b92019828b68282df1ae4c6144d4d11f678247d75dcb8502549dfc41d888b6e2

Analysis

max time kernel
144s
max time network
125s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25-01-2024 23:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-25_3bc48fe17c90c0fe44846b89e9e23d7b_goldeneye.exe
Size

180KB
MD5

3bc48fe17c90c0fe44846b89e9e23d7b
SHA1

59f0f45b9daa9ca857ddc7bf2eb5f6cf7d8d2910
SHA256

b92019828b68282df1ae4c6144d4d11f678247d75dcb8502549dfc41d888b6e2
SHA512

e4fdde4b1abf162a8a691517c5c3242058906b6c58d256f9caa77557fc0a519b1652b513d778a3c18db2dae56ec963486d063c9fdf14fbb501865f642836dc41
SSDEEP

3072:jEGh0oUlfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGql5eKcAEc

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000e000000012232-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a000000012251-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002f000000015c31-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000600000000f6f8-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b000000012251-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000700000000f6f8-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000012251-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000800000000f6f8-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000012251-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000900000000f6f8-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e000000012251-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B3E4BFD8-EF9B-4790-8947-897A4370E53C}	{8C1E8F1D-31B2-4579-95A4-C1841D4612AF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3B2D889E-B24C-4633-85C2-A877A5BEA4CC}	{2A5B2751-07A8-43e5-8C68-D881747C592F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3B2D889E-B24C-4633-85C2-A877A5BEA4CC}\stubpath = "C:\\Windows\\{3B2D889E-B24C-4633-85C2-A877A5BEA4CC}.exe"	{2A5B2751-07A8-43e5-8C68-D881747C592F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8C1E8F1D-31B2-4579-95A4-C1841D4612AF}\stubpath = "C:\\Windows\\{8C1E8F1D-31B2-4579-95A4-C1841D4612AF}.exe"	{B8CAC5A0-031E-4918-B68A-0C717BE9059E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E52D6816-91BA-40d7-9452-D8C0FBDAFDD4}\stubpath = "C:\\Windows\\{E52D6816-91BA-40d7-9452-D8C0FBDAFDD4}.exe"	{30E9E6D8-3B6E-4c65-91B4-DCEA354EC477}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0FAB9053-3220-4fb6-8A9A-6AB817EF3140}	{E52D6816-91BA-40d7-9452-D8C0FBDAFDD4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0FAB9053-3220-4fb6-8A9A-6AB817EF3140}\stubpath = "C:\\Windows\\{0FAB9053-3220-4fb6-8A9A-6AB817EF3140}.exe"	{E52D6816-91BA-40d7-9452-D8C0FBDAFDD4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FED87512-695E-4f87-A2B7-839831143A32}	{0FAB9053-3220-4fb6-8A9A-6AB817EF3140}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8ECA9322-4267-41d8-A8BA-6F784ACA30C2}	{B3E4BFD8-EF9B-4790-8947-897A4370E53C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2A5B2751-07A8-43e5-8C68-D881747C592F}	{8ECA9322-4267-41d8-A8BA-6F784ACA30C2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{30E9E6D8-3B6E-4c65-91B4-DCEA354EC477}\stubpath = "C:\\Windows\\{30E9E6D8-3B6E-4c65-91B4-DCEA354EC477}.exe"	{C64D069F-28C9-4dd4-AEF2-15E1BC3941CD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C64D069F-28C9-4dd4-AEF2-15E1BC3941CD}\stubpath = "C:\\Windows\\{C64D069F-28C9-4dd4-AEF2-15E1BC3941CD}.exe"	2024-01-25_3bc48fe17c90c0fe44846b89e9e23d7b_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FED87512-695E-4f87-A2B7-839831143A32}\stubpath = "C:\\Windows\\{FED87512-695E-4f87-A2B7-839831143A32}.exe"	{0FAB9053-3220-4fb6-8A9A-6AB817EF3140}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B8CAC5A0-031E-4918-B68A-0C717BE9059E}	{FED87512-695E-4f87-A2B7-839831143A32}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B8CAC5A0-031E-4918-B68A-0C717BE9059E}\stubpath = "C:\\Windows\\{B8CAC5A0-031E-4918-B68A-0C717BE9059E}.exe"	{FED87512-695E-4f87-A2B7-839831143A32}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8C1E8F1D-31B2-4579-95A4-C1841D4612AF}	{B8CAC5A0-031E-4918-B68A-0C717BE9059E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8ECA9322-4267-41d8-A8BA-6F784ACA30C2}\stubpath = "C:\\Windows\\{8ECA9322-4267-41d8-A8BA-6F784ACA30C2}.exe"	{B3E4BFD8-EF9B-4790-8947-897A4370E53C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C64D069F-28C9-4dd4-AEF2-15E1BC3941CD}	2024-01-25_3bc48fe17c90c0fe44846b89e9e23d7b_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E52D6816-91BA-40d7-9452-D8C0FBDAFDD4}	{30E9E6D8-3B6E-4c65-91B4-DCEA354EC477}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B3E4BFD8-EF9B-4790-8947-897A4370E53C}\stubpath = "C:\\Windows\\{B3E4BFD8-EF9B-4790-8947-897A4370E53C}.exe"	{8C1E8F1D-31B2-4579-95A4-C1841D4612AF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2A5B2751-07A8-43e5-8C68-D881747C592F}\stubpath = "C:\\Windows\\{2A5B2751-07A8-43e5-8C68-D881747C592F}.exe"	{8ECA9322-4267-41d8-A8BA-6F784ACA30C2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{30E9E6D8-3B6E-4c65-91B4-DCEA354EC477}	{C64D069F-28C9-4dd4-AEF2-15E1BC3941CD}.exe

Executes dropped EXE 11 IoCs

pid	Process
2684	{C64D069F-28C9-4dd4-AEF2-15E1BC3941CD}.exe
2692	{30E9E6D8-3B6E-4c65-91B4-DCEA354EC477}.exe
3060	{E52D6816-91BA-40d7-9452-D8C0FBDAFDD4}.exe
268	{0FAB9053-3220-4fb6-8A9A-6AB817EF3140}.exe
2924	{FED87512-695E-4f87-A2B7-839831143A32}.exe
1988	{B8CAC5A0-031E-4918-B68A-0C717BE9059E}.exe
2004	{8C1E8F1D-31B2-4579-95A4-C1841D4612AF}.exe
932	{B3E4BFD8-EF9B-4790-8947-897A4370E53C}.exe
2452	{8ECA9322-4267-41d8-A8BA-6F784ACA30C2}.exe
2532	{2A5B2751-07A8-43e5-8C68-D881747C592F}.exe
2672	{3B2D889E-B24C-4633-85C2-A877A5BEA4CC}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{3B2D889E-B24C-4633-85C2-A877A5BEA4CC}.exe	{2A5B2751-07A8-43e5-8C68-D881747C592F}.exe
File created	C:\Windows\{C64D069F-28C9-4dd4-AEF2-15E1BC3941CD}.exe	2024-01-25_3bc48fe17c90c0fe44846b89e9e23d7b_goldeneye.exe
File created	C:\Windows\{0FAB9053-3220-4fb6-8A9A-6AB817EF3140}.exe	{E52D6816-91BA-40d7-9452-D8C0FBDAFDD4}.exe
File created	C:\Windows\{B8CAC5A0-031E-4918-B68A-0C717BE9059E}.exe	{FED87512-695E-4f87-A2B7-839831143A32}.exe
File created	C:\Windows\{8C1E8F1D-31B2-4579-95A4-C1841D4612AF}.exe	{B8CAC5A0-031E-4918-B68A-0C717BE9059E}.exe
File created	C:\Windows\{B3E4BFD8-EF9B-4790-8947-897A4370E53C}.exe	{8C1E8F1D-31B2-4579-95A4-C1841D4612AF}.exe
File created	C:\Windows\{30E9E6D8-3B6E-4c65-91B4-DCEA354EC477}.exe	{C64D069F-28C9-4dd4-AEF2-15E1BC3941CD}.exe
File created	C:\Windows\{E52D6816-91BA-40d7-9452-D8C0FBDAFDD4}.exe	{30E9E6D8-3B6E-4c65-91B4-DCEA354EC477}.exe
File created	C:\Windows\{FED87512-695E-4f87-A2B7-839831143A32}.exe	{0FAB9053-3220-4fb6-8A9A-6AB817EF3140}.exe
File created	C:\Windows\{8ECA9322-4267-41d8-A8BA-6F784ACA30C2}.exe	{B3E4BFD8-EF9B-4790-8947-897A4370E53C}.exe
File created	C:\Windows\{2A5B2751-07A8-43e5-8C68-D881747C592F}.exe	{8ECA9322-4267-41d8-A8BA-6F784ACA30C2}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2956	2024-01-25_3bc48fe17c90c0fe44846b89e9e23d7b_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2684	{C64D069F-28C9-4dd4-AEF2-15E1BC3941CD}.exe
Token: SeIncBasePriorityPrivilege	2692	{30E9E6D8-3B6E-4c65-91B4-DCEA354EC477}.exe
Token: SeIncBasePriorityPrivilege	3060	{E52D6816-91BA-40d7-9452-D8C0FBDAFDD4}.exe
Token: SeIncBasePriorityPrivilege	268	{0FAB9053-3220-4fb6-8A9A-6AB817EF3140}.exe
Token: SeIncBasePriorityPrivilege	2924	{FED87512-695E-4f87-A2B7-839831143A32}.exe
Token: SeIncBasePriorityPrivilege	1988	{B8CAC5A0-031E-4918-B68A-0C717BE9059E}.exe
Token: SeIncBasePriorityPrivilege	2004	{8C1E8F1D-31B2-4579-95A4-C1841D4612AF}.exe
Token: SeIncBasePriorityPrivilege	932	{B3E4BFD8-EF9B-4790-8947-897A4370E53C}.exe
Token: SeIncBasePriorityPrivilege	2452	{8ECA9322-4267-41d8-A8BA-6F784ACA30C2}.exe
Token: SeIncBasePriorityPrivilege	2532	{2A5B2751-07A8-43e5-8C68-D881747C592F}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2956 wrote to memory of 2684	2956	2024-01-25_3bc48fe17c90c0fe44846b89e9e23d7b_goldeneye.exe	28
PID 2956 wrote to memory of 2684	2956	2024-01-25_3bc48fe17c90c0fe44846b89e9e23d7b_goldeneye.exe	28
PID 2956 wrote to memory of 2684	2956	2024-01-25_3bc48fe17c90c0fe44846b89e9e23d7b_goldeneye.exe	28
PID 2956 wrote to memory of 2684	2956	2024-01-25_3bc48fe17c90c0fe44846b89e9e23d7b_goldeneye.exe	28
PID 2956 wrote to memory of 2796	2956	2024-01-25_3bc48fe17c90c0fe44846b89e9e23d7b_goldeneye.exe	29
PID 2956 wrote to memory of 2796	2956	2024-01-25_3bc48fe17c90c0fe44846b89e9e23d7b_goldeneye.exe	29
PID 2956 wrote to memory of 2796	2956	2024-01-25_3bc48fe17c90c0fe44846b89e9e23d7b_goldeneye.exe	29
PID 2956 wrote to memory of 2796	2956	2024-01-25_3bc48fe17c90c0fe44846b89e9e23d7b_goldeneye.exe	29
PID 2684 wrote to memory of 2692	2684	{C64D069F-28C9-4dd4-AEF2-15E1BC3941CD}.exe	30
PID 2684 wrote to memory of 2692	2684	{C64D069F-28C9-4dd4-AEF2-15E1BC3941CD}.exe	30
PID 2684 wrote to memory of 2692	2684	{C64D069F-28C9-4dd4-AEF2-15E1BC3941CD}.exe	30
PID 2684 wrote to memory of 2692	2684	{C64D069F-28C9-4dd4-AEF2-15E1BC3941CD}.exe	30
PID 2684 wrote to memory of 2608	2684	{C64D069F-28C9-4dd4-AEF2-15E1BC3941CD}.exe	31
PID 2684 wrote to memory of 2608	2684	{C64D069F-28C9-4dd4-AEF2-15E1BC3941CD}.exe	31
PID 2684 wrote to memory of 2608	2684	{C64D069F-28C9-4dd4-AEF2-15E1BC3941CD}.exe	31
PID 2684 wrote to memory of 2608	2684	{C64D069F-28C9-4dd4-AEF2-15E1BC3941CD}.exe	31
PID 2692 wrote to memory of 3060	2692	{30E9E6D8-3B6E-4c65-91B4-DCEA354EC477}.exe	34
PID 2692 wrote to memory of 3060	2692	{30E9E6D8-3B6E-4c65-91B4-DCEA354EC477}.exe	34
PID 2692 wrote to memory of 3060	2692	{30E9E6D8-3B6E-4c65-91B4-DCEA354EC477}.exe	34
PID 2692 wrote to memory of 3060	2692	{30E9E6D8-3B6E-4c65-91B4-DCEA354EC477}.exe	34
PID 2692 wrote to memory of 2624	2692	{30E9E6D8-3B6E-4c65-91B4-DCEA354EC477}.exe	35
PID 2692 wrote to memory of 2624	2692	{30E9E6D8-3B6E-4c65-91B4-DCEA354EC477}.exe	35
PID 2692 wrote to memory of 2624	2692	{30E9E6D8-3B6E-4c65-91B4-DCEA354EC477}.exe	35
PID 2692 wrote to memory of 2624	2692	{30E9E6D8-3B6E-4c65-91B4-DCEA354EC477}.exe	35
PID 3060 wrote to memory of 268	3060	{E52D6816-91BA-40d7-9452-D8C0FBDAFDD4}.exe	37
PID 3060 wrote to memory of 268	3060	{E52D6816-91BA-40d7-9452-D8C0FBDAFDD4}.exe	37
PID 3060 wrote to memory of 268	3060	{E52D6816-91BA-40d7-9452-D8C0FBDAFDD4}.exe	37
PID 3060 wrote to memory of 268	3060	{E52D6816-91BA-40d7-9452-D8C0FBDAFDD4}.exe	37
PID 3060 wrote to memory of 1176	3060	{E52D6816-91BA-40d7-9452-D8C0FBDAFDD4}.exe	36
PID 3060 wrote to memory of 1176	3060	{E52D6816-91BA-40d7-9452-D8C0FBDAFDD4}.exe	36
PID 3060 wrote to memory of 1176	3060	{E52D6816-91BA-40d7-9452-D8C0FBDAFDD4}.exe	36
PID 3060 wrote to memory of 1176	3060	{E52D6816-91BA-40d7-9452-D8C0FBDAFDD4}.exe	36
PID 268 wrote to memory of 2924	268	{0FAB9053-3220-4fb6-8A9A-6AB817EF3140}.exe	39
PID 268 wrote to memory of 2924	268	{0FAB9053-3220-4fb6-8A9A-6AB817EF3140}.exe	39
PID 268 wrote to memory of 2924	268	{0FAB9053-3220-4fb6-8A9A-6AB817EF3140}.exe	39
PID 268 wrote to memory of 2924	268	{0FAB9053-3220-4fb6-8A9A-6AB817EF3140}.exe	39
PID 268 wrote to memory of 1612	268	{0FAB9053-3220-4fb6-8A9A-6AB817EF3140}.exe	38
PID 268 wrote to memory of 1612	268	{0FAB9053-3220-4fb6-8A9A-6AB817EF3140}.exe	38
PID 268 wrote to memory of 1612	268	{0FAB9053-3220-4fb6-8A9A-6AB817EF3140}.exe	38
PID 268 wrote to memory of 1612	268	{0FAB9053-3220-4fb6-8A9A-6AB817EF3140}.exe	38
PID 2924 wrote to memory of 1988	2924	{FED87512-695E-4f87-A2B7-839831143A32}.exe	40
PID 2924 wrote to memory of 1988	2924	{FED87512-695E-4f87-A2B7-839831143A32}.exe	40
PID 2924 wrote to memory of 1988	2924	{FED87512-695E-4f87-A2B7-839831143A32}.exe	40
PID 2924 wrote to memory of 1988	2924	{FED87512-695E-4f87-A2B7-839831143A32}.exe	40
PID 2924 wrote to memory of 1652	2924	{FED87512-695E-4f87-A2B7-839831143A32}.exe	41
PID 2924 wrote to memory of 1652	2924	{FED87512-695E-4f87-A2B7-839831143A32}.exe	41
PID 2924 wrote to memory of 1652	2924	{FED87512-695E-4f87-A2B7-839831143A32}.exe	41
PID 2924 wrote to memory of 1652	2924	{FED87512-695E-4f87-A2B7-839831143A32}.exe	41
PID 1988 wrote to memory of 2004	1988	{B8CAC5A0-031E-4918-B68A-0C717BE9059E}.exe	42
PID 1988 wrote to memory of 2004	1988	{B8CAC5A0-031E-4918-B68A-0C717BE9059E}.exe	42
PID 1988 wrote to memory of 2004	1988	{B8CAC5A0-031E-4918-B68A-0C717BE9059E}.exe	42
PID 1988 wrote to memory of 2004	1988	{B8CAC5A0-031E-4918-B68A-0C717BE9059E}.exe	42
PID 1988 wrote to memory of 1088	1988	{B8CAC5A0-031E-4918-B68A-0C717BE9059E}.exe	43
PID 1988 wrote to memory of 1088	1988	{B8CAC5A0-031E-4918-B68A-0C717BE9059E}.exe	43
PID 1988 wrote to memory of 1088	1988	{B8CAC5A0-031E-4918-B68A-0C717BE9059E}.exe	43
PID 1988 wrote to memory of 1088	1988	{B8CAC5A0-031E-4918-B68A-0C717BE9059E}.exe	43
PID 2004 wrote to memory of 932	2004	{8C1E8F1D-31B2-4579-95A4-C1841D4612AF}.exe	44
PID 2004 wrote to memory of 932	2004	{8C1E8F1D-31B2-4579-95A4-C1841D4612AF}.exe	44
PID 2004 wrote to memory of 932	2004	{8C1E8F1D-31B2-4579-95A4-C1841D4612AF}.exe	44
PID 2004 wrote to memory of 932	2004	{8C1E8F1D-31B2-4579-95A4-C1841D4612AF}.exe	44
PID 2004 wrote to memory of 1664	2004	{8C1E8F1D-31B2-4579-95A4-C1841D4612AF}.exe	45
PID 2004 wrote to memory of 1664	2004	{8C1E8F1D-31B2-4579-95A4-C1841D4612AF}.exe	45
PID 2004 wrote to memory of 1664	2004	{8C1E8F1D-31B2-4579-95A4-C1841D4612AF}.exe	45
PID 2004 wrote to memory of 1664	2004	{8C1E8F1D-31B2-4579-95A4-C1841D4612AF}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-01-25_3bc48fe17c90c0fe44846b89e9e23d7b_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-25_3bc48fe17c90c0fe44846b89e9e23d7b_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2956
- C:\Windows\{C64D069F-28C9-4dd4-AEF2-15E1BC3941CD}.exe
  C:\Windows\{C64D069F-28C9-4dd4-AEF2-15E1BC3941CD}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2684
- - C:\Windows\{30E9E6D8-3B6E-4c65-91B4-DCEA354EC477}.exe
    C:\Windows\{30E9E6D8-3B6E-4c65-91B4-DCEA354EC477}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2692
  - - C:\Windows\{E52D6816-91BA-40d7-9452-D8C0FBDAFDD4}.exe
      C:\Windows\{E52D6816-91BA-40d7-9452-D8C0FBDAFDD4}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3060
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E52D6~1.EXE > nul
        5⤵
        
        PID:1176
    - - C:\Windows\{0FAB9053-3220-4fb6-8A9A-6AB817EF3140}.exe
        
        C:\Windows\{0FAB9053-3220-4fb6-8A9A-6AB817EF3140}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:268
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0FAB9~1.EXE > nul
        6⤵
        
        PID:1612
      - C:\Windows\{FED87512-695E-4f87-A2B7-839831143A32}.exe
        
        C:\Windows\{FED87512-695E-4f87-A2B7-839831143A32}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2924
        
        C:\Windows\{B8CAC5A0-031E-4918-B68A-0C717BE9059E}.exe
        
        C:\Windows\{B8CAC5A0-031E-4918-B68A-0C717BE9059E}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1988
        
        C:\Windows\{8C1E8F1D-31B2-4579-95A4-C1841D4612AF}.exe
        
        C:\Windows\{8C1E8F1D-31B2-4579-95A4-C1841D4612AF}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2004
        
        C:\Windows\{B3E4BFD8-EF9B-4790-8947-897A4370E53C}.exe
        
        C:\Windows\{B3E4BFD8-EF9B-4790-8947-897A4370E53C}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:932
        
        C:\Windows\{8ECA9322-4267-41d8-A8BA-6F784ACA30C2}.exe
        
        C:\Windows\{8ECA9322-4267-41d8-A8BA-6F784ACA30C2}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2452
        
        C:\Windows\{2A5B2751-07A8-43e5-8C68-D881747C592F}.exe
        
        C:\Windows\{2A5B2751-07A8-43e5-8C68-D881747C592F}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2532
        
        C:\Windows\{3B2D889E-B24C-4633-85C2-A877A5BEA4CC}.exe
        
        C:\Windows\{3B2D889E-B24C-4633-85C2-A877A5BEA4CC}.exe
        12⤵
        Executes dropped EXE
        
        PID:2672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2A5B2~1.EXE > nul
        12⤵
        
        PID:2984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8ECA9~1.EXE > nul
        11⤵
        
        PID:3000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B3E4B~1.EXE > nul
        10⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8C1E8~1.EXE > nul
        9⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B8CAC~1.EXE > nul
        8⤵
        
        PID:1088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FED87~1.EXE > nul
        7⤵
        
        PID:1652
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{30E9E~1.EXE > nul
      4⤵
      PID:2624
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{C64D0~1.EXE > nul
    3⤵
    PID:2608
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0FAB9053-3220-4fb6-8A9A-6AB817EF3140}.exe

Filesize
180KB

MD5
85192dfaf807062f1fab47176ca12fa5

SHA1
ce2d2c6bf88bac6244bc0cbde879c14f6746851b

SHA256
8674d16e92f4a807a5f6bdb3b20f71ca15ca467d364ad659d8d4956e90f0f8aa

SHA512
7d806f3556822afc9f42bb82f4293d5d2e9b1c5fd4bffd22cdf4e6378d8a626adcea8d0948dd56811534ab0fae009c4c9d5b1f63bcb54da54bd2a914778bc6ba

Download Submit
C:\Windows\{2A5B2751-07A8-43e5-8C68-D881747C592F}.exe

Filesize
180KB

MD5
0f89a5e0391bd2979c805f8b926eb53a

SHA1
673a705aacdc003b6250608dd5c2c6e6b6a595f2

SHA256
f27159f67be2d74b37daf2febe874ea4e91d5bfebf84b58df72976b2a4fef542

SHA512
83b90bbd66f2b87568bcabde9ea0170b0c246b678845d4e1e2443cd5bc5f538c9d37f56a7187205ea51ff64d1e41d595b0a508afad3e5fbd6408e1a682ee7a91

Download Submit
C:\Windows\{30E9E6D8-3B6E-4c65-91B4-DCEA354EC477}.exe

Filesize
180KB

MD5
3a733915b1951484611ed887d87e96b0

SHA1
c5482e6b9e9126d1d28d72e412acfeca65270ba5

SHA256
567061a942508238c929bd23511edc1e06cb3f3e7be80fac42966aceff3a8643

SHA512
5bc931804627107ff995e6cdcd5ffb2d6dd58b3d0ba08f87080a0781ea8f2e56c1babc295ed7ecc1ae9e3dd8c04133abc66e7e067c76207bfe8b03da5e0a88c9

Download Submit
C:\Windows\{3B2D889E-B24C-4633-85C2-A877A5BEA4CC}.exe

Filesize
180KB

MD5
96122013188d2912f48aeb53d8cf4b54

SHA1
6725741979222a812ab5b9e44d69c4ccb543adc3

SHA256
bc4a7cd6f79f565562144e4722a2d75133adab469e1972f590e6b7862ca05256

SHA512
4fd3d696f179b998d281e9af6b9b5812bdcaea655413ced90f07b5ca85aad5a7c64324fa448f7c7eaf88cbc2341f781e2683a0d54d53a25e81b643201f10c672

Download Submit
C:\Windows\{8C1E8F1D-31B2-4579-95A4-C1841D4612AF}.exe

Filesize
180KB

MD5
2634b15ad49adb11345e139a6ba8190a

SHA1
3516df553623d7419892439c86cd3026cdf55b67

SHA256
f965bc6e99a8174d36d10c7e275d2790bbf96679a75bd6a5c69d523eeaf38f1f

SHA512
03a623e70c133f5560dd5d8f1ddd1c4c23509063281945c9d167a1f89e0b482314ce5b78987cd6e9d6e582ba6dad6f8b97e7a2f4f2afd304fd8f7332ca907201

Download Submit
C:\Windows\{8ECA9322-4267-41d8-A8BA-6F784ACA30C2}.exe

Filesize
180KB

MD5
68b8e043dbd1ecbce652e27aad2f4bb5

SHA1
b5624939fd917cdec2c71dfce84a41f5b8c192f0

SHA256
545adc859da3c3f064974987541a0e02e4478bfd3567f99d471992461b9ee4e5

SHA512
176270e3ec3cb12183634671f3c91c3737dda181d23061e66f1429a304e41283877e4cb119d5bf0d28a3f69a494ffd059197e1b92f4b77ac81c98403e9d82b23

Download Submit
C:\Windows\{B3E4BFD8-EF9B-4790-8947-897A4370E53C}.exe

Filesize
180KB

MD5
68e54e8ecc861800f59c6bef42b6dc19

SHA1
3602394572604cf7279cda6b4546a8f95c70dc4f

SHA256
58bf58ff7e34564edc315f31bcc915336e63e676bb644ba5ac197939cf6c0e9c

SHA512
8ca6fba7192e3c22cfd108ce076ec35dba409575f90e519a9fac89f1a0b2265a8e3cf9aa0180c00db37e65576b31a8928092334fb5f8309ee1998cbfd4bc7d34

Download Submit
C:\Windows\{B8CAC5A0-031E-4918-B68A-0C717BE9059E}.exe

Filesize
180KB

MD5
550cfdcdc7487875f9cd10c31f16668f

SHA1
945b99696baed4ac5a9c86b81a353b92870fe07c

SHA256
ab39c2de5679c82a989b681e17763c06324a64fc5f3f6cd9550b1434a5be5084

SHA512
4e186aa3d52ebd133fc504916e7377c51cdc71b80403371795586c67016b5f689b1396a63a242d870309ba0fabad32f7960cc645e2f809f002bf315b80c26060

Download Submit
C:\Windows\{C64D069F-28C9-4dd4-AEF2-15E1BC3941CD}.exe

Filesize
180KB

MD5
b8d8ff42bdd946abf6d74e988c22e9dc

SHA1
bac064810e35335d7ed3d3f8b9e03b821448ca00

SHA256
0a0fb81471f5e95a0651d41507dab84712deceff6821702fd7f0ae5cd60bb380

SHA512
15a9e9e513ef7de22870ada402949fea44393e148ae9af4406eeb881fa42757ad17e5f9958dcee8c0bdafa355fdcb45db8010fd6da37d699c08f034fd7724b2c

Download Submit
C:\Windows\{E52D6816-91BA-40d7-9452-D8C0FBDAFDD4}.exe

Filesize
180KB

MD5
2dc0144dfbd32afcb4c11115c51807f3

SHA1
6b6230cec94a583e079002b4c0c2e9029bd14b97

SHA256
155050c71de2202d68b3ce1b1347fddf1118f98715dff4ec79f6d1b6f50e71c7

SHA512
705ab0249ac075650094e974a0f7f3526fd75793066e4abcbda0422d17ee0f0d455d018fb19c2fcdf5efc0b5ed9aab62eb40e3d471170e3b87c73cfca573adc6

Download Submit
C:\Windows\{FED87512-695E-4f87-A2B7-839831143A32}.exe

Filesize
180KB

MD5
2a6dd55dc12666f74381c49090db3237

SHA1
612bcec650c9340295c9c960587f29af52302073

SHA256
6e1fd4549d2f60c349391382eddef8d6cb5d644df4ed8dc65bd01bedbf45720b

SHA512
60bc22df94d397d94b9cd915b2462b321853d84c2e70a4971f4c059d4a000e2e173537c22dbddbd53592463ef8e2381a4454c13605166a2e384f342a03c99a17

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads