ab6b310086f1d741532aea2d30a2ee90a71002b2f7ead8e8ae3ff6d81851e4e2

Analysis

max time kernel
144s
max time network
123s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
21-04-2024 14:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-21_4ecfa6e51a1dab8dbdd70cc429eead73_goldeneye.exe
Size

168KB
MD5

4ecfa6e51a1dab8dbdd70cc429eead73
SHA1

1fd7a2f28be6264bbc271bd4814958ae06a7c2df
SHA256

ab6b310086f1d741532aea2d30a2ee90a71002b2f7ead8e8ae3ff6d81851e4e2
SHA512

36c9d4fbe2a7ac33abf5bd00c9251943173fbc8597c62f60600d1cc1c5beea21fe7c9184e61a67fef4838e187d3335eb9c026923f5199ee47764c6665c283527
SSDEEP

1536:1EGh0oAlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oAlqOPOe2MUVg3Ve+rX

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000a000000012252-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00080000000122bf-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b000000012252-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0036000000014b10-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000012252-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000012252-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e000000012252-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2D854C68-937C-4c95-ACC0-E680C6C90AE2}\stubpath = "C:\\Windows\\{2D854C68-937C-4c95-ACC0-E680C6C90AE2}.exe"	{52F3527E-69B0-463d-A4AD-A675BA0BB31B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{278EA016-6645-4a8e-A930-F12BC829E6B1}	{EACDE532-E463-4cc4-9FF2-7EB2559A3540}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{948910BD-8CAA-4083-80C6-8D46517F46C9}\stubpath = "C:\\Windows\\{948910BD-8CAA-4083-80C6-8D46517F46C9}.exe"	{CF296076-D7DA-4a31-943B-4C3F7F7DE42C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{077DD9C6-4A63-4684-948A-7A831B37E545}\stubpath = "C:\\Windows\\{077DD9C6-4A63-4684-948A-7A831B37E545}.exe"	{659BF444-72FD-4bb0-AD88-39E979BA6590}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EACDE532-E463-4cc4-9FF2-7EB2559A3540}\stubpath = "C:\\Windows\\{EACDE532-E463-4cc4-9FF2-7EB2559A3540}.exe"	2024-04-21_4ecfa6e51a1dab8dbdd70cc429eead73_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E31846D7-D9CA-4d0b-849F-4D7255D1BEAA}	{278EA016-6645-4a8e-A930-F12BC829E6B1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CF296076-D7DA-4a31-943B-4C3F7F7DE42C}	{E31846D7-D9CA-4d0b-849F-4D7255D1BEAA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{948910BD-8CAA-4083-80C6-8D46517F46C9}	{CF296076-D7DA-4a31-943B-4C3F7F7DE42C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{659BF444-72FD-4bb0-AD88-39E979BA6590}	{F625CEFA-2F7F-4070-976E-3A22BCAD87DC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{077DD9C6-4A63-4684-948A-7A831B37E545}	{659BF444-72FD-4bb0-AD88-39E979BA6590}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{52F3527E-69B0-463d-A4AD-A675BA0BB31B}	{077DD9C6-4A63-4684-948A-7A831B37E545}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{52F3527E-69B0-463d-A4AD-A675BA0BB31B}\stubpath = "C:\\Windows\\{52F3527E-69B0-463d-A4AD-A675BA0BB31B}.exe"	{077DD9C6-4A63-4684-948A-7A831B37E545}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EACDE532-E463-4cc4-9FF2-7EB2559A3540}	2024-04-21_4ecfa6e51a1dab8dbdd70cc429eead73_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{278EA016-6645-4a8e-A930-F12BC829E6B1}\stubpath = "C:\\Windows\\{278EA016-6645-4a8e-A930-F12BC829E6B1}.exe"	{EACDE532-E463-4cc4-9FF2-7EB2559A3540}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E31846D7-D9CA-4d0b-849F-4D7255D1BEAA}\stubpath = "C:\\Windows\\{E31846D7-D9CA-4d0b-849F-4D7255D1BEAA}.exe"	{278EA016-6645-4a8e-A930-F12BC829E6B1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2D854C68-937C-4c95-ACC0-E680C6C90AE2}	{52F3527E-69B0-463d-A4AD-A675BA0BB31B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{659BF444-72FD-4bb0-AD88-39E979BA6590}\stubpath = "C:\\Windows\\{659BF444-72FD-4bb0-AD88-39E979BA6590}.exe"	{F625CEFA-2F7F-4070-976E-3A22BCAD87DC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BC34E455-D31E-45f6-A35C-DE959641532E}	{2D854C68-937C-4c95-ACC0-E680C6C90AE2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BC34E455-D31E-45f6-A35C-DE959641532E}\stubpath = "C:\\Windows\\{BC34E455-D31E-45f6-A35C-DE959641532E}.exe"	{2D854C68-937C-4c95-ACC0-E680C6C90AE2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CF296076-D7DA-4a31-943B-4C3F7F7DE42C}\stubpath = "C:\\Windows\\{CF296076-D7DA-4a31-943B-4C3F7F7DE42C}.exe"	{E31846D7-D9CA-4d0b-849F-4D7255D1BEAA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F625CEFA-2F7F-4070-976E-3A22BCAD87DC}	{948910BD-8CAA-4083-80C6-8D46517F46C9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F625CEFA-2F7F-4070-976E-3A22BCAD87DC}\stubpath = "C:\\Windows\\{F625CEFA-2F7F-4070-976E-3A22BCAD87DC}.exe"	{948910BD-8CAA-4083-80C6-8D46517F46C9}.exe

Deletes itself 1 IoCs

pid	Process
2568	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2520	{EACDE532-E463-4cc4-9FF2-7EB2559A3540}.exe
2756	{278EA016-6645-4a8e-A930-F12BC829E6B1}.exe
2524	{E31846D7-D9CA-4d0b-849F-4D7255D1BEAA}.exe
1564	{CF296076-D7DA-4a31-943B-4C3F7F7DE42C}.exe
2316	{948910BD-8CAA-4083-80C6-8D46517F46C9}.exe
380	{F625CEFA-2F7F-4070-976E-3A22BCAD87DC}.exe
2292	{659BF444-72FD-4bb0-AD88-39E979BA6590}.exe
1376	{077DD9C6-4A63-4684-948A-7A831B37E545}.exe
2508	{52F3527E-69B0-463d-A4AD-A675BA0BB31B}.exe
600	{2D854C68-937C-4c95-ACC0-E680C6C90AE2}.exe
1812	{BC34E455-D31E-45f6-A35C-DE959641532E}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{F625CEFA-2F7F-4070-976E-3A22BCAD87DC}.exe	{948910BD-8CAA-4083-80C6-8D46517F46C9}.exe
File created	C:\Windows\{BC34E455-D31E-45f6-A35C-DE959641532E}.exe	{2D854C68-937C-4c95-ACC0-E680C6C90AE2}.exe
File created	C:\Windows\{EACDE532-E463-4cc4-9FF2-7EB2559A3540}.exe	2024-04-21_4ecfa6e51a1dab8dbdd70cc429eead73_goldeneye.exe
File created	C:\Windows\{CF296076-D7DA-4a31-943B-4C3F7F7DE42C}.exe	{E31846D7-D9CA-4d0b-849F-4D7255D1BEAA}.exe
File created	C:\Windows\{948910BD-8CAA-4083-80C6-8D46517F46C9}.exe	{CF296076-D7DA-4a31-943B-4C3F7F7DE42C}.exe
File created	C:\Windows\{659BF444-72FD-4bb0-AD88-39E979BA6590}.exe	{F625CEFA-2F7F-4070-976E-3A22BCAD87DC}.exe
File created	C:\Windows\{077DD9C6-4A63-4684-948A-7A831B37E545}.exe	{659BF444-72FD-4bb0-AD88-39E979BA6590}.exe
File created	C:\Windows\{52F3527E-69B0-463d-A4AD-A675BA0BB31B}.exe	{077DD9C6-4A63-4684-948A-7A831B37E545}.exe
File created	C:\Windows\{2D854C68-937C-4c95-ACC0-E680C6C90AE2}.exe	{52F3527E-69B0-463d-A4AD-A675BA0BB31B}.exe
File created	C:\Windows\{278EA016-6645-4a8e-A930-F12BC829E6B1}.exe	{EACDE532-E463-4cc4-9FF2-7EB2559A3540}.exe
File created	C:\Windows\{E31846D7-D9CA-4d0b-849F-4D7255D1BEAA}.exe	{278EA016-6645-4a8e-A930-F12BC829E6B1}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1888	2024-04-21_4ecfa6e51a1dab8dbdd70cc429eead73_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2520	{EACDE532-E463-4cc4-9FF2-7EB2559A3540}.exe
Token: SeIncBasePriorityPrivilege	2756	{278EA016-6645-4a8e-A930-F12BC829E6B1}.exe
Token: SeIncBasePriorityPrivilege	2524	{E31846D7-D9CA-4d0b-849F-4D7255D1BEAA}.exe
Token: SeIncBasePriorityPrivilege	1564	{CF296076-D7DA-4a31-943B-4C3F7F7DE42C}.exe
Token: SeIncBasePriorityPrivilege	2316	{948910BD-8CAA-4083-80C6-8D46517F46C9}.exe
Token: SeIncBasePriorityPrivilege	380	{F625CEFA-2F7F-4070-976E-3A22BCAD87DC}.exe
Token: SeIncBasePriorityPrivilege	2292	{659BF444-72FD-4bb0-AD88-39E979BA6590}.exe
Token: SeIncBasePriorityPrivilege	1376	{077DD9C6-4A63-4684-948A-7A831B37E545}.exe
Token: SeIncBasePriorityPrivilege	2508	{52F3527E-69B0-463d-A4AD-A675BA0BB31B}.exe
Token: SeIncBasePriorityPrivilege	600	{2D854C68-937C-4c95-ACC0-E680C6C90AE2}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1888 wrote to memory of 2520	1888	2024-04-21_4ecfa6e51a1dab8dbdd70cc429eead73_goldeneye.exe	28
PID 1888 wrote to memory of 2520	1888	2024-04-21_4ecfa6e51a1dab8dbdd70cc429eead73_goldeneye.exe	28
PID 1888 wrote to memory of 2520	1888	2024-04-21_4ecfa6e51a1dab8dbdd70cc429eead73_goldeneye.exe	28
PID 1888 wrote to memory of 2520	1888	2024-04-21_4ecfa6e51a1dab8dbdd70cc429eead73_goldeneye.exe	28
PID 1888 wrote to memory of 2568	1888	2024-04-21_4ecfa6e51a1dab8dbdd70cc429eead73_goldeneye.exe	29
PID 1888 wrote to memory of 2568	1888	2024-04-21_4ecfa6e51a1dab8dbdd70cc429eead73_goldeneye.exe	29
PID 1888 wrote to memory of 2568	1888	2024-04-21_4ecfa6e51a1dab8dbdd70cc429eead73_goldeneye.exe	29
PID 1888 wrote to memory of 2568	1888	2024-04-21_4ecfa6e51a1dab8dbdd70cc429eead73_goldeneye.exe	29
PID 2520 wrote to memory of 2756	2520	{EACDE532-E463-4cc4-9FF2-7EB2559A3540}.exe	30
PID 2520 wrote to memory of 2756	2520	{EACDE532-E463-4cc4-9FF2-7EB2559A3540}.exe	30
PID 2520 wrote to memory of 2756	2520	{EACDE532-E463-4cc4-9FF2-7EB2559A3540}.exe	30
PID 2520 wrote to memory of 2756	2520	{EACDE532-E463-4cc4-9FF2-7EB2559A3540}.exe	30
PID 2520 wrote to memory of 2648	2520	{EACDE532-E463-4cc4-9FF2-7EB2559A3540}.exe	31
PID 2520 wrote to memory of 2648	2520	{EACDE532-E463-4cc4-9FF2-7EB2559A3540}.exe	31
PID 2520 wrote to memory of 2648	2520	{EACDE532-E463-4cc4-9FF2-7EB2559A3540}.exe	31
PID 2520 wrote to memory of 2648	2520	{EACDE532-E463-4cc4-9FF2-7EB2559A3540}.exe	31
PID 2756 wrote to memory of 2524	2756	{278EA016-6645-4a8e-A930-F12BC829E6B1}.exe	32
PID 2756 wrote to memory of 2524	2756	{278EA016-6645-4a8e-A930-F12BC829E6B1}.exe	32
PID 2756 wrote to memory of 2524	2756	{278EA016-6645-4a8e-A930-F12BC829E6B1}.exe	32
PID 2756 wrote to memory of 2524	2756	{278EA016-6645-4a8e-A930-F12BC829E6B1}.exe	32
PID 2756 wrote to memory of 2412	2756	{278EA016-6645-4a8e-A930-F12BC829E6B1}.exe	33
PID 2756 wrote to memory of 2412	2756	{278EA016-6645-4a8e-A930-F12BC829E6B1}.exe	33
PID 2756 wrote to memory of 2412	2756	{278EA016-6645-4a8e-A930-F12BC829E6B1}.exe	33
PID 2756 wrote to memory of 2412	2756	{278EA016-6645-4a8e-A930-F12BC829E6B1}.exe	33
PID 2524 wrote to memory of 1564	2524	{E31846D7-D9CA-4d0b-849F-4D7255D1BEAA}.exe	36
PID 2524 wrote to memory of 1564	2524	{E31846D7-D9CA-4d0b-849F-4D7255D1BEAA}.exe	36
PID 2524 wrote to memory of 1564	2524	{E31846D7-D9CA-4d0b-849F-4D7255D1BEAA}.exe	36
PID 2524 wrote to memory of 1564	2524	{E31846D7-D9CA-4d0b-849F-4D7255D1BEAA}.exe	36
PID 2524 wrote to memory of 1536	2524	{E31846D7-D9CA-4d0b-849F-4D7255D1BEAA}.exe	37
PID 2524 wrote to memory of 1536	2524	{E31846D7-D9CA-4d0b-849F-4D7255D1BEAA}.exe	37
PID 2524 wrote to memory of 1536	2524	{E31846D7-D9CA-4d0b-849F-4D7255D1BEAA}.exe	37
PID 2524 wrote to memory of 1536	2524	{E31846D7-D9CA-4d0b-849F-4D7255D1BEAA}.exe	37
PID 1564 wrote to memory of 2316	1564	{CF296076-D7DA-4a31-943B-4C3F7F7DE42C}.exe	38
PID 1564 wrote to memory of 2316	1564	{CF296076-D7DA-4a31-943B-4C3F7F7DE42C}.exe	38
PID 1564 wrote to memory of 2316	1564	{CF296076-D7DA-4a31-943B-4C3F7F7DE42C}.exe	38
PID 1564 wrote to memory of 2316	1564	{CF296076-D7DA-4a31-943B-4C3F7F7DE42C}.exe	38
PID 1564 wrote to memory of 2332	1564	{CF296076-D7DA-4a31-943B-4C3F7F7DE42C}.exe	39
PID 1564 wrote to memory of 2332	1564	{CF296076-D7DA-4a31-943B-4C3F7F7DE42C}.exe	39
PID 1564 wrote to memory of 2332	1564	{CF296076-D7DA-4a31-943B-4C3F7F7DE42C}.exe	39
PID 1564 wrote to memory of 2332	1564	{CF296076-D7DA-4a31-943B-4C3F7F7DE42C}.exe	39
PID 2316 wrote to memory of 380	2316	{948910BD-8CAA-4083-80C6-8D46517F46C9}.exe	40
PID 2316 wrote to memory of 380	2316	{948910BD-8CAA-4083-80C6-8D46517F46C9}.exe	40
PID 2316 wrote to memory of 380	2316	{948910BD-8CAA-4083-80C6-8D46517F46C9}.exe	40
PID 2316 wrote to memory of 380	2316	{948910BD-8CAA-4083-80C6-8D46517F46C9}.exe	40
PID 2316 wrote to memory of 1084	2316	{948910BD-8CAA-4083-80C6-8D46517F46C9}.exe	41
PID 2316 wrote to memory of 1084	2316	{948910BD-8CAA-4083-80C6-8D46517F46C9}.exe	41
PID 2316 wrote to memory of 1084	2316	{948910BD-8CAA-4083-80C6-8D46517F46C9}.exe	41
PID 2316 wrote to memory of 1084	2316	{948910BD-8CAA-4083-80C6-8D46517F46C9}.exe	41
PID 380 wrote to memory of 2292	380	{F625CEFA-2F7F-4070-976E-3A22BCAD87DC}.exe	42
PID 380 wrote to memory of 2292	380	{F625CEFA-2F7F-4070-976E-3A22BCAD87DC}.exe	42
PID 380 wrote to memory of 2292	380	{F625CEFA-2F7F-4070-976E-3A22BCAD87DC}.exe	42
PID 380 wrote to memory of 2292	380	{F625CEFA-2F7F-4070-976E-3A22BCAD87DC}.exe	42
PID 380 wrote to memory of 1676	380	{F625CEFA-2F7F-4070-976E-3A22BCAD87DC}.exe	43
PID 380 wrote to memory of 1676	380	{F625CEFA-2F7F-4070-976E-3A22BCAD87DC}.exe	43
PID 380 wrote to memory of 1676	380	{F625CEFA-2F7F-4070-976E-3A22BCAD87DC}.exe	43
PID 380 wrote to memory of 1676	380	{F625CEFA-2F7F-4070-976E-3A22BCAD87DC}.exe	43
PID 2292 wrote to memory of 1376	2292	{659BF444-72FD-4bb0-AD88-39E979BA6590}.exe	44
PID 2292 wrote to memory of 1376	2292	{659BF444-72FD-4bb0-AD88-39E979BA6590}.exe	44
PID 2292 wrote to memory of 1376	2292	{659BF444-72FD-4bb0-AD88-39E979BA6590}.exe	44
PID 2292 wrote to memory of 1376	2292	{659BF444-72FD-4bb0-AD88-39E979BA6590}.exe	44
PID 2292 wrote to memory of 1708	2292	{659BF444-72FD-4bb0-AD88-39E979BA6590}.exe	45
PID 2292 wrote to memory of 1708	2292	{659BF444-72FD-4bb0-AD88-39E979BA6590}.exe	45
PID 2292 wrote to memory of 1708	2292	{659BF444-72FD-4bb0-AD88-39E979BA6590}.exe	45
PID 2292 wrote to memory of 1708	2292	{659BF444-72FD-4bb0-AD88-39E979BA6590}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-04-21_4ecfa6e51a1dab8dbdd70cc429eead73_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-21_4ecfa6e51a1dab8dbdd70cc429eead73_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1888
- C:\Windows\{EACDE532-E463-4cc4-9FF2-7EB2559A3540}.exe
  C:\Windows\{EACDE532-E463-4cc4-9FF2-7EB2559A3540}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2520
- - C:\Windows\{278EA016-6645-4a8e-A930-F12BC829E6B1}.exe
    C:\Windows\{278EA016-6645-4a8e-A930-F12BC829E6B1}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2756
  - - C:\Windows\{E31846D7-D9CA-4d0b-849F-4D7255D1BEAA}.exe
      C:\Windows\{E31846D7-D9CA-4d0b-849F-4D7255D1BEAA}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2524
    - - C:\Windows\{CF296076-D7DA-4a31-943B-4C3F7F7DE42C}.exe
        
        C:\Windows\{CF296076-D7DA-4a31-943B-4C3F7F7DE42C}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1564
      - C:\Windows\{948910BD-8CAA-4083-80C6-8D46517F46C9}.exe
        
        C:\Windows\{948910BD-8CAA-4083-80C6-8D46517F46C9}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2316
        
        C:\Windows\{F625CEFA-2F7F-4070-976E-3A22BCAD87DC}.exe
        
        C:\Windows\{F625CEFA-2F7F-4070-976E-3A22BCAD87DC}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:380
        
        C:\Windows\{659BF444-72FD-4bb0-AD88-39E979BA6590}.exe
        
        C:\Windows\{659BF444-72FD-4bb0-AD88-39E979BA6590}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2292
        
        C:\Windows\{077DD9C6-4A63-4684-948A-7A831B37E545}.exe
        
        C:\Windows\{077DD9C6-4A63-4684-948A-7A831B37E545}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1376
        
        C:\Windows\{52F3527E-69B0-463d-A4AD-A675BA0BB31B}.exe
        
        C:\Windows\{52F3527E-69B0-463d-A4AD-A675BA0BB31B}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2508
        
        C:\Windows\{2D854C68-937C-4c95-ACC0-E680C6C90AE2}.exe
        
        C:\Windows\{2D854C68-937C-4c95-ACC0-E680C6C90AE2}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:600
        
        C:\Windows\{BC34E455-D31E-45f6-A35C-DE959641532E}.exe
        
        C:\Windows\{BC34E455-D31E-45f6-A35C-DE959641532E}.exe
        12⤵
        Executes dropped EXE
        
        PID:1812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2D854~1.EXE > nul
        12⤵
        
        PID:556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{52F35~1.EXE > nul
        11⤵
        
        PID:816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{077DD~1.EXE > nul
        10⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{659BF~1.EXE > nul
        9⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F625C~1.EXE > nul
        8⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{94891~1.EXE > nul
        7⤵
        
        PID:1084
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CF296~1.EXE > nul
        6⤵
        
        PID:2332
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E3184~1.EXE > nul
        5⤵
        
        PID:1536
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{278EA~1.EXE > nul
      4⤵
      PID:2412
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{EACDE~1.EXE > nul
    3⤵
    PID:2648
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{077DD9C6-4A63-4684-948A-7A831B37E545}.exe

Filesize
168KB

MD5
fa432bf2b17a2f45765f96124f8bbbdf

SHA1
e7116f2641f317c775e54b092a774bf8ebf7098e

SHA256
4fb35501ea43a91dc08f564922d865a854ad4f4bae45fa6f2b048e0369a108ed

SHA512
646bd68bd41113edadfb88a265bca76b3e3271148404c5c67620ca3a5c966b3be5fa236b07ba8001fe042ad6b8b17c484807577d2e1db2ae8c8ffcd9d2a9d654

Download Submit
C:\Windows\{278EA016-6645-4a8e-A930-F12BC829E6B1}.exe

Filesize
168KB

MD5
7ff680716782d26a1ef3093913f9bd32

SHA1
7f3ccb33da6aeaa41e6f5ca82b40d1e4aecaca6e

SHA256
854f21370c9734d9def019965187d3cd375f60b8aff981ee16cfcd689fce6295

SHA512
c0e21d99ed5feda92c0005d71a71da6b8d4800561106679f6c689f4bdadb56aa3f7231fa3c78659382cd737c1daf75decbd3330517c06ec6e9e88ed1663e35c8

Download Submit
C:\Windows\{2D854C68-937C-4c95-ACC0-E680C6C90AE2}.exe

Filesize
168KB

MD5
064175d71dd38021d05ea29798f712a1

SHA1
7f97fe7416f7b0d5421a8c860cacb597ec736375

SHA256
d9f64f58ce6dbda9d4a3b7a4ae0fea20b8cf74d254c0280c78ba6114a72fe448

SHA512
7ca48e93dca767d25326f2c85d6d0e856841fe5e965d221887f88f5c8dd7a81ea6008ee64fd16d1f7d67fa20c053be55426ed56335f1cbba31f5fcde04fb9057

Download Submit
C:\Windows\{52F3527E-69B0-463d-A4AD-A675BA0BB31B}.exe

Filesize
168KB

MD5
09ba98f598aa34beab50d9f8d8b6826c

SHA1
f7224dc089427f6e05d3b489d61ff77329cdf777

SHA256
d8762c9263bee848e80d68144a12492ad2cbc02a9ff9e737c175689cfeeb70e5

SHA512
233b321b501896807643a024e6b14c2d6befd3c92f78390550b580ea138c4bb1806b8eed910fd40949364847a191603cdd7519e5c76d79350791616df0e5393d

Download Submit
C:\Windows\{659BF444-72FD-4bb0-AD88-39E979BA6590}.exe

Filesize
168KB

MD5
8bb34ad91417cf5b0bef9bb93818918a

SHA1
2b9af0464ec376b28c1bada06cd81dadba02425a

SHA256
216d2216d73c8e6a653285fb5c7946fc42b90475f2b334388f8e9adf2554c731

SHA512
37d54ea58a439f60bfe72c5de43f880d713edcc96d1c850c1c3612d7f16fee6dcce90539e84470328f62366f9d8bad3cecd2006684af982b5f01b17ceac99f1d

Download Submit
C:\Windows\{948910BD-8CAA-4083-80C6-8D46517F46C9}.exe

Filesize
168KB

MD5
b5897036921db7ef84dc6504a57339a7

SHA1
e47845ae8989b843542c8cb0111201d3f298e0e1

SHA256
5fca221ca29f182c6e07467ea6d89377390275a66a54516de23f6b45861102e9

SHA512
29bd3b4850601492017781a7a8f270f32fd8371a4c90ad21ac1230c8da991300df689b09daa8cb0cf1d0f3994ed43f82f8203189878557d1696b7d8c5c05099f

Download Submit
C:\Windows\{BC34E455-D31E-45f6-A35C-DE959641532E}.exe

Filesize
168KB

MD5
014af516cf0abb86203b3daf74d2f2cf

SHA1
d25c0a3f245d654b16f759daa62fa0aa91e0831e

SHA256
da33c4ae348e710ae603cbace2f506bd77f747ad740d0e39171d0bec3e526766

SHA512
e30112c6ac5fb02c30e0a986cba5487c1ed0b926cb29d98ec0660df47a9b9a8fed5b79c16ebd99fb088250a9b085d4f0aad0e9222c2178da904258a2769e29b6

Download Submit
C:\Windows\{CF296076-D7DA-4a31-943B-4C3F7F7DE42C}.exe

Filesize
168KB

MD5
bb472a5b64d5cf5462ec6e354f629d56

SHA1
65e08707f868a791c005b7c973efe8e46a21cc2b

SHA256
394cd464136820fb508ad6945948e9c5686eafc5564a3b235db97a3ddf7ac99a

SHA512
156fed229fb83ac154a7e54bff8ad798d1631c159ec268083c1cd2ba102fbe6f5674e1fe4cce2805980948e47412a342d753d75aab163c6747ac2292292ed9dc

Download Submit
C:\Windows\{E31846D7-D9CA-4d0b-849F-4D7255D1BEAA}.exe

Filesize
168KB

MD5
9982d1423d89426a5d4db08e77103b8d

SHA1
ba6cdbca733cc3c2a7aa69b4530196dd175cfae8

SHA256
f765cc6cb749e9330b6007e14c439ad1855a01fa87e842f64f5f7c034e5d2e2a

SHA512
28c26edaa7e7d1cf95bd5fcbe0e7df4f06ab2da2aa6ef4e83e63ae9fd118d884cb8bdfa4f659bcfc3d00dc5536ab712e4aaf48c013aba012ca86a6a9a23da72c

Download Submit
C:\Windows\{EACDE532-E463-4cc4-9FF2-7EB2559A3540}.exe

Filesize
168KB

MD5
1bed185e2c7867888e9a2cbdc2fb4c14

SHA1
c98198773214a33a9e09aecfb914695475112ac1

SHA256
ff927083598178f9180b14727c3c721838dc1caee702cd676aff0acdb003e82c

SHA512
93a1ecc9a7d99e68fa8e9ca2068d847054f70794f03cccbfac9da40c0082b68751ae4db62d5afd1b1aed2e2988965703b6f13c6332250b40a51bc3e85483c3f6

Download Submit
C:\Windows\{F625CEFA-2F7F-4070-976E-3A22BCAD87DC}.exe

Filesize
168KB

MD5
dbef176ad9fb8b1f428c78b1c40ec2b0

SHA1
1081a6bedbfd8272d4dbd2f061f8bb2ebbcf5eb0

SHA256
3a9b1dbf75677c1c0506964a475bae876a83678574ab65be3ed0120573cbd7e6

SHA512
ad7987ace46b6b0184a03ea6118318c159009ed8a1819be4355d9e7be58d7c8cbaeddb310d604d2881eb41eb1525b30bcc7fdfb98048f8b2e4aaf7aa9c16d4ea

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads