b9a0182ec522a022f2ee1f7804ef8cf540503a1a7d6604c523bf1acfbfa71f53

Analysis

max time kernel
151s
max time network
122s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
13/02/2024, 21:26

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-02-13_30e235408f0e1c206818a933d1aea018_goldeneye.exe
Size

216KB
MD5

30e235408f0e1c206818a933d1aea018
SHA1

c71844a25df9178589092f746065fab8e6fd2b6b
SHA256

b9a0182ec522a022f2ee1f7804ef8cf540503a1a7d6604c523bf1acfbfa71f53
SHA512

601e1de8887db9debcfc13c245707b52c0050b81224fbc6a841b44e23ddc3fd30f61504ce22ac5b456337ec7fa4dba6d5cae0a27ac873713e88a430866c90fe6
SSDEEP

3072:jEGh0oTl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEG1lEeKcAEcGy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral1/files/0x000c000000012258-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a000000012274-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0030000000012687-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001000000000b1f5-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001100000000b1f5-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001200000000b1f5-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b000000012274-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000004ed7-82.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{76E31CC9-420F-4c34-A0E4-F268920C3F26}\stubpath = "C:\\Windows\\{76E31CC9-420F-4c34-A0E4-F268920C3F26}.exe"	2024-02-13_30e235408f0e1c206818a933d1aea018_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6F142204-0220-471a-BA82-FB0216A90079}\stubpath = "C:\\Windows\\{6F142204-0220-471a-BA82-FB0216A90079}.exe"	{76E31CC9-420F-4c34-A0E4-F268920C3F26}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1A415652-6773-425d-ACEC-66EF106BEDD9}\stubpath = "C:\\Windows\\{1A415652-6773-425d-ACEC-66EF106BEDD9}.exe"	{F31D0ACC-A4B5-4fdd-9584-23C8AC272854}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9FD074E0-1D08-411b-BBE8-72DCC39690E5}	{1A415652-6773-425d-ACEC-66EF106BEDD9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{12D6C7C5-12D9-4a61-8381-40154E6254EC}	{9FD074E0-1D08-411b-BBE8-72DCC39690E5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7F77543C-89F3-4e4f-A2CC-127EBDD19394}	{12D6C7C5-12D9-4a61-8381-40154E6254EC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{821A2E92-A0AB-43d9-851E-5932C27D3140}	{7F77543C-89F3-4e4f-A2CC-127EBDD19394}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{71A4370E-303D-4207-B764-588CB4AA9ADB}	{6ED82561-CB16-4f00-B122-80C1BE1F6F74}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{85A87C2C-9915-48bf-B2C3-9E43B726F63E}\stubpath = "C:\\Windows\\{85A87C2C-9915-48bf-B2C3-9E43B726F63E}.exe"	{71A4370E-303D-4207-B764-588CB4AA9ADB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{55FB42D4-B0CF-4807-8826-1DEEA872B569}\stubpath = "C:\\Windows\\{55FB42D4-B0CF-4807-8826-1DEEA872B569}.exe"	{85A87C2C-9915-48bf-B2C3-9E43B726F63E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6ED82561-CB16-4f00-B122-80C1BE1F6F74}	{821A2E92-A0AB-43d9-851E-5932C27D3140}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{76E31CC9-420F-4c34-A0E4-F268920C3F26}	2024-02-13_30e235408f0e1c206818a933d1aea018_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6F142204-0220-471a-BA82-FB0216A90079}	{76E31CC9-420F-4c34-A0E4-F268920C3F26}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F31D0ACC-A4B5-4fdd-9584-23C8AC272854}	{6F142204-0220-471a-BA82-FB0216A90079}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F31D0ACC-A4B5-4fdd-9584-23C8AC272854}\stubpath = "C:\\Windows\\{F31D0ACC-A4B5-4fdd-9584-23C8AC272854}.exe"	{6F142204-0220-471a-BA82-FB0216A90079}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1A415652-6773-425d-ACEC-66EF106BEDD9}	{F31D0ACC-A4B5-4fdd-9584-23C8AC272854}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{12D6C7C5-12D9-4a61-8381-40154E6254EC}\stubpath = "C:\\Windows\\{12D6C7C5-12D9-4a61-8381-40154E6254EC}.exe"	{9FD074E0-1D08-411b-BBE8-72DCC39690E5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{821A2E92-A0AB-43d9-851E-5932C27D3140}\stubpath = "C:\\Windows\\{821A2E92-A0AB-43d9-851E-5932C27D3140}.exe"	{7F77543C-89F3-4e4f-A2CC-127EBDD19394}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9FD074E0-1D08-411b-BBE8-72DCC39690E5}\stubpath = "C:\\Windows\\{9FD074E0-1D08-411b-BBE8-72DCC39690E5}.exe"	{1A415652-6773-425d-ACEC-66EF106BEDD9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7F77543C-89F3-4e4f-A2CC-127EBDD19394}\stubpath = "C:\\Windows\\{7F77543C-89F3-4e4f-A2CC-127EBDD19394}.exe"	{12D6C7C5-12D9-4a61-8381-40154E6254EC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6ED82561-CB16-4f00-B122-80C1BE1F6F74}\stubpath = "C:\\Windows\\{6ED82561-CB16-4f00-B122-80C1BE1F6F74}.exe"	{821A2E92-A0AB-43d9-851E-5932C27D3140}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{71A4370E-303D-4207-B764-588CB4AA9ADB}\stubpath = "C:\\Windows\\{71A4370E-303D-4207-B764-588CB4AA9ADB}.exe"	{6ED82561-CB16-4f00-B122-80C1BE1F6F74}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{85A87C2C-9915-48bf-B2C3-9E43B726F63E}	{71A4370E-303D-4207-B764-588CB4AA9ADB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{55FB42D4-B0CF-4807-8826-1DEEA872B569}	{85A87C2C-9915-48bf-B2C3-9E43B726F63E}.exe

Deletes itself 1 IoCs

pid	Process
2144	cmd.exe

Executes dropped EXE 12 IoCs

pid	Process
2848	{76E31CC9-420F-4c34-A0E4-F268920C3F26}.exe
2632	{6F142204-0220-471a-BA82-FB0216A90079}.exe
2532	{F31D0ACC-A4B5-4fdd-9584-23C8AC272854}.exe
1804	{1A415652-6773-425d-ACEC-66EF106BEDD9}.exe
2916	{9FD074E0-1D08-411b-BBE8-72DCC39690E5}.exe
340	{12D6C7C5-12D9-4a61-8381-40154E6254EC}.exe
856	{7F77543C-89F3-4e4f-A2CC-127EBDD19394}.exe
576	{821A2E92-A0AB-43d9-851E-5932C27D3140}.exe
1208	{6ED82561-CB16-4f00-B122-80C1BE1F6F74}.exe
2396	{71A4370E-303D-4207-B764-588CB4AA9ADB}.exe
2028	{85A87C2C-9915-48bf-B2C3-9E43B726F63E}.exe
400	{55FB42D4-B0CF-4807-8826-1DEEA872B569}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{6F142204-0220-471a-BA82-FB0216A90079}.exe	{76E31CC9-420F-4c34-A0E4-F268920C3F26}.exe
File created	C:\Windows\{1A415652-6773-425d-ACEC-66EF106BEDD9}.exe	{F31D0ACC-A4B5-4fdd-9584-23C8AC272854}.exe
File created	C:\Windows\{6ED82561-CB16-4f00-B122-80C1BE1F6F74}.exe	{821A2E92-A0AB-43d9-851E-5932C27D3140}.exe
File created	C:\Windows\{71A4370E-303D-4207-B764-588CB4AA9ADB}.exe	{6ED82561-CB16-4f00-B122-80C1BE1F6F74}.exe
File created	C:\Windows\{85A87C2C-9915-48bf-B2C3-9E43B726F63E}.exe	{71A4370E-303D-4207-B764-588CB4AA9ADB}.exe
File created	C:\Windows\{76E31CC9-420F-4c34-A0E4-F268920C3F26}.exe	2024-02-13_30e235408f0e1c206818a933d1aea018_goldeneye.exe
File created	C:\Windows\{F31D0ACC-A4B5-4fdd-9584-23C8AC272854}.exe	{6F142204-0220-471a-BA82-FB0216A90079}.exe
File created	C:\Windows\{9FD074E0-1D08-411b-BBE8-72DCC39690E5}.exe	{1A415652-6773-425d-ACEC-66EF106BEDD9}.exe
File created	C:\Windows\{12D6C7C5-12D9-4a61-8381-40154E6254EC}.exe	{9FD074E0-1D08-411b-BBE8-72DCC39690E5}.exe
File created	C:\Windows\{7F77543C-89F3-4e4f-A2CC-127EBDD19394}.exe	{12D6C7C5-12D9-4a61-8381-40154E6254EC}.exe
File created	C:\Windows\{821A2E92-A0AB-43d9-851E-5932C27D3140}.exe	{7F77543C-89F3-4e4f-A2CC-127EBDD19394}.exe
File created	C:\Windows\{55FB42D4-B0CF-4807-8826-1DEEA872B569}.exe	{85A87C2C-9915-48bf-B2C3-9E43B726F63E}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2040	2024-02-13_30e235408f0e1c206818a933d1aea018_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2848	{76E31CC9-420F-4c34-A0E4-F268920C3F26}.exe
Token: SeIncBasePriorityPrivilege	2632	{6F142204-0220-471a-BA82-FB0216A90079}.exe
Token: SeIncBasePriorityPrivilege	2532	{F31D0ACC-A4B5-4fdd-9584-23C8AC272854}.exe
Token: SeIncBasePriorityPrivilege	1804	{1A415652-6773-425d-ACEC-66EF106BEDD9}.exe
Token: SeIncBasePriorityPrivilege	2916	{9FD074E0-1D08-411b-BBE8-72DCC39690E5}.exe
Token: SeIncBasePriorityPrivilege	340	{12D6C7C5-12D9-4a61-8381-40154E6254EC}.exe
Token: SeIncBasePriorityPrivilege	856	{7F77543C-89F3-4e4f-A2CC-127EBDD19394}.exe
Token: SeIncBasePriorityPrivilege	576	{821A2E92-A0AB-43d9-851E-5932C27D3140}.exe
Token: SeIncBasePriorityPrivilege	1208	{6ED82561-CB16-4f00-B122-80C1BE1F6F74}.exe
Token: SeIncBasePriorityPrivilege	2396	{71A4370E-303D-4207-B764-588CB4AA9ADB}.exe
Token: SeIncBasePriorityPrivilege	2028	{85A87C2C-9915-48bf-B2C3-9E43B726F63E}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2040 wrote to memory of 2848	2040	2024-02-13_30e235408f0e1c206818a933d1aea018_goldeneye.exe	28
PID 2040 wrote to memory of 2848	2040	2024-02-13_30e235408f0e1c206818a933d1aea018_goldeneye.exe	28
PID 2040 wrote to memory of 2848	2040	2024-02-13_30e235408f0e1c206818a933d1aea018_goldeneye.exe	28
PID 2040 wrote to memory of 2848	2040	2024-02-13_30e235408f0e1c206818a933d1aea018_goldeneye.exe	28
PID 2040 wrote to memory of 2144	2040	2024-02-13_30e235408f0e1c206818a933d1aea018_goldeneye.exe	29
PID 2040 wrote to memory of 2144	2040	2024-02-13_30e235408f0e1c206818a933d1aea018_goldeneye.exe	29
PID 2040 wrote to memory of 2144	2040	2024-02-13_30e235408f0e1c206818a933d1aea018_goldeneye.exe	29
PID 2040 wrote to memory of 2144	2040	2024-02-13_30e235408f0e1c206818a933d1aea018_goldeneye.exe	29
PID 2848 wrote to memory of 2632	2848	{76E31CC9-420F-4c34-A0E4-F268920C3F26}.exe	30
PID 2848 wrote to memory of 2632	2848	{76E31CC9-420F-4c34-A0E4-F268920C3F26}.exe	30
PID 2848 wrote to memory of 2632	2848	{76E31CC9-420F-4c34-A0E4-F268920C3F26}.exe	30
PID 2848 wrote to memory of 2632	2848	{76E31CC9-420F-4c34-A0E4-F268920C3F26}.exe	30
PID 2848 wrote to memory of 2640	2848	{76E31CC9-420F-4c34-A0E4-F268920C3F26}.exe	31
PID 2848 wrote to memory of 2640	2848	{76E31CC9-420F-4c34-A0E4-F268920C3F26}.exe	31
PID 2848 wrote to memory of 2640	2848	{76E31CC9-420F-4c34-A0E4-F268920C3F26}.exe	31
PID 2848 wrote to memory of 2640	2848	{76E31CC9-420F-4c34-A0E4-F268920C3F26}.exe	31
PID 2632 wrote to memory of 2532	2632	{6F142204-0220-471a-BA82-FB0216A90079}.exe	34
PID 2632 wrote to memory of 2532	2632	{6F142204-0220-471a-BA82-FB0216A90079}.exe	34
PID 2632 wrote to memory of 2532	2632	{6F142204-0220-471a-BA82-FB0216A90079}.exe	34
PID 2632 wrote to memory of 2532	2632	{6F142204-0220-471a-BA82-FB0216A90079}.exe	34
PID 2632 wrote to memory of 2628	2632	{6F142204-0220-471a-BA82-FB0216A90079}.exe	35
PID 2632 wrote to memory of 2628	2632	{6F142204-0220-471a-BA82-FB0216A90079}.exe	35
PID 2632 wrote to memory of 2628	2632	{6F142204-0220-471a-BA82-FB0216A90079}.exe	35
PID 2632 wrote to memory of 2628	2632	{6F142204-0220-471a-BA82-FB0216A90079}.exe	35
PID 2532 wrote to memory of 1804	2532	{F31D0ACC-A4B5-4fdd-9584-23C8AC272854}.exe	36
PID 2532 wrote to memory of 1804	2532	{F31D0ACC-A4B5-4fdd-9584-23C8AC272854}.exe	36
PID 2532 wrote to memory of 1804	2532	{F31D0ACC-A4B5-4fdd-9584-23C8AC272854}.exe	36
PID 2532 wrote to memory of 1804	2532	{F31D0ACC-A4B5-4fdd-9584-23C8AC272854}.exe	36
PID 2532 wrote to memory of 2740	2532	{F31D0ACC-A4B5-4fdd-9584-23C8AC272854}.exe	37
PID 2532 wrote to memory of 2740	2532	{F31D0ACC-A4B5-4fdd-9584-23C8AC272854}.exe	37
PID 2532 wrote to memory of 2740	2532	{F31D0ACC-A4B5-4fdd-9584-23C8AC272854}.exe	37
PID 2532 wrote to memory of 2740	2532	{F31D0ACC-A4B5-4fdd-9584-23C8AC272854}.exe	37
PID 1804 wrote to memory of 2916	1804	{1A415652-6773-425d-ACEC-66EF106BEDD9}.exe	38
PID 1804 wrote to memory of 2916	1804	{1A415652-6773-425d-ACEC-66EF106BEDD9}.exe	38
PID 1804 wrote to memory of 2916	1804	{1A415652-6773-425d-ACEC-66EF106BEDD9}.exe	38
PID 1804 wrote to memory of 2916	1804	{1A415652-6773-425d-ACEC-66EF106BEDD9}.exe	38
PID 1804 wrote to memory of 2152	1804	{1A415652-6773-425d-ACEC-66EF106BEDD9}.exe	39
PID 1804 wrote to memory of 2152	1804	{1A415652-6773-425d-ACEC-66EF106BEDD9}.exe	39
PID 1804 wrote to memory of 2152	1804	{1A415652-6773-425d-ACEC-66EF106BEDD9}.exe	39
PID 1804 wrote to memory of 2152	1804	{1A415652-6773-425d-ACEC-66EF106BEDD9}.exe	39
PID 2916 wrote to memory of 340	2916	{9FD074E0-1D08-411b-BBE8-72DCC39690E5}.exe	40
PID 2916 wrote to memory of 340	2916	{9FD074E0-1D08-411b-BBE8-72DCC39690E5}.exe	40
PID 2916 wrote to memory of 340	2916	{9FD074E0-1D08-411b-BBE8-72DCC39690E5}.exe	40
PID 2916 wrote to memory of 340	2916	{9FD074E0-1D08-411b-BBE8-72DCC39690E5}.exe	40
PID 2916 wrote to memory of 1856	2916	{9FD074E0-1D08-411b-BBE8-72DCC39690E5}.exe	41
PID 2916 wrote to memory of 1856	2916	{9FD074E0-1D08-411b-BBE8-72DCC39690E5}.exe	41
PID 2916 wrote to memory of 1856	2916	{9FD074E0-1D08-411b-BBE8-72DCC39690E5}.exe	41
PID 2916 wrote to memory of 1856	2916	{9FD074E0-1D08-411b-BBE8-72DCC39690E5}.exe	41
PID 340 wrote to memory of 856	340	{12D6C7C5-12D9-4a61-8381-40154E6254EC}.exe	42
PID 340 wrote to memory of 856	340	{12D6C7C5-12D9-4a61-8381-40154E6254EC}.exe	42
PID 340 wrote to memory of 856	340	{12D6C7C5-12D9-4a61-8381-40154E6254EC}.exe	42
PID 340 wrote to memory of 856	340	{12D6C7C5-12D9-4a61-8381-40154E6254EC}.exe	42
PID 340 wrote to memory of 528	340	{12D6C7C5-12D9-4a61-8381-40154E6254EC}.exe	43
PID 340 wrote to memory of 528	340	{12D6C7C5-12D9-4a61-8381-40154E6254EC}.exe	43
PID 340 wrote to memory of 528	340	{12D6C7C5-12D9-4a61-8381-40154E6254EC}.exe	43
PID 340 wrote to memory of 528	340	{12D6C7C5-12D9-4a61-8381-40154E6254EC}.exe	43
PID 856 wrote to memory of 576	856	{7F77543C-89F3-4e4f-A2CC-127EBDD19394}.exe	44
PID 856 wrote to memory of 576	856	{7F77543C-89F3-4e4f-A2CC-127EBDD19394}.exe	44
PID 856 wrote to memory of 576	856	{7F77543C-89F3-4e4f-A2CC-127EBDD19394}.exe	44
PID 856 wrote to memory of 576	856	{7F77543C-89F3-4e4f-A2CC-127EBDD19394}.exe	44
PID 856 wrote to memory of 2744	856	{7F77543C-89F3-4e4f-A2CC-127EBDD19394}.exe	45
PID 856 wrote to memory of 2744	856	{7F77543C-89F3-4e4f-A2CC-127EBDD19394}.exe	45
PID 856 wrote to memory of 2744	856	{7F77543C-89F3-4e4f-A2CC-127EBDD19394}.exe	45
PID 856 wrote to memory of 2744	856	{7F77543C-89F3-4e4f-A2CC-127EBDD19394}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-02-13_30e235408f0e1c206818a933d1aea018_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-13_30e235408f0e1c206818a933d1aea018_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2040
- C:\Windows\{76E31CC9-420F-4c34-A0E4-F268920C3F26}.exe
  C:\Windows\{76E31CC9-420F-4c34-A0E4-F268920C3F26}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2848
- - C:\Windows\{6F142204-0220-471a-BA82-FB0216A90079}.exe
    C:\Windows\{6F142204-0220-471a-BA82-FB0216A90079}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2632
  - - C:\Windows\{F31D0ACC-A4B5-4fdd-9584-23C8AC272854}.exe
      C:\Windows\{F31D0ACC-A4B5-4fdd-9584-23C8AC272854}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2532
    - - C:\Windows\{1A415652-6773-425d-ACEC-66EF106BEDD9}.exe
        
        C:\Windows\{1A415652-6773-425d-ACEC-66EF106BEDD9}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1804
      - C:\Windows\{9FD074E0-1D08-411b-BBE8-72DCC39690E5}.exe
        
        C:\Windows\{9FD074E0-1D08-411b-BBE8-72DCC39690E5}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2916
        
        C:\Windows\{12D6C7C5-12D9-4a61-8381-40154E6254EC}.exe
        
        C:\Windows\{12D6C7C5-12D9-4a61-8381-40154E6254EC}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:340
        
        C:\Windows\{7F77543C-89F3-4e4f-A2CC-127EBDD19394}.exe
        
        C:\Windows\{7F77543C-89F3-4e4f-A2CC-127EBDD19394}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:856
        
        C:\Windows\{821A2E92-A0AB-43d9-851E-5932C27D3140}.exe
        
        C:\Windows\{821A2E92-A0AB-43d9-851E-5932C27D3140}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:576
        
        C:\Windows\{6ED82561-CB16-4f00-B122-80C1BE1F6F74}.exe
        
        C:\Windows\{6ED82561-CB16-4f00-B122-80C1BE1F6F74}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1208
        
        C:\Windows\{71A4370E-303D-4207-B764-588CB4AA9ADB}.exe
        
        C:\Windows\{71A4370E-303D-4207-B764-588CB4AA9ADB}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2396
        
        C:\Windows\{85A87C2C-9915-48bf-B2C3-9E43B726F63E}.exe
        
        C:\Windows\{85A87C2C-9915-48bf-B2C3-9E43B726F63E}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2028
        
        C:\Windows\{55FB42D4-B0CF-4807-8826-1DEEA872B569}.exe
        
        C:\Windows\{55FB42D4-B0CF-4807-8826-1DEEA872B569}.exe
        13⤵
        Executes dropped EXE
        
        PID:400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{85A87~1.EXE > nul
        13⤵
        
        PID:2432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{71A43~1.EXE > nul
        12⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6ED82~1.EXE > nul
        11⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{821A2~1.EXE > nul
        10⤵
        
        PID:1080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7F775~1.EXE > nul
        9⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{12D6C~1.EXE > nul
        8⤵
        
        PID:528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9FD07~1.EXE > nul
        7⤵
        
        PID:1856
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1A415~1.EXE > nul
        6⤵
        
        PID:2152
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F31D0~1.EXE > nul
        5⤵
        
        PID:2740
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{6F142~1.EXE > nul
      4⤵
      PID:2628
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{76E31~1.EXE > nul
    3⤵
    PID:2640
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2144

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{12D6C7C5-12D9-4a61-8381-40154E6254EC}.exe

Filesize
216KB

MD5
60f853586d1b3d80c034bd46ff8995df

SHA1
5d984c4d0cc89558663d330e82bea02cf1069e8c

SHA256
6e085be45c5a0db5ead213df300dcf8e02abb40155db2699143080c624ca5024

SHA512
28cc0fe32ad85ed39f2a1625d72f323e4f01e11e63bcf408b4a56727d11428d24c14c1b0c5d2ccd0907d5b20fd67093cb6346423b30d2b54e7827aef9c14de05

Download Submit
C:\Windows\{1A415652-6773-425d-ACEC-66EF106BEDD9}.exe

Filesize
216KB

MD5
2a9761a029e2b5218c1414cb9481187f

SHA1
7410cb83309b4e88ed45e7388516a2aa69524f55

SHA256
2f6f23718eda2bcb8327363cf39502dde09247a86a08904a8ce368c093b4b5dc

SHA512
74e8559fca4b7a3ecc81c7d2a852646201768fad8cb60bf96d036eaa7bf7ba4eefbe195417af9e129ba578b0f524e06847a87bf5059f30da7a894dd368fc9e32

Download Submit
C:\Windows\{55FB42D4-B0CF-4807-8826-1DEEA872B569}.exe

Filesize
216KB

MD5
db652a5390b7b82a5b82f28fa9080a0a

SHA1
f64d32939ffa41b7d754f048e5254dd278044187

SHA256
1bde59fde3435a29fd749531e072ebe0da3d4ce4e41562b82b6a9cd8353711d1

SHA512
c71dfe1f1dc6c5945a588b2781e72080ad69011c1224b16a7f3532f6647a012c6090856da72627dde950d68fdd542b126d326f874f6f6c3c094611d582e6b319

Download Submit
C:\Windows\{6ED82561-CB16-4f00-B122-80C1BE1F6F74}.exe

Filesize
216KB

MD5
7441c92271cbf26dacf430cd28d937e2

SHA1
9be425e34ccb2007d5ede670216df798d90f7a1c

SHA256
03f73ddec069b00dc9d53e2573c53980201015ba69e93aa408345b46a5700987

SHA512
326cce2a7d49b10731559f2f86d8d0b3330bc5265c721fd918ebb19cc3f9cb30bcaca659b8f3b165b1c3a3b816a66db6ac505a3a5064d14b0f964f2e4f8d0d31

Download Submit
C:\Windows\{6F142204-0220-471a-BA82-FB0216A90079}.exe

Filesize
216KB

MD5
3f6851da37911d7cae1a57aed9676462

SHA1
b312780bf7131b7bad81c461a8d28548f9c22b88

SHA256
9b2f64c3b435fe43de9237a0aff391d45087a6394ee37110d7e5d436ab58d323

SHA512
e34c27da5ac033262e426af6dfeee37cebfaef5d7209916e8e4b335533778aa95aa2a69daaaaf67b50d40a1f75359ccf8ece1d78f25664b5ff75ce4179044cf3

Download Submit
C:\Windows\{71A4370E-303D-4207-B764-588CB4AA9ADB}.exe

Filesize
216KB

MD5
041eeb23941a8ba2f23c91919482e0b5

SHA1
5905a2a6846e0edff37cda15fbd4182f7e26f198

SHA256
54d977f7f1585e41f590db07865deb0f49968c47771fb18ee25fb11943f66651

SHA512
559d16a01daee05c18c9f71ccc1fc2f959a7e72f3b4cfb225d27c6b8653e66882a952d8b269ccc46ca0320c2101ce8166b7ac1c1e2717aa889496b00f1b0e11a

Download Submit
C:\Windows\{76E31CC9-420F-4c34-A0E4-F268920C3F26}.exe

Filesize
216KB

MD5
87d77ea22ede27fb2d038c69539b79c4

SHA1
aeabe7973a498a66307284d6c5116f7be6bea968

SHA256
c1897de08a79c0896cef7e4fe438a78f90709a0c5807e68104a269db7a8f8b47

SHA512
0b3e5aaacf6090330018bddccd96035af3059b1d90f2b6755bcdd8afaecb1f6f2e368c01f951bf2599a2f185eb6e54544d2d096293e4f71dfa66de5cfcc616a2

Download Submit
C:\Windows\{7F77543C-89F3-4e4f-A2CC-127EBDD19394}.exe

Filesize
216KB

MD5
04b89bd81c613d34b21101cbcbc78ef3

SHA1
fb6406e3851bcbae7d40d0b9063570ff6818dbec

SHA256
0e4fc04144015fd73247ece2b9f68f62604afeb69b7c91b2c71e513801ecc797

SHA512
74879603e71f5611724bf39f04e6cb156a15de8606d69794cf5d2a9594b37482d2f9cf7cd6612119b233055c13bf10b9dc21c8a0958f747ab1090cc82b92ecaa

Download Submit
C:\Windows\{821A2E92-A0AB-43d9-851E-5932C27D3140}.exe

Filesize
216KB

MD5
6d85c0f1115cdcde0cd2875cee36dbf1

SHA1
41817eec337bfc32093e412c970acf4db28bf1f8

SHA256
451269de66277f8a64c4138e27865dcb810dfe2040d19bd8fa66568302ec8b6f

SHA512
d16fd2a54bdb93b4122421c7c61904fea9ddb5c4e7e8177941abbffa3a394121cb8e5c0e1d978756348d36dc7b9ec57b02bd758530195f78c408a4a20723d74b

Download Submit
C:\Windows\{85A87C2C-9915-48bf-B2C3-9E43B726F63E}.exe

Filesize
216KB

MD5
96f97d25b81777a846f4fab1f89c899c

SHA1
a3c1c6600fc2f8646ebce66a2416e86c3390e0b2

SHA256
30a64643ce794038ea34bc8f38aeece1e317698cf705b1fdd2b221d0a86f1af2

SHA512
8270ed61bada9289b0abc06b9ec43e2ae28fecb18ce6ca7ea4a46e05c61f419f2d387f793133e776b22a1f01f2c27ca07cc8c8dab585702ef626aee0a5f4ab94

Download Submit
C:\Windows\{9FD074E0-1D08-411b-BBE8-72DCC39690E5}.exe

Filesize
216KB

MD5
6e93fa4a20c031f3eae91c89a98f1ee7

SHA1
f5141a00af8ebfed6a1b097125cf0d5038395bc3

SHA256
5115749ce5dcf22e5ddd02eb0a0e45037f0186413480ebd78bc8249ff77aecfd

SHA512
2bddda45611fc06a28c72ca98a3db34de3d69dfd9db86359d89e2d880d8001f3d5ac835fab6f47894704cd56dfc2f0091cf26780f11ed76a2f33f4620711e7ef

Download Submit
C:\Windows\{F31D0ACC-A4B5-4fdd-9584-23C8AC272854}.exe

Filesize
216KB

MD5
070eeca50fcdfd134681bdc4015459f6

SHA1
dd483572357cc0460d8cb518771c6373e335c9f7

SHA256
077e1d45532a8b6995151051728e8b69c8e69a9a9900f6a530033c157443e053

SHA512
00b588960e6f28ae9f195c74e10a44c2eb2924c2eab3be471dbf7bec40c2c96caf1f5d8f7181d9a8ea27adb1ab115658a9cf54c700ca62ef2003ef6f7449d2e5

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads