3f0c3fe0604e9f25694a9a8ad802fc3b07c86cdfd9207ab4434c93ba2a3ef79f

Analysis

max time kernel
144s
max time network
127s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
14/02/2024, 17:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-14_de6248344ac739013058adcef5998d16_goldeneye.exe
Size

180KB
MD5

de6248344ac739013058adcef5998d16
SHA1

9341208eb0dac6148f283f350683bd87f6c196ed
SHA256

3f0c3fe0604e9f25694a9a8ad802fc3b07c86cdfd9207ab4434c93ba2a3ef79f
SHA512

d9d058def566fca0eefb62d08bb8fee2b381dce8177bf4fd022c6ed8a7e4d7e4a43103f938fd81d74c0df54f0ca5300a3e32582521eee1fbe849040d9abb8d49
SSDEEP

3072:jEGh0oqlfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGwl5eKcAEc

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral1/files/0x000b00000001226e-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e0000000126a6-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0012000000015c2f-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000300000000b1f7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000400000000b1f7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000500000000b1f7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f0000000126a6-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000600000000b1f7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A6F407C6-8E81-49fe-B3D5-A73E4FEB1C2C}\stubpath = "C:\\Windows\\{A6F407C6-8E81-49fe-B3D5-A73E4FEB1C2C}.exe"	2024-02-14_de6248344ac739013058adcef5998d16_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B7814034-9061-4006-BBC1-5E8D6C176043}\stubpath = "C:\\Windows\\{B7814034-9061-4006-BBC1-5E8D6C176043}.exe"	{3CB050E3-DE4F-4ae5-AF1D-AF357190208E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BFCFC7B2-3F97-448d-A7F3-26E223CD1003}	{52F4A76A-8D82-44af-990C-32FC905AAF9D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FDED50F4-CF08-4b45-99E2-1C73A467E448}\stubpath = "C:\\Windows\\{FDED50F4-CF08-4b45-99E2-1C73A467E448}.exe"	{BFCFC7B2-3F97-448d-A7F3-26E223CD1003}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F3A7246B-D1F9-4076-984C-93F27F84B7FA}	{6FA9BED3-5066-4c50-8677-4774B02A70E0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0ADFE140-3498-48e1-A066-BBE0438FF19D}	{36A10038-BCBF-4fa5-8A17-9C60D8034A03}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0ADFE140-3498-48e1-A066-BBE0438FF19D}\stubpath = "C:\\Windows\\{0ADFE140-3498-48e1-A066-BBE0438FF19D}.exe"	{36A10038-BCBF-4fa5-8A17-9C60D8034A03}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A6F407C6-8E81-49fe-B3D5-A73E4FEB1C2C}	2024-02-14_de6248344ac739013058adcef5998d16_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B7814034-9061-4006-BBC1-5E8D6C176043}	{3CB050E3-DE4F-4ae5-AF1D-AF357190208E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{52F4A76A-8D82-44af-990C-32FC905AAF9D}	{B7814034-9061-4006-BBC1-5E8D6C176043}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{92B2CCB8-0EB3-454b-9C49-BAEA91CCBF6E}\stubpath = "C:\\Windows\\{92B2CCB8-0EB3-454b-9C49-BAEA91CCBF6E}.exe"	{FDED50F4-CF08-4b45-99E2-1C73A467E448}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6FA9BED3-5066-4c50-8677-4774B02A70E0}	{92B2CCB8-0EB3-454b-9C49-BAEA91CCBF6E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F3A7246B-D1F9-4076-984C-93F27F84B7FA}\stubpath = "C:\\Windows\\{F3A7246B-D1F9-4076-984C-93F27F84B7FA}.exe"	{6FA9BED3-5066-4c50-8677-4774B02A70E0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3CB050E3-DE4F-4ae5-AF1D-AF357190208E}	{A6F407C6-8E81-49fe-B3D5-A73E4FEB1C2C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{52F4A76A-8D82-44af-990C-32FC905AAF9D}\stubpath = "C:\\Windows\\{52F4A76A-8D82-44af-990C-32FC905AAF9D}.exe"	{B7814034-9061-4006-BBC1-5E8D6C176043}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BFCFC7B2-3F97-448d-A7F3-26E223CD1003}\stubpath = "C:\\Windows\\{BFCFC7B2-3F97-448d-A7F3-26E223CD1003}.exe"	{52F4A76A-8D82-44af-990C-32FC905AAF9D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FDED50F4-CF08-4b45-99E2-1C73A467E448}	{BFCFC7B2-3F97-448d-A7F3-26E223CD1003}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{92B2CCB8-0EB3-454b-9C49-BAEA91CCBF6E}	{FDED50F4-CF08-4b45-99E2-1C73A467E448}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6FA9BED3-5066-4c50-8677-4774B02A70E0}\stubpath = "C:\\Windows\\{6FA9BED3-5066-4c50-8677-4774B02A70E0}.exe"	{92B2CCB8-0EB3-454b-9C49-BAEA91CCBF6E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{36A10038-BCBF-4fa5-8A17-9C60D8034A03}	{F3A7246B-D1F9-4076-984C-93F27F84B7FA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{36A10038-BCBF-4fa5-8A17-9C60D8034A03}\stubpath = "C:\\Windows\\{36A10038-BCBF-4fa5-8A17-9C60D8034A03}.exe"	{F3A7246B-D1F9-4076-984C-93F27F84B7FA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3CB050E3-DE4F-4ae5-AF1D-AF357190208E}\stubpath = "C:\\Windows\\{3CB050E3-DE4F-4ae5-AF1D-AF357190208E}.exe"	{A6F407C6-8E81-49fe-B3D5-A73E4FEB1C2C}.exe

Deletes itself 1 IoCs

pid	Process
2860	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2688	{A6F407C6-8E81-49fe-B3D5-A73E4FEB1C2C}.exe
2124	{3CB050E3-DE4F-4ae5-AF1D-AF357190208E}.exe
2112	{B7814034-9061-4006-BBC1-5E8D6C176043}.exe
2876	{52F4A76A-8D82-44af-990C-32FC905AAF9D}.exe
780	{BFCFC7B2-3F97-448d-A7F3-26E223CD1003}.exe
1960	{FDED50F4-CF08-4b45-99E2-1C73A467E448}.exe
1088	{92B2CCB8-0EB3-454b-9C49-BAEA91CCBF6E}.exe
2788	{6FA9BED3-5066-4c50-8677-4774B02A70E0}.exe
1604	{F3A7246B-D1F9-4076-984C-93F27F84B7FA}.exe
2460	{36A10038-BCBF-4fa5-8A17-9C60D8034A03}.exe
2424	{0ADFE140-3498-48e1-A066-BBE0438FF19D}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{BFCFC7B2-3F97-448d-A7F3-26E223CD1003}.exe	{52F4A76A-8D82-44af-990C-32FC905AAF9D}.exe
File created	C:\Windows\{92B2CCB8-0EB3-454b-9C49-BAEA91CCBF6E}.exe	{FDED50F4-CF08-4b45-99E2-1C73A467E448}.exe
File created	C:\Windows\{36A10038-BCBF-4fa5-8A17-9C60D8034A03}.exe	{F3A7246B-D1F9-4076-984C-93F27F84B7FA}.exe
File created	C:\Windows\{0ADFE140-3498-48e1-A066-BBE0438FF19D}.exe	{36A10038-BCBF-4fa5-8A17-9C60D8034A03}.exe
File created	C:\Windows\{A6F407C6-8E81-49fe-B3D5-A73E4FEB1C2C}.exe	2024-02-14_de6248344ac739013058adcef5998d16_goldeneye.exe
File created	C:\Windows\{3CB050E3-DE4F-4ae5-AF1D-AF357190208E}.exe	{A6F407C6-8E81-49fe-B3D5-A73E4FEB1C2C}.exe
File created	C:\Windows\{B7814034-9061-4006-BBC1-5E8D6C176043}.exe	{3CB050E3-DE4F-4ae5-AF1D-AF357190208E}.exe
File created	C:\Windows\{52F4A76A-8D82-44af-990C-32FC905AAF9D}.exe	{B7814034-9061-4006-BBC1-5E8D6C176043}.exe
File created	C:\Windows\{FDED50F4-CF08-4b45-99E2-1C73A467E448}.exe	{BFCFC7B2-3F97-448d-A7F3-26E223CD1003}.exe
File created	C:\Windows\{6FA9BED3-5066-4c50-8677-4774B02A70E0}.exe	{92B2CCB8-0EB3-454b-9C49-BAEA91CCBF6E}.exe
File created	C:\Windows\{F3A7246B-D1F9-4076-984C-93F27F84B7FA}.exe	{6FA9BED3-5066-4c50-8677-4774B02A70E0}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2012	2024-02-14_de6248344ac739013058adcef5998d16_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2688	{A6F407C6-8E81-49fe-B3D5-A73E4FEB1C2C}.exe
Token: SeIncBasePriorityPrivilege	2124	{3CB050E3-DE4F-4ae5-AF1D-AF357190208E}.exe
Token: SeIncBasePriorityPrivilege	2112	{B7814034-9061-4006-BBC1-5E8D6C176043}.exe
Token: SeIncBasePriorityPrivilege	2876	{52F4A76A-8D82-44af-990C-32FC905AAF9D}.exe
Token: SeIncBasePriorityPrivilege	780	{BFCFC7B2-3F97-448d-A7F3-26E223CD1003}.exe
Token: SeIncBasePriorityPrivilege	1960	{FDED50F4-CF08-4b45-99E2-1C73A467E448}.exe
Token: SeIncBasePriorityPrivilege	1088	{92B2CCB8-0EB3-454b-9C49-BAEA91CCBF6E}.exe
Token: SeIncBasePriorityPrivilege	2788	{6FA9BED3-5066-4c50-8677-4774B02A70E0}.exe
Token: SeIncBasePriorityPrivilege	1604	{F3A7246B-D1F9-4076-984C-93F27F84B7FA}.exe
Token: SeIncBasePriorityPrivilege	2460	{36A10038-BCBF-4fa5-8A17-9C60D8034A03}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2012 wrote to memory of 2688	2012	2024-02-14_de6248344ac739013058adcef5998d16_goldeneye.exe	28
PID 2012 wrote to memory of 2688	2012	2024-02-14_de6248344ac739013058adcef5998d16_goldeneye.exe	28
PID 2012 wrote to memory of 2688	2012	2024-02-14_de6248344ac739013058adcef5998d16_goldeneye.exe	28
PID 2012 wrote to memory of 2688	2012	2024-02-14_de6248344ac739013058adcef5998d16_goldeneye.exe	28
PID 2012 wrote to memory of 2860	2012	2024-02-14_de6248344ac739013058adcef5998d16_goldeneye.exe	29
PID 2012 wrote to memory of 2860	2012	2024-02-14_de6248344ac739013058adcef5998d16_goldeneye.exe	29
PID 2012 wrote to memory of 2860	2012	2024-02-14_de6248344ac739013058adcef5998d16_goldeneye.exe	29
PID 2012 wrote to memory of 2860	2012	2024-02-14_de6248344ac739013058adcef5998d16_goldeneye.exe	29
PID 2688 wrote to memory of 2124	2688	{A6F407C6-8E81-49fe-B3D5-A73E4FEB1C2C}.exe	30
PID 2688 wrote to memory of 2124	2688	{A6F407C6-8E81-49fe-B3D5-A73E4FEB1C2C}.exe	30
PID 2688 wrote to memory of 2124	2688	{A6F407C6-8E81-49fe-B3D5-A73E4FEB1C2C}.exe	30
PID 2688 wrote to memory of 2124	2688	{A6F407C6-8E81-49fe-B3D5-A73E4FEB1C2C}.exe	30
PID 2688 wrote to memory of 1940	2688	{A6F407C6-8E81-49fe-B3D5-A73E4FEB1C2C}.exe	31
PID 2688 wrote to memory of 1940	2688	{A6F407C6-8E81-49fe-B3D5-A73E4FEB1C2C}.exe	31
PID 2688 wrote to memory of 1940	2688	{A6F407C6-8E81-49fe-B3D5-A73E4FEB1C2C}.exe	31
PID 2688 wrote to memory of 1940	2688	{A6F407C6-8E81-49fe-B3D5-A73E4FEB1C2C}.exe	31
PID 2124 wrote to memory of 2112	2124	{3CB050E3-DE4F-4ae5-AF1D-AF357190208E}.exe	34
PID 2124 wrote to memory of 2112	2124	{3CB050E3-DE4F-4ae5-AF1D-AF357190208E}.exe	34
PID 2124 wrote to memory of 2112	2124	{3CB050E3-DE4F-4ae5-AF1D-AF357190208E}.exe	34
PID 2124 wrote to memory of 2112	2124	{3CB050E3-DE4F-4ae5-AF1D-AF357190208E}.exe	34
PID 2124 wrote to memory of 2172	2124	{3CB050E3-DE4F-4ae5-AF1D-AF357190208E}.exe	35
PID 2124 wrote to memory of 2172	2124	{3CB050E3-DE4F-4ae5-AF1D-AF357190208E}.exe	35
PID 2124 wrote to memory of 2172	2124	{3CB050E3-DE4F-4ae5-AF1D-AF357190208E}.exe	35
PID 2124 wrote to memory of 2172	2124	{3CB050E3-DE4F-4ae5-AF1D-AF357190208E}.exe	35
PID 2112 wrote to memory of 2876	2112	{B7814034-9061-4006-BBC1-5E8D6C176043}.exe	36
PID 2112 wrote to memory of 2876	2112	{B7814034-9061-4006-BBC1-5E8D6C176043}.exe	36
PID 2112 wrote to memory of 2876	2112	{B7814034-9061-4006-BBC1-5E8D6C176043}.exe	36
PID 2112 wrote to memory of 2876	2112	{B7814034-9061-4006-BBC1-5E8D6C176043}.exe	36
PID 2112 wrote to memory of 2948	2112	{B7814034-9061-4006-BBC1-5E8D6C176043}.exe	37
PID 2112 wrote to memory of 2948	2112	{B7814034-9061-4006-BBC1-5E8D6C176043}.exe	37
PID 2112 wrote to memory of 2948	2112	{B7814034-9061-4006-BBC1-5E8D6C176043}.exe	37
PID 2112 wrote to memory of 2948	2112	{B7814034-9061-4006-BBC1-5E8D6C176043}.exe	37
PID 2876 wrote to memory of 780	2876	{52F4A76A-8D82-44af-990C-32FC905AAF9D}.exe	38
PID 2876 wrote to memory of 780	2876	{52F4A76A-8D82-44af-990C-32FC905AAF9D}.exe	38
PID 2876 wrote to memory of 780	2876	{52F4A76A-8D82-44af-990C-32FC905AAF9D}.exe	38
PID 2876 wrote to memory of 780	2876	{52F4A76A-8D82-44af-990C-32FC905AAF9D}.exe	38
PID 2876 wrote to memory of 760	2876	{52F4A76A-8D82-44af-990C-32FC905AAF9D}.exe	39
PID 2876 wrote to memory of 760	2876	{52F4A76A-8D82-44af-990C-32FC905AAF9D}.exe	39
PID 2876 wrote to memory of 760	2876	{52F4A76A-8D82-44af-990C-32FC905AAF9D}.exe	39
PID 2876 wrote to memory of 760	2876	{52F4A76A-8D82-44af-990C-32FC905AAF9D}.exe	39
PID 780 wrote to memory of 1960	780	{BFCFC7B2-3F97-448d-A7F3-26E223CD1003}.exe	40
PID 780 wrote to memory of 1960	780	{BFCFC7B2-3F97-448d-A7F3-26E223CD1003}.exe	40
PID 780 wrote to memory of 1960	780	{BFCFC7B2-3F97-448d-A7F3-26E223CD1003}.exe	40
PID 780 wrote to memory of 1960	780	{BFCFC7B2-3F97-448d-A7F3-26E223CD1003}.exe	40
PID 780 wrote to memory of 1980	780	{BFCFC7B2-3F97-448d-A7F3-26E223CD1003}.exe	41
PID 780 wrote to memory of 1980	780	{BFCFC7B2-3F97-448d-A7F3-26E223CD1003}.exe	41
PID 780 wrote to memory of 1980	780	{BFCFC7B2-3F97-448d-A7F3-26E223CD1003}.exe	41
PID 780 wrote to memory of 1980	780	{BFCFC7B2-3F97-448d-A7F3-26E223CD1003}.exe	41
PID 1960 wrote to memory of 1088	1960	{FDED50F4-CF08-4b45-99E2-1C73A467E448}.exe	42
PID 1960 wrote to memory of 1088	1960	{FDED50F4-CF08-4b45-99E2-1C73A467E448}.exe	42
PID 1960 wrote to memory of 1088	1960	{FDED50F4-CF08-4b45-99E2-1C73A467E448}.exe	42
PID 1960 wrote to memory of 1088	1960	{FDED50F4-CF08-4b45-99E2-1C73A467E448}.exe	42
PID 1960 wrote to memory of 292	1960	{FDED50F4-CF08-4b45-99E2-1C73A467E448}.exe	43
PID 1960 wrote to memory of 292	1960	{FDED50F4-CF08-4b45-99E2-1C73A467E448}.exe	43
PID 1960 wrote to memory of 292	1960	{FDED50F4-CF08-4b45-99E2-1C73A467E448}.exe	43
PID 1960 wrote to memory of 292	1960	{FDED50F4-CF08-4b45-99E2-1C73A467E448}.exe	43
PID 1088 wrote to memory of 2788	1088	{92B2CCB8-0EB3-454b-9C49-BAEA91CCBF6E}.exe	44
PID 1088 wrote to memory of 2788	1088	{92B2CCB8-0EB3-454b-9C49-BAEA91CCBF6E}.exe	44
PID 1088 wrote to memory of 2788	1088	{92B2CCB8-0EB3-454b-9C49-BAEA91CCBF6E}.exe	44
PID 1088 wrote to memory of 2788	1088	{92B2CCB8-0EB3-454b-9C49-BAEA91CCBF6E}.exe	44
PID 1088 wrote to memory of 2648	1088	{92B2CCB8-0EB3-454b-9C49-BAEA91CCBF6E}.exe	45
PID 1088 wrote to memory of 2648	1088	{92B2CCB8-0EB3-454b-9C49-BAEA91CCBF6E}.exe	45
PID 1088 wrote to memory of 2648	1088	{92B2CCB8-0EB3-454b-9C49-BAEA91CCBF6E}.exe	45
PID 1088 wrote to memory of 2648	1088	{92B2CCB8-0EB3-454b-9C49-BAEA91CCBF6E}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-02-14_de6248344ac739013058adcef5998d16_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-14_de6248344ac739013058adcef5998d16_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2012
- C:\Windows\{A6F407C6-8E81-49fe-B3D5-A73E4FEB1C2C}.exe
  C:\Windows\{A6F407C6-8E81-49fe-B3D5-A73E4FEB1C2C}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2688
- - C:\Windows\{3CB050E3-DE4F-4ae5-AF1D-AF357190208E}.exe
    C:\Windows\{3CB050E3-DE4F-4ae5-AF1D-AF357190208E}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2124
  - - C:\Windows\{B7814034-9061-4006-BBC1-5E8D6C176043}.exe
      C:\Windows\{B7814034-9061-4006-BBC1-5E8D6C176043}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2112
    - - C:\Windows\{52F4A76A-8D82-44af-990C-32FC905AAF9D}.exe
        
        C:\Windows\{52F4A76A-8D82-44af-990C-32FC905AAF9D}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2876
      - C:\Windows\{BFCFC7B2-3F97-448d-A7F3-26E223CD1003}.exe
        
        C:\Windows\{BFCFC7B2-3F97-448d-A7F3-26E223CD1003}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:780
        
        C:\Windows\{FDED50F4-CF08-4b45-99E2-1C73A467E448}.exe
        
        C:\Windows\{FDED50F4-CF08-4b45-99E2-1C73A467E448}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1960
        
        C:\Windows\{92B2CCB8-0EB3-454b-9C49-BAEA91CCBF6E}.exe
        
        C:\Windows\{92B2CCB8-0EB3-454b-9C49-BAEA91CCBF6E}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1088
        
        C:\Windows\{6FA9BED3-5066-4c50-8677-4774B02A70E0}.exe
        
        C:\Windows\{6FA9BED3-5066-4c50-8677-4774B02A70E0}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2788
        
        C:\Windows\{F3A7246B-D1F9-4076-984C-93F27F84B7FA}.exe
        
        C:\Windows\{F3A7246B-D1F9-4076-984C-93F27F84B7FA}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1604
        
        C:\Windows\{36A10038-BCBF-4fa5-8A17-9C60D8034A03}.exe
        
        C:\Windows\{36A10038-BCBF-4fa5-8A17-9C60D8034A03}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2460
        
        C:\Windows\{0ADFE140-3498-48e1-A066-BBE0438FF19D}.exe
        
        C:\Windows\{0ADFE140-3498-48e1-A066-BBE0438FF19D}.exe
        12⤵
        Executes dropped EXE
        
        PID:2424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{36A10~1.EXE > nul
        12⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F3A72~1.EXE > nul
        11⤵
        
        PID:2996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6FA9B~1.EXE > nul
        10⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{92B2C~1.EXE > nul
        9⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FDED5~1.EXE > nul
        8⤵
        
        PID:292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BFCFC~1.EXE > nul
        7⤵
        
        PID:1980
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{52F4A~1.EXE > nul
        6⤵
        
        PID:760
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B7814~1.EXE > nul
        5⤵
        
        PID:2948
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{3CB05~1.EXE > nul
      4⤵
      PID:2172
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{A6F40~1.EXE > nul
    3⤵
    PID:1940
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0ADFE140-3498-48e1-A066-BBE0438FF19D}.exe

Filesize
180KB

MD5
aca0606dc8d4fdb3f44b09d314006cf1

SHA1
f11dfea4bae76222cc0edd28ae11592039ea936b

SHA256
387102ca869b80c2e78bce679d9c216dcc44d83ed967d72916ec00d88dbf1318

SHA512
1ab42c8e8d5bf8298baa8288b7a92956908097fde948dc6dde6946512be0ea0de92824d2fe93ec923ed5ca165c4f467f488aeb172d56490fb4096e49c211d602

Download Submit
C:\Windows\{36A10038-BCBF-4fa5-8A17-9C60D8034A03}.exe

Filesize
180KB

MD5
1c649d0c449126e51f16121294ec68aa

SHA1
0518b6b38dff581829b8effeed8dd8794cc7fa50

SHA256
c279817fe2f71714438439b0cf1762acd142a42ca7469c720ab78830b290ba45

SHA512
2a4f316b86233d6098cbf735ea24f6db162c42e0e1013c362e8accf3184e8b0068c2bfc9813e50d8bd78b9926183a5008716f3e25577c17e1adc6300e9f52d1f

Download Submit
C:\Windows\{3CB050E3-DE4F-4ae5-AF1D-AF357190208E}.exe

Filesize
180KB

MD5
ba00097060b7d41f34cbc13bd9f2bf53

SHA1
0d58e369668ac230ab33764d5eb345f0828d5ccb

SHA256
c855b454b1be5f65663deca8a32f4c8d3a55b57687dd05282905cec4434f7506

SHA512
6f5916b37e9b4aa5ac334b468e3fce86907aad3b9b6ac5ccdeb426b7763c8736f7da5c24e1bd3e315aebf759a1034e976942a502225ce6b4c0df04ce047061b8

Download Submit
C:\Windows\{52F4A76A-8D82-44af-990C-32FC905AAF9D}.exe

Filesize
180KB

MD5
f8e63d761e2bba0ffe4ed2d683eeba08

SHA1
978019ef7906957e944b27dd58cb49ff7e299222

SHA256
92ca92345e3172740771305331d6672cdef5b623adad6f9c8ab478a8465afcca

SHA512
913afe48f202ad0738dee9c2243cc85b64948203c4ae2adc4a7c73305eb524641117224014eae41650d384bcb963680e8f35380427247801531561d8c1eb5d22

Download Submit
C:\Windows\{52F4A76A-8D82-44af-990C-32FC905AAF9D}.exe

Filesize
2KB

MD5
a2a093be4e86e81bb30ab9b5aa8e7a79

SHA1
28702f726560335282b42043b7e09a6d41574ad5

SHA256
85d55df484838bdf7b8fc4290b1c79135e06a6ede88978d502383e7ad185ab3c

SHA512
40a346be2e22d3a7885911064fc1d806f1009d98978fa5ec960b3b96afa52195be2b9384c121af40209bc4da699d4773149bfbf9c96cb20adc8226e03977f12d

Download Submit
C:\Windows\{6FA9BED3-5066-4c50-8677-4774B02A70E0}.exe

Filesize
180KB

MD5
2eea5d3496820459608510070e990718

SHA1
53f067d499c0c7d2114208b4617e4c12996080f2

SHA256
22f3062d4c2934a29cbfddb5e3cba403971b20b5e5ccd8bfdea0859636874dd2

SHA512
2a862e9520f189d14180704c6ef43f663bdb3ae4fc1b6723decbf368eef7d664ca5ac0c43de0e8b53284a854372b5e6ad78292922cdbba72e3ce90845a25dfbe

Download Submit
C:\Windows\{92B2CCB8-0EB3-454b-9C49-BAEA91CCBF6E}.exe

Filesize
180KB

MD5
946241d0acd6f672417d26b9dbf65fbb

SHA1
d12f2d6c7ac507856707ad4ecb0202472859f384

SHA256
773762972436e0b1775fc2efe1a7e189e9703708fd46cd3d4068e3d5f88555ac

SHA512
f9c617e9455665687c2710e4c1baf90183d960fc5e0ea5df639e04761d8f19d3e462c624be9260c139cb9ff7ace1cb49d4f5143b98d79153913d4fd8a481e3eb

Download Submit
C:\Windows\{A6F407C6-8E81-49fe-B3D5-A73E4FEB1C2C}.exe

Filesize
180KB

MD5
cc8fd5659a9b33b794446ec1c5d1873a

SHA1
a83c95e5d9f8fb0392c84b2715dc102a2053c592

SHA256
d0c2f9536e81cd7df14e62ded5aa8fd93acc1944b4b84c8a9ccd147673c30869

SHA512
c165a5f7528de8f671b6d40ffa64dc8dea9976e0fa11e7130b5216e23dbffb8854dd5e92862b39f14d3a642e89d5cac7532b0d8d9bb598f0078f203f22977df3

Download Submit
C:\Windows\{B7814034-9061-4006-BBC1-5E8D6C176043}.exe

Filesize
180KB

MD5
8dea22fb88f43ae6f148265e0363232d

SHA1
64678574ab5e05cdde9bd65aab14ba6b0dbb98ec

SHA256
3be42fce3b76ea616e6bb094da43e8e838df770adb761491d10a788c6ce9fae8

SHA512
2726dd6ac5a30104e551ad2cfb4ba4affea37e2eba4696e094a6bfa256c83f8d19bed5467032878cdc1e03adc41994813ffdbe98afbe0ea336a2ccb8e57c195a

Download Submit
C:\Windows\{BFCFC7B2-3F97-448d-A7F3-26E223CD1003}.exe

Filesize
180KB

MD5
5a61331f19bd7afe7e1d8ddb61b170e0

SHA1
8a97e9e69452e1de5881b82938b3000b47bdfff7

SHA256
25007ef8f885b0966a0fc4f8cc420a975e8d7ccb8f55d9fda62c04512cd184d2

SHA512
28debb0f8a119b71261fbe48d5d19ada82726fa03d79aed5431ede9dac21e82fc8c456224b10e6c56d4452f06c2264ca34b1729fe7c0de1fea0b731b621809fc

Download Submit
C:\Windows\{F3A7246B-D1F9-4076-984C-93F27F84B7FA}.exe

Filesize
180KB

MD5
913817085233f47ff9797bf613eace0a

SHA1
8c7b29a104dba7e5c62d996ea657e7fc6e6a160f

SHA256
8b0a0e764a15ba2eddddf5e5a39924816d60a7be711134f68a7c194c0783d39c

SHA512
bf3db61647c1acccc9c345946aec9e78367bf29e5726f63dfa550e2552d4700ec606964ef50b8ebe48f6e66529118ee839f87fba503e761cd5e207941cc7dfb8

Download Submit
C:\Windows\{FDED50F4-CF08-4b45-99E2-1C73A467E448}.exe

Filesize
180KB

MD5
8c7f2ad089dcf633d37572f3130a6cbd

SHA1
c1e2e2d80203e18c27a7ac386a98f4b7f9afcf1d

SHA256
dadb4475503267bec7011d623ce7bd106bd07106ac4c28849cf0385cf08392ff

SHA512
d6cab95e4023398831e222fbf6127a159611805172cfd1d0347ab84485e3064c627c6d85229920e033d0cb6f57eb52683a85421e39d9ced0fff5fb53e46a7ef7

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads