719811872fcbcc1fd4a0d2d550e4b55bc0cdb4047b02ae201ffc772282c5b22f

Analysis

max time kernel
144s
max time network
128s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
10/03/2024, 06:43

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-03-10_f78260489f4f9b48574ba079ba7acff5_goldeneye.exe
Size

372KB
MD5

f78260489f4f9b48574ba079ba7acff5
SHA1

f8f7de60ca41435c62b29e04b00399a3d1a20b56
SHA256

719811872fcbcc1fd4a0d2d550e4b55bc0cdb4047b02ae201ffc772282c5b22f
SHA512

44d11ddb279463dc469e00b4f3ba51171df882d98ce4a20226ecfc25ad493c65d1b5ca4db165072ac9e89ae4b64cb1dac454a9b6129dbe1463409115f51ab942
SSDEEP

3072:CEGh0oylMOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBfM:CEGMlkOe2MUVg3vTeKcAEciTBqr3

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral1/files/0x0008000000012242-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c00000001316b-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000300000000b1f2-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000400000000b1f2-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000500000000b1f2-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000600000000b1f2-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000700000000b1f2-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{61FA423E-3D61-4449-8756-C7548938EF98}\stubpath = "C:\\Windows\\{61FA423E-3D61-4449-8756-C7548938EF98}.exe"	{37BA95E4-A218-4820-B176-E61F6BFB30AA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0E6DD258-0EE7-4330-B2B6-EEB55B48E93A}	{61FA423E-3D61-4449-8756-C7548938EF98}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0E6DD258-0EE7-4330-B2B6-EEB55B48E93A}\stubpath = "C:\\Windows\\{0E6DD258-0EE7-4330-B2B6-EEB55B48E93A}.exe"	{61FA423E-3D61-4449-8756-C7548938EF98}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8BB89CF7-AE48-40c2-BC2F-642ECBD1E6F9}	2024-03-10_f78260489f4f9b48574ba079ba7acff5_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CE884AE2-54A5-48a1-A12E-5B4E9D5D2AFC}\stubpath = "C:\\Windows\\{CE884AE2-54A5-48a1-A12E-5B4E9D5D2AFC}.exe"	{FF11B3FC-FED2-4277-A68C-C2D8FC7C793C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{61FA423E-3D61-4449-8756-C7548938EF98}	{37BA95E4-A218-4820-B176-E61F6BFB30AA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FF11B3FC-FED2-4277-A68C-C2D8FC7C793C}\stubpath = "C:\\Windows\\{FF11B3FC-FED2-4277-A68C-C2D8FC7C793C}.exe"	{DBFD5244-15FC-4cb3-A78C-EF57E97ADA07}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{525856C3-AB38-48a6-9F73-78E44F4A0474}	{CE884AE2-54A5-48a1-A12E-5B4E9D5D2AFC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{525856C3-AB38-48a6-9F73-78E44F4A0474}\stubpath = "C:\\Windows\\{525856C3-AB38-48a6-9F73-78E44F4A0474}.exe"	{CE884AE2-54A5-48a1-A12E-5B4E9D5D2AFC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4516DE0F-42B5-4f84-B2EC-D3CA1D7302AA}\stubpath = "C:\\Windows\\{4516DE0F-42B5-4f84-B2EC-D3CA1D7302AA}.exe"	{0AB4CE6C-52B2-4c92-B903-35FE29AAE844}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{37BA95E4-A218-4820-B176-E61F6BFB30AA}	{4516DE0F-42B5-4f84-B2EC-D3CA1D7302AA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8BB89CF7-AE48-40c2-BC2F-642ECBD1E6F9}\stubpath = "C:\\Windows\\{8BB89CF7-AE48-40c2-BC2F-642ECBD1E6F9}.exe"	2024-03-10_f78260489f4f9b48574ba079ba7acff5_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DBFD5244-15FC-4cb3-A78C-EF57E97ADA07}\stubpath = "C:\\Windows\\{DBFD5244-15FC-4cb3-A78C-EF57E97ADA07}.exe"	{8BB89CF7-AE48-40c2-BC2F-642ECBD1E6F9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FF11B3FC-FED2-4277-A68C-C2D8FC7C793C}	{DBFD5244-15FC-4cb3-A78C-EF57E97ADA07}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FEAB6CDD-A9C8-42ae-9D4D-79094BD7D20D}	{0E6DD258-0EE7-4330-B2B6-EEB55B48E93A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FEAB6CDD-A9C8-42ae-9D4D-79094BD7D20D}\stubpath = "C:\\Windows\\{FEAB6CDD-A9C8-42ae-9D4D-79094BD7D20D}.exe"	{0E6DD258-0EE7-4330-B2B6-EEB55B48E93A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0AB4CE6C-52B2-4c92-B903-35FE29AAE844}\stubpath = "C:\\Windows\\{0AB4CE6C-52B2-4c92-B903-35FE29AAE844}.exe"	{525856C3-AB38-48a6-9F73-78E44F4A0474}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4516DE0F-42B5-4f84-B2EC-D3CA1D7302AA}	{0AB4CE6C-52B2-4c92-B903-35FE29AAE844}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DBFD5244-15FC-4cb3-A78C-EF57E97ADA07}	{8BB89CF7-AE48-40c2-BC2F-642ECBD1E6F9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CE884AE2-54A5-48a1-A12E-5B4E9D5D2AFC}	{FF11B3FC-FED2-4277-A68C-C2D8FC7C793C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0AB4CE6C-52B2-4c92-B903-35FE29AAE844}	{525856C3-AB38-48a6-9F73-78E44F4A0474}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{37BA95E4-A218-4820-B176-E61F6BFB30AA}\stubpath = "C:\\Windows\\{37BA95E4-A218-4820-B176-E61F6BFB30AA}.exe"	{4516DE0F-42B5-4f84-B2EC-D3CA1D7302AA}.exe

Deletes itself 1 IoCs

pid	Process
1936	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2148	{8BB89CF7-AE48-40c2-BC2F-642ECBD1E6F9}.exe
2476	{DBFD5244-15FC-4cb3-A78C-EF57E97ADA07}.exe
2612	{FF11B3FC-FED2-4277-A68C-C2D8FC7C793C}.exe
2440	{CE884AE2-54A5-48a1-A12E-5B4E9D5D2AFC}.exe
2040	{525856C3-AB38-48a6-9F73-78E44F4A0474}.exe
1080	{0AB4CE6C-52B2-4c92-B903-35FE29AAE844}.exe
2308	{4516DE0F-42B5-4f84-B2EC-D3CA1D7302AA}.exe
956	{37BA95E4-A218-4820-B176-E61F6BFB30AA}.exe
1348	{61FA423E-3D61-4449-8756-C7548938EF98}.exe
2716	{0E6DD258-0EE7-4330-B2B6-EEB55B48E93A}.exe
2212	{FEAB6CDD-A9C8-42ae-9D4D-79094BD7D20D}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{8BB89CF7-AE48-40c2-BC2F-642ECBD1E6F9}.exe	2024-03-10_f78260489f4f9b48574ba079ba7acff5_goldeneye.exe
File created	C:\Windows\{DBFD5244-15FC-4cb3-A78C-EF57E97ADA07}.exe	{8BB89CF7-AE48-40c2-BC2F-642ECBD1E6F9}.exe
File created	C:\Windows\{525856C3-AB38-48a6-9F73-78E44F4A0474}.exe	{CE884AE2-54A5-48a1-A12E-5B4E9D5D2AFC}.exe
File created	C:\Windows\{4516DE0F-42B5-4f84-B2EC-D3CA1D7302AA}.exe	{0AB4CE6C-52B2-4c92-B903-35FE29AAE844}.exe
File created	C:\Windows\{FEAB6CDD-A9C8-42ae-9D4D-79094BD7D20D}.exe	{0E6DD258-0EE7-4330-B2B6-EEB55B48E93A}.exe
File created	C:\Windows\{0E6DD258-0EE7-4330-B2B6-EEB55B48E93A}.exe	{61FA423E-3D61-4449-8756-C7548938EF98}.exe
File created	C:\Windows\{FF11B3FC-FED2-4277-A68C-C2D8FC7C793C}.exe	{DBFD5244-15FC-4cb3-A78C-EF57E97ADA07}.exe
File created	C:\Windows\{CE884AE2-54A5-48a1-A12E-5B4E9D5D2AFC}.exe	{FF11B3FC-FED2-4277-A68C-C2D8FC7C793C}.exe
File created	C:\Windows\{0AB4CE6C-52B2-4c92-B903-35FE29AAE844}.exe	{525856C3-AB38-48a6-9F73-78E44F4A0474}.exe
File created	C:\Windows\{37BA95E4-A218-4820-B176-E61F6BFB30AA}.exe	{4516DE0F-42B5-4f84-B2EC-D3CA1D7302AA}.exe
File created	C:\Windows\{61FA423E-3D61-4449-8756-C7548938EF98}.exe	{37BA95E4-A218-4820-B176-E61F6BFB30AA}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	848	2024-03-10_f78260489f4f9b48574ba079ba7acff5_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2148	{8BB89CF7-AE48-40c2-BC2F-642ECBD1E6F9}.exe
Token: SeIncBasePriorityPrivilege	2476	{DBFD5244-15FC-4cb3-A78C-EF57E97ADA07}.exe
Token: SeIncBasePriorityPrivilege	2612	{FF11B3FC-FED2-4277-A68C-C2D8FC7C793C}.exe
Token: SeIncBasePriorityPrivilege	2440	{CE884AE2-54A5-48a1-A12E-5B4E9D5D2AFC}.exe
Token: SeIncBasePriorityPrivilege	2040	{525856C3-AB38-48a6-9F73-78E44F4A0474}.exe
Token: SeIncBasePriorityPrivilege	1080	{0AB4CE6C-52B2-4c92-B903-35FE29AAE844}.exe
Token: SeIncBasePriorityPrivilege	2308	{4516DE0F-42B5-4f84-B2EC-D3CA1D7302AA}.exe
Token: SeIncBasePriorityPrivilege	956	{37BA95E4-A218-4820-B176-E61F6BFB30AA}.exe
Token: SeIncBasePriorityPrivilege	1348	{61FA423E-3D61-4449-8756-C7548938EF98}.exe
Token: SeIncBasePriorityPrivilege	2716	{0E6DD258-0EE7-4330-B2B6-EEB55B48E93A}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 848 wrote to memory of 2148	848	2024-03-10_f78260489f4f9b48574ba079ba7acff5_goldeneye.exe	28
PID 848 wrote to memory of 2148	848	2024-03-10_f78260489f4f9b48574ba079ba7acff5_goldeneye.exe	28
PID 848 wrote to memory of 2148	848	2024-03-10_f78260489f4f9b48574ba079ba7acff5_goldeneye.exe	28
PID 848 wrote to memory of 2148	848	2024-03-10_f78260489f4f9b48574ba079ba7acff5_goldeneye.exe	28
PID 848 wrote to memory of 1936	848	2024-03-10_f78260489f4f9b48574ba079ba7acff5_goldeneye.exe	29
PID 848 wrote to memory of 1936	848	2024-03-10_f78260489f4f9b48574ba079ba7acff5_goldeneye.exe	29
PID 848 wrote to memory of 1936	848	2024-03-10_f78260489f4f9b48574ba079ba7acff5_goldeneye.exe	29
PID 848 wrote to memory of 1936	848	2024-03-10_f78260489f4f9b48574ba079ba7acff5_goldeneye.exe	29
PID 2148 wrote to memory of 2476	2148	{8BB89CF7-AE48-40c2-BC2F-642ECBD1E6F9}.exe	30
PID 2148 wrote to memory of 2476	2148	{8BB89CF7-AE48-40c2-BC2F-642ECBD1E6F9}.exe	30
PID 2148 wrote to memory of 2476	2148	{8BB89CF7-AE48-40c2-BC2F-642ECBD1E6F9}.exe	30
PID 2148 wrote to memory of 2476	2148	{8BB89CF7-AE48-40c2-BC2F-642ECBD1E6F9}.exe	30
PID 2148 wrote to memory of 2560	2148	{8BB89CF7-AE48-40c2-BC2F-642ECBD1E6F9}.exe	31
PID 2148 wrote to memory of 2560	2148	{8BB89CF7-AE48-40c2-BC2F-642ECBD1E6F9}.exe	31
PID 2148 wrote to memory of 2560	2148	{8BB89CF7-AE48-40c2-BC2F-642ECBD1E6F9}.exe	31
PID 2148 wrote to memory of 2560	2148	{8BB89CF7-AE48-40c2-BC2F-642ECBD1E6F9}.exe	31
PID 2476 wrote to memory of 2612	2476	{DBFD5244-15FC-4cb3-A78C-EF57E97ADA07}.exe	34
PID 2476 wrote to memory of 2612	2476	{DBFD5244-15FC-4cb3-A78C-EF57E97ADA07}.exe	34
PID 2476 wrote to memory of 2612	2476	{DBFD5244-15FC-4cb3-A78C-EF57E97ADA07}.exe	34
PID 2476 wrote to memory of 2612	2476	{DBFD5244-15FC-4cb3-A78C-EF57E97ADA07}.exe	34
PID 2476 wrote to memory of 2536	2476	{DBFD5244-15FC-4cb3-A78C-EF57E97ADA07}.exe	35
PID 2476 wrote to memory of 2536	2476	{DBFD5244-15FC-4cb3-A78C-EF57E97ADA07}.exe	35
PID 2476 wrote to memory of 2536	2476	{DBFD5244-15FC-4cb3-A78C-EF57E97ADA07}.exe	35
PID 2476 wrote to memory of 2536	2476	{DBFD5244-15FC-4cb3-A78C-EF57E97ADA07}.exe	35
PID 2612 wrote to memory of 2440	2612	{FF11B3FC-FED2-4277-A68C-C2D8FC7C793C}.exe	36
PID 2612 wrote to memory of 2440	2612	{FF11B3FC-FED2-4277-A68C-C2D8FC7C793C}.exe	36
PID 2612 wrote to memory of 2440	2612	{FF11B3FC-FED2-4277-A68C-C2D8FC7C793C}.exe	36
PID 2612 wrote to memory of 2440	2612	{FF11B3FC-FED2-4277-A68C-C2D8FC7C793C}.exe	36
PID 2612 wrote to memory of 2840	2612	{FF11B3FC-FED2-4277-A68C-C2D8FC7C793C}.exe	37
PID 2612 wrote to memory of 2840	2612	{FF11B3FC-FED2-4277-A68C-C2D8FC7C793C}.exe	37
PID 2612 wrote to memory of 2840	2612	{FF11B3FC-FED2-4277-A68C-C2D8FC7C793C}.exe	37
PID 2612 wrote to memory of 2840	2612	{FF11B3FC-FED2-4277-A68C-C2D8FC7C793C}.exe	37
PID 2440 wrote to memory of 2040	2440	{CE884AE2-54A5-48a1-A12E-5B4E9D5D2AFC}.exe	38
PID 2440 wrote to memory of 2040	2440	{CE884AE2-54A5-48a1-A12E-5B4E9D5D2AFC}.exe	38
PID 2440 wrote to memory of 2040	2440	{CE884AE2-54A5-48a1-A12E-5B4E9D5D2AFC}.exe	38
PID 2440 wrote to memory of 2040	2440	{CE884AE2-54A5-48a1-A12E-5B4E9D5D2AFC}.exe	38
PID 2440 wrote to memory of 576	2440	{CE884AE2-54A5-48a1-A12E-5B4E9D5D2AFC}.exe	39
PID 2440 wrote to memory of 576	2440	{CE884AE2-54A5-48a1-A12E-5B4E9D5D2AFC}.exe	39
PID 2440 wrote to memory of 576	2440	{CE884AE2-54A5-48a1-A12E-5B4E9D5D2AFC}.exe	39
PID 2440 wrote to memory of 576	2440	{CE884AE2-54A5-48a1-A12E-5B4E9D5D2AFC}.exe	39
PID 2040 wrote to memory of 1080	2040	{525856C3-AB38-48a6-9F73-78E44F4A0474}.exe	40
PID 2040 wrote to memory of 1080	2040	{525856C3-AB38-48a6-9F73-78E44F4A0474}.exe	40
PID 2040 wrote to memory of 1080	2040	{525856C3-AB38-48a6-9F73-78E44F4A0474}.exe	40
PID 2040 wrote to memory of 1080	2040	{525856C3-AB38-48a6-9F73-78E44F4A0474}.exe	40
PID 2040 wrote to memory of 1088	2040	{525856C3-AB38-48a6-9F73-78E44F4A0474}.exe	41
PID 2040 wrote to memory of 1088	2040	{525856C3-AB38-48a6-9F73-78E44F4A0474}.exe	41
PID 2040 wrote to memory of 1088	2040	{525856C3-AB38-48a6-9F73-78E44F4A0474}.exe	41
PID 2040 wrote to memory of 1088	2040	{525856C3-AB38-48a6-9F73-78E44F4A0474}.exe	41
PID 1080 wrote to memory of 2308	1080	{0AB4CE6C-52B2-4c92-B903-35FE29AAE844}.exe	42
PID 1080 wrote to memory of 2308	1080	{0AB4CE6C-52B2-4c92-B903-35FE29AAE844}.exe	42
PID 1080 wrote to memory of 2308	1080	{0AB4CE6C-52B2-4c92-B903-35FE29AAE844}.exe	42
PID 1080 wrote to memory of 2308	1080	{0AB4CE6C-52B2-4c92-B903-35FE29AAE844}.exe	42
PID 1080 wrote to memory of 1644	1080	{0AB4CE6C-52B2-4c92-B903-35FE29AAE844}.exe	43
PID 1080 wrote to memory of 1644	1080	{0AB4CE6C-52B2-4c92-B903-35FE29AAE844}.exe	43
PID 1080 wrote to memory of 1644	1080	{0AB4CE6C-52B2-4c92-B903-35FE29AAE844}.exe	43
PID 1080 wrote to memory of 1644	1080	{0AB4CE6C-52B2-4c92-B903-35FE29AAE844}.exe	43
PID 2308 wrote to memory of 956	2308	{4516DE0F-42B5-4f84-B2EC-D3CA1D7302AA}.exe	44
PID 2308 wrote to memory of 956	2308	{4516DE0F-42B5-4f84-B2EC-D3CA1D7302AA}.exe	44
PID 2308 wrote to memory of 956	2308	{4516DE0F-42B5-4f84-B2EC-D3CA1D7302AA}.exe	44
PID 2308 wrote to memory of 956	2308	{4516DE0F-42B5-4f84-B2EC-D3CA1D7302AA}.exe	44
PID 2308 wrote to memory of 2356	2308	{4516DE0F-42B5-4f84-B2EC-D3CA1D7302AA}.exe	45
PID 2308 wrote to memory of 2356	2308	{4516DE0F-42B5-4f84-B2EC-D3CA1D7302AA}.exe	45
PID 2308 wrote to memory of 2356	2308	{4516DE0F-42B5-4f84-B2EC-D3CA1D7302AA}.exe	45
PID 2308 wrote to memory of 2356	2308	{4516DE0F-42B5-4f84-B2EC-D3CA1D7302AA}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-03-10_f78260489f4f9b48574ba079ba7acff5_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-10_f78260489f4f9b48574ba079ba7acff5_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:848
- C:\Windows\{8BB89CF7-AE48-40c2-BC2F-642ECBD1E6F9}.exe
  C:\Windows\{8BB89CF7-AE48-40c2-BC2F-642ECBD1E6F9}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2148
- - C:\Windows\{DBFD5244-15FC-4cb3-A78C-EF57E97ADA07}.exe
    C:\Windows\{DBFD5244-15FC-4cb3-A78C-EF57E97ADA07}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2476
  - - C:\Windows\{FF11B3FC-FED2-4277-A68C-C2D8FC7C793C}.exe
      C:\Windows\{FF11B3FC-FED2-4277-A68C-C2D8FC7C793C}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2612
    - - C:\Windows\{CE884AE2-54A5-48a1-A12E-5B4E9D5D2AFC}.exe
        
        C:\Windows\{CE884AE2-54A5-48a1-A12E-5B4E9D5D2AFC}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2440
      - C:\Windows\{525856C3-AB38-48a6-9F73-78E44F4A0474}.exe
        
        C:\Windows\{525856C3-AB38-48a6-9F73-78E44F4A0474}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2040
        
        C:\Windows\{0AB4CE6C-52B2-4c92-B903-35FE29AAE844}.exe
        
        C:\Windows\{0AB4CE6C-52B2-4c92-B903-35FE29AAE844}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1080
        
        C:\Windows\{4516DE0F-42B5-4f84-B2EC-D3CA1D7302AA}.exe
        
        C:\Windows\{4516DE0F-42B5-4f84-B2EC-D3CA1D7302AA}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2308
        
        C:\Windows\{37BA95E4-A218-4820-B176-E61F6BFB30AA}.exe
        
        C:\Windows\{37BA95E4-A218-4820-B176-E61F6BFB30AA}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:956
        
        C:\Windows\{61FA423E-3D61-4449-8756-C7548938EF98}.exe
        
        C:\Windows\{61FA423E-3D61-4449-8756-C7548938EF98}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1348
        
        C:\Windows\{0E6DD258-0EE7-4330-B2B6-EEB55B48E93A}.exe
        
        C:\Windows\{0E6DD258-0EE7-4330-B2B6-EEB55B48E93A}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2716
        
        C:\Windows\{FEAB6CDD-A9C8-42ae-9D4D-79094BD7D20D}.exe
        
        C:\Windows\{FEAB6CDD-A9C8-42ae-9D4D-79094BD7D20D}.exe
        12⤵
        Executes dropped EXE
        
        PID:2212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0E6DD~1.EXE > nul
        12⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{61FA4~1.EXE > nul
        11⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{37BA9~1.EXE > nul
        10⤵
        
        PID:1248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4516D~1.EXE > nul
        9⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0AB4C~1.EXE > nul
        8⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{52585~1.EXE > nul
        7⤵
        
        PID:1088
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CE884~1.EXE > nul
        6⤵
        
        PID:576
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FF11B~1.EXE > nul
        5⤵
        
        PID:2840
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{DBFD5~1.EXE > nul
      4⤵
      PID:2536
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{8BB89~1.EXE > nul
    3⤵
    PID:2560
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:1936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0AB4CE6C-52B2-4c92-B903-35FE29AAE844}.exe

Filesize
372KB

MD5
b03fd2d23d870f8bb7443918d1752295

SHA1
7d14cb0a21c0d3ab10a23f9f0a20dacd52ec402f

SHA256
4c017c5ccb18652fb41ce6b11fec398d3035463a94bd0e1fe9b38f5cbc2a11cd

SHA512
b4d52e49a5b2ff1f63e9433b1f8b4e80690d36e45fb07d09a3eb5996c22ba7fcde557ba6c2add5403cb25eb9399e74e1a59871f320c958740c44d80c990a6caa

Download Submit
C:\Windows\{0E6DD258-0EE7-4330-B2B6-EEB55B48E93A}.exe

Filesize
372KB

MD5
7a5bad633969edf1ed135314860cffbd

SHA1
8b17c21c6cc3cba5a93f9ef22043040b59ca5da5

SHA256
b2fa784336f53035e618b67ba18d4055f3bf334b1c86e0265006c5326486c8f2

SHA512
8ebc186d2a0a914ea96c3b1a88025f7b0d132a7b08057e731a5268034074ff4e708247ea343474620a0e1564ae43dab99a1a0a3ded8f7294d05e7458a033cfe9

Download Submit
C:\Windows\{37BA95E4-A218-4820-B176-E61F6BFB30AA}.exe

Filesize
372KB

MD5
1aa35a4f5a154ef0a15a6293a11bfb1a

SHA1
8bec233fe44bbba07120a16939c6621bb7ecd75e

SHA256
8c327b18d84b4b3393a71b24bda83a99e1230470756595d898e0af7174883ccd

SHA512
abc6494d2acf70e6ba2772f234f2e3b9cf00f1f6e3ed9591743ac28f386d71e624f4753aa85f9fbd51bddfc63655d9b3d144a98899d976bcbf2533e684c69294

Download Submit
C:\Windows\{4516DE0F-42B5-4f84-B2EC-D3CA1D7302AA}.exe

Filesize
372KB

MD5
64a67f149659a6dbe07f9730de6c314f

SHA1
23a18f47e98c29a1b3990bbcbbce591a89b5d5f7

SHA256
9637ebe4f4f0fe6b1d1ef2554f7cc7533a4e0c7c0d62535e2ab3f86b1c38756d

SHA512
bc16bb39af0384a9eb0faa36da1e923ef1de5b97580645f55ac8ac282ace8dfe4d088ee01d22229403f54d4f7f0a8ea0107d135fba165e9946f604009b2b0a13

Download Submit
C:\Windows\{525856C3-AB38-48a6-9F73-78E44F4A0474}.exe

Filesize
372KB

MD5
57e55a8e8363675ab5697288626a8627

SHA1
15bea7814a04a8225f63ff54c82f869d10ac52e9

SHA256
ebabc2787b6e36240ba2a81ba3454a34a726315bf53b12e3f98fe194a6f06a3f

SHA512
0279a74fb1ffdecbf1ee18d4ef49a0961ef91aa3c3d97647a168d1c8804539f0bd9c712c5fa4ab48bcff91d5ce438eefbafb6b5f9dbdc7d2ff627f063943ae27

Download Submit
C:\Windows\{61FA423E-3D61-4449-8756-C7548938EF98}.exe

Filesize
372KB

MD5
6bb61ef61d813f4fdd091b930dd344c1

SHA1
0ceb5dd89096685a07a7fad13b7fad73961adc47

SHA256
7751fa9a9c0ae1dc61e187ffd8160fca1e8ff37f95261dc9adc0fab62bb1d12c

SHA512
47a29174cb96ce09d3ade0ef56c929ec20a6e5650235073bd1f2158d2404ff225d275655fa35659107bb1d367abf403a81db72475842e93af0338dd926fb9201

Download Submit
C:\Windows\{8BB89CF7-AE48-40c2-BC2F-642ECBD1E6F9}.exe

Filesize
372KB

MD5
c7d10f2b2708c4a80498c4d1d7055066

SHA1
ada35a68b69e84a23a37988b03adbbb972a3fe7b

SHA256
e97fc9ad8c13fc0e8a90d1beed9c5417ac909607e4c3bdfebd1a261c5fd2ccac

SHA512
45c796aeead00a3723e5bd9526053f04809c56c7dde57477db081b9d6596f4b600d89ba1983b0c40f668c194072da3c131ce0769bd718b459fcffe9d0c772d8a

Download Submit
C:\Windows\{CE884AE2-54A5-48a1-A12E-5B4E9D5D2AFC}.exe

Filesize
128KB

MD5
f12d9becbd738d3213bee0c995790709

SHA1
2c313788eea574a92297af7e6bc7b34f2c684ee5

SHA256
dd7f2863f84044131936472d35a0c20a5efe6a978f4eb16afa91dce8d65405f5

SHA512
f0624bed32d1dd0a9b802430e260ee6af585213983c4b328e71f3264c7e0168f11e1e53cb5f762bfef83c19caee605c8dd4249e5f406b09efacf261dc5eb9e97

Download Submit
C:\Windows\{CE884AE2-54A5-48a1-A12E-5B4E9D5D2AFC}.exe

Filesize
372KB

MD5
864b3e132db58123a4b4e175f2e407b0

SHA1
c42525947ac942b336b6512d2ccb5fd4b0363ee8

SHA256
83863cacb33231470dcf6a7c872b9e2fbf91c96d204176431fa5af66fedf06f6

SHA512
917cb666f95fdb7e60f26223be6d11db5c3c608c63288d9df812a00a516f79e3f1b9a8fc71c8e01714016dbbb793f8cf4d606896f33406b1d8c56dbf27606db2

Download Submit
C:\Windows\{DBFD5244-15FC-4cb3-A78C-EF57E97ADA07}.exe

Filesize
372KB

MD5
e4e6fe89e1c4290928bdeb3b1ce6ccdf

SHA1
853acda7b8bb4a29b4b7673581b7abd6a97a21ce

SHA256
6dd30c1b4b6e19c83df58e172d9f3298c3a89831d7ed684901688608b27cb575

SHA512
1cc68c7121df1ffb0eb984835b18559463a285ad3166d36745653cc8e3047b10b21d2fdd59c9d702582d1153a60c074012d1a1bfeecf0ce39362552a27347212

Download Submit
C:\Windows\{FEAB6CDD-A9C8-42ae-9D4D-79094BD7D20D}.exe

Filesize
372KB

MD5
08ee2dad2274723f5177b9db2395d3b7

SHA1
0a520fe7508f73ab5e5a0d010ad1ac6544ad45cb

SHA256
878251b42dc7e14ed6871f22a9f0979951703c20130ddedfe5ad5acebc3a444f

SHA512
6d463f2f0fd53e4c29fb535cc574d01f50046d6f1aba39a8fc21bec62e762470bc0c32f3f433a17d58a0780a261d9875de4d51a6f0f9681820e965875be0d5de

Download Submit
C:\Windows\{FF11B3FC-FED2-4277-A68C-C2D8FC7C793C}.exe

Filesize
372KB

MD5
2c900d594e6e307844238079e350bc89

SHA1
23561fbf9cedd123dd653012a89da9e5395b54f8

SHA256
92d1be93717b23622bcb7899124aac11db5e6c5a8b9cf0c80cb92372336fae15

SHA512
47e9357f88a740faad686548e2e2479e0680ee2415e7f2fe69d02ecd2fd7450ef67597207f77ff832dbb3437f1d34b631fc767a641ba12e0f5b316e58d43448f

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads