7e659811f2be64b1eb8a8effa6f5fec378c2f3f1930423be406fe1b331c15b57

Analysis

max time kernel
144s
max time network
126s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
20/04/2024, 21:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-20_777754c13d3dc22f08d6082e8e27d82e_goldeneye.exe
Size

197KB
MD5

777754c13d3dc22f08d6082e8e27d82e
SHA1

3e1ba56b7c4918c60a6dcb87af77dba9c2bb9a02
SHA256

7e659811f2be64b1eb8a8effa6f5fec378c2f3f1930423be406fe1b331c15b57
SHA512

a78f9fee8fe4b492da5dd9b70ad2a46ba7646630f1011b7878c37c324c3f3c75c8bde5e713c745a997a69565a3951f41e2aa65dbc54ae83ecaf4c0ae116b9d82
SSDEEP

3072:jEGh0obl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGRlEeKcAEca

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x0009000000012247-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c00000001445e-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f00000000f680-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e000000014738-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000014a55-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000014aec-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a000000014a55-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000014aec-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b000000014a55-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000014aec-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000014a55-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{05DCA29B-1304-4b7b-8A8F-29ABC43293BA}\stubpath = "C:\\Windows\\{05DCA29B-1304-4b7b-8A8F-29ABC43293BA}.exe"	{281C5F05-EC2E-4f91-9C18-D48BE9F1D924}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{81669B47-2134-457d-9480-31DE21D54E3E}	{05DCA29B-1304-4b7b-8A8F-29ABC43293BA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5E16790D-F393-46e8-8CF1-D3917FABDA8B}	{81669B47-2134-457d-9480-31DE21D54E3E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E68915C8-517A-4071-8C1A-2DC6AE33FBDC}	{5E16790D-F393-46e8-8CF1-D3917FABDA8B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{50610501-B3AE-426f-BDB2-DCF75BBD5F97}	{E68915C8-517A-4071-8C1A-2DC6AE33FBDC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{31D25535-3C3F-4a53-9CA5-EA521E7B60B6}	{50610501-B3AE-426f-BDB2-DCF75BBD5F97}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4BAB4A73-8468-440f-9D84-AC33734C6173}	{31D25535-3C3F-4a53-9CA5-EA521E7B60B6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F22258E0-C9CC-4c51-906A-B26596D5572E}	2024-04-20_777754c13d3dc22f08d6082e8e27d82e_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F22258E0-C9CC-4c51-906A-B26596D5572E}\stubpath = "C:\\Windows\\{F22258E0-C9CC-4c51-906A-B26596D5572E}.exe"	2024-04-20_777754c13d3dc22f08d6082e8e27d82e_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{281C5F05-EC2E-4f91-9C18-D48BE9F1D924}	{F22258E0-C9CC-4c51-906A-B26596D5572E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{81669B47-2134-457d-9480-31DE21D54E3E}\stubpath = "C:\\Windows\\{81669B47-2134-457d-9480-31DE21D54E3E}.exe"	{05DCA29B-1304-4b7b-8A8F-29ABC43293BA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E68915C8-517A-4071-8C1A-2DC6AE33FBDC}\stubpath = "C:\\Windows\\{E68915C8-517A-4071-8C1A-2DC6AE33FBDC}.exe"	{5E16790D-F393-46e8-8CF1-D3917FABDA8B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E6D786DC-E13F-444f-9C20-2BE8E37A7427}	{4BAB4A73-8468-440f-9D84-AC33734C6173}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E6D786DC-E13F-444f-9C20-2BE8E37A7427}\stubpath = "C:\\Windows\\{E6D786DC-E13F-444f-9C20-2BE8E37A7427}.exe"	{4BAB4A73-8468-440f-9D84-AC33734C6173}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4BAB4A73-8468-440f-9D84-AC33734C6173}\stubpath = "C:\\Windows\\{4BAB4A73-8468-440f-9D84-AC33734C6173}.exe"	{31D25535-3C3F-4a53-9CA5-EA521E7B60B6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{68FB38B6-04A9-4aa0-91CC-197CC0BD8409}	{E6D786DC-E13F-444f-9C20-2BE8E37A7427}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{68FB38B6-04A9-4aa0-91CC-197CC0BD8409}\stubpath = "C:\\Windows\\{68FB38B6-04A9-4aa0-91CC-197CC0BD8409}.exe"	{E6D786DC-E13F-444f-9C20-2BE8E37A7427}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{281C5F05-EC2E-4f91-9C18-D48BE9F1D924}\stubpath = "C:\\Windows\\{281C5F05-EC2E-4f91-9C18-D48BE9F1D924}.exe"	{F22258E0-C9CC-4c51-906A-B26596D5572E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{05DCA29B-1304-4b7b-8A8F-29ABC43293BA}	{281C5F05-EC2E-4f91-9C18-D48BE9F1D924}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5E16790D-F393-46e8-8CF1-D3917FABDA8B}\stubpath = "C:\\Windows\\{5E16790D-F393-46e8-8CF1-D3917FABDA8B}.exe"	{81669B47-2134-457d-9480-31DE21D54E3E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{50610501-B3AE-426f-BDB2-DCF75BBD5F97}\stubpath = "C:\\Windows\\{50610501-B3AE-426f-BDB2-DCF75BBD5F97}.exe"	{E68915C8-517A-4071-8C1A-2DC6AE33FBDC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{31D25535-3C3F-4a53-9CA5-EA521E7B60B6}\stubpath = "C:\\Windows\\{31D25535-3C3F-4a53-9CA5-EA521E7B60B6}.exe"	{50610501-B3AE-426f-BDB2-DCF75BBD5F97}.exe

Deletes itself 1 IoCs

pid	Process
3020	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
3036	{F22258E0-C9CC-4c51-906A-B26596D5572E}.exe
2756	{281C5F05-EC2E-4f91-9C18-D48BE9F1D924}.exe
2452	{05DCA29B-1304-4b7b-8A8F-29ABC43293BA}.exe
664	{81669B47-2134-457d-9480-31DE21D54E3E}.exe
1616	{5E16790D-F393-46e8-8CF1-D3917FABDA8B}.exe
1648	{E68915C8-517A-4071-8C1A-2DC6AE33FBDC}.exe
2508	{50610501-B3AE-426f-BDB2-DCF75BBD5F97}.exe
1656	{31D25535-3C3F-4a53-9CA5-EA521E7B60B6}.exe
2212	{4BAB4A73-8468-440f-9D84-AC33734C6173}.exe
2140	{E6D786DC-E13F-444f-9C20-2BE8E37A7427}.exe
2772	{68FB38B6-04A9-4aa0-91CC-197CC0BD8409}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{5E16790D-F393-46e8-8CF1-D3917FABDA8B}.exe	{81669B47-2134-457d-9480-31DE21D54E3E}.exe
File created	C:\Windows\{E68915C8-517A-4071-8C1A-2DC6AE33FBDC}.exe	{5E16790D-F393-46e8-8CF1-D3917FABDA8B}.exe
File created	C:\Windows\{31D25535-3C3F-4a53-9CA5-EA521E7B60B6}.exe	{50610501-B3AE-426f-BDB2-DCF75BBD5F97}.exe
File created	C:\Windows\{4BAB4A73-8468-440f-9D84-AC33734C6173}.exe	{31D25535-3C3F-4a53-9CA5-EA521E7B60B6}.exe
File created	C:\Windows\{05DCA29B-1304-4b7b-8A8F-29ABC43293BA}.exe	{281C5F05-EC2E-4f91-9C18-D48BE9F1D924}.exe
File created	C:\Windows\{81669B47-2134-457d-9480-31DE21D54E3E}.exe	{05DCA29B-1304-4b7b-8A8F-29ABC43293BA}.exe
File created	C:\Windows\{50610501-B3AE-426f-BDB2-DCF75BBD5F97}.exe	{E68915C8-517A-4071-8C1A-2DC6AE33FBDC}.exe
File created	C:\Windows\{E6D786DC-E13F-444f-9C20-2BE8E37A7427}.exe	{4BAB4A73-8468-440f-9D84-AC33734C6173}.exe
File created	C:\Windows\{68FB38B6-04A9-4aa0-91CC-197CC0BD8409}.exe	{E6D786DC-E13F-444f-9C20-2BE8E37A7427}.exe
File created	C:\Windows\{F22258E0-C9CC-4c51-906A-B26596D5572E}.exe	2024-04-20_777754c13d3dc22f08d6082e8e27d82e_goldeneye.exe
File created	C:\Windows\{281C5F05-EC2E-4f91-9C18-D48BE9F1D924}.exe	{F22258E0-C9CC-4c51-906A-B26596D5572E}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2744	2024-04-20_777754c13d3dc22f08d6082e8e27d82e_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3036	{F22258E0-C9CC-4c51-906A-B26596D5572E}.exe
Token: SeIncBasePriorityPrivilege	2756	{281C5F05-EC2E-4f91-9C18-D48BE9F1D924}.exe
Token: SeIncBasePriorityPrivilege	2452	{05DCA29B-1304-4b7b-8A8F-29ABC43293BA}.exe
Token: SeIncBasePriorityPrivilege	664	{81669B47-2134-457d-9480-31DE21D54E3E}.exe
Token: SeIncBasePriorityPrivilege	1616	{5E16790D-F393-46e8-8CF1-D3917FABDA8B}.exe
Token: SeIncBasePriorityPrivilege	1648	{E68915C8-517A-4071-8C1A-2DC6AE33FBDC}.exe
Token: SeIncBasePriorityPrivilege	2508	{50610501-B3AE-426f-BDB2-DCF75BBD5F97}.exe
Token: SeIncBasePriorityPrivilege	1656	{31D25535-3C3F-4a53-9CA5-EA521E7B60B6}.exe
Token: SeIncBasePriorityPrivilege	2212	{4BAB4A73-8468-440f-9D84-AC33734C6173}.exe
Token: SeIncBasePriorityPrivilege	2140	{E6D786DC-E13F-444f-9C20-2BE8E37A7427}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2744 wrote to memory of 3036	2744	2024-04-20_777754c13d3dc22f08d6082e8e27d82e_goldeneye.exe	28
PID 2744 wrote to memory of 3036	2744	2024-04-20_777754c13d3dc22f08d6082e8e27d82e_goldeneye.exe	28
PID 2744 wrote to memory of 3036	2744	2024-04-20_777754c13d3dc22f08d6082e8e27d82e_goldeneye.exe	28
PID 2744 wrote to memory of 3036	2744	2024-04-20_777754c13d3dc22f08d6082e8e27d82e_goldeneye.exe	28
PID 2744 wrote to memory of 3020	2744	2024-04-20_777754c13d3dc22f08d6082e8e27d82e_goldeneye.exe	29
PID 2744 wrote to memory of 3020	2744	2024-04-20_777754c13d3dc22f08d6082e8e27d82e_goldeneye.exe	29
PID 2744 wrote to memory of 3020	2744	2024-04-20_777754c13d3dc22f08d6082e8e27d82e_goldeneye.exe	29
PID 2744 wrote to memory of 3020	2744	2024-04-20_777754c13d3dc22f08d6082e8e27d82e_goldeneye.exe	29
PID 3036 wrote to memory of 2756	3036	{F22258E0-C9CC-4c51-906A-B26596D5572E}.exe	30
PID 3036 wrote to memory of 2756	3036	{F22258E0-C9CC-4c51-906A-B26596D5572E}.exe	30
PID 3036 wrote to memory of 2756	3036	{F22258E0-C9CC-4c51-906A-B26596D5572E}.exe	30
PID 3036 wrote to memory of 2756	3036	{F22258E0-C9CC-4c51-906A-B26596D5572E}.exe	30
PID 3036 wrote to memory of 2616	3036	{F22258E0-C9CC-4c51-906A-B26596D5572E}.exe	31
PID 3036 wrote to memory of 2616	3036	{F22258E0-C9CC-4c51-906A-B26596D5572E}.exe	31
PID 3036 wrote to memory of 2616	3036	{F22258E0-C9CC-4c51-906A-B26596D5572E}.exe	31
PID 3036 wrote to memory of 2616	3036	{F22258E0-C9CC-4c51-906A-B26596D5572E}.exe	31
PID 2756 wrote to memory of 2452	2756	{281C5F05-EC2E-4f91-9C18-D48BE9F1D924}.exe	34
PID 2756 wrote to memory of 2452	2756	{281C5F05-EC2E-4f91-9C18-D48BE9F1D924}.exe	34
PID 2756 wrote to memory of 2452	2756	{281C5F05-EC2E-4f91-9C18-D48BE9F1D924}.exe	34
PID 2756 wrote to memory of 2452	2756	{281C5F05-EC2E-4f91-9C18-D48BE9F1D924}.exe	34
PID 2756 wrote to memory of 2368	2756	{281C5F05-EC2E-4f91-9C18-D48BE9F1D924}.exe	35
PID 2756 wrote to memory of 2368	2756	{281C5F05-EC2E-4f91-9C18-D48BE9F1D924}.exe	35
PID 2756 wrote to memory of 2368	2756	{281C5F05-EC2E-4f91-9C18-D48BE9F1D924}.exe	35
PID 2756 wrote to memory of 2368	2756	{281C5F05-EC2E-4f91-9C18-D48BE9F1D924}.exe	35
PID 2452 wrote to memory of 664	2452	{05DCA29B-1304-4b7b-8A8F-29ABC43293BA}.exe	36
PID 2452 wrote to memory of 664	2452	{05DCA29B-1304-4b7b-8A8F-29ABC43293BA}.exe	36
PID 2452 wrote to memory of 664	2452	{05DCA29B-1304-4b7b-8A8F-29ABC43293BA}.exe	36
PID 2452 wrote to memory of 664	2452	{05DCA29B-1304-4b7b-8A8F-29ABC43293BA}.exe	36
PID 2452 wrote to memory of 2392	2452	{05DCA29B-1304-4b7b-8A8F-29ABC43293BA}.exe	37
PID 2452 wrote to memory of 2392	2452	{05DCA29B-1304-4b7b-8A8F-29ABC43293BA}.exe	37
PID 2452 wrote to memory of 2392	2452	{05DCA29B-1304-4b7b-8A8F-29ABC43293BA}.exe	37
PID 2452 wrote to memory of 2392	2452	{05DCA29B-1304-4b7b-8A8F-29ABC43293BA}.exe	37
PID 664 wrote to memory of 1616	664	{81669B47-2134-457d-9480-31DE21D54E3E}.exe	38
PID 664 wrote to memory of 1616	664	{81669B47-2134-457d-9480-31DE21D54E3E}.exe	38
PID 664 wrote to memory of 1616	664	{81669B47-2134-457d-9480-31DE21D54E3E}.exe	38
PID 664 wrote to memory of 1616	664	{81669B47-2134-457d-9480-31DE21D54E3E}.exe	38
PID 664 wrote to memory of 1712	664	{81669B47-2134-457d-9480-31DE21D54E3E}.exe	39
PID 664 wrote to memory of 1712	664	{81669B47-2134-457d-9480-31DE21D54E3E}.exe	39
PID 664 wrote to memory of 1712	664	{81669B47-2134-457d-9480-31DE21D54E3E}.exe	39
PID 664 wrote to memory of 1712	664	{81669B47-2134-457d-9480-31DE21D54E3E}.exe	39
PID 1616 wrote to memory of 1648	1616	{5E16790D-F393-46e8-8CF1-D3917FABDA8B}.exe	40
PID 1616 wrote to memory of 1648	1616	{5E16790D-F393-46e8-8CF1-D3917FABDA8B}.exe	40
PID 1616 wrote to memory of 1648	1616	{5E16790D-F393-46e8-8CF1-D3917FABDA8B}.exe	40
PID 1616 wrote to memory of 1648	1616	{5E16790D-F393-46e8-8CF1-D3917FABDA8B}.exe	40
PID 1616 wrote to memory of 2396	1616	{5E16790D-F393-46e8-8CF1-D3917FABDA8B}.exe	41
PID 1616 wrote to memory of 2396	1616	{5E16790D-F393-46e8-8CF1-D3917FABDA8B}.exe	41
PID 1616 wrote to memory of 2396	1616	{5E16790D-F393-46e8-8CF1-D3917FABDA8B}.exe	41
PID 1616 wrote to memory of 2396	1616	{5E16790D-F393-46e8-8CF1-D3917FABDA8B}.exe	41
PID 1648 wrote to memory of 2508	1648	{E68915C8-517A-4071-8C1A-2DC6AE33FBDC}.exe	42
PID 1648 wrote to memory of 2508	1648	{E68915C8-517A-4071-8C1A-2DC6AE33FBDC}.exe	42
PID 1648 wrote to memory of 2508	1648	{E68915C8-517A-4071-8C1A-2DC6AE33FBDC}.exe	42
PID 1648 wrote to memory of 2508	1648	{E68915C8-517A-4071-8C1A-2DC6AE33FBDC}.exe	42
PID 1648 wrote to memory of 1248	1648	{E68915C8-517A-4071-8C1A-2DC6AE33FBDC}.exe	43
PID 1648 wrote to memory of 1248	1648	{E68915C8-517A-4071-8C1A-2DC6AE33FBDC}.exe	43
PID 1648 wrote to memory of 1248	1648	{E68915C8-517A-4071-8C1A-2DC6AE33FBDC}.exe	43
PID 1648 wrote to memory of 1248	1648	{E68915C8-517A-4071-8C1A-2DC6AE33FBDC}.exe	43
PID 2508 wrote to memory of 1656	2508	{50610501-B3AE-426f-BDB2-DCF75BBD5F97}.exe	44
PID 2508 wrote to memory of 1656	2508	{50610501-B3AE-426f-BDB2-DCF75BBD5F97}.exe	44
PID 2508 wrote to memory of 1656	2508	{50610501-B3AE-426f-BDB2-DCF75BBD5F97}.exe	44
PID 2508 wrote to memory of 1656	2508	{50610501-B3AE-426f-BDB2-DCF75BBD5F97}.exe	44
PID 2508 wrote to memory of 1952	2508	{50610501-B3AE-426f-BDB2-DCF75BBD5F97}.exe	45
PID 2508 wrote to memory of 1952	2508	{50610501-B3AE-426f-BDB2-DCF75BBD5F97}.exe	45
PID 2508 wrote to memory of 1952	2508	{50610501-B3AE-426f-BDB2-DCF75BBD5F97}.exe	45
PID 2508 wrote to memory of 1952	2508	{50610501-B3AE-426f-BDB2-DCF75BBD5F97}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-04-20_777754c13d3dc22f08d6082e8e27d82e_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-20_777754c13d3dc22f08d6082e8e27d82e_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2744
- C:\Windows\{F22258E0-C9CC-4c51-906A-B26596D5572E}.exe
  C:\Windows\{F22258E0-C9CC-4c51-906A-B26596D5572E}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3036
- - C:\Windows\{281C5F05-EC2E-4f91-9C18-D48BE9F1D924}.exe
    C:\Windows\{281C5F05-EC2E-4f91-9C18-D48BE9F1D924}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2756
  - - C:\Windows\{05DCA29B-1304-4b7b-8A8F-29ABC43293BA}.exe
      C:\Windows\{05DCA29B-1304-4b7b-8A8F-29ABC43293BA}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2452
    - - C:\Windows\{81669B47-2134-457d-9480-31DE21D54E3E}.exe
        
        C:\Windows\{81669B47-2134-457d-9480-31DE21D54E3E}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:664
      - C:\Windows\{5E16790D-F393-46e8-8CF1-D3917FABDA8B}.exe
        
        C:\Windows\{5E16790D-F393-46e8-8CF1-D3917FABDA8B}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1616
        
        C:\Windows\{E68915C8-517A-4071-8C1A-2DC6AE33FBDC}.exe
        
        C:\Windows\{E68915C8-517A-4071-8C1A-2DC6AE33FBDC}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1648
        
        C:\Windows\{50610501-B3AE-426f-BDB2-DCF75BBD5F97}.exe
        
        C:\Windows\{50610501-B3AE-426f-BDB2-DCF75BBD5F97}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2508
        
        C:\Windows\{31D25535-3C3F-4a53-9CA5-EA521E7B60B6}.exe
        
        C:\Windows\{31D25535-3C3F-4a53-9CA5-EA521E7B60B6}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1656
        
        C:\Windows\{4BAB4A73-8468-440f-9D84-AC33734C6173}.exe
        
        C:\Windows\{4BAB4A73-8468-440f-9D84-AC33734C6173}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2212
        
        C:\Windows\{E6D786DC-E13F-444f-9C20-2BE8E37A7427}.exe
        
        C:\Windows\{E6D786DC-E13F-444f-9C20-2BE8E37A7427}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2140
        
        C:\Windows\{68FB38B6-04A9-4aa0-91CC-197CC0BD8409}.exe
        
        C:\Windows\{68FB38B6-04A9-4aa0-91CC-197CC0BD8409}.exe
        12⤵
        Executes dropped EXE
        
        PID:2772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E6D78~1.EXE > nul
        12⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4BAB4~1.EXE > nul
        11⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{31D25~1.EXE > nul
        10⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{50610~1.EXE > nul
        9⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E6891~1.EXE > nul
        8⤵
        
        PID:1248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5E167~1.EXE > nul
        7⤵
        
        PID:2396
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{81669~1.EXE > nul
        6⤵
        
        PID:1712
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{05DCA~1.EXE > nul
        5⤵
        
        PID:2392
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{281C5~1.EXE > nul
      4⤵
      PID:2368
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{F2225~1.EXE > nul
    3⤵
    PID:2616
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:3020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{05DCA29B-1304-4b7b-8A8F-29ABC43293BA}.exe

Filesize
197KB

MD5
b456c3d3650262e8152a3a9ad18c3c4a

SHA1
c22169d12c53ea6e341ce15f7d6d6e9e68da354b

SHA256
5f4697ae422106bb080e9266d2a34dcca459ab3e23452574aba772faa561f1be

SHA512
1ad5280c520f7c88ed61a1516196a377ff43db26635b9d1cd2607f490344f7d3c89d4bd75e9cbda6b21dfd20901f1e163c9a3c5a25a647cdeafd095186556ca4

Download Submit
C:\Windows\{281C5F05-EC2E-4f91-9C18-D48BE9F1D924}.exe

Filesize
197KB

MD5
5b253a45df7159e57acf09297c4b06d3

SHA1
b7d4314171730f42b300c2aebf37a5621cd45335

SHA256
997cd0a22be8880d72b0c391cac3e7b197612a0cad2b47c65d2e9a75a9bb7816

SHA512
acf50ebcb594613149efa1f5adb77cd242118a6bd596e8f90a552b53f87758691b0b998dc21732b7ef49369b7431a0a1d3dadf93db0cb2faa8eb7dc386d76310

Download Submit
C:\Windows\{31D25535-3C3F-4a53-9CA5-EA521E7B60B6}.exe

Filesize
197KB

MD5
6786c21d55574b72811b126bac8018d5

SHA1
b828915184746ae06bfdba03083cbfa7564f53eb

SHA256
0c4bd61987f4b54d16e9fea2773c364e493cab643524ba799a6040e8001f49e1

SHA512
705da0dd01be7a7ba9e61ce3921f166b054b9991c69e51c0c5794083e34bfdcd97520deff4ff499ef4a984399a3efa2044c3bf3881fa78ae5e4196ad70e5f5db

Download Submit
C:\Windows\{4BAB4A73-8468-440f-9D84-AC33734C6173}.exe

Filesize
197KB

MD5
14ebffbc6bb089d0bd149e4c9882d10a

SHA1
0630e52588010d329f66bb6f23b385110601393a

SHA256
986ea1007adfb992b26dab5d658a079821c76f0cb8ce71b1cd25fab71ae74cd3

SHA512
56317248aa82c14a03e397c2979e951b472176e6721a3b59c7f548835850170331b99a603be3275795227bab6300ea7fbe62f9dab2e20ce2db1a3c1403e493d9

Download Submit
C:\Windows\{50610501-B3AE-426f-BDB2-DCF75BBD5F97}.exe

Filesize
197KB

MD5
dd09b3590a9e32d303bc4d4c5c025ea1

SHA1
9125cdc8fbb9b273c19813098a2098517477c0b9

SHA256
ac7715273c0aed9f9285af3b0f215232c0c2b8a69d3ca2fc063fa8a8afe08f11

SHA512
d2b1857cc3642e7dbfa6410c7e15fdf8d6ef68631add0ef9d0df7600f5ed53491b0dec6e5cf0ea0279aadbbe3a961cbc0eff1c97c24cd2b11829ebab45312e27

Download Submit
C:\Windows\{5E16790D-F393-46e8-8CF1-D3917FABDA8B}.exe

Filesize
197KB

MD5
ec349caea601baacd83d119a009a9475

SHA1
d7e0c75a04db896586874bcd1fa1456214468773

SHA256
d056e1333729686edd03a791e93ebd8de766657825048323b1e47157ffa5b3d2

SHA512
d8ece9d2e84cfdb2d4618d32e4facf37f6e2af8f9cbf38c950a8c028bc0f7e541f5816368e11577dea1b9c2e704a233a70ecea65854126fffa05d2cf75b1ab5e

Download Submit
C:\Windows\{68FB38B6-04A9-4aa0-91CC-197CC0BD8409}.exe

Filesize
197KB

MD5
ba38fba1680b7b6047c05f72d0894bc5

SHA1
5abb313f452b98b64a5052f2e804a4a92c95f6d7

SHA256
f8f1b1d9d0fa3a65492d4cc86e6410c141807cb2f861740a46867a057db2dc69

SHA512
e92f7d502965b25734bc9611bbff21224e0e3e4deeab9dbfea98b8d8cc31ac259faf3a7cf708f24ce475c6b8ac28bea0c8942f1822dffe98302db1e3dce07c63

Download Submit
C:\Windows\{81669B47-2134-457d-9480-31DE21D54E3E}.exe

Filesize
197KB

MD5
d7acf8cf2571c5bbd9d0b6bd38d6c370

SHA1
425b3955606f21677c0a151bd665079e1230937d

SHA256
5fd6511d871c879cc2cbfa2f0fffa951b86a30dfb298ab3ad8ec33e70e139bec

SHA512
73d1207bd448d901b6b54ed0743d54d1e5598f946e178a34c4060f439d32220f147726c5ea720e8aef30a15ea3eefac0f91eab5748d0dc7bb9ff5647ed70e985

Download Submit
C:\Windows\{E68915C8-517A-4071-8C1A-2DC6AE33FBDC}.exe

Filesize
197KB

MD5
023803ef617f71b8461f3a0809801a4a

SHA1
30c61cbf7220a95ca9ad9f04d8f498eb2809e996

SHA256
ba787758f6fa4e922474b09eed153c5b2b1c66bd35c6e27fba668c1794835631

SHA512
b803f787346dc05e4da8502819ac3a0e8923176b4aef1334ac0d3d32a3d6eea3a8d1fa515bbe478dee6e515feaa3bccacb944cf0fa39f404658177acc487a790

Download Submit
C:\Windows\{E6D786DC-E13F-444f-9C20-2BE8E37A7427}.exe

Filesize
197KB

MD5
0fbc8a2d8beb1855f72c533d4b8cadf3

SHA1
0248f9fcc198ec808fa9e9f630422095d8b1d581

SHA256
3b09f59025b0295ddd4f35c21e9705203a83419177f6189694e5bbcdf8a50d4e

SHA512
003f7c3f31682b7c3542ce79904f76af981b1538b01f3b11e6f85970ad5dbc30df75b3b44e5499029e4d18f1eb11a45e09325d9f7d66e0d9c5ba990c2a209262

Download Submit
C:\Windows\{F22258E0-C9CC-4c51-906A-B26596D5572E}.exe

Filesize
197KB

MD5
e3174d1ef8f08ce882a7a4dc9134eccc

SHA1
29054916bd74087e4bbf8fa0a8e98ea4b2dd198b

SHA256
a700ce720029820b3ca04051c9468ba520ab65f0e4c128bda0b94efd7c788b3f

SHA512
b7e3f94f45fc38dbeb65d4bb422064c3a5d21d18ff8e5b3090f9eebfe4a60d1f7eeb635021821402d8dd9758c22515c0b2749c2b985a9b8100aa6f6595ff562d

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads