3ea4f12edb6fb60a75a9870498c974fec67cf061f919571930813d5cf9b337f1

Analysis

max time kernel
144s
max time network
121s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
25/04/2024, 15:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-25_46afb1cab6fcc1662494adf71d83f28f_goldeneye.exe
Size

372KB
MD5

46afb1cab6fcc1662494adf71d83f28f
SHA1

6146867f5d36a1c1e262dc541972843029ce10c4
SHA256

3ea4f12edb6fb60a75a9870498c974fec67cf061f919571930813d5cf9b337f1
SHA512

814ba0ca2c4063a96ea70be2ed2d66f46ac97584c5fa7643f41d6692007b4279679c743011a09a84c08bbe74e89d53b83707aa757bc628442ee0dc03a970bd03
SSDEEP

3072:CEGh0odlMOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBfM:CEGrlkOe2MUVg3vTeKcAEciTBqr3

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000900000001447e-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000014539-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a00000001447e-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00090000000149f5-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000005a59-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b00000001447e-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000005a59-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c00000001447e-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000005a59-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d00000001447e-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000005a59-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3C24BBCC-B047-452d-8721-D7C995AB976F}	{842715F7-6E9F-4763-81EE-C4FBD8BC3434}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B0B428A3-F065-496b-BB3C-04B5CCB0F163}	{D7D740F8-9D6A-4806-8A31-F1FED7EA0CC2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AC3478CC-B7FD-4c62-B4C1-D49DF3DD880E}	{B0B428A3-F065-496b-BB3C-04B5CCB0F163}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AC3478CC-B7FD-4c62-B4C1-D49DF3DD880E}\stubpath = "C:\\Windows\\{AC3478CC-B7FD-4c62-B4C1-D49DF3DD880E}.exe"	{B0B428A3-F065-496b-BB3C-04B5CCB0F163}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0FC314F1-7767-4d57-8932-CB799240F163}	{1DF5EDD2-B666-48a1-8362-B4FCAEFF58A3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E2D8FE26-97EA-4ef4-8BFB-B2D84DBC9823}	{3A2BD2A2-3289-4dd7-85F5-7BD038017592}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{31F28615-8A1F-4fa1-B70E-EE63EEC2E2CC}\stubpath = "C:\\Windows\\{31F28615-8A1F-4fa1-B70E-EE63EEC2E2CC}.exe"	{E2D8FE26-97EA-4ef4-8BFB-B2D84DBC9823}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{842715F7-6E9F-4763-81EE-C4FBD8BC3434}	{31F28615-8A1F-4fa1-B70E-EE63EEC2E2CC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B14CF0D9-A2C1-4b8e-BA9E-7A482F5918BB}	{3C24BBCC-B047-452d-8721-D7C995AB976F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0FC314F1-7767-4d57-8932-CB799240F163}\stubpath = "C:\\Windows\\{0FC314F1-7767-4d57-8932-CB799240F163}.exe"	{1DF5EDD2-B666-48a1-8362-B4FCAEFF58A3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3A2BD2A2-3289-4dd7-85F5-7BD038017592}	{0FC314F1-7767-4d57-8932-CB799240F163}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{31F28615-8A1F-4fa1-B70E-EE63EEC2E2CC}	{E2D8FE26-97EA-4ef4-8BFB-B2D84DBC9823}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{842715F7-6E9F-4763-81EE-C4FBD8BC3434}\stubpath = "C:\\Windows\\{842715F7-6E9F-4763-81EE-C4FBD8BC3434}.exe"	{31F28615-8A1F-4fa1-B70E-EE63EEC2E2CC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E2D8FE26-97EA-4ef4-8BFB-B2D84DBC9823}\stubpath = "C:\\Windows\\{E2D8FE26-97EA-4ef4-8BFB-B2D84DBC9823}.exe"	{3A2BD2A2-3289-4dd7-85F5-7BD038017592}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B14CF0D9-A2C1-4b8e-BA9E-7A482F5918BB}\stubpath = "C:\\Windows\\{B14CF0D9-A2C1-4b8e-BA9E-7A482F5918BB}.exe"	{3C24BBCC-B047-452d-8721-D7C995AB976F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D7D740F8-9D6A-4806-8A31-F1FED7EA0CC2}	{B14CF0D9-A2C1-4b8e-BA9E-7A482F5918BB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B0B428A3-F065-496b-BB3C-04B5CCB0F163}\stubpath = "C:\\Windows\\{B0B428A3-F065-496b-BB3C-04B5CCB0F163}.exe"	{D7D740F8-9D6A-4806-8A31-F1FED7EA0CC2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D7D740F8-9D6A-4806-8A31-F1FED7EA0CC2}\stubpath = "C:\\Windows\\{D7D740F8-9D6A-4806-8A31-F1FED7EA0CC2}.exe"	{B14CF0D9-A2C1-4b8e-BA9E-7A482F5918BB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1DF5EDD2-B666-48a1-8362-B4FCAEFF58A3}	2024-04-25_46afb1cab6fcc1662494adf71d83f28f_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1DF5EDD2-B666-48a1-8362-B4FCAEFF58A3}\stubpath = "C:\\Windows\\{1DF5EDD2-B666-48a1-8362-B4FCAEFF58A3}.exe"	2024-04-25_46afb1cab6fcc1662494adf71d83f28f_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3A2BD2A2-3289-4dd7-85F5-7BD038017592}\stubpath = "C:\\Windows\\{3A2BD2A2-3289-4dd7-85F5-7BD038017592}.exe"	{0FC314F1-7767-4d57-8932-CB799240F163}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3C24BBCC-B047-452d-8721-D7C995AB976F}\stubpath = "C:\\Windows\\{3C24BBCC-B047-452d-8721-D7C995AB976F}.exe"	{842715F7-6E9F-4763-81EE-C4FBD8BC3434}.exe

Deletes itself 1 IoCs

pid	Process
2680	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
1856	{1DF5EDD2-B666-48a1-8362-B4FCAEFF58A3}.exe
2672	{0FC314F1-7767-4d57-8932-CB799240F163}.exe
2832	{3A2BD2A2-3289-4dd7-85F5-7BD038017592}.exe
2520	{E2D8FE26-97EA-4ef4-8BFB-B2D84DBC9823}.exe
2648	{31F28615-8A1F-4fa1-B70E-EE63EEC2E2CC}.exe
2796	{842715F7-6E9F-4763-81EE-C4FBD8BC3434}.exe
2856	{3C24BBCC-B047-452d-8721-D7C995AB976F}.exe
808	{B14CF0D9-A2C1-4b8e-BA9E-7A482F5918BB}.exe
2416	{D7D740F8-9D6A-4806-8A31-F1FED7EA0CC2}.exe
608	{B0B428A3-F065-496b-BB3C-04B5CCB0F163}.exe
3008	{AC3478CC-B7FD-4c62-B4C1-D49DF3DD880E}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{842715F7-6E9F-4763-81EE-C4FBD8BC3434}.exe	{31F28615-8A1F-4fa1-B70E-EE63EEC2E2CC}.exe
File created	C:\Windows\{1DF5EDD2-B666-48a1-8362-B4FCAEFF58A3}.exe	2024-04-25_46afb1cab6fcc1662494adf71d83f28f_goldeneye.exe
File created	C:\Windows\{0FC314F1-7767-4d57-8932-CB799240F163}.exe	{1DF5EDD2-B666-48a1-8362-B4FCAEFF58A3}.exe
File created	C:\Windows\{31F28615-8A1F-4fa1-B70E-EE63EEC2E2CC}.exe	{E2D8FE26-97EA-4ef4-8BFB-B2D84DBC9823}.exe
File created	C:\Windows\{3C24BBCC-B047-452d-8721-D7C995AB976F}.exe	{842715F7-6E9F-4763-81EE-C4FBD8BC3434}.exe
File created	C:\Windows\{B14CF0D9-A2C1-4b8e-BA9E-7A482F5918BB}.exe	{3C24BBCC-B047-452d-8721-D7C995AB976F}.exe
File created	C:\Windows\{D7D740F8-9D6A-4806-8A31-F1FED7EA0CC2}.exe	{B14CF0D9-A2C1-4b8e-BA9E-7A482F5918BB}.exe
File created	C:\Windows\{B0B428A3-F065-496b-BB3C-04B5CCB0F163}.exe	{D7D740F8-9D6A-4806-8A31-F1FED7EA0CC2}.exe
File created	C:\Windows\{AC3478CC-B7FD-4c62-B4C1-D49DF3DD880E}.exe	{B0B428A3-F065-496b-BB3C-04B5CCB0F163}.exe
File created	C:\Windows\{3A2BD2A2-3289-4dd7-85F5-7BD038017592}.exe	{0FC314F1-7767-4d57-8932-CB799240F163}.exe
File created	C:\Windows\{E2D8FE26-97EA-4ef4-8BFB-B2D84DBC9823}.exe	{3A2BD2A2-3289-4dd7-85F5-7BD038017592}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1688	2024-04-25_46afb1cab6fcc1662494adf71d83f28f_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1856	{1DF5EDD2-B666-48a1-8362-B4FCAEFF58A3}.exe
Token: SeIncBasePriorityPrivilege	2672	{0FC314F1-7767-4d57-8932-CB799240F163}.exe
Token: SeIncBasePriorityPrivilege	2832	{3A2BD2A2-3289-4dd7-85F5-7BD038017592}.exe
Token: SeIncBasePriorityPrivilege	2520	{E2D8FE26-97EA-4ef4-8BFB-B2D84DBC9823}.exe
Token: SeIncBasePriorityPrivilege	2648	{31F28615-8A1F-4fa1-B70E-EE63EEC2E2CC}.exe
Token: SeIncBasePriorityPrivilege	2796	{842715F7-6E9F-4763-81EE-C4FBD8BC3434}.exe
Token: SeIncBasePriorityPrivilege	2856	{3C24BBCC-B047-452d-8721-D7C995AB976F}.exe
Token: SeIncBasePriorityPrivilege	808	{B14CF0D9-A2C1-4b8e-BA9E-7A482F5918BB}.exe
Token: SeIncBasePriorityPrivilege	2416	{D7D740F8-9D6A-4806-8A31-F1FED7EA0CC2}.exe
Token: SeIncBasePriorityPrivilege	608	{B0B428A3-F065-496b-BB3C-04B5CCB0F163}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1688 wrote to memory of 1856	1688	2024-04-25_46afb1cab6fcc1662494adf71d83f28f_goldeneye.exe	28
PID 1688 wrote to memory of 1856	1688	2024-04-25_46afb1cab6fcc1662494adf71d83f28f_goldeneye.exe	28
PID 1688 wrote to memory of 1856	1688	2024-04-25_46afb1cab6fcc1662494adf71d83f28f_goldeneye.exe	28
PID 1688 wrote to memory of 1856	1688	2024-04-25_46afb1cab6fcc1662494adf71d83f28f_goldeneye.exe	28
PID 1688 wrote to memory of 2680	1688	2024-04-25_46afb1cab6fcc1662494adf71d83f28f_goldeneye.exe	29
PID 1688 wrote to memory of 2680	1688	2024-04-25_46afb1cab6fcc1662494adf71d83f28f_goldeneye.exe	29
PID 1688 wrote to memory of 2680	1688	2024-04-25_46afb1cab6fcc1662494adf71d83f28f_goldeneye.exe	29
PID 1688 wrote to memory of 2680	1688	2024-04-25_46afb1cab6fcc1662494adf71d83f28f_goldeneye.exe	29
PID 1856 wrote to memory of 2672	1856	{1DF5EDD2-B666-48a1-8362-B4FCAEFF58A3}.exe	30
PID 1856 wrote to memory of 2672	1856	{1DF5EDD2-B666-48a1-8362-B4FCAEFF58A3}.exe	30
PID 1856 wrote to memory of 2672	1856	{1DF5EDD2-B666-48a1-8362-B4FCAEFF58A3}.exe	30
PID 1856 wrote to memory of 2672	1856	{1DF5EDD2-B666-48a1-8362-B4FCAEFF58A3}.exe	30
PID 1856 wrote to memory of 2756	1856	{1DF5EDD2-B666-48a1-8362-B4FCAEFF58A3}.exe	31
PID 1856 wrote to memory of 2756	1856	{1DF5EDD2-B666-48a1-8362-B4FCAEFF58A3}.exe	31
PID 1856 wrote to memory of 2756	1856	{1DF5EDD2-B666-48a1-8362-B4FCAEFF58A3}.exe	31
PID 1856 wrote to memory of 2756	1856	{1DF5EDD2-B666-48a1-8362-B4FCAEFF58A3}.exe	31
PID 2672 wrote to memory of 2832	2672	{0FC314F1-7767-4d57-8932-CB799240F163}.exe	32
PID 2672 wrote to memory of 2832	2672	{0FC314F1-7767-4d57-8932-CB799240F163}.exe	32
PID 2672 wrote to memory of 2832	2672	{0FC314F1-7767-4d57-8932-CB799240F163}.exe	32
PID 2672 wrote to memory of 2832	2672	{0FC314F1-7767-4d57-8932-CB799240F163}.exe	32
PID 2672 wrote to memory of 1928	2672	{0FC314F1-7767-4d57-8932-CB799240F163}.exe	33
PID 2672 wrote to memory of 1928	2672	{0FC314F1-7767-4d57-8932-CB799240F163}.exe	33
PID 2672 wrote to memory of 1928	2672	{0FC314F1-7767-4d57-8932-CB799240F163}.exe	33
PID 2672 wrote to memory of 1928	2672	{0FC314F1-7767-4d57-8932-CB799240F163}.exe	33
PID 2832 wrote to memory of 2520	2832	{3A2BD2A2-3289-4dd7-85F5-7BD038017592}.exe	36
PID 2832 wrote to memory of 2520	2832	{3A2BD2A2-3289-4dd7-85F5-7BD038017592}.exe	36
PID 2832 wrote to memory of 2520	2832	{3A2BD2A2-3289-4dd7-85F5-7BD038017592}.exe	36
PID 2832 wrote to memory of 2520	2832	{3A2BD2A2-3289-4dd7-85F5-7BD038017592}.exe	36
PID 2832 wrote to memory of 2264	2832	{3A2BD2A2-3289-4dd7-85F5-7BD038017592}.exe	37
PID 2832 wrote to memory of 2264	2832	{3A2BD2A2-3289-4dd7-85F5-7BD038017592}.exe	37
PID 2832 wrote to memory of 2264	2832	{3A2BD2A2-3289-4dd7-85F5-7BD038017592}.exe	37
PID 2832 wrote to memory of 2264	2832	{3A2BD2A2-3289-4dd7-85F5-7BD038017592}.exe	37
PID 2520 wrote to memory of 2648	2520	{E2D8FE26-97EA-4ef4-8BFB-B2D84DBC9823}.exe	38
PID 2520 wrote to memory of 2648	2520	{E2D8FE26-97EA-4ef4-8BFB-B2D84DBC9823}.exe	38
PID 2520 wrote to memory of 2648	2520	{E2D8FE26-97EA-4ef4-8BFB-B2D84DBC9823}.exe	38
PID 2520 wrote to memory of 2648	2520	{E2D8FE26-97EA-4ef4-8BFB-B2D84DBC9823}.exe	38
PID 2520 wrote to memory of 2732	2520	{E2D8FE26-97EA-4ef4-8BFB-B2D84DBC9823}.exe	39
PID 2520 wrote to memory of 2732	2520	{E2D8FE26-97EA-4ef4-8BFB-B2D84DBC9823}.exe	39
PID 2520 wrote to memory of 2732	2520	{E2D8FE26-97EA-4ef4-8BFB-B2D84DBC9823}.exe	39
PID 2520 wrote to memory of 2732	2520	{E2D8FE26-97EA-4ef4-8BFB-B2D84DBC9823}.exe	39
PID 2648 wrote to memory of 2796	2648	{31F28615-8A1F-4fa1-B70E-EE63EEC2E2CC}.exe	40
PID 2648 wrote to memory of 2796	2648	{31F28615-8A1F-4fa1-B70E-EE63EEC2E2CC}.exe	40
PID 2648 wrote to memory of 2796	2648	{31F28615-8A1F-4fa1-B70E-EE63EEC2E2CC}.exe	40
PID 2648 wrote to memory of 2796	2648	{31F28615-8A1F-4fa1-B70E-EE63EEC2E2CC}.exe	40
PID 2648 wrote to memory of 1188	2648	{31F28615-8A1F-4fa1-B70E-EE63EEC2E2CC}.exe	41
PID 2648 wrote to memory of 1188	2648	{31F28615-8A1F-4fa1-B70E-EE63EEC2E2CC}.exe	41
PID 2648 wrote to memory of 1188	2648	{31F28615-8A1F-4fa1-B70E-EE63EEC2E2CC}.exe	41
PID 2648 wrote to memory of 1188	2648	{31F28615-8A1F-4fa1-B70E-EE63EEC2E2CC}.exe	41
PID 2796 wrote to memory of 2856	2796	{842715F7-6E9F-4763-81EE-C4FBD8BC3434}.exe	42
PID 2796 wrote to memory of 2856	2796	{842715F7-6E9F-4763-81EE-C4FBD8BC3434}.exe	42
PID 2796 wrote to memory of 2856	2796	{842715F7-6E9F-4763-81EE-C4FBD8BC3434}.exe	42
PID 2796 wrote to memory of 2856	2796	{842715F7-6E9F-4763-81EE-C4FBD8BC3434}.exe	42
PID 2796 wrote to memory of 2956	2796	{842715F7-6E9F-4763-81EE-C4FBD8BC3434}.exe	43
PID 2796 wrote to memory of 2956	2796	{842715F7-6E9F-4763-81EE-C4FBD8BC3434}.exe	43
PID 2796 wrote to memory of 2956	2796	{842715F7-6E9F-4763-81EE-C4FBD8BC3434}.exe	43
PID 2796 wrote to memory of 2956	2796	{842715F7-6E9F-4763-81EE-C4FBD8BC3434}.exe	43
PID 2856 wrote to memory of 808	2856	{3C24BBCC-B047-452d-8721-D7C995AB976F}.exe	44
PID 2856 wrote to memory of 808	2856	{3C24BBCC-B047-452d-8721-D7C995AB976F}.exe	44
PID 2856 wrote to memory of 808	2856	{3C24BBCC-B047-452d-8721-D7C995AB976F}.exe	44
PID 2856 wrote to memory of 808	2856	{3C24BBCC-B047-452d-8721-D7C995AB976F}.exe	44
PID 2856 wrote to memory of 1796	2856	{3C24BBCC-B047-452d-8721-D7C995AB976F}.exe	45
PID 2856 wrote to memory of 1796	2856	{3C24BBCC-B047-452d-8721-D7C995AB976F}.exe	45
PID 2856 wrote to memory of 1796	2856	{3C24BBCC-B047-452d-8721-D7C995AB976F}.exe	45
PID 2856 wrote to memory of 1796	2856	{3C24BBCC-B047-452d-8721-D7C995AB976F}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-04-25_46afb1cab6fcc1662494adf71d83f28f_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-25_46afb1cab6fcc1662494adf71d83f28f_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1688
- C:\Windows\{1DF5EDD2-B666-48a1-8362-B4FCAEFF58A3}.exe
  C:\Windows\{1DF5EDD2-B666-48a1-8362-B4FCAEFF58A3}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1856
- - C:\Windows\{0FC314F1-7767-4d57-8932-CB799240F163}.exe
    C:\Windows\{0FC314F1-7767-4d57-8932-CB799240F163}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2672
  - - C:\Windows\{3A2BD2A2-3289-4dd7-85F5-7BD038017592}.exe
      C:\Windows\{3A2BD2A2-3289-4dd7-85F5-7BD038017592}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2832
    - - C:\Windows\{E2D8FE26-97EA-4ef4-8BFB-B2D84DBC9823}.exe
        
        C:\Windows\{E2D8FE26-97EA-4ef4-8BFB-B2D84DBC9823}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2520
      - C:\Windows\{31F28615-8A1F-4fa1-B70E-EE63EEC2E2CC}.exe
        
        C:\Windows\{31F28615-8A1F-4fa1-B70E-EE63EEC2E2CC}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2648
        
        C:\Windows\{842715F7-6E9F-4763-81EE-C4FBD8BC3434}.exe
        
        C:\Windows\{842715F7-6E9F-4763-81EE-C4FBD8BC3434}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2796
        
        C:\Windows\{3C24BBCC-B047-452d-8721-D7C995AB976F}.exe
        
        C:\Windows\{3C24BBCC-B047-452d-8721-D7C995AB976F}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2856
        
        C:\Windows\{B14CF0D9-A2C1-4b8e-BA9E-7A482F5918BB}.exe
        
        C:\Windows\{B14CF0D9-A2C1-4b8e-BA9E-7A482F5918BB}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:808
        
        C:\Windows\{D7D740F8-9D6A-4806-8A31-F1FED7EA0CC2}.exe
        
        C:\Windows\{D7D740F8-9D6A-4806-8A31-F1FED7EA0CC2}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2416
        
        C:\Windows\{B0B428A3-F065-496b-BB3C-04B5CCB0F163}.exe
        
        C:\Windows\{B0B428A3-F065-496b-BB3C-04B5CCB0F163}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:608
        
        C:\Windows\{AC3478CC-B7FD-4c62-B4C1-D49DF3DD880E}.exe
        
        C:\Windows\{AC3478CC-B7FD-4c62-B4C1-D49DF3DD880E}.exe
        12⤵
        Executes dropped EXE
        
        PID:3008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B0B42~1.EXE > nul
        12⤵
        
        PID:920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D7D74~1.EXE > nul
        11⤵
        
        PID:784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B14CF~1.EXE > nul
        10⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3C24B~1.EXE > nul
        9⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{84271~1.EXE > nul
        8⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{31F28~1.EXE > nul
        7⤵
        
        PID:1188
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E2D8F~1.EXE > nul
        6⤵
        
        PID:2732
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3A2BD~1.EXE > nul
        5⤵
        
        PID:2264
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{0FC31~1.EXE > nul
      4⤵
      PID:1928
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{1DF5E~1.EXE > nul
    3⤵
    PID:2756
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0FC314F1-7767-4d57-8932-CB799240F163}.exe

Filesize
372KB

MD5
e29d3704314ad14ee737ff1bf1179c8c

SHA1
cd0cf1c9e978839dafd86ecd87007df85802fabe

SHA256
030c4c7bdebd356f8d4b32f244799068422394342ed27bfd22e7d41af0bf6024

SHA512
33dd71f87e42c824a950631455f58df4ac91b590d39cab8e7d2862852e64693ecd0b5e9881c788fa7aee67536cb745d65598ec25dddbff56b00ea8e0f83da2e7

Download Submit
C:\Windows\{1DF5EDD2-B666-48a1-8362-B4FCAEFF58A3}.exe

Filesize
372KB

MD5
7c8fe3eec42b78c585ae9e12618147e2

SHA1
c13272bb6474ae527b9a4c5f51984dc3cc0f2809

SHA256
064774ae4cb1b6d82e6713a4a0fba599065a4920b4539156e1095e747e8b80e2

SHA512
7cd2892d6917847c89c49e2ddf6df481e886855485864c81de3983f907c06e4f12582f54d477e26b4f708b381341f9ccf306fa029dad0bb1af1542eef8a955d2

Download Submit
C:\Windows\{31F28615-8A1F-4fa1-B70E-EE63EEC2E2CC}.exe

Filesize
372KB

MD5
db325b0ef9881c2808b9c278cf324ce9

SHA1
4b619bc85cbceba2b0106c72d4a0cb9244b08054

SHA256
ed20925e96b58ed734946dd69536be627815967f5e07f9e879aac4b846503678

SHA512
060e3e8b67d157b3494224da1794a8ba95dc50b0d69f9a14af3dfe994d91e4376bcb140b2a743184a5a0915b1bff1aba1bc568367c4487d18222e680897d48e0

Download Submit
C:\Windows\{3A2BD2A2-3289-4dd7-85F5-7BD038017592}.exe

Filesize
372KB

MD5
aa66d3132921c3cea96bef65fbfa1a65

SHA1
ce6bfe0d03e636841a3a773c07ab6d00b6c79cac

SHA256
b04f6daba55c241eb3b55be104fc6da309355ce7d394b2627dc7e81e2799be32

SHA512
d1d6821e05061de96b3f7b2960268a3e8b4098aff29b10c3d0b5cdcf2d41d9bd3fdd2df07c756fe32af0493211a3df8627587b1de922deb838841fca26cef2d5

Download Submit
C:\Windows\{3C24BBCC-B047-452d-8721-D7C995AB976F}.exe

Filesize
372KB

MD5
fe1e165ecce5c57c2ad899d3a0758a0f

SHA1
30cafae3a60a727116cc3479d1efd12c74d71aba

SHA256
3754d09236cb203bf644b91c6b8c80f373d0f18a67cba12ff5c4ada9e1936eb7

SHA512
69d3b83a17a8ca22183d032d3d1ee02c14045b641043cad2b3e80260c503595f6cea42b0acbcfce850f05ad1ae1b442af8b50641575394aa33c37a5a9448b954

Download Submit
C:\Windows\{842715F7-6E9F-4763-81EE-C4FBD8BC3434}.exe

Filesize
372KB

MD5
2e9b07d93f8f323f128003004c9d78e1

SHA1
e744a146ce9d7f3fe55333f2312988507877ac78

SHA256
b0910def67fbed701db1f5ff4dfd1904f7fec18427d44c56a69da2eab4370d5b

SHA512
2ccc8350b3e9a79cd2a7c4b43fd4584dd06db7e2fd44da8269bc2ee8477309f804cc305d4e329c54b91c77cd6213a40d9abe1a78fcbdd7b5b6313cf6582fd150

Download Submit
C:\Windows\{AC3478CC-B7FD-4c62-B4C1-D49DF3DD880E}.exe

Filesize
372KB

MD5
bdfd1f8e9ad29d87d4ac877b1f80c506

SHA1
2c1e9da0a4258b0405a80e7772f6d987bfe79064

SHA256
2555eaaaf390f49021aafa8850b3878e6f74f4abb5e8da2efdb5dfc1b48306d9

SHA512
0c7b469a75a97f956d339ea46a96e68efa35ba7b00360a6f3afd38329e44efb995bf46327f4d613089dc310ed80f0ac869b685acc0521a85e9360702e52390aa

Download Submit
C:\Windows\{B0B428A3-F065-496b-BB3C-04B5CCB0F163}.exe

Filesize
372KB

MD5
6ad2d2f9acbf41fae7148ef26443b22b

SHA1
451bc8ca9de474f1789723e450a91c73d0be42ff

SHA256
9064ad48c8395b022f3541e82a9d42867cf94e478ba211fd5516cd5d08266aef

SHA512
7e4d7a2c487c64befe747054cdfc9fa7a2d43e958c7680ca01ffacc8def96f96eb35f96a0b9685febc72f6ab908a6f9244abcce5f5e2bb921bbd6e15e11ccb1f

Download Submit
C:\Windows\{B14CF0D9-A2C1-4b8e-BA9E-7A482F5918BB}.exe

Filesize
372KB

MD5
2b3f9e630f238014fdebfa536ef98d03

SHA1
66a82833eab8da62a7e18a2cd4de0b46e9f85666

SHA256
79872fd97d775c323950f3b4fcdabdc8018af87ac00681b049fc91eca560a299

SHA512
c62ce851a526b63d8374582bf6a29006c86845da1ca2bb9f80f90a12d6d35bfe082b7c788b7081d22dcedf4d0e02b640bf15b72d0c8566ba83c119be5166f6a0

Download Submit
C:\Windows\{D7D740F8-9D6A-4806-8A31-F1FED7EA0CC2}.exe

Filesize
372KB

MD5
5985446b37319a11ee1c2b5459019860

SHA1
70fe554650715e50398a687ad6587ad89b21508f

SHA256
584d9762e0edd7c83e4ac7dca16f6c7c4a73220a5d2a5bc7fc24ad0139f86d0e

SHA512
3c798e28c25c4f25cc1667c2b93ec710189f84f4f541fd79cbb458a994209d1ca2dcd0ca0cba82ebb7b1ca5916a649eac19ecb29b3d856a370ea0f9551e7bf57

Download Submit
C:\Windows\{E2D8FE26-97EA-4ef4-8BFB-B2D84DBC9823}.exe

Filesize
372KB

MD5
94d6c264228abc01c6836f0906ce0e64

SHA1
458e549312d33355ec7e0c01aa9bf4b6232c08ac

SHA256
a286a5f9fdb917166a0adea10943fbcb162089832cbbf1ee1b948256aa35b048

SHA512
1b82572db9779febe7c95079a0784833b5295d7826fa978452ac571e09ec6bf6ea608dc09a90fc9e7d6db713349b0ddf7e7b30c3c7e95192a47ab44e185fd12f

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads