29fc545f3ef76fb84802f3d8e41e6d1e3d2d65b00a03de99d7ead48adf6e8daa

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
17/02/2024, 12:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-17_05d620445f982ac836dfc862039dc831_goldeneye.exe
Size

197KB
MD5

05d620445f982ac836dfc862039dc831
SHA1

bf644a2e476c6369d4ee184b3d093391b96a7d2a
SHA256

29fc545f3ef76fb84802f3d8e41e6d1e3d2d65b00a03de99d7ead48adf6e8daa
SHA512

26b67d3bde51754839587841a0fbfd56088046961eeca4e0b50c2b153218cb2f5c6e4e794b7aa2ba605bd4bdd628cba1cb34376b28d034ff464e27a0f354fe7b
SSDEEP

3072:jEGh0oCl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEG4lEeKcAEca

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000b00000001225c-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000012281-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000300000000b1f7-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000400000000b1f7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0030000000016ced-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000500000000b1f7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0031000000016ced-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000600000000b1f7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0032000000016ced-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000700000000b1f7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6B0E4D15-7A7E-4814-8563-55DA3B7B4221}	{5DB288D8-142E-417c-8967-682DE27E283E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6B0E4D15-7A7E-4814-8563-55DA3B7B4221}\stubpath = "C:\\Windows\\{6B0E4D15-7A7E-4814-8563-55DA3B7B4221}.exe"	{5DB288D8-142E-417c-8967-682DE27E283E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9D722C74-B43E-4caf-94EB-C7D286A9D76B}	{847C1EEE-F7D7-4514-ADB8-21B8CC75CCA2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9D722C74-B43E-4caf-94EB-C7D286A9D76B}\stubpath = "C:\\Windows\\{9D722C74-B43E-4caf-94EB-C7D286A9D76B}.exe"	{847C1EEE-F7D7-4514-ADB8-21B8CC75CCA2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4858A5D8-5576-42d0-BF9B-C0E332A4797C}	{E5B54247-E66B-464f-8937-B6C73FA03954}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{86A09A5D-1698-4c8e-804C-E0DFFE5BFF9C}	{457F36F7-4928-449c-A208-7AFC003D8353}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5DB288D8-142E-417c-8967-682DE27E283E}\stubpath = "C:\\Windows\\{5DB288D8-142E-417c-8967-682DE27E283E}.exe"	{B3B7125D-C02A-455d-B62F-0AF7D1C571A7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D2A4720F-BC31-483e-A3B0-F564D3C5CAD7}	{4858A5D8-5576-42d0-BF9B-C0E332A4797C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CBACE77D-2EDD-446c-9D18-D183A7E4C5B6}	2024-02-17_05d620445f982ac836dfc862039dc831_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B3B7125D-C02A-455d-B62F-0AF7D1C571A7}	{86A09A5D-1698-4c8e-804C-E0DFFE5BFF9C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B3B7125D-C02A-455d-B62F-0AF7D1C571A7}\stubpath = "C:\\Windows\\{B3B7125D-C02A-455d-B62F-0AF7D1C571A7}.exe"	{86A09A5D-1698-4c8e-804C-E0DFFE5BFF9C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5DB288D8-142E-417c-8967-682DE27E283E}	{B3B7125D-C02A-455d-B62F-0AF7D1C571A7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D2A4720F-BC31-483e-A3B0-F564D3C5CAD7}\stubpath = "C:\\Windows\\{D2A4720F-BC31-483e-A3B0-F564D3C5CAD7}.exe"	{4858A5D8-5576-42d0-BF9B-C0E332A4797C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CBACE77D-2EDD-446c-9D18-D183A7E4C5B6}\stubpath = "C:\\Windows\\{CBACE77D-2EDD-446c-9D18-D183A7E4C5B6}.exe"	2024-02-17_05d620445f982ac836dfc862039dc831_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{86A09A5D-1698-4c8e-804C-E0DFFE5BFF9C}\stubpath = "C:\\Windows\\{86A09A5D-1698-4c8e-804C-E0DFFE5BFF9C}.exe"	{457F36F7-4928-449c-A208-7AFC003D8353}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{847C1EEE-F7D7-4514-ADB8-21B8CC75CCA2}	{6B0E4D15-7A7E-4814-8563-55DA3B7B4221}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{847C1EEE-F7D7-4514-ADB8-21B8CC75CCA2}\stubpath = "C:\\Windows\\{847C1EEE-F7D7-4514-ADB8-21B8CC75CCA2}.exe"	{6B0E4D15-7A7E-4814-8563-55DA3B7B4221}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E5B54247-E66B-464f-8937-B6C73FA03954}	{9D722C74-B43E-4caf-94EB-C7D286A9D76B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E5B54247-E66B-464f-8937-B6C73FA03954}\stubpath = "C:\\Windows\\{E5B54247-E66B-464f-8937-B6C73FA03954}.exe"	{9D722C74-B43E-4caf-94EB-C7D286A9D76B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4858A5D8-5576-42d0-BF9B-C0E332A4797C}\stubpath = "C:\\Windows\\{4858A5D8-5576-42d0-BF9B-C0E332A4797C}.exe"	{E5B54247-E66B-464f-8937-B6C73FA03954}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{457F36F7-4928-449c-A208-7AFC003D8353}	{CBACE77D-2EDD-446c-9D18-D183A7E4C5B6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{457F36F7-4928-449c-A208-7AFC003D8353}\stubpath = "C:\\Windows\\{457F36F7-4928-449c-A208-7AFC003D8353}.exe"	{CBACE77D-2EDD-446c-9D18-D183A7E4C5B6}.exe

Deletes itself 1 IoCs

pid	Process
2380	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
1956	{CBACE77D-2EDD-446c-9D18-D183A7E4C5B6}.exe
2704	{457F36F7-4928-449c-A208-7AFC003D8353}.exe
2564	{86A09A5D-1698-4c8e-804C-E0DFFE5BFF9C}.exe
2532	{B3B7125D-C02A-455d-B62F-0AF7D1C571A7}.exe
780	{5DB288D8-142E-417c-8967-682DE27E283E}.exe
2940	{6B0E4D15-7A7E-4814-8563-55DA3B7B4221}.exe
1836	{847C1EEE-F7D7-4514-ADB8-21B8CC75CCA2}.exe
1652	{9D722C74-B43E-4caf-94EB-C7D286A9D76B}.exe
1800	{E5B54247-E66B-464f-8937-B6C73FA03954}.exe
2336	{4858A5D8-5576-42d0-BF9B-C0E332A4797C}.exe
1136	{D2A4720F-BC31-483e-A3B0-F564D3C5CAD7}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{457F36F7-4928-449c-A208-7AFC003D8353}.exe	{CBACE77D-2EDD-446c-9D18-D183A7E4C5B6}.exe
File created	C:\Windows\{86A09A5D-1698-4c8e-804C-E0DFFE5BFF9C}.exe	{457F36F7-4928-449c-A208-7AFC003D8353}.exe
File created	C:\Windows\{B3B7125D-C02A-455d-B62F-0AF7D1C571A7}.exe	{86A09A5D-1698-4c8e-804C-E0DFFE5BFF9C}.exe
File created	C:\Windows\{6B0E4D15-7A7E-4814-8563-55DA3B7B4221}.exe	{5DB288D8-142E-417c-8967-682DE27E283E}.exe
File created	C:\Windows\{CBACE77D-2EDD-446c-9D18-D183A7E4C5B6}.exe	2024-02-17_05d620445f982ac836dfc862039dc831_goldeneye.exe
File created	C:\Windows\{5DB288D8-142E-417c-8967-682DE27E283E}.exe	{B3B7125D-C02A-455d-B62F-0AF7D1C571A7}.exe
File created	C:\Windows\{847C1EEE-F7D7-4514-ADB8-21B8CC75CCA2}.exe	{6B0E4D15-7A7E-4814-8563-55DA3B7B4221}.exe
File created	C:\Windows\{9D722C74-B43E-4caf-94EB-C7D286A9D76B}.exe	{847C1EEE-F7D7-4514-ADB8-21B8CC75CCA2}.exe
File created	C:\Windows\{E5B54247-E66B-464f-8937-B6C73FA03954}.exe	{9D722C74-B43E-4caf-94EB-C7D286A9D76B}.exe
File created	C:\Windows\{4858A5D8-5576-42d0-BF9B-C0E332A4797C}.exe	{E5B54247-E66B-464f-8937-B6C73FA03954}.exe
File created	C:\Windows\{D2A4720F-BC31-483e-A3B0-F564D3C5CAD7}.exe	{4858A5D8-5576-42d0-BF9B-C0E332A4797C}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2472	2024-02-17_05d620445f982ac836dfc862039dc831_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1956	{CBACE77D-2EDD-446c-9D18-D183A7E4C5B6}.exe
Token: SeIncBasePriorityPrivilege	2704	{457F36F7-4928-449c-A208-7AFC003D8353}.exe
Token: SeIncBasePriorityPrivilege	2564	{86A09A5D-1698-4c8e-804C-E0DFFE5BFF9C}.exe
Token: SeIncBasePriorityPrivilege	2532	{B3B7125D-C02A-455d-B62F-0AF7D1C571A7}.exe
Token: SeIncBasePriorityPrivilege	780	{5DB288D8-142E-417c-8967-682DE27E283E}.exe
Token: SeIncBasePriorityPrivilege	2940	{6B0E4D15-7A7E-4814-8563-55DA3B7B4221}.exe
Token: SeIncBasePriorityPrivilege	1836	{847C1EEE-F7D7-4514-ADB8-21B8CC75CCA2}.exe
Token: SeIncBasePriorityPrivilege	1652	{9D722C74-B43E-4caf-94EB-C7D286A9D76B}.exe
Token: SeIncBasePriorityPrivilege	1800	{E5B54247-E66B-464f-8937-B6C73FA03954}.exe
Token: SeIncBasePriorityPrivilege	2336	{4858A5D8-5576-42d0-BF9B-C0E332A4797C}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2472 wrote to memory of 1956	2472	2024-02-17_05d620445f982ac836dfc862039dc831_goldeneye.exe	28
PID 2472 wrote to memory of 1956	2472	2024-02-17_05d620445f982ac836dfc862039dc831_goldeneye.exe	28
PID 2472 wrote to memory of 1956	2472	2024-02-17_05d620445f982ac836dfc862039dc831_goldeneye.exe	28
PID 2472 wrote to memory of 1956	2472	2024-02-17_05d620445f982ac836dfc862039dc831_goldeneye.exe	28
PID 2472 wrote to memory of 2380	2472	2024-02-17_05d620445f982ac836dfc862039dc831_goldeneye.exe	29
PID 2472 wrote to memory of 2380	2472	2024-02-17_05d620445f982ac836dfc862039dc831_goldeneye.exe	29
PID 2472 wrote to memory of 2380	2472	2024-02-17_05d620445f982ac836dfc862039dc831_goldeneye.exe	29
PID 2472 wrote to memory of 2380	2472	2024-02-17_05d620445f982ac836dfc862039dc831_goldeneye.exe	29
PID 1956 wrote to memory of 2704	1956	{CBACE77D-2EDD-446c-9D18-D183A7E4C5B6}.exe	30
PID 1956 wrote to memory of 2704	1956	{CBACE77D-2EDD-446c-9D18-D183A7E4C5B6}.exe	30
PID 1956 wrote to memory of 2704	1956	{CBACE77D-2EDD-446c-9D18-D183A7E4C5B6}.exe	30
PID 1956 wrote to memory of 2704	1956	{CBACE77D-2EDD-446c-9D18-D183A7E4C5B6}.exe	30
PID 1956 wrote to memory of 2800	1956	{CBACE77D-2EDD-446c-9D18-D183A7E4C5B6}.exe	31
PID 1956 wrote to memory of 2800	1956	{CBACE77D-2EDD-446c-9D18-D183A7E4C5B6}.exe	31
PID 1956 wrote to memory of 2800	1956	{CBACE77D-2EDD-446c-9D18-D183A7E4C5B6}.exe	31
PID 1956 wrote to memory of 2800	1956	{CBACE77D-2EDD-446c-9D18-D183A7E4C5B6}.exe	31
PID 2704 wrote to memory of 2564	2704	{457F36F7-4928-449c-A208-7AFC003D8353}.exe	34
PID 2704 wrote to memory of 2564	2704	{457F36F7-4928-449c-A208-7AFC003D8353}.exe	34
PID 2704 wrote to memory of 2564	2704	{457F36F7-4928-449c-A208-7AFC003D8353}.exe	34
PID 2704 wrote to memory of 2564	2704	{457F36F7-4928-449c-A208-7AFC003D8353}.exe	34
PID 2704 wrote to memory of 2620	2704	{457F36F7-4928-449c-A208-7AFC003D8353}.exe	35
PID 2704 wrote to memory of 2620	2704	{457F36F7-4928-449c-A208-7AFC003D8353}.exe	35
PID 2704 wrote to memory of 2620	2704	{457F36F7-4928-449c-A208-7AFC003D8353}.exe	35
PID 2704 wrote to memory of 2620	2704	{457F36F7-4928-449c-A208-7AFC003D8353}.exe	35
PID 2564 wrote to memory of 2532	2564	{86A09A5D-1698-4c8e-804C-E0DFFE5BFF9C}.exe	36
PID 2564 wrote to memory of 2532	2564	{86A09A5D-1698-4c8e-804C-E0DFFE5BFF9C}.exe	36
PID 2564 wrote to memory of 2532	2564	{86A09A5D-1698-4c8e-804C-E0DFFE5BFF9C}.exe	36
PID 2564 wrote to memory of 2532	2564	{86A09A5D-1698-4c8e-804C-E0DFFE5BFF9C}.exe	36
PID 2564 wrote to memory of 2128	2564	{86A09A5D-1698-4c8e-804C-E0DFFE5BFF9C}.exe	37
PID 2564 wrote to memory of 2128	2564	{86A09A5D-1698-4c8e-804C-E0DFFE5BFF9C}.exe	37
PID 2564 wrote to memory of 2128	2564	{86A09A5D-1698-4c8e-804C-E0DFFE5BFF9C}.exe	37
PID 2564 wrote to memory of 2128	2564	{86A09A5D-1698-4c8e-804C-E0DFFE5BFF9C}.exe	37
PID 2532 wrote to memory of 780	2532	{B3B7125D-C02A-455d-B62F-0AF7D1C571A7}.exe	38
PID 2532 wrote to memory of 780	2532	{B3B7125D-C02A-455d-B62F-0AF7D1C571A7}.exe	38
PID 2532 wrote to memory of 780	2532	{B3B7125D-C02A-455d-B62F-0AF7D1C571A7}.exe	38
PID 2532 wrote to memory of 780	2532	{B3B7125D-C02A-455d-B62F-0AF7D1C571A7}.exe	38
PID 2532 wrote to memory of 2728	2532	{B3B7125D-C02A-455d-B62F-0AF7D1C571A7}.exe	39
PID 2532 wrote to memory of 2728	2532	{B3B7125D-C02A-455d-B62F-0AF7D1C571A7}.exe	39
PID 2532 wrote to memory of 2728	2532	{B3B7125D-C02A-455d-B62F-0AF7D1C571A7}.exe	39
PID 2532 wrote to memory of 2728	2532	{B3B7125D-C02A-455d-B62F-0AF7D1C571A7}.exe	39
PID 780 wrote to memory of 2940	780	{5DB288D8-142E-417c-8967-682DE27E283E}.exe	40
PID 780 wrote to memory of 2940	780	{5DB288D8-142E-417c-8967-682DE27E283E}.exe	40
PID 780 wrote to memory of 2940	780	{5DB288D8-142E-417c-8967-682DE27E283E}.exe	40
PID 780 wrote to memory of 2940	780	{5DB288D8-142E-417c-8967-682DE27E283E}.exe	40
PID 780 wrote to memory of 1984	780	{5DB288D8-142E-417c-8967-682DE27E283E}.exe	41
PID 780 wrote to memory of 1984	780	{5DB288D8-142E-417c-8967-682DE27E283E}.exe	41
PID 780 wrote to memory of 1984	780	{5DB288D8-142E-417c-8967-682DE27E283E}.exe	41
PID 780 wrote to memory of 1984	780	{5DB288D8-142E-417c-8967-682DE27E283E}.exe	41
PID 2940 wrote to memory of 1836	2940	{6B0E4D15-7A7E-4814-8563-55DA3B7B4221}.exe	42
PID 2940 wrote to memory of 1836	2940	{6B0E4D15-7A7E-4814-8563-55DA3B7B4221}.exe	42
PID 2940 wrote to memory of 1836	2940	{6B0E4D15-7A7E-4814-8563-55DA3B7B4221}.exe	42
PID 2940 wrote to memory of 1836	2940	{6B0E4D15-7A7E-4814-8563-55DA3B7B4221}.exe	42
PID 2940 wrote to memory of 108	2940	{6B0E4D15-7A7E-4814-8563-55DA3B7B4221}.exe	43
PID 2940 wrote to memory of 108	2940	{6B0E4D15-7A7E-4814-8563-55DA3B7B4221}.exe	43
PID 2940 wrote to memory of 108	2940	{6B0E4D15-7A7E-4814-8563-55DA3B7B4221}.exe	43
PID 2940 wrote to memory of 108	2940	{6B0E4D15-7A7E-4814-8563-55DA3B7B4221}.exe	43
PID 1836 wrote to memory of 1652	1836	{847C1EEE-F7D7-4514-ADB8-21B8CC75CCA2}.exe	44
PID 1836 wrote to memory of 1652	1836	{847C1EEE-F7D7-4514-ADB8-21B8CC75CCA2}.exe	44
PID 1836 wrote to memory of 1652	1836	{847C1EEE-F7D7-4514-ADB8-21B8CC75CCA2}.exe	44
PID 1836 wrote to memory of 1652	1836	{847C1EEE-F7D7-4514-ADB8-21B8CC75CCA2}.exe	44
PID 1836 wrote to memory of 2856	1836	{847C1EEE-F7D7-4514-ADB8-21B8CC75CCA2}.exe	45
PID 1836 wrote to memory of 2856	1836	{847C1EEE-F7D7-4514-ADB8-21B8CC75CCA2}.exe	45
PID 1836 wrote to memory of 2856	1836	{847C1EEE-F7D7-4514-ADB8-21B8CC75CCA2}.exe	45
PID 1836 wrote to memory of 2856	1836	{847C1EEE-F7D7-4514-ADB8-21B8CC75CCA2}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-02-17_05d620445f982ac836dfc862039dc831_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-17_05d620445f982ac836dfc862039dc831_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2472
- C:\Windows\{CBACE77D-2EDD-446c-9D18-D183A7E4C5B6}.exe
  C:\Windows\{CBACE77D-2EDD-446c-9D18-D183A7E4C5B6}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1956
- - C:\Windows\{457F36F7-4928-449c-A208-7AFC003D8353}.exe
    C:\Windows\{457F36F7-4928-449c-A208-7AFC003D8353}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2704
  - - C:\Windows\{86A09A5D-1698-4c8e-804C-E0DFFE5BFF9C}.exe
      C:\Windows\{86A09A5D-1698-4c8e-804C-E0DFFE5BFF9C}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2564
    - - C:\Windows\{B3B7125D-C02A-455d-B62F-0AF7D1C571A7}.exe
        
        C:\Windows\{B3B7125D-C02A-455d-B62F-0AF7D1C571A7}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2532
      - C:\Windows\{5DB288D8-142E-417c-8967-682DE27E283E}.exe
        
        C:\Windows\{5DB288D8-142E-417c-8967-682DE27E283E}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:780
        
        C:\Windows\{6B0E4D15-7A7E-4814-8563-55DA3B7B4221}.exe
        
        C:\Windows\{6B0E4D15-7A7E-4814-8563-55DA3B7B4221}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2940
        
        C:\Windows\{847C1EEE-F7D7-4514-ADB8-21B8CC75CCA2}.exe
        
        C:\Windows\{847C1EEE-F7D7-4514-ADB8-21B8CC75CCA2}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1836
        
        C:\Windows\{9D722C74-B43E-4caf-94EB-C7D286A9D76B}.exe
        
        C:\Windows\{9D722C74-B43E-4caf-94EB-C7D286A9D76B}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1652
        
        C:\Windows\{E5B54247-E66B-464f-8937-B6C73FA03954}.exe
        
        C:\Windows\{E5B54247-E66B-464f-8937-B6C73FA03954}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1800
        
        C:\Windows\{4858A5D8-5576-42d0-BF9B-C0E332A4797C}.exe
        
        C:\Windows\{4858A5D8-5576-42d0-BF9B-C0E332A4797C}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2336
        
        C:\Windows\{D2A4720F-BC31-483e-A3B0-F564D3C5CAD7}.exe
        
        C:\Windows\{D2A4720F-BC31-483e-A3B0-F564D3C5CAD7}.exe
        12⤵
        Executes dropped EXE
        
        PID:1136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4858A~1.EXE > nul
        12⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E5B54~1.EXE > nul
        11⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9D722~1.EXE > nul
        10⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{847C1~1.EXE > nul
        9⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6B0E4~1.EXE > nul
        8⤵
        
        PID:108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5DB28~1.EXE > nul
        7⤵
        
        PID:1984
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B3B71~1.EXE > nul
        6⤵
        
        PID:2728
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{86A09~1.EXE > nul
        5⤵
        
        PID:2128
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{457F3~1.EXE > nul
      4⤵
      PID:2620
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{CBACE~1.EXE > nul
    3⤵
    PID:2800
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{457F36F7-4928-449c-A208-7AFC003D8353}.exe

Filesize
197KB

MD5
c3e50036c777ef63ec8c7b2871dbb8a0

SHA1
33f015edef2e88632f1c1bb4827dce49f527de8d

SHA256
1fc82092eccf7822588df18f2757b3cf47376270561a88997771f0e257218838

SHA512
e8f0a04a4c269fdbf87328b33a8a6b1b6c7545785d28095950a71bf71cac0554c28ca17657ef3cdf5fa50a6e0e17c102837a0bc7a575cbbce27742e0c7daa8f6

Download Submit
C:\Windows\{4858A5D8-5576-42d0-BF9B-C0E332A4797C}.exe

Filesize
197KB

MD5
e0529abf976cdb5e16c418615bdd7565

SHA1
1bae8cd5f57c333ca89fc48af3313822a0ef6daf

SHA256
281ba435c4e55d14e75b6d801c188d34006ba12489ebb2ab9b1d6cda3763f36e

SHA512
6cc5496c4598d1a1804a6a6cf1533d27e6ff5cccecac37dddbfa6c613f615a777493952975e409f643ace07fa092eed206f6ec9f2181fd20d2794af8ce681df8

Download Submit
C:\Windows\{5DB288D8-142E-417c-8967-682DE27E283E}.exe

Filesize
197KB

MD5
a82f0303435e467e908011cf0980c9c4

SHA1
f5659c81156dbef8866b61ac6556d12981ee0687

SHA256
487e8953d0964a35929184f3929c7fc86fde2130fcb3e65f6d87417ad0bd7b14

SHA512
95b51973356b7bb4d15d09cea17143d0f7e7067c0f10414265e866810a7e031f8a072ae16c5364b1d9b1d90f732678c2a32418ad214e03c3cf3d154cdd1fc77a

Download Submit
C:\Windows\{6B0E4D15-7A7E-4814-8563-55DA3B7B4221}.exe

Filesize
197KB

MD5
f0147568cce15d9e09960a18fca2ff67

SHA1
f9fe2398247160ee6991cbf0777884b09ec29987

SHA256
06bd9a238ca415bde79cee53ea08af5ac452b4a9aeb933726cf2583cbcf27664

SHA512
a0eda36d021fbadb61c5ebe8fffe1bac321c5e6c188c6084ed7f09ff962b40054e3216690fd456f01d76977bfb1693ed97d903a22c4ddb0fe91c7e3fd8e22857

Download Submit
C:\Windows\{847C1EEE-F7D7-4514-ADB8-21B8CC75CCA2}.exe

Filesize
197KB

MD5
938f1860ef8f786dc2cd8eb80d61a494

SHA1
58b6778e60fcd2bf9ffbefa2019576aad978145c

SHA256
ab28d2aa684fbaa081f8317b57b9cf74888f0ced416aceffc61af26d20b695b8

SHA512
bffbb65c548d57f103fd7b4ee4ead33ed97c5d42f9c99c691ce850c45ce46296618968595b35df792c5f0c16e6f58a86e4e03d4edd79857710451335d333449d

Download Submit
C:\Windows\{86A09A5D-1698-4c8e-804C-E0DFFE5BFF9C}.exe

Filesize
197KB

MD5
ee469fe2ad2f13d605332f23fcddca91

SHA1
38f67f8efd886ac90cf6a7bc2354c74cd927914a

SHA256
f1bff13a4d05cf50e259a872d2057f1af2f873effbc036d204416841fcbe06cf

SHA512
8327136fb928e33698bf29c991eb520701207b0dff42dec4ddc67c17a0d848f7082f35d60d5c799085c5dda0320e23701b4ddf1ec43ef82658db16b22ba93bf4

Download Submit
C:\Windows\{9D722C74-B43E-4caf-94EB-C7D286A9D76B}.exe

Filesize
197KB

MD5
47fb0347383d99c1b04e5275d7f38af3

SHA1
1eea2996e6c25f07d5536858af969d3fd5106c3f

SHA256
607fad84ab54c41f5fd64dfcfb46824ce5a84d74ddff4c4e701e9fd65765b91b

SHA512
f66d922f9c72389105df1d3c657405cc797bb2c951b299da28adc1cefcffa1242892cfbcf6c2ee61b152e27ae6acbc20369835016a0e0c10d788a16e9a5ff8b5

Download Submit
C:\Windows\{B3B7125D-C02A-455d-B62F-0AF7D1C571A7}.exe

Filesize
197KB

MD5
6b099082c1f0c0fc42fde117525bfef6

SHA1
743592728b9a35ff6f6f44191e811fc641f45c23

SHA256
0e794be21ce5731019caa3c622969070a79fcab71e6befe4cca0cd95189b4d3a

SHA512
6925ae3b54a0bf0519ac4222c34e9fb39eae595294c6042f6c6dc6598a166568369d8f1cca8f1b1fb94782167800d5bb373a5a02af6d6fc028045a7f78f99ce9

Download Submit
C:\Windows\{CBACE77D-2EDD-446c-9D18-D183A7E4C5B6}.exe

Filesize
197KB

MD5
b6ca899a52c8273a84b8384e11afc678

SHA1
92afc49eff305cfd7c6c406c497e6acedd29ee56

SHA256
4e971a5966a50ae4acd937150eda5dbe8f4130cfd6d9a26cd2aa380865271aa7

SHA512
c4fad31c4ade0a96e60d4f79de4294880035cd7aa5e8211c09cca53ad702175fff42dc968039fd86b0b9f7db1cca1b1904cf874952505edd4e6f4117dc46c9c4

Download Submit
C:\Windows\{D2A4720F-BC31-483e-A3B0-F564D3C5CAD7}.exe

Filesize
197KB

MD5
821af69c0869af5c6b1d3df215055e82

SHA1
8a00f13850e76486c1070c19883ff67db1bfd85b

SHA256
2dd4d6b016a20ffd8659ff13e06f6d1bd135c1bc8a05dba78dd7b80c48bfd038

SHA512
a6dc9fc1aaee0219033d624b31544c3a83af086f15020de99e9e102ad8ba561ec61e2673b17708914421acd77e4736a836d7cd98f57b82e9c8d45fe658a20ba0

Download Submit
C:\Windows\{E5B54247-E66B-464f-8937-B6C73FA03954}.exe

Filesize
197KB

MD5
c425460b0cc317fe6ada239db86acd5d

SHA1
ca02047e36bd77da0bbbe1ad0608b61a04f1daa8

SHA256
294bce837430fd6aed5d2ae87a16c1f54aa40efc142b95a430e08a54412709ba

SHA512
001fa58f162b866fa8e8ab10ca890a855609c43af75733996ca417ac4f3c62540b2d6e921b68f44b2aa5891723b9268abd67e48b57ecdc5808b5fbda14caeffe

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads