0f3db2069dfb9245ac236493c6317ff52772cad151dc053366f0bb8d74157f94

Analysis

max time kernel
144s
max time network
118s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
13-02-2024 00:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-13_70ae290995b00aa8a3af90d8c49359a9_goldeneye.exe
Size

380KB
MD5

70ae290995b00aa8a3af90d8c49359a9
SHA1

7c65054880b2f2a20b8b1249e9d18afa9ac3e800
SHA256

0f3db2069dfb9245ac236493c6317ff52772cad151dc053366f0bb8d74157f94
SHA512

e4d8322f622f1a6b9eadf9bf9fc370886597decf1425a8d4618252784bd5f2788ecbb27534a58953946064f296951966b558012e6a4074e5b057636141024773
SSDEEP

3072:mEGh0ohlPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGzl7Oe2MUVg3v2IneKcAEcARy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000c00000001224c-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d00000001231b-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d00000001224c-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0037000000013a7f-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e00000001224c-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f00000001224c-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001000000001224c-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E7F61341-0BBA-4daa-B778-E1F356564C05}\stubpath = "C:\\Windows\\{E7F61341-0BBA-4daa-B778-E1F356564C05}.exe"	{FD2504E5-478F-4b57-930E-4A5C3A7973A3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8E2D48CB-DB47-45d7-AB38-FF1B6978A2A8}	{E7F61341-0BBA-4daa-B778-E1F356564C05}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6C9BFD03-C58E-4b1f-AC0C-7A52A5E20D6E}\stubpath = "C:\\Windows\\{6C9BFD03-C58E-4b1f-AC0C-7A52A5E20D6E}.exe"	{AE7D7AB3-B989-4374-8EDF-4C037D4B14B6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{98672717-FBDC-405f-B3A8-502BA8290EFB}	{6C9BFD03-C58E-4b1f-AC0C-7A52A5E20D6E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{98672717-FBDC-405f-B3A8-502BA8290EFB}\stubpath = "C:\\Windows\\{98672717-FBDC-405f-B3A8-502BA8290EFB}.exe"	{6C9BFD03-C58E-4b1f-AC0C-7A52A5E20D6E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FD2504E5-478F-4b57-930E-4A5C3A7973A3}	{98672717-FBDC-405f-B3A8-502BA8290EFB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{12787A26-9033-4f26-872D-C084FC8ADA68}	{F2031F35-0647-4b27-B20E-3966DB1F52C5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AE7D7AB3-B989-4374-8EDF-4C037D4B14B6}	{60052189-2997-4de1-A25F-64FC17153990}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E7F61341-0BBA-4daa-B778-E1F356564C05}	{FD2504E5-478F-4b57-930E-4A5C3A7973A3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{823233B3-5CE9-4c9d-B79E-0531D9967C24}\stubpath = "C:\\Windows\\{823233B3-5CE9-4c9d-B79E-0531D9967C24}.exe"	{12787A26-9033-4f26-872D-C084FC8ADA68}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{60052189-2997-4de1-A25F-64FC17153990}\stubpath = "C:\\Windows\\{60052189-2997-4de1-A25F-64FC17153990}.exe"	{823233B3-5CE9-4c9d-B79E-0531D9967C24}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AE7D7AB3-B989-4374-8EDF-4C037D4B14B6}\stubpath = "C:\\Windows\\{AE7D7AB3-B989-4374-8EDF-4C037D4B14B6}.exe"	{60052189-2997-4de1-A25F-64FC17153990}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{60052189-2997-4de1-A25F-64FC17153990}	{823233B3-5CE9-4c9d-B79E-0531D9967C24}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6C9BFD03-C58E-4b1f-AC0C-7A52A5E20D6E}	{AE7D7AB3-B989-4374-8EDF-4C037D4B14B6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FD2504E5-478F-4b57-930E-4A5C3A7973A3}\stubpath = "C:\\Windows\\{FD2504E5-478F-4b57-930E-4A5C3A7973A3}.exe"	{98672717-FBDC-405f-B3A8-502BA8290EFB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8E2D48CB-DB47-45d7-AB38-FF1B6978A2A8}\stubpath = "C:\\Windows\\{8E2D48CB-DB47-45d7-AB38-FF1B6978A2A8}.exe"	{E7F61341-0BBA-4daa-B778-E1F356564C05}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F2031F35-0647-4b27-B20E-3966DB1F52C5}	2024-02-13_70ae290995b00aa8a3af90d8c49359a9_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F2031F35-0647-4b27-B20E-3966DB1F52C5}\stubpath = "C:\\Windows\\{F2031F35-0647-4b27-B20E-3966DB1F52C5}.exe"	2024-02-13_70ae290995b00aa8a3af90d8c49359a9_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{12787A26-9033-4f26-872D-C084FC8ADA68}\stubpath = "C:\\Windows\\{12787A26-9033-4f26-872D-C084FC8ADA68}.exe"	{F2031F35-0647-4b27-B20E-3966DB1F52C5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{823233B3-5CE9-4c9d-B79E-0531D9967C24}	{12787A26-9033-4f26-872D-C084FC8ADA68}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3258CAC1-AF09-4ac0-82B1-5030A2F74731}	{8E2D48CB-DB47-45d7-AB38-FF1B6978A2A8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3258CAC1-AF09-4ac0-82B1-5030A2F74731}\stubpath = "C:\\Windows\\{3258CAC1-AF09-4ac0-82B1-5030A2F74731}.exe"	{8E2D48CB-DB47-45d7-AB38-FF1B6978A2A8}.exe

Deletes itself 1 IoCs

pid	Process
2468	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2796	{F2031F35-0647-4b27-B20E-3966DB1F52C5}.exe
2760	{12787A26-9033-4f26-872D-C084FC8ADA68}.exe
2788	{823233B3-5CE9-4c9d-B79E-0531D9967C24}.exe
2128	{60052189-2997-4de1-A25F-64FC17153990}.exe
2824	{AE7D7AB3-B989-4374-8EDF-4C037D4B14B6}.exe
1584	{6C9BFD03-C58E-4b1f-AC0C-7A52A5E20D6E}.exe
568	{98672717-FBDC-405f-B3A8-502BA8290EFB}.exe
752	{FD2504E5-478F-4b57-930E-4A5C3A7973A3}.exe
2220	{E7F61341-0BBA-4daa-B778-E1F356564C05}.exe
2808	{8E2D48CB-DB47-45d7-AB38-FF1B6978A2A8}.exe
1140	{3258CAC1-AF09-4ac0-82B1-5030A2F74731}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{8E2D48CB-DB47-45d7-AB38-FF1B6978A2A8}.exe	{E7F61341-0BBA-4daa-B778-E1F356564C05}.exe
File created	C:\Windows\{12787A26-9033-4f26-872D-C084FC8ADA68}.exe	{F2031F35-0647-4b27-B20E-3966DB1F52C5}.exe
File created	C:\Windows\{823233B3-5CE9-4c9d-B79E-0531D9967C24}.exe	{12787A26-9033-4f26-872D-C084FC8ADA68}.exe
File created	C:\Windows\{60052189-2997-4de1-A25F-64FC17153990}.exe	{823233B3-5CE9-4c9d-B79E-0531D9967C24}.exe
File created	C:\Windows\{AE7D7AB3-B989-4374-8EDF-4C037D4B14B6}.exe	{60052189-2997-4de1-A25F-64FC17153990}.exe
File created	C:\Windows\{6C9BFD03-C58E-4b1f-AC0C-7A52A5E20D6E}.exe	{AE7D7AB3-B989-4374-8EDF-4C037D4B14B6}.exe
File created	C:\Windows\{F2031F35-0647-4b27-B20E-3966DB1F52C5}.exe	2024-02-13_70ae290995b00aa8a3af90d8c49359a9_goldeneye.exe
File created	C:\Windows\{98672717-FBDC-405f-B3A8-502BA8290EFB}.exe	{6C9BFD03-C58E-4b1f-AC0C-7A52A5E20D6E}.exe
File created	C:\Windows\{FD2504E5-478F-4b57-930E-4A5C3A7973A3}.exe	{98672717-FBDC-405f-B3A8-502BA8290EFB}.exe
File created	C:\Windows\{E7F61341-0BBA-4daa-B778-E1F356564C05}.exe	{FD2504E5-478F-4b57-930E-4A5C3A7973A3}.exe
File created	C:\Windows\{3258CAC1-AF09-4ac0-82B1-5030A2F74731}.exe	{8E2D48CB-DB47-45d7-AB38-FF1B6978A2A8}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1876	2024-02-13_70ae290995b00aa8a3af90d8c49359a9_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2796	{F2031F35-0647-4b27-B20E-3966DB1F52C5}.exe
Token: SeIncBasePriorityPrivilege	2760	{12787A26-9033-4f26-872D-C084FC8ADA68}.exe
Token: SeIncBasePriorityPrivilege	2788	{823233B3-5CE9-4c9d-B79E-0531D9967C24}.exe
Token: SeIncBasePriorityPrivilege	2128	{60052189-2997-4de1-A25F-64FC17153990}.exe
Token: SeIncBasePriorityPrivilege	2824	{AE7D7AB3-B989-4374-8EDF-4C037D4B14B6}.exe
Token: SeIncBasePriorityPrivilege	1584	{6C9BFD03-C58E-4b1f-AC0C-7A52A5E20D6E}.exe
Token: SeIncBasePriorityPrivilege	568	{98672717-FBDC-405f-B3A8-502BA8290EFB}.exe
Token: SeIncBasePriorityPrivilege	752	{FD2504E5-478F-4b57-930E-4A5C3A7973A3}.exe
Token: SeIncBasePriorityPrivilege	2220	{E7F61341-0BBA-4daa-B778-E1F356564C05}.exe
Token: SeIncBasePriorityPrivilege	2808	{8E2D48CB-DB47-45d7-AB38-FF1B6978A2A8}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1876 wrote to memory of 2796	1876	2024-02-13_70ae290995b00aa8a3af90d8c49359a9_goldeneye.exe	28
PID 1876 wrote to memory of 2796	1876	2024-02-13_70ae290995b00aa8a3af90d8c49359a9_goldeneye.exe	28
PID 1876 wrote to memory of 2796	1876	2024-02-13_70ae290995b00aa8a3af90d8c49359a9_goldeneye.exe	28
PID 1876 wrote to memory of 2796	1876	2024-02-13_70ae290995b00aa8a3af90d8c49359a9_goldeneye.exe	28
PID 1876 wrote to memory of 2468	1876	2024-02-13_70ae290995b00aa8a3af90d8c49359a9_goldeneye.exe	29
PID 1876 wrote to memory of 2468	1876	2024-02-13_70ae290995b00aa8a3af90d8c49359a9_goldeneye.exe	29
PID 1876 wrote to memory of 2468	1876	2024-02-13_70ae290995b00aa8a3af90d8c49359a9_goldeneye.exe	29
PID 1876 wrote to memory of 2468	1876	2024-02-13_70ae290995b00aa8a3af90d8c49359a9_goldeneye.exe	29
PID 2796 wrote to memory of 2760	2796	{F2031F35-0647-4b27-B20E-3966DB1F52C5}.exe	31
PID 2796 wrote to memory of 2760	2796	{F2031F35-0647-4b27-B20E-3966DB1F52C5}.exe	31
PID 2796 wrote to memory of 2760	2796	{F2031F35-0647-4b27-B20E-3966DB1F52C5}.exe	31
PID 2796 wrote to memory of 2760	2796	{F2031F35-0647-4b27-B20E-3966DB1F52C5}.exe	31
PID 2796 wrote to memory of 3020	2796	{F2031F35-0647-4b27-B20E-3966DB1F52C5}.exe	30
PID 2796 wrote to memory of 3020	2796	{F2031F35-0647-4b27-B20E-3966DB1F52C5}.exe	30
PID 2796 wrote to memory of 3020	2796	{F2031F35-0647-4b27-B20E-3966DB1F52C5}.exe	30
PID 2796 wrote to memory of 3020	2796	{F2031F35-0647-4b27-B20E-3966DB1F52C5}.exe	30
PID 2760 wrote to memory of 2788	2760	{12787A26-9033-4f26-872D-C084FC8ADA68}.exe	33
PID 2760 wrote to memory of 2788	2760	{12787A26-9033-4f26-872D-C084FC8ADA68}.exe	33
PID 2760 wrote to memory of 2788	2760	{12787A26-9033-4f26-872D-C084FC8ADA68}.exe	33
PID 2760 wrote to memory of 2788	2760	{12787A26-9033-4f26-872D-C084FC8ADA68}.exe	33
PID 2760 wrote to memory of 2196	2760	{12787A26-9033-4f26-872D-C084FC8ADA68}.exe	32
PID 2760 wrote to memory of 2196	2760	{12787A26-9033-4f26-872D-C084FC8ADA68}.exe	32
PID 2760 wrote to memory of 2196	2760	{12787A26-9033-4f26-872D-C084FC8ADA68}.exe	32
PID 2760 wrote to memory of 2196	2760	{12787A26-9033-4f26-872D-C084FC8ADA68}.exe	32
PID 2788 wrote to memory of 2128	2788	{823233B3-5CE9-4c9d-B79E-0531D9967C24}.exe	37
PID 2788 wrote to memory of 2128	2788	{823233B3-5CE9-4c9d-B79E-0531D9967C24}.exe	37
PID 2788 wrote to memory of 2128	2788	{823233B3-5CE9-4c9d-B79E-0531D9967C24}.exe	37
PID 2788 wrote to memory of 2128	2788	{823233B3-5CE9-4c9d-B79E-0531D9967C24}.exe	37
PID 2788 wrote to memory of 1980	2788	{823233B3-5CE9-4c9d-B79E-0531D9967C24}.exe	36
PID 2788 wrote to memory of 1980	2788	{823233B3-5CE9-4c9d-B79E-0531D9967C24}.exe	36
PID 2788 wrote to memory of 1980	2788	{823233B3-5CE9-4c9d-B79E-0531D9967C24}.exe	36
PID 2788 wrote to memory of 1980	2788	{823233B3-5CE9-4c9d-B79E-0531D9967C24}.exe	36
PID 2128 wrote to memory of 2824	2128	{60052189-2997-4de1-A25F-64FC17153990}.exe	39
PID 2128 wrote to memory of 2824	2128	{60052189-2997-4de1-A25F-64FC17153990}.exe	39
PID 2128 wrote to memory of 2824	2128	{60052189-2997-4de1-A25F-64FC17153990}.exe	39
PID 2128 wrote to memory of 2824	2128	{60052189-2997-4de1-A25F-64FC17153990}.exe	39
PID 2128 wrote to memory of 2784	2128	{60052189-2997-4de1-A25F-64FC17153990}.exe	38
PID 2128 wrote to memory of 2784	2128	{60052189-2997-4de1-A25F-64FC17153990}.exe	38
PID 2128 wrote to memory of 2784	2128	{60052189-2997-4de1-A25F-64FC17153990}.exe	38
PID 2128 wrote to memory of 2784	2128	{60052189-2997-4de1-A25F-64FC17153990}.exe	38
PID 2824 wrote to memory of 1584	2824	{AE7D7AB3-B989-4374-8EDF-4C037D4B14B6}.exe	40
PID 2824 wrote to memory of 1584	2824	{AE7D7AB3-B989-4374-8EDF-4C037D4B14B6}.exe	40
PID 2824 wrote to memory of 1584	2824	{AE7D7AB3-B989-4374-8EDF-4C037D4B14B6}.exe	40
PID 2824 wrote to memory of 1584	2824	{AE7D7AB3-B989-4374-8EDF-4C037D4B14B6}.exe	40
PID 2824 wrote to memory of 1820	2824	{AE7D7AB3-B989-4374-8EDF-4C037D4B14B6}.exe	41
PID 2824 wrote to memory of 1820	2824	{AE7D7AB3-B989-4374-8EDF-4C037D4B14B6}.exe	41
PID 2824 wrote to memory of 1820	2824	{AE7D7AB3-B989-4374-8EDF-4C037D4B14B6}.exe	41
PID 2824 wrote to memory of 1820	2824	{AE7D7AB3-B989-4374-8EDF-4C037D4B14B6}.exe	41
PID 1584 wrote to memory of 568	1584	{6C9BFD03-C58E-4b1f-AC0C-7A52A5E20D6E}.exe	42
PID 1584 wrote to memory of 568	1584	{6C9BFD03-C58E-4b1f-AC0C-7A52A5E20D6E}.exe	42
PID 1584 wrote to memory of 568	1584	{6C9BFD03-C58E-4b1f-AC0C-7A52A5E20D6E}.exe	42
PID 1584 wrote to memory of 568	1584	{6C9BFD03-C58E-4b1f-AC0C-7A52A5E20D6E}.exe	42
PID 1584 wrote to memory of 896	1584	{6C9BFD03-C58E-4b1f-AC0C-7A52A5E20D6E}.exe	43
PID 1584 wrote to memory of 896	1584	{6C9BFD03-C58E-4b1f-AC0C-7A52A5E20D6E}.exe	43
PID 1584 wrote to memory of 896	1584	{6C9BFD03-C58E-4b1f-AC0C-7A52A5E20D6E}.exe	43
PID 1584 wrote to memory of 896	1584	{6C9BFD03-C58E-4b1f-AC0C-7A52A5E20D6E}.exe	43
PID 568 wrote to memory of 752	568	{98672717-FBDC-405f-B3A8-502BA8290EFB}.exe	44
PID 568 wrote to memory of 752	568	{98672717-FBDC-405f-B3A8-502BA8290EFB}.exe	44
PID 568 wrote to memory of 752	568	{98672717-FBDC-405f-B3A8-502BA8290EFB}.exe	44
PID 568 wrote to memory of 752	568	{98672717-FBDC-405f-B3A8-502BA8290EFB}.exe	44
PID 568 wrote to memory of 1548	568	{98672717-FBDC-405f-B3A8-502BA8290EFB}.exe	45
PID 568 wrote to memory of 1548	568	{98672717-FBDC-405f-B3A8-502BA8290EFB}.exe	45
PID 568 wrote to memory of 1548	568	{98672717-FBDC-405f-B3A8-502BA8290EFB}.exe	45
PID 568 wrote to memory of 1548	568	{98672717-FBDC-405f-B3A8-502BA8290EFB}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-02-13_70ae290995b00aa8a3af90d8c49359a9_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-13_70ae290995b00aa8a3af90d8c49359a9_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1876
- C:\Windows\{F2031F35-0647-4b27-B20E-3966DB1F52C5}.exe
  C:\Windows\{F2031F35-0647-4b27-B20E-3966DB1F52C5}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2796
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{F2031~1.EXE > nul
    3⤵
    PID:3020
- - C:\Windows\{12787A26-9033-4f26-872D-C084FC8ADA68}.exe
    C:\Windows\{12787A26-9033-4f26-872D-C084FC8ADA68}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2760
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{12787~1.EXE > nul
      4⤵
      PID:2196
  - - C:\Windows\{823233B3-5CE9-4c9d-B79E-0531D9967C24}.exe
      C:\Windows\{823233B3-5CE9-4c9d-B79E-0531D9967C24}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2788
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{82323~1.EXE > nul
        5⤵
        
        PID:1980
    - - C:\Windows\{60052189-2997-4de1-A25F-64FC17153990}.exe
        
        C:\Windows\{60052189-2997-4de1-A25F-64FC17153990}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2128
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{60052~1.EXE > nul
        6⤵
        
        PID:2784
      - C:\Windows\{AE7D7AB3-B989-4374-8EDF-4C037D4B14B6}.exe
        
        C:\Windows\{AE7D7AB3-B989-4374-8EDF-4C037D4B14B6}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2824
        
        C:\Windows\{6C9BFD03-C58E-4b1f-AC0C-7A52A5E20D6E}.exe
        
        C:\Windows\{6C9BFD03-C58E-4b1f-AC0C-7A52A5E20D6E}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1584
        
        C:\Windows\{98672717-FBDC-405f-B3A8-502BA8290EFB}.exe
        
        C:\Windows\{98672717-FBDC-405f-B3A8-502BA8290EFB}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:568
        
        C:\Windows\{FD2504E5-478F-4b57-930E-4A5C3A7973A3}.exe
        
        C:\Windows\{FD2504E5-478F-4b57-930E-4A5C3A7973A3}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FD250~1.EXE > nul
        10⤵
        
        PID:2224
        
        C:\Windows\{E7F61341-0BBA-4daa-B778-E1F356564C05}.exe
        
        C:\Windows\{E7F61341-0BBA-4daa-B778-E1F356564C05}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E7F61~1.EXE > nul
        11⤵
        
        PID:2112
        
        C:\Windows\{8E2D48CB-DB47-45d7-AB38-FF1B6978A2A8}.exe
        
        C:\Windows\{8E2D48CB-DB47-45d7-AB38-FF1B6978A2A8}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8E2D4~1.EXE > nul
        12⤵
        
        PID:1100
        
        C:\Windows\{3258CAC1-AF09-4ac0-82B1-5030A2F74731}.exe
        
        C:\Windows\{3258CAC1-AF09-4ac0-82B1-5030A2F74731}.exe
        12⤵
        Executes dropped EXE
        
        PID:1140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{98672~1.EXE > nul
        9⤵
        
        PID:1548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6C9BF~1.EXE > nul
        8⤵
        
        PID:896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AE7D7~1.EXE > nul
        7⤵
        
        PID:1820
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{12787A26-9033-4f26-872D-C084FC8ADA68}.exe

Filesize
380KB

MD5
74ff095bfba0cd2e52e8983c3e97f502

SHA1
b440fda4ee2752e1b0544a7e311baac51f7e758e

SHA256
0a2442051333d85adb76c9a9fc313da65c960e5910fe54d877e30d604a60256e

SHA512
17f0ba3cc51ab59e6817c478b57419eb6c2f81d56b6c4504d580555f5845e2662289ff2fd1ebda18e79d135fd6c288b3fc8fff0f16d0208d87e28c68bfc1b43d

Download Submit
C:\Windows\{3258CAC1-AF09-4ac0-82B1-5030A2F74731}.exe

Filesize
380KB

MD5
a7c57b0a9ef8ff63c960333372ae221f

SHA1
d59b3fdaba48fedf717b241ec7945a9019af09dd

SHA256
932701cf5cfce077c627b87e009aee5e117cd21227222e3d6ef5f79a12ac5a34

SHA512
42aad01fb7b99bebb895d02eda922c3fa90036fa65b33e93a6332cf17de494ed50bcd645d2803ebecd2214a9bca664d8e644c7bdd60a7b543631c0234afc02fd

Download Submit
C:\Windows\{60052189-2997-4de1-A25F-64FC17153990}.exe

Filesize
380KB

MD5
9aacccb5ecdadd2ab598d1321afe59ea

SHA1
70c304c1efc2a740e844b8cd2ff45d31fe11374e

SHA256
72f56f4ece6027f51c2046ff4c93ebb6385d5343f23c5c734ad83cba6f7cd774

SHA512
683e1331b8c3ae24c5bcdae3da4183ba8b526f082d69e222a42a31d453ed4a6fcb1e89c05794fb042764e7a7db13e1df9455d4287deed03f003bd76b1f6ec553

Download Submit
C:\Windows\{6C9BFD03-C58E-4b1f-AC0C-7A52A5E20D6E}.exe

Filesize
380KB

MD5
dd4730569494cda163c032019e1e689b

SHA1
ec4b810e0af0ed42fb4a30a42d6c9e11abe5feab

SHA256
a4d1cc04827c7f0abd4bc87673d461dd3ec60bf556c749289359a69b429e550a

SHA512
2b826a1bd1975229f8ba9cb019758183dce707389ad023265a58c80dc3a99e04646a7d04e44aa7b4680eb59ecef59bb94706a4004d16d357bdfada40bc679d6a

Download Submit
C:\Windows\{823233B3-5CE9-4c9d-B79E-0531D9967C24}.exe

Filesize
380KB

MD5
88cf6ab72f35f37fefa9a6d7a52e79b8

SHA1
047e840760af35c5864a148da85a0cd11804146c

SHA256
e2a0dd4ce783603fe33f2d943b3c95f8402f56d6ee9796140f78044977207676

SHA512
a14eb5d42081a53e455fca49c830eb9bef3d5e128668214c0f187ad9b82a6ed018c65501fe1934fb3198d561059a66da29d0774aaf8531ac470b9abfbcbb1469

Download Submit
C:\Windows\{8E2D48CB-DB47-45d7-AB38-FF1B6978A2A8}.exe

Filesize
380KB

MD5
73205aec2a6047818c0cda0e84028cd9

SHA1
55cc54ab32c4c04686fec627b6344c3b4c82470d

SHA256
2d9f54373a8f37379edc8ed405c40a38cfe50eca1440dbbb6a394ee314e59988

SHA512
d851dfe672f799c77bc1fbb1253d74f92d518cf9e44f3a47e5e77526e574ff2edaac63e5367f11bdabd5dfc7b2c546c8d6e17a7f68bdc4b87e6d73e70f74fe32

Download Submit
C:\Windows\{98672717-FBDC-405f-B3A8-502BA8290EFB}.exe

Filesize
380KB

MD5
be84edc89c9c47842953aff5c83ec524

SHA1
4b4a607f77c5af15015341bdc4f96f1138dbeaa9

SHA256
fc1223aa8156c7b58ff485bf62b75bb39bced9700a65c430f76e1ff145623cbb

SHA512
a312b511989856a01824c55e52f912da84f9b0a67482ce8840f5a025dd0640c996e38d6010807dca0a4c3db33b5985e16cf6c0e44c0ca487c0abf257878dd372

Download Submit
C:\Windows\{AE7D7AB3-B989-4374-8EDF-4C037D4B14B6}.exe

Filesize
380KB

MD5
c3fb4b74db4c09591e743e8e29beff74

SHA1
2f1a7739b9a1b3b0b224cd34287259b88f623fe2

SHA256
48d903a010d3f076ffac3bac5218db94f94e4bf73fbfdd6eeb5800a2b3a93b4e

SHA512
f5856f646f9001a472dcb95951e11aea1373d1290ce1ecf4b620742706ebc39bb54431beaa5dbc7eb1abd8f7f0036523a083f22afd51dab40090ee0633517e75

Download Submit
C:\Windows\{E7F61341-0BBA-4daa-B778-E1F356564C05}.exe

Filesize
380KB

MD5
94a69228445d4fc744abef4462836b61

SHA1
68d463996c7f695b72bd532d5924dbce522e7db4

SHA256
5b69748ede7419bc24e696aa2078fb9671ef99a557e2f7614b20db2ffc422791

SHA512
aab41eb4ca66c8716402f82d2d9832eb2bf1d729c49c17894978622a202b23269ad1fe68a95c1df441de3657984ff6f35a1182ed13372b62c46480c6cd76ce07

Download Submit
C:\Windows\{F2031F35-0647-4b27-B20E-3966DB1F52C5}.exe

Filesize
380KB

MD5
e676db4226179889806846d9bb5231d7

SHA1
7d4f831f7a0e0be12360e6d216ac29bfc539dc6c

SHA256
97c5d9c31977137381862cb57887b7952f62113b06ce4d6a46527ce38ee7eb91

SHA512
8253a9699573cd8a30842fa2aae271ffd605db8179e767690bb83db2eb17363e2a464db6e1796478187a1c15b892ce0d97eba3535e27ea9cf8e3a87d0d2249c8

Download Submit
C:\Windows\{FD2504E5-478F-4b57-930E-4A5C3A7973A3}.exe

Filesize
380KB

MD5
06e5ba46222a406e11fffea096b83f7e

SHA1
5887aafd6681f558591f2c0ee8f0e7a28d14c0a0

SHA256
c9a84f43d703dd080cce04ed790a836e8eae0935b323556a638d87d6edcdbff8

SHA512
38036701abb43ca5cc97d864766a5634844078335f57faececb32e01df1a9371455772e9f8066926bf591df2f7c14082241d7ad13afb3534fd5241e60c8312db

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads