a1c12373643a9a4de6f86c3d57882487c8328441f709f03e370e2cb0561e8b56

Analysis

max time kernel
144s
max time network
120s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
24/02/2024, 20:31

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-02-24_9639300f59e97c3e64a5f23d5602b8d7_goldeneye.exe
Size

197KB
MD5

9639300f59e97c3e64a5f23d5602b8d7
SHA1

c7696aa7fb5e84e7b10fdc688317668f700f94d6
SHA256

a1c12373643a9a4de6f86c3d57882487c8328441f709f03e370e2cb0561e8b56
SHA512

81c97c631093431ea038f714d246eb17fa79a09f13f24fa18ac0e32e93b7fccbada684f2c283199968099730c6afeccbd037bab8b43641124f4ad4511210c7b5
SSDEEP

3072:jEGh0orl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGJlEeKcAEca

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000b000000012257-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000012306-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000012257-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0032000000015c95-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000900000000f6f2-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000012257-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a00000000f6f2-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e000000012257-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b00000000f6f2-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f000000012257-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c00000000f6f2-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E1DAE0E1-5A0C-4182-B009-3950BFB90D4F}	{75D571A3-6E7C-4a48-86A1-9B249D91169D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{755603DC-832F-4686-8F63-49180464BF00}\stubpath = "C:\\Windows\\{755603DC-832F-4686-8F63-49180464BF00}.exe"	{E1DAE0E1-5A0C-4182-B009-3950BFB90D4F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9A7434A2-AEA0-4fd6-ADE8-3130A08401E4}	{84E31E57-0BC1-4b72-81B1-3C41ECEC2508}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EC3DA2AF-C815-452c-8678-72080207B58F}\stubpath = "C:\\Windows\\{EC3DA2AF-C815-452c-8678-72080207B58F}.exe"	{B7AEC0AD-6658-47ba-8A9B-F0172119ECB8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E1DAE0E1-5A0C-4182-B009-3950BFB90D4F}\stubpath = "C:\\Windows\\{E1DAE0E1-5A0C-4182-B009-3950BFB90D4F}.exe"	{75D571A3-6E7C-4a48-86A1-9B249D91169D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9E45A74C-C58D-455f-957B-6A51FD8FE4D0}\stubpath = "C:\\Windows\\{9E45A74C-C58D-455f-957B-6A51FD8FE4D0}.exe"	{8C040A74-F040-4bc8-8F77-C32C3B76A819}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{84E31E57-0BC1-4b72-81B1-3C41ECEC2508}\stubpath = "C:\\Windows\\{84E31E57-0BC1-4b72-81B1-3C41ECEC2508}.exe"	{9E45A74C-C58D-455f-957B-6A51FD8FE4D0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9A7434A2-AEA0-4fd6-ADE8-3130A08401E4}\stubpath = "C:\\Windows\\{9A7434A2-AEA0-4fd6-ADE8-3130A08401E4}.exe"	{84E31E57-0BC1-4b72-81B1-3C41ECEC2508}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B7AEC0AD-6658-47ba-8A9B-F0172119ECB8}	{5B25CE34-D5B6-4b6c-B80E-6245D5325B46}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{755603DC-832F-4686-8F63-49180464BF00}	{E1DAE0E1-5A0C-4182-B009-3950BFB90D4F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8C040A74-F040-4bc8-8F77-C32C3B76A819}	{755603DC-832F-4686-8F63-49180464BF00}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9E45A74C-C58D-455f-957B-6A51FD8FE4D0}	{8C040A74-F040-4bc8-8F77-C32C3B76A819}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5B25CE34-D5B6-4b6c-B80E-6245D5325B46}	{9A7434A2-AEA0-4fd6-ADE8-3130A08401E4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5B25CE34-D5B6-4b6c-B80E-6245D5325B46}\stubpath = "C:\\Windows\\{5B25CE34-D5B6-4b6c-B80E-6245D5325B46}.exe"	{9A7434A2-AEA0-4fd6-ADE8-3130A08401E4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B7AEC0AD-6658-47ba-8A9B-F0172119ECB8}\stubpath = "C:\\Windows\\{B7AEC0AD-6658-47ba-8A9B-F0172119ECB8}.exe"	{5B25CE34-D5B6-4b6c-B80E-6245D5325B46}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{75D571A3-6E7C-4a48-86A1-9B249D91169D}	2024-02-24_9639300f59e97c3e64a5f23d5602b8d7_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{75D571A3-6E7C-4a48-86A1-9B249D91169D}\stubpath = "C:\\Windows\\{75D571A3-6E7C-4a48-86A1-9B249D91169D}.exe"	2024-02-24_9639300f59e97c3e64a5f23d5602b8d7_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8C040A74-F040-4bc8-8F77-C32C3B76A819}\stubpath = "C:\\Windows\\{8C040A74-F040-4bc8-8F77-C32C3B76A819}.exe"	{755603DC-832F-4686-8F63-49180464BF00}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{84E31E57-0BC1-4b72-81B1-3C41ECEC2508}	{9E45A74C-C58D-455f-957B-6A51FD8FE4D0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EC3DA2AF-C815-452c-8678-72080207B58F}	{B7AEC0AD-6658-47ba-8A9B-F0172119ECB8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1223E6E0-9626-4161-913E-78944CDB2968}	{EC3DA2AF-C815-452c-8678-72080207B58F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1223E6E0-9626-4161-913E-78944CDB2968}\stubpath = "C:\\Windows\\{1223E6E0-9626-4161-913E-78944CDB2968}.exe"	{EC3DA2AF-C815-452c-8678-72080207B58F}.exe

Deletes itself 1 IoCs

pid	Process
2552	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
3036	{75D571A3-6E7C-4a48-86A1-9B249D91169D}.exe
2708	{E1DAE0E1-5A0C-4182-B009-3950BFB90D4F}.exe
2576	{755603DC-832F-4686-8F63-49180464BF00}.exe
652	{8C040A74-F040-4bc8-8F77-C32C3B76A819}.exe
2800	{9E45A74C-C58D-455f-957B-6A51FD8FE4D0}.exe
1168	{84E31E57-0BC1-4b72-81B1-3C41ECEC2508}.exe
1484	{9A7434A2-AEA0-4fd6-ADE8-3130A08401E4}.exe
1208	{5B25CE34-D5B6-4b6c-B80E-6245D5325B46}.exe
1152	{B7AEC0AD-6658-47ba-8A9B-F0172119ECB8}.exe
2856	{EC3DA2AF-C815-452c-8678-72080207B58F}.exe
1312	{1223E6E0-9626-4161-913E-78944CDB2968}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{84E31E57-0BC1-4b72-81B1-3C41ECEC2508}.exe	{9E45A74C-C58D-455f-957B-6A51FD8FE4D0}.exe
File created	C:\Windows\{5B25CE34-D5B6-4b6c-B80E-6245D5325B46}.exe	{9A7434A2-AEA0-4fd6-ADE8-3130A08401E4}.exe
File created	C:\Windows\{B7AEC0AD-6658-47ba-8A9B-F0172119ECB8}.exe	{5B25CE34-D5B6-4b6c-B80E-6245D5325B46}.exe
File created	C:\Windows\{1223E6E0-9626-4161-913E-78944CDB2968}.exe	{EC3DA2AF-C815-452c-8678-72080207B58F}.exe
File created	C:\Windows\{75D571A3-6E7C-4a48-86A1-9B249D91169D}.exe	2024-02-24_9639300f59e97c3e64a5f23d5602b8d7_goldeneye.exe
File created	C:\Windows\{E1DAE0E1-5A0C-4182-B009-3950BFB90D4F}.exe	{75D571A3-6E7C-4a48-86A1-9B249D91169D}.exe
File created	C:\Windows\{755603DC-832F-4686-8F63-49180464BF00}.exe	{E1DAE0E1-5A0C-4182-B009-3950BFB90D4F}.exe
File created	C:\Windows\{8C040A74-F040-4bc8-8F77-C32C3B76A819}.exe	{755603DC-832F-4686-8F63-49180464BF00}.exe
File created	C:\Windows\{9E45A74C-C58D-455f-957B-6A51FD8FE4D0}.exe	{8C040A74-F040-4bc8-8F77-C32C3B76A819}.exe
File created	C:\Windows\{9A7434A2-AEA0-4fd6-ADE8-3130A08401E4}.exe	{84E31E57-0BC1-4b72-81B1-3C41ECEC2508}.exe
File created	C:\Windows\{EC3DA2AF-C815-452c-8678-72080207B58F}.exe	{B7AEC0AD-6658-47ba-8A9B-F0172119ECB8}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2016	2024-02-24_9639300f59e97c3e64a5f23d5602b8d7_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3036	{75D571A3-6E7C-4a48-86A1-9B249D91169D}.exe
Token: SeIncBasePriorityPrivilege	2708	{E1DAE0E1-5A0C-4182-B009-3950BFB90D4F}.exe
Token: SeIncBasePriorityPrivilege	2576	{755603DC-832F-4686-8F63-49180464BF00}.exe
Token: SeIncBasePriorityPrivilege	652	{8C040A74-F040-4bc8-8F77-C32C3B76A819}.exe
Token: SeIncBasePriorityPrivilege	2800	{9E45A74C-C58D-455f-957B-6A51FD8FE4D0}.exe
Token: SeIncBasePriorityPrivilege	1168	{84E31E57-0BC1-4b72-81B1-3C41ECEC2508}.exe
Token: SeIncBasePriorityPrivilege	1484	{9A7434A2-AEA0-4fd6-ADE8-3130A08401E4}.exe
Token: SeIncBasePriorityPrivilege	1208	{5B25CE34-D5B6-4b6c-B80E-6245D5325B46}.exe
Token: SeIncBasePriorityPrivilege	1152	{B7AEC0AD-6658-47ba-8A9B-F0172119ECB8}.exe
Token: SeIncBasePriorityPrivilege	2856	{EC3DA2AF-C815-452c-8678-72080207B58F}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2016 wrote to memory of 3036	2016	2024-02-24_9639300f59e97c3e64a5f23d5602b8d7_goldeneye.exe	28
PID 2016 wrote to memory of 3036	2016	2024-02-24_9639300f59e97c3e64a5f23d5602b8d7_goldeneye.exe	28
PID 2016 wrote to memory of 3036	2016	2024-02-24_9639300f59e97c3e64a5f23d5602b8d7_goldeneye.exe	28
PID 2016 wrote to memory of 3036	2016	2024-02-24_9639300f59e97c3e64a5f23d5602b8d7_goldeneye.exe	28
PID 2016 wrote to memory of 2552	2016	2024-02-24_9639300f59e97c3e64a5f23d5602b8d7_goldeneye.exe	29
PID 2016 wrote to memory of 2552	2016	2024-02-24_9639300f59e97c3e64a5f23d5602b8d7_goldeneye.exe	29
PID 2016 wrote to memory of 2552	2016	2024-02-24_9639300f59e97c3e64a5f23d5602b8d7_goldeneye.exe	29
PID 2016 wrote to memory of 2552	2016	2024-02-24_9639300f59e97c3e64a5f23d5602b8d7_goldeneye.exe	29
PID 3036 wrote to memory of 2708	3036	{75D571A3-6E7C-4a48-86A1-9B249D91169D}.exe	30
PID 3036 wrote to memory of 2708	3036	{75D571A3-6E7C-4a48-86A1-9B249D91169D}.exe	30
PID 3036 wrote to memory of 2708	3036	{75D571A3-6E7C-4a48-86A1-9B249D91169D}.exe	30
PID 3036 wrote to memory of 2708	3036	{75D571A3-6E7C-4a48-86A1-9B249D91169D}.exe	30
PID 3036 wrote to memory of 3024	3036	{75D571A3-6E7C-4a48-86A1-9B249D91169D}.exe	31
PID 3036 wrote to memory of 3024	3036	{75D571A3-6E7C-4a48-86A1-9B249D91169D}.exe	31
PID 3036 wrote to memory of 3024	3036	{75D571A3-6E7C-4a48-86A1-9B249D91169D}.exe	31
PID 3036 wrote to memory of 3024	3036	{75D571A3-6E7C-4a48-86A1-9B249D91169D}.exe	31
PID 2708 wrote to memory of 2576	2708	{E1DAE0E1-5A0C-4182-B009-3950BFB90D4F}.exe	32
PID 2708 wrote to memory of 2576	2708	{E1DAE0E1-5A0C-4182-B009-3950BFB90D4F}.exe	32
PID 2708 wrote to memory of 2576	2708	{E1DAE0E1-5A0C-4182-B009-3950BFB90D4F}.exe	32
PID 2708 wrote to memory of 2576	2708	{E1DAE0E1-5A0C-4182-B009-3950BFB90D4F}.exe	32
PID 2708 wrote to memory of 2404	2708	{E1DAE0E1-5A0C-4182-B009-3950BFB90D4F}.exe	33
PID 2708 wrote to memory of 2404	2708	{E1DAE0E1-5A0C-4182-B009-3950BFB90D4F}.exe	33
PID 2708 wrote to memory of 2404	2708	{E1DAE0E1-5A0C-4182-B009-3950BFB90D4F}.exe	33
PID 2708 wrote to memory of 2404	2708	{E1DAE0E1-5A0C-4182-B009-3950BFB90D4F}.exe	33
PID 2576 wrote to memory of 652	2576	{755603DC-832F-4686-8F63-49180464BF00}.exe	36
PID 2576 wrote to memory of 652	2576	{755603DC-832F-4686-8F63-49180464BF00}.exe	36
PID 2576 wrote to memory of 652	2576	{755603DC-832F-4686-8F63-49180464BF00}.exe	36
PID 2576 wrote to memory of 652	2576	{755603DC-832F-4686-8F63-49180464BF00}.exe	36
PID 2576 wrote to memory of 2740	2576	{755603DC-832F-4686-8F63-49180464BF00}.exe	37
PID 2576 wrote to memory of 2740	2576	{755603DC-832F-4686-8F63-49180464BF00}.exe	37
PID 2576 wrote to memory of 2740	2576	{755603DC-832F-4686-8F63-49180464BF00}.exe	37
PID 2576 wrote to memory of 2740	2576	{755603DC-832F-4686-8F63-49180464BF00}.exe	37
PID 652 wrote to memory of 2800	652	{8C040A74-F040-4bc8-8F77-C32C3B76A819}.exe	38
PID 652 wrote to memory of 2800	652	{8C040A74-F040-4bc8-8F77-C32C3B76A819}.exe	38
PID 652 wrote to memory of 2800	652	{8C040A74-F040-4bc8-8F77-C32C3B76A819}.exe	38
PID 652 wrote to memory of 2800	652	{8C040A74-F040-4bc8-8F77-C32C3B76A819}.exe	38
PID 652 wrote to memory of 2796	652	{8C040A74-F040-4bc8-8F77-C32C3B76A819}.exe	39
PID 652 wrote to memory of 2796	652	{8C040A74-F040-4bc8-8F77-C32C3B76A819}.exe	39
PID 652 wrote to memory of 2796	652	{8C040A74-F040-4bc8-8F77-C32C3B76A819}.exe	39
PID 652 wrote to memory of 2796	652	{8C040A74-F040-4bc8-8F77-C32C3B76A819}.exe	39
PID 2800 wrote to memory of 1168	2800	{9E45A74C-C58D-455f-957B-6A51FD8FE4D0}.exe	40
PID 2800 wrote to memory of 1168	2800	{9E45A74C-C58D-455f-957B-6A51FD8FE4D0}.exe	40
PID 2800 wrote to memory of 1168	2800	{9E45A74C-C58D-455f-957B-6A51FD8FE4D0}.exe	40
PID 2800 wrote to memory of 1168	2800	{9E45A74C-C58D-455f-957B-6A51FD8FE4D0}.exe	40
PID 2800 wrote to memory of 2312	2800	{9E45A74C-C58D-455f-957B-6A51FD8FE4D0}.exe	41
PID 2800 wrote to memory of 2312	2800	{9E45A74C-C58D-455f-957B-6A51FD8FE4D0}.exe	41
PID 2800 wrote to memory of 2312	2800	{9E45A74C-C58D-455f-957B-6A51FD8FE4D0}.exe	41
PID 2800 wrote to memory of 2312	2800	{9E45A74C-C58D-455f-957B-6A51FD8FE4D0}.exe	41
PID 1168 wrote to memory of 1484	1168	{84E31E57-0BC1-4b72-81B1-3C41ECEC2508}.exe	42
PID 1168 wrote to memory of 1484	1168	{84E31E57-0BC1-4b72-81B1-3C41ECEC2508}.exe	42
PID 1168 wrote to memory of 1484	1168	{84E31E57-0BC1-4b72-81B1-3C41ECEC2508}.exe	42
PID 1168 wrote to memory of 1484	1168	{84E31E57-0BC1-4b72-81B1-3C41ECEC2508}.exe	42
PID 1168 wrote to memory of 1108	1168	{84E31E57-0BC1-4b72-81B1-3C41ECEC2508}.exe	43
PID 1168 wrote to memory of 1108	1168	{84E31E57-0BC1-4b72-81B1-3C41ECEC2508}.exe	43
PID 1168 wrote to memory of 1108	1168	{84E31E57-0BC1-4b72-81B1-3C41ECEC2508}.exe	43
PID 1168 wrote to memory of 1108	1168	{84E31E57-0BC1-4b72-81B1-3C41ECEC2508}.exe	43
PID 1484 wrote to memory of 1208	1484	{9A7434A2-AEA0-4fd6-ADE8-3130A08401E4}.exe	45
PID 1484 wrote to memory of 1208	1484	{9A7434A2-AEA0-4fd6-ADE8-3130A08401E4}.exe	45
PID 1484 wrote to memory of 1208	1484	{9A7434A2-AEA0-4fd6-ADE8-3130A08401E4}.exe	45
PID 1484 wrote to memory of 1208	1484	{9A7434A2-AEA0-4fd6-ADE8-3130A08401E4}.exe	45
PID 1484 wrote to memory of 2688	1484	{9A7434A2-AEA0-4fd6-ADE8-3130A08401E4}.exe	44
PID 1484 wrote to memory of 2688	1484	{9A7434A2-AEA0-4fd6-ADE8-3130A08401E4}.exe	44
PID 1484 wrote to memory of 2688	1484	{9A7434A2-AEA0-4fd6-ADE8-3130A08401E4}.exe	44
PID 1484 wrote to memory of 2688	1484	{9A7434A2-AEA0-4fd6-ADE8-3130A08401E4}.exe	44

C:\Users\Admin\AppData\Local\Temp\2024-02-24_9639300f59e97c3e64a5f23d5602b8d7_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-24_9639300f59e97c3e64a5f23d5602b8d7_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2016
- C:\Windows\{75D571A3-6E7C-4a48-86A1-9B249D91169D}.exe
  C:\Windows\{75D571A3-6E7C-4a48-86A1-9B249D91169D}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3036
- - C:\Windows\{E1DAE0E1-5A0C-4182-B009-3950BFB90D4F}.exe
    C:\Windows\{E1DAE0E1-5A0C-4182-B009-3950BFB90D4F}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2708
  - - C:\Windows\{755603DC-832F-4686-8F63-49180464BF00}.exe
      C:\Windows\{755603DC-832F-4686-8F63-49180464BF00}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2576
    - - C:\Windows\{8C040A74-F040-4bc8-8F77-C32C3B76A819}.exe
        
        C:\Windows\{8C040A74-F040-4bc8-8F77-C32C3B76A819}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:652
      - C:\Windows\{9E45A74C-C58D-455f-957B-6A51FD8FE4D0}.exe
        
        C:\Windows\{9E45A74C-C58D-455f-957B-6A51FD8FE4D0}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2800
        
        C:\Windows\{84E31E57-0BC1-4b72-81B1-3C41ECEC2508}.exe
        
        C:\Windows\{84E31E57-0BC1-4b72-81B1-3C41ECEC2508}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1168
        
        C:\Windows\{9A7434A2-AEA0-4fd6-ADE8-3130A08401E4}.exe
        
        C:\Windows\{9A7434A2-AEA0-4fd6-ADE8-3130A08401E4}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9A743~1.EXE > nul
        9⤵
        
        PID:2688
        
        C:\Windows\{5B25CE34-D5B6-4b6c-B80E-6245D5325B46}.exe
        
        C:\Windows\{5B25CE34-D5B6-4b6c-B80E-6245D5325B46}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5B25C~1.EXE > nul
        10⤵
        
        PID:1032
        
        C:\Windows\{B7AEC0AD-6658-47ba-8A9B-F0172119ECB8}.exe
        
        C:\Windows\{B7AEC0AD-6658-47ba-8A9B-F0172119ECB8}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B7AEC~1.EXE > nul
        11⤵
        
        PID:836
        
        C:\Windows\{EC3DA2AF-C815-452c-8678-72080207B58F}.exe
        
        C:\Windows\{EC3DA2AF-C815-452c-8678-72080207B58F}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EC3DA~1.EXE > nul
        12⤵
        
        PID:1140
        
        C:\Windows\{1223E6E0-9626-4161-913E-78944CDB2968}.exe
        
        C:\Windows\{1223E6E0-9626-4161-913E-78944CDB2968}.exe
        12⤵
        Executes dropped EXE
        
        PID:1312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{84E31~1.EXE > nul
        8⤵
        
        PID:1108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9E45A~1.EXE > nul
        7⤵
        
        PID:2312
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8C040~1.EXE > nul
        6⤵
        
        PID:2796
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{75560~1.EXE > nul
        5⤵
        
        PID:2740
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{E1DAE~1.EXE > nul
      4⤵
      PID:2404
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{75D57~1.EXE > nul
    3⤵
    PID:3024
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1223E6E0-9626-4161-913E-78944CDB2968}.exe

Filesize
197KB

MD5
14f3c3d47927b080a8c4fbd3d8386d88

SHA1
6034e7a309fd5e6ce76911151e3328ecc05daf59

SHA256
453998d121a53c1cb9837a5026459c289847a8d7d2d2e16660d3583e9caf4d59

SHA512
7a66cd53231066a519d387e2273f633bb9d9ef8afe35d517ca950299f8e47bed33348d67a6a4ddd1c6d0c9195da454e0c1e6d3513331be8d48352db7ff4e43a2

Download Submit
C:\Windows\{5B25CE34-D5B6-4b6c-B80E-6245D5325B46}.exe

Filesize
197KB

MD5
71d26a5456515219e47da42a025adc59

SHA1
39b1e3b76f2cc22367ddc6a9f8e892867f5ef161

SHA256
84e9dc8d3274a2caabaf8aeb10f515d8ceb750b1ab0585c08c07d7a7b989dae0

SHA512
2bb01111a7d84d701d1a8f42da3d610d3acd0f680fa22891121bc0b3ca7518e184e861748133f7d92b7833fea094dbb62c9e49af804c718c3248949bab3dfaa3

Download Submit
C:\Windows\{755603DC-832F-4686-8F63-49180464BF00}.exe

Filesize
197KB

MD5
9fcbb2b200d0f9f99a87d9a531d3ebad

SHA1
053567e8f0fd05bf323caeba260362f2535f3dbf

SHA256
d328a07799cbef94a5d23208e84c6819787c779bbcdcf2d5cc35c6d187dc25e8

SHA512
146dd7408f920e0e804b08974357831314a597cf9114a19de768937611a178be6240d6e1f31dc589cdf72458a01dea992c59bbb47ccd9ad831274015299704ad

Download Submit
C:\Windows\{75D571A3-6E7C-4a48-86A1-9B249D91169D}.exe

Filesize
197KB

MD5
01605d214c417f5a15dca4763c00ead2

SHA1
ca14b4623ecc924700554ad34b9ade8320042950

SHA256
a9e26b953f0f9cf5f8293e1debdb922c6db8a89c10aef809b890b8b56c353c09

SHA512
ad151bced44f5a1445c75cdbde20e645b64104f16bc7f2073139798e84eaed5f84f9effb34f49a9f45e5c4a75122b483fb211b16295bc941b49469ed0aa95ba1

Download Submit
C:\Windows\{84E31E57-0BC1-4b72-81B1-3C41ECEC2508}.exe

Filesize
197KB

MD5
39d3823af177d277aeaff8b9b5a9a497

SHA1
f2218e93b44db1d0149bbd250ce2bc04872b430b

SHA256
29b2912da82b04c26696b0b8ea334c94f2702f4fed2190d3a4893e0e97affb4d

SHA512
6e981a972fd08792d29ae2cb63bd1892998a44ffb39a71437f8f06f149c99b281a534a8df45dfc0793200f73923b3d64d120db48e07a237c61833ba4db80c85e

Download Submit
C:\Windows\{8C040A74-F040-4bc8-8F77-C32C3B76A819}.exe

Filesize
197KB

MD5
da6e7c4aa853b26586ca0bed05d63190

SHA1
b54071cb4a7b0c6083ee825aeb421db38b023c6a

SHA256
6c73f0f20bdb4e6fb9e0a7392ec6f89d97058c3f633866a2e7f484c8fd4e91b8

SHA512
64e30d2a171cc19b2d1be9fd46d8f564729b982dbe01a57b41c8aa057f3358cdd732bc23015a04243f4541a5589bd040a4c1b997575d161fe6e2191c3e1773c8

Download Submit
C:\Windows\{9A7434A2-AEA0-4fd6-ADE8-3130A08401E4}.exe

Filesize
197KB

MD5
733b743d3a000e61187b30b1a5965de4

SHA1
5e333163d8d9744a6bd38f577da1ff36b6bae8a1

SHA256
d38635bab65a583da5df505f5b4ff8883391607d8611d33e5200596314b5719d

SHA512
c4fa33a887295e9bfb7e7619f6ba827c3cda34b0eb20cafe780310b607ffe4863b795fba21ffe6c174ef5d6275604f86d40a39f1564321ab59d000051022dccb

Download Submit
C:\Windows\{9E45A74C-C58D-455f-957B-6A51FD8FE4D0}.exe

Filesize
197KB

MD5
879cb738f0d54e869cc9de21bcf287d9

SHA1
73188e08454fed3a3f2baffb96e0c1e650f72395

SHA256
54084083e0e29b10a0454186826409514bd50a3d65a77645976baf07042e8282

SHA512
fee1301755c11fc505961534a39d4d8834dda24ed11187705d310f3567a6baa282a53bc9e82d14f1cd54dcf847433909d4b4413db476e63457d4b53962494209

Download Submit
C:\Windows\{B7AEC0AD-6658-47ba-8A9B-F0172119ECB8}.exe

Filesize
197KB

MD5
8de208a6de2d8ea704f3b4e6f255052f

SHA1
a9c116d56b3d5811781cac6967946c866c3e7504

SHA256
920a8b57c546c2ec2449051fbf69fb5449d09dca4dc102ed3e73069ed0f61ae1

SHA512
919732ab1a9f34a78a19a2fad056b3005f1465a7a9fb355aa2d803af4d7eea4cd00f1b0c74b3e1cbdb92b72ae6618de9664dfb800f7e0a38d12e593adfdffb19

Download Submit
C:\Windows\{E1DAE0E1-5A0C-4182-B009-3950BFB90D4F}.exe

Filesize
197KB

MD5
5baf28c966941e431372215dc845e9e8

SHA1
3092ae369e7fd84c3262bd813cd22edb95f581f9

SHA256
6c8ddaa2b052b8c7a442cf57d4ef4a7a5fb7a77c853a2b6695f273d7fe62143f

SHA512
c906aacefb3650b351a0a8a6013483a376559dc7c4793c035674342645de0f48f939339cfbe1b4e663a198a3fe35369b4751d6e0b7b63698dab00f168739ab48

Download Submit
C:\Windows\{EC3DA2AF-C815-452c-8678-72080207B58F}.exe

Filesize
197KB

MD5
fdc8a64ed391bfde1d9f8b4541c6f7f1

SHA1
9a21b9179fcb7b0f736f0c1644822caa52191c31

SHA256
85b36578fdefe566fa7756720c5ba1555bb45ee1a40d75e47ddd302b8197f037

SHA512
0886b7dbe12c45dbe500b1bf25c2afc1a7a6f765303ca6be0806bc96aa57f01c7f71f1736a8c9b0ac2ce87c740abe712b59b654f939cee68e942061100704c35

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads