528aa1cc45a89453bfec8d57db79ede87e79076cf39afc57483d4ab9f9a20173

Analysis

max time kernel
144s
max time network
125s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
13-02-2024 04:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-13_1faf6f5e5f2eac0a4eff6232863c7f22_goldeneye.exe
Size

197KB
MD5

1faf6f5e5f2eac0a4eff6232863c7f22
SHA1

e022b8e0892bb0ae22c200cc0e373aee883de077
SHA256

528aa1cc45a89453bfec8d57db79ede87e79076cf39afc57483d4ab9f9a20173
SHA512

cc1b7517e1d123e4aae54371a41354c48926e374ebd9df8db3fd7c9f91af9f307227660d77f5916c844e6da5981aec355d115207e509bfc9fe91304caf6e975a
SSDEEP

3072:jEGh0okl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGalEeKcAEca

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x00080000000120f8-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000012252-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00090000000120f8-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0035000000015c9a-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0036000000015cb6-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000015d99-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000015f05-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000700000001603c-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00080000000160fe-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C4ADAB60-1B4A-464d-A11B-B01FC9C5758A}\stubpath = "C:\\Windows\\{C4ADAB60-1B4A-464d-A11B-B01FC9C5758A}.exe"	{7F174885-6724-4ec9-AA0F-BD86E7FCAC38}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{00FC1401-6D85-4909-BE97-F7D56D9C9581}	{AF6C11FF-81D0-494f-ABC5-21E27D1EE8EB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1B68A61D-2951-410f-9319-506845BCD479}	{00FC1401-6D85-4909-BE97-F7D56D9C9581}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5017CE89-F82D-4bbb-9A4F-E4B7A634B093}	{1B68A61D-2951-410f-9319-506845BCD479}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{23BF1107-9420-4cf5-B97A-3A19A487D311}	{E731FBBD-26E1-42af-8D63-60FD79F0F4A9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2E1B569C-BAFC-47ed-AF0A-41414A30BE06}	{6163E518-CD29-41aa-A72F-0476A6E10300}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{92B608F2-7651-4054-8BEF-452CCB0ED7B3}\stubpath = "C:\\Windows\\{92B608F2-7651-4054-8BEF-452CCB0ED7B3}.exe"	2024-02-13_1faf6f5e5f2eac0a4eff6232863c7f22_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7F174885-6724-4ec9-AA0F-BD86E7FCAC38}\stubpath = "C:\\Windows\\{7F174885-6724-4ec9-AA0F-BD86E7FCAC38}.exe"	{92B608F2-7651-4054-8BEF-452CCB0ED7B3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{00FC1401-6D85-4909-BE97-F7D56D9C9581}\stubpath = "C:\\Windows\\{00FC1401-6D85-4909-BE97-F7D56D9C9581}.exe"	{AF6C11FF-81D0-494f-ABC5-21E27D1EE8EB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1B68A61D-2951-410f-9319-506845BCD479}\stubpath = "C:\\Windows\\{1B68A61D-2951-410f-9319-506845BCD479}.exe"	{00FC1401-6D85-4909-BE97-F7D56D9C9581}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5017CE89-F82D-4bbb-9A4F-E4B7A634B093}\stubpath = "C:\\Windows\\{5017CE89-F82D-4bbb-9A4F-E4B7A634B093}.exe"	{1B68A61D-2951-410f-9319-506845BCD479}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E731FBBD-26E1-42af-8D63-60FD79F0F4A9}	{5017CE89-F82D-4bbb-9A4F-E4B7A634B093}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2E1B569C-BAFC-47ed-AF0A-41414A30BE06}\stubpath = "C:\\Windows\\{2E1B569C-BAFC-47ed-AF0A-41414A30BE06}.exe"	{6163E518-CD29-41aa-A72F-0476A6E10300}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{92B608F2-7651-4054-8BEF-452CCB0ED7B3}	2024-02-13_1faf6f5e5f2eac0a4eff6232863c7f22_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AF6C11FF-81D0-494f-ABC5-21E27D1EE8EB}	{C4ADAB60-1B4A-464d-A11B-B01FC9C5758A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{23BF1107-9420-4cf5-B97A-3A19A487D311}\stubpath = "C:\\Windows\\{23BF1107-9420-4cf5-B97A-3A19A487D311}.exe"	{E731FBBD-26E1-42af-8D63-60FD79F0F4A9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C4ADAB60-1B4A-464d-A11B-B01FC9C5758A}	{7F174885-6724-4ec9-AA0F-BD86E7FCAC38}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AF6C11FF-81D0-494f-ABC5-21E27D1EE8EB}\stubpath = "C:\\Windows\\{AF6C11FF-81D0-494f-ABC5-21E27D1EE8EB}.exe"	{C4ADAB60-1B4A-464d-A11B-B01FC9C5758A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6163E518-CD29-41aa-A72F-0476A6E10300}	{23BF1107-9420-4cf5-B97A-3A19A487D311}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6163E518-CD29-41aa-A72F-0476A6E10300}\stubpath = "C:\\Windows\\{6163E518-CD29-41aa-A72F-0476A6E10300}.exe"	{23BF1107-9420-4cf5-B97A-3A19A487D311}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7F174885-6724-4ec9-AA0F-BD86E7FCAC38}	{92B608F2-7651-4054-8BEF-452CCB0ED7B3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E731FBBD-26E1-42af-8D63-60FD79F0F4A9}\stubpath = "C:\\Windows\\{E731FBBD-26E1-42af-8D63-60FD79F0F4A9}.exe"	{5017CE89-F82D-4bbb-9A4F-E4B7A634B093}.exe

Deletes itself 1 IoCs

pid	Process
2700	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2440	{92B608F2-7651-4054-8BEF-452CCB0ED7B3}.exe
2800	{7F174885-6724-4ec9-AA0F-BD86E7FCAC38}.exe
2760	{C4ADAB60-1B4A-464d-A11B-B01FC9C5758A}.exe
2956	{AF6C11FF-81D0-494f-ABC5-21E27D1EE8EB}.exe
2152	{00FC1401-6D85-4909-BE97-F7D56D9C9581}.exe
2944	{1B68A61D-2951-410f-9319-506845BCD479}.exe
3020	{5017CE89-F82D-4bbb-9A4F-E4B7A634B093}.exe
3068	{E731FBBD-26E1-42af-8D63-60FD79F0F4A9}.exe
1304	{23BF1107-9420-4cf5-B97A-3A19A487D311}.exe
2264	{6163E518-CD29-41aa-A72F-0476A6E10300}.exe
2544	{2E1B569C-BAFC-47ed-AF0A-41414A30BE06}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{7F174885-6724-4ec9-AA0F-BD86E7FCAC38}.exe	{92B608F2-7651-4054-8BEF-452CCB0ED7B3}.exe
File created	C:\Windows\{C4ADAB60-1B4A-464d-A11B-B01FC9C5758A}.exe	{7F174885-6724-4ec9-AA0F-BD86E7FCAC38}.exe
File created	C:\Windows\{1B68A61D-2951-410f-9319-506845BCD479}.exe	{00FC1401-6D85-4909-BE97-F7D56D9C9581}.exe
File created	C:\Windows\{E731FBBD-26E1-42af-8D63-60FD79F0F4A9}.exe	{5017CE89-F82D-4bbb-9A4F-E4B7A634B093}.exe
File created	C:\Windows\{23BF1107-9420-4cf5-B97A-3A19A487D311}.exe	{E731FBBD-26E1-42af-8D63-60FD79F0F4A9}.exe
File created	C:\Windows\{6163E518-CD29-41aa-A72F-0476A6E10300}.exe	{23BF1107-9420-4cf5-B97A-3A19A487D311}.exe
File created	C:\Windows\{2E1B569C-BAFC-47ed-AF0A-41414A30BE06}.exe	{6163E518-CD29-41aa-A72F-0476A6E10300}.exe
File created	C:\Windows\{92B608F2-7651-4054-8BEF-452CCB0ED7B3}.exe	2024-02-13_1faf6f5e5f2eac0a4eff6232863c7f22_goldeneye.exe
File created	C:\Windows\{AF6C11FF-81D0-494f-ABC5-21E27D1EE8EB}.exe	{C4ADAB60-1B4A-464d-A11B-B01FC9C5758A}.exe
File created	C:\Windows\{00FC1401-6D85-4909-BE97-F7D56D9C9581}.exe	{AF6C11FF-81D0-494f-ABC5-21E27D1EE8EB}.exe
File created	C:\Windows\{5017CE89-F82D-4bbb-9A4F-E4B7A634B093}.exe	{1B68A61D-2951-410f-9319-506845BCD479}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1648	2024-02-13_1faf6f5e5f2eac0a4eff6232863c7f22_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2440	{92B608F2-7651-4054-8BEF-452CCB0ED7B3}.exe
Token: SeIncBasePriorityPrivilege	2800	{7F174885-6724-4ec9-AA0F-BD86E7FCAC38}.exe
Token: SeIncBasePriorityPrivilege	2760	{C4ADAB60-1B4A-464d-A11B-B01FC9C5758A}.exe
Token: SeIncBasePriorityPrivilege	2956	{AF6C11FF-81D0-494f-ABC5-21E27D1EE8EB}.exe
Token: SeIncBasePriorityPrivilege	2152	{00FC1401-6D85-4909-BE97-F7D56D9C9581}.exe
Token: SeIncBasePriorityPrivilege	2944	{1B68A61D-2951-410f-9319-506845BCD479}.exe
Token: SeIncBasePriorityPrivilege	3020	{5017CE89-F82D-4bbb-9A4F-E4B7A634B093}.exe
Token: SeIncBasePriorityPrivilege	3068	{E731FBBD-26E1-42af-8D63-60FD79F0F4A9}.exe
Token: SeIncBasePriorityPrivilege	1304	{23BF1107-9420-4cf5-B97A-3A19A487D311}.exe
Token: SeIncBasePriorityPrivilege	2264	{6163E518-CD29-41aa-A72F-0476A6E10300}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1648 wrote to memory of 2440	1648	2024-02-13_1faf6f5e5f2eac0a4eff6232863c7f22_goldeneye.exe	28
PID 1648 wrote to memory of 2440	1648	2024-02-13_1faf6f5e5f2eac0a4eff6232863c7f22_goldeneye.exe	28
PID 1648 wrote to memory of 2440	1648	2024-02-13_1faf6f5e5f2eac0a4eff6232863c7f22_goldeneye.exe	28
PID 1648 wrote to memory of 2440	1648	2024-02-13_1faf6f5e5f2eac0a4eff6232863c7f22_goldeneye.exe	28
PID 1648 wrote to memory of 2700	1648	2024-02-13_1faf6f5e5f2eac0a4eff6232863c7f22_goldeneye.exe	29
PID 1648 wrote to memory of 2700	1648	2024-02-13_1faf6f5e5f2eac0a4eff6232863c7f22_goldeneye.exe	29
PID 1648 wrote to memory of 2700	1648	2024-02-13_1faf6f5e5f2eac0a4eff6232863c7f22_goldeneye.exe	29
PID 1648 wrote to memory of 2700	1648	2024-02-13_1faf6f5e5f2eac0a4eff6232863c7f22_goldeneye.exe	29
PID 2440 wrote to memory of 2800	2440	{92B608F2-7651-4054-8BEF-452CCB0ED7B3}.exe	30
PID 2440 wrote to memory of 2800	2440	{92B608F2-7651-4054-8BEF-452CCB0ED7B3}.exe	30
PID 2440 wrote to memory of 2800	2440	{92B608F2-7651-4054-8BEF-452CCB0ED7B3}.exe	30
PID 2440 wrote to memory of 2800	2440	{92B608F2-7651-4054-8BEF-452CCB0ED7B3}.exe	30
PID 2440 wrote to memory of 2792	2440	{92B608F2-7651-4054-8BEF-452CCB0ED7B3}.exe	31
PID 2440 wrote to memory of 2792	2440	{92B608F2-7651-4054-8BEF-452CCB0ED7B3}.exe	31
PID 2440 wrote to memory of 2792	2440	{92B608F2-7651-4054-8BEF-452CCB0ED7B3}.exe	31
PID 2440 wrote to memory of 2792	2440	{92B608F2-7651-4054-8BEF-452CCB0ED7B3}.exe	31
PID 2800 wrote to memory of 2760	2800	{7F174885-6724-4ec9-AA0F-BD86E7FCAC38}.exe	32
PID 2800 wrote to memory of 2760	2800	{7F174885-6724-4ec9-AA0F-BD86E7FCAC38}.exe	32
PID 2800 wrote to memory of 2760	2800	{7F174885-6724-4ec9-AA0F-BD86E7FCAC38}.exe	32
PID 2800 wrote to memory of 2760	2800	{7F174885-6724-4ec9-AA0F-BD86E7FCAC38}.exe	32
PID 2800 wrote to memory of 2488	2800	{7F174885-6724-4ec9-AA0F-BD86E7FCAC38}.exe	33
PID 2800 wrote to memory of 2488	2800	{7F174885-6724-4ec9-AA0F-BD86E7FCAC38}.exe	33
PID 2800 wrote to memory of 2488	2800	{7F174885-6724-4ec9-AA0F-BD86E7FCAC38}.exe	33
PID 2800 wrote to memory of 2488	2800	{7F174885-6724-4ec9-AA0F-BD86E7FCAC38}.exe	33
PID 2760 wrote to memory of 2956	2760	{C4ADAB60-1B4A-464d-A11B-B01FC9C5758A}.exe	36
PID 2760 wrote to memory of 2956	2760	{C4ADAB60-1B4A-464d-A11B-B01FC9C5758A}.exe	36
PID 2760 wrote to memory of 2956	2760	{C4ADAB60-1B4A-464d-A11B-B01FC9C5758A}.exe	36
PID 2760 wrote to memory of 2956	2760	{C4ADAB60-1B4A-464d-A11B-B01FC9C5758A}.exe	36
PID 2760 wrote to memory of 2136	2760	{C4ADAB60-1B4A-464d-A11B-B01FC9C5758A}.exe	37
PID 2760 wrote to memory of 2136	2760	{C4ADAB60-1B4A-464d-A11B-B01FC9C5758A}.exe	37
PID 2760 wrote to memory of 2136	2760	{C4ADAB60-1B4A-464d-A11B-B01FC9C5758A}.exe	37
PID 2760 wrote to memory of 2136	2760	{C4ADAB60-1B4A-464d-A11B-B01FC9C5758A}.exe	37
PID 2956 wrote to memory of 2152	2956	{AF6C11FF-81D0-494f-ABC5-21E27D1EE8EB}.exe	38
PID 2956 wrote to memory of 2152	2956	{AF6C11FF-81D0-494f-ABC5-21E27D1EE8EB}.exe	38
PID 2956 wrote to memory of 2152	2956	{AF6C11FF-81D0-494f-ABC5-21E27D1EE8EB}.exe	38
PID 2956 wrote to memory of 2152	2956	{AF6C11FF-81D0-494f-ABC5-21E27D1EE8EB}.exe	38
PID 2956 wrote to memory of 3012	2956	{AF6C11FF-81D0-494f-ABC5-21E27D1EE8EB}.exe	39
PID 2956 wrote to memory of 3012	2956	{AF6C11FF-81D0-494f-ABC5-21E27D1EE8EB}.exe	39
PID 2956 wrote to memory of 3012	2956	{AF6C11FF-81D0-494f-ABC5-21E27D1EE8EB}.exe	39
PID 2956 wrote to memory of 3012	2956	{AF6C11FF-81D0-494f-ABC5-21E27D1EE8EB}.exe	39
PID 2152 wrote to memory of 2944	2152	{00FC1401-6D85-4909-BE97-F7D56D9C9581}.exe	40
PID 2152 wrote to memory of 2944	2152	{00FC1401-6D85-4909-BE97-F7D56D9C9581}.exe	40
PID 2152 wrote to memory of 2944	2152	{00FC1401-6D85-4909-BE97-F7D56D9C9581}.exe	40
PID 2152 wrote to memory of 2944	2152	{00FC1401-6D85-4909-BE97-F7D56D9C9581}.exe	40
PID 2152 wrote to memory of 2852	2152	{00FC1401-6D85-4909-BE97-F7D56D9C9581}.exe	41
PID 2152 wrote to memory of 2852	2152	{00FC1401-6D85-4909-BE97-F7D56D9C9581}.exe	41
PID 2152 wrote to memory of 2852	2152	{00FC1401-6D85-4909-BE97-F7D56D9C9581}.exe	41
PID 2152 wrote to memory of 2852	2152	{00FC1401-6D85-4909-BE97-F7D56D9C9581}.exe	41
PID 2944 wrote to memory of 3020	2944	{1B68A61D-2951-410f-9319-506845BCD479}.exe	42
PID 2944 wrote to memory of 3020	2944	{1B68A61D-2951-410f-9319-506845BCD479}.exe	42
PID 2944 wrote to memory of 3020	2944	{1B68A61D-2951-410f-9319-506845BCD479}.exe	42
PID 2944 wrote to memory of 3020	2944	{1B68A61D-2951-410f-9319-506845BCD479}.exe	42
PID 2944 wrote to memory of 672	2944	{1B68A61D-2951-410f-9319-506845BCD479}.exe	43
PID 2944 wrote to memory of 672	2944	{1B68A61D-2951-410f-9319-506845BCD479}.exe	43
PID 2944 wrote to memory of 672	2944	{1B68A61D-2951-410f-9319-506845BCD479}.exe	43
PID 2944 wrote to memory of 672	2944	{1B68A61D-2951-410f-9319-506845BCD479}.exe	43
PID 3020 wrote to memory of 3068	3020	{5017CE89-F82D-4bbb-9A4F-E4B7A634B093}.exe	44
PID 3020 wrote to memory of 3068	3020	{5017CE89-F82D-4bbb-9A4F-E4B7A634B093}.exe	44
PID 3020 wrote to memory of 3068	3020	{5017CE89-F82D-4bbb-9A4F-E4B7A634B093}.exe	44
PID 3020 wrote to memory of 3068	3020	{5017CE89-F82D-4bbb-9A4F-E4B7A634B093}.exe	44
PID 3020 wrote to memory of 1636	3020	{5017CE89-F82D-4bbb-9A4F-E4B7A634B093}.exe	45
PID 3020 wrote to memory of 1636	3020	{5017CE89-F82D-4bbb-9A4F-E4B7A634B093}.exe	45
PID 3020 wrote to memory of 1636	3020	{5017CE89-F82D-4bbb-9A4F-E4B7A634B093}.exe	45
PID 3020 wrote to memory of 1636	3020	{5017CE89-F82D-4bbb-9A4F-E4B7A634B093}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-02-13_1faf6f5e5f2eac0a4eff6232863c7f22_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-13_1faf6f5e5f2eac0a4eff6232863c7f22_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1648
- C:\Windows\{92B608F2-7651-4054-8BEF-452CCB0ED7B3}.exe
  C:\Windows\{92B608F2-7651-4054-8BEF-452CCB0ED7B3}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2440
- - C:\Windows\{7F174885-6724-4ec9-AA0F-BD86E7FCAC38}.exe
    C:\Windows\{7F174885-6724-4ec9-AA0F-BD86E7FCAC38}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2800
  - - C:\Windows\{C4ADAB60-1B4A-464d-A11B-B01FC9C5758A}.exe
      C:\Windows\{C4ADAB60-1B4A-464d-A11B-B01FC9C5758A}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2760
    - - C:\Windows\{AF6C11FF-81D0-494f-ABC5-21E27D1EE8EB}.exe
        
        C:\Windows\{AF6C11FF-81D0-494f-ABC5-21E27D1EE8EB}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2956
      - C:\Windows\{00FC1401-6D85-4909-BE97-F7D56D9C9581}.exe
        
        C:\Windows\{00FC1401-6D85-4909-BE97-F7D56D9C9581}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2152
        
        C:\Windows\{1B68A61D-2951-410f-9319-506845BCD479}.exe
        
        C:\Windows\{1B68A61D-2951-410f-9319-506845BCD479}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2944
        
        C:\Windows\{5017CE89-F82D-4bbb-9A4F-E4B7A634B093}.exe
        
        C:\Windows\{5017CE89-F82D-4bbb-9A4F-E4B7A634B093}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3020
        
        C:\Windows\{E731FBBD-26E1-42af-8D63-60FD79F0F4A9}.exe
        
        C:\Windows\{E731FBBD-26E1-42af-8D63-60FD79F0F4A9}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3068
        
        C:\Windows\{23BF1107-9420-4cf5-B97A-3A19A487D311}.exe
        
        C:\Windows\{23BF1107-9420-4cf5-B97A-3A19A487D311}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1304
        
        C:\Windows\{6163E518-CD29-41aa-A72F-0476A6E10300}.exe
        
        C:\Windows\{6163E518-CD29-41aa-A72F-0476A6E10300}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2264
        
        C:\Windows\{2E1B569C-BAFC-47ed-AF0A-41414A30BE06}.exe
        
        C:\Windows\{2E1B569C-BAFC-47ed-AF0A-41414A30BE06}.exe
        12⤵
        Executes dropped EXE
        
        PID:2544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6163E~1.EXE > nul
        12⤵
        
        PID:1864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{23BF1~1.EXE > nul
        11⤵
        
        PID:2568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E731F~1.EXE > nul
        10⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5017C~1.EXE > nul
        9⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1B68A~1.EXE > nul
        8⤵
        
        PID:672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{00FC1~1.EXE > nul
        7⤵
        
        PID:2852
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AF6C1~1.EXE > nul
        6⤵
        
        PID:3012
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C4ADA~1.EXE > nul
        5⤵
        
        PID:2136
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{7F174~1.EXE > nul
      4⤵
      PID:2488
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{92B60~1.EXE > nul
    3⤵
    PID:2792
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{00FC1401-6D85-4909-BE97-F7D56D9C9581}.exe

Filesize
197KB

MD5
3e73e0d806b73104c96ad3d287082beb

SHA1
9386cb4176ac3672f81694dbb7a0c7c7ed0be2de

SHA256
5ad06fe469e666f017ce8c2fc678b4574f03820ceb873f8463cba50d94f32038

SHA512
ecbf6b13e6a6609b15bb73ba455289288f957854cb7ff15db9310ee647486b4150b470b0e2a3508cab62a0ef03404290272950d5a6abf3ea3026223afb2dcbbf

Download Submit
C:\Windows\{1B68A61D-2951-410f-9319-506845BCD479}.exe

Filesize
197KB

MD5
ad02be6cbb49678fa205c5c32ebb2314

SHA1
842669a591a117153897c45d00fb6e1602e89ad2

SHA256
ac8547cd3b0e049178cdafb7092698e52965cb9d0403e457aa55b63e0ee45f46

SHA512
9e956448188d95484649e11f2ba824d58c2b333ba0c0716e3693b50c6f7c5594eb866a48d5619e0fd9274bb3386697a2c6858fbef026ed68c0ec5ea92f6e8056

Download Submit
C:\Windows\{23BF1107-9420-4cf5-B97A-3A19A487D311}.exe

Filesize
197KB

MD5
c2f69034f775cff873a622a963bd42a4

SHA1
ec5042239f7a8843b918b8405c1a159e8daf30af

SHA256
f23e7ba86067e162c2dc70d4006216b621e448900de429d796a6ab6be24d47ae

SHA512
7a1ff74177e19a74d8c22f850530c373c8dea3407c1cf83c181ecc2aa8c3d9bc1eec4514fef25ad29709dc2db5afe8512697d2d0b97943c168e7c8327482592b

Download Submit
C:\Windows\{2E1B569C-BAFC-47ed-AF0A-41414A30BE06}.exe

Filesize
197KB

MD5
470f6042aac5eaee9cf1ea1306bbe9cd

SHA1
b2d6580e39be2493724e9626a9095577de51ce1e

SHA256
31d02dd4846b728694d60c8e075f231fa3a28ea4c52fd3e2acd700a8d6c12763

SHA512
47827d41a608f0944394bcd4af1336442133dd165bdfc631b7f060a489e215caa5060843d045abf861004368d80c2f9517f04543792e8c5b5070c0ff483f783c

Download Submit
C:\Windows\{5017CE89-F82D-4bbb-9A4F-E4B7A634B093}.exe

Filesize
197KB

MD5
7a29e1b149147c2ed7c1b99a85139146

SHA1
49c2c1c031fe0af194baaad3fd23923de5f141a5

SHA256
78a99b1fb2281fcc550f422499b9cf8d85e45064aa53042b028f7a85c456d683

SHA512
f9df9dec721cf0a154c4ba1c9fa13c8a99c2eb79c26d19f0e16f5e2bd0aa4c7a7aa0ba07068cab3c7a3b6e3970daa3149c3cc5ce547ed0350f002f2756e81b48

Download Submit
C:\Windows\{6163E518-CD29-41aa-A72F-0476A6E10300}.exe

Filesize
197KB

MD5
3e3db25cb72ee0f180cb4cd15a738de0

SHA1
e52665ed617415eeb715760de83fe1a80bf6998e

SHA256
83aa13ac5d45827d26b255ca9de28471bd30ada398a0dccccf302cf1c7f13397

SHA512
ba7bde6bc5f8230dcf548fb469ad4d8593bb8cd81ba24c575ceb646d65462b26c2becb130fe5866d472348541de904ba6adf8f4e1de1a8ebe19638b73c7fc3b0

Download Submit
C:\Windows\{7F174885-6724-4ec9-AA0F-BD86E7FCAC38}.exe

Filesize
197KB

MD5
bd3d47977b7c5e4e97102e9580c572fc

SHA1
d22803cfae1dfc8978de142ff3205b918bfe418e

SHA256
691eadbac784ddd8e973eefd62180b4a265d1d1124643da56e85394352aa2983

SHA512
50cc78e08c086551c50ffab9ce051320c30e6a21baf6494a16d246cb908988d32b013071137430a922f39aff75c7c8fe49eb61fff8ceab05527bb2aee665bbf0

Download Submit
C:\Windows\{92B608F2-7651-4054-8BEF-452CCB0ED7B3}.exe

Filesize
197KB

MD5
d3680a0fbf929f3b255ab260d7525a6a

SHA1
06f08b664724461bba8f2702ebb99982267f9982

SHA256
816925807ce9c42d50e16ab7235c699559ee94a190b495176499071da83b46ae

SHA512
110867626bad7025aa0434b70cfc69b1a5e8f1cf6397b40276a131e51a2d7ae1097255f468a7c1c03ef53ebe24c33be37d7b154cc0c9e75710f7f30bc798d9ec

Download Submit
C:\Windows\{AF6C11FF-81D0-494f-ABC5-21E27D1EE8EB}.exe

Filesize
197KB

MD5
0e5b5ded9739baf16b2cc1926dc9b739

SHA1
b75e46a251bb14a2312bc317c13a94503022ffde

SHA256
7aa091fb5ab2eb96f40628abe87684d3fa49bb657dca423fdb2ad641426cb0cc

SHA512
77d078d5996498cca5b44c0268244bd8fa50f7f9b046defc19ee2cf8a5032cfac42fd0dc64066251ab4a3a69c33aed9ba78b3fea75e439fab0ff450412b68702

Download Submit
C:\Windows\{C4ADAB60-1B4A-464d-A11B-B01FC9C5758A}.exe

Filesize
197KB

MD5
be3134c9c84ef19d46b3c2ed3191385b

SHA1
a288e8e9905cb20e7a0789b4b1309396bb9922db

SHA256
2e125c4c12b1532950494614e92cfb17b370ab8fa3e7f41bf7e302152141d8e6

SHA512
86ea2c61fd30c110dac88719332d600240df62ca41a2e04f837b8fc140975cfe15b6624e79f5700438d27ff239010f9eb13732e765a8c7cde7baba58df2da345

Download Submit
C:\Windows\{E731FBBD-26E1-42af-8D63-60FD79F0F4A9}.exe

Filesize
197KB

MD5
b6bafa54faca2cd3bd9726e97e2ecf0a

SHA1
5f6767ea9410652bd466a5ed9681e8ece4ec72c4

SHA256
8233d09119df5edfff7075813864dcdfa19b26491e36112ed0cde33ebc4392df

SHA512
49a9ab49d13c7fd394a0e96c551ca9b13f95f2478ac38a8ed6bef16eb2bd6bd8e6f336af23f03da89f2397b4aec1447077c1984527220f67123a48235d222541

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads