24d9a6fc0f82101b6ef2777e35af7cebf3d6ba8d71fc3efff7673bbae84459c8

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
25/04/2024, 05:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-25_49bc73a2a4faf4559c14ef64b382cee0_goldeneye.exe
Size

408KB
MD5

49bc73a2a4faf4559c14ef64b382cee0
SHA1

86cf75e333ca717841926e1da05eda373584596a
SHA256

24d9a6fc0f82101b6ef2777e35af7cebf3d6ba8d71fc3efff7673bbae84459c8
SHA512

d8b120f8c7767dff837980c87f88b7c775fc8ba8a47b9badf1fed7a0aaa2da42a6183bbe3e90b440de9b5a7369321a1e6fe2299dafec7f80003fbdfd222e4ac7
SSDEEP

3072:CEGh0oUl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBft:CEG2ldOe2MUVg3vTeKcAEciTBqr3jy9

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000b000000012251-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c00000001225d-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000012251-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000012251-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e000000012251-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f000000012251-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0010000000012251-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6482C015-E9C8-48ac-B3A3-B54DFBFDADA0}	{24DE185F-D2CF-455a-85B6-435AE781DF31}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1777E71B-A3CC-4e29-BD31-57176F6EE29A}\stubpath = "C:\\Windows\\{1777E71B-A3CC-4e29-BD31-57176F6EE29A}.exe"	{BCCD0EC5-E979-4da9-BB14-DB73C984EC3F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6636AE44-E1DC-4e0b-AD27-A78286B049BA}	2024-04-25_49bc73a2a4faf4559c14ef64b382cee0_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{798BCBA7-A830-46cb-A801-014D28E3049D}	{6636AE44-E1DC-4e0b-AD27-A78286B049BA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{24DE185F-D2CF-455a-85B6-435AE781DF31}\stubpath = "C:\\Windows\\{24DE185F-D2CF-455a-85B6-435AE781DF31}.exe"	{798BCBA7-A830-46cb-A801-014D28E3049D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BC979FE1-DABB-419a-A7B6-6FB676BDAD07}\stubpath = "C:\\Windows\\{BC979FE1-DABB-419a-A7B6-6FB676BDAD07}.exe"	{D78AD999-1B8F-495d-9F7E-7F4974BC0F69}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0888D161-E3B8-4c49-B40B-499473E637B9}\stubpath = "C:\\Windows\\{0888D161-E3B8-4c49-B40B-499473E637B9}.exe"	{BC979FE1-DABB-419a-A7B6-6FB676BDAD07}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BCCD0EC5-E979-4da9-BB14-DB73C984EC3F}	{0888D161-E3B8-4c49-B40B-499473E637B9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BCCD0EC5-E979-4da9-BB14-DB73C984EC3F}\stubpath = "C:\\Windows\\{BCCD0EC5-E979-4da9-BB14-DB73C984EC3F}.exe"	{0888D161-E3B8-4c49-B40B-499473E637B9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6636AE44-E1DC-4e0b-AD27-A78286B049BA}\stubpath = "C:\\Windows\\{6636AE44-E1DC-4e0b-AD27-A78286B049BA}.exe"	2024-04-25_49bc73a2a4faf4559c14ef64b382cee0_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D78AD999-1B8F-495d-9F7E-7F4974BC0F69}	{021427B9-6C74-46f1-9CB4-F65D73F464F9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D78AD999-1B8F-495d-9F7E-7F4974BC0F69}\stubpath = "C:\\Windows\\{D78AD999-1B8F-495d-9F7E-7F4974BC0F69}.exe"	{021427B9-6C74-46f1-9CB4-F65D73F464F9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1777E71B-A3CC-4e29-BD31-57176F6EE29A}	{BCCD0EC5-E979-4da9-BB14-DB73C984EC3F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{798BCBA7-A830-46cb-A801-014D28E3049D}\stubpath = "C:\\Windows\\{798BCBA7-A830-46cb-A801-014D28E3049D}.exe"	{6636AE44-E1DC-4e0b-AD27-A78286B049BA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6482C015-E9C8-48ac-B3A3-B54DFBFDADA0}\stubpath = "C:\\Windows\\{6482C015-E9C8-48ac-B3A3-B54DFBFDADA0}.exe"	{24DE185F-D2CF-455a-85B6-435AE781DF31}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0888D161-E3B8-4c49-B40B-499473E637B9}	{BC979FE1-DABB-419a-A7B6-6FB676BDAD07}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{021427B9-6C74-46f1-9CB4-F65D73F464F9}	{393D99A5-4508-4849-83F2-7F32AD157EF2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{021427B9-6C74-46f1-9CB4-F65D73F464F9}\stubpath = "C:\\Windows\\{021427B9-6C74-46f1-9CB4-F65D73F464F9}.exe"	{393D99A5-4508-4849-83F2-7F32AD157EF2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BC979FE1-DABB-419a-A7B6-6FB676BDAD07}	{D78AD999-1B8F-495d-9F7E-7F4974BC0F69}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{24DE185F-D2CF-455a-85B6-435AE781DF31}	{798BCBA7-A830-46cb-A801-014D28E3049D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{393D99A5-4508-4849-83F2-7F32AD157EF2}	{6482C015-E9C8-48ac-B3A3-B54DFBFDADA0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{393D99A5-4508-4849-83F2-7F32AD157EF2}\stubpath = "C:\\Windows\\{393D99A5-4508-4849-83F2-7F32AD157EF2}.exe"	{6482C015-E9C8-48ac-B3A3-B54DFBFDADA0}.exe

Deletes itself 1 IoCs

pid	Process
2740	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2900	{6636AE44-E1DC-4e0b-AD27-A78286B049BA}.exe
2660	{798BCBA7-A830-46cb-A801-014D28E3049D}.exe
2596	{24DE185F-D2CF-455a-85B6-435AE781DF31}.exe
2944	{6482C015-E9C8-48ac-B3A3-B54DFBFDADA0}.exe
624	{393D99A5-4508-4849-83F2-7F32AD157EF2}.exe
1836	{021427B9-6C74-46f1-9CB4-F65D73F464F9}.exe
2348	{D78AD999-1B8F-495d-9F7E-7F4974BC0F69}.exe
1964	{BC979FE1-DABB-419a-A7B6-6FB676BDAD07}.exe
1752	{0888D161-E3B8-4c49-B40B-499473E637B9}.exe
2760	{BCCD0EC5-E979-4da9-BB14-DB73C984EC3F}.exe
2796	{1777E71B-A3CC-4e29-BD31-57176F6EE29A}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{BCCD0EC5-E979-4da9-BB14-DB73C984EC3F}.exe	{0888D161-E3B8-4c49-B40B-499473E637B9}.exe
File created	C:\Windows\{24DE185F-D2CF-455a-85B6-435AE781DF31}.exe	{798BCBA7-A830-46cb-A801-014D28E3049D}.exe
File created	C:\Windows\{6482C015-E9C8-48ac-B3A3-B54DFBFDADA0}.exe	{24DE185F-D2CF-455a-85B6-435AE781DF31}.exe
File created	C:\Windows\{021427B9-6C74-46f1-9CB4-F65D73F464F9}.exe	{393D99A5-4508-4849-83F2-7F32AD157EF2}.exe
File created	C:\Windows\{BC979FE1-DABB-419a-A7B6-6FB676BDAD07}.exe	{D78AD999-1B8F-495d-9F7E-7F4974BC0F69}.exe
File created	C:\Windows\{0888D161-E3B8-4c49-B40B-499473E637B9}.exe	{BC979FE1-DABB-419a-A7B6-6FB676BDAD07}.exe
File created	C:\Windows\{6636AE44-E1DC-4e0b-AD27-A78286B049BA}.exe	2024-04-25_49bc73a2a4faf4559c14ef64b382cee0_goldeneye.exe
File created	C:\Windows\{798BCBA7-A830-46cb-A801-014D28E3049D}.exe	{6636AE44-E1DC-4e0b-AD27-A78286B049BA}.exe
File created	C:\Windows\{393D99A5-4508-4849-83F2-7F32AD157EF2}.exe	{6482C015-E9C8-48ac-B3A3-B54DFBFDADA0}.exe
File created	C:\Windows\{D78AD999-1B8F-495d-9F7E-7F4974BC0F69}.exe	{021427B9-6C74-46f1-9CB4-F65D73F464F9}.exe
File created	C:\Windows\{1777E71B-A3CC-4e29-BD31-57176F6EE29A}.exe	{BCCD0EC5-E979-4da9-BB14-DB73C984EC3F}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2732	2024-04-25_49bc73a2a4faf4559c14ef64b382cee0_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2900	{6636AE44-E1DC-4e0b-AD27-A78286B049BA}.exe
Token: SeIncBasePriorityPrivilege	2660	{798BCBA7-A830-46cb-A801-014D28E3049D}.exe
Token: SeIncBasePriorityPrivilege	2596	{24DE185F-D2CF-455a-85B6-435AE781DF31}.exe
Token: SeIncBasePriorityPrivilege	2944	{6482C015-E9C8-48ac-B3A3-B54DFBFDADA0}.exe
Token: SeIncBasePriorityPrivilege	624	{393D99A5-4508-4849-83F2-7F32AD157EF2}.exe
Token: SeIncBasePriorityPrivilege	1836	{021427B9-6C74-46f1-9CB4-F65D73F464F9}.exe
Token: SeIncBasePriorityPrivilege	2348	{D78AD999-1B8F-495d-9F7E-7F4974BC0F69}.exe
Token: SeIncBasePriorityPrivilege	1964	{BC979FE1-DABB-419a-A7B6-6FB676BDAD07}.exe
Token: SeIncBasePriorityPrivilege	1752	{0888D161-E3B8-4c49-B40B-499473E637B9}.exe
Token: SeIncBasePriorityPrivilege	2760	{BCCD0EC5-E979-4da9-BB14-DB73C984EC3F}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2732 wrote to memory of 2900	2732	2024-04-25_49bc73a2a4faf4559c14ef64b382cee0_goldeneye.exe	28
PID 2732 wrote to memory of 2900	2732	2024-04-25_49bc73a2a4faf4559c14ef64b382cee0_goldeneye.exe	28
PID 2732 wrote to memory of 2900	2732	2024-04-25_49bc73a2a4faf4559c14ef64b382cee0_goldeneye.exe	28
PID 2732 wrote to memory of 2900	2732	2024-04-25_49bc73a2a4faf4559c14ef64b382cee0_goldeneye.exe	28
PID 2732 wrote to memory of 2740	2732	2024-04-25_49bc73a2a4faf4559c14ef64b382cee0_goldeneye.exe	29
PID 2732 wrote to memory of 2740	2732	2024-04-25_49bc73a2a4faf4559c14ef64b382cee0_goldeneye.exe	29
PID 2732 wrote to memory of 2740	2732	2024-04-25_49bc73a2a4faf4559c14ef64b382cee0_goldeneye.exe	29
PID 2732 wrote to memory of 2740	2732	2024-04-25_49bc73a2a4faf4559c14ef64b382cee0_goldeneye.exe	29
PID 2900 wrote to memory of 2660	2900	{6636AE44-E1DC-4e0b-AD27-A78286B049BA}.exe	30
PID 2900 wrote to memory of 2660	2900	{6636AE44-E1DC-4e0b-AD27-A78286B049BA}.exe	30
PID 2900 wrote to memory of 2660	2900	{6636AE44-E1DC-4e0b-AD27-A78286B049BA}.exe	30
PID 2900 wrote to memory of 2660	2900	{6636AE44-E1DC-4e0b-AD27-A78286B049BA}.exe	30
PID 2900 wrote to memory of 2592	2900	{6636AE44-E1DC-4e0b-AD27-A78286B049BA}.exe	31
PID 2900 wrote to memory of 2592	2900	{6636AE44-E1DC-4e0b-AD27-A78286B049BA}.exe	31
PID 2900 wrote to memory of 2592	2900	{6636AE44-E1DC-4e0b-AD27-A78286B049BA}.exe	31
PID 2900 wrote to memory of 2592	2900	{6636AE44-E1DC-4e0b-AD27-A78286B049BA}.exe	31
PID 2660 wrote to memory of 2596	2660	{798BCBA7-A830-46cb-A801-014D28E3049D}.exe	32
PID 2660 wrote to memory of 2596	2660	{798BCBA7-A830-46cb-A801-014D28E3049D}.exe	32
PID 2660 wrote to memory of 2596	2660	{798BCBA7-A830-46cb-A801-014D28E3049D}.exe	32
PID 2660 wrote to memory of 2596	2660	{798BCBA7-A830-46cb-A801-014D28E3049D}.exe	32
PID 2660 wrote to memory of 2524	2660	{798BCBA7-A830-46cb-A801-014D28E3049D}.exe	33
PID 2660 wrote to memory of 2524	2660	{798BCBA7-A830-46cb-A801-014D28E3049D}.exe	33
PID 2660 wrote to memory of 2524	2660	{798BCBA7-A830-46cb-A801-014D28E3049D}.exe	33
PID 2660 wrote to memory of 2524	2660	{798BCBA7-A830-46cb-A801-014D28E3049D}.exe	33
PID 2596 wrote to memory of 2944	2596	{24DE185F-D2CF-455a-85B6-435AE781DF31}.exe	36
PID 2596 wrote to memory of 2944	2596	{24DE185F-D2CF-455a-85B6-435AE781DF31}.exe	36
PID 2596 wrote to memory of 2944	2596	{24DE185F-D2CF-455a-85B6-435AE781DF31}.exe	36
PID 2596 wrote to memory of 2944	2596	{24DE185F-D2CF-455a-85B6-435AE781DF31}.exe	36
PID 2596 wrote to memory of 2872	2596	{24DE185F-D2CF-455a-85B6-435AE781DF31}.exe	37
PID 2596 wrote to memory of 2872	2596	{24DE185F-D2CF-455a-85B6-435AE781DF31}.exe	37
PID 2596 wrote to memory of 2872	2596	{24DE185F-D2CF-455a-85B6-435AE781DF31}.exe	37
PID 2596 wrote to memory of 2872	2596	{24DE185F-D2CF-455a-85B6-435AE781DF31}.exe	37
PID 2944 wrote to memory of 624	2944	{6482C015-E9C8-48ac-B3A3-B54DFBFDADA0}.exe	38
PID 2944 wrote to memory of 624	2944	{6482C015-E9C8-48ac-B3A3-B54DFBFDADA0}.exe	38
PID 2944 wrote to memory of 624	2944	{6482C015-E9C8-48ac-B3A3-B54DFBFDADA0}.exe	38
PID 2944 wrote to memory of 624	2944	{6482C015-E9C8-48ac-B3A3-B54DFBFDADA0}.exe	38
PID 2944 wrote to memory of 1252	2944	{6482C015-E9C8-48ac-B3A3-B54DFBFDADA0}.exe	39
PID 2944 wrote to memory of 1252	2944	{6482C015-E9C8-48ac-B3A3-B54DFBFDADA0}.exe	39
PID 2944 wrote to memory of 1252	2944	{6482C015-E9C8-48ac-B3A3-B54DFBFDADA0}.exe	39
PID 2944 wrote to memory of 1252	2944	{6482C015-E9C8-48ac-B3A3-B54DFBFDADA0}.exe	39
PID 624 wrote to memory of 1836	624	{393D99A5-4508-4849-83F2-7F32AD157EF2}.exe	40
PID 624 wrote to memory of 1836	624	{393D99A5-4508-4849-83F2-7F32AD157EF2}.exe	40
PID 624 wrote to memory of 1836	624	{393D99A5-4508-4849-83F2-7F32AD157EF2}.exe	40
PID 624 wrote to memory of 1836	624	{393D99A5-4508-4849-83F2-7F32AD157EF2}.exe	40
PID 624 wrote to memory of 2232	624	{393D99A5-4508-4849-83F2-7F32AD157EF2}.exe	41
PID 624 wrote to memory of 2232	624	{393D99A5-4508-4849-83F2-7F32AD157EF2}.exe	41
PID 624 wrote to memory of 2232	624	{393D99A5-4508-4849-83F2-7F32AD157EF2}.exe	41
PID 624 wrote to memory of 2232	624	{393D99A5-4508-4849-83F2-7F32AD157EF2}.exe	41
PID 1836 wrote to memory of 2348	1836	{021427B9-6C74-46f1-9CB4-F65D73F464F9}.exe	42
PID 1836 wrote to memory of 2348	1836	{021427B9-6C74-46f1-9CB4-F65D73F464F9}.exe	42
PID 1836 wrote to memory of 2348	1836	{021427B9-6C74-46f1-9CB4-F65D73F464F9}.exe	42
PID 1836 wrote to memory of 2348	1836	{021427B9-6C74-46f1-9CB4-F65D73F464F9}.exe	42
PID 1836 wrote to memory of 2200	1836	{021427B9-6C74-46f1-9CB4-F65D73F464F9}.exe	43
PID 1836 wrote to memory of 2200	1836	{021427B9-6C74-46f1-9CB4-F65D73F464F9}.exe	43
PID 1836 wrote to memory of 2200	1836	{021427B9-6C74-46f1-9CB4-F65D73F464F9}.exe	43
PID 1836 wrote to memory of 2200	1836	{021427B9-6C74-46f1-9CB4-F65D73F464F9}.exe	43
PID 2348 wrote to memory of 1964	2348	{D78AD999-1B8F-495d-9F7E-7F4974BC0F69}.exe	44
PID 2348 wrote to memory of 1964	2348	{D78AD999-1B8F-495d-9F7E-7F4974BC0F69}.exe	44
PID 2348 wrote to memory of 1964	2348	{D78AD999-1B8F-495d-9F7E-7F4974BC0F69}.exe	44
PID 2348 wrote to memory of 1964	2348	{D78AD999-1B8F-495d-9F7E-7F4974BC0F69}.exe	44
PID 2348 wrote to memory of 336	2348	{D78AD999-1B8F-495d-9F7E-7F4974BC0F69}.exe	45
PID 2348 wrote to memory of 336	2348	{D78AD999-1B8F-495d-9F7E-7F4974BC0F69}.exe	45
PID 2348 wrote to memory of 336	2348	{D78AD999-1B8F-495d-9F7E-7F4974BC0F69}.exe	45
PID 2348 wrote to memory of 336	2348	{D78AD999-1B8F-495d-9F7E-7F4974BC0F69}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-04-25_49bc73a2a4faf4559c14ef64b382cee0_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-25_49bc73a2a4faf4559c14ef64b382cee0_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2732
- C:\Windows\{6636AE44-E1DC-4e0b-AD27-A78286B049BA}.exe
  C:\Windows\{6636AE44-E1DC-4e0b-AD27-A78286B049BA}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2900
- - C:\Windows\{798BCBA7-A830-46cb-A801-014D28E3049D}.exe
    C:\Windows\{798BCBA7-A830-46cb-A801-014D28E3049D}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2660
  - - C:\Windows\{24DE185F-D2CF-455a-85B6-435AE781DF31}.exe
      C:\Windows\{24DE185F-D2CF-455a-85B6-435AE781DF31}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2596
    - - C:\Windows\{6482C015-E9C8-48ac-B3A3-B54DFBFDADA0}.exe
        
        C:\Windows\{6482C015-E9C8-48ac-B3A3-B54DFBFDADA0}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2944
      - C:\Windows\{393D99A5-4508-4849-83F2-7F32AD157EF2}.exe
        
        C:\Windows\{393D99A5-4508-4849-83F2-7F32AD157EF2}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:624
        
        C:\Windows\{021427B9-6C74-46f1-9CB4-F65D73F464F9}.exe
        
        C:\Windows\{021427B9-6C74-46f1-9CB4-F65D73F464F9}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1836
        
        C:\Windows\{D78AD999-1B8F-495d-9F7E-7F4974BC0F69}.exe
        
        C:\Windows\{D78AD999-1B8F-495d-9F7E-7F4974BC0F69}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2348
        
        C:\Windows\{BC979FE1-DABB-419a-A7B6-6FB676BDAD07}.exe
        
        C:\Windows\{BC979FE1-DABB-419a-A7B6-6FB676BDAD07}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1964
        
        C:\Windows\{0888D161-E3B8-4c49-B40B-499473E637B9}.exe
        
        C:\Windows\{0888D161-E3B8-4c49-B40B-499473E637B9}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1752
        
        C:\Windows\{BCCD0EC5-E979-4da9-BB14-DB73C984EC3F}.exe
        
        C:\Windows\{BCCD0EC5-E979-4da9-BB14-DB73C984EC3F}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2760
        
        C:\Windows\{1777E71B-A3CC-4e29-BD31-57176F6EE29A}.exe
        
        C:\Windows\{1777E71B-A3CC-4e29-BD31-57176F6EE29A}.exe
        12⤵
        Executes dropped EXE
        
        PID:2796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BCCD0~1.EXE > nul
        12⤵
        
        PID:1408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0888D~1.EXE > nul
        11⤵
        
        PID:1156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BC979~1.EXE > nul
        10⤵
        
        PID:556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D78AD~1.EXE > nul
        9⤵
        
        PID:336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{02142~1.EXE > nul
        8⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{393D9~1.EXE > nul
        7⤵
        
        PID:2232
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6482C~1.EXE > nul
        6⤵
        
        PID:1252
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{24DE1~1.EXE > nul
        5⤵
        
        PID:2872
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{798BC~1.EXE > nul
      4⤵
      PID:2524
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{6636A~1.EXE > nul
    3⤵
    PID:2592
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{021427B9-6C74-46f1-9CB4-F65D73F464F9}.exe

Filesize
408KB

MD5
74604872bd64247d4c54d7c09821201d

SHA1
10c62b9187e53af5df081033f84a4789330c220b

SHA256
6c2851ac705e5be353503d128e733e0168f76d92549e02df66fa3c17fffde2d5

SHA512
e2d407b79db03222c9830b4b804579a82347ce3e4d2b08dacf11cbe61458562bfd4a16d1d6d3b72fb60e0778ec9b1964432171479d3a7fbbe09285c1827be691

Download Submit
C:\Windows\{0888D161-E3B8-4c49-B40B-499473E637B9}.exe

Filesize
408KB

MD5
44492e299b2b0d185485c4d0ce4f6851

SHA1
6305b84c355149d414a3f0602321faaf10749ec6

SHA256
a560a63f3539ddecd80e5cdb59a09052ec8cc5185c69596fe1f60c834cc38c36

SHA512
a260b91eda6d948eb16f30ee793927e265299fb3781692a9c285053da1b7b8a407dd5c544b75560350d2f27cbf0f086dab65ad215473f61445bc3c61c34da6c9

Download Submit
C:\Windows\{1777E71B-A3CC-4e29-BD31-57176F6EE29A}.exe

Filesize
408KB

MD5
f35b3983c8c7016fe2cb86dd01894798

SHA1
5fbc3026fe938fb3aa7e62b33cdb8ddee8586b72

SHA256
eb9ba476f68f00d7bd7c185445f5f9a2d65b89ab272be27144e11bed4b286cde

SHA512
cc5f04ab694c9690fa7797b0e2108f28040b33a0aa5dfca2497cee652a57b0629177c4c4a5809ff2e754841eb6964f36b7fe51bb35930b63e038116f198f7e00

Download Submit
C:\Windows\{24DE185F-D2CF-455a-85B6-435AE781DF31}.exe

Filesize
408KB

MD5
769ccbb7a2d0eb8865b94ea095d94c40

SHA1
872bae5535ea862b40178eeddb2ab886b7820d8a

SHA256
6ef305882e47c7e8a594d9fab6099dc2e431d0fca4e1ae4300f7f9348aef1798

SHA512
fe00ab1e264af4e5690dbba54d2f8e3393ea65edbda34defdbcedb6a7a51fa00099a89aefa0e3668e0e1cb50576908978c8e18327a352f76a3fab895dd37e9e6

Download Submit
C:\Windows\{393D99A5-4508-4849-83F2-7F32AD157EF2}.exe

Filesize
408KB

MD5
c1ef7a505c4d0a9ef6ba6ac5567c2993

SHA1
bf94faae9522878e1643dd117ad256c3dc5185f1

SHA256
73b99e687b65760ecea2c693618af639206d8d5e27062b3a6561733299875e37

SHA512
c3d655c51c957996772c73228083885f389c88b97dcb2c2f4ea2e5a53dbb17402bc98b18e25d662299fdca1baa63069a93e7046d064dc345edad55c177729b89

Download Submit
C:\Windows\{6482C015-E9C8-48ac-B3A3-B54DFBFDADA0}.exe

Filesize
408KB

MD5
a5cc23c0ae8daf9b02e6a949bd32cdb6

SHA1
fc70589db0744064195263334d28160ab875d5e4

SHA256
cd01cf4b619d1c77ad41eca4c8b916062489ce06fb828b659ccaf37022649468

SHA512
c94d99a70a5d990503bf0bea8da62353a0ab6b978b0152f4de052ce21a2afdd21bddf434f216c0db4aefc03af399ee84846512a733ee6b7e2780bb835cc7eb9a

Download Submit
C:\Windows\{6636AE44-E1DC-4e0b-AD27-A78286B049BA}.exe

Filesize
408KB

MD5
308822b6c3fd4c2e9b840107944fe330

SHA1
5e9e189912d50cb75fed3b7a1e137e9283f2d1d9

SHA256
69bc48781d5d6ff6e5f994372043d02bcbbe74e3a316ec9cbfb5d5718f37321b

SHA512
27e97a49c2b2da3a2cc28acc656e51896a80435c544cff5c2e80a7f7f221e866b6fe624321c610a63db6c7d41d95245ad770e0d4c561712e626b1a7247544491

Download Submit
C:\Windows\{798BCBA7-A830-46cb-A801-014D28E3049D}.exe

Filesize
408KB

MD5
ab330042d05ce000be417ab02808fa77

SHA1
6d03bc899ebda42dead4ca4b2cb246099a4998ad

SHA256
19e3e73327f5c93362f351d1e9b8500ccfad725283ff9fd1fd9c217e339a7ecb

SHA512
7de19210054271daa5a7170322e83ff5d81c62f7453baa7851e13dd3fe6d5c23ae8e69a4f6674504cda2e274adf2d068b753a81e62d8e98e278a00756b945d79

Download Submit
C:\Windows\{BC979FE1-DABB-419a-A7B6-6FB676BDAD07}.exe

Filesize
408KB

MD5
fed36bab6f81522d631044a249883fe9

SHA1
cb2201162fec299a26a304c5ce32526e63152291

SHA256
da801fdc869f9c8e2c260b6328bfa925a7445414d3ad2bdb2df84013db8f9878

SHA512
1ba69632905d64a84bb636ab9d910a29ebd4ae095dee4bc9de8dbc0be57b3b3a74c99cc57e407933056aa179f9c40897160977f1aaa4496109f35e1a004da719

Download Submit
C:\Windows\{BCCD0EC5-E979-4da9-BB14-DB73C984EC3F}.exe

Filesize
408KB

MD5
3de36e82e6014d11f6d1751a5f49aaa5

SHA1
714d6746957a69b7176aad57130d05adeae019ce

SHA256
875099e0dbd2ab1bf105f28c6ac43b78509822d24c61dd16bcf3ebe8f5fa65c7

SHA512
6a22f4ec76908f9d0447e3390fdda7ddf3b8ad61bb2ba85aa67616e639bd666da25f5ae7070f96b68fef35154ed87838579aa7a9eb1af813c1e93cfa1ce1a636

Download Submit
C:\Windows\{D78AD999-1B8F-495d-9F7E-7F4974BC0F69}.exe

Filesize
408KB

MD5
27d49b0a554a5d8b2d5a1471ce280e6f

SHA1
6bd5a4e85e05578f94144eca6719229760216912

SHA256
c052a74796f1db73369d4c6a62c26d240a22b105216e4aadda0a879a1342416e

SHA512
76392104f3c67b18d77bc2b89d363105fb69f0a9f25a9959818110775ffe69c408c6781d347bd1a51d79836a8fa44105acccd3f0e9067ff6c6a567684d9bf61a

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads