85a083fbef249b1262b39e78a6466f1fc2f0584455d71eab1dd19fedbdace727

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
20-04-2024 10:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-20_1be85fc73534ed8bf5202dcfe75ca233_goldeneye.exe
Size

408KB
MD5

1be85fc73534ed8bf5202dcfe75ca233
SHA1

79b7f5098f40f72c7d32b6f8ff74b13fb4975bab
SHA256

85a083fbef249b1262b39e78a6466f1fc2f0584455d71eab1dd19fedbdace727
SHA512

6e1b8a34300ccc265c0bcc560b84b248bac1e2a8bad4748b1098958c16722d24cc7f420b53a7717cfb654a48d45a1ff8a2506a21c97b77a1715db69b5c774864
SSDEEP

3072:CEGh0ofl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBft:CEGRldOe2MUVg3vTeKcAEciTBqr3jy9

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000c000000012306-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c00000001315b-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000012306-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x003900000001340c-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e000000012306-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f000000012306-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0010000000012306-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2B773AC3-ECFA-4859-B3CD-CEEB35716DEB}\stubpath = "C:\\Windows\\{2B773AC3-ECFA-4859-B3CD-CEEB35716DEB}.exe"	2024-04-20_1be85fc73534ed8bf5202dcfe75ca233_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BEBDF04A-DCD3-4f2f-8A25-5B6B51050BD3}	{2D8B63C7-5C4A-49fd-9402-266FAF36727B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0ED642A9-9E16-4cbc-8601-964925DB7D51}	{C092A009-1532-4687-ABC7-3BBF5F8F61F7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{32496C92-CA90-42b1-8223-7E3B8364F62B}\stubpath = "C:\\Windows\\{32496C92-CA90-42b1-8223-7E3B8364F62B}.exe"	{0ED642A9-9E16-4cbc-8601-964925DB7D51}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EF849E26-EE7B-4702-B04C-17ADA7130A11}\stubpath = "C:\\Windows\\{EF849E26-EE7B-4702-B04C-17ADA7130A11}.exe"	{32496C92-CA90-42b1-8223-7E3B8364F62B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D6BFE507-7259-40fb-BA53-1090BAAC0B4E}\stubpath = "C:\\Windows\\{D6BFE507-7259-40fb-BA53-1090BAAC0B4E}.exe"	{2B773AC3-ECFA-4859-B3CD-CEEB35716DEB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{47FAECBB-1404-4319-8C48-07C0F926E0FF}	{D6BFE507-7259-40fb-BA53-1090BAAC0B4E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2D8B63C7-5C4A-49fd-9402-266FAF36727B}\stubpath = "C:\\Windows\\{2D8B63C7-5C4A-49fd-9402-266FAF36727B}.exe"	{47FAECBB-1404-4319-8C48-07C0F926E0FF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BEBDF04A-DCD3-4f2f-8A25-5B6B51050BD3}\stubpath = "C:\\Windows\\{BEBDF04A-DCD3-4f2f-8A25-5B6B51050BD3}.exe"	{2D8B63C7-5C4A-49fd-9402-266FAF36727B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C092A009-1532-4687-ABC7-3BBF5F8F61F7}	{59402123-DA9F-4f3d-B2FC-19EFE855DD52}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8EAE81AA-14DD-420c-B5FF-160DC42FCFBD}	{EF849E26-EE7B-4702-B04C-17ADA7130A11}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8EAE81AA-14DD-420c-B5FF-160DC42FCFBD}\stubpath = "C:\\Windows\\{8EAE81AA-14DD-420c-B5FF-160DC42FCFBD}.exe"	{EF849E26-EE7B-4702-B04C-17ADA7130A11}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2B773AC3-ECFA-4859-B3CD-CEEB35716DEB}	2024-04-20_1be85fc73534ed8bf5202dcfe75ca233_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{59402123-DA9F-4f3d-B2FC-19EFE855DD52}	{BEBDF04A-DCD3-4f2f-8A25-5B6B51050BD3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{59402123-DA9F-4f3d-B2FC-19EFE855DD52}\stubpath = "C:\\Windows\\{59402123-DA9F-4f3d-B2FC-19EFE855DD52}.exe"	{BEBDF04A-DCD3-4f2f-8A25-5B6B51050BD3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C092A009-1532-4687-ABC7-3BBF5F8F61F7}\stubpath = "C:\\Windows\\{C092A009-1532-4687-ABC7-3BBF5F8F61F7}.exe"	{59402123-DA9F-4f3d-B2FC-19EFE855DD52}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{32496C92-CA90-42b1-8223-7E3B8364F62B}	{0ED642A9-9E16-4cbc-8601-964925DB7D51}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D6BFE507-7259-40fb-BA53-1090BAAC0B4E}	{2B773AC3-ECFA-4859-B3CD-CEEB35716DEB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{47FAECBB-1404-4319-8C48-07C0F926E0FF}\stubpath = "C:\\Windows\\{47FAECBB-1404-4319-8C48-07C0F926E0FF}.exe"	{D6BFE507-7259-40fb-BA53-1090BAAC0B4E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2D8B63C7-5C4A-49fd-9402-266FAF36727B}	{47FAECBB-1404-4319-8C48-07C0F926E0FF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0ED642A9-9E16-4cbc-8601-964925DB7D51}\stubpath = "C:\\Windows\\{0ED642A9-9E16-4cbc-8601-964925DB7D51}.exe"	{C092A009-1532-4687-ABC7-3BBF5F8F61F7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EF849E26-EE7B-4702-B04C-17ADA7130A11}	{32496C92-CA90-42b1-8223-7E3B8364F62B}.exe

Deletes itself 1 IoCs

pid	Process
2508	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2896	{2B773AC3-ECFA-4859-B3CD-CEEB35716DEB}.exe
2920	{D6BFE507-7259-40fb-BA53-1090BAAC0B4E}.exe
1656	{47FAECBB-1404-4319-8C48-07C0F926E0FF}.exe
2108	{2D8B63C7-5C4A-49fd-9402-266FAF36727B}.exe
2692	{BEBDF04A-DCD3-4f2f-8A25-5B6B51050BD3}.exe
1580	{59402123-DA9F-4f3d-B2FC-19EFE855DD52}.exe
2112	{C092A009-1532-4687-ABC7-3BBF5F8F61F7}.exe
868	{0ED642A9-9E16-4cbc-8601-964925DB7D51}.exe
2188	{32496C92-CA90-42b1-8223-7E3B8364F62B}.exe
2764	{EF849E26-EE7B-4702-B04C-17ADA7130A11}.exe
1172	{8EAE81AA-14DD-420c-B5FF-160DC42FCFBD}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{47FAECBB-1404-4319-8C48-07C0F926E0FF}.exe	{D6BFE507-7259-40fb-BA53-1090BAAC0B4E}.exe
File created	C:\Windows\{BEBDF04A-DCD3-4f2f-8A25-5B6B51050BD3}.exe	{2D8B63C7-5C4A-49fd-9402-266FAF36727B}.exe
File created	C:\Windows\{59402123-DA9F-4f3d-B2FC-19EFE855DD52}.exe	{BEBDF04A-DCD3-4f2f-8A25-5B6B51050BD3}.exe
File created	C:\Windows\{C092A009-1532-4687-ABC7-3BBF5F8F61F7}.exe	{59402123-DA9F-4f3d-B2FC-19EFE855DD52}.exe
File created	C:\Windows\{0ED642A9-9E16-4cbc-8601-964925DB7D51}.exe	{C092A009-1532-4687-ABC7-3BBF5F8F61F7}.exe
File created	C:\Windows\{32496C92-CA90-42b1-8223-7E3B8364F62B}.exe	{0ED642A9-9E16-4cbc-8601-964925DB7D51}.exe
File created	C:\Windows\{2B773AC3-ECFA-4859-B3CD-CEEB35716DEB}.exe	2024-04-20_1be85fc73534ed8bf5202dcfe75ca233_goldeneye.exe
File created	C:\Windows\{D6BFE507-7259-40fb-BA53-1090BAAC0B4E}.exe	{2B773AC3-ECFA-4859-B3CD-CEEB35716DEB}.exe
File created	C:\Windows\{2D8B63C7-5C4A-49fd-9402-266FAF36727B}.exe	{47FAECBB-1404-4319-8C48-07C0F926E0FF}.exe
File created	C:\Windows\{EF849E26-EE7B-4702-B04C-17ADA7130A11}.exe	{32496C92-CA90-42b1-8223-7E3B8364F62B}.exe
File created	C:\Windows\{8EAE81AA-14DD-420c-B5FF-160DC42FCFBD}.exe	{EF849E26-EE7B-4702-B04C-17ADA7130A11}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2460	2024-04-20_1be85fc73534ed8bf5202dcfe75ca233_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2896	{2B773AC3-ECFA-4859-B3CD-CEEB35716DEB}.exe
Token: SeIncBasePriorityPrivilege	2920	{D6BFE507-7259-40fb-BA53-1090BAAC0B4E}.exe
Token: SeIncBasePriorityPrivilege	1656	{47FAECBB-1404-4319-8C48-07C0F926E0FF}.exe
Token: SeIncBasePriorityPrivilege	2108	{2D8B63C7-5C4A-49fd-9402-266FAF36727B}.exe
Token: SeIncBasePriorityPrivilege	2692	{BEBDF04A-DCD3-4f2f-8A25-5B6B51050BD3}.exe
Token: SeIncBasePriorityPrivilege	1580	{59402123-DA9F-4f3d-B2FC-19EFE855DD52}.exe
Token: SeIncBasePriorityPrivilege	2112	{C092A009-1532-4687-ABC7-3BBF5F8F61F7}.exe
Token: SeIncBasePriorityPrivilege	868	{0ED642A9-9E16-4cbc-8601-964925DB7D51}.exe
Token: SeIncBasePriorityPrivilege	2188	{32496C92-CA90-42b1-8223-7E3B8364F62B}.exe
Token: SeIncBasePriorityPrivilege	2764	{EF849E26-EE7B-4702-B04C-17ADA7130A11}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2460 wrote to memory of 2896	2460	2024-04-20_1be85fc73534ed8bf5202dcfe75ca233_goldeneye.exe	28
PID 2460 wrote to memory of 2896	2460	2024-04-20_1be85fc73534ed8bf5202dcfe75ca233_goldeneye.exe	28
PID 2460 wrote to memory of 2896	2460	2024-04-20_1be85fc73534ed8bf5202dcfe75ca233_goldeneye.exe	28
PID 2460 wrote to memory of 2896	2460	2024-04-20_1be85fc73534ed8bf5202dcfe75ca233_goldeneye.exe	28
PID 2460 wrote to memory of 2508	2460	2024-04-20_1be85fc73534ed8bf5202dcfe75ca233_goldeneye.exe	29
PID 2460 wrote to memory of 2508	2460	2024-04-20_1be85fc73534ed8bf5202dcfe75ca233_goldeneye.exe	29
PID 2460 wrote to memory of 2508	2460	2024-04-20_1be85fc73534ed8bf5202dcfe75ca233_goldeneye.exe	29
PID 2460 wrote to memory of 2508	2460	2024-04-20_1be85fc73534ed8bf5202dcfe75ca233_goldeneye.exe	29
PID 2896 wrote to memory of 2920	2896	{2B773AC3-ECFA-4859-B3CD-CEEB35716DEB}.exe	30
PID 2896 wrote to memory of 2920	2896	{2B773AC3-ECFA-4859-B3CD-CEEB35716DEB}.exe	30
PID 2896 wrote to memory of 2920	2896	{2B773AC3-ECFA-4859-B3CD-CEEB35716DEB}.exe	30
PID 2896 wrote to memory of 2920	2896	{2B773AC3-ECFA-4859-B3CD-CEEB35716DEB}.exe	30
PID 2896 wrote to memory of 2412	2896	{2B773AC3-ECFA-4859-B3CD-CEEB35716DEB}.exe	31
PID 2896 wrote to memory of 2412	2896	{2B773AC3-ECFA-4859-B3CD-CEEB35716DEB}.exe	31
PID 2896 wrote to memory of 2412	2896	{2B773AC3-ECFA-4859-B3CD-CEEB35716DEB}.exe	31
PID 2896 wrote to memory of 2412	2896	{2B773AC3-ECFA-4859-B3CD-CEEB35716DEB}.exe	31
PID 2920 wrote to memory of 1656	2920	{D6BFE507-7259-40fb-BA53-1090BAAC0B4E}.exe	32
PID 2920 wrote to memory of 1656	2920	{D6BFE507-7259-40fb-BA53-1090BAAC0B4E}.exe	32
PID 2920 wrote to memory of 1656	2920	{D6BFE507-7259-40fb-BA53-1090BAAC0B4E}.exe	32
PID 2920 wrote to memory of 1656	2920	{D6BFE507-7259-40fb-BA53-1090BAAC0B4E}.exe	32
PID 2920 wrote to memory of 2492	2920	{D6BFE507-7259-40fb-BA53-1090BAAC0B4E}.exe	33
PID 2920 wrote to memory of 2492	2920	{D6BFE507-7259-40fb-BA53-1090BAAC0B4E}.exe	33
PID 2920 wrote to memory of 2492	2920	{D6BFE507-7259-40fb-BA53-1090BAAC0B4E}.exe	33
PID 2920 wrote to memory of 2492	2920	{D6BFE507-7259-40fb-BA53-1090BAAC0B4E}.exe	33
PID 1656 wrote to memory of 2108	1656	{47FAECBB-1404-4319-8C48-07C0F926E0FF}.exe	36
PID 1656 wrote to memory of 2108	1656	{47FAECBB-1404-4319-8C48-07C0F926E0FF}.exe	36
PID 1656 wrote to memory of 2108	1656	{47FAECBB-1404-4319-8C48-07C0F926E0FF}.exe	36
PID 1656 wrote to memory of 2108	1656	{47FAECBB-1404-4319-8C48-07C0F926E0FF}.exe	36
PID 1656 wrote to memory of 884	1656	{47FAECBB-1404-4319-8C48-07C0F926E0FF}.exe	37
PID 1656 wrote to memory of 884	1656	{47FAECBB-1404-4319-8C48-07C0F926E0FF}.exe	37
PID 1656 wrote to memory of 884	1656	{47FAECBB-1404-4319-8C48-07C0F926E0FF}.exe	37
PID 1656 wrote to memory of 884	1656	{47FAECBB-1404-4319-8C48-07C0F926E0FF}.exe	37
PID 2108 wrote to memory of 2692	2108	{2D8B63C7-5C4A-49fd-9402-266FAF36727B}.exe	38
PID 2108 wrote to memory of 2692	2108	{2D8B63C7-5C4A-49fd-9402-266FAF36727B}.exe	38
PID 2108 wrote to memory of 2692	2108	{2D8B63C7-5C4A-49fd-9402-266FAF36727B}.exe	38
PID 2108 wrote to memory of 2692	2108	{2D8B63C7-5C4A-49fd-9402-266FAF36727B}.exe	38
PID 2108 wrote to memory of 1976	2108	{2D8B63C7-5C4A-49fd-9402-266FAF36727B}.exe	39
PID 2108 wrote to memory of 1976	2108	{2D8B63C7-5C4A-49fd-9402-266FAF36727B}.exe	39
PID 2108 wrote to memory of 1976	2108	{2D8B63C7-5C4A-49fd-9402-266FAF36727B}.exe	39
PID 2108 wrote to memory of 1976	2108	{2D8B63C7-5C4A-49fd-9402-266FAF36727B}.exe	39
PID 2692 wrote to memory of 1580	2692	{BEBDF04A-DCD3-4f2f-8A25-5B6B51050BD3}.exe	40
PID 2692 wrote to memory of 1580	2692	{BEBDF04A-DCD3-4f2f-8A25-5B6B51050BD3}.exe	40
PID 2692 wrote to memory of 1580	2692	{BEBDF04A-DCD3-4f2f-8A25-5B6B51050BD3}.exe	40
PID 2692 wrote to memory of 1580	2692	{BEBDF04A-DCD3-4f2f-8A25-5B6B51050BD3}.exe	40
PID 2692 wrote to memory of 1576	2692	{BEBDF04A-DCD3-4f2f-8A25-5B6B51050BD3}.exe	41
PID 2692 wrote to memory of 1576	2692	{BEBDF04A-DCD3-4f2f-8A25-5B6B51050BD3}.exe	41
PID 2692 wrote to memory of 1576	2692	{BEBDF04A-DCD3-4f2f-8A25-5B6B51050BD3}.exe	41
PID 2692 wrote to memory of 1576	2692	{BEBDF04A-DCD3-4f2f-8A25-5B6B51050BD3}.exe	41
PID 1580 wrote to memory of 2112	1580	{59402123-DA9F-4f3d-B2FC-19EFE855DD52}.exe	42
PID 1580 wrote to memory of 2112	1580	{59402123-DA9F-4f3d-B2FC-19EFE855DD52}.exe	42
PID 1580 wrote to memory of 2112	1580	{59402123-DA9F-4f3d-B2FC-19EFE855DD52}.exe	42
PID 1580 wrote to memory of 2112	1580	{59402123-DA9F-4f3d-B2FC-19EFE855DD52}.exe	42
PID 1580 wrote to memory of 2284	1580	{59402123-DA9F-4f3d-B2FC-19EFE855DD52}.exe	43
PID 1580 wrote to memory of 2284	1580	{59402123-DA9F-4f3d-B2FC-19EFE855DD52}.exe	43
PID 1580 wrote to memory of 2284	1580	{59402123-DA9F-4f3d-B2FC-19EFE855DD52}.exe	43
PID 1580 wrote to memory of 2284	1580	{59402123-DA9F-4f3d-B2FC-19EFE855DD52}.exe	43
PID 2112 wrote to memory of 868	2112	{C092A009-1532-4687-ABC7-3BBF5F8F61F7}.exe	44
PID 2112 wrote to memory of 868	2112	{C092A009-1532-4687-ABC7-3BBF5F8F61F7}.exe	44
PID 2112 wrote to memory of 868	2112	{C092A009-1532-4687-ABC7-3BBF5F8F61F7}.exe	44
PID 2112 wrote to memory of 868	2112	{C092A009-1532-4687-ABC7-3BBF5F8F61F7}.exe	44
PID 2112 wrote to memory of 2016	2112	{C092A009-1532-4687-ABC7-3BBF5F8F61F7}.exe	45
PID 2112 wrote to memory of 2016	2112	{C092A009-1532-4687-ABC7-3BBF5F8F61F7}.exe	45
PID 2112 wrote to memory of 2016	2112	{C092A009-1532-4687-ABC7-3BBF5F8F61F7}.exe	45
PID 2112 wrote to memory of 2016	2112	{C092A009-1532-4687-ABC7-3BBF5F8F61F7}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-04-20_1be85fc73534ed8bf5202dcfe75ca233_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-20_1be85fc73534ed8bf5202dcfe75ca233_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2460
- C:\Windows\{2B773AC3-ECFA-4859-B3CD-CEEB35716DEB}.exe
  C:\Windows\{2B773AC3-ECFA-4859-B3CD-CEEB35716DEB}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2896
- - C:\Windows\{D6BFE507-7259-40fb-BA53-1090BAAC0B4E}.exe
    C:\Windows\{D6BFE507-7259-40fb-BA53-1090BAAC0B4E}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2920
  - - C:\Windows\{47FAECBB-1404-4319-8C48-07C0F926E0FF}.exe
      C:\Windows\{47FAECBB-1404-4319-8C48-07C0F926E0FF}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1656
    - - C:\Windows\{2D8B63C7-5C4A-49fd-9402-266FAF36727B}.exe
        
        C:\Windows\{2D8B63C7-5C4A-49fd-9402-266FAF36727B}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2108
      - C:\Windows\{BEBDF04A-DCD3-4f2f-8A25-5B6B51050BD3}.exe
        
        C:\Windows\{BEBDF04A-DCD3-4f2f-8A25-5B6B51050BD3}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2692
        
        C:\Windows\{59402123-DA9F-4f3d-B2FC-19EFE855DD52}.exe
        
        C:\Windows\{59402123-DA9F-4f3d-B2FC-19EFE855DD52}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1580
        
        C:\Windows\{C092A009-1532-4687-ABC7-3BBF5F8F61F7}.exe
        
        C:\Windows\{C092A009-1532-4687-ABC7-3BBF5F8F61F7}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2112
        
        C:\Windows\{0ED642A9-9E16-4cbc-8601-964925DB7D51}.exe
        
        C:\Windows\{0ED642A9-9E16-4cbc-8601-964925DB7D51}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:868
        
        C:\Windows\{32496C92-CA90-42b1-8223-7E3B8364F62B}.exe
        
        C:\Windows\{32496C92-CA90-42b1-8223-7E3B8364F62B}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2188
        
        C:\Windows\{EF849E26-EE7B-4702-B04C-17ADA7130A11}.exe
        
        C:\Windows\{EF849E26-EE7B-4702-B04C-17ADA7130A11}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2764
        
        C:\Windows\{8EAE81AA-14DD-420c-B5FF-160DC42FCFBD}.exe
        
        C:\Windows\{8EAE81AA-14DD-420c-B5FF-160DC42FCFBD}.exe
        12⤵
        Executes dropped EXE
        
        PID:1172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EF849~1.EXE > nul
        12⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{32496~1.EXE > nul
        11⤵
        
        PID:480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0ED64~1.EXE > nul
        10⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C092A~1.EXE > nul
        9⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{59402~1.EXE > nul
        8⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BEBDF~1.EXE > nul
        7⤵
        
        PID:1576
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2D8B6~1.EXE > nul
        6⤵
        
        PID:1976
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{47FAE~1.EXE > nul
        5⤵
        
        PID:884
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{D6BFE~1.EXE > nul
      4⤵
      PID:2492
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{2B773~1.EXE > nul
    3⤵
    PID:2412
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0ED642A9-9E16-4cbc-8601-964925DB7D51}.exe

Filesize
408KB

MD5
430647e9475ab49d60a3e9aebc76bd46

SHA1
8fb0bba8e33781f832739031e355bb62e5e944fb

SHA256
aef41b9bfc45721488a2f9789d84d86d3c9f86f84e6e65ddd1f851e6bfee1561

SHA512
0e3f96e55eb30eb6e3899e34cf7c813735d69891031cc68e909ba49fc08afdf30e663915dbdd8e745dd824830f14458f6acd55e3c754940477762f309a79ecf9

Download Submit
C:\Windows\{2B773AC3-ECFA-4859-B3CD-CEEB35716DEB}.exe

Filesize
408KB

MD5
90ad2ce68287ed935cf2fc6d528effcb

SHA1
dc8ac147fe4d089022170f8f3e359eba38ef2d68

SHA256
a138a606742dd78068e4638c6efb035426d0255f07de1d5625d1217e1c81bc89

SHA512
99f734718a5be0f931d43479595310ae1a6b589612c9eddd06456f7907d707aa1304022d79922d2d2c85e34400c9405b246ada91b7348ca20d900aba33d303fe

Download Submit
C:\Windows\{2D8B63C7-5C4A-49fd-9402-266FAF36727B}.exe

Filesize
408KB

MD5
82dc2247692ca6ee301d38429e5266d6

SHA1
54b0e111eff6c0e2916464b8395621e033c16268

SHA256
a0dd65c01b78505744bba88023e5c39e4d893060273dc0310391c7cf973721ef

SHA512
74c31670b43182d01821b1f71e1d431dee08894e703d8c8328fab871fbeaef09e06f11eb1339c3ad8be56d19dc986a091490dcc8695760d67e46df3f576de3de

Download Submit
C:\Windows\{32496C92-CA90-42b1-8223-7E3B8364F62B}.exe

Filesize
408KB

MD5
020caa5bc9491c3389c83d786fc60bf9

SHA1
2414d5f0bee7032c81f7c4db28b6080a287bee4a

SHA256
1a8be3c68b2d6f27ad84869e138c7e0f1eb4ca91813bf6976c7f1f62d659cc23

SHA512
61a64a3e089b962cf629989804528d503d436772020d23cedc586275ae75519b5e2423a29ebcc2ab6b61501f21373ab77b33d585571a7c9258564c1fd2e4cc73

Download Submit
C:\Windows\{47FAECBB-1404-4319-8C48-07C0F926E0FF}.exe

Filesize
408KB

MD5
720c8587f51f8ca02f3ade638f7e402d

SHA1
b1942763f3701feee1852a11981b73d05e484c6b

SHA256
31243ce3eb869d4672ad689f33ed1e58429d6db2a97b1065310bae1fa5bb15af

SHA512
bb6308cecca9dfb3be7a011c755fd3d007cc8a9a215ded538ae7ec5ec1ec69fabd3e58f4a1be7e03cfcfbf57de0616f2b5e4ae8d4e4a1f6f88231a50ee70ab3b

Download Submit
C:\Windows\{59402123-DA9F-4f3d-B2FC-19EFE855DD52}.exe

Filesize
408KB

MD5
e50ab4fc94f7f5acfd0caf90a56f615e

SHA1
ea786b9882a67ef477a21c081e6349004ebfffe2

SHA256
680a6cca3c4a7feee4869448289920e79f5ffe03a79a6d53a9f5b952eafd368e

SHA512
5263123e810fce7615a33e29dbd0057321c129ae8c0b6a368cb1972fb337aaa46733dd07c11fa0d7b7ff8eb7320d54457a9c2d74ae9c025bd8775ad2882c498e

Download Submit
C:\Windows\{8EAE81AA-14DD-420c-B5FF-160DC42FCFBD}.exe

Filesize
408KB

MD5
6fa32323b66110c343767d78ede0a276

SHA1
7636eac99a54e9cb17f34ab4ae9bc4f0e8c1884d

SHA256
ae2240940a04795a8c99e0c932dec25041014c91a53989886d9d1383bb8d80c8

SHA512
ce3384a4021730103301d4f940b2e2cd00e090c1d7d2687bfa60b73cbafce696d7e5321dab651d0cc03920aa39bf3d664573c810d86591934502a9ed1ea78488

Download Submit
C:\Windows\{BEBDF04A-DCD3-4f2f-8A25-5B6B51050BD3}.exe

Filesize
408KB

MD5
4c74d1ee1becf9a3ddf5a9d051b69dc8

SHA1
a64004853578900abe7d874725f4ff6a16b4e269

SHA256
6eda7a1a69793d72baf45509756211383359913a8b6efb81007d6769d129fb94

SHA512
010819823efa87a9fbe505fa768cd99d9af2fc1527654102cab96fdc7049716a6ec69135e6259130e806803851f50b82ec37f3cc65b95e0d3c679d15feb44609

Download Submit
C:\Windows\{C092A009-1532-4687-ABC7-3BBF5F8F61F7}.exe

Filesize
408KB

MD5
78f486e01f9a0d87794f7a33550b4ee4

SHA1
2d756cb18998a426b3f60fb6a72643734957873d

SHA256
72b2304a66b706c8a0fb8f34bdeb576dc9b7ff3cc1124dfedcd5e4c1ff225f0c

SHA512
1621cd5c34acb3f06e63149a9f27df8bcc2e76c91d36e03a5fe3eae85613d44dc2ff350ffcb68060a551cd181d2642b767dd403a832e3a88ab2ffa97ad1cf0ac

Download Submit
C:\Windows\{D6BFE507-7259-40fb-BA53-1090BAAC0B4E}.exe

Filesize
408KB

MD5
b4f900fc31bd23212fb673f33352816e

SHA1
907a635cce1822da7a8477e840318086be398ccc

SHA256
193094f24cce3cb3bf5b96b71e420a5ba9c14f34f711d8e78b744d913a32199d

SHA512
22ae1c83621a3a200fd3d2c19e8a0790eadecf32c75405e7186a41cb596ff28213f8485b5d4e39132a5ad9a075161ee3c261c1a3dae03cd75ce675ad8b6f545e

Download Submit
C:\Windows\{EF849E26-EE7B-4702-B04C-17ADA7130A11}.exe

Filesize
408KB

MD5
4c6afe62ba737f1b081183ebc6402214

SHA1
6cdfe59d96c1565d807bd31748e7b3ce119eebe4

SHA256
49db0870663c2ffbda4be4f76a4c978ea030acde3d7f3a1606715faa6f9c18f5

SHA512
88afc3a54de56b9e8d2f46222a90109b1e385232e25e1485fbd6c20ef53cc0f615110183c8ef0798fe4617388c870e05d73b0a26d6f434739cb868c605c61e26

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads