2258daf0f6b1124bd9b704a9069c803a53fa33a497fe3e6208b0e664fd7e7ee4

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
24/02/2024, 06:43

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-02-24_e3a69aee9dc0cfee85255467aecf41de_goldeneye.exe
Size

408KB
MD5

e3a69aee9dc0cfee85255467aecf41de
SHA1

4375acbc16121ad9aae38ddb3e9f544e9c30b44c
SHA256

2258daf0f6b1124bd9b704a9069c803a53fa33a497fe3e6208b0e664fd7e7ee4
SHA512

38031a207b5017789dac66661439afa7aead9237f119f958dd860b113d48400adcff0ad41809140813f689c66a537ff2039be7078e4235d5964073f3d82b6b2a
SSDEEP

3072:CEGh0oWl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGwldOe2MUVg3vTeKcAEciTBqr3jy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000c000000012253-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b00000001472f-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000012253-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0030000000014f57-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e000000012253-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f000000012253-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0010000000012253-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{58C225B8-2EC0-449b-BB8B-8BB5AC70EB7C}	{7EB6B532-F6CD-4a36-B474-15C29B94DF07}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{58C225B8-2EC0-449b-BB8B-8BB5AC70EB7C}\stubpath = "C:\\Windows\\{58C225B8-2EC0-449b-BB8B-8BB5AC70EB7C}.exe"	{7EB6B532-F6CD-4a36-B474-15C29B94DF07}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C70BC894-09FC-4d27-B9C9-B5E23A98FB4D}\stubpath = "C:\\Windows\\{C70BC894-09FC-4d27-B9C9-B5E23A98FB4D}.exe"	{4A6664D1-FD5E-4242-90C0-CA0EED0D94FC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A380CCD2-BA25-4f8a-8354-FBDEF415B2EA}\stubpath = "C:\\Windows\\{A380CCD2-BA25-4f8a-8354-FBDEF415B2EA}.exe"	{C70BC894-09FC-4d27-B9C9-B5E23A98FB4D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CF23AD3D-684E-4feb-8D9A-19D5BF78D8CF}	{A380CCD2-BA25-4f8a-8354-FBDEF415B2EA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CF23AD3D-684E-4feb-8D9A-19D5BF78D8CF}\stubpath = "C:\\Windows\\{CF23AD3D-684E-4feb-8D9A-19D5BF78D8CF}.exe"	{A380CCD2-BA25-4f8a-8354-FBDEF415B2EA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{42B6D573-078F-463d-BB3C-BF118DE1F17E}\stubpath = "C:\\Windows\\{42B6D573-078F-463d-BB3C-BF118DE1F17E}.exe"	{CF23AD3D-684E-4feb-8D9A-19D5BF78D8CF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7EB6B532-F6CD-4a36-B474-15C29B94DF07}	{ADBEA1C4-D08F-4e18-9F37-581820B4F9C2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{77DF311F-F117-42ed-BCC5-F61C5953C3DF}	{AEEB2419-D431-421b-913B-13DCCE0D03E4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C70BC894-09FC-4d27-B9C9-B5E23A98FB4D}	{4A6664D1-FD5E-4242-90C0-CA0EED0D94FC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{15BE8D87-AEA4-4878-B425-B5A97184602B}\stubpath = "C:\\Windows\\{15BE8D87-AEA4-4878-B425-B5A97184602B}.exe"	2024-02-24_e3a69aee9dc0cfee85255467aecf41de_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4A6664D1-FD5E-4242-90C0-CA0EED0D94FC}	{15BE8D87-AEA4-4878-B425-B5A97184602B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A380CCD2-BA25-4f8a-8354-FBDEF415B2EA}	{C70BC894-09FC-4d27-B9C9-B5E23A98FB4D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{42B6D573-078F-463d-BB3C-BF118DE1F17E}	{CF23AD3D-684E-4feb-8D9A-19D5BF78D8CF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ADBEA1C4-D08F-4e18-9F37-581820B4F9C2}	{42B6D573-078F-463d-BB3C-BF118DE1F17E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AEEB2419-D431-421b-913B-13DCCE0D03E4}	{58C225B8-2EC0-449b-BB8B-8BB5AC70EB7C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AEEB2419-D431-421b-913B-13DCCE0D03E4}\stubpath = "C:\\Windows\\{AEEB2419-D431-421b-913B-13DCCE0D03E4}.exe"	{58C225B8-2EC0-449b-BB8B-8BB5AC70EB7C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{15BE8D87-AEA4-4878-B425-B5A97184602B}	2024-02-24_e3a69aee9dc0cfee85255467aecf41de_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{77DF311F-F117-42ed-BCC5-F61C5953C3DF}\stubpath = "C:\\Windows\\{77DF311F-F117-42ed-BCC5-F61C5953C3DF}.exe"	{AEEB2419-D431-421b-913B-13DCCE0D03E4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ADBEA1C4-D08F-4e18-9F37-581820B4F9C2}\stubpath = "C:\\Windows\\{ADBEA1C4-D08F-4e18-9F37-581820B4F9C2}.exe"	{42B6D573-078F-463d-BB3C-BF118DE1F17E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7EB6B532-F6CD-4a36-B474-15C29B94DF07}\stubpath = "C:\\Windows\\{7EB6B532-F6CD-4a36-B474-15C29B94DF07}.exe"	{ADBEA1C4-D08F-4e18-9F37-581820B4F9C2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4A6664D1-FD5E-4242-90C0-CA0EED0D94FC}\stubpath = "C:\\Windows\\{4A6664D1-FD5E-4242-90C0-CA0EED0D94FC}.exe"	{15BE8D87-AEA4-4878-B425-B5A97184602B}.exe

Deletes itself 1 IoCs

pid	Process
2580	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2512	{15BE8D87-AEA4-4878-B425-B5A97184602B}.exe
2608	{4A6664D1-FD5E-4242-90C0-CA0EED0D94FC}.exe
2600	{C70BC894-09FC-4d27-B9C9-B5E23A98FB4D}.exe
2548	{A380CCD2-BA25-4f8a-8354-FBDEF415B2EA}.exe
2244	{CF23AD3D-684E-4feb-8D9A-19D5BF78D8CF}.exe
1260	{42B6D573-078F-463d-BB3C-BF118DE1F17E}.exe
1368	{ADBEA1C4-D08F-4e18-9F37-581820B4F9C2}.exe
2040	{7EB6B532-F6CD-4a36-B474-15C29B94DF07}.exe
1992	{58C225B8-2EC0-449b-BB8B-8BB5AC70EB7C}.exe
692	{AEEB2419-D431-421b-913B-13DCCE0D03E4}.exe
352	{77DF311F-F117-42ed-BCC5-F61C5953C3DF}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{15BE8D87-AEA4-4878-B425-B5A97184602B}.exe	2024-02-24_e3a69aee9dc0cfee85255467aecf41de_goldeneye.exe
File created	C:\Windows\{CF23AD3D-684E-4feb-8D9A-19D5BF78D8CF}.exe	{A380CCD2-BA25-4f8a-8354-FBDEF415B2EA}.exe
File created	C:\Windows\{ADBEA1C4-D08F-4e18-9F37-581820B4F9C2}.exe	{42B6D573-078F-463d-BB3C-BF118DE1F17E}.exe
File created	C:\Windows\{58C225B8-2EC0-449b-BB8B-8BB5AC70EB7C}.exe	{7EB6B532-F6CD-4a36-B474-15C29B94DF07}.exe
File created	C:\Windows\{77DF311F-F117-42ed-BCC5-F61C5953C3DF}.exe	{AEEB2419-D431-421b-913B-13DCCE0D03E4}.exe
File created	C:\Windows\{4A6664D1-FD5E-4242-90C0-CA0EED0D94FC}.exe	{15BE8D87-AEA4-4878-B425-B5A97184602B}.exe
File created	C:\Windows\{C70BC894-09FC-4d27-B9C9-B5E23A98FB4D}.exe	{4A6664D1-FD5E-4242-90C0-CA0EED0D94FC}.exe
File created	C:\Windows\{A380CCD2-BA25-4f8a-8354-FBDEF415B2EA}.exe	{C70BC894-09FC-4d27-B9C9-B5E23A98FB4D}.exe
File created	C:\Windows\{42B6D573-078F-463d-BB3C-BF118DE1F17E}.exe	{CF23AD3D-684E-4feb-8D9A-19D5BF78D8CF}.exe
File created	C:\Windows\{7EB6B532-F6CD-4a36-B474-15C29B94DF07}.exe	{ADBEA1C4-D08F-4e18-9F37-581820B4F9C2}.exe
File created	C:\Windows\{AEEB2419-D431-421b-913B-13DCCE0D03E4}.exe	{58C225B8-2EC0-449b-BB8B-8BB5AC70EB7C}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2784	2024-02-24_e3a69aee9dc0cfee85255467aecf41de_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2512	{15BE8D87-AEA4-4878-B425-B5A97184602B}.exe
Token: SeIncBasePriorityPrivilege	2608	{4A6664D1-FD5E-4242-90C0-CA0EED0D94FC}.exe
Token: SeIncBasePriorityPrivilege	2600	{C70BC894-09FC-4d27-B9C9-B5E23A98FB4D}.exe
Token: SeIncBasePriorityPrivilege	2548	{A380CCD2-BA25-4f8a-8354-FBDEF415B2EA}.exe
Token: SeIncBasePriorityPrivilege	2244	{CF23AD3D-684E-4feb-8D9A-19D5BF78D8CF}.exe
Token: SeIncBasePriorityPrivilege	1260	{42B6D573-078F-463d-BB3C-BF118DE1F17E}.exe
Token: SeIncBasePriorityPrivilege	1368	{ADBEA1C4-D08F-4e18-9F37-581820B4F9C2}.exe
Token: SeIncBasePriorityPrivilege	2040	{7EB6B532-F6CD-4a36-B474-15C29B94DF07}.exe
Token: SeIncBasePriorityPrivilege	1992	{58C225B8-2EC0-449b-BB8B-8BB5AC70EB7C}.exe
Token: SeIncBasePriorityPrivilege	692	{AEEB2419-D431-421b-913B-13DCCE0D03E4}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2784 wrote to memory of 2512	2784	2024-02-24_e3a69aee9dc0cfee85255467aecf41de_goldeneye.exe	28
PID 2784 wrote to memory of 2512	2784	2024-02-24_e3a69aee9dc0cfee85255467aecf41de_goldeneye.exe	28
PID 2784 wrote to memory of 2512	2784	2024-02-24_e3a69aee9dc0cfee85255467aecf41de_goldeneye.exe	28
PID 2784 wrote to memory of 2512	2784	2024-02-24_e3a69aee9dc0cfee85255467aecf41de_goldeneye.exe	28
PID 2784 wrote to memory of 2580	2784	2024-02-24_e3a69aee9dc0cfee85255467aecf41de_goldeneye.exe	29
PID 2784 wrote to memory of 2580	2784	2024-02-24_e3a69aee9dc0cfee85255467aecf41de_goldeneye.exe	29
PID 2784 wrote to memory of 2580	2784	2024-02-24_e3a69aee9dc0cfee85255467aecf41de_goldeneye.exe	29
PID 2784 wrote to memory of 2580	2784	2024-02-24_e3a69aee9dc0cfee85255467aecf41de_goldeneye.exe	29
PID 2512 wrote to memory of 2608	2512	{15BE8D87-AEA4-4878-B425-B5A97184602B}.exe	31
PID 2512 wrote to memory of 2608	2512	{15BE8D87-AEA4-4878-B425-B5A97184602B}.exe	31
PID 2512 wrote to memory of 2608	2512	{15BE8D87-AEA4-4878-B425-B5A97184602B}.exe	31
PID 2512 wrote to memory of 2608	2512	{15BE8D87-AEA4-4878-B425-B5A97184602B}.exe	31
PID 2512 wrote to memory of 2396	2512	{15BE8D87-AEA4-4878-B425-B5A97184602B}.exe	30
PID 2512 wrote to memory of 2396	2512	{15BE8D87-AEA4-4878-B425-B5A97184602B}.exe	30
PID 2512 wrote to memory of 2396	2512	{15BE8D87-AEA4-4878-B425-B5A97184602B}.exe	30
PID 2512 wrote to memory of 2396	2512	{15BE8D87-AEA4-4878-B425-B5A97184602B}.exe	30
PID 2608 wrote to memory of 2600	2608	{4A6664D1-FD5E-4242-90C0-CA0EED0D94FC}.exe	33
PID 2608 wrote to memory of 2600	2608	{4A6664D1-FD5E-4242-90C0-CA0EED0D94FC}.exe	33
PID 2608 wrote to memory of 2600	2608	{4A6664D1-FD5E-4242-90C0-CA0EED0D94FC}.exe	33
PID 2608 wrote to memory of 2600	2608	{4A6664D1-FD5E-4242-90C0-CA0EED0D94FC}.exe	33
PID 2608 wrote to memory of 2384	2608	{4A6664D1-FD5E-4242-90C0-CA0EED0D94FC}.exe	32
PID 2608 wrote to memory of 2384	2608	{4A6664D1-FD5E-4242-90C0-CA0EED0D94FC}.exe	32
PID 2608 wrote to memory of 2384	2608	{4A6664D1-FD5E-4242-90C0-CA0EED0D94FC}.exe	32
PID 2608 wrote to memory of 2384	2608	{4A6664D1-FD5E-4242-90C0-CA0EED0D94FC}.exe	32
PID 2600 wrote to memory of 2548	2600	{C70BC894-09FC-4d27-B9C9-B5E23A98FB4D}.exe	37
PID 2600 wrote to memory of 2548	2600	{C70BC894-09FC-4d27-B9C9-B5E23A98FB4D}.exe	37
PID 2600 wrote to memory of 2548	2600	{C70BC894-09FC-4d27-B9C9-B5E23A98FB4D}.exe	37
PID 2600 wrote to memory of 2548	2600	{C70BC894-09FC-4d27-B9C9-B5E23A98FB4D}.exe	37
PID 2600 wrote to memory of 2680	2600	{C70BC894-09FC-4d27-B9C9-B5E23A98FB4D}.exe	36
PID 2600 wrote to memory of 2680	2600	{C70BC894-09FC-4d27-B9C9-B5E23A98FB4D}.exe	36
PID 2600 wrote to memory of 2680	2600	{C70BC894-09FC-4d27-B9C9-B5E23A98FB4D}.exe	36
PID 2600 wrote to memory of 2680	2600	{C70BC894-09FC-4d27-B9C9-B5E23A98FB4D}.exe	36
PID 2548 wrote to memory of 2244	2548	{A380CCD2-BA25-4f8a-8354-FBDEF415B2EA}.exe	39
PID 2548 wrote to memory of 2244	2548	{A380CCD2-BA25-4f8a-8354-FBDEF415B2EA}.exe	39
PID 2548 wrote to memory of 2244	2548	{A380CCD2-BA25-4f8a-8354-FBDEF415B2EA}.exe	39
PID 2548 wrote to memory of 2244	2548	{A380CCD2-BA25-4f8a-8354-FBDEF415B2EA}.exe	39
PID 2548 wrote to memory of 2080	2548	{A380CCD2-BA25-4f8a-8354-FBDEF415B2EA}.exe	38
PID 2548 wrote to memory of 2080	2548	{A380CCD2-BA25-4f8a-8354-FBDEF415B2EA}.exe	38
PID 2548 wrote to memory of 2080	2548	{A380CCD2-BA25-4f8a-8354-FBDEF415B2EA}.exe	38
PID 2548 wrote to memory of 2080	2548	{A380CCD2-BA25-4f8a-8354-FBDEF415B2EA}.exe	38
PID 2244 wrote to memory of 1260	2244	{CF23AD3D-684E-4feb-8D9A-19D5BF78D8CF}.exe	40
PID 2244 wrote to memory of 1260	2244	{CF23AD3D-684E-4feb-8D9A-19D5BF78D8CF}.exe	40
PID 2244 wrote to memory of 1260	2244	{CF23AD3D-684E-4feb-8D9A-19D5BF78D8CF}.exe	40
PID 2244 wrote to memory of 1260	2244	{CF23AD3D-684E-4feb-8D9A-19D5BF78D8CF}.exe	40
PID 2244 wrote to memory of 1808	2244	{CF23AD3D-684E-4feb-8D9A-19D5BF78D8CF}.exe	41
PID 2244 wrote to memory of 1808	2244	{CF23AD3D-684E-4feb-8D9A-19D5BF78D8CF}.exe	41
PID 2244 wrote to memory of 1808	2244	{CF23AD3D-684E-4feb-8D9A-19D5BF78D8CF}.exe	41
PID 2244 wrote to memory of 1808	2244	{CF23AD3D-684E-4feb-8D9A-19D5BF78D8CF}.exe	41
PID 1260 wrote to memory of 1368	1260	{42B6D573-078F-463d-BB3C-BF118DE1F17E}.exe	42
PID 1260 wrote to memory of 1368	1260	{42B6D573-078F-463d-BB3C-BF118DE1F17E}.exe	42
PID 1260 wrote to memory of 1368	1260	{42B6D573-078F-463d-BB3C-BF118DE1F17E}.exe	42
PID 1260 wrote to memory of 1368	1260	{42B6D573-078F-463d-BB3C-BF118DE1F17E}.exe	42
PID 1260 wrote to memory of 1332	1260	{42B6D573-078F-463d-BB3C-BF118DE1F17E}.exe	43
PID 1260 wrote to memory of 1332	1260	{42B6D573-078F-463d-BB3C-BF118DE1F17E}.exe	43
PID 1260 wrote to memory of 1332	1260	{42B6D573-078F-463d-BB3C-BF118DE1F17E}.exe	43
PID 1260 wrote to memory of 1332	1260	{42B6D573-078F-463d-BB3C-BF118DE1F17E}.exe	43
PID 1368 wrote to memory of 2040	1368	{ADBEA1C4-D08F-4e18-9F37-581820B4F9C2}.exe	44
PID 1368 wrote to memory of 2040	1368	{ADBEA1C4-D08F-4e18-9F37-581820B4F9C2}.exe	44
PID 1368 wrote to memory of 2040	1368	{ADBEA1C4-D08F-4e18-9F37-581820B4F9C2}.exe	44
PID 1368 wrote to memory of 2040	1368	{ADBEA1C4-D08F-4e18-9F37-581820B4F9C2}.exe	44
PID 1368 wrote to memory of 1968	1368	{ADBEA1C4-D08F-4e18-9F37-581820B4F9C2}.exe	45
PID 1368 wrote to memory of 1968	1368	{ADBEA1C4-D08F-4e18-9F37-581820B4F9C2}.exe	45
PID 1368 wrote to memory of 1968	1368	{ADBEA1C4-D08F-4e18-9F37-581820B4F9C2}.exe	45
PID 1368 wrote to memory of 1968	1368	{ADBEA1C4-D08F-4e18-9F37-581820B4F9C2}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-02-24_e3a69aee9dc0cfee85255467aecf41de_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-24_e3a69aee9dc0cfee85255467aecf41de_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2784
- C:\Windows\{15BE8D87-AEA4-4878-B425-B5A97184602B}.exe
  C:\Windows\{15BE8D87-AEA4-4878-B425-B5A97184602B}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2512
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{15BE8~1.EXE > nul
    3⤵
    PID:2396
- - C:\Windows\{4A6664D1-FD5E-4242-90C0-CA0EED0D94FC}.exe
    C:\Windows\{4A6664D1-FD5E-4242-90C0-CA0EED0D94FC}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2608
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{4A666~1.EXE > nul
      4⤵
      PID:2384
  - - C:\Windows\{C70BC894-09FC-4d27-B9C9-B5E23A98FB4D}.exe
      C:\Windows\{C70BC894-09FC-4d27-B9C9-B5E23A98FB4D}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2600
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C70BC~1.EXE > nul
        5⤵
        
        PID:2680
    - - C:\Windows\{A380CCD2-BA25-4f8a-8354-FBDEF415B2EA}.exe
        
        C:\Windows\{A380CCD2-BA25-4f8a-8354-FBDEF415B2EA}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2548
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A380C~1.EXE > nul
        6⤵
        
        PID:2080
      - C:\Windows\{CF23AD3D-684E-4feb-8D9A-19D5BF78D8CF}.exe
        
        C:\Windows\{CF23AD3D-684E-4feb-8D9A-19D5BF78D8CF}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2244
        
        C:\Windows\{42B6D573-078F-463d-BB3C-BF118DE1F17E}.exe
        
        C:\Windows\{42B6D573-078F-463d-BB3C-BF118DE1F17E}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1260
        
        C:\Windows\{ADBEA1C4-D08F-4e18-9F37-581820B4F9C2}.exe
        
        C:\Windows\{ADBEA1C4-D08F-4e18-9F37-581820B4F9C2}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1368
        
        C:\Windows\{7EB6B532-F6CD-4a36-B474-15C29B94DF07}.exe
        
        C:\Windows\{7EB6B532-F6CD-4a36-B474-15C29B94DF07}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2040
        
        C:\Windows\{58C225B8-2EC0-449b-BB8B-8BB5AC70EB7C}.exe
        
        C:\Windows\{58C225B8-2EC0-449b-BB8B-8BB5AC70EB7C}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1992
        
        C:\Windows\{AEEB2419-D431-421b-913B-13DCCE0D03E4}.exe
        
        C:\Windows\{AEEB2419-D431-421b-913B-13DCCE0D03E4}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AEEB2~1.EXE > nul
        12⤵
        
        PID:2308
        
        C:\Windows\{77DF311F-F117-42ed-BCC5-F61C5953C3DF}.exe
        
        C:\Windows\{77DF311F-F117-42ed-BCC5-F61C5953C3DF}.exe
        12⤵
        Executes dropped EXE
        
        PID:352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{58C22~1.EXE > nul
        11⤵
        
        PID:564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7EB6B~1.EXE > nul
        10⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{ADBEA~1.EXE > nul
        9⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{42B6D~1.EXE > nul
        8⤵
        
        PID:1332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CF23A~1.EXE > nul
        7⤵
        
        PID:1808
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{15BE8D87-AEA4-4878-B425-B5A97184602B}.exe

Filesize
408KB

MD5
3f506cbb618cb5104ecb6f1e9f4ff3d7

SHA1
c2ba4da973c160ca89a9272dc1c37a862ac9ce67

SHA256
89155b60164f58a785f655e2be5dff51faf50eba48ffbb60aaae7249ed3e0d74

SHA512
1cc3ae577d2687e76f71dd729c0f5471bc4c1b0e04bd54f792aca4d90f44ff592a3c8569098e29867722ce82a3d7e89fe851eefce4dfb0b9b234dd0e2551c412

Download Submit
C:\Windows\{42B6D573-078F-463d-BB3C-BF118DE1F17E}.exe

Filesize
408KB

MD5
513dcfc8b6ebd12b151e8ea5de959b2a

SHA1
ceaff3e1416062860cec0245089316bc86fbce30

SHA256
6aaa5d3bb9d223aac5baba1233c8f38fcd76a4008aa95cd4ecbbc31082a6b220

SHA512
c404d41b999e640f3538ca939e8ba844a367f12328496dcfb03c6675b015c74bc994916aaf40958e79bdc5bc07707742d305635036e7dc2c2262e41b4faf2596

Download Submit
C:\Windows\{4A6664D1-FD5E-4242-90C0-CA0EED0D94FC}.exe

Filesize
408KB

MD5
ec5470d5b2a004ceb2d37a86f3d4a821

SHA1
4d2a438cb4717b12c041efe3b99b54d62c45f473

SHA256
ae18c41b22869f017633120ca64e6e368364627a3de9d619d1186c94b4c38d5f

SHA512
98ac5fe53ecb5ff548663269e4db2e6898667d4828fecc58669ec0933efb89b5a2f5eb05e7dcd7d6fb3467197458e5e491740d78299c3f30559b694444b03c37

Download Submit
C:\Windows\{58C225B8-2EC0-449b-BB8B-8BB5AC70EB7C}.exe

Filesize
408KB

MD5
ae3ed738ac9338f67d9b936605d2c0dc

SHA1
c608d6a5d986f0b190929db7a44517ffc77a0f14

SHA256
b74140a3058e9c664bdafe105055b609c1ecf585252924fb214039393e963dec

SHA512
98570dcfc426a45f6ad9555d2ec12a15fcc14b6d0c49b9b18ce59e605501bf7612a8f284719ff157906850baba5d5793161b73b4417fc4e4cd276aeff6aff142

Download Submit
C:\Windows\{77DF311F-F117-42ed-BCC5-F61C5953C3DF}.exe

Filesize
408KB

MD5
eb444c90269767404467bc09f0e48370

SHA1
f86a492b2cf3e444c0c480da8ac57c0beb13a442

SHA256
bc08fbe6b5f663d18e33d2401d6769a790149c12ed5b8b0373b85515690d0242

SHA512
10d7d4fd97ef9dc3e21814bdacd1b8b0928d7ece97eff5817f80055c2f82e0f860d374c8bb63ac07fe32c106abb7e12510ee2d004ad6e449a377906919a7f1b7

Download Submit
C:\Windows\{7EB6B532-F6CD-4a36-B474-15C29B94DF07}.exe

Filesize
408KB

MD5
5faeffeec1fa25101a9f8aabb8f003cb

SHA1
daefee4c35a2ddd323b97d804607c7278c12e030

SHA256
0e2437d50b43b414b231195bff176979b4bc865b52726244b62136527cf56767

SHA512
8ab85b5a9a7e8f86321a4c1b953222f114977c57caafa612e247b44192c8ff50e131f2fa8b951988834dbbdab7b0cfcf8e95d94cbaef6620ecfef5f6782c64cb

Download Submit
C:\Windows\{A380CCD2-BA25-4f8a-8354-FBDEF415B2EA}.exe

Filesize
408KB

MD5
23302f9109b968847970054728677d53

SHA1
1f1dc4ccff3fa4fc2ce15eabe230c6a3f57ba6fa

SHA256
e0c0da2ef59ea17322a78b052f1b85bf5e96bef934823f68c00e693bdb2f7621

SHA512
5a0edf4ae10443dd49f1564e41e3dcf3c0a6e767d71ee5f39cfa65a7b677930b53df71aa4d086639f100a6fbf232a8e5d37f248c06e4a54a3b6e3e7f59186de5

Download Submit
C:\Windows\{ADBEA1C4-D08F-4e18-9F37-581820B4F9C2}.exe

Filesize
408KB

MD5
71d6c0e977b722ac54c7a01f3e456382

SHA1
c44e019625cc6ea42ab74bd4f62982f818093d00

SHA256
1f5ad19925569720b1d01f0dd8eddb6148138f8aac625ecf4341532a18fafbc0

SHA512
a1163c4d6e0ddaba6d02d6d85e6e0797de4adb2588cfcbaf123e96a8d0eab4089e935cb699168f9285a9b8adf0beb47d0c03639df8ee0dabc1b8679c23161d0c

Download Submit
C:\Windows\{AEEB2419-D431-421b-913B-13DCCE0D03E4}.exe

Filesize
408KB

MD5
fc57c621d7a51bba0062b69d10d3596f

SHA1
703e39057bbe4bf8ad6b481799a2fd121484c3f5

SHA256
0cbfd74d27c11a15dee1bd9fdc0f3b85057bc2833ecc4076c2d121b9d8e5eb20

SHA512
c1a089bbf28f87fc4a4a3089dde2bd108f582f718af7ccd4984fa2d4ebd171b1e1ba9ab3a2214c8ecaa679c6fcd7e04615cba568c048be38897b132fe8d17c2e

Download Submit
C:\Windows\{C70BC894-09FC-4d27-B9C9-B5E23A98FB4D}.exe

Filesize
408KB

MD5
1bdb3927c304ca24f399c55abf72bef3

SHA1
dc9f9df0c4ebd62ca0b55b0f2c6deb066ed681a0

SHA256
63005ea8b433d3d54064b63970c83baea42dae40f6d4c4ed442e0fad8982ecc3

SHA512
4805b6b6c4f422513a3432a9dfeeb484e96dc6e29ef9c3227698ab784d77697574d216f71e9132022efc93c784a1f0f57801c22c3121ad4a06d78ca44f9be12a

Download Submit
C:\Windows\{CF23AD3D-684E-4feb-8D9A-19D5BF78D8CF}.exe

Filesize
408KB

MD5
85764811fadfe83fd57d224db1610d62

SHA1
49fdc05b9ddc2f2eb0d2bb3b29c3f6acf61c6b83

SHA256
511f2a121e896d336fc727ef524590578b53dd95423ae5b2062a43d2bcd8f3b2

SHA512
d54f58159ec1a8da7013a30a9937515ae908b0276e28fe6cd8f25df83467b915059a880eb9989568a4540b77fe80e2af70836f8f670e42ffd55220138f645af7

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads