3e35c8b53e40d036bc1756c79dfc3463b7fcba7da6423731e8fe8f4ba1be791a

Analysis

max time kernel
144s
max time network
120s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
16/04/2024, 11:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-16_62079b0c9c0a8a042ffd3f1f95bd51ff_goldeneye.exe
Size

204KB
MD5

62079b0c9c0a8a042ffd3f1f95bd51ff
SHA1

e96dec4dc25a51fafeee286ecf7ecfc5ab295924
SHA256

3e35c8b53e40d036bc1756c79dfc3463b7fcba7da6423731e8fe8f4ba1be791a
SHA512

b563be059ef984d1f3b6542fba4326cee90cf0c6245254f160fb3cb9532fa59382fd0f7427469970ed105420522dc63995a9623ae91eafa66ab28d5e06285e26
SSDEEP

1536:1EGh0o8l15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0o8l1OPOe2MUVg3Ve+rXfMUy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000c000000013a32-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002e000000016cc8-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e000000016ce9-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000900000000f6f2-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002f000000016cc8-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a00000000f6f2-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0030000000016cc8-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b00000000f6f2-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0031000000016cc8-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c00000000f6f2-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0032000000016cc8-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C27293CD-F7E4-440e-9E83-2918C2BC85AC}	{F96F2753-F49B-4666-BED8-5A1788A918D4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C27293CD-F7E4-440e-9E83-2918C2BC85AC}\stubpath = "C:\\Windows\\{C27293CD-F7E4-440e-9E83-2918C2BC85AC}.exe"	{F96F2753-F49B-4666-BED8-5A1788A918D4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AB6E548D-9B2C-483f-B415-B910AF425051}	{A7F53AE2-FC04-47ef-A314-51B6BD87C44E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F8CA3138-B94B-44c7-A603-3C642C283C08}	{AB6E548D-9B2C-483f-B415-B910AF425051}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{857DEDBD-2844-4823-9624-54AA86BDB6DB}	{7247D962-A13E-4caf-BB54-717410AD8A90}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6299C119-AE99-4b6b-95CA-808613A67759}	{23FCEE1F-DB29-4527-B5F2-8223A66873B5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6299C119-AE99-4b6b-95CA-808613A67759}\stubpath = "C:\\Windows\\{6299C119-AE99-4b6b-95CA-808613A67759}.exe"	{23FCEE1F-DB29-4527-B5F2-8223A66873B5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{857DEDBD-2844-4823-9624-54AA86BDB6DB}\stubpath = "C:\\Windows\\{857DEDBD-2844-4823-9624-54AA86BDB6DB}.exe"	{7247D962-A13E-4caf-BB54-717410AD8A90}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AB6E548D-9B2C-483f-B415-B910AF425051}\stubpath = "C:\\Windows\\{AB6E548D-9B2C-483f-B415-B910AF425051}.exe"	{A7F53AE2-FC04-47ef-A314-51B6BD87C44E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{23FCEE1F-DB29-4527-B5F2-8223A66873B5}	2024-04-16_62079b0c9c0a8a042ffd3f1f95bd51ff_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{64BC84D4-4FC3-40d6-A4ED-853E6B60BC2A}	{857DEDBD-2844-4823-9624-54AA86BDB6DB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{64BC84D4-4FC3-40d6-A4ED-853E6B60BC2A}\stubpath = "C:\\Windows\\{64BC84D4-4FC3-40d6-A4ED-853E6B60BC2A}.exe"	{857DEDBD-2844-4823-9624-54AA86BDB6DB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A7F53AE2-FC04-47ef-A314-51B6BD87C44E}	{C27293CD-F7E4-440e-9E83-2918C2BC85AC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7247D962-A13E-4caf-BB54-717410AD8A90}	{6299C119-AE99-4b6b-95CA-808613A67759}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7247D962-A13E-4caf-BB54-717410AD8A90}\stubpath = "C:\\Windows\\{7247D962-A13E-4caf-BB54-717410AD8A90}.exe"	{6299C119-AE99-4b6b-95CA-808613A67759}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F96F2753-F49B-4666-BED8-5A1788A918D4}	{64BC84D4-4FC3-40d6-A4ED-853E6B60BC2A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F96F2753-F49B-4666-BED8-5A1788A918D4}\stubpath = "C:\\Windows\\{F96F2753-F49B-4666-BED8-5A1788A918D4}.exe"	{64BC84D4-4FC3-40d6-A4ED-853E6B60BC2A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A7F53AE2-FC04-47ef-A314-51B6BD87C44E}\stubpath = "C:\\Windows\\{A7F53AE2-FC04-47ef-A314-51B6BD87C44E}.exe"	{C27293CD-F7E4-440e-9E83-2918C2BC85AC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F8CA3138-B94B-44c7-A603-3C642C283C08}\stubpath = "C:\\Windows\\{F8CA3138-B94B-44c7-A603-3C642C283C08}.exe"	{AB6E548D-9B2C-483f-B415-B910AF425051}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6C1A5433-23B9-4172-823E-A1324C787F25}	{F8CA3138-B94B-44c7-A603-3C642C283C08}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6C1A5433-23B9-4172-823E-A1324C787F25}\stubpath = "C:\\Windows\\{6C1A5433-23B9-4172-823E-A1324C787F25}.exe"	{F8CA3138-B94B-44c7-A603-3C642C283C08}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{23FCEE1F-DB29-4527-B5F2-8223A66873B5}\stubpath = "C:\\Windows\\{23FCEE1F-DB29-4527-B5F2-8223A66873B5}.exe"	2024-04-16_62079b0c9c0a8a042ffd3f1f95bd51ff_goldeneye.exe

Deletes itself 1 IoCs

pid	Process
2040	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2044	{23FCEE1F-DB29-4527-B5F2-8223A66873B5}.exe
2540	{6299C119-AE99-4b6b-95CA-808613A67759}.exe
2404	{7247D962-A13E-4caf-BB54-717410AD8A90}.exe
2368	{857DEDBD-2844-4823-9624-54AA86BDB6DB}.exe
2700	{64BC84D4-4FC3-40d6-A4ED-853E6B60BC2A}.exe
1672	{F96F2753-F49B-4666-BED8-5A1788A918D4}.exe
1912	{C27293CD-F7E4-440e-9E83-2918C2BC85AC}.exe
576	{A7F53AE2-FC04-47ef-A314-51B6BD87C44E}.exe
1516	{AB6E548D-9B2C-483f-B415-B910AF425051}.exe
2292	{F8CA3138-B94B-44c7-A603-3C642C283C08}.exe
2576	{6C1A5433-23B9-4172-823E-A1324C787F25}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{6299C119-AE99-4b6b-95CA-808613A67759}.exe	{23FCEE1F-DB29-4527-B5F2-8223A66873B5}.exe
File created	C:\Windows\{7247D962-A13E-4caf-BB54-717410AD8A90}.exe	{6299C119-AE99-4b6b-95CA-808613A67759}.exe
File created	C:\Windows\{857DEDBD-2844-4823-9624-54AA86BDB6DB}.exe	{7247D962-A13E-4caf-BB54-717410AD8A90}.exe
File created	C:\Windows\{F96F2753-F49B-4666-BED8-5A1788A918D4}.exe	{64BC84D4-4FC3-40d6-A4ED-853E6B60BC2A}.exe
File created	C:\Windows\{6C1A5433-23B9-4172-823E-A1324C787F25}.exe	{F8CA3138-B94B-44c7-A603-3C642C283C08}.exe
File created	C:\Windows\{23FCEE1F-DB29-4527-B5F2-8223A66873B5}.exe	2024-04-16_62079b0c9c0a8a042ffd3f1f95bd51ff_goldeneye.exe
File created	C:\Windows\{64BC84D4-4FC3-40d6-A4ED-853E6B60BC2A}.exe	{857DEDBD-2844-4823-9624-54AA86BDB6DB}.exe
File created	C:\Windows\{C27293CD-F7E4-440e-9E83-2918C2BC85AC}.exe	{F96F2753-F49B-4666-BED8-5A1788A918D4}.exe
File created	C:\Windows\{A7F53AE2-FC04-47ef-A314-51B6BD87C44E}.exe	{C27293CD-F7E4-440e-9E83-2918C2BC85AC}.exe
File created	C:\Windows\{AB6E548D-9B2C-483f-B415-B910AF425051}.exe	{A7F53AE2-FC04-47ef-A314-51B6BD87C44E}.exe
File created	C:\Windows\{F8CA3138-B94B-44c7-A603-3C642C283C08}.exe	{AB6E548D-9B2C-483f-B415-B910AF425051}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2224	2024-04-16_62079b0c9c0a8a042ffd3f1f95bd51ff_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2044	{23FCEE1F-DB29-4527-B5F2-8223A66873B5}.exe
Token: SeIncBasePriorityPrivilege	2540	{6299C119-AE99-4b6b-95CA-808613A67759}.exe
Token: SeIncBasePriorityPrivilege	2404	{7247D962-A13E-4caf-BB54-717410AD8A90}.exe
Token: SeIncBasePriorityPrivilege	2368	{857DEDBD-2844-4823-9624-54AA86BDB6DB}.exe
Token: SeIncBasePriorityPrivilege	2700	{64BC84D4-4FC3-40d6-A4ED-853E6B60BC2A}.exe
Token: SeIncBasePriorityPrivilege	1672	{F96F2753-F49B-4666-BED8-5A1788A918D4}.exe
Token: SeIncBasePriorityPrivilege	1912	{C27293CD-F7E4-440e-9E83-2918C2BC85AC}.exe
Token: SeIncBasePriorityPrivilege	576	{A7F53AE2-FC04-47ef-A314-51B6BD87C44E}.exe
Token: SeIncBasePriorityPrivilege	1516	{AB6E548D-9B2C-483f-B415-B910AF425051}.exe
Token: SeIncBasePriorityPrivilege	2292	{F8CA3138-B94B-44c7-A603-3C642C283C08}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2224 wrote to memory of 2044	2224	2024-04-16_62079b0c9c0a8a042ffd3f1f95bd51ff_goldeneye.exe	28
PID 2224 wrote to memory of 2044	2224	2024-04-16_62079b0c9c0a8a042ffd3f1f95bd51ff_goldeneye.exe	28
PID 2224 wrote to memory of 2044	2224	2024-04-16_62079b0c9c0a8a042ffd3f1f95bd51ff_goldeneye.exe	28
PID 2224 wrote to memory of 2044	2224	2024-04-16_62079b0c9c0a8a042ffd3f1f95bd51ff_goldeneye.exe	28
PID 2224 wrote to memory of 2040	2224	2024-04-16_62079b0c9c0a8a042ffd3f1f95bd51ff_goldeneye.exe	29
PID 2224 wrote to memory of 2040	2224	2024-04-16_62079b0c9c0a8a042ffd3f1f95bd51ff_goldeneye.exe	29
PID 2224 wrote to memory of 2040	2224	2024-04-16_62079b0c9c0a8a042ffd3f1f95bd51ff_goldeneye.exe	29
PID 2224 wrote to memory of 2040	2224	2024-04-16_62079b0c9c0a8a042ffd3f1f95bd51ff_goldeneye.exe	29
PID 2044 wrote to memory of 2540	2044	{23FCEE1F-DB29-4527-B5F2-8223A66873B5}.exe	30
PID 2044 wrote to memory of 2540	2044	{23FCEE1F-DB29-4527-B5F2-8223A66873B5}.exe	30
PID 2044 wrote to memory of 2540	2044	{23FCEE1F-DB29-4527-B5F2-8223A66873B5}.exe	30
PID 2044 wrote to memory of 2540	2044	{23FCEE1F-DB29-4527-B5F2-8223A66873B5}.exe	30
PID 2044 wrote to memory of 2396	2044	{23FCEE1F-DB29-4527-B5F2-8223A66873B5}.exe	31
PID 2044 wrote to memory of 2396	2044	{23FCEE1F-DB29-4527-B5F2-8223A66873B5}.exe	31
PID 2044 wrote to memory of 2396	2044	{23FCEE1F-DB29-4527-B5F2-8223A66873B5}.exe	31
PID 2044 wrote to memory of 2396	2044	{23FCEE1F-DB29-4527-B5F2-8223A66873B5}.exe	31
PID 2540 wrote to memory of 2404	2540	{6299C119-AE99-4b6b-95CA-808613A67759}.exe	34
PID 2540 wrote to memory of 2404	2540	{6299C119-AE99-4b6b-95CA-808613A67759}.exe	34
PID 2540 wrote to memory of 2404	2540	{6299C119-AE99-4b6b-95CA-808613A67759}.exe	34
PID 2540 wrote to memory of 2404	2540	{6299C119-AE99-4b6b-95CA-808613A67759}.exe	34
PID 2540 wrote to memory of 2464	2540	{6299C119-AE99-4b6b-95CA-808613A67759}.exe	35
PID 2540 wrote to memory of 2464	2540	{6299C119-AE99-4b6b-95CA-808613A67759}.exe	35
PID 2540 wrote to memory of 2464	2540	{6299C119-AE99-4b6b-95CA-808613A67759}.exe	35
PID 2540 wrote to memory of 2464	2540	{6299C119-AE99-4b6b-95CA-808613A67759}.exe	35
PID 2404 wrote to memory of 2368	2404	{7247D962-A13E-4caf-BB54-717410AD8A90}.exe	36
PID 2404 wrote to memory of 2368	2404	{7247D962-A13E-4caf-BB54-717410AD8A90}.exe	36
PID 2404 wrote to memory of 2368	2404	{7247D962-A13E-4caf-BB54-717410AD8A90}.exe	36
PID 2404 wrote to memory of 2368	2404	{7247D962-A13E-4caf-BB54-717410AD8A90}.exe	36
PID 2404 wrote to memory of 524	2404	{7247D962-A13E-4caf-BB54-717410AD8A90}.exe	37
PID 2404 wrote to memory of 524	2404	{7247D962-A13E-4caf-BB54-717410AD8A90}.exe	37
PID 2404 wrote to memory of 524	2404	{7247D962-A13E-4caf-BB54-717410AD8A90}.exe	37
PID 2404 wrote to memory of 524	2404	{7247D962-A13E-4caf-BB54-717410AD8A90}.exe	37
PID 2368 wrote to memory of 2700	2368	{857DEDBD-2844-4823-9624-54AA86BDB6DB}.exe	38
PID 2368 wrote to memory of 2700	2368	{857DEDBD-2844-4823-9624-54AA86BDB6DB}.exe	38
PID 2368 wrote to memory of 2700	2368	{857DEDBD-2844-4823-9624-54AA86BDB6DB}.exe	38
PID 2368 wrote to memory of 2700	2368	{857DEDBD-2844-4823-9624-54AA86BDB6DB}.exe	38
PID 2368 wrote to memory of 688	2368	{857DEDBD-2844-4823-9624-54AA86BDB6DB}.exe	39
PID 2368 wrote to memory of 688	2368	{857DEDBD-2844-4823-9624-54AA86BDB6DB}.exe	39
PID 2368 wrote to memory of 688	2368	{857DEDBD-2844-4823-9624-54AA86BDB6DB}.exe	39
PID 2368 wrote to memory of 688	2368	{857DEDBD-2844-4823-9624-54AA86BDB6DB}.exe	39
PID 2700 wrote to memory of 1672	2700	{64BC84D4-4FC3-40d6-A4ED-853E6B60BC2A}.exe	40
PID 2700 wrote to memory of 1672	2700	{64BC84D4-4FC3-40d6-A4ED-853E6B60BC2A}.exe	40
PID 2700 wrote to memory of 1672	2700	{64BC84D4-4FC3-40d6-A4ED-853E6B60BC2A}.exe	40
PID 2700 wrote to memory of 1672	2700	{64BC84D4-4FC3-40d6-A4ED-853E6B60BC2A}.exe	40
PID 2700 wrote to memory of 2308	2700	{64BC84D4-4FC3-40d6-A4ED-853E6B60BC2A}.exe	41
PID 2700 wrote to memory of 2308	2700	{64BC84D4-4FC3-40d6-A4ED-853E6B60BC2A}.exe	41
PID 2700 wrote to memory of 2308	2700	{64BC84D4-4FC3-40d6-A4ED-853E6B60BC2A}.exe	41
PID 2700 wrote to memory of 2308	2700	{64BC84D4-4FC3-40d6-A4ED-853E6B60BC2A}.exe	41
PID 1672 wrote to memory of 1912	1672	{F96F2753-F49B-4666-BED8-5A1788A918D4}.exe	42
PID 1672 wrote to memory of 1912	1672	{F96F2753-F49B-4666-BED8-5A1788A918D4}.exe	42
PID 1672 wrote to memory of 1912	1672	{F96F2753-F49B-4666-BED8-5A1788A918D4}.exe	42
PID 1672 wrote to memory of 1912	1672	{F96F2753-F49B-4666-BED8-5A1788A918D4}.exe	42
PID 1672 wrote to memory of 2000	1672	{F96F2753-F49B-4666-BED8-5A1788A918D4}.exe	43
PID 1672 wrote to memory of 2000	1672	{F96F2753-F49B-4666-BED8-5A1788A918D4}.exe	43
PID 1672 wrote to memory of 2000	1672	{F96F2753-F49B-4666-BED8-5A1788A918D4}.exe	43
PID 1672 wrote to memory of 2000	1672	{F96F2753-F49B-4666-BED8-5A1788A918D4}.exe	43
PID 1912 wrote to memory of 576	1912	{C27293CD-F7E4-440e-9E83-2918C2BC85AC}.exe	44
PID 1912 wrote to memory of 576	1912	{C27293CD-F7E4-440e-9E83-2918C2BC85AC}.exe	44
PID 1912 wrote to memory of 576	1912	{C27293CD-F7E4-440e-9E83-2918C2BC85AC}.exe	44
PID 1912 wrote to memory of 576	1912	{C27293CD-F7E4-440e-9E83-2918C2BC85AC}.exe	44
PID 1912 wrote to memory of 2788	1912	{C27293CD-F7E4-440e-9E83-2918C2BC85AC}.exe	45
PID 1912 wrote to memory of 2788	1912	{C27293CD-F7E4-440e-9E83-2918C2BC85AC}.exe	45
PID 1912 wrote to memory of 2788	1912	{C27293CD-F7E4-440e-9E83-2918C2BC85AC}.exe	45
PID 1912 wrote to memory of 2788	1912	{C27293CD-F7E4-440e-9E83-2918C2BC85AC}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-04-16_62079b0c9c0a8a042ffd3f1f95bd51ff_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-16_62079b0c9c0a8a042ffd3f1f95bd51ff_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2224
- C:\Windows\{23FCEE1F-DB29-4527-B5F2-8223A66873B5}.exe
  C:\Windows\{23FCEE1F-DB29-4527-B5F2-8223A66873B5}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2044
- - C:\Windows\{6299C119-AE99-4b6b-95CA-808613A67759}.exe
    C:\Windows\{6299C119-AE99-4b6b-95CA-808613A67759}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2540
  - - C:\Windows\{7247D962-A13E-4caf-BB54-717410AD8A90}.exe
      C:\Windows\{7247D962-A13E-4caf-BB54-717410AD8A90}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2404
    - - C:\Windows\{857DEDBD-2844-4823-9624-54AA86BDB6DB}.exe
        
        C:\Windows\{857DEDBD-2844-4823-9624-54AA86BDB6DB}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2368
      - C:\Windows\{64BC84D4-4FC3-40d6-A4ED-853E6B60BC2A}.exe
        
        C:\Windows\{64BC84D4-4FC3-40d6-A4ED-853E6B60BC2A}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2700
        
        C:\Windows\{F96F2753-F49B-4666-BED8-5A1788A918D4}.exe
        
        C:\Windows\{F96F2753-F49B-4666-BED8-5A1788A918D4}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1672
        
        C:\Windows\{C27293CD-F7E4-440e-9E83-2918C2BC85AC}.exe
        
        C:\Windows\{C27293CD-F7E4-440e-9E83-2918C2BC85AC}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1912
        
        C:\Windows\{A7F53AE2-FC04-47ef-A314-51B6BD87C44E}.exe
        
        C:\Windows\{A7F53AE2-FC04-47ef-A314-51B6BD87C44E}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:576
        
        C:\Windows\{AB6E548D-9B2C-483f-B415-B910AF425051}.exe
        
        C:\Windows\{AB6E548D-9B2C-483f-B415-B910AF425051}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1516
        
        C:\Windows\{F8CA3138-B94B-44c7-A603-3C642C283C08}.exe
        
        C:\Windows\{F8CA3138-B94B-44c7-A603-3C642C283C08}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2292
        
        C:\Windows\{6C1A5433-23B9-4172-823E-A1324C787F25}.exe
        
        C:\Windows\{6C1A5433-23B9-4172-823E-A1324C787F25}.exe
        12⤵
        Executes dropped EXE
        
        PID:2576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F8CA3~1.EXE > nul
        12⤵
        
        PID:1436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AB6E5~1.EXE > nul
        11⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A7F53~1.EXE > nul
        10⤵
        
        PID:1452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C2729~1.EXE > nul
        9⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F96F2~1.EXE > nul
        8⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{64BC8~1.EXE > nul
        7⤵
        
        PID:2308
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{857DE~1.EXE > nul
        6⤵
        
        PID:688
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7247D~1.EXE > nul
        5⤵
        
        PID:524
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{6299C~1.EXE > nul
      4⤵
      PID:2464
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{23FCE~1.EXE > nul
    3⤵
    PID:2396
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{23FCEE1F-DB29-4527-B5F2-8223A66873B5}.exe

Filesize
204KB

MD5
616db7f46aea07b498a1aada6c7b12e7

SHA1
74c23948a541c28d83fdad9b9bf93f34ad86c62d

SHA256
9fbf413fd48200bd17a17ddb8b91f8d372319ff0159155e6c03f43d92b8c29e4

SHA512
f67b96bdbd30b1b053d0493ae3bef188a4f74cc064b4a178c1731ea13bff119262db294220cdcc44d06f3f5a1c73f115c68a2fb667b13efacf38fda5d98c3156

Download Submit
C:\Windows\{6299C119-AE99-4b6b-95CA-808613A67759}.exe

Filesize
204KB

MD5
37538e24bcd1522fc6f1bbf8518273d9

SHA1
65da43620476e5d977f465103ba4c6fe83189598

SHA256
e8d89438bf455ef7977131ef26ae53e59be94ff342d670fdb0224e051d6c3cdc

SHA512
8fb825cd0ae08274817a1c28248b28755cbb79c5f21a35e4c5a28160a61ff793e1ddc70703c721c723de5b1316f4abc101a7fe22336e35edc8a9a251776c953e

Download Submit
C:\Windows\{64BC84D4-4FC3-40d6-A4ED-853E6B60BC2A}.exe

Filesize
204KB

MD5
1817b26350be4f16f116354d0989404e

SHA1
350ed056b584c047ab24d36b4f2084afed772867

SHA256
fbc176f2c398f01878949b4fe5f90a62639d508a096640a92ff3ed9f7959e3fd

SHA512
b796ee1e9d424994a76c865827999880cdd325a5ac10bd9a8a8e441a8e0d91bfb82d51ab39beaf77bddba9d5558fcc2d0936de38595823b2ee60ccb9103933bd

Download Submit
C:\Windows\{6C1A5433-23B9-4172-823E-A1324C787F25}.exe

Filesize
204KB

MD5
a7e6d5e399c0f3d0ba47fefe52e95b01

SHA1
8831526084a34fff28c5c69e633511fe8260f928

SHA256
72b033de789adb297404768919f51af19d3f1c275c67fd3af1f17d5660bbfacf

SHA512
6e1218248f7d08ecd9e21e31c711d40adf51ab1d619f22f80771e2d32bb1dc822458e9e1a7ce29f11e863f45764d33b04e9a58de556a1e1556622d7210067cb8

Download Submit
C:\Windows\{7247D962-A13E-4caf-BB54-717410AD8A90}.exe

Filesize
204KB

MD5
507f5922a54c30570a86498970e7cc24

SHA1
b327b03b60d9229ff8ccf8cd1d80c67d2e66fe92

SHA256
71830a8e5aa0ebf823ea1899e532b507b3a4426804f23a4b081b6991c6c1b3bc

SHA512
12ad13949148c40173006c7d3ea2e681b38ba273759ad8ae0ae3fa15969cfd2bc0498582688217117838ac33a720734e69ae09f2bbac0d36812049fbdd73b990

Download Submit
C:\Windows\{857DEDBD-2844-4823-9624-54AA86BDB6DB}.exe

Filesize
204KB

MD5
28cfaa0c8dd38f93758e3ac50bb06fec

SHA1
926c3cf93af132c97f06413e58ad04120b976772

SHA256
888d4ffdcfd04707f39328fac407b61b3946bd5f66e53e3dcd2b2cd82f341282

SHA512
5f3b03b4b7e877d1c15f4d129fae6debc3fe1a13dc3d3a81b0c413877ff8a657083d91497124cdac9416e54a4952decffbaedd0df44f407d5745fe4859b04621

Download Submit
C:\Windows\{A7F53AE2-FC04-47ef-A314-51B6BD87C44E}.exe

Filesize
204KB

MD5
7ec6d229371b7eb8b5296e6ec426843b

SHA1
18b115070eb50828c01998390d0638581d794453

SHA256
ddb4948e7a532b0c0cdbabb836852236bd0ed2e6aa5b59b3961ed081160524d4

SHA512
a33e9a80e46343379d0ab89348ade6ceeb12264657d32c4bdf0869a07df5269992fcd58f403f007f55dfe305cfba72c1cff80988a2ad2cc295defcb5cb3b9a32

Download Submit
C:\Windows\{AB6E548D-9B2C-483f-B415-B910AF425051}.exe

Filesize
204KB

MD5
d07b3ec1e42cb3d1ded9ccb28d3e9f03

SHA1
e1561dd319d66888b337d4a428b9d3321dba302e

SHA256
fa038dfab2865b35b0f9ea3c4b784191237f1e5e38797f21f672ff37c8748574

SHA512
a7587c91fa859651b8f25de26668348fc0bf287af782ac6dd6b1d71e3a49d723577cd5c4d92bc3af2f85bdf78a82ee7c9d59792e1fef8150e8a421af9ceb0783

Download Submit
C:\Windows\{C27293CD-F7E4-440e-9E83-2918C2BC85AC}.exe

Filesize
204KB

MD5
3cdc34e38c1812a44d499e23ebc39c4f

SHA1
c4227408d9237153e301d2d243032ac0f678f91c

SHA256
adce960b4c6999b987a98f9eb116ffd1686f1e92f257ea2e34ad97b1748a4730

SHA512
77035a357165024aa09c226e4210e0696c625dd4c02b676d267e4a311e4c540a208befa7dd3f5487c22cd886189214d5229196c6e080e8ca0457b9cd3daf7e57

Download Submit
C:\Windows\{F8CA3138-B94B-44c7-A603-3C642C283C08}.exe

Filesize
204KB

MD5
743311bf02ef68789a4fbc9c9e895069

SHA1
50744ae848dc27eb73c28482f8278ea76b873e22

SHA256
d111d479c4899a4de9619831371eabc356534148ec090397c1a845b03fb2888a

SHA512
b2c7192170bd129afb16f98aa014efcbe1398b90ff824e55ce33546942c3844795b78dd774f6895610cfecbe55ecc184748b539954e8d405e35a79850bc9ab26

Download Submit
C:\Windows\{F96F2753-F49B-4666-BED8-5A1788A918D4}.exe

Filesize
204KB

MD5
719d4e7898bc1a2465db970d44229829

SHA1
e1ea06d6da1088b62fa7f589ebe7b6f8b91d5f05

SHA256
56384208a7ccc8b8702c496629ff631766ab8f0e8803ca7ae9b11f03a5cb9584

SHA512
f16885f114e3891e8490c286ca7ec720494108cbdeabbe5ff707632f9d73d7efa295463823e85cbb99c6555164feade75248100af3cedebefc95bff8c7e443a7

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads