b74de38c7c02b56a04becd4c31030926fad626b8efaba14a725057205a8dca13

Analysis

max time kernel
144s
max time network
119s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
16/04/2024, 22:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-16_2f56c9b604caff8ef8e5514b4e8757f7_goldeneye.exe
Size

380KB
MD5

2f56c9b604caff8ef8e5514b4e8757f7
SHA1

c4657f987eef36a5aeb8fff0cebba49237aec336
SHA256

b74de38c7c02b56a04becd4c31030926fad626b8efaba14a725057205a8dca13
SHA512

48218c5b01517ef66d76f6b3b50a874523652301e99ab2e50acdd90a686eb3b6a92ad5583d3d2c920d95b4852e7f50038ef06dbcba05174c75e4c9cb3c3f7b58
SSDEEP

3072:mEGh0ovlPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGFl7Oe2MUVg3v2IneKcAEcARy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000c000000012253-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b000000014457-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000012253-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0038000000014709-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e000000012253-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f000000012253-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0010000000012253-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C9593675-DBA9-4c80-A843-378784B72E6C}	2024-04-16_2f56c9b604caff8ef8e5514b4e8757f7_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C9593675-DBA9-4c80-A843-378784B72E6C}\stubpath = "C:\\Windows\\{C9593675-DBA9-4c80-A843-378784B72E6C}.exe"	2024-04-16_2f56c9b604caff8ef8e5514b4e8757f7_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FBC16529-77EF-4a14-A9F0-FA151099FCA6}\stubpath = "C:\\Windows\\{FBC16529-77EF-4a14-A9F0-FA151099FCA6}.exe"	{C30B886B-F352-4903-BF81-182F4ECCB8C2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FBE54DB9-8617-4d87-80E4-6C91E4C44A82}	{0563EB29-149D-4502-AD22-D732E8D99624}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{01AD7D1E-6E63-4b7e-9A0F-09B991864C8F}\stubpath = "C:\\Windows\\{01AD7D1E-6E63-4b7e-9A0F-09B991864C8F}.exe"	{FBE54DB9-8617-4d87-80E4-6C91E4C44A82}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FBC16529-77EF-4a14-A9F0-FA151099FCA6}	{C30B886B-F352-4903-BF81-182F4ECCB8C2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{186466A9-A821-4fcf-8385-EEA0E7FB7BA4}	{190FF6DA-E69B-4339-B00D-FE907C917AE0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{60F7F2C2-1285-4980-9082-A8A1B5588DDA}	{01AD7D1E-6E63-4b7e-9A0F-09B991864C8F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{60F7F2C2-1285-4980-9082-A8A1B5588DDA}\stubpath = "C:\\Windows\\{60F7F2C2-1285-4980-9082-A8A1B5588DDA}.exe"	{01AD7D1E-6E63-4b7e-9A0F-09B991864C8F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C8081CBB-066E-4f59-9AFB-4B86FE2BABB7}\stubpath = "C:\\Windows\\{C8081CBB-066E-4f59-9AFB-4B86FE2BABB7}.exe"	{C9593675-DBA9-4c80-A843-378784B72E6C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C30B886B-F352-4903-BF81-182F4ECCB8C2}\stubpath = "C:\\Windows\\{C30B886B-F352-4903-BF81-182F4ECCB8C2}.exe"	{C8081CBB-066E-4f59-9AFB-4B86FE2BABB7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FA35132E-6416-4303-A78D-CF35EAD5541D}	{FBC16529-77EF-4a14-A9F0-FA151099FCA6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FA35132E-6416-4303-A78D-CF35EAD5541D}\stubpath = "C:\\Windows\\{FA35132E-6416-4303-A78D-CF35EAD5541D}.exe"	{FBC16529-77EF-4a14-A9F0-FA151099FCA6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{190FF6DA-E69B-4339-B00D-FE907C917AE0}\stubpath = "C:\\Windows\\{190FF6DA-E69B-4339-B00D-FE907C917AE0}.exe"	{FA35132E-6416-4303-A78D-CF35EAD5541D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{186466A9-A821-4fcf-8385-EEA0E7FB7BA4}\stubpath = "C:\\Windows\\{186466A9-A821-4fcf-8385-EEA0E7FB7BA4}.exe"	{190FF6DA-E69B-4339-B00D-FE907C917AE0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FBE54DB9-8617-4d87-80E4-6C91E4C44A82}\stubpath = "C:\\Windows\\{FBE54DB9-8617-4d87-80E4-6C91E4C44A82}.exe"	{0563EB29-149D-4502-AD22-D732E8D99624}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C8081CBB-066E-4f59-9AFB-4B86FE2BABB7}	{C9593675-DBA9-4c80-A843-378784B72E6C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C30B886B-F352-4903-BF81-182F4ECCB8C2}	{C8081CBB-066E-4f59-9AFB-4B86FE2BABB7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{190FF6DA-E69B-4339-B00D-FE907C917AE0}	{FA35132E-6416-4303-A78D-CF35EAD5541D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0563EB29-149D-4502-AD22-D732E8D99624}	{186466A9-A821-4fcf-8385-EEA0E7FB7BA4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0563EB29-149D-4502-AD22-D732E8D99624}\stubpath = "C:\\Windows\\{0563EB29-149D-4502-AD22-D732E8D99624}.exe"	{186466A9-A821-4fcf-8385-EEA0E7FB7BA4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{01AD7D1E-6E63-4b7e-9A0F-09B991864C8F}	{FBE54DB9-8617-4d87-80E4-6C91E4C44A82}.exe

Deletes itself 1 IoCs

pid	Process
2448	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2668	{C9593675-DBA9-4c80-A843-378784B72E6C}.exe
2484	{C8081CBB-066E-4f59-9AFB-4B86FE2BABB7}.exe
2576	{C30B886B-F352-4903-BF81-182F4ECCB8C2}.exe
2808	{FBC16529-77EF-4a14-A9F0-FA151099FCA6}.exe
1452	{FA35132E-6416-4303-A78D-CF35EAD5541D}.exe
300	{190FF6DA-E69B-4339-B00D-FE907C917AE0}.exe
1736	{186466A9-A821-4fcf-8385-EEA0E7FB7BA4}.exe
1224	{0563EB29-149D-4502-AD22-D732E8D99624}.exe
2700	{FBE54DB9-8617-4d87-80E4-6C91E4C44A82}.exe
2692	{01AD7D1E-6E63-4b7e-9A0F-09B991864C8F}.exe
1624	{60F7F2C2-1285-4980-9082-A8A1B5588DDA}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{FBE54DB9-8617-4d87-80E4-6C91E4C44A82}.exe	{0563EB29-149D-4502-AD22-D732E8D99624}.exe
File created	C:\Windows\{60F7F2C2-1285-4980-9082-A8A1B5588DDA}.exe	{01AD7D1E-6E63-4b7e-9A0F-09B991864C8F}.exe
File created	C:\Windows\{C9593675-DBA9-4c80-A843-378784B72E6C}.exe	2024-04-16_2f56c9b604caff8ef8e5514b4e8757f7_goldeneye.exe
File created	C:\Windows\{C30B886B-F352-4903-BF81-182F4ECCB8C2}.exe	{C8081CBB-066E-4f59-9AFB-4B86FE2BABB7}.exe
File created	C:\Windows\{FBC16529-77EF-4a14-A9F0-FA151099FCA6}.exe	{C30B886B-F352-4903-BF81-182F4ECCB8C2}.exe
File created	C:\Windows\{FA35132E-6416-4303-A78D-CF35EAD5541D}.exe	{FBC16529-77EF-4a14-A9F0-FA151099FCA6}.exe
File created	C:\Windows\{01AD7D1E-6E63-4b7e-9A0F-09B991864C8F}.exe	{FBE54DB9-8617-4d87-80E4-6C91E4C44A82}.exe
File created	C:\Windows\{C8081CBB-066E-4f59-9AFB-4B86FE2BABB7}.exe	{C9593675-DBA9-4c80-A843-378784B72E6C}.exe
File created	C:\Windows\{190FF6DA-E69B-4339-B00D-FE907C917AE0}.exe	{FA35132E-6416-4303-A78D-CF35EAD5541D}.exe
File created	C:\Windows\{186466A9-A821-4fcf-8385-EEA0E7FB7BA4}.exe	{190FF6DA-E69B-4339-B00D-FE907C917AE0}.exe
File created	C:\Windows\{0563EB29-149D-4502-AD22-D732E8D99624}.exe	{186466A9-A821-4fcf-8385-EEA0E7FB7BA4}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2924	2024-04-16_2f56c9b604caff8ef8e5514b4e8757f7_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2668	{C9593675-DBA9-4c80-A843-378784B72E6C}.exe
Token: SeIncBasePriorityPrivilege	2484	{C8081CBB-066E-4f59-9AFB-4B86FE2BABB7}.exe
Token: SeIncBasePriorityPrivilege	2576	{C30B886B-F352-4903-BF81-182F4ECCB8C2}.exe
Token: SeIncBasePriorityPrivilege	2808	{FBC16529-77EF-4a14-A9F0-FA151099FCA6}.exe
Token: SeIncBasePriorityPrivilege	1452	{FA35132E-6416-4303-A78D-CF35EAD5541D}.exe
Token: SeIncBasePriorityPrivilege	300	{190FF6DA-E69B-4339-B00D-FE907C917AE0}.exe
Token: SeIncBasePriorityPrivilege	1736	{186466A9-A821-4fcf-8385-EEA0E7FB7BA4}.exe
Token: SeIncBasePriorityPrivilege	1224	{0563EB29-149D-4502-AD22-D732E8D99624}.exe
Token: SeIncBasePriorityPrivilege	2700	{FBE54DB9-8617-4d87-80E4-6C91E4C44A82}.exe
Token: SeIncBasePriorityPrivilege	2692	{01AD7D1E-6E63-4b7e-9A0F-09B991864C8F}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2924 wrote to memory of 2668	2924	2024-04-16_2f56c9b604caff8ef8e5514b4e8757f7_goldeneye.exe	28
PID 2924 wrote to memory of 2668	2924	2024-04-16_2f56c9b604caff8ef8e5514b4e8757f7_goldeneye.exe	28
PID 2924 wrote to memory of 2668	2924	2024-04-16_2f56c9b604caff8ef8e5514b4e8757f7_goldeneye.exe	28
PID 2924 wrote to memory of 2668	2924	2024-04-16_2f56c9b604caff8ef8e5514b4e8757f7_goldeneye.exe	28
PID 2924 wrote to memory of 2448	2924	2024-04-16_2f56c9b604caff8ef8e5514b4e8757f7_goldeneye.exe	29
PID 2924 wrote to memory of 2448	2924	2024-04-16_2f56c9b604caff8ef8e5514b4e8757f7_goldeneye.exe	29
PID 2924 wrote to memory of 2448	2924	2024-04-16_2f56c9b604caff8ef8e5514b4e8757f7_goldeneye.exe	29
PID 2924 wrote to memory of 2448	2924	2024-04-16_2f56c9b604caff8ef8e5514b4e8757f7_goldeneye.exe	29
PID 2668 wrote to memory of 2484	2668	{C9593675-DBA9-4c80-A843-378784B72E6C}.exe	30
PID 2668 wrote to memory of 2484	2668	{C9593675-DBA9-4c80-A843-378784B72E6C}.exe	30
PID 2668 wrote to memory of 2484	2668	{C9593675-DBA9-4c80-A843-378784B72E6C}.exe	30
PID 2668 wrote to memory of 2484	2668	{C9593675-DBA9-4c80-A843-378784B72E6C}.exe	30
PID 2668 wrote to memory of 2680	2668	{C9593675-DBA9-4c80-A843-378784B72E6C}.exe	31
PID 2668 wrote to memory of 2680	2668	{C9593675-DBA9-4c80-A843-378784B72E6C}.exe	31
PID 2668 wrote to memory of 2680	2668	{C9593675-DBA9-4c80-A843-378784B72E6C}.exe	31
PID 2668 wrote to memory of 2680	2668	{C9593675-DBA9-4c80-A843-378784B72E6C}.exe	31
PID 2484 wrote to memory of 2576	2484	{C8081CBB-066E-4f59-9AFB-4B86FE2BABB7}.exe	32
PID 2484 wrote to memory of 2576	2484	{C8081CBB-066E-4f59-9AFB-4B86FE2BABB7}.exe	32
PID 2484 wrote to memory of 2576	2484	{C8081CBB-066E-4f59-9AFB-4B86FE2BABB7}.exe	32
PID 2484 wrote to memory of 2576	2484	{C8081CBB-066E-4f59-9AFB-4B86FE2BABB7}.exe	32
PID 2484 wrote to memory of 2476	2484	{C8081CBB-066E-4f59-9AFB-4B86FE2BABB7}.exe	33
PID 2484 wrote to memory of 2476	2484	{C8081CBB-066E-4f59-9AFB-4B86FE2BABB7}.exe	33
PID 2484 wrote to memory of 2476	2484	{C8081CBB-066E-4f59-9AFB-4B86FE2BABB7}.exe	33
PID 2484 wrote to memory of 2476	2484	{C8081CBB-066E-4f59-9AFB-4B86FE2BABB7}.exe	33
PID 2576 wrote to memory of 2808	2576	{C30B886B-F352-4903-BF81-182F4ECCB8C2}.exe	36
PID 2576 wrote to memory of 2808	2576	{C30B886B-F352-4903-BF81-182F4ECCB8C2}.exe	36
PID 2576 wrote to memory of 2808	2576	{C30B886B-F352-4903-BF81-182F4ECCB8C2}.exe	36
PID 2576 wrote to memory of 2808	2576	{C30B886B-F352-4903-BF81-182F4ECCB8C2}.exe	36
PID 2576 wrote to memory of 1920	2576	{C30B886B-F352-4903-BF81-182F4ECCB8C2}.exe	37
PID 2576 wrote to memory of 1920	2576	{C30B886B-F352-4903-BF81-182F4ECCB8C2}.exe	37
PID 2576 wrote to memory of 1920	2576	{C30B886B-F352-4903-BF81-182F4ECCB8C2}.exe	37
PID 2576 wrote to memory of 1920	2576	{C30B886B-F352-4903-BF81-182F4ECCB8C2}.exe	37
PID 2808 wrote to memory of 1452	2808	{FBC16529-77EF-4a14-A9F0-FA151099FCA6}.exe	38
PID 2808 wrote to memory of 1452	2808	{FBC16529-77EF-4a14-A9F0-FA151099FCA6}.exe	38
PID 2808 wrote to memory of 1452	2808	{FBC16529-77EF-4a14-A9F0-FA151099FCA6}.exe	38
PID 2808 wrote to memory of 1452	2808	{FBC16529-77EF-4a14-A9F0-FA151099FCA6}.exe	38
PID 2808 wrote to memory of 1260	2808	{FBC16529-77EF-4a14-A9F0-FA151099FCA6}.exe	39
PID 2808 wrote to memory of 1260	2808	{FBC16529-77EF-4a14-A9F0-FA151099FCA6}.exe	39
PID 2808 wrote to memory of 1260	2808	{FBC16529-77EF-4a14-A9F0-FA151099FCA6}.exe	39
PID 2808 wrote to memory of 1260	2808	{FBC16529-77EF-4a14-A9F0-FA151099FCA6}.exe	39
PID 1452 wrote to memory of 300	1452	{FA35132E-6416-4303-A78D-CF35EAD5541D}.exe	40
PID 1452 wrote to memory of 300	1452	{FA35132E-6416-4303-A78D-CF35EAD5541D}.exe	40
PID 1452 wrote to memory of 300	1452	{FA35132E-6416-4303-A78D-CF35EAD5541D}.exe	40
PID 1452 wrote to memory of 300	1452	{FA35132E-6416-4303-A78D-CF35EAD5541D}.exe	40
PID 1452 wrote to memory of 1696	1452	{FA35132E-6416-4303-A78D-CF35EAD5541D}.exe	41
PID 1452 wrote to memory of 1696	1452	{FA35132E-6416-4303-A78D-CF35EAD5541D}.exe	41
PID 1452 wrote to memory of 1696	1452	{FA35132E-6416-4303-A78D-CF35EAD5541D}.exe	41
PID 1452 wrote to memory of 1696	1452	{FA35132E-6416-4303-A78D-CF35EAD5541D}.exe	41
PID 300 wrote to memory of 1736	300	{190FF6DA-E69B-4339-B00D-FE907C917AE0}.exe	42
PID 300 wrote to memory of 1736	300	{190FF6DA-E69B-4339-B00D-FE907C917AE0}.exe	42
PID 300 wrote to memory of 1736	300	{190FF6DA-E69B-4339-B00D-FE907C917AE0}.exe	42
PID 300 wrote to memory of 1736	300	{190FF6DA-E69B-4339-B00D-FE907C917AE0}.exe	42
PID 300 wrote to memory of 2608	300	{190FF6DA-E69B-4339-B00D-FE907C917AE0}.exe	43
PID 300 wrote to memory of 2608	300	{190FF6DA-E69B-4339-B00D-FE907C917AE0}.exe	43
PID 300 wrote to memory of 2608	300	{190FF6DA-E69B-4339-B00D-FE907C917AE0}.exe	43
PID 300 wrote to memory of 2608	300	{190FF6DA-E69B-4339-B00D-FE907C917AE0}.exe	43
PID 1736 wrote to memory of 1224	1736	{186466A9-A821-4fcf-8385-EEA0E7FB7BA4}.exe	44
PID 1736 wrote to memory of 1224	1736	{186466A9-A821-4fcf-8385-EEA0E7FB7BA4}.exe	44
PID 1736 wrote to memory of 1224	1736	{186466A9-A821-4fcf-8385-EEA0E7FB7BA4}.exe	44
PID 1736 wrote to memory of 1224	1736	{186466A9-A821-4fcf-8385-EEA0E7FB7BA4}.exe	44
PID 1736 wrote to memory of 852	1736	{186466A9-A821-4fcf-8385-EEA0E7FB7BA4}.exe	45
PID 1736 wrote to memory of 852	1736	{186466A9-A821-4fcf-8385-EEA0E7FB7BA4}.exe	45
PID 1736 wrote to memory of 852	1736	{186466A9-A821-4fcf-8385-EEA0E7FB7BA4}.exe	45
PID 1736 wrote to memory of 852	1736	{186466A9-A821-4fcf-8385-EEA0E7FB7BA4}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-04-16_2f56c9b604caff8ef8e5514b4e8757f7_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-16_2f56c9b604caff8ef8e5514b4e8757f7_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2924
- C:\Windows\{C9593675-DBA9-4c80-A843-378784B72E6C}.exe
  C:\Windows\{C9593675-DBA9-4c80-A843-378784B72E6C}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2668
- - C:\Windows\{C8081CBB-066E-4f59-9AFB-4B86FE2BABB7}.exe
    C:\Windows\{C8081CBB-066E-4f59-9AFB-4B86FE2BABB7}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2484
  - - C:\Windows\{C30B886B-F352-4903-BF81-182F4ECCB8C2}.exe
      C:\Windows\{C30B886B-F352-4903-BF81-182F4ECCB8C2}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2576
    - - C:\Windows\{FBC16529-77EF-4a14-A9F0-FA151099FCA6}.exe
        
        C:\Windows\{FBC16529-77EF-4a14-A9F0-FA151099FCA6}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2808
      - C:\Windows\{FA35132E-6416-4303-A78D-CF35EAD5541D}.exe
        
        C:\Windows\{FA35132E-6416-4303-A78D-CF35EAD5541D}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1452
        
        C:\Windows\{190FF6DA-E69B-4339-B00D-FE907C917AE0}.exe
        
        C:\Windows\{190FF6DA-E69B-4339-B00D-FE907C917AE0}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:300
        
        C:\Windows\{186466A9-A821-4fcf-8385-EEA0E7FB7BA4}.exe
        
        C:\Windows\{186466A9-A821-4fcf-8385-EEA0E7FB7BA4}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1736
        
        C:\Windows\{0563EB29-149D-4502-AD22-D732E8D99624}.exe
        
        C:\Windows\{0563EB29-149D-4502-AD22-D732E8D99624}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1224
        
        C:\Windows\{FBE54DB9-8617-4d87-80E4-6C91E4C44A82}.exe
        
        C:\Windows\{FBE54DB9-8617-4d87-80E4-6C91E4C44A82}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2700
        
        C:\Windows\{01AD7D1E-6E63-4b7e-9A0F-09B991864C8F}.exe
        
        C:\Windows\{01AD7D1E-6E63-4b7e-9A0F-09B991864C8F}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2692
        
        C:\Windows\{60F7F2C2-1285-4980-9082-A8A1B5588DDA}.exe
        
        C:\Windows\{60F7F2C2-1285-4980-9082-A8A1B5588DDA}.exe
        12⤵
        Executes dropped EXE
        
        PID:1624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{01AD7~1.EXE > nul
        12⤵
        
        PID:844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FBE54~1.EXE > nul
        11⤵
        
        PID:700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0563E~1.EXE > nul
        10⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{18646~1.EXE > nul
        9⤵
        
        PID:852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{190FF~1.EXE > nul
        8⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FA351~1.EXE > nul
        7⤵
        
        PID:1696
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FBC16~1.EXE > nul
        6⤵
        
        PID:1260
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C30B8~1.EXE > nul
        5⤵
        
        PID:1920
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{C8081~1.EXE > nul
      4⤵
      PID:2476
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{C9593~1.EXE > nul
    3⤵
    PID:2680
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{01AD7D1E-6E63-4b7e-9A0F-09B991864C8F}.exe

Filesize
380KB

MD5
c7623a12c72e3f08a59a3b4a39bc800d

SHA1
172c367d01201192f34bc8f5f3939f5eed39030f

SHA256
285be2dfd671a34c5cdebe9e1fb1a52b2b73bebd55f452fb766681340841cedc

SHA512
6a2d49d40d4d7f8a488199159bbb2d38c47c49be2db09db541c00845a196769be8d8cc8f4077f2231b612030cc31908cf0edb428f49fc60b2b064a9679404cd2

Download Submit
C:\Windows\{0563EB29-149D-4502-AD22-D732E8D99624}.exe

Filesize
380KB

MD5
47fe7a27927632976d8b2b56bdef41a6

SHA1
eb75660ef8b5055364e18222e6a8475d4ea2a89a

SHA256
a19241fe9d8d947b54feca465d379a83b008f24eb85b1e0fe094d5fceb100b40

SHA512
e7ef0c12a321c5e65608808b366e9fe755ad1f309332e1d4d66ea3ca11d6fc9a728eb981e0973108838ab53a6c8d4b3b9d549a5c8a97f2d9dfcd6c2aff345527

Download Submit
C:\Windows\{186466A9-A821-4fcf-8385-EEA0E7FB7BA4}.exe

Filesize
380KB

MD5
951a56c34a65d775f889015e90d22ac8

SHA1
d99bfa5392b8fdb627d129a7bc72bda046fd3852

SHA256
02da7d7599b749c68527f146e19013701787c19463fe969761cc3c8a06717a6a

SHA512
7565f8ca2454917b326b9f4e7f3a9dd11efe1cfbc2e2709886ae096dcb919782236eddfcd040bef163d2a1086de83b046ad9c0f6767d22aad6af3585aff79bdc

Download Submit
C:\Windows\{190FF6DA-E69B-4339-B00D-FE907C917AE0}.exe

Filesize
380KB

MD5
876a9e4521efd45b41c56f1ac140d2ea

SHA1
cf876dfd7d856dc18cc2e090efda198c7d3d7b59

SHA256
655fcbcaf0bc2c741d9f3b751fdc3e34431d2d795e3865b9793f20850d67e513

SHA512
adc036b0e763f5ae7d2e8bf5e349619e3ccde15e470d79ca268c3ca40a21dc7e874f8917bfb015ca8e9712cd94de92d84198042c855f939a9f249e1d6986a220

Download Submit
C:\Windows\{60F7F2C2-1285-4980-9082-A8A1B5588DDA}.exe

Filesize
380KB

MD5
3e0be54e2e25d11fbfefda287684558b

SHA1
468ba75f00b13eba592ca617c263dee5d0acd5ca

SHA256
e3c8e8edf0747192f5f146307378db74cef9ef2a7fc7734bb149adae8f94bbec

SHA512
27578f0db7f548ef647d9e4fec25a76edf702c05cd4b09879a0cb60eb7b3a61beb95d425f7ec6ed3e1e5c4336851cb7c657542d689b15dc3bebf14b72ace1911

Download Submit
C:\Windows\{C30B886B-F352-4903-BF81-182F4ECCB8C2}.exe

Filesize
380KB

MD5
f2f836c1046134001a67b67a36bbf5db

SHA1
a10501ac2751ce5c53c2d88717b48103f2bd249a

SHA256
cc6868bf460e70501226a757d320ec6ca1cd1f3398bda1904aedd6ac13577cf3

SHA512
073246dc61bab1198f9f3be1b693b143f496962cd477b102fcc61fc160fd62e38b49963b5213a884f5e4137ac6ae3eddd33ace1ce90d57aac6cbb5c1f5ad2b5e

Download Submit
C:\Windows\{C8081CBB-066E-4f59-9AFB-4B86FE2BABB7}.exe

Filesize
380KB

MD5
4713c22dc80af992a13caac8e7d1130e

SHA1
9f0faf5715ac2f901c2b7b1837bd402668934fa7

SHA256
4d983ce21755a1704f212cc77356383815dade11e510e0a4cbd2bf2ec08364ee

SHA512
5939f57842a541c93c3818c1703b159c304f2f99eae71fd71b4443fbc8ced20e10d1c59677ffbccb5ca20cc7a3e4ffe55eec9d28711772bd505db02bd5db027a

Download Submit
C:\Windows\{C9593675-DBA9-4c80-A843-378784B72E6C}.exe

Filesize
380KB

MD5
6a536985e43b5a5fee26ac662a8e48e5

SHA1
d166812215ae5c49b0dd0f2c74edf46371261f2d

SHA256
cf6775e8d605b73dac76af851568fdb291bbb8e7d84d6d72f4af38653c7f0857

SHA512
53cd806b108a4d1f58ccec412f7e51d112a0191957e87c088fb8d2a93cd68ce58551b18b54b01d53d47b8ff2f4c7b5c3e4561bc614d19ef063bb08744ac5e7a2

Download Submit
C:\Windows\{FA35132E-6416-4303-A78D-CF35EAD5541D}.exe

Filesize
380KB

MD5
98e97480d8d9857ce77f51a686362567

SHA1
eaa46a1703b7596211b9acef94c40adf559995c2

SHA256
4b9b668eea2547acb917fe705e17e361ac6245fa4942375cfd026d79f3a15620

SHA512
818ae0a9e0cfccf79c5f42477d1234ccd6dd875a302bcb213b4ac7f2c531b1debae6bc749527b33ccbb50e3be17b0c2314ab027fa2d863aa454f2049c8bdab42

Download Submit
C:\Windows\{FBC16529-77EF-4a14-A9F0-FA151099FCA6}.exe

Filesize
380KB

MD5
00e26af2fb3352aa9fe7beac1b02269c

SHA1
ff5c75275d4fed979fdc9ae5ce01d3cddfbdbbbd

SHA256
897b6cc4443f2ffe651c9ebc56a2e1958aa1db22bf5f142d00d9bca9dfd5eac8

SHA512
e244ebcacb99da66e15179680084d1e8519075a7346dfffcca8e183e9706b1e7a1fa9b4177a65e2197f8ccecfe63e9a99d77914cc1b0759d153c680bd24f172f

Download Submit
C:\Windows\{FBE54DB9-8617-4d87-80E4-6C91E4C44A82}.exe

Filesize
380KB

MD5
985dc8d91603fa0968c9d485d59f5ffd

SHA1
8ba222e75a9f0ef757147fb71297920c5366440d

SHA256
3f159bb3ad971d81b2311ad41ec252ec65610a427687c92687a90049d75c7342

SHA512
feafc6961cbac741a0a9d60627d97e811f4c1fc2d50768465db78ca38923b9a5cb539c81c5440cc97a71a5873d209c3cf491b2745d5f2e860ab6eb19820f5321

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads