35f63e22b3e4f15ae3752daefe79a5c104a2f0d4d78e8e4154309bbddac4be96

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
27-04-2024 17:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-27_08bd6033dcaaf903f7666d463658604a_goldeneye.exe
Size

216KB
MD5

08bd6033dcaaf903f7666d463658604a
SHA1

e26f34aefb42eb9b072554b4dfbc022fdd493213
SHA256

35f63e22b3e4f15ae3752daefe79a5c104a2f0d4d78e8e4154309bbddac4be96
SHA512

9fed870a0f83ee2269327be0ab12a93e3f54b17c015779049b64a60755b9501f3770034d5bdfe53527b048990744455e2eba31e6b9162b38f40f9dce22972266
SSDEEP

3072:jEGh0oml+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEGUlEeKcAEcGy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000a000000016813-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0030000000016ce4-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b000000016813-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002e000000016cf5-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000016813-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000016813-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e000000016813-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{81018D63-BDBE-4ed3-83F8-0A30FFFA0E85}\stubpath = "C:\\Windows\\{81018D63-BDBE-4ed3-83F8-0A30FFFA0E85}.exe"	{C9E31AED-40D1-40c4-83D4-FCB269C12B2D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1B033FC9-D985-4826-8726-43C64CCF33D0}\stubpath = "C:\\Windows\\{1B033FC9-D985-4826-8726-43C64CCF33D0}.exe"	{93BDC189-3495-4bb2-809F-0F643D007ACE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{074B0CCF-DD86-427c-873F-477BFB3ACCF4}	{1B033FC9-D985-4826-8726-43C64CCF33D0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{074B0CCF-DD86-427c-873F-477BFB3ACCF4}\stubpath = "C:\\Windows\\{074B0CCF-DD86-427c-873F-477BFB3ACCF4}.exe"	{1B033FC9-D985-4826-8726-43C64CCF33D0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C6D2409A-222F-44c9-B59C-69EC2A1EFAB6}\stubpath = "C:\\Windows\\{C6D2409A-222F-44c9-B59C-69EC2A1EFAB6}.exe"	{074B0CCF-DD86-427c-873F-477BFB3ACCF4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{96386C9F-673A-487b-910D-A7FFA133355E}	{C6D2409A-222F-44c9-B59C-69EC2A1EFAB6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{373A4946-7F7D-4604-AFB8-E5274441E4DD}\stubpath = "C:\\Windows\\{373A4946-7F7D-4604-AFB8-E5274441E4DD}.exe"	{96386C9F-673A-487b-910D-A7FFA133355E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8490A351-BCFB-473d-BE63-857EF771D2E2}	2024-04-27_08bd6033dcaaf903f7666d463658604a_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{93BDC189-3495-4bb2-809F-0F643D007ACE}	{BD733FDB-323E-4ed0-9908-E77302858189}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1B033FC9-D985-4826-8726-43C64CCF33D0}	{93BDC189-3495-4bb2-809F-0F643D007ACE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{96B61CD7-1DD9-41eb-84CD-3210672F8001}	{373A4946-7F7D-4604-AFB8-E5274441E4DD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{81018D63-BDBE-4ed3-83F8-0A30FFFA0E85}	{C9E31AED-40D1-40c4-83D4-FCB269C12B2D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8490A351-BCFB-473d-BE63-857EF771D2E2}\stubpath = "C:\\Windows\\{8490A351-BCFB-473d-BE63-857EF771D2E2}.exe"	2024-04-27_08bd6033dcaaf903f7666d463658604a_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BD733FDB-323E-4ed0-9908-E77302858189}	{8490A351-BCFB-473d-BE63-857EF771D2E2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BD733FDB-323E-4ed0-9908-E77302858189}\stubpath = "C:\\Windows\\{BD733FDB-323E-4ed0-9908-E77302858189}.exe"	{8490A351-BCFB-473d-BE63-857EF771D2E2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{96386C9F-673A-487b-910D-A7FFA133355E}\stubpath = "C:\\Windows\\{96386C9F-673A-487b-910D-A7FFA133355E}.exe"	{C6D2409A-222F-44c9-B59C-69EC2A1EFAB6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C9E31AED-40D1-40c4-83D4-FCB269C12B2D}	{96B61CD7-1DD9-41eb-84CD-3210672F8001}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{93BDC189-3495-4bb2-809F-0F643D007ACE}\stubpath = "C:\\Windows\\{93BDC189-3495-4bb2-809F-0F643D007ACE}.exe"	{BD733FDB-323E-4ed0-9908-E77302858189}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C6D2409A-222F-44c9-B59C-69EC2A1EFAB6}	{074B0CCF-DD86-427c-873F-477BFB3ACCF4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{373A4946-7F7D-4604-AFB8-E5274441E4DD}	{96386C9F-673A-487b-910D-A7FFA133355E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{96B61CD7-1DD9-41eb-84CD-3210672F8001}\stubpath = "C:\\Windows\\{96B61CD7-1DD9-41eb-84CD-3210672F8001}.exe"	{373A4946-7F7D-4604-AFB8-E5274441E4DD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C9E31AED-40D1-40c4-83D4-FCB269C12B2D}\stubpath = "C:\\Windows\\{C9E31AED-40D1-40c4-83D4-FCB269C12B2D}.exe"	{96B61CD7-1DD9-41eb-84CD-3210672F8001}.exe

Deletes itself 1 IoCs

pid	Process
2540	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2996	{8490A351-BCFB-473d-BE63-857EF771D2E2}.exe
2524	{BD733FDB-323E-4ed0-9908-E77302858189}.exe
2556	{93BDC189-3495-4bb2-809F-0F643D007ACE}.exe
1268	{1B033FC9-D985-4826-8726-43C64CCF33D0}.exe
2748	{074B0CCF-DD86-427c-873F-477BFB3ACCF4}.exe
1772	{C6D2409A-222F-44c9-B59C-69EC2A1EFAB6}.exe
1152	{96386C9F-673A-487b-910D-A7FFA133355E}.exe
2872	{373A4946-7F7D-4604-AFB8-E5274441E4DD}.exe
2216	{96B61CD7-1DD9-41eb-84CD-3210672F8001}.exe
564	{C9E31AED-40D1-40c4-83D4-FCB269C12B2D}.exe
1780	{81018D63-BDBE-4ed3-83F8-0A30FFFA0E85}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{8490A351-BCFB-473d-BE63-857EF771D2E2}.exe	2024-04-27_08bd6033dcaaf903f7666d463658604a_goldeneye.exe
File created	C:\Windows\{BD733FDB-323E-4ed0-9908-E77302858189}.exe	{8490A351-BCFB-473d-BE63-857EF771D2E2}.exe
File created	C:\Windows\{93BDC189-3495-4bb2-809F-0F643D007ACE}.exe	{BD733FDB-323E-4ed0-9908-E77302858189}.exe
File created	C:\Windows\{074B0CCF-DD86-427c-873F-477BFB3ACCF4}.exe	{1B033FC9-D985-4826-8726-43C64CCF33D0}.exe
File created	C:\Windows\{373A4946-7F7D-4604-AFB8-E5274441E4DD}.exe	{96386C9F-673A-487b-910D-A7FFA133355E}.exe
File created	C:\Windows\{96B61CD7-1DD9-41eb-84CD-3210672F8001}.exe	{373A4946-7F7D-4604-AFB8-E5274441E4DD}.exe
File created	C:\Windows\{1B033FC9-D985-4826-8726-43C64CCF33D0}.exe	{93BDC189-3495-4bb2-809F-0F643D007ACE}.exe
File created	C:\Windows\{C6D2409A-222F-44c9-B59C-69EC2A1EFAB6}.exe	{074B0CCF-DD86-427c-873F-477BFB3ACCF4}.exe
File created	C:\Windows\{96386C9F-673A-487b-910D-A7FFA133355E}.exe	{C6D2409A-222F-44c9-B59C-69EC2A1EFAB6}.exe
File created	C:\Windows\{C9E31AED-40D1-40c4-83D4-FCB269C12B2D}.exe	{96B61CD7-1DD9-41eb-84CD-3210672F8001}.exe
File created	C:\Windows\{81018D63-BDBE-4ed3-83F8-0A30FFFA0E85}.exe	{C9E31AED-40D1-40c4-83D4-FCB269C12B2D}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2908	2024-04-27_08bd6033dcaaf903f7666d463658604a_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2996	{8490A351-BCFB-473d-BE63-857EF771D2E2}.exe
Token: SeIncBasePriorityPrivilege	2524	{BD733FDB-323E-4ed0-9908-E77302858189}.exe
Token: SeIncBasePriorityPrivilege	2556	{93BDC189-3495-4bb2-809F-0F643D007ACE}.exe
Token: SeIncBasePriorityPrivilege	1268	{1B033FC9-D985-4826-8726-43C64CCF33D0}.exe
Token: SeIncBasePriorityPrivilege	2748	{074B0CCF-DD86-427c-873F-477BFB3ACCF4}.exe
Token: SeIncBasePriorityPrivilege	1772	{C6D2409A-222F-44c9-B59C-69EC2A1EFAB6}.exe
Token: SeIncBasePriorityPrivilege	1152	{96386C9F-673A-487b-910D-A7FFA133355E}.exe
Token: SeIncBasePriorityPrivilege	2872	{373A4946-7F7D-4604-AFB8-E5274441E4DD}.exe
Token: SeIncBasePriorityPrivilege	2216	{96B61CD7-1DD9-41eb-84CD-3210672F8001}.exe
Token: SeIncBasePriorityPrivilege	564	{C9E31AED-40D1-40c4-83D4-FCB269C12B2D}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2908 wrote to memory of 2996	2908	2024-04-27_08bd6033dcaaf903f7666d463658604a_goldeneye.exe	28
PID 2908 wrote to memory of 2996	2908	2024-04-27_08bd6033dcaaf903f7666d463658604a_goldeneye.exe	28
PID 2908 wrote to memory of 2996	2908	2024-04-27_08bd6033dcaaf903f7666d463658604a_goldeneye.exe	28
PID 2908 wrote to memory of 2996	2908	2024-04-27_08bd6033dcaaf903f7666d463658604a_goldeneye.exe	28
PID 2908 wrote to memory of 2540	2908	2024-04-27_08bd6033dcaaf903f7666d463658604a_goldeneye.exe	29
PID 2908 wrote to memory of 2540	2908	2024-04-27_08bd6033dcaaf903f7666d463658604a_goldeneye.exe	29
PID 2908 wrote to memory of 2540	2908	2024-04-27_08bd6033dcaaf903f7666d463658604a_goldeneye.exe	29
PID 2908 wrote to memory of 2540	2908	2024-04-27_08bd6033dcaaf903f7666d463658604a_goldeneye.exe	29
PID 2996 wrote to memory of 2524	2996	{8490A351-BCFB-473d-BE63-857EF771D2E2}.exe	30
PID 2996 wrote to memory of 2524	2996	{8490A351-BCFB-473d-BE63-857EF771D2E2}.exe	30
PID 2996 wrote to memory of 2524	2996	{8490A351-BCFB-473d-BE63-857EF771D2E2}.exe	30
PID 2996 wrote to memory of 2524	2996	{8490A351-BCFB-473d-BE63-857EF771D2E2}.exe	30
PID 2996 wrote to memory of 2796	2996	{8490A351-BCFB-473d-BE63-857EF771D2E2}.exe	31
PID 2996 wrote to memory of 2796	2996	{8490A351-BCFB-473d-BE63-857EF771D2E2}.exe	31
PID 2996 wrote to memory of 2796	2996	{8490A351-BCFB-473d-BE63-857EF771D2E2}.exe	31
PID 2996 wrote to memory of 2796	2996	{8490A351-BCFB-473d-BE63-857EF771D2E2}.exe	31
PID 2524 wrote to memory of 2556	2524	{BD733FDB-323E-4ed0-9908-E77302858189}.exe	32
PID 2524 wrote to memory of 2556	2524	{BD733FDB-323E-4ed0-9908-E77302858189}.exe	32
PID 2524 wrote to memory of 2556	2524	{BD733FDB-323E-4ed0-9908-E77302858189}.exe	32
PID 2524 wrote to memory of 2556	2524	{BD733FDB-323E-4ed0-9908-E77302858189}.exe	32
PID 2524 wrote to memory of 2504	2524	{BD733FDB-323E-4ed0-9908-E77302858189}.exe	33
PID 2524 wrote to memory of 2504	2524	{BD733FDB-323E-4ed0-9908-E77302858189}.exe	33
PID 2524 wrote to memory of 2504	2524	{BD733FDB-323E-4ed0-9908-E77302858189}.exe	33
PID 2524 wrote to memory of 2504	2524	{BD733FDB-323E-4ed0-9908-E77302858189}.exe	33
PID 2556 wrote to memory of 1268	2556	{93BDC189-3495-4bb2-809F-0F643D007ACE}.exe	36
PID 2556 wrote to memory of 1268	2556	{93BDC189-3495-4bb2-809F-0F643D007ACE}.exe	36
PID 2556 wrote to memory of 1268	2556	{93BDC189-3495-4bb2-809F-0F643D007ACE}.exe	36
PID 2556 wrote to memory of 1268	2556	{93BDC189-3495-4bb2-809F-0F643D007ACE}.exe	36
PID 2556 wrote to memory of 2644	2556	{93BDC189-3495-4bb2-809F-0F643D007ACE}.exe	37
PID 2556 wrote to memory of 2644	2556	{93BDC189-3495-4bb2-809F-0F643D007ACE}.exe	37
PID 2556 wrote to memory of 2644	2556	{93BDC189-3495-4bb2-809F-0F643D007ACE}.exe	37
PID 2556 wrote to memory of 2644	2556	{93BDC189-3495-4bb2-809F-0F643D007ACE}.exe	37
PID 1268 wrote to memory of 2748	1268	{1B033FC9-D985-4826-8726-43C64CCF33D0}.exe	38
PID 1268 wrote to memory of 2748	1268	{1B033FC9-D985-4826-8726-43C64CCF33D0}.exe	38
PID 1268 wrote to memory of 2748	1268	{1B033FC9-D985-4826-8726-43C64CCF33D0}.exe	38
PID 1268 wrote to memory of 2748	1268	{1B033FC9-D985-4826-8726-43C64CCF33D0}.exe	38
PID 1268 wrote to memory of 1340	1268	{1B033FC9-D985-4826-8726-43C64CCF33D0}.exe	39
PID 1268 wrote to memory of 1340	1268	{1B033FC9-D985-4826-8726-43C64CCF33D0}.exe	39
PID 1268 wrote to memory of 1340	1268	{1B033FC9-D985-4826-8726-43C64CCF33D0}.exe	39
PID 1268 wrote to memory of 1340	1268	{1B033FC9-D985-4826-8726-43C64CCF33D0}.exe	39
PID 2748 wrote to memory of 1772	2748	{074B0CCF-DD86-427c-873F-477BFB3ACCF4}.exe	40
PID 2748 wrote to memory of 1772	2748	{074B0CCF-DD86-427c-873F-477BFB3ACCF4}.exe	40
PID 2748 wrote to memory of 1772	2748	{074B0CCF-DD86-427c-873F-477BFB3ACCF4}.exe	40
PID 2748 wrote to memory of 1772	2748	{074B0CCF-DD86-427c-873F-477BFB3ACCF4}.exe	40
PID 2748 wrote to memory of 1568	2748	{074B0CCF-DD86-427c-873F-477BFB3ACCF4}.exe	41
PID 2748 wrote to memory of 1568	2748	{074B0CCF-DD86-427c-873F-477BFB3ACCF4}.exe	41
PID 2748 wrote to memory of 1568	2748	{074B0CCF-DD86-427c-873F-477BFB3ACCF4}.exe	41
PID 2748 wrote to memory of 1568	2748	{074B0CCF-DD86-427c-873F-477BFB3ACCF4}.exe	41
PID 1772 wrote to memory of 1152	1772	{C6D2409A-222F-44c9-B59C-69EC2A1EFAB6}.exe	42
PID 1772 wrote to memory of 1152	1772	{C6D2409A-222F-44c9-B59C-69EC2A1EFAB6}.exe	42
PID 1772 wrote to memory of 1152	1772	{C6D2409A-222F-44c9-B59C-69EC2A1EFAB6}.exe	42
PID 1772 wrote to memory of 1152	1772	{C6D2409A-222F-44c9-B59C-69EC2A1EFAB6}.exe	42
PID 1772 wrote to memory of 1316	1772	{C6D2409A-222F-44c9-B59C-69EC2A1EFAB6}.exe	43
PID 1772 wrote to memory of 1316	1772	{C6D2409A-222F-44c9-B59C-69EC2A1EFAB6}.exe	43
PID 1772 wrote to memory of 1316	1772	{C6D2409A-222F-44c9-B59C-69EC2A1EFAB6}.exe	43
PID 1772 wrote to memory of 1316	1772	{C6D2409A-222F-44c9-B59C-69EC2A1EFAB6}.exe	43
PID 1152 wrote to memory of 2872	1152	{96386C9F-673A-487b-910D-A7FFA133355E}.exe	44
PID 1152 wrote to memory of 2872	1152	{96386C9F-673A-487b-910D-A7FFA133355E}.exe	44
PID 1152 wrote to memory of 2872	1152	{96386C9F-673A-487b-910D-A7FFA133355E}.exe	44
PID 1152 wrote to memory of 2872	1152	{96386C9F-673A-487b-910D-A7FFA133355E}.exe	44
PID 1152 wrote to memory of 2016	1152	{96386C9F-673A-487b-910D-A7FFA133355E}.exe	45
PID 1152 wrote to memory of 2016	1152	{96386C9F-673A-487b-910D-A7FFA133355E}.exe	45
PID 1152 wrote to memory of 2016	1152	{96386C9F-673A-487b-910D-A7FFA133355E}.exe	45
PID 1152 wrote to memory of 2016	1152	{96386C9F-673A-487b-910D-A7FFA133355E}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-04-27_08bd6033dcaaf903f7666d463658604a_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-27_08bd6033dcaaf903f7666d463658604a_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2908
- C:\Windows\{8490A351-BCFB-473d-BE63-857EF771D2E2}.exe
  C:\Windows\{8490A351-BCFB-473d-BE63-857EF771D2E2}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2996
- - C:\Windows\{BD733FDB-323E-4ed0-9908-E77302858189}.exe
    C:\Windows\{BD733FDB-323E-4ed0-9908-E77302858189}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2524
  - - C:\Windows\{93BDC189-3495-4bb2-809F-0F643D007ACE}.exe
      C:\Windows\{93BDC189-3495-4bb2-809F-0F643D007ACE}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2556
    - - C:\Windows\{1B033FC9-D985-4826-8726-43C64CCF33D0}.exe
        
        C:\Windows\{1B033FC9-D985-4826-8726-43C64CCF33D0}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1268
      - C:\Windows\{074B0CCF-DD86-427c-873F-477BFB3ACCF4}.exe
        
        C:\Windows\{074B0CCF-DD86-427c-873F-477BFB3ACCF4}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2748
        
        C:\Windows\{C6D2409A-222F-44c9-B59C-69EC2A1EFAB6}.exe
        
        C:\Windows\{C6D2409A-222F-44c9-B59C-69EC2A1EFAB6}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1772
        
        C:\Windows\{96386C9F-673A-487b-910D-A7FFA133355E}.exe
        
        C:\Windows\{96386C9F-673A-487b-910D-A7FFA133355E}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1152
        
        C:\Windows\{373A4946-7F7D-4604-AFB8-E5274441E4DD}.exe
        
        C:\Windows\{373A4946-7F7D-4604-AFB8-E5274441E4DD}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2872
        
        C:\Windows\{96B61CD7-1DD9-41eb-84CD-3210672F8001}.exe
        
        C:\Windows\{96B61CD7-1DD9-41eb-84CD-3210672F8001}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2216
        
        C:\Windows\{C9E31AED-40D1-40c4-83D4-FCB269C12B2D}.exe
        
        C:\Windows\{C9E31AED-40D1-40c4-83D4-FCB269C12B2D}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:564
        
        C:\Windows\{81018D63-BDBE-4ed3-83F8-0A30FFFA0E85}.exe
        
        C:\Windows\{81018D63-BDBE-4ed3-83F8-0A30FFFA0E85}.exe
        12⤵
        Executes dropped EXE
        
        PID:1780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C9E31~1.EXE > nul
        12⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{96B61~1.EXE > nul
        11⤵
        
        PID:752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{373A4~1.EXE > nul
        10⤵
        
        PID:2052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{96386~1.EXE > nul
        9⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C6D24~1.EXE > nul
        8⤵
        
        PID:1316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{074B0~1.EXE > nul
        7⤵
        
        PID:1568
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1B033~1.EXE > nul
        6⤵
        
        PID:1340
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{93BDC~1.EXE > nul
        5⤵
        
        PID:2644
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{BD733~1.EXE > nul
      4⤵
      PID:2504
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{8490A~1.EXE > nul
    3⤵
    PID:2796
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{074B0CCF-DD86-427c-873F-477BFB3ACCF4}.exe

Filesize
216KB

MD5
b47ace94ff9ed332dd877da59fe2103a

SHA1
d953d04e1efe7b621a905f1783dd4a1e5f0d6218

SHA256
e51f68b5eca69c80b6fb2fd4afeb72a075f394b88b6700cc134a90cfa81fda98

SHA512
91d59e8f72877c57d39805f78033758006a593231cc567fe2d063fd2c887721b0a6f4216044ed018e4211a730c6fb57070b30afd658fc59e5057e80bbdce7cc3

Download Submit
C:\Windows\{1B033FC9-D985-4826-8726-43C64CCF33D0}.exe

Filesize
216KB

MD5
ba9582b5c03359b7206734878713e0f1

SHA1
7ae61a1e9aa4d1caaf1f0d4bc8e232a91c93e952

SHA256
2e2304d69ab93744ac1706ca4df60a4b4e21edf72458af9e52f784e1a89e9a06

SHA512
9ef804122b951503b86c034fd61589a2dfa06f1bb31bec9a1f267db69398211f66526624d42f1412714befb358cd006aac44e098d85587d317470d094b38d4ae

Download Submit
C:\Windows\{373A4946-7F7D-4604-AFB8-E5274441E4DD}.exe

Filesize
216KB

MD5
0d636092b7c959200f805989948d74be

SHA1
53d7355674ef752c4a3ea15e0c781156075ee2dd

SHA256
ada596539e438a5a3aba59fd03fa0e4fc13bcffb40d92aaf296022126de01494

SHA512
94812aa6fb7fb74a3ca681038be81355e465181a329acb6fa76eda307b032043808dd33ee732cbd4589b43dcc1f3af355548efc2363d0fda2ff2a89200ab738d

Download Submit
C:\Windows\{81018D63-BDBE-4ed3-83F8-0A30FFFA0E85}.exe

Filesize
216KB

MD5
7f70f51211564c48511b698c65bcd9da

SHA1
3a68e684acf38757714fb33fcb3153d4e170cb57

SHA256
77232658e0356e6ecb1b948f92ceafa9154fcd8b8848b02ea97dad54a21387b4

SHA512
4bfa4a7578fe1be4242363ed5d5988dad3e30dad2b534036b20fbb40d38e8cea0663b96bbe264344c0d56f509baf4cbd3245246834ee08560690427d30571ec8

Download Submit
C:\Windows\{8490A351-BCFB-473d-BE63-857EF771D2E2}.exe

Filesize
216KB

MD5
d162f39ea6009cfa19345eaecfeb0e34

SHA1
490dcc0f2ed83ed5f9aec279de41bce2cab315bc

SHA256
f1624d8ac6b48cdf0d5e59b381002627a7599acd4c3cb1bd6e70f1178078638b

SHA512
d756c3089b734998bead7b9701eeeb35a6796e8260a8417f28f75db045d65d4d732d248d3119f24b6320c31504f155c2ed99643fd5484a6a37009f395b2c06e0

Download Submit
C:\Windows\{93BDC189-3495-4bb2-809F-0F643D007ACE}.exe

Filesize
216KB

MD5
7fdda63aba888069591a2692b3d77531

SHA1
48ca4fdd55386f18f383d5a60cacf25622fce460

SHA256
667a61a8d1fe936688eb0e4cd6c9b9c981f911c6adee5c650d02163259678bb2

SHA512
067e18dae57297a9acfbec87c95af1d8eb7a2f69326d1cd70855120a7f833d8f1ac85a83c9b4b8ae9ae2979b1ff849f7a8d1c7b951f4912d544b6688e43ab5b3

Download Submit
C:\Windows\{96386C9F-673A-487b-910D-A7FFA133355E}.exe

Filesize
216KB

MD5
4eb3db8351cbaaae27121ae75b883333

SHA1
fdcf6ee9f974817321d5de4097303b22022f5c2a

SHA256
724b50eb6df2dcde5dba1972992d2db3a58999a21bd130e02f27f16a65cd2edc

SHA512
5d2cdec5836d197c3d4e75d227525d069b24f4ce8a205cd412a50ee2cc02854dbf0f8f6b919674ec3001b179457a04adc47ab9ccd114b6b1827a231ab8494a06

Download Submit
C:\Windows\{96B61CD7-1DD9-41eb-84CD-3210672F8001}.exe

Filesize
216KB

MD5
2124614bbd9e43f936b0627332e35e2d

SHA1
437305d052b985c4a41231445be4704fd5a76e5f

SHA256
aeed28fa01c5037c8fa614e7ca0cc642a437b9de7031c192dcb00943ec76a87d

SHA512
9d8af105d67f1f7ed22f48068873ba57d24e11abce71fd2611e1643957038657406c275236e1aaf1a6af0c6d47ce01dc563b39bd0f852ac75a18b604a4f6c124

Download Submit
C:\Windows\{BD733FDB-323E-4ed0-9908-E77302858189}.exe

Filesize
216KB

MD5
b7a3220f2c51e22e3d7cee3fa612aefe

SHA1
4c54294781da88525b887b58a5e12e02d58b0650

SHA256
3bcf4f5dc88113582540b30b4aa28dde16d2e0341910d2177eef7f4871ed136c

SHA512
cd7052a1bf69f32b62b6ffddfb6f9183a7ddbe9b03c689dc827c536b4a13a58b8e50c0c4cbd4fd7456a390563cc9d5c3230512345e65fafbe0b52b773822a540

Download Submit
C:\Windows\{C6D2409A-222F-44c9-B59C-69EC2A1EFAB6}.exe

Filesize
216KB

MD5
894d9dc6a7fd54afcdfc436d5cf9d246

SHA1
57b82c071799693aba4d1ccab61ea1a883ceb8c4

SHA256
3dfdd7e4c376c372e34687f1e477a8a89313ae7edcfa2dba0fddab311c76530e

SHA512
c41a20086cbacc37e45a9f27e6f1e71c8348bd0fb1ff00bd5b869624eaef39d1b28ab3ae37a13d7a19ac548da095db8e82076a3872c4144c58ae9e1a417305dd

Download Submit
C:\Windows\{C9E31AED-40D1-40c4-83D4-FCB269C12B2D}.exe

Filesize
216KB

MD5
ba0c75636392f126181b6f1e42e60889

SHA1
6497d23145b2399287372adb9275149354584382

SHA256
280e26ea339e20cbaa93d743945c10d4461f5eeb381568349b55ef4ea2102b5a

SHA512
df95326ebfa2eec1eb3a957c12701164ba8311380d55f5ea873b79cc3a4d7ca5f6a7b4be48ed5761c4257a866ced01a804bc98a82abbdd7ce46291f5c677aa16

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads