454ae04bef06f2201227f29b53c5f1fa9bbf6c4c2412347e801a9b25fe63dd2f

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
18/04/2024, 20:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-18_31cdad6f6ca6b31819b235b0d62adfc2_goldeneye.exe
Size

408KB
MD5

31cdad6f6ca6b31819b235b0d62adfc2
SHA1

e9d4940c2d418cfd9a3119dcadc9f1b5aba8fa4f
SHA256

454ae04bef06f2201227f29b53c5f1fa9bbf6c4c2412347e801a9b25fe63dd2f
SHA512

04c2ce725f159df0586e90fbca36a7265f3dc5c304bd72a76f75cbfdeb7dae85e63496489cea1fa9277a63bb84bcde251bf1c93849437477ea401c2ebf71bb6c
SSDEEP

3072:CEGh0ozl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGJldOe2MUVg3vTeKcAEciTBqr3jy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000a000000012251-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a000000015cb6-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b000000012251-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0035000000015d4e-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000012251-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000012251-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e000000012251-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1EEA8708-D180-4c3c-BD60-C1B65D6A8510}\stubpath = "C:\\Windows\\{1EEA8708-D180-4c3c-BD60-C1B65D6A8510}.exe"	{B61FDF39-B0C2-40f1-B717-5E19CD1CC7AC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7AD19F0D-310F-44f8-9E52-EBF767596353}\stubpath = "C:\\Windows\\{7AD19F0D-310F-44f8-9E52-EBF767596353}.exe"	{1EEA8708-D180-4c3c-BD60-C1B65D6A8510}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C68C771D-E768-4602-8412-BDC9A32C55A9}\stubpath = "C:\\Windows\\{C68C771D-E768-4602-8412-BDC9A32C55A9}.exe"	{5C5F3A06-2F21-4fd5-8E57-450AFFB92B5A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EB3C558C-8BC8-4fe1-8113-D03B4AD1933F}\stubpath = "C:\\Windows\\{EB3C558C-8BC8-4fe1-8113-D03B4AD1933F}.exe"	{C68C771D-E768-4602-8412-BDC9A32C55A9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{28F8EDC9-DA46-4ca1-9516-880C6FCFF4E9}	{E99AEE8A-4CC2-462e-BEE0-759977A51C43}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{28F8EDC9-DA46-4ca1-9516-880C6FCFF4E9}\stubpath = "C:\\Windows\\{28F8EDC9-DA46-4ca1-9516-880C6FCFF4E9}.exe"	{E99AEE8A-4CC2-462e-BEE0-759977A51C43}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1EEA8708-D180-4c3c-BD60-C1B65D6A8510}	{B61FDF39-B0C2-40f1-B717-5E19CD1CC7AC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EB3C558C-8BC8-4fe1-8113-D03B4AD1933F}	{C68C771D-E768-4602-8412-BDC9A32C55A9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FFAD45ED-0D11-47db-95AB-3F58E5E057E8}\stubpath = "C:\\Windows\\{FFAD45ED-0D11-47db-95AB-3F58E5E057E8}.exe"	{28F8EDC9-DA46-4ca1-9516-880C6FCFF4E9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C34AAABF-6BAB-41c1-B1C7-5FD584ED5FD0}	{BE4A1F15-825B-467b-B5E3-B44F3CCB0048}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C34AAABF-6BAB-41c1-B1C7-5FD584ED5FD0}\stubpath = "C:\\Windows\\{C34AAABF-6BAB-41c1-B1C7-5FD584ED5FD0}.exe"	{BE4A1F15-825B-467b-B5E3-B44F3CCB0048}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B61FDF39-B0C2-40f1-B717-5E19CD1CC7AC}	2024-04-18_31cdad6f6ca6b31819b235b0d62adfc2_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B61FDF39-B0C2-40f1-B717-5E19CD1CC7AC}\stubpath = "C:\\Windows\\{B61FDF39-B0C2-40f1-B717-5E19CD1CC7AC}.exe"	2024-04-18_31cdad6f6ca6b31819b235b0d62adfc2_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5C5F3A06-2F21-4fd5-8E57-450AFFB92B5A}\stubpath = "C:\\Windows\\{5C5F3A06-2F21-4fd5-8E57-450AFFB92B5A}.exe"	{7AD19F0D-310F-44f8-9E52-EBF767596353}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C68C771D-E768-4602-8412-BDC9A32C55A9}	{5C5F3A06-2F21-4fd5-8E57-450AFFB92B5A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E99AEE8A-4CC2-462e-BEE0-759977A51C43}	{EB3C558C-8BC8-4fe1-8113-D03B4AD1933F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BE4A1F15-825B-467b-B5E3-B44F3CCB0048}	{FFAD45ED-0D11-47db-95AB-3F58E5E057E8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7AD19F0D-310F-44f8-9E52-EBF767596353}	{1EEA8708-D180-4c3c-BD60-C1B65D6A8510}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5C5F3A06-2F21-4fd5-8E57-450AFFB92B5A}	{7AD19F0D-310F-44f8-9E52-EBF767596353}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E99AEE8A-4CC2-462e-BEE0-759977A51C43}\stubpath = "C:\\Windows\\{E99AEE8A-4CC2-462e-BEE0-759977A51C43}.exe"	{EB3C558C-8BC8-4fe1-8113-D03B4AD1933F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FFAD45ED-0D11-47db-95AB-3F58E5E057E8}	{28F8EDC9-DA46-4ca1-9516-880C6FCFF4E9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BE4A1F15-825B-467b-B5E3-B44F3CCB0048}\stubpath = "C:\\Windows\\{BE4A1F15-825B-467b-B5E3-B44F3CCB0048}.exe"	{FFAD45ED-0D11-47db-95AB-3F58E5E057E8}.exe

Deletes itself 1 IoCs

pid	Process
2172	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2964	{B61FDF39-B0C2-40f1-B717-5E19CD1CC7AC}.exe
2624	{1EEA8708-D180-4c3c-BD60-C1B65D6A8510}.exe
2248	{7AD19F0D-310F-44f8-9E52-EBF767596353}.exe
2540	{5C5F3A06-2F21-4fd5-8E57-450AFFB92B5A}.exe
2480	{C68C771D-E768-4602-8412-BDC9A32C55A9}.exe
1772	{EB3C558C-8BC8-4fe1-8113-D03B4AD1933F}.exe
1672	{E99AEE8A-4CC2-462e-BEE0-759977A51C43}.exe
1520	{28F8EDC9-DA46-4ca1-9516-880C6FCFF4E9}.exe
2920	{FFAD45ED-0D11-47db-95AB-3F58E5E057E8}.exe
2828	{BE4A1F15-825B-467b-B5E3-B44F3CCB0048}.exe
1472	{C34AAABF-6BAB-41c1-B1C7-5FD584ED5FD0}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{EB3C558C-8BC8-4fe1-8113-D03B4AD1933F}.exe	{C68C771D-E768-4602-8412-BDC9A32C55A9}.exe
File created	C:\Windows\{28F8EDC9-DA46-4ca1-9516-880C6FCFF4E9}.exe	{E99AEE8A-4CC2-462e-BEE0-759977A51C43}.exe
File created	C:\Windows\{FFAD45ED-0D11-47db-95AB-3F58E5E057E8}.exe	{28F8EDC9-DA46-4ca1-9516-880C6FCFF4E9}.exe
File created	C:\Windows\{BE4A1F15-825B-467b-B5E3-B44F3CCB0048}.exe	{FFAD45ED-0D11-47db-95AB-3F58E5E057E8}.exe
File created	C:\Windows\{7AD19F0D-310F-44f8-9E52-EBF767596353}.exe	{1EEA8708-D180-4c3c-BD60-C1B65D6A8510}.exe
File created	C:\Windows\{5C5F3A06-2F21-4fd5-8E57-450AFFB92B5A}.exe	{7AD19F0D-310F-44f8-9E52-EBF767596353}.exe
File created	C:\Windows\{C68C771D-E768-4602-8412-BDC9A32C55A9}.exe	{5C5F3A06-2F21-4fd5-8E57-450AFFB92B5A}.exe
File created	C:\Windows\{C34AAABF-6BAB-41c1-B1C7-5FD584ED5FD0}.exe	{BE4A1F15-825B-467b-B5E3-B44F3CCB0048}.exe
File created	C:\Windows\{B61FDF39-B0C2-40f1-B717-5E19CD1CC7AC}.exe	2024-04-18_31cdad6f6ca6b31819b235b0d62adfc2_goldeneye.exe
File created	C:\Windows\{1EEA8708-D180-4c3c-BD60-C1B65D6A8510}.exe	{B61FDF39-B0C2-40f1-B717-5E19CD1CC7AC}.exe
File created	C:\Windows\{E99AEE8A-4CC2-462e-BEE0-759977A51C43}.exe	{EB3C558C-8BC8-4fe1-8113-D03B4AD1933F}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2956	2024-04-18_31cdad6f6ca6b31819b235b0d62adfc2_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2964	{B61FDF39-B0C2-40f1-B717-5E19CD1CC7AC}.exe
Token: SeIncBasePriorityPrivilege	2624	{1EEA8708-D180-4c3c-BD60-C1B65D6A8510}.exe
Token: SeIncBasePriorityPrivilege	2248	{7AD19F0D-310F-44f8-9E52-EBF767596353}.exe
Token: SeIncBasePriorityPrivilege	2540	{5C5F3A06-2F21-4fd5-8E57-450AFFB92B5A}.exe
Token: SeIncBasePriorityPrivilege	2480	{C68C771D-E768-4602-8412-BDC9A32C55A9}.exe
Token: SeIncBasePriorityPrivilege	1772	{EB3C558C-8BC8-4fe1-8113-D03B4AD1933F}.exe
Token: SeIncBasePriorityPrivilege	1672	{E99AEE8A-4CC2-462e-BEE0-759977A51C43}.exe
Token: SeIncBasePriorityPrivilege	1520	{28F8EDC9-DA46-4ca1-9516-880C6FCFF4E9}.exe
Token: SeIncBasePriorityPrivilege	2920	{FFAD45ED-0D11-47db-95AB-3F58E5E057E8}.exe
Token: SeIncBasePriorityPrivilege	2828	{BE4A1F15-825B-467b-B5E3-B44F3CCB0048}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2956 wrote to memory of 2964	2956	2024-04-18_31cdad6f6ca6b31819b235b0d62adfc2_goldeneye.exe	28
PID 2956 wrote to memory of 2964	2956	2024-04-18_31cdad6f6ca6b31819b235b0d62adfc2_goldeneye.exe	28
PID 2956 wrote to memory of 2964	2956	2024-04-18_31cdad6f6ca6b31819b235b0d62adfc2_goldeneye.exe	28
PID 2956 wrote to memory of 2964	2956	2024-04-18_31cdad6f6ca6b31819b235b0d62adfc2_goldeneye.exe	28
PID 2956 wrote to memory of 2172	2956	2024-04-18_31cdad6f6ca6b31819b235b0d62adfc2_goldeneye.exe	29
PID 2956 wrote to memory of 2172	2956	2024-04-18_31cdad6f6ca6b31819b235b0d62adfc2_goldeneye.exe	29
PID 2956 wrote to memory of 2172	2956	2024-04-18_31cdad6f6ca6b31819b235b0d62adfc2_goldeneye.exe	29
PID 2956 wrote to memory of 2172	2956	2024-04-18_31cdad6f6ca6b31819b235b0d62adfc2_goldeneye.exe	29
PID 2964 wrote to memory of 2624	2964	{B61FDF39-B0C2-40f1-B717-5E19CD1CC7AC}.exe	30
PID 2964 wrote to memory of 2624	2964	{B61FDF39-B0C2-40f1-B717-5E19CD1CC7AC}.exe	30
PID 2964 wrote to memory of 2624	2964	{B61FDF39-B0C2-40f1-B717-5E19CD1CC7AC}.exe	30
PID 2964 wrote to memory of 2624	2964	{B61FDF39-B0C2-40f1-B717-5E19CD1CC7AC}.exe	30
PID 2964 wrote to memory of 2672	2964	{B61FDF39-B0C2-40f1-B717-5E19CD1CC7AC}.exe	31
PID 2964 wrote to memory of 2672	2964	{B61FDF39-B0C2-40f1-B717-5E19CD1CC7AC}.exe	31
PID 2964 wrote to memory of 2672	2964	{B61FDF39-B0C2-40f1-B717-5E19CD1CC7AC}.exe	31
PID 2964 wrote to memory of 2672	2964	{B61FDF39-B0C2-40f1-B717-5E19CD1CC7AC}.exe	31
PID 2624 wrote to memory of 2248	2624	{1EEA8708-D180-4c3c-BD60-C1B65D6A8510}.exe	32
PID 2624 wrote to memory of 2248	2624	{1EEA8708-D180-4c3c-BD60-C1B65D6A8510}.exe	32
PID 2624 wrote to memory of 2248	2624	{1EEA8708-D180-4c3c-BD60-C1B65D6A8510}.exe	32
PID 2624 wrote to memory of 2248	2624	{1EEA8708-D180-4c3c-BD60-C1B65D6A8510}.exe	32
PID 2624 wrote to memory of 2580	2624	{1EEA8708-D180-4c3c-BD60-C1B65D6A8510}.exe	33
PID 2624 wrote to memory of 2580	2624	{1EEA8708-D180-4c3c-BD60-C1B65D6A8510}.exe	33
PID 2624 wrote to memory of 2580	2624	{1EEA8708-D180-4c3c-BD60-C1B65D6A8510}.exe	33
PID 2624 wrote to memory of 2580	2624	{1EEA8708-D180-4c3c-BD60-C1B65D6A8510}.exe	33
PID 2248 wrote to memory of 2540	2248	{7AD19F0D-310F-44f8-9E52-EBF767596353}.exe	36
PID 2248 wrote to memory of 2540	2248	{7AD19F0D-310F-44f8-9E52-EBF767596353}.exe	36
PID 2248 wrote to memory of 2540	2248	{7AD19F0D-310F-44f8-9E52-EBF767596353}.exe	36
PID 2248 wrote to memory of 2540	2248	{7AD19F0D-310F-44f8-9E52-EBF767596353}.exe	36
PID 2248 wrote to memory of 2896	2248	{7AD19F0D-310F-44f8-9E52-EBF767596353}.exe	37
PID 2248 wrote to memory of 2896	2248	{7AD19F0D-310F-44f8-9E52-EBF767596353}.exe	37
PID 2248 wrote to memory of 2896	2248	{7AD19F0D-310F-44f8-9E52-EBF767596353}.exe	37
PID 2248 wrote to memory of 2896	2248	{7AD19F0D-310F-44f8-9E52-EBF767596353}.exe	37
PID 2540 wrote to memory of 2480	2540	{5C5F3A06-2F21-4fd5-8E57-450AFFB92B5A}.exe	38
PID 2540 wrote to memory of 2480	2540	{5C5F3A06-2F21-4fd5-8E57-450AFFB92B5A}.exe	38
PID 2540 wrote to memory of 2480	2540	{5C5F3A06-2F21-4fd5-8E57-450AFFB92B5A}.exe	38
PID 2540 wrote to memory of 2480	2540	{5C5F3A06-2F21-4fd5-8E57-450AFFB92B5A}.exe	38
PID 2540 wrote to memory of 2508	2540	{5C5F3A06-2F21-4fd5-8E57-450AFFB92B5A}.exe	39
PID 2540 wrote to memory of 2508	2540	{5C5F3A06-2F21-4fd5-8E57-450AFFB92B5A}.exe	39
PID 2540 wrote to memory of 2508	2540	{5C5F3A06-2F21-4fd5-8E57-450AFFB92B5A}.exe	39
PID 2540 wrote to memory of 2508	2540	{5C5F3A06-2F21-4fd5-8E57-450AFFB92B5A}.exe	39
PID 2480 wrote to memory of 1772	2480	{C68C771D-E768-4602-8412-BDC9A32C55A9}.exe	40
PID 2480 wrote to memory of 1772	2480	{C68C771D-E768-4602-8412-BDC9A32C55A9}.exe	40
PID 2480 wrote to memory of 1772	2480	{C68C771D-E768-4602-8412-BDC9A32C55A9}.exe	40
PID 2480 wrote to memory of 1772	2480	{C68C771D-E768-4602-8412-BDC9A32C55A9}.exe	40
PID 2480 wrote to memory of 608	2480	{C68C771D-E768-4602-8412-BDC9A32C55A9}.exe	41
PID 2480 wrote to memory of 608	2480	{C68C771D-E768-4602-8412-BDC9A32C55A9}.exe	41
PID 2480 wrote to memory of 608	2480	{C68C771D-E768-4602-8412-BDC9A32C55A9}.exe	41
PID 2480 wrote to memory of 608	2480	{C68C771D-E768-4602-8412-BDC9A32C55A9}.exe	41
PID 1772 wrote to memory of 1672	1772	{EB3C558C-8BC8-4fe1-8113-D03B4AD1933F}.exe	42
PID 1772 wrote to memory of 1672	1772	{EB3C558C-8BC8-4fe1-8113-D03B4AD1933F}.exe	42
PID 1772 wrote to memory of 1672	1772	{EB3C558C-8BC8-4fe1-8113-D03B4AD1933F}.exe	42
PID 1772 wrote to memory of 1672	1772	{EB3C558C-8BC8-4fe1-8113-D03B4AD1933F}.exe	42
PID 1772 wrote to memory of 1956	1772	{EB3C558C-8BC8-4fe1-8113-D03B4AD1933F}.exe	43
PID 1772 wrote to memory of 1956	1772	{EB3C558C-8BC8-4fe1-8113-D03B4AD1933F}.exe	43
PID 1772 wrote to memory of 1956	1772	{EB3C558C-8BC8-4fe1-8113-D03B4AD1933F}.exe	43
PID 1772 wrote to memory of 1956	1772	{EB3C558C-8BC8-4fe1-8113-D03B4AD1933F}.exe	43
PID 1672 wrote to memory of 1520	1672	{E99AEE8A-4CC2-462e-BEE0-759977A51C43}.exe	44
PID 1672 wrote to memory of 1520	1672	{E99AEE8A-4CC2-462e-BEE0-759977A51C43}.exe	44
PID 1672 wrote to memory of 1520	1672	{E99AEE8A-4CC2-462e-BEE0-759977A51C43}.exe	44
PID 1672 wrote to memory of 1520	1672	{E99AEE8A-4CC2-462e-BEE0-759977A51C43}.exe	44
PID 1672 wrote to memory of 2344	1672	{E99AEE8A-4CC2-462e-BEE0-759977A51C43}.exe	45
PID 1672 wrote to memory of 2344	1672	{E99AEE8A-4CC2-462e-BEE0-759977A51C43}.exe	45
PID 1672 wrote to memory of 2344	1672	{E99AEE8A-4CC2-462e-BEE0-759977A51C43}.exe	45
PID 1672 wrote to memory of 2344	1672	{E99AEE8A-4CC2-462e-BEE0-759977A51C43}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-04-18_31cdad6f6ca6b31819b235b0d62adfc2_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-18_31cdad6f6ca6b31819b235b0d62adfc2_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2956
- C:\Windows\{B61FDF39-B0C2-40f1-B717-5E19CD1CC7AC}.exe
  C:\Windows\{B61FDF39-B0C2-40f1-B717-5E19CD1CC7AC}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2964
- - C:\Windows\{1EEA8708-D180-4c3c-BD60-C1B65D6A8510}.exe
    C:\Windows\{1EEA8708-D180-4c3c-BD60-C1B65D6A8510}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2624
  - - C:\Windows\{7AD19F0D-310F-44f8-9E52-EBF767596353}.exe
      C:\Windows\{7AD19F0D-310F-44f8-9E52-EBF767596353}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2248
    - - C:\Windows\{5C5F3A06-2F21-4fd5-8E57-450AFFB92B5A}.exe
        
        C:\Windows\{5C5F3A06-2F21-4fd5-8E57-450AFFB92B5A}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2540
      - C:\Windows\{C68C771D-E768-4602-8412-BDC9A32C55A9}.exe
        
        C:\Windows\{C68C771D-E768-4602-8412-BDC9A32C55A9}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2480
        
        C:\Windows\{EB3C558C-8BC8-4fe1-8113-D03B4AD1933F}.exe
        
        C:\Windows\{EB3C558C-8BC8-4fe1-8113-D03B4AD1933F}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1772
        
        C:\Windows\{E99AEE8A-4CC2-462e-BEE0-759977A51C43}.exe
        
        C:\Windows\{E99AEE8A-4CC2-462e-BEE0-759977A51C43}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1672
        
        C:\Windows\{28F8EDC9-DA46-4ca1-9516-880C6FCFF4E9}.exe
        
        C:\Windows\{28F8EDC9-DA46-4ca1-9516-880C6FCFF4E9}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1520
        
        C:\Windows\{FFAD45ED-0D11-47db-95AB-3F58E5E057E8}.exe
        
        C:\Windows\{FFAD45ED-0D11-47db-95AB-3F58E5E057E8}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2920
        
        C:\Windows\{BE4A1F15-825B-467b-B5E3-B44F3CCB0048}.exe
        
        C:\Windows\{BE4A1F15-825B-467b-B5E3-B44F3CCB0048}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2828
        
        C:\Windows\{C34AAABF-6BAB-41c1-B1C7-5FD584ED5FD0}.exe
        
        C:\Windows\{C34AAABF-6BAB-41c1-B1C7-5FD584ED5FD0}.exe
        12⤵
        Executes dropped EXE
        
        PID:1472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BE4A1~1.EXE > nul
        12⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FFAD4~1.EXE > nul
        11⤵
        
        PID:1896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{28F8E~1.EXE > nul
        10⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E99AE~1.EXE > nul
        9⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EB3C5~1.EXE > nul
        8⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C68C7~1.EXE > nul
        7⤵
        
        PID:608
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5C5F3~1.EXE > nul
        6⤵
        
        PID:2508
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7AD19~1.EXE > nul
        5⤵
        
        PID:2896
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{1EEA8~1.EXE > nul
      4⤵
      PID:2580
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{B61FD~1.EXE > nul
    3⤵
    PID:2672
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1EEA8708-D180-4c3c-BD60-C1B65D6A8510}.exe

Filesize
408KB

MD5
1413307b11b19775242748a862e06edd

SHA1
a75f5b00c876e621197ebb8f84784baca90cfcb4

SHA256
315ee4c982dd6ff364b94e354dd673136a744197b0d65418ab434db18022f081

SHA512
03d3ed72146c73665c74bcf7381b5da0d68cc9b1f4fc3f09fde75a698eea4fee0681b43b04f74824e6975e66bba11e2218141c34fefee0dd65d2b7fdc2ab3844

Download Submit
C:\Windows\{28F8EDC9-DA46-4ca1-9516-880C6FCFF4E9}.exe

Filesize
408KB

MD5
733a353455b4aaf31dde569248d33fd9

SHA1
72fad5871d914cd268f7b930208b813b99cf4d58

SHA256
55545b2efae3249c82607271bd246218802d5b6ee2b2f80b8725bad8cf8e379c

SHA512
c637d3200832053e5b14394b35b20fbb380e0ddd08dcec65677f185a526ea2d9a7e360f200656abf1b28301008dcef8f5bafccfe1c10ccba4908baa1ae0cf73f

Download Submit
C:\Windows\{5C5F3A06-2F21-4fd5-8E57-450AFFB92B5A}.exe

Filesize
408KB

MD5
f1874f737f905ddad074be89bf635637

SHA1
9e0beba8338495b1997102599440f8837533069a

SHA256
db189b22b9a15d24e7937df541cb63285923ba99f0a345eb292bb57ea4ab6097

SHA512
ce5dab9c35282bbd85899850f7773fc49dff30b224bf1bb84753914ebc008b5f765c2bf35bea234f5f015abfad029e52df92df4721fba2ab18134ce120c2e0fb

Download Submit
C:\Windows\{7AD19F0D-310F-44f8-9E52-EBF767596353}.exe

Filesize
408KB

MD5
5626b8fcbfb2433000d764842e2f0a98

SHA1
61daa4d59b5082b839d10e3ba5cf78d9ba885e04

SHA256
fc8c9656c26214755381e0046c80a0f67cd4e86f9b258403c73451edddf8fd38

SHA512
be8fdbe0a0de0066b9355e8213a32bc9fff0d630db755ad0bfdca277bc711fef25ba820f7fd27ae7470c2c95b50ca3e05f83f963b930e2776e8863e0570eecf9

Download Submit
C:\Windows\{B61FDF39-B0C2-40f1-B717-5E19CD1CC7AC}.exe

Filesize
408KB

MD5
a98573fb46139140cfdcfc292e79c8ce

SHA1
f38cc083c70b2f535ba86d206a552bd73de86ef5

SHA256
1244194cdab6ed24d4b267cd7d7eba6e8abdcad05dfbba7ea25081c1e7638806

SHA512
d4d76057e03f1306e82939efc1967072fc0ffb04c13b452637284e7133a51ae15cdb8bc0cefaef12ecf7d898fac81b4357b924dfb2b140b81d543a3c3a6ee99d

Download Submit
C:\Windows\{BE4A1F15-825B-467b-B5E3-B44F3CCB0048}.exe

Filesize
408KB

MD5
7a915c771735c76a72a4a98d55014b5c

SHA1
34eb0ce66820caca337cd2de966d0e86a93597b3

SHA256
7766759899464f80c18debdd40be61eb350090b22294d718404dff5b0b571f7e

SHA512
6cfdd7fbbc9c26996efa1e75a8af5acf4c7c7184dc97f60b6c0912fabe0415b9885a3f4181b632af334aba0f1a65ecff628a6794a9e8e9fa05b1fce27a7af635

Download Submit
C:\Windows\{C34AAABF-6BAB-41c1-B1C7-5FD584ED5FD0}.exe

Filesize
408KB

MD5
c5d741798d2bde1f3cd10caa2cb0831d

SHA1
d68f6423d7a06ca061585d5832978dd41af73149

SHA256
3f479ee896481b7e4f9319bfa5585fa28b99282488e5377f40f4895309434b38

SHA512
c82700e13c56b2f301ba7eb0b9cd7c84d7c30febc0e71f4d2a62a27e1710cc430a0bc47069779150c6c8baf2925a3dd60ab55e823cfceeb15044ae076ae42482

Download Submit
C:\Windows\{C68C771D-E768-4602-8412-BDC9A32C55A9}.exe

Filesize
408KB

MD5
4cb015f90c74d4961120d473a2504015

SHA1
90fa78e137131e363f7ceef4d755f39ffbd503d1

SHA256
bebc3f3995462134299ec021508d29b3d473643592fc13b985ec2904b9fa13e1

SHA512
6f50f759a90be0b9d2cc808347268abe76ebfb1e6106a245c33380652377b041e7fac6bfa81a6595f8b8a429804792c5e3449ac29334a7bac58e967cb3458d8c

Download Submit
C:\Windows\{E99AEE8A-4CC2-462e-BEE0-759977A51C43}.exe

Filesize
408KB

MD5
18717637aeae3f89086e88ccec314cc3

SHA1
1cb7868b5308062e077e1799fddb24d0c9821fa8

SHA256
3f2a98eda2562b52e3178cc6d9261f260ef88f1b182159527e62bf7f0a43dde8

SHA512
70a218e8afcfbec77dd27f1c593694ed0d9c27f15ff8f01d3eafa6c68e7ea0feed7f682d85078825557270135f6b7233043131e51ae791e8aa6afee916438461

Download Submit
C:\Windows\{EB3C558C-8BC8-4fe1-8113-D03B4AD1933F}.exe

Filesize
408KB

MD5
04722d9e1a7977fd7ae3bf8a4f83d3bb

SHA1
4f09c7e63731e91dad4eeb7f9ba5512631e5dba6

SHA256
ab9470995fd332d91b5679ba45ec9f1335e736683db66a827b97e2f4167b80df

SHA512
19f2997c092b0bf7849ea5878d12f75a9fba2102c345b9cf65234dd85b7bf52ba682c393a332b7e615b1d36d2509e8a5d546c422476071778e825fdee48843ef

Download Submit
C:\Windows\{FFAD45ED-0D11-47db-95AB-3F58E5E057E8}.exe

Filesize
408KB

MD5
6fb8c22cf59ca60ae17efa79b922bcd1

SHA1
0f7273c559434df22e523cbe66f4aeb851375ac7

SHA256
f1e66ea86b11429a994df48925eb448a50cbf7bb559d1460427be9f8324b4b0a

SHA512
ce8f3c8c2ca01fc59b07e8cacc0786f7e9609f2c0abee9908622d27f3e98447f80d548dc9026f6e84e7613efd6d4b4ead2217128d92fc2686c7923d2fe860025

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads