cefe367ecf5ebc8acecd85ca402b419f361fbc6e61fa21a024c491ae84c7bf39

Analysis

max time kernel
144s
max time network
125s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
01-02-2024 18:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-01_af5021b6d57bedd6e34a4a3e6c08f1cf_goldeneye.exe
Size

180KB
MD5

af5021b6d57bedd6e34a4a3e6c08f1cf
SHA1

9b89844a0a781c88f3dd5ee6e5b0496d4f0d4e03
SHA256

cefe367ecf5ebc8acecd85ca402b419f361fbc6e61fa21a024c491ae84c7bf39
SHA512

ae0ce7138a203b5aadbe0362f0fd568914f8827be2cec1cb01ef7a65184cce36759d81322455b1b525b97dd28595cfad658991a9b59e892ba48098cfc7936c74
SSDEEP

3072:jEGh0ollfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGTl5eKcAEc

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral1/files/0x000a000000012247-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002e000000015c9f-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000600000000f6f8-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000600000000f6f8-20.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002f000000015c9f-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000700000000f6f8-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0030000000015c9f-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0010000000015d8e-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000015e82-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0011000000015d8e-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000015e94-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0012000000015d8e-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1327CA3F-72CC-4f53-B33D-E515D7B84196}	{BCA1D8BB-2A18-418d-BBAA-2BA3522FF022}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0B950920-DE98-4d7a-885E-5B6630BBFA49}	{AD8DEF48-A81E-44ea-9C78-7D0B094B3C3D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E86F3DF9-6CFB-428f-9B49-2488AB4275B2}\stubpath = "C:\\Windows\\{E86F3DF9-6CFB-428f-9B49-2488AB4275B2}.exe"	{0B950920-DE98-4d7a-885E-5B6630BBFA49}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3FA152AE-C8C1-404d-AD3C-3BE5159870C8}	2024-02-01_af5021b6d57bedd6e34a4a3e6c08f1cf_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{501682CA-427F-4f84-B7F0-8ED08750351E}\stubpath = "C:\\Windows\\{501682CA-427F-4f84-B7F0-8ED08750351E}.exe"	{E19F139D-01F6-40e4-8196-B9393E76DAC8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{33A91B2C-EF17-4d66-99B1-930475C270B2}\stubpath = "C:\\Windows\\{33A91B2C-EF17-4d66-99B1-930475C270B2}.exe"	{705F869E-1A87-4386-9CEC-C4B28086422D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{915BDE2D-AB70-48e7-BF39-DE303A6BA6D7}	{33A91B2C-EF17-4d66-99B1-930475C270B2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{915BDE2D-AB70-48e7-BF39-DE303A6BA6D7}\stubpath = "C:\\Windows\\{915BDE2D-AB70-48e7-BF39-DE303A6BA6D7}.exe"	{33A91B2C-EF17-4d66-99B1-930475C270B2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BCA1D8BB-2A18-418d-BBAA-2BA3522FF022}\stubpath = "C:\\Windows\\{BCA1D8BB-2A18-418d-BBAA-2BA3522FF022}.exe"	{915BDE2D-AB70-48e7-BF39-DE303A6BA6D7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E86F3DF9-6CFB-428f-9B49-2488AB4275B2}	{0B950920-DE98-4d7a-885E-5B6630BBFA49}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E19F139D-01F6-40e4-8196-B9393E76DAC8}	{3FA152AE-C8C1-404d-AD3C-3BE5159870C8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{501682CA-427F-4f84-B7F0-8ED08750351E}	{E19F139D-01F6-40e4-8196-B9393E76DAC8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{705F869E-1A87-4386-9CEC-C4B28086422D}\stubpath = "C:\\Windows\\{705F869E-1A87-4386-9CEC-C4B28086422D}.exe"	{501682CA-427F-4f84-B7F0-8ED08750351E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BCA1D8BB-2A18-418d-BBAA-2BA3522FF022}	{915BDE2D-AB70-48e7-BF39-DE303A6BA6D7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AD8DEF48-A81E-44ea-9C78-7D0B094B3C3D}	{1327CA3F-72CC-4f53-B33D-E515D7B84196}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AD8DEF48-A81E-44ea-9C78-7D0B094B3C3D}\stubpath = "C:\\Windows\\{AD8DEF48-A81E-44ea-9C78-7D0B094B3C3D}.exe"	{1327CA3F-72CC-4f53-B33D-E515D7B84196}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{33A91B2C-EF17-4d66-99B1-930475C270B2}	{705F869E-1A87-4386-9CEC-C4B28086422D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1327CA3F-72CC-4f53-B33D-E515D7B84196}\stubpath = "C:\\Windows\\{1327CA3F-72CC-4f53-B33D-E515D7B84196}.exe"	{BCA1D8BB-2A18-418d-BBAA-2BA3522FF022}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0B950920-DE98-4d7a-885E-5B6630BBFA49}\stubpath = "C:\\Windows\\{0B950920-DE98-4d7a-885E-5B6630BBFA49}.exe"	{AD8DEF48-A81E-44ea-9C78-7D0B094B3C3D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3FA152AE-C8C1-404d-AD3C-3BE5159870C8}\stubpath = "C:\\Windows\\{3FA152AE-C8C1-404d-AD3C-3BE5159870C8}.exe"	2024-02-01_af5021b6d57bedd6e34a4a3e6c08f1cf_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E19F139D-01F6-40e4-8196-B9393E76DAC8}\stubpath = "C:\\Windows\\{E19F139D-01F6-40e4-8196-B9393E76DAC8}.exe"	{3FA152AE-C8C1-404d-AD3C-3BE5159870C8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{705F869E-1A87-4386-9CEC-C4B28086422D}	{501682CA-427F-4f84-B7F0-8ED08750351E}.exe

Deletes itself 1 IoCs

pid	Process
2724	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2416	{3FA152AE-C8C1-404d-AD3C-3BE5159870C8}.exe
2596	{E19F139D-01F6-40e4-8196-B9393E76DAC8}.exe
2624	{501682CA-427F-4f84-B7F0-8ED08750351E}.exe
1056	{705F869E-1A87-4386-9CEC-C4B28086422D}.exe
896	{33A91B2C-EF17-4d66-99B1-930475C270B2}.exe
1244	{915BDE2D-AB70-48e7-BF39-DE303A6BA6D7}.exe
2096	{BCA1D8BB-2A18-418d-BBAA-2BA3522FF022}.exe
2484	{1327CA3F-72CC-4f53-B33D-E515D7B84196}.exe
1716	{AD8DEF48-A81E-44ea-9C78-7D0B094B3C3D}.exe
2456	{0B950920-DE98-4d7a-885E-5B6630BBFA49}.exe
2408	{E86F3DF9-6CFB-428f-9B49-2488AB4275B2}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{33A91B2C-EF17-4d66-99B1-930475C270B2}.exe	{705F869E-1A87-4386-9CEC-C4B28086422D}.exe
File created	C:\Windows\{915BDE2D-AB70-48e7-BF39-DE303A6BA6D7}.exe	{33A91B2C-EF17-4d66-99B1-930475C270B2}.exe
File created	C:\Windows\{1327CA3F-72CC-4f53-B33D-E515D7B84196}.exe	{BCA1D8BB-2A18-418d-BBAA-2BA3522FF022}.exe
File created	C:\Windows\{AD8DEF48-A81E-44ea-9C78-7D0B094B3C3D}.exe	{1327CA3F-72CC-4f53-B33D-E515D7B84196}.exe
File created	C:\Windows\{0B950920-DE98-4d7a-885E-5B6630BBFA49}.exe	{AD8DEF48-A81E-44ea-9C78-7D0B094B3C3D}.exe
File created	C:\Windows\{E86F3DF9-6CFB-428f-9B49-2488AB4275B2}.exe	{0B950920-DE98-4d7a-885E-5B6630BBFA49}.exe
File created	C:\Windows\{501682CA-427F-4f84-B7F0-8ED08750351E}.exe	{E19F139D-01F6-40e4-8196-B9393E76DAC8}.exe
File created	C:\Windows\{705F869E-1A87-4386-9CEC-C4B28086422D}.exe	{501682CA-427F-4f84-B7F0-8ED08750351E}.exe
File created	C:\Windows\{BCA1D8BB-2A18-418d-BBAA-2BA3522FF022}.exe	{915BDE2D-AB70-48e7-BF39-DE303A6BA6D7}.exe
File created	C:\Windows\{3FA152AE-C8C1-404d-AD3C-3BE5159870C8}.exe	2024-02-01_af5021b6d57bedd6e34a4a3e6c08f1cf_goldeneye.exe
File created	C:\Windows\{E19F139D-01F6-40e4-8196-B9393E76DAC8}.exe	{3FA152AE-C8C1-404d-AD3C-3BE5159870C8}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2880	2024-02-01_af5021b6d57bedd6e34a4a3e6c08f1cf_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2416	{3FA152AE-C8C1-404d-AD3C-3BE5159870C8}.exe
Token: SeIncBasePriorityPrivilege	2596	{E19F139D-01F6-40e4-8196-B9393E76DAC8}.exe
Token: SeIncBasePriorityPrivilege	2624	{501682CA-427F-4f84-B7F0-8ED08750351E}.exe
Token: SeIncBasePriorityPrivilege	1056	{705F869E-1A87-4386-9CEC-C4B28086422D}.exe
Token: SeIncBasePriorityPrivilege	896	{33A91B2C-EF17-4d66-99B1-930475C270B2}.exe
Token: SeIncBasePriorityPrivilege	1244	{915BDE2D-AB70-48e7-BF39-DE303A6BA6D7}.exe
Token: SeIncBasePriorityPrivilege	2096	{BCA1D8BB-2A18-418d-BBAA-2BA3522FF022}.exe
Token: SeIncBasePriorityPrivilege	2484	{1327CA3F-72CC-4f53-B33D-E515D7B84196}.exe
Token: SeIncBasePriorityPrivilege	1716	{AD8DEF48-A81E-44ea-9C78-7D0B094B3C3D}.exe
Token: SeIncBasePriorityPrivilege	2456	{0B950920-DE98-4d7a-885E-5B6630BBFA49}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2880 wrote to memory of 2416	2880	2024-02-01_af5021b6d57bedd6e34a4a3e6c08f1cf_goldeneye.exe	28
PID 2880 wrote to memory of 2416	2880	2024-02-01_af5021b6d57bedd6e34a4a3e6c08f1cf_goldeneye.exe	28
PID 2880 wrote to memory of 2416	2880	2024-02-01_af5021b6d57bedd6e34a4a3e6c08f1cf_goldeneye.exe	28
PID 2880 wrote to memory of 2416	2880	2024-02-01_af5021b6d57bedd6e34a4a3e6c08f1cf_goldeneye.exe	28
PID 2880 wrote to memory of 2724	2880	2024-02-01_af5021b6d57bedd6e34a4a3e6c08f1cf_goldeneye.exe	29
PID 2880 wrote to memory of 2724	2880	2024-02-01_af5021b6d57bedd6e34a4a3e6c08f1cf_goldeneye.exe	29
PID 2880 wrote to memory of 2724	2880	2024-02-01_af5021b6d57bedd6e34a4a3e6c08f1cf_goldeneye.exe	29
PID 2880 wrote to memory of 2724	2880	2024-02-01_af5021b6d57bedd6e34a4a3e6c08f1cf_goldeneye.exe	29
PID 2416 wrote to memory of 2596	2416	{3FA152AE-C8C1-404d-AD3C-3BE5159870C8}.exe	32
PID 2416 wrote to memory of 2596	2416	{3FA152AE-C8C1-404d-AD3C-3BE5159870C8}.exe	32
PID 2416 wrote to memory of 2596	2416	{3FA152AE-C8C1-404d-AD3C-3BE5159870C8}.exe	32
PID 2416 wrote to memory of 2596	2416	{3FA152AE-C8C1-404d-AD3C-3BE5159870C8}.exe	32
PID 2416 wrote to memory of 2060	2416	{3FA152AE-C8C1-404d-AD3C-3BE5159870C8}.exe	33
PID 2416 wrote to memory of 2060	2416	{3FA152AE-C8C1-404d-AD3C-3BE5159870C8}.exe	33
PID 2416 wrote to memory of 2060	2416	{3FA152AE-C8C1-404d-AD3C-3BE5159870C8}.exe	33
PID 2416 wrote to memory of 2060	2416	{3FA152AE-C8C1-404d-AD3C-3BE5159870C8}.exe	33
PID 2596 wrote to memory of 2624	2596	{E19F139D-01F6-40e4-8196-B9393E76DAC8}.exe	34
PID 2596 wrote to memory of 2624	2596	{E19F139D-01F6-40e4-8196-B9393E76DAC8}.exe	34
PID 2596 wrote to memory of 2624	2596	{E19F139D-01F6-40e4-8196-B9393E76DAC8}.exe	34
PID 2596 wrote to memory of 2624	2596	{E19F139D-01F6-40e4-8196-B9393E76DAC8}.exe	34
PID 2596 wrote to memory of 2984	2596	{E19F139D-01F6-40e4-8196-B9393E76DAC8}.exe	35
PID 2596 wrote to memory of 2984	2596	{E19F139D-01F6-40e4-8196-B9393E76DAC8}.exe	35
PID 2596 wrote to memory of 2984	2596	{E19F139D-01F6-40e4-8196-B9393E76DAC8}.exe	35
PID 2596 wrote to memory of 2984	2596	{E19F139D-01F6-40e4-8196-B9393E76DAC8}.exe	35
PID 2624 wrote to memory of 1056	2624	{501682CA-427F-4f84-B7F0-8ED08750351E}.exe	36
PID 2624 wrote to memory of 1056	2624	{501682CA-427F-4f84-B7F0-8ED08750351E}.exe	36
PID 2624 wrote to memory of 1056	2624	{501682CA-427F-4f84-B7F0-8ED08750351E}.exe	36
PID 2624 wrote to memory of 1056	2624	{501682CA-427F-4f84-B7F0-8ED08750351E}.exe	36
PID 2624 wrote to memory of 572	2624	{501682CA-427F-4f84-B7F0-8ED08750351E}.exe	37
PID 2624 wrote to memory of 572	2624	{501682CA-427F-4f84-B7F0-8ED08750351E}.exe	37
PID 2624 wrote to memory of 572	2624	{501682CA-427F-4f84-B7F0-8ED08750351E}.exe	37
PID 2624 wrote to memory of 572	2624	{501682CA-427F-4f84-B7F0-8ED08750351E}.exe	37
PID 1056 wrote to memory of 896	1056	{705F869E-1A87-4386-9CEC-C4B28086422D}.exe	39
PID 1056 wrote to memory of 896	1056	{705F869E-1A87-4386-9CEC-C4B28086422D}.exe	39
PID 1056 wrote to memory of 896	1056	{705F869E-1A87-4386-9CEC-C4B28086422D}.exe	39
PID 1056 wrote to memory of 896	1056	{705F869E-1A87-4386-9CEC-C4B28086422D}.exe	39
PID 1056 wrote to memory of 1752	1056	{705F869E-1A87-4386-9CEC-C4B28086422D}.exe	38
PID 1056 wrote to memory of 1752	1056	{705F869E-1A87-4386-9CEC-C4B28086422D}.exe	38
PID 1056 wrote to memory of 1752	1056	{705F869E-1A87-4386-9CEC-C4B28086422D}.exe	38
PID 1056 wrote to memory of 1752	1056	{705F869E-1A87-4386-9CEC-C4B28086422D}.exe	38
PID 896 wrote to memory of 1244	896	{33A91B2C-EF17-4d66-99B1-930475C270B2}.exe	40
PID 896 wrote to memory of 1244	896	{33A91B2C-EF17-4d66-99B1-930475C270B2}.exe	40
PID 896 wrote to memory of 1244	896	{33A91B2C-EF17-4d66-99B1-930475C270B2}.exe	40
PID 896 wrote to memory of 1244	896	{33A91B2C-EF17-4d66-99B1-930475C270B2}.exe	40
PID 896 wrote to memory of 1968	896	{33A91B2C-EF17-4d66-99B1-930475C270B2}.exe	41
PID 896 wrote to memory of 1968	896	{33A91B2C-EF17-4d66-99B1-930475C270B2}.exe	41
PID 896 wrote to memory of 1968	896	{33A91B2C-EF17-4d66-99B1-930475C270B2}.exe	41
PID 896 wrote to memory of 1968	896	{33A91B2C-EF17-4d66-99B1-930475C270B2}.exe	41
PID 1244 wrote to memory of 2096	1244	{915BDE2D-AB70-48e7-BF39-DE303A6BA6D7}.exe	42
PID 1244 wrote to memory of 2096	1244	{915BDE2D-AB70-48e7-BF39-DE303A6BA6D7}.exe	42
PID 1244 wrote to memory of 2096	1244	{915BDE2D-AB70-48e7-BF39-DE303A6BA6D7}.exe	42
PID 1244 wrote to memory of 2096	1244	{915BDE2D-AB70-48e7-BF39-DE303A6BA6D7}.exe	42
PID 1244 wrote to memory of 932	1244	{915BDE2D-AB70-48e7-BF39-DE303A6BA6D7}.exe	43
PID 1244 wrote to memory of 932	1244	{915BDE2D-AB70-48e7-BF39-DE303A6BA6D7}.exe	43
PID 1244 wrote to memory of 932	1244	{915BDE2D-AB70-48e7-BF39-DE303A6BA6D7}.exe	43
PID 1244 wrote to memory of 932	1244	{915BDE2D-AB70-48e7-BF39-DE303A6BA6D7}.exe	43
PID 2096 wrote to memory of 2484	2096	{BCA1D8BB-2A18-418d-BBAA-2BA3522FF022}.exe	44
PID 2096 wrote to memory of 2484	2096	{BCA1D8BB-2A18-418d-BBAA-2BA3522FF022}.exe	44
PID 2096 wrote to memory of 2484	2096	{BCA1D8BB-2A18-418d-BBAA-2BA3522FF022}.exe	44
PID 2096 wrote to memory of 2484	2096	{BCA1D8BB-2A18-418d-BBAA-2BA3522FF022}.exe	44
PID 2096 wrote to memory of 1772	2096	{BCA1D8BB-2A18-418d-BBAA-2BA3522FF022}.exe	45
PID 2096 wrote to memory of 1772	2096	{BCA1D8BB-2A18-418d-BBAA-2BA3522FF022}.exe	45
PID 2096 wrote to memory of 1772	2096	{BCA1D8BB-2A18-418d-BBAA-2BA3522FF022}.exe	45
PID 2096 wrote to memory of 1772	2096	{BCA1D8BB-2A18-418d-BBAA-2BA3522FF022}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-02-01_af5021b6d57bedd6e34a4a3e6c08f1cf_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-01_af5021b6d57bedd6e34a4a3e6c08f1cf_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2880
- C:\Windows\{3FA152AE-C8C1-404d-AD3C-3BE5159870C8}.exe
  C:\Windows\{3FA152AE-C8C1-404d-AD3C-3BE5159870C8}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2416
- - C:\Windows\{E19F139D-01F6-40e4-8196-B9393E76DAC8}.exe
    C:\Windows\{E19F139D-01F6-40e4-8196-B9393E76DAC8}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2596
  - - C:\Windows\{501682CA-427F-4f84-B7F0-8ED08750351E}.exe
      C:\Windows\{501682CA-427F-4f84-B7F0-8ED08750351E}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2624
    - - C:\Windows\{705F869E-1A87-4386-9CEC-C4B28086422D}.exe
        
        C:\Windows\{705F869E-1A87-4386-9CEC-C4B28086422D}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1056
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{705F8~1.EXE > nul
        6⤵
        
        PID:1752
      - C:\Windows\{33A91B2C-EF17-4d66-99B1-930475C270B2}.exe
        
        C:\Windows\{33A91B2C-EF17-4d66-99B1-930475C270B2}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:896
        
        C:\Windows\{915BDE2D-AB70-48e7-BF39-DE303A6BA6D7}.exe
        
        C:\Windows\{915BDE2D-AB70-48e7-BF39-DE303A6BA6D7}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1244
        
        C:\Windows\{BCA1D8BB-2A18-418d-BBAA-2BA3522FF022}.exe
        
        C:\Windows\{BCA1D8BB-2A18-418d-BBAA-2BA3522FF022}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2096
        
        C:\Windows\{1327CA3F-72CC-4f53-B33D-E515D7B84196}.exe
        
        C:\Windows\{1327CA3F-72CC-4f53-B33D-E515D7B84196}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2484
        
        C:\Windows\{AD8DEF48-A81E-44ea-9C78-7D0B094B3C3D}.exe
        
        C:\Windows\{AD8DEF48-A81E-44ea-9C78-7D0B094B3C3D}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1716
        
        C:\Windows\{0B950920-DE98-4d7a-885E-5B6630BBFA49}.exe
        
        C:\Windows\{0B950920-DE98-4d7a-885E-5B6630BBFA49}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0B950~1.EXE > nul
        12⤵
        
        PID:2396
        
        C:\Windows\{E86F3DF9-6CFB-428f-9B49-2488AB4275B2}.exe
        
        C:\Windows\{E86F3DF9-6CFB-428f-9B49-2488AB4275B2}.exe
        12⤵
        Executes dropped EXE
        
        PID:2408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AD8DE~1.EXE > nul
        11⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1327C~1.EXE > nul
        10⤵
        
        PID:1512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BCA1D~1.EXE > nul
        9⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{915BD~1.EXE > nul
        8⤵
        
        PID:932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{33A91~1.EXE > nul
        7⤵
        
        PID:1968
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{50168~1.EXE > nul
        5⤵
        
        PID:572
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{E19F1~1.EXE > nul
      4⤵
      PID:2984
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{3FA15~1.EXE > nul
    3⤵
    PID:2060
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0B950920-DE98-4d7a-885E-5B6630BBFA49}.exe

Filesize
180KB

MD5
411f4ad07cdf572aeba924fa602fe855

SHA1
976ace676f56c07e7f37965406f90884d6837109

SHA256
9932b328da6515065d1a1867eb2be9931b316c20560a85a926224bd75f0ba2f5

SHA512
97c253e6c4c27d244c94537de52a811c71cbd88ec4607b49b134e6a1a88e50210acd4b43398be4308845d2927bce561e00d2a7d9fd26b2b61a8495ceb529c4e9

Download Submit
C:\Windows\{1327CA3F-72CC-4f53-B33D-E515D7B84196}.exe

Filesize
180KB

MD5
932d7377780a0eda73bcb4d252d51181

SHA1
6e442b070e71b83de35a05e3bbb363e3a8e60f0f

SHA256
9505e9bfa13656484955e0064340d606072ed74b55af4529a6200c7cbbd7f46b

SHA512
28a704364cf4d45df80c794f2b6cf9427b2137359e4ac5bcd20946030659d64bfe09123b51da20910e8dbd8dc6587b4a839a2b0213d023cacf0900eba4993580

Download Submit
C:\Windows\{33A91B2C-EF17-4d66-99B1-930475C270B2}.exe

Filesize
180KB

MD5
60ff28199f454a99dcfb7917cbc4e15e

SHA1
77daaa70a897de3f23933e81e577c11d8d73057f

SHA256
81ee9123ed87f914a923f60d246fd577328a14f0ac053a44c2f77b5b6cfd17d9

SHA512
342c69091b5be1902d240703f863b80bc792f68b941d00db93c0c7995d1b1de3f4924b9c74344fc42edb25a28f8c92b0ce4423e77b49d6baa269de59c3fbc694

Download Submit
C:\Windows\{3FA152AE-C8C1-404d-AD3C-3BE5159870C8}.exe

Filesize
180KB

MD5
1ae2f68b492a4308ade9ac63c67e2bbd

SHA1
6288599d1c55ebaea2405c9b66f234b9b2d73068

SHA256
a4287cc38833844cf7770be50dcec43deab1da7cb7f276f8a9992274b19a24c0

SHA512
f3e12e222b9e229cb7cbb658f99d2e7ed09656f40acd90b69fd3fb281fd7ef12e9d22d497cf456ccc0f74ce23e4bca38e261c41fc814fd44288305cd55a95c4f

Download Submit
C:\Windows\{501682CA-427F-4f84-B7F0-8ED08750351E}.exe

Filesize
64KB

MD5
7262424b4cba68d4f28f3b0e72e18842

SHA1
a4da3eb39ddcd50f42422eccfe166d205f0b3b09

SHA256
39f1ecb3e2d8bbbdbe4b87403b2d130d14b80cd08bf674f11cd42f4eee81dd70

SHA512
f13d21fd87f9165a50dccbead512abb4a74b50ce42c9b1067e29f45b41e1f6da4a45c4ecc9f9748c862634ea25dc4da1682e81a265a5adeb33eed18e8afad14a

Download Submit
C:\Windows\{501682CA-427F-4f84-B7F0-8ED08750351E}.exe

Filesize
180KB

MD5
47f78d6ad5489520d52da90b46e6968b

SHA1
28e47478526c9f29b7f517930b63cc62115761d0

SHA256
eb01e3c4a0033deb6c56161b461ea0a5a55a70b9506002584cdc480039e9ac8a

SHA512
747f0010dade9d8a0217e4245bad58bf7ca6a7e8f202849116a589fc69fbfd5562016ae067616f1c4d79402d0f9476222ef77e212048d75f7c694b9bcd64f039

Download Submit
C:\Windows\{705F869E-1A87-4386-9CEC-C4B28086422D}.exe

Filesize
180KB

MD5
6331d7f148bbbe83492cafb1ee64f7c2

SHA1
1a5f3928356d42694c9c1936335567cffe2d9b86

SHA256
72d23105a4e1c56b833e985a3a081ca32962b6d9d18f1cd1f722c4f681e17d2f

SHA512
ceab5b84d00920628b5b0f31db8c12aa38e807df4aa8189cb9485ef33eee7a27772bb27672a3fe9e58b70c634efc0d4e18424adea51d2fe9b8732a5c082da600

Download Submit
C:\Windows\{915BDE2D-AB70-48e7-BF39-DE303A6BA6D7}.exe

Filesize
180KB

MD5
d32cc9ca3c5f73f3c7678a32e5722211

SHA1
e932d0a414c8de5627c9d843d7ede6507ac50977

SHA256
03e16f4c76d9dde970f208bb503b8a4d06d22eb9353e2d114f6dd1ca65a81392

SHA512
7233dde935be0a298fccd1565c70973373a03369bd3745171dad047e1d46720e54f9058753e669c36ba187aa497c66c37bef7ff2078f14e0f8bc90e028be7a4a

Download Submit
C:\Windows\{AD8DEF48-A81E-44ea-9C78-7D0B094B3C3D}.exe

Filesize
180KB

MD5
f8caa467bd42b250265b9aecd5c7e0ad

SHA1
2910b16ce6903d6839b317d655baeb6643cbd5bc

SHA256
b15ab57eaf6e31797ae912968808f67f4b747cba3fe6ae8f313a631b12966d2a

SHA512
4880673758e28dc3df959009fc18410b3fad2b64938e11412dd98a653eb4fd899ef377180a3041dd9ced2fc5cd4c1ef1468a08ec7f34ebd4e4dc594dc1ec68f6

Download Submit
C:\Windows\{BCA1D8BB-2A18-418d-BBAA-2BA3522FF022}.exe

Filesize
180KB

MD5
da912816095221a6085a7db1ef3a332a

SHA1
9b2c0da8e4159e909a2eee0643af4a602f4f583a

SHA256
48cbab2f91ae762e8ecf1aef4b5de6db7b7dee5092c2af3845ddd4431ff10b79

SHA512
6e0ecf43e1977f92ed22991abe943c302d726b38a9e4632bfe7c1a074920119aa64e27c373b87ed839915a877fcba7b233cd7dfe1f72148db048c4fde4be824c

Download Submit
C:\Windows\{E19F139D-01F6-40e4-8196-B9393E76DAC8}.exe

Filesize
180KB

MD5
61847e93e8af917b50289eac794f1860

SHA1
22a6a81a55c2fa9206ae1948306cd8628ddd2ab0

SHA256
a196ab54118444ef7ea1ef2b1ec715d5d6f7cf47b711d34b152d1adc6bbc80f1

SHA512
20c5780a767ee38efe80182ffcc2c96732bb88914a8fe8ae53747fb5985dc76185c234ae1d8ae3f5994d22d7ea36531942e96246a51a15f66f2c9ee81b5db654

Download Submit
C:\Windows\{E86F3DF9-6CFB-428f-9B49-2488AB4275B2}.exe

Filesize
180KB

MD5
f6045ff5ffc798907da061af201d117f

SHA1
39fddd6ec5e39c44d966230c24186d03f730fcb3

SHA256
cec8e91e04cc70debd4c10bd92a7711df5994384c3abce46bad2d1c0dae43ac2

SHA512
132ba7ddd865b9c0abd4a6e5d9b96aedbeb331815746dc028495d7dd3b56033899239b96b628cf0f964cdd9a0ee3d72eeab1293f47caa91640a29820ca2de3cc

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads