49fac542510ca9786014f13c0f7a11ca9e295902cdcadeeef4941460b9e81f35

Analysis

max time kernel
144s
max time network
123s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
11-06-2024 12:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-11_07f5b0e454e04d3818d62a1c20854ebf_goldeneye.exe
Size

380KB
MD5

07f5b0e454e04d3818d62a1c20854ebf
SHA1

fbde11c70e7d670e1fecc8eefd1aeae97cdb0fb2
SHA256

49fac542510ca9786014f13c0f7a11ca9e295902cdcadeeef4941460b9e81f35
SHA512

5b01e369f92225dc85b470e28728cc0e152316d1ec61cec3b9da64d42bdc4b307e4bc8b761e01280547ac76ec52d08580a03f4ac23cae17502a5a3f5f491fc20
SSDEEP

3072:mEGh0oRZlPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEct:mEGNl7Oe2MUVg3v2IneKcAEcARy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000c00000001480e-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0030000000014eb9-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d00000001480e-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x003000000001502c-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e00000001480e-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f00000001480e-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001000000001480e-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ACEF3922-40AB-4098-8F5A-F11E6037759C}	2024-06-11_07f5b0e454e04d3818d62a1c20854ebf_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0E3E1D97-1804-4b62-9563-854733D6F192}\stubpath = "C:\\Windows\\{0E3E1D97-1804-4b62-9563-854733D6F192}.exe"	{ACEF3922-40AB-4098-8F5A-F11E6037759C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BE07B5ED-4655-4db0-A12E-9E84860EA20F}	{0E3E1D97-1804-4b62-9563-854733D6F192}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BE07B5ED-4655-4db0-A12E-9E84860EA20F}\stubpath = "C:\\Windows\\{BE07B5ED-4655-4db0-A12E-9E84860EA20F}.exe"	{0E3E1D97-1804-4b62-9563-854733D6F192}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8A5DCF57-B9D8-4d36-8FDC-82398D40366C}\stubpath = "C:\\Windows\\{8A5DCF57-B9D8-4d36-8FDC-82398D40366C}.exe"	{BE07B5ED-4655-4db0-A12E-9E84860EA20F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{374FE4FF-EB08-4c8b-B72E-AAA9B82AA544}	{8A5DCF57-B9D8-4d36-8FDC-82398D40366C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{500967FF-1AF2-4007-85AB-03031B0A8F81}\stubpath = "C:\\Windows\\{500967FF-1AF2-4007-85AB-03031B0A8F81}.exe"	{16324CA4-3D94-4a89-BD40-8A72B43401CB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ACEF3922-40AB-4098-8F5A-F11E6037759C}\stubpath = "C:\\Windows\\{ACEF3922-40AB-4098-8F5A-F11E6037759C}.exe"	2024-06-11_07f5b0e454e04d3818d62a1c20854ebf_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0E3E1D97-1804-4b62-9563-854733D6F192}	{ACEF3922-40AB-4098-8F5A-F11E6037759C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3B36F428-61FD-4bcb-9978-28E3057544BE}\stubpath = "C:\\Windows\\{3B36F428-61FD-4bcb-9978-28E3057544BE}.exe"	{374FE4FF-EB08-4c8b-B72E-AAA9B82AA544}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{500967FF-1AF2-4007-85AB-03031B0A8F81}	{16324CA4-3D94-4a89-BD40-8A72B43401CB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8A5DCF57-B9D8-4d36-8FDC-82398D40366C}	{BE07B5ED-4655-4db0-A12E-9E84860EA20F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{374FE4FF-EB08-4c8b-B72E-AAA9B82AA544}\stubpath = "C:\\Windows\\{374FE4FF-EB08-4c8b-B72E-AAA9B82AA544}.exe"	{8A5DCF57-B9D8-4d36-8FDC-82398D40366C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3B36F428-61FD-4bcb-9978-28E3057544BE}	{374FE4FF-EB08-4c8b-B72E-AAA9B82AA544}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{97520EC3-17DA-4e95-B8F3-44D75D197540}	{3B36F428-61FD-4bcb-9978-28E3057544BE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{16324CA4-3D94-4a89-BD40-8A72B43401CB}	{C0D4B7C6-58C9-4bea-87C2-D9C64EC702AA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{97520EC3-17DA-4e95-B8F3-44D75D197540}\stubpath = "C:\\Windows\\{97520EC3-17DA-4e95-B8F3-44D75D197540}.exe"	{3B36F428-61FD-4bcb-9978-28E3057544BE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BF6743FA-2911-4da1-8D07-4109F104B026}	{97520EC3-17DA-4e95-B8F3-44D75D197540}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BF6743FA-2911-4da1-8D07-4109F104B026}\stubpath = "C:\\Windows\\{BF6743FA-2911-4da1-8D07-4109F104B026}.exe"	{97520EC3-17DA-4e95-B8F3-44D75D197540}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C0D4B7C6-58C9-4bea-87C2-D9C64EC702AA}	{BF6743FA-2911-4da1-8D07-4109F104B026}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C0D4B7C6-58C9-4bea-87C2-D9C64EC702AA}\stubpath = "C:\\Windows\\{C0D4B7C6-58C9-4bea-87C2-D9C64EC702AA}.exe"	{BF6743FA-2911-4da1-8D07-4109F104B026}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{16324CA4-3D94-4a89-BD40-8A72B43401CB}\stubpath = "C:\\Windows\\{16324CA4-3D94-4a89-BD40-8A72B43401CB}.exe"	{C0D4B7C6-58C9-4bea-87C2-D9C64EC702AA}.exe

Deletes itself 1 IoCs

pid	Process
2968	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
1928	{ACEF3922-40AB-4098-8F5A-F11E6037759C}.exe
2772	{0E3E1D97-1804-4b62-9563-854733D6F192}.exe
2692	{BE07B5ED-4655-4db0-A12E-9E84860EA20F}.exe
2316	{8A5DCF57-B9D8-4d36-8FDC-82398D40366C}.exe
2740	{374FE4FF-EB08-4c8b-B72E-AAA9B82AA544}.exe
1736	{3B36F428-61FD-4bcb-9978-28E3057544BE}.exe
2304	{97520EC3-17DA-4e95-B8F3-44D75D197540}.exe
2028	{BF6743FA-2911-4da1-8D07-4109F104B026}.exe
1892	{C0D4B7C6-58C9-4bea-87C2-D9C64EC702AA}.exe
1508	{16324CA4-3D94-4a89-BD40-8A72B43401CB}.exe
952	{500967FF-1AF2-4007-85AB-03031B0A8F81}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{BE07B5ED-4655-4db0-A12E-9E84860EA20F}.exe	{0E3E1D97-1804-4b62-9563-854733D6F192}.exe
File created	C:\Windows\{97520EC3-17DA-4e95-B8F3-44D75D197540}.exe	{3B36F428-61FD-4bcb-9978-28E3057544BE}.exe
File created	C:\Windows\{C0D4B7C6-58C9-4bea-87C2-D9C64EC702AA}.exe	{BF6743FA-2911-4da1-8D07-4109F104B026}.exe
File created	C:\Windows\{500967FF-1AF2-4007-85AB-03031B0A8F81}.exe	{16324CA4-3D94-4a89-BD40-8A72B43401CB}.exe
File created	C:\Windows\{0E3E1D97-1804-4b62-9563-854733D6F192}.exe	{ACEF3922-40AB-4098-8F5A-F11E6037759C}.exe
File created	C:\Windows\{8A5DCF57-B9D8-4d36-8FDC-82398D40366C}.exe	{BE07B5ED-4655-4db0-A12E-9E84860EA20F}.exe
File created	C:\Windows\{374FE4FF-EB08-4c8b-B72E-AAA9B82AA544}.exe	{8A5DCF57-B9D8-4d36-8FDC-82398D40366C}.exe
File created	C:\Windows\{3B36F428-61FD-4bcb-9978-28E3057544BE}.exe	{374FE4FF-EB08-4c8b-B72E-AAA9B82AA544}.exe
File created	C:\Windows\{BF6743FA-2911-4da1-8D07-4109F104B026}.exe	{97520EC3-17DA-4e95-B8F3-44D75D197540}.exe
File created	C:\Windows\{16324CA4-3D94-4a89-BD40-8A72B43401CB}.exe	{C0D4B7C6-58C9-4bea-87C2-D9C64EC702AA}.exe
File created	C:\Windows\{ACEF3922-40AB-4098-8F5A-F11E6037759C}.exe	2024-06-11_07f5b0e454e04d3818d62a1c20854ebf_goldeneye.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1956	2024-06-11_07f5b0e454e04d3818d62a1c20854ebf_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1928	{ACEF3922-40AB-4098-8F5A-F11E6037759C}.exe
Token: SeIncBasePriorityPrivilege	2772	{0E3E1D97-1804-4b62-9563-854733D6F192}.exe
Token: SeIncBasePriorityPrivilege	2692	{BE07B5ED-4655-4db0-A12E-9E84860EA20F}.exe
Token: SeIncBasePriorityPrivilege	2316	{8A5DCF57-B9D8-4d36-8FDC-82398D40366C}.exe
Token: SeIncBasePriorityPrivilege	2740	{374FE4FF-EB08-4c8b-B72E-AAA9B82AA544}.exe
Token: SeIncBasePriorityPrivilege	1736	{3B36F428-61FD-4bcb-9978-28E3057544BE}.exe
Token: SeIncBasePriorityPrivilege	2304	{97520EC3-17DA-4e95-B8F3-44D75D197540}.exe
Token: SeIncBasePriorityPrivilege	2028	{BF6743FA-2911-4da1-8D07-4109F104B026}.exe
Token: SeIncBasePriorityPrivilege	1892	{C0D4B7C6-58C9-4bea-87C2-D9C64EC702AA}.exe
Token: SeIncBasePriorityPrivilege	1508	{16324CA4-3D94-4a89-BD40-8A72B43401CB}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1956 wrote to memory of 1928	1956	2024-06-11_07f5b0e454e04d3818d62a1c20854ebf_goldeneye.exe	28
PID 1956 wrote to memory of 1928	1956	2024-06-11_07f5b0e454e04d3818d62a1c20854ebf_goldeneye.exe	28
PID 1956 wrote to memory of 1928	1956	2024-06-11_07f5b0e454e04d3818d62a1c20854ebf_goldeneye.exe	28
PID 1956 wrote to memory of 1928	1956	2024-06-11_07f5b0e454e04d3818d62a1c20854ebf_goldeneye.exe	28
PID 1956 wrote to memory of 2968	1956	2024-06-11_07f5b0e454e04d3818d62a1c20854ebf_goldeneye.exe	29
PID 1956 wrote to memory of 2968	1956	2024-06-11_07f5b0e454e04d3818d62a1c20854ebf_goldeneye.exe	29
PID 1956 wrote to memory of 2968	1956	2024-06-11_07f5b0e454e04d3818d62a1c20854ebf_goldeneye.exe	29
PID 1956 wrote to memory of 2968	1956	2024-06-11_07f5b0e454e04d3818d62a1c20854ebf_goldeneye.exe	29
PID 1928 wrote to memory of 2772	1928	{ACEF3922-40AB-4098-8F5A-F11E6037759C}.exe	30
PID 1928 wrote to memory of 2772	1928	{ACEF3922-40AB-4098-8F5A-F11E6037759C}.exe	30
PID 1928 wrote to memory of 2772	1928	{ACEF3922-40AB-4098-8F5A-F11E6037759C}.exe	30
PID 1928 wrote to memory of 2772	1928	{ACEF3922-40AB-4098-8F5A-F11E6037759C}.exe	30
PID 1928 wrote to memory of 2992	1928	{ACEF3922-40AB-4098-8F5A-F11E6037759C}.exe	31
PID 1928 wrote to memory of 2992	1928	{ACEF3922-40AB-4098-8F5A-F11E6037759C}.exe	31
PID 1928 wrote to memory of 2992	1928	{ACEF3922-40AB-4098-8F5A-F11E6037759C}.exe	31
PID 1928 wrote to memory of 2992	1928	{ACEF3922-40AB-4098-8F5A-F11E6037759C}.exe	31
PID 2772 wrote to memory of 2692	2772	{0E3E1D97-1804-4b62-9563-854733D6F192}.exe	32
PID 2772 wrote to memory of 2692	2772	{0E3E1D97-1804-4b62-9563-854733D6F192}.exe	32
PID 2772 wrote to memory of 2692	2772	{0E3E1D97-1804-4b62-9563-854733D6F192}.exe	32
PID 2772 wrote to memory of 2692	2772	{0E3E1D97-1804-4b62-9563-854733D6F192}.exe	32
PID 2772 wrote to memory of 2700	2772	{0E3E1D97-1804-4b62-9563-854733D6F192}.exe	33
PID 2772 wrote to memory of 2700	2772	{0E3E1D97-1804-4b62-9563-854733D6F192}.exe	33
PID 2772 wrote to memory of 2700	2772	{0E3E1D97-1804-4b62-9563-854733D6F192}.exe	33
PID 2772 wrote to memory of 2700	2772	{0E3E1D97-1804-4b62-9563-854733D6F192}.exe	33
PID 2692 wrote to memory of 2316	2692	{BE07B5ED-4655-4db0-A12E-9E84860EA20F}.exe	36
PID 2692 wrote to memory of 2316	2692	{BE07B5ED-4655-4db0-A12E-9E84860EA20F}.exe	36
PID 2692 wrote to memory of 2316	2692	{BE07B5ED-4655-4db0-A12E-9E84860EA20F}.exe	36
PID 2692 wrote to memory of 2316	2692	{BE07B5ED-4655-4db0-A12E-9E84860EA20F}.exe	36
PID 2692 wrote to memory of 1228	2692	{BE07B5ED-4655-4db0-A12E-9E84860EA20F}.exe	37
PID 2692 wrote to memory of 1228	2692	{BE07B5ED-4655-4db0-A12E-9E84860EA20F}.exe	37
PID 2692 wrote to memory of 1228	2692	{BE07B5ED-4655-4db0-A12E-9E84860EA20F}.exe	37
PID 2692 wrote to memory of 1228	2692	{BE07B5ED-4655-4db0-A12E-9E84860EA20F}.exe	37
PID 2316 wrote to memory of 2740	2316	{8A5DCF57-B9D8-4d36-8FDC-82398D40366C}.exe	38
PID 2316 wrote to memory of 2740	2316	{8A5DCF57-B9D8-4d36-8FDC-82398D40366C}.exe	38
PID 2316 wrote to memory of 2740	2316	{8A5DCF57-B9D8-4d36-8FDC-82398D40366C}.exe	38
PID 2316 wrote to memory of 2740	2316	{8A5DCF57-B9D8-4d36-8FDC-82398D40366C}.exe	38
PID 2316 wrote to memory of 2860	2316	{8A5DCF57-B9D8-4d36-8FDC-82398D40366C}.exe	39
PID 2316 wrote to memory of 2860	2316	{8A5DCF57-B9D8-4d36-8FDC-82398D40366C}.exe	39
PID 2316 wrote to memory of 2860	2316	{8A5DCF57-B9D8-4d36-8FDC-82398D40366C}.exe	39
PID 2316 wrote to memory of 2860	2316	{8A5DCF57-B9D8-4d36-8FDC-82398D40366C}.exe	39
PID 2740 wrote to memory of 1736	2740	{374FE4FF-EB08-4c8b-B72E-AAA9B82AA544}.exe	40
PID 2740 wrote to memory of 1736	2740	{374FE4FF-EB08-4c8b-B72E-AAA9B82AA544}.exe	40
PID 2740 wrote to memory of 1736	2740	{374FE4FF-EB08-4c8b-B72E-AAA9B82AA544}.exe	40
PID 2740 wrote to memory of 1736	2740	{374FE4FF-EB08-4c8b-B72E-AAA9B82AA544}.exe	40
PID 2740 wrote to memory of 1620	2740	{374FE4FF-EB08-4c8b-B72E-AAA9B82AA544}.exe	41
PID 2740 wrote to memory of 1620	2740	{374FE4FF-EB08-4c8b-B72E-AAA9B82AA544}.exe	41
PID 2740 wrote to memory of 1620	2740	{374FE4FF-EB08-4c8b-B72E-AAA9B82AA544}.exe	41
PID 2740 wrote to memory of 1620	2740	{374FE4FF-EB08-4c8b-B72E-AAA9B82AA544}.exe	41
PID 1736 wrote to memory of 2304	1736	{3B36F428-61FD-4bcb-9978-28E3057544BE}.exe	42
PID 1736 wrote to memory of 2304	1736	{3B36F428-61FD-4bcb-9978-28E3057544BE}.exe	42
PID 1736 wrote to memory of 2304	1736	{3B36F428-61FD-4bcb-9978-28E3057544BE}.exe	42
PID 1736 wrote to memory of 2304	1736	{3B36F428-61FD-4bcb-9978-28E3057544BE}.exe	42
PID 1736 wrote to memory of 1020	1736	{3B36F428-61FD-4bcb-9978-28E3057544BE}.exe	43
PID 1736 wrote to memory of 1020	1736	{3B36F428-61FD-4bcb-9978-28E3057544BE}.exe	43
PID 1736 wrote to memory of 1020	1736	{3B36F428-61FD-4bcb-9978-28E3057544BE}.exe	43
PID 1736 wrote to memory of 1020	1736	{3B36F428-61FD-4bcb-9978-28E3057544BE}.exe	43
PID 2304 wrote to memory of 2028	2304	{97520EC3-17DA-4e95-B8F3-44D75D197540}.exe	44
PID 2304 wrote to memory of 2028	2304	{97520EC3-17DA-4e95-B8F3-44D75D197540}.exe	44
PID 2304 wrote to memory of 2028	2304	{97520EC3-17DA-4e95-B8F3-44D75D197540}.exe	44
PID 2304 wrote to memory of 2028	2304	{97520EC3-17DA-4e95-B8F3-44D75D197540}.exe	44
PID 2304 wrote to memory of 2044	2304	{97520EC3-17DA-4e95-B8F3-44D75D197540}.exe	45
PID 2304 wrote to memory of 2044	2304	{97520EC3-17DA-4e95-B8F3-44D75D197540}.exe	45
PID 2304 wrote to memory of 2044	2304	{97520EC3-17DA-4e95-B8F3-44D75D197540}.exe	45
PID 2304 wrote to memory of 2044	2304	{97520EC3-17DA-4e95-B8F3-44D75D197540}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-06-11_07f5b0e454e04d3818d62a1c20854ebf_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-11_07f5b0e454e04d3818d62a1c20854ebf_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1956
- C:\Windows\{ACEF3922-40AB-4098-8F5A-F11E6037759C}.exe
  C:\Windows\{ACEF3922-40AB-4098-8F5A-F11E6037759C}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1928
- - C:\Windows\{0E3E1D97-1804-4b62-9563-854733D6F192}.exe
    C:\Windows\{0E3E1D97-1804-4b62-9563-854733D6F192}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2772
  - - C:\Windows\{BE07B5ED-4655-4db0-A12E-9E84860EA20F}.exe
      C:\Windows\{BE07B5ED-4655-4db0-A12E-9E84860EA20F}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2692
    - - C:\Windows\{8A5DCF57-B9D8-4d36-8FDC-82398D40366C}.exe
        
        C:\Windows\{8A5DCF57-B9D8-4d36-8FDC-82398D40366C}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2316
      - C:\Windows\{374FE4FF-EB08-4c8b-B72E-AAA9B82AA544}.exe
        
        C:\Windows\{374FE4FF-EB08-4c8b-B72E-AAA9B82AA544}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2740
        
        C:\Windows\{3B36F428-61FD-4bcb-9978-28E3057544BE}.exe
        
        C:\Windows\{3B36F428-61FD-4bcb-9978-28E3057544BE}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1736
        
        C:\Windows\{97520EC3-17DA-4e95-B8F3-44D75D197540}.exe
        
        C:\Windows\{97520EC3-17DA-4e95-B8F3-44D75D197540}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2304
        
        C:\Windows\{BF6743FA-2911-4da1-8D07-4109F104B026}.exe
        
        C:\Windows\{BF6743FA-2911-4da1-8D07-4109F104B026}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2028
        
        C:\Windows\{C0D4B7C6-58C9-4bea-87C2-D9C64EC702AA}.exe
        
        C:\Windows\{C0D4B7C6-58C9-4bea-87C2-D9C64EC702AA}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1892
        
        C:\Windows\{16324CA4-3D94-4a89-BD40-8A72B43401CB}.exe
        
        C:\Windows\{16324CA4-3D94-4a89-BD40-8A72B43401CB}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1508
        
        C:\Windows\{500967FF-1AF2-4007-85AB-03031B0A8F81}.exe
        
        C:\Windows\{500967FF-1AF2-4007-85AB-03031B0A8F81}.exe
        12⤵
        Executes dropped EXE
        
        PID:952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{16324~1.EXE > nul
        12⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C0D4B~1.EXE > nul
        11⤵
        
        PID:668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BF674~1.EXE > nul
        10⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{97520~1.EXE > nul
        9⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3B36F~1.EXE > nul
        8⤵
        
        PID:1020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{374FE~1.EXE > nul
        7⤵
        
        PID:1620
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8A5DC~1.EXE > nul
        6⤵
        
        PID:2860
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BE07B~1.EXE > nul
        5⤵
        
        PID:1228
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{0E3E1~1.EXE > nul
      4⤵
      PID:2700
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{ACEF3~1.EXE > nul
    3⤵
    PID:2992
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0E3E1D97-1804-4b62-9563-854733D6F192}.exe

Filesize
380KB

MD5
1e1eb819609a1f8a0195d3920534bcbd

SHA1
464327195a81064f0f4cd6f53f98eaf54e4654a7

SHA256
b02760f2c5ba0e75e818dd48f17a2da20fcafe6ca37c2628f891df3e7267af78

SHA512
05349a70ff29752afabaf3df7875f689066f53cf5c4cab5e8d78fd6dafdfad8e77162c1f11c0a088ccaaca8bf21b47215b092941ef51fd01999f00b4a2a7516e

Download Submit
C:\Windows\{16324CA4-3D94-4a89-BD40-8A72B43401CB}.exe

Filesize
380KB

MD5
1d9d6943b2f1c20a5c159ca952d770ed

SHA1
17209384c0a4e792af3cb903ded8d4fb03205fca

SHA256
8927cb22c0dd0eca2c620b3dc1d92416e3442037a80d53cf2afc2992eaf00e80

SHA512
86e39bce580a6a095dfd6f0621070144cd218956936ac747b3c55a00b27e191b3839487f6f4f90e14ed3205590b34bfd096a4ce27894d9967e2eacb292a5333f

Download Submit
C:\Windows\{374FE4FF-EB08-4c8b-B72E-AAA9B82AA544}.exe

Filesize
380KB

MD5
3b5645a34f504ada5d44ac3865536eed

SHA1
6d16835f15135607849ce3c933cb46b55165347c

SHA256
60cc5635bdaf94be1d9db4820c6cdc9d714450dd45c692b007a01a338e9749dd

SHA512
71b188161288a285edc0bbab9aa52cb65fdb6e15bb8feb185201f162342d273a17ba158e6cca4b02a9f7ccb0cde2746ff622779bc48f21db10c95eb36ce94fc1

Download Submit
C:\Windows\{3B36F428-61FD-4bcb-9978-28E3057544BE}.exe

Filesize
380KB

MD5
0949a499ee85437f3df191c93dc1691b

SHA1
c7344261fd833b2e68c3ea75bebbfdc78c4e42f2

SHA256
d76bda51579c9c92058c029ef3757b232032d5835887ddedcd1d97cac6790794

SHA512
c87aa43d438d6ebd244223296d37f7c407262b4144e1f25522ca6da8fcd1fc0a2c899a0efc12c74cccbcd655ed0b78277362c1e414c14b6ef728284ec06b4df7

Download Submit
C:\Windows\{500967FF-1AF2-4007-85AB-03031B0A8F81}.exe

Filesize
380KB

MD5
0a02557ab15a401e4b492008806562ec

SHA1
5afeca75310479d1bf5a4df3ded38960b4a86201

SHA256
5d4933338a4bc1f87f104ce69a678b38298c3164dc99172d43f0d0ba1123f19f

SHA512
84735638181f87e9f539673c678419fa68088b4896f0989f74698a85e6dd445639bc476e73e857e69e43e0312880f925ba27c9403bde577ec07829e6ec8eda11

Download Submit
C:\Windows\{8A5DCF57-B9D8-4d36-8FDC-82398D40366C}.exe

Filesize
380KB

MD5
0fa5f1369bec64bee2448e41ab2205d6

SHA1
dec7fa9ac54494beadd32efcda39715b9bff9f7d

SHA256
d7753aa4f640bd65d95633742cc183deaaffc003327a2e56b70d3379bc9b640c

SHA512
f0ecb8a26ff22264c790c62ca34a474549af1fb161b604700e2f55a38069a9dd05ef1cc4d2c8363aedd9a2fd825c5d8cca0389ed7a2ab85b3b563886e0eac797

Download Submit
C:\Windows\{97520EC3-17DA-4e95-B8F3-44D75D197540}.exe

Filesize
380KB

MD5
34c470076f2c08301bfb099fc7a85036

SHA1
057051fac51d8fdbb32e614ba1c8209c056cdb54

SHA256
9cc35675afc9827c8f5044640aad22b2cf2b7eb74e6a45754594e304d8fb30a8

SHA512
ab48885fe49a9c9b41f7659f3104bcd1d601e1e7f13c6b642efa78a5ccff9a7a7713950a2819ca20aaf4b02e2fdbd4e4898d141f860167d4dee813cc4c779136

Download Submit
C:\Windows\{ACEF3922-40AB-4098-8F5A-F11E6037759C}.exe

Filesize
380KB

MD5
3d423f2c45bfd0dc36ea8b6b76d3a336

SHA1
6c7fe5494e5630666136ff80d7af2841fff732ec

SHA256
18216165bb93cd9aacbcc62d558dcce12ed8f45d2c2a9c3af944b9bc12efd1ed

SHA512
3d9dcfa03288bf14efc653b42925534325f2c075d310562a7fae5dc4e781c69486e4113c8d70b5bf1d8c7ba551edf796bf11b2e77b3fd08474d83b3081988507

Download Submit
C:\Windows\{BE07B5ED-4655-4db0-A12E-9E84860EA20F}.exe

Filesize
380KB

MD5
47375e70b97cc03844c08559706d25bb

SHA1
29f6be7d0630bd74bee313cb26764a33d48a3672

SHA256
29e57601e1978b9789e9a5d85008f2933ef6345bf24142be9b8ce5b2e6f26128

SHA512
9fe6b935aa3b3831ce998acaf8cfb3a82edc46cb19d70aafd2fc34794e9f0db42eebee429b26cd659507c95e77fb2ecb05c55bd0b8e16597e297985b13fa6312

Download Submit
C:\Windows\{BF6743FA-2911-4da1-8D07-4109F104B026}.exe

Filesize
380KB

MD5
d744adb61ee6ab9b254c5f0e2ad2e690

SHA1
18cbc53777e93190bcb021a71bb7d1bd95d1793d

SHA256
b785b618a7b8fd70cb24c7aac3b373df7c1ef84135d4578c6656cacc831ac713

SHA512
8f0e2bd7d57f6f00f0c8399166a9b04e2e33ce5083e6078c71910b2f0becab788dac0850810d56312abfe1c663283419d1884526ec7d9f751c7ac0c8d90c4f64

Download Submit
C:\Windows\{C0D4B7C6-58C9-4bea-87C2-D9C64EC702AA}.exe

Filesize
380KB

MD5
bf959ac9c3c4a8fd2b48062ddb9b3ab9

SHA1
a3c7f7ecd06045c89fb1630fd9d4afa1c7d25930

SHA256
8126b74354ab58c8596bbee4ffd9c451ba629a05fbb138e525e2c7f7f1dd272d

SHA512
8b6a007bcc4daee470dafb435346d9d39ccd2456ec7ac6206740cff4feadfbda762a495742bb20d63d0284a3952fdf8d6e2f66256c7c91d0bbe7fe8a7881fe1c

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads