7307af2c6528aa271f5fbf0d07487ac0a47c860eed30f94869acb406a0a57bfd

Analysis

max time kernel
144s
max time network
121s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
13/02/2024, 18:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-13_d513c4794f4fed8a661a20e58e58f5b3_goldeneye.exe
Size

197KB
MD5

d513c4794f4fed8a661a20e58e58f5b3
SHA1

b8ab705e172148e02cca92326892868e00bfe108
SHA256

7307af2c6528aa271f5fbf0d07487ac0a47c860eed30f94869acb406a0a57bfd
SHA512

0f14f42af2251637f84d2d7d22bb0172d34263d8885a6cd38ca295d509be58997da243d6ff0710d27f0b650c9377b86c2dfd5a1af7925eb45a06a4068f05c38e
SSDEEP

3072:jEGh0o4l+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGClEeKcAEca

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 13 IoCs

resource	yara_rule
behavioral1/files/0x000b000000014227-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b000000014227-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b000000014227-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b000000014313-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000014227-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000900000001458f-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000014227-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e000000014227-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f000000014227-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9DD250A7-4204-47f2-919B-A0FA5231E241}	{A5A71F55-5484-46b8-819F-453EB9B6C00D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AC7F839D-A183-4c9a-9478-CE85D17E7B50}\stubpath = "C:\\Windows\\{AC7F839D-A183-4c9a-9478-CE85D17E7B50}.exe"	2024-02-13_d513c4794f4fed8a661a20e58e58f5b3_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EA280C94-827A-4750-BCD6-B2A5E8FB6B10}	{AC7F839D-A183-4c9a-9478-CE85D17E7B50}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3D768A85-F1C2-429f-A772-A8A8D5B2B4D9}	{2AB05CDE-7940-46f9-983B-DA24B5976451}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{85B1F10C-A000-4b8d-A251-55AAFC82C55E}\stubpath = "C:\\Windows\\{85B1F10C-A000-4b8d-A251-55AAFC82C55E}.exe"	{0F8D39AC-6FFD-4b53-A5CD-D27646070012}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{22867E05-D561-4ba8-8E58-E5F8EEEBBCEC}\stubpath = "C:\\Windows\\{22867E05-D561-4ba8-8E58-E5F8EEEBBCEC}.exe"	{5FF28F83-396C-4967-AF12-5D9B9906F836}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E2F71618-9410-4f15-9520-B0062C902E51}	{22867E05-D561-4ba8-8E58-E5F8EEEBBCEC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A5A71F55-5484-46b8-819F-453EB9B6C00D}	{E2F71618-9410-4f15-9520-B0062C902E51}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EA280C94-827A-4750-BCD6-B2A5E8FB6B10}\stubpath = "C:\\Windows\\{EA280C94-827A-4750-BCD6-B2A5E8FB6B10}.exe"	{AC7F839D-A183-4c9a-9478-CE85D17E7B50}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0F8D39AC-6FFD-4b53-A5CD-D27646070012}	{3D768A85-F1C2-429f-A772-A8A8D5B2B4D9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5FF28F83-396C-4967-AF12-5D9B9906F836}	{85B1F10C-A000-4b8d-A251-55AAFC82C55E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5FF28F83-396C-4967-AF12-5D9B9906F836}\stubpath = "C:\\Windows\\{5FF28F83-396C-4967-AF12-5D9B9906F836}.exe"	{85B1F10C-A000-4b8d-A251-55AAFC82C55E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E2F71618-9410-4f15-9520-B0062C902E51}\stubpath = "C:\\Windows\\{E2F71618-9410-4f15-9520-B0062C902E51}.exe"	{22867E05-D561-4ba8-8E58-E5F8EEEBBCEC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A5A71F55-5484-46b8-819F-453EB9B6C00D}\stubpath = "C:\\Windows\\{A5A71F55-5484-46b8-819F-453EB9B6C00D}.exe"	{E2F71618-9410-4f15-9520-B0062C902E51}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AC7F839D-A183-4c9a-9478-CE85D17E7B50}	2024-02-13_d513c4794f4fed8a661a20e58e58f5b3_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2AB05CDE-7940-46f9-983B-DA24B5976451}\stubpath = "C:\\Windows\\{2AB05CDE-7940-46f9-983B-DA24B5976451}.exe"	{EA280C94-827A-4750-BCD6-B2A5E8FB6B10}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3D768A85-F1C2-429f-A772-A8A8D5B2B4D9}\stubpath = "C:\\Windows\\{3D768A85-F1C2-429f-A772-A8A8D5B2B4D9}.exe"	{2AB05CDE-7940-46f9-983B-DA24B5976451}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0F8D39AC-6FFD-4b53-A5CD-D27646070012}\stubpath = "C:\\Windows\\{0F8D39AC-6FFD-4b53-A5CD-D27646070012}.exe"	{3D768A85-F1C2-429f-A772-A8A8D5B2B4D9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2AB05CDE-7940-46f9-983B-DA24B5976451}	{EA280C94-827A-4750-BCD6-B2A5E8FB6B10}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{85B1F10C-A000-4b8d-A251-55AAFC82C55E}	{0F8D39AC-6FFD-4b53-A5CD-D27646070012}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{22867E05-D561-4ba8-8E58-E5F8EEEBBCEC}	{5FF28F83-396C-4967-AF12-5D9B9906F836}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9DD250A7-4204-47f2-919B-A0FA5231E241}\stubpath = "C:\\Windows\\{9DD250A7-4204-47f2-919B-A0FA5231E241}.exe"	{A5A71F55-5484-46b8-819F-453EB9B6C00D}.exe

Deletes itself 1 IoCs

pid	Process
288	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
1344	{AC7F839D-A183-4c9a-9478-CE85D17E7B50}.exe
2800	{EA280C94-827A-4750-BCD6-B2A5E8FB6B10}.exe
2876	{2AB05CDE-7940-46f9-983B-DA24B5976451}.exe
2724	{3D768A85-F1C2-429f-A772-A8A8D5B2B4D9}.exe
1956	{0F8D39AC-6FFD-4b53-A5CD-D27646070012}.exe
764	{85B1F10C-A000-4b8d-A251-55AAFC82C55E}.exe
2940	{5FF28F83-396C-4967-AF12-5D9B9906F836}.exe
304	{22867E05-D561-4ba8-8E58-E5F8EEEBBCEC}.exe
2096	{E2F71618-9410-4f15-9520-B0062C902E51}.exe
596	{A5A71F55-5484-46b8-819F-453EB9B6C00D}.exe
2272	{9DD250A7-4204-47f2-919B-A0FA5231E241}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{EA280C94-827A-4750-BCD6-B2A5E8FB6B10}.exe	{AC7F839D-A183-4c9a-9478-CE85D17E7B50}.exe
File created	C:\Windows\{3D768A85-F1C2-429f-A772-A8A8D5B2B4D9}.exe	{2AB05CDE-7940-46f9-983B-DA24B5976451}.exe
File created	C:\Windows\{0F8D39AC-6FFD-4b53-A5CD-D27646070012}.exe	{3D768A85-F1C2-429f-A772-A8A8D5B2B4D9}.exe
File created	C:\Windows\{85B1F10C-A000-4b8d-A251-55AAFC82C55E}.exe	{0F8D39AC-6FFD-4b53-A5CD-D27646070012}.exe
File created	C:\Windows\{5FF28F83-396C-4967-AF12-5D9B9906F836}.exe	{85B1F10C-A000-4b8d-A251-55AAFC82C55E}.exe
File created	C:\Windows\{22867E05-D561-4ba8-8E58-E5F8EEEBBCEC}.exe	{5FF28F83-396C-4967-AF12-5D9B9906F836}.exe
File created	C:\Windows\{E2F71618-9410-4f15-9520-B0062C902E51}.exe	{22867E05-D561-4ba8-8E58-E5F8EEEBBCEC}.exe
File created	C:\Windows\{AC7F839D-A183-4c9a-9478-CE85D17E7B50}.exe	2024-02-13_d513c4794f4fed8a661a20e58e58f5b3_goldeneye.exe
File created	C:\Windows\{2AB05CDE-7940-46f9-983B-DA24B5976451}.exe	{EA280C94-827A-4750-BCD6-B2A5E8FB6B10}.exe
File created	C:\Windows\{A5A71F55-5484-46b8-819F-453EB9B6C00D}.exe	{E2F71618-9410-4f15-9520-B0062C902E51}.exe
File created	C:\Windows\{9DD250A7-4204-47f2-919B-A0FA5231E241}.exe	{A5A71F55-5484-46b8-819F-453EB9B6C00D}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2536	2024-02-13_d513c4794f4fed8a661a20e58e58f5b3_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1344	{AC7F839D-A183-4c9a-9478-CE85D17E7B50}.exe
Token: SeIncBasePriorityPrivilege	2800	{EA280C94-827A-4750-BCD6-B2A5E8FB6B10}.exe
Token: SeIncBasePriorityPrivilege	2876	{2AB05CDE-7940-46f9-983B-DA24B5976451}.exe
Token: SeIncBasePriorityPrivilege	2724	{3D768A85-F1C2-429f-A772-A8A8D5B2B4D9}.exe
Token: SeIncBasePriorityPrivilege	1956	{0F8D39AC-6FFD-4b53-A5CD-D27646070012}.exe
Token: SeIncBasePriorityPrivilege	764	{85B1F10C-A000-4b8d-A251-55AAFC82C55E}.exe
Token: SeIncBasePriorityPrivilege	2940	{5FF28F83-396C-4967-AF12-5D9B9906F836}.exe
Token: SeIncBasePriorityPrivilege	304	{22867E05-D561-4ba8-8E58-E5F8EEEBBCEC}.exe
Token: SeIncBasePriorityPrivilege	2096	{E2F71618-9410-4f15-9520-B0062C902E51}.exe
Token: SeIncBasePriorityPrivilege	596	{A5A71F55-5484-46b8-819F-453EB9B6C00D}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2536 wrote to memory of 1344	2536	2024-02-13_d513c4794f4fed8a661a20e58e58f5b3_goldeneye.exe	28
PID 2536 wrote to memory of 1344	2536	2024-02-13_d513c4794f4fed8a661a20e58e58f5b3_goldeneye.exe	28
PID 2536 wrote to memory of 1344	2536	2024-02-13_d513c4794f4fed8a661a20e58e58f5b3_goldeneye.exe	28
PID 2536 wrote to memory of 1344	2536	2024-02-13_d513c4794f4fed8a661a20e58e58f5b3_goldeneye.exe	28
PID 2536 wrote to memory of 288	2536	2024-02-13_d513c4794f4fed8a661a20e58e58f5b3_goldeneye.exe	29
PID 2536 wrote to memory of 288	2536	2024-02-13_d513c4794f4fed8a661a20e58e58f5b3_goldeneye.exe	29
PID 2536 wrote to memory of 288	2536	2024-02-13_d513c4794f4fed8a661a20e58e58f5b3_goldeneye.exe	29
PID 2536 wrote to memory of 288	2536	2024-02-13_d513c4794f4fed8a661a20e58e58f5b3_goldeneye.exe	29
PID 1344 wrote to memory of 2800	1344	{AC7F839D-A183-4c9a-9478-CE85D17E7B50}.exe	30
PID 1344 wrote to memory of 2800	1344	{AC7F839D-A183-4c9a-9478-CE85D17E7B50}.exe	30
PID 1344 wrote to memory of 2800	1344	{AC7F839D-A183-4c9a-9478-CE85D17E7B50}.exe	30
PID 1344 wrote to memory of 2800	1344	{AC7F839D-A183-4c9a-9478-CE85D17E7B50}.exe	30
PID 1344 wrote to memory of 2868	1344	{AC7F839D-A183-4c9a-9478-CE85D17E7B50}.exe	31
PID 1344 wrote to memory of 2868	1344	{AC7F839D-A183-4c9a-9478-CE85D17E7B50}.exe	31
PID 1344 wrote to memory of 2868	1344	{AC7F839D-A183-4c9a-9478-CE85D17E7B50}.exe	31
PID 1344 wrote to memory of 2868	1344	{AC7F839D-A183-4c9a-9478-CE85D17E7B50}.exe	31
PID 2800 wrote to memory of 2876	2800	{EA280C94-827A-4750-BCD6-B2A5E8FB6B10}.exe	32
PID 2800 wrote to memory of 2876	2800	{EA280C94-827A-4750-BCD6-B2A5E8FB6B10}.exe	32
PID 2800 wrote to memory of 2876	2800	{EA280C94-827A-4750-BCD6-B2A5E8FB6B10}.exe	32
PID 2800 wrote to memory of 2876	2800	{EA280C94-827A-4750-BCD6-B2A5E8FB6B10}.exe	32
PID 2800 wrote to memory of 2884	2800	{EA280C94-827A-4750-BCD6-B2A5E8FB6B10}.exe	33
PID 2800 wrote to memory of 2884	2800	{EA280C94-827A-4750-BCD6-B2A5E8FB6B10}.exe	33
PID 2800 wrote to memory of 2884	2800	{EA280C94-827A-4750-BCD6-B2A5E8FB6B10}.exe	33
PID 2800 wrote to memory of 2884	2800	{EA280C94-827A-4750-BCD6-B2A5E8FB6B10}.exe	33
PID 2876 wrote to memory of 2724	2876	{2AB05CDE-7940-46f9-983B-DA24B5976451}.exe	36
PID 2876 wrote to memory of 2724	2876	{2AB05CDE-7940-46f9-983B-DA24B5976451}.exe	36
PID 2876 wrote to memory of 2724	2876	{2AB05CDE-7940-46f9-983B-DA24B5976451}.exe	36
PID 2876 wrote to memory of 2724	2876	{2AB05CDE-7940-46f9-983B-DA24B5976451}.exe	36
PID 2876 wrote to memory of 2084	2876	{2AB05CDE-7940-46f9-983B-DA24B5976451}.exe	37
PID 2876 wrote to memory of 2084	2876	{2AB05CDE-7940-46f9-983B-DA24B5976451}.exe	37
PID 2876 wrote to memory of 2084	2876	{2AB05CDE-7940-46f9-983B-DA24B5976451}.exe	37
PID 2876 wrote to memory of 2084	2876	{2AB05CDE-7940-46f9-983B-DA24B5976451}.exe	37
PID 2724 wrote to memory of 1956	2724	{3D768A85-F1C2-429f-A772-A8A8D5B2B4D9}.exe	38
PID 2724 wrote to memory of 1956	2724	{3D768A85-F1C2-429f-A772-A8A8D5B2B4D9}.exe	38
PID 2724 wrote to memory of 1956	2724	{3D768A85-F1C2-429f-A772-A8A8D5B2B4D9}.exe	38
PID 2724 wrote to memory of 1956	2724	{3D768A85-F1C2-429f-A772-A8A8D5B2B4D9}.exe	38
PID 2724 wrote to memory of 1076	2724	{3D768A85-F1C2-429f-A772-A8A8D5B2B4D9}.exe	39
PID 2724 wrote to memory of 1076	2724	{3D768A85-F1C2-429f-A772-A8A8D5B2B4D9}.exe	39
PID 2724 wrote to memory of 1076	2724	{3D768A85-F1C2-429f-A772-A8A8D5B2B4D9}.exe	39
PID 2724 wrote to memory of 1076	2724	{3D768A85-F1C2-429f-A772-A8A8D5B2B4D9}.exe	39
PID 1956 wrote to memory of 764	1956	{0F8D39AC-6FFD-4b53-A5CD-D27646070012}.exe	40
PID 1956 wrote to memory of 764	1956	{0F8D39AC-6FFD-4b53-A5CD-D27646070012}.exe	40
PID 1956 wrote to memory of 764	1956	{0F8D39AC-6FFD-4b53-A5CD-D27646070012}.exe	40
PID 1956 wrote to memory of 764	1956	{0F8D39AC-6FFD-4b53-A5CD-D27646070012}.exe	40
PID 1956 wrote to memory of 1460	1956	{0F8D39AC-6FFD-4b53-A5CD-D27646070012}.exe	41
PID 1956 wrote to memory of 1460	1956	{0F8D39AC-6FFD-4b53-A5CD-D27646070012}.exe	41
PID 1956 wrote to memory of 1460	1956	{0F8D39AC-6FFD-4b53-A5CD-D27646070012}.exe	41
PID 1956 wrote to memory of 1460	1956	{0F8D39AC-6FFD-4b53-A5CD-D27646070012}.exe	41
PID 764 wrote to memory of 2940	764	{85B1F10C-A000-4b8d-A251-55AAFC82C55E}.exe	42
PID 764 wrote to memory of 2940	764	{85B1F10C-A000-4b8d-A251-55AAFC82C55E}.exe	42
PID 764 wrote to memory of 2940	764	{85B1F10C-A000-4b8d-A251-55AAFC82C55E}.exe	42
PID 764 wrote to memory of 2940	764	{85B1F10C-A000-4b8d-A251-55AAFC82C55E}.exe	42
PID 764 wrote to memory of 2956	764	{85B1F10C-A000-4b8d-A251-55AAFC82C55E}.exe	43
PID 764 wrote to memory of 2956	764	{85B1F10C-A000-4b8d-A251-55AAFC82C55E}.exe	43
PID 764 wrote to memory of 2956	764	{85B1F10C-A000-4b8d-A251-55AAFC82C55E}.exe	43
PID 764 wrote to memory of 2956	764	{85B1F10C-A000-4b8d-A251-55AAFC82C55E}.exe	43
PID 2940 wrote to memory of 304	2940	{5FF28F83-396C-4967-AF12-5D9B9906F836}.exe	44
PID 2940 wrote to memory of 304	2940	{5FF28F83-396C-4967-AF12-5D9B9906F836}.exe	44
PID 2940 wrote to memory of 304	2940	{5FF28F83-396C-4967-AF12-5D9B9906F836}.exe	44
PID 2940 wrote to memory of 304	2940	{5FF28F83-396C-4967-AF12-5D9B9906F836}.exe	44
PID 2940 wrote to memory of 2992	2940	{5FF28F83-396C-4967-AF12-5D9B9906F836}.exe	45
PID 2940 wrote to memory of 2992	2940	{5FF28F83-396C-4967-AF12-5D9B9906F836}.exe	45
PID 2940 wrote to memory of 2992	2940	{5FF28F83-396C-4967-AF12-5D9B9906F836}.exe	45
PID 2940 wrote to memory of 2992	2940	{5FF28F83-396C-4967-AF12-5D9B9906F836}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-02-13_d513c4794f4fed8a661a20e58e58f5b3_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-13_d513c4794f4fed8a661a20e58e58f5b3_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2536
- C:\Windows\{AC7F839D-A183-4c9a-9478-CE85D17E7B50}.exe
  C:\Windows\{AC7F839D-A183-4c9a-9478-CE85D17E7B50}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1344
- - C:\Windows\{EA280C94-827A-4750-BCD6-B2A5E8FB6B10}.exe
    C:\Windows\{EA280C94-827A-4750-BCD6-B2A5E8FB6B10}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2800
  - - C:\Windows\{2AB05CDE-7940-46f9-983B-DA24B5976451}.exe
      C:\Windows\{2AB05CDE-7940-46f9-983B-DA24B5976451}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2876
    - - C:\Windows\{3D768A85-F1C2-429f-A772-A8A8D5B2B4D9}.exe
        
        C:\Windows\{3D768A85-F1C2-429f-A772-A8A8D5B2B4D9}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2724
      - C:\Windows\{0F8D39AC-6FFD-4b53-A5CD-D27646070012}.exe
        
        C:\Windows\{0F8D39AC-6FFD-4b53-A5CD-D27646070012}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1956
        
        C:\Windows\{85B1F10C-A000-4b8d-A251-55AAFC82C55E}.exe
        
        C:\Windows\{85B1F10C-A000-4b8d-A251-55AAFC82C55E}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:764
        
        C:\Windows\{5FF28F83-396C-4967-AF12-5D9B9906F836}.exe
        
        C:\Windows\{5FF28F83-396C-4967-AF12-5D9B9906F836}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2940
        
        C:\Windows\{22867E05-D561-4ba8-8E58-E5F8EEEBBCEC}.exe
        
        C:\Windows\{22867E05-D561-4ba8-8E58-E5F8EEEBBCEC}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:304
        
        C:\Windows\{E2F71618-9410-4f15-9520-B0062C902E51}.exe
        
        C:\Windows\{E2F71618-9410-4f15-9520-B0062C902E51}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2096
        
        C:\Windows\{A5A71F55-5484-46b8-819F-453EB9B6C00D}.exe
        
        C:\Windows\{A5A71F55-5484-46b8-819F-453EB9B6C00D}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:596
        
        C:\Windows\{9DD250A7-4204-47f2-919B-A0FA5231E241}.exe
        
        C:\Windows\{9DD250A7-4204-47f2-919B-A0FA5231E241}.exe
        12⤵
        Executes dropped EXE
        
        PID:2272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A5A71~1.EXE > nul
        12⤵
        
        PID:836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E2F71~1.EXE > nul
        11⤵
        
        PID:816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{22867~1.EXE > nul
        10⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5FF28~1.EXE > nul
        9⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{85B1F~1.EXE > nul
        8⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0F8D3~1.EXE > nul
        7⤵
        
        PID:1460
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3D768~1.EXE > nul
        6⤵
        
        PID:1076
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2AB05~1.EXE > nul
        5⤵
        
        PID:2084
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{EA280~1.EXE > nul
      4⤵
      PID:2884
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{AC7F8~1.EXE > nul
    3⤵
    PID:2868
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0F8D39AC-6FFD-4b53-A5CD-D27646070012}.exe

Filesize
197KB

MD5
0b59766456f747d0528cc409b28b45b2

SHA1
5366527f9b541522c48f102406c823f05e94070a

SHA256
cb3366f00c5daa897cfa8ce0a9bb8b500101c1c7a206e75e48d43da8545ee091

SHA512
664291d4dbfb00b4c8da40587a146103980ea8b538c0a3450234f1dc820d9f917fe0cd54a84369e9fdd51dd061c76e00239776c6387a33cda7c131eac6fcc568

Download Submit
C:\Windows\{22867E05-D561-4ba8-8E58-E5F8EEEBBCEC}.exe

Filesize
197KB

MD5
168cf471f425a415d8d1840a3510d891

SHA1
17545b2213efd974396274e0c1b2e2cd9b3a794f

SHA256
c795de8411fba64cde215d8889d3761c514318267d5d0373de7597bcab275bfa

SHA512
6e26ba58255b1e0aaea3c1729b2e475966e965921015cb4754dc41d6595facc68fc70240ba68ec078242ccb290be5e33c4003784d45de9c2f5a560df45a88096

Download Submit
C:\Windows\{2AB05CDE-7940-46f9-983B-DA24B5976451}.exe

Filesize
197KB

MD5
234aeb359e55ff8efce3b43c9e9d98f1

SHA1
a1bfd5d88144407450d1c397a80ca8ac785cb62c

SHA256
baae50413e67ad23670c019b42e1ee56ed0da74aac4f5a4b3fb68275b24cf3f1

SHA512
416c039292c516e38490a3cb8f3d8a6ebcbe4aa432837b62506e0119af053d74d0c7513da3dbac0a8999586f63dbe52526293af89fdd4f69341a78c8c2d25373

Download Submit
C:\Windows\{3D768A85-F1C2-429f-A772-A8A8D5B2B4D9}.exe

Filesize
197KB

MD5
23b8bcac776fcccb3e82336816d1a18d

SHA1
bed0e0a6fad3cda0a264daf20a64e08e546b14d8

SHA256
7e1226badc6aeddb8b08192bbed27d80890173d1e45e60094202b88801bae05c

SHA512
3d088fde63e9bdea148e13f8821fe0cee6bb20d1e86a7bd859acc2493e4f0802e02ec29bd4976bb5e06d6dfb51cc054db9330b5b1206fb86b64216220419dece

Download Submit
C:\Windows\{5FF28F83-396C-4967-AF12-5D9B9906F836}.exe

Filesize
197KB

MD5
fe2668c6ac1c01a04228e377ccb66b79

SHA1
d566b6f5d4ed29762c91e907ed500c8c299b88ce

SHA256
12ae1aa596bc360e1de728f92f48031bdbe407d2c7fac7e385d3b57de8f6eae1

SHA512
fa422912c1d988551f95609d074be8c3f194b40469f3beaf5675ffcb45dbd03c4cff443612a368b7f455b29bceab3dd62387346ed88704eea3d8b518e5d7acaf

Download Submit
C:\Windows\{85B1F10C-A000-4b8d-A251-55AAFC82C55E}.exe

Filesize
197KB

MD5
d2993435d07661813b18fd9563b916e4

SHA1
fcab1e8c6b18eb2dd7a11d35c93c65b19bdb177c

SHA256
cfcb8c5afd57a3ccdba80be5a5ebdd2443742b4f65b9e5a369cc35199ad67f2b

SHA512
e05dd65de30368a251aa7b89d87f29c30f5389d88930de3ebadd883b964f7249be17214e073c9059fdf845775ae7ec221d7eebf781d0b981c90996ded58f5a1c

Download Submit
C:\Windows\{9DD250A7-4204-47f2-919B-A0FA5231E241}.exe

Filesize
197KB

MD5
3747ce81473de6a849aadb2116eb2670

SHA1
1baf4c6a3a44018a9b547ecc77e86b9173734a0c

SHA256
0d88ff15eb2fa86cecc5f945e6408d76980e0c692b334ce3241e08f9b95a6796

SHA512
8d1ba98faaa09a5b75ec49cd51dbb10a78d404f481db233c47885e3818549c2976bb78d3ba0690235620a8619137ae05a1795d6829ceff86d26b978c98afa90d

Download Submit
C:\Windows\{A5A71F55-5484-46b8-819F-453EB9B6C00D}.exe

Filesize
197KB

MD5
2b1938b1ef5c2f84575549644d49953b

SHA1
e3c22494114554a6728d08e2a0ea149503561887

SHA256
e348f65ee07a0ba1372f08035f0a5f2b4071203ce3fbe2b748eab476e224c974

SHA512
eae1555432095713f6e9598cfdb773fd58531124385b86683d100db4aa59e639594ea988328bddd36c0ca9c1d881b54dda59a30f238cc9b18c93a8befd67e657

Download Submit
C:\Windows\{AC7F839D-A183-4c9a-9478-CE85D17E7B50}.exe

Filesize
64KB

MD5
dcaf7ec15ed086d8fb94f3e53346d5dd

SHA1
99b14fe5e7c58d7ef4761eea3bea6a73a90740d8

SHA256
25df7d7c24e9ba328b9c7ea90d53fa2a9ed653e181d43d45e01493d456872292

SHA512
86d336382a9601ccfc5cb26a90d61287d1bd4aa80625dee5fa48c33b023bfb36bde8a12a7fd9a369c95501f5fabca3b76fdf969e967ef9f167b9c4739624e7b1

Download Submit
C:\Windows\{AC7F839D-A183-4c9a-9478-CE85D17E7B50}.exe

Filesize
83KB

MD5
d1d88561933168831308c5d3ef1d5f53

SHA1
2ac62b772c5d459e5c2384b3a45890b3710ed9f6

SHA256
c278a108b3cd10e2dfadcec0531009cf05b4641b55e154ada2d11ddf40fc4978

SHA512
e031ffae244d6117b8fc27187106bb6c62ded97dbcb4e34b8d09fffd8fb2dc3591258372bcd7234c0aee99ea4c6f7c2f0a2fa6fb1503915acd41aa6396c7ff66

Download Submit
C:\Windows\{AC7F839D-A183-4c9a-9478-CE85D17E7B50}.exe

Filesize
197KB

MD5
f9fbfef75484d00a329690656d3f030b

SHA1
cf92b8e99e4d97a987643b573550863b8768b213

SHA256
9e507d5d8f016f38591cadfe401f8f2a4a837002d1a56fa505d37d44fc4cc315

SHA512
9f561b7777381b389e7ae6027a067c236aef4ce917cb98a91c91d41dd11b6f9e8ecd70a48ba48f8d89388b1760eb8c66db47a69e94a6a824c67805667bf8598c

Download Submit
C:\Windows\{E2F71618-9410-4f15-9520-B0062C902E51}.exe

Filesize
197KB

MD5
c139ba57d16a80636370611dc5de8f31

SHA1
147e0e557218929235a5f8fb33a9a11886234858

SHA256
53b3e382f6d586a7e4f427a067c26de1aaa14c3e638e36a1b874c9696a26918b

SHA512
9f40195c1a7fca6f9ab0f75e589100cb0bd35bd69131ab568792aeaf5ce3abc061aff80a10a7a79d1af02de96de1816b1ffa8f089d2026f0751ed59804ef7041

Download Submit
C:\Windows\{EA280C94-827A-4750-BCD6-B2A5E8FB6B10}.exe

Filesize
197KB

MD5
02bd5b2df8033b30e83994d2ad8c097c

SHA1
5678bad477078f99013ab0b81a52a303b0791431

SHA256
30f6e74b15997f820c5a5a216756e4d25cccf34268ee722dc519e5a47298e7c3

SHA512
197f1e2858bed70ade66d73a91dfdf6a18727f229f7e1b42a5619eae3a14d1bde7a33acb76bc4fc0a053ad4a2a053025a27ccfdf5c60d59105da777b925b00b1

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads