ecbaa4fe41e85e722a341cb586ad28a7f5daf6c6f2b9ef03cea5d60d06404ed5

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
18/03/2024, 13:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-18_d2870f7b5a459697e1b6a421e12d8a50_goldeneye.exe
Size

344KB
MD5

d2870f7b5a459697e1b6a421e12d8a50
SHA1

d33410acdd657f540f563698f5fbb9a2aeb911ab
SHA256

ecbaa4fe41e85e722a341cb586ad28a7f5daf6c6f2b9ef03cea5d60d06404ed5
SHA512

9d5722d807eaf8ec7066ce749a2d2d05f1bf63f9f32b463c9da48420d3c9fcd775f3261680add1db79d45760533b52320357dd3a8c1dc5ae9dca607e5cea7fbe
SSDEEP

3072:mEGh0oqlEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGElqOe2MUVg3v2IneKcAEcA

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000d0000000122ce-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c00000001434f-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e0000000122ce-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000900000000f6f2-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f0000000122ce-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a00000000f6f2-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00100000000122ce-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b00000000f6f2-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00110000000122ce-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c00000000f6f2-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00120000000122ce-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{32260011-221A-4de8-99E0-5DBD648EAE04}	2024-03-18_d2870f7b5a459697e1b6a421e12d8a50_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{77409B85-442B-42cd-B2F5-F0A7D4D09FD7}\stubpath = "C:\\Windows\\{77409B85-442B-42cd-B2F5-F0A7D4D09FD7}.exe"	{32260011-221A-4de8-99E0-5DBD648EAE04}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AF0A269C-1BED-48eb-9050-B7AE344EF1E6}	{2D33C6C8-35CF-478e-917D-10CF806D239F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D7ABA289-2F60-4d35-9374-C655871B4990}	{C60E3B98-9072-4f79-AF27-5B5F6713C5FC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{78CB4AC4-C8F4-494c-80A8-EFD4EACA9B3F}\stubpath = "C:\\Windows\\{78CB4AC4-C8F4-494c-80A8-EFD4EACA9B3F}.exe"	{04D4C496-8D11-4d54-BDC2-B7F24D5E69CB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2D33C6C8-35CF-478e-917D-10CF806D239F}	{78CB4AC4-C8F4-494c-80A8-EFD4EACA9B3F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2D33C6C8-35CF-478e-917D-10CF806D239F}\stubpath = "C:\\Windows\\{2D33C6C8-35CF-478e-917D-10CF806D239F}.exe"	{78CB4AC4-C8F4-494c-80A8-EFD4EACA9B3F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AF0A269C-1BED-48eb-9050-B7AE344EF1E6}\stubpath = "C:\\Windows\\{AF0A269C-1BED-48eb-9050-B7AE344EF1E6}.exe"	{2D33C6C8-35CF-478e-917D-10CF806D239F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{32260011-221A-4de8-99E0-5DBD648EAE04}\stubpath = "C:\\Windows\\{32260011-221A-4de8-99E0-5DBD648EAE04}.exe"	2024-03-18_d2870f7b5a459697e1b6a421e12d8a50_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{77409B85-442B-42cd-B2F5-F0A7D4D09FD7}	{32260011-221A-4de8-99E0-5DBD648EAE04}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2AE272E7-C1E8-4e19-903E-97D86DEC4A57}\stubpath = "C:\\Windows\\{2AE272E7-C1E8-4e19-903E-97D86DEC4A57}.exe"	{7DD10708-9E62-42e0-B583-F007B5BA7BD2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{78CB4AC4-C8F4-494c-80A8-EFD4EACA9B3F}	{04D4C496-8D11-4d54-BDC2-B7F24D5E69CB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2AE272E7-C1E8-4e19-903E-97D86DEC4A57}	{7DD10708-9E62-42e0-B583-F007B5BA7BD2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{04D4C496-8D11-4d54-BDC2-B7F24D5E69CB}	{2AE272E7-C1E8-4e19-903E-97D86DEC4A57}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{04D4C496-8D11-4d54-BDC2-B7F24D5E69CB}\stubpath = "C:\\Windows\\{04D4C496-8D11-4d54-BDC2-B7F24D5E69CB}.exe"	{2AE272E7-C1E8-4e19-903E-97D86DEC4A57}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D7ABA289-2F60-4d35-9374-C655871B4990}\stubpath = "C:\\Windows\\{D7ABA289-2F60-4d35-9374-C655871B4990}.exe"	{C60E3B98-9072-4f79-AF27-5B5F6713C5FC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2297E7A7-8F9A-4d45-AF98-F90809507C76}	{77409B85-442B-42cd-B2F5-F0A7D4D09FD7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2297E7A7-8F9A-4d45-AF98-F90809507C76}\stubpath = "C:\\Windows\\{2297E7A7-8F9A-4d45-AF98-F90809507C76}.exe"	{77409B85-442B-42cd-B2F5-F0A7D4D09FD7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7DD10708-9E62-42e0-B583-F007B5BA7BD2}	{2297E7A7-8F9A-4d45-AF98-F90809507C76}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7DD10708-9E62-42e0-B583-F007B5BA7BD2}\stubpath = "C:\\Windows\\{7DD10708-9E62-42e0-B583-F007B5BA7BD2}.exe"	{2297E7A7-8F9A-4d45-AF98-F90809507C76}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C60E3B98-9072-4f79-AF27-5B5F6713C5FC}	{AF0A269C-1BED-48eb-9050-B7AE344EF1E6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C60E3B98-9072-4f79-AF27-5B5F6713C5FC}\stubpath = "C:\\Windows\\{C60E3B98-9072-4f79-AF27-5B5F6713C5FC}.exe"	{AF0A269C-1BED-48eb-9050-B7AE344EF1E6}.exe

Deletes itself 1 IoCs

pid	Process
1148	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2824	{32260011-221A-4de8-99E0-5DBD648EAE04}.exe
2460	{77409B85-442B-42cd-B2F5-F0A7D4D09FD7}.exe
2528	{2297E7A7-8F9A-4d45-AF98-F90809507C76}.exe
2340	{7DD10708-9E62-42e0-B583-F007B5BA7BD2}.exe
2584	{2AE272E7-C1E8-4e19-903E-97D86DEC4A57}.exe
2124	{04D4C496-8D11-4d54-BDC2-B7F24D5E69CB}.exe
1572	{78CB4AC4-C8F4-494c-80A8-EFD4EACA9B3F}.exe
1712	{2D33C6C8-35CF-478e-917D-10CF806D239F}.exe
2724	{AF0A269C-1BED-48eb-9050-B7AE344EF1E6}.exe
2224	{C60E3B98-9072-4f79-AF27-5B5F6713C5FC}.exe
1544	{D7ABA289-2F60-4d35-9374-C655871B4990}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{C60E3B98-9072-4f79-AF27-5B5F6713C5FC}.exe	{AF0A269C-1BED-48eb-9050-B7AE344EF1E6}.exe
File created	C:\Windows\{D7ABA289-2F60-4d35-9374-C655871B4990}.exe	{C60E3B98-9072-4f79-AF27-5B5F6713C5FC}.exe
File created	C:\Windows\{32260011-221A-4de8-99E0-5DBD648EAE04}.exe	2024-03-18_d2870f7b5a459697e1b6a421e12d8a50_goldeneye.exe
File created	C:\Windows\{77409B85-442B-42cd-B2F5-F0A7D4D09FD7}.exe	{32260011-221A-4de8-99E0-5DBD648EAE04}.exe
File created	C:\Windows\{2297E7A7-8F9A-4d45-AF98-F90809507C76}.exe	{77409B85-442B-42cd-B2F5-F0A7D4D09FD7}.exe
File created	C:\Windows\{2AE272E7-C1E8-4e19-903E-97D86DEC4A57}.exe	{7DD10708-9E62-42e0-B583-F007B5BA7BD2}.exe
File created	C:\Windows\{78CB4AC4-C8F4-494c-80A8-EFD4EACA9B3F}.exe	{04D4C496-8D11-4d54-BDC2-B7F24D5E69CB}.exe
File created	C:\Windows\{AF0A269C-1BED-48eb-9050-B7AE344EF1E6}.exe	{2D33C6C8-35CF-478e-917D-10CF806D239F}.exe
File created	C:\Windows\{7DD10708-9E62-42e0-B583-F007B5BA7BD2}.exe	{2297E7A7-8F9A-4d45-AF98-F90809507C76}.exe
File created	C:\Windows\{04D4C496-8D11-4d54-BDC2-B7F24D5E69CB}.exe	{2AE272E7-C1E8-4e19-903E-97D86DEC4A57}.exe
File created	C:\Windows\{2D33C6C8-35CF-478e-917D-10CF806D239F}.exe	{78CB4AC4-C8F4-494c-80A8-EFD4EACA9B3F}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2744	2024-03-18_d2870f7b5a459697e1b6a421e12d8a50_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2824	{32260011-221A-4de8-99E0-5DBD648EAE04}.exe
Token: SeIncBasePriorityPrivilege	2460	{77409B85-442B-42cd-B2F5-F0A7D4D09FD7}.exe
Token: SeIncBasePriorityPrivilege	2528	{2297E7A7-8F9A-4d45-AF98-F90809507C76}.exe
Token: SeIncBasePriorityPrivilege	2340	{7DD10708-9E62-42e0-B583-F007B5BA7BD2}.exe
Token: SeIncBasePriorityPrivilege	2584	{2AE272E7-C1E8-4e19-903E-97D86DEC4A57}.exe
Token: SeIncBasePriorityPrivilege	2124	{04D4C496-8D11-4d54-BDC2-B7F24D5E69CB}.exe
Token: SeIncBasePriorityPrivilege	1572	{78CB4AC4-C8F4-494c-80A8-EFD4EACA9B3F}.exe
Token: SeIncBasePriorityPrivilege	1712	{2D33C6C8-35CF-478e-917D-10CF806D239F}.exe
Token: SeIncBasePriorityPrivilege	2724	{AF0A269C-1BED-48eb-9050-B7AE344EF1E6}.exe
Token: SeIncBasePriorityPrivilege	2224	{C60E3B98-9072-4f79-AF27-5B5F6713C5FC}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2744 wrote to memory of 2824	2744	2024-03-18_d2870f7b5a459697e1b6a421e12d8a50_goldeneye.exe	28
PID 2744 wrote to memory of 2824	2744	2024-03-18_d2870f7b5a459697e1b6a421e12d8a50_goldeneye.exe	28
PID 2744 wrote to memory of 2824	2744	2024-03-18_d2870f7b5a459697e1b6a421e12d8a50_goldeneye.exe	28
PID 2744 wrote to memory of 2824	2744	2024-03-18_d2870f7b5a459697e1b6a421e12d8a50_goldeneye.exe	28
PID 2744 wrote to memory of 1148	2744	2024-03-18_d2870f7b5a459697e1b6a421e12d8a50_goldeneye.exe	29
PID 2744 wrote to memory of 1148	2744	2024-03-18_d2870f7b5a459697e1b6a421e12d8a50_goldeneye.exe	29
PID 2744 wrote to memory of 1148	2744	2024-03-18_d2870f7b5a459697e1b6a421e12d8a50_goldeneye.exe	29
PID 2744 wrote to memory of 1148	2744	2024-03-18_d2870f7b5a459697e1b6a421e12d8a50_goldeneye.exe	29
PID 2824 wrote to memory of 2460	2824	{32260011-221A-4de8-99E0-5DBD648EAE04}.exe	30
PID 2824 wrote to memory of 2460	2824	{32260011-221A-4de8-99E0-5DBD648EAE04}.exe	30
PID 2824 wrote to memory of 2460	2824	{32260011-221A-4de8-99E0-5DBD648EAE04}.exe	30
PID 2824 wrote to memory of 2460	2824	{32260011-221A-4de8-99E0-5DBD648EAE04}.exe	30
PID 2824 wrote to memory of 2488	2824	{32260011-221A-4de8-99E0-5DBD648EAE04}.exe	31
PID 2824 wrote to memory of 2488	2824	{32260011-221A-4de8-99E0-5DBD648EAE04}.exe	31
PID 2824 wrote to memory of 2488	2824	{32260011-221A-4de8-99E0-5DBD648EAE04}.exe	31
PID 2824 wrote to memory of 2488	2824	{32260011-221A-4de8-99E0-5DBD648EAE04}.exe	31
PID 2460 wrote to memory of 2528	2460	{77409B85-442B-42cd-B2F5-F0A7D4D09FD7}.exe	33
PID 2460 wrote to memory of 2528	2460	{77409B85-442B-42cd-B2F5-F0A7D4D09FD7}.exe	33
PID 2460 wrote to memory of 2528	2460	{77409B85-442B-42cd-B2F5-F0A7D4D09FD7}.exe	33
PID 2460 wrote to memory of 2528	2460	{77409B85-442B-42cd-B2F5-F0A7D4D09FD7}.exe	33
PID 2460 wrote to memory of 2412	2460	{77409B85-442B-42cd-B2F5-F0A7D4D09FD7}.exe	34
PID 2460 wrote to memory of 2412	2460	{77409B85-442B-42cd-B2F5-F0A7D4D09FD7}.exe	34
PID 2460 wrote to memory of 2412	2460	{77409B85-442B-42cd-B2F5-F0A7D4D09FD7}.exe	34
PID 2460 wrote to memory of 2412	2460	{77409B85-442B-42cd-B2F5-F0A7D4D09FD7}.exe	34
PID 2528 wrote to memory of 2340	2528	{2297E7A7-8F9A-4d45-AF98-F90809507C76}.exe	36
PID 2528 wrote to memory of 2340	2528	{2297E7A7-8F9A-4d45-AF98-F90809507C76}.exe	36
PID 2528 wrote to memory of 2340	2528	{2297E7A7-8F9A-4d45-AF98-F90809507C76}.exe	36
PID 2528 wrote to memory of 2340	2528	{2297E7A7-8F9A-4d45-AF98-F90809507C76}.exe	36
PID 2528 wrote to memory of 1996	2528	{2297E7A7-8F9A-4d45-AF98-F90809507C76}.exe	37
PID 2528 wrote to memory of 1996	2528	{2297E7A7-8F9A-4d45-AF98-F90809507C76}.exe	37
PID 2528 wrote to memory of 1996	2528	{2297E7A7-8F9A-4d45-AF98-F90809507C76}.exe	37
PID 2528 wrote to memory of 1996	2528	{2297E7A7-8F9A-4d45-AF98-F90809507C76}.exe	37
PID 2340 wrote to memory of 2584	2340	{7DD10708-9E62-42e0-B583-F007B5BA7BD2}.exe	38
PID 2340 wrote to memory of 2584	2340	{7DD10708-9E62-42e0-B583-F007B5BA7BD2}.exe	38
PID 2340 wrote to memory of 2584	2340	{7DD10708-9E62-42e0-B583-F007B5BA7BD2}.exe	38
PID 2340 wrote to memory of 2584	2340	{7DD10708-9E62-42e0-B583-F007B5BA7BD2}.exe	38
PID 2340 wrote to memory of 2128	2340	{7DD10708-9E62-42e0-B583-F007B5BA7BD2}.exe	39
PID 2340 wrote to memory of 2128	2340	{7DD10708-9E62-42e0-B583-F007B5BA7BD2}.exe	39
PID 2340 wrote to memory of 2128	2340	{7DD10708-9E62-42e0-B583-F007B5BA7BD2}.exe	39
PID 2340 wrote to memory of 2128	2340	{7DD10708-9E62-42e0-B583-F007B5BA7BD2}.exe	39
PID 2584 wrote to memory of 2124	2584	{2AE272E7-C1E8-4e19-903E-97D86DEC4A57}.exe	40
PID 2584 wrote to memory of 2124	2584	{2AE272E7-C1E8-4e19-903E-97D86DEC4A57}.exe	40
PID 2584 wrote to memory of 2124	2584	{2AE272E7-C1E8-4e19-903E-97D86DEC4A57}.exe	40
PID 2584 wrote to memory of 2124	2584	{2AE272E7-C1E8-4e19-903E-97D86DEC4A57}.exe	40
PID 2584 wrote to memory of 1912	2584	{2AE272E7-C1E8-4e19-903E-97D86DEC4A57}.exe	41
PID 2584 wrote to memory of 1912	2584	{2AE272E7-C1E8-4e19-903E-97D86DEC4A57}.exe	41
PID 2584 wrote to memory of 1912	2584	{2AE272E7-C1E8-4e19-903E-97D86DEC4A57}.exe	41
PID 2584 wrote to memory of 1912	2584	{2AE272E7-C1E8-4e19-903E-97D86DEC4A57}.exe	41
PID 2124 wrote to memory of 1572	2124	{04D4C496-8D11-4d54-BDC2-B7F24D5E69CB}.exe	42
PID 2124 wrote to memory of 1572	2124	{04D4C496-8D11-4d54-BDC2-B7F24D5E69CB}.exe	42
PID 2124 wrote to memory of 1572	2124	{04D4C496-8D11-4d54-BDC2-B7F24D5E69CB}.exe	42
PID 2124 wrote to memory of 1572	2124	{04D4C496-8D11-4d54-BDC2-B7F24D5E69CB}.exe	42
PID 2124 wrote to memory of 1004	2124	{04D4C496-8D11-4d54-BDC2-B7F24D5E69CB}.exe	43
PID 2124 wrote to memory of 1004	2124	{04D4C496-8D11-4d54-BDC2-B7F24D5E69CB}.exe	43
PID 2124 wrote to memory of 1004	2124	{04D4C496-8D11-4d54-BDC2-B7F24D5E69CB}.exe	43
PID 2124 wrote to memory of 1004	2124	{04D4C496-8D11-4d54-BDC2-B7F24D5E69CB}.exe	43
PID 1572 wrote to memory of 1712	1572	{78CB4AC4-C8F4-494c-80A8-EFD4EACA9B3F}.exe	44
PID 1572 wrote to memory of 1712	1572	{78CB4AC4-C8F4-494c-80A8-EFD4EACA9B3F}.exe	44
PID 1572 wrote to memory of 1712	1572	{78CB4AC4-C8F4-494c-80A8-EFD4EACA9B3F}.exe	44
PID 1572 wrote to memory of 1712	1572	{78CB4AC4-C8F4-494c-80A8-EFD4EACA9B3F}.exe	44
PID 1572 wrote to memory of 2120	1572	{78CB4AC4-C8F4-494c-80A8-EFD4EACA9B3F}.exe	45
PID 1572 wrote to memory of 2120	1572	{78CB4AC4-C8F4-494c-80A8-EFD4EACA9B3F}.exe	45
PID 1572 wrote to memory of 2120	1572	{78CB4AC4-C8F4-494c-80A8-EFD4EACA9B3F}.exe	45
PID 1572 wrote to memory of 2120	1572	{78CB4AC4-C8F4-494c-80A8-EFD4EACA9B3F}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-03-18_d2870f7b5a459697e1b6a421e12d8a50_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-18_d2870f7b5a459697e1b6a421e12d8a50_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2744
- C:\Windows\{32260011-221A-4de8-99E0-5DBD648EAE04}.exe
  C:\Windows\{32260011-221A-4de8-99E0-5DBD648EAE04}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2824
- - C:\Windows\{77409B85-442B-42cd-B2F5-F0A7D4D09FD7}.exe
    C:\Windows\{77409B85-442B-42cd-B2F5-F0A7D4D09FD7}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2460
  - - C:\Windows\{2297E7A7-8F9A-4d45-AF98-F90809507C76}.exe
      C:\Windows\{2297E7A7-8F9A-4d45-AF98-F90809507C76}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2528
    - - C:\Windows\{7DD10708-9E62-42e0-B583-F007B5BA7BD2}.exe
        
        C:\Windows\{7DD10708-9E62-42e0-B583-F007B5BA7BD2}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2340
      - C:\Windows\{2AE272E7-C1E8-4e19-903E-97D86DEC4A57}.exe
        
        C:\Windows\{2AE272E7-C1E8-4e19-903E-97D86DEC4A57}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2584
        
        C:\Windows\{04D4C496-8D11-4d54-BDC2-B7F24D5E69CB}.exe
        
        C:\Windows\{04D4C496-8D11-4d54-BDC2-B7F24D5E69CB}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2124
        
        C:\Windows\{78CB4AC4-C8F4-494c-80A8-EFD4EACA9B3F}.exe
        
        C:\Windows\{78CB4AC4-C8F4-494c-80A8-EFD4EACA9B3F}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1572
        
        C:\Windows\{2D33C6C8-35CF-478e-917D-10CF806D239F}.exe
        
        C:\Windows\{2D33C6C8-35CF-478e-917D-10CF806D239F}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1712
        
        C:\Windows\{AF0A269C-1BED-48eb-9050-B7AE344EF1E6}.exe
        
        C:\Windows\{AF0A269C-1BED-48eb-9050-B7AE344EF1E6}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2724
        
        C:\Windows\{C60E3B98-9072-4f79-AF27-5B5F6713C5FC}.exe
        
        C:\Windows\{C60E3B98-9072-4f79-AF27-5B5F6713C5FC}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2224
        
        C:\Windows\{D7ABA289-2F60-4d35-9374-C655871B4990}.exe
        
        C:\Windows\{D7ABA289-2F60-4d35-9374-C655871B4990}.exe
        12⤵
        Executes dropped EXE
        
        PID:1544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C60E3~1.EXE > nul
        12⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AF0A2~1.EXE > nul
        11⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2D33C~1.EXE > nul
        10⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{78CB4~1.EXE > nul
        9⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{04D4C~1.EXE > nul
        8⤵
        
        PID:1004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2AE27~1.EXE > nul
        7⤵
        
        PID:1912
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7DD10~1.EXE > nul
        6⤵
        
        PID:2128
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2297E~1.EXE > nul
        5⤵
        
        PID:1996
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{77409~1.EXE > nul
      4⤵
      PID:2412
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{32260~1.EXE > nul
    3⤵
    PID:2488
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:1148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{04D4C496-8D11-4d54-BDC2-B7F24D5E69CB}.exe

Filesize
344KB

MD5
2af1280205d25b287dd4c47d0a2a0107

SHA1
715cea6fff7d293ca3c973665cd58af6d6272255

SHA256
3e1cdbcdc613b5a646d02b5bada2825f1a6f1986cd8453f323e46afc5dd8915e

SHA512
97bef83a77b4d02ff5a9213f2c251aab294260b600c78632b65c49e73091e8379ab9d366b7f06634c7d9e7837701468e873dc438d3c0dde7ff4a9f34bc4cab3c

Download Submit
C:\Windows\{2297E7A7-8F9A-4d45-AF98-F90809507C76}.exe

Filesize
344KB

MD5
5687d1a93b06b0b1051d3bb6be579c7d

SHA1
38b03e7c871b19778d13533f3db94eca5f80ab72

SHA256
6a00c040d633b716929ae3c237f2104a6683db2c2cb7c08816d1bd38e09884cb

SHA512
4f2cddc1eb24577892d103c77006c9df4a1257fe2ce3ed40a0540dd2d7ab0c38f0a5fc4a95e400c1369890b64aabe17b437c64a7c7f2bdc03bc147a07d98881d

Download Submit
C:\Windows\{2AE272E7-C1E8-4e19-903E-97D86DEC4A57}.exe

Filesize
344KB

MD5
af762a46ba004aa299b84b613a604a87

SHA1
72cd6285dc846c85177516217e06f424d4867e47

SHA256
90204fc677599ad2edd1210e8a4414fee517926e7cf47b3855f22991e3367b13

SHA512
8e490ea4e450f2de27038693073f7fa771392f5e7a4613ae78a8eadc70a73258c808a567a8abdc34ba13105673e51ed635765d19bf0c20f4604590393bf7b254

Download Submit
C:\Windows\{2D33C6C8-35CF-478e-917D-10CF806D239F}.exe

Filesize
344KB

MD5
7278c1220cf97a90631653de5b65acad

SHA1
bf5273560fefe54bc021e1c2dc4556397abe2143

SHA256
e2c952eb994f13380475534a519c3785e4c3c474ba9e6cba968d0416dedb7f57

SHA512
834529fe40433f4e0bfc6dd2b542c65b9f69db1293f975cfdfa0e91b911cf13918445f3530e95e94394e92f9d3a98ce72f13a6eb510d922d07a722e84632f35a

Download Submit
C:\Windows\{32260011-221A-4de8-99E0-5DBD648EAE04}.exe

Filesize
344KB

MD5
b8058d1abe52843a0fe34f1765f9e285

SHA1
a19503a2e342ed80986963fce9d5f7dd72783624

SHA256
aa18bcb2702399fe61da22d1239030e7fbd1d61e907c6403a4a082db03c946fb

SHA512
2ee168f976d7bb29c9261c459bb2e2a64df68018146a84c0cb47a0b338eab873975c36b28bc2788a074af9af247b7f36ffafa54b053c9c5f5f15e7bcb39943ad

Download Submit
C:\Windows\{77409B85-442B-42cd-B2F5-F0A7D4D09FD7}.exe

Filesize
344KB

MD5
2605ea1902fd77d59838d4c844bec214

SHA1
671072de4fbb503228d6b5aa91cfcfd3f190c419

SHA256
bccffad4dd0b7ec2587c52e01c03a23aeb18dd3ed47618540bc7650fa0a4a46c

SHA512
38dfee0ea2e7c1279a3583d287b7e3c3fd60323fded65b0860f85676598918518d8044567a96042523336300caf7c5c43d63d6f7271f43922630a9bfb76d9cfc

Download Submit
C:\Windows\{78CB4AC4-C8F4-494c-80A8-EFD4EACA9B3F}.exe

Filesize
344KB

MD5
57b814b49768538dfb998b87cebca40c

SHA1
55e7ffa209394dd13e1542a0ddedd9e203b29a6a

SHA256
2464e3c989949b571568d89b80bd502388812c0958450cd90e38fefffe136f6a

SHA512
9c7d6b9d9287958e82c211b2eb1fcbdcbc6b0421a1470685cd65dcf8820107cd7d4707a3f84e42dafa60a6b612d09bda6c3ded2ac3793843c4b3da18afefa0ed

Download Submit
C:\Windows\{7DD10708-9E62-42e0-B583-F007B5BA7BD2}.exe

Filesize
344KB

MD5
87007ca9e7b01f15050e7ff036dc20f0

SHA1
b94047f2cfc9bf3778dc315d83edf04002b10484

SHA256
cb6f9d58a3b8437bb8e6d7bbdbd7989b409e6130d48307f19c3c921de4735a16

SHA512
b49e6f5577c86d16ea9ba711160a40e3c34b2dd8a9bf893ce2cf0b4ddb0492c4a52a1da16e838017a9de7ae7a1d572482f3324e303e2939b6c976778617fbfed

Download Submit
C:\Windows\{AF0A269C-1BED-48eb-9050-B7AE344EF1E6}.exe

Filesize
344KB

MD5
e837c9c236a1475d750ae64b625abe74

SHA1
dd96dbbaa808e970ce567a45485e47d623734c92

SHA256
4c8c7be20322e21b7750a0f8224df22606c059ff1bcf5b1c51e391e192c8d181

SHA512
6e834145e662ea6d4ea2ef1bb5a545659bbda82ebc489ee039c43f1316c2593f7bc26e29cf5776138182173da9d43ab17e069398766852c3cb06c5f771a4e8ab

Download Submit
C:\Windows\{C60E3B98-9072-4f79-AF27-5B5F6713C5FC}.exe

Filesize
344KB

MD5
9c3fa4bc0abb4e1c38084f4d62657b56

SHA1
bd2d0b98cd43adf781fed20e52c2b4416132befb

SHA256
591e51759b1194d69036cfe16fc4f314372f5c8fe913797ab153c4100ea05278

SHA512
ca84d208b3287c47f09a29135d762f163b7b3cf642462a0993561e76a61817db4c0f1971baaff449dde59dfe563138d5d1c9201ee90359a22fc883d273509a00

Download Submit
C:\Windows\{D7ABA289-2F60-4d35-9374-C655871B4990}.exe

Filesize
344KB

MD5
ee95a68df20cd65ab678cd747beae9bb

SHA1
8a9b249101fc6d2ad57ced8689592ab7237cb85c

SHA256
dae40c2c1f5cc04367e4b2bf37874fc44f9065d2893620e8806bd57bc068797f

SHA512
8c94d09f8208069bd3aa7a39fcfceeacdf38623dbaceca46c14cbec92a95fbd46fc474af3a62e278419acaa92abdf54376d2c80ae3b8b8de85ad052afaa22e50

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads