c78d3f0bf0a4d328d16bf179b67a767261d33248dadf00de548d9ade75b6fe2b

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
27/04/2024, 05:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-27_a79013869de5bb8ffa994d55fd8946fa_goldeneye.exe
Size

204KB
MD5

a79013869de5bb8ffa994d55fd8946fa
SHA1

97babb54a0146e3867702f38a8fb7b656270430f
SHA256

c78d3f0bf0a4d328d16bf179b67a767261d33248dadf00de548d9ade75b6fe2b
SHA512

f3051593e8de324dc4161cd316ec39cf1a60c93ece7a64179b927dae52685b9a70a2ebf3b3ba5589cb0f05ae25f66294103fd92ebaa74a44db7a325da85fce99
SSDEEP

1536:1EGh0oWl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oWl1OPOe2MUVg3Ve+rXfMUy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000a00000001466c-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00080000000155d9-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f00000000f680-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b00000001466c-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001000000000f680-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00090000000155d9-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001100000000f680-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a0000000155d9-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001200000000f680-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b0000000155d9-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001300000000f680-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{99C6C4A7-F8B7-4264-8E82-4A86AC5B4A18}\stubpath = "C:\\Windows\\{99C6C4A7-F8B7-4264-8E82-4A86AC5B4A18}.exe"	{9D383D54-0707-4419-805F-A990548721DF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{78F1546D-75B5-491e-8F66-8A1722B9DB73}	{33D5CD21-3744-4aa4-83E8-CF4B92774266}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1D617451-D93C-4a0f-ABA7-A660363424C9}	{CC813365-B61F-415c-81C4-EF776CE2C341}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{20805EEA-895B-49e6-8AC9-3D3A50276B71}	{1D617451-D93C-4a0f-ABA7-A660363424C9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9D383D54-0707-4419-805F-A990548721DF}\stubpath = "C:\\Windows\\{9D383D54-0707-4419-805F-A990548721DF}.exe"	{F7F12357-37A4-44b6-8FB4-7029218CDCF4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{33D5CD21-3744-4aa4-83E8-CF4B92774266}\stubpath = "C:\\Windows\\{33D5CD21-3744-4aa4-83E8-CF4B92774266}.exe"	{99C6C4A7-F8B7-4264-8E82-4A86AC5B4A18}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{78F1546D-75B5-491e-8F66-8A1722B9DB73}\stubpath = "C:\\Windows\\{78F1546D-75B5-491e-8F66-8A1722B9DB73}.exe"	{33D5CD21-3744-4aa4-83E8-CF4B92774266}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{20805EEA-895B-49e6-8AC9-3D3A50276B71}\stubpath = "C:\\Windows\\{20805EEA-895B-49e6-8AC9-3D3A50276B71}.exe"	{1D617451-D93C-4a0f-ABA7-A660363424C9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F7F12357-37A4-44b6-8FB4-7029218CDCF4}	{3C910FA3-6879-4aa4-A493-77F5032480F4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F7F12357-37A4-44b6-8FB4-7029218CDCF4}\stubpath = "C:\\Windows\\{F7F12357-37A4-44b6-8FB4-7029218CDCF4}.exe"	{3C910FA3-6879-4aa4-A493-77F5032480F4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9D383D54-0707-4419-805F-A990548721DF}	{F7F12357-37A4-44b6-8FB4-7029218CDCF4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{99C6C4A7-F8B7-4264-8E82-4A86AC5B4A18}	{9D383D54-0707-4419-805F-A990548721DF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{33D5CD21-3744-4aa4-83E8-CF4B92774266}	{99C6C4A7-F8B7-4264-8E82-4A86AC5B4A18}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{52C8E808-95B6-4ea2-99EB-07B0B10A7400}	{78F1546D-75B5-491e-8F66-8A1722B9DB73}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{52C8E808-95B6-4ea2-99EB-07B0B10A7400}\stubpath = "C:\\Windows\\{52C8E808-95B6-4ea2-99EB-07B0B10A7400}.exe"	{78F1546D-75B5-491e-8F66-8A1722B9DB73}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{648D905F-0D96-4aec-91FF-F25574FD0447}\stubpath = "C:\\Windows\\{648D905F-0D96-4aec-91FF-F25574FD0447}.exe"	{52C8E808-95B6-4ea2-99EB-07B0B10A7400}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3C910FA3-6879-4aa4-A493-77F5032480F4}	2024-04-27_a79013869de5bb8ffa994d55fd8946fa_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CC813365-B61F-415c-81C4-EF776CE2C341}\stubpath = "C:\\Windows\\{CC813365-B61F-415c-81C4-EF776CE2C341}.exe"	{648D905F-0D96-4aec-91FF-F25574FD0447}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{648D905F-0D96-4aec-91FF-F25574FD0447}	{52C8E808-95B6-4ea2-99EB-07B0B10A7400}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CC813365-B61F-415c-81C4-EF776CE2C341}	{648D905F-0D96-4aec-91FF-F25574FD0447}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1D617451-D93C-4a0f-ABA7-A660363424C9}\stubpath = "C:\\Windows\\{1D617451-D93C-4a0f-ABA7-A660363424C9}.exe"	{CC813365-B61F-415c-81C4-EF776CE2C341}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3C910FA3-6879-4aa4-A493-77F5032480F4}\stubpath = "C:\\Windows\\{3C910FA3-6879-4aa4-A493-77F5032480F4}.exe"	2024-04-27_a79013869de5bb8ffa994d55fd8946fa_goldeneye.exe

Deletes itself 1 IoCs

pid	Process
2316	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2308	{3C910FA3-6879-4aa4-A493-77F5032480F4}.exe
2572	{F7F12357-37A4-44b6-8FB4-7029218CDCF4}.exe
2528	{9D383D54-0707-4419-805F-A990548721DF}.exe
2368	{99C6C4A7-F8B7-4264-8E82-4A86AC5B4A18}.exe
552	{33D5CD21-3744-4aa4-83E8-CF4B92774266}.exe
1660	{78F1546D-75B5-491e-8F66-8A1722B9DB73}.exe
308	{52C8E808-95B6-4ea2-99EB-07B0B10A7400}.exe
2216	{648D905F-0D96-4aec-91FF-F25574FD0447}.exe
1556	{CC813365-B61F-415c-81C4-EF776CE2C341}.exe
1616	{1D617451-D93C-4a0f-ABA7-A660363424C9}.exe
2152	{20805EEA-895B-49e6-8AC9-3D3A50276B71}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{648D905F-0D96-4aec-91FF-F25574FD0447}.exe	{52C8E808-95B6-4ea2-99EB-07B0B10A7400}.exe
File created	C:\Windows\{9D383D54-0707-4419-805F-A990548721DF}.exe	{F7F12357-37A4-44b6-8FB4-7029218CDCF4}.exe
File created	C:\Windows\{33D5CD21-3744-4aa4-83E8-CF4B92774266}.exe	{99C6C4A7-F8B7-4264-8E82-4A86AC5B4A18}.exe
File created	C:\Windows\{78F1546D-75B5-491e-8F66-8A1722B9DB73}.exe	{33D5CD21-3744-4aa4-83E8-CF4B92774266}.exe
File created	C:\Windows\{52C8E808-95B6-4ea2-99EB-07B0B10A7400}.exe	{78F1546D-75B5-491e-8F66-8A1722B9DB73}.exe
File created	C:\Windows\{CC813365-B61F-415c-81C4-EF776CE2C341}.exe	{648D905F-0D96-4aec-91FF-F25574FD0447}.exe
File created	C:\Windows\{1D617451-D93C-4a0f-ABA7-A660363424C9}.exe	{CC813365-B61F-415c-81C4-EF776CE2C341}.exe
File created	C:\Windows\{20805EEA-895B-49e6-8AC9-3D3A50276B71}.exe	{1D617451-D93C-4a0f-ABA7-A660363424C9}.exe
File created	C:\Windows\{3C910FA3-6879-4aa4-A493-77F5032480F4}.exe	2024-04-27_a79013869de5bb8ffa994d55fd8946fa_goldeneye.exe
File created	C:\Windows\{F7F12357-37A4-44b6-8FB4-7029218CDCF4}.exe	{3C910FA3-6879-4aa4-A493-77F5032480F4}.exe
File created	C:\Windows\{99C6C4A7-F8B7-4264-8E82-4A86AC5B4A18}.exe	{9D383D54-0707-4419-805F-A990548721DF}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2072	2024-04-27_a79013869de5bb8ffa994d55fd8946fa_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2308	{3C910FA3-6879-4aa4-A493-77F5032480F4}.exe
Token: SeIncBasePriorityPrivilege	2572	{F7F12357-37A4-44b6-8FB4-7029218CDCF4}.exe
Token: SeIncBasePriorityPrivilege	2528	{9D383D54-0707-4419-805F-A990548721DF}.exe
Token: SeIncBasePriorityPrivilege	2368	{99C6C4A7-F8B7-4264-8E82-4A86AC5B4A18}.exe
Token: SeIncBasePriorityPrivilege	552	{33D5CD21-3744-4aa4-83E8-CF4B92774266}.exe
Token: SeIncBasePriorityPrivilege	1660	{78F1546D-75B5-491e-8F66-8A1722B9DB73}.exe
Token: SeIncBasePriorityPrivilege	308	{52C8E808-95B6-4ea2-99EB-07B0B10A7400}.exe
Token: SeIncBasePriorityPrivilege	2216	{648D905F-0D96-4aec-91FF-F25574FD0447}.exe
Token: SeIncBasePriorityPrivilege	1556	{CC813365-B61F-415c-81C4-EF776CE2C341}.exe
Token: SeIncBasePriorityPrivilege	1616	{1D617451-D93C-4a0f-ABA7-A660363424C9}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2072 wrote to memory of 2308	2072	2024-04-27_a79013869de5bb8ffa994d55fd8946fa_goldeneye.exe	28
PID 2072 wrote to memory of 2308	2072	2024-04-27_a79013869de5bb8ffa994d55fd8946fa_goldeneye.exe	28
PID 2072 wrote to memory of 2308	2072	2024-04-27_a79013869de5bb8ffa994d55fd8946fa_goldeneye.exe	28
PID 2072 wrote to memory of 2308	2072	2024-04-27_a79013869de5bb8ffa994d55fd8946fa_goldeneye.exe	28
PID 2072 wrote to memory of 2316	2072	2024-04-27_a79013869de5bb8ffa994d55fd8946fa_goldeneye.exe	29
PID 2072 wrote to memory of 2316	2072	2024-04-27_a79013869de5bb8ffa994d55fd8946fa_goldeneye.exe	29
PID 2072 wrote to memory of 2316	2072	2024-04-27_a79013869de5bb8ffa994d55fd8946fa_goldeneye.exe	29
PID 2072 wrote to memory of 2316	2072	2024-04-27_a79013869de5bb8ffa994d55fd8946fa_goldeneye.exe	29
PID 2308 wrote to memory of 2572	2308	{3C910FA3-6879-4aa4-A493-77F5032480F4}.exe	32
PID 2308 wrote to memory of 2572	2308	{3C910FA3-6879-4aa4-A493-77F5032480F4}.exe	32
PID 2308 wrote to memory of 2572	2308	{3C910FA3-6879-4aa4-A493-77F5032480F4}.exe	32
PID 2308 wrote to memory of 2572	2308	{3C910FA3-6879-4aa4-A493-77F5032480F4}.exe	32
PID 2308 wrote to memory of 2564	2308	{3C910FA3-6879-4aa4-A493-77F5032480F4}.exe	33
PID 2308 wrote to memory of 2564	2308	{3C910FA3-6879-4aa4-A493-77F5032480F4}.exe	33
PID 2308 wrote to memory of 2564	2308	{3C910FA3-6879-4aa4-A493-77F5032480F4}.exe	33
PID 2308 wrote to memory of 2564	2308	{3C910FA3-6879-4aa4-A493-77F5032480F4}.exe	33
PID 2572 wrote to memory of 2528	2572	{F7F12357-37A4-44b6-8FB4-7029218CDCF4}.exe	34
PID 2572 wrote to memory of 2528	2572	{F7F12357-37A4-44b6-8FB4-7029218CDCF4}.exe	34
PID 2572 wrote to memory of 2528	2572	{F7F12357-37A4-44b6-8FB4-7029218CDCF4}.exe	34
PID 2572 wrote to memory of 2528	2572	{F7F12357-37A4-44b6-8FB4-7029218CDCF4}.exe	34
PID 2572 wrote to memory of 2796	2572	{F7F12357-37A4-44b6-8FB4-7029218CDCF4}.exe	35
PID 2572 wrote to memory of 2796	2572	{F7F12357-37A4-44b6-8FB4-7029218CDCF4}.exe	35
PID 2572 wrote to memory of 2796	2572	{F7F12357-37A4-44b6-8FB4-7029218CDCF4}.exe	35
PID 2572 wrote to memory of 2796	2572	{F7F12357-37A4-44b6-8FB4-7029218CDCF4}.exe	35
PID 2528 wrote to memory of 2368	2528	{9D383D54-0707-4419-805F-A990548721DF}.exe	36
PID 2528 wrote to memory of 2368	2528	{9D383D54-0707-4419-805F-A990548721DF}.exe	36
PID 2528 wrote to memory of 2368	2528	{9D383D54-0707-4419-805F-A990548721DF}.exe	36
PID 2528 wrote to memory of 2368	2528	{9D383D54-0707-4419-805F-A990548721DF}.exe	36
PID 2528 wrote to memory of 2428	2528	{9D383D54-0707-4419-805F-A990548721DF}.exe	37
PID 2528 wrote to memory of 2428	2528	{9D383D54-0707-4419-805F-A990548721DF}.exe	37
PID 2528 wrote to memory of 2428	2528	{9D383D54-0707-4419-805F-A990548721DF}.exe	37
PID 2528 wrote to memory of 2428	2528	{9D383D54-0707-4419-805F-A990548721DF}.exe	37
PID 2368 wrote to memory of 552	2368	{99C6C4A7-F8B7-4264-8E82-4A86AC5B4A18}.exe	38
PID 2368 wrote to memory of 552	2368	{99C6C4A7-F8B7-4264-8E82-4A86AC5B4A18}.exe	38
PID 2368 wrote to memory of 552	2368	{99C6C4A7-F8B7-4264-8E82-4A86AC5B4A18}.exe	38
PID 2368 wrote to memory of 552	2368	{99C6C4A7-F8B7-4264-8E82-4A86AC5B4A18}.exe	38
PID 2368 wrote to memory of 1088	2368	{99C6C4A7-F8B7-4264-8E82-4A86AC5B4A18}.exe	39
PID 2368 wrote to memory of 1088	2368	{99C6C4A7-F8B7-4264-8E82-4A86AC5B4A18}.exe	39
PID 2368 wrote to memory of 1088	2368	{99C6C4A7-F8B7-4264-8E82-4A86AC5B4A18}.exe	39
PID 2368 wrote to memory of 1088	2368	{99C6C4A7-F8B7-4264-8E82-4A86AC5B4A18}.exe	39
PID 552 wrote to memory of 1660	552	{33D5CD21-3744-4aa4-83E8-CF4B92774266}.exe	40
PID 552 wrote to memory of 1660	552	{33D5CD21-3744-4aa4-83E8-CF4B92774266}.exe	40
PID 552 wrote to memory of 1660	552	{33D5CD21-3744-4aa4-83E8-CF4B92774266}.exe	40
PID 552 wrote to memory of 1660	552	{33D5CD21-3744-4aa4-83E8-CF4B92774266}.exe	40
PID 552 wrote to memory of 1516	552	{33D5CD21-3744-4aa4-83E8-CF4B92774266}.exe	41
PID 552 wrote to memory of 1516	552	{33D5CD21-3744-4aa4-83E8-CF4B92774266}.exe	41
PID 552 wrote to memory of 1516	552	{33D5CD21-3744-4aa4-83E8-CF4B92774266}.exe	41
PID 552 wrote to memory of 1516	552	{33D5CD21-3744-4aa4-83E8-CF4B92774266}.exe	41
PID 1660 wrote to memory of 308	1660	{78F1546D-75B5-491e-8F66-8A1722B9DB73}.exe	42
PID 1660 wrote to memory of 308	1660	{78F1546D-75B5-491e-8F66-8A1722B9DB73}.exe	42
PID 1660 wrote to memory of 308	1660	{78F1546D-75B5-491e-8F66-8A1722B9DB73}.exe	42
PID 1660 wrote to memory of 308	1660	{78F1546D-75B5-491e-8F66-8A1722B9DB73}.exe	42
PID 1660 wrote to memory of 2236	1660	{78F1546D-75B5-491e-8F66-8A1722B9DB73}.exe	43
PID 1660 wrote to memory of 2236	1660	{78F1546D-75B5-491e-8F66-8A1722B9DB73}.exe	43
PID 1660 wrote to memory of 2236	1660	{78F1546D-75B5-491e-8F66-8A1722B9DB73}.exe	43
PID 1660 wrote to memory of 2236	1660	{78F1546D-75B5-491e-8F66-8A1722B9DB73}.exe	43
PID 308 wrote to memory of 2216	308	{52C8E808-95B6-4ea2-99EB-07B0B10A7400}.exe	44
PID 308 wrote to memory of 2216	308	{52C8E808-95B6-4ea2-99EB-07B0B10A7400}.exe	44
PID 308 wrote to memory of 2216	308	{52C8E808-95B6-4ea2-99EB-07B0B10A7400}.exe	44
PID 308 wrote to memory of 2216	308	{52C8E808-95B6-4ea2-99EB-07B0B10A7400}.exe	44
PID 308 wrote to memory of 1928	308	{52C8E808-95B6-4ea2-99EB-07B0B10A7400}.exe	45
PID 308 wrote to memory of 1928	308	{52C8E808-95B6-4ea2-99EB-07B0B10A7400}.exe	45
PID 308 wrote to memory of 1928	308	{52C8E808-95B6-4ea2-99EB-07B0B10A7400}.exe	45
PID 308 wrote to memory of 1928	308	{52C8E808-95B6-4ea2-99EB-07B0B10A7400}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-04-27_a79013869de5bb8ffa994d55fd8946fa_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-27_a79013869de5bb8ffa994d55fd8946fa_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2072
- C:\Windows\{3C910FA3-6879-4aa4-A493-77F5032480F4}.exe
  C:\Windows\{3C910FA3-6879-4aa4-A493-77F5032480F4}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2308
- - C:\Windows\{F7F12357-37A4-44b6-8FB4-7029218CDCF4}.exe
    C:\Windows\{F7F12357-37A4-44b6-8FB4-7029218CDCF4}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2572
  - - C:\Windows\{9D383D54-0707-4419-805F-A990548721DF}.exe
      C:\Windows\{9D383D54-0707-4419-805F-A990548721DF}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2528
    - - C:\Windows\{99C6C4A7-F8B7-4264-8E82-4A86AC5B4A18}.exe
        
        C:\Windows\{99C6C4A7-F8B7-4264-8E82-4A86AC5B4A18}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2368
      - C:\Windows\{33D5CD21-3744-4aa4-83E8-CF4B92774266}.exe
        
        C:\Windows\{33D5CD21-3744-4aa4-83E8-CF4B92774266}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:552
        
        C:\Windows\{78F1546D-75B5-491e-8F66-8A1722B9DB73}.exe
        
        C:\Windows\{78F1546D-75B5-491e-8F66-8A1722B9DB73}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1660
        
        C:\Windows\{52C8E808-95B6-4ea2-99EB-07B0B10A7400}.exe
        
        C:\Windows\{52C8E808-95B6-4ea2-99EB-07B0B10A7400}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:308
        
        C:\Windows\{648D905F-0D96-4aec-91FF-F25574FD0447}.exe
        
        C:\Windows\{648D905F-0D96-4aec-91FF-F25574FD0447}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2216
        
        C:\Windows\{CC813365-B61F-415c-81C4-EF776CE2C341}.exe
        
        C:\Windows\{CC813365-B61F-415c-81C4-EF776CE2C341}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1556
        
        C:\Windows\{1D617451-D93C-4a0f-ABA7-A660363424C9}.exe
        
        C:\Windows\{1D617451-D93C-4a0f-ABA7-A660363424C9}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1616
        
        C:\Windows\{20805EEA-895B-49e6-8AC9-3D3A50276B71}.exe
        
        C:\Windows\{20805EEA-895B-49e6-8AC9-3D3A50276B71}.exe
        12⤵
        Executes dropped EXE
        
        PID:2152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1D617~1.EXE > nul
        12⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CC813~1.EXE > nul
        11⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{648D9~1.EXE > nul
        10⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{52C8E~1.EXE > nul
        9⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{78F15~1.EXE > nul
        8⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{33D5C~1.EXE > nul
        7⤵
        
        PID:1516
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{99C6C~1.EXE > nul
        6⤵
        
        PID:1088
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9D383~1.EXE > nul
        5⤵
        
        PID:2428
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{F7F12~1.EXE > nul
      4⤵
      PID:2796
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{3C910~1.EXE > nul
    3⤵
    PID:2564
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1D617451-D93C-4a0f-ABA7-A660363424C9}.exe

Filesize
204KB

MD5
b99c45e6bec6ec7fbc37fc33b58e59a4

SHA1
c3754553568a471251e67f426438887bd344ef0b

SHA256
4c5bfe3244c7367c0337723571f9b23a0b63125c93cd7ac078a7f4d9ef28a683

SHA512
c333a0506426ae1a351fb8c2b7cfb5f750bd2cd1aeaae27096a4126d976c18066da663e2188957c80a0c2adb0da37a4e9fac2e0ccef0ee74ef0f0c01833018a1

Download Submit
C:\Windows\{20805EEA-895B-49e6-8AC9-3D3A50276B71}.exe

Filesize
204KB

MD5
eb41e07883a03e3e0d6abd69c2b987de

SHA1
b1811d4dd7aec44e89b6b92a0c00525e077ff450

SHA256
78d338a95e35c03de4d5fac99aae16e31cdd619fa1edeb3a91449addd6fe328e

SHA512
c48559b218b79f3c251caaede770ba651ce9901fb8f385c92d3776dcf3b6a7114fc415a858d7242e17daa24e83cf506780274ce76d3aa81f7804602302e3df25

Download Submit
C:\Windows\{33D5CD21-3744-4aa4-83E8-CF4B92774266}.exe

Filesize
204KB

MD5
00feff208cf38436543c56f343d322a8

SHA1
33dc99821698175779ad26aebad4515d0e44b9f6

SHA256
8aafe9adf9dbc66806b743e7db417079d9059170ec078f41910d69a89b4a0b31

SHA512
20f0976f41f936f2d587e39d023afcb38f2d61b99eb59de2ce88cbd81cc5a76ee91645c3b756850d908d637988d95707336e8a71356d730e009f35dedfef50a1

Download Submit
C:\Windows\{3C910FA3-6879-4aa4-A493-77F5032480F4}.exe

Filesize
204KB

MD5
66f787af0ad5795099f115f900fc300c

SHA1
8ce62b7cda237407b9e9a4b7675b73ef530a6840

SHA256
8a3056dd95d4e815e9f24420af10a8af74136e86ed065fd65837e4b405a0989b

SHA512
d6cb707f10fc11be21cf2d48ed54054d7252b3e3679a95fddabe4cbc82789be9473c3cf24dac412d135e701087b7363845434d0987c610a986f1a1af4bc20e5d

Download Submit
C:\Windows\{52C8E808-95B6-4ea2-99EB-07B0B10A7400}.exe

Filesize
204KB

MD5
ce82e2f56fac3a7a27eaf712a0451532

SHA1
6437799e0555543d4d888c440163aae91fc449a1

SHA256
a15331b9db4de8d9aa4b3b3e67d1c72ff00afcd4af64e03e36f71707d22ed20f

SHA512
73dfe3de297ca4efb19bbe2b5e06314aba7f57143308e20b1560163973858665fe16988688dad6fd2577daf19b09e5c103f58cd540f398c8bde6aa563f70b285

Download Submit
C:\Windows\{648D905F-0D96-4aec-91FF-F25574FD0447}.exe

Filesize
204KB

MD5
fdfd9a3cdcf309426eea89b6ad1548c8

SHA1
40ab93730b3f8a7869dd951831e6e3ad2f6c755f

SHA256
6eb1a140fd789a9d8ecb3b08595017b02593ad57ab8c8e2c737b1981d80f3ed8

SHA512
4724b0f4b3f36602e09bc4a39f9648450c431258f9ca36a8d174a6b227b2d7fab39a7c973e6c7f31f71478760ab3362f68cdfb6129d4ff121e17406ca6d82d58

Download Submit
C:\Windows\{78F1546D-75B5-491e-8F66-8A1722B9DB73}.exe

Filesize
204KB

MD5
acc5066234c0ced4992d4ac2de48db7f

SHA1
990d266f351f312a1f1b7fd39e6b60ae13412310

SHA256
99ad97bbe3d35abb94aee4db6db05c302664c0e195eebb9edd2c8e20863f6bda

SHA512
a83ccd2e72ca603615d38d726a62a8c29ec805aced1a6ade2fbff3f6dcc6ea982ec04ca182b7b023816859df0a516261e1e2a27bddc515a91e4bd11d56951bbe

Download Submit
C:\Windows\{99C6C4A7-F8B7-4264-8E82-4A86AC5B4A18}.exe

Filesize
204KB

MD5
2c9a7a2b855cc5a040af9966da64860b

SHA1
13c723984c161621713ae75163586c99c0f9d954

SHA256
6c70a7b235e5f7311fe0caf7b649c8b7d9a2eb6b5992607b5f9367464d8fc5e0

SHA512
a6402beaae9198f8328556b2f68c5f8b48758bfdfd3db98f595a66755710c46c09ed0c95e8978ba3d3e31c50ef0c325e0f926741b25fa6aa0c8d2baad2b43a82

Download Submit
C:\Windows\{9D383D54-0707-4419-805F-A990548721DF}.exe

Filesize
204KB

MD5
fb71417134daac99ae8182bf9068a540

SHA1
b6cc28b1a608975c41a4556c9202146b037fbe17

SHA256
28021a1e3abe6c4868e96290895801a032f25023d14dd41a6b38b3b6592937b9

SHA512
b17036152b9fb652b9a39166a34032feb752fc859f496f265f027ce035d85fd408dd77640cabd3d71d03201ef9067775d084804934fba13e5c1d1199df97ceb8

Download Submit
C:\Windows\{CC813365-B61F-415c-81C4-EF776CE2C341}.exe

Filesize
204KB

MD5
5f6f0aeeeba0214e6b2b612067933990

SHA1
87be2b1c903d7923833514b62bf6861434983f73

SHA256
3fb07c5b9c733bc32268df335939ae301bdcbaf0d9dab70f36b2960abb732834

SHA512
d9f55bc0cdb5e03aed03a8857164854e0e05e852bcea157505b502fdd0ebaa29cae3379a8510ba24e44c793da09394f23c8175b81b1afe07632cd89d7f23afee

Download Submit
C:\Windows\{F7F12357-37A4-44b6-8FB4-7029218CDCF4}.exe

Filesize
204KB

MD5
ab5b01bad41252f8c8ea8759fb8265ae

SHA1
612d4ee1330c799fd6efdca98e5a5d7e73f9c49f

SHA256
8fc79db2d0cce0f61a96ca7852a38619308278baea5b36cab50a988e64254b37

SHA512
be22976586467e624fdecadb426e4233c67f4224cb2f6bc3f58ee0bb5e76045390a9c10c0400697d73bd33e32ebbf866ae8d655a587180f910f71c82830b29da

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads