cbc1bcc43a8332fa6d8a275d2af7d8b36d84c5b66dbef4486150b05d57a5c793

Analysis

max time kernel
144s
max time network
129s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
18/04/2024, 20:17

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-04-18_6a298898f6e217a220b024f0ca297ae9_goldeneye.exe
Size

380KB
MD5

6a298898f6e217a220b024f0ca297ae9
SHA1

0054ae861e8d2b592eaa100a7d322223d21e23bd
SHA256

cbc1bcc43a8332fa6d8a275d2af7d8b36d84c5b66dbef4486150b05d57a5c793
SHA512

3f19aa9ff3e416b9e5db8b87b875e1eb060033a2b1b89ff39588ef4722f2c71d2dda81a388f34d76814eea8b1754c8f60b4ab99771c0af67051038cda749a4f9
SSDEEP

3072:mEGh0oLlPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGll7Oe2MUVg3v2IneKcAEcARy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000800000001227e-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001c000000015c88-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001c000000015c99-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000300000000b1f3-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000400000000b1f3-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000500000000b1f3-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000600000000b1f3-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BB0BA797-D925-42e8-B64A-D3FA9E96915B}\stubpath = "C:\\Windows\\{BB0BA797-D925-42e8-B64A-D3FA9E96915B}.exe"	{D5F6DB48-A0B5-4ea7-93AA-490D5971B368}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0676AEDF-C535-4d0f-B399-605F4EBD04DD}\stubpath = "C:\\Windows\\{0676AEDF-C535-4d0f-B399-605F4EBD04DD}.exe"	{BB0BA797-D925-42e8-B64A-D3FA9E96915B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1ED611BD-0FAA-4957-AE59-1C906AF47F5A}\stubpath = "C:\\Windows\\{1ED611BD-0FAA-4957-AE59-1C906AF47F5A}.exe"	{0676AEDF-C535-4d0f-B399-605F4EBD04DD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4BFC9A08-D259-412b-B4D7-D8E97AD0E790}	{17B25C15-B8C3-4ab1-9FDB-E7C182888C44}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4BFC9A08-D259-412b-B4D7-D8E97AD0E790}\stubpath = "C:\\Windows\\{4BFC9A08-D259-412b-B4D7-D8E97AD0E790}.exe"	{17B25C15-B8C3-4ab1-9FDB-E7C182888C44}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5E36D6B8-D174-4410-A63C-52306EA41349}\stubpath = "C:\\Windows\\{5E36D6B8-D174-4410-A63C-52306EA41349}.exe"	{1ED611BD-0FAA-4957-AE59-1C906AF47F5A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6DEA11F2-B1E0-4343-9A20-4CB6DB6ED66B}\stubpath = "C:\\Windows\\{6DEA11F2-B1E0-4343-9A20-4CB6DB6ED66B}.exe"	{483CD2CF-651A-4bea-B9EE-B06C5C63C553}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B6DDC8EE-809E-4738-86C1-C92D24945891}\stubpath = "C:\\Windows\\{B6DDC8EE-809E-4738-86C1-C92D24945891}.exe"	{6DEA11F2-B1E0-4343-9A20-4CB6DB6ED66B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{17B25C15-B8C3-4ab1-9FDB-E7C182888C44}\stubpath = "C:\\Windows\\{17B25C15-B8C3-4ab1-9FDB-E7C182888C44}.exe"	{B6DDC8EE-809E-4738-86C1-C92D24945891}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D5F6DB48-A0B5-4ea7-93AA-490D5971B368}	{C4C09372-83CE-46e6-A5AB-92B3D25A2206}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D5F6DB48-A0B5-4ea7-93AA-490D5971B368}\stubpath = "C:\\Windows\\{D5F6DB48-A0B5-4ea7-93AA-490D5971B368}.exe"	{C4C09372-83CE-46e6-A5AB-92B3D25A2206}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BB0BA797-D925-42e8-B64A-D3FA9E96915B}	{D5F6DB48-A0B5-4ea7-93AA-490D5971B368}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1ED611BD-0FAA-4957-AE59-1C906AF47F5A}	{0676AEDF-C535-4d0f-B399-605F4EBD04DD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5E36D6B8-D174-4410-A63C-52306EA41349}	{1ED611BD-0FAA-4957-AE59-1C906AF47F5A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6DEA11F2-B1E0-4343-9A20-4CB6DB6ED66B}	{483CD2CF-651A-4bea-B9EE-B06C5C63C553}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{17B25C15-B8C3-4ab1-9FDB-E7C182888C44}	{B6DDC8EE-809E-4738-86C1-C92D24945891}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C4C09372-83CE-46e6-A5AB-92B3D25A2206}\stubpath = "C:\\Windows\\{C4C09372-83CE-46e6-A5AB-92B3D25A2206}.exe"	{4BFC9A08-D259-412b-B4D7-D8E97AD0E790}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C4C09372-83CE-46e6-A5AB-92B3D25A2206}	{4BFC9A08-D259-412b-B4D7-D8E97AD0E790}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0676AEDF-C535-4d0f-B399-605F4EBD04DD}	{BB0BA797-D925-42e8-B64A-D3FA9E96915B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{483CD2CF-651A-4bea-B9EE-B06C5C63C553}	2024-04-18_6a298898f6e217a220b024f0ca297ae9_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{483CD2CF-651A-4bea-B9EE-B06C5C63C553}\stubpath = "C:\\Windows\\{483CD2CF-651A-4bea-B9EE-B06C5C63C553}.exe"	2024-04-18_6a298898f6e217a220b024f0ca297ae9_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B6DDC8EE-809E-4738-86C1-C92D24945891}	{6DEA11F2-B1E0-4343-9A20-4CB6DB6ED66B}.exe

Deletes itself 1 IoCs

pid	Process
2952	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2888	{483CD2CF-651A-4bea-B9EE-B06C5C63C553}.exe
2584	{6DEA11F2-B1E0-4343-9A20-4CB6DB6ED66B}.exe
2640	{B6DDC8EE-809E-4738-86C1-C92D24945891}.exe
2512	{17B25C15-B8C3-4ab1-9FDB-E7C182888C44}.exe
2716	{4BFC9A08-D259-412b-B4D7-D8E97AD0E790}.exe
1096	{C4C09372-83CE-46e6-A5AB-92B3D25A2206}.exe
1564	{D5F6DB48-A0B5-4ea7-93AA-490D5971B368}.exe
572	{BB0BA797-D925-42e8-B64A-D3FA9E96915B}.exe
1364	{0676AEDF-C535-4d0f-B399-605F4EBD04DD}.exe
2816	{1ED611BD-0FAA-4957-AE59-1C906AF47F5A}.exe
1184	{5E36D6B8-D174-4410-A63C-52306EA41349}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{483CD2CF-651A-4bea-B9EE-B06C5C63C553}.exe	2024-04-18_6a298898f6e217a220b024f0ca297ae9_goldeneye.exe
File created	C:\Windows\{6DEA11F2-B1E0-4343-9A20-4CB6DB6ED66B}.exe	{483CD2CF-651A-4bea-B9EE-B06C5C63C553}.exe
File created	C:\Windows\{B6DDC8EE-809E-4738-86C1-C92D24945891}.exe	{6DEA11F2-B1E0-4343-9A20-4CB6DB6ED66B}.exe
File created	C:\Windows\{17B25C15-B8C3-4ab1-9FDB-E7C182888C44}.exe	{B6DDC8EE-809E-4738-86C1-C92D24945891}.exe
File created	C:\Windows\{C4C09372-83CE-46e6-A5AB-92B3D25A2206}.exe	{4BFC9A08-D259-412b-B4D7-D8E97AD0E790}.exe
File created	C:\Windows\{5E36D6B8-D174-4410-A63C-52306EA41349}.exe	{1ED611BD-0FAA-4957-AE59-1C906AF47F5A}.exe
File created	C:\Windows\{4BFC9A08-D259-412b-B4D7-D8E97AD0E790}.exe	{17B25C15-B8C3-4ab1-9FDB-E7C182888C44}.exe
File created	C:\Windows\{D5F6DB48-A0B5-4ea7-93AA-490D5971B368}.exe	{C4C09372-83CE-46e6-A5AB-92B3D25A2206}.exe
File created	C:\Windows\{BB0BA797-D925-42e8-B64A-D3FA9E96915B}.exe	{D5F6DB48-A0B5-4ea7-93AA-490D5971B368}.exe
File created	C:\Windows\{0676AEDF-C535-4d0f-B399-605F4EBD04DD}.exe	{BB0BA797-D925-42e8-B64A-D3FA9E96915B}.exe
File created	C:\Windows\{1ED611BD-0FAA-4957-AE59-1C906AF47F5A}.exe	{0676AEDF-C535-4d0f-B399-605F4EBD04DD}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2840	2024-04-18_6a298898f6e217a220b024f0ca297ae9_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2888	{483CD2CF-651A-4bea-B9EE-B06C5C63C553}.exe
Token: SeIncBasePriorityPrivilege	2584	{6DEA11F2-B1E0-4343-9A20-4CB6DB6ED66B}.exe
Token: SeIncBasePriorityPrivilege	2640	{B6DDC8EE-809E-4738-86C1-C92D24945891}.exe
Token: SeIncBasePriorityPrivilege	2512	{17B25C15-B8C3-4ab1-9FDB-E7C182888C44}.exe
Token: SeIncBasePriorityPrivilege	2716	{4BFC9A08-D259-412b-B4D7-D8E97AD0E790}.exe
Token: SeIncBasePriorityPrivilege	1096	{C4C09372-83CE-46e6-A5AB-92B3D25A2206}.exe
Token: SeIncBasePriorityPrivilege	1564	{D5F6DB48-A0B5-4ea7-93AA-490D5971B368}.exe
Token: SeIncBasePriorityPrivilege	572	{BB0BA797-D925-42e8-B64A-D3FA9E96915B}.exe
Token: SeIncBasePriorityPrivilege	1364	{0676AEDF-C535-4d0f-B399-605F4EBD04DD}.exe
Token: SeIncBasePriorityPrivilege	2816	{1ED611BD-0FAA-4957-AE59-1C906AF47F5A}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2840 wrote to memory of 2888	2840	2024-04-18_6a298898f6e217a220b024f0ca297ae9_goldeneye.exe	28
PID 2840 wrote to memory of 2888	2840	2024-04-18_6a298898f6e217a220b024f0ca297ae9_goldeneye.exe	28
PID 2840 wrote to memory of 2888	2840	2024-04-18_6a298898f6e217a220b024f0ca297ae9_goldeneye.exe	28
PID 2840 wrote to memory of 2888	2840	2024-04-18_6a298898f6e217a220b024f0ca297ae9_goldeneye.exe	28
PID 2840 wrote to memory of 2952	2840	2024-04-18_6a298898f6e217a220b024f0ca297ae9_goldeneye.exe	29
PID 2840 wrote to memory of 2952	2840	2024-04-18_6a298898f6e217a220b024f0ca297ae9_goldeneye.exe	29
PID 2840 wrote to memory of 2952	2840	2024-04-18_6a298898f6e217a220b024f0ca297ae9_goldeneye.exe	29
PID 2840 wrote to memory of 2952	2840	2024-04-18_6a298898f6e217a220b024f0ca297ae9_goldeneye.exe	29
PID 2888 wrote to memory of 2584	2888	{483CD2CF-651A-4bea-B9EE-B06C5C63C553}.exe	30
PID 2888 wrote to memory of 2584	2888	{483CD2CF-651A-4bea-B9EE-B06C5C63C553}.exe	30
PID 2888 wrote to memory of 2584	2888	{483CD2CF-651A-4bea-B9EE-B06C5C63C553}.exe	30
PID 2888 wrote to memory of 2584	2888	{483CD2CF-651A-4bea-B9EE-B06C5C63C553}.exe	30
PID 2888 wrote to memory of 2496	2888	{483CD2CF-651A-4bea-B9EE-B06C5C63C553}.exe	31
PID 2888 wrote to memory of 2496	2888	{483CD2CF-651A-4bea-B9EE-B06C5C63C553}.exe	31
PID 2888 wrote to memory of 2496	2888	{483CD2CF-651A-4bea-B9EE-B06C5C63C553}.exe	31
PID 2888 wrote to memory of 2496	2888	{483CD2CF-651A-4bea-B9EE-B06C5C63C553}.exe	31
PID 2584 wrote to memory of 2640	2584	{6DEA11F2-B1E0-4343-9A20-4CB6DB6ED66B}.exe	34
PID 2584 wrote to memory of 2640	2584	{6DEA11F2-B1E0-4343-9A20-4CB6DB6ED66B}.exe	34
PID 2584 wrote to memory of 2640	2584	{6DEA11F2-B1E0-4343-9A20-4CB6DB6ED66B}.exe	34
PID 2584 wrote to memory of 2640	2584	{6DEA11F2-B1E0-4343-9A20-4CB6DB6ED66B}.exe	34
PID 2584 wrote to memory of 2504	2584	{6DEA11F2-B1E0-4343-9A20-4CB6DB6ED66B}.exe	35
PID 2584 wrote to memory of 2504	2584	{6DEA11F2-B1E0-4343-9A20-4CB6DB6ED66B}.exe	35
PID 2584 wrote to memory of 2504	2584	{6DEA11F2-B1E0-4343-9A20-4CB6DB6ED66B}.exe	35
PID 2584 wrote to memory of 2504	2584	{6DEA11F2-B1E0-4343-9A20-4CB6DB6ED66B}.exe	35
PID 2640 wrote to memory of 2512	2640	{B6DDC8EE-809E-4738-86C1-C92D24945891}.exe	36
PID 2640 wrote to memory of 2512	2640	{B6DDC8EE-809E-4738-86C1-C92D24945891}.exe	36
PID 2640 wrote to memory of 2512	2640	{B6DDC8EE-809E-4738-86C1-C92D24945891}.exe	36
PID 2640 wrote to memory of 2512	2640	{B6DDC8EE-809E-4738-86C1-C92D24945891}.exe	36
PID 2640 wrote to memory of 2936	2640	{B6DDC8EE-809E-4738-86C1-C92D24945891}.exe	37
PID 2640 wrote to memory of 2936	2640	{B6DDC8EE-809E-4738-86C1-C92D24945891}.exe	37
PID 2640 wrote to memory of 2936	2640	{B6DDC8EE-809E-4738-86C1-C92D24945891}.exe	37
PID 2640 wrote to memory of 2936	2640	{B6DDC8EE-809E-4738-86C1-C92D24945891}.exe	37
PID 2512 wrote to memory of 2716	2512	{17B25C15-B8C3-4ab1-9FDB-E7C182888C44}.exe	38
PID 2512 wrote to memory of 2716	2512	{17B25C15-B8C3-4ab1-9FDB-E7C182888C44}.exe	38
PID 2512 wrote to memory of 2716	2512	{17B25C15-B8C3-4ab1-9FDB-E7C182888C44}.exe	38
PID 2512 wrote to memory of 2716	2512	{17B25C15-B8C3-4ab1-9FDB-E7C182888C44}.exe	38
PID 2512 wrote to memory of 2740	2512	{17B25C15-B8C3-4ab1-9FDB-E7C182888C44}.exe	39
PID 2512 wrote to memory of 2740	2512	{17B25C15-B8C3-4ab1-9FDB-E7C182888C44}.exe	39
PID 2512 wrote to memory of 2740	2512	{17B25C15-B8C3-4ab1-9FDB-E7C182888C44}.exe	39
PID 2512 wrote to memory of 2740	2512	{17B25C15-B8C3-4ab1-9FDB-E7C182888C44}.exe	39
PID 2716 wrote to memory of 1096	2716	{4BFC9A08-D259-412b-B4D7-D8E97AD0E790}.exe	40
PID 2716 wrote to memory of 1096	2716	{4BFC9A08-D259-412b-B4D7-D8E97AD0E790}.exe	40
PID 2716 wrote to memory of 1096	2716	{4BFC9A08-D259-412b-B4D7-D8E97AD0E790}.exe	40
PID 2716 wrote to memory of 1096	2716	{4BFC9A08-D259-412b-B4D7-D8E97AD0E790}.exe	40
PID 2716 wrote to memory of 1592	2716	{4BFC9A08-D259-412b-B4D7-D8E97AD0E790}.exe	41
PID 2716 wrote to memory of 1592	2716	{4BFC9A08-D259-412b-B4D7-D8E97AD0E790}.exe	41
PID 2716 wrote to memory of 1592	2716	{4BFC9A08-D259-412b-B4D7-D8E97AD0E790}.exe	41
PID 2716 wrote to memory of 1592	2716	{4BFC9A08-D259-412b-B4D7-D8E97AD0E790}.exe	41
PID 1096 wrote to memory of 1564	1096	{C4C09372-83CE-46e6-A5AB-92B3D25A2206}.exe	42
PID 1096 wrote to memory of 1564	1096	{C4C09372-83CE-46e6-A5AB-92B3D25A2206}.exe	42
PID 1096 wrote to memory of 1564	1096	{C4C09372-83CE-46e6-A5AB-92B3D25A2206}.exe	42
PID 1096 wrote to memory of 1564	1096	{C4C09372-83CE-46e6-A5AB-92B3D25A2206}.exe	42
PID 1096 wrote to memory of 2492	1096	{C4C09372-83CE-46e6-A5AB-92B3D25A2206}.exe	43
PID 1096 wrote to memory of 2492	1096	{C4C09372-83CE-46e6-A5AB-92B3D25A2206}.exe	43
PID 1096 wrote to memory of 2492	1096	{C4C09372-83CE-46e6-A5AB-92B3D25A2206}.exe	43
PID 1096 wrote to memory of 2492	1096	{C4C09372-83CE-46e6-A5AB-92B3D25A2206}.exe	43
PID 1564 wrote to memory of 572	1564	{D5F6DB48-A0B5-4ea7-93AA-490D5971B368}.exe	44
PID 1564 wrote to memory of 572	1564	{D5F6DB48-A0B5-4ea7-93AA-490D5971B368}.exe	44
PID 1564 wrote to memory of 572	1564	{D5F6DB48-A0B5-4ea7-93AA-490D5971B368}.exe	44
PID 1564 wrote to memory of 572	1564	{D5F6DB48-A0B5-4ea7-93AA-490D5971B368}.exe	44
PID 1564 wrote to memory of 1640	1564	{D5F6DB48-A0B5-4ea7-93AA-490D5971B368}.exe	45
PID 1564 wrote to memory of 1640	1564	{D5F6DB48-A0B5-4ea7-93AA-490D5971B368}.exe	45
PID 1564 wrote to memory of 1640	1564	{D5F6DB48-A0B5-4ea7-93AA-490D5971B368}.exe	45
PID 1564 wrote to memory of 1640	1564	{D5F6DB48-A0B5-4ea7-93AA-490D5971B368}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-04-18_6a298898f6e217a220b024f0ca297ae9_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-18_6a298898f6e217a220b024f0ca297ae9_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2840
- C:\Windows\{483CD2CF-651A-4bea-B9EE-B06C5C63C553}.exe
  C:\Windows\{483CD2CF-651A-4bea-B9EE-B06C5C63C553}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2888
- - C:\Windows\{6DEA11F2-B1E0-4343-9A20-4CB6DB6ED66B}.exe
    C:\Windows\{6DEA11F2-B1E0-4343-9A20-4CB6DB6ED66B}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2584
  - - C:\Windows\{B6DDC8EE-809E-4738-86C1-C92D24945891}.exe
      C:\Windows\{B6DDC8EE-809E-4738-86C1-C92D24945891}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2640
    - - C:\Windows\{17B25C15-B8C3-4ab1-9FDB-E7C182888C44}.exe
        
        C:\Windows\{17B25C15-B8C3-4ab1-9FDB-E7C182888C44}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2512
      - C:\Windows\{4BFC9A08-D259-412b-B4D7-D8E97AD0E790}.exe
        
        C:\Windows\{4BFC9A08-D259-412b-B4D7-D8E97AD0E790}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2716
        
        C:\Windows\{C4C09372-83CE-46e6-A5AB-92B3D25A2206}.exe
        
        C:\Windows\{C4C09372-83CE-46e6-A5AB-92B3D25A2206}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1096
        
        C:\Windows\{D5F6DB48-A0B5-4ea7-93AA-490D5971B368}.exe
        
        C:\Windows\{D5F6DB48-A0B5-4ea7-93AA-490D5971B368}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1564
        
        C:\Windows\{BB0BA797-D925-42e8-B64A-D3FA9E96915B}.exe
        
        C:\Windows\{BB0BA797-D925-42e8-B64A-D3FA9E96915B}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:572
        
        C:\Windows\{0676AEDF-C535-4d0f-B399-605F4EBD04DD}.exe
        
        C:\Windows\{0676AEDF-C535-4d0f-B399-605F4EBD04DD}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1364
        
        C:\Windows\{1ED611BD-0FAA-4957-AE59-1C906AF47F5A}.exe
        
        C:\Windows\{1ED611BD-0FAA-4957-AE59-1C906AF47F5A}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2816
        
        C:\Windows\{5E36D6B8-D174-4410-A63C-52306EA41349}.exe
        
        C:\Windows\{5E36D6B8-D174-4410-A63C-52306EA41349}.exe
        12⤵
        Executes dropped EXE
        
        PID:1184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1ED61~1.EXE > nul
        12⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0676A~1.EXE > nul
        11⤵
        
        PID:1468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BB0BA~1.EXE > nul
        10⤵
        
        PID:1188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D5F6D~1.EXE > nul
        9⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C4C09~1.EXE > nul
        8⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4BFC9~1.EXE > nul
        7⤵
        
        PID:1592
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{17B25~1.EXE > nul
        6⤵
        
        PID:2740
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B6DDC~1.EXE > nul
        5⤵
        
        PID:2936
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{6DEA1~1.EXE > nul
      4⤵
      PID:2504
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{483CD~1.EXE > nul
    3⤵
    PID:2496
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0676AEDF-C535-4d0f-B399-605F4EBD04DD}.exe

Filesize
380KB

MD5
98475c80ce25baf9b9a355dce832129e

SHA1
c5ea5d3d5c2a481da27675b88be08ce5d611b327

SHA256
8d80c7b78cacf15791d4968b6f0751a602ed3a33582feb8b84a5ba1cadb99b9f

SHA512
c38426ac095803d078499232454ab65413c16d2dcfc0ac9b6adc04355255d46c7b36b8f8952b129262e7e84425edac4adbbecc234e4ca1cf0d81cbd5eaa10f58

Download Submit
C:\Windows\{17B25C15-B8C3-4ab1-9FDB-E7C182888C44}.exe

Filesize
380KB

MD5
6be92e6edd638e8d996e3647e6831547

SHA1
483dc2328b65cbb35b6a440762ebf9d6ee701026

SHA256
a9d613ae92544dde1497434f02ba227e7052cd0226874da6f6ec86a6fc27e77f

SHA512
fc903d7fa680140d1a980b90cc08f23042d0e55313e63ba50dea8fa375e60885a9aa7e591f345b40470268801ca2b73029ed498c17f2502dfaa448a669ba6be6

Download Submit
C:\Windows\{1ED611BD-0FAA-4957-AE59-1C906AF47F5A}.exe

Filesize
380KB

MD5
52f117285f9c4fb4e51e39c83ad77051

SHA1
8ac406e371bb0ca32c167584a9e5ac96a4b25e5e

SHA256
11817c93f7df7d21a160356dc95dad1be2ee186072bc335f0346ee9ac0e57db1

SHA512
a23491ca8076d9941c2ca7ab6a573626bb217d612727c999488d1701bbe1ffecf1dca61076479a76bafc5020c9f2b8310f81db59b8677bcd39ff963a8e37da94

Download Submit
C:\Windows\{483CD2CF-651A-4bea-B9EE-B06C5C63C553}.exe

Filesize
380KB

MD5
21be258848d89f00b6ae172588b330fb

SHA1
537cf5eb008fadc530a3c69f3a41ccaa15a52b2b

SHA256
0ae61c414901db78cb7a15f42805aa93af3670de2c87d8742185701ea243ec45

SHA512
a45d426b37bebc7795e5b3fb2d09f989bceb2b0ae090608678cf4d3b32e687f5fb03a40a7f6435b98fea8081a35c0b87b69704f1e78ca44d3e278d4954a77f3a

Download Submit
C:\Windows\{4BFC9A08-D259-412b-B4D7-D8E97AD0E790}.exe

Filesize
380KB

MD5
03a86e5be7b6de416c3f0496becb92b2

SHA1
9f0a5ec3357a0f819ef8d4447a08ccb5503d60dc

SHA256
0f240cd3dd8255345f4049116254200e3c6c86b720da569aa9c01f53d56ee096

SHA512
3d74d408c88931e107234e69fcae9dd6cd7cc7b68516823c6b1cec2d1eeb05a7c82e4cdc4867b0eeea89438ed41a29b6373a16e26230db488007c4659bb8499f

Download Submit
C:\Windows\{5E36D6B8-D174-4410-A63C-52306EA41349}.exe

Filesize
380KB

MD5
b5dc32c5846bb5149dda81cb92941b58

SHA1
9faca1bf116cbedd023adfc14a30c415a659ba32

SHA256
769de6b0f0110e97927f545680450dbb60559ed3e0cf3dd7cf32cd8148c57a62

SHA512
fcec83f1df04794ec524c44df7770fc4748d86c75082bccbf907a101b432c5caaa92407a95007d33bda88ac0bd115a2e8eef791a4aee1c68c227c64e7115bc47

Download Submit
C:\Windows\{6DEA11F2-B1E0-4343-9A20-4CB6DB6ED66B}.exe

Filesize
380KB

MD5
8e689465d74667a742bd916a89a140cc

SHA1
e8f65a23c5d34d121938b5f42488bfc237182732

SHA256
70532d423930ab3e798cea6daecad8ea5e9eb6b8f6930353272ee950f8314d9c

SHA512
955ef4098190f634bb66d9a226e5b142c6df13f7a64255db18faacb41678c82d4418fd0743aa462c3ed9817f72099275e5f1797ac7ba264be8c4d877238f82d1

Download Submit
C:\Windows\{B6DDC8EE-809E-4738-86C1-C92D24945891}.exe

Filesize
380KB

MD5
82a85c1c29c65e2fa1670f1afa06f855

SHA1
5a96abf96ad83dbdd95cd2da477b6d72c1d0aceb

SHA256
eabbfa015f1c7edd046a451a60158765e4a05917662dfff1d653a5bc952a3ed3

SHA512
9292711315c813d29d97bb5dbd82735ffd19ab39124f092bc0abce25cae1f09f4a2745e189dfb230e766951f30c763dd535029c9181c9240475034884f3d1b27

Download Submit
C:\Windows\{BB0BA797-D925-42e8-B64A-D3FA9E96915B}.exe

Filesize
380KB

MD5
484a39f725d48aa6fe8ef7f5ab28a55c

SHA1
dcef45c21af72f9050294c1079c05bbf67c82682

SHA256
65d9c076a5750b16487615ff0dfa13a6bb0e184d82b08ace3fc267797b52de2a

SHA512
34e7a94b178364a11a3d4d0092c0552373a8bb9c010cb53df57ed6ea3ce96cbe2c03f056d3151470a30ab94de2a53256a7a1e38803201feed600aa12019db7b9

Download Submit
C:\Windows\{C4C09372-83CE-46e6-A5AB-92B3D25A2206}.exe

Filesize
380KB

MD5
b3552cb3a913323edb217b605c54213f

SHA1
14d81ad3801a0088d8f166dc47de9c7a5af36bc1

SHA256
0ab51308721b3da7da89513ecf3f65e654cd7225a3942b8380e1a57d7090dc71

SHA512
88874797cbd9e01ac363354fbb54114bb52b0f33ec0caadcc0254991fcd44863b869eca621ee70f400e15a0b42b9ef94bff0eb39952ef59b1c6c6f4a8643d285

Download Submit
C:\Windows\{D5F6DB48-A0B5-4ea7-93AA-490D5971B368}.exe

Filesize
380KB

MD5
356d98999c95c475fc77d7cb273d6e37

SHA1
497ed57eeb8c8a8579af46a5162c536c59282fe0

SHA256
bc3b893e2708d387a0c98c2f9cee43157279b596bca067fc1db47921c5ed1e92

SHA512
7d10bf792bfc2c01da59c437f89bd69592f0f2aed859e45064dfbdfabf2abbbf7e7eb2a7c559f8def8c0cf6e5e402cf23e3c9a06736257dd5b5d3320b2311c99

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads