19ebbfbc12b19ac420e6fe662d8942d9f55a53e1ebcac21c813480c25c8a8362

Analysis

max time kernel
144s
max time network
125s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
13/03/2024, 01:48

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-03-13_cf00cb6dcdec71c0319f95ce18f251de_goldeneye.exe
Size

344KB
MD5

cf00cb6dcdec71c0319f95ce18f251de
SHA1

9bebe76ff0f7318a95f7f0aa12d2a95bdc214038
SHA256

19ebbfbc12b19ac420e6fe662d8942d9f55a53e1ebcac21c813480c25c8a8362
SHA512

c63f9e0dbf2c5cb9880f185a48ba1e75b83ca1d2505d0a17f285aa3843725c56ecc86552b7f78041ccad05cd9b168749c861c3e895a2afcf89a518c5ef832e6d
SSDEEP

3072:mEGh0oBlEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGLlqOe2MUVg3v2IneKcAEcA

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000c000000016c0e-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0032000000016cde-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b000000016ced-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000900000000f6f2-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0033000000016cde-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a00000000f6f2-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000016ced-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a000000016cf4-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000016ced-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000016d10-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000016d20-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{26FC74AC-8914-4b5b-B1C2-D423508F881B}	2024-03-13_cf00cb6dcdec71c0319f95ce18f251de_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{26FC74AC-8914-4b5b-B1C2-D423508F881B}\stubpath = "C:\\Windows\\{26FC74AC-8914-4b5b-B1C2-D423508F881B}.exe"	2024-03-13_cf00cb6dcdec71c0319f95ce18f251de_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{92B6BB9C-731E-4d7b-829F-452681D2E7B9}	{4A384241-AC0E-44f6-A98E-526318F56A1E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E0D06B74-372C-44b8-8C75-FC36BD8F8296}\stubpath = "C:\\Windows\\{E0D06B74-372C-44b8-8C75-FC36BD8F8296}.exe"	{5C47719A-FF8E-437b-A605-B2E6398F2344}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8AB0AD93-EFA9-4252-A4A4-40A74B3480A4}\stubpath = "C:\\Windows\\{8AB0AD93-EFA9-4252-A4A4-40A74B3480A4}.exe"	{E0D06B74-372C-44b8-8C75-FC36BD8F8296}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8AB0AD93-EFA9-4252-A4A4-40A74B3480A4}	{E0D06B74-372C-44b8-8C75-FC36BD8F8296}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CCDEEAA0-F83B-4b9a-8453-1AFBD95C4525}	{26FC74AC-8914-4b5b-B1C2-D423508F881B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2C3ABD92-42DD-4575-99A4-F2DB897FB4C7}	{6A3FD123-C0D0-4840-AFCE-F0E010B08D78}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2C3ABD92-42DD-4575-99A4-F2DB897FB4C7}\stubpath = "C:\\Windows\\{2C3ABD92-42DD-4575-99A4-F2DB897FB4C7}.exe"	{6A3FD123-C0D0-4840-AFCE-F0E010B08D78}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5C47719A-FF8E-437b-A605-B2E6398F2344}\stubpath = "C:\\Windows\\{5C47719A-FF8E-437b-A605-B2E6398F2344}.exe"	{08E0414E-3C95-4885-A106-639972E4B721}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E0D06B74-372C-44b8-8C75-FC36BD8F8296}	{5C47719A-FF8E-437b-A605-B2E6398F2344}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E17C1905-7724-4eaf-8128-C804ED88349D}	{CCDEEAA0-F83B-4b9a-8453-1AFBD95C4525}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E17C1905-7724-4eaf-8128-C804ED88349D}\stubpath = "C:\\Windows\\{E17C1905-7724-4eaf-8128-C804ED88349D}.exe"	{CCDEEAA0-F83B-4b9a-8453-1AFBD95C4525}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6A3FD123-C0D0-4840-AFCE-F0E010B08D78}\stubpath = "C:\\Windows\\{6A3FD123-C0D0-4840-AFCE-F0E010B08D78}.exe"	{E17C1905-7724-4eaf-8128-C804ED88349D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4A384241-AC0E-44f6-A98E-526318F56A1E}	{2C3ABD92-42DD-4575-99A4-F2DB897FB4C7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{08E0414E-3C95-4885-A106-639972E4B721}\stubpath = "C:\\Windows\\{08E0414E-3C95-4885-A106-639972E4B721}.exe"	{92B6BB9C-731E-4d7b-829F-452681D2E7B9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5C47719A-FF8E-437b-A605-B2E6398F2344}	{08E0414E-3C95-4885-A106-639972E4B721}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CCDEEAA0-F83B-4b9a-8453-1AFBD95C4525}\stubpath = "C:\\Windows\\{CCDEEAA0-F83B-4b9a-8453-1AFBD95C4525}.exe"	{26FC74AC-8914-4b5b-B1C2-D423508F881B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6A3FD123-C0D0-4840-AFCE-F0E010B08D78}	{E17C1905-7724-4eaf-8128-C804ED88349D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4A384241-AC0E-44f6-A98E-526318F56A1E}\stubpath = "C:\\Windows\\{4A384241-AC0E-44f6-A98E-526318F56A1E}.exe"	{2C3ABD92-42DD-4575-99A4-F2DB897FB4C7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{92B6BB9C-731E-4d7b-829F-452681D2E7B9}\stubpath = "C:\\Windows\\{92B6BB9C-731E-4d7b-829F-452681D2E7B9}.exe"	{4A384241-AC0E-44f6-A98E-526318F56A1E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{08E0414E-3C95-4885-A106-639972E4B721}	{92B6BB9C-731E-4d7b-829F-452681D2E7B9}.exe

Deletes itself 1 IoCs

pid	Process
2652	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2548	{26FC74AC-8914-4b5b-B1C2-D423508F881B}.exe
2608	{CCDEEAA0-F83B-4b9a-8453-1AFBD95C4525}.exe
2228	{E17C1905-7724-4eaf-8128-C804ED88349D}.exe
1796	{6A3FD123-C0D0-4840-AFCE-F0E010B08D78}.exe
1156	{2C3ABD92-42DD-4575-99A4-F2DB897FB4C7}.exe
2716	{4A384241-AC0E-44f6-A98E-526318F56A1E}.exe
932	{92B6BB9C-731E-4d7b-829F-452681D2E7B9}.exe
1628	{08E0414E-3C95-4885-A106-639972E4B721}.exe
1316	{5C47719A-FF8E-437b-A605-B2E6398F2344}.exe
1340	{E0D06B74-372C-44b8-8C75-FC36BD8F8296}.exe
2956	{8AB0AD93-EFA9-4252-A4A4-40A74B3480A4}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{E17C1905-7724-4eaf-8128-C804ED88349D}.exe	{CCDEEAA0-F83B-4b9a-8453-1AFBD95C4525}.exe
File created	C:\Windows\{6A3FD123-C0D0-4840-AFCE-F0E010B08D78}.exe	{E17C1905-7724-4eaf-8128-C804ED88349D}.exe
File created	C:\Windows\{2C3ABD92-42DD-4575-99A4-F2DB897FB4C7}.exe	{6A3FD123-C0D0-4840-AFCE-F0E010B08D78}.exe
File created	C:\Windows\{92B6BB9C-731E-4d7b-829F-452681D2E7B9}.exe	{4A384241-AC0E-44f6-A98E-526318F56A1E}.exe
File created	C:\Windows\{08E0414E-3C95-4885-A106-639972E4B721}.exe	{92B6BB9C-731E-4d7b-829F-452681D2E7B9}.exe
File created	C:\Windows\{8AB0AD93-EFA9-4252-A4A4-40A74B3480A4}.exe	{E0D06B74-372C-44b8-8C75-FC36BD8F8296}.exe
File created	C:\Windows\{CCDEEAA0-F83B-4b9a-8453-1AFBD95C4525}.exe	{26FC74AC-8914-4b5b-B1C2-D423508F881B}.exe
File created	C:\Windows\{4A384241-AC0E-44f6-A98E-526318F56A1E}.exe	{2C3ABD92-42DD-4575-99A4-F2DB897FB4C7}.exe
File created	C:\Windows\{5C47719A-FF8E-437b-A605-B2E6398F2344}.exe	{08E0414E-3C95-4885-A106-639972E4B721}.exe
File created	C:\Windows\{E0D06B74-372C-44b8-8C75-FC36BD8F8296}.exe	{5C47719A-FF8E-437b-A605-B2E6398F2344}.exe
File created	C:\Windows\{26FC74AC-8914-4b5b-B1C2-D423508F881B}.exe	2024-03-13_cf00cb6dcdec71c0319f95ce18f251de_goldeneye.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	744	2024-03-13_cf00cb6dcdec71c0319f95ce18f251de_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2548	{26FC74AC-8914-4b5b-B1C2-D423508F881B}.exe
Token: SeIncBasePriorityPrivilege	2608	{CCDEEAA0-F83B-4b9a-8453-1AFBD95C4525}.exe
Token: SeIncBasePriorityPrivilege	2228	{E17C1905-7724-4eaf-8128-C804ED88349D}.exe
Token: SeIncBasePriorityPrivilege	1796	{6A3FD123-C0D0-4840-AFCE-F0E010B08D78}.exe
Token: SeIncBasePriorityPrivilege	1156	{2C3ABD92-42DD-4575-99A4-F2DB897FB4C7}.exe
Token: SeIncBasePriorityPrivilege	2716	{4A384241-AC0E-44f6-A98E-526318F56A1E}.exe
Token: SeIncBasePriorityPrivilege	932	{92B6BB9C-731E-4d7b-829F-452681D2E7B9}.exe
Token: SeIncBasePriorityPrivilege	1628	{08E0414E-3C95-4885-A106-639972E4B721}.exe
Token: SeIncBasePriorityPrivilege	1316	{5C47719A-FF8E-437b-A605-B2E6398F2344}.exe
Token: SeIncBasePriorityPrivilege	1340	{E0D06B74-372C-44b8-8C75-FC36BD8F8296}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 744 wrote to memory of 2548	744	2024-03-13_cf00cb6dcdec71c0319f95ce18f251de_goldeneye.exe	28
PID 744 wrote to memory of 2548	744	2024-03-13_cf00cb6dcdec71c0319f95ce18f251de_goldeneye.exe	28
PID 744 wrote to memory of 2548	744	2024-03-13_cf00cb6dcdec71c0319f95ce18f251de_goldeneye.exe	28
PID 744 wrote to memory of 2548	744	2024-03-13_cf00cb6dcdec71c0319f95ce18f251de_goldeneye.exe	28
PID 744 wrote to memory of 2652	744	2024-03-13_cf00cb6dcdec71c0319f95ce18f251de_goldeneye.exe	29
PID 744 wrote to memory of 2652	744	2024-03-13_cf00cb6dcdec71c0319f95ce18f251de_goldeneye.exe	29
PID 744 wrote to memory of 2652	744	2024-03-13_cf00cb6dcdec71c0319f95ce18f251de_goldeneye.exe	29
PID 744 wrote to memory of 2652	744	2024-03-13_cf00cb6dcdec71c0319f95ce18f251de_goldeneye.exe	29
PID 2548 wrote to memory of 2608	2548	{26FC74AC-8914-4b5b-B1C2-D423508F881B}.exe	30
PID 2548 wrote to memory of 2608	2548	{26FC74AC-8914-4b5b-B1C2-D423508F881B}.exe	30
PID 2548 wrote to memory of 2608	2548	{26FC74AC-8914-4b5b-B1C2-D423508F881B}.exe	30
PID 2548 wrote to memory of 2608	2548	{26FC74AC-8914-4b5b-B1C2-D423508F881B}.exe	30
PID 2548 wrote to memory of 2668	2548	{26FC74AC-8914-4b5b-B1C2-D423508F881B}.exe	31
PID 2548 wrote to memory of 2668	2548	{26FC74AC-8914-4b5b-B1C2-D423508F881B}.exe	31
PID 2548 wrote to memory of 2668	2548	{26FC74AC-8914-4b5b-B1C2-D423508F881B}.exe	31
PID 2548 wrote to memory of 2668	2548	{26FC74AC-8914-4b5b-B1C2-D423508F881B}.exe	31
PID 2608 wrote to memory of 2228	2608	{CCDEEAA0-F83B-4b9a-8453-1AFBD95C4525}.exe	34
PID 2608 wrote to memory of 2228	2608	{CCDEEAA0-F83B-4b9a-8453-1AFBD95C4525}.exe	34
PID 2608 wrote to memory of 2228	2608	{CCDEEAA0-F83B-4b9a-8453-1AFBD95C4525}.exe	34
PID 2608 wrote to memory of 2228	2608	{CCDEEAA0-F83B-4b9a-8453-1AFBD95C4525}.exe	34
PID 2608 wrote to memory of 2856	2608	{CCDEEAA0-F83B-4b9a-8453-1AFBD95C4525}.exe	35
PID 2608 wrote to memory of 2856	2608	{CCDEEAA0-F83B-4b9a-8453-1AFBD95C4525}.exe	35
PID 2608 wrote to memory of 2856	2608	{CCDEEAA0-F83B-4b9a-8453-1AFBD95C4525}.exe	35
PID 2608 wrote to memory of 2856	2608	{CCDEEAA0-F83B-4b9a-8453-1AFBD95C4525}.exe	35
PID 2228 wrote to memory of 1796	2228	{E17C1905-7724-4eaf-8128-C804ED88349D}.exe	36
PID 2228 wrote to memory of 1796	2228	{E17C1905-7724-4eaf-8128-C804ED88349D}.exe	36
PID 2228 wrote to memory of 1796	2228	{E17C1905-7724-4eaf-8128-C804ED88349D}.exe	36
PID 2228 wrote to memory of 1796	2228	{E17C1905-7724-4eaf-8128-C804ED88349D}.exe	36
PID 2228 wrote to memory of 336	2228	{E17C1905-7724-4eaf-8128-C804ED88349D}.exe	37
PID 2228 wrote to memory of 336	2228	{E17C1905-7724-4eaf-8128-C804ED88349D}.exe	37
PID 2228 wrote to memory of 336	2228	{E17C1905-7724-4eaf-8128-C804ED88349D}.exe	37
PID 2228 wrote to memory of 336	2228	{E17C1905-7724-4eaf-8128-C804ED88349D}.exe	37
PID 1796 wrote to memory of 1156	1796	{6A3FD123-C0D0-4840-AFCE-F0E010B08D78}.exe	38
PID 1796 wrote to memory of 1156	1796	{6A3FD123-C0D0-4840-AFCE-F0E010B08D78}.exe	38
PID 1796 wrote to memory of 1156	1796	{6A3FD123-C0D0-4840-AFCE-F0E010B08D78}.exe	38
PID 1796 wrote to memory of 1156	1796	{6A3FD123-C0D0-4840-AFCE-F0E010B08D78}.exe	38
PID 1796 wrote to memory of 2464	1796	{6A3FD123-C0D0-4840-AFCE-F0E010B08D78}.exe	39
PID 1796 wrote to memory of 2464	1796	{6A3FD123-C0D0-4840-AFCE-F0E010B08D78}.exe	39
PID 1796 wrote to memory of 2464	1796	{6A3FD123-C0D0-4840-AFCE-F0E010B08D78}.exe	39
PID 1796 wrote to memory of 2464	1796	{6A3FD123-C0D0-4840-AFCE-F0E010B08D78}.exe	39
PID 1156 wrote to memory of 2716	1156	{2C3ABD92-42DD-4575-99A4-F2DB897FB4C7}.exe	40
PID 1156 wrote to memory of 2716	1156	{2C3ABD92-42DD-4575-99A4-F2DB897FB4C7}.exe	40
PID 1156 wrote to memory of 2716	1156	{2C3ABD92-42DD-4575-99A4-F2DB897FB4C7}.exe	40
PID 1156 wrote to memory of 2716	1156	{2C3ABD92-42DD-4575-99A4-F2DB897FB4C7}.exe	40
PID 1156 wrote to memory of 2848	1156	{2C3ABD92-42DD-4575-99A4-F2DB897FB4C7}.exe	41
PID 1156 wrote to memory of 2848	1156	{2C3ABD92-42DD-4575-99A4-F2DB897FB4C7}.exe	41
PID 1156 wrote to memory of 2848	1156	{2C3ABD92-42DD-4575-99A4-F2DB897FB4C7}.exe	41
PID 1156 wrote to memory of 2848	1156	{2C3ABD92-42DD-4575-99A4-F2DB897FB4C7}.exe	41
PID 2716 wrote to memory of 932	2716	{4A384241-AC0E-44f6-A98E-526318F56A1E}.exe	42
PID 2716 wrote to memory of 932	2716	{4A384241-AC0E-44f6-A98E-526318F56A1E}.exe	42
PID 2716 wrote to memory of 932	2716	{4A384241-AC0E-44f6-A98E-526318F56A1E}.exe	42
PID 2716 wrote to memory of 932	2716	{4A384241-AC0E-44f6-A98E-526318F56A1E}.exe	42
PID 2716 wrote to memory of 1756	2716	{4A384241-AC0E-44f6-A98E-526318F56A1E}.exe	43
PID 2716 wrote to memory of 1756	2716	{4A384241-AC0E-44f6-A98E-526318F56A1E}.exe	43
PID 2716 wrote to memory of 1756	2716	{4A384241-AC0E-44f6-A98E-526318F56A1E}.exe	43
PID 2716 wrote to memory of 1756	2716	{4A384241-AC0E-44f6-A98E-526318F56A1E}.exe	43
PID 932 wrote to memory of 1628	932	{92B6BB9C-731E-4d7b-829F-452681D2E7B9}.exe	44
PID 932 wrote to memory of 1628	932	{92B6BB9C-731E-4d7b-829F-452681D2E7B9}.exe	44
PID 932 wrote to memory of 1628	932	{92B6BB9C-731E-4d7b-829F-452681D2E7B9}.exe	44
PID 932 wrote to memory of 1628	932	{92B6BB9C-731E-4d7b-829F-452681D2E7B9}.exe	44
PID 932 wrote to memory of 1640	932	{92B6BB9C-731E-4d7b-829F-452681D2E7B9}.exe	45
PID 932 wrote to memory of 1640	932	{92B6BB9C-731E-4d7b-829F-452681D2E7B9}.exe	45
PID 932 wrote to memory of 1640	932	{92B6BB9C-731E-4d7b-829F-452681D2E7B9}.exe	45
PID 932 wrote to memory of 1640	932	{92B6BB9C-731E-4d7b-829F-452681D2E7B9}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-03-13_cf00cb6dcdec71c0319f95ce18f251de_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-13_cf00cb6dcdec71c0319f95ce18f251de_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:744
- C:\Windows\{26FC74AC-8914-4b5b-B1C2-D423508F881B}.exe
  C:\Windows\{26FC74AC-8914-4b5b-B1C2-D423508F881B}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2548
- - C:\Windows\{CCDEEAA0-F83B-4b9a-8453-1AFBD95C4525}.exe
    C:\Windows\{CCDEEAA0-F83B-4b9a-8453-1AFBD95C4525}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2608
  - - C:\Windows\{E17C1905-7724-4eaf-8128-C804ED88349D}.exe
      C:\Windows\{E17C1905-7724-4eaf-8128-C804ED88349D}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2228
    - - C:\Windows\{6A3FD123-C0D0-4840-AFCE-F0E010B08D78}.exe
        
        C:\Windows\{6A3FD123-C0D0-4840-AFCE-F0E010B08D78}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1796
      - C:\Windows\{2C3ABD92-42DD-4575-99A4-F2DB897FB4C7}.exe
        
        C:\Windows\{2C3ABD92-42DD-4575-99A4-F2DB897FB4C7}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1156
        
        C:\Windows\{4A384241-AC0E-44f6-A98E-526318F56A1E}.exe
        
        C:\Windows\{4A384241-AC0E-44f6-A98E-526318F56A1E}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2716
        
        C:\Windows\{92B6BB9C-731E-4d7b-829F-452681D2E7B9}.exe
        
        C:\Windows\{92B6BB9C-731E-4d7b-829F-452681D2E7B9}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:932
        
        C:\Windows\{08E0414E-3C95-4885-A106-639972E4B721}.exe
        
        C:\Windows\{08E0414E-3C95-4885-A106-639972E4B721}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1628
        
        C:\Windows\{5C47719A-FF8E-437b-A605-B2E6398F2344}.exe
        
        C:\Windows\{5C47719A-FF8E-437b-A605-B2E6398F2344}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1316
        
        C:\Windows\{E0D06B74-372C-44b8-8C75-FC36BD8F8296}.exe
        
        C:\Windows\{E0D06B74-372C-44b8-8C75-FC36BD8F8296}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1340
        
        C:\Windows\{8AB0AD93-EFA9-4252-A4A4-40A74B3480A4}.exe
        
        C:\Windows\{8AB0AD93-EFA9-4252-A4A4-40A74B3480A4}.exe
        12⤵
        Executes dropped EXE
        
        PID:2956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E0D06~1.EXE > nul
        12⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5C477~1.EXE > nul
        11⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{08E04~1.EXE > nul
        10⤵
        
        PID:1300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{92B6B~1.EXE > nul
        9⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4A384~1.EXE > nul
        8⤵
        
        PID:1756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2C3AB~1.EXE > nul
        7⤵
        
        PID:2848
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6A3FD~1.EXE > nul
        6⤵
        
        PID:2464
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E17C1~1.EXE > nul
        5⤵
        
        PID:336
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{CCDEE~1.EXE > nul
      4⤵
      PID:2856
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{26FC7~1.EXE > nul
    3⤵
    PID:2668
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{08E0414E-3C95-4885-A106-639972E4B721}.exe

Filesize
344KB

MD5
ae26624dee68276a3752f3b91f5c6720

SHA1
7f106cdf8e6b2927628788a540d2f645dc51b8db

SHA256
c4ae769196c555ed80d381be4692ff8d3b0e4a56ffa7b8e69f30891a94be0955

SHA512
280bbb23599124d7b8e2398e6eca04a2ddf1939689f278f7855748001ba901b546586f855eb5670ea4e742e4a2abbfb21e477cf49667efb0080ee432d968756e

Download Submit
C:\Windows\{26FC74AC-8914-4b5b-B1C2-D423508F881B}.exe

Filesize
344KB

MD5
35cd2082b1a6fdf52bf444bbe41ceeae

SHA1
9cd13b99b61cecd09c4fc29671e5487e38399d00

SHA256
c4fca8f591d5fdf02737144d531f672e7f810e784b3b8fe8c0b53a2a6fa39681

SHA512
a3ad3b5ca7232ff4338c1bb83da8323108285b5c0227aa4f0242f720bca44fa16041dba647ea2e7f791eecbdddab6140678cfa1487f37b4839bfb4049eb65fec

Download Submit
C:\Windows\{2C3ABD92-42DD-4575-99A4-F2DB897FB4C7}.exe

Filesize
344KB

MD5
db8c37a708f55bea65752e2e33569189

SHA1
9b97722aafb36da58228b502799d09bc9a2b4cb3

SHA256
038fd3c7e01a530f1f0feeaa3e7c254c7191de16adbe8ed92463f75cd0438700

SHA512
76f04f16b4c37979fe417c890a82311d47787e59b7f41e5c7176d5b63c17fea4eb9659731d08fdcea2df79317b6bcf6a4837f36de825290e49618f7bbd79ea74

Download Submit
C:\Windows\{4A384241-AC0E-44f6-A98E-526318F56A1E}.exe

Filesize
344KB

MD5
08a8377b05fe5c59828456121b5ff997

SHA1
1ba9e2c22e52a944e495498fcee48672bdd313bd

SHA256
57e1d05bb70eb68d6c3ee23e0ebb28ceee64b14c57e579f66af9b8c4c73e5541

SHA512
774e8b2d01a9907634bcc7c51ecec892744f4b3ef2400e390f0d976b3af8cdc2094ef55a1461c16a06e04c690709ad4e8e4af3c64a476cd3028dcb5e0f294b62

Download Submit
C:\Windows\{5C47719A-FF8E-437b-A605-B2E6398F2344}.exe

Filesize
344KB

MD5
785a952e60fe4f0b99760d806d4ad309

SHA1
8b738915d5f0e6365a49f25b4764b4ffec193151

SHA256
cd0930605d91ce920512b03bca102a4d5d873a4dc85146fb1388931bf56f1cc6

SHA512
a08e1628e8da2a6db44f68f8ce90d77a92eaa4b59fa3fcca91a9d23bbdec18398ff4af3a7b5b5babc38e7b02b7ddaa84392504ed325320c749b25b47fc1034ef

Download Submit
C:\Windows\{6A3FD123-C0D0-4840-AFCE-F0E010B08D78}.exe

Filesize
344KB

MD5
e1a39d039ac1b6dbe2ce6f954ce8b074

SHA1
23287c53b5057802ecafac182ef9bfe3acf34608

SHA256
80419c7b0bad3a3c9ac15ce228163468940decb41c5a870586896a5e8b8475bb

SHA512
4c87bdf95c304bf39be8f604f776b3ec4b3710e55746c43896d5e3e4b7f6091a4b776cb6690a43c28bac9cd6e160903bc9a1de1ee1ebc1d0349cbfb98fe0a797

Download Submit
C:\Windows\{8AB0AD93-EFA9-4252-A4A4-40A74B3480A4}.exe

Filesize
344KB

MD5
26df2a293618d6fa54067688e8b02f90

SHA1
30d647a627cbb4edc9a8256c6df59a0756b5fbf5

SHA256
a862be298a93651558129b9cd01747a7d73c4b8bcffae271153f54d99d030214

SHA512
9695e6ce845148a5435b919e315c30a7adda5b686deef5cd0c9751744ad94de4407810aaf8b0b03410cfae7934faa4670a4f5daf04e304a8f7a5655698705ea3

Download Submit
C:\Windows\{92B6BB9C-731E-4d7b-829F-452681D2E7B9}.exe

Filesize
344KB

MD5
cbda4514c6f64cbaa0a14f0ac5f0f136

SHA1
8448b65946a84cdf153edad0cdb935e376cda7fc

SHA256
302ba8b289cb12ed856754347768d57523ed3606be339140d01289fcfed4d15d

SHA512
33114cc18247f7f19d491f1436a48aa60e42da8c3e4bbd11b83ccc2244c832446e3497bb32180b227620bf9c92440e027eb53de641adcebffa571be1f312f085

Download Submit
C:\Windows\{CCDEEAA0-F83B-4b9a-8453-1AFBD95C4525}.exe

Filesize
344KB

MD5
33b15aea0f0d2171e5c4ea14fa1cddab

SHA1
f840d48762b61163c38b1723894666635eb4e195

SHA256
da3a1ecf2ffd23ded2fb0d9c7439312c2e330139bed6c2cbe0cab55aac872870

SHA512
7ecbdb5811366b6f9bfc33444896522e617ee41dc31af6101f8799e9d4a484f1ff96533b9cc989f11e43778407e43aad8745d2396c1263f492b9b5c32d3a553e

Download Submit
C:\Windows\{E0D06B74-372C-44b8-8C75-FC36BD8F8296}.exe

Filesize
344KB

MD5
44ea1598f93f3c795abac7422d10dc2a

SHA1
1f4b8db713d01bad2a0e837165c5a73c7b515699

SHA256
4e2b2fcd94fa0c4916b65d1539b8bc553501380479d1e5981ca7fb692d37d863

SHA512
15b30428dc57abddbb22659fe8cb4f262e8669ea20d12d0da54f15a2e986e29c44c60402656117a8034ce1059d232a8dce48f566146e66c2f3c47eb320f69f35

Download Submit
C:\Windows\{E17C1905-7724-4eaf-8128-C804ED88349D}.exe

Filesize
344KB

MD5
5e0fa202144cef1f9416b792f83b76bf

SHA1
aaa2360e9a6d5508e9277277aa9b95c3e0b7e97e

SHA256
d791937b57c68c7a7250ca2788e96a8de6a8299da1fdfbbe3f8f814873b62d00

SHA512
f7ff81f9df14691caa9bdbd8024428706233436bf7c3b12f403526499f3547ee665c61a6173f2577e5e0b715f23837b43c0dc186885bdd3db1c26c436aef504a

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads