851070a5c4a4cb16c827ecf3d150b37310c179a7c1aa4a00a29754d681f42ff2

Analysis

max time kernel
144s
max time network
120s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
19-04-2024 16:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-19_c15ab7665b97b54ddc99d4b3bcf4506d_goldeneye.exe
Size

168KB
MD5

c15ab7665b97b54ddc99d4b3bcf4506d
SHA1

eb560423542bdfa6ab5aad079014f124adaa0ad2
SHA256

851070a5c4a4cb16c827ecf3d150b37310c179a7c1aa4a00a29754d681f42ff2
SHA512

c55e6312657c1dbcb9984f8cfd0014c9e09b528a55d81013d066f8354af39e4a2596b27642d0cf08dea3a425d5f21d7fa437282c5868e37db21a5e2202a94ce0
SSDEEP

1536:1EGh0o9li5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0o9liOPOe2MUVg3Ve+rX

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000b000000012251-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c0000000146fc-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000012251-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0033000000014b18-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000012251-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e000000012251-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f000000012251-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E922916F-9C18-4e58-8DCC-1BF04E3DFA95}\stubpath = "C:\\Windows\\{E922916F-9C18-4e58-8DCC-1BF04E3DFA95}.exe"	{BB22C793-D705-4274-9712-B23A642C9BA1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5CE9C8FF-8A48-4809-8B56-7BEA580FF617}	{E922916F-9C18-4e58-8DCC-1BF04E3DFA95}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D49E0E9B-82B7-48be-94DC-61FCA9D52989}	{1EDD11FC-4870-4e8a-908F-B78D915E8FE6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D49E0E9B-82B7-48be-94DC-61FCA9D52989}\stubpath = "C:\\Windows\\{D49E0E9B-82B7-48be-94DC-61FCA9D52989}.exe"	{1EDD11FC-4870-4e8a-908F-B78D915E8FE6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5F545A0A-E9C4-4328-970D-DDAF9B0F0336}	2024-04-19_c15ab7665b97b54ddc99d4b3bcf4506d_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D15B97DF-1687-4991-B197-77024A6B35C5}	{9A397FA4-2B76-43cc-9149-8071A889FDFB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FCB17809-2C5D-44ee-A82B-ED575D95594E}\stubpath = "C:\\Windows\\{FCB17809-2C5D-44ee-A82B-ED575D95594E}.exe"	{D15B97DF-1687-4991-B197-77024A6B35C5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C34E1C56-C7D9-4cb6-ADCE-2F8534F2A7A3}\stubpath = "C:\\Windows\\{C34E1C56-C7D9-4cb6-ADCE-2F8534F2A7A3}.exe"	{FCB17809-2C5D-44ee-A82B-ED575D95594E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5BAB809D-AD4B-401f-B028-953724403AAA}	{C34E1C56-C7D9-4cb6-ADCE-2F8534F2A7A3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BB22C793-D705-4274-9712-B23A642C9BA1}	{5BAB809D-AD4B-401f-B028-953724403AAA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E922916F-9C18-4e58-8DCC-1BF04E3DFA95}	{BB22C793-D705-4274-9712-B23A642C9BA1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9A397FA4-2B76-43cc-9149-8071A889FDFB}	{5F545A0A-E9C4-4328-970D-DDAF9B0F0336}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D15B97DF-1687-4991-B197-77024A6B35C5}\stubpath = "C:\\Windows\\{D15B97DF-1687-4991-B197-77024A6B35C5}.exe"	{9A397FA4-2B76-43cc-9149-8071A889FDFB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1EDD11FC-4870-4e8a-908F-B78D915E8FE6}	{5CE9C8FF-8A48-4809-8B56-7BEA580FF617}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C34E1C56-C7D9-4cb6-ADCE-2F8534F2A7A3}	{FCB17809-2C5D-44ee-A82B-ED575D95594E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5BAB809D-AD4B-401f-B028-953724403AAA}\stubpath = "C:\\Windows\\{5BAB809D-AD4B-401f-B028-953724403AAA}.exe"	{C34E1C56-C7D9-4cb6-ADCE-2F8534F2A7A3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FCB17809-2C5D-44ee-A82B-ED575D95594E}	{D15B97DF-1687-4991-B197-77024A6B35C5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BB22C793-D705-4274-9712-B23A642C9BA1}\stubpath = "C:\\Windows\\{BB22C793-D705-4274-9712-B23A642C9BA1}.exe"	{5BAB809D-AD4B-401f-B028-953724403AAA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5CE9C8FF-8A48-4809-8B56-7BEA580FF617}\stubpath = "C:\\Windows\\{5CE9C8FF-8A48-4809-8B56-7BEA580FF617}.exe"	{E922916F-9C18-4e58-8DCC-1BF04E3DFA95}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1EDD11FC-4870-4e8a-908F-B78D915E8FE6}\stubpath = "C:\\Windows\\{1EDD11FC-4870-4e8a-908F-B78D915E8FE6}.exe"	{5CE9C8FF-8A48-4809-8B56-7BEA580FF617}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5F545A0A-E9C4-4328-970D-DDAF9B0F0336}\stubpath = "C:\\Windows\\{5F545A0A-E9C4-4328-970D-DDAF9B0F0336}.exe"	2024-04-19_c15ab7665b97b54ddc99d4b3bcf4506d_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9A397FA4-2B76-43cc-9149-8071A889FDFB}\stubpath = "C:\\Windows\\{9A397FA4-2B76-43cc-9149-8071A889FDFB}.exe"	{5F545A0A-E9C4-4328-970D-DDAF9B0F0336}.exe

Deletes itself 1 IoCs

pid	Process
2584	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2036	{5F545A0A-E9C4-4328-970D-DDAF9B0F0336}.exe
2552	{9A397FA4-2B76-43cc-9149-8071A889FDFB}.exe
1668	{D15B97DF-1687-4991-B197-77024A6B35C5}.exe
1520	{FCB17809-2C5D-44ee-A82B-ED575D95594E}.exe
1748	{C34E1C56-C7D9-4cb6-ADCE-2F8534F2A7A3}.exe
1976	{5BAB809D-AD4B-401f-B028-953724403AAA}.exe
2828	{BB22C793-D705-4274-9712-B23A642C9BA1}.exe
1484	{E922916F-9C18-4e58-8DCC-1BF04E3DFA95}.exe
1996	{5CE9C8FF-8A48-4809-8B56-7BEA580FF617}.exe
592	{1EDD11FC-4870-4e8a-908F-B78D915E8FE6}.exe
2764	{D49E0E9B-82B7-48be-94DC-61FCA9D52989}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{5F545A0A-E9C4-4328-970D-DDAF9B0F0336}.exe	2024-04-19_c15ab7665b97b54ddc99d4b3bcf4506d_goldeneye.exe
File created	C:\Windows\{9A397FA4-2B76-43cc-9149-8071A889FDFB}.exe	{5F545A0A-E9C4-4328-970D-DDAF9B0F0336}.exe
File created	C:\Windows\{D15B97DF-1687-4991-B197-77024A6B35C5}.exe	{9A397FA4-2B76-43cc-9149-8071A889FDFB}.exe
File created	C:\Windows\{E922916F-9C18-4e58-8DCC-1BF04E3DFA95}.exe	{BB22C793-D705-4274-9712-B23A642C9BA1}.exe
File created	C:\Windows\{1EDD11FC-4870-4e8a-908F-B78D915E8FE6}.exe	{5CE9C8FF-8A48-4809-8B56-7BEA580FF617}.exe
File created	C:\Windows\{D49E0E9B-82B7-48be-94DC-61FCA9D52989}.exe	{1EDD11FC-4870-4e8a-908F-B78D915E8FE6}.exe
File created	C:\Windows\{FCB17809-2C5D-44ee-A82B-ED575D95594E}.exe	{D15B97DF-1687-4991-B197-77024A6B35C5}.exe
File created	C:\Windows\{C34E1C56-C7D9-4cb6-ADCE-2F8534F2A7A3}.exe	{FCB17809-2C5D-44ee-A82B-ED575D95594E}.exe
File created	C:\Windows\{5BAB809D-AD4B-401f-B028-953724403AAA}.exe	{C34E1C56-C7D9-4cb6-ADCE-2F8534F2A7A3}.exe
File created	C:\Windows\{BB22C793-D705-4274-9712-B23A642C9BA1}.exe	{5BAB809D-AD4B-401f-B028-953724403AAA}.exe
File created	C:\Windows\{5CE9C8FF-8A48-4809-8B56-7BEA580FF617}.exe	{E922916F-9C18-4e58-8DCC-1BF04E3DFA95}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2324	2024-04-19_c15ab7665b97b54ddc99d4b3bcf4506d_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2036	{5F545A0A-E9C4-4328-970D-DDAF9B0F0336}.exe
Token: SeIncBasePriorityPrivilege	2552	{9A397FA4-2B76-43cc-9149-8071A889FDFB}.exe
Token: SeIncBasePriorityPrivilege	1668	{D15B97DF-1687-4991-B197-77024A6B35C5}.exe
Token: SeIncBasePriorityPrivilege	1520	{FCB17809-2C5D-44ee-A82B-ED575D95594E}.exe
Token: SeIncBasePriorityPrivilege	1748	{C34E1C56-C7D9-4cb6-ADCE-2F8534F2A7A3}.exe
Token: SeIncBasePriorityPrivilege	1976	{5BAB809D-AD4B-401f-B028-953724403AAA}.exe
Token: SeIncBasePriorityPrivilege	2828	{BB22C793-D705-4274-9712-B23A642C9BA1}.exe
Token: SeIncBasePriorityPrivilege	1484	{E922916F-9C18-4e58-8DCC-1BF04E3DFA95}.exe
Token: SeIncBasePriorityPrivilege	1996	{5CE9C8FF-8A48-4809-8B56-7BEA580FF617}.exe
Token: SeIncBasePriorityPrivilege	592	{1EDD11FC-4870-4e8a-908F-B78D915E8FE6}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2324 wrote to memory of 2036	2324	2024-04-19_c15ab7665b97b54ddc99d4b3bcf4506d_goldeneye.exe	28
PID 2324 wrote to memory of 2036	2324	2024-04-19_c15ab7665b97b54ddc99d4b3bcf4506d_goldeneye.exe	28
PID 2324 wrote to memory of 2036	2324	2024-04-19_c15ab7665b97b54ddc99d4b3bcf4506d_goldeneye.exe	28
PID 2324 wrote to memory of 2036	2324	2024-04-19_c15ab7665b97b54ddc99d4b3bcf4506d_goldeneye.exe	28
PID 2324 wrote to memory of 2584	2324	2024-04-19_c15ab7665b97b54ddc99d4b3bcf4506d_goldeneye.exe	29
PID 2324 wrote to memory of 2584	2324	2024-04-19_c15ab7665b97b54ddc99d4b3bcf4506d_goldeneye.exe	29
PID 2324 wrote to memory of 2584	2324	2024-04-19_c15ab7665b97b54ddc99d4b3bcf4506d_goldeneye.exe	29
PID 2324 wrote to memory of 2584	2324	2024-04-19_c15ab7665b97b54ddc99d4b3bcf4506d_goldeneye.exe	29
PID 2036 wrote to memory of 2552	2036	{5F545A0A-E9C4-4328-970D-DDAF9B0F0336}.exe	30
PID 2036 wrote to memory of 2552	2036	{5F545A0A-E9C4-4328-970D-DDAF9B0F0336}.exe	30
PID 2036 wrote to memory of 2552	2036	{5F545A0A-E9C4-4328-970D-DDAF9B0F0336}.exe	30
PID 2036 wrote to memory of 2552	2036	{5F545A0A-E9C4-4328-970D-DDAF9B0F0336}.exe	30
PID 2036 wrote to memory of 2640	2036	{5F545A0A-E9C4-4328-970D-DDAF9B0F0336}.exe	31
PID 2036 wrote to memory of 2640	2036	{5F545A0A-E9C4-4328-970D-DDAF9B0F0336}.exe	31
PID 2036 wrote to memory of 2640	2036	{5F545A0A-E9C4-4328-970D-DDAF9B0F0336}.exe	31
PID 2036 wrote to memory of 2640	2036	{5F545A0A-E9C4-4328-970D-DDAF9B0F0336}.exe	31
PID 2552 wrote to memory of 1668	2552	{9A397FA4-2B76-43cc-9149-8071A889FDFB}.exe	32
PID 2552 wrote to memory of 1668	2552	{9A397FA4-2B76-43cc-9149-8071A889FDFB}.exe	32
PID 2552 wrote to memory of 1668	2552	{9A397FA4-2B76-43cc-9149-8071A889FDFB}.exe	32
PID 2552 wrote to memory of 1668	2552	{9A397FA4-2B76-43cc-9149-8071A889FDFB}.exe	32
PID 2552 wrote to memory of 2400	2552	{9A397FA4-2B76-43cc-9149-8071A889FDFB}.exe	33
PID 2552 wrote to memory of 2400	2552	{9A397FA4-2B76-43cc-9149-8071A889FDFB}.exe	33
PID 2552 wrote to memory of 2400	2552	{9A397FA4-2B76-43cc-9149-8071A889FDFB}.exe	33
PID 2552 wrote to memory of 2400	2552	{9A397FA4-2B76-43cc-9149-8071A889FDFB}.exe	33
PID 1668 wrote to memory of 1520	1668	{D15B97DF-1687-4991-B197-77024A6B35C5}.exe	36
PID 1668 wrote to memory of 1520	1668	{D15B97DF-1687-4991-B197-77024A6B35C5}.exe	36
PID 1668 wrote to memory of 1520	1668	{D15B97DF-1687-4991-B197-77024A6B35C5}.exe	36
PID 1668 wrote to memory of 1520	1668	{D15B97DF-1687-4991-B197-77024A6B35C5}.exe	36
PID 1668 wrote to memory of 2364	1668	{D15B97DF-1687-4991-B197-77024A6B35C5}.exe	37
PID 1668 wrote to memory of 2364	1668	{D15B97DF-1687-4991-B197-77024A6B35C5}.exe	37
PID 1668 wrote to memory of 2364	1668	{D15B97DF-1687-4991-B197-77024A6B35C5}.exe	37
PID 1668 wrote to memory of 2364	1668	{D15B97DF-1687-4991-B197-77024A6B35C5}.exe	37
PID 1520 wrote to memory of 1748	1520	{FCB17809-2C5D-44ee-A82B-ED575D95594E}.exe	38
PID 1520 wrote to memory of 1748	1520	{FCB17809-2C5D-44ee-A82B-ED575D95594E}.exe	38
PID 1520 wrote to memory of 1748	1520	{FCB17809-2C5D-44ee-A82B-ED575D95594E}.exe	38
PID 1520 wrote to memory of 1748	1520	{FCB17809-2C5D-44ee-A82B-ED575D95594E}.exe	38
PID 1520 wrote to memory of 1720	1520	{FCB17809-2C5D-44ee-A82B-ED575D95594E}.exe	39
PID 1520 wrote to memory of 1720	1520	{FCB17809-2C5D-44ee-A82B-ED575D95594E}.exe	39
PID 1520 wrote to memory of 1720	1520	{FCB17809-2C5D-44ee-A82B-ED575D95594E}.exe	39
PID 1520 wrote to memory of 1720	1520	{FCB17809-2C5D-44ee-A82B-ED575D95594E}.exe	39
PID 1748 wrote to memory of 1976	1748	{C34E1C56-C7D9-4cb6-ADCE-2F8534F2A7A3}.exe	40
PID 1748 wrote to memory of 1976	1748	{C34E1C56-C7D9-4cb6-ADCE-2F8534F2A7A3}.exe	40
PID 1748 wrote to memory of 1976	1748	{C34E1C56-C7D9-4cb6-ADCE-2F8534F2A7A3}.exe	40
PID 1748 wrote to memory of 1976	1748	{C34E1C56-C7D9-4cb6-ADCE-2F8534F2A7A3}.exe	40
PID 1748 wrote to memory of 2144	1748	{C34E1C56-C7D9-4cb6-ADCE-2F8534F2A7A3}.exe	41
PID 1748 wrote to memory of 2144	1748	{C34E1C56-C7D9-4cb6-ADCE-2F8534F2A7A3}.exe	41
PID 1748 wrote to memory of 2144	1748	{C34E1C56-C7D9-4cb6-ADCE-2F8534F2A7A3}.exe	41
PID 1748 wrote to memory of 2144	1748	{C34E1C56-C7D9-4cb6-ADCE-2F8534F2A7A3}.exe	41
PID 1976 wrote to memory of 2828	1976	{5BAB809D-AD4B-401f-B028-953724403AAA}.exe	42
PID 1976 wrote to memory of 2828	1976	{5BAB809D-AD4B-401f-B028-953724403AAA}.exe	42
PID 1976 wrote to memory of 2828	1976	{5BAB809D-AD4B-401f-B028-953724403AAA}.exe	42
PID 1976 wrote to memory of 2828	1976	{5BAB809D-AD4B-401f-B028-953724403AAA}.exe	42
PID 1976 wrote to memory of 544	1976	{5BAB809D-AD4B-401f-B028-953724403AAA}.exe	43
PID 1976 wrote to memory of 544	1976	{5BAB809D-AD4B-401f-B028-953724403AAA}.exe	43
PID 1976 wrote to memory of 544	1976	{5BAB809D-AD4B-401f-B028-953724403AAA}.exe	43
PID 1976 wrote to memory of 544	1976	{5BAB809D-AD4B-401f-B028-953724403AAA}.exe	43
PID 2828 wrote to memory of 1484	2828	{BB22C793-D705-4274-9712-B23A642C9BA1}.exe	44
PID 2828 wrote to memory of 1484	2828	{BB22C793-D705-4274-9712-B23A642C9BA1}.exe	44
PID 2828 wrote to memory of 1484	2828	{BB22C793-D705-4274-9712-B23A642C9BA1}.exe	44
PID 2828 wrote to memory of 1484	2828	{BB22C793-D705-4274-9712-B23A642C9BA1}.exe	44
PID 2828 wrote to memory of 1696	2828	{BB22C793-D705-4274-9712-B23A642C9BA1}.exe	45
PID 2828 wrote to memory of 1696	2828	{BB22C793-D705-4274-9712-B23A642C9BA1}.exe	45
PID 2828 wrote to memory of 1696	2828	{BB22C793-D705-4274-9712-B23A642C9BA1}.exe	45
PID 2828 wrote to memory of 1696	2828	{BB22C793-D705-4274-9712-B23A642C9BA1}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-04-19_c15ab7665b97b54ddc99d4b3bcf4506d_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-19_c15ab7665b97b54ddc99d4b3bcf4506d_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2324
- C:\Windows\{5F545A0A-E9C4-4328-970D-DDAF9B0F0336}.exe
  C:\Windows\{5F545A0A-E9C4-4328-970D-DDAF9B0F0336}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2036
- - C:\Windows\{9A397FA4-2B76-43cc-9149-8071A889FDFB}.exe
    C:\Windows\{9A397FA4-2B76-43cc-9149-8071A889FDFB}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2552
  - - C:\Windows\{D15B97DF-1687-4991-B197-77024A6B35C5}.exe
      C:\Windows\{D15B97DF-1687-4991-B197-77024A6B35C5}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1668
    - - C:\Windows\{FCB17809-2C5D-44ee-A82B-ED575D95594E}.exe
        
        C:\Windows\{FCB17809-2C5D-44ee-A82B-ED575D95594E}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1520
      - C:\Windows\{C34E1C56-C7D9-4cb6-ADCE-2F8534F2A7A3}.exe
        
        C:\Windows\{C34E1C56-C7D9-4cb6-ADCE-2F8534F2A7A3}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1748
        
        C:\Windows\{5BAB809D-AD4B-401f-B028-953724403AAA}.exe
        
        C:\Windows\{5BAB809D-AD4B-401f-B028-953724403AAA}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1976
        
        C:\Windows\{BB22C793-D705-4274-9712-B23A642C9BA1}.exe
        
        C:\Windows\{BB22C793-D705-4274-9712-B23A642C9BA1}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2828
        
        C:\Windows\{E922916F-9C18-4e58-8DCC-1BF04E3DFA95}.exe
        
        C:\Windows\{E922916F-9C18-4e58-8DCC-1BF04E3DFA95}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1484
        
        C:\Windows\{5CE9C8FF-8A48-4809-8B56-7BEA580FF617}.exe
        
        C:\Windows\{5CE9C8FF-8A48-4809-8B56-7BEA580FF617}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1996
        
        C:\Windows\{1EDD11FC-4870-4e8a-908F-B78D915E8FE6}.exe
        
        C:\Windows\{1EDD11FC-4870-4e8a-908F-B78D915E8FE6}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:592
        
        C:\Windows\{D49E0E9B-82B7-48be-94DC-61FCA9D52989}.exe
        
        C:\Windows\{D49E0E9B-82B7-48be-94DC-61FCA9D52989}.exe
        12⤵
        Executes dropped EXE
        
        PID:2764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1EDD1~1.EXE > nul
        12⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5CE9C~1.EXE > nul
        11⤵
        
        PID:708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E9229~1.EXE > nul
        10⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BB22C~1.EXE > nul
        9⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5BAB8~1.EXE > nul
        8⤵
        
        PID:544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C34E1~1.EXE > nul
        7⤵
        
        PID:2144
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FCB17~1.EXE > nul
        6⤵
        
        PID:1720
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D15B9~1.EXE > nul
        5⤵
        
        PID:2364
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{9A397~1.EXE > nul
      4⤵
      PID:2400
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{5F545~1.EXE > nul
    3⤵
    PID:2640
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1EDD11FC-4870-4e8a-908F-B78D915E8FE6}.exe

Filesize
168KB

MD5
4a7925f85dc0081752793ddd6ccb1446

SHA1
33a33617805488f5be8f641be98eda702c757a8b

SHA256
018461204a6e63235b4419bf398000e74e1e21b0919e39800d4dafb21bfaa7af

SHA512
33e9acabee70d077a8925d67f8676cb7bf77a863c3af019d15b128ad30a3e6010ac3a33698116f8012b919a49a81fdd789d0e5a23704a4d7e0b2bece026cd5e6

Download Submit
C:\Windows\{5BAB809D-AD4B-401f-B028-953724403AAA}.exe

Filesize
168KB

MD5
d8512e6371874b0c22ab1ee288643b2f

SHA1
870f4225ac78685ea3563fe0c683affcbd65ab67

SHA256
a4bb5c22713ef676674fbf286c21e1445b05d66c0076a0f8efc7cce13014981f

SHA512
7cea7637c7e74674c2d65dffc0e3861c535f84b587fd5a3dd32a4b5a8feb46557ece34b5b828b6df321cd8288d030b919032da4a524cbb83afc5bc337dfefdec

Download Submit
C:\Windows\{5CE9C8FF-8A48-4809-8B56-7BEA580FF617}.exe

Filesize
168KB

MD5
5d6d3eca9a9fe1b9fef69653354436a6

SHA1
4a775f8cf65c2d4ebf95009737a06b9c25635479

SHA256
93453c14b15a7be9cafce271f672a0d8772713de2bd5095ae9af1011f43960e7

SHA512
1100b39921b9d448a6ff387023ac1b53696736071fa5529ec9cfc617711aa6e39865b0008b2bf2d7c996a5c7256e97224c00b3d72e09e5c0da47dea6e7b5c4bd

Download Submit
C:\Windows\{5F545A0A-E9C4-4328-970D-DDAF9B0F0336}.exe

Filesize
168KB

MD5
d4128c32fd1e129503a1bca11b093de7

SHA1
ef461d76b4840db73183bd9e52bba1719ac3689c

SHA256
7e420e3a516118738f8caf3da9c72376cdb982131a94f0ba27263d5ac0e48c45

SHA512
b2907c1448dcfc9af3c51f056e2b3b2da480275344ce562223062d411d699f68489242cd81e2467e20d52db11a1fc9e78189d2cb3b0bf0797a5c1890ce3c6776

Download Submit
C:\Windows\{9A397FA4-2B76-43cc-9149-8071A889FDFB}.exe

Filesize
168KB

MD5
a4bd0023013fd3f4302cead232f74270

SHA1
e716fa7749d39764372c7e30bd977ef135c33e96

SHA256
3423e4a3dc17083e4b2a121122de1adb156845cbefb3b1ac7dc2b6212881d001

SHA512
88633e5fda65119effe01ab41e4cc3ab6d61bf2178aa23562bcea550422e06868f2c63caa45b8f38b763f5a5d8c896c1592acbdbb99ed0e4b5320177dc521a44

Download Submit
C:\Windows\{BB22C793-D705-4274-9712-B23A642C9BA1}.exe

Filesize
168KB

MD5
55c959b41a6ff4d88bbd1cfefc97b209

SHA1
913c7ff1a2ea95d761945bdc23629b25ec6680d2

SHA256
12f1dca31ff16e6cfac64993b9bb2302604144d0c49f2620b20ae9aceccf898c

SHA512
53424925c9a9574a52b5971caebfdf0e12739aed3d9100274a55fb500f72f6c15b307d1ab08f7ae7bbed3cd4a67159dbd4b1ce7ce884b7435460587a22ede27e

Download Submit
C:\Windows\{C34E1C56-C7D9-4cb6-ADCE-2F8534F2A7A3}.exe

Filesize
168KB

MD5
9a473e0076b008aa68eaba5a505a3970

SHA1
a64406ee866a0c773a29d9b4abd934181fd380f9

SHA256
9e221df7afd9181552855e02a5999602f488dad1d70ed40c89eb4d888a0e2200

SHA512
e583df38a7404a20f426b9e3b232e124deb093044a0f8d5aa21f89edf70c29728858531662539459fdff39cd03cb10914c90e38557b1e14950d2c12ba5410de3

Download Submit
C:\Windows\{D15B97DF-1687-4991-B197-77024A6B35C5}.exe

Filesize
168KB

MD5
6763c67c524609b5d14521b459e839d0

SHA1
d2c9859328981d175af09cfe8e5b4e062dc5a687

SHA256
01d7320ef91abbf6a37eca9bdaba012c849851298480c08f16d1010eef5664c0

SHA512
20e43cbcf0efe26d535b4eee2699e819a4bf3cff98e7d2d3ca316bf0866b39c2eecc1083fc7370f8dbf57377ab2f24e10742b85c24ec108564bc2b1f6ccff10f

Download Submit
C:\Windows\{D49E0E9B-82B7-48be-94DC-61FCA9D52989}.exe

Filesize
168KB

MD5
04d39b9d2e72dcdbd76b4199a168cdb9

SHA1
f0be62e31d35357f176ab08fd4c03813bda32972

SHA256
7b91ca1976cfed548cfec9f7a39f87cfb0e90ef6ca55ccabd0649e4dc070394d

SHA512
30fe1d15254c0fe70967d2b35ce84221c4f1853b04c0c9da2c47051ed58817778f5f296319d5d13a64420877605170c6057d631d86381eced0ba965263d258c6

Download Submit
C:\Windows\{E922916F-9C18-4e58-8DCC-1BF04E3DFA95}.exe

Filesize
168KB

MD5
3252ddfe5adb0d063e4a3b6d4f746c71

SHA1
5a9ec65e5e2a30ab27f5090114dd553807837db6

SHA256
77232cfdf1b9e44ba9b4f2949e61463edfb73de0fdb056b48728d4bba1d75470

SHA512
d2ad58b73ea6798ed228630ca2820f8ff033a4340a90aeb4520d1c9b4272f801d3ae0aff62a3825f68b4a57a669eec0d20b91bf96a11cd6e8bbf0f2326ad3e3c

Download Submit
C:\Windows\{FCB17809-2C5D-44ee-A82B-ED575D95594E}.exe

Filesize
168KB

MD5
d8535b06ac79802c9772ece060a10540

SHA1
a2b88a87c147f58586db16ad226ba637a8da15e5

SHA256
396740125ba60aadab90737110047c4648ab83544cdae083d961960e77e7a6fb

SHA512
4d13cc8819c0dcd06840674600bb931e654cf0664d59ddca25c7c06ef5417b5df4f664c2db2c8d6ac689b2f1fe2079579c6c740e3197cc0fc28258b7ad82e517

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads