7dcaa96b4d283bb031ee606b3c1f820074c3fb774a196550c6c0ec9eb64230fa

Analysis

max time kernel
144s
max time network
124s
platform
windows7_x64
resource
win7-20240319-en
resource tags

arch:x64arch:x86image:win7-20240319-enlocale:en-usos:windows7-x64system
submitted
17/04/2024, 00:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-17_eab24f112dab06700cb4b8af986192cd_goldeneye.exe
Size

204KB
MD5

eab24f112dab06700cb4b8af986192cd
SHA1

2b93700ccca76082edaddb6f2e6d646bc18b21f5
SHA256

7dcaa96b4d283bb031ee606b3c1f820074c3fb774a196550c6c0ec9eb64230fa
SHA512

a17b84bb5efa5105b9e98e12c3ca61cf1fd74816d99a8f00c7cc0320e604deb790688f2fa4622bb1f85ffea642536e297e11b8663258855ff8b85fcc3b68d2df
SSDEEP

1536:1EGh0ohl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0ohl1OPOe2MUVg3Ve+rXfMUy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000b0000000121c5-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000800000001220a-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c0000000121c5-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d0000000121c5-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e0000000121c5-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f0000000121c5-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00100000000121c5-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{69C680A8-3131-4da5-AFF5-D3237496FC9A}\stubpath = "C:\\Windows\\{69C680A8-3131-4da5-AFF5-D3237496FC9A}.exe"	{891E6EED-C912-4db6-B92D-B7F4ADC86385}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9ED7AD81-7C81-4977-90DE-5C8C74D7078C}\stubpath = "C:\\Windows\\{9ED7AD81-7C81-4977-90DE-5C8C74D7078C}.exe"	{69C680A8-3131-4da5-AFF5-D3237496FC9A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F29AE57D-2048-4b97-99A9-769E8F9E337A}	{9ED7AD81-7C81-4977-90DE-5C8C74D7078C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{09A000E7-6C50-418b-8BD7-8418E13429B7}	{F29AE57D-2048-4b97-99A9-769E8F9E337A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AB34E1FD-C288-4eb6-BB05-648F618FFAFD}	{09A000E7-6C50-418b-8BD7-8418E13429B7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{58503BC6-41A6-4914-A1ED-30C5D2000A4D}\stubpath = "C:\\Windows\\{58503BC6-41A6-4914-A1ED-30C5D2000A4D}.exe"	{AB34E1FD-C288-4eb6-BB05-648F618FFAFD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B68B33D3-D570-43e6-8110-C6009D229DE6}\stubpath = "C:\\Windows\\{B68B33D3-D570-43e6-8110-C6009D229DE6}.exe"	{09FE129F-3420-40d9-8DB9-22BA692E044A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2CBCE462-72A7-49a9-81D5-AACCCEA77DFC}	2024-04-17_eab24f112dab06700cb4b8af986192cd_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{09A000E7-6C50-418b-8BD7-8418E13429B7}\stubpath = "C:\\Windows\\{09A000E7-6C50-418b-8BD7-8418E13429B7}.exe"	{F29AE57D-2048-4b97-99A9-769E8F9E337A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AB34E1FD-C288-4eb6-BB05-648F618FFAFD}\stubpath = "C:\\Windows\\{AB34E1FD-C288-4eb6-BB05-648F618FFAFD}.exe"	{09A000E7-6C50-418b-8BD7-8418E13429B7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{58503BC6-41A6-4914-A1ED-30C5D2000A4D}	{AB34E1FD-C288-4eb6-BB05-648F618FFAFD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{09FE129F-3420-40d9-8DB9-22BA692E044A}	{58503BC6-41A6-4914-A1ED-30C5D2000A4D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B68B33D3-D570-43e6-8110-C6009D229DE6}	{09FE129F-3420-40d9-8DB9-22BA692E044A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0D2828E2-287D-4c91-83FD-B494F4053456}	{B68B33D3-D570-43e6-8110-C6009D229DE6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{891E6EED-C912-4db6-B92D-B7F4ADC86385}\stubpath = "C:\\Windows\\{891E6EED-C912-4db6-B92D-B7F4ADC86385}.exe"	{2CBCE462-72A7-49a9-81D5-AACCCEA77DFC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F29AE57D-2048-4b97-99A9-769E8F9E337A}\stubpath = "C:\\Windows\\{F29AE57D-2048-4b97-99A9-769E8F9E337A}.exe"	{9ED7AD81-7C81-4977-90DE-5C8C74D7078C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{891E6EED-C912-4db6-B92D-B7F4ADC86385}	{2CBCE462-72A7-49a9-81D5-AACCCEA77DFC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{69C680A8-3131-4da5-AFF5-D3237496FC9A}	{891E6EED-C912-4db6-B92D-B7F4ADC86385}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9ED7AD81-7C81-4977-90DE-5C8C74D7078C}	{69C680A8-3131-4da5-AFF5-D3237496FC9A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{09FE129F-3420-40d9-8DB9-22BA692E044A}\stubpath = "C:\\Windows\\{09FE129F-3420-40d9-8DB9-22BA692E044A}.exe"	{58503BC6-41A6-4914-A1ED-30C5D2000A4D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0D2828E2-287D-4c91-83FD-B494F4053456}\stubpath = "C:\\Windows\\{0D2828E2-287D-4c91-83FD-B494F4053456}.exe"	{B68B33D3-D570-43e6-8110-C6009D229DE6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2CBCE462-72A7-49a9-81D5-AACCCEA77DFC}\stubpath = "C:\\Windows\\{2CBCE462-72A7-49a9-81D5-AACCCEA77DFC}.exe"	2024-04-17_eab24f112dab06700cb4b8af986192cd_goldeneye.exe

Deletes itself 1 IoCs

pid	Process
2252	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
1728	{2CBCE462-72A7-49a9-81D5-AACCCEA77DFC}.exe
2568	{891E6EED-C912-4db6-B92D-B7F4ADC86385}.exe
2800	{69C680A8-3131-4da5-AFF5-D3237496FC9A}.exe
2888	{9ED7AD81-7C81-4977-90DE-5C8C74D7078C}.exe
2720	{F29AE57D-2048-4b97-99A9-769E8F9E337A}.exe
1380	{09A000E7-6C50-418b-8BD7-8418E13429B7}.exe
1808	{AB34E1FD-C288-4eb6-BB05-648F618FFAFD}.exe
464	{58503BC6-41A6-4914-A1ED-30C5D2000A4D}.exe
1852	{09FE129F-3420-40d9-8DB9-22BA692E044A}.exe
1104	{B68B33D3-D570-43e6-8110-C6009D229DE6}.exe
2192	{0D2828E2-287D-4c91-83FD-B494F4053456}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{0D2828E2-287D-4c91-83FD-B494F4053456}.exe	{B68B33D3-D570-43e6-8110-C6009D229DE6}.exe
File created	C:\Windows\{69C680A8-3131-4da5-AFF5-D3237496FC9A}.exe	{891E6EED-C912-4db6-B92D-B7F4ADC86385}.exe
File created	C:\Windows\{9ED7AD81-7C81-4977-90DE-5C8C74D7078C}.exe	{69C680A8-3131-4da5-AFF5-D3237496FC9A}.exe
File created	C:\Windows\{09A000E7-6C50-418b-8BD7-8418E13429B7}.exe	{F29AE57D-2048-4b97-99A9-769E8F9E337A}.exe
File created	C:\Windows\{B68B33D3-D570-43e6-8110-C6009D229DE6}.exe	{09FE129F-3420-40d9-8DB9-22BA692E044A}.exe
File created	C:\Windows\{58503BC6-41A6-4914-A1ED-30C5D2000A4D}.exe	{AB34E1FD-C288-4eb6-BB05-648F618FFAFD}.exe
File created	C:\Windows\{09FE129F-3420-40d9-8DB9-22BA692E044A}.exe	{58503BC6-41A6-4914-A1ED-30C5D2000A4D}.exe
File created	C:\Windows\{2CBCE462-72A7-49a9-81D5-AACCCEA77DFC}.exe	2024-04-17_eab24f112dab06700cb4b8af986192cd_goldeneye.exe
File created	C:\Windows\{891E6EED-C912-4db6-B92D-B7F4ADC86385}.exe	{2CBCE462-72A7-49a9-81D5-AACCCEA77DFC}.exe
File created	C:\Windows\{F29AE57D-2048-4b97-99A9-769E8F9E337A}.exe	{9ED7AD81-7C81-4977-90DE-5C8C74D7078C}.exe
File created	C:\Windows\{AB34E1FD-C288-4eb6-BB05-648F618FFAFD}.exe	{09A000E7-6C50-418b-8BD7-8418E13429B7}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	340	2024-04-17_eab24f112dab06700cb4b8af986192cd_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1728	{2CBCE462-72A7-49a9-81D5-AACCCEA77DFC}.exe
Token: SeIncBasePriorityPrivilege	2568	{891E6EED-C912-4db6-B92D-B7F4ADC86385}.exe
Token: SeIncBasePriorityPrivilege	2800	{69C680A8-3131-4da5-AFF5-D3237496FC9A}.exe
Token: SeIncBasePriorityPrivilege	2888	{9ED7AD81-7C81-4977-90DE-5C8C74D7078C}.exe
Token: SeIncBasePriorityPrivilege	2720	{F29AE57D-2048-4b97-99A9-769E8F9E337A}.exe
Token: SeIncBasePriorityPrivilege	1380	{09A000E7-6C50-418b-8BD7-8418E13429B7}.exe
Token: SeIncBasePriorityPrivilege	1808	{AB34E1FD-C288-4eb6-BB05-648F618FFAFD}.exe
Token: SeIncBasePriorityPrivilege	464	{58503BC6-41A6-4914-A1ED-30C5D2000A4D}.exe
Token: SeIncBasePriorityPrivilege	1852	{09FE129F-3420-40d9-8DB9-22BA692E044A}.exe
Token: SeIncBasePriorityPrivilege	1104	{B68B33D3-D570-43e6-8110-C6009D229DE6}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 340 wrote to memory of 1728	340	2024-04-17_eab24f112dab06700cb4b8af986192cd_goldeneye.exe	28
PID 340 wrote to memory of 1728	340	2024-04-17_eab24f112dab06700cb4b8af986192cd_goldeneye.exe	28
PID 340 wrote to memory of 1728	340	2024-04-17_eab24f112dab06700cb4b8af986192cd_goldeneye.exe	28
PID 340 wrote to memory of 1728	340	2024-04-17_eab24f112dab06700cb4b8af986192cd_goldeneye.exe	28
PID 340 wrote to memory of 2252	340	2024-04-17_eab24f112dab06700cb4b8af986192cd_goldeneye.exe	29
PID 340 wrote to memory of 2252	340	2024-04-17_eab24f112dab06700cb4b8af986192cd_goldeneye.exe	29
PID 340 wrote to memory of 2252	340	2024-04-17_eab24f112dab06700cb4b8af986192cd_goldeneye.exe	29
PID 340 wrote to memory of 2252	340	2024-04-17_eab24f112dab06700cb4b8af986192cd_goldeneye.exe	29
PID 1728 wrote to memory of 2568	1728	{2CBCE462-72A7-49a9-81D5-AACCCEA77DFC}.exe	30
PID 1728 wrote to memory of 2568	1728	{2CBCE462-72A7-49a9-81D5-AACCCEA77DFC}.exe	30
PID 1728 wrote to memory of 2568	1728	{2CBCE462-72A7-49a9-81D5-AACCCEA77DFC}.exe	30
PID 1728 wrote to memory of 2568	1728	{2CBCE462-72A7-49a9-81D5-AACCCEA77DFC}.exe	30
PID 1728 wrote to memory of 2620	1728	{2CBCE462-72A7-49a9-81D5-AACCCEA77DFC}.exe	31
PID 1728 wrote to memory of 2620	1728	{2CBCE462-72A7-49a9-81D5-AACCCEA77DFC}.exe	31
PID 1728 wrote to memory of 2620	1728	{2CBCE462-72A7-49a9-81D5-AACCCEA77DFC}.exe	31
PID 1728 wrote to memory of 2620	1728	{2CBCE462-72A7-49a9-81D5-AACCCEA77DFC}.exe	31
PID 2568 wrote to memory of 2800	2568	{891E6EED-C912-4db6-B92D-B7F4ADC86385}.exe	32
PID 2568 wrote to memory of 2800	2568	{891E6EED-C912-4db6-B92D-B7F4ADC86385}.exe	32
PID 2568 wrote to memory of 2800	2568	{891E6EED-C912-4db6-B92D-B7F4ADC86385}.exe	32
PID 2568 wrote to memory of 2800	2568	{891E6EED-C912-4db6-B92D-B7F4ADC86385}.exe	32
PID 2568 wrote to memory of 2400	2568	{891E6EED-C912-4db6-B92D-B7F4ADC86385}.exe	33
PID 2568 wrote to memory of 2400	2568	{891E6EED-C912-4db6-B92D-B7F4ADC86385}.exe	33
PID 2568 wrote to memory of 2400	2568	{891E6EED-C912-4db6-B92D-B7F4ADC86385}.exe	33
PID 2568 wrote to memory of 2400	2568	{891E6EED-C912-4db6-B92D-B7F4ADC86385}.exe	33
PID 2800 wrote to memory of 2888	2800	{69C680A8-3131-4da5-AFF5-D3237496FC9A}.exe	36
PID 2800 wrote to memory of 2888	2800	{69C680A8-3131-4da5-AFF5-D3237496FC9A}.exe	36
PID 2800 wrote to memory of 2888	2800	{69C680A8-3131-4da5-AFF5-D3237496FC9A}.exe	36
PID 2800 wrote to memory of 2888	2800	{69C680A8-3131-4da5-AFF5-D3237496FC9A}.exe	36
PID 2800 wrote to memory of 1868	2800	{69C680A8-3131-4da5-AFF5-D3237496FC9A}.exe	37
PID 2800 wrote to memory of 1868	2800	{69C680A8-3131-4da5-AFF5-D3237496FC9A}.exe	37
PID 2800 wrote to memory of 1868	2800	{69C680A8-3131-4da5-AFF5-D3237496FC9A}.exe	37
PID 2800 wrote to memory of 1868	2800	{69C680A8-3131-4da5-AFF5-D3237496FC9A}.exe	37
PID 2888 wrote to memory of 2720	2888	{9ED7AD81-7C81-4977-90DE-5C8C74D7078C}.exe	38
PID 2888 wrote to memory of 2720	2888	{9ED7AD81-7C81-4977-90DE-5C8C74D7078C}.exe	38
PID 2888 wrote to memory of 2720	2888	{9ED7AD81-7C81-4977-90DE-5C8C74D7078C}.exe	38
PID 2888 wrote to memory of 2720	2888	{9ED7AD81-7C81-4977-90DE-5C8C74D7078C}.exe	38
PID 2888 wrote to memory of 2708	2888	{9ED7AD81-7C81-4977-90DE-5C8C74D7078C}.exe	39
PID 2888 wrote to memory of 2708	2888	{9ED7AD81-7C81-4977-90DE-5C8C74D7078C}.exe	39
PID 2888 wrote to memory of 2708	2888	{9ED7AD81-7C81-4977-90DE-5C8C74D7078C}.exe	39
PID 2888 wrote to memory of 2708	2888	{9ED7AD81-7C81-4977-90DE-5C8C74D7078C}.exe	39
PID 2720 wrote to memory of 1380	2720	{F29AE57D-2048-4b97-99A9-769E8F9E337A}.exe	40
PID 2720 wrote to memory of 1380	2720	{F29AE57D-2048-4b97-99A9-769E8F9E337A}.exe	40
PID 2720 wrote to memory of 1380	2720	{F29AE57D-2048-4b97-99A9-769E8F9E337A}.exe	40
PID 2720 wrote to memory of 1380	2720	{F29AE57D-2048-4b97-99A9-769E8F9E337A}.exe	40
PID 2720 wrote to memory of 1056	2720	{F29AE57D-2048-4b97-99A9-769E8F9E337A}.exe	41
PID 2720 wrote to memory of 1056	2720	{F29AE57D-2048-4b97-99A9-769E8F9E337A}.exe	41
PID 2720 wrote to memory of 1056	2720	{F29AE57D-2048-4b97-99A9-769E8F9E337A}.exe	41
PID 2720 wrote to memory of 1056	2720	{F29AE57D-2048-4b97-99A9-769E8F9E337A}.exe	41
PID 1380 wrote to memory of 1808	1380	{09A000E7-6C50-418b-8BD7-8418E13429B7}.exe	42
PID 1380 wrote to memory of 1808	1380	{09A000E7-6C50-418b-8BD7-8418E13429B7}.exe	42
PID 1380 wrote to memory of 1808	1380	{09A000E7-6C50-418b-8BD7-8418E13429B7}.exe	42
PID 1380 wrote to memory of 1808	1380	{09A000E7-6C50-418b-8BD7-8418E13429B7}.exe	42
PID 1380 wrote to memory of 2656	1380	{09A000E7-6C50-418b-8BD7-8418E13429B7}.exe	43
PID 1380 wrote to memory of 2656	1380	{09A000E7-6C50-418b-8BD7-8418E13429B7}.exe	43
PID 1380 wrote to memory of 2656	1380	{09A000E7-6C50-418b-8BD7-8418E13429B7}.exe	43
PID 1380 wrote to memory of 2656	1380	{09A000E7-6C50-418b-8BD7-8418E13429B7}.exe	43
PID 1808 wrote to memory of 464	1808	{AB34E1FD-C288-4eb6-BB05-648F618FFAFD}.exe	44
PID 1808 wrote to memory of 464	1808	{AB34E1FD-C288-4eb6-BB05-648F618FFAFD}.exe	44
PID 1808 wrote to memory of 464	1808	{AB34E1FD-C288-4eb6-BB05-648F618FFAFD}.exe	44
PID 1808 wrote to memory of 464	1808	{AB34E1FD-C288-4eb6-BB05-648F618FFAFD}.exe	44
PID 1808 wrote to memory of 1588	1808	{AB34E1FD-C288-4eb6-BB05-648F618FFAFD}.exe	45
PID 1808 wrote to memory of 1588	1808	{AB34E1FD-C288-4eb6-BB05-648F618FFAFD}.exe	45
PID 1808 wrote to memory of 1588	1808	{AB34E1FD-C288-4eb6-BB05-648F618FFAFD}.exe	45
PID 1808 wrote to memory of 1588	1808	{AB34E1FD-C288-4eb6-BB05-648F618FFAFD}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-04-17_eab24f112dab06700cb4b8af986192cd_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-17_eab24f112dab06700cb4b8af986192cd_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:340
- C:\Windows\{2CBCE462-72A7-49a9-81D5-AACCCEA77DFC}.exe
  C:\Windows\{2CBCE462-72A7-49a9-81D5-AACCCEA77DFC}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1728
- - C:\Windows\{891E6EED-C912-4db6-B92D-B7F4ADC86385}.exe
    C:\Windows\{891E6EED-C912-4db6-B92D-B7F4ADC86385}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2568
  - - C:\Windows\{69C680A8-3131-4da5-AFF5-D3237496FC9A}.exe
      C:\Windows\{69C680A8-3131-4da5-AFF5-D3237496FC9A}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2800
    - - C:\Windows\{9ED7AD81-7C81-4977-90DE-5C8C74D7078C}.exe
        
        C:\Windows\{9ED7AD81-7C81-4977-90DE-5C8C74D7078C}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2888
      - C:\Windows\{F29AE57D-2048-4b97-99A9-769E8F9E337A}.exe
        
        C:\Windows\{F29AE57D-2048-4b97-99A9-769E8F9E337A}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2720
        
        C:\Windows\{09A000E7-6C50-418b-8BD7-8418E13429B7}.exe
        
        C:\Windows\{09A000E7-6C50-418b-8BD7-8418E13429B7}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1380
        
        C:\Windows\{AB34E1FD-C288-4eb6-BB05-648F618FFAFD}.exe
        
        C:\Windows\{AB34E1FD-C288-4eb6-BB05-648F618FFAFD}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1808
        
        C:\Windows\{58503BC6-41A6-4914-A1ED-30C5D2000A4D}.exe
        
        C:\Windows\{58503BC6-41A6-4914-A1ED-30C5D2000A4D}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:464
        
        C:\Windows\{09FE129F-3420-40d9-8DB9-22BA692E044A}.exe
        
        C:\Windows\{09FE129F-3420-40d9-8DB9-22BA692E044A}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1852
        
        C:\Windows\{B68B33D3-D570-43e6-8110-C6009D229DE6}.exe
        
        C:\Windows\{B68B33D3-D570-43e6-8110-C6009D229DE6}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1104
        
        C:\Windows\{0D2828E2-287D-4c91-83FD-B494F4053456}.exe
        
        C:\Windows\{0D2828E2-287D-4c91-83FD-B494F4053456}.exe
        12⤵
        Executes dropped EXE
        
        PID:2192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B68B3~1.EXE > nul
        12⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{09FE1~1.EXE > nul
        11⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{58503~1.EXE > nul
        10⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AB34E~1.EXE > nul
        9⤵
        
        PID:1588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{09A00~1.EXE > nul
        8⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F29AE~1.EXE > nul
        7⤵
        
        PID:1056
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9ED7A~1.EXE > nul
        6⤵
        
        PID:2708
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{69C68~1.EXE > nul
        5⤵
        
        PID:1868
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{891E6~1.EXE > nul
      4⤵
      PID:2400
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{2CBCE~1.EXE > nul
    3⤵
    PID:2620
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{09A000E7-6C50-418b-8BD7-8418E13429B7}.exe

Filesize
204KB

MD5
d0bf869e1c139b727954d3b0a71c4401

SHA1
a592899d19633c0f9d00ad514bca6a6d5d444a8b

SHA256
b7b03136d76e853043d72c6dddfc619b1dd4b0283e0e7b3d7ecf9c7164c2697a

SHA512
9f0bffbd0d8c1b991ae7edbd07dd3e82521ac62a090150de1565b827e65d92e1377a9da2a2dc2d54b493a9fefbfdfb575e1a72b39f9c873ed85532107db4d450

Download Submit
C:\Windows\{09FE129F-3420-40d9-8DB9-22BA692E044A}.exe

Filesize
204KB

MD5
064279328071825f069322122d59b989

SHA1
e65ad997b961a22b89755c2f5572900c21ae993d

SHA256
d5c250459e4702cbfe6b8216151bd904e74604a26e1de51f5e0743b7d8e56b0c

SHA512
0a490523173148370c7a52ad35c3c2324a4d5295faa0154f0e1c40f49fdaa1e6e33b48417edd23245b9cca87734f4cccaadaca93e90dafdb9b0bd5ef1e4c140c

Download Submit
C:\Windows\{0D2828E2-287D-4c91-83FD-B494F4053456}.exe

Filesize
204KB

MD5
f1ba84b2307fc65e315f0690f61be160

SHA1
4ef2ca0e59ffd2047156bf815c2476132752f10a

SHA256
b8711ae4ba7ad372ac58590d439d1c17b5d5e40fc1641c06d90241a566a87d61

SHA512
f0d0873dbeac0647f20eac5b561aa1545b401c4ff839035c76a48d50f8d038fe6a0dbe5b9aa6ff22813ff2b6c5697c44736105af0f45480d3f572b6d1d5d87a8

Download Submit
C:\Windows\{2CBCE462-72A7-49a9-81D5-AACCCEA77DFC}.exe

Filesize
204KB

MD5
87b1ff0f83b0e604175c7d69f2bb0c3e

SHA1
dd38dbeeaa2bf227913b138a64571f10eb64353b

SHA256
0ae0928a6b7c69adcde605df4d5c432a18c5cc2f3252d02b3c12b3ab879e3e56

SHA512
6019bd57fc4bfa78bbd63de42045e85451869dd8c961664299180b5accf015e1d46c6a6239150e6112df693c17010e4cdedd570dc825697179d1ef7b7ccfb2eb

Download Submit
C:\Windows\{58503BC6-41A6-4914-A1ED-30C5D2000A4D}.exe

Filesize
204KB

MD5
0edd4b9974e1f81577c46f77dca49acf

SHA1
b5443595891001b409eac8aa38fdf4b4ada0c5d4

SHA256
55173838d4aba831dfcced735fe89d12948a4efda12100a60e7a62dc975a94ca

SHA512
09e7b5315f376137d682d39d765a6bccaeddb8f8841e27087cebbf1227e32ff72cd26a3dab7141dc9fdcd45b62a3f4c4c46db450c22b0e04f77d495f84b9fb72

Download Submit
C:\Windows\{69C680A8-3131-4da5-AFF5-D3237496FC9A}.exe

Filesize
204KB

MD5
d63da4f4351de5c6f2b36d0ba7b4a770

SHA1
2b9787fba3f1713614ed078b755753f31dbc3950

SHA256
fd331bea17af6ca14cd410c76bdf305e088f35bee0cd5ab34ca2c449dfe8ea45

SHA512
e4c95f3579205feecfa68dc41854879611a086b3be79234aea5df91743e087ff9592f5ef9aaf645432579139544959e457a61f64a698370ee057303cd2f449c7

Download Submit
C:\Windows\{891E6EED-C912-4db6-B92D-B7F4ADC86385}.exe

Filesize
204KB

MD5
6e0bc28240f8b89e37699360a2f9a25c

SHA1
9279bad440b6001df38d338b653806f6c261ffd1

SHA256
ab4b4f697d431db21a6a16c09e32494e8078c42df5f635bddee4e5c4098a25f4

SHA512
34087c5d7cf7e227e151103564e1e87d985fe4f6de0340be142639cdc9f1aacea2c125ec2bf33d2ef22ee9d54acbaa1c30cf6e6e305278584c0add976cec2eef

Download Submit
C:\Windows\{9ED7AD81-7C81-4977-90DE-5C8C74D7078C}.exe

Filesize
204KB

MD5
583b4962e21a118b1a3a1f4cf6527f0e

SHA1
164be792395e8281340432b947d8adac607cfc2a

SHA256
6104f3a6a288edfdca61c99611effcd7f7a5cde502de3ed64dc6292ef2d73233

SHA512
fb1c354ae777790104586eb15b0c695c2e8f58f7cb24c97cf1611ff60f0e940730a09e07c9f484fff70e1c56b56947a09e22429187cd52245c8462681eccf0f4

Download Submit
C:\Windows\{AB34E1FD-C288-4eb6-BB05-648F618FFAFD}.exe

Filesize
204KB

MD5
b365c54a6a897ff7e8013438a248c37b

SHA1
eee393eb5368ed18978364990dd7771fe31cd82c

SHA256
de28e146a291698cdda6866ebacf5204cf93e0cb53b36e71d4bde9147e690447

SHA512
bdeb981406129b01350abd28456f9e6fface82bcad6ca7c4281e6a5231b5993caa1025b7d40c52c1b85f8ba2c05d49209ad7f21fa28d58d337bcecd42b692c06

Download Submit
C:\Windows\{B68B33D3-D570-43e6-8110-C6009D229DE6}.exe

Filesize
204KB

MD5
4bd5a17c88bcd8f299abe5ddae27b728

SHA1
dddb1e1102370c0d55d7fada6fb987d733479cff

SHA256
6fe0c57e5171570ab1915658023923dd29a2ae93b7a21b0fc750a1f6b5b7acfc

SHA512
bafc062e1a0ab16f80061f8bd9e797676e9b05162f30dae756713b87650d91f1b5f297dde86f345a8c09bc5b1309d1d06c182c030f6f30dc8c7562b5eb38bf64

Download Submit
C:\Windows\{F29AE57D-2048-4b97-99A9-769E8F9E337A}.exe

Filesize
204KB

MD5
a26207ec16e8f9d681d3493bd4d9c631

SHA1
e819916dece0051cb8e97993d624e6cbfa8dfe13

SHA256
22c43b8b0b130297f04f94a34296fa9ece279cca14c3048c756d82a0402800bc

SHA512
602917f76c2f933d706376467f3dc4b085a0860d504df0d3af642e025808a5bd344fb4b415640b0ce809007a7482aba060c8a37ccdd63b8edfaccc20881faef9

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads