bcdef0a8f8bcfa0421d9716cc48cf5b3c88c653171bd61b1ed5d822b46973eed

Analysis

max time kernel
144s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
09-03-2024 12:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-09_b4b0f4edebab3d2fb68db1d7b1319bea_goldeneye.exe
Size

216KB
MD5

b4b0f4edebab3d2fb68db1d7b1319bea
SHA1

b6219fe62cfa07f910034a10b83dc21e23637faa
SHA256

bcdef0a8f8bcfa0421d9716cc48cf5b3c88c653171bd61b1ed5d822b46973eed
SHA512

6772e20ad0e9e6caf343f67057dde7f8ed92b2436c03f20ead911fa2dc702acdca4a3ba6e6ae08045264d829522afca0e4b5c3147203fe8a9de117553329f93f
SSDEEP

3072:jEGh0ojl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEGplEeKcAEcGy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000a00000001223a-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d0000000122d9-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b00000001223a-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000300000000b1f2-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000400000000b1f2-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000500000000b1f2-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000600000000b1f2-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FD5826FC-5F6A-4394-81A4-1385B250CC88}	{7DB79C3D-E1EA-42a9-89CA-E13B9C9C4B60}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F1CB8807-BAFF-4b12-9425-3E03EAACEC5C}\stubpath = "C:\\Windows\\{F1CB8807-BAFF-4b12-9425-3E03EAACEC5C}.exe"	{4FAA7B2D-C27A-4b15-A78D-9B91FADF7993}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{59016C4A-4143-494e-AB41-B91EE247E00C}\stubpath = "C:\\Windows\\{59016C4A-4143-494e-AB41-B91EE247E00C}.exe"	2024-03-09_b4b0f4edebab3d2fb68db1d7b1319bea_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C347D8EA-2F88-406a-8E44-6ECFC0F781D7}	{A1FAF47F-8308-48bd-9725-29963151E6BF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A1FAF47F-8308-48bd-9725-29963151E6BF}\stubpath = "C:\\Windows\\{A1FAF47F-8308-48bd-9725-29963151E6BF}.exe"	{7F93BBB2-41E5-4581-A4D8-66105006E646}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C347D8EA-2F88-406a-8E44-6ECFC0F781D7}\stubpath = "C:\\Windows\\{C347D8EA-2F88-406a-8E44-6ECFC0F781D7}.exe"	{A1FAF47F-8308-48bd-9725-29963151E6BF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FD5826FC-5F6A-4394-81A4-1385B250CC88}\stubpath = "C:\\Windows\\{FD5826FC-5F6A-4394-81A4-1385B250CC88}.exe"	{7DB79C3D-E1EA-42a9-89CA-E13B9C9C4B60}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4FAA7B2D-C27A-4b15-A78D-9B91FADF7993}	{FD5826FC-5F6A-4394-81A4-1385B250CC88}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6E30FD6E-3A6A-4ed8-9E86-6529169A173B}\stubpath = "C:\\Windows\\{6E30FD6E-3A6A-4ed8-9E86-6529169A173B}.exe"	{F1CB8807-BAFF-4b12-9425-3E03EAACEC5C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7F93BBB2-41E5-4581-A4D8-66105006E646}	{CFA93D4D-3B20-4531-880A-3D607EEF89D5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A1FAF47F-8308-48bd-9725-29963151E6BF}	{7F93BBB2-41E5-4581-A4D8-66105006E646}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CFA93D4D-3B20-4531-880A-3D607EEF89D5}\stubpath = "C:\\Windows\\{CFA93D4D-3B20-4531-880A-3D607EEF89D5}.exe"	{A2E37D53-F5D9-4c9e-A3C3-61EB6B49CE57}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7F93BBB2-41E5-4581-A4D8-66105006E646}\stubpath = "C:\\Windows\\{7F93BBB2-41E5-4581-A4D8-66105006E646}.exe"	{CFA93D4D-3B20-4531-880A-3D607EEF89D5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7DB79C3D-E1EA-42a9-89CA-E13B9C9C4B60}\stubpath = "C:\\Windows\\{7DB79C3D-E1EA-42a9-89CA-E13B9C9C4B60}.exe"	{C347D8EA-2F88-406a-8E44-6ECFC0F781D7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{59016C4A-4143-494e-AB41-B91EE247E00C}	2024-03-09_b4b0f4edebab3d2fb68db1d7b1319bea_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CFA93D4D-3B20-4531-880A-3D607EEF89D5}	{A2E37D53-F5D9-4c9e-A3C3-61EB6B49CE57}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7DB79C3D-E1EA-42a9-89CA-E13B9C9C4B60}	{C347D8EA-2F88-406a-8E44-6ECFC0F781D7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4FAA7B2D-C27A-4b15-A78D-9B91FADF7993}\stubpath = "C:\\Windows\\{4FAA7B2D-C27A-4b15-A78D-9B91FADF7993}.exe"	{FD5826FC-5F6A-4394-81A4-1385B250CC88}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F1CB8807-BAFF-4b12-9425-3E03EAACEC5C}	{4FAA7B2D-C27A-4b15-A78D-9B91FADF7993}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6E30FD6E-3A6A-4ed8-9E86-6529169A173B}	{F1CB8807-BAFF-4b12-9425-3E03EAACEC5C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A2E37D53-F5D9-4c9e-A3C3-61EB6B49CE57}	{59016C4A-4143-494e-AB41-B91EE247E00C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A2E37D53-F5D9-4c9e-A3C3-61EB6B49CE57}\stubpath = "C:\\Windows\\{A2E37D53-F5D9-4c9e-A3C3-61EB6B49CE57}.exe"	{59016C4A-4143-494e-AB41-B91EE247E00C}.exe

Deletes itself 1 IoCs

pid	Process
1716	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
3064	{59016C4A-4143-494e-AB41-B91EE247E00C}.exe
2776	{A2E37D53-F5D9-4c9e-A3C3-61EB6B49CE57}.exe
2448	{CFA93D4D-3B20-4531-880A-3D607EEF89D5}.exe
2392	{7F93BBB2-41E5-4581-A4D8-66105006E646}.exe
2516	{A1FAF47F-8308-48bd-9725-29963151E6BF}.exe
1924	{C347D8EA-2F88-406a-8E44-6ECFC0F781D7}.exe
2736	{7DB79C3D-E1EA-42a9-89CA-E13B9C9C4B60}.exe
1440	{FD5826FC-5F6A-4394-81A4-1385B250CC88}.exe
836	{4FAA7B2D-C27A-4b15-A78D-9B91FADF7993}.exe
2104	{F1CB8807-BAFF-4b12-9425-3E03EAACEC5C}.exe
2076	{6E30FD6E-3A6A-4ed8-9E86-6529169A173B}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{7DB79C3D-E1EA-42a9-89CA-E13B9C9C4B60}.exe	{C347D8EA-2F88-406a-8E44-6ECFC0F781D7}.exe
File created	C:\Windows\{4FAA7B2D-C27A-4b15-A78D-9B91FADF7993}.exe	{FD5826FC-5F6A-4394-81A4-1385B250CC88}.exe
File created	C:\Windows\{59016C4A-4143-494e-AB41-B91EE247E00C}.exe	2024-03-09_b4b0f4edebab3d2fb68db1d7b1319bea_goldeneye.exe
File created	C:\Windows\{7F93BBB2-41E5-4581-A4D8-66105006E646}.exe	{CFA93D4D-3B20-4531-880A-3D607EEF89D5}.exe
File created	C:\Windows\{C347D8EA-2F88-406a-8E44-6ECFC0F781D7}.exe	{A1FAF47F-8308-48bd-9725-29963151E6BF}.exe
File created	C:\Windows\{FD5826FC-5F6A-4394-81A4-1385B250CC88}.exe	{7DB79C3D-E1EA-42a9-89CA-E13B9C9C4B60}.exe
File created	C:\Windows\{F1CB8807-BAFF-4b12-9425-3E03EAACEC5C}.exe	{4FAA7B2D-C27A-4b15-A78D-9B91FADF7993}.exe
File created	C:\Windows\{6E30FD6E-3A6A-4ed8-9E86-6529169A173B}.exe	{F1CB8807-BAFF-4b12-9425-3E03EAACEC5C}.exe
File created	C:\Windows\{A2E37D53-F5D9-4c9e-A3C3-61EB6B49CE57}.exe	{59016C4A-4143-494e-AB41-B91EE247E00C}.exe
File created	C:\Windows\{CFA93D4D-3B20-4531-880A-3D607EEF89D5}.exe	{A2E37D53-F5D9-4c9e-A3C3-61EB6B49CE57}.exe
File created	C:\Windows\{A1FAF47F-8308-48bd-9725-29963151E6BF}.exe	{7F93BBB2-41E5-4581-A4D8-66105006E646}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1620	2024-03-09_b4b0f4edebab3d2fb68db1d7b1319bea_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3064	{59016C4A-4143-494e-AB41-B91EE247E00C}.exe
Token: SeIncBasePriorityPrivilege	2776	{A2E37D53-F5D9-4c9e-A3C3-61EB6B49CE57}.exe
Token: SeIncBasePriorityPrivilege	2448	{CFA93D4D-3B20-4531-880A-3D607EEF89D5}.exe
Token: SeIncBasePriorityPrivilege	2392	{7F93BBB2-41E5-4581-A4D8-66105006E646}.exe
Token: SeIncBasePriorityPrivilege	2516	{A1FAF47F-8308-48bd-9725-29963151E6BF}.exe
Token: SeIncBasePriorityPrivilege	1924	{C347D8EA-2F88-406a-8E44-6ECFC0F781D7}.exe
Token: SeIncBasePriorityPrivilege	2736	{7DB79C3D-E1EA-42a9-89CA-E13B9C9C4B60}.exe
Token: SeIncBasePriorityPrivilege	1440	{FD5826FC-5F6A-4394-81A4-1385B250CC88}.exe
Token: SeIncBasePriorityPrivilege	836	{4FAA7B2D-C27A-4b15-A78D-9B91FADF7993}.exe
Token: SeIncBasePriorityPrivilege	2104	{F1CB8807-BAFF-4b12-9425-3E03EAACEC5C}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1620 wrote to memory of 3064	1620	2024-03-09_b4b0f4edebab3d2fb68db1d7b1319bea_goldeneye.exe	28
PID 1620 wrote to memory of 3064	1620	2024-03-09_b4b0f4edebab3d2fb68db1d7b1319bea_goldeneye.exe	28
PID 1620 wrote to memory of 3064	1620	2024-03-09_b4b0f4edebab3d2fb68db1d7b1319bea_goldeneye.exe	28
PID 1620 wrote to memory of 3064	1620	2024-03-09_b4b0f4edebab3d2fb68db1d7b1319bea_goldeneye.exe	28
PID 1620 wrote to memory of 1716	1620	2024-03-09_b4b0f4edebab3d2fb68db1d7b1319bea_goldeneye.exe	29
PID 1620 wrote to memory of 1716	1620	2024-03-09_b4b0f4edebab3d2fb68db1d7b1319bea_goldeneye.exe	29
PID 1620 wrote to memory of 1716	1620	2024-03-09_b4b0f4edebab3d2fb68db1d7b1319bea_goldeneye.exe	29
PID 1620 wrote to memory of 1716	1620	2024-03-09_b4b0f4edebab3d2fb68db1d7b1319bea_goldeneye.exe	29
PID 3064 wrote to memory of 2776	3064	{59016C4A-4143-494e-AB41-B91EE247E00C}.exe	30
PID 3064 wrote to memory of 2776	3064	{59016C4A-4143-494e-AB41-B91EE247E00C}.exe	30
PID 3064 wrote to memory of 2776	3064	{59016C4A-4143-494e-AB41-B91EE247E00C}.exe	30
PID 3064 wrote to memory of 2776	3064	{59016C4A-4143-494e-AB41-B91EE247E00C}.exe	30
PID 3064 wrote to memory of 2652	3064	{59016C4A-4143-494e-AB41-B91EE247E00C}.exe	31
PID 3064 wrote to memory of 2652	3064	{59016C4A-4143-494e-AB41-B91EE247E00C}.exe	31
PID 3064 wrote to memory of 2652	3064	{59016C4A-4143-494e-AB41-B91EE247E00C}.exe	31
PID 3064 wrote to memory of 2652	3064	{59016C4A-4143-494e-AB41-B91EE247E00C}.exe	31
PID 2776 wrote to memory of 2448	2776	{A2E37D53-F5D9-4c9e-A3C3-61EB6B49CE57}.exe	34
PID 2776 wrote to memory of 2448	2776	{A2E37D53-F5D9-4c9e-A3C3-61EB6B49CE57}.exe	34
PID 2776 wrote to memory of 2448	2776	{A2E37D53-F5D9-4c9e-A3C3-61EB6B49CE57}.exe	34
PID 2776 wrote to memory of 2448	2776	{A2E37D53-F5D9-4c9e-A3C3-61EB6B49CE57}.exe	34
PID 2776 wrote to memory of 2536	2776	{A2E37D53-F5D9-4c9e-A3C3-61EB6B49CE57}.exe	35
PID 2776 wrote to memory of 2536	2776	{A2E37D53-F5D9-4c9e-A3C3-61EB6B49CE57}.exe	35
PID 2776 wrote to memory of 2536	2776	{A2E37D53-F5D9-4c9e-A3C3-61EB6B49CE57}.exe	35
PID 2776 wrote to memory of 2536	2776	{A2E37D53-F5D9-4c9e-A3C3-61EB6B49CE57}.exe	35
PID 2448 wrote to memory of 2392	2448	{CFA93D4D-3B20-4531-880A-3D607EEF89D5}.exe	36
PID 2448 wrote to memory of 2392	2448	{CFA93D4D-3B20-4531-880A-3D607EEF89D5}.exe	36
PID 2448 wrote to memory of 2392	2448	{CFA93D4D-3B20-4531-880A-3D607EEF89D5}.exe	36
PID 2448 wrote to memory of 2392	2448	{CFA93D4D-3B20-4531-880A-3D607EEF89D5}.exe	36
PID 2448 wrote to memory of 1660	2448	{CFA93D4D-3B20-4531-880A-3D607EEF89D5}.exe	37
PID 2448 wrote to memory of 1660	2448	{CFA93D4D-3B20-4531-880A-3D607EEF89D5}.exe	37
PID 2448 wrote to memory of 1660	2448	{CFA93D4D-3B20-4531-880A-3D607EEF89D5}.exe	37
PID 2448 wrote to memory of 1660	2448	{CFA93D4D-3B20-4531-880A-3D607EEF89D5}.exe	37
PID 2392 wrote to memory of 2516	2392	{7F93BBB2-41E5-4581-A4D8-66105006E646}.exe	38
PID 2392 wrote to memory of 2516	2392	{7F93BBB2-41E5-4581-A4D8-66105006E646}.exe	38
PID 2392 wrote to memory of 2516	2392	{7F93BBB2-41E5-4581-A4D8-66105006E646}.exe	38
PID 2392 wrote to memory of 2516	2392	{7F93BBB2-41E5-4581-A4D8-66105006E646}.exe	38
PID 2392 wrote to memory of 2728	2392	{7F93BBB2-41E5-4581-A4D8-66105006E646}.exe	39
PID 2392 wrote to memory of 2728	2392	{7F93BBB2-41E5-4581-A4D8-66105006E646}.exe	39
PID 2392 wrote to memory of 2728	2392	{7F93BBB2-41E5-4581-A4D8-66105006E646}.exe	39
PID 2392 wrote to memory of 2728	2392	{7F93BBB2-41E5-4581-A4D8-66105006E646}.exe	39
PID 2516 wrote to memory of 1924	2516	{A1FAF47F-8308-48bd-9725-29963151E6BF}.exe	40
PID 2516 wrote to memory of 1924	2516	{A1FAF47F-8308-48bd-9725-29963151E6BF}.exe	40
PID 2516 wrote to memory of 1924	2516	{A1FAF47F-8308-48bd-9725-29963151E6BF}.exe	40
PID 2516 wrote to memory of 1924	2516	{A1FAF47F-8308-48bd-9725-29963151E6BF}.exe	40
PID 2516 wrote to memory of 1892	2516	{A1FAF47F-8308-48bd-9725-29963151E6BF}.exe	41
PID 2516 wrote to memory of 1892	2516	{A1FAF47F-8308-48bd-9725-29963151E6BF}.exe	41
PID 2516 wrote to memory of 1892	2516	{A1FAF47F-8308-48bd-9725-29963151E6BF}.exe	41
PID 2516 wrote to memory of 1892	2516	{A1FAF47F-8308-48bd-9725-29963151E6BF}.exe	41
PID 1924 wrote to memory of 2736	1924	{C347D8EA-2F88-406a-8E44-6ECFC0F781D7}.exe	42
PID 1924 wrote to memory of 2736	1924	{C347D8EA-2F88-406a-8E44-6ECFC0F781D7}.exe	42
PID 1924 wrote to memory of 2736	1924	{C347D8EA-2F88-406a-8E44-6ECFC0F781D7}.exe	42
PID 1924 wrote to memory of 2736	1924	{C347D8EA-2F88-406a-8E44-6ECFC0F781D7}.exe	42
PID 1924 wrote to memory of 472	1924	{C347D8EA-2F88-406a-8E44-6ECFC0F781D7}.exe	43
PID 1924 wrote to memory of 472	1924	{C347D8EA-2F88-406a-8E44-6ECFC0F781D7}.exe	43
PID 1924 wrote to memory of 472	1924	{C347D8EA-2F88-406a-8E44-6ECFC0F781D7}.exe	43
PID 1924 wrote to memory of 472	1924	{C347D8EA-2F88-406a-8E44-6ECFC0F781D7}.exe	43
PID 2736 wrote to memory of 1440	2736	{7DB79C3D-E1EA-42a9-89CA-E13B9C9C4B60}.exe	44
PID 2736 wrote to memory of 1440	2736	{7DB79C3D-E1EA-42a9-89CA-E13B9C9C4B60}.exe	44
PID 2736 wrote to memory of 1440	2736	{7DB79C3D-E1EA-42a9-89CA-E13B9C9C4B60}.exe	44
PID 2736 wrote to memory of 1440	2736	{7DB79C3D-E1EA-42a9-89CA-E13B9C9C4B60}.exe	44
PID 2736 wrote to memory of 2332	2736	{7DB79C3D-E1EA-42a9-89CA-E13B9C9C4B60}.exe	45
PID 2736 wrote to memory of 2332	2736	{7DB79C3D-E1EA-42a9-89CA-E13B9C9C4B60}.exe	45
PID 2736 wrote to memory of 2332	2736	{7DB79C3D-E1EA-42a9-89CA-E13B9C9C4B60}.exe	45
PID 2736 wrote to memory of 2332	2736	{7DB79C3D-E1EA-42a9-89CA-E13B9C9C4B60}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-03-09_b4b0f4edebab3d2fb68db1d7b1319bea_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-09_b4b0f4edebab3d2fb68db1d7b1319bea_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1620
- C:\Windows\{59016C4A-4143-494e-AB41-B91EE247E00C}.exe
  C:\Windows\{59016C4A-4143-494e-AB41-B91EE247E00C}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3064
- - C:\Windows\{A2E37D53-F5D9-4c9e-A3C3-61EB6B49CE57}.exe
    C:\Windows\{A2E37D53-F5D9-4c9e-A3C3-61EB6B49CE57}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2776
  - - C:\Windows\{CFA93D4D-3B20-4531-880A-3D607EEF89D5}.exe
      C:\Windows\{CFA93D4D-3B20-4531-880A-3D607EEF89D5}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2448
    - - C:\Windows\{7F93BBB2-41E5-4581-A4D8-66105006E646}.exe
        
        C:\Windows\{7F93BBB2-41E5-4581-A4D8-66105006E646}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2392
      - C:\Windows\{A1FAF47F-8308-48bd-9725-29963151E6BF}.exe
        
        C:\Windows\{A1FAF47F-8308-48bd-9725-29963151E6BF}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2516
        
        C:\Windows\{C347D8EA-2F88-406a-8E44-6ECFC0F781D7}.exe
        
        C:\Windows\{C347D8EA-2F88-406a-8E44-6ECFC0F781D7}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1924
        
        C:\Windows\{7DB79C3D-E1EA-42a9-89CA-E13B9C9C4B60}.exe
        
        C:\Windows\{7DB79C3D-E1EA-42a9-89CA-E13B9C9C4B60}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2736
        
        C:\Windows\{FD5826FC-5F6A-4394-81A4-1385B250CC88}.exe
        
        C:\Windows\{FD5826FC-5F6A-4394-81A4-1385B250CC88}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1440
        
        C:\Windows\{4FAA7B2D-C27A-4b15-A78D-9B91FADF7993}.exe
        
        C:\Windows\{4FAA7B2D-C27A-4b15-A78D-9B91FADF7993}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:836
        
        C:\Windows\{F1CB8807-BAFF-4b12-9425-3E03EAACEC5C}.exe
        
        C:\Windows\{F1CB8807-BAFF-4b12-9425-3E03EAACEC5C}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2104
        
        C:\Windows\{6E30FD6E-3A6A-4ed8-9E86-6529169A173B}.exe
        
        C:\Windows\{6E30FD6E-3A6A-4ed8-9E86-6529169A173B}.exe
        12⤵
        Executes dropped EXE
        
        PID:2076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F1CB8~1.EXE > nul
        12⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4FAA7~1.EXE > nul
        11⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FD582~1.EXE > nul
        10⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7DB79~1.EXE > nul
        9⤵
        
        PID:2332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C347D~1.EXE > nul
        8⤵
        
        PID:472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A1FAF~1.EXE > nul
        7⤵
        
        PID:1892
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7F93B~1.EXE > nul
        6⤵
        
        PID:2728
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CFA93~1.EXE > nul
        5⤵
        
        PID:1660
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{A2E37~1.EXE > nul
      4⤵
      PID:2536
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{59016~1.EXE > nul
    3⤵
    PID:2652
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:1716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{4FAA7B2D-C27A-4b15-A78D-9B91FADF7993}.exe

Filesize
216KB

MD5
de70fb4fdc5971cddbbcaacac40e50e2

SHA1
6efb4aadf8c6b5f39b4bf45af768fcdbb39ff929

SHA256
856ab6dfbe6a5ff61c917b9e93c1ce6b7a7c064ee71e88aad798099b509000ab

SHA512
26223ef66e99aa8c3acaa5ebf8bc3e5e4873830c718a659d8d55130182716664c47c8a129cf81ac83fb70887db5e8b3454eb38391230c6a88fb74dfdd0f3f3f3

Download Submit
C:\Windows\{59016C4A-4143-494e-AB41-B91EE247E00C}.exe

Filesize
216KB

MD5
013aeb695f512849c8deb8c53302399a

SHA1
0d2d33a033f6f9abf7e0f592b5d6f6279a737932

SHA256
6a97d13f6c343612aee38404e96b0da5d5451d3881cc3915b71aeb6d82883407

SHA512
5c7122fb2695843b18442387eca1f5c8d665d97f1cb3963cbd936855da031b2da97f6ba501344548a915b3c3d257c1c3886dd2b74f20878a6232433406a3db46

Download Submit
C:\Windows\{6E30FD6E-3A6A-4ed8-9E86-6529169A173B}.exe

Filesize
216KB

MD5
d950ace1d77118e78eaeca3df0d8b75d

SHA1
5f21b0e017286784434b83b34d5880a9eaf1bdf1

SHA256
62e245942dbb6b1ce71c258bf389ac28bb5b46fdc1d4dedfb8f668ee53e33ed6

SHA512
da66b65348070619c84bf857b398dae1131caca2569e7a31f3df1da2a45df4ac5cd2c16d37b11a8a87ab8af0fc6c6f39ec848a2b766aefc9cfd0398867df251a

Download Submit
C:\Windows\{7DB79C3D-E1EA-42a9-89CA-E13B9C9C4B60}.exe

Filesize
216KB

MD5
93f74c300a33abd613a61f15975ecac3

SHA1
79e111707a341b5d68d6037b016d1f795bdb40cd

SHA256
4ff16fef490de4c88aaa7c6d1d87ec1d8f711b03b1622b01729c6913f746f94a

SHA512
8ebeb1d98f20c0a9e2946dfce160e647d9fccb98ff797514db8d231a59a02edfca47fb8f7857951f7d519a55e8c2a5175473d98ec1c94daa0e3d47c13a54f00a

Download Submit
C:\Windows\{7F93BBB2-41E5-4581-A4D8-66105006E646}.exe

Filesize
216KB

MD5
dc5ccc762ca586c85139207ce6250194

SHA1
0e71a8451fbf5c8d2cdabfaafe7c8d7c1e84f79c

SHA256
f413eff01b9d30b4b2b487af872c906f3dce018db30a956668d612c4e11dade8

SHA512
3bb4f167939c415e381caa2e4f03c775294b4182e5a352ac2785484aa5a470164d6d35281bc292ac0a354fe7770477ecf9dd6a189b9b622517bc3bda56f165e6

Download Submit
C:\Windows\{A1FAF47F-8308-48bd-9725-29963151E6BF}.exe

Filesize
216KB

MD5
397ad2ae6533ece727359337bc785e85

SHA1
e62f6a6bb51d2ab7089b1486f3e6c1614f428c40

SHA256
2740e4e2fccfc929a44d67bfd493ddd31d49ab0d0f5270800e634e140612349f

SHA512
a3eddf740ccf5ea802e3093c7202607a515fd074b1c86b3d2cb21b327d586cd7e441d787d1f0c39454dd758b5a51505d774b9c5e131578dab6b8e2d305449ce4

Download Submit
C:\Windows\{A2E37D53-F5D9-4c9e-A3C3-61EB6B49CE57}.exe

Filesize
216KB

MD5
9e1b0f1288b48dbcb4304c50a666594a

SHA1
15b77b91e163a9fab34919bd6834d69c9aaa6ee5

SHA256
c1424cef66c317346ec929e3b6133902c47c10924f1bad19f64b5c68e8bd5d1b

SHA512
fb2ba5024838c79416162e3337098b6a677c0267bc384d6c90d33f4cb6cfed6243daa3c41b8a24fe1de1d92bd9df7392c3adf948497bca28414e2f1c8d8016fa

Download Submit
C:\Windows\{C347D8EA-2F88-406a-8E44-6ECFC0F781D7}.exe

Filesize
216KB

MD5
d51e764aa78fb6d022e9d98ee74c120c

SHA1
5ee348dabd3c6dcf9940794c22a35080c610a238

SHA256
e067b01bc1593c8282477d6794338f42a16d2d646783305b78331ba1afbf1b78

SHA512
4600f7d35e1b9c66b699cd1383541ef255e9d139b6acda403a13715e02c56ed81c0cb9d8a0f92ef96924e2d01a6e1d4ac4126d98bf16a8419505d30d9123a8b4

Download Submit
C:\Windows\{CFA93D4D-3B20-4531-880A-3D607EEF89D5}.exe

Filesize
216KB

MD5
2da3919a857827878f7473a7495533fd

SHA1
58b1ac5708dbdb888bc159ffa5d8fcbec7757dd4

SHA256
a4489be2b86a3d6f5a11479fa6c67fd26ab244d0dc45b419fb77da2e4b7c07ed

SHA512
a11dc7afbd99f41595ea5897843e3a304f94083d4eb765380fe09d47e5d48d9781d6c53a2d8e390ccfc3738a936c24248f53d5f17c9898da5f6c20eb6e6b8e56

Download Submit
C:\Windows\{F1CB8807-BAFF-4b12-9425-3E03EAACEC5C}.exe

Filesize
216KB

MD5
b2fbed91e6e2c9f74e4ff8e6e1f0df18

SHA1
22cdd0bf542dc9998567c14a78d6a577bf249afa

SHA256
39782d11b0962942606fe4cc593f65b9430b8ccb4b397f709ac93f38022edbf2

SHA512
5badd2e44e3c5ac26f86aadefb1cfe2d0d8b6e6e02d06a8f28f1f1eee8061b575f17d4441ee0c3fb309efce0d3ae1f52f53b36c8d64b66522b0bcadcbcbfa61c

Download Submit
C:\Windows\{FD5826FC-5F6A-4394-81A4-1385B250CC88}.exe

Filesize
216KB

MD5
2c53b191ff2588fd1d33a70523d62fc2

SHA1
436d003f88279401da47df0fa80ce2794e6b4b93

SHA256
1060bd419235bcd6148047486d02fae8aeb59414e6a567e0cd68dc7f6231a263

SHA512
bcde98f786bdc0a13681ce7fbed0cdf73e46ca4e3c9d47e9fe5f3644778866cd019bcbd7e651b6de7513483818443f653572bb5a0dddf7032d86456cdb527161

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads