0709c233e528bc86cf24aecd8194f0869270d8c530b391b215aa57862c0f8d3d

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
10/04/2024, 19:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-10_8e2597679e8f0bafd6c6cf97628753a4_goldeneye.exe
Size

216KB
MD5

8e2597679e8f0bafd6c6cf97628753a4
SHA1

e2fd0db230962e6890b8cae9b16e5f0c5744156b
SHA256

0709c233e528bc86cf24aecd8194f0869270d8c530b391b215aa57862c0f8d3d
SHA512

16e248ad8a4dc62e25ea9f16bc2b9de725bc4b440de5cb65121522258271702f58436db11394cd72d3dcab40bd7ff5273e26ae8b3494a4d1b1b499d9a1be2614
SSDEEP

3072:jEGh0o0Zl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEGOlEeKcAEcGy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000b000000015c7b-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0021000000015e1a-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000300000000b1f3-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000400000000b1f3-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000500000000b1f3-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000600000000b1f3-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000700000000b1f3-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BF643AAD-E6A5-4684-8A51-12CA6E0E24E7}	{F5E26119-6829-42d6-B5A3-7CAB4931D5B6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B0550F0B-4CF1-4a43-BE32-0173C3AB1EFE}	{BF643AAD-E6A5-4684-8A51-12CA6E0E24E7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CC4240C5-382C-4417-A34D-8AAE85F4B73D}\stubpath = "C:\\Windows\\{CC4240C5-382C-4417-A34D-8AAE85F4B73D}.exe"	{B0550F0B-4CF1-4a43-BE32-0173C3AB1EFE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3321CCDC-6FE3-4327-B679-DC6AF903C05B}	{A729BEFE-A8DB-4254-B816-3AF2ACE10ADF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D51413A1-DA4C-48ab-949A-72A38C66C6D4}	{3321CCDC-6FE3-4327-B679-DC6AF903C05B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F5E26119-6829-42d6-B5A3-7CAB4931D5B6}	{5FEA4856-F554-47a7-B40C-26228F71D404}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CC4240C5-382C-4417-A34D-8AAE85F4B73D}	{B0550F0B-4CF1-4a43-BE32-0173C3AB1EFE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A729BEFE-A8DB-4254-B816-3AF2ACE10ADF}\stubpath = "C:\\Windows\\{A729BEFE-A8DB-4254-B816-3AF2ACE10ADF}.exe"	{D37272B8-3F63-48a6-A68E-5EDE0ADA85AB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F5E26119-6829-42d6-B5A3-7CAB4931D5B6}\stubpath = "C:\\Windows\\{F5E26119-6829-42d6-B5A3-7CAB4931D5B6}.exe"	{5FEA4856-F554-47a7-B40C-26228F71D404}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BF643AAD-E6A5-4684-8A51-12CA6E0E24E7}\stubpath = "C:\\Windows\\{BF643AAD-E6A5-4684-8A51-12CA6E0E24E7}.exe"	{F5E26119-6829-42d6-B5A3-7CAB4931D5B6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B0550F0B-4CF1-4a43-BE32-0173C3AB1EFE}\stubpath = "C:\\Windows\\{B0550F0B-4CF1-4a43-BE32-0173C3AB1EFE}.exe"	{BF643AAD-E6A5-4684-8A51-12CA6E0E24E7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D37272B8-3F63-48a6-A68E-5EDE0ADA85AB}	{CC4240C5-382C-4417-A34D-8AAE85F4B73D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D37272B8-3F63-48a6-A68E-5EDE0ADA85AB}\stubpath = "C:\\Windows\\{D37272B8-3F63-48a6-A68E-5EDE0ADA85AB}.exe"	{CC4240C5-382C-4417-A34D-8AAE85F4B73D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3321CCDC-6FE3-4327-B679-DC6AF903C05B}\stubpath = "C:\\Windows\\{3321CCDC-6FE3-4327-B679-DC6AF903C05B}.exe"	{A729BEFE-A8DB-4254-B816-3AF2ACE10ADF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D51413A1-DA4C-48ab-949A-72A38C66C6D4}\stubpath = "C:\\Windows\\{D51413A1-DA4C-48ab-949A-72A38C66C6D4}.exe"	{3321CCDC-6FE3-4327-B679-DC6AF903C05B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{60AB8C68-BD5C-4845-AC83-E7B5323FB075}\stubpath = "C:\\Windows\\{60AB8C68-BD5C-4845-AC83-E7B5323FB075}.exe"	{AE59ED58-AF28-4c7d-9043-1C7D76E8D019}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5FEA4856-F554-47a7-B40C-26228F71D404}	2024-04-10_8e2597679e8f0bafd6c6cf97628753a4_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5FEA4856-F554-47a7-B40C-26228F71D404}\stubpath = "C:\\Windows\\{5FEA4856-F554-47a7-B40C-26228F71D404}.exe"	2024-04-10_8e2597679e8f0bafd6c6cf97628753a4_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A729BEFE-A8DB-4254-B816-3AF2ACE10ADF}	{D37272B8-3F63-48a6-A68E-5EDE0ADA85AB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AE59ED58-AF28-4c7d-9043-1C7D76E8D019}	{D51413A1-DA4C-48ab-949A-72A38C66C6D4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AE59ED58-AF28-4c7d-9043-1C7D76E8D019}\stubpath = "C:\\Windows\\{AE59ED58-AF28-4c7d-9043-1C7D76E8D019}.exe"	{D51413A1-DA4C-48ab-949A-72A38C66C6D4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{60AB8C68-BD5C-4845-AC83-E7B5323FB075}	{AE59ED58-AF28-4c7d-9043-1C7D76E8D019}.exe

Deletes itself 1 IoCs

pid	Process
2224	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2300	{5FEA4856-F554-47a7-B40C-26228F71D404}.exe
2468	{F5E26119-6829-42d6-B5A3-7CAB4931D5B6}.exe
2376	{BF643AAD-E6A5-4684-8A51-12CA6E0E24E7}.exe
2348	{B0550F0B-4CF1-4a43-BE32-0173C3AB1EFE}.exe
1500	{CC4240C5-382C-4417-A34D-8AAE85F4B73D}.exe
624	{D37272B8-3F63-48a6-A68E-5EDE0ADA85AB}.exe
1220	{A729BEFE-A8DB-4254-B816-3AF2ACE10ADF}.exe
804	{3321CCDC-6FE3-4327-B679-DC6AF903C05B}.exe
2744	{D51413A1-DA4C-48ab-949A-72A38C66C6D4}.exe
1988	{AE59ED58-AF28-4c7d-9043-1C7D76E8D019}.exe
2204	{60AB8C68-BD5C-4845-AC83-E7B5323FB075}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{F5E26119-6829-42d6-B5A3-7CAB4931D5B6}.exe	{5FEA4856-F554-47a7-B40C-26228F71D404}.exe
File created	C:\Windows\{BF643AAD-E6A5-4684-8A51-12CA6E0E24E7}.exe	{F5E26119-6829-42d6-B5A3-7CAB4931D5B6}.exe
File created	C:\Windows\{B0550F0B-4CF1-4a43-BE32-0173C3AB1EFE}.exe	{BF643AAD-E6A5-4684-8A51-12CA6E0E24E7}.exe
File created	C:\Windows\{3321CCDC-6FE3-4327-B679-DC6AF903C05B}.exe	{A729BEFE-A8DB-4254-B816-3AF2ACE10ADF}.exe
File created	C:\Windows\{D51413A1-DA4C-48ab-949A-72A38C66C6D4}.exe	{3321CCDC-6FE3-4327-B679-DC6AF903C05B}.exe
File created	C:\Windows\{AE59ED58-AF28-4c7d-9043-1C7D76E8D019}.exe	{D51413A1-DA4C-48ab-949A-72A38C66C6D4}.exe
File created	C:\Windows\{5FEA4856-F554-47a7-B40C-26228F71D404}.exe	2024-04-10_8e2597679e8f0bafd6c6cf97628753a4_goldeneye.exe
File created	C:\Windows\{CC4240C5-382C-4417-A34D-8AAE85F4B73D}.exe	{B0550F0B-4CF1-4a43-BE32-0173C3AB1EFE}.exe
File created	C:\Windows\{D37272B8-3F63-48a6-A68E-5EDE0ADA85AB}.exe	{CC4240C5-382C-4417-A34D-8AAE85F4B73D}.exe
File created	C:\Windows\{A729BEFE-A8DB-4254-B816-3AF2ACE10ADF}.exe	{D37272B8-3F63-48a6-A68E-5EDE0ADA85AB}.exe
File created	C:\Windows\{60AB8C68-BD5C-4845-AC83-E7B5323FB075}.exe	{AE59ED58-AF28-4c7d-9043-1C7D76E8D019}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2172	2024-04-10_8e2597679e8f0bafd6c6cf97628753a4_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2300	{5FEA4856-F554-47a7-B40C-26228F71D404}.exe
Token: SeIncBasePriorityPrivilege	2468	{F5E26119-6829-42d6-B5A3-7CAB4931D5B6}.exe
Token: SeIncBasePriorityPrivilege	2376	{BF643AAD-E6A5-4684-8A51-12CA6E0E24E7}.exe
Token: SeIncBasePriorityPrivilege	2348	{B0550F0B-4CF1-4a43-BE32-0173C3AB1EFE}.exe
Token: SeIncBasePriorityPrivilege	1500	{CC4240C5-382C-4417-A34D-8AAE85F4B73D}.exe
Token: SeIncBasePriorityPrivilege	624	{D37272B8-3F63-48a6-A68E-5EDE0ADA85AB}.exe
Token: SeIncBasePriorityPrivilege	1220	{A729BEFE-A8DB-4254-B816-3AF2ACE10ADF}.exe
Token: SeIncBasePriorityPrivilege	804	{3321CCDC-6FE3-4327-B679-DC6AF903C05B}.exe
Token: SeIncBasePriorityPrivilege	2744	{D51413A1-DA4C-48ab-949A-72A38C66C6D4}.exe
Token: SeIncBasePriorityPrivilege	1988	{AE59ED58-AF28-4c7d-9043-1C7D76E8D019}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2172 wrote to memory of 2300	2172	2024-04-10_8e2597679e8f0bafd6c6cf97628753a4_goldeneye.exe	28
PID 2172 wrote to memory of 2300	2172	2024-04-10_8e2597679e8f0bafd6c6cf97628753a4_goldeneye.exe	28
PID 2172 wrote to memory of 2300	2172	2024-04-10_8e2597679e8f0bafd6c6cf97628753a4_goldeneye.exe	28
PID 2172 wrote to memory of 2300	2172	2024-04-10_8e2597679e8f0bafd6c6cf97628753a4_goldeneye.exe	28
PID 2172 wrote to memory of 2224	2172	2024-04-10_8e2597679e8f0bafd6c6cf97628753a4_goldeneye.exe	29
PID 2172 wrote to memory of 2224	2172	2024-04-10_8e2597679e8f0bafd6c6cf97628753a4_goldeneye.exe	29
PID 2172 wrote to memory of 2224	2172	2024-04-10_8e2597679e8f0bafd6c6cf97628753a4_goldeneye.exe	29
PID 2172 wrote to memory of 2224	2172	2024-04-10_8e2597679e8f0bafd6c6cf97628753a4_goldeneye.exe	29
PID 2300 wrote to memory of 2468	2300	{5FEA4856-F554-47a7-B40C-26228F71D404}.exe	30
PID 2300 wrote to memory of 2468	2300	{5FEA4856-F554-47a7-B40C-26228F71D404}.exe	30
PID 2300 wrote to memory of 2468	2300	{5FEA4856-F554-47a7-B40C-26228F71D404}.exe	30
PID 2300 wrote to memory of 2468	2300	{5FEA4856-F554-47a7-B40C-26228F71D404}.exe	30
PID 2300 wrote to memory of 2616	2300	{5FEA4856-F554-47a7-B40C-26228F71D404}.exe	31
PID 2300 wrote to memory of 2616	2300	{5FEA4856-F554-47a7-B40C-26228F71D404}.exe	31
PID 2300 wrote to memory of 2616	2300	{5FEA4856-F554-47a7-B40C-26228F71D404}.exe	31
PID 2300 wrote to memory of 2616	2300	{5FEA4856-F554-47a7-B40C-26228F71D404}.exe	31
PID 2468 wrote to memory of 2376	2468	{F5E26119-6829-42d6-B5A3-7CAB4931D5B6}.exe	34
PID 2468 wrote to memory of 2376	2468	{F5E26119-6829-42d6-B5A3-7CAB4931D5B6}.exe	34
PID 2468 wrote to memory of 2376	2468	{F5E26119-6829-42d6-B5A3-7CAB4931D5B6}.exe	34
PID 2468 wrote to memory of 2376	2468	{F5E26119-6829-42d6-B5A3-7CAB4931D5B6}.exe	34
PID 2468 wrote to memory of 2436	2468	{F5E26119-6829-42d6-B5A3-7CAB4931D5B6}.exe	35
PID 2468 wrote to memory of 2436	2468	{F5E26119-6829-42d6-B5A3-7CAB4931D5B6}.exe	35
PID 2468 wrote to memory of 2436	2468	{F5E26119-6829-42d6-B5A3-7CAB4931D5B6}.exe	35
PID 2468 wrote to memory of 2436	2468	{F5E26119-6829-42d6-B5A3-7CAB4931D5B6}.exe	35
PID 2376 wrote to memory of 2348	2376	{BF643AAD-E6A5-4684-8A51-12CA6E0E24E7}.exe	36
PID 2376 wrote to memory of 2348	2376	{BF643AAD-E6A5-4684-8A51-12CA6E0E24E7}.exe	36
PID 2376 wrote to memory of 2348	2376	{BF643AAD-E6A5-4684-8A51-12CA6E0E24E7}.exe	36
PID 2376 wrote to memory of 2348	2376	{BF643AAD-E6A5-4684-8A51-12CA6E0E24E7}.exe	36
PID 2376 wrote to memory of 1944	2376	{BF643AAD-E6A5-4684-8A51-12CA6E0E24E7}.exe	37
PID 2376 wrote to memory of 1944	2376	{BF643AAD-E6A5-4684-8A51-12CA6E0E24E7}.exe	37
PID 2376 wrote to memory of 1944	2376	{BF643AAD-E6A5-4684-8A51-12CA6E0E24E7}.exe	37
PID 2376 wrote to memory of 1944	2376	{BF643AAD-E6A5-4684-8A51-12CA6E0E24E7}.exe	37
PID 2348 wrote to memory of 1500	2348	{B0550F0B-4CF1-4a43-BE32-0173C3AB1EFE}.exe	38
PID 2348 wrote to memory of 1500	2348	{B0550F0B-4CF1-4a43-BE32-0173C3AB1EFE}.exe	38
PID 2348 wrote to memory of 1500	2348	{B0550F0B-4CF1-4a43-BE32-0173C3AB1EFE}.exe	38
PID 2348 wrote to memory of 1500	2348	{B0550F0B-4CF1-4a43-BE32-0173C3AB1EFE}.exe	38
PID 2348 wrote to memory of 924	2348	{B0550F0B-4CF1-4a43-BE32-0173C3AB1EFE}.exe	39
PID 2348 wrote to memory of 924	2348	{B0550F0B-4CF1-4a43-BE32-0173C3AB1EFE}.exe	39
PID 2348 wrote to memory of 924	2348	{B0550F0B-4CF1-4a43-BE32-0173C3AB1EFE}.exe	39
PID 2348 wrote to memory of 924	2348	{B0550F0B-4CF1-4a43-BE32-0173C3AB1EFE}.exe	39
PID 1500 wrote to memory of 624	1500	{CC4240C5-382C-4417-A34D-8AAE85F4B73D}.exe	40
PID 1500 wrote to memory of 624	1500	{CC4240C5-382C-4417-A34D-8AAE85F4B73D}.exe	40
PID 1500 wrote to memory of 624	1500	{CC4240C5-382C-4417-A34D-8AAE85F4B73D}.exe	40
PID 1500 wrote to memory of 624	1500	{CC4240C5-382C-4417-A34D-8AAE85F4B73D}.exe	40
PID 1500 wrote to memory of 1536	1500	{CC4240C5-382C-4417-A34D-8AAE85F4B73D}.exe	41
PID 1500 wrote to memory of 1536	1500	{CC4240C5-382C-4417-A34D-8AAE85F4B73D}.exe	41
PID 1500 wrote to memory of 1536	1500	{CC4240C5-382C-4417-A34D-8AAE85F4B73D}.exe	41
PID 1500 wrote to memory of 1536	1500	{CC4240C5-382C-4417-A34D-8AAE85F4B73D}.exe	41
PID 624 wrote to memory of 1220	624	{D37272B8-3F63-48a6-A68E-5EDE0ADA85AB}.exe	42
PID 624 wrote to memory of 1220	624	{D37272B8-3F63-48a6-A68E-5EDE0ADA85AB}.exe	42
PID 624 wrote to memory of 1220	624	{D37272B8-3F63-48a6-A68E-5EDE0ADA85AB}.exe	42
PID 624 wrote to memory of 1220	624	{D37272B8-3F63-48a6-A68E-5EDE0ADA85AB}.exe	42
PID 624 wrote to memory of 1948	624	{D37272B8-3F63-48a6-A68E-5EDE0ADA85AB}.exe	43
PID 624 wrote to memory of 1948	624	{D37272B8-3F63-48a6-A68E-5EDE0ADA85AB}.exe	43
PID 624 wrote to memory of 1948	624	{D37272B8-3F63-48a6-A68E-5EDE0ADA85AB}.exe	43
PID 624 wrote to memory of 1948	624	{D37272B8-3F63-48a6-A68E-5EDE0ADA85AB}.exe	43
PID 1220 wrote to memory of 804	1220	{A729BEFE-A8DB-4254-B816-3AF2ACE10ADF}.exe	44
PID 1220 wrote to memory of 804	1220	{A729BEFE-A8DB-4254-B816-3AF2ACE10ADF}.exe	44
PID 1220 wrote to memory of 804	1220	{A729BEFE-A8DB-4254-B816-3AF2ACE10ADF}.exe	44
PID 1220 wrote to memory of 804	1220	{A729BEFE-A8DB-4254-B816-3AF2ACE10ADF}.exe	44
PID 1220 wrote to memory of 1848	1220	{A729BEFE-A8DB-4254-B816-3AF2ACE10ADF}.exe	45
PID 1220 wrote to memory of 1848	1220	{A729BEFE-A8DB-4254-B816-3AF2ACE10ADF}.exe	45
PID 1220 wrote to memory of 1848	1220	{A729BEFE-A8DB-4254-B816-3AF2ACE10ADF}.exe	45
PID 1220 wrote to memory of 1848	1220	{A729BEFE-A8DB-4254-B816-3AF2ACE10ADF}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-04-10_8e2597679e8f0bafd6c6cf97628753a4_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-10_8e2597679e8f0bafd6c6cf97628753a4_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2172
- C:\Windows\{5FEA4856-F554-47a7-B40C-26228F71D404}.exe
  C:\Windows\{5FEA4856-F554-47a7-B40C-26228F71D404}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2300
- - C:\Windows\{F5E26119-6829-42d6-B5A3-7CAB4931D5B6}.exe
    C:\Windows\{F5E26119-6829-42d6-B5A3-7CAB4931D5B6}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2468
  - - C:\Windows\{BF643AAD-E6A5-4684-8A51-12CA6E0E24E7}.exe
      C:\Windows\{BF643AAD-E6A5-4684-8A51-12CA6E0E24E7}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2376
    - - C:\Windows\{B0550F0B-4CF1-4a43-BE32-0173C3AB1EFE}.exe
        
        C:\Windows\{B0550F0B-4CF1-4a43-BE32-0173C3AB1EFE}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2348
      - C:\Windows\{CC4240C5-382C-4417-A34D-8AAE85F4B73D}.exe
        
        C:\Windows\{CC4240C5-382C-4417-A34D-8AAE85F4B73D}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1500
        
        C:\Windows\{D37272B8-3F63-48a6-A68E-5EDE0ADA85AB}.exe
        
        C:\Windows\{D37272B8-3F63-48a6-A68E-5EDE0ADA85AB}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:624
        
        C:\Windows\{A729BEFE-A8DB-4254-B816-3AF2ACE10ADF}.exe
        
        C:\Windows\{A729BEFE-A8DB-4254-B816-3AF2ACE10ADF}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1220
        
        C:\Windows\{3321CCDC-6FE3-4327-B679-DC6AF903C05B}.exe
        
        C:\Windows\{3321CCDC-6FE3-4327-B679-DC6AF903C05B}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:804
        
        C:\Windows\{D51413A1-DA4C-48ab-949A-72A38C66C6D4}.exe
        
        C:\Windows\{D51413A1-DA4C-48ab-949A-72A38C66C6D4}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2744
        
        C:\Windows\{AE59ED58-AF28-4c7d-9043-1C7D76E8D019}.exe
        
        C:\Windows\{AE59ED58-AF28-4c7d-9043-1C7D76E8D019}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1988
        
        C:\Windows\{60AB8C68-BD5C-4845-AC83-E7B5323FB075}.exe
        
        C:\Windows\{60AB8C68-BD5C-4845-AC83-E7B5323FB075}.exe
        12⤵
        Executes dropped EXE
        
        PID:2204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AE59E~1.EXE > nul
        12⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D5141~1.EXE > nul
        11⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3321C~1.EXE > nul
        10⤵
        
        PID:1768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A729B~1.EXE > nul
        9⤵
        
        PID:1848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D3727~1.EXE > nul
        8⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CC424~1.EXE > nul
        7⤵
        
        PID:1536
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B0550~1.EXE > nul
        6⤵
        
        PID:924
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BF643~1.EXE > nul
        5⤵
        
        PID:1944
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{F5E26~1.EXE > nul
      4⤵
      PID:2436
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{5FEA4~1.EXE > nul
    3⤵
    PID:2616
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{3321CCDC-6FE3-4327-B679-DC6AF903C05B}.exe

Filesize
216KB

MD5
02e201fc6dcca6b532f45e8bd054deb9

SHA1
861574949bbe8c3e2f846a4d8e7d94e9ad9824bd

SHA256
c55f936d5debbf74ee8ebfc43a3e02c9ff83c314a4ab71bfea2b09f445eb61ae

SHA512
f7c3ad978cb545f35583ad8d65899c3aa14a6285699db57d3e4732299c2c9ff0f137f853badafe34df8b556290d323726cbf1604c1ab76422969f1cc274f37e1

Download Submit
C:\Windows\{5FEA4856-F554-47a7-B40C-26228F71D404}.exe

Filesize
216KB

MD5
fc237d44c8a21a6494cb245c97bd700c

SHA1
44ec8624b563eda29aec0cd86c2a75d74d73f2a6

SHA256
ddad04b9553df6d6b582109169801cdd3b5521243523a60214da813d1bbf01ec

SHA512
a4e6fba48e76e28c64115968ee26c59b87c050f55bedc2677a016a53f2549bf516beac883bd059342c0fd19c4cf43b0f453283f35574070f339da896a8c2543b

Download Submit
C:\Windows\{60AB8C68-BD5C-4845-AC83-E7B5323FB075}.exe

Filesize
216KB

MD5
0a2e9bbae75e3d64ad9cbd36dcec6d0c

SHA1
f270621720712ce02711394b12b23a5903a6c20a

SHA256
d3d2ecbc89d4231fb29eac71a6f284898ddcbf1e4a9e6d96c91eb7030029f776

SHA512
747f2a6efe4037e2e79791193285299e54588fdeebb9e85641158aa34999e598b32481605deafff0fcdbe8d0761d74648ff8b49912421aef8e1c12a44c473c4d

Download Submit
C:\Windows\{A729BEFE-A8DB-4254-B816-3AF2ACE10ADF}.exe

Filesize
216KB

MD5
1ea93e3191a39575d3b9c5b4d8ee581f

SHA1
75019c652d3300b8785a75f03a4dfd23af190bb0

SHA256
dbfebb3a887c2d2fc678c688fbc07ea6ec9e7c47d4ab85a5af16f0bd362dcada

SHA512
3d488c44ce248f0b14334aa634c7d2de4628d785f07a146bd441e027b9b9ad47717a993c254e5063a4efe0bd43b3c10bc988cad4df4217f35646730ecb67bac8

Download Submit
C:\Windows\{AE59ED58-AF28-4c7d-9043-1C7D76E8D019}.exe

Filesize
216KB

MD5
208d01f12dd37a827615556de96136ba

SHA1
d0f13c575d1b43e296d610539e495be4d9a077d1

SHA256
183207a5c8dff9a1063e8eda609d88340970fa3bbf32f2bf9d717e6f1d6428fe

SHA512
15dabf1ae71a60d75ed08ffe3e7c3939406dc86bb57cc67a7db029009964c3dcb69f43413f90f24047fc07948f291a71836f2c9df24927e8c5f3a26e201b45c1

Download Submit
C:\Windows\{B0550F0B-4CF1-4a43-BE32-0173C3AB1EFE}.exe

Filesize
216KB

MD5
ce615a40d713f23760b1e99be4aa2717

SHA1
1b815a1e55ce5689bf7f6743276d6f7e393ada6f

SHA256
47830d720e5931e2791b408a6f6aaa72887e45d8b301c1c9f9afdde081c81956

SHA512
252e23c4cda74104d521ff21703475166da928a11ab80b6052bf6a1c41746578718c3c4e346008775592ccf1a48b951c32f3ce55bd88e781bfcb4d4f6522f747

Download Submit
C:\Windows\{BF643AAD-E6A5-4684-8A51-12CA6E0E24E7}.exe

Filesize
216KB

MD5
4a62c3bc0296b55941a5ae9468c3a64a

SHA1
b553744e07beb2145a8936f01973887e365a6cea

SHA256
d522dac51baf3a787be0ba6d9d537ab2a079cfe70a6b264e911325c61cef74d2

SHA512
50864183e720d2f27407f343951ec06c2d17d70ac46b1329f4d0a2c2ebfeada125d8ae50aaa11c1e893ea37383add58ea5efdb14137d1a0b83ec7443cc668518

Download Submit
C:\Windows\{CC4240C5-382C-4417-A34D-8AAE85F4B73D}.exe

Filesize
216KB

MD5
c943416e1c17fcc5a9e9c9223252d406

SHA1
482e9977cb2b5e89fecaad3e5f264a82a8c366bf

SHA256
b91fa3d22eef768ee994ebd38238312fc8c9a8ba1d4520be0b7f8a51816d51ac

SHA512
339c601bbcda3f33f51735d6e01049b71121d9cc799245c2596f93aaf376220c8654164c8a19070e5154a8a29d67de06faa030aba23f8a2ac0c3873bb01704fd

Download Submit
C:\Windows\{D37272B8-3F63-48a6-A68E-5EDE0ADA85AB}.exe

Filesize
216KB

MD5
dde1940690515ef35e86c85302ea8760

SHA1
543a2e8192b442dd506a92bf267872d1940c88d7

SHA256
665900926bea960d73749fa7664787ea6aa44f425b1494f6ce1686c0ab028a9f

SHA512
31dd75d7c9014809cd483bdbeb3629f415c437e6732c68e618115d88414917b61d54989be930c921fbaf9440cf15c0db5e1bb5822f0414ccf21cff43fe5521bb

Download Submit
C:\Windows\{D51413A1-DA4C-48ab-949A-72A38C66C6D4}.exe

Filesize
216KB

MD5
44e0f3a73030093ab872849115a01a0f

SHA1
774d3f961b875f534d2923d4a4349035f5b5af72

SHA256
5f3583db976a58107f80ec6549bedfa3f99f9e5e3dc9a80ca5308f13164c3a9c

SHA512
98bb751973f1d7975fd31f2ab9f83461baaf88a43b9eaed86467bc402419eed338c5b307cdcb7af02850242c0fe77ba96e184da4cce0a80ee4f146db3bae868d

Download Submit
C:\Windows\{F5E26119-6829-42d6-B5A3-7CAB4931D5B6}.exe

Filesize
216KB

MD5
74d2db65efbc2649c400deb1bbf525ab

SHA1
61b862549bf398871d39436b6271e5e612c10818

SHA256
ce2cb23018be0b40397b900b5801782cc06020f1d722c6ebc4eb51f418b13c55

SHA512
747aaa65193c010614467acee32cf280004afb72a92dda99eead54558e08f304681ffd6ddddbff047b31c9e8d9715f612aa58dc8dd589d2773d10f2d9a4ac195

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads