088e03e610949c10112e06f70e88ce44ca738204ceeea16c6bcf3cb8f3c66da3

Analysis

max time kernel
144s
max time network
120s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
18/02/2024, 06:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-18_34659c8136b568e9b09b6716181f2edc_goldeneye.exe
Size

372KB
MD5

34659c8136b568e9b09b6716181f2edc
SHA1

d002b98ad28a4719fb8770bcee5a3061c6ff88f6
SHA256

088e03e610949c10112e06f70e88ce44ca738204ceeea16c6bcf3cb8f3c66da3
SHA512

f873258844bac659a589d9eee0a6b2ec582e8ca00aac5dca13c51249711315e23c1f82610534b9d4a7b4c1180fe095be2e5e9c5d4dd603cf6d7e8fdc9f6e7422
SSDEEP

3072:CEGh0oClMOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBfM:CEG0lkOe2MUVg3vTeKcAEciTBqr3

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x00090000000122be-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000014323-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a0000000122be-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0038000000014502-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b0000000122be-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c0000000122be-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d0000000122be-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AB2CF43F-1F60-4f1b-B15D-3A4A2D463B9B}	{54FA23C9-F47A-489a-99B5-3A044ABBCB8A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E72407DA-F36D-4c41-B190-805DD9D4531D}	{AB2CF43F-1F60-4f1b-B15D-3A4A2D463B9B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E72407DA-F36D-4c41-B190-805DD9D4531D}\stubpath = "C:\\Windows\\{E72407DA-F36D-4c41-B190-805DD9D4531D}.exe"	{AB2CF43F-1F60-4f1b-B15D-3A4A2D463B9B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1CD769E1-0A6B-44ad-A36C-4541E52C907F}	{FF7A5F0C-B1C5-451a-8EC1-07DFE8C4DD62}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{09411CB0-945E-4e88-B591-2F0EB38181AA}	{B5D0E497-7B18-4c6e-928B-7D4C6CA2DC95}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{68634BA2-F89A-48bf-A68E-6E99C37A3110}\stubpath = "C:\\Windows\\{68634BA2-F89A-48bf-A68E-6E99C37A3110}.exe"	{09411CB0-945E-4e88-B591-2F0EB38181AA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8D83E6ED-A858-4b1c-B5EC-42A8013EDA6F}	2024-02-18_34659c8136b568e9b09b6716181f2edc_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AB2CF43F-1F60-4f1b-B15D-3A4A2D463B9B}\stubpath = "C:\\Windows\\{AB2CF43F-1F60-4f1b-B15D-3A4A2D463B9B}.exe"	{54FA23C9-F47A-489a-99B5-3A044ABBCB8A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1CD769E1-0A6B-44ad-A36C-4541E52C907F}\stubpath = "C:\\Windows\\{1CD769E1-0A6B-44ad-A36C-4541E52C907F}.exe"	{FF7A5F0C-B1C5-451a-8EC1-07DFE8C4DD62}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B5D0E497-7B18-4c6e-928B-7D4C6CA2DC95}	{1CD769E1-0A6B-44ad-A36C-4541E52C907F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{68634BA2-F89A-48bf-A68E-6E99C37A3110}	{09411CB0-945E-4e88-B591-2F0EB38181AA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B4A521BB-FE5E-44bb-B850-549A6DB30312}\stubpath = "C:\\Windows\\{B4A521BB-FE5E-44bb-B850-549A6DB30312}.exe"	{F6DCB42A-AA11-43a7-968C-D228ECBFCB01}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{54FA23C9-F47A-489a-99B5-3A044ABBCB8A}\stubpath = "C:\\Windows\\{54FA23C9-F47A-489a-99B5-3A044ABBCB8A}.exe"	{B4A521BB-FE5E-44bb-B850-549A6DB30312}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FF7A5F0C-B1C5-451a-8EC1-07DFE8C4DD62}	{E72407DA-F36D-4c41-B190-805DD9D4531D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FF7A5F0C-B1C5-451a-8EC1-07DFE8C4DD62}\stubpath = "C:\\Windows\\{FF7A5F0C-B1C5-451a-8EC1-07DFE8C4DD62}.exe"	{E72407DA-F36D-4c41-B190-805DD9D4531D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B5D0E497-7B18-4c6e-928B-7D4C6CA2DC95}\stubpath = "C:\\Windows\\{B5D0E497-7B18-4c6e-928B-7D4C6CA2DC95}.exe"	{1CD769E1-0A6B-44ad-A36C-4541E52C907F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8D83E6ED-A858-4b1c-B5EC-42A8013EDA6F}\stubpath = "C:\\Windows\\{8D83E6ED-A858-4b1c-B5EC-42A8013EDA6F}.exe"	2024-02-18_34659c8136b568e9b09b6716181f2edc_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F6DCB42A-AA11-43a7-968C-D228ECBFCB01}\stubpath = "C:\\Windows\\{F6DCB42A-AA11-43a7-968C-D228ECBFCB01}.exe"	{8D83E6ED-A858-4b1c-B5EC-42A8013EDA6F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B4A521BB-FE5E-44bb-B850-549A6DB30312}	{F6DCB42A-AA11-43a7-968C-D228ECBFCB01}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{54FA23C9-F47A-489a-99B5-3A044ABBCB8A}	{B4A521BB-FE5E-44bb-B850-549A6DB30312}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{09411CB0-945E-4e88-B591-2F0EB38181AA}\stubpath = "C:\\Windows\\{09411CB0-945E-4e88-B591-2F0EB38181AA}.exe"	{B5D0E497-7B18-4c6e-928B-7D4C6CA2DC95}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F6DCB42A-AA11-43a7-968C-D228ECBFCB01}	{8D83E6ED-A858-4b1c-B5EC-42A8013EDA6F}.exe

Deletes itself 1 IoCs

pid	Process
2036	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2756	{8D83E6ED-A858-4b1c-B5EC-42A8013EDA6F}.exe
2616	{F6DCB42A-AA11-43a7-968C-D228ECBFCB01}.exe
2796	{B4A521BB-FE5E-44bb-B850-549A6DB30312}.exe
2972	{54FA23C9-F47A-489a-99B5-3A044ABBCB8A}.exe
2820	{AB2CF43F-1F60-4f1b-B15D-3A4A2D463B9B}.exe
328	{E72407DA-F36D-4c41-B190-805DD9D4531D}.exe
1640	{FF7A5F0C-B1C5-451a-8EC1-07DFE8C4DD62}.exe
640	{1CD769E1-0A6B-44ad-A36C-4541E52C907F}.exe
2012	{B5D0E497-7B18-4c6e-928B-7D4C6CA2DC95}.exe
2328	{09411CB0-945E-4e88-B591-2F0EB38181AA}.exe
1164	{68634BA2-F89A-48bf-A68E-6E99C37A3110}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{B4A521BB-FE5E-44bb-B850-549A6DB30312}.exe	{F6DCB42A-AA11-43a7-968C-D228ECBFCB01}.exe
File created	C:\Windows\{E72407DA-F36D-4c41-B190-805DD9D4531D}.exe	{AB2CF43F-1F60-4f1b-B15D-3A4A2D463B9B}.exe
File created	C:\Windows\{FF7A5F0C-B1C5-451a-8EC1-07DFE8C4DD62}.exe	{E72407DA-F36D-4c41-B190-805DD9D4531D}.exe
File created	C:\Windows\{1CD769E1-0A6B-44ad-A36C-4541E52C907F}.exe	{FF7A5F0C-B1C5-451a-8EC1-07DFE8C4DD62}.exe
File created	C:\Windows\{B5D0E497-7B18-4c6e-928B-7D4C6CA2DC95}.exe	{1CD769E1-0A6B-44ad-A36C-4541E52C907F}.exe
File created	C:\Windows\{09411CB0-945E-4e88-B591-2F0EB38181AA}.exe	{B5D0E497-7B18-4c6e-928B-7D4C6CA2DC95}.exe
File created	C:\Windows\{68634BA2-F89A-48bf-A68E-6E99C37A3110}.exe	{09411CB0-945E-4e88-B591-2F0EB38181AA}.exe
File created	C:\Windows\{8D83E6ED-A858-4b1c-B5EC-42A8013EDA6F}.exe	2024-02-18_34659c8136b568e9b09b6716181f2edc_goldeneye.exe
File created	C:\Windows\{54FA23C9-F47A-489a-99B5-3A044ABBCB8A}.exe	{B4A521BB-FE5E-44bb-B850-549A6DB30312}.exe
File created	C:\Windows\{AB2CF43F-1F60-4f1b-B15D-3A4A2D463B9B}.exe	{54FA23C9-F47A-489a-99B5-3A044ABBCB8A}.exe
File created	C:\Windows\{F6DCB42A-AA11-43a7-968C-D228ECBFCB01}.exe	{8D83E6ED-A858-4b1c-B5EC-42A8013EDA6F}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2396	2024-02-18_34659c8136b568e9b09b6716181f2edc_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2756	{8D83E6ED-A858-4b1c-B5EC-42A8013EDA6F}.exe
Token: SeIncBasePriorityPrivilege	2616	{F6DCB42A-AA11-43a7-968C-D228ECBFCB01}.exe
Token: SeIncBasePriorityPrivilege	2796	{B4A521BB-FE5E-44bb-B850-549A6DB30312}.exe
Token: SeIncBasePriorityPrivilege	2972	{54FA23C9-F47A-489a-99B5-3A044ABBCB8A}.exe
Token: SeIncBasePriorityPrivilege	2820	{AB2CF43F-1F60-4f1b-B15D-3A4A2D463B9B}.exe
Token: SeIncBasePriorityPrivilege	328	{E72407DA-F36D-4c41-B190-805DD9D4531D}.exe
Token: SeIncBasePriorityPrivilege	1640	{FF7A5F0C-B1C5-451a-8EC1-07DFE8C4DD62}.exe
Token: SeIncBasePriorityPrivilege	640	{1CD769E1-0A6B-44ad-A36C-4541E52C907F}.exe
Token: SeIncBasePriorityPrivilege	2012	{B5D0E497-7B18-4c6e-928B-7D4C6CA2DC95}.exe
Token: SeIncBasePriorityPrivilege	2328	{09411CB0-945E-4e88-B591-2F0EB38181AA}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2396 wrote to memory of 2756	2396	2024-02-18_34659c8136b568e9b09b6716181f2edc_goldeneye.exe	28
PID 2396 wrote to memory of 2756	2396	2024-02-18_34659c8136b568e9b09b6716181f2edc_goldeneye.exe	28
PID 2396 wrote to memory of 2756	2396	2024-02-18_34659c8136b568e9b09b6716181f2edc_goldeneye.exe	28
PID 2396 wrote to memory of 2756	2396	2024-02-18_34659c8136b568e9b09b6716181f2edc_goldeneye.exe	28
PID 2396 wrote to memory of 2036	2396	2024-02-18_34659c8136b568e9b09b6716181f2edc_goldeneye.exe	29
PID 2396 wrote to memory of 2036	2396	2024-02-18_34659c8136b568e9b09b6716181f2edc_goldeneye.exe	29
PID 2396 wrote to memory of 2036	2396	2024-02-18_34659c8136b568e9b09b6716181f2edc_goldeneye.exe	29
PID 2396 wrote to memory of 2036	2396	2024-02-18_34659c8136b568e9b09b6716181f2edc_goldeneye.exe	29
PID 2756 wrote to memory of 2616	2756	{8D83E6ED-A858-4b1c-B5EC-42A8013EDA6F}.exe	31
PID 2756 wrote to memory of 2616	2756	{8D83E6ED-A858-4b1c-B5EC-42A8013EDA6F}.exe	31
PID 2756 wrote to memory of 2616	2756	{8D83E6ED-A858-4b1c-B5EC-42A8013EDA6F}.exe	31
PID 2756 wrote to memory of 2616	2756	{8D83E6ED-A858-4b1c-B5EC-42A8013EDA6F}.exe	31
PID 2756 wrote to memory of 2472	2756	{8D83E6ED-A858-4b1c-B5EC-42A8013EDA6F}.exe	30
PID 2756 wrote to memory of 2472	2756	{8D83E6ED-A858-4b1c-B5EC-42A8013EDA6F}.exe	30
PID 2756 wrote to memory of 2472	2756	{8D83E6ED-A858-4b1c-B5EC-42A8013EDA6F}.exe	30
PID 2756 wrote to memory of 2472	2756	{8D83E6ED-A858-4b1c-B5EC-42A8013EDA6F}.exe	30
PID 2616 wrote to memory of 2796	2616	{F6DCB42A-AA11-43a7-968C-D228ECBFCB01}.exe	32
PID 2616 wrote to memory of 2796	2616	{F6DCB42A-AA11-43a7-968C-D228ECBFCB01}.exe	32
PID 2616 wrote to memory of 2796	2616	{F6DCB42A-AA11-43a7-968C-D228ECBFCB01}.exe	32
PID 2616 wrote to memory of 2796	2616	{F6DCB42A-AA11-43a7-968C-D228ECBFCB01}.exe	32
PID 2616 wrote to memory of 2488	2616	{F6DCB42A-AA11-43a7-968C-D228ECBFCB01}.exe	33
PID 2616 wrote to memory of 2488	2616	{F6DCB42A-AA11-43a7-968C-D228ECBFCB01}.exe	33
PID 2616 wrote to memory of 2488	2616	{F6DCB42A-AA11-43a7-968C-D228ECBFCB01}.exe	33
PID 2616 wrote to memory of 2488	2616	{F6DCB42A-AA11-43a7-968C-D228ECBFCB01}.exe	33
PID 2796 wrote to memory of 2972	2796	{B4A521BB-FE5E-44bb-B850-549A6DB30312}.exe	37
PID 2796 wrote to memory of 2972	2796	{B4A521BB-FE5E-44bb-B850-549A6DB30312}.exe	37
PID 2796 wrote to memory of 2972	2796	{B4A521BB-FE5E-44bb-B850-549A6DB30312}.exe	37
PID 2796 wrote to memory of 2972	2796	{B4A521BB-FE5E-44bb-B850-549A6DB30312}.exe	37
PID 2796 wrote to memory of 1972	2796	{B4A521BB-FE5E-44bb-B850-549A6DB30312}.exe	36
PID 2796 wrote to memory of 1972	2796	{B4A521BB-FE5E-44bb-B850-549A6DB30312}.exe	36
PID 2796 wrote to memory of 1972	2796	{B4A521BB-FE5E-44bb-B850-549A6DB30312}.exe	36
PID 2796 wrote to memory of 1972	2796	{B4A521BB-FE5E-44bb-B850-549A6DB30312}.exe	36
PID 2972 wrote to memory of 2820	2972	{54FA23C9-F47A-489a-99B5-3A044ABBCB8A}.exe	39
PID 2972 wrote to memory of 2820	2972	{54FA23C9-F47A-489a-99B5-3A044ABBCB8A}.exe	39
PID 2972 wrote to memory of 2820	2972	{54FA23C9-F47A-489a-99B5-3A044ABBCB8A}.exe	39
PID 2972 wrote to memory of 2820	2972	{54FA23C9-F47A-489a-99B5-3A044ABBCB8A}.exe	39
PID 2972 wrote to memory of 2952	2972	{54FA23C9-F47A-489a-99B5-3A044ABBCB8A}.exe	38
PID 2972 wrote to memory of 2952	2972	{54FA23C9-F47A-489a-99B5-3A044ABBCB8A}.exe	38
PID 2972 wrote to memory of 2952	2972	{54FA23C9-F47A-489a-99B5-3A044ABBCB8A}.exe	38
PID 2972 wrote to memory of 2952	2972	{54FA23C9-F47A-489a-99B5-3A044ABBCB8A}.exe	38
PID 2820 wrote to memory of 328	2820	{AB2CF43F-1F60-4f1b-B15D-3A4A2D463B9B}.exe	41
PID 2820 wrote to memory of 328	2820	{AB2CF43F-1F60-4f1b-B15D-3A4A2D463B9B}.exe	41
PID 2820 wrote to memory of 328	2820	{AB2CF43F-1F60-4f1b-B15D-3A4A2D463B9B}.exe	41
PID 2820 wrote to memory of 328	2820	{AB2CF43F-1F60-4f1b-B15D-3A4A2D463B9B}.exe	41
PID 2820 wrote to memory of 2176	2820	{AB2CF43F-1F60-4f1b-B15D-3A4A2D463B9B}.exe	40
PID 2820 wrote to memory of 2176	2820	{AB2CF43F-1F60-4f1b-B15D-3A4A2D463B9B}.exe	40
PID 2820 wrote to memory of 2176	2820	{AB2CF43F-1F60-4f1b-B15D-3A4A2D463B9B}.exe	40
PID 2820 wrote to memory of 2176	2820	{AB2CF43F-1F60-4f1b-B15D-3A4A2D463B9B}.exe	40
PID 328 wrote to memory of 1640	328	{E72407DA-F36D-4c41-B190-805DD9D4531D}.exe	43
PID 328 wrote to memory of 1640	328	{E72407DA-F36D-4c41-B190-805DD9D4531D}.exe	43
PID 328 wrote to memory of 1640	328	{E72407DA-F36D-4c41-B190-805DD9D4531D}.exe	43
PID 328 wrote to memory of 1640	328	{E72407DA-F36D-4c41-B190-805DD9D4531D}.exe	43
PID 328 wrote to memory of 1580	328	{E72407DA-F36D-4c41-B190-805DD9D4531D}.exe	42
PID 328 wrote to memory of 1580	328	{E72407DA-F36D-4c41-B190-805DD9D4531D}.exe	42
PID 328 wrote to memory of 1580	328	{E72407DA-F36D-4c41-B190-805DD9D4531D}.exe	42
PID 328 wrote to memory of 1580	328	{E72407DA-F36D-4c41-B190-805DD9D4531D}.exe	42
PID 1640 wrote to memory of 640	1640	{FF7A5F0C-B1C5-451a-8EC1-07DFE8C4DD62}.exe	44
PID 1640 wrote to memory of 640	1640	{FF7A5F0C-B1C5-451a-8EC1-07DFE8C4DD62}.exe	44
PID 1640 wrote to memory of 640	1640	{FF7A5F0C-B1C5-451a-8EC1-07DFE8C4DD62}.exe	44
PID 1640 wrote to memory of 640	1640	{FF7A5F0C-B1C5-451a-8EC1-07DFE8C4DD62}.exe	44
PID 1640 wrote to memory of 1548	1640	{FF7A5F0C-B1C5-451a-8EC1-07DFE8C4DD62}.exe	45
PID 1640 wrote to memory of 1548	1640	{FF7A5F0C-B1C5-451a-8EC1-07DFE8C4DD62}.exe	45
PID 1640 wrote to memory of 1548	1640	{FF7A5F0C-B1C5-451a-8EC1-07DFE8C4DD62}.exe	45
PID 1640 wrote to memory of 1548	1640	{FF7A5F0C-B1C5-451a-8EC1-07DFE8C4DD62}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-02-18_34659c8136b568e9b09b6716181f2edc_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-18_34659c8136b568e9b09b6716181f2edc_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2396
- C:\Windows\{8D83E6ED-A858-4b1c-B5EC-42A8013EDA6F}.exe
  C:\Windows\{8D83E6ED-A858-4b1c-B5EC-42A8013EDA6F}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2756
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{8D83E~1.EXE > nul
    3⤵
    PID:2472
- - C:\Windows\{F6DCB42A-AA11-43a7-968C-D228ECBFCB01}.exe
    C:\Windows\{F6DCB42A-AA11-43a7-968C-D228ECBFCB01}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2616
  - - C:\Windows\{B4A521BB-FE5E-44bb-B850-549A6DB30312}.exe
      C:\Windows\{B4A521BB-FE5E-44bb-B850-549A6DB30312}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2796
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B4A52~1.EXE > nul
        5⤵
        
        PID:1972
    - - C:\Windows\{54FA23C9-F47A-489a-99B5-3A044ABBCB8A}.exe
        
        C:\Windows\{54FA23C9-F47A-489a-99B5-3A044ABBCB8A}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2972
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{54FA2~1.EXE > nul
        6⤵
        
        PID:2952
      - C:\Windows\{AB2CF43F-1F60-4f1b-B15D-3A4A2D463B9B}.exe
        
        C:\Windows\{AB2CF43F-1F60-4f1b-B15D-3A4A2D463B9B}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AB2CF~1.EXE > nul
        7⤵
        
        PID:2176
        
        C:\Windows\{E72407DA-F36D-4c41-B190-805DD9D4531D}.exe
        
        C:\Windows\{E72407DA-F36D-4c41-B190-805DD9D4531D}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E7240~1.EXE > nul
        8⤵
        
        PID:1580
        
        C:\Windows\{FF7A5F0C-B1C5-451a-8EC1-07DFE8C4DD62}.exe
        
        C:\Windows\{FF7A5F0C-B1C5-451a-8EC1-07DFE8C4DD62}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1640
        
        C:\Windows\{1CD769E1-0A6B-44ad-A36C-4541E52C907F}.exe
        
        C:\Windows\{1CD769E1-0A6B-44ad-A36C-4541E52C907F}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:640
        
        C:\Windows\{B5D0E497-7B18-4c6e-928B-7D4C6CA2DC95}.exe
        
        C:\Windows\{B5D0E497-7B18-4c6e-928B-7D4C6CA2DC95}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B5D0E~1.EXE > nul
        11⤵
        
        PID:536
        
        C:\Windows\{09411CB0-945E-4e88-B591-2F0EB38181AA}.exe
        
        C:\Windows\{09411CB0-945E-4e88-B591-2F0EB38181AA}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{09411~1.EXE > nul
        12⤵
        
        PID:916
        
        C:\Windows\{68634BA2-F89A-48bf-A68E-6E99C37A3110}.exe
        
        C:\Windows\{68634BA2-F89A-48bf-A68E-6E99C37A3110}.exe
        12⤵
        Executes dropped EXE
        
        PID:1164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1CD76~1.EXE > nul
        10⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FF7A5~1.EXE > nul
        9⤵
        
        PID:1548
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{F6DCB~1.EXE > nul
      4⤵
      PID:2488
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{09411CB0-945E-4e88-B591-2F0EB38181AA}.exe

Filesize
372KB

MD5
0fd3061e6f976d4019e39b8315394fa0

SHA1
2fae45a35f68737dfebbcf2da344bd9009232cab

SHA256
0a4530ccb9a2d51c0f0ee1d77a30e26f1d56d7cd805a68b188c2bad386eeca1a

SHA512
35bbf859c310047df7add7c267d0bd85cab33d248d3ac6ac4c6cab3db4eeb5115f016e634e8da5fb42a9243eeb03202edb2b8f7d653c67542e3de570b0f854b1

Download Submit
C:\Windows\{1CD769E1-0A6B-44ad-A36C-4541E52C907F}.exe

Filesize
372KB

MD5
90009fed549ac04cabda16c0a21ddd11

SHA1
b60c04ebe479d1c55c867e661fbe84c439cbd99d

SHA256
ecd918bc1528f2ca16c346486d7bf99529af8e8971080eb22a494b3911c2beec

SHA512
8dac6958ec0e160acca910bc365880e6353bf6b2185bb2850e82b7262d46e5855adbb85541208f904a215c08ebded8d02ae32ec859a5db285a4ae28af1d18d3a

Download Submit
C:\Windows\{54FA23C9-F47A-489a-99B5-3A044ABBCB8A}.exe

Filesize
372KB

MD5
c959f1bc831e99b020a78ad26bd6902b

SHA1
3f0ff0c7d1c7718e83d8794b679e1b1f86d8c8e7

SHA256
305616373ed1be58af3392bbaf58821ebafe09a1b13a7a8641902ba59fa0ae9e

SHA512
1a56d66bb2117bac5ed315f79b20ce37751824b1dbc53b784b283bed4a41563dc2d7b6ae567af2672add6199f9bd5ed2ba3267ce227d661570a05dd54221381a

Download Submit
C:\Windows\{68634BA2-F89A-48bf-A68E-6E99C37A3110}.exe

Filesize
372KB

MD5
18d5ef09668ccac3b4a5271319a9cff5

SHA1
2b2e1f1faf8bf0d764994ca079be0335d4665eb3

SHA256
d8616921bcab926a2bc52bde66280c09ce9256ccd3d0a1ddd16a200512a679b7

SHA512
80a9fc10f2eb7c52fee78444940556764ad767d67f7f0254183ce10106b376e179a0563fbe5d605a8e9656809efec648cf4402e8280c66d98f085dd8a7017819

Download Submit
C:\Windows\{8D83E6ED-A858-4b1c-B5EC-42A8013EDA6F}.exe

Filesize
372KB

MD5
e8f1d857c666c43858e096a29cae85d2

SHA1
8ab0b5e4c7feaa28fc6b66f8861c27a4956adb2b

SHA256
a30b66c9fd30b219db534ca55c6c2dedeff695ae0827afd246473236900940f6

SHA512
6b4183e7535e62640b7def4ffe9920c95a176435d6ad4f4958cbb875193e4d38096372c7c3a2e67409b9ebfe3d98613fffc652798891c4b6b6aefd2dd80fb36d

Download Submit
C:\Windows\{AB2CF43F-1F60-4f1b-B15D-3A4A2D463B9B}.exe

Filesize
372KB

MD5
df1a0fc4804680e69c83757376ce47df

SHA1
a2c25ef64d8ed0b6257b7a70ecf7db5572d5e2e7

SHA256
2083378ae1c33a614d62f508982ec14ba7cd81092cea2046eef370f5d1054176

SHA512
cc47d50aa0f3b912d3e63f6e8fd0bf354ae5cbe23abdfd9a30f6aa2df3c0c2941ba4ced3266b3ae0c8c8f88ea21a440abec032deca00789a6ba84049a65e609c

Download Submit
C:\Windows\{B4A521BB-FE5E-44bb-B850-549A6DB30312}.exe

Filesize
372KB

MD5
02217fedc507f75955e4821c0563b294

SHA1
2de82a9ad69d82dd005c2dec8a2eb943afd56f70

SHA256
0339b5f4805e3d6b8d3a57edf8d05439dfdbc56850a9d7d4baf2b5700e98cd3f

SHA512
739507b9d41b389e93c1e5eac9dbefb7d901c550983635b4e7536606c9f40502e68837369010ffa1b5c433fc393d651839286fd371dbfbc25e00f6b41d61acf6

Download Submit
C:\Windows\{B5D0E497-7B18-4c6e-928B-7D4C6CA2DC95}.exe

Filesize
372KB

MD5
c48755c622e3fb608a79f89c94e0ba50

SHA1
ee79eb6212f44757d1ac2dc297e0afa0e4031a52

SHA256
a4841965a0641bb813e6038db71774e077d9e1a703fe0bfc534dcc5b494b8369

SHA512
6d16b029589258f387eed19d73130d57024d05e2a09b8e4d60cf8b9e2551ee6fd4d605357ed11e55d8e0e5d5092851b51c079bf7e0f67e404f9cc03460f59988

Download Submit
C:\Windows\{E72407DA-F36D-4c41-B190-805DD9D4531D}.exe

Filesize
372KB

MD5
2b17a551070131d6fc98790a1b233383

SHA1
d2da31bbb255ec55f7b1a61a8dae4985e6744876

SHA256
e55536095d0eed125fd69e78145b1059ee8fc170e3e15839446126774da620ff

SHA512
d410938b30fcfc1f8a97d99b4c1f8c2b82cf980310a286ea3a3c46e811fd0797f1e4641debe5df7ab3753d48c0c0375c40beb765e42dfee7bcbcdb7f14858abd

Download Submit
C:\Windows\{F6DCB42A-AA11-43a7-968C-D228ECBFCB01}.exe

Filesize
372KB

MD5
31ecec9e39d0d303a062574247a1b7ad

SHA1
da0b72cbfe7d98de1e697eed8ef6465f990356f4

SHA256
bdb7813d9da7ec444e06f72b7a9503d579a2bc4510bca9ab1d9a9f13c574d1ea

SHA512
68e5e17eab4569a3be9c42526dbb92d554f84a62887ea1175baffdc0e0d80683a808d12559c41d06d10e4b315a0181115b83f3e5469dd64798b99f5a67aafd92

Download Submit
C:\Windows\{FF7A5F0C-B1C5-451a-8EC1-07DFE8C4DD62}.exe

Filesize
372KB

MD5
84708d372e1f57f0262aaf5a6c62948f

SHA1
6327a40f64c32359e5923753826172007e5b35a7

SHA256
981baf661983bffb498b935e94716cc7511c533428013f4434d1d0c6a507626f

SHA512
891427542e2186666dd04d0903d9b22fce41a02d9f5295cc4b3d262ad15c714934444d339627e002c6635b32729215b22b6fd9af3e52aa27684796f2ecba3ce4

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads