22dbce52e908097a2be5622b9a82dcaa0b63fea5a3921f8fe642c726518c8d1f

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
15/03/2024, 04:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-15_6af43a5f2ce142a75703da365acb32a8_goldeneye.exe
Size

344KB
MD5

6af43a5f2ce142a75703da365acb32a8
SHA1

3ac041723f68fbdf094fdb376165ead8c3899dbe
SHA256

22dbce52e908097a2be5622b9a82dcaa0b63fea5a3921f8fe642c726518c8d1f
SHA512

b0665b635a7d6cfc5a7139367d83fb742e21420d33b7b9301319ebebcaf56f8a3c7057dabc45a5bfc462d9c360638dfecc42409dbc48bf46c0ae9c28d6654eba
SSDEEP

3072:mEGh0oFlEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGblqOe2MUVg3v2IneKcAEcA

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral1/files/0x00090000000122be-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000013ab9-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a0000000122be-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x003600000001654a-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b0000000122be-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c0000000122be-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d0000000122be-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d0000000122be-69.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{68A24166-A621-4684-BB87-F80D7FA71A10}	{0802DA39-7582-44e3-B595-DBEF47410AC0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F0952612-C21D-4f72-BC3A-C143CB7607FB}\stubpath = "C:\\Windows\\{F0952612-C21D-4f72-BC3A-C143CB7607FB}.exe"	{68A24166-A621-4684-BB87-F80D7FA71A10}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D778F20F-0885-474d-87C9-10162F50D55C}	{FAE3C2CA-6544-4371-8E1B-D6F07153033D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AA1B3ECE-B118-46b3-BACB-4CCB5ED5618B}	{D778F20F-0885-474d-87C9-10162F50D55C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AA1B3ECE-B118-46b3-BACB-4CCB5ED5618B}\stubpath = "C:\\Windows\\{AA1B3ECE-B118-46b3-BACB-4CCB5ED5618B}.exe"	{D778F20F-0885-474d-87C9-10162F50D55C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{209023BF-8107-4e49-A4F4-94F585C2D4CB}\stubpath = "C:\\Windows\\{209023BF-8107-4e49-A4F4-94F585C2D4CB}.exe"	{76546806-DE46-4b8f-9604-126547C78D89}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FDF7E13A-FA2B-4bef-BB35-69F31AD25855}\stubpath = "C:\\Windows\\{FDF7E13A-FA2B-4bef-BB35-69F31AD25855}.exe"	{95C2B1E9-A841-4f4e-A4C3-6D15AAE1236E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0802DA39-7582-44e3-B595-DBEF47410AC0}	{FDF7E13A-FA2B-4bef-BB35-69F31AD25855}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6C4BD64B-BA9E-446a-81B5-AF2A5180260D}	{F0952612-C21D-4f72-BC3A-C143CB7607FB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6C4BD64B-BA9E-446a-81B5-AF2A5180260D}\stubpath = "C:\\Windows\\{6C4BD64B-BA9E-446a-81B5-AF2A5180260D}.exe"	{F0952612-C21D-4f72-BC3A-C143CB7607FB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FAE3C2CA-6544-4371-8E1B-D6F07153033D}\stubpath = "C:\\Windows\\{FAE3C2CA-6544-4371-8E1B-D6F07153033D}.exe"	2024-03-15_6af43a5f2ce142a75703da365acb32a8_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{76546806-DE46-4b8f-9604-126547C78D89}	{AA1B3ECE-B118-46b3-BACB-4CCB5ED5618B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{76546806-DE46-4b8f-9604-126547C78D89}\stubpath = "C:\\Windows\\{76546806-DE46-4b8f-9604-126547C78D89}.exe"	{AA1B3ECE-B118-46b3-BACB-4CCB5ED5618B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FDF7E13A-FA2B-4bef-BB35-69F31AD25855}	{95C2B1E9-A841-4f4e-A4C3-6D15AAE1236E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{68A24166-A621-4684-BB87-F80D7FA71A10}\stubpath = "C:\\Windows\\{68A24166-A621-4684-BB87-F80D7FA71A10}.exe"	{0802DA39-7582-44e3-B595-DBEF47410AC0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F0952612-C21D-4f72-BC3A-C143CB7607FB}	{68A24166-A621-4684-BB87-F80D7FA71A10}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FAE3C2CA-6544-4371-8E1B-D6F07153033D}	2024-03-15_6af43a5f2ce142a75703da365acb32a8_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D778F20F-0885-474d-87C9-10162F50D55C}\stubpath = "C:\\Windows\\{D778F20F-0885-474d-87C9-10162F50D55C}.exe"	{FAE3C2CA-6544-4371-8E1B-D6F07153033D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{95C2B1E9-A841-4f4e-A4C3-6D15AAE1236E}	{209023BF-8107-4e49-A4F4-94F585C2D4CB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{209023BF-8107-4e49-A4F4-94F585C2D4CB}	{76546806-DE46-4b8f-9604-126547C78D89}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{95C2B1E9-A841-4f4e-A4C3-6D15AAE1236E}\stubpath = "C:\\Windows\\{95C2B1E9-A841-4f4e-A4C3-6D15AAE1236E}.exe"	{209023BF-8107-4e49-A4F4-94F585C2D4CB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0802DA39-7582-44e3-B595-DBEF47410AC0}\stubpath = "C:\\Windows\\{0802DA39-7582-44e3-B595-DBEF47410AC0}.exe"	{FDF7E13A-FA2B-4bef-BB35-69F31AD25855}.exe

Deletes itself 1 IoCs

pid	Process
2544	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
1960	{FAE3C2CA-6544-4371-8E1B-D6F07153033D}.exe
2268	{D778F20F-0885-474d-87C9-10162F50D55C}.exe
2540	{AA1B3ECE-B118-46b3-BACB-4CCB5ED5618B}.exe
1820	{76546806-DE46-4b8f-9604-126547C78D89}.exe
2772	{209023BF-8107-4e49-A4F4-94F585C2D4CB}.exe
1532	{95C2B1E9-A841-4f4e-A4C3-6D15AAE1236E}.exe
1436	{FDF7E13A-FA2B-4bef-BB35-69F31AD25855}.exe
2944	{0802DA39-7582-44e3-B595-DBEF47410AC0}.exe
2236	{68A24166-A621-4684-BB87-F80D7FA71A10}.exe
604	{F0952612-C21D-4f72-BC3A-C143CB7607FB}.exe
972	{6C4BD64B-BA9E-446a-81B5-AF2A5180260D}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{AA1B3ECE-B118-46b3-BACB-4CCB5ED5618B}.exe	{D778F20F-0885-474d-87C9-10162F50D55C}.exe
File created	C:\Windows\{76546806-DE46-4b8f-9604-126547C78D89}.exe	{AA1B3ECE-B118-46b3-BACB-4CCB5ED5618B}.exe
File created	C:\Windows\{FDF7E13A-FA2B-4bef-BB35-69F31AD25855}.exe	{95C2B1E9-A841-4f4e-A4C3-6D15AAE1236E}.exe
File created	C:\Windows\{F0952612-C21D-4f72-BC3A-C143CB7607FB}.exe	{68A24166-A621-4684-BB87-F80D7FA71A10}.exe
File created	C:\Windows\{6C4BD64B-BA9E-446a-81B5-AF2A5180260D}.exe	{F0952612-C21D-4f72-BC3A-C143CB7607FB}.exe
File created	C:\Windows\{FAE3C2CA-6544-4371-8E1B-D6F07153033D}.exe	2024-03-15_6af43a5f2ce142a75703da365acb32a8_goldeneye.exe
File created	C:\Windows\{D778F20F-0885-474d-87C9-10162F50D55C}.exe	{FAE3C2CA-6544-4371-8E1B-D6F07153033D}.exe
File created	C:\Windows\{209023BF-8107-4e49-A4F4-94F585C2D4CB}.exe	{76546806-DE46-4b8f-9604-126547C78D89}.exe
File created	C:\Windows\{95C2B1E9-A841-4f4e-A4C3-6D15AAE1236E}.exe	{209023BF-8107-4e49-A4F4-94F585C2D4CB}.exe
File created	C:\Windows\{0802DA39-7582-44e3-B595-DBEF47410AC0}.exe	{FDF7E13A-FA2B-4bef-BB35-69F31AD25855}.exe
File created	C:\Windows\{68A24166-A621-4684-BB87-F80D7FA71A10}.exe	{0802DA39-7582-44e3-B595-DBEF47410AC0}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2488	2024-03-15_6af43a5f2ce142a75703da365acb32a8_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1960	{FAE3C2CA-6544-4371-8E1B-D6F07153033D}.exe
Token: SeIncBasePriorityPrivilege	2268	{D778F20F-0885-474d-87C9-10162F50D55C}.exe
Token: SeIncBasePriorityPrivilege	2540	{AA1B3ECE-B118-46b3-BACB-4CCB5ED5618B}.exe
Token: SeIncBasePriorityPrivilege	1820	{76546806-DE46-4b8f-9604-126547C78D89}.exe
Token: SeIncBasePriorityPrivilege	2772	{209023BF-8107-4e49-A4F4-94F585C2D4CB}.exe
Token: SeIncBasePriorityPrivilege	1532	{95C2B1E9-A841-4f4e-A4C3-6D15AAE1236E}.exe
Token: SeIncBasePriorityPrivilege	1436	{FDF7E13A-FA2B-4bef-BB35-69F31AD25855}.exe
Token: SeIncBasePriorityPrivilege	2944	{0802DA39-7582-44e3-B595-DBEF47410AC0}.exe
Token: SeIncBasePriorityPrivilege	2236	{68A24166-A621-4684-BB87-F80D7FA71A10}.exe
Token: SeIncBasePriorityPrivilege	604	{F0952612-C21D-4f72-BC3A-C143CB7607FB}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2488 wrote to memory of 1960	2488	2024-03-15_6af43a5f2ce142a75703da365acb32a8_goldeneye.exe	28
PID 2488 wrote to memory of 1960	2488	2024-03-15_6af43a5f2ce142a75703da365acb32a8_goldeneye.exe	28
PID 2488 wrote to memory of 1960	2488	2024-03-15_6af43a5f2ce142a75703da365acb32a8_goldeneye.exe	28
PID 2488 wrote to memory of 1960	2488	2024-03-15_6af43a5f2ce142a75703da365acb32a8_goldeneye.exe	28
PID 2488 wrote to memory of 2544	2488	2024-03-15_6af43a5f2ce142a75703da365acb32a8_goldeneye.exe	29
PID 2488 wrote to memory of 2544	2488	2024-03-15_6af43a5f2ce142a75703da365acb32a8_goldeneye.exe	29
PID 2488 wrote to memory of 2544	2488	2024-03-15_6af43a5f2ce142a75703da365acb32a8_goldeneye.exe	29
PID 2488 wrote to memory of 2544	2488	2024-03-15_6af43a5f2ce142a75703da365acb32a8_goldeneye.exe	29
PID 1960 wrote to memory of 2268	1960	{FAE3C2CA-6544-4371-8E1B-D6F07153033D}.exe	30
PID 1960 wrote to memory of 2268	1960	{FAE3C2CA-6544-4371-8E1B-D6F07153033D}.exe	30
PID 1960 wrote to memory of 2268	1960	{FAE3C2CA-6544-4371-8E1B-D6F07153033D}.exe	30
PID 1960 wrote to memory of 2268	1960	{FAE3C2CA-6544-4371-8E1B-D6F07153033D}.exe	30
PID 1960 wrote to memory of 2564	1960	{FAE3C2CA-6544-4371-8E1B-D6F07153033D}.exe	31
PID 1960 wrote to memory of 2564	1960	{FAE3C2CA-6544-4371-8E1B-D6F07153033D}.exe	31
PID 1960 wrote to memory of 2564	1960	{FAE3C2CA-6544-4371-8E1B-D6F07153033D}.exe	31
PID 1960 wrote to memory of 2564	1960	{FAE3C2CA-6544-4371-8E1B-D6F07153033D}.exe	31
PID 2268 wrote to memory of 2540	2268	{D778F20F-0885-474d-87C9-10162F50D55C}.exe	32
PID 2268 wrote to memory of 2540	2268	{D778F20F-0885-474d-87C9-10162F50D55C}.exe	32
PID 2268 wrote to memory of 2540	2268	{D778F20F-0885-474d-87C9-10162F50D55C}.exe	32
PID 2268 wrote to memory of 2540	2268	{D778F20F-0885-474d-87C9-10162F50D55C}.exe	32
PID 2268 wrote to memory of 2464	2268	{D778F20F-0885-474d-87C9-10162F50D55C}.exe	33
PID 2268 wrote to memory of 2464	2268	{D778F20F-0885-474d-87C9-10162F50D55C}.exe	33
PID 2268 wrote to memory of 2464	2268	{D778F20F-0885-474d-87C9-10162F50D55C}.exe	33
PID 2268 wrote to memory of 2464	2268	{D778F20F-0885-474d-87C9-10162F50D55C}.exe	33
PID 2540 wrote to memory of 1820	2540	{AA1B3ECE-B118-46b3-BACB-4CCB5ED5618B}.exe	36
PID 2540 wrote to memory of 1820	2540	{AA1B3ECE-B118-46b3-BACB-4CCB5ED5618B}.exe	36
PID 2540 wrote to memory of 1820	2540	{AA1B3ECE-B118-46b3-BACB-4CCB5ED5618B}.exe	36
PID 2540 wrote to memory of 1820	2540	{AA1B3ECE-B118-46b3-BACB-4CCB5ED5618B}.exe	36
PID 2540 wrote to memory of 2640	2540	{AA1B3ECE-B118-46b3-BACB-4CCB5ED5618B}.exe	37
PID 2540 wrote to memory of 2640	2540	{AA1B3ECE-B118-46b3-BACB-4CCB5ED5618B}.exe	37
PID 2540 wrote to memory of 2640	2540	{AA1B3ECE-B118-46b3-BACB-4CCB5ED5618B}.exe	37
PID 2540 wrote to memory of 2640	2540	{AA1B3ECE-B118-46b3-BACB-4CCB5ED5618B}.exe	37
PID 1820 wrote to memory of 2772	1820	{76546806-DE46-4b8f-9604-126547C78D89}.exe	38
PID 1820 wrote to memory of 2772	1820	{76546806-DE46-4b8f-9604-126547C78D89}.exe	38
PID 1820 wrote to memory of 2772	1820	{76546806-DE46-4b8f-9604-126547C78D89}.exe	38
PID 1820 wrote to memory of 2772	1820	{76546806-DE46-4b8f-9604-126547C78D89}.exe	38
PID 1820 wrote to memory of 1620	1820	{76546806-DE46-4b8f-9604-126547C78D89}.exe	39
PID 1820 wrote to memory of 1620	1820	{76546806-DE46-4b8f-9604-126547C78D89}.exe	39
PID 1820 wrote to memory of 1620	1820	{76546806-DE46-4b8f-9604-126547C78D89}.exe	39
PID 1820 wrote to memory of 1620	1820	{76546806-DE46-4b8f-9604-126547C78D89}.exe	39
PID 2772 wrote to memory of 1532	2772	{209023BF-8107-4e49-A4F4-94F585C2D4CB}.exe	40
PID 2772 wrote to memory of 1532	2772	{209023BF-8107-4e49-A4F4-94F585C2D4CB}.exe	40
PID 2772 wrote to memory of 1532	2772	{209023BF-8107-4e49-A4F4-94F585C2D4CB}.exe	40
PID 2772 wrote to memory of 1532	2772	{209023BF-8107-4e49-A4F4-94F585C2D4CB}.exe	40
PID 2772 wrote to memory of 1452	2772	{209023BF-8107-4e49-A4F4-94F585C2D4CB}.exe	41
PID 2772 wrote to memory of 1452	2772	{209023BF-8107-4e49-A4F4-94F585C2D4CB}.exe	41
PID 2772 wrote to memory of 1452	2772	{209023BF-8107-4e49-A4F4-94F585C2D4CB}.exe	41
PID 2772 wrote to memory of 1452	2772	{209023BF-8107-4e49-A4F4-94F585C2D4CB}.exe	41
PID 1532 wrote to memory of 1436	1532	{95C2B1E9-A841-4f4e-A4C3-6D15AAE1236E}.exe	42
PID 1532 wrote to memory of 1436	1532	{95C2B1E9-A841-4f4e-A4C3-6D15AAE1236E}.exe	42
PID 1532 wrote to memory of 1436	1532	{95C2B1E9-A841-4f4e-A4C3-6D15AAE1236E}.exe	42
PID 1532 wrote to memory of 1436	1532	{95C2B1E9-A841-4f4e-A4C3-6D15AAE1236E}.exe	42
PID 1532 wrote to memory of 1336	1532	{95C2B1E9-A841-4f4e-A4C3-6D15AAE1236E}.exe	43
PID 1532 wrote to memory of 1336	1532	{95C2B1E9-A841-4f4e-A4C3-6D15AAE1236E}.exe	43
PID 1532 wrote to memory of 1336	1532	{95C2B1E9-A841-4f4e-A4C3-6D15AAE1236E}.exe	43
PID 1532 wrote to memory of 1336	1532	{95C2B1E9-A841-4f4e-A4C3-6D15AAE1236E}.exe	43
PID 1436 wrote to memory of 2944	1436	{FDF7E13A-FA2B-4bef-BB35-69F31AD25855}.exe	44
PID 1436 wrote to memory of 2944	1436	{FDF7E13A-FA2B-4bef-BB35-69F31AD25855}.exe	44
PID 1436 wrote to memory of 2944	1436	{FDF7E13A-FA2B-4bef-BB35-69F31AD25855}.exe	44
PID 1436 wrote to memory of 2944	1436	{FDF7E13A-FA2B-4bef-BB35-69F31AD25855}.exe	44
PID 1436 wrote to memory of 2036	1436	{FDF7E13A-FA2B-4bef-BB35-69F31AD25855}.exe	45
PID 1436 wrote to memory of 2036	1436	{FDF7E13A-FA2B-4bef-BB35-69F31AD25855}.exe	45
PID 1436 wrote to memory of 2036	1436	{FDF7E13A-FA2B-4bef-BB35-69F31AD25855}.exe	45
PID 1436 wrote to memory of 2036	1436	{FDF7E13A-FA2B-4bef-BB35-69F31AD25855}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-03-15_6af43a5f2ce142a75703da365acb32a8_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-15_6af43a5f2ce142a75703da365acb32a8_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2488
- C:\Windows\{FAE3C2CA-6544-4371-8E1B-D6F07153033D}.exe
  C:\Windows\{FAE3C2CA-6544-4371-8E1B-D6F07153033D}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1960
- - C:\Windows\{D778F20F-0885-474d-87C9-10162F50D55C}.exe
    C:\Windows\{D778F20F-0885-474d-87C9-10162F50D55C}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2268
  - - C:\Windows\{AA1B3ECE-B118-46b3-BACB-4CCB5ED5618B}.exe
      C:\Windows\{AA1B3ECE-B118-46b3-BACB-4CCB5ED5618B}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2540
    - - C:\Windows\{76546806-DE46-4b8f-9604-126547C78D89}.exe
        
        C:\Windows\{76546806-DE46-4b8f-9604-126547C78D89}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1820
      - C:\Windows\{209023BF-8107-4e49-A4F4-94F585C2D4CB}.exe
        
        C:\Windows\{209023BF-8107-4e49-A4F4-94F585C2D4CB}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2772
        
        C:\Windows\{95C2B1E9-A841-4f4e-A4C3-6D15AAE1236E}.exe
        
        C:\Windows\{95C2B1E9-A841-4f4e-A4C3-6D15AAE1236E}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1532
        
        C:\Windows\{FDF7E13A-FA2B-4bef-BB35-69F31AD25855}.exe
        
        C:\Windows\{FDF7E13A-FA2B-4bef-BB35-69F31AD25855}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1436
        
        C:\Windows\{0802DA39-7582-44e3-B595-DBEF47410AC0}.exe
        
        C:\Windows\{0802DA39-7582-44e3-B595-DBEF47410AC0}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2944
        
        C:\Windows\{68A24166-A621-4684-BB87-F80D7FA71A10}.exe
        
        C:\Windows\{68A24166-A621-4684-BB87-F80D7FA71A10}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2236
        
        C:\Windows\{F0952612-C21D-4f72-BC3A-C143CB7607FB}.exe
        
        C:\Windows\{F0952612-C21D-4f72-BC3A-C143CB7607FB}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:604
        
        C:\Windows\{6C4BD64B-BA9E-446a-81B5-AF2A5180260D}.exe
        
        C:\Windows\{6C4BD64B-BA9E-446a-81B5-AF2A5180260D}.exe
        12⤵
        Executes dropped EXE
        
        PID:972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F0952~1.EXE > nul
        12⤵
        
        PID:868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{68A24~1.EXE > nul
        11⤵
        
        PID:792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0802D~1.EXE > nul
        10⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FDF7E~1.EXE > nul
        9⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{95C2B~1.EXE > nul
        8⤵
        
        PID:1336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{20902~1.EXE > nul
        7⤵
        
        PID:1452
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{76546~1.EXE > nul
        6⤵
        
        PID:1620
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AA1B3~1.EXE > nul
        5⤵
        
        PID:2640
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{D778F~1.EXE > nul
      4⤵
      PID:2464
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{FAE3C~1.EXE > nul
    3⤵
    PID:2564
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0802DA39-7582-44e3-B595-DBEF47410AC0}.exe

Filesize
344KB

MD5
3789dbcaef6ed3a67397409837619b30

SHA1
110f95ecacdde67d0a3eeee3e787b260be903288

SHA256
c8508dc1e3e09b6ccf45110a99fef40eac138f651c0aa9f10ca3faa4a9344ecd

SHA512
2afc6be68b6bde1d3f2adb51ece30ce8dd54ec4bef71ca9ebd1f550513c0222ddee06cfb718650c3127d6827d1830e56adf751d71bf14e9d365e8241633ec243

Download Submit
C:\Windows\{209023BF-8107-4e49-A4F4-94F585C2D4CB}.exe

Filesize
344KB

MD5
808ef76c4bb6f6d91890c74fc95d6b13

SHA1
5580533688407e7e24292b29516e1b162509da08

SHA256
6cb8e30e79d87878bfafbe078d6f649d4c0b738a7b4a6483e172265ebbbe49aa

SHA512
02165c2b557c600c3341d3c820f5908d23bb7a7bbac66de5ee8f071155c26ef60c7b2cfbb05f1a51732456151bcc2da227dc3f45e7b9b8a6d539d8d75ab02506

Download Submit
C:\Windows\{68A24166-A621-4684-BB87-F80D7FA71A10}.exe

Filesize
344KB

MD5
3132bde7f7471356aeeb6fed41e02310

SHA1
659833aa3b947078500df4dc1c6c734c44aefb1f

SHA256
4acaecdc808a7d061014dd870cc53b7fda362ed25df7b11d4a91e7f2b6956bbf

SHA512
618f6c398f475d8553bade32c1077303723e2b1e5b6eb3fb7c4ddc76733195b4061b9d8b59b2ec71df5d86dec9772e75df10b5f1e4354481e68028d04dd1d71f

Download Submit
C:\Windows\{6C4BD64B-BA9E-446a-81B5-AF2A5180260D}.exe

Filesize
344KB

MD5
a95cc626e6b83dea88409e9e9aeafad6

SHA1
f5dfeed8854e9d39a58d04eac644d9bf95f815ca

SHA256
48eef316947e2e01b10095bd76dc56cefa8c8f20d5142223a5324fc95296bee3

SHA512
58601e43409bec36388cb3c160a4561ed868bdaa3f8c98c37243edbf449f3f842d7010eabce7f385587a0524a4e087bbb6d28ce42761069d8d0837b9f5e0b83d

Download Submit
C:\Windows\{76546806-DE46-4b8f-9604-126547C78D89}.exe

Filesize
344KB

MD5
2e79f0e1b33b7572996a602830f69d39

SHA1
9e057fbfb67f2f520b921f8ec773a63f461cf9e0

SHA256
5288d704b577020a4d56a90638fa0fd3ba6d109f02b7243eb37663263bd0e4af

SHA512
7c17ab3e486a2abeea807bf822ed5519d97e412063d724c5b5fed59f4a6a60570fc04f19f6138c0327e719819dae95bf1d9040e2eeff9f20b82cda10b592e62d

Download Submit
C:\Windows\{95C2B1E9-A841-4f4e-A4C3-6D15AAE1236E}.exe

Filesize
344KB

MD5
e387fce8cca80aac086cde092c628e34

SHA1
539950ce401baeb727e96ad8c3a26bfa89b7def2

SHA256
31b656f8abd1ff00569525431a8f4486dc0b700a7b85a8acd44bb7731a8f328e

SHA512
6536775f090c9513e4845647410e9f796db05776ba8c9e840ec2c13f5a094796a8ee074ab0d95a653b3c5006edd11577163ffefb784a1382b98567087109f6fd

Download Submit
C:\Windows\{AA1B3ECE-B118-46b3-BACB-4CCB5ED5618B}.exe

Filesize
344KB

MD5
07bd56105981bcc37055052c8c68cc79

SHA1
67cda7d2b1b309fe3631aac2bc81ca17a80081ee

SHA256
fe2f8c42a7f9d996e03482cf74f62e74a7299a6d57892f7f58b1d63749564b1e

SHA512
0574ef0037941f1a43c1f9919d60495ac85150e21aac9a506eb4df6131444ed322b977b58b5bf6bc15f4258f1a176bba2780bb17eb6f944d031e60349e96e45d

Download Submit
C:\Windows\{D778F20F-0885-474d-87C9-10162F50D55C}.exe

Filesize
344KB

MD5
27af4e068994612d57cfb94c043c9880

SHA1
a597c27d90d94af5d5fecb6761db2940cc578691

SHA256
0575e8776d637fe15205b13cd725fbae86d590823147d741d5797cc5c4f48555

SHA512
ef61ccabeefdce45fcac1c58ca96a6d553e3e7226363349b1f3dd2bd3cab5a4fabf1af16fcd875bab521cb2ea0120f89366b74531b0cc2080bfe55d88105796d

Download Submit
C:\Windows\{F0952612-C21D-4f72-BC3A-C143CB7607FB}.exe

Filesize
229KB

MD5
79f1beecfa8d6920dc8cde8a1d95ae37

SHA1
bee70f918d49e34ce68e8a4850b523dad76d3639

SHA256
0a76e70afdd5c99b0211449557661628a3d2d638a12b75e3835094633a99c239

SHA512
6d0e18a76c21de11d117626c7a005282185c8d97d72b774bdcb2ae79dd64349d8cf5cb706da128ba0baef89f400de36ee5668a7d3ad7b914e6b222ef67b85090

Download Submit
C:\Windows\{F0952612-C21D-4f72-BC3A-C143CB7607FB}.exe

Filesize
344KB

MD5
a9c27f9f95905ad74269ca5d3bc12a23

SHA1
2d3bb23461206647e85b553ba366abe8695b5ea3

SHA256
587759b825f618d3f89f8d1cf567e908ea8f07e25f86d426ac969022a6e82f25

SHA512
b50035d25d69ffcc2bbab7441be4d0fa562e71d298e1d5aab9a1c2db9fe4899efd79354e4d417c2de061b703575348b0f769157fbab2dd00f4a7265a1e032229

Download Submit
C:\Windows\{FAE3C2CA-6544-4371-8E1B-D6F07153033D}.exe

Filesize
344KB

MD5
6801d3e85e2fb236ef9f479160c6bf6f

SHA1
0576106d47c3a1397003b33c5d6407d5fec6f1e0

SHA256
2d7f49692c7de40e78a4b23c5e9883218eaf41f76ee60145a96953c42ef0ac30

SHA512
cebe87bfce8bd286c9646259bd6fde13cf104dbecb38f70c4635a6e348b69ea225037172ade4407342f1ad10885a9f52bab2f964840864c61b283536c0d28d35

Download Submit
C:\Windows\{FDF7E13A-FA2B-4bef-BB35-69F31AD25855}.exe

Filesize
344KB

MD5
9c44d8dd013676e144595fecf135c037

SHA1
b23376d4f3c95e7c7105465f656019fd05e6cc36

SHA256
3c1618e29c5f9dde51ff954d4dbdfac403e6e42f283f97be1ea374e23e93c8f1

SHA512
f698f346d2bb788c434dedd342a84a9e137573c437ff62feadfb3dede221075efa9007d20b04cb02f328e7926adb133174a51880edcbd03dc76d7625a5ee4569

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads