d843e9f6b4cae0a85b216e0138d8d190e98d329b138e9d2719abfc501fd456e0

Analysis

max time kernel
144s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
10/05/2024, 03:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-10_594102273ce136c3eea9ab11c0ff1d4f_goldeneye.exe
Size

344KB
MD5

594102273ce136c3eea9ab11c0ff1d4f
SHA1

828465de7de4a6963053c42588c1e3f019987958
SHA256

d843e9f6b4cae0a85b216e0138d8d190e98d329b138e9d2719abfc501fd456e0
SHA512

d654da8eb6eec82e1c7f09910c47243849bcbf1dc32b3a9bd708d49ea8be87101e02611d8f6887eec0e15c26a5a846bb250337f9f2537122cd642b5e99b4c1d4
SSDEEP

3072:mEGh0oOlEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGklqOe2MUVg3v2IneKcAEcA

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000b000000014b27-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0036000000015653-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000014b27-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000014b27-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e000000014b27-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f000000014b27-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0010000000014b27-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E3D09A43-D66A-45c7-9F37-C70579C41D40}	{5538FC73-B7C1-4d10-A37C-1A2A224708AE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5E1D44FD-4C53-44e2-A1D2-F67757D244A4}	{957BAAA1-60F6-4c8a-9D30-5200049355D5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9A4DDCBD-2A04-49dc-86CF-B6845B7E96FC}\stubpath = "C:\\Windows\\{9A4DDCBD-2A04-49dc-86CF-B6845B7E96FC}.exe"	{896AD305-824F-41f7-BC90-FF2613494CB6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DED4612B-A326-4914-B351-E5EF18D260FE}\stubpath = "C:\\Windows\\{DED4612B-A326-4914-B351-E5EF18D260FE}.exe"	{B5564243-650E-4793-9EC4-9387D0E5B865}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A7087EB1-6C39-4a44-A1A1-7A92F7B30995}\stubpath = "C:\\Windows\\{A7087EB1-6C39-4a44-A1A1-7A92F7B30995}.exe"	2024-05-10_594102273ce136c3eea9ab11c0ff1d4f_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0A70A85A-2F43-4284-9249-9016CB23B62E}	{A7087EB1-6C39-4a44-A1A1-7A92F7B30995}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{957BAAA1-60F6-4c8a-9D30-5200049355D5}	{E3D09A43-D66A-45c7-9F37-C70579C41D40}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B5564243-650E-4793-9EC4-9387D0E5B865}	{57B4913D-3730-487a-9ADF-6DD50DD02C84}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B5564243-650E-4793-9EC4-9387D0E5B865}\stubpath = "C:\\Windows\\{B5564243-650E-4793-9EC4-9387D0E5B865}.exe"	{57B4913D-3730-487a-9ADF-6DD50DD02C84}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A7087EB1-6C39-4a44-A1A1-7A92F7B30995}	2024-05-10_594102273ce136c3eea9ab11c0ff1d4f_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5538FC73-B7C1-4d10-A37C-1A2A224708AE}\stubpath = "C:\\Windows\\{5538FC73-B7C1-4d10-A37C-1A2A224708AE}.exe"	{0A70A85A-2F43-4284-9249-9016CB23B62E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{957BAAA1-60F6-4c8a-9D30-5200049355D5}\stubpath = "C:\\Windows\\{957BAAA1-60F6-4c8a-9D30-5200049355D5}.exe"	{E3D09A43-D66A-45c7-9F37-C70579C41D40}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5E1D44FD-4C53-44e2-A1D2-F67757D244A4}\stubpath = "C:\\Windows\\{5E1D44FD-4C53-44e2-A1D2-F67757D244A4}.exe"	{957BAAA1-60F6-4c8a-9D30-5200049355D5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9A4DDCBD-2A04-49dc-86CF-B6845B7E96FC}	{896AD305-824F-41f7-BC90-FF2613494CB6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DED4612B-A326-4914-B351-E5EF18D260FE}	{B5564243-650E-4793-9EC4-9387D0E5B865}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0A70A85A-2F43-4284-9249-9016CB23B62E}\stubpath = "C:\\Windows\\{0A70A85A-2F43-4284-9249-9016CB23B62E}.exe"	{A7087EB1-6C39-4a44-A1A1-7A92F7B30995}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5538FC73-B7C1-4d10-A37C-1A2A224708AE}	{0A70A85A-2F43-4284-9249-9016CB23B62E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E3D09A43-D66A-45c7-9F37-C70579C41D40}\stubpath = "C:\\Windows\\{E3D09A43-D66A-45c7-9F37-C70579C41D40}.exe"	{5538FC73-B7C1-4d10-A37C-1A2A224708AE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{896AD305-824F-41f7-BC90-FF2613494CB6}	{5E1D44FD-4C53-44e2-A1D2-F67757D244A4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{896AD305-824F-41f7-BC90-FF2613494CB6}\stubpath = "C:\\Windows\\{896AD305-824F-41f7-BC90-FF2613494CB6}.exe"	{5E1D44FD-4C53-44e2-A1D2-F67757D244A4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{57B4913D-3730-487a-9ADF-6DD50DD02C84}	{9A4DDCBD-2A04-49dc-86CF-B6845B7E96FC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{57B4913D-3730-487a-9ADF-6DD50DD02C84}\stubpath = "C:\\Windows\\{57B4913D-3730-487a-9ADF-6DD50DD02C84}.exe"	{9A4DDCBD-2A04-49dc-86CF-B6845B7E96FC}.exe

Deletes itself 1 IoCs

pid	Process
2532	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
1064	{A7087EB1-6C39-4a44-A1A1-7A92F7B30995}.exe
2852	{0A70A85A-2F43-4284-9249-9016CB23B62E}.exe
2476	{5538FC73-B7C1-4d10-A37C-1A2A224708AE}.exe
2228	{E3D09A43-D66A-45c7-9F37-C70579C41D40}.exe
2792	{957BAAA1-60F6-4c8a-9D30-5200049355D5}.exe
1536	{5E1D44FD-4C53-44e2-A1D2-F67757D244A4}.exe
1512	{896AD305-824F-41f7-BC90-FF2613494CB6}.exe
448	{9A4DDCBD-2A04-49dc-86CF-B6845B7E96FC}.exe
1312	{57B4913D-3730-487a-9ADF-6DD50DD02C84}.exe
2952	{B5564243-650E-4793-9EC4-9387D0E5B865}.exe
1988	{DED4612B-A326-4914-B351-E5EF18D260FE}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{57B4913D-3730-487a-9ADF-6DD50DD02C84}.exe	{9A4DDCBD-2A04-49dc-86CF-B6845B7E96FC}.exe
File created	C:\Windows\{B5564243-650E-4793-9EC4-9387D0E5B865}.exe	{57B4913D-3730-487a-9ADF-6DD50DD02C84}.exe
File created	C:\Windows\{E3D09A43-D66A-45c7-9F37-C70579C41D40}.exe	{5538FC73-B7C1-4d10-A37C-1A2A224708AE}.exe
File created	C:\Windows\{957BAAA1-60F6-4c8a-9D30-5200049355D5}.exe	{E3D09A43-D66A-45c7-9F37-C70579C41D40}.exe
File created	C:\Windows\{9A4DDCBD-2A04-49dc-86CF-B6845B7E96FC}.exe	{896AD305-824F-41f7-BC90-FF2613494CB6}.exe
File created	C:\Windows\{5E1D44FD-4C53-44e2-A1D2-F67757D244A4}.exe	{957BAAA1-60F6-4c8a-9D30-5200049355D5}.exe
File created	C:\Windows\{896AD305-824F-41f7-BC90-FF2613494CB6}.exe	{5E1D44FD-4C53-44e2-A1D2-F67757D244A4}.exe
File created	C:\Windows\{DED4612B-A326-4914-B351-E5EF18D260FE}.exe	{B5564243-650E-4793-9EC4-9387D0E5B865}.exe
File created	C:\Windows\{A7087EB1-6C39-4a44-A1A1-7A92F7B30995}.exe	2024-05-10_594102273ce136c3eea9ab11c0ff1d4f_goldeneye.exe
File created	C:\Windows\{0A70A85A-2F43-4284-9249-9016CB23B62E}.exe	{A7087EB1-6C39-4a44-A1A1-7A92F7B30995}.exe
File created	C:\Windows\{5538FC73-B7C1-4d10-A37C-1A2A224708AE}.exe	{0A70A85A-2F43-4284-9249-9016CB23B62E}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2128	2024-05-10_594102273ce136c3eea9ab11c0ff1d4f_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1064	{A7087EB1-6C39-4a44-A1A1-7A92F7B30995}.exe
Token: SeIncBasePriorityPrivilege	2852	{0A70A85A-2F43-4284-9249-9016CB23B62E}.exe
Token: SeIncBasePriorityPrivilege	2476	{5538FC73-B7C1-4d10-A37C-1A2A224708AE}.exe
Token: SeIncBasePriorityPrivilege	2228	{E3D09A43-D66A-45c7-9F37-C70579C41D40}.exe
Token: SeIncBasePriorityPrivilege	2792	{957BAAA1-60F6-4c8a-9D30-5200049355D5}.exe
Token: SeIncBasePriorityPrivilege	1536	{5E1D44FD-4C53-44e2-A1D2-F67757D244A4}.exe
Token: SeIncBasePriorityPrivilege	1512	{896AD305-824F-41f7-BC90-FF2613494CB6}.exe
Token: SeIncBasePriorityPrivilege	448	{9A4DDCBD-2A04-49dc-86CF-B6845B7E96FC}.exe
Token: SeIncBasePriorityPrivilege	1312	{57B4913D-3730-487a-9ADF-6DD50DD02C84}.exe
Token: SeIncBasePriorityPrivilege	2952	{B5564243-650E-4793-9EC4-9387D0E5B865}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2128 wrote to memory of 1064	2128	2024-05-10_594102273ce136c3eea9ab11c0ff1d4f_goldeneye.exe	28
PID 2128 wrote to memory of 1064	2128	2024-05-10_594102273ce136c3eea9ab11c0ff1d4f_goldeneye.exe	28
PID 2128 wrote to memory of 1064	2128	2024-05-10_594102273ce136c3eea9ab11c0ff1d4f_goldeneye.exe	28
PID 2128 wrote to memory of 1064	2128	2024-05-10_594102273ce136c3eea9ab11c0ff1d4f_goldeneye.exe	28
PID 2128 wrote to memory of 2532	2128	2024-05-10_594102273ce136c3eea9ab11c0ff1d4f_goldeneye.exe	29
PID 2128 wrote to memory of 2532	2128	2024-05-10_594102273ce136c3eea9ab11c0ff1d4f_goldeneye.exe	29
PID 2128 wrote to memory of 2532	2128	2024-05-10_594102273ce136c3eea9ab11c0ff1d4f_goldeneye.exe	29
PID 2128 wrote to memory of 2532	2128	2024-05-10_594102273ce136c3eea9ab11c0ff1d4f_goldeneye.exe	29
PID 1064 wrote to memory of 2852	1064	{A7087EB1-6C39-4a44-A1A1-7A92F7B30995}.exe	30
PID 1064 wrote to memory of 2852	1064	{A7087EB1-6C39-4a44-A1A1-7A92F7B30995}.exe	30
PID 1064 wrote to memory of 2852	1064	{A7087EB1-6C39-4a44-A1A1-7A92F7B30995}.exe	30
PID 1064 wrote to memory of 2852	1064	{A7087EB1-6C39-4a44-A1A1-7A92F7B30995}.exe	30
PID 1064 wrote to memory of 2840	1064	{A7087EB1-6C39-4a44-A1A1-7A92F7B30995}.exe	31
PID 1064 wrote to memory of 2840	1064	{A7087EB1-6C39-4a44-A1A1-7A92F7B30995}.exe	31
PID 1064 wrote to memory of 2840	1064	{A7087EB1-6C39-4a44-A1A1-7A92F7B30995}.exe	31
PID 1064 wrote to memory of 2840	1064	{A7087EB1-6C39-4a44-A1A1-7A92F7B30995}.exe	31
PID 2852 wrote to memory of 2476	2852	{0A70A85A-2F43-4284-9249-9016CB23B62E}.exe	32
PID 2852 wrote to memory of 2476	2852	{0A70A85A-2F43-4284-9249-9016CB23B62E}.exe	32
PID 2852 wrote to memory of 2476	2852	{0A70A85A-2F43-4284-9249-9016CB23B62E}.exe	32
PID 2852 wrote to memory of 2476	2852	{0A70A85A-2F43-4284-9249-9016CB23B62E}.exe	32
PID 2852 wrote to memory of 2468	2852	{0A70A85A-2F43-4284-9249-9016CB23B62E}.exe	33
PID 2852 wrote to memory of 2468	2852	{0A70A85A-2F43-4284-9249-9016CB23B62E}.exe	33
PID 2852 wrote to memory of 2468	2852	{0A70A85A-2F43-4284-9249-9016CB23B62E}.exe	33
PID 2852 wrote to memory of 2468	2852	{0A70A85A-2F43-4284-9249-9016CB23B62E}.exe	33
PID 2476 wrote to memory of 2228	2476	{5538FC73-B7C1-4d10-A37C-1A2A224708AE}.exe	36
PID 2476 wrote to memory of 2228	2476	{5538FC73-B7C1-4d10-A37C-1A2A224708AE}.exe	36
PID 2476 wrote to memory of 2228	2476	{5538FC73-B7C1-4d10-A37C-1A2A224708AE}.exe	36
PID 2476 wrote to memory of 2228	2476	{5538FC73-B7C1-4d10-A37C-1A2A224708AE}.exe	36
PID 2476 wrote to memory of 1644	2476	{5538FC73-B7C1-4d10-A37C-1A2A224708AE}.exe	37
PID 2476 wrote to memory of 1644	2476	{5538FC73-B7C1-4d10-A37C-1A2A224708AE}.exe	37
PID 2476 wrote to memory of 1644	2476	{5538FC73-B7C1-4d10-A37C-1A2A224708AE}.exe	37
PID 2476 wrote to memory of 1644	2476	{5538FC73-B7C1-4d10-A37C-1A2A224708AE}.exe	37
PID 2228 wrote to memory of 2792	2228	{E3D09A43-D66A-45c7-9F37-C70579C41D40}.exe	38
PID 2228 wrote to memory of 2792	2228	{E3D09A43-D66A-45c7-9F37-C70579C41D40}.exe	38
PID 2228 wrote to memory of 2792	2228	{E3D09A43-D66A-45c7-9F37-C70579C41D40}.exe	38
PID 2228 wrote to memory of 2792	2228	{E3D09A43-D66A-45c7-9F37-C70579C41D40}.exe	38
PID 2228 wrote to memory of 2808	2228	{E3D09A43-D66A-45c7-9F37-C70579C41D40}.exe	39
PID 2228 wrote to memory of 2808	2228	{E3D09A43-D66A-45c7-9F37-C70579C41D40}.exe	39
PID 2228 wrote to memory of 2808	2228	{E3D09A43-D66A-45c7-9F37-C70579C41D40}.exe	39
PID 2228 wrote to memory of 2808	2228	{E3D09A43-D66A-45c7-9F37-C70579C41D40}.exe	39
PID 2792 wrote to memory of 1536	2792	{957BAAA1-60F6-4c8a-9D30-5200049355D5}.exe	40
PID 2792 wrote to memory of 1536	2792	{957BAAA1-60F6-4c8a-9D30-5200049355D5}.exe	40
PID 2792 wrote to memory of 1536	2792	{957BAAA1-60F6-4c8a-9D30-5200049355D5}.exe	40
PID 2792 wrote to memory of 1536	2792	{957BAAA1-60F6-4c8a-9D30-5200049355D5}.exe	40
PID 2792 wrote to memory of 1628	2792	{957BAAA1-60F6-4c8a-9D30-5200049355D5}.exe	41
PID 2792 wrote to memory of 1628	2792	{957BAAA1-60F6-4c8a-9D30-5200049355D5}.exe	41
PID 2792 wrote to memory of 1628	2792	{957BAAA1-60F6-4c8a-9D30-5200049355D5}.exe	41
PID 2792 wrote to memory of 1628	2792	{957BAAA1-60F6-4c8a-9D30-5200049355D5}.exe	41
PID 1536 wrote to memory of 1512	1536	{5E1D44FD-4C53-44e2-A1D2-F67757D244A4}.exe	42
PID 1536 wrote to memory of 1512	1536	{5E1D44FD-4C53-44e2-A1D2-F67757D244A4}.exe	42
PID 1536 wrote to memory of 1512	1536	{5E1D44FD-4C53-44e2-A1D2-F67757D244A4}.exe	42
PID 1536 wrote to memory of 1512	1536	{5E1D44FD-4C53-44e2-A1D2-F67757D244A4}.exe	42
PID 1536 wrote to memory of 2416	1536	{5E1D44FD-4C53-44e2-A1D2-F67757D244A4}.exe	43
PID 1536 wrote to memory of 2416	1536	{5E1D44FD-4C53-44e2-A1D2-F67757D244A4}.exe	43
PID 1536 wrote to memory of 2416	1536	{5E1D44FD-4C53-44e2-A1D2-F67757D244A4}.exe	43
PID 1536 wrote to memory of 2416	1536	{5E1D44FD-4C53-44e2-A1D2-F67757D244A4}.exe	43
PID 1512 wrote to memory of 448	1512	{896AD305-824F-41f7-BC90-FF2613494CB6}.exe	44
PID 1512 wrote to memory of 448	1512	{896AD305-824F-41f7-BC90-FF2613494CB6}.exe	44
PID 1512 wrote to memory of 448	1512	{896AD305-824F-41f7-BC90-FF2613494CB6}.exe	44
PID 1512 wrote to memory of 448	1512	{896AD305-824F-41f7-BC90-FF2613494CB6}.exe	44
PID 1512 wrote to memory of 492	1512	{896AD305-824F-41f7-BC90-FF2613494CB6}.exe	45
PID 1512 wrote to memory of 492	1512	{896AD305-824F-41f7-BC90-FF2613494CB6}.exe	45
PID 1512 wrote to memory of 492	1512	{896AD305-824F-41f7-BC90-FF2613494CB6}.exe	45
PID 1512 wrote to memory of 492	1512	{896AD305-824F-41f7-BC90-FF2613494CB6}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-05-10_594102273ce136c3eea9ab11c0ff1d4f_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-10_594102273ce136c3eea9ab11c0ff1d4f_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2128
- C:\Windows\{A7087EB1-6C39-4a44-A1A1-7A92F7B30995}.exe
  C:\Windows\{A7087EB1-6C39-4a44-A1A1-7A92F7B30995}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1064
- - C:\Windows\{0A70A85A-2F43-4284-9249-9016CB23B62E}.exe
    C:\Windows\{0A70A85A-2F43-4284-9249-9016CB23B62E}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2852
  - - C:\Windows\{5538FC73-B7C1-4d10-A37C-1A2A224708AE}.exe
      C:\Windows\{5538FC73-B7C1-4d10-A37C-1A2A224708AE}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2476
    - - C:\Windows\{E3D09A43-D66A-45c7-9F37-C70579C41D40}.exe
        
        C:\Windows\{E3D09A43-D66A-45c7-9F37-C70579C41D40}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2228
      - C:\Windows\{957BAAA1-60F6-4c8a-9D30-5200049355D5}.exe
        
        C:\Windows\{957BAAA1-60F6-4c8a-9D30-5200049355D5}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2792
        
        C:\Windows\{5E1D44FD-4C53-44e2-A1D2-F67757D244A4}.exe
        
        C:\Windows\{5E1D44FD-4C53-44e2-A1D2-F67757D244A4}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1536
        
        C:\Windows\{896AD305-824F-41f7-BC90-FF2613494CB6}.exe
        
        C:\Windows\{896AD305-824F-41f7-BC90-FF2613494CB6}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1512
        
        C:\Windows\{9A4DDCBD-2A04-49dc-86CF-B6845B7E96FC}.exe
        
        C:\Windows\{9A4DDCBD-2A04-49dc-86CF-B6845B7E96FC}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:448
        
        C:\Windows\{57B4913D-3730-487a-9ADF-6DD50DD02C84}.exe
        
        C:\Windows\{57B4913D-3730-487a-9ADF-6DD50DD02C84}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1312
        
        C:\Windows\{B5564243-650E-4793-9EC4-9387D0E5B865}.exe
        
        C:\Windows\{B5564243-650E-4793-9EC4-9387D0E5B865}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2952
        
        C:\Windows\{DED4612B-A326-4914-B351-E5EF18D260FE}.exe
        
        C:\Windows\{DED4612B-A326-4914-B351-E5EF18D260FE}.exe
        12⤵
        Executes dropped EXE
        
        PID:1988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B5564~1.EXE > nul
        12⤵
        
        PID:1096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{57B49~1.EXE > nul
        11⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9A4DD~1.EXE > nul
        10⤵
        
        PID:1236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{896AD~1.EXE > nul
        9⤵
        
        PID:492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5E1D4~1.EXE > nul
        8⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{957BA~1.EXE > nul
        7⤵
        
        PID:1628
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E3D09~1.EXE > nul
        6⤵
        
        PID:2808
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5538F~1.EXE > nul
        5⤵
        
        PID:1644
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{0A70A~1.EXE > nul
      4⤵
      PID:2468
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{A7087~1.EXE > nul
    3⤵
    PID:2840
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0A70A85A-2F43-4284-9249-9016CB23B62E}.exe

Filesize
344KB

MD5
d8940e28d5bdca058244a4d40cfed7f2

SHA1
95f13508e70943430dfc384ed1fd619fcffdea1b

SHA256
311052c9965c1a2930e68ce426dd6c0a669c2552e3f5136e572e45ae9e432239

SHA512
9c8e3a0f7e7d525b3423ef59ad044c25ab64f5ba714d236ab21e20797c62866a8dfacf41f24ae2814710a7d0dba380ce3239dd52898bad97eeebf3f3ea00e0d0

Download Submit
C:\Windows\{5538FC73-B7C1-4d10-A37C-1A2A224708AE}.exe

Filesize
344KB

MD5
74a6770fc466d347be0c39d777ad31f4

SHA1
af7a9c8eb7e04a4f6934c920b3e9802d1c5d87da

SHA256
c8b30e09b2b1362c5257c5d092eec58d67de3db604b758d0a4cbe57a9a00abe0

SHA512
a0334352d10c23e07e04e59847bb50196886c13d4013bb1cb0d66f5d6142967c5246cff6e8ae50744073b6125e4a0508b311377873fa26bde860d4af59355420

Download Submit
C:\Windows\{57B4913D-3730-487a-9ADF-6DD50DD02C84}.exe

Filesize
344KB

MD5
724694ab1fa6453211335c9e7bfff3e2

SHA1
96c060a219555f92a814e89a8e5402532abadf1f

SHA256
e79cd59dcdce6e0059708c2aa8c9a03775dd18837feb561a2f17e91390eddc00

SHA512
5db5112db12719b7f96ffcbb4773c5bf10200237f016e95e9978f47857cce9852f0ab3f0fe88e4bab42a0b0a36a37fb333b9a2b70086c8799e1c116d9fe9cf30

Download Submit
C:\Windows\{5E1D44FD-4C53-44e2-A1D2-F67757D244A4}.exe

Filesize
344KB

MD5
38b1edf6494d52b2155459560a141735

SHA1
38b2a2b8f8049a2f5034968f1106c0299cc6289f

SHA256
cf86234a4c97b953c95cd0858cfc6b4f699e02561a9d584380b166348a0f7bf9

SHA512
e114ae6834a52b4626b8100915bbf2710d1c5e41a8f34e328a975e432f2fe82417db63e13390bc240f1b135f303146d5d2ad55f0c71a47d67e69d2d1100786db

Download Submit
C:\Windows\{896AD305-824F-41f7-BC90-FF2613494CB6}.exe

Filesize
344KB

MD5
91e55835594dff0c8790705914caf4c7

SHA1
5ae766330af6181f9e4e971eb089ce05e5908fb6

SHA256
4d391e8509cc47f312c33cc43bf717f14cce60ff2b039be11952edad8ac36322

SHA512
f913128591e1bc854456040d708f6139e2d4a3442816b962a559a412cb5f02da3ffd01b250c3cc72ec4e6d987eec9d6bd3e44f3621c6942305ed29ac2fd83cae

Download Submit
C:\Windows\{957BAAA1-60F6-4c8a-9D30-5200049355D5}.exe

Filesize
344KB

MD5
97052a65d715fca77bec59ed05cdcf77

SHA1
37cd7e8d9ea3a679127508e9dc61944e09389f13

SHA256
3095327d904dfc11b58e3a6d46d87742efa480f10e18980bb0e260addce6618b

SHA512
ba24a45e9c534fce274f250c3407c0cf451416b44e95bb6fee0318bf7dbae26a8fb62f8208627eabfb80573855a5305767cbd3c0f9956825d30f1a3677690d3a

Download Submit
C:\Windows\{9A4DDCBD-2A04-49dc-86CF-B6845B7E96FC}.exe

Filesize
344KB

MD5
dbbdc7d43bec0760283b6682928353ee

SHA1
dde19e553082cba8e3d5d51b7b6ed946f4329a83

SHA256
6f361ef10020d01bdbede30f942ccfc27595d7db4f998ffe7836d6388ec9fc14

SHA512
642c85ab16d22dc208fea19df81655322cde1fded083e7cff1ba66dfff40e511c70d3401afb380eea5ee495e46eea4a30f6dada80bb1c6d4fb69d8a05d80a0c0

Download Submit
C:\Windows\{A7087EB1-6C39-4a44-A1A1-7A92F7B30995}.exe

Filesize
344KB

MD5
a7e6c7050daddd5a51b13e545c667e20

SHA1
2bfe8cd60b7b9750af36f9ee817543ff8acb0a6d

SHA256
a359040d01bcf3bb30add13e4a15296f6574e04668ec3e1239bf969ed5f7c988

SHA512
4f74986223f13954695e052d1ca85aa951e3b45a79732e962593e57c1010efd4a31afc60bcafcb56cbeef02f940992b2a42af61a5c391a59b1534238d647d09d

Download Submit
C:\Windows\{B5564243-650E-4793-9EC4-9387D0E5B865}.exe

Filesize
344KB

MD5
ed0973a11f26758a8b680fff4f0d4dd0

SHA1
8fb678aa21d34bcbfdc860268a06325580a24061

SHA256
d486d9429eb22c5c41cd7c344b3b1c9e86edf3184db282a499d1bc0502b5eae0

SHA512
d72b89ed3efd82d137a482c19b497d055363a67736e412962752c0794582a7a631da69e5908cca96c63b5c53d0a28537c6efbb010d4142e7ce8c20e5fe7adac4

Download Submit
C:\Windows\{DED4612B-A326-4914-B351-E5EF18D260FE}.exe

Filesize
344KB

MD5
48d3f293c37d144f166b431b4e10cb09

SHA1
5a0c1974555b1f19eb64e935156bae9489be4dc9

SHA256
0e0bf798cb9bb3833a07901f6f1656b5ca433713d28c931d91facfd7b03ea19a

SHA512
7d676a6aeaea1d75848071a5b27fe3097b739c43a3eb34f4c73ca99b190dc406156e7cc521ad149223a1f83c022ebe90a695ecf700764a7e5fb8b07693fdcf1f

Download Submit
C:\Windows\{E3D09A43-D66A-45c7-9F37-C70579C41D40}.exe

Filesize
344KB

MD5
00b1710d86da196e803be133e10a9cee

SHA1
c36797cdb6b5eb92fe7ef0414ec621a5560a596c

SHA256
076e5ccade27787f5bd7050a4842c37e6dc48a212289a77ff075cf60aaa7187d

SHA512
013a9c3d652bec15ac95ba8b70e99e5a244354a001c8d58d3093edb80a2b6d4f5ead50b542d16eb7d1f8b3d10fe378f88c4a5650e6eb16f6db5b5be534751f63

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads