c58246660651d2c2a6f35d5c7e52282c5630cfe15635258e20467f251c7fe565

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
19-02-2024 10:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-19_e32494cc6c4716c6f589d5eb5d2af5e8_goldeneye.exe
Size

180KB
MD5

e32494cc6c4716c6f589d5eb5d2af5e8
SHA1

b29168da82f2fcb39d9b626e90db48fb6fa542b1
SHA256

c58246660651d2c2a6f35d5c7e52282c5630cfe15635258e20467f251c7fe565
SHA512

31abb9852224b36b03fcb9deff3b932c46e24cd6f6aa9fda545aaa101ca763efa5a4313aec09b6caf5fab283dc34e3d0acaac45b862baddd1590036d8c677db9
SSDEEP

3072:jEGh0ollfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGzl5eKcAEc

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral1/files/0x000d0000000122e6-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d0000000122e6-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00330000000155a0-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e0000000122e6-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000400000000b1f7-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0002000000010f1d-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000500000000b1f7-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0003000000010f1d-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000600000000b1f7-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000010f1d-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000700000000b1f7-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000010f1d-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{25EFB43B-14D2-4c8a-9951-41B13AAB1C76}	{1FF8E31E-3CB9-4a2c-85CB-203CBCD5BF4D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{229C7129-2BF8-47e7-91EA-A2947F8DC3E6}	{572EA52C-2E86-48c8-BACD-A80C14989ABD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{326BB197-3918-4e5d-88E7-B7728371E027}\stubpath = "C:\\Windows\\{326BB197-3918-4e5d-88E7-B7728371E027}.exe"	{A2B0DF4A-59AD-42a5-859C-785013DD59DA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1FF8E31E-3CB9-4a2c-85CB-203CBCD5BF4D}\stubpath = "C:\\Windows\\{1FF8E31E-3CB9-4a2c-85CB-203CBCD5BF4D}.exe"	{1BD0BCC8-86A3-4e23-87AF-FD69D47EBA28}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{25EFB43B-14D2-4c8a-9951-41B13AAB1C76}\stubpath = "C:\\Windows\\{25EFB43B-14D2-4c8a-9951-41B13AAB1C76}.exe"	{1FF8E31E-3CB9-4a2c-85CB-203CBCD5BF4D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{572EA52C-2E86-48c8-BACD-A80C14989ABD}\stubpath = "C:\\Windows\\{572EA52C-2E86-48c8-BACD-A80C14989ABD}.exe"	{03722CD0-B8E3-491a-8AF4-56B7644D0B2D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{229C7129-2BF8-47e7-91EA-A2947F8DC3E6}\stubpath = "C:\\Windows\\{229C7129-2BF8-47e7-91EA-A2947F8DC3E6}.exe"	{572EA52C-2E86-48c8-BACD-A80C14989ABD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A2B0DF4A-59AD-42a5-859C-785013DD59DA}	{C76EBB1D-920E-4ff9-9C2D-67F33373C6AB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A2B0DF4A-59AD-42a5-859C-785013DD59DA}\stubpath = "C:\\Windows\\{A2B0DF4A-59AD-42a5-859C-785013DD59DA}.exe"	{C76EBB1D-920E-4ff9-9C2D-67F33373C6AB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{03722CD0-B8E3-491a-8AF4-56B7644D0B2D}	{25EFB43B-14D2-4c8a-9951-41B13AAB1C76}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{572EA52C-2E86-48c8-BACD-A80C14989ABD}	{03722CD0-B8E3-491a-8AF4-56B7644D0B2D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E67EB4A6-C428-4572-ACB2-350F02AE38FF}	{229C7129-2BF8-47e7-91EA-A2947F8DC3E6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E67EB4A6-C428-4572-ACB2-350F02AE38FF}\stubpath = "C:\\Windows\\{E67EB4A6-C428-4572-ACB2-350F02AE38FF}.exe"	{229C7129-2BF8-47e7-91EA-A2947F8DC3E6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D30A92E4-80F4-45c7-B97A-1F35FE5D7731}	{E67EB4A6-C428-4572-ACB2-350F02AE38FF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C76EBB1D-920E-4ff9-9C2D-67F33373C6AB}\stubpath = "C:\\Windows\\{C76EBB1D-920E-4ff9-9C2D-67F33373C6AB}.exe"	2024-02-19_e32494cc6c4716c6f589d5eb5d2af5e8_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1FF8E31E-3CB9-4a2c-85CB-203CBCD5BF4D}	{1BD0BCC8-86A3-4e23-87AF-FD69D47EBA28}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1BD0BCC8-86A3-4e23-87AF-FD69D47EBA28}	{326BB197-3918-4e5d-88E7-B7728371E027}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1BD0BCC8-86A3-4e23-87AF-FD69D47EBA28}\stubpath = "C:\\Windows\\{1BD0BCC8-86A3-4e23-87AF-FD69D47EBA28}.exe"	{326BB197-3918-4e5d-88E7-B7728371E027}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{03722CD0-B8E3-491a-8AF4-56B7644D0B2D}\stubpath = "C:\\Windows\\{03722CD0-B8E3-491a-8AF4-56B7644D0B2D}.exe"	{25EFB43B-14D2-4c8a-9951-41B13AAB1C76}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D30A92E4-80F4-45c7-B97A-1F35FE5D7731}\stubpath = "C:\\Windows\\{D30A92E4-80F4-45c7-B97A-1F35FE5D7731}.exe"	{E67EB4A6-C428-4572-ACB2-350F02AE38FF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C76EBB1D-920E-4ff9-9C2D-67F33373C6AB}	2024-02-19_e32494cc6c4716c6f589d5eb5d2af5e8_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{326BB197-3918-4e5d-88E7-B7728371E027}	{A2B0DF4A-59AD-42a5-859C-785013DD59DA}.exe

Deletes itself 1 IoCs

pid	Process
2816	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
1732	{C76EBB1D-920E-4ff9-9C2D-67F33373C6AB}.exe
2576	{A2B0DF4A-59AD-42a5-859C-785013DD59DA}.exe
2736	{326BB197-3918-4e5d-88E7-B7728371E027}.exe
2776	{1BD0BCC8-86A3-4e23-87AF-FD69D47EBA28}.exe
3000	{1FF8E31E-3CB9-4a2c-85CB-203CBCD5BF4D}.exe
2620	{25EFB43B-14D2-4c8a-9951-41B13AAB1C76}.exe
672	{03722CD0-B8E3-491a-8AF4-56B7644D0B2D}.exe
2796	{572EA52C-2E86-48c8-BACD-A80C14989ABD}.exe
2100	{229C7129-2BF8-47e7-91EA-A2947F8DC3E6}.exe
2208	{E67EB4A6-C428-4572-ACB2-350F02AE38FF}.exe
824	{D30A92E4-80F4-45c7-B97A-1F35FE5D7731}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{326BB197-3918-4e5d-88E7-B7728371E027}.exe	{A2B0DF4A-59AD-42a5-859C-785013DD59DA}.exe
File created	C:\Windows\{1FF8E31E-3CB9-4a2c-85CB-203CBCD5BF4D}.exe	{1BD0BCC8-86A3-4e23-87AF-FD69D47EBA28}.exe
File created	C:\Windows\{03722CD0-B8E3-491a-8AF4-56B7644D0B2D}.exe	{25EFB43B-14D2-4c8a-9951-41B13AAB1C76}.exe
File created	C:\Windows\{572EA52C-2E86-48c8-BACD-A80C14989ABD}.exe	{03722CD0-B8E3-491a-8AF4-56B7644D0B2D}.exe
File created	C:\Windows\{229C7129-2BF8-47e7-91EA-A2947F8DC3E6}.exe	{572EA52C-2E86-48c8-BACD-A80C14989ABD}.exe
File created	C:\Windows\{C76EBB1D-920E-4ff9-9C2D-67F33373C6AB}.exe	2024-02-19_e32494cc6c4716c6f589d5eb5d2af5e8_goldeneye.exe
File created	C:\Windows\{A2B0DF4A-59AD-42a5-859C-785013DD59DA}.exe	{C76EBB1D-920E-4ff9-9C2D-67F33373C6AB}.exe
File created	C:\Windows\{1BD0BCC8-86A3-4e23-87AF-FD69D47EBA28}.exe	{326BB197-3918-4e5d-88E7-B7728371E027}.exe
File created	C:\Windows\{25EFB43B-14D2-4c8a-9951-41B13AAB1C76}.exe	{1FF8E31E-3CB9-4a2c-85CB-203CBCD5BF4D}.exe
File created	C:\Windows\{E67EB4A6-C428-4572-ACB2-350F02AE38FF}.exe	{229C7129-2BF8-47e7-91EA-A2947F8DC3E6}.exe
File created	C:\Windows\{D30A92E4-80F4-45c7-B97A-1F35FE5D7731}.exe	{E67EB4A6-C428-4572-ACB2-350F02AE38FF}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2512	2024-02-19_e32494cc6c4716c6f589d5eb5d2af5e8_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1732	{C76EBB1D-920E-4ff9-9C2D-67F33373C6AB}.exe
Token: SeIncBasePriorityPrivilege	2576	{A2B0DF4A-59AD-42a5-859C-785013DD59DA}.exe
Token: SeIncBasePriorityPrivilege	2736	{326BB197-3918-4e5d-88E7-B7728371E027}.exe
Token: SeIncBasePriorityPrivilege	2776	{1BD0BCC8-86A3-4e23-87AF-FD69D47EBA28}.exe
Token: SeIncBasePriorityPrivilege	3000	{1FF8E31E-3CB9-4a2c-85CB-203CBCD5BF4D}.exe
Token: SeIncBasePriorityPrivilege	2620	{25EFB43B-14D2-4c8a-9951-41B13AAB1C76}.exe
Token: SeIncBasePriorityPrivilege	672	{03722CD0-B8E3-491a-8AF4-56B7644D0B2D}.exe
Token: SeIncBasePriorityPrivilege	2796	{572EA52C-2E86-48c8-BACD-A80C14989ABD}.exe
Token: SeIncBasePriorityPrivilege	2100	{229C7129-2BF8-47e7-91EA-A2947F8DC3E6}.exe
Token: SeIncBasePriorityPrivilege	2208	{E67EB4A6-C428-4572-ACB2-350F02AE38FF}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2512 wrote to memory of 1732	2512	2024-02-19_e32494cc6c4716c6f589d5eb5d2af5e8_goldeneye.exe	28
PID 2512 wrote to memory of 1732	2512	2024-02-19_e32494cc6c4716c6f589d5eb5d2af5e8_goldeneye.exe	28
PID 2512 wrote to memory of 1732	2512	2024-02-19_e32494cc6c4716c6f589d5eb5d2af5e8_goldeneye.exe	28
PID 2512 wrote to memory of 1732	2512	2024-02-19_e32494cc6c4716c6f589d5eb5d2af5e8_goldeneye.exe	28
PID 2512 wrote to memory of 2816	2512	2024-02-19_e32494cc6c4716c6f589d5eb5d2af5e8_goldeneye.exe	29
PID 2512 wrote to memory of 2816	2512	2024-02-19_e32494cc6c4716c6f589d5eb5d2af5e8_goldeneye.exe	29
PID 2512 wrote to memory of 2816	2512	2024-02-19_e32494cc6c4716c6f589d5eb5d2af5e8_goldeneye.exe	29
PID 2512 wrote to memory of 2816	2512	2024-02-19_e32494cc6c4716c6f589d5eb5d2af5e8_goldeneye.exe	29
PID 1732 wrote to memory of 2576	1732	{C76EBB1D-920E-4ff9-9C2D-67F33373C6AB}.exe	30
PID 1732 wrote to memory of 2576	1732	{C76EBB1D-920E-4ff9-9C2D-67F33373C6AB}.exe	30
PID 1732 wrote to memory of 2576	1732	{C76EBB1D-920E-4ff9-9C2D-67F33373C6AB}.exe	30
PID 1732 wrote to memory of 2576	1732	{C76EBB1D-920E-4ff9-9C2D-67F33373C6AB}.exe	30
PID 1732 wrote to memory of 2684	1732	{C76EBB1D-920E-4ff9-9C2D-67F33373C6AB}.exe	31
PID 1732 wrote to memory of 2684	1732	{C76EBB1D-920E-4ff9-9C2D-67F33373C6AB}.exe	31
PID 1732 wrote to memory of 2684	1732	{C76EBB1D-920E-4ff9-9C2D-67F33373C6AB}.exe	31
PID 1732 wrote to memory of 2684	1732	{C76EBB1D-920E-4ff9-9C2D-67F33373C6AB}.exe	31
PID 2576 wrote to memory of 2736	2576	{A2B0DF4A-59AD-42a5-859C-785013DD59DA}.exe	32
PID 2576 wrote to memory of 2736	2576	{A2B0DF4A-59AD-42a5-859C-785013DD59DA}.exe	32
PID 2576 wrote to memory of 2736	2576	{A2B0DF4A-59AD-42a5-859C-785013DD59DA}.exe	32
PID 2576 wrote to memory of 2736	2576	{A2B0DF4A-59AD-42a5-859C-785013DD59DA}.exe	32
PID 2576 wrote to memory of 2632	2576	{A2B0DF4A-59AD-42a5-859C-785013DD59DA}.exe	33
PID 2576 wrote to memory of 2632	2576	{A2B0DF4A-59AD-42a5-859C-785013DD59DA}.exe	33
PID 2576 wrote to memory of 2632	2576	{A2B0DF4A-59AD-42a5-859C-785013DD59DA}.exe	33
PID 2576 wrote to memory of 2632	2576	{A2B0DF4A-59AD-42a5-859C-785013DD59DA}.exe	33
PID 2736 wrote to memory of 2776	2736	{326BB197-3918-4e5d-88E7-B7728371E027}.exe	37
PID 2736 wrote to memory of 2776	2736	{326BB197-3918-4e5d-88E7-B7728371E027}.exe	37
PID 2736 wrote to memory of 2776	2736	{326BB197-3918-4e5d-88E7-B7728371E027}.exe	37
PID 2736 wrote to memory of 2776	2736	{326BB197-3918-4e5d-88E7-B7728371E027}.exe	37
PID 2736 wrote to memory of 2932	2736	{326BB197-3918-4e5d-88E7-B7728371E027}.exe	36
PID 2736 wrote to memory of 2932	2736	{326BB197-3918-4e5d-88E7-B7728371E027}.exe	36
PID 2736 wrote to memory of 2932	2736	{326BB197-3918-4e5d-88E7-B7728371E027}.exe	36
PID 2736 wrote to memory of 2932	2736	{326BB197-3918-4e5d-88E7-B7728371E027}.exe	36
PID 2776 wrote to memory of 3000	2776	{1BD0BCC8-86A3-4e23-87AF-FD69D47EBA28}.exe	39
PID 2776 wrote to memory of 3000	2776	{1BD0BCC8-86A3-4e23-87AF-FD69D47EBA28}.exe	39
PID 2776 wrote to memory of 3000	2776	{1BD0BCC8-86A3-4e23-87AF-FD69D47EBA28}.exe	39
PID 2776 wrote to memory of 3000	2776	{1BD0BCC8-86A3-4e23-87AF-FD69D47EBA28}.exe	39
PID 2776 wrote to memory of 2668	2776	{1BD0BCC8-86A3-4e23-87AF-FD69D47EBA28}.exe	38
PID 2776 wrote to memory of 2668	2776	{1BD0BCC8-86A3-4e23-87AF-FD69D47EBA28}.exe	38
PID 2776 wrote to memory of 2668	2776	{1BD0BCC8-86A3-4e23-87AF-FD69D47EBA28}.exe	38
PID 2776 wrote to memory of 2668	2776	{1BD0BCC8-86A3-4e23-87AF-FD69D47EBA28}.exe	38
PID 3000 wrote to memory of 2620	3000	{1FF8E31E-3CB9-4a2c-85CB-203CBCD5BF4D}.exe	41
PID 3000 wrote to memory of 2620	3000	{1FF8E31E-3CB9-4a2c-85CB-203CBCD5BF4D}.exe	41
PID 3000 wrote to memory of 2620	3000	{1FF8E31E-3CB9-4a2c-85CB-203CBCD5BF4D}.exe	41
PID 3000 wrote to memory of 2620	3000	{1FF8E31E-3CB9-4a2c-85CB-203CBCD5BF4D}.exe	41
PID 3000 wrote to memory of 2480	3000	{1FF8E31E-3CB9-4a2c-85CB-203CBCD5BF4D}.exe	40
PID 3000 wrote to memory of 2480	3000	{1FF8E31E-3CB9-4a2c-85CB-203CBCD5BF4D}.exe	40
PID 3000 wrote to memory of 2480	3000	{1FF8E31E-3CB9-4a2c-85CB-203CBCD5BF4D}.exe	40
PID 3000 wrote to memory of 2480	3000	{1FF8E31E-3CB9-4a2c-85CB-203CBCD5BF4D}.exe	40
PID 2620 wrote to memory of 672	2620	{25EFB43B-14D2-4c8a-9951-41B13AAB1C76}.exe	42
PID 2620 wrote to memory of 672	2620	{25EFB43B-14D2-4c8a-9951-41B13AAB1C76}.exe	42
PID 2620 wrote to memory of 672	2620	{25EFB43B-14D2-4c8a-9951-41B13AAB1C76}.exe	42
PID 2620 wrote to memory of 672	2620	{25EFB43B-14D2-4c8a-9951-41B13AAB1C76}.exe	42
PID 2620 wrote to memory of 1056	2620	{25EFB43B-14D2-4c8a-9951-41B13AAB1C76}.exe	43
PID 2620 wrote to memory of 1056	2620	{25EFB43B-14D2-4c8a-9951-41B13AAB1C76}.exe	43
PID 2620 wrote to memory of 1056	2620	{25EFB43B-14D2-4c8a-9951-41B13AAB1C76}.exe	43
PID 2620 wrote to memory of 1056	2620	{25EFB43B-14D2-4c8a-9951-41B13AAB1C76}.exe	43
PID 672 wrote to memory of 2796	672	{03722CD0-B8E3-491a-8AF4-56B7644D0B2D}.exe	44
PID 672 wrote to memory of 2796	672	{03722CD0-B8E3-491a-8AF4-56B7644D0B2D}.exe	44
PID 672 wrote to memory of 2796	672	{03722CD0-B8E3-491a-8AF4-56B7644D0B2D}.exe	44
PID 672 wrote to memory of 2796	672	{03722CD0-B8E3-491a-8AF4-56B7644D0B2D}.exe	44
PID 672 wrote to memory of 1648	672	{03722CD0-B8E3-491a-8AF4-56B7644D0B2D}.exe	45
PID 672 wrote to memory of 1648	672	{03722CD0-B8E3-491a-8AF4-56B7644D0B2D}.exe	45
PID 672 wrote to memory of 1648	672	{03722CD0-B8E3-491a-8AF4-56B7644D0B2D}.exe	45
PID 672 wrote to memory of 1648	672	{03722CD0-B8E3-491a-8AF4-56B7644D0B2D}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-02-19_e32494cc6c4716c6f589d5eb5d2af5e8_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-19_e32494cc6c4716c6f589d5eb5d2af5e8_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2512
- C:\Windows\{C76EBB1D-920E-4ff9-9C2D-67F33373C6AB}.exe
  C:\Windows\{C76EBB1D-920E-4ff9-9C2D-67F33373C6AB}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1732
- - C:\Windows\{A2B0DF4A-59AD-42a5-859C-785013DD59DA}.exe
    C:\Windows\{A2B0DF4A-59AD-42a5-859C-785013DD59DA}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2576
  - - C:\Windows\{326BB197-3918-4e5d-88E7-B7728371E027}.exe
      C:\Windows\{326BB197-3918-4e5d-88E7-B7728371E027}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2736
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{326BB~1.EXE > nul
        5⤵
        
        PID:2932
    - - C:\Windows\{1BD0BCC8-86A3-4e23-87AF-FD69D47EBA28}.exe
        
        C:\Windows\{1BD0BCC8-86A3-4e23-87AF-FD69D47EBA28}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2776
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1BD0B~1.EXE > nul
        6⤵
        
        PID:2668
      - C:\Windows\{1FF8E31E-3CB9-4a2c-85CB-203CBCD5BF4D}.exe
        
        C:\Windows\{1FF8E31E-3CB9-4a2c-85CB-203CBCD5BF4D}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1FF8E~1.EXE > nul
        7⤵
        
        PID:2480
        
        C:\Windows\{25EFB43B-14D2-4c8a-9951-41B13AAB1C76}.exe
        
        C:\Windows\{25EFB43B-14D2-4c8a-9951-41B13AAB1C76}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2620
        
        C:\Windows\{03722CD0-B8E3-491a-8AF4-56B7644D0B2D}.exe
        
        C:\Windows\{03722CD0-B8E3-491a-8AF4-56B7644D0B2D}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:672
        
        C:\Windows\{572EA52C-2E86-48c8-BACD-A80C14989ABD}.exe
        
        C:\Windows\{572EA52C-2E86-48c8-BACD-A80C14989ABD}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2796
        
        C:\Windows\{229C7129-2BF8-47e7-91EA-A2947F8DC3E6}.exe
        
        C:\Windows\{229C7129-2BF8-47e7-91EA-A2947F8DC3E6}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2100
        
        C:\Windows\{E67EB4A6-C428-4572-ACB2-350F02AE38FF}.exe
        
        C:\Windows\{E67EB4A6-C428-4572-ACB2-350F02AE38FF}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2208
        
        C:\Windows\{D30A92E4-80F4-45c7-B97A-1F35FE5D7731}.exe
        
        C:\Windows\{D30A92E4-80F4-45c7-B97A-1F35FE5D7731}.exe
        12⤵
        Executes dropped EXE
        
        PID:824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E67EB~1.EXE > nul
        12⤵
        
        PID:792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{229C7~1.EXE > nul
        11⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{572EA~1.EXE > nul
        10⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{03722~1.EXE > nul
        9⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{25EFB~1.EXE > nul
        8⤵
        
        PID:1056
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{A2B0D~1.EXE > nul
      4⤵
      PID:2632
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{C76EB~1.EXE > nul
    3⤵
    PID:2684
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{03722CD0-B8E3-491a-8AF4-56B7644D0B2D}.exe

Filesize
180KB

MD5
6d4c919aac744d68bce8e4d177e4ec63

SHA1
3303eda5f4e4edac8c3b5dbc1250626323e691e3

SHA256
3c464e0f7875d3ed9e42af83b8793bbd01bde36968059ce0d9ea1b1444c95a68

SHA512
8de93ce6a58177febca306926e46874f53e75318293dda9027f4a5bc4af46b86c29d392f40e685755f5bed0d1317c01f465b7ac1402c1835225e85776bcf35e1

Download Submit
C:\Windows\{1BD0BCC8-86A3-4e23-87AF-FD69D47EBA28}.exe

Filesize
180KB

MD5
3db104d047cd576d761a577120b60cc9

SHA1
69508f787c19e0896d6d53d2fa3f8d117dd7df2e

SHA256
70d7e1d164540e478497e0a7f938811f32ee4133ebd172c348cfcac0a55f3208

SHA512
2dd7d142809842f623ba8c3955c09ca907f2dbc1588fb0dcd3b7d26eacf53f6c6f953891fc1094a2f743fa3d04485f24f090bfdee058a694dc4d425aa7f4ac44

Download Submit
C:\Windows\{1FF8E31E-3CB9-4a2c-85CB-203CBCD5BF4D}.exe

Filesize
180KB

MD5
9bd9a93af794ce131f38b4d340bda13f

SHA1
e12d87859daf97a9a0097b2e293f8c7251210fc2

SHA256
478373c729f55b4d8311b2a465973a6f4320584e152b7828f6ffd8fee52fb2a2

SHA512
37f7cc71d043bc442fbcbd3947e5ba7641f2a30230eaa8e59856b10fd4cd0748d13e16b869156c62f96ca0adddd0ab5266b7c8a7d59babd6de1e0b4511a6125b

Download Submit
C:\Windows\{229C7129-2BF8-47e7-91EA-A2947F8DC3E6}.exe

Filesize
180KB

MD5
08d03b327f3d1d97f19efd14f47f0c5c

SHA1
6b6dc0d78a1910abb546c1a5a353f0fc4e656ce9

SHA256
205fefb6a784a7838af5ec7db0aab525e2b08bad7c8bec1c8100f7caab8297c2

SHA512
31d5f4987eadd846e4e5a41fea99a87d25edb9dcf52aef1bdd5b75f7887426f977f7acd94fab122b257e6288887a4e58f5eac8c1c25d9732680503054f800bbb

Download Submit
C:\Windows\{25EFB43B-14D2-4c8a-9951-41B13AAB1C76}.exe

Filesize
180KB

MD5
c4c98639ebeddd43a61a7946e8b5d986

SHA1
437807744ab0d54ebf824e8d86edd26d50519c17

SHA256
558cd54184f16cbf65018d720cb46ae85c1b03e7fb7aa14b2e0759d4221e88a1

SHA512
d07d8cdf0a8adeff70b99da4cbfb7604a518099c9845e5ade13702ba6b156e5c0f8ae0a457f6301062a87b9fb95953107ab1f4b711b18e611e3fd5164a7b6ebe

Download Submit
C:\Windows\{326BB197-3918-4e5d-88E7-B7728371E027}.exe

Filesize
180KB

MD5
d85081c4bcabd51175c46ee863912ad3

SHA1
50594eab31a3c166c4255b6be27b20156eae6e53

SHA256
dfe91e3f88c0b3f8e291bd4773a827abe70b48b0005106c2be243f75367f4d89

SHA512
b6f47fae32b9c42a820aa3b208a471f469262b602163a8b4c49da08c9710f4b7f8fab9d5231ba73dd7e6aed6c7500d5c0cc8798a8123ba4e087e6978d4f52a68

Download Submit
C:\Windows\{572EA52C-2E86-48c8-BACD-A80C14989ABD}.exe

Filesize
180KB

MD5
ea4e1601a7a05e3040e67796152cc8ad

SHA1
d48a31f4b9eabad5736fca8a0e33b02cce546ff5

SHA256
701453cfd36305bc1e7e4868dd07c6fca49b9a0b643afba4f285ce45018e02c0

SHA512
5ad8cb750c675e5a0d2d7f0124020f5edea59a5741fb01eb1b5d6f0f44d781632cedbbb71f084e13512da1cc3ffddd8891e585fd5eb506e97e87ab38e2c4443f

Download Submit
C:\Windows\{A2B0DF4A-59AD-42a5-859C-785013DD59DA}.exe

Filesize
180KB

MD5
242867ad0b4e3573902da48086f3c784

SHA1
179c96639a09de8db0fea0badec22b22ac12ed08

SHA256
a459078e855c273578c72c7a7154a4b9683056206dd7c30dd34ae9b8d2c5dfa1

SHA512
64d8fe0e703b066a39e8ae869ea6856a97c2bcd439da96009d210866eb26490ad167af1987cbb3ac9835d0dfcd8f16a9f22f450c708ad6465e74b288435ea679

Download Submit
C:\Windows\{C76EBB1D-920E-4ff9-9C2D-67F33373C6AB}.exe

Filesize
180KB

MD5
1f6364f1b0bd9daf95720b66f07d34cc

SHA1
d3c095e4cacd9575d1992d577369087f6c4f07c7

SHA256
c783ee5aca70db97fbfc03b6ee51ed09698451f4a887bb419c1299aa2de3470c

SHA512
6d83a023c5ce875ebbd67adba03af1e060795c530ca9c5594062540b6851961b038d608f0731ec04ab6e6487b1329b5c3096ec1e2d5bddcddc21e607720336f1

Download Submit
C:\Windows\{C76EBB1D-920E-4ff9-9C2D-67F33373C6AB}.exe

Filesize
133KB

MD5
33618d02acfbb60b936d18151e40ca9d

SHA1
05f134de60827549f0169c988e97becfe800141b

SHA256
abbfd46c0f947d1d688a1831584a890f51a1a06078513248c6a0915324491fc7

SHA512
796a93bc8ff059a73f9d334900944a39ce4aa18a1c515cd5bea1036ad578aea0455ce07e166ca965b9b329d3a0405b3e272691a225ae0f79f35ab503aeb55735

Download Submit
C:\Windows\{D30A92E4-80F4-45c7-B97A-1F35FE5D7731}.exe

Filesize
180KB

MD5
c7f3e0bda7e3021669654505972a7be7

SHA1
19abaec45c63518fecf6125ef58e2e5e92de6bdd

SHA256
3fd7bcbc41a41e95e517dec6d11c79893e1a5376eb7645b8f6ca648b7abddd5f

SHA512
24514eddd32f585e3f9b3ca15124239c7633fa0c12f7b34eeb7381f5fb203a4bd88a38eb90fd16c24cf30714840c08501a703452f78de40f14e2cb5061d2e0e3

Download Submit
C:\Windows\{E67EB4A6-C428-4572-ACB2-350F02AE38FF}.exe

Filesize
180KB

MD5
e274ba8b0daab921f8c97dfe54a3be78

SHA1
a2c009b9c1c56ba2ca4f9eb74a6d86e2ea59a0c0

SHA256
13d4d72d9ae5678116daef6bd4707232b5893a0418f4a5f12e97460aa2ed9a4e

SHA512
cb455c1ef62b32142e6f8ead327fa172876b6ef90e8387e29fb2646d21de677ac18180d6f7a56f5abd5b081b4d952b344e4d3790b8a4343ad7d98e898e153e9a

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads