238abc117a0479481424865fa47ce3141b062bca539db5113e515508aea7802b

Analysis

max time kernel
144s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
26/04/2024, 05:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-26_fbb99ef155747fcd5a35d4a595f7b4b3_goldeneye.exe
Size

180KB
MD5

fbb99ef155747fcd5a35d4a595f7b4b3
SHA1

5d57f9fe9331737f71c64500a075896f21844dfd
SHA256

238abc117a0479481424865fa47ce3141b062bca539db5113e515508aea7802b
SHA512

9cd1338343fde2c24b1634e7fcb308a78c812b65cc67453342c0ef34de7281a8d9e80fd9504ad3e355addf72cc5c76c69c6040c11dac18ba25e3d99adde76206
SSDEEP

3072:jEGh0oAlfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGWl5eKcAEc

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000c00000001234b-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b0000000143e5-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d00000001234b-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00090000000146f4-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e00000001234b-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f00000001234b-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001000000001234b-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{40FACE44-17B4-441b-9419-FC3502F01B6B}\stubpath = "C:\\Windows\\{40FACE44-17B4-441b-9419-FC3502F01B6B}.exe"	2024-04-26_fbb99ef155747fcd5a35d4a595f7b4b3_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1CCF2821-B0C0-4448-B725-587309552E76}	{64781E4D-6990-4e77-B33D-77A666D9259E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{82832785-06AF-4a02-ACA8-2A9926A6FE24}\stubpath = "C:\\Windows\\{82832785-06AF-4a02-ACA8-2A9926A6FE24}.exe"	{1CCF2821-B0C0-4448-B725-587309552E76}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{874D0A14-F470-4f3e-BC50-DF8103D4EE2C}\stubpath = "C:\\Windows\\{874D0A14-F470-4f3e-BC50-DF8103D4EE2C}.exe"	{82832785-06AF-4a02-ACA8-2A9926A6FE24}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8F655BB5-AA37-4cac-A7AA-90C54B9BB6CE}\stubpath = "C:\\Windows\\{8F655BB5-AA37-4cac-A7AA-90C54B9BB6CE}.exe"	{A2AC7055-6CAF-44f8-AD09-7F8E0E8EB486}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C3AD385F-2396-43da-B51C-CA4492448A23}	{A9584C59-E809-4a62-8E29-815373593064}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{82832785-06AF-4a02-ACA8-2A9926A6FE24}	{1CCF2821-B0C0-4448-B725-587309552E76}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A9584C59-E809-4a62-8E29-815373593064}	{8F655BB5-AA37-4cac-A7AA-90C54B9BB6CE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1CCF2821-B0C0-4448-B725-587309552E76}\stubpath = "C:\\Windows\\{1CCF2821-B0C0-4448-B725-587309552E76}.exe"	{64781E4D-6990-4e77-B33D-77A666D9259E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{874D0A14-F470-4f3e-BC50-DF8103D4EE2C}	{82832785-06AF-4a02-ACA8-2A9926A6FE24}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{244B1FCD-FB81-4e6c-BEDD-69E0E0F4238A}\stubpath = "C:\\Windows\\{244B1FCD-FB81-4e6c-BEDD-69E0E0F4238A}.exe"	{874D0A14-F470-4f3e-BC50-DF8103D4EE2C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8F655BB5-AA37-4cac-A7AA-90C54B9BB6CE}	{A2AC7055-6CAF-44f8-AD09-7F8E0E8EB486}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A9584C59-E809-4a62-8E29-815373593064}\stubpath = "C:\\Windows\\{A9584C59-E809-4a62-8E29-815373593064}.exe"	{8F655BB5-AA37-4cac-A7AA-90C54B9BB6CE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A2AC7055-6CAF-44f8-AD09-7F8E0E8EB486}\stubpath = "C:\\Windows\\{A2AC7055-6CAF-44f8-AD09-7F8E0E8EB486}.exe"	{FEC0308D-EC47-462d-ACC9-2259DB15EF3E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{40FACE44-17B4-441b-9419-FC3502F01B6B}	2024-04-26_fbb99ef155747fcd5a35d4a595f7b4b3_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{64781E4D-6990-4e77-B33D-77A666D9259E}	{40FACE44-17B4-441b-9419-FC3502F01B6B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{64781E4D-6990-4e77-B33D-77A666D9259E}\stubpath = "C:\\Windows\\{64781E4D-6990-4e77-B33D-77A666D9259E}.exe"	{40FACE44-17B4-441b-9419-FC3502F01B6B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{244B1FCD-FB81-4e6c-BEDD-69E0E0F4238A}	{874D0A14-F470-4f3e-BC50-DF8103D4EE2C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FEC0308D-EC47-462d-ACC9-2259DB15EF3E}	{244B1FCD-FB81-4e6c-BEDD-69E0E0F4238A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FEC0308D-EC47-462d-ACC9-2259DB15EF3E}\stubpath = "C:\\Windows\\{FEC0308D-EC47-462d-ACC9-2259DB15EF3E}.exe"	{244B1FCD-FB81-4e6c-BEDD-69E0E0F4238A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A2AC7055-6CAF-44f8-AD09-7F8E0E8EB486}	{FEC0308D-EC47-462d-ACC9-2259DB15EF3E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C3AD385F-2396-43da-B51C-CA4492448A23}\stubpath = "C:\\Windows\\{C3AD385F-2396-43da-B51C-CA4492448A23}.exe"	{A9584C59-E809-4a62-8E29-815373593064}.exe

Deletes itself 1 IoCs

pid	Process
2988	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2960	{40FACE44-17B4-441b-9419-FC3502F01B6B}.exe
2504	{64781E4D-6990-4e77-B33D-77A666D9259E}.exe
2240	{1CCF2821-B0C0-4448-B725-587309552E76}.exe
2520	{82832785-06AF-4a02-ACA8-2A9926A6FE24}.exe
1872	{874D0A14-F470-4f3e-BC50-DF8103D4EE2C}.exe
1936	{244B1FCD-FB81-4e6c-BEDD-69E0E0F4238A}.exe
1368	{FEC0308D-EC47-462d-ACC9-2259DB15EF3E}.exe
1448	{A2AC7055-6CAF-44f8-AD09-7F8E0E8EB486}.exe
2868	{8F655BB5-AA37-4cac-A7AA-90C54B9BB6CE}.exe
788	{A9584C59-E809-4a62-8E29-815373593064}.exe
836	{C3AD385F-2396-43da-B51C-CA4492448A23}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{8F655BB5-AA37-4cac-A7AA-90C54B9BB6CE}.exe	{A2AC7055-6CAF-44f8-AD09-7F8E0E8EB486}.exe
File created	C:\Windows\{40FACE44-17B4-441b-9419-FC3502F01B6B}.exe	2024-04-26_fbb99ef155747fcd5a35d4a595f7b4b3_goldeneye.exe
File created	C:\Windows\{64781E4D-6990-4e77-B33D-77A666D9259E}.exe	{40FACE44-17B4-441b-9419-FC3502F01B6B}.exe
File created	C:\Windows\{82832785-06AF-4a02-ACA8-2A9926A6FE24}.exe	{1CCF2821-B0C0-4448-B725-587309552E76}.exe
File created	C:\Windows\{FEC0308D-EC47-462d-ACC9-2259DB15EF3E}.exe	{244B1FCD-FB81-4e6c-BEDD-69E0E0F4238A}.exe
File created	C:\Windows\{A2AC7055-6CAF-44f8-AD09-7F8E0E8EB486}.exe	{FEC0308D-EC47-462d-ACC9-2259DB15EF3E}.exe
File created	C:\Windows\{A9584C59-E809-4a62-8E29-815373593064}.exe	{8F655BB5-AA37-4cac-A7AA-90C54B9BB6CE}.exe
File created	C:\Windows\{C3AD385F-2396-43da-B51C-CA4492448A23}.exe	{A9584C59-E809-4a62-8E29-815373593064}.exe
File created	C:\Windows\{1CCF2821-B0C0-4448-B725-587309552E76}.exe	{64781E4D-6990-4e77-B33D-77A666D9259E}.exe
File created	C:\Windows\{874D0A14-F470-4f3e-BC50-DF8103D4EE2C}.exe	{82832785-06AF-4a02-ACA8-2A9926A6FE24}.exe
File created	C:\Windows\{244B1FCD-FB81-4e6c-BEDD-69E0E0F4238A}.exe	{874D0A14-F470-4f3e-BC50-DF8103D4EE2C}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2004	2024-04-26_fbb99ef155747fcd5a35d4a595f7b4b3_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2960	{40FACE44-17B4-441b-9419-FC3502F01B6B}.exe
Token: SeIncBasePriorityPrivilege	2504	{64781E4D-6990-4e77-B33D-77A666D9259E}.exe
Token: SeIncBasePriorityPrivilege	2240	{1CCF2821-B0C0-4448-B725-587309552E76}.exe
Token: SeIncBasePriorityPrivilege	2520	{82832785-06AF-4a02-ACA8-2A9926A6FE24}.exe
Token: SeIncBasePriorityPrivilege	1872	{874D0A14-F470-4f3e-BC50-DF8103D4EE2C}.exe
Token: SeIncBasePriorityPrivilege	1936	{244B1FCD-FB81-4e6c-BEDD-69E0E0F4238A}.exe
Token: SeIncBasePriorityPrivilege	1368	{FEC0308D-EC47-462d-ACC9-2259DB15EF3E}.exe
Token: SeIncBasePriorityPrivilege	1448	{A2AC7055-6CAF-44f8-AD09-7F8E0E8EB486}.exe
Token: SeIncBasePriorityPrivilege	2868	{8F655BB5-AA37-4cac-A7AA-90C54B9BB6CE}.exe
Token: SeIncBasePriorityPrivilege	788	{A9584C59-E809-4a62-8E29-815373593064}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2004 wrote to memory of 2960	2004	2024-04-26_fbb99ef155747fcd5a35d4a595f7b4b3_goldeneye.exe	28
PID 2004 wrote to memory of 2960	2004	2024-04-26_fbb99ef155747fcd5a35d4a595f7b4b3_goldeneye.exe	28
PID 2004 wrote to memory of 2960	2004	2024-04-26_fbb99ef155747fcd5a35d4a595f7b4b3_goldeneye.exe	28
PID 2004 wrote to memory of 2960	2004	2024-04-26_fbb99ef155747fcd5a35d4a595f7b4b3_goldeneye.exe	28
PID 2004 wrote to memory of 2988	2004	2024-04-26_fbb99ef155747fcd5a35d4a595f7b4b3_goldeneye.exe	29
PID 2004 wrote to memory of 2988	2004	2024-04-26_fbb99ef155747fcd5a35d4a595f7b4b3_goldeneye.exe	29
PID 2004 wrote to memory of 2988	2004	2024-04-26_fbb99ef155747fcd5a35d4a595f7b4b3_goldeneye.exe	29
PID 2004 wrote to memory of 2988	2004	2024-04-26_fbb99ef155747fcd5a35d4a595f7b4b3_goldeneye.exe	29
PID 2960 wrote to memory of 2504	2960	{40FACE44-17B4-441b-9419-FC3502F01B6B}.exe	30
PID 2960 wrote to memory of 2504	2960	{40FACE44-17B4-441b-9419-FC3502F01B6B}.exe	30
PID 2960 wrote to memory of 2504	2960	{40FACE44-17B4-441b-9419-FC3502F01B6B}.exe	30
PID 2960 wrote to memory of 2504	2960	{40FACE44-17B4-441b-9419-FC3502F01B6B}.exe	30
PID 2960 wrote to memory of 2608	2960	{40FACE44-17B4-441b-9419-FC3502F01B6B}.exe	31
PID 2960 wrote to memory of 2608	2960	{40FACE44-17B4-441b-9419-FC3502F01B6B}.exe	31
PID 2960 wrote to memory of 2608	2960	{40FACE44-17B4-441b-9419-FC3502F01B6B}.exe	31
PID 2960 wrote to memory of 2608	2960	{40FACE44-17B4-441b-9419-FC3502F01B6B}.exe	31
PID 2504 wrote to memory of 2240	2504	{64781E4D-6990-4e77-B33D-77A666D9259E}.exe	32
PID 2504 wrote to memory of 2240	2504	{64781E4D-6990-4e77-B33D-77A666D9259E}.exe	32
PID 2504 wrote to memory of 2240	2504	{64781E4D-6990-4e77-B33D-77A666D9259E}.exe	32
PID 2504 wrote to memory of 2240	2504	{64781E4D-6990-4e77-B33D-77A666D9259E}.exe	32
PID 2504 wrote to memory of 2648	2504	{64781E4D-6990-4e77-B33D-77A666D9259E}.exe	33
PID 2504 wrote to memory of 2648	2504	{64781E4D-6990-4e77-B33D-77A666D9259E}.exe	33
PID 2504 wrote to memory of 2648	2504	{64781E4D-6990-4e77-B33D-77A666D9259E}.exe	33
PID 2504 wrote to memory of 2648	2504	{64781E4D-6990-4e77-B33D-77A666D9259E}.exe	33
PID 2240 wrote to memory of 2520	2240	{1CCF2821-B0C0-4448-B725-587309552E76}.exe	36
PID 2240 wrote to memory of 2520	2240	{1CCF2821-B0C0-4448-B725-587309552E76}.exe	36
PID 2240 wrote to memory of 2520	2240	{1CCF2821-B0C0-4448-B725-587309552E76}.exe	36
PID 2240 wrote to memory of 2520	2240	{1CCF2821-B0C0-4448-B725-587309552E76}.exe	36
PID 2240 wrote to memory of 2632	2240	{1CCF2821-B0C0-4448-B725-587309552E76}.exe	37
PID 2240 wrote to memory of 2632	2240	{1CCF2821-B0C0-4448-B725-587309552E76}.exe	37
PID 2240 wrote to memory of 2632	2240	{1CCF2821-B0C0-4448-B725-587309552E76}.exe	37
PID 2240 wrote to memory of 2632	2240	{1CCF2821-B0C0-4448-B725-587309552E76}.exe	37
PID 2520 wrote to memory of 1872	2520	{82832785-06AF-4a02-ACA8-2A9926A6FE24}.exe	38
PID 2520 wrote to memory of 1872	2520	{82832785-06AF-4a02-ACA8-2A9926A6FE24}.exe	38
PID 2520 wrote to memory of 1872	2520	{82832785-06AF-4a02-ACA8-2A9926A6FE24}.exe	38
PID 2520 wrote to memory of 1872	2520	{82832785-06AF-4a02-ACA8-2A9926A6FE24}.exe	38
PID 2520 wrote to memory of 1744	2520	{82832785-06AF-4a02-ACA8-2A9926A6FE24}.exe	39
PID 2520 wrote to memory of 1744	2520	{82832785-06AF-4a02-ACA8-2A9926A6FE24}.exe	39
PID 2520 wrote to memory of 1744	2520	{82832785-06AF-4a02-ACA8-2A9926A6FE24}.exe	39
PID 2520 wrote to memory of 1744	2520	{82832785-06AF-4a02-ACA8-2A9926A6FE24}.exe	39
PID 1872 wrote to memory of 1936	1872	{874D0A14-F470-4f3e-BC50-DF8103D4EE2C}.exe	40
PID 1872 wrote to memory of 1936	1872	{874D0A14-F470-4f3e-BC50-DF8103D4EE2C}.exe	40
PID 1872 wrote to memory of 1936	1872	{874D0A14-F470-4f3e-BC50-DF8103D4EE2C}.exe	40
PID 1872 wrote to memory of 1936	1872	{874D0A14-F470-4f3e-BC50-DF8103D4EE2C}.exe	40
PID 1872 wrote to memory of 1604	1872	{874D0A14-F470-4f3e-BC50-DF8103D4EE2C}.exe	41
PID 1872 wrote to memory of 1604	1872	{874D0A14-F470-4f3e-BC50-DF8103D4EE2C}.exe	41
PID 1872 wrote to memory of 1604	1872	{874D0A14-F470-4f3e-BC50-DF8103D4EE2C}.exe	41
PID 1872 wrote to memory of 1604	1872	{874D0A14-F470-4f3e-BC50-DF8103D4EE2C}.exe	41
PID 1936 wrote to memory of 1368	1936	{244B1FCD-FB81-4e6c-BEDD-69E0E0F4238A}.exe	42
PID 1936 wrote to memory of 1368	1936	{244B1FCD-FB81-4e6c-BEDD-69E0E0F4238A}.exe	42
PID 1936 wrote to memory of 1368	1936	{244B1FCD-FB81-4e6c-BEDD-69E0E0F4238A}.exe	42
PID 1936 wrote to memory of 1368	1936	{244B1FCD-FB81-4e6c-BEDD-69E0E0F4238A}.exe	42
PID 1936 wrote to memory of 552	1936	{244B1FCD-FB81-4e6c-BEDD-69E0E0F4238A}.exe	43
PID 1936 wrote to memory of 552	1936	{244B1FCD-FB81-4e6c-BEDD-69E0E0F4238A}.exe	43
PID 1936 wrote to memory of 552	1936	{244B1FCD-FB81-4e6c-BEDD-69E0E0F4238A}.exe	43
PID 1936 wrote to memory of 552	1936	{244B1FCD-FB81-4e6c-BEDD-69E0E0F4238A}.exe	43
PID 1368 wrote to memory of 1448	1368	{FEC0308D-EC47-462d-ACC9-2259DB15EF3E}.exe	44
PID 1368 wrote to memory of 1448	1368	{FEC0308D-EC47-462d-ACC9-2259DB15EF3E}.exe	44
PID 1368 wrote to memory of 1448	1368	{FEC0308D-EC47-462d-ACC9-2259DB15EF3E}.exe	44
PID 1368 wrote to memory of 1448	1368	{FEC0308D-EC47-462d-ACC9-2259DB15EF3E}.exe	44
PID 1368 wrote to memory of 2808	1368	{FEC0308D-EC47-462d-ACC9-2259DB15EF3E}.exe	45
PID 1368 wrote to memory of 2808	1368	{FEC0308D-EC47-462d-ACC9-2259DB15EF3E}.exe	45
PID 1368 wrote to memory of 2808	1368	{FEC0308D-EC47-462d-ACC9-2259DB15EF3E}.exe	45
PID 1368 wrote to memory of 2808	1368	{FEC0308D-EC47-462d-ACC9-2259DB15EF3E}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-04-26_fbb99ef155747fcd5a35d4a595f7b4b3_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-26_fbb99ef155747fcd5a35d4a595f7b4b3_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2004
- C:\Windows\{40FACE44-17B4-441b-9419-FC3502F01B6B}.exe
  C:\Windows\{40FACE44-17B4-441b-9419-FC3502F01B6B}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2960
- - C:\Windows\{64781E4D-6990-4e77-B33D-77A666D9259E}.exe
    C:\Windows\{64781E4D-6990-4e77-B33D-77A666D9259E}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2504
  - - C:\Windows\{1CCF2821-B0C0-4448-B725-587309552E76}.exe
      C:\Windows\{1CCF2821-B0C0-4448-B725-587309552E76}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2240
    - - C:\Windows\{82832785-06AF-4a02-ACA8-2A9926A6FE24}.exe
        
        C:\Windows\{82832785-06AF-4a02-ACA8-2A9926A6FE24}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2520
      - C:\Windows\{874D0A14-F470-4f3e-BC50-DF8103D4EE2C}.exe
        
        C:\Windows\{874D0A14-F470-4f3e-BC50-DF8103D4EE2C}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1872
        
        C:\Windows\{244B1FCD-FB81-4e6c-BEDD-69E0E0F4238A}.exe
        
        C:\Windows\{244B1FCD-FB81-4e6c-BEDD-69E0E0F4238A}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1936
        
        C:\Windows\{FEC0308D-EC47-462d-ACC9-2259DB15EF3E}.exe
        
        C:\Windows\{FEC0308D-EC47-462d-ACC9-2259DB15EF3E}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1368
        
        C:\Windows\{A2AC7055-6CAF-44f8-AD09-7F8E0E8EB486}.exe
        
        C:\Windows\{A2AC7055-6CAF-44f8-AD09-7F8E0E8EB486}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1448
        
        C:\Windows\{8F655BB5-AA37-4cac-A7AA-90C54B9BB6CE}.exe
        
        C:\Windows\{8F655BB5-AA37-4cac-A7AA-90C54B9BB6CE}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2868
        
        C:\Windows\{A9584C59-E809-4a62-8E29-815373593064}.exe
        
        C:\Windows\{A9584C59-E809-4a62-8E29-815373593064}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:788
        
        C:\Windows\{C3AD385F-2396-43da-B51C-CA4492448A23}.exe
        
        C:\Windows\{C3AD385F-2396-43da-B51C-CA4492448A23}.exe
        12⤵
        Executes dropped EXE
        
        PID:836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A9584~1.EXE > nul
        12⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8F655~1.EXE > nul
        11⤵
        
        PID:1308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A2AC7~1.EXE > nul
        10⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FEC03~1.EXE > nul
        9⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{244B1~1.EXE > nul
        8⤵
        
        PID:552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{874D0~1.EXE > nul
        7⤵
        
        PID:1604
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{82832~1.EXE > nul
        6⤵
        
        PID:1744
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1CCF2~1.EXE > nul
        5⤵
        
        PID:2632
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{64781~1.EXE > nul
      4⤵
      PID:2648
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{40FAC~1.EXE > nul
    3⤵
    PID:2608
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1CCF2821-B0C0-4448-B725-587309552E76}.exe

Filesize
180KB

MD5
2cc3edf79225a5107b69aab5b942f99f

SHA1
147b1d81d68e2a2f36bf5835eb868c3d38a64816

SHA256
e81182cd8b7cff5348a5d77c4443df518f7df04a8ffd0c15c583b7a92670103a

SHA512
11f0f13617ed848e6f1c3abcd978c34dfa674280fabc39d2e98b5e428147cf45186e25c5662f09697bc1e6e363f41b229ade539fb186847a5472a51dc703fb10

Download Submit
C:\Windows\{244B1FCD-FB81-4e6c-BEDD-69E0E0F4238A}.exe

Filesize
180KB

MD5
67ff0ab344acaa840a3b62bce3629b68

SHA1
8e56e842d233aee55015025d773f0cfdf0a6533d

SHA256
fcff36f06aa5f853549701b2b090966e515632583751a6c87d9f5e29549a7d12

SHA512
9933d91b3cc379b6513b32898048d412e77c9875827d4e73e4725629746d5f6b10aa84a63a0cfa9ffa3fe56ec2b6ecf38a999c290f2f64ca7ee33aa5898bd9a6

Download Submit
C:\Windows\{40FACE44-17B4-441b-9419-FC3502F01B6B}.exe

Filesize
180KB

MD5
43418bbd2e58ad2548f46392178a6e42

SHA1
926f1549366e35054902ed70b6324443fc29b1c3

SHA256
e50daa29c806e07ca675af608280068064ff6b8218f2e2115b1ae12ac97f5036

SHA512
7160c74b1bd88d21c44f911288171f4ce5e4a9ca07a1561aeb4e7dc8b8fd98a468123e30a8025ce48ae4469a94ac1cb10dc2bf52001fcbf28a6e84ae7a636de0

Download Submit
C:\Windows\{64781E4D-6990-4e77-B33D-77A666D9259E}.exe

Filesize
180KB

MD5
2f7a72fe01fa126f782e20c6c6b827b8

SHA1
2139b3a609a74a0925c89957e970580d84c112f2

SHA256
689b405bbc16f5d713a9125529a48c10ae2551f84f1c06ad137edc89e7b1a553

SHA512
ea404564018bca7f9dcd9d0f2326e2ff363e24b832511ad196c8777e076d4e2bdc5f6e7f54536767b0cc04c80909bcc12a69f6cac6b4926423bbf1caf6ab9284

Download Submit
C:\Windows\{82832785-06AF-4a02-ACA8-2A9926A6FE24}.exe

Filesize
180KB

MD5
f3f33ac0f503bff0b3905629489e42e4

SHA1
ff866f84853c8ebb24f59809abda1b3c43ab45c6

SHA256
aca1f895676679c55b71bc28ede41aea8c5c962d5e1f02e9fa31a1ae6bf0dd1f

SHA512
f7270e3503b27709face96855f2b64f6a30366abb9f746cc3840315c0eee34c3c46da23d13cac8bfe0ff21ead487fdae6db7e9d036c766d3e66f1c017ed30f29

Download Submit
C:\Windows\{874D0A14-F470-4f3e-BC50-DF8103D4EE2C}.exe

Filesize
180KB

MD5
5090bcb314e731a36b5741af99fd0bd3

SHA1
ea8e89d5526777e9cfe52d5dbe7efeddda5452ef

SHA256
848b7940e36ad6687f23ee3c9d796fb74b97d836e8c4ff0e13e6525938816c62

SHA512
f74487bf8df75b275df9a2a845bd53696bc2c6d856c8f67bd91fbd1adb084833b6394860a733e3116d980e3c0feaa24e1c2f1cfb307b2f1d335fd68dc277a5e8

Download Submit
C:\Windows\{8F655BB5-AA37-4cac-A7AA-90C54B9BB6CE}.exe

Filesize
180KB

MD5
0e5b1428bd9e6058675ef45100f3c82f

SHA1
f1da83b62cf7d14a293d09b8272bd9b251174ea5

SHA256
5f6f14e78e8fade3330085da26aff10beab53ab662537648e51a431241b606ba

SHA512
00fb29ccf1ea1af6b9aacbc09f289481c4a5e255e0c03916d22c6d932a5959ede6b72107cbbf80d1d423aef583d1c4a43479f4fa14e6d1fcdbcb0db1c547453a

Download Submit
C:\Windows\{A2AC7055-6CAF-44f8-AD09-7F8E0E8EB486}.exe

Filesize
180KB

MD5
3bd139e9169ba86176c891eb44f46fcf

SHA1
2ddf12399c56223f85cc569a1f09efaf0bb002c1

SHA256
837433ffdd717698474c31d5b4ff14dc1526dd629afa507d5463148685637b7d

SHA512
f153b8c9a2ad4512f009dd70d3772a817747ca232da7a972a079db9e34c3cc2e5362de87c85d4af99cebf2602cd5dab9c93d5f7f2d9cd6a1f302e2849236cd30

Download Submit
C:\Windows\{A9584C59-E809-4a62-8E29-815373593064}.exe

Filesize
180KB

MD5
db7b5d95707a9206865ef5bdfc440b4f

SHA1
07221bceff49da7aa901b338f692d7ff375deffd

SHA256
e692be6a03d43b3db545c9801673113ce105247e5e40bf5704560185c5f3dd79

SHA512
708e39de868b2b8f940c05461afecf8ee04fca7792f8497b55b29c4d7e9b3eb02d1d3716468afeec352bbc278db9aa61648611027a5ea99458cb99de59506388

Download Submit
C:\Windows\{C3AD385F-2396-43da-B51C-CA4492448A23}.exe

Filesize
180KB

MD5
91037d32cf8f8c35ec3b2edd91f75039

SHA1
08a12856f7d046b968d9bc6527e2738737c3b93a

SHA256
733ced2a5d4d6b32ddbe18968ea9ee821f083c4cfd79b42b678341f2686ed226

SHA512
2a5f77f7b3330f8601f68a74dcc8cb5b7dc08f310d244ef9aab68a349be3a1ca338a6b1c8e78d12e7e677a2c88c28851b77ef34899b9e6973f10b1033e6a6f98

Download Submit
C:\Windows\{FEC0308D-EC47-462d-ACC9-2259DB15EF3E}.exe

Filesize
180KB

MD5
560730d904858d2eb4423205920ed1e4

SHA1
f4322e7b4aa9b9ba7843ef819550d03278cb363a

SHA256
cdfc68e7399f3e9669d9c683e8f4840f8b85afff528431879c5f46627af6563c

SHA512
b229c65c538b57d87caf7f91a08e745ca6b9202e278d168b410044171fbd927c9dcaa77eb26b104cc084fdee47974fb3f5db676a34e567f4584b3d8db3e8091f

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads