3283dcd16452f7369d2ae736dc09182f21c64955662d288d9ee38af8ff924ccd

Analysis

max time kernel
144s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
27-02-2024 20:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-27_ca0cebf8acbac11b2c27076f75497092_goldeneye.exe
Size

372KB
MD5

ca0cebf8acbac11b2c27076f75497092
SHA1

94ff4c41972f913a8948c9ad342a7cda0b3c390b
SHA256

3283dcd16452f7369d2ae736dc09182f21c64955662d288d9ee38af8ff924ccd
SHA512

ae4396f527c7a1f7e99efa70f436d66929f7f6f477d79f9a812a2272dc74d685ec6b13b1b16efb89004202430d8b517b61566a04e329d5d08ae9ed8265b65b2c
SSDEEP

3072:CEGh0o8lMOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBfM:CEGClkOe2MUVg3vTeKcAEciTBqr3

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000e000000015c65-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002b000000015d85-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e000000015e01-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed8-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002500000000b1f4-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed8-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002c000000015d85-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed8-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002d000000015d85-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f000000015e01-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002e000000015d85-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1306582F-3AEE-4b92-9900-BB8CEF206B62}\stubpath = "C:\\Windows\\{1306582F-3AEE-4b92-9900-BB8CEF206B62}.exe"	{1B6453E1-3764-4e05-8FC0-1D596BB738B3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0C27BF5F-A19C-451f-A5AA-A41C8AEF6ECE}	2024-02-27_ca0cebf8acbac11b2c27076f75497092_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D45BDCAC-CB5C-475b-8935-60F2554B7F1A}	{0C27BF5F-A19C-451f-A5AA-A41C8AEF6ECE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AA68CBC1-8AEF-454f-9C7C-350B9D9327C5}	{D45BDCAC-CB5C-475b-8935-60F2554B7F1A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2FDE105D-AFFB-4561-85FA-27E5964A3D95}\stubpath = "C:\\Windows\\{2FDE105D-AFFB-4561-85FA-27E5964A3D95}.exe"	{2CD769E6-7405-4918-BF4D-40BDB311400F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1B6453E1-3764-4e05-8FC0-1D596BB738B3}\stubpath = "C:\\Windows\\{1B6453E1-3764-4e05-8FC0-1D596BB738B3}.exe"	{2FDE105D-AFFB-4561-85FA-27E5964A3D95}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8A6FD3F4-BC13-4122-81CA-9A67268B041C}	{16E809E1-4E5E-4db4-8CDC-86E062E86857}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8A6FD3F4-BC13-4122-81CA-9A67268B041C}\stubpath = "C:\\Windows\\{8A6FD3F4-BC13-4122-81CA-9A67268B041C}.exe"	{16E809E1-4E5E-4db4-8CDC-86E062E86857}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0FE6069B-8B5D-4182-A897-6C52AF97207C}\stubpath = "C:\\Windows\\{0FE6069B-8B5D-4182-A897-6C52AF97207C}.exe"	{8A6FD3F4-BC13-4122-81CA-9A67268B041C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0C27BF5F-A19C-451f-A5AA-A41C8AEF6ECE}\stubpath = "C:\\Windows\\{0C27BF5F-A19C-451f-A5AA-A41C8AEF6ECE}.exe"	2024-02-27_ca0cebf8acbac11b2c27076f75497092_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D45BDCAC-CB5C-475b-8935-60F2554B7F1A}\stubpath = "C:\\Windows\\{D45BDCAC-CB5C-475b-8935-60F2554B7F1A}.exe"	{0C27BF5F-A19C-451f-A5AA-A41C8AEF6ECE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{69811C3A-2FB5-47d0-B23F-854B3274412E}	{AA68CBC1-8AEF-454f-9C7C-350B9D9327C5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2FDE105D-AFFB-4561-85FA-27E5964A3D95}	{2CD769E6-7405-4918-BF4D-40BDB311400F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AA68CBC1-8AEF-454f-9C7C-350B9D9327C5}\stubpath = "C:\\Windows\\{AA68CBC1-8AEF-454f-9C7C-350B9D9327C5}.exe"	{D45BDCAC-CB5C-475b-8935-60F2554B7F1A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{16E809E1-4E5E-4db4-8CDC-86E062E86857}	{1306582F-3AEE-4b92-9900-BB8CEF206B62}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0FE6069B-8B5D-4182-A897-6C52AF97207C}	{8A6FD3F4-BC13-4122-81CA-9A67268B041C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1306582F-3AEE-4b92-9900-BB8CEF206B62}	{1B6453E1-3764-4e05-8FC0-1D596BB738B3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{16E809E1-4E5E-4db4-8CDC-86E062E86857}\stubpath = "C:\\Windows\\{16E809E1-4E5E-4db4-8CDC-86E062E86857}.exe"	{1306582F-3AEE-4b92-9900-BB8CEF206B62}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{69811C3A-2FB5-47d0-B23F-854B3274412E}\stubpath = "C:\\Windows\\{69811C3A-2FB5-47d0-B23F-854B3274412E}.exe"	{AA68CBC1-8AEF-454f-9C7C-350B9D9327C5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2CD769E6-7405-4918-BF4D-40BDB311400F}	{69811C3A-2FB5-47d0-B23F-854B3274412E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2CD769E6-7405-4918-BF4D-40BDB311400F}\stubpath = "C:\\Windows\\{2CD769E6-7405-4918-BF4D-40BDB311400F}.exe"	{69811C3A-2FB5-47d0-B23F-854B3274412E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1B6453E1-3764-4e05-8FC0-1D596BB738B3}	{2FDE105D-AFFB-4561-85FA-27E5964A3D95}.exe

Deletes itself 1 IoCs

pid	Process
1524	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2948	{0C27BF5F-A19C-451f-A5AA-A41C8AEF6ECE}.exe
2816	{D45BDCAC-CB5C-475b-8935-60F2554B7F1A}.exe
2472	{AA68CBC1-8AEF-454f-9C7C-350B9D9327C5}.exe
864	{69811C3A-2FB5-47d0-B23F-854B3274412E}.exe
3068	{2CD769E6-7405-4918-BF4D-40BDB311400F}.exe
1636	{2FDE105D-AFFB-4561-85FA-27E5964A3D95}.exe
1008	{1B6453E1-3764-4e05-8FC0-1D596BB738B3}.exe
576	{1306582F-3AEE-4b92-9900-BB8CEF206B62}.exe
1304	{16E809E1-4E5E-4db4-8CDC-86E062E86857}.exe
2252	{8A6FD3F4-BC13-4122-81CA-9A67268B041C}.exe
2504	{0FE6069B-8B5D-4182-A897-6C52AF97207C}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{AA68CBC1-8AEF-454f-9C7C-350B9D9327C5}.exe	{D45BDCAC-CB5C-475b-8935-60F2554B7F1A}.exe
File created	C:\Windows\{69811C3A-2FB5-47d0-B23F-854B3274412E}.exe	{AA68CBC1-8AEF-454f-9C7C-350B9D9327C5}.exe
File created	C:\Windows\{2FDE105D-AFFB-4561-85FA-27E5964A3D95}.exe	{2CD769E6-7405-4918-BF4D-40BDB311400F}.exe
File created	C:\Windows\{1306582F-3AEE-4b92-9900-BB8CEF206B62}.exe	{1B6453E1-3764-4e05-8FC0-1D596BB738B3}.exe
File created	C:\Windows\{16E809E1-4E5E-4db4-8CDC-86E062E86857}.exe	{1306582F-3AEE-4b92-9900-BB8CEF206B62}.exe
File created	C:\Windows\{0FE6069B-8B5D-4182-A897-6C52AF97207C}.exe	{8A6FD3F4-BC13-4122-81CA-9A67268B041C}.exe
File created	C:\Windows\{0C27BF5F-A19C-451f-A5AA-A41C8AEF6ECE}.exe	2024-02-27_ca0cebf8acbac11b2c27076f75497092_goldeneye.exe
File created	C:\Windows\{D45BDCAC-CB5C-475b-8935-60F2554B7F1A}.exe	{0C27BF5F-A19C-451f-A5AA-A41C8AEF6ECE}.exe
File created	C:\Windows\{8A6FD3F4-BC13-4122-81CA-9A67268B041C}.exe	{16E809E1-4E5E-4db4-8CDC-86E062E86857}.exe
File created	C:\Windows\{2CD769E6-7405-4918-BF4D-40BDB311400F}.exe	{69811C3A-2FB5-47d0-B23F-854B3274412E}.exe
File created	C:\Windows\{1B6453E1-3764-4e05-8FC0-1D596BB738B3}.exe	{2FDE105D-AFFB-4561-85FA-27E5964A3D95}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2196	2024-02-27_ca0cebf8acbac11b2c27076f75497092_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2948	{0C27BF5F-A19C-451f-A5AA-A41C8AEF6ECE}.exe
Token: SeIncBasePriorityPrivilege	2816	{D45BDCAC-CB5C-475b-8935-60F2554B7F1A}.exe
Token: SeIncBasePriorityPrivilege	2472	{AA68CBC1-8AEF-454f-9C7C-350B9D9327C5}.exe
Token: SeIncBasePriorityPrivilege	864	{69811C3A-2FB5-47d0-B23F-854B3274412E}.exe
Token: SeIncBasePriorityPrivilege	3068	{2CD769E6-7405-4918-BF4D-40BDB311400F}.exe
Token: SeIncBasePriorityPrivilege	1636	{2FDE105D-AFFB-4561-85FA-27E5964A3D95}.exe
Token: SeIncBasePriorityPrivilege	1008	{1B6453E1-3764-4e05-8FC0-1D596BB738B3}.exe
Token: SeIncBasePriorityPrivilege	576	{1306582F-3AEE-4b92-9900-BB8CEF206B62}.exe
Token: SeIncBasePriorityPrivilege	1304	{16E809E1-4E5E-4db4-8CDC-86E062E86857}.exe
Token: SeIncBasePriorityPrivilege	2252	{8A6FD3F4-BC13-4122-81CA-9A67268B041C}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2196 wrote to memory of 2948	2196	2024-02-27_ca0cebf8acbac11b2c27076f75497092_goldeneye.exe	28
PID 2196 wrote to memory of 2948	2196	2024-02-27_ca0cebf8acbac11b2c27076f75497092_goldeneye.exe	28
PID 2196 wrote to memory of 2948	2196	2024-02-27_ca0cebf8acbac11b2c27076f75497092_goldeneye.exe	28
PID 2196 wrote to memory of 2948	2196	2024-02-27_ca0cebf8acbac11b2c27076f75497092_goldeneye.exe	28
PID 2196 wrote to memory of 1524	2196	2024-02-27_ca0cebf8acbac11b2c27076f75497092_goldeneye.exe	29
PID 2196 wrote to memory of 1524	2196	2024-02-27_ca0cebf8acbac11b2c27076f75497092_goldeneye.exe	29
PID 2196 wrote to memory of 1524	2196	2024-02-27_ca0cebf8acbac11b2c27076f75497092_goldeneye.exe	29
PID 2196 wrote to memory of 1524	2196	2024-02-27_ca0cebf8acbac11b2c27076f75497092_goldeneye.exe	29
PID 2948 wrote to memory of 2816	2948	{0C27BF5F-A19C-451f-A5AA-A41C8AEF6ECE}.exe	30
PID 2948 wrote to memory of 2816	2948	{0C27BF5F-A19C-451f-A5AA-A41C8AEF6ECE}.exe	30
PID 2948 wrote to memory of 2816	2948	{0C27BF5F-A19C-451f-A5AA-A41C8AEF6ECE}.exe	30
PID 2948 wrote to memory of 2816	2948	{0C27BF5F-A19C-451f-A5AA-A41C8AEF6ECE}.exe	30
PID 2948 wrote to memory of 2540	2948	{0C27BF5F-A19C-451f-A5AA-A41C8AEF6ECE}.exe	31
PID 2948 wrote to memory of 2540	2948	{0C27BF5F-A19C-451f-A5AA-A41C8AEF6ECE}.exe	31
PID 2948 wrote to memory of 2540	2948	{0C27BF5F-A19C-451f-A5AA-A41C8AEF6ECE}.exe	31
PID 2948 wrote to memory of 2540	2948	{0C27BF5F-A19C-451f-A5AA-A41C8AEF6ECE}.exe	31
PID 2816 wrote to memory of 2472	2816	{D45BDCAC-CB5C-475b-8935-60F2554B7F1A}.exe	34
PID 2816 wrote to memory of 2472	2816	{D45BDCAC-CB5C-475b-8935-60F2554B7F1A}.exe	34
PID 2816 wrote to memory of 2472	2816	{D45BDCAC-CB5C-475b-8935-60F2554B7F1A}.exe	34
PID 2816 wrote to memory of 2472	2816	{D45BDCAC-CB5C-475b-8935-60F2554B7F1A}.exe	34
PID 2816 wrote to memory of 2888	2816	{D45BDCAC-CB5C-475b-8935-60F2554B7F1A}.exe	35
PID 2816 wrote to memory of 2888	2816	{D45BDCAC-CB5C-475b-8935-60F2554B7F1A}.exe	35
PID 2816 wrote to memory of 2888	2816	{D45BDCAC-CB5C-475b-8935-60F2554B7F1A}.exe	35
PID 2816 wrote to memory of 2888	2816	{D45BDCAC-CB5C-475b-8935-60F2554B7F1A}.exe	35
PID 2472 wrote to memory of 864	2472	{AA68CBC1-8AEF-454f-9C7C-350B9D9327C5}.exe	37
PID 2472 wrote to memory of 864	2472	{AA68CBC1-8AEF-454f-9C7C-350B9D9327C5}.exe	37
PID 2472 wrote to memory of 864	2472	{AA68CBC1-8AEF-454f-9C7C-350B9D9327C5}.exe	37
PID 2472 wrote to memory of 864	2472	{AA68CBC1-8AEF-454f-9C7C-350B9D9327C5}.exe	37
PID 2472 wrote to memory of 324	2472	{AA68CBC1-8AEF-454f-9C7C-350B9D9327C5}.exe	36
PID 2472 wrote to memory of 324	2472	{AA68CBC1-8AEF-454f-9C7C-350B9D9327C5}.exe	36
PID 2472 wrote to memory of 324	2472	{AA68CBC1-8AEF-454f-9C7C-350B9D9327C5}.exe	36
PID 2472 wrote to memory of 324	2472	{AA68CBC1-8AEF-454f-9C7C-350B9D9327C5}.exe	36
PID 864 wrote to memory of 3068	864	{69811C3A-2FB5-47d0-B23F-854B3274412E}.exe	38
PID 864 wrote to memory of 3068	864	{69811C3A-2FB5-47d0-B23F-854B3274412E}.exe	38
PID 864 wrote to memory of 3068	864	{69811C3A-2FB5-47d0-B23F-854B3274412E}.exe	38
PID 864 wrote to memory of 3068	864	{69811C3A-2FB5-47d0-B23F-854B3274412E}.exe	38
PID 864 wrote to memory of 2144	864	{69811C3A-2FB5-47d0-B23F-854B3274412E}.exe	39
PID 864 wrote to memory of 2144	864	{69811C3A-2FB5-47d0-B23F-854B3274412E}.exe	39
PID 864 wrote to memory of 2144	864	{69811C3A-2FB5-47d0-B23F-854B3274412E}.exe	39
PID 864 wrote to memory of 2144	864	{69811C3A-2FB5-47d0-B23F-854B3274412E}.exe	39
PID 3068 wrote to memory of 1636	3068	{2CD769E6-7405-4918-BF4D-40BDB311400F}.exe	40
PID 3068 wrote to memory of 1636	3068	{2CD769E6-7405-4918-BF4D-40BDB311400F}.exe	40
PID 3068 wrote to memory of 1636	3068	{2CD769E6-7405-4918-BF4D-40BDB311400F}.exe	40
PID 3068 wrote to memory of 1636	3068	{2CD769E6-7405-4918-BF4D-40BDB311400F}.exe	40
PID 3068 wrote to memory of 1476	3068	{2CD769E6-7405-4918-BF4D-40BDB311400F}.exe	41
PID 3068 wrote to memory of 1476	3068	{2CD769E6-7405-4918-BF4D-40BDB311400F}.exe	41
PID 3068 wrote to memory of 1476	3068	{2CD769E6-7405-4918-BF4D-40BDB311400F}.exe	41
PID 3068 wrote to memory of 1476	3068	{2CD769E6-7405-4918-BF4D-40BDB311400F}.exe	41
PID 1636 wrote to memory of 1008	1636	{2FDE105D-AFFB-4561-85FA-27E5964A3D95}.exe	43
PID 1636 wrote to memory of 1008	1636	{2FDE105D-AFFB-4561-85FA-27E5964A3D95}.exe	43
PID 1636 wrote to memory of 1008	1636	{2FDE105D-AFFB-4561-85FA-27E5964A3D95}.exe	43
PID 1636 wrote to memory of 1008	1636	{2FDE105D-AFFB-4561-85FA-27E5964A3D95}.exe	43
PID 1636 wrote to memory of 1652	1636	{2FDE105D-AFFB-4561-85FA-27E5964A3D95}.exe	42
PID 1636 wrote to memory of 1652	1636	{2FDE105D-AFFB-4561-85FA-27E5964A3D95}.exe	42
PID 1636 wrote to memory of 1652	1636	{2FDE105D-AFFB-4561-85FA-27E5964A3D95}.exe	42
PID 1636 wrote to memory of 1652	1636	{2FDE105D-AFFB-4561-85FA-27E5964A3D95}.exe	42
PID 1008 wrote to memory of 576	1008	{1B6453E1-3764-4e05-8FC0-1D596BB738B3}.exe	44
PID 1008 wrote to memory of 576	1008	{1B6453E1-3764-4e05-8FC0-1D596BB738B3}.exe	44
PID 1008 wrote to memory of 576	1008	{1B6453E1-3764-4e05-8FC0-1D596BB738B3}.exe	44
PID 1008 wrote to memory of 576	1008	{1B6453E1-3764-4e05-8FC0-1D596BB738B3}.exe	44
PID 1008 wrote to memory of 1104	1008	{1B6453E1-3764-4e05-8FC0-1D596BB738B3}.exe	45
PID 1008 wrote to memory of 1104	1008	{1B6453E1-3764-4e05-8FC0-1D596BB738B3}.exe	45
PID 1008 wrote to memory of 1104	1008	{1B6453E1-3764-4e05-8FC0-1D596BB738B3}.exe	45
PID 1008 wrote to memory of 1104	1008	{1B6453E1-3764-4e05-8FC0-1D596BB738B3}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-02-27_ca0cebf8acbac11b2c27076f75497092_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-27_ca0cebf8acbac11b2c27076f75497092_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2196
- C:\Windows\{0C27BF5F-A19C-451f-A5AA-A41C8AEF6ECE}.exe
  C:\Windows\{0C27BF5F-A19C-451f-A5AA-A41C8AEF6ECE}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2948
- - C:\Windows\{D45BDCAC-CB5C-475b-8935-60F2554B7F1A}.exe
    C:\Windows\{D45BDCAC-CB5C-475b-8935-60F2554B7F1A}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2816
  - - C:\Windows\{AA68CBC1-8AEF-454f-9C7C-350B9D9327C5}.exe
      C:\Windows\{AA68CBC1-8AEF-454f-9C7C-350B9D9327C5}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2472
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AA68C~1.EXE > nul
        5⤵
        
        PID:324
    - - C:\Windows\{69811C3A-2FB5-47d0-B23F-854B3274412E}.exe
        
        C:\Windows\{69811C3A-2FB5-47d0-B23F-854B3274412E}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:864
      - C:\Windows\{2CD769E6-7405-4918-BF4D-40BDB311400F}.exe
        
        C:\Windows\{2CD769E6-7405-4918-BF4D-40BDB311400F}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3068
        
        C:\Windows\{2FDE105D-AFFB-4561-85FA-27E5964A3D95}.exe
        
        C:\Windows\{2FDE105D-AFFB-4561-85FA-27E5964A3D95}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2FDE1~1.EXE > nul
        8⤵
        
        PID:1652
        
        C:\Windows\{1B6453E1-3764-4e05-8FC0-1D596BB738B3}.exe
        
        C:\Windows\{1B6453E1-3764-4e05-8FC0-1D596BB738B3}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1008
        
        C:\Windows\{1306582F-3AEE-4b92-9900-BB8CEF206B62}.exe
        
        C:\Windows\{1306582F-3AEE-4b92-9900-BB8CEF206B62}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:576
        
        C:\Windows\{16E809E1-4E5E-4db4-8CDC-86E062E86857}.exe
        
        C:\Windows\{16E809E1-4E5E-4db4-8CDC-86E062E86857}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{16E80~1.EXE > nul
        11⤵
        
        PID:2832
        
        C:\Windows\{8A6FD3F4-BC13-4122-81CA-9A67268B041C}.exe
        
        C:\Windows\{8A6FD3F4-BC13-4122-81CA-9A67268B041C}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2252
        
        C:\Windows\{0FE6069B-8B5D-4182-A897-6C52AF97207C}.exe
        
        C:\Windows\{0FE6069B-8B5D-4182-A897-6C52AF97207C}.exe
        12⤵
        Executes dropped EXE
        
        PID:2504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8A6FD~1.EXE > nul
        12⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{13065~1.EXE > nul
        10⤵
        
        PID:664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1B645~1.EXE > nul
        9⤵
        
        PID:1104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2CD76~1.EXE > nul
        7⤵
        
        PID:1476
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{69811~1.EXE > nul
        6⤵
        
        PID:2144
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{D45BD~1.EXE > nul
      4⤵
      PID:2888
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{0C27B~1.EXE > nul
    3⤵
    PID:2540
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:1524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0C27BF5F-A19C-451f-A5AA-A41C8AEF6ECE}.exe

Filesize
372KB

MD5
015a0b74888b12e572b84f2bcfe05ac9

SHA1
778ec239f5a2925230e0b8bab728dcde48711146

SHA256
f764cfc99fe279995e23b029ab53955674b8038048ec655be2a73ca665278ea9

SHA512
6f4200babbd1fe4408f8030228fbe9915af03486b59d6fb5b2ef29a966718d563db1baf6b13c8604f88b14e17015cefa8c7045fa88ad6ffb6beb96ded982dab0

Download Submit
C:\Windows\{0FE6069B-8B5D-4182-A897-6C52AF97207C}.exe

Filesize
372KB

MD5
74ab8d5308720325f58c41eb1c0f0749

SHA1
b2812f0af3d813831ab157fd3026003c203b105a

SHA256
a3801109a32ef0a9bb39f44d82a764722881e5b0bec309124ba8c2a36c62fd3d

SHA512
64f88f8a1f6c1c86fc3fd876d8ece187c7d11cace22b97fb998f74e482f030ddcc875aab03f55b34634688860dbba065a2462ef4ed2766d582dfaf194899972b

Download Submit
C:\Windows\{1306582F-3AEE-4b92-9900-BB8CEF206B62}.exe

Filesize
372KB

MD5
8ebedfed509b86b62270435c48fe8adc

SHA1
ed2737ec727f54fb5cc7bc4f32f7ff75043ba07a

SHA256
59dd089103e69ca7081e7133c770c6271e2041bcb09eca185a7a4d24e67bd6b3

SHA512
dfefa7e925a04acb4431175a1ba3b993da36b233e1c821346aa4475fd8b7e3afca4242af0e0e7e3af0d1fbf98d8537dc10b812e804e85a4fe843ba7daa98fd43

Download Submit
C:\Windows\{16E809E1-4E5E-4db4-8CDC-86E062E86857}.exe

Filesize
372KB

MD5
337b161c703b6c17ebe708648feb1d55

SHA1
da098ad778f99bc780054765e055b60d503f7eee

SHA256
8d8626c667cd9f117bfae7bc05d76122d34c27e8d5f5ded90b73c6d3b3770449

SHA512
bfc52abda9af1351708f7726068170ba334dca6503a11ef4e35d70d2bd8ab9d772c97f0d0a6e7c7d8697753996ae2d08b9f44f913e9ea4bfc9309e1d58ac2113

Download Submit
C:\Windows\{1B6453E1-3764-4e05-8FC0-1D596BB738B3}.exe

Filesize
372KB

MD5
fcdd0b73f884d17f8b401f61bc24271b

SHA1
ae1dafaab2f826002de5222d28e9b1e93b0b530f

SHA256
f5a1d63889cd18cdc52d13857e83d7d1618c8d652e956a2b9fea117fba2f3382

SHA512
9fa977b07eba81224563ba5286e944e393780ec9eb804808dea9955c37ebc2d032c17e91bf331b9bd565be6d583cc8925e4171480fa68dc19a0a826e8a115a7e

Download Submit
C:\Windows\{2CD769E6-7405-4918-BF4D-40BDB311400F}.exe

Filesize
372KB

MD5
8ad71ef62285b4cf30a7755f6edc384f

SHA1
3470d558c1b46fd90883aaed54abc60f2d7dccbf

SHA256
569250bf2460368f2c195562915745c8a1fae218da8e50de49d13e7ee521a293

SHA512
168c2f4c33068b8a0aa3c34f8a8022988aacd669cc556f2d21085db9cd7a084c0a11126738bfc60cab167b58b27e81d5a6498952821614b606a61e0f7def0bb7

Download Submit
C:\Windows\{2FDE105D-AFFB-4561-85FA-27E5964A3D95}.exe

Filesize
372KB

MD5
234f67ec7a9096891bceb2a74aba1b05

SHA1
c25f215ef420bfcf8b9b0babc2a3bef018b93456

SHA256
e09eab1d8c2325a1c7dc7ed469a3abd5726916f9dce9e963d95dc3df9a577adb

SHA512
f736e531653eadf4211894b8056d30dec4e42c2e348225665085735ab053d61632041db79035678a26391fe1fe5fc8aee1778594c90091b40a90c8d072e25e83

Download Submit
C:\Windows\{69811C3A-2FB5-47d0-B23F-854B3274412E}.exe

Filesize
372KB

MD5
2234f8d22049afcf3464ba24804bb1b4

SHA1
461c0c612013fd37b297027497ec686d9154530f

SHA256
e9734f5f4b3939be592822766dee644ad3953db3cad3368d392436a036b2f5e6

SHA512
9268d45db4e2936e7c2f5b18f017d5ed590b8184eb9cd2c0803c7a7aa05d99f07e0c1ce37d0def560b05e066bc42479cedea8fe579b77017e2744d44613090f1

Download Submit
C:\Windows\{8A6FD3F4-BC13-4122-81CA-9A67268B041C}.exe

Filesize
372KB

MD5
eec98dc4dd8b9ff17ec0c8bb7fe074e0

SHA1
e8fc8c1722666bc8eaaec2c07091a74d1883e60d

SHA256
ec7dae0b21420b19e73cc9e7f27bb1782ee0329f8173739ced4be2ce15f2b112

SHA512
4d752d26ca619aeb9dcb959a00bea1a5626c9a532504ab49c820c08acce3fe2749821770a2379b1f44eb9f8a620339f5dacebf9d0641a40af14362bfb00faf0c

Download Submit
C:\Windows\{AA68CBC1-8AEF-454f-9C7C-350B9D9327C5}.exe

Filesize
372KB

MD5
0c207200ba31a5b8949a92009fbb6a4c

SHA1
48d9d3e0e970d5990cfaa15abb70ade529460536

SHA256
e8e38ff8bb87a2e5a7de29fd642ef00307ff5d484403f8e8b4ab8eb94666cd2d

SHA512
cce3967ae5cb1dba1959083e0043e406f79ee9a2c47d86aa8bc66dd1dd9b1ba0a430898da12989862c6bdef217ff3a05a19a741c84e351db83dcf360ae3efddf

Download Submit
C:\Windows\{D45BDCAC-CB5C-475b-8935-60F2554B7F1A}.exe

Filesize
372KB

MD5
1a76b67f3ef0ccdc8c3d8a606f8cb3cb

SHA1
2bb109a3c4f437788a40019ffc96a45f55e771d1

SHA256
fb88c2d08b67a98fd7f04b337fd68216aeae2fb580d4d983ac53be7440bdd15c

SHA512
9d968671eb200310f9276866311de44d0cf5ddf63d5ed83494f642f4fdaad1c59ffcf59ace143592f83b1c7723d6fd953db8623f18a3a7f28b2687dbccaf05e6

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads