48b98791455a8ab063992a86fb34dcc66aae1ae689f60c2ac0079f8d7be6ae38

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
21/04/2024, 19:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-21_3e12ceb3b4c42a693159562cf68f3470_goldeneye.exe
Size

408KB
MD5

3e12ceb3b4c42a693159562cf68f3470
SHA1

1110cef0f6bafa3c719b487e13b944cfe8d45163
SHA256

48b98791455a8ab063992a86fb34dcc66aae1ae689f60c2ac0079f8d7be6ae38
SHA512

76b202110f5ffd9d419520f878fcda70781624b404afe549416b5dd9dd7cf9761aebef11ffe41f84282283e5feb94003b86f60f7356855a34078d1bf89019ac9
SSDEEP

3072:CEGh0oNl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBft:CEGjldOe2MUVg3vTeKcAEciTBqr3jy9

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000c000000012257-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b000000014230-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000012257-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e000000012257-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f000000012257-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0010000000012257-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0011000000012257-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{38F787C2-8D56-43fb-BF76-ECD0E85D5E53}\stubpath = "C:\\Windows\\{38F787C2-8D56-43fb-BF76-ECD0E85D5E53}.exe"	{83FA110B-6DE5-436d-B153-E6BB2ADB317F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{69C900E6-C855-46da-8CB1-EF062A6BD381}	{38F787C2-8D56-43fb-BF76-ECD0E85D5E53}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3C0F27D3-787F-49ad-A8B6-B713402FE5F6}\stubpath = "C:\\Windows\\{3C0F27D3-787F-49ad-A8B6-B713402FE5F6}.exe"	2024-04-21_3e12ceb3b4c42a693159562cf68f3470_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{83FA110B-6DE5-436d-B153-E6BB2ADB317F}	{2E7C5BB1-BF38-4bcc-8E5C-D22C9446B0D1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{38F787C2-8D56-43fb-BF76-ECD0E85D5E53}	{83FA110B-6DE5-436d-B153-E6BB2ADB317F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FFE3E83A-F576-4876-B930-CC1E654345A4}\stubpath = "C:\\Windows\\{FFE3E83A-F576-4876-B930-CC1E654345A4}.exe"	{69C900E6-C855-46da-8CB1-EF062A6BD381}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{73D643C0-EB9F-4c7d-BDD2-B23C91A3C8A5}\stubpath = "C:\\Windows\\{73D643C0-EB9F-4c7d-BDD2-B23C91A3C8A5}.exe"	{3C0F27D3-787F-49ad-A8B6-B713402FE5F6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2E7C5BB1-BF38-4bcc-8E5C-D22C9446B0D1}	{73D643C0-EB9F-4c7d-BDD2-B23C91A3C8A5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{69C900E6-C855-46da-8CB1-EF062A6BD381}\stubpath = "C:\\Windows\\{69C900E6-C855-46da-8CB1-EF062A6BD381}.exe"	{38F787C2-8D56-43fb-BF76-ECD0E85D5E53}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6205B6FB-7241-4b23-9DA7-4B217A6BBCAC}\stubpath = "C:\\Windows\\{6205B6FB-7241-4b23-9DA7-4B217A6BBCAC}.exe"	{53FEF917-A3C9-457b-9D9B-ABC60005F8DE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F7EE2508-02A9-475b-8E8D-DF754E5A1481}	{6205B6FB-7241-4b23-9DA7-4B217A6BBCAC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2E7C5BB1-BF38-4bcc-8E5C-D22C9446B0D1}\stubpath = "C:\\Windows\\{2E7C5BB1-BF38-4bcc-8E5C-D22C9446B0D1}.exe"	{73D643C0-EB9F-4c7d-BDD2-B23C91A3C8A5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FFE3E83A-F576-4876-B930-CC1E654345A4}	{69C900E6-C855-46da-8CB1-EF062A6BD381}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{53FEF917-A3C9-457b-9D9B-ABC60005F8DE}	{FFE3E83A-F576-4876-B930-CC1E654345A4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{53FEF917-A3C9-457b-9D9B-ABC60005F8DE}\stubpath = "C:\\Windows\\{53FEF917-A3C9-457b-9D9B-ABC60005F8DE}.exe"	{FFE3E83A-F576-4876-B930-CC1E654345A4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6205B6FB-7241-4b23-9DA7-4B217A6BBCAC}	{53FEF917-A3C9-457b-9D9B-ABC60005F8DE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F7EE2508-02A9-475b-8E8D-DF754E5A1481}\stubpath = "C:\\Windows\\{F7EE2508-02A9-475b-8E8D-DF754E5A1481}.exe"	{6205B6FB-7241-4b23-9DA7-4B217A6BBCAC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A8CC416A-5F67-46a1-BD08-7C4EAF6EBBC3}	{F7EE2508-02A9-475b-8E8D-DF754E5A1481}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A8CC416A-5F67-46a1-BD08-7C4EAF6EBBC3}\stubpath = "C:\\Windows\\{A8CC416A-5F67-46a1-BD08-7C4EAF6EBBC3}.exe"	{F7EE2508-02A9-475b-8E8D-DF754E5A1481}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3C0F27D3-787F-49ad-A8B6-B713402FE5F6}	2024-04-21_3e12ceb3b4c42a693159562cf68f3470_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{73D643C0-EB9F-4c7d-BDD2-B23C91A3C8A5}	{3C0F27D3-787F-49ad-A8B6-B713402FE5F6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{83FA110B-6DE5-436d-B153-E6BB2ADB317F}\stubpath = "C:\\Windows\\{83FA110B-6DE5-436d-B153-E6BB2ADB317F}.exe"	{2E7C5BB1-BF38-4bcc-8E5C-D22C9446B0D1}.exe

Deletes itself 1 IoCs

pid	Process
3008	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
1988	{3C0F27D3-787F-49ad-A8B6-B713402FE5F6}.exe
2640	{73D643C0-EB9F-4c7d-BDD2-B23C91A3C8A5}.exe
2072	{2E7C5BB1-BF38-4bcc-8E5C-D22C9446B0D1}.exe
2144	{83FA110B-6DE5-436d-B153-E6BB2ADB317F}.exe
2760	{38F787C2-8D56-43fb-BF76-ECD0E85D5E53}.exe
1808	{69C900E6-C855-46da-8CB1-EF062A6BD381}.exe
1060	{FFE3E83A-F576-4876-B930-CC1E654345A4}.exe
556	{53FEF917-A3C9-457b-9D9B-ABC60005F8DE}.exe
2944	{6205B6FB-7241-4b23-9DA7-4B217A6BBCAC}.exe
2924	{F7EE2508-02A9-475b-8E8D-DF754E5A1481}.exe
2296	{A8CC416A-5F67-46a1-BD08-7C4EAF6EBBC3}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{3C0F27D3-787F-49ad-A8B6-B713402FE5F6}.exe	2024-04-21_3e12ceb3b4c42a693159562cf68f3470_goldeneye.exe
File created	C:\Windows\{73D643C0-EB9F-4c7d-BDD2-B23C91A3C8A5}.exe	{3C0F27D3-787F-49ad-A8B6-B713402FE5F6}.exe
File created	C:\Windows\{83FA110B-6DE5-436d-B153-E6BB2ADB317F}.exe	{2E7C5BB1-BF38-4bcc-8E5C-D22C9446B0D1}.exe
File created	C:\Windows\{38F787C2-8D56-43fb-BF76-ECD0E85D5E53}.exe	{83FA110B-6DE5-436d-B153-E6BB2ADB317F}.exe
File created	C:\Windows\{F7EE2508-02A9-475b-8E8D-DF754E5A1481}.exe	{6205B6FB-7241-4b23-9DA7-4B217A6BBCAC}.exe
File created	C:\Windows\{2E7C5BB1-BF38-4bcc-8E5C-D22C9446B0D1}.exe	{73D643C0-EB9F-4c7d-BDD2-B23C91A3C8A5}.exe
File created	C:\Windows\{69C900E6-C855-46da-8CB1-EF062A6BD381}.exe	{38F787C2-8D56-43fb-BF76-ECD0E85D5E53}.exe
File created	C:\Windows\{FFE3E83A-F576-4876-B930-CC1E654345A4}.exe	{69C900E6-C855-46da-8CB1-EF062A6BD381}.exe
File created	C:\Windows\{53FEF917-A3C9-457b-9D9B-ABC60005F8DE}.exe	{FFE3E83A-F576-4876-B930-CC1E654345A4}.exe
File created	C:\Windows\{6205B6FB-7241-4b23-9DA7-4B217A6BBCAC}.exe	{53FEF917-A3C9-457b-9D9B-ABC60005F8DE}.exe
File created	C:\Windows\{A8CC416A-5F67-46a1-BD08-7C4EAF6EBBC3}.exe	{F7EE2508-02A9-475b-8E8D-DF754E5A1481}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2676	2024-04-21_3e12ceb3b4c42a693159562cf68f3470_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1988	{3C0F27D3-787F-49ad-A8B6-B713402FE5F6}.exe
Token: SeIncBasePriorityPrivilege	2640	{73D643C0-EB9F-4c7d-BDD2-B23C91A3C8A5}.exe
Token: SeIncBasePriorityPrivilege	2072	{2E7C5BB1-BF38-4bcc-8E5C-D22C9446B0D1}.exe
Token: SeIncBasePriorityPrivilege	2144	{83FA110B-6DE5-436d-B153-E6BB2ADB317F}.exe
Token: SeIncBasePriorityPrivilege	2760	{38F787C2-8D56-43fb-BF76-ECD0E85D5E53}.exe
Token: SeIncBasePriorityPrivilege	1808	{69C900E6-C855-46da-8CB1-EF062A6BD381}.exe
Token: SeIncBasePriorityPrivilege	1060	{FFE3E83A-F576-4876-B930-CC1E654345A4}.exe
Token: SeIncBasePriorityPrivilege	556	{53FEF917-A3C9-457b-9D9B-ABC60005F8DE}.exe
Token: SeIncBasePriorityPrivilege	2944	{6205B6FB-7241-4b23-9DA7-4B217A6BBCAC}.exe
Token: SeIncBasePriorityPrivilege	2924	{F7EE2508-02A9-475b-8E8D-DF754E5A1481}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2676 wrote to memory of 1988	2676	2024-04-21_3e12ceb3b4c42a693159562cf68f3470_goldeneye.exe	28
PID 2676 wrote to memory of 1988	2676	2024-04-21_3e12ceb3b4c42a693159562cf68f3470_goldeneye.exe	28
PID 2676 wrote to memory of 1988	2676	2024-04-21_3e12ceb3b4c42a693159562cf68f3470_goldeneye.exe	28
PID 2676 wrote to memory of 1988	2676	2024-04-21_3e12ceb3b4c42a693159562cf68f3470_goldeneye.exe	28
PID 2676 wrote to memory of 3008	2676	2024-04-21_3e12ceb3b4c42a693159562cf68f3470_goldeneye.exe	29
PID 2676 wrote to memory of 3008	2676	2024-04-21_3e12ceb3b4c42a693159562cf68f3470_goldeneye.exe	29
PID 2676 wrote to memory of 3008	2676	2024-04-21_3e12ceb3b4c42a693159562cf68f3470_goldeneye.exe	29
PID 2676 wrote to memory of 3008	2676	2024-04-21_3e12ceb3b4c42a693159562cf68f3470_goldeneye.exe	29
PID 1988 wrote to memory of 2640	1988	{3C0F27D3-787F-49ad-A8B6-B713402FE5F6}.exe	30
PID 1988 wrote to memory of 2640	1988	{3C0F27D3-787F-49ad-A8B6-B713402FE5F6}.exe	30
PID 1988 wrote to memory of 2640	1988	{3C0F27D3-787F-49ad-A8B6-B713402FE5F6}.exe	30
PID 1988 wrote to memory of 2640	1988	{3C0F27D3-787F-49ad-A8B6-B713402FE5F6}.exe	30
PID 1988 wrote to memory of 2568	1988	{3C0F27D3-787F-49ad-A8B6-B713402FE5F6}.exe	31
PID 1988 wrote to memory of 2568	1988	{3C0F27D3-787F-49ad-A8B6-B713402FE5F6}.exe	31
PID 1988 wrote to memory of 2568	1988	{3C0F27D3-787F-49ad-A8B6-B713402FE5F6}.exe	31
PID 1988 wrote to memory of 2568	1988	{3C0F27D3-787F-49ad-A8B6-B713402FE5F6}.exe	31
PID 2640 wrote to memory of 2072	2640	{73D643C0-EB9F-4c7d-BDD2-B23C91A3C8A5}.exe	32
PID 2640 wrote to memory of 2072	2640	{73D643C0-EB9F-4c7d-BDD2-B23C91A3C8A5}.exe	32
PID 2640 wrote to memory of 2072	2640	{73D643C0-EB9F-4c7d-BDD2-B23C91A3C8A5}.exe	32
PID 2640 wrote to memory of 2072	2640	{73D643C0-EB9F-4c7d-BDD2-B23C91A3C8A5}.exe	32
PID 2640 wrote to memory of 2748	2640	{73D643C0-EB9F-4c7d-BDD2-B23C91A3C8A5}.exe	33
PID 2640 wrote to memory of 2748	2640	{73D643C0-EB9F-4c7d-BDD2-B23C91A3C8A5}.exe	33
PID 2640 wrote to memory of 2748	2640	{73D643C0-EB9F-4c7d-BDD2-B23C91A3C8A5}.exe	33
PID 2640 wrote to memory of 2748	2640	{73D643C0-EB9F-4c7d-BDD2-B23C91A3C8A5}.exe	33
PID 2072 wrote to memory of 2144	2072	{2E7C5BB1-BF38-4bcc-8E5C-D22C9446B0D1}.exe	36
PID 2072 wrote to memory of 2144	2072	{2E7C5BB1-BF38-4bcc-8E5C-D22C9446B0D1}.exe	36
PID 2072 wrote to memory of 2144	2072	{2E7C5BB1-BF38-4bcc-8E5C-D22C9446B0D1}.exe	36
PID 2072 wrote to memory of 2144	2072	{2E7C5BB1-BF38-4bcc-8E5C-D22C9446B0D1}.exe	36
PID 2072 wrote to memory of 2020	2072	{2E7C5BB1-BF38-4bcc-8E5C-D22C9446B0D1}.exe	37
PID 2072 wrote to memory of 2020	2072	{2E7C5BB1-BF38-4bcc-8E5C-D22C9446B0D1}.exe	37
PID 2072 wrote to memory of 2020	2072	{2E7C5BB1-BF38-4bcc-8E5C-D22C9446B0D1}.exe	37
PID 2072 wrote to memory of 2020	2072	{2E7C5BB1-BF38-4bcc-8E5C-D22C9446B0D1}.exe	37
PID 2144 wrote to memory of 2760	2144	{83FA110B-6DE5-436d-B153-E6BB2ADB317F}.exe	38
PID 2144 wrote to memory of 2760	2144	{83FA110B-6DE5-436d-B153-E6BB2ADB317F}.exe	38
PID 2144 wrote to memory of 2760	2144	{83FA110B-6DE5-436d-B153-E6BB2ADB317F}.exe	38
PID 2144 wrote to memory of 2760	2144	{83FA110B-6DE5-436d-B153-E6BB2ADB317F}.exe	38
PID 2144 wrote to memory of 2776	2144	{83FA110B-6DE5-436d-B153-E6BB2ADB317F}.exe	39
PID 2144 wrote to memory of 2776	2144	{83FA110B-6DE5-436d-B153-E6BB2ADB317F}.exe	39
PID 2144 wrote to memory of 2776	2144	{83FA110B-6DE5-436d-B153-E6BB2ADB317F}.exe	39
PID 2144 wrote to memory of 2776	2144	{83FA110B-6DE5-436d-B153-E6BB2ADB317F}.exe	39
PID 2760 wrote to memory of 1808	2760	{38F787C2-8D56-43fb-BF76-ECD0E85D5E53}.exe	40
PID 2760 wrote to memory of 1808	2760	{38F787C2-8D56-43fb-BF76-ECD0E85D5E53}.exe	40
PID 2760 wrote to memory of 1808	2760	{38F787C2-8D56-43fb-BF76-ECD0E85D5E53}.exe	40
PID 2760 wrote to memory of 1808	2760	{38F787C2-8D56-43fb-BF76-ECD0E85D5E53}.exe	40
PID 2760 wrote to memory of 2012	2760	{38F787C2-8D56-43fb-BF76-ECD0E85D5E53}.exe	41
PID 2760 wrote to memory of 2012	2760	{38F787C2-8D56-43fb-BF76-ECD0E85D5E53}.exe	41
PID 2760 wrote to memory of 2012	2760	{38F787C2-8D56-43fb-BF76-ECD0E85D5E53}.exe	41
PID 2760 wrote to memory of 2012	2760	{38F787C2-8D56-43fb-BF76-ECD0E85D5E53}.exe	41
PID 1808 wrote to memory of 1060	1808	{69C900E6-C855-46da-8CB1-EF062A6BD381}.exe	42
PID 1808 wrote to memory of 1060	1808	{69C900E6-C855-46da-8CB1-EF062A6BD381}.exe	42
PID 1808 wrote to memory of 1060	1808	{69C900E6-C855-46da-8CB1-EF062A6BD381}.exe	42
PID 1808 wrote to memory of 1060	1808	{69C900E6-C855-46da-8CB1-EF062A6BD381}.exe	42
PID 1808 wrote to memory of 1752	1808	{69C900E6-C855-46da-8CB1-EF062A6BD381}.exe	43
PID 1808 wrote to memory of 1752	1808	{69C900E6-C855-46da-8CB1-EF062A6BD381}.exe	43
PID 1808 wrote to memory of 1752	1808	{69C900E6-C855-46da-8CB1-EF062A6BD381}.exe	43
PID 1808 wrote to memory of 1752	1808	{69C900E6-C855-46da-8CB1-EF062A6BD381}.exe	43
PID 1060 wrote to memory of 556	1060	{FFE3E83A-F576-4876-B930-CC1E654345A4}.exe	44
PID 1060 wrote to memory of 556	1060	{FFE3E83A-F576-4876-B930-CC1E654345A4}.exe	44
PID 1060 wrote to memory of 556	1060	{FFE3E83A-F576-4876-B930-CC1E654345A4}.exe	44
PID 1060 wrote to memory of 556	1060	{FFE3E83A-F576-4876-B930-CC1E654345A4}.exe	44
PID 1060 wrote to memory of 2884	1060	{FFE3E83A-F576-4876-B930-CC1E654345A4}.exe	45
PID 1060 wrote to memory of 2884	1060	{FFE3E83A-F576-4876-B930-CC1E654345A4}.exe	45
PID 1060 wrote to memory of 2884	1060	{FFE3E83A-F576-4876-B930-CC1E654345A4}.exe	45
PID 1060 wrote to memory of 2884	1060	{FFE3E83A-F576-4876-B930-CC1E654345A4}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-04-21_3e12ceb3b4c42a693159562cf68f3470_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-21_3e12ceb3b4c42a693159562cf68f3470_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2676
- C:\Windows\{3C0F27D3-787F-49ad-A8B6-B713402FE5F6}.exe
  C:\Windows\{3C0F27D3-787F-49ad-A8B6-B713402FE5F6}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1988
- - C:\Windows\{73D643C0-EB9F-4c7d-BDD2-B23C91A3C8A5}.exe
    C:\Windows\{73D643C0-EB9F-4c7d-BDD2-B23C91A3C8A5}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2640
  - - C:\Windows\{2E7C5BB1-BF38-4bcc-8E5C-D22C9446B0D1}.exe
      C:\Windows\{2E7C5BB1-BF38-4bcc-8E5C-D22C9446B0D1}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2072
    - - C:\Windows\{83FA110B-6DE5-436d-B153-E6BB2ADB317F}.exe
        
        C:\Windows\{83FA110B-6DE5-436d-B153-E6BB2ADB317F}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2144
      - C:\Windows\{38F787C2-8D56-43fb-BF76-ECD0E85D5E53}.exe
        
        C:\Windows\{38F787C2-8D56-43fb-BF76-ECD0E85D5E53}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2760
        
        C:\Windows\{69C900E6-C855-46da-8CB1-EF062A6BD381}.exe
        
        C:\Windows\{69C900E6-C855-46da-8CB1-EF062A6BD381}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1808
        
        C:\Windows\{FFE3E83A-F576-4876-B930-CC1E654345A4}.exe
        
        C:\Windows\{FFE3E83A-F576-4876-B930-CC1E654345A4}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1060
        
        C:\Windows\{53FEF917-A3C9-457b-9D9B-ABC60005F8DE}.exe
        
        C:\Windows\{53FEF917-A3C9-457b-9D9B-ABC60005F8DE}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:556
        
        C:\Windows\{6205B6FB-7241-4b23-9DA7-4B217A6BBCAC}.exe
        
        C:\Windows\{6205B6FB-7241-4b23-9DA7-4B217A6BBCAC}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2944
        
        C:\Windows\{F7EE2508-02A9-475b-8E8D-DF754E5A1481}.exe
        
        C:\Windows\{F7EE2508-02A9-475b-8E8D-DF754E5A1481}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2924
        
        C:\Windows\{A8CC416A-5F67-46a1-BD08-7C4EAF6EBBC3}.exe
        
        C:\Windows\{A8CC416A-5F67-46a1-BD08-7C4EAF6EBBC3}.exe
        12⤵
        Executes dropped EXE
        
        PID:2296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F7EE2~1.EXE > nul
        12⤵
        
        PID:1896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6205B~1.EXE > nul
        11⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{53FEF~1.EXE > nul
        10⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FFE3E~1.EXE > nul
        9⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{69C90~1.EXE > nul
        8⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{38F78~1.EXE > nul
        7⤵
        
        PID:2012
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{83FA1~1.EXE > nul
        6⤵
        
        PID:2776
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2E7C5~1.EXE > nul
        5⤵
        
        PID:2020
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{73D64~1.EXE > nul
      4⤵
      PID:2748
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{3C0F2~1.EXE > nul
    3⤵
    PID:2568
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:3008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{2E7C5BB1-BF38-4bcc-8E5C-D22C9446B0D1}.exe

Filesize
408KB

MD5
763275b4d25db08fe1cb2222f70b24ac

SHA1
83d4aec51e29bdb35ed4d444e90ccb030f3efa75

SHA256
4d22b147e316b6ddc539c72c0a39bbaaef0b5b1304aefddba499a1f1d5557274

SHA512
2e8c24ee1a95cc694af1bd400f036c59a2b602573d4bda6a23b89accaeaa1e52ac4214ef80c90771b20a0d1bda941527fe6dfb87445f45665f265e7f6bfb4879

Download Submit
C:\Windows\{38F787C2-8D56-43fb-BF76-ECD0E85D5E53}.exe

Filesize
408KB

MD5
621d560ecac411e1cb8c7ba0569ce093

SHA1
e9b632b718dc7bd36b4216263300e55e97487084

SHA256
ae56c680bce89c5c4cedbb89f7680e31a1afc66146cd5000ef53f26aafca20f7

SHA512
a78be39ba86aba15727aba073ffcd3c9147a2eefc94f9dd4cde57dbf1e9ca2693a6c6793ab85ed2e98cdb3cca5e3947a9b58446b826e59f05b7894778588b259

Download Submit
C:\Windows\{3C0F27D3-787F-49ad-A8B6-B713402FE5F6}.exe

Filesize
408KB

MD5
35da1b3c240504add2974ededbba85fa

SHA1
0c969cb2fa19f93b9fc89980723b9d3d2d194b15

SHA256
0d76b8531138845cc3ee6c54ba2095657f0def557ac03693a3afdf3af230f961

SHA512
15db823f61414aae9b272702dc0e77129954c500e80e04bbc24e1a5c50de00ba7bab2e0f3b9834fda2701388bd7b662bcb4ba1f9350d68206fe1e241a2fc3e4e

Download Submit
C:\Windows\{53FEF917-A3C9-457b-9D9B-ABC60005F8DE}.exe

Filesize
408KB

MD5
6f75a9bca2b0aeb0b2875c34fe48464e

SHA1
ee40fbaacd01d787725b6477a7410c9a4441b646

SHA256
01ff201cf9c639ba13ec809377c661e9f3c947f433ad74be008b75e2c20791ad

SHA512
abad89ee2c88e604dd00a81e0bfab1b20d44007ca06618b65890a4fa35717239766d3701a98c3c84cc2e111e5fa2784e807c74c34bcaf64748676db60e7fae97

Download Submit
C:\Windows\{6205B6FB-7241-4b23-9DA7-4B217A6BBCAC}.exe

Filesize
408KB

MD5
04d3ac83a0a528d73c0a960bbafa6188

SHA1
953982141154a7a0576f55cae0f1bb010484ff84

SHA256
04fdf605f4ef4167ae64e0bb8ac89f4c0397d42e02e49a917d5385de1f95e0f5

SHA512
1a88d42d6b43abfb36f918fc01de0c04381e80578cc7e44507bf95eeda5ff97c0e84a19057f39ae36c3f1216a6bdadf0156e0b898bb83525a155de3a635df7d3

Download Submit
C:\Windows\{69C900E6-C855-46da-8CB1-EF062A6BD381}.exe

Filesize
408KB

MD5
7158265438240f50899403f12e3aabd8

SHA1
e628d5041b10ceec89584355045d3624ed9ca729

SHA256
6146c8c8711ed8907d0b16bad919d17dce701b48d965a2ff975a68294ce328e0

SHA512
ed45e13ce91fdc3c2b918e9e79fd17f33cd7d46668400574002e87aed49bad44edb581e90cb6d110c7fe97391c3063c0930c62f6c3c498176a11f354aa410f26

Download Submit
C:\Windows\{73D643C0-EB9F-4c7d-BDD2-B23C91A3C8A5}.exe

Filesize
408KB

MD5
231013e2f26002f3078953bde073a4ce

SHA1
7b03d8a2831a6198067c0731b94a0ab87d492141

SHA256
0b7ccac7354eb104fd675b2763188458a819d6995ea94d4666840bd0544bd138

SHA512
0c346f59298623d155fd0b623c32dbc4cc65d494aaf00e8ef9df5f9d4e052af7cf50ed3cfa3e52f768ff0a182a6cf474c3ef32c7331777d344c4cc690f7cb66a

Download Submit
C:\Windows\{83FA110B-6DE5-436d-B153-E6BB2ADB317F}.exe

Filesize
408KB

MD5
3bd6b84810eb45241e58d666c1d6bd50

SHA1
4b129e6f50dfeddb52f28179f164425e81b5b599

SHA256
df83a77898e1b84f6d9625c67505d763398a723c2f4f14ea9cee06265d7ff163

SHA512
6d8e2eb1bed20d74d4304ff382eeaabc70889b0998db21137e7c1fa9d0fd20d89db4926667ea08009c70b114bc98c911f7824d4d42b6fc6d537e8303b4eab098

Download Submit
C:\Windows\{A8CC416A-5F67-46a1-BD08-7C4EAF6EBBC3}.exe

Filesize
408KB

MD5
f4c3e79acf4a22f42d55d343b19fd04d

SHA1
0d348289841a1f3602a03560897f6e6cd5e655b0

SHA256
9daac19ff1975d871f7cd55087177cc20c8b836e344cc370cc2dbf797002758b

SHA512
a84ef05e85f07b7da60bc8b14accb161736d9e3b7102e200d0f12ab13c91f1dc58a5a20ba9330ebd71fe8e693bad7607b01e436cf21d89dafed672f78deabeb8

Download Submit
C:\Windows\{F7EE2508-02A9-475b-8E8D-DF754E5A1481}.exe

Filesize
408KB

MD5
b34616677eb8d7944cceb36c49d81a1e

SHA1
2a00cdf0ce7294bc0a1e58222663df79b8baba19

SHA256
10cd8c18878d1f40829f68cb0107cd76ce3ee81b8013add4e4d70707185a8d0b

SHA512
24634207b135d284a2887841f77792f7ce1c5e61249a34ab296a3be8779e12885291104a10d1819a09c16fc53eef756b5e14b28f6e1117141a757b0451b86fdf

Download Submit
C:\Windows\{FFE3E83A-F576-4876-B930-CC1E654345A4}.exe

Filesize
408KB

MD5
8ecbabcbc5908ab05de5f364288638d5

SHA1
d07785f1e541345292bd700f4c9b34c70091dd3b

SHA256
27683b1b6ffe4129adde1852376b369e848802f0cd5d356609eb7d984df0beab

SHA512
60bbe57e41cdd8bc9b9168921ac571d2f63c7b9876a0e5b52bcec0695770c9f7272bb26a3bb494dd49ddc28a218c1f2c1c5fec23bb41fa2a95de373128a74334

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads