f5b71caf894fb5f50f88d162e5a4ce119c0823cec207b0f00b414e330b225fee

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
05/04/2024, 08:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-05_47a12bf9c16848b900a001fd00083c04_goldeneye.exe
Size

180KB
MD5

47a12bf9c16848b900a001fd00083c04
SHA1

4360dd715ad3506b3e26eff7463e9bab3855eb95
SHA256

f5b71caf894fb5f50f88d162e5a4ce119c0823cec207b0f00b414e330b225fee
SHA512

554e8d7b7d9550ec528295cf5256c297aebbe1f5f9147cca3dbfc111e43a1d5865fde57ec31770b41a42ea47a5b319de7e582888ff70fb0954b977d23e94d7f4
SSDEEP

3072:jEGh0oclfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGGl5eKcAEc

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000700000001227e-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c0000000122df-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a000000015546-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000300000000b1f3-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000400000000b1f3-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000500000000b1f3-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000600000000b1f3-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{874B0581-1AC9-4110-B0C3-B05E58297373}	{E5FE4183-8523-4bac-8B0C-EDB83B5B5E1C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{874B0581-1AC9-4110-B0C3-B05E58297373}\stubpath = "C:\\Windows\\{874B0581-1AC9-4110-B0C3-B05E58297373}.exe"	{E5FE4183-8523-4bac-8B0C-EDB83B5B5E1C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{94A46F77-8A20-4686-BB13-D796924ABF96}	{874B0581-1AC9-4110-B0C3-B05E58297373}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5330C513-5F4A-4270-AA39-E1873FB39A23}\stubpath = "C:\\Windows\\{5330C513-5F4A-4270-AA39-E1873FB39A23}.exe"	{94A46F77-8A20-4686-BB13-D796924ABF96}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A1043CEA-61E6-4a31-B1B0-DA5B9F233648}\stubpath = "C:\\Windows\\{A1043CEA-61E6-4a31-B1B0-DA5B9F233648}.exe"	2024-04-05_47a12bf9c16848b900a001fd00083c04_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5FF5D840-F871-4c7b-8404-9FFC85183712}\stubpath = "C:\\Windows\\{5FF5D840-F871-4c7b-8404-9FFC85183712}.exe"	{A1043CEA-61E6-4a31-B1B0-DA5B9F233648}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8DE04D8B-9CC3-4937-8E3D-310144F1213D}\stubpath = "C:\\Windows\\{8DE04D8B-9CC3-4937-8E3D-310144F1213D}.exe"	{EECBB3D9-3D2F-4bc9-8DDE-1F4E22294393}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{94A46F77-8A20-4686-BB13-D796924ABF96}\stubpath = "C:\\Windows\\{94A46F77-8A20-4686-BB13-D796924ABF96}.exe"	{874B0581-1AC9-4110-B0C3-B05E58297373}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E5FE4183-8523-4bac-8B0C-EDB83B5B5E1C}\stubpath = "C:\\Windows\\{E5FE4183-8523-4bac-8B0C-EDB83B5B5E1C}.exe"	{106E86AD-E9E9-4b25-B131-EC101C5002D4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FD90F96C-62D5-4fb9-A0F0-D9B9A582788D}	{5330C513-5F4A-4270-AA39-E1873FB39A23}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FD90F96C-62D5-4fb9-A0F0-D9B9A582788D}\stubpath = "C:\\Windows\\{FD90F96C-62D5-4fb9-A0F0-D9B9A582788D}.exe"	{5330C513-5F4A-4270-AA39-E1873FB39A23}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A1043CEA-61E6-4a31-B1B0-DA5B9F233648}	2024-04-05_47a12bf9c16848b900a001fd00083c04_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8DE04D8B-9CC3-4937-8E3D-310144F1213D}	{EECBB3D9-3D2F-4bc9-8DDE-1F4E22294393}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{106E86AD-E9E9-4b25-B131-EC101C5002D4}	{8DE04D8B-9CC3-4937-8E3D-310144F1213D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{106E86AD-E9E9-4b25-B131-EC101C5002D4}\stubpath = "C:\\Windows\\{106E86AD-E9E9-4b25-B131-EC101C5002D4}.exe"	{8DE04D8B-9CC3-4937-8E3D-310144F1213D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5330C513-5F4A-4270-AA39-E1873FB39A23}	{94A46F77-8A20-4686-BB13-D796924ABF96}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{87C76491-B65D-4815-A12B-761CE68DC8D9}	{FD90F96C-62D5-4fb9-A0F0-D9B9A582788D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{87C76491-B65D-4815-A12B-761CE68DC8D9}\stubpath = "C:\\Windows\\{87C76491-B65D-4815-A12B-761CE68DC8D9}.exe"	{FD90F96C-62D5-4fb9-A0F0-D9B9A582788D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5FF5D840-F871-4c7b-8404-9FFC85183712}	{A1043CEA-61E6-4a31-B1B0-DA5B9F233648}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EECBB3D9-3D2F-4bc9-8DDE-1F4E22294393}	{5FF5D840-F871-4c7b-8404-9FFC85183712}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EECBB3D9-3D2F-4bc9-8DDE-1F4E22294393}\stubpath = "C:\\Windows\\{EECBB3D9-3D2F-4bc9-8DDE-1F4E22294393}.exe"	{5FF5D840-F871-4c7b-8404-9FFC85183712}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E5FE4183-8523-4bac-8B0C-EDB83B5B5E1C}	{106E86AD-E9E9-4b25-B131-EC101C5002D4}.exe

Deletes itself 1 IoCs

pid	Process
2040	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2944	{A1043CEA-61E6-4a31-B1B0-DA5B9F233648}.exe
2496	{5FF5D840-F871-4c7b-8404-9FFC85183712}.exe
2948	{EECBB3D9-3D2F-4bc9-8DDE-1F4E22294393}.exe
2444	{8DE04D8B-9CC3-4937-8E3D-310144F1213D}.exe
2156	{106E86AD-E9E9-4b25-B131-EC101C5002D4}.exe
2688	{E5FE4183-8523-4bac-8B0C-EDB83B5B5E1C}.exe
1640	{874B0581-1AC9-4110-B0C3-B05E58297373}.exe
928	{94A46F77-8A20-4686-BB13-D796924ABF96}.exe
392	{5330C513-5F4A-4270-AA39-E1873FB39A23}.exe
2900	{FD90F96C-62D5-4fb9-A0F0-D9B9A582788D}.exe
2020	{87C76491-B65D-4815-A12B-761CE68DC8D9}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{5FF5D840-F871-4c7b-8404-9FFC85183712}.exe	{A1043CEA-61E6-4a31-B1B0-DA5B9F233648}.exe
File created	C:\Windows\{8DE04D8B-9CC3-4937-8E3D-310144F1213D}.exe	{EECBB3D9-3D2F-4bc9-8DDE-1F4E22294393}.exe
File created	C:\Windows\{106E86AD-E9E9-4b25-B131-EC101C5002D4}.exe	{8DE04D8B-9CC3-4937-8E3D-310144F1213D}.exe
File created	C:\Windows\{874B0581-1AC9-4110-B0C3-B05E58297373}.exe	{E5FE4183-8523-4bac-8B0C-EDB83B5B5E1C}.exe
File created	C:\Windows\{FD90F96C-62D5-4fb9-A0F0-D9B9A582788D}.exe	{5330C513-5F4A-4270-AA39-E1873FB39A23}.exe
File created	C:\Windows\{A1043CEA-61E6-4a31-B1B0-DA5B9F233648}.exe	2024-04-05_47a12bf9c16848b900a001fd00083c04_goldeneye.exe
File created	C:\Windows\{EECBB3D9-3D2F-4bc9-8DDE-1F4E22294393}.exe	{5FF5D840-F871-4c7b-8404-9FFC85183712}.exe
File created	C:\Windows\{E5FE4183-8523-4bac-8B0C-EDB83B5B5E1C}.exe	{106E86AD-E9E9-4b25-B131-EC101C5002D4}.exe
File created	C:\Windows\{94A46F77-8A20-4686-BB13-D796924ABF96}.exe	{874B0581-1AC9-4110-B0C3-B05E58297373}.exe
File created	C:\Windows\{5330C513-5F4A-4270-AA39-E1873FB39A23}.exe	{94A46F77-8A20-4686-BB13-D796924ABF96}.exe
File created	C:\Windows\{87C76491-B65D-4815-A12B-761CE68DC8D9}.exe	{FD90F96C-62D5-4fb9-A0F0-D9B9A582788D}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2180	2024-04-05_47a12bf9c16848b900a001fd00083c04_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2944	{A1043CEA-61E6-4a31-B1B0-DA5B9F233648}.exe
Token: SeIncBasePriorityPrivilege	2496	{5FF5D840-F871-4c7b-8404-9FFC85183712}.exe
Token: SeIncBasePriorityPrivilege	2948	{EECBB3D9-3D2F-4bc9-8DDE-1F4E22294393}.exe
Token: SeIncBasePriorityPrivilege	2444	{8DE04D8B-9CC3-4937-8E3D-310144F1213D}.exe
Token: SeIncBasePriorityPrivilege	2156	{106E86AD-E9E9-4b25-B131-EC101C5002D4}.exe
Token: SeIncBasePriorityPrivilege	2688	{E5FE4183-8523-4bac-8B0C-EDB83B5B5E1C}.exe
Token: SeIncBasePriorityPrivilege	1640	{874B0581-1AC9-4110-B0C3-B05E58297373}.exe
Token: SeIncBasePriorityPrivilege	928	{94A46F77-8A20-4686-BB13-D796924ABF96}.exe
Token: SeIncBasePriorityPrivilege	392	{5330C513-5F4A-4270-AA39-E1873FB39A23}.exe
Token: SeIncBasePriorityPrivilege	2900	{FD90F96C-62D5-4fb9-A0F0-D9B9A582788D}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2180 wrote to memory of 2944	2180	2024-04-05_47a12bf9c16848b900a001fd00083c04_goldeneye.exe	28
PID 2180 wrote to memory of 2944	2180	2024-04-05_47a12bf9c16848b900a001fd00083c04_goldeneye.exe	28
PID 2180 wrote to memory of 2944	2180	2024-04-05_47a12bf9c16848b900a001fd00083c04_goldeneye.exe	28
PID 2180 wrote to memory of 2944	2180	2024-04-05_47a12bf9c16848b900a001fd00083c04_goldeneye.exe	28
PID 2180 wrote to memory of 2040	2180	2024-04-05_47a12bf9c16848b900a001fd00083c04_goldeneye.exe	29
PID 2180 wrote to memory of 2040	2180	2024-04-05_47a12bf9c16848b900a001fd00083c04_goldeneye.exe	29
PID 2180 wrote to memory of 2040	2180	2024-04-05_47a12bf9c16848b900a001fd00083c04_goldeneye.exe	29
PID 2180 wrote to memory of 2040	2180	2024-04-05_47a12bf9c16848b900a001fd00083c04_goldeneye.exe	29
PID 2944 wrote to memory of 2496	2944	{A1043CEA-61E6-4a31-B1B0-DA5B9F233648}.exe	30
PID 2944 wrote to memory of 2496	2944	{A1043CEA-61E6-4a31-B1B0-DA5B9F233648}.exe	30
PID 2944 wrote to memory of 2496	2944	{A1043CEA-61E6-4a31-B1B0-DA5B9F233648}.exe	30
PID 2944 wrote to memory of 2496	2944	{A1043CEA-61E6-4a31-B1B0-DA5B9F233648}.exe	30
PID 2944 wrote to memory of 2632	2944	{A1043CEA-61E6-4a31-B1B0-DA5B9F233648}.exe	31
PID 2944 wrote to memory of 2632	2944	{A1043CEA-61E6-4a31-B1B0-DA5B9F233648}.exe	31
PID 2944 wrote to memory of 2632	2944	{A1043CEA-61E6-4a31-B1B0-DA5B9F233648}.exe	31
PID 2944 wrote to memory of 2632	2944	{A1043CEA-61E6-4a31-B1B0-DA5B9F233648}.exe	31
PID 2496 wrote to memory of 2948	2496	{5FF5D840-F871-4c7b-8404-9FFC85183712}.exe	34
PID 2496 wrote to memory of 2948	2496	{5FF5D840-F871-4c7b-8404-9FFC85183712}.exe	34
PID 2496 wrote to memory of 2948	2496	{5FF5D840-F871-4c7b-8404-9FFC85183712}.exe	34
PID 2496 wrote to memory of 2948	2496	{5FF5D840-F871-4c7b-8404-9FFC85183712}.exe	34
PID 2496 wrote to memory of 2480	2496	{5FF5D840-F871-4c7b-8404-9FFC85183712}.exe	35
PID 2496 wrote to memory of 2480	2496	{5FF5D840-F871-4c7b-8404-9FFC85183712}.exe	35
PID 2496 wrote to memory of 2480	2496	{5FF5D840-F871-4c7b-8404-9FFC85183712}.exe	35
PID 2496 wrote to memory of 2480	2496	{5FF5D840-F871-4c7b-8404-9FFC85183712}.exe	35
PID 2948 wrote to memory of 2444	2948	{EECBB3D9-3D2F-4bc9-8DDE-1F4E22294393}.exe	36
PID 2948 wrote to memory of 2444	2948	{EECBB3D9-3D2F-4bc9-8DDE-1F4E22294393}.exe	36
PID 2948 wrote to memory of 2444	2948	{EECBB3D9-3D2F-4bc9-8DDE-1F4E22294393}.exe	36
PID 2948 wrote to memory of 2444	2948	{EECBB3D9-3D2F-4bc9-8DDE-1F4E22294393}.exe	36
PID 2948 wrote to memory of 2880	2948	{EECBB3D9-3D2F-4bc9-8DDE-1F4E22294393}.exe	37
PID 2948 wrote to memory of 2880	2948	{EECBB3D9-3D2F-4bc9-8DDE-1F4E22294393}.exe	37
PID 2948 wrote to memory of 2880	2948	{EECBB3D9-3D2F-4bc9-8DDE-1F4E22294393}.exe	37
PID 2948 wrote to memory of 2880	2948	{EECBB3D9-3D2F-4bc9-8DDE-1F4E22294393}.exe	37
PID 2444 wrote to memory of 2156	2444	{8DE04D8B-9CC3-4937-8E3D-310144F1213D}.exe	38
PID 2444 wrote to memory of 2156	2444	{8DE04D8B-9CC3-4937-8E3D-310144F1213D}.exe	38
PID 2444 wrote to memory of 2156	2444	{8DE04D8B-9CC3-4937-8E3D-310144F1213D}.exe	38
PID 2444 wrote to memory of 2156	2444	{8DE04D8B-9CC3-4937-8E3D-310144F1213D}.exe	38
PID 2444 wrote to memory of 528	2444	{8DE04D8B-9CC3-4937-8E3D-310144F1213D}.exe	39
PID 2444 wrote to memory of 528	2444	{8DE04D8B-9CC3-4937-8E3D-310144F1213D}.exe	39
PID 2444 wrote to memory of 528	2444	{8DE04D8B-9CC3-4937-8E3D-310144F1213D}.exe	39
PID 2444 wrote to memory of 528	2444	{8DE04D8B-9CC3-4937-8E3D-310144F1213D}.exe	39
PID 2156 wrote to memory of 2688	2156	{106E86AD-E9E9-4b25-B131-EC101C5002D4}.exe	40
PID 2156 wrote to memory of 2688	2156	{106E86AD-E9E9-4b25-B131-EC101C5002D4}.exe	40
PID 2156 wrote to memory of 2688	2156	{106E86AD-E9E9-4b25-B131-EC101C5002D4}.exe	40
PID 2156 wrote to memory of 2688	2156	{106E86AD-E9E9-4b25-B131-EC101C5002D4}.exe	40
PID 2156 wrote to memory of 1872	2156	{106E86AD-E9E9-4b25-B131-EC101C5002D4}.exe	41
PID 2156 wrote to memory of 1872	2156	{106E86AD-E9E9-4b25-B131-EC101C5002D4}.exe	41
PID 2156 wrote to memory of 1872	2156	{106E86AD-E9E9-4b25-B131-EC101C5002D4}.exe	41
PID 2156 wrote to memory of 1872	2156	{106E86AD-E9E9-4b25-B131-EC101C5002D4}.exe	41
PID 2688 wrote to memory of 1640	2688	{E5FE4183-8523-4bac-8B0C-EDB83B5B5E1C}.exe	42
PID 2688 wrote to memory of 1640	2688	{E5FE4183-8523-4bac-8B0C-EDB83B5B5E1C}.exe	42
PID 2688 wrote to memory of 1640	2688	{E5FE4183-8523-4bac-8B0C-EDB83B5B5E1C}.exe	42
PID 2688 wrote to memory of 1640	2688	{E5FE4183-8523-4bac-8B0C-EDB83B5B5E1C}.exe	42
PID 2688 wrote to memory of 2752	2688	{E5FE4183-8523-4bac-8B0C-EDB83B5B5E1C}.exe	43
PID 2688 wrote to memory of 2752	2688	{E5FE4183-8523-4bac-8B0C-EDB83B5B5E1C}.exe	43
PID 2688 wrote to memory of 2752	2688	{E5FE4183-8523-4bac-8B0C-EDB83B5B5E1C}.exe	43
PID 2688 wrote to memory of 2752	2688	{E5FE4183-8523-4bac-8B0C-EDB83B5B5E1C}.exe	43
PID 1640 wrote to memory of 928	1640	{874B0581-1AC9-4110-B0C3-B05E58297373}.exe	44
PID 1640 wrote to memory of 928	1640	{874B0581-1AC9-4110-B0C3-B05E58297373}.exe	44
PID 1640 wrote to memory of 928	1640	{874B0581-1AC9-4110-B0C3-B05E58297373}.exe	44
PID 1640 wrote to memory of 928	1640	{874B0581-1AC9-4110-B0C3-B05E58297373}.exe	44
PID 1640 wrote to memory of 2572	1640	{874B0581-1AC9-4110-B0C3-B05E58297373}.exe	45
PID 1640 wrote to memory of 2572	1640	{874B0581-1AC9-4110-B0C3-B05E58297373}.exe	45
PID 1640 wrote to memory of 2572	1640	{874B0581-1AC9-4110-B0C3-B05E58297373}.exe	45
PID 1640 wrote to memory of 2572	1640	{874B0581-1AC9-4110-B0C3-B05E58297373}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-04-05_47a12bf9c16848b900a001fd00083c04_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-05_47a12bf9c16848b900a001fd00083c04_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2180
- C:\Windows\{A1043CEA-61E6-4a31-B1B0-DA5B9F233648}.exe
  C:\Windows\{A1043CEA-61E6-4a31-B1B0-DA5B9F233648}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2944
- - C:\Windows\{5FF5D840-F871-4c7b-8404-9FFC85183712}.exe
    C:\Windows\{5FF5D840-F871-4c7b-8404-9FFC85183712}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2496
  - - C:\Windows\{EECBB3D9-3D2F-4bc9-8DDE-1F4E22294393}.exe
      C:\Windows\{EECBB3D9-3D2F-4bc9-8DDE-1F4E22294393}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2948
    - - C:\Windows\{8DE04D8B-9CC3-4937-8E3D-310144F1213D}.exe
        
        C:\Windows\{8DE04D8B-9CC3-4937-8E3D-310144F1213D}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2444
      - C:\Windows\{106E86AD-E9E9-4b25-B131-EC101C5002D4}.exe
        
        C:\Windows\{106E86AD-E9E9-4b25-B131-EC101C5002D4}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2156
        
        C:\Windows\{E5FE4183-8523-4bac-8B0C-EDB83B5B5E1C}.exe
        
        C:\Windows\{E5FE4183-8523-4bac-8B0C-EDB83B5B5E1C}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2688
        
        C:\Windows\{874B0581-1AC9-4110-B0C3-B05E58297373}.exe
        
        C:\Windows\{874B0581-1AC9-4110-B0C3-B05E58297373}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1640
        
        C:\Windows\{94A46F77-8A20-4686-BB13-D796924ABF96}.exe
        
        C:\Windows\{94A46F77-8A20-4686-BB13-D796924ABF96}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:928
        
        C:\Windows\{5330C513-5F4A-4270-AA39-E1873FB39A23}.exe
        
        C:\Windows\{5330C513-5F4A-4270-AA39-E1873FB39A23}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:392
        
        C:\Windows\{FD90F96C-62D5-4fb9-A0F0-D9B9A582788D}.exe
        
        C:\Windows\{FD90F96C-62D5-4fb9-A0F0-D9B9A582788D}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2900
        
        C:\Windows\{87C76491-B65D-4815-A12B-761CE68DC8D9}.exe
        
        C:\Windows\{87C76491-B65D-4815-A12B-761CE68DC8D9}.exe
        12⤵
        Executes dropped EXE
        
        PID:2020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FD90F~1.EXE > nul
        12⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5330C~1.EXE > nul
        11⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{94A46~1.EXE > nul
        10⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{874B0~1.EXE > nul
        9⤵
        
        PID:2572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E5FE4~1.EXE > nul
        8⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{106E8~1.EXE > nul
        7⤵
        
        PID:1872
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8DE04~1.EXE > nul
        6⤵
        
        PID:528
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EECBB~1.EXE > nul
        5⤵
        
        PID:2880
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{5FF5D~1.EXE > nul
      4⤵
      PID:2480
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{A1043~1.EXE > nul
    3⤵
    PID:2632
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{106E86AD-E9E9-4b25-B131-EC101C5002D4}.exe

Filesize
180KB

MD5
b36bdbbc7901d0f3410b35ce3cfd19a6

SHA1
28bff64ebf1c76eb07035fdbf8dab86872676a92

SHA256
e31fade48f1bddfcf71007fd1a336df0760961709ae6ca2d06a8f35598c7f63e

SHA512
58b85842f9fadf4663a8ae44c1b8db087ecc626944c3b932dcfb8567ce5ecd87ca7bd5c1b9f59eb2b016e0441c262bb3051904317f82bd3a10a1eda00bd87d7d

Download Submit
C:\Windows\{5330C513-5F4A-4270-AA39-E1873FB39A23}.exe

Filesize
180KB

MD5
49cd0a47fbe0f3d121baf219bfdb948f

SHA1
07239bea00d5677c6a148ee7a0dca9121af354f2

SHA256
6c84a97ca77b04dbf0170205866ec410dd22fc04fa36ec6f93ed1c1254109db5

SHA512
2193e4819012c0adbfd29cd0430ec9ff568a37f28abb0aa2e8266566492841a6b811760f9cccdf082e0052143c4766c1aec156a818d2faa155e07d74e324615f

Download Submit
C:\Windows\{5FF5D840-F871-4c7b-8404-9FFC85183712}.exe

Filesize
180KB

MD5
99ef3cabef8f3d01a9c71f4afa86fa5f

SHA1
672f8df96073256add657a933bb389cdf06bc4a2

SHA256
a4026d6665c5db2d42b53f8b7ce60b4cbac9f15f03e29de39d002dd00ca1bd94

SHA512
64c598ff5e6d56711f2f10291ab603d4f53d87155bbeda90a25398ccd7af13ac0e464bd47fa4e755b54fd282170350b6a4fb7db055e79cfac1e294bd3bc026b8

Download Submit
C:\Windows\{874B0581-1AC9-4110-B0C3-B05E58297373}.exe

Filesize
180KB

MD5
944f8f4201facdb163d2c96eb93194b6

SHA1
f0472a67bdc21f2a7e6b889b8d8a486cc2439b91

SHA256
4ac5de8ee988c3cada44939772f758decca7478a080bd7894838b0bca81a517f

SHA512
5e6731021623ef4ab2cd16bcb11528f14500bb10a2de049d01bf2ae7e6df468a4cec1f454a108401e256d758ac6f6c0928a13fbf20830a28706a677dfb00caf2

Download Submit
C:\Windows\{87C76491-B65D-4815-A12B-761CE68DC8D9}.exe

Filesize
180KB

MD5
a0f364b842df117f4d455c4cb8056611

SHA1
e34ea4be3055f55b2fe89d5f69537a5acd741c20

SHA256
04c087c2630f3a4e16eaa3dbdcebf6406a7fd0a4dcaa70f77bc5d994a3ff2f75

SHA512
63b96a55807ae5e2edc124f486e223373c865bfea5a8874e3e3573fff61ae73b6119b0e1bd9406dc316175514ec643c8997024d93f7c4fc399b58dd93d698fa8

Download Submit
C:\Windows\{8DE04D8B-9CC3-4937-8E3D-310144F1213D}.exe

Filesize
180KB

MD5
57cc318b9efccfff001755d0310bdd5e

SHA1
1ee85d76ec0b49c9f833822cfa42694f90117670

SHA256
2668c54c32acdb970b02eb62a80e4132c9fbb30441ad4ba4513d9d3f5dd0536e

SHA512
876b8fe9804210c3d96837dc5bed3b94eb71f6a19e45c8f423d0377868d3042f8bd45170848b639409d9022936858e79727c24c8298022742dda4adc8c8ed844

Download Submit
C:\Windows\{94A46F77-8A20-4686-BB13-D796924ABF96}.exe

Filesize
180KB

MD5
77ec5d2495cc2872047b3f38707c6022

SHA1
16df820f41e1f209cf719605af6da557d9544ff4

SHA256
83020b9239b267635076b2a307e2046c8080824b2e55ecf1799311c210e45aa7

SHA512
0eae945401aa22b7291bf3b53ca61d23e3547f795f520fb25faaf90c81b3d9ceab564a7d9d07d8f8c37bea692aa935358bae61d6af851401e8d099cb158b86ce

Download Submit
C:\Windows\{A1043CEA-61E6-4a31-B1B0-DA5B9F233648}.exe

Filesize
180KB

MD5
6c622b766e03c3db1336facbc8d67699

SHA1
833bbe843919e8992669f596c0838eea14c508b8

SHA256
dedb4159528a537a497d4ea24329b6d8f23a0187c08bf03cfb892cde94d02355

SHA512
4b923930d1a40601b73d3bdcfb489659aa2fcc4d85293ccd717b245a99b7ef75b90eeae7de41539b92592f2b45f8d8ca190891de123d2fe0e27e608f36d433aa

Download Submit
C:\Windows\{E5FE4183-8523-4bac-8B0C-EDB83B5B5E1C}.exe

Filesize
180KB

MD5
7758866c4e534dbce5491994f65be3ee

SHA1
425a77ac929c48ac393a273dfd3a9a5bde8bb42f

SHA256
b6281f7cb8aef1d554e3ecfad4e3bd4889e6d58654e74e74799a2027b70a07ff

SHA512
84c803a66bf4907cca2e5d6bed941acd541764ff23f629736617ea191232128f049c28a1668253f42dc853c6d2d1959044d1e2771094aaec016cf90887a510e5

Download Submit
C:\Windows\{EECBB3D9-3D2F-4bc9-8DDE-1F4E22294393}.exe

Filesize
180KB

MD5
04e932fc6378584f01bef378cf31f673

SHA1
3163408d8fdd4a8980d2de635dc6b9dbe7f55b2c

SHA256
74e349dff8683ee549ca625354f84d2f000a1e4438f5d1c5e677175a0a792091

SHA512
17dab020589c0d1e70dce941dd7a634b53ecb58e58c0a7e332ea36cb34957cebfc9045e72eeeb382095cb19199e2d011545fddd15c5a357da2e8046f26696d6c

Download Submit
C:\Windows\{FD90F96C-62D5-4fb9-A0F0-D9B9A582788D}.exe

Filesize
180KB

MD5
7a53108c5256810f051d750dbe8a63a1

SHA1
eb3dc5dbd59079d673e54c4672bc138a5b8d1d3e

SHA256
8455a464b53b752e99eaed5c9c2c2a1a8fdad8df929841908de7a090d2a36251

SHA512
462cd400247cfb4af9ff913074d2a2e4d8e89a8477ac732955ae479c7885314ce006a06af2fd778038c9f1c88024dd0b9cd808d29e4689443c9beb65be1fa215

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads