2f45a44512a22d954a073c8f61164d0aef41780c4cc30fbd568a254a533f0e00

Analysis

max time kernel
144s
max time network
121s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
11/05/2024, 05:38

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-05-11_5c8ec9659a786e90fb83f28b2c9ea5aa_goldeneye.exe
Size

380KB
MD5

5c8ec9659a786e90fb83f28b2c9ea5aa
SHA1

f8204098af857cfce318960ef43c55da2bbbe29b
SHA256

2f45a44512a22d954a073c8f61164d0aef41780c4cc30fbd568a254a533f0e00
SHA512

904f8ced16fbf327ddd1580b726970522440fc189794fb04eacaf55a04ff233c123a17f30c18b1bfcc0ade288494fbdfd02c18a2d7a0041c0984e3794346d10d
SSDEEP

3072:mEGh0ovlPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGtl7Oe2MUVg3v2IneKcAEcARy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000b000000015d0f-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000016176-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000015d0f-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000016287-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000005a59-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000015d0f-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000005a59-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e000000015d0f-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000005a59-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f000000015d0f-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000005a59-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5749CE37-263D-4219-B7F1-DBCC29FB5200}	{02301BB8-54B3-4f4d-95C6-4D44458783EF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5E8BF309-265D-4bc1-B730-77CF54B2F06D}	{AD4B5D50-06DE-459d-AB82-9250B0010024}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FE82583C-2384-4321-B122-439F3C82D80C}\stubpath = "C:\\Windows\\{FE82583C-2384-4321-B122-439F3C82D80C}.exe"	{5E8BF309-265D-4bc1-B730-77CF54B2F06D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A85E1658-D5C7-45d4-B67C-AF05C83C6575}\stubpath = "C:\\Windows\\{A85E1658-D5C7-45d4-B67C-AF05C83C6575}.exe"	2024-05-11_5c8ec9659a786e90fb83f28b2c9ea5aa_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DC499B08-D2D5-483d-976C-24B4A03BBD3E}\stubpath = "C:\\Windows\\{DC499B08-D2D5-483d-976C-24B4A03BBD3E}.exe"	{7D121E67-C423-4a2c-ACCD-0BD5C2734BC6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AD4B5D50-06DE-459d-AB82-9250B0010024}\stubpath = "C:\\Windows\\{AD4B5D50-06DE-459d-AB82-9250B0010024}.exe"	{10E32977-918B-4d6e-BCCF-068306D391AB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FE82583C-2384-4321-B122-439F3C82D80C}	{5E8BF309-265D-4bc1-B730-77CF54B2F06D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D519B3FB-D3BD-44fd-8D43-028921D556A0}\stubpath = "C:\\Windows\\{D519B3FB-D3BD-44fd-8D43-028921D556A0}.exe"	{FE82583C-2384-4321-B122-439F3C82D80C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{02301BB8-54B3-4f4d-95C6-4D44458783EF}	{DC499B08-D2D5-483d-976C-24B4A03BBD3E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{10E32977-918B-4d6e-BCCF-068306D391AB}\stubpath = "C:\\Windows\\{10E32977-918B-4d6e-BCCF-068306D391AB}.exe"	{1746C7EF-7290-45ca-A2B0-610A618011F2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AD4B5D50-06DE-459d-AB82-9250B0010024}	{10E32977-918B-4d6e-BCCF-068306D391AB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D519B3FB-D3BD-44fd-8D43-028921D556A0}	{FE82583C-2384-4321-B122-439F3C82D80C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A85E1658-D5C7-45d4-B67C-AF05C83C6575}	2024-05-11_5c8ec9659a786e90fb83f28b2c9ea5aa_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{02301BB8-54B3-4f4d-95C6-4D44458783EF}\stubpath = "C:\\Windows\\{02301BB8-54B3-4f4d-95C6-4D44458783EF}.exe"	{DC499B08-D2D5-483d-976C-24B4A03BBD3E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DC499B08-D2D5-483d-976C-24B4A03BBD3E}	{7D121E67-C423-4a2c-ACCD-0BD5C2734BC6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5749CE37-263D-4219-B7F1-DBCC29FB5200}\stubpath = "C:\\Windows\\{5749CE37-263D-4219-B7F1-DBCC29FB5200}.exe"	{02301BB8-54B3-4f4d-95C6-4D44458783EF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1746C7EF-7290-45ca-A2B0-610A618011F2}	{5749CE37-263D-4219-B7F1-DBCC29FB5200}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1746C7EF-7290-45ca-A2B0-610A618011F2}\stubpath = "C:\\Windows\\{1746C7EF-7290-45ca-A2B0-610A618011F2}.exe"	{5749CE37-263D-4219-B7F1-DBCC29FB5200}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{10E32977-918B-4d6e-BCCF-068306D391AB}	{1746C7EF-7290-45ca-A2B0-610A618011F2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5E8BF309-265D-4bc1-B730-77CF54B2F06D}\stubpath = "C:\\Windows\\{5E8BF309-265D-4bc1-B730-77CF54B2F06D}.exe"	{AD4B5D50-06DE-459d-AB82-9250B0010024}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7D121E67-C423-4a2c-ACCD-0BD5C2734BC6}	{A85E1658-D5C7-45d4-B67C-AF05C83C6575}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7D121E67-C423-4a2c-ACCD-0BD5C2734BC6}\stubpath = "C:\\Windows\\{7D121E67-C423-4a2c-ACCD-0BD5C2734BC6}.exe"	{A85E1658-D5C7-45d4-B67C-AF05C83C6575}.exe

Deletes itself 1 IoCs

pid	Process
2160	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
1804	{A85E1658-D5C7-45d4-B67C-AF05C83C6575}.exe
3064	{7D121E67-C423-4a2c-ACCD-0BD5C2734BC6}.exe
2760	{DC499B08-D2D5-483d-976C-24B4A03BBD3E}.exe
2420	{02301BB8-54B3-4f4d-95C6-4D44458783EF}.exe
2256	{5749CE37-263D-4219-B7F1-DBCC29FB5200}.exe
1916	{1746C7EF-7290-45ca-A2B0-610A618011F2}.exe
1940	{10E32977-918B-4d6e-BCCF-068306D391AB}.exe
2208	{AD4B5D50-06DE-459d-AB82-9250B0010024}.exe
2492	{5E8BF309-265D-4bc1-B730-77CF54B2F06D}.exe
2012	{FE82583C-2384-4321-B122-439F3C82D80C}.exe
1724	{D519B3FB-D3BD-44fd-8D43-028921D556A0}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{10E32977-918B-4d6e-BCCF-068306D391AB}.exe	{1746C7EF-7290-45ca-A2B0-610A618011F2}.exe
File created	C:\Windows\{AD4B5D50-06DE-459d-AB82-9250B0010024}.exe	{10E32977-918B-4d6e-BCCF-068306D391AB}.exe
File created	C:\Windows\{D519B3FB-D3BD-44fd-8D43-028921D556A0}.exe	{FE82583C-2384-4321-B122-439F3C82D80C}.exe
File created	C:\Windows\{A85E1658-D5C7-45d4-B67C-AF05C83C6575}.exe	2024-05-11_5c8ec9659a786e90fb83f28b2c9ea5aa_goldeneye.exe
File created	C:\Windows\{7D121E67-C423-4a2c-ACCD-0BD5C2734BC6}.exe	{A85E1658-D5C7-45d4-B67C-AF05C83C6575}.exe
File created	C:\Windows\{DC499B08-D2D5-483d-976C-24B4A03BBD3E}.exe	{7D121E67-C423-4a2c-ACCD-0BD5C2734BC6}.exe
File created	C:\Windows\{5E8BF309-265D-4bc1-B730-77CF54B2F06D}.exe	{AD4B5D50-06DE-459d-AB82-9250B0010024}.exe
File created	C:\Windows\{FE82583C-2384-4321-B122-439F3C82D80C}.exe	{5E8BF309-265D-4bc1-B730-77CF54B2F06D}.exe
File created	C:\Windows\{02301BB8-54B3-4f4d-95C6-4D44458783EF}.exe	{DC499B08-D2D5-483d-976C-24B4A03BBD3E}.exe
File created	C:\Windows\{5749CE37-263D-4219-B7F1-DBCC29FB5200}.exe	{02301BB8-54B3-4f4d-95C6-4D44458783EF}.exe
File created	C:\Windows\{1746C7EF-7290-45ca-A2B0-610A618011F2}.exe	{5749CE37-263D-4219-B7F1-DBCC29FB5200}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2868	2024-05-11_5c8ec9659a786e90fb83f28b2c9ea5aa_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1804	{A85E1658-D5C7-45d4-B67C-AF05C83C6575}.exe
Token: SeIncBasePriorityPrivilege	3064	{7D121E67-C423-4a2c-ACCD-0BD5C2734BC6}.exe
Token: SeIncBasePriorityPrivilege	2760	{DC499B08-D2D5-483d-976C-24B4A03BBD3E}.exe
Token: SeIncBasePriorityPrivilege	2420	{02301BB8-54B3-4f4d-95C6-4D44458783EF}.exe
Token: SeIncBasePriorityPrivilege	2256	{5749CE37-263D-4219-B7F1-DBCC29FB5200}.exe
Token: SeIncBasePriorityPrivilege	1916	{1746C7EF-7290-45ca-A2B0-610A618011F2}.exe
Token: SeIncBasePriorityPrivilege	1940	{10E32977-918B-4d6e-BCCF-068306D391AB}.exe
Token: SeIncBasePriorityPrivilege	2208	{AD4B5D50-06DE-459d-AB82-9250B0010024}.exe
Token: SeIncBasePriorityPrivilege	2492	{5E8BF309-265D-4bc1-B730-77CF54B2F06D}.exe
Token: SeIncBasePriorityPrivilege	2012	{FE82583C-2384-4321-B122-439F3C82D80C}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2868 wrote to memory of 1804	2868	2024-05-11_5c8ec9659a786e90fb83f28b2c9ea5aa_goldeneye.exe	28
PID 2868 wrote to memory of 1804	2868	2024-05-11_5c8ec9659a786e90fb83f28b2c9ea5aa_goldeneye.exe	28
PID 2868 wrote to memory of 1804	2868	2024-05-11_5c8ec9659a786e90fb83f28b2c9ea5aa_goldeneye.exe	28
PID 2868 wrote to memory of 1804	2868	2024-05-11_5c8ec9659a786e90fb83f28b2c9ea5aa_goldeneye.exe	28
PID 2868 wrote to memory of 2160	2868	2024-05-11_5c8ec9659a786e90fb83f28b2c9ea5aa_goldeneye.exe	29
PID 2868 wrote to memory of 2160	2868	2024-05-11_5c8ec9659a786e90fb83f28b2c9ea5aa_goldeneye.exe	29
PID 2868 wrote to memory of 2160	2868	2024-05-11_5c8ec9659a786e90fb83f28b2c9ea5aa_goldeneye.exe	29
PID 2868 wrote to memory of 2160	2868	2024-05-11_5c8ec9659a786e90fb83f28b2c9ea5aa_goldeneye.exe	29
PID 1804 wrote to memory of 3064	1804	{A85E1658-D5C7-45d4-B67C-AF05C83C6575}.exe	30
PID 1804 wrote to memory of 3064	1804	{A85E1658-D5C7-45d4-B67C-AF05C83C6575}.exe	30
PID 1804 wrote to memory of 3064	1804	{A85E1658-D5C7-45d4-B67C-AF05C83C6575}.exe	30
PID 1804 wrote to memory of 3064	1804	{A85E1658-D5C7-45d4-B67C-AF05C83C6575}.exe	30
PID 1804 wrote to memory of 2508	1804	{A85E1658-D5C7-45d4-B67C-AF05C83C6575}.exe	31
PID 1804 wrote to memory of 2508	1804	{A85E1658-D5C7-45d4-B67C-AF05C83C6575}.exe	31
PID 1804 wrote to memory of 2508	1804	{A85E1658-D5C7-45d4-B67C-AF05C83C6575}.exe	31
PID 1804 wrote to memory of 2508	1804	{A85E1658-D5C7-45d4-B67C-AF05C83C6575}.exe	31
PID 3064 wrote to memory of 2760	3064	{7D121E67-C423-4a2c-ACCD-0BD5C2734BC6}.exe	32
PID 3064 wrote to memory of 2760	3064	{7D121E67-C423-4a2c-ACCD-0BD5C2734BC6}.exe	32
PID 3064 wrote to memory of 2760	3064	{7D121E67-C423-4a2c-ACCD-0BD5C2734BC6}.exe	32
PID 3064 wrote to memory of 2760	3064	{7D121E67-C423-4a2c-ACCD-0BD5C2734BC6}.exe	32
PID 3064 wrote to memory of 2528	3064	{7D121E67-C423-4a2c-ACCD-0BD5C2734BC6}.exe	33
PID 3064 wrote to memory of 2528	3064	{7D121E67-C423-4a2c-ACCD-0BD5C2734BC6}.exe	33
PID 3064 wrote to memory of 2528	3064	{7D121E67-C423-4a2c-ACCD-0BD5C2734BC6}.exe	33
PID 3064 wrote to memory of 2528	3064	{7D121E67-C423-4a2c-ACCD-0BD5C2734BC6}.exe	33
PID 2760 wrote to memory of 2420	2760	{DC499B08-D2D5-483d-976C-24B4A03BBD3E}.exe	36
PID 2760 wrote to memory of 2420	2760	{DC499B08-D2D5-483d-976C-24B4A03BBD3E}.exe	36
PID 2760 wrote to memory of 2420	2760	{DC499B08-D2D5-483d-976C-24B4A03BBD3E}.exe	36
PID 2760 wrote to memory of 2420	2760	{DC499B08-D2D5-483d-976C-24B4A03BBD3E}.exe	36
PID 2760 wrote to memory of 2480	2760	{DC499B08-D2D5-483d-976C-24B4A03BBD3E}.exe	37
PID 2760 wrote to memory of 2480	2760	{DC499B08-D2D5-483d-976C-24B4A03BBD3E}.exe	37
PID 2760 wrote to memory of 2480	2760	{DC499B08-D2D5-483d-976C-24B4A03BBD3E}.exe	37
PID 2760 wrote to memory of 2480	2760	{DC499B08-D2D5-483d-976C-24B4A03BBD3E}.exe	37
PID 2420 wrote to memory of 2256	2420	{02301BB8-54B3-4f4d-95C6-4D44458783EF}.exe	38
PID 2420 wrote to memory of 2256	2420	{02301BB8-54B3-4f4d-95C6-4D44458783EF}.exe	38
PID 2420 wrote to memory of 2256	2420	{02301BB8-54B3-4f4d-95C6-4D44458783EF}.exe	38
PID 2420 wrote to memory of 2256	2420	{02301BB8-54B3-4f4d-95C6-4D44458783EF}.exe	38
PID 2420 wrote to memory of 1600	2420	{02301BB8-54B3-4f4d-95C6-4D44458783EF}.exe	39
PID 2420 wrote to memory of 1600	2420	{02301BB8-54B3-4f4d-95C6-4D44458783EF}.exe	39
PID 2420 wrote to memory of 1600	2420	{02301BB8-54B3-4f4d-95C6-4D44458783EF}.exe	39
PID 2420 wrote to memory of 1600	2420	{02301BB8-54B3-4f4d-95C6-4D44458783EF}.exe	39
PID 2256 wrote to memory of 1916	2256	{5749CE37-263D-4219-B7F1-DBCC29FB5200}.exe	40
PID 2256 wrote to memory of 1916	2256	{5749CE37-263D-4219-B7F1-DBCC29FB5200}.exe	40
PID 2256 wrote to memory of 1916	2256	{5749CE37-263D-4219-B7F1-DBCC29FB5200}.exe	40
PID 2256 wrote to memory of 1916	2256	{5749CE37-263D-4219-B7F1-DBCC29FB5200}.exe	40
PID 2256 wrote to memory of 1952	2256	{5749CE37-263D-4219-B7F1-DBCC29FB5200}.exe	41
PID 2256 wrote to memory of 1952	2256	{5749CE37-263D-4219-B7F1-DBCC29FB5200}.exe	41
PID 2256 wrote to memory of 1952	2256	{5749CE37-263D-4219-B7F1-DBCC29FB5200}.exe	41
PID 2256 wrote to memory of 1952	2256	{5749CE37-263D-4219-B7F1-DBCC29FB5200}.exe	41
PID 1916 wrote to memory of 1940	1916	{1746C7EF-7290-45ca-A2B0-610A618011F2}.exe	42
PID 1916 wrote to memory of 1940	1916	{1746C7EF-7290-45ca-A2B0-610A618011F2}.exe	42
PID 1916 wrote to memory of 1940	1916	{1746C7EF-7290-45ca-A2B0-610A618011F2}.exe	42
PID 1916 wrote to memory of 1940	1916	{1746C7EF-7290-45ca-A2B0-610A618011F2}.exe	42
PID 1916 wrote to memory of 1572	1916	{1746C7EF-7290-45ca-A2B0-610A618011F2}.exe	43
PID 1916 wrote to memory of 1572	1916	{1746C7EF-7290-45ca-A2B0-610A618011F2}.exe	43
PID 1916 wrote to memory of 1572	1916	{1746C7EF-7290-45ca-A2B0-610A618011F2}.exe	43
PID 1916 wrote to memory of 1572	1916	{1746C7EF-7290-45ca-A2B0-610A618011F2}.exe	43
PID 1940 wrote to memory of 2208	1940	{10E32977-918B-4d6e-BCCF-068306D391AB}.exe	44
PID 1940 wrote to memory of 2208	1940	{10E32977-918B-4d6e-BCCF-068306D391AB}.exe	44
PID 1940 wrote to memory of 2208	1940	{10E32977-918B-4d6e-BCCF-068306D391AB}.exe	44
PID 1940 wrote to memory of 2208	1940	{10E32977-918B-4d6e-BCCF-068306D391AB}.exe	44
PID 1940 wrote to memory of 1312	1940	{10E32977-918B-4d6e-BCCF-068306D391AB}.exe	45
PID 1940 wrote to memory of 1312	1940	{10E32977-918B-4d6e-BCCF-068306D391AB}.exe	45
PID 1940 wrote to memory of 1312	1940	{10E32977-918B-4d6e-BCCF-068306D391AB}.exe	45
PID 1940 wrote to memory of 1312	1940	{10E32977-918B-4d6e-BCCF-068306D391AB}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-05-11_5c8ec9659a786e90fb83f28b2c9ea5aa_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-11_5c8ec9659a786e90fb83f28b2c9ea5aa_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2868
- C:\Windows\{A85E1658-D5C7-45d4-B67C-AF05C83C6575}.exe
  C:\Windows\{A85E1658-D5C7-45d4-B67C-AF05C83C6575}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1804
- - C:\Windows\{7D121E67-C423-4a2c-ACCD-0BD5C2734BC6}.exe
    C:\Windows\{7D121E67-C423-4a2c-ACCD-0BD5C2734BC6}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3064
  - - C:\Windows\{DC499B08-D2D5-483d-976C-24B4A03BBD3E}.exe
      C:\Windows\{DC499B08-D2D5-483d-976C-24B4A03BBD3E}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2760
    - - C:\Windows\{02301BB8-54B3-4f4d-95C6-4D44458783EF}.exe
        
        C:\Windows\{02301BB8-54B3-4f4d-95C6-4D44458783EF}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2420
      - C:\Windows\{5749CE37-263D-4219-B7F1-DBCC29FB5200}.exe
        
        C:\Windows\{5749CE37-263D-4219-B7F1-DBCC29FB5200}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2256
        
        C:\Windows\{1746C7EF-7290-45ca-A2B0-610A618011F2}.exe
        
        C:\Windows\{1746C7EF-7290-45ca-A2B0-610A618011F2}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1916
        
        C:\Windows\{10E32977-918B-4d6e-BCCF-068306D391AB}.exe
        
        C:\Windows\{10E32977-918B-4d6e-BCCF-068306D391AB}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1940
        
        C:\Windows\{AD4B5D50-06DE-459d-AB82-9250B0010024}.exe
        
        C:\Windows\{AD4B5D50-06DE-459d-AB82-9250B0010024}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2208
        
        C:\Windows\{5E8BF309-265D-4bc1-B730-77CF54B2F06D}.exe
        
        C:\Windows\{5E8BF309-265D-4bc1-B730-77CF54B2F06D}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2492
        
        C:\Windows\{FE82583C-2384-4321-B122-439F3C82D80C}.exe
        
        C:\Windows\{FE82583C-2384-4321-B122-439F3C82D80C}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2012
        
        C:\Windows\{D519B3FB-D3BD-44fd-8D43-028921D556A0}.exe
        
        C:\Windows\{D519B3FB-D3BD-44fd-8D43-028921D556A0}.exe
        12⤵
        Executes dropped EXE
        
        PID:1724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FE825~1.EXE > nul
        12⤵
        
        PID:1492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5E8BF~1.EXE > nul
        11⤵
        
        PID:2232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AD4B5~1.EXE > nul
        10⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{10E32~1.EXE > nul
        9⤵
        
        PID:1312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1746C~1.EXE > nul
        8⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5749C~1.EXE > nul
        7⤵
        
        PID:1952
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{02301~1.EXE > nul
        6⤵
        
        PID:1600
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DC499~1.EXE > nul
        5⤵
        
        PID:2480
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{7D121~1.EXE > nul
      4⤵
      PID:2528
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{A85E1~1.EXE > nul
    3⤵
    PID:2508
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2160

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{02301BB8-54B3-4f4d-95C6-4D44458783EF}.exe

Filesize
380KB

MD5
6a6bfbec622047e3f5ffc145bbf6cd8e

SHA1
e77562b062aa0f564bdef5ad0771cbd86f7e5b46

SHA256
4a1b9ae0aecd62f56bc4c59d7c38618930c4bf248f1a21e934d23f55e5d23289

SHA512
297687e1d5972088b159300f553aa6d19d51f2f7840e7b8e5a858a8f158278ddb7151ea2c4798a87cd36d8c72937b53c850c5eebec80cce61b9cdc849c87200e

Download Submit
C:\Windows\{10E32977-918B-4d6e-BCCF-068306D391AB}.exe

Filesize
380KB

MD5
62fbd5ee439495bae39fb75ca1fc9d61

SHA1
21f2655e5ddaca07563ab229ea1995d73b412698

SHA256
accbb9ac279488c2d7ae19c380fa5f292671ef82ec9327dd477ec36f72fd3932

SHA512
5ba681386999aec48859d9df92db4fe768c1e7618d505db507ab30b242aee9099a3ddccdaaa8a2aecdc865e3af1fe421df5559625fdafa734ad6aabd53bd4e08

Download Submit
C:\Windows\{1746C7EF-7290-45ca-A2B0-610A618011F2}.exe

Filesize
380KB

MD5
85544d70a0e8e83dc8ac581bb836f8e9

SHA1
9d58fa79ac99799e5237a306954e1935daf03c53

SHA256
e968c32eb25a5bf65d5eaae6aa094dffd55a2722bfa750fae61c6b0a1bda1d4b

SHA512
752984f718363e5a1bc08f70a8715d4f2ed8829112997887a2fd3b4ea4863aa93dd12cdc755834dacfd496da0ac27dd946ae2061397d582e96b073b1d97abed9

Download Submit
C:\Windows\{5749CE37-263D-4219-B7F1-DBCC29FB5200}.exe

Filesize
380KB

MD5
beafdadba47c05e76a1b6ad808f59047

SHA1
68bd1bb11c5c15f769e72b88110d047553bae8b6

SHA256
3eb4c2bc7ae698ed71d0c6f5fac15e2658ce30712ca86481e4a90057df86b198

SHA512
1d11f3330823bf6114ef8a6a2e9f6e2e429962ccbd573ceeb9c3c57ccb3bf969e6963a18e658c045bcd49293482e125528b8d712adecbd53cd25e9a730bd1e55

Download Submit
C:\Windows\{5E8BF309-265D-4bc1-B730-77CF54B2F06D}.exe

Filesize
380KB

MD5
e012e369cad4fd058114c4fdfb02844b

SHA1
086a532b8bfd08f250e93521b29fbbb2787821fb

SHA256
138b216fc86d6005e11a69333750d7a9ab193da2bece615e7711400160e5e437

SHA512
b0175c4eb0daf2a459181ad01704096db15915043ca8815c7034c741285bee70b5b1023d7c5add3de0f7bfa5521adae8f1a219fe75b7b0057917c766b36423ea

Download Submit
C:\Windows\{7D121E67-C423-4a2c-ACCD-0BD5C2734BC6}.exe

Filesize
380KB

MD5
731f81673f9b39410a529f436377fdfa

SHA1
28c0e83943f9eed83cc463372038a1df3937e5c7

SHA256
3ae75aa082fda377348cb21efda756f06a802aed4886a36a3172dcc1984a73b6

SHA512
1a6034c4487dfccc70cde0bcca6f25b905d5d4aa5fb824c5970fc57ee0ae56595618f9eacf5744228a0cf5a3a5638263ed71b18dca649c0f01f170cb0fe66cb6

Download Submit
C:\Windows\{A85E1658-D5C7-45d4-B67C-AF05C83C6575}.exe

Filesize
380KB

MD5
a01eb6dbfbcc4d9625a0597815f4cba9

SHA1
14298a8b311673525ecce4824d88c4aa0ebc2515

SHA256
f32ce86bda06457c958a9dd83b189ad3a6e0d254f8c5d3e549736e5bda3fad9b

SHA512
9bcafa6219903647c5e7dddec7def65fa8e7de14e1f6eb5e082c9ef720f6e90e0f7f4a858a08f48b8a7b82dc383506396c4771897f0215f9993088e7fdacf910

Download Submit
C:\Windows\{AD4B5D50-06DE-459d-AB82-9250B0010024}.exe

Filesize
380KB

MD5
46fe74ed01b461b96c2a872e520d0ecf

SHA1
a2e3540268bc4113d65ede45c4bc34b6dccf1e84

SHA256
621e7181c4d00e82111d1169231b3583ccd659c04d2770e6b7e436d48cf9bf06

SHA512
8c97d7500aea0d06e39185329dbd29dc5ae4440bb0f268b6f9054249196dc86523057a8478645e3687fa95d369e3538289da2577e82b6011566888510e28b6ce

Download Submit
C:\Windows\{D519B3FB-D3BD-44fd-8D43-028921D556A0}.exe

Filesize
380KB

MD5
761c15d2a90b5dda1f0a668e56507eca

SHA1
9bb82e0f945dabd33b9357bddc826ffb1da54717

SHA256
fad5b11754fed89d6a56394e9feea879c6224c1aad0adfca9131d9be9e817a04

SHA512
a1ce4c855620cfac4e8cf7623c2c5b684ab856b7b9a521a2381ff5152dd913d29e6771489835007d8657264d2e1250d78b6134763a1358755c4969b496c4ad27

Download Submit
C:\Windows\{DC499B08-D2D5-483d-976C-24B4A03BBD3E}.exe

Filesize
380KB

MD5
47768523f99e31dedff572255754fc49

SHA1
4e3093791ee57b9118d3c053735965d969e4338f

SHA256
c8f72a2ee86f2b9afa1708dea1d8c0832f3f5a97a24e7718e574e77074a9e3de

SHA512
2a4561ea7388b393cbf9120eb27d1776f88f45a0fcfbf94b3d87c508d30fb836e019c0d420da9addd0c9273172b9124cd0de841b55c442cd73c71187a06c1c7d

Download Submit
C:\Windows\{FE82583C-2384-4321-B122-439F3C82D80C}.exe

Filesize
380KB

MD5
9dca7fbe1c79aa2770db626d9d13cdbb

SHA1
9715dd5e6c82e9edb6786eeb88fefe5cfa62c773

SHA256
c8a7a1a583c8b53c466a5cd51f5ea64349fcefaf10e74f19e231d315586048bc

SHA512
13c28f4c5a205d64fb335ca2f79b483e1b8ab0aed4ae3c8ddd6fd443ba19834580319638012ab28c2ea5485128ca1ca8a698a710b7be144fbdab037231827051

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads