30f9a1bdc935d52bca065d1c408834b639d2f00cbb5b65003867ef8f5609557f

Analysis

max time kernel
144s
max time network
123s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
11-02-2024 19:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-11_5361047b6d6e80ae01ddfb1ba747d45a_goldeneye.exe
Size

344KB
MD5

5361047b6d6e80ae01ddfb1ba747d45a
SHA1

fee28910eb97b73f9bcbbac709b075a005b32a48
SHA256

30f9a1bdc935d52bca065d1c408834b639d2f00cbb5b65003867ef8f5609557f
SHA512

b2cc30e0a4648b3b5c40622b813581fd36f47493d60fe9ecfbaf85da231391e92e94d9a365e9a6c206a27fb2f7471a3ce7d10f1482a9af1cc55db973bfeeb277
SSDEEP

3072:mEGh0oclEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGKlqOe2MUVg3v2IneKcAEcA

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral1/files/0x000a000000012238-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000600000000f6f8-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b000000012238-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000700000000f6f8-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000012238-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000800000000f6f8-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000012238-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000012238-48.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000900000000f6f8-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e000000012238-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a00000000f6f8-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f000000012238-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CB69DD3A-12B5-458a-921C-028A225028A4}	2024-02-11_5361047b6d6e80ae01ddfb1ba747d45a_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{91334F61-9C6E-48b2-A347-432EF22CC56D}	{B80BD75E-A866-4ca5-856F-F0C55E3C2236}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7CFCE41E-2BD6-47a8-B45F-22473E47EAE0}	{91334F61-9C6E-48b2-A347-432EF22CC56D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7053FA1D-BAA2-48f1-9FA9-9535BEC0043B}	{BAF71AB4-CB6E-4600-AC49-7AF8D5A1BA46}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7053FA1D-BAA2-48f1-9FA9-9535BEC0043B}\stubpath = "C:\\Windows\\{7053FA1D-BAA2-48f1-9FA9-9535BEC0043B}.exe"	{BAF71AB4-CB6E-4600-AC49-7AF8D5A1BA46}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{55BB4A0E-5A29-4fe1-8CE3-976A5ECB89F4}\stubpath = "C:\\Windows\\{55BB4A0E-5A29-4fe1-8CE3-976A5ECB89F4}.exe"	{CB69DD3A-12B5-458a-921C-028A225028A4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9CA174A7-512A-4fac-A875-F907D3FB8C77}\stubpath = "C:\\Windows\\{9CA174A7-512A-4fac-A875-F907D3FB8C77}.exe"	{55BB4A0E-5A29-4fe1-8CE3-976A5ECB89F4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B80BD75E-A866-4ca5-856F-F0C55E3C2236}\stubpath = "C:\\Windows\\{B80BD75E-A866-4ca5-856F-F0C55E3C2236}.exe"	{75C109A5-1CB5-4937-BD48-E67F3F2E4CD2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{91334F61-9C6E-48b2-A347-432EF22CC56D}\stubpath = "C:\\Windows\\{91334F61-9C6E-48b2-A347-432EF22CC56D}.exe"	{B80BD75E-A866-4ca5-856F-F0C55E3C2236}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4E61FC17-4C5E-4569-B5D6-DF5B8E232ED5}	{7CFCE41E-2BD6-47a8-B45F-22473E47EAE0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CB69DD3A-12B5-458a-921C-028A225028A4}\stubpath = "C:\\Windows\\{CB69DD3A-12B5-458a-921C-028A225028A4}.exe"	2024-02-11_5361047b6d6e80ae01ddfb1ba747d45a_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{55BB4A0E-5A29-4fe1-8CE3-976A5ECB89F4}	{CB69DD3A-12B5-458a-921C-028A225028A4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9CA174A7-512A-4fac-A875-F907D3FB8C77}	{55BB4A0E-5A29-4fe1-8CE3-976A5ECB89F4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{75C109A5-1CB5-4937-BD48-E67F3F2E4CD2}	{9CA174A7-512A-4fac-A875-F907D3FB8C77}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{75C109A5-1CB5-4937-BD48-E67F3F2E4CD2}\stubpath = "C:\\Windows\\{75C109A5-1CB5-4937-BD48-E67F3F2E4CD2}.exe"	{9CA174A7-512A-4fac-A875-F907D3FB8C77}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BAF71AB4-CB6E-4600-AC49-7AF8D5A1BA46}	{4E61FC17-4C5E-4569-B5D6-DF5B8E232ED5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BAF71AB4-CB6E-4600-AC49-7AF8D5A1BA46}\stubpath = "C:\\Windows\\{BAF71AB4-CB6E-4600-AC49-7AF8D5A1BA46}.exe"	{4E61FC17-4C5E-4569-B5D6-DF5B8E232ED5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{33B71633-03D7-4afb-BDFF-957B69089DCC}	{7053FA1D-BAA2-48f1-9FA9-9535BEC0043B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{33B71633-03D7-4afb-BDFF-957B69089DCC}\stubpath = "C:\\Windows\\{33B71633-03D7-4afb-BDFF-957B69089DCC}.exe"	{7053FA1D-BAA2-48f1-9FA9-9535BEC0043B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B80BD75E-A866-4ca5-856F-F0C55E3C2236}	{75C109A5-1CB5-4937-BD48-E67F3F2E4CD2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7CFCE41E-2BD6-47a8-B45F-22473E47EAE0}\stubpath = "C:\\Windows\\{7CFCE41E-2BD6-47a8-B45F-22473E47EAE0}.exe"	{91334F61-9C6E-48b2-A347-432EF22CC56D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4E61FC17-4C5E-4569-B5D6-DF5B8E232ED5}\stubpath = "C:\\Windows\\{4E61FC17-4C5E-4569-B5D6-DF5B8E232ED5}.exe"	{7CFCE41E-2BD6-47a8-B45F-22473E47EAE0}.exe

Deletes itself 1 IoCs

pid	Process
2652	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2840	{CB69DD3A-12B5-458a-921C-028A225028A4}.exe
1704	{55BB4A0E-5A29-4fe1-8CE3-976A5ECB89F4}.exe
2568	{9CA174A7-512A-4fac-A875-F907D3FB8C77}.exe
548	{75C109A5-1CB5-4937-BD48-E67F3F2E4CD2}.exe
1612	{B80BD75E-A866-4ca5-856F-F0C55E3C2236}.exe
2444	{91334F61-9C6E-48b2-A347-432EF22CC56D}.exe
800	{7CFCE41E-2BD6-47a8-B45F-22473E47EAE0}.exe
2856	{4E61FC17-4C5E-4569-B5D6-DF5B8E232ED5}.exe
856	{BAF71AB4-CB6E-4600-AC49-7AF8D5A1BA46}.exe
2192	{7053FA1D-BAA2-48f1-9FA9-9535BEC0043B}.exe
576	{33B71633-03D7-4afb-BDFF-957B69089DCC}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{55BB4A0E-5A29-4fe1-8CE3-976A5ECB89F4}.exe	{CB69DD3A-12B5-458a-921C-028A225028A4}.exe
File created	C:\Windows\{9CA174A7-512A-4fac-A875-F907D3FB8C77}.exe	{55BB4A0E-5A29-4fe1-8CE3-976A5ECB89F4}.exe
File created	C:\Windows\{91334F61-9C6E-48b2-A347-432EF22CC56D}.exe	{B80BD75E-A866-4ca5-856F-F0C55E3C2236}.exe
File created	C:\Windows\{7053FA1D-BAA2-48f1-9FA9-9535BEC0043B}.exe	{BAF71AB4-CB6E-4600-AC49-7AF8D5A1BA46}.exe
File created	C:\Windows\{CB69DD3A-12B5-458a-921C-028A225028A4}.exe	2024-02-11_5361047b6d6e80ae01ddfb1ba747d45a_goldeneye.exe
File created	C:\Windows\{B80BD75E-A866-4ca5-856F-F0C55E3C2236}.exe	{75C109A5-1CB5-4937-BD48-E67F3F2E4CD2}.exe
File created	C:\Windows\{7CFCE41E-2BD6-47a8-B45F-22473E47EAE0}.exe	{91334F61-9C6E-48b2-A347-432EF22CC56D}.exe
File created	C:\Windows\{4E61FC17-4C5E-4569-B5D6-DF5B8E232ED5}.exe	{7CFCE41E-2BD6-47a8-B45F-22473E47EAE0}.exe
File created	C:\Windows\{BAF71AB4-CB6E-4600-AC49-7AF8D5A1BA46}.exe	{4E61FC17-4C5E-4569-B5D6-DF5B8E232ED5}.exe
File created	C:\Windows\{33B71633-03D7-4afb-BDFF-957B69089DCC}.exe	{7053FA1D-BAA2-48f1-9FA9-9535BEC0043B}.exe
File created	C:\Windows\{75C109A5-1CB5-4937-BD48-E67F3F2E4CD2}.exe	{9CA174A7-512A-4fac-A875-F907D3FB8C77}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1720	2024-02-11_5361047b6d6e80ae01ddfb1ba747d45a_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2840	{CB69DD3A-12B5-458a-921C-028A225028A4}.exe
Token: SeIncBasePriorityPrivilege	1704	{55BB4A0E-5A29-4fe1-8CE3-976A5ECB89F4}.exe
Token: SeIncBasePriorityPrivilege	2568	{9CA174A7-512A-4fac-A875-F907D3FB8C77}.exe
Token: SeIncBasePriorityPrivilege	548	{75C109A5-1CB5-4937-BD48-E67F3F2E4CD2}.exe
Token: SeIncBasePriorityPrivilege	1612	{B80BD75E-A866-4ca5-856F-F0C55E3C2236}.exe
Token: SeIncBasePriorityPrivilege	2444	{91334F61-9C6E-48b2-A347-432EF22CC56D}.exe
Token: SeIncBasePriorityPrivilege	800	{7CFCE41E-2BD6-47a8-B45F-22473E47EAE0}.exe
Token: SeIncBasePriorityPrivilege	2856	{4E61FC17-4C5E-4569-B5D6-DF5B8E232ED5}.exe
Token: SeIncBasePriorityPrivilege	856	{BAF71AB4-CB6E-4600-AC49-7AF8D5A1BA46}.exe
Token: SeIncBasePriorityPrivilege	2192	{7053FA1D-BAA2-48f1-9FA9-9535BEC0043B}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1720 wrote to memory of 2840	1720	2024-02-11_5361047b6d6e80ae01ddfb1ba747d45a_goldeneye.exe	28
PID 1720 wrote to memory of 2840	1720	2024-02-11_5361047b6d6e80ae01ddfb1ba747d45a_goldeneye.exe	28
PID 1720 wrote to memory of 2840	1720	2024-02-11_5361047b6d6e80ae01ddfb1ba747d45a_goldeneye.exe	28
PID 1720 wrote to memory of 2840	1720	2024-02-11_5361047b6d6e80ae01ddfb1ba747d45a_goldeneye.exe	28
PID 1720 wrote to memory of 2652	1720	2024-02-11_5361047b6d6e80ae01ddfb1ba747d45a_goldeneye.exe	29
PID 1720 wrote to memory of 2652	1720	2024-02-11_5361047b6d6e80ae01ddfb1ba747d45a_goldeneye.exe	29
PID 1720 wrote to memory of 2652	1720	2024-02-11_5361047b6d6e80ae01ddfb1ba747d45a_goldeneye.exe	29
PID 1720 wrote to memory of 2652	1720	2024-02-11_5361047b6d6e80ae01ddfb1ba747d45a_goldeneye.exe	29
PID 2840 wrote to memory of 1704	2840	{CB69DD3A-12B5-458a-921C-028A225028A4}.exe	33
PID 2840 wrote to memory of 1704	2840	{CB69DD3A-12B5-458a-921C-028A225028A4}.exe	33
PID 2840 wrote to memory of 1704	2840	{CB69DD3A-12B5-458a-921C-028A225028A4}.exe	33
PID 2840 wrote to memory of 1704	2840	{CB69DD3A-12B5-458a-921C-028A225028A4}.exe	33
PID 2840 wrote to memory of 2580	2840	{CB69DD3A-12B5-458a-921C-028A225028A4}.exe	32
PID 2840 wrote to memory of 2580	2840	{CB69DD3A-12B5-458a-921C-028A225028A4}.exe	32
PID 2840 wrote to memory of 2580	2840	{CB69DD3A-12B5-458a-921C-028A225028A4}.exe	32
PID 2840 wrote to memory of 2580	2840	{CB69DD3A-12B5-458a-921C-028A225028A4}.exe	32
PID 1704 wrote to memory of 2568	1704	{55BB4A0E-5A29-4fe1-8CE3-976A5ECB89F4}.exe	35
PID 1704 wrote to memory of 2568	1704	{55BB4A0E-5A29-4fe1-8CE3-976A5ECB89F4}.exe	35
PID 1704 wrote to memory of 2568	1704	{55BB4A0E-5A29-4fe1-8CE3-976A5ECB89F4}.exe	35
PID 1704 wrote to memory of 2568	1704	{55BB4A0E-5A29-4fe1-8CE3-976A5ECB89F4}.exe	35
PID 1704 wrote to memory of 2624	1704	{55BB4A0E-5A29-4fe1-8CE3-976A5ECB89F4}.exe	34
PID 1704 wrote to memory of 2624	1704	{55BB4A0E-5A29-4fe1-8CE3-976A5ECB89F4}.exe	34
PID 1704 wrote to memory of 2624	1704	{55BB4A0E-5A29-4fe1-8CE3-976A5ECB89F4}.exe	34
PID 1704 wrote to memory of 2624	1704	{55BB4A0E-5A29-4fe1-8CE3-976A5ECB89F4}.exe	34
PID 2568 wrote to memory of 548	2568	{9CA174A7-512A-4fac-A875-F907D3FB8C77}.exe	37
PID 2568 wrote to memory of 548	2568	{9CA174A7-512A-4fac-A875-F907D3FB8C77}.exe	37
PID 2568 wrote to memory of 548	2568	{9CA174A7-512A-4fac-A875-F907D3FB8C77}.exe	37
PID 2568 wrote to memory of 548	2568	{9CA174A7-512A-4fac-A875-F907D3FB8C77}.exe	37
PID 2568 wrote to memory of 1440	2568	{9CA174A7-512A-4fac-A875-F907D3FB8C77}.exe	36
PID 2568 wrote to memory of 1440	2568	{9CA174A7-512A-4fac-A875-F907D3FB8C77}.exe	36
PID 2568 wrote to memory of 1440	2568	{9CA174A7-512A-4fac-A875-F907D3FB8C77}.exe	36
PID 2568 wrote to memory of 1440	2568	{9CA174A7-512A-4fac-A875-F907D3FB8C77}.exe	36
PID 548 wrote to memory of 1612	548	{75C109A5-1CB5-4937-BD48-E67F3F2E4CD2}.exe	38
PID 548 wrote to memory of 1612	548	{75C109A5-1CB5-4937-BD48-E67F3F2E4CD2}.exe	38
PID 548 wrote to memory of 1612	548	{75C109A5-1CB5-4937-BD48-E67F3F2E4CD2}.exe	38
PID 548 wrote to memory of 1612	548	{75C109A5-1CB5-4937-BD48-E67F3F2E4CD2}.exe	38
PID 548 wrote to memory of 2940	548	{75C109A5-1CB5-4937-BD48-E67F3F2E4CD2}.exe	39
PID 548 wrote to memory of 2940	548	{75C109A5-1CB5-4937-BD48-E67F3F2E4CD2}.exe	39
PID 548 wrote to memory of 2940	548	{75C109A5-1CB5-4937-BD48-E67F3F2E4CD2}.exe	39
PID 548 wrote to memory of 2940	548	{75C109A5-1CB5-4937-BD48-E67F3F2E4CD2}.exe	39
PID 1612 wrote to memory of 2444	1612	{B80BD75E-A866-4ca5-856F-F0C55E3C2236}.exe	40
PID 1612 wrote to memory of 2444	1612	{B80BD75E-A866-4ca5-856F-F0C55E3C2236}.exe	40
PID 1612 wrote to memory of 2444	1612	{B80BD75E-A866-4ca5-856F-F0C55E3C2236}.exe	40
PID 1612 wrote to memory of 2444	1612	{B80BD75E-A866-4ca5-856F-F0C55E3C2236}.exe	40
PID 1612 wrote to memory of 808	1612	{B80BD75E-A866-4ca5-856F-F0C55E3C2236}.exe	41
PID 1612 wrote to memory of 808	1612	{B80BD75E-A866-4ca5-856F-F0C55E3C2236}.exe	41
PID 1612 wrote to memory of 808	1612	{B80BD75E-A866-4ca5-856F-F0C55E3C2236}.exe	41
PID 1612 wrote to memory of 808	1612	{B80BD75E-A866-4ca5-856F-F0C55E3C2236}.exe	41
PID 2444 wrote to memory of 800	2444	{91334F61-9C6E-48b2-A347-432EF22CC56D}.exe	43
PID 2444 wrote to memory of 800	2444	{91334F61-9C6E-48b2-A347-432EF22CC56D}.exe	43
PID 2444 wrote to memory of 800	2444	{91334F61-9C6E-48b2-A347-432EF22CC56D}.exe	43
PID 2444 wrote to memory of 800	2444	{91334F61-9C6E-48b2-A347-432EF22CC56D}.exe	43
PID 2444 wrote to memory of 1564	2444	{91334F61-9C6E-48b2-A347-432EF22CC56D}.exe	42
PID 2444 wrote to memory of 1564	2444	{91334F61-9C6E-48b2-A347-432EF22CC56D}.exe	42
PID 2444 wrote to memory of 1564	2444	{91334F61-9C6E-48b2-A347-432EF22CC56D}.exe	42
PID 2444 wrote to memory of 1564	2444	{91334F61-9C6E-48b2-A347-432EF22CC56D}.exe	42
PID 800 wrote to memory of 2856	800	{7CFCE41E-2BD6-47a8-B45F-22473E47EAE0}.exe	45
PID 800 wrote to memory of 2856	800	{7CFCE41E-2BD6-47a8-B45F-22473E47EAE0}.exe	45
PID 800 wrote to memory of 2856	800	{7CFCE41E-2BD6-47a8-B45F-22473E47EAE0}.exe	45
PID 800 wrote to memory of 2856	800	{7CFCE41E-2BD6-47a8-B45F-22473E47EAE0}.exe	45
PID 800 wrote to memory of 2884	800	{7CFCE41E-2BD6-47a8-B45F-22473E47EAE0}.exe	44
PID 800 wrote to memory of 2884	800	{7CFCE41E-2BD6-47a8-B45F-22473E47EAE0}.exe	44
PID 800 wrote to memory of 2884	800	{7CFCE41E-2BD6-47a8-B45F-22473E47EAE0}.exe	44
PID 800 wrote to memory of 2884	800	{7CFCE41E-2BD6-47a8-B45F-22473E47EAE0}.exe	44

C:\Users\Admin\AppData\Local\Temp\2024-02-11_5361047b6d6e80ae01ddfb1ba747d45a_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-11_5361047b6d6e80ae01ddfb1ba747d45a_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1720
- C:\Windows\{CB69DD3A-12B5-458a-921C-028A225028A4}.exe
  C:\Windows\{CB69DD3A-12B5-458a-921C-028A225028A4}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2840
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{CB69D~1.EXE > nul
    3⤵
    PID:2580
- - C:\Windows\{55BB4A0E-5A29-4fe1-8CE3-976A5ECB89F4}.exe
    C:\Windows\{55BB4A0E-5A29-4fe1-8CE3-976A5ECB89F4}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1704
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{55BB4~1.EXE > nul
      4⤵
      PID:2624
  - - C:\Windows\{9CA174A7-512A-4fac-A875-F907D3FB8C77}.exe
      C:\Windows\{9CA174A7-512A-4fac-A875-F907D3FB8C77}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2568
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9CA17~1.EXE > nul
        5⤵
        
        PID:1440
    - - C:\Windows\{75C109A5-1CB5-4937-BD48-E67F3F2E4CD2}.exe
        
        C:\Windows\{75C109A5-1CB5-4937-BD48-E67F3F2E4CD2}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:548
      - C:\Windows\{B80BD75E-A866-4ca5-856F-F0C55E3C2236}.exe
        
        C:\Windows\{B80BD75E-A866-4ca5-856F-F0C55E3C2236}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1612
        
        C:\Windows\{91334F61-9C6E-48b2-A347-432EF22CC56D}.exe
        
        C:\Windows\{91334F61-9C6E-48b2-A347-432EF22CC56D}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{91334~1.EXE > nul
        8⤵
        
        PID:1564
        
        C:\Windows\{7CFCE41E-2BD6-47a8-B45F-22473E47EAE0}.exe
        
        C:\Windows\{7CFCE41E-2BD6-47a8-B45F-22473E47EAE0}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7CFCE~1.EXE > nul
        9⤵
        
        PID:2884
        
        C:\Windows\{4E61FC17-4C5E-4569-B5D6-DF5B8E232ED5}.exe
        
        C:\Windows\{4E61FC17-4C5E-4569-B5D6-DF5B8E232ED5}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2856
        
        C:\Windows\{BAF71AB4-CB6E-4600-AC49-7AF8D5A1BA46}.exe
        
        C:\Windows\{BAF71AB4-CB6E-4600-AC49-7AF8D5A1BA46}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BAF71~1.EXE > nul
        11⤵
        
        PID:580
        
        C:\Windows\{7053FA1D-BAA2-48f1-9FA9-9535BEC0043B}.exe
        
        C:\Windows\{7053FA1D-BAA2-48f1-9FA9-9535BEC0043B}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7053F~1.EXE > nul
        12⤵
        
        PID:976
        
        C:\Windows\{33B71633-03D7-4afb-BDFF-957B69089DCC}.exe
        
        C:\Windows\{33B71633-03D7-4afb-BDFF-957B69089DCC}.exe
        12⤵
        Executes dropped EXE
        
        PID:576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4E61F~1.EXE > nul
        10⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B80BD~1.EXE > nul
        7⤵
        
        PID:808
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{75C10~1.EXE > nul
        6⤵
        
        PID:2940
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{33B71633-03D7-4afb-BDFF-957B69089DCC}.exe

Filesize
344KB

MD5
23f01c4919f2b1ab4ed72e90e6bdcc1d

SHA1
8df92ee82920426e77858e28ffbc697a6dc75795

SHA256
acd9a87ec9f2980ebf55d954a2bbf0f600dfe50ee81fdab24a63372fef940ef9

SHA512
67c7a102c69662ff875a065cbad35cd36390ed2e31f0e7e12a8ee839dbe2eff4e07816d6909eb0ee5d3290eda3d6fec408dbe6212addbe7f8401ae519092b668

Download Submit
C:\Windows\{4E61FC17-4C5E-4569-B5D6-DF5B8E232ED5}.exe

Filesize
344KB

MD5
a6ecfe95555361959c33740403ad3154

SHA1
a53988195ca78931cb2bec95ebc4dd5d4117b0f6

SHA256
2e5edb6b2ab8a31c5f35ef0026eef3526a922f014c50476acdbd9e535a2d9cda

SHA512
96a92ba2e17bd72e2fcc8eadb047de3430c3e8d6a68643d52ba4edced76d3489c0682235c97c55fcafb245f2f3a2a18665d7aa9a7084897749fdf34fbf13a723

Download Submit
C:\Windows\{55BB4A0E-5A29-4fe1-8CE3-976A5ECB89F4}.exe

Filesize
344KB

MD5
02b29d75fc45d88fe31807154888130b

SHA1
0daa17149d88c8b629ecb387fc994a1101abfe47

SHA256
18ce1e606752728690cd5c58a03c68ae05a817454bd219d4ff0984819cb0832b

SHA512
d75833560cff020d45bc7d28cfa5edaa76b0c7e5656f820f52fdcf92bc2949cd1a4ce16d3c3f90fd489ade5e55e34d9f131f094cf272e50ba1255191fc6fc68d

Download Submit
C:\Windows\{7053FA1D-BAA2-48f1-9FA9-9535BEC0043B}.exe

Filesize
344KB

MD5
22923c3c75e6ae5d481fa616225de74d

SHA1
09be08d4abdb6619f4d7c224806678ba97e69d35

SHA256
226ea91af1973b023d85033581ce7e2d01eb4797449638eb7089a69749cd37cc

SHA512
e5d79305ae94e7f529f933065111a00eb9a64b47d732adf78790af9403c0d6b718275e4015a7d5c174ae1752b33c8f32a3546ca46cbf4b3e39fc08736e947804

Download Submit
C:\Windows\{75C109A5-1CB5-4937-BD48-E67F3F2E4CD2}.exe

Filesize
344KB

MD5
e533833be8b615398b1a308c8047c88b

SHA1
b1844e11a80495a98ea80ac86f4ff6321876a541

SHA256
bcc58cb56d7b19fb71dfe966036e0428bd7a3f5eb0b49e72f882fadb765b90c4

SHA512
0beb15d704f4cbf1043d7103234a7e233b6de7fc0c0422acc758c08452f0340891d98eb4b1503ae1b048e4549ab382f72e8e4381a77ec1bfac2edf3dbc10433d

Download Submit
C:\Windows\{7CFCE41E-2BD6-47a8-B45F-22473E47EAE0}.exe

Filesize
344KB

MD5
4a42b3eedc677889f114c670286e736c

SHA1
018d10f82f6ec2f4ec0af5636267f2d3c23d93a6

SHA256
a1678fa7b6764bcbadf2e780daade82e890fc40ab3a791159aba45e020a68e99

SHA512
710b5f33919dde0317470a3c8708b52e590be4e4d2af04dda89c720a9d447c2b1581675d529d5c998ae8444ac1e15dc3071a3f14011ace1007da87327424149a

Download Submit
C:\Windows\{7CFCE41E-2BD6-47a8-B45F-22473E47EAE0}.exe

Filesize
166KB

MD5
18438440d8fc720acdb97c9ccbd23e1d

SHA1
f32ff548e0ee7c6795981c96b1d019b8aa9d6cf8

SHA256
04d75e631119d943da67490648a19b57f02e6adc2a60c3e36e7a44db44e56123

SHA512
156538498f284bd206351329ac4f47a95a1a5b61523babd00ee97cc00dc4a9d8511d3195d0c74b6373834c339273b8e4aef844976a73e2ff334c74d918b53563

Download Submit
C:\Windows\{91334F61-9C6E-48b2-A347-432EF22CC56D}.exe

Filesize
344KB

MD5
2703b1477b1bbe75aad9b522ff2804ae

SHA1
f419bd5a9acf6b053c0e58f6fbd73fd08d5047fc

SHA256
46d1e6048c51c7dd8a283008fc8cdbcf33c9949c927c2ffd31a17c5640ed7114

SHA512
da4cb8aa3cdecd12a33b5e8baa8cacf6bee968815536a022f376defc4ea4d18681830d08e2fd8b63794bfdd45d4d8704e6c23ca389250a173b10d8c6fa87130f

Download Submit
C:\Windows\{9CA174A7-512A-4fac-A875-F907D3FB8C77}.exe

Filesize
344KB

MD5
0bdacd0be23839474edaa7c15f37305e

SHA1
62b125c320b771b1b9e1d22fba93220bc00ba693

SHA256
ed8067633e0b524838c9f74a6fc23e8f09b0ed09dff4b793b50326b2043753c3

SHA512
94fbfc7784ef9d6d617901c65d3dab0e1a5b14993675cd206a67fbeb373064a1c8e0353ad5505938aa8643938eba88269378802ef390a353b1561f220a2c8ac6

Download Submit
C:\Windows\{B80BD75E-A866-4ca5-856F-F0C55E3C2236}.exe

Filesize
344KB

MD5
bd7582d6e90cb8544f3b9b275f804910

SHA1
3ecd7cd1cdbeab1234b7b7c698cd9014dbb30532

SHA256
df96d998cba9d43ce2a7ee19fe3cb9fe47711e2e5172c058e55a6e2c5e1090f0

SHA512
215aa6204d32a66a2f2fa47b83fe01a6763f0879e45bb805a077156c6070bdc51ece2c82303fa2750c4dcb7338e70fecf8496cc3f1c75d2c4ae70fe9c6639482

Download Submit
C:\Windows\{BAF71AB4-CB6E-4600-AC49-7AF8D5A1BA46}.exe

Filesize
344KB

MD5
7f31481859ca453c520549c512c9a453

SHA1
d33c3b52605a0c679da84d4b96103f50b81dd1af

SHA256
9a5a719392d148b002c6be969c0d57a25f62c15fdfaca61aac30a3a377f21780

SHA512
7b9477ec469ff5c69d9f47049879c80fc411a4019b18a3242d275167d7faffc84a4415c031fa820697274062b24e4c628a967aec61b9907614f199419dd886a2

Download Submit
C:\Windows\{CB69DD3A-12B5-458a-921C-028A225028A4}.exe

Filesize
344KB

MD5
5d9de00b8a741ce565b6b4d027fad6f8

SHA1
6dcaab1c1fed17fb10b029567387221a91171716

SHA256
84031258784f43d42af3c73175a78433f447f9cc3100746b3e00d2d8d1511997

SHA512
171d4e8b5009e8a8858d43284a21e369d968be3e9e440e0969807f8e6978f946f4014d5c3fed58801ad978a489d5ddd658e0b4478992de1b8978778a26e2ac3e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads