0417cc4710d893fbc99844bc4c7405939590e0f44c537eed169909c628c90dbf

Analysis

max time kernel
144s
max time network
117s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
10/05/2024, 08:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-10_75521cc0dbd7b1ad9c0ba2e082f8ee11_goldeneye.exe
Size

180KB
MD5

75521cc0dbd7b1ad9c0ba2e082f8ee11
SHA1

0fe2d946524fe08ce8c4b7cbb80efb044add5eb3
SHA256

0417cc4710d893fbc99844bc4c7405939590e0f44c537eed169909c628c90dbf
SHA512

c4a624fad958eabb9649af410e62bf666fb42a9bbc84969f30cdbd119a6ae995c2b83ff05b48d77d14a82b974ace9e0a7d2093363b3a0e470da7f3d902d62dc0
SSDEEP

3072:jEGh0oXlfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGpl5eKcAEc

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000c000000015cbd-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002e000000015d24-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000015cbd-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002e000000015d44-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e000000015cbd-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f000000015cbd-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0010000000015cbd-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D77E3E55-064B-4fe5-A40D-54B456B1505A}\stubpath = "C:\\Windows\\{D77E3E55-064B-4fe5-A40D-54B456B1505A}.exe"	{A6135864-D93C-46e1-95EA-B50C19391DB6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{57F79121-01BA-4b9c-8A1C-0D1011A25E9F}\stubpath = "C:\\Windows\\{57F79121-01BA-4b9c-8A1C-0D1011A25E9F}.exe"	{D77E3E55-064B-4fe5-A40D-54B456B1505A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{303D2171-6D7E-4560-89C2-EE5D39BBAF12}	{02E1D52D-B66E-4b71-8BFE-875D00BBD1DB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1EE8A33D-4DC0-493c-8265-54E09F006CB3}\stubpath = "C:\\Windows\\{1EE8A33D-4DC0-493c-8265-54E09F006CB3}.exe"	{F3AB2B53-C526-44ec-BB34-BC64D8BDB048}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F3AB2B53-C526-44ec-BB34-BC64D8BDB048}	{303D2171-6D7E-4560-89C2-EE5D39BBAF12}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F3AB2B53-C526-44ec-BB34-BC64D8BDB048}\stubpath = "C:\\Windows\\{F3AB2B53-C526-44ec-BB34-BC64D8BDB048}.exe"	{303D2171-6D7E-4560-89C2-EE5D39BBAF12}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{57F79121-01BA-4b9c-8A1C-0D1011A25E9F}	{D77E3E55-064B-4fe5-A40D-54B456B1505A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{383CC579-8A19-4367-B85C-5143F31FA9FC}	{57F79121-01BA-4b9c-8A1C-0D1011A25E9F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2AC98532-11E0-4d9e-8ED3-5B37934CDFAE}	{383CC579-8A19-4367-B85C-5143F31FA9FC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DB3E0B0C-A82E-4c63-AC91-5AAA92BE9FA4}\stubpath = "C:\\Windows\\{DB3E0B0C-A82E-4c63-AC91-5AAA92BE9FA4}.exe"	{2AC98532-11E0-4d9e-8ED3-5B37934CDFAE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{303D2171-6D7E-4560-89C2-EE5D39BBAF12}\stubpath = "C:\\Windows\\{303D2171-6D7E-4560-89C2-EE5D39BBAF12}.exe"	{02E1D52D-B66E-4b71-8BFE-875D00BBD1DB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{02E1D52D-B66E-4b71-8BFE-875D00BBD1DB}	{33A33C56-E08D-40df-904B-AFCD10EF32C0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{02E1D52D-B66E-4b71-8BFE-875D00BBD1DB}\stubpath = "C:\\Windows\\{02E1D52D-B66E-4b71-8BFE-875D00BBD1DB}.exe"	{33A33C56-E08D-40df-904B-AFCD10EF32C0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1EE8A33D-4DC0-493c-8265-54E09F006CB3}	{F3AB2B53-C526-44ec-BB34-BC64D8BDB048}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A6135864-D93C-46e1-95EA-B50C19391DB6}	2024-05-10_75521cc0dbd7b1ad9c0ba2e082f8ee11_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{383CC579-8A19-4367-B85C-5143F31FA9FC}\stubpath = "C:\\Windows\\{383CC579-8A19-4367-B85C-5143F31FA9FC}.exe"	{57F79121-01BA-4b9c-8A1C-0D1011A25E9F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2AC98532-11E0-4d9e-8ED3-5B37934CDFAE}\stubpath = "C:\\Windows\\{2AC98532-11E0-4d9e-8ED3-5B37934CDFAE}.exe"	{383CC579-8A19-4367-B85C-5143F31FA9FC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{33A33C56-E08D-40df-904B-AFCD10EF32C0}	{DB3E0B0C-A82E-4c63-AC91-5AAA92BE9FA4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{33A33C56-E08D-40df-904B-AFCD10EF32C0}\stubpath = "C:\\Windows\\{33A33C56-E08D-40df-904B-AFCD10EF32C0}.exe"	{DB3E0B0C-A82E-4c63-AC91-5AAA92BE9FA4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A6135864-D93C-46e1-95EA-B50C19391DB6}\stubpath = "C:\\Windows\\{A6135864-D93C-46e1-95EA-B50C19391DB6}.exe"	2024-05-10_75521cc0dbd7b1ad9c0ba2e082f8ee11_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D77E3E55-064B-4fe5-A40D-54B456B1505A}	{A6135864-D93C-46e1-95EA-B50C19391DB6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DB3E0B0C-A82E-4c63-AC91-5AAA92BE9FA4}	{2AC98532-11E0-4d9e-8ED3-5B37934CDFAE}.exe

Deletes itself 1 IoCs

pid	Process
2604	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2544	{A6135864-D93C-46e1-95EA-B50C19391DB6}.exe
2696	{D77E3E55-064B-4fe5-A40D-54B456B1505A}.exe
296	{57F79121-01BA-4b9c-8A1C-0D1011A25E9F}.exe
2636	{383CC579-8A19-4367-B85C-5143F31FA9FC}.exe
1884	{2AC98532-11E0-4d9e-8ED3-5B37934CDFAE}.exe
320	{DB3E0B0C-A82E-4c63-AC91-5AAA92BE9FA4}.exe
2580	{33A33C56-E08D-40df-904B-AFCD10EF32C0}.exe
1200	{02E1D52D-B66E-4b71-8BFE-875D00BBD1DB}.exe
2644	{303D2171-6D7E-4560-89C2-EE5D39BBAF12}.exe
532	{F3AB2B53-C526-44ec-BB34-BC64D8BDB048}.exe
816	{1EE8A33D-4DC0-493c-8265-54E09F006CB3}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{2AC98532-11E0-4d9e-8ED3-5B37934CDFAE}.exe	{383CC579-8A19-4367-B85C-5143F31FA9FC}.exe
File created	C:\Windows\{33A33C56-E08D-40df-904B-AFCD10EF32C0}.exe	{DB3E0B0C-A82E-4c63-AC91-5AAA92BE9FA4}.exe
File created	C:\Windows\{303D2171-6D7E-4560-89C2-EE5D39BBAF12}.exe	{02E1D52D-B66E-4b71-8BFE-875D00BBD1DB}.exe
File created	C:\Windows\{F3AB2B53-C526-44ec-BB34-BC64D8BDB048}.exe	{303D2171-6D7E-4560-89C2-EE5D39BBAF12}.exe
File created	C:\Windows\{1EE8A33D-4DC0-493c-8265-54E09F006CB3}.exe	{F3AB2B53-C526-44ec-BB34-BC64D8BDB048}.exe
File created	C:\Windows\{A6135864-D93C-46e1-95EA-B50C19391DB6}.exe	2024-05-10_75521cc0dbd7b1ad9c0ba2e082f8ee11_goldeneye.exe
File created	C:\Windows\{D77E3E55-064B-4fe5-A40D-54B456B1505A}.exe	{A6135864-D93C-46e1-95EA-B50C19391DB6}.exe
File created	C:\Windows\{57F79121-01BA-4b9c-8A1C-0D1011A25E9F}.exe	{D77E3E55-064B-4fe5-A40D-54B456B1505A}.exe
File created	C:\Windows\{383CC579-8A19-4367-B85C-5143F31FA9FC}.exe	{57F79121-01BA-4b9c-8A1C-0D1011A25E9F}.exe
File created	C:\Windows\{DB3E0B0C-A82E-4c63-AC91-5AAA92BE9FA4}.exe	{2AC98532-11E0-4d9e-8ED3-5B37934CDFAE}.exe
File created	C:\Windows\{02E1D52D-B66E-4b71-8BFE-875D00BBD1DB}.exe	{33A33C56-E08D-40df-904B-AFCD10EF32C0}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2972	2024-05-10_75521cc0dbd7b1ad9c0ba2e082f8ee11_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2544	{A6135864-D93C-46e1-95EA-B50C19391DB6}.exe
Token: SeIncBasePriorityPrivilege	2696	{D77E3E55-064B-4fe5-A40D-54B456B1505A}.exe
Token: SeIncBasePriorityPrivilege	296	{57F79121-01BA-4b9c-8A1C-0D1011A25E9F}.exe
Token: SeIncBasePriorityPrivilege	2636	{383CC579-8A19-4367-B85C-5143F31FA9FC}.exe
Token: SeIncBasePriorityPrivilege	1884	{2AC98532-11E0-4d9e-8ED3-5B37934CDFAE}.exe
Token: SeIncBasePriorityPrivilege	320	{DB3E0B0C-A82E-4c63-AC91-5AAA92BE9FA4}.exe
Token: SeIncBasePriorityPrivilege	2580	{33A33C56-E08D-40df-904B-AFCD10EF32C0}.exe
Token: SeIncBasePriorityPrivilege	1200	{02E1D52D-B66E-4b71-8BFE-875D00BBD1DB}.exe
Token: SeIncBasePriorityPrivilege	2644	{303D2171-6D7E-4560-89C2-EE5D39BBAF12}.exe
Token: SeIncBasePriorityPrivilege	532	{F3AB2B53-C526-44ec-BB34-BC64D8BDB048}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2972 wrote to memory of 2544	2972	2024-05-10_75521cc0dbd7b1ad9c0ba2e082f8ee11_goldeneye.exe	28
PID 2972 wrote to memory of 2544	2972	2024-05-10_75521cc0dbd7b1ad9c0ba2e082f8ee11_goldeneye.exe	28
PID 2972 wrote to memory of 2544	2972	2024-05-10_75521cc0dbd7b1ad9c0ba2e082f8ee11_goldeneye.exe	28
PID 2972 wrote to memory of 2544	2972	2024-05-10_75521cc0dbd7b1ad9c0ba2e082f8ee11_goldeneye.exe	28
PID 2972 wrote to memory of 2604	2972	2024-05-10_75521cc0dbd7b1ad9c0ba2e082f8ee11_goldeneye.exe	29
PID 2972 wrote to memory of 2604	2972	2024-05-10_75521cc0dbd7b1ad9c0ba2e082f8ee11_goldeneye.exe	29
PID 2972 wrote to memory of 2604	2972	2024-05-10_75521cc0dbd7b1ad9c0ba2e082f8ee11_goldeneye.exe	29
PID 2972 wrote to memory of 2604	2972	2024-05-10_75521cc0dbd7b1ad9c0ba2e082f8ee11_goldeneye.exe	29
PID 2544 wrote to memory of 2696	2544	{A6135864-D93C-46e1-95EA-B50C19391DB6}.exe	30
PID 2544 wrote to memory of 2696	2544	{A6135864-D93C-46e1-95EA-B50C19391DB6}.exe	30
PID 2544 wrote to memory of 2696	2544	{A6135864-D93C-46e1-95EA-B50C19391DB6}.exe	30
PID 2544 wrote to memory of 2696	2544	{A6135864-D93C-46e1-95EA-B50C19391DB6}.exe	30
PID 2544 wrote to memory of 2700	2544	{A6135864-D93C-46e1-95EA-B50C19391DB6}.exe	31
PID 2544 wrote to memory of 2700	2544	{A6135864-D93C-46e1-95EA-B50C19391DB6}.exe	31
PID 2544 wrote to memory of 2700	2544	{A6135864-D93C-46e1-95EA-B50C19391DB6}.exe	31
PID 2544 wrote to memory of 2700	2544	{A6135864-D93C-46e1-95EA-B50C19391DB6}.exe	31
PID 2696 wrote to memory of 296	2696	{D77E3E55-064B-4fe5-A40D-54B456B1505A}.exe	32
PID 2696 wrote to memory of 296	2696	{D77E3E55-064B-4fe5-A40D-54B456B1505A}.exe	32
PID 2696 wrote to memory of 296	2696	{D77E3E55-064B-4fe5-A40D-54B456B1505A}.exe	32
PID 2696 wrote to memory of 296	2696	{D77E3E55-064B-4fe5-A40D-54B456B1505A}.exe	32
PID 2696 wrote to memory of 2400	2696	{D77E3E55-064B-4fe5-A40D-54B456B1505A}.exe	33
PID 2696 wrote to memory of 2400	2696	{D77E3E55-064B-4fe5-A40D-54B456B1505A}.exe	33
PID 2696 wrote to memory of 2400	2696	{D77E3E55-064B-4fe5-A40D-54B456B1505A}.exe	33
PID 2696 wrote to memory of 2400	2696	{D77E3E55-064B-4fe5-A40D-54B456B1505A}.exe	33
PID 296 wrote to memory of 2636	296	{57F79121-01BA-4b9c-8A1C-0D1011A25E9F}.exe	36
PID 296 wrote to memory of 2636	296	{57F79121-01BA-4b9c-8A1C-0D1011A25E9F}.exe	36
PID 296 wrote to memory of 2636	296	{57F79121-01BA-4b9c-8A1C-0D1011A25E9F}.exe	36
PID 296 wrote to memory of 2636	296	{57F79121-01BA-4b9c-8A1C-0D1011A25E9F}.exe	36
PID 296 wrote to memory of 2748	296	{57F79121-01BA-4b9c-8A1C-0D1011A25E9F}.exe	37
PID 296 wrote to memory of 2748	296	{57F79121-01BA-4b9c-8A1C-0D1011A25E9F}.exe	37
PID 296 wrote to memory of 2748	296	{57F79121-01BA-4b9c-8A1C-0D1011A25E9F}.exe	37
PID 296 wrote to memory of 2748	296	{57F79121-01BA-4b9c-8A1C-0D1011A25E9F}.exe	37
PID 2636 wrote to memory of 1884	2636	{383CC579-8A19-4367-B85C-5143F31FA9FC}.exe	38
PID 2636 wrote to memory of 1884	2636	{383CC579-8A19-4367-B85C-5143F31FA9FC}.exe	38
PID 2636 wrote to memory of 1884	2636	{383CC579-8A19-4367-B85C-5143F31FA9FC}.exe	38
PID 2636 wrote to memory of 1884	2636	{383CC579-8A19-4367-B85C-5143F31FA9FC}.exe	38
PID 2636 wrote to memory of 2000	2636	{383CC579-8A19-4367-B85C-5143F31FA9FC}.exe	39
PID 2636 wrote to memory of 2000	2636	{383CC579-8A19-4367-B85C-5143F31FA9FC}.exe	39
PID 2636 wrote to memory of 2000	2636	{383CC579-8A19-4367-B85C-5143F31FA9FC}.exe	39
PID 2636 wrote to memory of 2000	2636	{383CC579-8A19-4367-B85C-5143F31FA9FC}.exe	39
PID 1884 wrote to memory of 320	1884	{2AC98532-11E0-4d9e-8ED3-5B37934CDFAE}.exe	40
PID 1884 wrote to memory of 320	1884	{2AC98532-11E0-4d9e-8ED3-5B37934CDFAE}.exe	40
PID 1884 wrote to memory of 320	1884	{2AC98532-11E0-4d9e-8ED3-5B37934CDFAE}.exe	40
PID 1884 wrote to memory of 320	1884	{2AC98532-11E0-4d9e-8ED3-5B37934CDFAE}.exe	40
PID 1884 wrote to memory of 864	1884	{2AC98532-11E0-4d9e-8ED3-5B37934CDFAE}.exe	41
PID 1884 wrote to memory of 864	1884	{2AC98532-11E0-4d9e-8ED3-5B37934CDFAE}.exe	41
PID 1884 wrote to memory of 864	1884	{2AC98532-11E0-4d9e-8ED3-5B37934CDFAE}.exe	41
PID 1884 wrote to memory of 864	1884	{2AC98532-11E0-4d9e-8ED3-5B37934CDFAE}.exe	41
PID 320 wrote to memory of 2580	320	{DB3E0B0C-A82E-4c63-AC91-5AAA92BE9FA4}.exe	42
PID 320 wrote to memory of 2580	320	{DB3E0B0C-A82E-4c63-AC91-5AAA92BE9FA4}.exe	42
PID 320 wrote to memory of 2580	320	{DB3E0B0C-A82E-4c63-AC91-5AAA92BE9FA4}.exe	42
PID 320 wrote to memory of 2580	320	{DB3E0B0C-A82E-4c63-AC91-5AAA92BE9FA4}.exe	42
PID 320 wrote to memory of 2392	320	{DB3E0B0C-A82E-4c63-AC91-5AAA92BE9FA4}.exe	43
PID 320 wrote to memory of 2392	320	{DB3E0B0C-A82E-4c63-AC91-5AAA92BE9FA4}.exe	43
PID 320 wrote to memory of 2392	320	{DB3E0B0C-A82E-4c63-AC91-5AAA92BE9FA4}.exe	43
PID 320 wrote to memory of 2392	320	{DB3E0B0C-A82E-4c63-AC91-5AAA92BE9FA4}.exe	43
PID 2580 wrote to memory of 1200	2580	{33A33C56-E08D-40df-904B-AFCD10EF32C0}.exe	44
PID 2580 wrote to memory of 1200	2580	{33A33C56-E08D-40df-904B-AFCD10EF32C0}.exe	44
PID 2580 wrote to memory of 1200	2580	{33A33C56-E08D-40df-904B-AFCD10EF32C0}.exe	44
PID 2580 wrote to memory of 1200	2580	{33A33C56-E08D-40df-904B-AFCD10EF32C0}.exe	44
PID 2580 wrote to memory of 1656	2580	{33A33C56-E08D-40df-904B-AFCD10EF32C0}.exe	45
PID 2580 wrote to memory of 1656	2580	{33A33C56-E08D-40df-904B-AFCD10EF32C0}.exe	45
PID 2580 wrote to memory of 1656	2580	{33A33C56-E08D-40df-904B-AFCD10EF32C0}.exe	45
PID 2580 wrote to memory of 1656	2580	{33A33C56-E08D-40df-904B-AFCD10EF32C0}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-05-10_75521cc0dbd7b1ad9c0ba2e082f8ee11_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-10_75521cc0dbd7b1ad9c0ba2e082f8ee11_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2972
- C:\Windows\{A6135864-D93C-46e1-95EA-B50C19391DB6}.exe
  C:\Windows\{A6135864-D93C-46e1-95EA-B50C19391DB6}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2544
- - C:\Windows\{D77E3E55-064B-4fe5-A40D-54B456B1505A}.exe
    C:\Windows\{D77E3E55-064B-4fe5-A40D-54B456B1505A}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2696
  - - C:\Windows\{57F79121-01BA-4b9c-8A1C-0D1011A25E9F}.exe
      C:\Windows\{57F79121-01BA-4b9c-8A1C-0D1011A25E9F}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:296
    - - C:\Windows\{383CC579-8A19-4367-B85C-5143F31FA9FC}.exe
        
        C:\Windows\{383CC579-8A19-4367-B85C-5143F31FA9FC}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2636
      - C:\Windows\{2AC98532-11E0-4d9e-8ED3-5B37934CDFAE}.exe
        
        C:\Windows\{2AC98532-11E0-4d9e-8ED3-5B37934CDFAE}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1884
        
        C:\Windows\{DB3E0B0C-A82E-4c63-AC91-5AAA92BE9FA4}.exe
        
        C:\Windows\{DB3E0B0C-A82E-4c63-AC91-5AAA92BE9FA4}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:320
        
        C:\Windows\{33A33C56-E08D-40df-904B-AFCD10EF32C0}.exe
        
        C:\Windows\{33A33C56-E08D-40df-904B-AFCD10EF32C0}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2580
        
        C:\Windows\{02E1D52D-B66E-4b71-8BFE-875D00BBD1DB}.exe
        
        C:\Windows\{02E1D52D-B66E-4b71-8BFE-875D00BBD1DB}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1200
        
        C:\Windows\{303D2171-6D7E-4560-89C2-EE5D39BBAF12}.exe
        
        C:\Windows\{303D2171-6D7E-4560-89C2-EE5D39BBAF12}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2644
        
        C:\Windows\{F3AB2B53-C526-44ec-BB34-BC64D8BDB048}.exe
        
        C:\Windows\{F3AB2B53-C526-44ec-BB34-BC64D8BDB048}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:532
        
        C:\Windows\{1EE8A33D-4DC0-493c-8265-54E09F006CB3}.exe
        
        C:\Windows\{1EE8A33D-4DC0-493c-8265-54E09F006CB3}.exe
        12⤵
        Executes dropped EXE
        
        PID:816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F3AB2~1.EXE > nul
        12⤵
        
        PID:1164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{303D2~1.EXE > nul
        11⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{02E1D~1.EXE > nul
        10⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{33A33~1.EXE > nul
        9⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DB3E0~1.EXE > nul
        8⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2AC98~1.EXE > nul
        7⤵
        
        PID:864
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{383CC~1.EXE > nul
        6⤵
        
        PID:2000
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{57F79~1.EXE > nul
        5⤵
        
        PID:2748
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{D77E3~1.EXE > nul
      4⤵
      PID:2400
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{A6135~1.EXE > nul
    3⤵
    PID:2700
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{02E1D52D-B66E-4b71-8BFE-875D00BBD1DB}.exe

Filesize
180KB

MD5
62ca735bb5b7d873d2be5f88131b05ce

SHA1
043d70c716d231731650222eaffaa524a5076ec5

SHA256
b1c0c87a58e10249feeb1b7887121942a7d8b56f98caedfd70cfbde098140657

SHA512
5b97809ac8b957e458b7f78659e728e0d7d64a860654d6b0cec6a15154e27115122e4e8d88ee268b278bdc6ceb74c3dd80fd44f6032a2a6b102d8257ad2d2763

Download Submit
C:\Windows\{1EE8A33D-4DC0-493c-8265-54E09F006CB3}.exe

Filesize
180KB

MD5
a150c68f645a81d7a276ce52d6ab909e

SHA1
7fb43e32953f9e995caf97dbc30cd6ee315c9537

SHA256
9fd07c049f82a165e8a9ed3c22963df4872a746916e0995a0eef4068735d9ad7

SHA512
dae226531095acb764ef35d4e91a59ace4d664d6905787272bf42ac811b5598bb5d95497f6da33841b0afb5dfeb3abf56250bb27a3f724d08cfaf1d0a3753863

Download Submit
C:\Windows\{2AC98532-11E0-4d9e-8ED3-5B37934CDFAE}.exe

Filesize
180KB

MD5
46c4980a0ebddd208693b2a5142e816a

SHA1
622b90baa9606727c37dace09dd10d04a826d1a4

SHA256
a4688fe33cdf725ccc5f9ecaa7cca48e848ee2cc5b04122f5826611a7865fe82

SHA512
c973d1ee67276e7aeb028ae20f3d781b8e992dce7a537a97e20f0af50285d3c53f66048706653021d4669de6d0ec355f906819745544b1d849c4db0f7f5b14a9

Download Submit
C:\Windows\{303D2171-6D7E-4560-89C2-EE5D39BBAF12}.exe

Filesize
180KB

MD5
a3fca2b69b5ea8feb908dc13b8510a9c

SHA1
cf07057fe615463b818130a024287f6c7b656d01

SHA256
5fe0f4c0c9693b66c612b6eee729c419892514f79629d5a927418eb4a38393d7

SHA512
20cccd7d2b952902c4ad3871d79de78e6a0dad00efd6ba9cde6051aae9cf8fca98c027886e35a4af882be22024ad7340d7adca8c5cdee99b5ec91712ced7e9c9

Download Submit
C:\Windows\{33A33C56-E08D-40df-904B-AFCD10EF32C0}.exe

Filesize
180KB

MD5
696cdf8358fb151f53075a03522af139

SHA1
f5e2c8a95a6b7b76cd2280ad76bf3f35ef0303c8

SHA256
5cf9f54820d83f8de9ecc0cadd4f15c1fc95f34bbb2efe0665c516d900a6157b

SHA512
cea08128d126a1c491d651260c41475e83ad603cbb2aeaff34872c3a1cb3db4ee53fd41b0d4d9ec62de6fbdef3143858aff7f33eddfae7d70f4178f915d0c5c9

Download Submit
C:\Windows\{383CC579-8A19-4367-B85C-5143F31FA9FC}.exe

Filesize
180KB

MD5
c02ae5e29b8d32137a1260f8513ea1e7

SHA1
75928e16450a87b9e13d9bdeeb5333429b1d4d5c

SHA256
137e9c43e1975670318b54e3a25fb71fd3e576618a034cbc1d2918eae17b2eb2

SHA512
eab8ea2bd172bfcc7855c0348009af153383e583f6356d7e0861aef40ee0183d0737134817a7f81ac4688a68f667c5af17a0661c9c493e0e177bd196734095e6

Download Submit
C:\Windows\{57F79121-01BA-4b9c-8A1C-0D1011A25E9F}.exe

Filesize
180KB

MD5
5fb94d8cd0f44e159f7f01e4c5867630

SHA1
ad58fde3333bf74ca1050ac6082092e9acd33235

SHA256
a5c86e44e065eea7748ba54eaceb6e7ad895d481d9fc244a4c595dc762932d5b

SHA512
28fe7cd6ab680f1623d358a4ea977fea61c0be9ba85d3ceb4ca4b1f00a3854b77f0b1b8c5cdeea53f5275049cf3e053ddce3dd2505bc71ef7872d9c9c9d91ea7

Download Submit
C:\Windows\{A6135864-D93C-46e1-95EA-B50C19391DB6}.exe

Filesize
180KB

MD5
fed4b4f8bf5cd6722af3795c7cfcf0e0

SHA1
f5d6ff7542c51d68662992ecff0f0e9c3383045a

SHA256
91a551e21f1305730416ad892e6daec519d791b2545fb7adb45af697f05d313b

SHA512
9cc5e8e025063d407b9e32db14d37178e3caa1b846362c7cca066234c5ca730f555472ec0074dd3dcea7230f5d7a44cac0e1954aaeb9976c5a535bb23d6352d9

Download Submit
C:\Windows\{D77E3E55-064B-4fe5-A40D-54B456B1505A}.exe

Filesize
180KB

MD5
fed595a68be0608e527189be105009e5

SHA1
609a26facbb32a2cedd6cbe841e860fcf4122a4a

SHA256
3a65103918f8a2805f93b42523de3eed449c197efedc467577f55187b2a61aef

SHA512
915eac0c9b353086c735fed6b0c7b927a08453df14a056c7610f4351101ce94bdb7ace44140b4301ff2423378c04121c8e715b84229f22ca50edf2c92bcd56c1

Download Submit
C:\Windows\{DB3E0B0C-A82E-4c63-AC91-5AAA92BE9FA4}.exe

Filesize
180KB

MD5
fc0ab7f3d42cc9213a0f88a0458dfec0

SHA1
6490e8ae4660cc7beafe0fba96699ce8c62081bc

SHA256
c8d42cd6a81588c24b2069ac7d0a85f01863b494bcedc054aae204a441960867

SHA512
f3c478aa9f95d02ae0174d9aaa6614045d7af20ffb5158ee4a42500ad9df44c7cc3c1ad36217b2e50b41698729b33afe2d1263b30baf5edd238d14d65511756d

Download Submit
C:\Windows\{F3AB2B53-C526-44ec-BB34-BC64D8BDB048}.exe

Filesize
180KB

MD5
b7c0e4a4a1a7bbb1282e16368aa54792

SHA1
a2d6a559c0b8c3a7f9a134ccd8e5407f8794d0b3

SHA256
647e1b736724dd9e5a3d2e6c5181e3361977a159276745a059a0b2752a2876f2

SHA512
6add1b6c59a9e337c5c5f9496f6ff626b4687a4f10e15c0bb04cd931a207c6c03d0479f284b14e4eff0d17b94aff5c78b0c992ddc39120d826d3d9419139f6f9

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads