83640df13d8cb3ee6c3a5dd90d34cf52389cec864f2c2cbdd9f89fdf53d86943

Analysis

max time kernel
144s
max time network
119s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
19/04/2024, 16:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-19_30331ec0198981951c8f05e72bc8e6a4_goldeneye.exe
Size

204KB
MD5

30331ec0198981951c8f05e72bc8e6a4
SHA1

636daa1fdbe256361de990b2a8af98dc4aed7624
SHA256

83640df13d8cb3ee6c3a5dd90d34cf52389cec864f2c2cbdd9f89fdf53d86943
SHA512

8742ce2b3bebcd5be1e3a2399be52f6fc95889fc60426adafeecb5ac9822015458e0652a5189f4c587a9c324e04db5c549357317aba809a3c42e10a88a0400fb
SSDEEP

1536:1EGh0oAl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oAl1OPOe2MUVg3Ve+rXfMUy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000c00000001224c-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000012324-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d00000001224c-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x003100000001341c-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e00000001224c-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f00000001224c-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001000000001224c-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{06C5F02A-0B8E-4b69-B11C-2C4E4A5C537B}	{9F3882A3-8C67-4ab8-BA06-57897889BF39}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D0D88E50-1BC4-4e97-B3E0-4FDC34D8530C}\stubpath = "C:\\Windows\\{D0D88E50-1BC4-4e97-B3E0-4FDC34D8530C}.exe"	{43A9D2DE-6BF4-408f-81C8-8040C0231B15}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AADE5C6E-A592-4e93-8941-FA262D9A6BC6}	{722EBDE2-F5F0-4802-AF94-C92E67698B46}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3205E0DE-D7C7-4816-9066-3FDF4A14A848}\stubpath = "C:\\Windows\\{3205E0DE-D7C7-4816-9066-3FDF4A14A848}.exe"	{AADE5C6E-A592-4e93-8941-FA262D9A6BC6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9E65717B-4B94-4411-AD7C-3503CDACFC1C}\stubpath = "C:\\Windows\\{9E65717B-4B94-4411-AD7C-3503CDACFC1C}.exe"	{240ED265-1615-4096-B824-D06D566A59D9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FBE89F96-C4AA-480c-9CFA-15A1AF56B117}\stubpath = "C:\\Windows\\{FBE89F96-C4AA-480c-9CFA-15A1AF56B117}.exe"	{9E65717B-4B94-4411-AD7C-3503CDACFC1C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{240ED265-1615-4096-B824-D06D566A59D9}\stubpath = "C:\\Windows\\{240ED265-1615-4096-B824-D06D566A59D9}.exe"	{741AFF30-1F0D-462b-B534-C026F20A97D5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FBE89F96-C4AA-480c-9CFA-15A1AF56B117}	{9E65717B-4B94-4411-AD7C-3503CDACFC1C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9F3882A3-8C67-4ab8-BA06-57897889BF39}\stubpath = "C:\\Windows\\{9F3882A3-8C67-4ab8-BA06-57897889BF39}.exe"	{FBE89F96-C4AA-480c-9CFA-15A1AF56B117}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{43A9D2DE-6BF4-408f-81C8-8040C0231B15}\stubpath = "C:\\Windows\\{43A9D2DE-6BF4-408f-81C8-8040C0231B15}.exe"	{06C5F02A-0B8E-4b69-B11C-2C4E4A5C537B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{722EBDE2-F5F0-4802-AF94-C92E67698B46}\stubpath = "C:\\Windows\\{722EBDE2-F5F0-4802-AF94-C92E67698B46}.exe"	{D0D88E50-1BC4-4e97-B3E0-4FDC34D8530C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{741AFF30-1F0D-462b-B534-C026F20A97D5}\stubpath = "C:\\Windows\\{741AFF30-1F0D-462b-B534-C026F20A97D5}.exe"	2024-04-19_30331ec0198981951c8f05e72bc8e6a4_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{240ED265-1615-4096-B824-D06D566A59D9}	{741AFF30-1F0D-462b-B534-C026F20A97D5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D0D88E50-1BC4-4e97-B3E0-4FDC34D8530C}	{43A9D2DE-6BF4-408f-81C8-8040C0231B15}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3205E0DE-D7C7-4816-9066-3FDF4A14A848}	{AADE5C6E-A592-4e93-8941-FA262D9A6BC6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9F3882A3-8C67-4ab8-BA06-57897889BF39}	{FBE89F96-C4AA-480c-9CFA-15A1AF56B117}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{06C5F02A-0B8E-4b69-B11C-2C4E4A5C537B}\stubpath = "C:\\Windows\\{06C5F02A-0B8E-4b69-B11C-2C4E4A5C537B}.exe"	{9F3882A3-8C67-4ab8-BA06-57897889BF39}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{43A9D2DE-6BF4-408f-81C8-8040C0231B15}	{06C5F02A-0B8E-4b69-B11C-2C4E4A5C537B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{722EBDE2-F5F0-4802-AF94-C92E67698B46}	{D0D88E50-1BC4-4e97-B3E0-4FDC34D8530C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AADE5C6E-A592-4e93-8941-FA262D9A6BC6}\stubpath = "C:\\Windows\\{AADE5C6E-A592-4e93-8941-FA262D9A6BC6}.exe"	{722EBDE2-F5F0-4802-AF94-C92E67698B46}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{741AFF30-1F0D-462b-B534-C026F20A97D5}	2024-04-19_30331ec0198981951c8f05e72bc8e6a4_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9E65717B-4B94-4411-AD7C-3503CDACFC1C}	{240ED265-1615-4096-B824-D06D566A59D9}.exe

Deletes itself 1 IoCs

pid	Process
2928	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2748	{741AFF30-1F0D-462b-B534-C026F20A97D5}.exe
2616	{240ED265-1615-4096-B824-D06D566A59D9}.exe
2644	{9E65717B-4B94-4411-AD7C-3503CDACFC1C}.exe
1672	{FBE89F96-C4AA-480c-9CFA-15A1AF56B117}.exe
1468	{9F3882A3-8C67-4ab8-BA06-57897889BF39}.exe
1852	{06C5F02A-0B8E-4b69-B11C-2C4E4A5C537B}.exe
924	{43A9D2DE-6BF4-408f-81C8-8040C0231B15}.exe
2372	{D0D88E50-1BC4-4e97-B3E0-4FDC34D8530C}.exe
2300	{722EBDE2-F5F0-4802-AF94-C92E67698B46}.exe
2808	{AADE5C6E-A592-4e93-8941-FA262D9A6BC6}.exe
1512	{3205E0DE-D7C7-4816-9066-3FDF4A14A848}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{3205E0DE-D7C7-4816-9066-3FDF4A14A848}.exe	{AADE5C6E-A592-4e93-8941-FA262D9A6BC6}.exe
File created	C:\Windows\{741AFF30-1F0D-462b-B534-C026F20A97D5}.exe	2024-04-19_30331ec0198981951c8f05e72bc8e6a4_goldeneye.exe
File created	C:\Windows\{240ED265-1615-4096-B824-D06D566A59D9}.exe	{741AFF30-1F0D-462b-B534-C026F20A97D5}.exe
File created	C:\Windows\{9F3882A3-8C67-4ab8-BA06-57897889BF39}.exe	{FBE89F96-C4AA-480c-9CFA-15A1AF56B117}.exe
File created	C:\Windows\{D0D88E50-1BC4-4e97-B3E0-4FDC34D8530C}.exe	{43A9D2DE-6BF4-408f-81C8-8040C0231B15}.exe
File created	C:\Windows\{AADE5C6E-A592-4e93-8941-FA262D9A6BC6}.exe	{722EBDE2-F5F0-4802-AF94-C92E67698B46}.exe
File created	C:\Windows\{9E65717B-4B94-4411-AD7C-3503CDACFC1C}.exe	{240ED265-1615-4096-B824-D06D566A59D9}.exe
File created	C:\Windows\{FBE89F96-C4AA-480c-9CFA-15A1AF56B117}.exe	{9E65717B-4B94-4411-AD7C-3503CDACFC1C}.exe
File created	C:\Windows\{06C5F02A-0B8E-4b69-B11C-2C4E4A5C537B}.exe	{9F3882A3-8C67-4ab8-BA06-57897889BF39}.exe
File created	C:\Windows\{43A9D2DE-6BF4-408f-81C8-8040C0231B15}.exe	{06C5F02A-0B8E-4b69-B11C-2C4E4A5C537B}.exe
File created	C:\Windows\{722EBDE2-F5F0-4802-AF94-C92E67698B46}.exe	{D0D88E50-1BC4-4e97-B3E0-4FDC34D8530C}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2964	2024-04-19_30331ec0198981951c8f05e72bc8e6a4_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2748	{741AFF30-1F0D-462b-B534-C026F20A97D5}.exe
Token: SeIncBasePriorityPrivilege	2616	{240ED265-1615-4096-B824-D06D566A59D9}.exe
Token: SeIncBasePriorityPrivilege	2644	{9E65717B-4B94-4411-AD7C-3503CDACFC1C}.exe
Token: SeIncBasePriorityPrivilege	1672	{FBE89F96-C4AA-480c-9CFA-15A1AF56B117}.exe
Token: SeIncBasePriorityPrivilege	1468	{9F3882A3-8C67-4ab8-BA06-57897889BF39}.exe
Token: SeIncBasePriorityPrivilege	1852	{06C5F02A-0B8E-4b69-B11C-2C4E4A5C537B}.exe
Token: SeIncBasePriorityPrivilege	924	{43A9D2DE-6BF4-408f-81C8-8040C0231B15}.exe
Token: SeIncBasePriorityPrivilege	2372	{D0D88E50-1BC4-4e97-B3E0-4FDC34D8530C}.exe
Token: SeIncBasePriorityPrivilege	2300	{722EBDE2-F5F0-4802-AF94-C92E67698B46}.exe
Token: SeIncBasePriorityPrivilege	2808	{AADE5C6E-A592-4e93-8941-FA262D9A6BC6}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2964 wrote to memory of 2748	2964	2024-04-19_30331ec0198981951c8f05e72bc8e6a4_goldeneye.exe	28
PID 2964 wrote to memory of 2748	2964	2024-04-19_30331ec0198981951c8f05e72bc8e6a4_goldeneye.exe	28
PID 2964 wrote to memory of 2748	2964	2024-04-19_30331ec0198981951c8f05e72bc8e6a4_goldeneye.exe	28
PID 2964 wrote to memory of 2748	2964	2024-04-19_30331ec0198981951c8f05e72bc8e6a4_goldeneye.exe	28
PID 2964 wrote to memory of 2928	2964	2024-04-19_30331ec0198981951c8f05e72bc8e6a4_goldeneye.exe	29
PID 2964 wrote to memory of 2928	2964	2024-04-19_30331ec0198981951c8f05e72bc8e6a4_goldeneye.exe	29
PID 2964 wrote to memory of 2928	2964	2024-04-19_30331ec0198981951c8f05e72bc8e6a4_goldeneye.exe	29
PID 2964 wrote to memory of 2928	2964	2024-04-19_30331ec0198981951c8f05e72bc8e6a4_goldeneye.exe	29
PID 2748 wrote to memory of 2616	2748	{741AFF30-1F0D-462b-B534-C026F20A97D5}.exe	30
PID 2748 wrote to memory of 2616	2748	{741AFF30-1F0D-462b-B534-C026F20A97D5}.exe	30
PID 2748 wrote to memory of 2616	2748	{741AFF30-1F0D-462b-B534-C026F20A97D5}.exe	30
PID 2748 wrote to memory of 2616	2748	{741AFF30-1F0D-462b-B534-C026F20A97D5}.exe	30
PID 2748 wrote to memory of 1352	2748	{741AFF30-1F0D-462b-B534-C026F20A97D5}.exe	31
PID 2748 wrote to memory of 1352	2748	{741AFF30-1F0D-462b-B534-C026F20A97D5}.exe	31
PID 2748 wrote to memory of 1352	2748	{741AFF30-1F0D-462b-B534-C026F20A97D5}.exe	31
PID 2748 wrote to memory of 1352	2748	{741AFF30-1F0D-462b-B534-C026F20A97D5}.exe	31
PID 2616 wrote to memory of 2644	2616	{240ED265-1615-4096-B824-D06D566A59D9}.exe	32
PID 2616 wrote to memory of 2644	2616	{240ED265-1615-4096-B824-D06D566A59D9}.exe	32
PID 2616 wrote to memory of 2644	2616	{240ED265-1615-4096-B824-D06D566A59D9}.exe	32
PID 2616 wrote to memory of 2644	2616	{240ED265-1615-4096-B824-D06D566A59D9}.exe	32
PID 2616 wrote to memory of 2600	2616	{240ED265-1615-4096-B824-D06D566A59D9}.exe	33
PID 2616 wrote to memory of 2600	2616	{240ED265-1615-4096-B824-D06D566A59D9}.exe	33
PID 2616 wrote to memory of 2600	2616	{240ED265-1615-4096-B824-D06D566A59D9}.exe	33
PID 2616 wrote to memory of 2600	2616	{240ED265-1615-4096-B824-D06D566A59D9}.exe	33
PID 2644 wrote to memory of 1672	2644	{9E65717B-4B94-4411-AD7C-3503CDACFC1C}.exe	36
PID 2644 wrote to memory of 1672	2644	{9E65717B-4B94-4411-AD7C-3503CDACFC1C}.exe	36
PID 2644 wrote to memory of 1672	2644	{9E65717B-4B94-4411-AD7C-3503CDACFC1C}.exe	36
PID 2644 wrote to memory of 1672	2644	{9E65717B-4B94-4411-AD7C-3503CDACFC1C}.exe	36
PID 2644 wrote to memory of 1756	2644	{9E65717B-4B94-4411-AD7C-3503CDACFC1C}.exe	37
PID 2644 wrote to memory of 1756	2644	{9E65717B-4B94-4411-AD7C-3503CDACFC1C}.exe	37
PID 2644 wrote to memory of 1756	2644	{9E65717B-4B94-4411-AD7C-3503CDACFC1C}.exe	37
PID 2644 wrote to memory of 1756	2644	{9E65717B-4B94-4411-AD7C-3503CDACFC1C}.exe	37
PID 1672 wrote to memory of 1468	1672	{FBE89F96-C4AA-480c-9CFA-15A1AF56B117}.exe	38
PID 1672 wrote to memory of 1468	1672	{FBE89F96-C4AA-480c-9CFA-15A1AF56B117}.exe	38
PID 1672 wrote to memory of 1468	1672	{FBE89F96-C4AA-480c-9CFA-15A1AF56B117}.exe	38
PID 1672 wrote to memory of 1468	1672	{FBE89F96-C4AA-480c-9CFA-15A1AF56B117}.exe	38
PID 1672 wrote to memory of 2532	1672	{FBE89F96-C4AA-480c-9CFA-15A1AF56B117}.exe	39
PID 1672 wrote to memory of 2532	1672	{FBE89F96-C4AA-480c-9CFA-15A1AF56B117}.exe	39
PID 1672 wrote to memory of 2532	1672	{FBE89F96-C4AA-480c-9CFA-15A1AF56B117}.exe	39
PID 1672 wrote to memory of 2532	1672	{FBE89F96-C4AA-480c-9CFA-15A1AF56B117}.exe	39
PID 1468 wrote to memory of 1852	1468	{9F3882A3-8C67-4ab8-BA06-57897889BF39}.exe	40
PID 1468 wrote to memory of 1852	1468	{9F3882A3-8C67-4ab8-BA06-57897889BF39}.exe	40
PID 1468 wrote to memory of 1852	1468	{9F3882A3-8C67-4ab8-BA06-57897889BF39}.exe	40
PID 1468 wrote to memory of 1852	1468	{9F3882A3-8C67-4ab8-BA06-57897889BF39}.exe	40
PID 1468 wrote to memory of 1988	1468	{9F3882A3-8C67-4ab8-BA06-57897889BF39}.exe	41
PID 1468 wrote to memory of 1988	1468	{9F3882A3-8C67-4ab8-BA06-57897889BF39}.exe	41
PID 1468 wrote to memory of 1988	1468	{9F3882A3-8C67-4ab8-BA06-57897889BF39}.exe	41
PID 1468 wrote to memory of 1988	1468	{9F3882A3-8C67-4ab8-BA06-57897889BF39}.exe	41
PID 1852 wrote to memory of 924	1852	{06C5F02A-0B8E-4b69-B11C-2C4E4A5C537B}.exe	42
PID 1852 wrote to memory of 924	1852	{06C5F02A-0B8E-4b69-B11C-2C4E4A5C537B}.exe	42
PID 1852 wrote to memory of 924	1852	{06C5F02A-0B8E-4b69-B11C-2C4E4A5C537B}.exe	42
PID 1852 wrote to memory of 924	1852	{06C5F02A-0B8E-4b69-B11C-2C4E4A5C537B}.exe	42
PID 1852 wrote to memory of 1820	1852	{06C5F02A-0B8E-4b69-B11C-2C4E4A5C537B}.exe	43
PID 1852 wrote to memory of 1820	1852	{06C5F02A-0B8E-4b69-B11C-2C4E4A5C537B}.exe	43
PID 1852 wrote to memory of 1820	1852	{06C5F02A-0B8E-4b69-B11C-2C4E4A5C537B}.exe	43
PID 1852 wrote to memory of 1820	1852	{06C5F02A-0B8E-4b69-B11C-2C4E4A5C537B}.exe	43
PID 924 wrote to memory of 2372	924	{43A9D2DE-6BF4-408f-81C8-8040C0231B15}.exe	44
PID 924 wrote to memory of 2372	924	{43A9D2DE-6BF4-408f-81C8-8040C0231B15}.exe	44
PID 924 wrote to memory of 2372	924	{43A9D2DE-6BF4-408f-81C8-8040C0231B15}.exe	44
PID 924 wrote to memory of 2372	924	{43A9D2DE-6BF4-408f-81C8-8040C0231B15}.exe	44
PID 924 wrote to memory of 1212	924	{43A9D2DE-6BF4-408f-81C8-8040C0231B15}.exe	45
PID 924 wrote to memory of 1212	924	{43A9D2DE-6BF4-408f-81C8-8040C0231B15}.exe	45
PID 924 wrote to memory of 1212	924	{43A9D2DE-6BF4-408f-81C8-8040C0231B15}.exe	45
PID 924 wrote to memory of 1212	924	{43A9D2DE-6BF4-408f-81C8-8040C0231B15}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-04-19_30331ec0198981951c8f05e72bc8e6a4_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-19_30331ec0198981951c8f05e72bc8e6a4_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2964
- C:\Windows\{741AFF30-1F0D-462b-B534-C026F20A97D5}.exe
  C:\Windows\{741AFF30-1F0D-462b-B534-C026F20A97D5}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2748
- - C:\Windows\{240ED265-1615-4096-B824-D06D566A59D9}.exe
    C:\Windows\{240ED265-1615-4096-B824-D06D566A59D9}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2616
  - - C:\Windows\{9E65717B-4B94-4411-AD7C-3503CDACFC1C}.exe
      C:\Windows\{9E65717B-4B94-4411-AD7C-3503CDACFC1C}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2644
    - - C:\Windows\{FBE89F96-C4AA-480c-9CFA-15A1AF56B117}.exe
        
        C:\Windows\{FBE89F96-C4AA-480c-9CFA-15A1AF56B117}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1672
      - C:\Windows\{9F3882A3-8C67-4ab8-BA06-57897889BF39}.exe
        
        C:\Windows\{9F3882A3-8C67-4ab8-BA06-57897889BF39}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1468
        
        C:\Windows\{06C5F02A-0B8E-4b69-B11C-2C4E4A5C537B}.exe
        
        C:\Windows\{06C5F02A-0B8E-4b69-B11C-2C4E4A5C537B}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1852
        
        C:\Windows\{43A9D2DE-6BF4-408f-81C8-8040C0231B15}.exe
        
        C:\Windows\{43A9D2DE-6BF4-408f-81C8-8040C0231B15}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:924
        
        C:\Windows\{D0D88E50-1BC4-4e97-B3E0-4FDC34D8530C}.exe
        
        C:\Windows\{D0D88E50-1BC4-4e97-B3E0-4FDC34D8530C}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2372
        
        C:\Windows\{722EBDE2-F5F0-4802-AF94-C92E67698B46}.exe
        
        C:\Windows\{722EBDE2-F5F0-4802-AF94-C92E67698B46}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2300
        
        C:\Windows\{AADE5C6E-A592-4e93-8941-FA262D9A6BC6}.exe
        
        C:\Windows\{AADE5C6E-A592-4e93-8941-FA262D9A6BC6}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2808
        
        C:\Windows\{3205E0DE-D7C7-4816-9066-3FDF4A14A848}.exe
        
        C:\Windows\{3205E0DE-D7C7-4816-9066-3FDF4A14A848}.exe
        12⤵
        Executes dropped EXE
        
        PID:1512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AADE5~1.EXE > nul
        12⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{722EB~1.EXE > nul
        11⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D0D88~1.EXE > nul
        10⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{43A9D~1.EXE > nul
        9⤵
        
        PID:1212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{06C5F~1.EXE > nul
        8⤵
        
        PID:1820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9F388~1.EXE > nul
        7⤵
        
        PID:1988
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FBE89~1.EXE > nul
        6⤵
        
        PID:2532
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9E657~1.EXE > nul
        5⤵
        
        PID:1756
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{240ED~1.EXE > nul
      4⤵
      PID:2600
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{741AF~1.EXE > nul
    3⤵
    PID:1352
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{06C5F02A-0B8E-4b69-B11C-2C4E4A5C537B}.exe

Filesize
204KB

MD5
7f2880c1ce31930a024623f9b5a416b3

SHA1
1ee8fd23099c1b3949fa41adce00899323d7a716

SHA256
19ae74b8bacf0d097746bca79543eb773a409ded51d24cb88396d89f4b0eba9a

SHA512
32c973c6bedc4ca1e92a479e919152662bb2163785c23e13c238c62c7b1fbb5cd1cd98df2085d36285bba6931a58d543d30d840584ac958e5e5ac230eb2555ff

Download Submit
C:\Windows\{240ED265-1615-4096-B824-D06D566A59D9}.exe

Filesize
204KB

MD5
7ba912505e3e9a5f1d8a6ff81eefc98c

SHA1
9dff3927145c3a0bb768beeeb0100877b742ed7c

SHA256
e9d8d946762116a64becfffc35de2920796c8e2997c1c9bc140a3023c2467007

SHA512
9f979b7978db34289d6c7dd2827f3fc8d5721765f4668741b971b3cfc8f1605f0b7234d5c8b3e0b5ff3aa1e606efeafe22e056987da75993b54567b1cc9d9ce3

Download Submit
C:\Windows\{3205E0DE-D7C7-4816-9066-3FDF4A14A848}.exe

Filesize
204KB

MD5
83d628fe9113dc56568de33396bd7248

SHA1
9e747477749c32524382584b9616bdd314bc616c

SHA256
d097fb789a3b68dfd35939a14535a898ac4846ea7314ee0f369fb3f9786be511

SHA512
104f37b9608ed4755f8a9adbd7e74436b2320c717c64556998842cebc8272d914a67e97018266c647777eca74737a9d0cb20d64de2576f58d7c523717850b4ed

Download Submit
C:\Windows\{43A9D2DE-6BF4-408f-81C8-8040C0231B15}.exe

Filesize
204KB

MD5
47bed49239c333a4c5117c4c517e0164

SHA1
615a0dbe75e1b01a696e762a584a56889eb97e6a

SHA256
23a4a1bd423db656960377f45f589abef461f55e47a2b72b6c6f04a9e33b1ad5

SHA512
e1a18fa5dec028235e6d2af4560abb86da166dc25713f93c2300f680918f410c6492446a1091c3f38645f29ec26e67e012454afd1c71811359d5192136b1de9b

Download Submit
C:\Windows\{722EBDE2-F5F0-4802-AF94-C92E67698B46}.exe

Filesize
204KB

MD5
5dfc14dadee8485f523d9a851c580d80

SHA1
c5a356e5c05f109897fe82b7cebb15e69800bc02

SHA256
03d87fba129a8ce5d2dc748036ba9be11d7af40f122318f00d4de485ee850611

SHA512
91814a198b6c5855053c1d7b22825811f9581f4e4050d4e373f7f1bdc237de510a276172f0a23ce48113527d77e14f8d806038849f7db80812d6f8c5ef4f9113

Download Submit
C:\Windows\{741AFF30-1F0D-462b-B534-C026F20A97D5}.exe

Filesize
204KB

MD5
5f9080dcf4c1d99df834ad5546fbf0ee

SHA1
2a77cfebd3f13d02979e77c49e91ad59127b4717

SHA256
c7166d7aec8b838d624d2ddf22f68e3c7f8257420a1f299cbf40a8a61d81e6b7

SHA512
cf89ddb7a38ee7095128a3d44e22f8697d9c24da27e7fbf603bf4577e9d5f57215a06756d6e835915a5df226bc1e027165d36b826df5178ca2274eea48a84435

Download Submit
C:\Windows\{9E65717B-4B94-4411-AD7C-3503CDACFC1C}.exe

Filesize
204KB

MD5
48290a3e7c8114df3da37e58f2097aa0

SHA1
0f5aaebe9c4ab5933912ef8f43330631f1bdaf07

SHA256
f30c9d5674fd652db39cec6e4e00c038af4487928fdb6a374751a6331f53ed38

SHA512
6c262072c7d2334408eb30fca0b5b019ee5dfc09000820a6f0bf2220e517aeea090f73a23cb4bad428ee3da21c220a0c9d36bbc481e491b116e1023793d6e822

Download Submit
C:\Windows\{9F3882A3-8C67-4ab8-BA06-57897889BF39}.exe

Filesize
204KB

MD5
fe32d6eb41d103fe75410819f3391d40

SHA1
9680a7cff6799ece55eada1bb825cdab8e1de410

SHA256
92eca9aefdffb1d208d0b5a08f2e5799f7e35f1a2d351d2465fd357223f8c3f6

SHA512
93689509530e99c6f837b2a0ebfb3acae4240dc774c71eb04e29ea1cd1a91fc823d9954c02c90349050b6cff52de6f19480343c89342e069d8a99ccb993131da

Download Submit
C:\Windows\{AADE5C6E-A592-4e93-8941-FA262D9A6BC6}.exe

Filesize
204KB

MD5
0a1db4ca5bf1a7690ca42f64f67ef254

SHA1
7c9457629fc6eaf9e9f5ed43df76112e727924d5

SHA256
154cffc0fbeefcd3df9dd3f0cc318d39647af63093d40519eea4ce5a4f897d75

SHA512
6d06301912b1dd9dff2d49fd46924038aba3c29a86e9e5b8058cadf759e43f85ecdaea2d97d3124da28408047ca338f20beca534b52c16898a1c147ad999ee36

Download Submit
C:\Windows\{D0D88E50-1BC4-4e97-B3E0-4FDC34D8530C}.exe

Filesize
204KB

MD5
87b0c2c99116010862c48d3200861ce8

SHA1
ce53b36ec11b0d075d30aec959b80455d7e6992b

SHA256
da11c0654bb3c1e49efcb09ce38282014d6dba3e0f1ec4943ee3bffa4cdd1482

SHA512
b5b811cb7b8a26a32c7bd220b7c61fbd8b18688131bfba724ee33f06737620f0a639cdb072c1e44a695acb4aa302a06fb8c8b556d94aec901ecafc4f5757c4cb

Download Submit
C:\Windows\{FBE89F96-C4AA-480c-9CFA-15A1AF56B117}.exe

Filesize
204KB

MD5
ab36af57701e1bc246c70eef0a48dfde

SHA1
76067455ed123f621b1e9fa5bf4fc921689d4e40

SHA256
467fafc8bc1bcffa7df69dc5577c7243ed5e9c797622e9eedde49d084574b72d

SHA512
8e9e14748624509d769701dc3352466661c842dfc320e0689af6840bb87b021dedd1070cf4de4dc9f13d53195089765f75035addefff48c516a92572a0ed6040

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads