ee6e1c1d79b1b823d786467ac8eaf644205add573d0a153435ead491cda49c4c

Analysis

max time kernel
144s
max time network
119s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
09/04/2024, 18:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-09_35441146baac583464095846cc559c5e_goldeneye.exe
Size

180KB
MD5

35441146baac583464095846cc559c5e
SHA1

e36ea8375bf745b52cf5a7b20a3a9e8703c4fcaa
SHA256

ee6e1c1d79b1b823d786467ac8eaf644205add573d0a153435ead491cda49c4c
SHA512

97463538126d0b76dfd6478d9b69d23fbe46227d2442e136fa1e420b3da9b206d12063d51d578059376f381147ba73a66564dd5e12c8599bdd6e1251ed4f0e3c
SSDEEP

3072:jEGh0oZlfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGzl5eKcAEc

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000b0000000126ab-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b000000015605-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c0000000126ab-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000015c78-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000005a59-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d0000000126ab-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000005a59-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e0000000126ab-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000005a59-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f0000000126ab-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000005a59-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{97C61E29-6FCE-4194-82CF-30AF8D00307A}	{79FF464B-4DA4-48a8-9816-9EA4F5A81C6C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1896189B-C753-47cb-AA5E-496823D1D9B3}	2024-04-09_35441146baac583464095846cc559c5e_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1896189B-C753-47cb-AA5E-496823D1D9B3}\stubpath = "C:\\Windows\\{1896189B-C753-47cb-AA5E-496823D1D9B3}.exe"	2024-04-09_35441146baac583464095846cc559c5e_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2D8E3A21-5758-42a4-BB4C-77E43F1D6654}	{1896189B-C753-47cb-AA5E-496823D1D9B3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1D0CA18C-58E6-40a8-A38A-4A1EA2236EAC}	{9AF9B12F-FA3C-4d20-B28B-426289BBCC8D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{79FF464B-4DA4-48a8-9816-9EA4F5A81C6C}	{3B1727A8-5B65-47b2-95B3-C3977DCF0DD0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4FB86141-ED60-4f8a-B9EC-C51C292B71D2}	{7D6F6792-187D-4114-8738-4DD6CC87BBA4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2D8E3A21-5758-42a4-BB4C-77E43F1D6654}\stubpath = "C:\\Windows\\{2D8E3A21-5758-42a4-BB4C-77E43F1D6654}.exe"	{1896189B-C753-47cb-AA5E-496823D1D9B3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D80C10D7-DFEF-4906-9C2F-8357504F9DC4}\stubpath = "C:\\Windows\\{D80C10D7-DFEF-4906-9C2F-8357504F9DC4}.exe"	{2D8E3A21-5758-42a4-BB4C-77E43F1D6654}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{13128914-FC39-4316-9C53-90B0D8EDA543}	{1D0CA18C-58E6-40a8-A38A-4A1EA2236EAC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3B1727A8-5B65-47b2-95B3-C3977DCF0DD0}	{13128914-FC39-4316-9C53-90B0D8EDA543}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7D6F6792-187D-4114-8738-4DD6CC87BBA4}\stubpath = "C:\\Windows\\{7D6F6792-187D-4114-8738-4DD6CC87BBA4}.exe"	{97C61E29-6FCE-4194-82CF-30AF8D00307A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9AF9B12F-FA3C-4d20-B28B-426289BBCC8D}	{D80C10D7-DFEF-4906-9C2F-8357504F9DC4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1D0CA18C-58E6-40a8-A38A-4A1EA2236EAC}\stubpath = "C:\\Windows\\{1D0CA18C-58E6-40a8-A38A-4A1EA2236EAC}.exe"	{9AF9B12F-FA3C-4d20-B28B-426289BBCC8D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3B1727A8-5B65-47b2-95B3-C3977DCF0DD0}\stubpath = "C:\\Windows\\{3B1727A8-5B65-47b2-95B3-C3977DCF0DD0}.exe"	{13128914-FC39-4316-9C53-90B0D8EDA543}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{97C61E29-6FCE-4194-82CF-30AF8D00307A}\stubpath = "C:\\Windows\\{97C61E29-6FCE-4194-82CF-30AF8D00307A}.exe"	{79FF464B-4DA4-48a8-9816-9EA4F5A81C6C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7D6F6792-187D-4114-8738-4DD6CC87BBA4}	{97C61E29-6FCE-4194-82CF-30AF8D00307A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4FB86141-ED60-4f8a-B9EC-C51C292B71D2}\stubpath = "C:\\Windows\\{4FB86141-ED60-4f8a-B9EC-C51C292B71D2}.exe"	{7D6F6792-187D-4114-8738-4DD6CC87BBA4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D80C10D7-DFEF-4906-9C2F-8357504F9DC4}	{2D8E3A21-5758-42a4-BB4C-77E43F1D6654}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9AF9B12F-FA3C-4d20-B28B-426289BBCC8D}\stubpath = "C:\\Windows\\{9AF9B12F-FA3C-4d20-B28B-426289BBCC8D}.exe"	{D80C10D7-DFEF-4906-9C2F-8357504F9DC4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{13128914-FC39-4316-9C53-90B0D8EDA543}\stubpath = "C:\\Windows\\{13128914-FC39-4316-9C53-90B0D8EDA543}.exe"	{1D0CA18C-58E6-40a8-A38A-4A1EA2236EAC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{79FF464B-4DA4-48a8-9816-9EA4F5A81C6C}\stubpath = "C:\\Windows\\{79FF464B-4DA4-48a8-9816-9EA4F5A81C6C}.exe"	{3B1727A8-5B65-47b2-95B3-C3977DCF0DD0}.exe

Deletes itself 1 IoCs

pid	Process
3056	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2780	{1896189B-C753-47cb-AA5E-496823D1D9B3}.exe
2656	{2D8E3A21-5758-42a4-BB4C-77E43F1D6654}.exe
2624	{D80C10D7-DFEF-4906-9C2F-8357504F9DC4}.exe
2752	{9AF9B12F-FA3C-4d20-B28B-426289BBCC8D}.exe
1908	{1D0CA18C-58E6-40a8-A38A-4A1EA2236EAC}.exe
1924	{13128914-FC39-4316-9C53-90B0D8EDA543}.exe
2524	{3B1727A8-5B65-47b2-95B3-C3977DCF0DD0}.exe
1852	{79FF464B-4DA4-48a8-9816-9EA4F5A81C6C}.exe
2968	{97C61E29-6FCE-4194-82CF-30AF8D00307A}.exe
648	{7D6F6792-187D-4114-8738-4DD6CC87BBA4}.exe
1668	{4FB86141-ED60-4f8a-B9EC-C51C292B71D2}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{7D6F6792-187D-4114-8738-4DD6CC87BBA4}.exe	{97C61E29-6FCE-4194-82CF-30AF8D00307A}.exe
File created	C:\Windows\{1896189B-C753-47cb-AA5E-496823D1D9B3}.exe	2024-04-09_35441146baac583464095846cc559c5e_goldeneye.exe
File created	C:\Windows\{2D8E3A21-5758-42a4-BB4C-77E43F1D6654}.exe	{1896189B-C753-47cb-AA5E-496823D1D9B3}.exe
File created	C:\Windows\{1D0CA18C-58E6-40a8-A38A-4A1EA2236EAC}.exe	{9AF9B12F-FA3C-4d20-B28B-426289BBCC8D}.exe
File created	C:\Windows\{3B1727A8-5B65-47b2-95B3-C3977DCF0DD0}.exe	{13128914-FC39-4316-9C53-90B0D8EDA543}.exe
File created	C:\Windows\{79FF464B-4DA4-48a8-9816-9EA4F5A81C6C}.exe	{3B1727A8-5B65-47b2-95B3-C3977DCF0DD0}.exe
File created	C:\Windows\{97C61E29-6FCE-4194-82CF-30AF8D00307A}.exe	{79FF464B-4DA4-48a8-9816-9EA4F5A81C6C}.exe
File created	C:\Windows\{4FB86141-ED60-4f8a-B9EC-C51C292B71D2}.exe	{7D6F6792-187D-4114-8738-4DD6CC87BBA4}.exe
File created	C:\Windows\{D80C10D7-DFEF-4906-9C2F-8357504F9DC4}.exe	{2D8E3A21-5758-42a4-BB4C-77E43F1D6654}.exe
File created	C:\Windows\{9AF9B12F-FA3C-4d20-B28B-426289BBCC8D}.exe	{D80C10D7-DFEF-4906-9C2F-8357504F9DC4}.exe
File created	C:\Windows\{13128914-FC39-4316-9C53-90B0D8EDA543}.exe	{1D0CA18C-58E6-40a8-A38A-4A1EA2236EAC}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2216	2024-04-09_35441146baac583464095846cc559c5e_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2780	{1896189B-C753-47cb-AA5E-496823D1D9B3}.exe
Token: SeIncBasePriorityPrivilege	2656	{2D8E3A21-5758-42a4-BB4C-77E43F1D6654}.exe
Token: SeIncBasePriorityPrivilege	2624	{D80C10D7-DFEF-4906-9C2F-8357504F9DC4}.exe
Token: SeIncBasePriorityPrivilege	2752	{9AF9B12F-FA3C-4d20-B28B-426289BBCC8D}.exe
Token: SeIncBasePriorityPrivilege	1908	{1D0CA18C-58E6-40a8-A38A-4A1EA2236EAC}.exe
Token: SeIncBasePriorityPrivilege	1924	{13128914-FC39-4316-9C53-90B0D8EDA543}.exe
Token: SeIncBasePriorityPrivilege	2524	{3B1727A8-5B65-47b2-95B3-C3977DCF0DD0}.exe
Token: SeIncBasePriorityPrivilege	1852	{79FF464B-4DA4-48a8-9816-9EA4F5A81C6C}.exe
Token: SeIncBasePriorityPrivilege	2968	{97C61E29-6FCE-4194-82CF-30AF8D00307A}.exe
Token: SeIncBasePriorityPrivilege	648	{7D6F6792-187D-4114-8738-4DD6CC87BBA4}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2216 wrote to memory of 2780	2216	2024-04-09_35441146baac583464095846cc559c5e_goldeneye.exe	28
PID 2216 wrote to memory of 2780	2216	2024-04-09_35441146baac583464095846cc559c5e_goldeneye.exe	28
PID 2216 wrote to memory of 2780	2216	2024-04-09_35441146baac583464095846cc559c5e_goldeneye.exe	28
PID 2216 wrote to memory of 2780	2216	2024-04-09_35441146baac583464095846cc559c5e_goldeneye.exe	28
PID 2216 wrote to memory of 3056	2216	2024-04-09_35441146baac583464095846cc559c5e_goldeneye.exe	29
PID 2216 wrote to memory of 3056	2216	2024-04-09_35441146baac583464095846cc559c5e_goldeneye.exe	29
PID 2216 wrote to memory of 3056	2216	2024-04-09_35441146baac583464095846cc559c5e_goldeneye.exe	29
PID 2216 wrote to memory of 3056	2216	2024-04-09_35441146baac583464095846cc559c5e_goldeneye.exe	29
PID 2780 wrote to memory of 2656	2780	{1896189B-C753-47cb-AA5E-496823D1D9B3}.exe	30
PID 2780 wrote to memory of 2656	2780	{1896189B-C753-47cb-AA5E-496823D1D9B3}.exe	30
PID 2780 wrote to memory of 2656	2780	{1896189B-C753-47cb-AA5E-496823D1D9B3}.exe	30
PID 2780 wrote to memory of 2656	2780	{1896189B-C753-47cb-AA5E-496823D1D9B3}.exe	30
PID 2780 wrote to memory of 2724	2780	{1896189B-C753-47cb-AA5E-496823D1D9B3}.exe	31
PID 2780 wrote to memory of 2724	2780	{1896189B-C753-47cb-AA5E-496823D1D9B3}.exe	31
PID 2780 wrote to memory of 2724	2780	{1896189B-C753-47cb-AA5E-496823D1D9B3}.exe	31
PID 2780 wrote to memory of 2724	2780	{1896189B-C753-47cb-AA5E-496823D1D9B3}.exe	31
PID 2656 wrote to memory of 2624	2656	{2D8E3A21-5758-42a4-BB4C-77E43F1D6654}.exe	32
PID 2656 wrote to memory of 2624	2656	{2D8E3A21-5758-42a4-BB4C-77E43F1D6654}.exe	32
PID 2656 wrote to memory of 2624	2656	{2D8E3A21-5758-42a4-BB4C-77E43F1D6654}.exe	32
PID 2656 wrote to memory of 2624	2656	{2D8E3A21-5758-42a4-BB4C-77E43F1D6654}.exe	32
PID 2656 wrote to memory of 2800	2656	{2D8E3A21-5758-42a4-BB4C-77E43F1D6654}.exe	33
PID 2656 wrote to memory of 2800	2656	{2D8E3A21-5758-42a4-BB4C-77E43F1D6654}.exe	33
PID 2656 wrote to memory of 2800	2656	{2D8E3A21-5758-42a4-BB4C-77E43F1D6654}.exe	33
PID 2656 wrote to memory of 2800	2656	{2D8E3A21-5758-42a4-BB4C-77E43F1D6654}.exe	33
PID 2624 wrote to memory of 2752	2624	{D80C10D7-DFEF-4906-9C2F-8357504F9DC4}.exe	36
PID 2624 wrote to memory of 2752	2624	{D80C10D7-DFEF-4906-9C2F-8357504F9DC4}.exe	36
PID 2624 wrote to memory of 2752	2624	{D80C10D7-DFEF-4906-9C2F-8357504F9DC4}.exe	36
PID 2624 wrote to memory of 2752	2624	{D80C10D7-DFEF-4906-9C2F-8357504F9DC4}.exe	36
PID 2624 wrote to memory of 3020	2624	{D80C10D7-DFEF-4906-9C2F-8357504F9DC4}.exe	37
PID 2624 wrote to memory of 3020	2624	{D80C10D7-DFEF-4906-9C2F-8357504F9DC4}.exe	37
PID 2624 wrote to memory of 3020	2624	{D80C10D7-DFEF-4906-9C2F-8357504F9DC4}.exe	37
PID 2624 wrote to memory of 3020	2624	{D80C10D7-DFEF-4906-9C2F-8357504F9DC4}.exe	37
PID 2752 wrote to memory of 1908	2752	{9AF9B12F-FA3C-4d20-B28B-426289BBCC8D}.exe	38
PID 2752 wrote to memory of 1908	2752	{9AF9B12F-FA3C-4d20-B28B-426289BBCC8D}.exe	38
PID 2752 wrote to memory of 1908	2752	{9AF9B12F-FA3C-4d20-B28B-426289BBCC8D}.exe	38
PID 2752 wrote to memory of 1908	2752	{9AF9B12F-FA3C-4d20-B28B-426289BBCC8D}.exe	38
PID 2752 wrote to memory of 2964	2752	{9AF9B12F-FA3C-4d20-B28B-426289BBCC8D}.exe	39
PID 2752 wrote to memory of 2964	2752	{9AF9B12F-FA3C-4d20-B28B-426289BBCC8D}.exe	39
PID 2752 wrote to memory of 2964	2752	{9AF9B12F-FA3C-4d20-B28B-426289BBCC8D}.exe	39
PID 2752 wrote to memory of 2964	2752	{9AF9B12F-FA3C-4d20-B28B-426289BBCC8D}.exe	39
PID 1908 wrote to memory of 1924	1908	{1D0CA18C-58E6-40a8-A38A-4A1EA2236EAC}.exe	40
PID 1908 wrote to memory of 1924	1908	{1D0CA18C-58E6-40a8-A38A-4A1EA2236EAC}.exe	40
PID 1908 wrote to memory of 1924	1908	{1D0CA18C-58E6-40a8-A38A-4A1EA2236EAC}.exe	40
PID 1908 wrote to memory of 1924	1908	{1D0CA18C-58E6-40a8-A38A-4A1EA2236EAC}.exe	40
PID 1908 wrote to memory of 1884	1908	{1D0CA18C-58E6-40a8-A38A-4A1EA2236EAC}.exe	41
PID 1908 wrote to memory of 1884	1908	{1D0CA18C-58E6-40a8-A38A-4A1EA2236EAC}.exe	41
PID 1908 wrote to memory of 1884	1908	{1D0CA18C-58E6-40a8-A38A-4A1EA2236EAC}.exe	41
PID 1908 wrote to memory of 1884	1908	{1D0CA18C-58E6-40a8-A38A-4A1EA2236EAC}.exe	41
PID 1924 wrote to memory of 2524	1924	{13128914-FC39-4316-9C53-90B0D8EDA543}.exe	42
PID 1924 wrote to memory of 2524	1924	{13128914-FC39-4316-9C53-90B0D8EDA543}.exe	42
PID 1924 wrote to memory of 2524	1924	{13128914-FC39-4316-9C53-90B0D8EDA543}.exe	42
PID 1924 wrote to memory of 2524	1924	{13128914-FC39-4316-9C53-90B0D8EDA543}.exe	42
PID 1924 wrote to memory of 2936	1924	{13128914-FC39-4316-9C53-90B0D8EDA543}.exe	43
PID 1924 wrote to memory of 2936	1924	{13128914-FC39-4316-9C53-90B0D8EDA543}.exe	43
PID 1924 wrote to memory of 2936	1924	{13128914-FC39-4316-9C53-90B0D8EDA543}.exe	43
PID 1924 wrote to memory of 2936	1924	{13128914-FC39-4316-9C53-90B0D8EDA543}.exe	43
PID 2524 wrote to memory of 1852	2524	{3B1727A8-5B65-47b2-95B3-C3977DCF0DD0}.exe	44
PID 2524 wrote to memory of 1852	2524	{3B1727A8-5B65-47b2-95B3-C3977DCF0DD0}.exe	44
PID 2524 wrote to memory of 1852	2524	{3B1727A8-5B65-47b2-95B3-C3977DCF0DD0}.exe	44
PID 2524 wrote to memory of 1852	2524	{3B1727A8-5B65-47b2-95B3-C3977DCF0DD0}.exe	44
PID 2524 wrote to memory of 1128	2524	{3B1727A8-5B65-47b2-95B3-C3977DCF0DD0}.exe	45
PID 2524 wrote to memory of 1128	2524	{3B1727A8-5B65-47b2-95B3-C3977DCF0DD0}.exe	45
PID 2524 wrote to memory of 1128	2524	{3B1727A8-5B65-47b2-95B3-C3977DCF0DD0}.exe	45
PID 2524 wrote to memory of 1128	2524	{3B1727A8-5B65-47b2-95B3-C3977DCF0DD0}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-04-09_35441146baac583464095846cc559c5e_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-09_35441146baac583464095846cc559c5e_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2216
- C:\Windows\{1896189B-C753-47cb-AA5E-496823D1D9B3}.exe
  C:\Windows\{1896189B-C753-47cb-AA5E-496823D1D9B3}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2780
- - C:\Windows\{2D8E3A21-5758-42a4-BB4C-77E43F1D6654}.exe
    C:\Windows\{2D8E3A21-5758-42a4-BB4C-77E43F1D6654}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2656
  - - C:\Windows\{D80C10D7-DFEF-4906-9C2F-8357504F9DC4}.exe
      C:\Windows\{D80C10D7-DFEF-4906-9C2F-8357504F9DC4}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2624
    - - C:\Windows\{9AF9B12F-FA3C-4d20-B28B-426289BBCC8D}.exe
        
        C:\Windows\{9AF9B12F-FA3C-4d20-B28B-426289BBCC8D}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2752
      - C:\Windows\{1D0CA18C-58E6-40a8-A38A-4A1EA2236EAC}.exe
        
        C:\Windows\{1D0CA18C-58E6-40a8-A38A-4A1EA2236EAC}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1908
        
        C:\Windows\{13128914-FC39-4316-9C53-90B0D8EDA543}.exe
        
        C:\Windows\{13128914-FC39-4316-9C53-90B0D8EDA543}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1924
        
        C:\Windows\{3B1727A8-5B65-47b2-95B3-C3977DCF0DD0}.exe
        
        C:\Windows\{3B1727A8-5B65-47b2-95B3-C3977DCF0DD0}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2524
        
        C:\Windows\{79FF464B-4DA4-48a8-9816-9EA4F5A81C6C}.exe
        
        C:\Windows\{79FF464B-4DA4-48a8-9816-9EA4F5A81C6C}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1852
        
        C:\Windows\{97C61E29-6FCE-4194-82CF-30AF8D00307A}.exe
        
        C:\Windows\{97C61E29-6FCE-4194-82CF-30AF8D00307A}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2968
        
        C:\Windows\{7D6F6792-187D-4114-8738-4DD6CC87BBA4}.exe
        
        C:\Windows\{7D6F6792-187D-4114-8738-4DD6CC87BBA4}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:648
        
        C:\Windows\{4FB86141-ED60-4f8a-B9EC-C51C292B71D2}.exe
        
        C:\Windows\{4FB86141-ED60-4f8a-B9EC-C51C292B71D2}.exe
        12⤵
        Executes dropped EXE
        
        PID:1668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7D6F6~1.EXE > nul
        12⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{97C61~1.EXE > nul
        11⤵
        
        PID:592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{79FF4~1.EXE > nul
        10⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3B172~1.EXE > nul
        9⤵
        
        PID:1128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{13128~1.EXE > nul
        8⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1D0CA~1.EXE > nul
        7⤵
        
        PID:1884
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9AF9B~1.EXE > nul
        6⤵
        
        PID:2964
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D80C1~1.EXE > nul
        5⤵
        
        PID:3020
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{2D8E3~1.EXE > nul
      4⤵
      PID:2800
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{18961~1.EXE > nul
    3⤵
    PID:2724
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:3056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{13128914-FC39-4316-9C53-90B0D8EDA543}.exe

Filesize
180KB

MD5
225a2caddea65948efa9a766f6a9e7b3

SHA1
a55f8733e7cc2b9e85f7fcc755fbe2a5e625bb78

SHA256
28e55c16f6fd4fa1f0e324b2d3e73865d60fdb70f2aabd4c6d1311265398c986

SHA512
1f8dd38b8a2676b0378547b5d2e40f8f2e4d49d27383af113177e65ea3f33144e40f96732dae901c5c42340fe9032b9db38b1a86bc7773fe0c4ba019c67edbdd

Download Submit
C:\Windows\{1896189B-C753-47cb-AA5E-496823D1D9B3}.exe

Filesize
180KB

MD5
c39f1a7dbb8f8343965d1850340a7fdf

SHA1
7fe0fb655d3cf2b7dd66722a38811ed31ae6b84c

SHA256
dead51a9657aa1c9dafc5149b3046823604527fdf3c1b55724c50751f312fb16

SHA512
3498243bc047c88233a3dd3809567771849f4a168ccdf2c5af72b7cdd76e7b48296266f1f7fc78bf01ebd132e843ba7eb8324ed0375256c2d037c89e6fd3c06d

Download Submit
C:\Windows\{1D0CA18C-58E6-40a8-A38A-4A1EA2236EAC}.exe

Filesize
180KB

MD5
2f911a5d18962bfae62b7fe2558c9135

SHA1
51f36d6a501127435f748b06932f93231bf95b50

SHA256
2087749646a49e0e71cffcd155f5ccd2ba9b7ef4fc592df716b118240cfcd32f

SHA512
0de8413852be0ca6051d4c32ff09b325ba8a0f11fbdc556d8231d04762bd05882d57138c2151b0fae455e5ac1452c27441f3a988a21071b77bbb2fe598a8e1d2

Download Submit
C:\Windows\{2D8E3A21-5758-42a4-BB4C-77E43F1D6654}.exe

Filesize
180KB

MD5
74c6d3da47b424a38c6fa877ec112a78

SHA1
4721d784b13fe70ac498141abc3e27c08f2ce786

SHA256
30c3aab1e61a5a0a03047c60b02f3d5da2021cb62de19b50c8f792a1dc6876ed

SHA512
56aa92e130ee05eb1009193ec78b1c53232ceb2dab12c5d8833d292d0c4397a69bf8725f2199fb0449c840776f23237aaa681f00bbc408fd90e9aee9d67937ec

Download Submit
C:\Windows\{3B1727A8-5B65-47b2-95B3-C3977DCF0DD0}.exe

Filesize
180KB

MD5
aa15979f9e470bd1dcd196e6b5e21d0a

SHA1
268663c64802116ac33f8c2a0a163c98035e5f79

SHA256
8222f7ad9ce77bb66c7b2a45343d97d443808ccea9bc49d6ffae2fd20cd263ac

SHA512
1c75a3f43a931e49003bb21666481b9619dcd19937a713c96d6b6c3f8137f9057f3700b333cfcad8b511143f8fce6fee8c6901386e77e3a0c34d73f556af1bc5

Download Submit
C:\Windows\{4FB86141-ED60-4f8a-B9EC-C51C292B71D2}.exe

Filesize
180KB

MD5
6397b3cbacc87531ca82ad652ed3c4e7

SHA1
332ddc6f95ecb8ad2870258e9ce1f996a9fd1916

SHA256
f7fb4e3a2a67d952c8902b0e67422fa1491f95de9b34382828e5e2776676d444

SHA512
d165d1568052297eb85e0d44f2541f6500134660dd4fb54959c11a9b15abffad7d6060a2b68587ad4fe94a3ba805486a39fcfa54739c1d30f7e0a314150fac02

Download Submit
C:\Windows\{79FF464B-4DA4-48a8-9816-9EA4F5A81C6C}.exe

Filesize
180KB

MD5
0605f9b5094a862e749078650c0f18db

SHA1
0de0503dcd049b74963418cacd8a2405f587af24

SHA256
a37e7863f717be324d29efb0400e5c721025b532e1442907ae6ee766114f84e7

SHA512
4eb68ae5cc85e6766a1665f4902cc58bc6cb488d26e489316205ded3f57c2ab0ad481db225394af7e5d7eea9a03432bce60d0e23d4b78df0ec491322c3be7cbc

Download Submit
C:\Windows\{7D6F6792-187D-4114-8738-4DD6CC87BBA4}.exe

Filesize
180KB

MD5
3751bd3df546b2fe7ad4197c0e3b4780

SHA1
721cbb489b6d95434d3328be26d724efba54ee45

SHA256
222694bd8fbdb08b672a2f45d1f528fc76c092aebb0c51dfb12a27fd09de182f

SHA512
f880aaad880030d35004b4e94c858314dbc1a2826f50b634ab8d67ed8548a3cfa2f1794b41affc672b7023aca42f062b1918af92886118ee47d26359c3799236

Download Submit
C:\Windows\{97C61E29-6FCE-4194-82CF-30AF8D00307A}.exe

Filesize
180KB

MD5
1b3a3bc3a4027142243431f8b21ed08a

SHA1
fe14b08a89d175c8b940174d27bb24c72cdc571b

SHA256
50c32e309fbe03058ffa740c0b5b1f713fb89aa31107cc24733caee11db3b3c2

SHA512
4e419df1d7fb9445613b03f04ea1b46bdf579861070de54444e958792d346c44544f818a9d6ec3ec09cde13ffcceef06f784384283c228c297698853c11e6e3b

Download Submit
C:\Windows\{9AF9B12F-FA3C-4d20-B28B-426289BBCC8D}.exe

Filesize
180KB

MD5
58f14d3a1b16af6aef592d66bf73359c

SHA1
b808bd22346a51229c72dc9484e180c2956370cb

SHA256
45017f1b2c32bdb4a3f3605cc5aa74453647b402b10a1b16d94268c70ea3f490

SHA512
5a08b86a12f885d7c84955edecf457bc99a94c4de0bace59c3f429bab0b30bf462bc5bfa6d3ff5277c4d8bf75f713ecb4c9098c9acdbf7c03757aab79286cfc8

Download Submit
C:\Windows\{D80C10D7-DFEF-4906-9C2F-8357504F9DC4}.exe

Filesize
180KB

MD5
ff9fe19b081fd22ae4ffb818efe1d5be

SHA1
500d01d69791d783dde0a4dc0e0662b4b4b24919

SHA256
5fff7448294f8d11c258279076df4d3e0826ac5d3aa2afc5c2c41b2640edb5cd

SHA512
119fab95b8a59c17f115660c91ed2cf54bbcc842af314504c76e1e05338bcb0dde26bbfbbd0654386a9ddd463466711e1be4a0d90c44ed3664a7b3aa4e1aecda

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads