85c4632be6f7f609526f12d39444f67c386a16183537e6d22f0ed4535e5ce028

Analysis

max time kernel
144s
max time network
121s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
27-03-2024 04:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-27_b8e3b8466d67c42687b726dd959b5172_goldeneye.exe
Size

408KB
MD5

b8e3b8466d67c42687b726dd959b5172
SHA1

e33b0566f8e6e30d6a198cf3defc91cd78b458e3
SHA256

85c4632be6f7f609526f12d39444f67c386a16183537e6d22f0ed4535e5ce028
SHA512

9530dfb3f7507d0e52b44fbebce915c6fa4405f4a8916e4e44cd6ba59bc0e2601ab56f275fbe8f924982d537fa38f0c4f2dd689451dfe7724d46b68832d49292
SSDEEP

3072:CEGh0oxl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBft:CEGLldOe2MUVg3vTeKcAEciTBqr3jy9

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral1/files/0x00080000000122bf-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b000000014323-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00090000000122bf-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0035000000014588-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a0000000122bf-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b0000000122bf-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-62.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c0000000122bf-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{92FAE964-669B-41a1-B2BC-C3464E4C84B7}\stubpath = "C:\\Windows\\{92FAE964-669B-41a1-B2BC-C3464E4C84B7}.exe"	{1ABF19D6-1158-42e2-9D5F-39CED632B0D2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BCB5BA58-122A-4e6e-815B-5228D13B8AFF}	{C7A5A980-3142-4ae2-B383-0CE009F8909A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9A5B02C0-376E-499c-B4DF-AB95623DF64B}	{4FC66A0A-5715-413b-A3E7-20542E946683}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{90E97A76-49B3-4238-B19D-3EA4F5B1002D}\stubpath = "C:\\Windows\\{90E97A76-49B3-4238-B19D-3EA4F5B1002D}.exe"	2024-03-27_b8e3b8466d67c42687b726dd959b5172_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C7A5A980-3142-4ae2-B383-0CE009F8909A}	{92FAE964-669B-41a1-B2BC-C3464E4C84B7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BCB5BA58-122A-4e6e-815B-5228D13B8AFF}\stubpath = "C:\\Windows\\{BCB5BA58-122A-4e6e-815B-5228D13B8AFF}.exe"	{C7A5A980-3142-4ae2-B383-0CE009F8909A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{34F61C6B-7A22-403a-83A6-A17DC5DC0984}	{987026E5-E434-4bea-B001-216C3BE72D25}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{34F61C6B-7A22-403a-83A6-A17DC5DC0984}\stubpath = "C:\\Windows\\{34F61C6B-7A22-403a-83A6-A17DC5DC0984}.exe"	{987026E5-E434-4bea-B001-216C3BE72D25}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1ABF19D6-1158-42e2-9D5F-39CED632B0D2}	{90E97A76-49B3-4238-B19D-3EA4F5B1002D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4FC66A0A-5715-413b-A3E7-20542E946683}\stubpath = "C:\\Windows\\{4FC66A0A-5715-413b-A3E7-20542E946683}.exe"	{BCB5BA58-122A-4e6e-815B-5228D13B8AFF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{987026E5-E434-4bea-B001-216C3BE72D25}\stubpath = "C:\\Windows\\{987026E5-E434-4bea-B001-216C3BE72D25}.exe"	{9A5B02C0-376E-499c-B4DF-AB95623DF64B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{80312402-2F28-4915-A182-9610F9F104A9}	{34F61C6B-7A22-403a-83A6-A17DC5DC0984}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F8301A0F-DE1D-446b-8ADA-518AC15E25EF}	{80312402-2F28-4915-A182-9610F9F104A9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{90E97A76-49B3-4238-B19D-3EA4F5B1002D}	2024-03-27_b8e3b8466d67c42687b726dd959b5172_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{92FAE964-669B-41a1-B2BC-C3464E4C84B7}	{1ABF19D6-1158-42e2-9D5F-39CED632B0D2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C7A5A980-3142-4ae2-B383-0CE009F8909A}\stubpath = "C:\\Windows\\{C7A5A980-3142-4ae2-B383-0CE009F8909A}.exe"	{92FAE964-669B-41a1-B2BC-C3464E4C84B7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4FC66A0A-5715-413b-A3E7-20542E946683}	{BCB5BA58-122A-4e6e-815B-5228D13B8AFF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9A5B02C0-376E-499c-B4DF-AB95623DF64B}\stubpath = "C:\\Windows\\{9A5B02C0-376E-499c-B4DF-AB95623DF64B}.exe"	{4FC66A0A-5715-413b-A3E7-20542E946683}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{987026E5-E434-4bea-B001-216C3BE72D25}	{9A5B02C0-376E-499c-B4DF-AB95623DF64B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{80312402-2F28-4915-A182-9610F9F104A9}\stubpath = "C:\\Windows\\{80312402-2F28-4915-A182-9610F9F104A9}.exe"	{34F61C6B-7A22-403a-83A6-A17DC5DC0984}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F8301A0F-DE1D-446b-8ADA-518AC15E25EF}\stubpath = "C:\\Windows\\{F8301A0F-DE1D-446b-8ADA-518AC15E25EF}.exe"	{80312402-2F28-4915-A182-9610F9F104A9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1ABF19D6-1158-42e2-9D5F-39CED632B0D2}\stubpath = "C:\\Windows\\{1ABF19D6-1158-42e2-9D5F-39CED632B0D2}.exe"	{90E97A76-49B3-4238-B19D-3EA4F5B1002D}.exe

Deletes itself 1 IoCs

pid	Process
2560	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2680	{90E97A76-49B3-4238-B19D-3EA4F5B1002D}.exe
2884	{1ABF19D6-1158-42e2-9D5F-39CED632B0D2}.exe
2804	{92FAE964-669B-41a1-B2BC-C3464E4C84B7}.exe
2188	{C7A5A980-3142-4ae2-B383-0CE009F8909A}.exe
2832	{BCB5BA58-122A-4e6e-815B-5228D13B8AFF}.exe
1684	{4FC66A0A-5715-413b-A3E7-20542E946683}.exe
292	{9A5B02C0-376E-499c-B4DF-AB95623DF64B}.exe
1888	{987026E5-E434-4bea-B001-216C3BE72D25}.exe
1276	{34F61C6B-7A22-403a-83A6-A17DC5DC0984}.exe
2292	{80312402-2F28-4915-A182-9610F9F104A9}.exe
720	{F8301A0F-DE1D-446b-8ADA-518AC15E25EF}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{34F61C6B-7A22-403a-83A6-A17DC5DC0984}.exe	{987026E5-E434-4bea-B001-216C3BE72D25}.exe
File created	C:\Windows\{4FC66A0A-5715-413b-A3E7-20542E946683}.exe	{BCB5BA58-122A-4e6e-815B-5228D13B8AFF}.exe
File created	C:\Windows\{9A5B02C0-376E-499c-B4DF-AB95623DF64B}.exe	{4FC66A0A-5715-413b-A3E7-20542E946683}.exe
File created	C:\Windows\{92FAE964-669B-41a1-B2BC-C3464E4C84B7}.exe	{1ABF19D6-1158-42e2-9D5F-39CED632B0D2}.exe
File created	C:\Windows\{C7A5A980-3142-4ae2-B383-0CE009F8909A}.exe	{92FAE964-669B-41a1-B2BC-C3464E4C84B7}.exe
File created	C:\Windows\{BCB5BA58-122A-4e6e-815B-5228D13B8AFF}.exe	{C7A5A980-3142-4ae2-B383-0CE009F8909A}.exe
File created	C:\Windows\{987026E5-E434-4bea-B001-216C3BE72D25}.exe	{9A5B02C0-376E-499c-B4DF-AB95623DF64B}.exe
File created	C:\Windows\{80312402-2F28-4915-A182-9610F9F104A9}.exe	{34F61C6B-7A22-403a-83A6-A17DC5DC0984}.exe
File created	C:\Windows\{F8301A0F-DE1D-446b-8ADA-518AC15E25EF}.exe	{80312402-2F28-4915-A182-9610F9F104A9}.exe
File created	C:\Windows\{90E97A76-49B3-4238-B19D-3EA4F5B1002D}.exe	2024-03-27_b8e3b8466d67c42687b726dd959b5172_goldeneye.exe
File created	C:\Windows\{1ABF19D6-1158-42e2-9D5F-39CED632B0D2}.exe	{90E97A76-49B3-4238-B19D-3EA4F5B1002D}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1756	2024-03-27_b8e3b8466d67c42687b726dd959b5172_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2680	{90E97A76-49B3-4238-B19D-3EA4F5B1002D}.exe
Token: SeIncBasePriorityPrivilege	2884	{1ABF19D6-1158-42e2-9D5F-39CED632B0D2}.exe
Token: SeIncBasePriorityPrivilege	2804	{92FAE964-669B-41a1-B2BC-C3464E4C84B7}.exe
Token: SeIncBasePriorityPrivilege	2188	{C7A5A980-3142-4ae2-B383-0CE009F8909A}.exe
Token: SeIncBasePriorityPrivilege	2832	{BCB5BA58-122A-4e6e-815B-5228D13B8AFF}.exe
Token: SeIncBasePriorityPrivilege	1684	{4FC66A0A-5715-413b-A3E7-20542E946683}.exe
Token: SeIncBasePriorityPrivilege	292	{9A5B02C0-376E-499c-B4DF-AB95623DF64B}.exe
Token: SeIncBasePriorityPrivilege	1888	{987026E5-E434-4bea-B001-216C3BE72D25}.exe
Token: SeIncBasePriorityPrivilege	1276	{34F61C6B-7A22-403a-83A6-A17DC5DC0984}.exe
Token: SeIncBasePriorityPrivilege	2292	{80312402-2F28-4915-A182-9610F9F104A9}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1756 wrote to memory of 2680	1756	2024-03-27_b8e3b8466d67c42687b726dd959b5172_goldeneye.exe	28
PID 1756 wrote to memory of 2680	1756	2024-03-27_b8e3b8466d67c42687b726dd959b5172_goldeneye.exe	28
PID 1756 wrote to memory of 2680	1756	2024-03-27_b8e3b8466d67c42687b726dd959b5172_goldeneye.exe	28
PID 1756 wrote to memory of 2680	1756	2024-03-27_b8e3b8466d67c42687b726dd959b5172_goldeneye.exe	28
PID 1756 wrote to memory of 2560	1756	2024-03-27_b8e3b8466d67c42687b726dd959b5172_goldeneye.exe	29
PID 1756 wrote to memory of 2560	1756	2024-03-27_b8e3b8466d67c42687b726dd959b5172_goldeneye.exe	29
PID 1756 wrote to memory of 2560	1756	2024-03-27_b8e3b8466d67c42687b726dd959b5172_goldeneye.exe	29
PID 1756 wrote to memory of 2560	1756	2024-03-27_b8e3b8466d67c42687b726dd959b5172_goldeneye.exe	29
PID 2680 wrote to memory of 2884	2680	{90E97A76-49B3-4238-B19D-3EA4F5B1002D}.exe	30
PID 2680 wrote to memory of 2884	2680	{90E97A76-49B3-4238-B19D-3EA4F5B1002D}.exe	30
PID 2680 wrote to memory of 2884	2680	{90E97A76-49B3-4238-B19D-3EA4F5B1002D}.exe	30
PID 2680 wrote to memory of 2884	2680	{90E97A76-49B3-4238-B19D-3EA4F5B1002D}.exe	30
PID 2680 wrote to memory of 2476	2680	{90E97A76-49B3-4238-B19D-3EA4F5B1002D}.exe	31
PID 2680 wrote to memory of 2476	2680	{90E97A76-49B3-4238-B19D-3EA4F5B1002D}.exe	31
PID 2680 wrote to memory of 2476	2680	{90E97A76-49B3-4238-B19D-3EA4F5B1002D}.exe	31
PID 2680 wrote to memory of 2476	2680	{90E97A76-49B3-4238-B19D-3EA4F5B1002D}.exe	31
PID 2884 wrote to memory of 2804	2884	{1ABF19D6-1158-42e2-9D5F-39CED632B0D2}.exe	32
PID 2884 wrote to memory of 2804	2884	{1ABF19D6-1158-42e2-9D5F-39CED632B0D2}.exe	32
PID 2884 wrote to memory of 2804	2884	{1ABF19D6-1158-42e2-9D5F-39CED632B0D2}.exe	32
PID 2884 wrote to memory of 2804	2884	{1ABF19D6-1158-42e2-9D5F-39CED632B0D2}.exe	32
PID 2884 wrote to memory of 2784	2884	{1ABF19D6-1158-42e2-9D5F-39CED632B0D2}.exe	33
PID 2884 wrote to memory of 2784	2884	{1ABF19D6-1158-42e2-9D5F-39CED632B0D2}.exe	33
PID 2884 wrote to memory of 2784	2884	{1ABF19D6-1158-42e2-9D5F-39CED632B0D2}.exe	33
PID 2884 wrote to memory of 2784	2884	{1ABF19D6-1158-42e2-9D5F-39CED632B0D2}.exe	33
PID 2804 wrote to memory of 2188	2804	{92FAE964-669B-41a1-B2BC-C3464E4C84B7}.exe	36
PID 2804 wrote to memory of 2188	2804	{92FAE964-669B-41a1-B2BC-C3464E4C84B7}.exe	36
PID 2804 wrote to memory of 2188	2804	{92FAE964-669B-41a1-B2BC-C3464E4C84B7}.exe	36
PID 2804 wrote to memory of 2188	2804	{92FAE964-669B-41a1-B2BC-C3464E4C84B7}.exe	36
PID 2804 wrote to memory of 2024	2804	{92FAE964-669B-41a1-B2BC-C3464E4C84B7}.exe	37
PID 2804 wrote to memory of 2024	2804	{92FAE964-669B-41a1-B2BC-C3464E4C84B7}.exe	37
PID 2804 wrote to memory of 2024	2804	{92FAE964-669B-41a1-B2BC-C3464E4C84B7}.exe	37
PID 2804 wrote to memory of 2024	2804	{92FAE964-669B-41a1-B2BC-C3464E4C84B7}.exe	37
PID 2188 wrote to memory of 2832	2188	{C7A5A980-3142-4ae2-B383-0CE009F8909A}.exe	38
PID 2188 wrote to memory of 2832	2188	{C7A5A980-3142-4ae2-B383-0CE009F8909A}.exe	38
PID 2188 wrote to memory of 2832	2188	{C7A5A980-3142-4ae2-B383-0CE009F8909A}.exe	38
PID 2188 wrote to memory of 2832	2188	{C7A5A980-3142-4ae2-B383-0CE009F8909A}.exe	38
PID 2188 wrote to memory of 2952	2188	{C7A5A980-3142-4ae2-B383-0CE009F8909A}.exe	39
PID 2188 wrote to memory of 2952	2188	{C7A5A980-3142-4ae2-B383-0CE009F8909A}.exe	39
PID 2188 wrote to memory of 2952	2188	{C7A5A980-3142-4ae2-B383-0CE009F8909A}.exe	39
PID 2188 wrote to memory of 2952	2188	{C7A5A980-3142-4ae2-B383-0CE009F8909A}.exe	39
PID 2832 wrote to memory of 1684	2832	{BCB5BA58-122A-4e6e-815B-5228D13B8AFF}.exe	40
PID 2832 wrote to memory of 1684	2832	{BCB5BA58-122A-4e6e-815B-5228D13B8AFF}.exe	40
PID 2832 wrote to memory of 1684	2832	{BCB5BA58-122A-4e6e-815B-5228D13B8AFF}.exe	40
PID 2832 wrote to memory of 1684	2832	{BCB5BA58-122A-4e6e-815B-5228D13B8AFF}.exe	40
PID 2832 wrote to memory of 1788	2832	{BCB5BA58-122A-4e6e-815B-5228D13B8AFF}.exe	41
PID 2832 wrote to memory of 1788	2832	{BCB5BA58-122A-4e6e-815B-5228D13B8AFF}.exe	41
PID 2832 wrote to memory of 1788	2832	{BCB5BA58-122A-4e6e-815B-5228D13B8AFF}.exe	41
PID 2832 wrote to memory of 1788	2832	{BCB5BA58-122A-4e6e-815B-5228D13B8AFF}.exe	41
PID 1684 wrote to memory of 292	1684	{4FC66A0A-5715-413b-A3E7-20542E946683}.exe	42
PID 1684 wrote to memory of 292	1684	{4FC66A0A-5715-413b-A3E7-20542E946683}.exe	42
PID 1684 wrote to memory of 292	1684	{4FC66A0A-5715-413b-A3E7-20542E946683}.exe	42
PID 1684 wrote to memory of 292	1684	{4FC66A0A-5715-413b-A3E7-20542E946683}.exe	42
PID 1684 wrote to memory of 2528	1684	{4FC66A0A-5715-413b-A3E7-20542E946683}.exe	43
PID 1684 wrote to memory of 2528	1684	{4FC66A0A-5715-413b-A3E7-20542E946683}.exe	43
PID 1684 wrote to memory of 2528	1684	{4FC66A0A-5715-413b-A3E7-20542E946683}.exe	43
PID 1684 wrote to memory of 2528	1684	{4FC66A0A-5715-413b-A3E7-20542E946683}.exe	43
PID 292 wrote to memory of 1888	292	{9A5B02C0-376E-499c-B4DF-AB95623DF64B}.exe	44
PID 292 wrote to memory of 1888	292	{9A5B02C0-376E-499c-B4DF-AB95623DF64B}.exe	44
PID 292 wrote to memory of 1888	292	{9A5B02C0-376E-499c-B4DF-AB95623DF64B}.exe	44
PID 292 wrote to memory of 1888	292	{9A5B02C0-376E-499c-B4DF-AB95623DF64B}.exe	44
PID 292 wrote to memory of 1636	292	{9A5B02C0-376E-499c-B4DF-AB95623DF64B}.exe	45
PID 292 wrote to memory of 1636	292	{9A5B02C0-376E-499c-B4DF-AB95623DF64B}.exe	45
PID 292 wrote to memory of 1636	292	{9A5B02C0-376E-499c-B4DF-AB95623DF64B}.exe	45
PID 292 wrote to memory of 1636	292	{9A5B02C0-376E-499c-B4DF-AB95623DF64B}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-03-27_b8e3b8466d67c42687b726dd959b5172_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-27_b8e3b8466d67c42687b726dd959b5172_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1756
- C:\Windows\{90E97A76-49B3-4238-B19D-3EA4F5B1002D}.exe
  C:\Windows\{90E97A76-49B3-4238-B19D-3EA4F5B1002D}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2680
- - C:\Windows\{1ABF19D6-1158-42e2-9D5F-39CED632B0D2}.exe
    C:\Windows\{1ABF19D6-1158-42e2-9D5F-39CED632B0D2}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2884
  - - C:\Windows\{92FAE964-669B-41a1-B2BC-C3464E4C84B7}.exe
      C:\Windows\{92FAE964-669B-41a1-B2BC-C3464E4C84B7}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2804
    - - C:\Windows\{C7A5A980-3142-4ae2-B383-0CE009F8909A}.exe
        
        C:\Windows\{C7A5A980-3142-4ae2-B383-0CE009F8909A}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2188
      - C:\Windows\{BCB5BA58-122A-4e6e-815B-5228D13B8AFF}.exe
        
        C:\Windows\{BCB5BA58-122A-4e6e-815B-5228D13B8AFF}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2832
        
        C:\Windows\{4FC66A0A-5715-413b-A3E7-20542E946683}.exe
        
        C:\Windows\{4FC66A0A-5715-413b-A3E7-20542E946683}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1684
        
        C:\Windows\{9A5B02C0-376E-499c-B4DF-AB95623DF64B}.exe
        
        C:\Windows\{9A5B02C0-376E-499c-B4DF-AB95623DF64B}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:292
        
        C:\Windows\{987026E5-E434-4bea-B001-216C3BE72D25}.exe
        
        C:\Windows\{987026E5-E434-4bea-B001-216C3BE72D25}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1888
        
        C:\Windows\{34F61C6B-7A22-403a-83A6-A17DC5DC0984}.exe
        
        C:\Windows\{34F61C6B-7A22-403a-83A6-A17DC5DC0984}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1276
        
        C:\Windows\{80312402-2F28-4915-A182-9610F9F104A9}.exe
        
        C:\Windows\{80312402-2F28-4915-A182-9610F9F104A9}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2292
        
        C:\Windows\{F8301A0F-DE1D-446b-8ADA-518AC15E25EF}.exe
        
        C:\Windows\{F8301A0F-DE1D-446b-8ADA-518AC15E25EF}.exe
        12⤵
        Executes dropped EXE
        
        PID:720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{80312~1.EXE > nul
        12⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{34F61~1.EXE > nul
        11⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{98702~1.EXE > nul
        10⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9A5B0~1.EXE > nul
        9⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4FC66~1.EXE > nul
        8⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BCB5B~1.EXE > nul
        7⤵
        
        PID:1788
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C7A5A~1.EXE > nul
        6⤵
        
        PID:2952
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{92FAE~1.EXE > nul
        5⤵
        
        PID:2024
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{1ABF1~1.EXE > nul
      4⤵
      PID:2784
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{90E97~1.EXE > nul
    3⤵
    PID:2476
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1ABF19D6-1158-42e2-9D5F-39CED632B0D2}.exe

Filesize
408KB

MD5
874567d33cc9f7cce8bdae32a0275534

SHA1
0242648eb2750f4a1170fb486802869855eb9289

SHA256
3ab462cceae0683f54c2c852fdca3220654ad31d1b37a55459fde2dc24a23d00

SHA512
0a32c028a4243ddc307168b5706e6b487747131a3a645225884774c8efa7ebb7829b9469228fa076ab07fff98e1a3cc8f8c60de8dc369a924aa75de8472927ba

Download Submit
C:\Windows\{34F61C6B-7A22-403a-83A6-A17DC5DC0984}.exe

Filesize
408KB

MD5
3e9de6c99a1adc7ab54aad6a433de620

SHA1
45b9f068b50f3cd7ff0ab25ae7dc01e8572148c3

SHA256
75a89c250e8f91c6847db2024ce532647bcc84a0098d2fa2715f7954a2022036

SHA512
09af9ce7addca218a82251550626eb31c3164f35c9c9d27deac0a2c1aa75b2449390d8c4da6a07b06e0a3c3d3a4908ab5323868b88c87c3d70bc1d8d786d848e

Download Submit
C:\Windows\{34F61C6B-7A22-403a-83A6-A17DC5DC0984}.exe

Filesize
359KB

MD5
0cd589b68efe1885372864d423feac7a

SHA1
1b0b14ba7c6c936ec766395cce951cdc81fac80c

SHA256
8427f76ea44b2039f217bf34f930985ef4214b571b389267663f3e15611faf74

SHA512
5a8c3f4673f33413f0d96b5641117b70aa81727615eb6e9e3a22e37b8e27ad4b75adadb361a94e140557bd021af7282eb20a1bf769ef130e030d3acb10b9c7a9

Download Submit
C:\Windows\{4FC66A0A-5715-413b-A3E7-20542E946683}.exe

Filesize
408KB

MD5
a549f784882cb6f932f9533f4626571a

SHA1
2bef426dc5794bcedc31161843a8f4218f32b039

SHA256
427632162b76f54e31bdd1b44daff909c06d06b563e32e45d906381fd5d430ae

SHA512
aa7e8a400375749b1713c281d14a229f3aa8d0aa5e56546754d8fbaafa397c255dd3a1225015c4d9165117c1a796d3153f38b57c94c609eeec5743bd1648cd18

Download Submit
C:\Windows\{80312402-2F28-4915-A182-9610F9F104A9}.exe

Filesize
408KB

MD5
e5f66f61b6b309a9549420c7ef567c79

SHA1
8ac5eb25ec405008a23238871cc22c751edd7e5e

SHA256
935878b749b3a7b0ac8c411a3758dd45f3291d6c887d266b9874038d9870017f

SHA512
875f71775b4ec7bb763f1a7280f540640e921dd2af4a20e63f7374a9f1109502452e5fc44eb49dd858bef3fa6c09eb49d65996f11421902d4c5032037b1bf214

Download Submit
C:\Windows\{90E97A76-49B3-4238-B19D-3EA4F5B1002D}.exe

Filesize
408KB

MD5
7f3f6fe81ee82dce9f2c3a105c48ea32

SHA1
07c24414cd0933fc039346610573a62860c160ac

SHA256
b2994951cec43dc6fa55d14b6675e5d2806c6e8d820f28e928758381eaacf63f

SHA512
30d96c98bba9fe7567942e9271c1bd72684f8318530328e610bb877c442ee9043764ca670109084928a7d702efc1d48cf629c7203961c8545599c2566402e39b

Download Submit
C:\Windows\{92FAE964-669B-41a1-B2BC-C3464E4C84B7}.exe

Filesize
408KB

MD5
1b9719d70c75cc9c9892722cc30128e3

SHA1
a006ee702d2470e8dc965beb4849506679168cfa

SHA256
0bdbf0550470ffa79bc462a8b390517b01979652ecafa4f48c730827d3efc501

SHA512
533f1b01dc24b75606715154c1999965d726004237b0ea2a7137c885230535dff51b62af7a833a7e1c750dd02e01a5cfe0c0b6389509cd7a66b6cca78c7f390d

Download Submit
C:\Windows\{987026E5-E434-4bea-B001-216C3BE72D25}.exe

Filesize
408KB

MD5
cddfc91bcc749ea7bf6facbe7daa29f6

SHA1
05ae7c403ec95f267592e54dd328f787132d610f

SHA256
0c82c00cd8acb8154d9ba3a27e82a36a0097d3989489ebbc76e5468a051993bb

SHA512
1f2d71228a859d3b60a8dbd031440fe657385bffa3573721e22a973793ab672278ced97f3ab3b54bd2b0e57c921e14481ba1d445d59c1614c14f03ce8a35b5cc

Download Submit
C:\Windows\{9A5B02C0-376E-499c-B4DF-AB95623DF64B}.exe

Filesize
408KB

MD5
7f7fd1bd243408e33fcbb1a730933a22

SHA1
9d4a004cdbd7a32fe7addbd76429f9759ea7e271

SHA256
eaac2b1819ec1f77790dafa44a2452ef38d04df7a46b921b61bf667e4769ca29

SHA512
d4346c70a76ffe6617d6b56f12e9ec92130008458fcb6ba7733e4fa4197c2fc4588b9579097689dc09ebf0177b6f7ee9faf25c866b1107098c79ce73bb493f2a

Download Submit
C:\Windows\{BCB5BA58-122A-4e6e-815B-5228D13B8AFF}.exe

Filesize
408KB

MD5
6a2aaab0e345a55bcd01cc391b498fb7

SHA1
2cf99d0291edc357ac35e66883c81dd67b41f58d

SHA256
cddd5ee58f3fafe21585c2eda3b1a3a9f38cf84253c12607444427572739d16b

SHA512
4d41a561c5c672beafe8917a279acb6ab76cb7741255b4cb1c3125a6567fd98dbbcfd494cb5b7955d1942805ab55c7f2dc2a8aaae71d2ebded19ac105824ddf2

Download Submit
C:\Windows\{C7A5A980-3142-4ae2-B383-0CE009F8909A}.exe

Filesize
408KB

MD5
8f5b65990b029f11ae7424f822f61ba2

SHA1
78aeeac5f29efd38f2a90c5cdaaec311af401d01

SHA256
83cf30b708e39d4007ec12649ad8776d02f7b49243558a0f457e6e4a2470fbf2

SHA512
77d30586435c10f46b6a19c8c6235c43c8108ac71f883fbbed36a67e45f38098e07a018b4ea00998a708d37b3bff9ff7a31714e9fd6b73d09062a3dff6f49320

Download Submit
C:\Windows\{F8301A0F-DE1D-446b-8ADA-518AC15E25EF}.exe

Filesize
408KB

MD5
57323453083834964a09aba215374d2e

SHA1
f787a791780a1b69442856c07db634e3c041076e

SHA256
74fce17ff311b92e0f63eb2d10440c68cb9549692dfce79fad896aaebf251a90

SHA512
a0b1c067887ad12a421648965ad29a06940d6ea2856fa51595244eff820ec3f66f00d877666186a468b7be6779bbdbbdc3c402c7197677baa6b13d952cdf65d1

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads