b7d0c949e55a493102d48d2ce9112462e7e75834e2801180d4784f28ccd9b6c4

Analysis

max time kernel
144s
max time network
126s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
13/02/2024, 15:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-13_26cca0bb7318a937d79f3d2acf9662d5_goldeneye.exe
Size

408KB
MD5

26cca0bb7318a937d79f3d2acf9662d5
SHA1

045a31f82b6ce37c11d7cafe81654be075d4eb5a
SHA256

b7d0c949e55a493102d48d2ce9112462e7e75834e2801180d4784f28ccd9b6c4
SHA512

0263ee582d162d21a4c4b61fa62c09f38cdf33086fb70560be4e9ab3459144624f167c1d209fabab5ef1ae7f9a7c68a9593bff38b0e142d0232b715cc862a8ef
SSDEEP

3072:CEGh0oNl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBft:CEGvldOe2MUVg3vTeKcAEciTBqr3jy9

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000b000000012243-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a00000001225c-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000600000000f6f8-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b00000001225c-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000700000000f6f8-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c00000001225c-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000800000000f6f8-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002000000001529f-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0012000000015580-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002100000001529f-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00070000000155ea-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AA982EA2-9969-46fd-BEB8-22A41814CA32}	{E4C2670A-2D8F-4d2c-8304-410C86044CEC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2942B6A5-C022-4e85-9DA6-8EF1D0EC26DF}	{2838D37F-F517-4c0b-A549-6A0DFDAA0C7A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2942B6A5-C022-4e85-9DA6-8EF1D0EC26DF}\stubpath = "C:\\Windows\\{2942B6A5-C022-4e85-9DA6-8EF1D0EC26DF}.exe"	{2838D37F-F517-4c0b-A549-6A0DFDAA0C7A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C7298278-8A61-4690-B7C6-6F30FDE5EBAE}	{6F6C373E-BFE2-44e1-A84A-6CE09B467120}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C9DD4460-56E1-46a2-AD10-179C58E49B3A}	{C7298278-8A61-4690-B7C6-6F30FDE5EBAE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E4C2670A-2D8F-4d2c-8304-410C86044CEC}	{C9DD4460-56E1-46a2-AD10-179C58E49B3A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E4C2670A-2D8F-4d2c-8304-410C86044CEC}\stubpath = "C:\\Windows\\{E4C2670A-2D8F-4d2c-8304-410C86044CEC}.exe"	{C9DD4460-56E1-46a2-AD10-179C58E49B3A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AA982EA2-9969-46fd-BEB8-22A41814CA32}\stubpath = "C:\\Windows\\{AA982EA2-9969-46fd-BEB8-22A41814CA32}.exe"	{E4C2670A-2D8F-4d2c-8304-410C86044CEC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2838D37F-F517-4c0b-A549-6A0DFDAA0C7A}	{96E1CFCF-4CD9-4c83-A8F8-6BB1ED82B2CD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2838D37F-F517-4c0b-A549-6A0DFDAA0C7A}\stubpath = "C:\\Windows\\{2838D37F-F517-4c0b-A549-6A0DFDAA0C7A}.exe"	{96E1CFCF-4CD9-4c83-A8F8-6BB1ED82B2CD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1468E641-DE2C-49bc-84E8-082DF393D5B9}	{2942B6A5-C022-4e85-9DA6-8EF1D0EC26DF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EC11DF82-16C7-4ec3-85ED-6AD8C4A00741}\stubpath = "C:\\Windows\\{EC11DF82-16C7-4ec3-85ED-6AD8C4A00741}.exe"	2024-02-13_26cca0bb7318a937d79f3d2acf9662d5_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{18539217-2B40-477e-80A6-07F6F10B9A15}\stubpath = "C:\\Windows\\{18539217-2B40-477e-80A6-07F6F10B9A15}.exe"	{1468E641-DE2C-49bc-84E8-082DF393D5B9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6F6C373E-BFE2-44e1-A84A-6CE09B467120}\stubpath = "C:\\Windows\\{6F6C373E-BFE2-44e1-A84A-6CE09B467120}.exe"	{EC11DF82-16C7-4ec3-85ED-6AD8C4A00741}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{96E1CFCF-4CD9-4c83-A8F8-6BB1ED82B2CD}	{AA982EA2-9969-46fd-BEB8-22A41814CA32}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{96E1CFCF-4CD9-4c83-A8F8-6BB1ED82B2CD}\stubpath = "C:\\Windows\\{96E1CFCF-4CD9-4c83-A8F8-6BB1ED82B2CD}.exe"	{AA982EA2-9969-46fd-BEB8-22A41814CA32}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{18539217-2B40-477e-80A6-07F6F10B9A15}	{1468E641-DE2C-49bc-84E8-082DF393D5B9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6F6C373E-BFE2-44e1-A84A-6CE09B467120}	{EC11DF82-16C7-4ec3-85ED-6AD8C4A00741}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C7298278-8A61-4690-B7C6-6F30FDE5EBAE}\stubpath = "C:\\Windows\\{C7298278-8A61-4690-B7C6-6F30FDE5EBAE}.exe"	{6F6C373E-BFE2-44e1-A84A-6CE09B467120}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C9DD4460-56E1-46a2-AD10-179C58E49B3A}\stubpath = "C:\\Windows\\{C9DD4460-56E1-46a2-AD10-179C58E49B3A}.exe"	{C7298278-8A61-4690-B7C6-6F30FDE5EBAE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1468E641-DE2C-49bc-84E8-082DF393D5B9}\stubpath = "C:\\Windows\\{1468E641-DE2C-49bc-84E8-082DF393D5B9}.exe"	{2942B6A5-C022-4e85-9DA6-8EF1D0EC26DF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EC11DF82-16C7-4ec3-85ED-6AD8C4A00741}	2024-02-13_26cca0bb7318a937d79f3d2acf9662d5_goldeneye.exe

Deletes itself 1 IoCs

pid	Process
1932	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
1768	{EC11DF82-16C7-4ec3-85ED-6AD8C4A00741}.exe
2832	{6F6C373E-BFE2-44e1-A84A-6CE09B467120}.exe
2580	{C7298278-8A61-4690-B7C6-6F30FDE5EBAE}.exe
2568	{C9DD4460-56E1-46a2-AD10-179C58E49B3A}.exe
2248	{E4C2670A-2D8F-4d2c-8304-410C86044CEC}.exe
2936	{AA982EA2-9969-46fd-BEB8-22A41814CA32}.exe
1704	{96E1CFCF-4CD9-4c83-A8F8-6BB1ED82B2CD}.exe
936	{2838D37F-F517-4c0b-A549-6A0DFDAA0C7A}.exe
880	{2942B6A5-C022-4e85-9DA6-8EF1D0EC26DF}.exe
1148	{1468E641-DE2C-49bc-84E8-082DF393D5B9}.exe
2268	{18539217-2B40-477e-80A6-07F6F10B9A15}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{18539217-2B40-477e-80A6-07F6F10B9A15}.exe	{1468E641-DE2C-49bc-84E8-082DF393D5B9}.exe
File created	C:\Windows\{C9DD4460-56E1-46a2-AD10-179C58E49B3A}.exe	{C7298278-8A61-4690-B7C6-6F30FDE5EBAE}.exe
File created	C:\Windows\{E4C2670A-2D8F-4d2c-8304-410C86044CEC}.exe	{C9DD4460-56E1-46a2-AD10-179C58E49B3A}.exe
File created	C:\Windows\{AA982EA2-9969-46fd-BEB8-22A41814CA32}.exe	{E4C2670A-2D8F-4d2c-8304-410C86044CEC}.exe
File created	C:\Windows\{96E1CFCF-4CD9-4c83-A8F8-6BB1ED82B2CD}.exe	{AA982EA2-9969-46fd-BEB8-22A41814CA32}.exe
File created	C:\Windows\{2838D37F-F517-4c0b-A549-6A0DFDAA0C7A}.exe	{96E1CFCF-4CD9-4c83-A8F8-6BB1ED82B2CD}.exe
File created	C:\Windows\{EC11DF82-16C7-4ec3-85ED-6AD8C4A00741}.exe	2024-02-13_26cca0bb7318a937d79f3d2acf9662d5_goldeneye.exe
File created	C:\Windows\{6F6C373E-BFE2-44e1-A84A-6CE09B467120}.exe	{EC11DF82-16C7-4ec3-85ED-6AD8C4A00741}.exe
File created	C:\Windows\{C7298278-8A61-4690-B7C6-6F30FDE5EBAE}.exe	{6F6C373E-BFE2-44e1-A84A-6CE09B467120}.exe
File created	C:\Windows\{2942B6A5-C022-4e85-9DA6-8EF1D0EC26DF}.exe	{2838D37F-F517-4c0b-A549-6A0DFDAA0C7A}.exe
File created	C:\Windows\{1468E641-DE2C-49bc-84E8-082DF393D5B9}.exe	{2942B6A5-C022-4e85-9DA6-8EF1D0EC26DF}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2224	2024-02-13_26cca0bb7318a937d79f3d2acf9662d5_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1768	{EC11DF82-16C7-4ec3-85ED-6AD8C4A00741}.exe
Token: SeIncBasePriorityPrivilege	2832	{6F6C373E-BFE2-44e1-A84A-6CE09B467120}.exe
Token: SeIncBasePriorityPrivilege	2580	{C7298278-8A61-4690-B7C6-6F30FDE5EBAE}.exe
Token: SeIncBasePriorityPrivilege	2568	{C9DD4460-56E1-46a2-AD10-179C58E49B3A}.exe
Token: SeIncBasePriorityPrivilege	2248	{E4C2670A-2D8F-4d2c-8304-410C86044CEC}.exe
Token: SeIncBasePriorityPrivilege	2936	{AA982EA2-9969-46fd-BEB8-22A41814CA32}.exe
Token: SeIncBasePriorityPrivilege	1704	{96E1CFCF-4CD9-4c83-A8F8-6BB1ED82B2CD}.exe
Token: SeIncBasePriorityPrivilege	936	{2838D37F-F517-4c0b-A549-6A0DFDAA0C7A}.exe
Token: SeIncBasePriorityPrivilege	880	{2942B6A5-C022-4e85-9DA6-8EF1D0EC26DF}.exe
Token: SeIncBasePriorityPrivilege	1148	{1468E641-DE2C-49bc-84E8-082DF393D5B9}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2224 wrote to memory of 1768	2224	2024-02-13_26cca0bb7318a937d79f3d2acf9662d5_goldeneye.exe	28
PID 2224 wrote to memory of 1768	2224	2024-02-13_26cca0bb7318a937d79f3d2acf9662d5_goldeneye.exe	28
PID 2224 wrote to memory of 1768	2224	2024-02-13_26cca0bb7318a937d79f3d2acf9662d5_goldeneye.exe	28
PID 2224 wrote to memory of 1768	2224	2024-02-13_26cca0bb7318a937d79f3d2acf9662d5_goldeneye.exe	28
PID 2224 wrote to memory of 1932	2224	2024-02-13_26cca0bb7318a937d79f3d2acf9662d5_goldeneye.exe	29
PID 2224 wrote to memory of 1932	2224	2024-02-13_26cca0bb7318a937d79f3d2acf9662d5_goldeneye.exe	29
PID 2224 wrote to memory of 1932	2224	2024-02-13_26cca0bb7318a937d79f3d2acf9662d5_goldeneye.exe	29
PID 2224 wrote to memory of 1932	2224	2024-02-13_26cca0bb7318a937d79f3d2acf9662d5_goldeneye.exe	29
PID 1768 wrote to memory of 2832	1768	{EC11DF82-16C7-4ec3-85ED-6AD8C4A00741}.exe	32
PID 1768 wrote to memory of 2832	1768	{EC11DF82-16C7-4ec3-85ED-6AD8C4A00741}.exe	32
PID 1768 wrote to memory of 2832	1768	{EC11DF82-16C7-4ec3-85ED-6AD8C4A00741}.exe	32
PID 1768 wrote to memory of 2832	1768	{EC11DF82-16C7-4ec3-85ED-6AD8C4A00741}.exe	32
PID 1768 wrote to memory of 2892	1768	{EC11DF82-16C7-4ec3-85ED-6AD8C4A00741}.exe	33
PID 1768 wrote to memory of 2892	1768	{EC11DF82-16C7-4ec3-85ED-6AD8C4A00741}.exe	33
PID 1768 wrote to memory of 2892	1768	{EC11DF82-16C7-4ec3-85ED-6AD8C4A00741}.exe	33
PID 1768 wrote to memory of 2892	1768	{EC11DF82-16C7-4ec3-85ED-6AD8C4A00741}.exe	33
PID 2832 wrote to memory of 2580	2832	{6F6C373E-BFE2-44e1-A84A-6CE09B467120}.exe	34
PID 2832 wrote to memory of 2580	2832	{6F6C373E-BFE2-44e1-A84A-6CE09B467120}.exe	34
PID 2832 wrote to memory of 2580	2832	{6F6C373E-BFE2-44e1-A84A-6CE09B467120}.exe	34
PID 2832 wrote to memory of 2580	2832	{6F6C373E-BFE2-44e1-A84A-6CE09B467120}.exe	34
PID 2832 wrote to memory of 1912	2832	{6F6C373E-BFE2-44e1-A84A-6CE09B467120}.exe	35
PID 2832 wrote to memory of 1912	2832	{6F6C373E-BFE2-44e1-A84A-6CE09B467120}.exe	35
PID 2832 wrote to memory of 1912	2832	{6F6C373E-BFE2-44e1-A84A-6CE09B467120}.exe	35
PID 2832 wrote to memory of 1912	2832	{6F6C373E-BFE2-44e1-A84A-6CE09B467120}.exe	35
PID 2580 wrote to memory of 2568	2580	{C7298278-8A61-4690-B7C6-6F30FDE5EBAE}.exe	36
PID 2580 wrote to memory of 2568	2580	{C7298278-8A61-4690-B7C6-6F30FDE5EBAE}.exe	36
PID 2580 wrote to memory of 2568	2580	{C7298278-8A61-4690-B7C6-6F30FDE5EBAE}.exe	36
PID 2580 wrote to memory of 2568	2580	{C7298278-8A61-4690-B7C6-6F30FDE5EBAE}.exe	36
PID 2580 wrote to memory of 1292	2580	{C7298278-8A61-4690-B7C6-6F30FDE5EBAE}.exe	37
PID 2580 wrote to memory of 1292	2580	{C7298278-8A61-4690-B7C6-6F30FDE5EBAE}.exe	37
PID 2580 wrote to memory of 1292	2580	{C7298278-8A61-4690-B7C6-6F30FDE5EBAE}.exe	37
PID 2580 wrote to memory of 1292	2580	{C7298278-8A61-4690-B7C6-6F30FDE5EBAE}.exe	37
PID 2568 wrote to memory of 2248	2568	{C9DD4460-56E1-46a2-AD10-179C58E49B3A}.exe	38
PID 2568 wrote to memory of 2248	2568	{C9DD4460-56E1-46a2-AD10-179C58E49B3A}.exe	38
PID 2568 wrote to memory of 2248	2568	{C9DD4460-56E1-46a2-AD10-179C58E49B3A}.exe	38
PID 2568 wrote to memory of 2248	2568	{C9DD4460-56E1-46a2-AD10-179C58E49B3A}.exe	38
PID 2568 wrote to memory of 584	2568	{C9DD4460-56E1-46a2-AD10-179C58E49B3A}.exe	39
PID 2568 wrote to memory of 584	2568	{C9DD4460-56E1-46a2-AD10-179C58E49B3A}.exe	39
PID 2568 wrote to memory of 584	2568	{C9DD4460-56E1-46a2-AD10-179C58E49B3A}.exe	39
PID 2568 wrote to memory of 584	2568	{C9DD4460-56E1-46a2-AD10-179C58E49B3A}.exe	39
PID 2248 wrote to memory of 2936	2248	{E4C2670A-2D8F-4d2c-8304-410C86044CEC}.exe	40
PID 2248 wrote to memory of 2936	2248	{E4C2670A-2D8F-4d2c-8304-410C86044CEC}.exe	40
PID 2248 wrote to memory of 2936	2248	{E4C2670A-2D8F-4d2c-8304-410C86044CEC}.exe	40
PID 2248 wrote to memory of 2936	2248	{E4C2670A-2D8F-4d2c-8304-410C86044CEC}.exe	40
PID 2248 wrote to memory of 2956	2248	{E4C2670A-2D8F-4d2c-8304-410C86044CEC}.exe	41
PID 2248 wrote to memory of 2956	2248	{E4C2670A-2D8F-4d2c-8304-410C86044CEC}.exe	41
PID 2248 wrote to memory of 2956	2248	{E4C2670A-2D8F-4d2c-8304-410C86044CEC}.exe	41
PID 2248 wrote to memory of 2956	2248	{E4C2670A-2D8F-4d2c-8304-410C86044CEC}.exe	41
PID 2936 wrote to memory of 1704	2936	{AA982EA2-9969-46fd-BEB8-22A41814CA32}.exe	42
PID 2936 wrote to memory of 1704	2936	{AA982EA2-9969-46fd-BEB8-22A41814CA32}.exe	42
PID 2936 wrote to memory of 1704	2936	{AA982EA2-9969-46fd-BEB8-22A41814CA32}.exe	42
PID 2936 wrote to memory of 1704	2936	{AA982EA2-9969-46fd-BEB8-22A41814CA32}.exe	42
PID 2936 wrote to memory of 2156	2936	{AA982EA2-9969-46fd-BEB8-22A41814CA32}.exe	43
PID 2936 wrote to memory of 2156	2936	{AA982EA2-9969-46fd-BEB8-22A41814CA32}.exe	43
PID 2936 wrote to memory of 2156	2936	{AA982EA2-9969-46fd-BEB8-22A41814CA32}.exe	43
PID 2936 wrote to memory of 2156	2936	{AA982EA2-9969-46fd-BEB8-22A41814CA32}.exe	43
PID 1704 wrote to memory of 936	1704	{96E1CFCF-4CD9-4c83-A8F8-6BB1ED82B2CD}.exe	44
PID 1704 wrote to memory of 936	1704	{96E1CFCF-4CD9-4c83-A8F8-6BB1ED82B2CD}.exe	44
PID 1704 wrote to memory of 936	1704	{96E1CFCF-4CD9-4c83-A8F8-6BB1ED82B2CD}.exe	44
PID 1704 wrote to memory of 936	1704	{96E1CFCF-4CD9-4c83-A8F8-6BB1ED82B2CD}.exe	44
PID 1704 wrote to memory of 2864	1704	{96E1CFCF-4CD9-4c83-A8F8-6BB1ED82B2CD}.exe	45
PID 1704 wrote to memory of 2864	1704	{96E1CFCF-4CD9-4c83-A8F8-6BB1ED82B2CD}.exe	45
PID 1704 wrote to memory of 2864	1704	{96E1CFCF-4CD9-4c83-A8F8-6BB1ED82B2CD}.exe	45
PID 1704 wrote to memory of 2864	1704	{96E1CFCF-4CD9-4c83-A8F8-6BB1ED82B2CD}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-02-13_26cca0bb7318a937d79f3d2acf9662d5_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-13_26cca0bb7318a937d79f3d2acf9662d5_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2224
- C:\Windows\{EC11DF82-16C7-4ec3-85ED-6AD8C4A00741}.exe
  C:\Windows\{EC11DF82-16C7-4ec3-85ED-6AD8C4A00741}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1768
- - C:\Windows\{6F6C373E-BFE2-44e1-A84A-6CE09B467120}.exe
    C:\Windows\{6F6C373E-BFE2-44e1-A84A-6CE09B467120}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2832
  - - C:\Windows\{C7298278-8A61-4690-B7C6-6F30FDE5EBAE}.exe
      C:\Windows\{C7298278-8A61-4690-B7C6-6F30FDE5EBAE}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2580
    - - C:\Windows\{C9DD4460-56E1-46a2-AD10-179C58E49B3A}.exe
        
        C:\Windows\{C9DD4460-56E1-46a2-AD10-179C58E49B3A}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2568
      - C:\Windows\{E4C2670A-2D8F-4d2c-8304-410C86044CEC}.exe
        
        C:\Windows\{E4C2670A-2D8F-4d2c-8304-410C86044CEC}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2248
        
        C:\Windows\{AA982EA2-9969-46fd-BEB8-22A41814CA32}.exe
        
        C:\Windows\{AA982EA2-9969-46fd-BEB8-22A41814CA32}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2936
        
        C:\Windows\{96E1CFCF-4CD9-4c83-A8F8-6BB1ED82B2CD}.exe
        
        C:\Windows\{96E1CFCF-4CD9-4c83-A8F8-6BB1ED82B2CD}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1704
        
        C:\Windows\{2838D37F-F517-4c0b-A549-6A0DFDAA0C7A}.exe
        
        C:\Windows\{2838D37F-F517-4c0b-A549-6A0DFDAA0C7A}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:936
        
        C:\Windows\{2942B6A5-C022-4e85-9DA6-8EF1D0EC26DF}.exe
        
        C:\Windows\{2942B6A5-C022-4e85-9DA6-8EF1D0EC26DF}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:880
        
        C:\Windows\{1468E641-DE2C-49bc-84E8-082DF393D5B9}.exe
        
        C:\Windows\{1468E641-DE2C-49bc-84E8-082DF393D5B9}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1148
        
        C:\Windows\{18539217-2B40-477e-80A6-07F6F10B9A15}.exe
        
        C:\Windows\{18539217-2B40-477e-80A6-07F6F10B9A15}.exe
        12⤵
        Executes dropped EXE
        
        PID:2268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1468E~1.EXE > nul
        12⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2942B~1.EXE > nul
        11⤵
        
        PID:764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2838D~1.EXE > nul
        10⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{96E1C~1.EXE > nul
        9⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AA982~1.EXE > nul
        8⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E4C26~1.EXE > nul
        7⤵
        
        PID:2956
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C9DD4~1.EXE > nul
        6⤵
        
        PID:584
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C7298~1.EXE > nul
        5⤵
        
        PID:1292
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{6F6C3~1.EXE > nul
      4⤵
      PID:1912
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{EC11D~1.EXE > nul
    3⤵
    PID:2892
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:1932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1468E641-DE2C-49bc-84E8-082DF393D5B9}.exe

Filesize
408KB

MD5
c496120bd4a584baf2c7f1b39d171254

SHA1
3274e21edddaee4deb043800abd8159d16d2cad3

SHA256
563182de882af9d4b01204c2fd9839ff15893500bde7bb55995279b0b6c346f0

SHA512
b9df3b67ae80b00ec066daa9594f74710653473cd68df2b14daf84887e6c73ead15024618052c8bef3740ab967064f20d6fa0107eaad01bf3505fa46b1dec095

Download Submit
C:\Windows\{18539217-2B40-477e-80A6-07F6F10B9A15}.exe

Filesize
408KB

MD5
f28d4722fd781af3c2e555501b2ae3c1

SHA1
049aa2b12ea87911f08f510efffdb04b7c9fd097

SHA256
fa4ec424ee696ba36dd0cf63fa926e199bc6a860cc7d7d719faea940f2ddea2f

SHA512
d933d52c790004c86f090c963a8a1988e33f2d7247087d1d502733041eff2175712222092377740ebc17c8c157a2a7109da5d8782d4bc452b7064120d4716917

Download Submit
C:\Windows\{2838D37F-F517-4c0b-A549-6A0DFDAA0C7A}.exe

Filesize
408KB

MD5
501c00be034fb3297453261effa5d7bb

SHA1
55ced655141783ae30ef3663e86e1fdb9ca4275b

SHA256
71fa95f0ebdc953bfbca33377d3b0dd6db48c9324b46dbb5f527516f9c99eacd

SHA512
524d68c39b54e9ed4b3a2c5521bba032ab241acc5743bf99831b1d22b89aaf5374a6b564c11d5def1ce497c7edec5070d3bbcd646aa8c5068bc1fc3880d4ddc0

Download Submit
C:\Windows\{2942B6A5-C022-4e85-9DA6-8EF1D0EC26DF}.exe

Filesize
408KB

MD5
de1ab01868fac86eb2139fd85cae315c

SHA1
84a43e11e8dc574dc23de19339a79a4cefb319ac

SHA256
034998213c27298b0ce5993e8e74894f205551a82b65761ce67cb48b8634bb53

SHA512
77673e9f2dd88cd2ebbf8102f53f4687b6806814ff4a126a1c4f0eef6b92a6b8d593ea5423f049ce7e678ff15b1bd7688dcf82dfe270fb2438030a5e415070d4

Download Submit
C:\Windows\{6F6C373E-BFE2-44e1-A84A-6CE09B467120}.exe

Filesize
408KB

MD5
b5751312913eaa5eca2fe142f3b935e0

SHA1
ea340c0f9ab99f2ab17402a16be4c9f72b24f12b

SHA256
369cc66fa0cc2c2bac87653c8ea07045dffce06c41af3ede0194cc6d27b3f448

SHA512
f7ef43fea48a481028211cc9d338c3574b832d32c54982f3c0a2e4ede76f7f54af62bb274f8d1d353f366f5e081ae1651d27101eeb3ed96e29574ef3f68e0591

Download Submit
C:\Windows\{96E1CFCF-4CD9-4c83-A8F8-6BB1ED82B2CD}.exe

Filesize
408KB

MD5
142a6a9c4e3d68820c84618cc08e0c10

SHA1
52b7397ddcca2a1d5579e034c9d563f26b552d1c

SHA256
0ea175d89afeca156683697de429c0979d61aa643c5bf4c6a70639c7f8349f7d

SHA512
ce098dacda773ae54724d75b4f4851b6b489a86613a0cbf17fdac467d7a30090eb8f15a694be51b7e081346772461500ec05dd4b66cae46838754ed63477930d

Download Submit
C:\Windows\{AA982EA2-9969-46fd-BEB8-22A41814CA32}.exe

Filesize
408KB

MD5
74a4e2068b4d1e2d844b6b98c0426869

SHA1
217d655f8361a954db5bb65605e58caba7f8a04a

SHA256
642d5b6a24414cc0f9f211847796fa6088006bae2be6edbd2f9ebb74db461118

SHA512
8afea176192a1b1b2c7b2b31391d75a2dd762a87e9545246b5763dabf63b032291427644e5c6e57f3566074863c5eea0866878ce69835e60b8d93c80c43bdd53

Download Submit
C:\Windows\{C7298278-8A61-4690-B7C6-6F30FDE5EBAE}.exe

Filesize
408KB

MD5
7a29b9d533f9999facf520090c5b93d3

SHA1
c10d783ce61cc20cb295c8563cad762611cd0df2

SHA256
efa93fc7d17e52ccf5b1964650bb4bae0f8949e00149e9941b18f61078f6fb0b

SHA512
ee6c2c7785fae70a02b89dff39592f258afbb04497fa49f9e4791e39c5c4743699e81a27dc8251b51ff69f0992289f4e9fd5d00c135170dea544f4f51c86214f

Download Submit
C:\Windows\{C9DD4460-56E1-46a2-AD10-179C58E49B3A}.exe

Filesize
408KB

MD5
cd55dbe6ff5f8514e33a7fa0954106d1

SHA1
9804b3ba3deb420a7bbde5b33120b0f5b41d3461

SHA256
d164a759f204bf606637efc8e8946bbcc5d0c7df5ba45b4358938e4713bf4aac

SHA512
d043db08de797f4aa0c85d991b1d7fa5c666d9da0500c94afaa9145c55e7c0e3ddab384f20c1ab3c59d7425b0b1f66ac6dabd3662e5c200899bd55f292fe43dc

Download Submit
C:\Windows\{E4C2670A-2D8F-4d2c-8304-410C86044CEC}.exe

Filesize
408KB

MD5
dd2bfd418a63dcf104cf484d0ed04d1f

SHA1
242d8a10cbcbc99fd82b6423b3ec0f6ff23f0ec5

SHA256
663bee46ece0bee5cc27ee888391e2722a7242b11f62e70a961ebf92a7c30032

SHA512
bf3297d820699fe0392783fe32909c9aca819aee7bd50cb77f0dcc10b28cd20706c5714b54129745ade40bef4251aa63cf627d1c444d2d622364d959670ac3d9

Download Submit
C:\Windows\{EC11DF82-16C7-4ec3-85ED-6AD8C4A00741}.exe

Filesize
408KB

MD5
5e306b66821cbf72dfed1fc78f5eaf1e

SHA1
972e0ec14b2ce601cb20ae25cbca504bdb1ee9bc

SHA256
5add5e7189825d89e4f2e9386ee30fcdf6854f4433bb5ed71cf295a0fdc43703

SHA512
254cb5b89a5a2c6f1fe5db0fb588903ddb7adb3cfdb0408842443afd942e0873e0907f21d4cd52f77ae7d18653e9c2116b19e9a8ad8bad7a2415f035036652aa

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads