2478ee977fdad419354796062ec76a69c2ed2799b77451eaabf31d488bd4f474

Analysis

max time kernel
144s
max time network
123s
platform
windows7_x64
resource
win7-20240319-en
resource tags

arch:x64arch:x86image:win7-20240319-enlocale:en-usos:windows7-x64system
submitted
04/04/2024, 16:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-04_3fffeef5581fb6beaa474c4d61381576_goldeneye.exe
Size

180KB
MD5

3fffeef5581fb6beaa474c4d61381576
SHA1

a7072bb850452316c4328925a41cdbf31a7473ff
SHA256

2478ee977fdad419354796062ec76a69c2ed2799b77451eaabf31d488bd4f474
SHA512

1859ee3aa9445d30484f93aefa95d23244fcd746656bbd563e5549f9b1105805b5d10bd133e4811abb755c003395baad2b5f7e0271be37f50c8c9f34d20bd494
SSDEEP

3072:jEGh0o+lfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGYl5eKcAEc

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000b0000000121c5-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000800000001220a-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c0000000121c5-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d0000000121c5-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e0000000121c5-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f0000000121c5-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00100000000121c5-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{28B54131-4AC0-496a-A196-4BA57BE60E4F}\stubpath = "C:\\Windows\\{28B54131-4AC0-496a-A196-4BA57BE60E4F}.exe"	{5FF0E1CA-8524-4096-A885-F6656AC75673}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{427CC9DA-F2D8-470c-9834-1A7C0A253EF1}\stubpath = "C:\\Windows\\{427CC9DA-F2D8-470c-9834-1A7C0A253EF1}.exe"	{28B54131-4AC0-496a-A196-4BA57BE60E4F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6F2EED5B-0469-4ce0-8AA0-65D6630D140E}\stubpath = "C:\\Windows\\{6F2EED5B-0469-4ce0-8AA0-65D6630D140E}.exe"	{17D985CD-EADB-40e1-BF2E-2559AA62F7A8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EAA3677D-3977-4ab4-9B6F-72708B37D443}\stubpath = "C:\\Windows\\{EAA3677D-3977-4ab4-9B6F-72708B37D443}.exe"	{6F2EED5B-0469-4ce0-8AA0-65D6630D140E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{301DC6D6-930C-4360-AC79-E8C7B3D65810}\stubpath = "C:\\Windows\\{301DC6D6-930C-4360-AC79-E8C7B3D65810}.exe"	{7EDC939B-68EA-4c61-B9A7-068BC3CE9570}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5FF0E1CA-8524-4096-A885-F6656AC75673}\stubpath = "C:\\Windows\\{5FF0E1CA-8524-4096-A885-F6656AC75673}.exe"	{301DC6D6-930C-4360-AC79-E8C7B3D65810}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B630B208-8F5C-4baa-931B-94F5DFD379D4}	{427CC9DA-F2D8-470c-9834-1A7C0A253EF1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{17D985CD-EADB-40e1-BF2E-2559AA62F7A8}	2024-04-04_3fffeef5581fb6beaa474c4d61381576_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6F2EED5B-0469-4ce0-8AA0-65D6630D140E}	{17D985CD-EADB-40e1-BF2E-2559AA62F7A8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EAA3677D-3977-4ab4-9B6F-72708B37D443}	{6F2EED5B-0469-4ce0-8AA0-65D6630D140E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7EDC939B-68EA-4c61-B9A7-068BC3CE9570}	{D6628510-E002-4b7b-8862-ECAF9884BE6D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B630B208-8F5C-4baa-931B-94F5DFD379D4}\stubpath = "C:\\Windows\\{B630B208-8F5C-4baa-931B-94F5DFD379D4}.exe"	{427CC9DA-F2D8-470c-9834-1A7C0A253EF1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{85D88CE3-3A6A-4392-90A1-D36FAF409B30}\stubpath = "C:\\Windows\\{85D88CE3-3A6A-4392-90A1-D36FAF409B30}.exe"	{EAA3677D-3977-4ab4-9B6F-72708B37D443}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D6628510-E002-4b7b-8862-ECAF9884BE6D}	{85D88CE3-3A6A-4392-90A1-D36FAF409B30}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{28B54131-4AC0-496a-A196-4BA57BE60E4F}	{5FF0E1CA-8524-4096-A885-F6656AC75673}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{427CC9DA-F2D8-470c-9834-1A7C0A253EF1}	{28B54131-4AC0-496a-A196-4BA57BE60E4F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{301DC6D6-930C-4360-AC79-E8C7B3D65810}	{7EDC939B-68EA-4c61-B9A7-068BC3CE9570}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5FF0E1CA-8524-4096-A885-F6656AC75673}	{301DC6D6-930C-4360-AC79-E8C7B3D65810}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{17D985CD-EADB-40e1-BF2E-2559AA62F7A8}\stubpath = "C:\\Windows\\{17D985CD-EADB-40e1-BF2E-2559AA62F7A8}.exe"	2024-04-04_3fffeef5581fb6beaa474c4d61381576_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{85D88CE3-3A6A-4392-90A1-D36FAF409B30}	{EAA3677D-3977-4ab4-9B6F-72708B37D443}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D6628510-E002-4b7b-8862-ECAF9884BE6D}\stubpath = "C:\\Windows\\{D6628510-E002-4b7b-8862-ECAF9884BE6D}.exe"	{85D88CE3-3A6A-4392-90A1-D36FAF409B30}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7EDC939B-68EA-4c61-B9A7-068BC3CE9570}\stubpath = "C:\\Windows\\{7EDC939B-68EA-4c61-B9A7-068BC3CE9570}.exe"	{D6628510-E002-4b7b-8862-ECAF9884BE6D}.exe

Deletes itself 1 IoCs

pid	Process
2700	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2068	{17D985CD-EADB-40e1-BF2E-2559AA62F7A8}.exe
2760	{6F2EED5B-0469-4ce0-8AA0-65D6630D140E}.exe
2528	{EAA3677D-3977-4ab4-9B6F-72708B37D443}.exe
2972	{85D88CE3-3A6A-4392-90A1-D36FAF409B30}.exe
2744	{D6628510-E002-4b7b-8862-ECAF9884BE6D}.exe
1224	{7EDC939B-68EA-4c61-B9A7-068BC3CE9570}.exe
1884	{301DC6D6-930C-4360-AC79-E8C7B3D65810}.exe
680	{5FF0E1CA-8524-4096-A885-F6656AC75673}.exe
1168	{28B54131-4AC0-496a-A196-4BA57BE60E4F}.exe
1632	{427CC9DA-F2D8-470c-9834-1A7C0A253EF1}.exe
2840	{B630B208-8F5C-4baa-931B-94F5DFD379D4}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{EAA3677D-3977-4ab4-9B6F-72708B37D443}.exe	{6F2EED5B-0469-4ce0-8AA0-65D6630D140E}.exe
File created	C:\Windows\{85D88CE3-3A6A-4392-90A1-D36FAF409B30}.exe	{EAA3677D-3977-4ab4-9B6F-72708B37D443}.exe
File created	C:\Windows\{D6628510-E002-4b7b-8862-ECAF9884BE6D}.exe	{85D88CE3-3A6A-4392-90A1-D36FAF409B30}.exe
File created	C:\Windows\{7EDC939B-68EA-4c61-B9A7-068BC3CE9570}.exe	{D6628510-E002-4b7b-8862-ECAF9884BE6D}.exe
File created	C:\Windows\{427CC9DA-F2D8-470c-9834-1A7C0A253EF1}.exe	{28B54131-4AC0-496a-A196-4BA57BE60E4F}.exe
File created	C:\Windows\{B630B208-8F5C-4baa-931B-94F5DFD379D4}.exe	{427CC9DA-F2D8-470c-9834-1A7C0A253EF1}.exe
File created	C:\Windows\{6F2EED5B-0469-4ce0-8AA0-65D6630D140E}.exe	{17D985CD-EADB-40e1-BF2E-2559AA62F7A8}.exe
File created	C:\Windows\{301DC6D6-930C-4360-AC79-E8C7B3D65810}.exe	{7EDC939B-68EA-4c61-B9A7-068BC3CE9570}.exe
File created	C:\Windows\{5FF0E1CA-8524-4096-A885-F6656AC75673}.exe	{301DC6D6-930C-4360-AC79-E8C7B3D65810}.exe
File created	C:\Windows\{28B54131-4AC0-496a-A196-4BA57BE60E4F}.exe	{5FF0E1CA-8524-4096-A885-F6656AC75673}.exe
File created	C:\Windows\{17D985CD-EADB-40e1-BF2E-2559AA62F7A8}.exe	2024-04-04_3fffeef5581fb6beaa474c4d61381576_goldeneye.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1580	2024-04-04_3fffeef5581fb6beaa474c4d61381576_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2068	{17D985CD-EADB-40e1-BF2E-2559AA62F7A8}.exe
Token: SeIncBasePriorityPrivilege	2760	{6F2EED5B-0469-4ce0-8AA0-65D6630D140E}.exe
Token: SeIncBasePriorityPrivilege	2528	{EAA3677D-3977-4ab4-9B6F-72708B37D443}.exe
Token: SeIncBasePriorityPrivilege	2972	{85D88CE3-3A6A-4392-90A1-D36FAF409B30}.exe
Token: SeIncBasePriorityPrivilege	2744	{D6628510-E002-4b7b-8862-ECAF9884BE6D}.exe
Token: SeIncBasePriorityPrivilege	1224	{7EDC939B-68EA-4c61-B9A7-068BC3CE9570}.exe
Token: SeIncBasePriorityPrivilege	1884	{301DC6D6-930C-4360-AC79-E8C7B3D65810}.exe
Token: SeIncBasePriorityPrivilege	680	{5FF0E1CA-8524-4096-A885-F6656AC75673}.exe
Token: SeIncBasePriorityPrivilege	1168	{28B54131-4AC0-496a-A196-4BA57BE60E4F}.exe
Token: SeIncBasePriorityPrivilege	1632	{427CC9DA-F2D8-470c-9834-1A7C0A253EF1}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1580 wrote to memory of 2068	1580	2024-04-04_3fffeef5581fb6beaa474c4d61381576_goldeneye.exe	28
PID 1580 wrote to memory of 2068	1580	2024-04-04_3fffeef5581fb6beaa474c4d61381576_goldeneye.exe	28
PID 1580 wrote to memory of 2068	1580	2024-04-04_3fffeef5581fb6beaa474c4d61381576_goldeneye.exe	28
PID 1580 wrote to memory of 2068	1580	2024-04-04_3fffeef5581fb6beaa474c4d61381576_goldeneye.exe	28
PID 1580 wrote to memory of 2700	1580	2024-04-04_3fffeef5581fb6beaa474c4d61381576_goldeneye.exe	29
PID 1580 wrote to memory of 2700	1580	2024-04-04_3fffeef5581fb6beaa474c4d61381576_goldeneye.exe	29
PID 1580 wrote to memory of 2700	1580	2024-04-04_3fffeef5581fb6beaa474c4d61381576_goldeneye.exe	29
PID 1580 wrote to memory of 2700	1580	2024-04-04_3fffeef5581fb6beaa474c4d61381576_goldeneye.exe	29
PID 2068 wrote to memory of 2760	2068	{17D985CD-EADB-40e1-BF2E-2559AA62F7A8}.exe	30
PID 2068 wrote to memory of 2760	2068	{17D985CD-EADB-40e1-BF2E-2559AA62F7A8}.exe	30
PID 2068 wrote to memory of 2760	2068	{17D985CD-EADB-40e1-BF2E-2559AA62F7A8}.exe	30
PID 2068 wrote to memory of 2760	2068	{17D985CD-EADB-40e1-BF2E-2559AA62F7A8}.exe	30
PID 2068 wrote to memory of 2560	2068	{17D985CD-EADB-40e1-BF2E-2559AA62F7A8}.exe	31
PID 2068 wrote to memory of 2560	2068	{17D985CD-EADB-40e1-BF2E-2559AA62F7A8}.exe	31
PID 2068 wrote to memory of 2560	2068	{17D985CD-EADB-40e1-BF2E-2559AA62F7A8}.exe	31
PID 2068 wrote to memory of 2560	2068	{17D985CD-EADB-40e1-BF2E-2559AA62F7A8}.exe	31
PID 2760 wrote to memory of 2528	2760	{6F2EED5B-0469-4ce0-8AA0-65D6630D140E}.exe	32
PID 2760 wrote to memory of 2528	2760	{6F2EED5B-0469-4ce0-8AA0-65D6630D140E}.exe	32
PID 2760 wrote to memory of 2528	2760	{6F2EED5B-0469-4ce0-8AA0-65D6630D140E}.exe	32
PID 2760 wrote to memory of 2528	2760	{6F2EED5B-0469-4ce0-8AA0-65D6630D140E}.exe	32
PID 2760 wrote to memory of 2772	2760	{6F2EED5B-0469-4ce0-8AA0-65D6630D140E}.exe	33
PID 2760 wrote to memory of 2772	2760	{6F2EED5B-0469-4ce0-8AA0-65D6630D140E}.exe	33
PID 2760 wrote to memory of 2772	2760	{6F2EED5B-0469-4ce0-8AA0-65D6630D140E}.exe	33
PID 2760 wrote to memory of 2772	2760	{6F2EED5B-0469-4ce0-8AA0-65D6630D140E}.exe	33
PID 2528 wrote to memory of 2972	2528	{EAA3677D-3977-4ab4-9B6F-72708B37D443}.exe	36
PID 2528 wrote to memory of 2972	2528	{EAA3677D-3977-4ab4-9B6F-72708B37D443}.exe	36
PID 2528 wrote to memory of 2972	2528	{EAA3677D-3977-4ab4-9B6F-72708B37D443}.exe	36
PID 2528 wrote to memory of 2972	2528	{EAA3677D-3977-4ab4-9B6F-72708B37D443}.exe	36
PID 2528 wrote to memory of 2912	2528	{EAA3677D-3977-4ab4-9B6F-72708B37D443}.exe	37
PID 2528 wrote to memory of 2912	2528	{EAA3677D-3977-4ab4-9B6F-72708B37D443}.exe	37
PID 2528 wrote to memory of 2912	2528	{EAA3677D-3977-4ab4-9B6F-72708B37D443}.exe	37
PID 2528 wrote to memory of 2912	2528	{EAA3677D-3977-4ab4-9B6F-72708B37D443}.exe	37
PID 2972 wrote to memory of 2744	2972	{85D88CE3-3A6A-4392-90A1-D36FAF409B30}.exe	38
PID 2972 wrote to memory of 2744	2972	{85D88CE3-3A6A-4392-90A1-D36FAF409B30}.exe	38
PID 2972 wrote to memory of 2744	2972	{85D88CE3-3A6A-4392-90A1-D36FAF409B30}.exe	38
PID 2972 wrote to memory of 2744	2972	{85D88CE3-3A6A-4392-90A1-D36FAF409B30}.exe	38
PID 2972 wrote to memory of 2768	2972	{85D88CE3-3A6A-4392-90A1-D36FAF409B30}.exe	39
PID 2972 wrote to memory of 2768	2972	{85D88CE3-3A6A-4392-90A1-D36FAF409B30}.exe	39
PID 2972 wrote to memory of 2768	2972	{85D88CE3-3A6A-4392-90A1-D36FAF409B30}.exe	39
PID 2972 wrote to memory of 2768	2972	{85D88CE3-3A6A-4392-90A1-D36FAF409B30}.exe	39
PID 2744 wrote to memory of 1224	2744	{D6628510-E002-4b7b-8862-ECAF9884BE6D}.exe	40
PID 2744 wrote to memory of 1224	2744	{D6628510-E002-4b7b-8862-ECAF9884BE6D}.exe	40
PID 2744 wrote to memory of 1224	2744	{D6628510-E002-4b7b-8862-ECAF9884BE6D}.exe	40
PID 2744 wrote to memory of 1224	2744	{D6628510-E002-4b7b-8862-ECAF9884BE6D}.exe	40
PID 2744 wrote to memory of 1072	2744	{D6628510-E002-4b7b-8862-ECAF9884BE6D}.exe	41
PID 2744 wrote to memory of 1072	2744	{D6628510-E002-4b7b-8862-ECAF9884BE6D}.exe	41
PID 2744 wrote to memory of 1072	2744	{D6628510-E002-4b7b-8862-ECAF9884BE6D}.exe	41
PID 2744 wrote to memory of 1072	2744	{D6628510-E002-4b7b-8862-ECAF9884BE6D}.exe	41
PID 1224 wrote to memory of 1884	1224	{7EDC939B-68EA-4c61-B9A7-068BC3CE9570}.exe	42
PID 1224 wrote to memory of 1884	1224	{7EDC939B-68EA-4c61-B9A7-068BC3CE9570}.exe	42
PID 1224 wrote to memory of 1884	1224	{7EDC939B-68EA-4c61-B9A7-068BC3CE9570}.exe	42
PID 1224 wrote to memory of 1884	1224	{7EDC939B-68EA-4c61-B9A7-068BC3CE9570}.exe	42
PID 1224 wrote to memory of 1444	1224	{7EDC939B-68EA-4c61-B9A7-068BC3CE9570}.exe	43
PID 1224 wrote to memory of 1444	1224	{7EDC939B-68EA-4c61-B9A7-068BC3CE9570}.exe	43
PID 1224 wrote to memory of 1444	1224	{7EDC939B-68EA-4c61-B9A7-068BC3CE9570}.exe	43
PID 1224 wrote to memory of 1444	1224	{7EDC939B-68EA-4c61-B9A7-068BC3CE9570}.exe	43
PID 1884 wrote to memory of 680	1884	{301DC6D6-930C-4360-AC79-E8C7B3D65810}.exe	44
PID 1884 wrote to memory of 680	1884	{301DC6D6-930C-4360-AC79-E8C7B3D65810}.exe	44
PID 1884 wrote to memory of 680	1884	{301DC6D6-930C-4360-AC79-E8C7B3D65810}.exe	44
PID 1884 wrote to memory of 680	1884	{301DC6D6-930C-4360-AC79-E8C7B3D65810}.exe	44
PID 1884 wrote to memory of 848	1884	{301DC6D6-930C-4360-AC79-E8C7B3D65810}.exe	45
PID 1884 wrote to memory of 848	1884	{301DC6D6-930C-4360-AC79-E8C7B3D65810}.exe	45
PID 1884 wrote to memory of 848	1884	{301DC6D6-930C-4360-AC79-E8C7B3D65810}.exe	45
PID 1884 wrote to memory of 848	1884	{301DC6D6-930C-4360-AC79-E8C7B3D65810}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-04-04_3fffeef5581fb6beaa474c4d61381576_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-04_3fffeef5581fb6beaa474c4d61381576_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1580
- C:\Windows\{17D985CD-EADB-40e1-BF2E-2559AA62F7A8}.exe
  C:\Windows\{17D985CD-EADB-40e1-BF2E-2559AA62F7A8}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2068
- - C:\Windows\{6F2EED5B-0469-4ce0-8AA0-65D6630D140E}.exe
    C:\Windows\{6F2EED5B-0469-4ce0-8AA0-65D6630D140E}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2760
  - - C:\Windows\{EAA3677D-3977-4ab4-9B6F-72708B37D443}.exe
      C:\Windows\{EAA3677D-3977-4ab4-9B6F-72708B37D443}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2528
    - - C:\Windows\{85D88CE3-3A6A-4392-90A1-D36FAF409B30}.exe
        
        C:\Windows\{85D88CE3-3A6A-4392-90A1-D36FAF409B30}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2972
      - C:\Windows\{D6628510-E002-4b7b-8862-ECAF9884BE6D}.exe
        
        C:\Windows\{D6628510-E002-4b7b-8862-ECAF9884BE6D}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2744
        
        C:\Windows\{7EDC939B-68EA-4c61-B9A7-068BC3CE9570}.exe
        
        C:\Windows\{7EDC939B-68EA-4c61-B9A7-068BC3CE9570}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1224
        
        C:\Windows\{301DC6D6-930C-4360-AC79-E8C7B3D65810}.exe
        
        C:\Windows\{301DC6D6-930C-4360-AC79-E8C7B3D65810}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1884
        
        C:\Windows\{5FF0E1CA-8524-4096-A885-F6656AC75673}.exe
        
        C:\Windows\{5FF0E1CA-8524-4096-A885-F6656AC75673}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:680
        
        C:\Windows\{28B54131-4AC0-496a-A196-4BA57BE60E4F}.exe
        
        C:\Windows\{28B54131-4AC0-496a-A196-4BA57BE60E4F}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1168
        
        C:\Windows\{427CC9DA-F2D8-470c-9834-1A7C0A253EF1}.exe
        
        C:\Windows\{427CC9DA-F2D8-470c-9834-1A7C0A253EF1}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1632
        
        C:\Windows\{B630B208-8F5C-4baa-931B-94F5DFD379D4}.exe
        
        C:\Windows\{B630B208-8F5C-4baa-931B-94F5DFD379D4}.exe
        12⤵
        Executes dropped EXE
        
        PID:2840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{427CC~1.EXE > nul
        12⤵
        
        PID:1744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{28B54~1.EXE > nul
        11⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5FF0E~1.EXE > nul
        10⤵
        
        PID:1476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{301DC~1.EXE > nul
        9⤵
        
        PID:848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7EDC9~1.EXE > nul
        8⤵
        
        PID:1444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D6628~1.EXE > nul
        7⤵
        
        PID:1072
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{85D88~1.EXE > nul
        6⤵
        
        PID:2768
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EAA36~1.EXE > nul
        5⤵
        
        PID:2912
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{6F2EE~1.EXE > nul
      4⤵
      PID:2772
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{17D98~1.EXE > nul
    3⤵
    PID:2560
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{17D985CD-EADB-40e1-BF2E-2559AA62F7A8}.exe

Filesize
180KB

MD5
437934d54f8a210a972f68883788f32a

SHA1
caeb5f671d09bb3fde5f6a65bdeaeaca029d2380

SHA256
a5915fe50afadbf906752708ea1c6675b5351e4729bc7de33735238186c04025

SHA512
bcece4551d1cf818e340c68cff9f0ad4c07599be6dc6b2140e3a084df8ff8d2869f8489ca7a897667d0a053f32049ab37cb64600e5a7892cc5f87c34bf81881c

Download Submit
C:\Windows\{28B54131-4AC0-496a-A196-4BA57BE60E4F}.exe

Filesize
180KB

MD5
821f00d360a78493ceaa7f60c237fec6

SHA1
2d457fbede3cb4dd7e801d3690356691bc0c983b

SHA256
d86d6b68e4cd105ea910c3876bd9301aa21f60aa47d8d749e76866e09fd46cf9

SHA512
bb7a88b9ed18501eb681625f0dc15235d8805f78f76e26afee265203390454de106ba2038c7040c6585722f0e083bd735c7576c8e5da504fd333eec9486922e4

Download Submit
C:\Windows\{301DC6D6-930C-4360-AC79-E8C7B3D65810}.exe

Filesize
180KB

MD5
6b5d34243163b355be36f3d251ae1730

SHA1
f15648c40bf00bcdc7f6d90b62bde2e01b3836c1

SHA256
dbb5bcc77323ca5a0944f02270c321cb356d06335a8e85397990088190bd558b

SHA512
073b48602f75eea164244112c1eb1209116d3ae5169c45bb5164ec684530bb6e83fa37c8610cae471000144efe00d3c16ecf5b4a5ae4e27c91e72fada611f97c

Download Submit
C:\Windows\{427CC9DA-F2D8-470c-9834-1A7C0A253EF1}.exe

Filesize
180KB

MD5
f087e23818e370d12fd92a00738e7159

SHA1
34019b75a534bac49754f3ea9b2f3f0500a87a65

SHA256
d562a17e34f594839a21ce270e3e7a0d43327c071ddfc3d10047f47ceaa61146

SHA512
1bddf304ba64bcff5880894db210b0f34dae5d5d7ffe15e24e441ddda579c044d43be319e9bfc2afe6cfd108c0e710aae17c5d6380c09b216a72c4cab495ca2f

Download Submit
C:\Windows\{5FF0E1CA-8524-4096-A885-F6656AC75673}.exe

Filesize
180KB

MD5
c25872fc5038a5fc146a9db27b760169

SHA1
0e25ebad9abc37a5d440c66105ec3e363decbc71

SHA256
a98b8059b9eaf5a9fad73ec58a684b31546e21232f9a3db99ed7efed13c5aeb9

SHA512
95b397fde14d7fa9c3bd594b074118a8eb62f60cfa74234d89bc107d90b8562568278263567915b724415ff2eb4ccf19b48df5218613420ff79b276b36f765a6

Download Submit
C:\Windows\{6F2EED5B-0469-4ce0-8AA0-65D6630D140E}.exe

Filesize
180KB

MD5
70927951209c5bc2394b05e97fb1aa02

SHA1
9aba9149f8b4b6c60f1d91b01ac89d70c264ee89

SHA256
1e48302368bee87f43b7fbc878dcfaf9082c1299ee396b6ae254c77fd6e890b0

SHA512
8c4898af0f5a33862b55206a42f30f46f0ec6936929e317897f261ec8179aaf9af417176077202aa3258ec1575fe5c4ebb093dd01106f386342394522ce97896

Download Submit
C:\Windows\{7EDC939B-68EA-4c61-B9A7-068BC3CE9570}.exe

Filesize
180KB

MD5
7fec9bc046d970e97fc05b76f3f73cff

SHA1
4a40403272b65c4f3150f125f98ce830327d4c31

SHA256
8f38635bef7b8f71a1947ee89f2080ee75aa8c5bd7ce446e78606a00ae7b6e75

SHA512
bd5a38acb25f8940244587575750bdc548c68c8c20d7b80d48e56dfe4353df38247edd48f52ebc890e216f2339b645bcf4bf4102b79877f4d2918537dfe40cb6

Download Submit
C:\Windows\{85D88CE3-3A6A-4392-90A1-D36FAF409B30}.exe

Filesize
180KB

MD5
bea2bbb4a6c608c906ec1e34bb8034ed

SHA1
23eaa75579747153072fc2c650f8cf92e5e41f1c

SHA256
6946f0d04ce41fbafb586d14a2989b46a6aaf0cac9413ef42057967c0cd64175

SHA512
5f095398b6575d7ee9244d92e9667a8200b2fc6749e65906ac9a7b1dd90393e9276a419c925949398a0b768d7f18d296304e6d64639e142092ae52e67073ebe5

Download Submit
C:\Windows\{B630B208-8F5C-4baa-931B-94F5DFD379D4}.exe

Filesize
180KB

MD5
23c9a10e3f23e8698754187b0debf9fd

SHA1
731d31c424501af5c0ad2abd8ebfa1b4dfb9b85f

SHA256
1f84394abbc68657ff740ed61d007040c16a5de4d961ab6b9a3774807a26696a

SHA512
f678c106782c3d429915ca5a3c83ae5b682ddfd18db8fd86ecc965a5ed0a55e10cb9dc4c83ea68db335e69904819884aa965ae6cac7cf5c919b1115ee9644bfb

Download Submit
C:\Windows\{D6628510-E002-4b7b-8862-ECAF9884BE6D}.exe

Filesize
180KB

MD5
eb70f4271f39af82a1d590582bcd06a3

SHA1
81d125638bff4efd3f68ddf6ee27b91f2a86f8f0

SHA256
1ea727a93ea5e9199d9c0ae7f705d756f2f7a3fc4e556d4df77446aa20e4ceb8

SHA512
e3c3f67ce63e5025147c59b3d536470f5c41f8b8a656f96a8fd8f6dce68817a47ba5d7045f4a116b6fe53e554351b28637fd5369797819ce61d84d14be7791c5

Download Submit
C:\Windows\{EAA3677D-3977-4ab4-9B6F-72708B37D443}.exe

Filesize
180KB

MD5
a2da88d2ab15264c72ed7102c07c84f0

SHA1
bf42c96941be7c25bf67feee203d58480d67d3a4

SHA256
03126b88d24c7527ccd2ed983b1f4a970cdecc45d0e792ed4218063a44413e36

SHA512
c388957ca19f6fcdafe86f5fc739388b665674e11913e81d607803e885d28741682c68e3349dabffa905fcafad60ab68c9b6e2a2c6fc02dcad56e30392bebdd2

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads