f809475b080a75b226bf7eb91a11fdb6eaec7073929fbe85837d4c94b81b707f

Analysis

max time kernel
144s
max time network
118s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
21-02-2024 17:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-21_186119dce7506ccefe49a256b1709d1d_goldeneye.exe
Size

204KB
MD5

186119dce7506ccefe49a256b1709d1d
SHA1

5d9243102cf53c8eb8087d723bc607c2eac67784
SHA256

f809475b080a75b226bf7eb91a11fdb6eaec7073929fbe85837d4c94b81b707f
SHA512

984c2339a49c0da14528b654d2cae98b4052a9aa52fe240c4141bcc3a8f7fd1e3680af6c91b5cb62609fedc9e212b8ead1212f6e9a5030c8d4d3c635ae251150
SSDEEP

1536:1EGh0o9l15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0o9l1OPOe2MUVg3Ve+rXfMUy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000d00000001232e-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b00000001424e-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e00000001232e-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00320000000144e4-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00330000000144e4-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00340000000144e4-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00320000000144f0-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1DEF4756-8D7F-4ac3-B644-C7617764C102}	{831B621B-6FA8-4605-884B-A0A4C108EB6D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1DEF4756-8D7F-4ac3-B644-C7617764C102}\stubpath = "C:\\Windows\\{1DEF4756-8D7F-4ac3-B644-C7617764C102}.exe"	{831B621B-6FA8-4605-884B-A0A4C108EB6D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B268CDC1-89B7-4c78-89DE-C684E8ABABDC}	{FB4944D9-F51C-4d0a-9552-C7246D5B06C9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C2DF44A5-1D39-4832-A9E9-B2DF8D640ACA}\stubpath = "C:\\Windows\\{C2DF44A5-1D39-4832-A9E9-B2DF8D640ACA}.exe"	{B268CDC1-89B7-4c78-89DE-C684E8ABABDC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D6E1607C-15E8-45a7-AE94-99EE9996D876}\stubpath = "C:\\Windows\\{D6E1607C-15E8-45a7-AE94-99EE9996D876}.exe"	{C2DF44A5-1D39-4832-A9E9-B2DF8D640ACA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{723C7AE1-91E5-4c77-8AAD-0605D08C1C27}	{9B1949DC-722C-46c4-BDB5-7EF6AD1AB316}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9B1949DC-722C-46c4-BDB5-7EF6AD1AB316}	{440F1043-947F-4066-AEBA-39A867A438E1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{831B621B-6FA8-4605-884B-A0A4C108EB6D}\stubpath = "C:\\Windows\\{831B621B-6FA8-4605-884B-A0A4C108EB6D}.exe"	{723C7AE1-91E5-4c77-8AAD-0605D08C1C27}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A2D6E39E-6039-4b9b-AA3B-375C8FC0B170}	{6579ED88-9B37-466e-9951-82023FB4030E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FB4944D9-F51C-4d0a-9552-C7246D5B06C9}\stubpath = "C:\\Windows\\{FB4944D9-F51C-4d0a-9552-C7246D5B06C9}.exe"	2024-02-21_186119dce7506ccefe49a256b1709d1d_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D6E1607C-15E8-45a7-AE94-99EE9996D876}	{C2DF44A5-1D39-4832-A9E9-B2DF8D640ACA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{440F1043-947F-4066-AEBA-39A867A438E1}	{D6E1607C-15E8-45a7-AE94-99EE9996D876}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{440F1043-947F-4066-AEBA-39A867A438E1}\stubpath = "C:\\Windows\\{440F1043-947F-4066-AEBA-39A867A438E1}.exe"	{D6E1607C-15E8-45a7-AE94-99EE9996D876}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9B1949DC-722C-46c4-BDB5-7EF6AD1AB316}\stubpath = "C:\\Windows\\{9B1949DC-722C-46c4-BDB5-7EF6AD1AB316}.exe"	{440F1043-947F-4066-AEBA-39A867A438E1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{831B621B-6FA8-4605-884B-A0A4C108EB6D}	{723C7AE1-91E5-4c77-8AAD-0605D08C1C27}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6579ED88-9B37-466e-9951-82023FB4030E}	{1DEF4756-8D7F-4ac3-B644-C7617764C102}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6579ED88-9B37-466e-9951-82023FB4030E}\stubpath = "C:\\Windows\\{6579ED88-9B37-466e-9951-82023FB4030E}.exe"	{1DEF4756-8D7F-4ac3-B644-C7617764C102}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A2D6E39E-6039-4b9b-AA3B-375C8FC0B170}\stubpath = "C:\\Windows\\{A2D6E39E-6039-4b9b-AA3B-375C8FC0B170}.exe"	{6579ED88-9B37-466e-9951-82023FB4030E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FB4944D9-F51C-4d0a-9552-C7246D5B06C9}	2024-02-21_186119dce7506ccefe49a256b1709d1d_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B268CDC1-89B7-4c78-89DE-C684E8ABABDC}\stubpath = "C:\\Windows\\{B268CDC1-89B7-4c78-89DE-C684E8ABABDC}.exe"	{FB4944D9-F51C-4d0a-9552-C7246D5B06C9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C2DF44A5-1D39-4832-A9E9-B2DF8D640ACA}	{B268CDC1-89B7-4c78-89DE-C684E8ABABDC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{723C7AE1-91E5-4c77-8AAD-0605D08C1C27}\stubpath = "C:\\Windows\\{723C7AE1-91E5-4c77-8AAD-0605D08C1C27}.exe"	{9B1949DC-722C-46c4-BDB5-7EF6AD1AB316}.exe

Deletes itself 1 IoCs

pid	Process
2612	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2392	{FB4944D9-F51C-4d0a-9552-C7246D5B06C9}.exe
2752	{B268CDC1-89B7-4c78-89DE-C684E8ABABDC}.exe
2296	{C2DF44A5-1D39-4832-A9E9-B2DF8D640ACA}.exe
3032	{D6E1607C-15E8-45a7-AE94-99EE9996D876}.exe
2756	{440F1043-947F-4066-AEBA-39A867A438E1}.exe
2416	{9B1949DC-722C-46c4-BDB5-7EF6AD1AB316}.exe
1776	{723C7AE1-91E5-4c77-8AAD-0605D08C1C27}.exe
2632	{831B621B-6FA8-4605-884B-A0A4C108EB6D}.exe
2988	{1DEF4756-8D7F-4ac3-B644-C7617764C102}.exe
2080	{6579ED88-9B37-466e-9951-82023FB4030E}.exe
972	{A2D6E39E-6039-4b9b-AA3B-375C8FC0B170}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{FB4944D9-F51C-4d0a-9552-C7246D5B06C9}.exe	2024-02-21_186119dce7506ccefe49a256b1709d1d_goldeneye.exe
File created	C:\Windows\{D6E1607C-15E8-45a7-AE94-99EE9996D876}.exe	{C2DF44A5-1D39-4832-A9E9-B2DF8D640ACA}.exe
File created	C:\Windows\{723C7AE1-91E5-4c77-8AAD-0605D08C1C27}.exe	{9B1949DC-722C-46c4-BDB5-7EF6AD1AB316}.exe
File created	C:\Windows\{6579ED88-9B37-466e-9951-82023FB4030E}.exe	{1DEF4756-8D7F-4ac3-B644-C7617764C102}.exe
File created	C:\Windows\{A2D6E39E-6039-4b9b-AA3B-375C8FC0B170}.exe	{6579ED88-9B37-466e-9951-82023FB4030E}.exe
File created	C:\Windows\{1DEF4756-8D7F-4ac3-B644-C7617764C102}.exe	{831B621B-6FA8-4605-884B-A0A4C108EB6D}.exe
File created	C:\Windows\{B268CDC1-89B7-4c78-89DE-C684E8ABABDC}.exe	{FB4944D9-F51C-4d0a-9552-C7246D5B06C9}.exe
File created	C:\Windows\{C2DF44A5-1D39-4832-A9E9-B2DF8D640ACA}.exe	{B268CDC1-89B7-4c78-89DE-C684E8ABABDC}.exe
File created	C:\Windows\{440F1043-947F-4066-AEBA-39A867A438E1}.exe	{D6E1607C-15E8-45a7-AE94-99EE9996D876}.exe
File created	C:\Windows\{9B1949DC-722C-46c4-BDB5-7EF6AD1AB316}.exe	{440F1043-947F-4066-AEBA-39A867A438E1}.exe
File created	C:\Windows\{831B621B-6FA8-4605-884B-A0A4C108EB6D}.exe	{723C7AE1-91E5-4c77-8AAD-0605D08C1C27}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2512	2024-02-21_186119dce7506ccefe49a256b1709d1d_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2392	{FB4944D9-F51C-4d0a-9552-C7246D5B06C9}.exe
Token: SeIncBasePriorityPrivilege	2752	{B268CDC1-89B7-4c78-89DE-C684E8ABABDC}.exe
Token: SeIncBasePriorityPrivilege	2296	{C2DF44A5-1D39-4832-A9E9-B2DF8D640ACA}.exe
Token: SeIncBasePriorityPrivilege	3032	{D6E1607C-15E8-45a7-AE94-99EE9996D876}.exe
Token: SeIncBasePriorityPrivilege	2756	{440F1043-947F-4066-AEBA-39A867A438E1}.exe
Token: SeIncBasePriorityPrivilege	2416	{9B1949DC-722C-46c4-BDB5-7EF6AD1AB316}.exe
Token: SeIncBasePriorityPrivilege	1776	{723C7AE1-91E5-4c77-8AAD-0605D08C1C27}.exe
Token: SeIncBasePriorityPrivilege	2632	{831B621B-6FA8-4605-884B-A0A4C108EB6D}.exe
Token: SeIncBasePriorityPrivilege	2988	{1DEF4756-8D7F-4ac3-B644-C7617764C102}.exe
Token: SeIncBasePriorityPrivilege	2080	{6579ED88-9B37-466e-9951-82023FB4030E}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2512 wrote to memory of 2392	2512	2024-02-21_186119dce7506ccefe49a256b1709d1d_goldeneye.exe	28
PID 2512 wrote to memory of 2392	2512	2024-02-21_186119dce7506ccefe49a256b1709d1d_goldeneye.exe	28
PID 2512 wrote to memory of 2392	2512	2024-02-21_186119dce7506ccefe49a256b1709d1d_goldeneye.exe	28
PID 2512 wrote to memory of 2392	2512	2024-02-21_186119dce7506ccefe49a256b1709d1d_goldeneye.exe	28
PID 2512 wrote to memory of 2612	2512	2024-02-21_186119dce7506ccefe49a256b1709d1d_goldeneye.exe	29
PID 2512 wrote to memory of 2612	2512	2024-02-21_186119dce7506ccefe49a256b1709d1d_goldeneye.exe	29
PID 2512 wrote to memory of 2612	2512	2024-02-21_186119dce7506ccefe49a256b1709d1d_goldeneye.exe	29
PID 2512 wrote to memory of 2612	2512	2024-02-21_186119dce7506ccefe49a256b1709d1d_goldeneye.exe	29
PID 2392 wrote to memory of 2752	2392	{FB4944D9-F51C-4d0a-9552-C7246D5B06C9}.exe	30
PID 2392 wrote to memory of 2752	2392	{FB4944D9-F51C-4d0a-9552-C7246D5B06C9}.exe	30
PID 2392 wrote to memory of 2752	2392	{FB4944D9-F51C-4d0a-9552-C7246D5B06C9}.exe	30
PID 2392 wrote to memory of 2752	2392	{FB4944D9-F51C-4d0a-9552-C7246D5B06C9}.exe	30
PID 2392 wrote to memory of 2572	2392	{FB4944D9-F51C-4d0a-9552-C7246D5B06C9}.exe	31
PID 2392 wrote to memory of 2572	2392	{FB4944D9-F51C-4d0a-9552-C7246D5B06C9}.exe	31
PID 2392 wrote to memory of 2572	2392	{FB4944D9-F51C-4d0a-9552-C7246D5B06C9}.exe	31
PID 2392 wrote to memory of 2572	2392	{FB4944D9-F51C-4d0a-9552-C7246D5B06C9}.exe	31
PID 2752 wrote to memory of 2296	2752	{B268CDC1-89B7-4c78-89DE-C684E8ABABDC}.exe	33
PID 2752 wrote to memory of 2296	2752	{B268CDC1-89B7-4c78-89DE-C684E8ABABDC}.exe	33
PID 2752 wrote to memory of 2296	2752	{B268CDC1-89B7-4c78-89DE-C684E8ABABDC}.exe	33
PID 2752 wrote to memory of 2296	2752	{B268CDC1-89B7-4c78-89DE-C684E8ABABDC}.exe	33
PID 2752 wrote to memory of 2456	2752	{B268CDC1-89B7-4c78-89DE-C684E8ABABDC}.exe	32
PID 2752 wrote to memory of 2456	2752	{B268CDC1-89B7-4c78-89DE-C684E8ABABDC}.exe	32
PID 2752 wrote to memory of 2456	2752	{B268CDC1-89B7-4c78-89DE-C684E8ABABDC}.exe	32
PID 2752 wrote to memory of 2456	2752	{B268CDC1-89B7-4c78-89DE-C684E8ABABDC}.exe	32
PID 2296 wrote to memory of 3032	2296	{C2DF44A5-1D39-4832-A9E9-B2DF8D640ACA}.exe	36
PID 2296 wrote to memory of 3032	2296	{C2DF44A5-1D39-4832-A9E9-B2DF8D640ACA}.exe	36
PID 2296 wrote to memory of 3032	2296	{C2DF44A5-1D39-4832-A9E9-B2DF8D640ACA}.exe	36
PID 2296 wrote to memory of 3032	2296	{C2DF44A5-1D39-4832-A9E9-B2DF8D640ACA}.exe	36
PID 2296 wrote to memory of 3024	2296	{C2DF44A5-1D39-4832-A9E9-B2DF8D640ACA}.exe	37
PID 2296 wrote to memory of 3024	2296	{C2DF44A5-1D39-4832-A9E9-B2DF8D640ACA}.exe	37
PID 2296 wrote to memory of 3024	2296	{C2DF44A5-1D39-4832-A9E9-B2DF8D640ACA}.exe	37
PID 2296 wrote to memory of 3024	2296	{C2DF44A5-1D39-4832-A9E9-B2DF8D640ACA}.exe	37
PID 3032 wrote to memory of 2756	3032	{D6E1607C-15E8-45a7-AE94-99EE9996D876}.exe	38
PID 3032 wrote to memory of 2756	3032	{D6E1607C-15E8-45a7-AE94-99EE9996D876}.exe	38
PID 3032 wrote to memory of 2756	3032	{D6E1607C-15E8-45a7-AE94-99EE9996D876}.exe	38
PID 3032 wrote to memory of 2756	3032	{D6E1607C-15E8-45a7-AE94-99EE9996D876}.exe	38
PID 3032 wrote to memory of 2812	3032	{D6E1607C-15E8-45a7-AE94-99EE9996D876}.exe	39
PID 3032 wrote to memory of 2812	3032	{D6E1607C-15E8-45a7-AE94-99EE9996D876}.exe	39
PID 3032 wrote to memory of 2812	3032	{D6E1607C-15E8-45a7-AE94-99EE9996D876}.exe	39
PID 3032 wrote to memory of 2812	3032	{D6E1607C-15E8-45a7-AE94-99EE9996D876}.exe	39
PID 2756 wrote to memory of 2416	2756	{440F1043-947F-4066-AEBA-39A867A438E1}.exe	40
PID 2756 wrote to memory of 2416	2756	{440F1043-947F-4066-AEBA-39A867A438E1}.exe	40
PID 2756 wrote to memory of 2416	2756	{440F1043-947F-4066-AEBA-39A867A438E1}.exe	40
PID 2756 wrote to memory of 2416	2756	{440F1043-947F-4066-AEBA-39A867A438E1}.exe	40
PID 2756 wrote to memory of 2228	2756	{440F1043-947F-4066-AEBA-39A867A438E1}.exe	41
PID 2756 wrote to memory of 2228	2756	{440F1043-947F-4066-AEBA-39A867A438E1}.exe	41
PID 2756 wrote to memory of 2228	2756	{440F1043-947F-4066-AEBA-39A867A438E1}.exe	41
PID 2756 wrote to memory of 2228	2756	{440F1043-947F-4066-AEBA-39A867A438E1}.exe	41
PID 2416 wrote to memory of 1776	2416	{9B1949DC-722C-46c4-BDB5-7EF6AD1AB316}.exe	42
PID 2416 wrote to memory of 1776	2416	{9B1949DC-722C-46c4-BDB5-7EF6AD1AB316}.exe	42
PID 2416 wrote to memory of 1776	2416	{9B1949DC-722C-46c4-BDB5-7EF6AD1AB316}.exe	42
PID 2416 wrote to memory of 1776	2416	{9B1949DC-722C-46c4-BDB5-7EF6AD1AB316}.exe	42
PID 2416 wrote to memory of 1692	2416	{9B1949DC-722C-46c4-BDB5-7EF6AD1AB316}.exe	43
PID 2416 wrote to memory of 1692	2416	{9B1949DC-722C-46c4-BDB5-7EF6AD1AB316}.exe	43
PID 2416 wrote to memory of 1692	2416	{9B1949DC-722C-46c4-BDB5-7EF6AD1AB316}.exe	43
PID 2416 wrote to memory of 1692	2416	{9B1949DC-722C-46c4-BDB5-7EF6AD1AB316}.exe	43
PID 1776 wrote to memory of 2632	1776	{723C7AE1-91E5-4c77-8AAD-0605D08C1C27}.exe	44
PID 1776 wrote to memory of 2632	1776	{723C7AE1-91E5-4c77-8AAD-0605D08C1C27}.exe	44
PID 1776 wrote to memory of 2632	1776	{723C7AE1-91E5-4c77-8AAD-0605D08C1C27}.exe	44
PID 1776 wrote to memory of 2632	1776	{723C7AE1-91E5-4c77-8AAD-0605D08C1C27}.exe	44
PID 1776 wrote to memory of 1616	1776	{723C7AE1-91E5-4c77-8AAD-0605D08C1C27}.exe	45
PID 1776 wrote to memory of 1616	1776	{723C7AE1-91E5-4c77-8AAD-0605D08C1C27}.exe	45
PID 1776 wrote to memory of 1616	1776	{723C7AE1-91E5-4c77-8AAD-0605D08C1C27}.exe	45
PID 1776 wrote to memory of 1616	1776	{723C7AE1-91E5-4c77-8AAD-0605D08C1C27}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-02-21_186119dce7506ccefe49a256b1709d1d_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-21_186119dce7506ccefe49a256b1709d1d_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2512
- C:\Windows\{FB4944D9-F51C-4d0a-9552-C7246D5B06C9}.exe
  C:\Windows\{FB4944D9-F51C-4d0a-9552-C7246D5B06C9}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2392
- - C:\Windows\{B268CDC1-89B7-4c78-89DE-C684E8ABABDC}.exe
    C:\Windows\{B268CDC1-89B7-4c78-89DE-C684E8ABABDC}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2752
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{B268C~1.EXE > nul
      4⤵
      PID:2456
  - - C:\Windows\{C2DF44A5-1D39-4832-A9E9-B2DF8D640ACA}.exe
      C:\Windows\{C2DF44A5-1D39-4832-A9E9-B2DF8D640ACA}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2296
    - - C:\Windows\{D6E1607C-15E8-45a7-AE94-99EE9996D876}.exe
        
        C:\Windows\{D6E1607C-15E8-45a7-AE94-99EE9996D876}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3032
      - C:\Windows\{440F1043-947F-4066-AEBA-39A867A438E1}.exe
        
        C:\Windows\{440F1043-947F-4066-AEBA-39A867A438E1}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2756
        
        C:\Windows\{9B1949DC-722C-46c4-BDB5-7EF6AD1AB316}.exe
        
        C:\Windows\{9B1949DC-722C-46c4-BDB5-7EF6AD1AB316}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2416
        
        C:\Windows\{723C7AE1-91E5-4c77-8AAD-0605D08C1C27}.exe
        
        C:\Windows\{723C7AE1-91E5-4c77-8AAD-0605D08C1C27}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1776
        
        C:\Windows\{831B621B-6FA8-4605-884B-A0A4C108EB6D}.exe
        
        C:\Windows\{831B621B-6FA8-4605-884B-A0A4C108EB6D}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2632
        
        C:\Windows\{1DEF4756-8D7F-4ac3-B644-C7617764C102}.exe
        
        C:\Windows\{1DEF4756-8D7F-4ac3-B644-C7617764C102}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2988
        
        C:\Windows\{6579ED88-9B37-466e-9951-82023FB4030E}.exe
        
        C:\Windows\{6579ED88-9B37-466e-9951-82023FB4030E}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2080
        
        C:\Windows\{A2D6E39E-6039-4b9b-AA3B-375C8FC0B170}.exe
        
        C:\Windows\{A2D6E39E-6039-4b9b-AA3B-375C8FC0B170}.exe
        12⤵
        Executes dropped EXE
        
        PID:972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6579E~1.EXE > nul
        12⤵
        
        PID:636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1DEF4~1.EXE > nul
        11⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{831B6~1.EXE > nul
        10⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{723C7~1.EXE > nul
        9⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9B194~1.EXE > nul
        8⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{440F1~1.EXE > nul
        7⤵
        
        PID:2228
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D6E16~1.EXE > nul
        6⤵
        
        PID:2812
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C2DF4~1.EXE > nul
        5⤵
        
        PID:3024
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{FB494~1.EXE > nul
    3⤵
    PID:2572
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1DEF4756-8D7F-4ac3-B644-C7617764C102}.exe

Filesize
204KB

MD5
1a5f1499f57aab1bea8b4a7ab611a95f

SHA1
26f218ea6583a3f520f49123f5e9463ef6014722

SHA256
dd53c4aadb83d0c5c6bcd56293558a579a0e747141bcef3b6cfce62d5cc1009a

SHA512
8d6a047986516c7cb2d70919bba823e584ae83a68eaec387ad483e22040492e494aec26d7d22ed387503dc4065cef4a6162b820a20604af0f41f8d96d35a9cf1

Download Submit
C:\Windows\{440F1043-947F-4066-AEBA-39A867A438E1}.exe

Filesize
204KB

MD5
c4eb8c3645b38be9b2a103806a6491a8

SHA1
dc7f26a5b7f6f58fce90f9cf53243117b34b58c3

SHA256
c6d33f5d0ec0c835512e5a833f948a9110f0382dfc26167493215353dada4d42

SHA512
f081ca307d0f7203be69e748c1738b865035ffe232c7bb22f4af4e0e0d8f7f4276881da7a4593edf2e2e5ba9e1100e5e3508640e95f5d084d9eba7228bfe69f1

Download Submit
C:\Windows\{6579ED88-9B37-466e-9951-82023FB4030E}.exe

Filesize
204KB

MD5
cec1da4374f8e1be6ac2ed48f5e80278

SHA1
f098b61e3d16798fc47592316f32be71e37e771e

SHA256
af7c53dd1b08bda0f3714cd54764c15e0bd4e24c551b95c332bfc1cf5471cdef

SHA512
e775d2faec716fb623e8347826a68b7859f92a4c02cd5773a30c9b0b1b16078a2a9aaf4eca2f7d1359601e4f00ed03195df630af504e0705d1f34afaae2768f5

Download Submit
C:\Windows\{723C7AE1-91E5-4c77-8AAD-0605D08C1C27}.exe

Filesize
204KB

MD5
e2bb23d6c36356ae0de1c3ac2a3c54c6

SHA1
a4d1f5cea03fd21046b588f5aa0b2a219676e8ce

SHA256
eb39add5a411fc3a4febad2d7a663329c654b392d85c535edb88cdd9909e6a18

SHA512
ece416ec4eb184893724382c71d7afcdc731794d5a4a618df08e292f0454c31d1e1f84e89ff14f0c08f331fe87712a0f588d59a07d2e742e11d94764646642db

Download Submit
C:\Windows\{831B621B-6FA8-4605-884B-A0A4C108EB6D}.exe

Filesize
204KB

MD5
a4d490bb8f662b2ae87d1f58d648eca0

SHA1
86c4a19eb90b7257c6200749d5c66533de64b406

SHA256
016550739658b4afe7b4e77284a7ba386ebeadfaffe1da39f6830cbd19613962

SHA512
f63f91b85a7672a713b01e81176337985a583b2c27421bb961e4e96b7b4c81e29ce72d91ffd322fc743067b59451e03c9eb16281c050a91f02b9fbc5ee99d705

Download Submit
C:\Windows\{9B1949DC-722C-46c4-BDB5-7EF6AD1AB316}.exe

Filesize
204KB

MD5
e559e04609bea65eb8d121c063a04d78

SHA1
6fe34036105b2d1c08bcab82665b76971abb4385

SHA256
c203df489fd5f9658fe6ba7fa62b7ac1d8a6ce9adbc053095bdfdb518ec7e620

SHA512
995b7ff30b2dcca8b6e5d2e38bef2b580f335ba1f74ecd0abad8772376d23062ed8d785e432dcf8ad7dc18432ade2dc3170cfb688e77779eff43d1fe13276b56

Download Submit
C:\Windows\{A2D6E39E-6039-4b9b-AA3B-375C8FC0B170}.exe

Filesize
204KB

MD5
ed7311ca94dcac8e0a8d1a7c90827590

SHA1
409e41d66d3b9f8832f0a05b8e22493f6e5e0abf

SHA256
4aa689391a047cb392bbcb737d770ff1ba0f3f9a400a46f6229c3311ad2d1952

SHA512
b5cb1e555b951db69d695f88f19e68966862670ce75d00609afdfb1d745bb0684fed9e9c62594b609f3f2adefbbcd5e7e1baf5240d93e358982c35763f072dbd

Download Submit
C:\Windows\{B268CDC1-89B7-4c78-89DE-C684E8ABABDC}.exe

Filesize
204KB

MD5
dbe81390845c2014cc3ef32f04349aa3

SHA1
fd1624a8a2cdab2e247b6079c3cc4aeb22ce13d3

SHA256
3b96726dc64187b07242ed320025bf28ae77484c9fd05adf0f6f6620b37b70c6

SHA512
5ab47fdeed896ab30555a0faf0e21d66bba4c1c5caf29ac8bab55c4446a3753a3868abe8e2c0135516fa652c36f8b4258dee43c3762f827922763b320d9d3d13

Download Submit
C:\Windows\{C2DF44A5-1D39-4832-A9E9-B2DF8D640ACA}.exe

Filesize
204KB

MD5
4f353630838ccbeaa204603f07acf4c2

SHA1
3ae1b11e5586f75617a71cd8cc9da74d11753bf3

SHA256
ee5351013a94e8c15066b19743a9f6ff7bf35e73ee3c9b48799f68b4a6fb686f

SHA512
e7131591e13e32b0ec8b36baef0c7ba3b3eaa616d9b658820da5d6f83a05bbb64c9a503e78310d085f473efd3f67b34fb415039601743811bc82ceb71464ab96

Download Submit
C:\Windows\{D6E1607C-15E8-45a7-AE94-99EE9996D876}.exe

Filesize
204KB

MD5
f0a661f6a8bea1bdb8caea6e89aa89df

SHA1
6796bdf813a326614cdbecefdbd0aa1351900491

SHA256
8df0bd910e696a9e0ed7e8d0ba3c36107cb7b5497bab841fba5c44f1b3f961f9

SHA512
2708af5fb803c1cc39d0b47401deb3b7dd89c45c7f4d483c8b2d8f8b258d5db49a9d1bdbf430f107123d8f3286ada1b313acd3fe2c76073521ae1e65625cc318

Download Submit
C:\Windows\{FB4944D9-F51C-4d0a-9552-C7246D5B06C9}.exe

Filesize
204KB

MD5
8af081ff881240ee7ae7dc688e0aac20

SHA1
6ce609011811eef719a9e2260a8e4a075c2be795

SHA256
8ea3b17bc4b5b56ca1448fe053335377a326608f39ff595cdd84b0205ebf9613

SHA512
d7e1d3cf23db957de3a961d0ce20d91cef5a2cdd7228f7f1f6da4ab68ac22adfe33aa35be7bd647eaa1d6552438890abb74aa6173298ff981a4a0cccf7b848f1

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads