729407bdcfbbc32ad3da78450143536afe71de12cdf5fb0f57c4306bab2aa8b6

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
09/04/2024, 14:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-08_020679600730217abb99bb7ce00127ce_goldeneye.exe
Size

408KB
MD5

020679600730217abb99bb7ce00127ce
SHA1

590028c90c3944a213c05bf676ccaa5fabbceada
SHA256

729407bdcfbbc32ad3da78450143536afe71de12cdf5fb0f57c4306bab2aa8b6
SHA512

e6193d219271acbf9e6d3a2fe37e263a1cb36ffd59e80d203a898d2812be4e03656bce53039a5b4a9eb87eb731bf4cba7f4db82589aa74601ff1bb8b49bd0d6e
SSDEEP

3072:CEGh0oVl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGDldOe2MUVg3vTeKcAEciTBqr3jy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000a000000013a71-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00090000000141c0-11.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b000000013a71-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a0000000143ec-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000005a59-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000013a71-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000005a59-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000013a71-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000005a59-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e000000013a71-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000005a59-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{447463C9-1489-47f7-8C1C-111A44A5CD53}	{163F7DC4-A167-4c20-AF5F-3F4DD9AEFC2D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2BC3D307-D47B-4af8-9889-0450E8183212}\stubpath = "C:\\Windows\\{2BC3D307-D47B-4af8-9889-0450E8183212}.exe"	{447463C9-1489-47f7-8C1C-111A44A5CD53}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3BD8609A-D3BE-4e94-9C4E-92D219B680A2}	{2BC3D307-D47B-4af8-9889-0450E8183212}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BEABA883-B715-48de-B6D6-76916161B81C}\stubpath = "C:\\Windows\\{BEABA883-B715-48de-B6D6-76916161B81C}.exe"	{9DFC4948-1566-4ad2-93A3-F28AC5ADDEE0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5D3DA6D6-1D68-42b9-A7CF-501FAEBE9D50}\stubpath = "C:\\Windows\\{5D3DA6D6-1D68-42b9-A7CF-501FAEBE9D50}.exe"	2024-04-08_020679600730217abb99bb7ce00127ce_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FC1D6CF8-1A64-48fb-A7AE-5187AB32B25C}	{B592DC2D-E46C-4303-8E4C-9B542EDB1FFB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FC1D6CF8-1A64-48fb-A7AE-5187AB32B25C}\stubpath = "C:\\Windows\\{FC1D6CF8-1A64-48fb-A7AE-5187AB32B25C}.exe"	{B592DC2D-E46C-4303-8E4C-9B542EDB1FFB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{447463C9-1489-47f7-8C1C-111A44A5CD53}\stubpath = "C:\\Windows\\{447463C9-1489-47f7-8C1C-111A44A5CD53}.exe"	{163F7DC4-A167-4c20-AF5F-3F4DD9AEFC2D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2BC3D307-D47B-4af8-9889-0450E8183212}	{447463C9-1489-47f7-8C1C-111A44A5CD53}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3BD8609A-D3BE-4e94-9C4E-92D219B680A2}\stubpath = "C:\\Windows\\{3BD8609A-D3BE-4e94-9C4E-92D219B680A2}.exe"	{2BC3D307-D47B-4af8-9889-0450E8183212}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BEABA883-B715-48de-B6D6-76916161B81C}	{9DFC4948-1566-4ad2-93A3-F28AC5ADDEE0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E2D728A9-66FB-4b00-833E-FE7B461FC3D9}	{BE069770-24F3-4cf8-8447-DB0F5FAC220C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5D3DA6D6-1D68-42b9-A7CF-501FAEBE9D50}	2024-04-08_020679600730217abb99bb7ce00127ce_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B592DC2D-E46C-4303-8E4C-9B542EDB1FFB}\stubpath = "C:\\Windows\\{B592DC2D-E46C-4303-8E4C-9B542EDB1FFB}.exe"	{5D3DA6D6-1D68-42b9-A7CF-501FAEBE9D50}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{163F7DC4-A167-4c20-AF5F-3F4DD9AEFC2D}	{FC1D6CF8-1A64-48fb-A7AE-5187AB32B25C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9DFC4948-1566-4ad2-93A3-F28AC5ADDEE0}	{3BD8609A-D3BE-4e94-9C4E-92D219B680A2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9DFC4948-1566-4ad2-93A3-F28AC5ADDEE0}\stubpath = "C:\\Windows\\{9DFC4948-1566-4ad2-93A3-F28AC5ADDEE0}.exe"	{3BD8609A-D3BE-4e94-9C4E-92D219B680A2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E2D728A9-66FB-4b00-833E-FE7B461FC3D9}\stubpath = "C:\\Windows\\{E2D728A9-66FB-4b00-833E-FE7B461FC3D9}.exe"	{BE069770-24F3-4cf8-8447-DB0F5FAC220C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B592DC2D-E46C-4303-8E4C-9B542EDB1FFB}	{5D3DA6D6-1D68-42b9-A7CF-501FAEBE9D50}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BE069770-24F3-4cf8-8447-DB0F5FAC220C}	{BEABA883-B715-48de-B6D6-76916161B81C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BE069770-24F3-4cf8-8447-DB0F5FAC220C}\stubpath = "C:\\Windows\\{BE069770-24F3-4cf8-8447-DB0F5FAC220C}.exe"	{BEABA883-B715-48de-B6D6-76916161B81C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{163F7DC4-A167-4c20-AF5F-3F4DD9AEFC2D}\stubpath = "C:\\Windows\\{163F7DC4-A167-4c20-AF5F-3F4DD9AEFC2D}.exe"	{FC1D6CF8-1A64-48fb-A7AE-5187AB32B25C}.exe

Deletes itself 1 IoCs

pid	Process
2196	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2984	{5D3DA6D6-1D68-42b9-A7CF-501FAEBE9D50}.exe
2656	{B592DC2D-E46C-4303-8E4C-9B542EDB1FFB}.exe
2620	{FC1D6CF8-1A64-48fb-A7AE-5187AB32B25C}.exe
1908	{163F7DC4-A167-4c20-AF5F-3F4DD9AEFC2D}.exe
2964	{447463C9-1489-47f7-8C1C-111A44A5CD53}.exe
2644	{2BC3D307-D47B-4af8-9889-0450E8183212}.exe
2816	{3BD8609A-D3BE-4e94-9C4E-92D219B680A2}.exe
1688	{9DFC4948-1566-4ad2-93A3-F28AC5ADDEE0}.exe
1748	{BEABA883-B715-48de-B6D6-76916161B81C}.exe
2852	{BE069770-24F3-4cf8-8447-DB0F5FAC220C}.exe
636	{E2D728A9-66FB-4b00-833E-FE7B461FC3D9}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{BEABA883-B715-48de-B6D6-76916161B81C}.exe	{9DFC4948-1566-4ad2-93A3-F28AC5ADDEE0}.exe
File created	C:\Windows\{BE069770-24F3-4cf8-8447-DB0F5FAC220C}.exe	{BEABA883-B715-48de-B6D6-76916161B81C}.exe
File created	C:\Windows\{E2D728A9-66FB-4b00-833E-FE7B461FC3D9}.exe	{BE069770-24F3-4cf8-8447-DB0F5FAC220C}.exe
File created	C:\Windows\{163F7DC4-A167-4c20-AF5F-3F4DD9AEFC2D}.exe	{FC1D6CF8-1A64-48fb-A7AE-5187AB32B25C}.exe
File created	C:\Windows\{3BD8609A-D3BE-4e94-9C4E-92D219B680A2}.exe	{2BC3D307-D47B-4af8-9889-0450E8183212}.exe
File created	C:\Windows\{9DFC4948-1566-4ad2-93A3-F28AC5ADDEE0}.exe	{3BD8609A-D3BE-4e94-9C4E-92D219B680A2}.exe
File created	C:\Windows\{447463C9-1489-47f7-8C1C-111A44A5CD53}.exe	{163F7DC4-A167-4c20-AF5F-3F4DD9AEFC2D}.exe
File created	C:\Windows\{2BC3D307-D47B-4af8-9889-0450E8183212}.exe	{447463C9-1489-47f7-8C1C-111A44A5CD53}.exe
File created	C:\Windows\{5D3DA6D6-1D68-42b9-A7CF-501FAEBE9D50}.exe	2024-04-08_020679600730217abb99bb7ce00127ce_goldeneye.exe
File created	C:\Windows\{B592DC2D-E46C-4303-8E4C-9B542EDB1FFB}.exe	{5D3DA6D6-1D68-42b9-A7CF-501FAEBE9D50}.exe
File created	C:\Windows\{FC1D6CF8-1A64-48fb-A7AE-5187AB32B25C}.exe	{B592DC2D-E46C-4303-8E4C-9B542EDB1FFB}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2916	2024-04-08_020679600730217abb99bb7ce00127ce_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2984	{5D3DA6D6-1D68-42b9-A7CF-501FAEBE9D50}.exe
Token: SeIncBasePriorityPrivilege	2656	{B592DC2D-E46C-4303-8E4C-9B542EDB1FFB}.exe
Token: SeIncBasePriorityPrivilege	2620	{FC1D6CF8-1A64-48fb-A7AE-5187AB32B25C}.exe
Token: SeIncBasePriorityPrivilege	1908	{163F7DC4-A167-4c20-AF5F-3F4DD9AEFC2D}.exe
Token: SeIncBasePriorityPrivilege	2964	{447463C9-1489-47f7-8C1C-111A44A5CD53}.exe
Token: SeIncBasePriorityPrivilege	2644	{2BC3D307-D47B-4af8-9889-0450E8183212}.exe
Token: SeIncBasePriorityPrivilege	2816	{3BD8609A-D3BE-4e94-9C4E-92D219B680A2}.exe
Token: SeIncBasePriorityPrivilege	1688	{9DFC4948-1566-4ad2-93A3-F28AC5ADDEE0}.exe
Token: SeIncBasePriorityPrivilege	1748	{BEABA883-B715-48de-B6D6-76916161B81C}.exe
Token: SeIncBasePriorityPrivilege	2852	{BE069770-24F3-4cf8-8447-DB0F5FAC220C}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2916 wrote to memory of 2984	2916	2024-04-08_020679600730217abb99bb7ce00127ce_goldeneye.exe	28
PID 2916 wrote to memory of 2984	2916	2024-04-08_020679600730217abb99bb7ce00127ce_goldeneye.exe	28
PID 2916 wrote to memory of 2984	2916	2024-04-08_020679600730217abb99bb7ce00127ce_goldeneye.exe	28
PID 2916 wrote to memory of 2984	2916	2024-04-08_020679600730217abb99bb7ce00127ce_goldeneye.exe	28
PID 2916 wrote to memory of 2196	2916	2024-04-08_020679600730217abb99bb7ce00127ce_goldeneye.exe	29
PID 2916 wrote to memory of 2196	2916	2024-04-08_020679600730217abb99bb7ce00127ce_goldeneye.exe	29
PID 2916 wrote to memory of 2196	2916	2024-04-08_020679600730217abb99bb7ce00127ce_goldeneye.exe	29
PID 2916 wrote to memory of 2196	2916	2024-04-08_020679600730217abb99bb7ce00127ce_goldeneye.exe	29
PID 2984 wrote to memory of 2656	2984	{5D3DA6D6-1D68-42b9-A7CF-501FAEBE9D50}.exe	30
PID 2984 wrote to memory of 2656	2984	{5D3DA6D6-1D68-42b9-A7CF-501FAEBE9D50}.exe	30
PID 2984 wrote to memory of 2656	2984	{5D3DA6D6-1D68-42b9-A7CF-501FAEBE9D50}.exe	30
PID 2984 wrote to memory of 2656	2984	{5D3DA6D6-1D68-42b9-A7CF-501FAEBE9D50}.exe	30
PID 2984 wrote to memory of 2744	2984	{5D3DA6D6-1D68-42b9-A7CF-501FAEBE9D50}.exe	31
PID 2984 wrote to memory of 2744	2984	{5D3DA6D6-1D68-42b9-A7CF-501FAEBE9D50}.exe	31
PID 2984 wrote to memory of 2744	2984	{5D3DA6D6-1D68-42b9-A7CF-501FAEBE9D50}.exe	31
PID 2984 wrote to memory of 2744	2984	{5D3DA6D6-1D68-42b9-A7CF-501FAEBE9D50}.exe	31
PID 2656 wrote to memory of 2620	2656	{B592DC2D-E46C-4303-8E4C-9B542EDB1FFB}.exe	32
PID 2656 wrote to memory of 2620	2656	{B592DC2D-E46C-4303-8E4C-9B542EDB1FFB}.exe	32
PID 2656 wrote to memory of 2620	2656	{B592DC2D-E46C-4303-8E4C-9B542EDB1FFB}.exe	32
PID 2656 wrote to memory of 2620	2656	{B592DC2D-E46C-4303-8E4C-9B542EDB1FFB}.exe	32
PID 2656 wrote to memory of 2792	2656	{B592DC2D-E46C-4303-8E4C-9B542EDB1FFB}.exe	33
PID 2656 wrote to memory of 2792	2656	{B592DC2D-E46C-4303-8E4C-9B542EDB1FFB}.exe	33
PID 2656 wrote to memory of 2792	2656	{B592DC2D-E46C-4303-8E4C-9B542EDB1FFB}.exe	33
PID 2656 wrote to memory of 2792	2656	{B592DC2D-E46C-4303-8E4C-9B542EDB1FFB}.exe	33
PID 2620 wrote to memory of 1908	2620	{FC1D6CF8-1A64-48fb-A7AE-5187AB32B25C}.exe	36
PID 2620 wrote to memory of 1908	2620	{FC1D6CF8-1A64-48fb-A7AE-5187AB32B25C}.exe	36
PID 2620 wrote to memory of 1908	2620	{FC1D6CF8-1A64-48fb-A7AE-5187AB32B25C}.exe	36
PID 2620 wrote to memory of 1908	2620	{FC1D6CF8-1A64-48fb-A7AE-5187AB32B25C}.exe	36
PID 2620 wrote to memory of 2944	2620	{FC1D6CF8-1A64-48fb-A7AE-5187AB32B25C}.exe	37
PID 2620 wrote to memory of 2944	2620	{FC1D6CF8-1A64-48fb-A7AE-5187AB32B25C}.exe	37
PID 2620 wrote to memory of 2944	2620	{FC1D6CF8-1A64-48fb-A7AE-5187AB32B25C}.exe	37
PID 2620 wrote to memory of 2944	2620	{FC1D6CF8-1A64-48fb-A7AE-5187AB32B25C}.exe	37
PID 1908 wrote to memory of 2964	1908	{163F7DC4-A167-4c20-AF5F-3F4DD9AEFC2D}.exe	38
PID 1908 wrote to memory of 2964	1908	{163F7DC4-A167-4c20-AF5F-3F4DD9AEFC2D}.exe	38
PID 1908 wrote to memory of 2964	1908	{163F7DC4-A167-4c20-AF5F-3F4DD9AEFC2D}.exe	38
PID 1908 wrote to memory of 2964	1908	{163F7DC4-A167-4c20-AF5F-3F4DD9AEFC2D}.exe	38
PID 1908 wrote to memory of 2548	1908	{163F7DC4-A167-4c20-AF5F-3F4DD9AEFC2D}.exe	39
PID 1908 wrote to memory of 2548	1908	{163F7DC4-A167-4c20-AF5F-3F4DD9AEFC2D}.exe	39
PID 1908 wrote to memory of 2548	1908	{163F7DC4-A167-4c20-AF5F-3F4DD9AEFC2D}.exe	39
PID 1908 wrote to memory of 2548	1908	{163F7DC4-A167-4c20-AF5F-3F4DD9AEFC2D}.exe	39
PID 2964 wrote to memory of 2644	2964	{447463C9-1489-47f7-8C1C-111A44A5CD53}.exe	40
PID 2964 wrote to memory of 2644	2964	{447463C9-1489-47f7-8C1C-111A44A5CD53}.exe	40
PID 2964 wrote to memory of 2644	2964	{447463C9-1489-47f7-8C1C-111A44A5CD53}.exe	40
PID 2964 wrote to memory of 2644	2964	{447463C9-1489-47f7-8C1C-111A44A5CD53}.exe	40
PID 2964 wrote to memory of 2812	2964	{447463C9-1489-47f7-8C1C-111A44A5CD53}.exe	41
PID 2964 wrote to memory of 2812	2964	{447463C9-1489-47f7-8C1C-111A44A5CD53}.exe	41
PID 2964 wrote to memory of 2812	2964	{447463C9-1489-47f7-8C1C-111A44A5CD53}.exe	41
PID 2964 wrote to memory of 2812	2964	{447463C9-1489-47f7-8C1C-111A44A5CD53}.exe	41
PID 2644 wrote to memory of 2816	2644	{2BC3D307-D47B-4af8-9889-0450E8183212}.exe	42
PID 2644 wrote to memory of 2816	2644	{2BC3D307-D47B-4af8-9889-0450E8183212}.exe	42
PID 2644 wrote to memory of 2816	2644	{2BC3D307-D47B-4af8-9889-0450E8183212}.exe	42
PID 2644 wrote to memory of 2816	2644	{2BC3D307-D47B-4af8-9889-0450E8183212}.exe	42
PID 2644 wrote to memory of 2968	2644	{2BC3D307-D47B-4af8-9889-0450E8183212}.exe	43
PID 2644 wrote to memory of 2968	2644	{2BC3D307-D47B-4af8-9889-0450E8183212}.exe	43
PID 2644 wrote to memory of 2968	2644	{2BC3D307-D47B-4af8-9889-0450E8183212}.exe	43
PID 2644 wrote to memory of 2968	2644	{2BC3D307-D47B-4af8-9889-0450E8183212}.exe	43
PID 2816 wrote to memory of 1688	2816	{3BD8609A-D3BE-4e94-9C4E-92D219B680A2}.exe	44
PID 2816 wrote to memory of 1688	2816	{3BD8609A-D3BE-4e94-9C4E-92D219B680A2}.exe	44
PID 2816 wrote to memory of 1688	2816	{3BD8609A-D3BE-4e94-9C4E-92D219B680A2}.exe	44
PID 2816 wrote to memory of 1688	2816	{3BD8609A-D3BE-4e94-9C4E-92D219B680A2}.exe	44
PID 2816 wrote to memory of 1616	2816	{3BD8609A-D3BE-4e94-9C4E-92D219B680A2}.exe	45
PID 2816 wrote to memory of 1616	2816	{3BD8609A-D3BE-4e94-9C4E-92D219B680A2}.exe	45
PID 2816 wrote to memory of 1616	2816	{3BD8609A-D3BE-4e94-9C4E-92D219B680A2}.exe	45
PID 2816 wrote to memory of 1616	2816	{3BD8609A-D3BE-4e94-9C4E-92D219B680A2}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-04-08_020679600730217abb99bb7ce00127ce_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-08_020679600730217abb99bb7ce00127ce_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2916
- C:\Windows\{5D3DA6D6-1D68-42b9-A7CF-501FAEBE9D50}.exe
  C:\Windows\{5D3DA6D6-1D68-42b9-A7CF-501FAEBE9D50}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2984
- - C:\Windows\{B592DC2D-E46C-4303-8E4C-9B542EDB1FFB}.exe
    C:\Windows\{B592DC2D-E46C-4303-8E4C-9B542EDB1FFB}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2656
  - - C:\Windows\{FC1D6CF8-1A64-48fb-A7AE-5187AB32B25C}.exe
      C:\Windows\{FC1D6CF8-1A64-48fb-A7AE-5187AB32B25C}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2620
    - - C:\Windows\{163F7DC4-A167-4c20-AF5F-3F4DD9AEFC2D}.exe
        
        C:\Windows\{163F7DC4-A167-4c20-AF5F-3F4DD9AEFC2D}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1908
      - C:\Windows\{447463C9-1489-47f7-8C1C-111A44A5CD53}.exe
        
        C:\Windows\{447463C9-1489-47f7-8C1C-111A44A5CD53}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2964
        
        C:\Windows\{2BC3D307-D47B-4af8-9889-0450E8183212}.exe
        
        C:\Windows\{2BC3D307-D47B-4af8-9889-0450E8183212}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2644
        
        C:\Windows\{3BD8609A-D3BE-4e94-9C4E-92D219B680A2}.exe
        
        C:\Windows\{3BD8609A-D3BE-4e94-9C4E-92D219B680A2}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2816
        
        C:\Windows\{9DFC4948-1566-4ad2-93A3-F28AC5ADDEE0}.exe
        
        C:\Windows\{9DFC4948-1566-4ad2-93A3-F28AC5ADDEE0}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1688
        
        C:\Windows\{BEABA883-B715-48de-B6D6-76916161B81C}.exe
        
        C:\Windows\{BEABA883-B715-48de-B6D6-76916161B81C}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1748
        
        C:\Windows\{BE069770-24F3-4cf8-8447-DB0F5FAC220C}.exe
        
        C:\Windows\{BE069770-24F3-4cf8-8447-DB0F5FAC220C}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2852
        
        C:\Windows\{E2D728A9-66FB-4b00-833E-FE7B461FC3D9}.exe
        
        C:\Windows\{E2D728A9-66FB-4b00-833E-FE7B461FC3D9}.exe
        12⤵
        Executes dropped EXE
        
        PID:636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BE069~1.EXE > nul
        12⤵
        
        PID:576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BEABA~1.EXE > nul
        11⤵
        
        PID:2432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9DFC4~1.EXE > nul
        10⤵
        
        PID:1404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3BD86~1.EXE > nul
        9⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2BC3D~1.EXE > nul
        8⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{44746~1.EXE > nul
        7⤵
        
        PID:2812
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{163F7~1.EXE > nul
        6⤵
        
        PID:2548
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FC1D6~1.EXE > nul
        5⤵
        
        PID:2944
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{B592D~1.EXE > nul
      4⤵
      PID:2792
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{5D3DA~1.EXE > nul
    3⤵
    PID:2744
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2196

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{163F7DC4-A167-4c20-AF5F-3F4DD9AEFC2D}.exe

Filesize
408KB

MD5
b6625e262f6139391cf402f09889dc0f

SHA1
eb3d452d40377939f3925e8612a88e4309b04a27

SHA256
53f89a34fc92beeb83792d76c1622b4bb01f0f74d42d0c35fb5adad7f1e8b56b

SHA512
42b7d28f3329062df81cb7afc0b44345588e382d1c405ae9826bb681aaf68591189866ee03a6b818e0d6754a05dfbec53dcfa1e51ffa73315c8f5ec0bfe5a48c

Download Submit
C:\Windows\{2BC3D307-D47B-4af8-9889-0450E8183212}.exe

Filesize
408KB

MD5
fb047ce5b50a7498992eb613b84c2d0f

SHA1
a0c61b809105a26f749a021df95a86f79638c0f3

SHA256
4c87b7d9d9315429e672844230db10601eef41757960f1ab1ab54046be9d181e

SHA512
4dd11f5df8ccb45732ba32d0429ba58f797ed6dd8bcd837cada0f2fb7008ba90c571b8b07b66fb175696be4ffa6c207b28556e59b1f53f586af2582b07dfbda6

Download Submit
C:\Windows\{3BD8609A-D3BE-4e94-9C4E-92D219B680A2}.exe

Filesize
408KB

MD5
b74274be8a16081f74a812ff3b217852

SHA1
ec981ca1321ebaeda7c8feeb829a307a53eb5484

SHA256
6f1fbe11b0d56f9f1a20292a554cbadaf318b2bb36051dfed39c7941df39fe01

SHA512
93548a480d44b92741fc28f4a9c33c7697e3f6fa1b525d056f9c9c9946649a5fdfa4bffa7bdcac487cf07760e27182a855efb5c87c937d4e3d5b3dbc0ad381b3

Download Submit
C:\Windows\{447463C9-1489-47f7-8C1C-111A44A5CD53}.exe

Filesize
408KB

MD5
7e0efe12ba6bdac657a7b6d049e881e2

SHA1
edbb615344021b19d0d1853151df447f0522d16e

SHA256
b3100922d876d6fad9c0b6a967337b2f6c8f66483d1484be5c50359afd08b230

SHA512
e017250ef189d19253874442450b43572892eb305a6354dfc593e065ca3f202c8c0ae2786954c5f2e1375b32ba3694e02ca596b0bfaf3c28be9d0592202c39ae

Download Submit
C:\Windows\{5D3DA6D6-1D68-42b9-A7CF-501FAEBE9D50}.exe

Filesize
408KB

MD5
df92427b353bf277ecf3da6b5e3463d1

SHA1
22c6e6cb50fb13c062dcdab76cb5c816d6ec5155

SHA256
836e72f4da95f9958d81084b1d52f2c68b9b97d95195a2e17880f1045eab03d1

SHA512
1ac0c68f9d90c1677cc4840fbc79bffac873183139de17748bef9022f860b08a0a6a864d39f57a23cddade24afe030eac299b1490b303907158b3aeb7d689c43

Download Submit
C:\Windows\{9DFC4948-1566-4ad2-93A3-F28AC5ADDEE0}.exe

Filesize
408KB

MD5
76b11a03972974b56d4570dd92686703

SHA1
b9fea3c14545f98d05958113e69b88584d8380dc

SHA256
891c7abc64989eaf6c78a9e8bf9114d6fe4615b0c724efbcfeed4c8dd5287ea4

SHA512
b884635731a99e4ccabd74f0d7b3d9f5cb0266796fabdecc4a2e1296e9d1808c91c00a317f2b5b6fa3bc8126cdcce7a783386626a4e1faf86ab87df8771ec672

Download Submit
C:\Windows\{B592DC2D-E46C-4303-8E4C-9B542EDB1FFB}.exe

Filesize
408KB

MD5
e81bde6555cd3ad720118f88275364fb

SHA1
bebbb275e3f565b04b66e0b247b87b305b47bdcc

SHA256
cbe5e9131ff28d7842a0ad13e2f53044ef17451a9498d388d7a9639934510378

SHA512
063c68fb19b2049977a998c642deee4392f7bb7f456b7c49906e1038482fe6b605b8375b6d21977d17a1a840f6b57de2b5d212fc7751ce9926f5603fdff40a48

Download Submit
C:\Windows\{BE069770-24F3-4cf8-8447-DB0F5FAC220C}.exe

Filesize
408KB

MD5
567412aac982b2c5962b742d7669d17a

SHA1
10c984eda80c2394b3b6b61fe199c3ed0c838e5e

SHA256
17431f2187fe50c64a5c6fc525b67c994803211005a6b9c1028526fbe82981bd

SHA512
ebd4c5a505b7587a6076e83647a609b40dbe1bbceb66ffdde7ffa380ba9c01c803fb2ee4c11e6f92ab03e8fa11e01b5d4e4776cb541969ad2b6bdf5293d3cede

Download Submit
C:\Windows\{BEABA883-B715-48de-B6D6-76916161B81C}.exe

Filesize
408KB

MD5
e706d0f2af3e3f8ead2a7757a97ab27a

SHA1
c53255bb8b7537f43daf99644ba72e30f49ed551

SHA256
75d25643613217668f7bd8b98f6af97cd45ea88d6d3817e369684c4797f0fdda

SHA512
61387434665447e2c59f8db2ee5a8eae9ee898c2d09af8be8328fd1ef91b2d1c6aa181d4db4b3662e61aa31c6c24b0053e9a56c6026bc866407609003f309f29

Download Submit
C:\Windows\{E2D728A9-66FB-4b00-833E-FE7B461FC3D9}.exe

Filesize
408KB

MD5
5da37075641e8ce0c52e197eacb99be3

SHA1
f09a7d593faa921bcab0094d8cc7c4c9bfa49bf1

SHA256
a896c3ed77304a9cf717ddcc6e1243a9024833a640e2a5a9bad3674db92b3286

SHA512
0f4dc05785f19b34ce65fe3dc973f6093d151d15221ea7bfa0db5c3ae072b71961e682a25959c0b363b701fe80ef60335e6d53364f2022f8e5f07fd1dd8ef452

Download Submit
C:\Windows\{FC1D6CF8-1A64-48fb-A7AE-5187AB32B25C}.exe

Filesize
408KB

MD5
2570238f5ac1525ee82cc13e26537f8a

SHA1
65837b59a636253774d32454e4185b9735bbc755

SHA256
1aeebb34304f932a75b2a022798ac4bb39539ba528e2947b93180a49ea3f07bc

SHA512
0a5a770fb1848b13ac8e08a025fd5b51469bc2919b13aad21c0a09e5387014b5aad4c34f01b60510006bc2389bf953e3da4f3744c2e006769d5ade8a0cd9fbad

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads