c9921d243740c91708e20fc01a61aefd0ac7b2d56d1cc211ceeddf6a117d65ec

Analysis

max time kernel
144s
max time network
123s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
26/01/2024, 20:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-26_2e558f98600c58e382ab1a0159d3f58c_goldeneye.exe
Size

408KB
MD5

2e558f98600c58e382ab1a0159d3f58c
SHA1

3edacc46ef239c3af4cff01829c6df9325504d7b
SHA256

c9921d243740c91708e20fc01a61aefd0ac7b2d56d1cc211ceeddf6a117d65ec
SHA512

44a37e8f70409fa91bb30b745e7693f08b312ab9cd4d57cdb7b5187149e12bdf5dd236c5a7e5b8e0d7cde5cc51c1c374a6f649a0a28c2d2eb683991e0d80ea42
SSDEEP

3072:CEGh0osl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGKldOe2MUVg3vTeKcAEciTBqr3jy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 13 IoCs

resource	yara_rule
behavioral1/files/0x000d00000001225c-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b000000014177-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e00000001225c-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0031000000015d50-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f00000001225c-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001000000001225c-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001100000001225c-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001100000001225c-69.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{18373925-7AFD-4831-8F32-00F43A6E2D4E}	2024-01-26_2e558f98600c58e382ab1a0159d3f58c_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1CEF0168-9AD2-4e34-BE65-F041005E21FC}\stubpath = "C:\\Windows\\{1CEF0168-9AD2-4e34-BE65-F041005E21FC}.exe"	{18373925-7AFD-4831-8F32-00F43A6E2D4E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{860E7611-A801-488d-A7A8-83155AD71730}\stubpath = "C:\\Windows\\{860E7611-A801-488d-A7A8-83155AD71730}.exe"	{1CEF0168-9AD2-4e34-BE65-F041005E21FC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1A2BD5D7-DBB2-4e70-A26C-E42ABE3F2918}	{860E7611-A801-488d-A7A8-83155AD71730}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{35573E3D-9AD4-4d22-9240-E44ED7A687A3}\stubpath = "C:\\Windows\\{35573E3D-9AD4-4d22-9240-E44ED7A687A3}.exe"	{D684C833-9BD3-4589-BCFB-D69EDD61BF84}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{64BB8865-A214-4bc8-AC74-8E1D2D2346F8}\stubpath = "C:\\Windows\\{64BB8865-A214-4bc8-AC74-8E1D2D2346F8}.exe"	{05742D5D-8FE7-4628-8A66-EAFF246789D2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1CEF0168-9AD2-4e34-BE65-F041005E21FC}	{18373925-7AFD-4831-8F32-00F43A6E2D4E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{129F1272-81A2-4f4c-8825-35B73C081675}\stubpath = "C:\\Windows\\{129F1272-81A2-4f4c-8825-35B73C081675}.exe"	{1A2BD5D7-DBB2-4e70-A26C-E42ABE3F2918}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3D38BCC9-CAD7-4bb2-B09B-B92FE719342A}	{35573E3D-9AD4-4d22-9240-E44ED7A687A3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{05742D5D-8FE7-4628-8A66-EAFF246789D2}\stubpath = "C:\\Windows\\{05742D5D-8FE7-4628-8A66-EAFF246789D2}.exe"	{3D38BCC9-CAD7-4bb2-B09B-B92FE719342A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{860E7611-A801-488d-A7A8-83155AD71730}	{1CEF0168-9AD2-4e34-BE65-F041005E21FC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D4170310-406F-4f32-BBC2-42C8118161A8}\stubpath = "C:\\Windows\\{D4170310-406F-4f32-BBC2-42C8118161A8}.exe"	{129F1272-81A2-4f4c-8825-35B73C081675}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D684C833-9BD3-4589-BCFB-D69EDD61BF84}	{D4170310-406F-4f32-BBC2-42C8118161A8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D684C833-9BD3-4589-BCFB-D69EDD61BF84}\stubpath = "C:\\Windows\\{D684C833-9BD3-4589-BCFB-D69EDD61BF84}.exe"	{D4170310-406F-4f32-BBC2-42C8118161A8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{05742D5D-8FE7-4628-8A66-EAFF246789D2}	{3D38BCC9-CAD7-4bb2-B09B-B92FE719342A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{18373925-7AFD-4831-8F32-00F43A6E2D4E}\stubpath = "C:\\Windows\\{18373925-7AFD-4831-8F32-00F43A6E2D4E}.exe"	2024-01-26_2e558f98600c58e382ab1a0159d3f58c_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1A2BD5D7-DBB2-4e70-A26C-E42ABE3F2918}\stubpath = "C:\\Windows\\{1A2BD5D7-DBB2-4e70-A26C-E42ABE3F2918}.exe"	{860E7611-A801-488d-A7A8-83155AD71730}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{129F1272-81A2-4f4c-8825-35B73C081675}	{1A2BD5D7-DBB2-4e70-A26C-E42ABE3F2918}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D4170310-406F-4f32-BBC2-42C8118161A8}	{129F1272-81A2-4f4c-8825-35B73C081675}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{35573E3D-9AD4-4d22-9240-E44ED7A687A3}	{D684C833-9BD3-4589-BCFB-D69EDD61BF84}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3D38BCC9-CAD7-4bb2-B09B-B92FE719342A}\stubpath = "C:\\Windows\\{3D38BCC9-CAD7-4bb2-B09B-B92FE719342A}.exe"	{35573E3D-9AD4-4d22-9240-E44ED7A687A3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{64BB8865-A214-4bc8-AC74-8E1D2D2346F8}	{05742D5D-8FE7-4628-8A66-EAFF246789D2}.exe

Deletes itself 1 IoCs

pid	Process
2700	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2264	{18373925-7AFD-4831-8F32-00F43A6E2D4E}.exe
2556	{1CEF0168-9AD2-4e34-BE65-F041005E21FC}.exe
2724	{860E7611-A801-488d-A7A8-83155AD71730}.exe
1960	{1A2BD5D7-DBB2-4e70-A26C-E42ABE3F2918}.exe
1820	{129F1272-81A2-4f4c-8825-35B73C081675}.exe
2020	{D4170310-406F-4f32-BBC2-42C8118161A8}.exe
1976	{D684C833-9BD3-4589-BCFB-D69EDD61BF84}.exe
1008	{35573E3D-9AD4-4d22-9240-E44ED7A687A3}.exe
2640	{3D38BCC9-CAD7-4bb2-B09B-B92FE719342A}.exe
744	{05742D5D-8FE7-4628-8A66-EAFF246789D2}.exe
572	{64BB8865-A214-4bc8-AC74-8E1D2D2346F8}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{D4170310-406F-4f32-BBC2-42C8118161A8}.exe	{129F1272-81A2-4f4c-8825-35B73C081675}.exe
File created	C:\Windows\{D684C833-9BD3-4589-BCFB-D69EDD61BF84}.exe	{D4170310-406F-4f32-BBC2-42C8118161A8}.exe
File created	C:\Windows\{35573E3D-9AD4-4d22-9240-E44ED7A687A3}.exe	{D684C833-9BD3-4589-BCFB-D69EDD61BF84}.exe
File created	C:\Windows\{18373925-7AFD-4831-8F32-00F43A6E2D4E}.exe	2024-01-26_2e558f98600c58e382ab1a0159d3f58c_goldeneye.exe
File created	C:\Windows\{860E7611-A801-488d-A7A8-83155AD71730}.exe	{1CEF0168-9AD2-4e34-BE65-F041005E21FC}.exe
File created	C:\Windows\{129F1272-81A2-4f4c-8825-35B73C081675}.exe	{1A2BD5D7-DBB2-4e70-A26C-E42ABE3F2918}.exe
File created	C:\Windows\{3D38BCC9-CAD7-4bb2-B09B-B92FE719342A}.exe	{35573E3D-9AD4-4d22-9240-E44ED7A687A3}.exe
File created	C:\Windows\{05742D5D-8FE7-4628-8A66-EAFF246789D2}.exe	{3D38BCC9-CAD7-4bb2-B09B-B92FE719342A}.exe
File created	C:\Windows\{64BB8865-A214-4bc8-AC74-8E1D2D2346F8}.exe	{05742D5D-8FE7-4628-8A66-EAFF246789D2}.exe
File created	C:\Windows\{1CEF0168-9AD2-4e34-BE65-F041005E21FC}.exe	{18373925-7AFD-4831-8F32-00F43A6E2D4E}.exe
File created	C:\Windows\{1A2BD5D7-DBB2-4e70-A26C-E42ABE3F2918}.exe	{860E7611-A801-488d-A7A8-83155AD71730}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2016	2024-01-26_2e558f98600c58e382ab1a0159d3f58c_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2264	{18373925-7AFD-4831-8F32-00F43A6E2D4E}.exe
Token: SeIncBasePriorityPrivilege	2556	{1CEF0168-9AD2-4e34-BE65-F041005E21FC}.exe
Token: SeIncBasePriorityPrivilege	2724	{860E7611-A801-488d-A7A8-83155AD71730}.exe
Token: SeIncBasePriorityPrivilege	1960	{1A2BD5D7-DBB2-4e70-A26C-E42ABE3F2918}.exe
Token: SeIncBasePriorityPrivilege	1820	{129F1272-81A2-4f4c-8825-35B73C081675}.exe
Token: SeIncBasePriorityPrivilege	2020	{D4170310-406F-4f32-BBC2-42C8118161A8}.exe
Token: SeIncBasePriorityPrivilege	1976	{D684C833-9BD3-4589-BCFB-D69EDD61BF84}.exe
Token: SeIncBasePriorityPrivilege	1008	{35573E3D-9AD4-4d22-9240-E44ED7A687A3}.exe
Token: SeIncBasePriorityPrivilege	2640	{3D38BCC9-CAD7-4bb2-B09B-B92FE719342A}.exe
Token: SeIncBasePriorityPrivilege	744	{05742D5D-8FE7-4628-8A66-EAFF246789D2}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2016 wrote to memory of 2264	2016	2024-01-26_2e558f98600c58e382ab1a0159d3f58c_goldeneye.exe	28
PID 2016 wrote to memory of 2264	2016	2024-01-26_2e558f98600c58e382ab1a0159d3f58c_goldeneye.exe	28
PID 2016 wrote to memory of 2264	2016	2024-01-26_2e558f98600c58e382ab1a0159d3f58c_goldeneye.exe	28
PID 2016 wrote to memory of 2264	2016	2024-01-26_2e558f98600c58e382ab1a0159d3f58c_goldeneye.exe	28
PID 2016 wrote to memory of 2700	2016	2024-01-26_2e558f98600c58e382ab1a0159d3f58c_goldeneye.exe	29
PID 2016 wrote to memory of 2700	2016	2024-01-26_2e558f98600c58e382ab1a0159d3f58c_goldeneye.exe	29
PID 2016 wrote to memory of 2700	2016	2024-01-26_2e558f98600c58e382ab1a0159d3f58c_goldeneye.exe	29
PID 2016 wrote to memory of 2700	2016	2024-01-26_2e558f98600c58e382ab1a0159d3f58c_goldeneye.exe	29
PID 2264 wrote to memory of 2556	2264	{18373925-7AFD-4831-8F32-00F43A6E2D4E}.exe	30
PID 2264 wrote to memory of 2556	2264	{18373925-7AFD-4831-8F32-00F43A6E2D4E}.exe	30
PID 2264 wrote to memory of 2556	2264	{18373925-7AFD-4831-8F32-00F43A6E2D4E}.exe	30
PID 2264 wrote to memory of 2556	2264	{18373925-7AFD-4831-8F32-00F43A6E2D4E}.exe	30
PID 2264 wrote to memory of 2712	2264	{18373925-7AFD-4831-8F32-00F43A6E2D4E}.exe	31
PID 2264 wrote to memory of 2712	2264	{18373925-7AFD-4831-8F32-00F43A6E2D4E}.exe	31
PID 2264 wrote to memory of 2712	2264	{18373925-7AFD-4831-8F32-00F43A6E2D4E}.exe	31
PID 2264 wrote to memory of 2712	2264	{18373925-7AFD-4831-8F32-00F43A6E2D4E}.exe	31
PID 2556 wrote to memory of 2724	2556	{1CEF0168-9AD2-4e34-BE65-F041005E21FC}.exe	32
PID 2556 wrote to memory of 2724	2556	{1CEF0168-9AD2-4e34-BE65-F041005E21FC}.exe	32
PID 2556 wrote to memory of 2724	2556	{1CEF0168-9AD2-4e34-BE65-F041005E21FC}.exe	32
PID 2556 wrote to memory of 2724	2556	{1CEF0168-9AD2-4e34-BE65-F041005E21FC}.exe	32
PID 2556 wrote to memory of 2500	2556	{1CEF0168-9AD2-4e34-BE65-F041005E21FC}.exe	33
PID 2556 wrote to memory of 2500	2556	{1CEF0168-9AD2-4e34-BE65-F041005E21FC}.exe	33
PID 2556 wrote to memory of 2500	2556	{1CEF0168-9AD2-4e34-BE65-F041005E21FC}.exe	33
PID 2556 wrote to memory of 2500	2556	{1CEF0168-9AD2-4e34-BE65-F041005E21FC}.exe	33
PID 2724 wrote to memory of 1960	2724	{860E7611-A801-488d-A7A8-83155AD71730}.exe	36
PID 2724 wrote to memory of 1960	2724	{860E7611-A801-488d-A7A8-83155AD71730}.exe	36
PID 2724 wrote to memory of 1960	2724	{860E7611-A801-488d-A7A8-83155AD71730}.exe	36
PID 2724 wrote to memory of 1960	2724	{860E7611-A801-488d-A7A8-83155AD71730}.exe	36
PID 2724 wrote to memory of 2152	2724	{860E7611-A801-488d-A7A8-83155AD71730}.exe	37
PID 2724 wrote to memory of 2152	2724	{860E7611-A801-488d-A7A8-83155AD71730}.exe	37
PID 2724 wrote to memory of 2152	2724	{860E7611-A801-488d-A7A8-83155AD71730}.exe	37
PID 2724 wrote to memory of 2152	2724	{860E7611-A801-488d-A7A8-83155AD71730}.exe	37
PID 1960 wrote to memory of 1820	1960	{1A2BD5D7-DBB2-4e70-A26C-E42ABE3F2918}.exe	38
PID 1960 wrote to memory of 1820	1960	{1A2BD5D7-DBB2-4e70-A26C-E42ABE3F2918}.exe	38
PID 1960 wrote to memory of 1820	1960	{1A2BD5D7-DBB2-4e70-A26C-E42ABE3F2918}.exe	38
PID 1960 wrote to memory of 1820	1960	{1A2BD5D7-DBB2-4e70-A26C-E42ABE3F2918}.exe	38
PID 1960 wrote to memory of 2848	1960	{1A2BD5D7-DBB2-4e70-A26C-E42ABE3F2918}.exe	39
PID 1960 wrote to memory of 2848	1960	{1A2BD5D7-DBB2-4e70-A26C-E42ABE3F2918}.exe	39
PID 1960 wrote to memory of 2848	1960	{1A2BD5D7-DBB2-4e70-A26C-E42ABE3F2918}.exe	39
PID 1960 wrote to memory of 2848	1960	{1A2BD5D7-DBB2-4e70-A26C-E42ABE3F2918}.exe	39
PID 1820 wrote to memory of 2020	1820	{129F1272-81A2-4f4c-8825-35B73C081675}.exe	40
PID 1820 wrote to memory of 2020	1820	{129F1272-81A2-4f4c-8825-35B73C081675}.exe	40
PID 1820 wrote to memory of 2020	1820	{129F1272-81A2-4f4c-8825-35B73C081675}.exe	40
PID 1820 wrote to memory of 2020	1820	{129F1272-81A2-4f4c-8825-35B73C081675}.exe	40
PID 1820 wrote to memory of 2176	1820	{129F1272-81A2-4f4c-8825-35B73C081675}.exe	41
PID 1820 wrote to memory of 2176	1820	{129F1272-81A2-4f4c-8825-35B73C081675}.exe	41
PID 1820 wrote to memory of 2176	1820	{129F1272-81A2-4f4c-8825-35B73C081675}.exe	41
PID 1820 wrote to memory of 2176	1820	{129F1272-81A2-4f4c-8825-35B73C081675}.exe	41
PID 2020 wrote to memory of 1976	2020	{D4170310-406F-4f32-BBC2-42C8118161A8}.exe	42
PID 2020 wrote to memory of 1976	2020	{D4170310-406F-4f32-BBC2-42C8118161A8}.exe	42
PID 2020 wrote to memory of 1976	2020	{D4170310-406F-4f32-BBC2-42C8118161A8}.exe	42
PID 2020 wrote to memory of 1976	2020	{D4170310-406F-4f32-BBC2-42C8118161A8}.exe	42
PID 2020 wrote to memory of 2160	2020	{D4170310-406F-4f32-BBC2-42C8118161A8}.exe	43
PID 2020 wrote to memory of 2160	2020	{D4170310-406F-4f32-BBC2-42C8118161A8}.exe	43
PID 2020 wrote to memory of 2160	2020	{D4170310-406F-4f32-BBC2-42C8118161A8}.exe	43
PID 2020 wrote to memory of 2160	2020	{D4170310-406F-4f32-BBC2-42C8118161A8}.exe	43
PID 1976 wrote to memory of 1008	1976	{D684C833-9BD3-4589-BCFB-D69EDD61BF84}.exe	44
PID 1976 wrote to memory of 1008	1976	{D684C833-9BD3-4589-BCFB-D69EDD61BF84}.exe	44
PID 1976 wrote to memory of 1008	1976	{D684C833-9BD3-4589-BCFB-D69EDD61BF84}.exe	44
PID 1976 wrote to memory of 1008	1976	{D684C833-9BD3-4589-BCFB-D69EDD61BF84}.exe	44
PID 1976 wrote to memory of 2336	1976	{D684C833-9BD3-4589-BCFB-D69EDD61BF84}.exe	45
PID 1976 wrote to memory of 2336	1976	{D684C833-9BD3-4589-BCFB-D69EDD61BF84}.exe	45
PID 1976 wrote to memory of 2336	1976	{D684C833-9BD3-4589-BCFB-D69EDD61BF84}.exe	45
PID 1976 wrote to memory of 2336	1976	{D684C833-9BD3-4589-BCFB-D69EDD61BF84}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-01-26_2e558f98600c58e382ab1a0159d3f58c_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-26_2e558f98600c58e382ab1a0159d3f58c_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2016
- C:\Windows\{18373925-7AFD-4831-8F32-00F43A6E2D4E}.exe
  C:\Windows\{18373925-7AFD-4831-8F32-00F43A6E2D4E}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2264
- - C:\Windows\{1CEF0168-9AD2-4e34-BE65-F041005E21FC}.exe
    C:\Windows\{1CEF0168-9AD2-4e34-BE65-F041005E21FC}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2556
  - - C:\Windows\{860E7611-A801-488d-A7A8-83155AD71730}.exe
      C:\Windows\{860E7611-A801-488d-A7A8-83155AD71730}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2724
    - - C:\Windows\{1A2BD5D7-DBB2-4e70-A26C-E42ABE3F2918}.exe
        
        C:\Windows\{1A2BD5D7-DBB2-4e70-A26C-E42ABE3F2918}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1960
      - C:\Windows\{129F1272-81A2-4f4c-8825-35B73C081675}.exe
        
        C:\Windows\{129F1272-81A2-4f4c-8825-35B73C081675}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1820
        
        C:\Windows\{D4170310-406F-4f32-BBC2-42C8118161A8}.exe
        
        C:\Windows\{D4170310-406F-4f32-BBC2-42C8118161A8}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2020
        
        C:\Windows\{D684C833-9BD3-4589-BCFB-D69EDD61BF84}.exe
        
        C:\Windows\{D684C833-9BD3-4589-BCFB-D69EDD61BF84}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1976
        
        C:\Windows\{35573E3D-9AD4-4d22-9240-E44ED7A687A3}.exe
        
        C:\Windows\{35573E3D-9AD4-4d22-9240-E44ED7A687A3}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1008
        
        C:\Windows\{3D38BCC9-CAD7-4bb2-B09B-B92FE719342A}.exe
        
        C:\Windows\{3D38BCC9-CAD7-4bb2-B09B-B92FE719342A}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2640
        
        C:\Windows\{05742D5D-8FE7-4628-8A66-EAFF246789D2}.exe
        
        C:\Windows\{05742D5D-8FE7-4628-8A66-EAFF246789D2}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:744
        
        C:\Windows\{64BB8865-A214-4bc8-AC74-8E1D2D2346F8}.exe
        
        C:\Windows\{64BB8865-A214-4bc8-AC74-8E1D2D2346F8}.exe
        12⤵
        Executes dropped EXE
        
        PID:572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{05742~1.EXE > nul
        12⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3D38B~1.EXE > nul
        11⤵
        
        PID:1428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{35573~1.EXE > nul
        10⤵
        
        PID:1296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D684C~1.EXE > nul
        9⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D4170~1.EXE > nul
        8⤵
        
        PID:2160
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{129F1~1.EXE > nul
        7⤵
        
        PID:2176
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1A2BD~1.EXE > nul
        6⤵
        
        PID:2848
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{860E7~1.EXE > nul
        5⤵
        
        PID:2152
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{1CEF0~1.EXE > nul
      4⤵
      PID:2500
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{18373~1.EXE > nul
    3⤵
    PID:2712
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{05742D5D-8FE7-4628-8A66-EAFF246789D2}.exe

Filesize
399KB

MD5
9b5a44175a4db9d22a8d33f0a32800e4

SHA1
eeee40f96389c355c1739b04b865a1fd18d5b950

SHA256
1d48c1bdf9d971687ce7dc2fac388587b68a3bc6ebd7ba55b3e7ab9328bf2351

SHA512
4531b22fa0ce4a08a243c55744f9df6f72476d6c68f785f63b5ea6342dca8ccf9aaa8139c229577bb6cdac91e8ce3d6c4c03dc051a308b7eea6fa53f14cf3d76

Download Submit
C:\Windows\{05742D5D-8FE7-4628-8A66-EAFF246789D2}.exe

Filesize
408KB

MD5
5e6fad64b595d717b62d07e8e08067ba

SHA1
d5b441fb0f5babf4a8278c72c91ea60dcb0d9d20

SHA256
afa37e38e5dd00d1aa2f92b6144740cdd66b08a6d303af430a761758a5275fea

SHA512
86be34503c3487a2597c2aa07ec1aa9221a105f5e196121d70a44d99edc6f0b0bc2decfa5afd92e8da42feaf6d88070d4357bafc8402319a0b2082a3095faa23

Download Submit
C:\Windows\{129F1272-81A2-4f4c-8825-35B73C081675}.exe

Filesize
408KB

MD5
046897e8d38b7863767787d58538bcf0

SHA1
202006de5dcecd6c2628c8b19263f8d42d76707e

SHA256
ddb862bbcb13251c204c06c1df1596ae159dd90d9936ff4247dc2912e55782bb

SHA512
a37d52a38e3da6a10501671c9efc5fee45460cec07260c50ae41aba66d7217ce76797a7d352946020761aecfb9bc4aca6a91ddeb92dc025715401909f4de74ad

Download Submit
C:\Windows\{129F1272-81A2-4f4c-8825-35B73C081675}.exe

Filesize
8KB

MD5
01c08fca73c93e39b0da970f14900346

SHA1
e7c42b67312c392606e292cd31a81f3b69bdbdc4

SHA256
ad95287f7eb68a877b26fa8f288288ddffa51ef2ba6926037b424bee35bdf7b4

SHA512
dc04ba982d592e30ee1c870a34a99e537e7957e301ba37aee99e20bd61e89dbdfded0a9b31ff27f137feb47f29e6304e26e1fefac8b52f9df3829a05e97700f8

Download Submit
C:\Windows\{18373925-7AFD-4831-8F32-00F43A6E2D4E}.exe

Filesize
408KB

MD5
806cdd5c3aa886e8cc64a38c3e858b9b

SHA1
88569e9ed8e7f73bb6eb5e21d70874c36a78bc86

SHA256
e0e0dba0e254ae43d8c6060852110b901685b05b409c745b863aaace91eb7bc1

SHA512
452d04b9bb642b489e9b2c3987d32325964d92366d24d3d6bf1c016fd0deeda6709338f937309c6659a043b8e308bf23405934673b7ec55eba1e194a31c41da0

Download Submit
C:\Windows\{1A2BD5D7-DBB2-4e70-A26C-E42ABE3F2918}.exe

Filesize
408KB

MD5
faf5cddcedb14cf98b3e5d443281b67e

SHA1
4f6f0525257e4fb42d2e5f275acb97f02525e7c2

SHA256
5915130921bd2f11b2661627e96c94bc07c18026387af3ec5b501d41ccbb0b6d

SHA512
45501043940c1c967d7e00c2d02d22d71942518ba6c15385c1585e87840d77c362e0b848c86d59952eb06edf5c07818844bf765755e832db72a342b358b9d459

Download Submit
C:\Windows\{1CEF0168-9AD2-4e34-BE65-F041005E21FC}.exe

Filesize
408KB

MD5
a00146c0658f4344f53eefc27e4750c1

SHA1
35dc2000f0cc1907d8f8d34c37c9aff4e9a041e6

SHA256
a722fc9c89dbebc08e80313feb2ba849c415ce1a1dbebf2eca8b72fada626c67

SHA512
02f15167e38f9d395269e364b6d635699d537a00b6010c491116861ac22d4c7284f066f659305229773d290bf49c6df30d0085cf1d4e0a888a9f1431699bc2b3

Download Submit
C:\Windows\{35573E3D-9AD4-4d22-9240-E44ED7A687A3}.exe

Filesize
408KB

MD5
d9a22a966c7c56e521dddb1983595f9f

SHA1
57e8882cce69c2fcf0cd78f4dc4d2964286f85d8

SHA256
8b7980fef633a960dacb2629397060f575f6dad7e92fe715b156e5eccaafbbd0

SHA512
f9e445c8ffe468c784035524246408e8be466d256d3e3cf334560d8d1d128d2d37ff1b754d97d872f17057fc652075599372dda30225df3e798c1f5624f11d30

Download Submit
C:\Windows\{3D38BCC9-CAD7-4bb2-B09B-B92FE719342A}.exe

Filesize
408KB

MD5
99f677babde62c548114bdef0ad4ddf2

SHA1
c34bf99ea5ff3ba5d874241c07ad91e583d3beb3

SHA256
15653c44f0ed8a7a51137a7ff84efa7c32951106d450062de0b7bc268b3fccd6

SHA512
64f1f64315f8e787ce7349f27419eb2529cb7c53d7973a746614f71772e809513bad519ab5d621ed7af91c2b9cd919efec6f4a6fbde27d7874f2547286c99d15

Download Submit
C:\Windows\{64BB8865-A214-4bc8-AC74-8E1D2D2346F8}.exe

Filesize
408KB

MD5
b5ec1e636b33ea381af5aaa1ee46f40a

SHA1
bd40c26994ea1f4f639fe2d1ea5cf199a07847e3

SHA256
b22afa6cc5216ec5782abf0dc3ec87864ace5e8ad8ffa339b3aa4d52690a22b2

SHA512
8c1541bc41a1a98dd6cf8ffd7f04bbfa0ca7dc45841e60d536a71b3ca837378969fb1e7216b0e308f66179aa9eaa53e13d3e4856401c7c6c76668805dae3490a

Download Submit
C:\Windows\{860E7611-A801-488d-A7A8-83155AD71730}.exe

Filesize
408KB

MD5
bacb7a6379d8dd07a2c685b1b3db982b

SHA1
6f88aad485bb24205182361790e4577d43b1f20d

SHA256
9d7010cedec4bd77f2eba73c0fa470092c46c2a72bf31993e3d0cf07f7e5a3f0

SHA512
8191df95c9d5f729b2751fe884ea8541b7b9db52ee20d3ae8ed378e8c0f5948cf5f53d5955b66a5520df843fdc6ec5948bd27aed0dec93392cb76cf002fbf0d0

Download Submit
C:\Windows\{D4170310-406F-4f32-BBC2-42C8118161A8}.exe

Filesize
408KB

MD5
3e3d84ad3f65c58d95fd9801443b5359

SHA1
40eec253b73e1c5956aaa90b11effd92fd6f31a6

SHA256
493405dbca5d7c9a73f641b3ec4c1403288ff9ab53819cc30298e4b4b2c0b305

SHA512
6b693c3e7849d20b22fcf08bd6b4753c8016d6377026ff8ab2c8efd2b313c4f65f599679be1e197c7a6c456bb64ff27ea5fa3f52878c18c35a9e6fbb4099815d

Download Submit
C:\Windows\{D684C833-9BD3-4589-BCFB-D69EDD61BF84}.exe

Filesize
408KB

MD5
acb6bdaee6767fd591385c573ebc52b8

SHA1
be59ab27830a9c5a3eed97267367cfdad4f32bae

SHA256
727ca71af49a8fb18636f0bdee4930864562a5659fbb1c04005b9d397d9a2d79

SHA512
878e1a7a2f00bc71012d9fda8938ad08b12aa8e10a3d5a41f24115bea4a1fcc33ad05d3543af95e60f0080777ab71f34b9a405f669b39b0b6052c5f4ed299809

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads