ad78c00e4b4d3c70b33567fe247c3a75b49e4a945555817630885cfb627526ce

Analysis

max time kernel
144s
max time network
118s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
28-02-2024 09:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-28_062ad1ee08c7842304d6c3d282ceb164_goldeneye.exe
Size

408KB
MD5

062ad1ee08c7842304d6c3d282ceb164
SHA1

b6872b6d29f1924f2b83b9fcea890461a9c87760
SHA256

ad78c00e4b4d3c70b33567fe247c3a75b49e4a945555817630885cfb627526ce
SHA512

d9dae3b58c12aaa498a64082a72149edff338b1495e77e9cd0aa4b0567c7b53afb1d60089970b3208408b29bc7452ef3bc8dd568ad2ae69409f5d34ca987088d
SSDEEP

3072:CEGh0o9l3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEG3ldOe2MUVg3vTeKcAEciTBqr3jy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000b00000001332e-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b000000015c87-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c00000001332e-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0037000000015ce3-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d00000001332e-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e00000001332e-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f00000001332e-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D6A95AF9-51C6-4908-A72B-14C16408632A}\stubpath = "C:\\Windows\\{D6A95AF9-51C6-4908-A72B-14C16408632A}.exe"	{08D8F1A5-E0FC-4e58-A348-768BD6CAA3C9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2B053C4D-EFBE-4b84-B79F-38249FAEA753}\stubpath = "C:\\Windows\\{2B053C4D-EFBE-4b84-B79F-38249FAEA753}.exe"	{D6A95AF9-51C6-4908-A72B-14C16408632A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3C306A02-0D2E-435d-A8E6-9FDC0DBB4BEE}	{24E6CAA8-C02E-465b-91E0-26B05EA6AE2B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D33AC144-9EC3-4664-9C4C-E6A6DDFC67CE}	{3C306A02-0D2E-435d-A8E6-9FDC0DBB4BEE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{08D8F1A5-E0FC-4e58-A348-768BD6CAA3C9}\stubpath = "C:\\Windows\\{08D8F1A5-E0FC-4e58-A348-768BD6CAA3C9}.exe"	{5AA036C6-327C-441e-A783-5617DEB6A01E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CB002859-8295-4d96-9B7C-CB17FE2B314B}	{2B053C4D-EFBE-4b84-B79F-38249FAEA753}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E4BFC2A6-4BD3-4db3-9ADB-6F6C80AE3C59}	{CB002859-8295-4d96-9B7C-CB17FE2B314B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E4BFC2A6-4BD3-4db3-9ADB-6F6C80AE3C59}\stubpath = "C:\\Windows\\{E4BFC2A6-4BD3-4db3-9ADB-6F6C80AE3C59}.exe"	{CB002859-8295-4d96-9B7C-CB17FE2B314B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FEFAC8A0-37E4-4cc0-A0FE-A4AC19C01E42}\stubpath = "C:\\Windows\\{FEFAC8A0-37E4-4cc0-A0FE-A4AC19C01E42}.exe"	{E4BFC2A6-4BD3-4db3-9ADB-6F6C80AE3C59}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{720DC5CE-0A54-4ba7-B6DE-5B34CFAD619A}	{FEFAC8A0-37E4-4cc0-A0FE-A4AC19C01E42}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{24E6CAA8-C02E-465b-91E0-26B05EA6AE2B}	{720DC5CE-0A54-4ba7-B6DE-5B34CFAD619A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{24E6CAA8-C02E-465b-91E0-26B05EA6AE2B}\stubpath = "C:\\Windows\\{24E6CAA8-C02E-465b-91E0-26B05EA6AE2B}.exe"	{720DC5CE-0A54-4ba7-B6DE-5B34CFAD619A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D6A95AF9-51C6-4908-A72B-14C16408632A}	{08D8F1A5-E0FC-4e58-A348-768BD6CAA3C9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D33AC144-9EC3-4664-9C4C-E6A6DDFC67CE}\stubpath = "C:\\Windows\\{D33AC144-9EC3-4664-9C4C-E6A6DDFC67CE}.exe"	{3C306A02-0D2E-435d-A8E6-9FDC0DBB4BEE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3C306A02-0D2E-435d-A8E6-9FDC0DBB4BEE}\stubpath = "C:\\Windows\\{3C306A02-0D2E-435d-A8E6-9FDC0DBB4BEE}.exe"	{24E6CAA8-C02E-465b-91E0-26B05EA6AE2B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{08D8F1A5-E0FC-4e58-A348-768BD6CAA3C9}	{5AA036C6-327C-441e-A783-5617DEB6A01E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2B053C4D-EFBE-4b84-B79F-38249FAEA753}	{D6A95AF9-51C6-4908-A72B-14C16408632A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FEFAC8A0-37E4-4cc0-A0FE-A4AC19C01E42}	{E4BFC2A6-4BD3-4db3-9ADB-6F6C80AE3C59}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{720DC5CE-0A54-4ba7-B6DE-5B34CFAD619A}\stubpath = "C:\\Windows\\{720DC5CE-0A54-4ba7-B6DE-5B34CFAD619A}.exe"	{FEFAC8A0-37E4-4cc0-A0FE-A4AC19C01E42}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5AA036C6-327C-441e-A783-5617DEB6A01E}\stubpath = "C:\\Windows\\{5AA036C6-327C-441e-A783-5617DEB6A01E}.exe"	2024-02-28_062ad1ee08c7842304d6c3d282ceb164_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CB002859-8295-4d96-9B7C-CB17FE2B314B}\stubpath = "C:\\Windows\\{CB002859-8295-4d96-9B7C-CB17FE2B314B}.exe"	{2B053C4D-EFBE-4b84-B79F-38249FAEA753}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5AA036C6-327C-441e-A783-5617DEB6A01E}	2024-02-28_062ad1ee08c7842304d6c3d282ceb164_goldeneye.exe

Deletes itself 1 IoCs

pid	Process
3008	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2116	{5AA036C6-327C-441e-A783-5617DEB6A01E}.exe
2392	{08D8F1A5-E0FC-4e58-A348-768BD6CAA3C9}.exe
2924	{D6A95AF9-51C6-4908-A72B-14C16408632A}.exe
816	{2B053C4D-EFBE-4b84-B79F-38249FAEA753}.exe
2680	{CB002859-8295-4d96-9B7C-CB17FE2B314B}.exe
2172	{E4BFC2A6-4BD3-4db3-9ADB-6F6C80AE3C59}.exe
1048	{FEFAC8A0-37E4-4cc0-A0FE-A4AC19C01E42}.exe
2040	{720DC5CE-0A54-4ba7-B6DE-5B34CFAD619A}.exe
1680	{24E6CAA8-C02E-465b-91E0-26B05EA6AE2B}.exe
1904	{3C306A02-0D2E-435d-A8E6-9FDC0DBB4BEE}.exe
1584	{D33AC144-9EC3-4664-9C4C-E6A6DDFC67CE}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{5AA036C6-327C-441e-A783-5617DEB6A01E}.exe	2024-02-28_062ad1ee08c7842304d6c3d282ceb164_goldeneye.exe
File created	C:\Windows\{CB002859-8295-4d96-9B7C-CB17FE2B314B}.exe	{2B053C4D-EFBE-4b84-B79F-38249FAEA753}.exe
File created	C:\Windows\{E4BFC2A6-4BD3-4db3-9ADB-6F6C80AE3C59}.exe	{CB002859-8295-4d96-9B7C-CB17FE2B314B}.exe
File created	C:\Windows\{FEFAC8A0-37E4-4cc0-A0FE-A4AC19C01E42}.exe	{E4BFC2A6-4BD3-4db3-9ADB-6F6C80AE3C59}.exe
File created	C:\Windows\{720DC5CE-0A54-4ba7-B6DE-5B34CFAD619A}.exe	{FEFAC8A0-37E4-4cc0-A0FE-A4AC19C01E42}.exe
File created	C:\Windows\{3C306A02-0D2E-435d-A8E6-9FDC0DBB4BEE}.exe	{24E6CAA8-C02E-465b-91E0-26B05EA6AE2B}.exe
File created	C:\Windows\{D33AC144-9EC3-4664-9C4C-E6A6DDFC67CE}.exe	{3C306A02-0D2E-435d-A8E6-9FDC0DBB4BEE}.exe
File created	C:\Windows\{08D8F1A5-E0FC-4e58-A348-768BD6CAA3C9}.exe	{5AA036C6-327C-441e-A783-5617DEB6A01E}.exe
File created	C:\Windows\{D6A95AF9-51C6-4908-A72B-14C16408632A}.exe	{08D8F1A5-E0FC-4e58-A348-768BD6CAA3C9}.exe
File created	C:\Windows\{2B053C4D-EFBE-4b84-B79F-38249FAEA753}.exe	{D6A95AF9-51C6-4908-A72B-14C16408632A}.exe
File created	C:\Windows\{24E6CAA8-C02E-465b-91E0-26B05EA6AE2B}.exe	{720DC5CE-0A54-4ba7-B6DE-5B34CFAD619A}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1968	2024-02-28_062ad1ee08c7842304d6c3d282ceb164_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2116	{5AA036C6-327C-441e-A783-5617DEB6A01E}.exe
Token: SeIncBasePriorityPrivilege	2392	{08D8F1A5-E0FC-4e58-A348-768BD6CAA3C9}.exe
Token: SeIncBasePriorityPrivilege	2924	{D6A95AF9-51C6-4908-A72B-14C16408632A}.exe
Token: SeIncBasePriorityPrivilege	816	{2B053C4D-EFBE-4b84-B79F-38249FAEA753}.exe
Token: SeIncBasePriorityPrivilege	2680	{CB002859-8295-4d96-9B7C-CB17FE2B314B}.exe
Token: SeIncBasePriorityPrivilege	2172	{E4BFC2A6-4BD3-4db3-9ADB-6F6C80AE3C59}.exe
Token: SeIncBasePriorityPrivilege	1048	{FEFAC8A0-37E4-4cc0-A0FE-A4AC19C01E42}.exe
Token: SeIncBasePriorityPrivilege	2040	{720DC5CE-0A54-4ba7-B6DE-5B34CFAD619A}.exe
Token: SeIncBasePriorityPrivilege	1680	{24E6CAA8-C02E-465b-91E0-26B05EA6AE2B}.exe
Token: SeIncBasePriorityPrivilege	1904	{3C306A02-0D2E-435d-A8E6-9FDC0DBB4BEE}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1968 wrote to memory of 2116	1968	2024-02-28_062ad1ee08c7842304d6c3d282ceb164_goldeneye.exe	28
PID 1968 wrote to memory of 2116	1968	2024-02-28_062ad1ee08c7842304d6c3d282ceb164_goldeneye.exe	28
PID 1968 wrote to memory of 2116	1968	2024-02-28_062ad1ee08c7842304d6c3d282ceb164_goldeneye.exe	28
PID 1968 wrote to memory of 2116	1968	2024-02-28_062ad1ee08c7842304d6c3d282ceb164_goldeneye.exe	28
PID 1968 wrote to memory of 3008	1968	2024-02-28_062ad1ee08c7842304d6c3d282ceb164_goldeneye.exe	29
PID 1968 wrote to memory of 3008	1968	2024-02-28_062ad1ee08c7842304d6c3d282ceb164_goldeneye.exe	29
PID 1968 wrote to memory of 3008	1968	2024-02-28_062ad1ee08c7842304d6c3d282ceb164_goldeneye.exe	29
PID 1968 wrote to memory of 3008	1968	2024-02-28_062ad1ee08c7842304d6c3d282ceb164_goldeneye.exe	29
PID 2116 wrote to memory of 2392	2116	{5AA036C6-327C-441e-A783-5617DEB6A01E}.exe	30
PID 2116 wrote to memory of 2392	2116	{5AA036C6-327C-441e-A783-5617DEB6A01E}.exe	30
PID 2116 wrote to memory of 2392	2116	{5AA036C6-327C-441e-A783-5617DEB6A01E}.exe	30
PID 2116 wrote to memory of 2392	2116	{5AA036C6-327C-441e-A783-5617DEB6A01E}.exe	30
PID 2116 wrote to memory of 2500	2116	{5AA036C6-327C-441e-A783-5617DEB6A01E}.exe	31
PID 2116 wrote to memory of 2500	2116	{5AA036C6-327C-441e-A783-5617DEB6A01E}.exe	31
PID 2116 wrote to memory of 2500	2116	{5AA036C6-327C-441e-A783-5617DEB6A01E}.exe	31
PID 2116 wrote to memory of 2500	2116	{5AA036C6-327C-441e-A783-5617DEB6A01E}.exe	31
PID 2392 wrote to memory of 2924	2392	{08D8F1A5-E0FC-4e58-A348-768BD6CAA3C9}.exe	33
PID 2392 wrote to memory of 2924	2392	{08D8F1A5-E0FC-4e58-A348-768BD6CAA3C9}.exe	33
PID 2392 wrote to memory of 2924	2392	{08D8F1A5-E0FC-4e58-A348-768BD6CAA3C9}.exe	33
PID 2392 wrote to memory of 2924	2392	{08D8F1A5-E0FC-4e58-A348-768BD6CAA3C9}.exe	33
PID 2392 wrote to memory of 2552	2392	{08D8F1A5-E0FC-4e58-A348-768BD6CAA3C9}.exe	32
PID 2392 wrote to memory of 2552	2392	{08D8F1A5-E0FC-4e58-A348-768BD6CAA3C9}.exe	32
PID 2392 wrote to memory of 2552	2392	{08D8F1A5-E0FC-4e58-A348-768BD6CAA3C9}.exe	32
PID 2392 wrote to memory of 2552	2392	{08D8F1A5-E0FC-4e58-A348-768BD6CAA3C9}.exe	32
PID 2924 wrote to memory of 816	2924	{D6A95AF9-51C6-4908-A72B-14C16408632A}.exe	36
PID 2924 wrote to memory of 816	2924	{D6A95AF9-51C6-4908-A72B-14C16408632A}.exe	36
PID 2924 wrote to memory of 816	2924	{D6A95AF9-51C6-4908-A72B-14C16408632A}.exe	36
PID 2924 wrote to memory of 816	2924	{D6A95AF9-51C6-4908-A72B-14C16408632A}.exe	36
PID 2924 wrote to memory of 2360	2924	{D6A95AF9-51C6-4908-A72B-14C16408632A}.exe	37
PID 2924 wrote to memory of 2360	2924	{D6A95AF9-51C6-4908-A72B-14C16408632A}.exe	37
PID 2924 wrote to memory of 2360	2924	{D6A95AF9-51C6-4908-A72B-14C16408632A}.exe	37
PID 2924 wrote to memory of 2360	2924	{D6A95AF9-51C6-4908-A72B-14C16408632A}.exe	37
PID 816 wrote to memory of 2680	816	{2B053C4D-EFBE-4b84-B79F-38249FAEA753}.exe	39
PID 816 wrote to memory of 2680	816	{2B053C4D-EFBE-4b84-B79F-38249FAEA753}.exe	39
PID 816 wrote to memory of 2680	816	{2B053C4D-EFBE-4b84-B79F-38249FAEA753}.exe	39
PID 816 wrote to memory of 2680	816	{2B053C4D-EFBE-4b84-B79F-38249FAEA753}.exe	39
PID 816 wrote to memory of 1532	816	{2B053C4D-EFBE-4b84-B79F-38249FAEA753}.exe	38
PID 816 wrote to memory of 1532	816	{2B053C4D-EFBE-4b84-B79F-38249FAEA753}.exe	38
PID 816 wrote to memory of 1532	816	{2B053C4D-EFBE-4b84-B79F-38249FAEA753}.exe	38
PID 816 wrote to memory of 1532	816	{2B053C4D-EFBE-4b84-B79F-38249FAEA753}.exe	38
PID 2680 wrote to memory of 2172	2680	{CB002859-8295-4d96-9B7C-CB17FE2B314B}.exe	41
PID 2680 wrote to memory of 2172	2680	{CB002859-8295-4d96-9B7C-CB17FE2B314B}.exe	41
PID 2680 wrote to memory of 2172	2680	{CB002859-8295-4d96-9B7C-CB17FE2B314B}.exe	41
PID 2680 wrote to memory of 2172	2680	{CB002859-8295-4d96-9B7C-CB17FE2B314B}.exe	41
PID 2680 wrote to memory of 1572	2680	{CB002859-8295-4d96-9B7C-CB17FE2B314B}.exe	40
PID 2680 wrote to memory of 1572	2680	{CB002859-8295-4d96-9B7C-CB17FE2B314B}.exe	40
PID 2680 wrote to memory of 1572	2680	{CB002859-8295-4d96-9B7C-CB17FE2B314B}.exe	40
PID 2680 wrote to memory of 1572	2680	{CB002859-8295-4d96-9B7C-CB17FE2B314B}.exe	40
PID 2172 wrote to memory of 1048	2172	{E4BFC2A6-4BD3-4db3-9ADB-6F6C80AE3C59}.exe	42
PID 2172 wrote to memory of 1048	2172	{E4BFC2A6-4BD3-4db3-9ADB-6F6C80AE3C59}.exe	42
PID 2172 wrote to memory of 1048	2172	{E4BFC2A6-4BD3-4db3-9ADB-6F6C80AE3C59}.exe	42
PID 2172 wrote to memory of 1048	2172	{E4BFC2A6-4BD3-4db3-9ADB-6F6C80AE3C59}.exe	42
PID 2172 wrote to memory of 2564	2172	{E4BFC2A6-4BD3-4db3-9ADB-6F6C80AE3C59}.exe	43
PID 2172 wrote to memory of 2564	2172	{E4BFC2A6-4BD3-4db3-9ADB-6F6C80AE3C59}.exe	43
PID 2172 wrote to memory of 2564	2172	{E4BFC2A6-4BD3-4db3-9ADB-6F6C80AE3C59}.exe	43
PID 2172 wrote to memory of 2564	2172	{E4BFC2A6-4BD3-4db3-9ADB-6F6C80AE3C59}.exe	43
PID 1048 wrote to memory of 2040	1048	{FEFAC8A0-37E4-4cc0-A0FE-A4AC19C01E42}.exe	44
PID 1048 wrote to memory of 2040	1048	{FEFAC8A0-37E4-4cc0-A0FE-A4AC19C01E42}.exe	44
PID 1048 wrote to memory of 2040	1048	{FEFAC8A0-37E4-4cc0-A0FE-A4AC19C01E42}.exe	44
PID 1048 wrote to memory of 2040	1048	{FEFAC8A0-37E4-4cc0-A0FE-A4AC19C01E42}.exe	44
PID 1048 wrote to memory of 2024	1048	{FEFAC8A0-37E4-4cc0-A0FE-A4AC19C01E42}.exe	45
PID 1048 wrote to memory of 2024	1048	{FEFAC8A0-37E4-4cc0-A0FE-A4AC19C01E42}.exe	45
PID 1048 wrote to memory of 2024	1048	{FEFAC8A0-37E4-4cc0-A0FE-A4AC19C01E42}.exe	45
PID 1048 wrote to memory of 2024	1048	{FEFAC8A0-37E4-4cc0-A0FE-A4AC19C01E42}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-02-28_062ad1ee08c7842304d6c3d282ceb164_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-28_062ad1ee08c7842304d6c3d282ceb164_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1968
- C:\Windows\{5AA036C6-327C-441e-A783-5617DEB6A01E}.exe
  C:\Windows\{5AA036C6-327C-441e-A783-5617DEB6A01E}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2116
- - C:\Windows\{08D8F1A5-E0FC-4e58-A348-768BD6CAA3C9}.exe
    C:\Windows\{08D8F1A5-E0FC-4e58-A348-768BD6CAA3C9}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2392
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{08D8F~1.EXE > nul
      4⤵
      PID:2552
  - - C:\Windows\{D6A95AF9-51C6-4908-A72B-14C16408632A}.exe
      C:\Windows\{D6A95AF9-51C6-4908-A72B-14C16408632A}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2924
    - - C:\Windows\{2B053C4D-EFBE-4b84-B79F-38249FAEA753}.exe
        
        C:\Windows\{2B053C4D-EFBE-4b84-B79F-38249FAEA753}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:816
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2B053~1.EXE > nul
        6⤵
        
        PID:1532
      - C:\Windows\{CB002859-8295-4d96-9B7C-CB17FE2B314B}.exe
        
        C:\Windows\{CB002859-8295-4d96-9B7C-CB17FE2B314B}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CB002~1.EXE > nul
        7⤵
        
        PID:1572
        
        C:\Windows\{E4BFC2A6-4BD3-4db3-9ADB-6F6C80AE3C59}.exe
        
        C:\Windows\{E4BFC2A6-4BD3-4db3-9ADB-6F6C80AE3C59}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2172
        
        C:\Windows\{FEFAC8A0-37E4-4cc0-A0FE-A4AC19C01E42}.exe
        
        C:\Windows\{FEFAC8A0-37E4-4cc0-A0FE-A4AC19C01E42}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1048
        
        C:\Windows\{720DC5CE-0A54-4ba7-B6DE-5B34CFAD619A}.exe
        
        C:\Windows\{720DC5CE-0A54-4ba7-B6DE-5B34CFAD619A}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2040
        
        C:\Windows\{24E6CAA8-C02E-465b-91E0-26B05EA6AE2B}.exe
        
        C:\Windows\{24E6CAA8-C02E-465b-91E0-26B05EA6AE2B}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1680
        
        C:\Windows\{3C306A02-0D2E-435d-A8E6-9FDC0DBB4BEE}.exe
        
        C:\Windows\{3C306A02-0D2E-435d-A8E6-9FDC0DBB4BEE}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1904
        
        C:\Windows\{D33AC144-9EC3-4664-9C4C-E6A6DDFC67CE}.exe
        
        C:\Windows\{D33AC144-9EC3-4664-9C4C-E6A6DDFC67CE}.exe
        12⤵
        Executes dropped EXE
        
        PID:1584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3C306~1.EXE > nul
        12⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{24E6C~1.EXE > nul
        11⤵
        
        PID:268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{720DC~1.EXE > nul
        10⤵
        
        PID:2228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FEFAC~1.EXE > nul
        9⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E4BFC~1.EXE > nul
        8⤵
        
        PID:2564
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D6A95~1.EXE > nul
        5⤵
        
        PID:2360
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{5AA03~1.EXE > nul
    3⤵
    PID:2500
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:3008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{08D8F1A5-E0FC-4e58-A348-768BD6CAA3C9}.exe

Filesize
408KB

MD5
1a74affd48cc46b48c912ac8b3e5258a

SHA1
6dcb8287935852cb013a9dc61b11ba2ce7da7ad0

SHA256
8c2ae3967a9ca3402999031f8bfce5c2e5568bc0939620ecc98bba313f474dfa

SHA512
6af034aa1e786bb52754547d1661d6c2d2b9f6dc147a00bd1aa35f04f7b617f9b48ad5b56fadd47481d323904c35651e9a7887cb9f4a70007752d46eaf9a96db

Download Submit
C:\Windows\{24E6CAA8-C02E-465b-91E0-26B05EA6AE2B}.exe

Filesize
408KB

MD5
b0895014ad6f162d24705bc4edd11683

SHA1
58a164287918d549fbb4d88db74763497caf9340

SHA256
34dd505a851ec8f7b363cdd742c400df1aae2bbde9f8c135539b7cfbf5c54575

SHA512
612af63fc6bf115b47f273aed18ad3c7293f99318f5c9a61ed5b41f4c94ae1256dd3e537a6886f9cb3fb8602b8a64588d930cd2f1decc4f5b928e55f2cdce6c7

Download Submit
C:\Windows\{2B053C4D-EFBE-4b84-B79F-38249FAEA753}.exe

Filesize
408KB

MD5
e4f83d25d017138d9a7077262d987930

SHA1
58619c94b2f467a1473127472207d2ffb66caa6b

SHA256
d4026178be9e45c49c8d9cc989a591944ba5a036dd2bbac9dca19bb647499d1b

SHA512
f35099bc4c8debab93ddd28f27171eecd955fb494988c5a9da7971eb0cde0709eee18b6d5fc61996c54d3db082bbea09e45b19e2778c88eafe67413edbdd48a3

Download Submit
C:\Windows\{3C306A02-0D2E-435d-A8E6-9FDC0DBB4BEE}.exe

Filesize
408KB

MD5
2e1ff621f27226d6c763f4864d2fd53d

SHA1
35f310363c178176b98e0654926f1f7f06597660

SHA256
108ef35946a5b780578094b7d803b557e21c719fe29a7f91af045d7216303128

SHA512
d81bcd0fb4800af9090e0b89ed0b348b4e96c905723ea4d062eab6412693051ef966ba7d57208aa1cbe61a24f2d6f85667c508857613c868e03350a64c1e5b45

Download Submit
C:\Windows\{5AA036C6-327C-441e-A783-5617DEB6A01E}.exe

Filesize
408KB

MD5
2908e94dce441335d5216727c37b8a61

SHA1
07b7c3ab27377c9b3b3ad90add6ccdbb4d689ea2

SHA256
5262df97108bfbbb0665d4595e11883ca600f8631ed6cb34bdcede1c8e41590f

SHA512
f9ce20602196811d73717ead7f9bd9fc9bf1ecd96bbb5bc8261ff70a6efb2362286077e6676559a679ae0b619ce381c2d0b893eaf1d290476c5942d7de417e7c

Download Submit
C:\Windows\{720DC5CE-0A54-4ba7-B6DE-5B34CFAD619A}.exe

Filesize
408KB

MD5
ae97731785783d7e3aa9588b5aa05bfe

SHA1
fd9b2560b97717dab794659336eb0881d5cce740

SHA256
1797d3f737fa482251bd92d0d1aa5963aceca53c295ca129651e908c6fb6a3b7

SHA512
f34fe6ef4c701ec58e9cc7a2886fdf143ac1062ae3174ca4044f0b6b46cb57d44aa23db58032e9db27cbbf079e803526887bb7ebde05d4ab5e7406dff949bd93

Download Submit
C:\Windows\{CB002859-8295-4d96-9B7C-CB17FE2B314B}.exe

Filesize
408KB

MD5
c75df083fdd54baab9716e77f09a1675

SHA1
9e5697cdba39982c2951bd3f1fea99f380d2d6e2

SHA256
e02ae487067a535d6c75756f80fc5c43d4c7474ff45e6185bd0c31514a454a99

SHA512
f75895162e09ab3be95cd5e3a3023841e47bca526b1014175541d63229bde065d358d3e644fbf609aad473bc837d024b4341efe328f1f826ccb90f3998005ca6

Download Submit
C:\Windows\{D33AC144-9EC3-4664-9C4C-E6A6DDFC67CE}.exe

Filesize
408KB

MD5
070cba34e15d73a9011d11b14c31ef78

SHA1
66940c7ead76aff79a3fd508ba7981c77560a1b2

SHA256
2dce99dee71483a3bf76808471fe56bd2fc6114d40460a823fe1e05486ffc46f

SHA512
c14f396ea7df2e2fb86bafcb3b4721cb860ff62753f2e1e0bff05b9c8de2a84a5f5a297eb81c2011495edbbc33dda40609378b6f4a0f69bd99a12b0e039ae7ad

Download Submit
C:\Windows\{D6A95AF9-51C6-4908-A72B-14C16408632A}.exe

Filesize
408KB

MD5
8fef39421ed10300ad1f544762734f83

SHA1
c603f8918d4d56ac37e083baae4ef4666f3b97a5

SHA256
35eac89f5d7c4a1954973a9298b929e34fcd4a9d177551e83be5d9b00a884732

SHA512
7a83736e06e749ebbca79b47898df5e28df3a0b217846774bebb7c7514910cf518d62687a0fbd458b2829cafb37e47b43913f2e6a8ee07599ea10728a8e00e1d

Download Submit
C:\Windows\{E4BFC2A6-4BD3-4db3-9ADB-6F6C80AE3C59}.exe

Filesize
408KB

MD5
e5be14f9786cb4a84f4bf1a5843d7f5d

SHA1
28f08112e5e4651846636d0e39160d20af1440bb

SHA256
be54195a4516f09e0ca34d784821cdfc88ca57ff657615c30e8188af90c86157

SHA512
52e9aca8608fa3574cab6203c485cde650671d6e1ca360e6026d0ea9b058e606445ebcef973a25eb77d73e6094ef47fc9c5e233314596e203e158a66ea46eb48

Download Submit
C:\Windows\{FEFAC8A0-37E4-4cc0-A0FE-A4AC19C01E42}.exe

Filesize
408KB

MD5
3871ee4db58e71dc1ad302c3416d7fbb

SHA1
c4b6440e18fa47c73685981d73b5d0176938a2c5

SHA256
a2b289e77e2400e3d052d50447f3acc539b690a748e26e398d80e01f1bbfa80e

SHA512
bcc1033d694e215f3ed4b8f033991893db81734e5e6e6f3d239a250f4f3d5dfc24f2355451facdfdeaf17b0e53e014077ee7563ca0260941e796eebb78e1f1a8

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads