e7f44ca2e2b667c4028c7b783dbbe402b768051eab6396318f057cfd7d6f0360

Analysis

max time kernel
144s
max time network
120s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
07/06/2024, 04:19

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-06-07_f3741bca08a664227f2437f039d7dd2c_goldeneye.exe
Size

180KB
MD5

f3741bca08a664227f2437f039d7dd2c
SHA1

5c5e4b7d12fd0eca38003009060469747874cc63
SHA256

e7f44ca2e2b667c4028c7b783dbbe402b768051eab6396318f057cfd7d6f0360
SHA512

6fb6741c34d2ce0bb26c2fff13d8877f7936fcfa752f7e6039373ff4c076658bb5a1358c5d9ffa603511832a3ebc4d921afaf4bb667613fee93f61146d11c95b
SSDEEP

3072:jEGh0orlfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEG9l5eKcAEc

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000c000000014f71-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x003500000001567f-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000014f71-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e000000014f71-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f000000014f71-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x003500000001568c-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000015be6-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x003600000001568c-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C2CBA760-C8FB-4348-837B-D116568ED2D7}\stubpath = "C:\\Windows\\{C2CBA760-C8FB-4348-837B-D116568ED2D7}.exe"	{AF079D74-E86D-45d6-857B-20D730082351}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{33CF3776-7F0E-400f-AF35-A2E94CCD41DA}\stubpath = "C:\\Windows\\{33CF3776-7F0E-400f-AF35-A2E94CCD41DA}.exe"	{069ACB54-7AD1-4cc7-9225-3373EE6447C9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{444E4D91-4A04-4a4e-ADFA-6A18DE7EB458}\stubpath = "C:\\Windows\\{444E4D91-4A04-4a4e-ADFA-6A18DE7EB458}.exe"	{1E10C772-DC86-421c-AAF5-D13BE5A16A43}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FF94BB12-CB25-4df2-92DB-4AE8A5F6A69C}	{444E4D91-4A04-4a4e-ADFA-6A18DE7EB458}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FF94BB12-CB25-4df2-92DB-4AE8A5F6A69C}\stubpath = "C:\\Windows\\{FF94BB12-CB25-4df2-92DB-4AE8A5F6A69C}.exe"	{444E4D91-4A04-4a4e-ADFA-6A18DE7EB458}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AF079D74-E86D-45d6-857B-20D730082351}	{FF94BB12-CB25-4df2-92DB-4AE8A5F6A69C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{33CF3776-7F0E-400f-AF35-A2E94CCD41DA}	{069ACB54-7AD1-4cc7-9225-3373EE6447C9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{47753917-BF15-4b43-A41D-28128EA731EC}\stubpath = "C:\\Windows\\{47753917-BF15-4b43-A41D-28128EA731EC}.exe"	{33CF3776-7F0E-400f-AF35-A2E94CCD41DA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1E10C772-DC86-421c-AAF5-D13BE5A16A43}\stubpath = "C:\\Windows\\{1E10C772-DC86-421c-AAF5-D13BE5A16A43}.exe"	{8E6AB1FD-2974-47a6-82EB-C7E73EB661E6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{444E4D91-4A04-4a4e-ADFA-6A18DE7EB458}	{1E10C772-DC86-421c-AAF5-D13BE5A16A43}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8E6AB1FD-2974-47a6-82EB-C7E73EB661E6}	{3F596A77-33D7-4111-8EF0-37AE1E4E2F8D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AF079D74-E86D-45d6-857B-20D730082351}\stubpath = "C:\\Windows\\{AF079D74-E86D-45d6-857B-20D730082351}.exe"	{FF94BB12-CB25-4df2-92DB-4AE8A5F6A69C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{069ACB54-7AD1-4cc7-9225-3373EE6447C9}	{C2CBA760-C8FB-4348-837B-D116568ED2D7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{47753917-BF15-4b43-A41D-28128EA731EC}	{33CF3776-7F0E-400f-AF35-A2E94CCD41DA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3F596A77-33D7-4111-8EF0-37AE1E4E2F8D}	2024-06-07_f3741bca08a664227f2437f039d7dd2c_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3F596A77-33D7-4111-8EF0-37AE1E4E2F8D}\stubpath = "C:\\Windows\\{3F596A77-33D7-4111-8EF0-37AE1E4E2F8D}.exe"	2024-06-07_f3741bca08a664227f2437f039d7dd2c_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C2CBA760-C8FB-4348-837B-D116568ED2D7}	{AF079D74-E86D-45d6-857B-20D730082351}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{069ACB54-7AD1-4cc7-9225-3373EE6447C9}\stubpath = "C:\\Windows\\{069ACB54-7AD1-4cc7-9225-3373EE6447C9}.exe"	{C2CBA760-C8FB-4348-837B-D116568ED2D7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3A851B03-B13E-4896-8E88-8FD638D0F976}	{47753917-BF15-4b43-A41D-28128EA731EC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3A851B03-B13E-4896-8E88-8FD638D0F976}\stubpath = "C:\\Windows\\{3A851B03-B13E-4896-8E88-8FD638D0F976}.exe"	{47753917-BF15-4b43-A41D-28128EA731EC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8E6AB1FD-2974-47a6-82EB-C7E73EB661E6}\stubpath = "C:\\Windows\\{8E6AB1FD-2974-47a6-82EB-C7E73EB661E6}.exe"	{3F596A77-33D7-4111-8EF0-37AE1E4E2F8D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1E10C772-DC86-421c-AAF5-D13BE5A16A43}	{8E6AB1FD-2974-47a6-82EB-C7E73EB661E6}.exe

Deletes itself 1 IoCs

pid	Process
1160	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
1816	{3F596A77-33D7-4111-8EF0-37AE1E4E2F8D}.exe
2640	{8E6AB1FD-2974-47a6-82EB-C7E73EB661E6}.exe
2748	{1E10C772-DC86-421c-AAF5-D13BE5A16A43}.exe
2148	{444E4D91-4A04-4a4e-ADFA-6A18DE7EB458}.exe
2720	{FF94BB12-CB25-4df2-92DB-4AE8A5F6A69C}.exe
2160	{AF079D74-E86D-45d6-857B-20D730082351}.exe
308	{C2CBA760-C8FB-4348-837B-D116568ED2D7}.exe
540	{069ACB54-7AD1-4cc7-9225-3373EE6447C9}.exe
2276	{33CF3776-7F0E-400f-AF35-A2E94CCD41DA}.exe
1404	{47753917-BF15-4b43-A41D-28128EA731EC}.exe
1624	{3A851B03-B13E-4896-8E88-8FD638D0F976}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{3F596A77-33D7-4111-8EF0-37AE1E4E2F8D}.exe	2024-06-07_f3741bca08a664227f2437f039d7dd2c_goldeneye.exe
File created	C:\Windows\{8E6AB1FD-2974-47a6-82EB-C7E73EB661E6}.exe	{3F596A77-33D7-4111-8EF0-37AE1E4E2F8D}.exe
File created	C:\Windows\{1E10C772-DC86-421c-AAF5-D13BE5A16A43}.exe	{8E6AB1FD-2974-47a6-82EB-C7E73EB661E6}.exe
File created	C:\Windows\{444E4D91-4A04-4a4e-ADFA-6A18DE7EB458}.exe	{1E10C772-DC86-421c-AAF5-D13BE5A16A43}.exe
File created	C:\Windows\{FF94BB12-CB25-4df2-92DB-4AE8A5F6A69C}.exe	{444E4D91-4A04-4a4e-ADFA-6A18DE7EB458}.exe
File created	C:\Windows\{AF079D74-E86D-45d6-857B-20D730082351}.exe	{FF94BB12-CB25-4df2-92DB-4AE8A5F6A69C}.exe
File created	C:\Windows\{C2CBA760-C8FB-4348-837B-D116568ED2D7}.exe	{AF079D74-E86D-45d6-857B-20D730082351}.exe
File created	C:\Windows\{3A851B03-B13E-4896-8E88-8FD638D0F976}.exe	{47753917-BF15-4b43-A41D-28128EA731EC}.exe
File created	C:\Windows\{069ACB54-7AD1-4cc7-9225-3373EE6447C9}.exe	{C2CBA760-C8FB-4348-837B-D116568ED2D7}.exe
File created	C:\Windows\{33CF3776-7F0E-400f-AF35-A2E94CCD41DA}.exe	{069ACB54-7AD1-4cc7-9225-3373EE6447C9}.exe
File created	C:\Windows\{47753917-BF15-4b43-A41D-28128EA731EC}.exe	{33CF3776-7F0E-400f-AF35-A2E94CCD41DA}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2756	2024-06-07_f3741bca08a664227f2437f039d7dd2c_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1816	{3F596A77-33D7-4111-8EF0-37AE1E4E2F8D}.exe
Token: SeIncBasePriorityPrivilege	2640	{8E6AB1FD-2974-47a6-82EB-C7E73EB661E6}.exe
Token: SeIncBasePriorityPrivilege	2748	{1E10C772-DC86-421c-AAF5-D13BE5A16A43}.exe
Token: SeIncBasePriorityPrivilege	2148	{444E4D91-4A04-4a4e-ADFA-6A18DE7EB458}.exe
Token: SeIncBasePriorityPrivilege	2720	{FF94BB12-CB25-4df2-92DB-4AE8A5F6A69C}.exe
Token: SeIncBasePriorityPrivilege	2160	{AF079D74-E86D-45d6-857B-20D730082351}.exe
Token: SeIncBasePriorityPrivilege	308	{C2CBA760-C8FB-4348-837B-D116568ED2D7}.exe
Token: SeIncBasePriorityPrivilege	540	{069ACB54-7AD1-4cc7-9225-3373EE6447C9}.exe
Token: SeIncBasePriorityPrivilege	2276	{33CF3776-7F0E-400f-AF35-A2E94CCD41DA}.exe
Token: SeIncBasePriorityPrivilege	1404	{47753917-BF15-4b43-A41D-28128EA731EC}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2756 wrote to memory of 1816	2756	2024-06-07_f3741bca08a664227f2437f039d7dd2c_goldeneye.exe	28
PID 2756 wrote to memory of 1816	2756	2024-06-07_f3741bca08a664227f2437f039d7dd2c_goldeneye.exe	28
PID 2756 wrote to memory of 1816	2756	2024-06-07_f3741bca08a664227f2437f039d7dd2c_goldeneye.exe	28
PID 2756 wrote to memory of 1816	2756	2024-06-07_f3741bca08a664227f2437f039d7dd2c_goldeneye.exe	28
PID 2756 wrote to memory of 1160	2756	2024-06-07_f3741bca08a664227f2437f039d7dd2c_goldeneye.exe	29
PID 2756 wrote to memory of 1160	2756	2024-06-07_f3741bca08a664227f2437f039d7dd2c_goldeneye.exe	29
PID 2756 wrote to memory of 1160	2756	2024-06-07_f3741bca08a664227f2437f039d7dd2c_goldeneye.exe	29
PID 2756 wrote to memory of 1160	2756	2024-06-07_f3741bca08a664227f2437f039d7dd2c_goldeneye.exe	29
PID 1816 wrote to memory of 2640	1816	{3F596A77-33D7-4111-8EF0-37AE1E4E2F8D}.exe	30
PID 1816 wrote to memory of 2640	1816	{3F596A77-33D7-4111-8EF0-37AE1E4E2F8D}.exe	30
PID 1816 wrote to memory of 2640	1816	{3F596A77-33D7-4111-8EF0-37AE1E4E2F8D}.exe	30
PID 1816 wrote to memory of 2640	1816	{3F596A77-33D7-4111-8EF0-37AE1E4E2F8D}.exe	30
PID 1816 wrote to memory of 2556	1816	{3F596A77-33D7-4111-8EF0-37AE1E4E2F8D}.exe	31
PID 1816 wrote to memory of 2556	1816	{3F596A77-33D7-4111-8EF0-37AE1E4E2F8D}.exe	31
PID 1816 wrote to memory of 2556	1816	{3F596A77-33D7-4111-8EF0-37AE1E4E2F8D}.exe	31
PID 1816 wrote to memory of 2556	1816	{3F596A77-33D7-4111-8EF0-37AE1E4E2F8D}.exe	31
PID 2640 wrote to memory of 2748	2640	{8E6AB1FD-2974-47a6-82EB-C7E73EB661E6}.exe	32
PID 2640 wrote to memory of 2748	2640	{8E6AB1FD-2974-47a6-82EB-C7E73EB661E6}.exe	32
PID 2640 wrote to memory of 2748	2640	{8E6AB1FD-2974-47a6-82EB-C7E73EB661E6}.exe	32
PID 2640 wrote to memory of 2748	2640	{8E6AB1FD-2974-47a6-82EB-C7E73EB661E6}.exe	32
PID 2640 wrote to memory of 2456	2640	{8E6AB1FD-2974-47a6-82EB-C7E73EB661E6}.exe	33
PID 2640 wrote to memory of 2456	2640	{8E6AB1FD-2974-47a6-82EB-C7E73EB661E6}.exe	33
PID 2640 wrote to memory of 2456	2640	{8E6AB1FD-2974-47a6-82EB-C7E73EB661E6}.exe	33
PID 2640 wrote to memory of 2456	2640	{8E6AB1FD-2974-47a6-82EB-C7E73EB661E6}.exe	33
PID 2748 wrote to memory of 2148	2748	{1E10C772-DC86-421c-AAF5-D13BE5A16A43}.exe	36
PID 2748 wrote to memory of 2148	2748	{1E10C772-DC86-421c-AAF5-D13BE5A16A43}.exe	36
PID 2748 wrote to memory of 2148	2748	{1E10C772-DC86-421c-AAF5-D13BE5A16A43}.exe	36
PID 2748 wrote to memory of 2148	2748	{1E10C772-DC86-421c-AAF5-D13BE5A16A43}.exe	36
PID 2748 wrote to memory of 1800	2748	{1E10C772-DC86-421c-AAF5-D13BE5A16A43}.exe	37
PID 2748 wrote to memory of 1800	2748	{1E10C772-DC86-421c-AAF5-D13BE5A16A43}.exe	37
PID 2748 wrote to memory of 1800	2748	{1E10C772-DC86-421c-AAF5-D13BE5A16A43}.exe	37
PID 2748 wrote to memory of 1800	2748	{1E10C772-DC86-421c-AAF5-D13BE5A16A43}.exe	37
PID 2148 wrote to memory of 2720	2148	{444E4D91-4A04-4a4e-ADFA-6A18DE7EB458}.exe	38
PID 2148 wrote to memory of 2720	2148	{444E4D91-4A04-4a4e-ADFA-6A18DE7EB458}.exe	38
PID 2148 wrote to memory of 2720	2148	{444E4D91-4A04-4a4e-ADFA-6A18DE7EB458}.exe	38
PID 2148 wrote to memory of 2720	2148	{444E4D91-4A04-4a4e-ADFA-6A18DE7EB458}.exe	38
PID 2148 wrote to memory of 2780	2148	{444E4D91-4A04-4a4e-ADFA-6A18DE7EB458}.exe	39
PID 2148 wrote to memory of 2780	2148	{444E4D91-4A04-4a4e-ADFA-6A18DE7EB458}.exe	39
PID 2148 wrote to memory of 2780	2148	{444E4D91-4A04-4a4e-ADFA-6A18DE7EB458}.exe	39
PID 2148 wrote to memory of 2780	2148	{444E4D91-4A04-4a4e-ADFA-6A18DE7EB458}.exe	39
PID 2720 wrote to memory of 2160	2720	{FF94BB12-CB25-4df2-92DB-4AE8A5F6A69C}.exe	40
PID 2720 wrote to memory of 2160	2720	{FF94BB12-CB25-4df2-92DB-4AE8A5F6A69C}.exe	40
PID 2720 wrote to memory of 2160	2720	{FF94BB12-CB25-4df2-92DB-4AE8A5F6A69C}.exe	40
PID 2720 wrote to memory of 2160	2720	{FF94BB12-CB25-4df2-92DB-4AE8A5F6A69C}.exe	40
PID 2720 wrote to memory of 1996	2720	{FF94BB12-CB25-4df2-92DB-4AE8A5F6A69C}.exe	41
PID 2720 wrote to memory of 1996	2720	{FF94BB12-CB25-4df2-92DB-4AE8A5F6A69C}.exe	41
PID 2720 wrote to memory of 1996	2720	{FF94BB12-CB25-4df2-92DB-4AE8A5F6A69C}.exe	41
PID 2720 wrote to memory of 1996	2720	{FF94BB12-CB25-4df2-92DB-4AE8A5F6A69C}.exe	41
PID 2160 wrote to memory of 308	2160	{AF079D74-E86D-45d6-857B-20D730082351}.exe	42
PID 2160 wrote to memory of 308	2160	{AF079D74-E86D-45d6-857B-20D730082351}.exe	42
PID 2160 wrote to memory of 308	2160	{AF079D74-E86D-45d6-857B-20D730082351}.exe	42
PID 2160 wrote to memory of 308	2160	{AF079D74-E86D-45d6-857B-20D730082351}.exe	42
PID 2160 wrote to memory of 2256	2160	{AF079D74-E86D-45d6-857B-20D730082351}.exe	43
PID 2160 wrote to memory of 2256	2160	{AF079D74-E86D-45d6-857B-20D730082351}.exe	43
PID 2160 wrote to memory of 2256	2160	{AF079D74-E86D-45d6-857B-20D730082351}.exe	43
PID 2160 wrote to memory of 2256	2160	{AF079D74-E86D-45d6-857B-20D730082351}.exe	43
PID 308 wrote to memory of 540	308	{C2CBA760-C8FB-4348-837B-D116568ED2D7}.exe	44
PID 308 wrote to memory of 540	308	{C2CBA760-C8FB-4348-837B-D116568ED2D7}.exe	44
PID 308 wrote to memory of 540	308	{C2CBA760-C8FB-4348-837B-D116568ED2D7}.exe	44
PID 308 wrote to memory of 540	308	{C2CBA760-C8FB-4348-837B-D116568ED2D7}.exe	44
PID 308 wrote to memory of 2216	308	{C2CBA760-C8FB-4348-837B-D116568ED2D7}.exe	45
PID 308 wrote to memory of 2216	308	{C2CBA760-C8FB-4348-837B-D116568ED2D7}.exe	45
PID 308 wrote to memory of 2216	308	{C2CBA760-C8FB-4348-837B-D116568ED2D7}.exe	45
PID 308 wrote to memory of 2216	308	{C2CBA760-C8FB-4348-837B-D116568ED2D7}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-06-07_f3741bca08a664227f2437f039d7dd2c_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-07_f3741bca08a664227f2437f039d7dd2c_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2756
- C:\Windows\{3F596A77-33D7-4111-8EF0-37AE1E4E2F8D}.exe
  C:\Windows\{3F596A77-33D7-4111-8EF0-37AE1E4E2F8D}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1816
- - C:\Windows\{8E6AB1FD-2974-47a6-82EB-C7E73EB661E6}.exe
    C:\Windows\{8E6AB1FD-2974-47a6-82EB-C7E73EB661E6}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2640
  - - C:\Windows\{1E10C772-DC86-421c-AAF5-D13BE5A16A43}.exe
      C:\Windows\{1E10C772-DC86-421c-AAF5-D13BE5A16A43}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2748
    - - C:\Windows\{444E4D91-4A04-4a4e-ADFA-6A18DE7EB458}.exe
        
        C:\Windows\{444E4D91-4A04-4a4e-ADFA-6A18DE7EB458}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2148
      - C:\Windows\{FF94BB12-CB25-4df2-92DB-4AE8A5F6A69C}.exe
        
        C:\Windows\{FF94BB12-CB25-4df2-92DB-4AE8A5F6A69C}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2720
        
        C:\Windows\{AF079D74-E86D-45d6-857B-20D730082351}.exe
        
        C:\Windows\{AF079D74-E86D-45d6-857B-20D730082351}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2160
        
        C:\Windows\{C2CBA760-C8FB-4348-837B-D116568ED2D7}.exe
        
        C:\Windows\{C2CBA760-C8FB-4348-837B-D116568ED2D7}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:308
        
        C:\Windows\{069ACB54-7AD1-4cc7-9225-3373EE6447C9}.exe
        
        C:\Windows\{069ACB54-7AD1-4cc7-9225-3373EE6447C9}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:540
        
        C:\Windows\{33CF3776-7F0E-400f-AF35-A2E94CCD41DA}.exe
        
        C:\Windows\{33CF3776-7F0E-400f-AF35-A2E94CCD41DA}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2276
        
        C:\Windows\{47753917-BF15-4b43-A41D-28128EA731EC}.exe
        
        C:\Windows\{47753917-BF15-4b43-A41D-28128EA731EC}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1404
        
        C:\Windows\{3A851B03-B13E-4896-8E88-8FD638D0F976}.exe
        
        C:\Windows\{3A851B03-B13E-4896-8E88-8FD638D0F976}.exe
        12⤵
        Executes dropped EXE
        
        PID:1624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{47753~1.EXE > nul
        12⤵
        
        PID:576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{33CF3~1.EXE > nul
        11⤵
        
        PID:1040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{069AC~1.EXE > nul
        10⤵
        
        PID:1164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C2CBA~1.EXE > nul
        9⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AF079~1.EXE > nul
        8⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FF94B~1.EXE > nul
        7⤵
        
        PID:1996
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{444E4~1.EXE > nul
        6⤵
        
        PID:2780
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1E10C~1.EXE > nul
        5⤵
        
        PID:1800
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{8E6AB~1.EXE > nul
      4⤵
      PID:2456
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{3F596~1.EXE > nul
    3⤵
    PID:2556
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:1160

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{069ACB54-7AD1-4cc7-9225-3373EE6447C9}.exe

Filesize
180KB

MD5
d09990d220af7f36d72c038a10e6efd0

SHA1
e25782e9140b9c51753bbcd894de4001cf22281a

SHA256
df5ceea9c010032ea64edbf9b84f439264423e20d7e22dbfc1e7915efcab5445

SHA512
a3a81461a29ca71b59057118cac662a7c4324e0bc5c5b1fc2e77ef75b5bfb829459df4cb37d12e29b5882c35d3c944b28977e949316b9e42fce25444b61df5c8

Download Submit
C:\Windows\{1E10C772-DC86-421c-AAF5-D13BE5A16A43}.exe

Filesize
180KB

MD5
4f3e584af01851e361fdfdb954f4bd88

SHA1
78fbd76d95f8ed569d3630f080808c2595061c82

SHA256
2a14974c7ee5095f2181872d52744c7869c5578a24d5d442f28e31307b213391

SHA512
850d9fe8a74350b852be1c039f29ff608458e5fb563b98a8f85a53a4109d36e14b9b380e7feffd42b33823416e5703b3629d185e4546cb10721fbcba92608ab5

Download Submit
C:\Windows\{33CF3776-7F0E-400f-AF35-A2E94CCD41DA}.exe

Filesize
180KB

MD5
65c410696293ef971edbbdb24924b6de

SHA1
2c233c5d6e9eea275ab017b84d6fff74916ae624

SHA256
76c02a6105b38a1744b666ec0048f06219f90564bdd1ff1979e9c8d78e24185d

SHA512
0c1d4d6214f2a95df391d11e8b087bdfcdcf6867bdf6db279245d44517172a008d4ab5927c834056feb0684c3391b637f3bd23d696ffeffe909972f73cc79a63

Download Submit
C:\Windows\{3A851B03-B13E-4896-8E88-8FD638D0F976}.exe

Filesize
180KB

MD5
8d2ed3e0b45b809db0041e3901d733df

SHA1
b5024ef4de88a5554ed1b47ce2a0186a9238018e

SHA256
7957dc42a4573b08930426db50e7ab597356b66764a9547741838bcf2e461bc3

SHA512
a99d71724aae2809c05aa45842906b36f26505d2768fcea88eb7dc9ae4ead82542544f081d0b5046fc6584d8ea17ee5c97c852e80203af1712c8aa1e34317813

Download Submit
C:\Windows\{3F596A77-33D7-4111-8EF0-37AE1E4E2F8D}.exe

Filesize
180KB

MD5
e68edd86428944e81c17829c4de2b6ab

SHA1
417570f158f370b51e9a06ccf10affad35c22e3d

SHA256
4eb488d6d057cdca6d54647ce5f39ba86dae0726065590a0f3f75772ebeb8b3a

SHA512
7488c1a7a1f4f117e3eceea1ed3f026a07f0c86e34a68dfde6da551b5e728af85e59c2f771eda8c823f4301b85533a5c1d87a9714d63065e05f663426d51ce82

Download Submit
C:\Windows\{444E4D91-4A04-4a4e-ADFA-6A18DE7EB458}.exe

Filesize
180KB

MD5
3c9cf5813f740b7c88b593c7bdb268cf

SHA1
d0422405fbcfcbfb58ae9a6df78bf4fa09ea2d37

SHA256
9868bd24fa47c4c1c193d86180cf5b7b086f1fc1df874e34518bc353e7c3cee2

SHA512
03302e1d62ccd4ea23998b69d249c69de1a0317b7bafab3ef789d0dca184e77734f7ff823283a5757b9792b80c050a20363139dbc7d27405449a41e39a425e94

Download Submit
C:\Windows\{47753917-BF15-4b43-A41D-28128EA731EC}.exe

Filesize
180KB

MD5
1affd24b004ad0462af7b469187a3f3f

SHA1
c8a739a3c0b68a42713d07f69040934a44161b83

SHA256
e0b62d3448043c08e9fdc7dad315400881d66b1020066ce8f19890cd48c8da7a

SHA512
d5ee3cfaa1d16270a777341c998d05158c3d5d162aa16a71a8adcb20ce27b13e1d904703c06e11bf6f107857074eab9fa7b1266b8bf4ecf3fbcf6e9dcb7be5b8

Download Submit
C:\Windows\{8E6AB1FD-2974-47a6-82EB-C7E73EB661E6}.exe

Filesize
180KB

MD5
17cb8a5a984f99ff2944c788b5e0dcae

SHA1
42749619197a31e8db927a510dfcc5bc5a8e8488

SHA256
2fddae8c3e6d164900db6048830ed3fdc05ec3f8b46a20c5c351db560f8d5468

SHA512
35a7fa43ec7af762e00bab82acc37385cedf565336d27f5b73c7cad488d35edcdb0fd1226458f585bc79ed4b3a4d945eb2dc6ab5483135cd6dfa309f96278b7c

Download Submit
C:\Windows\{AF079D74-E86D-45d6-857B-20D730082351}.exe

Filesize
180KB

MD5
d83721428a5a0243c6e9325f90d582c2

SHA1
c19a54ec03dde7068f5609a97db18d5edba3358c

SHA256
df688311ee7174e4cba4316172a384fee24cab1a5c681f53e70c5760aca8b772

SHA512
6afc89a37d110368252c9831e9701c0defe4923b88b404d40893febe6181a219f4306f2247ca8c109f0685d7b7fe9cbdcc5c165c72f8bbc4ce9b4e015d23bae5

Download Submit
C:\Windows\{C2CBA760-C8FB-4348-837B-D116568ED2D7}.exe

Filesize
180KB

MD5
898feacf389ed239ef60b3d3de3b826f

SHA1
7655f3f256aef131a87126c5b81be626182ba04e

SHA256
3752b1e708f0d97b9182b4ce0987bb82749d5c07699a4e4de771832d9511f0b8

SHA512
bb3763651823ccfe96c1bee6ca4b2cc765d69cf688e0ffb247cf3fa18e21d617ad956a5f67b9713c846b5a38707d4f44fd3ff183bc18308c8e45e49118544e30

Download Submit
C:\Windows\{FF94BB12-CB25-4df2-92DB-4AE8A5F6A69C}.exe

Filesize
180KB

MD5
85ea1f9671ca1fcfd0af6cabfc1920c6

SHA1
713c1502f59508f133196703b19877ed42814fc8

SHA256
1d984c4fb279ff8d21b9553f2a4cc2825d6299c15196a8e101bbfb1cf3ed0b2f

SHA512
532b49106141a283fe5e3bf5a29eb6e69b11ca7ca8d00e969f24f4abaf9f4b0f580580881a29f930df887ee0fae188c9fa7c1bb0cc917d1905c80c6ad2f649b9

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads