5bd624e1e48b40582eedaf94dd4b1e628b164fe5d847f2385449eeafa2556cc3

Analysis

max time kernel
144s
max time network
123s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
18/02/2024, 08:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-18_2ce73e36544f566c452f098f07aa5b0a_goldeneye.exe
Size

408KB
MD5

2ce73e36544f566c452f098f07aa5b0a
SHA1

96829e1dd1e09b32adb799a877e198d3451926c2
SHA256

5bd624e1e48b40582eedaf94dd4b1e628b164fe5d847f2385449eeafa2556cc3
SHA512

22c6fb47e5c3ca8be67d48e98886bc413c2d47f1c9cdaf984f4d53cdd01d323cc825addcc2e727342616084ffe57999a5cbf5d6631afc45e149ac085beca6a2c
SSDEEP

3072:CEGh0o5l3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBft:CEGzldOe2MUVg3vTeKcAEciTBqr3jy9

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x0007000000012284-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e0000000122ec-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000012284-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000012284-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a000000012284-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b000000012284-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000012284-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D79954FF-78FD-467c-BA9C-742EC1647645}	{395652FC-1615-4d49-8E9D-51E02BD4F532}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3FE57EE0-CB28-44c6-8F61-EB9AC190B7A6}	{D79954FF-78FD-467c-BA9C-742EC1647645}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3FE57EE0-CB28-44c6-8F61-EB9AC190B7A6}\stubpath = "C:\\Windows\\{3FE57EE0-CB28-44c6-8F61-EB9AC190B7A6}.exe"	{D79954FF-78FD-467c-BA9C-742EC1647645}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{090B1335-A7B9-4319-8CE1-586E0D24E668}	{CD41EFD5-C4B7-431e-BCB4-AB9825D7FC28}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5E26A5A5-6064-4e70-B1C0-A5BE3ED38E1C}	2024-02-18_2ce73e36544f566c452f098f07aa5b0a_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EC1EEE1A-F61A-47df-9858-1EBFD57B45BB}	{5E26A5A5-6064-4e70-B1C0-A5BE3ED38E1C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D55C27CE-486F-4a8d-9450-D23C82008532}	{3FE57EE0-CB28-44c6-8F61-EB9AC190B7A6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D55C27CE-486F-4a8d-9450-D23C82008532}\stubpath = "C:\\Windows\\{D55C27CE-486F-4a8d-9450-D23C82008532}.exe"	{3FE57EE0-CB28-44c6-8F61-EB9AC190B7A6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DECADE37-E01D-4027-94C7-0A89638FCD05}	{FD20C26E-81D7-4832-AADE-0E6C2E183D17}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DECADE37-E01D-4027-94C7-0A89638FCD05}\stubpath = "C:\\Windows\\{DECADE37-E01D-4027-94C7-0A89638FCD05}.exe"	{FD20C26E-81D7-4832-AADE-0E6C2E183D17}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DAA51335-9DCC-486b-AF5B-5ABEF39F4448}\stubpath = "C:\\Windows\\{DAA51335-9DCC-486b-AF5B-5ABEF39F4448}.exe"	{EC1EEE1A-F61A-47df-9858-1EBFD57B45BB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{395652FC-1615-4d49-8E9D-51E02BD4F532}	{DAA51335-9DCC-486b-AF5B-5ABEF39F4448}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DAA51335-9DCC-486b-AF5B-5ABEF39F4448}	{EC1EEE1A-F61A-47df-9858-1EBFD57B45BB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D79954FF-78FD-467c-BA9C-742EC1647645}\stubpath = "C:\\Windows\\{D79954FF-78FD-467c-BA9C-742EC1647645}.exe"	{395652FC-1615-4d49-8E9D-51E02BD4F532}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FD20C26E-81D7-4832-AADE-0E6C2E183D17}\stubpath = "C:\\Windows\\{FD20C26E-81D7-4832-AADE-0E6C2E183D17}.exe"	{D55C27CE-486F-4a8d-9450-D23C82008532}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CD41EFD5-C4B7-431e-BCB4-AB9825D7FC28}	{DECADE37-E01D-4027-94C7-0A89638FCD05}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5E26A5A5-6064-4e70-B1C0-A5BE3ED38E1C}\stubpath = "C:\\Windows\\{5E26A5A5-6064-4e70-B1C0-A5BE3ED38E1C}.exe"	2024-02-18_2ce73e36544f566c452f098f07aa5b0a_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EC1EEE1A-F61A-47df-9858-1EBFD57B45BB}\stubpath = "C:\\Windows\\{EC1EEE1A-F61A-47df-9858-1EBFD57B45BB}.exe"	{5E26A5A5-6064-4e70-B1C0-A5BE3ED38E1C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CD41EFD5-C4B7-431e-BCB4-AB9825D7FC28}\stubpath = "C:\\Windows\\{CD41EFD5-C4B7-431e-BCB4-AB9825D7FC28}.exe"	{DECADE37-E01D-4027-94C7-0A89638FCD05}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{090B1335-A7B9-4319-8CE1-586E0D24E668}\stubpath = "C:\\Windows\\{090B1335-A7B9-4319-8CE1-586E0D24E668}.exe"	{CD41EFD5-C4B7-431e-BCB4-AB9825D7FC28}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{395652FC-1615-4d49-8E9D-51E02BD4F532}\stubpath = "C:\\Windows\\{395652FC-1615-4d49-8E9D-51E02BD4F532}.exe"	{DAA51335-9DCC-486b-AF5B-5ABEF39F4448}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FD20C26E-81D7-4832-AADE-0E6C2E183D17}	{D55C27CE-486F-4a8d-9450-D23C82008532}.exe

Deletes itself 1 IoCs

pid	Process
2740	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2280	{5E26A5A5-6064-4e70-B1C0-A5BE3ED38E1C}.exe
2824	{EC1EEE1A-F61A-47df-9858-1EBFD57B45BB}.exe
2728	{DAA51335-9DCC-486b-AF5B-5ABEF39F4448}.exe
664	{395652FC-1615-4d49-8E9D-51E02BD4F532}.exe
2056	{D79954FF-78FD-467c-BA9C-742EC1647645}.exe
1684	{3FE57EE0-CB28-44c6-8F61-EB9AC190B7A6}.exe
2908	{D55C27CE-486F-4a8d-9450-D23C82008532}.exe
1912	{FD20C26E-81D7-4832-AADE-0E6C2E183D17}.exe
1196	{DECADE37-E01D-4027-94C7-0A89638FCD05}.exe
3048	{CD41EFD5-C4B7-431e-BCB4-AB9825D7FC28}.exe
1880	{090B1335-A7B9-4319-8CE1-586E0D24E668}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{395652FC-1615-4d49-8E9D-51E02BD4F532}.exe	{DAA51335-9DCC-486b-AF5B-5ABEF39F4448}.exe
File created	C:\Windows\{FD20C26E-81D7-4832-AADE-0E6C2E183D17}.exe	{D55C27CE-486F-4a8d-9450-D23C82008532}.exe
File created	C:\Windows\{DECADE37-E01D-4027-94C7-0A89638FCD05}.exe	{FD20C26E-81D7-4832-AADE-0E6C2E183D17}.exe
File created	C:\Windows\{EC1EEE1A-F61A-47df-9858-1EBFD57B45BB}.exe	{5E26A5A5-6064-4e70-B1C0-A5BE3ED38E1C}.exe
File created	C:\Windows\{DAA51335-9DCC-486b-AF5B-5ABEF39F4448}.exe	{EC1EEE1A-F61A-47df-9858-1EBFD57B45BB}.exe
File created	C:\Windows\{3FE57EE0-CB28-44c6-8F61-EB9AC190B7A6}.exe	{D79954FF-78FD-467c-BA9C-742EC1647645}.exe
File created	C:\Windows\{D55C27CE-486F-4a8d-9450-D23C82008532}.exe	{3FE57EE0-CB28-44c6-8F61-EB9AC190B7A6}.exe
File created	C:\Windows\{CD41EFD5-C4B7-431e-BCB4-AB9825D7FC28}.exe	{DECADE37-E01D-4027-94C7-0A89638FCD05}.exe
File created	C:\Windows\{090B1335-A7B9-4319-8CE1-586E0D24E668}.exe	{CD41EFD5-C4B7-431e-BCB4-AB9825D7FC28}.exe
File created	C:\Windows\{5E26A5A5-6064-4e70-B1C0-A5BE3ED38E1C}.exe	2024-02-18_2ce73e36544f566c452f098f07aa5b0a_goldeneye.exe
File created	C:\Windows\{D79954FF-78FD-467c-BA9C-742EC1647645}.exe	{395652FC-1615-4d49-8E9D-51E02BD4F532}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2516	2024-02-18_2ce73e36544f566c452f098f07aa5b0a_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2280	{5E26A5A5-6064-4e70-B1C0-A5BE3ED38E1C}.exe
Token: SeIncBasePriorityPrivilege	2824	{EC1EEE1A-F61A-47df-9858-1EBFD57B45BB}.exe
Token: SeIncBasePriorityPrivilege	2728	{DAA51335-9DCC-486b-AF5B-5ABEF39F4448}.exe
Token: SeIncBasePriorityPrivilege	664	{395652FC-1615-4d49-8E9D-51E02BD4F532}.exe
Token: SeIncBasePriorityPrivilege	2056	{D79954FF-78FD-467c-BA9C-742EC1647645}.exe
Token: SeIncBasePriorityPrivilege	1684	{3FE57EE0-CB28-44c6-8F61-EB9AC190B7A6}.exe
Token: SeIncBasePriorityPrivilege	2908	{D55C27CE-486F-4a8d-9450-D23C82008532}.exe
Token: SeIncBasePriorityPrivilege	1912	{FD20C26E-81D7-4832-AADE-0E6C2E183D17}.exe
Token: SeIncBasePriorityPrivilege	1196	{DECADE37-E01D-4027-94C7-0A89638FCD05}.exe
Token: SeIncBasePriorityPrivilege	3048	{CD41EFD5-C4B7-431e-BCB4-AB9825D7FC28}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2516 wrote to memory of 2280	2516	2024-02-18_2ce73e36544f566c452f098f07aa5b0a_goldeneye.exe	28
PID 2516 wrote to memory of 2280	2516	2024-02-18_2ce73e36544f566c452f098f07aa5b0a_goldeneye.exe	28
PID 2516 wrote to memory of 2280	2516	2024-02-18_2ce73e36544f566c452f098f07aa5b0a_goldeneye.exe	28
PID 2516 wrote to memory of 2280	2516	2024-02-18_2ce73e36544f566c452f098f07aa5b0a_goldeneye.exe	28
PID 2516 wrote to memory of 2740	2516	2024-02-18_2ce73e36544f566c452f098f07aa5b0a_goldeneye.exe	29
PID 2516 wrote to memory of 2740	2516	2024-02-18_2ce73e36544f566c452f098f07aa5b0a_goldeneye.exe	29
PID 2516 wrote to memory of 2740	2516	2024-02-18_2ce73e36544f566c452f098f07aa5b0a_goldeneye.exe	29
PID 2516 wrote to memory of 2740	2516	2024-02-18_2ce73e36544f566c452f098f07aa5b0a_goldeneye.exe	29
PID 2280 wrote to memory of 2824	2280	{5E26A5A5-6064-4e70-B1C0-A5BE3ED38E1C}.exe	30
PID 2280 wrote to memory of 2824	2280	{5E26A5A5-6064-4e70-B1C0-A5BE3ED38E1C}.exe	30
PID 2280 wrote to memory of 2824	2280	{5E26A5A5-6064-4e70-B1C0-A5BE3ED38E1C}.exe	30
PID 2280 wrote to memory of 2824	2280	{5E26A5A5-6064-4e70-B1C0-A5BE3ED38E1C}.exe	30
PID 2280 wrote to memory of 2308	2280	{5E26A5A5-6064-4e70-B1C0-A5BE3ED38E1C}.exe	31
PID 2280 wrote to memory of 2308	2280	{5E26A5A5-6064-4e70-B1C0-A5BE3ED38E1C}.exe	31
PID 2280 wrote to memory of 2308	2280	{5E26A5A5-6064-4e70-B1C0-A5BE3ED38E1C}.exe	31
PID 2280 wrote to memory of 2308	2280	{5E26A5A5-6064-4e70-B1C0-A5BE3ED38E1C}.exe	31
PID 2824 wrote to memory of 2728	2824	{EC1EEE1A-F61A-47df-9858-1EBFD57B45BB}.exe	32
PID 2824 wrote to memory of 2728	2824	{EC1EEE1A-F61A-47df-9858-1EBFD57B45BB}.exe	32
PID 2824 wrote to memory of 2728	2824	{EC1EEE1A-F61A-47df-9858-1EBFD57B45BB}.exe	32
PID 2824 wrote to memory of 2728	2824	{EC1EEE1A-F61A-47df-9858-1EBFD57B45BB}.exe	32
PID 2824 wrote to memory of 2704	2824	{EC1EEE1A-F61A-47df-9858-1EBFD57B45BB}.exe	33
PID 2824 wrote to memory of 2704	2824	{EC1EEE1A-F61A-47df-9858-1EBFD57B45BB}.exe	33
PID 2824 wrote to memory of 2704	2824	{EC1EEE1A-F61A-47df-9858-1EBFD57B45BB}.exe	33
PID 2824 wrote to memory of 2704	2824	{EC1EEE1A-F61A-47df-9858-1EBFD57B45BB}.exe	33
PID 2728 wrote to memory of 664	2728	{DAA51335-9DCC-486b-AF5B-5ABEF39F4448}.exe	36
PID 2728 wrote to memory of 664	2728	{DAA51335-9DCC-486b-AF5B-5ABEF39F4448}.exe	36
PID 2728 wrote to memory of 664	2728	{DAA51335-9DCC-486b-AF5B-5ABEF39F4448}.exe	36
PID 2728 wrote to memory of 664	2728	{DAA51335-9DCC-486b-AF5B-5ABEF39F4448}.exe	36
PID 2728 wrote to memory of 3004	2728	{DAA51335-9DCC-486b-AF5B-5ABEF39F4448}.exe	37
PID 2728 wrote to memory of 3004	2728	{DAA51335-9DCC-486b-AF5B-5ABEF39F4448}.exe	37
PID 2728 wrote to memory of 3004	2728	{DAA51335-9DCC-486b-AF5B-5ABEF39F4448}.exe	37
PID 2728 wrote to memory of 3004	2728	{DAA51335-9DCC-486b-AF5B-5ABEF39F4448}.exe	37
PID 664 wrote to memory of 2056	664	{395652FC-1615-4d49-8E9D-51E02BD4F532}.exe	38
PID 664 wrote to memory of 2056	664	{395652FC-1615-4d49-8E9D-51E02BD4F532}.exe	38
PID 664 wrote to memory of 2056	664	{395652FC-1615-4d49-8E9D-51E02BD4F532}.exe	38
PID 664 wrote to memory of 2056	664	{395652FC-1615-4d49-8E9D-51E02BD4F532}.exe	38
PID 664 wrote to memory of 1160	664	{395652FC-1615-4d49-8E9D-51E02BD4F532}.exe	39
PID 664 wrote to memory of 1160	664	{395652FC-1615-4d49-8E9D-51E02BD4F532}.exe	39
PID 664 wrote to memory of 1160	664	{395652FC-1615-4d49-8E9D-51E02BD4F532}.exe	39
PID 664 wrote to memory of 1160	664	{395652FC-1615-4d49-8E9D-51E02BD4F532}.exe	39
PID 2056 wrote to memory of 1684	2056	{D79954FF-78FD-467c-BA9C-742EC1647645}.exe	40
PID 2056 wrote to memory of 1684	2056	{D79954FF-78FD-467c-BA9C-742EC1647645}.exe	40
PID 2056 wrote to memory of 1684	2056	{D79954FF-78FD-467c-BA9C-742EC1647645}.exe	40
PID 2056 wrote to memory of 1684	2056	{D79954FF-78FD-467c-BA9C-742EC1647645}.exe	40
PID 2056 wrote to memory of 632	2056	{D79954FF-78FD-467c-BA9C-742EC1647645}.exe	41
PID 2056 wrote to memory of 632	2056	{D79954FF-78FD-467c-BA9C-742EC1647645}.exe	41
PID 2056 wrote to memory of 632	2056	{D79954FF-78FD-467c-BA9C-742EC1647645}.exe	41
PID 2056 wrote to memory of 632	2056	{D79954FF-78FD-467c-BA9C-742EC1647645}.exe	41
PID 1684 wrote to memory of 2908	1684	{3FE57EE0-CB28-44c6-8F61-EB9AC190B7A6}.exe	43
PID 1684 wrote to memory of 2908	1684	{3FE57EE0-CB28-44c6-8F61-EB9AC190B7A6}.exe	43
PID 1684 wrote to memory of 2908	1684	{3FE57EE0-CB28-44c6-8F61-EB9AC190B7A6}.exe	43
PID 1684 wrote to memory of 2908	1684	{3FE57EE0-CB28-44c6-8F61-EB9AC190B7A6}.exe	43
PID 1684 wrote to memory of 2960	1684	{3FE57EE0-CB28-44c6-8F61-EB9AC190B7A6}.exe	42
PID 1684 wrote to memory of 2960	1684	{3FE57EE0-CB28-44c6-8F61-EB9AC190B7A6}.exe	42
PID 1684 wrote to memory of 2960	1684	{3FE57EE0-CB28-44c6-8F61-EB9AC190B7A6}.exe	42
PID 1684 wrote to memory of 2960	1684	{3FE57EE0-CB28-44c6-8F61-EB9AC190B7A6}.exe	42
PID 2908 wrote to memory of 1912	2908	{D55C27CE-486F-4a8d-9450-D23C82008532}.exe	44
PID 2908 wrote to memory of 1912	2908	{D55C27CE-486F-4a8d-9450-D23C82008532}.exe	44
PID 2908 wrote to memory of 1912	2908	{D55C27CE-486F-4a8d-9450-D23C82008532}.exe	44
PID 2908 wrote to memory of 1912	2908	{D55C27CE-486F-4a8d-9450-D23C82008532}.exe	44
PID 2908 wrote to memory of 1380	2908	{D55C27CE-486F-4a8d-9450-D23C82008532}.exe	45
PID 2908 wrote to memory of 1380	2908	{D55C27CE-486F-4a8d-9450-D23C82008532}.exe	45
PID 2908 wrote to memory of 1380	2908	{D55C27CE-486F-4a8d-9450-D23C82008532}.exe	45
PID 2908 wrote to memory of 1380	2908	{D55C27CE-486F-4a8d-9450-D23C82008532}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-02-18_2ce73e36544f566c452f098f07aa5b0a_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-18_2ce73e36544f566c452f098f07aa5b0a_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2516
- C:\Windows\{5E26A5A5-6064-4e70-B1C0-A5BE3ED38E1C}.exe
  C:\Windows\{5E26A5A5-6064-4e70-B1C0-A5BE3ED38E1C}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2280
- - C:\Windows\{EC1EEE1A-F61A-47df-9858-1EBFD57B45BB}.exe
    C:\Windows\{EC1EEE1A-F61A-47df-9858-1EBFD57B45BB}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2824
  - - C:\Windows\{DAA51335-9DCC-486b-AF5B-5ABEF39F4448}.exe
      C:\Windows\{DAA51335-9DCC-486b-AF5B-5ABEF39F4448}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2728
    - - C:\Windows\{395652FC-1615-4d49-8E9D-51E02BD4F532}.exe
        
        C:\Windows\{395652FC-1615-4d49-8E9D-51E02BD4F532}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:664
      - C:\Windows\{D79954FF-78FD-467c-BA9C-742EC1647645}.exe
        
        C:\Windows\{D79954FF-78FD-467c-BA9C-742EC1647645}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2056
        
        C:\Windows\{3FE57EE0-CB28-44c6-8F61-EB9AC190B7A6}.exe
        
        C:\Windows\{3FE57EE0-CB28-44c6-8F61-EB9AC190B7A6}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3FE57~1.EXE > nul
        8⤵
        
        PID:2960
        
        C:\Windows\{D55C27CE-486F-4a8d-9450-D23C82008532}.exe
        
        C:\Windows\{D55C27CE-486F-4a8d-9450-D23C82008532}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2908
        
        C:\Windows\{FD20C26E-81D7-4832-AADE-0E6C2E183D17}.exe
        
        C:\Windows\{FD20C26E-81D7-4832-AADE-0E6C2E183D17}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FD20C~1.EXE > nul
        10⤵
        
        PID:2064
        
        C:\Windows\{DECADE37-E01D-4027-94C7-0A89638FCD05}.exe
        
        C:\Windows\{DECADE37-E01D-4027-94C7-0A89638FCD05}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1196
        
        C:\Windows\{CD41EFD5-C4B7-431e-BCB4-AB9825D7FC28}.exe
        
        C:\Windows\{CD41EFD5-C4B7-431e-BCB4-AB9825D7FC28}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CD41E~1.EXE > nul
        12⤵
        
        PID:1536
        
        C:\Windows\{090B1335-A7B9-4319-8CE1-586E0D24E668}.exe
        
        C:\Windows\{090B1335-A7B9-4319-8CE1-586E0D24E668}.exe
        12⤵
        Executes dropped EXE
        
        PID:1880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DECAD~1.EXE > nul
        11⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D55C2~1.EXE > nul
        9⤵
        
        PID:1380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D7995~1.EXE > nul
        7⤵
        
        PID:632
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{39565~1.EXE > nul
        6⤵
        
        PID:1160
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DAA51~1.EXE > nul
        5⤵
        
        PID:3004
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{EC1EE~1.EXE > nul
      4⤵
      PID:2704
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{5E26A~1.EXE > nul
    3⤵
    PID:2308
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{090B1335-A7B9-4319-8CE1-586E0D24E668}.exe

Filesize
408KB

MD5
0acee61e4e2eb97d9f66dad85f687e70

SHA1
1ac8d9973ee5b2427b457c735ae225e2c320341e

SHA256
28e2e586b90363afdf64bb38ffb5a900696ae67aad602007c4f2cdc9662208c1

SHA512
4f3f6051ebbb331ea3355c28595a0790e36b0c1d5b4574a8db3987c1d5c70bb4ac7a2532c243daf29538ca29c869e46354df765100136e0681f9825cd227ad8e

Download Submit
C:\Windows\{395652FC-1615-4d49-8E9D-51E02BD4F532}.exe

Filesize
408KB

MD5
b28b8f399368fae74ca33700b8ecc572

SHA1
09ec624e8838b8518eadf3216053f8b4211db975

SHA256
5b86f38fe766ce0f085b6bb388ee7e20c2fbe428c70b38bc171ddb88fde5875f

SHA512
a7b5f6fd91167626b47f484236674cda257246bf5726c68cb4a2c71915bef16ce25c23ffaa97caead97f439e88c5191722961b065b6634a934d61df6b593c77e

Download Submit
C:\Windows\{3FE57EE0-CB28-44c6-8F61-EB9AC190B7A6}.exe

Filesize
408KB

MD5
7ff9b23437cba127f28e91405e60c641

SHA1
3d7dc92acc8a78311010da5da39b6961d6db3309

SHA256
96a2cfd489da950c92fe8d9b853aff8f7582abc85f85c11aae8acd1f86e8639f

SHA512
2add6d693d13facb32c5f2698d3ab44e9e0633ef4b4c9d239015d3c4e3b7bb0f5560c2d921e2198e1c669bfcaf1cfb67e1fcb934f7f724430fe70f8a12330d20

Download Submit
C:\Windows\{5E26A5A5-6064-4e70-B1C0-A5BE3ED38E1C}.exe

Filesize
408KB

MD5
1246bc5997dac271a5521dd1274eafd7

SHA1
bd441fbf3657eb1ed50e4fff06219d3ad6d47fbc

SHA256
56b800eead6380f6bbea1a6f188ed0eab482ab813771eda4cca5be4e3e51ee45

SHA512
a09ac4ad17afe0524f79309d7ae20e3b4f37b9745534e193d3ed9b7fd7b70cfbd3ed8456b912f7a62af44df2f1b5d3b3e896971b3ddc67fcc6459f08c12a3a5f

Download Submit
C:\Windows\{CD41EFD5-C4B7-431e-BCB4-AB9825D7FC28}.exe

Filesize
408KB

MD5
240daee652f1e58b01266b8e93ea2483

SHA1
1fa0b9eec36e01e5cb3a6972483316f7776c246c

SHA256
3082ac275ee12d97960a5dc9d02a4ac09a347942e53e7bbcdea7d273c428b23f

SHA512
6bcb01ad6d756984e965cbf55103a423a9b6b319b67d2d76f93e7bf5e977aa95731bb29c1ad90e6a0ceaccad5868ac7af905daa79056e3b43be1e15d0167efde

Download Submit
C:\Windows\{D55C27CE-486F-4a8d-9450-D23C82008532}.exe

Filesize
408KB

MD5
0f5a7da8ef6f8677773c912976caf366

SHA1
f90b958771f2a98a47c986a68b0a4e6a725e7190

SHA256
d411aa4994e09e7dce7c9745a90986e528b1a329ad6bada0581fca2926407b11

SHA512
72b5f3ee23483ca9d631b7374bdf82018de217b72ba3e48ef1fad81fc2f0c14f939e97380aa19e9f530304c0a042d11f7ffeb0ec26a89755b7a420c6bebfd271

Download Submit
C:\Windows\{D79954FF-78FD-467c-BA9C-742EC1647645}.exe

Filesize
408KB

MD5
f78d525d44d941374e99360b430c0664

SHA1
fc750ffb5cddbcb899ee145ef1b73c094ea3427e

SHA256
6a43509c9add94ebb2e2dd78e531cc3c20e3057fb107d8c5d49594232748ea34

SHA512
63051984b137b4a1a52c0a1cc03c35efff0136802488a4493d8780b3c65968804f7a27e1cacad5ed3fc698ad889ff19e580c8d56904c94caa5ec92df7cc9e642

Download Submit
C:\Windows\{DAA51335-9DCC-486b-AF5B-5ABEF39F4448}.exe

Filesize
408KB

MD5
6c56d52be840d33ad7f50084d706049d

SHA1
e8f24064908f8a194b0b0c00e137df1cd64162e8

SHA256
01a33cdde008576984a27bc46647ddab1ca76f5b52bbd1e6e663f5c687f1f4ee

SHA512
7bcca29f3c4092fcec8cb0552e35aa786a2e8581e351b749ccef28e511611e686bdba5c593093ea29c2a0192935034980b99869ac603f8baff41dae5d5f6fc0e

Download Submit
C:\Windows\{DECADE37-E01D-4027-94C7-0A89638FCD05}.exe

Filesize
408KB

MD5
7a44abf76ab6266ab09065126ea709cf

SHA1
a22b694d64b24a6a12fee5126031d4c2bafcbd11

SHA256
777d45ff8b1a37acb41c6c444b5aabd37cb305abd3d618417ed7bcf33ec4b9fb

SHA512
db598fd7949cf3b0fefff5ba6cd9d316ad8115ed4f5e8a5ce575a4c44ab879fa1bf5846f1c25f61a806a0274f3980436ff3b4507a9246cf97e2f021667e3d951

Download Submit
C:\Windows\{EC1EEE1A-F61A-47df-9858-1EBFD57B45BB}.exe

Filesize
408KB

MD5
3dca25d8de84854b2396e28c22fa55f7

SHA1
1c1fd4ecd14278d6418f4ba8a1d10d2eb82613e4

SHA256
cb845703614b54f2dfe52e15a58092a92b607be0ad3f0defb2c27897d4cb8e44

SHA512
e726e39c45b48412cfcf0d083eb4585f700e0622d73ff02d56c95dc331565d48b71b50a5215d657d10c32afff5317f9f30a7c91b5daf0c8835e88a1230458cf0

Download Submit
C:\Windows\{FD20C26E-81D7-4832-AADE-0E6C2E183D17}.exe

Filesize
408KB

MD5
d502a93b8ca108ca59a6d3413ae3e204

SHA1
c8eeb45f79d84ee50081199eb375f9ee431065f6

SHA256
d2436ad8dee21aaa38a893ed896eaad4602f941190d414ad26c01fb07bb49335

SHA512
9bfa5818bcafd79481f7983b988da414083b131832221faf17507bb4481c13f2b70eeff58f9ab5775d4b2cd8858fe119403552d275aec1c1b34309240d161ce1

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads