c1365f9dcf2e3bbd52a54571dd2a8b732125b96b0570139bb6a81f34c37c27a6

Analysis

max time kernel
144s
max time network
126s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
17-02-2024 19:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-17_4bae404766b8ff52abff8337ba3de905_goldeneye.exe
Size

408KB
MD5

4bae404766b8ff52abff8337ba3de905
SHA1

7328dc4e10ebf9b112c00a2951f6f69ad62bc16f
SHA256

c1365f9dcf2e3bbd52a54571dd2a8b732125b96b0570139bb6a81f34c37c27a6
SHA512

18fdfc5c337d455ddad7e8471177681a024e32d1b5f6032ab8cc9dbefecfbc5e50bac89e14bb2fbe753f9ce9181ae2dbe66e2dd7de51136e16d3ac9a4e0407a1
SSDEEP

3072:CEGh0oMl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBft:CEGCldOe2MUVg3vTeKcAEciTBqr3jy9

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x0008000000012257-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d0000000122f6-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0030000000015c41-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000300000000b1f7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000400000000b1f7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000500000000b1f7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000600000000b1f7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A550E64A-45D3-4479-84B8-DE40455254B9}\stubpath = "C:\\Windows\\{A550E64A-45D3-4479-84B8-DE40455254B9}.exe"	{134B26FB-6016-418b-A2C9-16DC066A99F8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2A84A910-5541-4870-8614-20ACEB0BE7F5}\stubpath = "C:\\Windows\\{2A84A910-5541-4870-8614-20ACEB0BE7F5}.exe"	{C1F09C1C-252F-409a-9AD9-3D4863762216}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{31BDB169-52BB-4d76-8A75-5283D34ED5AB}	{C3298334-B4AB-4571-8400-46FF574325E9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B6D03FA8-1074-4f39-A1FC-E17DAEEA6D02}	{31BDB169-52BB-4d76-8A75-5283D34ED5AB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5803FB41-8F64-4b02-B4E5-12A9C9AD65AE}	{B6D03FA8-1074-4f39-A1FC-E17DAEEA6D02}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{134B26FB-6016-418b-A2C9-16DC066A99F8}	{AF06D963-DBE8-4024-9516-3B055931DA96}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B6D03FA8-1074-4f39-A1FC-E17DAEEA6D02}\stubpath = "C:\\Windows\\{B6D03FA8-1074-4f39-A1FC-E17DAEEA6D02}.exe"	{31BDB169-52BB-4d76-8A75-5283D34ED5AB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AF06D963-DBE8-4024-9516-3B055931DA96}\stubpath = "C:\\Windows\\{AF06D963-DBE8-4024-9516-3B055931DA96}.exe"	{5803FB41-8F64-4b02-B4E5-12A9C9AD65AE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C1F09C1C-252F-409a-9AD9-3D4863762216}	{A550E64A-45D3-4479-84B8-DE40455254B9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2A84A910-5541-4870-8614-20ACEB0BE7F5}	{C1F09C1C-252F-409a-9AD9-3D4863762216}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1C6F6292-FF8F-445c-86A9-8EF4CDC8EE97}	2024-02-17_4bae404766b8ff52abff8337ba3de905_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{24925B2A-51F5-458e-BDDE-CCEC6B659203}\stubpath = "C:\\Windows\\{24925B2A-51F5-458e-BDDE-CCEC6B659203}.exe"	{1C6F6292-FF8F-445c-86A9-8EF4CDC8EE97}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C3298334-B4AB-4571-8400-46FF574325E9}	{24925B2A-51F5-458e-BDDE-CCEC6B659203}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{31BDB169-52BB-4d76-8A75-5283D34ED5AB}\stubpath = "C:\\Windows\\{31BDB169-52BB-4d76-8A75-5283D34ED5AB}.exe"	{C3298334-B4AB-4571-8400-46FF574325E9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A550E64A-45D3-4479-84B8-DE40455254B9}	{134B26FB-6016-418b-A2C9-16DC066A99F8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C1F09C1C-252F-409a-9AD9-3D4863762216}\stubpath = "C:\\Windows\\{C1F09C1C-252F-409a-9AD9-3D4863762216}.exe"	{A550E64A-45D3-4479-84B8-DE40455254B9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1C6F6292-FF8F-445c-86A9-8EF4CDC8EE97}\stubpath = "C:\\Windows\\{1C6F6292-FF8F-445c-86A9-8EF4CDC8EE97}.exe"	2024-02-17_4bae404766b8ff52abff8337ba3de905_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{24925B2A-51F5-458e-BDDE-CCEC6B659203}	{1C6F6292-FF8F-445c-86A9-8EF4CDC8EE97}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5803FB41-8F64-4b02-B4E5-12A9C9AD65AE}\stubpath = "C:\\Windows\\{5803FB41-8F64-4b02-B4E5-12A9C9AD65AE}.exe"	{B6D03FA8-1074-4f39-A1FC-E17DAEEA6D02}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{134B26FB-6016-418b-A2C9-16DC066A99F8}\stubpath = "C:\\Windows\\{134B26FB-6016-418b-A2C9-16DC066A99F8}.exe"	{AF06D963-DBE8-4024-9516-3B055931DA96}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C3298334-B4AB-4571-8400-46FF574325E9}\stubpath = "C:\\Windows\\{C3298334-B4AB-4571-8400-46FF574325E9}.exe"	{24925B2A-51F5-458e-BDDE-CCEC6B659203}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AF06D963-DBE8-4024-9516-3B055931DA96}	{5803FB41-8F64-4b02-B4E5-12A9C9AD65AE}.exe

Deletes itself 1 IoCs

pid	Process
2720	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2668	{1C6F6292-FF8F-445c-86A9-8EF4CDC8EE97}.exe
2952	{24925B2A-51F5-458e-BDDE-CCEC6B659203}.exe
2648	{C3298334-B4AB-4571-8400-46FF574325E9}.exe
1928	{31BDB169-52BB-4d76-8A75-5283D34ED5AB}.exe
2664	{B6D03FA8-1074-4f39-A1FC-E17DAEEA6D02}.exe
1988	{5803FB41-8F64-4b02-B4E5-12A9C9AD65AE}.exe
2928	{AF06D963-DBE8-4024-9516-3B055931DA96}.exe
1648	{134B26FB-6016-418b-A2C9-16DC066A99F8}.exe
1560	{A550E64A-45D3-4479-84B8-DE40455254B9}.exe
2968	{C1F09C1C-252F-409a-9AD9-3D4863762216}.exe
1264	{2A84A910-5541-4870-8614-20ACEB0BE7F5}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{1C6F6292-FF8F-445c-86A9-8EF4CDC8EE97}.exe	2024-02-17_4bae404766b8ff52abff8337ba3de905_goldeneye.exe
File created	C:\Windows\{31BDB169-52BB-4d76-8A75-5283D34ED5AB}.exe	{C3298334-B4AB-4571-8400-46FF574325E9}.exe
File created	C:\Windows\{AF06D963-DBE8-4024-9516-3B055931DA96}.exe	{5803FB41-8F64-4b02-B4E5-12A9C9AD65AE}.exe
File created	C:\Windows\{A550E64A-45D3-4479-84B8-DE40455254B9}.exe	{134B26FB-6016-418b-A2C9-16DC066A99F8}.exe
File created	C:\Windows\{24925B2A-51F5-458e-BDDE-CCEC6B659203}.exe	{1C6F6292-FF8F-445c-86A9-8EF4CDC8EE97}.exe
File created	C:\Windows\{C3298334-B4AB-4571-8400-46FF574325E9}.exe	{24925B2A-51F5-458e-BDDE-CCEC6B659203}.exe
File created	C:\Windows\{B6D03FA8-1074-4f39-A1FC-E17DAEEA6D02}.exe	{31BDB169-52BB-4d76-8A75-5283D34ED5AB}.exe
File created	C:\Windows\{5803FB41-8F64-4b02-B4E5-12A9C9AD65AE}.exe	{B6D03FA8-1074-4f39-A1FC-E17DAEEA6D02}.exe
File created	C:\Windows\{134B26FB-6016-418b-A2C9-16DC066A99F8}.exe	{AF06D963-DBE8-4024-9516-3B055931DA96}.exe
File created	C:\Windows\{C1F09C1C-252F-409a-9AD9-3D4863762216}.exe	{A550E64A-45D3-4479-84B8-DE40455254B9}.exe
File created	C:\Windows\{2A84A910-5541-4870-8614-20ACEB0BE7F5}.exe	{C1F09C1C-252F-409a-9AD9-3D4863762216}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1888	2024-02-17_4bae404766b8ff52abff8337ba3de905_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2668	{1C6F6292-FF8F-445c-86A9-8EF4CDC8EE97}.exe
Token: SeIncBasePriorityPrivilege	2952	{24925B2A-51F5-458e-BDDE-CCEC6B659203}.exe
Token: SeIncBasePriorityPrivilege	2648	{C3298334-B4AB-4571-8400-46FF574325E9}.exe
Token: SeIncBasePriorityPrivilege	1928	{31BDB169-52BB-4d76-8A75-5283D34ED5AB}.exe
Token: SeIncBasePriorityPrivilege	2664	{B6D03FA8-1074-4f39-A1FC-E17DAEEA6D02}.exe
Token: SeIncBasePriorityPrivilege	1988	{5803FB41-8F64-4b02-B4E5-12A9C9AD65AE}.exe
Token: SeIncBasePriorityPrivilege	2928	{AF06D963-DBE8-4024-9516-3B055931DA96}.exe
Token: SeIncBasePriorityPrivilege	1648	{134B26FB-6016-418b-A2C9-16DC066A99F8}.exe
Token: SeIncBasePriorityPrivilege	1560	{A550E64A-45D3-4479-84B8-DE40455254B9}.exe
Token: SeIncBasePriorityPrivilege	2968	{C1F09C1C-252F-409a-9AD9-3D4863762216}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1888 wrote to memory of 2668	1888	2024-02-17_4bae404766b8ff52abff8337ba3de905_goldeneye.exe	28
PID 1888 wrote to memory of 2668	1888	2024-02-17_4bae404766b8ff52abff8337ba3de905_goldeneye.exe	28
PID 1888 wrote to memory of 2668	1888	2024-02-17_4bae404766b8ff52abff8337ba3de905_goldeneye.exe	28
PID 1888 wrote to memory of 2668	1888	2024-02-17_4bae404766b8ff52abff8337ba3de905_goldeneye.exe	28
PID 1888 wrote to memory of 2720	1888	2024-02-17_4bae404766b8ff52abff8337ba3de905_goldeneye.exe	29
PID 1888 wrote to memory of 2720	1888	2024-02-17_4bae404766b8ff52abff8337ba3de905_goldeneye.exe	29
PID 1888 wrote to memory of 2720	1888	2024-02-17_4bae404766b8ff52abff8337ba3de905_goldeneye.exe	29
PID 1888 wrote to memory of 2720	1888	2024-02-17_4bae404766b8ff52abff8337ba3de905_goldeneye.exe	29
PID 2668 wrote to memory of 2952	2668	{1C6F6292-FF8F-445c-86A9-8EF4CDC8EE97}.exe	30
PID 2668 wrote to memory of 2952	2668	{1C6F6292-FF8F-445c-86A9-8EF4CDC8EE97}.exe	30
PID 2668 wrote to memory of 2952	2668	{1C6F6292-FF8F-445c-86A9-8EF4CDC8EE97}.exe	30
PID 2668 wrote to memory of 2952	2668	{1C6F6292-FF8F-445c-86A9-8EF4CDC8EE97}.exe	30
PID 2668 wrote to memory of 2784	2668	{1C6F6292-FF8F-445c-86A9-8EF4CDC8EE97}.exe	31
PID 2668 wrote to memory of 2784	2668	{1C6F6292-FF8F-445c-86A9-8EF4CDC8EE97}.exe	31
PID 2668 wrote to memory of 2784	2668	{1C6F6292-FF8F-445c-86A9-8EF4CDC8EE97}.exe	31
PID 2668 wrote to memory of 2784	2668	{1C6F6292-FF8F-445c-86A9-8EF4CDC8EE97}.exe	31
PID 2952 wrote to memory of 2648	2952	{24925B2A-51F5-458e-BDDE-CCEC6B659203}.exe	35
PID 2952 wrote to memory of 2648	2952	{24925B2A-51F5-458e-BDDE-CCEC6B659203}.exe	35
PID 2952 wrote to memory of 2648	2952	{24925B2A-51F5-458e-BDDE-CCEC6B659203}.exe	35
PID 2952 wrote to memory of 2648	2952	{24925B2A-51F5-458e-BDDE-CCEC6B659203}.exe	35
PID 2952 wrote to memory of 3024	2952	{24925B2A-51F5-458e-BDDE-CCEC6B659203}.exe	34
PID 2952 wrote to memory of 3024	2952	{24925B2A-51F5-458e-BDDE-CCEC6B659203}.exe	34
PID 2952 wrote to memory of 3024	2952	{24925B2A-51F5-458e-BDDE-CCEC6B659203}.exe	34
PID 2952 wrote to memory of 3024	2952	{24925B2A-51F5-458e-BDDE-CCEC6B659203}.exe	34
PID 2648 wrote to memory of 1928	2648	{C3298334-B4AB-4571-8400-46FF574325E9}.exe	37
PID 2648 wrote to memory of 1928	2648	{C3298334-B4AB-4571-8400-46FF574325E9}.exe	37
PID 2648 wrote to memory of 1928	2648	{C3298334-B4AB-4571-8400-46FF574325E9}.exe	37
PID 2648 wrote to memory of 1928	2648	{C3298334-B4AB-4571-8400-46FF574325E9}.exe	37
PID 2648 wrote to memory of 2860	2648	{C3298334-B4AB-4571-8400-46FF574325E9}.exe	36
PID 2648 wrote to memory of 2860	2648	{C3298334-B4AB-4571-8400-46FF574325E9}.exe	36
PID 2648 wrote to memory of 2860	2648	{C3298334-B4AB-4571-8400-46FF574325E9}.exe	36
PID 2648 wrote to memory of 2860	2648	{C3298334-B4AB-4571-8400-46FF574325E9}.exe	36
PID 1928 wrote to memory of 2664	1928	{31BDB169-52BB-4d76-8A75-5283D34ED5AB}.exe	39
PID 1928 wrote to memory of 2664	1928	{31BDB169-52BB-4d76-8A75-5283D34ED5AB}.exe	39
PID 1928 wrote to memory of 2664	1928	{31BDB169-52BB-4d76-8A75-5283D34ED5AB}.exe	39
PID 1928 wrote to memory of 2664	1928	{31BDB169-52BB-4d76-8A75-5283D34ED5AB}.exe	39
PID 1928 wrote to memory of 2148	1928	{31BDB169-52BB-4d76-8A75-5283D34ED5AB}.exe	38
PID 1928 wrote to memory of 2148	1928	{31BDB169-52BB-4d76-8A75-5283D34ED5AB}.exe	38
PID 1928 wrote to memory of 2148	1928	{31BDB169-52BB-4d76-8A75-5283D34ED5AB}.exe	38
PID 1928 wrote to memory of 2148	1928	{31BDB169-52BB-4d76-8A75-5283D34ED5AB}.exe	38
PID 2664 wrote to memory of 1988	2664	{B6D03FA8-1074-4f39-A1FC-E17DAEEA6D02}.exe	41
PID 2664 wrote to memory of 1988	2664	{B6D03FA8-1074-4f39-A1FC-E17DAEEA6D02}.exe	41
PID 2664 wrote to memory of 1988	2664	{B6D03FA8-1074-4f39-A1FC-E17DAEEA6D02}.exe	41
PID 2664 wrote to memory of 1988	2664	{B6D03FA8-1074-4f39-A1FC-E17DAEEA6D02}.exe	41
PID 2664 wrote to memory of 2220	2664	{B6D03FA8-1074-4f39-A1FC-E17DAEEA6D02}.exe	40
PID 2664 wrote to memory of 2220	2664	{B6D03FA8-1074-4f39-A1FC-E17DAEEA6D02}.exe	40
PID 2664 wrote to memory of 2220	2664	{B6D03FA8-1074-4f39-A1FC-E17DAEEA6D02}.exe	40
PID 2664 wrote to memory of 2220	2664	{B6D03FA8-1074-4f39-A1FC-E17DAEEA6D02}.exe	40
PID 1988 wrote to memory of 2928	1988	{5803FB41-8F64-4b02-B4E5-12A9C9AD65AE}.exe	43
PID 1988 wrote to memory of 2928	1988	{5803FB41-8F64-4b02-B4E5-12A9C9AD65AE}.exe	43
PID 1988 wrote to memory of 2928	1988	{5803FB41-8F64-4b02-B4E5-12A9C9AD65AE}.exe	43
PID 1988 wrote to memory of 2928	1988	{5803FB41-8F64-4b02-B4E5-12A9C9AD65AE}.exe	43
PID 1988 wrote to memory of 324	1988	{5803FB41-8F64-4b02-B4E5-12A9C9AD65AE}.exe	42
PID 1988 wrote to memory of 324	1988	{5803FB41-8F64-4b02-B4E5-12A9C9AD65AE}.exe	42
PID 1988 wrote to memory of 324	1988	{5803FB41-8F64-4b02-B4E5-12A9C9AD65AE}.exe	42
PID 1988 wrote to memory of 324	1988	{5803FB41-8F64-4b02-B4E5-12A9C9AD65AE}.exe	42
PID 2928 wrote to memory of 1648	2928	{AF06D963-DBE8-4024-9516-3B055931DA96}.exe	44
PID 2928 wrote to memory of 1648	2928	{AF06D963-DBE8-4024-9516-3B055931DA96}.exe	44
PID 2928 wrote to memory of 1648	2928	{AF06D963-DBE8-4024-9516-3B055931DA96}.exe	44
PID 2928 wrote to memory of 1648	2928	{AF06D963-DBE8-4024-9516-3B055931DA96}.exe	44
PID 2928 wrote to memory of 1856	2928	{AF06D963-DBE8-4024-9516-3B055931DA96}.exe	45
PID 2928 wrote to memory of 1856	2928	{AF06D963-DBE8-4024-9516-3B055931DA96}.exe	45
PID 2928 wrote to memory of 1856	2928	{AF06D963-DBE8-4024-9516-3B055931DA96}.exe	45
PID 2928 wrote to memory of 1856	2928	{AF06D963-DBE8-4024-9516-3B055931DA96}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-02-17_4bae404766b8ff52abff8337ba3de905_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-17_4bae404766b8ff52abff8337ba3de905_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1888
- C:\Windows\{1C6F6292-FF8F-445c-86A9-8EF4CDC8EE97}.exe
  C:\Windows\{1C6F6292-FF8F-445c-86A9-8EF4CDC8EE97}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2668
- - C:\Windows\{24925B2A-51F5-458e-BDDE-CCEC6B659203}.exe
    C:\Windows\{24925B2A-51F5-458e-BDDE-CCEC6B659203}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2952
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{24925~1.EXE > nul
      4⤵
      PID:3024
  - - C:\Windows\{C3298334-B4AB-4571-8400-46FF574325E9}.exe
      C:\Windows\{C3298334-B4AB-4571-8400-46FF574325E9}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2648
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C3298~1.EXE > nul
        5⤵
        
        PID:2860
    - - C:\Windows\{31BDB169-52BB-4d76-8A75-5283D34ED5AB}.exe
        
        C:\Windows\{31BDB169-52BB-4d76-8A75-5283D34ED5AB}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1928
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{31BDB~1.EXE > nul
        6⤵
        
        PID:2148
      - C:\Windows\{B6D03FA8-1074-4f39-A1FC-E17DAEEA6D02}.exe
        
        C:\Windows\{B6D03FA8-1074-4f39-A1FC-E17DAEEA6D02}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B6D03~1.EXE > nul
        7⤵
        
        PID:2220
        
        C:\Windows\{5803FB41-8F64-4b02-B4E5-12A9C9AD65AE}.exe
        
        C:\Windows\{5803FB41-8F64-4b02-B4E5-12A9C9AD65AE}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5803F~1.EXE > nul
        8⤵
        
        PID:324
        
        C:\Windows\{AF06D963-DBE8-4024-9516-3B055931DA96}.exe
        
        C:\Windows\{AF06D963-DBE8-4024-9516-3B055931DA96}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2928
        
        C:\Windows\{134B26FB-6016-418b-A2C9-16DC066A99F8}.exe
        
        C:\Windows\{134B26FB-6016-418b-A2C9-16DC066A99F8}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{134B2~1.EXE > nul
        10⤵
        
        PID:1872
        
        C:\Windows\{A550E64A-45D3-4479-84B8-DE40455254B9}.exe
        
        C:\Windows\{A550E64A-45D3-4479-84B8-DE40455254B9}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1560
        
        C:\Windows\{C1F09C1C-252F-409a-9AD9-3D4863762216}.exe
        
        C:\Windows\{C1F09C1C-252F-409a-9AD9-3D4863762216}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C1F09~1.EXE > nul
        12⤵
        
        PID:1628
        
        C:\Windows\{2A84A910-5541-4870-8614-20ACEB0BE7F5}.exe
        
        C:\Windows\{2A84A910-5541-4870-8614-20ACEB0BE7F5}.exe
        12⤵
        Executes dropped EXE
        
        PID:1264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A550E~1.EXE > nul
        11⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AF06D~1.EXE > nul
        9⤵
        
        PID:1856
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{1C6F6~1.EXE > nul
    3⤵
    PID:2784
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{134B26FB-6016-418b-A2C9-16DC066A99F8}.exe

Filesize
408KB

MD5
cfb80f3f6f4e3783a36130ce35c59a13

SHA1
0e26fc60a07dd1e839f079ecb04e341226cb7f11

SHA256
b802e3257e64628fb3739e719340d9cd3ab0642d8fd2507722df151e9d44f77b

SHA512
6713144cd2a51f849f4b0e68fd9befe88ba7ee9b4c173e14d21ffcaf5f783307cdc9d111c22dec934378645d6ab94d6ae5a7fcc76dd395b70796f17abfddf491

Download Submit
C:\Windows\{1C6F6292-FF8F-445c-86A9-8EF4CDC8EE97}.exe

Filesize
408KB

MD5
efadb6d8d663cf22ad6ffa3c901880c0

SHA1
1e7e619cb4f487207fea38929d8da9233bfe1667

SHA256
b6b6a79f2e0fb8779b9b36dc4a9967523ff343583395c67c05c6e41a3c0e4248

SHA512
f2b39cf7276784ed7e5d5d7b037ca96d4dc7b8723266a8ca5221574777e7e0a4ba7063c35e38681ad73557aeb305c9470d95a1cb8ed11d8e72b34ebaac8dbc21

Download Submit
C:\Windows\{24925B2A-51F5-458e-BDDE-CCEC6B659203}.exe

Filesize
408KB

MD5
fb00664bf80440b84ceaccc66c565a1d

SHA1
9e6903831e71dd3ca8e96838641af9de9ccbb029

SHA256
dacd5df52fd8f711eb999a5bb291b82be917cdf381f4e9318b25ec4bf6fca10a

SHA512
1404c1da328216bc9d88238769c289f61bba720f32b76e94f6538b269709db42e9d788ff85e454e1d5526fa8f62b34bce160d0bf5c85745bc024959780cd40bd

Download Submit
C:\Windows\{2A84A910-5541-4870-8614-20ACEB0BE7F5}.exe

Filesize
408KB

MD5
66c41e2ec4a208c2a937552cb7771393

SHA1
d0362929f82271248ae04bed1679e55bb5432a65

SHA256
f2ece731fc18e2158ab0837ecd86c25d81d0fcd4bd0c75f471635055e9a65ff8

SHA512
f41e63da933c2df8d8427af1de0d5df995e0d4d88a03f6eb7842bc2f3f79bcc4d7b5fd1726d6e7658de87f221a3ce3455983eaba8cd81448f69cc681233c42e5

Download Submit
C:\Windows\{31BDB169-52BB-4d76-8A75-5283D34ED5AB}.exe

Filesize
408KB

MD5
21e862d102947e39e8486f432c311f88

SHA1
2977112cdee54e3f5b21e038c45ad61053ce8689

SHA256
ac059ec5e3b740cc596614e62c4ea1c99b9cbc25e53cd46993857c32f8cd5483

SHA512
0de36388e0540b024c32f917e78221a59d693dbe83f1fa83e5b66b3c265854715ae074b774b3e0b8beca400b3cae9a45ff03aee9c7b5d46ed2db18070776287d

Download Submit
C:\Windows\{5803FB41-8F64-4b02-B4E5-12A9C9AD65AE}.exe

Filesize
408KB

MD5
b63032a1f58c7606d5ef479472ca0d92

SHA1
66905ba0a862fcc1d4bf4c1dd4a8edbacebc1a52

SHA256
4175e0624c4b54dff6d7f9a853743315bad188d8f6085fb53c4101f6a8d918fe

SHA512
14afa8bb155caf9bc12407e64864aa782c2a744e516995c41ca5a0bab046b60e1222cbf989b5d8ce955eb873bb9d4949032a5da16fa2955e48b926493caca789

Download Submit
C:\Windows\{A550E64A-45D3-4479-84B8-DE40455254B9}.exe

Filesize
408KB

MD5
5490f928fa3abf47f2bacde975bcd471

SHA1
4de2d3140a698da5ebf47daab5e2f4355e3467ac

SHA256
696120a176fa4f8f1a83173a7a92915b603316d8b7c134de4d7664449fb23ee9

SHA512
c866ae7ec7764ab65c02672210980845d5bfe7fcaec224575641e30b8de1fe352ff2793a2962c8927c64eab7d2a5da9873dcf226efcb3bb8a9077ba65400762b

Download Submit
C:\Windows\{AF06D963-DBE8-4024-9516-3B055931DA96}.exe

Filesize
408KB

MD5
6e2e04bd8d69dd11df2bfdec39d17b3e

SHA1
8fc603939593873a4185d5eb770402ec98d4a300

SHA256
2493ae3406d67f6324c17be082212d0b6db3efdeb950699bd5de7a063d6bc7e0

SHA512
2434dfb7c6f013da91534dc3be44031ad52e0d4f9a7b8c722871758344509e8acb0c11b42e7e539ff0c6121e6fe154827be5cec0b87ffb23401522cbfc7eabaf

Download Submit
C:\Windows\{B6D03FA8-1074-4f39-A1FC-E17DAEEA6D02}.exe

Filesize
408KB

MD5
53b4dca442c4c8f4d300ac2288e32325

SHA1
750f9e70bfcf689d399eed1367fb0c469f68ad3e

SHA256
ca2f98333e7678c8352746dfdfcfcfcbb9f3386f1c74e5d1d86299ed9795c8f4

SHA512
d5141d995b9fcb93ab327714b43b38bb055d7d66fd0c39c4e7f460bc8e2ee9b2c59a366f7960296724c1ec782ee31d9bb8597e1b1ea2c91e47d446dca7d67ce0

Download Submit
C:\Windows\{C1F09C1C-252F-409a-9AD9-3D4863762216}.exe

Filesize
408KB

MD5
4c5802b828e287a3dab415e470b351e5

SHA1
eef0bbc09bd72f4fd94f8a6664404569384d972b

SHA256
8346bbb4d6f3447b638b24f46b869981321d2ee122db6d74e75b2a0402a36777

SHA512
1fd00f28b4bfd28d4fbf271e087475166373b7113fa62c6514c42036a611354682634e2a4c7f2f0b32b3569a52540b40a0d22f63dfe6ae9afc4f6d3373b0828f

Download Submit
C:\Windows\{C3298334-B4AB-4571-8400-46FF574325E9}.exe

Filesize
408KB

MD5
d1eca524823e89771298e0d2739db492

SHA1
f9ec9f4a7de57eddc2077b0b4ebf786d0af5801c

SHA256
9d41e409b67f0be015f1d1e40d07016bda70447845b9ff556953c402371aa5f1

SHA512
bd5b78dd218da1ae3fbc7b095d7d4bfdde96bc3ee08bf2e9a83d7d093f9350d63d49654e3dc71e2b2791e469e1edfef73b9870dab0e61988e0323bf339991b1c

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads