a854c053db6fe5a40a4bd293aa56ff706e6982a658b794ac5c8b4c96f3977ad5

Analysis

max time kernel
144s
max time network
121s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
23/04/2024, 04:51

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-04-23_ae68e30253e1764755ead503930ac4ee_goldeneye.exe
Size

168KB
MD5

ae68e30253e1764755ead503930ac4ee
SHA1

004cb47f48dc1229be6c6a23b2a8f5ca0af4db3d
SHA256

a854c053db6fe5a40a4bd293aa56ff706e6982a658b794ac5c8b4c96f3977ad5
SHA512

df600c0118ec3eae38b4f625622bb82cc5ac2f7b3222bd9fb26ccbee4d5847b22b9445c4f65e8e878267253ba39a7ac705078beaece9d2b351022ecd5c321953
SSDEEP

1536:1EGh0onlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0onlqOPOe2MUVg3Ve+rX

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000a0000000143fb-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b000000015d61-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0034000000016122-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0035000000016122-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0036000000016122-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00330000000161ee-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0037000000016122-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00340000000161ee-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f0000000163eb-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{246F2190-D5B3-47c4-BF5A-5A14FD956030}	2024-04-23_ae68e30253e1764755ead503930ac4ee_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{36F5146B-0A25-43be-9955-5D0CF6610B82}\stubpath = "C:\\Windows\\{36F5146B-0A25-43be-9955-5D0CF6610B82}.exe"	{246F2190-D5B3-47c4-BF5A-5A14FD956030}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{76FC7AC0-3D29-40c1-B322-6FD43F77DAA5}	{36F5146B-0A25-43be-9955-5D0CF6610B82}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8CB52D88-6E18-4c19-A25F-ED0E6235A2C6}\stubpath = "C:\\Windows\\{8CB52D88-6E18-4c19-A25F-ED0E6235A2C6}.exe"	{76FC7AC0-3D29-40c1-B322-6FD43F77DAA5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FE56A58D-9699-468a-860F-F4D5022F569F}	{BD046BE7-D98F-47a2-8A10-4C43DAE50C0A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{02F47A1F-FFF5-4fdb-BB6B-14B90461A32D}\stubpath = "C:\\Windows\\{02F47A1F-FFF5-4fdb-BB6B-14B90461A32D}.exe"	{FE56A58D-9699-468a-860F-F4D5022F569F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{515C0534-69E9-447b-88C6-29B5B0EEA239}	{EC00655E-C044-4865-B794-1A05F5AD4EDA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{985D1450-B831-4683-BBBD-D67EAE4FC411}\stubpath = "C:\\Windows\\{985D1450-B831-4683-BBBD-D67EAE4FC411}.exe"	{8CB52D88-6E18-4c19-A25F-ED0E6235A2C6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A42DFAC0-8EB4-49ca-B905-8FE5D336FC22}\stubpath = "C:\\Windows\\{A42DFAC0-8EB4-49ca-B905-8FE5D336FC22}.exe"	{985D1450-B831-4683-BBBD-D67EAE4FC411}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BD046BE7-D98F-47a2-8A10-4C43DAE50C0A}\stubpath = "C:\\Windows\\{BD046BE7-D98F-47a2-8A10-4C43DAE50C0A}.exe"	{A42DFAC0-8EB4-49ca-B905-8FE5D336FC22}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FE56A58D-9699-468a-860F-F4D5022F569F}\stubpath = "C:\\Windows\\{FE56A58D-9699-468a-860F-F4D5022F569F}.exe"	{BD046BE7-D98F-47a2-8A10-4C43DAE50C0A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{02F47A1F-FFF5-4fdb-BB6B-14B90461A32D}	{FE56A58D-9699-468a-860F-F4D5022F569F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{36F5146B-0A25-43be-9955-5D0CF6610B82}	{246F2190-D5B3-47c4-BF5A-5A14FD956030}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A42DFAC0-8EB4-49ca-B905-8FE5D336FC22}	{985D1450-B831-4683-BBBD-D67EAE4FC411}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{246F2190-D5B3-47c4-BF5A-5A14FD956030}\stubpath = "C:\\Windows\\{246F2190-D5B3-47c4-BF5A-5A14FD956030}.exe"	2024-04-23_ae68e30253e1764755ead503930ac4ee_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{76FC7AC0-3D29-40c1-B322-6FD43F77DAA5}\stubpath = "C:\\Windows\\{76FC7AC0-3D29-40c1-B322-6FD43F77DAA5}.exe"	{36F5146B-0A25-43be-9955-5D0CF6610B82}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8CB52D88-6E18-4c19-A25F-ED0E6235A2C6}	{76FC7AC0-3D29-40c1-B322-6FD43F77DAA5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{985D1450-B831-4683-BBBD-D67EAE4FC411}	{8CB52D88-6E18-4c19-A25F-ED0E6235A2C6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BD046BE7-D98F-47a2-8A10-4C43DAE50C0A}	{A42DFAC0-8EB4-49ca-B905-8FE5D336FC22}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EC00655E-C044-4865-B794-1A05F5AD4EDA}	{02F47A1F-FFF5-4fdb-BB6B-14B90461A32D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EC00655E-C044-4865-B794-1A05F5AD4EDA}\stubpath = "C:\\Windows\\{EC00655E-C044-4865-B794-1A05F5AD4EDA}.exe"	{02F47A1F-FFF5-4fdb-BB6B-14B90461A32D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{515C0534-69E9-447b-88C6-29B5B0EEA239}\stubpath = "C:\\Windows\\{515C0534-69E9-447b-88C6-29B5B0EEA239}.exe"	{EC00655E-C044-4865-B794-1A05F5AD4EDA}.exe

Deletes itself 1 IoCs

pid	Process
2528	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2884	{246F2190-D5B3-47c4-BF5A-5A14FD956030}.exe
2512	{36F5146B-0A25-43be-9955-5D0CF6610B82}.exe
2552	{76FC7AC0-3D29-40c1-B322-6FD43F77DAA5}.exe
2188	{8CB52D88-6E18-4c19-A25F-ED0E6235A2C6}.exe
2444	{985D1450-B831-4683-BBBD-D67EAE4FC411}.exe
2284	{A42DFAC0-8EB4-49ca-B905-8FE5D336FC22}.exe
2112	{BD046BE7-D98F-47a2-8A10-4C43DAE50C0A}.exe
840	{FE56A58D-9699-468a-860F-F4D5022F569F}.exe
2256	{02F47A1F-FFF5-4fdb-BB6B-14B90461A32D}.exe
2996	{EC00655E-C044-4865-B794-1A05F5AD4EDA}.exe
624	{515C0534-69E9-447b-88C6-29B5B0EEA239}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{76FC7AC0-3D29-40c1-B322-6FD43F77DAA5}.exe	{36F5146B-0A25-43be-9955-5D0CF6610B82}.exe
File created	C:\Windows\{A42DFAC0-8EB4-49ca-B905-8FE5D336FC22}.exe	{985D1450-B831-4683-BBBD-D67EAE4FC411}.exe
File created	C:\Windows\{FE56A58D-9699-468a-860F-F4D5022F569F}.exe	{BD046BE7-D98F-47a2-8A10-4C43DAE50C0A}.exe
File created	C:\Windows\{515C0534-69E9-447b-88C6-29B5B0EEA239}.exe	{EC00655E-C044-4865-B794-1A05F5AD4EDA}.exe
File created	C:\Windows\{BD046BE7-D98F-47a2-8A10-4C43DAE50C0A}.exe	{A42DFAC0-8EB4-49ca-B905-8FE5D336FC22}.exe
File created	C:\Windows\{02F47A1F-FFF5-4fdb-BB6B-14B90461A32D}.exe	{FE56A58D-9699-468a-860F-F4D5022F569F}.exe
File created	C:\Windows\{EC00655E-C044-4865-B794-1A05F5AD4EDA}.exe	{02F47A1F-FFF5-4fdb-BB6B-14B90461A32D}.exe
File created	C:\Windows\{246F2190-D5B3-47c4-BF5A-5A14FD956030}.exe	2024-04-23_ae68e30253e1764755ead503930ac4ee_goldeneye.exe
File created	C:\Windows\{36F5146B-0A25-43be-9955-5D0CF6610B82}.exe	{246F2190-D5B3-47c4-BF5A-5A14FD956030}.exe
File created	C:\Windows\{8CB52D88-6E18-4c19-A25F-ED0E6235A2C6}.exe	{76FC7AC0-3D29-40c1-B322-6FD43F77DAA5}.exe
File created	C:\Windows\{985D1450-B831-4683-BBBD-D67EAE4FC411}.exe	{8CB52D88-6E18-4c19-A25F-ED0E6235A2C6}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3036	2024-04-23_ae68e30253e1764755ead503930ac4ee_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2884	{246F2190-D5B3-47c4-BF5A-5A14FD956030}.exe
Token: SeIncBasePriorityPrivilege	2512	{36F5146B-0A25-43be-9955-5D0CF6610B82}.exe
Token: SeIncBasePriorityPrivilege	2552	{76FC7AC0-3D29-40c1-B322-6FD43F77DAA5}.exe
Token: SeIncBasePriorityPrivilege	2188	{8CB52D88-6E18-4c19-A25F-ED0E6235A2C6}.exe
Token: SeIncBasePriorityPrivilege	2444	{985D1450-B831-4683-BBBD-D67EAE4FC411}.exe
Token: SeIncBasePriorityPrivilege	2284	{A42DFAC0-8EB4-49ca-B905-8FE5D336FC22}.exe
Token: SeIncBasePriorityPrivilege	2112	{BD046BE7-D98F-47a2-8A10-4C43DAE50C0A}.exe
Token: SeIncBasePriorityPrivilege	840	{FE56A58D-9699-468a-860F-F4D5022F569F}.exe
Token: SeIncBasePriorityPrivilege	2256	{02F47A1F-FFF5-4fdb-BB6B-14B90461A32D}.exe
Token: SeIncBasePriorityPrivilege	2996	{EC00655E-C044-4865-B794-1A05F5AD4EDA}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3036 wrote to memory of 2884	3036	2024-04-23_ae68e30253e1764755ead503930ac4ee_goldeneye.exe	28
PID 3036 wrote to memory of 2884	3036	2024-04-23_ae68e30253e1764755ead503930ac4ee_goldeneye.exe	28
PID 3036 wrote to memory of 2884	3036	2024-04-23_ae68e30253e1764755ead503930ac4ee_goldeneye.exe	28
PID 3036 wrote to memory of 2884	3036	2024-04-23_ae68e30253e1764755ead503930ac4ee_goldeneye.exe	28
PID 3036 wrote to memory of 2528	3036	2024-04-23_ae68e30253e1764755ead503930ac4ee_goldeneye.exe	29
PID 3036 wrote to memory of 2528	3036	2024-04-23_ae68e30253e1764755ead503930ac4ee_goldeneye.exe	29
PID 3036 wrote to memory of 2528	3036	2024-04-23_ae68e30253e1764755ead503930ac4ee_goldeneye.exe	29
PID 3036 wrote to memory of 2528	3036	2024-04-23_ae68e30253e1764755ead503930ac4ee_goldeneye.exe	29
PID 2884 wrote to memory of 2512	2884	{246F2190-D5B3-47c4-BF5A-5A14FD956030}.exe	30
PID 2884 wrote to memory of 2512	2884	{246F2190-D5B3-47c4-BF5A-5A14FD956030}.exe	30
PID 2884 wrote to memory of 2512	2884	{246F2190-D5B3-47c4-BF5A-5A14FD956030}.exe	30
PID 2884 wrote to memory of 2512	2884	{246F2190-D5B3-47c4-BF5A-5A14FD956030}.exe	30
PID 2884 wrote to memory of 2736	2884	{246F2190-D5B3-47c4-BF5A-5A14FD956030}.exe	31
PID 2884 wrote to memory of 2736	2884	{246F2190-D5B3-47c4-BF5A-5A14FD956030}.exe	31
PID 2884 wrote to memory of 2736	2884	{246F2190-D5B3-47c4-BF5A-5A14FD956030}.exe	31
PID 2884 wrote to memory of 2736	2884	{246F2190-D5B3-47c4-BF5A-5A14FD956030}.exe	31
PID 2512 wrote to memory of 2552	2512	{36F5146B-0A25-43be-9955-5D0CF6610B82}.exe	32
PID 2512 wrote to memory of 2552	2512	{36F5146B-0A25-43be-9955-5D0CF6610B82}.exe	32
PID 2512 wrote to memory of 2552	2512	{36F5146B-0A25-43be-9955-5D0CF6610B82}.exe	32
PID 2512 wrote to memory of 2552	2512	{36F5146B-0A25-43be-9955-5D0CF6610B82}.exe	32
PID 2512 wrote to memory of 2492	2512	{36F5146B-0A25-43be-9955-5D0CF6610B82}.exe	33
PID 2512 wrote to memory of 2492	2512	{36F5146B-0A25-43be-9955-5D0CF6610B82}.exe	33
PID 2512 wrote to memory of 2492	2512	{36F5146B-0A25-43be-9955-5D0CF6610B82}.exe	33
PID 2512 wrote to memory of 2492	2512	{36F5146B-0A25-43be-9955-5D0CF6610B82}.exe	33
PID 2552 wrote to memory of 2188	2552	{76FC7AC0-3D29-40c1-B322-6FD43F77DAA5}.exe	36
PID 2552 wrote to memory of 2188	2552	{76FC7AC0-3D29-40c1-B322-6FD43F77DAA5}.exe	36
PID 2552 wrote to memory of 2188	2552	{76FC7AC0-3D29-40c1-B322-6FD43F77DAA5}.exe	36
PID 2552 wrote to memory of 2188	2552	{76FC7AC0-3D29-40c1-B322-6FD43F77DAA5}.exe	36
PID 2552 wrote to memory of 1476	2552	{76FC7AC0-3D29-40c1-B322-6FD43F77DAA5}.exe	37
PID 2552 wrote to memory of 1476	2552	{76FC7AC0-3D29-40c1-B322-6FD43F77DAA5}.exe	37
PID 2552 wrote to memory of 1476	2552	{76FC7AC0-3D29-40c1-B322-6FD43F77DAA5}.exe	37
PID 2552 wrote to memory of 1476	2552	{76FC7AC0-3D29-40c1-B322-6FD43F77DAA5}.exe	37
PID 2188 wrote to memory of 2444	2188	{8CB52D88-6E18-4c19-A25F-ED0E6235A2C6}.exe	38
PID 2188 wrote to memory of 2444	2188	{8CB52D88-6E18-4c19-A25F-ED0E6235A2C6}.exe	38
PID 2188 wrote to memory of 2444	2188	{8CB52D88-6E18-4c19-A25F-ED0E6235A2C6}.exe	38
PID 2188 wrote to memory of 2444	2188	{8CB52D88-6E18-4c19-A25F-ED0E6235A2C6}.exe	38
PID 2188 wrote to memory of 2668	2188	{8CB52D88-6E18-4c19-A25F-ED0E6235A2C6}.exe	39
PID 2188 wrote to memory of 2668	2188	{8CB52D88-6E18-4c19-A25F-ED0E6235A2C6}.exe	39
PID 2188 wrote to memory of 2668	2188	{8CB52D88-6E18-4c19-A25F-ED0E6235A2C6}.exe	39
PID 2188 wrote to memory of 2668	2188	{8CB52D88-6E18-4c19-A25F-ED0E6235A2C6}.exe	39
PID 2444 wrote to memory of 2284	2444	{985D1450-B831-4683-BBBD-D67EAE4FC411}.exe	40
PID 2444 wrote to memory of 2284	2444	{985D1450-B831-4683-BBBD-D67EAE4FC411}.exe	40
PID 2444 wrote to memory of 2284	2444	{985D1450-B831-4683-BBBD-D67EAE4FC411}.exe	40
PID 2444 wrote to memory of 2284	2444	{985D1450-B831-4683-BBBD-D67EAE4FC411}.exe	40
PID 2444 wrote to memory of 1636	2444	{985D1450-B831-4683-BBBD-D67EAE4FC411}.exe	41
PID 2444 wrote to memory of 1636	2444	{985D1450-B831-4683-BBBD-D67EAE4FC411}.exe	41
PID 2444 wrote to memory of 1636	2444	{985D1450-B831-4683-BBBD-D67EAE4FC411}.exe	41
PID 2444 wrote to memory of 1636	2444	{985D1450-B831-4683-BBBD-D67EAE4FC411}.exe	41
PID 2284 wrote to memory of 2112	2284	{A42DFAC0-8EB4-49ca-B905-8FE5D336FC22}.exe	42
PID 2284 wrote to memory of 2112	2284	{A42DFAC0-8EB4-49ca-B905-8FE5D336FC22}.exe	42
PID 2284 wrote to memory of 2112	2284	{A42DFAC0-8EB4-49ca-B905-8FE5D336FC22}.exe	42
PID 2284 wrote to memory of 2112	2284	{A42DFAC0-8EB4-49ca-B905-8FE5D336FC22}.exe	42
PID 2284 wrote to memory of 1720	2284	{A42DFAC0-8EB4-49ca-B905-8FE5D336FC22}.exe	43
PID 2284 wrote to memory of 1720	2284	{A42DFAC0-8EB4-49ca-B905-8FE5D336FC22}.exe	43
PID 2284 wrote to memory of 1720	2284	{A42DFAC0-8EB4-49ca-B905-8FE5D336FC22}.exe	43
PID 2284 wrote to memory of 1720	2284	{A42DFAC0-8EB4-49ca-B905-8FE5D336FC22}.exe	43
PID 2112 wrote to memory of 840	2112	{BD046BE7-D98F-47a2-8A10-4C43DAE50C0A}.exe	44
PID 2112 wrote to memory of 840	2112	{BD046BE7-D98F-47a2-8A10-4C43DAE50C0A}.exe	44
PID 2112 wrote to memory of 840	2112	{BD046BE7-D98F-47a2-8A10-4C43DAE50C0A}.exe	44
PID 2112 wrote to memory of 840	2112	{BD046BE7-D98F-47a2-8A10-4C43DAE50C0A}.exe	44
PID 2112 wrote to memory of 1040	2112	{BD046BE7-D98F-47a2-8A10-4C43DAE50C0A}.exe	45
PID 2112 wrote to memory of 1040	2112	{BD046BE7-D98F-47a2-8A10-4C43DAE50C0A}.exe	45
PID 2112 wrote to memory of 1040	2112	{BD046BE7-D98F-47a2-8A10-4C43DAE50C0A}.exe	45
PID 2112 wrote to memory of 1040	2112	{BD046BE7-D98F-47a2-8A10-4C43DAE50C0A}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-04-23_ae68e30253e1764755ead503930ac4ee_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-23_ae68e30253e1764755ead503930ac4ee_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3036
- C:\Windows\{246F2190-D5B3-47c4-BF5A-5A14FD956030}.exe
  C:\Windows\{246F2190-D5B3-47c4-BF5A-5A14FD956030}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2884
- - C:\Windows\{36F5146B-0A25-43be-9955-5D0CF6610B82}.exe
    C:\Windows\{36F5146B-0A25-43be-9955-5D0CF6610B82}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2512
  - - C:\Windows\{76FC7AC0-3D29-40c1-B322-6FD43F77DAA5}.exe
      C:\Windows\{76FC7AC0-3D29-40c1-B322-6FD43F77DAA5}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2552
    - - C:\Windows\{8CB52D88-6E18-4c19-A25F-ED0E6235A2C6}.exe
        
        C:\Windows\{8CB52D88-6E18-4c19-A25F-ED0E6235A2C6}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2188
      - C:\Windows\{985D1450-B831-4683-BBBD-D67EAE4FC411}.exe
        
        C:\Windows\{985D1450-B831-4683-BBBD-D67EAE4FC411}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2444
        
        C:\Windows\{A42DFAC0-8EB4-49ca-B905-8FE5D336FC22}.exe
        
        C:\Windows\{A42DFAC0-8EB4-49ca-B905-8FE5D336FC22}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2284
        
        C:\Windows\{BD046BE7-D98F-47a2-8A10-4C43DAE50C0A}.exe
        
        C:\Windows\{BD046BE7-D98F-47a2-8A10-4C43DAE50C0A}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2112
        
        C:\Windows\{FE56A58D-9699-468a-860F-F4D5022F569F}.exe
        
        C:\Windows\{FE56A58D-9699-468a-860F-F4D5022F569F}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:840
        
        C:\Windows\{02F47A1F-FFF5-4fdb-BB6B-14B90461A32D}.exe
        
        C:\Windows\{02F47A1F-FFF5-4fdb-BB6B-14B90461A32D}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2256
        
        C:\Windows\{EC00655E-C044-4865-B794-1A05F5AD4EDA}.exe
        
        C:\Windows\{EC00655E-C044-4865-B794-1A05F5AD4EDA}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2996
        
        C:\Windows\{515C0534-69E9-447b-88C6-29B5B0EEA239}.exe
        
        C:\Windows\{515C0534-69E9-447b-88C6-29B5B0EEA239}.exe
        12⤵
        Executes dropped EXE
        
        PID:624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EC006~1.EXE > nul
        12⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{02F47~1.EXE > nul
        11⤵
        
        PID:896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FE56A~1.EXE > nul
        10⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BD046~1.EXE > nul
        9⤵
        
        PID:1040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A42DF~1.EXE > nul
        8⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{985D1~1.EXE > nul
        7⤵
        
        PID:1636
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8CB52~1.EXE > nul
        6⤵
        
        PID:2668
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{76FC7~1.EXE > nul
        5⤵
        
        PID:1476
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{36F51~1.EXE > nul
      4⤵
      PID:2492
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{246F2~1.EXE > nul
    3⤵
    PID:2736
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{02F47A1F-FFF5-4fdb-BB6B-14B90461A32D}.exe

Filesize
168KB

MD5
89dfc00cc8798df240230f0e94e394bb

SHA1
dba9af9b996836bf9829752a70bae30d649817a6

SHA256
1e60a825dbca993bfe3a6ed62ebdf33cc7bddf0b5b5299b23c4b25f73746fe69

SHA512
5376fc2916813a57a089377f95ef00501a9746f96e247bf0d9584549d52093d32eca8e43690905c6448f4de5bd7646efcc397eafcd5c5547097f2d0a55b8d44b

Download Submit
C:\Windows\{246F2190-D5B3-47c4-BF5A-5A14FD956030}.exe

Filesize
168KB

MD5
0204e04da21018b84076da0fb28fa9fe

SHA1
3ee6ab59801fc23900add83856e3bb79a6d061bf

SHA256
7af522ff1931d4109c9f2269e2b302df3a10f2f536a880fb14933d2edbc3757c

SHA512
150769512c7c89b9987c1edbe8ac280d2fb4a684c50e687327be123471d07c3d2e5b905c45d3a67f8be4a48f06cb9ab87e456c6d1d715e884fb4d4d91f2a2992

Download Submit
C:\Windows\{36F5146B-0A25-43be-9955-5D0CF6610B82}.exe

Filesize
168KB

MD5
9b906e94cb4eb46dbf944c4363d3b678

SHA1
88a1fefc8b88239fe2b125f995fdfce8e88a2e45

SHA256
d46fe78f79180de923e9aa84d0a107d14c40131ed3a0ab48ae6c0de4dc0acff9

SHA512
d91dc4ff267d420d11799506291267ee9cf442784caddf8abf609af8662b926687932778d7733625e66ae5de44a9463557e11017832217eb28eaf00c5e14d6f2

Download Submit
C:\Windows\{515C0534-69E9-447b-88C6-29B5B0EEA239}.exe

Filesize
168KB

MD5
4d3f7c6b4ae66c5d59af8e9c8bbe68ab

SHA1
0a96d517ac30917d72f94988a367cd116515c00c

SHA256
c370d06c5b958c372d1a529b066205da6456b8d737c239d3068841a35c741209

SHA512
8eee9b97b88ffbef1232548aa726e9c55e27aa2a2f706ed110b24f4e8a41b9033315219b645a80db42dc2952618a368663e2a84082e4dae930cde68b1e2b6a37

Download Submit
C:\Windows\{76FC7AC0-3D29-40c1-B322-6FD43F77DAA5}.exe

Filesize
168KB

MD5
a1be0bfa669a293274ac625de3343cec

SHA1
d4867c0fa46c1fcbea3049b9d1d62259ba54b16e

SHA256
e047cc8744c26b3f1f012909bb2314518552ac3f668664afc7c5736f7318d7da

SHA512
785dc2a987a57763ba9ed0ac757ad49c48f48b5ad1c090371b0ee12403593cea85ee7b9675897d59d7f0dd047efc450e7fb06b31762f44f26aea9f94e225e0e8

Download Submit
C:\Windows\{8CB52D88-6E18-4c19-A25F-ED0E6235A2C6}.exe

Filesize
168KB

MD5
3fdc43482429c3250f378ae497e9d5d9

SHA1
2332b1cdc9e7b721f7776b4d1619fe344066ebb1

SHA256
22321294f670c5cf950297cfeca076aa8b161323b043a1470ab5369927f487f0

SHA512
d22e8da3790344651ebfc7965380314c30d1be4025987f99b286ca639cb4b6797e9a91c9569caca0e3ee60e20cb30ebefce72fdb80feda6957ade7e123e273bf

Download Submit
C:\Windows\{985D1450-B831-4683-BBBD-D67EAE4FC411}.exe

Filesize
168KB

MD5
cf9acc9319d8c19e85246b1896f7fd08

SHA1
ffc2b4475f9673369494ba470f783ef05935ed2b

SHA256
60f8911fa1495f6ffe0ad00e1bd846d23829bbeb1e5f6f04380c672cb405caee

SHA512
e661de49b6957b35199bb9ac42772ca052d12699b64d54799c4efd345dff7625805c64d98d34c35f8c02c81ba10a945a6a3ab66704c40592bf9416280dd8e405

Download Submit
C:\Windows\{A42DFAC0-8EB4-49ca-B905-8FE5D336FC22}.exe

Filesize
168KB

MD5
4100677cec8f2aef8e2b34d73c72aff4

SHA1
16ffe80638c1013ff1c23a93d6b55660a36179da

SHA256
6fdb2a69f4bbf7a3fcf8b11971cb3ee1d035f2d3bc5c14b7dac67946814b10b7

SHA512
96cf1b9950c4f0d501149765d2222158d5190b6f2ae7e9eb24c3944a2cb6c60ce02ab6c28487c1bfc99f88f2cfa35c7eb9c26d33cc496362caf32bc37cb975fa

Download Submit
C:\Windows\{BD046BE7-D98F-47a2-8A10-4C43DAE50C0A}.exe

Filesize
168KB

MD5
f5dc62e059bde9f7bee94d03c04ffac8

SHA1
d7cae9d3e1bb1615baf4277284fac29dfee44f88

SHA256
45b00c083fdacb1bc2cf99b2ba03d4e39d6440c886234ef94e8ac95e5c9fbf4f

SHA512
f4081cc6729535860aa84f7456f347b0d54f9137222779b66a7d01059a95a876fdda30d3cb4bd0ae55d7ce90ebd6786a5ce95f8f6d904b82fa823db6429aef08

Download Submit
C:\Windows\{EC00655E-C044-4865-B794-1A05F5AD4EDA}.exe

Filesize
168KB

MD5
fca78d7b24d944a8429012fb0dd56a39

SHA1
4b95c443e9037e7b1d7d1c11901bd5d04567b924

SHA256
43908179f3d9e5336a288ff7ab74de8cecfd2054651708cca3a088a0a9917a76

SHA512
09734359b5b2f8be936cba5a05bae64481745a5e8b9b1f25c7fdec1e462fec0b0872a6f2d5b8970e54ec03e238c9be89c1554c1e9cf6e1f5bde7ada975567198

Download Submit
C:\Windows\{FE56A58D-9699-468a-860F-F4D5022F569F}.exe

Filesize
168KB

MD5
282e9be3d9feca0ad20be1ba3e6b60fc

SHA1
06328a1759db09d187a4baf150b561c5db8bffab

SHA256
421ac112c30ee15f1d6da374ccf15d047f10c41ad7cce05d670d35ea3a0d36c7

SHA512
7cf40b55c0e6af41de66d0ce7c380d9bda6aa7468c55125a07ef9f4f491e48fba06db2bddd947d0e0882fa68312eff0967114a97e04ae48f58b3a96f73403458

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads