532d2caf92465c4227983236236146db1f89379f2ea02f8e32cdd0d3a76961f8

Analysis

max time kernel
144s
max time network
120s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
23/02/2024, 01:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-23_e989b546a95541c29f914f9edf154be6_goldeneye.exe
Size

204KB
MD5

e989b546a95541c29f914f9edf154be6
SHA1

9c5a86ee9139db94839f40e4459a93a4db74b3b5
SHA256

532d2caf92465c4227983236236146db1f89379f2ea02f8e32cdd0d3a76961f8
SHA512

60099902d8f5a6852b8e8798a4b97ae7cafd0a42988ebd60994f1dd6959f2b3c5b8a92331f4923f2ceb3e7e8a8ecea38472537726d3aa440a2b28ceb0c136eab
SSDEEP

1536:1EGh0oNl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oNl1OPOe2MUVg3Ve+rXfMUy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x00090000000122be-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0010000000014dae-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a0000000122be-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0030000000016cb2-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b0000000122be-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0031000000016cb2-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0030000000016ce4-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0032000000016cb2-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0012000000016cf5-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6A85FFB2-F1A3-475b-B511-66EF1744F3B1}\stubpath = "C:\\Windows\\{6A85FFB2-F1A3-475b-B511-66EF1744F3B1}.exe"	{EAA8A879-D8EA-4b9e-93C1-D4CB8DB9C9BA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{82264822-6A79-429f-BB2C-7426ED656FEC}\stubpath = "C:\\Windows\\{82264822-6A79-429f-BB2C-7426ED656FEC}.exe"	{9DAFD645-355C-47df-B8AC-F3739DA7851D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D3B8A510-3EEA-4a1d-A33A-51185882CAC8}	{82264822-6A79-429f-BB2C-7426ED656FEC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{600036E4-26D1-4eb2-ACAF-F57881CF9226}	{01403481-9632-4ec4-B6E0-DB0EEF41CE32}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C32DE5D6-9406-4e5f-A59C-A4CB901E6829}\stubpath = "C:\\Windows\\{C32DE5D6-9406-4e5f-A59C-A4CB901E6829}.exe"	{144D1B8B-565E-4b7e-8A36-8C3F0785FAD6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{34C78807-53B3-41d1-9AA9-F6BE6EC5DAA3}	{C32DE5D6-9406-4e5f-A59C-A4CB901E6829}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EAA8A879-D8EA-4b9e-93C1-D4CB8DB9C9BA}\stubpath = "C:\\Windows\\{EAA8A879-D8EA-4b9e-93C1-D4CB8DB9C9BA}.exe"	{34C78807-53B3-41d1-9AA9-F6BE6EC5DAA3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{24F6805D-8E3B-4431-AB82-9BB915A7F1AB}\stubpath = "C:\\Windows\\{24F6805D-8E3B-4431-AB82-9BB915A7F1AB}.exe"	{D3B8A510-3EEA-4a1d-A33A-51185882CAC8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{01403481-9632-4ec4-B6E0-DB0EEF41CE32}	{24F6805D-8E3B-4431-AB82-9BB915A7F1AB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{34C78807-53B3-41d1-9AA9-F6BE6EC5DAA3}\stubpath = "C:\\Windows\\{34C78807-53B3-41d1-9AA9-F6BE6EC5DAA3}.exe"	{C32DE5D6-9406-4e5f-A59C-A4CB901E6829}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9DAFD645-355C-47df-B8AC-F3739DA7851D}	{6A85FFB2-F1A3-475b-B511-66EF1744F3B1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D3B8A510-3EEA-4a1d-A33A-51185882CAC8}\stubpath = "C:\\Windows\\{D3B8A510-3EEA-4a1d-A33A-51185882CAC8}.exe"	{82264822-6A79-429f-BB2C-7426ED656FEC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6A85FFB2-F1A3-475b-B511-66EF1744F3B1}	{EAA8A879-D8EA-4b9e-93C1-D4CB8DB9C9BA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{82264822-6A79-429f-BB2C-7426ED656FEC}	{9DAFD645-355C-47df-B8AC-F3739DA7851D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{24F6805D-8E3B-4431-AB82-9BB915A7F1AB}	{D3B8A510-3EEA-4a1d-A33A-51185882CAC8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{144D1B8B-565E-4b7e-8A36-8C3F0785FAD6}	2024-02-23_e989b546a95541c29f914f9edf154be6_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{144D1B8B-565E-4b7e-8A36-8C3F0785FAD6}\stubpath = "C:\\Windows\\{144D1B8B-565E-4b7e-8A36-8C3F0785FAD6}.exe"	2024-02-23_e989b546a95541c29f914f9edf154be6_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EAA8A879-D8EA-4b9e-93C1-D4CB8DB9C9BA}	{34C78807-53B3-41d1-9AA9-F6BE6EC5DAA3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{600036E4-26D1-4eb2-ACAF-F57881CF9226}\stubpath = "C:\\Windows\\{600036E4-26D1-4eb2-ACAF-F57881CF9226}.exe"	{01403481-9632-4ec4-B6E0-DB0EEF41CE32}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C32DE5D6-9406-4e5f-A59C-A4CB901E6829}	{144D1B8B-565E-4b7e-8A36-8C3F0785FAD6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9DAFD645-355C-47df-B8AC-F3739DA7851D}\stubpath = "C:\\Windows\\{9DAFD645-355C-47df-B8AC-F3739DA7851D}.exe"	{6A85FFB2-F1A3-475b-B511-66EF1744F3B1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{01403481-9632-4ec4-B6E0-DB0EEF41CE32}\stubpath = "C:\\Windows\\{01403481-9632-4ec4-B6E0-DB0EEF41CE32}.exe"	{24F6805D-8E3B-4431-AB82-9BB915A7F1AB}.exe

Deletes itself 1 IoCs

pid	Process
1668	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
1924	{144D1B8B-565E-4b7e-8A36-8C3F0785FAD6}.exe
2508	{C32DE5D6-9406-4e5f-A59C-A4CB901E6829}.exe
2388	{34C78807-53B3-41d1-9AA9-F6BE6EC5DAA3}.exe
2368	{EAA8A879-D8EA-4b9e-93C1-D4CB8DB9C9BA}.exe
864	{6A85FFB2-F1A3-475b-B511-66EF1744F3B1}.exe
1604	{9DAFD645-355C-47df-B8AC-F3739DA7851D}.exe
1184	{82264822-6A79-429f-BB2C-7426ED656FEC}.exe
2264	{D3B8A510-3EEA-4a1d-A33A-51185882CAC8}.exe
3052	{24F6805D-8E3B-4431-AB82-9BB915A7F1AB}.exe
2068	{01403481-9632-4ec4-B6E0-DB0EEF41CE32}.exe
1828	{600036E4-26D1-4eb2-ACAF-F57881CF9226}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{34C78807-53B3-41d1-9AA9-F6BE6EC5DAA3}.exe	{C32DE5D6-9406-4e5f-A59C-A4CB901E6829}.exe
File created	C:\Windows\{EAA8A879-D8EA-4b9e-93C1-D4CB8DB9C9BA}.exe	{34C78807-53B3-41d1-9AA9-F6BE6EC5DAA3}.exe
File created	C:\Windows\{6A85FFB2-F1A3-475b-B511-66EF1744F3B1}.exe	{EAA8A879-D8EA-4b9e-93C1-D4CB8DB9C9BA}.exe
File created	C:\Windows\{82264822-6A79-429f-BB2C-7426ED656FEC}.exe	{9DAFD645-355C-47df-B8AC-F3739DA7851D}.exe
File created	C:\Windows\{24F6805D-8E3B-4431-AB82-9BB915A7F1AB}.exe	{D3B8A510-3EEA-4a1d-A33A-51185882CAC8}.exe
File created	C:\Windows\{600036E4-26D1-4eb2-ACAF-F57881CF9226}.exe	{01403481-9632-4ec4-B6E0-DB0EEF41CE32}.exe
File created	C:\Windows\{144D1B8B-565E-4b7e-8A36-8C3F0785FAD6}.exe	2024-02-23_e989b546a95541c29f914f9edf154be6_goldeneye.exe
File created	C:\Windows\{C32DE5D6-9406-4e5f-A59C-A4CB901E6829}.exe	{144D1B8B-565E-4b7e-8A36-8C3F0785FAD6}.exe
File created	C:\Windows\{9DAFD645-355C-47df-B8AC-F3739DA7851D}.exe	{6A85FFB2-F1A3-475b-B511-66EF1744F3B1}.exe
File created	C:\Windows\{D3B8A510-3EEA-4a1d-A33A-51185882CAC8}.exe	{82264822-6A79-429f-BB2C-7426ED656FEC}.exe
File created	C:\Windows\{01403481-9632-4ec4-B6E0-DB0EEF41CE32}.exe	{24F6805D-8E3B-4431-AB82-9BB915A7F1AB}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1656	2024-02-23_e989b546a95541c29f914f9edf154be6_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1924	{144D1B8B-565E-4b7e-8A36-8C3F0785FAD6}.exe
Token: SeIncBasePriorityPrivilege	2508	{C32DE5D6-9406-4e5f-A59C-A4CB901E6829}.exe
Token: SeIncBasePriorityPrivilege	2388	{34C78807-53B3-41d1-9AA9-F6BE6EC5DAA3}.exe
Token: SeIncBasePriorityPrivilege	2368	{EAA8A879-D8EA-4b9e-93C1-D4CB8DB9C9BA}.exe
Token: SeIncBasePriorityPrivilege	864	{6A85FFB2-F1A3-475b-B511-66EF1744F3B1}.exe
Token: SeIncBasePriorityPrivilege	1604	{9DAFD645-355C-47df-B8AC-F3739DA7851D}.exe
Token: SeIncBasePriorityPrivilege	1184	{82264822-6A79-429f-BB2C-7426ED656FEC}.exe
Token: SeIncBasePriorityPrivilege	2264	{D3B8A510-3EEA-4a1d-A33A-51185882CAC8}.exe
Token: SeIncBasePriorityPrivilege	3052	{24F6805D-8E3B-4431-AB82-9BB915A7F1AB}.exe
Token: SeIncBasePriorityPrivilege	2068	{01403481-9632-4ec4-B6E0-DB0EEF41CE32}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1656 wrote to memory of 1924	1656	2024-02-23_e989b546a95541c29f914f9edf154be6_goldeneye.exe	28
PID 1656 wrote to memory of 1924	1656	2024-02-23_e989b546a95541c29f914f9edf154be6_goldeneye.exe	28
PID 1656 wrote to memory of 1924	1656	2024-02-23_e989b546a95541c29f914f9edf154be6_goldeneye.exe	28
PID 1656 wrote to memory of 1924	1656	2024-02-23_e989b546a95541c29f914f9edf154be6_goldeneye.exe	28
PID 1656 wrote to memory of 1668	1656	2024-02-23_e989b546a95541c29f914f9edf154be6_goldeneye.exe	29
PID 1656 wrote to memory of 1668	1656	2024-02-23_e989b546a95541c29f914f9edf154be6_goldeneye.exe	29
PID 1656 wrote to memory of 1668	1656	2024-02-23_e989b546a95541c29f914f9edf154be6_goldeneye.exe	29
PID 1656 wrote to memory of 1668	1656	2024-02-23_e989b546a95541c29f914f9edf154be6_goldeneye.exe	29
PID 1924 wrote to memory of 2508	1924	{144D1B8B-565E-4b7e-8A36-8C3F0785FAD6}.exe	30
PID 1924 wrote to memory of 2508	1924	{144D1B8B-565E-4b7e-8A36-8C3F0785FAD6}.exe	30
PID 1924 wrote to memory of 2508	1924	{144D1B8B-565E-4b7e-8A36-8C3F0785FAD6}.exe	30
PID 1924 wrote to memory of 2508	1924	{144D1B8B-565E-4b7e-8A36-8C3F0785FAD6}.exe	30
PID 1924 wrote to memory of 2620	1924	{144D1B8B-565E-4b7e-8A36-8C3F0785FAD6}.exe	31
PID 1924 wrote to memory of 2620	1924	{144D1B8B-565E-4b7e-8A36-8C3F0785FAD6}.exe	31
PID 1924 wrote to memory of 2620	1924	{144D1B8B-565E-4b7e-8A36-8C3F0785FAD6}.exe	31
PID 1924 wrote to memory of 2620	1924	{144D1B8B-565E-4b7e-8A36-8C3F0785FAD6}.exe	31
PID 2508 wrote to memory of 2388	2508	{C32DE5D6-9406-4e5f-A59C-A4CB901E6829}.exe	32
PID 2508 wrote to memory of 2388	2508	{C32DE5D6-9406-4e5f-A59C-A4CB901E6829}.exe	32
PID 2508 wrote to memory of 2388	2508	{C32DE5D6-9406-4e5f-A59C-A4CB901E6829}.exe	32
PID 2508 wrote to memory of 2388	2508	{C32DE5D6-9406-4e5f-A59C-A4CB901E6829}.exe	32
PID 2508 wrote to memory of 2856	2508	{C32DE5D6-9406-4e5f-A59C-A4CB901E6829}.exe	33
PID 2508 wrote to memory of 2856	2508	{C32DE5D6-9406-4e5f-A59C-A4CB901E6829}.exe	33
PID 2508 wrote to memory of 2856	2508	{C32DE5D6-9406-4e5f-A59C-A4CB901E6829}.exe	33
PID 2508 wrote to memory of 2856	2508	{C32DE5D6-9406-4e5f-A59C-A4CB901E6829}.exe	33
PID 2388 wrote to memory of 2368	2388	{34C78807-53B3-41d1-9AA9-F6BE6EC5DAA3}.exe	36
PID 2388 wrote to memory of 2368	2388	{34C78807-53B3-41d1-9AA9-F6BE6EC5DAA3}.exe	36
PID 2388 wrote to memory of 2368	2388	{34C78807-53B3-41d1-9AA9-F6BE6EC5DAA3}.exe	36
PID 2388 wrote to memory of 2368	2388	{34C78807-53B3-41d1-9AA9-F6BE6EC5DAA3}.exe	36
PID 2388 wrote to memory of 548	2388	{34C78807-53B3-41d1-9AA9-F6BE6EC5DAA3}.exe	37
PID 2388 wrote to memory of 548	2388	{34C78807-53B3-41d1-9AA9-F6BE6EC5DAA3}.exe	37
PID 2388 wrote to memory of 548	2388	{34C78807-53B3-41d1-9AA9-F6BE6EC5DAA3}.exe	37
PID 2388 wrote to memory of 548	2388	{34C78807-53B3-41d1-9AA9-F6BE6EC5DAA3}.exe	37
PID 2368 wrote to memory of 864	2368	{EAA8A879-D8EA-4b9e-93C1-D4CB8DB9C9BA}.exe	38
PID 2368 wrote to memory of 864	2368	{EAA8A879-D8EA-4b9e-93C1-D4CB8DB9C9BA}.exe	38
PID 2368 wrote to memory of 864	2368	{EAA8A879-D8EA-4b9e-93C1-D4CB8DB9C9BA}.exe	38
PID 2368 wrote to memory of 864	2368	{EAA8A879-D8EA-4b9e-93C1-D4CB8DB9C9BA}.exe	38
PID 2368 wrote to memory of 2636	2368	{EAA8A879-D8EA-4b9e-93C1-D4CB8DB9C9BA}.exe	39
PID 2368 wrote to memory of 2636	2368	{EAA8A879-D8EA-4b9e-93C1-D4CB8DB9C9BA}.exe	39
PID 2368 wrote to memory of 2636	2368	{EAA8A879-D8EA-4b9e-93C1-D4CB8DB9C9BA}.exe	39
PID 2368 wrote to memory of 2636	2368	{EAA8A879-D8EA-4b9e-93C1-D4CB8DB9C9BA}.exe	39
PID 864 wrote to memory of 1604	864	{6A85FFB2-F1A3-475b-B511-66EF1744F3B1}.exe	40
PID 864 wrote to memory of 1604	864	{6A85FFB2-F1A3-475b-B511-66EF1744F3B1}.exe	40
PID 864 wrote to memory of 1604	864	{6A85FFB2-F1A3-475b-B511-66EF1744F3B1}.exe	40
PID 864 wrote to memory of 1604	864	{6A85FFB2-F1A3-475b-B511-66EF1744F3B1}.exe	40
PID 864 wrote to memory of 1488	864	{6A85FFB2-F1A3-475b-B511-66EF1744F3B1}.exe	41
PID 864 wrote to memory of 1488	864	{6A85FFB2-F1A3-475b-B511-66EF1744F3B1}.exe	41
PID 864 wrote to memory of 1488	864	{6A85FFB2-F1A3-475b-B511-66EF1744F3B1}.exe	41
PID 864 wrote to memory of 1488	864	{6A85FFB2-F1A3-475b-B511-66EF1744F3B1}.exe	41
PID 1604 wrote to memory of 1184	1604	{9DAFD645-355C-47df-B8AC-F3739DA7851D}.exe	42
PID 1604 wrote to memory of 1184	1604	{9DAFD645-355C-47df-B8AC-F3739DA7851D}.exe	42
PID 1604 wrote to memory of 1184	1604	{9DAFD645-355C-47df-B8AC-F3739DA7851D}.exe	42
PID 1604 wrote to memory of 1184	1604	{9DAFD645-355C-47df-B8AC-F3739DA7851D}.exe	42
PID 1604 wrote to memory of 1720	1604	{9DAFD645-355C-47df-B8AC-F3739DA7851D}.exe	43
PID 1604 wrote to memory of 1720	1604	{9DAFD645-355C-47df-B8AC-F3739DA7851D}.exe	43
PID 1604 wrote to memory of 1720	1604	{9DAFD645-355C-47df-B8AC-F3739DA7851D}.exe	43
PID 1604 wrote to memory of 1720	1604	{9DAFD645-355C-47df-B8AC-F3739DA7851D}.exe	43
PID 1184 wrote to memory of 2264	1184	{82264822-6A79-429f-BB2C-7426ED656FEC}.exe	44
PID 1184 wrote to memory of 2264	1184	{82264822-6A79-429f-BB2C-7426ED656FEC}.exe	44
PID 1184 wrote to memory of 2264	1184	{82264822-6A79-429f-BB2C-7426ED656FEC}.exe	44
PID 1184 wrote to memory of 2264	1184	{82264822-6A79-429f-BB2C-7426ED656FEC}.exe	44
PID 1184 wrote to memory of 1180	1184	{82264822-6A79-429f-BB2C-7426ED656FEC}.exe	45
PID 1184 wrote to memory of 1180	1184	{82264822-6A79-429f-BB2C-7426ED656FEC}.exe	45
PID 1184 wrote to memory of 1180	1184	{82264822-6A79-429f-BB2C-7426ED656FEC}.exe	45
PID 1184 wrote to memory of 1180	1184	{82264822-6A79-429f-BB2C-7426ED656FEC}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-02-23_e989b546a95541c29f914f9edf154be6_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-23_e989b546a95541c29f914f9edf154be6_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1656
- C:\Windows\{144D1B8B-565E-4b7e-8A36-8C3F0785FAD6}.exe
  C:\Windows\{144D1B8B-565E-4b7e-8A36-8C3F0785FAD6}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1924
- - C:\Windows\{C32DE5D6-9406-4e5f-A59C-A4CB901E6829}.exe
    C:\Windows\{C32DE5D6-9406-4e5f-A59C-A4CB901E6829}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2508
  - - C:\Windows\{34C78807-53B3-41d1-9AA9-F6BE6EC5DAA3}.exe
      C:\Windows\{34C78807-53B3-41d1-9AA9-F6BE6EC5DAA3}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2388
    - - C:\Windows\{EAA8A879-D8EA-4b9e-93C1-D4CB8DB9C9BA}.exe
        
        C:\Windows\{EAA8A879-D8EA-4b9e-93C1-D4CB8DB9C9BA}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2368
      - C:\Windows\{6A85FFB2-F1A3-475b-B511-66EF1744F3B1}.exe
        
        C:\Windows\{6A85FFB2-F1A3-475b-B511-66EF1744F3B1}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:864
        
        C:\Windows\{9DAFD645-355C-47df-B8AC-F3739DA7851D}.exe
        
        C:\Windows\{9DAFD645-355C-47df-B8AC-F3739DA7851D}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1604
        
        C:\Windows\{82264822-6A79-429f-BB2C-7426ED656FEC}.exe
        
        C:\Windows\{82264822-6A79-429f-BB2C-7426ED656FEC}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1184
        
        C:\Windows\{D3B8A510-3EEA-4a1d-A33A-51185882CAC8}.exe
        
        C:\Windows\{D3B8A510-3EEA-4a1d-A33A-51185882CAC8}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2264
        
        C:\Windows\{24F6805D-8E3B-4431-AB82-9BB915A7F1AB}.exe
        
        C:\Windows\{24F6805D-8E3B-4431-AB82-9BB915A7F1AB}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3052
        
        C:\Windows\{01403481-9632-4ec4-B6E0-DB0EEF41CE32}.exe
        
        C:\Windows\{01403481-9632-4ec4-B6E0-DB0EEF41CE32}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2068
        
        C:\Windows\{600036E4-26D1-4eb2-ACAF-F57881CF9226}.exe
        
        C:\Windows\{600036E4-26D1-4eb2-ACAF-F57881CF9226}.exe
        12⤵
        Executes dropped EXE
        
        PID:1828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{01403~1.EXE > nul
        12⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{24F68~1.EXE > nul
        11⤵
        
        PID:484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D3B8A~1.EXE > nul
        10⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{82264~1.EXE > nul
        9⤵
        
        PID:1180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9DAFD~1.EXE > nul
        8⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6A85F~1.EXE > nul
        7⤵
        
        PID:1488
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EAA8A~1.EXE > nul
        6⤵
        
        PID:2636
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{34C78~1.EXE > nul
        5⤵
        
        PID:548
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{C32DE~1.EXE > nul
      4⤵
      PID:2856
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{144D1~1.EXE > nul
    3⤵
    PID:2620
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:1668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{01403481-9632-4ec4-B6E0-DB0EEF41CE32}.exe

Filesize
204KB

MD5
750d55fe04bf3e6ef7cabb4075588843

SHA1
0ebeb4840206bafd9cc35e3f4058502eaf9c4770

SHA256
beb4d195e42e3b5e725856d636cc39308fada9ba740817e98c4cdd2b44e1eea6

SHA512
73ffb6d2a4bc5cb9157bba849f13a88892bee0a633a0e5ecc0feae5dff03ac51400fb6c7ae2146bda6941d6fcd15371501dedce7cdc3695bc7efa36e726506a7

Download Submit
C:\Windows\{144D1B8B-565E-4b7e-8A36-8C3F0785FAD6}.exe

Filesize
204KB

MD5
752ef1de9c032ab2cb3489ea95e5f07e

SHA1
f400976f515eecb125d79e0c1ad41fd50a75e6eb

SHA256
fe169329442b605825fed4432f4a383c139df0f7c566354b945789e911327e0b

SHA512
fb8d7faee4a1136eb17f57c72a95b305f3106a49dfe4299a5f14e312801ddec712c944f78e7e9ea2aa63309d45e09c6f87e8c63132760bee98a15a1045eeaf67

Download Submit
C:\Windows\{24F6805D-8E3B-4431-AB82-9BB915A7F1AB}.exe

Filesize
204KB

MD5
0afb4187f8fc7dc0eb4fa7c3b07b253e

SHA1
eca100ed1c608bdbddc2e323aa78794bf4a19b66

SHA256
92cfee9d1eaf274e41a340922e980ad13f8c50693ad91796b6317ac3a3c31c79

SHA512
ed4f03f8878632314fa25ecb2e4f195cfc7168a47cb9bc10051605a8456e68f0ed01974df9c8d1ce2a146fd66a996b152487a2051dc78214a355706a25444ef9

Download Submit
C:\Windows\{34C78807-53B3-41d1-9AA9-F6BE6EC5DAA3}.exe

Filesize
204KB

MD5
dd6459796d9790f4b348dd9330456a52

SHA1
2997c87426d1e98902d7a645f14ad41270522484

SHA256
b1f5489eebeda55b6832f7f4fc064891f7b822e4205040ac2752e2a3775a0e62

SHA512
b835618346a7e65302e8bd259380fd7b1e8d45cdd4f73bd164c0e6b0117fc2ed7fbbdaaf8f1b9278e2a6fdb3830eddb1ba597ae87ec7ca6d1457ddad659751a2

Download Submit
C:\Windows\{600036E4-26D1-4eb2-ACAF-F57881CF9226}.exe

Filesize
204KB

MD5
cf1bb55e110e5f9313328b498df96a9c

SHA1
c16584c5578d369239281201bb84ed54d90a281b

SHA256
3805b7bdf1afbe87e461212633d710b20f3d38f70ee5cab739a483a9f664bb32

SHA512
42276eeb77596391f4e68169bbad0193176265883c799f51b4d3357a8e42e02666ba8fd8db12845b4cf3ea47429d752ab94795396e05629b9e5cd94b7476cb2b

Download Submit
C:\Windows\{6A85FFB2-F1A3-475b-B511-66EF1744F3B1}.exe

Filesize
204KB

MD5
a1abdeb26d8aa7c492885c0b32cf0117

SHA1
52f184649adc48494e942748ae70586a4664234e

SHA256
8b6d2e80399c9e874723e5209db00191d9d0c5ff836eb905b204405c8ec84485

SHA512
eb7e1572a0bad56bf1f61bbc5f6399704724691a7c709691ab9ef8a62fd2e67c59bcb7ee24313b6df4e79a3736d22ee947ad3c5c767e4db789cfd5d93f0acb22

Download Submit
C:\Windows\{82264822-6A79-429f-BB2C-7426ED656FEC}.exe

Filesize
204KB

MD5
4741ed2bd3135e699e33d085a87c98ed

SHA1
e29b4a4e6af1061f295aaf07a80591de237cc832

SHA256
5c9a9ae2df0416ab853dabe6590b067bd3999779b5e8290ebd0828562a009865

SHA512
d87b9bef6a09f9778f365d9bc29192d4a6cb2f4dd7c51965d295a70dca22c00bd7f83e77fd846489d67ceae0ec90c3538d5ae3b6bb8a37e04f6484e9c3d81884

Download Submit
C:\Windows\{9DAFD645-355C-47df-B8AC-F3739DA7851D}.exe

Filesize
204KB

MD5
e44aa6b1c28a0a9a0bb7d2a1d309964c

SHA1
4a9c38482495564164e0ba64b86dffeab91c7f90

SHA256
c9b23776245bae3169f766a92e1c40d65d0b1177ea74f0f495b3a471b3b70f4f

SHA512
2c61eb36da98aa8748a8f4a48bb7ed22bb83856abe45fcedf34943e893bf7cb1f1cb6767b868c5349fa39239107cbc835543cc42c8765bc007b8cb1cf4be2480

Download Submit
C:\Windows\{C32DE5D6-9406-4e5f-A59C-A4CB901E6829}.exe

Filesize
204KB

MD5
d2920f4adac0281199fc657eb3297417

SHA1
dff2e6375d53bdd2f11616ae802f3b1f9324c313

SHA256
adff183e768ef0e48b2bdada58a776d555bdc5e18c4f83020414e40c81512d2d

SHA512
70fb019fd3aa498ef0df5f976a3ab9e53f9a48e3b139fddc1ff97ef07acb476aeb7ad3311789fbff1ea58c1bebdcc00465def0e50c1323d14ca1207bc7f695c6

Download Submit
C:\Windows\{D3B8A510-3EEA-4a1d-A33A-51185882CAC8}.exe

Filesize
204KB

MD5
cc75197ab6a10d2ebd8f8d62ca60c14f

SHA1
4fcae66df0c08f0f7221ad580c73ff0772b0163e

SHA256
e5e40735e1396baa9a2c9950055a7fac508dd92ccc89b7178bb5288ca2defcc8

SHA512
da63a6e60439a984490fcc1a6afc6cc6f56ca00896dd23e3b0c4e36196c007cd11dc02c96d4d55bc1a3a4428d41fb9d752933604907a2ffd2977b05c8ec5de6b

Download Submit
C:\Windows\{EAA8A879-D8EA-4b9e-93C1-D4CB8DB9C9BA}.exe

Filesize
204KB

MD5
d64ed6e3f470e22405a2582a1a3c8bb9

SHA1
07fab51207d85027dc5fe999cc647fa550bcb6d9

SHA256
1fb0fc36320ce491a5940214548fb8d9da81443199a949423191120cf32ba04d

SHA512
bf8a7d9f9a85cf564e7a682ff0547176d02d8524ebffceb93d7218ea83e623b35f194ad58bec8d589cf732e9145b22f9e7259721c8913025fa0f293a9cf1fd75

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads