1bd2c6b1b4ee5b08cf3b78587a42c2071ca725f51e717b90d97a7adeaaae8900

Analysis

max time kernel
144s
max time network
118s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
14/03/2024, 06:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-14_c3e7409a069a2e184e48530ae94b8bcf_goldeneye.exe
Size

344KB
MD5

c3e7409a069a2e184e48530ae94b8bcf
SHA1

464a7e027be0ceabdae8d72abef746f63b43c1ce
SHA256

1bd2c6b1b4ee5b08cf3b78587a42c2071ca725f51e717b90d97a7adeaaae8900
SHA512

27be1731f27b1151edcce3bcbcce2aecf63aca8e6764e596da0ec3e14a4e89e441caa25df5811aa06b0582bf787adc43338dd893aa84378734b44e9de5c99406
SSDEEP

3072:mEGh0oslEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGClqOe2MUVg3v2IneKcAEcA

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000c000000012253-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b000000015d59-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000012253-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e000000012253-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002f0000000161ee-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f000000012253-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00300000000161ee-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0010000000012253-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00310000000161ee-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0011000000012253-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9C270D86-898D-4bb2-ABAC-0B028AD30C41}\stubpath = "C:\\Windows\\{9C270D86-898D-4bb2-ABAC-0B028AD30C41}.exe"	{00973941-E5BE-4c41-889B-C8D4A980DEE0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DA75334C-12B2-45b9-B4FA-1B7CFC583B41}	{9C270D86-898D-4bb2-ABAC-0B028AD30C41}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1B522344-7303-459b-8DBA-60172987AF42}\stubpath = "C:\\Windows\\{1B522344-7303-459b-8DBA-60172987AF42}.exe"	2024-03-14_c3e7409a069a2e184e48530ae94b8bcf_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4AB4BA22-E01F-4c19-AD90-AFB78A9B3B84}	{62A70EF6-15EE-4d38-9AFB-3622C91236AF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0C42F8F2-C394-4c25-9A9A-70107220FC06}	{4AB4BA22-E01F-4c19-AD90-AFB78A9B3B84}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0C42F8F2-C394-4c25-9A9A-70107220FC06}\stubpath = "C:\\Windows\\{0C42F8F2-C394-4c25-9A9A-70107220FC06}.exe"	{4AB4BA22-E01F-4c19-AD90-AFB78A9B3B84}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A487C1EF-4390-4aca-9F0C-5001BDE8A141}\stubpath = "C:\\Windows\\{A487C1EF-4390-4aca-9F0C-5001BDE8A141}.exe"	{69A110ED-6CA7-4cc5-BEDC-DAF826E426F9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9C270D86-898D-4bb2-ABAC-0B028AD30C41}	{00973941-E5BE-4c41-889B-C8D4A980DEE0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8314348C-2EF5-4a72-83BC-8E00E0E63E7B}	{DA75334C-12B2-45b9-B4FA-1B7CFC583B41}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1B522344-7303-459b-8DBA-60172987AF42}	2024-03-14_c3e7409a069a2e184e48530ae94b8bcf_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{62A70EF6-15EE-4d38-9AFB-3622C91236AF}\stubpath = "C:\\Windows\\{62A70EF6-15EE-4d38-9AFB-3622C91236AF}.exe"	{1B522344-7303-459b-8DBA-60172987AF42}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ECB5D9DE-8B93-417f-9302-E3AF9D4123F4}\stubpath = "C:\\Windows\\{ECB5D9DE-8B93-417f-9302-E3AF9D4123F4}.exe"	{A487C1EF-4390-4aca-9F0C-5001BDE8A141}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8314348C-2EF5-4a72-83BC-8E00E0E63E7B}\stubpath = "C:\\Windows\\{8314348C-2EF5-4a72-83BC-8E00E0E63E7B}.exe"	{DA75334C-12B2-45b9-B4FA-1B7CFC583B41}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{69A110ED-6CA7-4cc5-BEDC-DAF826E426F9}\stubpath = "C:\\Windows\\{69A110ED-6CA7-4cc5-BEDC-DAF826E426F9}.exe"	{0C42F8F2-C394-4c25-9A9A-70107220FC06}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A487C1EF-4390-4aca-9F0C-5001BDE8A141}	{69A110ED-6CA7-4cc5-BEDC-DAF826E426F9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ECB5D9DE-8B93-417f-9302-E3AF9D4123F4}	{A487C1EF-4390-4aca-9F0C-5001BDE8A141}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{00973941-E5BE-4c41-889B-C8D4A980DEE0}	{ECB5D9DE-8B93-417f-9302-E3AF9D4123F4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{00973941-E5BE-4c41-889B-C8D4A980DEE0}\stubpath = "C:\\Windows\\{00973941-E5BE-4c41-889B-C8D4A980DEE0}.exe"	{ECB5D9DE-8B93-417f-9302-E3AF9D4123F4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{62A70EF6-15EE-4d38-9AFB-3622C91236AF}	{1B522344-7303-459b-8DBA-60172987AF42}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4AB4BA22-E01F-4c19-AD90-AFB78A9B3B84}\stubpath = "C:\\Windows\\{4AB4BA22-E01F-4c19-AD90-AFB78A9B3B84}.exe"	{62A70EF6-15EE-4d38-9AFB-3622C91236AF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{69A110ED-6CA7-4cc5-BEDC-DAF826E426F9}	{0C42F8F2-C394-4c25-9A9A-70107220FC06}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DA75334C-12B2-45b9-B4FA-1B7CFC583B41}\stubpath = "C:\\Windows\\{DA75334C-12B2-45b9-B4FA-1B7CFC583B41}.exe"	{9C270D86-898D-4bb2-ABAC-0B028AD30C41}.exe

Deletes itself 1 IoCs

pid	Process
2636	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2904	{1B522344-7303-459b-8DBA-60172987AF42}.exe
2660	{62A70EF6-15EE-4d38-9AFB-3622C91236AF}.exe
2652	{4AB4BA22-E01F-4c19-AD90-AFB78A9B3B84}.exe
1724	{0C42F8F2-C394-4c25-9A9A-70107220FC06}.exe
2196	{69A110ED-6CA7-4cc5-BEDC-DAF826E426F9}.exe
2308	{A487C1EF-4390-4aca-9F0C-5001BDE8A141}.exe
1752	{ECB5D9DE-8B93-417f-9302-E3AF9D4123F4}.exe
580	{00973941-E5BE-4c41-889B-C8D4A980DEE0}.exe
2804	{9C270D86-898D-4bb2-ABAC-0B028AD30C41}.exe
2772	{DA75334C-12B2-45b9-B4FA-1B7CFC583B41}.exe
2104	{8314348C-2EF5-4a72-83BC-8E00E0E63E7B}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{69A110ED-6CA7-4cc5-BEDC-DAF826E426F9}.exe	{0C42F8F2-C394-4c25-9A9A-70107220FC06}.exe
File created	C:\Windows\{9C270D86-898D-4bb2-ABAC-0B028AD30C41}.exe	{00973941-E5BE-4c41-889B-C8D4A980DEE0}.exe
File created	C:\Windows\{DA75334C-12B2-45b9-B4FA-1B7CFC583B41}.exe	{9C270D86-898D-4bb2-ABAC-0B028AD30C41}.exe
File created	C:\Windows\{8314348C-2EF5-4a72-83BC-8E00E0E63E7B}.exe	{DA75334C-12B2-45b9-B4FA-1B7CFC583B41}.exe
File created	C:\Windows\{1B522344-7303-459b-8DBA-60172987AF42}.exe	2024-03-14_c3e7409a069a2e184e48530ae94b8bcf_goldeneye.exe
File created	C:\Windows\{62A70EF6-15EE-4d38-9AFB-3622C91236AF}.exe	{1B522344-7303-459b-8DBA-60172987AF42}.exe
File created	C:\Windows\{4AB4BA22-E01F-4c19-AD90-AFB78A9B3B84}.exe	{62A70EF6-15EE-4d38-9AFB-3622C91236AF}.exe
File created	C:\Windows\{00973941-E5BE-4c41-889B-C8D4A980DEE0}.exe	{ECB5D9DE-8B93-417f-9302-E3AF9D4123F4}.exe
File created	C:\Windows\{0C42F8F2-C394-4c25-9A9A-70107220FC06}.exe	{4AB4BA22-E01F-4c19-AD90-AFB78A9B3B84}.exe
File created	C:\Windows\{A487C1EF-4390-4aca-9F0C-5001BDE8A141}.exe	{69A110ED-6CA7-4cc5-BEDC-DAF826E426F9}.exe
File created	C:\Windows\{ECB5D9DE-8B93-417f-9302-E3AF9D4123F4}.exe	{A487C1EF-4390-4aca-9F0C-5001BDE8A141}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2872	2024-03-14_c3e7409a069a2e184e48530ae94b8bcf_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2904	{1B522344-7303-459b-8DBA-60172987AF42}.exe
Token: SeIncBasePriorityPrivilege	2660	{62A70EF6-15EE-4d38-9AFB-3622C91236AF}.exe
Token: SeIncBasePriorityPrivilege	2652	{4AB4BA22-E01F-4c19-AD90-AFB78A9B3B84}.exe
Token: SeIncBasePriorityPrivilege	1724	{0C42F8F2-C394-4c25-9A9A-70107220FC06}.exe
Token: SeIncBasePriorityPrivilege	2196	{69A110ED-6CA7-4cc5-BEDC-DAF826E426F9}.exe
Token: SeIncBasePriorityPrivilege	2308	{A487C1EF-4390-4aca-9F0C-5001BDE8A141}.exe
Token: SeIncBasePriorityPrivilege	1752	{ECB5D9DE-8B93-417f-9302-E3AF9D4123F4}.exe
Token: SeIncBasePriorityPrivilege	580	{00973941-E5BE-4c41-889B-C8D4A980DEE0}.exe
Token: SeIncBasePriorityPrivilege	2804	{9C270D86-898D-4bb2-ABAC-0B028AD30C41}.exe
Token: SeIncBasePriorityPrivilege	2772	{DA75334C-12B2-45b9-B4FA-1B7CFC583B41}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2872 wrote to memory of 2904	2872	2024-03-14_c3e7409a069a2e184e48530ae94b8bcf_goldeneye.exe	28
PID 2872 wrote to memory of 2904	2872	2024-03-14_c3e7409a069a2e184e48530ae94b8bcf_goldeneye.exe	28
PID 2872 wrote to memory of 2904	2872	2024-03-14_c3e7409a069a2e184e48530ae94b8bcf_goldeneye.exe	28
PID 2872 wrote to memory of 2904	2872	2024-03-14_c3e7409a069a2e184e48530ae94b8bcf_goldeneye.exe	28
PID 2872 wrote to memory of 2636	2872	2024-03-14_c3e7409a069a2e184e48530ae94b8bcf_goldeneye.exe	29
PID 2872 wrote to memory of 2636	2872	2024-03-14_c3e7409a069a2e184e48530ae94b8bcf_goldeneye.exe	29
PID 2872 wrote to memory of 2636	2872	2024-03-14_c3e7409a069a2e184e48530ae94b8bcf_goldeneye.exe	29
PID 2872 wrote to memory of 2636	2872	2024-03-14_c3e7409a069a2e184e48530ae94b8bcf_goldeneye.exe	29
PID 2904 wrote to memory of 2660	2904	{1B522344-7303-459b-8DBA-60172987AF42}.exe	30
PID 2904 wrote to memory of 2660	2904	{1B522344-7303-459b-8DBA-60172987AF42}.exe	30
PID 2904 wrote to memory of 2660	2904	{1B522344-7303-459b-8DBA-60172987AF42}.exe	30
PID 2904 wrote to memory of 2660	2904	{1B522344-7303-459b-8DBA-60172987AF42}.exe	30
PID 2904 wrote to memory of 2448	2904	{1B522344-7303-459b-8DBA-60172987AF42}.exe	31
PID 2904 wrote to memory of 2448	2904	{1B522344-7303-459b-8DBA-60172987AF42}.exe	31
PID 2904 wrote to memory of 2448	2904	{1B522344-7303-459b-8DBA-60172987AF42}.exe	31
PID 2904 wrote to memory of 2448	2904	{1B522344-7303-459b-8DBA-60172987AF42}.exe	31
PID 2660 wrote to memory of 2652	2660	{62A70EF6-15EE-4d38-9AFB-3622C91236AF}.exe	32
PID 2660 wrote to memory of 2652	2660	{62A70EF6-15EE-4d38-9AFB-3622C91236AF}.exe	32
PID 2660 wrote to memory of 2652	2660	{62A70EF6-15EE-4d38-9AFB-3622C91236AF}.exe	32
PID 2660 wrote to memory of 2652	2660	{62A70EF6-15EE-4d38-9AFB-3622C91236AF}.exe	32
PID 2660 wrote to memory of 2424	2660	{62A70EF6-15EE-4d38-9AFB-3622C91236AF}.exe	33
PID 2660 wrote to memory of 2424	2660	{62A70EF6-15EE-4d38-9AFB-3622C91236AF}.exe	33
PID 2660 wrote to memory of 2424	2660	{62A70EF6-15EE-4d38-9AFB-3622C91236AF}.exe	33
PID 2660 wrote to memory of 2424	2660	{62A70EF6-15EE-4d38-9AFB-3622C91236AF}.exe	33
PID 2652 wrote to memory of 1724	2652	{4AB4BA22-E01F-4c19-AD90-AFB78A9B3B84}.exe	36
PID 2652 wrote to memory of 1724	2652	{4AB4BA22-E01F-4c19-AD90-AFB78A9B3B84}.exe	36
PID 2652 wrote to memory of 1724	2652	{4AB4BA22-E01F-4c19-AD90-AFB78A9B3B84}.exe	36
PID 2652 wrote to memory of 1724	2652	{4AB4BA22-E01F-4c19-AD90-AFB78A9B3B84}.exe	36
PID 2652 wrote to memory of 112	2652	{4AB4BA22-E01F-4c19-AD90-AFB78A9B3B84}.exe	37
PID 2652 wrote to memory of 112	2652	{4AB4BA22-E01F-4c19-AD90-AFB78A9B3B84}.exe	37
PID 2652 wrote to memory of 112	2652	{4AB4BA22-E01F-4c19-AD90-AFB78A9B3B84}.exe	37
PID 2652 wrote to memory of 112	2652	{4AB4BA22-E01F-4c19-AD90-AFB78A9B3B84}.exe	37
PID 1724 wrote to memory of 2196	1724	{0C42F8F2-C394-4c25-9A9A-70107220FC06}.exe	38
PID 1724 wrote to memory of 2196	1724	{0C42F8F2-C394-4c25-9A9A-70107220FC06}.exe	38
PID 1724 wrote to memory of 2196	1724	{0C42F8F2-C394-4c25-9A9A-70107220FC06}.exe	38
PID 1724 wrote to memory of 2196	1724	{0C42F8F2-C394-4c25-9A9A-70107220FC06}.exe	38
PID 1724 wrote to memory of 340	1724	{0C42F8F2-C394-4c25-9A9A-70107220FC06}.exe	39
PID 1724 wrote to memory of 340	1724	{0C42F8F2-C394-4c25-9A9A-70107220FC06}.exe	39
PID 1724 wrote to memory of 340	1724	{0C42F8F2-C394-4c25-9A9A-70107220FC06}.exe	39
PID 1724 wrote to memory of 340	1724	{0C42F8F2-C394-4c25-9A9A-70107220FC06}.exe	39
PID 2196 wrote to memory of 2308	2196	{69A110ED-6CA7-4cc5-BEDC-DAF826E426F9}.exe	40
PID 2196 wrote to memory of 2308	2196	{69A110ED-6CA7-4cc5-BEDC-DAF826E426F9}.exe	40
PID 2196 wrote to memory of 2308	2196	{69A110ED-6CA7-4cc5-BEDC-DAF826E426F9}.exe	40
PID 2196 wrote to memory of 2308	2196	{69A110ED-6CA7-4cc5-BEDC-DAF826E426F9}.exe	40
PID 2196 wrote to memory of 776	2196	{69A110ED-6CA7-4cc5-BEDC-DAF826E426F9}.exe	41
PID 2196 wrote to memory of 776	2196	{69A110ED-6CA7-4cc5-BEDC-DAF826E426F9}.exe	41
PID 2196 wrote to memory of 776	2196	{69A110ED-6CA7-4cc5-BEDC-DAF826E426F9}.exe	41
PID 2196 wrote to memory of 776	2196	{69A110ED-6CA7-4cc5-BEDC-DAF826E426F9}.exe	41
PID 2308 wrote to memory of 1752	2308	{A487C1EF-4390-4aca-9F0C-5001BDE8A141}.exe	42
PID 2308 wrote to memory of 1752	2308	{A487C1EF-4390-4aca-9F0C-5001BDE8A141}.exe	42
PID 2308 wrote to memory of 1752	2308	{A487C1EF-4390-4aca-9F0C-5001BDE8A141}.exe	42
PID 2308 wrote to memory of 1752	2308	{A487C1EF-4390-4aca-9F0C-5001BDE8A141}.exe	42
PID 2308 wrote to memory of 536	2308	{A487C1EF-4390-4aca-9F0C-5001BDE8A141}.exe	43
PID 2308 wrote to memory of 536	2308	{A487C1EF-4390-4aca-9F0C-5001BDE8A141}.exe	43
PID 2308 wrote to memory of 536	2308	{A487C1EF-4390-4aca-9F0C-5001BDE8A141}.exe	43
PID 2308 wrote to memory of 536	2308	{A487C1EF-4390-4aca-9F0C-5001BDE8A141}.exe	43
PID 1752 wrote to memory of 580	1752	{ECB5D9DE-8B93-417f-9302-E3AF9D4123F4}.exe	44
PID 1752 wrote to memory of 580	1752	{ECB5D9DE-8B93-417f-9302-E3AF9D4123F4}.exe	44
PID 1752 wrote to memory of 580	1752	{ECB5D9DE-8B93-417f-9302-E3AF9D4123F4}.exe	44
PID 1752 wrote to memory of 580	1752	{ECB5D9DE-8B93-417f-9302-E3AF9D4123F4}.exe	44
PID 1752 wrote to memory of 1292	1752	{ECB5D9DE-8B93-417f-9302-E3AF9D4123F4}.exe	45
PID 1752 wrote to memory of 1292	1752	{ECB5D9DE-8B93-417f-9302-E3AF9D4123F4}.exe	45
PID 1752 wrote to memory of 1292	1752	{ECB5D9DE-8B93-417f-9302-E3AF9D4123F4}.exe	45
PID 1752 wrote to memory of 1292	1752	{ECB5D9DE-8B93-417f-9302-E3AF9D4123F4}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-03-14_c3e7409a069a2e184e48530ae94b8bcf_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-14_c3e7409a069a2e184e48530ae94b8bcf_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2872
- C:\Windows\{1B522344-7303-459b-8DBA-60172987AF42}.exe
  C:\Windows\{1B522344-7303-459b-8DBA-60172987AF42}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2904
- - C:\Windows\{62A70EF6-15EE-4d38-9AFB-3622C91236AF}.exe
    C:\Windows\{62A70EF6-15EE-4d38-9AFB-3622C91236AF}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2660
  - - C:\Windows\{4AB4BA22-E01F-4c19-AD90-AFB78A9B3B84}.exe
      C:\Windows\{4AB4BA22-E01F-4c19-AD90-AFB78A9B3B84}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2652
    - - C:\Windows\{0C42F8F2-C394-4c25-9A9A-70107220FC06}.exe
        
        C:\Windows\{0C42F8F2-C394-4c25-9A9A-70107220FC06}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1724
      - C:\Windows\{69A110ED-6CA7-4cc5-BEDC-DAF826E426F9}.exe
        
        C:\Windows\{69A110ED-6CA7-4cc5-BEDC-DAF826E426F9}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2196
        
        C:\Windows\{A487C1EF-4390-4aca-9F0C-5001BDE8A141}.exe
        
        C:\Windows\{A487C1EF-4390-4aca-9F0C-5001BDE8A141}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2308
        
        C:\Windows\{ECB5D9DE-8B93-417f-9302-E3AF9D4123F4}.exe
        
        C:\Windows\{ECB5D9DE-8B93-417f-9302-E3AF9D4123F4}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1752
        
        C:\Windows\{00973941-E5BE-4c41-889B-C8D4A980DEE0}.exe
        
        C:\Windows\{00973941-E5BE-4c41-889B-C8D4A980DEE0}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:580
        
        C:\Windows\{9C270D86-898D-4bb2-ABAC-0B028AD30C41}.exe
        
        C:\Windows\{9C270D86-898D-4bb2-ABAC-0B028AD30C41}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2804
        
        C:\Windows\{DA75334C-12B2-45b9-B4FA-1B7CFC583B41}.exe
        
        C:\Windows\{DA75334C-12B2-45b9-B4FA-1B7CFC583B41}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2772
        
        C:\Windows\{8314348C-2EF5-4a72-83BC-8E00E0E63E7B}.exe
        
        C:\Windows\{8314348C-2EF5-4a72-83BC-8E00E0E63E7B}.exe
        12⤵
        Executes dropped EXE
        
        PID:2104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DA753~1.EXE > nul
        12⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9C270~1.EXE > nul
        11⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{00973~1.EXE > nul
        10⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{ECB5D~1.EXE > nul
        9⤵
        
        PID:1292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A487C~1.EXE > nul
        8⤵
        
        PID:536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{69A11~1.EXE > nul
        7⤵
        
        PID:776
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0C42F~1.EXE > nul
        6⤵
        
        PID:340
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4AB4B~1.EXE > nul
        5⤵
        
        PID:112
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{62A70~1.EXE > nul
      4⤵
      PID:2424
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{1B522~1.EXE > nul
    3⤵
    PID:2448
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{00973941-E5BE-4c41-889B-C8D4A980DEE0}.exe

Filesize
344KB

MD5
50e8bf39bdd03fe3cdb9f5eeae2bcfeb

SHA1
834ab00b64b8e94be8b3e5e19791c5657333711c

SHA256
30a0bf3090ebb516ef2b0c06b344ebeb143db5b036002a2ce8d37af07b0180eb

SHA512
85f919f2b0d45bd19ef88bee1c943f170b15e5264d1a911ac3ed6b7c5ae13bd6a3b0f391484d457ce3dbb50b23a18fe3d48873076061823c1d19fc9800f274fc

Download Submit
C:\Windows\{0C42F8F2-C394-4c25-9A9A-70107220FC06}.exe

Filesize
344KB

MD5
a5ec7994e388d5707639575a25ed8656

SHA1
68ea0d82eef17ae47836d5c6f830d27b1e22fe02

SHA256
f30321b7f1ad919b26280d1434e8989ad5d76bae1acb243dc90911efd47bd3ba

SHA512
cf04b58222ea71aba79b6a4e213490bc777a7f05446d2de3c6f5d47cc090d30cd308fffc8ef2b5d2cf2253c8b3a04c08caa5a4199e720361e9d5a99b28f1f2d9

Download Submit
C:\Windows\{1B522344-7303-459b-8DBA-60172987AF42}.exe

Filesize
344KB

MD5
ba9602763366584ffcf0d5a257346d92

SHA1
74513144ede578b446019ce42d2c41297e922df1

SHA256
63e08e2a7a4e611e70e38e55fb3ebee57fa3b487dc27b829951ed9b5d4c6a9f1

SHA512
79f4e865257e5ff5e4fa774ae1102731113db9b67cd111ee3e2658647013abd2227bba287070bf77c620d57cd176cdb53072dc05f9a8638c36dd4749228969f5

Download Submit
C:\Windows\{4AB4BA22-E01F-4c19-AD90-AFB78A9B3B84}.exe

Filesize
344KB

MD5
9910a0ffd4090a811b90cc2f273fe3a0

SHA1
cb213c3085fbfa58454faf4f578fde573bb3b1d0

SHA256
fdfc23070e67721fc322c57dc4e8601ce33dcda6d0df165500236d99b11cbcf5

SHA512
b5b8db99968d558ce26aa7bce293787940e7e8c12f2452b563dd7e58465d3b08253b400a5d289e0dfeaf107143b68a5147e1be2786dc44893be0ba10ed2b38df

Download Submit
C:\Windows\{62A70EF6-15EE-4d38-9AFB-3622C91236AF}.exe

Filesize
344KB

MD5
35ae2d6fa709a7e7afdbb8400d8c195a

SHA1
3e83e6932f7da86a5acae481d24cbcfba366d401

SHA256
b3fe2ad69f6b2726fe3b02c80d31623c058314cafa4b94a131ce8a446592290f

SHA512
eca5a2e3a4c646276d5fd0add35f2cb77ff215424e635d338718371b34490fec6d155016d1abf2702e28244d194352c5985bc8a8868a8df9e718fa2ba29a9e17

Download Submit
C:\Windows\{69A110ED-6CA7-4cc5-BEDC-DAF826E426F9}.exe

Filesize
344KB

MD5
70cc079dcc857abb5fbe6790b7d7dff0

SHA1
21fa28fbc87f868ae53fab0326490caf04b4a1b3

SHA256
8ef598b9d10cb976cb7f69015056c63d836c51d6dc79c28b8a014ed29dcd766d

SHA512
d32d9f4c79d99047579e68325ad7a97f6dee659048dc18871baecde4371a26b0f39105cf54d80d787a041cca55c914313109a751a65159672b92dc0c473ba8a1

Download Submit
C:\Windows\{8314348C-2EF5-4a72-83BC-8E00E0E63E7B}.exe

Filesize
344KB

MD5
6d2c27f62ec0880183502ca306e51264

SHA1
ea0c8da692864e84f59b6d99c183d31c724a56a5

SHA256
2ff007bfadfb2b1a6062c541e1dbfa7b61124913d0bfd1d33bde6d6ebd68834c

SHA512
d336094c3dc602b7faf85c9710b1bfc9526c4a23b89c745191190820e5847874c6ab68763bf033768a5a999b9e2a1e559a7592d41ded426124a08d9298954b45

Download Submit
C:\Windows\{9C270D86-898D-4bb2-ABAC-0B028AD30C41}.exe

Filesize
344KB

MD5
f19b6e8b222ed8ab7570f475738d3e3f

SHA1
d77a1d12170e0ed9edec6759f67a0d75d2dfb448

SHA256
798fcacdaa601b25361db125dd1ac64c01707c169277179c54b7c4e8dfd3baaa

SHA512
0d71c54e858df0dd9611524ec3a15e849d77460136eb75d8d1f43e196b8e38b4089a43a4332e9724c923f28a2242c1f5a075e97f2b95ed72b828b2b426c564c9

Download Submit
C:\Windows\{A487C1EF-4390-4aca-9F0C-5001BDE8A141}.exe

Filesize
344KB

MD5
0f0abaa7e49e8b0350da3f5618aa7db6

SHA1
a278d46ab35fec91d6afdd5c8e3f9f9c6dbc6d5f

SHA256
9f4d3a6bbfa09a0353b4f2c3b2ad81b1ba38624c82e5176b750e5c3d8f1da4d7

SHA512
ee3bfe25c9ad238a1ce51a0b54888ec4766c451fc4e79d94f499f980d878a1d113025178b132a72dc62d24af25a2dbf7baa99ce039c17418aa57b85a57eaf649

Download Submit
C:\Windows\{DA75334C-12B2-45b9-B4FA-1B7CFC583B41}.exe

Filesize
344KB

MD5
f04faf0be8b03e6116bbe4ce9e48dfa0

SHA1
ca7df4ce2661ab96bd434605030c3793de710842

SHA256
c95e5b78efb2200dbff587846c8ae6315b680937b5d0a15ba7de0c0e6abab37e

SHA512
aa04d035a944bdf169125f55d510f450c45154bdbda768284bacd091b9f533a0a0b2a79decf1f09cc2830a595d9c36df51e527ea2ffa8d313f834ff13a890421

Download Submit
C:\Windows\{ECB5D9DE-8B93-417f-9302-E3AF9D4123F4}.exe

Filesize
344KB

MD5
27bca2186c54d5e0b998ec4f8a39af5d

SHA1
b13a5482793b24a49938784046247f02ca760979

SHA256
d5206c9c8cbfd5ad048e68765c5409f81976c0b790b203b425b1c1f4b29fbd26

SHA512
384a2de3b39b1b0c228d049b7e436e0e6fdbf449ca9638be19e729c4228d8e0e6921dd3e7fc0b49502f17a01ca8eb5c1c293da093091c0bacc31970df753c340

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads