6531f15956f9d38f1028e2113c64b132a34b1f71e36dffb06b2a726c1993f965

Analysis

max time kernel
144s
max time network
120s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
14/03/2024, 16:47

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-03-14_bfddf9bb17b26998d3fe2d3dfd5d6a61_goldeneye.exe
Size

204KB
MD5

bfddf9bb17b26998d3fe2d3dfd5d6a61
SHA1

3f933ab866a6a48693570feb1e4c5e67f9d24c12
SHA256

6531f15956f9d38f1028e2113c64b132a34b1f71e36dffb06b2a726c1993f965
SHA512

3cb2d6b137097f4afda9cda3779d13f771cf3b34fed3b915fae36852391079a8addab1844d08623842f877a55751ae3337f21b20605c648a9aaf94b5e8e41855
SSDEEP

1536:1EGh0oNl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oNl1OPOe2MUVg3Ve+rXfMUy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x00090000000142c4-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000014390-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a0000000142c4-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00090000000146a2-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000005a59-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b0000000142c4-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000005a59-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c0000000142c4-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000005a59-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d0000000142c4-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000005a59-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2705F24D-8C02-4121-B4D4-728C0F3FAB59}	2024-03-14_bfddf9bb17b26998d3fe2d3dfd5d6a61_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FFFFDF54-C8AB-4f22-B464-8B2EB3DB12B8}	{08DB8884-24DA-4c76-88E2-9878516343FF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C82D61CC-DF10-47cc-B5B7-464706F0CB41}	{34D5379E-14B2-4d60-8AB4-2C4BE9B7A0D9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1CD96FD2-08DF-4227-AD9B-D89E98332F62}	{C82D61CC-DF10-47cc-B5B7-464706F0CB41}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CB12AD77-1B18-4061-A046-0F7B94B4128F}\stubpath = "C:\\Windows\\{CB12AD77-1B18-4061-A046-0F7B94B4128F}.exe"	{50F4A5A2-94E5-4f5b-8F34-5372B7DB0E13}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A36B693D-0898-4efe-93A1-6F256E57AE3F}\stubpath = "C:\\Windows\\{A36B693D-0898-4efe-93A1-6F256E57AE3F}.exe"	{CB12AD77-1B18-4061-A046-0F7B94B4128F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A8499EC9-C0EE-49e8-AAD1-616960F2998F}	{A36B693D-0898-4efe-93A1-6F256E57AE3F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{02E102F9-A658-4b42-9B78-32F9C5596EC3}\stubpath = "C:\\Windows\\{02E102F9-A658-4b42-9B78-32F9C5596EC3}.exe"	{A8499EC9-C0EE-49e8-AAD1-616960F2998F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FFFFDF54-C8AB-4f22-B464-8B2EB3DB12B8}\stubpath = "C:\\Windows\\{FFFFDF54-C8AB-4f22-B464-8B2EB3DB12B8}.exe"	{08DB8884-24DA-4c76-88E2-9878516343FF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2705F24D-8C02-4121-B4D4-728C0F3FAB59}\stubpath = "C:\\Windows\\{2705F24D-8C02-4121-B4D4-728C0F3FAB59}.exe"	2024-03-14_bfddf9bb17b26998d3fe2d3dfd5d6a61_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{50F4A5A2-94E5-4f5b-8F34-5372B7DB0E13}\stubpath = "C:\\Windows\\{50F4A5A2-94E5-4f5b-8F34-5372B7DB0E13}.exe"	{2705F24D-8C02-4121-B4D4-728C0F3FAB59}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CB12AD77-1B18-4061-A046-0F7B94B4128F}	{50F4A5A2-94E5-4f5b-8F34-5372B7DB0E13}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A36B693D-0898-4efe-93A1-6F256E57AE3F}	{CB12AD77-1B18-4061-A046-0F7B94B4128F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{02E102F9-A658-4b42-9B78-32F9C5596EC3}	{A8499EC9-C0EE-49e8-AAD1-616960F2998F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{08DB8884-24DA-4c76-88E2-9878516343FF}	{02E102F9-A658-4b42-9B78-32F9C5596EC3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C82D61CC-DF10-47cc-B5B7-464706F0CB41}\stubpath = "C:\\Windows\\{C82D61CC-DF10-47cc-B5B7-464706F0CB41}.exe"	{34D5379E-14B2-4d60-8AB4-2C4BE9B7A0D9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{50F4A5A2-94E5-4f5b-8F34-5372B7DB0E13}	{2705F24D-8C02-4121-B4D4-728C0F3FAB59}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A8499EC9-C0EE-49e8-AAD1-616960F2998F}\stubpath = "C:\\Windows\\{A8499EC9-C0EE-49e8-AAD1-616960F2998F}.exe"	{A36B693D-0898-4efe-93A1-6F256E57AE3F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{08DB8884-24DA-4c76-88E2-9878516343FF}\stubpath = "C:\\Windows\\{08DB8884-24DA-4c76-88E2-9878516343FF}.exe"	{02E102F9-A658-4b42-9B78-32F9C5596EC3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{34D5379E-14B2-4d60-8AB4-2C4BE9B7A0D9}	{FFFFDF54-C8AB-4f22-B464-8B2EB3DB12B8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{34D5379E-14B2-4d60-8AB4-2C4BE9B7A0D9}\stubpath = "C:\\Windows\\{34D5379E-14B2-4d60-8AB4-2C4BE9B7A0D9}.exe"	{FFFFDF54-C8AB-4f22-B464-8B2EB3DB12B8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1CD96FD2-08DF-4227-AD9B-D89E98332F62}\stubpath = "C:\\Windows\\{1CD96FD2-08DF-4227-AD9B-D89E98332F62}.exe"	{C82D61CC-DF10-47cc-B5B7-464706F0CB41}.exe

Deletes itself 1 IoCs

pid	Process
2888	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
1692	{2705F24D-8C02-4121-B4D4-728C0F3FAB59}.exe
2552	{50F4A5A2-94E5-4f5b-8F34-5372B7DB0E13}.exe
2684	{CB12AD77-1B18-4061-A046-0F7B94B4128F}.exe
2496	{A36B693D-0898-4efe-93A1-6F256E57AE3F}.exe
1948	{A8499EC9-C0EE-49e8-AAD1-616960F2998F}.exe
1720	{02E102F9-A658-4b42-9B78-32F9C5596EC3}.exe
1936	{08DB8884-24DA-4c76-88E2-9878516343FF}.exe
1668	{FFFFDF54-C8AB-4f22-B464-8B2EB3DB12B8}.exe
2064	{34D5379E-14B2-4d60-8AB4-2C4BE9B7A0D9}.exe
1096	{C82D61CC-DF10-47cc-B5B7-464706F0CB41}.exe
868	{1CD96FD2-08DF-4227-AD9B-D89E98332F62}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{CB12AD77-1B18-4061-A046-0F7B94B4128F}.exe	{50F4A5A2-94E5-4f5b-8F34-5372B7DB0E13}.exe
File created	C:\Windows\{A8499EC9-C0EE-49e8-AAD1-616960F2998F}.exe	{A36B693D-0898-4efe-93A1-6F256E57AE3F}.exe
File created	C:\Windows\{08DB8884-24DA-4c76-88E2-9878516343FF}.exe	{02E102F9-A658-4b42-9B78-32F9C5596EC3}.exe
File created	C:\Windows\{FFFFDF54-C8AB-4f22-B464-8B2EB3DB12B8}.exe	{08DB8884-24DA-4c76-88E2-9878516343FF}.exe
File created	C:\Windows\{C82D61CC-DF10-47cc-B5B7-464706F0CB41}.exe	{34D5379E-14B2-4d60-8AB4-2C4BE9B7A0D9}.exe
File created	C:\Windows\{1CD96FD2-08DF-4227-AD9B-D89E98332F62}.exe	{C82D61CC-DF10-47cc-B5B7-464706F0CB41}.exe
File created	C:\Windows\{2705F24D-8C02-4121-B4D4-728C0F3FAB59}.exe	2024-03-14_bfddf9bb17b26998d3fe2d3dfd5d6a61_goldeneye.exe
File created	C:\Windows\{50F4A5A2-94E5-4f5b-8F34-5372B7DB0E13}.exe	{2705F24D-8C02-4121-B4D4-728C0F3FAB59}.exe
File created	C:\Windows\{34D5379E-14B2-4d60-8AB4-2C4BE9B7A0D9}.exe	{FFFFDF54-C8AB-4f22-B464-8B2EB3DB12B8}.exe
File created	C:\Windows\{A36B693D-0898-4efe-93A1-6F256E57AE3F}.exe	{CB12AD77-1B18-4061-A046-0F7B94B4128F}.exe
File created	C:\Windows\{02E102F9-A658-4b42-9B78-32F9C5596EC3}.exe	{A8499EC9-C0EE-49e8-AAD1-616960F2998F}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2328	2024-03-14_bfddf9bb17b26998d3fe2d3dfd5d6a61_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1692	{2705F24D-8C02-4121-B4D4-728C0F3FAB59}.exe
Token: SeIncBasePriorityPrivilege	2552	{50F4A5A2-94E5-4f5b-8F34-5372B7DB0E13}.exe
Token: SeIncBasePriorityPrivilege	2684	{CB12AD77-1B18-4061-A046-0F7B94B4128F}.exe
Token: SeIncBasePriorityPrivilege	2496	{A36B693D-0898-4efe-93A1-6F256E57AE3F}.exe
Token: SeIncBasePriorityPrivilege	1948	{A8499EC9-C0EE-49e8-AAD1-616960F2998F}.exe
Token: SeIncBasePriorityPrivilege	1720	{02E102F9-A658-4b42-9B78-32F9C5596EC3}.exe
Token: SeIncBasePriorityPrivilege	1936	{08DB8884-24DA-4c76-88E2-9878516343FF}.exe
Token: SeIncBasePriorityPrivilege	1668	{FFFFDF54-C8AB-4f22-B464-8B2EB3DB12B8}.exe
Token: SeIncBasePriorityPrivilege	2064	{34D5379E-14B2-4d60-8AB4-2C4BE9B7A0D9}.exe
Token: SeIncBasePriorityPrivilege	1096	{C82D61CC-DF10-47cc-B5B7-464706F0CB41}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2328 wrote to memory of 1692	2328	2024-03-14_bfddf9bb17b26998d3fe2d3dfd5d6a61_goldeneye.exe	28
PID 2328 wrote to memory of 1692	2328	2024-03-14_bfddf9bb17b26998d3fe2d3dfd5d6a61_goldeneye.exe	28
PID 2328 wrote to memory of 1692	2328	2024-03-14_bfddf9bb17b26998d3fe2d3dfd5d6a61_goldeneye.exe	28
PID 2328 wrote to memory of 1692	2328	2024-03-14_bfddf9bb17b26998d3fe2d3dfd5d6a61_goldeneye.exe	28
PID 2328 wrote to memory of 2888	2328	2024-03-14_bfddf9bb17b26998d3fe2d3dfd5d6a61_goldeneye.exe	29
PID 2328 wrote to memory of 2888	2328	2024-03-14_bfddf9bb17b26998d3fe2d3dfd5d6a61_goldeneye.exe	29
PID 2328 wrote to memory of 2888	2328	2024-03-14_bfddf9bb17b26998d3fe2d3dfd5d6a61_goldeneye.exe	29
PID 2328 wrote to memory of 2888	2328	2024-03-14_bfddf9bb17b26998d3fe2d3dfd5d6a61_goldeneye.exe	29
PID 1692 wrote to memory of 2552	1692	{2705F24D-8C02-4121-B4D4-728C0F3FAB59}.exe	30
PID 1692 wrote to memory of 2552	1692	{2705F24D-8C02-4121-B4D4-728C0F3FAB59}.exe	30
PID 1692 wrote to memory of 2552	1692	{2705F24D-8C02-4121-B4D4-728C0F3FAB59}.exe	30
PID 1692 wrote to memory of 2552	1692	{2705F24D-8C02-4121-B4D4-728C0F3FAB59}.exe	30
PID 1692 wrote to memory of 2628	1692	{2705F24D-8C02-4121-B4D4-728C0F3FAB59}.exe	31
PID 1692 wrote to memory of 2628	1692	{2705F24D-8C02-4121-B4D4-728C0F3FAB59}.exe	31
PID 1692 wrote to memory of 2628	1692	{2705F24D-8C02-4121-B4D4-728C0F3FAB59}.exe	31
PID 1692 wrote to memory of 2628	1692	{2705F24D-8C02-4121-B4D4-728C0F3FAB59}.exe	31
PID 2552 wrote to memory of 2684	2552	{50F4A5A2-94E5-4f5b-8F34-5372B7DB0E13}.exe	32
PID 2552 wrote to memory of 2684	2552	{50F4A5A2-94E5-4f5b-8F34-5372B7DB0E13}.exe	32
PID 2552 wrote to memory of 2684	2552	{50F4A5A2-94E5-4f5b-8F34-5372B7DB0E13}.exe	32
PID 2552 wrote to memory of 2684	2552	{50F4A5A2-94E5-4f5b-8F34-5372B7DB0E13}.exe	32
PID 2552 wrote to memory of 2640	2552	{50F4A5A2-94E5-4f5b-8F34-5372B7DB0E13}.exe	33
PID 2552 wrote to memory of 2640	2552	{50F4A5A2-94E5-4f5b-8F34-5372B7DB0E13}.exe	33
PID 2552 wrote to memory of 2640	2552	{50F4A5A2-94E5-4f5b-8F34-5372B7DB0E13}.exe	33
PID 2552 wrote to memory of 2640	2552	{50F4A5A2-94E5-4f5b-8F34-5372B7DB0E13}.exe	33
PID 2684 wrote to memory of 2496	2684	{CB12AD77-1B18-4061-A046-0F7B94B4128F}.exe	36
PID 2684 wrote to memory of 2496	2684	{CB12AD77-1B18-4061-A046-0F7B94B4128F}.exe	36
PID 2684 wrote to memory of 2496	2684	{CB12AD77-1B18-4061-A046-0F7B94B4128F}.exe	36
PID 2684 wrote to memory of 2496	2684	{CB12AD77-1B18-4061-A046-0F7B94B4128F}.exe	36
PID 2684 wrote to memory of 2764	2684	{CB12AD77-1B18-4061-A046-0F7B94B4128F}.exe	37
PID 2684 wrote to memory of 2764	2684	{CB12AD77-1B18-4061-A046-0F7B94B4128F}.exe	37
PID 2684 wrote to memory of 2764	2684	{CB12AD77-1B18-4061-A046-0F7B94B4128F}.exe	37
PID 2684 wrote to memory of 2764	2684	{CB12AD77-1B18-4061-A046-0F7B94B4128F}.exe	37
PID 2496 wrote to memory of 1948	2496	{A36B693D-0898-4efe-93A1-6F256E57AE3F}.exe	38
PID 2496 wrote to memory of 1948	2496	{A36B693D-0898-4efe-93A1-6F256E57AE3F}.exe	38
PID 2496 wrote to memory of 1948	2496	{A36B693D-0898-4efe-93A1-6F256E57AE3F}.exe	38
PID 2496 wrote to memory of 1948	2496	{A36B693D-0898-4efe-93A1-6F256E57AE3F}.exe	38
PID 2496 wrote to memory of 2400	2496	{A36B693D-0898-4efe-93A1-6F256E57AE3F}.exe	39
PID 2496 wrote to memory of 2400	2496	{A36B693D-0898-4efe-93A1-6F256E57AE3F}.exe	39
PID 2496 wrote to memory of 2400	2496	{A36B693D-0898-4efe-93A1-6F256E57AE3F}.exe	39
PID 2496 wrote to memory of 2400	2496	{A36B693D-0898-4efe-93A1-6F256E57AE3F}.exe	39
PID 1948 wrote to memory of 1720	1948	{A8499EC9-C0EE-49e8-AAD1-616960F2998F}.exe	40
PID 1948 wrote to memory of 1720	1948	{A8499EC9-C0EE-49e8-AAD1-616960F2998F}.exe	40
PID 1948 wrote to memory of 1720	1948	{A8499EC9-C0EE-49e8-AAD1-616960F2998F}.exe	40
PID 1948 wrote to memory of 1720	1948	{A8499EC9-C0EE-49e8-AAD1-616960F2998F}.exe	40
PID 1948 wrote to memory of 2384	1948	{A8499EC9-C0EE-49e8-AAD1-616960F2998F}.exe	41
PID 1948 wrote to memory of 2384	1948	{A8499EC9-C0EE-49e8-AAD1-616960F2998F}.exe	41
PID 1948 wrote to memory of 2384	1948	{A8499EC9-C0EE-49e8-AAD1-616960F2998F}.exe	41
PID 1948 wrote to memory of 2384	1948	{A8499EC9-C0EE-49e8-AAD1-616960F2998F}.exe	41
PID 1720 wrote to memory of 1936	1720	{02E102F9-A658-4b42-9B78-32F9C5596EC3}.exe	42
PID 1720 wrote to memory of 1936	1720	{02E102F9-A658-4b42-9B78-32F9C5596EC3}.exe	42
PID 1720 wrote to memory of 1936	1720	{02E102F9-A658-4b42-9B78-32F9C5596EC3}.exe	42
PID 1720 wrote to memory of 1936	1720	{02E102F9-A658-4b42-9B78-32F9C5596EC3}.exe	42
PID 1720 wrote to memory of 1456	1720	{02E102F9-A658-4b42-9B78-32F9C5596EC3}.exe	43
PID 1720 wrote to memory of 1456	1720	{02E102F9-A658-4b42-9B78-32F9C5596EC3}.exe	43
PID 1720 wrote to memory of 1456	1720	{02E102F9-A658-4b42-9B78-32F9C5596EC3}.exe	43
PID 1720 wrote to memory of 1456	1720	{02E102F9-A658-4b42-9B78-32F9C5596EC3}.exe	43
PID 1936 wrote to memory of 1668	1936	{08DB8884-24DA-4c76-88E2-9878516343FF}.exe	44
PID 1936 wrote to memory of 1668	1936	{08DB8884-24DA-4c76-88E2-9878516343FF}.exe	44
PID 1936 wrote to memory of 1668	1936	{08DB8884-24DA-4c76-88E2-9878516343FF}.exe	44
PID 1936 wrote to memory of 1668	1936	{08DB8884-24DA-4c76-88E2-9878516343FF}.exe	44
PID 1936 wrote to memory of 1348	1936	{08DB8884-24DA-4c76-88E2-9878516343FF}.exe	45
PID 1936 wrote to memory of 1348	1936	{08DB8884-24DA-4c76-88E2-9878516343FF}.exe	45
PID 1936 wrote to memory of 1348	1936	{08DB8884-24DA-4c76-88E2-9878516343FF}.exe	45
PID 1936 wrote to memory of 1348	1936	{08DB8884-24DA-4c76-88E2-9878516343FF}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-03-14_bfddf9bb17b26998d3fe2d3dfd5d6a61_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-14_bfddf9bb17b26998d3fe2d3dfd5d6a61_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2328
- C:\Windows\{2705F24D-8C02-4121-B4D4-728C0F3FAB59}.exe
  C:\Windows\{2705F24D-8C02-4121-B4D4-728C0F3FAB59}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1692
- - C:\Windows\{50F4A5A2-94E5-4f5b-8F34-5372B7DB0E13}.exe
    C:\Windows\{50F4A5A2-94E5-4f5b-8F34-5372B7DB0E13}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2552
  - - C:\Windows\{CB12AD77-1B18-4061-A046-0F7B94B4128F}.exe
      C:\Windows\{CB12AD77-1B18-4061-A046-0F7B94B4128F}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2684
    - - C:\Windows\{A36B693D-0898-4efe-93A1-6F256E57AE3F}.exe
        
        C:\Windows\{A36B693D-0898-4efe-93A1-6F256E57AE3F}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2496
      - C:\Windows\{A8499EC9-C0EE-49e8-AAD1-616960F2998F}.exe
        
        C:\Windows\{A8499EC9-C0EE-49e8-AAD1-616960F2998F}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1948
        
        C:\Windows\{02E102F9-A658-4b42-9B78-32F9C5596EC3}.exe
        
        C:\Windows\{02E102F9-A658-4b42-9B78-32F9C5596EC3}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1720
        
        C:\Windows\{08DB8884-24DA-4c76-88E2-9878516343FF}.exe
        
        C:\Windows\{08DB8884-24DA-4c76-88E2-9878516343FF}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1936
        
        C:\Windows\{FFFFDF54-C8AB-4f22-B464-8B2EB3DB12B8}.exe
        
        C:\Windows\{FFFFDF54-C8AB-4f22-B464-8B2EB3DB12B8}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1668
        
        C:\Windows\{34D5379E-14B2-4d60-8AB4-2C4BE9B7A0D9}.exe
        
        C:\Windows\{34D5379E-14B2-4d60-8AB4-2C4BE9B7A0D9}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2064
        
        C:\Windows\{C82D61CC-DF10-47cc-B5B7-464706F0CB41}.exe
        
        C:\Windows\{C82D61CC-DF10-47cc-B5B7-464706F0CB41}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1096
        
        C:\Windows\{1CD96FD2-08DF-4227-AD9B-D89E98332F62}.exe
        
        C:\Windows\{1CD96FD2-08DF-4227-AD9B-D89E98332F62}.exe
        12⤵
        Executes dropped EXE
        
        PID:868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C82D6~1.EXE > nul
        12⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{34D53~1.EXE > nul
        11⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FFFFD~1.EXE > nul
        10⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{08DB8~1.EXE > nul
        9⤵
        
        PID:1348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{02E10~1.EXE > nul
        8⤵
        
        PID:1456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A8499~1.EXE > nul
        7⤵
        
        PID:2384
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A36B6~1.EXE > nul
        6⤵
        
        PID:2400
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CB12A~1.EXE > nul
        5⤵
        
        PID:2764
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{50F4A~1.EXE > nul
      4⤵
      PID:2640
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{2705F~1.EXE > nul
    3⤵
    PID:2628
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{02E102F9-A658-4b42-9B78-32F9C5596EC3}.exe

Filesize
204KB

MD5
b941c64c09525f77ccee645be3964fbf

SHA1
8b9427b855676c45c73c46cf4f78e9cfbb938865

SHA256
ec576752c4f005f2a6c951887b720086c09a363044bc471ce2d5a92fb876f2b4

SHA512
3f4b9d61284101f54602bc8ed2ef59a049640e14dd880bf36d41f8b217d0d79b85e645ec61326ccb2b0471ec15057501838491780a14722afba9c79162cc1eb8

Download Submit
C:\Windows\{08DB8884-24DA-4c76-88E2-9878516343FF}.exe

Filesize
204KB

MD5
6b4e637f14b4c9c8cacb36ef6809be8e

SHA1
0e4205ca1a50f58f7a9418682220b634e9ffdc40

SHA256
c927765d639b5ce7d84b8e86df293969341177886df09c479f4eb2e1e9a800ba

SHA512
4d7eaae56e7acf95df7684c7abfb1b23931ff367909de45e450f6e4a74ed6dd85d7d7c3840dd1acc0b0dc150c4597ef7b08942a9385e6267c7219d8fea48d7a5

Download Submit
C:\Windows\{1CD96FD2-08DF-4227-AD9B-D89E98332F62}.exe

Filesize
204KB

MD5
3e425c141e41dd322a17b92b0a978676

SHA1
f771dbcad4dedced4d07b5bb8c91d120abaeef49

SHA256
be9df08969ab9d2bb4106f91c829a3386a144be6c747c3624fb8f07d7c2d6ca3

SHA512
151040a629fec34360999c5f7bd1012c0cee93d9d945c2b9de49ad233271ab64ad7ec24c73fa789027370754c86fcb4ec98c9641bc24f9c04e5fcd6ed37ec934

Download Submit
C:\Windows\{2705F24D-8C02-4121-B4D4-728C0F3FAB59}.exe

Filesize
204KB

MD5
93c0b78e7e4160aa9574b70df99a18be

SHA1
2f478c8efacdc75fea146e710e1e3204f2bc24de

SHA256
182b29fc6c0a958fafdff7aac1adaf6cd140c5975a9c88ac9687595d1d95bec5

SHA512
0ab2c7281544ff886cce38b404ec141cab863c307b68e5a08cc15004fd3368f1231fa1836e11a63913b60738ff2e671dcd48782de2e89c507e110a70c65253eb

Download Submit
C:\Windows\{34D5379E-14B2-4d60-8AB4-2C4BE9B7A0D9}.exe

Filesize
204KB

MD5
bc67a994b3c1a504783116bd2fa66ad2

SHA1
2ec355ce374694d65ecc363c9d9f4f69f7db2c7e

SHA256
6556a80213df503764e76989abb9c4e2428134e774eb5c3425acfb2f078a54d4

SHA512
7a134f92997187d3f8aabf5e8b0f38c8859c61dbceb895168a72ea306384834d597592ad1e6d555796d919780a00dac58d42138dbd4a7f415e7d309da1651a63

Download Submit
C:\Windows\{50F4A5A2-94E5-4f5b-8F34-5372B7DB0E13}.exe

Filesize
204KB

MD5
5613ea3fd8e9ff2878690222de8c182e

SHA1
676f7443ffd69b042a16a2ad71bb4138def7f34c

SHA256
187cbc59c5b22a40bd7b4c0824cd219ea8ad08f9fbbe1d636dc3e9122c17b72b

SHA512
3ece557983c5536a44311b5cc0a98359ccf99c1a043f910230c6fe85e696cf1f8f0d05a7b01938e14ea369765269dac21e36c8b8a1a9ca331849ed6bc84232b1

Download Submit
C:\Windows\{A36B693D-0898-4efe-93A1-6F256E57AE3F}.exe

Filesize
204KB

MD5
7d67313234266de801d821987b579a46

SHA1
e24cae5afbd25f805c8315d02c752c2f65ca4af4

SHA256
a36821b9f0e145f82227cfc91f55a4b4715c9b6d6271269d4d2c60bfdf6f3f12

SHA512
ccb10a6d32c487a052aa0637dd9b57af1b4d009d90999ede5172982beaf80ea80e58cbccbb04b5e9662ac302869acb63cc5547a7a5c402f95ce2ec6fa91d9439

Download Submit
C:\Windows\{A8499EC9-C0EE-49e8-AAD1-616960F2998F}.exe

Filesize
204KB

MD5
5485e7aadf95c3c51670dd00b22053fa

SHA1
9111596f34139d90245b5500d382ba5bb489b37a

SHA256
937096e7fccb10cd191ece6dd1ea3b0faa39d1ab21f00c27ed3966ecd43172d8

SHA512
556a8da5dd58172fc523df91e4b8b1c91cfd6378dc7ced777ddea41207821c4ef9123e1000764fdd5b20102c09bb994cfdfb93be4597d490680c4a48aa203446

Download Submit
C:\Windows\{C82D61CC-DF10-47cc-B5B7-464706F0CB41}.exe

Filesize
204KB

MD5
e72f9f10927e20bb5d1ccb7b35315fe8

SHA1
8c919b723464522ea9d788ba7e1269ccd90fe0d1

SHA256
48ff4a6f7bb46cba8e3c5264e3086fff85cc6b862295d027a74acb944be0f0b4

SHA512
3526a9bd0f2f193a11f2318ffbd5e77072cf9a652e1140c60f5369fd106ac111146556735baa858938f4e70e93c2668829f71366f55c8ef4629096f284aa11c5

Download Submit
C:\Windows\{CB12AD77-1B18-4061-A046-0F7B94B4128F}.exe

Filesize
204KB

MD5
e21bc1e0958b679588f2e0788c73084e

SHA1
0c50e11f062009b457f0032a9e87c7cb53952811

SHA256
7907843b4925fcb0da78d83eb561a1df4597544df5b97e2c60b75a2cb9c8b5c1

SHA512
c45e7528230b6e4eb8d258480722ff8ab62e5dc5cc5fa17dafd7eefb3879b09d22a414f98ff5373eef7ffe7dda428e66c2f2e515e3c708c13e8302cd86464833

Download Submit
C:\Windows\{FFFFDF54-C8AB-4f22-B464-8B2EB3DB12B8}.exe

Filesize
204KB

MD5
033789945f63a1b67a47417480333ff4

SHA1
fef6f2fb00efb14f09a986324a3378c20b20ce09

SHA256
5edfb6000bd31e50f956e8db21cb68f3ea9557cc2bd3f402af3ddfb454e820cc

SHA512
fe1f427933ca9c513708548808ead945fc51b86a470bdeb4ad30729da8df3b58aefc3cbd0182034218d54e5fadea614ec7bf52caabc0a1fe22d819aa458e5dd8

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads