54595d06b7a42f4579b9451e9c3d7899734d55196be8b198bb393fa43682bb50

Analysis

max time kernel
144s
max time network
126s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
19-02-2024 17:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-19_0b1c3fe30acbd6ad57b6485c6620784b_goldeneye.exe
Size

372KB
MD5

0b1c3fe30acbd6ad57b6485c6620784b
SHA1

1d840d9652a72ce11ff50bc7a9661535c49a24a8
SHA256

54595d06b7a42f4579b9451e9c3d7899734d55196be8b198bb393fa43682bb50
SHA512

99b4941ecfe2f2be66d30b2c70fe25b88640c300f544a8a01c81a5ac990ac9b75a400ecd2af62160646d4c57b1302bf46a479652837c854c3e9680aa7afa3673
SSDEEP

3072:CEGh0o3lMOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBfM:CEG9lkOe2MUVg3vTeKcAEciTBqr3

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000a000000012247-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002e000000015c9f-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000600000000f6f8-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b000000012247-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000700000000f6f8-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000012247-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000800000000f6f8-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002f000000015c9f-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0010000000015d8e-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000015e82-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0011000000015d8e-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4BE60BD3-FB4B-4fbc-B84F-6BAFB44CF59A}	{334AEB30-2C43-48ca-ACE9-7E9CB6CDA775}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4BE60BD3-FB4B-4fbc-B84F-6BAFB44CF59A}\stubpath = "C:\\Windows\\{4BE60BD3-FB4B-4fbc-B84F-6BAFB44CF59A}.exe"	{334AEB30-2C43-48ca-ACE9-7E9CB6CDA775}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2FEA5CBF-3689-45c7-801E-50EAAEDEA5B6}\stubpath = "C:\\Windows\\{2FEA5CBF-3689-45c7-801E-50EAAEDEA5B6}.exe"	{A74902CF-7707-4f32-AD97-2F439528C523}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{37D1C223-986C-4b09-ABFC-59C0C959660F}	{2FEA5CBF-3689-45c7-801E-50EAAEDEA5B6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B25B559F-8627-4b3e-92FA-33FF4C2CD410}	{D0A2DA0E-5E10-47c9-8B9C-8298117B5788}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B25B559F-8627-4b3e-92FA-33FF4C2CD410}\stubpath = "C:\\Windows\\{B25B559F-8627-4b3e-92FA-33FF4C2CD410}.exe"	{D0A2DA0E-5E10-47c9-8B9C-8298117B5788}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6E8A2997-0D1E-4301-869C-D9EB18D05DB3}	{B25B559F-8627-4b3e-92FA-33FF4C2CD410}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{334AEB30-2C43-48ca-ACE9-7E9CB6CDA775}\stubpath = "C:\\Windows\\{334AEB30-2C43-48ca-ACE9-7E9CB6CDA775}.exe"	{6E8A2997-0D1E-4301-869C-D9EB18D05DB3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5F8185FD-BCBE-419b-8E21-A9ABB7726389}	{22915228-EF6B-451e-91C4-0BA660E3E85F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A74902CF-7707-4f32-AD97-2F439528C523}	2024-02-19_0b1c3fe30acbd6ad57b6485c6620784b_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{22915228-EF6B-451e-91C4-0BA660E3E85F}	{4BE60BD3-FB4B-4fbc-B84F-6BAFB44CF59A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{334AEB30-2C43-48ca-ACE9-7E9CB6CDA775}	{6E8A2997-0D1E-4301-869C-D9EB18D05DB3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{22915228-EF6B-451e-91C4-0BA660E3E85F}\stubpath = "C:\\Windows\\{22915228-EF6B-451e-91C4-0BA660E3E85F}.exe"	{4BE60BD3-FB4B-4fbc-B84F-6BAFB44CF59A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A74902CF-7707-4f32-AD97-2F439528C523}\stubpath = "C:\\Windows\\{A74902CF-7707-4f32-AD97-2F439528C523}.exe"	2024-02-19_0b1c3fe30acbd6ad57b6485c6620784b_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2FEA5CBF-3689-45c7-801E-50EAAEDEA5B6}	{A74902CF-7707-4f32-AD97-2F439528C523}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{37D1C223-986C-4b09-ABFC-59C0C959660F}\stubpath = "C:\\Windows\\{37D1C223-986C-4b09-ABFC-59C0C959660F}.exe"	{2FEA5CBF-3689-45c7-801E-50EAAEDEA5B6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D0A2DA0E-5E10-47c9-8B9C-8298117B5788}	{37D1C223-986C-4b09-ABFC-59C0C959660F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D0A2DA0E-5E10-47c9-8B9C-8298117B5788}\stubpath = "C:\\Windows\\{D0A2DA0E-5E10-47c9-8B9C-8298117B5788}.exe"	{37D1C223-986C-4b09-ABFC-59C0C959660F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6E8A2997-0D1E-4301-869C-D9EB18D05DB3}\stubpath = "C:\\Windows\\{6E8A2997-0D1E-4301-869C-D9EB18D05DB3}.exe"	{B25B559F-8627-4b3e-92FA-33FF4C2CD410}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{16BA76B1-BBA8-4a4a-BF02-44F72F5A54BC}	{5F8185FD-BCBE-419b-8E21-A9ABB7726389}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5F8185FD-BCBE-419b-8E21-A9ABB7726389}\stubpath = "C:\\Windows\\{5F8185FD-BCBE-419b-8E21-A9ABB7726389}.exe"	{22915228-EF6B-451e-91C4-0BA660E3E85F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{16BA76B1-BBA8-4a4a-BF02-44F72F5A54BC}\stubpath = "C:\\Windows\\{16BA76B1-BBA8-4a4a-BF02-44F72F5A54BC}.exe"	{5F8185FD-BCBE-419b-8E21-A9ABB7726389}.exe

Deletes itself 1 IoCs

pid	Process
2776	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
3068	{A74902CF-7707-4f32-AD97-2F439528C523}.exe
2596	{2FEA5CBF-3689-45c7-801E-50EAAEDEA5B6}.exe
2624	{37D1C223-986C-4b09-ABFC-59C0C959660F}.exe
1056	{D0A2DA0E-5E10-47c9-8B9C-8298117B5788}.exe
2224	{B25B559F-8627-4b3e-92FA-33FF4C2CD410}.exe
2612	{6E8A2997-0D1E-4301-869C-D9EB18D05DB3}.exe
1956	{334AEB30-2C43-48ca-ACE9-7E9CB6CDA775}.exe
1344	{4BE60BD3-FB4B-4fbc-B84F-6BAFB44CF59A}.exe
1652	{22915228-EF6B-451e-91C4-0BA660E3E85F}.exe
2448	{5F8185FD-BCBE-419b-8E21-A9ABB7726389}.exe
1448	{16BA76B1-BBA8-4a4a-BF02-44F72F5A54BC}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{B25B559F-8627-4b3e-92FA-33FF4C2CD410}.exe	{D0A2DA0E-5E10-47c9-8B9C-8298117B5788}.exe
File created	C:\Windows\{6E8A2997-0D1E-4301-869C-D9EB18D05DB3}.exe	{B25B559F-8627-4b3e-92FA-33FF4C2CD410}.exe
File created	C:\Windows\{4BE60BD3-FB4B-4fbc-B84F-6BAFB44CF59A}.exe	{334AEB30-2C43-48ca-ACE9-7E9CB6CDA775}.exe
File created	C:\Windows\{22915228-EF6B-451e-91C4-0BA660E3E85F}.exe	{4BE60BD3-FB4B-4fbc-B84F-6BAFB44CF59A}.exe
File created	C:\Windows\{5F8185FD-BCBE-419b-8E21-A9ABB7726389}.exe	{22915228-EF6B-451e-91C4-0BA660E3E85F}.exe
File created	C:\Windows\{2FEA5CBF-3689-45c7-801E-50EAAEDEA5B6}.exe	{A74902CF-7707-4f32-AD97-2F439528C523}.exe
File created	C:\Windows\{37D1C223-986C-4b09-ABFC-59C0C959660F}.exe	{2FEA5CBF-3689-45c7-801E-50EAAEDEA5B6}.exe
File created	C:\Windows\{D0A2DA0E-5E10-47c9-8B9C-8298117B5788}.exe	{37D1C223-986C-4b09-ABFC-59C0C959660F}.exe
File created	C:\Windows\{A74902CF-7707-4f32-AD97-2F439528C523}.exe	2024-02-19_0b1c3fe30acbd6ad57b6485c6620784b_goldeneye.exe
File created	C:\Windows\{334AEB30-2C43-48ca-ACE9-7E9CB6CDA775}.exe	{6E8A2997-0D1E-4301-869C-D9EB18D05DB3}.exe
File created	C:\Windows\{16BA76B1-BBA8-4a4a-BF02-44F72F5A54BC}.exe	{5F8185FD-BCBE-419b-8E21-A9ABB7726389}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2880	2024-02-19_0b1c3fe30acbd6ad57b6485c6620784b_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3068	{A74902CF-7707-4f32-AD97-2F439528C523}.exe
Token: SeIncBasePriorityPrivilege	2596	{2FEA5CBF-3689-45c7-801E-50EAAEDEA5B6}.exe
Token: SeIncBasePriorityPrivilege	2624	{37D1C223-986C-4b09-ABFC-59C0C959660F}.exe
Token: SeIncBasePriorityPrivilege	1056	{D0A2DA0E-5E10-47c9-8B9C-8298117B5788}.exe
Token: SeIncBasePriorityPrivilege	2224	{B25B559F-8627-4b3e-92FA-33FF4C2CD410}.exe
Token: SeIncBasePriorityPrivilege	2612	{6E8A2997-0D1E-4301-869C-D9EB18D05DB3}.exe
Token: SeIncBasePriorityPrivilege	1956	{334AEB30-2C43-48ca-ACE9-7E9CB6CDA775}.exe
Token: SeIncBasePriorityPrivilege	1344	{4BE60BD3-FB4B-4fbc-B84F-6BAFB44CF59A}.exe
Token: SeIncBasePriorityPrivilege	1652	{22915228-EF6B-451e-91C4-0BA660E3E85F}.exe
Token: SeIncBasePriorityPrivilege	2448	{5F8185FD-BCBE-419b-8E21-A9ABB7726389}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2880 wrote to memory of 3068	2880	2024-02-19_0b1c3fe30acbd6ad57b6485c6620784b_goldeneye.exe	28
PID 2880 wrote to memory of 3068	2880	2024-02-19_0b1c3fe30acbd6ad57b6485c6620784b_goldeneye.exe	28
PID 2880 wrote to memory of 3068	2880	2024-02-19_0b1c3fe30acbd6ad57b6485c6620784b_goldeneye.exe	28
PID 2880 wrote to memory of 3068	2880	2024-02-19_0b1c3fe30acbd6ad57b6485c6620784b_goldeneye.exe	28
PID 2880 wrote to memory of 2776	2880	2024-02-19_0b1c3fe30acbd6ad57b6485c6620784b_goldeneye.exe	29
PID 2880 wrote to memory of 2776	2880	2024-02-19_0b1c3fe30acbd6ad57b6485c6620784b_goldeneye.exe	29
PID 2880 wrote to memory of 2776	2880	2024-02-19_0b1c3fe30acbd6ad57b6485c6620784b_goldeneye.exe	29
PID 2880 wrote to memory of 2776	2880	2024-02-19_0b1c3fe30acbd6ad57b6485c6620784b_goldeneye.exe	29
PID 3068 wrote to memory of 2596	3068	{A74902CF-7707-4f32-AD97-2F439528C523}.exe	32
PID 3068 wrote to memory of 2596	3068	{A74902CF-7707-4f32-AD97-2F439528C523}.exe	32
PID 3068 wrote to memory of 2596	3068	{A74902CF-7707-4f32-AD97-2F439528C523}.exe	32
PID 3068 wrote to memory of 2596	3068	{A74902CF-7707-4f32-AD97-2F439528C523}.exe	32
PID 3068 wrote to memory of 2060	3068	{A74902CF-7707-4f32-AD97-2F439528C523}.exe	33
PID 3068 wrote to memory of 2060	3068	{A74902CF-7707-4f32-AD97-2F439528C523}.exe	33
PID 3068 wrote to memory of 2060	3068	{A74902CF-7707-4f32-AD97-2F439528C523}.exe	33
PID 3068 wrote to memory of 2060	3068	{A74902CF-7707-4f32-AD97-2F439528C523}.exe	33
PID 2596 wrote to memory of 2624	2596	{2FEA5CBF-3689-45c7-801E-50EAAEDEA5B6}.exe	34
PID 2596 wrote to memory of 2624	2596	{2FEA5CBF-3689-45c7-801E-50EAAEDEA5B6}.exe	34
PID 2596 wrote to memory of 2624	2596	{2FEA5CBF-3689-45c7-801E-50EAAEDEA5B6}.exe	34
PID 2596 wrote to memory of 2624	2596	{2FEA5CBF-3689-45c7-801E-50EAAEDEA5B6}.exe	34
PID 2596 wrote to memory of 2984	2596	{2FEA5CBF-3689-45c7-801E-50EAAEDEA5B6}.exe	35
PID 2596 wrote to memory of 2984	2596	{2FEA5CBF-3689-45c7-801E-50EAAEDEA5B6}.exe	35
PID 2596 wrote to memory of 2984	2596	{2FEA5CBF-3689-45c7-801E-50EAAEDEA5B6}.exe	35
PID 2596 wrote to memory of 2984	2596	{2FEA5CBF-3689-45c7-801E-50EAAEDEA5B6}.exe	35
PID 2624 wrote to memory of 1056	2624	{37D1C223-986C-4b09-ABFC-59C0C959660F}.exe	36
PID 2624 wrote to memory of 1056	2624	{37D1C223-986C-4b09-ABFC-59C0C959660F}.exe	36
PID 2624 wrote to memory of 1056	2624	{37D1C223-986C-4b09-ABFC-59C0C959660F}.exe	36
PID 2624 wrote to memory of 1056	2624	{37D1C223-986C-4b09-ABFC-59C0C959660F}.exe	36
PID 2624 wrote to memory of 572	2624	{37D1C223-986C-4b09-ABFC-59C0C959660F}.exe	37
PID 2624 wrote to memory of 572	2624	{37D1C223-986C-4b09-ABFC-59C0C959660F}.exe	37
PID 2624 wrote to memory of 572	2624	{37D1C223-986C-4b09-ABFC-59C0C959660F}.exe	37
PID 2624 wrote to memory of 572	2624	{37D1C223-986C-4b09-ABFC-59C0C959660F}.exe	37
PID 1056 wrote to memory of 2224	1056	{D0A2DA0E-5E10-47c9-8B9C-8298117B5788}.exe	38
PID 1056 wrote to memory of 2224	1056	{D0A2DA0E-5E10-47c9-8B9C-8298117B5788}.exe	38
PID 1056 wrote to memory of 2224	1056	{D0A2DA0E-5E10-47c9-8B9C-8298117B5788}.exe	38
PID 1056 wrote to memory of 2224	1056	{D0A2DA0E-5E10-47c9-8B9C-8298117B5788}.exe	38
PID 1056 wrote to memory of 852	1056	{D0A2DA0E-5E10-47c9-8B9C-8298117B5788}.exe	39
PID 1056 wrote to memory of 852	1056	{D0A2DA0E-5E10-47c9-8B9C-8298117B5788}.exe	39
PID 1056 wrote to memory of 852	1056	{D0A2DA0E-5E10-47c9-8B9C-8298117B5788}.exe	39
PID 1056 wrote to memory of 852	1056	{D0A2DA0E-5E10-47c9-8B9C-8298117B5788}.exe	39
PID 2224 wrote to memory of 2612	2224	{B25B559F-8627-4b3e-92FA-33FF4C2CD410}.exe	40
PID 2224 wrote to memory of 2612	2224	{B25B559F-8627-4b3e-92FA-33FF4C2CD410}.exe	40
PID 2224 wrote to memory of 2612	2224	{B25B559F-8627-4b3e-92FA-33FF4C2CD410}.exe	40
PID 2224 wrote to memory of 2612	2224	{B25B559F-8627-4b3e-92FA-33FF4C2CD410}.exe	40
PID 2224 wrote to memory of 2116	2224	{B25B559F-8627-4b3e-92FA-33FF4C2CD410}.exe	41
PID 2224 wrote to memory of 2116	2224	{B25B559F-8627-4b3e-92FA-33FF4C2CD410}.exe	41
PID 2224 wrote to memory of 2116	2224	{B25B559F-8627-4b3e-92FA-33FF4C2CD410}.exe	41
PID 2224 wrote to memory of 2116	2224	{B25B559F-8627-4b3e-92FA-33FF4C2CD410}.exe	41
PID 2612 wrote to memory of 1956	2612	{6E8A2997-0D1E-4301-869C-D9EB18D05DB3}.exe	42
PID 2612 wrote to memory of 1956	2612	{6E8A2997-0D1E-4301-869C-D9EB18D05DB3}.exe	42
PID 2612 wrote to memory of 1956	2612	{6E8A2997-0D1E-4301-869C-D9EB18D05DB3}.exe	42
PID 2612 wrote to memory of 1956	2612	{6E8A2997-0D1E-4301-869C-D9EB18D05DB3}.exe	42
PID 2612 wrote to memory of 2488	2612	{6E8A2997-0D1E-4301-869C-D9EB18D05DB3}.exe	43
PID 2612 wrote to memory of 2488	2612	{6E8A2997-0D1E-4301-869C-D9EB18D05DB3}.exe	43
PID 2612 wrote to memory of 2488	2612	{6E8A2997-0D1E-4301-869C-D9EB18D05DB3}.exe	43
PID 2612 wrote to memory of 2488	2612	{6E8A2997-0D1E-4301-869C-D9EB18D05DB3}.exe	43
PID 1956 wrote to memory of 1344	1956	{334AEB30-2C43-48ca-ACE9-7E9CB6CDA775}.exe	44
PID 1956 wrote to memory of 1344	1956	{334AEB30-2C43-48ca-ACE9-7E9CB6CDA775}.exe	44
PID 1956 wrote to memory of 1344	1956	{334AEB30-2C43-48ca-ACE9-7E9CB6CDA775}.exe	44
PID 1956 wrote to memory of 1344	1956	{334AEB30-2C43-48ca-ACE9-7E9CB6CDA775}.exe	44
PID 1956 wrote to memory of 2476	1956	{334AEB30-2C43-48ca-ACE9-7E9CB6CDA775}.exe	45
PID 1956 wrote to memory of 2476	1956	{334AEB30-2C43-48ca-ACE9-7E9CB6CDA775}.exe	45
PID 1956 wrote to memory of 2476	1956	{334AEB30-2C43-48ca-ACE9-7E9CB6CDA775}.exe	45
PID 1956 wrote to memory of 2476	1956	{334AEB30-2C43-48ca-ACE9-7E9CB6CDA775}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-02-19_0b1c3fe30acbd6ad57b6485c6620784b_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-19_0b1c3fe30acbd6ad57b6485c6620784b_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2880
- C:\Windows\{A74902CF-7707-4f32-AD97-2F439528C523}.exe
  C:\Windows\{A74902CF-7707-4f32-AD97-2F439528C523}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3068
- - C:\Windows\{2FEA5CBF-3689-45c7-801E-50EAAEDEA5B6}.exe
    C:\Windows\{2FEA5CBF-3689-45c7-801E-50EAAEDEA5B6}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2596
  - - C:\Windows\{37D1C223-986C-4b09-ABFC-59C0C959660F}.exe
      C:\Windows\{37D1C223-986C-4b09-ABFC-59C0C959660F}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2624
    - - C:\Windows\{D0A2DA0E-5E10-47c9-8B9C-8298117B5788}.exe
        
        C:\Windows\{D0A2DA0E-5E10-47c9-8B9C-8298117B5788}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1056
      - C:\Windows\{B25B559F-8627-4b3e-92FA-33FF4C2CD410}.exe
        
        C:\Windows\{B25B559F-8627-4b3e-92FA-33FF4C2CD410}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2224
        
        C:\Windows\{6E8A2997-0D1E-4301-869C-D9EB18D05DB3}.exe
        
        C:\Windows\{6E8A2997-0D1E-4301-869C-D9EB18D05DB3}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2612
        
        C:\Windows\{334AEB30-2C43-48ca-ACE9-7E9CB6CDA775}.exe
        
        C:\Windows\{334AEB30-2C43-48ca-ACE9-7E9CB6CDA775}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1956
        
        C:\Windows\{4BE60BD3-FB4B-4fbc-B84F-6BAFB44CF59A}.exe
        
        C:\Windows\{4BE60BD3-FB4B-4fbc-B84F-6BAFB44CF59A}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1344
        
        C:\Windows\{22915228-EF6B-451e-91C4-0BA660E3E85F}.exe
        
        C:\Windows\{22915228-EF6B-451e-91C4-0BA660E3E85F}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1652
        
        C:\Windows\{5F8185FD-BCBE-419b-8E21-A9ABB7726389}.exe
        
        C:\Windows\{5F8185FD-BCBE-419b-8E21-A9ABB7726389}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2448
        
        C:\Windows\{16BA76B1-BBA8-4a4a-BF02-44F72F5A54BC}.exe
        
        C:\Windows\{16BA76B1-BBA8-4a4a-BF02-44F72F5A54BC}.exe
        12⤵
        Executes dropped EXE
        
        PID:1448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5F818~1.EXE > nul
        12⤵
        
        PID:464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{22915~1.EXE > nul
        11⤵
        
        PID:520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4BE60~1.EXE > nul
        10⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{334AE~1.EXE > nul
        9⤵
        
        PID:2476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6E8A2~1.EXE > nul
        8⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B25B5~1.EXE > nul
        7⤵
        
        PID:2116
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D0A2D~1.EXE > nul
        6⤵
        
        PID:852
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{37D1C~1.EXE > nul
        5⤵
        
        PID:572
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{2FEA5~1.EXE > nul
      4⤵
      PID:2984
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{A7490~1.EXE > nul
    3⤵
    PID:2060
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{16BA76B1-BBA8-4a4a-BF02-44F72F5A54BC}.exe

Filesize
372KB

MD5
cba699f5a6b17e6dec1e9a749de46256

SHA1
02784e75f29be14958c63737b78523a43b7134cd

SHA256
5a6cad29c784d6f258932670b276711937c8fdc326f1235c59fb6d71cc04fcad

SHA512
c3c1ba935bd89f0ce7e21eb9053aafcc6115adc820eb21d04fec0a8255865772f890b30e47f66bc635108d74e24f758006f9a4148226ef884a39f7b4cd37b6e7

Download Submit
C:\Windows\{22915228-EF6B-451e-91C4-0BA660E3E85F}.exe

Filesize
372KB

MD5
dc1e61907814d2fbb3e9f3f8543a6151

SHA1
b8fb97376800527bbb59bf31ecaa9ab559b0fe9c

SHA256
9ae8c473d3374ca0e55da6c59518f86a3a11aa4ae9e3c26e04d0a14c23d6d095

SHA512
77284af3447283b6165869cb78a5a845c009dbe991e78e5586df1c369d9dcf0cf3edc0378660c4895c5d59488925135dbfc7da3a0dbd13766e783a5178a5da4e

Download Submit
C:\Windows\{2FEA5CBF-3689-45c7-801E-50EAAEDEA5B6}.exe

Filesize
372KB

MD5
b0af210f85094a293aa99023747e4d36

SHA1
9569f7d9d30e58a8d274cac1d387473bf86301ca

SHA256
8f943137d14e8d4517e8906b86242a1d0d0a93f100450da4138a83e966ccb213

SHA512
2842825e0bf1c7c604524a6d2658eecd9d08c703b9ba6737cfd8265025da863b4f28a08ae4e203b0113c9ab307dd22ec02065fb2309c9a425c2e8a25b96dcc27

Download Submit
C:\Windows\{334AEB30-2C43-48ca-ACE9-7E9CB6CDA775}.exe

Filesize
372KB

MD5
321e147be43af158a565afef515e19b0

SHA1
16c9862c56d64027bbe9ca5b27e0ee9f2268822b

SHA256
9570c1e29669d1a924318da08c5603c33f95d493cd2ab3bc0ee24e52ce16ec04

SHA512
90dda08e2a20e149341b9a545b56f22e32f0bfc6fab26b6af89ac5f96a4c6667add23bdb4c276dfd27c6b0814edd0a4ffffe8a5fd4b3db6db5a82c23c34de923

Download Submit
C:\Windows\{37D1C223-986C-4b09-ABFC-59C0C959660F}.exe

Filesize
372KB

MD5
b980ba93f60867739b669c7a97a81134

SHA1
0d48836fcece4985a1a96d56eaefe9f37845c5c7

SHA256
cfedf7582de9691d15e2e5dbc2fd3ed4bbf88c109b8dccfc24beaa9346bca728

SHA512
f8de02e54507e99d454364029a667f515e9011155a269e1f13218f8116f32a5d985695533ba2bb9d282e174422b8829f586fdbe5826b3080011002d98d3f9a85

Download Submit
C:\Windows\{4BE60BD3-FB4B-4fbc-B84F-6BAFB44CF59A}.exe

Filesize
372KB

MD5
5a6e29dd9fb65e4de927dcb808369714

SHA1
a9590b11867a85b195a8d2b972488b54e0f1ee83

SHA256
68d2fa07b09e6d9e8ee80d7b12ddd0604bae36bcb0f6c87816b90dc904e357a1

SHA512
ace6dac1d8c1a6e3d64c3b41c69a2ac4c0c3aee905ae636cbe0b0ddbcc5144933d0c5c0944ee218c846a8dbe895e05018adb244dec23613c245854a8546686bd

Download Submit
C:\Windows\{5F8185FD-BCBE-419b-8E21-A9ABB7726389}.exe

Filesize
372KB

MD5
76d3eb12b20a99f138131ed61a48e176

SHA1
70a583e759b0bd6032cbacfc58c75d476b544ad8

SHA256
a7b175288e4b11250092953345c29018513c2a5f439c54f778260f45732a5e89

SHA512
42e5d77eb3ff74f96c40b0ab71971cc3a69601c0d3c092d63bdda462c73520b871f17f38ce426c8b63665ccdaf0acb3703d3c30c7521971a0eb75b6052dbe773

Download Submit
C:\Windows\{6E8A2997-0D1E-4301-869C-D9EB18D05DB3}.exe

Filesize
372KB

MD5
ff555f4d87974658cc4d04c7bbd5e947

SHA1
46f80faeae0d2d1fed60309150ef35ea097a2143

SHA256
f22eb30a51706ed84b3ad8158091f09140d94bd431cb95616334cffb27ae7466

SHA512
b3085c5df9674dd3eec755f44a2c4ff054a0f3a379d627dd4f385c1e26b93a23a68eabfdfcb56012eaa2b7b10a306a051a126cc443fe799455947ac8d66aaef5

Download Submit
C:\Windows\{A74902CF-7707-4f32-AD97-2F439528C523}.exe

Filesize
372KB

MD5
cc6225ca78a04d8424519a174de28b9d

SHA1
4623c84b242062d46f65ffb52d4adeb4aa39ac35

SHA256
d2ca9711e2c2c84628f185b97f23adc5c02ede2b087eb4bfada53e195fdbad70

SHA512
1bdfcab857408fdcea3dd0d4416de940e7faf424c0aa102fe597f49759dcaeedfea70cb91727e86d99cb0399410d27b056ab76460fe4c59adee628f79997b4e0

Download Submit
C:\Windows\{B25B559F-8627-4b3e-92FA-33FF4C2CD410}.exe

Filesize
372KB

MD5
56aff7fc0a65dc04a98fabe98683f194

SHA1
f952df5f8abb2fb816ecd19d90da47a58442e816

SHA256
103fdda1ea2eef15d8cbd4ccffd7538607d5771c7ae9054db7a4e4bd50ae72f0

SHA512
774e64ec8484e758b1b849b760c1598315902a807fba3b44d5339104ecb9a8973ccd6416ee30dadd6ea3b20de011d616565870d47bf4658b0a8732c9faf269b8

Download Submit
C:\Windows\{D0A2DA0E-5E10-47c9-8B9C-8298117B5788}.exe

Filesize
372KB

MD5
11f8ce9b50d85f82a749a150e645ecec

SHA1
7bd79536fb65762e46634a113f946b8648bc373b

SHA256
fe1c5edb08315c7a2fc0c2df306560da8ea7a88b308458b474c94c8b0d201fed

SHA512
a80a4b1f32b0a72652e80bed5dd904111f7a57cb0d6b5ef5f4f08ec36202c06f4c76e7197b78a197b54a04788e0b68e670f4f9d82fab7d751c1f666d939f22c6

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads