2cbf73b59d8883b39503a8957465aca64e97ef7838f200a39f9955612353e42f

Analysis

max time kernel
144s
max time network
126s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
17/04/2024, 00:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-17_9697825d0ad61534375222c95642a42b_goldeneye.exe
Size

372KB
MD5

9697825d0ad61534375222c95642a42b
SHA1

7d8aff23051a41d794a1f32c5c41a3fe440a0a9d
SHA256

2cbf73b59d8883b39503a8957465aca64e97ef7838f200a39f9955612353e42f
SHA512

c7a8b137a6cc2e2f88f51a77201fdca32eaf5b223225f7a6bf3af9e196680bce4eda3b39d94c909804de84287c74b4c0c272330f8e3a026a4e8f2c07384be76d
SSDEEP

3072:CEGh0o/lMOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBfM:CEGNlkOe2MUVg3vTeKcAEciTBqr3

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000b000000012265-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00040000000130fc-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000012265-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000012265-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e000000012265-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f000000012265-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0010000000012265-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{432A6484-F128-4e14-99F5-1A28A8D02242}	{C27D1454-0DAE-44c3-A811-91832D5D88CF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{44C06FD4-6426-4ca9-BAF1-5826BBA4B1DA}	2024-04-17_9697825d0ad61534375222c95642a42b_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E8345D04-0499-40ea-821F-B0A498553A01}	{44C06FD4-6426-4ca9-BAF1-5826BBA4B1DA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DF9472BC-0228-47c9-837E-C1A55DAF1CE4}\stubpath = "C:\\Windows\\{DF9472BC-0228-47c9-837E-C1A55DAF1CE4}.exe"	{37766FD8-638A-4dbc-AC61-97C8D55FC7A7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{44C06FD4-6426-4ca9-BAF1-5826BBA4B1DA}\stubpath = "C:\\Windows\\{44C06FD4-6426-4ca9-BAF1-5826BBA4B1DA}.exe"	2024-04-17_9697825d0ad61534375222c95642a42b_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E8345D04-0499-40ea-821F-B0A498553A01}\stubpath = "C:\\Windows\\{E8345D04-0499-40ea-821F-B0A498553A01}.exe"	{44C06FD4-6426-4ca9-BAF1-5826BBA4B1DA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{350AF325-4E51-4645-AB21-EC07230877E9}\stubpath = "C:\\Windows\\{350AF325-4E51-4645-AB21-EC07230877E9}.exe"	{DF9472BC-0228-47c9-837E-C1A55DAF1CE4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{389C9C61-44EB-4668-BABA-A90737EA68DD}	{C94EFFC5-EA91-4279-A7CA-D041A0537015}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A4D588B9-FD07-4555-9912-EE0B0BD0C5AB}	{389C9C61-44EB-4668-BABA-A90737EA68DD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{37766FD8-638A-4dbc-AC61-97C8D55FC7A7}	{A4D588B9-FD07-4555-9912-EE0B0BD0C5AB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{350AF325-4E51-4645-AB21-EC07230877E9}	{DF9472BC-0228-47c9-837E-C1A55DAF1CE4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C27D1454-0DAE-44c3-A811-91832D5D88CF}	{350AF325-4E51-4645-AB21-EC07230877E9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CF575B5C-EAE2-40cd-9976-0EBEF3A96C66}	{E8345D04-0499-40ea-821F-B0A498553A01}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CF575B5C-EAE2-40cd-9976-0EBEF3A96C66}\stubpath = "C:\\Windows\\{CF575B5C-EAE2-40cd-9976-0EBEF3A96C66}.exe"	{E8345D04-0499-40ea-821F-B0A498553A01}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C94EFFC5-EA91-4279-A7CA-D041A0537015}\stubpath = "C:\\Windows\\{C94EFFC5-EA91-4279-A7CA-D041A0537015}.exe"	{CF575B5C-EAE2-40cd-9976-0EBEF3A96C66}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{432A6484-F128-4e14-99F5-1A28A8D02242}\stubpath = "C:\\Windows\\{432A6484-F128-4e14-99F5-1A28A8D02242}.exe"	{C27D1454-0DAE-44c3-A811-91832D5D88CF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{37766FD8-638A-4dbc-AC61-97C8D55FC7A7}\stubpath = "C:\\Windows\\{37766FD8-638A-4dbc-AC61-97C8D55FC7A7}.exe"	{A4D588B9-FD07-4555-9912-EE0B0BD0C5AB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DF9472BC-0228-47c9-837E-C1A55DAF1CE4}	{37766FD8-638A-4dbc-AC61-97C8D55FC7A7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C27D1454-0DAE-44c3-A811-91832D5D88CF}\stubpath = "C:\\Windows\\{C27D1454-0DAE-44c3-A811-91832D5D88CF}.exe"	{350AF325-4E51-4645-AB21-EC07230877E9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C94EFFC5-EA91-4279-A7CA-D041A0537015}	{CF575B5C-EAE2-40cd-9976-0EBEF3A96C66}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{389C9C61-44EB-4668-BABA-A90737EA68DD}\stubpath = "C:\\Windows\\{389C9C61-44EB-4668-BABA-A90737EA68DD}.exe"	{C94EFFC5-EA91-4279-A7CA-D041A0537015}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A4D588B9-FD07-4555-9912-EE0B0BD0C5AB}\stubpath = "C:\\Windows\\{A4D588B9-FD07-4555-9912-EE0B0BD0C5AB}.exe"	{389C9C61-44EB-4668-BABA-A90737EA68DD}.exe

Deletes itself 1 IoCs

pid	Process
2560	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
3036	{44C06FD4-6426-4ca9-BAF1-5826BBA4B1DA}.exe
2424	{E8345D04-0499-40ea-821F-B0A498553A01}.exe
2700	{CF575B5C-EAE2-40cd-9976-0EBEF3A96C66}.exe
2780	{C94EFFC5-EA91-4279-A7CA-D041A0537015}.exe
3068	{389C9C61-44EB-4668-BABA-A90737EA68DD}.exe
1708	{A4D588B9-FD07-4555-9912-EE0B0BD0C5AB}.exe
2800	{37766FD8-638A-4dbc-AC61-97C8D55FC7A7}.exe
568	{DF9472BC-0228-47c9-837E-C1A55DAF1CE4}.exe
1640	{350AF325-4E51-4645-AB21-EC07230877E9}.exe
1472	{C27D1454-0DAE-44c3-A811-91832D5D88CF}.exe
2220	{432A6484-F128-4e14-99F5-1A28A8D02242}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{A4D588B9-FD07-4555-9912-EE0B0BD0C5AB}.exe	{389C9C61-44EB-4668-BABA-A90737EA68DD}.exe
File created	C:\Windows\{37766FD8-638A-4dbc-AC61-97C8D55FC7A7}.exe	{A4D588B9-FD07-4555-9912-EE0B0BD0C5AB}.exe
File created	C:\Windows\{C27D1454-0DAE-44c3-A811-91832D5D88CF}.exe	{350AF325-4E51-4645-AB21-EC07230877E9}.exe
File created	C:\Windows\{432A6484-F128-4e14-99F5-1A28A8D02242}.exe	{C27D1454-0DAE-44c3-A811-91832D5D88CF}.exe
File created	C:\Windows\{E8345D04-0499-40ea-821F-B0A498553A01}.exe	{44C06FD4-6426-4ca9-BAF1-5826BBA4B1DA}.exe
File created	C:\Windows\{389C9C61-44EB-4668-BABA-A90737EA68DD}.exe	{C94EFFC5-EA91-4279-A7CA-D041A0537015}.exe
File created	C:\Windows\{C94EFFC5-EA91-4279-A7CA-D041A0537015}.exe	{CF575B5C-EAE2-40cd-9976-0EBEF3A96C66}.exe
File created	C:\Windows\{DF9472BC-0228-47c9-837E-C1A55DAF1CE4}.exe	{37766FD8-638A-4dbc-AC61-97C8D55FC7A7}.exe
File created	C:\Windows\{350AF325-4E51-4645-AB21-EC07230877E9}.exe	{DF9472BC-0228-47c9-837E-C1A55DAF1CE4}.exe
File created	C:\Windows\{44C06FD4-6426-4ca9-BAF1-5826BBA4B1DA}.exe	2024-04-17_9697825d0ad61534375222c95642a42b_goldeneye.exe
File created	C:\Windows\{CF575B5C-EAE2-40cd-9976-0EBEF3A96C66}.exe	{E8345D04-0499-40ea-821F-B0A498553A01}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2356	2024-04-17_9697825d0ad61534375222c95642a42b_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3036	{44C06FD4-6426-4ca9-BAF1-5826BBA4B1DA}.exe
Token: SeIncBasePriorityPrivilege	2424	{E8345D04-0499-40ea-821F-B0A498553A01}.exe
Token: SeIncBasePriorityPrivilege	2700	{CF575B5C-EAE2-40cd-9976-0EBEF3A96C66}.exe
Token: SeIncBasePriorityPrivilege	2780	{C94EFFC5-EA91-4279-A7CA-D041A0537015}.exe
Token: SeIncBasePriorityPrivilege	3068	{389C9C61-44EB-4668-BABA-A90737EA68DD}.exe
Token: SeIncBasePriorityPrivilege	1708	{A4D588B9-FD07-4555-9912-EE0B0BD0C5AB}.exe
Token: SeIncBasePriorityPrivilege	2800	{37766FD8-638A-4dbc-AC61-97C8D55FC7A7}.exe
Token: SeIncBasePriorityPrivilege	568	{DF9472BC-0228-47c9-837E-C1A55DAF1CE4}.exe
Token: SeIncBasePriorityPrivilege	1640	{350AF325-4E51-4645-AB21-EC07230877E9}.exe
Token: SeIncBasePriorityPrivilege	1472	{C27D1454-0DAE-44c3-A811-91832D5D88CF}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2356 wrote to memory of 3036	2356	2024-04-17_9697825d0ad61534375222c95642a42b_goldeneye.exe	28
PID 2356 wrote to memory of 3036	2356	2024-04-17_9697825d0ad61534375222c95642a42b_goldeneye.exe	28
PID 2356 wrote to memory of 3036	2356	2024-04-17_9697825d0ad61534375222c95642a42b_goldeneye.exe	28
PID 2356 wrote to memory of 3036	2356	2024-04-17_9697825d0ad61534375222c95642a42b_goldeneye.exe	28
PID 2356 wrote to memory of 2560	2356	2024-04-17_9697825d0ad61534375222c95642a42b_goldeneye.exe	29
PID 2356 wrote to memory of 2560	2356	2024-04-17_9697825d0ad61534375222c95642a42b_goldeneye.exe	29
PID 2356 wrote to memory of 2560	2356	2024-04-17_9697825d0ad61534375222c95642a42b_goldeneye.exe	29
PID 2356 wrote to memory of 2560	2356	2024-04-17_9697825d0ad61534375222c95642a42b_goldeneye.exe	29
PID 3036 wrote to memory of 2424	3036	{44C06FD4-6426-4ca9-BAF1-5826BBA4B1DA}.exe	30
PID 3036 wrote to memory of 2424	3036	{44C06FD4-6426-4ca9-BAF1-5826BBA4B1DA}.exe	30
PID 3036 wrote to memory of 2424	3036	{44C06FD4-6426-4ca9-BAF1-5826BBA4B1DA}.exe	30
PID 3036 wrote to memory of 2424	3036	{44C06FD4-6426-4ca9-BAF1-5826BBA4B1DA}.exe	30
PID 3036 wrote to memory of 2712	3036	{44C06FD4-6426-4ca9-BAF1-5826BBA4B1DA}.exe	31
PID 3036 wrote to memory of 2712	3036	{44C06FD4-6426-4ca9-BAF1-5826BBA4B1DA}.exe	31
PID 3036 wrote to memory of 2712	3036	{44C06FD4-6426-4ca9-BAF1-5826BBA4B1DA}.exe	31
PID 3036 wrote to memory of 2712	3036	{44C06FD4-6426-4ca9-BAF1-5826BBA4B1DA}.exe	31
PID 2424 wrote to memory of 2700	2424	{E8345D04-0499-40ea-821F-B0A498553A01}.exe	33
PID 2424 wrote to memory of 2700	2424	{E8345D04-0499-40ea-821F-B0A498553A01}.exe	33
PID 2424 wrote to memory of 2700	2424	{E8345D04-0499-40ea-821F-B0A498553A01}.exe	33
PID 2424 wrote to memory of 2700	2424	{E8345D04-0499-40ea-821F-B0A498553A01}.exe	33
PID 2424 wrote to memory of 2436	2424	{E8345D04-0499-40ea-821F-B0A498553A01}.exe	34
PID 2424 wrote to memory of 2436	2424	{E8345D04-0499-40ea-821F-B0A498553A01}.exe	34
PID 2424 wrote to memory of 2436	2424	{E8345D04-0499-40ea-821F-B0A498553A01}.exe	34
PID 2424 wrote to memory of 2436	2424	{E8345D04-0499-40ea-821F-B0A498553A01}.exe	34
PID 2700 wrote to memory of 2780	2700	{CF575B5C-EAE2-40cd-9976-0EBEF3A96C66}.exe	36
PID 2700 wrote to memory of 2780	2700	{CF575B5C-EAE2-40cd-9976-0EBEF3A96C66}.exe	36
PID 2700 wrote to memory of 2780	2700	{CF575B5C-EAE2-40cd-9976-0EBEF3A96C66}.exe	36
PID 2700 wrote to memory of 2780	2700	{CF575B5C-EAE2-40cd-9976-0EBEF3A96C66}.exe	36
PID 2700 wrote to memory of 2812	2700	{CF575B5C-EAE2-40cd-9976-0EBEF3A96C66}.exe	37
PID 2700 wrote to memory of 2812	2700	{CF575B5C-EAE2-40cd-9976-0EBEF3A96C66}.exe	37
PID 2700 wrote to memory of 2812	2700	{CF575B5C-EAE2-40cd-9976-0EBEF3A96C66}.exe	37
PID 2700 wrote to memory of 2812	2700	{CF575B5C-EAE2-40cd-9976-0EBEF3A96C66}.exe	37
PID 2780 wrote to memory of 3068	2780	{C94EFFC5-EA91-4279-A7CA-D041A0537015}.exe	38
PID 2780 wrote to memory of 3068	2780	{C94EFFC5-EA91-4279-A7CA-D041A0537015}.exe	38
PID 2780 wrote to memory of 3068	2780	{C94EFFC5-EA91-4279-A7CA-D041A0537015}.exe	38
PID 2780 wrote to memory of 3068	2780	{C94EFFC5-EA91-4279-A7CA-D041A0537015}.exe	38
PID 2780 wrote to memory of 1072	2780	{C94EFFC5-EA91-4279-A7CA-D041A0537015}.exe	39
PID 2780 wrote to memory of 1072	2780	{C94EFFC5-EA91-4279-A7CA-D041A0537015}.exe	39
PID 2780 wrote to memory of 1072	2780	{C94EFFC5-EA91-4279-A7CA-D041A0537015}.exe	39
PID 2780 wrote to memory of 1072	2780	{C94EFFC5-EA91-4279-A7CA-D041A0537015}.exe	39
PID 3068 wrote to memory of 1708	3068	{389C9C61-44EB-4668-BABA-A90737EA68DD}.exe	40
PID 3068 wrote to memory of 1708	3068	{389C9C61-44EB-4668-BABA-A90737EA68DD}.exe	40
PID 3068 wrote to memory of 1708	3068	{389C9C61-44EB-4668-BABA-A90737EA68DD}.exe	40
PID 3068 wrote to memory of 1708	3068	{389C9C61-44EB-4668-BABA-A90737EA68DD}.exe	40
PID 3068 wrote to memory of 1744	3068	{389C9C61-44EB-4668-BABA-A90737EA68DD}.exe	41
PID 3068 wrote to memory of 1744	3068	{389C9C61-44EB-4668-BABA-A90737EA68DD}.exe	41
PID 3068 wrote to memory of 1744	3068	{389C9C61-44EB-4668-BABA-A90737EA68DD}.exe	41
PID 3068 wrote to memory of 1744	3068	{389C9C61-44EB-4668-BABA-A90737EA68DD}.exe	41
PID 1708 wrote to memory of 2800	1708	{A4D588B9-FD07-4555-9912-EE0B0BD0C5AB}.exe	42
PID 1708 wrote to memory of 2800	1708	{A4D588B9-FD07-4555-9912-EE0B0BD0C5AB}.exe	42
PID 1708 wrote to memory of 2800	1708	{A4D588B9-FD07-4555-9912-EE0B0BD0C5AB}.exe	42
PID 1708 wrote to memory of 2800	1708	{A4D588B9-FD07-4555-9912-EE0B0BD0C5AB}.exe	42
PID 1708 wrote to memory of 584	1708	{A4D588B9-FD07-4555-9912-EE0B0BD0C5AB}.exe	43
PID 1708 wrote to memory of 584	1708	{A4D588B9-FD07-4555-9912-EE0B0BD0C5AB}.exe	43
PID 1708 wrote to memory of 584	1708	{A4D588B9-FD07-4555-9912-EE0B0BD0C5AB}.exe	43
PID 1708 wrote to memory of 584	1708	{A4D588B9-FD07-4555-9912-EE0B0BD0C5AB}.exe	43
PID 2800 wrote to memory of 568	2800	{37766FD8-638A-4dbc-AC61-97C8D55FC7A7}.exe	44
PID 2800 wrote to memory of 568	2800	{37766FD8-638A-4dbc-AC61-97C8D55FC7A7}.exe	44
PID 2800 wrote to memory of 568	2800	{37766FD8-638A-4dbc-AC61-97C8D55FC7A7}.exe	44
PID 2800 wrote to memory of 568	2800	{37766FD8-638A-4dbc-AC61-97C8D55FC7A7}.exe	44
PID 2800 wrote to memory of 2748	2800	{37766FD8-638A-4dbc-AC61-97C8D55FC7A7}.exe	45
PID 2800 wrote to memory of 2748	2800	{37766FD8-638A-4dbc-AC61-97C8D55FC7A7}.exe	45
PID 2800 wrote to memory of 2748	2800	{37766FD8-638A-4dbc-AC61-97C8D55FC7A7}.exe	45
PID 2800 wrote to memory of 2748	2800	{37766FD8-638A-4dbc-AC61-97C8D55FC7A7}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-04-17_9697825d0ad61534375222c95642a42b_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-17_9697825d0ad61534375222c95642a42b_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2356
- C:\Windows\{44C06FD4-6426-4ca9-BAF1-5826BBA4B1DA}.exe
  C:\Windows\{44C06FD4-6426-4ca9-BAF1-5826BBA4B1DA}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3036
- - C:\Windows\{E8345D04-0499-40ea-821F-B0A498553A01}.exe
    C:\Windows\{E8345D04-0499-40ea-821F-B0A498553A01}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2424
  - - C:\Windows\{CF575B5C-EAE2-40cd-9976-0EBEF3A96C66}.exe
      C:\Windows\{CF575B5C-EAE2-40cd-9976-0EBEF3A96C66}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2700
    - - C:\Windows\{C94EFFC5-EA91-4279-A7CA-D041A0537015}.exe
        
        C:\Windows\{C94EFFC5-EA91-4279-A7CA-D041A0537015}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2780
      - C:\Windows\{389C9C61-44EB-4668-BABA-A90737EA68DD}.exe
        
        C:\Windows\{389C9C61-44EB-4668-BABA-A90737EA68DD}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3068
        
        C:\Windows\{A4D588B9-FD07-4555-9912-EE0B0BD0C5AB}.exe
        
        C:\Windows\{A4D588B9-FD07-4555-9912-EE0B0BD0C5AB}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1708
        
        C:\Windows\{37766FD8-638A-4dbc-AC61-97C8D55FC7A7}.exe
        
        C:\Windows\{37766FD8-638A-4dbc-AC61-97C8D55FC7A7}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2800
        
        C:\Windows\{DF9472BC-0228-47c9-837E-C1A55DAF1CE4}.exe
        
        C:\Windows\{DF9472BC-0228-47c9-837E-C1A55DAF1CE4}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:568
        
        C:\Windows\{350AF325-4E51-4645-AB21-EC07230877E9}.exe
        
        C:\Windows\{350AF325-4E51-4645-AB21-EC07230877E9}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1640
        
        C:\Windows\{C27D1454-0DAE-44c3-A811-91832D5D88CF}.exe
        
        C:\Windows\{C27D1454-0DAE-44c3-A811-91832D5D88CF}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1472
        
        C:\Windows\{432A6484-F128-4e14-99F5-1A28A8D02242}.exe
        
        C:\Windows\{432A6484-F128-4e14-99F5-1A28A8D02242}.exe
        12⤵
        Executes dropped EXE
        
        PID:2220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C27D1~1.EXE > nul
        12⤵
        
        PID:836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{350AF~1.EXE > nul
        11⤵
        
        PID:544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DF947~1.EXE > nul
        10⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{37766~1.EXE > nul
        9⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A4D58~1.EXE > nul
        8⤵
        
        PID:584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{389C9~1.EXE > nul
        7⤵
        
        PID:1744
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C94EF~1.EXE > nul
        6⤵
        
        PID:1072
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CF575~1.EXE > nul
        5⤵
        
        PID:2812
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{E8345~1.EXE > nul
      4⤵
      PID:2436
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{44C06~1.EXE > nul
    3⤵
    PID:2712
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{350AF325-4E51-4645-AB21-EC07230877E9}.exe

Filesize
372KB

MD5
73459c83c1266cb5401cfcab78a08959

SHA1
b73e12987b2c1638f91b1e618405e85e94a86954

SHA256
1ea952c501ac07a08d056971a7443b1c2fefdd80e798ea79c78d83be1275eb08

SHA512
dd272ce5f2abc55f6708ffd12ef70e65121157a967258443d876eaa408c8859f10e2201c9ac68167c0cd3b176d5cd69e4d9b77fcd9436f144de1e45143c4ff5f

Download Submit
C:\Windows\{37766FD8-638A-4dbc-AC61-97C8D55FC7A7}.exe

Filesize
372KB

MD5
ef48fa9e8bbe0f93bc1d17de5d23c681

SHA1
53ba1ab466e70c6d3aa742618bfc3aea39576894

SHA256
3ce02ec97831eff503177f7c33553e1388242c887760afe5134bf48de4f8b623

SHA512
30bc6cc3b6b5e3dd7aa8ce4f206bbbe5e6f66c692e2d57ba0895eafb6d8a0172d490145c1565f267953f5d1577e5ea746f41b251588134f1d69c8d66c2a67c7e

Download Submit
C:\Windows\{389C9C61-44EB-4668-BABA-A90737EA68DD}.exe

Filesize
372KB

MD5
320cefba02cc19f02413358a2bbd719f

SHA1
1e4d7284f19bfea8748d897d688c5ef02c11a680

SHA256
aacdb084ef6d149b41faf45767e2a3943f1bb6cfa6356b680b07ad9c891f6a25

SHA512
e20860d016e372092be2882516a44a78f0f823b04c8215d7b5bdbe09b2a713651ef9c5bc90a0b3571c8405a54ab90f00b793f0ef57b71765fc1ebffb82358a9a

Download Submit
C:\Windows\{432A6484-F128-4e14-99F5-1A28A8D02242}.exe

Filesize
372KB

MD5
79bd645b66ddcfdad127cccce9595486

SHA1
8eb0e44a111205115e1546d90d8d097d6db7a904

SHA256
2750c00fccb0def542e9cef8164faddce30a600ccffb242ce443feec8b657a4b

SHA512
8d81a095ef5d3da97845994c2f92da6f93a48a77aa0f2f60c352274892840d9ebb6c84f14a93f914888772202088f295d47925f893b9134d48a2a637ae642b4b

Download Submit
C:\Windows\{44C06FD4-6426-4ca9-BAF1-5826BBA4B1DA}.exe

Filesize
372KB

MD5
518ff2fe6180712aae11b125ae275a40

SHA1
f35c808992b93611e0cd92c2ad2fb9d79059902b

SHA256
612e9cb760cdb30d89366e06d4c7e81c2a504d29f78829d078c6ecc6d61e30a0

SHA512
601e088d0531ac2c9569e8021fa2d368334937557cf97f0473a873cd575f3e1fe3cea00d1ac4ba918a83bfadb766d5c0136e04bf44b970dc36b0ac89e1faddd8

Download Submit
C:\Windows\{A4D588B9-FD07-4555-9912-EE0B0BD0C5AB}.exe

Filesize
372KB

MD5
4be7e89dd003dbf313e474c2570a7b22

SHA1
87a94cb302828621f678b618f0d649772b6d88f8

SHA256
ee8d8e9f25996c8a70d6b95110dbb5d21b35db5ecb04e273ff8102471fae6b1f

SHA512
3ee1850a8fc8308838c23212b68f3c56d00b8aafffa13a6c27ba0c3d6613e2b58512a95fd3ed56d1f36f74bdbd8057d815170e729258603ecb0c22e1e0092ef0

Download Submit
C:\Windows\{C27D1454-0DAE-44c3-A811-91832D5D88CF}.exe

Filesize
372KB

MD5
081d935579421041389a3befc1f3490e

SHA1
c83f124b1b85b14ac00688bb96057d5f8a682a28

SHA256
66cc0dc9de7f6a9be2e1f286c7f8d101adbddcfe099f092a74cd443856ce5969

SHA512
3cef60e973a4579e0e4b31ed0c49f0d21f4416ca65675fb4e2dd63af093ec41b8e90bc792d82dd99a06c7240c76e44bd2e260f6404513fe63f62fd92027ddafb

Download Submit
C:\Windows\{C94EFFC5-EA91-4279-A7CA-D041A0537015}.exe

Filesize
372KB

MD5
98ef5dc3c458043922b3b8050507a6d0

SHA1
b5aa34e7d4084645aff0b7dc972fc21694fef6d8

SHA256
b771e9d82f3c53cb19d5798140a400c1a9072f5e4dae1348e49c624bcaa1e1b3

SHA512
9ba16618c4e166371dc47356f19f0993a508bc43d1ced4cabdacced37d67cedf7eaf66bf70f591222cda216d42554cb589f1af99d08053656f8f118becce8246

Download Submit
C:\Windows\{CF575B5C-EAE2-40cd-9976-0EBEF3A96C66}.exe

Filesize
372KB

MD5
a861bfd7a875ad87ca3a18ecfd9a1b47

SHA1
49a644f8e13d8f7cd72eb10610e9fdccfa7656c2

SHA256
a28dff4b174b2e05f0ec64c3c01302dd105985fa2ac84dce4799c01d6a170866

SHA512
692358dd4a7a097bf3ff48e0939cdbd01c9a8ef41e9414ea6876ff47b0d417dc8f36e1cd7829100b3768246020012b23e6f7afa461d083931d6b21e868378d10

Download Submit
C:\Windows\{DF9472BC-0228-47c9-837E-C1A55DAF1CE4}.exe

Filesize
372KB

MD5
9c5b959412187443f5dc54a3d362024f

SHA1
7486dfc32755fb8c6ab945776f88d27f89aa2eb3

SHA256
8b884d9bdbb4a3519c5a374ed0312960c7bd99a19c3aceac7a12c46241ee8a1d

SHA512
6a37b7548d35373a63b4479604ea9901a1b5b512a53d5c81965bbf303a7940effc321cc7fbf4aa651c2742c8bb3e93e97019f7f3727ec019ada3a27713ca6d4f

Download Submit
C:\Windows\{E8345D04-0499-40ea-821F-B0A498553A01}.exe

Filesize
372KB

MD5
6bd439a578d2caa3e7470d0475f29192

SHA1
2e811db9e08de42e13ba561768c2dceab2a9baf1

SHA256
67d400d0a0062b087a47c8b4e80c8ed40c38a3510ad16768c6fac8c783e23987

SHA512
d83bd88a959adcede0d28aa4bc368a13815dee6a9c1c3609a283f2898387e65b8439977627257c905e6744b15ebb8adcbd339cc9bfcf1040a72218d5fbc1acaa

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads