bac9666b064c4036d52c171e738c0ee5f15d0d6a51bce16afd94af5a262ca3e7

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
27/04/2024, 03:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-27_ad336ad6d2574145e379ba9bf0671535_goldeneye.exe
Size

168KB
MD5

ad336ad6d2574145e379ba9bf0671535
SHA1

267410f225576b98a015266c8eef7dec314fd00f
SHA256

bac9666b064c4036d52c171e738c0ee5f15d0d6a51bce16afd94af5a262ca3e7
SHA512

20fe5c36de9c3830f434a1921abdcd8b1f3da853bb6459a4e4c5a8d5e8f390e8de4bbecabba07fa033c0014f9f0d4b7d227af43c991f3e94554a86bf4789c8f8
SSDEEP

1536:1EGh0oQlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oQlqOPOe2MUVg3Ve+rX

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000c00000001470b-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0032000000014e5a-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d00000001470b-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0032000000015023-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e00000001470b-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f00000001470b-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001000000001470b-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AD0EC947-7160-4ca1-9A50-CD0EBBCA0166}\stubpath = "C:\\Windows\\{AD0EC947-7160-4ca1-9A50-CD0EBBCA0166}.exe"	{BF08A81A-DC61-4a58-B19B-029AD402C68A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3F967439-4D6E-4e7b-8B40-9387F1BF9172}\stubpath = "C:\\Windows\\{3F967439-4D6E-4e7b-8B40-9387F1BF9172}.exe"	{90B25105-C84B-40bc-BFD0-FAFE0630409D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E9C83960-B4A2-4f99-A2F7-597AA6AF09EC}\stubpath = "C:\\Windows\\{E9C83960-B4A2-4f99-A2F7-597AA6AF09EC}.exe"	{0F715EF1-D766-4ce2-B02F-EFF06C4103C3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E9E693DF-4CC3-40a6-938F-E3FF4F293958}\stubpath = "C:\\Windows\\{E9E693DF-4CC3-40a6-938F-E3FF4F293958}.exe"	{AD0EC947-7160-4ca1-9A50-CD0EBBCA0166}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{90B25105-C84B-40bc-BFD0-FAFE0630409D}\stubpath = "C:\\Windows\\{90B25105-C84B-40bc-BFD0-FAFE0630409D}.exe"	{E9E693DF-4CC3-40a6-938F-E3FF4F293958}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0F715EF1-D766-4ce2-B02F-EFF06C4103C3}	{82272D03-F34D-46f4-9B49-4ED29AF3F20F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0F715EF1-D766-4ce2-B02F-EFF06C4103C3}\stubpath = "C:\\Windows\\{0F715EF1-D766-4ce2-B02F-EFF06C4103C3}.exe"	{82272D03-F34D-46f4-9B49-4ED29AF3F20F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A75D27B4-37B2-4356-A162-BFEE8A97E589}	2024-04-27_ad336ad6d2574145e379ba9bf0671535_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{90B25105-C84B-40bc-BFD0-FAFE0630409D}	{E9E693DF-4CC3-40a6-938F-E3FF4F293958}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CABA8260-15BA-42a7-B530-9CA9BEF6234E}	{3F967439-4D6E-4e7b-8B40-9387F1BF9172}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{82272D03-F34D-46f4-9B49-4ED29AF3F20F}	{CABA8260-15BA-42a7-B530-9CA9BEF6234E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{82272D03-F34D-46f4-9B49-4ED29AF3F20F}\stubpath = "C:\\Windows\\{82272D03-F34D-46f4-9B49-4ED29AF3F20F}.exe"	{CABA8260-15BA-42a7-B530-9CA9BEF6234E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EF4621A4-A8F5-406f-8BD0-84FF20E9F207}\stubpath = "C:\\Windows\\{EF4621A4-A8F5-406f-8BD0-84FF20E9F207}.exe"	{E9C83960-B4A2-4f99-A2F7-597AA6AF09EC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E9C83960-B4A2-4f99-A2F7-597AA6AF09EC}	{0F715EF1-D766-4ce2-B02F-EFF06C4103C3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A75D27B4-37B2-4356-A162-BFEE8A97E589}\stubpath = "C:\\Windows\\{A75D27B4-37B2-4356-A162-BFEE8A97E589}.exe"	2024-04-27_ad336ad6d2574145e379ba9bf0671535_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BF08A81A-DC61-4a58-B19B-029AD402C68A}	{A75D27B4-37B2-4356-A162-BFEE8A97E589}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BF08A81A-DC61-4a58-B19B-029AD402C68A}\stubpath = "C:\\Windows\\{BF08A81A-DC61-4a58-B19B-029AD402C68A}.exe"	{A75D27B4-37B2-4356-A162-BFEE8A97E589}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AD0EC947-7160-4ca1-9A50-CD0EBBCA0166}	{BF08A81A-DC61-4a58-B19B-029AD402C68A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E9E693DF-4CC3-40a6-938F-E3FF4F293958}	{AD0EC947-7160-4ca1-9A50-CD0EBBCA0166}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3F967439-4D6E-4e7b-8B40-9387F1BF9172}	{90B25105-C84B-40bc-BFD0-FAFE0630409D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CABA8260-15BA-42a7-B530-9CA9BEF6234E}\stubpath = "C:\\Windows\\{CABA8260-15BA-42a7-B530-9CA9BEF6234E}.exe"	{3F967439-4D6E-4e7b-8B40-9387F1BF9172}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EF4621A4-A8F5-406f-8BD0-84FF20E9F207}	{E9C83960-B4A2-4f99-A2F7-597AA6AF09EC}.exe

Deletes itself 1 IoCs

pid	Process
2532	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2128	{A75D27B4-37B2-4356-A162-BFEE8A97E589}.exe
2704	{BF08A81A-DC61-4a58-B19B-029AD402C68A}.exe
2680	{AD0EC947-7160-4ca1-9A50-CD0EBBCA0166}.exe
1888	{E9E693DF-4CC3-40a6-938F-E3FF4F293958}.exe
2856	{90B25105-C84B-40bc-BFD0-FAFE0630409D}.exe
280	{3F967439-4D6E-4e7b-8B40-9387F1BF9172}.exe
1516	{CABA8260-15BA-42a7-B530-9CA9BEF6234E}.exe
1556	{82272D03-F34D-46f4-9B49-4ED29AF3F20F}.exe
2236	{0F715EF1-D766-4ce2-B02F-EFF06C4103C3}.exe
2024	{E9C83960-B4A2-4f99-A2F7-597AA6AF09EC}.exe
2796	{EF4621A4-A8F5-406f-8BD0-84FF20E9F207}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{82272D03-F34D-46f4-9B49-4ED29AF3F20F}.exe	{CABA8260-15BA-42a7-B530-9CA9BEF6234E}.exe
File created	C:\Windows\{E9C83960-B4A2-4f99-A2F7-597AA6AF09EC}.exe	{0F715EF1-D766-4ce2-B02F-EFF06C4103C3}.exe
File created	C:\Windows\{EF4621A4-A8F5-406f-8BD0-84FF20E9F207}.exe	{E9C83960-B4A2-4f99-A2F7-597AA6AF09EC}.exe
File created	C:\Windows\{A75D27B4-37B2-4356-A162-BFEE8A97E589}.exe	2024-04-27_ad336ad6d2574145e379ba9bf0671535_goldeneye.exe
File created	C:\Windows\{AD0EC947-7160-4ca1-9A50-CD0EBBCA0166}.exe	{BF08A81A-DC61-4a58-B19B-029AD402C68A}.exe
File created	C:\Windows\{E9E693DF-4CC3-40a6-938F-E3FF4F293958}.exe	{AD0EC947-7160-4ca1-9A50-CD0EBBCA0166}.exe
File created	C:\Windows\{3F967439-4D6E-4e7b-8B40-9387F1BF9172}.exe	{90B25105-C84B-40bc-BFD0-FAFE0630409D}.exe
File created	C:\Windows\{BF08A81A-DC61-4a58-B19B-029AD402C68A}.exe	{A75D27B4-37B2-4356-A162-BFEE8A97E589}.exe
File created	C:\Windows\{90B25105-C84B-40bc-BFD0-FAFE0630409D}.exe	{E9E693DF-4CC3-40a6-938F-E3FF4F293958}.exe
File created	C:\Windows\{CABA8260-15BA-42a7-B530-9CA9BEF6234E}.exe	{3F967439-4D6E-4e7b-8B40-9387F1BF9172}.exe
File created	C:\Windows\{0F715EF1-D766-4ce2-B02F-EFF06C4103C3}.exe	{82272D03-F34D-46f4-9B49-4ED29AF3F20F}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2952	2024-04-27_ad336ad6d2574145e379ba9bf0671535_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2128	{A75D27B4-37B2-4356-A162-BFEE8A97E589}.exe
Token: SeIncBasePriorityPrivilege	2704	{BF08A81A-DC61-4a58-B19B-029AD402C68A}.exe
Token: SeIncBasePriorityPrivilege	2680	{AD0EC947-7160-4ca1-9A50-CD0EBBCA0166}.exe
Token: SeIncBasePriorityPrivilege	1888	{E9E693DF-4CC3-40a6-938F-E3FF4F293958}.exe
Token: SeIncBasePriorityPrivilege	2856	{90B25105-C84B-40bc-BFD0-FAFE0630409D}.exe
Token: SeIncBasePriorityPrivilege	280	{3F967439-4D6E-4e7b-8B40-9387F1BF9172}.exe
Token: SeIncBasePriorityPrivilege	1516	{CABA8260-15BA-42a7-B530-9CA9BEF6234E}.exe
Token: SeIncBasePriorityPrivilege	1556	{82272D03-F34D-46f4-9B49-4ED29AF3F20F}.exe
Token: SeIncBasePriorityPrivilege	2236	{0F715EF1-D766-4ce2-B02F-EFF06C4103C3}.exe
Token: SeIncBasePriorityPrivilege	2024	{E9C83960-B4A2-4f99-A2F7-597AA6AF09EC}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2952 wrote to memory of 2128	2952	2024-04-27_ad336ad6d2574145e379ba9bf0671535_goldeneye.exe	28
PID 2952 wrote to memory of 2128	2952	2024-04-27_ad336ad6d2574145e379ba9bf0671535_goldeneye.exe	28
PID 2952 wrote to memory of 2128	2952	2024-04-27_ad336ad6d2574145e379ba9bf0671535_goldeneye.exe	28
PID 2952 wrote to memory of 2128	2952	2024-04-27_ad336ad6d2574145e379ba9bf0671535_goldeneye.exe	28
PID 2952 wrote to memory of 2532	2952	2024-04-27_ad336ad6d2574145e379ba9bf0671535_goldeneye.exe	29
PID 2952 wrote to memory of 2532	2952	2024-04-27_ad336ad6d2574145e379ba9bf0671535_goldeneye.exe	29
PID 2952 wrote to memory of 2532	2952	2024-04-27_ad336ad6d2574145e379ba9bf0671535_goldeneye.exe	29
PID 2952 wrote to memory of 2532	2952	2024-04-27_ad336ad6d2574145e379ba9bf0671535_goldeneye.exe	29
PID 2128 wrote to memory of 2704	2128	{A75D27B4-37B2-4356-A162-BFEE8A97E589}.exe	30
PID 2128 wrote to memory of 2704	2128	{A75D27B4-37B2-4356-A162-BFEE8A97E589}.exe	30
PID 2128 wrote to memory of 2704	2128	{A75D27B4-37B2-4356-A162-BFEE8A97E589}.exe	30
PID 2128 wrote to memory of 2704	2128	{A75D27B4-37B2-4356-A162-BFEE8A97E589}.exe	30
PID 2128 wrote to memory of 2604	2128	{A75D27B4-37B2-4356-A162-BFEE8A97E589}.exe	31
PID 2128 wrote to memory of 2604	2128	{A75D27B4-37B2-4356-A162-BFEE8A97E589}.exe	31
PID 2128 wrote to memory of 2604	2128	{A75D27B4-37B2-4356-A162-BFEE8A97E589}.exe	31
PID 2128 wrote to memory of 2604	2128	{A75D27B4-37B2-4356-A162-BFEE8A97E589}.exe	31
PID 2704 wrote to memory of 2680	2704	{BF08A81A-DC61-4a58-B19B-029AD402C68A}.exe	32
PID 2704 wrote to memory of 2680	2704	{BF08A81A-DC61-4a58-B19B-029AD402C68A}.exe	32
PID 2704 wrote to memory of 2680	2704	{BF08A81A-DC61-4a58-B19B-029AD402C68A}.exe	32
PID 2704 wrote to memory of 2680	2704	{BF08A81A-DC61-4a58-B19B-029AD402C68A}.exe	32
PID 2704 wrote to memory of 2556	2704	{BF08A81A-DC61-4a58-B19B-029AD402C68A}.exe	33
PID 2704 wrote to memory of 2556	2704	{BF08A81A-DC61-4a58-B19B-029AD402C68A}.exe	33
PID 2704 wrote to memory of 2556	2704	{BF08A81A-DC61-4a58-B19B-029AD402C68A}.exe	33
PID 2704 wrote to memory of 2556	2704	{BF08A81A-DC61-4a58-B19B-029AD402C68A}.exe	33
PID 2680 wrote to memory of 1888	2680	{AD0EC947-7160-4ca1-9A50-CD0EBBCA0166}.exe	36
PID 2680 wrote to memory of 1888	2680	{AD0EC947-7160-4ca1-9A50-CD0EBBCA0166}.exe	36
PID 2680 wrote to memory of 1888	2680	{AD0EC947-7160-4ca1-9A50-CD0EBBCA0166}.exe	36
PID 2680 wrote to memory of 1888	2680	{AD0EC947-7160-4ca1-9A50-CD0EBBCA0166}.exe	36
PID 2680 wrote to memory of 2636	2680	{AD0EC947-7160-4ca1-9A50-CD0EBBCA0166}.exe	37
PID 2680 wrote to memory of 2636	2680	{AD0EC947-7160-4ca1-9A50-CD0EBBCA0166}.exe	37
PID 2680 wrote to memory of 2636	2680	{AD0EC947-7160-4ca1-9A50-CD0EBBCA0166}.exe	37
PID 2680 wrote to memory of 2636	2680	{AD0EC947-7160-4ca1-9A50-CD0EBBCA0166}.exe	37
PID 1888 wrote to memory of 2856	1888	{E9E693DF-4CC3-40a6-938F-E3FF4F293958}.exe	38
PID 1888 wrote to memory of 2856	1888	{E9E693DF-4CC3-40a6-938F-E3FF4F293958}.exe	38
PID 1888 wrote to memory of 2856	1888	{E9E693DF-4CC3-40a6-938F-E3FF4F293958}.exe	38
PID 1888 wrote to memory of 2856	1888	{E9E693DF-4CC3-40a6-938F-E3FF4F293958}.exe	38
PID 1888 wrote to memory of 1716	1888	{E9E693DF-4CC3-40a6-938F-E3FF4F293958}.exe	39
PID 1888 wrote to memory of 1716	1888	{E9E693DF-4CC3-40a6-938F-E3FF4F293958}.exe	39
PID 1888 wrote to memory of 1716	1888	{E9E693DF-4CC3-40a6-938F-E3FF4F293958}.exe	39
PID 1888 wrote to memory of 1716	1888	{E9E693DF-4CC3-40a6-938F-E3FF4F293958}.exe	39
PID 2856 wrote to memory of 280	2856	{90B25105-C84B-40bc-BFD0-FAFE0630409D}.exe	40
PID 2856 wrote to memory of 280	2856	{90B25105-C84B-40bc-BFD0-FAFE0630409D}.exe	40
PID 2856 wrote to memory of 280	2856	{90B25105-C84B-40bc-BFD0-FAFE0630409D}.exe	40
PID 2856 wrote to memory of 280	2856	{90B25105-C84B-40bc-BFD0-FAFE0630409D}.exe	40
PID 2856 wrote to memory of 708	2856	{90B25105-C84B-40bc-BFD0-FAFE0630409D}.exe	41
PID 2856 wrote to memory of 708	2856	{90B25105-C84B-40bc-BFD0-FAFE0630409D}.exe	41
PID 2856 wrote to memory of 708	2856	{90B25105-C84B-40bc-BFD0-FAFE0630409D}.exe	41
PID 2856 wrote to memory of 708	2856	{90B25105-C84B-40bc-BFD0-FAFE0630409D}.exe	41
PID 280 wrote to memory of 1516	280	{3F967439-4D6E-4e7b-8B40-9387F1BF9172}.exe	42
PID 280 wrote to memory of 1516	280	{3F967439-4D6E-4e7b-8B40-9387F1BF9172}.exe	42
PID 280 wrote to memory of 1516	280	{3F967439-4D6E-4e7b-8B40-9387F1BF9172}.exe	42
PID 280 wrote to memory of 1516	280	{3F967439-4D6E-4e7b-8B40-9387F1BF9172}.exe	42
PID 280 wrote to memory of 2904	280	{3F967439-4D6E-4e7b-8B40-9387F1BF9172}.exe	43
PID 280 wrote to memory of 2904	280	{3F967439-4D6E-4e7b-8B40-9387F1BF9172}.exe	43
PID 280 wrote to memory of 2904	280	{3F967439-4D6E-4e7b-8B40-9387F1BF9172}.exe	43
PID 280 wrote to memory of 2904	280	{3F967439-4D6E-4e7b-8B40-9387F1BF9172}.exe	43
PID 1516 wrote to memory of 1556	1516	{CABA8260-15BA-42a7-B530-9CA9BEF6234E}.exe	44
PID 1516 wrote to memory of 1556	1516	{CABA8260-15BA-42a7-B530-9CA9BEF6234E}.exe	44
PID 1516 wrote to memory of 1556	1516	{CABA8260-15BA-42a7-B530-9CA9BEF6234E}.exe	44
PID 1516 wrote to memory of 1556	1516	{CABA8260-15BA-42a7-B530-9CA9BEF6234E}.exe	44
PID 1516 wrote to memory of 1464	1516	{CABA8260-15BA-42a7-B530-9CA9BEF6234E}.exe	45
PID 1516 wrote to memory of 1464	1516	{CABA8260-15BA-42a7-B530-9CA9BEF6234E}.exe	45
PID 1516 wrote to memory of 1464	1516	{CABA8260-15BA-42a7-B530-9CA9BEF6234E}.exe	45
PID 1516 wrote to memory of 1464	1516	{CABA8260-15BA-42a7-B530-9CA9BEF6234E}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-04-27_ad336ad6d2574145e379ba9bf0671535_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-27_ad336ad6d2574145e379ba9bf0671535_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2952
- C:\Windows\{A75D27B4-37B2-4356-A162-BFEE8A97E589}.exe
  C:\Windows\{A75D27B4-37B2-4356-A162-BFEE8A97E589}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2128
- - C:\Windows\{BF08A81A-DC61-4a58-B19B-029AD402C68A}.exe
    C:\Windows\{BF08A81A-DC61-4a58-B19B-029AD402C68A}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2704
  - - C:\Windows\{AD0EC947-7160-4ca1-9A50-CD0EBBCA0166}.exe
      C:\Windows\{AD0EC947-7160-4ca1-9A50-CD0EBBCA0166}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2680
    - - C:\Windows\{E9E693DF-4CC3-40a6-938F-E3FF4F293958}.exe
        
        C:\Windows\{E9E693DF-4CC3-40a6-938F-E3FF4F293958}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1888
      - C:\Windows\{90B25105-C84B-40bc-BFD0-FAFE0630409D}.exe
        
        C:\Windows\{90B25105-C84B-40bc-BFD0-FAFE0630409D}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2856
        
        C:\Windows\{3F967439-4D6E-4e7b-8B40-9387F1BF9172}.exe
        
        C:\Windows\{3F967439-4D6E-4e7b-8B40-9387F1BF9172}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:280
        
        C:\Windows\{CABA8260-15BA-42a7-B530-9CA9BEF6234E}.exe
        
        C:\Windows\{CABA8260-15BA-42a7-B530-9CA9BEF6234E}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1516
        
        C:\Windows\{82272D03-F34D-46f4-9B49-4ED29AF3F20F}.exe
        
        C:\Windows\{82272D03-F34D-46f4-9B49-4ED29AF3F20F}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1556
        
        C:\Windows\{0F715EF1-D766-4ce2-B02F-EFF06C4103C3}.exe
        
        C:\Windows\{0F715EF1-D766-4ce2-B02F-EFF06C4103C3}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2236
        
        C:\Windows\{E9C83960-B4A2-4f99-A2F7-597AA6AF09EC}.exe
        
        C:\Windows\{E9C83960-B4A2-4f99-A2F7-597AA6AF09EC}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2024
        
        C:\Windows\{EF4621A4-A8F5-406f-8BD0-84FF20E9F207}.exe
        
        C:\Windows\{EF4621A4-A8F5-406f-8BD0-84FF20E9F207}.exe
        12⤵
        Executes dropped EXE
        
        PID:2796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E9C83~1.EXE > nul
        12⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0F715~1.EXE > nul
        11⤵
        
        PID:384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{82272~1.EXE > nul
        10⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CABA8~1.EXE > nul
        9⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3F967~1.EXE > nul
        8⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{90B25~1.EXE > nul
        7⤵
        
        PID:708
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E9E69~1.EXE > nul
        6⤵
        
        PID:1716
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AD0EC~1.EXE > nul
        5⤵
        
        PID:2636
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{BF08A~1.EXE > nul
      4⤵
      PID:2556
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{A75D2~1.EXE > nul
    3⤵
    PID:2604
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0F715EF1-D766-4ce2-B02F-EFF06C4103C3}.exe

Filesize
168KB

MD5
14ff76e8ade625e09a2c3a69d1159ef7

SHA1
b2b5f2611cb1c80480b518e923ec8bee800329b0

SHA256
d7a9c4f1f0904627aa80ec279222f8b6a6a3df6d8aaa8300e2ed96e37d53faec

SHA512
d0d6efa3a15c28d4db6b836dfd65117db3b8192a3267295b257b2b7a753b9ef829656536627fcaa1a4db724024891a2232366259b89a072bfcbe058f67618252

Download Submit
C:\Windows\{3F967439-4D6E-4e7b-8B40-9387F1BF9172}.exe

Filesize
168KB

MD5
9370e094f75627ad357ac07fd88e5d85

SHA1
c278529d79d238d461bd16f2b59fffb8e51e58f5

SHA256
45d776b6d7528cc63fcb231bfd758fa9ab87add0887bbcf8a66b3e5825128a22

SHA512
39e95527eea68c7c2c52dbabfa184db18b538b6436c486a5dadfd8dd6eb4d92a55dfe43e009edbfcb939cb244eb058efcf89574ec88ba7ce639d25a168844928

Download Submit
C:\Windows\{82272D03-F34D-46f4-9B49-4ED29AF3F20F}.exe

Filesize
168KB

MD5
c1fcb7b43b1e86ba88879dc05cc9132f

SHA1
0542ac528b6fa2b7ed0b80b4286600789186a2f4

SHA256
963e6d9c0ace2c5972e136c2adc0f144fcd9b8fff80a22536ecc409167fbf0ae

SHA512
1573d65fa8119112e3c8171f90d031b81779ac45ada5ddca7a08145a5199e2e749856894532184be47d53c39db8088217da555bf47d8a2da8a4b4ccce5601599

Download Submit
C:\Windows\{90B25105-C84B-40bc-BFD0-FAFE0630409D}.exe

Filesize
168KB

MD5
169a637007fbc57b68dc19c8bf2c35d7

SHA1
9f5a4c5085d518b98a64a1ffba3dc1447a0e2e97

SHA256
2cafa261bdfe05b11e0b7644f36cd1585014b3177e5be138c0635e9e8778fb3c

SHA512
0142e636e041ccff817f07fbaac7a2a1bc36e54a24aed4eaa7838c149e68fc788f8502d959466579cc6440ec4a311cb3cd679077dc899190002a905e069644ac

Download Submit
C:\Windows\{A75D27B4-37B2-4356-A162-BFEE8A97E589}.exe

Filesize
168KB

MD5
51ce15fcbb375e97a01f37c7c4e15438

SHA1
1921cbe60733eafad03e61b7dfa71974167fcbe1

SHA256
aa8535be3834bdc67cb9bf2736d018baec4f506c524da06130fa8f61aea5211a

SHA512
226c0b904cb30378a260adaa488f5d9247908a7f127212177fb60896f206edebac25f3d978d1dbbfd4444300cff482b960931d91d5af4158dccd9daeffa74b9e

Download Submit
C:\Windows\{AD0EC947-7160-4ca1-9A50-CD0EBBCA0166}.exe

Filesize
168KB

MD5
b639595c42c31b891dc27badae6a8594

SHA1
141b6f41f9456960d29fcbbebceb506277188bc8

SHA256
8791fef5a873305586c1eef9bba039a21133ddb23203f54fd809fc3c3918c8c5

SHA512
6d278477e4fea5f5714e4f1210574e8c50b630fe40d4cd974f7257d2b09ac5f07d4da95cc7ade0e2740f6f77c5b6105ffc75fbe906052ed4416ab546b9c10601

Download Submit
C:\Windows\{BF08A81A-DC61-4a58-B19B-029AD402C68A}.exe

Filesize
168KB

MD5
4e389000241a0b2a16ef2807a2f5667d

SHA1
9f4ac2f603877eac88e0e007f3f4da48919911fd

SHA256
bb1047623bdc9f1daa9ef390b1e61a54e08aac7ec5dd247c7c3dd3b1c8571ae2

SHA512
915de0e8765115acf462d4610c8b5d27fd2f99e6d4c901b5fb981f5a041aba9ecdb088999d809ad7ba15df9c32c8a14e58269e029ce80f6bbf7aebff63db2b79

Download Submit
C:\Windows\{CABA8260-15BA-42a7-B530-9CA9BEF6234E}.exe

Filesize
168KB

MD5
fe880be6b8920170ffb184805021f74d

SHA1
4629df73a8254d8a885e52112fdda75df65015f3

SHA256
f0e0521a39c22a5c895ad8276cd352836f14901f0f8496eea000a0163946a352

SHA512
c02e76c1451db1205d0ae4e99a58ba8ee9c99e5322b597ca1494e7ec4b6cf793b44cb29b7aa2cabd79f61527fcddb32e1c0eb7012de27647361ebcb4369db70c

Download Submit
C:\Windows\{E9C83960-B4A2-4f99-A2F7-597AA6AF09EC}.exe

Filesize
168KB

MD5
03f4af9d069f4102fde823752a720e1c

SHA1
fa7357853ab486b6212bddc67da7708c5c7bd0d6

SHA256
230c57028a0f333734e13d26814a49329ba5ad6ac33acadc74b867e6719baa97

SHA512
55ec579cc2f5dac20980df31f79cc9c4afe722e55f224710255756e9d95e9fed1e63ac50acbb4dece312aa106c2d749213a6dd86554f9a9634e4bc7d55221b74

Download Submit
C:\Windows\{E9E693DF-4CC3-40a6-938F-E3FF4F293958}.exe

Filesize
168KB

MD5
3e0ab906281ea03df2f43b613563fce9

SHA1
93c97f9b93593c09779cc44c3b050dae14918559

SHA256
b1ec0b5cb22903a5992ea1e8a803c33586866bfbad881e0b63e590db78bb293f

SHA512
873c2c4c84ac534d9c87f40043329682bf10c4bd14c470ca759c057b2f1fcb668daf7152178f45206efb4d8d2c3d9e6d048f0944c56a1e202993de964036cc36

Download Submit
C:\Windows\{EF4621A4-A8F5-406f-8BD0-84FF20E9F207}.exe

Filesize
168KB

MD5
893d5083cb31056d7df585f3f52084ee

SHA1
fe7087ce830f57c1a6e128c83db76fdcf6cadaaf

SHA256
530bd46bf1f09604dfc9e0d17e9aa5613ca3197c7307051f0e3fa83e96723e01

SHA512
71fd89379feca0327867f920de862d6e48d3360849e8cf9df6ab57fe06fc7eed17096d28f448c2a392b41e27d851c6d4e69d92cfe5e47cf15add6f3253101da6

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads