0124e795fbf5cc5a798f43675891c5cb4bc9404e181a1b18ff63f63cd801e91c

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
08/03/2024, 03:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-08_c50aa7dbc5872ac0268d32a2d7859f7a_goldeneye.exe
Size

372KB
MD5

c50aa7dbc5872ac0268d32a2d7859f7a
SHA1

2ede0250313ffd0e7bf3726ac3e59961929c2817
SHA256

0124e795fbf5cc5a798f43675891c5cb4bc9404e181a1b18ff63f63cd801e91c
SHA512

7a103330bb87d282b9fc0f38179ca35eea1c38f258351ac01d47a96e1b8c9866966d43ab35fb2225274fe41b87cdc78e74697b978ec869da8eb0087562df6e2b
SSDEEP

3072:CEGh0oblMOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBfM:CEGxlkOe2MUVg3vTeKcAEciTBqr3

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral1/files/0x000b000000012256-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c0000000131a1-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0036000000016270-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000300000000b1f3-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000400000000b1f3-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000400000000b1f3-48.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d0000000131a1-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0037000000016270-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e0000000131a1-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{69DEB017-01BE-4bfa-A17C-93CFB801D1C9}	2024-03-08_c50aa7dbc5872ac0268d32a2d7859f7a_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{497348A5-0B35-40ef-8F93-99C1AB2F4B84}	{69DEB017-01BE-4bfa-A17C-93CFB801D1C9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F28DDF5B-65F5-4eea-AD02-500093871FCE}	{CCDF76D0-01E7-476a-945C-940CE0079338}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E2BC647C-5950-48c2-A8B6-D15B10A056BA}	{A2DFCDB4-4454-4004-AAF4-52CEF7994FF3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BEE43396-AA25-4292-B43B-FCE3FB68F859}\stubpath = "C:\\Windows\\{BEE43396-AA25-4292-B43B-FCE3FB68F859}.exe"	{497348A5-0B35-40ef-8F93-99C1AB2F4B84}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F28DDF5B-65F5-4eea-AD02-500093871FCE}\stubpath = "C:\\Windows\\{F28DDF5B-65F5-4eea-AD02-500093871FCE}.exe"	{CCDF76D0-01E7-476a-945C-940CE0079338}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{056579B7-B085-4a0e-B405-6CA4ECC70AFF}	{F97C8C02-F631-460d-AF83-0820684DEC97}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{056579B7-B085-4a0e-B405-6CA4ECC70AFF}\stubpath = "C:\\Windows\\{056579B7-B085-4a0e-B405-6CA4ECC70AFF}.exe"	{F97C8C02-F631-460d-AF83-0820684DEC97}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{80E12B85-10DA-4f81-BD7D-FC6F62970096}	{E2BC647C-5950-48c2-A8B6-D15B10A056BA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{69DEB017-01BE-4bfa-A17C-93CFB801D1C9}\stubpath = "C:\\Windows\\{69DEB017-01BE-4bfa-A17C-93CFB801D1C9}.exe"	2024-03-08_c50aa7dbc5872ac0268d32a2d7859f7a_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{497348A5-0B35-40ef-8F93-99C1AB2F4B84}\stubpath = "C:\\Windows\\{497348A5-0B35-40ef-8F93-99C1AB2F4B84}.exe"	{69DEB017-01BE-4bfa-A17C-93CFB801D1C9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{81AB9929-E8E4-4dad-9F54-774B780CAEB8}	{F28DDF5B-65F5-4eea-AD02-500093871FCE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F97C8C02-F631-460d-AF83-0820684DEC97}	{81AB9929-E8E4-4dad-9F54-774B780CAEB8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F97C8C02-F631-460d-AF83-0820684DEC97}\stubpath = "C:\\Windows\\{F97C8C02-F631-460d-AF83-0820684DEC97}.exe"	{81AB9929-E8E4-4dad-9F54-774B780CAEB8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A2DFCDB4-4454-4004-AAF4-52CEF7994FF3}	{056579B7-B085-4a0e-B405-6CA4ECC70AFF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E2BC647C-5950-48c2-A8B6-D15B10A056BA}\stubpath = "C:\\Windows\\{E2BC647C-5950-48c2-A8B6-D15B10A056BA}.exe"	{A2DFCDB4-4454-4004-AAF4-52CEF7994FF3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{80E12B85-10DA-4f81-BD7D-FC6F62970096}\stubpath = "C:\\Windows\\{80E12B85-10DA-4f81-BD7D-FC6F62970096}.exe"	{E2BC647C-5950-48c2-A8B6-D15B10A056BA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BEE43396-AA25-4292-B43B-FCE3FB68F859}	{497348A5-0B35-40ef-8F93-99C1AB2F4B84}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CCDF76D0-01E7-476a-945C-940CE0079338}	{BEE43396-AA25-4292-B43B-FCE3FB68F859}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CCDF76D0-01E7-476a-945C-940CE0079338}\stubpath = "C:\\Windows\\{CCDF76D0-01E7-476a-945C-940CE0079338}.exe"	{BEE43396-AA25-4292-B43B-FCE3FB68F859}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{81AB9929-E8E4-4dad-9F54-774B780CAEB8}\stubpath = "C:\\Windows\\{81AB9929-E8E4-4dad-9F54-774B780CAEB8}.exe"	{F28DDF5B-65F5-4eea-AD02-500093871FCE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A2DFCDB4-4454-4004-AAF4-52CEF7994FF3}\stubpath = "C:\\Windows\\{A2DFCDB4-4454-4004-AAF4-52CEF7994FF3}.exe"	{056579B7-B085-4a0e-B405-6CA4ECC70AFF}.exe

Deletes itself 1 IoCs

pid	Process
2544	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
3032	{69DEB017-01BE-4bfa-A17C-93CFB801D1C9}.exe
2772	{497348A5-0B35-40ef-8F93-99C1AB2F4B84}.exe
2928	{BEE43396-AA25-4292-B43B-FCE3FB68F859}.exe
2752	{CCDF76D0-01E7-476a-945C-940CE0079338}.exe
592	{F28DDF5B-65F5-4eea-AD02-500093871FCE}.exe
1652	{81AB9929-E8E4-4dad-9F54-774B780CAEB8}.exe
848	{F97C8C02-F631-460d-AF83-0820684DEC97}.exe
1100	{056579B7-B085-4a0e-B405-6CA4ECC70AFF}.exe
1800	{A2DFCDB4-4454-4004-AAF4-52CEF7994FF3}.exe
2384	{E2BC647C-5950-48c2-A8B6-D15B10A056BA}.exe
2512	{80E12B85-10DA-4f81-BD7D-FC6F62970096}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{E2BC647C-5950-48c2-A8B6-D15B10A056BA}.exe	{A2DFCDB4-4454-4004-AAF4-52CEF7994FF3}.exe
File created	C:\Windows\{69DEB017-01BE-4bfa-A17C-93CFB801D1C9}.exe	2024-03-08_c50aa7dbc5872ac0268d32a2d7859f7a_goldeneye.exe
File created	C:\Windows\{497348A5-0B35-40ef-8F93-99C1AB2F4B84}.exe	{69DEB017-01BE-4bfa-A17C-93CFB801D1C9}.exe
File created	C:\Windows\{BEE43396-AA25-4292-B43B-FCE3FB68F859}.exe	{497348A5-0B35-40ef-8F93-99C1AB2F4B84}.exe
File created	C:\Windows\{056579B7-B085-4a0e-B405-6CA4ECC70AFF}.exe	{F97C8C02-F631-460d-AF83-0820684DEC97}.exe
File created	C:\Windows\{A2DFCDB4-4454-4004-AAF4-52CEF7994FF3}.exe	{056579B7-B085-4a0e-B405-6CA4ECC70AFF}.exe
File created	C:\Windows\{80E12B85-10DA-4f81-BD7D-FC6F62970096}.exe	{E2BC647C-5950-48c2-A8B6-D15B10A056BA}.exe
File created	C:\Windows\{CCDF76D0-01E7-476a-945C-940CE0079338}.exe	{BEE43396-AA25-4292-B43B-FCE3FB68F859}.exe
File created	C:\Windows\{F28DDF5B-65F5-4eea-AD02-500093871FCE}.exe	{CCDF76D0-01E7-476a-945C-940CE0079338}.exe
File created	C:\Windows\{81AB9929-E8E4-4dad-9F54-774B780CAEB8}.exe	{F28DDF5B-65F5-4eea-AD02-500093871FCE}.exe
File created	C:\Windows\{F97C8C02-F631-460d-AF83-0820684DEC97}.exe	{81AB9929-E8E4-4dad-9F54-774B780CAEB8}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2176	2024-03-08_c50aa7dbc5872ac0268d32a2d7859f7a_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3032	{69DEB017-01BE-4bfa-A17C-93CFB801D1C9}.exe
Token: SeIncBasePriorityPrivilege	2772	{497348A5-0B35-40ef-8F93-99C1AB2F4B84}.exe
Token: SeIncBasePriorityPrivilege	2928	{BEE43396-AA25-4292-B43B-FCE3FB68F859}.exe
Token: SeIncBasePriorityPrivilege	2752	{CCDF76D0-01E7-476a-945C-940CE0079338}.exe
Token: SeIncBasePriorityPrivilege	592	{F28DDF5B-65F5-4eea-AD02-500093871FCE}.exe
Token: SeIncBasePriorityPrivilege	1652	{81AB9929-E8E4-4dad-9F54-774B780CAEB8}.exe
Token: SeIncBasePriorityPrivilege	848	{F97C8C02-F631-460d-AF83-0820684DEC97}.exe
Token: SeIncBasePriorityPrivilege	1100	{056579B7-B085-4a0e-B405-6CA4ECC70AFF}.exe
Token: SeIncBasePriorityPrivilege	1800	{A2DFCDB4-4454-4004-AAF4-52CEF7994FF3}.exe
Token: SeIncBasePriorityPrivilege	2384	{E2BC647C-5950-48c2-A8B6-D15B10A056BA}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2176 wrote to memory of 3032	2176	2024-03-08_c50aa7dbc5872ac0268d32a2d7859f7a_goldeneye.exe	28
PID 2176 wrote to memory of 3032	2176	2024-03-08_c50aa7dbc5872ac0268d32a2d7859f7a_goldeneye.exe	28
PID 2176 wrote to memory of 3032	2176	2024-03-08_c50aa7dbc5872ac0268d32a2d7859f7a_goldeneye.exe	28
PID 2176 wrote to memory of 3032	2176	2024-03-08_c50aa7dbc5872ac0268d32a2d7859f7a_goldeneye.exe	28
PID 2176 wrote to memory of 2544	2176	2024-03-08_c50aa7dbc5872ac0268d32a2d7859f7a_goldeneye.exe	29
PID 2176 wrote to memory of 2544	2176	2024-03-08_c50aa7dbc5872ac0268d32a2d7859f7a_goldeneye.exe	29
PID 2176 wrote to memory of 2544	2176	2024-03-08_c50aa7dbc5872ac0268d32a2d7859f7a_goldeneye.exe	29
PID 2176 wrote to memory of 2544	2176	2024-03-08_c50aa7dbc5872ac0268d32a2d7859f7a_goldeneye.exe	29
PID 3032 wrote to memory of 2772	3032	{69DEB017-01BE-4bfa-A17C-93CFB801D1C9}.exe	30
PID 3032 wrote to memory of 2772	3032	{69DEB017-01BE-4bfa-A17C-93CFB801D1C9}.exe	30
PID 3032 wrote to memory of 2772	3032	{69DEB017-01BE-4bfa-A17C-93CFB801D1C9}.exe	30
PID 3032 wrote to memory of 2772	3032	{69DEB017-01BE-4bfa-A17C-93CFB801D1C9}.exe	30
PID 3032 wrote to memory of 2672	3032	{69DEB017-01BE-4bfa-A17C-93CFB801D1C9}.exe	31
PID 3032 wrote to memory of 2672	3032	{69DEB017-01BE-4bfa-A17C-93CFB801D1C9}.exe	31
PID 3032 wrote to memory of 2672	3032	{69DEB017-01BE-4bfa-A17C-93CFB801D1C9}.exe	31
PID 3032 wrote to memory of 2672	3032	{69DEB017-01BE-4bfa-A17C-93CFB801D1C9}.exe	31
PID 2772 wrote to memory of 2928	2772	{497348A5-0B35-40ef-8F93-99C1AB2F4B84}.exe	34
PID 2772 wrote to memory of 2928	2772	{497348A5-0B35-40ef-8F93-99C1AB2F4B84}.exe	34
PID 2772 wrote to memory of 2928	2772	{497348A5-0B35-40ef-8F93-99C1AB2F4B84}.exe	34
PID 2772 wrote to memory of 2928	2772	{497348A5-0B35-40ef-8F93-99C1AB2F4B84}.exe	34
PID 2772 wrote to memory of 2984	2772	{497348A5-0B35-40ef-8F93-99C1AB2F4B84}.exe	35
PID 2772 wrote to memory of 2984	2772	{497348A5-0B35-40ef-8F93-99C1AB2F4B84}.exe	35
PID 2772 wrote to memory of 2984	2772	{497348A5-0B35-40ef-8F93-99C1AB2F4B84}.exe	35
PID 2772 wrote to memory of 2984	2772	{497348A5-0B35-40ef-8F93-99C1AB2F4B84}.exe	35
PID 2928 wrote to memory of 2752	2928	{BEE43396-AA25-4292-B43B-FCE3FB68F859}.exe	36
PID 2928 wrote to memory of 2752	2928	{BEE43396-AA25-4292-B43B-FCE3FB68F859}.exe	36
PID 2928 wrote to memory of 2752	2928	{BEE43396-AA25-4292-B43B-FCE3FB68F859}.exe	36
PID 2928 wrote to memory of 2752	2928	{BEE43396-AA25-4292-B43B-FCE3FB68F859}.exe	36
PID 2928 wrote to memory of 2788	2928	{BEE43396-AA25-4292-B43B-FCE3FB68F859}.exe	37
PID 2928 wrote to memory of 2788	2928	{BEE43396-AA25-4292-B43B-FCE3FB68F859}.exe	37
PID 2928 wrote to memory of 2788	2928	{BEE43396-AA25-4292-B43B-FCE3FB68F859}.exe	37
PID 2928 wrote to memory of 2788	2928	{BEE43396-AA25-4292-B43B-FCE3FB68F859}.exe	37
PID 2752 wrote to memory of 592	2752	{CCDF76D0-01E7-476a-945C-940CE0079338}.exe	38
PID 2752 wrote to memory of 592	2752	{CCDF76D0-01E7-476a-945C-940CE0079338}.exe	38
PID 2752 wrote to memory of 592	2752	{CCDF76D0-01E7-476a-945C-940CE0079338}.exe	38
PID 2752 wrote to memory of 592	2752	{CCDF76D0-01E7-476a-945C-940CE0079338}.exe	38
PID 2752 wrote to memory of 2032	2752	{CCDF76D0-01E7-476a-945C-940CE0079338}.exe	39
PID 2752 wrote to memory of 2032	2752	{CCDF76D0-01E7-476a-945C-940CE0079338}.exe	39
PID 2752 wrote to memory of 2032	2752	{CCDF76D0-01E7-476a-945C-940CE0079338}.exe	39
PID 2752 wrote to memory of 2032	2752	{CCDF76D0-01E7-476a-945C-940CE0079338}.exe	39
PID 592 wrote to memory of 1652	592	{F28DDF5B-65F5-4eea-AD02-500093871FCE}.exe	40
PID 592 wrote to memory of 1652	592	{F28DDF5B-65F5-4eea-AD02-500093871FCE}.exe	40
PID 592 wrote to memory of 1652	592	{F28DDF5B-65F5-4eea-AD02-500093871FCE}.exe	40
PID 592 wrote to memory of 1652	592	{F28DDF5B-65F5-4eea-AD02-500093871FCE}.exe	40
PID 592 wrote to memory of 2164	592	{F28DDF5B-65F5-4eea-AD02-500093871FCE}.exe	41
PID 592 wrote to memory of 2164	592	{F28DDF5B-65F5-4eea-AD02-500093871FCE}.exe	41
PID 592 wrote to memory of 2164	592	{F28DDF5B-65F5-4eea-AD02-500093871FCE}.exe	41
PID 592 wrote to memory of 2164	592	{F28DDF5B-65F5-4eea-AD02-500093871FCE}.exe	41
PID 1652 wrote to memory of 848	1652	{81AB9929-E8E4-4dad-9F54-774B780CAEB8}.exe	42
PID 1652 wrote to memory of 848	1652	{81AB9929-E8E4-4dad-9F54-774B780CAEB8}.exe	42
PID 1652 wrote to memory of 848	1652	{81AB9929-E8E4-4dad-9F54-774B780CAEB8}.exe	42
PID 1652 wrote to memory of 848	1652	{81AB9929-E8E4-4dad-9F54-774B780CAEB8}.exe	42
PID 1652 wrote to memory of 1976	1652	{81AB9929-E8E4-4dad-9F54-774B780CAEB8}.exe	43
PID 1652 wrote to memory of 1976	1652	{81AB9929-E8E4-4dad-9F54-774B780CAEB8}.exe	43
PID 1652 wrote to memory of 1976	1652	{81AB9929-E8E4-4dad-9F54-774B780CAEB8}.exe	43
PID 1652 wrote to memory of 1976	1652	{81AB9929-E8E4-4dad-9F54-774B780CAEB8}.exe	43
PID 848 wrote to memory of 1100	848	{F97C8C02-F631-460d-AF83-0820684DEC97}.exe	44
PID 848 wrote to memory of 1100	848	{F97C8C02-F631-460d-AF83-0820684DEC97}.exe	44
PID 848 wrote to memory of 1100	848	{F97C8C02-F631-460d-AF83-0820684DEC97}.exe	44
PID 848 wrote to memory of 1100	848	{F97C8C02-F631-460d-AF83-0820684DEC97}.exe	44
PID 848 wrote to memory of 2644	848	{F97C8C02-F631-460d-AF83-0820684DEC97}.exe	45
PID 848 wrote to memory of 2644	848	{F97C8C02-F631-460d-AF83-0820684DEC97}.exe	45
PID 848 wrote to memory of 2644	848	{F97C8C02-F631-460d-AF83-0820684DEC97}.exe	45
PID 848 wrote to memory of 2644	848	{F97C8C02-F631-460d-AF83-0820684DEC97}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-03-08_c50aa7dbc5872ac0268d32a2d7859f7a_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-08_c50aa7dbc5872ac0268d32a2d7859f7a_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2176
- C:\Windows\{69DEB017-01BE-4bfa-A17C-93CFB801D1C9}.exe
  C:\Windows\{69DEB017-01BE-4bfa-A17C-93CFB801D1C9}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3032
- - C:\Windows\{497348A5-0B35-40ef-8F93-99C1AB2F4B84}.exe
    C:\Windows\{497348A5-0B35-40ef-8F93-99C1AB2F4B84}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2772
  - - C:\Windows\{BEE43396-AA25-4292-B43B-FCE3FB68F859}.exe
      C:\Windows\{BEE43396-AA25-4292-B43B-FCE3FB68F859}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2928
    - - C:\Windows\{CCDF76D0-01E7-476a-945C-940CE0079338}.exe
        
        C:\Windows\{CCDF76D0-01E7-476a-945C-940CE0079338}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2752
      - C:\Windows\{F28DDF5B-65F5-4eea-AD02-500093871FCE}.exe
        
        C:\Windows\{F28DDF5B-65F5-4eea-AD02-500093871FCE}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:592
        
        C:\Windows\{81AB9929-E8E4-4dad-9F54-774B780CAEB8}.exe
        
        C:\Windows\{81AB9929-E8E4-4dad-9F54-774B780CAEB8}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1652
        
        C:\Windows\{F97C8C02-F631-460d-AF83-0820684DEC97}.exe
        
        C:\Windows\{F97C8C02-F631-460d-AF83-0820684DEC97}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:848
        
        C:\Windows\{056579B7-B085-4a0e-B405-6CA4ECC70AFF}.exe
        
        C:\Windows\{056579B7-B085-4a0e-B405-6CA4ECC70AFF}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1100
        
        C:\Windows\{A2DFCDB4-4454-4004-AAF4-52CEF7994FF3}.exe
        
        C:\Windows\{A2DFCDB4-4454-4004-AAF4-52CEF7994FF3}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1800
        
        C:\Windows\{E2BC647C-5950-48c2-A8B6-D15B10A056BA}.exe
        
        C:\Windows\{E2BC647C-5950-48c2-A8B6-D15B10A056BA}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2384
        
        C:\Windows\{80E12B85-10DA-4f81-BD7D-FC6F62970096}.exe
        
        C:\Windows\{80E12B85-10DA-4f81-BD7D-FC6F62970096}.exe
        12⤵
        Executes dropped EXE
        
        PID:2512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E2BC6~1.EXE > nul
        12⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A2DFC~1.EXE > nul
        11⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{05657~1.EXE > nul
        10⤵
        
        PID:1268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F97C8~1.EXE > nul
        9⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{81AB9~1.EXE > nul
        8⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F28DD~1.EXE > nul
        7⤵
        
        PID:2164
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CCDF7~1.EXE > nul
        6⤵
        
        PID:2032
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BEE43~1.EXE > nul
        5⤵
        
        PID:2788
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{49734~1.EXE > nul
      4⤵
      PID:2984
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{69DEB~1.EXE > nul
    3⤵
    PID:2672
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{056579B7-B085-4a0e-B405-6CA4ECC70AFF}.exe

Filesize
372KB

MD5
7474164ff5efa244e8530871c889facf

SHA1
2dd602dc4a24e7c7b39732c699e5a54c3532befe

SHA256
05f0cd62f145788dbb076a096ab79ee3be3577764403cd61a84c6adacc719a25

SHA512
19fe91135164b320c4eb59c46839a011c70a14a2b8c40be2f53967710ae3002847c28ae9a426384ced956e0d3f330f86a904818a31b3771e17144d60567ab3af

Download Submit
C:\Windows\{497348A5-0B35-40ef-8F93-99C1AB2F4B84}.exe

Filesize
372KB

MD5
8c7c76e0420f6b0fa59c6298d864a452

SHA1
fb37d97ef318fe62bc6236eafa8bc90b8e9efa1d

SHA256
503252c5e2ad4dddbaa3629c67657db8b2af07d2f80aa5322130542df0696183

SHA512
75a574f57bb89e9740ea2ffe3512f5dfce0abf1e69df28cf23b9635bc13ec758da6dd938bcf11065924048e80e114a6d469cc9540d58c9bfddac3e2d841bc33c

Download Submit
C:\Windows\{69DEB017-01BE-4bfa-A17C-93CFB801D1C9}.exe

Filesize
372KB

MD5
659716364c867664623d2cd6e6e503aa

SHA1
33051b0aee0dceb1ed52e748f76704c1a7356aff

SHA256
28bcd529da277a65d5f80bba35167efe4ac44f3245988e81fa5da3e57564a36f

SHA512
35d5afbfff603e88792a4d398a1616af7990f747fb0f79676daddbc16363d965dc0ecb350b9bd20ee3312774f5136b5a86f350e16db6179f039fff226416e96f

Download Submit
C:\Windows\{80E12B85-10DA-4f81-BD7D-FC6F62970096}.exe

Filesize
372KB

MD5
d4537fbd4af42bc058d7085aad7c8a1d

SHA1
a3487006fb1a8eaf04b28a70ca7f1c6e1a6e03ca

SHA256
e4926cfa7f89154178fc914bbe15e32ca6638ae704461422be9b84c4666ab76f

SHA512
21e3884a7452f7df32fb0dd727b309ee7296a5ee128e46a10c537a911b18158c65c65608ba336d823a4217d56d67aaa267ffd5a571707c33104afd333005d94c

Download Submit
C:\Windows\{80E12B85-10DA-4f81-BD7D-FC6F62970096}.exe

Filesize
5KB

MD5
dced0a3c1d041f2fcb706e6f962b402a

SHA1
6797bc1f4a8baed184c85735ddad0a23090eb837

SHA256
e52366a6556982967a3c8aaf1ded9e8a542cd439cbea425956e1e99cfd6fa3d4

SHA512
c20acdfff30caecf2b3f36c1b351e1ce1d07772c94c3f9007d6dfce7217d51054af3563cb1d8084456fafc3a47351ccc77fab4e1b697b12813f301ecfafb3544

Download Submit
C:\Windows\{81AB9929-E8E4-4dad-9F54-774B780CAEB8}.exe

Filesize
372KB

MD5
196c63cacf58bbec6f377a4cba71bb45

SHA1
1e5572ac314cb3e1d00d9c6d77ede48519518810

SHA256
358aa58ecca77a872a2dfc96859f8678249942a34c29af1c8a204c87dd6ab9d5

SHA512
8b99a530770f0d68a90264ce6c1833192b42ce9944815b726a9b3af6a8e9c0d96c4755f08ee4936d6cf51cee068789d8e15f5a01deed8f498fe592eb45df2633

Download Submit
C:\Windows\{A2DFCDB4-4454-4004-AAF4-52CEF7994FF3}.exe

Filesize
372KB

MD5
fe2d48c9bf63d17c4dcb82707a232921

SHA1
161a72d1206f1b839b48482e70aaa62fcae4e07b

SHA256
c4b19ca6ba64d66715e56db17c78662158d9b2bc2412273013b4220b2da214ea

SHA512
828a63f3864ea95245614b590a38bc6bffe879a5fa4c55e0a44a4cd44f0745a3b5214d917ac80a2c8284aef82a853835a4119142cfe00b1634a650aca3590809

Download Submit
C:\Windows\{BEE43396-AA25-4292-B43B-FCE3FB68F859}.exe

Filesize
372KB

MD5
a559aa423d5f76bcde52dce4d8c5696f

SHA1
fa2bf493c933d6a975245da6093499b308c7c6d4

SHA256
8ca6f8763b43a5890d952a3f62f374cb9dc724225a0ad40d8e37ae7e042f3fba

SHA512
fdb744d0f85b8e875f1088e8d7d9dd8b452a62831b38b9b3adb676401dfaf6a51d1f9d2766c13d5d10a6134fb1c6b13b4621a4a5440160f617f888918938331a

Download Submit
C:\Windows\{CCDF76D0-01E7-476a-945C-940CE0079338}.exe

Filesize
372KB

MD5
55257ffb7909ee35b49c573b39d09b06

SHA1
3b6d4977e0b2a0a13174e137fcebf184fa08ffdb

SHA256
ca34ccebfed7b541e28566f527fcdbef07b769116c9e1a6de4b9bbc980d8366c

SHA512
5c5bdf92aeb19935a8153540b4f296b4cb1340c4ae0fbb99182a935f0219b2a1b4ac72354e10022646d804d65710b94f8c70c12709c2fbeb9e015fd35794c7b7

Download Submit
C:\Windows\{E2BC647C-5950-48c2-A8B6-D15B10A056BA}.exe

Filesize
372KB

MD5
5fbf5aa945e10ff6a2c548e7fe9f7c68

SHA1
d48f205fa1e538fd51e7cd1a23da7a0155a0ed42

SHA256
f34887fc425af7dbf20f395281c6cc7ec04e4d285383a77e5f3a2307655ff06b

SHA512
26afd67602caab8c0a3eb054651bfc85daa4a87a295eca6360a1dc18133f9024f5d78374a4823375534f95010a1f024e1cdb05b631d281324971bd40d981de85

Download Submit
C:\Windows\{F28DDF5B-65F5-4eea-AD02-500093871FCE}.exe

Filesize
372KB

MD5
4797bfe2a97838af8fc0466c1228b73f

SHA1
c86f3060423c7c9e93e70f5eaf1864b83031ec8d

SHA256
7de8f69b3fb3337b1a77a4de6983621b085fdbc26cef3b030485e3fd37ed739e

SHA512
54185fc814d4ec40db20b42b2f2e580272a8b3c9f459ee348f6089d6ede2324169efce42678edae54c83af38ef875db4bf3a434d22e58589af82eb20dc1e4f57

Download Submit
C:\Windows\{F97C8C02-F631-460d-AF83-0820684DEC97}.exe

Filesize
372KB

MD5
2082ff332f118cad961a7a36c2e03f01

SHA1
cf213503f874bdb311017f37e2e4024aec03e521

SHA256
66fd20da99274e3a03b54da062eb7f0c7d87e54508d46ff97c273b27abc908a7

SHA512
d47cdf4792e02ee032309a40f1fcc7894658a72c4b9356ece6f8ac8b390fa38da78be6639be25809e337890b762c8299683e9982360001eed36ea122fd672a56

Download Submit
C:\Windows\{F97C8C02-F631-460d-AF83-0820684DEC97}.exe

Filesize
278KB

MD5
52bb4fa02cb82dcbd386aecbb39cf2be

SHA1
4acf43977692f7887c83df780493a9e3c86b7e85

SHA256
7a216663c82877fc15ce5b7b73381b51898b1842db50d2f53599cf8bb4fe9f04

SHA512
b20fb951bf3a0d36a2fd3c0b0f1b8130d2c5c02c147ef409098ca560b225fcdb2d28fe5d48afc802bbca0dd1014194094513323f481fc4efff1136ceabff9119

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads