82e4172d3d032100b31657771201da46c0dd5ff390724c8286a624bdb0a120c0

Analysis

max time kernel
144s
max time network
119s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
12/03/2024, 05:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-12_5b5a48428b3da14ea2e0b487d9d8ba37_goldeneye.exe
Size

408KB
MD5

5b5a48428b3da14ea2e0b487d9d8ba37
SHA1

1ceefb6a3e228018629f93330e8047e13378b104
SHA256

82e4172d3d032100b31657771201da46c0dd5ff390724c8286a624bdb0a120c0
SHA512

29e1fdd00580fcd28e374914d3fbfd995e18602c87c437e8196b59b6a2461ffc7fadbf0fb0b6ed4d98169a497494a6e75f321a5c2d0a6810a11cfde0a3eab408
SSDEEP

3072:CEGh0oNl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGDldOe2MUVg3vTeKcAEciTBqr3jy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x00080000000122cd-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000015d79-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00090000000122cd-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a0000000122cd-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b0000000122cd-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0033000000015f6d-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0034000000015f6d-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2D18AAB6-2E55-4c58-8E97-D79342105B32}\stubpath = "C:\\Windows\\{2D18AAB6-2E55-4c58-8E97-D79342105B32}.exe"	{9B2F2763-82C3-4841-83AB-9A2506F10BDD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4D192931-9D7D-43a4-80C3-0217DFAB65B0}\stubpath = "C:\\Windows\\{4D192931-9D7D-43a4-80C3-0217DFAB65B0}.exe"	{2D18AAB6-2E55-4c58-8E97-D79342105B32}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EC465994-E550-4f4b-A0A9-8AE8BA2954AC}	{FE10DB87-F94E-4f14-B0AB-D029D7F25AB2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EC465994-E550-4f4b-A0A9-8AE8BA2954AC}\stubpath = "C:\\Windows\\{EC465994-E550-4f4b-A0A9-8AE8BA2954AC}.exe"	{FE10DB87-F94E-4f14-B0AB-D029D7F25AB2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E03FF1CB-496D-4d53-AEF0-D5D24EAC81F2}	{EC465994-E550-4f4b-A0A9-8AE8BA2954AC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8274E7CF-AADE-4b07-BB80-CB67D865FFD4}	{E03FF1CB-496D-4d53-AEF0-D5D24EAC81F2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8274E7CF-AADE-4b07-BB80-CB67D865FFD4}\stubpath = "C:\\Windows\\{8274E7CF-AADE-4b07-BB80-CB67D865FFD4}.exe"	{E03FF1CB-496D-4d53-AEF0-D5D24EAC81F2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9B2F2763-82C3-4841-83AB-9A2506F10BDD}	{A6230DE7-DF14-4636-A7E0-A33F38E66E0E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9B2F2763-82C3-4841-83AB-9A2506F10BDD}\stubpath = "C:\\Windows\\{9B2F2763-82C3-4841-83AB-9A2506F10BDD}.exe"	{A6230DE7-DF14-4636-A7E0-A33F38E66E0E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4D192931-9D7D-43a4-80C3-0217DFAB65B0}	{2D18AAB6-2E55-4c58-8E97-D79342105B32}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A6230DE7-DF14-4636-A7E0-A33F38E66E0E}\stubpath = "C:\\Windows\\{A6230DE7-DF14-4636-A7E0-A33F38E66E0E}.exe"	{79711738-24D5-4f05-8AD0-ED8F4E848525}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B5340686-00E2-4c36-A026-A683E0C07EF0}\stubpath = "C:\\Windows\\{B5340686-00E2-4c36-A026-A683E0C07EF0}.exe"	{4D192931-9D7D-43a4-80C3-0217DFAB65B0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FE10DB87-F94E-4f14-B0AB-D029D7F25AB2}	2024-03-12_5b5a48428b3da14ea2e0b487d9d8ba37_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FE10DB87-F94E-4f14-B0AB-D029D7F25AB2}\stubpath = "C:\\Windows\\{FE10DB87-F94E-4f14-B0AB-D029D7F25AB2}.exe"	2024-03-12_5b5a48428b3da14ea2e0b487d9d8ba37_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7F20FA40-FFFB-4656-B91D-3D7F55B31055}	{8274E7CF-AADE-4b07-BB80-CB67D865FFD4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{79711738-24D5-4f05-8AD0-ED8F4E848525}\stubpath = "C:\\Windows\\{79711738-24D5-4f05-8AD0-ED8F4E848525}.exe"	{7F20FA40-FFFB-4656-B91D-3D7F55B31055}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2D18AAB6-2E55-4c58-8E97-D79342105B32}	{9B2F2763-82C3-4841-83AB-9A2506F10BDD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B5340686-00E2-4c36-A026-A683E0C07EF0}	{4D192931-9D7D-43a4-80C3-0217DFAB65B0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E03FF1CB-496D-4d53-AEF0-D5D24EAC81F2}\stubpath = "C:\\Windows\\{E03FF1CB-496D-4d53-AEF0-D5D24EAC81F2}.exe"	{EC465994-E550-4f4b-A0A9-8AE8BA2954AC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7F20FA40-FFFB-4656-B91D-3D7F55B31055}\stubpath = "C:\\Windows\\{7F20FA40-FFFB-4656-B91D-3D7F55B31055}.exe"	{8274E7CF-AADE-4b07-BB80-CB67D865FFD4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{79711738-24D5-4f05-8AD0-ED8F4E848525}	{7F20FA40-FFFB-4656-B91D-3D7F55B31055}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A6230DE7-DF14-4636-A7E0-A33F38E66E0E}	{79711738-24D5-4f05-8AD0-ED8F4E848525}.exe

Deletes itself 1 IoCs

pid	Process
2532	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2440	{FE10DB87-F94E-4f14-B0AB-D029D7F25AB2}.exe
2496	{EC465994-E550-4f4b-A0A9-8AE8BA2954AC}.exe
2388	{E03FF1CB-496D-4d53-AEF0-D5D24EAC81F2}.exe
804	{8274E7CF-AADE-4b07-BB80-CB67D865FFD4}.exe
1560	{7F20FA40-FFFB-4656-B91D-3D7F55B31055}.exe
2108	{79711738-24D5-4f05-8AD0-ED8F4E848525}.exe
540	{A6230DE7-DF14-4636-A7E0-A33F38E66E0E}.exe
1544	{9B2F2763-82C3-4841-83AB-9A2506F10BDD}.exe
2372	{2D18AAB6-2E55-4c58-8E97-D79342105B32}.exe
1936	{4D192931-9D7D-43a4-80C3-0217DFAB65B0}.exe
588	{B5340686-00E2-4c36-A026-A683E0C07EF0}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{79711738-24D5-4f05-8AD0-ED8F4E848525}.exe	{7F20FA40-FFFB-4656-B91D-3D7F55B31055}.exe
File created	C:\Windows\{2D18AAB6-2E55-4c58-8E97-D79342105B32}.exe	{9B2F2763-82C3-4841-83AB-9A2506F10BDD}.exe
File created	C:\Windows\{FE10DB87-F94E-4f14-B0AB-D029D7F25AB2}.exe	2024-03-12_5b5a48428b3da14ea2e0b487d9d8ba37_goldeneye.exe
File created	C:\Windows\{7F20FA40-FFFB-4656-B91D-3D7F55B31055}.exe	{8274E7CF-AADE-4b07-BB80-CB67D865FFD4}.exe
File created	C:\Windows\{8274E7CF-AADE-4b07-BB80-CB67D865FFD4}.exe	{E03FF1CB-496D-4d53-AEF0-D5D24EAC81F2}.exe
File created	C:\Windows\{A6230DE7-DF14-4636-A7E0-A33F38E66E0E}.exe	{79711738-24D5-4f05-8AD0-ED8F4E848525}.exe
File created	C:\Windows\{9B2F2763-82C3-4841-83AB-9A2506F10BDD}.exe	{A6230DE7-DF14-4636-A7E0-A33F38E66E0E}.exe
File created	C:\Windows\{4D192931-9D7D-43a4-80C3-0217DFAB65B0}.exe	{2D18AAB6-2E55-4c58-8E97-D79342105B32}.exe
File created	C:\Windows\{B5340686-00E2-4c36-A026-A683E0C07EF0}.exe	{4D192931-9D7D-43a4-80C3-0217DFAB65B0}.exe
File created	C:\Windows\{EC465994-E550-4f4b-A0A9-8AE8BA2954AC}.exe	{FE10DB87-F94E-4f14-B0AB-D029D7F25AB2}.exe
File created	C:\Windows\{E03FF1CB-496D-4d53-AEF0-D5D24EAC81F2}.exe	{EC465994-E550-4f4b-A0A9-8AE8BA2954AC}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2664	2024-03-12_5b5a48428b3da14ea2e0b487d9d8ba37_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2440	{FE10DB87-F94E-4f14-B0AB-D029D7F25AB2}.exe
Token: SeIncBasePriorityPrivilege	2496	{EC465994-E550-4f4b-A0A9-8AE8BA2954AC}.exe
Token: SeIncBasePriorityPrivilege	2388	{E03FF1CB-496D-4d53-AEF0-D5D24EAC81F2}.exe
Token: SeIncBasePriorityPrivilege	804	{8274E7CF-AADE-4b07-BB80-CB67D865FFD4}.exe
Token: SeIncBasePriorityPrivilege	1560	{7F20FA40-FFFB-4656-B91D-3D7F55B31055}.exe
Token: SeIncBasePriorityPrivilege	2108	{79711738-24D5-4f05-8AD0-ED8F4E848525}.exe
Token: SeIncBasePriorityPrivilege	540	{A6230DE7-DF14-4636-A7E0-A33F38E66E0E}.exe
Token: SeIncBasePriorityPrivilege	1544	{9B2F2763-82C3-4841-83AB-9A2506F10BDD}.exe
Token: SeIncBasePriorityPrivilege	2372	{2D18AAB6-2E55-4c58-8E97-D79342105B32}.exe
Token: SeIncBasePriorityPrivilege	1936	{4D192931-9D7D-43a4-80C3-0217DFAB65B0}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2664 wrote to memory of 2440	2664	2024-03-12_5b5a48428b3da14ea2e0b487d9d8ba37_goldeneye.exe	28
PID 2664 wrote to memory of 2440	2664	2024-03-12_5b5a48428b3da14ea2e0b487d9d8ba37_goldeneye.exe	28
PID 2664 wrote to memory of 2440	2664	2024-03-12_5b5a48428b3da14ea2e0b487d9d8ba37_goldeneye.exe	28
PID 2664 wrote to memory of 2440	2664	2024-03-12_5b5a48428b3da14ea2e0b487d9d8ba37_goldeneye.exe	28
PID 2664 wrote to memory of 2532	2664	2024-03-12_5b5a48428b3da14ea2e0b487d9d8ba37_goldeneye.exe	29
PID 2664 wrote to memory of 2532	2664	2024-03-12_5b5a48428b3da14ea2e0b487d9d8ba37_goldeneye.exe	29
PID 2664 wrote to memory of 2532	2664	2024-03-12_5b5a48428b3da14ea2e0b487d9d8ba37_goldeneye.exe	29
PID 2664 wrote to memory of 2532	2664	2024-03-12_5b5a48428b3da14ea2e0b487d9d8ba37_goldeneye.exe	29
PID 2440 wrote to memory of 2496	2440	{FE10DB87-F94E-4f14-B0AB-D029D7F25AB2}.exe	30
PID 2440 wrote to memory of 2496	2440	{FE10DB87-F94E-4f14-B0AB-D029D7F25AB2}.exe	30
PID 2440 wrote to memory of 2496	2440	{FE10DB87-F94E-4f14-B0AB-D029D7F25AB2}.exe	30
PID 2440 wrote to memory of 2496	2440	{FE10DB87-F94E-4f14-B0AB-D029D7F25AB2}.exe	30
PID 2440 wrote to memory of 2604	2440	{FE10DB87-F94E-4f14-B0AB-D029D7F25AB2}.exe	31
PID 2440 wrote to memory of 2604	2440	{FE10DB87-F94E-4f14-B0AB-D029D7F25AB2}.exe	31
PID 2440 wrote to memory of 2604	2440	{FE10DB87-F94E-4f14-B0AB-D029D7F25AB2}.exe	31
PID 2440 wrote to memory of 2604	2440	{FE10DB87-F94E-4f14-B0AB-D029D7F25AB2}.exe	31
PID 2496 wrote to memory of 2388	2496	{EC465994-E550-4f4b-A0A9-8AE8BA2954AC}.exe	32
PID 2496 wrote to memory of 2388	2496	{EC465994-E550-4f4b-A0A9-8AE8BA2954AC}.exe	32
PID 2496 wrote to memory of 2388	2496	{EC465994-E550-4f4b-A0A9-8AE8BA2954AC}.exe	32
PID 2496 wrote to memory of 2388	2496	{EC465994-E550-4f4b-A0A9-8AE8BA2954AC}.exe	32
PID 2496 wrote to memory of 2328	2496	{EC465994-E550-4f4b-A0A9-8AE8BA2954AC}.exe	33
PID 2496 wrote to memory of 2328	2496	{EC465994-E550-4f4b-A0A9-8AE8BA2954AC}.exe	33
PID 2496 wrote to memory of 2328	2496	{EC465994-E550-4f4b-A0A9-8AE8BA2954AC}.exe	33
PID 2496 wrote to memory of 2328	2496	{EC465994-E550-4f4b-A0A9-8AE8BA2954AC}.exe	33
PID 2388 wrote to memory of 804	2388	{E03FF1CB-496D-4d53-AEF0-D5D24EAC81F2}.exe	36
PID 2388 wrote to memory of 804	2388	{E03FF1CB-496D-4d53-AEF0-D5D24EAC81F2}.exe	36
PID 2388 wrote to memory of 804	2388	{E03FF1CB-496D-4d53-AEF0-D5D24EAC81F2}.exe	36
PID 2388 wrote to memory of 804	2388	{E03FF1CB-496D-4d53-AEF0-D5D24EAC81F2}.exe	36
PID 2388 wrote to memory of 1524	2388	{E03FF1CB-496D-4d53-AEF0-D5D24EAC81F2}.exe	37
PID 2388 wrote to memory of 1524	2388	{E03FF1CB-496D-4d53-AEF0-D5D24EAC81F2}.exe	37
PID 2388 wrote to memory of 1524	2388	{E03FF1CB-496D-4d53-AEF0-D5D24EAC81F2}.exe	37
PID 2388 wrote to memory of 1524	2388	{E03FF1CB-496D-4d53-AEF0-D5D24EAC81F2}.exe	37
PID 804 wrote to memory of 1560	804	{8274E7CF-AADE-4b07-BB80-CB67D865FFD4}.exe	38
PID 804 wrote to memory of 1560	804	{8274E7CF-AADE-4b07-BB80-CB67D865FFD4}.exe	38
PID 804 wrote to memory of 1560	804	{8274E7CF-AADE-4b07-BB80-CB67D865FFD4}.exe	38
PID 804 wrote to memory of 1560	804	{8274E7CF-AADE-4b07-BB80-CB67D865FFD4}.exe	38
PID 804 wrote to memory of 2060	804	{8274E7CF-AADE-4b07-BB80-CB67D865FFD4}.exe	39
PID 804 wrote to memory of 2060	804	{8274E7CF-AADE-4b07-BB80-CB67D865FFD4}.exe	39
PID 804 wrote to memory of 2060	804	{8274E7CF-AADE-4b07-BB80-CB67D865FFD4}.exe	39
PID 804 wrote to memory of 2060	804	{8274E7CF-AADE-4b07-BB80-CB67D865FFD4}.exe	39
PID 1560 wrote to memory of 2108	1560	{7F20FA40-FFFB-4656-B91D-3D7F55B31055}.exe	40
PID 1560 wrote to memory of 2108	1560	{7F20FA40-FFFB-4656-B91D-3D7F55B31055}.exe	40
PID 1560 wrote to memory of 2108	1560	{7F20FA40-FFFB-4656-B91D-3D7F55B31055}.exe	40
PID 1560 wrote to memory of 2108	1560	{7F20FA40-FFFB-4656-B91D-3D7F55B31055}.exe	40
PID 1560 wrote to memory of 1968	1560	{7F20FA40-FFFB-4656-B91D-3D7F55B31055}.exe	41
PID 1560 wrote to memory of 1968	1560	{7F20FA40-FFFB-4656-B91D-3D7F55B31055}.exe	41
PID 1560 wrote to memory of 1968	1560	{7F20FA40-FFFB-4656-B91D-3D7F55B31055}.exe	41
PID 1560 wrote to memory of 1968	1560	{7F20FA40-FFFB-4656-B91D-3D7F55B31055}.exe	41
PID 2108 wrote to memory of 540	2108	{79711738-24D5-4f05-8AD0-ED8F4E848525}.exe	42
PID 2108 wrote to memory of 540	2108	{79711738-24D5-4f05-8AD0-ED8F4E848525}.exe	42
PID 2108 wrote to memory of 540	2108	{79711738-24D5-4f05-8AD0-ED8F4E848525}.exe	42
PID 2108 wrote to memory of 540	2108	{79711738-24D5-4f05-8AD0-ED8F4E848525}.exe	42
PID 2108 wrote to memory of 1296	2108	{79711738-24D5-4f05-8AD0-ED8F4E848525}.exe	43
PID 2108 wrote to memory of 1296	2108	{79711738-24D5-4f05-8AD0-ED8F4E848525}.exe	43
PID 2108 wrote to memory of 1296	2108	{79711738-24D5-4f05-8AD0-ED8F4E848525}.exe	43
PID 2108 wrote to memory of 1296	2108	{79711738-24D5-4f05-8AD0-ED8F4E848525}.exe	43
PID 540 wrote to memory of 1544	540	{A6230DE7-DF14-4636-A7E0-A33F38E66E0E}.exe	44
PID 540 wrote to memory of 1544	540	{A6230DE7-DF14-4636-A7E0-A33F38E66E0E}.exe	44
PID 540 wrote to memory of 1544	540	{A6230DE7-DF14-4636-A7E0-A33F38E66E0E}.exe	44
PID 540 wrote to memory of 1544	540	{A6230DE7-DF14-4636-A7E0-A33F38E66E0E}.exe	44
PID 540 wrote to memory of 2276	540	{A6230DE7-DF14-4636-A7E0-A33F38E66E0E}.exe	45
PID 540 wrote to memory of 2276	540	{A6230DE7-DF14-4636-A7E0-A33F38E66E0E}.exe	45
PID 540 wrote to memory of 2276	540	{A6230DE7-DF14-4636-A7E0-A33F38E66E0E}.exe	45
PID 540 wrote to memory of 2276	540	{A6230DE7-DF14-4636-A7E0-A33F38E66E0E}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-03-12_5b5a48428b3da14ea2e0b487d9d8ba37_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-12_5b5a48428b3da14ea2e0b487d9d8ba37_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2664
- C:\Windows\{FE10DB87-F94E-4f14-B0AB-D029D7F25AB2}.exe
  C:\Windows\{FE10DB87-F94E-4f14-B0AB-D029D7F25AB2}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2440
- - C:\Windows\{EC465994-E550-4f4b-A0A9-8AE8BA2954AC}.exe
    C:\Windows\{EC465994-E550-4f4b-A0A9-8AE8BA2954AC}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2496
  - - C:\Windows\{E03FF1CB-496D-4d53-AEF0-D5D24EAC81F2}.exe
      C:\Windows\{E03FF1CB-496D-4d53-AEF0-D5D24EAC81F2}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2388
    - - C:\Windows\{8274E7CF-AADE-4b07-BB80-CB67D865FFD4}.exe
        
        C:\Windows\{8274E7CF-AADE-4b07-BB80-CB67D865FFD4}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:804
      - C:\Windows\{7F20FA40-FFFB-4656-B91D-3D7F55B31055}.exe
        
        C:\Windows\{7F20FA40-FFFB-4656-B91D-3D7F55B31055}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1560
        
        C:\Windows\{79711738-24D5-4f05-8AD0-ED8F4E848525}.exe
        
        C:\Windows\{79711738-24D5-4f05-8AD0-ED8F4E848525}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2108
        
        C:\Windows\{A6230DE7-DF14-4636-A7E0-A33F38E66E0E}.exe
        
        C:\Windows\{A6230DE7-DF14-4636-A7E0-A33F38E66E0E}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:540
        
        C:\Windows\{9B2F2763-82C3-4841-83AB-9A2506F10BDD}.exe
        
        C:\Windows\{9B2F2763-82C3-4841-83AB-9A2506F10BDD}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1544
        
        C:\Windows\{2D18AAB6-2E55-4c58-8E97-D79342105B32}.exe
        
        C:\Windows\{2D18AAB6-2E55-4c58-8E97-D79342105B32}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2372
        
        C:\Windows\{4D192931-9D7D-43a4-80C3-0217DFAB65B0}.exe
        
        C:\Windows\{4D192931-9D7D-43a4-80C3-0217DFAB65B0}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1936
        
        C:\Windows\{B5340686-00E2-4c36-A026-A683E0C07EF0}.exe
        
        C:\Windows\{B5340686-00E2-4c36-A026-A683E0C07EF0}.exe
        12⤵
        Executes dropped EXE
        
        PID:588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4D192~1.EXE > nul
        12⤵
        
        PID:2320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2D18A~1.EXE > nul
        11⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9B2F2~1.EXE > nul
        10⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A6230~1.EXE > nul
        9⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{79711~1.EXE > nul
        8⤵
        
        PID:1296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7F20F~1.EXE > nul
        7⤵
        
        PID:1968
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8274E~1.EXE > nul
        6⤵
        
        PID:2060
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E03FF~1.EXE > nul
        5⤵
        
        PID:1524
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{EC465~1.EXE > nul
      4⤵
      PID:2328
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{FE10D~1.EXE > nul
    3⤵
    PID:2604
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{2D18AAB6-2E55-4c58-8E97-D79342105B32}.exe

Filesize
408KB

MD5
7ecec659191be3f6d3245c7e61643d80

SHA1
acd614210555397248d76a291c5b430d51a30588

SHA256
dad6f6abb92be65c9d87e1260ebefbf1ae41b41ac0d46682860e6bbedf7b3ea8

SHA512
f585a056497eebf2078b27dd487dd269eb60caa6399ab5f79d5ad9c2161fb01d1de6f80e9239ddc5bdd34aff9ed5f3a6b8777050d18288d3abdb6cdf20125014

Download Submit
C:\Windows\{4D192931-9D7D-43a4-80C3-0217DFAB65B0}.exe

Filesize
408KB

MD5
dc6f7b02942c66ec43d35ab2ab693e6e

SHA1
53520591fbb5eace4a2a303497b4618e604afc0c

SHA256
0dc447af9566e146b791afd74ddd24b16468817320923e16645c16a523777080

SHA512
fd24f68479ef8246c5bbe5d8f079ae92520ceba26f072148e4bd8ecf57ab621e12f85008814df4cf3abb453b1ebf2e698c3b14318ea4ba4a829d315005686628

Download Submit
C:\Windows\{79711738-24D5-4f05-8AD0-ED8F4E848525}.exe

Filesize
408KB

MD5
880b845fba381b85d606047d41ba6f26

SHA1
234ae0b50bf5fff7f6e15b4a89b0465506373194

SHA256
418951fb602bc5d88d3ec083f5c0501907a41f9ddbd8afe5ccb92f6f9f12d3dc

SHA512
9b6b71df76ebdec653810509bb3f73723481aa49d23d4f95aadc9745cd9c6133a0ccb76a68f58703cf2e8faffbf24f0d3d0985ee46484fa4528050422583e695

Download Submit
C:\Windows\{7F20FA40-FFFB-4656-B91D-3D7F55B31055}.exe

Filesize
408KB

MD5
5b4b5effad0b187784b04acab4fa6286

SHA1
08f9549be6c735cae4121a53338c5e06941023ae

SHA256
c203d1e56eb9fbff1c9e59035329af7a39294113a2631ffa61045ac57a6ddffc

SHA512
f65aca45fbec8159b30b1e6782f8a0ce5ff6efcb427fb02dbd4c71c9b6dc002cbea222b86690338088a1ffc4480dd173bdf7cda48401625b227e2f3082ab3b1d

Download Submit
C:\Windows\{8274E7CF-AADE-4b07-BB80-CB67D865FFD4}.exe

Filesize
408KB

MD5
51281e3afc00aa13977e7858eed6dc97

SHA1
fe6caa1a9c74951f1831dd675545b1e3164cd710

SHA256
11917b8156bd876aef80ed30c5a3a72f6e17088fad12f95f136c20388754e294

SHA512
07564ccf70fac522fbfcd005f8ae60eb984fb09ea7e529c9695cb0dc723c6bbce3b696978b2cbfd0a254a4ba380c3506e3ea838a6ac4267f451ff5c9f19db9dc

Download Submit
C:\Windows\{9B2F2763-82C3-4841-83AB-9A2506F10BDD}.exe

Filesize
408KB

MD5
5c7acb07589881824eaa21739f9bb42a

SHA1
b266e2002902a4abc1e8aed2d73f4e9769227f66

SHA256
b0996dbf60af542a1b26aaf5f07f401b70735b15a9daf24e584283993f8df90f

SHA512
5a388b07d5ae62a760de58b30f482dd6184eac51d7f4e971647d8afe5ff86463d1b8586f6e3e477eaf0f9d845ada017e906f702d351b2237b852a1bdf12a766d

Download Submit
C:\Windows\{A6230DE7-DF14-4636-A7E0-A33F38E66E0E}.exe

Filesize
408KB

MD5
5694dcb737d6aff1fb831c4c41c51b03

SHA1
e200e5059c1b03cacd70b819a5dff5cbc40765af

SHA256
bb9ab4e211486613b27e7719b9ce2d62a5230c331963ab017262a31de5088571

SHA512
733cf073e63ba22ac1e275f352f3368a56b51f26503c58cae1ab9ea7f99f314d52879fb10aa421a6f6669090d1a7495c3f8ef4bf738b2feb8b8798e3dd5f40cb

Download Submit
C:\Windows\{B5340686-00E2-4c36-A026-A683E0C07EF0}.exe

Filesize
408KB

MD5
5ae11ce258d491581d4181d0060d825c

SHA1
ebd2f9b467705fa850c3f43207b52c49d371deb1

SHA256
cd1381a72a8bf4a3065cfef415f9ea621ecd3490d2649155a46637ea7be9bddf

SHA512
65c028fdc75aaf7a6203eef850788f7ba46c7051f9e15e44c3079319ea117cdd652f160f79accdbc19066d66b10d70b6c77857ce7f77f33c4dd7e7f308537ab6

Download Submit
C:\Windows\{E03FF1CB-496D-4d53-AEF0-D5D24EAC81F2}.exe

Filesize
408KB

MD5
cbbf295858580ae593b18b4c8757707a

SHA1
6661334d6c73ca7211dfa37bf759c5e5f96fd708

SHA256
eb19a0006d75fb6b2456127af3e968d08701bd9cfff5ec1b68050b8f6d1600b4

SHA512
86668a20f6a0a15abe5f674d9c2d63ab9e0c6379e8fba52bf3b2ffcdb7afad1cb3a9eb238bec1a02f407485c5d711c0ae5875148ad5a61877b87769cac29f7da

Download Submit
C:\Windows\{EC465994-E550-4f4b-A0A9-8AE8BA2954AC}.exe

Filesize
408KB

MD5
046c91ab11f7a4155b215c9169bb67ed

SHA1
31f5a95a07c45d714894cb82e91e6e77fd607d1a

SHA256
88b7e78fa116b3180e77e9d3f09bc9fe0a31a3397d76d6ef4c86434657454ff3

SHA512
a77baee8b0dc13e25105fb815c7b864f9ed3eca1825da5eb6c19fcc02f0bfc41d4eded0522d53302d06d10e44c388b18050758ce12e45844a4a3944c5a147f72

Download Submit
C:\Windows\{FE10DB87-F94E-4f14-B0AB-D029D7F25AB2}.exe

Filesize
408KB

MD5
f96d3b947016eeed2c761f9bce02b459

SHA1
4bac490a99f212a04969af9a50e1685cf3c81fa1

SHA256
7d7c36678985e0944e48041515408de3b7240afbe05aaada2d83c7ff6a1f1d11

SHA512
a6fc0ea6df0b7106d87344f946c75f73b9a5241569b1305eb2ef091dd6fed7e41b2e9341589698e066c47faafc18fc9a7108840ed3413489aef4c74abba806ce

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads