a5c8795050e34692a6fe2f01af9f29a9a06b303ec9969fb98826fe42b63f5fa3

Analysis

max time kernel
144s
max time network
125s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
11-03-2024 22:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-11_c38a63f7e9d858e8f293a7e5dc7cf962_goldeneye.exe
Size

380KB
MD5

c38a63f7e9d858e8f293a7e5dc7cf962
SHA1

3d5e95a9434aa8cc0d3d3ac35d304b9d5adb02b2
SHA256

a5c8795050e34692a6fe2f01af9f29a9a06b303ec9969fb98826fe42b63f5fa3
SHA512

fc5d50ba7535d39060636d69041a2e3e0e2c3bcd8940fd661f676e47ba1f6f800569d6aeac0e6f2ea320d9fc67dfbfa27c345bf65612fb49d8dfd7d113e3d8d4
SSDEEP

3072:mEGh0oglPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGOl7Oe2MUVg3v2IneKcAEcARy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000c000000016c0e-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0032000000016cde-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a000000016cf4-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000900000000f6f2-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0033000000016cde-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b000000016cf4-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0034000000016cde-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000016cf4-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0035000000016cde-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000016cf4-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0036000000016cde-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0F6A1C5C-7630-42ef-8D56-3238C3B45006}	{462D58C1-038D-4325-A1EA-2065D48AA4AE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0F6A1C5C-7630-42ef-8D56-3238C3B45006}\stubpath = "C:\\Windows\\{0F6A1C5C-7630-42ef-8D56-3238C3B45006}.exe"	{462D58C1-038D-4325-A1EA-2065D48AA4AE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BA8FFFFA-23C2-49cf-B8DC-27183A6A1F71}	{50968DCB-44F0-41f3-9746-131911E98A51}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3BE5A66D-8E69-402f-AF93-567C7D765C09}	2024-03-11_c38a63f7e9d858e8f293a7e5dc7cf962_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3BE5A66D-8E69-402f-AF93-567C7D765C09}\stubpath = "C:\\Windows\\{3BE5A66D-8E69-402f-AF93-567C7D765C09}.exe"	2024-03-11_c38a63f7e9d858e8f293a7e5dc7cf962_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{92D6562A-AAC7-4c2a-9815-30AF4FB8246D}\stubpath = "C:\\Windows\\{92D6562A-AAC7-4c2a-9815-30AF4FB8246D}.exe"	{DAABFB1B-5845-4ed0-920A-9325FDFD1C1D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3EB6B647-8B5F-40c8-8532-1B52F7476BCC}	{92D6562A-AAC7-4c2a-9815-30AF4FB8246D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{50968DCB-44F0-41f3-9746-131911E98A51}\stubpath = "C:\\Windows\\{50968DCB-44F0-41f3-9746-131911E98A51}.exe"	{3EB6B647-8B5F-40c8-8532-1B52F7476BCC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{828AF003-C8E1-4e9b-8D19-684A0CAE6D2C}	{0F6A1C5C-7630-42ef-8D56-3238C3B45006}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DAABFB1B-5845-4ed0-920A-9325FDFD1C1D}\stubpath = "C:\\Windows\\{DAABFB1B-5845-4ed0-920A-9325FDFD1C1D}.exe"	{828AF003-C8E1-4e9b-8D19-684A0CAE6D2C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{92D6562A-AAC7-4c2a-9815-30AF4FB8246D}	{DAABFB1B-5845-4ed0-920A-9325FDFD1C1D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1A53B4D7-9671-4ed2-8F3D-2AFBEF060B1F}	{BA8FFFFA-23C2-49cf-B8DC-27183A6A1F71}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1A53B4D7-9671-4ed2-8F3D-2AFBEF060B1F}\stubpath = "C:\\Windows\\{1A53B4D7-9671-4ed2-8F3D-2AFBEF060B1F}.exe"	{BA8FFFFA-23C2-49cf-B8DC-27183A6A1F71}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{828AF003-C8E1-4e9b-8D19-684A0CAE6D2C}\stubpath = "C:\\Windows\\{828AF003-C8E1-4e9b-8D19-684A0CAE6D2C}.exe"	{0F6A1C5C-7630-42ef-8D56-3238C3B45006}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DAABFB1B-5845-4ed0-920A-9325FDFD1C1D}	{828AF003-C8E1-4e9b-8D19-684A0CAE6D2C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{462D58C1-038D-4325-A1EA-2065D48AA4AE}	{7C2E92A4-9FEA-4d3c-AA99-64CEBF69D7B9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{462D58C1-038D-4325-A1EA-2065D48AA4AE}\stubpath = "C:\\Windows\\{462D58C1-038D-4325-A1EA-2065D48AA4AE}.exe"	{7C2E92A4-9FEA-4d3c-AA99-64CEBF69D7B9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3EB6B647-8B5F-40c8-8532-1B52F7476BCC}\stubpath = "C:\\Windows\\{3EB6B647-8B5F-40c8-8532-1B52F7476BCC}.exe"	{92D6562A-AAC7-4c2a-9815-30AF4FB8246D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{50968DCB-44F0-41f3-9746-131911E98A51}	{3EB6B647-8B5F-40c8-8532-1B52F7476BCC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BA8FFFFA-23C2-49cf-B8DC-27183A6A1F71}\stubpath = "C:\\Windows\\{BA8FFFFA-23C2-49cf-B8DC-27183A6A1F71}.exe"	{50968DCB-44F0-41f3-9746-131911E98A51}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7C2E92A4-9FEA-4d3c-AA99-64CEBF69D7B9}	{3BE5A66D-8E69-402f-AF93-567C7D765C09}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7C2E92A4-9FEA-4d3c-AA99-64CEBF69D7B9}\stubpath = "C:\\Windows\\{7C2E92A4-9FEA-4d3c-AA99-64CEBF69D7B9}.exe"	{3BE5A66D-8E69-402f-AF93-567C7D765C09}.exe

Deletes itself 1 IoCs

pid	Process
2652	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2548	{3BE5A66D-8E69-402f-AF93-567C7D765C09}.exe
2604	{7C2E92A4-9FEA-4d3c-AA99-64CEBF69D7B9}.exe
2476	{462D58C1-038D-4325-A1EA-2065D48AA4AE}.exe
1656	{0F6A1C5C-7630-42ef-8D56-3238C3B45006}.exe
908	{828AF003-C8E1-4e9b-8D19-684A0CAE6D2C}.exe
2504	{DAABFB1B-5845-4ed0-920A-9325FDFD1C1D}.exe
2324	{92D6562A-AAC7-4c2a-9815-30AF4FB8246D}.exe
1856	{3EB6B647-8B5F-40c8-8532-1B52F7476BCC}.exe
1436	{50968DCB-44F0-41f3-9746-131911E98A51}.exe
2104	{BA8FFFFA-23C2-49cf-B8DC-27183A6A1F71}.exe
2972	{1A53B4D7-9671-4ed2-8F3D-2AFBEF060B1F}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{DAABFB1B-5845-4ed0-920A-9325FDFD1C1D}.exe	{828AF003-C8E1-4e9b-8D19-684A0CAE6D2C}.exe
File created	C:\Windows\{BA8FFFFA-23C2-49cf-B8DC-27183A6A1F71}.exe	{50968DCB-44F0-41f3-9746-131911E98A51}.exe
File created	C:\Windows\{7C2E92A4-9FEA-4d3c-AA99-64CEBF69D7B9}.exe	{3BE5A66D-8E69-402f-AF93-567C7D765C09}.exe
File created	C:\Windows\{828AF003-C8E1-4e9b-8D19-684A0CAE6D2C}.exe	{0F6A1C5C-7630-42ef-8D56-3238C3B45006}.exe
File created	C:\Windows\{0F6A1C5C-7630-42ef-8D56-3238C3B45006}.exe	{462D58C1-038D-4325-A1EA-2065D48AA4AE}.exe
File created	C:\Windows\{92D6562A-AAC7-4c2a-9815-30AF4FB8246D}.exe	{DAABFB1B-5845-4ed0-920A-9325FDFD1C1D}.exe
File created	C:\Windows\{3EB6B647-8B5F-40c8-8532-1B52F7476BCC}.exe	{92D6562A-AAC7-4c2a-9815-30AF4FB8246D}.exe
File created	C:\Windows\{50968DCB-44F0-41f3-9746-131911E98A51}.exe	{3EB6B647-8B5F-40c8-8532-1B52F7476BCC}.exe
File created	C:\Windows\{1A53B4D7-9671-4ed2-8F3D-2AFBEF060B1F}.exe	{BA8FFFFA-23C2-49cf-B8DC-27183A6A1F71}.exe
File created	C:\Windows\{3BE5A66D-8E69-402f-AF93-567C7D765C09}.exe	2024-03-11_c38a63f7e9d858e8f293a7e5dc7cf962_goldeneye.exe
File created	C:\Windows\{462D58C1-038D-4325-A1EA-2065D48AA4AE}.exe	{7C2E92A4-9FEA-4d3c-AA99-64CEBF69D7B9}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	744	2024-03-11_c38a63f7e9d858e8f293a7e5dc7cf962_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2548	{3BE5A66D-8E69-402f-AF93-567C7D765C09}.exe
Token: SeIncBasePriorityPrivilege	2604	{7C2E92A4-9FEA-4d3c-AA99-64CEBF69D7B9}.exe
Token: SeIncBasePriorityPrivilege	2476	{462D58C1-038D-4325-A1EA-2065D48AA4AE}.exe
Token: SeIncBasePriorityPrivilege	1656	{0F6A1C5C-7630-42ef-8D56-3238C3B45006}.exe
Token: SeIncBasePriorityPrivilege	908	{828AF003-C8E1-4e9b-8D19-684A0CAE6D2C}.exe
Token: SeIncBasePriorityPrivilege	2504	{DAABFB1B-5845-4ed0-920A-9325FDFD1C1D}.exe
Token: SeIncBasePriorityPrivilege	2324	{92D6562A-AAC7-4c2a-9815-30AF4FB8246D}.exe
Token: SeIncBasePriorityPrivilege	1856	{3EB6B647-8B5F-40c8-8532-1B52F7476BCC}.exe
Token: SeIncBasePriorityPrivilege	1436	{50968DCB-44F0-41f3-9746-131911E98A51}.exe
Token: SeIncBasePriorityPrivilege	2104	{BA8FFFFA-23C2-49cf-B8DC-27183A6A1F71}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 744 wrote to memory of 2548	744	2024-03-11_c38a63f7e9d858e8f293a7e5dc7cf962_goldeneye.exe	28
PID 744 wrote to memory of 2548	744	2024-03-11_c38a63f7e9d858e8f293a7e5dc7cf962_goldeneye.exe	28
PID 744 wrote to memory of 2548	744	2024-03-11_c38a63f7e9d858e8f293a7e5dc7cf962_goldeneye.exe	28
PID 744 wrote to memory of 2548	744	2024-03-11_c38a63f7e9d858e8f293a7e5dc7cf962_goldeneye.exe	28
PID 744 wrote to memory of 2652	744	2024-03-11_c38a63f7e9d858e8f293a7e5dc7cf962_goldeneye.exe	29
PID 744 wrote to memory of 2652	744	2024-03-11_c38a63f7e9d858e8f293a7e5dc7cf962_goldeneye.exe	29
PID 744 wrote to memory of 2652	744	2024-03-11_c38a63f7e9d858e8f293a7e5dc7cf962_goldeneye.exe	29
PID 744 wrote to memory of 2652	744	2024-03-11_c38a63f7e9d858e8f293a7e5dc7cf962_goldeneye.exe	29
PID 2548 wrote to memory of 2604	2548	{3BE5A66D-8E69-402f-AF93-567C7D765C09}.exe	30
PID 2548 wrote to memory of 2604	2548	{3BE5A66D-8E69-402f-AF93-567C7D765C09}.exe	30
PID 2548 wrote to memory of 2604	2548	{3BE5A66D-8E69-402f-AF93-567C7D765C09}.exe	30
PID 2548 wrote to memory of 2604	2548	{3BE5A66D-8E69-402f-AF93-567C7D765C09}.exe	30
PID 2548 wrote to memory of 2768	2548	{3BE5A66D-8E69-402f-AF93-567C7D765C09}.exe	31
PID 2548 wrote to memory of 2768	2548	{3BE5A66D-8E69-402f-AF93-567C7D765C09}.exe	31
PID 2548 wrote to memory of 2768	2548	{3BE5A66D-8E69-402f-AF93-567C7D765C09}.exe	31
PID 2548 wrote to memory of 2768	2548	{3BE5A66D-8E69-402f-AF93-567C7D765C09}.exe	31
PID 2604 wrote to memory of 2476	2604	{7C2E92A4-9FEA-4d3c-AA99-64CEBF69D7B9}.exe	34
PID 2604 wrote to memory of 2476	2604	{7C2E92A4-9FEA-4d3c-AA99-64CEBF69D7B9}.exe	34
PID 2604 wrote to memory of 2476	2604	{7C2E92A4-9FEA-4d3c-AA99-64CEBF69D7B9}.exe	34
PID 2604 wrote to memory of 2476	2604	{7C2E92A4-9FEA-4d3c-AA99-64CEBF69D7B9}.exe	34
PID 2604 wrote to memory of 2884	2604	{7C2E92A4-9FEA-4d3c-AA99-64CEBF69D7B9}.exe	35
PID 2604 wrote to memory of 2884	2604	{7C2E92A4-9FEA-4d3c-AA99-64CEBF69D7B9}.exe	35
PID 2604 wrote to memory of 2884	2604	{7C2E92A4-9FEA-4d3c-AA99-64CEBF69D7B9}.exe	35
PID 2604 wrote to memory of 2884	2604	{7C2E92A4-9FEA-4d3c-AA99-64CEBF69D7B9}.exe	35
PID 2476 wrote to memory of 1656	2476	{462D58C1-038D-4325-A1EA-2065D48AA4AE}.exe	36
PID 2476 wrote to memory of 1656	2476	{462D58C1-038D-4325-A1EA-2065D48AA4AE}.exe	36
PID 2476 wrote to memory of 1656	2476	{462D58C1-038D-4325-A1EA-2065D48AA4AE}.exe	36
PID 2476 wrote to memory of 1656	2476	{462D58C1-038D-4325-A1EA-2065D48AA4AE}.exe	36
PID 2476 wrote to memory of 692	2476	{462D58C1-038D-4325-A1EA-2065D48AA4AE}.exe	37
PID 2476 wrote to memory of 692	2476	{462D58C1-038D-4325-A1EA-2065D48AA4AE}.exe	37
PID 2476 wrote to memory of 692	2476	{462D58C1-038D-4325-A1EA-2065D48AA4AE}.exe	37
PID 2476 wrote to memory of 692	2476	{462D58C1-038D-4325-A1EA-2065D48AA4AE}.exe	37
PID 1656 wrote to memory of 908	1656	{0F6A1C5C-7630-42ef-8D56-3238C3B45006}.exe	38
PID 1656 wrote to memory of 908	1656	{0F6A1C5C-7630-42ef-8D56-3238C3B45006}.exe	38
PID 1656 wrote to memory of 908	1656	{0F6A1C5C-7630-42ef-8D56-3238C3B45006}.exe	38
PID 1656 wrote to memory of 908	1656	{0F6A1C5C-7630-42ef-8D56-3238C3B45006}.exe	38
PID 1656 wrote to memory of 624	1656	{0F6A1C5C-7630-42ef-8D56-3238C3B45006}.exe	39
PID 1656 wrote to memory of 624	1656	{0F6A1C5C-7630-42ef-8D56-3238C3B45006}.exe	39
PID 1656 wrote to memory of 624	1656	{0F6A1C5C-7630-42ef-8D56-3238C3B45006}.exe	39
PID 1656 wrote to memory of 624	1656	{0F6A1C5C-7630-42ef-8D56-3238C3B45006}.exe	39
PID 908 wrote to memory of 2504	908	{828AF003-C8E1-4e9b-8D19-684A0CAE6D2C}.exe	40
PID 908 wrote to memory of 2504	908	{828AF003-C8E1-4e9b-8D19-684A0CAE6D2C}.exe	40
PID 908 wrote to memory of 2504	908	{828AF003-C8E1-4e9b-8D19-684A0CAE6D2C}.exe	40
PID 908 wrote to memory of 2504	908	{828AF003-C8E1-4e9b-8D19-684A0CAE6D2C}.exe	40
PID 908 wrote to memory of 1800	908	{828AF003-C8E1-4e9b-8D19-684A0CAE6D2C}.exe	41
PID 908 wrote to memory of 1800	908	{828AF003-C8E1-4e9b-8D19-684A0CAE6D2C}.exe	41
PID 908 wrote to memory of 1800	908	{828AF003-C8E1-4e9b-8D19-684A0CAE6D2C}.exe	41
PID 908 wrote to memory of 1800	908	{828AF003-C8E1-4e9b-8D19-684A0CAE6D2C}.exe	41
PID 2504 wrote to memory of 2324	2504	{DAABFB1B-5845-4ed0-920A-9325FDFD1C1D}.exe	42
PID 2504 wrote to memory of 2324	2504	{DAABFB1B-5845-4ed0-920A-9325FDFD1C1D}.exe	42
PID 2504 wrote to memory of 2324	2504	{DAABFB1B-5845-4ed0-920A-9325FDFD1C1D}.exe	42
PID 2504 wrote to memory of 2324	2504	{DAABFB1B-5845-4ed0-920A-9325FDFD1C1D}.exe	42
PID 2504 wrote to memory of 1952	2504	{DAABFB1B-5845-4ed0-920A-9325FDFD1C1D}.exe	43
PID 2504 wrote to memory of 1952	2504	{DAABFB1B-5845-4ed0-920A-9325FDFD1C1D}.exe	43
PID 2504 wrote to memory of 1952	2504	{DAABFB1B-5845-4ed0-920A-9325FDFD1C1D}.exe	43
PID 2504 wrote to memory of 1952	2504	{DAABFB1B-5845-4ed0-920A-9325FDFD1C1D}.exe	43
PID 2324 wrote to memory of 1856	2324	{92D6562A-AAC7-4c2a-9815-30AF4FB8246D}.exe	44
PID 2324 wrote to memory of 1856	2324	{92D6562A-AAC7-4c2a-9815-30AF4FB8246D}.exe	44
PID 2324 wrote to memory of 1856	2324	{92D6562A-AAC7-4c2a-9815-30AF4FB8246D}.exe	44
PID 2324 wrote to memory of 1856	2324	{92D6562A-AAC7-4c2a-9815-30AF4FB8246D}.exe	44
PID 2324 wrote to memory of 1636	2324	{92D6562A-AAC7-4c2a-9815-30AF4FB8246D}.exe	45
PID 2324 wrote to memory of 1636	2324	{92D6562A-AAC7-4c2a-9815-30AF4FB8246D}.exe	45
PID 2324 wrote to memory of 1636	2324	{92D6562A-AAC7-4c2a-9815-30AF4FB8246D}.exe	45
PID 2324 wrote to memory of 1636	2324	{92D6562A-AAC7-4c2a-9815-30AF4FB8246D}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-03-11_c38a63f7e9d858e8f293a7e5dc7cf962_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-11_c38a63f7e9d858e8f293a7e5dc7cf962_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:744
- C:\Windows\{3BE5A66D-8E69-402f-AF93-567C7D765C09}.exe
  C:\Windows\{3BE5A66D-8E69-402f-AF93-567C7D765C09}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2548
- - C:\Windows\{7C2E92A4-9FEA-4d3c-AA99-64CEBF69D7B9}.exe
    C:\Windows\{7C2E92A4-9FEA-4d3c-AA99-64CEBF69D7B9}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2604
  - - C:\Windows\{462D58C1-038D-4325-A1EA-2065D48AA4AE}.exe
      C:\Windows\{462D58C1-038D-4325-A1EA-2065D48AA4AE}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2476
    - - C:\Windows\{0F6A1C5C-7630-42ef-8D56-3238C3B45006}.exe
        
        C:\Windows\{0F6A1C5C-7630-42ef-8D56-3238C3B45006}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1656
      - C:\Windows\{828AF003-C8E1-4e9b-8D19-684A0CAE6D2C}.exe
        
        C:\Windows\{828AF003-C8E1-4e9b-8D19-684A0CAE6D2C}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:908
        
        C:\Windows\{DAABFB1B-5845-4ed0-920A-9325FDFD1C1D}.exe
        
        C:\Windows\{DAABFB1B-5845-4ed0-920A-9325FDFD1C1D}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2504
        
        C:\Windows\{92D6562A-AAC7-4c2a-9815-30AF4FB8246D}.exe
        
        C:\Windows\{92D6562A-AAC7-4c2a-9815-30AF4FB8246D}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2324
        
        C:\Windows\{3EB6B647-8B5F-40c8-8532-1B52F7476BCC}.exe
        
        C:\Windows\{3EB6B647-8B5F-40c8-8532-1B52F7476BCC}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1856
        
        C:\Windows\{50968DCB-44F0-41f3-9746-131911E98A51}.exe
        
        C:\Windows\{50968DCB-44F0-41f3-9746-131911E98A51}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1436
        
        C:\Windows\{BA8FFFFA-23C2-49cf-B8DC-27183A6A1F71}.exe
        
        C:\Windows\{BA8FFFFA-23C2-49cf-B8DC-27183A6A1F71}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2104
        
        C:\Windows\{1A53B4D7-9671-4ed2-8F3D-2AFBEF060B1F}.exe
        
        C:\Windows\{1A53B4D7-9671-4ed2-8F3D-2AFBEF060B1F}.exe
        12⤵
        Executes dropped EXE
        
        PID:2972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BA8FF~1.EXE > nul
        12⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{50968~1.EXE > nul
        11⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3EB6B~1.EXE > nul
        10⤵
        
        PID:1384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{92D65~1.EXE > nul
        9⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DAABF~1.EXE > nul
        8⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{828AF~1.EXE > nul
        7⤵
        
        PID:1800
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0F6A1~1.EXE > nul
        6⤵
        
        PID:624
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{462D5~1.EXE > nul
        5⤵
        
        PID:692
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{7C2E9~1.EXE > nul
      4⤵
      PID:2884
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{3BE5A~1.EXE > nul
    3⤵
    PID:2768
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0F6A1C5C-7630-42ef-8D56-3238C3B45006}.exe

Filesize
380KB

MD5
d0f59c54175c3bdea7d281b90e479f2b

SHA1
0274260b9b1ebc667801bfbde3111c436e40f351

SHA256
2f635204ed197030e1302ee01d9f2c8fd59c29b0bce6d3b4f83255529fab0358

SHA512
7ff90cf1604fdbcd8c865a52fba4ece21370a8e7164cf1018cde07bb83ef07db21539298aef3fc2fba1c310efe629d34db24a72a634159101040f8991c61fa94

Download Submit
C:\Windows\{1A53B4D7-9671-4ed2-8F3D-2AFBEF060B1F}.exe

Filesize
380KB

MD5
eba93cbb6ca39d5e9a5ef0bf2d13caaf

SHA1
657cfd1dc3ada0cb6fb8b539722fea9b244b6eff

SHA256
ee47300edfe943d14a7200bbc275c4529bd98ed275274b2b16c39682b6a3710f

SHA512
e92a26fbaa19379b077de05dc7a1a876558e2746b7355cdc5296f89dc84daadd4a6595e427cbf79c00ae56ec7168ee5c6da20b271658b50a71a58dffa3ee1ea8

Download Submit
C:\Windows\{3BE5A66D-8E69-402f-AF93-567C7D765C09}.exe

Filesize
380KB

MD5
3d24d61022c7d7762b0d792bef18889e

SHA1
ad9dd9909b75c90ed099d3d89f82b9d7e585dd06

SHA256
aba76d1fe8a6361c709c3f236b1793f7ad46cd31d684e7ad0697ef22829ac49f

SHA512
13fba281b944c858289c2395bb0c1e5e853840e6a588d626f80ba3c23e0c474b8359f8261c39cc4321ae0a2de2673e169510f238d00eea75368fa750dc72617c

Download Submit
C:\Windows\{3EB6B647-8B5F-40c8-8532-1B52F7476BCC}.exe

Filesize
380KB

MD5
326e817bd24978b04ec3705f82fa1ab8

SHA1
80c2eff92f479575d75f5d6dde86a3ef02565f68

SHA256
5a85423e9572c78d1d9040434356389d7c16c24171c01763869730fcb9cc08f1

SHA512
66e6ec1c589c1dbaca942d9ffabd10483c50f820c1679de846876db89041b31e80e2955f482edc87d80a23f03009ef46174dfca2e873d6ff0f460a2a73549a05

Download Submit
C:\Windows\{462D58C1-038D-4325-A1EA-2065D48AA4AE}.exe

Filesize
380KB

MD5
42a1e43cb040961893583b1b2bc6460a

SHA1
44159854cc05dd51dedc09377d387252ebca4e52

SHA256
49a4749b42f6ee02d0e2c209cd9620425342ff9be120ee2527095c56cff49b01

SHA512
635cc518732b1b8e3eb68e78a75ce6e2e3d709e62dd99a2a8510d5d508a514c03fd97391df934cd9ab6f0445894fce99a48fec3b0180b0d68e8a35c2b3a30bc7

Download Submit
C:\Windows\{50968DCB-44F0-41f3-9746-131911E98A51}.exe

Filesize
380KB

MD5
a17e4d2c52369b94ff1c8cb4b052d848

SHA1
f4fb322e8648146cea6f4a87aa27a6c33e12eee9

SHA256
9aeba2e6e170b2e0a80bcf8a6b9b199aef5059bba346ca55ffd18a823668be3a

SHA512
8f2343186cda9366febb9b3640818ff42b7a2d130c3be199170b992904a18e6cb0c4025408791ff380a5208b7a32c6ae52b21e54c076ebfba6bdb9b642d60c2c

Download Submit
C:\Windows\{7C2E92A4-9FEA-4d3c-AA99-64CEBF69D7B9}.exe

Filesize
380KB

MD5
afa37d3a61d0db07b3e84c0808b7509a

SHA1
c89a837d0ba28e36dbc044154872026096bfe11e

SHA256
07650d2c9befa1e05cf2fe7764263f9fb1d7dc3f20660f78fb1e90898524a831

SHA512
21b2b0a1b8731e7f11f3cf869c1abad3cdb890323163c014c185648732df721eaf2a713210adcd42d92d7ee66af7c74a3101a09a7f8b4cf8ab0cdebfbcfa521c

Download Submit
C:\Windows\{828AF003-C8E1-4e9b-8D19-684A0CAE6D2C}.exe

Filesize
380KB

MD5
da16f4bd4e5fa02ce6a92941ebd4b3ec

SHA1
a5d824b86d68cc86645c29104a74040587af4df3

SHA256
ae5f7433b5557881364065f3c88e7fb35815ead0f469f932854bd237f87431bb

SHA512
39fc7e553132664f486623a107da0020136a61179584caba493a96d1512121c7ce3cd1725dd9c9bf29708bbebe2a6a270a7d6faf3837be746d00f0b54c895e3e

Download Submit
C:\Windows\{92D6562A-AAC7-4c2a-9815-30AF4FB8246D}.exe

Filesize
380KB

MD5
a0d0d7ff90b714f246f0e11120060c93

SHA1
e70919ee611e467237e4bce03bd4830c2e3a179a

SHA256
27ddb8cea20d38b74b08ead6fa801a952ad5097b3d72439c3bb4f8c1fcef57b1

SHA512
f9b6b988c8eedc7758ce5f9a7425afeb392cfb961d7e2584ab2aa88e4940c3cf32cf911899c7b76715135de6432a65abfe6bc3e52cd11022b25e9dd9843db51f

Download Submit
C:\Windows\{BA8FFFFA-23C2-49cf-B8DC-27183A6A1F71}.exe

Filesize
380KB

MD5
d3dbe5af54b90491d4c68c009f5fe8ff

SHA1
3ffd27245c2ec3fa779e3edfe06f200254c47854

SHA256
9e37253763ccddc740fe249589d489e97e382513feb6cbadcc96767fa6432587

SHA512
25577914fbf76e9963167336d99294f2b016e923e10fe10805e15a5df64b2cfd8b115604dbde43315947b9b398ee915663808269b7a5f70fc5cbced4b20248b1

Download Submit
C:\Windows\{DAABFB1B-5845-4ed0-920A-9325FDFD1C1D}.exe

Filesize
380KB

MD5
a4b467ad17c5b0fa86904a59ca585d38

SHA1
1c5c25cf4b89f112884bf3d7b1874f736f116c17

SHA256
48be260e2984949ae3041379bb815b0c6d5bc0b12ab3bd5fe6310be4b8c465eb

SHA512
940bce66f6fce9647e1a6d44e88346ed28123a37078df0b4b72d87a0a356d374b3df15c909038c4b03762f6445f24655c481f700b999c38f1a654c5fc1979039

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads