b82ce454cd720b808f55e9df66a87cf64fe27c8e7781326829f26f2d8c72c0ea

Analysis

max time kernel
144s
max time network
118s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
17/02/2024, 19:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-17_998875e8cc5bfcdc63663abfca2c5685_goldeneye.exe
Size

180KB
MD5

998875e8cc5bfcdc63663abfca2c5685
SHA1

5b0e3700768eb4f0a22ef2597784854f52285573
SHA256

b82ce454cd720b808f55e9df66a87cf64fe27c8e7781326829f26f2d8c72c0ea
SHA512

17a26062e7d435468ac9ec64c378e2af7bfa3af4f6388b86eb5976ec144c82b65ca63e435050f3aed4fef4d0c235bad31e40578ea56fbce555134298d16403cc
SSDEEP

3072:jEGh0oAlfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEG6l5eKcAEc

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000d0000000122fa-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a000000014af6-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e0000000122fa-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00090000000155f3-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000005a59-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f0000000122fa-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000005a59-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00100000000122fa-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000005a59-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00110000000122fa-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000005a59-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{553D474F-904C-4827-8120-ECEB12467BCD}	{9143079D-9529-4bd5-982E-83B0C7BF5FDB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E4ACCE26-C898-4475-86A8-29DC45604751}	{B33B65DC-5D62-4046-AAF0-D3C66B4365ED}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{84686B84-90E1-469c-B3DC-9482288FB09D}\stubpath = "C:\\Windows\\{84686B84-90E1-469c-B3DC-9482288FB09D}.exe"	{E4ACCE26-C898-4475-86A8-29DC45604751}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2AA767FD-5015-48e0-B5D4-C4643F69FBA1}	{84686B84-90E1-469c-B3DC-9482288FB09D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2AA767FD-5015-48e0-B5D4-C4643F69FBA1}\stubpath = "C:\\Windows\\{2AA767FD-5015-48e0-B5D4-C4643F69FBA1}.exe"	{84686B84-90E1-469c-B3DC-9482288FB09D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BFC79E9F-91F9-42e4-B92A-A01C91CD9B15}\stubpath = "C:\\Windows\\{BFC79E9F-91F9-42e4-B92A-A01C91CD9B15}.exe"	2024-02-17_998875e8cc5bfcdc63663abfca2c5685_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6B66CC6D-1501-4a7b-90AE-B42B13D5FFBE}\stubpath = "C:\\Windows\\{6B66CC6D-1501-4a7b-90AE-B42B13D5FFBE}.exe"	{9E012C95-D7BA-421d-8C4F-80272193A7A1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6B66CC6D-1501-4a7b-90AE-B42B13D5FFBE}	{9E012C95-D7BA-421d-8C4F-80272193A7A1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9143079D-9529-4bd5-982E-83B0C7BF5FDB}\stubpath = "C:\\Windows\\{9143079D-9529-4bd5-982E-83B0C7BF5FDB}.exe"	{BFC79E9F-91F9-42e4-B92A-A01C91CD9B15}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9E012C95-D7BA-421d-8C4F-80272193A7A1}	{553D474F-904C-4827-8120-ECEB12467BCD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B33B65DC-5D62-4046-AAF0-D3C66B4365ED}	{6B66CC6D-1501-4a7b-90AE-B42B13D5FFBE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{93EBF7F9-D797-4839-AFC0-B2B8A2DD38B6}\stubpath = "C:\\Windows\\{93EBF7F9-D797-4839-AFC0-B2B8A2DD38B6}.exe"	{2AA767FD-5015-48e0-B5D4-C4643F69FBA1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D0EF3C52-5826-4b2a-8354-59C12CE00DF0}	{93EBF7F9-D797-4839-AFC0-B2B8A2DD38B6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D0EF3C52-5826-4b2a-8354-59C12CE00DF0}\stubpath = "C:\\Windows\\{D0EF3C52-5826-4b2a-8354-59C12CE00DF0}.exe"	{93EBF7F9-D797-4839-AFC0-B2B8A2DD38B6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BFC79E9F-91F9-42e4-B92A-A01C91CD9B15}	2024-02-17_998875e8cc5bfcdc63663abfca2c5685_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{553D474F-904C-4827-8120-ECEB12467BCD}\stubpath = "C:\\Windows\\{553D474F-904C-4827-8120-ECEB12467BCD}.exe"	{9143079D-9529-4bd5-982E-83B0C7BF5FDB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9E012C95-D7BA-421d-8C4F-80272193A7A1}\stubpath = "C:\\Windows\\{9E012C95-D7BA-421d-8C4F-80272193A7A1}.exe"	{553D474F-904C-4827-8120-ECEB12467BCD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B33B65DC-5D62-4046-AAF0-D3C66B4365ED}\stubpath = "C:\\Windows\\{B33B65DC-5D62-4046-AAF0-D3C66B4365ED}.exe"	{6B66CC6D-1501-4a7b-90AE-B42B13D5FFBE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E4ACCE26-C898-4475-86A8-29DC45604751}\stubpath = "C:\\Windows\\{E4ACCE26-C898-4475-86A8-29DC45604751}.exe"	{B33B65DC-5D62-4046-AAF0-D3C66B4365ED}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{84686B84-90E1-469c-B3DC-9482288FB09D}	{E4ACCE26-C898-4475-86A8-29DC45604751}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{93EBF7F9-D797-4839-AFC0-B2B8A2DD38B6}	{2AA767FD-5015-48e0-B5D4-C4643F69FBA1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9143079D-9529-4bd5-982E-83B0C7BF5FDB}	{BFC79E9F-91F9-42e4-B92A-A01C91CD9B15}.exe

Deletes itself 1 IoCs

pid	Process
3032	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2968	{BFC79E9F-91F9-42e4-B92A-A01C91CD9B15}.exe
2276	{9143079D-9529-4bd5-982E-83B0C7BF5FDB}.exe
2856	{553D474F-904C-4827-8120-ECEB12467BCD}.exe
2512	{9E012C95-D7BA-421d-8C4F-80272193A7A1}.exe
2412	{6B66CC6D-1501-4a7b-90AE-B42B13D5FFBE}.exe
1872	{B33B65DC-5D62-4046-AAF0-D3C66B4365ED}.exe
1912	{E4ACCE26-C898-4475-86A8-29DC45604751}.exe
1124	{84686B84-90E1-469c-B3DC-9482288FB09D}.exe
2980	{2AA767FD-5015-48e0-B5D4-C4643F69FBA1}.exe
1268	{93EBF7F9-D797-4839-AFC0-B2B8A2DD38B6}.exe
660	{D0EF3C52-5826-4b2a-8354-59C12CE00DF0}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{553D474F-904C-4827-8120-ECEB12467BCD}.exe	{9143079D-9529-4bd5-982E-83B0C7BF5FDB}.exe
File created	C:\Windows\{9E012C95-D7BA-421d-8C4F-80272193A7A1}.exe	{553D474F-904C-4827-8120-ECEB12467BCD}.exe
File created	C:\Windows\{6B66CC6D-1501-4a7b-90AE-B42B13D5FFBE}.exe	{9E012C95-D7BA-421d-8C4F-80272193A7A1}.exe
File created	C:\Windows\{E4ACCE26-C898-4475-86A8-29DC45604751}.exe	{B33B65DC-5D62-4046-AAF0-D3C66B4365ED}.exe
File created	C:\Windows\{84686B84-90E1-469c-B3DC-9482288FB09D}.exe	{E4ACCE26-C898-4475-86A8-29DC45604751}.exe
File created	C:\Windows\{BFC79E9F-91F9-42e4-B92A-A01C91CD9B15}.exe	2024-02-17_998875e8cc5bfcdc63663abfca2c5685_goldeneye.exe
File created	C:\Windows\{9143079D-9529-4bd5-982E-83B0C7BF5FDB}.exe	{BFC79E9F-91F9-42e4-B92A-A01C91CD9B15}.exe
File created	C:\Windows\{B33B65DC-5D62-4046-AAF0-D3C66B4365ED}.exe	{6B66CC6D-1501-4a7b-90AE-B42B13D5FFBE}.exe
File created	C:\Windows\{2AA767FD-5015-48e0-B5D4-C4643F69FBA1}.exe	{84686B84-90E1-469c-B3DC-9482288FB09D}.exe
File created	C:\Windows\{93EBF7F9-D797-4839-AFC0-B2B8A2DD38B6}.exe	{2AA767FD-5015-48e0-B5D4-C4643F69FBA1}.exe
File created	C:\Windows\{D0EF3C52-5826-4b2a-8354-59C12CE00DF0}.exe	{93EBF7F9-D797-4839-AFC0-B2B8A2DD38B6}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1404	2024-02-17_998875e8cc5bfcdc63663abfca2c5685_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2968	{BFC79E9F-91F9-42e4-B92A-A01C91CD9B15}.exe
Token: SeIncBasePriorityPrivilege	2276	{9143079D-9529-4bd5-982E-83B0C7BF5FDB}.exe
Token: SeIncBasePriorityPrivilege	2856	{553D474F-904C-4827-8120-ECEB12467BCD}.exe
Token: SeIncBasePriorityPrivilege	2512	{9E012C95-D7BA-421d-8C4F-80272193A7A1}.exe
Token: SeIncBasePriorityPrivilege	2412	{6B66CC6D-1501-4a7b-90AE-B42B13D5FFBE}.exe
Token: SeIncBasePriorityPrivilege	1872	{B33B65DC-5D62-4046-AAF0-D3C66B4365ED}.exe
Token: SeIncBasePriorityPrivilege	1912	{E4ACCE26-C898-4475-86A8-29DC45604751}.exe
Token: SeIncBasePriorityPrivilege	1124	{84686B84-90E1-469c-B3DC-9482288FB09D}.exe
Token: SeIncBasePriorityPrivilege	2980	{2AA767FD-5015-48e0-B5D4-C4643F69FBA1}.exe
Token: SeIncBasePriorityPrivilege	1268	{93EBF7F9-D797-4839-AFC0-B2B8A2DD38B6}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1404 wrote to memory of 2968	1404	2024-02-17_998875e8cc5bfcdc63663abfca2c5685_goldeneye.exe	28
PID 1404 wrote to memory of 2968	1404	2024-02-17_998875e8cc5bfcdc63663abfca2c5685_goldeneye.exe	28
PID 1404 wrote to memory of 2968	1404	2024-02-17_998875e8cc5bfcdc63663abfca2c5685_goldeneye.exe	28
PID 1404 wrote to memory of 2968	1404	2024-02-17_998875e8cc5bfcdc63663abfca2c5685_goldeneye.exe	28
PID 1404 wrote to memory of 3032	1404	2024-02-17_998875e8cc5bfcdc63663abfca2c5685_goldeneye.exe	29
PID 1404 wrote to memory of 3032	1404	2024-02-17_998875e8cc5bfcdc63663abfca2c5685_goldeneye.exe	29
PID 1404 wrote to memory of 3032	1404	2024-02-17_998875e8cc5bfcdc63663abfca2c5685_goldeneye.exe	29
PID 1404 wrote to memory of 3032	1404	2024-02-17_998875e8cc5bfcdc63663abfca2c5685_goldeneye.exe	29
PID 2968 wrote to memory of 2276	2968	{BFC79E9F-91F9-42e4-B92A-A01C91CD9B15}.exe	30
PID 2968 wrote to memory of 2276	2968	{BFC79E9F-91F9-42e4-B92A-A01C91CD9B15}.exe	30
PID 2968 wrote to memory of 2276	2968	{BFC79E9F-91F9-42e4-B92A-A01C91CD9B15}.exe	30
PID 2968 wrote to memory of 2276	2968	{BFC79E9F-91F9-42e4-B92A-A01C91CD9B15}.exe	30
PID 2968 wrote to memory of 2608	2968	{BFC79E9F-91F9-42e4-B92A-A01C91CD9B15}.exe	31
PID 2968 wrote to memory of 2608	2968	{BFC79E9F-91F9-42e4-B92A-A01C91CD9B15}.exe	31
PID 2968 wrote to memory of 2608	2968	{BFC79E9F-91F9-42e4-B92A-A01C91CD9B15}.exe	31
PID 2968 wrote to memory of 2608	2968	{BFC79E9F-91F9-42e4-B92A-A01C91CD9B15}.exe	31
PID 2276 wrote to memory of 2856	2276	{9143079D-9529-4bd5-982E-83B0C7BF5FDB}.exe	33
PID 2276 wrote to memory of 2856	2276	{9143079D-9529-4bd5-982E-83B0C7BF5FDB}.exe	33
PID 2276 wrote to memory of 2856	2276	{9143079D-9529-4bd5-982E-83B0C7BF5FDB}.exe	33
PID 2276 wrote to memory of 2856	2276	{9143079D-9529-4bd5-982E-83B0C7BF5FDB}.exe	33
PID 2276 wrote to memory of 2656	2276	{9143079D-9529-4bd5-982E-83B0C7BF5FDB}.exe	32
PID 2276 wrote to memory of 2656	2276	{9143079D-9529-4bd5-982E-83B0C7BF5FDB}.exe	32
PID 2276 wrote to memory of 2656	2276	{9143079D-9529-4bd5-982E-83B0C7BF5FDB}.exe	32
PID 2276 wrote to memory of 2656	2276	{9143079D-9529-4bd5-982E-83B0C7BF5FDB}.exe	32
PID 2856 wrote to memory of 2512	2856	{553D474F-904C-4827-8120-ECEB12467BCD}.exe	36
PID 2856 wrote to memory of 2512	2856	{553D474F-904C-4827-8120-ECEB12467BCD}.exe	36
PID 2856 wrote to memory of 2512	2856	{553D474F-904C-4827-8120-ECEB12467BCD}.exe	36
PID 2856 wrote to memory of 2512	2856	{553D474F-904C-4827-8120-ECEB12467BCD}.exe	36
PID 2856 wrote to memory of 1956	2856	{553D474F-904C-4827-8120-ECEB12467BCD}.exe	37
PID 2856 wrote to memory of 1956	2856	{553D474F-904C-4827-8120-ECEB12467BCD}.exe	37
PID 2856 wrote to memory of 1956	2856	{553D474F-904C-4827-8120-ECEB12467BCD}.exe	37
PID 2856 wrote to memory of 1956	2856	{553D474F-904C-4827-8120-ECEB12467BCD}.exe	37
PID 2512 wrote to memory of 2412	2512	{9E012C95-D7BA-421d-8C4F-80272193A7A1}.exe	38
PID 2512 wrote to memory of 2412	2512	{9E012C95-D7BA-421d-8C4F-80272193A7A1}.exe	38
PID 2512 wrote to memory of 2412	2512	{9E012C95-D7BA-421d-8C4F-80272193A7A1}.exe	38
PID 2512 wrote to memory of 2412	2512	{9E012C95-D7BA-421d-8C4F-80272193A7A1}.exe	38
PID 2512 wrote to memory of 2188	2512	{9E012C95-D7BA-421d-8C4F-80272193A7A1}.exe	39
PID 2512 wrote to memory of 2188	2512	{9E012C95-D7BA-421d-8C4F-80272193A7A1}.exe	39
PID 2512 wrote to memory of 2188	2512	{9E012C95-D7BA-421d-8C4F-80272193A7A1}.exe	39
PID 2512 wrote to memory of 2188	2512	{9E012C95-D7BA-421d-8C4F-80272193A7A1}.exe	39
PID 2412 wrote to memory of 1872	2412	{6B66CC6D-1501-4a7b-90AE-B42B13D5FFBE}.exe	41
PID 2412 wrote to memory of 1872	2412	{6B66CC6D-1501-4a7b-90AE-B42B13D5FFBE}.exe	41
PID 2412 wrote to memory of 1872	2412	{6B66CC6D-1501-4a7b-90AE-B42B13D5FFBE}.exe	41
PID 2412 wrote to memory of 1872	2412	{6B66CC6D-1501-4a7b-90AE-B42B13D5FFBE}.exe	41
PID 2412 wrote to memory of 1072	2412	{6B66CC6D-1501-4a7b-90AE-B42B13D5FFBE}.exe	40
PID 2412 wrote to memory of 1072	2412	{6B66CC6D-1501-4a7b-90AE-B42B13D5FFBE}.exe	40
PID 2412 wrote to memory of 1072	2412	{6B66CC6D-1501-4a7b-90AE-B42B13D5FFBE}.exe	40
PID 2412 wrote to memory of 1072	2412	{6B66CC6D-1501-4a7b-90AE-B42B13D5FFBE}.exe	40
PID 1872 wrote to memory of 1912	1872	{B33B65DC-5D62-4046-AAF0-D3C66B4365ED}.exe	43
PID 1872 wrote to memory of 1912	1872	{B33B65DC-5D62-4046-AAF0-D3C66B4365ED}.exe	43
PID 1872 wrote to memory of 1912	1872	{B33B65DC-5D62-4046-AAF0-D3C66B4365ED}.exe	43
PID 1872 wrote to memory of 1912	1872	{B33B65DC-5D62-4046-AAF0-D3C66B4365ED}.exe	43
PID 1872 wrote to memory of 1080	1872	{B33B65DC-5D62-4046-AAF0-D3C66B4365ED}.exe	42
PID 1872 wrote to memory of 1080	1872	{B33B65DC-5D62-4046-AAF0-D3C66B4365ED}.exe	42
PID 1872 wrote to memory of 1080	1872	{B33B65DC-5D62-4046-AAF0-D3C66B4365ED}.exe	42
PID 1872 wrote to memory of 1080	1872	{B33B65DC-5D62-4046-AAF0-D3C66B4365ED}.exe	42
PID 1912 wrote to memory of 1124	1912	{E4ACCE26-C898-4475-86A8-29DC45604751}.exe	44
PID 1912 wrote to memory of 1124	1912	{E4ACCE26-C898-4475-86A8-29DC45604751}.exe	44
PID 1912 wrote to memory of 1124	1912	{E4ACCE26-C898-4475-86A8-29DC45604751}.exe	44
PID 1912 wrote to memory of 1124	1912	{E4ACCE26-C898-4475-86A8-29DC45604751}.exe	44
PID 1912 wrote to memory of 2924	1912	{E4ACCE26-C898-4475-86A8-29DC45604751}.exe	45
PID 1912 wrote to memory of 2924	1912	{E4ACCE26-C898-4475-86A8-29DC45604751}.exe	45
PID 1912 wrote to memory of 2924	1912	{E4ACCE26-C898-4475-86A8-29DC45604751}.exe	45
PID 1912 wrote to memory of 2924	1912	{E4ACCE26-C898-4475-86A8-29DC45604751}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-02-17_998875e8cc5bfcdc63663abfca2c5685_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-17_998875e8cc5bfcdc63663abfca2c5685_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1404
- C:\Windows\{BFC79E9F-91F9-42e4-B92A-A01C91CD9B15}.exe
  C:\Windows\{BFC79E9F-91F9-42e4-B92A-A01C91CD9B15}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2968
- - C:\Windows\{9143079D-9529-4bd5-982E-83B0C7BF5FDB}.exe
    C:\Windows\{9143079D-9529-4bd5-982E-83B0C7BF5FDB}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2276
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{91430~1.EXE > nul
      4⤵
      PID:2656
  - - C:\Windows\{553D474F-904C-4827-8120-ECEB12467BCD}.exe
      C:\Windows\{553D474F-904C-4827-8120-ECEB12467BCD}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2856
    - - C:\Windows\{9E012C95-D7BA-421d-8C4F-80272193A7A1}.exe
        
        C:\Windows\{9E012C95-D7BA-421d-8C4F-80272193A7A1}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2512
      - C:\Windows\{6B66CC6D-1501-4a7b-90AE-B42B13D5FFBE}.exe
        
        C:\Windows\{6B66CC6D-1501-4a7b-90AE-B42B13D5FFBE}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6B66C~1.EXE > nul
        7⤵
        
        PID:1072
        
        C:\Windows\{B33B65DC-5D62-4046-AAF0-D3C66B4365ED}.exe
        
        C:\Windows\{B33B65DC-5D62-4046-AAF0-D3C66B4365ED}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B33B6~1.EXE > nul
        8⤵
        
        PID:1080
        
        C:\Windows\{E4ACCE26-C898-4475-86A8-29DC45604751}.exe
        
        C:\Windows\{E4ACCE26-C898-4475-86A8-29DC45604751}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1912
        
        C:\Windows\{84686B84-90E1-469c-B3DC-9482288FB09D}.exe
        
        C:\Windows\{84686B84-90E1-469c-B3DC-9482288FB09D}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1124
        
        C:\Windows\{2AA767FD-5015-48e0-B5D4-C4643F69FBA1}.exe
        
        C:\Windows\{2AA767FD-5015-48e0-B5D4-C4643F69FBA1}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2980
        
        C:\Windows\{93EBF7F9-D797-4839-AFC0-B2B8A2DD38B6}.exe
        
        C:\Windows\{93EBF7F9-D797-4839-AFC0-B2B8A2DD38B6}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{93EBF~1.EXE > nul
        12⤵
        
        PID:1500
        
        C:\Windows\{D0EF3C52-5826-4b2a-8354-59C12CE00DF0}.exe
        
        C:\Windows\{D0EF3C52-5826-4b2a-8354-59C12CE00DF0}.exe
        12⤵
        Executes dropped EXE
        
        PID:660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2AA76~1.EXE > nul
        11⤵
        
        PID:540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{84686~1.EXE > nul
        10⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E4ACC~1.EXE > nul
        9⤵
        
        PID:2924
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9E012~1.EXE > nul
        6⤵
        
        PID:2188
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{553D4~1.EXE > nul
        5⤵
        
        PID:1956
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{BFC79~1.EXE > nul
    3⤵
    PID:2608
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:3032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{2AA767FD-5015-48e0-B5D4-C4643F69FBA1}.exe

Filesize
180KB

MD5
e15a4754285798f0c45cfb0a589837c4

SHA1
4a974daa80114043c914ac328cbf8a00655a8c2c

SHA256
02ea223df2c264e4e2a646c8bffa23c48c823d746489cba53682f88be6c51453

SHA512
b5724a09080073662178fb521b07ab76ef0af9476330bf73ee2206971c9c6afe7962d1b95dc7f5e818b1b735a33f306e3869973940cfdde23c77f52bf059412b

Download Submit
C:\Windows\{553D474F-904C-4827-8120-ECEB12467BCD}.exe

Filesize
180KB

MD5
d692858fc92ce7e819ad1e5c685845a7

SHA1
6a9a34c919e58d4eab39cfec008e6f7f39e1a19c

SHA256
140579d7b0ce75e2a979f16f2c9f4e737f9ae879b603a1a06d619f849e3e6269

SHA512
599c06dc00954103edb9cf9f95bfd0ae2a314e55d33951aebd043c364b7074f38db2c88533443d28c8e497f6e1ac6fb1157e528eef79c5edc4981a6dcf0c79cd

Download Submit
C:\Windows\{6B66CC6D-1501-4a7b-90AE-B42B13D5FFBE}.exe

Filesize
180KB

MD5
f23a3699a0b1966e952cd9bcb1bfb522

SHA1
6955565ca7fb60914db807215427142e41f91503

SHA256
50b03c2c18e1644a8f2718e2b44a06ab75e46c46849663a860fdc80eaccc4218

SHA512
3eb573e2171d7b93c9aa7846f96bc92bb129d50e3fbe576ea63b585e276d633591d8b7bafbd35212d60b9eab355bea9f0bafb94de35c74098d2e000ebddfd484

Download Submit
C:\Windows\{84686B84-90E1-469c-B3DC-9482288FB09D}.exe

Filesize
180KB

MD5
dd77e5967775b8e663cb9fdc1012d148

SHA1
8e1646b022dbd264d7f2fedb870fd7007ba21c2f

SHA256
f20a7e2d5b4317ed04c8854ce242f0487def9847246c0b8f7bc25ddb3a43d59b

SHA512
14b6cec652cdc9ba7accc302e38351d301a0ca0ebe4b367f9972efb2d7a7e8ec2f84b1604572e5e0892cce228a58a19bc9cf121e412a3efb71c6eccdb20e2cdf

Download Submit
C:\Windows\{9143079D-9529-4bd5-982E-83B0C7BF5FDB}.exe

Filesize
180KB

MD5
cc21e4f0ea3f4e4e16ac174affcf687c

SHA1
1646c13efed2b79acab138bffce194ee8e1d42d1

SHA256
c24b6a746557d6ee74f1a555d7db50fc3e762182521134edb9c893c69043356e

SHA512
df18bbf57f82d03a1d00f2f123d3e92331660379dec4ab2817e10888e0186a46b4a8c1bd02d3747a35d8ba0893b28855616cae751012ebb990d616aa2445d603

Download Submit
C:\Windows\{93EBF7F9-D797-4839-AFC0-B2B8A2DD38B6}.exe

Filesize
180KB

MD5
ad2c6b1da51e52cb2396ee6b0551539d

SHA1
1e634c7068f33daed69b783c62947d6e40ef5e6e

SHA256
4f68d12d9b8b9e81dfb76934899ad091506cdd184f0e7354ccdc4ecf382f8bd0

SHA512
670eb7e329c86230722638951529a375ad6946e35356e9b93d19a0d5fe926f9756332447f0ce23ee076b2a92a4dc087d4fe659b94d4a1be9c8588e62aae14012

Download Submit
C:\Windows\{9E012C95-D7BA-421d-8C4F-80272193A7A1}.exe

Filesize
180KB

MD5
6b29c655d7c882fadfc05cb7053ae4cc

SHA1
07474bc19ff433c64098b94b746bf777a14d0dec

SHA256
412ee4a567a3546bf6814d7b3f1242a887f4c981728bed3f2815d66e6a068cbb

SHA512
645261bd85632386897c971553e1d3e65639780ab9dc211d1dc7ed1cc702ad29bec9b9bca88ef9b034db2b6888fc13d8ae24a2ad913cbbbe458a203c7a683b66

Download Submit
C:\Windows\{B33B65DC-5D62-4046-AAF0-D3C66B4365ED}.exe

Filesize
180KB

MD5
c143d48482b875140a5a9ff3a69524f0

SHA1
20c39abdee68eb0bc3832bb4604706451c9db2ca

SHA256
649e20346655c15304cd6156b64b870e213c71abc0612c59f806ac9bbb65735e

SHA512
7408363fb0bb07c604fe6bc914c4e1a0808a6c51ddb18f16b2e550e1a41f948ef57800e87208670f106a2d365168ec32f4a47f1a35d0dd4350789ae9a3fc4076

Download Submit
C:\Windows\{BFC79E9F-91F9-42e4-B92A-A01C91CD9B15}.exe

Filesize
180KB

MD5
5cd6484fe9b1db6b2743bd3f1df6a05d

SHA1
7cba2c313cdc9daedd0eff36c7149f17b782be9e

SHA256
2497f4b9d479fe418a19705e68574bbc396c7efb7bfc89efd8cd4f078e6de9fd

SHA512
a5331f6288f3ce5b54d48e12c3df33aba6c4fd333414013b231832cdedab636ceae7762f582c77be1d2e884f9ab9f6859d3af3ff11f5fba5849da52f8094494a

Download Submit
C:\Windows\{D0EF3C52-5826-4b2a-8354-59C12CE00DF0}.exe

Filesize
180KB

MD5
318abbbf0f1c7e07b897d583c4666b5a

SHA1
257e4014b10173eb161d6c90be12d9b1158c73e7

SHA256
753fdf4587d21ddd417091c5c8ad9194679f7dc9289f53ba45844e95d2baeac4

SHA512
369d3119e52fee2a02d7d7c7684fbbe288bdf310a1bbed0a59208d3bfbe1f8adb8bcb2a01b79bf816aa1e795b127a775116592decc8a6db09ba402ff5ea968af

Download Submit
C:\Windows\{E4ACCE26-C898-4475-86A8-29DC45604751}.exe

Filesize
180KB

MD5
18369eb1085e8978f45894cfbe63b479

SHA1
e5e9eb779966682bf9fff90edf3c6d7649c3b934

SHA256
12e330f25de710d7c1a12076e8772f2c1ce29c7291c179e24b938d50d8751dc1

SHA512
48fdc90174bd2c22e467a49e21263321a9b7b0967f8ffe6cd8ae464d0896aef4c99dc0d398db1e247555e89ce65650b56e801be71024df81c9a2a4b57c55ac7e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads