a78432e5ec364d6f40c13a43f5a73dac29a749cc3676a04b6905511ccdbf6d5d

Analysis

max time kernel
144s
max time network
125s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
05/03/2024, 23:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-05_b0f56e3b8f947a36356e6bf8c17c728a_goldeneye.exe
Size

180KB
MD5

b0f56e3b8f947a36356e6bf8c17c728a
SHA1

e764560d135cd9a0fa55a952342fa16fd2b714b8
SHA256

a78432e5ec364d6f40c13a43f5a73dac29a749cc3676a04b6905511ccdbf6d5d
SHA512

6cc99aec606bc108eefe3d5ffa9f0f61301a9f550a2f8db138b0069eb3b8e418050d763c2bfad5636bc104ab0ec03b51dde95167c3e529ede2b511ffb3031a2e
SSDEEP

3072:jEGh0oQlfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGGl5eKcAEc

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 15 IoCs

resource	yara_rule
behavioral1/files/0x000c000000012240-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000012240-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000012240-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0024000000015c23-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0024000000015c23-13.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f00000000f680-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0025000000015c23-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001000000000f680-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0026000000015c23-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001100000000f680-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0027000000015c23-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001200000000f680-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001200000000f680-62.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0028000000015c23-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001300000000f680-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9262AC7A-843A-4c5b-ADF5-FD4E12A64C79}	{B27FECDE-ADED-442d-AAA8-BDBF78C5184F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{624E24B6-2E11-4d90-A99E-324512A4EBAC}\stubpath = "C:\\Windows\\{624E24B6-2E11-4d90-A99E-324512A4EBAC}.exe"	{40F77ACE-347E-41c3-ADAB-EA663566EFA2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F04A444A-C3FB-44bd-8978-6682DEA99B94}\stubpath = "C:\\Windows\\{F04A444A-C3FB-44bd-8978-6682DEA99B94}.exe"	{A889EC8B-067C-416e-877F-622CEBCB5D99}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4D0E6202-CF36-4f40-AA18-38C8299492F0}\stubpath = "C:\\Windows\\{4D0E6202-CF36-4f40-AA18-38C8299492F0}.exe"	{93CAEDE2-85A1-4de3-A4C6-C2EEC3ADA974}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F6085B77-E298-4bc7-A435-512F103B8610}\stubpath = "C:\\Windows\\{F6085B77-E298-4bc7-A435-512F103B8610}.exe"	{A14B85F4-2EDD-464b-9D42-85265E2BE93A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{624E24B6-2E11-4d90-A99E-324512A4EBAC}	{40F77ACE-347E-41c3-ADAB-EA663566EFA2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A889EC8B-067C-416e-877F-622CEBCB5D99}	{624E24B6-2E11-4d90-A99E-324512A4EBAC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F6085B77-E298-4bc7-A435-512F103B8610}	{A14B85F4-2EDD-464b-9D42-85265E2BE93A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3BEE64EA-FE3A-47e1-9C46-43D6878055E2}\stubpath = "C:\\Windows\\{3BEE64EA-FE3A-47e1-9C46-43D6878055E2}.exe"	{F6085B77-E298-4bc7-A435-512F103B8610}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B27FECDE-ADED-442d-AAA8-BDBF78C5184F}	2024-03-05_b0f56e3b8f947a36356e6bf8c17c728a_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B27FECDE-ADED-442d-AAA8-BDBF78C5184F}\stubpath = "C:\\Windows\\{B27FECDE-ADED-442d-AAA8-BDBF78C5184F}.exe"	2024-03-05_b0f56e3b8f947a36356e6bf8c17c728a_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9262AC7A-843A-4c5b-ADF5-FD4E12A64C79}\stubpath = "C:\\Windows\\{9262AC7A-843A-4c5b-ADF5-FD4E12A64C79}.exe"	{B27FECDE-ADED-442d-AAA8-BDBF78C5184F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{40F77ACE-347E-41c3-ADAB-EA663566EFA2}	{9262AC7A-843A-4c5b-ADF5-FD4E12A64C79}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{40F77ACE-347E-41c3-ADAB-EA663566EFA2}\stubpath = "C:\\Windows\\{40F77ACE-347E-41c3-ADAB-EA663566EFA2}.exe"	{9262AC7A-843A-4c5b-ADF5-FD4E12A64C79}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{93CAEDE2-85A1-4de3-A4C6-C2EEC3ADA974}\stubpath = "C:\\Windows\\{93CAEDE2-85A1-4de3-A4C6-C2EEC3ADA974}.exe"	{F04A444A-C3FB-44bd-8978-6682DEA99B94}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A14B85F4-2EDD-464b-9D42-85265E2BE93A}\stubpath = "C:\\Windows\\{A14B85F4-2EDD-464b-9D42-85265E2BE93A}.exe"	{4D0E6202-CF36-4f40-AA18-38C8299492F0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3BEE64EA-FE3A-47e1-9C46-43D6878055E2}	{F6085B77-E298-4bc7-A435-512F103B8610}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A889EC8B-067C-416e-877F-622CEBCB5D99}\stubpath = "C:\\Windows\\{A889EC8B-067C-416e-877F-622CEBCB5D99}.exe"	{624E24B6-2E11-4d90-A99E-324512A4EBAC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F04A444A-C3FB-44bd-8978-6682DEA99B94}	{A889EC8B-067C-416e-877F-622CEBCB5D99}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{93CAEDE2-85A1-4de3-A4C6-C2EEC3ADA974}	{F04A444A-C3FB-44bd-8978-6682DEA99B94}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4D0E6202-CF36-4f40-AA18-38C8299492F0}	{93CAEDE2-85A1-4de3-A4C6-C2EEC3ADA974}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A14B85F4-2EDD-464b-9D42-85265E2BE93A}	{4D0E6202-CF36-4f40-AA18-38C8299492F0}.exe

Deletes itself 1 IoCs

pid	Process
2932	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2744	{B27FECDE-ADED-442d-AAA8-BDBF78C5184F}.exe
2512	{9262AC7A-843A-4c5b-ADF5-FD4E12A64C79}.exe
2392	{40F77ACE-347E-41c3-ADAB-EA663566EFA2}.exe
2848	{624E24B6-2E11-4d90-A99E-324512A4EBAC}.exe
1652	{A889EC8B-067C-416e-877F-622CEBCB5D99}.exe
2384	{F04A444A-C3FB-44bd-8978-6682DEA99B94}.exe
1092	{93CAEDE2-85A1-4de3-A4C6-C2EEC3ADA974}.exe
2320	{4D0E6202-CF36-4f40-AA18-38C8299492F0}.exe
1604	{A14B85F4-2EDD-464b-9D42-85265E2BE93A}.exe
2436	{F6085B77-E298-4bc7-A435-512F103B8610}.exe
756	{3BEE64EA-FE3A-47e1-9C46-43D6878055E2}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{9262AC7A-843A-4c5b-ADF5-FD4E12A64C79}.exe	{B27FECDE-ADED-442d-AAA8-BDBF78C5184F}.exe
File created	C:\Windows\{40F77ACE-347E-41c3-ADAB-EA663566EFA2}.exe	{9262AC7A-843A-4c5b-ADF5-FD4E12A64C79}.exe
File created	C:\Windows\{624E24B6-2E11-4d90-A99E-324512A4EBAC}.exe	{40F77ACE-347E-41c3-ADAB-EA663566EFA2}.exe
File created	C:\Windows\{A889EC8B-067C-416e-877F-622CEBCB5D99}.exe	{624E24B6-2E11-4d90-A99E-324512A4EBAC}.exe
File created	C:\Windows\{F04A444A-C3FB-44bd-8978-6682DEA99B94}.exe	{A889EC8B-067C-416e-877F-622CEBCB5D99}.exe
File created	C:\Windows\{4D0E6202-CF36-4f40-AA18-38C8299492F0}.exe	{93CAEDE2-85A1-4de3-A4C6-C2EEC3ADA974}.exe
File created	C:\Windows\{3BEE64EA-FE3A-47e1-9C46-43D6878055E2}.exe	{F6085B77-E298-4bc7-A435-512F103B8610}.exe
File created	C:\Windows\{B27FECDE-ADED-442d-AAA8-BDBF78C5184F}.exe	2024-03-05_b0f56e3b8f947a36356e6bf8c17c728a_goldeneye.exe
File created	C:\Windows\{93CAEDE2-85A1-4de3-A4C6-C2EEC3ADA974}.exe	{F04A444A-C3FB-44bd-8978-6682DEA99B94}.exe
File created	C:\Windows\{A14B85F4-2EDD-464b-9D42-85265E2BE93A}.exe	{4D0E6202-CF36-4f40-AA18-38C8299492F0}.exe
File created	C:\Windows\{F6085B77-E298-4bc7-A435-512F103B8610}.exe	{A14B85F4-2EDD-464b-9D42-85265E2BE93A}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2936	2024-03-05_b0f56e3b8f947a36356e6bf8c17c728a_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2744	{B27FECDE-ADED-442d-AAA8-BDBF78C5184F}.exe
Token: SeIncBasePriorityPrivilege	2512	{9262AC7A-843A-4c5b-ADF5-FD4E12A64C79}.exe
Token: SeIncBasePriorityPrivilege	2392	{40F77ACE-347E-41c3-ADAB-EA663566EFA2}.exe
Token: SeIncBasePriorityPrivilege	2848	{624E24B6-2E11-4d90-A99E-324512A4EBAC}.exe
Token: SeIncBasePriorityPrivilege	1652	{A889EC8B-067C-416e-877F-622CEBCB5D99}.exe
Token: SeIncBasePriorityPrivilege	2384	{F04A444A-C3FB-44bd-8978-6682DEA99B94}.exe
Token: SeIncBasePriorityPrivilege	1092	{93CAEDE2-85A1-4de3-A4C6-C2EEC3ADA974}.exe
Token: SeIncBasePriorityPrivilege	2320	{4D0E6202-CF36-4f40-AA18-38C8299492F0}.exe
Token: SeIncBasePriorityPrivilege	1604	{A14B85F4-2EDD-464b-9D42-85265E2BE93A}.exe
Token: SeIncBasePriorityPrivilege	2436	{F6085B77-E298-4bc7-A435-512F103B8610}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2936 wrote to memory of 2744	2936	2024-03-05_b0f56e3b8f947a36356e6bf8c17c728a_goldeneye.exe	28
PID 2936 wrote to memory of 2744	2936	2024-03-05_b0f56e3b8f947a36356e6bf8c17c728a_goldeneye.exe	28
PID 2936 wrote to memory of 2744	2936	2024-03-05_b0f56e3b8f947a36356e6bf8c17c728a_goldeneye.exe	28
PID 2936 wrote to memory of 2744	2936	2024-03-05_b0f56e3b8f947a36356e6bf8c17c728a_goldeneye.exe	28
PID 2936 wrote to memory of 2932	2936	2024-03-05_b0f56e3b8f947a36356e6bf8c17c728a_goldeneye.exe	29
PID 2936 wrote to memory of 2932	2936	2024-03-05_b0f56e3b8f947a36356e6bf8c17c728a_goldeneye.exe	29
PID 2936 wrote to memory of 2932	2936	2024-03-05_b0f56e3b8f947a36356e6bf8c17c728a_goldeneye.exe	29
PID 2936 wrote to memory of 2932	2936	2024-03-05_b0f56e3b8f947a36356e6bf8c17c728a_goldeneye.exe	29
PID 2744 wrote to memory of 2512	2744	{B27FECDE-ADED-442d-AAA8-BDBF78C5184F}.exe	32
PID 2744 wrote to memory of 2512	2744	{B27FECDE-ADED-442d-AAA8-BDBF78C5184F}.exe	32
PID 2744 wrote to memory of 2512	2744	{B27FECDE-ADED-442d-AAA8-BDBF78C5184F}.exe	32
PID 2744 wrote to memory of 2512	2744	{B27FECDE-ADED-442d-AAA8-BDBF78C5184F}.exe	32
PID 2744 wrote to memory of 2724	2744	{B27FECDE-ADED-442d-AAA8-BDBF78C5184F}.exe	33
PID 2744 wrote to memory of 2724	2744	{B27FECDE-ADED-442d-AAA8-BDBF78C5184F}.exe	33
PID 2744 wrote to memory of 2724	2744	{B27FECDE-ADED-442d-AAA8-BDBF78C5184F}.exe	33
PID 2744 wrote to memory of 2724	2744	{B27FECDE-ADED-442d-AAA8-BDBF78C5184F}.exe	33
PID 2512 wrote to memory of 2392	2512	{9262AC7A-843A-4c5b-ADF5-FD4E12A64C79}.exe	34
PID 2512 wrote to memory of 2392	2512	{9262AC7A-843A-4c5b-ADF5-FD4E12A64C79}.exe	34
PID 2512 wrote to memory of 2392	2512	{9262AC7A-843A-4c5b-ADF5-FD4E12A64C79}.exe	34
PID 2512 wrote to memory of 2392	2512	{9262AC7A-843A-4c5b-ADF5-FD4E12A64C79}.exe	34
PID 2512 wrote to memory of 2460	2512	{9262AC7A-843A-4c5b-ADF5-FD4E12A64C79}.exe	35
PID 2512 wrote to memory of 2460	2512	{9262AC7A-843A-4c5b-ADF5-FD4E12A64C79}.exe	35
PID 2512 wrote to memory of 2460	2512	{9262AC7A-843A-4c5b-ADF5-FD4E12A64C79}.exe	35
PID 2512 wrote to memory of 2460	2512	{9262AC7A-843A-4c5b-ADF5-FD4E12A64C79}.exe	35
PID 2392 wrote to memory of 2848	2392	{40F77ACE-347E-41c3-ADAB-EA663566EFA2}.exe	36
PID 2392 wrote to memory of 2848	2392	{40F77ACE-347E-41c3-ADAB-EA663566EFA2}.exe	36
PID 2392 wrote to memory of 2848	2392	{40F77ACE-347E-41c3-ADAB-EA663566EFA2}.exe	36
PID 2392 wrote to memory of 2848	2392	{40F77ACE-347E-41c3-ADAB-EA663566EFA2}.exe	36
PID 2392 wrote to memory of 392	2392	{40F77ACE-347E-41c3-ADAB-EA663566EFA2}.exe	37
PID 2392 wrote to memory of 392	2392	{40F77ACE-347E-41c3-ADAB-EA663566EFA2}.exe	37
PID 2392 wrote to memory of 392	2392	{40F77ACE-347E-41c3-ADAB-EA663566EFA2}.exe	37
PID 2392 wrote to memory of 392	2392	{40F77ACE-347E-41c3-ADAB-EA663566EFA2}.exe	37
PID 2848 wrote to memory of 1652	2848	{624E24B6-2E11-4d90-A99E-324512A4EBAC}.exe	38
PID 2848 wrote to memory of 1652	2848	{624E24B6-2E11-4d90-A99E-324512A4EBAC}.exe	38
PID 2848 wrote to memory of 1652	2848	{624E24B6-2E11-4d90-A99E-324512A4EBAC}.exe	38
PID 2848 wrote to memory of 1652	2848	{624E24B6-2E11-4d90-A99E-324512A4EBAC}.exe	38
PID 2848 wrote to memory of 1272	2848	{624E24B6-2E11-4d90-A99E-324512A4EBAC}.exe	39
PID 2848 wrote to memory of 1272	2848	{624E24B6-2E11-4d90-A99E-324512A4EBAC}.exe	39
PID 2848 wrote to memory of 1272	2848	{624E24B6-2E11-4d90-A99E-324512A4EBAC}.exe	39
PID 2848 wrote to memory of 1272	2848	{624E24B6-2E11-4d90-A99E-324512A4EBAC}.exe	39
PID 1652 wrote to memory of 2384	1652	{A889EC8B-067C-416e-877F-622CEBCB5D99}.exe	40
PID 1652 wrote to memory of 2384	1652	{A889EC8B-067C-416e-877F-622CEBCB5D99}.exe	40
PID 1652 wrote to memory of 2384	1652	{A889EC8B-067C-416e-877F-622CEBCB5D99}.exe	40
PID 1652 wrote to memory of 2384	1652	{A889EC8B-067C-416e-877F-622CEBCB5D99}.exe	40
PID 1652 wrote to memory of 2688	1652	{A889EC8B-067C-416e-877F-622CEBCB5D99}.exe	41
PID 1652 wrote to memory of 2688	1652	{A889EC8B-067C-416e-877F-622CEBCB5D99}.exe	41
PID 1652 wrote to memory of 2688	1652	{A889EC8B-067C-416e-877F-622CEBCB5D99}.exe	41
PID 1652 wrote to memory of 2688	1652	{A889EC8B-067C-416e-877F-622CEBCB5D99}.exe	41
PID 2384 wrote to memory of 1092	2384	{F04A444A-C3FB-44bd-8978-6682DEA99B94}.exe	42
PID 2384 wrote to memory of 1092	2384	{F04A444A-C3FB-44bd-8978-6682DEA99B94}.exe	42
PID 2384 wrote to memory of 1092	2384	{F04A444A-C3FB-44bd-8978-6682DEA99B94}.exe	42
PID 2384 wrote to memory of 1092	2384	{F04A444A-C3FB-44bd-8978-6682DEA99B94}.exe	42
PID 2384 wrote to memory of 1996	2384	{F04A444A-C3FB-44bd-8978-6682DEA99B94}.exe	43
PID 2384 wrote to memory of 1996	2384	{F04A444A-C3FB-44bd-8978-6682DEA99B94}.exe	43
PID 2384 wrote to memory of 1996	2384	{F04A444A-C3FB-44bd-8978-6682DEA99B94}.exe	43
PID 2384 wrote to memory of 1996	2384	{F04A444A-C3FB-44bd-8978-6682DEA99B94}.exe	43
PID 1092 wrote to memory of 2320	1092	{93CAEDE2-85A1-4de3-A4C6-C2EEC3ADA974}.exe	44
PID 1092 wrote to memory of 2320	1092	{93CAEDE2-85A1-4de3-A4C6-C2EEC3ADA974}.exe	44
PID 1092 wrote to memory of 2320	1092	{93CAEDE2-85A1-4de3-A4C6-C2EEC3ADA974}.exe	44
PID 1092 wrote to memory of 2320	1092	{93CAEDE2-85A1-4de3-A4C6-C2EEC3ADA974}.exe	44
PID 1092 wrote to memory of 2708	1092	{93CAEDE2-85A1-4de3-A4C6-C2EEC3ADA974}.exe	45
PID 1092 wrote to memory of 2708	1092	{93CAEDE2-85A1-4de3-A4C6-C2EEC3ADA974}.exe	45
PID 1092 wrote to memory of 2708	1092	{93CAEDE2-85A1-4de3-A4C6-C2EEC3ADA974}.exe	45
PID 1092 wrote to memory of 2708	1092	{93CAEDE2-85A1-4de3-A4C6-C2EEC3ADA974}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-03-05_b0f56e3b8f947a36356e6bf8c17c728a_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-05_b0f56e3b8f947a36356e6bf8c17c728a_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2936
- C:\Windows\{B27FECDE-ADED-442d-AAA8-BDBF78C5184F}.exe
  C:\Windows\{B27FECDE-ADED-442d-AAA8-BDBF78C5184F}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2744
- - C:\Windows\{9262AC7A-843A-4c5b-ADF5-FD4E12A64C79}.exe
    C:\Windows\{9262AC7A-843A-4c5b-ADF5-FD4E12A64C79}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2512
  - - C:\Windows\{40F77ACE-347E-41c3-ADAB-EA663566EFA2}.exe
      C:\Windows\{40F77ACE-347E-41c3-ADAB-EA663566EFA2}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2392
    - - C:\Windows\{624E24B6-2E11-4d90-A99E-324512A4EBAC}.exe
        
        C:\Windows\{624E24B6-2E11-4d90-A99E-324512A4EBAC}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2848
      - C:\Windows\{A889EC8B-067C-416e-877F-622CEBCB5D99}.exe
        
        C:\Windows\{A889EC8B-067C-416e-877F-622CEBCB5D99}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1652
        
        C:\Windows\{F04A444A-C3FB-44bd-8978-6682DEA99B94}.exe
        
        C:\Windows\{F04A444A-C3FB-44bd-8978-6682DEA99B94}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2384
        
        C:\Windows\{93CAEDE2-85A1-4de3-A4C6-C2EEC3ADA974}.exe
        
        C:\Windows\{93CAEDE2-85A1-4de3-A4C6-C2EEC3ADA974}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1092
        
        C:\Windows\{4D0E6202-CF36-4f40-AA18-38C8299492F0}.exe
        
        C:\Windows\{4D0E6202-CF36-4f40-AA18-38C8299492F0}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2320
        
        C:\Windows\{A14B85F4-2EDD-464b-9D42-85265E2BE93A}.exe
        
        C:\Windows\{A14B85F4-2EDD-464b-9D42-85265E2BE93A}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1604
        
        C:\Windows\{F6085B77-E298-4bc7-A435-512F103B8610}.exe
        
        C:\Windows\{F6085B77-E298-4bc7-A435-512F103B8610}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2436
        
        C:\Windows\{3BEE64EA-FE3A-47e1-9C46-43D6878055E2}.exe
        
        C:\Windows\{3BEE64EA-FE3A-47e1-9C46-43D6878055E2}.exe
        12⤵
        Executes dropped EXE
        
        PID:756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F6085~1.EXE > nul
        12⤵
        
        PID:628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A14B8~1.EXE > nul
        11⤵
        
        PID:528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4D0E6~1.EXE > nul
        10⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{93CAE~1.EXE > nul
        9⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F04A4~1.EXE > nul
        8⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A889E~1.EXE > nul
        7⤵
        
        PID:2688
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{624E2~1.EXE > nul
        6⤵
        
        PID:1272
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{40F77~1.EXE > nul
        5⤵
        
        PID:392
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{9262A~1.EXE > nul
      4⤵
      PID:2460
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{B27FE~1.EXE > nul
    3⤵
    PID:2724
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{3BEE64EA-FE3A-47e1-9C46-43D6878055E2}.exe

Filesize
180KB

MD5
b33ee2ac4aa7b19f18128a7cd904d65e

SHA1
c3a559527d582e41b1887ccb0c2997039b4fe08c

SHA256
6352c013b32c3c885907fa291509479f13e390e13d9f96ae73f79c168bb69b60

SHA512
2560524a963efa80438bcaae121fc6ea27c0bbe3a64981c5241d5ebf802bac5caeb7f14ab015da38d7f611fc5f661f35e29b6a4defd64733e01214fd602f2194

Download Submit
C:\Windows\{40F77ACE-347E-41c3-ADAB-EA663566EFA2}.exe

Filesize
180KB

MD5
dcb15da41d5293954586e908aa10ba43

SHA1
67bb753e05da9c05d7ffc4dc0cd4a7cd52aebf0e

SHA256
20f7c32135d045014300ab4ef4f1ae3b26efedda4ee68e9541b3dcb223fb5139

SHA512
0bd275f09f1dd514603f4dac1fe7d2dec20f6bff8036eb67627507fd5214ec824fca818917ff9bdd0750bf8cc7d4aaaf7cd709a006e451cd9270006b4885c537

Download Submit
C:\Windows\{4D0E6202-CF36-4f40-AA18-38C8299492F0}.exe

Filesize
180KB

MD5
a48d75aa0cead92dfc14b29d97810792

SHA1
b3b24ea3d3c75c9f6f0c2240fa49e1888baa138c

SHA256
4670b73d0b944d17f06fe3158b77453ea805acaf4e8eec0e4c595dd0b04933f6

SHA512
a5bc94eb0b8b3ed6cad4cb216e4beb0c09a5d8b1f414cc2ff678b6d0e35c1dd99163199b8fa8b3702adf1a6d3c9f79393baa5b51da6b8a060568d8d0814c0417

Download Submit
C:\Windows\{624E24B6-2E11-4d90-A99E-324512A4EBAC}.exe

Filesize
180KB

MD5
ddaa6154755d2b5eed3ba9b12eea627d

SHA1
f2f105ca29ce6c02ccec43831e98e0bb9dce5358

SHA256
ff0214b9158e28b7c47160867450b6349cbafaa2cb59de75184a12ffaa3d0332

SHA512
54ed640d7fa33f7787af446c678515efa4cffc7d1baaaf8b0a7e64880bc119b76e4583495ecec8ee750b593d6e2868b9fa56ca954bf4457a7242b15ea31e4ab5

Download Submit
C:\Windows\{9262AC7A-843A-4c5b-ADF5-FD4E12A64C79}.exe

Filesize
147KB

MD5
c4ccbbdc755f18491c6e8a70549d299e

SHA1
e52b23f6e32b1dcecdbe3b3358d11be91f0b2f2c

SHA256
d7517ea270c7be001f744356c4073a120780c0bbc6c65921f63680dd92097bd6

SHA512
d0f06ea1d422824115e62c3b063e10b53c2312020908cbecf633d4edab9c7ac1e32c117dd6295f17e78a78ec901aea35041d12380be4c721781aebe921f16b96

Download Submit
C:\Windows\{9262AC7A-843A-4c5b-ADF5-FD4E12A64C79}.exe

Filesize
180KB

MD5
df882ac49f6a04cde63251390a89aa2d

SHA1
d22a916fb98260d361cf4c5ef37b3d281d1ffd7c

SHA256
eda8f1eeb4845f49c3272a4961051729c153881f76c8f0fa33b0483d875894ae

SHA512
0847fa53321b03917257a30ee4af570a32956d18080b8d281a03adc9f5e28e53d450bb25c51081d4fbd7785c452be15860ffd97478fd8f2e5b6217c2c2ee86cf

Download Submit
C:\Windows\{93CAEDE2-85A1-4de3-A4C6-C2EEC3ADA974}.exe

Filesize
180KB

MD5
e98fae16adbbd8174fe9869722d3d7b2

SHA1
265af8abcb65939ac07d04b8e226186f11c48a02

SHA256
438eb10a1df9f09ba5f63aa555d330775fe5b5dea00a9dd155cee1db63e4d89d

SHA512
542eb7a52bd8f748fbffa714a96161dff7b5dcd90c367084bcccc0daa149979098bb3ea879671657f60d14f061567f5f854925b26021d30d39f523fcb082aa3e

Download Submit
C:\Windows\{A14B85F4-2EDD-464b-9D42-85265E2BE93A}.exe

Filesize
180KB

MD5
24adf41c01fcf57968715ed9bd1e416b

SHA1
b2b2927b82b2d9789c3941d603dd5a9a7f9ca72c

SHA256
8b5b9de9be2f974f5df9fa10330d45e2d2f6419d223f1e4222c0753e2dc7b43c

SHA512
e6a9dc53736c9d757fd90a1b921621b71dde04b791c464882f112f5c054c23b0a52e157d30715e5e8d91080cb7d36edf76739cd3bdb27efeffa3dc243bafd516

Download Submit
C:\Windows\{A14B85F4-2EDD-464b-9D42-85265E2BE93A}.exe

Filesize
163KB

MD5
853c935e864f427b48ecfb58eba62af6

SHA1
c40ba7cb204c4b04630cca0673fc8137d3df65fa

SHA256
b7b9882e8ce389bbecb7c899c3dbc471b4abb54522558ca12daed1e689ccd2d4

SHA512
a548e458589ba65d90fc99acef148b6693c1dc91b485d7cd325f5d2d189cf1924c2cb07672d8452e16b744fa4ce5f6fde77d7d149bcc0943c3defe91904e0d83

Download Submit
C:\Windows\{A889EC8B-067C-416e-877F-622CEBCB5D99}.exe

Filesize
180KB

MD5
34b328775224b5457d2573b1f079a0a4

SHA1
920148ea1fe350706e90d73f18d5d871216d1303

SHA256
fc491d693df097a20e92291fde7c7d28ebefaa278ac6913054e13c6b25e9561f

SHA512
09c31856bde3f1a9a24486af5188b991849abcee60694815873da681d44081d902e895d8ef24777485f76450182413a86bbc296e626bf018d6a633d25b05b5ec

Download Submit
C:\Windows\{B27FECDE-ADED-442d-AAA8-BDBF78C5184F}.exe

Filesize
158KB

MD5
f93387b88d4f16c42bb140a4df66068e

SHA1
78000d672bf12906b41e33e65a7ee04e2ed8ee94

SHA256
143d4a1ed1320c5b2693f2d6ad8709f239f2554a67e9cd694040c8bc030229f2

SHA512
a147a2d450d89977685c989dddf6552e572d09a200d0424eb09156c700755911f68ccfecc6a2ee053439eb730678594ce839cfc8b810d3cc7c8236b4c659227d

Download Submit
C:\Windows\{B27FECDE-ADED-442d-AAA8-BDBF78C5184F}.exe

Filesize
1KB

MD5
4bc0c8a9188ba80b6b1d123f1538b01c

SHA1
f970f1d1eb981593f5dce6c92a843c45a5c93db2

SHA256
8d808b2a37d78acca7fb3cf18ce2a6c378433f6f09a1700955074eec9d0673ec

SHA512
c9ee2ff3915c0df23c16a774bcd2e4a8584e4d938b10e998e95e7095975d88c825c7d1d681916823e64f9076d739769afadff629f6aa608e4e14a41b9d5b5bd4

Download Submit
C:\Windows\{B27FECDE-ADED-442d-AAA8-BDBF78C5184F}.exe

Filesize
180KB

MD5
f954fefedbc83d41a558f1e7f6dd9654

SHA1
c6b9499bfb915c42bce3dd8bb2e23fb4f5acd706

SHA256
0d2ea79b50e507a0c0540426141b9d1fdc021a3f3bc26ca7bd95e23c4eb74271

SHA512
26ed4e8901a15d75f412a3ee61e44bd5bc8be9c329d47ebcec87553e42bbc81c6f6569f57f62c3f0430d6d54f10fc70d88da50fcf8a24ae9bf361eba5ab1f7e0

Download Submit
C:\Windows\{F04A444A-C3FB-44bd-8978-6682DEA99B94}.exe

Filesize
180KB

MD5
17c91ab85c2671c01c69509d21f416ac

SHA1
25b8e755a299063341349c8c07c9baa701ab2e1b

SHA256
58fcf79f428689a87bc7799194504f12bbe79ae92d5ec7d6cc2a636c59b7212d

SHA512
a2e84be6d70b326e74ec649aabaed61319ecdc51d6cd436631455b4c5d4a8c78c676154d0e224bc4b91a79382bec6e83b5dd06835b5fd4495f641c2e52462076

Download Submit
C:\Windows\{F6085B77-E298-4bc7-A435-512F103B8610}.exe

Filesize
180KB

MD5
cae7f9b933850bb11f948966e1f89825

SHA1
d65871733112fe3ee6aa2383811f533a6de05b4c

SHA256
09a77a90407f9d4b40a844a8f4e0892b5bbcf6b64183e43e7c5cdec07295883e

SHA512
fcf99181b7c796cc8c162e6608b14c6c93d0309dcdd7900ca1606413605ebf91e64b39cbca4f4578ac41007cf7ecff7ef8736175854e8de89319e0172b957930

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads