7fd8ca70ace33ac55b368e22c7c8db8ef8a063ac2895891747c6540749212321

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
19/02/2024, 11:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-19_f38d004e248272f9cf5fbc0dd4b47b6e_goldeneye.exe
Size

180KB
MD5

f38d004e248272f9cf5fbc0dd4b47b6e
SHA1

a9126081e45c200f2dfa82a22464b2761913d5f0
SHA256

7fd8ca70ace33ac55b368e22c7c8db8ef8a063ac2895891747c6540749212321
SHA512

d609e01bd8145b6afd12d2f73c1c6287895195fa42d9d8cdbe0994cf5b83cf83c19208dff4277c0e67e90f4bc185cac1f3d82f7087605b9d2c03cfbe595b06a7
SSDEEP

3072:jEGh0oalfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGYl5eKcAEc

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000a000000012274-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0030000000012687-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00150000000132eb-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001000000000b1f5-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0031000000012687-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00080000000133d5-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00080000000133da-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00080000000133f6-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000013524-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a0000000139ec-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{64597DF2-F628-4794-B92F-58170BF1EFA4}\stubpath = "C:\\Windows\\{64597DF2-F628-4794-B92F-58170BF1EFA4}.exe"	{7E9C16CB-569C-4de4-AB74-F3C1EBC61D35}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{743D8CF2-66AF-4ab7-A9FD-4A6E70FE1680}	{64597DF2-F628-4794-B92F-58170BF1EFA4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DC47F971-2F05-49e9-9AB6-9E2FA8860621}	2024-02-19_f38d004e248272f9cf5fbc0dd4b47b6e_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{409EB24E-BB39-4fb9-A8CA-BAE081BA5E9D}\stubpath = "C:\\Windows\\{409EB24E-BB39-4fb9-A8CA-BAE081BA5E9D}.exe"	{413BBAF7-E6E4-4e93-8516-F5AE14101D32}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0BC4908E-083E-4ae4-99A4-7F6D5C2D706F}	{409EB24E-BB39-4fb9-A8CA-BAE081BA5E9D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0BC4908E-083E-4ae4-99A4-7F6D5C2D706F}\stubpath = "C:\\Windows\\{0BC4908E-083E-4ae4-99A4-7F6D5C2D706F}.exe"	{409EB24E-BB39-4fb9-A8CA-BAE081BA5E9D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{409EB24E-BB39-4fb9-A8CA-BAE081BA5E9D}	{413BBAF7-E6E4-4e93-8516-F5AE14101D32}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7E9C16CB-569C-4de4-AB74-F3C1EBC61D35}	{4E55586E-A1E1-499b-A617-F7AE5CB67FCB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7E9C16CB-569C-4de4-AB74-F3C1EBC61D35}\stubpath = "C:\\Windows\\{7E9C16CB-569C-4de4-AB74-F3C1EBC61D35}.exe"	{4E55586E-A1E1-499b-A617-F7AE5CB67FCB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{743D8CF2-66AF-4ab7-A9FD-4A6E70FE1680}\stubpath = "C:\\Windows\\{743D8CF2-66AF-4ab7-A9FD-4A6E70FE1680}.exe"	{64597DF2-F628-4794-B92F-58170BF1EFA4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DC47F971-2F05-49e9-9AB6-9E2FA8860621}\stubpath = "C:\\Windows\\{DC47F971-2F05-49e9-9AB6-9E2FA8860621}.exe"	2024-02-19_f38d004e248272f9cf5fbc0dd4b47b6e_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{596AED6D-0F81-4e77-81E8-B07AA12D3899}	{DC47F971-2F05-49e9-9AB6-9E2FA8860621}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{413BBAF7-E6E4-4e93-8516-F5AE14101D32}	{596AED6D-0F81-4e77-81E8-B07AA12D3899}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{413BBAF7-E6E4-4e93-8516-F5AE14101D32}\stubpath = "C:\\Windows\\{413BBAF7-E6E4-4e93-8516-F5AE14101D32}.exe"	{596AED6D-0F81-4e77-81E8-B07AA12D3899}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3FE0698D-0F85-44e9-A69C-2723C8D17489}	{F7E3621D-F952-4b5b-85C2-2EDC13748823}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3FE0698D-0F85-44e9-A69C-2723C8D17489}\stubpath = "C:\\Windows\\{3FE0698D-0F85-44e9-A69C-2723C8D17489}.exe"	{F7E3621D-F952-4b5b-85C2-2EDC13748823}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F7E3621D-F952-4b5b-85C2-2EDC13748823}	{743D8CF2-66AF-4ab7-A9FD-4A6E70FE1680}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F7E3621D-F952-4b5b-85C2-2EDC13748823}\stubpath = "C:\\Windows\\{F7E3621D-F952-4b5b-85C2-2EDC13748823}.exe"	{743D8CF2-66AF-4ab7-A9FD-4A6E70FE1680}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{596AED6D-0F81-4e77-81E8-B07AA12D3899}\stubpath = "C:\\Windows\\{596AED6D-0F81-4e77-81E8-B07AA12D3899}.exe"	{DC47F971-2F05-49e9-9AB6-9E2FA8860621}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4E55586E-A1E1-499b-A617-F7AE5CB67FCB}	{0BC4908E-083E-4ae4-99A4-7F6D5C2D706F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4E55586E-A1E1-499b-A617-F7AE5CB67FCB}\stubpath = "C:\\Windows\\{4E55586E-A1E1-499b-A617-F7AE5CB67FCB}.exe"	{0BC4908E-083E-4ae4-99A4-7F6D5C2D706F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{64597DF2-F628-4794-B92F-58170BF1EFA4}	{7E9C16CB-569C-4de4-AB74-F3C1EBC61D35}.exe

Deletes itself 1 IoCs

pid	Process
2604	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
1980	{DC47F971-2F05-49e9-9AB6-9E2FA8860621}.exe
2764	{596AED6D-0F81-4e77-81E8-B07AA12D3899}.exe
2516	{413BBAF7-E6E4-4e93-8516-F5AE14101D32}.exe
2472	{409EB24E-BB39-4fb9-A8CA-BAE081BA5E9D}.exe
2688	{0BC4908E-083E-4ae4-99A4-7F6D5C2D706F}.exe
1588	{4E55586E-A1E1-499b-A617-F7AE5CB67FCB}.exe
2128	{7E9C16CB-569C-4de4-AB74-F3C1EBC61D35}.exe
900	{64597DF2-F628-4794-B92F-58170BF1EFA4}.exe
1288	{743D8CF2-66AF-4ab7-A9FD-4A6E70FE1680}.exe
2360	{F7E3621D-F952-4b5b-85C2-2EDC13748823}.exe
1656	{3FE0698D-0F85-44e9-A69C-2723C8D17489}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{DC47F971-2F05-49e9-9AB6-9E2FA8860621}.exe	2024-02-19_f38d004e248272f9cf5fbc0dd4b47b6e_goldeneye.exe
File created	C:\Windows\{596AED6D-0F81-4e77-81E8-B07AA12D3899}.exe	{DC47F971-2F05-49e9-9AB6-9E2FA8860621}.exe
File created	C:\Windows\{7E9C16CB-569C-4de4-AB74-F3C1EBC61D35}.exe	{4E55586E-A1E1-499b-A617-F7AE5CB67FCB}.exe
File created	C:\Windows\{743D8CF2-66AF-4ab7-A9FD-4A6E70FE1680}.exe	{64597DF2-F628-4794-B92F-58170BF1EFA4}.exe
File created	C:\Windows\{F7E3621D-F952-4b5b-85C2-2EDC13748823}.exe	{743D8CF2-66AF-4ab7-A9FD-4A6E70FE1680}.exe
File created	C:\Windows\{3FE0698D-0F85-44e9-A69C-2723C8D17489}.exe	{F7E3621D-F952-4b5b-85C2-2EDC13748823}.exe
File created	C:\Windows\{413BBAF7-E6E4-4e93-8516-F5AE14101D32}.exe	{596AED6D-0F81-4e77-81E8-B07AA12D3899}.exe
File created	C:\Windows\{409EB24E-BB39-4fb9-A8CA-BAE081BA5E9D}.exe	{413BBAF7-E6E4-4e93-8516-F5AE14101D32}.exe
File created	C:\Windows\{0BC4908E-083E-4ae4-99A4-7F6D5C2D706F}.exe	{409EB24E-BB39-4fb9-A8CA-BAE081BA5E9D}.exe
File created	C:\Windows\{4E55586E-A1E1-499b-A617-F7AE5CB67FCB}.exe	{0BC4908E-083E-4ae4-99A4-7F6D5C2D706F}.exe
File created	C:\Windows\{64597DF2-F628-4794-B92F-58170BF1EFA4}.exe	{7E9C16CB-569C-4de4-AB74-F3C1EBC61D35}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2016	2024-02-19_f38d004e248272f9cf5fbc0dd4b47b6e_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1980	{DC47F971-2F05-49e9-9AB6-9E2FA8860621}.exe
Token: SeIncBasePriorityPrivilege	2764	{596AED6D-0F81-4e77-81E8-B07AA12D3899}.exe
Token: SeIncBasePriorityPrivilege	2516	{413BBAF7-E6E4-4e93-8516-F5AE14101D32}.exe
Token: SeIncBasePriorityPrivilege	2472	{409EB24E-BB39-4fb9-A8CA-BAE081BA5E9D}.exe
Token: SeIncBasePriorityPrivilege	2688	{0BC4908E-083E-4ae4-99A4-7F6D5C2D706F}.exe
Token: SeIncBasePriorityPrivilege	1588	{4E55586E-A1E1-499b-A617-F7AE5CB67FCB}.exe
Token: SeIncBasePriorityPrivilege	2128	{7E9C16CB-569C-4de4-AB74-F3C1EBC61D35}.exe
Token: SeIncBasePriorityPrivilege	900	{64597DF2-F628-4794-B92F-58170BF1EFA4}.exe
Token: SeIncBasePriorityPrivilege	1288	{743D8CF2-66AF-4ab7-A9FD-4A6E70FE1680}.exe
Token: SeIncBasePriorityPrivilege	2360	{F7E3621D-F952-4b5b-85C2-2EDC13748823}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2016 wrote to memory of 1980	2016	2024-02-19_f38d004e248272f9cf5fbc0dd4b47b6e_goldeneye.exe	28
PID 2016 wrote to memory of 1980	2016	2024-02-19_f38d004e248272f9cf5fbc0dd4b47b6e_goldeneye.exe	28
PID 2016 wrote to memory of 1980	2016	2024-02-19_f38d004e248272f9cf5fbc0dd4b47b6e_goldeneye.exe	28
PID 2016 wrote to memory of 1980	2016	2024-02-19_f38d004e248272f9cf5fbc0dd4b47b6e_goldeneye.exe	28
PID 2016 wrote to memory of 2604	2016	2024-02-19_f38d004e248272f9cf5fbc0dd4b47b6e_goldeneye.exe	29
PID 2016 wrote to memory of 2604	2016	2024-02-19_f38d004e248272f9cf5fbc0dd4b47b6e_goldeneye.exe	29
PID 2016 wrote to memory of 2604	2016	2024-02-19_f38d004e248272f9cf5fbc0dd4b47b6e_goldeneye.exe	29
PID 2016 wrote to memory of 2604	2016	2024-02-19_f38d004e248272f9cf5fbc0dd4b47b6e_goldeneye.exe	29
PID 1980 wrote to memory of 2764	1980	{DC47F971-2F05-49e9-9AB6-9E2FA8860621}.exe	30
PID 1980 wrote to memory of 2764	1980	{DC47F971-2F05-49e9-9AB6-9E2FA8860621}.exe	30
PID 1980 wrote to memory of 2764	1980	{DC47F971-2F05-49e9-9AB6-9E2FA8860621}.exe	30
PID 1980 wrote to memory of 2764	1980	{DC47F971-2F05-49e9-9AB6-9E2FA8860621}.exe	30
PID 1980 wrote to memory of 2860	1980	{DC47F971-2F05-49e9-9AB6-9E2FA8860621}.exe	31
PID 1980 wrote to memory of 2860	1980	{DC47F971-2F05-49e9-9AB6-9E2FA8860621}.exe	31
PID 1980 wrote to memory of 2860	1980	{DC47F971-2F05-49e9-9AB6-9E2FA8860621}.exe	31
PID 1980 wrote to memory of 2860	1980	{DC47F971-2F05-49e9-9AB6-9E2FA8860621}.exe	31
PID 2764 wrote to memory of 2516	2764	{596AED6D-0F81-4e77-81E8-B07AA12D3899}.exe	34
PID 2764 wrote to memory of 2516	2764	{596AED6D-0F81-4e77-81E8-B07AA12D3899}.exe	34
PID 2764 wrote to memory of 2516	2764	{596AED6D-0F81-4e77-81E8-B07AA12D3899}.exe	34
PID 2764 wrote to memory of 2516	2764	{596AED6D-0F81-4e77-81E8-B07AA12D3899}.exe	34
PID 2764 wrote to memory of 2556	2764	{596AED6D-0F81-4e77-81E8-B07AA12D3899}.exe	35
PID 2764 wrote to memory of 2556	2764	{596AED6D-0F81-4e77-81E8-B07AA12D3899}.exe	35
PID 2764 wrote to memory of 2556	2764	{596AED6D-0F81-4e77-81E8-B07AA12D3899}.exe	35
PID 2764 wrote to memory of 2556	2764	{596AED6D-0F81-4e77-81E8-B07AA12D3899}.exe	35
PID 2516 wrote to memory of 2472	2516	{413BBAF7-E6E4-4e93-8516-F5AE14101D32}.exe	36
PID 2516 wrote to memory of 2472	2516	{413BBAF7-E6E4-4e93-8516-F5AE14101D32}.exe	36
PID 2516 wrote to memory of 2472	2516	{413BBAF7-E6E4-4e93-8516-F5AE14101D32}.exe	36
PID 2516 wrote to memory of 2472	2516	{413BBAF7-E6E4-4e93-8516-F5AE14101D32}.exe	36
PID 2516 wrote to memory of 1920	2516	{413BBAF7-E6E4-4e93-8516-F5AE14101D32}.exe	37
PID 2516 wrote to memory of 1920	2516	{413BBAF7-E6E4-4e93-8516-F5AE14101D32}.exe	37
PID 2516 wrote to memory of 1920	2516	{413BBAF7-E6E4-4e93-8516-F5AE14101D32}.exe	37
PID 2516 wrote to memory of 1920	2516	{413BBAF7-E6E4-4e93-8516-F5AE14101D32}.exe	37
PID 2472 wrote to memory of 2688	2472	{409EB24E-BB39-4fb9-A8CA-BAE081BA5E9D}.exe	38
PID 2472 wrote to memory of 2688	2472	{409EB24E-BB39-4fb9-A8CA-BAE081BA5E9D}.exe	38
PID 2472 wrote to memory of 2688	2472	{409EB24E-BB39-4fb9-A8CA-BAE081BA5E9D}.exe	38
PID 2472 wrote to memory of 2688	2472	{409EB24E-BB39-4fb9-A8CA-BAE081BA5E9D}.exe	38
PID 2472 wrote to memory of 2928	2472	{409EB24E-BB39-4fb9-A8CA-BAE081BA5E9D}.exe	39
PID 2472 wrote to memory of 2928	2472	{409EB24E-BB39-4fb9-A8CA-BAE081BA5E9D}.exe	39
PID 2472 wrote to memory of 2928	2472	{409EB24E-BB39-4fb9-A8CA-BAE081BA5E9D}.exe	39
PID 2472 wrote to memory of 2928	2472	{409EB24E-BB39-4fb9-A8CA-BAE081BA5E9D}.exe	39
PID 2688 wrote to memory of 1588	2688	{0BC4908E-083E-4ae4-99A4-7F6D5C2D706F}.exe	40
PID 2688 wrote to memory of 1588	2688	{0BC4908E-083E-4ae4-99A4-7F6D5C2D706F}.exe	40
PID 2688 wrote to memory of 1588	2688	{0BC4908E-083E-4ae4-99A4-7F6D5C2D706F}.exe	40
PID 2688 wrote to memory of 1588	2688	{0BC4908E-083E-4ae4-99A4-7F6D5C2D706F}.exe	40
PID 2688 wrote to memory of 2036	2688	{0BC4908E-083E-4ae4-99A4-7F6D5C2D706F}.exe	41
PID 2688 wrote to memory of 2036	2688	{0BC4908E-083E-4ae4-99A4-7F6D5C2D706F}.exe	41
PID 2688 wrote to memory of 2036	2688	{0BC4908E-083E-4ae4-99A4-7F6D5C2D706F}.exe	41
PID 2688 wrote to memory of 2036	2688	{0BC4908E-083E-4ae4-99A4-7F6D5C2D706F}.exe	41
PID 1588 wrote to memory of 2128	1588	{4E55586E-A1E1-499b-A617-F7AE5CB67FCB}.exe	42
PID 1588 wrote to memory of 2128	1588	{4E55586E-A1E1-499b-A617-F7AE5CB67FCB}.exe	42
PID 1588 wrote to memory of 2128	1588	{4E55586E-A1E1-499b-A617-F7AE5CB67FCB}.exe	42
PID 1588 wrote to memory of 2128	1588	{4E55586E-A1E1-499b-A617-F7AE5CB67FCB}.exe	42
PID 1588 wrote to memory of 2572	1588	{4E55586E-A1E1-499b-A617-F7AE5CB67FCB}.exe	43
PID 1588 wrote to memory of 2572	1588	{4E55586E-A1E1-499b-A617-F7AE5CB67FCB}.exe	43
PID 1588 wrote to memory of 2572	1588	{4E55586E-A1E1-499b-A617-F7AE5CB67FCB}.exe	43
PID 1588 wrote to memory of 2572	1588	{4E55586E-A1E1-499b-A617-F7AE5CB67FCB}.exe	43
PID 2128 wrote to memory of 900	2128	{7E9C16CB-569C-4de4-AB74-F3C1EBC61D35}.exe	44
PID 2128 wrote to memory of 900	2128	{7E9C16CB-569C-4de4-AB74-F3C1EBC61D35}.exe	44
PID 2128 wrote to memory of 900	2128	{7E9C16CB-569C-4de4-AB74-F3C1EBC61D35}.exe	44
PID 2128 wrote to memory of 900	2128	{7E9C16CB-569C-4de4-AB74-F3C1EBC61D35}.exe	44
PID 2128 wrote to memory of 1496	2128	{7E9C16CB-569C-4de4-AB74-F3C1EBC61D35}.exe	45
PID 2128 wrote to memory of 1496	2128	{7E9C16CB-569C-4de4-AB74-F3C1EBC61D35}.exe	45
PID 2128 wrote to memory of 1496	2128	{7E9C16CB-569C-4de4-AB74-F3C1EBC61D35}.exe	45
PID 2128 wrote to memory of 1496	2128	{7E9C16CB-569C-4de4-AB74-F3C1EBC61D35}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-02-19_f38d004e248272f9cf5fbc0dd4b47b6e_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-19_f38d004e248272f9cf5fbc0dd4b47b6e_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2016
- C:\Windows\{DC47F971-2F05-49e9-9AB6-9E2FA8860621}.exe
  C:\Windows\{DC47F971-2F05-49e9-9AB6-9E2FA8860621}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1980
- - C:\Windows\{596AED6D-0F81-4e77-81E8-B07AA12D3899}.exe
    C:\Windows\{596AED6D-0F81-4e77-81E8-B07AA12D3899}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2764
  - - C:\Windows\{413BBAF7-E6E4-4e93-8516-F5AE14101D32}.exe
      C:\Windows\{413BBAF7-E6E4-4e93-8516-F5AE14101D32}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2516
    - - C:\Windows\{409EB24E-BB39-4fb9-A8CA-BAE081BA5E9D}.exe
        
        C:\Windows\{409EB24E-BB39-4fb9-A8CA-BAE081BA5E9D}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2472
      - C:\Windows\{0BC4908E-083E-4ae4-99A4-7F6D5C2D706F}.exe
        
        C:\Windows\{0BC4908E-083E-4ae4-99A4-7F6D5C2D706F}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2688
        
        C:\Windows\{4E55586E-A1E1-499b-A617-F7AE5CB67FCB}.exe
        
        C:\Windows\{4E55586E-A1E1-499b-A617-F7AE5CB67FCB}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1588
        
        C:\Windows\{7E9C16CB-569C-4de4-AB74-F3C1EBC61D35}.exe
        
        C:\Windows\{7E9C16CB-569C-4de4-AB74-F3C1EBC61D35}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2128
        
        C:\Windows\{64597DF2-F628-4794-B92F-58170BF1EFA4}.exe
        
        C:\Windows\{64597DF2-F628-4794-B92F-58170BF1EFA4}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:900
        
        C:\Windows\{743D8CF2-66AF-4ab7-A9FD-4A6E70FE1680}.exe
        
        C:\Windows\{743D8CF2-66AF-4ab7-A9FD-4A6E70FE1680}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1288
        
        C:\Windows\{F7E3621D-F952-4b5b-85C2-2EDC13748823}.exe
        
        C:\Windows\{F7E3621D-F952-4b5b-85C2-2EDC13748823}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2360
        
        C:\Windows\{3FE0698D-0F85-44e9-A69C-2723C8D17489}.exe
        
        C:\Windows\{3FE0698D-0F85-44e9-A69C-2723C8D17489}.exe
        12⤵
        Executes dropped EXE
        
        PID:1656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F7E36~1.EXE > nul
        12⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{743D8~1.EXE > nul
        11⤵
        
        PID:2332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{64597~1.EXE > nul
        10⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7E9C1~1.EXE > nul
        9⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4E555~1.EXE > nul
        8⤵
        
        PID:2572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0BC49~1.EXE > nul
        7⤵
        
        PID:2036
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{409EB~1.EXE > nul
        6⤵
        
        PID:2928
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{413BB~1.EXE > nul
        5⤵
        
        PID:1920
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{596AE~1.EXE > nul
      4⤵
      PID:2556
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{DC47F~1.EXE > nul
    3⤵
    PID:2860
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0BC4908E-083E-4ae4-99A4-7F6D5C2D706F}.exe

Filesize
180KB

MD5
674006ea910a8b19817856651d17fdf0

SHA1
359cf3162026fe37b2e9ebe2d7349cdb51eea9e6

SHA256
0089aa466742dba27b10e6c206a732ff370bb49ffdd6f7fe7a374fdb618f2902

SHA512
f208f8b63445f69ef1d00f249717ba4dd869c0f76e98b911fc5dceb4ba4e77b618a06ab6ed390b139abea1b4186c84c2a91bfce2ba1d6e8b2dfe8ba0329cd28f

Download Submit
C:\Windows\{3FE0698D-0F85-44e9-A69C-2723C8D17489}.exe

Filesize
180KB

MD5
cbea5901004f45805f8b0be5cd3e9f8f

SHA1
81bac258e2cd7f31e31dc1d67e2004dbc3f50c1e

SHA256
a9c821f0edb114dcfbb52b268a36a6e3c7e3fdd45df7eaf01ebadda78a18924c

SHA512
e8422b748cbf22c858b8d9f0330a898dfd97ad33daebbb596396673bc04f65b03efba7e5188d44037fcdc0fd33a044136989476aa924c0699995bdefb28c1efb

Download Submit
C:\Windows\{409EB24E-BB39-4fb9-A8CA-BAE081BA5E9D}.exe

Filesize
180KB

MD5
7044abb519ceb1ca148e72def75bc1e5

SHA1
966dc92f7578b8d892c02421d00df0d15a43a6e4

SHA256
a8b38af525c37a553f744bf7224682db5a131790d9b41b5b9276768c7309ca79

SHA512
e9bd5fc3fbed7af2452629014cc1d8474f209f913b591762addc7f5e6d6272d5ea1c4224d9f5e37114c18e48635e77a4b44e697a12199969e00905a8736593eb

Download Submit
C:\Windows\{413BBAF7-E6E4-4e93-8516-F5AE14101D32}.exe

Filesize
180KB

MD5
a6563aaf449f38c5ff504207a670bfda

SHA1
a25f1e396d3a97aa8052ea3c30d72766b78ae479

SHA256
037a0fcfb075b571f19befa54c6b9be69fd46ee8eab85a62e441fddbbef60aba

SHA512
3e7da14f2428d5129c90b074276964f4ea78aa71701db76e27c5c931b410d77dcb4f36fc5ad1060383d4689a5f1aef6a69d1dbaecd4405bcc5b85020532059bf

Download Submit
C:\Windows\{4E55586E-A1E1-499b-A617-F7AE5CB67FCB}.exe

Filesize
180KB

MD5
5e7620fbb324f42113aae1a92e547537

SHA1
932bca1f1f6d38edc336bdd76efe8ed102123232

SHA256
33765eebebe681a62254ecc25fd76a8bb3325fe9a4305693a34e7a6bc2186f4e

SHA512
9309a50ffcfe20eba7c58dc325a9def292294e5bb80eaeca0b7452c22ce6566955fb6f30cbb33d493f47c88387585dcc92ead78e4b6b6abc4bce9d3ccbf25413

Download Submit
C:\Windows\{596AED6D-0F81-4e77-81E8-B07AA12D3899}.exe

Filesize
180KB

MD5
3ce31174dca958e8f31dbf7680b92eab

SHA1
e49e0af028f5f27e35738fc113d352485c578ceb

SHA256
4909d7b42596f0143f8c8361092c8b73857b0c005ce97dcbfabfbb15afadefb3

SHA512
6c9e60535dd44b0828cd5dc694eebeb9901294e0c1ede9708b9c625a5de9db6fa709801f036fc8e59a1f4886760e36db5c2022884832e4baf8c83bbbd67bdafb

Download Submit
C:\Windows\{64597DF2-F628-4794-B92F-58170BF1EFA4}.exe

Filesize
180KB

MD5
a802dbe74c52c6f3786abb683e5b087f

SHA1
b5b5be5ef0acda267162b898e69731ef142d74af

SHA256
5d9071ccfe18e615fa045c8207a9a0768d0d721fe32121b45103337526a7f305

SHA512
f0c536f8de581f6a90705b9ffc5f1bf462329cf02962347190971d332250fc4d0222d72df37f2edddaf10ea42c46ef70b4a80f3978ff458104c5a3f46ed562fb

Download Submit
C:\Windows\{743D8CF2-66AF-4ab7-A9FD-4A6E70FE1680}.exe

Filesize
180KB

MD5
4439004ca571dde22bf657741a1974ef

SHA1
537a32ebbd417d8979530b61237c6b2af20567fe

SHA256
0bd13167ee9e63ea871db89462e5c1fd683ba379de8b31d8c63bba48879384d0

SHA512
5c5621095d6b80f0a6ac1a12bd386c189ad6882f36342349d24d82ef1ceec41923351227d8bc2bf1a8413832a3d368ef8d0d1c983998cd890a4ce1b58d216ee3

Download Submit
C:\Windows\{7E9C16CB-569C-4de4-AB74-F3C1EBC61D35}.exe

Filesize
180KB

MD5
01f71cb96a34dd42f3260e5cb6203f8a

SHA1
1eda645b2d78b05e26876a236ddab1498e83767d

SHA256
a68703723c1248c30636a92c78442cda0c8d2c02dee5f8d4c032072d4fa8a092

SHA512
ca8396bbbcee2b300231ebd8001f7cb67e9531f4f88cc20468ec1b791153e06abdf7341d942229c6eab7163fd0a6c4ee372ecf135528b97026262f71abb1f6ac

Download Submit
C:\Windows\{DC47F971-2F05-49e9-9AB6-9E2FA8860621}.exe

Filesize
180KB

MD5
950f86abf77b183e6a472f251ec31b1f

SHA1
c93eb49696ec2a19b3541b2cfd6f9feb9fc4ae49

SHA256
b5c61d03e0b8440798a7e22bb548d7549baa8f4ef1b675b046391a884fa00c20

SHA512
74deb605a0731f9379575f539c8c37888cfd0092b5a34289e1c57aa553bee0ee88e2cd7c1f073fc78ef0e67c9d21323b9d85cfd99802b4116cf966937bf8e11b

Download Submit
C:\Windows\{F7E3621D-F952-4b5b-85C2-2EDC13748823}.exe

Filesize
180KB

MD5
1e848990d1c375f4b3716c973af8fbd5

SHA1
b10820888058cf9e4769a5998db1144daa8951be

SHA256
7adcf4e68c049974af287515abd1747c4a7ab588fef6973297cf7292f8d9d6ed

SHA512
fcadb841068173fdf83c602027aa403188dbdf7c6ece2a32a8ff5a43eba8e3d94d8a870e3bf571edc888f70442728100a1a41f09362d117255c2349e65641505

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads