21dfc97c983daf57430a5c8829c64d0ce033e2fb9f081559a638cf3707be2a2f

Analysis

max time kernel
144s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
10/05/2024, 02:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-10_85fc9d379a3bd3f9924558b4e6597873_goldeneye.exe
Size

408KB
MD5

85fc9d379a3bd3f9924558b4e6597873
SHA1

211e2ac8635e8a24bda501fd31544e78acb388e3
SHA256

21dfc97c983daf57430a5c8829c64d0ce033e2fb9f081559a638cf3707be2a2f
SHA512

e72593d77d4e19258f9c6f6882efe6c32374df6883b44a7ac2cdf0c0b75cb3a780c5bd91abea2137603d50773ef3d2e6cf087db98d2d0780e60c3638a517827d
SSDEEP

3072:CEGh0o+l3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBft:CEGoldOe2MUVg3vTeKcAEciTBqr3jy9

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000d000000014698-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000015264-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f00000000f680-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e000000014698-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001000000000f680-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f000000014698-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000015364-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00070000000155d4-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00070000000155d9-60.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00080000000155d4-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00080000000155d9-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BEA420CF-886E-492b-9CA5-21D402E93C5B}	{FD94EB01-7C38-47eb-B76A-AFA9A3744DF8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{73236C0C-9362-4713-A1F1-346FA2A2652B}\stubpath = "C:\\Windows\\{73236C0C-9362-4713-A1F1-346FA2A2652B}.exe"	{BEA420CF-886E-492b-9CA5-21D402E93C5B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1C040FAD-21F5-4e6c-B8AB-839F581BBA73}\stubpath = "C:\\Windows\\{1C040FAD-21F5-4e6c-B8AB-839F581BBA73}.exe"	{3E82B54A-DC3C-43f1-8BC6-72B1D7C6E2A5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C94DD1BB-6895-4875-847B-0A7062D5D608}\stubpath = "C:\\Windows\\{C94DD1BB-6895-4875-847B-0A7062D5D608}.exe"	{1C040FAD-21F5-4e6c-B8AB-839F581BBA73}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FD94EB01-7C38-47eb-B76A-AFA9A3744DF8}	{870BF621-E5B7-4bdb-BD7B-240515E8647F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FD94EB01-7C38-47eb-B76A-AFA9A3744DF8}\stubpath = "C:\\Windows\\{FD94EB01-7C38-47eb-B76A-AFA9A3744DF8}.exe"	{870BF621-E5B7-4bdb-BD7B-240515E8647F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3E82B54A-DC3C-43f1-8BC6-72B1D7C6E2A5}	{73236C0C-9362-4713-A1F1-346FA2A2652B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1C040FAD-21F5-4e6c-B8AB-839F581BBA73}	{3E82B54A-DC3C-43f1-8BC6-72B1D7C6E2A5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B07475E7-0775-4b0f-A211-E1A179427B60}	{7E2F9F07-DD1C-4dd7-B09F-EA0CD80B5FEA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{870BF621-E5B7-4bdb-BD7B-240515E8647F}	{619DCCB5-F1A1-4753-B68E-FC4D50AF0E0E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{870BF621-E5B7-4bdb-BD7B-240515E8647F}\stubpath = "C:\\Windows\\{870BF621-E5B7-4bdb-BD7B-240515E8647F}.exe"	{619DCCB5-F1A1-4753-B68E-FC4D50AF0E0E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BEA420CF-886E-492b-9CA5-21D402E93C5B}\stubpath = "C:\\Windows\\{BEA420CF-886E-492b-9CA5-21D402E93C5B}.exe"	{FD94EB01-7C38-47eb-B76A-AFA9A3744DF8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B07475E7-0775-4b0f-A211-E1A179427B60}\stubpath = "C:\\Windows\\{B07475E7-0775-4b0f-A211-E1A179427B60}.exe"	{7E2F9F07-DD1C-4dd7-B09F-EA0CD80B5FEA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0E0AF1FC-383C-4b1c-84D9-26C13120D208}	{B07475E7-0775-4b0f-A211-E1A179427B60}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0E0AF1FC-383C-4b1c-84D9-26C13120D208}\stubpath = "C:\\Windows\\{0E0AF1FC-383C-4b1c-84D9-26C13120D208}.exe"	{B07475E7-0775-4b0f-A211-E1A179427B60}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{619DCCB5-F1A1-4753-B68E-FC4D50AF0E0E}\stubpath = "C:\\Windows\\{619DCCB5-F1A1-4753-B68E-FC4D50AF0E0E}.exe"	2024-05-10_85fc9d379a3bd3f9924558b4e6597873_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{73236C0C-9362-4713-A1F1-346FA2A2652B}	{BEA420CF-886E-492b-9CA5-21D402E93C5B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3E82B54A-DC3C-43f1-8BC6-72B1D7C6E2A5}\stubpath = "C:\\Windows\\{3E82B54A-DC3C-43f1-8BC6-72B1D7C6E2A5}.exe"	{73236C0C-9362-4713-A1F1-346FA2A2652B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C94DD1BB-6895-4875-847B-0A7062D5D608}	{1C040FAD-21F5-4e6c-B8AB-839F581BBA73}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7E2F9F07-DD1C-4dd7-B09F-EA0CD80B5FEA}	{C94DD1BB-6895-4875-847B-0A7062D5D608}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7E2F9F07-DD1C-4dd7-B09F-EA0CD80B5FEA}\stubpath = "C:\\Windows\\{7E2F9F07-DD1C-4dd7-B09F-EA0CD80B5FEA}.exe"	{C94DD1BB-6895-4875-847B-0A7062D5D608}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{619DCCB5-F1A1-4753-B68E-FC4D50AF0E0E}	2024-05-10_85fc9d379a3bd3f9924558b4e6597873_goldeneye.exe

Deletes itself 1 IoCs

pid	Process
3024	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2552	{619DCCB5-F1A1-4753-B68E-FC4D50AF0E0E}.exe
2392	{870BF621-E5B7-4bdb-BD7B-240515E8647F}.exe
2384	{FD94EB01-7C38-47eb-B76A-AFA9A3744DF8}.exe
240	{BEA420CF-886E-492b-9CA5-21D402E93C5B}.exe
1928	{73236C0C-9362-4713-A1F1-346FA2A2652B}.exe
2540	{3E82B54A-DC3C-43f1-8BC6-72B1D7C6E2A5}.exe
1912	{1C040FAD-21F5-4e6c-B8AB-839F581BBA73}.exe
1088	{C94DD1BB-6895-4875-847B-0A7062D5D608}.exe
764	{7E2F9F07-DD1C-4dd7-B09F-EA0CD80B5FEA}.exe
2972	{B07475E7-0775-4b0f-A211-E1A179427B60}.exe
2172	{0E0AF1FC-383C-4b1c-84D9-26C13120D208}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{619DCCB5-F1A1-4753-B68E-FC4D50AF0E0E}.exe	2024-05-10_85fc9d379a3bd3f9924558b4e6597873_goldeneye.exe
File created	C:\Windows\{870BF621-E5B7-4bdb-BD7B-240515E8647F}.exe	{619DCCB5-F1A1-4753-B68E-FC4D50AF0E0E}.exe
File created	C:\Windows\{FD94EB01-7C38-47eb-B76A-AFA9A3744DF8}.exe	{870BF621-E5B7-4bdb-BD7B-240515E8647F}.exe
File created	C:\Windows\{BEA420CF-886E-492b-9CA5-21D402E93C5B}.exe	{FD94EB01-7C38-47eb-B76A-AFA9A3744DF8}.exe
File created	C:\Windows\{73236C0C-9362-4713-A1F1-346FA2A2652B}.exe	{BEA420CF-886E-492b-9CA5-21D402E93C5B}.exe
File created	C:\Windows\{3E82B54A-DC3C-43f1-8BC6-72B1D7C6E2A5}.exe	{73236C0C-9362-4713-A1F1-346FA2A2652B}.exe
File created	C:\Windows\{1C040FAD-21F5-4e6c-B8AB-839F581BBA73}.exe	{3E82B54A-DC3C-43f1-8BC6-72B1D7C6E2A5}.exe
File created	C:\Windows\{B07475E7-0775-4b0f-A211-E1A179427B60}.exe	{7E2F9F07-DD1C-4dd7-B09F-EA0CD80B5FEA}.exe
File created	C:\Windows\{0E0AF1FC-383C-4b1c-84D9-26C13120D208}.exe	{B07475E7-0775-4b0f-A211-E1A179427B60}.exe
File created	C:\Windows\{C94DD1BB-6895-4875-847B-0A7062D5D608}.exe	{1C040FAD-21F5-4e6c-B8AB-839F581BBA73}.exe
File created	C:\Windows\{7E2F9F07-DD1C-4dd7-B09F-EA0CD80B5FEA}.exe	{C94DD1BB-6895-4875-847B-0A7062D5D608}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2860	2024-05-10_85fc9d379a3bd3f9924558b4e6597873_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2552	{619DCCB5-F1A1-4753-B68E-FC4D50AF0E0E}.exe
Token: SeIncBasePriorityPrivilege	2392	{870BF621-E5B7-4bdb-BD7B-240515E8647F}.exe
Token: SeIncBasePriorityPrivilege	2384	{FD94EB01-7C38-47eb-B76A-AFA9A3744DF8}.exe
Token: SeIncBasePriorityPrivilege	240	{BEA420CF-886E-492b-9CA5-21D402E93C5B}.exe
Token: SeIncBasePriorityPrivilege	1928	{73236C0C-9362-4713-A1F1-346FA2A2652B}.exe
Token: SeIncBasePriorityPrivilege	2540	{3E82B54A-DC3C-43f1-8BC6-72B1D7C6E2A5}.exe
Token: SeIncBasePriorityPrivilege	1912	{1C040FAD-21F5-4e6c-B8AB-839F581BBA73}.exe
Token: SeIncBasePriorityPrivilege	1088	{C94DD1BB-6895-4875-847B-0A7062D5D608}.exe
Token: SeIncBasePriorityPrivilege	764	{7E2F9F07-DD1C-4dd7-B09F-EA0CD80B5FEA}.exe
Token: SeIncBasePriorityPrivilege	2972	{B07475E7-0775-4b0f-A211-E1A179427B60}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2860 wrote to memory of 2552	2860	2024-05-10_85fc9d379a3bd3f9924558b4e6597873_goldeneye.exe	28
PID 2860 wrote to memory of 2552	2860	2024-05-10_85fc9d379a3bd3f9924558b4e6597873_goldeneye.exe	28
PID 2860 wrote to memory of 2552	2860	2024-05-10_85fc9d379a3bd3f9924558b4e6597873_goldeneye.exe	28
PID 2860 wrote to memory of 2552	2860	2024-05-10_85fc9d379a3bd3f9924558b4e6597873_goldeneye.exe	28
PID 2860 wrote to memory of 3024	2860	2024-05-10_85fc9d379a3bd3f9924558b4e6597873_goldeneye.exe	29
PID 2860 wrote to memory of 3024	2860	2024-05-10_85fc9d379a3bd3f9924558b4e6597873_goldeneye.exe	29
PID 2860 wrote to memory of 3024	2860	2024-05-10_85fc9d379a3bd3f9924558b4e6597873_goldeneye.exe	29
PID 2860 wrote to memory of 3024	2860	2024-05-10_85fc9d379a3bd3f9924558b4e6597873_goldeneye.exe	29
PID 2552 wrote to memory of 2392	2552	{619DCCB5-F1A1-4753-B68E-FC4D50AF0E0E}.exe	32
PID 2552 wrote to memory of 2392	2552	{619DCCB5-F1A1-4753-B68E-FC4D50AF0E0E}.exe	32
PID 2552 wrote to memory of 2392	2552	{619DCCB5-F1A1-4753-B68E-FC4D50AF0E0E}.exe	32
PID 2552 wrote to memory of 2392	2552	{619DCCB5-F1A1-4753-B68E-FC4D50AF0E0E}.exe	32
PID 2552 wrote to memory of 2404	2552	{619DCCB5-F1A1-4753-B68E-FC4D50AF0E0E}.exe	33
PID 2552 wrote to memory of 2404	2552	{619DCCB5-F1A1-4753-B68E-FC4D50AF0E0E}.exe	33
PID 2552 wrote to memory of 2404	2552	{619DCCB5-F1A1-4753-B68E-FC4D50AF0E0E}.exe	33
PID 2552 wrote to memory of 2404	2552	{619DCCB5-F1A1-4753-B68E-FC4D50AF0E0E}.exe	33
PID 2392 wrote to memory of 2384	2392	{870BF621-E5B7-4bdb-BD7B-240515E8647F}.exe	34
PID 2392 wrote to memory of 2384	2392	{870BF621-E5B7-4bdb-BD7B-240515E8647F}.exe	34
PID 2392 wrote to memory of 2384	2392	{870BF621-E5B7-4bdb-BD7B-240515E8647F}.exe	34
PID 2392 wrote to memory of 2384	2392	{870BF621-E5B7-4bdb-BD7B-240515E8647F}.exe	34
PID 2392 wrote to memory of 2484	2392	{870BF621-E5B7-4bdb-BD7B-240515E8647F}.exe	35
PID 2392 wrote to memory of 2484	2392	{870BF621-E5B7-4bdb-BD7B-240515E8647F}.exe	35
PID 2392 wrote to memory of 2484	2392	{870BF621-E5B7-4bdb-BD7B-240515E8647F}.exe	35
PID 2392 wrote to memory of 2484	2392	{870BF621-E5B7-4bdb-BD7B-240515E8647F}.exe	35
PID 2384 wrote to memory of 240	2384	{FD94EB01-7C38-47eb-B76A-AFA9A3744DF8}.exe	36
PID 2384 wrote to memory of 240	2384	{FD94EB01-7C38-47eb-B76A-AFA9A3744DF8}.exe	36
PID 2384 wrote to memory of 240	2384	{FD94EB01-7C38-47eb-B76A-AFA9A3744DF8}.exe	36
PID 2384 wrote to memory of 240	2384	{FD94EB01-7C38-47eb-B76A-AFA9A3744DF8}.exe	36
PID 2384 wrote to memory of 1396	2384	{FD94EB01-7C38-47eb-B76A-AFA9A3744DF8}.exe	37
PID 2384 wrote to memory of 1396	2384	{FD94EB01-7C38-47eb-B76A-AFA9A3744DF8}.exe	37
PID 2384 wrote to memory of 1396	2384	{FD94EB01-7C38-47eb-B76A-AFA9A3744DF8}.exe	37
PID 2384 wrote to memory of 1396	2384	{FD94EB01-7C38-47eb-B76A-AFA9A3744DF8}.exe	37
PID 240 wrote to memory of 1928	240	{BEA420CF-886E-492b-9CA5-21D402E93C5B}.exe	38
PID 240 wrote to memory of 1928	240	{BEA420CF-886E-492b-9CA5-21D402E93C5B}.exe	38
PID 240 wrote to memory of 1928	240	{BEA420CF-886E-492b-9CA5-21D402E93C5B}.exe	38
PID 240 wrote to memory of 1928	240	{BEA420CF-886E-492b-9CA5-21D402E93C5B}.exe	38
PID 240 wrote to memory of 1200	240	{BEA420CF-886E-492b-9CA5-21D402E93C5B}.exe	39
PID 240 wrote to memory of 1200	240	{BEA420CF-886E-492b-9CA5-21D402E93C5B}.exe	39
PID 240 wrote to memory of 1200	240	{BEA420CF-886E-492b-9CA5-21D402E93C5B}.exe	39
PID 240 wrote to memory of 1200	240	{BEA420CF-886E-492b-9CA5-21D402E93C5B}.exe	39
PID 1928 wrote to memory of 2540	1928	{73236C0C-9362-4713-A1F1-346FA2A2652B}.exe	40
PID 1928 wrote to memory of 2540	1928	{73236C0C-9362-4713-A1F1-346FA2A2652B}.exe	40
PID 1928 wrote to memory of 2540	1928	{73236C0C-9362-4713-A1F1-346FA2A2652B}.exe	40
PID 1928 wrote to memory of 2540	1928	{73236C0C-9362-4713-A1F1-346FA2A2652B}.exe	40
PID 1928 wrote to memory of 2760	1928	{73236C0C-9362-4713-A1F1-346FA2A2652B}.exe	41
PID 1928 wrote to memory of 2760	1928	{73236C0C-9362-4713-A1F1-346FA2A2652B}.exe	41
PID 1928 wrote to memory of 2760	1928	{73236C0C-9362-4713-A1F1-346FA2A2652B}.exe	41
PID 1928 wrote to memory of 2760	1928	{73236C0C-9362-4713-A1F1-346FA2A2652B}.exe	41
PID 2540 wrote to memory of 1912	2540	{3E82B54A-DC3C-43f1-8BC6-72B1D7C6E2A5}.exe	42
PID 2540 wrote to memory of 1912	2540	{3E82B54A-DC3C-43f1-8BC6-72B1D7C6E2A5}.exe	42
PID 2540 wrote to memory of 1912	2540	{3E82B54A-DC3C-43f1-8BC6-72B1D7C6E2A5}.exe	42
PID 2540 wrote to memory of 1912	2540	{3E82B54A-DC3C-43f1-8BC6-72B1D7C6E2A5}.exe	42
PID 2540 wrote to memory of 1800	2540	{3E82B54A-DC3C-43f1-8BC6-72B1D7C6E2A5}.exe	43
PID 2540 wrote to memory of 1800	2540	{3E82B54A-DC3C-43f1-8BC6-72B1D7C6E2A5}.exe	43
PID 2540 wrote to memory of 1800	2540	{3E82B54A-DC3C-43f1-8BC6-72B1D7C6E2A5}.exe	43
PID 2540 wrote to memory of 1800	2540	{3E82B54A-DC3C-43f1-8BC6-72B1D7C6E2A5}.exe	43
PID 1912 wrote to memory of 1088	1912	{1C040FAD-21F5-4e6c-B8AB-839F581BBA73}.exe	44
PID 1912 wrote to memory of 1088	1912	{1C040FAD-21F5-4e6c-B8AB-839F581BBA73}.exe	44
PID 1912 wrote to memory of 1088	1912	{1C040FAD-21F5-4e6c-B8AB-839F581BBA73}.exe	44
PID 1912 wrote to memory of 1088	1912	{1C040FAD-21F5-4e6c-B8AB-839F581BBA73}.exe	44
PID 1912 wrote to memory of 1972	1912	{1C040FAD-21F5-4e6c-B8AB-839F581BBA73}.exe	45
PID 1912 wrote to memory of 1972	1912	{1C040FAD-21F5-4e6c-B8AB-839F581BBA73}.exe	45
PID 1912 wrote to memory of 1972	1912	{1C040FAD-21F5-4e6c-B8AB-839F581BBA73}.exe	45
PID 1912 wrote to memory of 1972	1912	{1C040FAD-21F5-4e6c-B8AB-839F581BBA73}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-05-10_85fc9d379a3bd3f9924558b4e6597873_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-10_85fc9d379a3bd3f9924558b4e6597873_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2860
- C:\Windows\{619DCCB5-F1A1-4753-B68E-FC4D50AF0E0E}.exe
  C:\Windows\{619DCCB5-F1A1-4753-B68E-FC4D50AF0E0E}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2552
- - C:\Windows\{870BF621-E5B7-4bdb-BD7B-240515E8647F}.exe
    C:\Windows\{870BF621-E5B7-4bdb-BD7B-240515E8647F}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2392
  - - C:\Windows\{FD94EB01-7C38-47eb-B76A-AFA9A3744DF8}.exe
      C:\Windows\{FD94EB01-7C38-47eb-B76A-AFA9A3744DF8}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2384
    - - C:\Windows\{BEA420CF-886E-492b-9CA5-21D402E93C5B}.exe
        
        C:\Windows\{BEA420CF-886E-492b-9CA5-21D402E93C5B}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:240
      - C:\Windows\{73236C0C-9362-4713-A1F1-346FA2A2652B}.exe
        
        C:\Windows\{73236C0C-9362-4713-A1F1-346FA2A2652B}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1928
        
        C:\Windows\{3E82B54A-DC3C-43f1-8BC6-72B1D7C6E2A5}.exe
        
        C:\Windows\{3E82B54A-DC3C-43f1-8BC6-72B1D7C6E2A5}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2540
        
        C:\Windows\{1C040FAD-21F5-4e6c-B8AB-839F581BBA73}.exe
        
        C:\Windows\{1C040FAD-21F5-4e6c-B8AB-839F581BBA73}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1912
        
        C:\Windows\{C94DD1BB-6895-4875-847B-0A7062D5D608}.exe
        
        C:\Windows\{C94DD1BB-6895-4875-847B-0A7062D5D608}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1088
        
        C:\Windows\{7E2F9F07-DD1C-4dd7-B09F-EA0CD80B5FEA}.exe
        
        C:\Windows\{7E2F9F07-DD1C-4dd7-B09F-EA0CD80B5FEA}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:764
        
        C:\Windows\{B07475E7-0775-4b0f-A211-E1A179427B60}.exe
        
        C:\Windows\{B07475E7-0775-4b0f-A211-E1A179427B60}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2972
        
        C:\Windows\{0E0AF1FC-383C-4b1c-84D9-26C13120D208}.exe
        
        C:\Windows\{0E0AF1FC-383C-4b1c-84D9-26C13120D208}.exe
        12⤵
        Executes dropped EXE
        
        PID:2172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B0747~1.EXE > nul
        12⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7E2F9~1.EXE > nul
        11⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C94DD~1.EXE > nul
        10⤵
        
        PID:896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1C040~1.EXE > nul
        9⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3E82B~1.EXE > nul
        8⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{73236~1.EXE > nul
        7⤵
        
        PID:2760
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BEA42~1.EXE > nul
        6⤵
        
        PID:1200
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FD94E~1.EXE > nul
        5⤵
        
        PID:1396
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{870BF~1.EXE > nul
      4⤵
      PID:2484
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{619DC~1.EXE > nul
    3⤵
    PID:2404
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:3024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0E0AF1FC-383C-4b1c-84D9-26C13120D208}.exe

Filesize
408KB

MD5
1be5abc3bdea110dc81a30bea607129e

SHA1
29db8d0287502fb6e4cfc819b31ac239aea1f2b5

SHA256
0d4cfd6f783ebddba218b2b27c8696baa6692eacb4f74718a243ded557cc8ad1

SHA512
3293172f89fa4b4c121d762ec0a2a15c38b5b8e2db516cf2541521aa9acec0701342d6ccebaed1d3946adb4c6b448cc84fd7e4f203e7b52864d7f033d8fcd625

Download Submit
C:\Windows\{1C040FAD-21F5-4e6c-B8AB-839F581BBA73}.exe

Filesize
408KB

MD5
21d2d4997c0af51ea1cd44d09be4b790

SHA1
93ac5b4b19f13a560d58e116e196e1bd60bbd986

SHA256
3ddb6463c4d4950a5da947c3d22ade2869e8325b8ed38bd6a7f48631c9d9a9ab

SHA512
d6228535a07448c03bee46fc1863536e7818164d8fd31fae4aa249c7afab43680c722d08c7ea2de24873b019c14d7d421c1c9c8acbafee11d5eb0cfc4509ef5e

Download Submit
C:\Windows\{3E82B54A-DC3C-43f1-8BC6-72B1D7C6E2A5}.exe

Filesize
408KB

MD5
467cdca998ba614888199218918b8a5b

SHA1
5838abf11f48c7883df8906977487c32a013f4ed

SHA256
c2ff25d55bc33bf85b9016a3191886c6b75c95276e46efa86dd59f7de93a219b

SHA512
dc01eebb417f7adb1281899b568f12a9ac15229f5f31f7afdf9af77e6dcc9fbf03686fb586d8dc97c7152118c57692dd68448a99910e0eb511cb3650bf7081ae

Download Submit
C:\Windows\{619DCCB5-F1A1-4753-B68E-FC4D50AF0E0E}.exe

Filesize
408KB

MD5
ea0bb7275774325c96fc43cdea0ed469

SHA1
6e64e3916bc59e59c1cd983bafec03851e7e6500

SHA256
9bc9b57649147a1d69fba7da9efe02ac2853f2270a8ac3a4adc14a0034fc6643

SHA512
6fcf1b53a5bb4d45b2acd9eac69e01dc6b0b23e3ba1b5f8e8f48f56883e5238538857b891841a2c9b66f0668d1c289cf5bd8e73e9e10b72d147755e587204db9

Download Submit
C:\Windows\{73236C0C-9362-4713-A1F1-346FA2A2652B}.exe

Filesize
408KB

MD5
00591e008d6a02fcc549154645431f04

SHA1
f00544a464a003c438152a6a61a6f4fba3a818e7

SHA256
e17c54bd8e6c0727532ef29ce34c5ed30ed7b8032b976b1c606231ecdf12707e

SHA512
93704d185124bbb009cac618a0f5ac2c539c3c6249234c0cfb34d0481c81bd8519296b15644fcc3cd4114412a45970683738e4338b891cfa2c4ed954b0c75712

Download Submit
C:\Windows\{7E2F9F07-DD1C-4dd7-B09F-EA0CD80B5FEA}.exe

Filesize
408KB

MD5
3c031e8969834991bc8114f635cbf12a

SHA1
59d8e7b5ed21e6b7b4b971d070f7939c338c2e02

SHA256
deed9da0b616c1c8065878fe8c20c4e714517a5dd6a869260b708f79f9625a43

SHA512
4b292de5f715ff4ce4a916e704a230f616410ddb94394d8fb3386d4b71f314ad696c35bc3310fbfcd928ed718e01cd42812fb508e80b5f134bf1721bdb598754

Download Submit
C:\Windows\{870BF621-E5B7-4bdb-BD7B-240515E8647F}.exe

Filesize
408KB

MD5
9eda1b752285baefaddd1ed9848d82b2

SHA1
bfe1c73d244d4856c8f5146f9423dd7c0be18471

SHA256
378a5e2698f9413033a7fe7825f93b94d4349136420b42b0dc4ef58c3905dcd2

SHA512
70a7b8ec9c5d1912e6fb9a8d25b471554803b82193fc12c883f02ff91d09631eb36086545e5951936d95971e3ba1ba5703f6c31d32f3ea36cce9182c9862a05d

Download Submit
C:\Windows\{B07475E7-0775-4b0f-A211-E1A179427B60}.exe

Filesize
408KB

MD5
9daf09e2d30f1808601804daff83ca6d

SHA1
66d8f69f00b33fecee50f12fee5c29546653e5f6

SHA256
6f8d42aa981af1f51c103f6b4a4d3af270a2fff97300d09af770aae68a4cb3d1

SHA512
b208937bdd50e7b2735ee4f672f2baa285cc170d7c3f649378058af2e33211c14b29819a7bf1eab30d6cb3e488a79418f2eb64e78fd95d04ee15d81ebce39bc3

Download Submit
C:\Windows\{BEA420CF-886E-492b-9CA5-21D402E93C5B}.exe

Filesize
408KB

MD5
f74e543e42010328a1c7a7c728133374

SHA1
72a1fa06ed27b63ce7c8229b34e277672c256550

SHA256
692495e6b580ef142b69cb9e824156740ac49e66ea8c054b01424132728bad78

SHA512
38d69fc77fc13e5b2f257c77fe686eff58f114fa29cb83f33666e7d60aa1d84ba6e562e7a58bd281ecf11f48b19b9817b25aa346631871210f844f5d77530d4f

Download Submit
C:\Windows\{C94DD1BB-6895-4875-847B-0A7062D5D608}.exe

Filesize
408KB

MD5
4ed5658d763bbe55772aeea8e012e1ba

SHA1
0f21c66b6cfd7d4333aa08ddba986caae79cb075

SHA256
002cf47c6f0bb06704722c71d40ca4f9b7b39de09fe68ea5e2049bd2a9515f74

SHA512
41a352e7d40ea808c25eec8515b8fd317d7a89eae3001322802e43de7bafdf5a395df7b4b543afea863d69a54a6b691196e9ce06a53ce175cbb066cd0ad95af7

Download Submit
C:\Windows\{FD94EB01-7C38-47eb-B76A-AFA9A3744DF8}.exe

Filesize
408KB

MD5
73ec3a32832a8ac78cd73c3e75894bf3

SHA1
2883370fe58b2d982be77b27241d09aee72cbacc

SHA256
8bd4efea893be81b58bf00fe68ca287f416b6935477c8e880d736206c4b1ea20

SHA512
918e12282e445d351349ff7760664066ea475403642272fb9297825c535ec5d8d66022303aa9a5f52558b85c9879b0f49b454e9187049ba177a6fc63048b1feb

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads