84b1445750574bc4c5aff2a40f5c88cd953b66fabec1321f8ed08b46f1768fc0

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
16-03-2024 12:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-16_e27a0a0b1ba49079e57afae075de9c57_goldeneye.exe
Size

344KB
MD5

e27a0a0b1ba49079e57afae075de9c57
SHA1

34d24e9511f097743831fd29e939a29700f81375
SHA256

84b1445750574bc4c5aff2a40f5c88cd953b66fabec1321f8ed08b46f1768fc0
SHA512

6957c89c48b366447a8a8d3dbafeeacd2342ee40b0b6f34ad38e6f5e24f4f1118c44000ed505d28d2cb37d499b9c0502f7ca7a727df78901295f451b0c44f3f3
SSDEEP

3072:mEGh0ovlEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGJlqOe2MUVg3v2IneKcAEcA

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000a000000012254-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c00000001269e-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x003800000001566b-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x003800000001567f-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x003900000001567f-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a00000001568c-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000015cba-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000015ce1-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000015ceb-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2B7A640E-330C-4ea7-A0D0-C10EE3F28C9B}\stubpath = "C:\\Windows\\{2B7A640E-330C-4ea7-A0D0-C10EE3F28C9B}.exe"	{467BCB8C-6225-4ae4-9C4D-FD19A9EC4801}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FF73A099-3F64-4d33-BC94-5B6390837D02}	{2B7A640E-330C-4ea7-A0D0-C10EE3F28C9B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5D7A826C-D45E-46a9-ADD4-8DC28BF427ED}	2024-03-16_e27a0a0b1ba49079e57afae075de9c57_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5D7A826C-D45E-46a9-ADD4-8DC28BF427ED}\stubpath = "C:\\Windows\\{5D7A826C-D45E-46a9-ADD4-8DC28BF427ED}.exe"	2024-03-16_e27a0a0b1ba49079e57afae075de9c57_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2B7A640E-330C-4ea7-A0D0-C10EE3F28C9B}	{467BCB8C-6225-4ae4-9C4D-FD19A9EC4801}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6F1BA2E0-ADD2-458d-828A-74CE4DE21AB8}	{DE9356A5-8B2A-45e4-8EE7-D22E202A8719}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{467BCB8C-6225-4ae4-9C4D-FD19A9EC4801}\stubpath = "C:\\Windows\\{467BCB8C-6225-4ae4-9C4D-FD19A9EC4801}.exe"	{ADFDA4F1-E32B-41fb-A24A-923270D3B1BE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FF73A099-3F64-4d33-BC94-5B6390837D02}\stubpath = "C:\\Windows\\{FF73A099-3F64-4d33-BC94-5B6390837D02}.exe"	{2B7A640E-330C-4ea7-A0D0-C10EE3F28C9B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{524E8DCE-C701-4281-8079-786CE9664713}\stubpath = "C:\\Windows\\{524E8DCE-C701-4281-8079-786CE9664713}.exe"	{FF73A099-3F64-4d33-BC94-5B6390837D02}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{35B5EAF2-D8ED-4f26-90D3-0F2BE1DC4BE0}\stubpath = "C:\\Windows\\{35B5EAF2-D8ED-4f26-90D3-0F2BE1DC4BE0}.exe"	{CCAB9C09-E69D-40c5-BCF7-7A59CC2389D0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{779FC65B-87A5-4bdc-824C-4CF1996FF14A}	{6F1BA2E0-ADD2-458d-828A-74CE4DE21AB8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ADFDA4F1-E32B-41fb-A24A-923270D3B1BE}	{5D7A826C-D45E-46a9-ADD4-8DC28BF427ED}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ADFDA4F1-E32B-41fb-A24A-923270D3B1BE}\stubpath = "C:\\Windows\\{ADFDA4F1-E32B-41fb-A24A-923270D3B1BE}.exe"	{5D7A826C-D45E-46a9-ADD4-8DC28BF427ED}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{467BCB8C-6225-4ae4-9C4D-FD19A9EC4801}	{ADFDA4F1-E32B-41fb-A24A-923270D3B1BE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{35B5EAF2-D8ED-4f26-90D3-0F2BE1DC4BE0}	{CCAB9C09-E69D-40c5-BCF7-7A59CC2389D0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DE9356A5-8B2A-45e4-8EE7-D22E202A8719}	{35B5EAF2-D8ED-4f26-90D3-0F2BE1DC4BE0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DE9356A5-8B2A-45e4-8EE7-D22E202A8719}\stubpath = "C:\\Windows\\{DE9356A5-8B2A-45e4-8EE7-D22E202A8719}.exe"	{35B5EAF2-D8ED-4f26-90D3-0F2BE1DC4BE0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6F1BA2E0-ADD2-458d-828A-74CE4DE21AB8}\stubpath = "C:\\Windows\\{6F1BA2E0-ADD2-458d-828A-74CE4DE21AB8}.exe"	{DE9356A5-8B2A-45e4-8EE7-D22E202A8719}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{779FC65B-87A5-4bdc-824C-4CF1996FF14A}\stubpath = "C:\\Windows\\{779FC65B-87A5-4bdc-824C-4CF1996FF14A}.exe"	{6F1BA2E0-ADD2-458d-828A-74CE4DE21AB8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{524E8DCE-C701-4281-8079-786CE9664713}	{FF73A099-3F64-4d33-BC94-5B6390837D02}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CCAB9C09-E69D-40c5-BCF7-7A59CC2389D0}	{524E8DCE-C701-4281-8079-786CE9664713}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CCAB9C09-E69D-40c5-BCF7-7A59CC2389D0}\stubpath = "C:\\Windows\\{CCAB9C09-E69D-40c5-BCF7-7A59CC2389D0}.exe"	{524E8DCE-C701-4281-8079-786CE9664713}.exe

Deletes itself 1 IoCs

pid	Process
1980	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
3012	{5D7A826C-D45E-46a9-ADD4-8DC28BF427ED}.exe
2496	{ADFDA4F1-E32B-41fb-A24A-923270D3B1BE}.exe
2460	{467BCB8C-6225-4ae4-9C4D-FD19A9EC4801}.exe
112	{2B7A640E-330C-4ea7-A0D0-C10EE3F28C9B}.exe
2764	{FF73A099-3F64-4d33-BC94-5B6390837D02}.exe
1616	{524E8DCE-C701-4281-8079-786CE9664713}.exe
624	{CCAB9C09-E69D-40c5-BCF7-7A59CC2389D0}.exe
592	{35B5EAF2-D8ED-4f26-90D3-0F2BE1DC4BE0}.exe
2864	{DE9356A5-8B2A-45e4-8EE7-D22E202A8719}.exe
1948	{6F1BA2E0-ADD2-458d-828A-74CE4DE21AB8}.exe
2788	{779FC65B-87A5-4bdc-824C-4CF1996FF14A}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{6F1BA2E0-ADD2-458d-828A-74CE4DE21AB8}.exe	{DE9356A5-8B2A-45e4-8EE7-D22E202A8719}.exe
File created	C:\Windows\{5D7A826C-D45E-46a9-ADD4-8DC28BF427ED}.exe	2024-03-16_e27a0a0b1ba49079e57afae075de9c57_goldeneye.exe
File created	C:\Windows\{467BCB8C-6225-4ae4-9C4D-FD19A9EC4801}.exe	{ADFDA4F1-E32B-41fb-A24A-923270D3B1BE}.exe
File created	C:\Windows\{2B7A640E-330C-4ea7-A0D0-C10EE3F28C9B}.exe	{467BCB8C-6225-4ae4-9C4D-FD19A9EC4801}.exe
File created	C:\Windows\{FF73A099-3F64-4d33-BC94-5B6390837D02}.exe	{2B7A640E-330C-4ea7-A0D0-C10EE3F28C9B}.exe
File created	C:\Windows\{524E8DCE-C701-4281-8079-786CE9664713}.exe	{FF73A099-3F64-4d33-BC94-5B6390837D02}.exe
File created	C:\Windows\{35B5EAF2-D8ED-4f26-90D3-0F2BE1DC4BE0}.exe	{CCAB9C09-E69D-40c5-BCF7-7A59CC2389D0}.exe
File created	C:\Windows\{DE9356A5-8B2A-45e4-8EE7-D22E202A8719}.exe	{35B5EAF2-D8ED-4f26-90D3-0F2BE1DC4BE0}.exe
File created	C:\Windows\{779FC65B-87A5-4bdc-824C-4CF1996FF14A}.exe	{6F1BA2E0-ADD2-458d-828A-74CE4DE21AB8}.exe
File created	C:\Windows\{ADFDA4F1-E32B-41fb-A24A-923270D3B1BE}.exe	{5D7A826C-D45E-46a9-ADD4-8DC28BF427ED}.exe
File created	C:\Windows\{CCAB9C09-E69D-40c5-BCF7-7A59CC2389D0}.exe	{524E8DCE-C701-4281-8079-786CE9664713}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2856	2024-03-16_e27a0a0b1ba49079e57afae075de9c57_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3012	{5D7A826C-D45E-46a9-ADD4-8DC28BF427ED}.exe
Token: SeIncBasePriorityPrivilege	2496	{ADFDA4F1-E32B-41fb-A24A-923270D3B1BE}.exe
Token: SeIncBasePriorityPrivilege	2460	{467BCB8C-6225-4ae4-9C4D-FD19A9EC4801}.exe
Token: SeIncBasePriorityPrivilege	112	{2B7A640E-330C-4ea7-A0D0-C10EE3F28C9B}.exe
Token: SeIncBasePriorityPrivilege	2764	{FF73A099-3F64-4d33-BC94-5B6390837D02}.exe
Token: SeIncBasePriorityPrivilege	1616	{524E8DCE-C701-4281-8079-786CE9664713}.exe
Token: SeIncBasePriorityPrivilege	624	{CCAB9C09-E69D-40c5-BCF7-7A59CC2389D0}.exe
Token: SeIncBasePriorityPrivilege	592	{35B5EAF2-D8ED-4f26-90D3-0F2BE1DC4BE0}.exe
Token: SeIncBasePriorityPrivilege	2864	{DE9356A5-8B2A-45e4-8EE7-D22E202A8719}.exe
Token: SeIncBasePriorityPrivilege	1948	{6F1BA2E0-ADD2-458d-828A-74CE4DE21AB8}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2856 wrote to memory of 3012	2856	2024-03-16_e27a0a0b1ba49079e57afae075de9c57_goldeneye.exe	28
PID 2856 wrote to memory of 3012	2856	2024-03-16_e27a0a0b1ba49079e57afae075de9c57_goldeneye.exe	28
PID 2856 wrote to memory of 3012	2856	2024-03-16_e27a0a0b1ba49079e57afae075de9c57_goldeneye.exe	28
PID 2856 wrote to memory of 3012	2856	2024-03-16_e27a0a0b1ba49079e57afae075de9c57_goldeneye.exe	28
PID 2856 wrote to memory of 1980	2856	2024-03-16_e27a0a0b1ba49079e57afae075de9c57_goldeneye.exe	29
PID 2856 wrote to memory of 1980	2856	2024-03-16_e27a0a0b1ba49079e57afae075de9c57_goldeneye.exe	29
PID 2856 wrote to memory of 1980	2856	2024-03-16_e27a0a0b1ba49079e57afae075de9c57_goldeneye.exe	29
PID 2856 wrote to memory of 1980	2856	2024-03-16_e27a0a0b1ba49079e57afae075de9c57_goldeneye.exe	29
PID 3012 wrote to memory of 2496	3012	{5D7A826C-D45E-46a9-ADD4-8DC28BF427ED}.exe	30
PID 3012 wrote to memory of 2496	3012	{5D7A826C-D45E-46a9-ADD4-8DC28BF427ED}.exe	30
PID 3012 wrote to memory of 2496	3012	{5D7A826C-D45E-46a9-ADD4-8DC28BF427ED}.exe	30
PID 3012 wrote to memory of 2496	3012	{5D7A826C-D45E-46a9-ADD4-8DC28BF427ED}.exe	30
PID 3012 wrote to memory of 2680	3012	{5D7A826C-D45E-46a9-ADD4-8DC28BF427ED}.exe	31
PID 3012 wrote to memory of 2680	3012	{5D7A826C-D45E-46a9-ADD4-8DC28BF427ED}.exe	31
PID 3012 wrote to memory of 2680	3012	{5D7A826C-D45E-46a9-ADD4-8DC28BF427ED}.exe	31
PID 3012 wrote to memory of 2680	3012	{5D7A826C-D45E-46a9-ADD4-8DC28BF427ED}.exe	31
PID 2496 wrote to memory of 2460	2496	{ADFDA4F1-E32B-41fb-A24A-923270D3B1BE}.exe	32
PID 2496 wrote to memory of 2460	2496	{ADFDA4F1-E32B-41fb-A24A-923270D3B1BE}.exe	32
PID 2496 wrote to memory of 2460	2496	{ADFDA4F1-E32B-41fb-A24A-923270D3B1BE}.exe	32
PID 2496 wrote to memory of 2460	2496	{ADFDA4F1-E32B-41fb-A24A-923270D3B1BE}.exe	32
PID 2496 wrote to memory of 2664	2496	{ADFDA4F1-E32B-41fb-A24A-923270D3B1BE}.exe	33
PID 2496 wrote to memory of 2664	2496	{ADFDA4F1-E32B-41fb-A24A-923270D3B1BE}.exe	33
PID 2496 wrote to memory of 2664	2496	{ADFDA4F1-E32B-41fb-A24A-923270D3B1BE}.exe	33
PID 2496 wrote to memory of 2664	2496	{ADFDA4F1-E32B-41fb-A24A-923270D3B1BE}.exe	33
PID 2460 wrote to memory of 112	2460	{467BCB8C-6225-4ae4-9C4D-FD19A9EC4801}.exe	36
PID 2460 wrote to memory of 112	2460	{467BCB8C-6225-4ae4-9C4D-FD19A9EC4801}.exe	36
PID 2460 wrote to memory of 112	2460	{467BCB8C-6225-4ae4-9C4D-FD19A9EC4801}.exe	36
PID 2460 wrote to memory of 112	2460	{467BCB8C-6225-4ae4-9C4D-FD19A9EC4801}.exe	36
PID 2460 wrote to memory of 2704	2460	{467BCB8C-6225-4ae4-9C4D-FD19A9EC4801}.exe	37
PID 2460 wrote to memory of 2704	2460	{467BCB8C-6225-4ae4-9C4D-FD19A9EC4801}.exe	37
PID 2460 wrote to memory of 2704	2460	{467BCB8C-6225-4ae4-9C4D-FD19A9EC4801}.exe	37
PID 2460 wrote to memory of 2704	2460	{467BCB8C-6225-4ae4-9C4D-FD19A9EC4801}.exe	37
PID 112 wrote to memory of 2764	112	{2B7A640E-330C-4ea7-A0D0-C10EE3F28C9B}.exe	38
PID 112 wrote to memory of 2764	112	{2B7A640E-330C-4ea7-A0D0-C10EE3F28C9B}.exe	38
PID 112 wrote to memory of 2764	112	{2B7A640E-330C-4ea7-A0D0-C10EE3F28C9B}.exe	38
PID 112 wrote to memory of 2764	112	{2B7A640E-330C-4ea7-A0D0-C10EE3F28C9B}.exe	38
PID 112 wrote to memory of 2768	112	{2B7A640E-330C-4ea7-A0D0-C10EE3F28C9B}.exe	39
PID 112 wrote to memory of 2768	112	{2B7A640E-330C-4ea7-A0D0-C10EE3F28C9B}.exe	39
PID 112 wrote to memory of 2768	112	{2B7A640E-330C-4ea7-A0D0-C10EE3F28C9B}.exe	39
PID 112 wrote to memory of 2768	112	{2B7A640E-330C-4ea7-A0D0-C10EE3F28C9B}.exe	39
PID 2764 wrote to memory of 1616	2764	{FF73A099-3F64-4d33-BC94-5B6390837D02}.exe	40
PID 2764 wrote to memory of 1616	2764	{FF73A099-3F64-4d33-BC94-5B6390837D02}.exe	40
PID 2764 wrote to memory of 1616	2764	{FF73A099-3F64-4d33-BC94-5B6390837D02}.exe	40
PID 2764 wrote to memory of 1616	2764	{FF73A099-3F64-4d33-BC94-5B6390837D02}.exe	40
PID 2764 wrote to memory of 2120	2764	{FF73A099-3F64-4d33-BC94-5B6390837D02}.exe	41
PID 2764 wrote to memory of 2120	2764	{FF73A099-3F64-4d33-BC94-5B6390837D02}.exe	41
PID 2764 wrote to memory of 2120	2764	{FF73A099-3F64-4d33-BC94-5B6390837D02}.exe	41
PID 2764 wrote to memory of 2120	2764	{FF73A099-3F64-4d33-BC94-5B6390837D02}.exe	41
PID 1616 wrote to memory of 624	1616	{524E8DCE-C701-4281-8079-786CE9664713}.exe	42
PID 1616 wrote to memory of 624	1616	{524E8DCE-C701-4281-8079-786CE9664713}.exe	42
PID 1616 wrote to memory of 624	1616	{524E8DCE-C701-4281-8079-786CE9664713}.exe	42
PID 1616 wrote to memory of 624	1616	{524E8DCE-C701-4281-8079-786CE9664713}.exe	42
PID 1616 wrote to memory of 2660	1616	{524E8DCE-C701-4281-8079-786CE9664713}.exe	43
PID 1616 wrote to memory of 2660	1616	{524E8DCE-C701-4281-8079-786CE9664713}.exe	43
PID 1616 wrote to memory of 2660	1616	{524E8DCE-C701-4281-8079-786CE9664713}.exe	43
PID 1616 wrote to memory of 2660	1616	{524E8DCE-C701-4281-8079-786CE9664713}.exe	43
PID 624 wrote to memory of 592	624	{CCAB9C09-E69D-40c5-BCF7-7A59CC2389D0}.exe	44
PID 624 wrote to memory of 592	624	{CCAB9C09-E69D-40c5-BCF7-7A59CC2389D0}.exe	44
PID 624 wrote to memory of 592	624	{CCAB9C09-E69D-40c5-BCF7-7A59CC2389D0}.exe	44
PID 624 wrote to memory of 592	624	{CCAB9C09-E69D-40c5-BCF7-7A59CC2389D0}.exe	44
PID 624 wrote to memory of 1720	624	{CCAB9C09-E69D-40c5-BCF7-7A59CC2389D0}.exe	45
PID 624 wrote to memory of 1720	624	{CCAB9C09-E69D-40c5-BCF7-7A59CC2389D0}.exe	45
PID 624 wrote to memory of 1720	624	{CCAB9C09-E69D-40c5-BCF7-7A59CC2389D0}.exe	45
PID 624 wrote to memory of 1720	624	{CCAB9C09-E69D-40c5-BCF7-7A59CC2389D0}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-03-16_e27a0a0b1ba49079e57afae075de9c57_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-16_e27a0a0b1ba49079e57afae075de9c57_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2856
- C:\Windows\{5D7A826C-D45E-46a9-ADD4-8DC28BF427ED}.exe
  C:\Windows\{5D7A826C-D45E-46a9-ADD4-8DC28BF427ED}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3012
- - C:\Windows\{ADFDA4F1-E32B-41fb-A24A-923270D3B1BE}.exe
    C:\Windows\{ADFDA4F1-E32B-41fb-A24A-923270D3B1BE}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2496
  - - C:\Windows\{467BCB8C-6225-4ae4-9C4D-FD19A9EC4801}.exe
      C:\Windows\{467BCB8C-6225-4ae4-9C4D-FD19A9EC4801}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2460
    - - C:\Windows\{2B7A640E-330C-4ea7-A0D0-C10EE3F28C9B}.exe
        
        C:\Windows\{2B7A640E-330C-4ea7-A0D0-C10EE3F28C9B}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:112
      - C:\Windows\{FF73A099-3F64-4d33-BC94-5B6390837D02}.exe
        
        C:\Windows\{FF73A099-3F64-4d33-BC94-5B6390837D02}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2764
        
        C:\Windows\{524E8DCE-C701-4281-8079-786CE9664713}.exe
        
        C:\Windows\{524E8DCE-C701-4281-8079-786CE9664713}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1616
        
        C:\Windows\{CCAB9C09-E69D-40c5-BCF7-7A59CC2389D0}.exe
        
        C:\Windows\{CCAB9C09-E69D-40c5-BCF7-7A59CC2389D0}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:624
        
        C:\Windows\{35B5EAF2-D8ED-4f26-90D3-0F2BE1DC4BE0}.exe
        
        C:\Windows\{35B5EAF2-D8ED-4f26-90D3-0F2BE1DC4BE0}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:592
        
        C:\Windows\{DE9356A5-8B2A-45e4-8EE7-D22E202A8719}.exe
        
        C:\Windows\{DE9356A5-8B2A-45e4-8EE7-D22E202A8719}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2864
        
        C:\Windows\{6F1BA2E0-ADD2-458d-828A-74CE4DE21AB8}.exe
        
        C:\Windows\{6F1BA2E0-ADD2-458d-828A-74CE4DE21AB8}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1948
        
        C:\Windows\{779FC65B-87A5-4bdc-824C-4CF1996FF14A}.exe
        
        C:\Windows\{779FC65B-87A5-4bdc-824C-4CF1996FF14A}.exe
        12⤵
        Executes dropped EXE
        
        PID:2788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6F1BA~1.EXE > nul
        12⤵
        
        PID:1424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DE935~1.EXE > nul
        11⤵
        
        PID:1888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{35B5E~1.EXE > nul
        10⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CCAB9~1.EXE > nul
        9⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{524E8~1.EXE > nul
        8⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FF73A~1.EXE > nul
        7⤵
        
        PID:2120
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2B7A6~1.EXE > nul
        6⤵
        
        PID:2768
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{467BC~1.EXE > nul
        5⤵
        
        PID:2704
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{ADFDA~1.EXE > nul
      4⤵
      PID:2664
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{5D7A8~1.EXE > nul
    3⤵
    PID:2680
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:1980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{2B7A640E-330C-4ea7-A0D0-C10EE3F28C9B}.exe

Filesize
344KB

MD5
0a853f81e611550316368a9cdb1a5805

SHA1
9e74f62114d125d3afcdfee857c6c1682cf9c57a

SHA256
9ae6a0127a507c68cf719c04594e780e8f9e598a243809f188d39ce44037bf3c

SHA512
7f01c5bbe6fd869f706a7e7883460be8dfc01982c518e35e6afcba93efcd5a7f15a9531a40ebf161c55be186b7fca0ae5b868f4d806f93c4fbf87c72e3921668

Download Submit
C:\Windows\{35B5EAF2-D8ED-4f26-90D3-0F2BE1DC4BE0}.exe

Filesize
344KB

MD5
e8164b854ebe3ad68bfc471fba2e85ee

SHA1
cc9f0edccb32c0b3364b8ab45255dda7ce22970a

SHA256
af2c6ea57debcc186a81d9974675d58549252b622adf17a5eac97a8d51558a5f

SHA512
a34a2440c31fed8a4a50bbb43aeec1c6fca8e015f69aa453b856556dedd0795734a76acb58c76454c011083884ab6e4002cd4015301eb336e7beb2a4aa9576f1

Download Submit
C:\Windows\{467BCB8C-6225-4ae4-9C4D-FD19A9EC4801}.exe

Filesize
344KB

MD5
da23b730b443b22d287268f69416a663

SHA1
536505e0871b7775952ddcd20cf7d438c2633ad8

SHA256
8a09fe47f0a6c1c0613a599a9f598088fc46d2b581de71c5b117847f337fbf5a

SHA512
6a7d8dc7e7780daf154bfe8ee5ba8a2f1be9295399ad6492b47b526f7631093de17d251f86279e34bfce2bca0c570410c739b90f8d8b08b545b187ed1bd05e21

Download Submit
C:\Windows\{524E8DCE-C701-4281-8079-786CE9664713}.exe

Filesize
344KB

MD5
9246b8a01d8f23e161bef026d182ac48

SHA1
465584041c7c310db7cb4768b90af45c20a56677

SHA256
d4d99125caaa0b238a766d322ffe3ec55d083fe861fd59fe95a0d9e1559e9caa

SHA512
f9627058d88f6702e88e23c65ae91cc66a487705b329f4046ec3edb89e7d4926b81e9b78a91f1a7d7ddefe0f099e6919e7208c9ba2ea20e658c1da8f915b3ad4

Download Submit
C:\Windows\{5D7A826C-D45E-46a9-ADD4-8DC28BF427ED}.exe

Filesize
344KB

MD5
87bbf98af98d55bf756016fcc902fd37

SHA1
83ce809fffc79145e1fe7192062316952b61421c

SHA256
d1911f8c1d29b100989c777faf771a7b4f182018bb3af44a29e3993518c85416

SHA512
9a322829434c318199a18ccac1bc26486aa34e4c98cde52292eaec9e6268e0671b8a5477daf6da7d643307e3c48ea89830653749702a7390d3debc461776a339

Download Submit
C:\Windows\{6F1BA2E0-ADD2-458d-828A-74CE4DE21AB8}.exe

Filesize
344KB

MD5
30db6373d2c4ddefc6bda970569fc6fd

SHA1
c3dec372302d8e5104fed04e5e19066ecbf77268

SHA256
0537611d68a54774699fdbc2d4d2e9d667a08101ba242993a4f538ee9a429ba7

SHA512
bfe32e41c6e7ac346399010ddbef79c0f8f9fdc5e1f17f460d297a3de4c31785fa5090c02b7a2e1c9d1e292bf720cce61faca04592176fa8fd900f950af8c716

Download Submit
C:\Windows\{779FC65B-87A5-4bdc-824C-4CF1996FF14A}.exe

Filesize
344KB

MD5
f29cb07e4c4a65989c16fe65410b17bb

SHA1
fc65bf93394d72669263a3bd23a2114907a086f0

SHA256
117a90b0083eee44cdc0f8840f4c3a0b77748068e9f1637e398098ccbd66f7c1

SHA512
dfbf281eca9d90020c3b43941375d6bcf6e2107c1aa070efb1af7ad925ca819377094662f53c82b6ca918b112b2b48a6a087c07a4cbe8b0b43508d0ffe389dd9

Download Submit
C:\Windows\{ADFDA4F1-E32B-41fb-A24A-923270D3B1BE}.exe

Filesize
344KB

MD5
136ea50c1d3fd937ff68cb06dcb486d0

SHA1
946839c619798b692b67bfc46a53c62d93662c7d

SHA256
2672060f87cf858923e56a575dd1fea67f6ac7b5bb4b996865c649a1db0fe155

SHA512
7e18a3929e69137ccaeec7d172c235f08f2b5c51943932aafecc0fd3e7139b7bfea047d4f37a33602e0372feac46efbe3dde13a39a6c87269cc3fd766a8eba55

Download Submit
C:\Windows\{CCAB9C09-E69D-40c5-BCF7-7A59CC2389D0}.exe

Filesize
344KB

MD5
4ca83455e092c46e45062e60b78589db

SHA1
b7e8a6717653d81f395726d07bec6a00f722571b

SHA256
d3a4b82c5d7be2c6757394c9a7ac0ec1196dd2ef1f9fb3fc001648855a649bb9

SHA512
ac67b2902b1a6e618d0b24b6b2298529a819888fa6a723782485856c3a5935a1f74b8f5e69d0cbae1f47a787aaf894bdd5c61e43126871ae26ff4534058cf9dc

Download Submit
C:\Windows\{DE9356A5-8B2A-45e4-8EE7-D22E202A8719}.exe

Filesize
344KB

MD5
f8d2344bd7304cc389d79b84e91d303f

SHA1
894575ac5ea81d1260bc0b6058366509f0c86a84

SHA256
bf2a618d6eb90fd0d413caa2ad8bfe29c69346d11f27e79968f20c8c59033827

SHA512
0653b52037a5d970a996dae0dba2400a8a77cbb45677689356bbc00b6af57a6f72e3804cda6c9c21d27fd8821e6e1044d2555977db089656c5c16e619f26ccaa

Download Submit
C:\Windows\{FF73A099-3F64-4d33-BC94-5B6390837D02}.exe

Filesize
344KB

MD5
96fd329072ed4a8a65d0dd04c7c83cf9

SHA1
74c2fb5087b8da95e2bcb61c55bbf8e67cf2ebfb

SHA256
2eff376db66aad55a7dc8eeac66732867136656fc5411154ed473eb5a38c6fff

SHA512
b002d797d7b39d57eb42e7057be6f4b3d2aece9f2f9ad61e764ff81debc8571ca75e30e1136845b474856e43edc4c629bbfbb7ebdd0748c122f4a7753064801c

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads