4dc0d71e11abc38cfb3e936ec73ef7d10662721b62f45c2a70828520c2ee4e19

Analysis

max time kernel
144s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
25-02-2024 13:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-25_270a14242378a05514b21f10895e0227_goldeneye.exe
Size

344KB
MD5

270a14242378a05514b21f10895e0227
SHA1

813e985f7d64539a882b593fa39ab079ed1b49d7
SHA256

4dc0d71e11abc38cfb3e936ec73ef7d10662721b62f45c2a70828520c2ee4e19
SHA512

6f8b898b9e7cea9ae8938eda420e3155bf2b9c80de250ae30ae1b84359345dae55278dc96e5ace71dfe2650340ed5dcbdfb34f135dfd322b73300606542f843c
SSDEEP

3072:mEGh0oZlEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGTlqOe2MUVg3v2IneKcAEcA

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000c0000000122c3-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b000000014a92-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d0000000122c3-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000300000000b1f2-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000400000000b1f2-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000500000000b1f2-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000600000000b1f2-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0065AC8A-2541-47fe-A85E-DE24A170BFD4}	{C48D36AD-2C18-4fc9-92CA-96635D6BA255}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AEDC7335-DD66-4ef4-B2F1-CFD1CC654A7A}	{0065AC8A-2541-47fe-A85E-DE24A170BFD4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E493AE9A-8C96-4e25-BD97-7690FDC2569F}\stubpath = "C:\\Windows\\{E493AE9A-8C96-4e25-BD97-7690FDC2569F}.exe"	{271FD95E-61D2-4437-8CE3-3929F901564E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6B879082-3C8C-4431-85AF-A5A9A1759076}\stubpath = "C:\\Windows\\{6B879082-3C8C-4431-85AF-A5A9A1759076}.exe"	{E493AE9A-8C96-4e25-BD97-7690FDC2569F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C48D36AD-2C18-4fc9-92CA-96635D6BA255}\stubpath = "C:\\Windows\\{C48D36AD-2C18-4fc9-92CA-96635D6BA255}.exe"	{6B879082-3C8C-4431-85AF-A5A9A1759076}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0065AC8A-2541-47fe-A85E-DE24A170BFD4}\stubpath = "C:\\Windows\\{0065AC8A-2541-47fe-A85E-DE24A170BFD4}.exe"	{C48D36AD-2C18-4fc9-92CA-96635D6BA255}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AEDC7335-DD66-4ef4-B2F1-CFD1CC654A7A}\stubpath = "C:\\Windows\\{AEDC7335-DD66-4ef4-B2F1-CFD1CC654A7A}.exe"	{0065AC8A-2541-47fe-A85E-DE24A170BFD4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C9607D4C-DB59-48ac-927C-933928A9361E}	{AEDC7335-DD66-4ef4-B2F1-CFD1CC654A7A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ABF6B595-68D7-461e-A365-8037E09778D3}	{7960CD9F-2856-4ad6-B3D6-708DBC301DDC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C2D8D172-DCE6-4d5a-8508-68A82D76BF5C}	2024-02-25_270a14242378a05514b21f10895e0227_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E493AE9A-8C96-4e25-BD97-7690FDC2569F}	{271FD95E-61D2-4437-8CE3-3929F901564E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6B879082-3C8C-4431-85AF-A5A9A1759076}	{E493AE9A-8C96-4e25-BD97-7690FDC2569F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6F659357-5E10-4e85-ACDC-C119A4319950}	{C2D8D172-DCE6-4d5a-8508-68A82D76BF5C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{271FD95E-61D2-4437-8CE3-3929F901564E}\stubpath = "C:\\Windows\\{271FD95E-61D2-4437-8CE3-3929F901564E}.exe"	{6F659357-5E10-4e85-ACDC-C119A4319950}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C48D36AD-2C18-4fc9-92CA-96635D6BA255}	{6B879082-3C8C-4431-85AF-A5A9A1759076}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C9607D4C-DB59-48ac-927C-933928A9361E}\stubpath = "C:\\Windows\\{C9607D4C-DB59-48ac-927C-933928A9361E}.exe"	{AEDC7335-DD66-4ef4-B2F1-CFD1CC654A7A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7960CD9F-2856-4ad6-B3D6-708DBC301DDC}	{C9607D4C-DB59-48ac-927C-933928A9361E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7960CD9F-2856-4ad6-B3D6-708DBC301DDC}\stubpath = "C:\\Windows\\{7960CD9F-2856-4ad6-B3D6-708DBC301DDC}.exe"	{C9607D4C-DB59-48ac-927C-933928A9361E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ABF6B595-68D7-461e-A365-8037E09778D3}\stubpath = "C:\\Windows\\{ABF6B595-68D7-461e-A365-8037E09778D3}.exe"	{7960CD9F-2856-4ad6-B3D6-708DBC301DDC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C2D8D172-DCE6-4d5a-8508-68A82D76BF5C}\stubpath = "C:\\Windows\\{C2D8D172-DCE6-4d5a-8508-68A82D76BF5C}.exe"	2024-02-25_270a14242378a05514b21f10895e0227_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6F659357-5E10-4e85-ACDC-C119A4319950}\stubpath = "C:\\Windows\\{6F659357-5E10-4e85-ACDC-C119A4319950}.exe"	{C2D8D172-DCE6-4d5a-8508-68A82D76BF5C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{271FD95E-61D2-4437-8CE3-3929F901564E}	{6F659357-5E10-4e85-ACDC-C119A4319950}.exe

Deletes itself 1 IoCs

pid	Process
3004	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2612	{C2D8D172-DCE6-4d5a-8508-68A82D76BF5C}.exe
1564	{6F659357-5E10-4e85-ACDC-C119A4319950}.exe
2752	{271FD95E-61D2-4437-8CE3-3929F901564E}.exe
1736	{E493AE9A-8C96-4e25-BD97-7690FDC2569F}.exe
2784	{6B879082-3C8C-4431-85AF-A5A9A1759076}.exe
2036	{C48D36AD-2C18-4fc9-92CA-96635D6BA255}.exe
1104	{0065AC8A-2541-47fe-A85E-DE24A170BFD4}.exe
2608	{AEDC7335-DD66-4ef4-B2F1-CFD1CC654A7A}.exe
1588	{C9607D4C-DB59-48ac-927C-933928A9361E}.exe
2304	{7960CD9F-2856-4ad6-B3D6-708DBC301DDC}.exe
3068	{ABF6B595-68D7-461e-A365-8037E09778D3}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{C2D8D172-DCE6-4d5a-8508-68A82D76BF5C}.exe	2024-02-25_270a14242378a05514b21f10895e0227_goldeneye.exe
File created	C:\Windows\{E493AE9A-8C96-4e25-BD97-7690FDC2569F}.exe	{271FD95E-61D2-4437-8CE3-3929F901564E}.exe
File created	C:\Windows\{6B879082-3C8C-4431-85AF-A5A9A1759076}.exe	{E493AE9A-8C96-4e25-BD97-7690FDC2569F}.exe
File created	C:\Windows\{AEDC7335-DD66-4ef4-B2F1-CFD1CC654A7A}.exe	{0065AC8A-2541-47fe-A85E-DE24A170BFD4}.exe
File created	C:\Windows\{7960CD9F-2856-4ad6-B3D6-708DBC301DDC}.exe	{C9607D4C-DB59-48ac-927C-933928A9361E}.exe
File created	C:\Windows\{6F659357-5E10-4e85-ACDC-C119A4319950}.exe	{C2D8D172-DCE6-4d5a-8508-68A82D76BF5C}.exe
File created	C:\Windows\{271FD95E-61D2-4437-8CE3-3929F901564E}.exe	{6F659357-5E10-4e85-ACDC-C119A4319950}.exe
File created	C:\Windows\{C48D36AD-2C18-4fc9-92CA-96635D6BA255}.exe	{6B879082-3C8C-4431-85AF-A5A9A1759076}.exe
File created	C:\Windows\{0065AC8A-2541-47fe-A85E-DE24A170BFD4}.exe	{C48D36AD-2C18-4fc9-92CA-96635D6BA255}.exe
File created	C:\Windows\{C9607D4C-DB59-48ac-927C-933928A9361E}.exe	{AEDC7335-DD66-4ef4-B2F1-CFD1CC654A7A}.exe
File created	C:\Windows\{ABF6B595-68D7-461e-A365-8037E09778D3}.exe	{7960CD9F-2856-4ad6-B3D6-708DBC301DDC}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2364	2024-02-25_270a14242378a05514b21f10895e0227_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2612	{C2D8D172-DCE6-4d5a-8508-68A82D76BF5C}.exe
Token: SeIncBasePriorityPrivilege	1564	{6F659357-5E10-4e85-ACDC-C119A4319950}.exe
Token: SeIncBasePriorityPrivilege	2752	{271FD95E-61D2-4437-8CE3-3929F901564E}.exe
Token: SeIncBasePriorityPrivilege	1736	{E493AE9A-8C96-4e25-BD97-7690FDC2569F}.exe
Token: SeIncBasePriorityPrivilege	2784	{6B879082-3C8C-4431-85AF-A5A9A1759076}.exe
Token: SeIncBasePriorityPrivilege	2036	{C48D36AD-2C18-4fc9-92CA-96635D6BA255}.exe
Token: SeIncBasePriorityPrivilege	1104	{0065AC8A-2541-47fe-A85E-DE24A170BFD4}.exe
Token: SeIncBasePriorityPrivilege	2608	{AEDC7335-DD66-4ef4-B2F1-CFD1CC654A7A}.exe
Token: SeIncBasePriorityPrivilege	1588	{C9607D4C-DB59-48ac-927C-933928A9361E}.exe
Token: SeIncBasePriorityPrivilege	2304	{7960CD9F-2856-4ad6-B3D6-708DBC301DDC}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2364 wrote to memory of 2612	2364	2024-02-25_270a14242378a05514b21f10895e0227_goldeneye.exe	28
PID 2364 wrote to memory of 2612	2364	2024-02-25_270a14242378a05514b21f10895e0227_goldeneye.exe	28
PID 2364 wrote to memory of 2612	2364	2024-02-25_270a14242378a05514b21f10895e0227_goldeneye.exe	28
PID 2364 wrote to memory of 2612	2364	2024-02-25_270a14242378a05514b21f10895e0227_goldeneye.exe	28
PID 2364 wrote to memory of 3004	2364	2024-02-25_270a14242378a05514b21f10895e0227_goldeneye.exe	29
PID 2364 wrote to memory of 3004	2364	2024-02-25_270a14242378a05514b21f10895e0227_goldeneye.exe	29
PID 2364 wrote to memory of 3004	2364	2024-02-25_270a14242378a05514b21f10895e0227_goldeneye.exe	29
PID 2364 wrote to memory of 3004	2364	2024-02-25_270a14242378a05514b21f10895e0227_goldeneye.exe	29
PID 2612 wrote to memory of 1564	2612	{C2D8D172-DCE6-4d5a-8508-68A82D76BF5C}.exe	31
PID 2612 wrote to memory of 1564	2612	{C2D8D172-DCE6-4d5a-8508-68A82D76BF5C}.exe	31
PID 2612 wrote to memory of 1564	2612	{C2D8D172-DCE6-4d5a-8508-68A82D76BF5C}.exe	31
PID 2612 wrote to memory of 1564	2612	{C2D8D172-DCE6-4d5a-8508-68A82D76BF5C}.exe	31
PID 2612 wrote to memory of 2728	2612	{C2D8D172-DCE6-4d5a-8508-68A82D76BF5C}.exe	30
PID 2612 wrote to memory of 2728	2612	{C2D8D172-DCE6-4d5a-8508-68A82D76BF5C}.exe	30
PID 2612 wrote to memory of 2728	2612	{C2D8D172-DCE6-4d5a-8508-68A82D76BF5C}.exe	30
PID 2612 wrote to memory of 2728	2612	{C2D8D172-DCE6-4d5a-8508-68A82D76BF5C}.exe	30
PID 1564 wrote to memory of 2752	1564	{6F659357-5E10-4e85-ACDC-C119A4319950}.exe	32
PID 1564 wrote to memory of 2752	1564	{6F659357-5E10-4e85-ACDC-C119A4319950}.exe	32
PID 1564 wrote to memory of 2752	1564	{6F659357-5E10-4e85-ACDC-C119A4319950}.exe	32
PID 1564 wrote to memory of 2752	1564	{6F659357-5E10-4e85-ACDC-C119A4319950}.exe	32
PID 1564 wrote to memory of 2664	1564	{6F659357-5E10-4e85-ACDC-C119A4319950}.exe	33
PID 1564 wrote to memory of 2664	1564	{6F659357-5E10-4e85-ACDC-C119A4319950}.exe	33
PID 1564 wrote to memory of 2664	1564	{6F659357-5E10-4e85-ACDC-C119A4319950}.exe	33
PID 1564 wrote to memory of 2664	1564	{6F659357-5E10-4e85-ACDC-C119A4319950}.exe	33
PID 2752 wrote to memory of 1736	2752	{271FD95E-61D2-4437-8CE3-3929F901564E}.exe	36
PID 2752 wrote to memory of 1736	2752	{271FD95E-61D2-4437-8CE3-3929F901564E}.exe	36
PID 2752 wrote to memory of 1736	2752	{271FD95E-61D2-4437-8CE3-3929F901564E}.exe	36
PID 2752 wrote to memory of 1736	2752	{271FD95E-61D2-4437-8CE3-3929F901564E}.exe	36
PID 2752 wrote to memory of 1964	2752	{271FD95E-61D2-4437-8CE3-3929F901564E}.exe	37
PID 2752 wrote to memory of 1964	2752	{271FD95E-61D2-4437-8CE3-3929F901564E}.exe	37
PID 2752 wrote to memory of 1964	2752	{271FD95E-61D2-4437-8CE3-3929F901564E}.exe	37
PID 2752 wrote to memory of 1964	2752	{271FD95E-61D2-4437-8CE3-3929F901564E}.exe	37
PID 1736 wrote to memory of 2784	1736	{E493AE9A-8C96-4e25-BD97-7690FDC2569F}.exe	38
PID 1736 wrote to memory of 2784	1736	{E493AE9A-8C96-4e25-BD97-7690FDC2569F}.exe	38
PID 1736 wrote to memory of 2784	1736	{E493AE9A-8C96-4e25-BD97-7690FDC2569F}.exe	38
PID 1736 wrote to memory of 2784	1736	{E493AE9A-8C96-4e25-BD97-7690FDC2569F}.exe	38
PID 1736 wrote to memory of 2888	1736	{E493AE9A-8C96-4e25-BD97-7690FDC2569F}.exe	39
PID 1736 wrote to memory of 2888	1736	{E493AE9A-8C96-4e25-BD97-7690FDC2569F}.exe	39
PID 1736 wrote to memory of 2888	1736	{E493AE9A-8C96-4e25-BD97-7690FDC2569F}.exe	39
PID 1736 wrote to memory of 2888	1736	{E493AE9A-8C96-4e25-BD97-7690FDC2569F}.exe	39
PID 2784 wrote to memory of 2036	2784	{6B879082-3C8C-4431-85AF-A5A9A1759076}.exe	40
PID 2784 wrote to memory of 2036	2784	{6B879082-3C8C-4431-85AF-A5A9A1759076}.exe	40
PID 2784 wrote to memory of 2036	2784	{6B879082-3C8C-4431-85AF-A5A9A1759076}.exe	40
PID 2784 wrote to memory of 2036	2784	{6B879082-3C8C-4431-85AF-A5A9A1759076}.exe	40
PID 2784 wrote to memory of 1712	2784	{6B879082-3C8C-4431-85AF-A5A9A1759076}.exe	41
PID 2784 wrote to memory of 1712	2784	{6B879082-3C8C-4431-85AF-A5A9A1759076}.exe	41
PID 2784 wrote to memory of 1712	2784	{6B879082-3C8C-4431-85AF-A5A9A1759076}.exe	41
PID 2784 wrote to memory of 1712	2784	{6B879082-3C8C-4431-85AF-A5A9A1759076}.exe	41
PID 2036 wrote to memory of 1104	2036	{C48D36AD-2C18-4fc9-92CA-96635D6BA255}.exe	42
PID 2036 wrote to memory of 1104	2036	{C48D36AD-2C18-4fc9-92CA-96635D6BA255}.exe	42
PID 2036 wrote to memory of 1104	2036	{C48D36AD-2C18-4fc9-92CA-96635D6BA255}.exe	42
PID 2036 wrote to memory of 1104	2036	{C48D36AD-2C18-4fc9-92CA-96635D6BA255}.exe	42
PID 2036 wrote to memory of 1752	2036	{C48D36AD-2C18-4fc9-92CA-96635D6BA255}.exe	43
PID 2036 wrote to memory of 1752	2036	{C48D36AD-2C18-4fc9-92CA-96635D6BA255}.exe	43
PID 2036 wrote to memory of 1752	2036	{C48D36AD-2C18-4fc9-92CA-96635D6BA255}.exe	43
PID 2036 wrote to memory of 1752	2036	{C48D36AD-2C18-4fc9-92CA-96635D6BA255}.exe	43
PID 1104 wrote to memory of 2608	1104	{0065AC8A-2541-47fe-A85E-DE24A170BFD4}.exe	45
PID 1104 wrote to memory of 2608	1104	{0065AC8A-2541-47fe-A85E-DE24A170BFD4}.exe	45
PID 1104 wrote to memory of 2608	1104	{0065AC8A-2541-47fe-A85E-DE24A170BFD4}.exe	45
PID 1104 wrote to memory of 2608	1104	{0065AC8A-2541-47fe-A85E-DE24A170BFD4}.exe	45
PID 1104 wrote to memory of 440	1104	{0065AC8A-2541-47fe-A85E-DE24A170BFD4}.exe	44
PID 1104 wrote to memory of 440	1104	{0065AC8A-2541-47fe-A85E-DE24A170BFD4}.exe	44
PID 1104 wrote to memory of 440	1104	{0065AC8A-2541-47fe-A85E-DE24A170BFD4}.exe	44
PID 1104 wrote to memory of 440	1104	{0065AC8A-2541-47fe-A85E-DE24A170BFD4}.exe	44

C:\Users\Admin\AppData\Local\Temp\2024-02-25_270a14242378a05514b21f10895e0227_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-25_270a14242378a05514b21f10895e0227_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2364
- C:\Windows\{C2D8D172-DCE6-4d5a-8508-68A82D76BF5C}.exe
  C:\Windows\{C2D8D172-DCE6-4d5a-8508-68A82D76BF5C}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2612
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{C2D8D~1.EXE > nul
    3⤵
    PID:2728
- - C:\Windows\{6F659357-5E10-4e85-ACDC-C119A4319950}.exe
    C:\Windows\{6F659357-5E10-4e85-ACDC-C119A4319950}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1564
  - - C:\Windows\{271FD95E-61D2-4437-8CE3-3929F901564E}.exe
      C:\Windows\{271FD95E-61D2-4437-8CE3-3929F901564E}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2752
    - - C:\Windows\{E493AE9A-8C96-4e25-BD97-7690FDC2569F}.exe
        
        C:\Windows\{E493AE9A-8C96-4e25-BD97-7690FDC2569F}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1736
      - C:\Windows\{6B879082-3C8C-4431-85AF-A5A9A1759076}.exe
        
        C:\Windows\{6B879082-3C8C-4431-85AF-A5A9A1759076}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2784
        
        C:\Windows\{C48D36AD-2C18-4fc9-92CA-96635D6BA255}.exe
        
        C:\Windows\{C48D36AD-2C18-4fc9-92CA-96635D6BA255}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2036
        
        C:\Windows\{0065AC8A-2541-47fe-A85E-DE24A170BFD4}.exe
        
        C:\Windows\{0065AC8A-2541-47fe-A85E-DE24A170BFD4}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0065A~1.EXE > nul
        9⤵
        
        PID:440
        
        C:\Windows\{AEDC7335-DD66-4ef4-B2F1-CFD1CC654A7A}.exe
        
        C:\Windows\{AEDC7335-DD66-4ef4-B2F1-CFD1CC654A7A}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AEDC7~1.EXE > nul
        10⤵
        
        PID:1724
        
        C:\Windows\{C9607D4C-DB59-48ac-927C-933928A9361E}.exe
        
        C:\Windows\{C9607D4C-DB59-48ac-927C-933928A9361E}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1588
        
        C:\Windows\{7960CD9F-2856-4ad6-B3D6-708DBC301DDC}.exe
        
        C:\Windows\{7960CD9F-2856-4ad6-B3D6-708DBC301DDC}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2304
        
        C:\Windows\{ABF6B595-68D7-461e-A365-8037E09778D3}.exe
        
        C:\Windows\{ABF6B595-68D7-461e-A365-8037E09778D3}.exe
        12⤵
        Executes dropped EXE
        
        PID:3068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7960C~1.EXE > nul
        12⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C9607~1.EXE > nul
        11⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C48D3~1.EXE > nul
        8⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6B879~1.EXE > nul
        7⤵
        
        PID:1712
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E493A~1.EXE > nul
        6⤵
        
        PID:2888
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{271FD~1.EXE > nul
        5⤵
        
        PID:1964
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{6F659~1.EXE > nul
      4⤵
      PID:2664
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:3004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0065AC8A-2541-47fe-A85E-DE24A170BFD4}.exe

Filesize
344KB

MD5
227d5d08e32b67e80f8193a7fc7b67d3

SHA1
6651fde2e0d883d0230855b27186cc1d590be9bc

SHA256
945c883006607ba551bd315e5e545f585df61325bfb2a6cd17de7e5fc52edbe3

SHA512
a5c24c80f03a54437209ae197fa5b2e691a956f19cd80871c7e3a264c62643aa0a44c95b12a89183ebff29478091b1078f2b9a711d5f888c875397b3caa3ed36

Download Submit
C:\Windows\{271FD95E-61D2-4437-8CE3-3929F901564E}.exe

Filesize
344KB

MD5
b684bd75dbb9fb4082cadaacf00e4ce0

SHA1
c7360546345a7dc5c21277b38d2d1050fdfd0813

SHA256
674cf9d2eb5ad0b1fe921a6ca2a4a4b88579641f68375566a9f6897bfbef2790

SHA512
0b5e1c6ee800c3dd8cb90f01524fb732702b6096c5fa5e6e31d25be66097d993748734cf9e51fba7025ca210590a8c0ef836c14e6772117e764986fc08d8939a

Download Submit
C:\Windows\{6B879082-3C8C-4431-85AF-A5A9A1759076}.exe

Filesize
344KB

MD5
1ee3e56e49dd96ab168846bf27acf046

SHA1
2ab370e62d11b9cf892511e886bd6c86702809d0

SHA256
5e0b90b7c83342b8dfb33789e5d9c9b2e6340e0565dc289628e9fb855492a5d1

SHA512
f975fb0bda70345f92f4e31baccc955bbff589bce852774996b456c5c3145cf0a5eef35d011c0c867940bb6141b9aac979a2df88e88beb7f12bf26ae46527566

Download Submit
C:\Windows\{6F659357-5E10-4e85-ACDC-C119A4319950}.exe

Filesize
344KB

MD5
f7238bc0b57f582461d85dfa8004dfb6

SHA1
0e626c623c5597308cb4ed26f0f38f02fc1ca31f

SHA256
8dc21307c19063b144a3a4d756492c48e2b19b47926c8ed48a030dfb316c0b44

SHA512
933433ad612921aa6736e6a3c8c720194f009fa1e111a6ff7b42a8b07be87eab23b1286d10025e6f72396f15db3a0c92b66a9814da948a3cc1aa06f0f63c9d6a

Download Submit
C:\Windows\{7960CD9F-2856-4ad6-B3D6-708DBC301DDC}.exe

Filesize
344KB

MD5
4ad4559e6e6e6e043ad7317e97c7f745

SHA1
0180c3f9a4085da78fcde94c1bc77b45c2864c2c

SHA256
444b74aea62fd36a10b7871f559eb4b4f001067f2bc8d973d99a385d75d224e3

SHA512
d129cdb8d1b7d01a532a18b74e84b33e44cdd7d9fc99fb7f0d8f9ca1104700e4d5e7d3208b9edb73afd2815f6b739edf98828f804b04e462629bd87ba89fcb98

Download Submit
C:\Windows\{ABF6B595-68D7-461e-A365-8037E09778D3}.exe

Filesize
344KB

MD5
f2d9f0ad6b66b64abafc593ab2e1e34a

SHA1
1fc59e29ac4f2502f8077960a496004442ec48ec

SHA256
ec04419f1af1d5932ef17f6c6e6705e7b8e287ac13f9416d27f0d24e98f50015

SHA512
21203762a1e27cdfcefa2eb2bfac38802e98886b67f35a0a97898e291aa824f9aa2686e31edd64654bc1310190065fe902820af21a98cdfa5e38073a7c00d614

Download Submit
C:\Windows\{AEDC7335-DD66-4ef4-B2F1-CFD1CC654A7A}.exe

Filesize
344KB

MD5
3c76ab3c32a81494172fb23e49a2111e

SHA1
16c6dc7bbc3336c38fbf2a8f7aa5d7e132fbb095

SHA256
9b32f6e04c13eeedfe1f9f64771cac550b0d9cc280d12a8bdeb98b4586762dbc

SHA512
de7d79fa41e81241d2acd3784f41ed2c1d8cb320405ae09a1abbedb9f19d38f88cd9fd702f5086a0c4a63a9251df7cb9cf10ca550110b494432c31363f1e41f7

Download Submit
C:\Windows\{C2D8D172-DCE6-4d5a-8508-68A82D76BF5C}.exe

Filesize
344KB

MD5
ab49e77d11d4f1380b3fd93b49294616

SHA1
448ee4cc58a3bffb708b041a83f44a422d1b3fd6

SHA256
bc3bfb42fda9f02afc18dfafcb584962695d56c21666a2f91fa4334cbbdb7a51

SHA512
daa3fd9a6894ef2241ee30ad0a9a3898cf5e8a785270186cdb73d43c325f95dbcdca0e93b0ccad513b5ac8be09a51c60743c56de9eefced99c46c49e5991b874

Download Submit
C:\Windows\{C48D36AD-2C18-4fc9-92CA-96635D6BA255}.exe

Filesize
344KB

MD5
1aafd946baf75dfd145fdf987221f8d4

SHA1
85ee15daaef830c8c0b456cb46b5810e033bf678

SHA256
4e27169a17eebd3815bc934a4b039356213bd4dfc67a8dbd54548f2a0facde31

SHA512
de5ece582779c6c88593ab9dfd7e17b80659143d32b234f0ed045ebe7298f6ecbd1e348e73f356b91cab7cd2d371c595a489bc4e654fabb504ad9a956c9a5c75

Download Submit
C:\Windows\{C9607D4C-DB59-48ac-927C-933928A9361E}.exe

Filesize
344KB

MD5
8d0b5377de1b747fb826e8b3d66e2d02

SHA1
2d79cf8c93df68b147a69676f6324c2e46803cd4

SHA256
cb056d1f609225028dbd5d58d993fff80f8916ba0f551c49000357968ac16fd5

SHA512
435023081b5ba321ecd2bd9234b76bbb1c9473042923aa0147465eb106a809ccb990d06c6d2052e8a8e093f1a51446943feeda7158949c142620901e296b43dc

Download Submit
C:\Windows\{E493AE9A-8C96-4e25-BD97-7690FDC2569F}.exe

Filesize
344KB

MD5
efcce0800833955b93fe3f4a31f296ff

SHA1
f0e9b0cb13e50dd91d657c82fa11add82548d4bd

SHA256
f6d349eed5ac2168dadc405d80ec99550983003d3914df5b1ef61b9a768dc262

SHA512
d372479b0ac00ab26641dba97418960ff0d2b77008ce936c1ccef6c21a3cbaea2e1ba44fbe5e9308e6ab83738273b6b2f492375a3779ccb3a5c15318ffe844ea

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads