e6997a4bc477225ba0d81f71453738240ff25beabbe06a10cc3af3beb8635b12

Analysis

max time kernel
144s
max time network
120s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
21/02/2024, 13:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-21_86afcb3c235fe58010f810d671aeae33_goldeneye.exe
Size

192KB
MD5

86afcb3c235fe58010f810d671aeae33
SHA1

95bc3c5cf29a0b09b0a48dc07edd3e2c39746eeb
SHA256

e6997a4bc477225ba0d81f71453738240ff25beabbe06a10cc3af3beb8635b12
SHA512

200ff717f65d7be304f683085aa00e7d711b538888b06a1b99ac22d9693e55122d6f8d6f07fb5a4b799a0f41ceed850b75ebb66b0a28791039fd6b2c6c2ba8f9
SSDEEP

1536:1EGh0o8l15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3H6:1EGh0o8l1OPOe2MUVg3Ve+rXfMUa

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000c000000012327-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b00000001484b-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000012327-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0034000000014fa0-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e000000012327-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f000000012327-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0010000000012327-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{18F1DAEB-F382-47d4-8ED0-B8C5A593347E}\stubpath = "C:\\Windows\\{18F1DAEB-F382-47d4-8ED0-B8C5A593347E}.exe"	{CBDE8BCE-3612-4626-8CDA-86F9EA6B58A6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E4892D47-5A96-494c-8C5F-5369F17B92EA}	{18F1DAEB-F382-47d4-8ED0-B8C5A593347E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{26283B4B-E7E0-4f7d-A6ED-B8D8A2E95862}\stubpath = "C:\\Windows\\{26283B4B-E7E0-4f7d-A6ED-B8D8A2E95862}.exe"	{E4892D47-5A96-494c-8C5F-5369F17B92EA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CBDE8BCE-3612-4626-8CDA-86F9EA6B58A6}\stubpath = "C:\\Windows\\{CBDE8BCE-3612-4626-8CDA-86F9EA6B58A6}.exe"	{AFF579BF-AA10-497d-AF3F-2BF9327236CE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{18F1DAEB-F382-47d4-8ED0-B8C5A593347E}	{CBDE8BCE-3612-4626-8CDA-86F9EA6B58A6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DC71B18F-C949-45fe-95D7-A3ADE912D7E0}\stubpath = "C:\\Windows\\{DC71B18F-C949-45fe-95D7-A3ADE912D7E0}.exe"	2024-02-21_86afcb3c235fe58010f810d671aeae33_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5965FF1B-96FC-46ed-8B5F-499810A33023}	{D967318C-AD22-4396-9C67-A29CEEDE821A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5965FF1B-96FC-46ed-8B5F-499810A33023}\stubpath = "C:\\Windows\\{5965FF1B-96FC-46ed-8B5F-499810A33023}.exe"	{D967318C-AD22-4396-9C67-A29CEEDE821A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EB3BE19E-F3D2-4957-92D9-E10308B72AC1}	{FD3D6BC5-6FA2-4371-9948-CDFF5AEE001D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EB3BE19E-F3D2-4957-92D9-E10308B72AC1}\stubpath = "C:\\Windows\\{EB3BE19E-F3D2-4957-92D9-E10308B72AC1}.exe"	{FD3D6BC5-6FA2-4371-9948-CDFF5AEE001D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AFF579BF-AA10-497d-AF3F-2BF9327236CE}\stubpath = "C:\\Windows\\{AFF579BF-AA10-497d-AF3F-2BF9327236CE}.exe"	{A135BB30-A202-4ef3-84FA-1E105E1D6666}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CBDE8BCE-3612-4626-8CDA-86F9EA6B58A6}	{AFF579BF-AA10-497d-AF3F-2BF9327236CE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{26283B4B-E7E0-4f7d-A6ED-B8D8A2E95862}	{E4892D47-5A96-494c-8C5F-5369F17B92EA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DC71B18F-C949-45fe-95D7-A3ADE912D7E0}	2024-02-21_86afcb3c235fe58010f810d671aeae33_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D967318C-AD22-4396-9C67-A29CEEDE821A}\stubpath = "C:\\Windows\\{D967318C-AD22-4396-9C67-A29CEEDE821A}.exe"	{DC71B18F-C949-45fe-95D7-A3ADE912D7E0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FD3D6BC5-6FA2-4371-9948-CDFF5AEE001D}	{5965FF1B-96FC-46ed-8B5F-499810A33023}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FD3D6BC5-6FA2-4371-9948-CDFF5AEE001D}\stubpath = "C:\\Windows\\{FD3D6BC5-6FA2-4371-9948-CDFF5AEE001D}.exe"	{5965FF1B-96FC-46ed-8B5F-499810A33023}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AFF579BF-AA10-497d-AF3F-2BF9327236CE}	{A135BB30-A202-4ef3-84FA-1E105E1D6666}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D967318C-AD22-4396-9C67-A29CEEDE821A}	{DC71B18F-C949-45fe-95D7-A3ADE912D7E0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A135BB30-A202-4ef3-84FA-1E105E1D6666}	{EB3BE19E-F3D2-4957-92D9-E10308B72AC1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A135BB30-A202-4ef3-84FA-1E105E1D6666}\stubpath = "C:\\Windows\\{A135BB30-A202-4ef3-84FA-1E105E1D6666}.exe"	{EB3BE19E-F3D2-4957-92D9-E10308B72AC1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E4892D47-5A96-494c-8C5F-5369F17B92EA}\stubpath = "C:\\Windows\\{E4892D47-5A96-494c-8C5F-5369F17B92EA}.exe"	{18F1DAEB-F382-47d4-8ED0-B8C5A593347E}.exe

Deletes itself 1 IoCs

pid	Process
1836	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2888	{DC71B18F-C949-45fe-95D7-A3ADE912D7E0}.exe
2716	{D967318C-AD22-4396-9C67-A29CEEDE821A}.exe
1980	{5965FF1B-96FC-46ed-8B5F-499810A33023}.exe
2608	{FD3D6BC5-6FA2-4371-9948-CDFF5AEE001D}.exe
2804	{EB3BE19E-F3D2-4957-92D9-E10308B72AC1}.exe
1012	{A135BB30-A202-4ef3-84FA-1E105E1D6666}.exe
1628	{AFF579BF-AA10-497d-AF3F-2BF9327236CE}.exe
2044	{CBDE8BCE-3612-4626-8CDA-86F9EA6B58A6}.exe
2416	{18F1DAEB-F382-47d4-8ED0-B8C5A593347E}.exe
2236	{E4892D47-5A96-494c-8C5F-5369F17B92EA}.exe
1776	{26283B4B-E7E0-4f7d-A6ED-B8D8A2E95862}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{5965FF1B-96FC-46ed-8B5F-499810A33023}.exe	{D967318C-AD22-4396-9C67-A29CEEDE821A}.exe
File created	C:\Windows\{FD3D6BC5-6FA2-4371-9948-CDFF5AEE001D}.exe	{5965FF1B-96FC-46ed-8B5F-499810A33023}.exe
File created	C:\Windows\{EB3BE19E-F3D2-4957-92D9-E10308B72AC1}.exe	{FD3D6BC5-6FA2-4371-9948-CDFF5AEE001D}.exe
File created	C:\Windows\{E4892D47-5A96-494c-8C5F-5369F17B92EA}.exe	{18F1DAEB-F382-47d4-8ED0-B8C5A593347E}.exe
File created	C:\Windows\{26283B4B-E7E0-4f7d-A6ED-B8D8A2E95862}.exe	{E4892D47-5A96-494c-8C5F-5369F17B92EA}.exe
File created	C:\Windows\{DC71B18F-C949-45fe-95D7-A3ADE912D7E0}.exe	2024-02-21_86afcb3c235fe58010f810d671aeae33_goldeneye.exe
File created	C:\Windows\{D967318C-AD22-4396-9C67-A29CEEDE821A}.exe	{DC71B18F-C949-45fe-95D7-A3ADE912D7E0}.exe
File created	C:\Windows\{A135BB30-A202-4ef3-84FA-1E105E1D6666}.exe	{EB3BE19E-F3D2-4957-92D9-E10308B72AC1}.exe
File created	C:\Windows\{AFF579BF-AA10-497d-AF3F-2BF9327236CE}.exe	{A135BB30-A202-4ef3-84FA-1E105E1D6666}.exe
File created	C:\Windows\{CBDE8BCE-3612-4626-8CDA-86F9EA6B58A6}.exe	{AFF579BF-AA10-497d-AF3F-2BF9327236CE}.exe
File created	C:\Windows\{18F1DAEB-F382-47d4-8ED0-B8C5A593347E}.exe	{CBDE8BCE-3612-4626-8CDA-86F9EA6B58A6}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1992	2024-02-21_86afcb3c235fe58010f810d671aeae33_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2888	{DC71B18F-C949-45fe-95D7-A3ADE912D7E0}.exe
Token: SeIncBasePriorityPrivilege	2716	{D967318C-AD22-4396-9C67-A29CEEDE821A}.exe
Token: SeIncBasePriorityPrivilege	1980	{5965FF1B-96FC-46ed-8B5F-499810A33023}.exe
Token: SeIncBasePriorityPrivilege	2608	{FD3D6BC5-6FA2-4371-9948-CDFF5AEE001D}.exe
Token: SeIncBasePriorityPrivilege	2804	{EB3BE19E-F3D2-4957-92D9-E10308B72AC1}.exe
Token: SeIncBasePriorityPrivilege	1012	{A135BB30-A202-4ef3-84FA-1E105E1D6666}.exe
Token: SeIncBasePriorityPrivilege	1628	{AFF579BF-AA10-497d-AF3F-2BF9327236CE}.exe
Token: SeIncBasePriorityPrivilege	2044	{CBDE8BCE-3612-4626-8CDA-86F9EA6B58A6}.exe
Token: SeIncBasePriorityPrivilege	2416	{18F1DAEB-F382-47d4-8ED0-B8C5A593347E}.exe
Token: SeIncBasePriorityPrivilege	2236	{E4892D47-5A96-494c-8C5F-5369F17B92EA}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1992 wrote to memory of 2888	1992	2024-02-21_86afcb3c235fe58010f810d671aeae33_goldeneye.exe	28
PID 1992 wrote to memory of 2888	1992	2024-02-21_86afcb3c235fe58010f810d671aeae33_goldeneye.exe	28
PID 1992 wrote to memory of 2888	1992	2024-02-21_86afcb3c235fe58010f810d671aeae33_goldeneye.exe	28
PID 1992 wrote to memory of 2888	1992	2024-02-21_86afcb3c235fe58010f810d671aeae33_goldeneye.exe	28
PID 1992 wrote to memory of 1836	1992	2024-02-21_86afcb3c235fe58010f810d671aeae33_goldeneye.exe	29
PID 1992 wrote to memory of 1836	1992	2024-02-21_86afcb3c235fe58010f810d671aeae33_goldeneye.exe	29
PID 1992 wrote to memory of 1836	1992	2024-02-21_86afcb3c235fe58010f810d671aeae33_goldeneye.exe	29
PID 1992 wrote to memory of 1836	1992	2024-02-21_86afcb3c235fe58010f810d671aeae33_goldeneye.exe	29
PID 2888 wrote to memory of 2716	2888	{DC71B18F-C949-45fe-95D7-A3ADE912D7E0}.exe	30
PID 2888 wrote to memory of 2716	2888	{DC71B18F-C949-45fe-95D7-A3ADE912D7E0}.exe	30
PID 2888 wrote to memory of 2716	2888	{DC71B18F-C949-45fe-95D7-A3ADE912D7E0}.exe	30
PID 2888 wrote to memory of 2716	2888	{DC71B18F-C949-45fe-95D7-A3ADE912D7E0}.exe	30
PID 2888 wrote to memory of 2568	2888	{DC71B18F-C949-45fe-95D7-A3ADE912D7E0}.exe	31
PID 2888 wrote to memory of 2568	2888	{DC71B18F-C949-45fe-95D7-A3ADE912D7E0}.exe	31
PID 2888 wrote to memory of 2568	2888	{DC71B18F-C949-45fe-95D7-A3ADE912D7E0}.exe	31
PID 2888 wrote to memory of 2568	2888	{DC71B18F-C949-45fe-95D7-A3ADE912D7E0}.exe	31
PID 2716 wrote to memory of 1980	2716	{D967318C-AD22-4396-9C67-A29CEEDE821A}.exe	33
PID 2716 wrote to memory of 1980	2716	{D967318C-AD22-4396-9C67-A29CEEDE821A}.exe	33
PID 2716 wrote to memory of 1980	2716	{D967318C-AD22-4396-9C67-A29CEEDE821A}.exe	33
PID 2716 wrote to memory of 1980	2716	{D967318C-AD22-4396-9C67-A29CEEDE821A}.exe	33
PID 2716 wrote to memory of 2884	2716	{D967318C-AD22-4396-9C67-A29CEEDE821A}.exe	32
PID 2716 wrote to memory of 2884	2716	{D967318C-AD22-4396-9C67-A29CEEDE821A}.exe	32
PID 2716 wrote to memory of 2884	2716	{D967318C-AD22-4396-9C67-A29CEEDE821A}.exe	32
PID 2716 wrote to memory of 2884	2716	{D967318C-AD22-4396-9C67-A29CEEDE821A}.exe	32
PID 1980 wrote to memory of 2608	1980	{5965FF1B-96FC-46ed-8B5F-499810A33023}.exe	36
PID 1980 wrote to memory of 2608	1980	{5965FF1B-96FC-46ed-8B5F-499810A33023}.exe	36
PID 1980 wrote to memory of 2608	1980	{5965FF1B-96FC-46ed-8B5F-499810A33023}.exe	36
PID 1980 wrote to memory of 2608	1980	{5965FF1B-96FC-46ed-8B5F-499810A33023}.exe	36
PID 1980 wrote to memory of 1352	1980	{5965FF1B-96FC-46ed-8B5F-499810A33023}.exe	37
PID 1980 wrote to memory of 1352	1980	{5965FF1B-96FC-46ed-8B5F-499810A33023}.exe	37
PID 1980 wrote to memory of 1352	1980	{5965FF1B-96FC-46ed-8B5F-499810A33023}.exe	37
PID 1980 wrote to memory of 1352	1980	{5965FF1B-96FC-46ed-8B5F-499810A33023}.exe	37
PID 2608 wrote to memory of 2804	2608	{FD3D6BC5-6FA2-4371-9948-CDFF5AEE001D}.exe	38
PID 2608 wrote to memory of 2804	2608	{FD3D6BC5-6FA2-4371-9948-CDFF5AEE001D}.exe	38
PID 2608 wrote to memory of 2804	2608	{FD3D6BC5-6FA2-4371-9948-CDFF5AEE001D}.exe	38
PID 2608 wrote to memory of 2804	2608	{FD3D6BC5-6FA2-4371-9948-CDFF5AEE001D}.exe	38
PID 2608 wrote to memory of 2904	2608	{FD3D6BC5-6FA2-4371-9948-CDFF5AEE001D}.exe	39
PID 2608 wrote to memory of 2904	2608	{FD3D6BC5-6FA2-4371-9948-CDFF5AEE001D}.exe	39
PID 2608 wrote to memory of 2904	2608	{FD3D6BC5-6FA2-4371-9948-CDFF5AEE001D}.exe	39
PID 2608 wrote to memory of 2904	2608	{FD3D6BC5-6FA2-4371-9948-CDFF5AEE001D}.exe	39
PID 2804 wrote to memory of 1012	2804	{EB3BE19E-F3D2-4957-92D9-E10308B72AC1}.exe	40
PID 2804 wrote to memory of 1012	2804	{EB3BE19E-F3D2-4957-92D9-E10308B72AC1}.exe	40
PID 2804 wrote to memory of 1012	2804	{EB3BE19E-F3D2-4957-92D9-E10308B72AC1}.exe	40
PID 2804 wrote to memory of 1012	2804	{EB3BE19E-F3D2-4957-92D9-E10308B72AC1}.exe	40
PID 2804 wrote to memory of 1768	2804	{EB3BE19E-F3D2-4957-92D9-E10308B72AC1}.exe	41
PID 2804 wrote to memory of 1768	2804	{EB3BE19E-F3D2-4957-92D9-E10308B72AC1}.exe	41
PID 2804 wrote to memory of 1768	2804	{EB3BE19E-F3D2-4957-92D9-E10308B72AC1}.exe	41
PID 2804 wrote to memory of 1768	2804	{EB3BE19E-F3D2-4957-92D9-E10308B72AC1}.exe	41
PID 1012 wrote to memory of 1628	1012	{A135BB30-A202-4ef3-84FA-1E105E1D6666}.exe	42
PID 1012 wrote to memory of 1628	1012	{A135BB30-A202-4ef3-84FA-1E105E1D6666}.exe	42
PID 1012 wrote to memory of 1628	1012	{A135BB30-A202-4ef3-84FA-1E105E1D6666}.exe	42
PID 1012 wrote to memory of 1628	1012	{A135BB30-A202-4ef3-84FA-1E105E1D6666}.exe	42
PID 1012 wrote to memory of 2936	1012	{A135BB30-A202-4ef3-84FA-1E105E1D6666}.exe	43
PID 1012 wrote to memory of 2936	1012	{A135BB30-A202-4ef3-84FA-1E105E1D6666}.exe	43
PID 1012 wrote to memory of 2936	1012	{A135BB30-A202-4ef3-84FA-1E105E1D6666}.exe	43
PID 1012 wrote to memory of 2936	1012	{A135BB30-A202-4ef3-84FA-1E105E1D6666}.exe	43
PID 1628 wrote to memory of 2044	1628	{AFF579BF-AA10-497d-AF3F-2BF9327236CE}.exe	44
PID 1628 wrote to memory of 2044	1628	{AFF579BF-AA10-497d-AF3F-2BF9327236CE}.exe	44
PID 1628 wrote to memory of 2044	1628	{AFF579BF-AA10-497d-AF3F-2BF9327236CE}.exe	44
PID 1628 wrote to memory of 2044	1628	{AFF579BF-AA10-497d-AF3F-2BF9327236CE}.exe	44
PID 1628 wrote to memory of 2012	1628	{AFF579BF-AA10-497d-AF3F-2BF9327236CE}.exe	45
PID 1628 wrote to memory of 2012	1628	{AFF579BF-AA10-497d-AF3F-2BF9327236CE}.exe	45
PID 1628 wrote to memory of 2012	1628	{AFF579BF-AA10-497d-AF3F-2BF9327236CE}.exe	45
PID 1628 wrote to memory of 2012	1628	{AFF579BF-AA10-497d-AF3F-2BF9327236CE}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-02-21_86afcb3c235fe58010f810d671aeae33_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-21_86afcb3c235fe58010f810d671aeae33_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1992
- C:\Windows\{DC71B18F-C949-45fe-95D7-A3ADE912D7E0}.exe
  C:\Windows\{DC71B18F-C949-45fe-95D7-A3ADE912D7E0}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2888
- - C:\Windows\{D967318C-AD22-4396-9C67-A29CEEDE821A}.exe
    C:\Windows\{D967318C-AD22-4396-9C67-A29CEEDE821A}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2716
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{D9673~1.EXE > nul
      4⤵
      PID:2884
  - - C:\Windows\{5965FF1B-96FC-46ed-8B5F-499810A33023}.exe
      C:\Windows\{5965FF1B-96FC-46ed-8B5F-499810A33023}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1980
    - - C:\Windows\{FD3D6BC5-6FA2-4371-9948-CDFF5AEE001D}.exe
        
        C:\Windows\{FD3D6BC5-6FA2-4371-9948-CDFF5AEE001D}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2608
      - C:\Windows\{EB3BE19E-F3D2-4957-92D9-E10308B72AC1}.exe
        
        C:\Windows\{EB3BE19E-F3D2-4957-92D9-E10308B72AC1}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2804
        
        C:\Windows\{A135BB30-A202-4ef3-84FA-1E105E1D6666}.exe
        
        C:\Windows\{A135BB30-A202-4ef3-84FA-1E105E1D6666}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1012
        
        C:\Windows\{AFF579BF-AA10-497d-AF3F-2BF9327236CE}.exe
        
        C:\Windows\{AFF579BF-AA10-497d-AF3F-2BF9327236CE}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1628
        
        C:\Windows\{CBDE8BCE-3612-4626-8CDA-86F9EA6B58A6}.exe
        
        C:\Windows\{CBDE8BCE-3612-4626-8CDA-86F9EA6B58A6}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2044
        
        C:\Windows\{18F1DAEB-F382-47d4-8ED0-B8C5A593347E}.exe
        
        C:\Windows\{18F1DAEB-F382-47d4-8ED0-B8C5A593347E}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{18F1D~1.EXE > nul
        11⤵
        
        PID:676
        
        C:\Windows\{E4892D47-5A96-494c-8C5F-5369F17B92EA}.exe
        
        C:\Windows\{E4892D47-5A96-494c-8C5F-5369F17B92EA}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2236
        
        C:\Windows\{26283B4B-E7E0-4f7d-A6ED-B8D8A2E95862}.exe
        
        C:\Windows\{26283B4B-E7E0-4f7d-A6ED-B8D8A2E95862}.exe
        12⤵
        Executes dropped EXE
        
        PID:1776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E4892~1.EXE > nul
        12⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CBDE8~1.EXE > nul
        10⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AFF57~1.EXE > nul
        9⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A135B~1.EXE > nul
        8⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EB3BE~1.EXE > nul
        7⤵
        
        PID:1768
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FD3D6~1.EXE > nul
        6⤵
        
        PID:2904
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5965F~1.EXE > nul
        5⤵
        
        PID:1352
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{DC71B~1.EXE > nul
    3⤵
    PID:2568
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:1836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{18F1DAEB-F382-47d4-8ED0-B8C5A593347E}.exe

Filesize
192KB

MD5
ea75a84c7c6a5e1e21dd2d46255cb8c7

SHA1
039f1f80a6de0761f31aec7b1d1f5c5abdcb4d70

SHA256
e16c48be6ac5ff88a7496a7b37c602a0da0258cd04f6c2712aa5221178f15b05

SHA512
0c189cd4cf590e9248576e72ecb57111d4105cf6fbf6f71f85abad96b03cfad3429c243d7aa8df964c32fdd009cc9a603b58295f8faaa1f5a65707637f7a86bb

Download Submit
C:\Windows\{26283B4B-E7E0-4f7d-A6ED-B8D8A2E95862}.exe

Filesize
192KB

MD5
ecd7d2f608dd79478f74ff5ad0b77e68

SHA1
22e0d3001c8f601ef85a797ee323656b982e2296

SHA256
5f0673c7f5737367bb2b07a55bdf2dd91d91719d00435610b1acbaf44fae23e8

SHA512
5e9f8b2569bb65cfb1f3ac9616fdc6189abfa64ee870605c6b0ba26adbb4ac0fa90402fefdb2f21ad0d68b8c3d8a971626cfb00d7e93d979eb44814c015e4c6a

Download Submit
C:\Windows\{5965FF1B-96FC-46ed-8B5F-499810A33023}.exe

Filesize
192KB

MD5
29fd733478b5180a49411df512a9590d

SHA1
1f3a03d3dd6d67ed804f815adc5eb55b96e772d6

SHA256
461d95586e55a1a4c02ca6283a45beffc6187da998ffdca03133a718040c7374

SHA512
fd16285d623b9f80d892bbc68b709f5c1e36c479bc87a8127bb85f55fd8101dbb1c19e4414ba1773a7e440e548141ad13c62850c05efda919d6812539bbd0c13

Download Submit
C:\Windows\{A135BB30-A202-4ef3-84FA-1E105E1D6666}.exe

Filesize
192KB

MD5
0c12ab661e05fc4a82d636b2f7f4c96c

SHA1
d60e3ed054bf8a8397b6fd979a8a77a87fc5e7aa

SHA256
6dfc99d22ea2df64c377df042119bed3d0803578d238f0059b2dc7c4137f2206

SHA512
4eaa30d542a2ac591c405f85262c7e4f3280b4f24711f5b63463027dd7e6ede5d893810f6ee2149cca8429ac375854131226e6a8b610871218c55f9c5b5ecedf

Download Submit
C:\Windows\{AFF579BF-AA10-497d-AF3F-2BF9327236CE}.exe

Filesize
192KB

MD5
925fb057787df5092dd96155e79a2ba9

SHA1
1b2569df5099a402f9d4cd321b77ce1cf733750e

SHA256
dc76af2a45e7ab115ef1877a1a2ff668dab198758c14b5d94709db495b4a2b4b

SHA512
b14d6c913eb550a18696122d3442f05f11e7dbb97c387ea1f8ae624c8f1d6d930a93277fc28aba8850b0e0f929520a112c7f4ad87bfa699057c7a05c1ee6f0e7

Download Submit
C:\Windows\{CBDE8BCE-3612-4626-8CDA-86F9EA6B58A6}.exe

Filesize
192KB

MD5
0dee9952316ca656c6f02c6d29cd46d7

SHA1
80b257f7acc26885e363da75c9c5e0a54681a896

SHA256
292e74992f5f300732ec9917c88be29f98af3c0d544a8fa1d2f7ab80bdec03a5

SHA512
cc89a6d72d85c8b1e040a38943f107ed01c1c8a010cb6cf3e018c46c16990c31fa4b42afcaf60879d104c678ace574e8d0bbb9e17cf41a52f5a348c1f1b733e3

Download Submit
C:\Windows\{D967318C-AD22-4396-9C67-A29CEEDE821A}.exe

Filesize
192KB

MD5
380e4a6c88d83deddf0f4f4fce33fe81

SHA1
3e9d30f086bb036b3e9711223e27aa64b35e71af

SHA256
09bf4ed5a76bf14f7daf1c5198e74d196694aeef9da17e8c15d8956660f9abdc

SHA512
e4270c520b9954e4fee015cfdbffb1e9726bf1317e606b0230590075fe8328b10713f703e82d6ddccf2991ee94b13a75c5ec21ee6d36da7c276db1d146f2f356

Download Submit
C:\Windows\{DC71B18F-C949-45fe-95D7-A3ADE912D7E0}.exe

Filesize
192KB

MD5
8ab72b98ad952861142a9581d8ad54f2

SHA1
b6147cdbdb98ebcde0045b480b5d9a203680b612

SHA256
0cf9d45b5bdf9e264515b7432e816477dd398a225b19f45f2917d3a7e66bd78a

SHA512
182d47d6bec67150fb88efb419a53c747eccefe03bf61a398d213f30c4e19aee056b6f2447af4c14a67e6e0fc5440b48deebb40854a1087b3d02ea5519004782

Download Submit
C:\Windows\{E4892D47-5A96-494c-8C5F-5369F17B92EA}.exe

Filesize
192KB

MD5
673ce539ba564867b9c7bbb96671bdde

SHA1
f8835cfe7afd13dae806acb3640f6981b7964d21

SHA256
3c8cf8029039954814f11d9a79b0a3b6991b2d4d944ac26d9d03663a3208250f

SHA512
50dbb65a4ebdcc89e60e39b047c5061b83515dc784d3cdad26684fbb7a3146a93ebfa7fe4053b4f2cd489f1e3c6f6ae521475d5a57227e1e20fc1f61b1254501

Download Submit
C:\Windows\{EB3BE19E-F3D2-4957-92D9-E10308B72AC1}.exe

Filesize
192KB

MD5
1dd305218f7d3160e3f3cf8453c69c63

SHA1
ee0c67dc994cf83374a577caf917b551be4c6da1

SHA256
1ab1d6c15fb400cf6b257e13581bcc7001fe11300c1665deb4dc852d13d07689

SHA512
bb11e6add796d8efb6d405b13286be041ce30deefbed8a86408c15c992531fc42b165f660d2201e6fa5f85a262f4e2421a0432128a84b93274d130d7abd3f692

Download Submit
C:\Windows\{FD3D6BC5-6FA2-4371-9948-CDFF5AEE001D}.exe

Filesize
192KB

MD5
c34ea1a6df840afa354b99229f7970a4

SHA1
5f93945d510af2fb390e7af211065bb77f8eede5

SHA256
ac8360695ee7b82589ea627ab2810a53a64d560a92a5d6459c692c24d38eed22

SHA512
c60fa9c1d484c13a6f3c60e641a8c27bed0d1c8a34c6d7ed6277d98f65090d3b2170a7901aff2524425773b45ae9a064c3a548a896022a832a63bb5bf4e6f5bc

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads