e5ba57c5ba704e0fc1c2f4370be2d3d35caaf3177612ca35260006e5515e692b

Analysis

max time kernel
144s
max time network
118s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
04/06/2024, 11:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-04_5477ea7d1f5b256a99383c91b27c6f21_goldeneye.exe
Size

204KB
MD5

5477ea7d1f5b256a99383c91b27c6f21
SHA1

e14b47776969534d02f9de673cb5c3722b19e75d
SHA256

e5ba57c5ba704e0fc1c2f4370be2d3d35caaf3177612ca35260006e5515e692b
SHA512

045b8ddd062be891fd45ff82a1127b69d59d2975944eff31b0064dfea98d452f464d129a6ac4662be6af45b99f787b83dd2f441a983d087bc2d90eb9d2e23f36
SSDEEP

1536:1EGh0o1l15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0o1l1OPOe2MUVg3Ve+rXfMUy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000a000000012286-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0038000000015670-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b000000012286-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0038000000015678-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000012286-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0039000000015678-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a000000015686-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x003a000000015678-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000015b6e-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x003b000000015678-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FC0EF288-5F9A-45c6-A830-A77C9280BF14}\stubpath = "C:\\Windows\\{FC0EF288-5F9A-45c6-A830-A77C9280BF14}.exe"	{70D722D7-27A9-4951-9BD3-DD4D96FB8C3A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2C3AD7FC-BC22-4667-89D5-3B958D70F30F}\stubpath = "C:\\Windows\\{2C3AD7FC-BC22-4667-89D5-3B958D70F30F}.exe"	{16C865D1-2E7F-4ff0-8C2E-37255DA15DD7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0CCB96E6-040C-45df-BD59-F5C13B1DD6D6}	{0547C63F-7C6A-4de5-855D-B21D3D7BA201}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2C3AD7FC-BC22-4667-89D5-3B958D70F30F}	{16C865D1-2E7F-4ff0-8C2E-37255DA15DD7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{13286049-3F09-4aef-B636-A1B20B7FC0D8}	{2C3AD7FC-BC22-4667-89D5-3B958D70F30F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{13286049-3F09-4aef-B636-A1B20B7FC0D8}\stubpath = "C:\\Windows\\{13286049-3F09-4aef-B636-A1B20B7FC0D8}.exe"	{2C3AD7FC-BC22-4667-89D5-3B958D70F30F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{489F3107-F0CA-4a87-A829-A376A82F3062}	2024-06-04_5477ea7d1f5b256a99383c91b27c6f21_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{70D722D7-27A9-4951-9BD3-DD4D96FB8C3A}	{489F3107-F0CA-4a87-A829-A376A82F3062}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FC0EF288-5F9A-45c6-A830-A77C9280BF14}	{70D722D7-27A9-4951-9BD3-DD4D96FB8C3A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{54DB0E86-B8C3-4e67-B0C2-CE6E8AD19316}	{FC0EF288-5F9A-45c6-A830-A77C9280BF14}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6E0FA8D9-04AA-4bc5-BE95-EBFAE56F288F}	{0CCB96E6-040C-45df-BD59-F5C13B1DD6D6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6E0FA8D9-04AA-4bc5-BE95-EBFAE56F288F}\stubpath = "C:\\Windows\\{6E0FA8D9-04AA-4bc5-BE95-EBFAE56F288F}.exe"	{0CCB96E6-040C-45df-BD59-F5C13B1DD6D6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{489F3107-F0CA-4a87-A829-A376A82F3062}\stubpath = "C:\\Windows\\{489F3107-F0CA-4a87-A829-A376A82F3062}.exe"	2024-06-04_5477ea7d1f5b256a99383c91b27c6f21_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{70D722D7-27A9-4951-9BD3-DD4D96FB8C3A}\stubpath = "C:\\Windows\\{70D722D7-27A9-4951-9BD3-DD4D96FB8C3A}.exe"	{489F3107-F0CA-4a87-A829-A376A82F3062}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{54DB0E86-B8C3-4e67-B0C2-CE6E8AD19316}\stubpath = "C:\\Windows\\{54DB0E86-B8C3-4e67-B0C2-CE6E8AD19316}.exe"	{FC0EF288-5F9A-45c6-A830-A77C9280BF14}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{70123D9D-BDD9-4334-A944-90F0F27264B5}\stubpath = "C:\\Windows\\{70123D9D-BDD9-4334-A944-90F0F27264B5}.exe"	{13286049-3F09-4aef-B636-A1B20B7FC0D8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0547C63F-7C6A-4de5-855D-B21D3D7BA201}\stubpath = "C:\\Windows\\{0547C63F-7C6A-4de5-855D-B21D3D7BA201}.exe"	{70123D9D-BDD9-4334-A944-90F0F27264B5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0CCB96E6-040C-45df-BD59-F5C13B1DD6D6}\stubpath = "C:\\Windows\\{0CCB96E6-040C-45df-BD59-F5C13B1DD6D6}.exe"	{0547C63F-7C6A-4de5-855D-B21D3D7BA201}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{16C865D1-2E7F-4ff0-8C2E-37255DA15DD7}	{54DB0E86-B8C3-4e67-B0C2-CE6E8AD19316}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{16C865D1-2E7F-4ff0-8C2E-37255DA15DD7}\stubpath = "C:\\Windows\\{16C865D1-2E7F-4ff0-8C2E-37255DA15DD7}.exe"	{54DB0E86-B8C3-4e67-B0C2-CE6E8AD19316}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{70123D9D-BDD9-4334-A944-90F0F27264B5}	{13286049-3F09-4aef-B636-A1B20B7FC0D8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0547C63F-7C6A-4de5-855D-B21D3D7BA201}	{70123D9D-BDD9-4334-A944-90F0F27264B5}.exe

Deletes itself 1 IoCs

pid	Process
2788	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2444	{489F3107-F0CA-4a87-A829-A376A82F3062}.exe
2716	{70D722D7-27A9-4951-9BD3-DD4D96FB8C3A}.exe
2604	{FC0EF288-5F9A-45c6-A830-A77C9280BF14}.exe
2544	{54DB0E86-B8C3-4e67-B0C2-CE6E8AD19316}.exe
2664	{16C865D1-2E7F-4ff0-8C2E-37255DA15DD7}.exe
2948	{2C3AD7FC-BC22-4667-89D5-3B958D70F30F}.exe
1040	{13286049-3F09-4aef-B636-A1B20B7FC0D8}.exe
756	{70123D9D-BDD9-4334-A944-90F0F27264B5}.exe
1760	{0547C63F-7C6A-4de5-855D-B21D3D7BA201}.exe
2448	{0CCB96E6-040C-45df-BD59-F5C13B1DD6D6}.exe
772	{6E0FA8D9-04AA-4bc5-BE95-EBFAE56F288F}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{70D722D7-27A9-4951-9BD3-DD4D96FB8C3A}.exe	{489F3107-F0CA-4a87-A829-A376A82F3062}.exe
File created	C:\Windows\{13286049-3F09-4aef-B636-A1B20B7FC0D8}.exe	{2C3AD7FC-BC22-4667-89D5-3B958D70F30F}.exe
File created	C:\Windows\{6E0FA8D9-04AA-4bc5-BE95-EBFAE56F288F}.exe	{0CCB96E6-040C-45df-BD59-F5C13B1DD6D6}.exe
File created	C:\Windows\{16C865D1-2E7F-4ff0-8C2E-37255DA15DD7}.exe	{54DB0E86-B8C3-4e67-B0C2-CE6E8AD19316}.exe
File created	C:\Windows\{2C3AD7FC-BC22-4667-89D5-3B958D70F30F}.exe	{16C865D1-2E7F-4ff0-8C2E-37255DA15DD7}.exe
File created	C:\Windows\{70123D9D-BDD9-4334-A944-90F0F27264B5}.exe	{13286049-3F09-4aef-B636-A1B20B7FC0D8}.exe
File created	C:\Windows\{0547C63F-7C6A-4de5-855D-B21D3D7BA201}.exe	{70123D9D-BDD9-4334-A944-90F0F27264B5}.exe
File created	C:\Windows\{0CCB96E6-040C-45df-BD59-F5C13B1DD6D6}.exe	{0547C63F-7C6A-4de5-855D-B21D3D7BA201}.exe
File created	C:\Windows\{489F3107-F0CA-4a87-A829-A376A82F3062}.exe	2024-06-04_5477ea7d1f5b256a99383c91b27c6f21_goldeneye.exe
File created	C:\Windows\{FC0EF288-5F9A-45c6-A830-A77C9280BF14}.exe	{70D722D7-27A9-4951-9BD3-DD4D96FB8C3A}.exe
File created	C:\Windows\{54DB0E86-B8C3-4e67-B0C2-CE6E8AD19316}.exe	{FC0EF288-5F9A-45c6-A830-A77C9280BF14}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3044	2024-06-04_5477ea7d1f5b256a99383c91b27c6f21_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2444	{489F3107-F0CA-4a87-A829-A376A82F3062}.exe
Token: SeIncBasePriorityPrivilege	2716	{70D722D7-27A9-4951-9BD3-DD4D96FB8C3A}.exe
Token: SeIncBasePriorityPrivilege	2604	{FC0EF288-5F9A-45c6-A830-A77C9280BF14}.exe
Token: SeIncBasePriorityPrivilege	2544	{54DB0E86-B8C3-4e67-B0C2-CE6E8AD19316}.exe
Token: SeIncBasePriorityPrivilege	2664	{16C865D1-2E7F-4ff0-8C2E-37255DA15DD7}.exe
Token: SeIncBasePriorityPrivilege	2948	{2C3AD7FC-BC22-4667-89D5-3B958D70F30F}.exe
Token: SeIncBasePriorityPrivilege	1040	{13286049-3F09-4aef-B636-A1B20B7FC0D8}.exe
Token: SeIncBasePriorityPrivilege	756	{70123D9D-BDD9-4334-A944-90F0F27264B5}.exe
Token: SeIncBasePriorityPrivilege	1760	{0547C63F-7C6A-4de5-855D-B21D3D7BA201}.exe
Token: SeIncBasePriorityPrivilege	2448	{0CCB96E6-040C-45df-BD59-F5C13B1DD6D6}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3044 wrote to memory of 2444	3044	2024-06-04_5477ea7d1f5b256a99383c91b27c6f21_goldeneye.exe	28
PID 3044 wrote to memory of 2444	3044	2024-06-04_5477ea7d1f5b256a99383c91b27c6f21_goldeneye.exe	28
PID 3044 wrote to memory of 2444	3044	2024-06-04_5477ea7d1f5b256a99383c91b27c6f21_goldeneye.exe	28
PID 3044 wrote to memory of 2444	3044	2024-06-04_5477ea7d1f5b256a99383c91b27c6f21_goldeneye.exe	28
PID 3044 wrote to memory of 2788	3044	2024-06-04_5477ea7d1f5b256a99383c91b27c6f21_goldeneye.exe	29
PID 3044 wrote to memory of 2788	3044	2024-06-04_5477ea7d1f5b256a99383c91b27c6f21_goldeneye.exe	29
PID 3044 wrote to memory of 2788	3044	2024-06-04_5477ea7d1f5b256a99383c91b27c6f21_goldeneye.exe	29
PID 3044 wrote to memory of 2788	3044	2024-06-04_5477ea7d1f5b256a99383c91b27c6f21_goldeneye.exe	29
PID 2444 wrote to memory of 2716	2444	{489F3107-F0CA-4a87-A829-A376A82F3062}.exe	30
PID 2444 wrote to memory of 2716	2444	{489F3107-F0CA-4a87-A829-A376A82F3062}.exe	30
PID 2444 wrote to memory of 2716	2444	{489F3107-F0CA-4a87-A829-A376A82F3062}.exe	30
PID 2444 wrote to memory of 2716	2444	{489F3107-F0CA-4a87-A829-A376A82F3062}.exe	30
PID 2444 wrote to memory of 2884	2444	{489F3107-F0CA-4a87-A829-A376A82F3062}.exe	31
PID 2444 wrote to memory of 2884	2444	{489F3107-F0CA-4a87-A829-A376A82F3062}.exe	31
PID 2444 wrote to memory of 2884	2444	{489F3107-F0CA-4a87-A829-A376A82F3062}.exe	31
PID 2444 wrote to memory of 2884	2444	{489F3107-F0CA-4a87-A829-A376A82F3062}.exe	31
PID 2716 wrote to memory of 2604	2716	{70D722D7-27A9-4951-9BD3-DD4D96FB8C3A}.exe	32
PID 2716 wrote to memory of 2604	2716	{70D722D7-27A9-4951-9BD3-DD4D96FB8C3A}.exe	32
PID 2716 wrote to memory of 2604	2716	{70D722D7-27A9-4951-9BD3-DD4D96FB8C3A}.exe	32
PID 2716 wrote to memory of 2604	2716	{70D722D7-27A9-4951-9BD3-DD4D96FB8C3A}.exe	32
PID 2716 wrote to memory of 2520	2716	{70D722D7-27A9-4951-9BD3-DD4D96FB8C3A}.exe	33
PID 2716 wrote to memory of 2520	2716	{70D722D7-27A9-4951-9BD3-DD4D96FB8C3A}.exe	33
PID 2716 wrote to memory of 2520	2716	{70D722D7-27A9-4951-9BD3-DD4D96FB8C3A}.exe	33
PID 2716 wrote to memory of 2520	2716	{70D722D7-27A9-4951-9BD3-DD4D96FB8C3A}.exe	33
PID 2604 wrote to memory of 2544	2604	{FC0EF288-5F9A-45c6-A830-A77C9280BF14}.exe	36
PID 2604 wrote to memory of 2544	2604	{FC0EF288-5F9A-45c6-A830-A77C9280BF14}.exe	36
PID 2604 wrote to memory of 2544	2604	{FC0EF288-5F9A-45c6-A830-A77C9280BF14}.exe	36
PID 2604 wrote to memory of 2544	2604	{FC0EF288-5F9A-45c6-A830-A77C9280BF14}.exe	36
PID 2604 wrote to memory of 2988	2604	{FC0EF288-5F9A-45c6-A830-A77C9280BF14}.exe	37
PID 2604 wrote to memory of 2988	2604	{FC0EF288-5F9A-45c6-A830-A77C9280BF14}.exe	37
PID 2604 wrote to memory of 2988	2604	{FC0EF288-5F9A-45c6-A830-A77C9280BF14}.exe	37
PID 2604 wrote to memory of 2988	2604	{FC0EF288-5F9A-45c6-A830-A77C9280BF14}.exe	37
PID 2544 wrote to memory of 2664	2544	{54DB0E86-B8C3-4e67-B0C2-CE6E8AD19316}.exe	38
PID 2544 wrote to memory of 2664	2544	{54DB0E86-B8C3-4e67-B0C2-CE6E8AD19316}.exe	38
PID 2544 wrote to memory of 2664	2544	{54DB0E86-B8C3-4e67-B0C2-CE6E8AD19316}.exe	38
PID 2544 wrote to memory of 2664	2544	{54DB0E86-B8C3-4e67-B0C2-CE6E8AD19316}.exe	38
PID 2544 wrote to memory of 2744	2544	{54DB0E86-B8C3-4e67-B0C2-CE6E8AD19316}.exe	39
PID 2544 wrote to memory of 2744	2544	{54DB0E86-B8C3-4e67-B0C2-CE6E8AD19316}.exe	39
PID 2544 wrote to memory of 2744	2544	{54DB0E86-B8C3-4e67-B0C2-CE6E8AD19316}.exe	39
PID 2544 wrote to memory of 2744	2544	{54DB0E86-B8C3-4e67-B0C2-CE6E8AD19316}.exe	39
PID 2664 wrote to memory of 2948	2664	{16C865D1-2E7F-4ff0-8C2E-37255DA15DD7}.exe	40
PID 2664 wrote to memory of 2948	2664	{16C865D1-2E7F-4ff0-8C2E-37255DA15DD7}.exe	40
PID 2664 wrote to memory of 2948	2664	{16C865D1-2E7F-4ff0-8C2E-37255DA15DD7}.exe	40
PID 2664 wrote to memory of 2948	2664	{16C865D1-2E7F-4ff0-8C2E-37255DA15DD7}.exe	40
PID 2664 wrote to memory of 2420	2664	{16C865D1-2E7F-4ff0-8C2E-37255DA15DD7}.exe	41
PID 2664 wrote to memory of 2420	2664	{16C865D1-2E7F-4ff0-8C2E-37255DA15DD7}.exe	41
PID 2664 wrote to memory of 2420	2664	{16C865D1-2E7F-4ff0-8C2E-37255DA15DD7}.exe	41
PID 2664 wrote to memory of 2420	2664	{16C865D1-2E7F-4ff0-8C2E-37255DA15DD7}.exe	41
PID 2948 wrote to memory of 1040	2948	{2C3AD7FC-BC22-4667-89D5-3B958D70F30F}.exe	42
PID 2948 wrote to memory of 1040	2948	{2C3AD7FC-BC22-4667-89D5-3B958D70F30F}.exe	42
PID 2948 wrote to memory of 1040	2948	{2C3AD7FC-BC22-4667-89D5-3B958D70F30F}.exe	42
PID 2948 wrote to memory of 1040	2948	{2C3AD7FC-BC22-4667-89D5-3B958D70F30F}.exe	42
PID 2948 wrote to memory of 464	2948	{2C3AD7FC-BC22-4667-89D5-3B958D70F30F}.exe	43
PID 2948 wrote to memory of 464	2948	{2C3AD7FC-BC22-4667-89D5-3B958D70F30F}.exe	43
PID 2948 wrote to memory of 464	2948	{2C3AD7FC-BC22-4667-89D5-3B958D70F30F}.exe	43
PID 2948 wrote to memory of 464	2948	{2C3AD7FC-BC22-4667-89D5-3B958D70F30F}.exe	43
PID 1040 wrote to memory of 756	1040	{13286049-3F09-4aef-B636-A1B20B7FC0D8}.exe	44
PID 1040 wrote to memory of 756	1040	{13286049-3F09-4aef-B636-A1B20B7FC0D8}.exe	44
PID 1040 wrote to memory of 756	1040	{13286049-3F09-4aef-B636-A1B20B7FC0D8}.exe	44
PID 1040 wrote to memory of 756	1040	{13286049-3F09-4aef-B636-A1B20B7FC0D8}.exe	44
PID 1040 wrote to memory of 2552	1040	{13286049-3F09-4aef-B636-A1B20B7FC0D8}.exe	45
PID 1040 wrote to memory of 2552	1040	{13286049-3F09-4aef-B636-A1B20B7FC0D8}.exe	45
PID 1040 wrote to memory of 2552	1040	{13286049-3F09-4aef-B636-A1B20B7FC0D8}.exe	45
PID 1040 wrote to memory of 2552	1040	{13286049-3F09-4aef-B636-A1B20B7FC0D8}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-06-04_5477ea7d1f5b256a99383c91b27c6f21_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-04_5477ea7d1f5b256a99383c91b27c6f21_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3044
- C:\Windows\{489F3107-F0CA-4a87-A829-A376A82F3062}.exe
  C:\Windows\{489F3107-F0CA-4a87-A829-A376A82F3062}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2444
- - C:\Windows\{70D722D7-27A9-4951-9BD3-DD4D96FB8C3A}.exe
    C:\Windows\{70D722D7-27A9-4951-9BD3-DD4D96FB8C3A}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2716
  - - C:\Windows\{FC0EF288-5F9A-45c6-A830-A77C9280BF14}.exe
      C:\Windows\{FC0EF288-5F9A-45c6-A830-A77C9280BF14}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2604
    - - C:\Windows\{54DB0E86-B8C3-4e67-B0C2-CE6E8AD19316}.exe
        
        C:\Windows\{54DB0E86-B8C3-4e67-B0C2-CE6E8AD19316}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2544
      - C:\Windows\{16C865D1-2E7F-4ff0-8C2E-37255DA15DD7}.exe
        
        C:\Windows\{16C865D1-2E7F-4ff0-8C2E-37255DA15DD7}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2664
        
        C:\Windows\{2C3AD7FC-BC22-4667-89D5-3B958D70F30F}.exe
        
        C:\Windows\{2C3AD7FC-BC22-4667-89D5-3B958D70F30F}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2948
        
        C:\Windows\{13286049-3F09-4aef-B636-A1B20B7FC0D8}.exe
        
        C:\Windows\{13286049-3F09-4aef-B636-A1B20B7FC0D8}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1040
        
        C:\Windows\{70123D9D-BDD9-4334-A944-90F0F27264B5}.exe
        
        C:\Windows\{70123D9D-BDD9-4334-A944-90F0F27264B5}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:756
        
        C:\Windows\{0547C63F-7C6A-4de5-855D-B21D3D7BA201}.exe
        
        C:\Windows\{0547C63F-7C6A-4de5-855D-B21D3D7BA201}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1760
        
        C:\Windows\{0CCB96E6-040C-45df-BD59-F5C13B1DD6D6}.exe
        
        C:\Windows\{0CCB96E6-040C-45df-BD59-F5C13B1DD6D6}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2448
        
        C:\Windows\{6E0FA8D9-04AA-4bc5-BE95-EBFAE56F288F}.exe
        
        C:\Windows\{6E0FA8D9-04AA-4bc5-BE95-EBFAE56F288F}.exe
        12⤵
        Executes dropped EXE
        
        PID:772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0CCB9~1.EXE > nul
        12⤵
        
        PID:780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0547C~1.EXE > nul
        11⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{70123~1.EXE > nul
        10⤵
        
        PID:1372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{13286~1.EXE > nul
        9⤵
        
        PID:2552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2C3AD~1.EXE > nul
        8⤵
        
        PID:464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{16C86~1.EXE > nul
        7⤵
        
        PID:2420
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{54DB0~1.EXE > nul
        6⤵
        
        PID:2744
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FC0EF~1.EXE > nul
        5⤵
        
        PID:2988
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{70D72~1.EXE > nul
      4⤵
      PID:2520
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{489F3~1.EXE > nul
    3⤵
    PID:2884
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0547C63F-7C6A-4de5-855D-B21D3D7BA201}.exe

Filesize
204KB

MD5
d8c787bfc2d0dca19012909227e2bb88

SHA1
e0f18706e40bf68f1b6aa0199f20f5c656764b2b

SHA256
11740988fcf133cb76e822be4ed91afc3020ff20ef9c4fb12c2255ce1b34f3b0

SHA512
3d8bed75027983e63eee1f4c0292846aa4738696b5d40f3ddfb71c008476829c86a45aeb0fbe0029158ec4a554a6b4e1d2d3e5d909c086f2468c6f5c881dd3bf

Download Submit
C:\Windows\{0CCB96E6-040C-45df-BD59-F5C13B1DD6D6}.exe

Filesize
204KB

MD5
597ba80fb7a8023d979759a83fb0bea0

SHA1
ca62a001cb3545b9933b7c7fdf66e8fc3478f944

SHA256
ec97aae27ed1c4dbabdd00a3d80eeee6cb35ade7f6d879bd467f4639c8f5dc31

SHA512
15e6f1ddae5c7964a407bc8d60196dfd930de00ce38e8c87bf509fad0a8ac7e42ffdf49a1052b73eafab51e9262e52be169b5c341df957132bc4af863a9c9861

Download Submit
C:\Windows\{13286049-3F09-4aef-B636-A1B20B7FC0D8}.exe

Filesize
204KB

MD5
06ee1bbba562103cee1fc5781a673a4d

SHA1
ad5f1f2f9a78beb4fa2b8ef1bba155c6648da4b8

SHA256
a1001a2a77650dc4a477a39b3616e59974ef879826195ca8f14a10938a2b39ed

SHA512
fe3134ee78585dbfb047de103e24117893b4313673700aae00931a72c48720e439e72385741c2978d9df0ae69038b703d3069aaf364f2db7decb2797eb4a1371

Download Submit
C:\Windows\{16C865D1-2E7F-4ff0-8C2E-37255DA15DD7}.exe

Filesize
204KB

MD5
b2f510afa3b679e2316e9551a187aaf3

SHA1
869e0364373e2923eadc45e8bcffc22ad73aedec

SHA256
98c328d9e363fb09e09095e9aef9cad7b8b17f17527b273515411811cc9e9041

SHA512
9911384d47191e3e3f6b4843a5648cd9b3def30c8c6ceacf7316789b4287ba10bff1a33f912016e0e60c5aa8d2515b779569255c39bd2bb440feffc9db1bfb97

Download Submit
C:\Windows\{2C3AD7FC-BC22-4667-89D5-3B958D70F30F}.exe

Filesize
204KB

MD5
bbcc9bdc2ba9bf79272b35c36abbce52

SHA1
48302403139791b6ce27e74ad16c38c672b2af1b

SHA256
5a3cfd7491fc94d504e6a7d16858af071a2f61b92f4fde5e9650757d9a7f031a

SHA512
90e6c69e785f2eee150f56d4dc26cc1af3a161de61242abe6a9eee97246d7f55b7c91517eb7d71b682d29fa51f294c91033363fd0aeb50462533d664be561291

Download Submit
C:\Windows\{489F3107-F0CA-4a87-A829-A376A82F3062}.exe

Filesize
204KB

MD5
ebcafefc0edfd465881c4aa96d8e91c7

SHA1
bd7c15ce88b016114859824bab235a7c089ea6f4

SHA256
38b65db1351a52cbbcc588f2da0118d1026ee14e6b275806616f2d39cd37e61b

SHA512
09e2753cc4cfc6f8bf4a3aebc1e33f280a6576654425e3002bfaef3c35c3b969a0d82ea59d6e8bfabcb34ce4352eb42477e4f06ae5d041fcf968f69f42cfa545

Download Submit
C:\Windows\{54DB0E86-B8C3-4e67-B0C2-CE6E8AD19316}.exe

Filesize
204KB

MD5
a7735f4630b3bdd9d0c8384cfcc41c1e

SHA1
0960bf28ffdd7c5bd8077e5e03f6548eaced0bbb

SHA256
27a80e5d76713fb45e723287800505fc42a99f0b52149f75dd532b5923e79d82

SHA512
6ca193224d6f35cd0d64ace13d35efc6a64f5860f4840d82378f4c3963fd9e3241a112932b6ef5d45dd1148f8b28dd2d9f31ec127b572e3a27ccdecb1bdd8004

Download Submit
C:\Windows\{6E0FA8D9-04AA-4bc5-BE95-EBFAE56F288F}.exe

Filesize
204KB

MD5
306cf9a56a3ff15050c96c2a5fc64fcd

SHA1
641b7d618a2254b3bf810d51cb50354ca9aa1455

SHA256
9015856224a333a2ba15385db40a16e108606d09f1f89695d52a1fb29c2e8454

SHA512
391bbb44286786314ef1432fd109c05de367e5df50434a163b5a1518a47befe0a933ea57059475ac4afdbbd94161061a0d15e8004f1a165177c22004a0cc68ac

Download Submit
C:\Windows\{70123D9D-BDD9-4334-A944-90F0F27264B5}.exe

Filesize
204KB

MD5
7e48853c5efeca5b87ce90fa1b76ef51

SHA1
878f635e590ab9d3e4655c4487322a7936a40d52

SHA256
350a326117e95f5bab6fe40bdb382a752dcad7a2896f68e9de70f3526a15007a

SHA512
3c732ee29e514b148fe81450c3fcbd6865511cfcec4bf1f6f553dbc3981bef1947406c78f6b560e2a2f5d9b9664deac8e0e26dc5f78426ee9ae6144d2763400e

Download Submit
C:\Windows\{70D722D7-27A9-4951-9BD3-DD4D96FB8C3A}.exe

Filesize
204KB

MD5
e6bd8183048416219fcffe7e31cdd998

SHA1
eaf89bbee8ce0bb945f87faf2d0abd2ae413ebe1

SHA256
3b0af2f01946fc0195e2e6f17c180d18a16c4b00fbcb2527cfdef4f5e9ae1b58

SHA512
de7798acecb67c3be9d024ed727bf57bbf3818f441e0732813df4b0f6d44f4193c86387c67199ef624f44316e77f8870770c488fdb35b7db5444a810bfd61396

Download Submit
C:\Windows\{FC0EF288-5F9A-45c6-A830-A77C9280BF14}.exe

Filesize
204KB

MD5
f4205642999369f56c1dea1370b71ad9

SHA1
801ec82ce92ba14adeefdff5094d0c9345db0a27

SHA256
33e4b03ce5e69d29add36b44c71ac6298b653ea13672b118297b4bcc5331a6d1

SHA512
5d9086a96810f3e7bc90052200468b54d96d61a863cb6d8d5114bc7b053adc818e14f10f4bfdbb17d0106dbf6c204a907dd6ed7fd5cad6dca419dcfac26b91f1

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads