f2846341436e73367dc913cbee38dc6e72609c91dcdebe143260fd5d24a7123f

Analysis

max time kernel
144s
max time network
117s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
03/02/2024, 12:22

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-02-03_1ac0336fc8e568255c9b4ddb1907f53b_goldeneye.exe
Size

180KB
MD5

1ac0336fc8e568255c9b4ddb1907f53b
SHA1

42cf493e1e41b6cd9e1f47c06c895652ecb84d8a
SHA256

f2846341436e73367dc913cbee38dc6e72609c91dcdebe143260fd5d24a7123f
SHA512

bd185be8c71d86674876d1628340e4c1076fc451bc452e13bc2c31e5223f1c40b73bf4f3bebf5d1e150e17427cc6afd78d885084641d2be87ce333f6c7c5d453
SSDEEP

3072:jEGh0omlfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGgl5eKcAEc

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 13 IoCs

resource	yara_rule
behavioral1/files/0x000a000000013a1a-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a000000013a1a-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000900000001410b-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b000000013a1a-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00090000000142cc-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000005a5a-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000013a1a-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000005a5a-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000013a1a-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000005a5a-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000005a5a-62.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e000000013a1a-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000005a5a-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B255C33C-2333-4fc4-A10A-3B1FE34D0E07}\stubpath = "C:\\Windows\\{B255C33C-2333-4fc4-A10A-3B1FE34D0E07}.exe"	{39CF6122-CA03-4fbf-B709-CE401E5F8026}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{11C9D814-08E7-4618-B005-2C8B4CA55C95}	{B255C33C-2333-4fc4-A10A-3B1FE34D0E07}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DCCAAD05-F516-4007-BCAC-66E6CA0C30FC}\stubpath = "C:\\Windows\\{DCCAAD05-F516-4007-BCAC-66E6CA0C30FC}.exe"	{11C9D814-08E7-4618-B005-2C8B4CA55C95}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{821EA681-8CCF-4d60-A877-9FA92E1F91E2}\stubpath = "C:\\Windows\\{821EA681-8CCF-4d60-A877-9FA92E1F91E2}.exe"	{0E2D244B-319C-4dd9-AB82-A5DC3658A2C6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E2983E9E-A3FF-41e3-8839-8CA34DFB2101}\stubpath = "C:\\Windows\\{E2983E9E-A3FF-41e3-8839-8CA34DFB2101}.exe"	2024-02-03_1ac0336fc8e568255c9b4ddb1907f53b_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0AB5AA67-E75C-47ee-8E9B-D5D116DEE237}\stubpath = "C:\\Windows\\{0AB5AA67-E75C-47ee-8E9B-D5D116DEE237}.exe"	{E2983E9E-A3FF-41e3-8839-8CA34DFB2101}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{493A530F-29B1-4935-B8ED-BFD1C79CD55C}\stubpath = "C:\\Windows\\{493A530F-29B1-4935-B8ED-BFD1C79CD55C}.exe"	{0AB5AA67-E75C-47ee-8E9B-D5D116DEE237}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B255C33C-2333-4fc4-A10A-3B1FE34D0E07}	{39CF6122-CA03-4fbf-B709-CE401E5F8026}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DCCAAD05-F516-4007-BCAC-66E6CA0C30FC}	{11C9D814-08E7-4618-B005-2C8B4CA55C95}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0E2D244B-319C-4dd9-AB82-A5DC3658A2C6}	{DCCAAD05-F516-4007-BCAC-66E6CA0C30FC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0E2D244B-319C-4dd9-AB82-A5DC3658A2C6}\stubpath = "C:\\Windows\\{0E2D244B-319C-4dd9-AB82-A5DC3658A2C6}.exe"	{DCCAAD05-F516-4007-BCAC-66E6CA0C30FC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{49BA2F75-BB7F-42a6-B8A4-572E390215EA}	{821EA681-8CCF-4d60-A877-9FA92E1F91E2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{49BA2F75-BB7F-42a6-B8A4-572E390215EA}\stubpath = "C:\\Windows\\{49BA2F75-BB7F-42a6-B8A4-572E390215EA}.exe"	{821EA681-8CCF-4d60-A877-9FA92E1F91E2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0AB5AA67-E75C-47ee-8E9B-D5D116DEE237}	{E2983E9E-A3FF-41e3-8839-8CA34DFB2101}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9C4E3FE1-A8D3-4b74-ADB8-475556592DB6}\stubpath = "C:\\Windows\\{9C4E3FE1-A8D3-4b74-ADB8-475556592DB6}.exe"	{493A530F-29B1-4935-B8ED-BFD1C79CD55C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{39CF6122-CA03-4fbf-B709-CE401E5F8026}	{9C4E3FE1-A8D3-4b74-ADB8-475556592DB6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{821EA681-8CCF-4d60-A877-9FA92E1F91E2}	{0E2D244B-319C-4dd9-AB82-A5DC3658A2C6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E2983E9E-A3FF-41e3-8839-8CA34DFB2101}	2024-02-03_1ac0336fc8e568255c9b4ddb1907f53b_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{493A530F-29B1-4935-B8ED-BFD1C79CD55C}	{0AB5AA67-E75C-47ee-8E9B-D5D116DEE237}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9C4E3FE1-A8D3-4b74-ADB8-475556592DB6}	{493A530F-29B1-4935-B8ED-BFD1C79CD55C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{39CF6122-CA03-4fbf-B709-CE401E5F8026}\stubpath = "C:\\Windows\\{39CF6122-CA03-4fbf-B709-CE401E5F8026}.exe"	{9C4E3FE1-A8D3-4b74-ADB8-475556592DB6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{11C9D814-08E7-4618-B005-2C8B4CA55C95}\stubpath = "C:\\Windows\\{11C9D814-08E7-4618-B005-2C8B4CA55C95}.exe"	{B255C33C-2333-4fc4-A10A-3B1FE34D0E07}.exe

Executes dropped EXE 11 IoCs

pid	Process
2196	{E2983E9E-A3FF-41e3-8839-8CA34DFB2101}.exe
2648	{0AB5AA67-E75C-47ee-8E9B-D5D116DEE237}.exe
2460	{493A530F-29B1-4935-B8ED-BFD1C79CD55C}.exe
2576	{9C4E3FE1-A8D3-4b74-ADB8-475556592DB6}.exe
1172	{39CF6122-CA03-4fbf-B709-CE401E5F8026}.exe
1792	{B255C33C-2333-4fc4-A10A-3B1FE34D0E07}.exe
1752	{11C9D814-08E7-4618-B005-2C8B4CA55C95}.exe
1612	{DCCAAD05-F516-4007-BCAC-66E6CA0C30FC}.exe
2800	{0E2D244B-319C-4dd9-AB82-A5DC3658A2C6}.exe
2136	{821EA681-8CCF-4d60-A877-9FA92E1F91E2}.exe
1444	{49BA2F75-BB7F-42a6-B8A4-572E390215EA}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{0E2D244B-319C-4dd9-AB82-A5DC3658A2C6}.exe	{DCCAAD05-F516-4007-BCAC-66E6CA0C30FC}.exe
File created	C:\Windows\{0AB5AA67-E75C-47ee-8E9B-D5D116DEE237}.exe	{E2983E9E-A3FF-41e3-8839-8CA34DFB2101}.exe
File created	C:\Windows\{11C9D814-08E7-4618-B005-2C8B4CA55C95}.exe	{B255C33C-2333-4fc4-A10A-3B1FE34D0E07}.exe
File created	C:\Windows\{9C4E3FE1-A8D3-4b74-ADB8-475556592DB6}.exe	{493A530F-29B1-4935-B8ED-BFD1C79CD55C}.exe
File created	C:\Windows\{39CF6122-CA03-4fbf-B709-CE401E5F8026}.exe	{9C4E3FE1-A8D3-4b74-ADB8-475556592DB6}.exe
File created	C:\Windows\{B255C33C-2333-4fc4-A10A-3B1FE34D0E07}.exe	{39CF6122-CA03-4fbf-B709-CE401E5F8026}.exe
File created	C:\Windows\{DCCAAD05-F516-4007-BCAC-66E6CA0C30FC}.exe	{11C9D814-08E7-4618-B005-2C8B4CA55C95}.exe
File created	C:\Windows\{821EA681-8CCF-4d60-A877-9FA92E1F91E2}.exe	{0E2D244B-319C-4dd9-AB82-A5DC3658A2C6}.exe
File created	C:\Windows\{49BA2F75-BB7F-42a6-B8A4-572E390215EA}.exe	{821EA681-8CCF-4d60-A877-9FA92E1F91E2}.exe
File created	C:\Windows\{E2983E9E-A3FF-41e3-8839-8CA34DFB2101}.exe	2024-02-03_1ac0336fc8e568255c9b4ddb1907f53b_goldeneye.exe
File created	C:\Windows\{493A530F-29B1-4935-B8ED-BFD1C79CD55C}.exe	{0AB5AA67-E75C-47ee-8E9B-D5D116DEE237}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2904	2024-02-03_1ac0336fc8e568255c9b4ddb1907f53b_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2196	{E2983E9E-A3FF-41e3-8839-8CA34DFB2101}.exe
Token: SeIncBasePriorityPrivilege	2648	{0AB5AA67-E75C-47ee-8E9B-D5D116DEE237}.exe
Token: SeIncBasePriorityPrivilege	2460	{493A530F-29B1-4935-B8ED-BFD1C79CD55C}.exe
Token: SeIncBasePriorityPrivilege	2576	{9C4E3FE1-A8D3-4b74-ADB8-475556592DB6}.exe
Token: SeIncBasePriorityPrivilege	1172	{39CF6122-CA03-4fbf-B709-CE401E5F8026}.exe
Token: SeIncBasePriorityPrivilege	1792	{B255C33C-2333-4fc4-A10A-3B1FE34D0E07}.exe
Token: SeIncBasePriorityPrivilege	1752	{11C9D814-08E7-4618-B005-2C8B4CA55C95}.exe
Token: SeIncBasePriorityPrivilege	1612	{DCCAAD05-F516-4007-BCAC-66E6CA0C30FC}.exe
Token: SeIncBasePriorityPrivilege	2800	{0E2D244B-319C-4dd9-AB82-A5DC3658A2C6}.exe
Token: SeIncBasePriorityPrivilege	2136	{821EA681-8CCF-4d60-A877-9FA92E1F91E2}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2904 wrote to memory of 2196	2904	2024-02-03_1ac0336fc8e568255c9b4ddb1907f53b_goldeneye.exe	28
PID 2904 wrote to memory of 2196	2904	2024-02-03_1ac0336fc8e568255c9b4ddb1907f53b_goldeneye.exe	28
PID 2904 wrote to memory of 2196	2904	2024-02-03_1ac0336fc8e568255c9b4ddb1907f53b_goldeneye.exe	28
PID 2904 wrote to memory of 2196	2904	2024-02-03_1ac0336fc8e568255c9b4ddb1907f53b_goldeneye.exe	28
PID 2904 wrote to memory of 2536	2904	2024-02-03_1ac0336fc8e568255c9b4ddb1907f53b_goldeneye.exe	29
PID 2904 wrote to memory of 2536	2904	2024-02-03_1ac0336fc8e568255c9b4ddb1907f53b_goldeneye.exe	29
PID 2904 wrote to memory of 2536	2904	2024-02-03_1ac0336fc8e568255c9b4ddb1907f53b_goldeneye.exe	29
PID 2904 wrote to memory of 2536	2904	2024-02-03_1ac0336fc8e568255c9b4ddb1907f53b_goldeneye.exe	29
PID 2196 wrote to memory of 2648	2196	{E2983E9E-A3FF-41e3-8839-8CA34DFB2101}.exe	30
PID 2196 wrote to memory of 2648	2196	{E2983E9E-A3FF-41e3-8839-8CA34DFB2101}.exe	30
PID 2196 wrote to memory of 2648	2196	{E2983E9E-A3FF-41e3-8839-8CA34DFB2101}.exe	30
PID 2196 wrote to memory of 2648	2196	{E2983E9E-A3FF-41e3-8839-8CA34DFB2101}.exe	30
PID 2196 wrote to memory of 2676	2196	{E2983E9E-A3FF-41e3-8839-8CA34DFB2101}.exe	31
PID 2196 wrote to memory of 2676	2196	{E2983E9E-A3FF-41e3-8839-8CA34DFB2101}.exe	31
PID 2196 wrote to memory of 2676	2196	{E2983E9E-A3FF-41e3-8839-8CA34DFB2101}.exe	31
PID 2196 wrote to memory of 2676	2196	{E2983E9E-A3FF-41e3-8839-8CA34DFB2101}.exe	31
PID 2648 wrote to memory of 2460	2648	{0AB5AA67-E75C-47ee-8E9B-D5D116DEE237}.exe	32
PID 2648 wrote to memory of 2460	2648	{0AB5AA67-E75C-47ee-8E9B-D5D116DEE237}.exe	32
PID 2648 wrote to memory of 2460	2648	{0AB5AA67-E75C-47ee-8E9B-D5D116DEE237}.exe	32
PID 2648 wrote to memory of 2460	2648	{0AB5AA67-E75C-47ee-8E9B-D5D116DEE237}.exe	32
PID 2648 wrote to memory of 2572	2648	{0AB5AA67-E75C-47ee-8E9B-D5D116DEE237}.exe	33
PID 2648 wrote to memory of 2572	2648	{0AB5AA67-E75C-47ee-8E9B-D5D116DEE237}.exe	33
PID 2648 wrote to memory of 2572	2648	{0AB5AA67-E75C-47ee-8E9B-D5D116DEE237}.exe	33
PID 2648 wrote to memory of 2572	2648	{0AB5AA67-E75C-47ee-8E9B-D5D116DEE237}.exe	33
PID 2460 wrote to memory of 2576	2460	{493A530F-29B1-4935-B8ED-BFD1C79CD55C}.exe	36
PID 2460 wrote to memory of 2576	2460	{493A530F-29B1-4935-B8ED-BFD1C79CD55C}.exe	36
PID 2460 wrote to memory of 2576	2460	{493A530F-29B1-4935-B8ED-BFD1C79CD55C}.exe	36
PID 2460 wrote to memory of 2576	2460	{493A530F-29B1-4935-B8ED-BFD1C79CD55C}.exe	36
PID 2460 wrote to memory of 2916	2460	{493A530F-29B1-4935-B8ED-BFD1C79CD55C}.exe	37
PID 2460 wrote to memory of 2916	2460	{493A530F-29B1-4935-B8ED-BFD1C79CD55C}.exe	37
PID 2460 wrote to memory of 2916	2460	{493A530F-29B1-4935-B8ED-BFD1C79CD55C}.exe	37
PID 2460 wrote to memory of 2916	2460	{493A530F-29B1-4935-B8ED-BFD1C79CD55C}.exe	37
PID 2576 wrote to memory of 1172	2576	{9C4E3FE1-A8D3-4b74-ADB8-475556592DB6}.exe	38
PID 2576 wrote to memory of 1172	2576	{9C4E3FE1-A8D3-4b74-ADB8-475556592DB6}.exe	38
PID 2576 wrote to memory of 1172	2576	{9C4E3FE1-A8D3-4b74-ADB8-475556592DB6}.exe	38
PID 2576 wrote to memory of 1172	2576	{9C4E3FE1-A8D3-4b74-ADB8-475556592DB6}.exe	38
PID 2576 wrote to memory of 1296	2576	{9C4E3FE1-A8D3-4b74-ADB8-475556592DB6}.exe	39
PID 2576 wrote to memory of 1296	2576	{9C4E3FE1-A8D3-4b74-ADB8-475556592DB6}.exe	39
PID 2576 wrote to memory of 1296	2576	{9C4E3FE1-A8D3-4b74-ADB8-475556592DB6}.exe	39
PID 2576 wrote to memory of 1296	2576	{9C4E3FE1-A8D3-4b74-ADB8-475556592DB6}.exe	39
PID 1172 wrote to memory of 1792	1172	{39CF6122-CA03-4fbf-B709-CE401E5F8026}.exe	40
PID 1172 wrote to memory of 1792	1172	{39CF6122-CA03-4fbf-B709-CE401E5F8026}.exe	40
PID 1172 wrote to memory of 1792	1172	{39CF6122-CA03-4fbf-B709-CE401E5F8026}.exe	40
PID 1172 wrote to memory of 1792	1172	{39CF6122-CA03-4fbf-B709-CE401E5F8026}.exe	40
PID 1172 wrote to memory of 1724	1172	{39CF6122-CA03-4fbf-B709-CE401E5F8026}.exe	41
PID 1172 wrote to memory of 1724	1172	{39CF6122-CA03-4fbf-B709-CE401E5F8026}.exe	41
PID 1172 wrote to memory of 1724	1172	{39CF6122-CA03-4fbf-B709-CE401E5F8026}.exe	41
PID 1172 wrote to memory of 1724	1172	{39CF6122-CA03-4fbf-B709-CE401E5F8026}.exe	41
PID 1792 wrote to memory of 1752	1792	{B255C33C-2333-4fc4-A10A-3B1FE34D0E07}.exe	42
PID 1792 wrote to memory of 1752	1792	{B255C33C-2333-4fc4-A10A-3B1FE34D0E07}.exe	42
PID 1792 wrote to memory of 1752	1792	{B255C33C-2333-4fc4-A10A-3B1FE34D0E07}.exe	42
PID 1792 wrote to memory of 1752	1792	{B255C33C-2333-4fc4-A10A-3B1FE34D0E07}.exe	42
PID 1792 wrote to memory of 2680	1792	{B255C33C-2333-4fc4-A10A-3B1FE34D0E07}.exe	43
PID 1792 wrote to memory of 2680	1792	{B255C33C-2333-4fc4-A10A-3B1FE34D0E07}.exe	43
PID 1792 wrote to memory of 2680	1792	{B255C33C-2333-4fc4-A10A-3B1FE34D0E07}.exe	43
PID 1792 wrote to memory of 2680	1792	{B255C33C-2333-4fc4-A10A-3B1FE34D0E07}.exe	43
PID 1752 wrote to memory of 1612	1752	{11C9D814-08E7-4618-B005-2C8B4CA55C95}.exe	45
PID 1752 wrote to memory of 1612	1752	{11C9D814-08E7-4618-B005-2C8B4CA55C95}.exe	45
PID 1752 wrote to memory of 1612	1752	{11C9D814-08E7-4618-B005-2C8B4CA55C95}.exe	45
PID 1752 wrote to memory of 1612	1752	{11C9D814-08E7-4618-B005-2C8B4CA55C95}.exe	45
PID 1752 wrote to memory of 1680	1752	{11C9D814-08E7-4618-B005-2C8B4CA55C95}.exe	44
PID 1752 wrote to memory of 1680	1752	{11C9D814-08E7-4618-B005-2C8B4CA55C95}.exe	44
PID 1752 wrote to memory of 1680	1752	{11C9D814-08E7-4618-B005-2C8B4CA55C95}.exe	44
PID 1752 wrote to memory of 1680	1752	{11C9D814-08E7-4618-B005-2C8B4CA55C95}.exe	44

C:\Users\Admin\AppData\Local\Temp\2024-02-03_1ac0336fc8e568255c9b4ddb1907f53b_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-03_1ac0336fc8e568255c9b4ddb1907f53b_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2904
- C:\Windows\{E2983E9E-A3FF-41e3-8839-8CA34DFB2101}.exe
  C:\Windows\{E2983E9E-A3FF-41e3-8839-8CA34DFB2101}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2196
- - C:\Windows\{0AB5AA67-E75C-47ee-8E9B-D5D116DEE237}.exe
    C:\Windows\{0AB5AA67-E75C-47ee-8E9B-D5D116DEE237}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2648
  - - C:\Windows\{493A530F-29B1-4935-B8ED-BFD1C79CD55C}.exe
      C:\Windows\{493A530F-29B1-4935-B8ED-BFD1C79CD55C}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2460
    - - C:\Windows\{9C4E3FE1-A8D3-4b74-ADB8-475556592DB6}.exe
        
        C:\Windows\{9C4E3FE1-A8D3-4b74-ADB8-475556592DB6}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2576
      - C:\Windows\{39CF6122-CA03-4fbf-B709-CE401E5F8026}.exe
        
        C:\Windows\{39CF6122-CA03-4fbf-B709-CE401E5F8026}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1172
        
        C:\Windows\{B255C33C-2333-4fc4-A10A-3B1FE34D0E07}.exe
        
        C:\Windows\{B255C33C-2333-4fc4-A10A-3B1FE34D0E07}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1792
        
        C:\Windows\{11C9D814-08E7-4618-B005-2C8B4CA55C95}.exe
        
        C:\Windows\{11C9D814-08E7-4618-B005-2C8B4CA55C95}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{11C9D~1.EXE > nul
        9⤵
        
        PID:1680
        
        C:\Windows\{DCCAAD05-F516-4007-BCAC-66E6CA0C30FC}.exe
        
        C:\Windows\{DCCAAD05-F516-4007-BCAC-66E6CA0C30FC}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1612
        
        C:\Windows\{0E2D244B-319C-4dd9-AB82-A5DC3658A2C6}.exe
        
        C:\Windows\{0E2D244B-319C-4dd9-AB82-A5DC3658A2C6}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2800
        
        C:\Windows\{821EA681-8CCF-4d60-A877-9FA92E1F91E2}.exe
        
        C:\Windows\{821EA681-8CCF-4d60-A877-9FA92E1F91E2}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2136
        
        C:\Windows\{49BA2F75-BB7F-42a6-B8A4-572E390215EA}.exe
        
        C:\Windows\{49BA2F75-BB7F-42a6-B8A4-572E390215EA}.exe
        12⤵
        Executes dropped EXE
        
        PID:1444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{821EA~1.EXE > nul
        12⤵
        
        PID:580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0E2D2~1.EXE > nul
        11⤵
        
        PID:604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DCCAA~1.EXE > nul
        10⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B255C~1.EXE > nul
        8⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{39CF6~1.EXE > nul
        7⤵
        
        PID:1724
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9C4E3~1.EXE > nul
        6⤵
        
        PID:1296
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{493A5~1.EXE > nul
        5⤵
        
        PID:2916
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{0AB5A~1.EXE > nul
      4⤵
      PID:2572
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{E2983~1.EXE > nul
    3⤵
    PID:2676
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0AB5AA67-E75C-47ee-8E9B-D5D116DEE237}.exe

Filesize
180KB

MD5
1f1fe4a79a527ae33a41757aeb2fd8c8

SHA1
116998d4678c5e2e038f55fb1fd7d51fba230d1f

SHA256
556cefdfa213313560209935a9625d8889bc8101cea0970580d29579ed2ef7dd

SHA512
91870a0e0c7fdd49ff36c3cf3b6db6111f2cbec192cc120833b2aba837fb960064d97d7726abd32f069444befde42a1a216885a5f014d6d675d58ae40a89678d

Download Submit
C:\Windows\{0E2D244B-319C-4dd9-AB82-A5DC3658A2C6}.exe

Filesize
180KB

MD5
29db9e59d0ad49700aefb90d18765d7d

SHA1
f5d7e82ecd883f5029ff2e91031ded5dbac259cb

SHA256
4eb13d7b71fe6a223e5fb2baa7c68b15f825239c425076775aa3c0cd923a5f68

SHA512
ca8a6ab6dfdc2bc275b2a468b9601177d4e75803c1cfedde405b46e10679b692fc59a77c6f3e97f6383fb30954bbbf91e72a4d9639662f6342d868458c51e1ca

Download Submit
C:\Windows\{0E2D244B-319C-4dd9-AB82-A5DC3658A2C6}.exe

Filesize
3KB

MD5
c500142b8061603cd1d64c9b56080b57

SHA1
ce4f3d74272e3bb89eac0df81ae7f61b9a8273db

SHA256
3c0224e67e4320ce91aece01ee9175c28b10eab0fe3d1d519eb4ffb65167abd6

SHA512
f31c23ae395878c973c1b69a930b812473ad9193249b949cc6de7bfc68beea7e14bcc0473065468127484680e3554cc796374a33c1fa4cc5a6b9c0837d95f322

Download Submit
C:\Windows\{11C9D814-08E7-4618-B005-2C8B4CA55C95}.exe

Filesize
180KB

MD5
46fc394761d25738d2581dac2623d2f9

SHA1
9e490d435c6ac9b30de15990b2020c7ee9d439c8

SHA256
099f001de3a451fdc6916581a45cb07232a1d3644c07f819235ed77f2598de08

SHA512
ca93cbe63a26efa3ef9fe1baece046f6bd917f0ae8ea7d445cc8e0bfee19e2d5faba15d844b3cc939fe7b43fb02e0c0ea050485daad453f4a353a0dba6391520

Download Submit
C:\Windows\{39CF6122-CA03-4fbf-B709-CE401E5F8026}.exe

Filesize
180KB

MD5
711f42d86b2ff1ac3db408bb46c9c768

SHA1
36a63a7f8252b3f3a50605d1550099f79bc6f84b

SHA256
63dd4b69ae7e269905d30474fc491791ebd923e8c74303d8cc7374309cc11be0

SHA512
c4ff986d21468d2093ab4c45bceebae9a0e481d4b5b9fbb6b7910cf3ddfe423ddb9de6ee1298f34f9291eda1909794466724862a11e839c2f3103b9f700919d4

Download Submit
C:\Windows\{493A530F-29B1-4935-B8ED-BFD1C79CD55C}.exe

Filesize
180KB

MD5
d5e5eafebe8c11ede8665654794f3966

SHA1
23df23611d7dec5c306cb787e86156f96b758999

SHA256
ed955a586924d9ea5a443f65e7579286422469627bab36d5715930df64a12ab9

SHA512
f2ab7fc545e22ce012290d37cd370fb21e6d1b383e728de4d2f0bb5633ebe7f8d41ffb7790815d7f3cebf24f1d4f1dcfcc2ff408ba08bbb47f142f69e40edb32

Download Submit
C:\Windows\{49BA2F75-BB7F-42a6-B8A4-572E390215EA}.exe

Filesize
180KB

MD5
92b0eddc761f3aec285877d2806e74c6

SHA1
776f0a07181db66cd06217fb56a4eed7536f899e

SHA256
fb565b02ac9dfc6211874ed12356644915b0fe5fcac47427b3872d96c858383b

SHA512
9a0e3c573ca7f58b3f33703e1bb3d62b183922b5cccb3887f975e6dbbc3345f7cf996853d63a40189e9f208a136171e8307208ee0a1e33754b08ee19d6caf27d

Download Submit
C:\Windows\{821EA681-8CCF-4d60-A877-9FA92E1F91E2}.exe

Filesize
180KB

MD5
b1d10b9738599402219e46f4c43f0ed8

SHA1
d8ccfa75dec72bb8f607593c382a68725bab3d26

SHA256
271280d487d513af9b2d68de394d1d53ca8964f5835f15591ab233f1cbaadeb5

SHA512
1a307e8bd7ff1d26f85ece5fb142e8f76ec6fd15a0a03f8e4644ad7127a7e5bd4b6cfdeaa8054b366177ba0c4784a2649b3dcda08099bb302a11f6e5e9d961b7

Download Submit
C:\Windows\{9C4E3FE1-A8D3-4b74-ADB8-475556592DB6}.exe

Filesize
180KB

MD5
b34e439e3d50774cf83d1a3841b9151d

SHA1
6050cadcc1405cc32de83bf752dc29e8ef875d06

SHA256
20604e31090a3b34b2d04152d094f30594281e3445917cc2650ed7d45319020c

SHA512
7ab4d356b370195f570ce9d4378dfec83554b9246a73c1f4cb3d09ea230fa2b3c1d2820d37962875ed29af7e75a1f40f79d4f99b0efb6076b15b5f41ece08e4d

Download Submit
C:\Windows\{B255C33C-2333-4fc4-A10A-3B1FE34D0E07}.exe

Filesize
180KB

MD5
488ea84e6cccb23ae11509f49a9bb1e4

SHA1
9bef84a365588111a52c38327d79a5ebd7c0cd37

SHA256
8855ef167f4ffe0947c0687d4245cb13654ad94735cc68e9e812ad45828849ca

SHA512
d0fb5bb8c83ce814755ae888c62c445459467ba251c2f0fe96f4a12e93f9ec769e6534410a0a253b3353155a915f3dba52c59d9450f09a09f136d9220cd2a33d

Download Submit
C:\Windows\{DCCAAD05-F516-4007-BCAC-66E6CA0C30FC}.exe

Filesize
180KB

MD5
ef428e8370ad156411e09b09513b46bc

SHA1
1d148f09641907900a585db1c9a30c18583b55f6

SHA256
13f4c5f6750b2fd9c73018f02d66fe5cf02f055964bc52fd6849f2df1834d448

SHA512
072b00b3ab3cb403e82f9fe3ddb7e4cf55becfe75e8606c8579d3f34f6df373b9418fb01a99aa85a7436224425ae95da32880d9479b3f4b44271d667bb691e94

Download Submit
C:\Windows\{E2983E9E-A3FF-41e3-8839-8CA34DFB2101}.exe

Filesize
180KB

MD5
d75834ef827691d82805383ce1084881

SHA1
e7a02199800c918d925e0f56a191c0e890fc3c69

SHA256
6869a7a85ead58eb841b1ec9190a86d1b6687f8fb122147d32526dcfa1c2800a

SHA512
871286e75edd3ee9a09bb6f60908b8292ce2314b00a11f4feaadbadde5948250427d6b620d9c072bf1ed91661b1908440e3903409c7a1105b38be587444b4b9f

Download Submit
C:\Windows\{E2983E9E-A3FF-41e3-8839-8CA34DFB2101}.exe

Filesize
126KB

MD5
367ff6c283ed012fd7050a5a9e63838b

SHA1
334bfef3bf61ccd5993cfe367f743a5641ee9cfc

SHA256
2204cc2d42c3d7bcef41bd24f95ddadf65810230656060213142610f6ce21342

SHA512
b9aefc6d0980953ed005f8665354020fed6d6ba19d872c840466e21914c6f87e2dbc4048da473d77a5fa2e816c8de320ff40c7ba93f9b1bed08ee45325b6b5a2

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads