864075c6ba176e1f14360afb49e4a4e89a63fdf0607b6149c3f8bc454b20b4dc

Analysis

max time kernel
144s
max time network
123s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
10-04-2024 02:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-10_a5d668f4bfe1fc95f5a3d47989a0258a_goldeneye.exe
Size

204KB
MD5

a5d668f4bfe1fc95f5a3d47989a0258a
SHA1

606572e5c92f0af88b998426eaf6a0d1a450626b
SHA256

864075c6ba176e1f14360afb49e4a4e89a63fdf0607b6149c3f8bc454b20b4dc
SHA512

a78a9d31ea1fd5a60d8ff170054cd7b56e28629b24b5e6656ac48f411097de751d07b5f154cac7b6e041060eac4baa3bd7c93deca2da9d28b25d3712dd1ad1a5
SSDEEP

1536:1EGh0oNl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oNl1OPOe2MUVg3Ve+rXfMUy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x0009000000012251-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000012336-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a000000012251-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0033000000014171-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b000000012251-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000012251-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000012251-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C3793B36-D7ED-4154-AF5B-3242D605DF6F}\stubpath = "C:\\Windows\\{C3793B36-D7ED-4154-AF5B-3242D605DF6F}.exe"	{0EB8ADB2-4765-450b-86D4-A5FF058238C3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{163FF5A2-35B8-48af-A81C-CA2250CC3854}	{C3793B36-D7ED-4154-AF5B-3242D605DF6F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{584FDA0D-7E79-4279-ADC4-A0CD37EBAAC0}\stubpath = "C:\\Windows\\{584FDA0D-7E79-4279-ADC4-A0CD37EBAAC0}.exe"	{163FF5A2-35B8-48af-A81C-CA2250CC3854}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{73048097-EBDC-4697-9E67-07B19674DB24}\stubpath = "C:\\Windows\\{73048097-EBDC-4697-9E67-07B19674DB24}.exe"	{68284656-34DC-4f8a-90D6-3025C6116641}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4E1BEA24-F97E-4f20-9953-4618246CAD74}\stubpath = "C:\\Windows\\{4E1BEA24-F97E-4f20-9953-4618246CAD74}.exe"	{73048097-EBDC-4697-9E67-07B19674DB24}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BA6569E9-A822-4a39-96F5-EDF9AEAC4BB0}\stubpath = "C:\\Windows\\{BA6569E9-A822-4a39-96F5-EDF9AEAC4BB0}.exe"	{BBDE73F1-923E-42a5-B395-015646398498}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0EB8ADB2-4765-450b-86D4-A5FF058238C3}\stubpath = "C:\\Windows\\{0EB8ADB2-4765-450b-86D4-A5FF058238C3}.exe"	{BA6569E9-A822-4a39-96F5-EDF9AEAC4BB0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C3793B36-D7ED-4154-AF5B-3242D605DF6F}	{0EB8ADB2-4765-450b-86D4-A5FF058238C3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{584FDA0D-7E79-4279-ADC4-A0CD37EBAAC0}	{163FF5A2-35B8-48af-A81C-CA2250CC3854}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{68284656-34DC-4f8a-90D6-3025C6116641}\stubpath = "C:\\Windows\\{68284656-34DC-4f8a-90D6-3025C6116641}.exe"	2024-04-10_a5d668f4bfe1fc95f5a3d47989a0258a_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{73048097-EBDC-4697-9E67-07B19674DB24}	{68284656-34DC-4f8a-90D6-3025C6116641}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BBDE73F1-923E-42a5-B395-015646398498}	{4E1BEA24-F97E-4f20-9953-4618246CAD74}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BA6569E9-A822-4a39-96F5-EDF9AEAC4BB0}	{BBDE73F1-923E-42a5-B395-015646398498}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6D635FBD-68CD-408d-A68C-11CB77D14AA6}	{9BA68D4B-12E9-485c-8C1F-0BFF88BD09C7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6D635FBD-68CD-408d-A68C-11CB77D14AA6}\stubpath = "C:\\Windows\\{6D635FBD-68CD-408d-A68C-11CB77D14AA6}.exe"	{9BA68D4B-12E9-485c-8C1F-0BFF88BD09C7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{68284656-34DC-4f8a-90D6-3025C6116641}	2024-04-10_a5d668f4bfe1fc95f5a3d47989a0258a_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4E1BEA24-F97E-4f20-9953-4618246CAD74}	{73048097-EBDC-4697-9E67-07B19674DB24}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BBDE73F1-923E-42a5-B395-015646398498}\stubpath = "C:\\Windows\\{BBDE73F1-923E-42a5-B395-015646398498}.exe"	{4E1BEA24-F97E-4f20-9953-4618246CAD74}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0EB8ADB2-4765-450b-86D4-A5FF058238C3}	{BA6569E9-A822-4a39-96F5-EDF9AEAC4BB0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{163FF5A2-35B8-48af-A81C-CA2250CC3854}\stubpath = "C:\\Windows\\{163FF5A2-35B8-48af-A81C-CA2250CC3854}.exe"	{C3793B36-D7ED-4154-AF5B-3242D605DF6F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9BA68D4B-12E9-485c-8C1F-0BFF88BD09C7}	{584FDA0D-7E79-4279-ADC4-A0CD37EBAAC0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9BA68D4B-12E9-485c-8C1F-0BFF88BD09C7}\stubpath = "C:\\Windows\\{9BA68D4B-12E9-485c-8C1F-0BFF88BD09C7}.exe"	{584FDA0D-7E79-4279-ADC4-A0CD37EBAAC0}.exe

Deletes itself 1 IoCs

pid	Process
2588	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
3024	{68284656-34DC-4f8a-90D6-3025C6116641}.exe
2740	{73048097-EBDC-4697-9E67-07B19674DB24}.exe
2564	{4E1BEA24-F97E-4f20-9953-4618246CAD74}.exe
2632	{BBDE73F1-923E-42a5-B395-015646398498}.exe
2764	{BA6569E9-A822-4a39-96F5-EDF9AEAC4BB0}.exe
1008	{0EB8ADB2-4765-450b-86D4-A5FF058238C3}.exe
2364	{C3793B36-D7ED-4154-AF5B-3242D605DF6F}.exe
3032	{163FF5A2-35B8-48af-A81C-CA2250CC3854}.exe
2260	{584FDA0D-7E79-4279-ADC4-A0CD37EBAAC0}.exe
668	{9BA68D4B-12E9-485c-8C1F-0BFF88BD09C7}.exe
2832	{6D635FBD-68CD-408d-A68C-11CB77D14AA6}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{73048097-EBDC-4697-9E67-07B19674DB24}.exe	{68284656-34DC-4f8a-90D6-3025C6116641}.exe
File created	C:\Windows\{4E1BEA24-F97E-4f20-9953-4618246CAD74}.exe	{73048097-EBDC-4697-9E67-07B19674DB24}.exe
File created	C:\Windows\{163FF5A2-35B8-48af-A81C-CA2250CC3854}.exe	{C3793B36-D7ED-4154-AF5B-3242D605DF6F}.exe
File created	C:\Windows\{9BA68D4B-12E9-485c-8C1F-0BFF88BD09C7}.exe	{584FDA0D-7E79-4279-ADC4-A0CD37EBAAC0}.exe
File created	C:\Windows\{6D635FBD-68CD-408d-A68C-11CB77D14AA6}.exe	{9BA68D4B-12E9-485c-8C1F-0BFF88BD09C7}.exe
File created	C:\Windows\{68284656-34DC-4f8a-90D6-3025C6116641}.exe	2024-04-10_a5d668f4bfe1fc95f5a3d47989a0258a_goldeneye.exe
File created	C:\Windows\{BBDE73F1-923E-42a5-B395-015646398498}.exe	{4E1BEA24-F97E-4f20-9953-4618246CAD74}.exe
File created	C:\Windows\{BA6569E9-A822-4a39-96F5-EDF9AEAC4BB0}.exe	{BBDE73F1-923E-42a5-B395-015646398498}.exe
File created	C:\Windows\{0EB8ADB2-4765-450b-86D4-A5FF058238C3}.exe	{BA6569E9-A822-4a39-96F5-EDF9AEAC4BB0}.exe
File created	C:\Windows\{C3793B36-D7ED-4154-AF5B-3242D605DF6F}.exe	{0EB8ADB2-4765-450b-86D4-A5FF058238C3}.exe
File created	C:\Windows\{584FDA0D-7E79-4279-ADC4-A0CD37EBAAC0}.exe	{163FF5A2-35B8-48af-A81C-CA2250CC3854}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2480	2024-04-10_a5d668f4bfe1fc95f5a3d47989a0258a_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3024	{68284656-34DC-4f8a-90D6-3025C6116641}.exe
Token: SeIncBasePriorityPrivilege	2740	{73048097-EBDC-4697-9E67-07B19674DB24}.exe
Token: SeIncBasePriorityPrivilege	2564	{4E1BEA24-F97E-4f20-9953-4618246CAD74}.exe
Token: SeIncBasePriorityPrivilege	2632	{BBDE73F1-923E-42a5-B395-015646398498}.exe
Token: SeIncBasePriorityPrivilege	2764	{BA6569E9-A822-4a39-96F5-EDF9AEAC4BB0}.exe
Token: SeIncBasePriorityPrivilege	1008	{0EB8ADB2-4765-450b-86D4-A5FF058238C3}.exe
Token: SeIncBasePriorityPrivilege	2364	{C3793B36-D7ED-4154-AF5B-3242D605DF6F}.exe
Token: SeIncBasePriorityPrivilege	3032	{163FF5A2-35B8-48af-A81C-CA2250CC3854}.exe
Token: SeIncBasePriorityPrivilege	2260	{584FDA0D-7E79-4279-ADC4-A0CD37EBAAC0}.exe
Token: SeIncBasePriorityPrivilege	668	{9BA68D4B-12E9-485c-8C1F-0BFF88BD09C7}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2480 wrote to memory of 3024	2480	2024-04-10_a5d668f4bfe1fc95f5a3d47989a0258a_goldeneye.exe	28
PID 2480 wrote to memory of 3024	2480	2024-04-10_a5d668f4bfe1fc95f5a3d47989a0258a_goldeneye.exe	28
PID 2480 wrote to memory of 3024	2480	2024-04-10_a5d668f4bfe1fc95f5a3d47989a0258a_goldeneye.exe	28
PID 2480 wrote to memory of 3024	2480	2024-04-10_a5d668f4bfe1fc95f5a3d47989a0258a_goldeneye.exe	28
PID 2480 wrote to memory of 2588	2480	2024-04-10_a5d668f4bfe1fc95f5a3d47989a0258a_goldeneye.exe	29
PID 2480 wrote to memory of 2588	2480	2024-04-10_a5d668f4bfe1fc95f5a3d47989a0258a_goldeneye.exe	29
PID 2480 wrote to memory of 2588	2480	2024-04-10_a5d668f4bfe1fc95f5a3d47989a0258a_goldeneye.exe	29
PID 2480 wrote to memory of 2588	2480	2024-04-10_a5d668f4bfe1fc95f5a3d47989a0258a_goldeneye.exe	29
PID 3024 wrote to memory of 2740	3024	{68284656-34DC-4f8a-90D6-3025C6116641}.exe	30
PID 3024 wrote to memory of 2740	3024	{68284656-34DC-4f8a-90D6-3025C6116641}.exe	30
PID 3024 wrote to memory of 2740	3024	{68284656-34DC-4f8a-90D6-3025C6116641}.exe	30
PID 3024 wrote to memory of 2740	3024	{68284656-34DC-4f8a-90D6-3025C6116641}.exe	30
PID 3024 wrote to memory of 2516	3024	{68284656-34DC-4f8a-90D6-3025C6116641}.exe	31
PID 3024 wrote to memory of 2516	3024	{68284656-34DC-4f8a-90D6-3025C6116641}.exe	31
PID 3024 wrote to memory of 2516	3024	{68284656-34DC-4f8a-90D6-3025C6116641}.exe	31
PID 3024 wrote to memory of 2516	3024	{68284656-34DC-4f8a-90D6-3025C6116641}.exe	31
PID 2740 wrote to memory of 2564	2740	{73048097-EBDC-4697-9E67-07B19674DB24}.exe	32
PID 2740 wrote to memory of 2564	2740	{73048097-EBDC-4697-9E67-07B19674DB24}.exe	32
PID 2740 wrote to memory of 2564	2740	{73048097-EBDC-4697-9E67-07B19674DB24}.exe	32
PID 2740 wrote to memory of 2564	2740	{73048097-EBDC-4697-9E67-07B19674DB24}.exe	32
PID 2740 wrote to memory of 2456	2740	{73048097-EBDC-4697-9E67-07B19674DB24}.exe	33
PID 2740 wrote to memory of 2456	2740	{73048097-EBDC-4697-9E67-07B19674DB24}.exe	33
PID 2740 wrote to memory of 2456	2740	{73048097-EBDC-4697-9E67-07B19674DB24}.exe	33
PID 2740 wrote to memory of 2456	2740	{73048097-EBDC-4697-9E67-07B19674DB24}.exe	33
PID 2564 wrote to memory of 2632	2564	{4E1BEA24-F97E-4f20-9953-4618246CAD74}.exe	36
PID 2564 wrote to memory of 2632	2564	{4E1BEA24-F97E-4f20-9953-4618246CAD74}.exe	36
PID 2564 wrote to memory of 2632	2564	{4E1BEA24-F97E-4f20-9953-4618246CAD74}.exe	36
PID 2564 wrote to memory of 2632	2564	{4E1BEA24-F97E-4f20-9953-4618246CAD74}.exe	36
PID 2564 wrote to memory of 2656	2564	{4E1BEA24-F97E-4f20-9953-4618246CAD74}.exe	37
PID 2564 wrote to memory of 2656	2564	{4E1BEA24-F97E-4f20-9953-4618246CAD74}.exe	37
PID 2564 wrote to memory of 2656	2564	{4E1BEA24-F97E-4f20-9953-4618246CAD74}.exe	37
PID 2564 wrote to memory of 2656	2564	{4E1BEA24-F97E-4f20-9953-4618246CAD74}.exe	37
PID 2632 wrote to memory of 2764	2632	{BBDE73F1-923E-42a5-B395-015646398498}.exe	38
PID 2632 wrote to memory of 2764	2632	{BBDE73F1-923E-42a5-B395-015646398498}.exe	38
PID 2632 wrote to memory of 2764	2632	{BBDE73F1-923E-42a5-B395-015646398498}.exe	38
PID 2632 wrote to memory of 2764	2632	{BBDE73F1-923E-42a5-B395-015646398498}.exe	38
PID 2632 wrote to memory of 1508	2632	{BBDE73F1-923E-42a5-B395-015646398498}.exe	39
PID 2632 wrote to memory of 1508	2632	{BBDE73F1-923E-42a5-B395-015646398498}.exe	39
PID 2632 wrote to memory of 1508	2632	{BBDE73F1-923E-42a5-B395-015646398498}.exe	39
PID 2632 wrote to memory of 1508	2632	{BBDE73F1-923E-42a5-B395-015646398498}.exe	39
PID 2764 wrote to memory of 1008	2764	{BA6569E9-A822-4a39-96F5-EDF9AEAC4BB0}.exe	40
PID 2764 wrote to memory of 1008	2764	{BA6569E9-A822-4a39-96F5-EDF9AEAC4BB0}.exe	40
PID 2764 wrote to memory of 1008	2764	{BA6569E9-A822-4a39-96F5-EDF9AEAC4BB0}.exe	40
PID 2764 wrote to memory of 1008	2764	{BA6569E9-A822-4a39-96F5-EDF9AEAC4BB0}.exe	40
PID 2764 wrote to memory of 1496	2764	{BA6569E9-A822-4a39-96F5-EDF9AEAC4BB0}.exe	41
PID 2764 wrote to memory of 1496	2764	{BA6569E9-A822-4a39-96F5-EDF9AEAC4BB0}.exe	41
PID 2764 wrote to memory of 1496	2764	{BA6569E9-A822-4a39-96F5-EDF9AEAC4BB0}.exe	41
PID 2764 wrote to memory of 1496	2764	{BA6569E9-A822-4a39-96F5-EDF9AEAC4BB0}.exe	41
PID 1008 wrote to memory of 2364	1008	{0EB8ADB2-4765-450b-86D4-A5FF058238C3}.exe	42
PID 1008 wrote to memory of 2364	1008	{0EB8ADB2-4765-450b-86D4-A5FF058238C3}.exe	42
PID 1008 wrote to memory of 2364	1008	{0EB8ADB2-4765-450b-86D4-A5FF058238C3}.exe	42
PID 1008 wrote to memory of 2364	1008	{0EB8ADB2-4765-450b-86D4-A5FF058238C3}.exe	42
PID 1008 wrote to memory of 2376	1008	{0EB8ADB2-4765-450b-86D4-A5FF058238C3}.exe	43
PID 1008 wrote to memory of 2376	1008	{0EB8ADB2-4765-450b-86D4-A5FF058238C3}.exe	43
PID 1008 wrote to memory of 2376	1008	{0EB8ADB2-4765-450b-86D4-A5FF058238C3}.exe	43
PID 1008 wrote to memory of 2376	1008	{0EB8ADB2-4765-450b-86D4-A5FF058238C3}.exe	43
PID 2364 wrote to memory of 3032	2364	{C3793B36-D7ED-4154-AF5B-3242D605DF6F}.exe	44
PID 2364 wrote to memory of 3032	2364	{C3793B36-D7ED-4154-AF5B-3242D605DF6F}.exe	44
PID 2364 wrote to memory of 3032	2364	{C3793B36-D7ED-4154-AF5B-3242D605DF6F}.exe	44
PID 2364 wrote to memory of 3032	2364	{C3793B36-D7ED-4154-AF5B-3242D605DF6F}.exe	44
PID 2364 wrote to memory of 860	2364	{C3793B36-D7ED-4154-AF5B-3242D605DF6F}.exe	45
PID 2364 wrote to memory of 860	2364	{C3793B36-D7ED-4154-AF5B-3242D605DF6F}.exe	45
PID 2364 wrote to memory of 860	2364	{C3793B36-D7ED-4154-AF5B-3242D605DF6F}.exe	45
PID 2364 wrote to memory of 860	2364	{C3793B36-D7ED-4154-AF5B-3242D605DF6F}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-04-10_a5d668f4bfe1fc95f5a3d47989a0258a_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-10_a5d668f4bfe1fc95f5a3d47989a0258a_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2480
- C:\Windows\{68284656-34DC-4f8a-90D6-3025C6116641}.exe
  C:\Windows\{68284656-34DC-4f8a-90D6-3025C6116641}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3024
- - C:\Windows\{73048097-EBDC-4697-9E67-07B19674DB24}.exe
    C:\Windows\{73048097-EBDC-4697-9E67-07B19674DB24}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2740
  - - C:\Windows\{4E1BEA24-F97E-4f20-9953-4618246CAD74}.exe
      C:\Windows\{4E1BEA24-F97E-4f20-9953-4618246CAD74}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2564
    - - C:\Windows\{BBDE73F1-923E-42a5-B395-015646398498}.exe
        
        C:\Windows\{BBDE73F1-923E-42a5-B395-015646398498}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2632
      - C:\Windows\{BA6569E9-A822-4a39-96F5-EDF9AEAC4BB0}.exe
        
        C:\Windows\{BA6569E9-A822-4a39-96F5-EDF9AEAC4BB0}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2764
        
        C:\Windows\{0EB8ADB2-4765-450b-86D4-A5FF058238C3}.exe
        
        C:\Windows\{0EB8ADB2-4765-450b-86D4-A5FF058238C3}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1008
        
        C:\Windows\{C3793B36-D7ED-4154-AF5B-3242D605DF6F}.exe
        
        C:\Windows\{C3793B36-D7ED-4154-AF5B-3242D605DF6F}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2364
        
        C:\Windows\{163FF5A2-35B8-48af-A81C-CA2250CC3854}.exe
        
        C:\Windows\{163FF5A2-35B8-48af-A81C-CA2250CC3854}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3032
        
        C:\Windows\{584FDA0D-7E79-4279-ADC4-A0CD37EBAAC0}.exe
        
        C:\Windows\{584FDA0D-7E79-4279-ADC4-A0CD37EBAAC0}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2260
        
        C:\Windows\{9BA68D4B-12E9-485c-8C1F-0BFF88BD09C7}.exe
        
        C:\Windows\{9BA68D4B-12E9-485c-8C1F-0BFF88BD09C7}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:668
        
        C:\Windows\{6D635FBD-68CD-408d-A68C-11CB77D14AA6}.exe
        
        C:\Windows\{6D635FBD-68CD-408d-A68C-11CB77D14AA6}.exe
        12⤵
        Executes dropped EXE
        
        PID:2832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9BA68~1.EXE > nul
        12⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{584FD~1.EXE > nul
        11⤵
        
        PID:984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{163FF~1.EXE > nul
        10⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C3793~1.EXE > nul
        9⤵
        
        PID:860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0EB8A~1.EXE > nul
        8⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BA656~1.EXE > nul
        7⤵
        
        PID:1496
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BBDE7~1.EXE > nul
        6⤵
        
        PID:1508
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4E1BE~1.EXE > nul
        5⤵
        
        PID:2656
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{73048~1.EXE > nul
      4⤵
      PID:2456
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{68284~1.EXE > nul
    3⤵
    PID:2516
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0EB8ADB2-4765-450b-86D4-A5FF058238C3}.exe

Filesize
204KB

MD5
7e905158ed5e5454777d6ef90f3764f0

SHA1
69b009bc152b83db94d747a3799cd7ce007cf986

SHA256
fc11e945357f79d6875219649e83c1ff3e2e52daca49ec2ac311b2bb82259d4d

SHA512
59853f2ba9ae0cae0ddf5559949203ddd584729ed21d0ec90108e2df9aea5e151fe21ccdce93b1b55fbd48b280b342ae3db4debfa4f9d95458072055fbd816ee

Download Submit
C:\Windows\{163FF5A2-35B8-48af-A81C-CA2250CC3854}.exe

Filesize
204KB

MD5
f0301553129ec418e7d9f910d61927c6

SHA1
1f858c857e52c5dbd6055acb0645253e0eed3eaa

SHA256
d0c0d16716641a7f77c7c139bd91f4120105e35d2181c416bf39afefbbbac2f3

SHA512
3439d1e48a3977efcba5c68a09d59decd5993fec215d63ec2b6741b366edb2ead1bbf36210ec819dfed00f8fe6ceda37fa3c15f15e5e5cf5b4f3c80fb967e664

Download Submit
C:\Windows\{4E1BEA24-F97E-4f20-9953-4618246CAD74}.exe

Filesize
204KB

MD5
dce300f863c65e36d8818c04999a13f8

SHA1
5ba2d0637f364458494191ed119285c91d2d7e14

SHA256
36ca4539fe34165330e3fb00abcdd080542a930b033deadf825a0b55cc3c11be

SHA512
42ddf8e642891a0689e12886467aece928c28c9075027a61a8c385328602df8de6f73469808c6001c30271983f8fed87c2bc39a102f5d6fafcc8fb28f6523e33

Download Submit
C:\Windows\{584FDA0D-7E79-4279-ADC4-A0CD37EBAAC0}.exe

Filesize
204KB

MD5
bf4cc07b035d222c47c9a6a46e5513ce

SHA1
0df76df6f4333d1d4b3c198e71dc0ea26eaa206c

SHA256
0a17531bdc3bbdac6628f6790ffc3430dbf548fccd4a2c2f695fbbd31e4cc415

SHA512
0a1ece3a52415b52b0e1028a9df946330d53e147a90b2807ff67af5f11e5eda434a7c8bfd61366f0aeb1d9330d35d7cdb32e11bf82747517a6921d3626c2acff

Download Submit
C:\Windows\{68284656-34DC-4f8a-90D6-3025C6116641}.exe

Filesize
204KB

MD5
e0c58b17c67ad1c41f0539e9184ca675

SHA1
4560f13638d74583e045cee216b085df90fc1d0e

SHA256
8a70ebbef6a0e10e9dbd100cdce4a74cb12c1187abc65f5ca573f7115dd66991

SHA512
7bb5418246a2e56f5f4de465bd1f777ac31cc11a41b4cd63f9aac10599b9f913d985931a4f6b88db542bb9d837c20d24c35f25b5bf73b3a14bce549603fce3a3

Download Submit
C:\Windows\{6D635FBD-68CD-408d-A68C-11CB77D14AA6}.exe

Filesize
204KB

MD5
8f126be85c5aa46dac35f273c0663a53

SHA1
817255b8771b673f58f99ce831850c9575c945c3

SHA256
51bc824150c6b6e3b99868cbf789d6c3bcc4b260814803ca0527c4687b53de5d

SHA512
d00d91973585a6de73e321391be19a07d050c435a5f0590529edd71d0578f317c04908a4affa64afb10734b6d8f3176431b870de6a4fb5530480540191bbfcb7

Download Submit
C:\Windows\{73048097-EBDC-4697-9E67-07B19674DB24}.exe

Filesize
204KB

MD5
4718839139d01e291202424e626d8c67

SHA1
06a1924d6cbf2789bab25f00786ffec44bc48e5e

SHA256
ad6001a4f90d85d93bb371570886a81b6266acd9b6d9316739675abeacf1e6b6

SHA512
a8a0546c0715aaa05b04a817ac8103c2e3b88be8aadd4e0bfe9771a662373c87cafc592d7e6113959ca1ff374b1f7a7b43530bd2427cb65ce7989d9e20d9d8df

Download Submit
C:\Windows\{9BA68D4B-12E9-485c-8C1F-0BFF88BD09C7}.exe

Filesize
204KB

MD5
b14dadd4f565b66d8eaf629375e63053

SHA1
15e74d42abbf2f542ddf60fc3217f4c24a8fef74

SHA256
b5845151a57fb6806f6b87446374dcc86fc224eeeb122cc5f1e5e8f510e84521

SHA512
a1651685da9825bab58be95b9e4ba83cc22840a4a7c6bc35a7d432d132ef5e731a1f1d51c2759c9705590c96cf7965ae40e1bf6a6336749e52a19c34ac969912

Download Submit
C:\Windows\{BA6569E9-A822-4a39-96F5-EDF9AEAC4BB0}.exe

Filesize
204KB

MD5
0849b0e4166af2a98ca9972d43d94694

SHA1
6c8bd38668f7dc2b8daa4cbedfdab517dafd7d14

SHA256
b1be40ba65312327c2696c4d439f07a100d0b9442b87b5af10bcb50cf73455e0

SHA512
f1d1b6e04cd1f6f973d6e00ed3ec447c2ced498257ab5838895d01237c94950299fc9efe59518d0fa021b7e024664092c6305912cb355c05714894a439e4b907

Download Submit
C:\Windows\{BBDE73F1-923E-42a5-B395-015646398498}.exe

Filesize
204KB

MD5
ca059660b7a340468fda0e1393007d13

SHA1
56e196026cd5efa5612d87e51cb2d7632adc3f8c

SHA256
8c50b92a11cf06b3abaf197939df568e83d3c08cc22494ba656f34230bc7b7e8

SHA512
12db843606948814cb6f555c8b72ff2fefac602b95c9df34b432ee7f829008d998bb4c82e3563865681a8338e71ed61e80caf395f69a9b2ff1ca515a2563c1b8

Download Submit
C:\Windows\{C3793B36-D7ED-4154-AF5B-3242D605DF6F}.exe

Filesize
204KB

MD5
8a01d8216322751455ded69eed336145

SHA1
f30b0ac73b0a20cc858f8d49da0104723ec9ceae

SHA256
dca88d1be4fe78c9f2a9bfa10467f3ffbfb6c2af7e5891ab977d827ab25cba69

SHA512
69072c8e6d6c113429d3b65d1cdb6e462763dbdff6149aa745d9914835e5f1af8938d67f07e20452b6bfdacdc5a9a42d556a7bb7b09e1fd37295abea41675d92

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads