cda173f045a287255880fd3c233e62ad50ac6c6dadccce515053841d1216bd1b

Analysis

max time kernel
144s
max time network
124s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
17/02/2024, 13:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-17_dd633f0d01b4cff73dc7e94617c3394a_goldeneye.exe
Size

180KB
MD5

dd633f0d01b4cff73dc7e94617c3394a
SHA1

ef6be6dae3f1fb963bf0dfce5b1d39c2eaa1b408
SHA256

cda173f045a287255880fd3c233e62ad50ac6c6dadccce515053841d1216bd1b
SHA512

8e69c539aa391bce8779c3cc969e9b84ea8d51f22e95780bd9438a2c95b2e39d9be555dbb77c38dfb2eb1efcc5d88fc58cac84b80b50f98d7a604501b237f459
SSDEEP

3072:jEGh0oxlfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGbl5eKcAEc

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000d0000000122c0-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0037000000014ee2-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a00000001552e-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000600000000f6f8-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0038000000014ee2-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000700000000f6f8-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0039000000014ee2-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000800000000f6f8-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x003a000000014ee2-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000900000000f6f8-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x003b000000014ee2-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{33BC683D-92D3-4757-A0A5-EECDFFABD025}	{20A2C92C-3348-43a4-9B80-5A89E0373874}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{22AEAD73-8B8C-4be8-B93B-48FC24A338DF}	{33BC683D-92D3-4757-A0A5-EECDFFABD025}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{22AEAD73-8B8C-4be8-B93B-48FC24A338DF}\stubpath = "C:\\Windows\\{22AEAD73-8B8C-4be8-B93B-48FC24A338DF}.exe"	{33BC683D-92D3-4757-A0A5-EECDFFABD025}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{03A2A0E4-66F1-4e5d-BAAD-40530807EA86}\stubpath = "C:\\Windows\\{03A2A0E4-66F1-4e5d-BAAD-40530807EA86}.exe"	{22AEAD73-8B8C-4be8-B93B-48FC24A338DF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3C2127AF-8EEF-4839-91A2-3EE2031618C2}	{C4E43D7F-8246-44c2-9B8E-C7C64E5DA8EE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3C2127AF-8EEF-4839-91A2-3EE2031618C2}\stubpath = "C:\\Windows\\{3C2127AF-8EEF-4839-91A2-3EE2031618C2}.exe"	{C4E43D7F-8246-44c2-9B8E-C7C64E5DA8EE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{60A8F90E-43E8-4307-9FE4-6F6B1CDBAC67}	{3C2127AF-8EEF-4839-91A2-3EE2031618C2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{20A2C92C-3348-43a4-9B80-5A89E0373874}\stubpath = "C:\\Windows\\{20A2C92C-3348-43a4-9B80-5A89E0373874}.exe"	2024-02-17_dd633f0d01b4cff73dc7e94617c3394a_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EB298A58-3415-464a-88F0-E85C5CB360AA}	{60A8F90E-43E8-4307-9FE4-6F6B1CDBAC67}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{60A8F90E-43E8-4307-9FE4-6F6B1CDBAC67}\stubpath = "C:\\Windows\\{60A8F90E-43E8-4307-9FE4-6F6B1CDBAC67}.exe"	{3C2127AF-8EEF-4839-91A2-3EE2031618C2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C4E43D7F-8246-44c2-9B8E-C7C64E5DA8EE}\stubpath = "C:\\Windows\\{C4E43D7F-8246-44c2-9B8E-C7C64E5DA8EE}.exe"	{03A2A0E4-66F1-4e5d-BAAD-40530807EA86}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{60D100F0-D90B-47bc-A79D-53CDB65D77C6}\stubpath = "C:\\Windows\\{60D100F0-D90B-47bc-A79D-53CDB65D77C6}.exe"	{EB298A58-3415-464a-88F0-E85C5CB360AA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7BDC93A6-FCD4-477f-BFD1-5D14D319A143}\stubpath = "C:\\Windows\\{7BDC93A6-FCD4-477f-BFD1-5D14D319A143}.exe"	{60D100F0-D90B-47bc-A79D-53CDB65D77C6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C4E43D7F-8246-44c2-9B8E-C7C64E5DA8EE}	{03A2A0E4-66F1-4e5d-BAAD-40530807EA86}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{03A2A0E4-66F1-4e5d-BAAD-40530807EA86}	{22AEAD73-8B8C-4be8-B93B-48FC24A338DF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EB298A58-3415-464a-88F0-E85C5CB360AA}\stubpath = "C:\\Windows\\{EB298A58-3415-464a-88F0-E85C5CB360AA}.exe"	{60A8F90E-43E8-4307-9FE4-6F6B1CDBAC67}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6347DE74-9A9F-487a-A4F1-7549645215A9}	{7BDC93A6-FCD4-477f-BFD1-5D14D319A143}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{20A2C92C-3348-43a4-9B80-5A89E0373874}	2024-02-17_dd633f0d01b4cff73dc7e94617c3394a_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{60D100F0-D90B-47bc-A79D-53CDB65D77C6}	{EB298A58-3415-464a-88F0-E85C5CB360AA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7BDC93A6-FCD4-477f-BFD1-5D14D319A143}	{60D100F0-D90B-47bc-A79D-53CDB65D77C6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6347DE74-9A9F-487a-A4F1-7549645215A9}\stubpath = "C:\\Windows\\{6347DE74-9A9F-487a-A4F1-7549645215A9}.exe"	{7BDC93A6-FCD4-477f-BFD1-5D14D319A143}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{33BC683D-92D3-4757-A0A5-EECDFFABD025}\stubpath = "C:\\Windows\\{33BC683D-92D3-4757-A0A5-EECDFFABD025}.exe"	{20A2C92C-3348-43a4-9B80-5A89E0373874}.exe

Deletes itself 1 IoCs

pid	Process
2688	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2792	{20A2C92C-3348-43a4-9B80-5A89E0373874}.exe
1288	{33BC683D-92D3-4757-A0A5-EECDFFABD025}.exe
1660	{22AEAD73-8B8C-4be8-B93B-48FC24A338DF}.exe
1276	{03A2A0E4-66F1-4e5d-BAAD-40530807EA86}.exe
2916	{C4E43D7F-8246-44c2-9B8E-C7C64E5DA8EE}.exe
2996	{3C2127AF-8EEF-4839-91A2-3EE2031618C2}.exe
1580	{60A8F90E-43E8-4307-9FE4-6F6B1CDBAC67}.exe
2872	{EB298A58-3415-464a-88F0-E85C5CB360AA}.exe
2396	{60D100F0-D90B-47bc-A79D-53CDB65D77C6}.exe
2040	{7BDC93A6-FCD4-477f-BFD1-5D14D319A143}.exe
1096	{6347DE74-9A9F-487a-A4F1-7549645215A9}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{03A2A0E4-66F1-4e5d-BAAD-40530807EA86}.exe	{22AEAD73-8B8C-4be8-B93B-48FC24A338DF}.exe
File created	C:\Windows\{EB298A58-3415-464a-88F0-E85C5CB360AA}.exe	{60A8F90E-43E8-4307-9FE4-6F6B1CDBAC67}.exe
File created	C:\Windows\{60D100F0-D90B-47bc-A79D-53CDB65D77C6}.exe	{EB298A58-3415-464a-88F0-E85C5CB360AA}.exe
File created	C:\Windows\{7BDC93A6-FCD4-477f-BFD1-5D14D319A143}.exe	{60D100F0-D90B-47bc-A79D-53CDB65D77C6}.exe
File created	C:\Windows\{6347DE74-9A9F-487a-A4F1-7549645215A9}.exe	{7BDC93A6-FCD4-477f-BFD1-5D14D319A143}.exe
File created	C:\Windows\{60A8F90E-43E8-4307-9FE4-6F6B1CDBAC67}.exe	{3C2127AF-8EEF-4839-91A2-3EE2031618C2}.exe
File created	C:\Windows\{20A2C92C-3348-43a4-9B80-5A89E0373874}.exe	2024-02-17_dd633f0d01b4cff73dc7e94617c3394a_goldeneye.exe
File created	C:\Windows\{33BC683D-92D3-4757-A0A5-EECDFFABD025}.exe	{20A2C92C-3348-43a4-9B80-5A89E0373874}.exe
File created	C:\Windows\{22AEAD73-8B8C-4be8-B93B-48FC24A338DF}.exe	{33BC683D-92D3-4757-A0A5-EECDFFABD025}.exe
File created	C:\Windows\{C4E43D7F-8246-44c2-9B8E-C7C64E5DA8EE}.exe	{03A2A0E4-66F1-4e5d-BAAD-40530807EA86}.exe
File created	C:\Windows\{3C2127AF-8EEF-4839-91A2-3EE2031618C2}.exe	{C4E43D7F-8246-44c2-9B8E-C7C64E5DA8EE}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2444	2024-02-17_dd633f0d01b4cff73dc7e94617c3394a_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2792	{20A2C92C-3348-43a4-9B80-5A89E0373874}.exe
Token: SeIncBasePriorityPrivilege	1288	{33BC683D-92D3-4757-A0A5-EECDFFABD025}.exe
Token: SeIncBasePriorityPrivilege	1660	{22AEAD73-8B8C-4be8-B93B-48FC24A338DF}.exe
Token: SeIncBasePriorityPrivilege	1276	{03A2A0E4-66F1-4e5d-BAAD-40530807EA86}.exe
Token: SeIncBasePriorityPrivilege	2916	{C4E43D7F-8246-44c2-9B8E-C7C64E5DA8EE}.exe
Token: SeIncBasePriorityPrivilege	2996	{3C2127AF-8EEF-4839-91A2-3EE2031618C2}.exe
Token: SeIncBasePriorityPrivilege	1580	{60A8F90E-43E8-4307-9FE4-6F6B1CDBAC67}.exe
Token: SeIncBasePriorityPrivilege	2872	{EB298A58-3415-464a-88F0-E85C5CB360AA}.exe
Token: SeIncBasePriorityPrivilege	2396	{60D100F0-D90B-47bc-A79D-53CDB65D77C6}.exe
Token: SeIncBasePriorityPrivilege	2040	{7BDC93A6-FCD4-477f-BFD1-5D14D319A143}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2444 wrote to memory of 2792	2444	2024-02-17_dd633f0d01b4cff73dc7e94617c3394a_goldeneye.exe	28
PID 2444 wrote to memory of 2792	2444	2024-02-17_dd633f0d01b4cff73dc7e94617c3394a_goldeneye.exe	28
PID 2444 wrote to memory of 2792	2444	2024-02-17_dd633f0d01b4cff73dc7e94617c3394a_goldeneye.exe	28
PID 2444 wrote to memory of 2792	2444	2024-02-17_dd633f0d01b4cff73dc7e94617c3394a_goldeneye.exe	28
PID 2444 wrote to memory of 2688	2444	2024-02-17_dd633f0d01b4cff73dc7e94617c3394a_goldeneye.exe	29
PID 2444 wrote to memory of 2688	2444	2024-02-17_dd633f0d01b4cff73dc7e94617c3394a_goldeneye.exe	29
PID 2444 wrote to memory of 2688	2444	2024-02-17_dd633f0d01b4cff73dc7e94617c3394a_goldeneye.exe	29
PID 2444 wrote to memory of 2688	2444	2024-02-17_dd633f0d01b4cff73dc7e94617c3394a_goldeneye.exe	29
PID 2792 wrote to memory of 1288	2792	{20A2C92C-3348-43a4-9B80-5A89E0373874}.exe	30
PID 2792 wrote to memory of 1288	2792	{20A2C92C-3348-43a4-9B80-5A89E0373874}.exe	30
PID 2792 wrote to memory of 1288	2792	{20A2C92C-3348-43a4-9B80-5A89E0373874}.exe	30
PID 2792 wrote to memory of 1288	2792	{20A2C92C-3348-43a4-9B80-5A89E0373874}.exe	30
PID 2792 wrote to memory of 2564	2792	{20A2C92C-3348-43a4-9B80-5A89E0373874}.exe	31
PID 2792 wrote to memory of 2564	2792	{20A2C92C-3348-43a4-9B80-5A89E0373874}.exe	31
PID 2792 wrote to memory of 2564	2792	{20A2C92C-3348-43a4-9B80-5A89E0373874}.exe	31
PID 2792 wrote to memory of 2564	2792	{20A2C92C-3348-43a4-9B80-5A89E0373874}.exe	31
PID 1288 wrote to memory of 1660	1288	{33BC683D-92D3-4757-A0A5-EECDFFABD025}.exe	35
PID 1288 wrote to memory of 1660	1288	{33BC683D-92D3-4757-A0A5-EECDFFABD025}.exe	35
PID 1288 wrote to memory of 1660	1288	{33BC683D-92D3-4757-A0A5-EECDFFABD025}.exe	35
PID 1288 wrote to memory of 1660	1288	{33BC683D-92D3-4757-A0A5-EECDFFABD025}.exe	35
PID 1288 wrote to memory of 1756	1288	{33BC683D-92D3-4757-A0A5-EECDFFABD025}.exe	34
PID 1288 wrote to memory of 1756	1288	{33BC683D-92D3-4757-A0A5-EECDFFABD025}.exe	34
PID 1288 wrote to memory of 1756	1288	{33BC683D-92D3-4757-A0A5-EECDFFABD025}.exe	34
PID 1288 wrote to memory of 1756	1288	{33BC683D-92D3-4757-A0A5-EECDFFABD025}.exe	34
PID 1660 wrote to memory of 1276	1660	{22AEAD73-8B8C-4be8-B93B-48FC24A338DF}.exe	36
PID 1660 wrote to memory of 1276	1660	{22AEAD73-8B8C-4be8-B93B-48FC24A338DF}.exe	36
PID 1660 wrote to memory of 1276	1660	{22AEAD73-8B8C-4be8-B93B-48FC24A338DF}.exe	36
PID 1660 wrote to memory of 1276	1660	{22AEAD73-8B8C-4be8-B93B-48FC24A338DF}.exe	36
PID 1660 wrote to memory of 1352	1660	{22AEAD73-8B8C-4be8-B93B-48FC24A338DF}.exe	37
PID 1660 wrote to memory of 1352	1660	{22AEAD73-8B8C-4be8-B93B-48FC24A338DF}.exe	37
PID 1660 wrote to memory of 1352	1660	{22AEAD73-8B8C-4be8-B93B-48FC24A338DF}.exe	37
PID 1660 wrote to memory of 1352	1660	{22AEAD73-8B8C-4be8-B93B-48FC24A338DF}.exe	37
PID 1276 wrote to memory of 2916	1276	{03A2A0E4-66F1-4e5d-BAAD-40530807EA86}.exe	39
PID 1276 wrote to memory of 2916	1276	{03A2A0E4-66F1-4e5d-BAAD-40530807EA86}.exe	39
PID 1276 wrote to memory of 2916	1276	{03A2A0E4-66F1-4e5d-BAAD-40530807EA86}.exe	39
PID 1276 wrote to memory of 2916	1276	{03A2A0E4-66F1-4e5d-BAAD-40530807EA86}.exe	39
PID 1276 wrote to memory of 2644	1276	{03A2A0E4-66F1-4e5d-BAAD-40530807EA86}.exe	38
PID 1276 wrote to memory of 2644	1276	{03A2A0E4-66F1-4e5d-BAAD-40530807EA86}.exe	38
PID 1276 wrote to memory of 2644	1276	{03A2A0E4-66F1-4e5d-BAAD-40530807EA86}.exe	38
PID 1276 wrote to memory of 2644	1276	{03A2A0E4-66F1-4e5d-BAAD-40530807EA86}.exe	38
PID 2916 wrote to memory of 2996	2916	{C4E43D7F-8246-44c2-9B8E-C7C64E5DA8EE}.exe	40
PID 2916 wrote to memory of 2996	2916	{C4E43D7F-8246-44c2-9B8E-C7C64E5DA8EE}.exe	40
PID 2916 wrote to memory of 2996	2916	{C4E43D7F-8246-44c2-9B8E-C7C64E5DA8EE}.exe	40
PID 2916 wrote to memory of 2996	2916	{C4E43D7F-8246-44c2-9B8E-C7C64E5DA8EE}.exe	40
PID 2916 wrote to memory of 1956	2916	{C4E43D7F-8246-44c2-9B8E-C7C64E5DA8EE}.exe	41
PID 2916 wrote to memory of 1956	2916	{C4E43D7F-8246-44c2-9B8E-C7C64E5DA8EE}.exe	41
PID 2916 wrote to memory of 1956	2916	{C4E43D7F-8246-44c2-9B8E-C7C64E5DA8EE}.exe	41
PID 2916 wrote to memory of 1956	2916	{C4E43D7F-8246-44c2-9B8E-C7C64E5DA8EE}.exe	41
PID 2996 wrote to memory of 1580	2996	{3C2127AF-8EEF-4839-91A2-3EE2031618C2}.exe	43
PID 2996 wrote to memory of 1580	2996	{3C2127AF-8EEF-4839-91A2-3EE2031618C2}.exe	43
PID 2996 wrote to memory of 1580	2996	{3C2127AF-8EEF-4839-91A2-3EE2031618C2}.exe	43
PID 2996 wrote to memory of 1580	2996	{3C2127AF-8EEF-4839-91A2-3EE2031618C2}.exe	43
PID 2996 wrote to memory of 1720	2996	{3C2127AF-8EEF-4839-91A2-3EE2031618C2}.exe	42
PID 2996 wrote to memory of 1720	2996	{3C2127AF-8EEF-4839-91A2-3EE2031618C2}.exe	42
PID 2996 wrote to memory of 1720	2996	{3C2127AF-8EEF-4839-91A2-3EE2031618C2}.exe	42
PID 2996 wrote to memory of 1720	2996	{3C2127AF-8EEF-4839-91A2-3EE2031618C2}.exe	42
PID 1580 wrote to memory of 2872	1580	{60A8F90E-43E8-4307-9FE4-6F6B1CDBAC67}.exe	44
PID 1580 wrote to memory of 2872	1580	{60A8F90E-43E8-4307-9FE4-6F6B1CDBAC67}.exe	44
PID 1580 wrote to memory of 2872	1580	{60A8F90E-43E8-4307-9FE4-6F6B1CDBAC67}.exe	44
PID 1580 wrote to memory of 2872	1580	{60A8F90E-43E8-4307-9FE4-6F6B1CDBAC67}.exe	44
PID 1580 wrote to memory of 1588	1580	{60A8F90E-43E8-4307-9FE4-6F6B1CDBAC67}.exe	45
PID 1580 wrote to memory of 1588	1580	{60A8F90E-43E8-4307-9FE4-6F6B1CDBAC67}.exe	45
PID 1580 wrote to memory of 1588	1580	{60A8F90E-43E8-4307-9FE4-6F6B1CDBAC67}.exe	45
PID 1580 wrote to memory of 1588	1580	{60A8F90E-43E8-4307-9FE4-6F6B1CDBAC67}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-02-17_dd633f0d01b4cff73dc7e94617c3394a_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-17_dd633f0d01b4cff73dc7e94617c3394a_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2444
- C:\Windows\{20A2C92C-3348-43a4-9B80-5A89E0373874}.exe
  C:\Windows\{20A2C92C-3348-43a4-9B80-5A89E0373874}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2792
- - C:\Windows\{33BC683D-92D3-4757-A0A5-EECDFFABD025}.exe
    C:\Windows\{33BC683D-92D3-4757-A0A5-EECDFFABD025}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1288
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{33BC6~1.EXE > nul
      4⤵
      PID:1756
  - - C:\Windows\{22AEAD73-8B8C-4be8-B93B-48FC24A338DF}.exe
      C:\Windows\{22AEAD73-8B8C-4be8-B93B-48FC24A338DF}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1660
    - - C:\Windows\{03A2A0E4-66F1-4e5d-BAAD-40530807EA86}.exe
        
        C:\Windows\{03A2A0E4-66F1-4e5d-BAAD-40530807EA86}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1276
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{03A2A~1.EXE > nul
        6⤵
        
        PID:2644
      - C:\Windows\{C4E43D7F-8246-44c2-9B8E-C7C64E5DA8EE}.exe
        
        C:\Windows\{C4E43D7F-8246-44c2-9B8E-C7C64E5DA8EE}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2916
        
        C:\Windows\{3C2127AF-8EEF-4839-91A2-3EE2031618C2}.exe
        
        C:\Windows\{3C2127AF-8EEF-4839-91A2-3EE2031618C2}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3C212~1.EXE > nul
        8⤵
        
        PID:1720
        
        C:\Windows\{60A8F90E-43E8-4307-9FE4-6F6B1CDBAC67}.exe
        
        C:\Windows\{60A8F90E-43E8-4307-9FE4-6F6B1CDBAC67}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1580
        
        C:\Windows\{EB298A58-3415-464a-88F0-E85C5CB360AA}.exe
        
        C:\Windows\{EB298A58-3415-464a-88F0-E85C5CB360AA}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2872
        
        C:\Windows\{60D100F0-D90B-47bc-A79D-53CDB65D77C6}.exe
        
        C:\Windows\{60D100F0-D90B-47bc-A79D-53CDB65D77C6}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2396
        
        C:\Windows\{7BDC93A6-FCD4-477f-BFD1-5D14D319A143}.exe
        
        C:\Windows\{7BDC93A6-FCD4-477f-BFD1-5D14D319A143}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2040
        
        C:\Windows\{6347DE74-9A9F-487a-A4F1-7549645215A9}.exe
        
        C:\Windows\{6347DE74-9A9F-487a-A4F1-7549645215A9}.exe
        12⤵
        Executes dropped EXE
        
        PID:1096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7BDC9~1.EXE > nul
        12⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{60D10~1.EXE > nul
        11⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EB298~1.EXE > nul
        10⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{60A8F~1.EXE > nul
        9⤵
        
        PID:1588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C4E43~1.EXE > nul
        7⤵
        
        PID:1956
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{22AEA~1.EXE > nul
        5⤵
        
        PID:1352
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{20A2C~1.EXE > nul
    3⤵
    PID:2564
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{03A2A0E4-66F1-4e5d-BAAD-40530807EA86}.exe

Filesize
180KB

MD5
c230142dc502f51e9e6c347a01844527

SHA1
9e7d7f62af4891584784c3b5b6cea57bfd0c0450

SHA256
8a3df0b18684b12bddb143225eee7cee37418bbc2bb2c66255f372e9652f6a04

SHA512
8053c04f722508da8ae631e308d2c8a44f65ea9b7fa308c8606b4d72ae92984484f08acf006a98088ee0aee0ec6c1266eae3681605551bc04d6e730251b04700

Download Submit
C:\Windows\{20A2C92C-3348-43a4-9B80-5A89E0373874}.exe

Filesize
180KB

MD5
3755cb1cf00478ebdd65202cbb931f64

SHA1
e8a600f2eaf04cae6c238057273caf2194481709

SHA256
dbe5114169a07341eb33b6ca3d1c3b412607d3239983523b32684c54126f5b5d

SHA512
04e65d699a3f4bea5660517ecb4f576ac7fdaabace817745e0c4618c4335cc2ad7d8715f4c7df79ad0531515e25da2c636fb4f75a6d02fd812a123fa50db0cc9

Download Submit
C:\Windows\{22AEAD73-8B8C-4be8-B93B-48FC24A338DF}.exe

Filesize
180KB

MD5
7d359bba6d029f7798303eee9a1553b0

SHA1
6571a26f5237f575d6fdbb7cd65c325503576651

SHA256
b0ef650d85ba9f7f6c44498ed789a7da2e73e982282f9679ec8ebd7b9584de81

SHA512
b49ffb166835ced4e037c96089257f68261cbe88ff595cf777434ac5c922b00b439029723af00685ba979f9e46798911c1ef7fb4149f0f4c1c86a2d6db6120b1

Download Submit
C:\Windows\{33BC683D-92D3-4757-A0A5-EECDFFABD025}.exe

Filesize
180KB

MD5
73fff45f53c0ddd8ecfde6ce7de48823

SHA1
2476d3e4d410c3d568fa251ecc87b7006ab9cf42

SHA256
583cd9c0e6980ea029c494189223db38b73bd1322a59a6bb23c15ee1c1d2c975

SHA512
adc952e83e3e5e4e2d42e63dd1f88aaced5924749bee28776ec57f3a6f79d676f2c46ecffe804e368c7c13af2c5725ad4190ac04f52c85ef6544fa189499b0c0

Download Submit
C:\Windows\{3C2127AF-8EEF-4839-91A2-3EE2031618C2}.exe

Filesize
180KB

MD5
190fbf43ee662dd2ccb6f395c4d8c5b8

SHA1
fee46071c21d66dcaf87dc7e37ad7c87b57096ae

SHA256
06f49493a3b4d3029d49251b1606b8bc8bb1dcebab33b64936b9eb702a7ad109

SHA512
2a58e4ee3d24653da56e0591b5319d5c4ca093f27d84283d60f1718f5f55d15aeb32d079e31e92be6e46fdcfa4a382193f5de3f2074a839483af375de89523c0

Download Submit
C:\Windows\{60A8F90E-43E8-4307-9FE4-6F6B1CDBAC67}.exe

Filesize
180KB

MD5
1c3bd6e3366aa249f48d540d6a12e8b7

SHA1
548246c88f2eba3822319ec14d82023581acdf5a

SHA256
f5ee3628e40fdab0888a47dad9757825ff6756c97d83bc395376a7a33fd8a521

SHA512
6839458acc078c4b9b1d0eac3fdf548c14e6cca6c55e8a1dd2d19cfa4c1f2903f3252154780934e649122b807ba00faaa7c38a2d1e9ae8fecb457697fa9cd673

Download Submit
C:\Windows\{60D100F0-D90B-47bc-A79D-53CDB65D77C6}.exe

Filesize
180KB

MD5
9cb81c46bbbb730676df72cdc7febe20

SHA1
e05cd4fda10a62f8d5cca7b5c3e57605f83f05ac

SHA256
394e243b0aee5b5fda8f7e5d580b6bf128d2df8a77b1ac17e24fcbf147cc1832

SHA512
748fb4d90f09a8bb3a58416cadd8048697940504ad24b95908222ce043c45715a95fdfc82c914f1c5469f845f05b26fde6e723fb15919b9031e5066c1d8822ce

Download Submit
C:\Windows\{6347DE74-9A9F-487a-A4F1-7549645215A9}.exe

Filesize
180KB

MD5
003e92087724bf44601d2e9ead1dbd58

SHA1
e4753ef41d51d132447badc7904d8ce3de9945c9

SHA256
3731ce87ef9c9e8ea0994d018d99a0026b8464061c668f82ab18b33848524dfb

SHA512
1690f8a61a37d4b11a25b7da5c526a1f300384919eef211679a52d2e63c624016c545752e9ed5ffb88a92881bd1b9aba1baa4ece0f57ad3c2e8af2222b730605

Download Submit
C:\Windows\{7BDC93A6-FCD4-477f-BFD1-5D14D319A143}.exe

Filesize
180KB

MD5
cece0d649291f6c7cd26c69822d0b6d0

SHA1
f10d5293cd1bab0909d7186d3548d5f2df1e7980

SHA256
df8f2176296e15317076f8ac11e33be0c7468da2f88eb3104386571561ea2ac8

SHA512
45054a26cf215efe54b25b0655592cd53cec7a31d96c9d5eee16bf361490846e216a55eb98c4986d70fa1f560558169df834e6e5672387e1c50c8151694254bc

Download Submit
C:\Windows\{C4E43D7F-8246-44c2-9B8E-C7C64E5DA8EE}.exe

Filesize
180KB

MD5
5a90e374242381cb568549d59ce1d663

SHA1
20539f18ff67b202009bb3d7c3509f33f472fb57

SHA256
4ce3c3ebe58268dae4e7c809a050a653a4e29a015d3f4d2490ba01adf5c61123

SHA512
a12dee5185d78b5b6864bee20fcb8553a71212c9ff134184445c09877e6e266584da93294d7482641fc7cbc75ea33826cf37fc7a8097b332c62ba584119371d6

Download Submit
C:\Windows\{EB298A58-3415-464a-88F0-E85C5CB360AA}.exe

Filesize
180KB

MD5
30d633ccbb9053782db39a5ee35c2504

SHA1
a4bc12b4b17524c71f22c83f7a21817f8e8b5e53

SHA256
315fef1e81544349c84ee83092d24ae0708a80c8dd10c407dcd7b9aab457910c

SHA512
fae758dc052d939f40123350a7712a2e5284d75c82084a9dc271527432f91b4a052f8cf6870ff80898799127b77c34e4d2d471bac48b9d3d8b5804a274801fa8

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads