74fc88fb6086dda112302a91e0b180c853b3632c646ab35d7f46926f4728f810

Analysis

max time kernel
144s
max time network
125s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
27/02/2024, 23:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-27_1c30e8576665116797808f923c00bace_goldeneye.exe
Size

408KB
MD5

1c30e8576665116797808f923c00bace
SHA1

e6795570149c5617a958b03e0a7e378a31509966
SHA256

74fc88fb6086dda112302a91e0b180c853b3632c646ab35d7f46926f4728f810
SHA512

4316ecdbba240468e02392bf0a7a384e11226cf728a6cd0c89c7eca140c78cdb50c45bdb1e20a56e04863aa7859e622527c2e64e946e237b67468ad788d95b2d
SSDEEP

3072:CEGh0oMl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBft:CEGWldOe2MUVg3vTeKcAEciTBqr3jy9

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 13 IoCs

resource	yara_rule
behavioral1/files/0x000d00000001224c-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00170000000155d9-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f00000000f680-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e00000001224c-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001000000000f680-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f00000001224c-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001100000000f680-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001000000001224c-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001200000000f680-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001200000000f680-62.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001100000001224c-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001100000001224c-69.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001300000000f680-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AD6752C3-60D3-4181-9E4C-94DF3ADF425F}\stubpath = "C:\\Windows\\{AD6752C3-60D3-4181-9E4C-94DF3ADF425F}.exe"	{147E6F79-1D53-4d48-94D6-1614275B0064}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5988EFC9-0B0C-498e-952B-1A186C4D7D43}	{AD6752C3-60D3-4181-9E4C-94DF3ADF425F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9E985D3C-33DD-4787-8DCE-C8599DF68EE8}	{702C9DE6-6610-48f8-94E3-BC0A5CD5DFD9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{962590D2-7E27-48ce-A63C-F5C18C676C6B}	{9B8D8C3C-28C7-4515-974A-F81CAA498C4A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{962590D2-7E27-48ce-A63C-F5C18C676C6B}\stubpath = "C:\\Windows\\{962590D2-7E27-48ce-A63C-F5C18C676C6B}.exe"	{9B8D8C3C-28C7-4515-974A-F81CAA498C4A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DA9BC9F9-3580-44f5-B8E6-4530D3EC1F0C}\stubpath = "C:\\Windows\\{DA9BC9F9-3580-44f5-B8E6-4530D3EC1F0C}.exe"	{962590D2-7E27-48ce-A63C-F5C18C676C6B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A9108F4C-CE43-4b22-A12C-B98EA2FB0E45}\stubpath = "C:\\Windows\\{A9108F4C-CE43-4b22-A12C-B98EA2FB0E45}.exe"	2024-02-27_1c30e8576665116797808f923c00bace_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{89F2DCDA-7FEA-4717-864E-DA1F7A02C645}\stubpath = "C:\\Windows\\{89F2DCDA-7FEA-4717-864E-DA1F7A02C645}.exe"	{A9108F4C-CE43-4b22-A12C-B98EA2FB0E45}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{147E6F79-1D53-4d48-94D6-1614275B0064}\stubpath = "C:\\Windows\\{147E6F79-1D53-4d48-94D6-1614275B0064}.exe"	{89F2DCDA-7FEA-4717-864E-DA1F7A02C645}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AD6752C3-60D3-4181-9E4C-94DF3ADF425F}	{147E6F79-1D53-4d48-94D6-1614275B0064}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{702C9DE6-6610-48f8-94E3-BC0A5CD5DFD9}	{5988EFC9-0B0C-498e-952B-1A186C4D7D43}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{702C9DE6-6610-48f8-94E3-BC0A5CD5DFD9}\stubpath = "C:\\Windows\\{702C9DE6-6610-48f8-94E3-BC0A5CD5DFD9}.exe"	{5988EFC9-0B0C-498e-952B-1A186C4D7D43}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DFB0E7D0-D92A-4d45-8E58-F55F51B55BED}\stubpath = "C:\\Windows\\{DFB0E7D0-D92A-4d45-8E58-F55F51B55BED}.exe"	{9E985D3C-33DD-4787-8DCE-C8599DF68EE8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9B8D8C3C-28C7-4515-974A-F81CAA498C4A}	{DFB0E7D0-D92A-4d45-8E58-F55F51B55BED}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9B8D8C3C-28C7-4515-974A-F81CAA498C4A}\stubpath = "C:\\Windows\\{9B8D8C3C-28C7-4515-974A-F81CAA498C4A}.exe"	{DFB0E7D0-D92A-4d45-8E58-F55F51B55BED}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DA9BC9F9-3580-44f5-B8E6-4530D3EC1F0C}	{962590D2-7E27-48ce-A63C-F5C18C676C6B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A9108F4C-CE43-4b22-A12C-B98EA2FB0E45}	2024-02-27_1c30e8576665116797808f923c00bace_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{89F2DCDA-7FEA-4717-864E-DA1F7A02C645}	{A9108F4C-CE43-4b22-A12C-B98EA2FB0E45}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{147E6F79-1D53-4d48-94D6-1614275B0064}	{89F2DCDA-7FEA-4717-864E-DA1F7A02C645}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5988EFC9-0B0C-498e-952B-1A186C4D7D43}\stubpath = "C:\\Windows\\{5988EFC9-0B0C-498e-952B-1A186C4D7D43}.exe"	{AD6752C3-60D3-4181-9E4C-94DF3ADF425F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9E985D3C-33DD-4787-8DCE-C8599DF68EE8}\stubpath = "C:\\Windows\\{9E985D3C-33DD-4787-8DCE-C8599DF68EE8}.exe"	{702C9DE6-6610-48f8-94E3-BC0A5CD5DFD9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DFB0E7D0-D92A-4d45-8E58-F55F51B55BED}	{9E985D3C-33DD-4787-8DCE-C8599DF68EE8}.exe

Deletes itself 1 IoCs

pid	Process
3060	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2876	{A9108F4C-CE43-4b22-A12C-B98EA2FB0E45}.exe
2492	{89F2DCDA-7FEA-4717-864E-DA1F7A02C645}.exe
2184	{147E6F79-1D53-4d48-94D6-1614275B0064}.exe
2480	{AD6752C3-60D3-4181-9E4C-94DF3ADF425F}.exe
2152	{5988EFC9-0B0C-498e-952B-1A186C4D7D43}.exe
2680	{702C9DE6-6610-48f8-94E3-BC0A5CD5DFD9}.exe
2228	{9E985D3C-33DD-4787-8DCE-C8599DF68EE8}.exe
1964	{DFB0E7D0-D92A-4d45-8E58-F55F51B55BED}.exe
1680	{9B8D8C3C-28C7-4515-974A-F81CAA498C4A}.exe
2172	{962590D2-7E27-48ce-A63C-F5C18C676C6B}.exe
568	{DA9BC9F9-3580-44f5-B8E6-4530D3EC1F0C}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{DA9BC9F9-3580-44f5-B8E6-4530D3EC1F0C}.exe	{962590D2-7E27-48ce-A63C-F5C18C676C6B}.exe
File created	C:\Windows\{89F2DCDA-7FEA-4717-864E-DA1F7A02C645}.exe	{A9108F4C-CE43-4b22-A12C-B98EA2FB0E45}.exe
File created	C:\Windows\{702C9DE6-6610-48f8-94E3-BC0A5CD5DFD9}.exe	{5988EFC9-0B0C-498e-952B-1A186C4D7D43}.exe
File created	C:\Windows\{9E985D3C-33DD-4787-8DCE-C8599DF68EE8}.exe	{702C9DE6-6610-48f8-94E3-BC0A5CD5DFD9}.exe
File created	C:\Windows\{9B8D8C3C-28C7-4515-974A-F81CAA498C4A}.exe	{DFB0E7D0-D92A-4d45-8E58-F55F51B55BED}.exe
File created	C:\Windows\{DFB0E7D0-D92A-4d45-8E58-F55F51B55BED}.exe	{9E985D3C-33DD-4787-8DCE-C8599DF68EE8}.exe
File created	C:\Windows\{962590D2-7E27-48ce-A63C-F5C18C676C6B}.exe	{9B8D8C3C-28C7-4515-974A-F81CAA498C4A}.exe
File created	C:\Windows\{A9108F4C-CE43-4b22-A12C-B98EA2FB0E45}.exe	2024-02-27_1c30e8576665116797808f923c00bace_goldeneye.exe
File created	C:\Windows\{147E6F79-1D53-4d48-94D6-1614275B0064}.exe	{89F2DCDA-7FEA-4717-864E-DA1F7A02C645}.exe
File created	C:\Windows\{AD6752C3-60D3-4181-9E4C-94DF3ADF425F}.exe	{147E6F79-1D53-4d48-94D6-1614275B0064}.exe
File created	C:\Windows\{5988EFC9-0B0C-498e-952B-1A186C4D7D43}.exe	{AD6752C3-60D3-4181-9E4C-94DF3ADF425F}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2768	2024-02-27_1c30e8576665116797808f923c00bace_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2876	{A9108F4C-CE43-4b22-A12C-B98EA2FB0E45}.exe
Token: SeIncBasePriorityPrivilege	2492	{89F2DCDA-7FEA-4717-864E-DA1F7A02C645}.exe
Token: SeIncBasePriorityPrivilege	2184	{147E6F79-1D53-4d48-94D6-1614275B0064}.exe
Token: SeIncBasePriorityPrivilege	2480	{AD6752C3-60D3-4181-9E4C-94DF3ADF425F}.exe
Token: SeIncBasePriorityPrivilege	2152	{5988EFC9-0B0C-498e-952B-1A186C4D7D43}.exe
Token: SeIncBasePriorityPrivilege	2680	{702C9DE6-6610-48f8-94E3-BC0A5CD5DFD9}.exe
Token: SeIncBasePriorityPrivilege	2228	{9E985D3C-33DD-4787-8DCE-C8599DF68EE8}.exe
Token: SeIncBasePriorityPrivilege	1964	{DFB0E7D0-D92A-4d45-8E58-F55F51B55BED}.exe
Token: SeIncBasePriorityPrivilege	1680	{9B8D8C3C-28C7-4515-974A-F81CAA498C4A}.exe
Token: SeIncBasePriorityPrivilege	2172	{962590D2-7E27-48ce-A63C-F5C18C676C6B}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2768 wrote to memory of 2876	2768	2024-02-27_1c30e8576665116797808f923c00bace_goldeneye.exe	28
PID 2768 wrote to memory of 2876	2768	2024-02-27_1c30e8576665116797808f923c00bace_goldeneye.exe	28
PID 2768 wrote to memory of 2876	2768	2024-02-27_1c30e8576665116797808f923c00bace_goldeneye.exe	28
PID 2768 wrote to memory of 2876	2768	2024-02-27_1c30e8576665116797808f923c00bace_goldeneye.exe	28
PID 2768 wrote to memory of 3060	2768	2024-02-27_1c30e8576665116797808f923c00bace_goldeneye.exe	29
PID 2768 wrote to memory of 3060	2768	2024-02-27_1c30e8576665116797808f923c00bace_goldeneye.exe	29
PID 2768 wrote to memory of 3060	2768	2024-02-27_1c30e8576665116797808f923c00bace_goldeneye.exe	29
PID 2768 wrote to memory of 3060	2768	2024-02-27_1c30e8576665116797808f923c00bace_goldeneye.exe	29
PID 2876 wrote to memory of 2492	2876	{A9108F4C-CE43-4b22-A12C-B98EA2FB0E45}.exe	32
PID 2876 wrote to memory of 2492	2876	{A9108F4C-CE43-4b22-A12C-B98EA2FB0E45}.exe	32
PID 2876 wrote to memory of 2492	2876	{A9108F4C-CE43-4b22-A12C-B98EA2FB0E45}.exe	32
PID 2876 wrote to memory of 2492	2876	{A9108F4C-CE43-4b22-A12C-B98EA2FB0E45}.exe	32
PID 2876 wrote to memory of 2640	2876	{A9108F4C-CE43-4b22-A12C-B98EA2FB0E45}.exe	33
PID 2876 wrote to memory of 2640	2876	{A9108F4C-CE43-4b22-A12C-B98EA2FB0E45}.exe	33
PID 2876 wrote to memory of 2640	2876	{A9108F4C-CE43-4b22-A12C-B98EA2FB0E45}.exe	33
PID 2876 wrote to memory of 2640	2876	{A9108F4C-CE43-4b22-A12C-B98EA2FB0E45}.exe	33
PID 2492 wrote to memory of 2184	2492	{89F2DCDA-7FEA-4717-864E-DA1F7A02C645}.exe	34
PID 2492 wrote to memory of 2184	2492	{89F2DCDA-7FEA-4717-864E-DA1F7A02C645}.exe	34
PID 2492 wrote to memory of 2184	2492	{89F2DCDA-7FEA-4717-864E-DA1F7A02C645}.exe	34
PID 2492 wrote to memory of 2184	2492	{89F2DCDA-7FEA-4717-864E-DA1F7A02C645}.exe	34
PID 2492 wrote to memory of 2424	2492	{89F2DCDA-7FEA-4717-864E-DA1F7A02C645}.exe	35
PID 2492 wrote to memory of 2424	2492	{89F2DCDA-7FEA-4717-864E-DA1F7A02C645}.exe	35
PID 2492 wrote to memory of 2424	2492	{89F2DCDA-7FEA-4717-864E-DA1F7A02C645}.exe	35
PID 2492 wrote to memory of 2424	2492	{89F2DCDA-7FEA-4717-864E-DA1F7A02C645}.exe	35
PID 2184 wrote to memory of 2480	2184	{147E6F79-1D53-4d48-94D6-1614275B0064}.exe	37
PID 2184 wrote to memory of 2480	2184	{147E6F79-1D53-4d48-94D6-1614275B0064}.exe	37
PID 2184 wrote to memory of 2480	2184	{147E6F79-1D53-4d48-94D6-1614275B0064}.exe	37
PID 2184 wrote to memory of 2480	2184	{147E6F79-1D53-4d48-94D6-1614275B0064}.exe	37
PID 2184 wrote to memory of 2408	2184	{147E6F79-1D53-4d48-94D6-1614275B0064}.exe	36
PID 2184 wrote to memory of 2408	2184	{147E6F79-1D53-4d48-94D6-1614275B0064}.exe	36
PID 2184 wrote to memory of 2408	2184	{147E6F79-1D53-4d48-94D6-1614275B0064}.exe	36
PID 2184 wrote to memory of 2408	2184	{147E6F79-1D53-4d48-94D6-1614275B0064}.exe	36
PID 2480 wrote to memory of 2152	2480	{AD6752C3-60D3-4181-9E4C-94DF3ADF425F}.exe	38
PID 2480 wrote to memory of 2152	2480	{AD6752C3-60D3-4181-9E4C-94DF3ADF425F}.exe	38
PID 2480 wrote to memory of 2152	2480	{AD6752C3-60D3-4181-9E4C-94DF3ADF425F}.exe	38
PID 2480 wrote to memory of 2152	2480	{AD6752C3-60D3-4181-9E4C-94DF3ADF425F}.exe	38
PID 2480 wrote to memory of 2180	2480	{AD6752C3-60D3-4181-9E4C-94DF3ADF425F}.exe	39
PID 2480 wrote to memory of 2180	2480	{AD6752C3-60D3-4181-9E4C-94DF3ADF425F}.exe	39
PID 2480 wrote to memory of 2180	2480	{AD6752C3-60D3-4181-9E4C-94DF3ADF425F}.exe	39
PID 2480 wrote to memory of 2180	2480	{AD6752C3-60D3-4181-9E4C-94DF3ADF425F}.exe	39
PID 2152 wrote to memory of 2680	2152	{5988EFC9-0B0C-498e-952B-1A186C4D7D43}.exe	41
PID 2152 wrote to memory of 2680	2152	{5988EFC9-0B0C-498e-952B-1A186C4D7D43}.exe	41
PID 2152 wrote to memory of 2680	2152	{5988EFC9-0B0C-498e-952B-1A186C4D7D43}.exe	41
PID 2152 wrote to memory of 2680	2152	{5988EFC9-0B0C-498e-952B-1A186C4D7D43}.exe	41
PID 2152 wrote to memory of 2760	2152	{5988EFC9-0B0C-498e-952B-1A186C4D7D43}.exe	40
PID 2152 wrote to memory of 2760	2152	{5988EFC9-0B0C-498e-952B-1A186C4D7D43}.exe	40
PID 2152 wrote to memory of 2760	2152	{5988EFC9-0B0C-498e-952B-1A186C4D7D43}.exe	40
PID 2152 wrote to memory of 2760	2152	{5988EFC9-0B0C-498e-952B-1A186C4D7D43}.exe	40
PID 2680 wrote to memory of 2228	2680	{702C9DE6-6610-48f8-94E3-BC0A5CD5DFD9}.exe	43
PID 2680 wrote to memory of 2228	2680	{702C9DE6-6610-48f8-94E3-BC0A5CD5DFD9}.exe	43
PID 2680 wrote to memory of 2228	2680	{702C9DE6-6610-48f8-94E3-BC0A5CD5DFD9}.exe	43
PID 2680 wrote to memory of 2228	2680	{702C9DE6-6610-48f8-94E3-BC0A5CD5DFD9}.exe	43
PID 2680 wrote to memory of 2096	2680	{702C9DE6-6610-48f8-94E3-BC0A5CD5DFD9}.exe	42
PID 2680 wrote to memory of 2096	2680	{702C9DE6-6610-48f8-94E3-BC0A5CD5DFD9}.exe	42
PID 2680 wrote to memory of 2096	2680	{702C9DE6-6610-48f8-94E3-BC0A5CD5DFD9}.exe	42
PID 2680 wrote to memory of 2096	2680	{702C9DE6-6610-48f8-94E3-BC0A5CD5DFD9}.exe	42
PID 2228 wrote to memory of 1964	2228	{9E985D3C-33DD-4787-8DCE-C8599DF68EE8}.exe	45
PID 2228 wrote to memory of 1964	2228	{9E985D3C-33DD-4787-8DCE-C8599DF68EE8}.exe	45
PID 2228 wrote to memory of 1964	2228	{9E985D3C-33DD-4787-8DCE-C8599DF68EE8}.exe	45
PID 2228 wrote to memory of 1964	2228	{9E985D3C-33DD-4787-8DCE-C8599DF68EE8}.exe	45
PID 2228 wrote to memory of 2944	2228	{9E985D3C-33DD-4787-8DCE-C8599DF68EE8}.exe	44
PID 2228 wrote to memory of 2944	2228	{9E985D3C-33DD-4787-8DCE-C8599DF68EE8}.exe	44
PID 2228 wrote to memory of 2944	2228	{9E985D3C-33DD-4787-8DCE-C8599DF68EE8}.exe	44
PID 2228 wrote to memory of 2944	2228	{9E985D3C-33DD-4787-8DCE-C8599DF68EE8}.exe	44

C:\Users\Admin\AppData\Local\Temp\2024-02-27_1c30e8576665116797808f923c00bace_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-27_1c30e8576665116797808f923c00bace_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2768
- C:\Windows\{A9108F4C-CE43-4b22-A12C-B98EA2FB0E45}.exe
  C:\Windows\{A9108F4C-CE43-4b22-A12C-B98EA2FB0E45}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2876
- - C:\Windows\{89F2DCDA-7FEA-4717-864E-DA1F7A02C645}.exe
    C:\Windows\{89F2DCDA-7FEA-4717-864E-DA1F7A02C645}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2492
  - - C:\Windows\{147E6F79-1D53-4d48-94D6-1614275B0064}.exe
      C:\Windows\{147E6F79-1D53-4d48-94D6-1614275B0064}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2184
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{147E6~1.EXE > nul
        5⤵
        
        PID:2408
    - - C:\Windows\{AD6752C3-60D3-4181-9E4C-94DF3ADF425F}.exe
        
        C:\Windows\{AD6752C3-60D3-4181-9E4C-94DF3ADF425F}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2480
      - C:\Windows\{5988EFC9-0B0C-498e-952B-1A186C4D7D43}.exe
        
        C:\Windows\{5988EFC9-0B0C-498e-952B-1A186C4D7D43}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5988E~1.EXE > nul
        7⤵
        
        PID:2760
        
        C:\Windows\{702C9DE6-6610-48f8-94E3-BC0A5CD5DFD9}.exe
        
        C:\Windows\{702C9DE6-6610-48f8-94E3-BC0A5CD5DFD9}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{702C9~1.EXE > nul
        8⤵
        
        PID:2096
        
        C:\Windows\{9E985D3C-33DD-4787-8DCE-C8599DF68EE8}.exe
        
        C:\Windows\{9E985D3C-33DD-4787-8DCE-C8599DF68EE8}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9E985~1.EXE > nul
        9⤵
        
        PID:2944
        
        C:\Windows\{DFB0E7D0-D92A-4d45-8E58-F55F51B55BED}.exe
        
        C:\Windows\{DFB0E7D0-D92A-4d45-8E58-F55F51B55BED}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1964
        
        C:\Windows\{9B8D8C3C-28C7-4515-974A-F81CAA498C4A}.exe
        
        C:\Windows\{9B8D8C3C-28C7-4515-974A-F81CAA498C4A}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1680
        
        C:\Windows\{962590D2-7E27-48ce-A63C-F5C18C676C6B}.exe
        
        C:\Windows\{962590D2-7E27-48ce-A63C-F5C18C676C6B}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{96259~1.EXE > nul
        12⤵
        
        PID:1160
        
        C:\Windows\{DA9BC9F9-3580-44f5-B8E6-4530D3EC1F0C}.exe
        
        C:\Windows\{DA9BC9F9-3580-44f5-B8E6-4530D3EC1F0C}.exe
        12⤵
        Executes dropped EXE
        
        PID:568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9B8D8~1.EXE > nul
        11⤵
        
        PID:812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DFB0E~1.EXE > nul
        10⤵
        
        PID:528
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AD675~1.EXE > nul
        6⤵
        
        PID:2180
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{89F2D~1.EXE > nul
      4⤵
      PID:2424
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{A9108~1.EXE > nul
    3⤵
    PID:2640
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:3060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{147E6F79-1D53-4d48-94D6-1614275B0064}.exe

Filesize
408KB

MD5
97b29cd3f92aeaf3896acd0bb01e3eb2

SHA1
4b20506a38cbb223567b941c24a6a84f685baa98

SHA256
fa20aa2d2710244926e238f4ed86b22c29970c3bc9a3a95a7c6578a5bd3036c2

SHA512
423fa80e628cd7ba702bce0240c022de30c76f58cd94d8f5a94de45dd2dd29b6bcb370d2a7fee66dacfc7939418e8ca2c7101dc815bc7e11f8e6fc3c7e947de9

Download Submit
C:\Windows\{5988EFC9-0B0C-498e-952B-1A186C4D7D43}.exe

Filesize
408KB

MD5
123d09939d261fd86110dbec93f31b47

SHA1
c2d23df936a9fab67b58b23c02e6a43505c9fbe6

SHA256
0c6aeb6eb4b8e3defd6e5876fa5412d47818e9dee6903950235a92ca2eb0b92d

SHA512
b4b4fd576765f173ffb5871e71018f61bc76a1de83e91d53b1dd6e299d6771797eac51b612234b4e417c52aa695c77fa3bf1dfd309f35211fbc98bbe3987e092

Download Submit
C:\Windows\{702C9DE6-6610-48f8-94E3-BC0A5CD5DFD9}.exe

Filesize
408KB

MD5
e1d5a8abda3e61219e16434b49e5ab28

SHA1
29eb68ad35e9a6b00b449f94ce7cd2afadcfbc6a

SHA256
dd01b1a5f52e8d565e6ec43141c0b326de72dd55c51fa6af568ebcd7d49dc46e

SHA512
3159ce9a5515d7402b4ddcd74d8f443273d0ba7db6467b1e1155d363dac0e2b7b8bb5026c5a11ad1f24a5b5f8d7495e789dd3e985007f04f0d89cc5aac2b1935

Download Submit
C:\Windows\{89F2DCDA-7FEA-4717-864E-DA1F7A02C645}.exe

Filesize
408KB

MD5
fc51e1b6d693e41a069be654412c8ae0

SHA1
f4079a392368ab152eed97696e98adfd99b9306b

SHA256
8b8250fdf85875766df8c1b1e114a306368e3e225c4c3d9c1ba00f353876e28b

SHA512
6fb4362b062a70307e351c30b5c1419ce4ce4f2a944894bc1189d6ed777f4b63e00a73f9aa7f95f03d8a24563a441fed56863a9c651c70e15da3fe682540b9fa

Download Submit
C:\Windows\{962590D2-7E27-48ce-A63C-F5C18C676C6B}.exe

Filesize
31KB

MD5
9feefb897dc0b3741a01697787a2eb58

SHA1
9f0a80e692fc8e63bc5ecc8f06f9d1ef9834fe25

SHA256
548e5a3189da7aca8cdb389bb06592d60111cfa0efe49a69915779fd771ca326

SHA512
07e27d677a71472f7b65c56293ce90a361b15554bb11d579a09f3c72c13ff0271c34ed0d02530db6a4803b60891bafe30b242cf4ed860c5c6c966d56705a242d

Download Submit
C:\Windows\{962590D2-7E27-48ce-A63C-F5C18C676C6B}.exe

Filesize
128KB

MD5
700b9139305138fb433ab442c4dcc721

SHA1
b420436b3a77bf64f283bd2a973924ed60ab700c

SHA256
663dca95fd60f5a1f418b556031c1456afedb3f0dcb00098d029e6926eeb9d29

SHA512
1f4c242daf96e667c9f7edd2072d820fc662bb99ccef52032d7a558f7ed4e8bb0fd9b168ecba798636472fe6aba6a92d1f5acaa0e09b901dd72a2eb9a3dc19bf

Download Submit
C:\Windows\{9B8D8C3C-28C7-4515-974A-F81CAA498C4A}.exe

Filesize
408KB

MD5
c699441542026207100531745d8b4bf1

SHA1
ac3c3bb40637b153a930ebae148f38c2a99434ba

SHA256
afda113683988209653db349da20132967b1662090f72bf10d61077647fadd7e

SHA512
7f11c2cf1074b7b6f68d0925053b205ea75708b648efee999f62b228d5b6fb6a481ceeae5b3c85d07071783efc0a638436036a35b4526ae417caa45725b607ac

Download Submit
C:\Windows\{9B8D8C3C-28C7-4515-974A-F81CAA498C4A}.exe

Filesize
21KB

MD5
1a4d3d65c1919fab29974946c0ae1691

SHA1
f8f6f564c5040796759f29371818b09d3fd8129a

SHA256
af3483451d18efab3a992b1b93325e20aee72b53d1ef206c3c163403889aeb8b

SHA512
437b0365fd357c2337e54d4f2de9a6d4bb266cf8a3f6aeb144a6c157c40f574b3c75e8f3d28ebfc39e74a9d946771ba69edbc5f9304ef584b50f55becbf2c9c6

Download Submit
C:\Windows\{9E985D3C-33DD-4787-8DCE-C8599DF68EE8}.exe

Filesize
408KB

MD5
71a9676cb9dc129733f74bf07dddf5f5

SHA1
3c368664e23864fdfda8a5a9ee8605cd715e5144

SHA256
9229b86c1e1d50e0d86d85cf52636ca640939d9494a4ea7dcf3afccae3688e36

SHA512
b2ccb6401a3709a483f54ad3291ef531813710cbde70e38ea3d806fa5407bdee25d55f94f50ec594a3ec72676db9e086c18ec907c1427f004e95ac0a2897cb56

Download Submit
C:\Windows\{A9108F4C-CE43-4b22-A12C-B98EA2FB0E45}.exe

Filesize
408KB

MD5
de1bd19ab6fd4be517cdb693a9307162

SHA1
4e50a4c453aceb6d81306ad30cbf6da0090a53c4

SHA256
46dd1ef6d6bd66695fd27e7302042a24ddbbd59515605de4099181e16f816e05

SHA512
17bacc2fb2b61dd895ce28bebc4f977a37e3ce0f2a900c14ee40212801f1d1a14e56def183792bb58721d3dfb17d653b6f3f836ccad94fb1581b4e01e66abd61

Download Submit
C:\Windows\{AD6752C3-60D3-4181-9E4C-94DF3ADF425F}.exe

Filesize
408KB

MD5
fb19207296a782b8a23e195a170572f7

SHA1
1a854bdfa3d8adf6089534836643898e26636406

SHA256
51d582f727efa8910f795d5d18ab56ceb19b5a89f3968eb2923fb2ecd79595fe

SHA512
8c1fda9863014d16d21d1843a17137a8d2e8a3a574b2bbaf037726758710273a554b63fdcdb0ad68ea66549480f9712a1f212d48077c9ed0ebeeb8ddd8261ac6

Download Submit
C:\Windows\{DA9BC9F9-3580-44f5-B8E6-4530D3EC1F0C}.exe

Filesize
408KB

MD5
f0bd3785f1c58622142f1570ae134a7d

SHA1
72135db690114f6d5c39ce5bfcaddfe05d624da2

SHA256
690d820b4d42d0b16006e77e60d5609cc89ab08aa862cbeb6685f12643008fd1

SHA512
89665c1bcb48c75ec08512ab8a50d2a647b5ba44d42393780ba74232227cd901e7e7d6ec2bab4186b99d6b0e36a037a98d429a90ef79a59e4ff17d2620be636d

Download Submit
C:\Windows\{DFB0E7D0-D92A-4d45-8E58-F55F51B55BED}.exe

Filesize
408KB

MD5
f98893bedcfb6a9f7deaf0fb98d79cf4

SHA1
bcd5c667a8e44a28cf852006cb89d64360529c43

SHA256
631e98166a98e7ee0d7101a3211411d09a7d3cba3a25779ab21180b596e43cc4

SHA512
6e3011871755141db14b90dc90c50cf72af0674c6d579f8a7508a2e027306bdd8821373037c96e62a411f3a2dc144bb0bdbf9cd5b7a43bc5c82c94c738013f55

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads