dd279f0043983caccba4329ddf58bb78c3c4a458c90dc52bf3bb47aef489e235

Analysis

max time kernel
144s
max time network
121s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
20/04/2024, 13:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-20_f8d93471c325600b7af6c5beeebedba3_goldeneye.exe
Size

408KB
MD5

f8d93471c325600b7af6c5beeebedba3
SHA1

de9b87164f5590b892ddff9a8ea1bb84977c0556
SHA256

dd279f0043983caccba4329ddf58bb78c3c4a458c90dc52bf3bb47aef489e235
SHA512

23e23434f59c01bd8f5715971fcd3dfbaa6ece3fa97628848fa9664da08923f0d3e3b01e2a348c5d7cbcdbdbded8fe9444d16c583b96831e83b071b0954f9aba
SSDEEP

3072:CEGh0o3l3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGtldOe2MUVg3vTeKcAEciTBqr3jy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000c000000012253-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b00000001472f-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000012253-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0030000000014f57-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e000000012253-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f000000012253-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0010000000012253-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DA127033-2C51-4a0e-8FC5-91A05C69B341}	2024-04-20_f8d93471c325600b7af6c5beeebedba3_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C84A0C20-662C-4e70-9216-51C5B0E01748}	{29F230C7-7D74-4b46-889B-DCFC5D6AA14F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C0FB1F34-5EA8-45c3-BD60-45262517F34F}\stubpath = "C:\\Windows\\{C0FB1F34-5EA8-45c3-BD60-45262517F34F}.exe"	{5A691E1C-8932-4686-80EF-DF35A2A0A483}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7D806BBB-D170-4cee-B551-91AA18395C80}	{987E8B13-8874-4aae-A3D9-AF30CCCA4172}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5A691E1C-8932-4686-80EF-DF35A2A0A483}\stubpath = "C:\\Windows\\{5A691E1C-8932-4686-80EF-DF35A2A0A483}.exe"	{2A373552-F485-4690-A16A-5DBF25D0DC30}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{24FC171C-45CD-4040-B447-BDB52C7A5B7C}	{3AEE7184-D6C2-4031-8C6B-2BC4FC6EFCA0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{24FC171C-45CD-4040-B447-BDB52C7A5B7C}\stubpath = "C:\\Windows\\{24FC171C-45CD-4040-B447-BDB52C7A5B7C}.exe"	{3AEE7184-D6C2-4031-8C6B-2BC4FC6EFCA0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{987E8B13-8874-4aae-A3D9-AF30CCCA4172}\stubpath = "C:\\Windows\\{987E8B13-8874-4aae-A3D9-AF30CCCA4172}.exe"	{24FC171C-45CD-4040-B447-BDB52C7A5B7C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DA127033-2C51-4a0e-8FC5-91A05C69B341}\stubpath = "C:\\Windows\\{DA127033-2C51-4a0e-8FC5-91A05C69B341}.exe"	2024-04-20_f8d93471c325600b7af6c5beeebedba3_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AB92BA8C-50F8-44ac-8B2E-B1697FC0C9E0}	{DA127033-2C51-4a0e-8FC5-91A05C69B341}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AB92BA8C-50F8-44ac-8B2E-B1697FC0C9E0}\stubpath = "C:\\Windows\\{AB92BA8C-50F8-44ac-8B2E-B1697FC0C9E0}.exe"	{DA127033-2C51-4a0e-8FC5-91A05C69B341}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C84A0C20-662C-4e70-9216-51C5B0E01748}\stubpath = "C:\\Windows\\{C84A0C20-662C-4e70-9216-51C5B0E01748}.exe"	{29F230C7-7D74-4b46-889B-DCFC5D6AA14F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7D806BBB-D170-4cee-B551-91AA18395C80}\stubpath = "C:\\Windows\\{7D806BBB-D170-4cee-B551-91AA18395C80}.exe"	{987E8B13-8874-4aae-A3D9-AF30CCCA4172}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{29F230C7-7D74-4b46-889B-DCFC5D6AA14F}	{AB92BA8C-50F8-44ac-8B2E-B1697FC0C9E0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5A691E1C-8932-4686-80EF-DF35A2A0A483}	{2A373552-F485-4690-A16A-5DBF25D0DC30}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3AEE7184-D6C2-4031-8C6B-2BC4FC6EFCA0}	{C0FB1F34-5EA8-45c3-BD60-45262517F34F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{987E8B13-8874-4aae-A3D9-AF30CCCA4172}	{24FC171C-45CD-4040-B447-BDB52C7A5B7C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3AEE7184-D6C2-4031-8C6B-2BC4FC6EFCA0}\stubpath = "C:\\Windows\\{3AEE7184-D6C2-4031-8C6B-2BC4FC6EFCA0}.exe"	{C0FB1F34-5EA8-45c3-BD60-45262517F34F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{29F230C7-7D74-4b46-889B-DCFC5D6AA14F}\stubpath = "C:\\Windows\\{29F230C7-7D74-4b46-889B-DCFC5D6AA14F}.exe"	{AB92BA8C-50F8-44ac-8B2E-B1697FC0C9E0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2A373552-F485-4690-A16A-5DBF25D0DC30}	{C84A0C20-662C-4e70-9216-51C5B0E01748}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2A373552-F485-4690-A16A-5DBF25D0DC30}\stubpath = "C:\\Windows\\{2A373552-F485-4690-A16A-5DBF25D0DC30}.exe"	{C84A0C20-662C-4e70-9216-51C5B0E01748}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C0FB1F34-5EA8-45c3-BD60-45262517F34F}	{5A691E1C-8932-4686-80EF-DF35A2A0A483}.exe

Executes dropped EXE 11 IoCs

pid	Process
2512	{DA127033-2C51-4a0e-8FC5-91A05C69B341}.exe
2608	{AB92BA8C-50F8-44ac-8B2E-B1697FC0C9E0}.exe
2600	{29F230C7-7D74-4b46-889B-DCFC5D6AA14F}.exe
2668	{C84A0C20-662C-4e70-9216-51C5B0E01748}.exe
320	{2A373552-F485-4690-A16A-5DBF25D0DC30}.exe
2292	{5A691E1C-8932-4686-80EF-DF35A2A0A483}.exe
2208	{C0FB1F34-5EA8-45c3-BD60-45262517F34F}.exe
2040	{3AEE7184-D6C2-4031-8C6B-2BC4FC6EFCA0}.exe
1992	{24FC171C-45CD-4040-B447-BDB52C7A5B7C}.exe
692	{987E8B13-8874-4aae-A3D9-AF30CCCA4172}.exe
352	{7D806BBB-D170-4cee-B551-91AA18395C80}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{29F230C7-7D74-4b46-889B-DCFC5D6AA14F}.exe	{AB92BA8C-50F8-44ac-8B2E-B1697FC0C9E0}.exe
File created	C:\Windows\{5A691E1C-8932-4686-80EF-DF35A2A0A483}.exe	{2A373552-F485-4690-A16A-5DBF25D0DC30}.exe
File created	C:\Windows\{24FC171C-45CD-4040-B447-BDB52C7A5B7C}.exe	{3AEE7184-D6C2-4031-8C6B-2BC4FC6EFCA0}.exe
File created	C:\Windows\{7D806BBB-D170-4cee-B551-91AA18395C80}.exe	{987E8B13-8874-4aae-A3D9-AF30CCCA4172}.exe
File created	C:\Windows\{C0FB1F34-5EA8-45c3-BD60-45262517F34F}.exe	{5A691E1C-8932-4686-80EF-DF35A2A0A483}.exe
File created	C:\Windows\{3AEE7184-D6C2-4031-8C6B-2BC4FC6EFCA0}.exe	{C0FB1F34-5EA8-45c3-BD60-45262517F34F}.exe
File created	C:\Windows\{987E8B13-8874-4aae-A3D9-AF30CCCA4172}.exe	{24FC171C-45CD-4040-B447-BDB52C7A5B7C}.exe
File created	C:\Windows\{DA127033-2C51-4a0e-8FC5-91A05C69B341}.exe	2024-04-20_f8d93471c325600b7af6c5beeebedba3_goldeneye.exe
File created	C:\Windows\{AB92BA8C-50F8-44ac-8B2E-B1697FC0C9E0}.exe	{DA127033-2C51-4a0e-8FC5-91A05C69B341}.exe
File created	C:\Windows\{C84A0C20-662C-4e70-9216-51C5B0E01748}.exe	{29F230C7-7D74-4b46-889B-DCFC5D6AA14F}.exe
File created	C:\Windows\{2A373552-F485-4690-A16A-5DBF25D0DC30}.exe	{C84A0C20-662C-4e70-9216-51C5B0E01748}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2784	2024-04-20_f8d93471c325600b7af6c5beeebedba3_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2512	{DA127033-2C51-4a0e-8FC5-91A05C69B341}.exe
Token: SeIncBasePriorityPrivilege	2608	{AB92BA8C-50F8-44ac-8B2E-B1697FC0C9E0}.exe
Token: SeIncBasePriorityPrivilege	2600	{29F230C7-7D74-4b46-889B-DCFC5D6AA14F}.exe
Token: SeIncBasePriorityPrivilege	2668	{C84A0C20-662C-4e70-9216-51C5B0E01748}.exe
Token: SeIncBasePriorityPrivilege	320	{2A373552-F485-4690-A16A-5DBF25D0DC30}.exe
Token: SeIncBasePriorityPrivilege	2292	{5A691E1C-8932-4686-80EF-DF35A2A0A483}.exe
Token: SeIncBasePriorityPrivilege	2208	{C0FB1F34-5EA8-45c3-BD60-45262517F34F}.exe
Token: SeIncBasePriorityPrivilege	2040	{3AEE7184-D6C2-4031-8C6B-2BC4FC6EFCA0}.exe
Token: SeIncBasePriorityPrivilege	1992	{24FC171C-45CD-4040-B447-BDB52C7A5B7C}.exe
Token: SeIncBasePriorityPrivilege	692	{987E8B13-8874-4aae-A3D9-AF30CCCA4172}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2784 wrote to memory of 2512	2784	2024-04-20_f8d93471c325600b7af6c5beeebedba3_goldeneye.exe	28
PID 2784 wrote to memory of 2512	2784	2024-04-20_f8d93471c325600b7af6c5beeebedba3_goldeneye.exe	28
PID 2784 wrote to memory of 2512	2784	2024-04-20_f8d93471c325600b7af6c5beeebedba3_goldeneye.exe	28
PID 2784 wrote to memory of 2512	2784	2024-04-20_f8d93471c325600b7af6c5beeebedba3_goldeneye.exe	28
PID 2784 wrote to memory of 2580	2784	2024-04-20_f8d93471c325600b7af6c5beeebedba3_goldeneye.exe	29
PID 2784 wrote to memory of 2580	2784	2024-04-20_f8d93471c325600b7af6c5beeebedba3_goldeneye.exe	29
PID 2784 wrote to memory of 2580	2784	2024-04-20_f8d93471c325600b7af6c5beeebedba3_goldeneye.exe	29
PID 2784 wrote to memory of 2580	2784	2024-04-20_f8d93471c325600b7af6c5beeebedba3_goldeneye.exe	29
PID 2512 wrote to memory of 2608	2512	{DA127033-2C51-4a0e-8FC5-91A05C69B341}.exe	30
PID 2512 wrote to memory of 2608	2512	{DA127033-2C51-4a0e-8FC5-91A05C69B341}.exe	30
PID 2512 wrote to memory of 2608	2512	{DA127033-2C51-4a0e-8FC5-91A05C69B341}.exe	30
PID 2512 wrote to memory of 2608	2512	{DA127033-2C51-4a0e-8FC5-91A05C69B341}.exe	30
PID 2512 wrote to memory of 2396	2512	{DA127033-2C51-4a0e-8FC5-91A05C69B341}.exe	31
PID 2512 wrote to memory of 2396	2512	{DA127033-2C51-4a0e-8FC5-91A05C69B341}.exe	31
PID 2512 wrote to memory of 2396	2512	{DA127033-2C51-4a0e-8FC5-91A05C69B341}.exe	31
PID 2512 wrote to memory of 2396	2512	{DA127033-2C51-4a0e-8FC5-91A05C69B341}.exe	31
PID 2608 wrote to memory of 2600	2608	{AB92BA8C-50F8-44ac-8B2E-B1697FC0C9E0}.exe	32
PID 2608 wrote to memory of 2600	2608	{AB92BA8C-50F8-44ac-8B2E-B1697FC0C9E0}.exe	32
PID 2608 wrote to memory of 2600	2608	{AB92BA8C-50F8-44ac-8B2E-B1697FC0C9E0}.exe	32
PID 2608 wrote to memory of 2600	2608	{AB92BA8C-50F8-44ac-8B2E-B1697FC0C9E0}.exe	32
PID 2608 wrote to memory of 2384	2608	{AB92BA8C-50F8-44ac-8B2E-B1697FC0C9E0}.exe	33
PID 2608 wrote to memory of 2384	2608	{AB92BA8C-50F8-44ac-8B2E-B1697FC0C9E0}.exe	33
PID 2608 wrote to memory of 2384	2608	{AB92BA8C-50F8-44ac-8B2E-B1697FC0C9E0}.exe	33
PID 2608 wrote to memory of 2384	2608	{AB92BA8C-50F8-44ac-8B2E-B1697FC0C9E0}.exe	33
PID 2600 wrote to memory of 2668	2600	{29F230C7-7D74-4b46-889B-DCFC5D6AA14F}.exe	36
PID 2600 wrote to memory of 2668	2600	{29F230C7-7D74-4b46-889B-DCFC5D6AA14F}.exe	36
PID 2600 wrote to memory of 2668	2600	{29F230C7-7D74-4b46-889B-DCFC5D6AA14F}.exe	36
PID 2600 wrote to memory of 2668	2600	{29F230C7-7D74-4b46-889B-DCFC5D6AA14F}.exe	36
PID 2600 wrote to memory of 2672	2600	{29F230C7-7D74-4b46-889B-DCFC5D6AA14F}.exe	37
PID 2600 wrote to memory of 2672	2600	{29F230C7-7D74-4b46-889B-DCFC5D6AA14F}.exe	37
PID 2600 wrote to memory of 2672	2600	{29F230C7-7D74-4b46-889B-DCFC5D6AA14F}.exe	37
PID 2600 wrote to memory of 2672	2600	{29F230C7-7D74-4b46-889B-DCFC5D6AA14F}.exe	37
PID 2668 wrote to memory of 320	2668	{C84A0C20-662C-4e70-9216-51C5B0E01748}.exe	38
PID 2668 wrote to memory of 320	2668	{C84A0C20-662C-4e70-9216-51C5B0E01748}.exe	38
PID 2668 wrote to memory of 320	2668	{C84A0C20-662C-4e70-9216-51C5B0E01748}.exe	38
PID 2668 wrote to memory of 320	2668	{C84A0C20-662C-4e70-9216-51C5B0E01748}.exe	38
PID 2668 wrote to memory of 2284	2668	{C84A0C20-662C-4e70-9216-51C5B0E01748}.exe	39
PID 2668 wrote to memory of 2284	2668	{C84A0C20-662C-4e70-9216-51C5B0E01748}.exe	39
PID 2668 wrote to memory of 2284	2668	{C84A0C20-662C-4e70-9216-51C5B0E01748}.exe	39
PID 2668 wrote to memory of 2284	2668	{C84A0C20-662C-4e70-9216-51C5B0E01748}.exe	39
PID 320 wrote to memory of 2292	320	{2A373552-F485-4690-A16A-5DBF25D0DC30}.exe	40
PID 320 wrote to memory of 2292	320	{2A373552-F485-4690-A16A-5DBF25D0DC30}.exe	40
PID 320 wrote to memory of 2292	320	{2A373552-F485-4690-A16A-5DBF25D0DC30}.exe	40
PID 320 wrote to memory of 2292	320	{2A373552-F485-4690-A16A-5DBF25D0DC30}.exe	40
PID 320 wrote to memory of 1556	320	{2A373552-F485-4690-A16A-5DBF25D0DC30}.exe	41
PID 320 wrote to memory of 1556	320	{2A373552-F485-4690-A16A-5DBF25D0DC30}.exe	41
PID 320 wrote to memory of 1556	320	{2A373552-F485-4690-A16A-5DBF25D0DC30}.exe	41
PID 320 wrote to memory of 1556	320	{2A373552-F485-4690-A16A-5DBF25D0DC30}.exe	41
PID 2292 wrote to memory of 2208	2292	{5A691E1C-8932-4686-80EF-DF35A2A0A483}.exe	42
PID 2292 wrote to memory of 2208	2292	{5A691E1C-8932-4686-80EF-DF35A2A0A483}.exe	42
PID 2292 wrote to memory of 2208	2292	{5A691E1C-8932-4686-80EF-DF35A2A0A483}.exe	42
PID 2292 wrote to memory of 2208	2292	{5A691E1C-8932-4686-80EF-DF35A2A0A483}.exe	42
PID 2292 wrote to memory of 2428	2292	{5A691E1C-8932-4686-80EF-DF35A2A0A483}.exe	43
PID 2292 wrote to memory of 2428	2292	{5A691E1C-8932-4686-80EF-DF35A2A0A483}.exe	43
PID 2292 wrote to memory of 2428	2292	{5A691E1C-8932-4686-80EF-DF35A2A0A483}.exe	43
PID 2292 wrote to memory of 2428	2292	{5A691E1C-8932-4686-80EF-DF35A2A0A483}.exe	43
PID 2208 wrote to memory of 2040	2208	{C0FB1F34-5EA8-45c3-BD60-45262517F34F}.exe	44
PID 2208 wrote to memory of 2040	2208	{C0FB1F34-5EA8-45c3-BD60-45262517F34F}.exe	44
PID 2208 wrote to memory of 2040	2208	{C0FB1F34-5EA8-45c3-BD60-45262517F34F}.exe	44
PID 2208 wrote to memory of 2040	2208	{C0FB1F34-5EA8-45c3-BD60-45262517F34F}.exe	44
PID 2208 wrote to memory of 1968	2208	{C0FB1F34-5EA8-45c3-BD60-45262517F34F}.exe	45
PID 2208 wrote to memory of 1968	2208	{C0FB1F34-5EA8-45c3-BD60-45262517F34F}.exe	45
PID 2208 wrote to memory of 1968	2208	{C0FB1F34-5EA8-45c3-BD60-45262517F34F}.exe	45
PID 2208 wrote to memory of 1968	2208	{C0FB1F34-5EA8-45c3-BD60-45262517F34F}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-04-20_f8d93471c325600b7af6c5beeebedba3_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-20_f8d93471c325600b7af6c5beeebedba3_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2784
- C:\Windows\{DA127033-2C51-4a0e-8FC5-91A05C69B341}.exe
  C:\Windows\{DA127033-2C51-4a0e-8FC5-91A05C69B341}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2512
- - C:\Windows\{AB92BA8C-50F8-44ac-8B2E-B1697FC0C9E0}.exe
    C:\Windows\{AB92BA8C-50F8-44ac-8B2E-B1697FC0C9E0}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2608
  - - C:\Windows\{29F230C7-7D74-4b46-889B-DCFC5D6AA14F}.exe
      C:\Windows\{29F230C7-7D74-4b46-889B-DCFC5D6AA14F}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2600
    - - C:\Windows\{C84A0C20-662C-4e70-9216-51C5B0E01748}.exe
        
        C:\Windows\{C84A0C20-662C-4e70-9216-51C5B0E01748}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2668
      - C:\Windows\{2A373552-F485-4690-A16A-5DBF25D0DC30}.exe
        
        C:\Windows\{2A373552-F485-4690-A16A-5DBF25D0DC30}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:320
        
        C:\Windows\{5A691E1C-8932-4686-80EF-DF35A2A0A483}.exe
        
        C:\Windows\{5A691E1C-8932-4686-80EF-DF35A2A0A483}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2292
        
        C:\Windows\{C0FB1F34-5EA8-45c3-BD60-45262517F34F}.exe
        
        C:\Windows\{C0FB1F34-5EA8-45c3-BD60-45262517F34F}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2208
        
        C:\Windows\{3AEE7184-D6C2-4031-8C6B-2BC4FC6EFCA0}.exe
        
        C:\Windows\{3AEE7184-D6C2-4031-8C6B-2BC4FC6EFCA0}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2040
        
        C:\Windows\{24FC171C-45CD-4040-B447-BDB52C7A5B7C}.exe
        
        C:\Windows\{24FC171C-45CD-4040-B447-BDB52C7A5B7C}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1992
        
        C:\Windows\{987E8B13-8874-4aae-A3D9-AF30CCCA4172}.exe
        
        C:\Windows\{987E8B13-8874-4aae-A3D9-AF30CCCA4172}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:692
        
        C:\Windows\{7D806BBB-D170-4cee-B551-91AA18395C80}.exe
        
        C:\Windows\{7D806BBB-D170-4cee-B551-91AA18395C80}.exe
        12⤵
        Executes dropped EXE
        
        PID:352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{987E8~1.EXE > nul
        12⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{24FC1~1.EXE > nul
        11⤵
        
        PID:564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3AEE7~1.EXE > nul
        10⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C0FB1~1.EXE > nul
        9⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5A691~1.EXE > nul
        8⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2A373~1.EXE > nul
        7⤵
        
        PID:1556
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C84A0~1.EXE > nul
        6⤵
        
        PID:2284
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{29F23~1.EXE > nul
        5⤵
        
        PID:2672
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{AB92B~1.EXE > nul
      4⤵
      PID:2384
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{DA127~1.EXE > nul
    3⤵
    PID:2396
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{24FC171C-45CD-4040-B447-BDB52C7A5B7C}.exe

Filesize
408KB

MD5
69bec4aa30cbdd9ca1a60d0e99d4fcdb

SHA1
c54fac776a8fb2b43815fdaf157289e805bf8aa8

SHA256
eff151943150ceb70fdfda4a4eb6eaa2b3fd7442d1ab31e5d44b898c78d82401

SHA512
5d1acf81566178814cd081f1bf476bfa2736dbf06c78be6dcf9a3f059aa39f9e9592b332a1fb8efc5f4abb551720fb243fad563380431d9242344b781fb3a139

Download Submit
C:\Windows\{29F230C7-7D74-4b46-889B-DCFC5D6AA14F}.exe

Filesize
408KB

MD5
4c8cfa7c8e6ce87fb562afdb4e1ae742

SHA1
cdeea8f642ad7d4b2a92141b6fa7d27798c85c70

SHA256
26fcb74b641a523ed161e815226131569a69c24a2ab9f3d8f4895646fd937fcb

SHA512
b38a3bca3fedcc66b23e77d9c0833f666a7de2331451e6fdedd60b6734f7e785b3c3d202bfa65b63fed4925a110e8906148f7a8247771caa3df3b9dd9f59f508

Download Submit
C:\Windows\{2A373552-F485-4690-A16A-5DBF25D0DC30}.exe

Filesize
408KB

MD5
7cf66af7429bc77fbc87ea965bfc7d7b

SHA1
94650f1a142784bad2384bc34a7cc76660699023

SHA256
97738d1090a9b5147bcadcd667534f931f90cb725daa255c5ba2f5590ae7a828

SHA512
67397f0134e62cca8b6bc9748c323a445b5ca6ca3b5e7f537da9d48059a1c8cf096776b244e44d0f41f9ae49667c76c98787c453d00256b8ba9868fe2b03d91a

Download Submit
C:\Windows\{3AEE7184-D6C2-4031-8C6B-2BC4FC6EFCA0}.exe

Filesize
408KB

MD5
ddee3643966b397f59a5f943e9513c3d

SHA1
51aeb7b9610f732b19092997cce47a09e1222e15

SHA256
f0ba02a09f8d1bee0e14587e6dd7cbdda02eba9a04b50396fd3036add4542712

SHA512
c8d8d115350d0ae998ba24e04433c013657f27ccdedbc1f2608c31a5de48f16bd8ec8930b1aee889ef26cee5b587b5b34b6025c6c519f6fbddf2b124039ee839

Download Submit
C:\Windows\{5A691E1C-8932-4686-80EF-DF35A2A0A483}.exe

Filesize
408KB

MD5
3d94d6f42c44ece8fcda392627e0670f

SHA1
8806a0d55466695299c98bbc9d63a093d3538bd6

SHA256
1ec3dfd7d7236c060d4439b5888f35db9e7756d91c9e59efe2563d542b53d666

SHA512
e1a420ddafb48ff6cd2c7baa6fe624a249077b15912cef48c834ef497ce579c2ff4af607cacaaefacd6781701b3328eacbe6c9add18f0b261e567918b6f02769

Download Submit
C:\Windows\{7D806BBB-D170-4cee-B551-91AA18395C80}.exe

Filesize
408KB

MD5
e6fc8bc31d5be7c24e76f5b69692d1df

SHA1
a12d40cc10705b0da9388fb29dda6a284a586afc

SHA256
9e7c0b59efca8ef9d3ae153617282b298db353862c1b2a6dca900a4c6b93cf42

SHA512
fb377ec199fa4cc5037d4323c4e45fe0d2f836b81e216d962c873508faa4a681584cdf3978d998fd2f672799228fbe0262afeb53c6d152dcb9db3fde4259adb6

Download Submit
C:\Windows\{987E8B13-8874-4aae-A3D9-AF30CCCA4172}.exe

Filesize
408KB

MD5
2889fc558a651837f6df77d2d8415851

SHA1
6f247fb244382d9c471281b9d4e3e30cf4cc1e51

SHA256
0892dac5ee96a4a6c9a589436a48f0b24374e16354781389ab346ae4d107972a

SHA512
625a3d2d6bc958b1cdda4fdeb9a2f2cf9beebbf21f8cb8a165394c7bb3358e74d501bfea9d6a33fb5a4838b70e0d8c5a4affd12cfb5afee9d6573649ef75dcad

Download Submit
C:\Windows\{AB92BA8C-50F8-44ac-8B2E-B1697FC0C9E0}.exe

Filesize
408KB

MD5
bded8b51543b364b827aaca14b7bb685

SHA1
ead14824775f338d59cc570c022b79eb3c4fddf8

SHA256
72a6320bdbf07dc90274a3094541c2e99ac9d6a419436e964b5e670954496c9a

SHA512
afdde0b0b0fe6e2697b458a733ca9ca1a92e0523d0aac4e12066bb03e0d9cd5c7be039a5d89b69234b94cfc81ae64b2a61e50161397fc7caefba045d98ffc728

Download Submit
C:\Windows\{C0FB1F34-5EA8-45c3-BD60-45262517F34F}.exe

Filesize
408KB

MD5
324be18e16a16dd021d24abfe6849075

SHA1
8de0197550234964baf522cb9865133241991c8d

SHA256
fa801232204fe166381de954255cf1b33dec84bb57cac62a0e7ca66b4d5a5ed5

SHA512
26cc901265e8fc534b73c1af9bd02fd0f69761db003b00ca6f74f52bb04aca7f16439593d27cd3f86d7c69401accfb0db89a9ae3ac6f4218e629437c95926762

Download Submit
C:\Windows\{C84A0C20-662C-4e70-9216-51C5B0E01748}.exe

Filesize
408KB

MD5
7ec3e3dab3d172e6e0ec98ec022fba11

SHA1
240d928d78761619c0e8fa148d7cfd1cbda43ecc

SHA256
59e5b730e419c1b4ba1a1c1857e5258bda1a2148a4bafa17fe964f0041f53c8a

SHA512
e95b461ff748c17f7549348c214f4787614ad86ffe4d6b783da32ff87da5a5faff69ece6898e63037ad23591422a9d2372f2928528bae830c09458f9f9f4c60b

Download Submit
C:\Windows\{DA127033-2C51-4a0e-8FC5-91A05C69B341}.exe

Filesize
408KB

MD5
baecba6887c5366847605c9bac3fc309

SHA1
8df0c0d6dfd8131f759e8944be04d646dec11382

SHA256
0ac1d381eb27f64dacfe4364c9c73c56db8a589fc7b7d09f4ab8c7f9cff4b25f

SHA512
36598455027192c47711558f19df02e9ae9094fc9fce0ae05263d9f5c9f8812cf24f728626a232c510aaf75d86efd8a7f9827eeda35fdcacf37fad5cb0575b65

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads