8c3d1cbad4a040ad37d5815b9ce29f993f1e9865916e4a5fbf11df5b73e782d9

Analysis

max time kernel
144s
max time network
120s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
04-05-2024 02:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-04_a161ab4f8de0391157483a332987ec09_goldeneye.exe
Size

216KB
MD5

a161ab4f8de0391157483a332987ec09
SHA1

de7742f0f332cef0718fcd1daab32c7d40410403
SHA256

8c3d1cbad4a040ad37d5815b9ce29f993f1e9865916e4a5fbf11df5b73e782d9
SHA512

db1391de93f919b11bfdc8e16fba743865b25001d3dc84aaabb51e4f603e0855a922b826ddf4b40e1e0a95681a8cb3d1b8c0b81d4800017cfe80e6afd7354d2d
SSDEEP

3072:jEGh0otMl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEG8lEeKcAEcGy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000c0000000155f7-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000015c6b-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d0000000155f7-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000015c78-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000005a59-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e0000000155f7-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000005a59-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f0000000155f7-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000005a59-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00100000000155f7-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000005a59-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{78FB18E5-D713-470d-B920-01058CC51D74}	{30AFD8EF-258A-4bda-970E-C4EEEA01C299}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E4BB7C7B-6313-4d61-A180-C3F81B48FD3B}	{A6FD371E-3FE7-4034-8B3F-21A18AA931CD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B0E8DCE8-7699-4f16-B745-DAEE0CD7E019}	{E4BB7C7B-6313-4d61-A180-C3F81B48FD3B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B0E8DCE8-7699-4f16-B745-DAEE0CD7E019}\stubpath = "C:\\Windows\\{B0E8DCE8-7699-4f16-B745-DAEE0CD7E019}.exe"	{E4BB7C7B-6313-4d61-A180-C3F81B48FD3B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1662F3A0-68E3-461b-A73A-ED57AC9E6FAB}\stubpath = "C:\\Windows\\{1662F3A0-68E3-461b-A73A-ED57AC9E6FAB}.exe"	{C16FA44D-BB63-462f-8905-CEABFE5C8F1D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C16FA44D-BB63-462f-8905-CEABFE5C8F1D}	{DD918B20-02C8-4d56-A274-B3E77AE3C37D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A6FD371E-3FE7-4034-8B3F-21A18AA931CD}\stubpath = "C:\\Windows\\{A6FD371E-3FE7-4034-8B3F-21A18AA931CD}.exe"	{78FB18E5-D713-470d-B920-01058CC51D74}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DD918B20-02C8-4d56-A274-B3E77AE3C37D}	{AF673F11-A30C-428f-B3F0-DF640C7396FA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6D63B21E-E9FD-4fcf-A1E2-33F08493D375}\stubpath = "C:\\Windows\\{6D63B21E-E9FD-4fcf-A1E2-33F08493D375}.exe"	2024-05-04_a161ab4f8de0391157483a332987ec09_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AF673F11-A30C-428f-B3F0-DF640C7396FA}	{6D63B21E-E9FD-4fcf-A1E2-33F08493D375}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DD918B20-02C8-4d56-A274-B3E77AE3C37D}\stubpath = "C:\\Windows\\{DD918B20-02C8-4d56-A274-B3E77AE3C37D}.exe"	{AF673F11-A30C-428f-B3F0-DF640C7396FA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1662F3A0-68E3-461b-A73A-ED57AC9E6FAB}	{C16FA44D-BB63-462f-8905-CEABFE5C8F1D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{30AFD8EF-258A-4bda-970E-C4EEEA01C299}\stubpath = "C:\\Windows\\{30AFD8EF-258A-4bda-970E-C4EEEA01C299}.exe"	{1662F3A0-68E3-461b-A73A-ED57AC9E6FAB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{78FB18E5-D713-470d-B920-01058CC51D74}\stubpath = "C:\\Windows\\{78FB18E5-D713-470d-B920-01058CC51D74}.exe"	{30AFD8EF-258A-4bda-970E-C4EEEA01C299}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{80FE3138-89B8-45ce-8266-11B3A0559E5A}	{B0E8DCE8-7699-4f16-B745-DAEE0CD7E019}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6D63B21E-E9FD-4fcf-A1E2-33F08493D375}	2024-05-04_a161ab4f8de0391157483a332987ec09_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C16FA44D-BB63-462f-8905-CEABFE5C8F1D}\stubpath = "C:\\Windows\\{C16FA44D-BB63-462f-8905-CEABFE5C8F1D}.exe"	{DD918B20-02C8-4d56-A274-B3E77AE3C37D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{30AFD8EF-258A-4bda-970E-C4EEEA01C299}	{1662F3A0-68E3-461b-A73A-ED57AC9E6FAB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A6FD371E-3FE7-4034-8B3F-21A18AA931CD}	{78FB18E5-D713-470d-B920-01058CC51D74}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E4BB7C7B-6313-4d61-A180-C3F81B48FD3B}\stubpath = "C:\\Windows\\{E4BB7C7B-6313-4d61-A180-C3F81B48FD3B}.exe"	{A6FD371E-3FE7-4034-8B3F-21A18AA931CD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{80FE3138-89B8-45ce-8266-11B3A0559E5A}\stubpath = "C:\\Windows\\{80FE3138-89B8-45ce-8266-11B3A0559E5A}.exe"	{B0E8DCE8-7699-4f16-B745-DAEE0CD7E019}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AF673F11-A30C-428f-B3F0-DF640C7396FA}\stubpath = "C:\\Windows\\{AF673F11-A30C-428f-B3F0-DF640C7396FA}.exe"	{6D63B21E-E9FD-4fcf-A1E2-33F08493D375}.exe

Executes dropped EXE 11 IoCs

pid	Process
1756	{6D63B21E-E9FD-4fcf-A1E2-33F08493D375}.exe
2628	{AF673F11-A30C-428f-B3F0-DF640C7396FA}.exe
2748	{DD918B20-02C8-4d56-A274-B3E77AE3C37D}.exe
2212	{C16FA44D-BB63-462f-8905-CEABFE5C8F1D}.exe
1944	{1662F3A0-68E3-461b-A73A-ED57AC9E6FAB}.exe
2540	{30AFD8EF-258A-4bda-970E-C4EEEA01C299}.exe
2808	{78FB18E5-D713-470d-B920-01058CC51D74}.exe
2988	{A6FD371E-3FE7-4034-8B3F-21A18AA931CD}.exe
2912	{E4BB7C7B-6313-4d61-A180-C3F81B48FD3B}.exe
1008	{B0E8DCE8-7699-4f16-B745-DAEE0CD7E019}.exe
560	{80FE3138-89B8-45ce-8266-11B3A0559E5A}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{6D63B21E-E9FD-4fcf-A1E2-33F08493D375}.exe	2024-05-04_a161ab4f8de0391157483a332987ec09_goldeneye.exe
File created	C:\Windows\{AF673F11-A30C-428f-B3F0-DF640C7396FA}.exe	{6D63B21E-E9FD-4fcf-A1E2-33F08493D375}.exe
File created	C:\Windows\{1662F3A0-68E3-461b-A73A-ED57AC9E6FAB}.exe	{C16FA44D-BB63-462f-8905-CEABFE5C8F1D}.exe
File created	C:\Windows\{B0E8DCE8-7699-4f16-B745-DAEE0CD7E019}.exe	{E4BB7C7B-6313-4d61-A180-C3F81B48FD3B}.exe
File created	C:\Windows\{DD918B20-02C8-4d56-A274-B3E77AE3C37D}.exe	{AF673F11-A30C-428f-B3F0-DF640C7396FA}.exe
File created	C:\Windows\{C16FA44D-BB63-462f-8905-CEABFE5C8F1D}.exe	{DD918B20-02C8-4d56-A274-B3E77AE3C37D}.exe
File created	C:\Windows\{30AFD8EF-258A-4bda-970E-C4EEEA01C299}.exe	{1662F3A0-68E3-461b-A73A-ED57AC9E6FAB}.exe
File created	C:\Windows\{78FB18E5-D713-470d-B920-01058CC51D74}.exe	{30AFD8EF-258A-4bda-970E-C4EEEA01C299}.exe
File created	C:\Windows\{A6FD371E-3FE7-4034-8B3F-21A18AA931CD}.exe	{78FB18E5-D713-470d-B920-01058CC51D74}.exe
File created	C:\Windows\{E4BB7C7B-6313-4d61-A180-C3F81B48FD3B}.exe	{A6FD371E-3FE7-4034-8B3F-21A18AA931CD}.exe
File created	C:\Windows\{80FE3138-89B8-45ce-8266-11B3A0559E5A}.exe	{B0E8DCE8-7699-4f16-B745-DAEE0CD7E019}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2232	2024-05-04_a161ab4f8de0391157483a332987ec09_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1756	{6D63B21E-E9FD-4fcf-A1E2-33F08493D375}.exe
Token: SeIncBasePriorityPrivilege	2628	{AF673F11-A30C-428f-B3F0-DF640C7396FA}.exe
Token: SeIncBasePriorityPrivilege	2748	{DD918B20-02C8-4d56-A274-B3E77AE3C37D}.exe
Token: SeIncBasePriorityPrivilege	2212	{C16FA44D-BB63-462f-8905-CEABFE5C8F1D}.exe
Token: SeIncBasePriorityPrivilege	1944	{1662F3A0-68E3-461b-A73A-ED57AC9E6FAB}.exe
Token: SeIncBasePriorityPrivilege	2540	{30AFD8EF-258A-4bda-970E-C4EEEA01C299}.exe
Token: SeIncBasePriorityPrivilege	2808	{78FB18E5-D713-470d-B920-01058CC51D74}.exe
Token: SeIncBasePriorityPrivilege	2988	{A6FD371E-3FE7-4034-8B3F-21A18AA931CD}.exe
Token: SeIncBasePriorityPrivilege	2912	{E4BB7C7B-6313-4d61-A180-C3F81B48FD3B}.exe
Token: SeIncBasePriorityPrivilege	1008	{B0E8DCE8-7699-4f16-B745-DAEE0CD7E019}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2232 wrote to memory of 1756	2232	2024-05-04_a161ab4f8de0391157483a332987ec09_goldeneye.exe	28
PID 2232 wrote to memory of 1756	2232	2024-05-04_a161ab4f8de0391157483a332987ec09_goldeneye.exe	28
PID 2232 wrote to memory of 1756	2232	2024-05-04_a161ab4f8de0391157483a332987ec09_goldeneye.exe	28
PID 2232 wrote to memory of 1756	2232	2024-05-04_a161ab4f8de0391157483a332987ec09_goldeneye.exe	28
PID 2232 wrote to memory of 2868	2232	2024-05-04_a161ab4f8de0391157483a332987ec09_goldeneye.exe	29
PID 2232 wrote to memory of 2868	2232	2024-05-04_a161ab4f8de0391157483a332987ec09_goldeneye.exe	29
PID 2232 wrote to memory of 2868	2232	2024-05-04_a161ab4f8de0391157483a332987ec09_goldeneye.exe	29
PID 2232 wrote to memory of 2868	2232	2024-05-04_a161ab4f8de0391157483a332987ec09_goldeneye.exe	29
PID 1756 wrote to memory of 2628	1756	{6D63B21E-E9FD-4fcf-A1E2-33F08493D375}.exe	30
PID 1756 wrote to memory of 2628	1756	{6D63B21E-E9FD-4fcf-A1E2-33F08493D375}.exe	30
PID 1756 wrote to memory of 2628	1756	{6D63B21E-E9FD-4fcf-A1E2-33F08493D375}.exe	30
PID 1756 wrote to memory of 2628	1756	{6D63B21E-E9FD-4fcf-A1E2-33F08493D375}.exe	30
PID 1756 wrote to memory of 2148	1756	{6D63B21E-E9FD-4fcf-A1E2-33F08493D375}.exe	31
PID 1756 wrote to memory of 2148	1756	{6D63B21E-E9FD-4fcf-A1E2-33F08493D375}.exe	31
PID 1756 wrote to memory of 2148	1756	{6D63B21E-E9FD-4fcf-A1E2-33F08493D375}.exe	31
PID 1756 wrote to memory of 2148	1756	{6D63B21E-E9FD-4fcf-A1E2-33F08493D375}.exe	31
PID 2628 wrote to memory of 2748	2628	{AF673F11-A30C-428f-B3F0-DF640C7396FA}.exe	32
PID 2628 wrote to memory of 2748	2628	{AF673F11-A30C-428f-B3F0-DF640C7396FA}.exe	32
PID 2628 wrote to memory of 2748	2628	{AF673F11-A30C-428f-B3F0-DF640C7396FA}.exe	32
PID 2628 wrote to memory of 2748	2628	{AF673F11-A30C-428f-B3F0-DF640C7396FA}.exe	32
PID 2628 wrote to memory of 2608	2628	{AF673F11-A30C-428f-B3F0-DF640C7396FA}.exe	33
PID 2628 wrote to memory of 2608	2628	{AF673F11-A30C-428f-B3F0-DF640C7396FA}.exe	33
PID 2628 wrote to memory of 2608	2628	{AF673F11-A30C-428f-B3F0-DF640C7396FA}.exe	33
PID 2628 wrote to memory of 2608	2628	{AF673F11-A30C-428f-B3F0-DF640C7396FA}.exe	33
PID 2748 wrote to memory of 2212	2748	{DD918B20-02C8-4d56-A274-B3E77AE3C37D}.exe	36
PID 2748 wrote to memory of 2212	2748	{DD918B20-02C8-4d56-A274-B3E77AE3C37D}.exe	36
PID 2748 wrote to memory of 2212	2748	{DD918B20-02C8-4d56-A274-B3E77AE3C37D}.exe	36
PID 2748 wrote to memory of 2212	2748	{DD918B20-02C8-4d56-A274-B3E77AE3C37D}.exe	36
PID 2748 wrote to memory of 1956	2748	{DD918B20-02C8-4d56-A274-B3E77AE3C37D}.exe	37
PID 2748 wrote to memory of 1956	2748	{DD918B20-02C8-4d56-A274-B3E77AE3C37D}.exe	37
PID 2748 wrote to memory of 1956	2748	{DD918B20-02C8-4d56-A274-B3E77AE3C37D}.exe	37
PID 2748 wrote to memory of 1956	2748	{DD918B20-02C8-4d56-A274-B3E77AE3C37D}.exe	37
PID 2212 wrote to memory of 1944	2212	{C16FA44D-BB63-462f-8905-CEABFE5C8F1D}.exe	38
PID 2212 wrote to memory of 1944	2212	{C16FA44D-BB63-462f-8905-CEABFE5C8F1D}.exe	38
PID 2212 wrote to memory of 1944	2212	{C16FA44D-BB63-462f-8905-CEABFE5C8F1D}.exe	38
PID 2212 wrote to memory of 1944	2212	{C16FA44D-BB63-462f-8905-CEABFE5C8F1D}.exe	38
PID 2212 wrote to memory of 956	2212	{C16FA44D-BB63-462f-8905-CEABFE5C8F1D}.exe	39
PID 2212 wrote to memory of 956	2212	{C16FA44D-BB63-462f-8905-CEABFE5C8F1D}.exe	39
PID 2212 wrote to memory of 956	2212	{C16FA44D-BB63-462f-8905-CEABFE5C8F1D}.exe	39
PID 2212 wrote to memory of 956	2212	{C16FA44D-BB63-462f-8905-CEABFE5C8F1D}.exe	39
PID 1944 wrote to memory of 2540	1944	{1662F3A0-68E3-461b-A73A-ED57AC9E6FAB}.exe	40
PID 1944 wrote to memory of 2540	1944	{1662F3A0-68E3-461b-A73A-ED57AC9E6FAB}.exe	40
PID 1944 wrote to memory of 2540	1944	{1662F3A0-68E3-461b-A73A-ED57AC9E6FAB}.exe	40
PID 1944 wrote to memory of 2540	1944	{1662F3A0-68E3-461b-A73A-ED57AC9E6FAB}.exe	40
PID 1944 wrote to memory of 1656	1944	{1662F3A0-68E3-461b-A73A-ED57AC9E6FAB}.exe	41
PID 1944 wrote to memory of 1656	1944	{1662F3A0-68E3-461b-A73A-ED57AC9E6FAB}.exe	41
PID 1944 wrote to memory of 1656	1944	{1662F3A0-68E3-461b-A73A-ED57AC9E6FAB}.exe	41
PID 1944 wrote to memory of 1656	1944	{1662F3A0-68E3-461b-A73A-ED57AC9E6FAB}.exe	41
PID 2540 wrote to memory of 2808	2540	{30AFD8EF-258A-4bda-970E-C4EEEA01C299}.exe	42
PID 2540 wrote to memory of 2808	2540	{30AFD8EF-258A-4bda-970E-C4EEEA01C299}.exe	42
PID 2540 wrote to memory of 2808	2540	{30AFD8EF-258A-4bda-970E-C4EEEA01C299}.exe	42
PID 2540 wrote to memory of 2808	2540	{30AFD8EF-258A-4bda-970E-C4EEEA01C299}.exe	42
PID 2540 wrote to memory of 1324	2540	{30AFD8EF-258A-4bda-970E-C4EEEA01C299}.exe	43
PID 2540 wrote to memory of 1324	2540	{30AFD8EF-258A-4bda-970E-C4EEEA01C299}.exe	43
PID 2540 wrote to memory of 1324	2540	{30AFD8EF-258A-4bda-970E-C4EEEA01C299}.exe	43
PID 2540 wrote to memory of 1324	2540	{30AFD8EF-258A-4bda-970E-C4EEEA01C299}.exe	43
PID 2808 wrote to memory of 2988	2808	{78FB18E5-D713-470d-B920-01058CC51D74}.exe	44
PID 2808 wrote to memory of 2988	2808	{78FB18E5-D713-470d-B920-01058CC51D74}.exe	44
PID 2808 wrote to memory of 2988	2808	{78FB18E5-D713-470d-B920-01058CC51D74}.exe	44
PID 2808 wrote to memory of 2988	2808	{78FB18E5-D713-470d-B920-01058CC51D74}.exe	44
PID 2808 wrote to memory of 2860	2808	{78FB18E5-D713-470d-B920-01058CC51D74}.exe	45
PID 2808 wrote to memory of 2860	2808	{78FB18E5-D713-470d-B920-01058CC51D74}.exe	45
PID 2808 wrote to memory of 2860	2808	{78FB18E5-D713-470d-B920-01058CC51D74}.exe	45
PID 2808 wrote to memory of 2860	2808	{78FB18E5-D713-470d-B920-01058CC51D74}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-05-04_a161ab4f8de0391157483a332987ec09_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-04_a161ab4f8de0391157483a332987ec09_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2232
- C:\Windows\{6D63B21E-E9FD-4fcf-A1E2-33F08493D375}.exe
  C:\Windows\{6D63B21E-E9FD-4fcf-A1E2-33F08493D375}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1756
- - C:\Windows\{AF673F11-A30C-428f-B3F0-DF640C7396FA}.exe
    C:\Windows\{AF673F11-A30C-428f-B3F0-DF640C7396FA}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2628
  - - C:\Windows\{DD918B20-02C8-4d56-A274-B3E77AE3C37D}.exe
      C:\Windows\{DD918B20-02C8-4d56-A274-B3E77AE3C37D}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2748
    - - C:\Windows\{C16FA44D-BB63-462f-8905-CEABFE5C8F1D}.exe
        
        C:\Windows\{C16FA44D-BB63-462f-8905-CEABFE5C8F1D}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2212
      - C:\Windows\{1662F3A0-68E3-461b-A73A-ED57AC9E6FAB}.exe
        
        C:\Windows\{1662F3A0-68E3-461b-A73A-ED57AC9E6FAB}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1944
        
        C:\Windows\{30AFD8EF-258A-4bda-970E-C4EEEA01C299}.exe
        
        C:\Windows\{30AFD8EF-258A-4bda-970E-C4EEEA01C299}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2540
        
        C:\Windows\{78FB18E5-D713-470d-B920-01058CC51D74}.exe
        
        C:\Windows\{78FB18E5-D713-470d-B920-01058CC51D74}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2808
        
        C:\Windows\{A6FD371E-3FE7-4034-8B3F-21A18AA931CD}.exe
        
        C:\Windows\{A6FD371E-3FE7-4034-8B3F-21A18AA931CD}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2988
        
        C:\Windows\{E4BB7C7B-6313-4d61-A180-C3F81B48FD3B}.exe
        
        C:\Windows\{E4BB7C7B-6313-4d61-A180-C3F81B48FD3B}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2912
        
        C:\Windows\{B0E8DCE8-7699-4f16-B745-DAEE0CD7E019}.exe
        
        C:\Windows\{B0E8DCE8-7699-4f16-B745-DAEE0CD7E019}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1008
        
        C:\Windows\{80FE3138-89B8-45ce-8266-11B3A0559E5A}.exe
        
        C:\Windows\{80FE3138-89B8-45ce-8266-11B3A0559E5A}.exe
        12⤵
        Executes dropped EXE
        
        PID:560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B0E8D~1.EXE > nul
        12⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E4BB7~1.EXE > nul
        11⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A6FD3~1.EXE > nul
        10⤵
        
        PID:1220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{78FB1~1.EXE > nul
        9⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{30AFD~1.EXE > nul
        8⤵
        
        PID:1324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1662F~1.EXE > nul
        7⤵
        
        PID:1656
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C16FA~1.EXE > nul
        6⤵
        
        PID:956
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DD918~1.EXE > nul
        5⤵
        
        PID:1956
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{AF673~1.EXE > nul
      4⤵
      PID:2608
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{6D63B~1.EXE > nul
    3⤵
    PID:2148
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1662F3A0-68E3-461b-A73A-ED57AC9E6FAB}.exe

Filesize
216KB

MD5
172d12bab94cb79bc15438094ddcc661

SHA1
d163a477e969f67c1d651eb0d30ba046cb271351

SHA256
5bb2ff4617768bebcd9263f3d8b178d7eebdd5329dab7f44802ba0651228463e

SHA512
74c4b2d7a1ca74ff5c0fdd96d694ab45e8429eb3ff70da0240eabf76e3b0253a7572f1a9f8f5f72726750a92c750033f44896f4d3feab1c9dc3291ca7a1a0a7a

Download Submit
C:\Windows\{30AFD8EF-258A-4bda-970E-C4EEEA01C299}.exe

Filesize
216KB

MD5
9e41447a84ae43a36f206674c91c4d24

SHA1
10e433722b9a42d1636bd188bb522dd2840a7734

SHA256
5f92410b5a9e4303bc3f849ab82852ac0c9ae497b46ec3ba29817611a91f2b97

SHA512
42ef13616cfe99f17f765f9ce7cd8b14bce4564eda6e9be812d142c42fa705a8af05de8b0e32d25ea07fd483c6315049e90cacafb9aa2e40ec56a2d03b708f63

Download Submit
C:\Windows\{6D63B21E-E9FD-4fcf-A1E2-33F08493D375}.exe

Filesize
216KB

MD5
ff8da86d55ec938d50d7d3a8715d7dd9

SHA1
90cdc5a9280c96ebc57b65e7beb963b02a5caf6d

SHA256
de3f1f802e819ba77d05078e1d4f737488d085a959946aa49bd3b537b5279f30

SHA512
cc07a851498a4370151666dea11f78d3482cec00d5a43736f02289ea8d630e053bf01943523f4144f683ecccedb35389856120e783eaa72d186e02939c1a88a8

Download Submit
C:\Windows\{78FB18E5-D713-470d-B920-01058CC51D74}.exe

Filesize
216KB

MD5
f3f0cd9c720350ea65ce7ab4467b4ebe

SHA1
e066d14dda874c1a9d606f883d53c47734b455df

SHA256
58ff116a4c281b63a9726f0733f72331c642838552897ad644e7f870568e50df

SHA512
3b428f58d38d66656e3e93c2dccda1f9424a0ed4eb589950d0b86ab57a077f9beb7ed91adcf2198da3f5b8e8732ebf5543a112d6cd938a84268b4afd46f52b61

Download Submit
C:\Windows\{80FE3138-89B8-45ce-8266-11B3A0559E5A}.exe

Filesize
216KB

MD5
cd728c75c3685142070bc919b231328d

SHA1
e421956428bd205fa9ed7b7c0cc09968689211e4

SHA256
7d63a92242dd099c5c1db748cbf4e59a5dd8bd249b7933ea8e36b463ef81c29b

SHA512
79971a323a094c04f152b1ecb284f79a131abb52874a7a91779c13bcd683a670164b23799c95d204fd83ccabf7bf39ef7021efa9959669165bddedacc33357f4

Download Submit
C:\Windows\{A6FD371E-3FE7-4034-8B3F-21A18AA931CD}.exe

Filesize
216KB

MD5
22c6e7da682205fcf027f8cbc225b19e

SHA1
6ed51bca269890aecf1a934db51fc7f395d7f5ec

SHA256
38b4a852e024183135559e05c002a3e33c900931aae1745def77b042f383c0cf

SHA512
e6af3c840e6bbce9de2bec649db74bc8e39f6478d35c879b105e25dd970cdf0c1e3b3a653eb47622ae56be0fe3d9c54d1d656d9e065cd4b71b3537f1d784f46e

Download Submit
C:\Windows\{AF673F11-A30C-428f-B3F0-DF640C7396FA}.exe

Filesize
216KB

MD5
401219884f3c51180f82e207b97aeeb1

SHA1
4290b2317a364eee4dc2891c226be5958edd0689

SHA256
467070c9161d1a1aa86d8036064ba69d20f661fd38550fb9dca5fe3333f93e67

SHA512
1f9b98606b8e4e2d2cb65b7016ae3ef953372871427ecd6758f31286c8fd4de01d81d70ab71ea2df966c56e02e337052a364c3dde0c348fc49e0e839484db97c

Download Submit
C:\Windows\{B0E8DCE8-7699-4f16-B745-DAEE0CD7E019}.exe

Filesize
216KB

MD5
1430269458dc2517dce56cdfe94792f3

SHA1
fcbecd97bfbe0564a887e63fa3c0d418451af512

SHA256
95a3cdd1cf8d5c2938c7ac29a3a91a13041abe47e5de324d828590998772a376

SHA512
389ea31414673fa9cb17922ab3877565e15a32bde7638f59b621614d17c26017f4196120a7965f480db4c2e5ee526c4482a95f2ddf8a453bcb85415763d9b85a

Download Submit
C:\Windows\{C16FA44D-BB63-462f-8905-CEABFE5C8F1D}.exe

Filesize
216KB

MD5
87dfed78b23b13820eee412f13fe9bc7

SHA1
561083477d2dcb8854a01870cdd612a51259e263

SHA256
ba2ac45e675191c883cd9bea1defa4b28aa4fda10632d68b09e8c75d3bd86436

SHA512
4b33a310e671ea0b2de6aa8c0277ae52f49d8549cb7509035496a4b6eda740938e73eb7f8ea029dddaa172debb044f37805c39634b6b996a4d00203871f916b6

Download Submit
C:\Windows\{DD918B20-02C8-4d56-A274-B3E77AE3C37D}.exe

Filesize
216KB

MD5
0f71b2bca54d919b16dd70b69c0131c1

SHA1
6f9ac149957c2d0cd2eafd42b09579e0032f8a7e

SHA256
8dc30af38e29d78bf9feab9d43834b3e56933788c4e2699fddef5048f26d2c18

SHA512
b7e3c1018d15605baa18aa8f87075861fceca9b67f51ec6df8a8423a8b725c823336c17f3c049a59500f1c51a915a6fadb176e2b99d35526d0d9455a65be91f8

Download Submit
C:\Windows\{E4BB7C7B-6313-4d61-A180-C3F81B48FD3B}.exe

Filesize
216KB

MD5
dda8247cd0e5226a2571f19968cb2268

SHA1
cb7074f6e0db30b5fe0828563004bd72466566e8

SHA256
be25a7ca4f18540e0abbf5415add10c83d6da639d5d86ead40346248655e5b65

SHA512
5404ef60c597176be70c31e6e44b8a07e7c6f4ada78351f256a68c3bc5f1e4bd2946dafd902453cc108348a2fd80e0cd6ed392cbf75a082291141ad2c15d602b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads