c30a19b74e9036e20dfb15e5b85c14910dde8fc4cf0009655d65f0b363d390cc

Analysis

max time kernel
144s
max time network
121s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
13/02/2024, 00:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-13_e005c6cfb5419206f15ce3cc8feb972a_goldeneye.exe
Size

180KB
MD5

e005c6cfb5419206f15ce3cc8feb972a
SHA1

582bb249b0516d555c205045031833375a25ff65
SHA256

c30a19b74e9036e20dfb15e5b85c14910dde8fc4cf0009655d65f0b363d390cc
SHA512

79def3c24a6b830a1bc9b760897a9df53d498884e12c4e33157048188364fea742b9adf679b89e178ca22669d8455b8f4f0f0d64c0eb53207478c9d8e7de3fc6
SSDEEP

3072:jEGh0o8lfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGql5eKcAEc

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x0008000000012270-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a000000016577-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0031000000016caa-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002900000000b1f4-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002a00000000b1f4-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002b00000000b1f4-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002c00000000b1f4-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FA6ED0F5-9647-41a6-A3BD-4445905641E2}	{AE0229A4-F7F9-4585-8183-4968042A2363}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FA6ED0F5-9647-41a6-A3BD-4445905641E2}\stubpath = "C:\\Windows\\{FA6ED0F5-9647-41a6-A3BD-4445905641E2}.exe"	{AE0229A4-F7F9-4585-8183-4968042A2363}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9D5712D7-85B1-4b30-9488-B03AC92B769D}\stubpath = "C:\\Windows\\{9D5712D7-85B1-4b30-9488-B03AC92B769D}.exe"	{FA6ED0F5-9647-41a6-A3BD-4445905641E2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{180ABC93-E5E8-42cb-B34A-D3E7BEE4EEE0}\stubpath = "C:\\Windows\\{180ABC93-E5E8-42cb-B34A-D3E7BEE4EEE0}.exe"	{565DC819-26F9-4336-B9E9-FC5DDC4006F9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{180ABC93-E5E8-42cb-B34A-D3E7BEE4EEE0}	{565DC819-26F9-4336-B9E9-FC5DDC4006F9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C554AB03-BBFB-454e-9376-A0995C4A691F}\stubpath = "C:\\Windows\\{C554AB03-BBFB-454e-9376-A0995C4A691F}.exe"	2024-02-13_e005c6cfb5419206f15ce3cc8feb972a_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AF57514A-1546-4c9c-9CA9-14B7E894C27D}	{C554AB03-BBFB-454e-9376-A0995C4A691F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DF7847F6-5A8F-4025-B520-03B0897401D8}\stubpath = "C:\\Windows\\{DF7847F6-5A8F-4025-B520-03B0897401D8}.exe"	{51881670-785A-4564-81C6-B91BC04120AF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D2F7A712-3EBA-4004-9370-DCE81F910EF9}\stubpath = "C:\\Windows\\{D2F7A712-3EBA-4004-9370-DCE81F910EF9}.exe"	{DF7847F6-5A8F-4025-B520-03B0897401D8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{295BF25B-5CF1-4766-A64D-683859345714}	{D2F7A712-3EBA-4004-9370-DCE81F910EF9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AE0229A4-F7F9-4585-8183-4968042A2363}	{295BF25B-5CF1-4766-A64D-683859345714}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9D5712D7-85B1-4b30-9488-B03AC92B769D}	{FA6ED0F5-9647-41a6-A3BD-4445905641E2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{565DC819-26F9-4336-B9E9-FC5DDC4006F9}\stubpath = "C:\\Windows\\{565DC819-26F9-4336-B9E9-FC5DDC4006F9}.exe"	{9D5712D7-85B1-4b30-9488-B03AC92B769D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C554AB03-BBFB-454e-9376-A0995C4A691F}	2024-02-13_e005c6cfb5419206f15ce3cc8feb972a_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{51881670-785A-4564-81C6-B91BC04120AF}	{AF57514A-1546-4c9c-9CA9-14B7E894C27D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DF7847F6-5A8F-4025-B520-03B0897401D8}	{51881670-785A-4564-81C6-B91BC04120AF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D2F7A712-3EBA-4004-9370-DCE81F910EF9}	{DF7847F6-5A8F-4025-B520-03B0897401D8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{295BF25B-5CF1-4766-A64D-683859345714}\stubpath = "C:\\Windows\\{295BF25B-5CF1-4766-A64D-683859345714}.exe"	{D2F7A712-3EBA-4004-9370-DCE81F910EF9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AE0229A4-F7F9-4585-8183-4968042A2363}\stubpath = "C:\\Windows\\{AE0229A4-F7F9-4585-8183-4968042A2363}.exe"	{295BF25B-5CF1-4766-A64D-683859345714}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{565DC819-26F9-4336-B9E9-FC5DDC4006F9}	{9D5712D7-85B1-4b30-9488-B03AC92B769D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AF57514A-1546-4c9c-9CA9-14B7E894C27D}\stubpath = "C:\\Windows\\{AF57514A-1546-4c9c-9CA9-14B7E894C27D}.exe"	{C554AB03-BBFB-454e-9376-A0995C4A691F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{51881670-785A-4564-81C6-B91BC04120AF}\stubpath = "C:\\Windows\\{51881670-785A-4564-81C6-B91BC04120AF}.exe"	{AF57514A-1546-4c9c-9CA9-14B7E894C27D}.exe

Executes dropped EXE 11 IoCs

pid	Process
2296	{C554AB03-BBFB-454e-9376-A0995C4A691F}.exe
2060	{AF57514A-1546-4c9c-9CA9-14B7E894C27D}.exe
2632	{51881670-785A-4564-81C6-B91BC04120AF}.exe
1640	{DF7847F6-5A8F-4025-B520-03B0897401D8}.exe
2912	{D2F7A712-3EBA-4004-9370-DCE81F910EF9}.exe
2548	{295BF25B-5CF1-4766-A64D-683859345714}.exe
1664	{AE0229A4-F7F9-4585-8183-4968042A2363}.exe
1112	{FA6ED0F5-9647-41a6-A3BD-4445905641E2}.exe
2364	{9D5712D7-85B1-4b30-9488-B03AC92B769D}.exe
2320	{565DC819-26F9-4336-B9E9-FC5DDC4006F9}.exe
1972	{180ABC93-E5E8-42cb-B34A-D3E7BEE4EEE0}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{AF57514A-1546-4c9c-9CA9-14B7E894C27D}.exe	{C554AB03-BBFB-454e-9376-A0995C4A691F}.exe
File created	C:\Windows\{51881670-785A-4564-81C6-B91BC04120AF}.exe	{AF57514A-1546-4c9c-9CA9-14B7E894C27D}.exe
File created	C:\Windows\{DF7847F6-5A8F-4025-B520-03B0897401D8}.exe	{51881670-785A-4564-81C6-B91BC04120AF}.exe
File created	C:\Windows\{D2F7A712-3EBA-4004-9370-DCE81F910EF9}.exe	{DF7847F6-5A8F-4025-B520-03B0897401D8}.exe
File created	C:\Windows\{180ABC93-E5E8-42cb-B34A-D3E7BEE4EEE0}.exe	{565DC819-26F9-4336-B9E9-FC5DDC4006F9}.exe
File created	C:\Windows\{C554AB03-BBFB-454e-9376-A0995C4A691F}.exe	2024-02-13_e005c6cfb5419206f15ce3cc8feb972a_goldeneye.exe
File created	C:\Windows\{295BF25B-5CF1-4766-A64D-683859345714}.exe	{D2F7A712-3EBA-4004-9370-DCE81F910EF9}.exe
File created	C:\Windows\{AE0229A4-F7F9-4585-8183-4968042A2363}.exe	{295BF25B-5CF1-4766-A64D-683859345714}.exe
File created	C:\Windows\{FA6ED0F5-9647-41a6-A3BD-4445905641E2}.exe	{AE0229A4-F7F9-4585-8183-4968042A2363}.exe
File created	C:\Windows\{9D5712D7-85B1-4b30-9488-B03AC92B769D}.exe	{FA6ED0F5-9647-41a6-A3BD-4445905641E2}.exe
File created	C:\Windows\{565DC819-26F9-4336-B9E9-FC5DDC4006F9}.exe	{9D5712D7-85B1-4b30-9488-B03AC92B769D}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2540	2024-02-13_e005c6cfb5419206f15ce3cc8feb972a_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2296	{C554AB03-BBFB-454e-9376-A0995C4A691F}.exe
Token: SeIncBasePriorityPrivilege	2060	{AF57514A-1546-4c9c-9CA9-14B7E894C27D}.exe
Token: SeIncBasePriorityPrivilege	2632	{51881670-785A-4564-81C6-B91BC04120AF}.exe
Token: SeIncBasePriorityPrivilege	1640	{DF7847F6-5A8F-4025-B520-03B0897401D8}.exe
Token: SeIncBasePriorityPrivilege	2912	{D2F7A712-3EBA-4004-9370-DCE81F910EF9}.exe
Token: SeIncBasePriorityPrivilege	2548	{295BF25B-5CF1-4766-A64D-683859345714}.exe
Token: SeIncBasePriorityPrivilege	1664	{AE0229A4-F7F9-4585-8183-4968042A2363}.exe
Token: SeIncBasePriorityPrivilege	1112	{FA6ED0F5-9647-41a6-A3BD-4445905641E2}.exe
Token: SeIncBasePriorityPrivilege	2364	{9D5712D7-85B1-4b30-9488-B03AC92B769D}.exe
Token: SeIncBasePriorityPrivilege	2320	{565DC819-26F9-4336-B9E9-FC5DDC4006F9}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2540 wrote to memory of 2296	2540	2024-02-13_e005c6cfb5419206f15ce3cc8feb972a_goldeneye.exe	28
PID 2540 wrote to memory of 2296	2540	2024-02-13_e005c6cfb5419206f15ce3cc8feb972a_goldeneye.exe	28
PID 2540 wrote to memory of 2296	2540	2024-02-13_e005c6cfb5419206f15ce3cc8feb972a_goldeneye.exe	28
PID 2540 wrote to memory of 2296	2540	2024-02-13_e005c6cfb5419206f15ce3cc8feb972a_goldeneye.exe	28
PID 2540 wrote to memory of 2004	2540	2024-02-13_e005c6cfb5419206f15ce3cc8feb972a_goldeneye.exe	29
PID 2540 wrote to memory of 2004	2540	2024-02-13_e005c6cfb5419206f15ce3cc8feb972a_goldeneye.exe	29
PID 2540 wrote to memory of 2004	2540	2024-02-13_e005c6cfb5419206f15ce3cc8feb972a_goldeneye.exe	29
PID 2540 wrote to memory of 2004	2540	2024-02-13_e005c6cfb5419206f15ce3cc8feb972a_goldeneye.exe	29
PID 2296 wrote to memory of 2060	2296	{C554AB03-BBFB-454e-9376-A0995C4A691F}.exe	30
PID 2296 wrote to memory of 2060	2296	{C554AB03-BBFB-454e-9376-A0995C4A691F}.exe	30
PID 2296 wrote to memory of 2060	2296	{C554AB03-BBFB-454e-9376-A0995C4A691F}.exe	30
PID 2296 wrote to memory of 2060	2296	{C554AB03-BBFB-454e-9376-A0995C4A691F}.exe	30
PID 2296 wrote to memory of 2852	2296	{C554AB03-BBFB-454e-9376-A0995C4A691F}.exe	31
PID 2296 wrote to memory of 2852	2296	{C554AB03-BBFB-454e-9376-A0995C4A691F}.exe	31
PID 2296 wrote to memory of 2852	2296	{C554AB03-BBFB-454e-9376-A0995C4A691F}.exe	31
PID 2296 wrote to memory of 2852	2296	{C554AB03-BBFB-454e-9376-A0995C4A691F}.exe	31
PID 2060 wrote to memory of 2632	2060	{AF57514A-1546-4c9c-9CA9-14B7E894C27D}.exe	35
PID 2060 wrote to memory of 2632	2060	{AF57514A-1546-4c9c-9CA9-14B7E894C27D}.exe	35
PID 2060 wrote to memory of 2632	2060	{AF57514A-1546-4c9c-9CA9-14B7E894C27D}.exe	35
PID 2060 wrote to memory of 2632	2060	{AF57514A-1546-4c9c-9CA9-14B7E894C27D}.exe	35
PID 2060 wrote to memory of 2744	2060	{AF57514A-1546-4c9c-9CA9-14B7E894C27D}.exe	34
PID 2060 wrote to memory of 2744	2060	{AF57514A-1546-4c9c-9CA9-14B7E894C27D}.exe	34
PID 2060 wrote to memory of 2744	2060	{AF57514A-1546-4c9c-9CA9-14B7E894C27D}.exe	34
PID 2060 wrote to memory of 2744	2060	{AF57514A-1546-4c9c-9CA9-14B7E894C27D}.exe	34
PID 2632 wrote to memory of 1640	2632	{51881670-785A-4564-81C6-B91BC04120AF}.exe	36
PID 2632 wrote to memory of 1640	2632	{51881670-785A-4564-81C6-B91BC04120AF}.exe	36
PID 2632 wrote to memory of 1640	2632	{51881670-785A-4564-81C6-B91BC04120AF}.exe	36
PID 2632 wrote to memory of 1640	2632	{51881670-785A-4564-81C6-B91BC04120AF}.exe	36
PID 2632 wrote to memory of 1508	2632	{51881670-785A-4564-81C6-B91BC04120AF}.exe	37
PID 2632 wrote to memory of 1508	2632	{51881670-785A-4564-81C6-B91BC04120AF}.exe	37
PID 2632 wrote to memory of 1508	2632	{51881670-785A-4564-81C6-B91BC04120AF}.exe	37
PID 2632 wrote to memory of 1508	2632	{51881670-785A-4564-81C6-B91BC04120AF}.exe	37
PID 1640 wrote to memory of 2912	1640	{DF7847F6-5A8F-4025-B520-03B0897401D8}.exe	38
PID 1640 wrote to memory of 2912	1640	{DF7847F6-5A8F-4025-B520-03B0897401D8}.exe	38
PID 1640 wrote to memory of 2912	1640	{DF7847F6-5A8F-4025-B520-03B0897401D8}.exe	38
PID 1640 wrote to memory of 2912	1640	{DF7847F6-5A8F-4025-B520-03B0897401D8}.exe	38
PID 1640 wrote to memory of 528	1640	{DF7847F6-5A8F-4025-B520-03B0897401D8}.exe	39
PID 1640 wrote to memory of 528	1640	{DF7847F6-5A8F-4025-B520-03B0897401D8}.exe	39
PID 1640 wrote to memory of 528	1640	{DF7847F6-5A8F-4025-B520-03B0897401D8}.exe	39
PID 1640 wrote to memory of 528	1640	{DF7847F6-5A8F-4025-B520-03B0897401D8}.exe	39
PID 2912 wrote to memory of 2548	2912	{D2F7A712-3EBA-4004-9370-DCE81F910EF9}.exe	40
PID 2912 wrote to memory of 2548	2912	{D2F7A712-3EBA-4004-9370-DCE81F910EF9}.exe	40
PID 2912 wrote to memory of 2548	2912	{D2F7A712-3EBA-4004-9370-DCE81F910EF9}.exe	40
PID 2912 wrote to memory of 2548	2912	{D2F7A712-3EBA-4004-9370-DCE81F910EF9}.exe	40
PID 2912 wrote to memory of 1748	2912	{D2F7A712-3EBA-4004-9370-DCE81F910EF9}.exe	41
PID 2912 wrote to memory of 1748	2912	{D2F7A712-3EBA-4004-9370-DCE81F910EF9}.exe	41
PID 2912 wrote to memory of 1748	2912	{D2F7A712-3EBA-4004-9370-DCE81F910EF9}.exe	41
PID 2912 wrote to memory of 1748	2912	{D2F7A712-3EBA-4004-9370-DCE81F910EF9}.exe	41
PID 2548 wrote to memory of 1664	2548	{295BF25B-5CF1-4766-A64D-683859345714}.exe	43
PID 2548 wrote to memory of 1664	2548	{295BF25B-5CF1-4766-A64D-683859345714}.exe	43
PID 2548 wrote to memory of 1664	2548	{295BF25B-5CF1-4766-A64D-683859345714}.exe	43
PID 2548 wrote to memory of 1664	2548	{295BF25B-5CF1-4766-A64D-683859345714}.exe	43
PID 2548 wrote to memory of 320	2548	{295BF25B-5CF1-4766-A64D-683859345714}.exe	42
PID 2548 wrote to memory of 320	2548	{295BF25B-5CF1-4766-A64D-683859345714}.exe	42
PID 2548 wrote to memory of 320	2548	{295BF25B-5CF1-4766-A64D-683859345714}.exe	42
PID 2548 wrote to memory of 320	2548	{295BF25B-5CF1-4766-A64D-683859345714}.exe	42
PID 1664 wrote to memory of 1112	1664	{AE0229A4-F7F9-4585-8183-4968042A2363}.exe	44
PID 1664 wrote to memory of 1112	1664	{AE0229A4-F7F9-4585-8183-4968042A2363}.exe	44
PID 1664 wrote to memory of 1112	1664	{AE0229A4-F7F9-4585-8183-4968042A2363}.exe	44
PID 1664 wrote to memory of 1112	1664	{AE0229A4-F7F9-4585-8183-4968042A2363}.exe	44
PID 1664 wrote to memory of 1620	1664	{AE0229A4-F7F9-4585-8183-4968042A2363}.exe	45
PID 1664 wrote to memory of 1620	1664	{AE0229A4-F7F9-4585-8183-4968042A2363}.exe	45
PID 1664 wrote to memory of 1620	1664	{AE0229A4-F7F9-4585-8183-4968042A2363}.exe	45
PID 1664 wrote to memory of 1620	1664	{AE0229A4-F7F9-4585-8183-4968042A2363}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-02-13_e005c6cfb5419206f15ce3cc8feb972a_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-13_e005c6cfb5419206f15ce3cc8feb972a_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2540
- C:\Windows\{C554AB03-BBFB-454e-9376-A0995C4A691F}.exe
  C:\Windows\{C554AB03-BBFB-454e-9376-A0995C4A691F}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2296
- - C:\Windows\{AF57514A-1546-4c9c-9CA9-14B7E894C27D}.exe
    C:\Windows\{AF57514A-1546-4c9c-9CA9-14B7E894C27D}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2060
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{AF575~1.EXE > nul
      4⤵
      PID:2744
  - - C:\Windows\{51881670-785A-4564-81C6-B91BC04120AF}.exe
      C:\Windows\{51881670-785A-4564-81C6-B91BC04120AF}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2632
    - - C:\Windows\{DF7847F6-5A8F-4025-B520-03B0897401D8}.exe
        
        C:\Windows\{DF7847F6-5A8F-4025-B520-03B0897401D8}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1640
      - C:\Windows\{D2F7A712-3EBA-4004-9370-DCE81F910EF9}.exe
        
        C:\Windows\{D2F7A712-3EBA-4004-9370-DCE81F910EF9}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2912
        
        C:\Windows\{295BF25B-5CF1-4766-A64D-683859345714}.exe
        
        C:\Windows\{295BF25B-5CF1-4766-A64D-683859345714}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{295BF~1.EXE > nul
        8⤵
        
        PID:320
        
        C:\Windows\{AE0229A4-F7F9-4585-8183-4968042A2363}.exe
        
        C:\Windows\{AE0229A4-F7F9-4585-8183-4968042A2363}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1664
        
        C:\Windows\{FA6ED0F5-9647-41a6-A3BD-4445905641E2}.exe
        
        C:\Windows\{FA6ED0F5-9647-41a6-A3BD-4445905641E2}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1112
        
        C:\Windows\{9D5712D7-85B1-4b30-9488-B03AC92B769D}.exe
        
        C:\Windows\{9D5712D7-85B1-4b30-9488-B03AC92B769D}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2364
        
        C:\Windows\{565DC819-26F9-4336-B9E9-FC5DDC4006F9}.exe
        
        C:\Windows\{565DC819-26F9-4336-B9E9-FC5DDC4006F9}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2320
        
        C:\Windows\{180ABC93-E5E8-42cb-B34A-D3E7BEE4EEE0}.exe
        
        C:\Windows\{180ABC93-E5E8-42cb-B34A-D3E7BEE4EEE0}.exe
        12⤵
        Executes dropped EXE
        
        PID:1972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{565DC~1.EXE > nul
        12⤵
        
        PID:332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9D571~1.EXE > nul
        11⤵
        
        PID:1176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FA6ED~1.EXE > nul
        10⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AE022~1.EXE > nul
        9⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D2F7A~1.EXE > nul
        7⤵
        
        PID:1748
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DF784~1.EXE > nul
        6⤵
        
        PID:528
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{51881~1.EXE > nul
        5⤵
        
        PID:1508
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{C554A~1.EXE > nul
    3⤵
    PID:2852
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{180ABC93-E5E8-42cb-B34A-D3E7BEE4EEE0}.exe

Filesize
180KB

MD5
aca0fbfe9ce304c1490144b94d5dba60

SHA1
f63b5fe25bd5a03cb44802de8a59c4aac38f6aac

SHA256
6079e43d9eaee5f7b028160dcaa3b55c74b6d0bac084f5da7d897af8f4a66af7

SHA512
654f45c25e5c62f6a42482e91fb5c9e7243909f9d9e310e4d1ff846b91a060eb689572b2fc3d6df3a934b11367088dc98f1e87c18a64829eb8a009aa64e5232e

Download Submit
C:\Windows\{295BF25B-5CF1-4766-A64D-683859345714}.exe

Filesize
180KB

MD5
7ea89b9683c6ccd34eb24b28b7cc73f0

SHA1
f300ebe07100f8b465b4d1724d858b87fee72dfa

SHA256
94318aa9eed8d3571112fe0af041ee244e0db0611efe9df52288e367207b4485

SHA512
503e7b52db50540e4de811d9af95b1716656638ddbff0bd7433bd5e458e32755e053e03905de3d982a142918d885d453c5350d8414904733190eadbea42f97ee

Download Submit
C:\Windows\{51881670-785A-4564-81C6-B91BC04120AF}.exe

Filesize
180KB

MD5
708bb6b8d5708675d7f928be30d4a8ee

SHA1
74541e459209eb6ece6102f03bdfc4f1f4c606f1

SHA256
e9d3937aca7ddda954d052bd8f9c2402b3aeb003295556e4e0ee92d6c1b804bf

SHA512
e14e54932650dd71fabc77a3769b223fa0fa301b51ab39fd5866a34e08a6a7550223fa083c6c522b29782b9d17747ae968db63d01ce974f279ef548a13e0a439

Download Submit
C:\Windows\{565DC819-26F9-4336-B9E9-FC5DDC4006F9}.exe

Filesize
180KB

MD5
5dbe87c537f209defe6b45c06f6b6290

SHA1
174b09b9665b2b2c53c6e5a735c20370a85cd23a

SHA256
b0ed71a34e736772faeff79915a94bbf9b3d7bd1ce46854a7ceaf59d551a01c7

SHA512
ca27af80ebd40398c72f7f942f7b120630bca8528b619a28ef58ce397583361cc78535ccf5b2e9ac6666db73600901b86200642d2b4832956ea834368d542188

Download Submit
C:\Windows\{9D5712D7-85B1-4b30-9488-B03AC92B769D}.exe

Filesize
180KB

MD5
c9158f2043171429449e37a924279cbc

SHA1
eee43f9f61f28ee7199544ef682445dc70b68a51

SHA256
41a91c52b18e4921fc881212df609dcb15f99959ce2f5917362da7f2d124d3d8

SHA512
600c1f8098bc792a04c54608e43f76960fe5902bc390a582869a80417dd06c6535a676dbd55dd2b5e2760fe051a61347befc45aa7450960e3eada757638ebebd

Download Submit
C:\Windows\{AE0229A4-F7F9-4585-8183-4968042A2363}.exe

Filesize
180KB

MD5
672f0598b338a9db17d8f4079bd3deac

SHA1
42e7dbf6ce2c7aa4e1a0cd2627acf9f4eca42989

SHA256
9ca56a15a6013b99a83424c965c02c584feb573a3041eec8f22c4447520716e8

SHA512
a7f3b04b171846afec726714246d6c288c89048fd83b5a63f7faf5401cee4e745d9263a2fec8e64d244bf07a95cff674fa2d1e62eae321e590c8dde3c42a3857

Download Submit
C:\Windows\{AF57514A-1546-4c9c-9CA9-14B7E894C27D}.exe

Filesize
180KB

MD5
033facd6a933d941a8294f6b31214760

SHA1
8b84559cdf8862ce0b2dc550ac2e43896d354e43

SHA256
63953b93be64b9ed26156bdd5923224be20875844e1752d88b6fb6ec4bee101a

SHA512
68d83680573e0ad2bc95f221470d67fae51af00b5942527ca750de5afafd98e42109ec01b170d9be2fb0e1539ead4d46a6d0c6b7783cbb6e546f54fd9a48adbc

Download Submit
C:\Windows\{C554AB03-BBFB-454e-9376-A0995C4A691F}.exe

Filesize
180KB

MD5
6341bf87a2475792ab7e104cd4c88737

SHA1
9de980884e00868a54514f8910e3b779dab66109

SHA256
928f859a4c3190e84b32a04bcb9c704c2bc6d6eb10cc45ad81ebaabf3a02fcec

SHA512
d52f9d9f9f865c89944a294d0e15c4be54d1d8e0b69187926fc26153f583a9529f148e42287e505a6a9ab69c0743af0096c14b84999aa2fe048b0f35d17d5132

Download Submit
C:\Windows\{D2F7A712-3EBA-4004-9370-DCE81F910EF9}.exe

Filesize
180KB

MD5
173dce39c7bc32d50a6e14be36218275

SHA1
423c0c574ee400a2d3ae082662cb61d949f5674c

SHA256
d383014e1306da1ae551a188542ea7dc8974e99f349bf8653aec88d268bce3bf

SHA512
a1cb65920db1dcf887ca0d34d88b6997bbdb080f97e2d1bb77a6db4d462f67c1e60a08ef967cfd61de7767641a6d74bb044baf672dcc53b3f23afa6f517c45bb

Download Submit
C:\Windows\{DF7847F6-5A8F-4025-B520-03B0897401D8}.exe

Filesize
180KB

MD5
f179eacbbada275dede789dfa595726b

SHA1
56ab3cfdbc94a16c3429c8d24f9af818176f6aa8

SHA256
8982e7a3b061fee05395d67a980ddcd0cc2de6de1cbd7a517294b670ddcb8b18

SHA512
0dde75667f3bb0480ec2778f0b8dabb0fe79dd6ce15b2adeb5d1b6823cba5e2eaa5f26f63e1c95f317d391445f46b45ab1fa5fc78c66d90cbe19ef8e9729aa07

Download Submit
C:\Windows\{FA6ED0F5-9647-41a6-A3BD-4445905641E2}.exe

Filesize
180KB

MD5
cd5b979dd2cd17f16e06c074e91838c0

SHA1
d5ed080049c62878d1b8644896a32c19d883a37f

SHA256
a14341168b46dd7897c952a5af9460c416f8ec5e8806dd9abfdbd6cd32c5a30d

SHA512
514d39ea272310dcab79a42864938fd55d0d12739f4eea723d214fffd0706ac7d8d025f5f18eeb0828e2031e68198553504c6fceff89a51183fc1fd7565398d2

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads