39b271473ac1d3b4ad99924b083988fa29561cefae8151e2579cc97229bb3daf

Analysis

max time kernel
144s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
05/03/2024, 19:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-05_5e42f0fa6fc953a37208331982ae2495_goldeneye.exe
Size

180KB
MD5

5e42f0fa6fc953a37208331982ae2495
SHA1

73fdfe13b45032f32280b3c8e3cfceacc55f3342
SHA256

39b271473ac1d3b4ad99924b083988fa29561cefae8151e2579cc97229bb3daf
SHA512

867af215bea2ac1571e6ec8a5e97e6f0678e9d6f922553e4ae8421159854bc51b1ab89ac8e96a09b2c2cef868772df770b2a63496c61321ed2c99e8f486e3d1d
SSDEEP

3072:jEGh0oHlfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGtl5eKcAEc

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000c000000012241-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b000000015a2d-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f00000000f680-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000015a2d-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000015c52-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000015a2d-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a000000015c52-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e000000015a2d-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b000000015c52-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f000000015a2d-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000015c52-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B4A99B4B-BA59-4646-9D89-1E444C92C437}\stubpath = "C:\\Windows\\{B4A99B4B-BA59-4646-9D89-1E444C92C437}.exe"	2024-03-05_5e42f0fa6fc953a37208331982ae2495_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F8321766-B2A2-4a46-805C-9056CBE52FE0}	{B4A99B4B-BA59-4646-9D89-1E444C92C437}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D8BFFCC0-2B82-457d-844C-D80570604B67}	{17312389-E302-45e5-AB67-EC577256EAA1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D8BFFCC0-2B82-457d-844C-D80570604B67}\stubpath = "C:\\Windows\\{D8BFFCC0-2B82-457d-844C-D80570604B67}.exe"	{17312389-E302-45e5-AB67-EC577256EAA1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A1DDE882-CBC1-4854-B266-D4E95EFA6B51}\stubpath = "C:\\Windows\\{A1DDE882-CBC1-4854-B266-D4E95EFA6B51}.exe"	{914601DA-2D79-4f63-8C1B-59377A70898C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A8BC8129-BFC5-42c9-9862-6A4B50D32446}	{A1DDE882-CBC1-4854-B266-D4E95EFA6B51}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E7A0A932-AE3A-4880-AFEC-95C758D859F7}	{A8BC8129-BFC5-42c9-9862-6A4B50D32446}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E7A0A932-AE3A-4880-AFEC-95C758D859F7}\stubpath = "C:\\Windows\\{E7A0A932-AE3A-4880-AFEC-95C758D859F7}.exe"	{A8BC8129-BFC5-42c9-9862-6A4B50D32446}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D8D08EAD-E2BF-48cf-9980-3F43E09387BF}	{3473BC42-5BF0-40c1-8B00-E6E2D0A551C4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D8D08EAD-E2BF-48cf-9980-3F43E09387BF}\stubpath = "C:\\Windows\\{D8D08EAD-E2BF-48cf-9980-3F43E09387BF}.exe"	{3473BC42-5BF0-40c1-8B00-E6E2D0A551C4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{10D50996-2753-4026-9086-CC98EE03CE82}	{D8BFFCC0-2B82-457d-844C-D80570604B67}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A1DDE882-CBC1-4854-B266-D4E95EFA6B51}	{914601DA-2D79-4f63-8C1B-59377A70898C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A8BC8129-BFC5-42c9-9862-6A4B50D32446}\stubpath = "C:\\Windows\\{A8BC8129-BFC5-42c9-9862-6A4B50D32446}.exe"	{A1DDE882-CBC1-4854-B266-D4E95EFA6B51}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3473BC42-5BF0-40c1-8B00-E6E2D0A551C4}\stubpath = "C:\\Windows\\{3473BC42-5BF0-40c1-8B00-E6E2D0A551C4}.exe"	{E7A0A932-AE3A-4880-AFEC-95C758D859F7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B4A99B4B-BA59-4646-9D89-1E444C92C437}	2024-03-05_5e42f0fa6fc953a37208331982ae2495_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{17312389-E302-45e5-AB67-EC577256EAA1}\stubpath = "C:\\Windows\\{17312389-E302-45e5-AB67-EC577256EAA1}.exe"	{F8321766-B2A2-4a46-805C-9056CBE52FE0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{10D50996-2753-4026-9086-CC98EE03CE82}\stubpath = "C:\\Windows\\{10D50996-2753-4026-9086-CC98EE03CE82}.exe"	{D8BFFCC0-2B82-457d-844C-D80570604B67}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F8321766-B2A2-4a46-805C-9056CBE52FE0}\stubpath = "C:\\Windows\\{F8321766-B2A2-4a46-805C-9056CBE52FE0}.exe"	{B4A99B4B-BA59-4646-9D89-1E444C92C437}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{17312389-E302-45e5-AB67-EC577256EAA1}	{F8321766-B2A2-4a46-805C-9056CBE52FE0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{914601DA-2D79-4f63-8C1B-59377A70898C}	{10D50996-2753-4026-9086-CC98EE03CE82}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{914601DA-2D79-4f63-8C1B-59377A70898C}\stubpath = "C:\\Windows\\{914601DA-2D79-4f63-8C1B-59377A70898C}.exe"	{10D50996-2753-4026-9086-CC98EE03CE82}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3473BC42-5BF0-40c1-8B00-E6E2D0A551C4}	{E7A0A932-AE3A-4880-AFEC-95C758D859F7}.exe

Deletes itself 1 IoCs

pid	Process
1680	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
1292	{B4A99B4B-BA59-4646-9D89-1E444C92C437}.exe
2540	{F8321766-B2A2-4a46-805C-9056CBE52FE0}.exe
2028	{17312389-E302-45e5-AB67-EC577256EAA1}.exe
2468	{D8BFFCC0-2B82-457d-844C-D80570604B67}.exe
2376	{10D50996-2753-4026-9086-CC98EE03CE82}.exe
2352	{914601DA-2D79-4f63-8C1B-59377A70898C}.exe
1552	{A1DDE882-CBC1-4854-B266-D4E95EFA6B51}.exe
1704	{A8BC8129-BFC5-42c9-9862-6A4B50D32446}.exe
2220	{E7A0A932-AE3A-4880-AFEC-95C758D859F7}.exe
2700	{3473BC42-5BF0-40c1-8B00-E6E2D0A551C4}.exe
1708	{D8D08EAD-E2BF-48cf-9980-3F43E09387BF}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{10D50996-2753-4026-9086-CC98EE03CE82}.exe	{D8BFFCC0-2B82-457d-844C-D80570604B67}.exe
File created	C:\Windows\{914601DA-2D79-4f63-8C1B-59377A70898C}.exe	{10D50996-2753-4026-9086-CC98EE03CE82}.exe
File created	C:\Windows\{A1DDE882-CBC1-4854-B266-D4E95EFA6B51}.exe	{914601DA-2D79-4f63-8C1B-59377A70898C}.exe
File created	C:\Windows\{B4A99B4B-BA59-4646-9D89-1E444C92C437}.exe	2024-03-05_5e42f0fa6fc953a37208331982ae2495_goldeneye.exe
File created	C:\Windows\{17312389-E302-45e5-AB67-EC577256EAA1}.exe	{F8321766-B2A2-4a46-805C-9056CBE52FE0}.exe
File created	C:\Windows\{D8BFFCC0-2B82-457d-844C-D80570604B67}.exe	{17312389-E302-45e5-AB67-EC577256EAA1}.exe
File created	C:\Windows\{A8BC8129-BFC5-42c9-9862-6A4B50D32446}.exe	{A1DDE882-CBC1-4854-B266-D4E95EFA6B51}.exe
File created	C:\Windows\{E7A0A932-AE3A-4880-AFEC-95C758D859F7}.exe	{A8BC8129-BFC5-42c9-9862-6A4B50D32446}.exe
File created	C:\Windows\{3473BC42-5BF0-40c1-8B00-E6E2D0A551C4}.exe	{E7A0A932-AE3A-4880-AFEC-95C758D859F7}.exe
File created	C:\Windows\{D8D08EAD-E2BF-48cf-9980-3F43E09387BF}.exe	{3473BC42-5BF0-40c1-8B00-E6E2D0A551C4}.exe
File created	C:\Windows\{F8321766-B2A2-4a46-805C-9056CBE52FE0}.exe	{B4A99B4B-BA59-4646-9D89-1E444C92C437}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2180	2024-03-05_5e42f0fa6fc953a37208331982ae2495_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1292	{B4A99B4B-BA59-4646-9D89-1E444C92C437}.exe
Token: SeIncBasePriorityPrivilege	2540	{F8321766-B2A2-4a46-805C-9056CBE52FE0}.exe
Token: SeIncBasePriorityPrivilege	2028	{17312389-E302-45e5-AB67-EC577256EAA1}.exe
Token: SeIncBasePriorityPrivilege	2468	{D8BFFCC0-2B82-457d-844C-D80570604B67}.exe
Token: SeIncBasePriorityPrivilege	2376	{10D50996-2753-4026-9086-CC98EE03CE82}.exe
Token: SeIncBasePriorityPrivilege	2352	{914601DA-2D79-4f63-8C1B-59377A70898C}.exe
Token: SeIncBasePriorityPrivilege	1552	{A1DDE882-CBC1-4854-B266-D4E95EFA6B51}.exe
Token: SeIncBasePriorityPrivilege	1704	{A8BC8129-BFC5-42c9-9862-6A4B50D32446}.exe
Token: SeIncBasePriorityPrivilege	2220	{E7A0A932-AE3A-4880-AFEC-95C758D859F7}.exe
Token: SeIncBasePriorityPrivilege	2700	{3473BC42-5BF0-40c1-8B00-E6E2D0A551C4}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2180 wrote to memory of 1292	2180	2024-03-05_5e42f0fa6fc953a37208331982ae2495_goldeneye.exe	28
PID 2180 wrote to memory of 1292	2180	2024-03-05_5e42f0fa6fc953a37208331982ae2495_goldeneye.exe	28
PID 2180 wrote to memory of 1292	2180	2024-03-05_5e42f0fa6fc953a37208331982ae2495_goldeneye.exe	28
PID 2180 wrote to memory of 1292	2180	2024-03-05_5e42f0fa6fc953a37208331982ae2495_goldeneye.exe	28
PID 2180 wrote to memory of 1680	2180	2024-03-05_5e42f0fa6fc953a37208331982ae2495_goldeneye.exe	29
PID 2180 wrote to memory of 1680	2180	2024-03-05_5e42f0fa6fc953a37208331982ae2495_goldeneye.exe	29
PID 2180 wrote to memory of 1680	2180	2024-03-05_5e42f0fa6fc953a37208331982ae2495_goldeneye.exe	29
PID 2180 wrote to memory of 1680	2180	2024-03-05_5e42f0fa6fc953a37208331982ae2495_goldeneye.exe	29
PID 1292 wrote to memory of 2540	1292	{B4A99B4B-BA59-4646-9D89-1E444C92C437}.exe	30
PID 1292 wrote to memory of 2540	1292	{B4A99B4B-BA59-4646-9D89-1E444C92C437}.exe	30
PID 1292 wrote to memory of 2540	1292	{B4A99B4B-BA59-4646-9D89-1E444C92C437}.exe	30
PID 1292 wrote to memory of 2540	1292	{B4A99B4B-BA59-4646-9D89-1E444C92C437}.exe	30
PID 1292 wrote to memory of 2608	1292	{B4A99B4B-BA59-4646-9D89-1E444C92C437}.exe	31
PID 1292 wrote to memory of 2608	1292	{B4A99B4B-BA59-4646-9D89-1E444C92C437}.exe	31
PID 1292 wrote to memory of 2608	1292	{B4A99B4B-BA59-4646-9D89-1E444C92C437}.exe	31
PID 1292 wrote to memory of 2608	1292	{B4A99B4B-BA59-4646-9D89-1E444C92C437}.exe	31
PID 2540 wrote to memory of 2028	2540	{F8321766-B2A2-4a46-805C-9056CBE52FE0}.exe	34
PID 2540 wrote to memory of 2028	2540	{F8321766-B2A2-4a46-805C-9056CBE52FE0}.exe	34
PID 2540 wrote to memory of 2028	2540	{F8321766-B2A2-4a46-805C-9056CBE52FE0}.exe	34
PID 2540 wrote to memory of 2028	2540	{F8321766-B2A2-4a46-805C-9056CBE52FE0}.exe	34
PID 2540 wrote to memory of 2440	2540	{F8321766-B2A2-4a46-805C-9056CBE52FE0}.exe	35
PID 2540 wrote to memory of 2440	2540	{F8321766-B2A2-4a46-805C-9056CBE52FE0}.exe	35
PID 2540 wrote to memory of 2440	2540	{F8321766-B2A2-4a46-805C-9056CBE52FE0}.exe	35
PID 2540 wrote to memory of 2440	2540	{F8321766-B2A2-4a46-805C-9056CBE52FE0}.exe	35
PID 2028 wrote to memory of 2468	2028	{17312389-E302-45e5-AB67-EC577256EAA1}.exe	36
PID 2028 wrote to memory of 2468	2028	{17312389-E302-45e5-AB67-EC577256EAA1}.exe	36
PID 2028 wrote to memory of 2468	2028	{17312389-E302-45e5-AB67-EC577256EAA1}.exe	36
PID 2028 wrote to memory of 2468	2028	{17312389-E302-45e5-AB67-EC577256EAA1}.exe	36
PID 2028 wrote to memory of 2812	2028	{17312389-E302-45e5-AB67-EC577256EAA1}.exe	37
PID 2028 wrote to memory of 2812	2028	{17312389-E302-45e5-AB67-EC577256EAA1}.exe	37
PID 2028 wrote to memory of 2812	2028	{17312389-E302-45e5-AB67-EC577256EAA1}.exe	37
PID 2028 wrote to memory of 2812	2028	{17312389-E302-45e5-AB67-EC577256EAA1}.exe	37
PID 2468 wrote to memory of 2376	2468	{D8BFFCC0-2B82-457d-844C-D80570604B67}.exe	38
PID 2468 wrote to memory of 2376	2468	{D8BFFCC0-2B82-457d-844C-D80570604B67}.exe	38
PID 2468 wrote to memory of 2376	2468	{D8BFFCC0-2B82-457d-844C-D80570604B67}.exe	38
PID 2468 wrote to memory of 2376	2468	{D8BFFCC0-2B82-457d-844C-D80570604B67}.exe	38
PID 2468 wrote to memory of 1004	2468	{D8BFFCC0-2B82-457d-844C-D80570604B67}.exe	39
PID 2468 wrote to memory of 1004	2468	{D8BFFCC0-2B82-457d-844C-D80570604B67}.exe	39
PID 2468 wrote to memory of 1004	2468	{D8BFFCC0-2B82-457d-844C-D80570604B67}.exe	39
PID 2468 wrote to memory of 1004	2468	{D8BFFCC0-2B82-457d-844C-D80570604B67}.exe	39
PID 2376 wrote to memory of 2352	2376	{10D50996-2753-4026-9086-CC98EE03CE82}.exe	40
PID 2376 wrote to memory of 2352	2376	{10D50996-2753-4026-9086-CC98EE03CE82}.exe	40
PID 2376 wrote to memory of 2352	2376	{10D50996-2753-4026-9086-CC98EE03CE82}.exe	40
PID 2376 wrote to memory of 2352	2376	{10D50996-2753-4026-9086-CC98EE03CE82}.exe	40
PID 2376 wrote to memory of 2336	2376	{10D50996-2753-4026-9086-CC98EE03CE82}.exe	41
PID 2376 wrote to memory of 2336	2376	{10D50996-2753-4026-9086-CC98EE03CE82}.exe	41
PID 2376 wrote to memory of 2336	2376	{10D50996-2753-4026-9086-CC98EE03CE82}.exe	41
PID 2376 wrote to memory of 2336	2376	{10D50996-2753-4026-9086-CC98EE03CE82}.exe	41
PID 2352 wrote to memory of 1552	2352	{914601DA-2D79-4f63-8C1B-59377A70898C}.exe	42
PID 2352 wrote to memory of 1552	2352	{914601DA-2D79-4f63-8C1B-59377A70898C}.exe	42
PID 2352 wrote to memory of 1552	2352	{914601DA-2D79-4f63-8C1B-59377A70898C}.exe	42
PID 2352 wrote to memory of 1552	2352	{914601DA-2D79-4f63-8C1B-59377A70898C}.exe	42
PID 2352 wrote to memory of 1808	2352	{914601DA-2D79-4f63-8C1B-59377A70898C}.exe	43
PID 2352 wrote to memory of 1808	2352	{914601DA-2D79-4f63-8C1B-59377A70898C}.exe	43
PID 2352 wrote to memory of 1808	2352	{914601DA-2D79-4f63-8C1B-59377A70898C}.exe	43
PID 2352 wrote to memory of 1808	2352	{914601DA-2D79-4f63-8C1B-59377A70898C}.exe	43
PID 1552 wrote to memory of 1704	1552	{A1DDE882-CBC1-4854-B266-D4E95EFA6B51}.exe	44
PID 1552 wrote to memory of 1704	1552	{A1DDE882-CBC1-4854-B266-D4E95EFA6B51}.exe	44
PID 1552 wrote to memory of 1704	1552	{A1DDE882-CBC1-4854-B266-D4E95EFA6B51}.exe	44
PID 1552 wrote to memory of 1704	1552	{A1DDE882-CBC1-4854-B266-D4E95EFA6B51}.exe	44
PID 1552 wrote to memory of 1856	1552	{A1DDE882-CBC1-4854-B266-D4E95EFA6B51}.exe	45
PID 1552 wrote to memory of 1856	1552	{A1DDE882-CBC1-4854-B266-D4E95EFA6B51}.exe	45
PID 1552 wrote to memory of 1856	1552	{A1DDE882-CBC1-4854-B266-D4E95EFA6B51}.exe	45
PID 1552 wrote to memory of 1856	1552	{A1DDE882-CBC1-4854-B266-D4E95EFA6B51}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-03-05_5e42f0fa6fc953a37208331982ae2495_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-05_5e42f0fa6fc953a37208331982ae2495_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2180
- C:\Windows\{B4A99B4B-BA59-4646-9D89-1E444C92C437}.exe
  C:\Windows\{B4A99B4B-BA59-4646-9D89-1E444C92C437}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1292
- - C:\Windows\{F8321766-B2A2-4a46-805C-9056CBE52FE0}.exe
    C:\Windows\{F8321766-B2A2-4a46-805C-9056CBE52FE0}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2540
  - - C:\Windows\{17312389-E302-45e5-AB67-EC577256EAA1}.exe
      C:\Windows\{17312389-E302-45e5-AB67-EC577256EAA1}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2028
    - - C:\Windows\{D8BFFCC0-2B82-457d-844C-D80570604B67}.exe
        
        C:\Windows\{D8BFFCC0-2B82-457d-844C-D80570604B67}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2468
      - C:\Windows\{10D50996-2753-4026-9086-CC98EE03CE82}.exe
        
        C:\Windows\{10D50996-2753-4026-9086-CC98EE03CE82}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2376
        
        C:\Windows\{914601DA-2D79-4f63-8C1B-59377A70898C}.exe
        
        C:\Windows\{914601DA-2D79-4f63-8C1B-59377A70898C}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2352
        
        C:\Windows\{A1DDE882-CBC1-4854-B266-D4E95EFA6B51}.exe
        
        C:\Windows\{A1DDE882-CBC1-4854-B266-D4E95EFA6B51}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1552
        
        C:\Windows\{A8BC8129-BFC5-42c9-9862-6A4B50D32446}.exe
        
        C:\Windows\{A8BC8129-BFC5-42c9-9862-6A4B50D32446}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1704
        
        C:\Windows\{E7A0A932-AE3A-4880-AFEC-95C758D859F7}.exe
        
        C:\Windows\{E7A0A932-AE3A-4880-AFEC-95C758D859F7}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2220
        
        C:\Windows\{3473BC42-5BF0-40c1-8B00-E6E2D0A551C4}.exe
        
        C:\Windows\{3473BC42-5BF0-40c1-8B00-E6E2D0A551C4}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2700
        
        C:\Windows\{D8D08EAD-E2BF-48cf-9980-3F43E09387BF}.exe
        
        C:\Windows\{D8D08EAD-E2BF-48cf-9980-3F43E09387BF}.exe
        12⤵
        Executes dropped EXE
        
        PID:1708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3473B~1.EXE > nul
        12⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E7A0A~1.EXE > nul
        11⤵
        
        PID:1412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A8BC8~1.EXE > nul
        10⤵
        
        PID:856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A1DDE~1.EXE > nul
        9⤵
        
        PID:1856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{91460~1.EXE > nul
        8⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{10D50~1.EXE > nul
        7⤵
        
        PID:2336
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D8BFF~1.EXE > nul
        6⤵
        
        PID:1004
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{17312~1.EXE > nul
        5⤵
        
        PID:2812
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{F8321~1.EXE > nul
      4⤵
      PID:2440
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{B4A99~1.EXE > nul
    3⤵
    PID:2608
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:1680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{10D50996-2753-4026-9086-CC98EE03CE82}.exe

Filesize
180KB

MD5
2e8da5352a4445415e0343e1a0573d90

SHA1
f7f1a760d783eb98f6d76a58466adda8d9ae0e9c

SHA256
e01c0c95e8dd38ce34e08879f30f58ddba05ccbc302b5e406f93826c3f9bd198

SHA512
9b8c1c1a721b42382086d5c6a0040cff0cdfcf11be89b3b83fc183968bd88330d9fce1dbdce1e89f25f4a1672097b3ddf06b591fb496175ec0cf920f74676403

Download Submit
C:\Windows\{17312389-E302-45e5-AB67-EC577256EAA1}.exe

Filesize
180KB

MD5
bea2dfb1d6af0595bca427dccd6bd200

SHA1
a85886f2aa62d2ba9d0435633b589a83a314a998

SHA256
81501a6c9b5d3f6f884a4c1d6a7f1c215a259d745dc421d275a187a24dcb544b

SHA512
2793db4822b801e5d69033942ef7630c6bbd5255c20b4550db1eaf9a54612ff1ba11738e260af9d528da99cf399579b78578778ace7565c318afb7f7c7eeb1ba

Download Submit
C:\Windows\{3473BC42-5BF0-40c1-8B00-E6E2D0A551C4}.exe

Filesize
180KB

MD5
877f71c539ed60678d66fa342dceeec8

SHA1
83b2713fb0a5060c88b1421d60d292973bffc33f

SHA256
81e155cd6cccc0379ebec215f446ee1af06d6189fba3f1248463dec40951cb4f

SHA512
68eb943ca7333da91770981e3d3e5f31f6a63d750e7ccd2c42a8297a71a13cb6057ebfe0f41b1ad82177faf8989a153ac23974ac91e054eefea092349de87c98

Download Submit
C:\Windows\{914601DA-2D79-4f63-8C1B-59377A70898C}.exe

Filesize
180KB

MD5
aebaf3beb54b59e69ab4b95e600d659c

SHA1
2395831bdde8f26ef750df48a233371206c0a16c

SHA256
6ddd3f70b3d191484743f83e96f75536a35597ddff1b1cfd5fcab3ebd294eaa9

SHA512
6cd0a9c409c5ee80761d01d9e1ca2d75d0ca69fefc724e70a61f482b596e48c5dce07804c4b372e61d4bb15e1084b2e423fa56508d040bff6fd46ae198fdba78

Download Submit
C:\Windows\{A1DDE882-CBC1-4854-B266-D4E95EFA6B51}.exe

Filesize
180KB

MD5
3071137b485f9766be87d2575776cc3b

SHA1
af9afabbc80a1eed9adbe676d7b4daf41f160409

SHA256
af005b113f5087c934d47d91c6a036ee16e913848e63ec8d38f8312872c9de6d

SHA512
171af7fcd07d11ea6ba1fff70f25d614f3d4e063ca5569fb69c669016a38e4f5dac05da561bdfdb6976924276a2fc47c5b851b0eeb516c7aaca2788bf4af0bf8

Download Submit
C:\Windows\{A8BC8129-BFC5-42c9-9862-6A4B50D32446}.exe

Filesize
180KB

MD5
f4410d010c108c56cf6928652d35e0ae

SHA1
2e418d589392d353cdee7828506438fe617600a6

SHA256
a4d8ca3bb8515473cacb137a3fca45d55930f52bc99ca55e38da8d4dedf9136a

SHA512
b38478597ed7ac68077672af347da6d1c0c00e87f89da2fb821b59a6213d158da027fe1a5a920a5098ffbcccf9b1f7e56db7dd493214fc1b936daf688b2321d4

Download Submit
C:\Windows\{B4A99B4B-BA59-4646-9D89-1E444C92C437}.exe

Filesize
180KB

MD5
9b6f272aff743123bfbfff3025684505

SHA1
f15c3a9321368fa1c7d1f6a2eefb9605b384203e

SHA256
0298314df563cf0a9f13bb298dc0b8e0359aa83b03158edc1acffa23405eda00

SHA512
45b6a9e1a41d9b6769f0a93646b39adaadb916d21134ab0477d77c281804cf2b9ba2cf580e00397eeef17796c94322922ec54dcb2370ffbe760e0cb4d424ae6c

Download Submit
C:\Windows\{D8BFFCC0-2B82-457d-844C-D80570604B67}.exe

Filesize
180KB

MD5
b1e3f304f9542f74a191211e47fb4468

SHA1
ade75a511e4ae2a23d5a3c80d24d4c4438b93bce

SHA256
d3f9027b03681eeaf59bfc9b079992345a8ec3f72414637bc51268ca7661f898

SHA512
efa68ad7454dbd5a099b6b57f26de78dc274d0246ebfd8b3e747755979bf0a96faf0ffa4e235deda47e0068496f68c991238e982056b4e477dc12f6c31930386

Download Submit
C:\Windows\{D8D08EAD-E2BF-48cf-9980-3F43E09387BF}.exe

Filesize
180KB

MD5
07b566befb3673a0ec1d5d30a310b0f0

SHA1
49ab17fda8b53967c763e2c4e89796689788b5ec

SHA256
fabc85b7c7a2bc70559f52421f4f110b57c475ffed60d5dccdb45f59059734dc

SHA512
dd1138536c2be0da084db90afa57049f334425eef422022c9fe1273a12979ebed6daaf567ac76aa97369ae0b28463a87b61b4f9caf8eb832e1e1777291214b96

Download Submit
C:\Windows\{E7A0A932-AE3A-4880-AFEC-95C758D859F7}.exe

Filesize
180KB

MD5
a89747a632f4eef0bb9f7dde970242f1

SHA1
040e5a0250dbd26c4ba11ac5915e9643a144f895

SHA256
e58f8a6e3baa59047ca7632b8f4a95af324be23ff779522659a3e4c260bd5ce3

SHA512
1e64f426e2cbb362f4a9d9901ebb2ac56df431f51f67f88a2840191f0161f9f84258a023b9d93cf1c73a983a5cdc0e10a8c44aec3ff081cc322f98a20b375832

Download Submit
C:\Windows\{F8321766-B2A2-4a46-805C-9056CBE52FE0}.exe

Filesize
180KB

MD5
5dea705f352149eccfebde50616e48a9

SHA1
5f2371f291ba0383144fa26505d9c991d8b8264e

SHA256
29e4f8aa9bab5e73a72c70c642a846527bbcb2b88e00151dd3a11b04de370f3b

SHA512
c5b4e827db9629f69e800f10523027ae778bcc7aed569ec87253343d3842075a8cc791321f5807a22155e31b28afcb98275d737463bf58d89305ffde407ccd40

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads