d3011b475b91aaaf3d13879c7aa0a03b6a4e52d8d05b636d43016f8fbdaf8894

Analysis

max time kernel
144s
max time network
120s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
18/01/2024, 23:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-18_9c62d91d0ea75c6ec352e67d8712afd0_goldeneye.exe
Size

180KB
MD5

9c62d91d0ea75c6ec352e67d8712afd0
SHA1

a325e2b640d503bf0f8190850b64eea6db385ef9
SHA256

d3011b475b91aaaf3d13879c7aa0a03b6a4e52d8d05b636d43016f8fbdaf8894
SHA512

f0083971ab0db3227ad795f5812644e8d5ffca472ff55f3d8c16d260f9bdaa627520c31dd23a49dcecea57220ee61d095a2c2b5bf4ff99ff5265274c7bd009a0
SSDEEP

3072:jEGh0o8lfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEG2l5eKcAEc

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000b000000014ac0-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000900000001560b-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000014ac0-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000015624-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000005a5a-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000014ac0-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000005a5a-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e000000014ac0-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000005a5a-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f000000014ac0-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000005a5a-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B8EC901F-51F1-493d-A151-114EDE76A982}	{CBECF26D-4F77-412e-AB77-917FFB64F0CA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B8EC901F-51F1-493d-A151-114EDE76A982}\stubpath = "C:\\Windows\\{B8EC901F-51F1-493d-A151-114EDE76A982}.exe"	{CBECF26D-4F77-412e-AB77-917FFB64F0CA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2B702A50-3A93-4d73-A5F7-2B1401DB0AF1}	{FC038A16-9FAE-4644-9C42-EE98D46928EB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2B702A50-3A93-4d73-A5F7-2B1401DB0AF1}\stubpath = "C:\\Windows\\{2B702A50-3A93-4d73-A5F7-2B1401DB0AF1}.exe"	{FC038A16-9FAE-4644-9C42-EE98D46928EB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6AD337AA-DFC8-4e81-A478-1841B5E11F96}	{94672578-A030-4f4f-8406-EDCAC3CF5FA2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BFE759DB-6F31-4d0d-991E-496E4152D655}	{6AD337AA-DFC8-4e81-A478-1841B5E11F96}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CBECF26D-4F77-412e-AB77-917FFB64F0CA}	{BFE759DB-6F31-4d0d-991E-496E4152D655}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CBECF26D-4F77-412e-AB77-917FFB64F0CA}\stubpath = "C:\\Windows\\{CBECF26D-4F77-412e-AB77-917FFB64F0CA}.exe"	{BFE759DB-6F31-4d0d-991E-496E4152D655}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2E6F7752-9EEB-42cc-A637-2C9D1DB4081F}	{D1BAA83A-C42D-4478-8150-8D2DCBB195C3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2E6F7752-9EEB-42cc-A637-2C9D1DB4081F}\stubpath = "C:\\Windows\\{2E6F7752-9EEB-42cc-A637-2C9D1DB4081F}.exe"	{D1BAA83A-C42D-4478-8150-8D2DCBB195C3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FC038A16-9FAE-4644-9C42-EE98D46928EB}\stubpath = "C:\\Windows\\{FC038A16-9FAE-4644-9C42-EE98D46928EB}.exe"	2024-01-18_9c62d91d0ea75c6ec352e67d8712afd0_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{94672578-A030-4f4f-8406-EDCAC3CF5FA2}	{2B702A50-3A93-4d73-A5F7-2B1401DB0AF1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7FEE7FDD-D955-45c1-B1F9-106F1FEDA366}	{B8EC901F-51F1-493d-A151-114EDE76A982}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7FEE7FDD-D955-45c1-B1F9-106F1FEDA366}\stubpath = "C:\\Windows\\{7FEE7FDD-D955-45c1-B1F9-106F1FEDA366}.exe"	{B8EC901F-51F1-493d-A151-114EDE76A982}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D1BAA83A-C42D-4478-8150-8D2DCBB195C3}\stubpath = "C:\\Windows\\{D1BAA83A-C42D-4478-8150-8D2DCBB195C3}.exe"	{D918131C-B5F9-4a39-B41F-04D615683A8F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BFE759DB-6F31-4d0d-991E-496E4152D655}\stubpath = "C:\\Windows\\{BFE759DB-6F31-4d0d-991E-496E4152D655}.exe"	{6AD337AA-DFC8-4e81-A478-1841B5E11F96}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D918131C-B5F9-4a39-B41F-04D615683A8F}	{7FEE7FDD-D955-45c1-B1F9-106F1FEDA366}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D918131C-B5F9-4a39-B41F-04D615683A8F}\stubpath = "C:\\Windows\\{D918131C-B5F9-4a39-B41F-04D615683A8F}.exe"	{7FEE7FDD-D955-45c1-B1F9-106F1FEDA366}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FC038A16-9FAE-4644-9C42-EE98D46928EB}	2024-01-18_9c62d91d0ea75c6ec352e67d8712afd0_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{94672578-A030-4f4f-8406-EDCAC3CF5FA2}\stubpath = "C:\\Windows\\{94672578-A030-4f4f-8406-EDCAC3CF5FA2}.exe"	{2B702A50-3A93-4d73-A5F7-2B1401DB0AF1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6AD337AA-DFC8-4e81-A478-1841B5E11F96}\stubpath = "C:\\Windows\\{6AD337AA-DFC8-4e81-A478-1841B5E11F96}.exe"	{94672578-A030-4f4f-8406-EDCAC3CF5FA2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D1BAA83A-C42D-4478-8150-8D2DCBB195C3}	{D918131C-B5F9-4a39-B41F-04D615683A8F}.exe

Deletes itself 1 IoCs

pid	Process
2160	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2240	{FC038A16-9FAE-4644-9C42-EE98D46928EB}.exe
2652	{2B702A50-3A93-4d73-A5F7-2B1401DB0AF1}.exe
2688	{94672578-A030-4f4f-8406-EDCAC3CF5FA2}.exe
2952	{6AD337AA-DFC8-4e81-A478-1841B5E11F96}.exe
2828	{BFE759DB-6F31-4d0d-991E-496E4152D655}.exe
2760	{CBECF26D-4F77-412e-AB77-917FFB64F0CA}.exe
2816	{B8EC901F-51F1-493d-A151-114EDE76A982}.exe
1648	{7FEE7FDD-D955-45c1-B1F9-106F1FEDA366}.exe
2116	{D918131C-B5F9-4a39-B41F-04D615683A8F}.exe
600	{D1BAA83A-C42D-4478-8150-8D2DCBB195C3}.exe
1936	{2E6F7752-9EEB-42cc-A637-2C9D1DB4081F}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{D918131C-B5F9-4a39-B41F-04D615683A8F}.exe	{7FEE7FDD-D955-45c1-B1F9-106F1FEDA366}.exe
File created	C:\Windows\{D1BAA83A-C42D-4478-8150-8D2DCBB195C3}.exe	{D918131C-B5F9-4a39-B41F-04D615683A8F}.exe
File created	C:\Windows\{94672578-A030-4f4f-8406-EDCAC3CF5FA2}.exe	{2B702A50-3A93-4d73-A5F7-2B1401DB0AF1}.exe
File created	C:\Windows\{6AD337AA-DFC8-4e81-A478-1841B5E11F96}.exe	{94672578-A030-4f4f-8406-EDCAC3CF5FA2}.exe
File created	C:\Windows\{BFE759DB-6F31-4d0d-991E-496E4152D655}.exe	{6AD337AA-DFC8-4e81-A478-1841B5E11F96}.exe
File created	C:\Windows\{CBECF26D-4F77-412e-AB77-917FFB64F0CA}.exe	{BFE759DB-6F31-4d0d-991E-496E4152D655}.exe
File created	C:\Windows\{B8EC901F-51F1-493d-A151-114EDE76A982}.exe	{CBECF26D-4F77-412e-AB77-917FFB64F0CA}.exe
File created	C:\Windows\{7FEE7FDD-D955-45c1-B1F9-106F1FEDA366}.exe	{B8EC901F-51F1-493d-A151-114EDE76A982}.exe
File created	C:\Windows\{2E6F7752-9EEB-42cc-A637-2C9D1DB4081F}.exe	{D1BAA83A-C42D-4478-8150-8D2DCBB195C3}.exe
File created	C:\Windows\{FC038A16-9FAE-4644-9C42-EE98D46928EB}.exe	2024-01-18_9c62d91d0ea75c6ec352e67d8712afd0_goldeneye.exe
File created	C:\Windows\{2B702A50-3A93-4d73-A5F7-2B1401DB0AF1}.exe	{FC038A16-9FAE-4644-9C42-EE98D46928EB}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2348	2024-01-18_9c62d91d0ea75c6ec352e67d8712afd0_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2240	{FC038A16-9FAE-4644-9C42-EE98D46928EB}.exe
Token: SeIncBasePriorityPrivilege	2652	{2B702A50-3A93-4d73-A5F7-2B1401DB0AF1}.exe
Token: SeIncBasePriorityPrivilege	2688	{94672578-A030-4f4f-8406-EDCAC3CF5FA2}.exe
Token: SeIncBasePriorityPrivilege	2952	{6AD337AA-DFC8-4e81-A478-1841B5E11F96}.exe
Token: SeIncBasePriorityPrivilege	2828	{BFE759DB-6F31-4d0d-991E-496E4152D655}.exe
Token: SeIncBasePriorityPrivilege	2760	{CBECF26D-4F77-412e-AB77-917FFB64F0CA}.exe
Token: SeIncBasePriorityPrivilege	2816	{B8EC901F-51F1-493d-A151-114EDE76A982}.exe
Token: SeIncBasePriorityPrivilege	1648	{7FEE7FDD-D955-45c1-B1F9-106F1FEDA366}.exe
Token: SeIncBasePriorityPrivilege	2116	{D918131C-B5F9-4a39-B41F-04D615683A8F}.exe
Token: SeIncBasePriorityPrivilege	600	{D1BAA83A-C42D-4478-8150-8D2DCBB195C3}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2348 wrote to memory of 2240	2348	2024-01-18_9c62d91d0ea75c6ec352e67d8712afd0_goldeneye.exe	28
PID 2348 wrote to memory of 2240	2348	2024-01-18_9c62d91d0ea75c6ec352e67d8712afd0_goldeneye.exe	28
PID 2348 wrote to memory of 2240	2348	2024-01-18_9c62d91d0ea75c6ec352e67d8712afd0_goldeneye.exe	28
PID 2348 wrote to memory of 2240	2348	2024-01-18_9c62d91d0ea75c6ec352e67d8712afd0_goldeneye.exe	28
PID 2348 wrote to memory of 2160	2348	2024-01-18_9c62d91d0ea75c6ec352e67d8712afd0_goldeneye.exe	29
PID 2348 wrote to memory of 2160	2348	2024-01-18_9c62d91d0ea75c6ec352e67d8712afd0_goldeneye.exe	29
PID 2348 wrote to memory of 2160	2348	2024-01-18_9c62d91d0ea75c6ec352e67d8712afd0_goldeneye.exe	29
PID 2348 wrote to memory of 2160	2348	2024-01-18_9c62d91d0ea75c6ec352e67d8712afd0_goldeneye.exe	29
PID 2240 wrote to memory of 2652	2240	{FC038A16-9FAE-4644-9C42-EE98D46928EB}.exe	30
PID 2240 wrote to memory of 2652	2240	{FC038A16-9FAE-4644-9C42-EE98D46928EB}.exe	30
PID 2240 wrote to memory of 2652	2240	{FC038A16-9FAE-4644-9C42-EE98D46928EB}.exe	30
PID 2240 wrote to memory of 2652	2240	{FC038A16-9FAE-4644-9C42-EE98D46928EB}.exe	30
PID 2240 wrote to memory of 2596	2240	{FC038A16-9FAE-4644-9C42-EE98D46928EB}.exe	31
PID 2240 wrote to memory of 2596	2240	{FC038A16-9FAE-4644-9C42-EE98D46928EB}.exe	31
PID 2240 wrote to memory of 2596	2240	{FC038A16-9FAE-4644-9C42-EE98D46928EB}.exe	31
PID 2240 wrote to memory of 2596	2240	{FC038A16-9FAE-4644-9C42-EE98D46928EB}.exe	31
PID 2652 wrote to memory of 2688	2652	{2B702A50-3A93-4d73-A5F7-2B1401DB0AF1}.exe	32
PID 2652 wrote to memory of 2688	2652	{2B702A50-3A93-4d73-A5F7-2B1401DB0AF1}.exe	32
PID 2652 wrote to memory of 2688	2652	{2B702A50-3A93-4d73-A5F7-2B1401DB0AF1}.exe	32
PID 2652 wrote to memory of 2688	2652	{2B702A50-3A93-4d73-A5F7-2B1401DB0AF1}.exe	32
PID 2652 wrote to memory of 2620	2652	{2B702A50-3A93-4d73-A5F7-2B1401DB0AF1}.exe	33
PID 2652 wrote to memory of 2620	2652	{2B702A50-3A93-4d73-A5F7-2B1401DB0AF1}.exe	33
PID 2652 wrote to memory of 2620	2652	{2B702A50-3A93-4d73-A5F7-2B1401DB0AF1}.exe	33
PID 2652 wrote to memory of 2620	2652	{2B702A50-3A93-4d73-A5F7-2B1401DB0AF1}.exe	33
PID 2688 wrote to memory of 2952	2688	{94672578-A030-4f4f-8406-EDCAC3CF5FA2}.exe	36
PID 2688 wrote to memory of 2952	2688	{94672578-A030-4f4f-8406-EDCAC3CF5FA2}.exe	36
PID 2688 wrote to memory of 2952	2688	{94672578-A030-4f4f-8406-EDCAC3CF5FA2}.exe	36
PID 2688 wrote to memory of 2952	2688	{94672578-A030-4f4f-8406-EDCAC3CF5FA2}.exe	36
PID 2688 wrote to memory of 1484	2688	{94672578-A030-4f4f-8406-EDCAC3CF5FA2}.exe	37
PID 2688 wrote to memory of 1484	2688	{94672578-A030-4f4f-8406-EDCAC3CF5FA2}.exe	37
PID 2688 wrote to memory of 1484	2688	{94672578-A030-4f4f-8406-EDCAC3CF5FA2}.exe	37
PID 2688 wrote to memory of 1484	2688	{94672578-A030-4f4f-8406-EDCAC3CF5FA2}.exe	37
PID 2952 wrote to memory of 2828	2952	{6AD337AA-DFC8-4e81-A478-1841B5E11F96}.exe	39
PID 2952 wrote to memory of 2828	2952	{6AD337AA-DFC8-4e81-A478-1841B5E11F96}.exe	39
PID 2952 wrote to memory of 2828	2952	{6AD337AA-DFC8-4e81-A478-1841B5E11F96}.exe	39
PID 2952 wrote to memory of 2828	2952	{6AD337AA-DFC8-4e81-A478-1841B5E11F96}.exe	39
PID 2952 wrote to memory of 2924	2952	{6AD337AA-DFC8-4e81-A478-1841B5E11F96}.exe	38
PID 2952 wrote to memory of 2924	2952	{6AD337AA-DFC8-4e81-A478-1841B5E11F96}.exe	38
PID 2952 wrote to memory of 2924	2952	{6AD337AA-DFC8-4e81-A478-1841B5E11F96}.exe	38
PID 2952 wrote to memory of 2924	2952	{6AD337AA-DFC8-4e81-A478-1841B5E11F96}.exe	38
PID 2828 wrote to memory of 2760	2828	{BFE759DB-6F31-4d0d-991E-496E4152D655}.exe	40
PID 2828 wrote to memory of 2760	2828	{BFE759DB-6F31-4d0d-991E-496E4152D655}.exe	40
PID 2828 wrote to memory of 2760	2828	{BFE759DB-6F31-4d0d-991E-496E4152D655}.exe	40
PID 2828 wrote to memory of 2760	2828	{BFE759DB-6F31-4d0d-991E-496E4152D655}.exe	40
PID 2828 wrote to memory of 2176	2828	{BFE759DB-6F31-4d0d-991E-496E4152D655}.exe	41
PID 2828 wrote to memory of 2176	2828	{BFE759DB-6F31-4d0d-991E-496E4152D655}.exe	41
PID 2828 wrote to memory of 2176	2828	{BFE759DB-6F31-4d0d-991E-496E4152D655}.exe	41
PID 2828 wrote to memory of 2176	2828	{BFE759DB-6F31-4d0d-991E-496E4152D655}.exe	41
PID 2760 wrote to memory of 2816	2760	{CBECF26D-4F77-412e-AB77-917FFB64F0CA}.exe	42
PID 2760 wrote to memory of 2816	2760	{CBECF26D-4F77-412e-AB77-917FFB64F0CA}.exe	42
PID 2760 wrote to memory of 2816	2760	{CBECF26D-4F77-412e-AB77-917FFB64F0CA}.exe	42
PID 2760 wrote to memory of 2816	2760	{CBECF26D-4F77-412e-AB77-917FFB64F0CA}.exe	42
PID 2760 wrote to memory of 2812	2760	{CBECF26D-4F77-412e-AB77-917FFB64F0CA}.exe	43
PID 2760 wrote to memory of 2812	2760	{CBECF26D-4F77-412e-AB77-917FFB64F0CA}.exe	43
PID 2760 wrote to memory of 2812	2760	{CBECF26D-4F77-412e-AB77-917FFB64F0CA}.exe	43
PID 2760 wrote to memory of 2812	2760	{CBECF26D-4F77-412e-AB77-917FFB64F0CA}.exe	43
PID 2816 wrote to memory of 1648	2816	{B8EC901F-51F1-493d-A151-114EDE76A982}.exe	45
PID 2816 wrote to memory of 1648	2816	{B8EC901F-51F1-493d-A151-114EDE76A982}.exe	45
PID 2816 wrote to memory of 1648	2816	{B8EC901F-51F1-493d-A151-114EDE76A982}.exe	45
PID 2816 wrote to memory of 1648	2816	{B8EC901F-51F1-493d-A151-114EDE76A982}.exe	45
PID 2816 wrote to memory of 1800	2816	{B8EC901F-51F1-493d-A151-114EDE76A982}.exe	44
PID 2816 wrote to memory of 1800	2816	{B8EC901F-51F1-493d-A151-114EDE76A982}.exe	44
PID 2816 wrote to memory of 1800	2816	{B8EC901F-51F1-493d-A151-114EDE76A982}.exe	44
PID 2816 wrote to memory of 1800	2816	{B8EC901F-51F1-493d-A151-114EDE76A982}.exe	44

C:\Users\Admin\AppData\Local\Temp\2024-01-18_9c62d91d0ea75c6ec352e67d8712afd0_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-18_9c62d91d0ea75c6ec352e67d8712afd0_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2348
- C:\Windows\{FC038A16-9FAE-4644-9C42-EE98D46928EB}.exe
  C:\Windows\{FC038A16-9FAE-4644-9C42-EE98D46928EB}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2240
- - C:\Windows\{2B702A50-3A93-4d73-A5F7-2B1401DB0AF1}.exe
    C:\Windows\{2B702A50-3A93-4d73-A5F7-2B1401DB0AF1}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2652
  - - C:\Windows\{94672578-A030-4f4f-8406-EDCAC3CF5FA2}.exe
      C:\Windows\{94672578-A030-4f4f-8406-EDCAC3CF5FA2}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2688
    - - C:\Windows\{6AD337AA-DFC8-4e81-A478-1841B5E11F96}.exe
        
        C:\Windows\{6AD337AA-DFC8-4e81-A478-1841B5E11F96}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2952
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6AD33~1.EXE > nul
        6⤵
        
        PID:2924
      - C:\Windows\{BFE759DB-6F31-4d0d-991E-496E4152D655}.exe
        
        C:\Windows\{BFE759DB-6F31-4d0d-991E-496E4152D655}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2828
        
        C:\Windows\{CBECF26D-4F77-412e-AB77-917FFB64F0CA}.exe
        
        C:\Windows\{CBECF26D-4F77-412e-AB77-917FFB64F0CA}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2760
        
        C:\Windows\{B8EC901F-51F1-493d-A151-114EDE76A982}.exe
        
        C:\Windows\{B8EC901F-51F1-493d-A151-114EDE76A982}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B8EC9~1.EXE > nul
        9⤵
        
        PID:1800
        
        C:\Windows\{7FEE7FDD-D955-45c1-B1F9-106F1FEDA366}.exe
        
        C:\Windows\{7FEE7FDD-D955-45c1-B1F9-106F1FEDA366}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7FEE7~1.EXE > nul
        10⤵
        
        PID:2300
        
        C:\Windows\{D918131C-B5F9-4a39-B41F-04D615683A8F}.exe
        
        C:\Windows\{D918131C-B5F9-4a39-B41F-04D615683A8F}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2116
        
        C:\Windows\{D1BAA83A-C42D-4478-8150-8D2DCBB195C3}.exe
        
        C:\Windows\{D1BAA83A-C42D-4478-8150-8D2DCBB195C3}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:600
        
        C:\Windows\{2E6F7752-9EEB-42cc-A637-2C9D1DB4081F}.exe
        
        C:\Windows\{2E6F7752-9EEB-42cc-A637-2C9D1DB4081F}.exe
        12⤵
        Executes dropped EXE
        
        PID:1936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D1BAA~1.EXE > nul
        12⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D9181~1.EXE > nul
        11⤵
        
        PID:564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CBECF~1.EXE > nul
        8⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BFE75~1.EXE > nul
        7⤵
        
        PID:2176
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{94672~1.EXE > nul
        5⤵
        
        PID:1484
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{2B702~1.EXE > nul
      4⤵
      PID:2620
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{FC038~1.EXE > nul
    3⤵
    PID:2596
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2160

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{2B702A50-3A93-4d73-A5F7-2B1401DB0AF1}.exe

Filesize
180KB

MD5
73945624a15e71f1fb8c7f9da81c1e35

SHA1
2265b9208a72ccf503002ef408c50697727834a1

SHA256
afa7849359b909d8b8a5918a72aefb58a214203cec001a7122778582e4477e58

SHA512
897f85ff3283aa6515471a394b3d152f5abedaa37be64a077627fa55c7a2c5fc920ffdf3498bc8a83f63aed18919067f94508676d3fb528a7c7510450059ab11

Download Submit
C:\Windows\{2E6F7752-9EEB-42cc-A637-2C9D1DB4081F}.exe

Filesize
180KB

MD5
f6ddbb9112e20142867b4dc521b1053d

SHA1
07dae4c883c23c2b78617afaf891f6cd3176d9fc

SHA256
19c816c36ade6ab1b5250a0d69c08db8b1f00427a7977193721c6333dcb88903

SHA512
6e4ebd39ec3ba513730549829a0c54f8aa06c43677ba652566d7396fb24fe9acc042f92adff8c08ea7ee10a58bd53b48090e458b4d7cf5291e7560d2e3c32d82

Download Submit
C:\Windows\{6AD337AA-DFC8-4e81-A478-1841B5E11F96}.exe

Filesize
180KB

MD5
5f1c27ed8d42b0fbc4b8fe4d96f40d4f

SHA1
2d4deb73b5287b3550de639c87e6262c2121cc86

SHA256
9d64c99cb553de9e9bfa2a65cde3e750037adfcb65aacb506a5961e636b5a575

SHA512
8e1a290579de9ff99a5a2c0839d5261530054b141eaf94d7f1069da959e6eae465ba2224f526988c99b8b9d978c963ec6e6126f0a72ae2e64d78476007567dd9

Download Submit
C:\Windows\{7FEE7FDD-D955-45c1-B1F9-106F1FEDA366}.exe

Filesize
180KB

MD5
470bad468bb410a1e2e97171c9d413dc

SHA1
b229e41ec7279e4c8f36a06fbb4b30dcab6a33c1

SHA256
6f915579fe02ecf5a72f870c99f8fb42210a5c8ad47b758f6dc244292c69f58c

SHA512
9b9982b44dda34768a1e0a181f2aac3f161c18c16311751439dad44683affbbf3ce0d54d62f38d9ca74f7316ed39a07eb9cda10b12b9621986cd1a4e46ba52a0

Download Submit
C:\Windows\{94672578-A030-4f4f-8406-EDCAC3CF5FA2}.exe

Filesize
180KB

MD5
cbacc86b56e69e602e3698d970db42dc

SHA1
de3a3c12734c86a5c08284b2761bb0e8339f3c85

SHA256
2c01270113a660291e620da1c2e526549cb5bae9b6875b73c1da56acd9a6cfd6

SHA512
a73e4c02119c8d8111827597ee7c22250ac1d1a4ebf64460f969b8bd17d1fa1fcf3b8889501ec1ccdf2f03c4104dfcec096be03a1fb6a486486494f54d898211

Download Submit
C:\Windows\{B8EC901F-51F1-493d-A151-114EDE76A982}.exe

Filesize
180KB

MD5
29d3e3b1d9c5d46aa4d7986d41e5e8c1

SHA1
c4a36beaba4a053aff50167a48408ef45535fef0

SHA256
ad29b7d5c9db22292ffea34c5dc69db4c069c94138ed56de224c0e2bc6c460ec

SHA512
3af65e8864934bd8e149e650a4e69fca8d563b22eb8d05b84ea7b934f28f82240dcd8833ba2a8f6ab01d07cc8b94655639a83aa2cf1fccf04d96bfb137085d54

Download Submit
C:\Windows\{BFE759DB-6F31-4d0d-991E-496E4152D655}.exe

Filesize
180KB

MD5
89ddcd206b44494e79689c9efd57496d

SHA1
f6372401669f071600c485cff38f757648289650

SHA256
51f18f2dcd9ca5822ce8a1581062a1cd1d1290dd9727576dd0534f1c7956d889

SHA512
fda0c06984c2fdfaaf08f056be797fdb8fc1d9b13b79ba758aa03ccbf600786ba2db9b0d50114b10f27db47282c13be7a209a8c8158608bd516219c0ad80fc2d

Download Submit
C:\Windows\{CBECF26D-4F77-412e-AB77-917FFB64F0CA}.exe

Filesize
180KB

MD5
0b39502a61daa07abec000fe483fe9d9

SHA1
856ffdec300d1d0fe0b41c2f102414f27acef478

SHA256
8b3c5bd7041c3f041eb6bf0a5b09e933be8d4dda73e85a9f9319fa3222984c66

SHA512
587018c80153dd949d9f735157d9d90e9f4a8fb157a459b764340f7bcf3e42562745160b7bbc53544e077aa4efce2240fe7877ff3f23e421cf36d5d11c99926f

Download Submit
C:\Windows\{D1BAA83A-C42D-4478-8150-8D2DCBB195C3}.exe

Filesize
180KB

MD5
b93828e832f87a70b64dc5525a17946c

SHA1
ef9f314b1ff1a67232a710bffbaebe867c08446b

SHA256
2fa18a0b4ac0657108eaa9c23b2099a91debd33ba0f357e428e2eee9abe272d3

SHA512
06888075c58f6f78369afc443ba2badbb6adeb20d7a19838956708f93246f00d42a015a059f4d982d098e300408f8e206014c6cbc90047ec04b6650694739572

Download Submit
C:\Windows\{D918131C-B5F9-4a39-B41F-04D615683A8F}.exe

Filesize
180KB

MD5
f35c7e408f9fcc681c257c3264b8956e

SHA1
bac486bdd394f652f54d358288ec7562cae4bd6c

SHA256
13ba2ccc214d592aa1a5d514b78114f466acb8927c2d21a47d99e91b7b0e60d6

SHA512
94bb6fb8f2b4063d2bcb87bf4f15b346a20c92ba44e4224dc351fd2a51646214a58b7aa0bd869c794134330bc9e36bc38c4bfb09fef76050c526be16a607f6ca

Download Submit
C:\Windows\{FC038A16-9FAE-4644-9C42-EE98D46928EB}.exe

Filesize
180KB

MD5
3e5ed16c1b5822f6c284f4cdaf5c6ee4

SHA1
61f750f5b0552048e1c91fa6702b97ae2c7c8bdb

SHA256
e511b133f5af6b0fbac0497a665ca1617b8ac81cc6c139ffed4218ad4a144c88

SHA512
72067696ba79bb60145f3351b77dc5c3c6f4024c32be07dc0f2fabdc63f43a3001c65de5dc9f911e1493325e3fa691234624df1da8bca7714649c42fabe3875f

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads