5ca6c276208840a89dcdb54d003d6f5c03e75341094abc08dfe1cbcf47b706fa

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
18-02-2024 09:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-18_3e104abc5b55867e82f64bc9b5217107_goldeneye.exe
Size

408KB
MD5

3e104abc5b55867e82f64bc9b5217107
SHA1

3eebd8442b337e13861aeb1fae3c0c84bfe0a8cb
SHA256

5ca6c276208840a89dcdb54d003d6f5c03e75341094abc08dfe1cbcf47b706fa
SHA512

23e95ead69b8b0b651062fc4eea773f89ee21fd618ed7887554243dda640bdb79a1822cbe0b03a3bfa499a7af7cd1b967bbfd3905ed860cdf80a7f54c0eb986c
SSDEEP

3072:CEGh0oal3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBft:CEGQldOe2MUVg3vTeKcAEciTBqr3jy9

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 13 IoCs

resource	yara_rule
behavioral1/files/0x000900000001225c-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0011000000015c83-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0011000000015c83-13.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000600000000f6f8-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a00000001225c-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000700000000f6f8-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0012000000015c83-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0012000000015c83-41.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000800000000f6f8-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000015c9f-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000015d03-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a000000015c9f-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000015d03-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{622F60CB-BF81-4089-A15C-0DFA2099AE8C}\stubpath = "C:\\Windows\\{622F60CB-BF81-4089-A15C-0DFA2099AE8C}.exe"	{CEA33809-135B-4378-B70D-78F8E6A02D90}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D3008652-0F47-428d-8904-C2D004C5AD2D}\stubpath = "C:\\Windows\\{D3008652-0F47-428d-8904-C2D004C5AD2D}.exe"	{622F60CB-BF81-4089-A15C-0DFA2099AE8C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6DE868B6-DD93-440c-9171-E8099935D621}	{2A8EB106-CD4B-47f4-969C-3CBF09CBD99D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6DE868B6-DD93-440c-9171-E8099935D621}\stubpath = "C:\\Windows\\{6DE868B6-DD93-440c-9171-E8099935D621}.exe"	{2A8EB106-CD4B-47f4-969C-3CBF09CBD99D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{603416C3-355D-4ba7-880C-10934585ED92}	{6A18A851-5F93-4f9b-82EF-B5A1545ABD0B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{603416C3-355D-4ba7-880C-10934585ED92}\stubpath = "C:\\Windows\\{603416C3-355D-4ba7-880C-10934585ED92}.exe"	{6A18A851-5F93-4f9b-82EF-B5A1545ABD0B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0AC2CA9B-9889-42c6-8D71-F35F814B5503}	{603416C3-355D-4ba7-880C-10934585ED92}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DF7FD5BF-2BA4-4fa0-9F90-7CE4B1BD0341}	{6DE868B6-DD93-440c-9171-E8099935D621}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DF7FD5BF-2BA4-4fa0-9F90-7CE4B1BD0341}\stubpath = "C:\\Windows\\{DF7FD5BF-2BA4-4fa0-9F90-7CE4B1BD0341}.exe"	{6DE868B6-DD93-440c-9171-E8099935D621}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4434B889-363D-4dab-B9AF-D32B0B066A3B}	{DF7FD5BF-2BA4-4fa0-9F90-7CE4B1BD0341}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6A18A851-5F93-4f9b-82EF-B5A1545ABD0B}	2024-02-18_3e104abc5b55867e82f64bc9b5217107_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6A18A851-5F93-4f9b-82EF-B5A1545ABD0B}\stubpath = "C:\\Windows\\{6A18A851-5F93-4f9b-82EF-B5A1545ABD0B}.exe"	2024-02-18_3e104abc5b55867e82f64bc9b5217107_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CEA33809-135B-4378-B70D-78F8E6A02D90}\stubpath = "C:\\Windows\\{CEA33809-135B-4378-B70D-78F8E6A02D90}.exe"	{0AC2CA9B-9889-42c6-8D71-F35F814B5503}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{622F60CB-BF81-4089-A15C-0DFA2099AE8C}	{CEA33809-135B-4378-B70D-78F8E6A02D90}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D3008652-0F47-428d-8904-C2D004C5AD2D}	{622F60CB-BF81-4089-A15C-0DFA2099AE8C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4434B889-363D-4dab-B9AF-D32B0B066A3B}\stubpath = "C:\\Windows\\{4434B889-363D-4dab-B9AF-D32B0B066A3B}.exe"	{DF7FD5BF-2BA4-4fa0-9F90-7CE4B1BD0341}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0AC2CA9B-9889-42c6-8D71-F35F814B5503}\stubpath = "C:\\Windows\\{0AC2CA9B-9889-42c6-8D71-F35F814B5503}.exe"	{603416C3-355D-4ba7-880C-10934585ED92}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CEA33809-135B-4378-B70D-78F8E6A02D90}	{0AC2CA9B-9889-42c6-8D71-F35F814B5503}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2A8EB106-CD4B-47f4-969C-3CBF09CBD99D}	{7B10F2C3-9160-4db5-A1F9-31FD727CADA4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2A8EB106-CD4B-47f4-969C-3CBF09CBD99D}\stubpath = "C:\\Windows\\{2A8EB106-CD4B-47f4-969C-3CBF09CBD99D}.exe"	{7B10F2C3-9160-4db5-A1F9-31FD727CADA4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7B10F2C3-9160-4db5-A1F9-31FD727CADA4}	{D3008652-0F47-428d-8904-C2D004C5AD2D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7B10F2C3-9160-4db5-A1F9-31FD727CADA4}\stubpath = "C:\\Windows\\{7B10F2C3-9160-4db5-A1F9-31FD727CADA4}.exe"	{D3008652-0F47-428d-8904-C2D004C5AD2D}.exe

Deletes itself 1 IoCs

pid	Process
2236	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
3008	{6A18A851-5F93-4f9b-82EF-B5A1545ABD0B}.exe
2556	{603416C3-355D-4ba7-880C-10934585ED92}.exe
2548	{0AC2CA9B-9889-42c6-8D71-F35F814B5503}.exe
1016	{CEA33809-135B-4378-B70D-78F8E6A02D90}.exe
2464	{622F60CB-BF81-4089-A15C-0DFA2099AE8C}.exe
2628	{D3008652-0F47-428d-8904-C2D004C5AD2D}.exe
2460	{7B10F2C3-9160-4db5-A1F9-31FD727CADA4}.exe
1300	{2A8EB106-CD4B-47f4-969C-3CBF09CBD99D}.exe
2972	{6DE868B6-DD93-440c-9171-E8099935D621}.exe
2352	{DF7FD5BF-2BA4-4fa0-9F90-7CE4B1BD0341}.exe
2160	{4434B889-363D-4dab-B9AF-D32B0B066A3B}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{603416C3-355D-4ba7-880C-10934585ED92}.exe	{6A18A851-5F93-4f9b-82EF-B5A1545ABD0B}.exe
File created	C:\Windows\{622F60CB-BF81-4089-A15C-0DFA2099AE8C}.exe	{CEA33809-135B-4378-B70D-78F8E6A02D90}.exe
File created	C:\Windows\{D3008652-0F47-428d-8904-C2D004C5AD2D}.exe	{622F60CB-BF81-4089-A15C-0DFA2099AE8C}.exe
File created	C:\Windows\{7B10F2C3-9160-4db5-A1F9-31FD727CADA4}.exe	{D3008652-0F47-428d-8904-C2D004C5AD2D}.exe
File created	C:\Windows\{6DE868B6-DD93-440c-9171-E8099935D621}.exe	{2A8EB106-CD4B-47f4-969C-3CBF09CBD99D}.exe
File created	C:\Windows\{DF7FD5BF-2BA4-4fa0-9F90-7CE4B1BD0341}.exe	{6DE868B6-DD93-440c-9171-E8099935D621}.exe
File created	C:\Windows\{6A18A851-5F93-4f9b-82EF-B5A1545ABD0B}.exe	2024-02-18_3e104abc5b55867e82f64bc9b5217107_goldeneye.exe
File created	C:\Windows\{CEA33809-135B-4378-B70D-78F8E6A02D90}.exe	{0AC2CA9B-9889-42c6-8D71-F35F814B5503}.exe
File created	C:\Windows\{2A8EB106-CD4B-47f4-969C-3CBF09CBD99D}.exe	{7B10F2C3-9160-4db5-A1F9-31FD727CADA4}.exe
File created	C:\Windows\{4434B889-363D-4dab-B9AF-D32B0B066A3B}.exe	{DF7FD5BF-2BA4-4fa0-9F90-7CE4B1BD0341}.exe
File created	C:\Windows\{0AC2CA9B-9889-42c6-8D71-F35F814B5503}.exe	{603416C3-355D-4ba7-880C-10934585ED92}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1032	2024-02-18_3e104abc5b55867e82f64bc9b5217107_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3008	{6A18A851-5F93-4f9b-82EF-B5A1545ABD0B}.exe
Token: SeIncBasePriorityPrivilege	2556	{603416C3-355D-4ba7-880C-10934585ED92}.exe
Token: SeIncBasePriorityPrivilege	2548	{0AC2CA9B-9889-42c6-8D71-F35F814B5503}.exe
Token: SeIncBasePriorityPrivilege	1016	{CEA33809-135B-4378-B70D-78F8E6A02D90}.exe
Token: SeIncBasePriorityPrivilege	2464	{622F60CB-BF81-4089-A15C-0DFA2099AE8C}.exe
Token: SeIncBasePriorityPrivilege	2628	{D3008652-0F47-428d-8904-C2D004C5AD2D}.exe
Token: SeIncBasePriorityPrivilege	2460	{7B10F2C3-9160-4db5-A1F9-31FD727CADA4}.exe
Token: SeIncBasePriorityPrivilege	1300	{2A8EB106-CD4B-47f4-969C-3CBF09CBD99D}.exe
Token: SeIncBasePriorityPrivilege	2972	{6DE868B6-DD93-440c-9171-E8099935D621}.exe
Token: SeIncBasePriorityPrivilege	2352	{DF7FD5BF-2BA4-4fa0-9F90-7CE4B1BD0341}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1032 wrote to memory of 3008	1032	2024-02-18_3e104abc5b55867e82f64bc9b5217107_goldeneye.exe	28
PID 1032 wrote to memory of 3008	1032	2024-02-18_3e104abc5b55867e82f64bc9b5217107_goldeneye.exe	28
PID 1032 wrote to memory of 3008	1032	2024-02-18_3e104abc5b55867e82f64bc9b5217107_goldeneye.exe	28
PID 1032 wrote to memory of 3008	1032	2024-02-18_3e104abc5b55867e82f64bc9b5217107_goldeneye.exe	28
PID 1032 wrote to memory of 2236	1032	2024-02-18_3e104abc5b55867e82f64bc9b5217107_goldeneye.exe	29
PID 1032 wrote to memory of 2236	1032	2024-02-18_3e104abc5b55867e82f64bc9b5217107_goldeneye.exe	29
PID 1032 wrote to memory of 2236	1032	2024-02-18_3e104abc5b55867e82f64bc9b5217107_goldeneye.exe	29
PID 1032 wrote to memory of 2236	1032	2024-02-18_3e104abc5b55867e82f64bc9b5217107_goldeneye.exe	29
PID 3008 wrote to memory of 2556	3008	{6A18A851-5F93-4f9b-82EF-B5A1545ABD0B}.exe	32
PID 3008 wrote to memory of 2556	3008	{6A18A851-5F93-4f9b-82EF-B5A1545ABD0B}.exe	32
PID 3008 wrote to memory of 2556	3008	{6A18A851-5F93-4f9b-82EF-B5A1545ABD0B}.exe	32
PID 3008 wrote to memory of 2556	3008	{6A18A851-5F93-4f9b-82EF-B5A1545ABD0B}.exe	32
PID 3008 wrote to memory of 2856	3008	{6A18A851-5F93-4f9b-82EF-B5A1545ABD0B}.exe	33
PID 3008 wrote to memory of 2856	3008	{6A18A851-5F93-4f9b-82EF-B5A1545ABD0B}.exe	33
PID 3008 wrote to memory of 2856	3008	{6A18A851-5F93-4f9b-82EF-B5A1545ABD0B}.exe	33
PID 3008 wrote to memory of 2856	3008	{6A18A851-5F93-4f9b-82EF-B5A1545ABD0B}.exe	33
PID 2556 wrote to memory of 2548	2556	{603416C3-355D-4ba7-880C-10934585ED92}.exe	34
PID 2556 wrote to memory of 2548	2556	{603416C3-355D-4ba7-880C-10934585ED92}.exe	34
PID 2556 wrote to memory of 2548	2556	{603416C3-355D-4ba7-880C-10934585ED92}.exe	34
PID 2556 wrote to memory of 2548	2556	{603416C3-355D-4ba7-880C-10934585ED92}.exe	34
PID 2556 wrote to memory of 2652	2556	{603416C3-355D-4ba7-880C-10934585ED92}.exe	35
PID 2556 wrote to memory of 2652	2556	{603416C3-355D-4ba7-880C-10934585ED92}.exe	35
PID 2556 wrote to memory of 2652	2556	{603416C3-355D-4ba7-880C-10934585ED92}.exe	35
PID 2556 wrote to memory of 2652	2556	{603416C3-355D-4ba7-880C-10934585ED92}.exe	35
PID 2548 wrote to memory of 1016	2548	{0AC2CA9B-9889-42c6-8D71-F35F814B5503}.exe	36
PID 2548 wrote to memory of 1016	2548	{0AC2CA9B-9889-42c6-8D71-F35F814B5503}.exe	36
PID 2548 wrote to memory of 1016	2548	{0AC2CA9B-9889-42c6-8D71-F35F814B5503}.exe	36
PID 2548 wrote to memory of 1016	2548	{0AC2CA9B-9889-42c6-8D71-F35F814B5503}.exe	36
PID 2548 wrote to memory of 700	2548	{0AC2CA9B-9889-42c6-8D71-F35F814B5503}.exe	37
PID 2548 wrote to memory of 700	2548	{0AC2CA9B-9889-42c6-8D71-F35F814B5503}.exe	37
PID 2548 wrote to memory of 700	2548	{0AC2CA9B-9889-42c6-8D71-F35F814B5503}.exe	37
PID 2548 wrote to memory of 700	2548	{0AC2CA9B-9889-42c6-8D71-F35F814B5503}.exe	37
PID 1016 wrote to memory of 2464	1016	{CEA33809-135B-4378-B70D-78F8E6A02D90}.exe	39
PID 1016 wrote to memory of 2464	1016	{CEA33809-135B-4378-B70D-78F8E6A02D90}.exe	39
PID 1016 wrote to memory of 2464	1016	{CEA33809-135B-4378-B70D-78F8E6A02D90}.exe	39
PID 1016 wrote to memory of 2464	1016	{CEA33809-135B-4378-B70D-78F8E6A02D90}.exe	39
PID 1016 wrote to memory of 952	1016	{CEA33809-135B-4378-B70D-78F8E6A02D90}.exe	38
PID 1016 wrote to memory of 952	1016	{CEA33809-135B-4378-B70D-78F8E6A02D90}.exe	38
PID 1016 wrote to memory of 952	1016	{CEA33809-135B-4378-B70D-78F8E6A02D90}.exe	38
PID 1016 wrote to memory of 952	1016	{CEA33809-135B-4378-B70D-78F8E6A02D90}.exe	38
PID 2464 wrote to memory of 2628	2464	{622F60CB-BF81-4089-A15C-0DFA2099AE8C}.exe	40
PID 2464 wrote to memory of 2628	2464	{622F60CB-BF81-4089-A15C-0DFA2099AE8C}.exe	40
PID 2464 wrote to memory of 2628	2464	{622F60CB-BF81-4089-A15C-0DFA2099AE8C}.exe	40
PID 2464 wrote to memory of 2628	2464	{622F60CB-BF81-4089-A15C-0DFA2099AE8C}.exe	40
PID 2464 wrote to memory of 2832	2464	{622F60CB-BF81-4089-A15C-0DFA2099AE8C}.exe	41
PID 2464 wrote to memory of 2832	2464	{622F60CB-BF81-4089-A15C-0DFA2099AE8C}.exe	41
PID 2464 wrote to memory of 2832	2464	{622F60CB-BF81-4089-A15C-0DFA2099AE8C}.exe	41
PID 2464 wrote to memory of 2832	2464	{622F60CB-BF81-4089-A15C-0DFA2099AE8C}.exe	41
PID 2628 wrote to memory of 2460	2628	{D3008652-0F47-428d-8904-C2D004C5AD2D}.exe	43
PID 2628 wrote to memory of 2460	2628	{D3008652-0F47-428d-8904-C2D004C5AD2D}.exe	43
PID 2628 wrote to memory of 2460	2628	{D3008652-0F47-428d-8904-C2D004C5AD2D}.exe	43
PID 2628 wrote to memory of 2460	2628	{D3008652-0F47-428d-8904-C2D004C5AD2D}.exe	43
PID 2628 wrote to memory of 2452	2628	{D3008652-0F47-428d-8904-C2D004C5AD2D}.exe	42
PID 2628 wrote to memory of 2452	2628	{D3008652-0F47-428d-8904-C2D004C5AD2D}.exe	42
PID 2628 wrote to memory of 2452	2628	{D3008652-0F47-428d-8904-C2D004C5AD2D}.exe	42
PID 2628 wrote to memory of 2452	2628	{D3008652-0F47-428d-8904-C2D004C5AD2D}.exe	42
PID 2460 wrote to memory of 1300	2460	{7B10F2C3-9160-4db5-A1F9-31FD727CADA4}.exe	44
PID 2460 wrote to memory of 1300	2460	{7B10F2C3-9160-4db5-A1F9-31FD727CADA4}.exe	44
PID 2460 wrote to memory of 1300	2460	{7B10F2C3-9160-4db5-A1F9-31FD727CADA4}.exe	44
PID 2460 wrote to memory of 1300	2460	{7B10F2C3-9160-4db5-A1F9-31FD727CADA4}.exe	44
PID 2460 wrote to memory of 1808	2460	{7B10F2C3-9160-4db5-A1F9-31FD727CADA4}.exe	45
PID 2460 wrote to memory of 1808	2460	{7B10F2C3-9160-4db5-A1F9-31FD727CADA4}.exe	45
PID 2460 wrote to memory of 1808	2460	{7B10F2C3-9160-4db5-A1F9-31FD727CADA4}.exe	45
PID 2460 wrote to memory of 1808	2460	{7B10F2C3-9160-4db5-A1F9-31FD727CADA4}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-02-18_3e104abc5b55867e82f64bc9b5217107_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-18_3e104abc5b55867e82f64bc9b5217107_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1032
- C:\Windows\{6A18A851-5F93-4f9b-82EF-B5A1545ABD0B}.exe
  C:\Windows\{6A18A851-5F93-4f9b-82EF-B5A1545ABD0B}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3008
- - C:\Windows\{603416C3-355D-4ba7-880C-10934585ED92}.exe
    C:\Windows\{603416C3-355D-4ba7-880C-10934585ED92}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2556
  - - C:\Windows\{0AC2CA9B-9889-42c6-8D71-F35F814B5503}.exe
      C:\Windows\{0AC2CA9B-9889-42c6-8D71-F35F814B5503}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2548
    - - C:\Windows\{CEA33809-135B-4378-B70D-78F8E6A02D90}.exe
        
        C:\Windows\{CEA33809-135B-4378-B70D-78F8E6A02D90}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1016
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CEA33~1.EXE > nul
        6⤵
        
        PID:952
      - C:\Windows\{622F60CB-BF81-4089-A15C-0DFA2099AE8C}.exe
        
        C:\Windows\{622F60CB-BF81-4089-A15C-0DFA2099AE8C}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2464
        
        C:\Windows\{D3008652-0F47-428d-8904-C2D004C5AD2D}.exe
        
        C:\Windows\{D3008652-0F47-428d-8904-C2D004C5AD2D}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D3008~1.EXE > nul
        8⤵
        
        PID:2452
        
        C:\Windows\{7B10F2C3-9160-4db5-A1F9-31FD727CADA4}.exe
        
        C:\Windows\{7B10F2C3-9160-4db5-A1F9-31FD727CADA4}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2460
        
        C:\Windows\{2A8EB106-CD4B-47f4-969C-3CBF09CBD99D}.exe
        
        C:\Windows\{2A8EB106-CD4B-47f4-969C-3CBF09CBD99D}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1300
        
        C:\Windows\{6DE868B6-DD93-440c-9171-E8099935D621}.exe
        
        C:\Windows\{6DE868B6-DD93-440c-9171-E8099935D621}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2972
        
        C:\Windows\{DF7FD5BF-2BA4-4fa0-9F90-7CE4B1BD0341}.exe
        
        C:\Windows\{DF7FD5BF-2BA4-4fa0-9F90-7CE4B1BD0341}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2352
        
        C:\Windows\{4434B889-363D-4dab-B9AF-D32B0B066A3B}.exe
        
        C:\Windows\{4434B889-363D-4dab-B9AF-D32B0B066A3B}.exe
        12⤵
        Executes dropped EXE
        
        PID:2160
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DF7FD~1.EXE > nul
        12⤵
        
        PID:580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6DE86~1.EXE > nul
        11⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2A8EB~1.EXE > nul
        10⤵
        
        PID:2984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7B10F~1.EXE > nul
        9⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{622F6~1.EXE > nul
        7⤵
        
        PID:2832
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0AC2C~1.EXE > nul
        5⤵
        
        PID:700
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{60341~1.EXE > nul
      4⤵
      PID:2652
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{6A18A~1.EXE > nul
    3⤵
    PID:2856
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0AC2CA9B-9889-42c6-8D71-F35F814B5503}.exe

Filesize
408KB

MD5
693d6991718fd5ba3c3d63189c633b61

SHA1
9d0bf14d64fd37b22ed931708cd9ed30d67c9b58

SHA256
9b8d3c568020b25093d6dbdd7d300a1975ee1cd6223464b4c77e337d0069e377

SHA512
c52e4198996db66f706ed0420364ea6b00d9dd8b157544bfa6a3438b8efaa8320ade239a24691775aeaff28a60f261ac64aeb81234bb95f575e028c77bb2f1a8

Download Submit
C:\Windows\{2A8EB106-CD4B-47f4-969C-3CBF09CBD99D}.exe

Filesize
408KB

MD5
afd50b18f3c64739b372d6b9bee6a6ad

SHA1
e206f33ad4d8ce9cc3e1a148f9362a994fa244f1

SHA256
c3adb487f0551b8bd024c90b7c060f12e9e3ca6a3d848dfbcd71ab1067a793d5

SHA512
dd79b849689a021ff3a43f2f14fd71166504c8a6e7ad2c53b9500f7f29693c7fc0f38591e832cbe58e257f480494710de51482c540741dd4eaa022dc9ab17bd2

Download Submit
C:\Windows\{4434B889-363D-4dab-B9AF-D32B0B066A3B}.exe

Filesize
408KB

MD5
5303e301b71225aef5c1af9296403054

SHA1
50067410673b3ada43c22fa75d2f604f6504e17a

SHA256
a98876147dbc64c31f0f88af0edbb0db9859dcd1a88756fef836b4ca5facb051

SHA512
1f1262535c922d33fbb0b1c06d0e85806bd14bd7864a78cd4abc11c67abceed740c8a9195e49c233c08be65435a80090df26bdf541d81ae6f904da48b70be6fe

Download Submit
C:\Windows\{603416C3-355D-4ba7-880C-10934585ED92}.exe

Filesize
408KB

MD5
b377ffd812f50fa44b2e143eb461fae0

SHA1
7a970af43934794c81d68798862d6a6e28b40bae

SHA256
73f80d17115249f643b387aca379171e0f7ce5d82e7ee5add7aab1398c144105

SHA512
0775da101b49ec81a7f495acf4fb2f1dcfc12b6d9199099b239fceb61f740a0e144ee6898606e16d330d8a71c23730bf9e5cdc5216582ba54c69536d80038c3a

Download Submit
C:\Windows\{603416C3-355D-4ba7-880C-10934585ED92}.exe

Filesize
5KB

MD5
dced0a3c1d041f2fcb706e6f962b402a

SHA1
6797bc1f4a8baed184c85735ddad0a23090eb837

SHA256
e52366a6556982967a3c8aaf1ded9e8a542cd439cbea425956e1e99cfd6fa3d4

SHA512
c20acdfff30caecf2b3f36c1b351e1ce1d07772c94c3f9007d6dfce7217d51054af3563cb1d8084456fafc3a47351ccc77fab4e1b697b12813f301ecfafb3544

Download Submit
C:\Windows\{622F60CB-BF81-4089-A15C-0DFA2099AE8C}.exe

Filesize
408KB

MD5
bb4c7165e4ff7e081169f1f3c9ef2e8e

SHA1
3911e8f7e7db79765a4f3a3e67590b2fe6606127

SHA256
47a4bc9eef229213f6052e8f727d9644f3b0386b4341d7113c166ebc815f5bf1

SHA512
ecf5c7a8460ecc3cf99676eb22c42312f9486f0b95ab71a76b58dd21ca3b8e39cdf85710aaf37ec4c05b3c8c7a1a0fe73b8a1dddf4618ba4e29cdbc687b97917

Download Submit
C:\Windows\{6A18A851-5F93-4f9b-82EF-B5A1545ABD0B}.exe

Filesize
408KB

MD5
1d532cbeb1b6c728241cff03b1cc1031

SHA1
a8818d0f14b64c4325e86021009a7359e95f9ae1

SHA256
4f8038d140277cea55119ac7c22ff563918f04bc1b052693bc1202c978958481

SHA512
ebe261ab7731376f67b6569a67eab4dc156d6c9cd295035fb28adc87b4a78f02427198da75cc745659a9fe1abdf42f75c89ff97aef9a80abf1c794c77406e56c

Download Submit
C:\Windows\{6DE868B6-DD93-440c-9171-E8099935D621}.exe

Filesize
408KB

MD5
c8c4f0e5a37084af8ab9b4a5a287d37e

SHA1
b3982d564414e8e5f238a0c142bad35c77528a34

SHA256
693fee8dc8d9e70c2b1ecdc82522a188c95c2e2be94698909cfc02fdf3fea871

SHA512
533db1203c1af38eaa50498df8ad22388a324eff1b90e7c0af1107e6e3a6e76c14417367fc35bdead3bbab628180c25c7311f0049e9de26a59ee4c67ec13f916

Download Submit
C:\Windows\{7B10F2C3-9160-4db5-A1F9-31FD727CADA4}.exe

Filesize
408KB

MD5
a863f0f744a4fb240b75209afd63c412

SHA1
a62ad5945a336c8d99ca35c2209ce8ddc9f0f9a8

SHA256
6ebf48371bcf776ae612578c3ebc1af35062e46503b5334a799ecfc32ed59baa

SHA512
40f8b54262947385786f9f411927d5ce1dab2207419386200b9d7e004e482c8dda8897996ca3b08dc8c86d6ee244cd2658b1ad15daf7ae47ef17e25e0180ff81

Download Submit
C:\Windows\{CEA33809-135B-4378-B70D-78F8E6A02D90}.exe

Filesize
408KB

MD5
9c8b38eecca7a49142d9bedc194b4e3f

SHA1
1996db00e32cdee83dc1fcbc177c127a4d725a36

SHA256
14fd0998b456d988ba61cd966f4892042dbc703ff97737667330d436254928ff

SHA512
9584460f6cf57fa64fd85d638605f481b43eb910e8f639cd45c206a1a047ed15b1137dd27928f68364db3a2c950564b68be7f2161cd39cd31b3771cb66305765

Download Submit
C:\Windows\{D3008652-0F47-428d-8904-C2D004C5AD2D}.exe

Filesize
408KB

MD5
a3374b4d6d0756f349b7733a036a86a3

SHA1
04bac30989a8a7e5d706a4444f5bee7b225ec0c5

SHA256
6c332763356ae9487400958214d6c2be8206cda1374409cb15abbe6acad08041

SHA512
09b348ad5f9d134356549d34b8ffe70524bc0751bdf5aa45c04a28ef3407728ed678c05ffd33267434e84a00dea69728a49f8757b37b91f09eb48d804c3bffb1

Download Submit
C:\Windows\{D3008652-0F47-428d-8904-C2D004C5AD2D}.exe

Filesize
170KB

MD5
6646f2767ae627bcd94646d625a5f121

SHA1
b43bc8bd200b6ce8df00128021416ca368ae86d1

SHA256
477c31e5510d013410a8b3eb931728ceb55cfc7517e2aec96700a8c08b87f380

SHA512
22c53cf1c278152dcae3f16ec57e199b4ba97a3ea3765585840b578a939529571ae23f41ee876dfbafe0e67840716cc48a82aee22c02c8eff144a3254bbc2c13

Download Submit
C:\Windows\{DF7FD5BF-2BA4-4fa0-9F90-7CE4B1BD0341}.exe

Filesize
408KB

MD5
c906944c376337c355c08a5fa460c1d1

SHA1
6e7e8acb4e26ea9b58922cb6d48c68bcfc369425

SHA256
7530a684e33bc0664466f7e0a7eb057d481d3aff2844bde9afd3186b76fe0b43

SHA512
91a9467574dff52a9d7bc302a730028ddc77212ff6b74f11feef05cee166a516e595f9c336809b5ba505b50a4b87825b594fb6db60eb9ff0ff68b37558d3b87a

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads