2dcfe08e3305803f7c253aa644c97143a937a00711e311c5274325c550cc3aec

Analysis

max time kernel
144s
max time network
121s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
19/02/2024, 22:33

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-02-19_489728ae15e396cdc45425e9e5bd8635_goldeneye.exe
Size

408KB
MD5

489728ae15e396cdc45425e9e5bd8635
SHA1

9126e4d023b7f4cfc9d03e24ca9520eb5f36406b
SHA256

2dcfe08e3305803f7c253aa644c97143a937a00711e311c5274325c550cc3aec
SHA512

95a91238adb4e89082e4728e0f4f03b36cd09158ad24142afb20a9838fd9bcc4643a09ca7ec5f19192047dd115db33c9f60b17fe31838faeaa559393ab21911d
SSDEEP

3072:CEGh0oYl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEG+ldOe2MUVg3vTeKcAEciTBqr3jy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral1/files/0x00090000000122c4-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00090000000122c4-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000012323-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a0000000122c4-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0032000000014177-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b0000000122c4-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c0000000122c4-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d0000000122c4-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F677747A-06EE-4a60-B989-5FE4B838C924}\stubpath = "C:\\Windows\\{F677747A-06EE-4a60-B989-5FE4B838C924}.exe"	{24B04ABC-F31E-44c2-A0F3-3B0644D9A716}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{34FDC8C4-1014-4e1b-9476-DA5F38D4BD7D}	{F677747A-06EE-4a60-B989-5FE4B838C924}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{580CD03B-B460-40d6-AE9C-17CF310EC5F6}	{34FDC8C4-1014-4e1b-9476-DA5F38D4BD7D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{57D900BB-A385-4527-B1BA-46878ADF0F45}	{580CD03B-B460-40d6-AE9C-17CF310EC5F6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A688866C-F050-4bfe-BD63-149AD902164F}	{2BDF7A66-0A80-4963-B214-34208AB5C568}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2E87DF94-7A00-427f-9D65-34BC3D87B5DA}\stubpath = "C:\\Windows\\{2E87DF94-7A00-427f-9D65-34BC3D87B5DA}.exe"	{A688866C-F050-4bfe-BD63-149AD902164F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{24B04ABC-F31E-44c2-A0F3-3B0644D9A716}\stubpath = "C:\\Windows\\{24B04ABC-F31E-44c2-A0F3-3B0644D9A716}.exe"	{23F25629-83B7-4523-B76E-6CC4B78E6E78}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F677747A-06EE-4a60-B989-5FE4B838C924}	{24B04ABC-F31E-44c2-A0F3-3B0644D9A716}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9BFDE726-304F-47d3-AB73-934C86CEA6A4}	{2E87DF94-7A00-427f-9D65-34BC3D87B5DA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2BDF7A66-0A80-4963-B214-34208AB5C568}\stubpath = "C:\\Windows\\{2BDF7A66-0A80-4963-B214-34208AB5C568}.exe"	{57D900BB-A385-4527-B1BA-46878ADF0F45}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2E87DF94-7A00-427f-9D65-34BC3D87B5DA}	{A688866C-F050-4bfe-BD63-149AD902164F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{23F25629-83B7-4523-B76E-6CC4B78E6E78}	{D80DECD0-4454-4f1b-B504-7FE7DD870C49}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{34FDC8C4-1014-4e1b-9476-DA5F38D4BD7D}\stubpath = "C:\\Windows\\{34FDC8C4-1014-4e1b-9476-DA5F38D4BD7D}.exe"	{F677747A-06EE-4a60-B989-5FE4B838C924}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{23F25629-83B7-4523-B76E-6CC4B78E6E78}\stubpath = "C:\\Windows\\{23F25629-83B7-4523-B76E-6CC4B78E6E78}.exe"	{D80DECD0-4454-4f1b-B504-7FE7DD870C49}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{580CD03B-B460-40d6-AE9C-17CF310EC5F6}\stubpath = "C:\\Windows\\{580CD03B-B460-40d6-AE9C-17CF310EC5F6}.exe"	{34FDC8C4-1014-4e1b-9476-DA5F38D4BD7D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9BFDE726-304F-47d3-AB73-934C86CEA6A4}\stubpath = "C:\\Windows\\{9BFDE726-304F-47d3-AB73-934C86CEA6A4}.exe"	{2E87DF94-7A00-427f-9D65-34BC3D87B5DA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D80DECD0-4454-4f1b-B504-7FE7DD870C49}	2024-02-19_489728ae15e396cdc45425e9e5bd8635_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D80DECD0-4454-4f1b-B504-7FE7DD870C49}\stubpath = "C:\\Windows\\{D80DECD0-4454-4f1b-B504-7FE7DD870C49}.exe"	2024-02-19_489728ae15e396cdc45425e9e5bd8635_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2BDF7A66-0A80-4963-B214-34208AB5C568}	{57D900BB-A385-4527-B1BA-46878ADF0F45}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A688866C-F050-4bfe-BD63-149AD902164F}\stubpath = "C:\\Windows\\{A688866C-F050-4bfe-BD63-149AD902164F}.exe"	{2BDF7A66-0A80-4963-B214-34208AB5C568}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{24B04ABC-F31E-44c2-A0F3-3B0644D9A716}	{23F25629-83B7-4523-B76E-6CC4B78E6E78}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{57D900BB-A385-4527-B1BA-46878ADF0F45}\stubpath = "C:\\Windows\\{57D900BB-A385-4527-B1BA-46878ADF0F45}.exe"	{580CD03B-B460-40d6-AE9C-17CF310EC5F6}.exe

Deletes itself 1 IoCs

pid	Process
2756	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2024	{D80DECD0-4454-4f1b-B504-7FE7DD870C49}.exe
2688	{23F25629-83B7-4523-B76E-6CC4B78E6E78}.exe
2628	{24B04ABC-F31E-44c2-A0F3-3B0644D9A716}.exe
1504	{F677747A-06EE-4a60-B989-5FE4B838C924}.exe
2936	{34FDC8C4-1014-4e1b-9476-DA5F38D4BD7D}.exe
2624	{580CD03B-B460-40d6-AE9C-17CF310EC5F6}.exe
1156	{57D900BB-A385-4527-B1BA-46878ADF0F45}.exe
1472	{2BDF7A66-0A80-4963-B214-34208AB5C568}.exe
2224	{A688866C-F050-4bfe-BD63-149AD902164F}.exe
596	{2E87DF94-7A00-427f-9D65-34BC3D87B5DA}.exe
1412	{9BFDE726-304F-47d3-AB73-934C86CEA6A4}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{F677747A-06EE-4a60-B989-5FE4B838C924}.exe	{24B04ABC-F31E-44c2-A0F3-3B0644D9A716}.exe
File created	C:\Windows\{34FDC8C4-1014-4e1b-9476-DA5F38D4BD7D}.exe	{F677747A-06EE-4a60-B989-5FE4B838C924}.exe
File created	C:\Windows\{580CD03B-B460-40d6-AE9C-17CF310EC5F6}.exe	{34FDC8C4-1014-4e1b-9476-DA5F38D4BD7D}.exe
File created	C:\Windows\{57D900BB-A385-4527-B1BA-46878ADF0F45}.exe	{580CD03B-B460-40d6-AE9C-17CF310EC5F6}.exe
File created	C:\Windows\{2BDF7A66-0A80-4963-B214-34208AB5C568}.exe	{57D900BB-A385-4527-B1BA-46878ADF0F45}.exe
File created	C:\Windows\{2E87DF94-7A00-427f-9D65-34BC3D87B5DA}.exe	{A688866C-F050-4bfe-BD63-149AD902164F}.exe
File created	C:\Windows\{D80DECD0-4454-4f1b-B504-7FE7DD870C49}.exe	2024-02-19_489728ae15e396cdc45425e9e5bd8635_goldeneye.exe
File created	C:\Windows\{23F25629-83B7-4523-B76E-6CC4B78E6E78}.exe	{D80DECD0-4454-4f1b-B504-7FE7DD870C49}.exe
File created	C:\Windows\{9BFDE726-304F-47d3-AB73-934C86CEA6A4}.exe	{2E87DF94-7A00-427f-9D65-34BC3D87B5DA}.exe
File created	C:\Windows\{24B04ABC-F31E-44c2-A0F3-3B0644D9A716}.exe	{23F25629-83B7-4523-B76E-6CC4B78E6E78}.exe
File created	C:\Windows\{A688866C-F050-4bfe-BD63-149AD902164F}.exe	{2BDF7A66-0A80-4963-B214-34208AB5C568}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1728	2024-02-19_489728ae15e396cdc45425e9e5bd8635_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2024	{D80DECD0-4454-4f1b-B504-7FE7DD870C49}.exe
Token: SeIncBasePriorityPrivilege	2688	{23F25629-83B7-4523-B76E-6CC4B78E6E78}.exe
Token: SeIncBasePriorityPrivilege	2628	{24B04ABC-F31E-44c2-A0F3-3B0644D9A716}.exe
Token: SeIncBasePriorityPrivilege	1504	{F677747A-06EE-4a60-B989-5FE4B838C924}.exe
Token: SeIncBasePriorityPrivilege	2936	{34FDC8C4-1014-4e1b-9476-DA5F38D4BD7D}.exe
Token: SeIncBasePriorityPrivilege	2624	{580CD03B-B460-40d6-AE9C-17CF310EC5F6}.exe
Token: SeIncBasePriorityPrivilege	1156	{57D900BB-A385-4527-B1BA-46878ADF0F45}.exe
Token: SeIncBasePriorityPrivilege	1472	{2BDF7A66-0A80-4963-B214-34208AB5C568}.exe
Token: SeIncBasePriorityPrivilege	2224	{A688866C-F050-4bfe-BD63-149AD902164F}.exe
Token: SeIncBasePriorityPrivilege	596	{2E87DF94-7A00-427f-9D65-34BC3D87B5DA}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1728 wrote to memory of 2024	1728	2024-02-19_489728ae15e396cdc45425e9e5bd8635_goldeneye.exe	28
PID 1728 wrote to memory of 2024	1728	2024-02-19_489728ae15e396cdc45425e9e5bd8635_goldeneye.exe	28
PID 1728 wrote to memory of 2024	1728	2024-02-19_489728ae15e396cdc45425e9e5bd8635_goldeneye.exe	28
PID 1728 wrote to memory of 2024	1728	2024-02-19_489728ae15e396cdc45425e9e5bd8635_goldeneye.exe	28
PID 1728 wrote to memory of 2756	1728	2024-02-19_489728ae15e396cdc45425e9e5bd8635_goldeneye.exe	29
PID 1728 wrote to memory of 2756	1728	2024-02-19_489728ae15e396cdc45425e9e5bd8635_goldeneye.exe	29
PID 1728 wrote to memory of 2756	1728	2024-02-19_489728ae15e396cdc45425e9e5bd8635_goldeneye.exe	29
PID 1728 wrote to memory of 2756	1728	2024-02-19_489728ae15e396cdc45425e9e5bd8635_goldeneye.exe	29
PID 2024 wrote to memory of 2688	2024	{D80DECD0-4454-4f1b-B504-7FE7DD870C49}.exe	30
PID 2024 wrote to memory of 2688	2024	{D80DECD0-4454-4f1b-B504-7FE7DD870C49}.exe	30
PID 2024 wrote to memory of 2688	2024	{D80DECD0-4454-4f1b-B504-7FE7DD870C49}.exe	30
PID 2024 wrote to memory of 2688	2024	{D80DECD0-4454-4f1b-B504-7FE7DD870C49}.exe	30
PID 2024 wrote to memory of 2852	2024	{D80DECD0-4454-4f1b-B504-7FE7DD870C49}.exe	31
PID 2024 wrote to memory of 2852	2024	{D80DECD0-4454-4f1b-B504-7FE7DD870C49}.exe	31
PID 2024 wrote to memory of 2852	2024	{D80DECD0-4454-4f1b-B504-7FE7DD870C49}.exe	31
PID 2024 wrote to memory of 2852	2024	{D80DECD0-4454-4f1b-B504-7FE7DD870C49}.exe	31
PID 2688 wrote to memory of 2628	2688	{23F25629-83B7-4523-B76E-6CC4B78E6E78}.exe	32
PID 2688 wrote to memory of 2628	2688	{23F25629-83B7-4523-B76E-6CC4B78E6E78}.exe	32
PID 2688 wrote to memory of 2628	2688	{23F25629-83B7-4523-B76E-6CC4B78E6E78}.exe	32
PID 2688 wrote to memory of 2628	2688	{23F25629-83B7-4523-B76E-6CC4B78E6E78}.exe	32
PID 2688 wrote to memory of 2568	2688	{23F25629-83B7-4523-B76E-6CC4B78E6E78}.exe	33
PID 2688 wrote to memory of 2568	2688	{23F25629-83B7-4523-B76E-6CC4B78E6E78}.exe	33
PID 2688 wrote to memory of 2568	2688	{23F25629-83B7-4523-B76E-6CC4B78E6E78}.exe	33
PID 2688 wrote to memory of 2568	2688	{23F25629-83B7-4523-B76E-6CC4B78E6E78}.exe	33
PID 2628 wrote to memory of 1504	2628	{24B04ABC-F31E-44c2-A0F3-3B0644D9A716}.exe	36
PID 2628 wrote to memory of 1504	2628	{24B04ABC-F31E-44c2-A0F3-3B0644D9A716}.exe	36
PID 2628 wrote to memory of 1504	2628	{24B04ABC-F31E-44c2-A0F3-3B0644D9A716}.exe	36
PID 2628 wrote to memory of 1504	2628	{24B04ABC-F31E-44c2-A0F3-3B0644D9A716}.exe	36
PID 2628 wrote to memory of 2816	2628	{24B04ABC-F31E-44c2-A0F3-3B0644D9A716}.exe	37
PID 2628 wrote to memory of 2816	2628	{24B04ABC-F31E-44c2-A0F3-3B0644D9A716}.exe	37
PID 2628 wrote to memory of 2816	2628	{24B04ABC-F31E-44c2-A0F3-3B0644D9A716}.exe	37
PID 2628 wrote to memory of 2816	2628	{24B04ABC-F31E-44c2-A0F3-3B0644D9A716}.exe	37
PID 1504 wrote to memory of 2936	1504	{F677747A-06EE-4a60-B989-5FE4B838C924}.exe	38
PID 1504 wrote to memory of 2936	1504	{F677747A-06EE-4a60-B989-5FE4B838C924}.exe	38
PID 1504 wrote to memory of 2936	1504	{F677747A-06EE-4a60-B989-5FE4B838C924}.exe	38
PID 1504 wrote to memory of 2936	1504	{F677747A-06EE-4a60-B989-5FE4B838C924}.exe	38
PID 1504 wrote to memory of 1572	1504	{F677747A-06EE-4a60-B989-5FE4B838C924}.exe	39
PID 1504 wrote to memory of 1572	1504	{F677747A-06EE-4a60-B989-5FE4B838C924}.exe	39
PID 1504 wrote to memory of 1572	1504	{F677747A-06EE-4a60-B989-5FE4B838C924}.exe	39
PID 1504 wrote to memory of 1572	1504	{F677747A-06EE-4a60-B989-5FE4B838C924}.exe	39
PID 2936 wrote to memory of 2624	2936	{34FDC8C4-1014-4e1b-9476-DA5F38D4BD7D}.exe	40
PID 2936 wrote to memory of 2624	2936	{34FDC8C4-1014-4e1b-9476-DA5F38D4BD7D}.exe	40
PID 2936 wrote to memory of 2624	2936	{34FDC8C4-1014-4e1b-9476-DA5F38D4BD7D}.exe	40
PID 2936 wrote to memory of 2624	2936	{34FDC8C4-1014-4e1b-9476-DA5F38D4BD7D}.exe	40
PID 2936 wrote to memory of 1884	2936	{34FDC8C4-1014-4e1b-9476-DA5F38D4BD7D}.exe	41
PID 2936 wrote to memory of 1884	2936	{34FDC8C4-1014-4e1b-9476-DA5F38D4BD7D}.exe	41
PID 2936 wrote to memory of 1884	2936	{34FDC8C4-1014-4e1b-9476-DA5F38D4BD7D}.exe	41
PID 2936 wrote to memory of 1884	2936	{34FDC8C4-1014-4e1b-9476-DA5F38D4BD7D}.exe	41
PID 2624 wrote to memory of 1156	2624	{580CD03B-B460-40d6-AE9C-17CF310EC5F6}.exe	43
PID 2624 wrote to memory of 1156	2624	{580CD03B-B460-40d6-AE9C-17CF310EC5F6}.exe	43
PID 2624 wrote to memory of 1156	2624	{580CD03B-B460-40d6-AE9C-17CF310EC5F6}.exe	43
PID 2624 wrote to memory of 1156	2624	{580CD03B-B460-40d6-AE9C-17CF310EC5F6}.exe	43
PID 2624 wrote to memory of 1368	2624	{580CD03B-B460-40d6-AE9C-17CF310EC5F6}.exe	42
PID 2624 wrote to memory of 1368	2624	{580CD03B-B460-40d6-AE9C-17CF310EC5F6}.exe	42
PID 2624 wrote to memory of 1368	2624	{580CD03B-B460-40d6-AE9C-17CF310EC5F6}.exe	42
PID 2624 wrote to memory of 1368	2624	{580CD03B-B460-40d6-AE9C-17CF310EC5F6}.exe	42
PID 1156 wrote to memory of 1472	1156	{57D900BB-A385-4527-B1BA-46878ADF0F45}.exe	44
PID 1156 wrote to memory of 1472	1156	{57D900BB-A385-4527-B1BA-46878ADF0F45}.exe	44
PID 1156 wrote to memory of 1472	1156	{57D900BB-A385-4527-B1BA-46878ADF0F45}.exe	44
PID 1156 wrote to memory of 1472	1156	{57D900BB-A385-4527-B1BA-46878ADF0F45}.exe	44
PID 1156 wrote to memory of 3032	1156	{57D900BB-A385-4527-B1BA-46878ADF0F45}.exe	45
PID 1156 wrote to memory of 3032	1156	{57D900BB-A385-4527-B1BA-46878ADF0F45}.exe	45
PID 1156 wrote to memory of 3032	1156	{57D900BB-A385-4527-B1BA-46878ADF0F45}.exe	45
PID 1156 wrote to memory of 3032	1156	{57D900BB-A385-4527-B1BA-46878ADF0F45}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-02-19_489728ae15e396cdc45425e9e5bd8635_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-19_489728ae15e396cdc45425e9e5bd8635_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1728
- C:\Windows\{D80DECD0-4454-4f1b-B504-7FE7DD870C49}.exe
  C:\Windows\{D80DECD0-4454-4f1b-B504-7FE7DD870C49}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2024
- - C:\Windows\{23F25629-83B7-4523-B76E-6CC4B78E6E78}.exe
    C:\Windows\{23F25629-83B7-4523-B76E-6CC4B78E6E78}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2688
  - - C:\Windows\{24B04ABC-F31E-44c2-A0F3-3B0644D9A716}.exe
      C:\Windows\{24B04ABC-F31E-44c2-A0F3-3B0644D9A716}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2628
    - - C:\Windows\{F677747A-06EE-4a60-B989-5FE4B838C924}.exe
        
        C:\Windows\{F677747A-06EE-4a60-B989-5FE4B838C924}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1504
      - C:\Windows\{34FDC8C4-1014-4e1b-9476-DA5F38D4BD7D}.exe
        
        C:\Windows\{34FDC8C4-1014-4e1b-9476-DA5F38D4BD7D}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2936
        
        C:\Windows\{580CD03B-B460-40d6-AE9C-17CF310EC5F6}.exe
        
        C:\Windows\{580CD03B-B460-40d6-AE9C-17CF310EC5F6}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{580CD~1.EXE > nul
        8⤵
        
        PID:1368
        
        C:\Windows\{57D900BB-A385-4527-B1BA-46878ADF0F45}.exe
        
        C:\Windows\{57D900BB-A385-4527-B1BA-46878ADF0F45}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1156
        
        C:\Windows\{2BDF7A66-0A80-4963-B214-34208AB5C568}.exe
        
        C:\Windows\{2BDF7A66-0A80-4963-B214-34208AB5C568}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1472
        
        C:\Windows\{A688866C-F050-4bfe-BD63-149AD902164F}.exe
        
        C:\Windows\{A688866C-F050-4bfe-BD63-149AD902164F}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A6888~1.EXE > nul
        11⤵
        
        PID:560
        
        C:\Windows\{2E87DF94-7A00-427f-9D65-34BC3D87B5DA}.exe
        
        C:\Windows\{2E87DF94-7A00-427f-9D65-34BC3D87B5DA}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:596
        
        C:\Windows\{9BFDE726-304F-47d3-AB73-934C86CEA6A4}.exe
        
        C:\Windows\{9BFDE726-304F-47d3-AB73-934C86CEA6A4}.exe
        12⤵
        Executes dropped EXE
        
        PID:1412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2E87D~1.EXE > nul
        12⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2BDF7~1.EXE > nul
        10⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{57D90~1.EXE > nul
        9⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{34FDC~1.EXE > nul
        7⤵
        
        PID:1884
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F6777~1.EXE > nul
        6⤵
        
        PID:1572
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{24B04~1.EXE > nul
        5⤵
        
        PID:2816
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{23F25~1.EXE > nul
      4⤵
      PID:2568
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{D80DE~1.EXE > nul
    3⤵
    PID:2852
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{23F25629-83B7-4523-B76E-6CC4B78E6E78}.exe

Filesize
408KB

MD5
b982608c46c539ed6f55278c831ed754

SHA1
951277f9333642fb0f64dcbc8c9167c69b6a916c

SHA256
59d919450ff8d4eb5accb26334566676f365ab3b3bd3c6e9c52a0f15058c68ad

SHA512
c8b2531479b7e77012985e5f0909c317f7b7a8980870725b953a9900befa9d915cb1b7c128883251363d1b172460e55f334d112061697902779be1deccbf6faa

Download Submit
C:\Windows\{24B04ABC-F31E-44c2-A0F3-3B0644D9A716}.exe

Filesize
408KB

MD5
77ea6fa8b06fd7bc581801eae3e619bb

SHA1
63d79776ac618f16394c790c931ed6a784a05a23

SHA256
868b6f7eeedc8453117fae9eca978d33165199611da547ce7bef4d50c60457ab

SHA512
03fb01870791f9362f734c381aa0c4b8ba08fe5d524ae477305472c08a9808cb7619c889a15cbfec1a8aac99a25add36d89e04aff786a98495b269f1d464c341

Download Submit
C:\Windows\{2BDF7A66-0A80-4963-B214-34208AB5C568}.exe

Filesize
408KB

MD5
c1ed1b02748d8e1114365d57109c558f

SHA1
fd8866ada3bd0fcd17dbc8c354a556ff5f43a926

SHA256
de95fec53ab1f425782870795344ee049941c62b1f693015d6d5b89325502671

SHA512
57939e25aab3517ce1bb812ad06bbd6daf4a96daca72ffad1d758acb3e857274e75cd73286ceec28e7556e93f6c6ea16f996040c2f98e9f2c51f2c2de814be74

Download Submit
C:\Windows\{2E87DF94-7A00-427f-9D65-34BC3D87B5DA}.exe

Filesize
408KB

MD5
22f147a4ae51730a4f4aeacdb0309926

SHA1
697a932536d4c2f0b5c3b7dc5ff60d3349089df1

SHA256
af257897a0d08454c5c35745b53b031e0dede4966b02b8207d8067190d62253d

SHA512
ff41d2bcf37f4c9712c267f973adf627414d56739d9010487fc0be126a7a1eb9837def70fc61201f83dec7fd2265639522486d7e6bb25f6565fa619bb207236c

Download Submit
C:\Windows\{34FDC8C4-1014-4e1b-9476-DA5F38D4BD7D}.exe

Filesize
408KB

MD5
0968e7f9b883fc28edd80fcb08e4fe77

SHA1
ea834c71820a998f5d3354a37aeb7cfedf327cd2

SHA256
4db2da1afe395cbdff8948c9f11b7304519df25b088c79348b8d0302e6e2dbe8

SHA512
1a3c145de9d43a766ce45d063878fa97f36055af84775c41a440872af6e47c244cd454b6b859a17bb4de647a8dd6777cf1f45e7ffc96593a688dddf70e57347e

Download Submit
C:\Windows\{57D900BB-A385-4527-B1BA-46878ADF0F45}.exe

Filesize
408KB

MD5
ee99c43f47a13eb1d297eee8cbbadede

SHA1
8737b70a14281b736ad36caf92f3087272c766c5

SHA256
551230998798510d44ce9085a9982214b5079dd882c6f654924ee11a7b1f12ad

SHA512
d3cf3352229b046c2a29a750061107d7f0428dd663c5eedc657901c35fb648c3416af0e7080afb1faecd373136fe0406e781e81131b01cf8ba59f0ace11163d1

Download Submit
C:\Windows\{580CD03B-B460-40d6-AE9C-17CF310EC5F6}.exe

Filesize
408KB

MD5
7f22c54b60b71c6f52b0b02be4e8c6be

SHA1
0037de866ffb288a278971f3080639616b7345e8

SHA256
bb26c23aa9336d94d25fc9468c0749fb22691cc7535ac5e9cf27a5aa60a849c2

SHA512
df9bcae4cf319de48aa917e8d7f88e8a77f3d1cdbdd028ce3a68e55e5a34c895e748ec136e31341d6d676f63bbe1661fe58f1e874fb1069d9ac2d8fd60142fe7

Download Submit
C:\Windows\{9BFDE726-304F-47d3-AB73-934C86CEA6A4}.exe

Filesize
408KB

MD5
b80038c95fec2f2583352d4d7bcf3a0d

SHA1
2c8c1caa8a93d8458fa1aad7bcc84494173fc920

SHA256
5bc6d12c07e666633462df28c204e6b8afa899cfce554431fa3ab1f153c77e51

SHA512
53ee97a72d3f7a89dfdd9ff3934c6fe4ac6c86e5278f4cecb1882ac2b1afb0b85f17cc11cb68327135b43232e243f0f18897ba054655e38f98218753fb7c639e

Download Submit
C:\Windows\{A688866C-F050-4bfe-BD63-149AD902164F}.exe

Filesize
408KB

MD5
83e49f368e415354a149418c710bebc1

SHA1
2448adb833356427c0f9ef0b7a06b60791249f6f

SHA256
3bf8c929a89e1e3ca5c64242e971f572bb73dcef8060ceea46c32a68a1dfd285

SHA512
b792204a9d7e202d337aac8b08ae54ba2e4df7fc66afec3ba7e847d8a2434f6d8e0238da2134ac9eb8013eed0759fe40bb31c721e8c700ee102f7833bd921b44

Download Submit
C:\Windows\{D80DECD0-4454-4f1b-B504-7FE7DD870C49}.exe

Filesize
408KB

MD5
2384175a245ec8c4f3897e969926d959

SHA1
d4168bfd8d70ba83a09f9b4860088d88929737f8

SHA256
844183b29861d6f6a08225cca87a4590c1d0b6a0027a67100e34cf2037f40ba6

SHA512
4cbf90c421da11511d72d9d4acf002d547cb20e01390d9eba781ee48ee7313d65565cc3a4789cbf80077a8e4d5fc841cbe9b92a88b7994ad0601cf72470c28ae

Download Submit
C:\Windows\{D80DECD0-4454-4f1b-B504-7FE7DD870C49}.exe

Filesize
253KB

MD5
6beb4ee4025cb0f76f023b9e3b8dccf7

SHA1
1670306f22f18cc3a89d7c94f8c092f2bfab3e62

SHA256
16dc8ea36a05dc0d517eb1e82837c2e7cae7196bb75af0ed7f11ee970eb014fc

SHA512
d9f22b7363f63fe73e7338f8c7343dab3cf3e0878cf6b379ab43b2921c5c912ea51699fddb0c124e494a380d621184b0cf7e51ad43f54b9d89f85913021673d8

Download Submit
C:\Windows\{F677747A-06EE-4a60-B989-5FE4B838C924}.exe

Filesize
408KB

MD5
db4224f487b21124b02b761a2f3abaae

SHA1
5a59624eadd2157af0629c19cc6ebdd2c575b5c3

SHA256
637df3310c3deeec65d06663e1e6125957f7feb38d738b0227cf69dec6c94730

SHA512
1f60fc14d10be9277cd87ce69fba51fed06dd0630732d7cbb40c4c44a891ac492f21ff72615070123e05f1ae98a0ee52ba417274ba3fd5f515975023c54f2545

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads