fb9c0a6ebe76f413d154e446e1ddaab8730f5d0cf354f45759934cfe25c03096

Analysis

max time kernel
144s
max time network
120s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
19/02/2024, 03:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-19_afd63adf694035162ec7f01823e4c55e_goldeneye.exe
Size

408KB
MD5

afd63adf694035162ec7f01823e4c55e
SHA1

dc6a2ebd4463295ede6c5147ea1c2037de4bb581
SHA256

fb9c0a6ebe76f413d154e446e1ddaab8730f5d0cf354f45759934cfe25c03096
SHA512

173bd0f96f615413063b835cdb7a6feb492d538257baee1f54f3d76596f54d7d382d6d5cc6040a54f073bc841437db11ee1a4867a57f25ca57d2def36170884a
SSDEEP

3072:CEGh0o6l3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGgldOe2MUVg3vTeKcAEciTBqr3jy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x00090000000155ed-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c0000000155f7-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a0000000155ed-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000015c6b-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000005a59-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b0000000155ed-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000005a59-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c0000000155ed-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000005a59-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d0000000155ed-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000005a59-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{18EDBF9D-40DE-4535-BEEF-C0224D399359}\stubpath = "C:\\Windows\\{18EDBF9D-40DE-4535-BEEF-C0224D399359}.exe"	2024-02-19_afd63adf694035162ec7f01823e4c55e_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{17AE5A0D-F9B1-4a54-948C-2C4CC4CD0114}\stubpath = "C:\\Windows\\{17AE5A0D-F9B1-4a54-948C-2C4CC4CD0114}.exe"	{18EDBF9D-40DE-4535-BEEF-C0224D399359}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8CDB5F48-DADD-4048-A1D3-2A685F8FF8D9}	{17AE5A0D-F9B1-4a54-948C-2C4CC4CD0114}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1EF0E2DB-1335-4ca0-8E47-0A832D78B66C}	{8CDB5F48-DADD-4048-A1D3-2A685F8FF8D9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{18EDBF9D-40DE-4535-BEEF-C0224D399359}	2024-02-19_afd63adf694035162ec7f01823e4c55e_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1EF0E2DB-1335-4ca0-8E47-0A832D78B66C}\stubpath = "C:\\Windows\\{1EF0E2DB-1335-4ca0-8E47-0A832D78B66C}.exe"	{8CDB5F48-DADD-4048-A1D3-2A685F8FF8D9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D7FAE617-43E5-455d-B73F-4251B820491F}\stubpath = "C:\\Windows\\{D7FAE617-43E5-455d-B73F-4251B820491F}.exe"	{336D752C-D12E-44b8-A8D2-5547C6471E2C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9C7CE231-5D7F-4f89-86AF-D42B9A1E7F35}	{1D75ADEC-95B4-4e64-94E0-01B9EF06DF7F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9C7CE231-5D7F-4f89-86AF-D42B9A1E7F35}\stubpath = "C:\\Windows\\{9C7CE231-5D7F-4f89-86AF-D42B9A1E7F35}.exe"	{1D75ADEC-95B4-4e64-94E0-01B9EF06DF7F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{33E47A83-3B02-4987-B0F0-61D89C91F530}	{9C7CE231-5D7F-4f89-86AF-D42B9A1E7F35}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{33E47A83-3B02-4987-B0F0-61D89C91F530}\stubpath = "C:\\Windows\\{33E47A83-3B02-4987-B0F0-61D89C91F530}.exe"	{9C7CE231-5D7F-4f89-86AF-D42B9A1E7F35}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EB5B197F-CD53-4dc5-B366-8A0F5CF0008F}\stubpath = "C:\\Windows\\{EB5B197F-CD53-4dc5-B366-8A0F5CF0008F}.exe"	{33E47A83-3B02-4987-B0F0-61D89C91F530}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{336D752C-D12E-44b8-A8D2-5547C6471E2C}	{EB5B197F-CD53-4dc5-B366-8A0F5CF0008F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D7FAE617-43E5-455d-B73F-4251B820491F}	{336D752C-D12E-44b8-A8D2-5547C6471E2C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{564CDA6E-912C-481a-8264-D8F272C7B163}	{D7FAE617-43E5-455d-B73F-4251B820491F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{17AE5A0D-F9B1-4a54-948C-2C4CC4CD0114}	{18EDBF9D-40DE-4535-BEEF-C0224D399359}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8CDB5F48-DADD-4048-A1D3-2A685F8FF8D9}\stubpath = "C:\\Windows\\{8CDB5F48-DADD-4048-A1D3-2A685F8FF8D9}.exe"	{17AE5A0D-F9B1-4a54-948C-2C4CC4CD0114}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1D75ADEC-95B4-4e64-94E0-01B9EF06DF7F}	{1EF0E2DB-1335-4ca0-8E47-0A832D78B66C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1D75ADEC-95B4-4e64-94E0-01B9EF06DF7F}\stubpath = "C:\\Windows\\{1D75ADEC-95B4-4e64-94E0-01B9EF06DF7F}.exe"	{1EF0E2DB-1335-4ca0-8E47-0A832D78B66C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EB5B197F-CD53-4dc5-B366-8A0F5CF0008F}	{33E47A83-3B02-4987-B0F0-61D89C91F530}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{336D752C-D12E-44b8-A8D2-5547C6471E2C}\stubpath = "C:\\Windows\\{336D752C-D12E-44b8-A8D2-5547C6471E2C}.exe"	{EB5B197F-CD53-4dc5-B366-8A0F5CF0008F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{564CDA6E-912C-481a-8264-D8F272C7B163}\stubpath = "C:\\Windows\\{564CDA6E-912C-481a-8264-D8F272C7B163}.exe"	{D7FAE617-43E5-455d-B73F-4251B820491F}.exe

Deletes itself 1 IoCs

pid	Process
2380	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2252	{18EDBF9D-40DE-4535-BEEF-C0224D399359}.exe
2628	{17AE5A0D-F9B1-4a54-948C-2C4CC4CD0114}.exe
2748	{8CDB5F48-DADD-4048-A1D3-2A685F8FF8D9}.exe
2212	{1EF0E2DB-1335-4ca0-8E47-0A832D78B66C}.exe
1768	{1D75ADEC-95B4-4e64-94E0-01B9EF06DF7F}.exe
1588	{9C7CE231-5D7F-4f89-86AF-D42B9A1E7F35}.exe
2716	{33E47A83-3B02-4987-B0F0-61D89C91F530}.exe
1784	{EB5B197F-CD53-4dc5-B366-8A0F5CF0008F}.exe
2052	{336D752C-D12E-44b8-A8D2-5547C6471E2C}.exe
268	{D7FAE617-43E5-455d-B73F-4251B820491F}.exe
1168	{564CDA6E-912C-481a-8264-D8F272C7B163}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{18EDBF9D-40DE-4535-BEEF-C0224D399359}.exe	2024-02-19_afd63adf694035162ec7f01823e4c55e_goldeneye.exe
File created	C:\Windows\{8CDB5F48-DADD-4048-A1D3-2A685F8FF8D9}.exe	{17AE5A0D-F9B1-4a54-948C-2C4CC4CD0114}.exe
File created	C:\Windows\{EB5B197F-CD53-4dc5-B366-8A0F5CF0008F}.exe	{33E47A83-3B02-4987-B0F0-61D89C91F530}.exe
File created	C:\Windows\{564CDA6E-912C-481a-8264-D8F272C7B163}.exe	{D7FAE617-43E5-455d-B73F-4251B820491F}.exe
File created	C:\Windows\{33E47A83-3B02-4987-B0F0-61D89C91F530}.exe	{9C7CE231-5D7F-4f89-86AF-D42B9A1E7F35}.exe
File created	C:\Windows\{336D752C-D12E-44b8-A8D2-5547C6471E2C}.exe	{EB5B197F-CD53-4dc5-B366-8A0F5CF0008F}.exe
File created	C:\Windows\{D7FAE617-43E5-455d-B73F-4251B820491F}.exe	{336D752C-D12E-44b8-A8D2-5547C6471E2C}.exe
File created	C:\Windows\{17AE5A0D-F9B1-4a54-948C-2C4CC4CD0114}.exe	{18EDBF9D-40DE-4535-BEEF-C0224D399359}.exe
File created	C:\Windows\{1EF0E2DB-1335-4ca0-8E47-0A832D78B66C}.exe	{8CDB5F48-DADD-4048-A1D3-2A685F8FF8D9}.exe
File created	C:\Windows\{1D75ADEC-95B4-4e64-94E0-01B9EF06DF7F}.exe	{1EF0E2DB-1335-4ca0-8E47-0A832D78B66C}.exe
File created	C:\Windows\{9C7CE231-5D7F-4f89-86AF-D42B9A1E7F35}.exe	{1D75ADEC-95B4-4e64-94E0-01B9EF06DF7F}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2232	2024-02-19_afd63adf694035162ec7f01823e4c55e_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2252	{18EDBF9D-40DE-4535-BEEF-C0224D399359}.exe
Token: SeIncBasePriorityPrivilege	2628	{17AE5A0D-F9B1-4a54-948C-2C4CC4CD0114}.exe
Token: SeIncBasePriorityPrivilege	2748	{8CDB5F48-DADD-4048-A1D3-2A685F8FF8D9}.exe
Token: SeIncBasePriorityPrivilege	2212	{1EF0E2DB-1335-4ca0-8E47-0A832D78B66C}.exe
Token: SeIncBasePriorityPrivilege	1768	{1D75ADEC-95B4-4e64-94E0-01B9EF06DF7F}.exe
Token: SeIncBasePriorityPrivilege	1588	{9C7CE231-5D7F-4f89-86AF-D42B9A1E7F35}.exe
Token: SeIncBasePriorityPrivilege	2716	{33E47A83-3B02-4987-B0F0-61D89C91F530}.exe
Token: SeIncBasePriorityPrivilege	1784	{EB5B197F-CD53-4dc5-B366-8A0F5CF0008F}.exe
Token: SeIncBasePriorityPrivilege	2052	{336D752C-D12E-44b8-A8D2-5547C6471E2C}.exe
Token: SeIncBasePriorityPrivilege	268	{D7FAE617-43E5-455d-B73F-4251B820491F}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2232 wrote to memory of 2252	2232	2024-02-19_afd63adf694035162ec7f01823e4c55e_goldeneye.exe	28
PID 2232 wrote to memory of 2252	2232	2024-02-19_afd63adf694035162ec7f01823e4c55e_goldeneye.exe	28
PID 2232 wrote to memory of 2252	2232	2024-02-19_afd63adf694035162ec7f01823e4c55e_goldeneye.exe	28
PID 2232 wrote to memory of 2252	2232	2024-02-19_afd63adf694035162ec7f01823e4c55e_goldeneye.exe	28
PID 2232 wrote to memory of 2380	2232	2024-02-19_afd63adf694035162ec7f01823e4c55e_goldeneye.exe	29
PID 2232 wrote to memory of 2380	2232	2024-02-19_afd63adf694035162ec7f01823e4c55e_goldeneye.exe	29
PID 2232 wrote to memory of 2380	2232	2024-02-19_afd63adf694035162ec7f01823e4c55e_goldeneye.exe	29
PID 2232 wrote to memory of 2380	2232	2024-02-19_afd63adf694035162ec7f01823e4c55e_goldeneye.exe	29
PID 2252 wrote to memory of 2628	2252	{18EDBF9D-40DE-4535-BEEF-C0224D399359}.exe	30
PID 2252 wrote to memory of 2628	2252	{18EDBF9D-40DE-4535-BEEF-C0224D399359}.exe	30
PID 2252 wrote to memory of 2628	2252	{18EDBF9D-40DE-4535-BEEF-C0224D399359}.exe	30
PID 2252 wrote to memory of 2628	2252	{18EDBF9D-40DE-4535-BEEF-C0224D399359}.exe	30
PID 2252 wrote to memory of 2148	2252	{18EDBF9D-40DE-4535-BEEF-C0224D399359}.exe	31
PID 2252 wrote to memory of 2148	2252	{18EDBF9D-40DE-4535-BEEF-C0224D399359}.exe	31
PID 2252 wrote to memory of 2148	2252	{18EDBF9D-40DE-4535-BEEF-C0224D399359}.exe	31
PID 2252 wrote to memory of 2148	2252	{18EDBF9D-40DE-4535-BEEF-C0224D399359}.exe	31
PID 2628 wrote to memory of 2748	2628	{17AE5A0D-F9B1-4a54-948C-2C4CC4CD0114}.exe	32
PID 2628 wrote to memory of 2748	2628	{17AE5A0D-F9B1-4a54-948C-2C4CC4CD0114}.exe	32
PID 2628 wrote to memory of 2748	2628	{17AE5A0D-F9B1-4a54-948C-2C4CC4CD0114}.exe	32
PID 2628 wrote to memory of 2748	2628	{17AE5A0D-F9B1-4a54-948C-2C4CC4CD0114}.exe	32
PID 2628 wrote to memory of 2608	2628	{17AE5A0D-F9B1-4a54-948C-2C4CC4CD0114}.exe	33
PID 2628 wrote to memory of 2608	2628	{17AE5A0D-F9B1-4a54-948C-2C4CC4CD0114}.exe	33
PID 2628 wrote to memory of 2608	2628	{17AE5A0D-F9B1-4a54-948C-2C4CC4CD0114}.exe	33
PID 2628 wrote to memory of 2608	2628	{17AE5A0D-F9B1-4a54-948C-2C4CC4CD0114}.exe	33
PID 2748 wrote to memory of 2212	2748	{8CDB5F48-DADD-4048-A1D3-2A685F8FF8D9}.exe	36
PID 2748 wrote to memory of 2212	2748	{8CDB5F48-DADD-4048-A1D3-2A685F8FF8D9}.exe	36
PID 2748 wrote to memory of 2212	2748	{8CDB5F48-DADD-4048-A1D3-2A685F8FF8D9}.exe	36
PID 2748 wrote to memory of 2212	2748	{8CDB5F48-DADD-4048-A1D3-2A685F8FF8D9}.exe	36
PID 2748 wrote to memory of 1956	2748	{8CDB5F48-DADD-4048-A1D3-2A685F8FF8D9}.exe	37
PID 2748 wrote to memory of 1956	2748	{8CDB5F48-DADD-4048-A1D3-2A685F8FF8D9}.exe	37
PID 2748 wrote to memory of 1956	2748	{8CDB5F48-DADD-4048-A1D3-2A685F8FF8D9}.exe	37
PID 2748 wrote to memory of 1956	2748	{8CDB5F48-DADD-4048-A1D3-2A685F8FF8D9}.exe	37
PID 2212 wrote to memory of 1768	2212	{1EF0E2DB-1335-4ca0-8E47-0A832D78B66C}.exe	38
PID 2212 wrote to memory of 1768	2212	{1EF0E2DB-1335-4ca0-8E47-0A832D78B66C}.exe	38
PID 2212 wrote to memory of 1768	2212	{1EF0E2DB-1335-4ca0-8E47-0A832D78B66C}.exe	38
PID 2212 wrote to memory of 1768	2212	{1EF0E2DB-1335-4ca0-8E47-0A832D78B66C}.exe	38
PID 2212 wrote to memory of 808	2212	{1EF0E2DB-1335-4ca0-8E47-0A832D78B66C}.exe	39
PID 2212 wrote to memory of 808	2212	{1EF0E2DB-1335-4ca0-8E47-0A832D78B66C}.exe	39
PID 2212 wrote to memory of 808	2212	{1EF0E2DB-1335-4ca0-8E47-0A832D78B66C}.exe	39
PID 2212 wrote to memory of 808	2212	{1EF0E2DB-1335-4ca0-8E47-0A832D78B66C}.exe	39
PID 1768 wrote to memory of 1588	1768	{1D75ADEC-95B4-4e64-94E0-01B9EF06DF7F}.exe	40
PID 1768 wrote to memory of 1588	1768	{1D75ADEC-95B4-4e64-94E0-01B9EF06DF7F}.exe	40
PID 1768 wrote to memory of 1588	1768	{1D75ADEC-95B4-4e64-94E0-01B9EF06DF7F}.exe	40
PID 1768 wrote to memory of 1588	1768	{1D75ADEC-95B4-4e64-94E0-01B9EF06DF7F}.exe	40
PID 1768 wrote to memory of 1652	1768	{1D75ADEC-95B4-4e64-94E0-01B9EF06DF7F}.exe	41
PID 1768 wrote to memory of 1652	1768	{1D75ADEC-95B4-4e64-94E0-01B9EF06DF7F}.exe	41
PID 1768 wrote to memory of 1652	1768	{1D75ADEC-95B4-4e64-94E0-01B9EF06DF7F}.exe	41
PID 1768 wrote to memory of 1652	1768	{1D75ADEC-95B4-4e64-94E0-01B9EF06DF7F}.exe	41
PID 1588 wrote to memory of 2716	1588	{9C7CE231-5D7F-4f89-86AF-D42B9A1E7F35}.exe	42
PID 1588 wrote to memory of 2716	1588	{9C7CE231-5D7F-4f89-86AF-D42B9A1E7F35}.exe	42
PID 1588 wrote to memory of 2716	1588	{9C7CE231-5D7F-4f89-86AF-D42B9A1E7F35}.exe	42
PID 1588 wrote to memory of 2716	1588	{9C7CE231-5D7F-4f89-86AF-D42B9A1E7F35}.exe	42
PID 1588 wrote to memory of 2820	1588	{9C7CE231-5D7F-4f89-86AF-D42B9A1E7F35}.exe	43
PID 1588 wrote to memory of 2820	1588	{9C7CE231-5D7F-4f89-86AF-D42B9A1E7F35}.exe	43
PID 1588 wrote to memory of 2820	1588	{9C7CE231-5D7F-4f89-86AF-D42B9A1E7F35}.exe	43
PID 1588 wrote to memory of 2820	1588	{9C7CE231-5D7F-4f89-86AF-D42B9A1E7F35}.exe	43
PID 2716 wrote to memory of 1784	2716	{33E47A83-3B02-4987-B0F0-61D89C91F530}.exe	44
PID 2716 wrote to memory of 1784	2716	{33E47A83-3B02-4987-B0F0-61D89C91F530}.exe	44
PID 2716 wrote to memory of 1784	2716	{33E47A83-3B02-4987-B0F0-61D89C91F530}.exe	44
PID 2716 wrote to memory of 1784	2716	{33E47A83-3B02-4987-B0F0-61D89C91F530}.exe	44
PID 2716 wrote to memory of 2796	2716	{33E47A83-3B02-4987-B0F0-61D89C91F530}.exe	45
PID 2716 wrote to memory of 2796	2716	{33E47A83-3B02-4987-B0F0-61D89C91F530}.exe	45
PID 2716 wrote to memory of 2796	2716	{33E47A83-3B02-4987-B0F0-61D89C91F530}.exe	45
PID 2716 wrote to memory of 2796	2716	{33E47A83-3B02-4987-B0F0-61D89C91F530}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-02-19_afd63adf694035162ec7f01823e4c55e_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-19_afd63adf694035162ec7f01823e4c55e_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2232
- C:\Windows\{18EDBF9D-40DE-4535-BEEF-C0224D399359}.exe
  C:\Windows\{18EDBF9D-40DE-4535-BEEF-C0224D399359}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2252
- - C:\Windows\{17AE5A0D-F9B1-4a54-948C-2C4CC4CD0114}.exe
    C:\Windows\{17AE5A0D-F9B1-4a54-948C-2C4CC4CD0114}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2628
  - - C:\Windows\{8CDB5F48-DADD-4048-A1D3-2A685F8FF8D9}.exe
      C:\Windows\{8CDB5F48-DADD-4048-A1D3-2A685F8FF8D9}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2748
    - - C:\Windows\{1EF0E2DB-1335-4ca0-8E47-0A832D78B66C}.exe
        
        C:\Windows\{1EF0E2DB-1335-4ca0-8E47-0A832D78B66C}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2212
      - C:\Windows\{1D75ADEC-95B4-4e64-94E0-01B9EF06DF7F}.exe
        
        C:\Windows\{1D75ADEC-95B4-4e64-94E0-01B9EF06DF7F}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1768
        
        C:\Windows\{9C7CE231-5D7F-4f89-86AF-D42B9A1E7F35}.exe
        
        C:\Windows\{9C7CE231-5D7F-4f89-86AF-D42B9A1E7F35}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1588
        
        C:\Windows\{33E47A83-3B02-4987-B0F0-61D89C91F530}.exe
        
        C:\Windows\{33E47A83-3B02-4987-B0F0-61D89C91F530}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2716
        
        C:\Windows\{EB5B197F-CD53-4dc5-B366-8A0F5CF0008F}.exe
        
        C:\Windows\{EB5B197F-CD53-4dc5-B366-8A0F5CF0008F}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1784
        
        C:\Windows\{336D752C-D12E-44b8-A8D2-5547C6471E2C}.exe
        
        C:\Windows\{336D752C-D12E-44b8-A8D2-5547C6471E2C}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2052
        
        C:\Windows\{D7FAE617-43E5-455d-B73F-4251B820491F}.exe
        
        C:\Windows\{D7FAE617-43E5-455d-B73F-4251B820491F}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:268
        
        C:\Windows\{564CDA6E-912C-481a-8264-D8F272C7B163}.exe
        
        C:\Windows\{564CDA6E-912C-481a-8264-D8F272C7B163}.exe
        12⤵
        Executes dropped EXE
        
        PID:1168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D7FAE~1.EXE > nul
        12⤵
        
        PID:528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{336D7~1.EXE > nul
        11⤵
        
        PID:1248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EB5B1~1.EXE > nul
        10⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{33E47~1.EXE > nul
        9⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9C7CE~1.EXE > nul
        8⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1D75A~1.EXE > nul
        7⤵
        
        PID:1652
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1EF0E~1.EXE > nul
        6⤵
        
        PID:808
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8CDB5~1.EXE > nul
        5⤵
        
        PID:1956
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{17AE5~1.EXE > nul
      4⤵
      PID:2608
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{18EDB~1.EXE > nul
    3⤵
    PID:2148
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{17AE5A0D-F9B1-4a54-948C-2C4CC4CD0114}.exe

Filesize
408KB

MD5
b351c023a2bf6b0a93825525fda15fcd

SHA1
9da73ebf3a0eb478adda6b63a5a342fc76c804cb

SHA256
3207072a0c905286d999ec75a64e238adb29975e403ea30073920fd98e8a183b

SHA512
e26408460bad9bc8d54729f9a8a94d5321c138fa15ed9b66eb04de626488b3aba47d7dfcc56da0c80d257fec091c07171680e199797ff34776d77e736a7a440c

Download Submit
C:\Windows\{18EDBF9D-40DE-4535-BEEF-C0224D399359}.exe

Filesize
408KB

MD5
e3d2be247558dac34f17d3453007c50c

SHA1
ebb91cc982b3e42b2d1e00fdf6107235b5994883

SHA256
90c867a6e3883bd2dc24de351a9355973428a169edcc47c750fca223563445a0

SHA512
9331beb09beb3692db7b820e987eb6fdb4fc3311b95d72cc69409b688ea1a17fbbbf784bd0e3c7eac79125537a78e5c1a65a39fe59a7e73e8d6292e02c34f686

Download Submit
C:\Windows\{1D75ADEC-95B4-4e64-94E0-01B9EF06DF7F}.exe

Filesize
408KB

MD5
2b32003bdbb0b5cb87e8995483826590

SHA1
0e84b1f23869f6ccf9ebef96b0904e6b958a60b6

SHA256
82bd9f0f7c19e85621e49a4dd25b5a808397be6e4835c06a0240d594a0446c4d

SHA512
dc8d19265a8646b81adff67dc702997dfc2e6da0fde906273dfe394e245e40475e74069fcff35835aba9f8867e723a19c514d8e3e3773d55a94b912962cf1040

Download Submit
C:\Windows\{1EF0E2DB-1335-4ca0-8E47-0A832D78B66C}.exe

Filesize
408KB

MD5
489d719e8316f4af9a5b16583f663be3

SHA1
2b47a1d740407c68fc906d8dd11f9f1e2ede476d

SHA256
cbe2dd2ef56c5cef1c887f15e1e5c8ef75368b1217410642d4e7241c2f1540e4

SHA512
34162132cf91ff2c140d3671c5af2d0d89bdc557194ecb482e09f95bd957f417bc89bb9dcbeebd041fbc292d04807d2b35941c66dc49d2e353639b5e9e0792dd

Download Submit
C:\Windows\{336D752C-D12E-44b8-A8D2-5547C6471E2C}.exe

Filesize
408KB

MD5
c19f7e4781fc6cab21dfb437ceeba793

SHA1
cfed218b14140fc111238c4ed27349e4fdb58728

SHA256
b9c7e1752b759bf61f64f8b0d98c4d8858138dc8a7391cbb44a6c4567ae02a59

SHA512
ebb842995ead8daab1f6e2cb611e9c8f6721644c8dca4753608eeaf4e68f81935695e0b04341b2b9c82e4816c620a460a05b43e043b3eef1c88619156d6cd9d7

Download Submit
C:\Windows\{33E47A83-3B02-4987-B0F0-61D89C91F530}.exe

Filesize
408KB

MD5
f33ba169c3b5035def2cd7bde4d5c990

SHA1
ebd3796360abaf4640c432c22b8073d4dd2c0d33

SHA256
787a2def884be53384d2e191fda6620d1390c5b6e6af42eba66cf13e73623219

SHA512
d15a772725aa7e98df3ec5bebe674a8606648114dd735513de5173e6386360550877b25ac4049a4a4745c1dd7dbadb9e74ba65d9b65a60c42f17bed8a2652e61

Download Submit
C:\Windows\{564CDA6E-912C-481a-8264-D8F272C7B163}.exe

Filesize
408KB

MD5
0559592bb319a7c75b30ddfe399f9ee2

SHA1
7020d70c87100b71f1842388e83e9baaa99be0a5

SHA256
deb8c5b96d53535f712b289fb932dfd0956e6004d735dee14d2cdf3ff42060e8

SHA512
0010f56b7577788b465e98c0624b47be4098c26e1509e2bc2e190ab7b3881c4ccc9d2f8d21d87bc80d059808ca9df9c80725c3f75cef3f9886d9f98792245f7f

Download Submit
C:\Windows\{8CDB5F48-DADD-4048-A1D3-2A685F8FF8D9}.exe

Filesize
408KB

MD5
6ecbc995c2b87533106d90be91f1d24a

SHA1
80a3649020ed6807adf20cbe51b743c5157dcafe

SHA256
da08da651914662d377146dff57886bd05ba8443742150c85266a03185b2f95f

SHA512
f1e3f065768fcbd9650aad8e942fd3859093a2088f94f02739d806365726b36a58ed77297731d5a09ae243104d16a4e19cf9c32c53692cde8c222421b8876a92

Download Submit
C:\Windows\{9C7CE231-5D7F-4f89-86AF-D42B9A1E7F35}.exe

Filesize
408KB

MD5
7a4ccf980b4300dcc510ef1c8a2e89b0

SHA1
1fff5801ad771b55ffcceb76cac5f36e6431c168

SHA256
7ded961a32202c329ebd3453b4872970eae019f4d2e2be58482618037798c776

SHA512
85cfaf486a5f64fcb7591dc46945babc75d01d066263d628fec1727c2447f830ef16282b44f74ee17d8dc94067036d59121c5bfd7e2951a0697db5a5a4ac16bd

Download Submit
C:\Windows\{D7FAE617-43E5-455d-B73F-4251B820491F}.exe

Filesize
408KB

MD5
27959b386f19372b3f86b9f01aec8f18

SHA1
545c74fba6ae6645fc8016bee8f0b710c1774f1e

SHA256
68901ee39b4db86517b6a1bfb3dbf56c3b2c78cfd5419d69246ca9429f616f47

SHA512
19ef1bb2a5b243023c25e61859a0e58863702ac6650cf02480deb335d9e374f29ac55c59603cf4bca2419ef01a380186bee22fe8621aa222d89df78ad7be3be0

Download Submit
C:\Windows\{EB5B197F-CD53-4dc5-B366-8A0F5CF0008F}.exe

Filesize
408KB

MD5
6df0ee006794004852b613d48f42b219

SHA1
f68f069c1d8361c8cd48197f31c8fa858918b36f

SHA256
e6794b1c6f1c6606531bdde206b466cd1b8bedc2b24afac98f4b698541e6bd9e

SHA512
520b1bb60bd966028155ec3fd1eebef18830c4544f5fdb093867ada19981ca9d8f71c54f73dbb617792cb943c3e97dc149531fd12bc2bad8d772e3f18a7228ae

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads