688fea79f6e54fc55965fdf379c7046e60ed1cd38de1a615263c35f96994e258

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
27/03/2024, 12:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-27_1f4f47f0e24d20794d3f079b1c796c25_goldeneye.exe
Size

168KB
MD5

1f4f47f0e24d20794d3f079b1c796c25
SHA1

d6d292b592adccefe10ef9b066e23eb5bc9f6fab
SHA256

688fea79f6e54fc55965fdf379c7046e60ed1cd38de1a615263c35f96994e258
SHA512

725088d1d8c1f4c5d260f6b857ef8bece22d6d629ed72b2a559c851435d3c6dd8ee278623586803afa7c13689d39b4b0cbd755e210e2dcfc4ec9c78b2572e353
SSDEEP

1536:1EGh0oflq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oflqOPOe2MUVg3Ve+rX

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000d000000014267-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000900000001441e-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f00000000f680-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a00000001441e-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001000000000f680-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b00000001441e-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001100000000f680-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c00000001441e-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001200000000f680-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d00000001441e-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001300000000f680-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2BCB4799-09F2-48eb-85CE-64E363C80F1F}\stubpath = "C:\\Windows\\{2BCB4799-09F2-48eb-85CE-64E363C80F1F}.exe"	{63BEFD00-17E3-49eb-9838-D82A6D472DA1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B7EDD701-ED6C-4391-81B7-BCA338439C17}	{F5D29E36-5486-4d47-AAA2-CFE3084D2D82}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3DA7A024-4CF9-4284-9EE7-A95931035C34}\stubpath = "C:\\Windows\\{3DA7A024-4CF9-4284-9EE7-A95931035C34}.exe"	{28A79BF5-1CFC-4560-A7C4-F6457281E223}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{622E088D-DD01-4da6-AAD3-EDCFB1A34608}	{89FFB3B1-CD22-4210-A59C-1795C2B4DC4F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{407DA0D7-E479-431f-98D9-76A7B3C74A3D}	2024-03-27_1f4f47f0e24d20794d3f079b1c796c25_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{63BEFD00-17E3-49eb-9838-D82A6D472DA1}	{407DA0D7-E479-431f-98D9-76A7B3C74A3D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F5D29E36-5486-4d47-AAA2-CFE3084D2D82}\stubpath = "C:\\Windows\\{F5D29E36-5486-4d47-AAA2-CFE3084D2D82}.exe"	{2BCB4799-09F2-48eb-85CE-64E363C80F1F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3DA7A024-4CF9-4284-9EE7-A95931035C34}	{28A79BF5-1CFC-4560-A7C4-F6457281E223}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F9B7DF52-6AF6-4fab-AE50-E3AFC3821F89}	{3DA7A024-4CF9-4284-9EE7-A95931035C34}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F9B7DF52-6AF6-4fab-AE50-E3AFC3821F89}\stubpath = "C:\\Windows\\{F9B7DF52-6AF6-4fab-AE50-E3AFC3821F89}.exe"	{3DA7A024-4CF9-4284-9EE7-A95931035C34}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{407DA0D7-E479-431f-98D9-76A7B3C74A3D}\stubpath = "C:\\Windows\\{407DA0D7-E479-431f-98D9-76A7B3C74A3D}.exe"	2024-03-27_1f4f47f0e24d20794d3f079b1c796c25_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{28A79BF5-1CFC-4560-A7C4-F6457281E223}	{B7EDD701-ED6C-4391-81B7-BCA338439C17}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7EF9E920-F522-45b7-8E6F-4566B960F1A3}	{F9B7DF52-6AF6-4fab-AE50-E3AFC3821F89}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7EF9E920-F522-45b7-8E6F-4566B960F1A3}\stubpath = "C:\\Windows\\{7EF9E920-F522-45b7-8E6F-4566B960F1A3}.exe"	{F9B7DF52-6AF6-4fab-AE50-E3AFC3821F89}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{89FFB3B1-CD22-4210-A59C-1795C2B4DC4F}	{7EF9E920-F522-45b7-8E6F-4566B960F1A3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{89FFB3B1-CD22-4210-A59C-1795C2B4DC4F}\stubpath = "C:\\Windows\\{89FFB3B1-CD22-4210-A59C-1795C2B4DC4F}.exe"	{7EF9E920-F522-45b7-8E6F-4566B960F1A3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B7EDD701-ED6C-4391-81B7-BCA338439C17}\stubpath = "C:\\Windows\\{B7EDD701-ED6C-4391-81B7-BCA338439C17}.exe"	{F5D29E36-5486-4d47-AAA2-CFE3084D2D82}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2BCB4799-09F2-48eb-85CE-64E363C80F1F}	{63BEFD00-17E3-49eb-9838-D82A6D472DA1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F5D29E36-5486-4d47-AAA2-CFE3084D2D82}	{2BCB4799-09F2-48eb-85CE-64E363C80F1F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{28A79BF5-1CFC-4560-A7C4-F6457281E223}\stubpath = "C:\\Windows\\{28A79BF5-1CFC-4560-A7C4-F6457281E223}.exe"	{B7EDD701-ED6C-4391-81B7-BCA338439C17}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{622E088D-DD01-4da6-AAD3-EDCFB1A34608}\stubpath = "C:\\Windows\\{622E088D-DD01-4da6-AAD3-EDCFB1A34608}.exe"	{89FFB3B1-CD22-4210-A59C-1795C2B4DC4F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{63BEFD00-17E3-49eb-9838-D82A6D472DA1}\stubpath = "C:\\Windows\\{63BEFD00-17E3-49eb-9838-D82A6D472DA1}.exe"	{407DA0D7-E479-431f-98D9-76A7B3C74A3D}.exe

Deletes itself 1 IoCs

pid	Process
2152	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
1056	{407DA0D7-E479-431f-98D9-76A7B3C74A3D}.exe
2900	{63BEFD00-17E3-49eb-9838-D82A6D472DA1}.exe
2812	{2BCB4799-09F2-48eb-85CE-64E363C80F1F}.exe
2420	{F5D29E36-5486-4d47-AAA2-CFE3084D2D82}.exe
2360	{B7EDD701-ED6C-4391-81B7-BCA338439C17}.exe
1344	{28A79BF5-1CFC-4560-A7C4-F6457281E223}.exe
1780	{3DA7A024-4CF9-4284-9EE7-A95931035C34}.exe
1368	{F9B7DF52-6AF6-4fab-AE50-E3AFC3821F89}.exe
1620	{7EF9E920-F522-45b7-8E6F-4566B960F1A3}.exe
1636	{89FFB3B1-CD22-4210-A59C-1795C2B4DC4F}.exe
2996	{622E088D-DD01-4da6-AAD3-EDCFB1A34608}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{F5D29E36-5486-4d47-AAA2-CFE3084D2D82}.exe	{2BCB4799-09F2-48eb-85CE-64E363C80F1F}.exe
File created	C:\Windows\{28A79BF5-1CFC-4560-A7C4-F6457281E223}.exe	{B7EDD701-ED6C-4391-81B7-BCA338439C17}.exe
File created	C:\Windows\{3DA7A024-4CF9-4284-9EE7-A95931035C34}.exe	{28A79BF5-1CFC-4560-A7C4-F6457281E223}.exe
File created	C:\Windows\{7EF9E920-F522-45b7-8E6F-4566B960F1A3}.exe	{F9B7DF52-6AF6-4fab-AE50-E3AFC3821F89}.exe
File created	C:\Windows\{622E088D-DD01-4da6-AAD3-EDCFB1A34608}.exe	{89FFB3B1-CD22-4210-A59C-1795C2B4DC4F}.exe
File created	C:\Windows\{407DA0D7-E479-431f-98D9-76A7B3C74A3D}.exe	2024-03-27_1f4f47f0e24d20794d3f079b1c796c25_goldeneye.exe
File created	C:\Windows\{2BCB4799-09F2-48eb-85CE-64E363C80F1F}.exe	{63BEFD00-17E3-49eb-9838-D82A6D472DA1}.exe
File created	C:\Windows\{F9B7DF52-6AF6-4fab-AE50-E3AFC3821F89}.exe	{3DA7A024-4CF9-4284-9EE7-A95931035C34}.exe
File created	C:\Windows\{89FFB3B1-CD22-4210-A59C-1795C2B4DC4F}.exe	{7EF9E920-F522-45b7-8E6F-4566B960F1A3}.exe
File created	C:\Windows\{63BEFD00-17E3-49eb-9838-D82A6D472DA1}.exe	{407DA0D7-E479-431f-98D9-76A7B3C74A3D}.exe
File created	C:\Windows\{B7EDD701-ED6C-4391-81B7-BCA338439C17}.exe	{F5D29E36-5486-4d47-AAA2-CFE3084D2D82}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2076	2024-03-27_1f4f47f0e24d20794d3f079b1c796c25_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1056	{407DA0D7-E479-431f-98D9-76A7B3C74A3D}.exe
Token: SeIncBasePriorityPrivilege	2900	{63BEFD00-17E3-49eb-9838-D82A6D472DA1}.exe
Token: SeIncBasePriorityPrivilege	2812	{2BCB4799-09F2-48eb-85CE-64E363C80F1F}.exe
Token: SeIncBasePriorityPrivilege	2420	{F5D29E36-5486-4d47-AAA2-CFE3084D2D82}.exe
Token: SeIncBasePriorityPrivilege	2360	{B7EDD701-ED6C-4391-81B7-BCA338439C17}.exe
Token: SeIncBasePriorityPrivilege	1344	{28A79BF5-1CFC-4560-A7C4-F6457281E223}.exe
Token: SeIncBasePriorityPrivilege	1780	{3DA7A024-4CF9-4284-9EE7-A95931035C34}.exe
Token: SeIncBasePriorityPrivilege	1368	{F9B7DF52-6AF6-4fab-AE50-E3AFC3821F89}.exe
Token: SeIncBasePriorityPrivilege	1620	{7EF9E920-F522-45b7-8E6F-4566B960F1A3}.exe
Token: SeIncBasePriorityPrivilege	1636	{89FFB3B1-CD22-4210-A59C-1795C2B4DC4F}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2076 wrote to memory of 1056	2076	2024-03-27_1f4f47f0e24d20794d3f079b1c796c25_goldeneye.exe	28
PID 2076 wrote to memory of 1056	2076	2024-03-27_1f4f47f0e24d20794d3f079b1c796c25_goldeneye.exe	28
PID 2076 wrote to memory of 1056	2076	2024-03-27_1f4f47f0e24d20794d3f079b1c796c25_goldeneye.exe	28
PID 2076 wrote to memory of 1056	2076	2024-03-27_1f4f47f0e24d20794d3f079b1c796c25_goldeneye.exe	28
PID 2076 wrote to memory of 2152	2076	2024-03-27_1f4f47f0e24d20794d3f079b1c796c25_goldeneye.exe	29
PID 2076 wrote to memory of 2152	2076	2024-03-27_1f4f47f0e24d20794d3f079b1c796c25_goldeneye.exe	29
PID 2076 wrote to memory of 2152	2076	2024-03-27_1f4f47f0e24d20794d3f079b1c796c25_goldeneye.exe	29
PID 2076 wrote to memory of 2152	2076	2024-03-27_1f4f47f0e24d20794d3f079b1c796c25_goldeneye.exe	29
PID 1056 wrote to memory of 2900	1056	{407DA0D7-E479-431f-98D9-76A7B3C74A3D}.exe	30
PID 1056 wrote to memory of 2900	1056	{407DA0D7-E479-431f-98D9-76A7B3C74A3D}.exe	30
PID 1056 wrote to memory of 2900	1056	{407DA0D7-E479-431f-98D9-76A7B3C74A3D}.exe	30
PID 1056 wrote to memory of 2900	1056	{407DA0D7-E479-431f-98D9-76A7B3C74A3D}.exe	30
PID 1056 wrote to memory of 2516	1056	{407DA0D7-E479-431f-98D9-76A7B3C74A3D}.exe	31
PID 1056 wrote to memory of 2516	1056	{407DA0D7-E479-431f-98D9-76A7B3C74A3D}.exe	31
PID 1056 wrote to memory of 2516	1056	{407DA0D7-E479-431f-98D9-76A7B3C74A3D}.exe	31
PID 1056 wrote to memory of 2516	1056	{407DA0D7-E479-431f-98D9-76A7B3C74A3D}.exe	31
PID 2900 wrote to memory of 2812	2900	{63BEFD00-17E3-49eb-9838-D82A6D472DA1}.exe	34
PID 2900 wrote to memory of 2812	2900	{63BEFD00-17E3-49eb-9838-D82A6D472DA1}.exe	34
PID 2900 wrote to memory of 2812	2900	{63BEFD00-17E3-49eb-9838-D82A6D472DA1}.exe	34
PID 2900 wrote to memory of 2812	2900	{63BEFD00-17E3-49eb-9838-D82A6D472DA1}.exe	34
PID 2900 wrote to memory of 2604	2900	{63BEFD00-17E3-49eb-9838-D82A6D472DA1}.exe	35
PID 2900 wrote to memory of 2604	2900	{63BEFD00-17E3-49eb-9838-D82A6D472DA1}.exe	35
PID 2900 wrote to memory of 2604	2900	{63BEFD00-17E3-49eb-9838-D82A6D472DA1}.exe	35
PID 2900 wrote to memory of 2604	2900	{63BEFD00-17E3-49eb-9838-D82A6D472DA1}.exe	35
PID 2812 wrote to memory of 2420	2812	{2BCB4799-09F2-48eb-85CE-64E363C80F1F}.exe	36
PID 2812 wrote to memory of 2420	2812	{2BCB4799-09F2-48eb-85CE-64E363C80F1F}.exe	36
PID 2812 wrote to memory of 2420	2812	{2BCB4799-09F2-48eb-85CE-64E363C80F1F}.exe	36
PID 2812 wrote to memory of 2420	2812	{2BCB4799-09F2-48eb-85CE-64E363C80F1F}.exe	36
PID 2812 wrote to memory of 2168	2812	{2BCB4799-09F2-48eb-85CE-64E363C80F1F}.exe	37
PID 2812 wrote to memory of 2168	2812	{2BCB4799-09F2-48eb-85CE-64E363C80F1F}.exe	37
PID 2812 wrote to memory of 2168	2812	{2BCB4799-09F2-48eb-85CE-64E363C80F1F}.exe	37
PID 2812 wrote to memory of 2168	2812	{2BCB4799-09F2-48eb-85CE-64E363C80F1F}.exe	37
PID 2420 wrote to memory of 2360	2420	{F5D29E36-5486-4d47-AAA2-CFE3084D2D82}.exe	38
PID 2420 wrote to memory of 2360	2420	{F5D29E36-5486-4d47-AAA2-CFE3084D2D82}.exe	38
PID 2420 wrote to memory of 2360	2420	{F5D29E36-5486-4d47-AAA2-CFE3084D2D82}.exe	38
PID 2420 wrote to memory of 2360	2420	{F5D29E36-5486-4d47-AAA2-CFE3084D2D82}.exe	38
PID 2420 wrote to memory of 920	2420	{F5D29E36-5486-4d47-AAA2-CFE3084D2D82}.exe	39
PID 2420 wrote to memory of 920	2420	{F5D29E36-5486-4d47-AAA2-CFE3084D2D82}.exe	39
PID 2420 wrote to memory of 920	2420	{F5D29E36-5486-4d47-AAA2-CFE3084D2D82}.exe	39
PID 2420 wrote to memory of 920	2420	{F5D29E36-5486-4d47-AAA2-CFE3084D2D82}.exe	39
PID 2360 wrote to memory of 1344	2360	{B7EDD701-ED6C-4391-81B7-BCA338439C17}.exe	40
PID 2360 wrote to memory of 1344	2360	{B7EDD701-ED6C-4391-81B7-BCA338439C17}.exe	40
PID 2360 wrote to memory of 1344	2360	{B7EDD701-ED6C-4391-81B7-BCA338439C17}.exe	40
PID 2360 wrote to memory of 1344	2360	{B7EDD701-ED6C-4391-81B7-BCA338439C17}.exe	40
PID 2360 wrote to memory of 1372	2360	{B7EDD701-ED6C-4391-81B7-BCA338439C17}.exe	41
PID 2360 wrote to memory of 1372	2360	{B7EDD701-ED6C-4391-81B7-BCA338439C17}.exe	41
PID 2360 wrote to memory of 1372	2360	{B7EDD701-ED6C-4391-81B7-BCA338439C17}.exe	41
PID 2360 wrote to memory of 1372	2360	{B7EDD701-ED6C-4391-81B7-BCA338439C17}.exe	41
PID 1344 wrote to memory of 1780	1344	{28A79BF5-1CFC-4560-A7C4-F6457281E223}.exe	42
PID 1344 wrote to memory of 1780	1344	{28A79BF5-1CFC-4560-A7C4-F6457281E223}.exe	42
PID 1344 wrote to memory of 1780	1344	{28A79BF5-1CFC-4560-A7C4-F6457281E223}.exe	42
PID 1344 wrote to memory of 1780	1344	{28A79BF5-1CFC-4560-A7C4-F6457281E223}.exe	42
PID 1344 wrote to memory of 748	1344	{28A79BF5-1CFC-4560-A7C4-F6457281E223}.exe	43
PID 1344 wrote to memory of 748	1344	{28A79BF5-1CFC-4560-A7C4-F6457281E223}.exe	43
PID 1344 wrote to memory of 748	1344	{28A79BF5-1CFC-4560-A7C4-F6457281E223}.exe	43
PID 1344 wrote to memory of 748	1344	{28A79BF5-1CFC-4560-A7C4-F6457281E223}.exe	43
PID 1780 wrote to memory of 1368	1780	{3DA7A024-4CF9-4284-9EE7-A95931035C34}.exe	44
PID 1780 wrote to memory of 1368	1780	{3DA7A024-4CF9-4284-9EE7-A95931035C34}.exe	44
PID 1780 wrote to memory of 1368	1780	{3DA7A024-4CF9-4284-9EE7-A95931035C34}.exe	44
PID 1780 wrote to memory of 1368	1780	{3DA7A024-4CF9-4284-9EE7-A95931035C34}.exe	44
PID 1780 wrote to memory of 2336	1780	{3DA7A024-4CF9-4284-9EE7-A95931035C34}.exe	45
PID 1780 wrote to memory of 2336	1780	{3DA7A024-4CF9-4284-9EE7-A95931035C34}.exe	45
PID 1780 wrote to memory of 2336	1780	{3DA7A024-4CF9-4284-9EE7-A95931035C34}.exe	45
PID 1780 wrote to memory of 2336	1780	{3DA7A024-4CF9-4284-9EE7-A95931035C34}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-03-27_1f4f47f0e24d20794d3f079b1c796c25_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-27_1f4f47f0e24d20794d3f079b1c796c25_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2076
- C:\Windows\{407DA0D7-E479-431f-98D9-76A7B3C74A3D}.exe
  C:\Windows\{407DA0D7-E479-431f-98D9-76A7B3C74A3D}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1056
- - C:\Windows\{63BEFD00-17E3-49eb-9838-D82A6D472DA1}.exe
    C:\Windows\{63BEFD00-17E3-49eb-9838-D82A6D472DA1}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2900
  - - C:\Windows\{2BCB4799-09F2-48eb-85CE-64E363C80F1F}.exe
      C:\Windows\{2BCB4799-09F2-48eb-85CE-64E363C80F1F}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2812
    - - C:\Windows\{F5D29E36-5486-4d47-AAA2-CFE3084D2D82}.exe
        
        C:\Windows\{F5D29E36-5486-4d47-AAA2-CFE3084D2D82}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2420
      - C:\Windows\{B7EDD701-ED6C-4391-81B7-BCA338439C17}.exe
        
        C:\Windows\{B7EDD701-ED6C-4391-81B7-BCA338439C17}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2360
        
        C:\Windows\{28A79BF5-1CFC-4560-A7C4-F6457281E223}.exe
        
        C:\Windows\{28A79BF5-1CFC-4560-A7C4-F6457281E223}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1344
        
        C:\Windows\{3DA7A024-4CF9-4284-9EE7-A95931035C34}.exe
        
        C:\Windows\{3DA7A024-4CF9-4284-9EE7-A95931035C34}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1780
        
        C:\Windows\{F9B7DF52-6AF6-4fab-AE50-E3AFC3821F89}.exe
        
        C:\Windows\{F9B7DF52-6AF6-4fab-AE50-E3AFC3821F89}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1368
        
        C:\Windows\{7EF9E920-F522-45b7-8E6F-4566B960F1A3}.exe
        
        C:\Windows\{7EF9E920-F522-45b7-8E6F-4566B960F1A3}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1620
        
        C:\Windows\{89FFB3B1-CD22-4210-A59C-1795C2B4DC4F}.exe
        
        C:\Windows\{89FFB3B1-CD22-4210-A59C-1795C2B4DC4F}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1636
        
        C:\Windows\{622E088D-DD01-4da6-AAD3-EDCFB1A34608}.exe
        
        C:\Windows\{622E088D-DD01-4da6-AAD3-EDCFB1A34608}.exe
        12⤵
        Executes dropped EXE
        
        PID:2996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{89FFB~1.EXE > nul
        12⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7EF9E~1.EXE > nul
        11⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F9B7D~1.EXE > nul
        10⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3DA7A~1.EXE > nul
        9⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{28A79~1.EXE > nul
        8⤵
        
        PID:748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B7EDD~1.EXE > nul
        7⤵
        
        PID:1372
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F5D29~1.EXE > nul
        6⤵
        
        PID:920
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2BCB4~1.EXE > nul
        5⤵
        
        PID:2168
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{63BEF~1.EXE > nul
      4⤵
      PID:2604
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{407DA~1.EXE > nul
    3⤵
    PID:2516
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{28A79BF5-1CFC-4560-A7C4-F6457281E223}.exe

Filesize
168KB

MD5
8cc2a121e23195983c73450f82c9f89e

SHA1
f01219f34eb26398b80b6c4c60c103b6be91b859

SHA256
df5c085cf3de23daa3f38ea043c8a4cccdc86e4abb41738b575a6234955ab493

SHA512
0f60315972f67f59d13b25bb8e2bdb4922d8c7a61a37144f287f7be9c95e4abe95548c8ac8fa8c4bbab131b14a92fc66fd7181c3327b509f7e4e1332997c3b01

Download Submit
C:\Windows\{2BCB4799-09F2-48eb-85CE-64E363C80F1F}.exe

Filesize
168KB

MD5
484c7c81bb1135778ef6359b43e00ae9

SHA1
5caa05ac1a40aebbcbfc80d8cb6ce6bdfeae33de

SHA256
e2a6dbb2d5ebf0f025aa5174d9723d8586b6c38c56d49d9e26f287cd20938900

SHA512
1cbb204bc29aa6ca294ebadba719f3b546a1ba8b2ba1154208e98df0fb0e7e6d3e3bb6241516b451f6d7adb152d91e11b472d4552bf32036fcd08723340bef58

Download Submit
C:\Windows\{3DA7A024-4CF9-4284-9EE7-A95931035C34}.exe

Filesize
168KB

MD5
32bab3661acafe1526c4f39071a95a0f

SHA1
399f64cba60fa35785878c4f19e50e407ee81d8a

SHA256
1c57a735b33028efd21c2c51cf93bd5de3d7891de928f3ce245f06f49cfbe05b

SHA512
f3e9d21ef0b752ec21d62bc101a32da58aa2d40a1834b8e1abd0e30e7630e3721b7cf62391636b78c80bae83c7ec69a438290fc34b088c6dba90477b483edb79

Download Submit
C:\Windows\{407DA0D7-E479-431f-98D9-76A7B3C74A3D}.exe

Filesize
168KB

MD5
64c7bf70514f8d9d92b2a196ea6384b8

SHA1
3d40e5d1c36be922e6eda70abc9cce2eb7bbbda7

SHA256
701d85be9bde4c1636dfc5573b9959b54f0ab5267c3c10c27b75cbabb0d2bd65

SHA512
e8cc2c57cbcbcdd813010a8ffd262056ec4e06f497d8caa6608e6174d2ef984a7231cc98a7e9bad3958ac0533cf757d41906751b773f1bcbdddac744f8d48831

Download Submit
C:\Windows\{622E088D-DD01-4da6-AAD3-EDCFB1A34608}.exe

Filesize
168KB

MD5
9bee3878e24d25cd3e4f9f5a5e529f6d

SHA1
a51937dedcb33f298d96b529ed208d62b6b48f94

SHA256
15e6d0dbe61bf21b7f109c213c5e2d47c8a6d0145b040c310d2669440a78a9c4

SHA512
14218f17f906a3935f8789cedde47c07504fc341ef5de8a142c46afb264bd0a90d1d9c6ce2b6b391548b9616275e8f4f4d72246516f5f68bd5666587c3aa94f5

Download Submit
C:\Windows\{63BEFD00-17E3-49eb-9838-D82A6D472DA1}.exe

Filesize
168KB

MD5
d650ed9ec50a4f5f501e5a0dbcfa83f1

SHA1
d369bbdbe17bd737825d5059c7d5a3da3bf814d2

SHA256
0c6ef460a9fb9ee2d48643d8b27e6a69965d4cabbc9e0f38d0f45aa45968c605

SHA512
961c7b54a29a33130d99e96f699fec98b9423a5d3332f0e3e929d723d2156999126792424916462dfe67a624368e9e7dbe5543556b8b59feba288df222e3de42

Download Submit
C:\Windows\{7EF9E920-F522-45b7-8E6F-4566B960F1A3}.exe

Filesize
168KB

MD5
e69df87da5d03e930f6209b0f5449de4

SHA1
8b075b54905867b4e5c2107410dc8abbd08e2be5

SHA256
4acc211148d986fbab29d1e890c79791f3c3e58c4905e69cca87bb223471fc95

SHA512
b4bfc79a7d49ece27485fc7f3bfc290fcb075024b9a8444f45ded52b1d3a1bedbdfa4aa8af69faccc279ce704d4c1af6bc74c9463117b085a791c13156e74ceb

Download Submit
C:\Windows\{89FFB3B1-CD22-4210-A59C-1795C2B4DC4F}.exe

Filesize
168KB

MD5
b443e0a6fab3fa25f5231ec3b17d8885

SHA1
266cd9e15c9a406f09002530e3fa5ddcca73e707

SHA256
6aab9fd67a42fbcc00cb9616aebb0793860a85afd86ae05fae5e20b57b977176

SHA512
25e1ef8b07d84095e8c8b540514ad47adcc15231d2ea988d2ec5a335336c5ff9204ba801bab9d194538133c7de7d604904861c46a04efdcf1b03f91d68c55927

Download Submit
C:\Windows\{B7EDD701-ED6C-4391-81B7-BCA338439C17}.exe

Filesize
168KB

MD5
acc7e33f5cb1820b8faa4f1e71794c82

SHA1
652e196b7f30d3895962c6275df6281687eaf4fe

SHA256
e2043deb1c1c398a35f988daca9cdcdb6f19f7921ec46fc11b2db1aca916e5bb

SHA512
3daf86330c32d207ba89552ac6e4df9453e495b865f87f7ae1d74df5285366494c9e3cd1457df9839906efe27f194e8a32c41e925d095c017b3675263f1cc067

Download Submit
C:\Windows\{F5D29E36-5486-4d47-AAA2-CFE3084D2D82}.exe

Filesize
168KB

MD5
c05129300fd19c08b6b16b403d9b29be

SHA1
6ab0fb49653687db3d14b8b0855bb308c0bb3f0a

SHA256
df3a9d43d8b58090596ff27df413ffe9d66a1ee60d2e9714d6a30c3af49c1422

SHA512
3fd5b032f5bcede5a32680f47596748c8695cabdf45b376001ab7a6357b891dc08467a0ec60bc3fcee732b98d5253fdbe0e5601aee420c7438c1422a98776575

Download Submit
C:\Windows\{F9B7DF52-6AF6-4fab-AE50-E3AFC3821F89}.exe

Filesize
168KB

MD5
e320dc427eda2754e43e406a11d3b2c9

SHA1
04853ab9fdc9c4a50ec8a478ebd9d1eec8caec83

SHA256
fc211a2c538b9c551e8b234614c2896d3af409ce01fcdaf00ff5660f59e18708

SHA512
60fd6620b1ab196ff035d5ddee212327d1ce69c940ba2f812ad5aa4f1d510090d5528e30ebdfc4ac7e26d172c8819eef332a209d1e737a8ac1e7ede76275fe85

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads