976d659d294d70faf4bd5ed38556fa81

SHA512
bee6fd4f4a439d52392a1e7e6243b57974afb0759198aa5887bf7d77b0f5e4cf374c9f89f599bd4773aa23c3af0e9f36e87aef01e6db571b6d6f35b771575ca4

Download Submit
C:\Windows\{2DB032E6-0007-402e-8FD3-3EADF29A20D4}.exe

Filesize
216KB

MD5
3614f457fec685f34281516c8266dca8

SHA1
efa06e559bb841f08fc7cf155af12641fb43a9bc

SHA256
2cff021473fbb081d071915fd8e949d0efc5a6d511ab91c4cf2190f9a5d80d84

SHA512
73f8ef198c6a2b8c46700004dc234cc2e73d27075021206208c53751f6577e1c038d3511c39034482f002507425e733b6a915be72b42561ef5d843145023f9be

Download Submit
C:\Windows\{676B2627-79C5-4f45-BED0-9428B8D451F0}.exe

Filesize
216KB

MD5
3456cf0ad942cb06d7a2abe62f591108

SHA1
0fe2c8cbc13cc1ea2f5a16bf9f3bc07b3786eb34

SHA256
04c4b6bcd96202ee99c8bcad521744a751a79a32b5a7b3cba3b370ff43f9982c

SHA512
a39a3be6fc445952fa211cbffd2b3e6e7ea9418c6e85e26feaa2a36f4cd70cad26f81fe5c8a13d1b39dea8d12d07712d22bb4b2f533904507c27348057737282

Download Submit
C:\Windows\{82526B0C-F149-471f-9FA2-0D1F24BE90DA}.exe

Filesize
216KB

MD5
c20e3785a6258472eab0c919329889b3

SHA1
171495a7c86d68ff56f4e906e29f95bdb28f0778

SHA256
3d81a282969001da02cd6726adcfdeb7f54b42c4debdb1776dcff34cdab4680a

SHA512
514808221f8c830df93dbb9b40afd98b3802d167a4f71cfb4a08594b827415401b6d1a558ef849b2e1e02030e4cc43b430c2238fca9f0fc3e3f54a3dc8c25f4c

Download Submit
C:\Windows\{8A9E4870-9EF9-44ee-AF76-9FCBC6197E0E}.exe

Filesize
216KB

MD5
4b33a112cf72bc5176608a4253766cd0

SHA1
014858621153f059ba968955002618bc49b17abf

SHA256
b324036b1ff96ae05c7f75e10aacf03050d6ab290dbe2676b75b98b938a9ae6e

SHA512
bca6d7131a08d1755294169f3db8b821cd8a006b42238a6df993bf95199c8d64f8c41ef0638a2b60ec52dfa8286ddbc74c64aaef1346ef73026d1809b0869f32

Download Submit
C:\Windows\{B6AB8E5C-D81E-442b-B544-97C8E1EB0E00}.exe

Filesize
216KB

MD5
1cab8f00fd6d5e7fd325d1d9dfd24040

SHA1
1888f527298838464f2d49aecda8fbc5307276b1

SHA256
8369dd03fa1d21ae3ebdd68ce551c4aec9d1310d76897e24fbbe4ee6121dae0d

SHA512
1e1b66fca46e0c763a8ca1bc3310ed086380b6882095e24dbca0dff05a0592ad3e179ab71ac6b9a4c841fb05e5fc114e436372f9a8fe33b515f34812020ab6d8

Download Submit
C:\Windows\{BD00FCEF-4563-4d4e-81DC-AA10BF03D8B6}.exe

Filesize
216KB

MD5
a24bdb181d94835e3d5fbcdc3287e97b

SHA1
954a3ad3ba3bcd629209f13a86a09ed9a83d53f6

SHA256
dd34633038d8ad5967b762bfe16f3cd47e67bd0cd3bde4bf7d2ad1c15d9113d5

SHA512
05fcd7b2ca05f1425755daf1d87bbac30a590f4c1d8db4716233fff9aa4f4a598a5e04ef9a754545cef55619e68943031c94fc45b13398ec646759210a13326e

Download Submit
C:\Windows\{DC86EC26-F6AB-4ecc-AF69-A1F45A821F8B}.exe

Filesize
216KB

MD5
0d873500bf0962d04d33889d198ad2ea

SHA1
77da6ba573afa2cc153c4a07cb5ff1583723b313

SHA256
c228808a4c33efd0d3736bc275b1526ee1514ea9ca9a86695145e592b58854a1

SHA512
ae9333c51db94daf70f6c42eedb7ab3941e27e87be751a78fe819e68b7ab3a54e4c6193179c094f1e3c2967153538caa97a01e567d8052fdb138c08e5d340f5a

Download Submit
C:\Windows\{E834BE60-D871-4fa5-A2F4-3AC24168DACC}.exe

Filesize
216KB

MD5
f968177b75f7bcce65bfda8100343ec9

SHA1
a1f4baeb832759d5ace09df1db9c5b64f9770fb2

SHA256
89ad683ebb61fe3f03cc3cccd0738d884ed9b1662ac2b89dc82b3f77541eb186

SHA512
2ad64efae12108d5ae4e673f2989a11c1facc570bee9f30ad6a34de4902362555133f5b52d069ec3bf7b213cd326d093692ab7c45eef713c622cf0e22634e10f

Download Submit
C:\Windows\{EA093BA8-ED3A-4ac9-B8AF-7F64109EEBF1}.exe

Filesize
216KB

MD5
c2eab34623b4d38db426e4346cd3ac80

SHA1
36a6c7099709c82da4ebd7033c8f9471a46f6882

SHA256
c5cc3f81f145d18eed2b1308f89ca638738e294a60b91491deeba94943d37c84

SHA512
5d0504dfb4cf4cbf8f1dcef562efd7edcea50dcc508193486a92c0ca5a4e3505b2392de742c7d4ed44122221ca98afd5e3eb049bcd38ae75de104a88ef8967eb

Download Submit
C:\Windows\{FC01A5CB-0C69-48a6-A3ED-25A3B6009EED}.exe

Filesize
216KB

MD5
88646852eeb9a9e403f0099a12787f30

SHA1
edf1e894fef28e4dd76a7cb4a0f232e5d9f4bf21

SHA256
0d8bff1091fcd210e68eb6fd7e59dfdfe9aaf67246bada2195e4d7daf6e42ace

SHA512
5fd1d79c8da87a8de604c94014802fc8fc2d4a830f7e48fd5d0da362b23af44d8ac695a8b30d50b4c278fc35bcdafcdb70b090be35251eba87f15d07e790fce3

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads