85191e34335b692c38d5fc04abeaca72356354ed7a5f400decefad04dd2a897f

Analysis

max time kernel
144s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
20/04/2024, 20:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-20_e7c8f53262da78b713698ed11e4403c6_goldeneye.exe
Size

204KB
MD5

e7c8f53262da78b713698ed11e4403c6
SHA1

89c4322d4d592e303243c0ceca1861c5aa8d2376
SHA256

85191e34335b692c38d5fc04abeaca72356354ed7a5f400decefad04dd2a897f
SHA512

754d9a72967b5ee9af16c103fe23f700d3098f772adef9e1f7dd1dd6be89e55ab92996f3e37a4a8a5ba98f6c2e87e4d137aee64db9e659ae86c5da0e50ecb2a9
SSDEEP

1536:1EGh0o0l15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0o0l1OPOe2MUVg3Ve+rXfMUy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000b00000001224e-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00080000000122cd-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c00000001224e-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x003400000001567f-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e00000001568c-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x003500000001567f-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f00000001568c-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000015cba-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001000000001568c-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000015cba-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{984AEC56-1FAD-47e1-91E5-DE1EA9247005}\stubpath = "C:\\Windows\\{984AEC56-1FAD-47e1-91E5-DE1EA9247005}.exe"	{8B2B865D-B107-47cd-9AEE-BCFE03153FF9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EC15A809-A7D1-42af-BF22-E2F3A4E0C7A6}	{7724DED6-974B-414d-9C14-C29E2F0F853A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{86E7FAE9-0D46-4ec7-BE97-2AE5CFB01E87}	2024-04-20_e7c8f53262da78b713698ed11e4403c6_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8B2B865D-B107-47cd-9AEE-BCFE03153FF9}\stubpath = "C:\\Windows\\{8B2B865D-B107-47cd-9AEE-BCFE03153FF9}.exe"	{9F3DCB51-2418-4c48-AB38-18B9A97CA67A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{984AEC56-1FAD-47e1-91E5-DE1EA9247005}	{8B2B865D-B107-47cd-9AEE-BCFE03153FF9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{663D4B7F-C4B9-4d72-BF95-32F54D515D15}	{EC15A809-A7D1-42af-BF22-E2F3A4E0C7A6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3C8A933F-4935-4d67-8FD6-6C64A2D81BF3}\stubpath = "C:\\Windows\\{3C8A933F-4935-4d67-8FD6-6C64A2D81BF3}.exe"	{1DE2DA46-61D4-460c-BAD5-8C538FD60260}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{33EA3314-335E-49c1-9AB1-CE7C08FAAC26}	{3C8A933F-4935-4d67-8FD6-6C64A2D81BF3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9F3DCB51-2418-4c48-AB38-18B9A97CA67A}\stubpath = "C:\\Windows\\{9F3DCB51-2418-4c48-AB38-18B9A97CA67A}.exe"	{86E7FAE9-0D46-4ec7-BE97-2AE5CFB01E87}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7724DED6-974B-414d-9C14-C29E2F0F853A}	{984AEC56-1FAD-47e1-91E5-DE1EA9247005}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EC15A809-A7D1-42af-BF22-E2F3A4E0C7A6}\stubpath = "C:\\Windows\\{EC15A809-A7D1-42af-BF22-E2F3A4E0C7A6}.exe"	{7724DED6-974B-414d-9C14-C29E2F0F853A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{663D4B7F-C4B9-4d72-BF95-32F54D515D15}\stubpath = "C:\\Windows\\{663D4B7F-C4B9-4d72-BF95-32F54D515D15}.exe"	{EC15A809-A7D1-42af-BF22-E2F3A4E0C7A6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1341F80B-263C-4a19-9BD1-8145CDA80B4C}	{663D4B7F-C4B9-4d72-BF95-32F54D515D15}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1DE2DA46-61D4-460c-BAD5-8C538FD60260}	{1341F80B-263C-4a19-9BD1-8145CDA80B4C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3C8A933F-4935-4d67-8FD6-6C64A2D81BF3}	{1DE2DA46-61D4-460c-BAD5-8C538FD60260}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{33EA3314-335E-49c1-9AB1-CE7C08FAAC26}\stubpath = "C:\\Windows\\{33EA3314-335E-49c1-9AB1-CE7C08FAAC26}.exe"	{3C8A933F-4935-4d67-8FD6-6C64A2D81BF3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{86E7FAE9-0D46-4ec7-BE97-2AE5CFB01E87}\stubpath = "C:\\Windows\\{86E7FAE9-0D46-4ec7-BE97-2AE5CFB01E87}.exe"	2024-04-20_e7c8f53262da78b713698ed11e4403c6_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9F3DCB51-2418-4c48-AB38-18B9A97CA67A}	{86E7FAE9-0D46-4ec7-BE97-2AE5CFB01E87}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8B2B865D-B107-47cd-9AEE-BCFE03153FF9}	{9F3DCB51-2418-4c48-AB38-18B9A97CA67A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7724DED6-974B-414d-9C14-C29E2F0F853A}\stubpath = "C:\\Windows\\{7724DED6-974B-414d-9C14-C29E2F0F853A}.exe"	{984AEC56-1FAD-47e1-91E5-DE1EA9247005}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1341F80B-263C-4a19-9BD1-8145CDA80B4C}\stubpath = "C:\\Windows\\{1341F80B-263C-4a19-9BD1-8145CDA80B4C}.exe"	{663D4B7F-C4B9-4d72-BF95-32F54D515D15}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1DE2DA46-61D4-460c-BAD5-8C538FD60260}\stubpath = "C:\\Windows\\{1DE2DA46-61D4-460c-BAD5-8C538FD60260}.exe"	{1341F80B-263C-4a19-9BD1-8145CDA80B4C}.exe

Deletes itself 1 IoCs

pid	Process
2600	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2236	{86E7FAE9-0D46-4ec7-BE97-2AE5CFB01E87}.exe
2632	{9F3DCB51-2418-4c48-AB38-18B9A97CA67A}.exe
2556	{8B2B865D-B107-47cd-9AEE-BCFE03153FF9}.exe
2480	{984AEC56-1FAD-47e1-91E5-DE1EA9247005}.exe
1904	{7724DED6-974B-414d-9C14-C29E2F0F853A}.exe
556	{EC15A809-A7D1-42af-BF22-E2F3A4E0C7A6}.exe
2672	{663D4B7F-C4B9-4d72-BF95-32F54D515D15}.exe
1060	{1341F80B-263C-4a19-9BD1-8145CDA80B4C}.exe
1340	{1DE2DA46-61D4-460c-BAD5-8C538FD60260}.exe
1920	{3C8A933F-4935-4d67-8FD6-6C64A2D81BF3}.exe
1424	{33EA3314-335E-49c1-9AB1-CE7C08FAAC26}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{EC15A809-A7D1-42af-BF22-E2F3A4E0C7A6}.exe	{7724DED6-974B-414d-9C14-C29E2F0F853A}.exe
File created	C:\Windows\{1DE2DA46-61D4-460c-BAD5-8C538FD60260}.exe	{1341F80B-263C-4a19-9BD1-8145CDA80B4C}.exe
File created	C:\Windows\{3C8A933F-4935-4d67-8FD6-6C64A2D81BF3}.exe	{1DE2DA46-61D4-460c-BAD5-8C538FD60260}.exe
File created	C:\Windows\{8B2B865D-B107-47cd-9AEE-BCFE03153FF9}.exe	{9F3DCB51-2418-4c48-AB38-18B9A97CA67A}.exe
File created	C:\Windows\{984AEC56-1FAD-47e1-91E5-DE1EA9247005}.exe	{8B2B865D-B107-47cd-9AEE-BCFE03153FF9}.exe
File created	C:\Windows\{7724DED6-974B-414d-9C14-C29E2F0F853A}.exe	{984AEC56-1FAD-47e1-91E5-DE1EA9247005}.exe
File created	C:\Windows\{663D4B7F-C4B9-4d72-BF95-32F54D515D15}.exe	{EC15A809-A7D1-42af-BF22-E2F3A4E0C7A6}.exe
File created	C:\Windows\{1341F80B-263C-4a19-9BD1-8145CDA80B4C}.exe	{663D4B7F-C4B9-4d72-BF95-32F54D515D15}.exe
File created	C:\Windows\{33EA3314-335E-49c1-9AB1-CE7C08FAAC26}.exe	{3C8A933F-4935-4d67-8FD6-6C64A2D81BF3}.exe
File created	C:\Windows\{86E7FAE9-0D46-4ec7-BE97-2AE5CFB01E87}.exe	2024-04-20_e7c8f53262da78b713698ed11e4403c6_goldeneye.exe
File created	C:\Windows\{9F3DCB51-2418-4c48-AB38-18B9A97CA67A}.exe	{86E7FAE9-0D46-4ec7-BE97-2AE5CFB01E87}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	996	2024-04-20_e7c8f53262da78b713698ed11e4403c6_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2236	{86E7FAE9-0D46-4ec7-BE97-2AE5CFB01E87}.exe
Token: SeIncBasePriorityPrivilege	2632	{9F3DCB51-2418-4c48-AB38-18B9A97CA67A}.exe
Token: SeIncBasePriorityPrivilege	2556	{8B2B865D-B107-47cd-9AEE-BCFE03153FF9}.exe
Token: SeIncBasePriorityPrivilege	2480	{984AEC56-1FAD-47e1-91E5-DE1EA9247005}.exe
Token: SeIncBasePriorityPrivilege	1904	{7724DED6-974B-414d-9C14-C29E2F0F853A}.exe
Token: SeIncBasePriorityPrivilege	556	{EC15A809-A7D1-42af-BF22-E2F3A4E0C7A6}.exe
Token: SeIncBasePriorityPrivilege	2672	{663D4B7F-C4B9-4d72-BF95-32F54D515D15}.exe
Token: SeIncBasePriorityPrivilege	1060	{1341F80B-263C-4a19-9BD1-8145CDA80B4C}.exe
Token: SeIncBasePriorityPrivilege	1340	{1DE2DA46-61D4-460c-BAD5-8C538FD60260}.exe
Token: SeIncBasePriorityPrivilege	1920	{3C8A933F-4935-4d67-8FD6-6C64A2D81BF3}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 996 wrote to memory of 2236	996	2024-04-20_e7c8f53262da78b713698ed11e4403c6_goldeneye.exe	28
PID 996 wrote to memory of 2236	996	2024-04-20_e7c8f53262da78b713698ed11e4403c6_goldeneye.exe	28
PID 996 wrote to memory of 2236	996	2024-04-20_e7c8f53262da78b713698ed11e4403c6_goldeneye.exe	28
PID 996 wrote to memory of 2236	996	2024-04-20_e7c8f53262da78b713698ed11e4403c6_goldeneye.exe	28
PID 996 wrote to memory of 2600	996	2024-04-20_e7c8f53262da78b713698ed11e4403c6_goldeneye.exe	29
PID 996 wrote to memory of 2600	996	2024-04-20_e7c8f53262da78b713698ed11e4403c6_goldeneye.exe	29
PID 996 wrote to memory of 2600	996	2024-04-20_e7c8f53262da78b713698ed11e4403c6_goldeneye.exe	29
PID 996 wrote to memory of 2600	996	2024-04-20_e7c8f53262da78b713698ed11e4403c6_goldeneye.exe	29
PID 2236 wrote to memory of 2632	2236	{86E7FAE9-0D46-4ec7-BE97-2AE5CFB01E87}.exe	30
PID 2236 wrote to memory of 2632	2236	{86E7FAE9-0D46-4ec7-BE97-2AE5CFB01E87}.exe	30
PID 2236 wrote to memory of 2632	2236	{86E7FAE9-0D46-4ec7-BE97-2AE5CFB01E87}.exe	30
PID 2236 wrote to memory of 2632	2236	{86E7FAE9-0D46-4ec7-BE97-2AE5CFB01E87}.exe	30
PID 2236 wrote to memory of 2508	2236	{86E7FAE9-0D46-4ec7-BE97-2AE5CFB01E87}.exe	31
PID 2236 wrote to memory of 2508	2236	{86E7FAE9-0D46-4ec7-BE97-2AE5CFB01E87}.exe	31
PID 2236 wrote to memory of 2508	2236	{86E7FAE9-0D46-4ec7-BE97-2AE5CFB01E87}.exe	31
PID 2236 wrote to memory of 2508	2236	{86E7FAE9-0D46-4ec7-BE97-2AE5CFB01E87}.exe	31
PID 2632 wrote to memory of 2556	2632	{9F3DCB51-2418-4c48-AB38-18B9A97CA67A}.exe	32
PID 2632 wrote to memory of 2556	2632	{9F3DCB51-2418-4c48-AB38-18B9A97CA67A}.exe	32
PID 2632 wrote to memory of 2556	2632	{9F3DCB51-2418-4c48-AB38-18B9A97CA67A}.exe	32
PID 2632 wrote to memory of 2556	2632	{9F3DCB51-2418-4c48-AB38-18B9A97CA67A}.exe	32
PID 2632 wrote to memory of 304	2632	{9F3DCB51-2418-4c48-AB38-18B9A97CA67A}.exe	33
PID 2632 wrote to memory of 304	2632	{9F3DCB51-2418-4c48-AB38-18B9A97CA67A}.exe	33
PID 2632 wrote to memory of 304	2632	{9F3DCB51-2418-4c48-AB38-18B9A97CA67A}.exe	33
PID 2632 wrote to memory of 304	2632	{9F3DCB51-2418-4c48-AB38-18B9A97CA67A}.exe	33
PID 2556 wrote to memory of 2480	2556	{8B2B865D-B107-47cd-9AEE-BCFE03153FF9}.exe	36
PID 2556 wrote to memory of 2480	2556	{8B2B865D-B107-47cd-9AEE-BCFE03153FF9}.exe	36
PID 2556 wrote to memory of 2480	2556	{8B2B865D-B107-47cd-9AEE-BCFE03153FF9}.exe	36
PID 2556 wrote to memory of 2480	2556	{8B2B865D-B107-47cd-9AEE-BCFE03153FF9}.exe	36
PID 2556 wrote to memory of 2784	2556	{8B2B865D-B107-47cd-9AEE-BCFE03153FF9}.exe	37
PID 2556 wrote to memory of 2784	2556	{8B2B865D-B107-47cd-9AEE-BCFE03153FF9}.exe	37
PID 2556 wrote to memory of 2784	2556	{8B2B865D-B107-47cd-9AEE-BCFE03153FF9}.exe	37
PID 2556 wrote to memory of 2784	2556	{8B2B865D-B107-47cd-9AEE-BCFE03153FF9}.exe	37
PID 2480 wrote to memory of 1904	2480	{984AEC56-1FAD-47e1-91E5-DE1EA9247005}.exe	38
PID 2480 wrote to memory of 1904	2480	{984AEC56-1FAD-47e1-91E5-DE1EA9247005}.exe	38
PID 2480 wrote to memory of 1904	2480	{984AEC56-1FAD-47e1-91E5-DE1EA9247005}.exe	38
PID 2480 wrote to memory of 1904	2480	{984AEC56-1FAD-47e1-91E5-DE1EA9247005}.exe	38
PID 2480 wrote to memory of 1444	2480	{984AEC56-1FAD-47e1-91E5-DE1EA9247005}.exe	39
PID 2480 wrote to memory of 1444	2480	{984AEC56-1FAD-47e1-91E5-DE1EA9247005}.exe	39
PID 2480 wrote to memory of 1444	2480	{984AEC56-1FAD-47e1-91E5-DE1EA9247005}.exe	39
PID 2480 wrote to memory of 1444	2480	{984AEC56-1FAD-47e1-91E5-DE1EA9247005}.exe	39
PID 1904 wrote to memory of 556	1904	{7724DED6-974B-414d-9C14-C29E2F0F853A}.exe	40
PID 1904 wrote to memory of 556	1904	{7724DED6-974B-414d-9C14-C29E2F0F853A}.exe	40
PID 1904 wrote to memory of 556	1904	{7724DED6-974B-414d-9C14-C29E2F0F853A}.exe	40
PID 1904 wrote to memory of 556	1904	{7724DED6-974B-414d-9C14-C29E2F0F853A}.exe	40
PID 1904 wrote to memory of 2680	1904	{7724DED6-974B-414d-9C14-C29E2F0F853A}.exe	41
PID 1904 wrote to memory of 2680	1904	{7724DED6-974B-414d-9C14-C29E2F0F853A}.exe	41
PID 1904 wrote to memory of 2680	1904	{7724DED6-974B-414d-9C14-C29E2F0F853A}.exe	41
PID 1904 wrote to memory of 2680	1904	{7724DED6-974B-414d-9C14-C29E2F0F853A}.exe	41
PID 556 wrote to memory of 2672	556	{EC15A809-A7D1-42af-BF22-E2F3A4E0C7A6}.exe	42
PID 556 wrote to memory of 2672	556	{EC15A809-A7D1-42af-BF22-E2F3A4E0C7A6}.exe	42
PID 556 wrote to memory of 2672	556	{EC15A809-A7D1-42af-BF22-E2F3A4E0C7A6}.exe	42
PID 556 wrote to memory of 2672	556	{EC15A809-A7D1-42af-BF22-E2F3A4E0C7A6}.exe	42
PID 556 wrote to memory of 2664	556	{EC15A809-A7D1-42af-BF22-E2F3A4E0C7A6}.exe	43
PID 556 wrote to memory of 2664	556	{EC15A809-A7D1-42af-BF22-E2F3A4E0C7A6}.exe	43
PID 556 wrote to memory of 2664	556	{EC15A809-A7D1-42af-BF22-E2F3A4E0C7A6}.exe	43
PID 556 wrote to memory of 2664	556	{EC15A809-A7D1-42af-BF22-E2F3A4E0C7A6}.exe	43
PID 2672 wrote to memory of 1060	2672	{663D4B7F-C4B9-4d72-BF95-32F54D515D15}.exe	44
PID 2672 wrote to memory of 1060	2672	{663D4B7F-C4B9-4d72-BF95-32F54D515D15}.exe	44
PID 2672 wrote to memory of 1060	2672	{663D4B7F-C4B9-4d72-BF95-32F54D515D15}.exe	44
PID 2672 wrote to memory of 1060	2672	{663D4B7F-C4B9-4d72-BF95-32F54D515D15}.exe	44
PID 2672 wrote to memory of 1428	2672	{663D4B7F-C4B9-4d72-BF95-32F54D515D15}.exe	45
PID 2672 wrote to memory of 1428	2672	{663D4B7F-C4B9-4d72-BF95-32F54D515D15}.exe	45
PID 2672 wrote to memory of 1428	2672	{663D4B7F-C4B9-4d72-BF95-32F54D515D15}.exe	45
PID 2672 wrote to memory of 1428	2672	{663D4B7F-C4B9-4d72-BF95-32F54D515D15}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-04-20_e7c8f53262da78b713698ed11e4403c6_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-20_e7c8f53262da78b713698ed11e4403c6_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:996
- C:\Windows\{86E7FAE9-0D46-4ec7-BE97-2AE5CFB01E87}.exe
  C:\Windows\{86E7FAE9-0D46-4ec7-BE97-2AE5CFB01E87}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2236
- - C:\Windows\{9F3DCB51-2418-4c48-AB38-18B9A97CA67A}.exe
    C:\Windows\{9F3DCB51-2418-4c48-AB38-18B9A97CA67A}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2632
  - - C:\Windows\{8B2B865D-B107-47cd-9AEE-BCFE03153FF9}.exe
      C:\Windows\{8B2B865D-B107-47cd-9AEE-BCFE03153FF9}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2556
    - - C:\Windows\{984AEC56-1FAD-47e1-91E5-DE1EA9247005}.exe
        
        C:\Windows\{984AEC56-1FAD-47e1-91E5-DE1EA9247005}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2480
      - C:\Windows\{7724DED6-974B-414d-9C14-C29E2F0F853A}.exe
        
        C:\Windows\{7724DED6-974B-414d-9C14-C29E2F0F853A}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1904
        
        C:\Windows\{EC15A809-A7D1-42af-BF22-E2F3A4E0C7A6}.exe
        
        C:\Windows\{EC15A809-A7D1-42af-BF22-E2F3A4E0C7A6}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:556
        
        C:\Windows\{663D4B7F-C4B9-4d72-BF95-32F54D515D15}.exe
        
        C:\Windows\{663D4B7F-C4B9-4d72-BF95-32F54D515D15}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2672
        
        C:\Windows\{1341F80B-263C-4a19-9BD1-8145CDA80B4C}.exe
        
        C:\Windows\{1341F80B-263C-4a19-9BD1-8145CDA80B4C}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1060
        
        C:\Windows\{1DE2DA46-61D4-460c-BAD5-8C538FD60260}.exe
        
        C:\Windows\{1DE2DA46-61D4-460c-BAD5-8C538FD60260}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1340
        
        C:\Windows\{3C8A933F-4935-4d67-8FD6-6C64A2D81BF3}.exe
        
        C:\Windows\{3C8A933F-4935-4d67-8FD6-6C64A2D81BF3}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1920
        
        C:\Windows\{33EA3314-335E-49c1-9AB1-CE7C08FAAC26}.exe
        
        C:\Windows\{33EA3314-335E-49c1-9AB1-CE7C08FAAC26}.exe
        12⤵
        Executes dropped EXE
        
        PID:1424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3C8A9~1.EXE > nul
        12⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1DE2D~1.EXE > nul
        11⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1341F~1.EXE > nul
        10⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{663D4~1.EXE > nul
        9⤵
        
        PID:1428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EC15A~1.EXE > nul
        8⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7724D~1.EXE > nul
        7⤵
        
        PID:2680
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{984AE~1.EXE > nul
        6⤵
        
        PID:1444
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8B2B8~1.EXE > nul
        5⤵
        
        PID:2784
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{9F3DC~1.EXE > nul
      4⤵
      PID:304
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{86E7F~1.EXE > nul
    3⤵
    PID:2508
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1341F80B-263C-4a19-9BD1-8145CDA80B4C}.exe

Filesize
204KB

MD5
1b9fe7fd24af695cd0b728c494a6b362

SHA1
e071b7187f7e6192a7e8c819d4a1d37db74f5de0

SHA256
47f4f4328520a217721a89c4120f8fb27d6cbf21c110e441dc5b3e77999bcc02

SHA512
728aa5e5d3fc04575401ab5a0dbcc912f590376e67a4a44bb211e6127cc39787bff99177f80fa5d08adedc4f17f84ec31962b95370a462ed341b995d7d38ad62

Download Submit
C:\Windows\{1DE2DA46-61D4-460c-BAD5-8C538FD60260}.exe

Filesize
204KB

MD5
3744b7764e7991d892e18c5c30198697

SHA1
38e36c9ad11d6530ed02b9ef128aa1d8ec147ca0

SHA256
d82e26c5acd6c381c58d9c14129e06c5590e7f01b8a5fe0310a6023425cb3e98

SHA512
b122ee5b5e3fd71a9911ff867825748e94f4fd6ffc0d91dda465094f93d94d192302e10e6b29ba36d98b81e4972aa9210944a94a70baf02b5663db927d08ee52

Download Submit
C:\Windows\{33EA3314-335E-49c1-9AB1-CE7C08FAAC26}.exe

Filesize
204KB

MD5
ca1cf0d1ca0ac14f495b1eceaf2ee129

SHA1
8848a427a4f2b2069a737b9c5a6d726801e08c14

SHA256
a8010be7690b9f31e80d83e17855caba7254013c8c581a5e0d00afb1edb9067f

SHA512
3e9c08c18f9b4b86e863a12718454b58c0f87760ba691ba8648199dd77df93e3609727513eaff48d465ad331223d5e10d56746060c28cce50b520aa86841229a

Download Submit
C:\Windows\{3C8A933F-4935-4d67-8FD6-6C64A2D81BF3}.exe

Filesize
204KB

MD5
cede7581cf0686dddedd3503aee123ab

SHA1
02976f571a36ca7054e664eb930b097a7884a9dd

SHA256
9f22131e135734d3553e751fd355965348129601ba0566f3971f1533f9e5d020

SHA512
cb7ecabec747c50fcf06f2703aa96188f098d44971d9b22cbca50d88cb99f946bb3f87c9ad87b8b12adccbfa6e65192f657e5ad5e9823f7e51de910fcfaddcbf

Download Submit
C:\Windows\{663D4B7F-C4B9-4d72-BF95-32F54D515D15}.exe

Filesize
204KB

MD5
89166499e23cc295df75aa750ecbb3c5

SHA1
1fb140961c6611fd0f63fad71521a04693fe06ac

SHA256
18088edb0a40fde1c641d940d4378f92275f8c2664e100ded05963548ac16044

SHA512
7bbd1bb7956864ae72320c6e0d38b2cf6f0000bd99b2d4029f005d8b989869a8bde2208814a99c87795050ce6f240d86af878f8368a51970891957a6b6749be7

Download Submit
C:\Windows\{7724DED6-974B-414d-9C14-C29E2F0F853A}.exe

Filesize
204KB

MD5
4712b9c9e821098d544d082896bc3592

SHA1
9db232d09a3e5fd5835e5a064c51a24d9d5b706e

SHA256
f4ea2296befb7ef179b37e8441602d2845e4ff0633379db437d19ac83eca3a16

SHA512
6a3f354889af84b65c6d3b560213ea257204e1c9d18a66a4e4ee2165d346bceeee611c1bd8a1f3463cfb971a09922875ca02f4c144a65e4079d5e6212377af3a

Download Submit
C:\Windows\{86E7FAE9-0D46-4ec7-BE97-2AE5CFB01E87}.exe

Filesize
204KB

MD5
fada73ba29e0f6d5112f27204d6e9d7d

SHA1
7dff2adfeafe527352bc80ac232cd97fb815c216

SHA256
e69b889e5802e6739b8230ce035267b59bdc811ed351f36ee1a41f2de384de3b

SHA512
4e5f1fcdfaaeaf526157ebe1e67d59aba5a8ea1709ddfaba13483b319cc3bab9ca44a2bc1178080e7925be6a0d4b6e71bde54cc5ec0533d1734da6e1af5629fa

Download Submit
C:\Windows\{8B2B865D-B107-47cd-9AEE-BCFE03153FF9}.exe

Filesize
204KB

MD5
f0c0cd95a33b2df1c7956b6ee065321c

SHA1
6131b9124bf9c6dfbe1e2f167ae7a9d68c8aa297

SHA256
344d9a46fc0f55391e02aa1a913bdcbc306bfd5788710c1ea8cf34f10213c798

SHA512
4fd21e59dadcd8b1f2145dbb3b4c3b612817236948250673d1d76d09fe90d548209748f31629776866de89bfa2a67eef3068e070fd74ab57c27aae00f4d5d66f

Download Submit
C:\Windows\{984AEC56-1FAD-47e1-91E5-DE1EA9247005}.exe

Filesize
204KB

MD5
f00fe48321e3663691f031ffc3d6b288

SHA1
85344ce45f199475cf232fc7238c2e1022a1c734

SHA256
ba1b29ce88aca4124caa9340ce328ad532433e1aa81070f069651566938172f9

SHA512
08deff00c73d878cadc20bd64cacf88f4906d3178e54554ffc143276b3dba0f6ad83edb54bbbf159dd008d6fdab76801fdf2c04e67a87b135971d32c8536ac93

Download Submit
C:\Windows\{9F3DCB51-2418-4c48-AB38-18B9A97CA67A}.exe

Filesize
204KB

MD5
08197114e93e905287b8a23dc748e53a

SHA1
2ec4bcb59ca3ec5eef3c8d47e58dbb8db2702edd

SHA256
c8492b619e97d1607e8ac846a965cc5bae4a5f18a4572e7aa525dc8ad8983750

SHA512
1a3c15726185d1a6785ce9370353f1af84fbdd2c8cb7c693bcd53e59f7d513a6b18be48310846497195595a647a483fb20c8571923eebedb120dde0a637d6397

Download Submit
C:\Windows\{EC15A809-A7D1-42af-BF22-E2F3A4E0C7A6}.exe

Filesize
204KB

MD5
8731c8c4904b12aa07a7a5d2021d44d4

SHA1
92b080084738d7e5bc1823c62862d0d72e39c7aa

SHA256
881efaa52deaa686d32d6ef63f8e18ec22a8649f28307a0e4ccfff4f44fdc0c2

SHA512
04008e4dc5249909505ad406e5eb3281a13f012ef97c607f4907659cbc3686fd855a3aa9379347b1eac1b69152a28917b48e3f61063653d9a077705c1f8db63e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads