5548c4cb5adce2c51af99b27a7104b81d7c9b4bc06775ff0b28af600a98c990e

Analysis

max time kernel
144s
max time network
118s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25/01/2024, 14:42

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-01-25_7be5243da61aa58801401f116b5f824e_goldeneye.exe
Size

216KB
MD5

7be5243da61aa58801401f116b5f824e
SHA1

f804bac07b54e3b61feede0fecfa7f1893195317
SHA256

5548c4cb5adce2c51af99b27a7104b81d7c9b4bc06775ff0b28af600a98c990e
SHA512

5ae4dfb9cd8fb71b63c5a4773c225f66b1f946bec16d0866b634cec3fe961049a4d8dcca7c1bb3fe439302d63d43e1e2669a0f5d39995ac0724e01b8eb5b825c
SSDEEP

3072:jEGh0ovl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEGtlEeKcAEcGy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 13 IoCs

resource	yara_rule
behavioral1/files/0x000d00000001232b-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000013323-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e00000001232b-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0028000000013a13-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f00000001232b-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001000000001232b-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001000000001232b-55.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-62.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001100000001232b-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E9059449-9A2A-46e8-83A4-552C993EE280}	2024-01-25_7be5243da61aa58801401f116b5f824e_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{427D152F-4181-4eac-96DA-4D67DE539747}	{FBC5205A-42E1-452e-BDF2-5625E12A0F45}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{427D152F-4181-4eac-96DA-4D67DE539747}\stubpath = "C:\\Windows\\{427D152F-4181-4eac-96DA-4D67DE539747}.exe"	{FBC5205A-42E1-452e-BDF2-5625E12A0F45}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{480E8DC3-4BAD-4ed7-9C27-06656F40CE4F}	{427D152F-4181-4eac-96DA-4D67DE539747}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{78C6B3C9-2B0D-499e-9409-58FCF5A7800E}\stubpath = "C:\\Windows\\{78C6B3C9-2B0D-499e-9409-58FCF5A7800E}.exe"	{480E8DC3-4BAD-4ed7-9C27-06656F40CE4F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E7BBFBBA-5FCB-4a93-9D34-0D77FBE52E24}\stubpath = "C:\\Windows\\{E7BBFBBA-5FCB-4a93-9D34-0D77FBE52E24}.exe"	{A4AA96A3-ED46-44ed-9797-19DAACFFEDD8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E79FB618-8C1E-4f4e-B395-45747D6BB533}	{E7BBFBBA-5FCB-4a93-9D34-0D77FBE52E24}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E79FB618-8C1E-4f4e-B395-45747D6BB533}\stubpath = "C:\\Windows\\{E79FB618-8C1E-4f4e-B395-45747D6BB533}.exe"	{E7BBFBBA-5FCB-4a93-9D34-0D77FBE52E24}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B738BA4B-016A-4664-8BEC-5D434428E48B}	{7A4D6ACC-2B81-4da6-9711-058135C10619}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{78C6B3C9-2B0D-499e-9409-58FCF5A7800E}	{480E8DC3-4BAD-4ed7-9C27-06656F40CE4F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A4AA96A3-ED46-44ed-9797-19DAACFFEDD8}	{78C6B3C9-2B0D-499e-9409-58FCF5A7800E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E9059449-9A2A-46e8-83A4-552C993EE280}\stubpath = "C:\\Windows\\{E9059449-9A2A-46e8-83A4-552C993EE280}.exe"	2024-01-25_7be5243da61aa58801401f116b5f824e_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FBC5205A-42E1-452e-BDF2-5625E12A0F45}	{E9059449-9A2A-46e8-83A4-552C993EE280}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{480E8DC3-4BAD-4ed7-9C27-06656F40CE4F}\stubpath = "C:\\Windows\\{480E8DC3-4BAD-4ed7-9C27-06656F40CE4F}.exe"	{427D152F-4181-4eac-96DA-4D67DE539747}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A4AA96A3-ED46-44ed-9797-19DAACFFEDD8}\stubpath = "C:\\Windows\\{A4AA96A3-ED46-44ed-9797-19DAACFFEDD8}.exe"	{78C6B3C9-2B0D-499e-9409-58FCF5A7800E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E7BBFBBA-5FCB-4a93-9D34-0D77FBE52E24}	{A4AA96A3-ED46-44ed-9797-19DAACFFEDD8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C663DAA8-CCFA-4d80-863D-86F9F0626F96}	{E79FB618-8C1E-4f4e-B395-45747D6BB533}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7A4D6ACC-2B81-4da6-9711-058135C10619}	{C663DAA8-CCFA-4d80-863D-86F9F0626F96}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FBC5205A-42E1-452e-BDF2-5625E12A0F45}\stubpath = "C:\\Windows\\{FBC5205A-42E1-452e-BDF2-5625E12A0F45}.exe"	{E9059449-9A2A-46e8-83A4-552C993EE280}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C663DAA8-CCFA-4d80-863D-86F9F0626F96}\stubpath = "C:\\Windows\\{C663DAA8-CCFA-4d80-863D-86F9F0626F96}.exe"	{E79FB618-8C1E-4f4e-B395-45747D6BB533}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7A4D6ACC-2B81-4da6-9711-058135C10619}\stubpath = "C:\\Windows\\{7A4D6ACC-2B81-4da6-9711-058135C10619}.exe"	{C663DAA8-CCFA-4d80-863D-86F9F0626F96}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B738BA4B-016A-4664-8BEC-5D434428E48B}\stubpath = "C:\\Windows\\{B738BA4B-016A-4664-8BEC-5D434428E48B}.exe"	{7A4D6ACC-2B81-4da6-9711-058135C10619}.exe

Deletes itself 1 IoCs

pid	Process
2712	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
3048	{E9059449-9A2A-46e8-83A4-552C993EE280}.exe
2848	{FBC5205A-42E1-452e-BDF2-5625E12A0F45}.exe
2888	{427D152F-4181-4eac-96DA-4D67DE539747}.exe
2380	{480E8DC3-4BAD-4ed7-9C27-06656F40CE4F}.exe
2500	{78C6B3C9-2B0D-499e-9409-58FCF5A7800E}.exe
1828	{A4AA96A3-ED46-44ed-9797-19DAACFFEDD8}.exe
1280	{E7BBFBBA-5FCB-4a93-9D34-0D77FBE52E24}.exe
2180	{E79FB618-8C1E-4f4e-B395-45747D6BB533}.exe
2248	{C663DAA8-CCFA-4d80-863D-86F9F0626F96}.exe
2268	{7A4D6ACC-2B81-4da6-9711-058135C10619}.exe
580	{B738BA4B-016A-4664-8BEC-5D434428E48B}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{E9059449-9A2A-46e8-83A4-552C993EE280}.exe	2024-01-25_7be5243da61aa58801401f116b5f824e_goldeneye.exe
File created	C:\Windows\{427D152F-4181-4eac-96DA-4D67DE539747}.exe	{FBC5205A-42E1-452e-BDF2-5625E12A0F45}.exe
File created	C:\Windows\{480E8DC3-4BAD-4ed7-9C27-06656F40CE4F}.exe	{427D152F-4181-4eac-96DA-4D67DE539747}.exe
File created	C:\Windows\{78C6B3C9-2B0D-499e-9409-58FCF5A7800E}.exe	{480E8DC3-4BAD-4ed7-9C27-06656F40CE4F}.exe
File created	C:\Windows\{C663DAA8-CCFA-4d80-863D-86F9F0626F96}.exe	{E79FB618-8C1E-4f4e-B395-45747D6BB533}.exe
File created	C:\Windows\{7A4D6ACC-2B81-4da6-9711-058135C10619}.exe	{C663DAA8-CCFA-4d80-863D-86F9F0626F96}.exe
File created	C:\Windows\{FBC5205A-42E1-452e-BDF2-5625E12A0F45}.exe	{E9059449-9A2A-46e8-83A4-552C993EE280}.exe
File created	C:\Windows\{A4AA96A3-ED46-44ed-9797-19DAACFFEDD8}.exe	{78C6B3C9-2B0D-499e-9409-58FCF5A7800E}.exe
File created	C:\Windows\{E7BBFBBA-5FCB-4a93-9D34-0D77FBE52E24}.exe	{A4AA96A3-ED46-44ed-9797-19DAACFFEDD8}.exe
File created	C:\Windows\{E79FB618-8C1E-4f4e-B395-45747D6BB533}.exe	{E7BBFBBA-5FCB-4a93-9D34-0D77FBE52E24}.exe
File created	C:\Windows\{B738BA4B-016A-4664-8BEC-5D434428E48B}.exe	{7A4D6ACC-2B81-4da6-9711-058135C10619}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1272	2024-01-25_7be5243da61aa58801401f116b5f824e_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3048	{E9059449-9A2A-46e8-83A4-552C993EE280}.exe
Token: SeIncBasePriorityPrivilege	2848	{FBC5205A-42E1-452e-BDF2-5625E12A0F45}.exe
Token: SeIncBasePriorityPrivilege	2888	{427D152F-4181-4eac-96DA-4D67DE539747}.exe
Token: SeIncBasePriorityPrivilege	2380	{480E8DC3-4BAD-4ed7-9C27-06656F40CE4F}.exe
Token: SeIncBasePriorityPrivilege	2500	{78C6B3C9-2B0D-499e-9409-58FCF5A7800E}.exe
Token: SeIncBasePriorityPrivilege	1828	{A4AA96A3-ED46-44ed-9797-19DAACFFEDD8}.exe
Token: SeIncBasePriorityPrivilege	1280	{E7BBFBBA-5FCB-4a93-9D34-0D77FBE52E24}.exe
Token: SeIncBasePriorityPrivilege	2180	{E79FB618-8C1E-4f4e-B395-45747D6BB533}.exe
Token: SeIncBasePriorityPrivilege	2248	{C663DAA8-CCFA-4d80-863D-86F9F0626F96}.exe
Token: SeIncBasePriorityPrivilege	2268	{7A4D6ACC-2B81-4da6-9711-058135C10619}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1272 wrote to memory of 3048	1272	2024-01-25_7be5243da61aa58801401f116b5f824e_goldeneye.exe	28
PID 1272 wrote to memory of 3048	1272	2024-01-25_7be5243da61aa58801401f116b5f824e_goldeneye.exe	28
PID 1272 wrote to memory of 3048	1272	2024-01-25_7be5243da61aa58801401f116b5f824e_goldeneye.exe	28
PID 1272 wrote to memory of 3048	1272	2024-01-25_7be5243da61aa58801401f116b5f824e_goldeneye.exe	28
PID 1272 wrote to memory of 2712	1272	2024-01-25_7be5243da61aa58801401f116b5f824e_goldeneye.exe	29
PID 1272 wrote to memory of 2712	1272	2024-01-25_7be5243da61aa58801401f116b5f824e_goldeneye.exe	29
PID 1272 wrote to memory of 2712	1272	2024-01-25_7be5243da61aa58801401f116b5f824e_goldeneye.exe	29
PID 1272 wrote to memory of 2712	1272	2024-01-25_7be5243da61aa58801401f116b5f824e_goldeneye.exe	29
PID 3048 wrote to memory of 2848	3048	{E9059449-9A2A-46e8-83A4-552C993EE280}.exe	30
PID 3048 wrote to memory of 2848	3048	{E9059449-9A2A-46e8-83A4-552C993EE280}.exe	30
PID 3048 wrote to memory of 2848	3048	{E9059449-9A2A-46e8-83A4-552C993EE280}.exe	30
PID 3048 wrote to memory of 2848	3048	{E9059449-9A2A-46e8-83A4-552C993EE280}.exe	30
PID 3048 wrote to memory of 2764	3048	{E9059449-9A2A-46e8-83A4-552C993EE280}.exe	31
PID 3048 wrote to memory of 2764	3048	{E9059449-9A2A-46e8-83A4-552C993EE280}.exe	31
PID 3048 wrote to memory of 2764	3048	{E9059449-9A2A-46e8-83A4-552C993EE280}.exe	31
PID 3048 wrote to memory of 2764	3048	{E9059449-9A2A-46e8-83A4-552C993EE280}.exe	31
PID 2848 wrote to memory of 2888	2848	{FBC5205A-42E1-452e-BDF2-5625E12A0F45}.exe	32
PID 2848 wrote to memory of 2888	2848	{FBC5205A-42E1-452e-BDF2-5625E12A0F45}.exe	32
PID 2848 wrote to memory of 2888	2848	{FBC5205A-42E1-452e-BDF2-5625E12A0F45}.exe	32
PID 2848 wrote to memory of 2888	2848	{FBC5205A-42E1-452e-BDF2-5625E12A0F45}.exe	32
PID 2848 wrote to memory of 2644	2848	{FBC5205A-42E1-452e-BDF2-5625E12A0F45}.exe	33
PID 2848 wrote to memory of 2644	2848	{FBC5205A-42E1-452e-BDF2-5625E12A0F45}.exe	33
PID 2848 wrote to memory of 2644	2848	{FBC5205A-42E1-452e-BDF2-5625E12A0F45}.exe	33
PID 2848 wrote to memory of 2644	2848	{FBC5205A-42E1-452e-BDF2-5625E12A0F45}.exe	33
PID 2888 wrote to memory of 2380	2888	{427D152F-4181-4eac-96DA-4D67DE539747}.exe	36
PID 2888 wrote to memory of 2380	2888	{427D152F-4181-4eac-96DA-4D67DE539747}.exe	36
PID 2888 wrote to memory of 2380	2888	{427D152F-4181-4eac-96DA-4D67DE539747}.exe	36
PID 2888 wrote to memory of 2380	2888	{427D152F-4181-4eac-96DA-4D67DE539747}.exe	36
PID 2888 wrote to memory of 3032	2888	{427D152F-4181-4eac-96DA-4D67DE539747}.exe	37
PID 2888 wrote to memory of 3032	2888	{427D152F-4181-4eac-96DA-4D67DE539747}.exe	37
PID 2888 wrote to memory of 3032	2888	{427D152F-4181-4eac-96DA-4D67DE539747}.exe	37
PID 2888 wrote to memory of 3032	2888	{427D152F-4181-4eac-96DA-4D67DE539747}.exe	37
PID 2380 wrote to memory of 2500	2380	{480E8DC3-4BAD-4ed7-9C27-06656F40CE4F}.exe	38
PID 2380 wrote to memory of 2500	2380	{480E8DC3-4BAD-4ed7-9C27-06656F40CE4F}.exe	38
PID 2380 wrote to memory of 2500	2380	{480E8DC3-4BAD-4ed7-9C27-06656F40CE4F}.exe	38
PID 2380 wrote to memory of 2500	2380	{480E8DC3-4BAD-4ed7-9C27-06656F40CE4F}.exe	38
PID 2380 wrote to memory of 1840	2380	{480E8DC3-4BAD-4ed7-9C27-06656F40CE4F}.exe	39
PID 2380 wrote to memory of 1840	2380	{480E8DC3-4BAD-4ed7-9C27-06656F40CE4F}.exe	39
PID 2380 wrote to memory of 1840	2380	{480E8DC3-4BAD-4ed7-9C27-06656F40CE4F}.exe	39
PID 2380 wrote to memory of 1840	2380	{480E8DC3-4BAD-4ed7-9C27-06656F40CE4F}.exe	39
PID 2500 wrote to memory of 1828	2500	{78C6B3C9-2B0D-499e-9409-58FCF5A7800E}.exe	40
PID 2500 wrote to memory of 1828	2500	{78C6B3C9-2B0D-499e-9409-58FCF5A7800E}.exe	40
PID 2500 wrote to memory of 1828	2500	{78C6B3C9-2B0D-499e-9409-58FCF5A7800E}.exe	40
PID 2500 wrote to memory of 1828	2500	{78C6B3C9-2B0D-499e-9409-58FCF5A7800E}.exe	40
PID 2500 wrote to memory of 2352	2500	{78C6B3C9-2B0D-499e-9409-58FCF5A7800E}.exe	41
PID 2500 wrote to memory of 2352	2500	{78C6B3C9-2B0D-499e-9409-58FCF5A7800E}.exe	41
PID 2500 wrote to memory of 2352	2500	{78C6B3C9-2B0D-499e-9409-58FCF5A7800E}.exe	41
PID 2500 wrote to memory of 2352	2500	{78C6B3C9-2B0D-499e-9409-58FCF5A7800E}.exe	41
PID 1828 wrote to memory of 1280	1828	{A4AA96A3-ED46-44ed-9797-19DAACFFEDD8}.exe	43
PID 1828 wrote to memory of 1280	1828	{A4AA96A3-ED46-44ed-9797-19DAACFFEDD8}.exe	43
PID 1828 wrote to memory of 1280	1828	{A4AA96A3-ED46-44ed-9797-19DAACFFEDD8}.exe	43
PID 1828 wrote to memory of 1280	1828	{A4AA96A3-ED46-44ed-9797-19DAACFFEDD8}.exe	43
PID 1828 wrote to memory of 1040	1828	{A4AA96A3-ED46-44ed-9797-19DAACFFEDD8}.exe	42
PID 1828 wrote to memory of 1040	1828	{A4AA96A3-ED46-44ed-9797-19DAACFFEDD8}.exe	42
PID 1828 wrote to memory of 1040	1828	{A4AA96A3-ED46-44ed-9797-19DAACFFEDD8}.exe	42
PID 1828 wrote to memory of 1040	1828	{A4AA96A3-ED46-44ed-9797-19DAACFFEDD8}.exe	42
PID 1280 wrote to memory of 2180	1280	{E7BBFBBA-5FCB-4a93-9D34-0D77FBE52E24}.exe	45
PID 1280 wrote to memory of 2180	1280	{E7BBFBBA-5FCB-4a93-9D34-0D77FBE52E24}.exe	45
PID 1280 wrote to memory of 2180	1280	{E7BBFBBA-5FCB-4a93-9D34-0D77FBE52E24}.exe	45
PID 1280 wrote to memory of 2180	1280	{E7BBFBBA-5FCB-4a93-9D34-0D77FBE52E24}.exe	45
PID 1280 wrote to memory of 1680	1280	{E7BBFBBA-5FCB-4a93-9D34-0D77FBE52E24}.exe	44
PID 1280 wrote to memory of 1680	1280	{E7BBFBBA-5FCB-4a93-9D34-0D77FBE52E24}.exe	44
PID 1280 wrote to memory of 1680	1280	{E7BBFBBA-5FCB-4a93-9D34-0D77FBE52E24}.exe	44
PID 1280 wrote to memory of 1680	1280	{E7BBFBBA-5FCB-4a93-9D34-0D77FBE52E24}.exe	44

C:\Users\Admin\AppData\Local\Temp\2024-01-25_7be5243da61aa58801401f116b5f824e_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-25_7be5243da61aa58801401f116b5f824e_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1272
- C:\Windows\{E9059449-9A2A-46e8-83A4-552C993EE280}.exe
  C:\Windows\{E9059449-9A2A-46e8-83A4-552C993EE280}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3048
- - C:\Windows\{FBC5205A-42E1-452e-BDF2-5625E12A0F45}.exe
    C:\Windows\{FBC5205A-42E1-452e-BDF2-5625E12A0F45}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2848
  - - C:\Windows\{427D152F-4181-4eac-96DA-4D67DE539747}.exe
      C:\Windows\{427D152F-4181-4eac-96DA-4D67DE539747}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2888
    - - C:\Windows\{480E8DC3-4BAD-4ed7-9C27-06656F40CE4F}.exe
        
        C:\Windows\{480E8DC3-4BAD-4ed7-9C27-06656F40CE4F}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2380
      - C:\Windows\{78C6B3C9-2B0D-499e-9409-58FCF5A7800E}.exe
        
        C:\Windows\{78C6B3C9-2B0D-499e-9409-58FCF5A7800E}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2500
        
        C:\Windows\{A4AA96A3-ED46-44ed-9797-19DAACFFEDD8}.exe
        
        C:\Windows\{A4AA96A3-ED46-44ed-9797-19DAACFFEDD8}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A4AA9~1.EXE > nul
        8⤵
        
        PID:1040
        
        C:\Windows\{E7BBFBBA-5FCB-4a93-9D34-0D77FBE52E24}.exe
        
        C:\Windows\{E7BBFBBA-5FCB-4a93-9D34-0D77FBE52E24}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E7BBF~1.EXE > nul
        9⤵
        
        PID:1680
        
        C:\Windows\{E79FB618-8C1E-4f4e-B395-45747D6BB533}.exe
        
        C:\Windows\{E79FB618-8C1E-4f4e-B395-45747D6BB533}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2180
        
        C:\Windows\{C663DAA8-CCFA-4d80-863D-86F9F0626F96}.exe
        
        C:\Windows\{C663DAA8-CCFA-4d80-863D-86F9F0626F96}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C663D~1.EXE > nul
        11⤵
        
        PID:268
        
        C:\Windows\{7A4D6ACC-2B81-4da6-9711-058135C10619}.exe
        
        C:\Windows\{7A4D6ACC-2B81-4da6-9711-058135C10619}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2268
        
        C:\Windows\{B738BA4B-016A-4664-8BEC-5D434428E48B}.exe
        
        C:\Windows\{B738BA4B-016A-4664-8BEC-5D434428E48B}.exe
        12⤵
        Executes dropped EXE
        
        PID:580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7A4D6~1.EXE > nul
        12⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E79FB~1.EXE > nul
        10⤵
        
        PID:1240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{78C6B~1.EXE > nul
        7⤵
        
        PID:2352
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{480E8~1.EXE > nul
        6⤵
        
        PID:1840
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{427D1~1.EXE > nul
        5⤵
        
        PID:3032
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{FBC52~1.EXE > nul
      4⤵
      PID:2644
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{E9059~1.EXE > nul
    3⤵
    PID:2764
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{427D152F-4181-4eac-96DA-4D67DE539747}.exe

Filesize
216KB

MD5
d5e696779ecd309396cec7b1045faf5b

SHA1
d4f34c47a5df2bd86e8fb1a6af432519d6d201ec

SHA256
b0ab46ede7c34132f051ad9359abf90d161eeb125d4e89438d552029f7fb4e40

SHA512
0a87795b5da34c4f32a1aae80cc05fe18aa58e4ae2798cf437f393a91eb7e027d6a0ce5c55a5e17424178e18b60f2b043cf704e9e64fe84481ff4756611e5579

Download Submit
C:\Windows\{480E8DC3-4BAD-4ed7-9C27-06656F40CE4F}.exe

Filesize
216KB

MD5
054c40ce0eb5605da13353e4feb7cf7e

SHA1
db9cb89bd9eb49f06844927c945911e1a5ca2016

SHA256
b577935280e40746c9940fccfcdbde2acedd4ab38742273b45b574006abe4655

SHA512
3bd45c24c3d0c1b78b0ffe252da8deae81e2a5da7fb2f935d33333b2313d8f2be9b681dbb325d84f281ec8ff88ea3b37d856774220222582a69ce01e52f11653

Download Submit
C:\Windows\{78C6B3C9-2B0D-499e-9409-58FCF5A7800E}.exe

Filesize
216KB

MD5
8ee3c7235386d5bd9acdc8bd2998e35c

SHA1
c6243ebe62d27199477d08243825dc97c55425d8

SHA256
366de218bc8a5e59a77869dc3cfd7ce11f9c5b562e48fa11acc77b8b45315ecd

SHA512
330bd2268c37df96e5bf74c734b48d4d3d3620b8b9a15afd395f7538d60a2262f9a4e46002cf134a3ab31c6cff337c26fffa1786eec1a8e8dbc1858a061c82ea

Download Submit
C:\Windows\{7A4D6ACC-2B81-4da6-9711-058135C10619}.exe

Filesize
216KB

MD5
baee1f2ad55fe4d447452ec56476cc7a

SHA1
cfbaa98bf22e892239f39201bd1934d45686b562

SHA256
3d2302c1eb00412e968680e1028517eb3471b26f3808e24ccad5460d0948f264

SHA512
6afd1fa0c965c4ea2209db5e51a480f9a333a1b992e4cc9aa5c038aa41d4c0cde69780c10a8f255224679833f5e0019cf7b2372964ae80ff045935c990501bd7

Download Submit
C:\Windows\{A4AA96A3-ED46-44ed-9797-19DAACFFEDD8}.exe

Filesize
216KB

MD5
d479e190b5c9e67f9985079334b0331c

SHA1
5dfff935b25b0a72ce620cd06c48dbe3b8608329

SHA256
e97fdf3331f91d42d1c3d6e0143730fdf69d45e0115d088bf897883775cbc6b4

SHA512
74a32148769b17b2b6cc48a791e4f2d7103715c0a85c89e3700409374d4f6a7e0ac9b3f60ab0e63078d94fd3e8b0a549b913b94a3958dadc87bfe26c632df92e

Download Submit
C:\Windows\{B738BA4B-016A-4664-8BEC-5D434428E48B}.exe

Filesize
216KB

MD5
7387049b5f4ed3b6390ca3107bba13ec

SHA1
6f8612121bd5e69678c103b01c5e642471a7720b

SHA256
a2b3c2fc8063ef614a5e105f0d77cb74c33f592407e1e7cee943d79d8327ca01

SHA512
7c37a5e1ddc95123f6e1e4a8601515794652933ffc4a65a2894cdbdc7557bf26d26daf133da63a6a060305d0a2c48ebcfc51e92dd330390cf54b0550f2ff0579

Download Submit
C:\Windows\{C663DAA8-CCFA-4d80-863D-86F9F0626F96}.exe

Filesize
111KB

MD5
429841af4e319eadbc640f351b75a6d5

SHA1
fae14c70a41267d80d9d9ad98a1aa38bf945753b

SHA256
969554c154e8127ba31d95dafb0958a11b1477e7b2b1a42cd9c25d575f0c269a

SHA512
b29703c779d57e95480d2f43a2103ed0640bc846e1f7fa93ad6f72cb6aa62f716ff6734be114dbc92ad6339db62257a0e58400f9b8f75488f959bf80e86c146b

Download Submit
C:\Windows\{C663DAA8-CCFA-4d80-863D-86F9F0626F96}.exe

Filesize
216KB

MD5
1a14e6192b68e2b39dbc5f62bb7b17e2

SHA1
007ae0aa953be52457afb6b68c012da0eb2dbeb2

SHA256
51ff21c644af57c25d23a84865d631dc6141ad942437e05d2b9a9b95c34dd428

SHA512
f0d45b00703766e187e925d854b3c7f938f3d1fdc0dcba288ba91bf912aba6cd2f2b142ff8abf123bafb9d1c3db1bb897fb4319868949f8f04ea1639a4fbccd6

Download Submit
C:\Windows\{E79FB618-8C1E-4f4e-B395-45747D6BB533}.exe

Filesize
216KB

MD5
d2a901f2b20eb114cd9169137cb31084

SHA1
e6858279ac288c0399f70ee30f1077479a79d8b3

SHA256
b78ba584193cf9054a24141412d3492022a4063551eb687df87ca3b386e857da

SHA512
645ecb1396c535ca455f55063c4b032fc79d47985e20df2ab14f14285ffcef0f4cdb2e37d82b8aa770ffe7f554d5c2a2c238d9d98f23d13cf4080a41cc66b07b

Download Submit
C:\Windows\{E79FB618-8C1E-4f4e-B395-45747D6BB533}.exe

Filesize
136KB

MD5
ede95cfcd6c0910f2aa6dda5e114ed0c

SHA1
28281add4e6d63bb4196cf74fa10f9ecb6714473

SHA256
1181f9bfc359aea0588d6dca9c1a6140212d86af94185f1c6e26fa55f65b5c06

SHA512
71c0d1daf07de052b5c494439160491e090c205099b76b42f40b9d810bed069441d468a4ee4695df979780baf1e58fb391c99f05d3179d6176cd4aa8087212a8

Download Submit
C:\Windows\{E7BBFBBA-5FCB-4a93-9D34-0D77FBE52E24}.exe

Filesize
216KB

MD5
54577a644dd450f9777d6ded147172e0

SHA1
d72b49c3daf374e265ef4be60f77492d57ffcdd9

SHA256
0d2f6402920dbb1d8d2475c66b0bbce477b06ef209ba05cd9cf703af7639e715

SHA512
347059b12decafc74e8b1b588d3a08f722622ba1e381b5d80e2d1e8788e04fc94f3cc7ca6977761225c5fc8575a4e96f49afb51c733e78ae6f26c68fbdeb24a9

Download Submit
C:\Windows\{E9059449-9A2A-46e8-83A4-552C993EE280}.exe

Filesize
216KB

MD5
c352201f2e36ff14b8d6b12fca3214e6

SHA1
4bd451613958fd120c578d6cb5a5d12c64ec037c

SHA256
72ee43be6cb571e9b7628bcb225acc7f53045f6cc06dc3009d3633c4b7ff8c5b

SHA512
c217e6b577849699f0e3900728081f3c0d963dea20842faa75c9d982d0fc6bbd5ff206360bffb80534ef7f701596c71f947db4ca7dc5445e228133a8de55c2e1

Download Submit
C:\Windows\{FBC5205A-42E1-452e-BDF2-5625E12A0F45}.exe

Filesize
216KB

MD5
46090194d42855171a8a59f2c957d225

SHA1
ffb5f59a70c6e10a02bd34ae7612505f49f590e1

SHA256
02ce6736465eb249aba2b3c8cca6781f6d799c7a9df25561a91530321b1550a8

SHA512
00572fb4eaa893a33574fd04a46010398529db3c044e078baa7efa302b173f7dd0d242e4b66bcd2b48d6657517c1dae5506dd6c5ad1a86f9e430e44c2450dfc9

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads