a2ffab01f12a47baa5496bb2802b9e9d8ddd9faf7bdd6615c0930798ef9d3d45

Analysis

max time kernel
144s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
20/04/2024, 11:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-20_cc50656a5e5184477338c9d3fadacbb9_goldeneye.exe
Size

408KB
MD5

cc50656a5e5184477338c9d3fadacbb9
SHA1

9ce808117d63e68d4988755c6f02ea6565873942
SHA256

a2ffab01f12a47baa5496bb2802b9e9d8ddd9faf7bdd6615c0930798ef9d3d45
SHA512

9154595b62d97814de3fa82ba0b7911e1250c2d88d01594bb22042d1157b33742b28a1b1de2b72372cad19010b402b744eb81d4e08c3cfe58c04d113433d2d2e
SSDEEP

3072:CEGh0oBl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBft:CEG3ldOe2MUVg3vTeKcAEciTBqr3jy9

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x00070000000120e4-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0029000000015c52-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f00000000f680-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002a000000015c52-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001000000000f680-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002b000000015c52-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001100000000f680-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002c000000015c52-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001200000000f680-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002d000000015c52-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001300000000f680-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D71A6E36-8108-42f3-8181-D3CD809269BE}	{0ED958C1-B91F-4b64-84D3-3CC837CB12BE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{42AE2177-1CCF-4c0d-A70C-90FCA3E47382}\stubpath = "C:\\Windows\\{42AE2177-1CCF-4c0d-A70C-90FCA3E47382}.exe"	{DE32A5BB-6C86-4c96-A24E-93A9F1418932}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{60CFDA12-279D-4507-8DD0-C53DAC3B0A97}	{54DF59D1-FC0F-4c1e-A1CB-7351A7C69DB2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{00B30023-10B3-4807-9304-9716A3773B79}\stubpath = "C:\\Windows\\{00B30023-10B3-4807-9304-9716A3773B79}.exe"	{6FE12B9F-318C-4461-AF03-30E58B2F568F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2EA4AC37-996C-4042-B23E-41A9BCB017F9}	{F669253D-95C3-4ae3-B044-24F1D03291D5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{60CFDA12-279D-4507-8DD0-C53DAC3B0A97}\stubpath = "C:\\Windows\\{60CFDA12-279D-4507-8DD0-C53DAC3B0A97}.exe"	{54DF59D1-FC0F-4c1e-A1CB-7351A7C69DB2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6FE12B9F-318C-4461-AF03-30E58B2F568F}	{60CFDA12-279D-4507-8DD0-C53DAC3B0A97}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{00B30023-10B3-4807-9304-9716A3773B79}	{6FE12B9F-318C-4461-AF03-30E58B2F568F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0ED958C1-B91F-4b64-84D3-3CC837CB12BE}	{2EA4AC37-996C-4042-B23E-41A9BCB017F9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{686BFA68-93C4-466e-AF41-860CE5E81BDA}	2024-04-20_cc50656a5e5184477338c9d3fadacbb9_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{42AE2177-1CCF-4c0d-A70C-90FCA3E47382}	{DE32A5BB-6C86-4c96-A24E-93A9F1418932}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{54DF59D1-FC0F-4c1e-A1CB-7351A7C69DB2}	{42AE2177-1CCF-4c0d-A70C-90FCA3E47382}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{54DF59D1-FC0F-4c1e-A1CB-7351A7C69DB2}\stubpath = "C:\\Windows\\{54DF59D1-FC0F-4c1e-A1CB-7351A7C69DB2}.exe"	{42AE2177-1CCF-4c0d-A70C-90FCA3E47382}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0ED958C1-B91F-4b64-84D3-3CC837CB12BE}\stubpath = "C:\\Windows\\{0ED958C1-B91F-4b64-84D3-3CC837CB12BE}.exe"	{2EA4AC37-996C-4042-B23E-41A9BCB017F9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DE32A5BB-6C86-4c96-A24E-93A9F1418932}	{686BFA68-93C4-466e-AF41-860CE5E81BDA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F669253D-95C3-4ae3-B044-24F1D03291D5}\stubpath = "C:\\Windows\\{F669253D-95C3-4ae3-B044-24F1D03291D5}.exe"	{00B30023-10B3-4807-9304-9716A3773B79}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2EA4AC37-996C-4042-B23E-41A9BCB017F9}\stubpath = "C:\\Windows\\{2EA4AC37-996C-4042-B23E-41A9BCB017F9}.exe"	{F669253D-95C3-4ae3-B044-24F1D03291D5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D71A6E36-8108-42f3-8181-D3CD809269BE}\stubpath = "C:\\Windows\\{D71A6E36-8108-42f3-8181-D3CD809269BE}.exe"	{0ED958C1-B91F-4b64-84D3-3CC837CB12BE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{686BFA68-93C4-466e-AF41-860CE5E81BDA}\stubpath = "C:\\Windows\\{686BFA68-93C4-466e-AF41-860CE5E81BDA}.exe"	2024-04-20_cc50656a5e5184477338c9d3fadacbb9_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DE32A5BB-6C86-4c96-A24E-93A9F1418932}\stubpath = "C:\\Windows\\{DE32A5BB-6C86-4c96-A24E-93A9F1418932}.exe"	{686BFA68-93C4-466e-AF41-860CE5E81BDA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6FE12B9F-318C-4461-AF03-30E58B2F568F}\stubpath = "C:\\Windows\\{6FE12B9F-318C-4461-AF03-30E58B2F568F}.exe"	{60CFDA12-279D-4507-8DD0-C53DAC3B0A97}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F669253D-95C3-4ae3-B044-24F1D03291D5}	{00B30023-10B3-4807-9304-9716A3773B79}.exe

Deletes itself 1 IoCs

pid	Process
2880	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2844	{686BFA68-93C4-466e-AF41-860CE5E81BDA}.exe
2536	{DE32A5BB-6C86-4c96-A24E-93A9F1418932}.exe
2368	{42AE2177-1CCF-4c0d-A70C-90FCA3E47382}.exe
2796	{54DF59D1-FC0F-4c1e-A1CB-7351A7C69DB2}.exe
792	{60CFDA12-279D-4507-8DD0-C53DAC3B0A97}.exe
2680	{6FE12B9F-318C-4461-AF03-30E58B2F568F}.exe
1804	{00B30023-10B3-4807-9304-9716A3773B79}.exe
2100	{F669253D-95C3-4ae3-B044-24F1D03291D5}.exe
1516	{2EA4AC37-996C-4042-B23E-41A9BCB017F9}.exe
2260	{0ED958C1-B91F-4b64-84D3-3CC837CB12BE}.exe
1784	{D71A6E36-8108-42f3-8181-D3CD809269BE}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{686BFA68-93C4-466e-AF41-860CE5E81BDA}.exe	2024-04-20_cc50656a5e5184477338c9d3fadacbb9_goldeneye.exe
File created	C:\Windows\{DE32A5BB-6C86-4c96-A24E-93A9F1418932}.exe	{686BFA68-93C4-466e-AF41-860CE5E81BDA}.exe
File created	C:\Windows\{42AE2177-1CCF-4c0d-A70C-90FCA3E47382}.exe	{DE32A5BB-6C86-4c96-A24E-93A9F1418932}.exe
File created	C:\Windows\{60CFDA12-279D-4507-8DD0-C53DAC3B0A97}.exe	{54DF59D1-FC0F-4c1e-A1CB-7351A7C69DB2}.exe
File created	C:\Windows\{6FE12B9F-318C-4461-AF03-30E58B2F568F}.exe	{60CFDA12-279D-4507-8DD0-C53DAC3B0A97}.exe
File created	C:\Windows\{00B30023-10B3-4807-9304-9716A3773B79}.exe	{6FE12B9F-318C-4461-AF03-30E58B2F568F}.exe
File created	C:\Windows\{D71A6E36-8108-42f3-8181-D3CD809269BE}.exe	{0ED958C1-B91F-4b64-84D3-3CC837CB12BE}.exe
File created	C:\Windows\{54DF59D1-FC0F-4c1e-A1CB-7351A7C69DB2}.exe	{42AE2177-1CCF-4c0d-A70C-90FCA3E47382}.exe
File created	C:\Windows\{F669253D-95C3-4ae3-B044-24F1D03291D5}.exe	{00B30023-10B3-4807-9304-9716A3773B79}.exe
File created	C:\Windows\{2EA4AC37-996C-4042-B23E-41A9BCB017F9}.exe	{F669253D-95C3-4ae3-B044-24F1D03291D5}.exe
File created	C:\Windows\{0ED958C1-B91F-4b64-84D3-3CC837CB12BE}.exe	{2EA4AC37-996C-4042-B23E-41A9BCB017F9}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1708	2024-04-20_cc50656a5e5184477338c9d3fadacbb9_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2844	{686BFA68-93C4-466e-AF41-860CE5E81BDA}.exe
Token: SeIncBasePriorityPrivilege	2536	{DE32A5BB-6C86-4c96-A24E-93A9F1418932}.exe
Token: SeIncBasePriorityPrivilege	2368	{42AE2177-1CCF-4c0d-A70C-90FCA3E47382}.exe
Token: SeIncBasePriorityPrivilege	2796	{54DF59D1-FC0F-4c1e-A1CB-7351A7C69DB2}.exe
Token: SeIncBasePriorityPrivilege	792	{60CFDA12-279D-4507-8DD0-C53DAC3B0A97}.exe
Token: SeIncBasePriorityPrivilege	2680	{6FE12B9F-318C-4461-AF03-30E58B2F568F}.exe
Token: SeIncBasePriorityPrivilege	1804	{00B30023-10B3-4807-9304-9716A3773B79}.exe
Token: SeIncBasePriorityPrivilege	2100	{F669253D-95C3-4ae3-B044-24F1D03291D5}.exe
Token: SeIncBasePriorityPrivilege	1516	{2EA4AC37-996C-4042-B23E-41A9BCB017F9}.exe
Token: SeIncBasePriorityPrivilege	2260	{0ED958C1-B91F-4b64-84D3-3CC837CB12BE}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1708 wrote to memory of 2844	1708	2024-04-20_cc50656a5e5184477338c9d3fadacbb9_goldeneye.exe	28
PID 1708 wrote to memory of 2844	1708	2024-04-20_cc50656a5e5184477338c9d3fadacbb9_goldeneye.exe	28
PID 1708 wrote to memory of 2844	1708	2024-04-20_cc50656a5e5184477338c9d3fadacbb9_goldeneye.exe	28
PID 1708 wrote to memory of 2844	1708	2024-04-20_cc50656a5e5184477338c9d3fadacbb9_goldeneye.exe	28
PID 1708 wrote to memory of 2880	1708	2024-04-20_cc50656a5e5184477338c9d3fadacbb9_goldeneye.exe	29
PID 1708 wrote to memory of 2880	1708	2024-04-20_cc50656a5e5184477338c9d3fadacbb9_goldeneye.exe	29
PID 1708 wrote to memory of 2880	1708	2024-04-20_cc50656a5e5184477338c9d3fadacbb9_goldeneye.exe	29
PID 1708 wrote to memory of 2880	1708	2024-04-20_cc50656a5e5184477338c9d3fadacbb9_goldeneye.exe	29
PID 2844 wrote to memory of 2536	2844	{686BFA68-93C4-466e-AF41-860CE5E81BDA}.exe	32
PID 2844 wrote to memory of 2536	2844	{686BFA68-93C4-466e-AF41-860CE5E81BDA}.exe	32
PID 2844 wrote to memory of 2536	2844	{686BFA68-93C4-466e-AF41-860CE5E81BDA}.exe	32
PID 2844 wrote to memory of 2536	2844	{686BFA68-93C4-466e-AF41-860CE5E81BDA}.exe	32
PID 2844 wrote to memory of 2668	2844	{686BFA68-93C4-466e-AF41-860CE5E81BDA}.exe	33
PID 2844 wrote to memory of 2668	2844	{686BFA68-93C4-466e-AF41-860CE5E81BDA}.exe	33
PID 2844 wrote to memory of 2668	2844	{686BFA68-93C4-466e-AF41-860CE5E81BDA}.exe	33
PID 2844 wrote to memory of 2668	2844	{686BFA68-93C4-466e-AF41-860CE5E81BDA}.exe	33
PID 2536 wrote to memory of 2368	2536	{DE32A5BB-6C86-4c96-A24E-93A9F1418932}.exe	34
PID 2536 wrote to memory of 2368	2536	{DE32A5BB-6C86-4c96-A24E-93A9F1418932}.exe	34
PID 2536 wrote to memory of 2368	2536	{DE32A5BB-6C86-4c96-A24E-93A9F1418932}.exe	34
PID 2536 wrote to memory of 2368	2536	{DE32A5BB-6C86-4c96-A24E-93A9F1418932}.exe	34
PID 2536 wrote to memory of 2404	2536	{DE32A5BB-6C86-4c96-A24E-93A9F1418932}.exe	35
PID 2536 wrote to memory of 2404	2536	{DE32A5BB-6C86-4c96-A24E-93A9F1418932}.exe	35
PID 2536 wrote to memory of 2404	2536	{DE32A5BB-6C86-4c96-A24E-93A9F1418932}.exe	35
PID 2536 wrote to memory of 2404	2536	{DE32A5BB-6C86-4c96-A24E-93A9F1418932}.exe	35
PID 2368 wrote to memory of 2796	2368	{42AE2177-1CCF-4c0d-A70C-90FCA3E47382}.exe	36
PID 2368 wrote to memory of 2796	2368	{42AE2177-1CCF-4c0d-A70C-90FCA3E47382}.exe	36
PID 2368 wrote to memory of 2796	2368	{42AE2177-1CCF-4c0d-A70C-90FCA3E47382}.exe	36
PID 2368 wrote to memory of 2796	2368	{42AE2177-1CCF-4c0d-A70C-90FCA3E47382}.exe	36
PID 2368 wrote to memory of 804	2368	{42AE2177-1CCF-4c0d-A70C-90FCA3E47382}.exe	37
PID 2368 wrote to memory of 804	2368	{42AE2177-1CCF-4c0d-A70C-90FCA3E47382}.exe	37
PID 2368 wrote to memory of 804	2368	{42AE2177-1CCF-4c0d-A70C-90FCA3E47382}.exe	37
PID 2368 wrote to memory of 804	2368	{42AE2177-1CCF-4c0d-A70C-90FCA3E47382}.exe	37
PID 2796 wrote to memory of 792	2796	{54DF59D1-FC0F-4c1e-A1CB-7351A7C69DB2}.exe	38
PID 2796 wrote to memory of 792	2796	{54DF59D1-FC0F-4c1e-A1CB-7351A7C69DB2}.exe	38
PID 2796 wrote to memory of 792	2796	{54DF59D1-FC0F-4c1e-A1CB-7351A7C69DB2}.exe	38
PID 2796 wrote to memory of 792	2796	{54DF59D1-FC0F-4c1e-A1CB-7351A7C69DB2}.exe	38
PID 2796 wrote to memory of 1856	2796	{54DF59D1-FC0F-4c1e-A1CB-7351A7C69DB2}.exe	39
PID 2796 wrote to memory of 1856	2796	{54DF59D1-FC0F-4c1e-A1CB-7351A7C69DB2}.exe	39
PID 2796 wrote to memory of 1856	2796	{54DF59D1-FC0F-4c1e-A1CB-7351A7C69DB2}.exe	39
PID 2796 wrote to memory of 1856	2796	{54DF59D1-FC0F-4c1e-A1CB-7351A7C69DB2}.exe	39
PID 792 wrote to memory of 2680	792	{60CFDA12-279D-4507-8DD0-C53DAC3B0A97}.exe	40
PID 792 wrote to memory of 2680	792	{60CFDA12-279D-4507-8DD0-C53DAC3B0A97}.exe	40
PID 792 wrote to memory of 2680	792	{60CFDA12-279D-4507-8DD0-C53DAC3B0A97}.exe	40
PID 792 wrote to memory of 2680	792	{60CFDA12-279D-4507-8DD0-C53DAC3B0A97}.exe	40
PID 792 wrote to memory of 2804	792	{60CFDA12-279D-4507-8DD0-C53DAC3B0A97}.exe	41
PID 792 wrote to memory of 2804	792	{60CFDA12-279D-4507-8DD0-C53DAC3B0A97}.exe	41
PID 792 wrote to memory of 2804	792	{60CFDA12-279D-4507-8DD0-C53DAC3B0A97}.exe	41
PID 792 wrote to memory of 2804	792	{60CFDA12-279D-4507-8DD0-C53DAC3B0A97}.exe	41
PID 2680 wrote to memory of 1804	2680	{6FE12B9F-318C-4461-AF03-30E58B2F568F}.exe	42
PID 2680 wrote to memory of 1804	2680	{6FE12B9F-318C-4461-AF03-30E58B2F568F}.exe	42
PID 2680 wrote to memory of 1804	2680	{6FE12B9F-318C-4461-AF03-30E58B2F568F}.exe	42
PID 2680 wrote to memory of 1804	2680	{6FE12B9F-318C-4461-AF03-30E58B2F568F}.exe	42
PID 2680 wrote to memory of 2300	2680	{6FE12B9F-318C-4461-AF03-30E58B2F568F}.exe	43
PID 2680 wrote to memory of 2300	2680	{6FE12B9F-318C-4461-AF03-30E58B2F568F}.exe	43
PID 2680 wrote to memory of 2300	2680	{6FE12B9F-318C-4461-AF03-30E58B2F568F}.exe	43
PID 2680 wrote to memory of 2300	2680	{6FE12B9F-318C-4461-AF03-30E58B2F568F}.exe	43
PID 1804 wrote to memory of 2100	1804	{00B30023-10B3-4807-9304-9716A3773B79}.exe	44
PID 1804 wrote to memory of 2100	1804	{00B30023-10B3-4807-9304-9716A3773B79}.exe	44
PID 1804 wrote to memory of 2100	1804	{00B30023-10B3-4807-9304-9716A3773B79}.exe	44
PID 1804 wrote to memory of 2100	1804	{00B30023-10B3-4807-9304-9716A3773B79}.exe	44
PID 1804 wrote to memory of 1680	1804	{00B30023-10B3-4807-9304-9716A3773B79}.exe	45
PID 1804 wrote to memory of 1680	1804	{00B30023-10B3-4807-9304-9716A3773B79}.exe	45
PID 1804 wrote to memory of 1680	1804	{00B30023-10B3-4807-9304-9716A3773B79}.exe	45
PID 1804 wrote to memory of 1680	1804	{00B30023-10B3-4807-9304-9716A3773B79}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-04-20_cc50656a5e5184477338c9d3fadacbb9_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-20_cc50656a5e5184477338c9d3fadacbb9_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1708
- C:\Windows\{686BFA68-93C4-466e-AF41-860CE5E81BDA}.exe
  C:\Windows\{686BFA68-93C4-466e-AF41-860CE5E81BDA}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2844
- - C:\Windows\{DE32A5BB-6C86-4c96-A24E-93A9F1418932}.exe
    C:\Windows\{DE32A5BB-6C86-4c96-A24E-93A9F1418932}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2536
  - - C:\Windows\{42AE2177-1CCF-4c0d-A70C-90FCA3E47382}.exe
      C:\Windows\{42AE2177-1CCF-4c0d-A70C-90FCA3E47382}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2368
    - - C:\Windows\{54DF59D1-FC0F-4c1e-A1CB-7351A7C69DB2}.exe
        
        C:\Windows\{54DF59D1-FC0F-4c1e-A1CB-7351A7C69DB2}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2796
      - C:\Windows\{60CFDA12-279D-4507-8DD0-C53DAC3B0A97}.exe
        
        C:\Windows\{60CFDA12-279D-4507-8DD0-C53DAC3B0A97}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:792
        
        C:\Windows\{6FE12B9F-318C-4461-AF03-30E58B2F568F}.exe
        
        C:\Windows\{6FE12B9F-318C-4461-AF03-30E58B2F568F}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2680
        
        C:\Windows\{00B30023-10B3-4807-9304-9716A3773B79}.exe
        
        C:\Windows\{00B30023-10B3-4807-9304-9716A3773B79}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1804
        
        C:\Windows\{F669253D-95C3-4ae3-B044-24F1D03291D5}.exe
        
        C:\Windows\{F669253D-95C3-4ae3-B044-24F1D03291D5}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2100
        
        C:\Windows\{2EA4AC37-996C-4042-B23E-41A9BCB017F9}.exe
        
        C:\Windows\{2EA4AC37-996C-4042-B23E-41A9BCB017F9}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1516
        
        C:\Windows\{0ED958C1-B91F-4b64-84D3-3CC837CB12BE}.exe
        
        C:\Windows\{0ED958C1-B91F-4b64-84D3-3CC837CB12BE}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2260
        
        C:\Windows\{D71A6E36-8108-42f3-8181-D3CD809269BE}.exe
        
        C:\Windows\{D71A6E36-8108-42f3-8181-D3CD809269BE}.exe
        12⤵
        Executes dropped EXE
        
        PID:1784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0ED95~1.EXE > nul
        12⤵
        
        PID:524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2EA4A~1.EXE > nul
        11⤵
        
        PID:2552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F6692~1.EXE > nul
        10⤵
        
        PID:844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{00B30~1.EXE > nul
        9⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6FE12~1.EXE > nul
        8⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{60CFD~1.EXE > nul
        7⤵
        
        PID:2804
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{54DF5~1.EXE > nul
        6⤵
        
        PID:1856
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{42AE2~1.EXE > nul
        5⤵
        
        PID:804
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{DE32A~1.EXE > nul
      4⤵
      PID:2404
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{686BF~1.EXE > nul
    3⤵
    PID:2668
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{00B30023-10B3-4807-9304-9716A3773B79}.exe

Filesize
408KB

MD5
a0e1db154dd6b05d1a047a65c1d6b32f

SHA1
57dfd943fd4029a75ddfdb0b22cb687315638530

SHA256
d7ec44e77cb4b98e996041fd6cb87f5679ca20a0204484e6a10e1efaad92dd8b

SHA512
ff6e7bcf2ab1703fc2d98790b391fb7f126ae3fc1e2c56e86623a96c7610d495c880942786d376e8e682ad86dc38e2d0e2892fab8fee8bb6f121df4e93e40b50

Download Submit
C:\Windows\{0ED958C1-B91F-4b64-84D3-3CC837CB12BE}.exe

Filesize
408KB

MD5
54bffcd27b998e22b6605e6f0a51b41f

SHA1
b7aac4ad5af48e868795c6e03baa8c80ac1865fc

SHA256
b60b8e80870ca2207e3b93bbdb00297d4ae85abd209e793b8d210224e34ac5fa

SHA512
2d6e23c23f0367c71c8313c6e16ea7f3ed4d03e0a4281bd18680d60e24c63fb887660366d2b7bd8094edced1329c16016008d139a05a0e4f850a7ba8dcec9afa

Download Submit
C:\Windows\{2EA4AC37-996C-4042-B23E-41A9BCB017F9}.exe

Filesize
408KB

MD5
ec40c37e01c547dec3834778cf656d06

SHA1
d40078caad3721d171d393f44dce0a8713df23d8

SHA256
a78de14119f84d0908fbd8327eb0c576e95aac989d4f975dd843959bc81e37e1

SHA512
9376102b4ed648c47b76932668644325a5b0fb8af57c4d5b4a981766d019c7c695428449e45dc6d50a6f654173f642dd3732b9a65c76b476c5cc80c93e017a40

Download Submit
C:\Windows\{42AE2177-1CCF-4c0d-A70C-90FCA3E47382}.exe

Filesize
408KB

MD5
8d523d0838f7fcb7e37aece070789673

SHA1
8a911b2b7e127c23e25c3bdcba1dbfef3dbb9bdf

SHA256
6926c778b4f1cd713c598ef95af800f126aa35cd6fd8f7a6687278410f32bc33

SHA512
d30c5980ce330d6016394e80fa6f2e6f756562af29b9783f5f4d2a3b07668feaa9dfc56ebb69018cd744d902a720f75cfd57a3d6322394d34d1cb61552742362

Download Submit
C:\Windows\{54DF59D1-FC0F-4c1e-A1CB-7351A7C69DB2}.exe

Filesize
408KB

MD5
b9481821417707639727d5c3f0a68efd

SHA1
a1c93ba1411eb851431c6c4e21c4f80884f98376

SHA256
4516e18878dd8d67bbe148a4022d85a6a3869a3f5078ec8e1f55f12131d20778

SHA512
c63ed5137c4bfb7f1c9c12ca19c48557c91738c03f6648d0fb52445565933875f7282b50b0ce4d2f4d138dc79734b19133dab331ff59b53f07577c3bb5495ab3

Download Submit
C:\Windows\{60CFDA12-279D-4507-8DD0-C53DAC3B0A97}.exe

Filesize
408KB

MD5
4bdaaf08a4bd3662baa480c063c69a48

SHA1
59c50a1c8189bda898a059dee3a371409286fada

SHA256
c8059150e10914fa768c080286263e82249a769efd89f8160952a310b8b765de

SHA512
7884233afb5f1e06321a8f4448611a170712a95653d8c9524be2bf20ffe4b2dab15392f6bd6f184d97d0c76363a84d2157c942e5624ce367f17bc9da0aeae926

Download Submit
C:\Windows\{686BFA68-93C4-466e-AF41-860CE5E81BDA}.exe

Filesize
408KB

MD5
81b81a71d6246d1a0b7d0ca9ea48942e

SHA1
b6cab6e4301b7bf073b2472a385a6d07eed79cfd

SHA256
caabeb5281cdeb992dfac22adac1ec96f8ce998673c8ff05a6b1490c0f6cf6db

SHA512
ea3897b7b698a37dfe93915e4e91b63d9b7325fed6769063648afbc056065ad0192cd7d67da5ce50e7d8d9b6da61ff77174109c6d04fc6dc3306d2f155dbb4e1

Download Submit
C:\Windows\{6FE12B9F-318C-4461-AF03-30E58B2F568F}.exe

Filesize
408KB

MD5
95a4a6c5a230ccee60fe27ae1e35e4da

SHA1
2710c0a084c487192d96f4adb2d3039e4babc9c4

SHA256
3f67630b69e21990e8f74975e4b31bd756d4d7a4a2ef684dfc8f8d2582f6c870

SHA512
611ba14b3f2c2d822aef8acde9a20b1e64033784af2fc87080a462661837dcdb905111eccca060d39a05e717774d6f3627a8d228e105750f416ffc93d8ea63b4

Download Submit
C:\Windows\{D71A6E36-8108-42f3-8181-D3CD809269BE}.exe

Filesize
408KB

MD5
ce91da864b79a766855e0b72ca653cee

SHA1
92e1fae9ce560e32c3d7cbfbd9b0416150392e8a

SHA256
fca09e4ca0af278dc709e56dde90b6a73b70b3907e99ba58bfadff84618e1d0d

SHA512
6d025aad47ef57dcfaa06d9905185368f776e811961b572242162bf42e018fe44d7b842b17d36a00022e898e264f46cb220d81ffe2eb0d55bcce076be4482b12

Download Submit
C:\Windows\{DE32A5BB-6C86-4c96-A24E-93A9F1418932}.exe

Filesize
408KB

MD5
8c203496e3461fe928e479e4e47675de

SHA1
83660f364762a3d801b3f9a55dab6ccf2f0bf131

SHA256
591dc62a634bb938f11092c5746e6c89f13e5e0d10fbce8756f131814bff17ad

SHA512
b645cd21184c024328e6421c49c4b4fd072e3f9be14be5a4eb32cae1a98cefa98916a3bc69f83eed7cbc7e4a1245172088e9325ad38d086dbe1d7cb5d66b4ae8

Download Submit
C:\Windows\{F669253D-95C3-4ae3-B044-24F1D03291D5}.exe

Filesize
408KB

MD5
1bbc0cd3756757153ca3c43f2b1d66e4

SHA1
ea6b323c5933bd68844e81049d92fe70319394b4

SHA256
7f30e9a3b449ccb2da197f3a4d48418599f7fa9030397def6bf84d3e3ef19e20

SHA512
4f0770181065f6dfb1a878599a02ff21d1119ee64859e141cba2bce58d67175c48d0485ffd168812b54fbd7ff8b485c1f885f861d2d946010bc05a3dd83c4620

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads