f0313164c9cbd172785b3c96ed1e66e2e02d4765b5558f3141220c5262afe954

Analysis

max time kernel
144s
max time network
119s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
14-03-2024 00:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-14_eea3384f9600956db4f54a28ee66253c_goldeneye.exe
Size

197KB
MD5

eea3384f9600956db4f54a28ee66253c
SHA1

797a10e122a280ef8e8aee7d9fb38bc93d149fb7
SHA256

f0313164c9cbd172785b3c96ed1e66e2e02d4765b5558f3141220c5262afe954
SHA512

e4cc37a38f8b361eaa54a485dfc6e8847e9d5e46f7eee763e240679ede2f0ca1583effc79fcb34c8083ac17c359990cc8c2856e62224416cc373396ef8ccdb94
SSDEEP

3072:jEGh0oCl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGklEeKcAEca

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000c00000001231c-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c0000000143a8-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d00000001231c-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0032000000014588-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e00000001231c-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f00000001231c-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001000000001231c-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4BAA343A-6EA5-4c04-A461-5F580F24BEDC}\stubpath = "C:\\Windows\\{4BAA343A-6EA5-4c04-A461-5F580F24BEDC}.exe"	{108312AF-CCBE-48e8-A606-E425817ED0FB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EF327ACE-4A48-45b0-89E6-D8E3C33BC280}	{EBA45003-EBDF-4b36-91DA-B2D914951117}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{430244C4-0778-4742-92A5-A2AE1001649F}	{51A2F3E7-1464-4e50-B720-30FD55912DB2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{430244C4-0778-4742-92A5-A2AE1001649F}\stubpath = "C:\\Windows\\{430244C4-0778-4742-92A5-A2AE1001649F}.exe"	{51A2F3E7-1464-4e50-B720-30FD55912DB2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3B4034EB-8D50-4033-B6BA-7649DBBDBEC1}\stubpath = "C:\\Windows\\{3B4034EB-8D50-4033-B6BA-7649DBBDBEC1}.exe"	{DC3533FF-AA5D-4dda-B5E5-2C0E8F4C6DD6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EBA45003-EBDF-4b36-91DA-B2D914951117}	{4BAA343A-6EA5-4c04-A461-5F580F24BEDC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{51A2F3E7-1464-4e50-B720-30FD55912DB2}	{9BFBAF57-96B8-433a-9481-8B5A7F5A7755}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DC3533FF-AA5D-4dda-B5E5-2C0E8F4C6DD6}\stubpath = "C:\\Windows\\{DC3533FF-AA5D-4dda-B5E5-2C0E8F4C6DD6}.exe"	{8C5263D5-9E2C-41a1-8EC5-79A4A823CFB3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3B4034EB-8D50-4033-B6BA-7649DBBDBEC1}	{DC3533FF-AA5D-4dda-B5E5-2C0E8F4C6DD6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EBA45003-EBDF-4b36-91DA-B2D914951117}\stubpath = "C:\\Windows\\{EBA45003-EBDF-4b36-91DA-B2D914951117}.exe"	{4BAA343A-6EA5-4c04-A461-5F580F24BEDC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EF327ACE-4A48-45b0-89E6-D8E3C33BC280}\stubpath = "C:\\Windows\\{EF327ACE-4A48-45b0-89E6-D8E3C33BC280}.exe"	{EBA45003-EBDF-4b36-91DA-B2D914951117}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{51A2F3E7-1464-4e50-B720-30FD55912DB2}\stubpath = "C:\\Windows\\{51A2F3E7-1464-4e50-B720-30FD55912DB2}.exe"	{9BFBAF57-96B8-433a-9481-8B5A7F5A7755}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A6EFEF45-2F7C-4258-8EB6-CF27A43F9307}	{430244C4-0778-4742-92A5-A2AE1001649F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8C5263D5-9E2C-41a1-8EC5-79A4A823CFB3}\stubpath = "C:\\Windows\\{8C5263D5-9E2C-41a1-8EC5-79A4A823CFB3}.exe"	{A6EFEF45-2F7C-4258-8EB6-CF27A43F9307}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DC3533FF-AA5D-4dda-B5E5-2C0E8F4C6DD6}	{8C5263D5-9E2C-41a1-8EC5-79A4A823CFB3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{108312AF-CCBE-48e8-A606-E425817ED0FB}	2024-03-14_eea3384f9600956db4f54a28ee66253c_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{108312AF-CCBE-48e8-A606-E425817ED0FB}\stubpath = "C:\\Windows\\{108312AF-CCBE-48e8-A606-E425817ED0FB}.exe"	2024-03-14_eea3384f9600956db4f54a28ee66253c_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4BAA343A-6EA5-4c04-A461-5F580F24BEDC}	{108312AF-CCBE-48e8-A606-E425817ED0FB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9BFBAF57-96B8-433a-9481-8B5A7F5A7755}	{EF327ACE-4A48-45b0-89E6-D8E3C33BC280}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9BFBAF57-96B8-433a-9481-8B5A7F5A7755}\stubpath = "C:\\Windows\\{9BFBAF57-96B8-433a-9481-8B5A7F5A7755}.exe"	{EF327ACE-4A48-45b0-89E6-D8E3C33BC280}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A6EFEF45-2F7C-4258-8EB6-CF27A43F9307}\stubpath = "C:\\Windows\\{A6EFEF45-2F7C-4258-8EB6-CF27A43F9307}.exe"	{430244C4-0778-4742-92A5-A2AE1001649F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8C5263D5-9E2C-41a1-8EC5-79A4A823CFB3}	{A6EFEF45-2F7C-4258-8EB6-CF27A43F9307}.exe

Deletes itself 1 IoCs

pid	Process
2648	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
3040	{108312AF-CCBE-48e8-A606-E425817ED0FB}.exe
2628	{4BAA343A-6EA5-4c04-A461-5F580F24BEDC}.exe
2396	{EBA45003-EBDF-4b36-91DA-B2D914951117}.exe
2700	{EF327ACE-4A48-45b0-89E6-D8E3C33BC280}.exe
1500	{9BFBAF57-96B8-433a-9481-8B5A7F5A7755}.exe
1880	{51A2F3E7-1464-4e50-B720-30FD55912DB2}.exe
1368	{430244C4-0778-4742-92A5-A2AE1001649F}.exe
1116	{A6EFEF45-2F7C-4258-8EB6-CF27A43F9307}.exe
2032	{8C5263D5-9E2C-41a1-8EC5-79A4A823CFB3}.exe
788	{DC3533FF-AA5D-4dda-B5E5-2C0E8F4C6DD6}.exe
1812	{3B4034EB-8D50-4033-B6BA-7649DBBDBEC1}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{430244C4-0778-4742-92A5-A2AE1001649F}.exe	{51A2F3E7-1464-4e50-B720-30FD55912DB2}.exe
File created	C:\Windows\{A6EFEF45-2F7C-4258-8EB6-CF27A43F9307}.exe	{430244C4-0778-4742-92A5-A2AE1001649F}.exe
File created	C:\Windows\{8C5263D5-9E2C-41a1-8EC5-79A4A823CFB3}.exe	{A6EFEF45-2F7C-4258-8EB6-CF27A43F9307}.exe
File created	C:\Windows\{3B4034EB-8D50-4033-B6BA-7649DBBDBEC1}.exe	{DC3533FF-AA5D-4dda-B5E5-2C0E8F4C6DD6}.exe
File created	C:\Windows\{4BAA343A-6EA5-4c04-A461-5F580F24BEDC}.exe	{108312AF-CCBE-48e8-A606-E425817ED0FB}.exe
File created	C:\Windows\{EBA45003-EBDF-4b36-91DA-B2D914951117}.exe	{4BAA343A-6EA5-4c04-A461-5F580F24BEDC}.exe
File created	C:\Windows\{9BFBAF57-96B8-433a-9481-8B5A7F5A7755}.exe	{EF327ACE-4A48-45b0-89E6-D8E3C33BC280}.exe
File created	C:\Windows\{51A2F3E7-1464-4e50-B720-30FD55912DB2}.exe	{9BFBAF57-96B8-433a-9481-8B5A7F5A7755}.exe
File created	C:\Windows\{DC3533FF-AA5D-4dda-B5E5-2C0E8F4C6DD6}.exe	{8C5263D5-9E2C-41a1-8EC5-79A4A823CFB3}.exe
File created	C:\Windows\{108312AF-CCBE-48e8-A606-E425817ED0FB}.exe	2024-03-14_eea3384f9600956db4f54a28ee66253c_goldeneye.exe
File created	C:\Windows\{EF327ACE-4A48-45b0-89E6-D8E3C33BC280}.exe	{EBA45003-EBDF-4b36-91DA-B2D914951117}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2356	2024-03-14_eea3384f9600956db4f54a28ee66253c_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3040	{108312AF-CCBE-48e8-A606-E425817ED0FB}.exe
Token: SeIncBasePriorityPrivilege	2628	{4BAA343A-6EA5-4c04-A461-5F580F24BEDC}.exe
Token: SeIncBasePriorityPrivilege	2396	{EBA45003-EBDF-4b36-91DA-B2D914951117}.exe
Token: SeIncBasePriorityPrivilege	2700	{EF327ACE-4A48-45b0-89E6-D8E3C33BC280}.exe
Token: SeIncBasePriorityPrivilege	1500	{9BFBAF57-96B8-433a-9481-8B5A7F5A7755}.exe
Token: SeIncBasePriorityPrivilege	1880	{51A2F3E7-1464-4e50-B720-30FD55912DB2}.exe
Token: SeIncBasePriorityPrivilege	1368	{430244C4-0778-4742-92A5-A2AE1001649F}.exe
Token: SeIncBasePriorityPrivilege	1116	{A6EFEF45-2F7C-4258-8EB6-CF27A43F9307}.exe
Token: SeIncBasePriorityPrivilege	2032	{8C5263D5-9E2C-41a1-8EC5-79A4A823CFB3}.exe
Token: SeIncBasePriorityPrivilege	788	{DC3533FF-AA5D-4dda-B5E5-2C0E8F4C6DD6}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2356 wrote to memory of 3040	2356	2024-03-14_eea3384f9600956db4f54a28ee66253c_goldeneye.exe	28
PID 2356 wrote to memory of 3040	2356	2024-03-14_eea3384f9600956db4f54a28ee66253c_goldeneye.exe	28
PID 2356 wrote to memory of 3040	2356	2024-03-14_eea3384f9600956db4f54a28ee66253c_goldeneye.exe	28
PID 2356 wrote to memory of 3040	2356	2024-03-14_eea3384f9600956db4f54a28ee66253c_goldeneye.exe	28
PID 2356 wrote to memory of 2648	2356	2024-03-14_eea3384f9600956db4f54a28ee66253c_goldeneye.exe	29
PID 2356 wrote to memory of 2648	2356	2024-03-14_eea3384f9600956db4f54a28ee66253c_goldeneye.exe	29
PID 2356 wrote to memory of 2648	2356	2024-03-14_eea3384f9600956db4f54a28ee66253c_goldeneye.exe	29
PID 2356 wrote to memory of 2648	2356	2024-03-14_eea3384f9600956db4f54a28ee66253c_goldeneye.exe	29
PID 3040 wrote to memory of 2628	3040	{108312AF-CCBE-48e8-A606-E425817ED0FB}.exe	30
PID 3040 wrote to memory of 2628	3040	{108312AF-CCBE-48e8-A606-E425817ED0FB}.exe	30
PID 3040 wrote to memory of 2628	3040	{108312AF-CCBE-48e8-A606-E425817ED0FB}.exe	30
PID 3040 wrote to memory of 2628	3040	{108312AF-CCBE-48e8-A606-E425817ED0FB}.exe	30
PID 3040 wrote to memory of 2596	3040	{108312AF-CCBE-48e8-A606-E425817ED0FB}.exe	31
PID 3040 wrote to memory of 2596	3040	{108312AF-CCBE-48e8-A606-E425817ED0FB}.exe	31
PID 3040 wrote to memory of 2596	3040	{108312AF-CCBE-48e8-A606-E425817ED0FB}.exe	31
PID 3040 wrote to memory of 2596	3040	{108312AF-CCBE-48e8-A606-E425817ED0FB}.exe	31
PID 2628 wrote to memory of 2396	2628	{4BAA343A-6EA5-4c04-A461-5F580F24BEDC}.exe	32
PID 2628 wrote to memory of 2396	2628	{4BAA343A-6EA5-4c04-A461-5F580F24BEDC}.exe	32
PID 2628 wrote to memory of 2396	2628	{4BAA343A-6EA5-4c04-A461-5F580F24BEDC}.exe	32
PID 2628 wrote to memory of 2396	2628	{4BAA343A-6EA5-4c04-A461-5F580F24BEDC}.exe	32
PID 2628 wrote to memory of 2440	2628	{4BAA343A-6EA5-4c04-A461-5F580F24BEDC}.exe	33
PID 2628 wrote to memory of 2440	2628	{4BAA343A-6EA5-4c04-A461-5F580F24BEDC}.exe	33
PID 2628 wrote to memory of 2440	2628	{4BAA343A-6EA5-4c04-A461-5F580F24BEDC}.exe	33
PID 2628 wrote to memory of 2440	2628	{4BAA343A-6EA5-4c04-A461-5F580F24BEDC}.exe	33
PID 2396 wrote to memory of 2700	2396	{EBA45003-EBDF-4b36-91DA-B2D914951117}.exe	36
PID 2396 wrote to memory of 2700	2396	{EBA45003-EBDF-4b36-91DA-B2D914951117}.exe	36
PID 2396 wrote to memory of 2700	2396	{EBA45003-EBDF-4b36-91DA-B2D914951117}.exe	36
PID 2396 wrote to memory of 2700	2396	{EBA45003-EBDF-4b36-91DA-B2D914951117}.exe	36
PID 2396 wrote to memory of 2760	2396	{EBA45003-EBDF-4b36-91DA-B2D914951117}.exe	37
PID 2396 wrote to memory of 2760	2396	{EBA45003-EBDF-4b36-91DA-B2D914951117}.exe	37
PID 2396 wrote to memory of 2760	2396	{EBA45003-EBDF-4b36-91DA-B2D914951117}.exe	37
PID 2396 wrote to memory of 2760	2396	{EBA45003-EBDF-4b36-91DA-B2D914951117}.exe	37
PID 2700 wrote to memory of 1500	2700	{EF327ACE-4A48-45b0-89E6-D8E3C33BC280}.exe	38
PID 2700 wrote to memory of 1500	2700	{EF327ACE-4A48-45b0-89E6-D8E3C33BC280}.exe	38
PID 2700 wrote to memory of 1500	2700	{EF327ACE-4A48-45b0-89E6-D8E3C33BC280}.exe	38
PID 2700 wrote to memory of 1500	2700	{EF327ACE-4A48-45b0-89E6-D8E3C33BC280}.exe	38
PID 2700 wrote to memory of 824	2700	{EF327ACE-4A48-45b0-89E6-D8E3C33BC280}.exe	39
PID 2700 wrote to memory of 824	2700	{EF327ACE-4A48-45b0-89E6-D8E3C33BC280}.exe	39
PID 2700 wrote to memory of 824	2700	{EF327ACE-4A48-45b0-89E6-D8E3C33BC280}.exe	39
PID 2700 wrote to memory of 824	2700	{EF327ACE-4A48-45b0-89E6-D8E3C33BC280}.exe	39
PID 1500 wrote to memory of 1880	1500	{9BFBAF57-96B8-433a-9481-8B5A7F5A7755}.exe	40
PID 1500 wrote to memory of 1880	1500	{9BFBAF57-96B8-433a-9481-8B5A7F5A7755}.exe	40
PID 1500 wrote to memory of 1880	1500	{9BFBAF57-96B8-433a-9481-8B5A7F5A7755}.exe	40
PID 1500 wrote to memory of 1880	1500	{9BFBAF57-96B8-433a-9481-8B5A7F5A7755}.exe	40
PID 1500 wrote to memory of 1480	1500	{9BFBAF57-96B8-433a-9481-8B5A7F5A7755}.exe	41
PID 1500 wrote to memory of 1480	1500	{9BFBAF57-96B8-433a-9481-8B5A7F5A7755}.exe	41
PID 1500 wrote to memory of 1480	1500	{9BFBAF57-96B8-433a-9481-8B5A7F5A7755}.exe	41
PID 1500 wrote to memory of 1480	1500	{9BFBAF57-96B8-433a-9481-8B5A7F5A7755}.exe	41
PID 1880 wrote to memory of 1368	1880	{51A2F3E7-1464-4e50-B720-30FD55912DB2}.exe	42
PID 1880 wrote to memory of 1368	1880	{51A2F3E7-1464-4e50-B720-30FD55912DB2}.exe	42
PID 1880 wrote to memory of 1368	1880	{51A2F3E7-1464-4e50-B720-30FD55912DB2}.exe	42
PID 1880 wrote to memory of 1368	1880	{51A2F3E7-1464-4e50-B720-30FD55912DB2}.exe	42
PID 1880 wrote to memory of 1688	1880	{51A2F3E7-1464-4e50-B720-30FD55912DB2}.exe	43
PID 1880 wrote to memory of 1688	1880	{51A2F3E7-1464-4e50-B720-30FD55912DB2}.exe	43
PID 1880 wrote to memory of 1688	1880	{51A2F3E7-1464-4e50-B720-30FD55912DB2}.exe	43
PID 1880 wrote to memory of 1688	1880	{51A2F3E7-1464-4e50-B720-30FD55912DB2}.exe	43
PID 1368 wrote to memory of 1116	1368	{430244C4-0778-4742-92A5-A2AE1001649F}.exe	44
PID 1368 wrote to memory of 1116	1368	{430244C4-0778-4742-92A5-A2AE1001649F}.exe	44
PID 1368 wrote to memory of 1116	1368	{430244C4-0778-4742-92A5-A2AE1001649F}.exe	44
PID 1368 wrote to memory of 1116	1368	{430244C4-0778-4742-92A5-A2AE1001649F}.exe	44
PID 1368 wrote to memory of 1956	1368	{430244C4-0778-4742-92A5-A2AE1001649F}.exe	45
PID 1368 wrote to memory of 1956	1368	{430244C4-0778-4742-92A5-A2AE1001649F}.exe	45
PID 1368 wrote to memory of 1956	1368	{430244C4-0778-4742-92A5-A2AE1001649F}.exe	45
PID 1368 wrote to memory of 1956	1368	{430244C4-0778-4742-92A5-A2AE1001649F}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-03-14_eea3384f9600956db4f54a28ee66253c_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-14_eea3384f9600956db4f54a28ee66253c_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2356
- C:\Windows\{108312AF-CCBE-48e8-A606-E425817ED0FB}.exe
  C:\Windows\{108312AF-CCBE-48e8-A606-E425817ED0FB}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3040
- - C:\Windows\{4BAA343A-6EA5-4c04-A461-5F580F24BEDC}.exe
    C:\Windows\{4BAA343A-6EA5-4c04-A461-5F580F24BEDC}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2628
  - - C:\Windows\{EBA45003-EBDF-4b36-91DA-B2D914951117}.exe
      C:\Windows\{EBA45003-EBDF-4b36-91DA-B2D914951117}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2396
    - - C:\Windows\{EF327ACE-4A48-45b0-89E6-D8E3C33BC280}.exe
        
        C:\Windows\{EF327ACE-4A48-45b0-89E6-D8E3C33BC280}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2700
      - C:\Windows\{9BFBAF57-96B8-433a-9481-8B5A7F5A7755}.exe
        
        C:\Windows\{9BFBAF57-96B8-433a-9481-8B5A7F5A7755}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1500
        
        C:\Windows\{51A2F3E7-1464-4e50-B720-30FD55912DB2}.exe
        
        C:\Windows\{51A2F3E7-1464-4e50-B720-30FD55912DB2}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1880
        
        C:\Windows\{430244C4-0778-4742-92A5-A2AE1001649F}.exe
        
        C:\Windows\{430244C4-0778-4742-92A5-A2AE1001649F}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1368
        
        C:\Windows\{A6EFEF45-2F7C-4258-8EB6-CF27A43F9307}.exe
        
        C:\Windows\{A6EFEF45-2F7C-4258-8EB6-CF27A43F9307}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1116
        
        C:\Windows\{8C5263D5-9E2C-41a1-8EC5-79A4A823CFB3}.exe
        
        C:\Windows\{8C5263D5-9E2C-41a1-8EC5-79A4A823CFB3}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2032
        
        C:\Windows\{DC3533FF-AA5D-4dda-B5E5-2C0E8F4C6DD6}.exe
        
        C:\Windows\{DC3533FF-AA5D-4dda-B5E5-2C0E8F4C6DD6}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:788
        
        C:\Windows\{3B4034EB-8D50-4033-B6BA-7649DBBDBEC1}.exe
        
        C:\Windows\{3B4034EB-8D50-4033-B6BA-7649DBBDBEC1}.exe
        12⤵
        Executes dropped EXE
        
        PID:1812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DC353~1.EXE > nul
        12⤵
        
        PID:632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8C526~1.EXE > nul
        11⤵
        
        PID:300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A6EFE~1.EXE > nul
        10⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{43024~1.EXE > nul
        9⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{51A2F~1.EXE > nul
        8⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9BFBA~1.EXE > nul
        7⤵
        
        PID:1480
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EF327~1.EXE > nul
        6⤵
        
        PID:824
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EBA45~1.EXE > nul
        5⤵
        
        PID:2760
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{4BAA3~1.EXE > nul
      4⤵
      PID:2440
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{10831~1.EXE > nul
    3⤵
    PID:2596
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{108312AF-CCBE-48e8-A606-E425817ED0FB}.exe

Filesize
197KB

MD5
1568f3d10255826ec79949799417a076

SHA1
68f5c2b39fc73dfb55d8f2d3da90458015ca04e4

SHA256
567cfebdd4cb2ba768895a4961882899479b0d6cf0b907296b3c6a7330ae97bb

SHA512
183f01c35c7cce431bc4dcd87016b622e58c8e8b29296c4abe593163be8a1d6c8ac11d31129728b4f848b09c031fde1a127cbf2c8973c2eca30b96ad9e8df699

Download Submit
C:\Windows\{3B4034EB-8D50-4033-B6BA-7649DBBDBEC1}.exe

Filesize
197KB

MD5
2575c292e4bdbfd87920e66b71583265

SHA1
6156badf6293aa5833a66a1ed85345f45d369373

SHA256
bc8ec1bff9d0850fc7b526d959afbcf2788b0374c56e9dbae2df0f9d70356421

SHA512
80929046ebe2b2ddf48e3a34472e0ecba34bd57dbe48cec8cf395c7cc807e1abdb5d3bbb07ce12e9f0f032e9a01143310d23081060e40174695cbc24382d51e1

Download Submit
C:\Windows\{430244C4-0778-4742-92A5-A2AE1001649F}.exe

Filesize
197KB

MD5
d34fb8d4cf42e38b4f335cc54b450d91

SHA1
cd685c1347c189662b7d8ed18ea9620ab921bce0

SHA256
64ab0cc7b9c22cc0680c80d857dfb91425fd46420ebcd34cb29425fc23fd6fed

SHA512
97e9f37742ebd2aee2232fcd109e319fb6b1593d14b1143b2e7530805d43cf28937e12d1944f786622f92d720e8e985335a6552bbfb5c8a02cc693008b6882a6

Download Submit
C:\Windows\{4BAA343A-6EA5-4c04-A461-5F580F24BEDC}.exe

Filesize
197KB

MD5
7433c985ed56796675d443c842b93769

SHA1
7622c584b42dca41dbe37af518d735c6c4b5c23e

SHA256
20866fd0eea7bfac2c5b1f71db452058f00e4d47289f7bb91681223e345bdb2b

SHA512
a185077dfacb0f6fc0f0c5adeb2ec4de37f6f9ef5fac949cb9055035996426ae69efc6d7c9464e7b906ee6a22ff10a6db1109d7de59633c773be41d63cae6515

Download Submit
C:\Windows\{51A2F3E7-1464-4e50-B720-30FD55912DB2}.exe

Filesize
197KB

MD5
a5611cde58f79404b7ed4d9e0b794529

SHA1
cdd6dc8cbcbd532ebf19e607a3cdf69ca5f26c65

SHA256
17d898a4118568c6215248a88aef914d598711ee513f570cf6629fbf25fce7f2

SHA512
21e7a66ce3299e99f09ce60b6c937326110a76a167c72e65f246f44591b8659eec11203fb1cae50bdb460e0c264fbf9d54d9f479df7cf2aa1efc009075270808

Download Submit
C:\Windows\{8C5263D5-9E2C-41a1-8EC5-79A4A823CFB3}.exe

Filesize
197KB

MD5
36d4b105a4cb8d32a5cd71810c989b7a

SHA1
9484a5f54ccd940f10343266aa5792cc897efcd8

SHA256
18e0000e46c1af131ad475d0670836b40cdc4f4ad8d1b4f0f5de9c4acfc111ec

SHA512
f9f554ee38d29101338011c3cfb42bb6632c1d8161683621051658558b382ca4d86ef0f81d12ce31820ba6063aedb531a24b3355748f81da56b61534f2d345d5

Download Submit
C:\Windows\{9BFBAF57-96B8-433a-9481-8B5A7F5A7755}.exe

Filesize
197KB

MD5
ced0e539bf4924b6d270544df1b26b12

SHA1
d3fa152a2526844445381796a2011704dcae2659

SHA256
7a05258c3edc061518dda5080c625b609bac327fdeb27f9b3dc5e06e1f7fdbd4

SHA512
1338612b6d176ecfe221c229d4c6c60b6ef4369bf6e8f6c09c192542c5711decbfa9276d16f3f7c28eed058ea8a5df25f8ef411647a3b293599d4a2b5569829a

Download Submit
C:\Windows\{A6EFEF45-2F7C-4258-8EB6-CF27A43F9307}.exe

Filesize
197KB

MD5
dea029f7d7b2e390bd54372d4e82f739

SHA1
d006b1aaa176b2b948631cbcd1ea987869bcc642

SHA256
c63c906ebae6afc48dbd914d9c4d49c7291c01c32dffdcee85ff8fd04bfa0eed

SHA512
cd77c2cb564b51122c169c612211d389625151b33705df08bb36d1cf9943bb6754699dbeac0187dab58108d38e50ce37a7b8bad2ea458937c0d0b9b9e60d8338

Download Submit
C:\Windows\{DC3533FF-AA5D-4dda-B5E5-2C0E8F4C6DD6}.exe

Filesize
197KB

MD5
d240edbab94a74956446b427e029c867

SHA1
64facfb90481aa238b583c430ff2cf54e18bd90a

SHA256
15e442e4ab102c453a1e42211da77d93697300f8e8132afaf06cf68f82e5260f

SHA512
f590a0df78ce380e61f54663509406022cee52422deeec8dbe7eda05b10fa7be6e2cfb7b4f22ed41e57a08c6fdf58d5b80b587c886dc9ebe43d82c828a1a2e5f

Download Submit
C:\Windows\{EBA45003-EBDF-4b36-91DA-B2D914951117}.exe

Filesize
197KB

MD5
40126b6899c6b941c9083bc7bbf9fa35

SHA1
72d10a0038f31667dbe74039cb6e6bfad951d244

SHA256
691b71c26003185a6c4d1439961657bfb4a945f92db3750845397660bb1d3b2a

SHA512
47b4e1b40eccdf0c9b6ccf52e8fd965a5e5b62ea83be9376af62c308e2c26f5e058b7019cf88b0ff6782ae9a1619a6f159e0f149e51825df948b8d917cd920ee

Download Submit
C:\Windows\{EF327ACE-4A48-45b0-89E6-D8E3C33BC280}.exe

Filesize
197KB

MD5
25f4566a833e23e953cfa23b8e35c067

SHA1
c8783ad304bb337994bc1aecb96ed090c4d36320

SHA256
3ee2b42929f84050667b9496031d116f536397b00db8dfa8842c2eecfd618716

SHA512
3afe3f6d5ec45b8a4bf9a88481dc3df92fe8575deda1b8015879194cc972873953d07ffbb4f00f6ffd7500537c8019ac6c9fa65c32b44f2f74633c1b84aa19c8

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads