be33315be151410b5b07c1975edede05ba2595c3c6bb7314224d8afc55bdaeed

Analysis

max time kernel
144s
max time network
117s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
14/02/2024, 02:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-14_20044cb9ceb4146700223b0bac616a7d_goldeneye.exe
Size

197KB
MD5

20044cb9ceb4146700223b0bac616a7d
SHA1

b18fd5d2373a34884c5f418652706dd6de676ced
SHA256

be33315be151410b5b07c1975edede05ba2595c3c6bb7314224d8afc55bdaeed
SHA512

fe390ea9988c0a917acf18b859e64b34ae4f35314533973850d2dca407213c119fbd078febbdfd917ab04e0c1aff8a7959f8189ebefd199c26b5d1696ade33fc
SSDEEP

3072:jEGh0o1l+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGrlEeKcAEca

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x0009000000015c71-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000015ca3-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a000000015c71-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000015d23-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000005a5a-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b000000015c71-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000005a5a-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000015c71-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000005a5a-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000015c71-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000005a5a-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5F16FE52-15D8-4be2-BC3F-C82C6F968B25}	{2D4C3AAB-2192-4b40-AFA1-B71E70C2C93D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{01EEB8BB-7EEE-415b-AB89-A8A09A7F2C92}\stubpath = "C:\\Windows\\{01EEB8BB-7EEE-415b-AB89-A8A09A7F2C92}.exe"	{5F16FE52-15D8-4be2-BC3F-C82C6F968B25}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0250D8C7-7F0D-4964-A050-E2B6FB551BA1}	{01EEB8BB-7EEE-415b-AB89-A8A09A7F2C92}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0250D8C7-7F0D-4964-A050-E2B6FB551BA1}\stubpath = "C:\\Windows\\{0250D8C7-7F0D-4964-A050-E2B6FB551BA1}.exe"	{01EEB8BB-7EEE-415b-AB89-A8A09A7F2C92}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AEBD7081-7F71-480d-A83C-B0BE13B87877}\stubpath = "C:\\Windows\\{AEBD7081-7F71-480d-A83C-B0BE13B87877}.exe"	{8322340B-A987-4c8b-8F4C-6BD6CFB64E64}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2A97EB76-47D3-4fe6-B672-03E4DD9C200C}\stubpath = "C:\\Windows\\{2A97EB76-47D3-4fe6-B672-03E4DD9C200C}.exe"	{AEBD7081-7F71-480d-A83C-B0BE13B87877}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6D68BFDE-9F91-4b9a-BE05-8D57AD2C3D72}	{2A97EB76-47D3-4fe6-B672-03E4DD9C200C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{455E712A-13D5-4701-A64C-999F474703CA}\stubpath = "C:\\Windows\\{455E712A-13D5-4701-A64C-999F474703CA}.exe"	2024-02-14_20044cb9ceb4146700223b0bac616a7d_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2D4C3AAB-2192-4b40-AFA1-B71E70C2C93D}	{455E712A-13D5-4701-A64C-999F474703CA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5F16FE52-15D8-4be2-BC3F-C82C6F968B25}\stubpath = "C:\\Windows\\{5F16FE52-15D8-4be2-BC3F-C82C6F968B25}.exe"	{2D4C3AAB-2192-4b40-AFA1-B71E70C2C93D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{01EEB8BB-7EEE-415b-AB89-A8A09A7F2C92}	{5F16FE52-15D8-4be2-BC3F-C82C6F968B25}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{31418FE6-898F-472b-A293-D984E2A1BD58}	{0250D8C7-7F0D-4964-A050-E2B6FB551BA1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8322340B-A987-4c8b-8F4C-6BD6CFB64E64}	{557532BC-3298-4f35-A130-5C6AA06E2EE4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8322340B-A987-4c8b-8F4C-6BD6CFB64E64}\stubpath = "C:\\Windows\\{8322340B-A987-4c8b-8F4C-6BD6CFB64E64}.exe"	{557532BC-3298-4f35-A130-5C6AA06E2EE4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{455E712A-13D5-4701-A64C-999F474703CA}	2024-02-14_20044cb9ceb4146700223b0bac616a7d_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{31418FE6-898F-472b-A293-D984E2A1BD58}\stubpath = "C:\\Windows\\{31418FE6-898F-472b-A293-D984E2A1BD58}.exe"	{0250D8C7-7F0D-4964-A050-E2B6FB551BA1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{557532BC-3298-4f35-A130-5C6AA06E2EE4}	{31418FE6-898F-472b-A293-D984E2A1BD58}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{557532BC-3298-4f35-A130-5C6AA06E2EE4}\stubpath = "C:\\Windows\\{557532BC-3298-4f35-A130-5C6AA06E2EE4}.exe"	{31418FE6-898F-472b-A293-D984E2A1BD58}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AEBD7081-7F71-480d-A83C-B0BE13B87877}	{8322340B-A987-4c8b-8F4C-6BD6CFB64E64}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6D68BFDE-9F91-4b9a-BE05-8D57AD2C3D72}\stubpath = "C:\\Windows\\{6D68BFDE-9F91-4b9a-BE05-8D57AD2C3D72}.exe"	{2A97EB76-47D3-4fe6-B672-03E4DD9C200C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2D4C3AAB-2192-4b40-AFA1-B71E70C2C93D}\stubpath = "C:\\Windows\\{2D4C3AAB-2192-4b40-AFA1-B71E70C2C93D}.exe"	{455E712A-13D5-4701-A64C-999F474703CA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2A97EB76-47D3-4fe6-B672-03E4DD9C200C}	{AEBD7081-7F71-480d-A83C-B0BE13B87877}.exe

Deletes itself 1 IoCs

pid	Process
2176	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
3060	{455E712A-13D5-4701-A64C-999F474703CA}.exe
2700	{2D4C3AAB-2192-4b40-AFA1-B71E70C2C93D}.exe
2628	{5F16FE52-15D8-4be2-BC3F-C82C6F968B25}.exe
3024	{01EEB8BB-7EEE-415b-AB89-A8A09A7F2C92}.exe
2748	{0250D8C7-7F0D-4964-A050-E2B6FB551BA1}.exe
1084	{31418FE6-898F-472b-A293-D984E2A1BD58}.exe
2764	{557532BC-3298-4f35-A130-5C6AA06E2EE4}.exe
1376	{8322340B-A987-4c8b-8F4C-6BD6CFB64E64}.exe
2280	{AEBD7081-7F71-480d-A83C-B0BE13B87877}.exe
692	{2A97EB76-47D3-4fe6-B672-03E4DD9C200C}.exe
2904	{6D68BFDE-9F91-4b9a-BE05-8D57AD2C3D72}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{8322340B-A987-4c8b-8F4C-6BD6CFB64E64}.exe	{557532BC-3298-4f35-A130-5C6AA06E2EE4}.exe
File created	C:\Windows\{AEBD7081-7F71-480d-A83C-B0BE13B87877}.exe	{8322340B-A987-4c8b-8F4C-6BD6CFB64E64}.exe
File created	C:\Windows\{2D4C3AAB-2192-4b40-AFA1-B71E70C2C93D}.exe	{455E712A-13D5-4701-A64C-999F474703CA}.exe
File created	C:\Windows\{5F16FE52-15D8-4be2-BC3F-C82C6F968B25}.exe	{2D4C3AAB-2192-4b40-AFA1-B71E70C2C93D}.exe
File created	C:\Windows\{01EEB8BB-7EEE-415b-AB89-A8A09A7F2C92}.exe	{5F16FE52-15D8-4be2-BC3F-C82C6F968B25}.exe
File created	C:\Windows\{557532BC-3298-4f35-A130-5C6AA06E2EE4}.exe	{31418FE6-898F-472b-A293-D984E2A1BD58}.exe
File created	C:\Windows\{6D68BFDE-9F91-4b9a-BE05-8D57AD2C3D72}.exe	{2A97EB76-47D3-4fe6-B672-03E4DD9C200C}.exe
File created	C:\Windows\{455E712A-13D5-4701-A64C-999F474703CA}.exe	2024-02-14_20044cb9ceb4146700223b0bac616a7d_goldeneye.exe
File created	C:\Windows\{0250D8C7-7F0D-4964-A050-E2B6FB551BA1}.exe	{01EEB8BB-7EEE-415b-AB89-A8A09A7F2C92}.exe
File created	C:\Windows\{31418FE6-898F-472b-A293-D984E2A1BD58}.exe	{0250D8C7-7F0D-4964-A050-E2B6FB551BA1}.exe
File created	C:\Windows\{2A97EB76-47D3-4fe6-B672-03E4DD9C200C}.exe	{AEBD7081-7F71-480d-A83C-B0BE13B87877}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	880	2024-02-14_20044cb9ceb4146700223b0bac616a7d_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3060	{455E712A-13D5-4701-A64C-999F474703CA}.exe
Token: SeIncBasePriorityPrivilege	2700	{2D4C3AAB-2192-4b40-AFA1-B71E70C2C93D}.exe
Token: SeIncBasePriorityPrivilege	2628	{5F16FE52-15D8-4be2-BC3F-C82C6F968B25}.exe
Token: SeIncBasePriorityPrivilege	3024	{01EEB8BB-7EEE-415b-AB89-A8A09A7F2C92}.exe
Token: SeIncBasePriorityPrivilege	2748	{0250D8C7-7F0D-4964-A050-E2B6FB551BA1}.exe
Token: SeIncBasePriorityPrivilege	1084	{31418FE6-898F-472b-A293-D984E2A1BD58}.exe
Token: SeIncBasePriorityPrivilege	2764	{557532BC-3298-4f35-A130-5C6AA06E2EE4}.exe
Token: SeIncBasePriorityPrivilege	1376	{8322340B-A987-4c8b-8F4C-6BD6CFB64E64}.exe
Token: SeIncBasePriorityPrivilege	2280	{AEBD7081-7F71-480d-A83C-B0BE13B87877}.exe
Token: SeIncBasePriorityPrivilege	692	{2A97EB76-47D3-4fe6-B672-03E4DD9C200C}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 880 wrote to memory of 3060	880	2024-02-14_20044cb9ceb4146700223b0bac616a7d_goldeneye.exe	28
PID 880 wrote to memory of 3060	880	2024-02-14_20044cb9ceb4146700223b0bac616a7d_goldeneye.exe	28
PID 880 wrote to memory of 3060	880	2024-02-14_20044cb9ceb4146700223b0bac616a7d_goldeneye.exe	28
PID 880 wrote to memory of 3060	880	2024-02-14_20044cb9ceb4146700223b0bac616a7d_goldeneye.exe	28
PID 880 wrote to memory of 2176	880	2024-02-14_20044cb9ceb4146700223b0bac616a7d_goldeneye.exe	29
PID 880 wrote to memory of 2176	880	2024-02-14_20044cb9ceb4146700223b0bac616a7d_goldeneye.exe	29
PID 880 wrote to memory of 2176	880	2024-02-14_20044cb9ceb4146700223b0bac616a7d_goldeneye.exe	29
PID 880 wrote to memory of 2176	880	2024-02-14_20044cb9ceb4146700223b0bac616a7d_goldeneye.exe	29
PID 3060 wrote to memory of 2700	3060	{455E712A-13D5-4701-A64C-999F474703CA}.exe	30
PID 3060 wrote to memory of 2700	3060	{455E712A-13D5-4701-A64C-999F474703CA}.exe	30
PID 3060 wrote to memory of 2700	3060	{455E712A-13D5-4701-A64C-999F474703CA}.exe	30
PID 3060 wrote to memory of 2700	3060	{455E712A-13D5-4701-A64C-999F474703CA}.exe	30
PID 3060 wrote to memory of 2732	3060	{455E712A-13D5-4701-A64C-999F474703CA}.exe	31
PID 3060 wrote to memory of 2732	3060	{455E712A-13D5-4701-A64C-999F474703CA}.exe	31
PID 3060 wrote to memory of 2732	3060	{455E712A-13D5-4701-A64C-999F474703CA}.exe	31
PID 3060 wrote to memory of 2732	3060	{455E712A-13D5-4701-A64C-999F474703CA}.exe	31
PID 2700 wrote to memory of 2628	2700	{2D4C3AAB-2192-4b40-AFA1-B71E70C2C93D}.exe	33
PID 2700 wrote to memory of 2628	2700	{2D4C3AAB-2192-4b40-AFA1-B71E70C2C93D}.exe	33
PID 2700 wrote to memory of 2628	2700	{2D4C3AAB-2192-4b40-AFA1-B71E70C2C93D}.exe	33
PID 2700 wrote to memory of 2628	2700	{2D4C3AAB-2192-4b40-AFA1-B71E70C2C93D}.exe	33
PID 2700 wrote to memory of 2848	2700	{2D4C3AAB-2192-4b40-AFA1-B71E70C2C93D}.exe	32
PID 2700 wrote to memory of 2848	2700	{2D4C3AAB-2192-4b40-AFA1-B71E70C2C93D}.exe	32
PID 2700 wrote to memory of 2848	2700	{2D4C3AAB-2192-4b40-AFA1-B71E70C2C93D}.exe	32
PID 2700 wrote to memory of 2848	2700	{2D4C3AAB-2192-4b40-AFA1-B71E70C2C93D}.exe	32
PID 2628 wrote to memory of 3024	2628	{5F16FE52-15D8-4be2-BC3F-C82C6F968B25}.exe	37
PID 2628 wrote to memory of 3024	2628	{5F16FE52-15D8-4be2-BC3F-C82C6F968B25}.exe	37
PID 2628 wrote to memory of 3024	2628	{5F16FE52-15D8-4be2-BC3F-C82C6F968B25}.exe	37
PID 2628 wrote to memory of 3024	2628	{5F16FE52-15D8-4be2-BC3F-C82C6F968B25}.exe	37
PID 2628 wrote to memory of 2284	2628	{5F16FE52-15D8-4be2-BC3F-C82C6F968B25}.exe	36
PID 2628 wrote to memory of 2284	2628	{5F16FE52-15D8-4be2-BC3F-C82C6F968B25}.exe	36
PID 2628 wrote to memory of 2284	2628	{5F16FE52-15D8-4be2-BC3F-C82C6F968B25}.exe	36
PID 2628 wrote to memory of 2284	2628	{5F16FE52-15D8-4be2-BC3F-C82C6F968B25}.exe	36
PID 3024 wrote to memory of 2748	3024	{01EEB8BB-7EEE-415b-AB89-A8A09A7F2C92}.exe	39
PID 3024 wrote to memory of 2748	3024	{01EEB8BB-7EEE-415b-AB89-A8A09A7F2C92}.exe	39
PID 3024 wrote to memory of 2748	3024	{01EEB8BB-7EEE-415b-AB89-A8A09A7F2C92}.exe	39
PID 3024 wrote to memory of 2748	3024	{01EEB8BB-7EEE-415b-AB89-A8A09A7F2C92}.exe	39
PID 3024 wrote to memory of 1840	3024	{01EEB8BB-7EEE-415b-AB89-A8A09A7F2C92}.exe	38
PID 3024 wrote to memory of 1840	3024	{01EEB8BB-7EEE-415b-AB89-A8A09A7F2C92}.exe	38
PID 3024 wrote to memory of 1840	3024	{01EEB8BB-7EEE-415b-AB89-A8A09A7F2C92}.exe	38
PID 3024 wrote to memory of 1840	3024	{01EEB8BB-7EEE-415b-AB89-A8A09A7F2C92}.exe	38
PID 2748 wrote to memory of 1084	2748	{0250D8C7-7F0D-4964-A050-E2B6FB551BA1}.exe	41
PID 2748 wrote to memory of 1084	2748	{0250D8C7-7F0D-4964-A050-E2B6FB551BA1}.exe	41
PID 2748 wrote to memory of 1084	2748	{0250D8C7-7F0D-4964-A050-E2B6FB551BA1}.exe	41
PID 2748 wrote to memory of 1084	2748	{0250D8C7-7F0D-4964-A050-E2B6FB551BA1}.exe	41
PID 2748 wrote to memory of 320	2748	{0250D8C7-7F0D-4964-A050-E2B6FB551BA1}.exe	40
PID 2748 wrote to memory of 320	2748	{0250D8C7-7F0D-4964-A050-E2B6FB551BA1}.exe	40
PID 2748 wrote to memory of 320	2748	{0250D8C7-7F0D-4964-A050-E2B6FB551BA1}.exe	40
PID 2748 wrote to memory of 320	2748	{0250D8C7-7F0D-4964-A050-E2B6FB551BA1}.exe	40
PID 1084 wrote to memory of 2764	1084	{31418FE6-898F-472b-A293-D984E2A1BD58}.exe	43
PID 1084 wrote to memory of 2764	1084	{31418FE6-898F-472b-A293-D984E2A1BD58}.exe	43
PID 1084 wrote to memory of 2764	1084	{31418FE6-898F-472b-A293-D984E2A1BD58}.exe	43
PID 1084 wrote to memory of 2764	1084	{31418FE6-898F-472b-A293-D984E2A1BD58}.exe	43
PID 1084 wrote to memory of 2756	1084	{31418FE6-898F-472b-A293-D984E2A1BD58}.exe	42
PID 1084 wrote to memory of 2756	1084	{31418FE6-898F-472b-A293-D984E2A1BD58}.exe	42
PID 1084 wrote to memory of 2756	1084	{31418FE6-898F-472b-A293-D984E2A1BD58}.exe	42
PID 1084 wrote to memory of 2756	1084	{31418FE6-898F-472b-A293-D984E2A1BD58}.exe	42
PID 2764 wrote to memory of 1376	2764	{557532BC-3298-4f35-A130-5C6AA06E2EE4}.exe	44
PID 2764 wrote to memory of 1376	2764	{557532BC-3298-4f35-A130-5C6AA06E2EE4}.exe	44
PID 2764 wrote to memory of 1376	2764	{557532BC-3298-4f35-A130-5C6AA06E2EE4}.exe	44
PID 2764 wrote to memory of 1376	2764	{557532BC-3298-4f35-A130-5C6AA06E2EE4}.exe	44
PID 2764 wrote to memory of 2564	2764	{557532BC-3298-4f35-A130-5C6AA06E2EE4}.exe	45
PID 2764 wrote to memory of 2564	2764	{557532BC-3298-4f35-A130-5C6AA06E2EE4}.exe	45
PID 2764 wrote to memory of 2564	2764	{557532BC-3298-4f35-A130-5C6AA06E2EE4}.exe	45
PID 2764 wrote to memory of 2564	2764	{557532BC-3298-4f35-A130-5C6AA06E2EE4}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-02-14_20044cb9ceb4146700223b0bac616a7d_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-14_20044cb9ceb4146700223b0bac616a7d_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:880
- C:\Windows\{455E712A-13D5-4701-A64C-999F474703CA}.exe
  C:\Windows\{455E712A-13D5-4701-A64C-999F474703CA}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3060
- - C:\Windows\{2D4C3AAB-2192-4b40-AFA1-B71E70C2C93D}.exe
    C:\Windows\{2D4C3AAB-2192-4b40-AFA1-B71E70C2C93D}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2700
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{2D4C3~1.EXE > nul
      4⤵
      PID:2848
  - - C:\Windows\{5F16FE52-15D8-4be2-BC3F-C82C6F968B25}.exe
      C:\Windows\{5F16FE52-15D8-4be2-BC3F-C82C6F968B25}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2628
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5F16F~1.EXE > nul
        5⤵
        
        PID:2284
    - - C:\Windows\{01EEB8BB-7EEE-415b-AB89-A8A09A7F2C92}.exe
        
        C:\Windows\{01EEB8BB-7EEE-415b-AB89-A8A09A7F2C92}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3024
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{01EEB~1.EXE > nul
        6⤵
        
        PID:1840
      - C:\Windows\{0250D8C7-7F0D-4964-A050-E2B6FB551BA1}.exe
        
        C:\Windows\{0250D8C7-7F0D-4964-A050-E2B6FB551BA1}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0250D~1.EXE > nul
        7⤵
        
        PID:320
        
        C:\Windows\{31418FE6-898F-472b-A293-D984E2A1BD58}.exe
        
        C:\Windows\{31418FE6-898F-472b-A293-D984E2A1BD58}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{31418~1.EXE > nul
        8⤵
        
        PID:2756
        
        C:\Windows\{557532BC-3298-4f35-A130-5C6AA06E2EE4}.exe
        
        C:\Windows\{557532BC-3298-4f35-A130-5C6AA06E2EE4}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2764
        
        C:\Windows\{8322340B-A987-4c8b-8F4C-6BD6CFB64E64}.exe
        
        C:\Windows\{8322340B-A987-4c8b-8F4C-6BD6CFB64E64}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1376
        
        C:\Windows\{AEBD7081-7F71-480d-A83C-B0BE13B87877}.exe
        
        C:\Windows\{AEBD7081-7F71-480d-A83C-B0BE13B87877}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AEBD7~1.EXE > nul
        11⤵
        
        PID:1168
        
        C:\Windows\{2A97EB76-47D3-4fe6-B672-03E4DD9C200C}.exe
        
        C:\Windows\{2A97EB76-47D3-4fe6-B672-03E4DD9C200C}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:692
        
        C:\Windows\{6D68BFDE-9F91-4b9a-BE05-8D57AD2C3D72}.exe
        
        C:\Windows\{6D68BFDE-9F91-4b9a-BE05-8D57AD2C3D72}.exe
        12⤵
        Executes dropped EXE
        
        PID:2904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2A97E~1.EXE > nul
        12⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{83223~1.EXE > nul
        10⤵
        
        PID:1064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{55753~1.EXE > nul
        9⤵
        
        PID:2564
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{455E7~1.EXE > nul
    3⤵
    PID:2732
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{01EEB8BB-7EEE-415b-AB89-A8A09A7F2C92}.exe

Filesize
197KB

MD5
f868982f53f46fd0424f33cef6e1260b

SHA1
b12c08ddfd6f34556494a06e388e53ac45e3333a

SHA256
5dbe70c0969bdc26fad039e544bfe248c24d5a712e4cd0e8a1e10bf55bf82796

SHA512
3aabcdd52776d648cb64d4e2fdafe1afbce496b7b31f488251f429811016e7633d11c5b34320c7b3f669f03a69edc36246d82d17ce412d2c98f3b601171c36a8

Download Submit
C:\Windows\{0250D8C7-7F0D-4964-A050-E2B6FB551BA1}.exe

Filesize
197KB

MD5
92584691db6609c1935c31b02b074001

SHA1
c25308b20f852ec0d206d884106d631b543efa3d

SHA256
205122f16284543eca5e0211dc031864377d9dad36b27b7119279a63e5f7455e

SHA512
73a29af3ed512e7821301c2ed2706b6a258fd8c187c7ab5415d0f58552fcad9ef70d694852d8d6b7c7db5b5dae41f21fce87ad8351f216cc4ff0bb12a088b5dd

Download Submit
C:\Windows\{2A97EB76-47D3-4fe6-B672-03E4DD9C200C}.exe

Filesize
197KB

MD5
7f76857f68da33d31d88f31478a667c5

SHA1
f9f5b427aec9bf6d29b218fae6682d58ad81c20f

SHA256
fc36528a5f24bab2415b289c313f2a1cf7a756f8c7d8892195d196598a99a045

SHA512
7c6c50cb66e333021a37218c4955b9da633f5cdfbbd238455b365f773cf414a325a82a402fa77ebdb874b867cd72712681a3bd0734106886b45cd3764e86c7f2

Download Submit
C:\Windows\{2D4C3AAB-2192-4b40-AFA1-B71E70C2C93D}.exe

Filesize
197KB

MD5
2c3b57ccce57b7f092664943ca86ad3d

SHA1
59af693e898d48c7ce83095514d8ae3fbfcb4767

SHA256
cdf64049d44a02ce20eb9ad1eee01b710e5e7aad072cb4d315691e531448774e

SHA512
b90d437fc58f1385e26888aa70f37e9122947f65f2a0362d4bbb26aef6af16441af19588517d911cf46912da9fb82c461d78507bfb71a731146a58047fd6a415

Download Submit
C:\Windows\{31418FE6-898F-472b-A293-D984E2A1BD58}.exe

Filesize
197KB

MD5
a3932de16d1e3889319fc2d51fa5d6ef

SHA1
4410629c38804e2a956bb88a67f843f95f320c6a

SHA256
0b0fe7f6b84de1f1f46f40195f48faf15fd63f7d4d7461c05c0959f0b0a96b52

SHA512
712a86583db2a06f79791b0c1ec12ba0cb5d4b9d63f67d413a5c407baeef57edbff7c16d0807cfdd079eead70ac882eb39a55a64a930f5a357b34478f8afbe17

Download Submit
C:\Windows\{455E712A-13D5-4701-A64C-999F474703CA}.exe

Filesize
197KB

MD5
8675d09dbdefb0d48caa373500b726ce

SHA1
a45c153f06d900b510de4446c5a30669523cb605

SHA256
591f29c62a80293c877b6725011a6ef929b6bf6af1ff6416c9d69a11c8e4b008

SHA512
248d7a3925af3ca57fc9016a53e8d28bf951dfb205c6d3a8fca75555bb948bffeee84e1920fa42852913cdf44e98476cedfa691235868bedd465385fdbe6b6f5

Download Submit
C:\Windows\{557532BC-3298-4f35-A130-5C6AA06E2EE4}.exe

Filesize
197KB

MD5
8f4f1a1e084393699e46760068d579de

SHA1
ab7d4e973b64371a35a9c50e784a210e03b3e6ed

SHA256
fad80d6f9d7e3d2be3248f1f92e4f30fd6eb33d0ec0b400c8c8758517c35a970

SHA512
fd1d528d86c15377e4fa361cdab07c37476d4a112bf0734b2d131033b2d013d14b29588b5a4180f81635885b648d76c578761157d7e5cdd1312ba4d8c245c95b

Download Submit
C:\Windows\{5F16FE52-15D8-4be2-BC3F-C82C6F968B25}.exe

Filesize
197KB

MD5
7a1bba56413feb45f178cbcd706bb998

SHA1
d322232d73c873ef77d6534b6e4642d1c1b2a3fe

SHA256
5d1e0fa88c673e05da0090eb685e0dc5d674d20f184f6d237ef4611817eae6a6

SHA512
6e6790c9339582437626e10d27d477b48d6c2d16b26a5f2d42792e8aa204bdb34db4e5c629da2413acba087f4e05db76692c59ad6b11b93f05917634a6e95aab

Download Submit
C:\Windows\{6D68BFDE-9F91-4b9a-BE05-8D57AD2C3D72}.exe

Filesize
197KB

MD5
681143c64b5c69de882d90b2232598f5

SHA1
13deccbcfcc64464cbe4892716348cbc965009be

SHA256
343b2bfae4c9b95e509a38c2551464338f6b33d9557125c4c9ff3cf131dd1584

SHA512
c3d49fcedcb4ef700dd917f8adc06ed120a4349f82b22401ed312439dc35e90e4252c60c4e6656fff5cc4d598d11f683f5b8716ec89c97b0dd464e1ab2f46531

Download Submit
C:\Windows\{8322340B-A987-4c8b-8F4C-6BD6CFB64E64}.exe

Filesize
197KB

MD5
54e3dead7cd6978a80fcdd02a425e50d

SHA1
5d5882239cc71406f49ea91dc2acfa0be89398b1

SHA256
bd09b2dd9bf43f53be70aa0fc90839c062d032ed61edfec76c23a6001e2a3c53

SHA512
d7cbc956442d3722f9a6ef45553f97e518dc19dfaa9d0cf60f4896b511adf66ead50893c0d9be1420c670f830c994ec3f6a2937d3346b8138632c401bb445ade

Download Submit
C:\Windows\{AEBD7081-7F71-480d-A83C-B0BE13B87877}.exe

Filesize
197KB

MD5
3d9e285e5a9f6583f31970907ff07001

SHA1
4829ed81566b85d7bcd33aa815654229c5107c0f

SHA256
93b06f3ecca722ca8ba2959865b4383aac43698cb9f4fcb8a927cb2d355ff1ec

SHA512
4587dc2a6d029ab89767fe1d0ee76165c0ab8e48b713137e615ac08156d14433e9f01878b754e81ccc64fc771bf8bcf228aee30493b9716d28233c90fc5dc65d

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads