e2554e12fab39f62c699419a6243e70a4181d8fc932542258886cdf8b4627a1f

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
14/02/2024, 01:03

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-02-14_e02cc5b504d42790ffc3c0638f307d95_goldeneye.exe
Size

372KB
MD5

e02cc5b504d42790ffc3c0638f307d95
SHA1

e4b3434e3d8004880cfbe10c596cb399d20e3604
SHA256

e2554e12fab39f62c699419a6243e70a4181d8fc932542258886cdf8b4627a1f
SHA512

ec6157ec42971744c8057d6780f5c168e97ab81121e9c8fd39896654250d94810328a629ef663a0a4b1002ce3d2233292bfd09c15911eb1aca180639f7e10e5a
SSDEEP

3072:CEGh0oMlMOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBfM:CEG+lkOe2MUVg3vTeKcAEciTBqr3

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000a000000012243-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002b000000015c6f-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000600000000f6f8-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0011000000015c83-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000700000000f6f8-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000015d03-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000015dbb-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000015e09-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000015e82-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000015e09-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000015e82-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6C76CAF8-36B7-4e95-AB91-A1740780B9B5}\stubpath = "C:\\Windows\\{6C76CAF8-36B7-4e95-AB91-A1740780B9B5}.exe"	2024-02-14_e02cc5b504d42790ffc3c0638f307d95_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{11E83EF8-8FFE-4895-B10D-3A8C51950454}	{6C76CAF8-36B7-4e95-AB91-A1740780B9B5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8AC03DCE-43B4-4917-8B6B-86E2387BAB8C}\stubpath = "C:\\Windows\\{8AC03DCE-43B4-4917-8B6B-86E2387BAB8C}.exe"	{1F3AF5E1-F6F2-4c8f-91F0-AF656AB4442D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{09629906-8D52-413b-96FC-EBEDA1890357}	{F3F955C4-EE0A-4f05-A4AF-F1FD77E5FF71}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3F07FBBC-3E37-4165-801B-789127333038}\stubpath = "C:\\Windows\\{3F07FBBC-3E37-4165-801B-789127333038}.exe"	{09629906-8D52-413b-96FC-EBEDA1890357}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{51D66B81-B106-4c9c-91EE-AE07C3BFDDD3}	{81D8B055-3C42-47ce-880F-FA44FD7AF724}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{51D66B81-B106-4c9c-91EE-AE07C3BFDDD3}\stubpath = "C:\\Windows\\{51D66B81-B106-4c9c-91EE-AE07C3BFDDD3}.exe"	{81D8B055-3C42-47ce-880F-FA44FD7AF724}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6C76CAF8-36B7-4e95-AB91-A1740780B9B5}	2024-02-14_e02cc5b504d42790ffc3c0638f307d95_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B6825E7B-AAFC-41fd-9827-636EA55BDDF8}	{51D66B81-B106-4c9c-91EE-AE07C3BFDDD3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F3F955C4-EE0A-4f05-A4AF-F1FD77E5FF71}\stubpath = "C:\\Windows\\{F3F955C4-EE0A-4f05-A4AF-F1FD77E5FF71}.exe"	{8AC03DCE-43B4-4917-8B6B-86E2387BAB8C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B6825E7B-AAFC-41fd-9827-636EA55BDDF8}\stubpath = "C:\\Windows\\{B6825E7B-AAFC-41fd-9827-636EA55BDDF8}.exe"	{51D66B81-B106-4c9c-91EE-AE07C3BFDDD3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DD9D4817-F286-439c-A723-CAB9D5C0ADC0}\stubpath = "C:\\Windows\\{DD9D4817-F286-439c-A723-CAB9D5C0ADC0}.exe"	{B6825E7B-AAFC-41fd-9827-636EA55BDDF8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{11E83EF8-8FFE-4895-B10D-3A8C51950454}\stubpath = "C:\\Windows\\{11E83EF8-8FFE-4895-B10D-3A8C51950454}.exe"	{6C76CAF8-36B7-4e95-AB91-A1740780B9B5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8AC03DCE-43B4-4917-8B6B-86E2387BAB8C}	{1F3AF5E1-F6F2-4c8f-91F0-AF656AB4442D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F3F955C4-EE0A-4f05-A4AF-F1FD77E5FF71}	{8AC03DCE-43B4-4917-8B6B-86E2387BAB8C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{81D8B055-3C42-47ce-880F-FA44FD7AF724}	{3F07FBBC-3E37-4165-801B-789127333038}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{81D8B055-3C42-47ce-880F-FA44FD7AF724}\stubpath = "C:\\Windows\\{81D8B055-3C42-47ce-880F-FA44FD7AF724}.exe"	{3F07FBBC-3E37-4165-801B-789127333038}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DD9D4817-F286-439c-A723-CAB9D5C0ADC0}	{B6825E7B-AAFC-41fd-9827-636EA55BDDF8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1F3AF5E1-F6F2-4c8f-91F0-AF656AB4442D}\stubpath = "C:\\Windows\\{1F3AF5E1-F6F2-4c8f-91F0-AF656AB4442D}.exe"	{11E83EF8-8FFE-4895-B10D-3A8C51950454}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{09629906-8D52-413b-96FC-EBEDA1890357}\stubpath = "C:\\Windows\\{09629906-8D52-413b-96FC-EBEDA1890357}.exe"	{F3F955C4-EE0A-4f05-A4AF-F1FD77E5FF71}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3F07FBBC-3E37-4165-801B-789127333038}	{09629906-8D52-413b-96FC-EBEDA1890357}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1F3AF5E1-F6F2-4c8f-91F0-AF656AB4442D}	{11E83EF8-8FFE-4895-B10D-3A8C51950454}.exe

Deletes itself 1 IoCs

pid	Process
3052	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2876	{6C76CAF8-36B7-4e95-AB91-A1740780B9B5}.exe
2564	{11E83EF8-8FFE-4895-B10D-3A8C51950454}.exe
2544	{1F3AF5E1-F6F2-4c8f-91F0-AF656AB4442D}.exe
2200	{8AC03DCE-43B4-4917-8B6B-86E2387BAB8C}.exe
948	{F3F955C4-EE0A-4f05-A4AF-F1FD77E5FF71}.exe
2628	{09629906-8D52-413b-96FC-EBEDA1890357}.exe
2460	{3F07FBBC-3E37-4165-801B-789127333038}.exe
1300	{81D8B055-3C42-47ce-880F-FA44FD7AF724}.exe
2972	{51D66B81-B106-4c9c-91EE-AE07C3BFDDD3}.exe
2384	{B6825E7B-AAFC-41fd-9827-636EA55BDDF8}.exe
2160	{DD9D4817-F286-439c-A723-CAB9D5C0ADC0}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{11E83EF8-8FFE-4895-B10D-3A8C51950454}.exe	{6C76CAF8-36B7-4e95-AB91-A1740780B9B5}.exe
File created	C:\Windows\{3F07FBBC-3E37-4165-801B-789127333038}.exe	{09629906-8D52-413b-96FC-EBEDA1890357}.exe
File created	C:\Windows\{81D8B055-3C42-47ce-880F-FA44FD7AF724}.exe	{3F07FBBC-3E37-4165-801B-789127333038}.exe
File created	C:\Windows\{51D66B81-B106-4c9c-91EE-AE07C3BFDDD3}.exe	{81D8B055-3C42-47ce-880F-FA44FD7AF724}.exe
File created	C:\Windows\{B6825E7B-AAFC-41fd-9827-636EA55BDDF8}.exe	{51D66B81-B106-4c9c-91EE-AE07C3BFDDD3}.exe
File created	C:\Windows\{DD9D4817-F286-439c-A723-CAB9D5C0ADC0}.exe	{B6825E7B-AAFC-41fd-9827-636EA55BDDF8}.exe
File created	C:\Windows\{6C76CAF8-36B7-4e95-AB91-A1740780B9B5}.exe	2024-02-14_e02cc5b504d42790ffc3c0638f307d95_goldeneye.exe
File created	C:\Windows\{8AC03DCE-43B4-4917-8B6B-86E2387BAB8C}.exe	{1F3AF5E1-F6F2-4c8f-91F0-AF656AB4442D}.exe
File created	C:\Windows\{F3F955C4-EE0A-4f05-A4AF-F1FD77E5FF71}.exe	{8AC03DCE-43B4-4917-8B6B-86E2387BAB8C}.exe
File created	C:\Windows\{09629906-8D52-413b-96FC-EBEDA1890357}.exe	{F3F955C4-EE0A-4f05-A4AF-F1FD77E5FF71}.exe
File created	C:\Windows\{1F3AF5E1-F6F2-4c8f-91F0-AF656AB4442D}.exe	{11E83EF8-8FFE-4895-B10D-3A8C51950454}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1032	2024-02-14_e02cc5b504d42790ffc3c0638f307d95_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2876	{6C76CAF8-36B7-4e95-AB91-A1740780B9B5}.exe
Token: SeIncBasePriorityPrivilege	2564	{11E83EF8-8FFE-4895-B10D-3A8C51950454}.exe
Token: SeIncBasePriorityPrivilege	2544	{1F3AF5E1-F6F2-4c8f-91F0-AF656AB4442D}.exe
Token: SeIncBasePriorityPrivilege	2200	{8AC03DCE-43B4-4917-8B6B-86E2387BAB8C}.exe
Token: SeIncBasePriorityPrivilege	948	{F3F955C4-EE0A-4f05-A4AF-F1FD77E5FF71}.exe
Token: SeIncBasePriorityPrivilege	2628	{09629906-8D52-413b-96FC-EBEDA1890357}.exe
Token: SeIncBasePriorityPrivilege	2460	{3F07FBBC-3E37-4165-801B-789127333038}.exe
Token: SeIncBasePriorityPrivilege	1300	{81D8B055-3C42-47ce-880F-FA44FD7AF724}.exe
Token: SeIncBasePriorityPrivilege	2972	{51D66B81-B106-4c9c-91EE-AE07C3BFDDD3}.exe
Token: SeIncBasePriorityPrivilege	2384	{B6825E7B-AAFC-41fd-9827-636EA55BDDF8}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1032 wrote to memory of 2876	1032	2024-02-14_e02cc5b504d42790ffc3c0638f307d95_goldeneye.exe	28
PID 1032 wrote to memory of 2876	1032	2024-02-14_e02cc5b504d42790ffc3c0638f307d95_goldeneye.exe	28
PID 1032 wrote to memory of 2876	1032	2024-02-14_e02cc5b504d42790ffc3c0638f307d95_goldeneye.exe	28
PID 1032 wrote to memory of 2876	1032	2024-02-14_e02cc5b504d42790ffc3c0638f307d95_goldeneye.exe	28
PID 1032 wrote to memory of 3052	1032	2024-02-14_e02cc5b504d42790ffc3c0638f307d95_goldeneye.exe	29
PID 1032 wrote to memory of 3052	1032	2024-02-14_e02cc5b504d42790ffc3c0638f307d95_goldeneye.exe	29
PID 1032 wrote to memory of 3052	1032	2024-02-14_e02cc5b504d42790ffc3c0638f307d95_goldeneye.exe	29
PID 1032 wrote to memory of 3052	1032	2024-02-14_e02cc5b504d42790ffc3c0638f307d95_goldeneye.exe	29
PID 2876 wrote to memory of 2564	2876	{6C76CAF8-36B7-4e95-AB91-A1740780B9B5}.exe	32
PID 2876 wrote to memory of 2564	2876	{6C76CAF8-36B7-4e95-AB91-A1740780B9B5}.exe	32
PID 2876 wrote to memory of 2564	2876	{6C76CAF8-36B7-4e95-AB91-A1740780B9B5}.exe	32
PID 2876 wrote to memory of 2564	2876	{6C76CAF8-36B7-4e95-AB91-A1740780B9B5}.exe	32
PID 2876 wrote to memory of 2552	2876	{6C76CAF8-36B7-4e95-AB91-A1740780B9B5}.exe	33
PID 2876 wrote to memory of 2552	2876	{6C76CAF8-36B7-4e95-AB91-A1740780B9B5}.exe	33
PID 2876 wrote to memory of 2552	2876	{6C76CAF8-36B7-4e95-AB91-A1740780B9B5}.exe	33
PID 2876 wrote to memory of 2552	2876	{6C76CAF8-36B7-4e95-AB91-A1740780B9B5}.exe	33
PID 2564 wrote to memory of 2544	2564	{11E83EF8-8FFE-4895-B10D-3A8C51950454}.exe	34
PID 2564 wrote to memory of 2544	2564	{11E83EF8-8FFE-4895-B10D-3A8C51950454}.exe	34
PID 2564 wrote to memory of 2544	2564	{11E83EF8-8FFE-4895-B10D-3A8C51950454}.exe	34
PID 2564 wrote to memory of 2544	2564	{11E83EF8-8FFE-4895-B10D-3A8C51950454}.exe	34
PID 2564 wrote to memory of 2600	2564	{11E83EF8-8FFE-4895-B10D-3A8C51950454}.exe	35
PID 2564 wrote to memory of 2600	2564	{11E83EF8-8FFE-4895-B10D-3A8C51950454}.exe	35
PID 2564 wrote to memory of 2600	2564	{11E83EF8-8FFE-4895-B10D-3A8C51950454}.exe	35
PID 2564 wrote to memory of 2600	2564	{11E83EF8-8FFE-4895-B10D-3A8C51950454}.exe	35
PID 2544 wrote to memory of 2200	2544	{1F3AF5E1-F6F2-4c8f-91F0-AF656AB4442D}.exe	36
PID 2544 wrote to memory of 2200	2544	{1F3AF5E1-F6F2-4c8f-91F0-AF656AB4442D}.exe	36
PID 2544 wrote to memory of 2200	2544	{1F3AF5E1-F6F2-4c8f-91F0-AF656AB4442D}.exe	36
PID 2544 wrote to memory of 2200	2544	{1F3AF5E1-F6F2-4c8f-91F0-AF656AB4442D}.exe	36
PID 2544 wrote to memory of 1156	2544	{1F3AF5E1-F6F2-4c8f-91F0-AF656AB4442D}.exe	37
PID 2544 wrote to memory of 1156	2544	{1F3AF5E1-F6F2-4c8f-91F0-AF656AB4442D}.exe	37
PID 2544 wrote to memory of 1156	2544	{1F3AF5E1-F6F2-4c8f-91F0-AF656AB4442D}.exe	37
PID 2544 wrote to memory of 1156	2544	{1F3AF5E1-F6F2-4c8f-91F0-AF656AB4442D}.exe	37
PID 2200 wrote to memory of 948	2200	{8AC03DCE-43B4-4917-8B6B-86E2387BAB8C}.exe	38
PID 2200 wrote to memory of 948	2200	{8AC03DCE-43B4-4917-8B6B-86E2387BAB8C}.exe	38
PID 2200 wrote to memory of 948	2200	{8AC03DCE-43B4-4917-8B6B-86E2387BAB8C}.exe	38
PID 2200 wrote to memory of 948	2200	{8AC03DCE-43B4-4917-8B6B-86E2387BAB8C}.exe	38
PID 2200 wrote to memory of 1856	2200	{8AC03DCE-43B4-4917-8B6B-86E2387BAB8C}.exe	39
PID 2200 wrote to memory of 1856	2200	{8AC03DCE-43B4-4917-8B6B-86E2387BAB8C}.exe	39
PID 2200 wrote to memory of 1856	2200	{8AC03DCE-43B4-4917-8B6B-86E2387BAB8C}.exe	39
PID 2200 wrote to memory of 1856	2200	{8AC03DCE-43B4-4917-8B6B-86E2387BAB8C}.exe	39
PID 948 wrote to memory of 2628	948	{F3F955C4-EE0A-4f05-A4AF-F1FD77E5FF71}.exe	40
PID 948 wrote to memory of 2628	948	{F3F955C4-EE0A-4f05-A4AF-F1FD77E5FF71}.exe	40
PID 948 wrote to memory of 2628	948	{F3F955C4-EE0A-4f05-A4AF-F1FD77E5FF71}.exe	40
PID 948 wrote to memory of 2628	948	{F3F955C4-EE0A-4f05-A4AF-F1FD77E5FF71}.exe	40
PID 948 wrote to memory of 2832	948	{F3F955C4-EE0A-4f05-A4AF-F1FD77E5FF71}.exe	41
PID 948 wrote to memory of 2832	948	{F3F955C4-EE0A-4f05-A4AF-F1FD77E5FF71}.exe	41
PID 948 wrote to memory of 2832	948	{F3F955C4-EE0A-4f05-A4AF-F1FD77E5FF71}.exe	41
PID 948 wrote to memory of 2832	948	{F3F955C4-EE0A-4f05-A4AF-F1FD77E5FF71}.exe	41
PID 2628 wrote to memory of 2460	2628	{09629906-8D52-413b-96FC-EBEDA1890357}.exe	42
PID 2628 wrote to memory of 2460	2628	{09629906-8D52-413b-96FC-EBEDA1890357}.exe	42
PID 2628 wrote to memory of 2460	2628	{09629906-8D52-413b-96FC-EBEDA1890357}.exe	42
PID 2628 wrote to memory of 2460	2628	{09629906-8D52-413b-96FC-EBEDA1890357}.exe	42
PID 2628 wrote to memory of 2452	2628	{09629906-8D52-413b-96FC-EBEDA1890357}.exe	43
PID 2628 wrote to memory of 2452	2628	{09629906-8D52-413b-96FC-EBEDA1890357}.exe	43
PID 2628 wrote to memory of 2452	2628	{09629906-8D52-413b-96FC-EBEDA1890357}.exe	43
PID 2628 wrote to memory of 2452	2628	{09629906-8D52-413b-96FC-EBEDA1890357}.exe	43
PID 2460 wrote to memory of 1300	2460	{3F07FBBC-3E37-4165-801B-789127333038}.exe	44
PID 2460 wrote to memory of 1300	2460	{3F07FBBC-3E37-4165-801B-789127333038}.exe	44
PID 2460 wrote to memory of 1300	2460	{3F07FBBC-3E37-4165-801B-789127333038}.exe	44
PID 2460 wrote to memory of 1300	2460	{3F07FBBC-3E37-4165-801B-789127333038}.exe	44
PID 2460 wrote to memory of 1808	2460	{3F07FBBC-3E37-4165-801B-789127333038}.exe	45
PID 2460 wrote to memory of 1808	2460	{3F07FBBC-3E37-4165-801B-789127333038}.exe	45
PID 2460 wrote to memory of 1808	2460	{3F07FBBC-3E37-4165-801B-789127333038}.exe	45
PID 2460 wrote to memory of 1808	2460	{3F07FBBC-3E37-4165-801B-789127333038}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-02-14_e02cc5b504d42790ffc3c0638f307d95_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-14_e02cc5b504d42790ffc3c0638f307d95_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1032
- C:\Windows\{6C76CAF8-36B7-4e95-AB91-A1740780B9B5}.exe
  C:\Windows\{6C76CAF8-36B7-4e95-AB91-A1740780B9B5}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2876
- - C:\Windows\{11E83EF8-8FFE-4895-B10D-3A8C51950454}.exe
    C:\Windows\{11E83EF8-8FFE-4895-B10D-3A8C51950454}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2564
  - - C:\Windows\{1F3AF5E1-F6F2-4c8f-91F0-AF656AB4442D}.exe
      C:\Windows\{1F3AF5E1-F6F2-4c8f-91F0-AF656AB4442D}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2544
    - - C:\Windows\{8AC03DCE-43B4-4917-8B6B-86E2387BAB8C}.exe
        
        C:\Windows\{8AC03DCE-43B4-4917-8B6B-86E2387BAB8C}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2200
      - C:\Windows\{F3F955C4-EE0A-4f05-A4AF-F1FD77E5FF71}.exe
        
        C:\Windows\{F3F955C4-EE0A-4f05-A4AF-F1FD77E5FF71}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:948
        
        C:\Windows\{09629906-8D52-413b-96FC-EBEDA1890357}.exe
        
        C:\Windows\{09629906-8D52-413b-96FC-EBEDA1890357}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2628
        
        C:\Windows\{3F07FBBC-3E37-4165-801B-789127333038}.exe
        
        C:\Windows\{3F07FBBC-3E37-4165-801B-789127333038}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2460
        
        C:\Windows\{81D8B055-3C42-47ce-880F-FA44FD7AF724}.exe
        
        C:\Windows\{81D8B055-3C42-47ce-880F-FA44FD7AF724}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1300
        
        C:\Windows\{51D66B81-B106-4c9c-91EE-AE07C3BFDDD3}.exe
        
        C:\Windows\{51D66B81-B106-4c9c-91EE-AE07C3BFDDD3}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2972
        
        C:\Windows\{B6825E7B-AAFC-41fd-9827-636EA55BDDF8}.exe
        
        C:\Windows\{B6825E7B-AAFC-41fd-9827-636EA55BDDF8}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2384
        
        C:\Windows\{DD9D4817-F286-439c-A723-CAB9D5C0ADC0}.exe
        
        C:\Windows\{DD9D4817-F286-439c-A723-CAB9D5C0ADC0}.exe
        12⤵
        Executes dropped EXE
        
        PID:2160
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B6825~1.EXE > nul
        12⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{51D66~1.EXE > nul
        11⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{81D8B~1.EXE > nul
        10⤵
        
        PID:2984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3F07F~1.EXE > nul
        9⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{09629~1.EXE > nul
        8⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F3F95~1.EXE > nul
        7⤵
        
        PID:2832
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8AC03~1.EXE > nul
        6⤵
        
        PID:1856
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1F3AF~1.EXE > nul
        5⤵
        
        PID:1156
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{11E83~1.EXE > nul
      4⤵
      PID:2600
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{6C76C~1.EXE > nul
    3⤵
    PID:2552
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:3052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{09629906-8D52-413b-96FC-EBEDA1890357}.exe

Filesize
372KB

MD5
d1410d90c21308f054fb078993d77032

SHA1
c1838b7c553f63d248cd7c346cf3a43851fdf111

SHA256
ba411f968f189e1a6192cc64797b2c57deae5ca34bfcaa6f118ccf96a369fa60

SHA512
604b9a3c343269c9f4972fa2afd6f9baa5b9e641fbd5f6a8d7eec52c380dfa22baf9291e72f970d5ab529c97f275e4024f367ecddd72d76f21f7eda0c4122e29

Download Submit
C:\Windows\{11E83EF8-8FFE-4895-B10D-3A8C51950454}.exe

Filesize
372KB

MD5
dc84c644250460cd4aff6eb0088a0103

SHA1
5aaf8abdd209a8958964ee591cb9e2a733befb50

SHA256
82b77d06417558f3fd2db3fe34569480ae61326f52c817b1a1587ba5c6876714

SHA512
456d77b603a064035bc78dfe68c85d6492c55c4516f3bc966d58f1e94de24f38c0f1e2cb2431a52d3e67c04af75413fbd712ca8a472c90228c527ae3681a0c08

Download Submit
C:\Windows\{1F3AF5E1-F6F2-4c8f-91F0-AF656AB4442D}.exe

Filesize
372KB

MD5
1f92634ce02e8220100c79b9f9051247

SHA1
1dce4f1af78edf8b32bd5c55c514df912cd0231f

SHA256
6b89afa7273b9cc7334e792b07a010c6e638f5028c5c7f9c7bf867fc9898d914

SHA512
56c674b354d573be77352ffd0571096b2e587b680efc54e905928ef2f4ce9a189988ab06cd7a416d5c3e3009ac31dfcfcb32bb1c4ed3eeec7598df6a232637f2

Download Submit
C:\Windows\{3F07FBBC-3E37-4165-801B-789127333038}.exe

Filesize
372KB

MD5
42224176a59ca44a2f6c35e0d504d0f1

SHA1
202b23dc4388d7dff2b699d1b0df34f05ecd5b6c

SHA256
59081be9693441d4c7569d36d4454738e633c91616776a1f704cbba058201623

SHA512
98fb966945c470ae927f30fd3a0f1c199895bffd8d0577a0ee1821f45736f06f0746bada30fd5a149c52f92081ca32a1b4a9986205c631c1f11d5ded93b267c8

Download Submit
C:\Windows\{51D66B81-B106-4c9c-91EE-AE07C3BFDDD3}.exe

Filesize
372KB

MD5
8ce86fd0784f678f11726a4914608ecb

SHA1
ed2339ccc1456fe357b682ea6005254785c18c13

SHA256
fbfabbde32dfaaf0aef82e71e4518868a77c3320145820919b9489a72e70ae0b

SHA512
ae02d87f23055ac46572509379b80e70dd97a14319767a8600cd2c407741227281f4baa9b533e5c94b4031ff62a40d66fcb6c1d1eb404e8ae5a0304b898f86c6

Download Submit
C:\Windows\{6C76CAF8-36B7-4e95-AB91-A1740780B9B5}.exe

Filesize
372KB

MD5
3ed8e03475eac2f05f63cb506282913f

SHA1
dfbae95f6e96f58862e0c887e7c7853196e483fa

SHA256
be113f4980f03217c7f0bb963985b549037206df2011ac7cb81a21e24d1fe05f

SHA512
e9ac95fec79a4aa5df12e6631b2ea72ba09d36403f03c0eda496a89881f4b05ff20cb9305498f7767b5033cd2c81784067864c3aac960b9f9cb949982a34336a

Download Submit
C:\Windows\{81D8B055-3C42-47ce-880F-FA44FD7AF724}.exe

Filesize
372KB

MD5
05c0982311b19df9c6fc41d902814753

SHA1
ee39cfe5c024eee159da9762a234044785168127

SHA256
e6fae508dcbf494d12692e1d03a8bf13c6425bd30b2b27d7717f454ab2b4de75

SHA512
47f3e3274bd0d2564b784e2d82beb2246cf6d92decca76ccf76bf0c9a5f9ca2a7de39c1bc4cfa172b817f20bfd7a853504f8695ac566255471a1904d9185b5b3

Download Submit
C:\Windows\{8AC03DCE-43B4-4917-8B6B-86E2387BAB8C}.exe

Filesize
372KB

MD5
7eb2d4c57f0ce7e300b87830a990577f

SHA1
cb5a5f2227953f80eed64825799810077399224d

SHA256
c933b32ccee6de3f17379cb140bcbb191d0c8295d5c464868bf4aeb7456c7ec1

SHA512
9ab18b6df22b0414a35af5ab3c6544d1bcbbbd47346754bc252784679a04c88008ec3ae3f35101e8ae53eaf299ff031f99b340c898789d7df46546b852463cc3

Download Submit
C:\Windows\{B6825E7B-AAFC-41fd-9827-636EA55BDDF8}.exe

Filesize
372KB

MD5
cfed62fc5b152ddc49933089df861533

SHA1
edfba2615a2f0585a88c56b1c4c64cf1bb0be623

SHA256
b7a6d2250069a409329eea35936e00b4e0195432818279c0d182f4e9b03b53a6

SHA512
fe951f338fc2d95cd36633e5b26dcbe993ae905a6bd7967fddd33d8cbf56a123c6514f97b46257d47f70c9e2dc9ce12869c42c5ceeb9ab5b0208b7e5e7228a72

Download Submit
C:\Windows\{DD9D4817-F286-439c-A723-CAB9D5C0ADC0}.exe

Filesize
372KB

MD5
b643d704dbb0bab7911227ab43b19b72

SHA1
c43be56b7c8a90ad1df517e4d472bb07c38de139

SHA256
00ac82860263422e890e3079cdc4d9684bf44620ba32ea36989bc8f4e991ca23

SHA512
fbc5be35e9cd6ed06c6562a08fc80209125ac237c4180708371d11fa83827e0fce81d0ec252de4fd6e5728966c3215dd07c064f637c26e62371baf453e7779c1

Download Submit
C:\Windows\{F3F955C4-EE0A-4f05-A4AF-F1FD77E5FF71}.exe

Filesize
372KB

MD5
0379ead6b44a0a390ea1dcc9b173ce82

SHA1
a445c92c0fd782d27442cb744ffc448819c7f27f

SHA256
c364d71f59289a0377574304d5825d6a506fed708dcddcb9f250697392308861

SHA512
5808e50feb87d76f41d7c375ad34350f765a45802143080f47ffb9270aad722a2752bb25d2fe455c22464621b4203dbe9eefb14b00fe7b556eec6512ea7bab30

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads