5351694cb06043ef5410f1e4718f6a1982a0fe6fc314b6f2eb87aae1f9e5d437

Analysis

max time kernel
144s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
21/02/2024, 21:40

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-02-21_e66da1f236279523c38114b5775195f8_goldeneye.exe
Size

168KB
MD5

e66da1f236279523c38114b5775195f8
SHA1

708135b928d3533d472d7caad0e6e961384565f9
SHA256

5351694cb06043ef5410f1e4718f6a1982a0fe6fc314b6f2eb87aae1f9e5d437
SHA512

941accdd660bc3731e5ef439c20bc82b1a33123c2e8f0145ea3ed1474929bd33859f8a8bb5289b01825b35696e84199d14646587ac1df2f239c08fd47be5eed8
SSDEEP

1536:1EGh0ojlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0ojlqOPOe2MUVg3Ve+rX

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral1/files/0x000b00000001224c-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000014267-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f00000000f680-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f00000000f680-20.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e000000014267-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001000000000f680-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f000000014267-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001100000000f680-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0010000000014267-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001200000000f680-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0011000000014267-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001300000000f680-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A16EC1BF-4DEB-4cfb-80F1-051638B202AC}	{67DFD244-3AC6-4664-9255-E88CB5F83ADA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A16EC1BF-4DEB-4cfb-80F1-051638B202AC}\stubpath = "C:\\Windows\\{A16EC1BF-4DEB-4cfb-80F1-051638B202AC}.exe"	{67DFD244-3AC6-4664-9255-E88CB5F83ADA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{91F17690-B7C2-41dc-A24A-C77B6D2D9AE5}	{A16EC1BF-4DEB-4cfb-80F1-051638B202AC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6F988E40-5947-4b5b-B81B-F96F40086BA1}\stubpath = "C:\\Windows\\{6F988E40-5947-4b5b-B81B-F96F40086BA1}.exe"	{AB44F350-BF5E-499a-B0DE-5CD3C583E4CC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{67DFD244-3AC6-4664-9255-E88CB5F83ADA}	{937B3D1D-711D-4c08-97CB-E0B1B55AEED3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{937B3D1D-711D-4c08-97CB-E0B1B55AEED3}	{550BD226-B2A5-4cac-A393-31DCD1D0FC39}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{67DFD244-3AC6-4664-9255-E88CB5F83ADA}\stubpath = "C:\\Windows\\{67DFD244-3AC6-4664-9255-E88CB5F83ADA}.exe"	{937B3D1D-711D-4c08-97CB-E0B1B55AEED3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EE5C3292-0C6B-46a4-B3F4-F158696AAC56}\stubpath = "C:\\Windows\\{EE5C3292-0C6B-46a4-B3F4-F158696AAC56}.exe"	{91F17690-B7C2-41dc-A24A-C77B6D2D9AE5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0E594556-EC71-468a-BB32-FF27B039827D}	2024-02-21_e66da1f236279523c38114b5775195f8_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{550BD226-B2A5-4cac-A393-31DCD1D0FC39}\stubpath = "C:\\Windows\\{550BD226-B2A5-4cac-A393-31DCD1D0FC39}.exe"	{0E594556-EC71-468a-BB32-FF27B039827D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{91F17690-B7C2-41dc-A24A-C77B6D2D9AE5}\stubpath = "C:\\Windows\\{91F17690-B7C2-41dc-A24A-C77B6D2D9AE5}.exe"	{A16EC1BF-4DEB-4cfb-80F1-051638B202AC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EE5C3292-0C6B-46a4-B3F4-F158696AAC56}	{91F17690-B7C2-41dc-A24A-C77B6D2D9AE5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AB44F350-BF5E-499a-B0DE-5CD3C583E4CC}	{EE5C3292-0C6B-46a4-B3F4-F158696AAC56}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6F988E40-5947-4b5b-B81B-F96F40086BA1}	{AB44F350-BF5E-499a-B0DE-5CD3C583E4CC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{91497229-CF4A-4c8f-BDA8-FF183148547A}	{6F988E40-5947-4b5b-B81B-F96F40086BA1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1BE01779-E5B5-44ad-9741-0DE5A8C0A5D1}	{91497229-CF4A-4c8f-BDA8-FF183148547A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0E594556-EC71-468a-BB32-FF27B039827D}\stubpath = "C:\\Windows\\{0E594556-EC71-468a-BB32-FF27B039827D}.exe"	2024-02-21_e66da1f236279523c38114b5775195f8_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1BE01779-E5B5-44ad-9741-0DE5A8C0A5D1}\stubpath = "C:\\Windows\\{1BE01779-E5B5-44ad-9741-0DE5A8C0A5D1}.exe"	{91497229-CF4A-4c8f-BDA8-FF183148547A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{937B3D1D-711D-4c08-97CB-E0B1B55AEED3}\stubpath = "C:\\Windows\\{937B3D1D-711D-4c08-97CB-E0B1B55AEED3}.exe"	{550BD226-B2A5-4cac-A393-31DCD1D0FC39}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AB44F350-BF5E-499a-B0DE-5CD3C583E4CC}\stubpath = "C:\\Windows\\{AB44F350-BF5E-499a-B0DE-5CD3C583E4CC}.exe"	{EE5C3292-0C6B-46a4-B3F4-F158696AAC56}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{91497229-CF4A-4c8f-BDA8-FF183148547A}\stubpath = "C:\\Windows\\{91497229-CF4A-4c8f-BDA8-FF183148547A}.exe"	{6F988E40-5947-4b5b-B81B-F96F40086BA1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{550BD226-B2A5-4cac-A393-31DCD1D0FC39}	{0E594556-EC71-468a-BB32-FF27B039827D}.exe

Deletes itself 1 IoCs

pid	Process
1720	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
1384	{0E594556-EC71-468a-BB32-FF27B039827D}.exe
2880	{550BD226-B2A5-4cac-A393-31DCD1D0FC39}.exe
2400	{937B3D1D-711D-4c08-97CB-E0B1B55AEED3}.exe
2408	{67DFD244-3AC6-4664-9255-E88CB5F83ADA}.exe
764	{A16EC1BF-4DEB-4cfb-80F1-051638B202AC}.exe
1220	{91F17690-B7C2-41dc-A24A-C77B6D2D9AE5}.exe
2352	{EE5C3292-0C6B-46a4-B3F4-F158696AAC56}.exe
1368	{AB44F350-BF5E-499a-B0DE-5CD3C583E4CC}.exe
1620	{6F988E40-5947-4b5b-B81B-F96F40086BA1}.exe
1132	{91497229-CF4A-4c8f-BDA8-FF183148547A}.exe
2256	{1BE01779-E5B5-44ad-9741-0DE5A8C0A5D1}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{AB44F350-BF5E-499a-B0DE-5CD3C583E4CC}.exe	{EE5C3292-0C6B-46a4-B3F4-F158696AAC56}.exe
File created	C:\Windows\{6F988E40-5947-4b5b-B81B-F96F40086BA1}.exe	{AB44F350-BF5E-499a-B0DE-5CD3C583E4CC}.exe
File created	C:\Windows\{0E594556-EC71-468a-BB32-FF27B039827D}.exe	2024-02-21_e66da1f236279523c38114b5775195f8_goldeneye.exe
File created	C:\Windows\{550BD226-B2A5-4cac-A393-31DCD1D0FC39}.exe	{0E594556-EC71-468a-BB32-FF27B039827D}.exe
File created	C:\Windows\{A16EC1BF-4DEB-4cfb-80F1-051638B202AC}.exe	{67DFD244-3AC6-4664-9255-E88CB5F83ADA}.exe
File created	C:\Windows\{EE5C3292-0C6B-46a4-B3F4-F158696AAC56}.exe	{91F17690-B7C2-41dc-A24A-C77B6D2D9AE5}.exe
File created	C:\Windows\{91497229-CF4A-4c8f-BDA8-FF183148547A}.exe	{6F988E40-5947-4b5b-B81B-F96F40086BA1}.exe
File created	C:\Windows\{1BE01779-E5B5-44ad-9741-0DE5A8C0A5D1}.exe	{91497229-CF4A-4c8f-BDA8-FF183148547A}.exe
File created	C:\Windows\{937B3D1D-711D-4c08-97CB-E0B1B55AEED3}.exe	{550BD226-B2A5-4cac-A393-31DCD1D0FC39}.exe
File created	C:\Windows\{67DFD244-3AC6-4664-9255-E88CB5F83ADA}.exe	{937B3D1D-711D-4c08-97CB-E0B1B55AEED3}.exe
File created	C:\Windows\{91F17690-B7C2-41dc-A24A-C77B6D2D9AE5}.exe	{A16EC1BF-4DEB-4cfb-80F1-051638B202AC}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2032	2024-02-21_e66da1f236279523c38114b5775195f8_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1384	{0E594556-EC71-468a-BB32-FF27B039827D}.exe
Token: SeIncBasePriorityPrivilege	2880	{550BD226-B2A5-4cac-A393-31DCD1D0FC39}.exe
Token: SeIncBasePriorityPrivilege	2400	{937B3D1D-711D-4c08-97CB-E0B1B55AEED3}.exe
Token: SeIncBasePriorityPrivilege	2408	{67DFD244-3AC6-4664-9255-E88CB5F83ADA}.exe
Token: SeIncBasePriorityPrivilege	764	{A16EC1BF-4DEB-4cfb-80F1-051638B202AC}.exe
Token: SeIncBasePriorityPrivilege	1220	{91F17690-B7C2-41dc-A24A-C77B6D2D9AE5}.exe
Token: SeIncBasePriorityPrivilege	2352	{EE5C3292-0C6B-46a4-B3F4-F158696AAC56}.exe
Token: SeIncBasePriorityPrivilege	1368	{AB44F350-BF5E-499a-B0DE-5CD3C583E4CC}.exe
Token: SeIncBasePriorityPrivilege	1620	{6F988E40-5947-4b5b-B81B-F96F40086BA1}.exe
Token: SeIncBasePriorityPrivilege	1132	{91497229-CF4A-4c8f-BDA8-FF183148547A}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2032 wrote to memory of 1384	2032	2024-02-21_e66da1f236279523c38114b5775195f8_goldeneye.exe	28
PID 2032 wrote to memory of 1384	2032	2024-02-21_e66da1f236279523c38114b5775195f8_goldeneye.exe	28
PID 2032 wrote to memory of 1384	2032	2024-02-21_e66da1f236279523c38114b5775195f8_goldeneye.exe	28
PID 2032 wrote to memory of 1384	2032	2024-02-21_e66da1f236279523c38114b5775195f8_goldeneye.exe	28
PID 2032 wrote to memory of 1720	2032	2024-02-21_e66da1f236279523c38114b5775195f8_goldeneye.exe	29
PID 2032 wrote to memory of 1720	2032	2024-02-21_e66da1f236279523c38114b5775195f8_goldeneye.exe	29
PID 2032 wrote to memory of 1720	2032	2024-02-21_e66da1f236279523c38114b5775195f8_goldeneye.exe	29
PID 2032 wrote to memory of 1720	2032	2024-02-21_e66da1f236279523c38114b5775195f8_goldeneye.exe	29
PID 1384 wrote to memory of 2880	1384	{0E594556-EC71-468a-BB32-FF27B039827D}.exe	30
PID 1384 wrote to memory of 2880	1384	{0E594556-EC71-468a-BB32-FF27B039827D}.exe	30
PID 1384 wrote to memory of 2880	1384	{0E594556-EC71-468a-BB32-FF27B039827D}.exe	30
PID 1384 wrote to memory of 2880	1384	{0E594556-EC71-468a-BB32-FF27B039827D}.exe	30
PID 1384 wrote to memory of 2504	1384	{0E594556-EC71-468a-BB32-FF27B039827D}.exe	31
PID 1384 wrote to memory of 2504	1384	{0E594556-EC71-468a-BB32-FF27B039827D}.exe	31
PID 1384 wrote to memory of 2504	1384	{0E594556-EC71-468a-BB32-FF27B039827D}.exe	31
PID 1384 wrote to memory of 2504	1384	{0E594556-EC71-468a-BB32-FF27B039827D}.exe	31
PID 2880 wrote to memory of 2400	2880	{550BD226-B2A5-4cac-A393-31DCD1D0FC39}.exe	34
PID 2880 wrote to memory of 2400	2880	{550BD226-B2A5-4cac-A393-31DCD1D0FC39}.exe	34
PID 2880 wrote to memory of 2400	2880	{550BD226-B2A5-4cac-A393-31DCD1D0FC39}.exe	34
PID 2880 wrote to memory of 2400	2880	{550BD226-B2A5-4cac-A393-31DCD1D0FC39}.exe	34
PID 2880 wrote to memory of 2540	2880	{550BD226-B2A5-4cac-A393-31DCD1D0FC39}.exe	35
PID 2880 wrote to memory of 2540	2880	{550BD226-B2A5-4cac-A393-31DCD1D0FC39}.exe	35
PID 2880 wrote to memory of 2540	2880	{550BD226-B2A5-4cac-A393-31DCD1D0FC39}.exe	35
PID 2880 wrote to memory of 2540	2880	{550BD226-B2A5-4cac-A393-31DCD1D0FC39}.exe	35
PID 2400 wrote to memory of 2408	2400	{937B3D1D-711D-4c08-97CB-E0B1B55AEED3}.exe	36
PID 2400 wrote to memory of 2408	2400	{937B3D1D-711D-4c08-97CB-E0B1B55AEED3}.exe	36
PID 2400 wrote to memory of 2408	2400	{937B3D1D-711D-4c08-97CB-E0B1B55AEED3}.exe	36
PID 2400 wrote to memory of 2408	2400	{937B3D1D-711D-4c08-97CB-E0B1B55AEED3}.exe	36
PID 2400 wrote to memory of 2868	2400	{937B3D1D-711D-4c08-97CB-E0B1B55AEED3}.exe	37
PID 2400 wrote to memory of 2868	2400	{937B3D1D-711D-4c08-97CB-E0B1B55AEED3}.exe	37
PID 2400 wrote to memory of 2868	2400	{937B3D1D-711D-4c08-97CB-E0B1B55AEED3}.exe	37
PID 2400 wrote to memory of 2868	2400	{937B3D1D-711D-4c08-97CB-E0B1B55AEED3}.exe	37
PID 2408 wrote to memory of 764	2408	{67DFD244-3AC6-4664-9255-E88CB5F83ADA}.exe	38
PID 2408 wrote to memory of 764	2408	{67DFD244-3AC6-4664-9255-E88CB5F83ADA}.exe	38
PID 2408 wrote to memory of 764	2408	{67DFD244-3AC6-4664-9255-E88CB5F83ADA}.exe	38
PID 2408 wrote to memory of 764	2408	{67DFD244-3AC6-4664-9255-E88CB5F83ADA}.exe	38
PID 2408 wrote to memory of 1948	2408	{67DFD244-3AC6-4664-9255-E88CB5F83ADA}.exe	39
PID 2408 wrote to memory of 1948	2408	{67DFD244-3AC6-4664-9255-E88CB5F83ADA}.exe	39
PID 2408 wrote to memory of 1948	2408	{67DFD244-3AC6-4664-9255-E88CB5F83ADA}.exe	39
PID 2408 wrote to memory of 1948	2408	{67DFD244-3AC6-4664-9255-E88CB5F83ADA}.exe	39
PID 764 wrote to memory of 1220	764	{A16EC1BF-4DEB-4cfb-80F1-051638B202AC}.exe	40
PID 764 wrote to memory of 1220	764	{A16EC1BF-4DEB-4cfb-80F1-051638B202AC}.exe	40
PID 764 wrote to memory of 1220	764	{A16EC1BF-4DEB-4cfb-80F1-051638B202AC}.exe	40
PID 764 wrote to memory of 1220	764	{A16EC1BF-4DEB-4cfb-80F1-051638B202AC}.exe	40
PID 764 wrote to memory of 1372	764	{A16EC1BF-4DEB-4cfb-80F1-051638B202AC}.exe	41
PID 764 wrote to memory of 1372	764	{A16EC1BF-4DEB-4cfb-80F1-051638B202AC}.exe	41
PID 764 wrote to memory of 1372	764	{A16EC1BF-4DEB-4cfb-80F1-051638B202AC}.exe	41
PID 764 wrote to memory of 1372	764	{A16EC1BF-4DEB-4cfb-80F1-051638B202AC}.exe	41
PID 1220 wrote to memory of 2352	1220	{91F17690-B7C2-41dc-A24A-C77B6D2D9AE5}.exe	42
PID 1220 wrote to memory of 2352	1220	{91F17690-B7C2-41dc-A24A-C77B6D2D9AE5}.exe	42
PID 1220 wrote to memory of 2352	1220	{91F17690-B7C2-41dc-A24A-C77B6D2D9AE5}.exe	42
PID 1220 wrote to memory of 2352	1220	{91F17690-B7C2-41dc-A24A-C77B6D2D9AE5}.exe	42
PID 1220 wrote to memory of 924	1220	{91F17690-B7C2-41dc-A24A-C77B6D2D9AE5}.exe	43
PID 1220 wrote to memory of 924	1220	{91F17690-B7C2-41dc-A24A-C77B6D2D9AE5}.exe	43
PID 1220 wrote to memory of 924	1220	{91F17690-B7C2-41dc-A24A-C77B6D2D9AE5}.exe	43
PID 1220 wrote to memory of 924	1220	{91F17690-B7C2-41dc-A24A-C77B6D2D9AE5}.exe	43
PID 2352 wrote to memory of 1368	2352	{EE5C3292-0C6B-46a4-B3F4-F158696AAC56}.exe	44
PID 2352 wrote to memory of 1368	2352	{EE5C3292-0C6B-46a4-B3F4-F158696AAC56}.exe	44
PID 2352 wrote to memory of 1368	2352	{EE5C3292-0C6B-46a4-B3F4-F158696AAC56}.exe	44
PID 2352 wrote to memory of 1368	2352	{EE5C3292-0C6B-46a4-B3F4-F158696AAC56}.exe	44
PID 2352 wrote to memory of 2336	2352	{EE5C3292-0C6B-46a4-B3F4-F158696AAC56}.exe	45
PID 2352 wrote to memory of 2336	2352	{EE5C3292-0C6B-46a4-B3F4-F158696AAC56}.exe	45
PID 2352 wrote to memory of 2336	2352	{EE5C3292-0C6B-46a4-B3F4-F158696AAC56}.exe	45
PID 2352 wrote to memory of 2336	2352	{EE5C3292-0C6B-46a4-B3F4-F158696AAC56}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-02-21_e66da1f236279523c38114b5775195f8_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-21_e66da1f236279523c38114b5775195f8_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2032
- C:\Windows\{0E594556-EC71-468a-BB32-FF27B039827D}.exe
  C:\Windows\{0E594556-EC71-468a-BB32-FF27B039827D}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1384
- - C:\Windows\{550BD226-B2A5-4cac-A393-31DCD1D0FC39}.exe
    C:\Windows\{550BD226-B2A5-4cac-A393-31DCD1D0FC39}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2880
  - - C:\Windows\{937B3D1D-711D-4c08-97CB-E0B1B55AEED3}.exe
      C:\Windows\{937B3D1D-711D-4c08-97CB-E0B1B55AEED3}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2400
    - - C:\Windows\{67DFD244-3AC6-4664-9255-E88CB5F83ADA}.exe
        
        C:\Windows\{67DFD244-3AC6-4664-9255-E88CB5F83ADA}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2408
      - C:\Windows\{A16EC1BF-4DEB-4cfb-80F1-051638B202AC}.exe
        
        C:\Windows\{A16EC1BF-4DEB-4cfb-80F1-051638B202AC}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:764
        
        C:\Windows\{91F17690-B7C2-41dc-A24A-C77B6D2D9AE5}.exe
        
        C:\Windows\{91F17690-B7C2-41dc-A24A-C77B6D2D9AE5}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1220
        
        C:\Windows\{EE5C3292-0C6B-46a4-B3F4-F158696AAC56}.exe
        
        C:\Windows\{EE5C3292-0C6B-46a4-B3F4-F158696AAC56}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2352
        
        C:\Windows\{AB44F350-BF5E-499a-B0DE-5CD3C583E4CC}.exe
        
        C:\Windows\{AB44F350-BF5E-499a-B0DE-5CD3C583E4CC}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1368
        
        C:\Windows\{6F988E40-5947-4b5b-B81B-F96F40086BA1}.exe
        
        C:\Windows\{6F988E40-5947-4b5b-B81B-F96F40086BA1}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1620
        
        C:\Windows\{91497229-CF4A-4c8f-BDA8-FF183148547A}.exe
        
        C:\Windows\{91497229-CF4A-4c8f-BDA8-FF183148547A}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1132
        
        C:\Windows\{1BE01779-E5B5-44ad-9741-0DE5A8C0A5D1}.exe
        
        C:\Windows\{1BE01779-E5B5-44ad-9741-0DE5A8C0A5D1}.exe
        12⤵
        Executes dropped EXE
        
        PID:2256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{91497~1.EXE > nul
        12⤵
        
        PID:2988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6F988~1.EXE > nul
        11⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AB44F~1.EXE > nul
        10⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EE5C3~1.EXE > nul
        9⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{91F17~1.EXE > nul
        8⤵
        
        PID:924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A16EC~1.EXE > nul
        7⤵
        
        PID:1372
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{67DFD~1.EXE > nul
        6⤵
        
        PID:1948
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{937B3~1.EXE > nul
        5⤵
        
        PID:2868
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{550BD~1.EXE > nul
      4⤵
      PID:2540
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{0E594~1.EXE > nul
    3⤵
    PID:2504
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:1720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0E594556-EC71-468a-BB32-FF27B039827D}.exe

Filesize
168KB

MD5
1e6f74e8cd5c2517351ff03d8dfacfce

SHA1
307f505e2e3549b4b27dfff80191110e4838a8e9

SHA256
094eaec9fa60e2e0c57c328f1661460797731d3e25d8bc144c5efea51ddf19ab

SHA512
25738de029f16ae040b91a195ee8ed78ee1f5100443d481b87bddb5c815d0ab5d23329225e88c9aa3d1db886b358833e04237305e6cf5aab9ef971c7ec027253

Download Submit
C:\Windows\{1BE01779-E5B5-44ad-9741-0DE5A8C0A5D1}.exe

Filesize
168KB

MD5
08649635163024cb823bd702e4e4f790

SHA1
2d4841c8bb767f8988fcdf2db1ae6d15713bcba0

SHA256
6349ad9e3f1b44832d002b5d695e46a4195437337e9a4c9c0b153e2d4cddaba6

SHA512
b12e993a3d704a44716e72e838349c6ad5e2bc3d24ddde5d31f6fae9edb056ae0e969619c4f6cee9a8325d7da41ce0210db391255d53a1c5e102add2adef02ff

Download Submit
C:\Windows\{550BD226-B2A5-4cac-A393-31DCD1D0FC39}.exe

Filesize
168KB

MD5
b1de425ea926fa9b2382f5e1e7f31d06

SHA1
3224ff0cb0b06aa79579724b66524bf355a38168

SHA256
fd2b88655ec5da5000acfa3f4ab073e48f1f149a52c2282daa75e28f81c20a89

SHA512
6f1f2ce57506365b647a3a9b1d1dbff16d9949bb5cb45c2b5df9b5cafea72653f22619d054bffe5d0fd48ca63cb14446ecda5395cb17780ea20bd422fb847079

Download Submit
C:\Windows\{67DFD244-3AC6-4664-9255-E88CB5F83ADA}.exe

Filesize
168KB

MD5
a41afa9dd061a080db68ee66bb1ba508

SHA1
30d521e063c5bc5e009c064ebbab6a7971b1f46a

SHA256
e3e09f444f0fed4c5df3f7759b75316bd20273653b918f6e82e6276a44d4fff0

SHA512
b5bf2c7fced37f3d1d8845869a1a5c112a144de91eee8c575eed8c0aa5fb42392c1cca8e222cfbc36da5e3ebe8dfd23f995cee2500adc43b2a4fc5f28cc07dd6

Download Submit
C:\Windows\{6F988E40-5947-4b5b-B81B-F96F40086BA1}.exe

Filesize
168KB

MD5
e7570ef1270548a9ac01b836d97f6307

SHA1
3cb115b0d03acc0c59070b8037e7577f418a8d68

SHA256
ef731cfba702b227d7871554a542fb69050807da199d3a06f204464035993479

SHA512
d84022bc560411fb3196063b2a8f2d1714a79f80801c1d13dae505b306a019948630caa3a1cf396d5b29ce22f585c8215b3669a44fc93ffeade8b4180f16df07

Download Submit
C:\Windows\{91497229-CF4A-4c8f-BDA8-FF183148547A}.exe

Filesize
168KB

MD5
c76ce1f9f436dbf52fd9bb6bfc734d68

SHA1
7cdade555c757eca1c188175579f04fc113fbd34

SHA256
9837d77eb2b6d161d99e25d54838d487fc441b394b8cd54e29b38085373241ad

SHA512
c13ee3fe184fad9072b6115d576f78fb6a647b412a9bb671848d3e4242351bf7723467832e7b3a2fad4aaa1b63281ba12ceb83df7b63627a5bdd21e612ac92e2

Download Submit
C:\Windows\{91F17690-B7C2-41dc-A24A-C77B6D2D9AE5}.exe

Filesize
168KB

MD5
d846e679194851191576aed9ff6fa602

SHA1
580c4ad90ccae85b20916e071196a811d6a00740

SHA256
a2b19353b2bfe68bd4242e0ee9b1cbb043fb392d7d31f3ec5fb0cd7071441329

SHA512
67919f061715bc0a7d1cfec9588466b4795e50697a7b460e9eedde2a2145f8433f4766ade05d82d4cb9bf622a7cb4c75049a5bf5c3fc7849e57b17ec67a58960

Download Submit
C:\Windows\{937B3D1D-711D-4c08-97CB-E0B1B55AEED3}.exe

Filesize
168KB

MD5
0fe095af4e80f2ecdbcbd6c19d55f452

SHA1
44c32e0918eddeec6a0f1aee351e29a50ce9b4bd

SHA256
f3764099bf632177219782a8cf01c5256d7585962acda617fdd35da187132e2e

SHA512
b164b021a3364de95636ed64155bf9a7a10885be609fdfdec307b3b299b3163e4acd3822cba96b02d31c363334dd0364739ee6d5452f0e5660b35daad0c66da3

Download Submit
C:\Windows\{937B3D1D-711D-4c08-97CB-E0B1B55AEED3}.exe

Filesize
163KB

MD5
d2f092f33d2dc40ecee5b780a005614a

SHA1
8482d143194b43f9c3cb2e587f96b259530c54ef

SHA256
de4b605b06cae16b59018bc1d31b53e4cbf8c02bdffae73bfa54139c63198b95

SHA512
f412b04123dbb84492a4520870af314a3f6cd1ffcae5f8ba26f0c0d4ea8166ae45410b930b0336987490a7c8d55d632855f52af8ec7fa15152f4f25e9f645da6

Download Submit
C:\Windows\{A16EC1BF-4DEB-4cfb-80F1-051638B202AC}.exe

Filesize
168KB

MD5
910aaba8c2a079076ab6066500efd8d9

SHA1
48d11e2121b5d447522a50f334d60cb847135199

SHA256
9b51a5b9ffeb342eca0a9d868ca4932f87e4470471d8009fde0018ce18183ee8

SHA512
404db06078d3b6ab0150007cce3793134b1fe5eded4935e04b4509ef5a1e0422eec970b7aee4ff23f39ad261196746d04feaef3a4971b62bc4f85a9733516383

Download Submit
C:\Windows\{AB44F350-BF5E-499a-B0DE-5CD3C583E4CC}.exe

Filesize
168KB

MD5
60dae8fc01336f319505bbe9e92b780b

SHA1
5eae97645d3e14de4934a5b9f464cd9e7f93a92e

SHA256
e158793baff1206c12dd5b071344a48ebc262d6bfc7514844c5a5720e6a9e585

SHA512
2e0b94521ae5730518f80764de488d6427a08a8ba78195661209e8aa39b35f08ec4de17ac598ce733f910512687a71162192e0e62fb4f83bbb6cd9a83c6d7749

Download Submit
C:\Windows\{EE5C3292-0C6B-46a4-B3F4-F158696AAC56}.exe

Filesize
168KB

MD5
2b1be6759370cf53502e9ee4fd573fd9

SHA1
6be9004037f882599649bf3d7d694db3f475867d

SHA256
af219688939d317bb144419879b5c7754ecc9b06b21dff48d836e4b0dd4c76d8

SHA512
a66987cc588ec0ee1e0eddb0d411751d888b887b56a5e5c1ac35a44feb470da3b2580fffc1c86a34cb83a2fc927e0126e94d359cb2723304d6b1910338fca652

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads