3a3af06efa633c8aeaf0312e888305c1d7e89bcab4f8bd63b3908ac4ed9a98a7

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
28/02/2024, 12:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-28_530610d952f0c27e886e4fd074824cd1_goldeneye.exe
Size

168KB
MD5

530610d952f0c27e886e4fd074824cd1
SHA1

fc5549a325c3302f40c2a5d267ad0e92f094297a
SHA256

3a3af06efa633c8aeaf0312e888305c1d7e89bcab4f8bd63b3908ac4ed9a98a7
SHA512

c28260e0f5c5d4d1434e33348fbc17e4ae312341dbc86ec29bce331640819b8a7c935aa75fa42835b592cfd470bc00f782284206aae4910549512fc9ea3f4623
SSDEEP

1536:1EGh0oGlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oGlqOPOe2MUVg3Ve+rX

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000c0000000133c5-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0031000000016576-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d0000000133c5-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e0000000133c5-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0032000000016576-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f0000000133c5-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0033000000016576-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00100000000133c5-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0034000000016576-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CE72640A-F419-4662-88C4-B6ACABCA3A2E}	{A835F41B-D021-4570-A443-36B8E027D041}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F0F61E9B-C3B8-4c47-A1FA-2A33A4F5E4F9}	{C988243A-6FC4-4f04-B3C5-59EC5E153374}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{508B7403-20AC-4301-8C38-C504226D9C0C}\stubpath = "C:\\Windows\\{508B7403-20AC-4301-8C38-C504226D9C0C}.exe"	{8D6DB648-6CB0-44f4-B9AF-7B8136980C84}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AC80DDDB-60EC-4dcf-9158-28201AD74B0A}\stubpath = "C:\\Windows\\{AC80DDDB-60EC-4dcf-9158-28201AD74B0A}.exe"	{B06A5E16-C733-4b5f-875C-92498DDAA6EF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{674BE597-1FF6-4e6f-934D-8191AD9DFAB5}\stubpath = "C:\\Windows\\{674BE597-1FF6-4e6f-934D-8191AD9DFAB5}.exe"	{AC80DDDB-60EC-4dcf-9158-28201AD74B0A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C988243A-6FC4-4f04-B3C5-59EC5E153374}\stubpath = "C:\\Windows\\{C988243A-6FC4-4f04-B3C5-59EC5E153374}.exe"	{CE72640A-F419-4662-88C4-B6ACABCA3A2E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B06A5E16-C733-4b5f-875C-92498DDAA6EF}	{6BAC75CF-5489-4bb9-848B-E649E5F3BD14}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CE72640A-F419-4662-88C4-B6ACABCA3A2E}\stubpath = "C:\\Windows\\{CE72640A-F419-4662-88C4-B6ACABCA3A2E}.exe"	{A835F41B-D021-4570-A443-36B8E027D041}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C988243A-6FC4-4f04-B3C5-59EC5E153374}	{CE72640A-F419-4662-88C4-B6ACABCA3A2E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8D6DB648-6CB0-44f4-B9AF-7B8136980C84}\stubpath = "C:\\Windows\\{8D6DB648-6CB0-44f4-B9AF-7B8136980C84}.exe"	{F0F61E9B-C3B8-4c47-A1FA-2A33A4F5E4F9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{508B7403-20AC-4301-8C38-C504226D9C0C}	{8D6DB648-6CB0-44f4-B9AF-7B8136980C84}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6BAC75CF-5489-4bb9-848B-E649E5F3BD14}\stubpath = "C:\\Windows\\{6BAC75CF-5489-4bb9-848B-E649E5F3BD14}.exe"	{508B7403-20AC-4301-8C38-C504226D9C0C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6BAC75CF-5489-4bb9-848B-E649E5F3BD14}	{508B7403-20AC-4301-8C38-C504226D9C0C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B06A5E16-C733-4b5f-875C-92498DDAA6EF}\stubpath = "C:\\Windows\\{B06A5E16-C733-4b5f-875C-92498DDAA6EF}.exe"	{6BAC75CF-5489-4bb9-848B-E649E5F3BD14}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F33F9227-C8F6-44e2-9DEB-D959B22D9470}	2024-02-28_530610d952f0c27e886e4fd074824cd1_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F33F9227-C8F6-44e2-9DEB-D959B22D9470}\stubpath = "C:\\Windows\\{F33F9227-C8F6-44e2-9DEB-D959B22D9470}.exe"	2024-02-28_530610d952f0c27e886e4fd074824cd1_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A835F41B-D021-4570-A443-36B8E027D041}	{F33F9227-C8F6-44e2-9DEB-D959B22D9470}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A835F41B-D021-4570-A443-36B8E027D041}\stubpath = "C:\\Windows\\{A835F41B-D021-4570-A443-36B8E027D041}.exe"	{F33F9227-C8F6-44e2-9DEB-D959B22D9470}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F0F61E9B-C3B8-4c47-A1FA-2A33A4F5E4F9}\stubpath = "C:\\Windows\\{F0F61E9B-C3B8-4c47-A1FA-2A33A4F5E4F9}.exe"	{C988243A-6FC4-4f04-B3C5-59EC5E153374}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8D6DB648-6CB0-44f4-B9AF-7B8136980C84}	{F0F61E9B-C3B8-4c47-A1FA-2A33A4F5E4F9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AC80DDDB-60EC-4dcf-9158-28201AD74B0A}	{B06A5E16-C733-4b5f-875C-92498DDAA6EF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{674BE597-1FF6-4e6f-934D-8191AD9DFAB5}	{AC80DDDB-60EC-4dcf-9158-28201AD74B0A}.exe

Deletes itself 1 IoCs

pid	Process
1956	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2680	{F33F9227-C8F6-44e2-9DEB-D959B22D9470}.exe
2444	{A835F41B-D021-4570-A443-36B8E027D041}.exe
2420	{CE72640A-F419-4662-88C4-B6ACABCA3A2E}.exe
2892	{C988243A-6FC4-4f04-B3C5-59EC5E153374}.exe
560	{F0F61E9B-C3B8-4c47-A1FA-2A33A4F5E4F9}.exe
2496	{8D6DB648-6CB0-44f4-B9AF-7B8136980C84}.exe
1884	{508B7403-20AC-4301-8C38-C504226D9C0C}.exe
2384	{6BAC75CF-5489-4bb9-848B-E649E5F3BD14}.exe
1524	{B06A5E16-C733-4b5f-875C-92498DDAA6EF}.exe
2084	{AC80DDDB-60EC-4dcf-9158-28201AD74B0A}.exe
3036	{674BE597-1FF6-4e6f-934D-8191AD9DFAB5}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{F33F9227-C8F6-44e2-9DEB-D959B22D9470}.exe	2024-02-28_530610d952f0c27e886e4fd074824cd1_goldeneye.exe
File created	C:\Windows\{A835F41B-D021-4570-A443-36B8E027D041}.exe	{F33F9227-C8F6-44e2-9DEB-D959B22D9470}.exe
File created	C:\Windows\{CE72640A-F419-4662-88C4-B6ACABCA3A2E}.exe	{A835F41B-D021-4570-A443-36B8E027D041}.exe
File created	C:\Windows\{F0F61E9B-C3B8-4c47-A1FA-2A33A4F5E4F9}.exe	{C988243A-6FC4-4f04-B3C5-59EC5E153374}.exe
File created	C:\Windows\{508B7403-20AC-4301-8C38-C504226D9C0C}.exe	{8D6DB648-6CB0-44f4-B9AF-7B8136980C84}.exe
File created	C:\Windows\{6BAC75CF-5489-4bb9-848B-E649E5F3BD14}.exe	{508B7403-20AC-4301-8C38-C504226D9C0C}.exe
File created	C:\Windows\{C988243A-6FC4-4f04-B3C5-59EC5E153374}.exe	{CE72640A-F419-4662-88C4-B6ACABCA3A2E}.exe
File created	C:\Windows\{8D6DB648-6CB0-44f4-B9AF-7B8136980C84}.exe	{F0F61E9B-C3B8-4c47-A1FA-2A33A4F5E4F9}.exe
File created	C:\Windows\{B06A5E16-C733-4b5f-875C-92498DDAA6EF}.exe	{6BAC75CF-5489-4bb9-848B-E649E5F3BD14}.exe
File created	C:\Windows\{AC80DDDB-60EC-4dcf-9158-28201AD74B0A}.exe	{B06A5E16-C733-4b5f-875C-92498DDAA6EF}.exe
File created	C:\Windows\{674BE597-1FF6-4e6f-934D-8191AD9DFAB5}.exe	{AC80DDDB-60EC-4dcf-9158-28201AD74B0A}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2244	2024-02-28_530610d952f0c27e886e4fd074824cd1_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2680	{F33F9227-C8F6-44e2-9DEB-D959B22D9470}.exe
Token: SeIncBasePriorityPrivilege	2444	{A835F41B-D021-4570-A443-36B8E027D041}.exe
Token: SeIncBasePriorityPrivilege	2420	{CE72640A-F419-4662-88C4-B6ACABCA3A2E}.exe
Token: SeIncBasePriorityPrivilege	2892	{C988243A-6FC4-4f04-B3C5-59EC5E153374}.exe
Token: SeIncBasePriorityPrivilege	560	{F0F61E9B-C3B8-4c47-A1FA-2A33A4F5E4F9}.exe
Token: SeIncBasePriorityPrivilege	2496	{8D6DB648-6CB0-44f4-B9AF-7B8136980C84}.exe
Token: SeIncBasePriorityPrivilege	1884	{508B7403-20AC-4301-8C38-C504226D9C0C}.exe
Token: SeIncBasePriorityPrivilege	2384	{6BAC75CF-5489-4bb9-848B-E649E5F3BD14}.exe
Token: SeIncBasePriorityPrivilege	1524	{B06A5E16-C733-4b5f-875C-92498DDAA6EF}.exe
Token: SeIncBasePriorityPrivilege	2084	{AC80DDDB-60EC-4dcf-9158-28201AD74B0A}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2244 wrote to memory of 2680	2244	2024-02-28_530610d952f0c27e886e4fd074824cd1_goldeneye.exe	28
PID 2244 wrote to memory of 2680	2244	2024-02-28_530610d952f0c27e886e4fd074824cd1_goldeneye.exe	28
PID 2244 wrote to memory of 2680	2244	2024-02-28_530610d952f0c27e886e4fd074824cd1_goldeneye.exe	28
PID 2244 wrote to memory of 2680	2244	2024-02-28_530610d952f0c27e886e4fd074824cd1_goldeneye.exe	28
PID 2244 wrote to memory of 1956	2244	2024-02-28_530610d952f0c27e886e4fd074824cd1_goldeneye.exe	29
PID 2244 wrote to memory of 1956	2244	2024-02-28_530610d952f0c27e886e4fd074824cd1_goldeneye.exe	29
PID 2244 wrote to memory of 1956	2244	2024-02-28_530610d952f0c27e886e4fd074824cd1_goldeneye.exe	29
PID 2244 wrote to memory of 1956	2244	2024-02-28_530610d952f0c27e886e4fd074824cd1_goldeneye.exe	29
PID 2680 wrote to memory of 2444	2680	{F33F9227-C8F6-44e2-9DEB-D959B22D9470}.exe	32
PID 2680 wrote to memory of 2444	2680	{F33F9227-C8F6-44e2-9DEB-D959B22D9470}.exe	32
PID 2680 wrote to memory of 2444	2680	{F33F9227-C8F6-44e2-9DEB-D959B22D9470}.exe	32
PID 2680 wrote to memory of 2444	2680	{F33F9227-C8F6-44e2-9DEB-D959B22D9470}.exe	32
PID 2680 wrote to memory of 2732	2680	{F33F9227-C8F6-44e2-9DEB-D959B22D9470}.exe	33
PID 2680 wrote to memory of 2732	2680	{F33F9227-C8F6-44e2-9DEB-D959B22D9470}.exe	33
PID 2680 wrote to memory of 2732	2680	{F33F9227-C8F6-44e2-9DEB-D959B22D9470}.exe	33
PID 2680 wrote to memory of 2732	2680	{F33F9227-C8F6-44e2-9DEB-D959B22D9470}.exe	33
PID 2444 wrote to memory of 2420	2444	{A835F41B-D021-4570-A443-36B8E027D041}.exe	34
PID 2444 wrote to memory of 2420	2444	{A835F41B-D021-4570-A443-36B8E027D041}.exe	34
PID 2444 wrote to memory of 2420	2444	{A835F41B-D021-4570-A443-36B8E027D041}.exe	34
PID 2444 wrote to memory of 2420	2444	{A835F41B-D021-4570-A443-36B8E027D041}.exe	34
PID 2444 wrote to memory of 2480	2444	{A835F41B-D021-4570-A443-36B8E027D041}.exe	35
PID 2444 wrote to memory of 2480	2444	{A835F41B-D021-4570-A443-36B8E027D041}.exe	35
PID 2444 wrote to memory of 2480	2444	{A835F41B-D021-4570-A443-36B8E027D041}.exe	35
PID 2444 wrote to memory of 2480	2444	{A835F41B-D021-4570-A443-36B8E027D041}.exe	35
PID 2420 wrote to memory of 2892	2420	{CE72640A-F419-4662-88C4-B6ACABCA3A2E}.exe	36
PID 2420 wrote to memory of 2892	2420	{CE72640A-F419-4662-88C4-B6ACABCA3A2E}.exe	36
PID 2420 wrote to memory of 2892	2420	{CE72640A-F419-4662-88C4-B6ACABCA3A2E}.exe	36
PID 2420 wrote to memory of 2892	2420	{CE72640A-F419-4662-88C4-B6ACABCA3A2E}.exe	36
PID 2420 wrote to memory of 340	2420	{CE72640A-F419-4662-88C4-B6ACABCA3A2E}.exe	37
PID 2420 wrote to memory of 340	2420	{CE72640A-F419-4662-88C4-B6ACABCA3A2E}.exe	37
PID 2420 wrote to memory of 340	2420	{CE72640A-F419-4662-88C4-B6ACABCA3A2E}.exe	37
PID 2420 wrote to memory of 340	2420	{CE72640A-F419-4662-88C4-B6ACABCA3A2E}.exe	37
PID 2892 wrote to memory of 560	2892	{C988243A-6FC4-4f04-B3C5-59EC5E153374}.exe	38
PID 2892 wrote to memory of 560	2892	{C988243A-6FC4-4f04-B3C5-59EC5E153374}.exe	38
PID 2892 wrote to memory of 560	2892	{C988243A-6FC4-4f04-B3C5-59EC5E153374}.exe	38
PID 2892 wrote to memory of 560	2892	{C988243A-6FC4-4f04-B3C5-59EC5E153374}.exe	38
PID 2892 wrote to memory of 1920	2892	{C988243A-6FC4-4f04-B3C5-59EC5E153374}.exe	39
PID 2892 wrote to memory of 1920	2892	{C988243A-6FC4-4f04-B3C5-59EC5E153374}.exe	39
PID 2892 wrote to memory of 1920	2892	{C988243A-6FC4-4f04-B3C5-59EC5E153374}.exe	39
PID 2892 wrote to memory of 1920	2892	{C988243A-6FC4-4f04-B3C5-59EC5E153374}.exe	39
PID 560 wrote to memory of 2496	560	{F0F61E9B-C3B8-4c47-A1FA-2A33A4F5E4F9}.exe	40
PID 560 wrote to memory of 2496	560	{F0F61E9B-C3B8-4c47-A1FA-2A33A4F5E4F9}.exe	40
PID 560 wrote to memory of 2496	560	{F0F61E9B-C3B8-4c47-A1FA-2A33A4F5E4F9}.exe	40
PID 560 wrote to memory of 2496	560	{F0F61E9B-C3B8-4c47-A1FA-2A33A4F5E4F9}.exe	40
PID 560 wrote to memory of 2448	560	{F0F61E9B-C3B8-4c47-A1FA-2A33A4F5E4F9}.exe	41
PID 560 wrote to memory of 2448	560	{F0F61E9B-C3B8-4c47-A1FA-2A33A4F5E4F9}.exe	41
PID 560 wrote to memory of 2448	560	{F0F61E9B-C3B8-4c47-A1FA-2A33A4F5E4F9}.exe	41
PID 560 wrote to memory of 2448	560	{F0F61E9B-C3B8-4c47-A1FA-2A33A4F5E4F9}.exe	41
PID 2496 wrote to memory of 1884	2496	{8D6DB648-6CB0-44f4-B9AF-7B8136980C84}.exe	42
PID 2496 wrote to memory of 1884	2496	{8D6DB648-6CB0-44f4-B9AF-7B8136980C84}.exe	42
PID 2496 wrote to memory of 1884	2496	{8D6DB648-6CB0-44f4-B9AF-7B8136980C84}.exe	42
PID 2496 wrote to memory of 1884	2496	{8D6DB648-6CB0-44f4-B9AF-7B8136980C84}.exe	42
PID 2496 wrote to memory of 1332	2496	{8D6DB648-6CB0-44f4-B9AF-7B8136980C84}.exe	43
PID 2496 wrote to memory of 1332	2496	{8D6DB648-6CB0-44f4-B9AF-7B8136980C84}.exe	43
PID 2496 wrote to memory of 1332	2496	{8D6DB648-6CB0-44f4-B9AF-7B8136980C84}.exe	43
PID 2496 wrote to memory of 1332	2496	{8D6DB648-6CB0-44f4-B9AF-7B8136980C84}.exe	43
PID 1884 wrote to memory of 2384	1884	{508B7403-20AC-4301-8C38-C504226D9C0C}.exe	44
PID 1884 wrote to memory of 2384	1884	{508B7403-20AC-4301-8C38-C504226D9C0C}.exe	44
PID 1884 wrote to memory of 2384	1884	{508B7403-20AC-4301-8C38-C504226D9C0C}.exe	44
PID 1884 wrote to memory of 2384	1884	{508B7403-20AC-4301-8C38-C504226D9C0C}.exe	44
PID 1884 wrote to memory of 1588	1884	{508B7403-20AC-4301-8C38-C504226D9C0C}.exe	45
PID 1884 wrote to memory of 1588	1884	{508B7403-20AC-4301-8C38-C504226D9C0C}.exe	45
PID 1884 wrote to memory of 1588	1884	{508B7403-20AC-4301-8C38-C504226D9C0C}.exe	45
PID 1884 wrote to memory of 1588	1884	{508B7403-20AC-4301-8C38-C504226D9C0C}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-02-28_530610d952f0c27e886e4fd074824cd1_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-28_530610d952f0c27e886e4fd074824cd1_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2244
- C:\Windows\{F33F9227-C8F6-44e2-9DEB-D959B22D9470}.exe
  C:\Windows\{F33F9227-C8F6-44e2-9DEB-D959B22D9470}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2680
- - C:\Windows\{A835F41B-D021-4570-A443-36B8E027D041}.exe
    C:\Windows\{A835F41B-D021-4570-A443-36B8E027D041}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2444
  - - C:\Windows\{CE72640A-F419-4662-88C4-B6ACABCA3A2E}.exe
      C:\Windows\{CE72640A-F419-4662-88C4-B6ACABCA3A2E}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2420
    - - C:\Windows\{C988243A-6FC4-4f04-B3C5-59EC5E153374}.exe
        
        C:\Windows\{C988243A-6FC4-4f04-B3C5-59EC5E153374}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2892
      - C:\Windows\{F0F61E9B-C3B8-4c47-A1FA-2A33A4F5E4F9}.exe
        
        C:\Windows\{F0F61E9B-C3B8-4c47-A1FA-2A33A4F5E4F9}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:560
        
        C:\Windows\{8D6DB648-6CB0-44f4-B9AF-7B8136980C84}.exe
        
        C:\Windows\{8D6DB648-6CB0-44f4-B9AF-7B8136980C84}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2496
        
        C:\Windows\{508B7403-20AC-4301-8C38-C504226D9C0C}.exe
        
        C:\Windows\{508B7403-20AC-4301-8C38-C504226D9C0C}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1884
        
        C:\Windows\{6BAC75CF-5489-4bb9-848B-E649E5F3BD14}.exe
        
        C:\Windows\{6BAC75CF-5489-4bb9-848B-E649E5F3BD14}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6BAC7~1.EXE > nul
        10⤵
        
        PID:1620
        
        C:\Windows\{B06A5E16-C733-4b5f-875C-92498DDAA6EF}.exe
        
        C:\Windows\{B06A5E16-C733-4b5f-875C-92498DDAA6EF}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1524
        
        C:\Windows\{AC80DDDB-60EC-4dcf-9158-28201AD74B0A}.exe
        
        C:\Windows\{AC80DDDB-60EC-4dcf-9158-28201AD74B0A}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2084
        
        C:\Windows\{674BE597-1FF6-4e6f-934D-8191AD9DFAB5}.exe
        
        C:\Windows\{674BE597-1FF6-4e6f-934D-8191AD9DFAB5}.exe
        12⤵
        Executes dropped EXE
        
        PID:3036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AC80D~1.EXE > nul
        12⤵
        
        PID:1264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B06A5~1.EXE > nul
        11⤵
        
        PID:1872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{508B7~1.EXE > nul
        9⤵
        
        PID:1588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8D6DB~1.EXE > nul
        8⤵
        
        PID:1332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F0F61~1.EXE > nul
        7⤵
        
        PID:2448
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C9882~1.EXE > nul
        6⤵
        
        PID:1920
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CE726~1.EXE > nul
        5⤵
        
        PID:340
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{A835F~1.EXE > nul
      4⤵
      PID:2480
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{F33F9~1.EXE > nul
    3⤵
    PID:2732
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:1956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{508B7403-20AC-4301-8C38-C504226D9C0C}.exe

Filesize
168KB

MD5
3c0f35ee8719368b5f83dddeb931a0a8

SHA1
f1dc31e8c3bb8b5dd2d6bf40028ddc37d54e8034

SHA256
480af77392a7350e32fb82138023cdb7bef3227818d45eda23b011bff4ed9ce8

SHA512
d821042a2c12b0aec254b3735ce33aa39187760341f2be32930de1bac9e331b3b5ea0e4e5accc24175bc09ef96278c993857baa686ef04ea1e758845a517539d

Download Submit
C:\Windows\{674BE597-1FF6-4e6f-934D-8191AD9DFAB5}.exe

Filesize
168KB

MD5
7deda9abd41cd82ede3c7b5c44bbed0c

SHA1
2515e7360a296f2e911573ce732a8ee800fc1422

SHA256
19825b1d858ab99370f417c195f16b3450c01a83fcf02b107a47027ce6cc4a7d

SHA512
c0c694a00782fb868df0410385227155bf0a6d754cce758299a1bc6ef03ec389458519c9a241cdee1e2620fdd82b4125de7dc7a52074eba3d50ab82dc053dd1b

Download Submit
C:\Windows\{6BAC75CF-5489-4bb9-848B-E649E5F3BD14}.exe

Filesize
168KB

MD5
c31c98e2036bfa7e89f26b0225d17804

SHA1
e4fc91a64b3c02b6c659057cfe963bdeabdfe11b

SHA256
2ef9fbdc9ba704416ac870987e315947988866cbda2233ed61e77269d3f43220

SHA512
a8914d63fd8857d5ebfd2986b95d7442457b3fce82455422a1b35fa59adb0360d0c45675dc8f9fd219e9d4d696e1690b3ca45230ac4f97a8ab4f2ff07b541428

Download Submit
C:\Windows\{8D6DB648-6CB0-44f4-B9AF-7B8136980C84}.exe

Filesize
168KB

MD5
e6b39dcdb61435f74cf13141628f824e

SHA1
c66d606d1e6b5ab6338e12200770a6e1efd6ba88

SHA256
c29afd756e8c46609d563f4fff9fef9ad83a35bba62c6c15509afd77c226e3ff

SHA512
a42113bcd11c98e23edb020be7d03cab24f4b10ee289acc2079eac6b83009f0d146b300ee459fa3ceb23a08456c5673b3475d9eed9d4da440852d74d8462f7ad

Download Submit
C:\Windows\{A835F41B-D021-4570-A443-36B8E027D041}.exe

Filesize
168KB

MD5
5e8777ad17454d25d0d7f6af33e5ec2c

SHA1
b7d49ad6bcd93ca49b84eac7dc0fe0d85e58a25c

SHA256
3caf17e629b3ff120e3e5bb28fd144c477a6c9c2d065462f4ed2f2b02b82ac13

SHA512
d57655d02ae0c9d23ddd1da1c8f594c61e39fd9a373a5687db7f69a95d7e5f86b03b6fe9305cb72f7f7d44d76c8e3bdb6584b3a9e8b82cf16e3823e20f1603b1

Download Submit
C:\Windows\{AC80DDDB-60EC-4dcf-9158-28201AD74B0A}.exe

Filesize
168KB

MD5
c85f7a57927577dc53753843d58429e3

SHA1
e1191f8213ab8d3af21c75e980ac0431a57e3f4f

SHA256
a0bc1b1d0b6405af2e2476ecdf1c193bd15bc6e67dbfa8116c19acf69f79b4c7

SHA512
d646cb322919db78eb1b9cc896771263e300271cd80e0c5b78ff18c44c152562a900c6df620e2379626fcec5866b56316f839588f563639176f3bdf982c0634d

Download Submit
C:\Windows\{B06A5E16-C733-4b5f-875C-92498DDAA6EF}.exe

Filesize
168KB

MD5
3a207262a7e81f7482f4299af31204cd

SHA1
6d95b51e0df30e825b2c6861c1d83342f9799329

SHA256
ce50c78c74624fcf8ca7f20f33770eeec8081467bbf47301979c923b4b15732e

SHA512
03c500aaa75523e458ea27bd1c32d1007b4bb671b7f151a584242e919dcd906b2dafeeecea0369743ad06cc67880568930d9832153efd88fa90c9e5616e43d86

Download Submit
C:\Windows\{C988243A-6FC4-4f04-B3C5-59EC5E153374}.exe

Filesize
168KB

MD5
49b1174cdfa5b1edbf7749bd3c7b685a

SHA1
2bead25757e2cccdb1577e04574e608f96fb21f4

SHA256
500ee17b79f6f946924b3aff6ddbf21414e1b8d16b2362114a8aea165a4df1b1

SHA512
a3e0fe7ef6b40cfebe21e0e33618c1a060a8cbc52a59c75f80f75b8c0febbe205b290eb224c072645a53944480580e887906dc3bf6e4a7ed05cff0256a40e52c

Download Submit
C:\Windows\{CE72640A-F419-4662-88C4-B6ACABCA3A2E}.exe

Filesize
168KB

MD5
ac11817c3be4b3231298a10db023f4da

SHA1
d06ad90f43475cbc9d652049d3fe8ec750e76f15

SHA256
7f9b278969a89629ae1278197ba32b662d34b10a0b748356bf4c43eeed092777

SHA512
b30747bbb90640de9039147e1420eeca81bbf3d5572dc64321aa23aa32b88ca6e6cf32bce6becd996655617219bfb03c56b8990fb8a49f66aa7c31649902ef36

Download Submit
C:\Windows\{F0F61E9B-C3B8-4c47-A1FA-2A33A4F5E4F9}.exe

Filesize
168KB

MD5
3862b9782af47060d2d9a7b8b0271ae9

SHA1
8e148a8ecea981c7a2665ba54c0de80de7314a9d

SHA256
a141c29f588ed91ead16dba37bc13b8ad7aae02f9c1a814b4fa22e5e8799a7bf

SHA512
a45691567c6ba4882db8703aa6e0f51c27abac3a99ad66350b50f590cbaa9424d26079d4fc30af8c645e0cab0ec5378952cbf2e691ba838407b7cf1e24770458

Download Submit
C:\Windows\{F33F9227-C8F6-44e2-9DEB-D959B22D9470}.exe

Filesize
168KB

MD5
6b18a916645b6196bfcca986db8f69bc

SHA1
6879ba72932ad6d75a3fcdb2cab34f7d695a4880

SHA256
b2689dc1b34617dd90011fc6721de8a93b12e791244ff07f442724db6bcc5929

SHA512
23107a063f54549533e89f78172a0ad062ec1e17debf36ca35f1c139c875785a61c9a6d97694d3dc0e1ec34fd446974c4be532e923de3bef8df78a3364664b31

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads