382c9c9f66e4965a5c45be832e1ad9ffa004ffeb405278b7774aa441eefea485

Analysis

max time kernel
144s
max time network
126s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
20/02/2024, 02:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-20_86f2e507771e7f0ef93d3a82d3292444_goldeneye.exe
Size

197KB
MD5

86f2e507771e7f0ef93d3a82d3292444
SHA1

bf690dd9242fcdfa3b978ffdf6b5c532cdb48b5e
SHA256

382c9c9f66e4965a5c45be832e1ad9ffa004ffeb405278b7774aa441eefea485
SHA512

f96db401b2ee2cc690bb751bb99196a9267fab00d73d6b1103c25a4614fdb92367a5cad2b4a50ec486c0bb0590c317526171767488e56fb4d55012f5536afc9c
SSDEEP

3072:jEGh0o3l+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGFlEeKcAEca

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000b00000001224c-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000012325-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c00000001224c-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x003400000001444d-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d00000001224c-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e00000001224c-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f00000001224c-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F729D5B0-2AA2-4216-8F45-41917B2F92F1}\stubpath = "C:\\Windows\\{F729D5B0-2AA2-4216-8F45-41917B2F92F1}.exe"	2024-02-20_86f2e507771e7f0ef93d3a82d3292444_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7254A35C-F1A9-4e68-AC18-2E61C1FE93A1}\stubpath = "C:\\Windows\\{7254A35C-F1A9-4e68-AC18-2E61C1FE93A1}.exe"	{F729D5B0-2AA2-4216-8F45-41917B2F92F1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{671AC84A-154E-459e-ABCF-EE5350259436}	{7254A35C-F1A9-4e68-AC18-2E61C1FE93A1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{671AC84A-154E-459e-ABCF-EE5350259436}\stubpath = "C:\\Windows\\{671AC84A-154E-459e-ABCF-EE5350259436}.exe"	{7254A35C-F1A9-4e68-AC18-2E61C1FE93A1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{18A0EE41-B7EF-43bd-AEF1-674985E0D9C3}\stubpath = "C:\\Windows\\{18A0EE41-B7EF-43bd-AEF1-674985E0D9C3}.exe"	{671AC84A-154E-459e-ABCF-EE5350259436}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0FEC151E-F089-4ab7-ABCC-F89701A1FA55}	{CF714ECD-CDBB-4cf4-B2B9-64955F642FF4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7E51D7CB-9462-4b45-B55C-5367B375B2DB}	{6541A262-B904-45a3-B9AB-70CBDBD2E1F9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8282B28A-B1FD-4710-9C1A-9F14DBD5D068}\stubpath = "C:\\Windows\\{8282B28A-B1FD-4710-9C1A-9F14DBD5D068}.exe"	{18A0EE41-B7EF-43bd-AEF1-674985E0D9C3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{38D30A7B-A479-4a3d-A4C6-E92AD90C17D1}	{8282B28A-B1FD-4710-9C1A-9F14DBD5D068}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6541A262-B904-45a3-B9AB-70CBDBD2E1F9}\stubpath = "C:\\Windows\\{6541A262-B904-45a3-B9AB-70CBDBD2E1F9}.exe"	{0FEC151E-F089-4ab7-ABCC-F89701A1FA55}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7E51D7CB-9462-4b45-B55C-5367B375B2DB}\stubpath = "C:\\Windows\\{7E51D7CB-9462-4b45-B55C-5367B375B2DB}.exe"	{6541A262-B904-45a3-B9AB-70CBDBD2E1F9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BC909CE1-6B0E-4b09-83EE-4DF9B9323048}\stubpath = "C:\\Windows\\{BC909CE1-6B0E-4b09-83EE-4DF9B9323048}.exe"	{7E51D7CB-9462-4b45-B55C-5367B375B2DB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{18A0EE41-B7EF-43bd-AEF1-674985E0D9C3}	{671AC84A-154E-459e-ABCF-EE5350259436}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8282B28A-B1FD-4710-9C1A-9F14DBD5D068}	{18A0EE41-B7EF-43bd-AEF1-674985E0D9C3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{38D30A7B-A479-4a3d-A4C6-E92AD90C17D1}\stubpath = "C:\\Windows\\{38D30A7B-A479-4a3d-A4C6-E92AD90C17D1}.exe"	{8282B28A-B1FD-4710-9C1A-9F14DBD5D068}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CF714ECD-CDBB-4cf4-B2B9-64955F642FF4}\stubpath = "C:\\Windows\\{CF714ECD-CDBB-4cf4-B2B9-64955F642FF4}.exe"	{38D30A7B-A479-4a3d-A4C6-E92AD90C17D1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BC909CE1-6B0E-4b09-83EE-4DF9B9323048}	{7E51D7CB-9462-4b45-B55C-5367B375B2DB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F729D5B0-2AA2-4216-8F45-41917B2F92F1}	2024-02-20_86f2e507771e7f0ef93d3a82d3292444_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7254A35C-F1A9-4e68-AC18-2E61C1FE93A1}	{F729D5B0-2AA2-4216-8F45-41917B2F92F1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CF714ECD-CDBB-4cf4-B2B9-64955F642FF4}	{38D30A7B-A479-4a3d-A4C6-E92AD90C17D1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0FEC151E-F089-4ab7-ABCC-F89701A1FA55}\stubpath = "C:\\Windows\\{0FEC151E-F089-4ab7-ABCC-F89701A1FA55}.exe"	{CF714ECD-CDBB-4cf4-B2B9-64955F642FF4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6541A262-B904-45a3-B9AB-70CBDBD2E1F9}	{0FEC151E-F089-4ab7-ABCC-F89701A1FA55}.exe

Deletes itself 1 IoCs

pid	Process
2788	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2708	{F729D5B0-2AA2-4216-8F45-41917B2F92F1}.exe
2680	{7254A35C-F1A9-4e68-AC18-2E61C1FE93A1}.exe
2792	{671AC84A-154E-459e-ABCF-EE5350259436}.exe
864	{18A0EE41-B7EF-43bd-AEF1-674985E0D9C3}.exe
1808	{8282B28A-B1FD-4710-9C1A-9F14DBD5D068}.exe
332	{38D30A7B-A479-4a3d-A4C6-E92AD90C17D1}.exe
1356	{CF714ECD-CDBB-4cf4-B2B9-64955F642FF4}.exe
2044	{0FEC151E-F089-4ab7-ABCC-F89701A1FA55}.exe
1996	{6541A262-B904-45a3-B9AB-70CBDBD2E1F9}.exe
488	{7E51D7CB-9462-4b45-B55C-5367B375B2DB}.exe
1800	{BC909CE1-6B0E-4b09-83EE-4DF9B9323048}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{671AC84A-154E-459e-ABCF-EE5350259436}.exe	{7254A35C-F1A9-4e68-AC18-2E61C1FE93A1}.exe
File created	C:\Windows\{8282B28A-B1FD-4710-9C1A-9F14DBD5D068}.exe	{18A0EE41-B7EF-43bd-AEF1-674985E0D9C3}.exe
File created	C:\Windows\{38D30A7B-A479-4a3d-A4C6-E92AD90C17D1}.exe	{8282B28A-B1FD-4710-9C1A-9F14DBD5D068}.exe
File created	C:\Windows\{0FEC151E-F089-4ab7-ABCC-F89701A1FA55}.exe	{CF714ECD-CDBB-4cf4-B2B9-64955F642FF4}.exe
File created	C:\Windows\{6541A262-B904-45a3-B9AB-70CBDBD2E1F9}.exe	{0FEC151E-F089-4ab7-ABCC-F89701A1FA55}.exe
File created	C:\Windows\{BC909CE1-6B0E-4b09-83EE-4DF9B9323048}.exe	{7E51D7CB-9462-4b45-B55C-5367B375B2DB}.exe
File created	C:\Windows\{F729D5B0-2AA2-4216-8F45-41917B2F92F1}.exe	2024-02-20_86f2e507771e7f0ef93d3a82d3292444_goldeneye.exe
File created	C:\Windows\{18A0EE41-B7EF-43bd-AEF1-674985E0D9C3}.exe	{671AC84A-154E-459e-ABCF-EE5350259436}.exe
File created	C:\Windows\{CF714ECD-CDBB-4cf4-B2B9-64955F642FF4}.exe	{38D30A7B-A479-4a3d-A4C6-E92AD90C17D1}.exe
File created	C:\Windows\{7E51D7CB-9462-4b45-B55C-5367B375B2DB}.exe	{6541A262-B904-45a3-B9AB-70CBDBD2E1F9}.exe
File created	C:\Windows\{7254A35C-F1A9-4e68-AC18-2E61C1FE93A1}.exe	{F729D5B0-2AA2-4216-8F45-41917B2F92F1}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2460	2024-02-20_86f2e507771e7f0ef93d3a82d3292444_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2708	{F729D5B0-2AA2-4216-8F45-41917B2F92F1}.exe
Token: SeIncBasePriorityPrivilege	2680	{7254A35C-F1A9-4e68-AC18-2E61C1FE93A1}.exe
Token: SeIncBasePriorityPrivilege	2792	{671AC84A-154E-459e-ABCF-EE5350259436}.exe
Token: SeIncBasePriorityPrivilege	864	{18A0EE41-B7EF-43bd-AEF1-674985E0D9C3}.exe
Token: SeIncBasePriorityPrivilege	1808	{8282B28A-B1FD-4710-9C1A-9F14DBD5D068}.exe
Token: SeIncBasePriorityPrivilege	332	{38D30A7B-A479-4a3d-A4C6-E92AD90C17D1}.exe
Token: SeIncBasePriorityPrivilege	1356	{CF714ECD-CDBB-4cf4-B2B9-64955F642FF4}.exe
Token: SeIncBasePriorityPrivilege	2044	{0FEC151E-F089-4ab7-ABCC-F89701A1FA55}.exe
Token: SeIncBasePriorityPrivilege	1996	{6541A262-B904-45a3-B9AB-70CBDBD2E1F9}.exe
Token: SeIncBasePriorityPrivilege	488	{7E51D7CB-9462-4b45-B55C-5367B375B2DB}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2460 wrote to memory of 2708	2460	2024-02-20_86f2e507771e7f0ef93d3a82d3292444_goldeneye.exe	28
PID 2460 wrote to memory of 2708	2460	2024-02-20_86f2e507771e7f0ef93d3a82d3292444_goldeneye.exe	28
PID 2460 wrote to memory of 2708	2460	2024-02-20_86f2e507771e7f0ef93d3a82d3292444_goldeneye.exe	28
PID 2460 wrote to memory of 2708	2460	2024-02-20_86f2e507771e7f0ef93d3a82d3292444_goldeneye.exe	28
PID 2460 wrote to memory of 2788	2460	2024-02-20_86f2e507771e7f0ef93d3a82d3292444_goldeneye.exe	29
PID 2460 wrote to memory of 2788	2460	2024-02-20_86f2e507771e7f0ef93d3a82d3292444_goldeneye.exe	29
PID 2460 wrote to memory of 2788	2460	2024-02-20_86f2e507771e7f0ef93d3a82d3292444_goldeneye.exe	29
PID 2460 wrote to memory of 2788	2460	2024-02-20_86f2e507771e7f0ef93d3a82d3292444_goldeneye.exe	29
PID 2708 wrote to memory of 2680	2708	{F729D5B0-2AA2-4216-8F45-41917B2F92F1}.exe	30
PID 2708 wrote to memory of 2680	2708	{F729D5B0-2AA2-4216-8F45-41917B2F92F1}.exe	30
PID 2708 wrote to memory of 2680	2708	{F729D5B0-2AA2-4216-8F45-41917B2F92F1}.exe	30
PID 2708 wrote to memory of 2680	2708	{F729D5B0-2AA2-4216-8F45-41917B2F92F1}.exe	30
PID 2708 wrote to memory of 2836	2708	{F729D5B0-2AA2-4216-8F45-41917B2F92F1}.exe	31
PID 2708 wrote to memory of 2836	2708	{F729D5B0-2AA2-4216-8F45-41917B2F92F1}.exe	31
PID 2708 wrote to memory of 2836	2708	{F729D5B0-2AA2-4216-8F45-41917B2F92F1}.exe	31
PID 2708 wrote to memory of 2836	2708	{F729D5B0-2AA2-4216-8F45-41917B2F92F1}.exe	31
PID 2680 wrote to memory of 2792	2680	{7254A35C-F1A9-4e68-AC18-2E61C1FE93A1}.exe	32
PID 2680 wrote to memory of 2792	2680	{7254A35C-F1A9-4e68-AC18-2E61C1FE93A1}.exe	32
PID 2680 wrote to memory of 2792	2680	{7254A35C-F1A9-4e68-AC18-2E61C1FE93A1}.exe	32
PID 2680 wrote to memory of 2792	2680	{7254A35C-F1A9-4e68-AC18-2E61C1FE93A1}.exe	32
PID 2680 wrote to memory of 2560	2680	{7254A35C-F1A9-4e68-AC18-2E61C1FE93A1}.exe	33
PID 2680 wrote to memory of 2560	2680	{7254A35C-F1A9-4e68-AC18-2E61C1FE93A1}.exe	33
PID 2680 wrote to memory of 2560	2680	{7254A35C-F1A9-4e68-AC18-2E61C1FE93A1}.exe	33
PID 2680 wrote to memory of 2560	2680	{7254A35C-F1A9-4e68-AC18-2E61C1FE93A1}.exe	33
PID 2792 wrote to memory of 864	2792	{671AC84A-154E-459e-ABCF-EE5350259436}.exe	36
PID 2792 wrote to memory of 864	2792	{671AC84A-154E-459e-ABCF-EE5350259436}.exe	36
PID 2792 wrote to memory of 864	2792	{671AC84A-154E-459e-ABCF-EE5350259436}.exe	36
PID 2792 wrote to memory of 864	2792	{671AC84A-154E-459e-ABCF-EE5350259436}.exe	36
PID 2792 wrote to memory of 2848	2792	{671AC84A-154E-459e-ABCF-EE5350259436}.exe	37
PID 2792 wrote to memory of 2848	2792	{671AC84A-154E-459e-ABCF-EE5350259436}.exe	37
PID 2792 wrote to memory of 2848	2792	{671AC84A-154E-459e-ABCF-EE5350259436}.exe	37
PID 2792 wrote to memory of 2848	2792	{671AC84A-154E-459e-ABCF-EE5350259436}.exe	37
PID 864 wrote to memory of 1808	864	{18A0EE41-B7EF-43bd-AEF1-674985E0D9C3}.exe	38
PID 864 wrote to memory of 1808	864	{18A0EE41-B7EF-43bd-AEF1-674985E0D9C3}.exe	38
PID 864 wrote to memory of 1808	864	{18A0EE41-B7EF-43bd-AEF1-674985E0D9C3}.exe	38
PID 864 wrote to memory of 1808	864	{18A0EE41-B7EF-43bd-AEF1-674985E0D9C3}.exe	38
PID 864 wrote to memory of 2992	864	{18A0EE41-B7EF-43bd-AEF1-674985E0D9C3}.exe	39
PID 864 wrote to memory of 2992	864	{18A0EE41-B7EF-43bd-AEF1-674985E0D9C3}.exe	39
PID 864 wrote to memory of 2992	864	{18A0EE41-B7EF-43bd-AEF1-674985E0D9C3}.exe	39
PID 864 wrote to memory of 2992	864	{18A0EE41-B7EF-43bd-AEF1-674985E0D9C3}.exe	39
PID 1808 wrote to memory of 332	1808	{8282B28A-B1FD-4710-9C1A-9F14DBD5D068}.exe	40
PID 1808 wrote to memory of 332	1808	{8282B28A-B1FD-4710-9C1A-9F14DBD5D068}.exe	40
PID 1808 wrote to memory of 332	1808	{8282B28A-B1FD-4710-9C1A-9F14DBD5D068}.exe	40
PID 1808 wrote to memory of 332	1808	{8282B28A-B1FD-4710-9C1A-9F14DBD5D068}.exe	40
PID 1808 wrote to memory of 1564	1808	{8282B28A-B1FD-4710-9C1A-9F14DBD5D068}.exe	41
PID 1808 wrote to memory of 1564	1808	{8282B28A-B1FD-4710-9C1A-9F14DBD5D068}.exe	41
PID 1808 wrote to memory of 1564	1808	{8282B28A-B1FD-4710-9C1A-9F14DBD5D068}.exe	41
PID 1808 wrote to memory of 1564	1808	{8282B28A-B1FD-4710-9C1A-9F14DBD5D068}.exe	41
PID 332 wrote to memory of 1356	332	{38D30A7B-A479-4a3d-A4C6-E92AD90C17D1}.exe	43
PID 332 wrote to memory of 1356	332	{38D30A7B-A479-4a3d-A4C6-E92AD90C17D1}.exe	43
PID 332 wrote to memory of 1356	332	{38D30A7B-A479-4a3d-A4C6-E92AD90C17D1}.exe	43
PID 332 wrote to memory of 1356	332	{38D30A7B-A479-4a3d-A4C6-E92AD90C17D1}.exe	43
PID 332 wrote to memory of 632	332	{38D30A7B-A479-4a3d-A4C6-E92AD90C17D1}.exe	42
PID 332 wrote to memory of 632	332	{38D30A7B-A479-4a3d-A4C6-E92AD90C17D1}.exe	42
PID 332 wrote to memory of 632	332	{38D30A7B-A479-4a3d-A4C6-E92AD90C17D1}.exe	42
PID 332 wrote to memory of 632	332	{38D30A7B-A479-4a3d-A4C6-E92AD90C17D1}.exe	42
PID 1356 wrote to memory of 2044	1356	{CF714ECD-CDBB-4cf4-B2B9-64955F642FF4}.exe	44
PID 1356 wrote to memory of 2044	1356	{CF714ECD-CDBB-4cf4-B2B9-64955F642FF4}.exe	44
PID 1356 wrote to memory of 2044	1356	{CF714ECD-CDBB-4cf4-B2B9-64955F642FF4}.exe	44
PID 1356 wrote to memory of 2044	1356	{CF714ECD-CDBB-4cf4-B2B9-64955F642FF4}.exe	44
PID 1356 wrote to memory of 2388	1356	{CF714ECD-CDBB-4cf4-B2B9-64955F642FF4}.exe	45
PID 1356 wrote to memory of 2388	1356	{CF714ECD-CDBB-4cf4-B2B9-64955F642FF4}.exe	45
PID 1356 wrote to memory of 2388	1356	{CF714ECD-CDBB-4cf4-B2B9-64955F642FF4}.exe	45
PID 1356 wrote to memory of 2388	1356	{CF714ECD-CDBB-4cf4-B2B9-64955F642FF4}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-02-20_86f2e507771e7f0ef93d3a82d3292444_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-20_86f2e507771e7f0ef93d3a82d3292444_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2460
- C:\Windows\{F729D5B0-2AA2-4216-8F45-41917B2F92F1}.exe
  C:\Windows\{F729D5B0-2AA2-4216-8F45-41917B2F92F1}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2708
- - C:\Windows\{7254A35C-F1A9-4e68-AC18-2E61C1FE93A1}.exe
    C:\Windows\{7254A35C-F1A9-4e68-AC18-2E61C1FE93A1}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2680
  - - C:\Windows\{671AC84A-154E-459e-ABCF-EE5350259436}.exe
      C:\Windows\{671AC84A-154E-459e-ABCF-EE5350259436}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2792
    - - C:\Windows\{18A0EE41-B7EF-43bd-AEF1-674985E0D9C3}.exe
        
        C:\Windows\{18A0EE41-B7EF-43bd-AEF1-674985E0D9C3}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:864
      - C:\Windows\{8282B28A-B1FD-4710-9C1A-9F14DBD5D068}.exe
        
        C:\Windows\{8282B28A-B1FD-4710-9C1A-9F14DBD5D068}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1808
        
        C:\Windows\{38D30A7B-A479-4a3d-A4C6-E92AD90C17D1}.exe
        
        C:\Windows\{38D30A7B-A479-4a3d-A4C6-E92AD90C17D1}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{38D30~1.EXE > nul
        8⤵
        
        PID:632
        
        C:\Windows\{CF714ECD-CDBB-4cf4-B2B9-64955F642FF4}.exe
        
        C:\Windows\{CF714ECD-CDBB-4cf4-B2B9-64955F642FF4}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1356
        
        C:\Windows\{0FEC151E-F089-4ab7-ABCC-F89701A1FA55}.exe
        
        C:\Windows\{0FEC151E-F089-4ab7-ABCC-F89701A1FA55}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2044
        
        C:\Windows\{6541A262-B904-45a3-B9AB-70CBDBD2E1F9}.exe
        
        C:\Windows\{6541A262-B904-45a3-B9AB-70CBDBD2E1F9}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6541A~1.EXE > nul
        11⤵
        
        PID:584
        
        C:\Windows\{7E51D7CB-9462-4b45-B55C-5367B375B2DB}.exe
        
        C:\Windows\{7E51D7CB-9462-4b45-B55C-5367B375B2DB}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7E51D~1.EXE > nul
        12⤵
        
        PID:1740
        
        C:\Windows\{BC909CE1-6B0E-4b09-83EE-4DF9B9323048}.exe
        
        C:\Windows\{BC909CE1-6B0E-4b09-83EE-4DF9B9323048}.exe
        12⤵
        Executes dropped EXE
        
        PID:1800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0FEC1~1.EXE > nul
        10⤵
        
        PID:2548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CF714~1.EXE > nul
        9⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8282B~1.EXE > nul
        7⤵
        
        PID:1564
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{18A0E~1.EXE > nul
        6⤵
        
        PID:2992
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{671AC~1.EXE > nul
        5⤵
        
        PID:2848
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{7254A~1.EXE > nul
      4⤵
      PID:2560
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{F729D~1.EXE > nul
    3⤵
    PID:2836
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0FEC151E-F089-4ab7-ABCC-F89701A1FA55}.exe

Filesize
197KB

MD5
dd7639463c3bd1fed644893d3b1b49ca

SHA1
8d7f027d7dccd8842722ab6fd670f324bd8a47ae

SHA256
01e774e4fafd0bb4868ed62525263d010dd06d63e9826e8ba249f79c8519c951

SHA512
b9e23b4db9f7680940cf20e1e5072e481f7b90379c0a025c0e48faef520071d1625881e4de2782fe52b8b6e3d5ce8b9f31abaf946aa07f4b7a0a835b45aaf498

Download Submit
C:\Windows\{18A0EE41-B7EF-43bd-AEF1-674985E0D9C3}.exe

Filesize
197KB

MD5
b0c649a6480d18a3f74bc29bab209c1b

SHA1
f1635952fb077e57962963050ce84b7c32ace576

SHA256
4a914fbf36cd06330702a02721b275aabd2aef7b6865f6d3a03e13ec696b98d5

SHA512
6bf9057ed0aef44580f4f0e650d9260004d069147b3110305e199d081cef87530727bea755a4667ea1c3b6099492a12b60feb2394bad9135453f959d30e85770

Download Submit
C:\Windows\{38D30A7B-A479-4a3d-A4C6-E92AD90C17D1}.exe

Filesize
197KB

MD5
5636159a0aff8809c441e88d85db7d56

SHA1
df1ec1a6cdb37b1a471f921dbcdf02324193b265

SHA256
2767092356a2ffefce40380d7a34d6c43563a4e5bedb5f238524ad9ed4cd29cd

SHA512
e239374efc80aee9eab5a185e3212457a61a499090dd869d265d605061e3a2a2176da033eeef6ed7b2ee9c90eeec7cb7ad79dc9e9160f634bd7902f39bd429fa

Download Submit
C:\Windows\{6541A262-B904-45a3-B9AB-70CBDBD2E1F9}.exe

Filesize
197KB

MD5
caf8c57dc6a4e64906285d15ebaff18d

SHA1
651f12f19c69f934ef696f6ccf7353d4598c8a96

SHA256
303e5b5b653d5150e9e6cc0865ce7eac0640ef8667cc16e088810f2c20fbf24b

SHA512
0b5b00201a567d9df12b455de53d2484cc3e05ab6c9df859a83343a6637af1eebadfe1eca99ee3622452ce6b8e634808da014b1eee643ee0ff7dc558bb9ce532

Download Submit
C:\Windows\{671AC84A-154E-459e-ABCF-EE5350259436}.exe

Filesize
197KB

MD5
35105f0bb9d6f2c516a15847d92ab6ec

SHA1
f7a6c4a9759fc36f70d938deaef4ca4e0d47eb41

SHA256
1736746251f54becfdab10f98263557396766d939013df9663197102e96111de

SHA512
7d94a467b3725cb12cc5e035b991c23ccc18cbca82a6777079266bcb1906484338922741a82121a197a57a0ad5ac572f04f2c7dc9bfcbe0696c6f6eff2859117

Download Submit
C:\Windows\{7254A35C-F1A9-4e68-AC18-2E61C1FE93A1}.exe

Filesize
197KB

MD5
4a1c885da5f080bc40860df13bef9fcf

SHA1
e23f5e5b22f0b825cb840c1573beeed9e5732a03

SHA256
a363b21d25a0655c75931640d744f7d96f43555fd108e254ce757e5b95d5cfb9

SHA512
3500b00ada865b5a85519e776efbfc14bc5ec205b81a1588f9c0250cc0a61caab1c822003673a215912333b16ab6fd49e0fa9d0cf8a9b02f166d4a35b575d128

Download Submit
C:\Windows\{7E51D7CB-9462-4b45-B55C-5367B375B2DB}.exe

Filesize
197KB

MD5
489efb19a54154dbc0bc8546eb186835

SHA1
f6bb01eb4263cfea73cc3fc042ddf46f5cca30c5

SHA256
90aa03d0512fb366289196565e3f9dc57c1420363dc409c13e3750931095da5a

SHA512
5dc66b1253331d5e6cdbd05ffd395d2c91640c67efdf44f3fa3fb780866697d1b7df6b67651e091a1c325a5ce90eb9e4ebe2a98f88f6b7b28c58a9612ce23043

Download Submit
C:\Windows\{8282B28A-B1FD-4710-9C1A-9F14DBD5D068}.exe

Filesize
197KB

MD5
898ed6140bec1e6636df9a317de5a1d2

SHA1
4de7e2d9c116d8050a9b010ddddff6d5a22db0c0

SHA256
b784f5b2f9d598e7b0059bf9bd4f331005f1a580c04c39581f662da1ab4c8c8e

SHA512
6adbd480b6675fb06452bef7aa7f7a67e4e5a7e4a124b645c9a395b39e285d0a01005ae0dcd6c4de89d1c4399e725f8e6bd66f4634ca25137062974dd823bd96

Download Submit
C:\Windows\{BC909CE1-6B0E-4b09-83EE-4DF9B9323048}.exe

Filesize
197KB

MD5
9d07927c47ce1540181b301cd528c1d9

SHA1
83a1e96f75c6700ad5d555d419e0d75dd67b4193

SHA256
6d4892f9c538c8c6c8a4b0aabcf11894df4929c6da4c96795132634c36482abb

SHA512
71f9b9924e0a341644aa4dc6ee705179f40187c568d4bb36be812befb8c9a696e8c363756c648bf994688061f2798738e3412077df1fa3c18e17a4c93fe58e59

Download Submit
C:\Windows\{CF714ECD-CDBB-4cf4-B2B9-64955F642FF4}.exe

Filesize
197KB

MD5
78b578139398c936bcba13643dc01d64

SHA1
9f8acbfdc1627eb79124c8e75e60d50a05c14019

SHA256
0a51fed6b9a8d4347bb21538ee3e3fbba8fcb398c3e86b7f37e129fa3fdee278

SHA512
e8444c97493170eae5d8ee2926a0dfb70b8ec602a1e92bfddece3b98af20897a3b6a2a0101185411862936a7d85110ea5af0beffc6b3e14639c77c9f6fcdb44b

Download Submit
C:\Windows\{F729D5B0-2AA2-4216-8F45-41917B2F92F1}.exe

Filesize
197KB

MD5
fd61b300cce5b147eeef030e7ed5488d

SHA1
8f98246b41797c641ea9a83fe0f1fa4e1444b1ae

SHA256
b8a83ce06b45df534e80da7dc1b9e84d86a729a8ed14258e7ec34d2666f15d29

SHA512
dd025df0c7b20fbd02dd4a311c9bbb5ec6e64a723cb390f6962808828efb3884c295acc4bd794e80d3cd187b1a9f47c91edee5ec672c413ec6d4deb28270053c

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads