7a09b43a183020add390a6282120f0b3d26f27242bd1f82d87c17eb35056410d

Analysis

max time kernel
144s
max time network
121s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
18/02/2024, 22:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-18_0261ff0691822157084b12b89134cdef_goldeneye.exe
Size

180KB
MD5

0261ff0691822157084b12b89134cdef
SHA1

10926bd56456880084aa75e5d92b4ec098c0fffa
SHA256

7a09b43a183020add390a6282120f0b3d26f27242bd1f82d87c17eb35056410d
SHA512

cdd5867a457f37ac31f9df712a7e5ee8580789a5af26d3204708d59dba0441eab23d47b5e5796d5d05c603656e06cd41cd2696f68a682b6cfec521c1ea864b2a
SSDEEP

3072:jEGh0oelfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGgl5eKcAEc

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral1/files/0x000c000000012262-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c0000000133bd-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000012262-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002900000000b1f4-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002900000000b1f4-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002a00000000b1f4-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002b00000000b1f4-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002c00000000b1f4-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E9DDDCD5-218F-4077-9602-AC482BCC628B}	{710F1F1E-AA72-48df-BD0C-E02D7F6E4C0B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{21622F11-C95C-4d2e-A0D7-7AB4BEC3DD6A}	{C8DA8C57-E220-4749-B5AB-E06DF0CF8319}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{14A241B1-B8C6-47a6-9162-D771F0C06A03}\stubpath = "C:\\Windows\\{14A241B1-B8C6-47a6-9162-D771F0C06A03}.exe"	{534DB4B1-6EE1-4177-B274-ECD3E46C043F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{53C14499-9D35-4622-8CFB-B0C36871859D}\stubpath = "C:\\Windows\\{53C14499-9D35-4622-8CFB-B0C36871859D}.exe"	{14A241B1-B8C6-47a6-9162-D771F0C06A03}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{268FB3A0-D821-45d3-B5DB-98F99723F8AD}	{53C14499-9D35-4622-8CFB-B0C36871859D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8C066E86-E518-4053-8D1E-CF8339BA2CE8}\stubpath = "C:\\Windows\\{8C066E86-E518-4053-8D1E-CF8339BA2CE8}.exe"	{8B079697-9B6B-4718-8837-5C795716E066}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{710F1F1E-AA72-48df-BD0C-E02D7F6E4C0B}	{8C066E86-E518-4053-8D1E-CF8339BA2CE8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E9DDDCD5-218F-4077-9602-AC482BCC628B}\stubpath = "C:\\Windows\\{E9DDDCD5-218F-4077-9602-AC482BCC628B}.exe"	{710F1F1E-AA72-48df-BD0C-E02D7F6E4C0B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C8DA8C57-E220-4749-B5AB-E06DF0CF8319}\stubpath = "C:\\Windows\\{C8DA8C57-E220-4749-B5AB-E06DF0CF8319}.exe"	{E9DDDCD5-218F-4077-9602-AC482BCC628B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{534DB4B1-6EE1-4177-B274-ECD3E46C043F}\stubpath = "C:\\Windows\\{534DB4B1-6EE1-4177-B274-ECD3E46C043F}.exe"	{21622F11-C95C-4d2e-A0D7-7AB4BEC3DD6A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{14A241B1-B8C6-47a6-9162-D771F0C06A03}	{534DB4B1-6EE1-4177-B274-ECD3E46C043F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{268FB3A0-D821-45d3-B5DB-98F99723F8AD}\stubpath = "C:\\Windows\\{268FB3A0-D821-45d3-B5DB-98F99723F8AD}.exe"	{53C14499-9D35-4622-8CFB-B0C36871859D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8B079697-9B6B-4718-8837-5C795716E066}\stubpath = "C:\\Windows\\{8B079697-9B6B-4718-8837-5C795716E066}.exe"	2024-02-18_0261ff0691822157084b12b89134cdef_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{710F1F1E-AA72-48df-BD0C-E02D7F6E4C0B}\stubpath = "C:\\Windows\\{710F1F1E-AA72-48df-BD0C-E02D7F6E4C0B}.exe"	{8C066E86-E518-4053-8D1E-CF8339BA2CE8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{534DB4B1-6EE1-4177-B274-ECD3E46C043F}	{21622F11-C95C-4d2e-A0D7-7AB4BEC3DD6A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{53C14499-9D35-4622-8CFB-B0C36871859D}	{14A241B1-B8C6-47a6-9162-D771F0C06A03}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8C066E86-E518-4053-8D1E-CF8339BA2CE8}	{8B079697-9B6B-4718-8837-5C795716E066}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{21622F11-C95C-4d2e-A0D7-7AB4BEC3DD6A}\stubpath = "C:\\Windows\\{21622F11-C95C-4d2e-A0D7-7AB4BEC3DD6A}.exe"	{C8DA8C57-E220-4749-B5AB-E06DF0CF8319}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3D81F208-B55A-42c3-80C2-37FD64A66D50}	{268FB3A0-D821-45d3-B5DB-98F99723F8AD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3D81F208-B55A-42c3-80C2-37FD64A66D50}\stubpath = "C:\\Windows\\{3D81F208-B55A-42c3-80C2-37FD64A66D50}.exe"	{268FB3A0-D821-45d3-B5DB-98F99723F8AD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8B079697-9B6B-4718-8837-5C795716E066}	2024-02-18_0261ff0691822157084b12b89134cdef_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C8DA8C57-E220-4749-B5AB-E06DF0CF8319}	{E9DDDCD5-218F-4077-9602-AC482BCC628B}.exe

Executes dropped EXE 11 IoCs

pid	Process
2416	{8B079697-9B6B-4718-8837-5C795716E066}.exe
2864	{8C066E86-E518-4053-8D1E-CF8339BA2CE8}.exe
2696	{710F1F1E-AA72-48df-BD0C-E02D7F6E4C0B}.exe
2920	{E9DDDCD5-218F-4077-9602-AC482BCC628B}.exe
2288	{C8DA8C57-E220-4749-B5AB-E06DF0CF8319}.exe
2776	{21622F11-C95C-4d2e-A0D7-7AB4BEC3DD6A}.exe
2632	{534DB4B1-6EE1-4177-B274-ECD3E46C043F}.exe
1484	{14A241B1-B8C6-47a6-9162-D771F0C06A03}.exe
1616	{53C14499-9D35-4622-8CFB-B0C36871859D}.exe
1104	{268FB3A0-D821-45d3-B5DB-98F99723F8AD}.exe
2456	{3D81F208-B55A-42c3-80C2-37FD64A66D50}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{E9DDDCD5-218F-4077-9602-AC482BCC628B}.exe	{710F1F1E-AA72-48df-BD0C-E02D7F6E4C0B}.exe
File created	C:\Windows\{C8DA8C57-E220-4749-B5AB-E06DF0CF8319}.exe	{E9DDDCD5-218F-4077-9602-AC482BCC628B}.exe
File created	C:\Windows\{21622F11-C95C-4d2e-A0D7-7AB4BEC3DD6A}.exe	{C8DA8C57-E220-4749-B5AB-E06DF0CF8319}.exe
File created	C:\Windows\{534DB4B1-6EE1-4177-B274-ECD3E46C043F}.exe	{21622F11-C95C-4d2e-A0D7-7AB4BEC3DD6A}.exe
File created	C:\Windows\{53C14499-9D35-4622-8CFB-B0C36871859D}.exe	{14A241B1-B8C6-47a6-9162-D771F0C06A03}.exe
File created	C:\Windows\{710F1F1E-AA72-48df-BD0C-E02D7F6E4C0B}.exe	{8C066E86-E518-4053-8D1E-CF8339BA2CE8}.exe
File created	C:\Windows\{8C066E86-E518-4053-8D1E-CF8339BA2CE8}.exe	{8B079697-9B6B-4718-8837-5C795716E066}.exe
File created	C:\Windows\{14A241B1-B8C6-47a6-9162-D771F0C06A03}.exe	{534DB4B1-6EE1-4177-B274-ECD3E46C043F}.exe
File created	C:\Windows\{268FB3A0-D821-45d3-B5DB-98F99723F8AD}.exe	{53C14499-9D35-4622-8CFB-B0C36871859D}.exe
File created	C:\Windows\{3D81F208-B55A-42c3-80C2-37FD64A66D50}.exe	{268FB3A0-D821-45d3-B5DB-98F99723F8AD}.exe
File created	C:\Windows\{8B079697-9B6B-4718-8837-5C795716E066}.exe	2024-02-18_0261ff0691822157084b12b89134cdef_goldeneye.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2392	2024-02-18_0261ff0691822157084b12b89134cdef_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2416	{8B079697-9B6B-4718-8837-5C795716E066}.exe
Token: SeIncBasePriorityPrivilege	2864	{8C066E86-E518-4053-8D1E-CF8339BA2CE8}.exe
Token: SeIncBasePriorityPrivilege	2696	{710F1F1E-AA72-48df-BD0C-E02D7F6E4C0B}.exe
Token: SeIncBasePriorityPrivilege	2920	{E9DDDCD5-218F-4077-9602-AC482BCC628B}.exe
Token: SeIncBasePriorityPrivilege	2288	{C8DA8C57-E220-4749-B5AB-E06DF0CF8319}.exe
Token: SeIncBasePriorityPrivilege	2776	{21622F11-C95C-4d2e-A0D7-7AB4BEC3DD6A}.exe
Token: SeIncBasePriorityPrivilege	2632	{534DB4B1-6EE1-4177-B274-ECD3E46C043F}.exe
Token: SeIncBasePriorityPrivilege	1484	{14A241B1-B8C6-47a6-9162-D771F0C06A03}.exe
Token: SeIncBasePriorityPrivilege	1616	{53C14499-9D35-4622-8CFB-B0C36871859D}.exe
Token: SeIncBasePriorityPrivilege	1104	{268FB3A0-D821-45d3-B5DB-98F99723F8AD}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2392 wrote to memory of 2416	2392	2024-02-18_0261ff0691822157084b12b89134cdef_goldeneye.exe	28
PID 2392 wrote to memory of 2416	2392	2024-02-18_0261ff0691822157084b12b89134cdef_goldeneye.exe	28
PID 2392 wrote to memory of 2416	2392	2024-02-18_0261ff0691822157084b12b89134cdef_goldeneye.exe	28
PID 2392 wrote to memory of 2416	2392	2024-02-18_0261ff0691822157084b12b89134cdef_goldeneye.exe	28
PID 2392 wrote to memory of 2828	2392	2024-02-18_0261ff0691822157084b12b89134cdef_goldeneye.exe	29
PID 2392 wrote to memory of 2828	2392	2024-02-18_0261ff0691822157084b12b89134cdef_goldeneye.exe	29
PID 2392 wrote to memory of 2828	2392	2024-02-18_0261ff0691822157084b12b89134cdef_goldeneye.exe	29
PID 2392 wrote to memory of 2828	2392	2024-02-18_0261ff0691822157084b12b89134cdef_goldeneye.exe	29
PID 2416 wrote to memory of 2864	2416	{8B079697-9B6B-4718-8837-5C795716E066}.exe	30
PID 2416 wrote to memory of 2864	2416	{8B079697-9B6B-4718-8837-5C795716E066}.exe	30
PID 2416 wrote to memory of 2864	2416	{8B079697-9B6B-4718-8837-5C795716E066}.exe	30
PID 2416 wrote to memory of 2864	2416	{8B079697-9B6B-4718-8837-5C795716E066}.exe	30
PID 2416 wrote to memory of 2272	2416	{8B079697-9B6B-4718-8837-5C795716E066}.exe	31
PID 2416 wrote to memory of 2272	2416	{8B079697-9B6B-4718-8837-5C795716E066}.exe	31
PID 2416 wrote to memory of 2272	2416	{8B079697-9B6B-4718-8837-5C795716E066}.exe	31
PID 2416 wrote to memory of 2272	2416	{8B079697-9B6B-4718-8837-5C795716E066}.exe	31
PID 2864 wrote to memory of 2696	2864	{8C066E86-E518-4053-8D1E-CF8339BA2CE8}.exe	35
PID 2864 wrote to memory of 2696	2864	{8C066E86-E518-4053-8D1E-CF8339BA2CE8}.exe	35
PID 2864 wrote to memory of 2696	2864	{8C066E86-E518-4053-8D1E-CF8339BA2CE8}.exe	35
PID 2864 wrote to memory of 2696	2864	{8C066E86-E518-4053-8D1E-CF8339BA2CE8}.exe	35
PID 2864 wrote to memory of 868	2864	{8C066E86-E518-4053-8D1E-CF8339BA2CE8}.exe	34
PID 2864 wrote to memory of 868	2864	{8C066E86-E518-4053-8D1E-CF8339BA2CE8}.exe	34
PID 2864 wrote to memory of 868	2864	{8C066E86-E518-4053-8D1E-CF8339BA2CE8}.exe	34
PID 2864 wrote to memory of 868	2864	{8C066E86-E518-4053-8D1E-CF8339BA2CE8}.exe	34
PID 2696 wrote to memory of 2920	2696	{710F1F1E-AA72-48df-BD0C-E02D7F6E4C0B}.exe	36
PID 2696 wrote to memory of 2920	2696	{710F1F1E-AA72-48df-BD0C-E02D7F6E4C0B}.exe	36
PID 2696 wrote to memory of 2920	2696	{710F1F1E-AA72-48df-BD0C-E02D7F6E4C0B}.exe	36
PID 2696 wrote to memory of 2920	2696	{710F1F1E-AA72-48df-BD0C-E02D7F6E4C0B}.exe	36
PID 2696 wrote to memory of 2952	2696	{710F1F1E-AA72-48df-BD0C-E02D7F6E4C0B}.exe	37
PID 2696 wrote to memory of 2952	2696	{710F1F1E-AA72-48df-BD0C-E02D7F6E4C0B}.exe	37
PID 2696 wrote to memory of 2952	2696	{710F1F1E-AA72-48df-BD0C-E02D7F6E4C0B}.exe	37
PID 2696 wrote to memory of 2952	2696	{710F1F1E-AA72-48df-BD0C-E02D7F6E4C0B}.exe	37
PID 2920 wrote to memory of 2288	2920	{E9DDDCD5-218F-4077-9602-AC482BCC628B}.exe	38
PID 2920 wrote to memory of 2288	2920	{E9DDDCD5-218F-4077-9602-AC482BCC628B}.exe	38
PID 2920 wrote to memory of 2288	2920	{E9DDDCD5-218F-4077-9602-AC482BCC628B}.exe	38
PID 2920 wrote to memory of 2288	2920	{E9DDDCD5-218F-4077-9602-AC482BCC628B}.exe	38
PID 2920 wrote to memory of 2792	2920	{E9DDDCD5-218F-4077-9602-AC482BCC628B}.exe	39
PID 2920 wrote to memory of 2792	2920	{E9DDDCD5-218F-4077-9602-AC482BCC628B}.exe	39
PID 2920 wrote to memory of 2792	2920	{E9DDDCD5-218F-4077-9602-AC482BCC628B}.exe	39
PID 2920 wrote to memory of 2792	2920	{E9DDDCD5-218F-4077-9602-AC482BCC628B}.exe	39
PID 2288 wrote to memory of 2776	2288	{C8DA8C57-E220-4749-B5AB-E06DF0CF8319}.exe	41
PID 2288 wrote to memory of 2776	2288	{C8DA8C57-E220-4749-B5AB-E06DF0CF8319}.exe	41
PID 2288 wrote to memory of 2776	2288	{C8DA8C57-E220-4749-B5AB-E06DF0CF8319}.exe	41
PID 2288 wrote to memory of 2776	2288	{C8DA8C57-E220-4749-B5AB-E06DF0CF8319}.exe	41
PID 2288 wrote to memory of 1332	2288	{C8DA8C57-E220-4749-B5AB-E06DF0CF8319}.exe	40
PID 2288 wrote to memory of 1332	2288	{C8DA8C57-E220-4749-B5AB-E06DF0CF8319}.exe	40
PID 2288 wrote to memory of 1332	2288	{C8DA8C57-E220-4749-B5AB-E06DF0CF8319}.exe	40
PID 2288 wrote to memory of 1332	2288	{C8DA8C57-E220-4749-B5AB-E06DF0CF8319}.exe	40
PID 2776 wrote to memory of 2632	2776	{21622F11-C95C-4d2e-A0D7-7AB4BEC3DD6A}.exe	43
PID 2776 wrote to memory of 2632	2776	{21622F11-C95C-4d2e-A0D7-7AB4BEC3DD6A}.exe	43
PID 2776 wrote to memory of 2632	2776	{21622F11-C95C-4d2e-A0D7-7AB4BEC3DD6A}.exe	43
PID 2776 wrote to memory of 2632	2776	{21622F11-C95C-4d2e-A0D7-7AB4BEC3DD6A}.exe	43
PID 2776 wrote to memory of 688	2776	{21622F11-C95C-4d2e-A0D7-7AB4BEC3DD6A}.exe	42
PID 2776 wrote to memory of 688	2776	{21622F11-C95C-4d2e-A0D7-7AB4BEC3DD6A}.exe	42
PID 2776 wrote to memory of 688	2776	{21622F11-C95C-4d2e-A0D7-7AB4BEC3DD6A}.exe	42
PID 2776 wrote to memory of 688	2776	{21622F11-C95C-4d2e-A0D7-7AB4BEC3DD6A}.exe	42
PID 2632 wrote to memory of 1484	2632	{534DB4B1-6EE1-4177-B274-ECD3E46C043F}.exe	45
PID 2632 wrote to memory of 1484	2632	{534DB4B1-6EE1-4177-B274-ECD3E46C043F}.exe	45
PID 2632 wrote to memory of 1484	2632	{534DB4B1-6EE1-4177-B274-ECD3E46C043F}.exe	45
PID 2632 wrote to memory of 1484	2632	{534DB4B1-6EE1-4177-B274-ECD3E46C043F}.exe	45
PID 2632 wrote to memory of 2808	2632	{534DB4B1-6EE1-4177-B274-ECD3E46C043F}.exe	44
PID 2632 wrote to memory of 2808	2632	{534DB4B1-6EE1-4177-B274-ECD3E46C043F}.exe	44
PID 2632 wrote to memory of 2808	2632	{534DB4B1-6EE1-4177-B274-ECD3E46C043F}.exe	44
PID 2632 wrote to memory of 2808	2632	{534DB4B1-6EE1-4177-B274-ECD3E46C043F}.exe	44

C:\Users\Admin\AppData\Local\Temp\2024-02-18_0261ff0691822157084b12b89134cdef_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-18_0261ff0691822157084b12b89134cdef_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2392
- C:\Windows\{8B079697-9B6B-4718-8837-5C795716E066}.exe
  C:\Windows\{8B079697-9B6B-4718-8837-5C795716E066}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2416
- - C:\Windows\{8C066E86-E518-4053-8D1E-CF8339BA2CE8}.exe
    C:\Windows\{8C066E86-E518-4053-8D1E-CF8339BA2CE8}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2864
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{8C066~1.EXE > nul
      4⤵
      PID:868
  - - C:\Windows\{710F1F1E-AA72-48df-BD0C-E02D7F6E4C0B}.exe
      C:\Windows\{710F1F1E-AA72-48df-BD0C-E02D7F6E4C0B}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2696
    - - C:\Windows\{E9DDDCD5-218F-4077-9602-AC482BCC628B}.exe
        
        C:\Windows\{E9DDDCD5-218F-4077-9602-AC482BCC628B}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2920
      - C:\Windows\{C8DA8C57-E220-4749-B5AB-E06DF0CF8319}.exe
        
        C:\Windows\{C8DA8C57-E220-4749-B5AB-E06DF0CF8319}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C8DA8~1.EXE > nul
        7⤵
        
        PID:1332
        
        C:\Windows\{21622F11-C95C-4d2e-A0D7-7AB4BEC3DD6A}.exe
        
        C:\Windows\{21622F11-C95C-4d2e-A0D7-7AB4BEC3DD6A}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{21622~1.EXE > nul
        8⤵
        
        PID:688
        
        C:\Windows\{534DB4B1-6EE1-4177-B274-ECD3E46C043F}.exe
        
        C:\Windows\{534DB4B1-6EE1-4177-B274-ECD3E46C043F}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{534DB~1.EXE > nul
        9⤵
        
        PID:2808
        
        C:\Windows\{14A241B1-B8C6-47a6-9162-D771F0C06A03}.exe
        
        C:\Windows\{14A241B1-B8C6-47a6-9162-D771F0C06A03}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1484
        
        C:\Windows\{53C14499-9D35-4622-8CFB-B0C36871859D}.exe
        
        C:\Windows\{53C14499-9D35-4622-8CFB-B0C36871859D}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1616
        
        C:\Windows\{268FB3A0-D821-45d3-B5DB-98F99723F8AD}.exe
        
        C:\Windows\{268FB3A0-D821-45d3-B5DB-98F99723F8AD}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1104
        
        C:\Windows\{3D81F208-B55A-42c3-80C2-37FD64A66D50}.exe
        
        C:\Windows\{3D81F208-B55A-42c3-80C2-37FD64A66D50}.exe
        12⤵
        Executes dropped EXE
        
        PID:2456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{268FB~1.EXE > nul
        12⤵
        
        PID:852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{53C14~1.EXE > nul
        11⤵
        
        PID:1092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{14A24~1.EXE > nul
        10⤵
        
        PID:1528
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E9DDD~1.EXE > nul
        6⤵
        
        PID:2792
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{710F1~1.EXE > nul
        5⤵
        
        PID:2952
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{8B079~1.EXE > nul
    3⤵
    PID:2272
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{14A241B1-B8C6-47a6-9162-D771F0C06A03}.exe

Filesize
180KB

MD5
35aa627658b6698f34fbef7573dd91e2

SHA1
06c4cb6bbfd5769922d95a0f02ef11a459f3a17d

SHA256
5537cf29508f9dc3404619bf4ae3d92d859fa8a7205cf0b9bfc20676c333e95c

SHA512
f2ebab90560705dd85367bd8802f19e72b783a04a72155067337bcd8cda05bca1e922d8c07420c77a318a3d0e6fa9128d1407ef4bafa17f05e6ac000371d11a7

Download Submit
C:\Windows\{21622F11-C95C-4d2e-A0D7-7AB4BEC3DD6A}.exe

Filesize
180KB

MD5
89163836fdfc5b34d46b5786d6d5e2fd

SHA1
9f8ffa1b9247081fa7c17e9b4f3814cce1d9d9c3

SHA256
fe63f1650c3b952cdea5b60316a568d50e70bf4045ac542e980d5fa4d8672314

SHA512
c7a1c71a97f7b4956fbb092b20e5aa06cae309f2ce55476f3bdcf9a1d2c7b397e383365e0456fde6474bd0fd5a2ef775ee3ab55fa8b739d9abbb738260a75c85

Download Submit
C:\Windows\{268FB3A0-D821-45d3-B5DB-98F99723F8AD}.exe

Filesize
180KB

MD5
946c84a729212d4aad2e3378563074e9

SHA1
b5f5ae73a83f2117a3dd1ecce0b118c9c437bccc

SHA256
64958c7043079b0473a124bdfec621706ab0cf2d78b9b0ae7114faaa6f005c86

SHA512
811e617d4ee497bebb48cd39dcd11b097f1d851215abc46785f2b8af9815de1f910577500292b1f654291f9d10fe253b5a7399874ef26f25a95b1508c11f02b6

Download Submit
C:\Windows\{3D81F208-B55A-42c3-80C2-37FD64A66D50}.exe

Filesize
180KB

MD5
da111ce61fb5deb7a20cb68354829712

SHA1
ceb20d36d2266ce7867b042aa9c270d75aeb98c1

SHA256
9d53b3bf8fc2a1178e13804333d7c4add997e073d51875da0dbb43602aae8229

SHA512
fcab3d0ebcfdcb7bfb1148556f3012c0643d6a478958244b8a559aafa9c642e5f0235f8d66e1183d359f5202b994695d531735548cccb9ab4bce70e55b4fea56

Download Submit
C:\Windows\{534DB4B1-6EE1-4177-B274-ECD3E46C043F}.exe

Filesize
180KB

MD5
10fe4f82a1d90eba44d9b768b4ef01ce

SHA1
6527a2b46782ec3fc981bb2b3d8f1cd99d45ffd5

SHA256
5340f8fa1f65d2ee409a3ea9582ca2dfc691c7c2930090ff92e4162492de45dd

SHA512
ec1c406bd9e26da523f8fe964b9764d68f0ee5d6ee06735a7dd3c17e568e9bc07ef9299a76a4d41b553e152616b2b969b06e37cb02ce2dd7700d516fcc00e598

Download Submit
C:\Windows\{53C14499-9D35-4622-8CFB-B0C36871859D}.exe

Filesize
180KB

MD5
49b8aebc3ff32788192bce62d80c68de

SHA1
70584f21a34c4a5c755dd341d04da285e4397ed4

SHA256
fa098eb6fbcf1ad01bf2a11c4bfc005cfd1574d183a34ac3d8c2025db4b98964

SHA512
8f3ee14fe90700ddc63bbfd01a627cdf232adde257f1abcf61081f4bd73ad218cc574073b6f3bcc4518e877476b649eeebf29b5d7d84f27f5c44ff07e132be56

Download Submit
C:\Windows\{710F1F1E-AA72-48df-BD0C-E02D7F6E4C0B}.exe

Filesize
180KB

MD5
fc01ccb682aba1e24b50b9e27c029138

SHA1
89a0f4d32fff820eb4599837fdb91b3101aedbb9

SHA256
3573b965cfecb60ac632b41127161a912213fe4041f3aa605a6d0d9e7991621c

SHA512
b86c10fc3f814b3094e426c68523e187096a224fc809217f08ee0b21ab357a8ff2e28005cab7602b6be07bfd898580ea33a98596bd10f6d401905d581d7c0b8b

Download Submit
C:\Windows\{8B079697-9B6B-4718-8837-5C795716E066}.exe

Filesize
180KB

MD5
6c0adb1cea91b6a69cd6d3538ad414d3

SHA1
f2cd09aac228eecbb8dd867ba494f1f9ac1c9f53

SHA256
f02e57b52d9245838d71afcdcdfb6f5358cfff8324fae693b21d1c3566dd17fd

SHA512
92b69838c1265b2944806b64275d21752718d2b7775893c4960bd7a0338a436199fc5ef98be7dc09a6f94ed7751ee80a7204c403978ac2a170fb66c4c7ef3779

Download Submit
C:\Windows\{8C066E86-E518-4053-8D1E-CF8339BA2CE8}.exe

Filesize
180KB

MD5
33b10fffe61a4adbb3bac537ee532e24

SHA1
afb4b579db910f165f1e7d93dbe4e98b7aad91d7

SHA256
7a3d5faefee3c720207db504c1d6c3af15478b0f9724c91514d067614c86782e

SHA512
2cbb41f4db408245475f81e4db2a5a2ce5152e5fcf1e63277516ae280c07f639a7abf1d11269419c538f5b77a2f5c09c578fb92adc2f9f5f6aeb7d9b7e5e09c6

Download Submit
C:\Windows\{C8DA8C57-E220-4749-B5AB-E06DF0CF8319}.exe

Filesize
180KB

MD5
4140d5b5470ca68c65fd4fdc1741c672

SHA1
e37905ade3228b9cf2552e23057829b9060b4c33

SHA256
b1cbf642084c3f69b274b3668abd110bf3a7f171e76bed069d3d68413430ec20

SHA512
0ab621e2c961f2c5243f9275b97de2db37ae472549029c82a5161c21f420fb4b934ff2b8ce39d3a1d3fa569c4e5297269263822801d5f7fdca5c0f31d6c6ca8b

Download Submit
C:\Windows\{C8DA8C57-E220-4749-B5AB-E06DF0CF8319}.exe

Filesize
128KB

MD5
75d5da33a647eb0095038fcd4506252f

SHA1
ad7a09908a336304520e7eb46eb4ccf2e8f963bf

SHA256
58010f9b02417bc4156d3a8fb5dd9acb5b983a406ecf6de0449a3255a50c1b12

SHA512
28d8bfd8819d2216f3f3fd9ebcf2779f4191d149cab2e9e154b32a654fbd53e7a87f5ff4b7aab4e9781809903fa01381a6cf0b9c84282c1dd3fa1bba7469c0f5

Download Submit
C:\Windows\{E9DDDCD5-218F-4077-9602-AC482BCC628B}.exe

Filesize
180KB

MD5
b1a431aec4433d965523c5f366a36b2c

SHA1
25734a5a4fe757d8a91fa57adb9eb8ec064ddbe1

SHA256
941f77fb2d34aba84dbfc2e1792ce8814a7269f872b66f5c9af2fcb0f0381909

SHA512
549c862f71bf3684bc3e55adcac7741e4618ff128503b2b6d054130e19279c0e5c2a6f16c0103006fbebf5237e6edb0869419166f8db7cf32f27911e81e41a71

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads