e501fb6ef4eb9db3ddc6c1f76d1f95295bba09a245caa2c00bbfb52f721ca608

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
12-02-2024 01:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-12_c6853daca97ec11728e07ca02877645d_goldeneye.exe
Size

372KB
MD5

c6853daca97ec11728e07ca02877645d
SHA1

87f632096537d47dbaf97408054100f5b4620623
SHA256

e501fb6ef4eb9db3ddc6c1f76d1f95295bba09a245caa2c00bbfb52f721ca608
SHA512

cd6051abac02a13e1394ac82eb9b86b3e33bb0913db8d7ee21bce3028b865c7c316acddcd1fb8c8843468915983398ff3b572b0ec50e91e429782ac866844bb8
SSDEEP

3072:CEGh0odlMOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBfM:CEGHlkOe2MUVg3vTeKcAEciTBqr3

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x0008000000012266-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b000000014ab3-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002e000000015596-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x003300000000b1f4-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x003400000000b1f4-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x003500000000b1f4-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x003600000000b1f4-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7F08BC9C-EAE7-490a-8638-84FF25BF25E4}\stubpath = "C:\\Windows\\{7F08BC9C-EAE7-490a-8638-84FF25BF25E4}.exe"	2024-02-12_c6853daca97ec11728e07ca02877645d_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B8464325-90D5-49c0-B1B8-83CD7B895535}	{8AE890AF-5433-4a07-9742-6EA3CC9091E9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{516C0BA3-BB45-4ff4-965E-9787AE6AFAC1}	{B8464325-90D5-49c0-B1B8-83CD7B895535}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{516C0BA3-BB45-4ff4-965E-9787AE6AFAC1}\stubpath = "C:\\Windows\\{516C0BA3-BB45-4ff4-965E-9787AE6AFAC1}.exe"	{B8464325-90D5-49c0-B1B8-83CD7B895535}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{62BF14FD-338D-42e6-8E56-9DA178B2A9E6}\stubpath = "C:\\Windows\\{62BF14FD-338D-42e6-8E56-9DA178B2A9E6}.exe"	{07F5C92D-FC62-4de5-8DD9-FC1E0001408C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{07F5C92D-FC62-4de5-8DD9-FC1E0001408C}	{3C23B61F-807A-4841-BB14-66A3E2DE4250}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4643E8B2-14F9-48db-96A9-A949356CF670}	{7F08BC9C-EAE7-490a-8638-84FF25BF25E4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4643E8B2-14F9-48db-96A9-A949356CF670}\stubpath = "C:\\Windows\\{4643E8B2-14F9-48db-96A9-A949356CF670}.exe"	{7F08BC9C-EAE7-490a-8638-84FF25BF25E4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E6081D6E-912D-4359-9BAB-B6F9AFF62131}	{B86653EF-E25A-49cd-A9D6-2EF4C980BF4C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8AE890AF-5433-4a07-9742-6EA3CC9091E9}\stubpath = "C:\\Windows\\{8AE890AF-5433-4a07-9742-6EA3CC9091E9}.exe"	{E6081D6E-912D-4359-9BAB-B6F9AFF62131}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B8464325-90D5-49c0-B1B8-83CD7B895535}\stubpath = "C:\\Windows\\{B8464325-90D5-49c0-B1B8-83CD7B895535}.exe"	{8AE890AF-5433-4a07-9742-6EA3CC9091E9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CE344A4E-D2B4-4cfd-88DA-28F713605CD0}	{516C0BA3-BB45-4ff4-965E-9787AE6AFAC1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CE344A4E-D2B4-4cfd-88DA-28F713605CD0}\stubpath = "C:\\Windows\\{CE344A4E-D2B4-4cfd-88DA-28F713605CD0}.exe"	{516C0BA3-BB45-4ff4-965E-9787AE6AFAC1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{62BF14FD-338D-42e6-8E56-9DA178B2A9E6}	{07F5C92D-FC62-4de5-8DD9-FC1E0001408C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B86653EF-E25A-49cd-A9D6-2EF4C980BF4C}	{4643E8B2-14F9-48db-96A9-A949356CF670}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3C23B61F-807A-4841-BB14-66A3E2DE4250}	{CE344A4E-D2B4-4cfd-88DA-28F713605CD0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{07F5C92D-FC62-4de5-8DD9-FC1E0001408C}\stubpath = "C:\\Windows\\{07F5C92D-FC62-4de5-8DD9-FC1E0001408C}.exe"	{3C23B61F-807A-4841-BB14-66A3E2DE4250}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F50F9FFF-6C30-4879-A3A9-030F76DDA20B}	{62BF14FD-338D-42e6-8E56-9DA178B2A9E6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7F08BC9C-EAE7-490a-8638-84FF25BF25E4}	2024-02-12_c6853daca97ec11728e07ca02877645d_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B86653EF-E25A-49cd-A9D6-2EF4C980BF4C}\stubpath = "C:\\Windows\\{B86653EF-E25A-49cd-A9D6-2EF4C980BF4C}.exe"	{4643E8B2-14F9-48db-96A9-A949356CF670}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E6081D6E-912D-4359-9BAB-B6F9AFF62131}\stubpath = "C:\\Windows\\{E6081D6E-912D-4359-9BAB-B6F9AFF62131}.exe"	{B86653EF-E25A-49cd-A9D6-2EF4C980BF4C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8AE890AF-5433-4a07-9742-6EA3CC9091E9}	{E6081D6E-912D-4359-9BAB-B6F9AFF62131}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3C23B61F-807A-4841-BB14-66A3E2DE4250}\stubpath = "C:\\Windows\\{3C23B61F-807A-4841-BB14-66A3E2DE4250}.exe"	{CE344A4E-D2B4-4cfd-88DA-28F713605CD0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F50F9FFF-6C30-4879-A3A9-030F76DDA20B}\stubpath = "C:\\Windows\\{F50F9FFF-6C30-4879-A3A9-030F76DDA20B}.exe"	{62BF14FD-338D-42e6-8E56-9DA178B2A9E6}.exe

Deletes itself 1 IoCs

pid	Process
2764	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2072	{7F08BC9C-EAE7-490a-8638-84FF25BF25E4}.exe
2576	{4643E8B2-14F9-48db-96A9-A949356CF670}.exe
2640	{B86653EF-E25A-49cd-A9D6-2EF4C980BF4C}.exe
2172	{E6081D6E-912D-4359-9BAB-B6F9AFF62131}.exe
1404	{8AE890AF-5433-4a07-9742-6EA3CC9091E9}.exe
1756	{B8464325-90D5-49c0-B1B8-83CD7B895535}.exe
2244	{516C0BA3-BB45-4ff4-965E-9787AE6AFAC1}.exe
1472	{CE344A4E-D2B4-4cfd-88DA-28F713605CD0}.exe
1524	{3C23B61F-807A-4841-BB14-66A3E2DE4250}.exe
2756	{07F5C92D-FC62-4de5-8DD9-FC1E0001408C}.exe
644	{62BF14FD-338D-42e6-8E56-9DA178B2A9E6}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{7F08BC9C-EAE7-490a-8638-84FF25BF25E4}.exe	2024-02-12_c6853daca97ec11728e07ca02877645d_goldeneye.exe
File created	C:\Windows\{4643E8B2-14F9-48db-96A9-A949356CF670}.exe	{7F08BC9C-EAE7-490a-8638-84FF25BF25E4}.exe
File created	C:\Windows\{B86653EF-E25A-49cd-A9D6-2EF4C980BF4C}.exe	{4643E8B2-14F9-48db-96A9-A949356CF670}.exe
File created	C:\Windows\{B8464325-90D5-49c0-B1B8-83CD7B895535}.exe	{8AE890AF-5433-4a07-9742-6EA3CC9091E9}.exe
File created	C:\Windows\{CE344A4E-D2B4-4cfd-88DA-28F713605CD0}.exe	{516C0BA3-BB45-4ff4-965E-9787AE6AFAC1}.exe
File created	C:\Windows\{07F5C92D-FC62-4de5-8DD9-FC1E0001408C}.exe	{3C23B61F-807A-4841-BB14-66A3E2DE4250}.exe
File created	C:\Windows\{62BF14FD-338D-42e6-8E56-9DA178B2A9E6}.exe	{07F5C92D-FC62-4de5-8DD9-FC1E0001408C}.exe
File created	C:\Windows\{E6081D6E-912D-4359-9BAB-B6F9AFF62131}.exe	{B86653EF-E25A-49cd-A9D6-2EF4C980BF4C}.exe
File created	C:\Windows\{8AE890AF-5433-4a07-9742-6EA3CC9091E9}.exe	{E6081D6E-912D-4359-9BAB-B6F9AFF62131}.exe
File created	C:\Windows\{516C0BA3-BB45-4ff4-965E-9787AE6AFAC1}.exe	{B8464325-90D5-49c0-B1B8-83CD7B895535}.exe
File created	C:\Windows\{3C23B61F-807A-4841-BB14-66A3E2DE4250}.exe	{CE344A4E-D2B4-4cfd-88DA-28F713605CD0}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1220	2024-02-12_c6853daca97ec11728e07ca02877645d_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2072	{7F08BC9C-EAE7-490a-8638-84FF25BF25E4}.exe
Token: SeIncBasePriorityPrivilege	2576	{4643E8B2-14F9-48db-96A9-A949356CF670}.exe
Token: SeIncBasePriorityPrivilege	2640	{B86653EF-E25A-49cd-A9D6-2EF4C980BF4C}.exe
Token: SeIncBasePriorityPrivilege	2172	{E6081D6E-912D-4359-9BAB-B6F9AFF62131}.exe
Token: SeIncBasePriorityPrivilege	1404	{8AE890AF-5433-4a07-9742-6EA3CC9091E9}.exe
Token: SeIncBasePriorityPrivilege	1756	{B8464325-90D5-49c0-B1B8-83CD7B895535}.exe
Token: SeIncBasePriorityPrivilege	2244	{516C0BA3-BB45-4ff4-965E-9787AE6AFAC1}.exe
Token: SeIncBasePriorityPrivilege	1472	{CE344A4E-D2B4-4cfd-88DA-28F713605CD0}.exe
Token: SeIncBasePriorityPrivilege	1524	{3C23B61F-807A-4841-BB14-66A3E2DE4250}.exe
Token: SeIncBasePriorityPrivilege	2756	{07F5C92D-FC62-4de5-8DD9-FC1E0001408C}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1220 wrote to memory of 2072	1220	2024-02-12_c6853daca97ec11728e07ca02877645d_goldeneye.exe	28
PID 1220 wrote to memory of 2072	1220	2024-02-12_c6853daca97ec11728e07ca02877645d_goldeneye.exe	28
PID 1220 wrote to memory of 2072	1220	2024-02-12_c6853daca97ec11728e07ca02877645d_goldeneye.exe	28
PID 1220 wrote to memory of 2072	1220	2024-02-12_c6853daca97ec11728e07ca02877645d_goldeneye.exe	28
PID 1220 wrote to memory of 2764	1220	2024-02-12_c6853daca97ec11728e07ca02877645d_goldeneye.exe	29
PID 1220 wrote to memory of 2764	1220	2024-02-12_c6853daca97ec11728e07ca02877645d_goldeneye.exe	29
PID 1220 wrote to memory of 2764	1220	2024-02-12_c6853daca97ec11728e07ca02877645d_goldeneye.exe	29
PID 1220 wrote to memory of 2764	1220	2024-02-12_c6853daca97ec11728e07ca02877645d_goldeneye.exe	29
PID 2072 wrote to memory of 2576	2072	{7F08BC9C-EAE7-490a-8638-84FF25BF25E4}.exe	31
PID 2072 wrote to memory of 2576	2072	{7F08BC9C-EAE7-490a-8638-84FF25BF25E4}.exe	31
PID 2072 wrote to memory of 2576	2072	{7F08BC9C-EAE7-490a-8638-84FF25BF25E4}.exe	31
PID 2072 wrote to memory of 2576	2072	{7F08BC9C-EAE7-490a-8638-84FF25BF25E4}.exe	31
PID 2072 wrote to memory of 2928	2072	{7F08BC9C-EAE7-490a-8638-84FF25BF25E4}.exe	30
PID 2072 wrote to memory of 2928	2072	{7F08BC9C-EAE7-490a-8638-84FF25BF25E4}.exe	30
PID 2072 wrote to memory of 2928	2072	{7F08BC9C-EAE7-490a-8638-84FF25BF25E4}.exe	30
PID 2072 wrote to memory of 2928	2072	{7F08BC9C-EAE7-490a-8638-84FF25BF25E4}.exe	30
PID 2576 wrote to memory of 2640	2576	{4643E8B2-14F9-48db-96A9-A949356CF670}.exe	35
PID 2576 wrote to memory of 2640	2576	{4643E8B2-14F9-48db-96A9-A949356CF670}.exe	35
PID 2576 wrote to memory of 2640	2576	{4643E8B2-14F9-48db-96A9-A949356CF670}.exe	35
PID 2576 wrote to memory of 2640	2576	{4643E8B2-14F9-48db-96A9-A949356CF670}.exe	35
PID 2576 wrote to memory of 2628	2576	{4643E8B2-14F9-48db-96A9-A949356CF670}.exe	34
PID 2576 wrote to memory of 2628	2576	{4643E8B2-14F9-48db-96A9-A949356CF670}.exe	34
PID 2576 wrote to memory of 2628	2576	{4643E8B2-14F9-48db-96A9-A949356CF670}.exe	34
PID 2576 wrote to memory of 2628	2576	{4643E8B2-14F9-48db-96A9-A949356CF670}.exe	34
PID 2640 wrote to memory of 2172	2640	{B86653EF-E25A-49cd-A9D6-2EF4C980BF4C}.exe	36
PID 2640 wrote to memory of 2172	2640	{B86653EF-E25A-49cd-A9D6-2EF4C980BF4C}.exe	36
PID 2640 wrote to memory of 2172	2640	{B86653EF-E25A-49cd-A9D6-2EF4C980BF4C}.exe	36
PID 2640 wrote to memory of 2172	2640	{B86653EF-E25A-49cd-A9D6-2EF4C980BF4C}.exe	36
PID 2640 wrote to memory of 2896	2640	{B86653EF-E25A-49cd-A9D6-2EF4C980BF4C}.exe	37
PID 2640 wrote to memory of 2896	2640	{B86653EF-E25A-49cd-A9D6-2EF4C980BF4C}.exe	37
PID 2640 wrote to memory of 2896	2640	{B86653EF-E25A-49cd-A9D6-2EF4C980BF4C}.exe	37
PID 2640 wrote to memory of 2896	2640	{B86653EF-E25A-49cd-A9D6-2EF4C980BF4C}.exe	37
PID 2172 wrote to memory of 1404	2172	{E6081D6E-912D-4359-9BAB-B6F9AFF62131}.exe	38
PID 2172 wrote to memory of 1404	2172	{E6081D6E-912D-4359-9BAB-B6F9AFF62131}.exe	38
PID 2172 wrote to memory of 1404	2172	{E6081D6E-912D-4359-9BAB-B6F9AFF62131}.exe	38
PID 2172 wrote to memory of 1404	2172	{E6081D6E-912D-4359-9BAB-B6F9AFF62131}.exe	38
PID 2172 wrote to memory of 1672	2172	{E6081D6E-912D-4359-9BAB-B6F9AFF62131}.exe	39
PID 2172 wrote to memory of 1672	2172	{E6081D6E-912D-4359-9BAB-B6F9AFF62131}.exe	39
PID 2172 wrote to memory of 1672	2172	{E6081D6E-912D-4359-9BAB-B6F9AFF62131}.exe	39
PID 2172 wrote to memory of 1672	2172	{E6081D6E-912D-4359-9BAB-B6F9AFF62131}.exe	39
PID 1404 wrote to memory of 1756	1404	{8AE890AF-5433-4a07-9742-6EA3CC9091E9}.exe	41
PID 1404 wrote to memory of 1756	1404	{8AE890AF-5433-4a07-9742-6EA3CC9091E9}.exe	41
PID 1404 wrote to memory of 1756	1404	{8AE890AF-5433-4a07-9742-6EA3CC9091E9}.exe	41
PID 1404 wrote to memory of 1756	1404	{8AE890AF-5433-4a07-9742-6EA3CC9091E9}.exe	41
PID 1404 wrote to memory of 2020	1404	{8AE890AF-5433-4a07-9742-6EA3CC9091E9}.exe	40
PID 1404 wrote to memory of 2020	1404	{8AE890AF-5433-4a07-9742-6EA3CC9091E9}.exe	40
PID 1404 wrote to memory of 2020	1404	{8AE890AF-5433-4a07-9742-6EA3CC9091E9}.exe	40
PID 1404 wrote to memory of 2020	1404	{8AE890AF-5433-4a07-9742-6EA3CC9091E9}.exe	40
PID 1756 wrote to memory of 2244	1756	{B8464325-90D5-49c0-B1B8-83CD7B895535}.exe	42
PID 1756 wrote to memory of 2244	1756	{B8464325-90D5-49c0-B1B8-83CD7B895535}.exe	42
PID 1756 wrote to memory of 2244	1756	{B8464325-90D5-49c0-B1B8-83CD7B895535}.exe	42
PID 1756 wrote to memory of 2244	1756	{B8464325-90D5-49c0-B1B8-83CD7B895535}.exe	42
PID 1756 wrote to memory of 552	1756	{B8464325-90D5-49c0-B1B8-83CD7B895535}.exe	43
PID 1756 wrote to memory of 552	1756	{B8464325-90D5-49c0-B1B8-83CD7B895535}.exe	43
PID 1756 wrote to memory of 552	1756	{B8464325-90D5-49c0-B1B8-83CD7B895535}.exe	43
PID 1756 wrote to memory of 552	1756	{B8464325-90D5-49c0-B1B8-83CD7B895535}.exe	43
PID 2244 wrote to memory of 1472	2244	{516C0BA3-BB45-4ff4-965E-9787AE6AFAC1}.exe	44
PID 2244 wrote to memory of 1472	2244	{516C0BA3-BB45-4ff4-965E-9787AE6AFAC1}.exe	44
PID 2244 wrote to memory of 1472	2244	{516C0BA3-BB45-4ff4-965E-9787AE6AFAC1}.exe	44
PID 2244 wrote to memory of 1472	2244	{516C0BA3-BB45-4ff4-965E-9787AE6AFAC1}.exe	44
PID 2244 wrote to memory of 2616	2244	{516C0BA3-BB45-4ff4-965E-9787AE6AFAC1}.exe	45
PID 2244 wrote to memory of 2616	2244	{516C0BA3-BB45-4ff4-965E-9787AE6AFAC1}.exe	45
PID 2244 wrote to memory of 2616	2244	{516C0BA3-BB45-4ff4-965E-9787AE6AFAC1}.exe	45
PID 2244 wrote to memory of 2616	2244	{516C0BA3-BB45-4ff4-965E-9787AE6AFAC1}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-02-12_c6853daca97ec11728e07ca02877645d_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-12_c6853daca97ec11728e07ca02877645d_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1220
- C:\Windows\{7F08BC9C-EAE7-490a-8638-84FF25BF25E4}.exe
  C:\Windows\{7F08BC9C-EAE7-490a-8638-84FF25BF25E4}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2072
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{7F08B~1.EXE > nul
    3⤵
    PID:2928
- - C:\Windows\{4643E8B2-14F9-48db-96A9-A949356CF670}.exe
    C:\Windows\{4643E8B2-14F9-48db-96A9-A949356CF670}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2576
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{4643E~1.EXE > nul
      4⤵
      PID:2628
  - - C:\Windows\{B86653EF-E25A-49cd-A9D6-2EF4C980BF4C}.exe
      C:\Windows\{B86653EF-E25A-49cd-A9D6-2EF4C980BF4C}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2640
    - - C:\Windows\{E6081D6E-912D-4359-9BAB-B6F9AFF62131}.exe
        
        C:\Windows\{E6081D6E-912D-4359-9BAB-B6F9AFF62131}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2172
      - C:\Windows\{8AE890AF-5433-4a07-9742-6EA3CC9091E9}.exe
        
        C:\Windows\{8AE890AF-5433-4a07-9742-6EA3CC9091E9}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8AE89~1.EXE > nul
        7⤵
        
        PID:2020
        
        C:\Windows\{B8464325-90D5-49c0-B1B8-83CD7B895535}.exe
        
        C:\Windows\{B8464325-90D5-49c0-B1B8-83CD7B895535}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1756
        
        C:\Windows\{516C0BA3-BB45-4ff4-965E-9787AE6AFAC1}.exe
        
        C:\Windows\{516C0BA3-BB45-4ff4-965E-9787AE6AFAC1}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2244
        
        C:\Windows\{CE344A4E-D2B4-4cfd-88DA-28F713605CD0}.exe
        
        C:\Windows\{CE344A4E-D2B4-4cfd-88DA-28F713605CD0}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1472
        
        C:\Windows\{3C23B61F-807A-4841-BB14-66A3E2DE4250}.exe
        
        C:\Windows\{3C23B61F-807A-4841-BB14-66A3E2DE4250}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3C23B~1.EXE > nul
        11⤵
        
        PID:2948
        
        C:\Windows\{07F5C92D-FC62-4de5-8DD9-FC1E0001408C}.exe
        
        C:\Windows\{07F5C92D-FC62-4de5-8DD9-FC1E0001408C}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{07F5C~1.EXE > nul
        12⤵
        
        PID:1952
        
        C:\Windows\{62BF14FD-338D-42e6-8E56-9DA178B2A9E6}.exe
        
        C:\Windows\{62BF14FD-338D-42e6-8E56-9DA178B2A9E6}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        
        PID:644
        
        C:\Windows\{F50F9FFF-6C30-4879-A3A9-030F76DDA20B}.exe
        
        C:\Windows\{F50F9FFF-6C30-4879-A3A9-030F76DDA20B}.exe
        13⤵
        
        PID:1288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CE344~1.EXE > nul
        10⤵
        
        PID:2480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{516C0~1.EXE > nul
        9⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B8464~1.EXE > nul
        8⤵
        
        PID:552
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E6081~1.EXE > nul
        6⤵
        
        PID:1672
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B8665~1.EXE > nul
        5⤵
        
        PID:2896
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{07F5C92D-FC62-4de5-8DD9-FC1E0001408C}.exe

Filesize
372KB

MD5
013d277010d2a0eae143011204f4e1a8

SHA1
2caad4dae726263c30709004081f32726f4e930b

SHA256
687fc494d43941e9086340fe0fd9ba22c57426edb2e182b6854a706f766bb0c8

SHA512
97ccd00d3df7c308aa28b07d36fa18af3d7fc8d024111af3b14f59f650e11c920353c46aeee0e8d4f29b2a9c9f4d759c25fca2f42b8d415ea30de2b34744705a

Download Submit
C:\Windows\{3C23B61F-807A-4841-BB14-66A3E2DE4250}.exe

Filesize
372KB

MD5
4580f6126af2f4ef13051babef4ed747

SHA1
0d094157ad801adb3d606637eb380fd1ae76578a

SHA256
2f1ea328a5f261f99c72759ca61b309461ac79229bb0a2fee58d1c33d2610e60

SHA512
e911bd4e9d4c7ab867ed82ad40e4dba1f656c8fa2d8cc700c11b33bca8b26c00c651da8e3aded38424d264ba08a6fcc1659cf88d634f08f888e2bfc63c4a1e53

Download Submit
C:\Windows\{4643E8B2-14F9-48db-96A9-A949356CF670}.exe

Filesize
372KB

MD5
119954c2a958efa8d39de6f0021a9263

SHA1
a4a44e294f515584c7c6344172b90beaa96505cb

SHA256
d643152725e648266dd3597243e62d3aba92602d0fe1daa6eca16bd5d7ad64cd

SHA512
96d0bb84dbc007027554563943ee21d52c88097ba2a5bfce6c190ff2f9f0369e4bf46112de13f12452420a100fb258a864ae47e7c5437a191ce2c48ed0075f9e

Download Submit
C:\Windows\{516C0BA3-BB45-4ff4-965E-9787AE6AFAC1}.exe

Filesize
372KB

MD5
37e970b06486e3ee062d0142a4f7ce47

SHA1
fff00f7cfe25ad705961559c92ce3ad4a82c1be1

SHA256
c972fcca499ca26dcdc8a969877f443c3d8644256ef21dc51a4948552adb58cd

SHA512
487fe0439daba35a561b20c0248ffab813161a351565fe2c5dff553262e0806f74acb3f7ef0567a62ad00888908f8cb749eebb0655455989b09a980d38b87035

Download Submit
C:\Windows\{62BF14FD-338D-42e6-8E56-9DA178B2A9E6}.exe

Filesize
372KB

MD5
f1add8edf33418ffbf1f4d067cf6c765

SHA1
f08e3e6f599a0861e525e590f94a0f3a705325ed

SHA256
db89fc59adea70d278233763ec8ef1c739d3bee6692b542fc158c401918bbdf0

SHA512
ef5e20ced38b07494b0e6aed950744fb07b1fc3af94c953861566c21add9649a8215279cd33455c424acf371c0a9d772ebbc90dae212757b964bc5a86947b239

Download Submit
C:\Windows\{7F08BC9C-EAE7-490a-8638-84FF25BF25E4}.exe

Filesize
372KB

MD5
2ecc6df423970439ed55ef642c5c3996

SHA1
481c62cd42126a797433b6dcab43dfe4b3830b95

SHA256
ed68bab2ad0e20487486ae7a963ddf41f18fbb92dbfa79941210b58a1f38880b

SHA512
b7e3b7d1564859333c5e758ed76c193cb21e2132d5829eef59539124e68718896b538159d469030e6ec2f334e72c2a27dcb987fcf27a4cb057358cc1dac2595a

Download Submit
C:\Windows\{8AE890AF-5433-4a07-9742-6EA3CC9091E9}.exe

Filesize
372KB

MD5
6f0abe5e5635c840b704a5453311ca3d

SHA1
1bbe629585d00ee321f18be4fb7bfb16e4a2e9af

SHA256
4acfe8a4cfeef52f964dde3b812229eb3ad9dda0de828f60182309a93b76db64

SHA512
e15aa640476fb53a5081c2d6a607a0c45455055dcefaa7f6d2f5142ad29dee51b4c75724e5d0f9c8ab4200160faa0efade5a4b48feac49330730435606878040

Download Submit
C:\Windows\{B8464325-90D5-49c0-B1B8-83CD7B895535}.exe

Filesize
372KB

MD5
7d29be0a404002bca79e06467d5852df

SHA1
8560f7374c604f0faf2f3e365e4c86db429e9050

SHA256
170f23c4de3c6c66b92889183f7f77c6eb947fa63369cd5b25b6c683fbe0ba97

SHA512
add0ff42a3f5e0f6c0ba342cbf012ca1b737ec81ab498576e39a0d1e1c27ed5f00b704c62ab6859c4b910409f3e86d1faf39be442d33db97640172f120dec780

Download Submit
C:\Windows\{B86653EF-E25A-49cd-A9D6-2EF4C980BF4C}.exe

Filesize
372KB

MD5
c04614add7ac95bf43fdf276b9aacb47

SHA1
2da67a18da2a71591054d45dc7900bceaf9508c6

SHA256
2f56c7b16b8c9fa6989b77b9749b62e246a0166cb57dca43542f1a6a0a2251cc

SHA512
414462fca7da746db4f598a0f43c2b4fd290e828feac6352efbb379d2a22ac4cf991e2e3c00b2364a54818a93a29f5d84bf54099475e7721179d053ee51316a1

Download Submit
C:\Windows\{CE344A4E-D2B4-4cfd-88DA-28F713605CD0}.exe

Filesize
372KB

MD5
9b1fd41e5e8ad4ce9de643c84099d450

SHA1
150b6a1fa09618ff374217c8db632d5c91595809

SHA256
0f143398963ef8d752bc05b1ca9559dfccd47e870e515eea087d86ccd2a7f4e0

SHA512
04b54f20d4b71b651c49ddb5f8a43a370683afb5c8e65bd33dd0100190beb9b2c209a0a8aa4fe1c5ae923226389b0e30b90d68788293c4b0a17428a853c8039d

Download Submit
C:\Windows\{E6081D6E-912D-4359-9BAB-B6F9AFF62131}.exe

Filesize
372KB

MD5
92c364d52a83fc72a890c4399bdd9ae5

SHA1
ea47e13faff01a3301490abc9f04464fbfe5541b

SHA256
62508f9dfa610ec24a7ce6a2aca7bd9781a1a097f5cbc3e5da404e91d4730fae

SHA512
d10f775240971354bad45913bb8c7457df58b5873481d16c3df05b21918495a5ab800660170382b76929058ab13ce494fd98ba7fa4c0ce99b020a6c6946c5a74

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads