1fcc677219df60f6759f7e799b5bb64dab2544da6b60991ae3e0507db3ca81d6

Analysis

max time kernel
144s
max time network
120s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
12/05/2024, 03:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-12_625441720e99715e4899c50ce94c9c3d_goldeneye.exe
Size

197KB
MD5

625441720e99715e4899c50ce94c9c3d
SHA1

de740b07fc7d576413e3e2be82d7b6db77e900de
SHA256

1fcc677219df60f6759f7e799b5bb64dab2544da6b60991ae3e0507db3ca81d6
SHA512

e59b6783b570cf2954c201053c46e48f39250871db9f880667248e6554761daa63816f68cea15fb297669a6c80e3f1c3343b23a380055b0976b0b4b820e55f41
SSDEEP

3072:jEGh0oYl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGelEeKcAEca

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000c00000001227b-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0036000000015d02-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d00000001227b-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0036000000015d13-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e00000001227b-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f00000001227b-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001000000001227b-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4BD1001A-E193-46fc-B433-E7B25ED54257}	{FCD68091-33DF-4d44-B9A9-2D47867093C6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1FFC982E-BDBC-4d8a-97E3-31FAF0AA4015}\stubpath = "C:\\Windows\\{1FFC982E-BDBC-4d8a-97E3-31FAF0AA4015}.exe"	{E5F0E356-0C22-4545-BA51-8EB5486EE6D1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FCD68091-33DF-4d44-B9A9-2D47867093C6}	{793DFF58-DB78-4d24-966D-59E0BF8D605B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4BD1001A-E193-46fc-B433-E7B25ED54257}\stubpath = "C:\\Windows\\{4BD1001A-E193-46fc-B433-E7B25ED54257}.exe"	{FCD68091-33DF-4d44-B9A9-2D47867093C6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DACF1AAD-E934-414c-A205-B1CE034E53D2}\stubpath = "C:\\Windows\\{DACF1AAD-E934-414c-A205-B1CE034E53D2}.exe"	{A1C70C77-7F9B-4f2a-BBB0-543EF6A6418D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{793DFF58-DB78-4d24-966D-59E0BF8D605B}	{DD342745-33E1-426f-A02F-3CFBC2E589E4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{793DFF58-DB78-4d24-966D-59E0BF8D605B}\stubpath = "C:\\Windows\\{793DFF58-DB78-4d24-966D-59E0BF8D605B}.exe"	{DD342745-33E1-426f-A02F-3CFBC2E589E4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E5F0E356-0C22-4545-BA51-8EB5486EE6D1}	{0CA07F19-A1DA-47e3-833E-156D4DA27BAC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E5F0E356-0C22-4545-BA51-8EB5486EE6D1}\stubpath = "C:\\Windows\\{E5F0E356-0C22-4545-BA51-8EB5486EE6D1}.exe"	{0CA07F19-A1DA-47e3-833E-156D4DA27BAC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1FFC982E-BDBC-4d8a-97E3-31FAF0AA4015}	{E5F0E356-0C22-4545-BA51-8EB5486EE6D1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{01294226-0CCD-4a64-93C3-9100D1259330}\stubpath = "C:\\Windows\\{01294226-0CCD-4a64-93C3-9100D1259330}.exe"	{1FFC982E-BDBC-4d8a-97E3-31FAF0AA4015}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DD342745-33E1-426f-A02F-3CFBC2E589E4}	2024-05-12_625441720e99715e4899c50ce94c9c3d_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FCD68091-33DF-4d44-B9A9-2D47867093C6}\stubpath = "C:\\Windows\\{FCD68091-33DF-4d44-B9A9-2D47867093C6}.exe"	{793DFF58-DB78-4d24-966D-59E0BF8D605B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0CA07F19-A1DA-47e3-833E-156D4DA27BAC}	{4BD1001A-E193-46fc-B433-E7B25ED54257}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0CA07F19-A1DA-47e3-833E-156D4DA27BAC}\stubpath = "C:\\Windows\\{0CA07F19-A1DA-47e3-833E-156D4DA27BAC}.exe"	{4BD1001A-E193-46fc-B433-E7B25ED54257}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{01294226-0CCD-4a64-93C3-9100D1259330}	{1FFC982E-BDBC-4d8a-97E3-31FAF0AA4015}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A1C70C77-7F9B-4f2a-BBB0-543EF6A6418D}	{01294226-0CCD-4a64-93C3-9100D1259330}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A1C70C77-7F9B-4f2a-BBB0-543EF6A6418D}\stubpath = "C:\\Windows\\{A1C70C77-7F9B-4f2a-BBB0-543EF6A6418D}.exe"	{01294226-0CCD-4a64-93C3-9100D1259330}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DACF1AAD-E934-414c-A205-B1CE034E53D2}	{A1C70C77-7F9B-4f2a-BBB0-543EF6A6418D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DD342745-33E1-426f-A02F-3CFBC2E589E4}\stubpath = "C:\\Windows\\{DD342745-33E1-426f-A02F-3CFBC2E589E4}.exe"	2024-05-12_625441720e99715e4899c50ce94c9c3d_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E87AD673-FD4F-4716-B1D4-D0122C4F72D2}\stubpath = "C:\\Windows\\{E87AD673-FD4F-4716-B1D4-D0122C4F72D2}.exe"	{DACF1AAD-E934-414c-A205-B1CE034E53D2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E87AD673-FD4F-4716-B1D4-D0122C4F72D2}	{DACF1AAD-E934-414c-A205-B1CE034E53D2}.exe

Deletes itself 1 IoCs

pid	Process
1776	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2584	{DD342745-33E1-426f-A02F-3CFBC2E589E4}.exe
2784	{793DFF58-DB78-4d24-966D-59E0BF8D605B}.exe
2540	{FCD68091-33DF-4d44-B9A9-2D47867093C6}.exe
3036	{4BD1001A-E193-46fc-B433-E7B25ED54257}.exe
2604	{0CA07F19-A1DA-47e3-833E-156D4DA27BAC}.exe
1628	{E5F0E356-0C22-4545-BA51-8EB5486EE6D1}.exe
1420	{1FFC982E-BDBC-4d8a-97E3-31FAF0AA4015}.exe
2744	{01294226-0CCD-4a64-93C3-9100D1259330}.exe
2072	{A1C70C77-7F9B-4f2a-BBB0-543EF6A6418D}.exe
2356	{DACF1AAD-E934-414c-A205-B1CE034E53D2}.exe
692	{E87AD673-FD4F-4716-B1D4-D0122C4F72D2}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{793DFF58-DB78-4d24-966D-59E0BF8D605B}.exe	{DD342745-33E1-426f-A02F-3CFBC2E589E4}.exe
File created	C:\Windows\{FCD68091-33DF-4d44-B9A9-2D47867093C6}.exe	{793DFF58-DB78-4d24-966D-59E0BF8D605B}.exe
File created	C:\Windows\{4BD1001A-E193-46fc-B433-E7B25ED54257}.exe	{FCD68091-33DF-4d44-B9A9-2D47867093C6}.exe
File created	C:\Windows\{0CA07F19-A1DA-47e3-833E-156D4DA27BAC}.exe	{4BD1001A-E193-46fc-B433-E7B25ED54257}.exe
File created	C:\Windows\{1FFC982E-BDBC-4d8a-97E3-31FAF0AA4015}.exe	{E5F0E356-0C22-4545-BA51-8EB5486EE6D1}.exe
File created	C:\Windows\{A1C70C77-7F9B-4f2a-BBB0-543EF6A6418D}.exe	{01294226-0CCD-4a64-93C3-9100D1259330}.exe
File created	C:\Windows\{E87AD673-FD4F-4716-B1D4-D0122C4F72D2}.exe	{DACF1AAD-E934-414c-A205-B1CE034E53D2}.exe
File created	C:\Windows\{DD342745-33E1-426f-A02F-3CFBC2E589E4}.exe	2024-05-12_625441720e99715e4899c50ce94c9c3d_goldeneye.exe
File created	C:\Windows\{E5F0E356-0C22-4545-BA51-8EB5486EE6D1}.exe	{0CA07F19-A1DA-47e3-833E-156D4DA27BAC}.exe
File created	C:\Windows\{01294226-0CCD-4a64-93C3-9100D1259330}.exe	{1FFC982E-BDBC-4d8a-97E3-31FAF0AA4015}.exe
File created	C:\Windows\{DACF1AAD-E934-414c-A205-B1CE034E53D2}.exe	{A1C70C77-7F9B-4f2a-BBB0-543EF6A6418D}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2256	2024-05-12_625441720e99715e4899c50ce94c9c3d_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2584	{DD342745-33E1-426f-A02F-3CFBC2E589E4}.exe
Token: SeIncBasePriorityPrivilege	2784	{793DFF58-DB78-4d24-966D-59E0BF8D605B}.exe
Token: SeIncBasePriorityPrivilege	2540	{FCD68091-33DF-4d44-B9A9-2D47867093C6}.exe
Token: SeIncBasePriorityPrivilege	3036	{4BD1001A-E193-46fc-B433-E7B25ED54257}.exe
Token: SeIncBasePriorityPrivilege	2604	{0CA07F19-A1DA-47e3-833E-156D4DA27BAC}.exe
Token: SeIncBasePriorityPrivilege	1628	{E5F0E356-0C22-4545-BA51-8EB5486EE6D1}.exe
Token: SeIncBasePriorityPrivilege	1420	{1FFC982E-BDBC-4d8a-97E3-31FAF0AA4015}.exe
Token: SeIncBasePriorityPrivilege	2744	{01294226-0CCD-4a64-93C3-9100D1259330}.exe
Token: SeIncBasePriorityPrivilege	2072	{A1C70C77-7F9B-4f2a-BBB0-543EF6A6418D}.exe
Token: SeIncBasePriorityPrivilege	2356	{DACF1AAD-E934-414c-A205-B1CE034E53D2}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2256 wrote to memory of 2584	2256	2024-05-12_625441720e99715e4899c50ce94c9c3d_goldeneye.exe	28
PID 2256 wrote to memory of 2584	2256	2024-05-12_625441720e99715e4899c50ce94c9c3d_goldeneye.exe	28
PID 2256 wrote to memory of 2584	2256	2024-05-12_625441720e99715e4899c50ce94c9c3d_goldeneye.exe	28
PID 2256 wrote to memory of 2584	2256	2024-05-12_625441720e99715e4899c50ce94c9c3d_goldeneye.exe	28
PID 2256 wrote to memory of 1776	2256	2024-05-12_625441720e99715e4899c50ce94c9c3d_goldeneye.exe	29
PID 2256 wrote to memory of 1776	2256	2024-05-12_625441720e99715e4899c50ce94c9c3d_goldeneye.exe	29
PID 2256 wrote to memory of 1776	2256	2024-05-12_625441720e99715e4899c50ce94c9c3d_goldeneye.exe	29
PID 2256 wrote to memory of 1776	2256	2024-05-12_625441720e99715e4899c50ce94c9c3d_goldeneye.exe	29
PID 2584 wrote to memory of 2784	2584	{DD342745-33E1-426f-A02F-3CFBC2E589E4}.exe	30
PID 2584 wrote to memory of 2784	2584	{DD342745-33E1-426f-A02F-3CFBC2E589E4}.exe	30
PID 2584 wrote to memory of 2784	2584	{DD342745-33E1-426f-A02F-3CFBC2E589E4}.exe	30
PID 2584 wrote to memory of 2784	2584	{DD342745-33E1-426f-A02F-3CFBC2E589E4}.exe	30
PID 2584 wrote to memory of 2608	2584	{DD342745-33E1-426f-A02F-3CFBC2E589E4}.exe	31
PID 2584 wrote to memory of 2608	2584	{DD342745-33E1-426f-A02F-3CFBC2E589E4}.exe	31
PID 2584 wrote to memory of 2608	2584	{DD342745-33E1-426f-A02F-3CFBC2E589E4}.exe	31
PID 2584 wrote to memory of 2608	2584	{DD342745-33E1-426f-A02F-3CFBC2E589E4}.exe	31
PID 2784 wrote to memory of 2540	2784	{793DFF58-DB78-4d24-966D-59E0BF8D605B}.exe	32
PID 2784 wrote to memory of 2540	2784	{793DFF58-DB78-4d24-966D-59E0BF8D605B}.exe	32
PID 2784 wrote to memory of 2540	2784	{793DFF58-DB78-4d24-966D-59E0BF8D605B}.exe	32
PID 2784 wrote to memory of 2540	2784	{793DFF58-DB78-4d24-966D-59E0BF8D605B}.exe	32
PID 2784 wrote to memory of 2852	2784	{793DFF58-DB78-4d24-966D-59E0BF8D605B}.exe	33
PID 2784 wrote to memory of 2852	2784	{793DFF58-DB78-4d24-966D-59E0BF8D605B}.exe	33
PID 2784 wrote to memory of 2852	2784	{793DFF58-DB78-4d24-966D-59E0BF8D605B}.exe	33
PID 2784 wrote to memory of 2852	2784	{793DFF58-DB78-4d24-966D-59E0BF8D605B}.exe	33
PID 2540 wrote to memory of 3036	2540	{FCD68091-33DF-4d44-B9A9-2D47867093C6}.exe	36
PID 2540 wrote to memory of 3036	2540	{FCD68091-33DF-4d44-B9A9-2D47867093C6}.exe	36
PID 2540 wrote to memory of 3036	2540	{FCD68091-33DF-4d44-B9A9-2D47867093C6}.exe	36
PID 2540 wrote to memory of 3036	2540	{FCD68091-33DF-4d44-B9A9-2D47867093C6}.exe	36
PID 2540 wrote to memory of 2248	2540	{FCD68091-33DF-4d44-B9A9-2D47867093C6}.exe	37
PID 2540 wrote to memory of 2248	2540	{FCD68091-33DF-4d44-B9A9-2D47867093C6}.exe	37
PID 2540 wrote to memory of 2248	2540	{FCD68091-33DF-4d44-B9A9-2D47867093C6}.exe	37
PID 2540 wrote to memory of 2248	2540	{FCD68091-33DF-4d44-B9A9-2D47867093C6}.exe	37
PID 3036 wrote to memory of 2604	3036	{4BD1001A-E193-46fc-B433-E7B25ED54257}.exe	38
PID 3036 wrote to memory of 2604	3036	{4BD1001A-E193-46fc-B433-E7B25ED54257}.exe	38
PID 3036 wrote to memory of 2604	3036	{4BD1001A-E193-46fc-B433-E7B25ED54257}.exe	38
PID 3036 wrote to memory of 2604	3036	{4BD1001A-E193-46fc-B433-E7B25ED54257}.exe	38
PID 3036 wrote to memory of 2736	3036	{4BD1001A-E193-46fc-B433-E7B25ED54257}.exe	39
PID 3036 wrote to memory of 2736	3036	{4BD1001A-E193-46fc-B433-E7B25ED54257}.exe	39
PID 3036 wrote to memory of 2736	3036	{4BD1001A-E193-46fc-B433-E7B25ED54257}.exe	39
PID 3036 wrote to memory of 2736	3036	{4BD1001A-E193-46fc-B433-E7B25ED54257}.exe	39
PID 2604 wrote to memory of 1628	2604	{0CA07F19-A1DA-47e3-833E-156D4DA27BAC}.exe	40
PID 2604 wrote to memory of 1628	2604	{0CA07F19-A1DA-47e3-833E-156D4DA27BAC}.exe	40
PID 2604 wrote to memory of 1628	2604	{0CA07F19-A1DA-47e3-833E-156D4DA27BAC}.exe	40
PID 2604 wrote to memory of 1628	2604	{0CA07F19-A1DA-47e3-833E-156D4DA27BAC}.exe	40
PID 2604 wrote to memory of 1648	2604	{0CA07F19-A1DA-47e3-833E-156D4DA27BAC}.exe	41
PID 2604 wrote to memory of 1648	2604	{0CA07F19-A1DA-47e3-833E-156D4DA27BAC}.exe	41
PID 2604 wrote to memory of 1648	2604	{0CA07F19-A1DA-47e3-833E-156D4DA27BAC}.exe	41
PID 2604 wrote to memory of 1648	2604	{0CA07F19-A1DA-47e3-833E-156D4DA27BAC}.exe	41
PID 1628 wrote to memory of 1420	1628	{E5F0E356-0C22-4545-BA51-8EB5486EE6D1}.exe	42
PID 1628 wrote to memory of 1420	1628	{E5F0E356-0C22-4545-BA51-8EB5486EE6D1}.exe	42
PID 1628 wrote to memory of 1420	1628	{E5F0E356-0C22-4545-BA51-8EB5486EE6D1}.exe	42
PID 1628 wrote to memory of 1420	1628	{E5F0E356-0C22-4545-BA51-8EB5486EE6D1}.exe	42
PID 1628 wrote to memory of 1800	1628	{E5F0E356-0C22-4545-BA51-8EB5486EE6D1}.exe	43
PID 1628 wrote to memory of 1800	1628	{E5F0E356-0C22-4545-BA51-8EB5486EE6D1}.exe	43
PID 1628 wrote to memory of 1800	1628	{E5F0E356-0C22-4545-BA51-8EB5486EE6D1}.exe	43
PID 1628 wrote to memory of 1800	1628	{E5F0E356-0C22-4545-BA51-8EB5486EE6D1}.exe	43
PID 1420 wrote to memory of 2744	1420	{1FFC982E-BDBC-4d8a-97E3-31FAF0AA4015}.exe	44
PID 1420 wrote to memory of 2744	1420	{1FFC982E-BDBC-4d8a-97E3-31FAF0AA4015}.exe	44
PID 1420 wrote to memory of 2744	1420	{1FFC982E-BDBC-4d8a-97E3-31FAF0AA4015}.exe	44
PID 1420 wrote to memory of 2744	1420	{1FFC982E-BDBC-4d8a-97E3-31FAF0AA4015}.exe	44
PID 1420 wrote to memory of 1620	1420	{1FFC982E-BDBC-4d8a-97E3-31FAF0AA4015}.exe	45
PID 1420 wrote to memory of 1620	1420	{1FFC982E-BDBC-4d8a-97E3-31FAF0AA4015}.exe	45
PID 1420 wrote to memory of 1620	1420	{1FFC982E-BDBC-4d8a-97E3-31FAF0AA4015}.exe	45
PID 1420 wrote to memory of 1620	1420	{1FFC982E-BDBC-4d8a-97E3-31FAF0AA4015}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-05-12_625441720e99715e4899c50ce94c9c3d_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-12_625441720e99715e4899c50ce94c9c3d_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2256
- C:\Windows\{DD342745-33E1-426f-A02F-3CFBC2E589E4}.exe
  C:\Windows\{DD342745-33E1-426f-A02F-3CFBC2E589E4}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2584
- - C:\Windows\{793DFF58-DB78-4d24-966D-59E0BF8D605B}.exe
    C:\Windows\{793DFF58-DB78-4d24-966D-59E0BF8D605B}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2784
  - - C:\Windows\{FCD68091-33DF-4d44-B9A9-2D47867093C6}.exe
      C:\Windows\{FCD68091-33DF-4d44-B9A9-2D47867093C6}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2540
    - - C:\Windows\{4BD1001A-E193-46fc-B433-E7B25ED54257}.exe
        
        C:\Windows\{4BD1001A-E193-46fc-B433-E7B25ED54257}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3036
      - C:\Windows\{0CA07F19-A1DA-47e3-833E-156D4DA27BAC}.exe
        
        C:\Windows\{0CA07F19-A1DA-47e3-833E-156D4DA27BAC}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2604
        
        C:\Windows\{E5F0E356-0C22-4545-BA51-8EB5486EE6D1}.exe
        
        C:\Windows\{E5F0E356-0C22-4545-BA51-8EB5486EE6D1}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1628
        
        C:\Windows\{1FFC982E-BDBC-4d8a-97E3-31FAF0AA4015}.exe
        
        C:\Windows\{1FFC982E-BDBC-4d8a-97E3-31FAF0AA4015}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1420
        
        C:\Windows\{01294226-0CCD-4a64-93C3-9100D1259330}.exe
        
        C:\Windows\{01294226-0CCD-4a64-93C3-9100D1259330}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2744
        
        C:\Windows\{A1C70C77-7F9B-4f2a-BBB0-543EF6A6418D}.exe
        
        C:\Windows\{A1C70C77-7F9B-4f2a-BBB0-543EF6A6418D}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2072
        
        C:\Windows\{DACF1AAD-E934-414c-A205-B1CE034E53D2}.exe
        
        C:\Windows\{DACF1AAD-E934-414c-A205-B1CE034E53D2}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2356
        
        C:\Windows\{E87AD673-FD4F-4716-B1D4-D0122C4F72D2}.exe
        
        C:\Windows\{E87AD673-FD4F-4716-B1D4-D0122C4F72D2}.exe
        12⤵
        Executes dropped EXE
        
        PID:692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DACF1~1.EXE > nul
        12⤵
        
        PID:1484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A1C70~1.EXE > nul
        11⤵
        
        PID:2928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{01294~1.EXE > nul
        10⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1FFC9~1.EXE > nul
        9⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E5F0E~1.EXE > nul
        8⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0CA07~1.EXE > nul
        7⤵
        
        PID:1648
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4BD10~1.EXE > nul
        6⤵
        
        PID:2736
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FCD68~1.EXE > nul
        5⤵
        
        PID:2248
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{793DF~1.EXE > nul
      4⤵
      PID:2852
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{DD342~1.EXE > nul
    3⤵
    PID:2608
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:1776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{01294226-0CCD-4a64-93C3-9100D1259330}.exe

Filesize
197KB

MD5
1673e2831fdff4e5f62a8e948651fa8f

SHA1
9766e9fb9a90955322aa44b0eee6ccc2f9a82157

SHA256
50feb262b5cf459a8bc93aca1f6c84c1af8d54c2ef8e53d936bbfddf74d43efb

SHA512
958c6969308bccb6a6f7b02992cc10c0a87b0e9b087be632b2e23f1c8ffff2c72d18913d413895ec926f9ddf953f78bf0d70c27d6e89685c7ed815eb4731f36e

Download Submit
C:\Windows\{0CA07F19-A1DA-47e3-833E-156D4DA27BAC}.exe

Filesize
197KB

MD5
16940ca4d3b7398a2e8d66abc263861f

SHA1
91430e004ac0aae571da6221c906d120f53bf491

SHA256
07a6435a678a1cc9be5eb397e521ab7535bdeddc60b3a1ab53a9c74b08ed2a9a

SHA512
c17644b9f66dcc28072d93320f6caa202b99034a8d93356fbb8d6abcc8b427e9c7b935f1b9387d32df66799c88855fe8f8f7f260182a4d632155de5ddecbbf38

Download Submit
C:\Windows\{1FFC982E-BDBC-4d8a-97E3-31FAF0AA4015}.exe

Filesize
197KB

MD5
1fba9c758de79c941161cb04aeab3fea

SHA1
3f4f43d82e0fd3d3ff5a3c75557c8ff8038b3a1a

SHA256
932be3e6bb8ae993430c7a7b5d6c1fc4d2b751a2c97685f5bcdd6e738aa14539

SHA512
9c2304897550945c8aecc75b343b55557c7fd2f8ae51b293713efccc0cbef107d432fa1c99aa0c054bacb0e7ed9f55e397b32699221f0af6f6dbbac804e0a8b3

Download Submit
C:\Windows\{4BD1001A-E193-46fc-B433-E7B25ED54257}.exe

Filesize
197KB

MD5
47d3aee9d5790a8f92fce30723e2730f

SHA1
3bf9596054d6e73f92e7608dbc15a9f6ca4a0675

SHA256
30d5e77104ac44bc34d2e9393d50d4124439f512dbe0af8ea7529d02033a7b47

SHA512
d48a7c4691111f4aae74d74524bf1f7bae9a0d6e4949952d69068244f2c412108c53bcae61ac7983a34d2b74fd7bd5f5cde60ce3bf9d0cfd2f9223082cccd191

Download Submit
C:\Windows\{793DFF58-DB78-4d24-966D-59E0BF8D605B}.exe

Filesize
197KB

MD5
5322d3c8664cc723299680fe0410e1c2

SHA1
b1de03926b05c8cd05ca519c82b3bf53adb81eec

SHA256
b9cefa5ec9c997c025ca359db60aa44ec2cac8e9026549b0fa9659f1f09f8238

SHA512
e57deda67b409997820a80d94da9c0f4255134a20d3d538e9311a8cd84aea59f0f1638192c99a14efb751269405f4b7ae205434aca1f8cbdbb10b291a8e53b03

Download Submit
C:\Windows\{A1C70C77-7F9B-4f2a-BBB0-543EF6A6418D}.exe

Filesize
197KB

MD5
5466a42db31c1d7c3e128a333ada2559

SHA1
ed798b54be54fca28678000c5e29ab7a4b4c12e0

SHA256
b118b2ea4081f055aa88d8af61bad723adc130d76e1f3e03f3ab5c0e16e212b2

SHA512
42bed0ff4ee29eb3d406247819270d2813affe22b4c396170ca9d7dab3a4526cb42774567f4816e738be550bdd99d49e3fc5d5da05be1743f49731b77d38626c

Download Submit
C:\Windows\{DACF1AAD-E934-414c-A205-B1CE034E53D2}.exe

Filesize
197KB

MD5
0ce8796400a5369e6dc9a49dc933e60f

SHA1
023a940b20590f12a9f7dc8c5d109dbf2ac53eb5

SHA256
59ef7bb7881582781967ab287a60d65ca5d89c2971224cf0b779286e2eba97aa

SHA512
dc24057f571be8304312253e86647ce92aa4306e719e3c2ab031d6fa8bbc20e853699ee9ef04b8d9d47146a8218bd03e482fbc063a6afd61e5653c232bc9188f

Download Submit
C:\Windows\{DD342745-33E1-426f-A02F-3CFBC2E589E4}.exe

Filesize
197KB

MD5
2d687d8d31f4e25d81a93834c853f889

SHA1
85977eaaa1093f5366009efdb654c6396dc816b0

SHA256
c09430dbdd5dd47e6e1477a26a2f89fe11a059e331b7f135e77683be03aa9580

SHA512
43efc27b70311e36c910ad4836dc338d4b769a740bd370d62f02f69ce6c0c85d00b62e047ee0497f2a2fa9696ac88dfedc83f64ff9eaa407ddbfea5714c927f1

Download Submit
C:\Windows\{E5F0E356-0C22-4545-BA51-8EB5486EE6D1}.exe

Filesize
197KB

MD5
81059c09307a54ca3c12a9e14d31a745

SHA1
a52c064900387aa60986e4fe02802fcf13c7b16a

SHA256
0774ecebc08b2df061dc59cf1a020ff616245a4d0c946af4459470b6f86c99db

SHA512
1350e1e139a78e697a029f9308f66bd517ef9e6cb9e21bbbe742dbcbcc48d516ca3567426d331b1f661ee392cf2512c6d19a394fab003b51efa59dfee115780e

Download Submit
C:\Windows\{E87AD673-FD4F-4716-B1D4-D0122C4F72D2}.exe

Filesize
197KB

MD5
2e1b89a696ae7a086e33607f5a8b1393

SHA1
015b0dfee7edb9094cdc8bfa4c80733fc0c70219

SHA256
5c0091d5404872010aac9d7d23b7a66823c1c96c7589f380bebf9f85c72755b4

SHA512
d317e84e7f683de223f4519c064eedf642c442ca7a9d884fa5af9337d8ca05ff8629ac217bdac7eb21cb8320e1b3cf0789048b1485850a4a91c88f26643c864c

Download Submit
C:\Windows\{FCD68091-33DF-4d44-B9A9-2D47867093C6}.exe

Filesize
197KB

MD5
5111c843e859a7945abc51d77908af50

SHA1
46e380b209b5608c356c371d3471e8c815fdf491

SHA256
a6fb4c1dc823fc3a498d31cccf997648624735f6b95699fa0b34944d305346b3

SHA512
467e1f6c9ad3ef9053ab81222bf8ab12c5f010ea86983b6e2dc93b6e495702233a7f4ed83112a9560b4ea60f222cf8d186f64caf14404baf56b2c06e3d4b2b52

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads