8c7fb8d94ab0840ea0a5087f714e823678e2107e5d98274c2f08ba532fdd8935

Analysis

max time kernel
144s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
05/04/2024, 07:48

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-04-05_fbfbb4a33a69f2ea24c8355883f8c81e_goldeneye.exe
Size

204KB
MD5

fbfbb4a33a69f2ea24c8355883f8c81e
SHA1

64d2869e91417e56777764cb702386c4da9d9276
SHA256

8c7fb8d94ab0840ea0a5087f714e823678e2107e5d98274c2f08ba532fdd8935
SHA512

395ad2a4e91c09bdf3cc389ccd673ff6f25664d68146673806f6fc42086d63fcc9a2dd3299530d9cfb3ab965bf3038242f29f0548cf98b8fbe5c7ada540e8064
SSDEEP

1536:1EGh0oCl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oCl1OPOe2MUVg3Ve+rXfMUy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000a00000001227e-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x003300000001507e-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b00000001227e-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000300000000b1f3-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000400000000b1f3-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000500000000b1f3-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000600000000b1f3-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{06B3995C-E812-4798-8DC5-43A5153FFF4F}\stubpath = "C:\\Windows\\{06B3995C-E812-4798-8DC5-43A5153FFF4F}.exe"	2024-04-05_fbfbb4a33a69f2ea24c8355883f8c81e_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{67FB6F21-F89A-488e-9EEE-09EAEAE3E5B2}\stubpath = "C:\\Windows\\{67FB6F21-F89A-488e-9EEE-09EAEAE3E5B2}.exe"	{06B3995C-E812-4798-8DC5-43A5153FFF4F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{361FC163-B798-418e-9FCC-5F8FE61F32BE}\stubpath = "C:\\Windows\\{361FC163-B798-418e-9FCC-5F8FE61F32BE}.exe"	{67FB6F21-F89A-488e-9EEE-09EAEAE3E5B2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{565DDF16-1DF6-4801-BE65-A16F3250CC1F}\stubpath = "C:\\Windows\\{565DDF16-1DF6-4801-BE65-A16F3250CC1F}.exe"	{893B5F5F-CF0E-4e7c-8900-9403A4AC4AD0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ADCAA3C2-7B11-4e38-BB1E-147084ED5098}	{565DDF16-1DF6-4801-BE65-A16F3250CC1F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{06B3995C-E812-4798-8DC5-43A5153FFF4F}	2024-04-05_fbfbb4a33a69f2ea24c8355883f8c81e_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0A9EB99E-176C-45b4-A19D-8160A1C89604}	{361FC163-B798-418e-9FCC-5F8FE61F32BE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0A9EB99E-176C-45b4-A19D-8160A1C89604}\stubpath = "C:\\Windows\\{0A9EB99E-176C-45b4-A19D-8160A1C89604}.exe"	{361FC163-B798-418e-9FCC-5F8FE61F32BE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{893B5F5F-CF0E-4e7c-8900-9403A4AC4AD0}	{1BB65DDD-E50C-4cf7-8882-A5D11EB9E6BE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5F8799E8-545C-4f27-ACD8-B4EC5AA921C0}	{0A9EB99E-176C-45b4-A19D-8160A1C89604}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E238F0D3-A8F5-4250-B7C8-CED0B0F7C4A7}	{5F8799E8-545C-4f27-ACD8-B4EC5AA921C0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{27F81E07-00E6-4a1c-925A-66013711257D}	{E238F0D3-A8F5-4250-B7C8-CED0B0F7C4A7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1BB65DDD-E50C-4cf7-8882-A5D11EB9E6BE}	{27F81E07-00E6-4a1c-925A-66013711257D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{565DDF16-1DF6-4801-BE65-A16F3250CC1F}	{893B5F5F-CF0E-4e7c-8900-9403A4AC4AD0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ADCAA3C2-7B11-4e38-BB1E-147084ED5098}\stubpath = "C:\\Windows\\{ADCAA3C2-7B11-4e38-BB1E-147084ED5098}.exe"	{565DDF16-1DF6-4801-BE65-A16F3250CC1F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{893B5F5F-CF0E-4e7c-8900-9403A4AC4AD0}\stubpath = "C:\\Windows\\{893B5F5F-CF0E-4e7c-8900-9403A4AC4AD0}.exe"	{1BB65DDD-E50C-4cf7-8882-A5D11EB9E6BE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{67FB6F21-F89A-488e-9EEE-09EAEAE3E5B2}	{06B3995C-E812-4798-8DC5-43A5153FFF4F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{361FC163-B798-418e-9FCC-5F8FE61F32BE}	{67FB6F21-F89A-488e-9EEE-09EAEAE3E5B2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5F8799E8-545C-4f27-ACD8-B4EC5AA921C0}\stubpath = "C:\\Windows\\{5F8799E8-545C-4f27-ACD8-B4EC5AA921C0}.exe"	{0A9EB99E-176C-45b4-A19D-8160A1C89604}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E238F0D3-A8F5-4250-B7C8-CED0B0F7C4A7}\stubpath = "C:\\Windows\\{E238F0D3-A8F5-4250-B7C8-CED0B0F7C4A7}.exe"	{5F8799E8-545C-4f27-ACD8-B4EC5AA921C0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{27F81E07-00E6-4a1c-925A-66013711257D}\stubpath = "C:\\Windows\\{27F81E07-00E6-4a1c-925A-66013711257D}.exe"	{E238F0D3-A8F5-4250-B7C8-CED0B0F7C4A7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1BB65DDD-E50C-4cf7-8882-A5D11EB9E6BE}\stubpath = "C:\\Windows\\{1BB65DDD-E50C-4cf7-8882-A5D11EB9E6BE}.exe"	{27F81E07-00E6-4a1c-925A-66013711257D}.exe

Deletes itself 1 IoCs

pid	Process
2628	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2992	{06B3995C-E812-4798-8DC5-43A5153FFF4F}.exe
2608	{67FB6F21-F89A-488e-9EEE-09EAEAE3E5B2}.exe
2388	{361FC163-B798-418e-9FCC-5F8FE61F32BE}.exe
2740	{0A9EB99E-176C-45b4-A19D-8160A1C89604}.exe
2476	{5F8799E8-545C-4f27-ACD8-B4EC5AA921C0}.exe
1840	{E238F0D3-A8F5-4250-B7C8-CED0B0F7C4A7}.exe
528	{27F81E07-00E6-4a1c-925A-66013711257D}.exe
992	{1BB65DDD-E50C-4cf7-8882-A5D11EB9E6BE}.exe
1772	{893B5F5F-CF0E-4e7c-8900-9403A4AC4AD0}.exe
1168	{565DDF16-1DF6-4801-BE65-A16F3250CC1F}.exe
2348	{ADCAA3C2-7B11-4e38-BB1E-147084ED5098}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{893B5F5F-CF0E-4e7c-8900-9403A4AC4AD0}.exe	{1BB65DDD-E50C-4cf7-8882-A5D11EB9E6BE}.exe
File created	C:\Windows\{565DDF16-1DF6-4801-BE65-A16F3250CC1F}.exe	{893B5F5F-CF0E-4e7c-8900-9403A4AC4AD0}.exe
File created	C:\Windows\{06B3995C-E812-4798-8DC5-43A5153FFF4F}.exe	2024-04-05_fbfbb4a33a69f2ea24c8355883f8c81e_goldeneye.exe
File created	C:\Windows\{67FB6F21-F89A-488e-9EEE-09EAEAE3E5B2}.exe	{06B3995C-E812-4798-8DC5-43A5153FFF4F}.exe
File created	C:\Windows\{361FC163-B798-418e-9FCC-5F8FE61F32BE}.exe	{67FB6F21-F89A-488e-9EEE-09EAEAE3E5B2}.exe
File created	C:\Windows\{0A9EB99E-176C-45b4-A19D-8160A1C89604}.exe	{361FC163-B798-418e-9FCC-5F8FE61F32BE}.exe
File created	C:\Windows\{5F8799E8-545C-4f27-ACD8-B4EC5AA921C0}.exe	{0A9EB99E-176C-45b4-A19D-8160A1C89604}.exe
File created	C:\Windows\{E238F0D3-A8F5-4250-B7C8-CED0B0F7C4A7}.exe	{5F8799E8-545C-4f27-ACD8-B4EC5AA921C0}.exe
File created	C:\Windows\{27F81E07-00E6-4a1c-925A-66013711257D}.exe	{E238F0D3-A8F5-4250-B7C8-CED0B0F7C4A7}.exe
File created	C:\Windows\{1BB65DDD-E50C-4cf7-8882-A5D11EB9E6BE}.exe	{27F81E07-00E6-4a1c-925A-66013711257D}.exe
File created	C:\Windows\{ADCAA3C2-7B11-4e38-BB1E-147084ED5098}.exe	{565DDF16-1DF6-4801-BE65-A16F3250CC1F}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2816	2024-04-05_fbfbb4a33a69f2ea24c8355883f8c81e_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2992	{06B3995C-E812-4798-8DC5-43A5153FFF4F}.exe
Token: SeIncBasePriorityPrivilege	2608	{67FB6F21-F89A-488e-9EEE-09EAEAE3E5B2}.exe
Token: SeIncBasePriorityPrivilege	2388	{361FC163-B798-418e-9FCC-5F8FE61F32BE}.exe
Token: SeIncBasePriorityPrivilege	2740	{0A9EB99E-176C-45b4-A19D-8160A1C89604}.exe
Token: SeIncBasePriorityPrivilege	2476	{5F8799E8-545C-4f27-ACD8-B4EC5AA921C0}.exe
Token: SeIncBasePriorityPrivilege	1840	{E238F0D3-A8F5-4250-B7C8-CED0B0F7C4A7}.exe
Token: SeIncBasePriorityPrivilege	528	{27F81E07-00E6-4a1c-925A-66013711257D}.exe
Token: SeIncBasePriorityPrivilege	992	{1BB65DDD-E50C-4cf7-8882-A5D11EB9E6BE}.exe
Token: SeIncBasePriorityPrivilege	1772	{893B5F5F-CF0E-4e7c-8900-9403A4AC4AD0}.exe
Token: SeIncBasePriorityPrivilege	1168	{565DDF16-1DF6-4801-BE65-A16F3250CC1F}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2816 wrote to memory of 2992	2816	2024-04-05_fbfbb4a33a69f2ea24c8355883f8c81e_goldeneye.exe	28
PID 2816 wrote to memory of 2992	2816	2024-04-05_fbfbb4a33a69f2ea24c8355883f8c81e_goldeneye.exe	28
PID 2816 wrote to memory of 2992	2816	2024-04-05_fbfbb4a33a69f2ea24c8355883f8c81e_goldeneye.exe	28
PID 2816 wrote to memory of 2992	2816	2024-04-05_fbfbb4a33a69f2ea24c8355883f8c81e_goldeneye.exe	28
PID 2816 wrote to memory of 2628	2816	2024-04-05_fbfbb4a33a69f2ea24c8355883f8c81e_goldeneye.exe	29
PID 2816 wrote to memory of 2628	2816	2024-04-05_fbfbb4a33a69f2ea24c8355883f8c81e_goldeneye.exe	29
PID 2816 wrote to memory of 2628	2816	2024-04-05_fbfbb4a33a69f2ea24c8355883f8c81e_goldeneye.exe	29
PID 2816 wrote to memory of 2628	2816	2024-04-05_fbfbb4a33a69f2ea24c8355883f8c81e_goldeneye.exe	29
PID 2992 wrote to memory of 2608	2992	{06B3995C-E812-4798-8DC5-43A5153FFF4F}.exe	30
PID 2992 wrote to memory of 2608	2992	{06B3995C-E812-4798-8DC5-43A5153FFF4F}.exe	30
PID 2992 wrote to memory of 2608	2992	{06B3995C-E812-4798-8DC5-43A5153FFF4F}.exe	30
PID 2992 wrote to memory of 2608	2992	{06B3995C-E812-4798-8DC5-43A5153FFF4F}.exe	30
PID 2992 wrote to memory of 2836	2992	{06B3995C-E812-4798-8DC5-43A5153FFF4F}.exe	31
PID 2992 wrote to memory of 2836	2992	{06B3995C-E812-4798-8DC5-43A5153FFF4F}.exe	31
PID 2992 wrote to memory of 2836	2992	{06B3995C-E812-4798-8DC5-43A5153FFF4F}.exe	31
PID 2992 wrote to memory of 2836	2992	{06B3995C-E812-4798-8DC5-43A5153FFF4F}.exe	31
PID 2608 wrote to memory of 2388	2608	{67FB6F21-F89A-488e-9EEE-09EAEAE3E5B2}.exe	32
PID 2608 wrote to memory of 2388	2608	{67FB6F21-F89A-488e-9EEE-09EAEAE3E5B2}.exe	32
PID 2608 wrote to memory of 2388	2608	{67FB6F21-F89A-488e-9EEE-09EAEAE3E5B2}.exe	32
PID 2608 wrote to memory of 2388	2608	{67FB6F21-F89A-488e-9EEE-09EAEAE3E5B2}.exe	32
PID 2608 wrote to memory of 2492	2608	{67FB6F21-F89A-488e-9EEE-09EAEAE3E5B2}.exe	33
PID 2608 wrote to memory of 2492	2608	{67FB6F21-F89A-488e-9EEE-09EAEAE3E5B2}.exe	33
PID 2608 wrote to memory of 2492	2608	{67FB6F21-F89A-488e-9EEE-09EAEAE3E5B2}.exe	33
PID 2608 wrote to memory of 2492	2608	{67FB6F21-F89A-488e-9EEE-09EAEAE3E5B2}.exe	33
PID 2388 wrote to memory of 2740	2388	{361FC163-B798-418e-9FCC-5F8FE61F32BE}.exe	36
PID 2388 wrote to memory of 2740	2388	{361FC163-B798-418e-9FCC-5F8FE61F32BE}.exe	36
PID 2388 wrote to memory of 2740	2388	{361FC163-B798-418e-9FCC-5F8FE61F32BE}.exe	36
PID 2388 wrote to memory of 2740	2388	{361FC163-B798-418e-9FCC-5F8FE61F32BE}.exe	36
PID 2388 wrote to memory of 2764	2388	{361FC163-B798-418e-9FCC-5F8FE61F32BE}.exe	37
PID 2388 wrote to memory of 2764	2388	{361FC163-B798-418e-9FCC-5F8FE61F32BE}.exe	37
PID 2388 wrote to memory of 2764	2388	{361FC163-B798-418e-9FCC-5F8FE61F32BE}.exe	37
PID 2388 wrote to memory of 2764	2388	{361FC163-B798-418e-9FCC-5F8FE61F32BE}.exe	37
PID 2740 wrote to memory of 2476	2740	{0A9EB99E-176C-45b4-A19D-8160A1C89604}.exe	38
PID 2740 wrote to memory of 2476	2740	{0A9EB99E-176C-45b4-A19D-8160A1C89604}.exe	38
PID 2740 wrote to memory of 2476	2740	{0A9EB99E-176C-45b4-A19D-8160A1C89604}.exe	38
PID 2740 wrote to memory of 2476	2740	{0A9EB99E-176C-45b4-A19D-8160A1C89604}.exe	38
PID 2740 wrote to memory of 1656	2740	{0A9EB99E-176C-45b4-A19D-8160A1C89604}.exe	39
PID 2740 wrote to memory of 1656	2740	{0A9EB99E-176C-45b4-A19D-8160A1C89604}.exe	39
PID 2740 wrote to memory of 1656	2740	{0A9EB99E-176C-45b4-A19D-8160A1C89604}.exe	39
PID 2740 wrote to memory of 1656	2740	{0A9EB99E-176C-45b4-A19D-8160A1C89604}.exe	39
PID 2476 wrote to memory of 1840	2476	{5F8799E8-545C-4f27-ACD8-B4EC5AA921C0}.exe	40
PID 2476 wrote to memory of 1840	2476	{5F8799E8-545C-4f27-ACD8-B4EC5AA921C0}.exe	40
PID 2476 wrote to memory of 1840	2476	{5F8799E8-545C-4f27-ACD8-B4EC5AA921C0}.exe	40
PID 2476 wrote to memory of 1840	2476	{5F8799E8-545C-4f27-ACD8-B4EC5AA921C0}.exe	40
PID 2476 wrote to memory of 1504	2476	{5F8799E8-545C-4f27-ACD8-B4EC5AA921C0}.exe	41
PID 2476 wrote to memory of 1504	2476	{5F8799E8-545C-4f27-ACD8-B4EC5AA921C0}.exe	41
PID 2476 wrote to memory of 1504	2476	{5F8799E8-545C-4f27-ACD8-B4EC5AA921C0}.exe	41
PID 2476 wrote to memory of 1504	2476	{5F8799E8-545C-4f27-ACD8-B4EC5AA921C0}.exe	41
PID 1840 wrote to memory of 528	1840	{E238F0D3-A8F5-4250-B7C8-CED0B0F7C4A7}.exe	42
PID 1840 wrote to memory of 528	1840	{E238F0D3-A8F5-4250-B7C8-CED0B0F7C4A7}.exe	42
PID 1840 wrote to memory of 528	1840	{E238F0D3-A8F5-4250-B7C8-CED0B0F7C4A7}.exe	42
PID 1840 wrote to memory of 528	1840	{E238F0D3-A8F5-4250-B7C8-CED0B0F7C4A7}.exe	42
PID 1840 wrote to memory of 696	1840	{E238F0D3-A8F5-4250-B7C8-CED0B0F7C4A7}.exe	43
PID 1840 wrote to memory of 696	1840	{E238F0D3-A8F5-4250-B7C8-CED0B0F7C4A7}.exe	43
PID 1840 wrote to memory of 696	1840	{E238F0D3-A8F5-4250-B7C8-CED0B0F7C4A7}.exe	43
PID 1840 wrote to memory of 696	1840	{E238F0D3-A8F5-4250-B7C8-CED0B0F7C4A7}.exe	43
PID 528 wrote to memory of 992	528	{27F81E07-00E6-4a1c-925A-66013711257D}.exe	44
PID 528 wrote to memory of 992	528	{27F81E07-00E6-4a1c-925A-66013711257D}.exe	44
PID 528 wrote to memory of 992	528	{27F81E07-00E6-4a1c-925A-66013711257D}.exe	44
PID 528 wrote to memory of 992	528	{27F81E07-00E6-4a1c-925A-66013711257D}.exe	44
PID 528 wrote to memory of 1536	528	{27F81E07-00E6-4a1c-925A-66013711257D}.exe	45
PID 528 wrote to memory of 1536	528	{27F81E07-00E6-4a1c-925A-66013711257D}.exe	45
PID 528 wrote to memory of 1536	528	{27F81E07-00E6-4a1c-925A-66013711257D}.exe	45
PID 528 wrote to memory of 1536	528	{27F81E07-00E6-4a1c-925A-66013711257D}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-04-05_fbfbb4a33a69f2ea24c8355883f8c81e_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-05_fbfbb4a33a69f2ea24c8355883f8c81e_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2816
- C:\Windows\{06B3995C-E812-4798-8DC5-43A5153FFF4F}.exe
  C:\Windows\{06B3995C-E812-4798-8DC5-43A5153FFF4F}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2992
- - C:\Windows\{67FB6F21-F89A-488e-9EEE-09EAEAE3E5B2}.exe
    C:\Windows\{67FB6F21-F89A-488e-9EEE-09EAEAE3E5B2}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2608
  - - C:\Windows\{361FC163-B798-418e-9FCC-5F8FE61F32BE}.exe
      C:\Windows\{361FC163-B798-418e-9FCC-5F8FE61F32BE}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2388
    - - C:\Windows\{0A9EB99E-176C-45b4-A19D-8160A1C89604}.exe
        
        C:\Windows\{0A9EB99E-176C-45b4-A19D-8160A1C89604}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2740
      - C:\Windows\{5F8799E8-545C-4f27-ACD8-B4EC5AA921C0}.exe
        
        C:\Windows\{5F8799E8-545C-4f27-ACD8-B4EC5AA921C0}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2476
        
        C:\Windows\{E238F0D3-A8F5-4250-B7C8-CED0B0F7C4A7}.exe
        
        C:\Windows\{E238F0D3-A8F5-4250-B7C8-CED0B0F7C4A7}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1840
        
        C:\Windows\{27F81E07-00E6-4a1c-925A-66013711257D}.exe
        
        C:\Windows\{27F81E07-00E6-4a1c-925A-66013711257D}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:528
        
        C:\Windows\{1BB65DDD-E50C-4cf7-8882-A5D11EB9E6BE}.exe
        
        C:\Windows\{1BB65DDD-E50C-4cf7-8882-A5D11EB9E6BE}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:992
        
        C:\Windows\{893B5F5F-CF0E-4e7c-8900-9403A4AC4AD0}.exe
        
        C:\Windows\{893B5F5F-CF0E-4e7c-8900-9403A4AC4AD0}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1772
        
        C:\Windows\{565DDF16-1DF6-4801-BE65-A16F3250CC1F}.exe
        
        C:\Windows\{565DDF16-1DF6-4801-BE65-A16F3250CC1F}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1168
        
        C:\Windows\{ADCAA3C2-7B11-4e38-BB1E-147084ED5098}.exe
        
        C:\Windows\{ADCAA3C2-7B11-4e38-BB1E-147084ED5098}.exe
        12⤵
        Executes dropped EXE
        
        PID:2348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{565DD~1.EXE > nul
        12⤵
        
        PID:1588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{893B5~1.EXE > nul
        11⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1BB65~1.EXE > nul
        10⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{27F81~1.EXE > nul
        9⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E238F~1.EXE > nul
        8⤵
        
        PID:696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5F879~1.EXE > nul
        7⤵
        
        PID:1504
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0A9EB~1.EXE > nul
        6⤵
        
        PID:1656
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{361FC~1.EXE > nul
        5⤵
        
        PID:2764
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{67FB6~1.EXE > nul
      4⤵
      PID:2492
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{06B39~1.EXE > nul
    3⤵
    PID:2836
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{06B3995C-E812-4798-8DC5-43A5153FFF4F}.exe

Filesize
204KB

MD5
4326e3d19688aac3c5ed7c19ee866313

SHA1
0552cb711e244e2dc5da6148de35837102a98865

SHA256
7a78f6cf15a377253fe0e40cdb17521335e7218bedb28ce2764829b9c91d05c0

SHA512
a280835a74e9fed9c2c8f9c8b2a9ec1ab7e4757100d775800eaa8d77ca91f2cf59033a2fdf27f7912f992278d0a480a3b53b1c9c99ea4dc3ef4aeb356329dffa

Download Submit
C:\Windows\{0A9EB99E-176C-45b4-A19D-8160A1C89604}.exe

Filesize
204KB

MD5
07fae50c675d839322aaf06d7486f472

SHA1
63831f6ee9229358241650f2c453db4a8068e1be

SHA256
8aac3d33891bbd41af73051de149481f3e8247f95fcbe0c78a3deb268e3b3363

SHA512
2ffbe3efaa98ea1a586dcbac4f71cd08bdac0a0cd4c5e5a0bdfd5943a76feb805e84c346b858be8d04c9ff411db620aea9091992f27372a491497473110767e2

Download Submit
C:\Windows\{1BB65DDD-E50C-4cf7-8882-A5D11EB9E6BE}.exe

Filesize
204KB

MD5
213ebe9590a5717db6fd25c16b02c77a

SHA1
0e9a76344e5556848df32897070bb6829fe12592

SHA256
1313ee0fbe35359703393c81f73fdb01cb111e80847f19c5e8c846314bdc9ce8

SHA512
dece997dba7a179f0f797ec270d145cd0bec8f63b702676637fd9679212c6493d7f7db64d0cada4b4f7029cf53b119be56bc1b515239b1f14e9b83e1b3407b38

Download Submit
C:\Windows\{27F81E07-00E6-4a1c-925A-66013711257D}.exe

Filesize
204KB

MD5
e484dc72cabe3a405977d42b0e1d0dba

SHA1
65c05a694ca00e1460f193d41dfc315e3d529214

SHA256
8e34a9db928587c03f4bddae28ff96f36669596e085d2efb3ba5b291cc787778

SHA512
ce9de9ca6842d21dce79c344c032ff3e5e1fac94a049056ab271e069f669bddfc06d7defa4388c3151433e0ca4bebcd63be271c78c1b7d19c128c1319ac5b61c

Download Submit
C:\Windows\{361FC163-B798-418e-9FCC-5F8FE61F32BE}.exe

Filesize
204KB

MD5
c4ac43b5f94d3cd36bd26f1c47d74c95

SHA1
d9b20f42ada195c003065cc1497506185ae3f71e

SHA256
efd00f56126556b24d91953b929bf06b8c82bedaede10686fa2dc25b3d6d6266

SHA512
1b25bf43cbe711b88a1a4f243637e629eb3bd20c273c1aedac8d9037c5d6796103b43e41d5a44c8d69271a4c2a638cdc4503f9a9fa2a3076af67e96ac3508d50

Download Submit
C:\Windows\{565DDF16-1DF6-4801-BE65-A16F3250CC1F}.exe

Filesize
204KB

MD5
f2f0dfe09ee135b371378ecfd6cc5827

SHA1
8570a19c3f2dd1449850df9b42d69b73f00b047f

SHA256
f4436d6e61f62b8f6922dd505e813a57722aa946bbf10b5de380eefc9a5d006d

SHA512
62bd4709273ce6dcd979b0f4747c0f6096e593f9b70efa4289afcb30984cf05d2a39c3295670984e33eeef1d4e66e8585c919e0797fc631e71c44ac9a514e23c

Download Submit
C:\Windows\{5F8799E8-545C-4f27-ACD8-B4EC5AA921C0}.exe

Filesize
204KB

MD5
60ea34ecb618975effc6a5c412b317c7

SHA1
e7fb65ef667b2d210949470745f90c82b751f4e4

SHA256
1c506043ec2f14bad106cfdf8e77c5de48fb2f1c81c09e8cfa103daa69a8e197

SHA512
158cf429e1d818e311d0e6106ac37bd7bbb7b3ef1acc94fe19234f4dfb3d7c00b0562ba5c75c327ea66ade9459ec2d245e8fdcd744979b0eb3bd0b9872edfc7e

Download Submit
C:\Windows\{67FB6F21-F89A-488e-9EEE-09EAEAE3E5B2}.exe

Filesize
204KB

MD5
363ca64265dd9503327edc0ef8b1cdbe

SHA1
c6cedee19978cd968a5f506c2d62e505a72ab7f6

SHA256
aa7e5233c73a849e347b1427975b6c1bb1bc28fc20e482c3f3bd0349aeed8921

SHA512
1412626dff42f0d64c61d697c4264745da187535c751d74b1f5f69fa6ca21eedb40ec07e58aa7dd5a3b93e461dd87e83668b87394fbd4077e8aebe3c92bc2963

Download Submit
C:\Windows\{893B5F5F-CF0E-4e7c-8900-9403A4AC4AD0}.exe

Filesize
204KB

MD5
3c3829a01d3a9a6a52e747bfa158bc1a

SHA1
98e91fb519cbb04ccd00c8e29c8a81e5d790bc0f

SHA256
d94ea65f566776e286a6aa66519c1f3d043abbd1ef2fe779271890030cf818c6

SHA512
76be00789d5a91e049c1be12de1d33b930446e65fe297472399325d95266c6766c6705dd03e9e9f98558ed47d2a169569f9c8f6bf2e40fb2184ae7f268e892ae

Download Submit
C:\Windows\{ADCAA3C2-7B11-4e38-BB1E-147084ED5098}.exe

Filesize
204KB

MD5
f569d50c6f3ee8ea06eca766ecb78f73

SHA1
82fefc6a1ff926ba63666c2b4aa5246f06b40f1d

SHA256
4285282567de39f4c0b0ddf96c6e31927e0e3629748801a141e9fa05299f647e

SHA512
b87a5572ae266ff5a3dbbe553c4fccc05add38b80757341f40a217ec7aca5245e4509096b07097de7b93f53e4143e9f2bb0982b5c76e918a91433fc54f68892b

Download Submit
C:\Windows\{E238F0D3-A8F5-4250-B7C8-CED0B0F7C4A7}.exe

Filesize
204KB

MD5
14e8f61b986b08795ea7ce6f30957595

SHA1
37b997dab8f6db4be358653cff6448d50fceb4eb

SHA256
70d576a931ab7c6fcd40584641476ea491d1cf054a4b8eb34d54a45a9a39777f

SHA512
c96db53da44d71568c64ec492042d3c5aa8cc3bd2df7502f6598839989de8753925a40081a8d880a2c7bf3636bbfc0f5847931bbfee95f12cca44f512e438672

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads