186a07aac6cec5fd49bf4bcec01a32e744b95a0467ce06ad3feb9baa965dc02d

Analysis

max time kernel
144s
max time network
121s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
05/03/2024, 15:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-05_b154ca9d59307346fe77450ccc21ac14_goldeneye.exe
Size

168KB
MD5

b154ca9d59307346fe77450ccc21ac14
SHA1

32148aaa995008507ad45c67a63303a3689538e8
SHA256

186a07aac6cec5fd49bf4bcec01a32e744b95a0467ce06ad3feb9baa965dc02d
SHA512

b114569b4bbc363705943eeed2dd36afa8e517edacf32d7c2fce6b3b64d3d6ae369ca3be0a0aa41ce4b09cc2ff031fce444619a909b422146db49620e404186f
SSDEEP

1536:1EGh0oslq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oslqOPOe2MUVg3Ve+rX

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x00080000000122bf-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b000000014323-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00090000000122bf-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0035000000014588-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a0000000122bf-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b0000000122bf-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c0000000122bf-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{43DCAC1D-C54E-4787-B170-6E4A14C6F453}	2024-03-05_b154ca9d59307346fe77450ccc21ac14_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{01E00A94-541C-4c4d-9E1C-055A7FFDB4DE}	{B0984F4D-78C0-4289-A64B-FAB52045021F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{01E00A94-541C-4c4d-9E1C-055A7FFDB4DE}\stubpath = "C:\\Windows\\{01E00A94-541C-4c4d-9E1C-055A7FFDB4DE}.exe"	{B0984F4D-78C0-4289-A64B-FAB52045021F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F4762D58-89E0-48c3-99B1-618CE0A53B2C}	{01E00A94-541C-4c4d-9E1C-055A7FFDB4DE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F4762D58-89E0-48c3-99B1-618CE0A53B2C}\stubpath = "C:\\Windows\\{F4762D58-89E0-48c3-99B1-618CE0A53B2C}.exe"	{01E00A94-541C-4c4d-9E1C-055A7FFDB4DE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5914C54F-A527-4223-867A-87F59BEB5A52}	{F4762D58-89E0-48c3-99B1-618CE0A53B2C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D85406A8-0F29-4853-AFD1-9F38A8A7E48E}	{5914C54F-A527-4223-867A-87F59BEB5A52}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{89C9BEBD-30FB-4046-90EC-D7496C7A0E68}\stubpath = "C:\\Windows\\{89C9BEBD-30FB-4046-90EC-D7496C7A0E68}.exe"	{D85406A8-0F29-4853-AFD1-9F38A8A7E48E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4D7DDBFC-CA0D-4abf-97D5-58E75E45FB27}\stubpath = "C:\\Windows\\{4D7DDBFC-CA0D-4abf-97D5-58E75E45FB27}.exe"	{8C52FA76-0B12-4392-A4D5-A79696CA87D7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{83B00C79-9F0D-451c-9227-E8D884499CE6}	{4D7DDBFC-CA0D-4abf-97D5-58E75E45FB27}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{43DCAC1D-C54E-4787-B170-6E4A14C6F453}\stubpath = "C:\\Windows\\{43DCAC1D-C54E-4787-B170-6E4A14C6F453}.exe"	2024-03-05_b154ca9d59307346fe77450ccc21ac14_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2393FFFD-127E-4a20-9096-F5571B1736C2}	{43DCAC1D-C54E-4787-B170-6E4A14C6F453}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5914C54F-A527-4223-867A-87F59BEB5A52}\stubpath = "C:\\Windows\\{5914C54F-A527-4223-867A-87F59BEB5A52}.exe"	{F4762D58-89E0-48c3-99B1-618CE0A53B2C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8C52FA76-0B12-4392-A4D5-A79696CA87D7}	{89C9BEBD-30FB-4046-90EC-D7496C7A0E68}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4D7DDBFC-CA0D-4abf-97D5-58E75E45FB27}	{8C52FA76-0B12-4392-A4D5-A79696CA87D7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2393FFFD-127E-4a20-9096-F5571B1736C2}\stubpath = "C:\\Windows\\{2393FFFD-127E-4a20-9096-F5571B1736C2}.exe"	{43DCAC1D-C54E-4787-B170-6E4A14C6F453}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B0984F4D-78C0-4289-A64B-FAB52045021F}\stubpath = "C:\\Windows\\{B0984F4D-78C0-4289-A64B-FAB52045021F}.exe"	{2393FFFD-127E-4a20-9096-F5571B1736C2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D85406A8-0F29-4853-AFD1-9F38A8A7E48E}\stubpath = "C:\\Windows\\{D85406A8-0F29-4853-AFD1-9F38A8A7E48E}.exe"	{5914C54F-A527-4223-867A-87F59BEB5A52}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{89C9BEBD-30FB-4046-90EC-D7496C7A0E68}	{D85406A8-0F29-4853-AFD1-9F38A8A7E48E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B0984F4D-78C0-4289-A64B-FAB52045021F}	{2393FFFD-127E-4a20-9096-F5571B1736C2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8C52FA76-0B12-4392-A4D5-A79696CA87D7}\stubpath = "C:\\Windows\\{8C52FA76-0B12-4392-A4D5-A79696CA87D7}.exe"	{89C9BEBD-30FB-4046-90EC-D7496C7A0E68}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{83B00C79-9F0D-451c-9227-E8D884499CE6}\stubpath = "C:\\Windows\\{83B00C79-9F0D-451c-9227-E8D884499CE6}.exe"	{4D7DDBFC-CA0D-4abf-97D5-58E75E45FB27}.exe

Deletes itself 1 IoCs

pid	Process
2252	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
3060	{43DCAC1D-C54E-4787-B170-6E4A14C6F453}.exe
2692	{2393FFFD-127E-4a20-9096-F5571B1736C2}.exe
2684	{B0984F4D-78C0-4289-A64B-FAB52045021F}.exe
2712	{01E00A94-541C-4c4d-9E1C-055A7FFDB4DE}.exe
2824	{F4762D58-89E0-48c3-99B1-618CE0A53B2C}.exe
1684	{5914C54F-A527-4223-867A-87F59BEB5A52}.exe
1736	{D85406A8-0F29-4853-AFD1-9F38A8A7E48E}.exe
312	{89C9BEBD-30FB-4046-90EC-D7496C7A0E68}.exe
2016	{8C52FA76-0B12-4392-A4D5-A79696CA87D7}.exe
2292	{4D7DDBFC-CA0D-4abf-97D5-58E75E45FB27}.exe
592	{83B00C79-9F0D-451c-9227-E8D884499CE6}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{F4762D58-89E0-48c3-99B1-618CE0A53B2C}.exe	{01E00A94-541C-4c4d-9E1C-055A7FFDB4DE}.exe
File created	C:\Windows\{5914C54F-A527-4223-867A-87F59BEB5A52}.exe	{F4762D58-89E0-48c3-99B1-618CE0A53B2C}.exe
File created	C:\Windows\{89C9BEBD-30FB-4046-90EC-D7496C7A0E68}.exe	{D85406A8-0F29-4853-AFD1-9F38A8A7E48E}.exe
File created	C:\Windows\{4D7DDBFC-CA0D-4abf-97D5-58E75E45FB27}.exe	{8C52FA76-0B12-4392-A4D5-A79696CA87D7}.exe
File created	C:\Windows\{43DCAC1D-C54E-4787-B170-6E4A14C6F453}.exe	2024-03-05_b154ca9d59307346fe77450ccc21ac14_goldeneye.exe
File created	C:\Windows\{2393FFFD-127E-4a20-9096-F5571B1736C2}.exe	{43DCAC1D-C54E-4787-B170-6E4A14C6F453}.exe
File created	C:\Windows\{B0984F4D-78C0-4289-A64B-FAB52045021F}.exe	{2393FFFD-127E-4a20-9096-F5571B1736C2}.exe
File created	C:\Windows\{01E00A94-541C-4c4d-9E1C-055A7FFDB4DE}.exe	{B0984F4D-78C0-4289-A64B-FAB52045021F}.exe
File created	C:\Windows\{D85406A8-0F29-4853-AFD1-9F38A8A7E48E}.exe	{5914C54F-A527-4223-867A-87F59BEB5A52}.exe
File created	C:\Windows\{8C52FA76-0B12-4392-A4D5-A79696CA87D7}.exe	{89C9BEBD-30FB-4046-90EC-D7496C7A0E68}.exe
File created	C:\Windows\{83B00C79-9F0D-451c-9227-E8D884499CE6}.exe	{4D7DDBFC-CA0D-4abf-97D5-58E75E45FB27}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1804	2024-03-05_b154ca9d59307346fe77450ccc21ac14_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3060	{43DCAC1D-C54E-4787-B170-6E4A14C6F453}.exe
Token: SeIncBasePriorityPrivilege	2692	{2393FFFD-127E-4a20-9096-F5571B1736C2}.exe
Token: SeIncBasePriorityPrivilege	2684	{B0984F4D-78C0-4289-A64B-FAB52045021F}.exe
Token: SeIncBasePriorityPrivilege	2712	{01E00A94-541C-4c4d-9E1C-055A7FFDB4DE}.exe
Token: SeIncBasePriorityPrivilege	2824	{F4762D58-89E0-48c3-99B1-618CE0A53B2C}.exe
Token: SeIncBasePriorityPrivilege	1684	{5914C54F-A527-4223-867A-87F59BEB5A52}.exe
Token: SeIncBasePriorityPrivilege	1736	{D85406A8-0F29-4853-AFD1-9F38A8A7E48E}.exe
Token: SeIncBasePriorityPrivilege	312	{89C9BEBD-30FB-4046-90EC-D7496C7A0E68}.exe
Token: SeIncBasePriorityPrivilege	2016	{8C52FA76-0B12-4392-A4D5-A79696CA87D7}.exe
Token: SeIncBasePriorityPrivilege	2292	{4D7DDBFC-CA0D-4abf-97D5-58E75E45FB27}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1804 wrote to memory of 3060	1804	2024-03-05_b154ca9d59307346fe77450ccc21ac14_goldeneye.exe	28
PID 1804 wrote to memory of 3060	1804	2024-03-05_b154ca9d59307346fe77450ccc21ac14_goldeneye.exe	28
PID 1804 wrote to memory of 3060	1804	2024-03-05_b154ca9d59307346fe77450ccc21ac14_goldeneye.exe	28
PID 1804 wrote to memory of 3060	1804	2024-03-05_b154ca9d59307346fe77450ccc21ac14_goldeneye.exe	28
PID 1804 wrote to memory of 2252	1804	2024-03-05_b154ca9d59307346fe77450ccc21ac14_goldeneye.exe	29
PID 1804 wrote to memory of 2252	1804	2024-03-05_b154ca9d59307346fe77450ccc21ac14_goldeneye.exe	29
PID 1804 wrote to memory of 2252	1804	2024-03-05_b154ca9d59307346fe77450ccc21ac14_goldeneye.exe	29
PID 1804 wrote to memory of 2252	1804	2024-03-05_b154ca9d59307346fe77450ccc21ac14_goldeneye.exe	29
PID 3060 wrote to memory of 2692	3060	{43DCAC1D-C54E-4787-B170-6E4A14C6F453}.exe	30
PID 3060 wrote to memory of 2692	3060	{43DCAC1D-C54E-4787-B170-6E4A14C6F453}.exe	30
PID 3060 wrote to memory of 2692	3060	{43DCAC1D-C54E-4787-B170-6E4A14C6F453}.exe	30
PID 3060 wrote to memory of 2692	3060	{43DCAC1D-C54E-4787-B170-6E4A14C6F453}.exe	30
PID 3060 wrote to memory of 2600	3060	{43DCAC1D-C54E-4787-B170-6E4A14C6F453}.exe	31
PID 3060 wrote to memory of 2600	3060	{43DCAC1D-C54E-4787-B170-6E4A14C6F453}.exe	31
PID 3060 wrote to memory of 2600	3060	{43DCAC1D-C54E-4787-B170-6E4A14C6F453}.exe	31
PID 3060 wrote to memory of 2600	3060	{43DCAC1D-C54E-4787-B170-6E4A14C6F453}.exe	31
PID 2692 wrote to memory of 2684	2692	{2393FFFD-127E-4a20-9096-F5571B1736C2}.exe	32
PID 2692 wrote to memory of 2684	2692	{2393FFFD-127E-4a20-9096-F5571B1736C2}.exe	32
PID 2692 wrote to memory of 2684	2692	{2393FFFD-127E-4a20-9096-F5571B1736C2}.exe	32
PID 2692 wrote to memory of 2684	2692	{2393FFFD-127E-4a20-9096-F5571B1736C2}.exe	32
PID 2692 wrote to memory of 2496	2692	{2393FFFD-127E-4a20-9096-F5571B1736C2}.exe	33
PID 2692 wrote to memory of 2496	2692	{2393FFFD-127E-4a20-9096-F5571B1736C2}.exe	33
PID 2692 wrote to memory of 2496	2692	{2393FFFD-127E-4a20-9096-F5571B1736C2}.exe	33
PID 2692 wrote to memory of 2496	2692	{2393FFFD-127E-4a20-9096-F5571B1736C2}.exe	33
PID 2684 wrote to memory of 2712	2684	{B0984F4D-78C0-4289-A64B-FAB52045021F}.exe	36
PID 2684 wrote to memory of 2712	2684	{B0984F4D-78C0-4289-A64B-FAB52045021F}.exe	36
PID 2684 wrote to memory of 2712	2684	{B0984F4D-78C0-4289-A64B-FAB52045021F}.exe	36
PID 2684 wrote to memory of 2712	2684	{B0984F4D-78C0-4289-A64B-FAB52045021F}.exe	36
PID 2684 wrote to memory of 764	2684	{B0984F4D-78C0-4289-A64B-FAB52045021F}.exe	37
PID 2684 wrote to memory of 764	2684	{B0984F4D-78C0-4289-A64B-FAB52045021F}.exe	37
PID 2684 wrote to memory of 764	2684	{B0984F4D-78C0-4289-A64B-FAB52045021F}.exe	37
PID 2684 wrote to memory of 764	2684	{B0984F4D-78C0-4289-A64B-FAB52045021F}.exe	37
PID 2712 wrote to memory of 2824	2712	{01E00A94-541C-4c4d-9E1C-055A7FFDB4DE}.exe	38
PID 2712 wrote to memory of 2824	2712	{01E00A94-541C-4c4d-9E1C-055A7FFDB4DE}.exe	38
PID 2712 wrote to memory of 2824	2712	{01E00A94-541C-4c4d-9E1C-055A7FFDB4DE}.exe	38
PID 2712 wrote to memory of 2824	2712	{01E00A94-541C-4c4d-9E1C-055A7FFDB4DE}.exe	38
PID 2712 wrote to memory of 2944	2712	{01E00A94-541C-4c4d-9E1C-055A7FFDB4DE}.exe	39
PID 2712 wrote to memory of 2944	2712	{01E00A94-541C-4c4d-9E1C-055A7FFDB4DE}.exe	39
PID 2712 wrote to memory of 2944	2712	{01E00A94-541C-4c4d-9E1C-055A7FFDB4DE}.exe	39
PID 2712 wrote to memory of 2944	2712	{01E00A94-541C-4c4d-9E1C-055A7FFDB4DE}.exe	39
PID 2824 wrote to memory of 1684	2824	{F4762D58-89E0-48c3-99B1-618CE0A53B2C}.exe	40
PID 2824 wrote to memory of 1684	2824	{F4762D58-89E0-48c3-99B1-618CE0A53B2C}.exe	40
PID 2824 wrote to memory of 1684	2824	{F4762D58-89E0-48c3-99B1-618CE0A53B2C}.exe	40
PID 2824 wrote to memory of 1684	2824	{F4762D58-89E0-48c3-99B1-618CE0A53B2C}.exe	40
PID 2824 wrote to memory of 1788	2824	{F4762D58-89E0-48c3-99B1-618CE0A53B2C}.exe	41
PID 2824 wrote to memory of 1788	2824	{F4762D58-89E0-48c3-99B1-618CE0A53B2C}.exe	41
PID 2824 wrote to memory of 1788	2824	{F4762D58-89E0-48c3-99B1-618CE0A53B2C}.exe	41
PID 2824 wrote to memory of 1788	2824	{F4762D58-89E0-48c3-99B1-618CE0A53B2C}.exe	41
PID 1684 wrote to memory of 1736	1684	{5914C54F-A527-4223-867A-87F59BEB5A52}.exe	42
PID 1684 wrote to memory of 1736	1684	{5914C54F-A527-4223-867A-87F59BEB5A52}.exe	42
PID 1684 wrote to memory of 1736	1684	{5914C54F-A527-4223-867A-87F59BEB5A52}.exe	42
PID 1684 wrote to memory of 1736	1684	{5914C54F-A527-4223-867A-87F59BEB5A52}.exe	42
PID 1684 wrote to memory of 1416	1684	{5914C54F-A527-4223-867A-87F59BEB5A52}.exe	43
PID 1684 wrote to memory of 1416	1684	{5914C54F-A527-4223-867A-87F59BEB5A52}.exe	43
PID 1684 wrote to memory of 1416	1684	{5914C54F-A527-4223-867A-87F59BEB5A52}.exe	43
PID 1684 wrote to memory of 1416	1684	{5914C54F-A527-4223-867A-87F59BEB5A52}.exe	43
PID 1736 wrote to memory of 312	1736	{D85406A8-0F29-4853-AFD1-9F38A8A7E48E}.exe	44
PID 1736 wrote to memory of 312	1736	{D85406A8-0F29-4853-AFD1-9F38A8A7E48E}.exe	44
PID 1736 wrote to memory of 312	1736	{D85406A8-0F29-4853-AFD1-9F38A8A7E48E}.exe	44
PID 1736 wrote to memory of 312	1736	{D85406A8-0F29-4853-AFD1-9F38A8A7E48E}.exe	44
PID 1736 wrote to memory of 1532	1736	{D85406A8-0F29-4853-AFD1-9F38A8A7E48E}.exe	45
PID 1736 wrote to memory of 1532	1736	{D85406A8-0F29-4853-AFD1-9F38A8A7E48E}.exe	45
PID 1736 wrote to memory of 1532	1736	{D85406A8-0F29-4853-AFD1-9F38A8A7E48E}.exe	45
PID 1736 wrote to memory of 1532	1736	{D85406A8-0F29-4853-AFD1-9F38A8A7E48E}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-03-05_b154ca9d59307346fe77450ccc21ac14_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-05_b154ca9d59307346fe77450ccc21ac14_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1804
- C:\Windows\{43DCAC1D-C54E-4787-B170-6E4A14C6F453}.exe
  C:\Windows\{43DCAC1D-C54E-4787-B170-6E4A14C6F453}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3060
- - C:\Windows\{2393FFFD-127E-4a20-9096-F5571B1736C2}.exe
    C:\Windows\{2393FFFD-127E-4a20-9096-F5571B1736C2}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2692
  - - C:\Windows\{B0984F4D-78C0-4289-A64B-FAB52045021F}.exe
      C:\Windows\{B0984F4D-78C0-4289-A64B-FAB52045021F}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2684
    - - C:\Windows\{01E00A94-541C-4c4d-9E1C-055A7FFDB4DE}.exe
        
        C:\Windows\{01E00A94-541C-4c4d-9E1C-055A7FFDB4DE}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2712
      - C:\Windows\{F4762D58-89E0-48c3-99B1-618CE0A53B2C}.exe
        
        C:\Windows\{F4762D58-89E0-48c3-99B1-618CE0A53B2C}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2824
        
        C:\Windows\{5914C54F-A527-4223-867A-87F59BEB5A52}.exe
        
        C:\Windows\{5914C54F-A527-4223-867A-87F59BEB5A52}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1684
        
        C:\Windows\{D85406A8-0F29-4853-AFD1-9F38A8A7E48E}.exe
        
        C:\Windows\{D85406A8-0F29-4853-AFD1-9F38A8A7E48E}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1736
        
        C:\Windows\{89C9BEBD-30FB-4046-90EC-D7496C7A0E68}.exe
        
        C:\Windows\{89C9BEBD-30FB-4046-90EC-D7496C7A0E68}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:312
        
        C:\Windows\{8C52FA76-0B12-4392-A4D5-A79696CA87D7}.exe
        
        C:\Windows\{8C52FA76-0B12-4392-A4D5-A79696CA87D7}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2016
        
        C:\Windows\{4D7DDBFC-CA0D-4abf-97D5-58E75E45FB27}.exe
        
        C:\Windows\{4D7DDBFC-CA0D-4abf-97D5-58E75E45FB27}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2292
        
        C:\Windows\{83B00C79-9F0D-451c-9227-E8D884499CE6}.exe
        
        C:\Windows\{83B00C79-9F0D-451c-9227-E8D884499CE6}.exe
        12⤵
        Executes dropped EXE
        
        PID:592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4D7DD~1.EXE > nul
        12⤵
        
        PID:948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8C52F~1.EXE > nul
        11⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{89C9B~1.EXE > nul
        10⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D8540~1.EXE > nul
        9⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5914C~1.EXE > nul
        8⤵
        
        PID:1416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F4762~1.EXE > nul
        7⤵
        
        PID:1788
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{01E00~1.EXE > nul
        6⤵
        
        PID:2944
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B0984~1.EXE > nul
        5⤵
        
        PID:764
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{2393F~1.EXE > nul
      4⤵
      PID:2496
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{43DCA~1.EXE > nul
    3⤵
    PID:2600
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{01E00A94-541C-4c4d-9E1C-055A7FFDB4DE}.exe

Filesize
168KB

MD5
f76d5a49d8c51474046f6758bab96a79

SHA1
0b43666816ab05aca999969b27aaf1d61e52cc6b

SHA256
44221fe1c255d9bae5f1db4a189edeba86bdafce2d1a9f5ff536b9449ec785c9

SHA512
4ac18805e086cad9757e0c5d24018714260117f81b10aa2e56b7ae51d27b4da1c6b776451268bf16399b89a4469c67da54f1d45f04e478268a31f23c567e5f65

Download Submit
C:\Windows\{2393FFFD-127E-4a20-9096-F5571B1736C2}.exe

Filesize
168KB

MD5
b0d801ba1eaa251a4babad53a59fe30b

SHA1
5cf0c7fc526ba40bd19ac18b9ed908c0a355dab7

SHA256
6ac706e54c5b98c9e75b42db6df6859dfae83601a638a62c14e0366507c54b74

SHA512
49d567ace2c42917ea3bd93cf109a63465c30f2c4dcabf2ee19101602434f98fc1737e4b566f157df4db0dc8cc06349acf8e30fdf75d9017327afac016496465

Download Submit
C:\Windows\{43DCAC1D-C54E-4787-B170-6E4A14C6F453}.exe

Filesize
168KB

MD5
9126bae0551df3f3942669dcc83a89c4

SHA1
0188806e6db6f90a808077b30384cd0c5e153bc8

SHA256
84d2e820bc7ea6dc15fcd3e2626080efde5c61736a0f43932714df8663348018

SHA512
41120eb54ed126dc1c63a3ecd35ab1735fdab62900d215802f6515a87f53e1b1c23e0e0c6e77a9cf5b2aec58b0a69e2b4dff6fdd7b85f2306aa4c2266584d1cf

Download Submit
C:\Windows\{4D7DDBFC-CA0D-4abf-97D5-58E75E45FB27}.exe

Filesize
168KB

MD5
28f3fcc0a52cbbabb6f5c63c794b6b26

SHA1
8b92e91c26331f76df0d66025f4edc9eda4997cd

SHA256
25c4e9b7b2db2c5dc1a62a14813bfcaa625a5047ca317d3a5c318d4046c2d8bd

SHA512
5fa1ceeefdd7b87ac4530c98fca7633011759d9921dfc4891b6d3eb20ff826ef968e9efd14b5e3a5137f896d23e0798934839132e0adf1444b0caef16717d6fd

Download Submit
C:\Windows\{5914C54F-A527-4223-867A-87F59BEB5A52}.exe

Filesize
168KB

MD5
80660ce653e52adda283b2b960505403

SHA1
467dcaba10b1b624cddca8cd952dbd13a07ea34d

SHA256
15ef253e994e60fa7981bbe420851baa2b6fe3158a1963589cf4b7310c325439

SHA512
d118ce858fb9c3c115a6c3069809be553094507ed168b7ffcd6dd2af33f8ffb76e2cdffdf64a665a228fd2be282038d7c1f18696e665b5a4678b6360f27a8082

Download Submit
C:\Windows\{83B00C79-9F0D-451c-9227-E8D884499CE6}.exe

Filesize
168KB

MD5
83e901254db9c3bdcf03fa1a4d5e67eb

SHA1
ab0988c01b62be33897baf7077eeafeefd284c4b

SHA256
7e06b5b313a4170b71a3b44c605f759efcded876194f544819b89dc84491c1ba

SHA512
e31fe43b9374abeecf4fed605379399e48d8fa7136071ed102a53b5f0db1322d949296e45e0ea8c6720f73a6efb9860539a55218d5d6126881587c0113749421

Download Submit
C:\Windows\{89C9BEBD-30FB-4046-90EC-D7496C7A0E68}.exe

Filesize
168KB

MD5
5b627e13b6befb0cf2b2c2da4bbd9a8a

SHA1
2094be4d759910fdaabbd2bef9321b02f03a4df8

SHA256
c338307ebac4eba3ad7612fa84163b38540271eb4977c6f9eadbd79577898867

SHA512
aa0f7b96215ff847fdd2eb6eef83c36222dffd29064242e14d323b23ef5d6839d94f2dde9c2e5e90107db47f76bfe3e0b8a7b75a9ca87b4f5e6a9f9232cf8097

Download Submit
C:\Windows\{8C52FA76-0B12-4392-A4D5-A79696CA87D7}.exe

Filesize
168KB

MD5
e96bef785b9b5f9653ee35a85503ed54

SHA1
85d316b5a4dca922a845fdeddb2d162fe7bcdc9f

SHA256
200f31df1d255ad639c3547e07c982d8159d7c42c407ef76d68b1c59ccd7b525

SHA512
7e57762132730c43029ddb65a7cc07172edc84e0813d12279ee180dca77b0c0964ed2bcb322f4b4cde0c3d41ac210b9edc3c85a8ec48dc883596697c23e8762c

Download Submit
C:\Windows\{B0984F4D-78C0-4289-A64B-FAB52045021F}.exe

Filesize
168KB

MD5
e3e344b318e100bf277718127db78648

SHA1
dd4291e91017d3dc45dfc8b2c5316fbd675f1557

SHA256
475f79870e31314a16151a9bebc49f13de6e20b54211f6d1aae11b8ee5eaf5f5

SHA512
8cd42bc5b3f998c12fee79299d0f10a0db8de2785ca48feb22be6f524029ab808a44f5203f0ea6e8c0e5269b91d1564d19ba6c0adff4db6a9eb46fa22313b8f5

Download Submit
C:\Windows\{D85406A8-0F29-4853-AFD1-9F38A8A7E48E}.exe

Filesize
168KB

MD5
436afcd8efadcfc8c08589ab180a76e2

SHA1
50b1a83169b2b8134e7bbdfac5a98d708f59710e

SHA256
33222b3571dd30b2c2aa19ee8c797aec6a6065e1f9b707901f14cb2f7ca3b9eb

SHA512
628952dc18ba33ddb681b42da9aa345ab42b463acf855602aa2af09912e09091a43fd83d53bd3072dace9234ae71c967b7b135e1d4274b34d3801e7a11971146

Download Submit
C:\Windows\{F4762D58-89E0-48c3-99B1-618CE0A53B2C}.exe

Filesize
168KB

MD5
f17e4f9ee7f771d1036b4368f36b7fe6

SHA1
1d9586e63785fe9302fa558494666dfcdc0e6135

SHA256
36e0568bf2ee2e7f690ec092fa16d96d77a34144ff67b2d4aa746f897c5a7bea

SHA512
739ad49446a1935851810662ae3974f2b37cb06b164dda757be627b5f7b09acb21ddad778e13bdcdd82d991eb98ccc5f8ee46be8360d29a400354fdcd693488b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads