655372c34b139d1bb2a8ff365896a8e93ccbd0ceb8cb6eaff3724a616aa457ac

Analysis

max time kernel
144s
max time network
120s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
22/02/2024, 05:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-22_ea76e1a1498b2b3ec513911914620492_goldeneye.exe
Size

204KB
MD5

ea76e1a1498b2b3ec513911914620492
SHA1

d9c76ed59ef5dc4ee04d00a2df6a59645e207e40
SHA256

655372c34b139d1bb2a8ff365896a8e93ccbd0ceb8cb6eaff3724a616aa457ac
SHA512

0702fc173d99333fa06eaeb76afa018f24f6f69504b83819cd0b7bdd9d30874f9f95eb3e88bcac3505b7ec7188cd9f1f5768613417ec58ca961f3c13c87ce349
SSDEEP

1536:1EGh0oAl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oAl1OPOe2MUVg3Ve+rXfMUy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000d00000001231a-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0033000000013a3d-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e00000001231a-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0033000000013a7c-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f00000001231a-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001000000001231a-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001100000001231a-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{006D847A-D5CC-4cee-A4C8-763AFF04FA55}	{321648D9-90F2-4316-A975-71AB4DF66ABB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{006D847A-D5CC-4cee-A4C8-763AFF04FA55}\stubpath = "C:\\Windows\\{006D847A-D5CC-4cee-A4C8-763AFF04FA55}.exe"	{321648D9-90F2-4316-A975-71AB4DF66ABB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D6A0874F-E8D9-4272-8BCA-E6F24DEBDE75}	{006D847A-D5CC-4cee-A4C8-763AFF04FA55}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5D91FA38-6C56-45ed-90ED-D31A424C6654}	{D6A0874F-E8D9-4272-8BCA-E6F24DEBDE75}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5D91FA38-6C56-45ed-90ED-D31A424C6654}\stubpath = "C:\\Windows\\{5D91FA38-6C56-45ed-90ED-D31A424C6654}.exe"	{D6A0874F-E8D9-4272-8BCA-E6F24DEBDE75}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{321648D9-90F2-4316-A975-71AB4DF66ABB}\stubpath = "C:\\Windows\\{321648D9-90F2-4316-A975-71AB4DF66ABB}.exe"	{DA3D0C8B-C35D-48b4-BC0B-EF3B43B6BEBB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{321648D9-90F2-4316-A975-71AB4DF66ABB}	{DA3D0C8B-C35D-48b4-BC0B-EF3B43B6BEBB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{51020CE4-0C22-4a1f-A070-F49E5C7058ED}\stubpath = "C:\\Windows\\{51020CE4-0C22-4a1f-A070-F49E5C7058ED}.exe"	{7318002B-3A23-4f2a-BD21-10790EBC5718}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{17004B77-2DDB-42d7-A0DA-624BA75916F7}	{51020CE4-0C22-4a1f-A070-F49E5C7058ED}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C3747D87-0C6A-4c58-AFA7-0C786038775E}	{17004B77-2DDB-42d7-A0DA-624BA75916F7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DA3D0C8B-C35D-48b4-BC0B-EF3B43B6BEBB}\stubpath = "C:\\Windows\\{DA3D0C8B-C35D-48b4-BC0B-EF3B43B6BEBB}.exe"	{B15E4ACC-E2FD-4c2b-8201-1A59B07176F2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7318002B-3A23-4f2a-BD21-10790EBC5718}\stubpath = "C:\\Windows\\{7318002B-3A23-4f2a-BD21-10790EBC5718}.exe"	{5D91FA38-6C56-45ed-90ED-D31A424C6654}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{51020CE4-0C22-4a1f-A070-F49E5C7058ED}	{7318002B-3A23-4f2a-BD21-10790EBC5718}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C3747D87-0C6A-4c58-AFA7-0C786038775E}\stubpath = "C:\\Windows\\{C3747D87-0C6A-4c58-AFA7-0C786038775E}.exe"	{17004B77-2DDB-42d7-A0DA-624BA75916F7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{64EC6B4D-41D2-4aa5-96A4-74A30A10927E}	{C3747D87-0C6A-4c58-AFA7-0C786038775E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B15E4ACC-E2FD-4c2b-8201-1A59B07176F2}	2024-02-22_ea76e1a1498b2b3ec513911914620492_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DA3D0C8B-C35D-48b4-BC0B-EF3B43B6BEBB}	{B15E4ACC-E2FD-4c2b-8201-1A59B07176F2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D6A0874F-E8D9-4272-8BCA-E6F24DEBDE75}\stubpath = "C:\\Windows\\{D6A0874F-E8D9-4272-8BCA-E6F24DEBDE75}.exe"	{006D847A-D5CC-4cee-A4C8-763AFF04FA55}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7318002B-3A23-4f2a-BD21-10790EBC5718}	{5D91FA38-6C56-45ed-90ED-D31A424C6654}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{17004B77-2DDB-42d7-A0DA-624BA75916F7}\stubpath = "C:\\Windows\\{17004B77-2DDB-42d7-A0DA-624BA75916F7}.exe"	{51020CE4-0C22-4a1f-A070-F49E5C7058ED}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{64EC6B4D-41D2-4aa5-96A4-74A30A10927E}\stubpath = "C:\\Windows\\{64EC6B4D-41D2-4aa5-96A4-74A30A10927E}.exe"	{C3747D87-0C6A-4c58-AFA7-0C786038775E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B15E4ACC-E2FD-4c2b-8201-1A59B07176F2}\stubpath = "C:\\Windows\\{B15E4ACC-E2FD-4c2b-8201-1A59B07176F2}.exe"	2024-02-22_ea76e1a1498b2b3ec513911914620492_goldeneye.exe

Deletes itself 1 IoCs

pid	Process
2600	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2204	{B15E4ACC-E2FD-4c2b-8201-1A59B07176F2}.exe
3044	{DA3D0C8B-C35D-48b4-BC0B-EF3B43B6BEBB}.exe
2488	{321648D9-90F2-4316-A975-71AB4DF66ABB}.exe
1840	{006D847A-D5CC-4cee-A4C8-763AFF04FA55}.exe
2548	{D6A0874F-E8D9-4272-8BCA-E6F24DEBDE75}.exe
2024	{5D91FA38-6C56-45ed-90ED-D31A424C6654}.exe
1060	{7318002B-3A23-4f2a-BD21-10790EBC5718}.exe
1648	{51020CE4-0C22-4a1f-A070-F49E5C7058ED}.exe
2304	{17004B77-2DDB-42d7-A0DA-624BA75916F7}.exe
876	{C3747D87-0C6A-4c58-AFA7-0C786038775E}.exe
1504	{64EC6B4D-41D2-4aa5-96A4-74A30A10927E}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{17004B77-2DDB-42d7-A0DA-624BA75916F7}.exe	{51020CE4-0C22-4a1f-A070-F49E5C7058ED}.exe
File created	C:\Windows\{64EC6B4D-41D2-4aa5-96A4-74A30A10927E}.exe	{C3747D87-0C6A-4c58-AFA7-0C786038775E}.exe
File created	C:\Windows\{321648D9-90F2-4316-A975-71AB4DF66ABB}.exe	{DA3D0C8B-C35D-48b4-BC0B-EF3B43B6BEBB}.exe
File created	C:\Windows\{D6A0874F-E8D9-4272-8BCA-E6F24DEBDE75}.exe	{006D847A-D5CC-4cee-A4C8-763AFF04FA55}.exe
File created	C:\Windows\{5D91FA38-6C56-45ed-90ED-D31A424C6654}.exe	{D6A0874F-E8D9-4272-8BCA-E6F24DEBDE75}.exe
File created	C:\Windows\{7318002B-3A23-4f2a-BD21-10790EBC5718}.exe	{5D91FA38-6C56-45ed-90ED-D31A424C6654}.exe
File created	C:\Windows\{51020CE4-0C22-4a1f-A070-F49E5C7058ED}.exe	{7318002B-3A23-4f2a-BD21-10790EBC5718}.exe
File created	C:\Windows\{C3747D87-0C6A-4c58-AFA7-0C786038775E}.exe	{17004B77-2DDB-42d7-A0DA-624BA75916F7}.exe
File created	C:\Windows\{B15E4ACC-E2FD-4c2b-8201-1A59B07176F2}.exe	2024-02-22_ea76e1a1498b2b3ec513911914620492_goldeneye.exe
File created	C:\Windows\{DA3D0C8B-C35D-48b4-BC0B-EF3B43B6BEBB}.exe	{B15E4ACC-E2FD-4c2b-8201-1A59B07176F2}.exe
File created	C:\Windows\{006D847A-D5CC-4cee-A4C8-763AFF04FA55}.exe	{321648D9-90F2-4316-A975-71AB4DF66ABB}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2120	2024-02-22_ea76e1a1498b2b3ec513911914620492_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2204	{B15E4ACC-E2FD-4c2b-8201-1A59B07176F2}.exe
Token: SeIncBasePriorityPrivilege	3044	{DA3D0C8B-C35D-48b4-BC0B-EF3B43B6BEBB}.exe
Token: SeIncBasePriorityPrivilege	2488	{321648D9-90F2-4316-A975-71AB4DF66ABB}.exe
Token: SeIncBasePriorityPrivilege	1840	{006D847A-D5CC-4cee-A4C8-763AFF04FA55}.exe
Token: SeIncBasePriorityPrivilege	2548	{D6A0874F-E8D9-4272-8BCA-E6F24DEBDE75}.exe
Token: SeIncBasePriorityPrivilege	2024	{5D91FA38-6C56-45ed-90ED-D31A424C6654}.exe
Token: SeIncBasePriorityPrivilege	1060	{7318002B-3A23-4f2a-BD21-10790EBC5718}.exe
Token: SeIncBasePriorityPrivilege	1648	{51020CE4-0C22-4a1f-A070-F49E5C7058ED}.exe
Token: SeIncBasePriorityPrivilege	2304	{17004B77-2DDB-42d7-A0DA-624BA75916F7}.exe
Token: SeIncBasePriorityPrivilege	876	{C3747D87-0C6A-4c58-AFA7-0C786038775E}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2120 wrote to memory of 2204	2120	2024-02-22_ea76e1a1498b2b3ec513911914620492_goldeneye.exe	28
PID 2120 wrote to memory of 2204	2120	2024-02-22_ea76e1a1498b2b3ec513911914620492_goldeneye.exe	28
PID 2120 wrote to memory of 2204	2120	2024-02-22_ea76e1a1498b2b3ec513911914620492_goldeneye.exe	28
PID 2120 wrote to memory of 2204	2120	2024-02-22_ea76e1a1498b2b3ec513911914620492_goldeneye.exe	28
PID 2120 wrote to memory of 2600	2120	2024-02-22_ea76e1a1498b2b3ec513911914620492_goldeneye.exe	29
PID 2120 wrote to memory of 2600	2120	2024-02-22_ea76e1a1498b2b3ec513911914620492_goldeneye.exe	29
PID 2120 wrote to memory of 2600	2120	2024-02-22_ea76e1a1498b2b3ec513911914620492_goldeneye.exe	29
PID 2120 wrote to memory of 2600	2120	2024-02-22_ea76e1a1498b2b3ec513911914620492_goldeneye.exe	29
PID 2204 wrote to memory of 3044	2204	{B15E4ACC-E2FD-4c2b-8201-1A59B07176F2}.exe	30
PID 2204 wrote to memory of 3044	2204	{B15E4ACC-E2FD-4c2b-8201-1A59B07176F2}.exe	30
PID 2204 wrote to memory of 3044	2204	{B15E4ACC-E2FD-4c2b-8201-1A59B07176F2}.exe	30
PID 2204 wrote to memory of 3044	2204	{B15E4ACC-E2FD-4c2b-8201-1A59B07176F2}.exe	30
PID 2204 wrote to memory of 2280	2204	{B15E4ACC-E2FD-4c2b-8201-1A59B07176F2}.exe	31
PID 2204 wrote to memory of 2280	2204	{B15E4ACC-E2FD-4c2b-8201-1A59B07176F2}.exe	31
PID 2204 wrote to memory of 2280	2204	{B15E4ACC-E2FD-4c2b-8201-1A59B07176F2}.exe	31
PID 2204 wrote to memory of 2280	2204	{B15E4ACC-E2FD-4c2b-8201-1A59B07176F2}.exe	31
PID 3044 wrote to memory of 2488	3044	{DA3D0C8B-C35D-48b4-BC0B-EF3B43B6BEBB}.exe	33
PID 3044 wrote to memory of 2488	3044	{DA3D0C8B-C35D-48b4-BC0B-EF3B43B6BEBB}.exe	33
PID 3044 wrote to memory of 2488	3044	{DA3D0C8B-C35D-48b4-BC0B-EF3B43B6BEBB}.exe	33
PID 3044 wrote to memory of 2488	3044	{DA3D0C8B-C35D-48b4-BC0B-EF3B43B6BEBB}.exe	33
PID 3044 wrote to memory of 2624	3044	{DA3D0C8B-C35D-48b4-BC0B-EF3B43B6BEBB}.exe	32
PID 3044 wrote to memory of 2624	3044	{DA3D0C8B-C35D-48b4-BC0B-EF3B43B6BEBB}.exe	32
PID 3044 wrote to memory of 2624	3044	{DA3D0C8B-C35D-48b4-BC0B-EF3B43B6BEBB}.exe	32
PID 3044 wrote to memory of 2624	3044	{DA3D0C8B-C35D-48b4-BC0B-EF3B43B6BEBB}.exe	32
PID 2488 wrote to memory of 1840	2488	{321648D9-90F2-4316-A975-71AB4DF66ABB}.exe	36
PID 2488 wrote to memory of 1840	2488	{321648D9-90F2-4316-A975-71AB4DF66ABB}.exe	36
PID 2488 wrote to memory of 1840	2488	{321648D9-90F2-4316-A975-71AB4DF66ABB}.exe	36
PID 2488 wrote to memory of 1840	2488	{321648D9-90F2-4316-A975-71AB4DF66ABB}.exe	36
PID 2488 wrote to memory of 2436	2488	{321648D9-90F2-4316-A975-71AB4DF66ABB}.exe	37
PID 2488 wrote to memory of 2436	2488	{321648D9-90F2-4316-A975-71AB4DF66ABB}.exe	37
PID 2488 wrote to memory of 2436	2488	{321648D9-90F2-4316-A975-71AB4DF66ABB}.exe	37
PID 2488 wrote to memory of 2436	2488	{321648D9-90F2-4316-A975-71AB4DF66ABB}.exe	37
PID 1840 wrote to memory of 2548	1840	{006D847A-D5CC-4cee-A4C8-763AFF04FA55}.exe	38
PID 1840 wrote to memory of 2548	1840	{006D847A-D5CC-4cee-A4C8-763AFF04FA55}.exe	38
PID 1840 wrote to memory of 2548	1840	{006D847A-D5CC-4cee-A4C8-763AFF04FA55}.exe	38
PID 1840 wrote to memory of 2548	1840	{006D847A-D5CC-4cee-A4C8-763AFF04FA55}.exe	38
PID 1840 wrote to memory of 2884	1840	{006D847A-D5CC-4cee-A4C8-763AFF04FA55}.exe	39
PID 1840 wrote to memory of 2884	1840	{006D847A-D5CC-4cee-A4C8-763AFF04FA55}.exe	39
PID 1840 wrote to memory of 2884	1840	{006D847A-D5CC-4cee-A4C8-763AFF04FA55}.exe	39
PID 1840 wrote to memory of 2884	1840	{006D847A-D5CC-4cee-A4C8-763AFF04FA55}.exe	39
PID 2548 wrote to memory of 2024	2548	{D6A0874F-E8D9-4272-8BCA-E6F24DEBDE75}.exe	41
PID 2548 wrote to memory of 2024	2548	{D6A0874F-E8D9-4272-8BCA-E6F24DEBDE75}.exe	41
PID 2548 wrote to memory of 2024	2548	{D6A0874F-E8D9-4272-8BCA-E6F24DEBDE75}.exe	41
PID 2548 wrote to memory of 2024	2548	{D6A0874F-E8D9-4272-8BCA-E6F24DEBDE75}.exe	41
PID 2548 wrote to memory of 1828	2548	{D6A0874F-E8D9-4272-8BCA-E6F24DEBDE75}.exe	40
PID 2548 wrote to memory of 1828	2548	{D6A0874F-E8D9-4272-8BCA-E6F24DEBDE75}.exe	40
PID 2548 wrote to memory of 1828	2548	{D6A0874F-E8D9-4272-8BCA-E6F24DEBDE75}.exe	40
PID 2548 wrote to memory of 1828	2548	{D6A0874F-E8D9-4272-8BCA-E6F24DEBDE75}.exe	40
PID 2024 wrote to memory of 1060	2024	{5D91FA38-6C56-45ed-90ED-D31A424C6654}.exe	43
PID 2024 wrote to memory of 1060	2024	{5D91FA38-6C56-45ed-90ED-D31A424C6654}.exe	43
PID 2024 wrote to memory of 1060	2024	{5D91FA38-6C56-45ed-90ED-D31A424C6654}.exe	43
PID 2024 wrote to memory of 1060	2024	{5D91FA38-6C56-45ed-90ED-D31A424C6654}.exe	43
PID 2024 wrote to memory of 2220	2024	{5D91FA38-6C56-45ed-90ED-D31A424C6654}.exe	42
PID 2024 wrote to memory of 2220	2024	{5D91FA38-6C56-45ed-90ED-D31A424C6654}.exe	42
PID 2024 wrote to memory of 2220	2024	{5D91FA38-6C56-45ed-90ED-D31A424C6654}.exe	42
PID 2024 wrote to memory of 2220	2024	{5D91FA38-6C56-45ed-90ED-D31A424C6654}.exe	42
PID 1060 wrote to memory of 1648	1060	{7318002B-3A23-4f2a-BD21-10790EBC5718}.exe	44
PID 1060 wrote to memory of 1648	1060	{7318002B-3A23-4f2a-BD21-10790EBC5718}.exe	44
PID 1060 wrote to memory of 1648	1060	{7318002B-3A23-4f2a-BD21-10790EBC5718}.exe	44
PID 1060 wrote to memory of 1648	1060	{7318002B-3A23-4f2a-BD21-10790EBC5718}.exe	44
PID 1060 wrote to memory of 1692	1060	{7318002B-3A23-4f2a-BD21-10790EBC5718}.exe	45
PID 1060 wrote to memory of 1692	1060	{7318002B-3A23-4f2a-BD21-10790EBC5718}.exe	45
PID 1060 wrote to memory of 1692	1060	{7318002B-3A23-4f2a-BD21-10790EBC5718}.exe	45
PID 1060 wrote to memory of 1692	1060	{7318002B-3A23-4f2a-BD21-10790EBC5718}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-02-22_ea76e1a1498b2b3ec513911914620492_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-22_ea76e1a1498b2b3ec513911914620492_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2120
- C:\Windows\{B15E4ACC-E2FD-4c2b-8201-1A59B07176F2}.exe
  C:\Windows\{B15E4ACC-E2FD-4c2b-8201-1A59B07176F2}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2204
- - C:\Windows\{DA3D0C8B-C35D-48b4-BC0B-EF3B43B6BEBB}.exe
    C:\Windows\{DA3D0C8B-C35D-48b4-BC0B-EF3B43B6BEBB}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3044
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{DA3D0~1.EXE > nul
      4⤵
      PID:2624
  - - C:\Windows\{321648D9-90F2-4316-A975-71AB4DF66ABB}.exe
      C:\Windows\{321648D9-90F2-4316-A975-71AB4DF66ABB}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2488
    - - C:\Windows\{006D847A-D5CC-4cee-A4C8-763AFF04FA55}.exe
        
        C:\Windows\{006D847A-D5CC-4cee-A4C8-763AFF04FA55}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1840
      - C:\Windows\{D6A0874F-E8D9-4272-8BCA-E6F24DEBDE75}.exe
        
        C:\Windows\{D6A0874F-E8D9-4272-8BCA-E6F24DEBDE75}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D6A08~1.EXE > nul
        7⤵
        
        PID:1828
        
        C:\Windows\{5D91FA38-6C56-45ed-90ED-D31A424C6654}.exe
        
        C:\Windows\{5D91FA38-6C56-45ed-90ED-D31A424C6654}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5D91F~1.EXE > nul
        8⤵
        
        PID:2220
        
        C:\Windows\{7318002B-3A23-4f2a-BD21-10790EBC5718}.exe
        
        C:\Windows\{7318002B-3A23-4f2a-BD21-10790EBC5718}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1060
        
        C:\Windows\{51020CE4-0C22-4a1f-A070-F49E5C7058ED}.exe
        
        C:\Windows\{51020CE4-0C22-4a1f-A070-F49E5C7058ED}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{51020~1.EXE > nul
        10⤵
        
        PID:1800
        
        C:\Windows\{17004B77-2DDB-42d7-A0DA-624BA75916F7}.exe
        
        C:\Windows\{17004B77-2DDB-42d7-A0DA-624BA75916F7}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2304
        
        C:\Windows\{C3747D87-0C6A-4c58-AFA7-0C786038775E}.exe
        
        C:\Windows\{C3747D87-0C6A-4c58-AFA7-0C786038775E}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:876
        
        C:\Windows\{64EC6B4D-41D2-4aa5-96A4-74A30A10927E}.exe
        
        C:\Windows\{64EC6B4D-41D2-4aa5-96A4-74A30A10927E}.exe
        12⤵
        Executes dropped EXE
        
        PID:1504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C3747~1.EXE > nul
        12⤵
        
        PID:1108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{17004~1.EXE > nul
        11⤵
        
        PID:608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{73180~1.EXE > nul
        9⤵
        
        PID:1692
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{006D8~1.EXE > nul
        6⤵
        
        PID:2884
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{32164~1.EXE > nul
        5⤵
        
        PID:2436
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{B15E4~1.EXE > nul
    3⤵
    PID:2280
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{006D847A-D5CC-4cee-A4C8-763AFF04FA55}.exe

Filesize
204KB

MD5
d54aa65b7ed02becd2757db5f2f55c0e

SHA1
c9dc7aa43a63714897e34b7401f7dcb2099b0c81

SHA256
5f7e2ba0721d48a13f24167dc3f7d2f0d0d1b7239c1a6e50a4751e883d22f91a

SHA512
82b5170fe79dcc7734eec63751c9f611be67da5daae847914dea631beb164dd31ef166f06cb3d711375bd24abae8c956c2ace46efa6714352db69416aba40016

Download Submit
C:\Windows\{17004B77-2DDB-42d7-A0DA-624BA75916F7}.exe

Filesize
204KB

MD5
0781cff99f1181086de46159b39a9b72

SHA1
9ed1da95c665580bae61d0386d32caaa677d2736

SHA256
ee258e8f36c5d5bede56c3588e28d22151f6b8e93b89e28dd0c3630f40130585

SHA512
960efa2e31730608afa2b7497844620053bfb5108bbc585f7d4c869ca3e56d2246e1e5ad73833be7850339d7b63cf5ba9a214e4c44c5a859e6ae858084738e89

Download Submit
C:\Windows\{321648D9-90F2-4316-A975-71AB4DF66ABB}.exe

Filesize
204KB

MD5
7181130ecbfc7b72fba44ecb912cac22

SHA1
b78e398815a7dc43013297c77942ca6da550b726

SHA256
7d96e0f8c3bafdf911954028750ad54e0d934f4b5b300faa07a6008cf7b0632e

SHA512
0374994c09129e0003b5e64c74a32cddecabfac8fd04621af2add50470eab4f8f9a69c9dd5cabf6999ed3fdbbab566020700da6aebdec4bb2fdc51ff6fefbf8d

Download Submit
C:\Windows\{51020CE4-0C22-4a1f-A070-F49E5C7058ED}.exe

Filesize
204KB

MD5
af2da8fed081bc790e81d744fc6c4a2a

SHA1
512098f108e198d554c3deba87f7e0a2703c6afb

SHA256
2c6cf4120917528f04117672e3630cafbc1458ab3696ed7af679319654fbcb39

SHA512
c693a589ba0f17b5d1ec6abe66fef2fb12e3badeff8a1055f4faa32e20e491adc6f1f7cf7fd8468f39ae502edd6be4ffd4ee50f9cc6ab16671976c470cb35434

Download Submit
C:\Windows\{5D91FA38-6C56-45ed-90ED-D31A424C6654}.exe

Filesize
204KB

MD5
7220a4300b58011da4bd7f133ffdbd75

SHA1
8a3986269890edf6b3d2e387d63aea431b56fda8

SHA256
4a307746d83600aa761da813cc328937cc2342eaece3b3280d50568c3bcb4e62

SHA512
38ef5c07d83351461f69e0ef012874bf3972ed72a137a173363f6fca7dc57396b1343a714b8e2fe9dbdab7e45619ff5dc1ee877a4cc6676f2692f06d11d06309

Download Submit
C:\Windows\{64EC6B4D-41D2-4aa5-96A4-74A30A10927E}.exe

Filesize
204KB

MD5
e1d26ddf505cba23c57347e1fb0100a5

SHA1
7dc69727278bc733eed5bfd1c3a5bf4401fee3f2

SHA256
ffe144f491d20a16da26ac5d8cb80cb75bd124fa171eba373521fbc291c3c4bb

SHA512
18f045e34dff8ff9b34cb5e0b3bb1599d8989a0a2638eed6487ef44dbdbaa9145617cd1b4e1e54880d1dbcc98e6be7bc92b60834197d14d47638bed1277b241e

Download Submit
C:\Windows\{7318002B-3A23-4f2a-BD21-10790EBC5718}.exe

Filesize
204KB

MD5
0422a8a786e4983fec399f83fbeb62d5

SHA1
5061e305518e725540c4c6d3103af2c05e66b5f9

SHA256
92a4dca41d26033da886fa25d4b8afd31ce7a9a8bd6e425a7876a097eaab7086

SHA512
324419134bd9555f56dcea9174a30857c4c57dc8efc625c01eeaadde8fc2960945964524118c00b03fad8bbbd59a83aab291c3cdc6c166a3d1e1a59b547fd700

Download Submit
C:\Windows\{B15E4ACC-E2FD-4c2b-8201-1A59B07176F2}.exe

Filesize
204KB

MD5
24e92832282b54368709c9657c599568

SHA1
6c3d72a85785de36beaa4ac6eaf9126ecb268422

SHA256
dcfc8ec4572fddab91e026b98754b590f64ae8c0b2fc09b0f7ddd78fc769da76

SHA512
98550ba5f742740dd10bd70b4e7e3958f3b6febe691dc81d00db4d6b125708a508186274ad753f8e309dbf25f857a19828ede4a5a19cc974bc88b7812113a8dd

Download Submit
C:\Windows\{C3747D87-0C6A-4c58-AFA7-0C786038775E}.exe

Filesize
204KB

MD5
71bb6737f2ce3d82014416c95232af40

SHA1
b9e6f9a29a194d6e59ef7583af5cd93bc6ba24f3

SHA256
983db59ecdc7471c2d99415cba923c12a7ec0158592b9149465bf18747cba358

SHA512
9870193a630319fe01346262ea1f24fdee027f9ea686b9c2c3ce39fff15ba19efe0dcc6b506844e859c4f0ad4257c2e770158e06e6c89021a34bee750b1dec92

Download Submit
C:\Windows\{D6A0874F-E8D9-4272-8BCA-E6F24DEBDE75}.exe

Filesize
204KB

MD5
6799275660bb3899444b1f606ea5a84e

SHA1
d560852d6204d1cf44f14244d41c5e2f5a01ee87

SHA256
00ea6f4a8badef5a84280874e22c8f9e6105a51a0d5fa2ac8efbc6193ecf5a23

SHA512
4b08323be430cc034403da7d090072072d90a211effc9e74ea6d4f9bf008118cffb6d2b3da8cd2a03ab4bcef8c5cf7ef020042728e422e34b93e1942cdca6572

Download Submit
C:\Windows\{DA3D0C8B-C35D-48b4-BC0B-EF3B43B6BEBB}.exe

Filesize
204KB

MD5
70e5c9a22cc4b71f7d7c923ea0c1b27c

SHA1
b28a99c4555cec933fa906ceeee9eed1f3368f55

SHA256
e8363968fd385cf0547be9adcd0ce83ed3499f688d3fa9a6ee716d649e055c9b

SHA512
b8c9fe3da87a1986301af6cba8f3d8442c01a844f8c269636ca5ed3e7d71e63cf78d9a00dd56152180148e6095cb1e8aa7ec2d310ee94db51303908692d48a15

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads