09fb6aa3befdf3ea62500981ac68f7f6abc9ed49af17e3a10307a973578b178f

Analysis

max time kernel
144s
max time network
127s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
18/02/2024, 08:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-18_2f57e2372c83a7f62aa6addd709749fb_goldeneye.exe
Size

408KB
MD5

2f57e2372c83a7f62aa6addd709749fb
SHA1

6ed1941fd03305bb6f1e8301d0c26c609a166525
SHA256

09fb6aa3befdf3ea62500981ac68f7f6abc9ed49af17e3a10307a973578b178f
SHA512

5df017c3b634c8cd37c5637e4504e94da51509c55068bdc468a94abc94679bdb04e4e9afa588057db9fb180911d28a46e3838cc0f181aafc73b50d58e6d0d739
SSDEEP

3072:CEGh0oIl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGaldOe2MUVg3vTeKcAEciTBqr3jy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 13 IoCs

resource	yara_rule
behavioral1/files/0x000b000000012185-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d0000000122e4-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000600000000f6f8-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e0000000122e4-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000700000000f6f8-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e000000015c9f-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000015dbb-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000015e09-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000015dbb-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000015dbb-62.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a000000015e82-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a000000015e82-69.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000015dbb-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{22CECA12-AEAC-4feb-A6B9-89D5A70FE4F9}\stubpath = "C:\\Windows\\{22CECA12-AEAC-4feb-A6B9-89D5A70FE4F9}.exe"	2024-02-18_2f57e2372c83a7f62aa6addd709749fb_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F01AB06A-BCB4-4a9d-9E96-0B7CB603457F}	{22CECA12-AEAC-4feb-A6B9-89D5A70FE4F9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5107BA8D-8127-472a-BDFF-E5737B98B68A}\stubpath = "C:\\Windows\\{5107BA8D-8127-472a-BDFF-E5737B98B68A}.exe"	{C8C88F1E-ACE5-41e1-9E9A-85F19855324B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{46517393-EB91-40d9-B766-3FA12BA2B2C4}	{B117003A-5B53-4917-8E6D-9D37EC05BA08}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5685FE78-551F-4e08-B195-8D47FCD6E25E}	{46517393-EB91-40d9-B766-3FA12BA2B2C4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{226FBDC8-A59A-4fb6-9DDF-D5B871E018DC}	{5685FE78-551F-4e08-B195-8D47FCD6E25E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D4778DDE-61D4-4a2f-B180-00DC632344C1}	{226FBDC8-A59A-4fb6-9DDF-D5B871E018DC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3D986E6E-D964-41f6-A4F5-B319E9229DA9}	{F01AB06A-BCB4-4a9d-9E96-0B7CB603457F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C8C88F1E-ACE5-41e1-9E9A-85F19855324B}	{3D986E6E-D964-41f6-A4F5-B319E9229DA9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1FCEC8F1-F116-48a9-9E14-75B623D8116A}\stubpath = "C:\\Windows\\{1FCEC8F1-F116-48a9-9E14-75B623D8116A}.exe"	{5107BA8D-8127-472a-BDFF-E5737B98B68A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B117003A-5B53-4917-8E6D-9D37EC05BA08}	{1FCEC8F1-F116-48a9-9E14-75B623D8116A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{46517393-EB91-40d9-B766-3FA12BA2B2C4}\stubpath = "C:\\Windows\\{46517393-EB91-40d9-B766-3FA12BA2B2C4}.exe"	{B117003A-5B53-4917-8E6D-9D37EC05BA08}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D4778DDE-61D4-4a2f-B180-00DC632344C1}\stubpath = "C:\\Windows\\{D4778DDE-61D4-4a2f-B180-00DC632344C1}.exe"	{226FBDC8-A59A-4fb6-9DDF-D5B871E018DC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{22CECA12-AEAC-4feb-A6B9-89D5A70FE4F9}	2024-02-18_2f57e2372c83a7f62aa6addd709749fb_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F01AB06A-BCB4-4a9d-9E96-0B7CB603457F}\stubpath = "C:\\Windows\\{F01AB06A-BCB4-4a9d-9E96-0B7CB603457F}.exe"	{22CECA12-AEAC-4feb-A6B9-89D5A70FE4F9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5685FE78-551F-4e08-B195-8D47FCD6E25E}\stubpath = "C:\\Windows\\{5685FE78-551F-4e08-B195-8D47FCD6E25E}.exe"	{46517393-EB91-40d9-B766-3FA12BA2B2C4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{226FBDC8-A59A-4fb6-9DDF-D5B871E018DC}\stubpath = "C:\\Windows\\{226FBDC8-A59A-4fb6-9DDF-D5B871E018DC}.exe"	{5685FE78-551F-4e08-B195-8D47FCD6E25E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3D986E6E-D964-41f6-A4F5-B319E9229DA9}\stubpath = "C:\\Windows\\{3D986E6E-D964-41f6-A4F5-B319E9229DA9}.exe"	{F01AB06A-BCB4-4a9d-9E96-0B7CB603457F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C8C88F1E-ACE5-41e1-9E9A-85F19855324B}\stubpath = "C:\\Windows\\{C8C88F1E-ACE5-41e1-9E9A-85F19855324B}.exe"	{3D986E6E-D964-41f6-A4F5-B319E9229DA9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5107BA8D-8127-472a-BDFF-E5737B98B68A}	{C8C88F1E-ACE5-41e1-9E9A-85F19855324B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1FCEC8F1-F116-48a9-9E14-75B623D8116A}	{5107BA8D-8127-472a-BDFF-E5737B98B68A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B117003A-5B53-4917-8E6D-9D37EC05BA08}\stubpath = "C:\\Windows\\{B117003A-5B53-4917-8E6D-9D37EC05BA08}.exe"	{1FCEC8F1-F116-48a9-9E14-75B623D8116A}.exe

Deletes itself 1 IoCs

pid	Process
2744	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2268	{22CECA12-AEAC-4feb-A6B9-89D5A70FE4F9}.exe
2540	{F01AB06A-BCB4-4a9d-9E96-0B7CB603457F}.exe
3048	{3D986E6E-D964-41f6-A4F5-B319E9229DA9}.exe
1476	{C8C88F1E-ACE5-41e1-9E9A-85F19855324B}.exe
1780	{5107BA8D-8127-472a-BDFF-E5737B98B68A}.exe
2920	{1FCEC8F1-F116-48a9-9E14-75B623D8116A}.exe
2032	{B117003A-5B53-4917-8E6D-9D37EC05BA08}.exe
1880	{46517393-EB91-40d9-B766-3FA12BA2B2C4}.exe
1444	{5685FE78-551F-4e08-B195-8D47FCD6E25E}.exe
1724	{226FBDC8-A59A-4fb6-9DDF-D5B871E018DC}.exe
1840	{D4778DDE-61D4-4a2f-B180-00DC632344C1}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{1FCEC8F1-F116-48a9-9E14-75B623D8116A}.exe	{5107BA8D-8127-472a-BDFF-E5737B98B68A}.exe
File created	C:\Windows\{46517393-EB91-40d9-B766-3FA12BA2B2C4}.exe	{B117003A-5B53-4917-8E6D-9D37EC05BA08}.exe
File created	C:\Windows\{5685FE78-551F-4e08-B195-8D47FCD6E25E}.exe	{46517393-EB91-40d9-B766-3FA12BA2B2C4}.exe
File created	C:\Windows\{D4778DDE-61D4-4a2f-B180-00DC632344C1}.exe	{226FBDC8-A59A-4fb6-9DDF-D5B871E018DC}.exe
File created	C:\Windows\{22CECA12-AEAC-4feb-A6B9-89D5A70FE4F9}.exe	2024-02-18_2f57e2372c83a7f62aa6addd709749fb_goldeneye.exe
File created	C:\Windows\{F01AB06A-BCB4-4a9d-9E96-0B7CB603457F}.exe	{22CECA12-AEAC-4feb-A6B9-89D5A70FE4F9}.exe
File created	C:\Windows\{5107BA8D-8127-472a-BDFF-E5737B98B68A}.exe	{C8C88F1E-ACE5-41e1-9E9A-85F19855324B}.exe
File created	C:\Windows\{226FBDC8-A59A-4fb6-9DDF-D5B871E018DC}.exe	{5685FE78-551F-4e08-B195-8D47FCD6E25E}.exe
File created	C:\Windows\{3D986E6E-D964-41f6-A4F5-B319E9229DA9}.exe	{F01AB06A-BCB4-4a9d-9E96-0B7CB603457F}.exe
File created	C:\Windows\{C8C88F1E-ACE5-41e1-9E9A-85F19855324B}.exe	{3D986E6E-D964-41f6-A4F5-B319E9229DA9}.exe
File created	C:\Windows\{B117003A-5B53-4917-8E6D-9D37EC05BA08}.exe	{1FCEC8F1-F116-48a9-9E14-75B623D8116A}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2360	2024-02-18_2f57e2372c83a7f62aa6addd709749fb_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2268	{22CECA12-AEAC-4feb-A6B9-89D5A70FE4F9}.exe
Token: SeIncBasePriorityPrivilege	2540	{F01AB06A-BCB4-4a9d-9E96-0B7CB603457F}.exe
Token: SeIncBasePriorityPrivilege	3048	{3D986E6E-D964-41f6-A4F5-B319E9229DA9}.exe
Token: SeIncBasePriorityPrivilege	1476	{C8C88F1E-ACE5-41e1-9E9A-85F19855324B}.exe
Token: SeIncBasePriorityPrivilege	1780	{5107BA8D-8127-472a-BDFF-E5737B98B68A}.exe
Token: SeIncBasePriorityPrivilege	2920	{1FCEC8F1-F116-48a9-9E14-75B623D8116A}.exe
Token: SeIncBasePriorityPrivilege	2032	{B117003A-5B53-4917-8E6D-9D37EC05BA08}.exe
Token: SeIncBasePriorityPrivilege	1880	{46517393-EB91-40d9-B766-3FA12BA2B2C4}.exe
Token: SeIncBasePriorityPrivilege	1444	{5685FE78-551F-4e08-B195-8D47FCD6E25E}.exe
Token: SeIncBasePriorityPrivilege	1724	{226FBDC8-A59A-4fb6-9DDF-D5B871E018DC}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2360 wrote to memory of 2268	2360	2024-02-18_2f57e2372c83a7f62aa6addd709749fb_goldeneye.exe	28
PID 2360 wrote to memory of 2268	2360	2024-02-18_2f57e2372c83a7f62aa6addd709749fb_goldeneye.exe	28
PID 2360 wrote to memory of 2268	2360	2024-02-18_2f57e2372c83a7f62aa6addd709749fb_goldeneye.exe	28
PID 2360 wrote to memory of 2268	2360	2024-02-18_2f57e2372c83a7f62aa6addd709749fb_goldeneye.exe	28
PID 2360 wrote to memory of 2744	2360	2024-02-18_2f57e2372c83a7f62aa6addd709749fb_goldeneye.exe	29
PID 2360 wrote to memory of 2744	2360	2024-02-18_2f57e2372c83a7f62aa6addd709749fb_goldeneye.exe	29
PID 2360 wrote to memory of 2744	2360	2024-02-18_2f57e2372c83a7f62aa6addd709749fb_goldeneye.exe	29
PID 2360 wrote to memory of 2744	2360	2024-02-18_2f57e2372c83a7f62aa6addd709749fb_goldeneye.exe	29
PID 2268 wrote to memory of 2540	2268	{22CECA12-AEAC-4feb-A6B9-89D5A70FE4F9}.exe	30
PID 2268 wrote to memory of 2540	2268	{22CECA12-AEAC-4feb-A6B9-89D5A70FE4F9}.exe	30
PID 2268 wrote to memory of 2540	2268	{22CECA12-AEAC-4feb-A6B9-89D5A70FE4F9}.exe	30
PID 2268 wrote to memory of 2540	2268	{22CECA12-AEAC-4feb-A6B9-89D5A70FE4F9}.exe	30
PID 2268 wrote to memory of 2800	2268	{22CECA12-AEAC-4feb-A6B9-89D5A70FE4F9}.exe	31
PID 2268 wrote to memory of 2800	2268	{22CECA12-AEAC-4feb-A6B9-89D5A70FE4F9}.exe	31
PID 2268 wrote to memory of 2800	2268	{22CECA12-AEAC-4feb-A6B9-89D5A70FE4F9}.exe	31
PID 2268 wrote to memory of 2800	2268	{22CECA12-AEAC-4feb-A6B9-89D5A70FE4F9}.exe	31
PID 2540 wrote to memory of 3048	2540	{F01AB06A-BCB4-4a9d-9E96-0B7CB603457F}.exe	34
PID 2540 wrote to memory of 3048	2540	{F01AB06A-BCB4-4a9d-9E96-0B7CB603457F}.exe	34
PID 2540 wrote to memory of 3048	2540	{F01AB06A-BCB4-4a9d-9E96-0B7CB603457F}.exe	34
PID 2540 wrote to memory of 3048	2540	{F01AB06A-BCB4-4a9d-9E96-0B7CB603457F}.exe	34
PID 2540 wrote to memory of 2400	2540	{F01AB06A-BCB4-4a9d-9E96-0B7CB603457F}.exe	35
PID 2540 wrote to memory of 2400	2540	{F01AB06A-BCB4-4a9d-9E96-0B7CB603457F}.exe	35
PID 2540 wrote to memory of 2400	2540	{F01AB06A-BCB4-4a9d-9E96-0B7CB603457F}.exe	35
PID 2540 wrote to memory of 2400	2540	{F01AB06A-BCB4-4a9d-9E96-0B7CB603457F}.exe	35
PID 3048 wrote to memory of 1476	3048	{3D986E6E-D964-41f6-A4F5-B319E9229DA9}.exe	36
PID 3048 wrote to memory of 1476	3048	{3D986E6E-D964-41f6-A4F5-B319E9229DA9}.exe	36
PID 3048 wrote to memory of 1476	3048	{3D986E6E-D964-41f6-A4F5-B319E9229DA9}.exe	36
PID 3048 wrote to memory of 1476	3048	{3D986E6E-D964-41f6-A4F5-B319E9229DA9}.exe	36
PID 3048 wrote to memory of 772	3048	{3D986E6E-D964-41f6-A4F5-B319E9229DA9}.exe	37
PID 3048 wrote to memory of 772	3048	{3D986E6E-D964-41f6-A4F5-B319E9229DA9}.exe	37
PID 3048 wrote to memory of 772	3048	{3D986E6E-D964-41f6-A4F5-B319E9229DA9}.exe	37
PID 3048 wrote to memory of 772	3048	{3D986E6E-D964-41f6-A4F5-B319E9229DA9}.exe	37
PID 1476 wrote to memory of 1780	1476	{C8C88F1E-ACE5-41e1-9E9A-85F19855324B}.exe	38
PID 1476 wrote to memory of 1780	1476	{C8C88F1E-ACE5-41e1-9E9A-85F19855324B}.exe	38
PID 1476 wrote to memory of 1780	1476	{C8C88F1E-ACE5-41e1-9E9A-85F19855324B}.exe	38
PID 1476 wrote to memory of 1780	1476	{C8C88F1E-ACE5-41e1-9E9A-85F19855324B}.exe	38
PID 1476 wrote to memory of 2768	1476	{C8C88F1E-ACE5-41e1-9E9A-85F19855324B}.exe	39
PID 1476 wrote to memory of 2768	1476	{C8C88F1E-ACE5-41e1-9E9A-85F19855324B}.exe	39
PID 1476 wrote to memory of 2768	1476	{C8C88F1E-ACE5-41e1-9E9A-85F19855324B}.exe	39
PID 1476 wrote to memory of 2768	1476	{C8C88F1E-ACE5-41e1-9E9A-85F19855324B}.exe	39
PID 1780 wrote to memory of 2920	1780	{5107BA8D-8127-472a-BDFF-E5737B98B68A}.exe	40
PID 1780 wrote to memory of 2920	1780	{5107BA8D-8127-472a-BDFF-E5737B98B68A}.exe	40
PID 1780 wrote to memory of 2920	1780	{5107BA8D-8127-472a-BDFF-E5737B98B68A}.exe	40
PID 1780 wrote to memory of 2920	1780	{5107BA8D-8127-472a-BDFF-E5737B98B68A}.exe	40
PID 1780 wrote to memory of 1856	1780	{5107BA8D-8127-472a-BDFF-E5737B98B68A}.exe	41
PID 1780 wrote to memory of 1856	1780	{5107BA8D-8127-472a-BDFF-E5737B98B68A}.exe	41
PID 1780 wrote to memory of 1856	1780	{5107BA8D-8127-472a-BDFF-E5737B98B68A}.exe	41
PID 1780 wrote to memory of 1856	1780	{5107BA8D-8127-472a-BDFF-E5737B98B68A}.exe	41
PID 2920 wrote to memory of 2032	2920	{1FCEC8F1-F116-48a9-9E14-75B623D8116A}.exe	42
PID 2920 wrote to memory of 2032	2920	{1FCEC8F1-F116-48a9-9E14-75B623D8116A}.exe	42
PID 2920 wrote to memory of 2032	2920	{1FCEC8F1-F116-48a9-9E14-75B623D8116A}.exe	42
PID 2920 wrote to memory of 2032	2920	{1FCEC8F1-F116-48a9-9E14-75B623D8116A}.exe	42
PID 2920 wrote to memory of 860	2920	{1FCEC8F1-F116-48a9-9E14-75B623D8116A}.exe	43
PID 2920 wrote to memory of 860	2920	{1FCEC8F1-F116-48a9-9E14-75B623D8116A}.exe	43
PID 2920 wrote to memory of 860	2920	{1FCEC8F1-F116-48a9-9E14-75B623D8116A}.exe	43
PID 2920 wrote to memory of 860	2920	{1FCEC8F1-F116-48a9-9E14-75B623D8116A}.exe	43
PID 2032 wrote to memory of 1880	2032	{B117003A-5B53-4917-8E6D-9D37EC05BA08}.exe	44
PID 2032 wrote to memory of 1880	2032	{B117003A-5B53-4917-8E6D-9D37EC05BA08}.exe	44
PID 2032 wrote to memory of 1880	2032	{B117003A-5B53-4917-8E6D-9D37EC05BA08}.exe	44
PID 2032 wrote to memory of 1880	2032	{B117003A-5B53-4917-8E6D-9D37EC05BA08}.exe	44
PID 2032 wrote to memory of 2004	2032	{B117003A-5B53-4917-8E6D-9D37EC05BA08}.exe	45
PID 2032 wrote to memory of 2004	2032	{B117003A-5B53-4917-8E6D-9D37EC05BA08}.exe	45
PID 2032 wrote to memory of 2004	2032	{B117003A-5B53-4917-8E6D-9D37EC05BA08}.exe	45
PID 2032 wrote to memory of 2004	2032	{B117003A-5B53-4917-8E6D-9D37EC05BA08}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-02-18_2f57e2372c83a7f62aa6addd709749fb_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-18_2f57e2372c83a7f62aa6addd709749fb_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2360
- C:\Windows\{22CECA12-AEAC-4feb-A6B9-89D5A70FE4F9}.exe
  C:\Windows\{22CECA12-AEAC-4feb-A6B9-89D5A70FE4F9}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2268
- - C:\Windows\{F01AB06A-BCB4-4a9d-9E96-0B7CB603457F}.exe
    C:\Windows\{F01AB06A-BCB4-4a9d-9E96-0B7CB603457F}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2540
  - - C:\Windows\{3D986E6E-D964-41f6-A4F5-B319E9229DA9}.exe
      C:\Windows\{3D986E6E-D964-41f6-A4F5-B319E9229DA9}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3048
    - - C:\Windows\{C8C88F1E-ACE5-41e1-9E9A-85F19855324B}.exe
        
        C:\Windows\{C8C88F1E-ACE5-41e1-9E9A-85F19855324B}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1476
      - C:\Windows\{5107BA8D-8127-472a-BDFF-E5737B98B68A}.exe
        
        C:\Windows\{5107BA8D-8127-472a-BDFF-E5737B98B68A}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1780
        
        C:\Windows\{1FCEC8F1-F116-48a9-9E14-75B623D8116A}.exe
        
        C:\Windows\{1FCEC8F1-F116-48a9-9E14-75B623D8116A}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2920
        
        C:\Windows\{B117003A-5B53-4917-8E6D-9D37EC05BA08}.exe
        
        C:\Windows\{B117003A-5B53-4917-8E6D-9D37EC05BA08}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2032
        
        C:\Windows\{46517393-EB91-40d9-B766-3FA12BA2B2C4}.exe
        
        C:\Windows\{46517393-EB91-40d9-B766-3FA12BA2B2C4}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1880
        
        C:\Windows\{5685FE78-551F-4e08-B195-8D47FCD6E25E}.exe
        
        C:\Windows\{5685FE78-551F-4e08-B195-8D47FCD6E25E}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1444
        
        C:\Windows\{226FBDC8-A59A-4fb6-9DDF-D5B871E018DC}.exe
        
        C:\Windows\{226FBDC8-A59A-4fb6-9DDF-D5B871E018DC}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1724
        
        C:\Windows\{D4778DDE-61D4-4a2f-B180-00DC632344C1}.exe
        
        C:\Windows\{D4778DDE-61D4-4a2f-B180-00DC632344C1}.exe
        12⤵
        Executes dropped EXE
        
        PID:1840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{226FB~1.EXE > nul
        12⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5685F~1.EXE > nul
        11⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{46517~1.EXE > nul
        10⤵
        
        PID:456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B1170~1.EXE > nul
        9⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1FCEC~1.EXE > nul
        8⤵
        
        PID:860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5107B~1.EXE > nul
        7⤵
        
        PID:1856
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C8C88~1.EXE > nul
        6⤵
        
        PID:2768
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3D986~1.EXE > nul
        5⤵
        
        PID:772
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{F01AB~1.EXE > nul
      4⤵
      PID:2400
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{22CEC~1.EXE > nul
    3⤵
    PID:2800
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1FCEC8F1-F116-48a9-9E14-75B623D8116A}.exe

Filesize
408KB

MD5
40e742efb09dfa3d890b9d88a9420bfa

SHA1
74127d3f9ccdd63f690356ea93f0be434e904412

SHA256
1b674591e868de05cf0023592cd7ec5393a56deae777599557077c0216e8f590

SHA512
1033f321f9969216e3b10b1cc4d9e1995acd4bc28ce78b1051f77472307b85fee61d3a260f8c14a0742606176f7cf6ca4f893ea674323f171c1de8c742252836

Download Submit
C:\Windows\{226FBDC8-A59A-4fb6-9DDF-D5B871E018DC}.exe

Filesize
68KB

MD5
64a50d687732dbda4cc0919050b23427

SHA1
4f05b50d2855627bf5be2d187880fbce40f2954e

SHA256
290ccdc1a9fdd58e856347d53129e8c2b5be4302dde14dbacadf9e756c24c832

SHA512
5f6b8c2b923673317f71fde4183845612bcb07e1defeaf8bfbde819de24f150de6095ef60bf90145e0aebc59fa488e7562b43f82fee47b87173e4f2cb71a0386

Download Submit
C:\Windows\{226FBDC8-A59A-4fb6-9DDF-D5B871E018DC}.exe

Filesize
408KB

MD5
f8674c6706ccf75343a4996e74df8ea1

SHA1
9d15f0261d09eb4d5256014e14f384b854d90b4d

SHA256
5affaafb57480c61331c4049e82a2db383d86445e420bc0c852381f62cb663ad

SHA512
eb3576b4869d6e6ad8b4c3e3e6490a6b7ef434f76a7b3cc947c439b6d757b21fad8ce017da793223350f40cd118335eb1ab723e0ed8cdcc779f9de22044411f3

Download Submit
C:\Windows\{22CECA12-AEAC-4feb-A6B9-89D5A70FE4F9}.exe

Filesize
408KB

MD5
68d3cb0c4496d4ba5857b784e93ec4cf

SHA1
95322da7a5343f4dc3d48eab802bc9b305c2a21b

SHA256
60a99595ae44f44188ff3459bb68a571c9d11aec40d15e07c2c57799a6d32035

SHA512
ad304b1b083e6bda2238f1adf3cedb4ece1cdd49e611d5025c8c74bcbbad8b5b51e0a3f6b5a187ded38f2acc732c6e242dd76cdd3960fb12780cb0b5e4d87f16

Download Submit
C:\Windows\{3D986E6E-D964-41f6-A4F5-B319E9229DA9}.exe

Filesize
408KB

MD5
2d683837cc52c2cda1bd7af2ac4cfbf0

SHA1
b3ca1f7243d964ef56c9db4d0e44d2c211882790

SHA256
d57f461d9415151d9ff3a98a251e885f1cbf19c548a09c4e50294ba1c8e7fc46

SHA512
b38c720ee4e7817e5bd0fe0f5e945f767a9e786dcb0dac078fce5bd2141cf554f2f2cfae5d278922fcc2c5ee00b6bb6c3b2f6b08af2fd247310ceb4a7453a696

Download Submit
C:\Windows\{46517393-EB91-40d9-B766-3FA12BA2B2C4}.exe

Filesize
408KB

MD5
fe26d9f9a8b580ed87e7a99390f97e8a

SHA1
a232585b0d6c4e260a425dfb19721e6af4b02a94

SHA256
9fcdf6d18c5ebd706e76e82ea95f63c7b8a54746597d548410443b6d3cd765a6

SHA512
e51092c9e3ea3766a2e02cf04c7478af80c7036db62cd158842685b8f675a9233a04ecb999fdd8e16d8feac3afc1bdce8f33f278058d71a7023e15938a834fed

Download Submit
C:\Windows\{5107BA8D-8127-472a-BDFF-E5737B98B68A}.exe

Filesize
408KB

MD5
f695dec8df0436fa5dfe44bfb6966a20

SHA1
5d97680c737cc998b3efd0844fe9bbaf9b7ea7b5

SHA256
ebcb1481d46f952cbcaaf5a0defd2bcdad757b44ed59970beac09c5a6f7e130f

SHA512
5c90573279bc9dc15503ef795a2398a75c3764832408928de3631e0021b84b8aef1ea353e0cd1ae7fb80bc9db815ad6b954f27f41049988e1c94f92b03f38fef

Download Submit
C:\Windows\{5685FE78-551F-4e08-B195-8D47FCD6E25E}.exe

Filesize
408KB

MD5
ec3b8671e1a815dd5ec8800ba865999e

SHA1
bfd55306b9bbe89b898a3a4b87d64ccd62f7b370

SHA256
ea376fbc4ede5d851f4bd91b84d5d10d612d8d93c11894ce08a5a85d2a198bde

SHA512
a6f6da2fbeb221fd75c4c6ad3ceb27ef7f0933681495d23d2e7a02b94ae029ce111e42cd2cdc66d270b4a7d70df821798617a713cd3afa1b22f38af9e545df45

Download Submit
C:\Windows\{5685FE78-551F-4e08-B195-8D47FCD6E25E}.exe

Filesize
194KB

MD5
2a76f7ce08fc4c18e9393857d8e899c3

SHA1
ed96703729d89cc3a9a1fc6765a57d5a3bba82b3

SHA256
d9b5a927168b396e0951a9e1eb30a4aa4c3b425209c1ff1502924e68a58e05ae

SHA512
ce7b00d1b0079da95a4eb17e7c3b52e83413af4bd64d116ed3fec9d61438f2558e7bbf84b46f04ab425dcaf8e9f0d9eefc6ff54d9bbc9a5c21c9005a9d4449b7

Download Submit
C:\Windows\{B117003A-5B53-4917-8E6D-9D37EC05BA08}.exe

Filesize
408KB

MD5
d9887b473093b0b8be23cc0379c23f9f

SHA1
0f5f1f73e3c2b31c97a553cfed0072290addbd99

SHA256
8f8eafb5b9d70c3251be6df899711523e0138fd16a5bdffbd048d4a659a48bd4

SHA512
a3d5fa6491845f8116482940be89e401ed397d97d8fb1e4ca9c721793f82456138e031929fce6c56378795aaac5a96e7f71fde64f7f6c7c65f00639229691e6e

Download Submit
C:\Windows\{C8C88F1E-ACE5-41e1-9E9A-85F19855324B}.exe

Filesize
408KB

MD5
b5917ef6a8e2ae573e6b86cf36b2c4be

SHA1
7bce575e1dab8bb4e13e6e7047552b601554f77d

SHA256
8541cd6fe2aec7d5662fc697d5adfdafdf2850b2e76dd0f0116fae06f3f3cc93

SHA512
4f824da245f38900f9e5369a3162c3a1a66d5dd20825cc58425984185c5784b63fbb400a611909edf9a48040386617e822642d37ba74a8424b3918c50735b409

Download Submit
C:\Windows\{D4778DDE-61D4-4a2f-B180-00DC632344C1}.exe

Filesize
408KB

MD5
87a1440abb5567321e7e1918b139984e

SHA1
f05dbdcd1c037fa46d1ff17ee8f6cc0bc6374086

SHA256
54d08006ba3c5ed8e4f287215bd8c7aed6168eff2d49c6e60d1d5291524bd799

SHA512
b24c4a67f098cb4bb4c5c6abe2f40eaa7062ea3e8a3cc4cbfeaa3741bd9225e6e08e5f2dd5a1c3b237cd1a1849661713ee2c6edffacaf87d051bb0922cd785ec

Download Submit
C:\Windows\{F01AB06A-BCB4-4a9d-9E96-0B7CB603457F}.exe

Filesize
408KB

MD5
23b42a26f5d2e6b3f90cde129d275bcd

SHA1
1cb8d4db1f40509ab20b430673255ccc1f5c408f

SHA256
05011023031dc1310669836383e7c901e5060d6d603de02471ff86db98183db8

SHA512
e8ce709a87c644b2bf4c6b81353d4bc89307131f9581b6f3d95b1e452630f9166c7ed8ad65fa061ad06798903b328a8ad95f350a1fbcae7b7ef39bcf30460511

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads