1a22b80a2ec066eb464788b8840adc31569dbf1c4cd600dcc40128e840298b0e

Analysis

max time kernel
144s
max time network
121s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
22/04/2024, 07:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-22_7a2f22b707a0ad0080e3bad72b251743_goldeneye.exe
Size

168KB
MD5

7a2f22b707a0ad0080e3bad72b251743
SHA1

b585b7803dc4fb2efb5455c1c5fc2ef6bde676a3
SHA256

1a22b80a2ec066eb464788b8840adc31569dbf1c4cd600dcc40128e840298b0e
SHA512

af9934b0b78e3c0e4f733e6eed624409ae4802f5e6c6d76cef7a8ed19f6640c0215d3a20eb44505cdf325a34425acf3a21d5f0c6c22cd19eab268d6ac0cbdeda
SSDEEP

1536:1EGh0orlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0orlqOPOe2MUVg3Ve+rX

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x0009000000014120-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00090000000141e6-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a000000014120-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000900000001447e-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000005a59-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b000000014120-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000005a59-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000014120-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000005a59-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000014120-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000005a59-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{105FBCB4-B119-4833-B96C-7DD82AFE16D6}\stubpath = "C:\\Windows\\{105FBCB4-B119-4833-B96C-7DD82AFE16D6}.exe"	{C8F3452B-EEE9-4a38-B648-E9C15DE7E28B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2C6D8CB9-E199-4734-BF4F-D82A91D53E60}\stubpath = "C:\\Windows\\{2C6D8CB9-E199-4734-BF4F-D82A91D53E60}.exe"	{FAA08026-A768-480d-AAE2-9A1C9CDDC36A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F1F841FD-4F81-4bbd-8899-3EAFFDB9AF82}\stubpath = "C:\\Windows\\{F1F841FD-4F81-4bbd-8899-3EAFFDB9AF82}.exe"	{2C6D8CB9-E199-4734-BF4F-D82A91D53E60}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{16043986-9CD3-4af5-B8DE-B4614C02D5B9}\stubpath = "C:\\Windows\\{16043986-9CD3-4af5-B8DE-B4614C02D5B9}.exe"	{F1F841FD-4F81-4bbd-8899-3EAFFDB9AF82}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CC2B98D5-9FD8-4f70-AF0B-C0E59BCCF1A6}	{60488F01-2E57-42d5-BAAB-5887200AB43C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CC2B98D5-9FD8-4f70-AF0B-C0E59BCCF1A6}\stubpath = "C:\\Windows\\{CC2B98D5-9FD8-4f70-AF0B-C0E59BCCF1A6}.exe"	{60488F01-2E57-42d5-BAAB-5887200AB43C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{02E36EE4-D8E7-4564-88E7-2A806AE6CC80}\stubpath = "C:\\Windows\\{02E36EE4-D8E7-4564-88E7-2A806AE6CC80}.exe"	{CC2B98D5-9FD8-4f70-AF0B-C0E59BCCF1A6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{299B9095-3D9A-430e-A093-4F4DE205424F}	{105FBCB4-B119-4833-B96C-7DD82AFE16D6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{299B9095-3D9A-430e-A093-4F4DE205424F}\stubpath = "C:\\Windows\\{299B9095-3D9A-430e-A093-4F4DE205424F}.exe"	{105FBCB4-B119-4833-B96C-7DD82AFE16D6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FAA08026-A768-480d-AAE2-9A1C9CDDC36A}	2024-04-22_7a2f22b707a0ad0080e3bad72b251743_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FAA08026-A768-480d-AAE2-9A1C9CDDC36A}\stubpath = "C:\\Windows\\{FAA08026-A768-480d-AAE2-9A1C9CDDC36A}.exe"	2024-04-22_7a2f22b707a0ad0080e3bad72b251743_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2C6D8CB9-E199-4734-BF4F-D82A91D53E60}	{FAA08026-A768-480d-AAE2-9A1C9CDDC36A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CE409AAB-C104-4754-8FA1-3228C1471D08}\stubpath = "C:\\Windows\\{CE409AAB-C104-4754-8FA1-3228C1471D08}.exe"	{16043986-9CD3-4af5-B8DE-B4614C02D5B9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{02E36EE4-D8E7-4564-88E7-2A806AE6CC80}	{CC2B98D5-9FD8-4f70-AF0B-C0E59BCCF1A6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C8F3452B-EEE9-4a38-B648-E9C15DE7E28B}\stubpath = "C:\\Windows\\{C8F3452B-EEE9-4a38-B648-E9C15DE7E28B}.exe"	{02E36EE4-D8E7-4564-88E7-2A806AE6CC80}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{105FBCB4-B119-4833-B96C-7DD82AFE16D6}	{C8F3452B-EEE9-4a38-B648-E9C15DE7E28B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F1F841FD-4F81-4bbd-8899-3EAFFDB9AF82}	{2C6D8CB9-E199-4734-BF4F-D82A91D53E60}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{16043986-9CD3-4af5-B8DE-B4614C02D5B9}	{F1F841FD-4F81-4bbd-8899-3EAFFDB9AF82}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CE409AAB-C104-4754-8FA1-3228C1471D08}	{16043986-9CD3-4af5-B8DE-B4614C02D5B9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{60488F01-2E57-42d5-BAAB-5887200AB43C}	{CE409AAB-C104-4754-8FA1-3228C1471D08}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{60488F01-2E57-42d5-BAAB-5887200AB43C}\stubpath = "C:\\Windows\\{60488F01-2E57-42d5-BAAB-5887200AB43C}.exe"	{CE409AAB-C104-4754-8FA1-3228C1471D08}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C8F3452B-EEE9-4a38-B648-E9C15DE7E28B}	{02E36EE4-D8E7-4564-88E7-2A806AE6CC80}.exe

Deletes itself 1 IoCs

pid	Process
2424	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2808	{FAA08026-A768-480d-AAE2-9A1C9CDDC36A}.exe
2564	{2C6D8CB9-E199-4734-BF4F-D82A91D53E60}.exe
2576	{F1F841FD-4F81-4bbd-8899-3EAFFDB9AF82}.exe
2536	{16043986-9CD3-4af5-B8DE-B4614C02D5B9}.exe
1860	{CE409AAB-C104-4754-8FA1-3228C1471D08}.exe
1988	{60488F01-2E57-42d5-BAAB-5887200AB43C}.exe
876	{CC2B98D5-9FD8-4f70-AF0B-C0E59BCCF1A6}.exe
1564	{02E36EE4-D8E7-4564-88E7-2A806AE6CC80}.exe
2752	{C8F3452B-EEE9-4a38-B648-E9C15DE7E28B}.exe
1104	{105FBCB4-B119-4833-B96C-7DD82AFE16D6}.exe
284	{299B9095-3D9A-430e-A093-4F4DE205424F}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{FAA08026-A768-480d-AAE2-9A1C9CDDC36A}.exe	2024-04-22_7a2f22b707a0ad0080e3bad72b251743_goldeneye.exe
File created	C:\Windows\{F1F841FD-4F81-4bbd-8899-3EAFFDB9AF82}.exe	{2C6D8CB9-E199-4734-BF4F-D82A91D53E60}.exe
File created	C:\Windows\{CE409AAB-C104-4754-8FA1-3228C1471D08}.exe	{16043986-9CD3-4af5-B8DE-B4614C02D5B9}.exe
File created	C:\Windows\{60488F01-2E57-42d5-BAAB-5887200AB43C}.exe	{CE409AAB-C104-4754-8FA1-3228C1471D08}.exe
File created	C:\Windows\{02E36EE4-D8E7-4564-88E7-2A806AE6CC80}.exe	{CC2B98D5-9FD8-4f70-AF0B-C0E59BCCF1A6}.exe
File created	C:\Windows\{C8F3452B-EEE9-4a38-B648-E9C15DE7E28B}.exe	{02E36EE4-D8E7-4564-88E7-2A806AE6CC80}.exe
File created	C:\Windows\{2C6D8CB9-E199-4734-BF4F-D82A91D53E60}.exe	{FAA08026-A768-480d-AAE2-9A1C9CDDC36A}.exe
File created	C:\Windows\{16043986-9CD3-4af5-B8DE-B4614C02D5B9}.exe	{F1F841FD-4F81-4bbd-8899-3EAFFDB9AF82}.exe
File created	C:\Windows\{CC2B98D5-9FD8-4f70-AF0B-C0E59BCCF1A6}.exe	{60488F01-2E57-42d5-BAAB-5887200AB43C}.exe
File created	C:\Windows\{105FBCB4-B119-4833-B96C-7DD82AFE16D6}.exe	{C8F3452B-EEE9-4a38-B648-E9C15DE7E28B}.exe
File created	C:\Windows\{299B9095-3D9A-430e-A093-4F4DE205424F}.exe	{105FBCB4-B119-4833-B96C-7DD82AFE16D6}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	836	2024-04-22_7a2f22b707a0ad0080e3bad72b251743_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2808	{FAA08026-A768-480d-AAE2-9A1C9CDDC36A}.exe
Token: SeIncBasePriorityPrivilege	2564	{2C6D8CB9-E199-4734-BF4F-D82A91D53E60}.exe
Token: SeIncBasePriorityPrivilege	2576	{F1F841FD-4F81-4bbd-8899-3EAFFDB9AF82}.exe
Token: SeIncBasePriorityPrivilege	2536	{16043986-9CD3-4af5-B8DE-B4614C02D5B9}.exe
Token: SeIncBasePriorityPrivilege	1860	{CE409AAB-C104-4754-8FA1-3228C1471D08}.exe
Token: SeIncBasePriorityPrivilege	1988	{60488F01-2E57-42d5-BAAB-5887200AB43C}.exe
Token: SeIncBasePriorityPrivilege	876	{CC2B98D5-9FD8-4f70-AF0B-C0E59BCCF1A6}.exe
Token: SeIncBasePriorityPrivilege	1564	{02E36EE4-D8E7-4564-88E7-2A806AE6CC80}.exe
Token: SeIncBasePriorityPrivilege	2752	{C8F3452B-EEE9-4a38-B648-E9C15DE7E28B}.exe
Token: SeIncBasePriorityPrivilege	1104	{105FBCB4-B119-4833-B96C-7DD82AFE16D6}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 836 wrote to memory of 2808	836	2024-04-22_7a2f22b707a0ad0080e3bad72b251743_goldeneye.exe	28
PID 836 wrote to memory of 2808	836	2024-04-22_7a2f22b707a0ad0080e3bad72b251743_goldeneye.exe	28
PID 836 wrote to memory of 2808	836	2024-04-22_7a2f22b707a0ad0080e3bad72b251743_goldeneye.exe	28
PID 836 wrote to memory of 2808	836	2024-04-22_7a2f22b707a0ad0080e3bad72b251743_goldeneye.exe	28
PID 836 wrote to memory of 2424	836	2024-04-22_7a2f22b707a0ad0080e3bad72b251743_goldeneye.exe	29
PID 836 wrote to memory of 2424	836	2024-04-22_7a2f22b707a0ad0080e3bad72b251743_goldeneye.exe	29
PID 836 wrote to memory of 2424	836	2024-04-22_7a2f22b707a0ad0080e3bad72b251743_goldeneye.exe	29
PID 836 wrote to memory of 2424	836	2024-04-22_7a2f22b707a0ad0080e3bad72b251743_goldeneye.exe	29
PID 2808 wrote to memory of 2564	2808	{FAA08026-A768-480d-AAE2-9A1C9CDDC36A}.exe	30
PID 2808 wrote to memory of 2564	2808	{FAA08026-A768-480d-AAE2-9A1C9CDDC36A}.exe	30
PID 2808 wrote to memory of 2564	2808	{FAA08026-A768-480d-AAE2-9A1C9CDDC36A}.exe	30
PID 2808 wrote to memory of 2564	2808	{FAA08026-A768-480d-AAE2-9A1C9CDDC36A}.exe	30
PID 2808 wrote to memory of 2664	2808	{FAA08026-A768-480d-AAE2-9A1C9CDDC36A}.exe	31
PID 2808 wrote to memory of 2664	2808	{FAA08026-A768-480d-AAE2-9A1C9CDDC36A}.exe	31
PID 2808 wrote to memory of 2664	2808	{FAA08026-A768-480d-AAE2-9A1C9CDDC36A}.exe	31
PID 2808 wrote to memory of 2664	2808	{FAA08026-A768-480d-AAE2-9A1C9CDDC36A}.exe	31
PID 2564 wrote to memory of 2576	2564	{2C6D8CB9-E199-4734-BF4F-D82A91D53E60}.exe	32
PID 2564 wrote to memory of 2576	2564	{2C6D8CB9-E199-4734-BF4F-D82A91D53E60}.exe	32
PID 2564 wrote to memory of 2576	2564	{2C6D8CB9-E199-4734-BF4F-D82A91D53E60}.exe	32
PID 2564 wrote to memory of 2576	2564	{2C6D8CB9-E199-4734-BF4F-D82A91D53E60}.exe	32
PID 2564 wrote to memory of 2584	2564	{2C6D8CB9-E199-4734-BF4F-D82A91D53E60}.exe	33
PID 2564 wrote to memory of 2584	2564	{2C6D8CB9-E199-4734-BF4F-D82A91D53E60}.exe	33
PID 2564 wrote to memory of 2584	2564	{2C6D8CB9-E199-4734-BF4F-D82A91D53E60}.exe	33
PID 2564 wrote to memory of 2584	2564	{2C6D8CB9-E199-4734-BF4F-D82A91D53E60}.exe	33
PID 2576 wrote to memory of 2536	2576	{F1F841FD-4F81-4bbd-8899-3EAFFDB9AF82}.exe	36
PID 2576 wrote to memory of 2536	2576	{F1F841FD-4F81-4bbd-8899-3EAFFDB9AF82}.exe	36
PID 2576 wrote to memory of 2536	2576	{F1F841FD-4F81-4bbd-8899-3EAFFDB9AF82}.exe	36
PID 2576 wrote to memory of 2536	2576	{F1F841FD-4F81-4bbd-8899-3EAFFDB9AF82}.exe	36
PID 2576 wrote to memory of 2792	2576	{F1F841FD-4F81-4bbd-8899-3EAFFDB9AF82}.exe	37
PID 2576 wrote to memory of 2792	2576	{F1F841FD-4F81-4bbd-8899-3EAFFDB9AF82}.exe	37
PID 2576 wrote to memory of 2792	2576	{F1F841FD-4F81-4bbd-8899-3EAFFDB9AF82}.exe	37
PID 2576 wrote to memory of 2792	2576	{F1F841FD-4F81-4bbd-8899-3EAFFDB9AF82}.exe	37
PID 2536 wrote to memory of 1860	2536	{16043986-9CD3-4af5-B8DE-B4614C02D5B9}.exe	38
PID 2536 wrote to memory of 1860	2536	{16043986-9CD3-4af5-B8DE-B4614C02D5B9}.exe	38
PID 2536 wrote to memory of 1860	2536	{16043986-9CD3-4af5-B8DE-B4614C02D5B9}.exe	38
PID 2536 wrote to memory of 1860	2536	{16043986-9CD3-4af5-B8DE-B4614C02D5B9}.exe	38
PID 2536 wrote to memory of 1756	2536	{16043986-9CD3-4af5-B8DE-B4614C02D5B9}.exe	39
PID 2536 wrote to memory of 1756	2536	{16043986-9CD3-4af5-B8DE-B4614C02D5B9}.exe	39
PID 2536 wrote to memory of 1756	2536	{16043986-9CD3-4af5-B8DE-B4614C02D5B9}.exe	39
PID 2536 wrote to memory of 1756	2536	{16043986-9CD3-4af5-B8DE-B4614C02D5B9}.exe	39
PID 1860 wrote to memory of 1988	1860	{CE409AAB-C104-4754-8FA1-3228C1471D08}.exe	40
PID 1860 wrote to memory of 1988	1860	{CE409AAB-C104-4754-8FA1-3228C1471D08}.exe	40
PID 1860 wrote to memory of 1988	1860	{CE409AAB-C104-4754-8FA1-3228C1471D08}.exe	40
PID 1860 wrote to memory of 1988	1860	{CE409AAB-C104-4754-8FA1-3228C1471D08}.exe	40
PID 1860 wrote to memory of 1716	1860	{CE409AAB-C104-4754-8FA1-3228C1471D08}.exe	41
PID 1860 wrote to memory of 1716	1860	{CE409AAB-C104-4754-8FA1-3228C1471D08}.exe	41
PID 1860 wrote to memory of 1716	1860	{CE409AAB-C104-4754-8FA1-3228C1471D08}.exe	41
PID 1860 wrote to memory of 1716	1860	{CE409AAB-C104-4754-8FA1-3228C1471D08}.exe	41
PID 1988 wrote to memory of 876	1988	{60488F01-2E57-42d5-BAAB-5887200AB43C}.exe	42
PID 1988 wrote to memory of 876	1988	{60488F01-2E57-42d5-BAAB-5887200AB43C}.exe	42
PID 1988 wrote to memory of 876	1988	{60488F01-2E57-42d5-BAAB-5887200AB43C}.exe	42
PID 1988 wrote to memory of 876	1988	{60488F01-2E57-42d5-BAAB-5887200AB43C}.exe	42
PID 1988 wrote to memory of 2648	1988	{60488F01-2E57-42d5-BAAB-5887200AB43C}.exe	43
PID 1988 wrote to memory of 2648	1988	{60488F01-2E57-42d5-BAAB-5887200AB43C}.exe	43
PID 1988 wrote to memory of 2648	1988	{60488F01-2E57-42d5-BAAB-5887200AB43C}.exe	43
PID 1988 wrote to memory of 2648	1988	{60488F01-2E57-42d5-BAAB-5887200AB43C}.exe	43
PID 876 wrote to memory of 1564	876	{CC2B98D5-9FD8-4f70-AF0B-C0E59BCCF1A6}.exe	44
PID 876 wrote to memory of 1564	876	{CC2B98D5-9FD8-4f70-AF0B-C0E59BCCF1A6}.exe	44
PID 876 wrote to memory of 1564	876	{CC2B98D5-9FD8-4f70-AF0B-C0E59BCCF1A6}.exe	44
PID 876 wrote to memory of 1564	876	{CC2B98D5-9FD8-4f70-AF0B-C0E59BCCF1A6}.exe	44
PID 876 wrote to memory of 636	876	{CC2B98D5-9FD8-4f70-AF0B-C0E59BCCF1A6}.exe	45
PID 876 wrote to memory of 636	876	{CC2B98D5-9FD8-4f70-AF0B-C0E59BCCF1A6}.exe	45
PID 876 wrote to memory of 636	876	{CC2B98D5-9FD8-4f70-AF0B-C0E59BCCF1A6}.exe	45
PID 876 wrote to memory of 636	876	{CC2B98D5-9FD8-4f70-AF0B-C0E59BCCF1A6}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-04-22_7a2f22b707a0ad0080e3bad72b251743_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-22_7a2f22b707a0ad0080e3bad72b251743_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:836
- C:\Windows\{FAA08026-A768-480d-AAE2-9A1C9CDDC36A}.exe
  C:\Windows\{FAA08026-A768-480d-AAE2-9A1C9CDDC36A}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2808
- - C:\Windows\{2C6D8CB9-E199-4734-BF4F-D82A91D53E60}.exe
    C:\Windows\{2C6D8CB9-E199-4734-BF4F-D82A91D53E60}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2564
  - - C:\Windows\{F1F841FD-4F81-4bbd-8899-3EAFFDB9AF82}.exe
      C:\Windows\{F1F841FD-4F81-4bbd-8899-3EAFFDB9AF82}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2576
    - - C:\Windows\{16043986-9CD3-4af5-B8DE-B4614C02D5B9}.exe
        
        C:\Windows\{16043986-9CD3-4af5-B8DE-B4614C02D5B9}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2536
      - C:\Windows\{CE409AAB-C104-4754-8FA1-3228C1471D08}.exe
        
        C:\Windows\{CE409AAB-C104-4754-8FA1-3228C1471D08}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1860
        
        C:\Windows\{60488F01-2E57-42d5-BAAB-5887200AB43C}.exe
        
        C:\Windows\{60488F01-2E57-42d5-BAAB-5887200AB43C}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1988
        
        C:\Windows\{CC2B98D5-9FD8-4f70-AF0B-C0E59BCCF1A6}.exe
        
        C:\Windows\{CC2B98D5-9FD8-4f70-AF0B-C0E59BCCF1A6}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:876
        
        C:\Windows\{02E36EE4-D8E7-4564-88E7-2A806AE6CC80}.exe
        
        C:\Windows\{02E36EE4-D8E7-4564-88E7-2A806AE6CC80}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1564
        
        C:\Windows\{C8F3452B-EEE9-4a38-B648-E9C15DE7E28B}.exe
        
        C:\Windows\{C8F3452B-EEE9-4a38-B648-E9C15DE7E28B}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2752
        
        C:\Windows\{105FBCB4-B119-4833-B96C-7DD82AFE16D6}.exe
        
        C:\Windows\{105FBCB4-B119-4833-B96C-7DD82AFE16D6}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1104
        
        C:\Windows\{299B9095-3D9A-430e-A093-4F4DE205424F}.exe
        
        C:\Windows\{299B9095-3D9A-430e-A093-4F4DE205424F}.exe
        12⤵
        Executes dropped EXE
        
        PID:284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{105FB~1.EXE > nul
        12⤵
        
        PID:1904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C8F34~1.EXE > nul
        11⤵
        
        PID:600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{02E36~1.EXE > nul
        10⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CC2B9~1.EXE > nul
        9⤵
        
        PID:636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{60488~1.EXE > nul
        8⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CE409~1.EXE > nul
        7⤵
        
        PID:1716
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{16043~1.EXE > nul
        6⤵
        
        PID:1756
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F1F84~1.EXE > nul
        5⤵
        
        PID:2792
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{2C6D8~1.EXE > nul
      4⤵
      PID:2584
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{FAA08~1.EXE > nul
    3⤵
    PID:2664
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{02E36EE4-D8E7-4564-88E7-2A806AE6CC80}.exe

Filesize
168KB

MD5
67dbae0b81e69caf40c7ac4d682f04d2

SHA1
085f0d1feb76aa3dc5efc0d42397f2a226f4b442

SHA256
93923a520938130da6d9c2ce4e4e7bfc5f9af1f340273817cb6796ff4b6bc324

SHA512
bcb80b9d511229c7b0538a9d6f21cb42101e40e77a46964474d1634582478f9e8304de648b7966a0b79bbb07fadea049eaeb3bb1ed0dd63a4573b81a28dfb852

Download Submit
C:\Windows\{105FBCB4-B119-4833-B96C-7DD82AFE16D6}.exe

Filesize
168KB

MD5
a59318799461fb993785a850aeb87693

SHA1
006538652210dddcfa397ad2da7d36f0f9f743bb

SHA256
4dc6dfdf86aff338b3eb593eafcb345f4b0d3593f8b77760dffdbd1403474f22

SHA512
be73ff2ed224868cb789329aa534766e064bd882515fd2d2608f29a64416572a66b777c533899db929edef201dffc67ded2b724cdef4165f9b25c72810bc0005

Download Submit
C:\Windows\{16043986-9CD3-4af5-B8DE-B4614C02D5B9}.exe

Filesize
168KB

MD5
aefea3224fbaa07e0c0fc81c7c89b8e3

SHA1
76419a6bbcbe879410a6dd5a4bb28ab4a9e644f4

SHA256
1de8531f2defe5562a9f1644df0bd98375528c38ea292ecb917b7cf8ccc51952

SHA512
e857fb7ef65d41692a7b81247c2a171cfb172442dc89a226b8845ff0f426f21227d5447defd0188b39c842808cec2e7c56f669cfeedac6ea852f5a417b7567ed

Download Submit
C:\Windows\{299B9095-3D9A-430e-A093-4F4DE205424F}.exe

Filesize
168KB

MD5
74bc108a25bd331adc726bc6ae48a652

SHA1
6f2a892d74a0a9189eeafe8d4578196d1dc3e287

SHA256
b559b557d92a5d00ba8a0c750c4fec0cea905846c8545805e6054cbe1887bed5

SHA512
0010970ca6299de65f9756c823ae75effe34d7772a28472f28499b0b341c5c1c1380bf9c108a417acbca8c2219bdb1ec36c6358f251796c0f67da0744922f904

Download Submit
C:\Windows\{2C6D8CB9-E199-4734-BF4F-D82A91D53E60}.exe

Filesize
168KB

MD5
5c7d2f82332696283751810c76b7ad02

SHA1
282181e6eb9534bb057f62f406cadc402226be72

SHA256
c5127a2365b4850c415c2517b56f34b50682b298b72608be8cbf8d747e63d894

SHA512
ce72d79544bddaef0a32f5dd122721f544bd15a8b831f5820b2494c7ebb4c8078cd18294c9cd9be44332b8f1c25e4d013aff86027490a367b40eaf50db27ef9a

Download Submit
C:\Windows\{60488F01-2E57-42d5-BAAB-5887200AB43C}.exe

Filesize
168KB

MD5
151b2cc558ed8a1f48ff9b8f0b5afafe

SHA1
afff06e6a280386a388327936699f86f18bf5707

SHA256
b6df0cf1aa7272716df2858147833e93ba885caea6daff6e728958a28e8f4b53

SHA512
2facfd19052c0a88010eaf4a7aa2a2b8d50236d3aba630c5f59162cd32a3dd17a2f3a8f22705155ddedb580a2edd69eacdc07edaf73a718e23cbb64530b4c91e

Download Submit
C:\Windows\{C8F3452B-EEE9-4a38-B648-E9C15DE7E28B}.exe

Filesize
168KB

MD5
53328815a5e8960ae5ee0f24bc3e811c

SHA1
794797b81c993f67a8c3b09d85b1fd56c5fc57a7

SHA256
16c4c8875f5f2aaf254fb052ca6013d937bf98c2c3f0ee7663cc2f7ed124f17b

SHA512
b996714a4424af594f7a17bfcfc5406a8add7663390f9b9d1712ac76add19c449f67264d8c30c69d1dc9c438762a913a54ba1220222824199b944b92fb6ddf81

Download Submit
C:\Windows\{CC2B98D5-9FD8-4f70-AF0B-C0E59BCCF1A6}.exe

Filesize
168KB

MD5
7c4c6e771ae059e29e057862f9d09033

SHA1
76eea25c39168a0cd09470dea70e5b662062e6c9

SHA256
75c9776466dd6ec33e3ae677c0216e080a8163ca93ce1a506aed1d144f04b9b3

SHA512
633cffb86d0803897344604eaf95eeb22156b05fd2872ebd50310f2a3533e14fe975fa2de38a5f1bf48c5d3db8eaf4e4fcd155695c2f4308a67ee64fd94b8b56

Download Submit
C:\Windows\{CE409AAB-C104-4754-8FA1-3228C1471D08}.exe

Filesize
168KB

MD5
ebb5abf907952430fbe50c9197cbb0d9

SHA1
e54524134fda165de9bd5c5d2417f57d90fcdbab

SHA256
e1e018de0dee4243e598088659786b7135cf2d53051c0f3f855d56184ba4242f

SHA512
9756072b32120527a691d73865bde34a7779853bb3d66b34bfdadcb6745902d1ee33309592c73d7b246ff3bc6a86dc738dc859fad30c7e1cbbdb6ca3b11b9782

Download Submit
C:\Windows\{F1F841FD-4F81-4bbd-8899-3EAFFDB9AF82}.exe

Filesize
168KB

MD5
7b1928c7db55d0c75859ae0ec542c0a3

SHA1
081a4c9808840524d990be11502eae16ed9d708a

SHA256
fc2a6a541f50af87bac1e50bc9c56a3fb309a0599d2e4112d95193df416372ed

SHA512
89615ef2c7403171c995a78c55ff2cfaffb74054cb705796ea33c9ea91b468e04d184b6128a9b44fa7c63018cb6cfff39b8a6750806d75b7853b97b133143058

Download Submit
C:\Windows\{FAA08026-A768-480d-AAE2-9A1C9CDDC36A}.exe

Filesize
168KB

MD5
a566594434d956227360beff1a91b908

SHA1
a53c282bc156a36dbfdae876f598adc38f507aa1

SHA256
bd542c280f329f288bba447f921193abe468c39b641e2e87dd933e87012d8bfc

SHA512
0f13161a97a5eec425338f542e2819377c9e5095a77ff4b2ee6135a50622f38e10c22c0bc90dbe647036bd1529185a39d0c4806daf3f455c40dabb5e26ea1160

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads