87e44ff028ac898014de170b2b7d1c65356a1cf8153177e90948dfd0105d0f50

Analysis

max time kernel
144s
max time network
120s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
03/02/2024, 17:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-03_f9b29bec109fce193d71cf714e3282f5_goldeneye.exe
Size

180KB
MD5

f9b29bec109fce193d71cf714e3282f5
SHA1

acd80cbda9a7576c42dc658c9060e1f5b195da01
SHA256

87e44ff028ac898014de170b2b7d1c65356a1cf8153177e90948dfd0105d0f50
SHA512

678db706ef8680ba9bb7b9060e64c3b365280ed0262122b47f5fb87394144a98b8d434ae3840787abfb693c83d3dbc11587b1d39b7329c0717bd6845cd7230a2
SSDEEP

3072:jEGh0ozlfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGFl5eKcAEc

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000a0000000139b6-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a000000013a1a-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b0000000139b6-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a0000000141b0-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000005a5a-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c0000000139b6-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000005a5a-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d0000000139b6-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000005a5a-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e0000000139b6-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000005a5a-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4C53EEAA-E204-4b4e-B1F0-0BE9383D1B4D}\stubpath = "C:\\Windows\\{4C53EEAA-E204-4b4e-B1F0-0BE9383D1B4D}.exe"	{1A58AC7D-26D2-4b3e-9CEE-58553BD0B45D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D45AF4B9-83E2-454b-A44A-A446072D561F}	{4C53EEAA-E204-4b4e-B1F0-0BE9383D1B4D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4EC22E9F-AD5D-45be-9798-BCE5F2407B7E}	{D45AF4B9-83E2-454b-A44A-A446072D561F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DD418EB4-0B1A-4576-9D8D-F5A2E42B3729}	{D425E5F0-1F56-4a4a-B4FA-BA61DF00A69D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DD418EB4-0B1A-4576-9D8D-F5A2E42B3729}\stubpath = "C:\\Windows\\{DD418EB4-0B1A-4576-9D8D-F5A2E42B3729}.exe"	{D425E5F0-1F56-4a4a-B4FA-BA61DF00A69D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A3E1147C-C916-413c-85DD-5B70191B6D0C}	2024-02-03_f9b29bec109fce193d71cf714e3282f5_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1A58AC7D-26D2-4b3e-9CEE-58553BD0B45D}	{A3E1147C-C916-413c-85DD-5B70191B6D0C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D45AF4B9-83E2-454b-A44A-A446072D561F}\stubpath = "C:\\Windows\\{D45AF4B9-83E2-454b-A44A-A446072D561F}.exe"	{4C53EEAA-E204-4b4e-B1F0-0BE9383D1B4D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D425E5F0-1F56-4a4a-B4FA-BA61DF00A69D}	{E2C74620-DAA6-4cbe-801F-419D4FB55BC1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D425E5F0-1F56-4a4a-B4FA-BA61DF00A69D}\stubpath = "C:\\Windows\\{D425E5F0-1F56-4a4a-B4FA-BA61DF00A69D}.exe"	{E2C74620-DAA6-4cbe-801F-419D4FB55BC1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{639E79E7-7713-4445-81CD-E4E90FA7A306}\stubpath = "C:\\Windows\\{639E79E7-7713-4445-81CD-E4E90FA7A306}.exe"	{DD418EB4-0B1A-4576-9D8D-F5A2E42B3729}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9E01AF37-21EC-4804-8978-E9B23D55FFF0}	{FF9CDE55-B64F-4c9f-8FC6-6704435324E9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9E01AF37-21EC-4804-8978-E9B23D55FFF0}\stubpath = "C:\\Windows\\{9E01AF37-21EC-4804-8978-E9B23D55FFF0}.exe"	{FF9CDE55-B64F-4c9f-8FC6-6704435324E9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A3E1147C-C916-413c-85DD-5B70191B6D0C}\stubpath = "C:\\Windows\\{A3E1147C-C916-413c-85DD-5B70191B6D0C}.exe"	2024-02-03_f9b29bec109fce193d71cf714e3282f5_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4C53EEAA-E204-4b4e-B1F0-0BE9383D1B4D}	{1A58AC7D-26D2-4b3e-9CEE-58553BD0B45D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E2C74620-DAA6-4cbe-801F-419D4FB55BC1}\stubpath = "C:\\Windows\\{E2C74620-DAA6-4cbe-801F-419D4FB55BC1}.exe"	{4EC22E9F-AD5D-45be-9798-BCE5F2407B7E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FF9CDE55-B64F-4c9f-8FC6-6704435324E9}\stubpath = "C:\\Windows\\{FF9CDE55-B64F-4c9f-8FC6-6704435324E9}.exe"	{639E79E7-7713-4445-81CD-E4E90FA7A306}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1A58AC7D-26D2-4b3e-9CEE-58553BD0B45D}\stubpath = "C:\\Windows\\{1A58AC7D-26D2-4b3e-9CEE-58553BD0B45D}.exe"	{A3E1147C-C916-413c-85DD-5B70191B6D0C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E2C74620-DAA6-4cbe-801F-419D4FB55BC1}	{4EC22E9F-AD5D-45be-9798-BCE5F2407B7E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FF9CDE55-B64F-4c9f-8FC6-6704435324E9}	{639E79E7-7713-4445-81CD-E4E90FA7A306}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4EC22E9F-AD5D-45be-9798-BCE5F2407B7E}\stubpath = "C:\\Windows\\{4EC22E9F-AD5D-45be-9798-BCE5F2407B7E}.exe"	{D45AF4B9-83E2-454b-A44A-A446072D561F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{639E79E7-7713-4445-81CD-E4E90FA7A306}	{DD418EB4-0B1A-4576-9D8D-F5A2E42B3729}.exe

Deletes itself 1 IoCs

pid	Process
2560	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2168	{A3E1147C-C916-413c-85DD-5B70191B6D0C}.exe
2700	{1A58AC7D-26D2-4b3e-9CEE-58553BD0B45D}.exe
2300	{4C53EEAA-E204-4b4e-B1F0-0BE9383D1B4D}.exe
2840	{D45AF4B9-83E2-454b-A44A-A446072D561F}.exe
1328	{4EC22E9F-AD5D-45be-9798-BCE5F2407B7E}.exe
1684	{E2C74620-DAA6-4cbe-801F-419D4FB55BC1}.exe
2720	{D425E5F0-1F56-4a4a-B4FA-BA61DF00A69D}.exe
1596	{DD418EB4-0B1A-4576-9D8D-F5A2E42B3729}.exe
2940	{639E79E7-7713-4445-81CD-E4E90FA7A306}.exe
2880	{FF9CDE55-B64F-4c9f-8FC6-6704435324E9}.exe
608	{9E01AF37-21EC-4804-8978-E9B23D55FFF0}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{4C53EEAA-E204-4b4e-B1F0-0BE9383D1B4D}.exe	{1A58AC7D-26D2-4b3e-9CEE-58553BD0B45D}.exe
File created	C:\Windows\{D45AF4B9-83E2-454b-A44A-A446072D561F}.exe	{4C53EEAA-E204-4b4e-B1F0-0BE9383D1B4D}.exe
File created	C:\Windows\{4EC22E9F-AD5D-45be-9798-BCE5F2407B7E}.exe	{D45AF4B9-83E2-454b-A44A-A446072D561F}.exe
File created	C:\Windows\{E2C74620-DAA6-4cbe-801F-419D4FB55BC1}.exe	{4EC22E9F-AD5D-45be-9798-BCE5F2407B7E}.exe
File created	C:\Windows\{DD418EB4-0B1A-4576-9D8D-F5A2E42B3729}.exe	{D425E5F0-1F56-4a4a-B4FA-BA61DF00A69D}.exe
File created	C:\Windows\{A3E1147C-C916-413c-85DD-5B70191B6D0C}.exe	2024-02-03_f9b29bec109fce193d71cf714e3282f5_goldeneye.exe
File created	C:\Windows\{1A58AC7D-26D2-4b3e-9CEE-58553BD0B45D}.exe	{A3E1147C-C916-413c-85DD-5B70191B6D0C}.exe
File created	C:\Windows\{D425E5F0-1F56-4a4a-B4FA-BA61DF00A69D}.exe	{E2C74620-DAA6-4cbe-801F-419D4FB55BC1}.exe
File created	C:\Windows\{639E79E7-7713-4445-81CD-E4E90FA7A306}.exe	{DD418EB4-0B1A-4576-9D8D-F5A2E42B3729}.exe
File created	C:\Windows\{FF9CDE55-B64F-4c9f-8FC6-6704435324E9}.exe	{639E79E7-7713-4445-81CD-E4E90FA7A306}.exe
File created	C:\Windows\{9E01AF37-21EC-4804-8978-E9B23D55FFF0}.exe	{FF9CDE55-B64F-4c9f-8FC6-6704435324E9}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2244	2024-02-03_f9b29bec109fce193d71cf714e3282f5_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2168	{A3E1147C-C916-413c-85DD-5B70191B6D0C}.exe
Token: SeIncBasePriorityPrivilege	2700	{1A58AC7D-26D2-4b3e-9CEE-58553BD0B45D}.exe
Token: SeIncBasePriorityPrivilege	2300	{4C53EEAA-E204-4b4e-B1F0-0BE9383D1B4D}.exe
Token: SeIncBasePriorityPrivilege	2840	{D45AF4B9-83E2-454b-A44A-A446072D561F}.exe
Token: SeIncBasePriorityPrivilege	1328	{4EC22E9F-AD5D-45be-9798-BCE5F2407B7E}.exe
Token: SeIncBasePriorityPrivilege	1684	{E2C74620-DAA6-4cbe-801F-419D4FB55BC1}.exe
Token: SeIncBasePriorityPrivilege	2720	{D425E5F0-1F56-4a4a-B4FA-BA61DF00A69D}.exe
Token: SeIncBasePriorityPrivilege	1596	{DD418EB4-0B1A-4576-9D8D-F5A2E42B3729}.exe
Token: SeIncBasePriorityPrivilege	2940	{639E79E7-7713-4445-81CD-E4E90FA7A306}.exe
Token: SeIncBasePriorityPrivilege	2880	{FF9CDE55-B64F-4c9f-8FC6-6704435324E9}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2244 wrote to memory of 2168	2244	2024-02-03_f9b29bec109fce193d71cf714e3282f5_goldeneye.exe	28
PID 2244 wrote to memory of 2168	2244	2024-02-03_f9b29bec109fce193d71cf714e3282f5_goldeneye.exe	28
PID 2244 wrote to memory of 2168	2244	2024-02-03_f9b29bec109fce193d71cf714e3282f5_goldeneye.exe	28
PID 2244 wrote to memory of 2168	2244	2024-02-03_f9b29bec109fce193d71cf714e3282f5_goldeneye.exe	28
PID 2244 wrote to memory of 2560	2244	2024-02-03_f9b29bec109fce193d71cf714e3282f5_goldeneye.exe	29
PID 2244 wrote to memory of 2560	2244	2024-02-03_f9b29bec109fce193d71cf714e3282f5_goldeneye.exe	29
PID 2244 wrote to memory of 2560	2244	2024-02-03_f9b29bec109fce193d71cf714e3282f5_goldeneye.exe	29
PID 2244 wrote to memory of 2560	2244	2024-02-03_f9b29bec109fce193d71cf714e3282f5_goldeneye.exe	29
PID 2168 wrote to memory of 2700	2168	{A3E1147C-C916-413c-85DD-5B70191B6D0C}.exe	30
PID 2168 wrote to memory of 2700	2168	{A3E1147C-C916-413c-85DD-5B70191B6D0C}.exe	30
PID 2168 wrote to memory of 2700	2168	{A3E1147C-C916-413c-85DD-5B70191B6D0C}.exe	30
PID 2168 wrote to memory of 2700	2168	{A3E1147C-C916-413c-85DD-5B70191B6D0C}.exe	30
PID 2168 wrote to memory of 2760	2168	{A3E1147C-C916-413c-85DD-5B70191B6D0C}.exe	31
PID 2168 wrote to memory of 2760	2168	{A3E1147C-C916-413c-85DD-5B70191B6D0C}.exe	31
PID 2168 wrote to memory of 2760	2168	{A3E1147C-C916-413c-85DD-5B70191B6D0C}.exe	31
PID 2168 wrote to memory of 2760	2168	{A3E1147C-C916-413c-85DD-5B70191B6D0C}.exe	31
PID 2700 wrote to memory of 2300	2700	{1A58AC7D-26D2-4b3e-9CEE-58553BD0B45D}.exe	33
PID 2700 wrote to memory of 2300	2700	{1A58AC7D-26D2-4b3e-9CEE-58553BD0B45D}.exe	33
PID 2700 wrote to memory of 2300	2700	{1A58AC7D-26D2-4b3e-9CEE-58553BD0B45D}.exe	33
PID 2700 wrote to memory of 2300	2700	{1A58AC7D-26D2-4b3e-9CEE-58553BD0B45D}.exe	33
PID 2700 wrote to memory of 2860	2700	{1A58AC7D-26D2-4b3e-9CEE-58553BD0B45D}.exe	32
PID 2700 wrote to memory of 2860	2700	{1A58AC7D-26D2-4b3e-9CEE-58553BD0B45D}.exe	32
PID 2700 wrote to memory of 2860	2700	{1A58AC7D-26D2-4b3e-9CEE-58553BD0B45D}.exe	32
PID 2700 wrote to memory of 2860	2700	{1A58AC7D-26D2-4b3e-9CEE-58553BD0B45D}.exe	32
PID 2300 wrote to memory of 2840	2300	{4C53EEAA-E204-4b4e-B1F0-0BE9383D1B4D}.exe	37
PID 2300 wrote to memory of 2840	2300	{4C53EEAA-E204-4b4e-B1F0-0BE9383D1B4D}.exe	37
PID 2300 wrote to memory of 2840	2300	{4C53EEAA-E204-4b4e-B1F0-0BE9383D1B4D}.exe	37
PID 2300 wrote to memory of 2840	2300	{4C53EEAA-E204-4b4e-B1F0-0BE9383D1B4D}.exe	37
PID 2300 wrote to memory of 3056	2300	{4C53EEAA-E204-4b4e-B1F0-0BE9383D1B4D}.exe	36
PID 2300 wrote to memory of 3056	2300	{4C53EEAA-E204-4b4e-B1F0-0BE9383D1B4D}.exe	36
PID 2300 wrote to memory of 3056	2300	{4C53EEAA-E204-4b4e-B1F0-0BE9383D1B4D}.exe	36
PID 2300 wrote to memory of 3056	2300	{4C53EEAA-E204-4b4e-B1F0-0BE9383D1B4D}.exe	36
PID 2840 wrote to memory of 1328	2840	{D45AF4B9-83E2-454b-A44A-A446072D561F}.exe	38
PID 2840 wrote to memory of 1328	2840	{D45AF4B9-83E2-454b-A44A-A446072D561F}.exe	38
PID 2840 wrote to memory of 1328	2840	{D45AF4B9-83E2-454b-A44A-A446072D561F}.exe	38
PID 2840 wrote to memory of 1328	2840	{D45AF4B9-83E2-454b-A44A-A446072D561F}.exe	38
PID 2840 wrote to memory of 2456	2840	{D45AF4B9-83E2-454b-A44A-A446072D561F}.exe	39
PID 2840 wrote to memory of 2456	2840	{D45AF4B9-83E2-454b-A44A-A446072D561F}.exe	39
PID 2840 wrote to memory of 2456	2840	{D45AF4B9-83E2-454b-A44A-A446072D561F}.exe	39
PID 2840 wrote to memory of 2456	2840	{D45AF4B9-83E2-454b-A44A-A446072D561F}.exe	39
PID 1328 wrote to memory of 1684	1328	{4EC22E9F-AD5D-45be-9798-BCE5F2407B7E}.exe	40
PID 1328 wrote to memory of 1684	1328	{4EC22E9F-AD5D-45be-9798-BCE5F2407B7E}.exe	40
PID 1328 wrote to memory of 1684	1328	{4EC22E9F-AD5D-45be-9798-BCE5F2407B7E}.exe	40
PID 1328 wrote to memory of 1684	1328	{4EC22E9F-AD5D-45be-9798-BCE5F2407B7E}.exe	40
PID 1328 wrote to memory of 2712	1328	{4EC22E9F-AD5D-45be-9798-BCE5F2407B7E}.exe	41
PID 1328 wrote to memory of 2712	1328	{4EC22E9F-AD5D-45be-9798-BCE5F2407B7E}.exe	41
PID 1328 wrote to memory of 2712	1328	{4EC22E9F-AD5D-45be-9798-BCE5F2407B7E}.exe	41
PID 1328 wrote to memory of 2712	1328	{4EC22E9F-AD5D-45be-9798-BCE5F2407B7E}.exe	41
PID 1684 wrote to memory of 2720	1684	{E2C74620-DAA6-4cbe-801F-419D4FB55BC1}.exe	42
PID 1684 wrote to memory of 2720	1684	{E2C74620-DAA6-4cbe-801F-419D4FB55BC1}.exe	42
PID 1684 wrote to memory of 2720	1684	{E2C74620-DAA6-4cbe-801F-419D4FB55BC1}.exe	42
PID 1684 wrote to memory of 2720	1684	{E2C74620-DAA6-4cbe-801F-419D4FB55BC1}.exe	42
PID 1684 wrote to memory of 2696	1684	{E2C74620-DAA6-4cbe-801F-419D4FB55BC1}.exe	43
PID 1684 wrote to memory of 2696	1684	{E2C74620-DAA6-4cbe-801F-419D4FB55BC1}.exe	43
PID 1684 wrote to memory of 2696	1684	{E2C74620-DAA6-4cbe-801F-419D4FB55BC1}.exe	43
PID 1684 wrote to memory of 2696	1684	{E2C74620-DAA6-4cbe-801F-419D4FB55BC1}.exe	43
PID 2720 wrote to memory of 1596	2720	{D425E5F0-1F56-4a4a-B4FA-BA61DF00A69D}.exe	44
PID 2720 wrote to memory of 1596	2720	{D425E5F0-1F56-4a4a-B4FA-BA61DF00A69D}.exe	44
PID 2720 wrote to memory of 1596	2720	{D425E5F0-1F56-4a4a-B4FA-BA61DF00A69D}.exe	44
PID 2720 wrote to memory of 1596	2720	{D425E5F0-1F56-4a4a-B4FA-BA61DF00A69D}.exe	44
PID 2720 wrote to memory of 1524	2720	{D425E5F0-1F56-4a4a-B4FA-BA61DF00A69D}.exe	45
PID 2720 wrote to memory of 1524	2720	{D425E5F0-1F56-4a4a-B4FA-BA61DF00A69D}.exe	45
PID 2720 wrote to memory of 1524	2720	{D425E5F0-1F56-4a4a-B4FA-BA61DF00A69D}.exe	45
PID 2720 wrote to memory of 1524	2720	{D425E5F0-1F56-4a4a-B4FA-BA61DF00A69D}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-02-03_f9b29bec109fce193d71cf714e3282f5_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-03_f9b29bec109fce193d71cf714e3282f5_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2244
- C:\Windows\{A3E1147C-C916-413c-85DD-5B70191B6D0C}.exe
  C:\Windows\{A3E1147C-C916-413c-85DD-5B70191B6D0C}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2168
- - C:\Windows\{1A58AC7D-26D2-4b3e-9CEE-58553BD0B45D}.exe
    C:\Windows\{1A58AC7D-26D2-4b3e-9CEE-58553BD0B45D}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2700
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{1A58A~1.EXE > nul
      4⤵
      PID:2860
  - - C:\Windows\{4C53EEAA-E204-4b4e-B1F0-0BE9383D1B4D}.exe
      C:\Windows\{4C53EEAA-E204-4b4e-B1F0-0BE9383D1B4D}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2300
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4C53E~1.EXE > nul
        5⤵
        
        PID:3056
    - - C:\Windows\{D45AF4B9-83E2-454b-A44A-A446072D561F}.exe
        
        C:\Windows\{D45AF4B9-83E2-454b-A44A-A446072D561F}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2840
      - C:\Windows\{4EC22E9F-AD5D-45be-9798-BCE5F2407B7E}.exe
        
        C:\Windows\{4EC22E9F-AD5D-45be-9798-BCE5F2407B7E}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1328
        
        C:\Windows\{E2C74620-DAA6-4cbe-801F-419D4FB55BC1}.exe
        
        C:\Windows\{E2C74620-DAA6-4cbe-801F-419D4FB55BC1}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1684
        
        C:\Windows\{D425E5F0-1F56-4a4a-B4FA-BA61DF00A69D}.exe
        
        C:\Windows\{D425E5F0-1F56-4a4a-B4FA-BA61DF00A69D}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2720
        
        C:\Windows\{DD418EB4-0B1A-4576-9D8D-F5A2E42B3729}.exe
        
        C:\Windows\{DD418EB4-0B1A-4576-9D8D-F5A2E42B3729}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1596
        
        C:\Windows\{639E79E7-7713-4445-81CD-E4E90FA7A306}.exe
        
        C:\Windows\{639E79E7-7713-4445-81CD-E4E90FA7A306}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2940
        
        C:\Windows\{FF9CDE55-B64F-4c9f-8FC6-6704435324E9}.exe
        
        C:\Windows\{FF9CDE55-B64F-4c9f-8FC6-6704435324E9}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2880
        
        C:\Windows\{9E01AF37-21EC-4804-8978-E9B23D55FFF0}.exe
        
        C:\Windows\{9E01AF37-21EC-4804-8978-E9B23D55FFF0}.exe
        12⤵
        Executes dropped EXE
        
        PID:608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FF9CD~1.EXE > nul
        12⤵
        
        PID:1232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{639E7~1.EXE > nul
        11⤵
        
        PID:612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DD418~1.EXE > nul
        10⤵
        
        PID:1844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D425E~1.EXE > nul
        9⤵
        
        PID:1524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E2C74~1.EXE > nul
        8⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4EC22~1.EXE > nul
        7⤵
        
        PID:2712
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D45AF~1.EXE > nul
        6⤵
        
        PID:2456
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{A3E11~1.EXE > nul
    3⤵
    PID:2760
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1A58AC7D-26D2-4b3e-9CEE-58553BD0B45D}.exe

Filesize
180KB

MD5
78deff1f182d1b2f943010884f615e78

SHA1
8b96bab925843afe9645c9d574eacae2ad50d81e

SHA256
5ca556f69d994bfdafa1ff56690286bd48e72c5f4129d53e9796e1d95a3c7321

SHA512
6a9ac91d3c31c5d278411fa056fc106443847da6482948eee31cea8fe648d415a74cec0de378926bd53b75b1e2d0d16b3f8de693348a660361fc1c71decac205

Download Submit
C:\Windows\{4C53EEAA-E204-4b4e-B1F0-0BE9383D1B4D}.exe

Filesize
180KB

MD5
f74c24121037942da8fdd22b3aff4145

SHA1
67e70e512a6dfeb91581f69dee7fa3e4d265caed

SHA256
3d66ac33419c75357608226ef20c38224b2bef468d3e71c0f26a775a39301f20

SHA512
bb0aa0dd69e29f617925e506ebe56876dc8fddc3d1405d41cb64a95401862e3d6e403246573d58941be72aa35ab359d81a7664f634e4c6fa2d339d04f7d8e149

Download Submit
C:\Windows\{4EC22E9F-AD5D-45be-9798-BCE5F2407B7E}.exe

Filesize
180KB

MD5
77e389fa26b24d3f32be00d6c9b9ea21

SHA1
c09aa2e79aa4607a346922562157288a4df59cd4

SHA256
f75073d4a17b83cf98802b2c0854e2d6bcd5ceee98fc95ce109becb9f153c748

SHA512
04c52b1a8fe389e9aba686db20fd8dc9dc2ef034db00fe6dbb55deff492d86a0d261b339a74e33d76d8a5169d8355f7d23d6fc59e9179a3763051a8639c7a5d8

Download Submit
C:\Windows\{639E79E7-7713-4445-81CD-E4E90FA7A306}.exe

Filesize
180KB

MD5
362018cb46a16456fac8d9f4d7a204ec

SHA1
3044d1e410cf116296430a39532b7ec48a963571

SHA256
319575524ad5ce4b57b0b4bf824ab0fce4be147beb92dcf4b0ab9a0a24c3524e

SHA512
716eaa665ce8043d1cb1baa9192ff263acc1e9aa2e65872324fe92e98842517755fe2bcb8408f217fef33b6fe16cf2c5ea292054b12300ace0bb800bdd63cb14

Download Submit
C:\Windows\{9E01AF37-21EC-4804-8978-E9B23D55FFF0}.exe

Filesize
180KB

MD5
9d22e801c1801bcaabf0075780879972

SHA1
5856c7ee96477fa911209878f22cc0bb7daff32e

SHA256
5da8ecf5bfc9a918c853293e172c60b087028fb76fea11192acb752e3b213286

SHA512
d7ed53cc3ecf71ffaff89c8cfa4d238bb92499942b2becb34a8ab7c40d7fdad1e8636b606627c5a3b4813e3e8dd1a8735e6ec081eaae699b4b67a4a896745a1e

Download Submit
C:\Windows\{A3E1147C-C916-413c-85DD-5B70191B6D0C}.exe

Filesize
180KB

MD5
75d015405176a2afa933469be55c881e

SHA1
51b3605cd15894b731a98f3276734a99ce137eb1

SHA256
b2945989e920d09832ef508235ee08920fd9bdd36bb41bb2547874f0f71d0167

SHA512
ede59ca39e54031d697922bd487c47925245ecda8e75eda10688904ab6fb9b1374f5232eb4edc878cffbe434a86b0536af7e64127e2b83df59c642d12643e76e

Download Submit
C:\Windows\{D425E5F0-1F56-4a4a-B4FA-BA61DF00A69D}.exe

Filesize
180KB

MD5
59c7bede607bce718ab30bf133f5f67d

SHA1
0b5a38d0a095371ab7cab4177cc26a84145be07c

SHA256
9a42c5b5fffb5be23d2d47806cf3281ad1c7b12700a60262b7a3c1dcdb7bbff6

SHA512
7b9ff194e18f90480082c45707f5bf44bae15a444d49067b9d478e6e6078312263501bc0e01bd9bf0569190f35ae4eea687d7b5f20f96d8c0ce4ed182e1f3e18

Download Submit
C:\Windows\{D45AF4B9-83E2-454b-A44A-A446072D561F}.exe

Filesize
180KB

MD5
832c90d85db9a987caf6ff9d58b78100

SHA1
432c59e6368bfcd7e399c97cfab08caf593c448b

SHA256
6a827f7736993989163dc86f7d7b1bdf0f64af92ce7b42c722430c75d96ecae5

SHA512
f3c09243065e6dace895cbe4218c7042e1604570fc8ff940c7845b6175afb2f36d39113547580388d6b2276a9c032ec08fd6272f3d2b294942414b24790d6797

Download Submit
C:\Windows\{DD418EB4-0B1A-4576-9D8D-F5A2E42B3729}.exe

Filesize
180KB

MD5
3c4725b4ade7966e52f730d695cd8e20

SHA1
49ecbcdaa306bbd59466352590755e840e5d2a60

SHA256
0b68a83ab64f4f93f7dfaffdf6836c6aa7aaa25750fbf939f6b9c88c763afecc

SHA512
4f0a4e216c2a4d809c304302d0969eaee69ac0a10e14b15e6040c5b11edab3c67ea2416b302b6dd985723ce79d6b56e29948137d119fc4c8a168b6cd08c25020

Download Submit
C:\Windows\{E2C74620-DAA6-4cbe-801F-419D4FB55BC1}.exe

Filesize
180KB

MD5
ac56ee7dbaa41943c9449bfe66d51e9b

SHA1
14bbc6fe71167a9cf95cddb2ddbb286b73da0129

SHA256
127b060de924b264cf60d19df94e08b4ccd8fa2ec40963cab6d5a23bee2fc924

SHA512
cbe3cd7c5f730053d90c7baee24c4339303e86429e8cf64940c1a6063456aa87a790eac501aa6202f861e849137dbf836dae8e18199e7e6ffe17684255f361f6

Download Submit
C:\Windows\{FF9CDE55-B64F-4c9f-8FC6-6704435324E9}.exe

Filesize
180KB

MD5
521e3364a2fedc6cfada62c8e90fb299

SHA1
14b6c25033db75ee338a26421c26054981d8a5d8

SHA256
f8221b55a859dec213c00cd9cbbffed976dfc188297cad2d25de0bdff073c008

SHA512
5808b88265641b0f48604b9fb46364a9c46aea897386122e22015f45e3e84d4ca93154b9dfad7f01a2a3fbe9dae6b4ccacd787ac393a9697394885da11f1c22e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads