8dc285437443f7230148981a2f7d866060b56e514f027e376fea66ae4e6e70d3

Analysis

max time kernel
144s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
20-04-2024 19:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-20_be88e9f3659ed88417a027d48a80c7c4_goldeneye.exe
Size

372KB
MD5

be88e9f3659ed88417a027d48a80c7c4
SHA1

21b78812b075d8cd235a9fe48c23d9bc5ed4d5b2
SHA256

8dc285437443f7230148981a2f7d866060b56e514f027e376fea66ae4e6e70d3
SHA512

75ad84997565917dad634015531ca3eb848f861cad5b93a50c5de9312841db605f01a0cfa3310ae861939451316a76a0e1854ce7a5aadc2ff7e70aa78086f2d1
SSDEEP

3072:CEGh0oNlMOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBfM:CEG7lkOe2MUVg3vTeKcAEciTBqr3

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000a000000012251-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a000000015cb6-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0035000000015d42-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0036000000015d42-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000015d56-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000015d7f-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000015d87-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000015d7f-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000015d87-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000015d7f-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E8EFE3EB-4CAA-4a7b-80D6-D7F8D90C8EEC}\stubpath = "C:\\Windows\\{E8EFE3EB-4CAA-4a7b-80D6-D7F8D90C8EEC}.exe"	{C955A74E-0D22-485c-96B7-35591FABF920}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{598DA865-1D18-4db6-B81F-DE8BC847E436}	{6505FEFD-F9D3-4996-8FF7-5115168BF6DE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F07B1AC7-9F22-411b-83BC-F47F8CCFCF21}	{598DA865-1D18-4db6-B81F-DE8BC847E436}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F07B1AC7-9F22-411b-83BC-F47F8CCFCF21}\stubpath = "C:\\Windows\\{F07B1AC7-9F22-411b-83BC-F47F8CCFCF21}.exe"	{598DA865-1D18-4db6-B81F-DE8BC847E436}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DCABAD76-B394-45cd-AE5F-1C92C494C126}	{F07B1AC7-9F22-411b-83BC-F47F8CCFCF21}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C955A74E-0D22-485c-96B7-35591FABF920}\stubpath = "C:\\Windows\\{C955A74E-0D22-485c-96B7-35591FABF920}.exe"	2024-04-20_be88e9f3659ed88417a027d48a80c7c4_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{69E5C600-8C80-4bdf-8110-1F7657803C23}	{9B66EA4D-274B-44dc-80F1-FF19A8A3FB5F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7FC51354-A9BF-4598-906F-FDEBF1E0D91B}	{F6C59B62-59BA-4143-B8FC-71CB226C8CE3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7FC51354-A9BF-4598-906F-FDEBF1E0D91B}\stubpath = "C:\\Windows\\{7FC51354-A9BF-4598-906F-FDEBF1E0D91B}.exe"	{F6C59B62-59BA-4143-B8FC-71CB226C8CE3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9B66EA4D-274B-44dc-80F1-FF19A8A3FB5F}	{E8EFE3EB-4CAA-4a7b-80D6-D7F8D90C8EEC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9B66EA4D-274B-44dc-80F1-FF19A8A3FB5F}\stubpath = "C:\\Windows\\{9B66EA4D-274B-44dc-80F1-FF19A8A3FB5F}.exe"	{E8EFE3EB-4CAA-4a7b-80D6-D7F8D90C8EEC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4FFB5297-86FF-4263-8C05-376F7CF98F8D}\stubpath = "C:\\Windows\\{4FFB5297-86FF-4263-8C05-376F7CF98F8D}.exe"	{69E5C600-8C80-4bdf-8110-1F7657803C23}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F6C59B62-59BA-4143-B8FC-71CB226C8CE3}	{4FFB5297-86FF-4263-8C05-376F7CF98F8D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F6C59B62-59BA-4143-B8FC-71CB226C8CE3}\stubpath = "C:\\Windows\\{F6C59B62-59BA-4143-B8FC-71CB226C8CE3}.exe"	{4FFB5297-86FF-4263-8C05-376F7CF98F8D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C955A74E-0D22-485c-96B7-35591FABF920}	2024-04-20_be88e9f3659ed88417a027d48a80c7c4_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{69E5C600-8C80-4bdf-8110-1F7657803C23}\stubpath = "C:\\Windows\\{69E5C600-8C80-4bdf-8110-1F7657803C23}.exe"	{9B66EA4D-274B-44dc-80F1-FF19A8A3FB5F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4FFB5297-86FF-4263-8C05-376F7CF98F8D}	{69E5C600-8C80-4bdf-8110-1F7657803C23}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6505FEFD-F9D3-4996-8FF7-5115168BF6DE}	{7FC51354-A9BF-4598-906F-FDEBF1E0D91B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6505FEFD-F9D3-4996-8FF7-5115168BF6DE}\stubpath = "C:\\Windows\\{6505FEFD-F9D3-4996-8FF7-5115168BF6DE}.exe"	{7FC51354-A9BF-4598-906F-FDEBF1E0D91B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{598DA865-1D18-4db6-B81F-DE8BC847E436}\stubpath = "C:\\Windows\\{598DA865-1D18-4db6-B81F-DE8BC847E436}.exe"	{6505FEFD-F9D3-4996-8FF7-5115168BF6DE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DCABAD76-B394-45cd-AE5F-1C92C494C126}\stubpath = "C:\\Windows\\{DCABAD76-B394-45cd-AE5F-1C92C494C126}.exe"	{F07B1AC7-9F22-411b-83BC-F47F8CCFCF21}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E8EFE3EB-4CAA-4a7b-80D6-D7F8D90C8EEC}	{C955A74E-0D22-485c-96B7-35591FABF920}.exe

Deletes itself 1 IoCs

pid	Process
2984	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2132	{C955A74E-0D22-485c-96B7-35591FABF920}.exe
2632	{E8EFE3EB-4CAA-4a7b-80D6-D7F8D90C8EEC}.exe
2808	{9B66EA4D-274B-44dc-80F1-FF19A8A3FB5F}.exe
2892	{69E5C600-8C80-4bdf-8110-1F7657803C23}.exe
2488	{4FFB5297-86FF-4263-8C05-376F7CF98F8D}.exe
2332	{F6C59B62-59BA-4143-B8FC-71CB226C8CE3}.exe
2312	{7FC51354-A9BF-4598-906F-FDEBF1E0D91B}.exe
1552	{6505FEFD-F9D3-4996-8FF7-5115168BF6DE}.exe
2912	{598DA865-1D18-4db6-B81F-DE8BC847E436}.exe
2276	{F07B1AC7-9F22-411b-83BC-F47F8CCFCF21}.exe
492	{DCABAD76-B394-45cd-AE5F-1C92C494C126}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{C955A74E-0D22-485c-96B7-35591FABF920}.exe	2024-04-20_be88e9f3659ed88417a027d48a80c7c4_goldeneye.exe
File created	C:\Windows\{7FC51354-A9BF-4598-906F-FDEBF1E0D91B}.exe	{F6C59B62-59BA-4143-B8FC-71CB226C8CE3}.exe
File created	C:\Windows\{6505FEFD-F9D3-4996-8FF7-5115168BF6DE}.exe	{7FC51354-A9BF-4598-906F-FDEBF1E0D91B}.exe
File created	C:\Windows\{598DA865-1D18-4db6-B81F-DE8BC847E436}.exe	{6505FEFD-F9D3-4996-8FF7-5115168BF6DE}.exe
File created	C:\Windows\{DCABAD76-B394-45cd-AE5F-1C92C494C126}.exe	{F07B1AC7-9F22-411b-83BC-F47F8CCFCF21}.exe
File created	C:\Windows\{E8EFE3EB-4CAA-4a7b-80D6-D7F8D90C8EEC}.exe	{C955A74E-0D22-485c-96B7-35591FABF920}.exe
File created	C:\Windows\{9B66EA4D-274B-44dc-80F1-FF19A8A3FB5F}.exe	{E8EFE3EB-4CAA-4a7b-80D6-D7F8D90C8EEC}.exe
File created	C:\Windows\{69E5C600-8C80-4bdf-8110-1F7657803C23}.exe	{9B66EA4D-274B-44dc-80F1-FF19A8A3FB5F}.exe
File created	C:\Windows\{4FFB5297-86FF-4263-8C05-376F7CF98F8D}.exe	{69E5C600-8C80-4bdf-8110-1F7657803C23}.exe
File created	C:\Windows\{F6C59B62-59BA-4143-B8FC-71CB226C8CE3}.exe	{4FFB5297-86FF-4263-8C05-376F7CF98F8D}.exe
File created	C:\Windows\{F07B1AC7-9F22-411b-83BC-F47F8CCFCF21}.exe	{598DA865-1D18-4db6-B81F-DE8BC847E436}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2968	2024-04-20_be88e9f3659ed88417a027d48a80c7c4_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2132	{C955A74E-0D22-485c-96B7-35591FABF920}.exe
Token: SeIncBasePriorityPrivilege	2632	{E8EFE3EB-4CAA-4a7b-80D6-D7F8D90C8EEC}.exe
Token: SeIncBasePriorityPrivilege	2808	{9B66EA4D-274B-44dc-80F1-FF19A8A3FB5F}.exe
Token: SeIncBasePriorityPrivilege	2892	{69E5C600-8C80-4bdf-8110-1F7657803C23}.exe
Token: SeIncBasePriorityPrivilege	2488	{4FFB5297-86FF-4263-8C05-376F7CF98F8D}.exe
Token: SeIncBasePriorityPrivilege	2332	{F6C59B62-59BA-4143-B8FC-71CB226C8CE3}.exe
Token: SeIncBasePriorityPrivilege	2312	{7FC51354-A9BF-4598-906F-FDEBF1E0D91B}.exe
Token: SeIncBasePriorityPrivilege	1552	{6505FEFD-F9D3-4996-8FF7-5115168BF6DE}.exe
Token: SeIncBasePriorityPrivilege	2912	{598DA865-1D18-4db6-B81F-DE8BC847E436}.exe
Token: SeIncBasePriorityPrivilege	2276	{F07B1AC7-9F22-411b-83BC-F47F8CCFCF21}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2968 wrote to memory of 2132	2968	2024-04-20_be88e9f3659ed88417a027d48a80c7c4_goldeneye.exe	28
PID 2968 wrote to memory of 2132	2968	2024-04-20_be88e9f3659ed88417a027d48a80c7c4_goldeneye.exe	28
PID 2968 wrote to memory of 2132	2968	2024-04-20_be88e9f3659ed88417a027d48a80c7c4_goldeneye.exe	28
PID 2968 wrote to memory of 2132	2968	2024-04-20_be88e9f3659ed88417a027d48a80c7c4_goldeneye.exe	28
PID 2968 wrote to memory of 2984	2968	2024-04-20_be88e9f3659ed88417a027d48a80c7c4_goldeneye.exe	29
PID 2968 wrote to memory of 2984	2968	2024-04-20_be88e9f3659ed88417a027d48a80c7c4_goldeneye.exe	29
PID 2968 wrote to memory of 2984	2968	2024-04-20_be88e9f3659ed88417a027d48a80c7c4_goldeneye.exe	29
PID 2968 wrote to memory of 2984	2968	2024-04-20_be88e9f3659ed88417a027d48a80c7c4_goldeneye.exe	29
PID 2132 wrote to memory of 2632	2132	{C955A74E-0D22-485c-96B7-35591FABF920}.exe	30
PID 2132 wrote to memory of 2632	2132	{C955A74E-0D22-485c-96B7-35591FABF920}.exe	30
PID 2132 wrote to memory of 2632	2132	{C955A74E-0D22-485c-96B7-35591FABF920}.exe	30
PID 2132 wrote to memory of 2632	2132	{C955A74E-0D22-485c-96B7-35591FABF920}.exe	30
PID 2132 wrote to memory of 2704	2132	{C955A74E-0D22-485c-96B7-35591FABF920}.exe	31
PID 2132 wrote to memory of 2704	2132	{C955A74E-0D22-485c-96B7-35591FABF920}.exe	31
PID 2132 wrote to memory of 2704	2132	{C955A74E-0D22-485c-96B7-35591FABF920}.exe	31
PID 2132 wrote to memory of 2704	2132	{C955A74E-0D22-485c-96B7-35591FABF920}.exe	31
PID 2632 wrote to memory of 2808	2632	{E8EFE3EB-4CAA-4a7b-80D6-D7F8D90C8EEC}.exe	32
PID 2632 wrote to memory of 2808	2632	{E8EFE3EB-4CAA-4a7b-80D6-D7F8D90C8EEC}.exe	32
PID 2632 wrote to memory of 2808	2632	{E8EFE3EB-4CAA-4a7b-80D6-D7F8D90C8EEC}.exe	32
PID 2632 wrote to memory of 2808	2632	{E8EFE3EB-4CAA-4a7b-80D6-D7F8D90C8EEC}.exe	32
PID 2632 wrote to memory of 2696	2632	{E8EFE3EB-4CAA-4a7b-80D6-D7F8D90C8EEC}.exe	33
PID 2632 wrote to memory of 2696	2632	{E8EFE3EB-4CAA-4a7b-80D6-D7F8D90C8EEC}.exe	33
PID 2632 wrote to memory of 2696	2632	{E8EFE3EB-4CAA-4a7b-80D6-D7F8D90C8EEC}.exe	33
PID 2632 wrote to memory of 2696	2632	{E8EFE3EB-4CAA-4a7b-80D6-D7F8D90C8EEC}.exe	33
PID 2808 wrote to memory of 2892	2808	{9B66EA4D-274B-44dc-80F1-FF19A8A3FB5F}.exe	36
PID 2808 wrote to memory of 2892	2808	{9B66EA4D-274B-44dc-80F1-FF19A8A3FB5F}.exe	36
PID 2808 wrote to memory of 2892	2808	{9B66EA4D-274B-44dc-80F1-FF19A8A3FB5F}.exe	36
PID 2808 wrote to memory of 2892	2808	{9B66EA4D-274B-44dc-80F1-FF19A8A3FB5F}.exe	36
PID 2808 wrote to memory of 2112	2808	{9B66EA4D-274B-44dc-80F1-FF19A8A3FB5F}.exe	37
PID 2808 wrote to memory of 2112	2808	{9B66EA4D-274B-44dc-80F1-FF19A8A3FB5F}.exe	37
PID 2808 wrote to memory of 2112	2808	{9B66EA4D-274B-44dc-80F1-FF19A8A3FB5F}.exe	37
PID 2808 wrote to memory of 2112	2808	{9B66EA4D-274B-44dc-80F1-FF19A8A3FB5F}.exe	37
PID 2892 wrote to memory of 2488	2892	{69E5C600-8C80-4bdf-8110-1F7657803C23}.exe	38
PID 2892 wrote to memory of 2488	2892	{69E5C600-8C80-4bdf-8110-1F7657803C23}.exe	38
PID 2892 wrote to memory of 2488	2892	{69E5C600-8C80-4bdf-8110-1F7657803C23}.exe	38
PID 2892 wrote to memory of 2488	2892	{69E5C600-8C80-4bdf-8110-1F7657803C23}.exe	38
PID 2892 wrote to memory of 2520	2892	{69E5C600-8C80-4bdf-8110-1F7657803C23}.exe	39
PID 2892 wrote to memory of 2520	2892	{69E5C600-8C80-4bdf-8110-1F7657803C23}.exe	39
PID 2892 wrote to memory of 2520	2892	{69E5C600-8C80-4bdf-8110-1F7657803C23}.exe	39
PID 2892 wrote to memory of 2520	2892	{69E5C600-8C80-4bdf-8110-1F7657803C23}.exe	39
PID 2488 wrote to memory of 2332	2488	{4FFB5297-86FF-4263-8C05-376F7CF98F8D}.exe	40
PID 2488 wrote to memory of 2332	2488	{4FFB5297-86FF-4263-8C05-376F7CF98F8D}.exe	40
PID 2488 wrote to memory of 2332	2488	{4FFB5297-86FF-4263-8C05-376F7CF98F8D}.exe	40
PID 2488 wrote to memory of 2332	2488	{4FFB5297-86FF-4263-8C05-376F7CF98F8D}.exe	40
PID 2488 wrote to memory of 1816	2488	{4FFB5297-86FF-4263-8C05-376F7CF98F8D}.exe	41
PID 2488 wrote to memory of 1816	2488	{4FFB5297-86FF-4263-8C05-376F7CF98F8D}.exe	41
PID 2488 wrote to memory of 1816	2488	{4FFB5297-86FF-4263-8C05-376F7CF98F8D}.exe	41
PID 2488 wrote to memory of 1816	2488	{4FFB5297-86FF-4263-8C05-376F7CF98F8D}.exe	41
PID 2332 wrote to memory of 2312	2332	{F6C59B62-59BA-4143-B8FC-71CB226C8CE3}.exe	42
PID 2332 wrote to memory of 2312	2332	{F6C59B62-59BA-4143-B8FC-71CB226C8CE3}.exe	42
PID 2332 wrote to memory of 2312	2332	{F6C59B62-59BA-4143-B8FC-71CB226C8CE3}.exe	42
PID 2332 wrote to memory of 2312	2332	{F6C59B62-59BA-4143-B8FC-71CB226C8CE3}.exe	42
PID 2332 wrote to memory of 1568	2332	{F6C59B62-59BA-4143-B8FC-71CB226C8CE3}.exe	43
PID 2332 wrote to memory of 1568	2332	{F6C59B62-59BA-4143-B8FC-71CB226C8CE3}.exe	43
PID 2332 wrote to memory of 1568	2332	{F6C59B62-59BA-4143-B8FC-71CB226C8CE3}.exe	43
PID 2332 wrote to memory of 1568	2332	{F6C59B62-59BA-4143-B8FC-71CB226C8CE3}.exe	43
PID 2312 wrote to memory of 1552	2312	{7FC51354-A9BF-4598-906F-FDEBF1E0D91B}.exe	44
PID 2312 wrote to memory of 1552	2312	{7FC51354-A9BF-4598-906F-FDEBF1E0D91B}.exe	44
PID 2312 wrote to memory of 1552	2312	{7FC51354-A9BF-4598-906F-FDEBF1E0D91B}.exe	44
PID 2312 wrote to memory of 1552	2312	{7FC51354-A9BF-4598-906F-FDEBF1E0D91B}.exe	44
PID 2312 wrote to memory of 1304	2312	{7FC51354-A9BF-4598-906F-FDEBF1E0D91B}.exe	45
PID 2312 wrote to memory of 1304	2312	{7FC51354-A9BF-4598-906F-FDEBF1E0D91B}.exe	45
PID 2312 wrote to memory of 1304	2312	{7FC51354-A9BF-4598-906F-FDEBF1E0D91B}.exe	45
PID 2312 wrote to memory of 1304	2312	{7FC51354-A9BF-4598-906F-FDEBF1E0D91B}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-04-20_be88e9f3659ed88417a027d48a80c7c4_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-20_be88e9f3659ed88417a027d48a80c7c4_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2968
- C:\Windows\{C955A74E-0D22-485c-96B7-35591FABF920}.exe
  C:\Windows\{C955A74E-0D22-485c-96B7-35591FABF920}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2132
- - C:\Windows\{E8EFE3EB-4CAA-4a7b-80D6-D7F8D90C8EEC}.exe
    C:\Windows\{E8EFE3EB-4CAA-4a7b-80D6-D7F8D90C8EEC}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2632
  - - C:\Windows\{9B66EA4D-274B-44dc-80F1-FF19A8A3FB5F}.exe
      C:\Windows\{9B66EA4D-274B-44dc-80F1-FF19A8A3FB5F}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2808
    - - C:\Windows\{69E5C600-8C80-4bdf-8110-1F7657803C23}.exe
        
        C:\Windows\{69E5C600-8C80-4bdf-8110-1F7657803C23}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2892
      - C:\Windows\{4FFB5297-86FF-4263-8C05-376F7CF98F8D}.exe
        
        C:\Windows\{4FFB5297-86FF-4263-8C05-376F7CF98F8D}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2488
        
        C:\Windows\{F6C59B62-59BA-4143-B8FC-71CB226C8CE3}.exe
        
        C:\Windows\{F6C59B62-59BA-4143-B8FC-71CB226C8CE3}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2332
        
        C:\Windows\{7FC51354-A9BF-4598-906F-FDEBF1E0D91B}.exe
        
        C:\Windows\{7FC51354-A9BF-4598-906F-FDEBF1E0D91B}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2312
        
        C:\Windows\{6505FEFD-F9D3-4996-8FF7-5115168BF6DE}.exe
        
        C:\Windows\{6505FEFD-F9D3-4996-8FF7-5115168BF6DE}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1552
        
        C:\Windows\{598DA865-1D18-4db6-B81F-DE8BC847E436}.exe
        
        C:\Windows\{598DA865-1D18-4db6-B81F-DE8BC847E436}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2912
        
        C:\Windows\{F07B1AC7-9F22-411b-83BC-F47F8CCFCF21}.exe
        
        C:\Windows\{F07B1AC7-9F22-411b-83BC-F47F8CCFCF21}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2276
        
        C:\Windows\{DCABAD76-B394-45cd-AE5F-1C92C494C126}.exe
        
        C:\Windows\{DCABAD76-B394-45cd-AE5F-1C92C494C126}.exe
        12⤵
        Executes dropped EXE
        
        PID:492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F07B1~1.EXE > nul
        12⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{598DA~1.EXE > nul
        11⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6505F~1.EXE > nul
        10⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7FC51~1.EXE > nul
        9⤵
        
        PID:1304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F6C59~1.EXE > nul
        8⤵
        
        PID:1568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4FFB5~1.EXE > nul
        7⤵
        
        PID:1816
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{69E5C~1.EXE > nul
        6⤵
        
        PID:2520
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9B66E~1.EXE > nul
        5⤵
        
        PID:2112
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{E8EFE~1.EXE > nul
      4⤵
      PID:2696
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{C955A~1.EXE > nul
    3⤵
    PID:2704
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{4FFB5297-86FF-4263-8C05-376F7CF98F8D}.exe

Filesize
372KB

MD5
a56df848b2f4a71cb30e35c7c1593bcf

SHA1
11a78b355d4b77d76b64eaec9c7abbe36b1f623b

SHA256
33d2ce68b740a40d2ee368af41cfedba25d77762b47a8b5f045699a87a2ecd4f

SHA512
799f1a8c6edddb24810e11887a885ef21c9e547618090fa4b780fa5feced994a46b28eb0f1337a15d6b58de17ecc4b585b63eb1b7ed0be6609fafbd8aed6c657

Download Submit
C:\Windows\{598DA865-1D18-4db6-B81F-DE8BC847E436}.exe

Filesize
372KB

MD5
dfdd407b1c5b4b12f14e96b233593ba3

SHA1
3ef9ebb7258cbcf290907d9172812990aa11924a

SHA256
c8b6fc70f4d24ab480fc78a6bfd287131a1a191eb6984f035e6204375127346d

SHA512
6e7be2a706b1f13b726c24e7501c5f73efe8fe95ec5b69f72ad30d5033dd1788ed4089d66d467c4be27fc4ff7bb2116feea6ac6102f807ed59085d283b79bfe9

Download Submit
C:\Windows\{6505FEFD-F9D3-4996-8FF7-5115168BF6DE}.exe

Filesize
372KB

MD5
dc71c365a9f50fe11cc79dee02a09b68

SHA1
e0596edc0f43581161b5eef1c4880d3c199858da

SHA256
de716b0c994fe14221e213071cdee449e065e8b147ec2c3032d7c764b3040813

SHA512
34f96ddacf98f538ad5c56f9891daa925cf77af737acce5116a5904ba571e6bb5a509c837990ab277931492b7292204db5adb5a3de0dab9b7456680914d1f154

Download Submit
C:\Windows\{69E5C600-8C80-4bdf-8110-1F7657803C23}.exe

Filesize
372KB

MD5
df1ece34ea5f716ac623656d4d397957

SHA1
8908ec7e15e409aa1f38c5425ccdb1c0fc6063f4

SHA256
2b1e1fab4114fe9b610cb5b8242e16bf864083fc1f7db4e75b186886b893ecf9

SHA512
6e927042f1a6bd93ee0cbd64fb46a01a4ce1c34ac1939d04f03550d38d7db6894f2a3b2835916787bb98942f734021eaa430b1f0c427f9fdf19274f6f2eda686

Download Submit
C:\Windows\{7FC51354-A9BF-4598-906F-FDEBF1E0D91B}.exe

Filesize
372KB

MD5
ec910b864d7b739ca0a9ec2b9975488d

SHA1
733fc3f4cbec6633339aa4ba4407a6fc1bbd3524

SHA256
d2499ca01d501c9fa43ec94885eb4f98b94e2bdaaee0c7a91129fddb8ebc7893

SHA512
f652a8ac41ea5db6870ff36746ef99e3ec4abb071e2a630573f6647a9f87a46dc522bbd3e824eaefdd840e0ec96a49f64c6cd41ff004fe60376c47428f999832

Download Submit
C:\Windows\{9B66EA4D-274B-44dc-80F1-FF19A8A3FB5F}.exe

Filesize
372KB

MD5
b7c59cf959a8c809103773b6d2839bf7

SHA1
76bc5aabe8fa77de10acdac5c74f73d4b72aab71

SHA256
e98afa8f6fd3c8b0b260f1fc6ec0fa0ae118185b4fc265cb94dd6de651f4ff95

SHA512
e1ec73033ab17e9c516f727c54f21b54924dfa953b293d0327d7ddc3705b7f564e2bed87637698508c0101119737ac1f8d7147b93a4bde611875b32d81e94819

Download Submit
C:\Windows\{C955A74E-0D22-485c-96B7-35591FABF920}.exe

Filesize
372KB

MD5
21e02277929e1d29d739d195cfd089b9

SHA1
744920b49af665f7a53354ba89f836cce095f212

SHA256
539d7d8d3a2c8715822bf00c4950a8fa10ea87a7c51c99d7628f9d6745150750

SHA512
e873c11a359e5e3b9422669d43a2f1e6c50a1285d91992dee8f01efc5bf9287d51f06807d0ff106684593e3dc25b5c8b5b2eb5cbde7f7364ca05d45fd89e4272

Download Submit
C:\Windows\{DCABAD76-B394-45cd-AE5F-1C92C494C126}.exe

Filesize
372KB

MD5
a314cc332c0b6fb1bf00f9a5829e61e9

SHA1
70f8d3eaaf9616e46c431730483a369a58ebf1cb

SHA256
bcd3854b271dfda11ea63f57a95336a04a65e9cd743eda4c6eae8cd07eb438ff

SHA512
098be66723881f8edd3c9ab853f0cc5abe7d5096c1754561a4ef63edacbb9baabb9887df81055821b4ae74a3c4645a21e9415a93c0ea5f5c598addb5cd3279e4

Download Submit
C:\Windows\{E8EFE3EB-4CAA-4a7b-80D6-D7F8D90C8EEC}.exe

Filesize
372KB

MD5
b6bc47fd85cb3bec9d2a1d998b794385

SHA1
da02540b35a3c2cba315ca0cad65a743ff74d1bb

SHA256
c8338bc68417aae5a0c9f22121c2877295806238827596d7a1daa558312bba56

SHA512
e413f04c0fe0be3c5a41ddc3a3f45e3fc1df5ad88a9ddc0adae225c7935fe50b6c943176eedb18f73fa5d7fe2941770401b316b9aaad1d9bfcb28cc4a6538927

Download Submit
C:\Windows\{F07B1AC7-9F22-411b-83BC-F47F8CCFCF21}.exe

Filesize
372KB

MD5
7c01ca2311305deb1d80947d84bb52a5

SHA1
de40b565364b09230b40c5e36e8958090f4f5e19

SHA256
fd30ca9fe4bfac4745fbb33bf3818c219877ed4929c7714ad2987a5c3a31e998

SHA512
7b466f2ce5d3968d529c03599941a0e407c79d21dd4d0c03d6d2bc59110ec956af08bd343699e5bdaf5431a1b533bb4a16049afd6ff2d517295694742b197c39

Download Submit
C:\Windows\{F6C59B62-59BA-4143-B8FC-71CB226C8CE3}.exe

Filesize
372KB

MD5
46eb46401ba190aa2aaf0ce222100550

SHA1
4265a97d5561b3a4281ef62082b3cc2fc547d0a8

SHA256
f3f7f35ad891b422bb0a7dffc4c440bb47caa0f84f254b9f6c65df81b0d336a4

SHA512
992dba58347e4b48b26521d8207058b12f7b56ce0639a9eec482c493e8a03a82a4454f4e493a473fa671319ebb7ef1c6a21b851801a554da45bdd4999a899dc5

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads