6e4ed7797a45f70598437e9e02bc2516616dd791ca80c016f63531c246b57af2

Analysis

max time kernel
144s
max time network
117s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
02/02/2024, 07:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-02_42921ce932ac734df4a7e06c9718ad10_goldeneye.exe
Size

408KB
MD5

42921ce932ac734df4a7e06c9718ad10
SHA1

0ee07b827aa16e65c6f735dd6d3fa2f33682c6e5
SHA256

6e4ed7797a45f70598437e9e02bc2516616dd791ca80c016f63531c246b57af2
SHA512

6b225fb84284ed3a9b16b8613c12c3cead0052ed72eb7c7806a8a52c0dc94487b27c484442ec77a8041c602edf46f80c7bae91e5120e720482a40722019295ec
SSDEEP

3072:CEGh0oHl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGBldOe2MUVg3vTeKcAEciTBqr3jy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 13 IoCs

resource	yara_rule
behavioral1/files/0x000a00000001224d-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d00000001232d-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b00000001224d-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b00000001224d-20.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0031000000014721-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0031000000014721-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c00000001224d-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d00000001224d-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e00000001224d-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DABAF574-6E53-4294-92C4-DCAAABB9DB61}\stubpath = "C:\\Windows\\{DABAF574-6E53-4294-92C4-DCAAABB9DB61}.exe"	{0AA075BA-E749-438b-ADA0-337531BBEE21}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8FC4A55A-FAA9-4d9a-9DD2-358959636C94}\stubpath = "C:\\Windows\\{8FC4A55A-FAA9-4d9a-9DD2-358959636C94}.exe"	{DABAF574-6E53-4294-92C4-DCAAABB9DB61}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9A43BFC0-E5DF-4a36-BAB8-005694AA37D6}\stubpath = "C:\\Windows\\{9A43BFC0-E5DF-4a36-BAB8-005694AA37D6}.exe"	2024-02-02_42921ce932ac734df4a7e06c9718ad10_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{60E3419C-029C-4609-BEA5-1DE287C5A764}	{9A43BFC0-E5DF-4a36-BAB8-005694AA37D6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{57D07351-88B9-4037-BC88-A08C16A9D3AF}	{F67DD635-0CFF-41fc-BA57-CFE7EEA89D00}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{57D07351-88B9-4037-BC88-A08C16A9D3AF}\stubpath = "C:\\Windows\\{57D07351-88B9-4037-BC88-A08C16A9D3AF}.exe"	{F67DD635-0CFF-41fc-BA57-CFE7EEA89D00}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8DCB3BB5-69B6-467c-B795-DBECC84927D9}	{68F4935D-EF48-46aa-A8CF-0350CFF9D448}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{33A14047-DDAA-4a5f-9169-449257DFB073}	{60E3419C-029C-4609-BEA5-1DE287C5A764}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8973308B-6C86-4c55-AAD5-ADDA6C40F56E}	{8DCB3BB5-69B6-467c-B795-DBECC84927D9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0AA075BA-E749-438b-ADA0-337531BBEE21}	{8973308B-6C86-4c55-AAD5-ADDA6C40F56E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{60E3419C-029C-4609-BEA5-1DE287C5A764}\stubpath = "C:\\Windows\\{60E3419C-029C-4609-BEA5-1DE287C5A764}.exe"	{9A43BFC0-E5DF-4a36-BAB8-005694AA37D6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8DCB3BB5-69B6-467c-B795-DBECC84927D9}\stubpath = "C:\\Windows\\{8DCB3BB5-69B6-467c-B795-DBECC84927D9}.exe"	{68F4935D-EF48-46aa-A8CF-0350CFF9D448}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{68F4935D-EF48-46aa-A8CF-0350CFF9D448}\stubpath = "C:\\Windows\\{68F4935D-EF48-46aa-A8CF-0350CFF9D448}.exe"	{57D07351-88B9-4037-BC88-A08C16A9D3AF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8973308B-6C86-4c55-AAD5-ADDA6C40F56E}\stubpath = "C:\\Windows\\{8973308B-6C86-4c55-AAD5-ADDA6C40F56E}.exe"	{8DCB3BB5-69B6-467c-B795-DBECC84927D9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0AA075BA-E749-438b-ADA0-337531BBEE21}\stubpath = "C:\\Windows\\{0AA075BA-E749-438b-ADA0-337531BBEE21}.exe"	{8973308B-6C86-4c55-AAD5-ADDA6C40F56E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9A43BFC0-E5DF-4a36-BAB8-005694AA37D6}	2024-02-02_42921ce932ac734df4a7e06c9718ad10_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{33A14047-DDAA-4a5f-9169-449257DFB073}\stubpath = "C:\\Windows\\{33A14047-DDAA-4a5f-9169-449257DFB073}.exe"	{60E3419C-029C-4609-BEA5-1DE287C5A764}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F67DD635-0CFF-41fc-BA57-CFE7EEA89D00}	{33A14047-DDAA-4a5f-9169-449257DFB073}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F67DD635-0CFF-41fc-BA57-CFE7EEA89D00}\stubpath = "C:\\Windows\\{F67DD635-0CFF-41fc-BA57-CFE7EEA89D00}.exe"	{33A14047-DDAA-4a5f-9169-449257DFB073}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{68F4935D-EF48-46aa-A8CF-0350CFF9D448}	{57D07351-88B9-4037-BC88-A08C16A9D3AF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DABAF574-6E53-4294-92C4-DCAAABB9DB61}	{0AA075BA-E749-438b-ADA0-337531BBEE21}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8FC4A55A-FAA9-4d9a-9DD2-358959636C94}	{DABAF574-6E53-4294-92C4-DCAAABB9DB61}.exe

Deletes itself 1 IoCs

pid	Process
2148	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2904	{9A43BFC0-E5DF-4a36-BAB8-005694AA37D6}.exe
2828	{60E3419C-029C-4609-BEA5-1DE287C5A764}.exe
2868	{33A14047-DDAA-4a5f-9169-449257DFB073}.exe
2892	{F67DD635-0CFF-41fc-BA57-CFE7EEA89D00}.exe
2660	{57D07351-88B9-4037-BC88-A08C16A9D3AF}.exe
2960	{68F4935D-EF48-46aa-A8CF-0350CFF9D448}.exe
904	{8DCB3BB5-69B6-467c-B795-DBECC84927D9}.exe
1536	{8973308B-6C86-4c55-AAD5-ADDA6C40F56E}.exe
2404	{0AA075BA-E749-438b-ADA0-337531BBEE21}.exe
2588	{DABAF574-6E53-4294-92C4-DCAAABB9DB61}.exe
1168	{8FC4A55A-FAA9-4d9a-9DD2-358959636C94}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{F67DD635-0CFF-41fc-BA57-CFE7EEA89D00}.exe	{33A14047-DDAA-4a5f-9169-449257DFB073}.exe
File created	C:\Windows\{57D07351-88B9-4037-BC88-A08C16A9D3AF}.exe	{F67DD635-0CFF-41fc-BA57-CFE7EEA89D00}.exe
File created	C:\Windows\{8973308B-6C86-4c55-AAD5-ADDA6C40F56E}.exe	{8DCB3BB5-69B6-467c-B795-DBECC84927D9}.exe
File created	C:\Windows\{8FC4A55A-FAA9-4d9a-9DD2-358959636C94}.exe	{DABAF574-6E53-4294-92C4-DCAAABB9DB61}.exe
File created	C:\Windows\{9A43BFC0-E5DF-4a36-BAB8-005694AA37D6}.exe	2024-02-02_42921ce932ac734df4a7e06c9718ad10_goldeneye.exe
File created	C:\Windows\{33A14047-DDAA-4a5f-9169-449257DFB073}.exe	{60E3419C-029C-4609-BEA5-1DE287C5A764}.exe
File created	C:\Windows\{68F4935D-EF48-46aa-A8CF-0350CFF9D448}.exe	{57D07351-88B9-4037-BC88-A08C16A9D3AF}.exe
File created	C:\Windows\{8DCB3BB5-69B6-467c-B795-DBECC84927D9}.exe	{68F4935D-EF48-46aa-A8CF-0350CFF9D448}.exe
File created	C:\Windows\{0AA075BA-E749-438b-ADA0-337531BBEE21}.exe	{8973308B-6C86-4c55-AAD5-ADDA6C40F56E}.exe
File created	C:\Windows\{DABAF574-6E53-4294-92C4-DCAAABB9DB61}.exe	{0AA075BA-E749-438b-ADA0-337531BBEE21}.exe
File created	C:\Windows\{60E3419C-029C-4609-BEA5-1DE287C5A764}.exe	{9A43BFC0-E5DF-4a36-BAB8-005694AA37D6}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1244	2024-02-02_42921ce932ac734df4a7e06c9718ad10_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2904	{9A43BFC0-E5DF-4a36-BAB8-005694AA37D6}.exe
Token: SeIncBasePriorityPrivilege	2828	{60E3419C-029C-4609-BEA5-1DE287C5A764}.exe
Token: SeIncBasePriorityPrivilege	2868	{33A14047-DDAA-4a5f-9169-449257DFB073}.exe
Token: SeIncBasePriorityPrivilege	2892	{F67DD635-0CFF-41fc-BA57-CFE7EEA89D00}.exe
Token: SeIncBasePriorityPrivilege	2660	{57D07351-88B9-4037-BC88-A08C16A9D3AF}.exe
Token: SeIncBasePriorityPrivilege	2960	{68F4935D-EF48-46aa-A8CF-0350CFF9D448}.exe
Token: SeIncBasePriorityPrivilege	904	{8DCB3BB5-69B6-467c-B795-DBECC84927D9}.exe
Token: SeIncBasePriorityPrivilege	1536	{8973308B-6C86-4c55-AAD5-ADDA6C40F56E}.exe
Token: SeIncBasePriorityPrivilege	2404	{0AA075BA-E749-438b-ADA0-337531BBEE21}.exe
Token: SeIncBasePriorityPrivilege	2588	{DABAF574-6E53-4294-92C4-DCAAABB9DB61}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1244 wrote to memory of 2904	1244	2024-02-02_42921ce932ac734df4a7e06c9718ad10_goldeneye.exe	28
PID 1244 wrote to memory of 2904	1244	2024-02-02_42921ce932ac734df4a7e06c9718ad10_goldeneye.exe	28
PID 1244 wrote to memory of 2904	1244	2024-02-02_42921ce932ac734df4a7e06c9718ad10_goldeneye.exe	28
PID 1244 wrote to memory of 2904	1244	2024-02-02_42921ce932ac734df4a7e06c9718ad10_goldeneye.exe	28
PID 1244 wrote to memory of 2148	1244	2024-02-02_42921ce932ac734df4a7e06c9718ad10_goldeneye.exe	29
PID 1244 wrote to memory of 2148	1244	2024-02-02_42921ce932ac734df4a7e06c9718ad10_goldeneye.exe	29
PID 1244 wrote to memory of 2148	1244	2024-02-02_42921ce932ac734df4a7e06c9718ad10_goldeneye.exe	29
PID 1244 wrote to memory of 2148	1244	2024-02-02_42921ce932ac734df4a7e06c9718ad10_goldeneye.exe	29
PID 2904 wrote to memory of 2828	2904	{9A43BFC0-E5DF-4a36-BAB8-005694AA37D6}.exe	30
PID 2904 wrote to memory of 2828	2904	{9A43BFC0-E5DF-4a36-BAB8-005694AA37D6}.exe	30
PID 2904 wrote to memory of 2828	2904	{9A43BFC0-E5DF-4a36-BAB8-005694AA37D6}.exe	30
PID 2904 wrote to memory of 2828	2904	{9A43BFC0-E5DF-4a36-BAB8-005694AA37D6}.exe	30
PID 2904 wrote to memory of 2884	2904	{9A43BFC0-E5DF-4a36-BAB8-005694AA37D6}.exe	31
PID 2904 wrote to memory of 2884	2904	{9A43BFC0-E5DF-4a36-BAB8-005694AA37D6}.exe	31
PID 2904 wrote to memory of 2884	2904	{9A43BFC0-E5DF-4a36-BAB8-005694AA37D6}.exe	31
PID 2904 wrote to memory of 2884	2904	{9A43BFC0-E5DF-4a36-BAB8-005694AA37D6}.exe	31
PID 2828 wrote to memory of 2868	2828	{60E3419C-029C-4609-BEA5-1DE287C5A764}.exe	33
PID 2828 wrote to memory of 2868	2828	{60E3419C-029C-4609-BEA5-1DE287C5A764}.exe	33
PID 2828 wrote to memory of 2868	2828	{60E3419C-029C-4609-BEA5-1DE287C5A764}.exe	33
PID 2828 wrote to memory of 2868	2828	{60E3419C-029C-4609-BEA5-1DE287C5A764}.exe	33
PID 2828 wrote to memory of 2912	2828	{60E3419C-029C-4609-BEA5-1DE287C5A764}.exe	32
PID 2828 wrote to memory of 2912	2828	{60E3419C-029C-4609-BEA5-1DE287C5A764}.exe	32
PID 2828 wrote to memory of 2912	2828	{60E3419C-029C-4609-BEA5-1DE287C5A764}.exe	32
PID 2828 wrote to memory of 2912	2828	{60E3419C-029C-4609-BEA5-1DE287C5A764}.exe	32
PID 2868 wrote to memory of 2892	2868	{33A14047-DDAA-4a5f-9169-449257DFB073}.exe	36
PID 2868 wrote to memory of 2892	2868	{33A14047-DDAA-4a5f-9169-449257DFB073}.exe	36
PID 2868 wrote to memory of 2892	2868	{33A14047-DDAA-4a5f-9169-449257DFB073}.exe	36
PID 2868 wrote to memory of 2892	2868	{33A14047-DDAA-4a5f-9169-449257DFB073}.exe	36
PID 2868 wrote to memory of 2092	2868	{33A14047-DDAA-4a5f-9169-449257DFB073}.exe	37
PID 2868 wrote to memory of 2092	2868	{33A14047-DDAA-4a5f-9169-449257DFB073}.exe	37
PID 2868 wrote to memory of 2092	2868	{33A14047-DDAA-4a5f-9169-449257DFB073}.exe	37
PID 2868 wrote to memory of 2092	2868	{33A14047-DDAA-4a5f-9169-449257DFB073}.exe	37
PID 2892 wrote to memory of 2660	2892	{F67DD635-0CFF-41fc-BA57-CFE7EEA89D00}.exe	38
PID 2892 wrote to memory of 2660	2892	{F67DD635-0CFF-41fc-BA57-CFE7EEA89D00}.exe	38
PID 2892 wrote to memory of 2660	2892	{F67DD635-0CFF-41fc-BA57-CFE7EEA89D00}.exe	38
PID 2892 wrote to memory of 2660	2892	{F67DD635-0CFF-41fc-BA57-CFE7EEA89D00}.exe	38
PID 2892 wrote to memory of 2920	2892	{F67DD635-0CFF-41fc-BA57-CFE7EEA89D00}.exe	39
PID 2892 wrote to memory of 2920	2892	{F67DD635-0CFF-41fc-BA57-CFE7EEA89D00}.exe	39
PID 2892 wrote to memory of 2920	2892	{F67DD635-0CFF-41fc-BA57-CFE7EEA89D00}.exe	39
PID 2892 wrote to memory of 2920	2892	{F67DD635-0CFF-41fc-BA57-CFE7EEA89D00}.exe	39
PID 2660 wrote to memory of 2960	2660	{57D07351-88B9-4037-BC88-A08C16A9D3AF}.exe	40
PID 2660 wrote to memory of 2960	2660	{57D07351-88B9-4037-BC88-A08C16A9D3AF}.exe	40
PID 2660 wrote to memory of 2960	2660	{57D07351-88B9-4037-BC88-A08C16A9D3AF}.exe	40
PID 2660 wrote to memory of 2960	2660	{57D07351-88B9-4037-BC88-A08C16A9D3AF}.exe	40
PID 2660 wrote to memory of 1764	2660	{57D07351-88B9-4037-BC88-A08C16A9D3AF}.exe	41
PID 2660 wrote to memory of 1764	2660	{57D07351-88B9-4037-BC88-A08C16A9D3AF}.exe	41
PID 2660 wrote to memory of 1764	2660	{57D07351-88B9-4037-BC88-A08C16A9D3AF}.exe	41
PID 2660 wrote to memory of 1764	2660	{57D07351-88B9-4037-BC88-A08C16A9D3AF}.exe	41
PID 2960 wrote to memory of 904	2960	{68F4935D-EF48-46aa-A8CF-0350CFF9D448}.exe	42
PID 2960 wrote to memory of 904	2960	{68F4935D-EF48-46aa-A8CF-0350CFF9D448}.exe	42
PID 2960 wrote to memory of 904	2960	{68F4935D-EF48-46aa-A8CF-0350CFF9D448}.exe	42
PID 2960 wrote to memory of 904	2960	{68F4935D-EF48-46aa-A8CF-0350CFF9D448}.exe	42
PID 2960 wrote to memory of 1864	2960	{68F4935D-EF48-46aa-A8CF-0350CFF9D448}.exe	43
PID 2960 wrote to memory of 1864	2960	{68F4935D-EF48-46aa-A8CF-0350CFF9D448}.exe	43
PID 2960 wrote to memory of 1864	2960	{68F4935D-EF48-46aa-A8CF-0350CFF9D448}.exe	43
PID 2960 wrote to memory of 1864	2960	{68F4935D-EF48-46aa-A8CF-0350CFF9D448}.exe	43
PID 904 wrote to memory of 1536	904	{8DCB3BB5-69B6-467c-B795-DBECC84927D9}.exe	44
PID 904 wrote to memory of 1536	904	{8DCB3BB5-69B6-467c-B795-DBECC84927D9}.exe	44
PID 904 wrote to memory of 1536	904	{8DCB3BB5-69B6-467c-B795-DBECC84927D9}.exe	44
PID 904 wrote to memory of 1536	904	{8DCB3BB5-69B6-467c-B795-DBECC84927D9}.exe	44
PID 904 wrote to memory of 2180	904	{8DCB3BB5-69B6-467c-B795-DBECC84927D9}.exe	45
PID 904 wrote to memory of 2180	904	{8DCB3BB5-69B6-467c-B795-DBECC84927D9}.exe	45
PID 904 wrote to memory of 2180	904	{8DCB3BB5-69B6-467c-B795-DBECC84927D9}.exe	45
PID 904 wrote to memory of 2180	904	{8DCB3BB5-69B6-467c-B795-DBECC84927D9}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-02-02_42921ce932ac734df4a7e06c9718ad10_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-02_42921ce932ac734df4a7e06c9718ad10_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1244
- C:\Windows\{9A43BFC0-E5DF-4a36-BAB8-005694AA37D6}.exe
  C:\Windows\{9A43BFC0-E5DF-4a36-BAB8-005694AA37D6}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2904
- - C:\Windows\{60E3419C-029C-4609-BEA5-1DE287C5A764}.exe
    C:\Windows\{60E3419C-029C-4609-BEA5-1DE287C5A764}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2828
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{60E34~1.EXE > nul
      4⤵
      PID:2912
  - - C:\Windows\{33A14047-DDAA-4a5f-9169-449257DFB073}.exe
      C:\Windows\{33A14047-DDAA-4a5f-9169-449257DFB073}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2868
    - - C:\Windows\{F67DD635-0CFF-41fc-BA57-CFE7EEA89D00}.exe
        
        C:\Windows\{F67DD635-0CFF-41fc-BA57-CFE7EEA89D00}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2892
      - C:\Windows\{57D07351-88B9-4037-BC88-A08C16A9D3AF}.exe
        
        C:\Windows\{57D07351-88B9-4037-BC88-A08C16A9D3AF}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2660
        
        C:\Windows\{68F4935D-EF48-46aa-A8CF-0350CFF9D448}.exe
        
        C:\Windows\{68F4935D-EF48-46aa-A8CF-0350CFF9D448}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2960
        
        C:\Windows\{8DCB3BB5-69B6-467c-B795-DBECC84927D9}.exe
        
        C:\Windows\{8DCB3BB5-69B6-467c-B795-DBECC84927D9}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:904
        
        C:\Windows\{8973308B-6C86-4c55-AAD5-ADDA6C40F56E}.exe
        
        C:\Windows\{8973308B-6C86-4c55-AAD5-ADDA6C40F56E}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{89733~1.EXE > nul
        10⤵
        
        PID:2344
        
        C:\Windows\{0AA075BA-E749-438b-ADA0-337531BBEE21}.exe
        
        C:\Windows\{0AA075BA-E749-438b-ADA0-337531BBEE21}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2404
        
        C:\Windows\{DABAF574-6E53-4294-92C4-DCAAABB9DB61}.exe
        
        C:\Windows\{DABAF574-6E53-4294-92C4-DCAAABB9DB61}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DABAF~1.EXE > nul
        12⤵
        
        PID:576
        
        C:\Windows\{8FC4A55A-FAA9-4d9a-9DD2-358959636C94}.exe
        
        C:\Windows\{8FC4A55A-FAA9-4d9a-9DD2-358959636C94}.exe
        12⤵
        Executes dropped EXE
        
        PID:1168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0AA07~1.EXE > nul
        11⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8DCB3~1.EXE > nul
        9⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{68F49~1.EXE > nul
        8⤵
        
        PID:1864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{57D07~1.EXE > nul
        7⤵
        
        PID:1764
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F67DD~1.EXE > nul
        6⤵
        
        PID:2920
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{33A14~1.EXE > nul
        5⤵
        
        PID:2092
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{9A43B~1.EXE > nul
    3⤵
    PID:2884
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0AA075BA-E749-438b-ADA0-337531BBEE21}.exe

Filesize
408KB

MD5
593b0dcd0ad8e2d5b2beae585a4059f5

SHA1
dff65b6312dc4757b8ad09f638e69b88d766a025

SHA256
f7ad760bad0d5f7b95dd85d916adec62fd19f7efa9ccf37dee292548ed9ae121

SHA512
23f4b3660464fe3fc830cd579e9fce0d02eb2f582d1163d5e60cd24dd8918951f0d9a1b95a74ab91da8040774e48edcb496667158af480d40ddc00d08d2e5122

Download Submit
C:\Windows\{33A14047-DDAA-4a5f-9169-449257DFB073}.exe

Filesize
408KB

MD5
edfa545c6bdebab70e909b644c377f15

SHA1
e05c5e3eab1930a2c9f6ed6e079aa769e35eb678

SHA256
7502374f24e28b538fc89c93d8e0215e9aa6d3b16192e5049b3d27534b1af5d6

SHA512
8f9b72a90e8c9f61bd9c5c6035d0113ade8f5f74e69166068ed20eb017b66eb3bd1ba4f3b0a92b473cc353741d2e08f92f9c64b6346fcc1fe0c1d3e72703b4bb

Download Submit
C:\Windows\{33A14047-DDAA-4a5f-9169-449257DFB073}.exe

Filesize
305KB

MD5
68fca68833fd3adc3f90aafc35af4cdc

SHA1
146035b13461e692cd673f44af4c322a657f4bfc

SHA256
4cd185ce168f81205f2e34ff659c5f795e904d469aa931d8a2f6ea9969802328

SHA512
db63ab74f70f07240c841fb707bf28e1c1c7990c98e00c62f04f70a8daccca9f41a3741c5c0bcc28639cc11ff961dcd69615542695b54a80147f10613727ee8a

Download Submit
C:\Windows\{57D07351-88B9-4037-BC88-A08C16A9D3AF}.exe

Filesize
408KB

MD5
cdf442e718e6ac378e504c288681d326

SHA1
053e94b6f9fd37f0cc19e176a6abe10cdfde102e

SHA256
7bd04fef9e3cec341e33891ff158bee2b156219bf35365bbe346866580df5450

SHA512
669b7b2dedf9342796acfd13ea6c27b58a312a4f83ee904b9be4d836e27c8dfd9e566321f4c164d2ad0828d80e691a7e384138b76e939d86df6d5af2001564e8

Download Submit
C:\Windows\{60E3419C-029C-4609-BEA5-1DE287C5A764}.exe

Filesize
408KB

MD5
4407efaec78962a5c238afb42478b279

SHA1
bec90782c1333cd8f831b338b627bdbce3ad102a

SHA256
d7d58d7c5d42cd327cbfaaf89a2722fa2b35288edfebba12de50b0c5777a1089

SHA512
bfc869aff0f36294f45479b3b88c65fb4e9eedd8300e7cc0cda6d8c4f408b9b023063a655d3afa454c9b172d998f1360692de3a699426ecf8a3898e659bbf0db

Download Submit
C:\Windows\{68F4935D-EF48-46aa-A8CF-0350CFF9D448}.exe

Filesize
408KB

MD5
5711581cba73a876edebb645d0f262a1

SHA1
456fe173f97fe8f668d134a067a73955799ea8a3

SHA256
f9bdcfc3912624d8fc361628ac1e6c218a1678c0a37cc334a7676d9387c728bc

SHA512
5a192cc3714be5743b0d1f3178fe64348d16aa3379b68fcf491684520608038d331d0c7b70eb58d76800f163c1ccb302abd19091dfb929547870026a39c1ea00

Download Submit
C:\Windows\{8973308B-6C86-4c55-AAD5-ADDA6C40F56E}.exe

Filesize
408KB

MD5
7dd450e14c03b9131673af64fc0fc053

SHA1
6f4ebf5d977ca38279fb3753e9bd54b80770e0b8

SHA256
bd1605d3570c8726423cc206605529b1e1f17f44b97e9af12cb06b8b14bde2d1

SHA512
31e8b6d51970a16e85bebf53bc76bc0876fdaa49e7ef5e85361d2eb0d70620798cb212636aff169341780b0733d995e9101df4ba872e44a76c9a84c017cce486

Download Submit
C:\Windows\{8DCB3BB5-69B6-467c-B795-DBECC84927D9}.exe

Filesize
408KB

MD5
adcec03a1fe8bf5ed70fa48b488c26ab

SHA1
4bb1739385f9c9bd3a3da3e5a69548fa7dee2c45

SHA256
69602e3b81fa873b2527e088debe56c363658c5ef071d42b08a95f5fb436ea71

SHA512
e5ed2e358bb2428d178ec62b560bf9001d60b01598895de46e05b007b3e1ee3620525dce8c8603691b38c0522644223b22bdd926f6f52a20c774080bc309fdbd

Download Submit
C:\Windows\{8FC4A55A-FAA9-4d9a-9DD2-358959636C94}.exe

Filesize
408KB

MD5
8f09be8edcbe8998ba92566a69a2a3d0

SHA1
6cda9b8c08d7ea96b656cab27e22a1522c175e4f

SHA256
2156918b0f25f97516aa30cea305a5e83f26c91dbe29de4e461c1f832d327d47

SHA512
c538d0b7519547860e965d5bf60891ccc0f3ee2d7928052d4dba1354f7fe17367cc35a78cc72436e55b6021ea9c80c743ee929ebd050c2dcd8b00c0c66c4e6fd

Download Submit
C:\Windows\{9A43BFC0-E5DF-4a36-BAB8-005694AA37D6}.exe

Filesize
408KB

MD5
c236fd6dfb71d9fdfff4fdf921ac2a1a

SHA1
da68026c457904f5270f39793fd44ec058fc28ec

SHA256
54b627c743858f658bec58aa1f148ffed294580f6fa5212b133d76ed31a6d37e

SHA512
f79ab5be5cb331952c60122f85afa1048168188998006a76ec298f6fdb4960873a907bf25ca3950cc8f6f86fd9ce9a472b12db28d070c509d9f81c67609b07b9

Download Submit
C:\Windows\{DABAF574-6E53-4294-92C4-DCAAABB9DB61}.exe

Filesize
408KB

MD5
e93f7c673767849b978e9d7b1d0a32a7

SHA1
0b03793bf57a55b3155d5ffff4c154c9118e66f2

SHA256
f489e75c61a59ae3dab23812ec65c00b48e4725b8796c898a8d16d95c03a1a0f

SHA512
850c95c8d8b8e0be040addb3063637870b376f7eeec3a3d69bad2112bd54e95c53c21b94555928955e6583c10b6901deb3b090a8e842f09dbe15f2fc36f2d5cc

Download Submit
C:\Windows\{F67DD635-0CFF-41fc-BA57-CFE7EEA89D00}.exe

Filesize
295KB

MD5
51f0f9edd50bef7642994f2fa19af65e

SHA1
60c1ff4dd1867987c59f791113be8b6e4b8c0cb7

SHA256
3edbe081969e05bb6ee5ad6834d6d1dfaa10b41cb1956f45abc78084c3992945

SHA512
4a7b9610b725628bd58e3bbf7c53323688337076e1f63d477dd9f1f24002a2e951216c0d5f91579a368f0c010e5b93ce16ad368c3dfde0ebb319adba1d8ebe98

Download Submit
C:\Windows\{F67DD635-0CFF-41fc-BA57-CFE7EEA89D00}.exe

Filesize
408KB

MD5
24c85e9b47c961a5e9d96a9f8be0e960

SHA1
9c68826a57f960f6e3dba47ab1a453aebb2c0410

SHA256
1b902e735a6005021bf2b1f93db06bfbcca61c38c7609e44b0ad942db924a964

SHA512
c22bacb14cea5fdb583da80a4cb840c6f11464d2a2d6c3f829b583bae2c67859d1aeba90fa4bbe69c5e07e3b5fa7634cdaa847b8c6923d0f3ec307f70795d8df

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads