c1c3f1d7514fc7c3672cf69722f0149c7d3c158c0fef08953a9e8532bc936513

Analysis

max time kernel
144s
max time network
128s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
04/02/2024, 09:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-04_8faa601e21bb9150bf3f8785c63c097a_goldeneye.exe
Size

180KB
MD5

8faa601e21bb9150bf3f8785c63c097a
SHA1

8dbcd917b52afbea919c401116ff3b330a4d713c
SHA256

c1c3f1d7514fc7c3672cf69722f0149c7d3c158c0fef08953a9e8532bc936513
SHA512

0ba6188a6dc198599ca27245a2ef17e4f1652844995e66cb7911204380ae27f190eece909e20ee8ef45b732fffa4fd7d1bf16dffef80720d78043aa0905f0705
SSDEEP

3072:jEGh0ohlfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGzl5eKcAEc

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000a00000001224a-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001800000001490f-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000600000000f6f8-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b00000001224a-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000700000000f6f8-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c00000001224a-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000800000000f6f8-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d00000001224a-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000900000000f6f8-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e00000001224a-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a00000000f6f8-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{99E428FD-3BA9-4c81-9B73-A1C3C1CBB03D}	{B6B253ED-BF0A-453c-9FCE-5778203A2679}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{57DC2BBB-03D6-4b06-B19D-A9A7D590CAB6}\stubpath = "C:\\Windows\\{57DC2BBB-03D6-4b06-B19D-A9A7D590CAB6}.exe"	2024-02-04_8faa601e21bb9150bf3f8785c63c097a_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FA4157AB-35F2-4c15-B585-861BA2F8D85C}	{6518416B-B5F6-4b33-B1AE-C8497300B9AC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E1F3D452-5499-45d8-BE63-7F000F5C8965}	{FA4157AB-35F2-4c15-B585-861BA2F8D85C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7EE2C99A-7137-4430-8000-9A414785A1E8}\stubpath = "C:\\Windows\\{7EE2C99A-7137-4430-8000-9A414785A1E8}.exe"	{BD857243-8B20-400a-9C27-4259AD4272EA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DD4CEE3A-D1C8-4e77-84B3-D6988A7B2FC0}	{7EE2C99A-7137-4430-8000-9A414785A1E8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B6B253ED-BF0A-453c-9FCE-5778203A2679}\stubpath = "C:\\Windows\\{B6B253ED-BF0A-453c-9FCE-5778203A2679}.exe"	{B1E3BA3F-A9E5-46b7-B2BF-EDBBF265403E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FA4157AB-35F2-4c15-B585-861BA2F8D85C}\stubpath = "C:\\Windows\\{FA4157AB-35F2-4c15-B585-861BA2F8D85C}.exe"	{6518416B-B5F6-4b33-B1AE-C8497300B9AC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BD857243-8B20-400a-9C27-4259AD4272EA}\stubpath = "C:\\Windows\\{BD857243-8B20-400a-9C27-4259AD4272EA}.exe"	{E1F3D452-5499-45d8-BE63-7F000F5C8965}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7EE2C99A-7137-4430-8000-9A414785A1E8}	{BD857243-8B20-400a-9C27-4259AD4272EA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B1E3BA3F-A9E5-46b7-B2BF-EDBBF265403E}	{DD4CEE3A-D1C8-4e77-84B3-D6988A7B2FC0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{77A9BDEE-BA45-4170-B1A0-0E2FE878A13A}	{57DC2BBB-03D6-4b06-B19D-A9A7D590CAB6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{77A9BDEE-BA45-4170-B1A0-0E2FE878A13A}\stubpath = "C:\\Windows\\{77A9BDEE-BA45-4170-B1A0-0E2FE878A13A}.exe"	{57DC2BBB-03D6-4b06-B19D-A9A7D590CAB6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6518416B-B5F6-4b33-B1AE-C8497300B9AC}\stubpath = "C:\\Windows\\{6518416B-B5F6-4b33-B1AE-C8497300B9AC}.exe"	{77A9BDEE-BA45-4170-B1A0-0E2FE878A13A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BD857243-8B20-400a-9C27-4259AD4272EA}	{E1F3D452-5499-45d8-BE63-7F000F5C8965}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DD4CEE3A-D1C8-4e77-84B3-D6988A7B2FC0}\stubpath = "C:\\Windows\\{DD4CEE3A-D1C8-4e77-84B3-D6988A7B2FC0}.exe"	{7EE2C99A-7137-4430-8000-9A414785A1E8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B1E3BA3F-A9E5-46b7-B2BF-EDBBF265403E}\stubpath = "C:\\Windows\\{B1E3BA3F-A9E5-46b7-B2BF-EDBBF265403E}.exe"	{DD4CEE3A-D1C8-4e77-84B3-D6988A7B2FC0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{57DC2BBB-03D6-4b06-B19D-A9A7D590CAB6}	2024-02-04_8faa601e21bb9150bf3f8785c63c097a_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6518416B-B5F6-4b33-B1AE-C8497300B9AC}	{77A9BDEE-BA45-4170-B1A0-0E2FE878A13A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E1F3D452-5499-45d8-BE63-7F000F5C8965}\stubpath = "C:\\Windows\\{E1F3D452-5499-45d8-BE63-7F000F5C8965}.exe"	{FA4157AB-35F2-4c15-B585-861BA2F8D85C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B6B253ED-BF0A-453c-9FCE-5778203A2679}	{B1E3BA3F-A9E5-46b7-B2BF-EDBBF265403E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{99E428FD-3BA9-4c81-9B73-A1C3C1CBB03D}\stubpath = "C:\\Windows\\{99E428FD-3BA9-4c81-9B73-A1C3C1CBB03D}.exe"	{B6B253ED-BF0A-453c-9FCE-5778203A2679}.exe

Deletes itself 1 IoCs

pid	Process
2004	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
1680	{57DC2BBB-03D6-4b06-B19D-A9A7D590CAB6}.exe
2776	{77A9BDEE-BA45-4170-B1A0-0E2FE878A13A}.exe
2328	{6518416B-B5F6-4b33-B1AE-C8497300B9AC}.exe
2448	{FA4157AB-35F2-4c15-B585-861BA2F8D85C}.exe
2948	{E1F3D452-5499-45d8-BE63-7F000F5C8965}.exe
1868	{BD857243-8B20-400a-9C27-4259AD4272EA}.exe
640	{7EE2C99A-7137-4430-8000-9A414785A1E8}.exe
1972	{DD4CEE3A-D1C8-4e77-84B3-D6988A7B2FC0}.exe
1976	{B1E3BA3F-A9E5-46b7-B2BF-EDBBF265403E}.exe
2824	{B6B253ED-BF0A-453c-9FCE-5778203A2679}.exe
2392	{99E428FD-3BA9-4c81-9B73-A1C3C1CBB03D}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{B1E3BA3F-A9E5-46b7-B2BF-EDBBF265403E}.exe	{DD4CEE3A-D1C8-4e77-84B3-D6988A7B2FC0}.exe
File created	C:\Windows\{7EE2C99A-7137-4430-8000-9A414785A1E8}.exe	{BD857243-8B20-400a-9C27-4259AD4272EA}.exe
File created	C:\Windows\{DD4CEE3A-D1C8-4e77-84B3-D6988A7B2FC0}.exe	{7EE2C99A-7137-4430-8000-9A414785A1E8}.exe
File created	C:\Windows\{6518416B-B5F6-4b33-B1AE-C8497300B9AC}.exe	{77A9BDEE-BA45-4170-B1A0-0E2FE878A13A}.exe
File created	C:\Windows\{FA4157AB-35F2-4c15-B585-861BA2F8D85C}.exe	{6518416B-B5F6-4b33-B1AE-C8497300B9AC}.exe
File created	C:\Windows\{E1F3D452-5499-45d8-BE63-7F000F5C8965}.exe	{FA4157AB-35F2-4c15-B585-861BA2F8D85C}.exe
File created	C:\Windows\{BD857243-8B20-400a-9C27-4259AD4272EA}.exe	{E1F3D452-5499-45d8-BE63-7F000F5C8965}.exe
File created	C:\Windows\{B6B253ED-BF0A-453c-9FCE-5778203A2679}.exe	{B1E3BA3F-A9E5-46b7-B2BF-EDBBF265403E}.exe
File created	C:\Windows\{99E428FD-3BA9-4c81-9B73-A1C3C1CBB03D}.exe	{B6B253ED-BF0A-453c-9FCE-5778203A2679}.exe
File created	C:\Windows\{57DC2BBB-03D6-4b06-B19D-A9A7D590CAB6}.exe	2024-02-04_8faa601e21bb9150bf3f8785c63c097a_goldeneye.exe
File created	C:\Windows\{77A9BDEE-BA45-4170-B1A0-0E2FE878A13A}.exe	{57DC2BBB-03D6-4b06-B19D-A9A7D590CAB6}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2052	2024-02-04_8faa601e21bb9150bf3f8785c63c097a_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1680	{57DC2BBB-03D6-4b06-B19D-A9A7D590CAB6}.exe
Token: SeIncBasePriorityPrivilege	2776	{77A9BDEE-BA45-4170-B1A0-0E2FE878A13A}.exe
Token: SeIncBasePriorityPrivilege	2328	{6518416B-B5F6-4b33-B1AE-C8497300B9AC}.exe
Token: SeIncBasePriorityPrivilege	2448	{FA4157AB-35F2-4c15-B585-861BA2F8D85C}.exe
Token: SeIncBasePriorityPrivilege	2948	{E1F3D452-5499-45d8-BE63-7F000F5C8965}.exe
Token: SeIncBasePriorityPrivilege	1868	{BD857243-8B20-400a-9C27-4259AD4272EA}.exe
Token: SeIncBasePriorityPrivilege	640	{7EE2C99A-7137-4430-8000-9A414785A1E8}.exe
Token: SeIncBasePriorityPrivilege	1972	{DD4CEE3A-D1C8-4e77-84B3-D6988A7B2FC0}.exe
Token: SeIncBasePriorityPrivilege	1976	{B1E3BA3F-A9E5-46b7-B2BF-EDBBF265403E}.exe
Token: SeIncBasePriorityPrivilege	2824	{B6B253ED-BF0A-453c-9FCE-5778203A2679}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2052 wrote to memory of 1680	2052	2024-02-04_8faa601e21bb9150bf3f8785c63c097a_goldeneye.exe	28
PID 2052 wrote to memory of 1680	2052	2024-02-04_8faa601e21bb9150bf3f8785c63c097a_goldeneye.exe	28
PID 2052 wrote to memory of 1680	2052	2024-02-04_8faa601e21bb9150bf3f8785c63c097a_goldeneye.exe	28
PID 2052 wrote to memory of 1680	2052	2024-02-04_8faa601e21bb9150bf3f8785c63c097a_goldeneye.exe	28
PID 2052 wrote to memory of 2004	2052	2024-02-04_8faa601e21bb9150bf3f8785c63c097a_goldeneye.exe	29
PID 2052 wrote to memory of 2004	2052	2024-02-04_8faa601e21bb9150bf3f8785c63c097a_goldeneye.exe	29
PID 2052 wrote to memory of 2004	2052	2024-02-04_8faa601e21bb9150bf3f8785c63c097a_goldeneye.exe	29
PID 2052 wrote to memory of 2004	2052	2024-02-04_8faa601e21bb9150bf3f8785c63c097a_goldeneye.exe	29
PID 1680 wrote to memory of 2776	1680	{57DC2BBB-03D6-4b06-B19D-A9A7D590CAB6}.exe	32
PID 1680 wrote to memory of 2776	1680	{57DC2BBB-03D6-4b06-B19D-A9A7D590CAB6}.exe	32
PID 1680 wrote to memory of 2776	1680	{57DC2BBB-03D6-4b06-B19D-A9A7D590CAB6}.exe	32
PID 1680 wrote to memory of 2776	1680	{57DC2BBB-03D6-4b06-B19D-A9A7D590CAB6}.exe	32
PID 1680 wrote to memory of 2572	1680	{57DC2BBB-03D6-4b06-B19D-A9A7D590CAB6}.exe	33
PID 1680 wrote to memory of 2572	1680	{57DC2BBB-03D6-4b06-B19D-A9A7D590CAB6}.exe	33
PID 1680 wrote to memory of 2572	1680	{57DC2BBB-03D6-4b06-B19D-A9A7D590CAB6}.exe	33
PID 1680 wrote to memory of 2572	1680	{57DC2BBB-03D6-4b06-B19D-A9A7D590CAB6}.exe	33
PID 2776 wrote to memory of 2328	2776	{77A9BDEE-BA45-4170-B1A0-0E2FE878A13A}.exe	34
PID 2776 wrote to memory of 2328	2776	{77A9BDEE-BA45-4170-B1A0-0E2FE878A13A}.exe	34
PID 2776 wrote to memory of 2328	2776	{77A9BDEE-BA45-4170-B1A0-0E2FE878A13A}.exe	34
PID 2776 wrote to memory of 2328	2776	{77A9BDEE-BA45-4170-B1A0-0E2FE878A13A}.exe	34
PID 2776 wrote to memory of 2636	2776	{77A9BDEE-BA45-4170-B1A0-0E2FE878A13A}.exe	35
PID 2776 wrote to memory of 2636	2776	{77A9BDEE-BA45-4170-B1A0-0E2FE878A13A}.exe	35
PID 2776 wrote to memory of 2636	2776	{77A9BDEE-BA45-4170-B1A0-0E2FE878A13A}.exe	35
PID 2776 wrote to memory of 2636	2776	{77A9BDEE-BA45-4170-B1A0-0E2FE878A13A}.exe	35
PID 2328 wrote to memory of 2448	2328	{6518416B-B5F6-4b33-B1AE-C8497300B9AC}.exe	36
PID 2328 wrote to memory of 2448	2328	{6518416B-B5F6-4b33-B1AE-C8497300B9AC}.exe	36
PID 2328 wrote to memory of 2448	2328	{6518416B-B5F6-4b33-B1AE-C8497300B9AC}.exe	36
PID 2328 wrote to memory of 2448	2328	{6518416B-B5F6-4b33-B1AE-C8497300B9AC}.exe	36
PID 2328 wrote to memory of 2488	2328	{6518416B-B5F6-4b33-B1AE-C8497300B9AC}.exe	37
PID 2328 wrote to memory of 2488	2328	{6518416B-B5F6-4b33-B1AE-C8497300B9AC}.exe	37
PID 2328 wrote to memory of 2488	2328	{6518416B-B5F6-4b33-B1AE-C8497300B9AC}.exe	37
PID 2328 wrote to memory of 2488	2328	{6518416B-B5F6-4b33-B1AE-C8497300B9AC}.exe	37
PID 2448 wrote to memory of 2948	2448	{FA4157AB-35F2-4c15-B585-861BA2F8D85C}.exe	38
PID 2448 wrote to memory of 2948	2448	{FA4157AB-35F2-4c15-B585-861BA2F8D85C}.exe	38
PID 2448 wrote to memory of 2948	2448	{FA4157AB-35F2-4c15-B585-861BA2F8D85C}.exe	38
PID 2448 wrote to memory of 2948	2448	{FA4157AB-35F2-4c15-B585-861BA2F8D85C}.exe	38
PID 2448 wrote to memory of 1436	2448	{FA4157AB-35F2-4c15-B585-861BA2F8D85C}.exe	39
PID 2448 wrote to memory of 1436	2448	{FA4157AB-35F2-4c15-B585-861BA2F8D85C}.exe	39
PID 2448 wrote to memory of 1436	2448	{FA4157AB-35F2-4c15-B585-861BA2F8D85C}.exe	39
PID 2448 wrote to memory of 1436	2448	{FA4157AB-35F2-4c15-B585-861BA2F8D85C}.exe	39
PID 2948 wrote to memory of 1868	2948	{E1F3D452-5499-45d8-BE63-7F000F5C8965}.exe	40
PID 2948 wrote to memory of 1868	2948	{E1F3D452-5499-45d8-BE63-7F000F5C8965}.exe	40
PID 2948 wrote to memory of 1868	2948	{E1F3D452-5499-45d8-BE63-7F000F5C8965}.exe	40
PID 2948 wrote to memory of 1868	2948	{E1F3D452-5499-45d8-BE63-7F000F5C8965}.exe	40
PID 2948 wrote to memory of 1428	2948	{E1F3D452-5499-45d8-BE63-7F000F5C8965}.exe	41
PID 2948 wrote to memory of 1428	2948	{E1F3D452-5499-45d8-BE63-7F000F5C8965}.exe	41
PID 2948 wrote to memory of 1428	2948	{E1F3D452-5499-45d8-BE63-7F000F5C8965}.exe	41
PID 2948 wrote to memory of 1428	2948	{E1F3D452-5499-45d8-BE63-7F000F5C8965}.exe	41
PID 1868 wrote to memory of 640	1868	{BD857243-8B20-400a-9C27-4259AD4272EA}.exe	42
PID 1868 wrote to memory of 640	1868	{BD857243-8B20-400a-9C27-4259AD4272EA}.exe	42
PID 1868 wrote to memory of 640	1868	{BD857243-8B20-400a-9C27-4259AD4272EA}.exe	42
PID 1868 wrote to memory of 640	1868	{BD857243-8B20-400a-9C27-4259AD4272EA}.exe	42
PID 1868 wrote to memory of 1696	1868	{BD857243-8B20-400a-9C27-4259AD4272EA}.exe	43
PID 1868 wrote to memory of 1696	1868	{BD857243-8B20-400a-9C27-4259AD4272EA}.exe	43
PID 1868 wrote to memory of 1696	1868	{BD857243-8B20-400a-9C27-4259AD4272EA}.exe	43
PID 1868 wrote to memory of 1696	1868	{BD857243-8B20-400a-9C27-4259AD4272EA}.exe	43
PID 640 wrote to memory of 1972	640	{7EE2C99A-7137-4430-8000-9A414785A1E8}.exe	44
PID 640 wrote to memory of 1972	640	{7EE2C99A-7137-4430-8000-9A414785A1E8}.exe	44
PID 640 wrote to memory of 1972	640	{7EE2C99A-7137-4430-8000-9A414785A1E8}.exe	44
PID 640 wrote to memory of 1972	640	{7EE2C99A-7137-4430-8000-9A414785A1E8}.exe	44
PID 640 wrote to memory of 2000	640	{7EE2C99A-7137-4430-8000-9A414785A1E8}.exe	45
PID 640 wrote to memory of 2000	640	{7EE2C99A-7137-4430-8000-9A414785A1E8}.exe	45
PID 640 wrote to memory of 2000	640	{7EE2C99A-7137-4430-8000-9A414785A1E8}.exe	45
PID 640 wrote to memory of 2000	640	{7EE2C99A-7137-4430-8000-9A414785A1E8}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-02-04_8faa601e21bb9150bf3f8785c63c097a_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-04_8faa601e21bb9150bf3f8785c63c097a_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2052
- C:\Windows\{57DC2BBB-03D6-4b06-B19D-A9A7D590CAB6}.exe
  C:\Windows\{57DC2BBB-03D6-4b06-B19D-A9A7D590CAB6}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1680
- - C:\Windows\{77A9BDEE-BA45-4170-B1A0-0E2FE878A13A}.exe
    C:\Windows\{77A9BDEE-BA45-4170-B1A0-0E2FE878A13A}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2776
  - - C:\Windows\{6518416B-B5F6-4b33-B1AE-C8497300B9AC}.exe
      C:\Windows\{6518416B-B5F6-4b33-B1AE-C8497300B9AC}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2328
    - - C:\Windows\{FA4157AB-35F2-4c15-B585-861BA2F8D85C}.exe
        
        C:\Windows\{FA4157AB-35F2-4c15-B585-861BA2F8D85C}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2448
      - C:\Windows\{E1F3D452-5499-45d8-BE63-7F000F5C8965}.exe
        
        C:\Windows\{E1F3D452-5499-45d8-BE63-7F000F5C8965}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2948
        
        C:\Windows\{BD857243-8B20-400a-9C27-4259AD4272EA}.exe
        
        C:\Windows\{BD857243-8B20-400a-9C27-4259AD4272EA}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1868
        
        C:\Windows\{7EE2C99A-7137-4430-8000-9A414785A1E8}.exe
        
        C:\Windows\{7EE2C99A-7137-4430-8000-9A414785A1E8}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:640
        
        C:\Windows\{DD4CEE3A-D1C8-4e77-84B3-D6988A7B2FC0}.exe
        
        C:\Windows\{DD4CEE3A-D1C8-4e77-84B3-D6988A7B2FC0}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1972
        
        C:\Windows\{B1E3BA3F-A9E5-46b7-B2BF-EDBBF265403E}.exe
        
        C:\Windows\{B1E3BA3F-A9E5-46b7-B2BF-EDBBF265403E}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1976
        
        C:\Windows\{B6B253ED-BF0A-453c-9FCE-5778203A2679}.exe
        
        C:\Windows\{B6B253ED-BF0A-453c-9FCE-5778203A2679}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2824
        
        C:\Windows\{99E428FD-3BA9-4c81-9B73-A1C3C1CBB03D}.exe
        
        C:\Windows\{99E428FD-3BA9-4c81-9B73-A1C3C1CBB03D}.exe
        12⤵
        Executes dropped EXE
        
        PID:2392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B6B25~1.EXE > nul
        12⤵
        
        PID:524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B1E3B~1.EXE > nul
        11⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DD4CE~1.EXE > nul
        10⤵
        
        PID:1440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7EE2C~1.EXE > nul
        9⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BD857~1.EXE > nul
        8⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E1F3D~1.EXE > nul
        7⤵
        
        PID:1428
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FA415~1.EXE > nul
        6⤵
        
        PID:1436
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{65184~1.EXE > nul
        5⤵
        
        PID:2488
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{77A9B~1.EXE > nul
      4⤵
      PID:2636
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{57DC2~1.EXE > nul
    3⤵
    PID:2572
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{57DC2BBB-03D6-4b06-B19D-A9A7D590CAB6}.exe

Filesize
180KB

MD5
51426ac41d2893b52955695af6229a8f

SHA1
14a70e218596bf5c8e0118aa60d2ae75e042063f

SHA256
f0cc68061693c97732dfff0d24d18c54b22e70a909b6a02225de2aea651ce3bf

SHA512
5aeb6822c1997552bd46ad085c3791bbd08e345a83750b02a8fae3e76e6df6a3a5ac02c4c492599e44253145915693c26784806700ab19541a2722fec266a2ab

Download Submit
C:\Windows\{6518416B-B5F6-4b33-B1AE-C8497300B9AC}.exe

Filesize
180KB

MD5
b899c1533b56d8d40715a69b0326bdd8

SHA1
3573fd1d2d36564ff9da1ecb18707dc952a26f40

SHA256
61bfce8cfa01c81c4be2c696b94d2eb5032c901c155342f0bdc73b58375592af

SHA512
8f28503ac23a95854e15d3424b89dda5073e93e15dfc54c582c47758bd58346268f6f7876051d56ec5fe6b46375cabfb9da4b27a15af40440dac8306dba4f9b0

Download Submit
C:\Windows\{77A9BDEE-BA45-4170-B1A0-0E2FE878A13A}.exe

Filesize
180KB

MD5
33d11ad6db082b5bd36fd8da053d27f1

SHA1
df2f21b57537eaeea8e70b59d4ac6c0c0d55981a

SHA256
f9451b831bef7cd6f701ec14a8cec0d03030e6d51554f3b175f3c9ebcacd4866

SHA512
a57a0e056f6f9761a31db12d5082af20523aa156a5b4d88b50d07e33a9b6c677732da87dab9f8bda1c4f77ca4f02961ab6092fde349f753f51d4c10f8ee92c44

Download Submit
C:\Windows\{7EE2C99A-7137-4430-8000-9A414785A1E8}.exe

Filesize
180KB

MD5
3620bb20cb337d3622c318083bcf10f9

SHA1
5f9ddd41add112fc348811a13a0a1c7a9bc8751d

SHA256
7830b38deb1bd48ddcdbd276985792d0102dd99e7730d45acc0f63498aa18598

SHA512
610099feab28aae43be3ea3d8581af156c7c7430f79001487c07f6532489c451433f36ff43f95ad15c4f026c53a53acf0a28f64d9d9b2e30c5f28d365657c0a4

Download Submit
C:\Windows\{99E428FD-3BA9-4c81-9B73-A1C3C1CBB03D}.exe

Filesize
180KB

MD5
c0e1ce237d15c3d989904b3948d739ab

SHA1
efa8762e0f7cde300b4c32e8947fbe5cdbf1c060

SHA256
7295f1427a4b1090e5736bdde4dd490a9ce43fb984a1d47bee50b2dbd592bcd2

SHA512
d75ba7d4766a3b79e150811f92d34d2fd5d724d7097c201dac7ce5945b5dedb351d036a6a48d1a9b8bc25f74dcfaefbb6c36e3f531fc7b00c259078bfac9e267

Download Submit
C:\Windows\{B1E3BA3F-A9E5-46b7-B2BF-EDBBF265403E}.exe

Filesize
180KB

MD5
2ae6949326757ed6cc84ce1dc0e10c41

SHA1
d30e523615d7d7f390e669d1a2aabf574143683b

SHA256
86e36aeb15e79bed399069722b84115419810c72d3d35bd41c6a4a61faf1de18

SHA512
ddf6702d2fde25db331bb6409cb70e1a9676a2e06db8bacc3b3f6a844c110495d79efc6d231e31636fcd48dc1bd67ac37728eb2cda1abdddfe5f7968b94e8544

Download Submit
C:\Windows\{B6B253ED-BF0A-453c-9FCE-5778203A2679}.exe

Filesize
180KB

MD5
9013d8df4d419bad683613d5f1ec1cf9

SHA1
072bdd19def0afd1405d1b8e90425343b9c7e46f

SHA256
517039b80f921a5911895d3042a58f2bd949dbc404669348c07232160406b024

SHA512
5d8890ba6790a771bc545f78773f83b8fb1a586bfa76cb5d199fadbd04933c14d0f12d4497b72975fbb30d365adbd6d73fed41901906699534cb7b97c6a6fb63

Download Submit
C:\Windows\{BD857243-8B20-400a-9C27-4259AD4272EA}.exe

Filesize
180KB

MD5
37b368e0126b3b42abc8036c3a0615d7

SHA1
9a05b507dec97184a93e23f49f7204059efd39e2

SHA256
72c72dd7390235fd036199e0b9e209e8170989e7f4b4daae65fe4c0ecb603ec3

SHA512
12a69011ce894c356a8378fcfd4455513c1ecb4390e5aaf7a63a706a9c636e8d411f7eb64391ed4918b18a3c6a29ec6c4abd06ce0240199c0abe9eada854bdf3

Download Submit
C:\Windows\{DD4CEE3A-D1C8-4e77-84B3-D6988A7B2FC0}.exe

Filesize
180KB

MD5
c2ccbd09c62f8e41a74d57feccfe12c2

SHA1
35261a2c6a329567d0ac8c8b0a8e19c7aa0045e4

SHA256
e7cd6f105b6cfaa645f7a7e710aaeb1caf2f64a58e6ec20e2e0882a9f03f142d

SHA512
abc01263fbb9325d0b74158347b8569faefcb7bd437e25c585abbf63bedacf4c75b1cbeae3080acfeb580c6f4be78584b1afc97941ddcbf3a92a369dfb526925

Download Submit
C:\Windows\{E1F3D452-5499-45d8-BE63-7F000F5C8965}.exe

Filesize
180KB

MD5
9bdd2e51912932d9ea37fa61c4103225

SHA1
dcccaa0bafbc47a061f97884da11c5ad90f089fc

SHA256
8371028d6a97a8951c912fe871e5e78d3b5e245c1cb0b5d4d191b988f20751c0

SHA512
2b297434a47ef5b5b474ba654685c204b7c1c5de8a3e6a75e9b872365de66779db456e5f920dd00668e643e7e2f8e4aed0f35a9c1edaf8ad571676824823fb12

Download Submit
C:\Windows\{FA4157AB-35F2-4c15-B585-861BA2F8D85C}.exe

Filesize
180KB

MD5
91e8a6a24d672b813d6c5f2ca2da216f

SHA1
3a57145bf0d2cb126c3a27fadc48bc90d3ac2b73

SHA256
b58be016c9bf841047c67c1bdb8935aa64ea301b0d421a05d0ff04da6802308e

SHA512
8508cf5adf15254dfee4d62d14adc5f3d1478b625e1e39a178d7f736f9f0dcbcc70661d07ece97e86e7622931292e1c55c7180a3be69b5c7aa6de317e453a684

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads