cdb44972aca2e6c6d3676ddb972dae3c2a8df09079415aed2bc13f961ee02d01

Analysis

max time kernel
144s
max time network
118s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
18/02/2024, 09:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-18_5353669f3b260cac7741983da6e7ad7a_goldeneye.exe
Size

180KB
MD5

5353669f3b260cac7741983da6e7ad7a
SHA1

ba99404ba14b707dc368cad2095a2891e7097b20
SHA256

cdb44972aca2e6c6d3676ddb972dae3c2a8df09079415aed2bc13f961ee02d01
SHA512

04e4fad2357416a691b70ebc38ff3d3fa327dc6a747ba06b4262739b12a23629ad9aafa58d1019604e1eec029f105ece69afde58847d2998575982ffeda16b06
SSDEEP

3072:jEGh0oelfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGcl5eKcAEc

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral1/files/0x000c00000001224c-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a000000014b5b-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d00000001224c-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x003500000001564e-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e00000001224c-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f00000001224c-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001000000001224c-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F8BFA5C1-A0FE-4def-A48C-1A11B19A3FC4}\stubpath = "C:\\Windows\\{F8BFA5C1-A0FE-4def-A48C-1A11B19A3FC4}.exe"	{F2FF9E72-1F98-4da2-8A5C-6BF520E81321}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{63855156-0C51-4c5d-94A3-DFD99C6662E5}	{E192CA1B-485B-40fb-AACA-58F1C09FD711}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F2FF9E72-1F98-4da2-8A5C-6BF520E81321}	2024-02-18_5353669f3b260cac7741983da6e7ad7a_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{233D6B1A-148A-43b1-90A1-44BFB8370353}\stubpath = "C:\\Windows\\{233D6B1A-148A-43b1-90A1-44BFB8370353}.exe"	{F8BFA5C1-A0FE-4def-A48C-1A11B19A3FC4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D1766CBE-BC92-4f16-8A21-4BF658EED740}	{D96092E0-BC98-4711-9F29-AA0A92999A6B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D1766CBE-BC92-4f16-8A21-4BF658EED740}\stubpath = "C:\\Windows\\{D1766CBE-BC92-4f16-8A21-4BF658EED740}.exe"	{D96092E0-BC98-4711-9F29-AA0A92999A6B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8F717C86-3AD9-4039-95A0-4F84C292293B}\stubpath = "C:\\Windows\\{8F717C86-3AD9-4039-95A0-4F84C292293B}.exe"	{C4BD52A3-2C0D-4254-A96A-13C445C74D55}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{63855156-0C51-4c5d-94A3-DFD99C6662E5}\stubpath = "C:\\Windows\\{63855156-0C51-4c5d-94A3-DFD99C6662E5}.exe"	{E192CA1B-485B-40fb-AACA-58F1C09FD711}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F2FF9E72-1F98-4da2-8A5C-6BF520E81321}\stubpath = "C:\\Windows\\{F2FF9E72-1F98-4da2-8A5C-6BF520E81321}.exe"	2024-02-18_5353669f3b260cac7741983da6e7ad7a_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F8BFA5C1-A0FE-4def-A48C-1A11B19A3FC4}	{F2FF9E72-1F98-4da2-8A5C-6BF520E81321}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D96092E0-BC98-4711-9F29-AA0A92999A6B}\stubpath = "C:\\Windows\\{D96092E0-BC98-4711-9F29-AA0A92999A6B}.exe"	{233D6B1A-148A-43b1-90A1-44BFB8370353}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{82D82F57-7CB8-44a1-B8B2-240AFD36D706}	{63855156-0C51-4c5d-94A3-DFD99C6662E5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{82D82F57-7CB8-44a1-B8B2-240AFD36D706}\stubpath = "C:\\Windows\\{82D82F57-7CB8-44a1-B8B2-240AFD36D706}.exe"	{63855156-0C51-4c5d-94A3-DFD99C6662E5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9E7BBC9D-257B-48e7-B4F1-66C1E1D914AA}\stubpath = "C:\\Windows\\{9E7BBC9D-257B-48e7-B4F1-66C1E1D914AA}.exe"	{82D82F57-7CB8-44a1-B8B2-240AFD36D706}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E192CA1B-485B-40fb-AACA-58F1C09FD711}\stubpath = "C:\\Windows\\{E192CA1B-485B-40fb-AACA-58F1C09FD711}.exe"	{8F717C86-3AD9-4039-95A0-4F84C292293B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9E7BBC9D-257B-48e7-B4F1-66C1E1D914AA}	{82D82F57-7CB8-44a1-B8B2-240AFD36D706}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{233D6B1A-148A-43b1-90A1-44BFB8370353}	{F8BFA5C1-A0FE-4def-A48C-1A11B19A3FC4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D96092E0-BC98-4711-9F29-AA0A92999A6B}	{233D6B1A-148A-43b1-90A1-44BFB8370353}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C4BD52A3-2C0D-4254-A96A-13C445C74D55}	{D1766CBE-BC92-4f16-8A21-4BF658EED740}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C4BD52A3-2C0D-4254-A96A-13C445C74D55}\stubpath = "C:\\Windows\\{C4BD52A3-2C0D-4254-A96A-13C445C74D55}.exe"	{D1766CBE-BC92-4f16-8A21-4BF658EED740}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8F717C86-3AD9-4039-95A0-4F84C292293B}	{C4BD52A3-2C0D-4254-A96A-13C445C74D55}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E192CA1B-485B-40fb-AACA-58F1C09FD711}	{8F717C86-3AD9-4039-95A0-4F84C292293B}.exe

Deletes itself 1 IoCs

pid	Process
2040	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2244	{F2FF9E72-1F98-4da2-8A5C-6BF520E81321}.exe
2904	{F8BFA5C1-A0FE-4def-A48C-1A11B19A3FC4}.exe
2864	{233D6B1A-148A-43b1-90A1-44BFB8370353}.exe
2472	{D96092E0-BC98-4711-9F29-AA0A92999A6B}.exe
2956	{D1766CBE-BC92-4f16-8A21-4BF658EED740}.exe
764	{C4BD52A3-2C0D-4254-A96A-13C445C74D55}.exe
2348	{8F717C86-3AD9-4039-95A0-4F84C292293B}.exe
2056	{E192CA1B-485B-40fb-AACA-58F1C09FD711}.exe
2308	{63855156-0C51-4c5d-94A3-DFD99C6662E5}.exe
2116	{82D82F57-7CB8-44a1-B8B2-240AFD36D706}.exe
600	{9E7BBC9D-257B-48e7-B4F1-66C1E1D914AA}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{D96092E0-BC98-4711-9F29-AA0A92999A6B}.exe	{233D6B1A-148A-43b1-90A1-44BFB8370353}.exe
File created	C:\Windows\{8F717C86-3AD9-4039-95A0-4F84C292293B}.exe	{C4BD52A3-2C0D-4254-A96A-13C445C74D55}.exe
File created	C:\Windows\{E192CA1B-485B-40fb-AACA-58F1C09FD711}.exe	{8F717C86-3AD9-4039-95A0-4F84C292293B}.exe
File created	C:\Windows\{63855156-0C51-4c5d-94A3-DFD99C6662E5}.exe	{E192CA1B-485B-40fb-AACA-58F1C09FD711}.exe
File created	C:\Windows\{233D6B1A-148A-43b1-90A1-44BFB8370353}.exe	{F8BFA5C1-A0FE-4def-A48C-1A11B19A3FC4}.exe
File created	C:\Windows\{F8BFA5C1-A0FE-4def-A48C-1A11B19A3FC4}.exe	{F2FF9E72-1F98-4da2-8A5C-6BF520E81321}.exe
File created	C:\Windows\{D1766CBE-BC92-4f16-8A21-4BF658EED740}.exe	{D96092E0-BC98-4711-9F29-AA0A92999A6B}.exe
File created	C:\Windows\{C4BD52A3-2C0D-4254-A96A-13C445C74D55}.exe	{D1766CBE-BC92-4f16-8A21-4BF658EED740}.exe
File created	C:\Windows\{82D82F57-7CB8-44a1-B8B2-240AFD36D706}.exe	{63855156-0C51-4c5d-94A3-DFD99C6662E5}.exe
File created	C:\Windows\{9E7BBC9D-257B-48e7-B4F1-66C1E1D914AA}.exe	{82D82F57-7CB8-44a1-B8B2-240AFD36D706}.exe
File created	C:\Windows\{F2FF9E72-1F98-4da2-8A5C-6BF520E81321}.exe	2024-02-18_5353669f3b260cac7741983da6e7ad7a_goldeneye.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1904	2024-02-18_5353669f3b260cac7741983da6e7ad7a_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2244	{F2FF9E72-1F98-4da2-8A5C-6BF520E81321}.exe
Token: SeIncBasePriorityPrivilege	2904	{F8BFA5C1-A0FE-4def-A48C-1A11B19A3FC4}.exe
Token: SeIncBasePriorityPrivilege	2864	{233D6B1A-148A-43b1-90A1-44BFB8370353}.exe
Token: SeIncBasePriorityPrivilege	2472	{D96092E0-BC98-4711-9F29-AA0A92999A6B}.exe
Token: SeIncBasePriorityPrivilege	2956	{D1766CBE-BC92-4f16-8A21-4BF658EED740}.exe
Token: SeIncBasePriorityPrivilege	764	{C4BD52A3-2C0D-4254-A96A-13C445C74D55}.exe
Token: SeIncBasePriorityPrivilege	2348	{8F717C86-3AD9-4039-95A0-4F84C292293B}.exe
Token: SeIncBasePriorityPrivilege	2056	{E192CA1B-485B-40fb-AACA-58F1C09FD711}.exe
Token: SeIncBasePriorityPrivilege	2308	{63855156-0C51-4c5d-94A3-DFD99C6662E5}.exe
Token: SeIncBasePriorityPrivilege	2116	{82D82F57-7CB8-44a1-B8B2-240AFD36D706}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1904 wrote to memory of 2244	1904	2024-02-18_5353669f3b260cac7741983da6e7ad7a_goldeneye.exe	28
PID 1904 wrote to memory of 2244	1904	2024-02-18_5353669f3b260cac7741983da6e7ad7a_goldeneye.exe	28
PID 1904 wrote to memory of 2244	1904	2024-02-18_5353669f3b260cac7741983da6e7ad7a_goldeneye.exe	28
PID 1904 wrote to memory of 2244	1904	2024-02-18_5353669f3b260cac7741983da6e7ad7a_goldeneye.exe	28
PID 1904 wrote to memory of 2040	1904	2024-02-18_5353669f3b260cac7741983da6e7ad7a_goldeneye.exe	29
PID 1904 wrote to memory of 2040	1904	2024-02-18_5353669f3b260cac7741983da6e7ad7a_goldeneye.exe	29
PID 1904 wrote to memory of 2040	1904	2024-02-18_5353669f3b260cac7741983da6e7ad7a_goldeneye.exe	29
PID 1904 wrote to memory of 2040	1904	2024-02-18_5353669f3b260cac7741983da6e7ad7a_goldeneye.exe	29
PID 2244 wrote to memory of 2904	2244	{F2FF9E72-1F98-4da2-8A5C-6BF520E81321}.exe	30
PID 2244 wrote to memory of 2904	2244	{F2FF9E72-1F98-4da2-8A5C-6BF520E81321}.exe	30
PID 2244 wrote to memory of 2904	2244	{F2FF9E72-1F98-4da2-8A5C-6BF520E81321}.exe	30
PID 2244 wrote to memory of 2904	2244	{F2FF9E72-1F98-4da2-8A5C-6BF520E81321}.exe	30
PID 2244 wrote to memory of 2740	2244	{F2FF9E72-1F98-4da2-8A5C-6BF520E81321}.exe	31
PID 2244 wrote to memory of 2740	2244	{F2FF9E72-1F98-4da2-8A5C-6BF520E81321}.exe	31
PID 2244 wrote to memory of 2740	2244	{F2FF9E72-1F98-4da2-8A5C-6BF520E81321}.exe	31
PID 2244 wrote to memory of 2740	2244	{F2FF9E72-1F98-4da2-8A5C-6BF520E81321}.exe	31
PID 2904 wrote to memory of 2864	2904	{F8BFA5C1-A0FE-4def-A48C-1A11B19A3FC4}.exe	32
PID 2904 wrote to memory of 2864	2904	{F8BFA5C1-A0FE-4def-A48C-1A11B19A3FC4}.exe	32
PID 2904 wrote to memory of 2864	2904	{F8BFA5C1-A0FE-4def-A48C-1A11B19A3FC4}.exe	32
PID 2904 wrote to memory of 2864	2904	{F8BFA5C1-A0FE-4def-A48C-1A11B19A3FC4}.exe	32
PID 2904 wrote to memory of 2656	2904	{F8BFA5C1-A0FE-4def-A48C-1A11B19A3FC4}.exe	33
PID 2904 wrote to memory of 2656	2904	{F8BFA5C1-A0FE-4def-A48C-1A11B19A3FC4}.exe	33
PID 2904 wrote to memory of 2656	2904	{F8BFA5C1-A0FE-4def-A48C-1A11B19A3FC4}.exe	33
PID 2904 wrote to memory of 2656	2904	{F8BFA5C1-A0FE-4def-A48C-1A11B19A3FC4}.exe	33
PID 2864 wrote to memory of 2472	2864	{233D6B1A-148A-43b1-90A1-44BFB8370353}.exe	36
PID 2864 wrote to memory of 2472	2864	{233D6B1A-148A-43b1-90A1-44BFB8370353}.exe	36
PID 2864 wrote to memory of 2472	2864	{233D6B1A-148A-43b1-90A1-44BFB8370353}.exe	36
PID 2864 wrote to memory of 2472	2864	{233D6B1A-148A-43b1-90A1-44BFB8370353}.exe	36
PID 2864 wrote to memory of 1856	2864	{233D6B1A-148A-43b1-90A1-44BFB8370353}.exe	37
PID 2864 wrote to memory of 1856	2864	{233D6B1A-148A-43b1-90A1-44BFB8370353}.exe	37
PID 2864 wrote to memory of 1856	2864	{233D6B1A-148A-43b1-90A1-44BFB8370353}.exe	37
PID 2864 wrote to memory of 1856	2864	{233D6B1A-148A-43b1-90A1-44BFB8370353}.exe	37
PID 2472 wrote to memory of 2956	2472	{D96092E0-BC98-4711-9F29-AA0A92999A6B}.exe	39
PID 2472 wrote to memory of 2956	2472	{D96092E0-BC98-4711-9F29-AA0A92999A6B}.exe	39
PID 2472 wrote to memory of 2956	2472	{D96092E0-BC98-4711-9F29-AA0A92999A6B}.exe	39
PID 2472 wrote to memory of 2956	2472	{D96092E0-BC98-4711-9F29-AA0A92999A6B}.exe	39
PID 2472 wrote to memory of 1364	2472	{D96092E0-BC98-4711-9F29-AA0A92999A6B}.exe	38
PID 2472 wrote to memory of 1364	2472	{D96092E0-BC98-4711-9F29-AA0A92999A6B}.exe	38
PID 2472 wrote to memory of 1364	2472	{D96092E0-BC98-4711-9F29-AA0A92999A6B}.exe	38
PID 2472 wrote to memory of 1364	2472	{D96092E0-BC98-4711-9F29-AA0A92999A6B}.exe	38
PID 2956 wrote to memory of 764	2956	{D1766CBE-BC92-4f16-8A21-4BF658EED740}.exe	40
PID 2956 wrote to memory of 764	2956	{D1766CBE-BC92-4f16-8A21-4BF658EED740}.exe	40
PID 2956 wrote to memory of 764	2956	{D1766CBE-BC92-4f16-8A21-4BF658EED740}.exe	40
PID 2956 wrote to memory of 764	2956	{D1766CBE-BC92-4f16-8A21-4BF658EED740}.exe	40
PID 2956 wrote to memory of 1960	2956	{D1766CBE-BC92-4f16-8A21-4BF658EED740}.exe	41
PID 2956 wrote to memory of 1960	2956	{D1766CBE-BC92-4f16-8A21-4BF658EED740}.exe	41
PID 2956 wrote to memory of 1960	2956	{D1766CBE-BC92-4f16-8A21-4BF658EED740}.exe	41
PID 2956 wrote to memory of 1960	2956	{D1766CBE-BC92-4f16-8A21-4BF658EED740}.exe	41
PID 764 wrote to memory of 2348	764	{C4BD52A3-2C0D-4254-A96A-13C445C74D55}.exe	43
PID 764 wrote to memory of 2348	764	{C4BD52A3-2C0D-4254-A96A-13C445C74D55}.exe	43
PID 764 wrote to memory of 2348	764	{C4BD52A3-2C0D-4254-A96A-13C445C74D55}.exe	43
PID 764 wrote to memory of 2348	764	{C4BD52A3-2C0D-4254-A96A-13C445C74D55}.exe	43
PID 764 wrote to memory of 1692	764	{C4BD52A3-2C0D-4254-A96A-13C445C74D55}.exe	42
PID 764 wrote to memory of 1692	764	{C4BD52A3-2C0D-4254-A96A-13C445C74D55}.exe	42
PID 764 wrote to memory of 1692	764	{C4BD52A3-2C0D-4254-A96A-13C445C74D55}.exe	42
PID 764 wrote to memory of 1692	764	{C4BD52A3-2C0D-4254-A96A-13C445C74D55}.exe	42
PID 2348 wrote to memory of 2056	2348	{8F717C86-3AD9-4039-95A0-4F84C292293B}.exe	44
PID 2348 wrote to memory of 2056	2348	{8F717C86-3AD9-4039-95A0-4F84C292293B}.exe	44
PID 2348 wrote to memory of 2056	2348	{8F717C86-3AD9-4039-95A0-4F84C292293B}.exe	44
PID 2348 wrote to memory of 2056	2348	{8F717C86-3AD9-4039-95A0-4F84C292293B}.exe	44
PID 2348 wrote to memory of 1568	2348	{8F717C86-3AD9-4039-95A0-4F84C292293B}.exe	45
PID 2348 wrote to memory of 1568	2348	{8F717C86-3AD9-4039-95A0-4F84C292293B}.exe	45
PID 2348 wrote to memory of 1568	2348	{8F717C86-3AD9-4039-95A0-4F84C292293B}.exe	45
PID 2348 wrote to memory of 1568	2348	{8F717C86-3AD9-4039-95A0-4F84C292293B}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-02-18_5353669f3b260cac7741983da6e7ad7a_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-18_5353669f3b260cac7741983da6e7ad7a_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1904
- C:\Windows\{F2FF9E72-1F98-4da2-8A5C-6BF520E81321}.exe
  C:\Windows\{F2FF9E72-1F98-4da2-8A5C-6BF520E81321}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2244
- - C:\Windows\{F8BFA5C1-A0FE-4def-A48C-1A11B19A3FC4}.exe
    C:\Windows\{F8BFA5C1-A0FE-4def-A48C-1A11B19A3FC4}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2904
  - - C:\Windows\{233D6B1A-148A-43b1-90A1-44BFB8370353}.exe
      C:\Windows\{233D6B1A-148A-43b1-90A1-44BFB8370353}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2864
    - - C:\Windows\{D96092E0-BC98-4711-9F29-AA0A92999A6B}.exe
        
        C:\Windows\{D96092E0-BC98-4711-9F29-AA0A92999A6B}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2472
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D9609~1.EXE > nul
        6⤵
        
        PID:1364
      - C:\Windows\{D1766CBE-BC92-4f16-8A21-4BF658EED740}.exe
        
        C:\Windows\{D1766CBE-BC92-4f16-8A21-4BF658EED740}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2956
        
        C:\Windows\{C4BD52A3-2C0D-4254-A96A-13C445C74D55}.exe
        
        C:\Windows\{C4BD52A3-2C0D-4254-A96A-13C445C74D55}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C4BD5~1.EXE > nul
        8⤵
        
        PID:1692
        
        C:\Windows\{8F717C86-3AD9-4039-95A0-4F84C292293B}.exe
        
        C:\Windows\{8F717C86-3AD9-4039-95A0-4F84C292293B}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2348
        
        C:\Windows\{E192CA1B-485B-40fb-AACA-58F1C09FD711}.exe
        
        C:\Windows\{E192CA1B-485B-40fb-AACA-58F1C09FD711}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2056
        
        C:\Windows\{63855156-0C51-4c5d-94A3-DFD99C6662E5}.exe
        
        C:\Windows\{63855156-0C51-4c5d-94A3-DFD99C6662E5}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{63855~1.EXE > nul
        11⤵
        
        PID:324
        
        C:\Windows\{82D82F57-7CB8-44a1-B8B2-240AFD36D706}.exe
        
        C:\Windows\{82D82F57-7CB8-44a1-B8B2-240AFD36D706}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2116
        
        C:\Windows\{9E7BBC9D-257B-48e7-B4F1-66C1E1D914AA}.exe
        
        C:\Windows\{9E7BBC9D-257B-48e7-B4F1-66C1E1D914AA}.exe
        12⤵
        Executes dropped EXE
        
        PID:600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{82D82~1.EXE > nul
        12⤵
        
        PID:1116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E192C~1.EXE > nul
        10⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8F717~1.EXE > nul
        9⤵
        
        PID:1568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D1766~1.EXE > nul
        7⤵
        
        PID:1960
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{233D6~1.EXE > nul
        5⤵
        
        PID:1856
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{F8BFA~1.EXE > nul
      4⤵
      PID:2656
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{F2FF9~1.EXE > nul
    3⤵
    PID:2740
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{233D6B1A-148A-43b1-90A1-44BFB8370353}.exe

Filesize
180KB

MD5
73ad20c269058a273d7425ce80504a4b

SHA1
fd4de5365d9de52eec740f474cbd8c8250795375

SHA256
a664ae9eabc877423c26de9e91fd3089ff25c28ba7a38e94643c17d5426f50c9

SHA512
2bda948f6e00bece5993b0dc161751c6b91559f11a0b33dbf15f8ce15c9b9bfd118bd9febe5bb1fd93d6f67838d2e0aaf9350d756afd36bf8f3b2c4f26b4caba

Download Submit
C:\Windows\{63855156-0C51-4c5d-94A3-DFD99C6662E5}.exe

Filesize
180KB

MD5
6adc37e47e3a7dd1d44e119f423e258d

SHA1
8c18140170bc18ed53debd28968efa0e5538be7e

SHA256
c69875b92dfefa6dfb89ed37fcf6b3ba0a487408bfde7ef1167a0f377c9b4572

SHA512
1f46381f369f4e8ac1793944243c39cdaf53451c96f50053d936feb4088f056912427cf381ebc503bac57c142523584e785b318fd74cf6701d713c967b809f6c

Download Submit
C:\Windows\{82D82F57-7CB8-44a1-B8B2-240AFD36D706}.exe

Filesize
180KB

MD5
3fe295a9af4d33a5262e1a7746839817

SHA1
427dcd6c055c653bc4d4d2f8232e15fb844adfaf

SHA256
3ced26cc140e6bb774652579e8c217be6b9d962bdbd3b60d9927af8e973ddb3f

SHA512
93e8f16aa8e41a088491084c27446c8e60bb6bbe5c2964aa3be2a53aea64da3cf5ac3238aa3e329a54c07fcc0755e5f4edd2529da4fa7e1bba5b08f0d3f5e149

Download Submit
C:\Windows\{8F717C86-3AD9-4039-95A0-4F84C292293B}.exe

Filesize
180KB

MD5
26f9094cbb70ca91a90ee6f9e28a9f09

SHA1
3fbb8c48e326bf96fd333b41d3a409ca5d4895ad

SHA256
99d96d973c52d9f03fcf21b25602faac23a67c1e10cec7b7b3284e4ec752ae7b

SHA512
adeb36072405e8081ae9796ef29cf0bc803a34965aebc5a7363fad24a5a1b3b67236aa0faa45734e057927932bdd0feac39db6a16783bc62e8e5eb3624853eb8

Download Submit
C:\Windows\{9E7BBC9D-257B-48e7-B4F1-66C1E1D914AA}.exe

Filesize
180KB

MD5
576ab940586c03a1130fcfcb09d00af7

SHA1
c0f3769bc0108c663f8ed293e6d4104e4e3017c4

SHA256
eb925ba5467e4965a8cbd7285911c40e0fd904acb9ee5d707dc769de348c214d

SHA512
691478c0a93a41a2e7fa60018aba3cc040468e27bea4c2eb8c5cfb61ca000042814ac4fcd4d96e312f34afdb0a3fcbf94e239d63ff6d3dc9dedcae3bca20d42f

Download Submit
C:\Windows\{C4BD52A3-2C0D-4254-A96A-13C445C74D55}.exe

Filesize
180KB

MD5
f133f9156c7ca6f0bb73e38ce3aefaa3

SHA1
af10114a54d8fc76ca6451e3debc0ecc4fe3ee93

SHA256
19d5c1e07e758e284a6c277817d8ad444b0101c862c2895b1edc82c251d40c6c

SHA512
a35efc5e89cb104cd0e963c46e20082edab9143975a3f3df71d0282de424002f035091c02ad35bd87c3c74bf5735bd410be4d6d0d18a1ced88edb5124889ebf4

Download Submit
C:\Windows\{D1766CBE-BC92-4f16-8A21-4BF658EED740}.exe

Filesize
180KB

MD5
6a34c1dea8cbcdc40705bd32e21e3a29

SHA1
1ce5f255eec45ab5b05a3964fca03e26865f72f2

SHA256
e2dd7f869fce5a370998f9101b35dc80763f76ba7196edba1b0be6efaff99f98

SHA512
93419e4782b19a89184bec4afbf0f59eb0fdf83c628820e213badd537d5982dfd8853befffb2dc88fe8437e8093a7e790741ef143cf610a2f6e56f428364b0da

Download Submit
C:\Windows\{D1766CBE-BC92-4f16-8A21-4BF658EED740}.exe

Filesize
11KB

MD5
4670babfe06c639bb1427c7c93dc0188

SHA1
9e4272c19e8a9c542e82009e2f33ba10f729d446

SHA256
775f6fdbfccde27942595d434af10b64d8f6d83aa2dfbe59d0c44c600fdd9b6d

SHA512
93f4d642a267ef9efc4c55b37600c9e49a6a40ef0854530330cd4e4f510b5455247bcbe17cf80cd244cd0d310c2cffd99a319fbe51f3cdb8e7115d191e7a79ff

Download Submit
C:\Windows\{D96092E0-BC98-4711-9F29-AA0A92999A6B}.exe

Filesize
180KB

MD5
d50d6cefb6e9fafad60904d4ecf055b9

SHA1
36fb6e5b7ef04100b68b777229b60d4e07856a5a

SHA256
5309462ab1d17e0d299113fa0b48af13637649faabba381b124846aff10acc0e

SHA512
69fe363f9e0e61d96e4f7e9381cff63a316ff03f5e4998f78e3712e825958ee85ce59c42de8944f906b9c234ac4737c71e1e938748e700a8e7450b632b0516fe

Download Submit
C:\Windows\{E192CA1B-485B-40fb-AACA-58F1C09FD711}.exe

Filesize
180KB

MD5
22e1015bb93bc4ed19c71a14a4c2be33

SHA1
a2f655ddd85d2bd1fe0ae64d090ddeda4448903b

SHA256
e9f3d01e4eab7651fdbdd84e14cd4f1fd1ee3f873d7fb4885ec04b693b21202d

SHA512
f9dee7e18c657829823eb2312f68a8cb817b1f326d4da0c393a31ead93cb274fe19acd33edfaa12955398f0fafa2a98aaec9a0ba476dd6988fe7cec0742927a9

Download Submit
C:\Windows\{F2FF9E72-1F98-4da2-8A5C-6BF520E81321}.exe

Filesize
180KB

MD5
97996a83a01cf838b29b8f6e1f3faebb

SHA1
2f26d122aee09e22f9e122859be917f7d873fc0d

SHA256
5dc2cb181674196401ca62a9b4ed6c027b9593cc7d146b76175a8e141fd40cd3

SHA512
5204de57f42bf08ed0cb7f9a1335fec03d0b3c9d17c4536b8f3796b81d7508cdff3da2f9bbfa27e163bd72e5bc84620eb497ee9cc90310a51de4bad6809a6437

Download Submit
C:\Windows\{F8BFA5C1-A0FE-4def-A48C-1A11B19A3FC4}.exe

Filesize
180KB

MD5
0b2ef9e8b30b780df4b8c335eae554a3

SHA1
eeade1cf478cb05291603a2d3011191a7bceb03a

SHA256
55f31412a60650c33d983727a79e7b2a6c7b8a2b1377716db040085be164e1ab

SHA512
0f41de7b149721d05c1f2a74b138996921bb3cacd516cc67c56004502040ade43f1cbeb0469fe830c4371886e0fab147b0f6d9069688e71bac7dd4eac28ce8bd

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads