a67882e897555523ecb3e1de3b8dd6b3ace0f5d104a47badb8359d7a50975efd

Analysis

max time kernel
144s
max time network
118s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
08/04/2024, 11:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-08_cd15fa97891c8af713617ca8c67ba747_goldeneye.exe
Size

197KB
MD5

cd15fa97891c8af713617ca8c67ba747
SHA1

5f0f18c020b63dc0282197bea8300e42300d7d98
SHA256

a67882e897555523ecb3e1de3b8dd6b3ace0f5d104a47badb8359d7a50975efd
SHA512

c47857c76751b3becf37bdaa59c716c0724ce53393b385bef05e881d5a2cfdabff6c8b93a221fd709ab70664db27a49e8fe908a6d6d9febccb4431a1eac139f7
SSDEEP

3072:jEGh0o1l+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGvlEeKcAEca

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x0009000000015f01-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000016176-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a000000015f01-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000016a29-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000005a59-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b000000015f01-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000005a59-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000015f01-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000005a59-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000015f01-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000005a59-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FBBF3FC6-3986-4fe0-A19F-0E081E5A73F3}\stubpath = "C:\\Windows\\{FBBF3FC6-3986-4fe0-A19F-0E081E5A73F3}.exe"	{1A0EC4CE-9FC2-461b-BE62-8A26E0373201}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{25B414CB-E3DE-42ec-8E31-4F21C50098A6}\stubpath = "C:\\Windows\\{25B414CB-E3DE-42ec-8E31-4F21C50098A6}.exe"	{7678B291-5773-43f8-89C8-BADF43ADA2C2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EB580680-8FDB-4bf5-85FB-BB329A096FF1}	{A0F7EA28-92B0-49fc-B2B3-BE18C1DA47F9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EB580680-8FDB-4bf5-85FB-BB329A096FF1}\stubpath = "C:\\Windows\\{EB580680-8FDB-4bf5-85FB-BB329A096FF1}.exe"	{A0F7EA28-92B0-49fc-B2B3-BE18C1DA47F9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1A0EC4CE-9FC2-461b-BE62-8A26E0373201}\stubpath = "C:\\Windows\\{1A0EC4CE-9FC2-461b-BE62-8A26E0373201}.exe"	{406BD0AB-9EE7-41bc-A33F-F62D4A08A870}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BA25CCCB-7E2D-4dab-BB48-52629207288F}	{FBBF3FC6-3986-4fe0-A19F-0E081E5A73F3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BA25CCCB-7E2D-4dab-BB48-52629207288F}\stubpath = "C:\\Windows\\{BA25CCCB-7E2D-4dab-BB48-52629207288F}.exe"	{FBBF3FC6-3986-4fe0-A19F-0E081E5A73F3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{25B414CB-E3DE-42ec-8E31-4F21C50098A6}	{7678B291-5773-43f8-89C8-BADF43ADA2C2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DDAFB319-B9D3-4a63-BF6C-2F57921FAEBE}\stubpath = "C:\\Windows\\{DDAFB319-B9D3-4a63-BF6C-2F57921FAEBE}.exe"	{25B414CB-E3DE-42ec-8E31-4F21C50098A6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A0F7EA28-92B0-49fc-B2B3-BE18C1DA47F9}\stubpath = "C:\\Windows\\{A0F7EA28-92B0-49fc-B2B3-BE18C1DA47F9}.exe"	{DDAFB319-B9D3-4a63-BF6C-2F57921FAEBE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FBBF3FC6-3986-4fe0-A19F-0E081E5A73F3}	{1A0EC4CE-9FC2-461b-BE62-8A26E0373201}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B2DF8A8F-AC5F-4a44-B5D2-498938CAE56E}	{BA25CCCB-7E2D-4dab-BB48-52629207288F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B2DF8A8F-AC5F-4a44-B5D2-498938CAE56E}\stubpath = "C:\\Windows\\{B2DF8A8F-AC5F-4a44-B5D2-498938CAE56E}.exe"	{BA25CCCB-7E2D-4dab-BB48-52629207288F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7678B291-5773-43f8-89C8-BADF43ADA2C2}\stubpath = "C:\\Windows\\{7678B291-5773-43f8-89C8-BADF43ADA2C2}.exe"	{B2DF8A8F-AC5F-4a44-B5D2-498938CAE56E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DDAFB319-B9D3-4a63-BF6C-2F57921FAEBE}	{25B414CB-E3DE-42ec-8E31-4F21C50098A6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A0F7EA28-92B0-49fc-B2B3-BE18C1DA47F9}	{DDAFB319-B9D3-4a63-BF6C-2F57921FAEBE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{28C8C11E-7B3C-4b34-96C8-FE112F395A48}\stubpath = "C:\\Windows\\{28C8C11E-7B3C-4b34-96C8-FE112F395A48}.exe"	{EB580680-8FDB-4bf5-85FB-BB329A096FF1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{406BD0AB-9EE7-41bc-A33F-F62D4A08A870}	2024-04-08_cd15fa97891c8af713617ca8c67ba747_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{406BD0AB-9EE7-41bc-A33F-F62D4A08A870}\stubpath = "C:\\Windows\\{406BD0AB-9EE7-41bc-A33F-F62D4A08A870}.exe"	2024-04-08_cd15fa97891c8af713617ca8c67ba747_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1A0EC4CE-9FC2-461b-BE62-8A26E0373201}	{406BD0AB-9EE7-41bc-A33F-F62D4A08A870}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7678B291-5773-43f8-89C8-BADF43ADA2C2}	{B2DF8A8F-AC5F-4a44-B5D2-498938CAE56E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{28C8C11E-7B3C-4b34-96C8-FE112F395A48}	{EB580680-8FDB-4bf5-85FB-BB329A096FF1}.exe

Executes dropped EXE 11 IoCs

pid	Process
2172	{406BD0AB-9EE7-41bc-A33F-F62D4A08A870}.exe
2908	{1A0EC4CE-9FC2-461b-BE62-8A26E0373201}.exe
2628	{FBBF3FC6-3986-4fe0-A19F-0E081E5A73F3}.exe
2432	{BA25CCCB-7E2D-4dab-BB48-52629207288F}.exe
3052	{B2DF8A8F-AC5F-4a44-B5D2-498938CAE56E}.exe
2760	{7678B291-5773-43f8-89C8-BADF43ADA2C2}.exe
1940	{25B414CB-E3DE-42ec-8E31-4F21C50098A6}.exe
2772	{DDAFB319-B9D3-4a63-BF6C-2F57921FAEBE}.exe
1676	{A0F7EA28-92B0-49fc-B2B3-BE18C1DA47F9}.exe
2280	{EB580680-8FDB-4bf5-85FB-BB329A096FF1}.exe
356	{28C8C11E-7B3C-4b34-96C8-FE112F395A48}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{FBBF3FC6-3986-4fe0-A19F-0E081E5A73F3}.exe	{1A0EC4CE-9FC2-461b-BE62-8A26E0373201}.exe
File created	C:\Windows\{BA25CCCB-7E2D-4dab-BB48-52629207288F}.exe	{FBBF3FC6-3986-4fe0-A19F-0E081E5A73F3}.exe
File created	C:\Windows\{7678B291-5773-43f8-89C8-BADF43ADA2C2}.exe	{B2DF8A8F-AC5F-4a44-B5D2-498938CAE56E}.exe
File created	C:\Windows\{25B414CB-E3DE-42ec-8E31-4F21C50098A6}.exe	{7678B291-5773-43f8-89C8-BADF43ADA2C2}.exe
File created	C:\Windows\{DDAFB319-B9D3-4a63-BF6C-2F57921FAEBE}.exe	{25B414CB-E3DE-42ec-8E31-4F21C50098A6}.exe
File created	C:\Windows\{A0F7EA28-92B0-49fc-B2B3-BE18C1DA47F9}.exe	{DDAFB319-B9D3-4a63-BF6C-2F57921FAEBE}.exe
File created	C:\Windows\{EB580680-8FDB-4bf5-85FB-BB329A096FF1}.exe	{A0F7EA28-92B0-49fc-B2B3-BE18C1DA47F9}.exe
File created	C:\Windows\{28C8C11E-7B3C-4b34-96C8-FE112F395A48}.exe	{EB580680-8FDB-4bf5-85FB-BB329A096FF1}.exe
File created	C:\Windows\{406BD0AB-9EE7-41bc-A33F-F62D4A08A870}.exe	2024-04-08_cd15fa97891c8af713617ca8c67ba747_goldeneye.exe
File created	C:\Windows\{1A0EC4CE-9FC2-461b-BE62-8A26E0373201}.exe	{406BD0AB-9EE7-41bc-A33F-F62D4A08A870}.exe
File created	C:\Windows\{B2DF8A8F-AC5F-4a44-B5D2-498938CAE56E}.exe	{BA25CCCB-7E2D-4dab-BB48-52629207288F}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1972	2024-04-08_cd15fa97891c8af713617ca8c67ba747_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2172	{406BD0AB-9EE7-41bc-A33F-F62D4A08A870}.exe
Token: SeIncBasePriorityPrivilege	2908	{1A0EC4CE-9FC2-461b-BE62-8A26E0373201}.exe
Token: SeIncBasePriorityPrivilege	2628	{FBBF3FC6-3986-4fe0-A19F-0E081E5A73F3}.exe
Token: SeIncBasePriorityPrivilege	2432	{BA25CCCB-7E2D-4dab-BB48-52629207288F}.exe
Token: SeIncBasePriorityPrivilege	3052	{B2DF8A8F-AC5F-4a44-B5D2-498938CAE56E}.exe
Token: SeIncBasePriorityPrivilege	2760	{7678B291-5773-43f8-89C8-BADF43ADA2C2}.exe
Token: SeIncBasePriorityPrivilege	1940	{25B414CB-E3DE-42ec-8E31-4F21C50098A6}.exe
Token: SeIncBasePriorityPrivilege	2772	{DDAFB319-B9D3-4a63-BF6C-2F57921FAEBE}.exe
Token: SeIncBasePriorityPrivilege	1676	{A0F7EA28-92B0-49fc-B2B3-BE18C1DA47F9}.exe
Token: SeIncBasePriorityPrivilege	2280	{EB580680-8FDB-4bf5-85FB-BB329A096FF1}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1972 wrote to memory of 2172	1972	2024-04-08_cd15fa97891c8af713617ca8c67ba747_goldeneye.exe	28
PID 1972 wrote to memory of 2172	1972	2024-04-08_cd15fa97891c8af713617ca8c67ba747_goldeneye.exe	28
PID 1972 wrote to memory of 2172	1972	2024-04-08_cd15fa97891c8af713617ca8c67ba747_goldeneye.exe	28
PID 1972 wrote to memory of 2172	1972	2024-04-08_cd15fa97891c8af713617ca8c67ba747_goldeneye.exe	28
PID 1972 wrote to memory of 1616	1972	2024-04-08_cd15fa97891c8af713617ca8c67ba747_goldeneye.exe	29
PID 1972 wrote to memory of 1616	1972	2024-04-08_cd15fa97891c8af713617ca8c67ba747_goldeneye.exe	29
PID 1972 wrote to memory of 1616	1972	2024-04-08_cd15fa97891c8af713617ca8c67ba747_goldeneye.exe	29
PID 1972 wrote to memory of 1616	1972	2024-04-08_cd15fa97891c8af713617ca8c67ba747_goldeneye.exe	29
PID 2172 wrote to memory of 2908	2172	{406BD0AB-9EE7-41bc-A33F-F62D4A08A870}.exe	30
PID 2172 wrote to memory of 2908	2172	{406BD0AB-9EE7-41bc-A33F-F62D4A08A870}.exe	30
PID 2172 wrote to memory of 2908	2172	{406BD0AB-9EE7-41bc-A33F-F62D4A08A870}.exe	30
PID 2172 wrote to memory of 2908	2172	{406BD0AB-9EE7-41bc-A33F-F62D4A08A870}.exe	30
PID 2172 wrote to memory of 2540	2172	{406BD0AB-9EE7-41bc-A33F-F62D4A08A870}.exe	31
PID 2172 wrote to memory of 2540	2172	{406BD0AB-9EE7-41bc-A33F-F62D4A08A870}.exe	31
PID 2172 wrote to memory of 2540	2172	{406BD0AB-9EE7-41bc-A33F-F62D4A08A870}.exe	31
PID 2172 wrote to memory of 2540	2172	{406BD0AB-9EE7-41bc-A33F-F62D4A08A870}.exe	31
PID 2908 wrote to memory of 2628	2908	{1A0EC4CE-9FC2-461b-BE62-8A26E0373201}.exe	32
PID 2908 wrote to memory of 2628	2908	{1A0EC4CE-9FC2-461b-BE62-8A26E0373201}.exe	32
PID 2908 wrote to memory of 2628	2908	{1A0EC4CE-9FC2-461b-BE62-8A26E0373201}.exe	32
PID 2908 wrote to memory of 2628	2908	{1A0EC4CE-9FC2-461b-BE62-8A26E0373201}.exe	32
PID 2908 wrote to memory of 2708	2908	{1A0EC4CE-9FC2-461b-BE62-8A26E0373201}.exe	33
PID 2908 wrote to memory of 2708	2908	{1A0EC4CE-9FC2-461b-BE62-8A26E0373201}.exe	33
PID 2908 wrote to memory of 2708	2908	{1A0EC4CE-9FC2-461b-BE62-8A26E0373201}.exe	33
PID 2908 wrote to memory of 2708	2908	{1A0EC4CE-9FC2-461b-BE62-8A26E0373201}.exe	33
PID 2628 wrote to memory of 2432	2628	{FBBF3FC6-3986-4fe0-A19F-0E081E5A73F3}.exe	36
PID 2628 wrote to memory of 2432	2628	{FBBF3FC6-3986-4fe0-A19F-0E081E5A73F3}.exe	36
PID 2628 wrote to memory of 2432	2628	{FBBF3FC6-3986-4fe0-A19F-0E081E5A73F3}.exe	36
PID 2628 wrote to memory of 2432	2628	{FBBF3FC6-3986-4fe0-A19F-0E081E5A73F3}.exe	36
PID 2628 wrote to memory of 2464	2628	{FBBF3FC6-3986-4fe0-A19F-0E081E5A73F3}.exe	37
PID 2628 wrote to memory of 2464	2628	{FBBF3FC6-3986-4fe0-A19F-0E081E5A73F3}.exe	37
PID 2628 wrote to memory of 2464	2628	{FBBF3FC6-3986-4fe0-A19F-0E081E5A73F3}.exe	37
PID 2628 wrote to memory of 2464	2628	{FBBF3FC6-3986-4fe0-A19F-0E081E5A73F3}.exe	37
PID 2432 wrote to memory of 3052	2432	{BA25CCCB-7E2D-4dab-BB48-52629207288F}.exe	38
PID 2432 wrote to memory of 3052	2432	{BA25CCCB-7E2D-4dab-BB48-52629207288F}.exe	38
PID 2432 wrote to memory of 3052	2432	{BA25CCCB-7E2D-4dab-BB48-52629207288F}.exe	38
PID 2432 wrote to memory of 3052	2432	{BA25CCCB-7E2D-4dab-BB48-52629207288F}.exe	38
PID 2432 wrote to memory of 2392	2432	{BA25CCCB-7E2D-4dab-BB48-52629207288F}.exe	39
PID 2432 wrote to memory of 2392	2432	{BA25CCCB-7E2D-4dab-BB48-52629207288F}.exe	39
PID 2432 wrote to memory of 2392	2432	{BA25CCCB-7E2D-4dab-BB48-52629207288F}.exe	39
PID 2432 wrote to memory of 2392	2432	{BA25CCCB-7E2D-4dab-BB48-52629207288F}.exe	39
PID 3052 wrote to memory of 2760	3052	{B2DF8A8F-AC5F-4a44-B5D2-498938CAE56E}.exe	40
PID 3052 wrote to memory of 2760	3052	{B2DF8A8F-AC5F-4a44-B5D2-498938CAE56E}.exe	40
PID 3052 wrote to memory of 2760	3052	{B2DF8A8F-AC5F-4a44-B5D2-498938CAE56E}.exe	40
PID 3052 wrote to memory of 2760	3052	{B2DF8A8F-AC5F-4a44-B5D2-498938CAE56E}.exe	40
PID 3052 wrote to memory of 1976	3052	{B2DF8A8F-AC5F-4a44-B5D2-498938CAE56E}.exe	41
PID 3052 wrote to memory of 1976	3052	{B2DF8A8F-AC5F-4a44-B5D2-498938CAE56E}.exe	41
PID 3052 wrote to memory of 1976	3052	{B2DF8A8F-AC5F-4a44-B5D2-498938CAE56E}.exe	41
PID 3052 wrote to memory of 1976	3052	{B2DF8A8F-AC5F-4a44-B5D2-498938CAE56E}.exe	41
PID 2760 wrote to memory of 1940	2760	{7678B291-5773-43f8-89C8-BADF43ADA2C2}.exe	42
PID 2760 wrote to memory of 1940	2760	{7678B291-5773-43f8-89C8-BADF43ADA2C2}.exe	42
PID 2760 wrote to memory of 1940	2760	{7678B291-5773-43f8-89C8-BADF43ADA2C2}.exe	42
PID 2760 wrote to memory of 1940	2760	{7678B291-5773-43f8-89C8-BADF43ADA2C2}.exe	42
PID 2760 wrote to memory of 2408	2760	{7678B291-5773-43f8-89C8-BADF43ADA2C2}.exe	43
PID 2760 wrote to memory of 2408	2760	{7678B291-5773-43f8-89C8-BADF43ADA2C2}.exe	43
PID 2760 wrote to memory of 2408	2760	{7678B291-5773-43f8-89C8-BADF43ADA2C2}.exe	43
PID 2760 wrote to memory of 2408	2760	{7678B291-5773-43f8-89C8-BADF43ADA2C2}.exe	43
PID 1940 wrote to memory of 2772	1940	{25B414CB-E3DE-42ec-8E31-4F21C50098A6}.exe	44
PID 1940 wrote to memory of 2772	1940	{25B414CB-E3DE-42ec-8E31-4F21C50098A6}.exe	44
PID 1940 wrote to memory of 2772	1940	{25B414CB-E3DE-42ec-8E31-4F21C50098A6}.exe	44
PID 1940 wrote to memory of 2772	1940	{25B414CB-E3DE-42ec-8E31-4F21C50098A6}.exe	44
PID 1940 wrote to memory of 1184	1940	{25B414CB-E3DE-42ec-8E31-4F21C50098A6}.exe	45
PID 1940 wrote to memory of 1184	1940	{25B414CB-E3DE-42ec-8E31-4F21C50098A6}.exe	45
PID 1940 wrote to memory of 1184	1940	{25B414CB-E3DE-42ec-8E31-4F21C50098A6}.exe	45
PID 1940 wrote to memory of 1184	1940	{25B414CB-E3DE-42ec-8E31-4F21C50098A6}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-04-08_cd15fa97891c8af713617ca8c67ba747_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-08_cd15fa97891c8af713617ca8c67ba747_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1972
- C:\Windows\{406BD0AB-9EE7-41bc-A33F-F62D4A08A870}.exe
  C:\Windows\{406BD0AB-9EE7-41bc-A33F-F62D4A08A870}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2172
- - C:\Windows\{1A0EC4CE-9FC2-461b-BE62-8A26E0373201}.exe
    C:\Windows\{1A0EC4CE-9FC2-461b-BE62-8A26E0373201}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2908
  - - C:\Windows\{FBBF3FC6-3986-4fe0-A19F-0E081E5A73F3}.exe
      C:\Windows\{FBBF3FC6-3986-4fe0-A19F-0E081E5A73F3}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2628
    - - C:\Windows\{BA25CCCB-7E2D-4dab-BB48-52629207288F}.exe
        
        C:\Windows\{BA25CCCB-7E2D-4dab-BB48-52629207288F}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2432
      - C:\Windows\{B2DF8A8F-AC5F-4a44-B5D2-498938CAE56E}.exe
        
        C:\Windows\{B2DF8A8F-AC5F-4a44-B5D2-498938CAE56E}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3052
        
        C:\Windows\{7678B291-5773-43f8-89C8-BADF43ADA2C2}.exe
        
        C:\Windows\{7678B291-5773-43f8-89C8-BADF43ADA2C2}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2760
        
        C:\Windows\{25B414CB-E3DE-42ec-8E31-4F21C50098A6}.exe
        
        C:\Windows\{25B414CB-E3DE-42ec-8E31-4F21C50098A6}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1940
        
        C:\Windows\{DDAFB319-B9D3-4a63-BF6C-2F57921FAEBE}.exe
        
        C:\Windows\{DDAFB319-B9D3-4a63-BF6C-2F57921FAEBE}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2772
        
        C:\Windows\{A0F7EA28-92B0-49fc-B2B3-BE18C1DA47F9}.exe
        
        C:\Windows\{A0F7EA28-92B0-49fc-B2B3-BE18C1DA47F9}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1676
        
        C:\Windows\{EB580680-8FDB-4bf5-85FB-BB329A096FF1}.exe
        
        C:\Windows\{EB580680-8FDB-4bf5-85FB-BB329A096FF1}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2280
        
        C:\Windows\{28C8C11E-7B3C-4b34-96C8-FE112F395A48}.exe
        
        C:\Windows\{28C8C11E-7B3C-4b34-96C8-FE112F395A48}.exe
        12⤵
        Executes dropped EXE
        
        PID:356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EB580~1.EXE > nul
        12⤵
        
        PID:1028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A0F7E~1.EXE > nul
        11⤵
        
        PID:1076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DDAFB~1.EXE > nul
        10⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{25B41~1.EXE > nul
        9⤵
        
        PID:1184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7678B~1.EXE > nul
        8⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B2DF8~1.EXE > nul
        7⤵
        
        PID:1976
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BA25C~1.EXE > nul
        6⤵
        
        PID:2392
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FBBF3~1.EXE > nul
        5⤵
        
        PID:2464
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{1A0EC~1.EXE > nul
      4⤵
      PID:2708
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{406BD~1.EXE > nul
    3⤵
    PID:2540
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:1616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1A0EC4CE-9FC2-461b-BE62-8A26E0373201}.exe

Filesize
197KB

MD5
8610c9b9ae639a3a8d7490d9b84c908f

SHA1
afc7db5d9063ff02a87d554a3bef1c95c8f041e8

SHA256
f52a4f9f9b43882e04ccb5e055201451cea21dde4a8f9742a8d4549b3f5a6a41

SHA512
6dbf41b5c876e29b7dc86793afc452d3835d37951db32228dc227c6ccaba5ab9030a3be09ebb0315f2f3fe21d549b1ca0c567c66cb3d2778e2bcb03160939658

Download Submit
C:\Windows\{25B414CB-E3DE-42ec-8E31-4F21C50098A6}.exe

Filesize
197KB

MD5
8bbe4170bef718352ae1bd7b42616914

SHA1
50a1d40842d7d3d86b3e05b3774c809f89d4ab40

SHA256
c76f3b87c0c77975bfcee13207866b7d4fb8062cb6b0099a425aec11255f6bd9

SHA512
3ee384573bed15f9fb7eadf386fd34507221a1d8d6bfe50b5cb7f1156601d1f1dabc09d3754a7f8669870f2d60ceb6d184611375eb65d99c00ee5c90a2b383f2

Download Submit
C:\Windows\{28C8C11E-7B3C-4b34-96C8-FE112F395A48}.exe

Filesize
197KB

MD5
bb46ef0faf0ce0e897968ca21cb75fa6

SHA1
e7c7d6eb0cba0dc8ba63a8a8dcf07c966342ccae

SHA256
8c77f18c4d333aa32346ce5fc3b4432b3d3ede9e81fbd3800c00f10fef810bbe

SHA512
ba74d9cd804e0f36ae264ce4760fb8c10b2206378a3a78a4098455011399e97884c950b9b5e4802878773d82012bf43cd9a80e6422e22c8fa33f827f27af689d

Download Submit
C:\Windows\{406BD0AB-9EE7-41bc-A33F-F62D4A08A870}.exe

Filesize
197KB

MD5
62214b18e99d7d33274b71b249690975

SHA1
d72b5b13f6b9a506274bf9dd27cb03cc22ef07da

SHA256
e8b98af0b10b084ecd268d7dff9ca7b968ce4f66fe59cc1457fc56f099048914

SHA512
913949dcdd5a4684e190758f1ae27713fda695363580c6a00af355c2b0a6bbc2747c4b86cede3f1004ed9a3dba542e01ef95ef14945b2e694f9d0e5c8f7662ad

Download Submit
C:\Windows\{7678B291-5773-43f8-89C8-BADF43ADA2C2}.exe

Filesize
197KB

MD5
084aeaf3f0dab3c89064b34b34cb8430

SHA1
edaf5c2aaaf64a4f1b45c857c0f2313407f0c722

SHA256
10d78d3ac50741e5fb9309df02ba4e2926e6d494961a00932e7168aa061113c4

SHA512
57db4cfbb8aa7092a4d6e2217b9ffceaa26dab316e1652dded2b5bc050aa7e1f077eff255fafce295d383a13581ac1737634d064efbe7b8b2e77682a0441f353

Download Submit
C:\Windows\{A0F7EA28-92B0-49fc-B2B3-BE18C1DA47F9}.exe

Filesize
197KB

MD5
588abab083e1b66f1be1a2ebdb412f1e

SHA1
3d23e3d46e8414d501cd678572547be6ff576207

SHA256
59cd9de7d666edb1125a2ff3de555a9b43524ade52656bfd29a96a44bdef5524

SHA512
730d1c5c04d6b619b2013abba95c71736fa74176fcaf53269878685e423a9e072ab9348b023be8acc98051f32a24145a6c23816200ef2105b94ded75bfb98ef2

Download Submit
C:\Windows\{B2DF8A8F-AC5F-4a44-B5D2-498938CAE56E}.exe

Filesize
197KB

MD5
c36579736b856e0b8a6c66cc8d795f90

SHA1
e51dd19b7c6ebfa003b078e2b29d8a8632bdc08a

SHA256
7d8d9520dce2b4f9bdbfa331c1717d3b9e39598356b71b1043ab96005bf1ed60

SHA512
89f6e453b104660865f94a8d78d7bd2eb6a131b2bd24cc2562eb753d1321bc7aa22c6f5583785ac6956b6496f318222a00ebb078d0abce061f4753dc129ab341

Download Submit
C:\Windows\{BA25CCCB-7E2D-4dab-BB48-52629207288F}.exe

Filesize
197KB

MD5
5432d0307d89bfa1078e1f6924950fa9

SHA1
d8ca610a741322c412dfd8dc749cc77979e21acb

SHA256
cd8dcd9d137a7e72b3c6c0af5377917a99f078f0b402b725d4d857ee5ccf63bf

SHA512
a6a3ae5628890fe64ea3fee6bdeff22e1ab086ac70d8dce4a296b661c5ed0ae142f524c155b53639709bfe4ba0c32cf7c35b758908c7de3bb1cad1dae977cb01

Download Submit
C:\Windows\{DDAFB319-B9D3-4a63-BF6C-2F57921FAEBE}.exe

Filesize
197KB

MD5
370df1ee023f9099f36c21072203bfc1

SHA1
d434e0220d5ba77fc372ff2a726cf42b0b275c32

SHA256
251b19ca0ecfea5db4b03dd8a37917b60703428011f1a82e6cd458c2e288301a

SHA512
72cf38d27595d6e9dcccb57fd4440ccdad51744bababca4d14d35ed5a01f6cf65e37eaba6f336d884fe146412345827aabf1c18783ae3fc05125f01e4bbf6b5e

Download Submit
C:\Windows\{EB580680-8FDB-4bf5-85FB-BB329A096FF1}.exe

Filesize
197KB

MD5
0d5c8d7026d737087cb029270d1271a6

SHA1
19525a6ee44752458013d12230920f0e211da34d

SHA256
75372f22c54eaf743ef2b8829286ad12faa600904203b99a79b86bfb181008b9

SHA512
92835f59d2eb766950b759691af3e142297c7948518bb20274977ed33a257560dce9701ccc07d2161c448eda64084a4ec4f16839276d6c5dc5de825270ba6712

Download Submit
C:\Windows\{FBBF3FC6-3986-4fe0-A19F-0E081E5A73F3}.exe

Filesize
197KB

MD5
4464e10461b93adaae062f95c4444746

SHA1
f38b5cd295e3df4fe97da3192be6423f2cf475f9

SHA256
1fb3f66f5e4e5ab39d5e37c3c12377bb8a6bab0a0a6278112969508644244955

SHA512
023a8504c887ca3a286c927b0d99c9b136049c370830c8361322129df8f21fe4921e7954b076ae0a8b8bb6ebd90f3e6e50342b2eb2699db452974b2db354a784

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads