22eb551e10a17923d9f1dadc82a4368348e79d4731ff62dfb4d4875b1ec38fc9

Analysis

max time kernel
144s
max time network
127s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
24/02/2024, 01:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-24_2a01eda4306ac7376ebdd725380cadce_goldeneye.exe
Size

408KB
MD5

2a01eda4306ac7376ebdd725380cadce
SHA1

1a5c369374ffa7ef2e870ee034e98c111b9b3959
SHA256

22eb551e10a17923d9f1dadc82a4368348e79d4731ff62dfb4d4875b1ec38fc9
SHA512

51bf8db2ed30df3cbddd5419469fb275e947fe7624e46635869935630cb2d18256edd321a6831bcaf6bc4d1765d670fa3ade4355288a8a724f75bb7190cd5477
SSDEEP

3072:CEGh0oAl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBft:CEGKldOe2MUVg3vTeKcAEciTBqr3jy9

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 14 IoCs

resource	yara_rule
behavioral1/files/0x000c00000001225d-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c00000001225d-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c00000001225d-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b000000013417-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d00000001225d-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0034000000013a53-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e00000001225d-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f00000001225d-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001000000001225d-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{48541360-5323-4053-BF30-8C01417F6D20}	{08D49DE8-A24E-467b-AE86-ED4EC64B2773}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{46ADE142-700C-44a2-906B-B8ACC54EFDE3}	{48541360-5323-4053-BF30-8C01417F6D20}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{047A4EAE-D00B-4f06-ACEA-CFD87CB90D01}	{C8378B6F-0FE1-4172-86C5-97C588875B63}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{37FB8722-538E-466b-BF19-0CF866F37B64}\stubpath = "C:\\Windows\\{37FB8722-538E-466b-BF19-0CF866F37B64}.exe"	2024-02-24_2a01eda4306ac7376ebdd725380cadce_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{08D49DE8-A24E-467b-AE86-ED4EC64B2773}	{271C6745-3821-41b4-8592-7480CE3E6D76}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A351C0F1-D592-489c-BB1A-447E6C45C4B1}\stubpath = "C:\\Windows\\{A351C0F1-D592-489c-BB1A-447E6C45C4B1}.exe"	{37FB8722-538E-466b-BF19-0CF866F37B64}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{271C6745-3821-41b4-8592-7480CE3E6D76}\stubpath = "C:\\Windows\\{271C6745-3821-41b4-8592-7480CE3E6D76}.exe"	{74C8D03E-7278-4532-AD80-73185464D39C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{48541360-5323-4053-BF30-8C01417F6D20}\stubpath = "C:\\Windows\\{48541360-5323-4053-BF30-8C01417F6D20}.exe"	{08D49DE8-A24E-467b-AE86-ED4EC64B2773}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{37FB8722-538E-466b-BF19-0CF866F37B64}	2024-02-24_2a01eda4306ac7376ebdd725380cadce_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A351C0F1-D592-489c-BB1A-447E6C45C4B1}	{37FB8722-538E-466b-BF19-0CF866F37B64}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{47835314-F6BC-4af8-BE09-4D695F80B9C8}\stubpath = "C:\\Windows\\{47835314-F6BC-4af8-BE09-4D695F80B9C8}.exe"	{25E0D14A-E3AC-4c95-8CB8-4B6DE9587896}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C8378B6F-0FE1-4172-86C5-97C588875B63}\stubpath = "C:\\Windows\\{C8378B6F-0FE1-4172-86C5-97C588875B63}.exe"	{47835314-F6BC-4af8-BE09-4D695F80B9C8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{25E0D14A-E3AC-4c95-8CB8-4B6DE9587896}	{46ADE142-700C-44a2-906B-B8ACC54EFDE3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{47835314-F6BC-4af8-BE09-4D695F80B9C8}	{25E0D14A-E3AC-4c95-8CB8-4B6DE9587896}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{271C6745-3821-41b4-8592-7480CE3E6D76}	{74C8D03E-7278-4532-AD80-73185464D39C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{08D49DE8-A24E-467b-AE86-ED4EC64B2773}\stubpath = "C:\\Windows\\{08D49DE8-A24E-467b-AE86-ED4EC64B2773}.exe"	{271C6745-3821-41b4-8592-7480CE3E6D76}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{46ADE142-700C-44a2-906B-B8ACC54EFDE3}\stubpath = "C:\\Windows\\{46ADE142-700C-44a2-906B-B8ACC54EFDE3}.exe"	{48541360-5323-4053-BF30-8C01417F6D20}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{25E0D14A-E3AC-4c95-8CB8-4B6DE9587896}\stubpath = "C:\\Windows\\{25E0D14A-E3AC-4c95-8CB8-4B6DE9587896}.exe"	{46ADE142-700C-44a2-906B-B8ACC54EFDE3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C8378B6F-0FE1-4172-86C5-97C588875B63}	{47835314-F6BC-4af8-BE09-4D695F80B9C8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{047A4EAE-D00B-4f06-ACEA-CFD87CB90D01}\stubpath = "C:\\Windows\\{047A4EAE-D00B-4f06-ACEA-CFD87CB90D01}.exe"	{C8378B6F-0FE1-4172-86C5-97C588875B63}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{74C8D03E-7278-4532-AD80-73185464D39C}	{A351C0F1-D592-489c-BB1A-447E6C45C4B1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{74C8D03E-7278-4532-AD80-73185464D39C}\stubpath = "C:\\Windows\\{74C8D03E-7278-4532-AD80-73185464D39C}.exe"	{A351C0F1-D592-489c-BB1A-447E6C45C4B1}.exe

Deletes itself 1 IoCs

pid	Process
2712	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2356	{37FB8722-538E-466b-BF19-0CF866F37B64}.exe
2640	{A351C0F1-D592-489c-BB1A-447E6C45C4B1}.exe
2468	{74C8D03E-7278-4532-AD80-73185464D39C}.exe
2476	{271C6745-3821-41b4-8592-7480CE3E6D76}.exe
2816	{08D49DE8-A24E-467b-AE86-ED4EC64B2773}.exe
2668	{48541360-5323-4053-BF30-8C01417F6D20}.exe
1752	{46ADE142-700C-44a2-906B-B8ACC54EFDE3}.exe
2772	{25E0D14A-E3AC-4c95-8CB8-4B6DE9587896}.exe
1732	{47835314-F6BC-4af8-BE09-4D695F80B9C8}.exe
2000	{C8378B6F-0FE1-4172-86C5-97C588875B63}.exe
772	{047A4EAE-D00B-4f06-ACEA-CFD87CB90D01}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{A351C0F1-D592-489c-BB1A-447E6C45C4B1}.exe	{37FB8722-538E-466b-BF19-0CF866F37B64}.exe
File created	C:\Windows\{271C6745-3821-41b4-8592-7480CE3E6D76}.exe	{74C8D03E-7278-4532-AD80-73185464D39C}.exe
File created	C:\Windows\{08D49DE8-A24E-467b-AE86-ED4EC64B2773}.exe	{271C6745-3821-41b4-8592-7480CE3E6D76}.exe
File created	C:\Windows\{48541360-5323-4053-BF30-8C01417F6D20}.exe	{08D49DE8-A24E-467b-AE86-ED4EC64B2773}.exe
File created	C:\Windows\{46ADE142-700C-44a2-906B-B8ACC54EFDE3}.exe	{48541360-5323-4053-BF30-8C01417F6D20}.exe
File created	C:\Windows\{C8378B6F-0FE1-4172-86C5-97C588875B63}.exe	{47835314-F6BC-4af8-BE09-4D695F80B9C8}.exe
File created	C:\Windows\{37FB8722-538E-466b-BF19-0CF866F37B64}.exe	2024-02-24_2a01eda4306ac7376ebdd725380cadce_goldeneye.exe
File created	C:\Windows\{74C8D03E-7278-4532-AD80-73185464D39C}.exe	{A351C0F1-D592-489c-BB1A-447E6C45C4B1}.exe
File created	C:\Windows\{25E0D14A-E3AC-4c95-8CB8-4B6DE9587896}.exe	{46ADE142-700C-44a2-906B-B8ACC54EFDE3}.exe
File created	C:\Windows\{47835314-F6BC-4af8-BE09-4D695F80B9C8}.exe	{25E0D14A-E3AC-4c95-8CB8-4B6DE9587896}.exe
File created	C:\Windows\{047A4EAE-D00B-4f06-ACEA-CFD87CB90D01}.exe	{C8378B6F-0FE1-4172-86C5-97C588875B63}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2200	2024-02-24_2a01eda4306ac7376ebdd725380cadce_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2356	{37FB8722-538E-466b-BF19-0CF866F37B64}.exe
Token: SeIncBasePriorityPrivilege	2640	{A351C0F1-D592-489c-BB1A-447E6C45C4B1}.exe
Token: SeIncBasePriorityPrivilege	2468	{74C8D03E-7278-4532-AD80-73185464D39C}.exe
Token: SeIncBasePriorityPrivilege	2476	{271C6745-3821-41b4-8592-7480CE3E6D76}.exe
Token: SeIncBasePriorityPrivilege	2816	{08D49DE8-A24E-467b-AE86-ED4EC64B2773}.exe
Token: SeIncBasePriorityPrivilege	2668	{48541360-5323-4053-BF30-8C01417F6D20}.exe
Token: SeIncBasePriorityPrivilege	1752	{46ADE142-700C-44a2-906B-B8ACC54EFDE3}.exe
Token: SeIncBasePriorityPrivilege	2772	{25E0D14A-E3AC-4c95-8CB8-4B6DE9587896}.exe
Token: SeIncBasePriorityPrivilege	1732	{47835314-F6BC-4af8-BE09-4D695F80B9C8}.exe
Token: SeIncBasePriorityPrivilege	2000	{C8378B6F-0FE1-4172-86C5-97C588875B63}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2200 wrote to memory of 2356	2200	2024-02-24_2a01eda4306ac7376ebdd725380cadce_goldeneye.exe	28
PID 2200 wrote to memory of 2356	2200	2024-02-24_2a01eda4306ac7376ebdd725380cadce_goldeneye.exe	28
PID 2200 wrote to memory of 2356	2200	2024-02-24_2a01eda4306ac7376ebdd725380cadce_goldeneye.exe	28
PID 2200 wrote to memory of 2356	2200	2024-02-24_2a01eda4306ac7376ebdd725380cadce_goldeneye.exe	28
PID 2200 wrote to memory of 2712	2200	2024-02-24_2a01eda4306ac7376ebdd725380cadce_goldeneye.exe	29
PID 2200 wrote to memory of 2712	2200	2024-02-24_2a01eda4306ac7376ebdd725380cadce_goldeneye.exe	29
PID 2200 wrote to memory of 2712	2200	2024-02-24_2a01eda4306ac7376ebdd725380cadce_goldeneye.exe	29
PID 2200 wrote to memory of 2712	2200	2024-02-24_2a01eda4306ac7376ebdd725380cadce_goldeneye.exe	29
PID 2356 wrote to memory of 2640	2356	{37FB8722-538E-466b-BF19-0CF866F37B64}.exe	30
PID 2356 wrote to memory of 2640	2356	{37FB8722-538E-466b-BF19-0CF866F37B64}.exe	30
PID 2356 wrote to memory of 2640	2356	{37FB8722-538E-466b-BF19-0CF866F37B64}.exe	30
PID 2356 wrote to memory of 2640	2356	{37FB8722-538E-466b-BF19-0CF866F37B64}.exe	30
PID 2356 wrote to memory of 2624	2356	{37FB8722-538E-466b-BF19-0CF866F37B64}.exe	31
PID 2356 wrote to memory of 2624	2356	{37FB8722-538E-466b-BF19-0CF866F37B64}.exe	31
PID 2356 wrote to memory of 2624	2356	{37FB8722-538E-466b-BF19-0CF866F37B64}.exe	31
PID 2356 wrote to memory of 2624	2356	{37FB8722-538E-466b-BF19-0CF866F37B64}.exe	31
PID 2640 wrote to memory of 2468	2640	{A351C0F1-D592-489c-BB1A-447E6C45C4B1}.exe	32
PID 2640 wrote to memory of 2468	2640	{A351C0F1-D592-489c-BB1A-447E6C45C4B1}.exe	32
PID 2640 wrote to memory of 2468	2640	{A351C0F1-D592-489c-BB1A-447E6C45C4B1}.exe	32
PID 2640 wrote to memory of 2468	2640	{A351C0F1-D592-489c-BB1A-447E6C45C4B1}.exe	32
PID 2640 wrote to memory of 2796	2640	{A351C0F1-D592-489c-BB1A-447E6C45C4B1}.exe	33
PID 2640 wrote to memory of 2796	2640	{A351C0F1-D592-489c-BB1A-447E6C45C4B1}.exe	33
PID 2640 wrote to memory of 2796	2640	{A351C0F1-D592-489c-BB1A-447E6C45C4B1}.exe	33
PID 2640 wrote to memory of 2796	2640	{A351C0F1-D592-489c-BB1A-447E6C45C4B1}.exe	33
PID 2468 wrote to memory of 2476	2468	{74C8D03E-7278-4532-AD80-73185464D39C}.exe	36
PID 2468 wrote to memory of 2476	2468	{74C8D03E-7278-4532-AD80-73185464D39C}.exe	36
PID 2468 wrote to memory of 2476	2468	{74C8D03E-7278-4532-AD80-73185464D39C}.exe	36
PID 2468 wrote to memory of 2476	2468	{74C8D03E-7278-4532-AD80-73185464D39C}.exe	36
PID 2468 wrote to memory of 1684	2468	{74C8D03E-7278-4532-AD80-73185464D39C}.exe	37
PID 2468 wrote to memory of 1684	2468	{74C8D03E-7278-4532-AD80-73185464D39C}.exe	37
PID 2468 wrote to memory of 1684	2468	{74C8D03E-7278-4532-AD80-73185464D39C}.exe	37
PID 2468 wrote to memory of 1684	2468	{74C8D03E-7278-4532-AD80-73185464D39C}.exe	37
PID 2476 wrote to memory of 2816	2476	{271C6745-3821-41b4-8592-7480CE3E6D76}.exe	39
PID 2476 wrote to memory of 2816	2476	{271C6745-3821-41b4-8592-7480CE3E6D76}.exe	39
PID 2476 wrote to memory of 2816	2476	{271C6745-3821-41b4-8592-7480CE3E6D76}.exe	39
PID 2476 wrote to memory of 2816	2476	{271C6745-3821-41b4-8592-7480CE3E6D76}.exe	39
PID 2476 wrote to memory of 2472	2476	{271C6745-3821-41b4-8592-7480CE3E6D76}.exe	38
PID 2476 wrote to memory of 2472	2476	{271C6745-3821-41b4-8592-7480CE3E6D76}.exe	38
PID 2476 wrote to memory of 2472	2476	{271C6745-3821-41b4-8592-7480CE3E6D76}.exe	38
PID 2476 wrote to memory of 2472	2476	{271C6745-3821-41b4-8592-7480CE3E6D76}.exe	38
PID 2816 wrote to memory of 2668	2816	{08D49DE8-A24E-467b-AE86-ED4EC64B2773}.exe	41
PID 2816 wrote to memory of 2668	2816	{08D49DE8-A24E-467b-AE86-ED4EC64B2773}.exe	41
PID 2816 wrote to memory of 2668	2816	{08D49DE8-A24E-467b-AE86-ED4EC64B2773}.exe	41
PID 2816 wrote to memory of 2668	2816	{08D49DE8-A24E-467b-AE86-ED4EC64B2773}.exe	41
PID 2816 wrote to memory of 1032	2816	{08D49DE8-A24E-467b-AE86-ED4EC64B2773}.exe	40
PID 2816 wrote to memory of 1032	2816	{08D49DE8-A24E-467b-AE86-ED4EC64B2773}.exe	40
PID 2816 wrote to memory of 1032	2816	{08D49DE8-A24E-467b-AE86-ED4EC64B2773}.exe	40
PID 2816 wrote to memory of 1032	2816	{08D49DE8-A24E-467b-AE86-ED4EC64B2773}.exe	40
PID 2668 wrote to memory of 1752	2668	{48541360-5323-4053-BF30-8C01417F6D20}.exe	43
PID 2668 wrote to memory of 1752	2668	{48541360-5323-4053-BF30-8C01417F6D20}.exe	43
PID 2668 wrote to memory of 1752	2668	{48541360-5323-4053-BF30-8C01417F6D20}.exe	43
PID 2668 wrote to memory of 1752	2668	{48541360-5323-4053-BF30-8C01417F6D20}.exe	43
PID 2668 wrote to memory of 1436	2668	{48541360-5323-4053-BF30-8C01417F6D20}.exe	42
PID 2668 wrote to memory of 1436	2668	{48541360-5323-4053-BF30-8C01417F6D20}.exe	42
PID 2668 wrote to memory of 1436	2668	{48541360-5323-4053-BF30-8C01417F6D20}.exe	42
PID 2668 wrote to memory of 1436	2668	{48541360-5323-4053-BF30-8C01417F6D20}.exe	42
PID 1752 wrote to memory of 2772	1752	{46ADE142-700C-44a2-906B-B8ACC54EFDE3}.exe	45
PID 1752 wrote to memory of 2772	1752	{46ADE142-700C-44a2-906B-B8ACC54EFDE3}.exe	45
PID 1752 wrote to memory of 2772	1752	{46ADE142-700C-44a2-906B-B8ACC54EFDE3}.exe	45
PID 1752 wrote to memory of 2772	1752	{46ADE142-700C-44a2-906B-B8ACC54EFDE3}.exe	45
PID 1752 wrote to memory of 1192	1752	{46ADE142-700C-44a2-906B-B8ACC54EFDE3}.exe	44
PID 1752 wrote to memory of 1192	1752	{46ADE142-700C-44a2-906B-B8ACC54EFDE3}.exe	44
PID 1752 wrote to memory of 1192	1752	{46ADE142-700C-44a2-906B-B8ACC54EFDE3}.exe	44
PID 1752 wrote to memory of 1192	1752	{46ADE142-700C-44a2-906B-B8ACC54EFDE3}.exe	44

C:\Users\Admin\AppData\Local\Temp\2024-02-24_2a01eda4306ac7376ebdd725380cadce_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-24_2a01eda4306ac7376ebdd725380cadce_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2200
- C:\Windows\{37FB8722-538E-466b-BF19-0CF866F37B64}.exe
  C:\Windows\{37FB8722-538E-466b-BF19-0CF866F37B64}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2356
- - C:\Windows\{A351C0F1-D592-489c-BB1A-447E6C45C4B1}.exe
    C:\Windows\{A351C0F1-D592-489c-BB1A-447E6C45C4B1}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2640
  - - C:\Windows\{74C8D03E-7278-4532-AD80-73185464D39C}.exe
      C:\Windows\{74C8D03E-7278-4532-AD80-73185464D39C}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2468
    - - C:\Windows\{271C6745-3821-41b4-8592-7480CE3E6D76}.exe
        
        C:\Windows\{271C6745-3821-41b4-8592-7480CE3E6D76}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2476
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{271C6~1.EXE > nul
        6⤵
        
        PID:2472
      - C:\Windows\{08D49DE8-A24E-467b-AE86-ED4EC64B2773}.exe
        
        C:\Windows\{08D49DE8-A24E-467b-AE86-ED4EC64B2773}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{08D49~1.EXE > nul
        7⤵
        
        PID:1032
        
        C:\Windows\{48541360-5323-4053-BF30-8C01417F6D20}.exe
        
        C:\Windows\{48541360-5323-4053-BF30-8C01417F6D20}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{48541~1.EXE > nul
        8⤵
        
        PID:1436
        
        C:\Windows\{46ADE142-700C-44a2-906B-B8ACC54EFDE3}.exe
        
        C:\Windows\{46ADE142-700C-44a2-906B-B8ACC54EFDE3}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{46ADE~1.EXE > nul
        9⤵
        
        PID:1192
        
        C:\Windows\{25E0D14A-E3AC-4c95-8CB8-4B6DE9587896}.exe
        
        C:\Windows\{25E0D14A-E3AC-4c95-8CB8-4B6DE9587896}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{25E0D~1.EXE > nul
        10⤵
        
        PID:2272
        
        C:\Windows\{47835314-F6BC-4af8-BE09-4D695F80B9C8}.exe
        
        C:\Windows\{47835314-F6BC-4af8-BE09-4D695F80B9C8}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1732
        
        C:\Windows\{C8378B6F-0FE1-4172-86C5-97C588875B63}.exe
        
        C:\Windows\{C8378B6F-0FE1-4172-86C5-97C588875B63}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C8378~1.EXE > nul
        12⤵
        
        PID:1484
        
        C:\Windows\{047A4EAE-D00B-4f06-ACEA-CFD87CB90D01}.exe
        
        C:\Windows\{047A4EAE-D00B-4f06-ACEA-CFD87CB90D01}.exe
        12⤵
        Executes dropped EXE
        
        PID:772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{47835~1.EXE > nul
        11⤵
        
        PID:2880
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{74C8D~1.EXE > nul
        5⤵
        
        PID:1684
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{A351C~1.EXE > nul
      4⤵
      PID:2796
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{37FB8~1.EXE > nul
    3⤵
    PID:2624
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{047A4EAE-D00B-4f06-ACEA-CFD87CB90D01}.exe

Filesize
408KB

MD5
20087d9842ce46e847f84ae6ac11af6c

SHA1
7f97baf4e4586ccf3d1ed768f181cfed95539972

SHA256
9bc132859c53b1f46bcc7cfab217c131f6e3c394d01412522177bf41aba195a5

SHA512
b5daadb9e79dbce34299bfc47ed9c9433b901544bd1fca6ae70b950e42c6f2b015ee846164db5daf2c6b0ceebeb4287930e95c07ed9ce83371990f6a542abbb5

Download Submit
C:\Windows\{08D49DE8-A24E-467b-AE86-ED4EC64B2773}.exe

Filesize
383KB

MD5
34f1e56208a5a4d4e3a4ca8aa3bd40bb

SHA1
ecced4917a30da6229b2328112ddea1e007752d3

SHA256
c82166d4f1f8c75b330af859361cf2f63b6784b0e75957206a93640387b4b2dd

SHA512
afa0ed18c8ab724b0502406b16d8bc33c2d3e712c54267a40c96c26c6f079220bbbf99340a2efa013ac08e44c45daf2917f0a39537cb5161627dea3880fb10f0

Download Submit
C:\Windows\{08D49DE8-A24E-467b-AE86-ED4EC64B2773}.exe

Filesize
408KB

MD5
2bae0fe55af6c59c4208d218fe802c13

SHA1
ca469b57c0a5e6d9052d80363c741f21de4a4ccc

SHA256
5920991dd6ddcf98f6599dece804a59997cc9f30223007a54f236dbdd9210187

SHA512
fe8a5655b45af9d61bc763e8bd1a78e6bf567a4ffbb088a5d5f27dab21f525ddb54e7464d877653de2f75413e1e90d58135ae04be8ffb5820c2477bbcaa686c4

Download Submit
C:\Windows\{25E0D14A-E3AC-4c95-8CB8-4B6DE9587896}.exe

Filesize
408KB

MD5
71b70410cf7b4b2072ac5f733897a0d3

SHA1
cec7a9391fa7b6e53c8c1e2d09007507a3386d9a

SHA256
9c5a2ca3ef138553b20372005cea443abdd6e76580e4d90c35ac6cbd32c0c4bc

SHA512
63c6f11d99595ea3f23d5ae0402640b9fac2b61477d73ed73fe1696d725a5047b9ea6d3897454ebb137ffcc6e151327a227ce28ef009c51446f452bed0b8a12c

Download Submit
C:\Windows\{271C6745-3821-41b4-8592-7480CE3E6D76}.exe

Filesize
408KB

MD5
2bc2f96481f661e78c9f99666054cd80

SHA1
045b77f0f2e0082c5e9af47d2dc96b9c41458037

SHA256
d9700db6299335f953cb86de48ad1bc43acf564bd995bda82c72bd7785137f48

SHA512
5f724a94d07f41818f84d76450f2f096035ca8010111f0cc5bfd9d359e6e8d972a02aa38bfb95c8f0140e2b3166c5fc49ef0c4a9cb7a55a4aeaf04e2b4784d1a

Download Submit
C:\Windows\{37FB8722-538E-466b-BF19-0CF866F37B64}.exe

Filesize
228KB

MD5
a41f00bec1ba21894023703e0a8c54af

SHA1
d53cbf053ae4290b5c802ad081e5a6a7cf4312c7

SHA256
4374abde766f1fd6d166e62f6559ecfff6578b03ab5c0c5c6217d22ff26ee63b

SHA512
86433b62d469a48174895a491f20d6a9e6ad16b37fe1499857ad3d4545e54fb74b9dab0a83a20fa5ebe502f75979f95b3ccc7b7ae73a01732757dd309ccb28f0

Download Submit
C:\Windows\{37FB8722-538E-466b-BF19-0CF866F37B64}.exe

Filesize
150KB

MD5
1ee73fd78d481175dc16494462edb4f3

SHA1
5a24565f2ff2f719c0a571c17bcde561300c5c6c

SHA256
f91b043b0d8ba50b6897a531beae63935472678fd2b7624740e261a44720222e

SHA512
15f68c5592dacc0a2aea3f69f922c998acee85eacf9540cd00f86c3a8b96292281c3a3f88f0be03e51097c1bab254375b98bb352c85a10446feffe17d33244fc

Download Submit
C:\Windows\{37FB8722-538E-466b-BF19-0CF866F37B64}.exe

Filesize
408KB

MD5
065c3d80b1cb354526ed3d7235745bd8

SHA1
aaad1796810ee99bb0f553fb8b5ba5adb53faaa0

SHA256
fb22c54f0f2a4e7f6c8190eae70deef0bc6c9eee41b2e36beb830696125e2bb1

SHA512
ed4c19ae4494050b7ce659a7aa57ffbbdeaccd4caa695a18d69c395ed4092d25bc362e52a85b84f5ed5d262bfb66d48294ff8193fbb16b91af5e588407fbd88d

Download Submit
C:\Windows\{46ADE142-700C-44a2-906B-B8ACC54EFDE3}.exe

Filesize
408KB

MD5
7bc6d8f3827e34a15f5f9f384312cd04

SHA1
ab74140960ddfc5f8923cf9bc6c7441fb8a348fd

SHA256
2badca99da723053bdb58ce04545a920c93998e294107a1a34bf0008164d092c

SHA512
c9cdd1ecc3d367ac6c22f1adb96d830a4824320cbf0ec13b1eabd159538209157c577e6449d447515502b3d08e717cbbaf3b287cbab90ef45eeef4fa55a90bc9

Download Submit
C:\Windows\{47835314-F6BC-4af8-BE09-4D695F80B9C8}.exe

Filesize
408KB

MD5
ff9f412a1f1ce32adcdee5a8658054b1

SHA1
db2a421d620268e08f4ac2f515b857416dc2ac69

SHA256
806ecd6c5ca482ffe111e07cc94e037868785c0aeff858d2dce7aa5f891ae779

SHA512
b374a256ee60db4712fdaaa001a4bee982ef985f39b66e43b9541796341b04dc3412d2ede8489442cd0b890d7d7f95bee6b7faa3c17abfd7adbbece1bf014c7e

Download Submit
C:\Windows\{48541360-5323-4053-BF30-8C01417F6D20}.exe

Filesize
408KB

MD5
1d598b38c77800a5c412b10b2be555db

SHA1
b8939f441a12d73aa7d475ef088cb5f4b4d66815

SHA256
0dd9f071cd9ec6f61dc3df32937231e92bdd49580de9802c21fc0b9798c2a2f7

SHA512
af1a07c903114dba21f6ffe286f4935a6b42e860985f6c74f478bba1666cf160c906fa4f2e0dff822fe7bc36f716e58e6665b2e3616546899f1f40b54bf942af

Download Submit
C:\Windows\{74C8D03E-7278-4532-AD80-73185464D39C}.exe

Filesize
408KB

MD5
f39a02d505d051ed397ac08d198eb947

SHA1
e77bf7c1b592e2634e7d10a1c27c15cb700d0ea8

SHA256
4da5a589d3929af476d176e91e51e60a0262855ab5e93e4af2b9f731dbc13364

SHA512
476181164a0a20f86b839b927f8bbbc1bff0e423fcabbc2ecc154172e0331df1b818124ce02ddd977516bb840d36fe1cdea67892e6262fcc4845c3f54ca820e5

Download Submit
C:\Windows\{A351C0F1-D592-489c-BB1A-447E6C45C4B1}.exe

Filesize
408KB

MD5
4efb846d7d08ecc6f3a9fa00e45f9f3d

SHA1
80781bd7e6b08103685a6b44a1a16c782a07cd8a

SHA256
848c02d885a5c89de3471d3748dbfc59f68a77442eb01538032fb37159c05675

SHA512
e3f74b714dbf56cb99c42f03135b5e6746bac493e004f1902e89c7adb35ba4a0e50fcb14b66218372d82c4ec423b8b3d780c3f3a4a2d9cb136537263848fcc3b

Download Submit
C:\Windows\{C8378B6F-0FE1-4172-86C5-97C588875B63}.exe

Filesize
408KB

MD5
1f3ca27c07867178bdbd75d85638eddf

SHA1
ecf1b7f8648b6501dcf2c3ab33157196f99ae5bb

SHA256
5de3f1e5cb58cb6842dffbfb3ffffc474a0d76919088935fe25a166fccf120a0

SHA512
b41e5dbf3979d8e109058249def8875daa4933e87db20f8453358b137a6c4801fcff833db177f45dc29436718d369f1c3afa47eab43a9829c48c44e15e4e9ef3

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads