332c3deae86895dc3d6096686596c645afba2414f31f69ac022994da2a2a0f21

Analysis

max time kernel
144s
max time network
123s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
06/04/2024, 10:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-06_25a1894246c3759287116921baa4b1cd_goldeneye.exe
Size

216KB
MD5

25a1894246c3759287116921baa4b1cd
SHA1

5d92e057ca228577fa32b424f96d5b5a3604fac2
SHA256

332c3deae86895dc3d6096686596c645afba2414f31f69ac022994da2a2a0f21
SHA512

abd3a93d9df861903ad18fbbfd8f3fdd7670b0e1b17dfc45ee9ed455b4c871ead077e78ceed0edfdf7cc532347c1a7fca5835ff19154cd3c767e902dd8b4c0ef
SSDEEP

3072:jEGh0ool+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEGylEeKcAEcGy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000b0000000144e0-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x003400000001480e-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c0000000144e0-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00340000000149e1-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d0000000144e0-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e0000000144e0-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f0000000144e0-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{12EB664A-0251-46ae-ADBC-3FDA3138F463}\stubpath = "C:\\Windows\\{12EB664A-0251-46ae-ADBC-3FDA3138F463}.exe"	2024-04-06_25a1894246c3759287116921baa4b1cd_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C19D13B2-C6E2-42a1-AD18-02C2CDFFF2CD}\stubpath = "C:\\Windows\\{C19D13B2-C6E2-42a1-AD18-02C2CDFFF2CD}.exe"	{EA539EEE-C384-4ebf-9B92-A004A720E56C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AE0039DD-EFAA-4e4b-83FA-0C46EF40C2CE}	{C19D13B2-C6E2-42a1-AD18-02C2CDFFF2CD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7295DE02-9406-4e40-B68D-F7AB1D1F433E}\stubpath = "C:\\Windows\\{7295DE02-9406-4e40-B68D-F7AB1D1F433E}.exe"	{623C5C12-D87B-40b3-AA49-5C0CE9A6EBC2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3DD0400B-15DF-4722-959C-3A0E3B0D61B9}	{7E2B6F5F-20C0-42d6-B054-F80233AC93EB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3DD0400B-15DF-4722-959C-3A0E3B0D61B9}\stubpath = "C:\\Windows\\{3DD0400B-15DF-4722-959C-3A0E3B0D61B9}.exe"	{7E2B6F5F-20C0-42d6-B054-F80233AC93EB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EA539EEE-C384-4ebf-9B92-A004A720E56C}	{2D6706A1-9F0F-4c3b-8D4C-E95C3F3CA1CA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EA539EEE-C384-4ebf-9B92-A004A720E56C}\stubpath = "C:\\Windows\\{EA539EEE-C384-4ebf-9B92-A004A720E56C}.exe"	{2D6706A1-9F0F-4c3b-8D4C-E95C3F3CA1CA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{04251FA6-A1CA-4535-B2C0-B7E1F8EE7E4F}\stubpath = "C:\\Windows\\{04251FA6-A1CA-4535-B2C0-B7E1F8EE7E4F}.exe"	{AE0039DD-EFAA-4e4b-83FA-0C46EF40C2CE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CB03F408-A036-40d4-B03D-131A77F996C6}\stubpath = "C:\\Windows\\{CB03F408-A036-40d4-B03D-131A77F996C6}.exe"	{12EB664A-0251-46ae-ADBC-3FDA3138F463}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2D6706A1-9F0F-4c3b-8D4C-E95C3F3CA1CA}\stubpath = "C:\\Windows\\{2D6706A1-9F0F-4c3b-8D4C-E95C3F3CA1CA}.exe"	{CB03F408-A036-40d4-B03D-131A77F996C6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C19D13B2-C6E2-42a1-AD18-02C2CDFFF2CD}	{EA539EEE-C384-4ebf-9B92-A004A720E56C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7E2B6F5F-20C0-42d6-B054-F80233AC93EB}	{7295DE02-9406-4e40-B68D-F7AB1D1F433E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7E2B6F5F-20C0-42d6-B054-F80233AC93EB}\stubpath = "C:\\Windows\\{7E2B6F5F-20C0-42d6-B054-F80233AC93EB}.exe"	{7295DE02-9406-4e40-B68D-F7AB1D1F433E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{623C5C12-D87B-40b3-AA49-5C0CE9A6EBC2}\stubpath = "C:\\Windows\\{623C5C12-D87B-40b3-AA49-5C0CE9A6EBC2}.exe"	{04251FA6-A1CA-4535-B2C0-B7E1F8EE7E4F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7295DE02-9406-4e40-B68D-F7AB1D1F433E}	{623C5C12-D87B-40b3-AA49-5C0CE9A6EBC2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{12EB664A-0251-46ae-ADBC-3FDA3138F463}	2024-04-06_25a1894246c3759287116921baa4b1cd_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CB03F408-A036-40d4-B03D-131A77F996C6}	{12EB664A-0251-46ae-ADBC-3FDA3138F463}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2D6706A1-9F0F-4c3b-8D4C-E95C3F3CA1CA}	{CB03F408-A036-40d4-B03D-131A77F996C6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AE0039DD-EFAA-4e4b-83FA-0C46EF40C2CE}\stubpath = "C:\\Windows\\{AE0039DD-EFAA-4e4b-83FA-0C46EF40C2CE}.exe"	{C19D13B2-C6E2-42a1-AD18-02C2CDFFF2CD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{04251FA6-A1CA-4535-B2C0-B7E1F8EE7E4F}	{AE0039DD-EFAA-4e4b-83FA-0C46EF40C2CE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{623C5C12-D87B-40b3-AA49-5C0CE9A6EBC2}	{04251FA6-A1CA-4535-B2C0-B7E1F8EE7E4F}.exe

Deletes itself 1 IoCs

pid	Process
2560	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
3004	{12EB664A-0251-46ae-ADBC-3FDA3138F463}.exe
2520	{CB03F408-A036-40d4-B03D-131A77F996C6}.exe
2516	{2D6706A1-9F0F-4c3b-8D4C-E95C3F3CA1CA}.exe
2664	{EA539EEE-C384-4ebf-9B92-A004A720E56C}.exe
1820	{C19D13B2-C6E2-42a1-AD18-02C2CDFFF2CD}.exe
1600	{AE0039DD-EFAA-4e4b-83FA-0C46EF40C2CE}.exe
1368	{04251FA6-A1CA-4535-B2C0-B7E1F8EE7E4F}.exe
1380	{623C5C12-D87B-40b3-AA49-5C0CE9A6EBC2}.exe
1900	{7295DE02-9406-4e40-B68D-F7AB1D1F433E}.exe
604	{7E2B6F5F-20C0-42d6-B054-F80233AC93EB}.exe
2860	{3DD0400B-15DF-4722-959C-3A0E3B0D61B9}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{CB03F408-A036-40d4-B03D-131A77F996C6}.exe	{12EB664A-0251-46ae-ADBC-3FDA3138F463}.exe
File created	C:\Windows\{EA539EEE-C384-4ebf-9B92-A004A720E56C}.exe	{2D6706A1-9F0F-4c3b-8D4C-E95C3F3CA1CA}.exe
File created	C:\Windows\{623C5C12-D87B-40b3-AA49-5C0CE9A6EBC2}.exe	{04251FA6-A1CA-4535-B2C0-B7E1F8EE7E4F}.exe
File created	C:\Windows\{3DD0400B-15DF-4722-959C-3A0E3B0D61B9}.exe	{7E2B6F5F-20C0-42d6-B054-F80233AC93EB}.exe
File created	C:\Windows\{12EB664A-0251-46ae-ADBC-3FDA3138F463}.exe	2024-04-06_25a1894246c3759287116921baa4b1cd_goldeneye.exe
File created	C:\Windows\{2D6706A1-9F0F-4c3b-8D4C-E95C3F3CA1CA}.exe	{CB03F408-A036-40d4-B03D-131A77F996C6}.exe
File created	C:\Windows\{C19D13B2-C6E2-42a1-AD18-02C2CDFFF2CD}.exe	{EA539EEE-C384-4ebf-9B92-A004A720E56C}.exe
File created	C:\Windows\{AE0039DD-EFAA-4e4b-83FA-0C46EF40C2CE}.exe	{C19D13B2-C6E2-42a1-AD18-02C2CDFFF2CD}.exe
File created	C:\Windows\{04251FA6-A1CA-4535-B2C0-B7E1F8EE7E4F}.exe	{AE0039DD-EFAA-4e4b-83FA-0C46EF40C2CE}.exe
File created	C:\Windows\{7295DE02-9406-4e40-B68D-F7AB1D1F433E}.exe	{623C5C12-D87B-40b3-AA49-5C0CE9A6EBC2}.exe
File created	C:\Windows\{7E2B6F5F-20C0-42d6-B054-F80233AC93EB}.exe	{7295DE02-9406-4e40-B68D-F7AB1D1F433E}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2012	2024-04-06_25a1894246c3759287116921baa4b1cd_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3004	{12EB664A-0251-46ae-ADBC-3FDA3138F463}.exe
Token: SeIncBasePriorityPrivilege	2520	{CB03F408-A036-40d4-B03D-131A77F996C6}.exe
Token: SeIncBasePriorityPrivilege	2516	{2D6706A1-9F0F-4c3b-8D4C-E95C3F3CA1CA}.exe
Token: SeIncBasePriorityPrivilege	2664	{EA539EEE-C384-4ebf-9B92-A004A720E56C}.exe
Token: SeIncBasePriorityPrivilege	1820	{C19D13B2-C6E2-42a1-AD18-02C2CDFFF2CD}.exe
Token: SeIncBasePriorityPrivilege	1600	{AE0039DD-EFAA-4e4b-83FA-0C46EF40C2CE}.exe
Token: SeIncBasePriorityPrivilege	1368	{04251FA6-A1CA-4535-B2C0-B7E1F8EE7E4F}.exe
Token: SeIncBasePriorityPrivilege	1380	{623C5C12-D87B-40b3-AA49-5C0CE9A6EBC2}.exe
Token: SeIncBasePriorityPrivilege	1900	{7295DE02-9406-4e40-B68D-F7AB1D1F433E}.exe
Token: SeIncBasePriorityPrivilege	604	{7E2B6F5F-20C0-42d6-B054-F80233AC93EB}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2012 wrote to memory of 3004	2012	2024-04-06_25a1894246c3759287116921baa4b1cd_goldeneye.exe	28
PID 2012 wrote to memory of 3004	2012	2024-04-06_25a1894246c3759287116921baa4b1cd_goldeneye.exe	28
PID 2012 wrote to memory of 3004	2012	2024-04-06_25a1894246c3759287116921baa4b1cd_goldeneye.exe	28
PID 2012 wrote to memory of 3004	2012	2024-04-06_25a1894246c3759287116921baa4b1cd_goldeneye.exe	28
PID 2012 wrote to memory of 2560	2012	2024-04-06_25a1894246c3759287116921baa4b1cd_goldeneye.exe	29
PID 2012 wrote to memory of 2560	2012	2024-04-06_25a1894246c3759287116921baa4b1cd_goldeneye.exe	29
PID 2012 wrote to memory of 2560	2012	2024-04-06_25a1894246c3759287116921baa4b1cd_goldeneye.exe	29
PID 2012 wrote to memory of 2560	2012	2024-04-06_25a1894246c3759287116921baa4b1cd_goldeneye.exe	29
PID 3004 wrote to memory of 2520	3004	{12EB664A-0251-46ae-ADBC-3FDA3138F463}.exe	30
PID 3004 wrote to memory of 2520	3004	{12EB664A-0251-46ae-ADBC-3FDA3138F463}.exe	30
PID 3004 wrote to memory of 2520	3004	{12EB664A-0251-46ae-ADBC-3FDA3138F463}.exe	30
PID 3004 wrote to memory of 2520	3004	{12EB664A-0251-46ae-ADBC-3FDA3138F463}.exe	30
PID 3004 wrote to memory of 2440	3004	{12EB664A-0251-46ae-ADBC-3FDA3138F463}.exe	31
PID 3004 wrote to memory of 2440	3004	{12EB664A-0251-46ae-ADBC-3FDA3138F463}.exe	31
PID 3004 wrote to memory of 2440	3004	{12EB664A-0251-46ae-ADBC-3FDA3138F463}.exe	31
PID 3004 wrote to memory of 2440	3004	{12EB664A-0251-46ae-ADBC-3FDA3138F463}.exe	31
PID 2520 wrote to memory of 2516	2520	{CB03F408-A036-40d4-B03D-131A77F996C6}.exe	32
PID 2520 wrote to memory of 2516	2520	{CB03F408-A036-40d4-B03D-131A77F996C6}.exe	32
PID 2520 wrote to memory of 2516	2520	{CB03F408-A036-40d4-B03D-131A77F996C6}.exe	32
PID 2520 wrote to memory of 2516	2520	{CB03F408-A036-40d4-B03D-131A77F996C6}.exe	32
PID 2520 wrote to memory of 2400	2520	{CB03F408-A036-40d4-B03D-131A77F996C6}.exe	33
PID 2520 wrote to memory of 2400	2520	{CB03F408-A036-40d4-B03D-131A77F996C6}.exe	33
PID 2520 wrote to memory of 2400	2520	{CB03F408-A036-40d4-B03D-131A77F996C6}.exe	33
PID 2520 wrote to memory of 2400	2520	{CB03F408-A036-40d4-B03D-131A77F996C6}.exe	33
PID 2516 wrote to memory of 2664	2516	{2D6706A1-9F0F-4c3b-8D4C-E95C3F3CA1CA}.exe	36
PID 2516 wrote to memory of 2664	2516	{2D6706A1-9F0F-4c3b-8D4C-E95C3F3CA1CA}.exe	36
PID 2516 wrote to memory of 2664	2516	{2D6706A1-9F0F-4c3b-8D4C-E95C3F3CA1CA}.exe	36
PID 2516 wrote to memory of 2664	2516	{2D6706A1-9F0F-4c3b-8D4C-E95C3F3CA1CA}.exe	36
PID 2516 wrote to memory of 2660	2516	{2D6706A1-9F0F-4c3b-8D4C-E95C3F3CA1CA}.exe	37
PID 2516 wrote to memory of 2660	2516	{2D6706A1-9F0F-4c3b-8D4C-E95C3F3CA1CA}.exe	37
PID 2516 wrote to memory of 2660	2516	{2D6706A1-9F0F-4c3b-8D4C-E95C3F3CA1CA}.exe	37
PID 2516 wrote to memory of 2660	2516	{2D6706A1-9F0F-4c3b-8D4C-E95C3F3CA1CA}.exe	37
PID 2664 wrote to memory of 1820	2664	{EA539EEE-C384-4ebf-9B92-A004A720E56C}.exe	38
PID 2664 wrote to memory of 1820	2664	{EA539EEE-C384-4ebf-9B92-A004A720E56C}.exe	38
PID 2664 wrote to memory of 1820	2664	{EA539EEE-C384-4ebf-9B92-A004A720E56C}.exe	38
PID 2664 wrote to memory of 1820	2664	{EA539EEE-C384-4ebf-9B92-A004A720E56C}.exe	38
PID 2664 wrote to memory of 2300	2664	{EA539EEE-C384-4ebf-9B92-A004A720E56C}.exe	39
PID 2664 wrote to memory of 2300	2664	{EA539EEE-C384-4ebf-9B92-A004A720E56C}.exe	39
PID 2664 wrote to memory of 2300	2664	{EA539EEE-C384-4ebf-9B92-A004A720E56C}.exe	39
PID 2664 wrote to memory of 2300	2664	{EA539EEE-C384-4ebf-9B92-A004A720E56C}.exe	39
PID 1820 wrote to memory of 1600	1820	{C19D13B2-C6E2-42a1-AD18-02C2CDFFF2CD}.exe	40
PID 1820 wrote to memory of 1600	1820	{C19D13B2-C6E2-42a1-AD18-02C2CDFFF2CD}.exe	40
PID 1820 wrote to memory of 1600	1820	{C19D13B2-C6E2-42a1-AD18-02C2CDFFF2CD}.exe	40
PID 1820 wrote to memory of 1600	1820	{C19D13B2-C6E2-42a1-AD18-02C2CDFFF2CD}.exe	40
PID 1820 wrote to memory of 1592	1820	{C19D13B2-C6E2-42a1-AD18-02C2CDFFF2CD}.exe	41
PID 1820 wrote to memory of 1592	1820	{C19D13B2-C6E2-42a1-AD18-02C2CDFFF2CD}.exe	41
PID 1820 wrote to memory of 1592	1820	{C19D13B2-C6E2-42a1-AD18-02C2CDFFF2CD}.exe	41
PID 1820 wrote to memory of 1592	1820	{C19D13B2-C6E2-42a1-AD18-02C2CDFFF2CD}.exe	41
PID 1600 wrote to memory of 1368	1600	{AE0039DD-EFAA-4e4b-83FA-0C46EF40C2CE}.exe	42
PID 1600 wrote to memory of 1368	1600	{AE0039DD-EFAA-4e4b-83FA-0C46EF40C2CE}.exe	42
PID 1600 wrote to memory of 1368	1600	{AE0039DD-EFAA-4e4b-83FA-0C46EF40C2CE}.exe	42
PID 1600 wrote to memory of 1368	1600	{AE0039DD-EFAA-4e4b-83FA-0C46EF40C2CE}.exe	42
PID 1600 wrote to memory of 1488	1600	{AE0039DD-EFAA-4e4b-83FA-0C46EF40C2CE}.exe	43
PID 1600 wrote to memory of 1488	1600	{AE0039DD-EFAA-4e4b-83FA-0C46EF40C2CE}.exe	43
PID 1600 wrote to memory of 1488	1600	{AE0039DD-EFAA-4e4b-83FA-0C46EF40C2CE}.exe	43
PID 1600 wrote to memory of 1488	1600	{AE0039DD-EFAA-4e4b-83FA-0C46EF40C2CE}.exe	43
PID 1368 wrote to memory of 1380	1368	{04251FA6-A1CA-4535-B2C0-B7E1F8EE7E4F}.exe	44
PID 1368 wrote to memory of 1380	1368	{04251FA6-A1CA-4535-B2C0-B7E1F8EE7E4F}.exe	44
PID 1368 wrote to memory of 1380	1368	{04251FA6-A1CA-4535-B2C0-B7E1F8EE7E4F}.exe	44
PID 1368 wrote to memory of 1380	1368	{04251FA6-A1CA-4535-B2C0-B7E1F8EE7E4F}.exe	44
PID 1368 wrote to memory of 1708	1368	{04251FA6-A1CA-4535-B2C0-B7E1F8EE7E4F}.exe	45
PID 1368 wrote to memory of 1708	1368	{04251FA6-A1CA-4535-B2C0-B7E1F8EE7E4F}.exe	45
PID 1368 wrote to memory of 1708	1368	{04251FA6-A1CA-4535-B2C0-B7E1F8EE7E4F}.exe	45
PID 1368 wrote to memory of 1708	1368	{04251FA6-A1CA-4535-B2C0-B7E1F8EE7E4F}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-04-06_25a1894246c3759287116921baa4b1cd_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-06_25a1894246c3759287116921baa4b1cd_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2012
- C:\Windows\{12EB664A-0251-46ae-ADBC-3FDA3138F463}.exe
  C:\Windows\{12EB664A-0251-46ae-ADBC-3FDA3138F463}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3004
- - C:\Windows\{CB03F408-A036-40d4-B03D-131A77F996C6}.exe
    C:\Windows\{CB03F408-A036-40d4-B03D-131A77F996C6}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2520
  - - C:\Windows\{2D6706A1-9F0F-4c3b-8D4C-E95C3F3CA1CA}.exe
      C:\Windows\{2D6706A1-9F0F-4c3b-8D4C-E95C3F3CA1CA}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2516
    - - C:\Windows\{EA539EEE-C384-4ebf-9B92-A004A720E56C}.exe
        
        C:\Windows\{EA539EEE-C384-4ebf-9B92-A004A720E56C}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2664
      - C:\Windows\{C19D13B2-C6E2-42a1-AD18-02C2CDFFF2CD}.exe
        
        C:\Windows\{C19D13B2-C6E2-42a1-AD18-02C2CDFFF2CD}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1820
        
        C:\Windows\{AE0039DD-EFAA-4e4b-83FA-0C46EF40C2CE}.exe
        
        C:\Windows\{AE0039DD-EFAA-4e4b-83FA-0C46EF40C2CE}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1600
        
        C:\Windows\{04251FA6-A1CA-4535-B2C0-B7E1F8EE7E4F}.exe
        
        C:\Windows\{04251FA6-A1CA-4535-B2C0-B7E1F8EE7E4F}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1368
        
        C:\Windows\{623C5C12-D87B-40b3-AA49-5C0CE9A6EBC2}.exe
        
        C:\Windows\{623C5C12-D87B-40b3-AA49-5C0CE9A6EBC2}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1380
        
        C:\Windows\{7295DE02-9406-4e40-B68D-F7AB1D1F433E}.exe
        
        C:\Windows\{7295DE02-9406-4e40-B68D-F7AB1D1F433E}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1900
        
        C:\Windows\{7E2B6F5F-20C0-42d6-B054-F80233AC93EB}.exe
        
        C:\Windows\{7E2B6F5F-20C0-42d6-B054-F80233AC93EB}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:604
        
        C:\Windows\{3DD0400B-15DF-4722-959C-3A0E3B0D61B9}.exe
        
        C:\Windows\{3DD0400B-15DF-4722-959C-3A0E3B0D61B9}.exe
        12⤵
        Executes dropped EXE
        
        PID:2860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7E2B6~1.EXE > nul
        12⤵
        
        PID:1832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7295D~1.EXE > nul
        11⤵
        
        PID:488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{623C5~1.EXE > nul
        10⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{04251~1.EXE > nul
        9⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AE003~1.EXE > nul
        8⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C19D1~1.EXE > nul
        7⤵
        
        PID:1592
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EA539~1.EXE > nul
        6⤵
        
        PID:2300
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2D670~1.EXE > nul
        5⤵
        
        PID:2660
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{CB03F~1.EXE > nul
      4⤵
      PID:2400
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{12EB6~1.EXE > nul
    3⤵
    PID:2440
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{04251FA6-A1CA-4535-B2C0-B7E1F8EE7E4F}.exe

Filesize
216KB

MD5
e65b611ca58284220dde484ba27a38e8

SHA1
57d4e4b4a277330507b99bc356cbd1270fd7ec01

SHA256
033f5382ee04093345496ecaa41dbaa29cce8d7cc62b8b6f871cd001f2aac17a

SHA512
94cb75702cf48d2cc62dfd903b1c368541f652b590778acd67cb00cb4c693f2bfd5b4ce45f888795bf8018689d3e10bc2fb6da87997195a0de7a09690edb3c7f

Download Submit
C:\Windows\{12EB664A-0251-46ae-ADBC-3FDA3138F463}.exe

Filesize
216KB

MD5
94a35db5c78b497fca03ed464eefd594

SHA1
317fa9b25d78416d6bd0b57556873cf7c7d555b3

SHA256
bf12e6fef955ca0acc2b07ff9fe8e249ee2ac388bbf254a92b9c9c162eca919d

SHA512
4bf8128b14bfa5d7662ed9922213027de57c2eaf085391d0f1310a678b1a405be77613c8433d738e14d18a602b95d07ab251131705b1ad1c8529ee7455e7ee4b

Download Submit
C:\Windows\{2D6706A1-9F0F-4c3b-8D4C-E95C3F3CA1CA}.exe

Filesize
216KB

MD5
e0844b218d15a04bb3ed529d79b5fc48

SHA1
bf1430b5254670fa9eac85b23c966a84ef2bd3d5

SHA256
730c7c1a7ca5bfcc0c704805f05034858104e759bd8412b27cf175bfced94eb1

SHA512
05d2830b1632691310810982068e0f1da57a69fffb46a11402a3cda219633820efc8027c00b562a4f29d692cedc40f308598545cfa14caab8e7ed274e69b18e0

Download Submit
C:\Windows\{3DD0400B-15DF-4722-959C-3A0E3B0D61B9}.exe

Filesize
216KB

MD5
4f37a935a8207324e1f693c616a7b76b

SHA1
6e86ccec204ae9e92cada58ae4871a3a5fbcc417

SHA256
a588b2df02e5154edfb3a5e193a8e895af3dc27d0f2574ae61d35657e86a4a5c

SHA512
957500b44ca861df5cae4f9d724921953320c1ef80710be5ea41a203d1b338f050ec033c993117b0e1c91e43f1210aab884f39e2161649885d7280ceea926bc7

Download Submit
C:\Windows\{623C5C12-D87B-40b3-AA49-5C0CE9A6EBC2}.exe

Filesize
216KB

MD5
518f9772499fd2b70f5fa7e04470d72a

SHA1
3631c803ae356f28b9f262e038c114a86c6ad7fe

SHA256
b1c0983d18eef97005ef935fc3c05303502ab76403a747324504a144a206cd22

SHA512
6a8fd832f9823cd839d8ef67a5dc0d953fad5eb800d06cb5b3fbacd0cd093d1d4f4db529dff33d897cf9e05749b596f46e5ad6c48761af24c499fe42848c87e4

Download Submit
C:\Windows\{7295DE02-9406-4e40-B68D-F7AB1D1F433E}.exe

Filesize
216KB

MD5
c81f46ff8a73bbcf5f0cae1e53904e9b

SHA1
34c8e86358794549bd45bece60fe705e109b7c7b

SHA256
9114f75728bda8f7bf33e04d81ac923f16d23bdd2be8bdfbeba199fe5f174b68

SHA512
f70ad781dee3461476ed9bf5447b4299d384ebf5028ff70416d8a6ea041080a69857e1d21a7812b1eb3e2803be66c4129959c8bc52b7c7d7397628a5817d33ee

Download Submit
C:\Windows\{7E2B6F5F-20C0-42d6-B054-F80233AC93EB}.exe

Filesize
216KB

MD5
769ffe3f24a4f357daf1589217555d39

SHA1
53077c95c6a2d89e07c8872f6911a5f62b9198c6

SHA256
391093b0b3d590573b00bee6d2df7c65979ad6c8ca0bfd8aaf749a589e4e97f6

SHA512
d81b11353d87bc1318f61c4049bd968350e1530066acd870f1e770e46ded781106659a913b302e1d6d2bb879e25faaa8872aa3b18721b8d4efbdd28483a599f5

Download Submit
C:\Windows\{AE0039DD-EFAA-4e4b-83FA-0C46EF40C2CE}.exe

Filesize
216KB

MD5
d1a55e5ff740a1f440ec7f933815b5f7

SHA1
414d815bf9d988e2499f2cac8d01a20ace759670

SHA256
c34f29bfe4153c5655eaec3b354895295b3f930331f7457aed02416f72d08436

SHA512
3c65807c5552b23fe6ed733abdeed2d66df69d30bf3c14fc50ff2d1612d17e87274c288b714fed1d2effc6edd600cf13fea0a2f4ab2c0dc714b98eec24cf3ffa

Download Submit
C:\Windows\{C19D13B2-C6E2-42a1-AD18-02C2CDFFF2CD}.exe

Filesize
216KB

MD5
8e212be26b02f9dd39ca2e7f5e237590

SHA1
d0f2e9c56de5ecd62b1a5fa12e2b0ed790d1fcde

SHA256
30cf491c305ff73770fd56818719559f5f15148aa6d58e6da7de199272d6c865

SHA512
b334327e06aedc5b8f4202d23118c4e01e849e4d36e880b6f7df25e4f511bfb5bc80e86f61244dd923e30006552edfb13a729c3a4a087d46ef1cdc30d6e7d317

Download Submit
C:\Windows\{CB03F408-A036-40d4-B03D-131A77F996C6}.exe

Filesize
216KB

MD5
c155e1a266576611c889b4769c0361cf

SHA1
5590f9d9a73ca758effe30df13a2a228b031600d

SHA256
2ede752bf474d18e05502e8933d089bc1965f0c421526e0b61a9e7e77377bfc8

SHA512
600f63a1ec97cf187907f2e7259585256302c269923a277d3084eaa3a01dad2a9b007cbf37098a1c97c31926dcf11040c88564982ee480ec3ddc1c878dd438d7

Download Submit
C:\Windows\{EA539EEE-C384-4ebf-9B92-A004A720E56C}.exe

Filesize
216KB

MD5
595a29e1b59cb009fb41b097c8e7cded

SHA1
f4afa2d93c2d47208102c05ecfc63b80b72009b6

SHA256
e8810a88c2d55ef47115b5cf8e7a0661eea5f0fd7486b0131273f7789f706cb4

SHA512
d18c9af4517fc5b0efd8dbe247be4870bf7cab3b32ac033922f0a1999de15efc1be2f0d3d0a81c3c87753a873e53b70490caf48a1f66a88d3d2d3d9a62138cd4

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads