ecb1a0f7b625253d9a0f6f6515650b3766585a377d2eb557366aefb9043d70fd

Analysis

max time kernel
144s
max time network
121s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
15-04-2024 20:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-15_7b0faeb819c6603a689e99255dfc5f59_goldeneye.exe
Size

216KB
MD5

7b0faeb819c6603a689e99255dfc5f59
SHA1

a7df8e6747cebd19e14c4ae115653b1738f96932
SHA256

ecb1a0f7b625253d9a0f6f6515650b3766585a377d2eb557366aefb9043d70fd
SHA512

3dc3456913154c0d8da337292cd9072d91b053f81eb4985866b77164622690bee73974168a9a4b9d20ee01f74c40407f4d070c3bad08d0336b0f85abac4f5aec
SSDEEP

3072:jEGh0orl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEGJlEeKcAEcGy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000900000001447e-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000014539-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a00000001447e-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00090000000149f5-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000005a59-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b00000001447e-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000005a59-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c00000001447e-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000005a59-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d00000001447e-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000005a59-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{532435DD-6A45-47be-A9C5-25B7F42EC2E6}\stubpath = "C:\\Windows\\{532435DD-6A45-47be-A9C5-25B7F42EC2E6}.exe"	{112F2E06-0652-43b3-B1A2-4D92720078FD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8699D196-3FE1-4c7b-B01F-71EDDC6E86FD}	{532435DD-6A45-47be-A9C5-25B7F42EC2E6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8699D196-3FE1-4c7b-B01F-71EDDC6E86FD}\stubpath = "C:\\Windows\\{8699D196-3FE1-4c7b-B01F-71EDDC6E86FD}.exe"	{532435DD-6A45-47be-A9C5-25B7F42EC2E6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B455F98A-E06A-4ffb-8F7B-6176EFAACFB4}	{7020B336-9D60-49cc-AEB5-8F1840AAA795}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{532435DD-6A45-47be-A9C5-25B7F42EC2E6}	{112F2E06-0652-43b3-B1A2-4D92720078FD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{112F2E06-0652-43b3-B1A2-4D92720078FD}\stubpath = "C:\\Windows\\{112F2E06-0652-43b3-B1A2-4D92720078FD}.exe"	2024-04-15_7b0faeb819c6603a689e99255dfc5f59_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{918E41F0-727A-4846-9BDC-C00F356625AC}\stubpath = "C:\\Windows\\{918E41F0-727A-4846-9BDC-C00F356625AC}.exe"	{D23EC38A-B749-4199-8D28-47126BC7FD5C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E4BB2321-06C0-47c8-BB1F-D7F2AD5D34CF}	{918E41F0-727A-4846-9BDC-C00F356625AC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E752BDA6-DB22-4dbf-A1DB-5F9ED26F910F}	{E4BB2321-06C0-47c8-BB1F-D7F2AD5D34CF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D2BA4ADF-D6D9-4591-A60E-B9632D6C8EFC}\stubpath = "C:\\Windows\\{D2BA4ADF-D6D9-4591-A60E-B9632D6C8EFC}.exe"	{B455F98A-E06A-4ffb-8F7B-6176EFAACFB4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{112F2E06-0652-43b3-B1A2-4D92720078FD}	2024-04-15_7b0faeb819c6603a689e99255dfc5f59_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7020B336-9D60-49cc-AEB5-8F1840AAA795}	{E752BDA6-DB22-4dbf-A1DB-5F9ED26F910F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7020B336-9D60-49cc-AEB5-8F1840AAA795}\stubpath = "C:\\Windows\\{7020B336-9D60-49cc-AEB5-8F1840AAA795}.exe"	{E752BDA6-DB22-4dbf-A1DB-5F9ED26F910F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{918E41F0-727A-4846-9BDC-C00F356625AC}	{D23EC38A-B749-4199-8D28-47126BC7FD5C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{39CA335E-4065-4812-917F-77ABE2AA1440}\stubpath = "C:\\Windows\\{39CA335E-4065-4812-917F-77ABE2AA1440}.exe"	{8699D196-3FE1-4c7b-B01F-71EDDC6E86FD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D23EC38A-B749-4199-8D28-47126BC7FD5C}	{39CA335E-4065-4812-917F-77ABE2AA1440}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D23EC38A-B749-4199-8D28-47126BC7FD5C}\stubpath = "C:\\Windows\\{D23EC38A-B749-4199-8D28-47126BC7FD5C}.exe"	{39CA335E-4065-4812-917F-77ABE2AA1440}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E4BB2321-06C0-47c8-BB1F-D7F2AD5D34CF}\stubpath = "C:\\Windows\\{E4BB2321-06C0-47c8-BB1F-D7F2AD5D34CF}.exe"	{918E41F0-727A-4846-9BDC-C00F356625AC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E752BDA6-DB22-4dbf-A1DB-5F9ED26F910F}\stubpath = "C:\\Windows\\{E752BDA6-DB22-4dbf-A1DB-5F9ED26F910F}.exe"	{E4BB2321-06C0-47c8-BB1F-D7F2AD5D34CF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B455F98A-E06A-4ffb-8F7B-6176EFAACFB4}\stubpath = "C:\\Windows\\{B455F98A-E06A-4ffb-8F7B-6176EFAACFB4}.exe"	{7020B336-9D60-49cc-AEB5-8F1840AAA795}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D2BA4ADF-D6D9-4591-A60E-B9632D6C8EFC}	{B455F98A-E06A-4ffb-8F7B-6176EFAACFB4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{39CA335E-4065-4812-917F-77ABE2AA1440}	{8699D196-3FE1-4c7b-B01F-71EDDC6E86FD}.exe

Deletes itself 1 IoCs

pid	Process
2548	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2284	{112F2E06-0652-43b3-B1A2-4D92720078FD}.exe
2672	{532435DD-6A45-47be-A9C5-25B7F42EC2E6}.exe
2160	{8699D196-3FE1-4c7b-B01F-71EDDC6E86FD}.exe
2944	{39CA335E-4065-4812-917F-77ABE2AA1440}.exe
2644	{D23EC38A-B749-4199-8D28-47126BC7FD5C}.exe
2892	{918E41F0-727A-4846-9BDC-C00F356625AC}.exe
2928	{E4BB2321-06C0-47c8-BB1F-D7F2AD5D34CF}.exe
1720	{E752BDA6-DB22-4dbf-A1DB-5F9ED26F910F}.exe
1900	{7020B336-9D60-49cc-AEB5-8F1840AAA795}.exe
692	{B455F98A-E06A-4ffb-8F7B-6176EFAACFB4}.exe
2988	{D2BA4ADF-D6D9-4591-A60E-B9632D6C8EFC}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{532435DD-6A45-47be-A9C5-25B7F42EC2E6}.exe	{112F2E06-0652-43b3-B1A2-4D92720078FD}.exe
File created	C:\Windows\{39CA335E-4065-4812-917F-77ABE2AA1440}.exe	{8699D196-3FE1-4c7b-B01F-71EDDC6E86FD}.exe
File created	C:\Windows\{918E41F0-727A-4846-9BDC-C00F356625AC}.exe	{D23EC38A-B749-4199-8D28-47126BC7FD5C}.exe
File created	C:\Windows\{E752BDA6-DB22-4dbf-A1DB-5F9ED26F910F}.exe	{E4BB2321-06C0-47c8-BB1F-D7F2AD5D34CF}.exe
File created	C:\Windows\{7020B336-9D60-49cc-AEB5-8F1840AAA795}.exe	{E752BDA6-DB22-4dbf-A1DB-5F9ED26F910F}.exe
File created	C:\Windows\{D2BA4ADF-D6D9-4591-A60E-B9632D6C8EFC}.exe	{B455F98A-E06A-4ffb-8F7B-6176EFAACFB4}.exe
File created	C:\Windows\{112F2E06-0652-43b3-B1A2-4D92720078FD}.exe	2024-04-15_7b0faeb819c6603a689e99255dfc5f59_goldeneye.exe
File created	C:\Windows\{8699D196-3FE1-4c7b-B01F-71EDDC6E86FD}.exe	{532435DD-6A45-47be-A9C5-25B7F42EC2E6}.exe
File created	C:\Windows\{D23EC38A-B749-4199-8D28-47126BC7FD5C}.exe	{39CA335E-4065-4812-917F-77ABE2AA1440}.exe
File created	C:\Windows\{E4BB2321-06C0-47c8-BB1F-D7F2AD5D34CF}.exe	{918E41F0-727A-4846-9BDC-C00F356625AC}.exe
File created	C:\Windows\{B455F98A-E06A-4ffb-8F7B-6176EFAACFB4}.exe	{7020B336-9D60-49cc-AEB5-8F1840AAA795}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	780	2024-04-15_7b0faeb819c6603a689e99255dfc5f59_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2284	{112F2E06-0652-43b3-B1A2-4D92720078FD}.exe
Token: SeIncBasePriorityPrivilege	2672	{532435DD-6A45-47be-A9C5-25B7F42EC2E6}.exe
Token: SeIncBasePriorityPrivilege	2160	{8699D196-3FE1-4c7b-B01F-71EDDC6E86FD}.exe
Token: SeIncBasePriorityPrivilege	2944	{39CA335E-4065-4812-917F-77ABE2AA1440}.exe
Token: SeIncBasePriorityPrivilege	2644	{D23EC38A-B749-4199-8D28-47126BC7FD5C}.exe
Token: SeIncBasePriorityPrivilege	2892	{918E41F0-727A-4846-9BDC-C00F356625AC}.exe
Token: SeIncBasePriorityPrivilege	2928	{E4BB2321-06C0-47c8-BB1F-D7F2AD5D34CF}.exe
Token: SeIncBasePriorityPrivilege	1720	{E752BDA6-DB22-4dbf-A1DB-5F9ED26F910F}.exe
Token: SeIncBasePriorityPrivilege	1900	{7020B336-9D60-49cc-AEB5-8F1840AAA795}.exe
Token: SeIncBasePriorityPrivilege	692	{B455F98A-E06A-4ffb-8F7B-6176EFAACFB4}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 780 wrote to memory of 2284	780	2024-04-15_7b0faeb819c6603a689e99255dfc5f59_goldeneye.exe	28
PID 780 wrote to memory of 2284	780	2024-04-15_7b0faeb819c6603a689e99255dfc5f59_goldeneye.exe	28
PID 780 wrote to memory of 2284	780	2024-04-15_7b0faeb819c6603a689e99255dfc5f59_goldeneye.exe	28
PID 780 wrote to memory of 2284	780	2024-04-15_7b0faeb819c6603a689e99255dfc5f59_goldeneye.exe	28
PID 780 wrote to memory of 2548	780	2024-04-15_7b0faeb819c6603a689e99255dfc5f59_goldeneye.exe	29
PID 780 wrote to memory of 2548	780	2024-04-15_7b0faeb819c6603a689e99255dfc5f59_goldeneye.exe	29
PID 780 wrote to memory of 2548	780	2024-04-15_7b0faeb819c6603a689e99255dfc5f59_goldeneye.exe	29
PID 780 wrote to memory of 2548	780	2024-04-15_7b0faeb819c6603a689e99255dfc5f59_goldeneye.exe	29
PID 2284 wrote to memory of 2672	2284	{112F2E06-0652-43b3-B1A2-4D92720078FD}.exe	30
PID 2284 wrote to memory of 2672	2284	{112F2E06-0652-43b3-B1A2-4D92720078FD}.exe	30
PID 2284 wrote to memory of 2672	2284	{112F2E06-0652-43b3-B1A2-4D92720078FD}.exe	30
PID 2284 wrote to memory of 2672	2284	{112F2E06-0652-43b3-B1A2-4D92720078FD}.exe	30
PID 2284 wrote to memory of 2756	2284	{112F2E06-0652-43b3-B1A2-4D92720078FD}.exe	31
PID 2284 wrote to memory of 2756	2284	{112F2E06-0652-43b3-B1A2-4D92720078FD}.exe	31
PID 2284 wrote to memory of 2756	2284	{112F2E06-0652-43b3-B1A2-4D92720078FD}.exe	31
PID 2284 wrote to memory of 2756	2284	{112F2E06-0652-43b3-B1A2-4D92720078FD}.exe	31
PID 2672 wrote to memory of 2160	2672	{532435DD-6A45-47be-A9C5-25B7F42EC2E6}.exe	32
PID 2672 wrote to memory of 2160	2672	{532435DD-6A45-47be-A9C5-25B7F42EC2E6}.exe	32
PID 2672 wrote to memory of 2160	2672	{532435DD-6A45-47be-A9C5-25B7F42EC2E6}.exe	32
PID 2672 wrote to memory of 2160	2672	{532435DD-6A45-47be-A9C5-25B7F42EC2E6}.exe	32
PID 2672 wrote to memory of 2504	2672	{532435DD-6A45-47be-A9C5-25B7F42EC2E6}.exe	33
PID 2672 wrote to memory of 2504	2672	{532435DD-6A45-47be-A9C5-25B7F42EC2E6}.exe	33
PID 2672 wrote to memory of 2504	2672	{532435DD-6A45-47be-A9C5-25B7F42EC2E6}.exe	33
PID 2672 wrote to memory of 2504	2672	{532435DD-6A45-47be-A9C5-25B7F42EC2E6}.exe	33
PID 2160 wrote to memory of 2944	2160	{8699D196-3FE1-4c7b-B01F-71EDDC6E86FD}.exe	36
PID 2160 wrote to memory of 2944	2160	{8699D196-3FE1-4c7b-B01F-71EDDC6E86FD}.exe	36
PID 2160 wrote to memory of 2944	2160	{8699D196-3FE1-4c7b-B01F-71EDDC6E86FD}.exe	36
PID 2160 wrote to memory of 2944	2160	{8699D196-3FE1-4c7b-B01F-71EDDC6E86FD}.exe	36
PID 2160 wrote to memory of 3060	2160	{8699D196-3FE1-4c7b-B01F-71EDDC6E86FD}.exe	37
PID 2160 wrote to memory of 3060	2160	{8699D196-3FE1-4c7b-B01F-71EDDC6E86FD}.exe	37
PID 2160 wrote to memory of 3060	2160	{8699D196-3FE1-4c7b-B01F-71EDDC6E86FD}.exe	37
PID 2160 wrote to memory of 3060	2160	{8699D196-3FE1-4c7b-B01F-71EDDC6E86FD}.exe	37
PID 2944 wrote to memory of 2644	2944	{39CA335E-4065-4812-917F-77ABE2AA1440}.exe	38
PID 2944 wrote to memory of 2644	2944	{39CA335E-4065-4812-917F-77ABE2AA1440}.exe	38
PID 2944 wrote to memory of 2644	2944	{39CA335E-4065-4812-917F-77ABE2AA1440}.exe	38
PID 2944 wrote to memory of 2644	2944	{39CA335E-4065-4812-917F-77ABE2AA1440}.exe	38
PID 2944 wrote to memory of 2652	2944	{39CA335E-4065-4812-917F-77ABE2AA1440}.exe	39
PID 2944 wrote to memory of 2652	2944	{39CA335E-4065-4812-917F-77ABE2AA1440}.exe	39
PID 2944 wrote to memory of 2652	2944	{39CA335E-4065-4812-917F-77ABE2AA1440}.exe	39
PID 2944 wrote to memory of 2652	2944	{39CA335E-4065-4812-917F-77ABE2AA1440}.exe	39
PID 2644 wrote to memory of 2892	2644	{D23EC38A-B749-4199-8D28-47126BC7FD5C}.exe	40
PID 2644 wrote to memory of 2892	2644	{D23EC38A-B749-4199-8D28-47126BC7FD5C}.exe	40
PID 2644 wrote to memory of 2892	2644	{D23EC38A-B749-4199-8D28-47126BC7FD5C}.exe	40
PID 2644 wrote to memory of 2892	2644	{D23EC38A-B749-4199-8D28-47126BC7FD5C}.exe	40
PID 2644 wrote to memory of 2180	2644	{D23EC38A-B749-4199-8D28-47126BC7FD5C}.exe	41
PID 2644 wrote to memory of 2180	2644	{D23EC38A-B749-4199-8D28-47126BC7FD5C}.exe	41
PID 2644 wrote to memory of 2180	2644	{D23EC38A-B749-4199-8D28-47126BC7FD5C}.exe	41
PID 2644 wrote to memory of 2180	2644	{D23EC38A-B749-4199-8D28-47126BC7FD5C}.exe	41
PID 2892 wrote to memory of 2928	2892	{918E41F0-727A-4846-9BDC-C00F356625AC}.exe	42
PID 2892 wrote to memory of 2928	2892	{918E41F0-727A-4846-9BDC-C00F356625AC}.exe	42
PID 2892 wrote to memory of 2928	2892	{918E41F0-727A-4846-9BDC-C00F356625AC}.exe	42
PID 2892 wrote to memory of 2928	2892	{918E41F0-727A-4846-9BDC-C00F356625AC}.exe	42
PID 2892 wrote to memory of 2932	2892	{918E41F0-727A-4846-9BDC-C00F356625AC}.exe	43
PID 2892 wrote to memory of 2932	2892	{918E41F0-727A-4846-9BDC-C00F356625AC}.exe	43
PID 2892 wrote to memory of 2932	2892	{918E41F0-727A-4846-9BDC-C00F356625AC}.exe	43
PID 2892 wrote to memory of 2932	2892	{918E41F0-727A-4846-9BDC-C00F356625AC}.exe	43
PID 2928 wrote to memory of 1720	2928	{E4BB2321-06C0-47c8-BB1F-D7F2AD5D34CF}.exe	44
PID 2928 wrote to memory of 1720	2928	{E4BB2321-06C0-47c8-BB1F-D7F2AD5D34CF}.exe	44
PID 2928 wrote to memory of 1720	2928	{E4BB2321-06C0-47c8-BB1F-D7F2AD5D34CF}.exe	44
PID 2928 wrote to memory of 1720	2928	{E4BB2321-06C0-47c8-BB1F-D7F2AD5D34CF}.exe	44
PID 2928 wrote to memory of 2332	2928	{E4BB2321-06C0-47c8-BB1F-D7F2AD5D34CF}.exe	45
PID 2928 wrote to memory of 2332	2928	{E4BB2321-06C0-47c8-BB1F-D7F2AD5D34CF}.exe	45
PID 2928 wrote to memory of 2332	2928	{E4BB2321-06C0-47c8-BB1F-D7F2AD5D34CF}.exe	45
PID 2928 wrote to memory of 2332	2928	{E4BB2321-06C0-47c8-BB1F-D7F2AD5D34CF}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-04-15_7b0faeb819c6603a689e99255dfc5f59_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-15_7b0faeb819c6603a689e99255dfc5f59_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:780
- C:\Windows\{112F2E06-0652-43b3-B1A2-4D92720078FD}.exe
  C:\Windows\{112F2E06-0652-43b3-B1A2-4D92720078FD}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2284
- - C:\Windows\{532435DD-6A45-47be-A9C5-25B7F42EC2E6}.exe
    C:\Windows\{532435DD-6A45-47be-A9C5-25B7F42EC2E6}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2672
  - - C:\Windows\{8699D196-3FE1-4c7b-B01F-71EDDC6E86FD}.exe
      C:\Windows\{8699D196-3FE1-4c7b-B01F-71EDDC6E86FD}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2160
    - - C:\Windows\{39CA335E-4065-4812-917F-77ABE2AA1440}.exe
        
        C:\Windows\{39CA335E-4065-4812-917F-77ABE2AA1440}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2944
      - C:\Windows\{D23EC38A-B749-4199-8D28-47126BC7FD5C}.exe
        
        C:\Windows\{D23EC38A-B749-4199-8D28-47126BC7FD5C}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2644
        
        C:\Windows\{918E41F0-727A-4846-9BDC-C00F356625AC}.exe
        
        C:\Windows\{918E41F0-727A-4846-9BDC-C00F356625AC}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2892
        
        C:\Windows\{E4BB2321-06C0-47c8-BB1F-D7F2AD5D34CF}.exe
        
        C:\Windows\{E4BB2321-06C0-47c8-BB1F-D7F2AD5D34CF}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2928
        
        C:\Windows\{E752BDA6-DB22-4dbf-A1DB-5F9ED26F910F}.exe
        
        C:\Windows\{E752BDA6-DB22-4dbf-A1DB-5F9ED26F910F}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1720
        
        C:\Windows\{7020B336-9D60-49cc-AEB5-8F1840AAA795}.exe
        
        C:\Windows\{7020B336-9D60-49cc-AEB5-8F1840AAA795}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1900
        
        C:\Windows\{B455F98A-E06A-4ffb-8F7B-6176EFAACFB4}.exe
        
        C:\Windows\{B455F98A-E06A-4ffb-8F7B-6176EFAACFB4}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:692
        
        C:\Windows\{D2BA4ADF-D6D9-4591-A60E-B9632D6C8EFC}.exe
        
        C:\Windows\{D2BA4ADF-D6D9-4591-A60E-B9632D6C8EFC}.exe
        12⤵
        Executes dropped EXE
        
        PID:2988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B455F~1.EXE > nul
        12⤵
        
        PID:588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7020B~1.EXE > nul
        11⤵
        
        PID:328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E752B~1.EXE > nul
        10⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E4BB2~1.EXE > nul
        9⤵
        
        PID:2332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{918E4~1.EXE > nul
        8⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D23EC~1.EXE > nul
        7⤵
        
        PID:2180
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{39CA3~1.EXE > nul
        6⤵
        
        PID:2652
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8699D~1.EXE > nul
        5⤵
        
        PID:3060
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{53243~1.EXE > nul
      4⤵
      PID:2504
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{112F2~1.EXE > nul
    3⤵
    PID:2756
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{112F2E06-0652-43b3-B1A2-4D92720078FD}.exe

Filesize
216KB

MD5
4493a34de0e3a2ec1361878b3598b6e7

SHA1
c5abeaf331c87f3372c99b724a5edae9daa3ac9f

SHA256
eef93835df844618bb246bf6468d713b63536af1f7778f0cf723f0e9d5bd0977

SHA512
54acb46db74c756f018b1a1a8046370a99c3493555d158f46fa6d588ad3129e45c9a838dd25e1ceb68393668e40d7a72bdea56412787c54cab2249a7a8641df8

Download Submit
C:\Windows\{39CA335E-4065-4812-917F-77ABE2AA1440}.exe

Filesize
216KB

MD5
ab87b438e245dd6da7beb6287e0b6670

SHA1
b0b448a480c867cfe60553f583031f7424bd44a4

SHA256
ec96937690ef4cad50ba2b019d33e073e1a36fc748297f2b1d3203603b16348b

SHA512
93e8d2506b32c71c80376138c4207486e85dedd56320a5a3ac8c5d5d564644c5b01dd8e61c8d9ab1f36cd3923b610024f75530bd1d7a94ab1606adf70d7e7e03

Download Submit
C:\Windows\{532435DD-6A45-47be-A9C5-25B7F42EC2E6}.exe

Filesize
216KB

MD5
84fa707efdb81eca24f8a0dbca9d8c44

SHA1
ea36ceb52001419f14de6d93fd76d35242d93a46

SHA256
a59088bf858bc0b1f8eb94ec29abb51cd5726e96f9f2248c23de6161585c9f1d

SHA512
272e419417db60ec9388d285e8c6124ef9e22cf1a337d52da1fa0ea93a8ecffb75a5e01aa795b9533ffc22b7db85ab2b5944f2105fa2f16afd514f24fb3443ba

Download Submit
C:\Windows\{7020B336-9D60-49cc-AEB5-8F1840AAA795}.exe

Filesize
216KB

MD5
2ab29da11863001ae253834d7d1671e7

SHA1
96a0925ddf27640062c1a746d2e060983dc076f6

SHA256
6cbf30ff80179b5825f78c6e1625acc51f7fbea6b17172e7c4f884ff0b112380

SHA512
552694ad72ee1885015474e29d548a3ed020d0554990c12e6a01e4fa42eede89985d706710c186366f9beee23ffe952bc7f514a95a124a7951a13993acbf9757

Download Submit
C:\Windows\{8699D196-3FE1-4c7b-B01F-71EDDC6E86FD}.exe

Filesize
216KB

MD5
8ad39e418341d0fd054a4b08488b9923

SHA1
5d1dbabed84e057d1d1da86db38f933adca8b3eb

SHA256
d8eb1251061dfdd9f7e2a65fede562815f454f83c35255cdcf8a30e7867e12e5

SHA512
d74fc088cf00e025425355b77f8820745003c486a99a4472bfeb585b72a95214f3cf98a2bf5d6c94dc1ca9145fdc29d273871bc4f9a8578f9848e6aa0134e867

Download Submit
C:\Windows\{918E41F0-727A-4846-9BDC-C00F356625AC}.exe

Filesize
216KB

MD5
481d60861db53abd363de722c69b0dc4

SHA1
5dc70d38bf2f514811f88c845e07d02359a0dbe2

SHA256
d4678da1b0d3b3afc3820e24292c1441436dab059f3951c356a5484aa8703620

SHA512
ce576696fec4c30626d75c7cb6fd9183cb410e8ba105254bf414e9e7b195594464f260c995fd5d53097aee3e2180bc0d1d52d80da6a4ceba58ffd5af9349be09

Download Submit
C:\Windows\{B455F98A-E06A-4ffb-8F7B-6176EFAACFB4}.exe

Filesize
216KB

MD5
ff8782327726b79e1ba74981fe6b5769

SHA1
bd62d639291fc25fc2637d57899674d59fd5c9dd

SHA256
f88cea5014a83117e2f15f003d3ae4a295772dd51812b734a2d9353e2d343819

SHA512
3843b67a64d23e9485a161de3a8fe04e09a1348ded48dabee6f0c725ef75384c4d79e4092fe8ba5780534839c17c5a8af774e6f24a40218446f7f362bbcfac4f

Download Submit
C:\Windows\{D23EC38A-B749-4199-8D28-47126BC7FD5C}.exe

Filesize
216KB

MD5
4eef2170de87e705fab09371522c626c

SHA1
0fd29c3866224160a052eeba9ed587e4a4bc3602

SHA256
8297191d9c19472c80b0e79a357dbb330230a3199699a48ecc16909049776af1

SHA512
9818e5bd8869dfdd10da9ccf20e6be518685ec9b339c63f25ea10d4b45b979ee98956aa5fefd959034ec009728840d504ee8108646c0f333d0563a7ebd3cdb8f

Download Submit
C:\Windows\{D2BA4ADF-D6D9-4591-A60E-B9632D6C8EFC}.exe

Filesize
216KB

MD5
5d76a1a126712c7e687559ddf36a0f6e

SHA1
5c7bb10dd3623aca8822143dd86de42385e52de8

SHA256
153039f75a34e2c5b30ac6b67aca448dec449d0e1c8dfe24de637a7d66c65b42

SHA512
f44f2d77d73a905c4ef9eedaecba1646641ca8b6d9d59475c554ff8996755de45b0acb2d12dee8555d4fb4bf94c0661da303a223e229e94efd5e736c9d7252e5

Download Submit
C:\Windows\{E4BB2321-06C0-47c8-BB1F-D7F2AD5D34CF}.exe

Filesize
216KB

MD5
031495c4d9784b71a75631fe5ca714fc

SHA1
20edbb292f6476340f736c6e9f4181b1b873ceb3

SHA256
b4ad19c7b091f385d29f91293d2b1d4a72899fe33049a74f918e19a221e93baa

SHA512
f957990d58cf0732c09ee2b3b1467f6f343d652fb9d83d462edfa66ccd12841deedb8e303b461e816f247ce21cc94cda6c70d1a131aae21a2baed9f559839dbe

Download Submit
C:\Windows\{E752BDA6-DB22-4dbf-A1DB-5F9ED26F910F}.exe

Filesize
216KB

MD5
9136021a2cd1620394638b0aeb58c7a5

SHA1
1a5ba29fa373b10552d405716310169410290a73

SHA256
0098dbebf7944080660e702aa0454580809e0b681df0601d3d9b6eeb764bdfef

SHA512
72283de186c16cac4445ee066ffb1b33656bded491459b02e32da448b07479f798976d89c8057d816cffacb757d8dcdf6c8f55d7bb31a2b21afa96ba5643b0f0

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads