f0852c0880c5acf8173e3b61ad6e439404ce52de71bfea97d0982e742502a8e4

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
22-02-2024 19:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-22_501b7db51c4712a706cbfc003c389412_goldeneye.exe
Size

192KB
MD5

501b7db51c4712a706cbfc003c389412
SHA1

d60c754e84f811e7d3c633bde1143a42f95ed4ff
SHA256

f0852c0880c5acf8173e3b61ad6e439404ce52de71bfea97d0982e742502a8e4
SHA512

040d091a67dddc2a590bad89706942aaaa765f18057d125bcd0036431f0ad14a9de844e54f938f6ef14c08440c6a547e3fb31442e3b9544eccd9d8cbae230543
SSDEEP

1536:1EGh0onl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3H6:1EGh0onl1OPOe2MUVg3Ve+rXfMUa

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x0009000000012251-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b00000001439d-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0034000000016d58-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c00000001439d-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d00000001439d-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e00000001439d-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f00000001439d-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ECA66D8D-01D8-45d5-BA05-4FFF72F76426}\stubpath = "C:\\Windows\\{ECA66D8D-01D8-45d5-BA05-4FFF72F76426}.exe"	{55D7DC28-98F4-4228-B59E-AC299838539E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{292611FA-F0C0-49a6-B618-E528C1642FE6}	{C9CF9F3D-FD86-40e4-A455-24707FC0989C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{292611FA-F0C0-49a6-B618-E528C1642FE6}\stubpath = "C:\\Windows\\{292611FA-F0C0-49a6-B618-E528C1642FE6}.exe"	{C9CF9F3D-FD86-40e4-A455-24707FC0989C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0B8DA8E4-3B9B-44e5-AD5C-4ECE945DB0CD}\stubpath = "C:\\Windows\\{0B8DA8E4-3B9B-44e5-AD5C-4ECE945DB0CD}.exe"	{32AD0976-05C3-4bf3-9C61-2E90A6A465FB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9CB2FD6A-FAB9-4ac6-8FE1-BFA9BFB7C443}	{874F98E6-6996-40f6-B4C2-F5C4DE20C676}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{55D7DC28-98F4-4228-B59E-AC299838539E}	{9CB2FD6A-FAB9-4ac6-8FE1-BFA9BFB7C443}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ECA66D8D-01D8-45d5-BA05-4FFF72F76426}	{55D7DC28-98F4-4228-B59E-AC299838539E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0B8DA8E4-3B9B-44e5-AD5C-4ECE945DB0CD}	{32AD0976-05C3-4bf3-9C61-2E90A6A465FB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B3242794-C7D2-4fa1-B3DA-0EABE06C44C4}\stubpath = "C:\\Windows\\{B3242794-C7D2-4fa1-B3DA-0EABE06C44C4}.exe"	{0B8DA8E4-3B9B-44e5-AD5C-4ECE945DB0CD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8ECF363D-DC33-43d0-8BE7-63909D4A7A4C}	{B3242794-C7D2-4fa1-B3DA-0EABE06C44C4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8ECF363D-DC33-43d0-8BE7-63909D4A7A4C}\stubpath = "C:\\Windows\\{8ECF363D-DC33-43d0-8BE7-63909D4A7A4C}.exe"	{B3242794-C7D2-4fa1-B3DA-0EABE06C44C4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FF7854AE-78BC-4295-9FB0-20F00B2AE1B3}	2024-02-22_501b7db51c4712a706cbfc003c389412_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9CB2FD6A-FAB9-4ac6-8FE1-BFA9BFB7C443}\stubpath = "C:\\Windows\\{9CB2FD6A-FAB9-4ac6-8FE1-BFA9BFB7C443}.exe"	{874F98E6-6996-40f6-B4C2-F5C4DE20C676}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C9CF9F3D-FD86-40e4-A455-24707FC0989C}	{ECA66D8D-01D8-45d5-BA05-4FFF72F76426}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FF7854AE-78BC-4295-9FB0-20F00B2AE1B3}\stubpath = "C:\\Windows\\{FF7854AE-78BC-4295-9FB0-20F00B2AE1B3}.exe"	2024-02-22_501b7db51c4712a706cbfc003c389412_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{874F98E6-6996-40f6-B4C2-F5C4DE20C676}\stubpath = "C:\\Windows\\{874F98E6-6996-40f6-B4C2-F5C4DE20C676}.exe"	{FF7854AE-78BC-4295-9FB0-20F00B2AE1B3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{55D7DC28-98F4-4228-B59E-AC299838539E}\stubpath = "C:\\Windows\\{55D7DC28-98F4-4228-B59E-AC299838539E}.exe"	{9CB2FD6A-FAB9-4ac6-8FE1-BFA9BFB7C443}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C9CF9F3D-FD86-40e4-A455-24707FC0989C}\stubpath = "C:\\Windows\\{C9CF9F3D-FD86-40e4-A455-24707FC0989C}.exe"	{ECA66D8D-01D8-45d5-BA05-4FFF72F76426}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{32AD0976-05C3-4bf3-9C61-2E90A6A465FB}	{292611FA-F0C0-49a6-B618-E528C1642FE6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{32AD0976-05C3-4bf3-9C61-2E90A6A465FB}\stubpath = "C:\\Windows\\{32AD0976-05C3-4bf3-9C61-2E90A6A465FB}.exe"	{292611FA-F0C0-49a6-B618-E528C1642FE6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B3242794-C7D2-4fa1-B3DA-0EABE06C44C4}	{0B8DA8E4-3B9B-44e5-AD5C-4ECE945DB0CD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{874F98E6-6996-40f6-B4C2-F5C4DE20C676}	{FF7854AE-78BC-4295-9FB0-20F00B2AE1B3}.exe

Deletes itself 1 IoCs

pid	Process
2552	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
1156	{FF7854AE-78BC-4295-9FB0-20F00B2AE1B3}.exe
2740	{874F98E6-6996-40f6-B4C2-F5C4DE20C676}.exe
2480	{9CB2FD6A-FAB9-4ac6-8FE1-BFA9BFB7C443}.exe
524	{55D7DC28-98F4-4228-B59E-AC299838539E}.exe
1560	{ECA66D8D-01D8-45d5-BA05-4FFF72F76426}.exe
2752	{C9CF9F3D-FD86-40e4-A455-24707FC0989C}.exe
1948	{292611FA-F0C0-49a6-B618-E528C1642FE6}.exe
820	{32AD0976-05C3-4bf3-9C61-2E90A6A465FB}.exe
1472	{0B8DA8E4-3B9B-44e5-AD5C-4ECE945DB0CD}.exe
1300	{B3242794-C7D2-4fa1-B3DA-0EABE06C44C4}.exe
1548	{8ECF363D-DC33-43d0-8BE7-63909D4A7A4C}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{874F98E6-6996-40f6-B4C2-F5C4DE20C676}.exe	{FF7854AE-78BC-4295-9FB0-20F00B2AE1B3}.exe
File created	C:\Windows\{9CB2FD6A-FAB9-4ac6-8FE1-BFA9BFB7C443}.exe	{874F98E6-6996-40f6-B4C2-F5C4DE20C676}.exe
File created	C:\Windows\{ECA66D8D-01D8-45d5-BA05-4FFF72F76426}.exe	{55D7DC28-98F4-4228-B59E-AC299838539E}.exe
File created	C:\Windows\{292611FA-F0C0-49a6-B618-E528C1642FE6}.exe	{C9CF9F3D-FD86-40e4-A455-24707FC0989C}.exe
File created	C:\Windows\{32AD0976-05C3-4bf3-9C61-2E90A6A465FB}.exe	{292611FA-F0C0-49a6-B618-E528C1642FE6}.exe
File created	C:\Windows\{0B8DA8E4-3B9B-44e5-AD5C-4ECE945DB0CD}.exe	{32AD0976-05C3-4bf3-9C61-2E90A6A465FB}.exe
File created	C:\Windows\{FF7854AE-78BC-4295-9FB0-20F00B2AE1B3}.exe	2024-02-22_501b7db51c4712a706cbfc003c389412_goldeneye.exe
File created	C:\Windows\{C9CF9F3D-FD86-40e4-A455-24707FC0989C}.exe	{ECA66D8D-01D8-45d5-BA05-4FFF72F76426}.exe
File created	C:\Windows\{B3242794-C7D2-4fa1-B3DA-0EABE06C44C4}.exe	{0B8DA8E4-3B9B-44e5-AD5C-4ECE945DB0CD}.exe
File created	C:\Windows\{8ECF363D-DC33-43d0-8BE7-63909D4A7A4C}.exe	{B3242794-C7D2-4fa1-B3DA-0EABE06C44C4}.exe
File created	C:\Windows\{55D7DC28-98F4-4228-B59E-AC299838539E}.exe	{9CB2FD6A-FAB9-4ac6-8FE1-BFA9BFB7C443}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2736	2024-02-22_501b7db51c4712a706cbfc003c389412_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1156	{FF7854AE-78BC-4295-9FB0-20F00B2AE1B3}.exe
Token: SeIncBasePriorityPrivilege	2740	{874F98E6-6996-40f6-B4C2-F5C4DE20C676}.exe
Token: SeIncBasePriorityPrivilege	2480	{9CB2FD6A-FAB9-4ac6-8FE1-BFA9BFB7C443}.exe
Token: SeIncBasePriorityPrivilege	524	{55D7DC28-98F4-4228-B59E-AC299838539E}.exe
Token: SeIncBasePriorityPrivilege	1560	{ECA66D8D-01D8-45d5-BA05-4FFF72F76426}.exe
Token: SeIncBasePriorityPrivilege	2752	{C9CF9F3D-FD86-40e4-A455-24707FC0989C}.exe
Token: SeIncBasePriorityPrivilege	1948	{292611FA-F0C0-49a6-B618-E528C1642FE6}.exe
Token: SeIncBasePriorityPrivilege	820	{32AD0976-05C3-4bf3-9C61-2E90A6A465FB}.exe
Token: SeIncBasePriorityPrivilege	1472	{0B8DA8E4-3B9B-44e5-AD5C-4ECE945DB0CD}.exe
Token: SeIncBasePriorityPrivilege	1300	{B3242794-C7D2-4fa1-B3DA-0EABE06C44C4}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2736 wrote to memory of 1156	2736	2024-02-22_501b7db51c4712a706cbfc003c389412_goldeneye.exe	28
PID 2736 wrote to memory of 1156	2736	2024-02-22_501b7db51c4712a706cbfc003c389412_goldeneye.exe	28
PID 2736 wrote to memory of 1156	2736	2024-02-22_501b7db51c4712a706cbfc003c389412_goldeneye.exe	28
PID 2736 wrote to memory of 1156	2736	2024-02-22_501b7db51c4712a706cbfc003c389412_goldeneye.exe	28
PID 2736 wrote to memory of 2552	2736	2024-02-22_501b7db51c4712a706cbfc003c389412_goldeneye.exe	29
PID 2736 wrote to memory of 2552	2736	2024-02-22_501b7db51c4712a706cbfc003c389412_goldeneye.exe	29
PID 2736 wrote to memory of 2552	2736	2024-02-22_501b7db51c4712a706cbfc003c389412_goldeneye.exe	29
PID 2736 wrote to memory of 2552	2736	2024-02-22_501b7db51c4712a706cbfc003c389412_goldeneye.exe	29
PID 1156 wrote to memory of 2740	1156	{FF7854AE-78BC-4295-9FB0-20F00B2AE1B3}.exe	30
PID 1156 wrote to memory of 2740	1156	{FF7854AE-78BC-4295-9FB0-20F00B2AE1B3}.exe	30
PID 1156 wrote to memory of 2740	1156	{FF7854AE-78BC-4295-9FB0-20F00B2AE1B3}.exe	30
PID 1156 wrote to memory of 2740	1156	{FF7854AE-78BC-4295-9FB0-20F00B2AE1B3}.exe	30
PID 1156 wrote to memory of 2688	1156	{FF7854AE-78BC-4295-9FB0-20F00B2AE1B3}.exe	31
PID 1156 wrote to memory of 2688	1156	{FF7854AE-78BC-4295-9FB0-20F00B2AE1B3}.exe	31
PID 1156 wrote to memory of 2688	1156	{FF7854AE-78BC-4295-9FB0-20F00B2AE1B3}.exe	31
PID 1156 wrote to memory of 2688	1156	{FF7854AE-78BC-4295-9FB0-20F00B2AE1B3}.exe	31
PID 2740 wrote to memory of 2480	2740	{874F98E6-6996-40f6-B4C2-F5C4DE20C676}.exe	34
PID 2740 wrote to memory of 2480	2740	{874F98E6-6996-40f6-B4C2-F5C4DE20C676}.exe	34
PID 2740 wrote to memory of 2480	2740	{874F98E6-6996-40f6-B4C2-F5C4DE20C676}.exe	34
PID 2740 wrote to memory of 2480	2740	{874F98E6-6996-40f6-B4C2-F5C4DE20C676}.exe	34
PID 2740 wrote to memory of 2936	2740	{874F98E6-6996-40f6-B4C2-F5C4DE20C676}.exe	35
PID 2740 wrote to memory of 2936	2740	{874F98E6-6996-40f6-B4C2-F5C4DE20C676}.exe	35
PID 2740 wrote to memory of 2936	2740	{874F98E6-6996-40f6-B4C2-F5C4DE20C676}.exe	35
PID 2740 wrote to memory of 2936	2740	{874F98E6-6996-40f6-B4C2-F5C4DE20C676}.exe	35
PID 2480 wrote to memory of 524	2480	{9CB2FD6A-FAB9-4ac6-8FE1-BFA9BFB7C443}.exe	36
PID 2480 wrote to memory of 524	2480	{9CB2FD6A-FAB9-4ac6-8FE1-BFA9BFB7C443}.exe	36
PID 2480 wrote to memory of 524	2480	{9CB2FD6A-FAB9-4ac6-8FE1-BFA9BFB7C443}.exe	36
PID 2480 wrote to memory of 524	2480	{9CB2FD6A-FAB9-4ac6-8FE1-BFA9BFB7C443}.exe	36
PID 2480 wrote to memory of 760	2480	{9CB2FD6A-FAB9-4ac6-8FE1-BFA9BFB7C443}.exe	37
PID 2480 wrote to memory of 760	2480	{9CB2FD6A-FAB9-4ac6-8FE1-BFA9BFB7C443}.exe	37
PID 2480 wrote to memory of 760	2480	{9CB2FD6A-FAB9-4ac6-8FE1-BFA9BFB7C443}.exe	37
PID 2480 wrote to memory of 760	2480	{9CB2FD6A-FAB9-4ac6-8FE1-BFA9BFB7C443}.exe	37
PID 524 wrote to memory of 1560	524	{55D7DC28-98F4-4228-B59E-AC299838539E}.exe	38
PID 524 wrote to memory of 1560	524	{55D7DC28-98F4-4228-B59E-AC299838539E}.exe	38
PID 524 wrote to memory of 1560	524	{55D7DC28-98F4-4228-B59E-AC299838539E}.exe	38
PID 524 wrote to memory of 1560	524	{55D7DC28-98F4-4228-B59E-AC299838539E}.exe	38
PID 524 wrote to memory of 2600	524	{55D7DC28-98F4-4228-B59E-AC299838539E}.exe	39
PID 524 wrote to memory of 2600	524	{55D7DC28-98F4-4228-B59E-AC299838539E}.exe	39
PID 524 wrote to memory of 2600	524	{55D7DC28-98F4-4228-B59E-AC299838539E}.exe	39
PID 524 wrote to memory of 2600	524	{55D7DC28-98F4-4228-B59E-AC299838539E}.exe	39
PID 1560 wrote to memory of 2752	1560	{ECA66D8D-01D8-45d5-BA05-4FFF72F76426}.exe	40
PID 1560 wrote to memory of 2752	1560	{ECA66D8D-01D8-45d5-BA05-4FFF72F76426}.exe	40
PID 1560 wrote to memory of 2752	1560	{ECA66D8D-01D8-45d5-BA05-4FFF72F76426}.exe	40
PID 1560 wrote to memory of 2752	1560	{ECA66D8D-01D8-45d5-BA05-4FFF72F76426}.exe	40
PID 1560 wrote to memory of 2580	1560	{ECA66D8D-01D8-45d5-BA05-4FFF72F76426}.exe	41
PID 1560 wrote to memory of 2580	1560	{ECA66D8D-01D8-45d5-BA05-4FFF72F76426}.exe	41
PID 1560 wrote to memory of 2580	1560	{ECA66D8D-01D8-45d5-BA05-4FFF72F76426}.exe	41
PID 1560 wrote to memory of 2580	1560	{ECA66D8D-01D8-45d5-BA05-4FFF72F76426}.exe	41
PID 2752 wrote to memory of 1948	2752	{C9CF9F3D-FD86-40e4-A455-24707FC0989C}.exe	42
PID 2752 wrote to memory of 1948	2752	{C9CF9F3D-FD86-40e4-A455-24707FC0989C}.exe	42
PID 2752 wrote to memory of 1948	2752	{C9CF9F3D-FD86-40e4-A455-24707FC0989C}.exe	42
PID 2752 wrote to memory of 1948	2752	{C9CF9F3D-FD86-40e4-A455-24707FC0989C}.exe	42
PID 2752 wrote to memory of 2236	2752	{C9CF9F3D-FD86-40e4-A455-24707FC0989C}.exe	43
PID 2752 wrote to memory of 2236	2752	{C9CF9F3D-FD86-40e4-A455-24707FC0989C}.exe	43
PID 2752 wrote to memory of 2236	2752	{C9CF9F3D-FD86-40e4-A455-24707FC0989C}.exe	43
PID 2752 wrote to memory of 2236	2752	{C9CF9F3D-FD86-40e4-A455-24707FC0989C}.exe	43
PID 1948 wrote to memory of 820	1948	{292611FA-F0C0-49a6-B618-E528C1642FE6}.exe	44
PID 1948 wrote to memory of 820	1948	{292611FA-F0C0-49a6-B618-E528C1642FE6}.exe	44
PID 1948 wrote to memory of 820	1948	{292611FA-F0C0-49a6-B618-E528C1642FE6}.exe	44
PID 1948 wrote to memory of 820	1948	{292611FA-F0C0-49a6-B618-E528C1642FE6}.exe	44
PID 1948 wrote to memory of 1676	1948	{292611FA-F0C0-49a6-B618-E528C1642FE6}.exe	45
PID 1948 wrote to memory of 1676	1948	{292611FA-F0C0-49a6-B618-E528C1642FE6}.exe	45
PID 1948 wrote to memory of 1676	1948	{292611FA-F0C0-49a6-B618-E528C1642FE6}.exe	45
PID 1948 wrote to memory of 1676	1948	{292611FA-F0C0-49a6-B618-E528C1642FE6}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-02-22_501b7db51c4712a706cbfc003c389412_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-22_501b7db51c4712a706cbfc003c389412_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2736
- C:\Windows\{FF7854AE-78BC-4295-9FB0-20F00B2AE1B3}.exe
  C:\Windows\{FF7854AE-78BC-4295-9FB0-20F00B2AE1B3}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1156
- - C:\Windows\{874F98E6-6996-40f6-B4C2-F5C4DE20C676}.exe
    C:\Windows\{874F98E6-6996-40f6-B4C2-F5C4DE20C676}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2740
  - - C:\Windows\{9CB2FD6A-FAB9-4ac6-8FE1-BFA9BFB7C443}.exe
      C:\Windows\{9CB2FD6A-FAB9-4ac6-8FE1-BFA9BFB7C443}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2480
    - - C:\Windows\{55D7DC28-98F4-4228-B59E-AC299838539E}.exe
        
        C:\Windows\{55D7DC28-98F4-4228-B59E-AC299838539E}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:524
      - C:\Windows\{ECA66D8D-01D8-45d5-BA05-4FFF72F76426}.exe
        
        C:\Windows\{ECA66D8D-01D8-45d5-BA05-4FFF72F76426}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1560
        
        C:\Windows\{C9CF9F3D-FD86-40e4-A455-24707FC0989C}.exe
        
        C:\Windows\{C9CF9F3D-FD86-40e4-A455-24707FC0989C}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2752
        
        C:\Windows\{292611FA-F0C0-49a6-B618-E528C1642FE6}.exe
        
        C:\Windows\{292611FA-F0C0-49a6-B618-E528C1642FE6}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1948
        
        C:\Windows\{32AD0976-05C3-4bf3-9C61-2E90A6A465FB}.exe
        
        C:\Windows\{32AD0976-05C3-4bf3-9C61-2E90A6A465FB}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:820
        
        C:\Windows\{0B8DA8E4-3B9B-44e5-AD5C-4ECE945DB0CD}.exe
        
        C:\Windows\{0B8DA8E4-3B9B-44e5-AD5C-4ECE945DB0CD}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1472
        
        C:\Windows\{B3242794-C7D2-4fa1-B3DA-0EABE06C44C4}.exe
        
        C:\Windows\{B3242794-C7D2-4fa1-B3DA-0EABE06C44C4}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1300
        
        C:\Windows\{8ECF363D-DC33-43d0-8BE7-63909D4A7A4C}.exe
        
        C:\Windows\{8ECF363D-DC33-43d0-8BE7-63909D4A7A4C}.exe
        12⤵
        Executes dropped EXE
        
        PID:1548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B3242~1.EXE > nul
        12⤵
        
        PID:1192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0B8DA~1.EXE > nul
        11⤵
        
        PID:2352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{32AD0~1.EXE > nul
        10⤵
        
        PID:1428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{29261~1.EXE > nul
        9⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C9CF9~1.EXE > nul
        8⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{ECA66~1.EXE > nul
        7⤵
        
        PID:2580
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{55D7D~1.EXE > nul
        6⤵
        
        PID:2600
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9CB2F~1.EXE > nul
        5⤵
        
        PID:760
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{874F9~1.EXE > nul
      4⤵
      PID:2936
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{FF785~1.EXE > nul
    3⤵
    PID:2688
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0B8DA8E4-3B9B-44e5-AD5C-4ECE945DB0CD}.exe

Filesize
192KB

MD5
e3d054e415d94e5aa2626464ba6e2f46

SHA1
8537352b631260d3e9174a95e4bdf67f77e566e8

SHA256
6dd421a09d4ce4ed220d7b0f2b3479ed424c822db3345ffb3d0d978a83fe526d

SHA512
27ed6ac7da7931f8bc4f6c863708a1ac00c9a168c965fedad9d59134b8a3d87229845c907b2c14d14d75fb18fa0e0d1efdab18ffa2c58919c59f2692c7b9ed3b

Download Submit
C:\Windows\{292611FA-F0C0-49a6-B618-E528C1642FE6}.exe

Filesize
192KB

MD5
a917704c80d82f13bd4e5d2f88b97d43

SHA1
3dd39ed3441b86d4a634260a55b40b3e6bc31dd3

SHA256
8ff14df7a077ef4a268b23bf5d8cd4358a1d6ebdec46a60fd18b1a3be8df3a5d

SHA512
e3af5720ecfe1997b13712c174f599c75ebb6a45c907ba43b0502eeceab16c42a0652e371dc0b2711c9611cb816fdcbc250f9af3d4e2390a1df84ae952e97a68

Download Submit
C:\Windows\{32AD0976-05C3-4bf3-9C61-2E90A6A465FB}.exe

Filesize
192KB

MD5
885dfa49aa1be5ecfbd7d5eff1d37ba8

SHA1
1139229d1492bcb1dd9ea366909e23c473ab53d3

SHA256
3e1a428c7d306efbb873752b57c9a53eabfa444c5db9a04d9d5a0d644c12dd3e

SHA512
e572758f7011502fa3438ef61b98506ee1b9f1cddd7bf1bd664a5ad98efa1dd6c6e2d083bf4674cfefad6c093931d46dffdc1bf1331695e2cc793d6da80525fc

Download Submit
C:\Windows\{55D7DC28-98F4-4228-B59E-AC299838539E}.exe

Filesize
192KB

MD5
3c12e26a47a8f3ff3c46aaaf60ec37e1

SHA1
ca56a41dbb354189b4bddf21bd8dd02ced9c064f

SHA256
8fb563439870234f816d75c550c455a1076215e9e4770c52bcd98a398c5c5d24

SHA512
b52b1e95c958cb9d5894fb24da7b9fa9db6c12c91619118ea0b6688e98e5f7244abbde73b633c68609c388152005c1f74270bcb17167d9b721c246ca0a68cf22

Download Submit
C:\Windows\{874F98E6-6996-40f6-B4C2-F5C4DE20C676}.exe

Filesize
192KB

MD5
f3dc9c20ff4256b984be6e740ed8e130

SHA1
57fdd39582e80a54e7a152cdf8d5670198c0f20e

SHA256
a5cdd407198fdc17f7da9bef6cc0b8c4036955d9ff49952fb6e5ecef3349abfc

SHA512
0782974c81a36fc67efcf67e54a8f116fce8e7008a49f4907f1e954a76fdf903498ba445a1dcba750a5e1ea9d856999a766d56101c6718049ff5fb579c91adf9

Download Submit
C:\Windows\{8ECF363D-DC33-43d0-8BE7-63909D4A7A4C}.exe

Filesize
192KB

MD5
e9ba6f622ceccbbb51acd65a4765670c

SHA1
e90bad22913845a0b39daa2fe910b7ff0b33f40b

SHA256
5539ad5fbf368fe6fe6f42df3f0d243acc0c5b9f4a69339e359449843e46b31b

SHA512
d500a92d9480b02ba6e49d076232da3fac1ab638c2cd775e608314d92642ce3b1c0eb1f4f9b772685e8b49966191122ca133eec552b71205dd4617fab76bfab1

Download Submit
C:\Windows\{9CB2FD6A-FAB9-4ac6-8FE1-BFA9BFB7C443}.exe

Filesize
192KB

MD5
290885fe8bd79c6f37340b53263b90ae

SHA1
6c6dc545be5f254662c2a26b41f39df8c8d387dd

SHA256
ebe30fe8281281315cc4adec5e0dd683578ee1491bae048c270b82d8422acdc0

SHA512
c2ca1d9a5a37a9e5e9dd2b4bde55735ccc1b891a23658597428bde7a3b4cc064f4322862b4c27227a34e5578966284449bd22a7d967ba572703c8a518c281763

Download Submit
C:\Windows\{B3242794-C7D2-4fa1-B3DA-0EABE06C44C4}.exe

Filesize
192KB

MD5
595f224e30022a8e73094bab6518a226

SHA1
cfeff279e96177443b708ba2353ce45aa3a687ec

SHA256
563f3bee4c17e2c0a72188f64e22d859603745f61678fce859e201aa69dae7bd

SHA512
a8a09802c9b7e464d7cb3d08463743e5b71e2a70390dee7e9e7a4e46866e15a241f0cf154ceb19e3b44d676a536eda28a26666068a180277f3734437dd32c9e1

Download Submit
C:\Windows\{C9CF9F3D-FD86-40e4-A455-24707FC0989C}.exe

Filesize
192KB

MD5
994da5c9287f2e9ae09aa7bc9ae4321c

SHA1
221c94a506f4873940e515a037c9e5307d90a82b

SHA256
ab2c1ffd3162dd1d047c71a031846ef6713128fe3f1765e092039d7060bd0679

SHA512
bff4ad54cb537bd3c86c64037964dfc50d9f92eb21b8e63394d944ebb65e9bbe7b7e7d1e72ead316526cc6ef080f1bde15b81ae44ae3163f33fe17d48a882c08

Download Submit
C:\Windows\{ECA66D8D-01D8-45d5-BA05-4FFF72F76426}.exe

Filesize
192KB

MD5
aeb5a652ba81c4c4c3a8b56bce40e258

SHA1
9f2e6b7159ba4ec367748eac04dd193f02800121

SHA256
18de9aa7264054d52e5627e0d5df406a222f22e9ed4557d7d13b17661e6a3e7d

SHA512
2ea48c2fffd356b66a99d5b33ecc869db19263615fd4281ef76b249a5ece91ce679904735726ab9b41969d04138650a91323545aa9a2f66a0dae0bd06a17ac7c

Download Submit
C:\Windows\{FF7854AE-78BC-4295-9FB0-20F00B2AE1B3}.exe

Filesize
192KB

MD5
a003454289cc18783026b507227bac2b

SHA1
f6eb489d73c0339164f600f426695deacca04194

SHA256
d6198a5970569ed68e850b0f7ffb3ce65f3d08a7e239b4b5f0dcf01df67429fc

SHA512
5ec2c62f95f5f178dfb1da69c87b0dfaae30920c4a9b48783bc410cbd6582ea3ba539c33df7c58f1ca678410b59c7a2d41e5add468ba16366b0d1936e6dbc6d2

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads