82c3f2a39b1cb9b73c015bc9e62b9922ea42fde7d663ad98f4a3ec72554581f9

Analysis

max time kernel
144s
max time network
126s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
06/04/2024, 03:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-06_4b5eb739454a2c236bef477ea28d5bbf_goldeneye.exe
Size

204KB
MD5

4b5eb739454a2c236bef477ea28d5bbf
SHA1

f8869baa983a74cef0a52f2b4045690176f35a8d
SHA256

82c3f2a39b1cb9b73c015bc9e62b9922ea42fde7d663ad98f4a3ec72554581f9
SHA512

05227427c5671d08d8defa631d7d40cba01e71690ad81c8c5f6395cb1ab490bbd9da3e03c074adbe743f775ac807d0780a9b0133bf3547426db960d14bd8db54
SSDEEP

1536:1EGh0oWCl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oWCl1OPOe2MUVg3Ve+rXfMUy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000b000000015a2d-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000015c7c-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f00000000f680-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000015a2d-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001000000000f680-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000015a2d-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001100000000f680-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e000000015a2d-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001200000000f680-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f000000015a2d-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001300000000f680-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{22E79497-481C-4c4e-8DE6-21685A59660F}\stubpath = "C:\\Windows\\{22E79497-481C-4c4e-8DE6-21685A59660F}.exe"	{F1872057-D7B1-4f91-8300-ADFE8C5CAD09}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2A439D78-A49D-4b28-8497-D06115B16C9A}	{5CD73BDE-C3DB-4ba6-AB08-EF0B27F3DCB5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{377EC447-AC48-48eb-9ADE-5F7F6638FD58}	{54070D4D-7127-4972-A201-DB20C07BB71F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{166D1FFD-AFBD-44b1-B5C9-C80CA8B46638}\stubpath = "C:\\Windows\\{166D1FFD-AFBD-44b1-B5C9-C80CA8B46638}.exe"	{377EC447-AC48-48eb-9ADE-5F7F6638FD58}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{377EC447-AC48-48eb-9ADE-5F7F6638FD58}\stubpath = "C:\\Windows\\{377EC447-AC48-48eb-9ADE-5F7F6638FD58}.exe"	{54070D4D-7127-4972-A201-DB20C07BB71F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{06333A53-5198-414e-94B5-3F21A2731C5A}	{166D1FFD-AFBD-44b1-B5C9-C80CA8B46638}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5CD73BDE-C3DB-4ba6-AB08-EF0B27F3DCB5}	{59722ED9-DF44-42c5-BD5A-F55D3E08110A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2A439D78-A49D-4b28-8497-D06115B16C9A}\stubpath = "C:\\Windows\\{2A439D78-A49D-4b28-8497-D06115B16C9A}.exe"	{5CD73BDE-C3DB-4ba6-AB08-EF0B27F3DCB5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5702C73B-2E04-4a99-9C51-AD022BC8364A}\stubpath = "C:\\Windows\\{5702C73B-2E04-4a99-9C51-AD022BC8364A}.exe"	{2A439D78-A49D-4b28-8497-D06115B16C9A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{54070D4D-7127-4972-A201-DB20C07BB71F}\stubpath = "C:\\Windows\\{54070D4D-7127-4972-A201-DB20C07BB71F}.exe"	{5702C73B-2E04-4a99-9C51-AD022BC8364A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AC854965-12EF-4520-8060-813E108B7166}	{06333A53-5198-414e-94B5-3F21A2731C5A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F1872057-D7B1-4f91-8300-ADFE8C5CAD09}	2024-04-06_4b5eb739454a2c236bef477ea28d5bbf_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{59722ED9-DF44-42c5-BD5A-F55D3E08110A}	{22E79497-481C-4c4e-8DE6-21685A59660F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5CD73BDE-C3DB-4ba6-AB08-EF0B27F3DCB5}\stubpath = "C:\\Windows\\{5CD73BDE-C3DB-4ba6-AB08-EF0B27F3DCB5}.exe"	{59722ED9-DF44-42c5-BD5A-F55D3E08110A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5702C73B-2E04-4a99-9C51-AD022BC8364A}	{2A439D78-A49D-4b28-8497-D06115B16C9A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{166D1FFD-AFBD-44b1-B5C9-C80CA8B46638}	{377EC447-AC48-48eb-9ADE-5F7F6638FD58}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{06333A53-5198-414e-94B5-3F21A2731C5A}\stubpath = "C:\\Windows\\{06333A53-5198-414e-94B5-3F21A2731C5A}.exe"	{166D1FFD-AFBD-44b1-B5C9-C80CA8B46638}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AC854965-12EF-4520-8060-813E108B7166}\stubpath = "C:\\Windows\\{AC854965-12EF-4520-8060-813E108B7166}.exe"	{06333A53-5198-414e-94B5-3F21A2731C5A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F1872057-D7B1-4f91-8300-ADFE8C5CAD09}\stubpath = "C:\\Windows\\{F1872057-D7B1-4f91-8300-ADFE8C5CAD09}.exe"	2024-04-06_4b5eb739454a2c236bef477ea28d5bbf_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{22E79497-481C-4c4e-8DE6-21685A59660F}	{F1872057-D7B1-4f91-8300-ADFE8C5CAD09}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{59722ED9-DF44-42c5-BD5A-F55D3E08110A}\stubpath = "C:\\Windows\\{59722ED9-DF44-42c5-BD5A-F55D3E08110A}.exe"	{22E79497-481C-4c4e-8DE6-21685A59660F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{54070D4D-7127-4972-A201-DB20C07BB71F}	{5702C73B-2E04-4a99-9C51-AD022BC8364A}.exe

Deletes itself 1 IoCs

pid	Process
2544	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2992	{F1872057-D7B1-4f91-8300-ADFE8C5CAD09}.exe
2644	{22E79497-481C-4c4e-8DE6-21685A59660F}.exe
2360	{59722ED9-DF44-42c5-BD5A-F55D3E08110A}.exe
2788	{5CD73BDE-C3DB-4ba6-AB08-EF0B27F3DCB5}.exe
2344	{2A439D78-A49D-4b28-8497-D06115B16C9A}.exe
2348	{5702C73B-2E04-4a99-9C51-AD022BC8364A}.exe
1768	{54070D4D-7127-4972-A201-DB20C07BB71F}.exe
1908	{377EC447-AC48-48eb-9ADE-5F7F6638FD58}.exe
1668	{166D1FFD-AFBD-44b1-B5C9-C80CA8B46638}.exe
2224	{06333A53-5198-414e-94B5-3F21A2731C5A}.exe
2016	{AC854965-12EF-4520-8060-813E108B7166}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{5CD73BDE-C3DB-4ba6-AB08-EF0B27F3DCB5}.exe	{59722ED9-DF44-42c5-BD5A-F55D3E08110A}.exe
File created	C:\Windows\{2A439D78-A49D-4b28-8497-D06115B16C9A}.exe	{5CD73BDE-C3DB-4ba6-AB08-EF0B27F3DCB5}.exe
File created	C:\Windows\{06333A53-5198-414e-94B5-3F21A2731C5A}.exe	{166D1FFD-AFBD-44b1-B5C9-C80CA8B46638}.exe
File created	C:\Windows\{22E79497-481C-4c4e-8DE6-21685A59660F}.exe	{F1872057-D7B1-4f91-8300-ADFE8C5CAD09}.exe
File created	C:\Windows\{59722ED9-DF44-42c5-BD5A-F55D3E08110A}.exe	{22E79497-481C-4c4e-8DE6-21685A59660F}.exe
File created	C:\Windows\{5702C73B-2E04-4a99-9C51-AD022BC8364A}.exe	{2A439D78-A49D-4b28-8497-D06115B16C9A}.exe
File created	C:\Windows\{54070D4D-7127-4972-A201-DB20C07BB71F}.exe	{5702C73B-2E04-4a99-9C51-AD022BC8364A}.exe
File created	C:\Windows\{377EC447-AC48-48eb-9ADE-5F7F6638FD58}.exe	{54070D4D-7127-4972-A201-DB20C07BB71F}.exe
File created	C:\Windows\{166D1FFD-AFBD-44b1-B5C9-C80CA8B46638}.exe	{377EC447-AC48-48eb-9ADE-5F7F6638FD58}.exe
File created	C:\Windows\{AC854965-12EF-4520-8060-813E108B7166}.exe	{06333A53-5198-414e-94B5-3F21A2731C5A}.exe
File created	C:\Windows\{F1872057-D7B1-4f91-8300-ADFE8C5CAD09}.exe	2024-04-06_4b5eb739454a2c236bef477ea28d5bbf_goldeneye.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2956	2024-04-06_4b5eb739454a2c236bef477ea28d5bbf_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2992	{F1872057-D7B1-4f91-8300-ADFE8C5CAD09}.exe
Token: SeIncBasePriorityPrivilege	2644	{22E79497-481C-4c4e-8DE6-21685A59660F}.exe
Token: SeIncBasePriorityPrivilege	2360	{59722ED9-DF44-42c5-BD5A-F55D3E08110A}.exe
Token: SeIncBasePriorityPrivilege	2788	{5CD73BDE-C3DB-4ba6-AB08-EF0B27F3DCB5}.exe
Token: SeIncBasePriorityPrivilege	2344	{2A439D78-A49D-4b28-8497-D06115B16C9A}.exe
Token: SeIncBasePriorityPrivilege	2348	{5702C73B-2E04-4a99-9C51-AD022BC8364A}.exe
Token: SeIncBasePriorityPrivilege	1768	{54070D4D-7127-4972-A201-DB20C07BB71F}.exe
Token: SeIncBasePriorityPrivilege	1908	{377EC447-AC48-48eb-9ADE-5F7F6638FD58}.exe
Token: SeIncBasePriorityPrivilege	1668	{166D1FFD-AFBD-44b1-B5C9-C80CA8B46638}.exe
Token: SeIncBasePriorityPrivilege	2224	{06333A53-5198-414e-94B5-3F21A2731C5A}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2956 wrote to memory of 2992	2956	2024-04-06_4b5eb739454a2c236bef477ea28d5bbf_goldeneye.exe	28
PID 2956 wrote to memory of 2992	2956	2024-04-06_4b5eb739454a2c236bef477ea28d5bbf_goldeneye.exe	28
PID 2956 wrote to memory of 2992	2956	2024-04-06_4b5eb739454a2c236bef477ea28d5bbf_goldeneye.exe	28
PID 2956 wrote to memory of 2992	2956	2024-04-06_4b5eb739454a2c236bef477ea28d5bbf_goldeneye.exe	28
PID 2956 wrote to memory of 2544	2956	2024-04-06_4b5eb739454a2c236bef477ea28d5bbf_goldeneye.exe	29
PID 2956 wrote to memory of 2544	2956	2024-04-06_4b5eb739454a2c236bef477ea28d5bbf_goldeneye.exe	29
PID 2956 wrote to memory of 2544	2956	2024-04-06_4b5eb739454a2c236bef477ea28d5bbf_goldeneye.exe	29
PID 2956 wrote to memory of 2544	2956	2024-04-06_4b5eb739454a2c236bef477ea28d5bbf_goldeneye.exe	29
PID 2992 wrote to memory of 2644	2992	{F1872057-D7B1-4f91-8300-ADFE8C5CAD09}.exe	32
PID 2992 wrote to memory of 2644	2992	{F1872057-D7B1-4f91-8300-ADFE8C5CAD09}.exe	32
PID 2992 wrote to memory of 2644	2992	{F1872057-D7B1-4f91-8300-ADFE8C5CAD09}.exe	32
PID 2992 wrote to memory of 2644	2992	{F1872057-D7B1-4f91-8300-ADFE8C5CAD09}.exe	32
PID 2992 wrote to memory of 2460	2992	{F1872057-D7B1-4f91-8300-ADFE8C5CAD09}.exe	33
PID 2992 wrote to memory of 2460	2992	{F1872057-D7B1-4f91-8300-ADFE8C5CAD09}.exe	33
PID 2992 wrote to memory of 2460	2992	{F1872057-D7B1-4f91-8300-ADFE8C5CAD09}.exe	33
PID 2992 wrote to memory of 2460	2992	{F1872057-D7B1-4f91-8300-ADFE8C5CAD09}.exe	33
PID 2644 wrote to memory of 2360	2644	{22E79497-481C-4c4e-8DE6-21685A59660F}.exe	34
PID 2644 wrote to memory of 2360	2644	{22E79497-481C-4c4e-8DE6-21685A59660F}.exe	34
PID 2644 wrote to memory of 2360	2644	{22E79497-481C-4c4e-8DE6-21685A59660F}.exe	34
PID 2644 wrote to memory of 2360	2644	{22E79497-481C-4c4e-8DE6-21685A59660F}.exe	34
PID 2644 wrote to memory of 2404	2644	{22E79497-481C-4c4e-8DE6-21685A59660F}.exe	35
PID 2644 wrote to memory of 2404	2644	{22E79497-481C-4c4e-8DE6-21685A59660F}.exe	35
PID 2644 wrote to memory of 2404	2644	{22E79497-481C-4c4e-8DE6-21685A59660F}.exe	35
PID 2644 wrote to memory of 2404	2644	{22E79497-481C-4c4e-8DE6-21685A59660F}.exe	35
PID 2360 wrote to memory of 2788	2360	{59722ED9-DF44-42c5-BD5A-F55D3E08110A}.exe	36
PID 2360 wrote to memory of 2788	2360	{59722ED9-DF44-42c5-BD5A-F55D3E08110A}.exe	36
PID 2360 wrote to memory of 2788	2360	{59722ED9-DF44-42c5-BD5A-F55D3E08110A}.exe	36
PID 2360 wrote to memory of 2788	2360	{59722ED9-DF44-42c5-BD5A-F55D3E08110A}.exe	36
PID 2360 wrote to memory of 588	2360	{59722ED9-DF44-42c5-BD5A-F55D3E08110A}.exe	37
PID 2360 wrote to memory of 588	2360	{59722ED9-DF44-42c5-BD5A-F55D3E08110A}.exe	37
PID 2360 wrote to memory of 588	2360	{59722ED9-DF44-42c5-BD5A-F55D3E08110A}.exe	37
PID 2360 wrote to memory of 588	2360	{59722ED9-DF44-42c5-BD5A-F55D3E08110A}.exe	37
PID 2788 wrote to memory of 2344	2788	{5CD73BDE-C3DB-4ba6-AB08-EF0B27F3DCB5}.exe	38
PID 2788 wrote to memory of 2344	2788	{5CD73BDE-C3DB-4ba6-AB08-EF0B27F3DCB5}.exe	38
PID 2788 wrote to memory of 2344	2788	{5CD73BDE-C3DB-4ba6-AB08-EF0B27F3DCB5}.exe	38
PID 2788 wrote to memory of 2344	2788	{5CD73BDE-C3DB-4ba6-AB08-EF0B27F3DCB5}.exe	38
PID 2788 wrote to memory of 1648	2788	{5CD73BDE-C3DB-4ba6-AB08-EF0B27F3DCB5}.exe	39
PID 2788 wrote to memory of 1648	2788	{5CD73BDE-C3DB-4ba6-AB08-EF0B27F3DCB5}.exe	39
PID 2788 wrote to memory of 1648	2788	{5CD73BDE-C3DB-4ba6-AB08-EF0B27F3DCB5}.exe	39
PID 2788 wrote to memory of 1648	2788	{5CD73BDE-C3DB-4ba6-AB08-EF0B27F3DCB5}.exe	39
PID 2344 wrote to memory of 2348	2344	{2A439D78-A49D-4b28-8497-D06115B16C9A}.exe	40
PID 2344 wrote to memory of 2348	2344	{2A439D78-A49D-4b28-8497-D06115B16C9A}.exe	40
PID 2344 wrote to memory of 2348	2344	{2A439D78-A49D-4b28-8497-D06115B16C9A}.exe	40
PID 2344 wrote to memory of 2348	2344	{2A439D78-A49D-4b28-8497-D06115B16C9A}.exe	40
PID 2344 wrote to memory of 2664	2344	{2A439D78-A49D-4b28-8497-D06115B16C9A}.exe	41
PID 2344 wrote to memory of 2664	2344	{2A439D78-A49D-4b28-8497-D06115B16C9A}.exe	41
PID 2344 wrote to memory of 2664	2344	{2A439D78-A49D-4b28-8497-D06115B16C9A}.exe	41
PID 2344 wrote to memory of 2664	2344	{2A439D78-A49D-4b28-8497-D06115B16C9A}.exe	41
PID 2348 wrote to memory of 1768	2348	{5702C73B-2E04-4a99-9C51-AD022BC8364A}.exe	42
PID 2348 wrote to memory of 1768	2348	{5702C73B-2E04-4a99-9C51-AD022BC8364A}.exe	42
PID 2348 wrote to memory of 1768	2348	{5702C73B-2E04-4a99-9C51-AD022BC8364A}.exe	42
PID 2348 wrote to memory of 1768	2348	{5702C73B-2E04-4a99-9C51-AD022BC8364A}.exe	42
PID 2348 wrote to memory of 1740	2348	{5702C73B-2E04-4a99-9C51-AD022BC8364A}.exe	43
PID 2348 wrote to memory of 1740	2348	{5702C73B-2E04-4a99-9C51-AD022BC8364A}.exe	43
PID 2348 wrote to memory of 1740	2348	{5702C73B-2E04-4a99-9C51-AD022BC8364A}.exe	43
PID 2348 wrote to memory of 1740	2348	{5702C73B-2E04-4a99-9C51-AD022BC8364A}.exe	43
PID 1768 wrote to memory of 1908	1768	{54070D4D-7127-4972-A201-DB20C07BB71F}.exe	44
PID 1768 wrote to memory of 1908	1768	{54070D4D-7127-4972-A201-DB20C07BB71F}.exe	44
PID 1768 wrote to memory of 1908	1768	{54070D4D-7127-4972-A201-DB20C07BB71F}.exe	44
PID 1768 wrote to memory of 1908	1768	{54070D4D-7127-4972-A201-DB20C07BB71F}.exe	44
PID 1768 wrote to memory of 832	1768	{54070D4D-7127-4972-A201-DB20C07BB71F}.exe	45
PID 1768 wrote to memory of 832	1768	{54070D4D-7127-4972-A201-DB20C07BB71F}.exe	45
PID 1768 wrote to memory of 832	1768	{54070D4D-7127-4972-A201-DB20C07BB71F}.exe	45
PID 1768 wrote to memory of 832	1768	{54070D4D-7127-4972-A201-DB20C07BB71F}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-04-06_4b5eb739454a2c236bef477ea28d5bbf_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-06_4b5eb739454a2c236bef477ea28d5bbf_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2956
- C:\Windows\{F1872057-D7B1-4f91-8300-ADFE8C5CAD09}.exe
  C:\Windows\{F1872057-D7B1-4f91-8300-ADFE8C5CAD09}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2992
- - C:\Windows\{22E79497-481C-4c4e-8DE6-21685A59660F}.exe
    C:\Windows\{22E79497-481C-4c4e-8DE6-21685A59660F}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2644
  - - C:\Windows\{59722ED9-DF44-42c5-BD5A-F55D3E08110A}.exe
      C:\Windows\{59722ED9-DF44-42c5-BD5A-F55D3E08110A}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2360
    - - C:\Windows\{5CD73BDE-C3DB-4ba6-AB08-EF0B27F3DCB5}.exe
        
        C:\Windows\{5CD73BDE-C3DB-4ba6-AB08-EF0B27F3DCB5}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2788
      - C:\Windows\{2A439D78-A49D-4b28-8497-D06115B16C9A}.exe
        
        C:\Windows\{2A439D78-A49D-4b28-8497-D06115B16C9A}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2344
        
        C:\Windows\{5702C73B-2E04-4a99-9C51-AD022BC8364A}.exe
        
        C:\Windows\{5702C73B-2E04-4a99-9C51-AD022BC8364A}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2348
        
        C:\Windows\{54070D4D-7127-4972-A201-DB20C07BB71F}.exe
        
        C:\Windows\{54070D4D-7127-4972-A201-DB20C07BB71F}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1768
        
        C:\Windows\{377EC447-AC48-48eb-9ADE-5F7F6638FD58}.exe
        
        C:\Windows\{377EC447-AC48-48eb-9ADE-5F7F6638FD58}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1908
        
        C:\Windows\{166D1FFD-AFBD-44b1-B5C9-C80CA8B46638}.exe
        
        C:\Windows\{166D1FFD-AFBD-44b1-B5C9-C80CA8B46638}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1668
        
        C:\Windows\{06333A53-5198-414e-94B5-3F21A2731C5A}.exe
        
        C:\Windows\{06333A53-5198-414e-94B5-3F21A2731C5A}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2224
        
        C:\Windows\{AC854965-12EF-4520-8060-813E108B7166}.exe
        
        C:\Windows\{AC854965-12EF-4520-8060-813E108B7166}.exe
        12⤵
        Executes dropped EXE
        
        PID:2016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{06333~1.EXE > nul
        12⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{166D1~1.EXE > nul
        11⤵
        
        PID:1208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{377EC~1.EXE > nul
        10⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{54070~1.EXE > nul
        9⤵
        
        PID:832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5702C~1.EXE > nul
        8⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2A439~1.EXE > nul
        7⤵
        
        PID:2664
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5CD73~1.EXE > nul
        6⤵
        
        PID:1648
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{59722~1.EXE > nul
        5⤵
        
        PID:588
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{22E79~1.EXE > nul
      4⤵
      PID:2404
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{F1872~1.EXE > nul
    3⤵
    PID:2460
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{06333A53-5198-414e-94B5-3F21A2731C5A}.exe

Filesize
204KB

MD5
390658b27e3ee80b06cd5762bd74cae0

SHA1
a64eda8a791e68dab02ab41d99a2d9bbc00cf612

SHA256
889bc5cf566424cbfd8b0f64253297571dc719866c9da1b6fdf7263db67432c8

SHA512
052f3031c13d62c9a5c1008e94344fa17f251181ac9eb1508a8d399d745f831260dac90a33652267b38b7f017e8f4f5ece12df39347ecd86f745798dbc3064bc

Download Submit
C:\Windows\{166D1FFD-AFBD-44b1-B5C9-C80CA8B46638}.exe

Filesize
204KB

MD5
91ae224e075ea46d743fbcac7220226c

SHA1
2620c04f8b50e6d21d475db50074dbeb6626f337

SHA256
8bc5c82349d1641b3dff06a00991b85ebd00590b7cbaf9363c47014411f5d8ce

SHA512
2531bfabeff3033c8cac3532ea93ce46f11a9cbf4d61badd71729a8e1b264f2c1b51bc1cae78722f9ea8bc7333b9e83dcf8b4761a798ba991ab7f5337bdd4179

Download Submit
C:\Windows\{22E79497-481C-4c4e-8DE6-21685A59660F}.exe

Filesize
204KB

MD5
76b414e1ec6a5fd980302fa4087c30bf

SHA1
9085408715ba4cfadb0f14d7480c4db5724c03d7

SHA256
2e8c56da92462ad138976ed146db31d418f2f6689a6fb3009aa8e0613c1577b2

SHA512
29f25aa99b8ae330b38973a793410ea1b9cf7b2e523466e208f555d52a2cc1a1c163b4e63b7edc87520e3ff3033c8dd8124eafd23d7d8587f028f4ee39179d24

Download Submit
C:\Windows\{2A439D78-A49D-4b28-8497-D06115B16C9A}.exe

Filesize
204KB

MD5
1200b7da033b4e983dfa85336696fa9e

SHA1
2c156e85c8b494fdf81aa32044610c4108fa7a2c

SHA256
1d491ff7e5677c69006ad38a524c9176839405eaf999d1862fa55201ac3e65b4

SHA512
12faf45bce9133c6b9b0eebb08ed5b1f77b52bd5bda23eb95b75e2551a70f57d19f0dd3de4f69291e64b73f11473d64fcca8f4d8c4bd3dbd4a9c3f027d8720a1

Download Submit
C:\Windows\{377EC447-AC48-48eb-9ADE-5F7F6638FD58}.exe

Filesize
204KB

MD5
e7453bb94abf1a1624e3026ab97e3b3a

SHA1
2c7454c49221a5186af037f8cea4972294866fbd

SHA256
0041baa6686dea62f90c2a6c30347ee96080c6d002d2bfc35214d645b8ec642a

SHA512
631167a9b7eb48c3ca370ec566152d8e28d392b43296ad295234a377a20d4c009467ef2dc1815638ce08345b6b2f7765b0dad0be916d3bb816b51a28440c01aa

Download Submit
C:\Windows\{54070D4D-7127-4972-A201-DB20C07BB71F}.exe

Filesize
204KB

MD5
689551f837aaf711a77286d86c2c351b

SHA1
c99a0391fbfb8e11dd3d83f55796bce6d0e8b9a0

SHA256
7462ced6b6d54ffaf05241681549a5131dd538f177d5d087b762735d6667518f

SHA512
3c548b4397f4a3325f00cb5460a16839ba05922d3c0dc98176298c425e0b6f28f8eac7e8ee26efc7edf7f6746ad1347d1f6d283e28d81ac51329e4537100070d

Download Submit
C:\Windows\{5702C73B-2E04-4a99-9C51-AD022BC8364A}.exe

Filesize
204KB

MD5
43592ca084ea2d17ea516230c7157623

SHA1
a6c9359c11af0e9ad02dc891bb14d68b597f0207

SHA256
c3644091f41e7429ad2039c502d5b9b73cb783c5e935479cc8827fc398b54395

SHA512
52cf6295280729e156e248cbf5a77f03acd41889037672cfb9f095a8155f8c1340b186cc73d9fb968210e11be02375f0842e1e78a6249e53f119c742daae71cb

Download Submit
C:\Windows\{59722ED9-DF44-42c5-BD5A-F55D3E08110A}.exe

Filesize
204KB

MD5
dd07ba907ca4b482f47c7763e909c7c6

SHA1
ce35c326e67cd1910006abcafe528e5a1da2eac7

SHA256
6f9cef675b9f0288d6a2e8627a363630b9c96bf3172f6327fa5739b938164746

SHA512
91c527544bb484fdba267f8a6245be17e280203148ecd49666965153e680184c5d05017a141f8895ee32bf64a3c61ec5a04fe48e1a125df77e6a36e436dfe636

Download Submit
C:\Windows\{5CD73BDE-C3DB-4ba6-AB08-EF0B27F3DCB5}.exe

Filesize
204KB

MD5
ef7299810a67ed88e93a9d25b87d2a6a

SHA1
25d670542198700f8574f4dac2715f57bf783934

SHA256
57ea3539a1c2a02a3fd57fc9394a79e97e88168e5d1218e31754e2ee53396088

SHA512
e721d41536257cdf136099f504deeea13e23f09dbceed925e562b4d51147775970e37d60b8c4c898f9f9e2f55fb0dd33235c33a7ac8354e016816e57509b5991

Download Submit
C:\Windows\{AC854965-12EF-4520-8060-813E108B7166}.exe

Filesize
204KB

MD5
cb7b45d2cbd0bf8386d66de59b68b2b9

SHA1
1be60928abab91d9679e1b0bcfe5352206ae6a84

SHA256
49e347b496895b14f00e76ab45bc618840ef6dc1d4fb07574ecc204f219ca935

SHA512
eac5534c48e69b8a6724d20d34d284090d08c8a542fb86e0e58702dce1110c8ece3cf62b2b138851fc79f01f60e2584ca220625357e0531041f9c046bb94c997

Download Submit
C:\Windows\{F1872057-D7B1-4f91-8300-ADFE8C5CAD09}.exe

Filesize
204KB

MD5
a4fbb91211cd8eb1f6782dd55b8dcf17

SHA1
5accf54f551028ef013ab5d0445d28526ae22346

SHA256
f77e239465cccc538a481df1baec124005f050a8f840170de1816645293a323c

SHA512
a022c362c0bf7d6c584dfb565e54e61881102c1f5d0a2ad5c34d8e708f5a7173a4d6ed0d4a953bf0cdd21a2c6ba54bd6613e43826b0e5ebcb0ff58fde1bfac31

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads