55cee9cbe287de4c3eeb6a924903f9bd1c95da67a8f31485978b74e986377da7

Analysis

max time kernel
144s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
18/04/2024, 05:24

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-04-18_03c0c6f19ce8fd0fa99d1ab95df33a34_goldeneye.exe
Size

344KB
MD5

03c0c6f19ce8fd0fa99d1ab95df33a34
SHA1

59039d057f290efe8556dd151034348fbff26e87
SHA256

55cee9cbe287de4c3eeb6a924903f9bd1c95da67a8f31485978b74e986377da7
SHA512

4d78a5cffdca11e9ecd33ccb2a349be576537fdf5444c0b8626dfebc9b6b210e1f2a5ba0c29064565718c179220deec19cd44880c62ffdad608f2431fe982d07
SSDEEP

3072:mEGh0ojlEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGhlqOe2MUVg3v2IneKcAEcA

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000c00000001224e-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0010000000015c3c-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f00000000f680-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d00000001224e-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001000000000f680-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0011000000015c3c-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000015c5d-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000015c7c-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a000000015c5d-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000015c87-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b000000015c5d-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CF9242ED-35E6-4440-8584-A078E9D685B2}	2024-04-18_03c0c6f19ce8fd0fa99d1ab95df33a34_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{50CDE545-F4E1-4da7-9858-9304119348CB}	{9652B2D5-9048-4e25-9042-0727086149C9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ED9AA731-DFB5-4c97-B1A7-E40F0F8520A7}\stubpath = "C:\\Windows\\{ED9AA731-DFB5-4c97-B1A7-E40F0F8520A7}.exe"	{EF57EFA4-1C3B-45d8-91C4-49EA1AF82534}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CF9242ED-35E6-4440-8584-A078E9D685B2}\stubpath = "C:\\Windows\\{CF9242ED-35E6-4440-8584-A078E9D685B2}.exe"	2024-04-18_03c0c6f19ce8fd0fa99d1ab95df33a34_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9652B2D5-9048-4e25-9042-0727086149C9}\stubpath = "C:\\Windows\\{9652B2D5-9048-4e25-9042-0727086149C9}.exe"	{C27B7026-E9F3-4a4e-9AF4-45802C7D0FE3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ED9AA731-DFB5-4c97-B1A7-E40F0F8520A7}	{EF57EFA4-1C3B-45d8-91C4-49EA1AF82534}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0AE61A91-3AFE-4a4e-BDCC-BC251043A916}\stubpath = "C:\\Windows\\{0AE61A91-3AFE-4a4e-BDCC-BC251043A916}.exe"	{ED9AA731-DFB5-4c97-B1A7-E40F0F8520A7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7EBAA54C-5332-46cb-B713-3A96F6FBF910}	{1DD0B308-86F9-499d-B6B1-E7D009EA6FB7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EAE5C651-A687-40df-8FA4-65CC53D5C37A}\stubpath = "C:\\Windows\\{EAE5C651-A687-40df-8FA4-65CC53D5C37A}.exe"	{7EBAA54C-5332-46cb-B713-3A96F6FBF910}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EF57EFA4-1C3B-45d8-91C4-49EA1AF82534}\stubpath = "C:\\Windows\\{EF57EFA4-1C3B-45d8-91C4-49EA1AF82534}.exe"	{50CDE545-F4E1-4da7-9858-9304119348CB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0AE61A91-3AFE-4a4e-BDCC-BC251043A916}	{ED9AA731-DFB5-4c97-B1A7-E40F0F8520A7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1DD0B308-86F9-499d-B6B1-E7D009EA6FB7}	{A59AFCE1-EF8F-4abe-9440-64F2B44941AD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7EBAA54C-5332-46cb-B713-3A96F6FBF910}\stubpath = "C:\\Windows\\{7EBAA54C-5332-46cb-B713-3A96F6FBF910}.exe"	{1DD0B308-86F9-499d-B6B1-E7D009EA6FB7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C27B7026-E9F3-4a4e-9AF4-45802C7D0FE3}	{CF9242ED-35E6-4440-8584-A078E9D685B2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C27B7026-E9F3-4a4e-9AF4-45802C7D0FE3}\stubpath = "C:\\Windows\\{C27B7026-E9F3-4a4e-9AF4-45802C7D0FE3}.exe"	{CF9242ED-35E6-4440-8584-A078E9D685B2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9652B2D5-9048-4e25-9042-0727086149C9}	{C27B7026-E9F3-4a4e-9AF4-45802C7D0FE3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{50CDE545-F4E1-4da7-9858-9304119348CB}\stubpath = "C:\\Windows\\{50CDE545-F4E1-4da7-9858-9304119348CB}.exe"	{9652B2D5-9048-4e25-9042-0727086149C9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EF57EFA4-1C3B-45d8-91C4-49EA1AF82534}	{50CDE545-F4E1-4da7-9858-9304119348CB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A59AFCE1-EF8F-4abe-9440-64F2B44941AD}	{0AE61A91-3AFE-4a4e-BDCC-BC251043A916}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A59AFCE1-EF8F-4abe-9440-64F2B44941AD}\stubpath = "C:\\Windows\\{A59AFCE1-EF8F-4abe-9440-64F2B44941AD}.exe"	{0AE61A91-3AFE-4a4e-BDCC-BC251043A916}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1DD0B308-86F9-499d-B6B1-E7D009EA6FB7}\stubpath = "C:\\Windows\\{1DD0B308-86F9-499d-B6B1-E7D009EA6FB7}.exe"	{A59AFCE1-EF8F-4abe-9440-64F2B44941AD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EAE5C651-A687-40df-8FA4-65CC53D5C37A}	{7EBAA54C-5332-46cb-B713-3A96F6FBF910}.exe

Deletes itself 1 IoCs

pid	Process
2104	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
1936	{CF9242ED-35E6-4440-8584-A078E9D685B2}.exe
2712	{C27B7026-E9F3-4a4e-9AF4-45802C7D0FE3}.exe
2344	{9652B2D5-9048-4e25-9042-0727086149C9}.exe
2848	{50CDE545-F4E1-4da7-9858-9304119348CB}.exe
1732	{EF57EFA4-1C3B-45d8-91C4-49EA1AF82534}.exe
2840	{ED9AA731-DFB5-4c97-B1A7-E40F0F8520A7}.exe
1888	{0AE61A91-3AFE-4a4e-BDCC-BC251043A916}.exe
2288	{A59AFCE1-EF8F-4abe-9440-64F2B44941AD}.exe
1188	{1DD0B308-86F9-499d-B6B1-E7D009EA6FB7}.exe
2244	{7EBAA54C-5332-46cb-B713-3A96F6FBF910}.exe
580	{EAE5C651-A687-40df-8FA4-65CC53D5C37A}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{CF9242ED-35E6-4440-8584-A078E9D685B2}.exe	2024-04-18_03c0c6f19ce8fd0fa99d1ab95df33a34_goldeneye.exe
File created	C:\Windows\{50CDE545-F4E1-4da7-9858-9304119348CB}.exe	{9652B2D5-9048-4e25-9042-0727086149C9}.exe
File created	C:\Windows\{EF57EFA4-1C3B-45d8-91C4-49EA1AF82534}.exe	{50CDE545-F4E1-4da7-9858-9304119348CB}.exe
File created	C:\Windows\{1DD0B308-86F9-499d-B6B1-E7D009EA6FB7}.exe	{A59AFCE1-EF8F-4abe-9440-64F2B44941AD}.exe
File created	C:\Windows\{7EBAA54C-5332-46cb-B713-3A96F6FBF910}.exe	{1DD0B308-86F9-499d-B6B1-E7D009EA6FB7}.exe
File created	C:\Windows\{EAE5C651-A687-40df-8FA4-65CC53D5C37A}.exe	{7EBAA54C-5332-46cb-B713-3A96F6FBF910}.exe
File created	C:\Windows\{C27B7026-E9F3-4a4e-9AF4-45802C7D0FE3}.exe	{CF9242ED-35E6-4440-8584-A078E9D685B2}.exe
File created	C:\Windows\{9652B2D5-9048-4e25-9042-0727086149C9}.exe	{C27B7026-E9F3-4a4e-9AF4-45802C7D0FE3}.exe
File created	C:\Windows\{ED9AA731-DFB5-4c97-B1A7-E40F0F8520A7}.exe	{EF57EFA4-1C3B-45d8-91C4-49EA1AF82534}.exe
File created	C:\Windows\{0AE61A91-3AFE-4a4e-BDCC-BC251043A916}.exe	{ED9AA731-DFB5-4c97-B1A7-E40F0F8520A7}.exe
File created	C:\Windows\{A59AFCE1-EF8F-4abe-9440-64F2B44941AD}.exe	{0AE61A91-3AFE-4a4e-BDCC-BC251043A916}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2304	2024-04-18_03c0c6f19ce8fd0fa99d1ab95df33a34_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1936	{CF9242ED-35E6-4440-8584-A078E9D685B2}.exe
Token: SeIncBasePriorityPrivilege	2712	{C27B7026-E9F3-4a4e-9AF4-45802C7D0FE3}.exe
Token: SeIncBasePriorityPrivilege	2344	{9652B2D5-9048-4e25-9042-0727086149C9}.exe
Token: SeIncBasePriorityPrivilege	2848	{50CDE545-F4E1-4da7-9858-9304119348CB}.exe
Token: SeIncBasePriorityPrivilege	1732	{EF57EFA4-1C3B-45d8-91C4-49EA1AF82534}.exe
Token: SeIncBasePriorityPrivilege	2840	{ED9AA731-DFB5-4c97-B1A7-E40F0F8520A7}.exe
Token: SeIncBasePriorityPrivilege	1888	{0AE61A91-3AFE-4a4e-BDCC-BC251043A916}.exe
Token: SeIncBasePriorityPrivilege	2288	{A59AFCE1-EF8F-4abe-9440-64F2B44941AD}.exe
Token: SeIncBasePriorityPrivilege	1188	{1DD0B308-86F9-499d-B6B1-E7D009EA6FB7}.exe
Token: SeIncBasePriorityPrivilege	2244	{7EBAA54C-5332-46cb-B713-3A96F6FBF910}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2304 wrote to memory of 1936	2304	2024-04-18_03c0c6f19ce8fd0fa99d1ab95df33a34_goldeneye.exe	28
PID 2304 wrote to memory of 1936	2304	2024-04-18_03c0c6f19ce8fd0fa99d1ab95df33a34_goldeneye.exe	28
PID 2304 wrote to memory of 1936	2304	2024-04-18_03c0c6f19ce8fd0fa99d1ab95df33a34_goldeneye.exe	28
PID 2304 wrote to memory of 1936	2304	2024-04-18_03c0c6f19ce8fd0fa99d1ab95df33a34_goldeneye.exe	28
PID 2304 wrote to memory of 2104	2304	2024-04-18_03c0c6f19ce8fd0fa99d1ab95df33a34_goldeneye.exe	29
PID 2304 wrote to memory of 2104	2304	2024-04-18_03c0c6f19ce8fd0fa99d1ab95df33a34_goldeneye.exe	29
PID 2304 wrote to memory of 2104	2304	2024-04-18_03c0c6f19ce8fd0fa99d1ab95df33a34_goldeneye.exe	29
PID 2304 wrote to memory of 2104	2304	2024-04-18_03c0c6f19ce8fd0fa99d1ab95df33a34_goldeneye.exe	29
PID 1936 wrote to memory of 2712	1936	{CF9242ED-35E6-4440-8584-A078E9D685B2}.exe	32
PID 1936 wrote to memory of 2712	1936	{CF9242ED-35E6-4440-8584-A078E9D685B2}.exe	32
PID 1936 wrote to memory of 2712	1936	{CF9242ED-35E6-4440-8584-A078E9D685B2}.exe	32
PID 1936 wrote to memory of 2712	1936	{CF9242ED-35E6-4440-8584-A078E9D685B2}.exe	32
PID 1936 wrote to memory of 2596	1936	{CF9242ED-35E6-4440-8584-A078E9D685B2}.exe	33
PID 1936 wrote to memory of 2596	1936	{CF9242ED-35E6-4440-8584-A078E9D685B2}.exe	33
PID 1936 wrote to memory of 2596	1936	{CF9242ED-35E6-4440-8584-A078E9D685B2}.exe	33
PID 1936 wrote to memory of 2596	1936	{CF9242ED-35E6-4440-8584-A078E9D685B2}.exe	33
PID 2712 wrote to memory of 2344	2712	{C27B7026-E9F3-4a4e-9AF4-45802C7D0FE3}.exe	34
PID 2712 wrote to memory of 2344	2712	{C27B7026-E9F3-4a4e-9AF4-45802C7D0FE3}.exe	34
PID 2712 wrote to memory of 2344	2712	{C27B7026-E9F3-4a4e-9AF4-45802C7D0FE3}.exe	34
PID 2712 wrote to memory of 2344	2712	{C27B7026-E9F3-4a4e-9AF4-45802C7D0FE3}.exe	34
PID 2712 wrote to memory of 2404	2712	{C27B7026-E9F3-4a4e-9AF4-45802C7D0FE3}.exe	35
PID 2712 wrote to memory of 2404	2712	{C27B7026-E9F3-4a4e-9AF4-45802C7D0FE3}.exe	35
PID 2712 wrote to memory of 2404	2712	{C27B7026-E9F3-4a4e-9AF4-45802C7D0FE3}.exe	35
PID 2712 wrote to memory of 2404	2712	{C27B7026-E9F3-4a4e-9AF4-45802C7D0FE3}.exe	35
PID 2344 wrote to memory of 2848	2344	{9652B2D5-9048-4e25-9042-0727086149C9}.exe	36
PID 2344 wrote to memory of 2848	2344	{9652B2D5-9048-4e25-9042-0727086149C9}.exe	36
PID 2344 wrote to memory of 2848	2344	{9652B2D5-9048-4e25-9042-0727086149C9}.exe	36
PID 2344 wrote to memory of 2848	2344	{9652B2D5-9048-4e25-9042-0727086149C9}.exe	36
PID 2344 wrote to memory of 1300	2344	{9652B2D5-9048-4e25-9042-0727086149C9}.exe	37
PID 2344 wrote to memory of 1300	2344	{9652B2D5-9048-4e25-9042-0727086149C9}.exe	37
PID 2344 wrote to memory of 1300	2344	{9652B2D5-9048-4e25-9042-0727086149C9}.exe	37
PID 2344 wrote to memory of 1300	2344	{9652B2D5-9048-4e25-9042-0727086149C9}.exe	37
PID 2848 wrote to memory of 1732	2848	{50CDE545-F4E1-4da7-9858-9304119348CB}.exe	38
PID 2848 wrote to memory of 1732	2848	{50CDE545-F4E1-4da7-9858-9304119348CB}.exe	38
PID 2848 wrote to memory of 1732	2848	{50CDE545-F4E1-4da7-9858-9304119348CB}.exe	38
PID 2848 wrote to memory of 1732	2848	{50CDE545-F4E1-4da7-9858-9304119348CB}.exe	38
PID 2848 wrote to memory of 1328	2848	{50CDE545-F4E1-4da7-9858-9304119348CB}.exe	39
PID 2848 wrote to memory of 1328	2848	{50CDE545-F4E1-4da7-9858-9304119348CB}.exe	39
PID 2848 wrote to memory of 1328	2848	{50CDE545-F4E1-4da7-9858-9304119348CB}.exe	39
PID 2848 wrote to memory of 1328	2848	{50CDE545-F4E1-4da7-9858-9304119348CB}.exe	39
PID 1732 wrote to memory of 2840	1732	{EF57EFA4-1C3B-45d8-91C4-49EA1AF82534}.exe	40
PID 1732 wrote to memory of 2840	1732	{EF57EFA4-1C3B-45d8-91C4-49EA1AF82534}.exe	40
PID 1732 wrote to memory of 2840	1732	{EF57EFA4-1C3B-45d8-91C4-49EA1AF82534}.exe	40
PID 1732 wrote to memory of 2840	1732	{EF57EFA4-1C3B-45d8-91C4-49EA1AF82534}.exe	40
PID 1732 wrote to memory of 2932	1732	{EF57EFA4-1C3B-45d8-91C4-49EA1AF82534}.exe	41
PID 1732 wrote to memory of 2932	1732	{EF57EFA4-1C3B-45d8-91C4-49EA1AF82534}.exe	41
PID 1732 wrote to memory of 2932	1732	{EF57EFA4-1C3B-45d8-91C4-49EA1AF82534}.exe	41
PID 1732 wrote to memory of 2932	1732	{EF57EFA4-1C3B-45d8-91C4-49EA1AF82534}.exe	41
PID 2840 wrote to memory of 1888	2840	{ED9AA731-DFB5-4c97-B1A7-E40F0F8520A7}.exe	42
PID 2840 wrote to memory of 1888	2840	{ED9AA731-DFB5-4c97-B1A7-E40F0F8520A7}.exe	42
PID 2840 wrote to memory of 1888	2840	{ED9AA731-DFB5-4c97-B1A7-E40F0F8520A7}.exe	42
PID 2840 wrote to memory of 1888	2840	{ED9AA731-DFB5-4c97-B1A7-E40F0F8520A7}.exe	42
PID 2840 wrote to memory of 1600	2840	{ED9AA731-DFB5-4c97-B1A7-E40F0F8520A7}.exe	43
PID 2840 wrote to memory of 1600	2840	{ED9AA731-DFB5-4c97-B1A7-E40F0F8520A7}.exe	43
PID 2840 wrote to memory of 1600	2840	{ED9AA731-DFB5-4c97-B1A7-E40F0F8520A7}.exe	43
PID 2840 wrote to memory of 1600	2840	{ED9AA731-DFB5-4c97-B1A7-E40F0F8520A7}.exe	43
PID 1888 wrote to memory of 2288	1888	{0AE61A91-3AFE-4a4e-BDCC-BC251043A916}.exe	44
PID 1888 wrote to memory of 2288	1888	{0AE61A91-3AFE-4a4e-BDCC-BC251043A916}.exe	44
PID 1888 wrote to memory of 2288	1888	{0AE61A91-3AFE-4a4e-BDCC-BC251043A916}.exe	44
PID 1888 wrote to memory of 2288	1888	{0AE61A91-3AFE-4a4e-BDCC-BC251043A916}.exe	44
PID 1888 wrote to memory of 2656	1888	{0AE61A91-3AFE-4a4e-BDCC-BC251043A916}.exe	45
PID 1888 wrote to memory of 2656	1888	{0AE61A91-3AFE-4a4e-BDCC-BC251043A916}.exe	45
PID 1888 wrote to memory of 2656	1888	{0AE61A91-3AFE-4a4e-BDCC-BC251043A916}.exe	45
PID 1888 wrote to memory of 2656	1888	{0AE61A91-3AFE-4a4e-BDCC-BC251043A916}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-04-18_03c0c6f19ce8fd0fa99d1ab95df33a34_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-18_03c0c6f19ce8fd0fa99d1ab95df33a34_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2304
- C:\Windows\{CF9242ED-35E6-4440-8584-A078E9D685B2}.exe
  C:\Windows\{CF9242ED-35E6-4440-8584-A078E9D685B2}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1936
- - C:\Windows\{C27B7026-E9F3-4a4e-9AF4-45802C7D0FE3}.exe
    C:\Windows\{C27B7026-E9F3-4a4e-9AF4-45802C7D0FE3}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2712
  - - C:\Windows\{9652B2D5-9048-4e25-9042-0727086149C9}.exe
      C:\Windows\{9652B2D5-9048-4e25-9042-0727086149C9}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2344
    - - C:\Windows\{50CDE545-F4E1-4da7-9858-9304119348CB}.exe
        
        C:\Windows\{50CDE545-F4E1-4da7-9858-9304119348CB}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2848
      - C:\Windows\{EF57EFA4-1C3B-45d8-91C4-49EA1AF82534}.exe
        
        C:\Windows\{EF57EFA4-1C3B-45d8-91C4-49EA1AF82534}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1732
        
        C:\Windows\{ED9AA731-DFB5-4c97-B1A7-E40F0F8520A7}.exe
        
        C:\Windows\{ED9AA731-DFB5-4c97-B1A7-E40F0F8520A7}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2840
        
        C:\Windows\{0AE61A91-3AFE-4a4e-BDCC-BC251043A916}.exe
        
        C:\Windows\{0AE61A91-3AFE-4a4e-BDCC-BC251043A916}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1888
        
        C:\Windows\{A59AFCE1-EF8F-4abe-9440-64F2B44941AD}.exe
        
        C:\Windows\{A59AFCE1-EF8F-4abe-9440-64F2B44941AD}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2288
        
        C:\Windows\{1DD0B308-86F9-499d-B6B1-E7D009EA6FB7}.exe
        
        C:\Windows\{1DD0B308-86F9-499d-B6B1-E7D009EA6FB7}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1188
        
        C:\Windows\{7EBAA54C-5332-46cb-B713-3A96F6FBF910}.exe
        
        C:\Windows\{7EBAA54C-5332-46cb-B713-3A96F6FBF910}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2244
        
        C:\Windows\{EAE5C651-A687-40df-8FA4-65CC53D5C37A}.exe
        
        C:\Windows\{EAE5C651-A687-40df-8FA4-65CC53D5C37A}.exe
        12⤵
        Executes dropped EXE
        
        PID:580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7EBAA~1.EXE > nul
        12⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1DD0B~1.EXE > nul
        11⤵
        
        PID:672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A59AF~1.EXE > nul
        10⤵
        
        PID:1104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0AE61~1.EXE > nul
        9⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{ED9AA~1.EXE > nul
        8⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EF57E~1.EXE > nul
        7⤵
        
        PID:2932
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{50CDE~1.EXE > nul
        6⤵
        
        PID:1328
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9652B~1.EXE > nul
        5⤵
        
        PID:1300
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{C27B7~1.EXE > nul
      4⤵
      PID:2404
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{CF924~1.EXE > nul
    3⤵
    PID:2596
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0AE61A91-3AFE-4a4e-BDCC-BC251043A916}.exe

Filesize
344KB

MD5
9c650bf70172bbcb733bf52e1977c945

SHA1
5c3ba4db41305050ee7d6c824fa21730b2ea44c9

SHA256
c03967bb93513543f7c6bf3ff261677cb8a465a6d06b228d121b6792b73c6506

SHA512
c85073ecc367ac4b9064a0ac616d7f77ce9cfdd01603de5e139b002264e481d3c441bb09ed6850631ef10841c33495a9f5889dc711b3ca0ab81b357e74e73c9a

Download Submit
C:\Windows\{1DD0B308-86F9-499d-B6B1-E7D009EA6FB7}.exe

Filesize
344KB

MD5
0041fea3baf8101fb17c87be21ac3d8f

SHA1
4532af000d83a51528b9e7316d918dcf7d2e37ef

SHA256
0bfdadf0b3ddabc88c274e735f5cc01c177a033d0f08a0dc2e83694017889f87

SHA512
2cda3177d9ba721d84de94beeec501a9a8a46d70a327fa255ea549e19c72b6743d025b87f0f19124754b3e900373d436292f754e7d014ea0e236f8e67ab06e32

Download Submit
C:\Windows\{50CDE545-F4E1-4da7-9858-9304119348CB}.exe

Filesize
344KB

MD5
6320cb82b129ac99c4b1ea0ef01b282f

SHA1
32623a56fb194bbf97123736bd9af32c5680872d

SHA256
b9a66964b3abd5fe659d3ae5af69005914a49bf79fd86d394808e8a2d8e442bc

SHA512
37cb988ee723f6f0a4846ae1ace765ef02ba07cd4cede3fea25f64fed67eea97cfed33ca173a2dc561a39b14aecace783d59eccb30df28e24d209d1f840f7dce

Download Submit
C:\Windows\{7EBAA54C-5332-46cb-B713-3A96F6FBF910}.exe

Filesize
344KB

MD5
9272febc2a0bea4512903d3c5e7b6efb

SHA1
0ab210320a2e95586e3e5d4d73575870176d5fbd

SHA256
d1029dd76cf30baf5a238aed8025b550c9fa5cd12ca3b585c242dbdf268d09be

SHA512
afaadec25bb171972f10998ca213d0aaea47231a674e583678f475b88e68e9eb7dea75aabc1f8196383e212bff316c24aa371fa8a80eeea1b082891612888722

Download Submit
C:\Windows\{9652B2D5-9048-4e25-9042-0727086149C9}.exe

Filesize
344KB

MD5
41cbca5d92666ec551336c9ff409cdb1

SHA1
253e532e27bc09c67b253817a785a87b3b231f1c

SHA256
106e88db68bd31e51e8ed8469a6b3bb733a747a2649ff02addad26eb71a8d20a

SHA512
048495bd795cf302414d42a44cf3fd39e8aa4ce339347a0b7ddfadd5e4491e56549e7811d087fa9d366f0f55caa2773be846d29458d5b8bb2eedda015eb08040

Download Submit
C:\Windows\{A59AFCE1-EF8F-4abe-9440-64F2B44941AD}.exe

Filesize
344KB

MD5
2e662fc70e83c7f4c5e0019d2712ef70

SHA1
7905ba8f479af298c43d75cd6b2c506b5067e6f4

SHA256
38a2125a995fed04ac2e07e61f05f502979a48b040d159c05b22c5ee502f3019

SHA512
d6441d3898dee8f0af16e489980665b003b8c2314e86845bd6ffb520f61395e4f1b8b3401a0b2c892da0761967964a1b7c4993c6db85b8905ef5d7184d1255ba

Download Submit
C:\Windows\{C27B7026-E9F3-4a4e-9AF4-45802C7D0FE3}.exe

Filesize
344KB

MD5
cfce04eba925ea1873c7605174134d19

SHA1
54f2004185ae1964c833dd94ac15d046d67b3ffe

SHA256
4141beab0c4c43d768c3a87a957e33b349f39f05cca76b47cd991067ad3b6525

SHA512
bac7a32a58c8e8ce39e2d227f502714f414d38f88968d9d6c8db80125a808f723503d3063b8566e73dd3f3422b72dde8ee85924146f50b23c81b4560d151aed8

Download Submit
C:\Windows\{CF9242ED-35E6-4440-8584-A078E9D685B2}.exe

Filesize
344KB

MD5
bec6c5bc76c32498002673d77e72440f

SHA1
572df8d6c7c9a84d4cb51b44ebdb8d224aa53eee

SHA256
d36f2f215be5ccc7bb4e98396d558ad0874a81d6086340c5119bbea6caa84fe9

SHA512
09cdb46cd3df8cadd2bae6ad7adc98321f6701354dd1d6e770488ee4e696d3e9eefb8afa06d95897230655eaf4ede99940a3162ba35dc1bce0f0fa2e8c771d90

Download Submit
C:\Windows\{EAE5C651-A687-40df-8FA4-65CC53D5C37A}.exe

Filesize
344KB

MD5
e39e81c53a0f8b3b84ce08e936fe1ed3

SHA1
edba696ead4dbceed15bde786dec48d215912367

SHA256
5489b89fd60f2d9d4249387cbe03d111924ba5e0687ed1f33000a13feb3f8c26

SHA512
76ac410eafa136450344c9f897e8855b49dbbe6d2e5ba070d142d766a89fd573a8ec46e8d9e8194bc3927663c6da90088d4865a056e92267a2db676dd6faed8e

Download Submit
C:\Windows\{ED9AA731-DFB5-4c97-B1A7-E40F0F8520A7}.exe

Filesize
344KB

MD5
f3b1d511a4330f094fefaf8b91097114

SHA1
e875094d36acc240471c2cc875cc604d358827ae

SHA256
f5137900e7f47235eecffa77a6f53b0f21936f7f1ce6ee7df245d096aa975bc3

SHA512
2ab817181288e11dd8f5937197f0ade6937c3cf8051f49d4fa537eee4fe7f1837477afe1427003ff34695525a58e16e655e232c56b6b484fe5920050584f9674

Download Submit
C:\Windows\{EF57EFA4-1C3B-45d8-91C4-49EA1AF82534}.exe

Filesize
344KB

MD5
47c5b8eaf6c7e246eb2af6f2f1987603

SHA1
6d701fbc7ff325f29d9907d558493309e74dda62

SHA256
fb8005e4a2a3ecbd72af0a9170065602f875845a5b434f766e87bac3c45006b1

SHA512
6e39d80e84bd3e10ab54d045f46084b085d45cf6cc1f1405d16c33795ed22059575658cc506305b03263cafabf29f867d9fd02701e4d48b6be6cb803226c770b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads