000f03aac5a2cc884610d2b63248375cf6bb109fcc80e2a26ad1748248aefa39

Analysis

max time kernel
144s
max time network
123s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
21/04/2024, 20:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-21_c84dfd0d50a2556361eec842fcde25f0_goldeneye.exe
Size

372KB
MD5

c84dfd0d50a2556361eec842fcde25f0
SHA1

3a641302abee20fe1c02447c6fe454f6ef791744
SHA256

000f03aac5a2cc884610d2b63248375cf6bb109fcc80e2a26ad1748248aefa39
SHA512

f1fbe0692c034f4f239f304121ea120f6ddd0e83c9ccbf8d1f6cbe4e12341818e7a6c20e4543c6fe8624aa797f3860c7002fd553d70432dbac1d100bb5aa51bd
SSDEEP

3072:CEGh0o0lMOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBfM:CEGulkOe2MUVg3vTeKcAEciTBqr3

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000c000000012306-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c00000001315b-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000012306-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x003900000001340c-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e000000012306-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f000000012306-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0010000000012306-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0338E112-74BA-4729-9A5D-153DFE07266B}	{2DB900C9-BCE3-4ee8-8160-84A79E689EDB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7BDC1D9F-9B7F-4162-A7D1-7D8163F03274}\stubpath = "C:\\Windows\\{7BDC1D9F-9B7F-4162-A7D1-7D8163F03274}.exe"	{7EAB023A-BD0A-4015-B1A9-67C4740B2772}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DE9D14BA-BB6E-438e-8187-BF090C4BBEEB}	2024-04-21_c84dfd0d50a2556361eec842fcde25f0_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1EB5E01A-7B60-401a-90C5-E4EF23FFB87F}	{DE9D14BA-BB6E-438e-8187-BF090C4BBEEB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0338E112-74BA-4729-9A5D-153DFE07266B}\stubpath = "C:\\Windows\\{0338E112-74BA-4729-9A5D-153DFE07266B}.exe"	{2DB900C9-BCE3-4ee8-8160-84A79E689EDB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7A20E16A-66D6-4eca-8FF8-30D3A9AEBD66}	{2A21306C-2AC9-4142-BF94-E3EF1D130E2C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{814D44CE-1250-4427-9B46-E0994751A2CA}	{1EB5E01A-7B60-401a-90C5-E4EF23FFB87F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2DB900C9-BCE3-4ee8-8160-84A79E689EDB}\stubpath = "C:\\Windows\\{2DB900C9-BCE3-4ee8-8160-84A79E689EDB}.exe"	{814D44CE-1250-4427-9B46-E0994751A2CA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2DB900C9-BCE3-4ee8-8160-84A79E689EDB}	{814D44CE-1250-4427-9B46-E0994751A2CA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2A21306C-2AC9-4142-BF94-E3EF1D130E2C}	{2A9642D5-E164-4d24-AFC2-4A199223250C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7A20E16A-66D6-4eca-8FF8-30D3A9AEBD66}\stubpath = "C:\\Windows\\{7A20E16A-66D6-4eca-8FF8-30D3A9AEBD66}.exe"	{2A21306C-2AC9-4142-BF94-E3EF1D130E2C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7EAB023A-BD0A-4015-B1A9-67C4740B2772}	{7A20E16A-66D6-4eca-8FF8-30D3A9AEBD66}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7EAB023A-BD0A-4015-B1A9-67C4740B2772}\stubpath = "C:\\Windows\\{7EAB023A-BD0A-4015-B1A9-67C4740B2772}.exe"	{7A20E16A-66D6-4eca-8FF8-30D3A9AEBD66}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7BDC1D9F-9B7F-4162-A7D1-7D8163F03274}	{7EAB023A-BD0A-4015-B1A9-67C4740B2772}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1EB5E01A-7B60-401a-90C5-E4EF23FFB87F}\stubpath = "C:\\Windows\\{1EB5E01A-7B60-401a-90C5-E4EF23FFB87F}.exe"	{DE9D14BA-BB6E-438e-8187-BF090C4BBEEB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{814D44CE-1250-4427-9B46-E0994751A2CA}\stubpath = "C:\\Windows\\{814D44CE-1250-4427-9B46-E0994751A2CA}.exe"	{1EB5E01A-7B60-401a-90C5-E4EF23FFB87F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{85155665-BFBE-408d-A454-CF10207AF9AA}	{7BDC1D9F-9B7F-4162-A7D1-7D8163F03274}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2A9642D5-E164-4d24-AFC2-4A199223250C}\stubpath = "C:\\Windows\\{2A9642D5-E164-4d24-AFC2-4A199223250C}.exe"	{0338E112-74BA-4729-9A5D-153DFE07266B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2A21306C-2AC9-4142-BF94-E3EF1D130E2C}\stubpath = "C:\\Windows\\{2A21306C-2AC9-4142-BF94-E3EF1D130E2C}.exe"	{2A9642D5-E164-4d24-AFC2-4A199223250C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{85155665-BFBE-408d-A454-CF10207AF9AA}\stubpath = "C:\\Windows\\{85155665-BFBE-408d-A454-CF10207AF9AA}.exe"	{7BDC1D9F-9B7F-4162-A7D1-7D8163F03274}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DE9D14BA-BB6E-438e-8187-BF090C4BBEEB}\stubpath = "C:\\Windows\\{DE9D14BA-BB6E-438e-8187-BF090C4BBEEB}.exe"	2024-04-21_c84dfd0d50a2556361eec842fcde25f0_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2A9642D5-E164-4d24-AFC2-4A199223250C}	{0338E112-74BA-4729-9A5D-153DFE07266B}.exe

Deletes itself 1 IoCs

pid	Process
2568	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2916	{DE9D14BA-BB6E-438e-8187-BF090C4BBEEB}.exe
2920	{1EB5E01A-7B60-401a-90C5-E4EF23FFB87F}.exe
1656	{814D44CE-1250-4427-9B46-E0994751A2CA}.exe
2108	{2DB900C9-BCE3-4ee8-8160-84A79E689EDB}.exe
2692	{0338E112-74BA-4729-9A5D-153DFE07266B}.exe
1580	{2A9642D5-E164-4d24-AFC2-4A199223250C}.exe
1280	{2A21306C-2AC9-4142-BF94-E3EF1D130E2C}.exe
1268	{7A20E16A-66D6-4eca-8FF8-30D3A9AEBD66}.exe
2172	{7EAB023A-BD0A-4015-B1A9-67C4740B2772}.exe
384	{7BDC1D9F-9B7F-4162-A7D1-7D8163F03274}.exe
1720	{85155665-BFBE-408d-A454-CF10207AF9AA}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{7BDC1D9F-9B7F-4162-A7D1-7D8163F03274}.exe	{7EAB023A-BD0A-4015-B1A9-67C4740B2772}.exe
File created	C:\Windows\{DE9D14BA-BB6E-438e-8187-BF090C4BBEEB}.exe	2024-04-21_c84dfd0d50a2556361eec842fcde25f0_goldeneye.exe
File created	C:\Windows\{2DB900C9-BCE3-4ee8-8160-84A79E689EDB}.exe	{814D44CE-1250-4427-9B46-E0994751A2CA}.exe
File created	C:\Windows\{7A20E16A-66D6-4eca-8FF8-30D3A9AEBD66}.exe	{2A21306C-2AC9-4142-BF94-E3EF1D130E2C}.exe
File created	C:\Windows\{7EAB023A-BD0A-4015-B1A9-67C4740B2772}.exe	{7A20E16A-66D6-4eca-8FF8-30D3A9AEBD66}.exe
File created	C:\Windows\{2A21306C-2AC9-4142-BF94-E3EF1D130E2C}.exe	{2A9642D5-E164-4d24-AFC2-4A199223250C}.exe
File created	C:\Windows\{85155665-BFBE-408d-A454-CF10207AF9AA}.exe	{7BDC1D9F-9B7F-4162-A7D1-7D8163F03274}.exe
File created	C:\Windows\{1EB5E01A-7B60-401a-90C5-E4EF23FFB87F}.exe	{DE9D14BA-BB6E-438e-8187-BF090C4BBEEB}.exe
File created	C:\Windows\{814D44CE-1250-4427-9B46-E0994751A2CA}.exe	{1EB5E01A-7B60-401a-90C5-E4EF23FFB87F}.exe
File created	C:\Windows\{0338E112-74BA-4729-9A5D-153DFE07266B}.exe	{2DB900C9-BCE3-4ee8-8160-84A79E689EDB}.exe
File created	C:\Windows\{2A9642D5-E164-4d24-AFC2-4A199223250C}.exe	{0338E112-74BA-4729-9A5D-153DFE07266B}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2220	2024-04-21_c84dfd0d50a2556361eec842fcde25f0_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2916	{DE9D14BA-BB6E-438e-8187-BF090C4BBEEB}.exe
Token: SeIncBasePriorityPrivilege	2920	{1EB5E01A-7B60-401a-90C5-E4EF23FFB87F}.exe
Token: SeIncBasePriorityPrivilege	1656	{814D44CE-1250-4427-9B46-E0994751A2CA}.exe
Token: SeIncBasePriorityPrivilege	2108	{2DB900C9-BCE3-4ee8-8160-84A79E689EDB}.exe
Token: SeIncBasePriorityPrivilege	2692	{0338E112-74BA-4729-9A5D-153DFE07266B}.exe
Token: SeIncBasePriorityPrivilege	1580	{2A9642D5-E164-4d24-AFC2-4A199223250C}.exe
Token: SeIncBasePriorityPrivilege	1280	{2A21306C-2AC9-4142-BF94-E3EF1D130E2C}.exe
Token: SeIncBasePriorityPrivilege	1268	{7A20E16A-66D6-4eca-8FF8-30D3A9AEBD66}.exe
Token: SeIncBasePriorityPrivilege	2172	{7EAB023A-BD0A-4015-B1A9-67C4740B2772}.exe
Token: SeIncBasePriorityPrivilege	384	{7BDC1D9F-9B7F-4162-A7D1-7D8163F03274}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2220 wrote to memory of 2916	2220	2024-04-21_c84dfd0d50a2556361eec842fcde25f0_goldeneye.exe	28
PID 2220 wrote to memory of 2916	2220	2024-04-21_c84dfd0d50a2556361eec842fcde25f0_goldeneye.exe	28
PID 2220 wrote to memory of 2916	2220	2024-04-21_c84dfd0d50a2556361eec842fcde25f0_goldeneye.exe	28
PID 2220 wrote to memory of 2916	2220	2024-04-21_c84dfd0d50a2556361eec842fcde25f0_goldeneye.exe	28
PID 2220 wrote to memory of 2568	2220	2024-04-21_c84dfd0d50a2556361eec842fcde25f0_goldeneye.exe	29
PID 2220 wrote to memory of 2568	2220	2024-04-21_c84dfd0d50a2556361eec842fcde25f0_goldeneye.exe	29
PID 2220 wrote to memory of 2568	2220	2024-04-21_c84dfd0d50a2556361eec842fcde25f0_goldeneye.exe	29
PID 2220 wrote to memory of 2568	2220	2024-04-21_c84dfd0d50a2556361eec842fcde25f0_goldeneye.exe	29
PID 2916 wrote to memory of 2920	2916	{DE9D14BA-BB6E-438e-8187-BF090C4BBEEB}.exe	30
PID 2916 wrote to memory of 2920	2916	{DE9D14BA-BB6E-438e-8187-BF090C4BBEEB}.exe	30
PID 2916 wrote to memory of 2920	2916	{DE9D14BA-BB6E-438e-8187-BF090C4BBEEB}.exe	30
PID 2916 wrote to memory of 2920	2916	{DE9D14BA-BB6E-438e-8187-BF090C4BBEEB}.exe	30
PID 2916 wrote to memory of 2412	2916	{DE9D14BA-BB6E-438e-8187-BF090C4BBEEB}.exe	31
PID 2916 wrote to memory of 2412	2916	{DE9D14BA-BB6E-438e-8187-BF090C4BBEEB}.exe	31
PID 2916 wrote to memory of 2412	2916	{DE9D14BA-BB6E-438e-8187-BF090C4BBEEB}.exe	31
PID 2916 wrote to memory of 2412	2916	{DE9D14BA-BB6E-438e-8187-BF090C4BBEEB}.exe	31
PID 2920 wrote to memory of 1656	2920	{1EB5E01A-7B60-401a-90C5-E4EF23FFB87F}.exe	32
PID 2920 wrote to memory of 1656	2920	{1EB5E01A-7B60-401a-90C5-E4EF23FFB87F}.exe	32
PID 2920 wrote to memory of 1656	2920	{1EB5E01A-7B60-401a-90C5-E4EF23FFB87F}.exe	32
PID 2920 wrote to memory of 1656	2920	{1EB5E01A-7B60-401a-90C5-E4EF23FFB87F}.exe	32
PID 2920 wrote to memory of 2492	2920	{1EB5E01A-7B60-401a-90C5-E4EF23FFB87F}.exe	33
PID 2920 wrote to memory of 2492	2920	{1EB5E01A-7B60-401a-90C5-E4EF23FFB87F}.exe	33
PID 2920 wrote to memory of 2492	2920	{1EB5E01A-7B60-401a-90C5-E4EF23FFB87F}.exe	33
PID 2920 wrote to memory of 2492	2920	{1EB5E01A-7B60-401a-90C5-E4EF23FFB87F}.exe	33
PID 1656 wrote to memory of 2108	1656	{814D44CE-1250-4427-9B46-E0994751A2CA}.exe	36
PID 1656 wrote to memory of 2108	1656	{814D44CE-1250-4427-9B46-E0994751A2CA}.exe	36
PID 1656 wrote to memory of 2108	1656	{814D44CE-1250-4427-9B46-E0994751A2CA}.exe	36
PID 1656 wrote to memory of 2108	1656	{814D44CE-1250-4427-9B46-E0994751A2CA}.exe	36
PID 1656 wrote to memory of 884	1656	{814D44CE-1250-4427-9B46-E0994751A2CA}.exe	37
PID 1656 wrote to memory of 884	1656	{814D44CE-1250-4427-9B46-E0994751A2CA}.exe	37
PID 1656 wrote to memory of 884	1656	{814D44CE-1250-4427-9B46-E0994751A2CA}.exe	37
PID 1656 wrote to memory of 884	1656	{814D44CE-1250-4427-9B46-E0994751A2CA}.exe	37
PID 2108 wrote to memory of 2692	2108	{2DB900C9-BCE3-4ee8-8160-84A79E689EDB}.exe	38
PID 2108 wrote to memory of 2692	2108	{2DB900C9-BCE3-4ee8-8160-84A79E689EDB}.exe	38
PID 2108 wrote to memory of 2692	2108	{2DB900C9-BCE3-4ee8-8160-84A79E689EDB}.exe	38
PID 2108 wrote to memory of 2692	2108	{2DB900C9-BCE3-4ee8-8160-84A79E689EDB}.exe	38
PID 2108 wrote to memory of 1976	2108	{2DB900C9-BCE3-4ee8-8160-84A79E689EDB}.exe	39
PID 2108 wrote to memory of 1976	2108	{2DB900C9-BCE3-4ee8-8160-84A79E689EDB}.exe	39
PID 2108 wrote to memory of 1976	2108	{2DB900C9-BCE3-4ee8-8160-84A79E689EDB}.exe	39
PID 2108 wrote to memory of 1976	2108	{2DB900C9-BCE3-4ee8-8160-84A79E689EDB}.exe	39
PID 2692 wrote to memory of 1580	2692	{0338E112-74BA-4729-9A5D-153DFE07266B}.exe	40
PID 2692 wrote to memory of 1580	2692	{0338E112-74BA-4729-9A5D-153DFE07266B}.exe	40
PID 2692 wrote to memory of 1580	2692	{0338E112-74BA-4729-9A5D-153DFE07266B}.exe	40
PID 2692 wrote to memory of 1580	2692	{0338E112-74BA-4729-9A5D-153DFE07266B}.exe	40
PID 2692 wrote to memory of 1576	2692	{0338E112-74BA-4729-9A5D-153DFE07266B}.exe	41
PID 2692 wrote to memory of 1576	2692	{0338E112-74BA-4729-9A5D-153DFE07266B}.exe	41
PID 2692 wrote to memory of 1576	2692	{0338E112-74BA-4729-9A5D-153DFE07266B}.exe	41
PID 2692 wrote to memory of 1576	2692	{0338E112-74BA-4729-9A5D-153DFE07266B}.exe	41
PID 1580 wrote to memory of 1280	1580	{2A9642D5-E164-4d24-AFC2-4A199223250C}.exe	42
PID 1580 wrote to memory of 1280	1580	{2A9642D5-E164-4d24-AFC2-4A199223250C}.exe	42
PID 1580 wrote to memory of 1280	1580	{2A9642D5-E164-4d24-AFC2-4A199223250C}.exe	42
PID 1580 wrote to memory of 1280	1580	{2A9642D5-E164-4d24-AFC2-4A199223250C}.exe	42
PID 1580 wrote to memory of 1404	1580	{2A9642D5-E164-4d24-AFC2-4A199223250C}.exe	43
PID 1580 wrote to memory of 1404	1580	{2A9642D5-E164-4d24-AFC2-4A199223250C}.exe	43
PID 1580 wrote to memory of 1404	1580	{2A9642D5-E164-4d24-AFC2-4A199223250C}.exe	43
PID 1580 wrote to memory of 1404	1580	{2A9642D5-E164-4d24-AFC2-4A199223250C}.exe	43
PID 1280 wrote to memory of 1268	1280	{2A21306C-2AC9-4142-BF94-E3EF1D130E2C}.exe	44
PID 1280 wrote to memory of 1268	1280	{2A21306C-2AC9-4142-BF94-E3EF1D130E2C}.exe	44
PID 1280 wrote to memory of 1268	1280	{2A21306C-2AC9-4142-BF94-E3EF1D130E2C}.exe	44
PID 1280 wrote to memory of 1268	1280	{2A21306C-2AC9-4142-BF94-E3EF1D130E2C}.exe	44
PID 1280 wrote to memory of 1688	1280	{2A21306C-2AC9-4142-BF94-E3EF1D130E2C}.exe	45
PID 1280 wrote to memory of 1688	1280	{2A21306C-2AC9-4142-BF94-E3EF1D130E2C}.exe	45
PID 1280 wrote to memory of 1688	1280	{2A21306C-2AC9-4142-BF94-E3EF1D130E2C}.exe	45
PID 1280 wrote to memory of 1688	1280	{2A21306C-2AC9-4142-BF94-E3EF1D130E2C}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-04-21_c84dfd0d50a2556361eec842fcde25f0_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-21_c84dfd0d50a2556361eec842fcde25f0_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2220
- C:\Windows\{DE9D14BA-BB6E-438e-8187-BF090C4BBEEB}.exe
  C:\Windows\{DE9D14BA-BB6E-438e-8187-BF090C4BBEEB}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2916
- - C:\Windows\{1EB5E01A-7B60-401a-90C5-E4EF23FFB87F}.exe
    C:\Windows\{1EB5E01A-7B60-401a-90C5-E4EF23FFB87F}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2920
  - - C:\Windows\{814D44CE-1250-4427-9B46-E0994751A2CA}.exe
      C:\Windows\{814D44CE-1250-4427-9B46-E0994751A2CA}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1656
    - - C:\Windows\{2DB900C9-BCE3-4ee8-8160-84A79E689EDB}.exe
        
        C:\Windows\{2DB900C9-BCE3-4ee8-8160-84A79E689EDB}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2108
      - C:\Windows\{0338E112-74BA-4729-9A5D-153DFE07266B}.exe
        
        C:\Windows\{0338E112-74BA-4729-9A5D-153DFE07266B}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2692
        
        C:\Windows\{2A9642D5-E164-4d24-AFC2-4A199223250C}.exe
        
        C:\Windows\{2A9642D5-E164-4d24-AFC2-4A199223250C}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1580
        
        C:\Windows\{2A21306C-2AC9-4142-BF94-E3EF1D130E2C}.exe
        
        C:\Windows\{2A21306C-2AC9-4142-BF94-E3EF1D130E2C}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1280
        
        C:\Windows\{7A20E16A-66D6-4eca-8FF8-30D3A9AEBD66}.exe
        
        C:\Windows\{7A20E16A-66D6-4eca-8FF8-30D3A9AEBD66}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1268
        
        C:\Windows\{7EAB023A-BD0A-4015-B1A9-67C4740B2772}.exe
        
        C:\Windows\{7EAB023A-BD0A-4015-B1A9-67C4740B2772}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2172
        
        C:\Windows\{7BDC1D9F-9B7F-4162-A7D1-7D8163F03274}.exe
        
        C:\Windows\{7BDC1D9F-9B7F-4162-A7D1-7D8163F03274}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:384
        
        C:\Windows\{85155665-BFBE-408d-A454-CF10207AF9AA}.exe
        
        C:\Windows\{85155665-BFBE-408d-A454-CF10207AF9AA}.exe
        12⤵
        Executes dropped EXE
        
        PID:1720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7BDC1~1.EXE > nul
        12⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7EAB0~1.EXE > nul
        11⤵
        
        PID:648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7A20E~1.EXE > nul
        10⤵
        
        PID:2052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2A213~1.EXE > nul
        9⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2A964~1.EXE > nul
        8⤵
        
        PID:1404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0338E~1.EXE > nul
        7⤵
        
        PID:1576
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2DB90~1.EXE > nul
        6⤵
        
        PID:1976
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{814D4~1.EXE > nul
        5⤵
        
        PID:884
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{1EB5E~1.EXE > nul
      4⤵
      PID:2492
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{DE9D1~1.EXE > nul
    3⤵
    PID:2412
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0338E112-74BA-4729-9A5D-153DFE07266B}.exe

Filesize
372KB

MD5
ee67c51858abb86022a9765b49a342fd

SHA1
dd8ff6ef30fb6d85113d13f57ce78285c2786aa0

SHA256
7d12a6687ffe8dfaf5bf5659c1769393f79c7bd98462b3280952d04f20a0a92c

SHA512
85105bb6ab193751c50bdbeff6edab73dd4d08b62e92e15a6ed7442531fbf2138a23f308515007f2293d9913a9b94492d45d98f09bb788d806f8d56806141e66

Download Submit
C:\Windows\{1EB5E01A-7B60-401a-90C5-E4EF23FFB87F}.exe

Filesize
372KB

MD5
674079462c8c3f5cdab8c0247b8c6a76

SHA1
2fc1fb95c0489a30dc2694685e6ec04765c42b0b

SHA256
06a3df3c43b53400375e80214315ef76bbee43b81cdc6f8a8f74567654a3e7ec

SHA512
139399ba04eadd6dcf515d9157834153ad831cf30243a348052b2e0051818f09f6d430a19452669828c21660c71835ca1739d5bc0d80947c297f5ccf24b220cc

Download Submit
C:\Windows\{2A21306C-2AC9-4142-BF94-E3EF1D130E2C}.exe

Filesize
372KB

MD5
6c27ae2617dd815aafae1b3d97b60333

SHA1
25069872488e0e7dd2969b11f768815c01521e9c

SHA256
8820d299002274f75952045236cb460baf3be5c8e3837033abca1ae04e6efe19

SHA512
b02368ef442eb4d952cd7da232fcff2c09e98c236d3c9f035a1bacbdb9ffac56afe8d95b6ea1f7a767efc7a07962db7cbb58599113bb5359e71a2322e6787de1

Download Submit
C:\Windows\{2A9642D5-E164-4d24-AFC2-4A199223250C}.exe

Filesize
372KB

MD5
1fc64e9db2d26fc8626578483e569150

SHA1
5487787dfb46e66a81ece6cd2ef7fed3635be626

SHA256
2b166c0ff66658f27a6bc7536d50dfdfeaff0a1b7b6d1a81449df99e3fc57d88

SHA512
387c3ee40b35b31f628144b662901beeb6310b35af74a899da46a2a7c81966be738963d845138a6601ceff0b3a5fefb47d083143229afed768ed4d685a1e0cb4

Download Submit
C:\Windows\{2DB900C9-BCE3-4ee8-8160-84A79E689EDB}.exe

Filesize
372KB

MD5
c9085c2ae0d2d079ae42a504c47c86fd

SHA1
b3822cef317009e312eaa2a5b6923309f127f18e

SHA256
acc9bd37b23b915aef5a637dd1c76a022852d374a84d5f2fc70fdccf007d0195

SHA512
77d1cfbb22323c048685fc758bfd3a7aa08ea7694769bbe8d62a4d772c2056b6f748ea74946233cf9599355c0ed06f60dc8f72c1d1cb1c5c09beee65369f270d

Download Submit
C:\Windows\{7A20E16A-66D6-4eca-8FF8-30D3A9AEBD66}.exe

Filesize
372KB

MD5
28236465f7a7253cef352b3d10c27d4c

SHA1
9e41abddf2eb6f8e502ea1ead1ec7249b9e549d0

SHA256
6438d0f3d59dd4f2bfbe425351d1c4d1ed279e97da0b93c1426460d3cfccc7de

SHA512
3a74ba1fa2d0dad9f60aef02f1d05e697574d0df2c0c792f2598b9ce720941617e8c931e2275b1db3b93865c3288a5f2e19e8e90d44f2357f8ec724553023a9a

Download Submit
C:\Windows\{7BDC1D9F-9B7F-4162-A7D1-7D8163F03274}.exe

Filesize
372KB

MD5
eb80dc6feb4f08183ce2d8af3a45308c

SHA1
399760160334922c44894adefb0550eb75a2aa80

SHA256
f2c44f7a4de25cc166ca2439ffbba476bc44f61641fda33a363a5ab92623cb16

SHA512
3682af3cbbfc9c610a743b7f391c031d56fa7a187ba877614db0b48a1459824eae1b747c6e0beb958db7fc9513a737713612ea5b99f221c46f4229f7e6f1a539

Download Submit
C:\Windows\{7EAB023A-BD0A-4015-B1A9-67C4740B2772}.exe

Filesize
372KB

MD5
3cb756860d1969152858d8ce6972e589

SHA1
4c5a2eb448b4ea7edb94b7fe63995ae2a0ee07f6

SHA256
c4738b5b8d18ffcb000daed780f60192630f190cd70e9b6820c3e305abfe1f04

SHA512
6ea6f0642ed7823974a28f610c40873732f1c89db1a65ff1e0744c8c56dd43600ddb77a586e35b990823dfdbbf12dfaa9f677b3815534dc2efefca81505dbca2

Download Submit
C:\Windows\{814D44CE-1250-4427-9B46-E0994751A2CA}.exe

Filesize
372KB

MD5
39cb0b31803dd709f76e055f79152d0a

SHA1
5db9aeaba45c3c72dc86ccd77bd3d48d7486d3ca

SHA256
cc86f0e098a09d10ee11b440fdcd756a6f5a7423a65cfd83b87a13ee39f9e4de

SHA512
0852c4a29846d5075d10d80b1f82506a3b3abc09f9b9fb808cd4570e3c71296c09e92e2d3eb43cdf255011ec9a8edf70ac251a5df80d7b865a22ac7ce04ecb93

Download Submit
C:\Windows\{85155665-BFBE-408d-A454-CF10207AF9AA}.exe

Filesize
372KB

MD5
4c3213dd119687ead1ce39927f753c7e

SHA1
fc31b6d0b10286f74ad141a24b858733263a9745

SHA256
b61b23c86f6feeb5e021d0c9c1ac8b4e4266ffc5fdbf004bc8bebeb0d5709caf

SHA512
ffb91c76d6cf1ab38fcdd64c7440383b5bc01fae23829cbccbad0dcb307447091cc7e9fbaad94d3277d17bfc41b51aab06f471a79711f90fa832bec38af98662

Download Submit
C:\Windows\{DE9D14BA-BB6E-438e-8187-BF090C4BBEEB}.exe

Filesize
372KB

MD5
8abd465dd46aa3c47a23c511b7cd65b8

SHA1
6a1f5668e57d6a4fe048c32cfd22111741e0cfdd

SHA256
9164a5a441f1b9c8efd940c6c608e78552009af8d0b2d2167f60323f7e8c16c9

SHA512
8f0e92e770b1d8cbff2ff3caa72ed6f2c226ee6648892aa91d2c38ab8e276c8cba162e3696c03407901144055d5f50924285fb2a5c76b27b0feb7845c60b1e98

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads