9db3950edbff3454f1b444194d4ccb4d7642397b085219e8535c6987a0472fa4

Analysis

max time kernel
144s
max time network
123s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
14/02/2024, 09:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-14_2dd6d90da3f968240d607dbda919c668_goldeneye.exe
Size

197KB
MD5

2dd6d90da3f968240d607dbda919c668
SHA1

1040a917a7dac1bbcfd19e9a13a40a86198d47f0
SHA256

9db3950edbff3454f1b444194d4ccb4d7642397b085219e8535c6987a0472fa4
SHA512

541b48f33b64f80da840047e2eaf74949e0f046e7a8e9e4eed61d3f2763cce2d1e7c63615feb742a5b252ac4e3abaa89d756da008b8d5e782ea54bc70eb676d7
SSDEEP

3072:jEGh0o1l+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGnlEeKcAEca

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000b000000012262-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b00000001494f-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000012262-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000400000000b1f7-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0002000000010f1d-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000500000000b1f7-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0003000000010f1d-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000600000000b1f7-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000010f1d-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000700000000b1f7-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000010f1d-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0D083817-6899-45c1-9B9C-F233D78FDC69}\stubpath = "C:\\Windows\\{0D083817-6899-45c1-9B9C-F233D78FDC69}.exe"	{29BD0C5C-D738-4bc3-9031-C6E48FE2DBC2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F2007326-0816-4f64-9BBB-DF0B050E50F5}\stubpath = "C:\\Windows\\{F2007326-0816-4f64-9BBB-DF0B050E50F5}.exe"	{98616F95-7911-431c-832E-CF8BA8FA0E34}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D91FFEC2-A636-4a5e-9FAD-360C8DF06537}	{F2007326-0816-4f64-9BBB-DF0B050E50F5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D91FFEC2-A636-4a5e-9FAD-360C8DF06537}\stubpath = "C:\\Windows\\{D91FFEC2-A636-4a5e-9FAD-360C8DF06537}.exe"	{F2007326-0816-4f64-9BBB-DF0B050E50F5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BC46A3B7-6665-48b4-8B6C-D4C6F598DC5F}	{D91FFEC2-A636-4a5e-9FAD-360C8DF06537}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BC46A3B7-6665-48b4-8B6C-D4C6F598DC5F}\stubpath = "C:\\Windows\\{BC46A3B7-6665-48b4-8B6C-D4C6F598DC5F}.exe"	{D91FFEC2-A636-4a5e-9FAD-360C8DF06537}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8BBE4E7C-E5E5-4e22-BA79-61451699D615}\stubpath = "C:\\Windows\\{8BBE4E7C-E5E5-4e22-BA79-61451699D615}.exe"	2024-02-14_2dd6d90da3f968240d607dbda919c668_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{76474E34-C072-45a2-936E-EA68118803F7}\stubpath = "C:\\Windows\\{76474E34-C072-45a2-936E-EA68118803F7}.exe"	{0D083817-6899-45c1-9B9C-F233D78FDC69}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7BF2E6A1-9044-431a-87FB-31C1AA4B2CBA}	{76474E34-C072-45a2-936E-EA68118803F7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7BF2E6A1-9044-431a-87FB-31C1AA4B2CBA}\stubpath = "C:\\Windows\\{7BF2E6A1-9044-431a-87FB-31C1AA4B2CBA}.exe"	{76474E34-C072-45a2-936E-EA68118803F7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{994195E9-43F5-4356-9C0B-67B93ACC7279}\stubpath = "C:\\Windows\\{994195E9-43F5-4356-9C0B-67B93ACC7279}.exe"	{BC46A3B7-6665-48b4-8B6C-D4C6F598DC5F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D83F436B-D7B4-4df5-9334-D7423E05A7AD}	{994195E9-43F5-4356-9C0B-67B93ACC7279}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8BBE4E7C-E5E5-4e22-BA79-61451699D615}	2024-02-14_2dd6d90da3f968240d607dbda919c668_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0D083817-6899-45c1-9B9C-F233D78FDC69}	{29BD0C5C-D738-4bc3-9031-C6E48FE2DBC2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{76474E34-C072-45a2-936E-EA68118803F7}	{0D083817-6899-45c1-9B9C-F233D78FDC69}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F2007326-0816-4f64-9BBB-DF0B050E50F5}	{98616F95-7911-431c-832E-CF8BA8FA0E34}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{994195E9-43F5-4356-9C0B-67B93ACC7279}	{BC46A3B7-6665-48b4-8B6C-D4C6F598DC5F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D83F436B-D7B4-4df5-9334-D7423E05A7AD}\stubpath = "C:\\Windows\\{D83F436B-D7B4-4df5-9334-D7423E05A7AD}.exe"	{994195E9-43F5-4356-9C0B-67B93ACC7279}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{29BD0C5C-D738-4bc3-9031-C6E48FE2DBC2}	{8BBE4E7C-E5E5-4e22-BA79-61451699D615}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{98616F95-7911-431c-832E-CF8BA8FA0E34}	{7BF2E6A1-9044-431a-87FB-31C1AA4B2CBA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{98616F95-7911-431c-832E-CF8BA8FA0E34}\stubpath = "C:\\Windows\\{98616F95-7911-431c-832E-CF8BA8FA0E34}.exe"	{7BF2E6A1-9044-431a-87FB-31C1AA4B2CBA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{29BD0C5C-D738-4bc3-9031-C6E48FE2DBC2}\stubpath = "C:\\Windows\\{29BD0C5C-D738-4bc3-9031-C6E48FE2DBC2}.exe"	{8BBE4E7C-E5E5-4e22-BA79-61451699D615}.exe

Deletes itself 1 IoCs

pid	Process
2836	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2080	{8BBE4E7C-E5E5-4e22-BA79-61451699D615}.exe
2808	{29BD0C5C-D738-4bc3-9031-C6E48FE2DBC2}.exe
2788	{0D083817-6899-45c1-9B9C-F233D78FDC69}.exe
2900	{76474E34-C072-45a2-936E-EA68118803F7}.exe
2692	{7BF2E6A1-9044-431a-87FB-31C1AA4B2CBA}.exe
1624	{98616F95-7911-431c-832E-CF8BA8FA0E34}.exe
1800	{F2007326-0816-4f64-9BBB-DF0B050E50F5}.exe
2916	{D91FFEC2-A636-4a5e-9FAD-360C8DF06537}.exe
844	{BC46A3B7-6665-48b4-8B6C-D4C6F598DC5F}.exe
2228	{994195E9-43F5-4356-9C0B-67B93ACC7279}.exe
2024	{D83F436B-D7B4-4df5-9334-D7423E05A7AD}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{D83F436B-D7B4-4df5-9334-D7423E05A7AD}.exe	{994195E9-43F5-4356-9C0B-67B93ACC7279}.exe
File created	C:\Windows\{8BBE4E7C-E5E5-4e22-BA79-61451699D615}.exe	2024-02-14_2dd6d90da3f968240d607dbda919c668_goldeneye.exe
File created	C:\Windows\{0D083817-6899-45c1-9B9C-F233D78FDC69}.exe	{29BD0C5C-D738-4bc3-9031-C6E48FE2DBC2}.exe
File created	C:\Windows\{76474E34-C072-45a2-936E-EA68118803F7}.exe	{0D083817-6899-45c1-9B9C-F233D78FDC69}.exe
File created	C:\Windows\{994195E9-43F5-4356-9C0B-67B93ACC7279}.exe	{BC46A3B7-6665-48b4-8B6C-D4C6F598DC5F}.exe
File created	C:\Windows\{D91FFEC2-A636-4a5e-9FAD-360C8DF06537}.exe	{F2007326-0816-4f64-9BBB-DF0B050E50F5}.exe
File created	C:\Windows\{BC46A3B7-6665-48b4-8B6C-D4C6F598DC5F}.exe	{D91FFEC2-A636-4a5e-9FAD-360C8DF06537}.exe
File created	C:\Windows\{29BD0C5C-D738-4bc3-9031-C6E48FE2DBC2}.exe	{8BBE4E7C-E5E5-4e22-BA79-61451699D615}.exe
File created	C:\Windows\{7BF2E6A1-9044-431a-87FB-31C1AA4B2CBA}.exe	{76474E34-C072-45a2-936E-EA68118803F7}.exe
File created	C:\Windows\{98616F95-7911-431c-832E-CF8BA8FA0E34}.exe	{7BF2E6A1-9044-431a-87FB-31C1AA4B2CBA}.exe
File created	C:\Windows\{F2007326-0816-4f64-9BBB-DF0B050E50F5}.exe	{98616F95-7911-431c-832E-CF8BA8FA0E34}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2548	2024-02-14_2dd6d90da3f968240d607dbda919c668_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2080	{8BBE4E7C-E5E5-4e22-BA79-61451699D615}.exe
Token: SeIncBasePriorityPrivilege	2808	{29BD0C5C-D738-4bc3-9031-C6E48FE2DBC2}.exe
Token: SeIncBasePriorityPrivilege	2788	{0D083817-6899-45c1-9B9C-F233D78FDC69}.exe
Token: SeIncBasePriorityPrivilege	2900	{76474E34-C072-45a2-936E-EA68118803F7}.exe
Token: SeIncBasePriorityPrivilege	2692	{7BF2E6A1-9044-431a-87FB-31C1AA4B2CBA}.exe
Token: SeIncBasePriorityPrivilege	1624	{98616F95-7911-431c-832E-CF8BA8FA0E34}.exe
Token: SeIncBasePriorityPrivilege	1800	{F2007326-0816-4f64-9BBB-DF0B050E50F5}.exe
Token: SeIncBasePriorityPrivilege	2916	{D91FFEC2-A636-4a5e-9FAD-360C8DF06537}.exe
Token: SeIncBasePriorityPrivilege	844	{BC46A3B7-6665-48b4-8B6C-D4C6F598DC5F}.exe
Token: SeIncBasePriorityPrivilege	2228	{994195E9-43F5-4356-9C0B-67B93ACC7279}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2548 wrote to memory of 2080	2548	2024-02-14_2dd6d90da3f968240d607dbda919c668_goldeneye.exe	28
PID 2548 wrote to memory of 2080	2548	2024-02-14_2dd6d90da3f968240d607dbda919c668_goldeneye.exe	28
PID 2548 wrote to memory of 2080	2548	2024-02-14_2dd6d90da3f968240d607dbda919c668_goldeneye.exe	28
PID 2548 wrote to memory of 2080	2548	2024-02-14_2dd6d90da3f968240d607dbda919c668_goldeneye.exe	28
PID 2548 wrote to memory of 2836	2548	2024-02-14_2dd6d90da3f968240d607dbda919c668_goldeneye.exe	29
PID 2548 wrote to memory of 2836	2548	2024-02-14_2dd6d90da3f968240d607dbda919c668_goldeneye.exe	29
PID 2548 wrote to memory of 2836	2548	2024-02-14_2dd6d90da3f968240d607dbda919c668_goldeneye.exe	29
PID 2548 wrote to memory of 2836	2548	2024-02-14_2dd6d90da3f968240d607dbda919c668_goldeneye.exe	29
PID 2080 wrote to memory of 2808	2080	{8BBE4E7C-E5E5-4e22-BA79-61451699D615}.exe	30
PID 2080 wrote to memory of 2808	2080	{8BBE4E7C-E5E5-4e22-BA79-61451699D615}.exe	30
PID 2080 wrote to memory of 2808	2080	{8BBE4E7C-E5E5-4e22-BA79-61451699D615}.exe	30
PID 2080 wrote to memory of 2808	2080	{8BBE4E7C-E5E5-4e22-BA79-61451699D615}.exe	30
PID 2080 wrote to memory of 2780	2080	{8BBE4E7C-E5E5-4e22-BA79-61451699D615}.exe	31
PID 2080 wrote to memory of 2780	2080	{8BBE4E7C-E5E5-4e22-BA79-61451699D615}.exe	31
PID 2080 wrote to memory of 2780	2080	{8BBE4E7C-E5E5-4e22-BA79-61451699D615}.exe	31
PID 2080 wrote to memory of 2780	2080	{8BBE4E7C-E5E5-4e22-BA79-61451699D615}.exe	31
PID 2808 wrote to memory of 2788	2808	{29BD0C5C-D738-4bc3-9031-C6E48FE2DBC2}.exe	32
PID 2808 wrote to memory of 2788	2808	{29BD0C5C-D738-4bc3-9031-C6E48FE2DBC2}.exe	32
PID 2808 wrote to memory of 2788	2808	{29BD0C5C-D738-4bc3-9031-C6E48FE2DBC2}.exe	32
PID 2808 wrote to memory of 2788	2808	{29BD0C5C-D738-4bc3-9031-C6E48FE2DBC2}.exe	32
PID 2808 wrote to memory of 2772	2808	{29BD0C5C-D738-4bc3-9031-C6E48FE2DBC2}.exe	33
PID 2808 wrote to memory of 2772	2808	{29BD0C5C-D738-4bc3-9031-C6E48FE2DBC2}.exe	33
PID 2808 wrote to memory of 2772	2808	{29BD0C5C-D738-4bc3-9031-C6E48FE2DBC2}.exe	33
PID 2808 wrote to memory of 2772	2808	{29BD0C5C-D738-4bc3-9031-C6E48FE2DBC2}.exe	33
PID 2788 wrote to memory of 2900	2788	{0D083817-6899-45c1-9B9C-F233D78FDC69}.exe	36
PID 2788 wrote to memory of 2900	2788	{0D083817-6899-45c1-9B9C-F233D78FDC69}.exe	36
PID 2788 wrote to memory of 2900	2788	{0D083817-6899-45c1-9B9C-F233D78FDC69}.exe	36
PID 2788 wrote to memory of 2900	2788	{0D083817-6899-45c1-9B9C-F233D78FDC69}.exe	36
PID 2788 wrote to memory of 2796	2788	{0D083817-6899-45c1-9B9C-F233D78FDC69}.exe	37
PID 2788 wrote to memory of 2796	2788	{0D083817-6899-45c1-9B9C-F233D78FDC69}.exe	37
PID 2788 wrote to memory of 2796	2788	{0D083817-6899-45c1-9B9C-F233D78FDC69}.exe	37
PID 2788 wrote to memory of 2796	2788	{0D083817-6899-45c1-9B9C-F233D78FDC69}.exe	37
PID 2900 wrote to memory of 2692	2900	{76474E34-C072-45a2-936E-EA68118803F7}.exe	38
PID 2900 wrote to memory of 2692	2900	{76474E34-C072-45a2-936E-EA68118803F7}.exe	38
PID 2900 wrote to memory of 2692	2900	{76474E34-C072-45a2-936E-EA68118803F7}.exe	38
PID 2900 wrote to memory of 2692	2900	{76474E34-C072-45a2-936E-EA68118803F7}.exe	38
PID 2900 wrote to memory of 2904	2900	{76474E34-C072-45a2-936E-EA68118803F7}.exe	39
PID 2900 wrote to memory of 2904	2900	{76474E34-C072-45a2-936E-EA68118803F7}.exe	39
PID 2900 wrote to memory of 2904	2900	{76474E34-C072-45a2-936E-EA68118803F7}.exe	39
PID 2900 wrote to memory of 2904	2900	{76474E34-C072-45a2-936E-EA68118803F7}.exe	39
PID 2692 wrote to memory of 1624	2692	{7BF2E6A1-9044-431a-87FB-31C1AA4B2CBA}.exe	41
PID 2692 wrote to memory of 1624	2692	{7BF2E6A1-9044-431a-87FB-31C1AA4B2CBA}.exe	41
PID 2692 wrote to memory of 1624	2692	{7BF2E6A1-9044-431a-87FB-31C1AA4B2CBA}.exe	41
PID 2692 wrote to memory of 1624	2692	{7BF2E6A1-9044-431a-87FB-31C1AA4B2CBA}.exe	41
PID 2692 wrote to memory of 2700	2692	{7BF2E6A1-9044-431a-87FB-31C1AA4B2CBA}.exe	40
PID 2692 wrote to memory of 2700	2692	{7BF2E6A1-9044-431a-87FB-31C1AA4B2CBA}.exe	40
PID 2692 wrote to memory of 2700	2692	{7BF2E6A1-9044-431a-87FB-31C1AA4B2CBA}.exe	40
PID 2692 wrote to memory of 2700	2692	{7BF2E6A1-9044-431a-87FB-31C1AA4B2CBA}.exe	40
PID 1624 wrote to memory of 1800	1624	{98616F95-7911-431c-832E-CF8BA8FA0E34}.exe	42
PID 1624 wrote to memory of 1800	1624	{98616F95-7911-431c-832E-CF8BA8FA0E34}.exe	42
PID 1624 wrote to memory of 1800	1624	{98616F95-7911-431c-832E-CF8BA8FA0E34}.exe	42
PID 1624 wrote to memory of 1800	1624	{98616F95-7911-431c-832E-CF8BA8FA0E34}.exe	42
PID 1624 wrote to memory of 676	1624	{98616F95-7911-431c-832E-CF8BA8FA0E34}.exe	43
PID 1624 wrote to memory of 676	1624	{98616F95-7911-431c-832E-CF8BA8FA0E34}.exe	43
PID 1624 wrote to memory of 676	1624	{98616F95-7911-431c-832E-CF8BA8FA0E34}.exe	43
PID 1624 wrote to memory of 676	1624	{98616F95-7911-431c-832E-CF8BA8FA0E34}.exe	43
PID 1800 wrote to memory of 2916	1800	{F2007326-0816-4f64-9BBB-DF0B050E50F5}.exe	44
PID 1800 wrote to memory of 2916	1800	{F2007326-0816-4f64-9BBB-DF0B050E50F5}.exe	44
PID 1800 wrote to memory of 2916	1800	{F2007326-0816-4f64-9BBB-DF0B050E50F5}.exe	44
PID 1800 wrote to memory of 2916	1800	{F2007326-0816-4f64-9BBB-DF0B050E50F5}.exe	44
PID 1800 wrote to memory of 2920	1800	{F2007326-0816-4f64-9BBB-DF0B050E50F5}.exe	45
PID 1800 wrote to memory of 2920	1800	{F2007326-0816-4f64-9BBB-DF0B050E50F5}.exe	45
PID 1800 wrote to memory of 2920	1800	{F2007326-0816-4f64-9BBB-DF0B050E50F5}.exe	45
PID 1800 wrote to memory of 2920	1800	{F2007326-0816-4f64-9BBB-DF0B050E50F5}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-02-14_2dd6d90da3f968240d607dbda919c668_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-14_2dd6d90da3f968240d607dbda919c668_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2548
- C:\Windows\{8BBE4E7C-E5E5-4e22-BA79-61451699D615}.exe
  C:\Windows\{8BBE4E7C-E5E5-4e22-BA79-61451699D615}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2080
- - C:\Windows\{29BD0C5C-D738-4bc3-9031-C6E48FE2DBC2}.exe
    C:\Windows\{29BD0C5C-D738-4bc3-9031-C6E48FE2DBC2}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2808
  - - C:\Windows\{0D083817-6899-45c1-9B9C-F233D78FDC69}.exe
      C:\Windows\{0D083817-6899-45c1-9B9C-F233D78FDC69}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2788
    - - C:\Windows\{76474E34-C072-45a2-936E-EA68118803F7}.exe
        
        C:\Windows\{76474E34-C072-45a2-936E-EA68118803F7}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2900
      - C:\Windows\{7BF2E6A1-9044-431a-87FB-31C1AA4B2CBA}.exe
        
        C:\Windows\{7BF2E6A1-9044-431a-87FB-31C1AA4B2CBA}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7BF2E~1.EXE > nul
        7⤵
        
        PID:2700
        
        C:\Windows\{98616F95-7911-431c-832E-CF8BA8FA0E34}.exe
        
        C:\Windows\{98616F95-7911-431c-832E-CF8BA8FA0E34}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1624
        
        C:\Windows\{F2007326-0816-4f64-9BBB-DF0B050E50F5}.exe
        
        C:\Windows\{F2007326-0816-4f64-9BBB-DF0B050E50F5}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1800
        
        C:\Windows\{D91FFEC2-A636-4a5e-9FAD-360C8DF06537}.exe
        
        C:\Windows\{D91FFEC2-A636-4a5e-9FAD-360C8DF06537}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2916
        
        C:\Windows\{BC46A3B7-6665-48b4-8B6C-D4C6F598DC5F}.exe
        
        C:\Windows\{BC46A3B7-6665-48b4-8B6C-D4C6F598DC5F}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:844
        
        C:\Windows\{994195E9-43F5-4356-9C0B-67B93ACC7279}.exe
        
        C:\Windows\{994195E9-43F5-4356-9C0B-67B93ACC7279}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2228
        
        C:\Windows\{D83F436B-D7B4-4df5-9334-D7423E05A7AD}.exe
        
        C:\Windows\{D83F436B-D7B4-4df5-9334-D7423E05A7AD}.exe
        12⤵
        Executes dropped EXE
        
        PID:2024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{99419~1.EXE > nul
        12⤵
        
        PID:304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BC46A~1.EXE > nul
        11⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D91FF~1.EXE > nul
        10⤵
        
        PID:1112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F2007~1.EXE > nul
        9⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{98616~1.EXE > nul
        8⤵
        
        PID:676
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{76474~1.EXE > nul
        6⤵
        
        PID:2904
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0D083~1.EXE > nul
        5⤵
        
        PID:2796
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{29BD0~1.EXE > nul
      4⤵
      PID:2772
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{8BBE4~1.EXE > nul
    3⤵
    PID:2780
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0D083817-6899-45c1-9B9C-F233D78FDC69}.exe

Filesize
197KB

MD5
0ecbafede66b49601971803f1cc24a9a

SHA1
046c559f524c574fdeef936dd0dee44f066071c7

SHA256
5cc32125270a5296d20b8f53eb6ea930e2978a6d4e5f8fe944beb19f85343fbd

SHA512
01119fdd7f8f0fd1d5812689f6ae14bfc609cfc57b8ff7616bd6fe7ababc557f26ce866a3d847c140f97881625deb024275a9f98e874ddd1c96e86c0b88d1934

Download Submit
C:\Windows\{29BD0C5C-D738-4bc3-9031-C6E48FE2DBC2}.exe

Filesize
197KB

MD5
9eadf46e0bd80df311e148c79a34f207

SHA1
9dcf9d7350b5d26a97332d9f87e3f0b1c396c530

SHA256
e2cc53d284d6d43011835b35d743d6012027ba5faf0a976d18a06380b8e6f2e7

SHA512
65403cc8e252fefa7d09b19196e6642e055e01f0123fecd7be3ec3881de4b75c9e23070b01fa25fb40babb222ddc017c56c86913e7314914aa96306d4d7d28a0

Download Submit
C:\Windows\{76474E34-C072-45a2-936E-EA68118803F7}.exe

Filesize
197KB

MD5
dbc93976c46e4e9c9f117c1e4db3b5ca

SHA1
7a1d0ae9586fdbc15643af24740bbc441cbb362d

SHA256
4bceef0526ccd4baca3a4be7bbaa6c059a347fe8cd4f6ad9d56d8c8c98eb3284

SHA512
fe153b0da6bb206f5ee96aac6a4c70406153fb1666015abf06a4e805b8cc713b20266695c93511bac6514a7d24db69efa73ad59d2c0233b20aa8c1b2d9fc8650

Download Submit
C:\Windows\{7BF2E6A1-9044-431a-87FB-31C1AA4B2CBA}.exe

Filesize
197KB

MD5
3a811553d07b3efb164fe3e8c588c38a

SHA1
b6d23574370f6b9c4550331059a674547394040a

SHA256
4740c49de03e4d1a20e2bb4a3e543cafd6f7772f08b801f3a7add6d8cf6622ae

SHA512
147d13fdff8110104c5aa0f55fcad55afb9700df77f2666b58f6af77b02f038df4defb6e4fd801ca6561c5e97e7ec180dcc3a13be025c27c476347f4ae986b6f

Download Submit
C:\Windows\{8BBE4E7C-E5E5-4e22-BA79-61451699D615}.exe

Filesize
197KB

MD5
283f033409af9ad3fb93ea250ca5f264

SHA1
7bbb5d0044b849da482ad6746789933bc633fbe5

SHA256
be84c1c202a3d5b673112c44b096ad2e46a351a5c6234fc2ab6c0a1ba9bc1774

SHA512
8589f782dd63b67433fc4144604719b6d18526ed4bde561ed055008c3b2496e01616478cc4c6b3a971e21875d229a32ebaa88722e1c471f3f738d4ebfb68c255

Download Submit
C:\Windows\{98616F95-7911-431c-832E-CF8BA8FA0E34}.exe

Filesize
197KB

MD5
980eb39be30bfa97b1a72c3b964ed7cb

SHA1
51539285deaa27305216c8041ed2d6111f524769

SHA256
0547834e39c57d19f882001f7ba96d9cb6bdd8b22deffe487a4bc0e5ba99d895

SHA512
50fc9ca8ac5b8f3125135bcb5daf330fdd6f3059e5d6916daa18c7bcf408d953cf05b41672708f3b609c7062217b2598aea8acd5bd1c091498f3f76d42a5601c

Download Submit
C:\Windows\{994195E9-43F5-4356-9C0B-67B93ACC7279}.exe

Filesize
197KB

MD5
b26997e5ee0b58ec31c10fdd3becccd9

SHA1
876cfbc0f337abe8db77dbae3b390df2f6a93065

SHA256
60c53b1694955874c97d8aa3eb52960d5f076c24c5d1e696311dc673e48aca60

SHA512
f013ee8b39318fc5d2a237698e934c8b4588a0e44d0f8967b10d0c74943b2694420153bdf5d538c273e9716c183cac9765ab56444e91b6770bc858eb7d75a866

Download Submit
C:\Windows\{BC46A3B7-6665-48b4-8B6C-D4C6F598DC5F}.exe

Filesize
197KB

MD5
d864a9c86195d7e6d7165ff2adf486c6

SHA1
494796c39a893264eb26fb439ff5ab294a9ee219

SHA256
2f99127aa915a058a92140e1fa83d2c3af294dda2a300a7b80d440117f1a42ae

SHA512
d9ca74d5f2ac49136d474d84756258ae8951f8cf22ad05da1dc90210a0dd38ff530582f0f76b92826e1a1281c17502bb6500ac86efdda415bbd5ee80e0eee2d0

Download Submit
C:\Windows\{D83F436B-D7B4-4df5-9334-D7423E05A7AD}.exe

Filesize
197KB

MD5
0e993ee613f9a7db719938ecd70f3de9

SHA1
a539de2a42a15fc6843ff624707b439bbe04f068

SHA256
a019d0e077f0805f7a5770a6a88bbf1186261dfde54ca6a4d8c85cd2b1b25a3e

SHA512
31dea6b81dd03edde95118504d1e741f98aaa94621ef02292e6072dac063ca03ddcfae616a338005f958cbb1a1358e15823f8d7ac68965e1cc6034ae70d06f06

Download Submit
C:\Windows\{D91FFEC2-A636-4a5e-9FAD-360C8DF06537}.exe

Filesize
197KB

MD5
23fd7997643e28ee51563347a2963963

SHA1
fda92fd55d9bcca21980b0f4252e0ee059eb379d

SHA256
1f9f8ddc4beddced9cef27e19c84844c1167a914c61bdeafb730501fb4ac4809

SHA512
2a1d381894b96757c3b1583ae2bd310eaaa789e49e49a3770dbae8668ea333556a3b74a98c22c6bd57d2b99eade2f116e0bf2e1a7eff64a8fe0139cff7dcc915

Download Submit
C:\Windows\{F2007326-0816-4f64-9BBB-DF0B050E50F5}.exe

Filesize
197KB

MD5
50a4d4264feb3c4fc96f0976c5c426b3

SHA1
bc8d2064479f05963924a2239034384b4d07a255

SHA256
14acf099e553e308416c6c3823e1bb4de8d32d68c892c88eb9cfb1e279a480df

SHA512
b16bd7cba2cd542b05c865ffb0bd82f3ae927eae5e61df997d5591be9f6266bd05b81b81052fa2a50ea0f4951662634f0412cf776d17042274e6d7eafac903ae

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads