ff13ef4b549bc40028932b3d16b9f7c81c3cfb715c705aa272569e94a28f71e0

Analysis

max time kernel
144s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
22/04/2024, 11:13

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-04-22_f00bd0fe7e95b1a7ed83d0017c793790_goldeneye.exe
Size

180KB
MD5

f00bd0fe7e95b1a7ed83d0017c793790
SHA1

a386bc399ef9e7789976ef21e32fc76a0af99a91
SHA256

ff13ef4b549bc40028932b3d16b9f7c81c3cfb715c705aa272569e94a28f71e0
SHA512

1fb3fe307e9ebaf226560228f918023d23024686c2d7032b26e4002b43679c47d57b3608e5a09a13f9ab3b128bb2346ce4bc985a14b04fd5a0a16073fa0cebad
SSDEEP

3072:jEGh0o9lfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGHl5eKcAEc

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000b000000013a06-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b000000015cff-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000013a06-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0038000000015d6b-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000013a06-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e000000013a06-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f000000013a06-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{02616F84-256F-41ef-9478-E58903D19904}	{B3FFC0AB-47C4-45f4-AED6-15E8C8AA9C9C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1F0BB340-04FA-4268-8161-8E386A18F6C9}\stubpath = "C:\\Windows\\{1F0BB340-04FA-4268-8161-8E386A18F6C9}.exe"	{02616F84-256F-41ef-9478-E58903D19904}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A8BC116E-8479-4f61-A1B5-09AACC66121F}\stubpath = "C:\\Windows\\{A8BC116E-8479-4f61-A1B5-09AACC66121F}.exe"	{E1067355-DC60-4640-B7A4-704CF61BA098}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{44458437-8C78-42f1-BEFF-0A362D1498FE}\stubpath = "C:\\Windows\\{44458437-8C78-42f1-BEFF-0A362D1498FE}.exe"	{A8BC116E-8479-4f61-A1B5-09AACC66121F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CC836480-3432-4662-97C7-DD30F3A9BF9F}\stubpath = "C:\\Windows\\{CC836480-3432-4662-97C7-DD30F3A9BF9F}.exe"	{58449208-2A8F-4552-AEA5-181A842D60DC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E1067355-DC60-4640-B7A4-704CF61BA098}	{CC836480-3432-4662-97C7-DD30F3A9BF9F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E1067355-DC60-4640-B7A4-704CF61BA098}\stubpath = "C:\\Windows\\{E1067355-DC60-4640-B7A4-704CF61BA098}.exe"	{CC836480-3432-4662-97C7-DD30F3A9BF9F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{64C3BE60-DBF4-4e10-B424-E24E38E6165A}	{44458437-8C78-42f1-BEFF-0A362D1498FE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6AB2C6A3-2242-41d1-97E2-D733219EEE0E}\stubpath = "C:\\Windows\\{6AB2C6A3-2242-41d1-97E2-D733219EEE0E}.exe"	{64C3BE60-DBF4-4e10-B424-E24E38E6165A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B3FFC0AB-47C4-45f4-AED6-15E8C8AA9C9C}	{6AB2C6A3-2242-41d1-97E2-D733219EEE0E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{58449208-2A8F-4552-AEA5-181A842D60DC}\stubpath = "C:\\Windows\\{58449208-2A8F-4552-AEA5-181A842D60DC}.exe"	{070CAC96-6C3F-4cc0-9E27-E9D5ABDC50B2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CC836480-3432-4662-97C7-DD30F3A9BF9F}	{58449208-2A8F-4552-AEA5-181A842D60DC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B3FFC0AB-47C4-45f4-AED6-15E8C8AA9C9C}\stubpath = "C:\\Windows\\{B3FFC0AB-47C4-45f4-AED6-15E8C8AA9C9C}.exe"	{6AB2C6A3-2242-41d1-97E2-D733219EEE0E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{64C3BE60-DBF4-4e10-B424-E24E38E6165A}\stubpath = "C:\\Windows\\{64C3BE60-DBF4-4e10-B424-E24E38E6165A}.exe"	{44458437-8C78-42f1-BEFF-0A362D1498FE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6AB2C6A3-2242-41d1-97E2-D733219EEE0E}	{64C3BE60-DBF4-4e10-B424-E24E38E6165A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{070CAC96-6C3F-4cc0-9E27-E9D5ABDC50B2}	2024-04-22_f00bd0fe7e95b1a7ed83d0017c793790_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A8BC116E-8479-4f61-A1B5-09AACC66121F}	{E1067355-DC60-4640-B7A4-704CF61BA098}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{44458437-8C78-42f1-BEFF-0A362D1498FE}	{A8BC116E-8479-4f61-A1B5-09AACC66121F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{02616F84-256F-41ef-9478-E58903D19904}\stubpath = "C:\\Windows\\{02616F84-256F-41ef-9478-E58903D19904}.exe"	{B3FFC0AB-47C4-45f4-AED6-15E8C8AA9C9C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1F0BB340-04FA-4268-8161-8E386A18F6C9}	{02616F84-256F-41ef-9478-E58903D19904}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{070CAC96-6C3F-4cc0-9E27-E9D5ABDC50B2}\stubpath = "C:\\Windows\\{070CAC96-6C3F-4cc0-9E27-E9D5ABDC50B2}.exe"	2024-04-22_f00bd0fe7e95b1a7ed83d0017c793790_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{58449208-2A8F-4552-AEA5-181A842D60DC}	{070CAC96-6C3F-4cc0-9E27-E9D5ABDC50B2}.exe

Deletes itself 1 IoCs

pid	Process
1908	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2180	{070CAC96-6C3F-4cc0-9E27-E9D5ABDC50B2}.exe
2624	{58449208-2A8F-4552-AEA5-181A842D60DC}.exe
2552	{CC836480-3432-4662-97C7-DD30F3A9BF9F}.exe
2604	{E1067355-DC60-4640-B7A4-704CF61BA098}.exe
2788	{A8BC116E-8479-4f61-A1B5-09AACC66121F}.exe
1288	{44458437-8C78-42f1-BEFF-0A362D1498FE}.exe
2176	{64C3BE60-DBF4-4e10-B424-E24E38E6165A}.exe
2528	{6AB2C6A3-2242-41d1-97E2-D733219EEE0E}.exe
2112	{B3FFC0AB-47C4-45f4-AED6-15E8C8AA9C9C}.exe
1616	{02616F84-256F-41ef-9478-E58903D19904}.exe
580	{1F0BB340-04FA-4268-8161-8E386A18F6C9}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{02616F84-256F-41ef-9478-E58903D19904}.exe	{B3FFC0AB-47C4-45f4-AED6-15E8C8AA9C9C}.exe
File created	C:\Windows\{CC836480-3432-4662-97C7-DD30F3A9BF9F}.exe	{58449208-2A8F-4552-AEA5-181A842D60DC}.exe
File created	C:\Windows\{6AB2C6A3-2242-41d1-97E2-D733219EEE0E}.exe	{64C3BE60-DBF4-4e10-B424-E24E38E6165A}.exe
File created	C:\Windows\{E1067355-DC60-4640-B7A4-704CF61BA098}.exe	{CC836480-3432-4662-97C7-DD30F3A9BF9F}.exe
File created	C:\Windows\{A8BC116E-8479-4f61-A1B5-09AACC66121F}.exe	{E1067355-DC60-4640-B7A4-704CF61BA098}.exe
File created	C:\Windows\{44458437-8C78-42f1-BEFF-0A362D1498FE}.exe	{A8BC116E-8479-4f61-A1B5-09AACC66121F}.exe
File created	C:\Windows\{64C3BE60-DBF4-4e10-B424-E24E38E6165A}.exe	{44458437-8C78-42f1-BEFF-0A362D1498FE}.exe
File created	C:\Windows\{B3FFC0AB-47C4-45f4-AED6-15E8C8AA9C9C}.exe	{6AB2C6A3-2242-41d1-97E2-D733219EEE0E}.exe
File created	C:\Windows\{1F0BB340-04FA-4268-8161-8E386A18F6C9}.exe	{02616F84-256F-41ef-9478-E58903D19904}.exe
File created	C:\Windows\{070CAC96-6C3F-4cc0-9E27-E9D5ABDC50B2}.exe	2024-04-22_f00bd0fe7e95b1a7ed83d0017c793790_goldeneye.exe
File created	C:\Windows\{58449208-2A8F-4552-AEA5-181A842D60DC}.exe	{070CAC96-6C3F-4cc0-9E27-E9D5ABDC50B2}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2972	2024-04-22_f00bd0fe7e95b1a7ed83d0017c793790_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2180	{070CAC96-6C3F-4cc0-9E27-E9D5ABDC50B2}.exe
Token: SeIncBasePriorityPrivilege	2624	{58449208-2A8F-4552-AEA5-181A842D60DC}.exe
Token: SeIncBasePriorityPrivilege	2552	{CC836480-3432-4662-97C7-DD30F3A9BF9F}.exe
Token: SeIncBasePriorityPrivilege	2604	{E1067355-DC60-4640-B7A4-704CF61BA098}.exe
Token: SeIncBasePriorityPrivilege	2788	{A8BC116E-8479-4f61-A1B5-09AACC66121F}.exe
Token: SeIncBasePriorityPrivilege	1288	{44458437-8C78-42f1-BEFF-0A362D1498FE}.exe
Token: SeIncBasePriorityPrivilege	2176	{64C3BE60-DBF4-4e10-B424-E24E38E6165A}.exe
Token: SeIncBasePriorityPrivilege	2528	{6AB2C6A3-2242-41d1-97E2-D733219EEE0E}.exe
Token: SeIncBasePriorityPrivilege	2112	{B3FFC0AB-47C4-45f4-AED6-15E8C8AA9C9C}.exe
Token: SeIncBasePriorityPrivilege	1616	{02616F84-256F-41ef-9478-E58903D19904}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2972 wrote to memory of 2180	2972	2024-04-22_f00bd0fe7e95b1a7ed83d0017c793790_goldeneye.exe	28
PID 2972 wrote to memory of 2180	2972	2024-04-22_f00bd0fe7e95b1a7ed83d0017c793790_goldeneye.exe	28
PID 2972 wrote to memory of 2180	2972	2024-04-22_f00bd0fe7e95b1a7ed83d0017c793790_goldeneye.exe	28
PID 2972 wrote to memory of 2180	2972	2024-04-22_f00bd0fe7e95b1a7ed83d0017c793790_goldeneye.exe	28
PID 2972 wrote to memory of 1908	2972	2024-04-22_f00bd0fe7e95b1a7ed83d0017c793790_goldeneye.exe	29
PID 2972 wrote to memory of 1908	2972	2024-04-22_f00bd0fe7e95b1a7ed83d0017c793790_goldeneye.exe	29
PID 2972 wrote to memory of 1908	2972	2024-04-22_f00bd0fe7e95b1a7ed83d0017c793790_goldeneye.exe	29
PID 2972 wrote to memory of 1908	2972	2024-04-22_f00bd0fe7e95b1a7ed83d0017c793790_goldeneye.exe	29
PID 2180 wrote to memory of 2624	2180	{070CAC96-6C3F-4cc0-9E27-E9D5ABDC50B2}.exe	30
PID 2180 wrote to memory of 2624	2180	{070CAC96-6C3F-4cc0-9E27-E9D5ABDC50B2}.exe	30
PID 2180 wrote to memory of 2624	2180	{070CAC96-6C3F-4cc0-9E27-E9D5ABDC50B2}.exe	30
PID 2180 wrote to memory of 2624	2180	{070CAC96-6C3F-4cc0-9E27-E9D5ABDC50B2}.exe	30
PID 2180 wrote to memory of 2652	2180	{070CAC96-6C3F-4cc0-9E27-E9D5ABDC50B2}.exe	31
PID 2180 wrote to memory of 2652	2180	{070CAC96-6C3F-4cc0-9E27-E9D5ABDC50B2}.exe	31
PID 2180 wrote to memory of 2652	2180	{070CAC96-6C3F-4cc0-9E27-E9D5ABDC50B2}.exe	31
PID 2180 wrote to memory of 2652	2180	{070CAC96-6C3F-4cc0-9E27-E9D5ABDC50B2}.exe	31
PID 2624 wrote to memory of 2552	2624	{58449208-2A8F-4552-AEA5-181A842D60DC}.exe	32
PID 2624 wrote to memory of 2552	2624	{58449208-2A8F-4552-AEA5-181A842D60DC}.exe	32
PID 2624 wrote to memory of 2552	2624	{58449208-2A8F-4552-AEA5-181A842D60DC}.exe	32
PID 2624 wrote to memory of 2552	2624	{58449208-2A8F-4552-AEA5-181A842D60DC}.exe	32
PID 2624 wrote to memory of 2696	2624	{58449208-2A8F-4552-AEA5-181A842D60DC}.exe	33
PID 2624 wrote to memory of 2696	2624	{58449208-2A8F-4552-AEA5-181A842D60DC}.exe	33
PID 2624 wrote to memory of 2696	2624	{58449208-2A8F-4552-AEA5-181A842D60DC}.exe	33
PID 2624 wrote to memory of 2696	2624	{58449208-2A8F-4552-AEA5-181A842D60DC}.exe	33
PID 2552 wrote to memory of 2604	2552	{CC836480-3432-4662-97C7-DD30F3A9BF9F}.exe	36
PID 2552 wrote to memory of 2604	2552	{CC836480-3432-4662-97C7-DD30F3A9BF9F}.exe	36
PID 2552 wrote to memory of 2604	2552	{CC836480-3432-4662-97C7-DD30F3A9BF9F}.exe	36
PID 2552 wrote to memory of 2604	2552	{CC836480-3432-4662-97C7-DD30F3A9BF9F}.exe	36
PID 2552 wrote to memory of 2928	2552	{CC836480-3432-4662-97C7-DD30F3A9BF9F}.exe	37
PID 2552 wrote to memory of 2928	2552	{CC836480-3432-4662-97C7-DD30F3A9BF9F}.exe	37
PID 2552 wrote to memory of 2928	2552	{CC836480-3432-4662-97C7-DD30F3A9BF9F}.exe	37
PID 2552 wrote to memory of 2928	2552	{CC836480-3432-4662-97C7-DD30F3A9BF9F}.exe	37
PID 2604 wrote to memory of 2788	2604	{E1067355-DC60-4640-B7A4-704CF61BA098}.exe	38
PID 2604 wrote to memory of 2788	2604	{E1067355-DC60-4640-B7A4-704CF61BA098}.exe	38
PID 2604 wrote to memory of 2788	2604	{E1067355-DC60-4640-B7A4-704CF61BA098}.exe	38
PID 2604 wrote to memory of 2788	2604	{E1067355-DC60-4640-B7A4-704CF61BA098}.exe	38
PID 2604 wrote to memory of 2812	2604	{E1067355-DC60-4640-B7A4-704CF61BA098}.exe	39
PID 2604 wrote to memory of 2812	2604	{E1067355-DC60-4640-B7A4-704CF61BA098}.exe	39
PID 2604 wrote to memory of 2812	2604	{E1067355-DC60-4640-B7A4-704CF61BA098}.exe	39
PID 2604 wrote to memory of 2812	2604	{E1067355-DC60-4640-B7A4-704CF61BA098}.exe	39
PID 2788 wrote to memory of 1288	2788	{A8BC116E-8479-4f61-A1B5-09AACC66121F}.exe	40
PID 2788 wrote to memory of 1288	2788	{A8BC116E-8479-4f61-A1B5-09AACC66121F}.exe	40
PID 2788 wrote to memory of 1288	2788	{A8BC116E-8479-4f61-A1B5-09AACC66121F}.exe	40
PID 2788 wrote to memory of 1288	2788	{A8BC116E-8479-4f61-A1B5-09AACC66121F}.exe	40
PID 2788 wrote to memory of 1544	2788	{A8BC116E-8479-4f61-A1B5-09AACC66121F}.exe	41
PID 2788 wrote to memory of 1544	2788	{A8BC116E-8479-4f61-A1B5-09AACC66121F}.exe	41
PID 2788 wrote to memory of 1544	2788	{A8BC116E-8479-4f61-A1B5-09AACC66121F}.exe	41
PID 2788 wrote to memory of 1544	2788	{A8BC116E-8479-4f61-A1B5-09AACC66121F}.exe	41
PID 1288 wrote to memory of 2176	1288	{44458437-8C78-42f1-BEFF-0A362D1498FE}.exe	42
PID 1288 wrote to memory of 2176	1288	{44458437-8C78-42f1-BEFF-0A362D1498FE}.exe	42
PID 1288 wrote to memory of 2176	1288	{44458437-8C78-42f1-BEFF-0A362D1498FE}.exe	42
PID 1288 wrote to memory of 2176	1288	{44458437-8C78-42f1-BEFF-0A362D1498FE}.exe	42
PID 1288 wrote to memory of 2188	1288	{44458437-8C78-42f1-BEFF-0A362D1498FE}.exe	43
PID 1288 wrote to memory of 2188	1288	{44458437-8C78-42f1-BEFF-0A362D1498FE}.exe	43
PID 1288 wrote to memory of 2188	1288	{44458437-8C78-42f1-BEFF-0A362D1498FE}.exe	43
PID 1288 wrote to memory of 2188	1288	{44458437-8C78-42f1-BEFF-0A362D1498FE}.exe	43
PID 2176 wrote to memory of 2528	2176	{64C3BE60-DBF4-4e10-B424-E24E38E6165A}.exe	44
PID 2176 wrote to memory of 2528	2176	{64C3BE60-DBF4-4e10-B424-E24E38E6165A}.exe	44
PID 2176 wrote to memory of 2528	2176	{64C3BE60-DBF4-4e10-B424-E24E38E6165A}.exe	44
PID 2176 wrote to memory of 2528	2176	{64C3BE60-DBF4-4e10-B424-E24E38E6165A}.exe	44
PID 2176 wrote to memory of 1756	2176	{64C3BE60-DBF4-4e10-B424-E24E38E6165A}.exe	45
PID 2176 wrote to memory of 1756	2176	{64C3BE60-DBF4-4e10-B424-E24E38E6165A}.exe	45
PID 2176 wrote to memory of 1756	2176	{64C3BE60-DBF4-4e10-B424-E24E38E6165A}.exe	45
PID 2176 wrote to memory of 1756	2176	{64C3BE60-DBF4-4e10-B424-E24E38E6165A}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-04-22_f00bd0fe7e95b1a7ed83d0017c793790_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-22_f00bd0fe7e95b1a7ed83d0017c793790_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2972
- C:\Windows\{070CAC96-6C3F-4cc0-9E27-E9D5ABDC50B2}.exe
  C:\Windows\{070CAC96-6C3F-4cc0-9E27-E9D5ABDC50B2}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2180
- - C:\Windows\{58449208-2A8F-4552-AEA5-181A842D60DC}.exe
    C:\Windows\{58449208-2A8F-4552-AEA5-181A842D60DC}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2624
  - - C:\Windows\{CC836480-3432-4662-97C7-DD30F3A9BF9F}.exe
      C:\Windows\{CC836480-3432-4662-97C7-DD30F3A9BF9F}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2552
    - - C:\Windows\{E1067355-DC60-4640-B7A4-704CF61BA098}.exe
        
        C:\Windows\{E1067355-DC60-4640-B7A4-704CF61BA098}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2604
      - C:\Windows\{A8BC116E-8479-4f61-A1B5-09AACC66121F}.exe
        
        C:\Windows\{A8BC116E-8479-4f61-A1B5-09AACC66121F}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2788
        
        C:\Windows\{44458437-8C78-42f1-BEFF-0A362D1498FE}.exe
        
        C:\Windows\{44458437-8C78-42f1-BEFF-0A362D1498FE}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1288
        
        C:\Windows\{64C3BE60-DBF4-4e10-B424-E24E38E6165A}.exe
        
        C:\Windows\{64C3BE60-DBF4-4e10-B424-E24E38E6165A}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2176
        
        C:\Windows\{6AB2C6A3-2242-41d1-97E2-D733219EEE0E}.exe
        
        C:\Windows\{6AB2C6A3-2242-41d1-97E2-D733219EEE0E}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2528
        
        C:\Windows\{B3FFC0AB-47C4-45f4-AED6-15E8C8AA9C9C}.exe
        
        C:\Windows\{B3FFC0AB-47C4-45f4-AED6-15E8C8AA9C9C}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2112
        
        C:\Windows\{02616F84-256F-41ef-9478-E58903D19904}.exe
        
        C:\Windows\{02616F84-256F-41ef-9478-E58903D19904}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1616
        
        C:\Windows\{1F0BB340-04FA-4268-8161-8E386A18F6C9}.exe
        
        C:\Windows\{1F0BB340-04FA-4268-8161-8E386A18F6C9}.exe
        12⤵
        Executes dropped EXE
        
        PID:580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{02616~1.EXE > nul
        12⤵
        
        PID:1308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B3FFC~1.EXE > nul
        11⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6AB2C~1.EXE > nul
        10⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{64C3B~1.EXE > nul
        9⤵
        
        PID:1756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{44458~1.EXE > nul
        8⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A8BC1~1.EXE > nul
        7⤵
        
        PID:1544
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E1067~1.EXE > nul
        6⤵
        
        PID:2812
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CC836~1.EXE > nul
        5⤵
        
        PID:2928
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{58449~1.EXE > nul
      4⤵
      PID:2696
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{070CA~1.EXE > nul
    3⤵
    PID:2652
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:1908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{02616F84-256F-41ef-9478-E58903D19904}.exe

Filesize
180KB

MD5
d0b2d463a435f8187725be28f57f440e

SHA1
08968781ea5e3ae84ebb3b35350151a10e7f8b0d

SHA256
531f42f89f213fde1a064a1b94cbdad73689a21283adb4e02daac017d932c986

SHA512
785eb9ced77188c854e94d2189f699f394509dda80ab7410141c2821c7ce12010b891541438ba38052f9ad07011e5eb8821657d0fb7fa2f395eae15481d657e8

Download Submit
C:\Windows\{070CAC96-6C3F-4cc0-9E27-E9D5ABDC50B2}.exe

Filesize
180KB

MD5
71ed749c1f45d44b48c1655460b66615

SHA1
d47cae1d55a17404f43f5a38619def935f96c8b1

SHA256
fd77bcfd46dee6dabe7f128ee58a3c4638debf6312a49a26e26f6527399d144a

SHA512
bb1cb087967377c985fb12ea95766c0aa79604318632f265c4c2b6017002ce9a9c18707114c660364809ee63af44e0d21721b14d5cc43111ad39799af3a34c29

Download Submit
C:\Windows\{1F0BB340-04FA-4268-8161-8E386A18F6C9}.exe

Filesize
180KB

MD5
5a55636354381b510ea9d32ef19b57af

SHA1
6f3a497ace221fee673344a6876299a7203c0b80

SHA256
6ee531459ef0000d4abe8eef878cd80882643c5c52fc4d0274813a5afcdda1a6

SHA512
6b6509f8a8a48225a6812f70c85488fdbed1085813027a5d173110aa09de6dad62b9a58b6a81dccd0f1a147425bcffacd05893ac6dc018de1600e181165c1fb9

Download Submit
C:\Windows\{44458437-8C78-42f1-BEFF-0A362D1498FE}.exe

Filesize
180KB

MD5
dd035cb1a3b9f22f50535a702bdf5492

SHA1
b708b806ee875a70f3fb23aeff82fa47ebddc462

SHA256
0536c39fcea4a965419df675cf7c1d484241bd71097c9ce3c9bfa04899a1ed34

SHA512
1cff317d35461d28c1337fc8201057f128485427ef5d82e22079f19910b3e965276ca6c04a340d5798925e7654df3442eda578390732ebe2fd0370096f4f6377

Download Submit
C:\Windows\{58449208-2A8F-4552-AEA5-181A842D60DC}.exe

Filesize
180KB

MD5
815242b148d2b5c92bef75329360a8e1

SHA1
6f041900a35b9763552c9ba940dc2a4b4ec942d6

SHA256
e6c682cc2709a3acd93b90797b970cf7cc5b0e0958a22f6d64ffeea75ff1ebfd

SHA512
3248e872c2abfb1ca3927a30fff06ef7a449037ebd25e4089695987c19042dc2ee61e082226d71185929544aacfb05820c8dabffa3706fa08a84149cdee2ef25

Download Submit
C:\Windows\{64C3BE60-DBF4-4e10-B424-E24E38E6165A}.exe

Filesize
180KB

MD5
5bf6d91d886ac9185d703312a0010316

SHA1
4d3c1b15f84c63d87669d0c4cfea25e0da159d45

SHA256
25b14984914c31f57341a3809573f594db57271291c2b980a9adbd69b5169758

SHA512
ed7a206d132301760216a50027b5dbf708b1d5949878893efd2486c08fb4fe9316a0c3b0373a8b7cb34e8e0e17b6ab415d6cd0746718af15b7db8a16ba205c1c

Download Submit
C:\Windows\{6AB2C6A3-2242-41d1-97E2-D733219EEE0E}.exe

Filesize
180KB

MD5
5e56ab7c599956dc625fca51baf51635

SHA1
5f943081a621d6aea5825da9323f4843a9d6c677

SHA256
b2850b969c23e23f6819db591257396e8633b55ffc86b7f7c5411b35cc6429d9

SHA512
ed590a169e8090b1dcd2760d97160086d5015d7fd8bf3cf6f72f1b04410745c707be451f1901585bd6f4e9f7a8273845eff28cf55362cd3c40b27d02e5176bbb

Download Submit
C:\Windows\{A8BC116E-8479-4f61-A1B5-09AACC66121F}.exe

Filesize
180KB

MD5
61eaf0228edd53afb2ee27e0d6e47a1b

SHA1
210f838c5534006c680d693def6859da2b2349e3

SHA256
e6b1309ebd5527ce41b458acb0f1a5ae877675883194d42026d0769eb733e344

SHA512
f86f873bfbf7c4dbc122a20e636e4ac8c2f90f5e7fd67ed3092c9d5278b7763f59f63aed02e490762252b0f2b2f530350ae718dd5dd7a853c1b021b8588ab85b

Download Submit
C:\Windows\{B3FFC0AB-47C4-45f4-AED6-15E8C8AA9C9C}.exe

Filesize
180KB

MD5
af02b85ae4ef5d1abc780b8a6af14d9d

SHA1
d3cdfcac9f60419db2ae318e391604e29fbec74b

SHA256
1b357d6b8f65973ac67472aac305359ea0aa2775f844d0d576dd542131d208f6

SHA512
3f84753c63c4f1d97db397b31c59dccbb3c873b8fa060f97001a45af1a2f2384d9678ae6890ac93412fe30274f545b6d3fb41745978ad5fdd445c6cf257cf428

Download Submit
C:\Windows\{CC836480-3432-4662-97C7-DD30F3A9BF9F}.exe

Filesize
180KB

MD5
e76de89ab19e0c779b42c1e66c7fab8c

SHA1
0891cbd3ee618bd4fa38f630a41cd55ce4651068

SHA256
81fda48f751684328a94bfc49ebe7a84d5467fa83ab7a5295183345fd2ad4c17

SHA512
e5f5402172354cf6a193c71c0102ed872addfe83265646284b671016d114cf3b2d581a6c5547235202d8fbe394775e31584c5f52c14328d68c593b450a0b0513

Download Submit
C:\Windows\{E1067355-DC60-4640-B7A4-704CF61BA098}.exe

Filesize
180KB

MD5
1f7c47b761c6d5bebb420848de386063

SHA1
4fa32c648d5a94c9facbd0d16b05088eee85ab8b

SHA256
44fe84ad887531725e07f3f85638dae2d4b0fbe585171099d7ff4da31c5aa58b

SHA512
35b57eda355ec136e122e5ae7f15cfd4d1e23346ec4c226d657b92e2c61a189816c6f933902de5ce78f4d27a60a5d7edcb87646fa5a9265265d9394c283db0c2

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads