741d927827b98dd4258526f5103da3072c4b2d7a9945932ca77ede8a64cfd2e2

Analysis

max time kernel
144s
max time network
118s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
08/05/2024, 05:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-08_a0e982a24f42f9348842bd7685b4430d_goldeneye.exe
Size

344KB
MD5

a0e982a24f42f9348842bd7685b4430d
SHA1

f1596901d7bcfc508d005d2cd3bd472d5065393a
SHA256

741d927827b98dd4258526f5103da3072c4b2d7a9945932ca77ede8a64cfd2e2
SHA512

16356426862bd047f2fd029a14bcb45ef7ecf0aa51338bb1871a3559480e516725b3aaf14ed10ebee7103ff56ec725ad3894406eb79fe543d954f097fc245b1e
SSDEEP

3072:mEGh0oAlEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEG+lqOe2MUVg3v2IneKcAEcA

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000c0000000143a8-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0032000000014588-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d0000000143a8-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0031000000014662-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e0000000143a8-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f0000000143a8-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00100000000143a8-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{159A5FEE-1A27-4279-BF3D-BA8577FDB818}\stubpath = "C:\\Windows\\{159A5FEE-1A27-4279-BF3D-BA8577FDB818}.exe"	{DA220C0C-9B9D-4803-93B7-6F58085DF253}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F5C302C2-8A50-4040-9181-23287DD13C07}\stubpath = "C:\\Windows\\{F5C302C2-8A50-4040-9181-23287DD13C07}.exe"	{ED60D3E6-BD05-4033-87DC-6151CCAF7DBA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2E825049-F613-4cb3-B226-321294192DF8}	2024-05-08_a0e982a24f42f9348842bd7685b4430d_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C1949DA2-9AB5-4854-945C-5744D5578DBF}	{2E825049-F613-4cb3-B226-321294192DF8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E56697F2-5E1B-4828-A0B9-33A45AA0A432}\stubpath = "C:\\Windows\\{E56697F2-5E1B-4828-A0B9-33A45AA0A432}.exe"	{0FB99910-42A0-4a74-8FBE-B152F39756BF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{159A5FEE-1A27-4279-BF3D-BA8577FDB818}	{DA220C0C-9B9D-4803-93B7-6F58085DF253}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F5C302C2-8A50-4040-9181-23287DD13C07}	{ED60D3E6-BD05-4033-87DC-6151CCAF7DBA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8F3EBCF2-4555-4a7a-A600-1D159C42BB03}	{33A1C93A-F20B-4465-9EED-C5613C0EA9E2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DA220C0C-9B9D-4803-93B7-6F58085DF253}	{E56697F2-5E1B-4828-A0B9-33A45AA0A432}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ED60D3E6-BD05-4033-87DC-6151CCAF7DBA}	{159A5FEE-1A27-4279-BF3D-BA8577FDB818}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ED60D3E6-BD05-4033-87DC-6151CCAF7DBA}\stubpath = "C:\\Windows\\{ED60D3E6-BD05-4033-87DC-6151CCAF7DBA}.exe"	{159A5FEE-1A27-4279-BF3D-BA8577FDB818}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2904378F-5CCA-4a15-86A8-5068FA9306F7}\stubpath = "C:\\Windows\\{2904378F-5CCA-4a15-86A8-5068FA9306F7}.exe"	{8F3EBCF2-4555-4a7a-A600-1D159C42BB03}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0FB99910-42A0-4a74-8FBE-B152F39756BF}\stubpath = "C:\\Windows\\{0FB99910-42A0-4a74-8FBE-B152F39756BF}.exe"	{2904378F-5CCA-4a15-86A8-5068FA9306F7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E56697F2-5E1B-4828-A0B9-33A45AA0A432}	{0FB99910-42A0-4a74-8FBE-B152F39756BF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DA220C0C-9B9D-4803-93B7-6F58085DF253}\stubpath = "C:\\Windows\\{DA220C0C-9B9D-4803-93B7-6F58085DF253}.exe"	{E56697F2-5E1B-4828-A0B9-33A45AA0A432}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8F3EBCF2-4555-4a7a-A600-1D159C42BB03}\stubpath = "C:\\Windows\\{8F3EBCF2-4555-4a7a-A600-1D159C42BB03}.exe"	{33A1C93A-F20B-4465-9EED-C5613C0EA9E2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2904378F-5CCA-4a15-86A8-5068FA9306F7}	{8F3EBCF2-4555-4a7a-A600-1D159C42BB03}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0FB99910-42A0-4a74-8FBE-B152F39756BF}	{2904378F-5CCA-4a15-86A8-5068FA9306F7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2E825049-F613-4cb3-B226-321294192DF8}\stubpath = "C:\\Windows\\{2E825049-F613-4cb3-B226-321294192DF8}.exe"	2024-05-08_a0e982a24f42f9348842bd7685b4430d_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C1949DA2-9AB5-4854-945C-5744D5578DBF}\stubpath = "C:\\Windows\\{C1949DA2-9AB5-4854-945C-5744D5578DBF}.exe"	{2E825049-F613-4cb3-B226-321294192DF8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{33A1C93A-F20B-4465-9EED-C5613C0EA9E2}	{C1949DA2-9AB5-4854-945C-5744D5578DBF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{33A1C93A-F20B-4465-9EED-C5613C0EA9E2}\stubpath = "C:\\Windows\\{33A1C93A-F20B-4465-9EED-C5613C0EA9E2}.exe"	{C1949DA2-9AB5-4854-945C-5744D5578DBF}.exe

Deletes itself 1 IoCs

pid	Process
2648	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
3040	{2E825049-F613-4cb3-B226-321294192DF8}.exe
2628	{C1949DA2-9AB5-4854-945C-5744D5578DBF}.exe
2396	{33A1C93A-F20B-4465-9EED-C5613C0EA9E2}.exe
2700	{8F3EBCF2-4555-4a7a-A600-1D159C42BB03}.exe
2916	{2904378F-5CCA-4a15-86A8-5068FA9306F7}.exe
2016	{0FB99910-42A0-4a74-8FBE-B152F39756BF}.exe
2496	{E56697F2-5E1B-4828-A0B9-33A45AA0A432}.exe
1052	{DA220C0C-9B9D-4803-93B7-6F58085DF253}.exe
2036	{159A5FEE-1A27-4279-BF3D-BA8577FDB818}.exe
1152	{ED60D3E6-BD05-4033-87DC-6151CCAF7DBA}.exe
1732	{F5C302C2-8A50-4040-9181-23287DD13C07}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{E56697F2-5E1B-4828-A0B9-33A45AA0A432}.exe	{0FB99910-42A0-4a74-8FBE-B152F39756BF}.exe
File created	C:\Windows\{DA220C0C-9B9D-4803-93B7-6F58085DF253}.exe	{E56697F2-5E1B-4828-A0B9-33A45AA0A432}.exe
File created	C:\Windows\{159A5FEE-1A27-4279-BF3D-BA8577FDB818}.exe	{DA220C0C-9B9D-4803-93B7-6F58085DF253}.exe
File created	C:\Windows\{ED60D3E6-BD05-4033-87DC-6151CCAF7DBA}.exe	{159A5FEE-1A27-4279-BF3D-BA8577FDB818}.exe
File created	C:\Windows\{2E825049-F613-4cb3-B226-321294192DF8}.exe	2024-05-08_a0e982a24f42f9348842bd7685b4430d_goldeneye.exe
File created	C:\Windows\{C1949DA2-9AB5-4854-945C-5744D5578DBF}.exe	{2E825049-F613-4cb3-B226-321294192DF8}.exe
File created	C:\Windows\{2904378F-5CCA-4a15-86A8-5068FA9306F7}.exe	{8F3EBCF2-4555-4a7a-A600-1D159C42BB03}.exe
File created	C:\Windows\{F5C302C2-8A50-4040-9181-23287DD13C07}.exe	{ED60D3E6-BD05-4033-87DC-6151CCAF7DBA}.exe
File created	C:\Windows\{33A1C93A-F20B-4465-9EED-C5613C0EA9E2}.exe	{C1949DA2-9AB5-4854-945C-5744D5578DBF}.exe
File created	C:\Windows\{8F3EBCF2-4555-4a7a-A600-1D159C42BB03}.exe	{33A1C93A-F20B-4465-9EED-C5613C0EA9E2}.exe
File created	C:\Windows\{0FB99910-42A0-4a74-8FBE-B152F39756BF}.exe	{2904378F-5CCA-4a15-86A8-5068FA9306F7}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2344	2024-05-08_a0e982a24f42f9348842bd7685b4430d_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3040	{2E825049-F613-4cb3-B226-321294192DF8}.exe
Token: SeIncBasePriorityPrivilege	2628	{C1949DA2-9AB5-4854-945C-5744D5578DBF}.exe
Token: SeIncBasePriorityPrivilege	2396	{33A1C93A-F20B-4465-9EED-C5613C0EA9E2}.exe
Token: SeIncBasePriorityPrivilege	2700	{8F3EBCF2-4555-4a7a-A600-1D159C42BB03}.exe
Token: SeIncBasePriorityPrivilege	2916	{2904378F-5CCA-4a15-86A8-5068FA9306F7}.exe
Token: SeIncBasePriorityPrivilege	2016	{0FB99910-42A0-4a74-8FBE-B152F39756BF}.exe
Token: SeIncBasePriorityPrivilege	2496	{E56697F2-5E1B-4828-A0B9-33A45AA0A432}.exe
Token: SeIncBasePriorityPrivilege	1052	{DA220C0C-9B9D-4803-93B7-6F58085DF253}.exe
Token: SeIncBasePriorityPrivilege	2036	{159A5FEE-1A27-4279-BF3D-BA8577FDB818}.exe
Token: SeIncBasePriorityPrivilege	1152	{ED60D3E6-BD05-4033-87DC-6151CCAF7DBA}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2344 wrote to memory of 3040	2344	2024-05-08_a0e982a24f42f9348842bd7685b4430d_goldeneye.exe	28
PID 2344 wrote to memory of 3040	2344	2024-05-08_a0e982a24f42f9348842bd7685b4430d_goldeneye.exe	28
PID 2344 wrote to memory of 3040	2344	2024-05-08_a0e982a24f42f9348842bd7685b4430d_goldeneye.exe	28
PID 2344 wrote to memory of 3040	2344	2024-05-08_a0e982a24f42f9348842bd7685b4430d_goldeneye.exe	28
PID 2344 wrote to memory of 2648	2344	2024-05-08_a0e982a24f42f9348842bd7685b4430d_goldeneye.exe	29
PID 2344 wrote to memory of 2648	2344	2024-05-08_a0e982a24f42f9348842bd7685b4430d_goldeneye.exe	29
PID 2344 wrote to memory of 2648	2344	2024-05-08_a0e982a24f42f9348842bd7685b4430d_goldeneye.exe	29
PID 2344 wrote to memory of 2648	2344	2024-05-08_a0e982a24f42f9348842bd7685b4430d_goldeneye.exe	29
PID 3040 wrote to memory of 2628	3040	{2E825049-F613-4cb3-B226-321294192DF8}.exe	30
PID 3040 wrote to memory of 2628	3040	{2E825049-F613-4cb3-B226-321294192DF8}.exe	30
PID 3040 wrote to memory of 2628	3040	{2E825049-F613-4cb3-B226-321294192DF8}.exe	30
PID 3040 wrote to memory of 2628	3040	{2E825049-F613-4cb3-B226-321294192DF8}.exe	30
PID 3040 wrote to memory of 2596	3040	{2E825049-F613-4cb3-B226-321294192DF8}.exe	31
PID 3040 wrote to memory of 2596	3040	{2E825049-F613-4cb3-B226-321294192DF8}.exe	31
PID 3040 wrote to memory of 2596	3040	{2E825049-F613-4cb3-B226-321294192DF8}.exe	31
PID 3040 wrote to memory of 2596	3040	{2E825049-F613-4cb3-B226-321294192DF8}.exe	31
PID 2628 wrote to memory of 2396	2628	{C1949DA2-9AB5-4854-945C-5744D5578DBF}.exe	32
PID 2628 wrote to memory of 2396	2628	{C1949DA2-9AB5-4854-945C-5744D5578DBF}.exe	32
PID 2628 wrote to memory of 2396	2628	{C1949DA2-9AB5-4854-945C-5744D5578DBF}.exe	32
PID 2628 wrote to memory of 2396	2628	{C1949DA2-9AB5-4854-945C-5744D5578DBF}.exe	32
PID 2628 wrote to memory of 2440	2628	{C1949DA2-9AB5-4854-945C-5744D5578DBF}.exe	33
PID 2628 wrote to memory of 2440	2628	{C1949DA2-9AB5-4854-945C-5744D5578DBF}.exe	33
PID 2628 wrote to memory of 2440	2628	{C1949DA2-9AB5-4854-945C-5744D5578DBF}.exe	33
PID 2628 wrote to memory of 2440	2628	{C1949DA2-9AB5-4854-945C-5744D5578DBF}.exe	33
PID 2396 wrote to memory of 2700	2396	{33A1C93A-F20B-4465-9EED-C5613C0EA9E2}.exe	36
PID 2396 wrote to memory of 2700	2396	{33A1C93A-F20B-4465-9EED-C5613C0EA9E2}.exe	36
PID 2396 wrote to memory of 2700	2396	{33A1C93A-F20B-4465-9EED-C5613C0EA9E2}.exe	36
PID 2396 wrote to memory of 2700	2396	{33A1C93A-F20B-4465-9EED-C5613C0EA9E2}.exe	36
PID 2396 wrote to memory of 2760	2396	{33A1C93A-F20B-4465-9EED-C5613C0EA9E2}.exe	37
PID 2396 wrote to memory of 2760	2396	{33A1C93A-F20B-4465-9EED-C5613C0EA9E2}.exe	37
PID 2396 wrote to memory of 2760	2396	{33A1C93A-F20B-4465-9EED-C5613C0EA9E2}.exe	37
PID 2396 wrote to memory of 2760	2396	{33A1C93A-F20B-4465-9EED-C5613C0EA9E2}.exe	37
PID 2700 wrote to memory of 2916	2700	{8F3EBCF2-4555-4a7a-A600-1D159C42BB03}.exe	38
PID 2700 wrote to memory of 2916	2700	{8F3EBCF2-4555-4a7a-A600-1D159C42BB03}.exe	38
PID 2700 wrote to memory of 2916	2700	{8F3EBCF2-4555-4a7a-A600-1D159C42BB03}.exe	38
PID 2700 wrote to memory of 2916	2700	{8F3EBCF2-4555-4a7a-A600-1D159C42BB03}.exe	38
PID 2700 wrote to memory of 1616	2700	{8F3EBCF2-4555-4a7a-A600-1D159C42BB03}.exe	39
PID 2700 wrote to memory of 1616	2700	{8F3EBCF2-4555-4a7a-A600-1D159C42BB03}.exe	39
PID 2700 wrote to memory of 1616	2700	{8F3EBCF2-4555-4a7a-A600-1D159C42BB03}.exe	39
PID 2700 wrote to memory of 1616	2700	{8F3EBCF2-4555-4a7a-A600-1D159C42BB03}.exe	39
PID 2916 wrote to memory of 2016	2916	{2904378F-5CCA-4a15-86A8-5068FA9306F7}.exe	40
PID 2916 wrote to memory of 2016	2916	{2904378F-5CCA-4a15-86A8-5068FA9306F7}.exe	40
PID 2916 wrote to memory of 2016	2916	{2904378F-5CCA-4a15-86A8-5068FA9306F7}.exe	40
PID 2916 wrote to memory of 2016	2916	{2904378F-5CCA-4a15-86A8-5068FA9306F7}.exe	40
PID 2916 wrote to memory of 1576	2916	{2904378F-5CCA-4a15-86A8-5068FA9306F7}.exe	41
PID 2916 wrote to memory of 1576	2916	{2904378F-5CCA-4a15-86A8-5068FA9306F7}.exe	41
PID 2916 wrote to memory of 1576	2916	{2904378F-5CCA-4a15-86A8-5068FA9306F7}.exe	41
PID 2916 wrote to memory of 1576	2916	{2904378F-5CCA-4a15-86A8-5068FA9306F7}.exe	41
PID 2016 wrote to memory of 2496	2016	{0FB99910-42A0-4a74-8FBE-B152F39756BF}.exe	42
PID 2016 wrote to memory of 2496	2016	{0FB99910-42A0-4a74-8FBE-B152F39756BF}.exe	42
PID 2016 wrote to memory of 2496	2016	{0FB99910-42A0-4a74-8FBE-B152F39756BF}.exe	42
PID 2016 wrote to memory of 2496	2016	{0FB99910-42A0-4a74-8FBE-B152F39756BF}.exe	42
PID 2016 wrote to memory of 624	2016	{0FB99910-42A0-4a74-8FBE-B152F39756BF}.exe	43
PID 2016 wrote to memory of 624	2016	{0FB99910-42A0-4a74-8FBE-B152F39756BF}.exe	43
PID 2016 wrote to memory of 624	2016	{0FB99910-42A0-4a74-8FBE-B152F39756BF}.exe	43
PID 2016 wrote to memory of 624	2016	{0FB99910-42A0-4a74-8FBE-B152F39756BF}.exe	43
PID 2496 wrote to memory of 1052	2496	{E56697F2-5E1B-4828-A0B9-33A45AA0A432}.exe	44
PID 2496 wrote to memory of 1052	2496	{E56697F2-5E1B-4828-A0B9-33A45AA0A432}.exe	44
PID 2496 wrote to memory of 1052	2496	{E56697F2-5E1B-4828-A0B9-33A45AA0A432}.exe	44
PID 2496 wrote to memory of 1052	2496	{E56697F2-5E1B-4828-A0B9-33A45AA0A432}.exe	44
PID 2496 wrote to memory of 2244	2496	{E56697F2-5E1B-4828-A0B9-33A45AA0A432}.exe	45
PID 2496 wrote to memory of 2244	2496	{E56697F2-5E1B-4828-A0B9-33A45AA0A432}.exe	45
PID 2496 wrote to memory of 2244	2496	{E56697F2-5E1B-4828-A0B9-33A45AA0A432}.exe	45
PID 2496 wrote to memory of 2244	2496	{E56697F2-5E1B-4828-A0B9-33A45AA0A432}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-05-08_a0e982a24f42f9348842bd7685b4430d_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-08_a0e982a24f42f9348842bd7685b4430d_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2344
- C:\Windows\{2E825049-F613-4cb3-B226-321294192DF8}.exe
  C:\Windows\{2E825049-F613-4cb3-B226-321294192DF8}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3040
- - C:\Windows\{C1949DA2-9AB5-4854-945C-5744D5578DBF}.exe
    C:\Windows\{C1949DA2-9AB5-4854-945C-5744D5578DBF}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2628
  - - C:\Windows\{33A1C93A-F20B-4465-9EED-C5613C0EA9E2}.exe
      C:\Windows\{33A1C93A-F20B-4465-9EED-C5613C0EA9E2}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2396
    - - C:\Windows\{8F3EBCF2-4555-4a7a-A600-1D159C42BB03}.exe
        
        C:\Windows\{8F3EBCF2-4555-4a7a-A600-1D159C42BB03}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2700
      - C:\Windows\{2904378F-5CCA-4a15-86A8-5068FA9306F7}.exe
        
        C:\Windows\{2904378F-5CCA-4a15-86A8-5068FA9306F7}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2916
        
        C:\Windows\{0FB99910-42A0-4a74-8FBE-B152F39756BF}.exe
        
        C:\Windows\{0FB99910-42A0-4a74-8FBE-B152F39756BF}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2016
        
        C:\Windows\{E56697F2-5E1B-4828-A0B9-33A45AA0A432}.exe
        
        C:\Windows\{E56697F2-5E1B-4828-A0B9-33A45AA0A432}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2496
        
        C:\Windows\{DA220C0C-9B9D-4803-93B7-6F58085DF253}.exe
        
        C:\Windows\{DA220C0C-9B9D-4803-93B7-6F58085DF253}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1052
        
        C:\Windows\{159A5FEE-1A27-4279-BF3D-BA8577FDB818}.exe
        
        C:\Windows\{159A5FEE-1A27-4279-BF3D-BA8577FDB818}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2036
        
        C:\Windows\{ED60D3E6-BD05-4033-87DC-6151CCAF7DBA}.exe
        
        C:\Windows\{ED60D3E6-BD05-4033-87DC-6151CCAF7DBA}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1152
        
        C:\Windows\{F5C302C2-8A50-4040-9181-23287DD13C07}.exe
        
        C:\Windows\{F5C302C2-8A50-4040-9181-23287DD13C07}.exe
        12⤵
        Executes dropped EXE
        
        PID:1732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{ED60D~1.EXE > nul
        12⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{159A5~1.EXE > nul
        11⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DA220~1.EXE > nul
        10⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E5669~1.EXE > nul
        9⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0FB99~1.EXE > nul
        8⤵
        
        PID:624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{29043~1.EXE > nul
        7⤵
        
        PID:1576
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8F3EB~1.EXE > nul
        6⤵
        
        PID:1616
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{33A1C~1.EXE > nul
        5⤵
        
        PID:2760
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{C1949~1.EXE > nul
      4⤵
      PID:2440
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{2E825~1.EXE > nul
    3⤵
    PID:2596
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0FB99910-42A0-4a74-8FBE-B152F39756BF}.exe

Filesize
344KB

MD5
8750f215b9bf70caea95cc1d7205bdfd

SHA1
6fbfcf341eaf2f6327256a27fbcbc4c6428c2f81

SHA256
0a940766c05fb94a0d562afcc84580e15f9387d628866d9164d07d118a8af390

SHA512
6d7007d18fa72591a10992d4464fa69643c482fd88bcd8189c02126c750a163bb82ec0bc3b1c321ad561167c245ba660823120df8b6eafaa865647ec1d6ae075

Download Submit
C:\Windows\{159A5FEE-1A27-4279-BF3D-BA8577FDB818}.exe

Filesize
344KB

MD5
63cd36ec88a058ceebf340f1bdb23e4e

SHA1
1115a3e5940efad5921ca68b1fa57717d34202c6

SHA256
cfe319bbbe11238e8a91c19cbed34a9c112be5ab2e501fb9eff6f40df73b0533

SHA512
eff55329928bcfe78a8796a8380248b5185e1108f493499d792203b8795465857ab04ac5bad3b767e13d59679e369c6db2f5e6b92ad8ae5ad1b9323b701f26e4

Download Submit
C:\Windows\{2904378F-5CCA-4a15-86A8-5068FA9306F7}.exe

Filesize
344KB

MD5
9fc8644214f670cebcf909a1962bb361

SHA1
15b7586a75e7f6ba8d0530ed83df15318b7189d9

SHA256
39162e42d14d2d1a98f6f9e42f730dbcec8b652f42ce3385a4f2647b63e6b53d

SHA512
d1e445dfad10381592ec279bd803acfde3d6d29b3b7429e0cdc15583465effaeaaa2db3bdc80fd492df79376271b387fc17dff4e3103c3415624a9dd04b5c00d

Download Submit
C:\Windows\{2E825049-F613-4cb3-B226-321294192DF8}.exe

Filesize
344KB

MD5
b3a21ade87597e655a6ea4b48c1af0bd

SHA1
c189fc7bd28a9f724110b0b3e8575fe35ba94f19

SHA256
3966ad774bbbf8dac482b34a1be0ce68daf4b02a6b675ba0cc9bccade0f90c52

SHA512
e04c1b7d8e266be4e03bebd73427e821bf63ab42a59059800f72edf252346b45fc7312daff68c23a2f76442ea773acb97a76529bea25ee995a520813e2bdf78e

Download Submit
C:\Windows\{33A1C93A-F20B-4465-9EED-C5613C0EA9E2}.exe

Filesize
344KB

MD5
a98b113dc5d5876fc4bad2cdbcd1f9e2

SHA1
09a7656afe3904e782c953044074e74307c64a41

SHA256
6245b53543884dd455e90e933b947ad71f877a226d0239ff433560438a8d9904

SHA512
c805fe735940382eb8e04602ef4e17549a3dbbcafa8e123dd8d4136a11922c901c5e084b7c489cf7130e5d8baf58932fbf8bc970d8b760622dbf5b00b9f3533f

Download Submit
C:\Windows\{8F3EBCF2-4555-4a7a-A600-1D159C42BB03}.exe

Filesize
344KB

MD5
c83bf562572c52b7cdd1b2c8ab33dac1

SHA1
1ddbb4d4499b470cb93b0b0157ec38a223219ff0

SHA256
07f54ef7b06a3400fc5e065f986c01f77cfcb72b9150f0fbb6f82ec831bba98e

SHA512
8a9b4845bcf417cf451196b832991ac7e75f276ac2718b44ba3786588d67701006551e1f16f081edf0d4439fe70aafe0ebb68d75b77b9100d75324a0ea9cd529

Download Submit
C:\Windows\{C1949DA2-9AB5-4854-945C-5744D5578DBF}.exe

Filesize
344KB

MD5
dca801b8fcbafcf9f5976361b87c295e

SHA1
c3db0ba378a4e230c30b92da6f2750e4378737be

SHA256
d8ef6584d4b49be2642893c1584c285c03fa1c7d967b784ac9a747a804c8b5b4

SHA512
4e898a6bf5e8c7d33381d1b7caefa2463da7fdc0fa4edec10ac50b43b2315273306a0915806851fe61cbc8b7180aea0a8dfef44aece2f1150afe3531e8ef8800

Download Submit
C:\Windows\{DA220C0C-9B9D-4803-93B7-6F58085DF253}.exe

Filesize
344KB

MD5
ce88d2ff26090df5274dce471ccb8ef9

SHA1
6caf0502ca8bfca680084afae1767a1f2aae4ffa

SHA256
f5a7627eb0f07f2fdfdc56dbb6a2ee1a832edd1f5b594721c165592af847130a

SHA512
d48efaf458389910339a3bee400703b5178de42975b1676ff10fffb175730392fadd0b212613aa3d16de551e41450c43b9e595d417b245e48dd770f4c1aa529c

Download Submit
C:\Windows\{E56697F2-5E1B-4828-A0B9-33A45AA0A432}.exe

Filesize
344KB

MD5
4f60bbdb2f0d13c0b38086b66e3d8da6

SHA1
7722ba74a89dba47b66a8ccf9609fd480e531e56

SHA256
304e450cbc237012e36c7b6b7a8cab5c92c355e7d9194f457f7db045edfc29f4

SHA512
caa90d09ed912bdba66e379a33a5c14cb8a22bfa3f143caf2e930e29aa4040aeaf684f81c57c924469bec66a59827daf2c297f042610a6321db01c1bf480694f

Download Submit
C:\Windows\{ED60D3E6-BD05-4033-87DC-6151CCAF7DBA}.exe

Filesize
344KB

MD5
c0b3a91303926ae955d5efb3cbc0e92b

SHA1
a0ea6443d6cf16b6d07c6847f0449a7d9629f9cf

SHA256
e159648dd071ca4eb9072feddf4e741ee400e2e2ecf4c8a14441db211616ca6e

SHA512
9255ad5b366866e581c1028735298528e48ddca04c8eb1207fa089e4d185dc8574849e502b4245e66aea97b9c5b2628e041c8067534064ff79338e6fdb890731

Download Submit
C:\Windows\{F5C302C2-8A50-4040-9181-23287DD13C07}.exe

Filesize
344KB

MD5
f4d9e64804de446d26e63a44ed452791

SHA1
954a794b576e0254abbedc311e733bb942ff3856

SHA256
8f272cbf2c6fbd7d42415db903d816a5a7ce815bdcde70231572b27544e8113a

SHA512
0b2d8cb6152051e8c8773e3072c6471d7fce8d295cb95f59b4b10d90cf352b763e277089c8b2cda7fc9dea5a22adb14a0518cf75f58ba0df3e189bd0228a1767

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads