721e0894a2831853a8ce30e2f819910276cb7630f02bb9b22d2386d639343283

Analysis

max time kernel
144s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
12/03/2024, 02:05

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-03-12_fc0fd48253c4977574d1a096bd537d0a_goldeneye.exe
Size

168KB
MD5

fc0fd48253c4977574d1a096bd537d0a
SHA1

8864bec9c0313206695fa0e604f36ca14c107921
SHA256

721e0894a2831853a8ce30e2f819910276cb7630f02bb9b22d2386d639343283
SHA512

8907c61fe5ece8c80b457ee131aa1e5cd2864b3cbefc6a27e168c9d0264f538f23711cf87d384829f03ba6528b7db1052822c1f42ffaac54156f37d9e393485a
SSDEEP

1536:1EGh0oali5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oaliOPOe2MUVg3Ve+rX

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 13 IoCs

resource	yara_rule
behavioral1/files/0x000b00000001224f-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b000000014284-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c00000001224f-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00350000000144e1-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d00000001224f-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e00000001224f-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e00000001224f-55.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f00000001224f-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-62.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{993066F8-8C1F-4713-84F7-2CF0CE6BCC7C}\stubpath = "C:\\Windows\\{993066F8-8C1F-4713-84F7-2CF0CE6BCC7C}.exe"	{FAC6EE32-C0A9-4dc2-8F0E-77A9F75C6005}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{64E7F332-A0A2-410d-829E-8F48A5D85A5B}\stubpath = "C:\\Windows\\{64E7F332-A0A2-410d-829E-8F48A5D85A5B}.exe"	{D8718448-DFC1-4327-B04E-8FFD25269C25}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A48DE766-7118-46f2-A0C9-0612153236A7}	{D7B74C45-D73E-4e58-80BA-CAE44138CCDA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{237920F8-7D32-4364-9BD0-766F6C0FC7F4}	{A48DE766-7118-46f2-A0C9-0612153236A7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D7B74C45-D73E-4e58-80BA-CAE44138CCDA}	{7DC45111-F62F-483c-B227-397218561372}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A48DE766-7118-46f2-A0C9-0612153236A7}\stubpath = "C:\\Windows\\{A48DE766-7118-46f2-A0C9-0612153236A7}.exe"	{D7B74C45-D73E-4e58-80BA-CAE44138CCDA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FAC6EE32-C0A9-4dc2-8F0E-77A9F75C6005}\stubpath = "C:\\Windows\\{FAC6EE32-C0A9-4dc2-8F0E-77A9F75C6005}.exe"	2024-03-12_fc0fd48253c4977574d1a096bd537d0a_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D8718448-DFC1-4327-B04E-8FFD25269C25}\stubpath = "C:\\Windows\\{D8718448-DFC1-4327-B04E-8FFD25269C25}.exe"	{993066F8-8C1F-4713-84F7-2CF0CE6BCC7C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{168B73AB-0C6B-4edd-9576-00785974327D}\stubpath = "C:\\Windows\\{168B73AB-0C6B-4edd-9576-00785974327D}.exe"	{7F444F8F-4228-4701-9CD8-FCEA92922F5C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7DC45111-F62F-483c-B227-397218561372}\stubpath = "C:\\Windows\\{7DC45111-F62F-483c-B227-397218561372}.exe"	{E8BB5875-5511-4c18-A093-772CB0E38B02}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E8BB5875-5511-4c18-A093-772CB0E38B02}	{168B73AB-0C6B-4edd-9576-00785974327D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{237920F8-7D32-4364-9BD0-766F6C0FC7F4}\stubpath = "C:\\Windows\\{237920F8-7D32-4364-9BD0-766F6C0FC7F4}.exe"	{A48DE766-7118-46f2-A0C9-0612153236A7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7F444F8F-4228-4701-9CD8-FCEA92922F5C}	{64E7F332-A0A2-410d-829E-8F48A5D85A5B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7F444F8F-4228-4701-9CD8-FCEA92922F5C}\stubpath = "C:\\Windows\\{7F444F8F-4228-4701-9CD8-FCEA92922F5C}.exe"	{64E7F332-A0A2-410d-829E-8F48A5D85A5B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{168B73AB-0C6B-4edd-9576-00785974327D}	{7F444F8F-4228-4701-9CD8-FCEA92922F5C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E8BB5875-5511-4c18-A093-772CB0E38B02}\stubpath = "C:\\Windows\\{E8BB5875-5511-4c18-A093-772CB0E38B02}.exe"	{168B73AB-0C6B-4edd-9576-00785974327D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FAC6EE32-C0A9-4dc2-8F0E-77A9F75C6005}	2024-03-12_fc0fd48253c4977574d1a096bd537d0a_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{993066F8-8C1F-4713-84F7-2CF0CE6BCC7C}	{FAC6EE32-C0A9-4dc2-8F0E-77A9F75C6005}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D8718448-DFC1-4327-B04E-8FFD25269C25}	{993066F8-8C1F-4713-84F7-2CF0CE6BCC7C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{64E7F332-A0A2-410d-829E-8F48A5D85A5B}	{D8718448-DFC1-4327-B04E-8FFD25269C25}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7DC45111-F62F-483c-B227-397218561372}	{E8BB5875-5511-4c18-A093-772CB0E38B02}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D7B74C45-D73E-4e58-80BA-CAE44138CCDA}\stubpath = "C:\\Windows\\{D7B74C45-D73E-4e58-80BA-CAE44138CCDA}.exe"	{7DC45111-F62F-483c-B227-397218561372}.exe

Deletes itself 1 IoCs

pid	Process
2120	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2788	{FAC6EE32-C0A9-4dc2-8F0E-77A9F75C6005}.exe
2660	{993066F8-8C1F-4713-84F7-2CF0CE6BCC7C}.exe
2712	{D8718448-DFC1-4327-B04E-8FFD25269C25}.exe
2884	{64E7F332-A0A2-410d-829E-8F48A5D85A5B}.exe
2520	{7F444F8F-4228-4701-9CD8-FCEA92922F5C}.exe
2904	{168B73AB-0C6B-4edd-9576-00785974327D}.exe
2156	{E8BB5875-5511-4c18-A093-772CB0E38B02}.exe
1624	{7DC45111-F62F-483c-B227-397218561372}.exe
1280	{D7B74C45-D73E-4e58-80BA-CAE44138CCDA}.exe
2228	{A48DE766-7118-46f2-A0C9-0612153236A7}.exe
324	{237920F8-7D32-4364-9BD0-766F6C0FC7F4}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{64E7F332-A0A2-410d-829E-8F48A5D85A5B}.exe	{D8718448-DFC1-4327-B04E-8FFD25269C25}.exe
File created	C:\Windows\{7F444F8F-4228-4701-9CD8-FCEA92922F5C}.exe	{64E7F332-A0A2-410d-829E-8F48A5D85A5B}.exe
File created	C:\Windows\{168B73AB-0C6B-4edd-9576-00785974327D}.exe	{7F444F8F-4228-4701-9CD8-FCEA92922F5C}.exe
File created	C:\Windows\{E8BB5875-5511-4c18-A093-772CB0E38B02}.exe	{168B73AB-0C6B-4edd-9576-00785974327D}.exe
File created	C:\Windows\{D7B74C45-D73E-4e58-80BA-CAE44138CCDA}.exe	{7DC45111-F62F-483c-B227-397218561372}.exe
File created	C:\Windows\{A48DE766-7118-46f2-A0C9-0612153236A7}.exe	{D7B74C45-D73E-4e58-80BA-CAE44138CCDA}.exe
File created	C:\Windows\{993066F8-8C1F-4713-84F7-2CF0CE6BCC7C}.exe	{FAC6EE32-C0A9-4dc2-8F0E-77A9F75C6005}.exe
File created	C:\Windows\{D8718448-DFC1-4327-B04E-8FFD25269C25}.exe	{993066F8-8C1F-4713-84F7-2CF0CE6BCC7C}.exe
File created	C:\Windows\{7DC45111-F62F-483c-B227-397218561372}.exe	{E8BB5875-5511-4c18-A093-772CB0E38B02}.exe
File created	C:\Windows\{237920F8-7D32-4364-9BD0-766F6C0FC7F4}.exe	{A48DE766-7118-46f2-A0C9-0612153236A7}.exe
File created	C:\Windows\{FAC6EE32-C0A9-4dc2-8F0E-77A9F75C6005}.exe	2024-03-12_fc0fd48253c4977574d1a096bd537d0a_goldeneye.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2512	2024-03-12_fc0fd48253c4977574d1a096bd537d0a_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2788	{FAC6EE32-C0A9-4dc2-8F0E-77A9F75C6005}.exe
Token: SeIncBasePriorityPrivilege	2660	{993066F8-8C1F-4713-84F7-2CF0CE6BCC7C}.exe
Token: SeIncBasePriorityPrivilege	2712	{D8718448-DFC1-4327-B04E-8FFD25269C25}.exe
Token: SeIncBasePriorityPrivilege	2884	{64E7F332-A0A2-410d-829E-8F48A5D85A5B}.exe
Token: SeIncBasePriorityPrivilege	2520	{7F444F8F-4228-4701-9CD8-FCEA92922F5C}.exe
Token: SeIncBasePriorityPrivilege	2904	{168B73AB-0C6B-4edd-9576-00785974327D}.exe
Token: SeIncBasePriorityPrivilege	2156	{E8BB5875-5511-4c18-A093-772CB0E38B02}.exe
Token: SeIncBasePriorityPrivilege	1624	{7DC45111-F62F-483c-B227-397218561372}.exe
Token: SeIncBasePriorityPrivilege	1280	{D7B74C45-D73E-4e58-80BA-CAE44138CCDA}.exe
Token: SeIncBasePriorityPrivilege	2228	{A48DE766-7118-46f2-A0C9-0612153236A7}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2512 wrote to memory of 2788	2512	2024-03-12_fc0fd48253c4977574d1a096bd537d0a_goldeneye.exe	28
PID 2512 wrote to memory of 2788	2512	2024-03-12_fc0fd48253c4977574d1a096bd537d0a_goldeneye.exe	28
PID 2512 wrote to memory of 2788	2512	2024-03-12_fc0fd48253c4977574d1a096bd537d0a_goldeneye.exe	28
PID 2512 wrote to memory of 2788	2512	2024-03-12_fc0fd48253c4977574d1a096bd537d0a_goldeneye.exe	28
PID 2512 wrote to memory of 2120	2512	2024-03-12_fc0fd48253c4977574d1a096bd537d0a_goldeneye.exe	29
PID 2512 wrote to memory of 2120	2512	2024-03-12_fc0fd48253c4977574d1a096bd537d0a_goldeneye.exe	29
PID 2512 wrote to memory of 2120	2512	2024-03-12_fc0fd48253c4977574d1a096bd537d0a_goldeneye.exe	29
PID 2512 wrote to memory of 2120	2512	2024-03-12_fc0fd48253c4977574d1a096bd537d0a_goldeneye.exe	29
PID 2788 wrote to memory of 2660	2788	{FAC6EE32-C0A9-4dc2-8F0E-77A9F75C6005}.exe	30
PID 2788 wrote to memory of 2660	2788	{FAC6EE32-C0A9-4dc2-8F0E-77A9F75C6005}.exe	30
PID 2788 wrote to memory of 2660	2788	{FAC6EE32-C0A9-4dc2-8F0E-77A9F75C6005}.exe	30
PID 2788 wrote to memory of 2660	2788	{FAC6EE32-C0A9-4dc2-8F0E-77A9F75C6005}.exe	30
PID 2788 wrote to memory of 2588	2788	{FAC6EE32-C0A9-4dc2-8F0E-77A9F75C6005}.exe	31
PID 2788 wrote to memory of 2588	2788	{FAC6EE32-C0A9-4dc2-8F0E-77A9F75C6005}.exe	31
PID 2788 wrote to memory of 2588	2788	{FAC6EE32-C0A9-4dc2-8F0E-77A9F75C6005}.exe	31
PID 2788 wrote to memory of 2588	2788	{FAC6EE32-C0A9-4dc2-8F0E-77A9F75C6005}.exe	31
PID 2660 wrote to memory of 2712	2660	{993066F8-8C1F-4713-84F7-2CF0CE6BCC7C}.exe	32
PID 2660 wrote to memory of 2712	2660	{993066F8-8C1F-4713-84F7-2CF0CE6BCC7C}.exe	32
PID 2660 wrote to memory of 2712	2660	{993066F8-8C1F-4713-84F7-2CF0CE6BCC7C}.exe	32
PID 2660 wrote to memory of 2712	2660	{993066F8-8C1F-4713-84F7-2CF0CE6BCC7C}.exe	32
PID 2660 wrote to memory of 2700	2660	{993066F8-8C1F-4713-84F7-2CF0CE6BCC7C}.exe	33
PID 2660 wrote to memory of 2700	2660	{993066F8-8C1F-4713-84F7-2CF0CE6BCC7C}.exe	33
PID 2660 wrote to memory of 2700	2660	{993066F8-8C1F-4713-84F7-2CF0CE6BCC7C}.exe	33
PID 2660 wrote to memory of 2700	2660	{993066F8-8C1F-4713-84F7-2CF0CE6BCC7C}.exe	33
PID 2712 wrote to memory of 2884	2712	{D8718448-DFC1-4327-B04E-8FFD25269C25}.exe	36
PID 2712 wrote to memory of 2884	2712	{D8718448-DFC1-4327-B04E-8FFD25269C25}.exe	36
PID 2712 wrote to memory of 2884	2712	{D8718448-DFC1-4327-B04E-8FFD25269C25}.exe	36
PID 2712 wrote to memory of 2884	2712	{D8718448-DFC1-4327-B04E-8FFD25269C25}.exe	36
PID 2712 wrote to memory of 1496	2712	{D8718448-DFC1-4327-B04E-8FFD25269C25}.exe	37
PID 2712 wrote to memory of 1496	2712	{D8718448-DFC1-4327-B04E-8FFD25269C25}.exe	37
PID 2712 wrote to memory of 1496	2712	{D8718448-DFC1-4327-B04E-8FFD25269C25}.exe	37
PID 2712 wrote to memory of 1496	2712	{D8718448-DFC1-4327-B04E-8FFD25269C25}.exe	37
PID 2884 wrote to memory of 2520	2884	{64E7F332-A0A2-410d-829E-8F48A5D85A5B}.exe	38
PID 2884 wrote to memory of 2520	2884	{64E7F332-A0A2-410d-829E-8F48A5D85A5B}.exe	38
PID 2884 wrote to memory of 2520	2884	{64E7F332-A0A2-410d-829E-8F48A5D85A5B}.exe	38
PID 2884 wrote to memory of 2520	2884	{64E7F332-A0A2-410d-829E-8F48A5D85A5B}.exe	38
PID 2884 wrote to memory of 2752	2884	{64E7F332-A0A2-410d-829E-8F48A5D85A5B}.exe	39
PID 2884 wrote to memory of 2752	2884	{64E7F332-A0A2-410d-829E-8F48A5D85A5B}.exe	39
PID 2884 wrote to memory of 2752	2884	{64E7F332-A0A2-410d-829E-8F48A5D85A5B}.exe	39
PID 2884 wrote to memory of 2752	2884	{64E7F332-A0A2-410d-829E-8F48A5D85A5B}.exe	39
PID 2520 wrote to memory of 2904	2520	{7F444F8F-4228-4701-9CD8-FCEA92922F5C}.exe	40
PID 2520 wrote to memory of 2904	2520	{7F444F8F-4228-4701-9CD8-FCEA92922F5C}.exe	40
PID 2520 wrote to memory of 2904	2520	{7F444F8F-4228-4701-9CD8-FCEA92922F5C}.exe	40
PID 2520 wrote to memory of 2904	2520	{7F444F8F-4228-4701-9CD8-FCEA92922F5C}.exe	40
PID 2520 wrote to memory of 320	2520	{7F444F8F-4228-4701-9CD8-FCEA92922F5C}.exe	41
PID 2520 wrote to memory of 320	2520	{7F444F8F-4228-4701-9CD8-FCEA92922F5C}.exe	41
PID 2520 wrote to memory of 320	2520	{7F444F8F-4228-4701-9CD8-FCEA92922F5C}.exe	41
PID 2520 wrote to memory of 320	2520	{7F444F8F-4228-4701-9CD8-FCEA92922F5C}.exe	41
PID 2904 wrote to memory of 2156	2904	{168B73AB-0C6B-4edd-9576-00785974327D}.exe	42
PID 2904 wrote to memory of 2156	2904	{168B73AB-0C6B-4edd-9576-00785974327D}.exe	42
PID 2904 wrote to memory of 2156	2904	{168B73AB-0C6B-4edd-9576-00785974327D}.exe	42
PID 2904 wrote to memory of 2156	2904	{168B73AB-0C6B-4edd-9576-00785974327D}.exe	42
PID 2904 wrote to memory of 1268	2904	{168B73AB-0C6B-4edd-9576-00785974327D}.exe	43
PID 2904 wrote to memory of 1268	2904	{168B73AB-0C6B-4edd-9576-00785974327D}.exe	43
PID 2904 wrote to memory of 1268	2904	{168B73AB-0C6B-4edd-9576-00785974327D}.exe	43
PID 2904 wrote to memory of 1268	2904	{168B73AB-0C6B-4edd-9576-00785974327D}.exe	43
PID 2156 wrote to memory of 1624	2156	{E8BB5875-5511-4c18-A093-772CB0E38B02}.exe	44
PID 2156 wrote to memory of 1624	2156	{E8BB5875-5511-4c18-A093-772CB0E38B02}.exe	44
PID 2156 wrote to memory of 1624	2156	{E8BB5875-5511-4c18-A093-772CB0E38B02}.exe	44
PID 2156 wrote to memory of 1624	2156	{E8BB5875-5511-4c18-A093-772CB0E38B02}.exe	44
PID 2156 wrote to memory of 280	2156	{E8BB5875-5511-4c18-A093-772CB0E38B02}.exe	45
PID 2156 wrote to memory of 280	2156	{E8BB5875-5511-4c18-A093-772CB0E38B02}.exe	45
PID 2156 wrote to memory of 280	2156	{E8BB5875-5511-4c18-A093-772CB0E38B02}.exe	45
PID 2156 wrote to memory of 280	2156	{E8BB5875-5511-4c18-A093-772CB0E38B02}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-03-12_fc0fd48253c4977574d1a096bd537d0a_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-12_fc0fd48253c4977574d1a096bd537d0a_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2512
- C:\Windows\{FAC6EE32-C0A9-4dc2-8F0E-77A9F75C6005}.exe
  C:\Windows\{FAC6EE32-C0A9-4dc2-8F0E-77A9F75C6005}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2788
- - C:\Windows\{993066F8-8C1F-4713-84F7-2CF0CE6BCC7C}.exe
    C:\Windows\{993066F8-8C1F-4713-84F7-2CF0CE6BCC7C}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2660
  - - C:\Windows\{D8718448-DFC1-4327-B04E-8FFD25269C25}.exe
      C:\Windows\{D8718448-DFC1-4327-B04E-8FFD25269C25}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2712
    - - C:\Windows\{64E7F332-A0A2-410d-829E-8F48A5D85A5B}.exe
        
        C:\Windows\{64E7F332-A0A2-410d-829E-8F48A5D85A5B}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2884
      - C:\Windows\{7F444F8F-4228-4701-9CD8-FCEA92922F5C}.exe
        
        C:\Windows\{7F444F8F-4228-4701-9CD8-FCEA92922F5C}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2520
        
        C:\Windows\{168B73AB-0C6B-4edd-9576-00785974327D}.exe
        
        C:\Windows\{168B73AB-0C6B-4edd-9576-00785974327D}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2904
        
        C:\Windows\{E8BB5875-5511-4c18-A093-772CB0E38B02}.exe
        
        C:\Windows\{E8BB5875-5511-4c18-A093-772CB0E38B02}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2156
        
        C:\Windows\{7DC45111-F62F-483c-B227-397218561372}.exe
        
        C:\Windows\{7DC45111-F62F-483c-B227-397218561372}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1624
        
        C:\Windows\{D7B74C45-D73E-4e58-80BA-CAE44138CCDA}.exe
        
        C:\Windows\{D7B74C45-D73E-4e58-80BA-CAE44138CCDA}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1280
        
        C:\Windows\{A48DE766-7118-46f2-A0C9-0612153236A7}.exe
        
        C:\Windows\{A48DE766-7118-46f2-A0C9-0612153236A7}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2228
        
        C:\Windows\{237920F8-7D32-4364-9BD0-766F6C0FC7F4}.exe
        
        C:\Windows\{237920F8-7D32-4364-9BD0-766F6C0FC7F4}.exe
        12⤵
        Executes dropped EXE
        
        PID:324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A48DE~1.EXE > nul
        12⤵
        
        PID:592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D7B74~1.EXE > nul
        11⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7DC45~1.EXE > nul
        10⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E8BB5~1.EXE > nul
        9⤵
        
        PID:280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{168B7~1.EXE > nul
        8⤵
        
        PID:1268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7F444~1.EXE > nul
        7⤵
        
        PID:320
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{64E7F~1.EXE > nul
        6⤵
        
        PID:2752
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D8718~1.EXE > nul
        5⤵
        
        PID:1496
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{99306~1.EXE > nul
      4⤵
      PID:2700
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{FAC6E~1.EXE > nul
    3⤵
    PID:2588
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2120

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{168B73AB-0C6B-4edd-9576-00785974327D}.exe

Filesize
168KB

MD5
913d7de8d1e2278aff615c78f4c552eb

SHA1
98793512c1284e1fe054653cc0a9ac366262bac9

SHA256
5bf4c0d4b97859f16414e3b4dd1d1f918246504f824d1ae074cde784f32f8368

SHA512
c27d0e02f2742bd7ac55e44ed887ffda24c7b13152d72266b1d2f62b02a8ca70442ad5556131b47781d003d928eb4a40c0fc005bd71af9f5b112c58aad432d1e

Download Submit
C:\Windows\{237920F8-7D32-4364-9BD0-766F6C0FC7F4}.exe

Filesize
168KB

MD5
15b2d78ea2323f51b6a5be035fa9a68a

SHA1
785fb6a7bf7341a61f78834028f741005dd214ab

SHA256
59eb71fe7d4105eb78a1df51abc1010f76422ff2c735d05356c24f3027863adb

SHA512
40ebf19ffb3dc490ed02454e087bb1a68fc9a7a58ad1e2701e9c895396baeb8348a492ba3db3b7b3642bdaa053f3a844e9e7fe568e02582764d36b2d78356510

Download Submit
C:\Windows\{64E7F332-A0A2-410d-829E-8F48A5D85A5B}.exe

Filesize
168KB

MD5
aac34bc819c1988af2b14c4f35152ed4

SHA1
2e385c15e7f023ce2b8b57d209e991c8639ab319

SHA256
95915ae6de2bc80505619e9807e714615bd44a2ec2c672ca28118437add94309

SHA512
da090e64d082e20ce92af1e9bcb007da614bee4549710ddada541383966f33c5cf6f88b628956a42a1634cd9d65d0fc2258505725c9f30fac9e435dc6b89f5ef

Download Submit
C:\Windows\{7DC45111-F62F-483c-B227-397218561372}.exe

Filesize
168KB

MD5
c3a08e52c5fb81a5f9f5765c54a46a42

SHA1
bad43e73a53d7bd1487392665d71b05f5595de8f

SHA256
fddb6c6c2550808759440e0938c8cb7fd804032f7a74480fb2788f3e1439fae4

SHA512
59ddfc5febbab64852fa45ee68e58afb51620854fe426b0885290bba97c2c9e35ab47985ce527b5a6abc38f0d16e7988344a9114f91a184b222b036d40413e8a

Download Submit
C:\Windows\{7DC45111-F62F-483c-B227-397218561372}.exe

Filesize
92KB

MD5
623213cef202bd9bc1895f2a620894eb

SHA1
0dd7a8990b88532e9c1b16f74c609a5c8faa7dc0

SHA256
aedfbffddfd6f405e087c2a0b467712355a8dce44b261a11832bf95a2ae00543

SHA512
f287ee3ab58d4b7b1619611547a96efaefbdd568c77c1f8c7c4088c13490fde89f1fd2b3001fb29563d5aead78e9fa0959100cb72af68fe7a94584d322958362

Download Submit
C:\Windows\{7F444F8F-4228-4701-9CD8-FCEA92922F5C}.exe

Filesize
168KB

MD5
01896aca0674bca2ff642f2bea98ae5e

SHA1
d76a9d125d90ef481376b5c166b97ea9a52947bc

SHA256
fd7349a6c5edaf173a67782dacc7dbe46403809ec8953ef3e984e12c293fe831

SHA512
832c674aa293f003226ac0904912c6cbe67e4da886522e61d6cd44fdaa6f01caae6ef43be9390f20082e78ab70d8c17f43f6b4b102e939bbe18c3754c30abf16

Download Submit
C:\Windows\{993066F8-8C1F-4713-84F7-2CF0CE6BCC7C}.exe

Filesize
168KB

MD5
59766da25016908de4b8e10bbbf104ca

SHA1
37dca4cefccf5b057c4dc2807a81a214a7feb8ac

SHA256
5a6726adef91c60d68d5a0aa1dabd107b53ef8e8155bbb5504d685d57071ac61

SHA512
3564297bfd50cee62f95a3b79020e1a027f6f4c30112ce6a57ed66702c0ca931b5a3895bbde55a9d554adf19fb437aea8d196cb8e0dfaed149888f4f4fbebd9a

Download Submit
C:\Windows\{A48DE766-7118-46f2-A0C9-0612153236A7}.exe

Filesize
168KB

MD5
9b1b3bfa93fcb53605c2e756457d12a6

SHA1
4cbb0ad4e70997572b2c48926b7363d667861242

SHA256
97e00aa7ae7a2b11f5e5e12f2d7e44acc86769f7e7be00e07862edcda6345206

SHA512
7b55609c0202a17938f276ef77352e059fb2fa041188cc4d93ea4d4429c596d85c09fafac070ccf303cf6b1b2f719275203006b6eba0a84833fd0e64c91afb7a

Download Submit
C:\Windows\{D7B74C45-D73E-4e58-80BA-CAE44138CCDA}.exe

Filesize
43KB

MD5
ce2a66ea06314b07d2611b0f21a159dd

SHA1
62949bbd6d550a81985ee10f0ed5688d5bccf232

SHA256
e0f230d90446af9ab1c790037c3d6b924b520e9e7f3b67ee7ceb8058487724f8

SHA512
d17a8e381489f0e10380344dfdbe409c9efeaa0208a0b4b7ea08d5ea6a3a2809b7e27dd5cb66e16e5d4c0ff393ce316d85861201427d2761cfd2a2423d7eb400

Download Submit
C:\Windows\{D7B74C45-D73E-4e58-80BA-CAE44138CCDA}.exe

Filesize
168KB

MD5
d29e02acc8a8c49bf19566b5234f31fc

SHA1
165daad106498c5d80b264578425db759150d048

SHA256
a17a904b90849b657d38f9458e888acbac981c8b3b5fd9f2435025513a84c001

SHA512
84559cf237647208da6eff4f3e0e04cac59a9cedc036ce820317dd78980e8d23048001fd65f1c17c57a3b6965744b0cecbdb4c84ed316be192059033f41063e6

Download Submit
C:\Windows\{D8718448-DFC1-4327-B04E-8FFD25269C25}.exe

Filesize
168KB

MD5
9f0731e3d27dddd513f8ea4d21843ab3

SHA1
15a7cf4ec8109c2310ec09678bb93f2db4e268c9

SHA256
66da0236823cf643139b1742dc16b4239bd6c052ca4fe32a8455137873dd0a12

SHA512
0b2c247593e94011cba467017995d2075c25874c7b9b84e3801a35e0af4400e1b6df38b4bf389121191d94b3406a2785ac7feb1f0d0eb920a9ba3b47aa7beff1

Download Submit
C:\Windows\{E8BB5875-5511-4c18-A093-772CB0E38B02}.exe

Filesize
168KB

MD5
5acafef7cf02cc40a507397386d48694

SHA1
4e57d7b364d469530e40dfa66adeffc2cea113bc

SHA256
92bca53abb9a7b8a7b0ed3dece0d3a43f849ad4cacf240e75a1e72ae262fe83f

SHA512
be8cd75103a85834affa6541f7ba51d80973da60f389d070777cad0910fea78944526087c61fea9cb0f61fa9bdf9f3b0ed4b8d6313655d2d896aa73ee0088f09

Download Submit
C:\Windows\{FAC6EE32-C0A9-4dc2-8F0E-77A9F75C6005}.exe

Filesize
168KB

MD5
893a80e7d243161e96279c2bb904e00b

SHA1
8ee779c4b080957495b72ccd4b656e03acc35c6c

SHA256
3c873dd24810af66e7848b97ef0536f26a710db06c0e630534836b0e850eb953

SHA512
10001f1cda7a823d4ee5e2df332709438f380dfb7c0276953e84c1e06bdb784e016ae841d6b6c50ebaee0239ab9a1ec2c1ed17381ec3bb5561124342be18c26e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads