35f8575760187952cbc3b6d65c1c65c6341006e1a16fdbffa8b53b9a5db6f6be

Analysis

max time kernel
144s
max time network
121s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
24/01/2024, 00:48

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-01-24_dabd940fb1530a16e8905d87c87d627f_goldeneye.exe
Size

372KB
MD5

dabd940fb1530a16e8905d87c87d627f
SHA1

dab6bce74b2f234b8dcc227235c3d1cdbb8a4098
SHA256

35f8575760187952cbc3b6d65c1c65c6341006e1a16fdbffa8b53b9a5db6f6be
SHA512

d32d1c1dc7fcfab638cefa6a9ee9f96851de87239b132152300f93c98e7ed0d8025c62a8fac212e6aa39080d40a7dfe48f5a15eecb3ce315b5a9fad5d49abb74
SSDEEP

3072:CEGh0orlMOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBfM:CEGllkOe2MUVg3vTeKcAEciTBqr3

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 19 IoCs

resource	yara_rule
behavioral1/files/0x0009000000014120-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000014120-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00090000000141e6-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a000000014120-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00090000000141e6-13.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000900000001447e-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a000000014120-20.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000005a59-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000900000001447e-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b000000014120-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000005a59-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000005a59-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b000000014120-41.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000014120-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000005a59-48.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000005a59-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000014120-55.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000014120-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000005a59-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C042692D-6EEE-45f3-BFD3-E042442FBA90}\stubpath = "C:\\Windows\\{C042692D-6EEE-45f3-BFD3-E042442FBA90}.exe"	2024-01-24_dabd940fb1530a16e8905d87c87d627f_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2BCC5544-F47C-4d45-8ACB-3497C35122C2}	{C042692D-6EEE-45f3-BFD3-E042442FBA90}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{342CA0FB-2E34-436a-98D3-E78B6956A3B5}\stubpath = "C:\\Windows\\{342CA0FB-2E34-436a-98D3-E78B6956A3B5}.exe"	{8AB3C67B-5C46-48da-A637-86E0B3F00396}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{13CE2ABC-0AE7-49e5-91FB-925D9F5BC4D4}	{96D08B66-A6A8-4044-BD87-DB15D541E417}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{42C72E3D-619C-4543-8DC3-1193D6ECA637}\stubpath = "C:\\Windows\\{42C72E3D-619C-4543-8DC3-1193D6ECA637}.exe"	{9945EAF0-219B-4415-A408-4E4048499B95}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E48FA658-A3FA-4618-B677-331502D18493}\stubpath = "C:\\Windows\\{E48FA658-A3FA-4618-B677-331502D18493}.exe"	{3086D01C-0C60-4a26-AE9D-60E2CFB3F333}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C042692D-6EEE-45f3-BFD3-E042442FBA90}	2024-01-24_dabd940fb1530a16e8905d87c87d627f_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1D3E67EB-0328-4c15-9918-7BED87C989E1}	{42C72E3D-619C-4543-8DC3-1193D6ECA637}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3086D01C-0C60-4a26-AE9D-60E2CFB3F333}\stubpath = "C:\\Windows\\{3086D01C-0C60-4a26-AE9D-60E2CFB3F333}.exe"	{1D3E67EB-0328-4c15-9918-7BED87C989E1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{96D08B66-A6A8-4044-BD87-DB15D541E417}	{342CA0FB-2E34-436a-98D3-E78B6956A3B5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8AB3C67B-5C46-48da-A637-86E0B3F00396}\stubpath = "C:\\Windows\\{8AB3C67B-5C46-48da-A637-86E0B3F00396}.exe"	{2BCC5544-F47C-4d45-8ACB-3497C35122C2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{342CA0FB-2E34-436a-98D3-E78B6956A3B5}	{8AB3C67B-5C46-48da-A637-86E0B3F00396}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{96D08B66-A6A8-4044-BD87-DB15D541E417}\stubpath = "C:\\Windows\\{96D08B66-A6A8-4044-BD87-DB15D541E417}.exe"	{342CA0FB-2E34-436a-98D3-E78B6956A3B5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9945EAF0-219B-4415-A408-4E4048499B95}	{13CE2ABC-0AE7-49e5-91FB-925D9F5BC4D4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{42C72E3D-619C-4543-8DC3-1193D6ECA637}	{9945EAF0-219B-4415-A408-4E4048499B95}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1D3E67EB-0328-4c15-9918-7BED87C989E1}\stubpath = "C:\\Windows\\{1D3E67EB-0328-4c15-9918-7BED87C989E1}.exe"	{42C72E3D-619C-4543-8DC3-1193D6ECA637}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3086D01C-0C60-4a26-AE9D-60E2CFB3F333}	{1D3E67EB-0328-4c15-9918-7BED87C989E1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2BCC5544-F47C-4d45-8ACB-3497C35122C2}\stubpath = "C:\\Windows\\{2BCC5544-F47C-4d45-8ACB-3497C35122C2}.exe"	{C042692D-6EEE-45f3-BFD3-E042442FBA90}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E48FA658-A3FA-4618-B677-331502D18493}	{3086D01C-0C60-4a26-AE9D-60E2CFB3F333}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{13CE2ABC-0AE7-49e5-91FB-925D9F5BC4D4}\stubpath = "C:\\Windows\\{13CE2ABC-0AE7-49e5-91FB-925D9F5BC4D4}.exe"	{96D08B66-A6A8-4044-BD87-DB15D541E417}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9945EAF0-219B-4415-A408-4E4048499B95}\stubpath = "C:\\Windows\\{9945EAF0-219B-4415-A408-4E4048499B95}.exe"	{13CE2ABC-0AE7-49e5-91FB-925D9F5BC4D4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8AB3C67B-5C46-48da-A637-86E0B3F00396}	{2BCC5544-F47C-4d45-8ACB-3497C35122C2}.exe

Deletes itself 1 IoCs

pid	Process
2540	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2044	{C042692D-6EEE-45f3-BFD3-E042442FBA90}.exe
2652	{2BCC5544-F47C-4d45-8ACB-3497C35122C2}.exe
2304	{8AB3C67B-5C46-48da-A637-86E0B3F00396}.exe
2504	{342CA0FB-2E34-436a-98D3-E78B6956A3B5}.exe
1640	{96D08B66-A6A8-4044-BD87-DB15D541E417}.exe
2180	{13CE2ABC-0AE7-49e5-91FB-925D9F5BC4D4}.exe
2428	{9945EAF0-219B-4415-A408-4E4048499B95}.exe
2640	{42C72E3D-619C-4543-8DC3-1193D6ECA637}.exe
2996	{1D3E67EB-0328-4c15-9918-7BED87C989E1}.exe
384	{3086D01C-0C60-4a26-AE9D-60E2CFB3F333}.exe
3056	{E48FA658-A3FA-4618-B677-331502D18493}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{C042692D-6EEE-45f3-BFD3-E042442FBA90}.exe	2024-01-24_dabd940fb1530a16e8905d87c87d627f_goldeneye.exe
File created	C:\Windows\{13CE2ABC-0AE7-49e5-91FB-925D9F5BC4D4}.exe	{96D08B66-A6A8-4044-BD87-DB15D541E417}.exe
File created	C:\Windows\{3086D01C-0C60-4a26-AE9D-60E2CFB3F333}.exe	{1D3E67EB-0328-4c15-9918-7BED87C989E1}.exe
File created	C:\Windows\{9945EAF0-219B-4415-A408-4E4048499B95}.exe	{13CE2ABC-0AE7-49e5-91FB-925D9F5BC4D4}.exe
File created	C:\Windows\{42C72E3D-619C-4543-8DC3-1193D6ECA637}.exe	{9945EAF0-219B-4415-A408-4E4048499B95}.exe
File created	C:\Windows\{1D3E67EB-0328-4c15-9918-7BED87C989E1}.exe	{42C72E3D-619C-4543-8DC3-1193D6ECA637}.exe
File created	C:\Windows\{E48FA658-A3FA-4618-B677-331502D18493}.exe	{3086D01C-0C60-4a26-AE9D-60E2CFB3F333}.exe
File created	C:\Windows\{2BCC5544-F47C-4d45-8ACB-3497C35122C2}.exe	{C042692D-6EEE-45f3-BFD3-E042442FBA90}.exe
File created	C:\Windows\{8AB3C67B-5C46-48da-A637-86E0B3F00396}.exe	{2BCC5544-F47C-4d45-8ACB-3497C35122C2}.exe
File created	C:\Windows\{342CA0FB-2E34-436a-98D3-E78B6956A3B5}.exe	{8AB3C67B-5C46-48da-A637-86E0B3F00396}.exe
File created	C:\Windows\{96D08B66-A6A8-4044-BD87-DB15D541E417}.exe	{342CA0FB-2E34-436a-98D3-E78B6956A3B5}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2212	2024-01-24_dabd940fb1530a16e8905d87c87d627f_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2044	{C042692D-6EEE-45f3-BFD3-E042442FBA90}.exe
Token: SeIncBasePriorityPrivilege	2652	{2BCC5544-F47C-4d45-8ACB-3497C35122C2}.exe
Token: SeIncBasePriorityPrivilege	2304	{8AB3C67B-5C46-48da-A637-86E0B3F00396}.exe
Token: SeIncBasePriorityPrivilege	2504	{342CA0FB-2E34-436a-98D3-E78B6956A3B5}.exe
Token: SeIncBasePriorityPrivilege	1640	{96D08B66-A6A8-4044-BD87-DB15D541E417}.exe
Token: SeIncBasePriorityPrivilege	2180	{13CE2ABC-0AE7-49e5-91FB-925D9F5BC4D4}.exe
Token: SeIncBasePriorityPrivilege	2428	{9945EAF0-219B-4415-A408-4E4048499B95}.exe
Token: SeIncBasePriorityPrivilege	2640	{42C72E3D-619C-4543-8DC3-1193D6ECA637}.exe
Token: SeIncBasePriorityPrivilege	2996	{1D3E67EB-0328-4c15-9918-7BED87C989E1}.exe
Token: SeIncBasePriorityPrivilege	384	{3086D01C-0C60-4a26-AE9D-60E2CFB3F333}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2212 wrote to memory of 2044	2212	2024-01-24_dabd940fb1530a16e8905d87c87d627f_goldeneye.exe	28
PID 2212 wrote to memory of 2044	2212	2024-01-24_dabd940fb1530a16e8905d87c87d627f_goldeneye.exe	28
PID 2212 wrote to memory of 2044	2212	2024-01-24_dabd940fb1530a16e8905d87c87d627f_goldeneye.exe	28
PID 2212 wrote to memory of 2044	2212	2024-01-24_dabd940fb1530a16e8905d87c87d627f_goldeneye.exe	28
PID 2212 wrote to memory of 2540	2212	2024-01-24_dabd940fb1530a16e8905d87c87d627f_goldeneye.exe	29
PID 2212 wrote to memory of 2540	2212	2024-01-24_dabd940fb1530a16e8905d87c87d627f_goldeneye.exe	29
PID 2212 wrote to memory of 2540	2212	2024-01-24_dabd940fb1530a16e8905d87c87d627f_goldeneye.exe	29
PID 2212 wrote to memory of 2540	2212	2024-01-24_dabd940fb1530a16e8905d87c87d627f_goldeneye.exe	29
PID 2044 wrote to memory of 2652	2044	{C042692D-6EEE-45f3-BFD3-E042442FBA90}.exe	30
PID 2044 wrote to memory of 2652	2044	{C042692D-6EEE-45f3-BFD3-E042442FBA90}.exe	30
PID 2044 wrote to memory of 2652	2044	{C042692D-6EEE-45f3-BFD3-E042442FBA90}.exe	30
PID 2044 wrote to memory of 2652	2044	{C042692D-6EEE-45f3-BFD3-E042442FBA90}.exe	30
PID 2044 wrote to memory of 2680	2044	{C042692D-6EEE-45f3-BFD3-E042442FBA90}.exe	31
PID 2044 wrote to memory of 2680	2044	{C042692D-6EEE-45f3-BFD3-E042442FBA90}.exe	31
PID 2044 wrote to memory of 2680	2044	{C042692D-6EEE-45f3-BFD3-E042442FBA90}.exe	31
PID 2044 wrote to memory of 2680	2044	{C042692D-6EEE-45f3-BFD3-E042442FBA90}.exe	31
PID 2652 wrote to memory of 2304	2652	{2BCC5544-F47C-4d45-8ACB-3497C35122C2}.exe	33
PID 2652 wrote to memory of 2304	2652	{2BCC5544-F47C-4d45-8ACB-3497C35122C2}.exe	33
PID 2652 wrote to memory of 2304	2652	{2BCC5544-F47C-4d45-8ACB-3497C35122C2}.exe	33
PID 2652 wrote to memory of 2304	2652	{2BCC5544-F47C-4d45-8ACB-3497C35122C2}.exe	33
PID 2652 wrote to memory of 2708	2652	{2BCC5544-F47C-4d45-8ACB-3497C35122C2}.exe	32
PID 2652 wrote to memory of 2708	2652	{2BCC5544-F47C-4d45-8ACB-3497C35122C2}.exe	32
PID 2652 wrote to memory of 2708	2652	{2BCC5544-F47C-4d45-8ACB-3497C35122C2}.exe	32
PID 2652 wrote to memory of 2708	2652	{2BCC5544-F47C-4d45-8ACB-3497C35122C2}.exe	32
PID 2304 wrote to memory of 2504	2304	{8AB3C67B-5C46-48da-A637-86E0B3F00396}.exe	37
PID 2304 wrote to memory of 2504	2304	{8AB3C67B-5C46-48da-A637-86E0B3F00396}.exe	37
PID 2304 wrote to memory of 2504	2304	{8AB3C67B-5C46-48da-A637-86E0B3F00396}.exe	37
PID 2304 wrote to memory of 2504	2304	{8AB3C67B-5C46-48da-A637-86E0B3F00396}.exe	37
PID 2304 wrote to memory of 2972	2304	{8AB3C67B-5C46-48da-A637-86E0B3F00396}.exe	36
PID 2304 wrote to memory of 2972	2304	{8AB3C67B-5C46-48da-A637-86E0B3F00396}.exe	36
PID 2304 wrote to memory of 2972	2304	{8AB3C67B-5C46-48da-A637-86E0B3F00396}.exe	36
PID 2304 wrote to memory of 2972	2304	{8AB3C67B-5C46-48da-A637-86E0B3F00396}.exe	36
PID 2504 wrote to memory of 1640	2504	{342CA0FB-2E34-436a-98D3-E78B6956A3B5}.exe	39
PID 2504 wrote to memory of 1640	2504	{342CA0FB-2E34-436a-98D3-E78B6956A3B5}.exe	39
PID 2504 wrote to memory of 1640	2504	{342CA0FB-2E34-436a-98D3-E78B6956A3B5}.exe	39
PID 2504 wrote to memory of 1640	2504	{342CA0FB-2E34-436a-98D3-E78B6956A3B5}.exe	39
PID 2504 wrote to memory of 1632	2504	{342CA0FB-2E34-436a-98D3-E78B6956A3B5}.exe	38
PID 2504 wrote to memory of 1632	2504	{342CA0FB-2E34-436a-98D3-E78B6956A3B5}.exe	38
PID 2504 wrote to memory of 1632	2504	{342CA0FB-2E34-436a-98D3-E78B6956A3B5}.exe	38
PID 2504 wrote to memory of 1632	2504	{342CA0FB-2E34-436a-98D3-E78B6956A3B5}.exe	38
PID 1640 wrote to memory of 2180	1640	{96D08B66-A6A8-4044-BD87-DB15D541E417}.exe	41
PID 1640 wrote to memory of 2180	1640	{96D08B66-A6A8-4044-BD87-DB15D541E417}.exe	41
PID 1640 wrote to memory of 2180	1640	{96D08B66-A6A8-4044-BD87-DB15D541E417}.exe	41
PID 1640 wrote to memory of 2180	1640	{96D08B66-A6A8-4044-BD87-DB15D541E417}.exe	41
PID 1640 wrote to memory of 1684	1640	{96D08B66-A6A8-4044-BD87-DB15D541E417}.exe	40
PID 1640 wrote to memory of 1684	1640	{96D08B66-A6A8-4044-BD87-DB15D541E417}.exe	40
PID 1640 wrote to memory of 1684	1640	{96D08B66-A6A8-4044-BD87-DB15D541E417}.exe	40
PID 1640 wrote to memory of 1684	1640	{96D08B66-A6A8-4044-BD87-DB15D541E417}.exe	40
PID 2180 wrote to memory of 2428	2180	{13CE2ABC-0AE7-49e5-91FB-925D9F5BC4D4}.exe	42
PID 2180 wrote to memory of 2428	2180	{13CE2ABC-0AE7-49e5-91FB-925D9F5BC4D4}.exe	42
PID 2180 wrote to memory of 2428	2180	{13CE2ABC-0AE7-49e5-91FB-925D9F5BC4D4}.exe	42
PID 2180 wrote to memory of 2428	2180	{13CE2ABC-0AE7-49e5-91FB-925D9F5BC4D4}.exe	42
PID 2180 wrote to memory of 1316	2180	{13CE2ABC-0AE7-49e5-91FB-925D9F5BC4D4}.exe	43
PID 2180 wrote to memory of 1316	2180	{13CE2ABC-0AE7-49e5-91FB-925D9F5BC4D4}.exe	43
PID 2180 wrote to memory of 1316	2180	{13CE2ABC-0AE7-49e5-91FB-925D9F5BC4D4}.exe	43
PID 2180 wrote to memory of 1316	2180	{13CE2ABC-0AE7-49e5-91FB-925D9F5BC4D4}.exe	43
PID 2428 wrote to memory of 2640	2428	{9945EAF0-219B-4415-A408-4E4048499B95}.exe	45
PID 2428 wrote to memory of 2640	2428	{9945EAF0-219B-4415-A408-4E4048499B95}.exe	45
PID 2428 wrote to memory of 2640	2428	{9945EAF0-219B-4415-A408-4E4048499B95}.exe	45
PID 2428 wrote to memory of 2640	2428	{9945EAF0-219B-4415-A408-4E4048499B95}.exe	45
PID 2428 wrote to memory of 1424	2428	{9945EAF0-219B-4415-A408-4E4048499B95}.exe	44
PID 2428 wrote to memory of 1424	2428	{9945EAF0-219B-4415-A408-4E4048499B95}.exe	44
PID 2428 wrote to memory of 1424	2428	{9945EAF0-219B-4415-A408-4E4048499B95}.exe	44
PID 2428 wrote to memory of 1424	2428	{9945EAF0-219B-4415-A408-4E4048499B95}.exe	44

C:\Users\Admin\AppData\Local\Temp\2024-01-24_dabd940fb1530a16e8905d87c87d627f_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-24_dabd940fb1530a16e8905d87c87d627f_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2212
- C:\Windows\{C042692D-6EEE-45f3-BFD3-E042442FBA90}.exe
  C:\Windows\{C042692D-6EEE-45f3-BFD3-E042442FBA90}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2044
- - C:\Windows\{2BCC5544-F47C-4d45-8ACB-3497C35122C2}.exe
    C:\Windows\{2BCC5544-F47C-4d45-8ACB-3497C35122C2}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2652
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{2BCC5~1.EXE > nul
      4⤵
      PID:2708
  - - C:\Windows\{8AB3C67B-5C46-48da-A637-86E0B3F00396}.exe
      C:\Windows\{8AB3C67B-5C46-48da-A637-86E0B3F00396}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2304
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8AB3C~1.EXE > nul
        5⤵
        
        PID:2972
    - - C:\Windows\{342CA0FB-2E34-436a-98D3-E78B6956A3B5}.exe
        
        C:\Windows\{342CA0FB-2E34-436a-98D3-E78B6956A3B5}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2504
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{342CA~1.EXE > nul
        6⤵
        
        PID:1632
      - C:\Windows\{96D08B66-A6A8-4044-BD87-DB15D541E417}.exe
        
        C:\Windows\{96D08B66-A6A8-4044-BD87-DB15D541E417}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{96D08~1.EXE > nul
        7⤵
        
        PID:1684
        
        C:\Windows\{13CE2ABC-0AE7-49e5-91FB-925D9F5BC4D4}.exe
        
        C:\Windows\{13CE2ABC-0AE7-49e5-91FB-925D9F5BC4D4}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2180
        
        C:\Windows\{9945EAF0-219B-4415-A408-4E4048499B95}.exe
        
        C:\Windows\{9945EAF0-219B-4415-A408-4E4048499B95}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9945E~1.EXE > nul
        9⤵
        
        PID:1424
        
        C:\Windows\{42C72E3D-619C-4543-8DC3-1193D6ECA637}.exe
        
        C:\Windows\{42C72E3D-619C-4543-8DC3-1193D6ECA637}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{42C72~1.EXE > nul
        10⤵
        
        PID:2292
        
        C:\Windows\{1D3E67EB-0328-4c15-9918-7BED87C989E1}.exe
        
        C:\Windows\{1D3E67EB-0328-4c15-9918-7BED87C989E1}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1D3E6~1.EXE > nul
        11⤵
        
        PID:780
        
        C:\Windows\{3086D01C-0C60-4a26-AE9D-60E2CFB3F333}.exe
        
        C:\Windows\{3086D01C-0C60-4a26-AE9D-60E2CFB3F333}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3086D~1.EXE > nul
        12⤵
        
        PID:812
        
        C:\Windows\{E48FA658-A3FA-4618-B677-331502D18493}.exe
        
        C:\Windows\{E48FA658-A3FA-4618-B677-331502D18493}.exe
        12⤵
        Executes dropped EXE
        
        PID:3056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{13CE2~1.EXE > nul
        8⤵
        
        PID:1316
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{C0426~1.EXE > nul
    3⤵
    PID:2680
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{13CE2ABC-0AE7-49e5-91FB-925D9F5BC4D4}.exe

Filesize
168KB

MD5
7bd1da16abd325ee498c7ae99a452c9a

SHA1
09ab9d607bd9e25af3d91e12a24092dd8d673d4f

SHA256
f44cb2ba48a33f3d7970bee88168aeb5f71363807aedc164053097b39a257792

SHA512
368dc4b1be96810cf21e6b13aeebdbff05d063a66e987e427ee8d1dbf86c8acd8836cd07e32490d1d136ab43b1977441e2887c5b7e08b0ef5af56084d46fa3e8

Download Submit
C:\Windows\{13CE2ABC-0AE7-49e5-91FB-925D9F5BC4D4}.exe

Filesize
163KB

MD5
47cb4f8921ff185bd7e9a43caa01c280

SHA1
b37760d94ed21a01cc2cbcff3717a6aefda4cd93

SHA256
6657747260d9773ee4376cb490c6f852a1fe878a4e0a5dc9788abcc07dce3dd1

SHA512
bbddde3d2a142b43f35ce8cc2004830b55bc010cbf52a0e12672fde4c45b8a670e25dc30310edd6661ebdaca3874cfbfc6754636d608a01723c8dfbc0d6e3de3

Download Submit
C:\Windows\{1D3E67EB-0328-4c15-9918-7BED87C989E1}.exe

Filesize
372KB

MD5
5c88990097f677ec74ca66a858e6d189

SHA1
7e5b562f5c689fb7188367736ee92a1a233cceb5

SHA256
378f315ef93b8f9809722d53bc841b38fcd3ef6837a1fceefdb1498874ad5dd6

SHA512
e2a5111c78f355fce9481ae11b3fb65343cf2c3000671e822058d84a329675d8c6bb66b6ed20a8aea470b71b32f4b9d3051d860e059b453240bc27fca72045f6

Download Submit
C:\Windows\{2BCC5544-F47C-4d45-8ACB-3497C35122C2}.exe

Filesize
372KB

MD5
ed6e18c5e83303880a3ad862411d0d3b

SHA1
bbe39e053cd1d7f5170459fdb5b24bc6caed11dd

SHA256
2b9a93c0df39963904294e4c78b15bb285f987b732cbc042b8aa7745fe8e3c36

SHA512
da93f461e21835dcf8fcb4a35f8464527eda8c4df72dbb59656493fcf61f2c66546d885945fa01f1975a1e5974a32b2334462bc0e3638cd32e14112e172cf8bd

Download Submit
C:\Windows\{2BCC5544-F47C-4d45-8ACB-3497C35122C2}.exe

Filesize
30KB

MD5
f293c91e323f6dbe981c6d42cdc8528d

SHA1
26dd3b0ef6c5df2dcd503dab27ab06817b6acb86

SHA256
65ec38595ad062ddea0fcdc04a65224ab795898f4e13a6fa1c35fb646774f4f4

SHA512
d17d43e309411f7c67278a71d38a133f9d36b7c7ea7922f86273b91e36477a2bab7c7712654cd2902ef17fe4623dbc81e230dd0f2972a7e42b1c44d2453c33ad

Download Submit
C:\Windows\{3086D01C-0C60-4a26-AE9D-60E2CFB3F333}.exe

Filesize
372KB

MD5
c3965f7a90cf7fffc370df1e23e9cdd6

SHA1
0ee9cbc7e0a4ded939bac43896c73b33de0e347f

SHA256
fd25f50023c29254b8c28f4dd748fb9d5e53579244d3a7294efe364f09eb0d71

SHA512
ec3a0abdf982bdefcd34e115e861422df3a6d5f9b89e1fb409ec4dfeb3b0cff6dce6163e12ad4cb19a5450fe1226d5377caac51388954ac349a2b69b8feab2e7

Download Submit
C:\Windows\{342CA0FB-2E34-436a-98D3-E78B6956A3B5}.exe

Filesize
219KB

MD5
757b3cb740c554403a2fcff0fe8be5c6

SHA1
4246c1c2cbcefed9b804c3ea78ee2c9f1cef2c75

SHA256
61330206defa64ab27d58c125bae824583292540e15ef7aad627b4fec810e7d8

SHA512
4c99dbf84fc173a43cdde19af8fb384aab5c64a3d31ff583d2b59c9308a26ac54b2ed95e974797ce5c052a6091d386127849a33fbc83a3a51dc0b3efe3009426

Download Submit
C:\Windows\{342CA0FB-2E34-436a-98D3-E78B6956A3B5}.exe

Filesize
372KB

MD5
202b4f004136964d5d44f3e70eb6cbc3

SHA1
9db95923fdcc57f877729d5d240952522d00ed8a

SHA256
9cc82b98452b5faa5d95d34e07e45168ddc8270d5b6db6366828f5dcd17e0cff

SHA512
6ba085e98d21b27024ee019311926bac077a0db8b604d53a01a4e2f561f99e87173e5cc4a853c8f5dcf55aed551286dd0c0a35c5da6ddbf866bd306d284cb621

Download Submit
C:\Windows\{42C72E3D-619C-4543-8DC3-1193D6ECA637}.exe

Filesize
365KB

MD5
4e1830de63bcf81dcc94c7011eefb946

SHA1
3279f28d533a84d0d77e9e2aa92aa58f25cd865b

SHA256
82f51926b8c02579cb570481844d9778e53e8226383f891ce4a97fa3a8fa9e22

SHA512
de2f167d95dd7842daca8b76db6007f70abf1d65dea18553383737d6ce086ce569c1c428eaa957ac19a58d3793f46013fa8f9edeed64af0373abe83fcc35fc61

Download Submit
C:\Windows\{42C72E3D-619C-4543-8DC3-1193D6ECA637}.exe

Filesize
372KB

MD5
bc512ab7289ee8ff410ddaeb9c4e41e6

SHA1
a36f2fa5c4763f9428ffd2d600f1d4048b029fb8

SHA256
ba4cf46d3817485e5082a087769494d14bd764fc064ccf541210ba5c558c3dad

SHA512
83168a225fff1884c864f86096ec7240cfeab0caec01fc1645d3cf54eb62628095c924d18e0bfa9d22b7d2ec03fe563c0a63e5df9e181e39ab53ce08bd92d2b7

Download Submit
C:\Windows\{8AB3C67B-5C46-48da-A637-86E0B3F00396}.exe

Filesize
126KB

MD5
256cb336bd9a300aaa576e7ddc8827f7

SHA1
693cdef7bba00a98f79c0455a213bf246d8d82b6

SHA256
d3fc88b0e4b28b57c308acf91fc4ef1ecd8bb8e7b1cae828683e82ac48171320

SHA512
bf73488289c6e4b221f2f094be2d5baa6386404feb31afc1a36a8fa4f61d2213b0f38f0d4d4380ad69e35c6a2a31558b3bee74e9a35312e4f076bbac729958a4

Download Submit
C:\Windows\{8AB3C67B-5C46-48da-A637-86E0B3F00396}.exe

Filesize
306KB

MD5
125e94899fd4494da5c271380a3233f2

SHA1
97de76d97fd21438cae619886af7bb30403fecfa

SHA256
7120a5314dcf71ca48ae560e93604859af2abfeb63995dc0163f090b61d1bb19

SHA512
8099662fa919fcf7b0b4738981c4c85b364213db16e1e3f84ad5a9f10b87ea37470ea7b4a6e1b4591720af3a5d850da1ab6fc11a6ece7a9c3573e2fd1cd1ddd3

Download Submit
C:\Windows\{96D08B66-A6A8-4044-BD87-DB15D541E417}.exe

Filesize
372KB

MD5
8d057c6013f8bd25f98047c1d42fae76

SHA1
f924e6890e375742de3147ec07f238a96baabad0

SHA256
b9e29844525ec708d7e61bb299bf02da09d2d31e164023ab84f104b0e6fd697f

SHA512
5b840504f64bf741243e75775d22776f591286e7a2bb114e8a3cef1513c2a8e11c17d9b3468b4f45eea62c75a6b801d5569b5bd83665e4343bdf260888e23512

Download Submit
C:\Windows\{96D08B66-A6A8-4044-BD87-DB15D541E417}.exe

Filesize
134KB

MD5
0b78e186f489bd3e6102da80581c39d2

SHA1
cec2e31bede0b1e483cf06f72cb7f1691e2c83f1

SHA256
e18c084916458d520911e98fd4fd9af0407f8dd7c74eaaf456c95ed6be796797

SHA512
7ba9fddaafa1f20eb9909da33d0373208f65e7f3a02111c8d2518c4b5d073ce4f8cfbda8cb065bb89039925b87e1a741cbed9eed24fc18b3d6c740af012fe4ce

Download Submit
C:\Windows\{9945EAF0-219B-4415-A408-4E4048499B95}.exe

Filesize
79KB

MD5
bed9bad5bb2046f82afe351d77d81531

SHA1
3f183b5b9c6da011975153ddd1b127356722b2b8

SHA256
e553906746103c735139784d944eea197313b8ad357e31506c330171e9070474

SHA512
8181d32573a9724c21cead66582b8dc4f5304e0dda0eda7a266005fb9b2cf9b12a812721fe49882e7ce19e8de44053345d35bb914afee5544814cdbe4c156c7c

Download Submit
C:\Windows\{9945EAF0-219B-4415-A408-4E4048499B95}.exe

Filesize
372KB

MD5
d7642fa58fc6ba04bdf6688a8a537ae5

SHA1
1aba0c103c145277ee07e1db264f3416952b229f

SHA256
a60c671f8e985bccdd69e25b5da8a3167663715fa012c2e31fd6198c8eb6a557

SHA512
3c8f10fa833aa0575f220930105dc217ecf86665b2bc41c53e9b00fac66f5bdfa8026488cff393c210b420c84b46b9f7569e97ca5da759bb3876bfd785879940

Download Submit
C:\Windows\{C042692D-6EEE-45f3-BFD3-E042442FBA90}.exe

Filesize
372KB

MD5
a30a9aa299bdc50459eb99c42bba0bd9

SHA1
0386be463d7d52078f2b58aaffba6075a82709c0

SHA256
53dc1216fa3468857b2440abe40683f4f2dcef75aa53a4ed7f7ea3c8b5e89f1e

SHA512
008fe3171f837af9c0b6f7c440da0482272abaf366c5f411d390617dc344992d7b4f62e1abfa80305b0c91d597886a5298314238e343719a57ab5535cd6d1244

Download Submit
C:\Windows\{C042692D-6EEE-45f3-BFD3-E042442FBA90}.exe

Filesize
342KB

MD5
4d74eecefe39349cd937e8014846f185

SHA1
3367bd56932f2c9e7e455839cf01284dad1224e4

SHA256
5e4788a5c493b9a462e00d0786cead6e83beec27ed3927449a6b05347aedfbc0

SHA512
5fc5c36f2dcde0d49895de5d2201ee557f6e97ad7f5bbb38b47166895a5839143e7f25e6fa3e963834c00d19b8af085803ed3782000d491b9e27d57efcaae41c

Download Submit
C:\Windows\{E48FA658-A3FA-4618-B677-331502D18493}.exe

Filesize
372KB

MD5
081a9f681e1119d6b144acdd4345dedb

SHA1
c258c7539617d7caf474212ac1f100e2dc79692e

SHA256
63c7f3bc39ba7214ed60d983a5632cc9e3e37117e2035f1e12399bc4a8c2a7c9

SHA512
48b21e1b92528a5c9b99e9fc3936aa74915513d730cc1a098854927d0b49b8701ff2882b0fbc43e7bfdcd7bcc8f42ff729636c99dc63240b8c3570ee663d03b9

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads