046a17bfac09f58d41c62ebdfe914bdffd2b080923fab7ae9ccb3dce91c8f82b

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
17/02/2024, 20:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-17_aa06f55fb547e0c70256d0aeb8e0117f_goldeneye.exe
Size

180KB
MD5

aa06f55fb547e0c70256d0aeb8e0117f
SHA1

2dde9b7db50c79f22c1ec4aa802e887cc0cb6beb
SHA256

046a17bfac09f58d41c62ebdfe914bdffd2b080923fab7ae9ccb3dce91c8f82b
SHA512

6273ddd33c4d6d6a23be1aa43aff46cf3336461440bb88eeeb4ace302b07013735f1c447fe6951b4d35c52a4b51d501c240498c3833bd01595dd06e0f9a4fb6b
SSDEEP

3072:jEGh0oilfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGEl5eKcAEc

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000a00000001225a-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000012284-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b00000001225a-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c00000001225a-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d00000001225a-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e00000001225a-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f00000001225a-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A74D5BD3-264D-4bf5-BA9C-4C222B0937E5}	{2F4060EC-D9AE-47fb-8741-8EFCBA3FD1C4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ABD8D996-A7ED-45a2-B8D5-8D5C84C1E9F0}	{DEE7663A-DB1E-4ed5-80F1-07E9C393CA13}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{627E6428-1F86-448c-851A-DBCB1017123A}\stubpath = "C:\\Windows\\{627E6428-1F86-448c-851A-DBCB1017123A}.exe"	{072BF20C-B771-46fc-B599-A2BBF7678A58}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{15E87040-CF7D-4162-8ED2-AD2D2A769242}\stubpath = "C:\\Windows\\{15E87040-CF7D-4162-8ED2-AD2D2A769242}.exe"	{ABD8D996-A7ED-45a2-B8D5-8D5C84C1E9F0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7F8B7A15-9979-417b-BD96-267FA4B65533}	{32E176A7-E8A0-4981-B3E7-EF1C62FFE68D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3B93F87B-E295-40eb-853E-6EF322B530F8}\stubpath = "C:\\Windows\\{3B93F87B-E295-40eb-853E-6EF322B530F8}.exe"	{7F8B7A15-9979-417b-BD96-267FA4B65533}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{072BF20C-B771-46fc-B599-A2BBF7678A58}	{A74D5BD3-264D-4bf5-BA9C-4C222B0937E5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{072BF20C-B771-46fc-B599-A2BBF7678A58}\stubpath = "C:\\Windows\\{072BF20C-B771-46fc-B599-A2BBF7678A58}.exe"	{A74D5BD3-264D-4bf5-BA9C-4C222B0937E5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DEE7663A-DB1E-4ed5-80F1-07E9C393CA13}\stubpath = "C:\\Windows\\{DEE7663A-DB1E-4ed5-80F1-07E9C393CA13}.exe"	{627E6428-1F86-448c-851A-DBCB1017123A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7F8B7A15-9979-417b-BD96-267FA4B65533}\stubpath = "C:\\Windows\\{7F8B7A15-9979-417b-BD96-267FA4B65533}.exe"	{32E176A7-E8A0-4981-B3E7-EF1C62FFE68D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3B93F87B-E295-40eb-853E-6EF322B530F8}	{7F8B7A15-9979-417b-BD96-267FA4B65533}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2F4060EC-D9AE-47fb-8741-8EFCBA3FD1C4}	2024-02-17_aa06f55fb547e0c70256d0aeb8e0117f_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{627E6428-1F86-448c-851A-DBCB1017123A}	{072BF20C-B771-46fc-B599-A2BBF7678A58}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DEE7663A-DB1E-4ed5-80F1-07E9C393CA13}	{627E6428-1F86-448c-851A-DBCB1017123A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ABD8D996-A7ED-45a2-B8D5-8D5C84C1E9F0}\stubpath = "C:\\Windows\\{ABD8D996-A7ED-45a2-B8D5-8D5C84C1E9F0}.exe"	{DEE7663A-DB1E-4ed5-80F1-07E9C393CA13}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{15E87040-CF7D-4162-8ED2-AD2D2A769242}	{ABD8D996-A7ED-45a2-B8D5-8D5C84C1E9F0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{28D19B8C-B52C-43cc-8966-5FF468B4D515}	{15E87040-CF7D-4162-8ED2-AD2D2A769242}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{28D19B8C-B52C-43cc-8966-5FF468B4D515}\stubpath = "C:\\Windows\\{28D19B8C-B52C-43cc-8966-5FF468B4D515}.exe"	{15E87040-CF7D-4162-8ED2-AD2D2A769242}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{32E176A7-E8A0-4981-B3E7-EF1C62FFE68D}	{28D19B8C-B52C-43cc-8966-5FF468B4D515}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2F4060EC-D9AE-47fb-8741-8EFCBA3FD1C4}\stubpath = "C:\\Windows\\{2F4060EC-D9AE-47fb-8741-8EFCBA3FD1C4}.exe"	2024-02-17_aa06f55fb547e0c70256d0aeb8e0117f_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A74D5BD3-264D-4bf5-BA9C-4C222B0937E5}\stubpath = "C:\\Windows\\{A74D5BD3-264D-4bf5-BA9C-4C222B0937E5}.exe"	{2F4060EC-D9AE-47fb-8741-8EFCBA3FD1C4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{32E176A7-E8A0-4981-B3E7-EF1C62FFE68D}\stubpath = "C:\\Windows\\{32E176A7-E8A0-4981-B3E7-EF1C62FFE68D}.exe"	{28D19B8C-B52C-43cc-8966-5FF468B4D515}.exe

Deletes itself 1 IoCs

pid	Process
2836	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2712	{2F4060EC-D9AE-47fb-8741-8EFCBA3FD1C4}.exe
2416	{A74D5BD3-264D-4bf5-BA9C-4C222B0937E5}.exe
2776	{072BF20C-B771-46fc-B599-A2BBF7678A58}.exe
2948	{627E6428-1F86-448c-851A-DBCB1017123A}.exe
2116	{DEE7663A-DB1E-4ed5-80F1-07E9C393CA13}.exe
1916	{ABD8D996-A7ED-45a2-B8D5-8D5C84C1E9F0}.exe
528	{15E87040-CF7D-4162-8ED2-AD2D2A769242}.exe
2900	{28D19B8C-B52C-43cc-8966-5FF468B4D515}.exe
1396	{32E176A7-E8A0-4981-B3E7-EF1C62FFE68D}.exe
1936	{7F8B7A15-9979-417b-BD96-267FA4B65533}.exe
460	{3B93F87B-E295-40eb-853E-6EF322B530F8}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{A74D5BD3-264D-4bf5-BA9C-4C222B0937E5}.exe	{2F4060EC-D9AE-47fb-8741-8EFCBA3FD1C4}.exe
File created	C:\Windows\{072BF20C-B771-46fc-B599-A2BBF7678A58}.exe	{A74D5BD3-264D-4bf5-BA9C-4C222B0937E5}.exe
File created	C:\Windows\{ABD8D996-A7ED-45a2-B8D5-8D5C84C1E9F0}.exe	{DEE7663A-DB1E-4ed5-80F1-07E9C393CA13}.exe
File created	C:\Windows\{7F8B7A15-9979-417b-BD96-267FA4B65533}.exe	{32E176A7-E8A0-4981-B3E7-EF1C62FFE68D}.exe
File created	C:\Windows\{3B93F87B-E295-40eb-853E-6EF322B530F8}.exe	{7F8B7A15-9979-417b-BD96-267FA4B65533}.exe
File created	C:\Windows\{2F4060EC-D9AE-47fb-8741-8EFCBA3FD1C4}.exe	2024-02-17_aa06f55fb547e0c70256d0aeb8e0117f_goldeneye.exe
File created	C:\Windows\{627E6428-1F86-448c-851A-DBCB1017123A}.exe	{072BF20C-B771-46fc-B599-A2BBF7678A58}.exe
File created	C:\Windows\{DEE7663A-DB1E-4ed5-80F1-07E9C393CA13}.exe	{627E6428-1F86-448c-851A-DBCB1017123A}.exe
File created	C:\Windows\{15E87040-CF7D-4162-8ED2-AD2D2A769242}.exe	{ABD8D996-A7ED-45a2-B8D5-8D5C84C1E9F0}.exe
File created	C:\Windows\{28D19B8C-B52C-43cc-8966-5FF468B4D515}.exe	{15E87040-CF7D-4162-8ED2-AD2D2A769242}.exe
File created	C:\Windows\{32E176A7-E8A0-4981-B3E7-EF1C62FFE68D}.exe	{28D19B8C-B52C-43cc-8966-5FF468B4D515}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1184	2024-02-17_aa06f55fb547e0c70256d0aeb8e0117f_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2712	{2F4060EC-D9AE-47fb-8741-8EFCBA3FD1C4}.exe
Token: SeIncBasePriorityPrivilege	2416	{A74D5BD3-264D-4bf5-BA9C-4C222B0937E5}.exe
Token: SeIncBasePriorityPrivilege	2776	{072BF20C-B771-46fc-B599-A2BBF7678A58}.exe
Token: SeIncBasePriorityPrivilege	2948	{627E6428-1F86-448c-851A-DBCB1017123A}.exe
Token: SeIncBasePriorityPrivilege	2116	{DEE7663A-DB1E-4ed5-80F1-07E9C393CA13}.exe
Token: SeIncBasePriorityPrivilege	1916	{ABD8D996-A7ED-45a2-B8D5-8D5C84C1E9F0}.exe
Token: SeIncBasePriorityPrivilege	528	{15E87040-CF7D-4162-8ED2-AD2D2A769242}.exe
Token: SeIncBasePriorityPrivilege	2900	{28D19B8C-B52C-43cc-8966-5FF468B4D515}.exe
Token: SeIncBasePriorityPrivilege	1396	{32E176A7-E8A0-4981-B3E7-EF1C62FFE68D}.exe
Token: SeIncBasePriorityPrivilege	1936	{7F8B7A15-9979-417b-BD96-267FA4B65533}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1184 wrote to memory of 2712	1184	2024-02-17_aa06f55fb547e0c70256d0aeb8e0117f_goldeneye.exe	28
PID 1184 wrote to memory of 2712	1184	2024-02-17_aa06f55fb547e0c70256d0aeb8e0117f_goldeneye.exe	28
PID 1184 wrote to memory of 2712	1184	2024-02-17_aa06f55fb547e0c70256d0aeb8e0117f_goldeneye.exe	28
PID 1184 wrote to memory of 2712	1184	2024-02-17_aa06f55fb547e0c70256d0aeb8e0117f_goldeneye.exe	28
PID 1184 wrote to memory of 2836	1184	2024-02-17_aa06f55fb547e0c70256d0aeb8e0117f_goldeneye.exe	29
PID 1184 wrote to memory of 2836	1184	2024-02-17_aa06f55fb547e0c70256d0aeb8e0117f_goldeneye.exe	29
PID 1184 wrote to memory of 2836	1184	2024-02-17_aa06f55fb547e0c70256d0aeb8e0117f_goldeneye.exe	29
PID 1184 wrote to memory of 2836	1184	2024-02-17_aa06f55fb547e0c70256d0aeb8e0117f_goldeneye.exe	29
PID 2712 wrote to memory of 2416	2712	{2F4060EC-D9AE-47fb-8741-8EFCBA3FD1C4}.exe	30
PID 2712 wrote to memory of 2416	2712	{2F4060EC-D9AE-47fb-8741-8EFCBA3FD1C4}.exe	30
PID 2712 wrote to memory of 2416	2712	{2F4060EC-D9AE-47fb-8741-8EFCBA3FD1C4}.exe	30
PID 2712 wrote to memory of 2416	2712	{2F4060EC-D9AE-47fb-8741-8EFCBA3FD1C4}.exe	30
PID 2712 wrote to memory of 2876	2712	{2F4060EC-D9AE-47fb-8741-8EFCBA3FD1C4}.exe	31
PID 2712 wrote to memory of 2876	2712	{2F4060EC-D9AE-47fb-8741-8EFCBA3FD1C4}.exe	31
PID 2712 wrote to memory of 2876	2712	{2F4060EC-D9AE-47fb-8741-8EFCBA3FD1C4}.exe	31
PID 2712 wrote to memory of 2876	2712	{2F4060EC-D9AE-47fb-8741-8EFCBA3FD1C4}.exe	31
PID 2416 wrote to memory of 2776	2416	{A74D5BD3-264D-4bf5-BA9C-4C222B0937E5}.exe	32
PID 2416 wrote to memory of 2776	2416	{A74D5BD3-264D-4bf5-BA9C-4C222B0937E5}.exe	32
PID 2416 wrote to memory of 2776	2416	{A74D5BD3-264D-4bf5-BA9C-4C222B0937E5}.exe	32
PID 2416 wrote to memory of 2776	2416	{A74D5BD3-264D-4bf5-BA9C-4C222B0937E5}.exe	32
PID 2416 wrote to memory of 2608	2416	{A74D5BD3-264D-4bf5-BA9C-4C222B0937E5}.exe	33
PID 2416 wrote to memory of 2608	2416	{A74D5BD3-264D-4bf5-BA9C-4C222B0937E5}.exe	33
PID 2416 wrote to memory of 2608	2416	{A74D5BD3-264D-4bf5-BA9C-4C222B0937E5}.exe	33
PID 2416 wrote to memory of 2608	2416	{A74D5BD3-264D-4bf5-BA9C-4C222B0937E5}.exe	33
PID 2776 wrote to memory of 2948	2776	{072BF20C-B771-46fc-B599-A2BBF7678A58}.exe	37
PID 2776 wrote to memory of 2948	2776	{072BF20C-B771-46fc-B599-A2BBF7678A58}.exe	37
PID 2776 wrote to memory of 2948	2776	{072BF20C-B771-46fc-B599-A2BBF7678A58}.exe	37
PID 2776 wrote to memory of 2948	2776	{072BF20C-B771-46fc-B599-A2BBF7678A58}.exe	37
PID 2776 wrote to memory of 3048	2776	{072BF20C-B771-46fc-B599-A2BBF7678A58}.exe	36
PID 2776 wrote to memory of 3048	2776	{072BF20C-B771-46fc-B599-A2BBF7678A58}.exe	36
PID 2776 wrote to memory of 3048	2776	{072BF20C-B771-46fc-B599-A2BBF7678A58}.exe	36
PID 2776 wrote to memory of 3048	2776	{072BF20C-B771-46fc-B599-A2BBF7678A58}.exe	36
PID 2948 wrote to memory of 2116	2948	{627E6428-1F86-448c-851A-DBCB1017123A}.exe	39
PID 2948 wrote to memory of 2116	2948	{627E6428-1F86-448c-851A-DBCB1017123A}.exe	39
PID 2948 wrote to memory of 2116	2948	{627E6428-1F86-448c-851A-DBCB1017123A}.exe	39
PID 2948 wrote to memory of 2116	2948	{627E6428-1F86-448c-851A-DBCB1017123A}.exe	39
PID 2948 wrote to memory of 2784	2948	{627E6428-1F86-448c-851A-DBCB1017123A}.exe	38
PID 2948 wrote to memory of 2784	2948	{627E6428-1F86-448c-851A-DBCB1017123A}.exe	38
PID 2948 wrote to memory of 2784	2948	{627E6428-1F86-448c-851A-DBCB1017123A}.exe	38
PID 2948 wrote to memory of 2784	2948	{627E6428-1F86-448c-851A-DBCB1017123A}.exe	38
PID 2116 wrote to memory of 1916	2116	{DEE7663A-DB1E-4ed5-80F1-07E9C393CA13}.exe	40
PID 2116 wrote to memory of 1916	2116	{DEE7663A-DB1E-4ed5-80F1-07E9C393CA13}.exe	40
PID 2116 wrote to memory of 1916	2116	{DEE7663A-DB1E-4ed5-80F1-07E9C393CA13}.exe	40
PID 2116 wrote to memory of 1916	2116	{DEE7663A-DB1E-4ed5-80F1-07E9C393CA13}.exe	40
PID 2116 wrote to memory of 2292	2116	{DEE7663A-DB1E-4ed5-80F1-07E9C393CA13}.exe	41
PID 2116 wrote to memory of 2292	2116	{DEE7663A-DB1E-4ed5-80F1-07E9C393CA13}.exe	41
PID 2116 wrote to memory of 2292	2116	{DEE7663A-DB1E-4ed5-80F1-07E9C393CA13}.exe	41
PID 2116 wrote to memory of 2292	2116	{DEE7663A-DB1E-4ed5-80F1-07E9C393CA13}.exe	41
PID 1916 wrote to memory of 528	1916	{ABD8D996-A7ED-45a2-B8D5-8D5C84C1E9F0}.exe	43
PID 1916 wrote to memory of 528	1916	{ABD8D996-A7ED-45a2-B8D5-8D5C84C1E9F0}.exe	43
PID 1916 wrote to memory of 528	1916	{ABD8D996-A7ED-45a2-B8D5-8D5C84C1E9F0}.exe	43
PID 1916 wrote to memory of 528	1916	{ABD8D996-A7ED-45a2-B8D5-8D5C84C1E9F0}.exe	43
PID 1916 wrote to memory of 764	1916	{ABD8D996-A7ED-45a2-B8D5-8D5C84C1E9F0}.exe	42
PID 1916 wrote to memory of 764	1916	{ABD8D996-A7ED-45a2-B8D5-8D5C84C1E9F0}.exe	42
PID 1916 wrote to memory of 764	1916	{ABD8D996-A7ED-45a2-B8D5-8D5C84C1E9F0}.exe	42
PID 1916 wrote to memory of 764	1916	{ABD8D996-A7ED-45a2-B8D5-8D5C84C1E9F0}.exe	42
PID 528 wrote to memory of 2900	528	{15E87040-CF7D-4162-8ED2-AD2D2A769242}.exe	44
PID 528 wrote to memory of 2900	528	{15E87040-CF7D-4162-8ED2-AD2D2A769242}.exe	44
PID 528 wrote to memory of 2900	528	{15E87040-CF7D-4162-8ED2-AD2D2A769242}.exe	44
PID 528 wrote to memory of 2900	528	{15E87040-CF7D-4162-8ED2-AD2D2A769242}.exe	44
PID 528 wrote to memory of 1640	528	{15E87040-CF7D-4162-8ED2-AD2D2A769242}.exe	45
PID 528 wrote to memory of 1640	528	{15E87040-CF7D-4162-8ED2-AD2D2A769242}.exe	45
PID 528 wrote to memory of 1640	528	{15E87040-CF7D-4162-8ED2-AD2D2A769242}.exe	45
PID 528 wrote to memory of 1640	528	{15E87040-CF7D-4162-8ED2-AD2D2A769242}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-02-17_aa06f55fb547e0c70256d0aeb8e0117f_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-17_aa06f55fb547e0c70256d0aeb8e0117f_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1184
- C:\Windows\{2F4060EC-D9AE-47fb-8741-8EFCBA3FD1C4}.exe
  C:\Windows\{2F4060EC-D9AE-47fb-8741-8EFCBA3FD1C4}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2712
- - C:\Windows\{A74D5BD3-264D-4bf5-BA9C-4C222B0937E5}.exe
    C:\Windows\{A74D5BD3-264D-4bf5-BA9C-4C222B0937E5}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2416
  - - C:\Windows\{072BF20C-B771-46fc-B599-A2BBF7678A58}.exe
      C:\Windows\{072BF20C-B771-46fc-B599-A2BBF7678A58}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2776
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{072BF~1.EXE > nul
        5⤵
        
        PID:3048
    - - C:\Windows\{627E6428-1F86-448c-851A-DBCB1017123A}.exe
        
        C:\Windows\{627E6428-1F86-448c-851A-DBCB1017123A}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2948
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{627E6~1.EXE > nul
        6⤵
        
        PID:2784
      - C:\Windows\{DEE7663A-DB1E-4ed5-80F1-07E9C393CA13}.exe
        
        C:\Windows\{DEE7663A-DB1E-4ed5-80F1-07E9C393CA13}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2116
        
        C:\Windows\{ABD8D996-A7ED-45a2-B8D5-8D5C84C1E9F0}.exe
        
        C:\Windows\{ABD8D996-A7ED-45a2-B8D5-8D5C84C1E9F0}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{ABD8D~1.EXE > nul
        8⤵
        
        PID:764
        
        C:\Windows\{15E87040-CF7D-4162-8ED2-AD2D2A769242}.exe
        
        C:\Windows\{15E87040-CF7D-4162-8ED2-AD2D2A769242}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:528
        
        C:\Windows\{28D19B8C-B52C-43cc-8966-5FF468B4D515}.exe
        
        C:\Windows\{28D19B8C-B52C-43cc-8966-5FF468B4D515}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{28D19~1.EXE > nul
        10⤵
        
        PID:2080
        
        C:\Windows\{32E176A7-E8A0-4981-B3E7-EF1C62FFE68D}.exe
        
        C:\Windows\{32E176A7-E8A0-4981-B3E7-EF1C62FFE68D}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1396
        
        C:\Windows\{7F8B7A15-9979-417b-BD96-267FA4B65533}.exe
        
        C:\Windows\{7F8B7A15-9979-417b-BD96-267FA4B65533}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1936
        
        C:\Windows\{3B93F87B-E295-40eb-853E-6EF322B530F8}.exe
        
        C:\Windows\{3B93F87B-E295-40eb-853E-6EF322B530F8}.exe
        12⤵
        Executes dropped EXE
        
        PID:460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7F8B7~1.EXE > nul
        12⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{32E17~1.EXE > nul
        11⤵
        
        PID:2988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{15E87~1.EXE > nul
        9⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DEE76~1.EXE > nul
        7⤵
        
        PID:2292
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{A74D5~1.EXE > nul
      4⤵
      PID:2608
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{2F406~1.EXE > nul
    3⤵
    PID:2876
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{072BF20C-B771-46fc-B599-A2BBF7678A58}.exe

Filesize
180KB

MD5
463a444702ce39bae34728a22a9f8e82

SHA1
50276b66afb1923d6f82f283a024e1c055943c28

SHA256
fdb8c593871656734ab14fcbec6ec4ec2cb574540cb6f1f09d58989cb28eacc8

SHA512
b70ac5c179fce5113e2fabaa15f43a05cc26d494efee19876dfb07b9b9d555bd12d05857a33d9183abe0d2b4282f68d4107fa1e4fb878a7bd5a693e582e84795

Download Submit
C:\Windows\{15E87040-CF7D-4162-8ED2-AD2D2A769242}.exe

Filesize
180KB

MD5
45acafdf82ff3ef21c8f7b02d1fb40e6

SHA1
81f4e09ae7a7b09b5b28d73d98ddee7c2d82aa8a

SHA256
823b7c4979bb89d6d872976b9cc2120b955fa7810f5fbd7b0476a5cea1874d55

SHA512
5b3d7c9970231b685d4a68445a69e9bc339f291f8fbe40ba7ec69e92d24a162fbb1c29fe60ef998950032e03303712a3ddb9e0801d4b683542f37b1ffb6f61a1

Download Submit
C:\Windows\{28D19B8C-B52C-43cc-8966-5FF468B4D515}.exe

Filesize
180KB

MD5
20fb389df5fea35334fb27527c6b0a87

SHA1
707ffef3dd5650f64e3d9bde317a8df1b5c33bac

SHA256
b520a502f61c7dbd28b7571578e8d8ebd8648246362ea6f095c4bec372047201

SHA512
feb706d0ad7e9201b0701cb85fe3d76d8d88ccbc86b79b14791eea60f9277c8910f3b87787fd1e2584d8d4d8617ef07007a51bbfa1e182cb31f2ff7fb4c56a8d

Download Submit
C:\Windows\{2F4060EC-D9AE-47fb-8741-8EFCBA3FD1C4}.exe

Filesize
180KB

MD5
0bbcbfac5ed1c69466628eba8e21d20a

SHA1
367b6c3b5c92af80cb25c817e5292ef0c68206a9

SHA256
f9e100db0c7259ef7c99799c4e3337919c713e1163136dd958cfef8063c1db95

SHA512
628371a7668cb09ada6ae4d76b3946f8d17af69f5b21b7c65facfb2824849cee7cb0515f76cd77ca2450b8f1bc966f7749af9bcaf44863ef1efebe0c4ae90a91

Download Submit
C:\Windows\{32E176A7-E8A0-4981-B3E7-EF1C62FFE68D}.exe

Filesize
180KB

MD5
01638ed37ef7b0c5b43be1f7aecf0665

SHA1
599a0f6ad4594c772c01b20a97980b6e4fa0f1e0

SHA256
49b27ee0a117c75299c0d2be3cf3af2e835592fbe4fd6aa94df6dd3f4b4a6bc7

SHA512
9aac422bf7df12383f1af31d46a3872bf12ae3017e154e509c3ebb3dd1f4ec9e2aa6feb9b8d9b77fb139284aac2ab99d272d00e60e7a911e201ff9437c46329d

Download Submit
C:\Windows\{3B93F87B-E295-40eb-853E-6EF322B530F8}.exe

Filesize
180KB

MD5
ad7a1ca2f4ebba249c95ff3bca2d430a

SHA1
d8d8c48fc5d5f6c614ab3c5dd4e689213677085f

SHA256
318e2c718893e8cc916545d1244aa8464e5e041b0db904cc6204e84db2157fd3

SHA512
94826173ebd5694d4e01fa58fcfa7caba57767b4dc6ecfd64c746863a0ab6a135f57fc79bd882d8c28066dfe102f9ea02857e55e60936044d2d3f628469d651f

Download Submit
C:\Windows\{627E6428-1F86-448c-851A-DBCB1017123A}.exe

Filesize
180KB

MD5
db9f4c30778b7feb6ac7c92a631a05ed

SHA1
b35939afb9112ba8e6f5dd2abfeaf7710fb94a95

SHA256
b937816679ff4ea5dced5324dc7d5dc1ae3cbbc58c8295d203bf364ba6cf515a

SHA512
dbc0ecab58b67362df11fc3802f5638c17e607e4ec545a61c0cfa788daeb4a4a210b1412341c081ded5958a89fa887af121c6f3c218ab06a7405e3e5382ef045

Download Submit
C:\Windows\{7F8B7A15-9979-417b-BD96-267FA4B65533}.exe

Filesize
180KB

MD5
2840d2464867a57e56ec15e8ad3eb8df

SHA1
10a8a86e48aa0a7e8027f04a438e801799288ff1

SHA256
90987f99fdef6c408390df4e428400b77fd50fcd51629d93aa0cae094a42acd0

SHA512
5a7395e500719e57afdde3b9e26486138d0eeda146c671ac673c5488c67d10df2a41cdd89a69ea3cd753c779f9cef39bd63d5c09f6b8bdfbe1ad0116c0ee3fed

Download Submit
C:\Windows\{A74D5BD3-264D-4bf5-BA9C-4C222B0937E5}.exe

Filesize
180KB

MD5
fcfffb83b4d440eb39617baecc173597

SHA1
20c7e85a96fb6f738ec178ee956f6792a23754c8

SHA256
4433dfb4dca4ad39f46de5bbc8c84958ea89cc00e3b2b164cb42453d9bae6e6c

SHA512
9f18a4f8d03053973c083c99643365a129ddd1c000fe47611511444d8ff08e7211f6a200cf8fb43b89ad60d4af81d0465d8d8044b0e212e861b4e6e0fb3e366d

Download Submit
C:\Windows\{ABD8D996-A7ED-45a2-B8D5-8D5C84C1E9F0}.exe

Filesize
180KB

MD5
0360d50d7a623ea7ed225539a4d6dbc2

SHA1
4212f9739f16792790201b1c65003bd8557ea643

SHA256
e13b762d0f00c591600ab5cd8e4199b09dbf45124065300d10933525daa3ec0a

SHA512
2ced0737a5beb1e6ef4fc5eeed48e3630a62498ab3722bbc642c417fab9441b4be4cd82a22b7afcd41a4d77b9981c856933e03b88efd9e85289ef67b7a823e7b

Download Submit
C:\Windows\{DEE7663A-DB1E-4ed5-80F1-07E9C393CA13}.exe

Filesize
180KB

MD5
a8b6e364cd89ac0c64c0c91081c0b2d9

SHA1
2042248892023df809e2793ea4dc0404ec17c5d5

SHA256
e7a6733a2a77e2777c6d8d79a9d69381dd193a418ea0898d14a60b2b1635b42e

SHA512
94e8bbd43a9f21ff6aad1731bccb0c8cd19f66ca73db2936c67c2ee87109dfeb8d073f25ef45748b3f02e60b6929cbbed2bd334ce0df7c85e66c05eefd5878b2

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads