9f45b969c0cf639c63420fc32dd732ef2234281b7e716b1d69edd3f33d213bb4

Analysis

max time kernel
144s
max time network
127s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
21/02/2024, 14:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-21_6a9af0b6e639d9980880308b947e7d8f_goldeneye.exe
Size

380KB
MD5

6a9af0b6e639d9980880308b947e7d8f
SHA1

b2daa996d4643c047d99bfa7b24702d5eae2767b
SHA256

9f45b969c0cf639c63420fc32dd732ef2234281b7e716b1d69edd3f33d213bb4
SHA512

c288bfd66784c26c04186f2a1f3be24796bfa52493031aff6ea59fd23f2bd3af8da62d30b7599e9334e8370377b2e04baa320338db05d36da47349ee88b0b196
SSDEEP

3072:mEGh0oIlPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGOl7Oe2MUVg3v2IneKcAEcARy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral1/files/0x000d0000000122af-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d0000000122af-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002d0000000142b4-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0014000000014464-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000600000000f6f8-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000800000001446c-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000700000000f6f8-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000900000001446c-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000014498-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a00000001446c-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000014515-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b00000001446c-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{58E3D7FC-2252-4668-975F-7319B2D6BD96}	{FD6B12B0-63F4-4e66-B26A-3D509D6925A0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8C37E2B6-E0BB-4431-9463-4FB5112EA686}	{FA36B643-FAE3-4a95-A8FD-B04FE3B8403A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1E436BE5-3FA9-487d-9129-8DC53812E9D4}	{8C37E2B6-E0BB-4431-9463-4FB5112EA686}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1E436BE5-3FA9-487d-9129-8DC53812E9D4}\stubpath = "C:\\Windows\\{1E436BE5-3FA9-487d-9129-8DC53812E9D4}.exe"	{8C37E2B6-E0BB-4431-9463-4FB5112EA686}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{381EDBAD-36F9-4c6a-ACA8-45539E480B17}\stubpath = "C:\\Windows\\{381EDBAD-36F9-4c6a-ACA8-45539E480B17}.exe"	{450A5F28-C7B2-4f0d-92F6-C1BF2E3AB793}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C0E5F437-9DC4-44e5-81D6-A3E0543E9E37}\stubpath = "C:\\Windows\\{C0E5F437-9DC4-44e5-81D6-A3E0543E9E37}.exe"	{F61AD201-4C55-462f-A161-6A8D4E96F0E6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8B13AB6E-CFBD-48b8-8296-30D9E7BF1A17}	{C0E5F437-9DC4-44e5-81D6-A3E0543E9E37}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8B13AB6E-CFBD-48b8-8296-30D9E7BF1A17}\stubpath = "C:\\Windows\\{8B13AB6E-CFBD-48b8-8296-30D9E7BF1A17}.exe"	{C0E5F437-9DC4-44e5-81D6-A3E0543E9E37}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FA36B643-FAE3-4a95-A8FD-B04FE3B8403A}	{8B13AB6E-CFBD-48b8-8296-30D9E7BF1A17}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FA36B643-FAE3-4a95-A8FD-B04FE3B8403A}\stubpath = "C:\\Windows\\{FA36B643-FAE3-4a95-A8FD-B04FE3B8403A}.exe"	{8B13AB6E-CFBD-48b8-8296-30D9E7BF1A17}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{450A5F28-C7B2-4f0d-92F6-C1BF2E3AB793}	2024-02-21_6a9af0b6e639d9980880308b947e7d8f_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{381EDBAD-36F9-4c6a-ACA8-45539E480B17}	{450A5F28-C7B2-4f0d-92F6-C1BF2E3AB793}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FD6B12B0-63F4-4e66-B26A-3D509D6925A0}\stubpath = "C:\\Windows\\{FD6B12B0-63F4-4e66-B26A-3D509D6925A0}.exe"	{381EDBAD-36F9-4c6a-ACA8-45539E480B17}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{58E3D7FC-2252-4668-975F-7319B2D6BD96}\stubpath = "C:\\Windows\\{58E3D7FC-2252-4668-975F-7319B2D6BD96}.exe"	{FD6B12B0-63F4-4e66-B26A-3D509D6925A0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F61AD201-4C55-462f-A161-6A8D4E96F0E6}\stubpath = "C:\\Windows\\{F61AD201-4C55-462f-A161-6A8D4E96F0E6}.exe"	{58E3D7FC-2252-4668-975F-7319B2D6BD96}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C0E5F437-9DC4-44e5-81D6-A3E0543E9E37}	{F61AD201-4C55-462f-A161-6A8D4E96F0E6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{450A5F28-C7B2-4f0d-92F6-C1BF2E3AB793}\stubpath = "C:\\Windows\\{450A5F28-C7B2-4f0d-92F6-C1BF2E3AB793}.exe"	2024-02-21_6a9af0b6e639d9980880308b947e7d8f_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F61AD201-4C55-462f-A161-6A8D4E96F0E6}	{58E3D7FC-2252-4668-975F-7319B2D6BD96}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8C37E2B6-E0BB-4431-9463-4FB5112EA686}\stubpath = "C:\\Windows\\{8C37E2B6-E0BB-4431-9463-4FB5112EA686}.exe"	{FA36B643-FAE3-4a95-A8FD-B04FE3B8403A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6A9C3D6B-9BC0-4181-A7D5-C021FCB0BD2B}	{1E436BE5-3FA9-487d-9129-8DC53812E9D4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6A9C3D6B-9BC0-4181-A7D5-C021FCB0BD2B}\stubpath = "C:\\Windows\\{6A9C3D6B-9BC0-4181-A7D5-C021FCB0BD2B}.exe"	{1E436BE5-3FA9-487d-9129-8DC53812E9D4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FD6B12B0-63F4-4e66-B26A-3D509D6925A0}	{381EDBAD-36F9-4c6a-ACA8-45539E480B17}.exe

Deletes itself 1 IoCs

pid	Process
2860	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2268	{450A5F28-C7B2-4f0d-92F6-C1BF2E3AB793}.exe
2912	{381EDBAD-36F9-4c6a-ACA8-45539E480B17}.exe
2660	{FD6B12B0-63F4-4e66-B26A-3D509D6925A0}.exe
1656	{58E3D7FC-2252-4668-975F-7319B2D6BD96}.exe
2948	{F61AD201-4C55-462f-A161-6A8D4E96F0E6}.exe
1924	{C0E5F437-9DC4-44e5-81D6-A3E0543E9E37}.exe
764	{8B13AB6E-CFBD-48b8-8296-30D9E7BF1A17}.exe
1500	{FA36B643-FAE3-4a95-A8FD-B04FE3B8403A}.exe
1620	{8C37E2B6-E0BB-4431-9463-4FB5112EA686}.exe
2028	{1E436BE5-3FA9-487d-9129-8DC53812E9D4}.exe
940	{6A9C3D6B-9BC0-4181-A7D5-C021FCB0BD2B}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{58E3D7FC-2252-4668-975F-7319B2D6BD96}.exe	{FD6B12B0-63F4-4e66-B26A-3D509D6925A0}.exe
File created	C:\Windows\{F61AD201-4C55-462f-A161-6A8D4E96F0E6}.exe	{58E3D7FC-2252-4668-975F-7319B2D6BD96}.exe
File created	C:\Windows\{C0E5F437-9DC4-44e5-81D6-A3E0543E9E37}.exe	{F61AD201-4C55-462f-A161-6A8D4E96F0E6}.exe
File created	C:\Windows\{8B13AB6E-CFBD-48b8-8296-30D9E7BF1A17}.exe	{C0E5F437-9DC4-44e5-81D6-A3E0543E9E37}.exe
File created	C:\Windows\{FA36B643-FAE3-4a95-A8FD-B04FE3B8403A}.exe	{8B13AB6E-CFBD-48b8-8296-30D9E7BF1A17}.exe
File created	C:\Windows\{1E436BE5-3FA9-487d-9129-8DC53812E9D4}.exe	{8C37E2B6-E0BB-4431-9463-4FB5112EA686}.exe
File created	C:\Windows\{6A9C3D6B-9BC0-4181-A7D5-C021FCB0BD2B}.exe	{1E436BE5-3FA9-487d-9129-8DC53812E9D4}.exe
File created	C:\Windows\{450A5F28-C7B2-4f0d-92F6-C1BF2E3AB793}.exe	2024-02-21_6a9af0b6e639d9980880308b947e7d8f_goldeneye.exe
File created	C:\Windows\{381EDBAD-36F9-4c6a-ACA8-45539E480B17}.exe	{450A5F28-C7B2-4f0d-92F6-C1BF2E3AB793}.exe
File created	C:\Windows\{FD6B12B0-63F4-4e66-B26A-3D509D6925A0}.exe	{381EDBAD-36F9-4c6a-ACA8-45539E480B17}.exe
File created	C:\Windows\{8C37E2B6-E0BB-4431-9463-4FB5112EA686}.exe	{FA36B643-FAE3-4a95-A8FD-B04FE3B8403A}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2024	2024-02-21_6a9af0b6e639d9980880308b947e7d8f_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2268	{450A5F28-C7B2-4f0d-92F6-C1BF2E3AB793}.exe
Token: SeIncBasePriorityPrivilege	2912	{381EDBAD-36F9-4c6a-ACA8-45539E480B17}.exe
Token: SeIncBasePriorityPrivilege	2660	{FD6B12B0-63F4-4e66-B26A-3D509D6925A0}.exe
Token: SeIncBasePriorityPrivilege	1656	{58E3D7FC-2252-4668-975F-7319B2D6BD96}.exe
Token: SeIncBasePriorityPrivilege	2948	{F61AD201-4C55-462f-A161-6A8D4E96F0E6}.exe
Token: SeIncBasePriorityPrivilege	1924	{C0E5F437-9DC4-44e5-81D6-A3E0543E9E37}.exe
Token: SeIncBasePriorityPrivilege	764	{8B13AB6E-CFBD-48b8-8296-30D9E7BF1A17}.exe
Token: SeIncBasePriorityPrivilege	1500	{FA36B643-FAE3-4a95-A8FD-B04FE3B8403A}.exe
Token: SeIncBasePriorityPrivilege	1620	{8C37E2B6-E0BB-4431-9463-4FB5112EA686}.exe
Token: SeIncBasePriorityPrivilege	2028	{1E436BE5-3FA9-487d-9129-8DC53812E9D4}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2024 wrote to memory of 2268	2024	2024-02-21_6a9af0b6e639d9980880308b947e7d8f_goldeneye.exe	28
PID 2024 wrote to memory of 2268	2024	2024-02-21_6a9af0b6e639d9980880308b947e7d8f_goldeneye.exe	28
PID 2024 wrote to memory of 2268	2024	2024-02-21_6a9af0b6e639d9980880308b947e7d8f_goldeneye.exe	28
PID 2024 wrote to memory of 2268	2024	2024-02-21_6a9af0b6e639d9980880308b947e7d8f_goldeneye.exe	28
PID 2024 wrote to memory of 2860	2024	2024-02-21_6a9af0b6e639d9980880308b947e7d8f_goldeneye.exe	29
PID 2024 wrote to memory of 2860	2024	2024-02-21_6a9af0b6e639d9980880308b947e7d8f_goldeneye.exe	29
PID 2024 wrote to memory of 2860	2024	2024-02-21_6a9af0b6e639d9980880308b947e7d8f_goldeneye.exe	29
PID 2024 wrote to memory of 2860	2024	2024-02-21_6a9af0b6e639d9980880308b947e7d8f_goldeneye.exe	29
PID 2268 wrote to memory of 2912	2268	{450A5F28-C7B2-4f0d-92F6-C1BF2E3AB793}.exe	30
PID 2268 wrote to memory of 2912	2268	{450A5F28-C7B2-4f0d-92F6-C1BF2E3AB793}.exe	30
PID 2268 wrote to memory of 2912	2268	{450A5F28-C7B2-4f0d-92F6-C1BF2E3AB793}.exe	30
PID 2268 wrote to memory of 2912	2268	{450A5F28-C7B2-4f0d-92F6-C1BF2E3AB793}.exe	30
PID 2268 wrote to memory of 2796	2268	{450A5F28-C7B2-4f0d-92F6-C1BF2E3AB793}.exe	31
PID 2268 wrote to memory of 2796	2268	{450A5F28-C7B2-4f0d-92F6-C1BF2E3AB793}.exe	31
PID 2268 wrote to memory of 2796	2268	{450A5F28-C7B2-4f0d-92F6-C1BF2E3AB793}.exe	31
PID 2268 wrote to memory of 2796	2268	{450A5F28-C7B2-4f0d-92F6-C1BF2E3AB793}.exe	31
PID 2912 wrote to memory of 2660	2912	{381EDBAD-36F9-4c6a-ACA8-45539E480B17}.exe	34
PID 2912 wrote to memory of 2660	2912	{381EDBAD-36F9-4c6a-ACA8-45539E480B17}.exe	34
PID 2912 wrote to memory of 2660	2912	{381EDBAD-36F9-4c6a-ACA8-45539E480B17}.exe	34
PID 2912 wrote to memory of 2660	2912	{381EDBAD-36F9-4c6a-ACA8-45539E480B17}.exe	34
PID 2912 wrote to memory of 2144	2912	{381EDBAD-36F9-4c6a-ACA8-45539E480B17}.exe	35
PID 2912 wrote to memory of 2144	2912	{381EDBAD-36F9-4c6a-ACA8-45539E480B17}.exe	35
PID 2912 wrote to memory of 2144	2912	{381EDBAD-36F9-4c6a-ACA8-45539E480B17}.exe	35
PID 2912 wrote to memory of 2144	2912	{381EDBAD-36F9-4c6a-ACA8-45539E480B17}.exe	35
PID 2660 wrote to memory of 1656	2660	{FD6B12B0-63F4-4e66-B26A-3D509D6925A0}.exe	36
PID 2660 wrote to memory of 1656	2660	{FD6B12B0-63F4-4e66-B26A-3D509D6925A0}.exe	36
PID 2660 wrote to memory of 1656	2660	{FD6B12B0-63F4-4e66-B26A-3D509D6925A0}.exe	36
PID 2660 wrote to memory of 1656	2660	{FD6B12B0-63F4-4e66-B26A-3D509D6925A0}.exe	36
PID 2660 wrote to memory of 672	2660	{FD6B12B0-63F4-4e66-B26A-3D509D6925A0}.exe	37
PID 2660 wrote to memory of 672	2660	{FD6B12B0-63F4-4e66-B26A-3D509D6925A0}.exe	37
PID 2660 wrote to memory of 672	2660	{FD6B12B0-63F4-4e66-B26A-3D509D6925A0}.exe	37
PID 2660 wrote to memory of 672	2660	{FD6B12B0-63F4-4e66-B26A-3D509D6925A0}.exe	37
PID 1656 wrote to memory of 2948	1656	{58E3D7FC-2252-4668-975F-7319B2D6BD96}.exe	38
PID 1656 wrote to memory of 2948	1656	{58E3D7FC-2252-4668-975F-7319B2D6BD96}.exe	38
PID 1656 wrote to memory of 2948	1656	{58E3D7FC-2252-4668-975F-7319B2D6BD96}.exe	38
PID 1656 wrote to memory of 2948	1656	{58E3D7FC-2252-4668-975F-7319B2D6BD96}.exe	38
PID 1656 wrote to memory of 2980	1656	{58E3D7FC-2252-4668-975F-7319B2D6BD96}.exe	39
PID 1656 wrote to memory of 2980	1656	{58E3D7FC-2252-4668-975F-7319B2D6BD96}.exe	39
PID 1656 wrote to memory of 2980	1656	{58E3D7FC-2252-4668-975F-7319B2D6BD96}.exe	39
PID 1656 wrote to memory of 2980	1656	{58E3D7FC-2252-4668-975F-7319B2D6BD96}.exe	39
PID 2948 wrote to memory of 1924	2948	{F61AD201-4C55-462f-A161-6A8D4E96F0E6}.exe	40
PID 2948 wrote to memory of 1924	2948	{F61AD201-4C55-462f-A161-6A8D4E96F0E6}.exe	40
PID 2948 wrote to memory of 1924	2948	{F61AD201-4C55-462f-A161-6A8D4E96F0E6}.exe	40
PID 2948 wrote to memory of 1924	2948	{F61AD201-4C55-462f-A161-6A8D4E96F0E6}.exe	40
PID 2948 wrote to memory of 1948	2948	{F61AD201-4C55-462f-A161-6A8D4E96F0E6}.exe	41
PID 2948 wrote to memory of 1948	2948	{F61AD201-4C55-462f-A161-6A8D4E96F0E6}.exe	41
PID 2948 wrote to memory of 1948	2948	{F61AD201-4C55-462f-A161-6A8D4E96F0E6}.exe	41
PID 2948 wrote to memory of 1948	2948	{F61AD201-4C55-462f-A161-6A8D4E96F0E6}.exe	41
PID 1924 wrote to memory of 764	1924	{C0E5F437-9DC4-44e5-81D6-A3E0543E9E37}.exe	42
PID 1924 wrote to memory of 764	1924	{C0E5F437-9DC4-44e5-81D6-A3E0543E9E37}.exe	42
PID 1924 wrote to memory of 764	1924	{C0E5F437-9DC4-44e5-81D6-A3E0543E9E37}.exe	42
PID 1924 wrote to memory of 764	1924	{C0E5F437-9DC4-44e5-81D6-A3E0543E9E37}.exe	42
PID 1924 wrote to memory of 2496	1924	{C0E5F437-9DC4-44e5-81D6-A3E0543E9E37}.exe	43
PID 1924 wrote to memory of 2496	1924	{C0E5F437-9DC4-44e5-81D6-A3E0543E9E37}.exe	43
PID 1924 wrote to memory of 2496	1924	{C0E5F437-9DC4-44e5-81D6-A3E0543E9E37}.exe	43
PID 1924 wrote to memory of 2496	1924	{C0E5F437-9DC4-44e5-81D6-A3E0543E9E37}.exe	43
PID 764 wrote to memory of 1500	764	{8B13AB6E-CFBD-48b8-8296-30D9E7BF1A17}.exe	44
PID 764 wrote to memory of 1500	764	{8B13AB6E-CFBD-48b8-8296-30D9E7BF1A17}.exe	44
PID 764 wrote to memory of 1500	764	{8B13AB6E-CFBD-48b8-8296-30D9E7BF1A17}.exe	44
PID 764 wrote to memory of 1500	764	{8B13AB6E-CFBD-48b8-8296-30D9E7BF1A17}.exe	44
PID 764 wrote to memory of 1064	764	{8B13AB6E-CFBD-48b8-8296-30D9E7BF1A17}.exe	45
PID 764 wrote to memory of 1064	764	{8B13AB6E-CFBD-48b8-8296-30D9E7BF1A17}.exe	45
PID 764 wrote to memory of 1064	764	{8B13AB6E-CFBD-48b8-8296-30D9E7BF1A17}.exe	45
PID 764 wrote to memory of 1064	764	{8B13AB6E-CFBD-48b8-8296-30D9E7BF1A17}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-02-21_6a9af0b6e639d9980880308b947e7d8f_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-21_6a9af0b6e639d9980880308b947e7d8f_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2024
- C:\Windows\{450A5F28-C7B2-4f0d-92F6-C1BF2E3AB793}.exe
  C:\Windows\{450A5F28-C7B2-4f0d-92F6-C1BF2E3AB793}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2268
- - C:\Windows\{381EDBAD-36F9-4c6a-ACA8-45539E480B17}.exe
    C:\Windows\{381EDBAD-36F9-4c6a-ACA8-45539E480B17}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2912
  - - C:\Windows\{FD6B12B0-63F4-4e66-B26A-3D509D6925A0}.exe
      C:\Windows\{FD6B12B0-63F4-4e66-B26A-3D509D6925A0}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2660
    - - C:\Windows\{58E3D7FC-2252-4668-975F-7319B2D6BD96}.exe
        
        C:\Windows\{58E3D7FC-2252-4668-975F-7319B2D6BD96}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1656
      - C:\Windows\{F61AD201-4C55-462f-A161-6A8D4E96F0E6}.exe
        
        C:\Windows\{F61AD201-4C55-462f-A161-6A8D4E96F0E6}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2948
        
        C:\Windows\{C0E5F437-9DC4-44e5-81D6-A3E0543E9E37}.exe
        
        C:\Windows\{C0E5F437-9DC4-44e5-81D6-A3E0543E9E37}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1924
        
        C:\Windows\{8B13AB6E-CFBD-48b8-8296-30D9E7BF1A17}.exe
        
        C:\Windows\{8B13AB6E-CFBD-48b8-8296-30D9E7BF1A17}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:764
        
        C:\Windows\{FA36B643-FAE3-4a95-A8FD-B04FE3B8403A}.exe
        
        C:\Windows\{FA36B643-FAE3-4a95-A8FD-B04FE3B8403A}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1500
        
        C:\Windows\{8C37E2B6-E0BB-4431-9463-4FB5112EA686}.exe
        
        C:\Windows\{8C37E2B6-E0BB-4431-9463-4FB5112EA686}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1620
        
        C:\Windows\{1E436BE5-3FA9-487d-9129-8DC53812E9D4}.exe
        
        C:\Windows\{1E436BE5-3FA9-487d-9129-8DC53812E9D4}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2028
        
        C:\Windows\{6A9C3D6B-9BC0-4181-A7D5-C021FCB0BD2B}.exe
        
        C:\Windows\{6A9C3D6B-9BC0-4181-A7D5-C021FCB0BD2B}.exe
        12⤵
        Executes dropped EXE
        
        PID:940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1E436~1.EXE > nul
        12⤵
        
        PID:956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8C37E~1.EXE > nul
        11⤵
        
        PID:2772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FA36B~1.EXE > nul
        10⤵
        
        PID:860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8B13A~1.EXE > nul
        9⤵
        
        PID:1064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C0E5F~1.EXE > nul
        8⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F61AD~1.EXE > nul
        7⤵
        
        PID:1948
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{58E3D~1.EXE > nul
        6⤵
        
        PID:2980
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FD6B1~1.EXE > nul
        5⤵
        
        PID:672
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{381ED~1.EXE > nul
      4⤵
      PID:2144
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{450A5~1.EXE > nul
    3⤵
    PID:2796
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1E436BE5-3FA9-487d-9129-8DC53812E9D4}.exe

Filesize
380KB

MD5
114532a9a358c4a1755aa02a71345c4a

SHA1
6380382279e46ca66219e316979ff2a103369251

SHA256
89f758450f1e06128ce345455b954c8fccab1fe5dd487f998f6679228348c1ea

SHA512
647943a05a4a6987b85a3de007a602b32e5b23d2c21a4045c04ff00267fa0f1b9ad7a18ed4b188ef843ea02900185a587dfcc3c45ed1f292bf601fc0bc1fb603

Download Submit
C:\Windows\{381EDBAD-36F9-4c6a-ACA8-45539E480B17}.exe

Filesize
380KB

MD5
4579975375ab264c22c947ccf6744343

SHA1
56841efd7cd0211c24c3ee30ee9f0d1d42ee8c1f

SHA256
eae8ac39120f722db2c09aefc17f909760b85f0256af9f4b8ca67b2bdc7ddefa

SHA512
58ae5b7423c5e7efa1ceb21dc657568487297568fb088af47e1b4e6d65397f1de6f5981fad9755d3bf6f53a64eaaff77f064de2b681c70619894cd712838bc3c

Download Submit
C:\Windows\{450A5F28-C7B2-4f0d-92F6-C1BF2E3AB793}.exe

Filesize
380KB

MD5
1d86aa24fe5966898b31699e63edb63c

SHA1
cbb828399d509b334b0da4afc9c0c1500cb5209a

SHA256
940126b36ee9e0a128632ebd125793fb10616029419bbc931b77243addb7b772

SHA512
c5032884557134f6bb8581d61199a7ca8a040b98f3745c3707195ddf76e29bafb93ba9be7efd9c77cec3b0dae5dae22f3b08df090aeaf725f6bf439d65a3b942

Download Submit
C:\Windows\{450A5F28-C7B2-4f0d-92F6-C1BF2E3AB793}.exe

Filesize
304KB

MD5
e78b36891dd6a0501af407ff703d8897

SHA1
e78a397cff6a21d993f80489f53bef2aa8b9af46

SHA256
f1ce8b43f3accc6ab94a71accac6ddc0dd68e31604ac0177976d73bf7e4d9b2a

SHA512
0f1698270ee5504df1eafc25f39d6ff8061c1fb06ec86096530ac533d3d93c25b88415c1cf5b0eb58a0be2e81dad9f8d4d1d35b73b05fc7f3f6127d8c9a4ec63

Download Submit
C:\Windows\{58E3D7FC-2252-4668-975F-7319B2D6BD96}.exe

Filesize
380KB

MD5
cbf139f6559202ede9f7222f52e4bf56

SHA1
9d4fde11937804338882eef750badedcc4433ede

SHA256
6bd077f1995e591de2da60d947650b9d52605286f9c94f9e8cf8284a5caa3fb7

SHA512
cf3fa57268191b6e73b1ac4e7c6a1a789ff709ade55f5854d38ea8384a560d09ba01b21d5514e601aaf7755078a284cb66b99c76f37b80702bc6c36242382779

Download Submit
C:\Windows\{6A9C3D6B-9BC0-4181-A7D5-C021FCB0BD2B}.exe

Filesize
380KB

MD5
37357d0fa6971df4c61acc5520dcc321

SHA1
6982bf1df19b99c3b084c894fb59dc314efb175a

SHA256
151177bec1d368cd0eb45fb4e076487864462e2e68e311f666b998e2f48bdc69

SHA512
7f7b31dd2dde02a2ac44ff6592baf8b48cfeadbe3ac53495dad7e68ba8764faf905adae821183bfd7cef3807b471df7951fa44f54decfea48fac39ec3a7d76d6

Download Submit
C:\Windows\{8B13AB6E-CFBD-48b8-8296-30D9E7BF1A17}.exe

Filesize
380KB

MD5
7dd7ed69cf18a89dfa37318ac5ed4e45

SHA1
ab627b5897437262e5b20e466633b44f62fa7c29

SHA256
0199a706b93bd328f6a18296c11f11ade367345a242fe3dacccbb6b9c6e4667a

SHA512
56e1a7b9ea5fb6bdb5ee83e03125987cc710a094a60a6efb63432b62b6755c610a45285e8b6e644ccea2721f9d97e9b208940c9ca72ef27a8b1eff9fbd1e8964

Download Submit
C:\Windows\{8C37E2B6-E0BB-4431-9463-4FB5112EA686}.exe

Filesize
380KB

MD5
8c2eb6779dbc5656f14270f1459be4ea

SHA1
8ab9581ed2512cfe445f80aa03eead0807de11c5

SHA256
5f4afe7ed2ac60de52831638438f8d3ea60ed791f40d22ea8c83c9beadc19606

SHA512
635c838d48ad80c54cb1398d9e5c7689d1e38d80581ff22b0ef59f0dfe6d1f821cca1d69ea051641e4bb7e82a88cb068e00f388e96667bac22567cc54ee60eeb

Download Submit
C:\Windows\{C0E5F437-9DC4-44e5-81D6-A3E0543E9E37}.exe

Filesize
380KB

MD5
3023e6b46d46b5f092a056470bd70895

SHA1
6bf6f9381df5a6ba8c84d38eea1c70b5be7c5c3e

SHA256
3a8e812de422d50e1efb1d1ddee9310c9529541c10d3b3d5432c8a268da6a41f

SHA512
0901438316584fa4e3490146091f769c51ce92270948a43e6599008dd55bd618a1410e621f7f63323c7f8511f03da973707003b18dfd89dc9ab5284d4cf7e019

Download Submit
C:\Windows\{F61AD201-4C55-462f-A161-6A8D4E96F0E6}.exe

Filesize
380KB

MD5
e36702adb09b16ef123154298b49fc06

SHA1
5fdbfa04d4d090f5e0006482733de566035ebd91

SHA256
fbf76bc26f9bad42541a441976af47b0e32a083c69bd41f616d7053cda61a1cc

SHA512
35a2f11a7a886c844cdc1d542149d072014a4bf96dc1852386511ae4da8381e2cb42a8db02808a6295d05abb16089185c0927f1168af7fe2ac03b49692a4b4a4

Download Submit
C:\Windows\{FA36B643-FAE3-4a95-A8FD-B04FE3B8403A}.exe

Filesize
380KB

MD5
55ad13801daf87a7c1d6a71012b8c347

SHA1
08792e8e47cd5fc376a7fd6a79cbad13c7181729

SHA256
af0ad7b5a63abde929a5d7b201f9ea4c4ff33eff753ecf1433965ae0983da043

SHA512
bf5c6cf78b060fd143d265cf435b5c76f70195be3ba55dae69e72047503534492452155fcb75662806888afcadfe74ec64df400aecd8fc224697dabf453a74a1

Download Submit
C:\Windows\{FD6B12B0-63F4-4e66-B26A-3D509D6925A0}.exe

Filesize
380KB

MD5
8b68b91277d8f12e6cf8e949ee140031

SHA1
e2f9e8d90aa4bbcb7ee9df73a22b9e5132e28594

SHA256
de6be95eddbe0e4fce19b01511caf276eae2dc01e269c10a0a2bd8b0bb4e8869

SHA512
9b8237ce051230722fe601ceff976b87ac9285950cf0347e96e02c58682655be80b78e9fe4eb147fddbb7a52c5c53ab40537eeb9f528d35aab1b937f9fefdb06

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads