a76b0de94fdefedd7e05cb2d870b0a4e1ba1b00decce2f1a87bd030f00b2d9d0

Analysis

max time kernel
144s
max time network
121s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
06-03-2024 06:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-06_e77cc1c5995b8d825389c4fc17ce9778_goldeneye.exe
Size

344KB
MD5

e77cc1c5995b8d825389c4fc17ce9778
SHA1

a22db6d7cafee3f30e4dd8271f8ec01914e7653d
SHA256

a76b0de94fdefedd7e05cb2d870b0a4e1ba1b00decce2f1a87bd030f00b2d9d0
SHA512

2356bd2da0bd368774e2cd096d573d74e63364c9d938408fecc1c84dd57d953b9e73f56a26358e0f530c907b8b7abd172320454cb680e3b3993fe2e8e7b251e4
SSDEEP

3072:mEGh0o2lEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGUlqOe2MUVg3v2IneKcAEcA

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000c000000012331-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c00000001342e-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000012331-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0030000000013adc-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e000000012331-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f000000012331-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0010000000012331-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{920EF768-531F-46c6-ACB9-17B9C9F3C2EE}	{F357E3BE-F668-4507-A386-7A5F2EE17F70}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{427A7E20-D8D2-49ac-BB48-9E6F45146027}	{920EF768-531F-46c6-ACB9-17B9C9F3C2EE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{37BBD1C8-1856-4419-ACE1-308AEB559595}\stubpath = "C:\\Windows\\{37BBD1C8-1856-4419-ACE1-308AEB559595}.exe"	{427A7E20-D8D2-49ac-BB48-9E6F45146027}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{10E17A03-6DDC-4d97-AB98-F1C42386DA40}	{37BBD1C8-1856-4419-ACE1-308AEB559595}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B39B83DA-2B61-4bff-8969-6918948A8678}	{10E17A03-6DDC-4d97-AB98-F1C42386DA40}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{20AFFC33-172A-4694-BF2A-F6DE632DB142}	2024-03-06_e77cc1c5995b8d825389c4fc17ce9778_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{80EC1CCB-0427-4963-ACCB-6ED13ABFCF6F}	{20AFFC33-172A-4694-BF2A-F6DE632DB142}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F357E3BE-F668-4507-A386-7A5F2EE17F70}\stubpath = "C:\\Windows\\{F357E3BE-F668-4507-A386-7A5F2EE17F70}.exe"	{CBDD870E-F6E7-4c46-925F-D915979FC838}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B39B83DA-2B61-4bff-8969-6918948A8678}\stubpath = "C:\\Windows\\{B39B83DA-2B61-4bff-8969-6918948A8678}.exe"	{10E17A03-6DDC-4d97-AB98-F1C42386DA40}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{32741591-5403-48c5-B617-8180502290F3}\stubpath = "C:\\Windows\\{32741591-5403-48c5-B617-8180502290F3}.exe"	{B39B83DA-2B61-4bff-8969-6918948A8678}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CBDD870E-F6E7-4c46-925F-D915979FC838}\stubpath = "C:\\Windows\\{CBDD870E-F6E7-4c46-925F-D915979FC838}.exe"	{66105A93-C2A3-433d-922C-FD416BFA2B68}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F357E3BE-F668-4507-A386-7A5F2EE17F70}	{CBDD870E-F6E7-4c46-925F-D915979FC838}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{427A7E20-D8D2-49ac-BB48-9E6F45146027}\stubpath = "C:\\Windows\\{427A7E20-D8D2-49ac-BB48-9E6F45146027}.exe"	{920EF768-531F-46c6-ACB9-17B9C9F3C2EE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{80EC1CCB-0427-4963-ACCB-6ED13ABFCF6F}\stubpath = "C:\\Windows\\{80EC1CCB-0427-4963-ACCB-6ED13ABFCF6F}.exe"	{20AFFC33-172A-4694-BF2A-F6DE632DB142}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{66105A93-C2A3-433d-922C-FD416BFA2B68}	{80EC1CCB-0427-4963-ACCB-6ED13ABFCF6F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{66105A93-C2A3-433d-922C-FD416BFA2B68}\stubpath = "C:\\Windows\\{66105A93-C2A3-433d-922C-FD416BFA2B68}.exe"	{80EC1CCB-0427-4963-ACCB-6ED13ABFCF6F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{37BBD1C8-1856-4419-ACE1-308AEB559595}	{427A7E20-D8D2-49ac-BB48-9E6F45146027}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{10E17A03-6DDC-4d97-AB98-F1C42386DA40}\stubpath = "C:\\Windows\\{10E17A03-6DDC-4d97-AB98-F1C42386DA40}.exe"	{37BBD1C8-1856-4419-ACE1-308AEB559595}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{32741591-5403-48c5-B617-8180502290F3}	{B39B83DA-2B61-4bff-8969-6918948A8678}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{20AFFC33-172A-4694-BF2A-F6DE632DB142}\stubpath = "C:\\Windows\\{20AFFC33-172A-4694-BF2A-F6DE632DB142}.exe"	2024-03-06_e77cc1c5995b8d825389c4fc17ce9778_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CBDD870E-F6E7-4c46-925F-D915979FC838}	{66105A93-C2A3-433d-922C-FD416BFA2B68}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{920EF768-531F-46c6-ACB9-17B9C9F3C2EE}\stubpath = "C:\\Windows\\{920EF768-531F-46c6-ACB9-17B9C9F3C2EE}.exe"	{F357E3BE-F668-4507-A386-7A5F2EE17F70}.exe

Deletes itself 1 IoCs

pid	Process
2548	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2104	{20AFFC33-172A-4694-BF2A-F6DE632DB142}.exe
2656	{80EC1CCB-0427-4963-ACCB-6ED13ABFCF6F}.exe
320	{66105A93-C2A3-433d-922C-FD416BFA2B68}.exe
2928	{CBDD870E-F6E7-4c46-925F-D915979FC838}.exe
2796	{F357E3BE-F668-4507-A386-7A5F2EE17F70}.exe
3040	{920EF768-531F-46c6-ACB9-17B9C9F3C2EE}.exe
2368	{427A7E20-D8D2-49ac-BB48-9E6F45146027}.exe
1892	{37BBD1C8-1856-4419-ACE1-308AEB559595}.exe
2304	{10E17A03-6DDC-4d97-AB98-F1C42386DA40}.exe
2376	{B39B83DA-2B61-4bff-8969-6918948A8678}.exe
708	{32741591-5403-48c5-B617-8180502290F3}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{920EF768-531F-46c6-ACB9-17B9C9F3C2EE}.exe	{F357E3BE-F668-4507-A386-7A5F2EE17F70}.exe
File created	C:\Windows\{427A7E20-D8D2-49ac-BB48-9E6F45146027}.exe	{920EF768-531F-46c6-ACB9-17B9C9F3C2EE}.exe
File created	C:\Windows\{37BBD1C8-1856-4419-ACE1-308AEB559595}.exe	{427A7E20-D8D2-49ac-BB48-9E6F45146027}.exe
File created	C:\Windows\{10E17A03-6DDC-4d97-AB98-F1C42386DA40}.exe	{37BBD1C8-1856-4419-ACE1-308AEB559595}.exe
File created	C:\Windows\{32741591-5403-48c5-B617-8180502290F3}.exe	{B39B83DA-2B61-4bff-8969-6918948A8678}.exe
File created	C:\Windows\{80EC1CCB-0427-4963-ACCB-6ED13ABFCF6F}.exe	{20AFFC33-172A-4694-BF2A-F6DE632DB142}.exe
File created	C:\Windows\{66105A93-C2A3-433d-922C-FD416BFA2B68}.exe	{80EC1CCB-0427-4963-ACCB-6ED13ABFCF6F}.exe
File created	C:\Windows\{F357E3BE-F668-4507-A386-7A5F2EE17F70}.exe	{CBDD870E-F6E7-4c46-925F-D915979FC838}.exe
File created	C:\Windows\{B39B83DA-2B61-4bff-8969-6918948A8678}.exe	{10E17A03-6DDC-4d97-AB98-F1C42386DA40}.exe
File created	C:\Windows\{20AFFC33-172A-4694-BF2A-F6DE632DB142}.exe	2024-03-06_e77cc1c5995b8d825389c4fc17ce9778_goldeneye.exe
File created	C:\Windows\{CBDD870E-F6E7-4c46-925F-D915979FC838}.exe	{66105A93-C2A3-433d-922C-FD416BFA2B68}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2348	2024-03-06_e77cc1c5995b8d825389c4fc17ce9778_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2104	{20AFFC33-172A-4694-BF2A-F6DE632DB142}.exe
Token: SeIncBasePriorityPrivilege	2656	{80EC1CCB-0427-4963-ACCB-6ED13ABFCF6F}.exe
Token: SeIncBasePriorityPrivilege	320	{66105A93-C2A3-433d-922C-FD416BFA2B68}.exe
Token: SeIncBasePriorityPrivilege	2928	{CBDD870E-F6E7-4c46-925F-D915979FC838}.exe
Token: SeIncBasePriorityPrivilege	2796	{F357E3BE-F668-4507-A386-7A5F2EE17F70}.exe
Token: SeIncBasePriorityPrivilege	3040	{920EF768-531F-46c6-ACB9-17B9C9F3C2EE}.exe
Token: SeIncBasePriorityPrivilege	2368	{427A7E20-D8D2-49ac-BB48-9E6F45146027}.exe
Token: SeIncBasePriorityPrivilege	1892	{37BBD1C8-1856-4419-ACE1-308AEB559595}.exe
Token: SeIncBasePriorityPrivilege	2304	{10E17A03-6DDC-4d97-AB98-F1C42386DA40}.exe
Token: SeIncBasePriorityPrivilege	2376	{B39B83DA-2B61-4bff-8969-6918948A8678}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2348 wrote to memory of 2104	2348	2024-03-06_e77cc1c5995b8d825389c4fc17ce9778_goldeneye.exe	28
PID 2348 wrote to memory of 2104	2348	2024-03-06_e77cc1c5995b8d825389c4fc17ce9778_goldeneye.exe	28
PID 2348 wrote to memory of 2104	2348	2024-03-06_e77cc1c5995b8d825389c4fc17ce9778_goldeneye.exe	28
PID 2348 wrote to memory of 2104	2348	2024-03-06_e77cc1c5995b8d825389c4fc17ce9778_goldeneye.exe	28
PID 2348 wrote to memory of 2548	2348	2024-03-06_e77cc1c5995b8d825389c4fc17ce9778_goldeneye.exe	29
PID 2348 wrote to memory of 2548	2348	2024-03-06_e77cc1c5995b8d825389c4fc17ce9778_goldeneye.exe	29
PID 2348 wrote to memory of 2548	2348	2024-03-06_e77cc1c5995b8d825389c4fc17ce9778_goldeneye.exe	29
PID 2348 wrote to memory of 2548	2348	2024-03-06_e77cc1c5995b8d825389c4fc17ce9778_goldeneye.exe	29
PID 2104 wrote to memory of 2656	2104	{20AFFC33-172A-4694-BF2A-F6DE632DB142}.exe	30
PID 2104 wrote to memory of 2656	2104	{20AFFC33-172A-4694-BF2A-F6DE632DB142}.exe	30
PID 2104 wrote to memory of 2656	2104	{20AFFC33-172A-4694-BF2A-F6DE632DB142}.exe	30
PID 2104 wrote to memory of 2656	2104	{20AFFC33-172A-4694-BF2A-F6DE632DB142}.exe	30
PID 2104 wrote to memory of 2848	2104	{20AFFC33-172A-4694-BF2A-F6DE632DB142}.exe	31
PID 2104 wrote to memory of 2848	2104	{20AFFC33-172A-4694-BF2A-F6DE632DB142}.exe	31
PID 2104 wrote to memory of 2848	2104	{20AFFC33-172A-4694-BF2A-F6DE632DB142}.exe	31
PID 2104 wrote to memory of 2848	2104	{20AFFC33-172A-4694-BF2A-F6DE632DB142}.exe	31
PID 2656 wrote to memory of 320	2656	{80EC1CCB-0427-4963-ACCB-6ED13ABFCF6F}.exe	32
PID 2656 wrote to memory of 320	2656	{80EC1CCB-0427-4963-ACCB-6ED13ABFCF6F}.exe	32
PID 2656 wrote to memory of 320	2656	{80EC1CCB-0427-4963-ACCB-6ED13ABFCF6F}.exe	32
PID 2656 wrote to memory of 320	2656	{80EC1CCB-0427-4963-ACCB-6ED13ABFCF6F}.exe	32
PID 2656 wrote to memory of 2372	2656	{80EC1CCB-0427-4963-ACCB-6ED13ABFCF6F}.exe	33
PID 2656 wrote to memory of 2372	2656	{80EC1CCB-0427-4963-ACCB-6ED13ABFCF6F}.exe	33
PID 2656 wrote to memory of 2372	2656	{80EC1CCB-0427-4963-ACCB-6ED13ABFCF6F}.exe	33
PID 2656 wrote to memory of 2372	2656	{80EC1CCB-0427-4963-ACCB-6ED13ABFCF6F}.exe	33
PID 320 wrote to memory of 2928	320	{66105A93-C2A3-433d-922C-FD416BFA2B68}.exe	36
PID 320 wrote to memory of 2928	320	{66105A93-C2A3-433d-922C-FD416BFA2B68}.exe	36
PID 320 wrote to memory of 2928	320	{66105A93-C2A3-433d-922C-FD416BFA2B68}.exe	36
PID 320 wrote to memory of 2928	320	{66105A93-C2A3-433d-922C-FD416BFA2B68}.exe	36
PID 320 wrote to memory of 1876	320	{66105A93-C2A3-433d-922C-FD416BFA2B68}.exe	37
PID 320 wrote to memory of 1876	320	{66105A93-C2A3-433d-922C-FD416BFA2B68}.exe	37
PID 320 wrote to memory of 1876	320	{66105A93-C2A3-433d-922C-FD416BFA2B68}.exe	37
PID 320 wrote to memory of 1876	320	{66105A93-C2A3-433d-922C-FD416BFA2B68}.exe	37
PID 2928 wrote to memory of 2796	2928	{CBDD870E-F6E7-4c46-925F-D915979FC838}.exe	38
PID 2928 wrote to memory of 2796	2928	{CBDD870E-F6E7-4c46-925F-D915979FC838}.exe	38
PID 2928 wrote to memory of 2796	2928	{CBDD870E-F6E7-4c46-925F-D915979FC838}.exe	38
PID 2928 wrote to memory of 2796	2928	{CBDD870E-F6E7-4c46-925F-D915979FC838}.exe	38
PID 2928 wrote to memory of 2828	2928	{CBDD870E-F6E7-4c46-925F-D915979FC838}.exe	39
PID 2928 wrote to memory of 2828	2928	{CBDD870E-F6E7-4c46-925F-D915979FC838}.exe	39
PID 2928 wrote to memory of 2828	2928	{CBDD870E-F6E7-4c46-925F-D915979FC838}.exe	39
PID 2928 wrote to memory of 2828	2928	{CBDD870E-F6E7-4c46-925F-D915979FC838}.exe	39
PID 2796 wrote to memory of 3040	2796	{F357E3BE-F668-4507-A386-7A5F2EE17F70}.exe	40
PID 2796 wrote to memory of 3040	2796	{F357E3BE-F668-4507-A386-7A5F2EE17F70}.exe	40
PID 2796 wrote to memory of 3040	2796	{F357E3BE-F668-4507-A386-7A5F2EE17F70}.exe	40
PID 2796 wrote to memory of 3040	2796	{F357E3BE-F668-4507-A386-7A5F2EE17F70}.exe	40
PID 2796 wrote to memory of 1968	2796	{F357E3BE-F668-4507-A386-7A5F2EE17F70}.exe	41
PID 2796 wrote to memory of 1968	2796	{F357E3BE-F668-4507-A386-7A5F2EE17F70}.exe	41
PID 2796 wrote to memory of 1968	2796	{F357E3BE-F668-4507-A386-7A5F2EE17F70}.exe	41
PID 2796 wrote to memory of 1968	2796	{F357E3BE-F668-4507-A386-7A5F2EE17F70}.exe	41
PID 3040 wrote to memory of 2368	3040	{920EF768-531F-46c6-ACB9-17B9C9F3C2EE}.exe	42
PID 3040 wrote to memory of 2368	3040	{920EF768-531F-46c6-ACB9-17B9C9F3C2EE}.exe	42
PID 3040 wrote to memory of 2368	3040	{920EF768-531F-46c6-ACB9-17B9C9F3C2EE}.exe	42
PID 3040 wrote to memory of 2368	3040	{920EF768-531F-46c6-ACB9-17B9C9F3C2EE}.exe	42
PID 3040 wrote to memory of 1956	3040	{920EF768-531F-46c6-ACB9-17B9C9F3C2EE}.exe	43
PID 3040 wrote to memory of 1956	3040	{920EF768-531F-46c6-ACB9-17B9C9F3C2EE}.exe	43
PID 3040 wrote to memory of 1956	3040	{920EF768-531F-46c6-ACB9-17B9C9F3C2EE}.exe	43
PID 3040 wrote to memory of 1956	3040	{920EF768-531F-46c6-ACB9-17B9C9F3C2EE}.exe	43
PID 2368 wrote to memory of 1892	2368	{427A7E20-D8D2-49ac-BB48-9E6F45146027}.exe	44
PID 2368 wrote to memory of 1892	2368	{427A7E20-D8D2-49ac-BB48-9E6F45146027}.exe	44
PID 2368 wrote to memory of 1892	2368	{427A7E20-D8D2-49ac-BB48-9E6F45146027}.exe	44
PID 2368 wrote to memory of 1892	2368	{427A7E20-D8D2-49ac-BB48-9E6F45146027}.exe	44
PID 2368 wrote to memory of 1440	2368	{427A7E20-D8D2-49ac-BB48-9E6F45146027}.exe	45
PID 2368 wrote to memory of 1440	2368	{427A7E20-D8D2-49ac-BB48-9E6F45146027}.exe	45
PID 2368 wrote to memory of 1440	2368	{427A7E20-D8D2-49ac-BB48-9E6F45146027}.exe	45
PID 2368 wrote to memory of 1440	2368	{427A7E20-D8D2-49ac-BB48-9E6F45146027}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-03-06_e77cc1c5995b8d825389c4fc17ce9778_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-06_e77cc1c5995b8d825389c4fc17ce9778_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2348
- C:\Windows\{20AFFC33-172A-4694-BF2A-F6DE632DB142}.exe
  C:\Windows\{20AFFC33-172A-4694-BF2A-F6DE632DB142}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2104
- - C:\Windows\{80EC1CCB-0427-4963-ACCB-6ED13ABFCF6F}.exe
    C:\Windows\{80EC1CCB-0427-4963-ACCB-6ED13ABFCF6F}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2656
  - - C:\Windows\{66105A93-C2A3-433d-922C-FD416BFA2B68}.exe
      C:\Windows\{66105A93-C2A3-433d-922C-FD416BFA2B68}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:320
    - - C:\Windows\{CBDD870E-F6E7-4c46-925F-D915979FC838}.exe
        
        C:\Windows\{CBDD870E-F6E7-4c46-925F-D915979FC838}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2928
      - C:\Windows\{F357E3BE-F668-4507-A386-7A5F2EE17F70}.exe
        
        C:\Windows\{F357E3BE-F668-4507-A386-7A5F2EE17F70}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2796
        
        C:\Windows\{920EF768-531F-46c6-ACB9-17B9C9F3C2EE}.exe
        
        C:\Windows\{920EF768-531F-46c6-ACB9-17B9C9F3C2EE}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3040
        
        C:\Windows\{427A7E20-D8D2-49ac-BB48-9E6F45146027}.exe
        
        C:\Windows\{427A7E20-D8D2-49ac-BB48-9E6F45146027}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2368
        
        C:\Windows\{37BBD1C8-1856-4419-ACE1-308AEB559595}.exe
        
        C:\Windows\{37BBD1C8-1856-4419-ACE1-308AEB559595}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1892
        
        C:\Windows\{10E17A03-6DDC-4d97-AB98-F1C42386DA40}.exe
        
        C:\Windows\{10E17A03-6DDC-4d97-AB98-F1C42386DA40}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2304
        
        C:\Windows\{B39B83DA-2B61-4bff-8969-6918948A8678}.exe
        
        C:\Windows\{B39B83DA-2B61-4bff-8969-6918948A8678}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2376
        
        C:\Windows\{32741591-5403-48c5-B617-8180502290F3}.exe
        
        C:\Windows\{32741591-5403-48c5-B617-8180502290F3}.exe
        12⤵
        Executes dropped EXE
        
        PID:708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B39B8~1.EXE > nul
        12⤵
        
        PID:584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{10E17~1.EXE > nul
        11⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{37BBD~1.EXE > nul
        10⤵
        
        PID:1260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{427A7~1.EXE > nul
        9⤵
        
        PID:1440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{920EF~1.EXE > nul
        8⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F357E~1.EXE > nul
        7⤵
        
        PID:1968
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CBDD8~1.EXE > nul
        6⤵
        
        PID:2828
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{66105~1.EXE > nul
        5⤵
        
        PID:1876
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{80EC1~1.EXE > nul
      4⤵
      PID:2372
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{20AFF~1.EXE > nul
    3⤵
    PID:2848
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{10E17A03-6DDC-4d97-AB98-F1C42386DA40}.exe

Filesize
344KB

MD5
c1b17de8d1c90efbd14782cafe8ea4ec

SHA1
6a8a033eabe9288e5de39b492c5dc931165e0e3b

SHA256
92d55a19c508007b635701f35302c428e8ed485cb75b1052e5a0dff58b5c4cad

SHA512
68f3373cd0d8e8c19e25e3c47151f68d5fab785a98cb247eba92d4e0f807d645c5080fffd238c69904f99f9bc006fd3be0789fcde5bd84872f534a1e1373d2a5

Download Submit
C:\Windows\{20AFFC33-172A-4694-BF2A-F6DE632DB142}.exe

Filesize
344KB

MD5
6a064dcdeb5efe1b8cef9c4d8c49e233

SHA1
1278aa3cc408bec3db975b44a3fb17f7cc2bc04c

SHA256
f2d991fdbed8be6de04290e7f012ecfe436c4f3106cff5ebbdba164d40897727

SHA512
e05cc153683976d86c29756fbb8c7b6513bdd36f8d38b63afe474bd3cfef74fbb2909f9ce0a687877701de1cde0f9379d92ffb2897c2fc97b8a38a1815f7e6e4

Download Submit
C:\Windows\{32741591-5403-48c5-B617-8180502290F3}.exe

Filesize
344KB

MD5
2054048f901909274853f074a207e9b9

SHA1
437edc7b9a616f4e38f92e9f787d424680026c3a

SHA256
d245fe4f8418afd33a85e43f6c1e7bd7cedbbb89443561ce0952713b5ef699c2

SHA512
b22f4798f0c1db68029a5d752e0cb5b6794134fc4f243735f05404c9d0630fe2b68dc4f79fbd407ebc9947ded94339b301e13835239e6b7161954fd872b5eb39

Download Submit
C:\Windows\{37BBD1C8-1856-4419-ACE1-308AEB559595}.exe

Filesize
344KB

MD5
d200aabc4d429e31515a6859f4891705

SHA1
1058a511bd5d157e61982608d75e966b4eb70bb3

SHA256
cf51ca12648caaf1dda818ceefd0c64d99183514c83109eca5b27675265ca007

SHA512
880be32312895e6608ce56bed2ca8e2f76498976b6b0528309c2c6db69483827f85869a64c6b5422b5950b036d2f6270a93260ee29100470498e568051f704da

Download Submit
C:\Windows\{427A7E20-D8D2-49ac-BB48-9E6F45146027}.exe

Filesize
344KB

MD5
e4d44c0029280b637fb628c4a5404e1b

SHA1
cb96e3adee098b84801b97e0a572a1885ee447c2

SHA256
3714dfac7065353be42e88041bd61ee68b1dd869f9aa1ab382c9171f11742f32

SHA512
0b8204ce5ba7514b193fc00532cb2daac0128d4c9fb2c71d2aaeb394d132a33eea88f43e860af8299ab74026f4fd4f86d70cae01796bbda85bf25c7716005947

Download Submit
C:\Windows\{66105A93-C2A3-433d-922C-FD416BFA2B68}.exe

Filesize
344KB

MD5
76c24881edb6d245719ead6be8d05433

SHA1
35c4c0a57072011b3e1ef8afb4d4cf3b7e13f853

SHA256
7f8a489c90aeee14fdf3ef83809771c74b5e15c4225dd4b9c367947d70a20bad

SHA512
75ac920aeafddfe5bdf67904a24b1081e1dcb1e767c975d7092f9532b46d5fbfe9841ac401676be421790c295afad8ffdc4e89c5abe0853ab5a4cbc518df4a70

Download Submit
C:\Windows\{80EC1CCB-0427-4963-ACCB-6ED13ABFCF6F}.exe

Filesize
344KB

MD5
32ecab59f155715e349cc72a4ed4f881

SHA1
7149edb21b023bc4694938e258b49638b177bbef

SHA256
e543438efc57e4e3b0bb56355b8bc348a54e7a2e9021d935e891454e4c6de6d9

SHA512
16f2e04c32fee13834a2c887e1bf51f4d8fc008ef4764385198512836a35474c93e4a42e5f1ca5281a2f0a159b3f22d87cac5ccaa9fdaa5925745cd29249ede6

Download Submit
C:\Windows\{920EF768-531F-46c6-ACB9-17B9C9F3C2EE}.exe

Filesize
344KB

MD5
d147757257a1903c9a6ed9e5c71d44d3

SHA1
e2801f7534179111239d0bad37e3e3b2889cbe61

SHA256
e3d17d2b988cbe9e3528efbe57132943f5053f994cbf7d82c0eb0ed95b52514c

SHA512
5de6c165999f9c921b2c52696030205e7206bab7eb8642b822be7ba149b2755c347d17c4850126275ba986324ca0f5fcedb4ee49d15f31317d9661a6f4f3cf34

Download Submit
C:\Windows\{B39B83DA-2B61-4bff-8969-6918948A8678}.exe

Filesize
344KB

MD5
a95096b38ef1e0d76e8cef275147deab

SHA1
6a3c3adc26acbaca36a2a197a25725086b332554

SHA256
65162092d8a4a949e69c8da0991ba6f022323433ffab332081b246cea1e6d4c5

SHA512
221e407b59dcec7d6b96e4774fcc5ae4e65574031394ad8484e9ad450e74d0f01d6d55e4081686ba3407fddc62e5f4d26c182cdc85d3c0106f1388596d38f21c

Download Submit
C:\Windows\{CBDD870E-F6E7-4c46-925F-D915979FC838}.exe

Filesize
344KB

MD5
10461871e7d30709fc65857005aa6ef1

SHA1
28104ce234d92fdc9dc7bd0571fdb476e68e57a8

SHA256
c75a0617d780ed0613fec9f44fc903660f4080caec6eb8b86f557d0f89e80be0

SHA512
1ecb6eada3e5ff21ff86596790518b4c646b7409c3b941950f6afb8359bab0e2742f68d3bd1f632e68abc354c4f35a4b6166b07832ff0fdec1a78a996fb24a88

Download Submit
C:\Windows\{F357E3BE-F668-4507-A386-7A5F2EE17F70}.exe

Filesize
344KB

MD5
549c383cfc6fa6cceaa8bba6fd2a9d59

SHA1
3baa09829f4e91d57f2c151725392d90bdce1fc9

SHA256
22df64278e8bffbc187d8dd52e5ccb189cb287d0dddc62cb80094ab5614b326a

SHA512
a47a545b94d438873b4db647bd2a59a321ea0bc6724df45c4fdac87d908140e8d1047c69593d3bef209640ebacc907139936f9204ce9c17d322ba1e424ea9e80

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads