541e80f3404e2463c32d1f70ce674b7a6b18538e86f2e19e3c84de8c317e6b09

Analysis

max time kernel
144s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
29/03/2024, 04:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-29_21b267991b6bdae6c8c135b96bbf717c_goldeneye.exe
Size

168KB
MD5

21b267991b6bdae6c8c135b96bbf717c
SHA1

a0de5c63f2eca243da4cc4867b03866b1c6af4a1
SHA256

541e80f3404e2463c32d1f70ce674b7a6b18538e86f2e19e3c84de8c317e6b09
SHA512

5b47290570525273f0e49a0ed7ecf75fe55a156c2704e37bbbbe04fe15919b1f4309f5ec64dcd40a1bb0eeeb3a820178536c02ebbd0993872d32c17451520d84
SSDEEP

1536:1EGh0odlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0odlqOPOe2MUVg3Ve+rX

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000a000000014a94-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b000000014fe1-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f00000000f680-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000014fe1-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001000000000f680-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000014fe1-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001100000000f680-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e000000014fe1-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001200000000f680-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f000000014fe1-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001300000000f680-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0EA2B19A-CD33-4234-B781-1CE5B6089C9C}	{978D4B71-CDB8-4cab-A8D1-3A4CB1164F5C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0EA2B19A-CD33-4234-B781-1CE5B6089C9C}\stubpath = "C:\\Windows\\{0EA2B19A-CD33-4234-B781-1CE5B6089C9C}.exe"	{978D4B71-CDB8-4cab-A8D1-3A4CB1164F5C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EC1EC042-42EE-4859-BFC0-2C62CD1F7632}\stubpath = "C:\\Windows\\{EC1EC042-42EE-4859-BFC0-2C62CD1F7632}.exe"	{0EA2B19A-CD33-4234-B781-1CE5B6089C9C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{64C0326B-A4FA-464c-8B45-D29007DCE603}	{BC702CEC-B1F8-42a7-A2C4-3EB5D1185749}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E846ED7B-BFD5-49ef-9A24-3D6D05F7731F}	{F390E933-DC26-4fe1-ADF1-70A87F09AAFD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B4EBCCC2-CBCA-4bb3-88AF-28F6F7B5AD2E}	{C28265AD-B8FA-4e69-9302-027DB68EA349}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D2CC4A19-ED62-4e5e-8B42-2F6AD4914D7F}	{84C710BE-F3B6-4683-8473-85A21910E8C5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F390E933-DC26-4fe1-ADF1-70A87F09AAFD}	{D2CC4A19-ED62-4e5e-8B42-2F6AD4914D7F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E846ED7B-BFD5-49ef-9A24-3D6D05F7731F}\stubpath = "C:\\Windows\\{E846ED7B-BFD5-49ef-9A24-3D6D05F7731F}.exe"	{F390E933-DC26-4fe1-ADF1-70A87F09AAFD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C28265AD-B8FA-4e69-9302-027DB68EA349}	{E846ED7B-BFD5-49ef-9A24-3D6D05F7731F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B4EBCCC2-CBCA-4bb3-88AF-28F6F7B5AD2E}\stubpath = "C:\\Windows\\{B4EBCCC2-CBCA-4bb3-88AF-28F6F7B5AD2E}.exe"	{C28265AD-B8FA-4e69-9302-027DB68EA349}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BC702CEC-B1F8-42a7-A2C4-3EB5D1185749}	2024-03-29_21b267991b6bdae6c8c135b96bbf717c_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{84C710BE-F3B6-4683-8473-85A21910E8C5}	{64C0326B-A4FA-464c-8B45-D29007DCE603}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{84C710BE-F3B6-4683-8473-85A21910E8C5}\stubpath = "C:\\Windows\\{84C710BE-F3B6-4683-8473-85A21910E8C5}.exe"	{64C0326B-A4FA-464c-8B45-D29007DCE603}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{978D4B71-CDB8-4cab-A8D1-3A4CB1164F5C}\stubpath = "C:\\Windows\\{978D4B71-CDB8-4cab-A8D1-3A4CB1164F5C}.exe"	{B4EBCCC2-CBCA-4bb3-88AF-28F6F7B5AD2E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C28265AD-B8FA-4e69-9302-027DB68EA349}\stubpath = "C:\\Windows\\{C28265AD-B8FA-4e69-9302-027DB68EA349}.exe"	{E846ED7B-BFD5-49ef-9A24-3D6D05F7731F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{978D4B71-CDB8-4cab-A8D1-3A4CB1164F5C}	{B4EBCCC2-CBCA-4bb3-88AF-28F6F7B5AD2E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EC1EC042-42EE-4859-BFC0-2C62CD1F7632}	{0EA2B19A-CD33-4234-B781-1CE5B6089C9C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BC702CEC-B1F8-42a7-A2C4-3EB5D1185749}\stubpath = "C:\\Windows\\{BC702CEC-B1F8-42a7-A2C4-3EB5D1185749}.exe"	2024-03-29_21b267991b6bdae6c8c135b96bbf717c_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{64C0326B-A4FA-464c-8B45-D29007DCE603}\stubpath = "C:\\Windows\\{64C0326B-A4FA-464c-8B45-D29007DCE603}.exe"	{BC702CEC-B1F8-42a7-A2C4-3EB5D1185749}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D2CC4A19-ED62-4e5e-8B42-2F6AD4914D7F}\stubpath = "C:\\Windows\\{D2CC4A19-ED62-4e5e-8B42-2F6AD4914D7F}.exe"	{84C710BE-F3B6-4683-8473-85A21910E8C5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F390E933-DC26-4fe1-ADF1-70A87F09AAFD}\stubpath = "C:\\Windows\\{F390E933-DC26-4fe1-ADF1-70A87F09AAFD}.exe"	{D2CC4A19-ED62-4e5e-8B42-2F6AD4914D7F}.exe

Deletes itself 1 IoCs

pid	Process
2228	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
1392	{BC702CEC-B1F8-42a7-A2C4-3EB5D1185749}.exe
2488	{64C0326B-A4FA-464c-8B45-D29007DCE603}.exe
2380	{84C710BE-F3B6-4683-8473-85A21910E8C5}.exe
2772	{D2CC4A19-ED62-4e5e-8B42-2F6AD4914D7F}.exe
1660	{F390E933-DC26-4fe1-ADF1-70A87F09AAFD}.exe
572	{E846ED7B-BFD5-49ef-9A24-3D6D05F7731F}.exe
1704	{C28265AD-B8FA-4e69-9302-027DB68EA349}.exe
1960	{B4EBCCC2-CBCA-4bb3-88AF-28F6F7B5AD2E}.exe
940	{978D4B71-CDB8-4cab-A8D1-3A4CB1164F5C}.exe
2584	{0EA2B19A-CD33-4234-B781-1CE5B6089C9C}.exe
2252	{EC1EC042-42EE-4859-BFC0-2C62CD1F7632}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{64C0326B-A4FA-464c-8B45-D29007DCE603}.exe	{BC702CEC-B1F8-42a7-A2C4-3EB5D1185749}.exe
File created	C:\Windows\{84C710BE-F3B6-4683-8473-85A21910E8C5}.exe	{64C0326B-A4FA-464c-8B45-D29007DCE603}.exe
File created	C:\Windows\{C28265AD-B8FA-4e69-9302-027DB68EA349}.exe	{E846ED7B-BFD5-49ef-9A24-3D6D05F7731F}.exe
File created	C:\Windows\{978D4B71-CDB8-4cab-A8D1-3A4CB1164F5C}.exe	{B4EBCCC2-CBCA-4bb3-88AF-28F6F7B5AD2E}.exe
File created	C:\Windows\{0EA2B19A-CD33-4234-B781-1CE5B6089C9C}.exe	{978D4B71-CDB8-4cab-A8D1-3A4CB1164F5C}.exe
File created	C:\Windows\{BC702CEC-B1F8-42a7-A2C4-3EB5D1185749}.exe	2024-03-29_21b267991b6bdae6c8c135b96bbf717c_goldeneye.exe
File created	C:\Windows\{F390E933-DC26-4fe1-ADF1-70A87F09AAFD}.exe	{D2CC4A19-ED62-4e5e-8B42-2F6AD4914D7F}.exe
File created	C:\Windows\{E846ED7B-BFD5-49ef-9A24-3D6D05F7731F}.exe	{F390E933-DC26-4fe1-ADF1-70A87F09AAFD}.exe
File created	C:\Windows\{B4EBCCC2-CBCA-4bb3-88AF-28F6F7B5AD2E}.exe	{C28265AD-B8FA-4e69-9302-027DB68EA349}.exe
File created	C:\Windows\{EC1EC042-42EE-4859-BFC0-2C62CD1F7632}.exe	{0EA2B19A-CD33-4234-B781-1CE5B6089C9C}.exe
File created	C:\Windows\{D2CC4A19-ED62-4e5e-8B42-2F6AD4914D7F}.exe	{84C710BE-F3B6-4683-8473-85A21910E8C5}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2812	2024-03-29_21b267991b6bdae6c8c135b96bbf717c_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1392	{BC702CEC-B1F8-42a7-A2C4-3EB5D1185749}.exe
Token: SeIncBasePriorityPrivilege	2488	{64C0326B-A4FA-464c-8B45-D29007DCE603}.exe
Token: SeIncBasePriorityPrivilege	2380	{84C710BE-F3B6-4683-8473-85A21910E8C5}.exe
Token: SeIncBasePriorityPrivilege	2772	{D2CC4A19-ED62-4e5e-8B42-2F6AD4914D7F}.exe
Token: SeIncBasePriorityPrivilege	1660	{F390E933-DC26-4fe1-ADF1-70A87F09AAFD}.exe
Token: SeIncBasePriorityPrivilege	572	{E846ED7B-BFD5-49ef-9A24-3D6D05F7731F}.exe
Token: SeIncBasePriorityPrivilege	1704	{C28265AD-B8FA-4e69-9302-027DB68EA349}.exe
Token: SeIncBasePriorityPrivilege	1960	{B4EBCCC2-CBCA-4bb3-88AF-28F6F7B5AD2E}.exe
Token: SeIncBasePriorityPrivilege	940	{978D4B71-CDB8-4cab-A8D1-3A4CB1164F5C}.exe
Token: SeIncBasePriorityPrivilege	2584	{0EA2B19A-CD33-4234-B781-1CE5B6089C9C}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2812 wrote to memory of 1392	2812	2024-03-29_21b267991b6bdae6c8c135b96bbf717c_goldeneye.exe	28
PID 2812 wrote to memory of 1392	2812	2024-03-29_21b267991b6bdae6c8c135b96bbf717c_goldeneye.exe	28
PID 2812 wrote to memory of 1392	2812	2024-03-29_21b267991b6bdae6c8c135b96bbf717c_goldeneye.exe	28
PID 2812 wrote to memory of 1392	2812	2024-03-29_21b267991b6bdae6c8c135b96bbf717c_goldeneye.exe	28
PID 2812 wrote to memory of 2228	2812	2024-03-29_21b267991b6bdae6c8c135b96bbf717c_goldeneye.exe	29
PID 2812 wrote to memory of 2228	2812	2024-03-29_21b267991b6bdae6c8c135b96bbf717c_goldeneye.exe	29
PID 2812 wrote to memory of 2228	2812	2024-03-29_21b267991b6bdae6c8c135b96bbf717c_goldeneye.exe	29
PID 2812 wrote to memory of 2228	2812	2024-03-29_21b267991b6bdae6c8c135b96bbf717c_goldeneye.exe	29
PID 1392 wrote to memory of 2488	1392	{BC702CEC-B1F8-42a7-A2C4-3EB5D1185749}.exe	30
PID 1392 wrote to memory of 2488	1392	{BC702CEC-B1F8-42a7-A2C4-3EB5D1185749}.exe	30
PID 1392 wrote to memory of 2488	1392	{BC702CEC-B1F8-42a7-A2C4-3EB5D1185749}.exe	30
PID 1392 wrote to memory of 2488	1392	{BC702CEC-B1F8-42a7-A2C4-3EB5D1185749}.exe	30
PID 1392 wrote to memory of 2608	1392	{BC702CEC-B1F8-42a7-A2C4-3EB5D1185749}.exe	31
PID 1392 wrote to memory of 2608	1392	{BC702CEC-B1F8-42a7-A2C4-3EB5D1185749}.exe	31
PID 1392 wrote to memory of 2608	1392	{BC702CEC-B1F8-42a7-A2C4-3EB5D1185749}.exe	31
PID 1392 wrote to memory of 2608	1392	{BC702CEC-B1F8-42a7-A2C4-3EB5D1185749}.exe	31
PID 2488 wrote to memory of 2380	2488	{64C0326B-A4FA-464c-8B45-D29007DCE603}.exe	34
PID 2488 wrote to memory of 2380	2488	{64C0326B-A4FA-464c-8B45-D29007DCE603}.exe	34
PID 2488 wrote to memory of 2380	2488	{64C0326B-A4FA-464c-8B45-D29007DCE603}.exe	34
PID 2488 wrote to memory of 2380	2488	{64C0326B-A4FA-464c-8B45-D29007DCE603}.exe	34
PID 2488 wrote to memory of 2336	2488	{64C0326B-A4FA-464c-8B45-D29007DCE603}.exe	35
PID 2488 wrote to memory of 2336	2488	{64C0326B-A4FA-464c-8B45-D29007DCE603}.exe	35
PID 2488 wrote to memory of 2336	2488	{64C0326B-A4FA-464c-8B45-D29007DCE603}.exe	35
PID 2488 wrote to memory of 2336	2488	{64C0326B-A4FA-464c-8B45-D29007DCE603}.exe	35
PID 2380 wrote to memory of 2772	2380	{84C710BE-F3B6-4683-8473-85A21910E8C5}.exe	36
PID 2380 wrote to memory of 2772	2380	{84C710BE-F3B6-4683-8473-85A21910E8C5}.exe	36
PID 2380 wrote to memory of 2772	2380	{84C710BE-F3B6-4683-8473-85A21910E8C5}.exe	36
PID 2380 wrote to memory of 2772	2380	{84C710BE-F3B6-4683-8473-85A21910E8C5}.exe	36
PID 2380 wrote to memory of 1856	2380	{84C710BE-F3B6-4683-8473-85A21910E8C5}.exe	37
PID 2380 wrote to memory of 1856	2380	{84C710BE-F3B6-4683-8473-85A21910E8C5}.exe	37
PID 2380 wrote to memory of 1856	2380	{84C710BE-F3B6-4683-8473-85A21910E8C5}.exe	37
PID 2380 wrote to memory of 1856	2380	{84C710BE-F3B6-4683-8473-85A21910E8C5}.exe	37
PID 2772 wrote to memory of 1660	2772	{D2CC4A19-ED62-4e5e-8B42-2F6AD4914D7F}.exe	38
PID 2772 wrote to memory of 1660	2772	{D2CC4A19-ED62-4e5e-8B42-2F6AD4914D7F}.exe	38
PID 2772 wrote to memory of 1660	2772	{D2CC4A19-ED62-4e5e-8B42-2F6AD4914D7F}.exe	38
PID 2772 wrote to memory of 1660	2772	{D2CC4A19-ED62-4e5e-8B42-2F6AD4914D7F}.exe	38
PID 2772 wrote to memory of 812	2772	{D2CC4A19-ED62-4e5e-8B42-2F6AD4914D7F}.exe	39
PID 2772 wrote to memory of 812	2772	{D2CC4A19-ED62-4e5e-8B42-2F6AD4914D7F}.exe	39
PID 2772 wrote to memory of 812	2772	{D2CC4A19-ED62-4e5e-8B42-2F6AD4914D7F}.exe	39
PID 2772 wrote to memory of 812	2772	{D2CC4A19-ED62-4e5e-8B42-2F6AD4914D7F}.exe	39
PID 1660 wrote to memory of 572	1660	{F390E933-DC26-4fe1-ADF1-70A87F09AAFD}.exe	40
PID 1660 wrote to memory of 572	1660	{F390E933-DC26-4fe1-ADF1-70A87F09AAFD}.exe	40
PID 1660 wrote to memory of 572	1660	{F390E933-DC26-4fe1-ADF1-70A87F09AAFD}.exe	40
PID 1660 wrote to memory of 572	1660	{F390E933-DC26-4fe1-ADF1-70A87F09AAFD}.exe	40
PID 1660 wrote to memory of 696	1660	{F390E933-DC26-4fe1-ADF1-70A87F09AAFD}.exe	41
PID 1660 wrote to memory of 696	1660	{F390E933-DC26-4fe1-ADF1-70A87F09AAFD}.exe	41
PID 1660 wrote to memory of 696	1660	{F390E933-DC26-4fe1-ADF1-70A87F09AAFD}.exe	41
PID 1660 wrote to memory of 696	1660	{F390E933-DC26-4fe1-ADF1-70A87F09AAFD}.exe	41
PID 572 wrote to memory of 1704	572	{E846ED7B-BFD5-49ef-9A24-3D6D05F7731F}.exe	42
PID 572 wrote to memory of 1704	572	{E846ED7B-BFD5-49ef-9A24-3D6D05F7731F}.exe	42
PID 572 wrote to memory of 1704	572	{E846ED7B-BFD5-49ef-9A24-3D6D05F7731F}.exe	42
PID 572 wrote to memory of 1704	572	{E846ED7B-BFD5-49ef-9A24-3D6D05F7731F}.exe	42
PID 572 wrote to memory of 1936	572	{E846ED7B-BFD5-49ef-9A24-3D6D05F7731F}.exe	43
PID 572 wrote to memory of 1936	572	{E846ED7B-BFD5-49ef-9A24-3D6D05F7731F}.exe	43
PID 572 wrote to memory of 1936	572	{E846ED7B-BFD5-49ef-9A24-3D6D05F7731F}.exe	43
PID 572 wrote to memory of 1936	572	{E846ED7B-BFD5-49ef-9A24-3D6D05F7731F}.exe	43
PID 1704 wrote to memory of 1960	1704	{C28265AD-B8FA-4e69-9302-027DB68EA349}.exe	44
PID 1704 wrote to memory of 1960	1704	{C28265AD-B8FA-4e69-9302-027DB68EA349}.exe	44
PID 1704 wrote to memory of 1960	1704	{C28265AD-B8FA-4e69-9302-027DB68EA349}.exe	44
PID 1704 wrote to memory of 1960	1704	{C28265AD-B8FA-4e69-9302-027DB68EA349}.exe	44
PID 1704 wrote to memory of 1648	1704	{C28265AD-B8FA-4e69-9302-027DB68EA349}.exe	45
PID 1704 wrote to memory of 1648	1704	{C28265AD-B8FA-4e69-9302-027DB68EA349}.exe	45
PID 1704 wrote to memory of 1648	1704	{C28265AD-B8FA-4e69-9302-027DB68EA349}.exe	45
PID 1704 wrote to memory of 1648	1704	{C28265AD-B8FA-4e69-9302-027DB68EA349}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-03-29_21b267991b6bdae6c8c135b96bbf717c_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-29_21b267991b6bdae6c8c135b96bbf717c_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2812
- C:\Windows\{BC702CEC-B1F8-42a7-A2C4-3EB5D1185749}.exe
  C:\Windows\{BC702CEC-B1F8-42a7-A2C4-3EB5D1185749}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1392
- - C:\Windows\{64C0326B-A4FA-464c-8B45-D29007DCE603}.exe
    C:\Windows\{64C0326B-A4FA-464c-8B45-D29007DCE603}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2488
  - - C:\Windows\{84C710BE-F3B6-4683-8473-85A21910E8C5}.exe
      C:\Windows\{84C710BE-F3B6-4683-8473-85A21910E8C5}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2380
    - - C:\Windows\{D2CC4A19-ED62-4e5e-8B42-2F6AD4914D7F}.exe
        
        C:\Windows\{D2CC4A19-ED62-4e5e-8B42-2F6AD4914D7F}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2772
      - C:\Windows\{F390E933-DC26-4fe1-ADF1-70A87F09AAFD}.exe
        
        C:\Windows\{F390E933-DC26-4fe1-ADF1-70A87F09AAFD}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1660
        
        C:\Windows\{E846ED7B-BFD5-49ef-9A24-3D6D05F7731F}.exe
        
        C:\Windows\{E846ED7B-BFD5-49ef-9A24-3D6D05F7731F}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:572
        
        C:\Windows\{C28265AD-B8FA-4e69-9302-027DB68EA349}.exe
        
        C:\Windows\{C28265AD-B8FA-4e69-9302-027DB68EA349}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1704
        
        C:\Windows\{B4EBCCC2-CBCA-4bb3-88AF-28F6F7B5AD2E}.exe
        
        C:\Windows\{B4EBCCC2-CBCA-4bb3-88AF-28F6F7B5AD2E}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1960
        
        C:\Windows\{978D4B71-CDB8-4cab-A8D1-3A4CB1164F5C}.exe
        
        C:\Windows\{978D4B71-CDB8-4cab-A8D1-3A4CB1164F5C}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:940
        
        C:\Windows\{0EA2B19A-CD33-4234-B781-1CE5B6089C9C}.exe
        
        C:\Windows\{0EA2B19A-CD33-4234-B781-1CE5B6089C9C}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2584
        
        C:\Windows\{EC1EC042-42EE-4859-BFC0-2C62CD1F7632}.exe
        
        C:\Windows\{EC1EC042-42EE-4859-BFC0-2C62CD1F7632}.exe
        12⤵
        Executes dropped EXE
        
        PID:2252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0EA2B~1.EXE > nul
        12⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{978D4~1.EXE > nul
        11⤵
        
        PID:2652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B4EBC~1.EXE > nul
        10⤵
        
        PID:1112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C2826~1.EXE > nul
        9⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E846E~1.EXE > nul
        8⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F390E~1.EXE > nul
        7⤵
        
        PID:696
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D2CC4~1.EXE > nul
        6⤵
        
        PID:812
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{84C71~1.EXE > nul
        5⤵
        
        PID:1856
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{64C03~1.EXE > nul
      4⤵
      PID:2336
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{BC702~1.EXE > nul
    3⤵
    PID:2608
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0EA2B19A-CD33-4234-B781-1CE5B6089C9C}.exe

Filesize
168KB

MD5
87c6316bee95561db4dc989c49243252

SHA1
020897c0d6775042098391a67441c936b8a72fb8

SHA256
4f8988293ae4a562f6119f09d53a3432d1b37164ebeb1c1e64efbf6cc51e1684

SHA512
8af1ed605f4a7373faf13b2851f5ab6c43d56dff3a5c5841d8e02c004662b09579526063781bc0b3608d2c89598984b490e5b82abc69242dc7e13f3399a18aee

Download Submit
C:\Windows\{64C0326B-A4FA-464c-8B45-D29007DCE603}.exe

Filesize
168KB

MD5
f9a2103088ba804a2b1d4e8491583e8c

SHA1
a540b4de49eb895e8e4fcb8ea99327fda7d6b9f1

SHA256
5eb8dc9744dbca8e5b36366547bd330def4b2ddbd9590fc78434bb434b2471b6

SHA512
17643922d2bd8d815b34fdf14b144ca840b4409e1118bc736ce5811d54b7eb01787032551b91854dbc79bb65da8c083ba9e9685dc8a6b0a38a30de906687f697

Download Submit
C:\Windows\{84C710BE-F3B6-4683-8473-85A21910E8C5}.exe

Filesize
168KB

MD5
419164cf3dc0b95ec54afedfb74bde34

SHA1
f0270b34d70d66174783b97f7f1b26a76307874d

SHA256
330663cf754497e516e7c35dff7bb3ec3f220a83e2ef1a0160eb014b25a3da6c

SHA512
17e8996322f4249a49409f4a3012027da80ffae4b0509cfb73c1dd399d704c427d023e7709511f57721201aae5a62251cb016741568bc8a937ff656c9b939f70

Download Submit
C:\Windows\{978D4B71-CDB8-4cab-A8D1-3A4CB1164F5C}.exe

Filesize
168KB

MD5
20b059be7acb279caeb2d3d4a2929474

SHA1
c9c6dcdaf95b735d43884b2bc4a3fe9cbb284d78

SHA256
f62e96b6156042e20314cb682129e84985ec40b6facb11e67685b652b0956c7f

SHA512
52c500a71a1ab18d5e669f73fef684a9a4c89f1479cc0c024699ad8daee4a1465ac1ff51f3094f4c21e16c63ccf7335b228b55ec5865da70ad67223cec1267ac

Download Submit
C:\Windows\{B4EBCCC2-CBCA-4bb3-88AF-28F6F7B5AD2E}.exe

Filesize
168KB

MD5
08241d367c2c04fa0a2976b8fed483df

SHA1
f839e0e312a4255f8295423e9ceed52cc58b2c92

SHA256
a599b79d3b8f57ca7feed6ef990eb14dacdcc74e65c6d622883427872cee5d22

SHA512
f98f76c026cdc8d9e0482e0beec52e9f7d1a7f3f54c48da1d619d681e0a1ad58abe77f9c5502827ded79fd1324ce9c0b4f442237c3b77aa51d8ec89c1d91193c

Download Submit
C:\Windows\{BC702CEC-B1F8-42a7-A2C4-3EB5D1185749}.exe

Filesize
168KB

MD5
01581e7f743d9fda85e39082db4f2929

SHA1
948c1f26222db657904f11ae652cfe064b1d8adb

SHA256
f6aed8aaeb0494cd30a2fefe672ec86d940e8d1e830137602bd539a43b9d92d3

SHA512
bd8b5310d1e029734ae5d6a8aa003fa61b90dd7720787de018cb4215c9f83842bef93ec3472ac5714238978022472ee56a7af9a2fa3e2dc21800b886192da4a2

Download Submit
C:\Windows\{C28265AD-B8FA-4e69-9302-027DB68EA349}.exe

Filesize
168KB

MD5
0763eb95ef0a24aa87cf99536ce9b5c2

SHA1
af192c3acbb77a4a1f5a9e42a670ec484ee2d3b1

SHA256
2f7d2b14e8f58161bb7e2caac1e559654279e717c90676e0cb985528d24ad663

SHA512
36e7e0a9e15f3704dc46eed36e09a5a783ed8fc67e5d1d4d420fa0ba989c8e2cb76f701ebaaf999b5e68a657053578dab272c1c727a9cbba8174920f7b65e312

Download Submit
C:\Windows\{D2CC4A19-ED62-4e5e-8B42-2F6AD4914D7F}.exe

Filesize
168KB

MD5
215dbf7232fdd17066cdcc63aa10a5bc

SHA1
226b1eae6565498293f18d4f44366d009dd889c6

SHA256
c299d5b0ee8b395c6950a465721c3ceedf10bc32e4107329410367a52742eab3

SHA512
703dd7229141566776dc1b3d8721a4be730a10fa8769ddd22040fd5495aee7dd61ea6b8c5287a1bb234f6ee867986e97d9208c90c17a53f26ba63e03774ff845

Download Submit
C:\Windows\{E846ED7B-BFD5-49ef-9A24-3D6D05F7731F}.exe

Filesize
168KB

MD5
fce3d7afee54eacd6e0ed947bdb4e06c

SHA1
6096ce661d2374b0fc8ec0f910352c87a503a217

SHA256
812d97c9cc3e27d0cbb8f0e5f8c6791e4d0c5c79b7548418e53b8a94db4b67ec

SHA512
c4e4820ee403f7ccf85b9b117859daf1804eaf0e8c4581c25fa5479d7776ccc75c0322e79557a7de7db5ac22a35cf3aa57ce860a9fa41794b0a0601880acd960

Download Submit
C:\Windows\{EC1EC042-42EE-4859-BFC0-2C62CD1F7632}.exe

Filesize
168KB

MD5
c3a9227fc39ce7c5b69329d045941dda

SHA1
03325e94bf53fefc2cac1978fe904b26bb50237c

SHA256
1557671d86ec932bf0a094d2bb97440cd4df3aa82edef7139ea636dbc3714f56

SHA512
2292e84f815af58c40d165eee78e04034268a0bf58c0bd6b0c01e17cb4aa17dcdd41fb650ee091ea6e365601e4171c5c48166444b3a5be38881c7a59072242ce

Download Submit
C:\Windows\{F390E933-DC26-4fe1-ADF1-70A87F09AAFD}.exe

Filesize
168KB

MD5
e18ce353f7383e9d9ccad129dab3cee6

SHA1
db284d64bffe0ebf4e0bef0f94c3962a52865b9a

SHA256
834057776a9571b777bf6e3045a07697a0413d51dff54738c659a578cf7bbeb0

SHA512
e9352fae2e0086d88106d1dcae723e1369902484ee6c5047370248458e2f7abedda114a33f89af2d0cb9c2d7d4a847615d7cbe4fcc17d5954973af1425dee5c1

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads