046959b9ec5e6b1b209aaad25cc7b0ce72569d57c3a39189235574ffe063b75d

Analysis

max time kernel
144s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
22-04-2024 17:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-22_b9014062b13cd8396c19b0678b1242e3_goldeneye.exe
Size

168KB
MD5

b9014062b13cd8396c19b0678b1242e3
SHA1

e7e211df5efc1643ff3433cd051ba0948f4e9e9b
SHA256

046959b9ec5e6b1b209aaad25cc7b0ce72569d57c3a39189235574ffe063b75d
SHA512

0a0a9f2b11e2916c571eff3027dfbc45424cf6e03044319dd6abd41072692af0cb9a855c248870fd620287f442179814490160455f5cd6f8659f9f4273c77a88
SSDEEP

1536:1EGh0orli5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0orliOPOe2MUVg3Ve+rX

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000c00000001224c-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f00000000f680-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d00000001224c-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001000000000f680-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e00000001224c-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001100000000f680-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f00000001224c-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001200000000f680-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001000000001224c-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001300000000f680-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001100000001224c-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AEB44A4D-66AB-4db3-B175-8BF8EA8A9697}\stubpath = "C:\\Windows\\{AEB44A4D-66AB-4db3-B175-8BF8EA8A9697}.exe"	{7A96A7A2-A434-439a-AD66-EF9A5AD51A3A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D0C5B73B-EFA1-4810-A2CD-1B2D557A1EE5}\stubpath = "C:\\Windows\\{D0C5B73B-EFA1-4810-A2CD-1B2D557A1EE5}.exe"	2024-04-22_b9014062b13cd8396c19b0678b1242e3_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C9E0FE12-6DAE-4d02-A81B-9DEEE1B47F92}	{E7B86451-E4DE-4327-A07E-049D8265FE1E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C9E0FE12-6DAE-4d02-A81B-9DEEE1B47F92}\stubpath = "C:\\Windows\\{C9E0FE12-6DAE-4d02-A81B-9DEEE1B47F92}.exe"	{E7B86451-E4DE-4327-A07E-049D8265FE1E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D854AE4B-F204-4ae5-AE0F-408802485115}	{C9E0FE12-6DAE-4d02-A81B-9DEEE1B47F92}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{75423B39-62CC-4141-B5BD-DFC777B9BC41}	{D854AE4B-F204-4ae5-AE0F-408802485115}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7A96A7A2-A434-439a-AD66-EF9A5AD51A3A}	{75423B39-62CC-4141-B5BD-DFC777B9BC41}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7CC38B36-CDB6-41bb-A2B2-F1A8827A5042}\stubpath = "C:\\Windows\\{7CC38B36-CDB6-41bb-A2B2-F1A8827A5042}.exe"	{44E4533E-77D3-4f5a-A6E1-EA8432C74EF8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D0C5B73B-EFA1-4810-A2CD-1B2D557A1EE5}	2024-04-22_b9014062b13cd8396c19b0678b1242e3_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E7B86451-E4DE-4327-A07E-049D8265FE1E}\stubpath = "C:\\Windows\\{E7B86451-E4DE-4327-A07E-049D8265FE1E}.exe"	{C22DB9FD-3AE1-46ae-8D1D-06C6E3F46279}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EF0DBE21-67ED-4ec2-BB35-83DC2A0FE204}	{AEB44A4D-66AB-4db3-B175-8BF8EA8A9697}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EF0DBE21-67ED-4ec2-BB35-83DC2A0FE204}\stubpath = "C:\\Windows\\{EF0DBE21-67ED-4ec2-BB35-83DC2A0FE204}.exe"	{AEB44A4D-66AB-4db3-B175-8BF8EA8A9697}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{44E4533E-77D3-4f5a-A6E1-EA8432C74EF8}	{EF0DBE21-67ED-4ec2-BB35-83DC2A0FE204}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{44E4533E-77D3-4f5a-A6E1-EA8432C74EF8}\stubpath = "C:\\Windows\\{44E4533E-77D3-4f5a-A6E1-EA8432C74EF8}.exe"	{EF0DBE21-67ED-4ec2-BB35-83DC2A0FE204}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C22DB9FD-3AE1-46ae-8D1D-06C6E3F46279}	{D0C5B73B-EFA1-4810-A2CD-1B2D557A1EE5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E7B86451-E4DE-4327-A07E-049D8265FE1E}	{C22DB9FD-3AE1-46ae-8D1D-06C6E3F46279}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{75423B39-62CC-4141-B5BD-DFC777B9BC41}\stubpath = "C:\\Windows\\{75423B39-62CC-4141-B5BD-DFC777B9BC41}.exe"	{D854AE4B-F204-4ae5-AE0F-408802485115}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AEB44A4D-66AB-4db3-B175-8BF8EA8A9697}	{7A96A7A2-A434-439a-AD66-EF9A5AD51A3A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7CC38B36-CDB6-41bb-A2B2-F1A8827A5042}	{44E4533E-77D3-4f5a-A6E1-EA8432C74EF8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C22DB9FD-3AE1-46ae-8D1D-06C6E3F46279}\stubpath = "C:\\Windows\\{C22DB9FD-3AE1-46ae-8D1D-06C6E3F46279}.exe"	{D0C5B73B-EFA1-4810-A2CD-1B2D557A1EE5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D854AE4B-F204-4ae5-AE0F-408802485115}\stubpath = "C:\\Windows\\{D854AE4B-F204-4ae5-AE0F-408802485115}.exe"	{C9E0FE12-6DAE-4d02-A81B-9DEEE1B47F92}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7A96A7A2-A434-439a-AD66-EF9A5AD51A3A}\stubpath = "C:\\Windows\\{7A96A7A2-A434-439a-AD66-EF9A5AD51A3A}.exe"	{75423B39-62CC-4141-B5BD-DFC777B9BC41}.exe

Deletes itself 1 IoCs

pid	Process
2244	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2308	{D0C5B73B-EFA1-4810-A2CD-1B2D557A1EE5}.exe
2568	{C22DB9FD-3AE1-46ae-8D1D-06C6E3F46279}.exe
2608	{E7B86451-E4DE-4327-A07E-049D8265FE1E}.exe
2496	{C9E0FE12-6DAE-4d02-A81B-9DEEE1B47F92}.exe
2600	{D854AE4B-F204-4ae5-AE0F-408802485115}.exe
2428	{75423B39-62CC-4141-B5BD-DFC777B9BC41}.exe
2036	{7A96A7A2-A434-439a-AD66-EF9A5AD51A3A}.exe
1736	{AEB44A4D-66AB-4db3-B175-8BF8EA8A9697}.exe
564	{EF0DBE21-67ED-4ec2-BB35-83DC2A0FE204}.exe
780	{44E4533E-77D3-4f5a-A6E1-EA8432C74EF8}.exe
2088	{7CC38B36-CDB6-41bb-A2B2-F1A8827A5042}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{E7B86451-E4DE-4327-A07E-049D8265FE1E}.exe	{C22DB9FD-3AE1-46ae-8D1D-06C6E3F46279}.exe
File created	C:\Windows\{75423B39-62CC-4141-B5BD-DFC777B9BC41}.exe	{D854AE4B-F204-4ae5-AE0F-408802485115}.exe
File created	C:\Windows\{44E4533E-77D3-4f5a-A6E1-EA8432C74EF8}.exe	{EF0DBE21-67ED-4ec2-BB35-83DC2A0FE204}.exe
File created	C:\Windows\{AEB44A4D-66AB-4db3-B175-8BF8EA8A9697}.exe	{7A96A7A2-A434-439a-AD66-EF9A5AD51A3A}.exe
File created	C:\Windows\{EF0DBE21-67ED-4ec2-BB35-83DC2A0FE204}.exe	{AEB44A4D-66AB-4db3-B175-8BF8EA8A9697}.exe
File created	C:\Windows\{7CC38B36-CDB6-41bb-A2B2-F1A8827A5042}.exe	{44E4533E-77D3-4f5a-A6E1-EA8432C74EF8}.exe
File created	C:\Windows\{D0C5B73B-EFA1-4810-A2CD-1B2D557A1EE5}.exe	2024-04-22_b9014062b13cd8396c19b0678b1242e3_goldeneye.exe
File created	C:\Windows\{C22DB9FD-3AE1-46ae-8D1D-06C6E3F46279}.exe	{D0C5B73B-EFA1-4810-A2CD-1B2D557A1EE5}.exe
File created	C:\Windows\{C9E0FE12-6DAE-4d02-A81B-9DEEE1B47F92}.exe	{E7B86451-E4DE-4327-A07E-049D8265FE1E}.exe
File created	C:\Windows\{D854AE4B-F204-4ae5-AE0F-408802485115}.exe	{C9E0FE12-6DAE-4d02-A81B-9DEEE1B47F92}.exe
File created	C:\Windows\{7A96A7A2-A434-439a-AD66-EF9A5AD51A3A}.exe	{75423B39-62CC-4141-B5BD-DFC777B9BC41}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1152	2024-04-22_b9014062b13cd8396c19b0678b1242e3_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2308	{D0C5B73B-EFA1-4810-A2CD-1B2D557A1EE5}.exe
Token: SeIncBasePriorityPrivilege	2568	{C22DB9FD-3AE1-46ae-8D1D-06C6E3F46279}.exe
Token: SeIncBasePriorityPrivilege	2608	{E7B86451-E4DE-4327-A07E-049D8265FE1E}.exe
Token: SeIncBasePriorityPrivilege	2496	{C9E0FE12-6DAE-4d02-A81B-9DEEE1B47F92}.exe
Token: SeIncBasePriorityPrivilege	2600	{D854AE4B-F204-4ae5-AE0F-408802485115}.exe
Token: SeIncBasePriorityPrivilege	2428	{75423B39-62CC-4141-B5BD-DFC777B9BC41}.exe
Token: SeIncBasePriorityPrivilege	2036	{7A96A7A2-A434-439a-AD66-EF9A5AD51A3A}.exe
Token: SeIncBasePriorityPrivilege	1736	{AEB44A4D-66AB-4db3-B175-8BF8EA8A9697}.exe
Token: SeIncBasePriorityPrivilege	564	{EF0DBE21-67ED-4ec2-BB35-83DC2A0FE204}.exe
Token: SeIncBasePriorityPrivilege	780	{44E4533E-77D3-4f5a-A6E1-EA8432C74EF8}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1152 wrote to memory of 2308	1152	2024-04-22_b9014062b13cd8396c19b0678b1242e3_goldeneye.exe	28
PID 1152 wrote to memory of 2308	1152	2024-04-22_b9014062b13cd8396c19b0678b1242e3_goldeneye.exe	28
PID 1152 wrote to memory of 2308	1152	2024-04-22_b9014062b13cd8396c19b0678b1242e3_goldeneye.exe	28
PID 1152 wrote to memory of 2308	1152	2024-04-22_b9014062b13cd8396c19b0678b1242e3_goldeneye.exe	28
PID 1152 wrote to memory of 2244	1152	2024-04-22_b9014062b13cd8396c19b0678b1242e3_goldeneye.exe	29
PID 1152 wrote to memory of 2244	1152	2024-04-22_b9014062b13cd8396c19b0678b1242e3_goldeneye.exe	29
PID 1152 wrote to memory of 2244	1152	2024-04-22_b9014062b13cd8396c19b0678b1242e3_goldeneye.exe	29
PID 1152 wrote to memory of 2244	1152	2024-04-22_b9014062b13cd8396c19b0678b1242e3_goldeneye.exe	29
PID 2308 wrote to memory of 2568	2308	{D0C5B73B-EFA1-4810-A2CD-1B2D557A1EE5}.exe	32
PID 2308 wrote to memory of 2568	2308	{D0C5B73B-EFA1-4810-A2CD-1B2D557A1EE5}.exe	32
PID 2308 wrote to memory of 2568	2308	{D0C5B73B-EFA1-4810-A2CD-1B2D557A1EE5}.exe	32
PID 2308 wrote to memory of 2568	2308	{D0C5B73B-EFA1-4810-A2CD-1B2D557A1EE5}.exe	32
PID 2308 wrote to memory of 1964	2308	{D0C5B73B-EFA1-4810-A2CD-1B2D557A1EE5}.exe	33
PID 2308 wrote to memory of 1964	2308	{D0C5B73B-EFA1-4810-A2CD-1B2D557A1EE5}.exe	33
PID 2308 wrote to memory of 1964	2308	{D0C5B73B-EFA1-4810-A2CD-1B2D557A1EE5}.exe	33
PID 2308 wrote to memory of 1964	2308	{D0C5B73B-EFA1-4810-A2CD-1B2D557A1EE5}.exe	33
PID 2568 wrote to memory of 2608	2568	{C22DB9FD-3AE1-46ae-8D1D-06C6E3F46279}.exe	34
PID 2568 wrote to memory of 2608	2568	{C22DB9FD-3AE1-46ae-8D1D-06C6E3F46279}.exe	34
PID 2568 wrote to memory of 2608	2568	{C22DB9FD-3AE1-46ae-8D1D-06C6E3F46279}.exe	34
PID 2568 wrote to memory of 2608	2568	{C22DB9FD-3AE1-46ae-8D1D-06C6E3F46279}.exe	34
PID 2568 wrote to memory of 2536	2568	{C22DB9FD-3AE1-46ae-8D1D-06C6E3F46279}.exe	35
PID 2568 wrote to memory of 2536	2568	{C22DB9FD-3AE1-46ae-8D1D-06C6E3F46279}.exe	35
PID 2568 wrote to memory of 2536	2568	{C22DB9FD-3AE1-46ae-8D1D-06C6E3F46279}.exe	35
PID 2568 wrote to memory of 2536	2568	{C22DB9FD-3AE1-46ae-8D1D-06C6E3F46279}.exe	35
PID 2608 wrote to memory of 2496	2608	{E7B86451-E4DE-4327-A07E-049D8265FE1E}.exe	36
PID 2608 wrote to memory of 2496	2608	{E7B86451-E4DE-4327-A07E-049D8265FE1E}.exe	36
PID 2608 wrote to memory of 2496	2608	{E7B86451-E4DE-4327-A07E-049D8265FE1E}.exe	36
PID 2608 wrote to memory of 2496	2608	{E7B86451-E4DE-4327-A07E-049D8265FE1E}.exe	36
PID 2608 wrote to memory of 1148	2608	{E7B86451-E4DE-4327-A07E-049D8265FE1E}.exe	37
PID 2608 wrote to memory of 1148	2608	{E7B86451-E4DE-4327-A07E-049D8265FE1E}.exe	37
PID 2608 wrote to memory of 1148	2608	{E7B86451-E4DE-4327-A07E-049D8265FE1E}.exe	37
PID 2608 wrote to memory of 1148	2608	{E7B86451-E4DE-4327-A07E-049D8265FE1E}.exe	37
PID 2496 wrote to memory of 2600	2496	{C9E0FE12-6DAE-4d02-A81B-9DEEE1B47F92}.exe	38
PID 2496 wrote to memory of 2600	2496	{C9E0FE12-6DAE-4d02-A81B-9DEEE1B47F92}.exe	38
PID 2496 wrote to memory of 2600	2496	{C9E0FE12-6DAE-4d02-A81B-9DEEE1B47F92}.exe	38
PID 2496 wrote to memory of 2600	2496	{C9E0FE12-6DAE-4d02-A81B-9DEEE1B47F92}.exe	38
PID 2496 wrote to memory of 2388	2496	{C9E0FE12-6DAE-4d02-A81B-9DEEE1B47F92}.exe	39
PID 2496 wrote to memory of 2388	2496	{C9E0FE12-6DAE-4d02-A81B-9DEEE1B47F92}.exe	39
PID 2496 wrote to memory of 2388	2496	{C9E0FE12-6DAE-4d02-A81B-9DEEE1B47F92}.exe	39
PID 2496 wrote to memory of 2388	2496	{C9E0FE12-6DAE-4d02-A81B-9DEEE1B47F92}.exe	39
PID 2600 wrote to memory of 2428	2600	{D854AE4B-F204-4ae5-AE0F-408802485115}.exe	40
PID 2600 wrote to memory of 2428	2600	{D854AE4B-F204-4ae5-AE0F-408802485115}.exe	40
PID 2600 wrote to memory of 2428	2600	{D854AE4B-F204-4ae5-AE0F-408802485115}.exe	40
PID 2600 wrote to memory of 2428	2600	{D854AE4B-F204-4ae5-AE0F-408802485115}.exe	40
PID 2600 wrote to memory of 956	2600	{D854AE4B-F204-4ae5-AE0F-408802485115}.exe	41
PID 2600 wrote to memory of 956	2600	{D854AE4B-F204-4ae5-AE0F-408802485115}.exe	41
PID 2600 wrote to memory of 956	2600	{D854AE4B-F204-4ae5-AE0F-408802485115}.exe	41
PID 2600 wrote to memory of 956	2600	{D854AE4B-F204-4ae5-AE0F-408802485115}.exe	41
PID 2428 wrote to memory of 2036	2428	{75423B39-62CC-4141-B5BD-DFC777B9BC41}.exe	42
PID 2428 wrote to memory of 2036	2428	{75423B39-62CC-4141-B5BD-DFC777B9BC41}.exe	42
PID 2428 wrote to memory of 2036	2428	{75423B39-62CC-4141-B5BD-DFC777B9BC41}.exe	42
PID 2428 wrote to memory of 2036	2428	{75423B39-62CC-4141-B5BD-DFC777B9BC41}.exe	42
PID 2428 wrote to memory of 1940	2428	{75423B39-62CC-4141-B5BD-DFC777B9BC41}.exe	43
PID 2428 wrote to memory of 1940	2428	{75423B39-62CC-4141-B5BD-DFC777B9BC41}.exe	43
PID 2428 wrote to memory of 1940	2428	{75423B39-62CC-4141-B5BD-DFC777B9BC41}.exe	43
PID 2428 wrote to memory of 1940	2428	{75423B39-62CC-4141-B5BD-DFC777B9BC41}.exe	43
PID 2036 wrote to memory of 1736	2036	{7A96A7A2-A434-439a-AD66-EF9A5AD51A3A}.exe	44
PID 2036 wrote to memory of 1736	2036	{7A96A7A2-A434-439a-AD66-EF9A5AD51A3A}.exe	44
PID 2036 wrote to memory of 1736	2036	{7A96A7A2-A434-439a-AD66-EF9A5AD51A3A}.exe	44
PID 2036 wrote to memory of 1736	2036	{7A96A7A2-A434-439a-AD66-EF9A5AD51A3A}.exe	44
PID 2036 wrote to memory of 896	2036	{7A96A7A2-A434-439a-AD66-EF9A5AD51A3A}.exe	45
PID 2036 wrote to memory of 896	2036	{7A96A7A2-A434-439a-AD66-EF9A5AD51A3A}.exe	45
PID 2036 wrote to memory of 896	2036	{7A96A7A2-A434-439a-AD66-EF9A5AD51A3A}.exe	45
PID 2036 wrote to memory of 896	2036	{7A96A7A2-A434-439a-AD66-EF9A5AD51A3A}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-04-22_b9014062b13cd8396c19b0678b1242e3_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-22_b9014062b13cd8396c19b0678b1242e3_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1152
- C:\Windows\{D0C5B73B-EFA1-4810-A2CD-1B2D557A1EE5}.exe
  C:\Windows\{D0C5B73B-EFA1-4810-A2CD-1B2D557A1EE5}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2308
- - C:\Windows\{C22DB9FD-3AE1-46ae-8D1D-06C6E3F46279}.exe
    C:\Windows\{C22DB9FD-3AE1-46ae-8D1D-06C6E3F46279}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2568
  - - C:\Windows\{E7B86451-E4DE-4327-A07E-049D8265FE1E}.exe
      C:\Windows\{E7B86451-E4DE-4327-A07E-049D8265FE1E}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2608
    - - C:\Windows\{C9E0FE12-6DAE-4d02-A81B-9DEEE1B47F92}.exe
        
        C:\Windows\{C9E0FE12-6DAE-4d02-A81B-9DEEE1B47F92}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2496
      - C:\Windows\{D854AE4B-F204-4ae5-AE0F-408802485115}.exe
        
        C:\Windows\{D854AE4B-F204-4ae5-AE0F-408802485115}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2600
        
        C:\Windows\{75423B39-62CC-4141-B5BD-DFC777B9BC41}.exe
        
        C:\Windows\{75423B39-62CC-4141-B5BD-DFC777B9BC41}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2428
        
        C:\Windows\{7A96A7A2-A434-439a-AD66-EF9A5AD51A3A}.exe
        
        C:\Windows\{7A96A7A2-A434-439a-AD66-EF9A5AD51A3A}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2036
        
        C:\Windows\{AEB44A4D-66AB-4db3-B175-8BF8EA8A9697}.exe
        
        C:\Windows\{AEB44A4D-66AB-4db3-B175-8BF8EA8A9697}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1736
        
        C:\Windows\{EF0DBE21-67ED-4ec2-BB35-83DC2A0FE204}.exe
        
        C:\Windows\{EF0DBE21-67ED-4ec2-BB35-83DC2A0FE204}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:564
        
        C:\Windows\{44E4533E-77D3-4f5a-A6E1-EA8432C74EF8}.exe
        
        C:\Windows\{44E4533E-77D3-4f5a-A6E1-EA8432C74EF8}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:780
        
        C:\Windows\{7CC38B36-CDB6-41bb-A2B2-F1A8827A5042}.exe
        
        C:\Windows\{7CC38B36-CDB6-41bb-A2B2-F1A8827A5042}.exe
        12⤵
        Executes dropped EXE
        
        PID:2088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{44E45~1.EXE > nul
        12⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EF0DB~1.EXE > nul
        11⤵
        
        PID:592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AEB44~1.EXE > nul
        10⤵
        
        PID:1452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7A96A~1.EXE > nul
        9⤵
        
        PID:896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{75423~1.EXE > nul
        8⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D854A~1.EXE > nul
        7⤵
        
        PID:956
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C9E0F~1.EXE > nul
        6⤵
        
        PID:2388
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E7B86~1.EXE > nul
        5⤵
        
        PID:1148
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{C22DB~1.EXE > nul
      4⤵
      PID:2536
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{D0C5B~1.EXE > nul
    3⤵
    PID:1964
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{44E4533E-77D3-4f5a-A6E1-EA8432C74EF8}.exe

Filesize
168KB

MD5
d2a519d32de21cbc06374b3c118e096e

SHA1
e9af2f19a90b6a4830fd4878417259fcda63662e

SHA256
9b9d4980d0ccff84892c26eec97716e15328ad78bb264ee006e0d0579822a643

SHA512
6923307971717ce046ea8a4228e9dae9c4936915e6cd719d949d232fd2bb345a5e081c137b82a3fde4e10ee6fdd4502e5b5cb3ccffa752a69236c9003006db8c

Download Submit
C:\Windows\{75423B39-62CC-4141-B5BD-DFC777B9BC41}.exe

Filesize
168KB

MD5
00c41edda37aa4bb2ae6f07c95dae0ca

SHA1
078bec3a982f0b10a6320ff825eb5e62a932cee6

SHA256
a23d895b20a969c0673092c88077a7ce3994afd8c30d247d661ce8a712ba88cf

SHA512
4437cc15d14f48a7286111176b4f66e96ee4e2a7efdda5193becb89f075f7f8105a8fda0372b10af8cb1ac6d1d86a70c57d635ff3c227694331b35b3409ad329

Download Submit
C:\Windows\{7A96A7A2-A434-439a-AD66-EF9A5AD51A3A}.exe

Filesize
168KB

MD5
62232b6b226af569ccb023aac7e0fb81

SHA1
8b3dcdc30783d53d8da93754e5a6c18f1b0b0643

SHA256
3474c8bc049578b14d1c8f1e2fdca0cf046f29adff39db66ec0a529a9cfba9e7

SHA512
4e60743c71c0cd4c95c878f048611a9ef7b2c1a51546345f1838785ac9dc5ae542408a418b35d0c5188652099b0490bcee315078cf049c288d9846a973de67b8

Download Submit
C:\Windows\{7CC38B36-CDB6-41bb-A2B2-F1A8827A5042}.exe

Filesize
168KB

MD5
bf3f7407c8b20ccc664e668d23fd377c

SHA1
16444d77776a4dd64ab93869dd986a65e70e1e4c

SHA256
de4fe54cf6ea59288e1c636cf4b7a651ee490119541e04b563fc080180c05c68

SHA512
b2d0df36cfd07edffe7f353066866787c27e67fc9572ed08db26301e4357a65f5b00579408287e61ff1c5a8d158b819eb317622a37648f2051c99177819b8aa9

Download Submit
C:\Windows\{AEB44A4D-66AB-4db3-B175-8BF8EA8A9697}.exe

Filesize
168KB

MD5
6ce142d5127543daf8d58e9d1f602e36

SHA1
a825e2cbe6617fb121f3ba07d0016da5e93d0cdc

SHA256
12f915512cc128db403bde3b97f69aa5a0c530139fbe2cfb33227700c171c358

SHA512
32d7ba0b59acd3e5fc780066cf7945e42f285225b6f3dddbe5cd7ba80f2618a50e8e425ae5763c57c797f12dff35eaed5349b9815b5c4b46465be8671d42d933

Download Submit
C:\Windows\{C22DB9FD-3AE1-46ae-8D1D-06C6E3F46279}.exe

Filesize
168KB

MD5
12f2e159132ddfbb60afdc446d9e903f

SHA1
8843720b2c0dd504dcda13d54fba0317101e5814

SHA256
3adca13185e0e007e8b1153f134b94bf046526264b03fa5cd984ca091deed0eb

SHA512
e3578a8793a6da9dd3e45315583fd0a77597e405d9137e9396862b5c6941c20824aeef89225adca22e26ac1c5970108714f762643243cd044db674c7fe1a4535

Download Submit
C:\Windows\{C9E0FE12-6DAE-4d02-A81B-9DEEE1B47F92}.exe

Filesize
168KB

MD5
f814c470b70d46c5d810867247be43dd

SHA1
26d12706a0c08a30386eda5c6df870e395e162f1

SHA256
a7f9249f68003287344ed0318c731159b900bf0f27a5622ba81926d4df405a28

SHA512
c361b4d87da559c7863189b9b4fa5589a15da6936c9d0feae9a6741919e0b67abdb8ed4e89e396f02cdce8032efabf0c13a4a06660c1382f379aa5d417e3b014

Download Submit
C:\Windows\{D0C5B73B-EFA1-4810-A2CD-1B2D557A1EE5}.exe

Filesize
168KB

MD5
38066bccd73c2bcfbd3e2808ef3cd1c7

SHA1
79ff74667b0ce44cf3e3a83e4405e685b2cd2f67

SHA256
502ddbb4d0726b4eeca1893de5ed47d6c49aec361fbafd12b2a1dd80d8823ecb

SHA512
779f5a28e9d78194aea67ed847032932ede6b2111c49d2610e0e304df14f7b9eac441cae763a8128f4051001ecc2dd73072278425083acfac82d361bcfc9922f

Download Submit
C:\Windows\{D854AE4B-F204-4ae5-AE0F-408802485115}.exe

Filesize
168KB

MD5
d6fb794010abc22f29d20661d464400c

SHA1
f984fe03aa876ff995c8ce7071ea17d561fa39b6

SHA256
18e23b4521b6a0d561af566309f60eccedb6ebe117564a237b964eecc75099d1

SHA512
21502934a11854e567b55c42026c177aa13adb80e34954a432c32923fff60da44911018f56a8288b3b9bb94039ffd0cab811dbf75a2a5c175a13c784d83b175d

Download Submit
C:\Windows\{E7B86451-E4DE-4327-A07E-049D8265FE1E}.exe

Filesize
168KB

MD5
90e9cb9700f26743d1d61e483e818eb9

SHA1
7cbbfc80a52dd5fd10762924871b6838bbcfe226

SHA256
53bab467cf3e994cfbfc35e725556ab8d939b4cd68161e3095cf0842e510403e

SHA512
d13a8b9e68b772d037821b28db59a29959712031bc4c6baa74e2522b84cbdd923a95395b3636e76ea678a6fa597861a215040a4c865eb6aedb04d6919fbbc2aa

Download Submit
C:\Windows\{EF0DBE21-67ED-4ec2-BB35-83DC2A0FE204}.exe

Filesize
168KB

MD5
6dcd4309363bcc8bb0f9641b76272ef8

SHA1
61f143358176fbb7f091d5af3ce0b658a812a017

SHA256
6cbe2cab0539281fa1cbe57f83f0c9da1f0bb206adebf0d37d6848fcaf4f44e9

SHA512
63a7947e8b14a632cf7574302f1128b7f239c899205896bcbc67163c9e624742ad4baf7d70fd47fc89dbd40c440004988a6142311d0ee97676d1353105d51def

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads