8f0e5a7d0dc997aa919d46d2ce6158a7166a6bd35231f323f43ccaa8853c554a

Analysis

max time kernel
144s
max time network
120s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
16/06/2024, 06:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-16_71c0297266742f36e4bca755840e98a4_goldeneye.exe
Size

204KB
MD5

71c0297266742f36e4bca755840e98a4
SHA1

361680f67410753254b2723784fc60635e6b1e12
SHA256

8f0e5a7d0dc997aa919d46d2ce6158a7166a6bd35231f323f43ccaa8853c554a
SHA512

3c4c078a0abeab3afea5fd49f35a6256ca61a6b3d3eaf194ff77f3c93aeb340d8b427d52d43a8797ac0f4efb6f53ec32bfe50d4067478924cb14806b055e7fce
SSDEEP

1536:1EGh0oDl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oDl1OPOe2MUVg3Ve+rXfMUy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000500000000b309-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x005700000001430e-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000600000000b309-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0055000000014318-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000700000000b309-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000800000000b309-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000900000000b309-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AE331D6C-7B2A-4995-9BE4-86AB4D687442}	{2F83ABA7-4ECF-41a0-A13D-6FA8FAAE83B1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{708CE27D-50E6-428f-B864-8E02DB9D915D}	{9C9ED2E0-D6BF-4062-86DF-34E6F238F2E0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DDB5395E-578C-4491-9CC3-2562C04D38E7}\stubpath = "C:\\Windows\\{DDB5395E-578C-4491-9CC3-2562C04D38E7}.exe"	{68E3A6E3-B376-4679-BC03-12EA8960B48F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{12465B34-7859-4210-A2BE-35BDA55E59B0}	{DDB5395E-578C-4491-9CC3-2562C04D38E7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{304B2A5E-0D96-4600-800F-1B1EFD85C059}	{FA9EA14E-B82D-45dc-AD0F-E5C19B725167}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2F83ABA7-4ECF-41a0-A13D-6FA8FAAE83B1}\stubpath = "C:\\Windows\\{2F83ABA7-4ECF-41a0-A13D-6FA8FAAE83B1}.exe"	{304B2A5E-0D96-4600-800F-1B1EFD85C059}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2F83ABA7-4ECF-41a0-A13D-6FA8FAAE83B1}	{304B2A5E-0D96-4600-800F-1B1EFD85C059}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{708CE27D-50E6-428f-B864-8E02DB9D915D}\stubpath = "C:\\Windows\\{708CE27D-50E6-428f-B864-8E02DB9D915D}.exe"	{9C9ED2E0-D6BF-4062-86DF-34E6F238F2E0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{68E3A6E3-B376-4679-BC03-12EA8960B48F}\stubpath = "C:\\Windows\\{68E3A6E3-B376-4679-BC03-12EA8960B48F}.exe"	{45F74325-7BCB-4e7d-9A76-B9FEC2BA3D91}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{12465B34-7859-4210-A2BE-35BDA55E59B0}\stubpath = "C:\\Windows\\{12465B34-7859-4210-A2BE-35BDA55E59B0}.exe"	{DDB5395E-578C-4491-9CC3-2562C04D38E7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FA9EA14E-B82D-45dc-AD0F-E5C19B725167}\stubpath = "C:\\Windows\\{FA9EA14E-B82D-45dc-AD0F-E5C19B725167}.exe"	{12465B34-7859-4210-A2BE-35BDA55E59B0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{304B2A5E-0D96-4600-800F-1B1EFD85C059}\stubpath = "C:\\Windows\\{304B2A5E-0D96-4600-800F-1B1EFD85C059}.exe"	{FA9EA14E-B82D-45dc-AD0F-E5C19B725167}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FA9EA14E-B82D-45dc-AD0F-E5C19B725167}	{12465B34-7859-4210-A2BE-35BDA55E59B0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AE331D6C-7B2A-4995-9BE4-86AB4D687442}\stubpath = "C:\\Windows\\{AE331D6C-7B2A-4995-9BE4-86AB4D687442}.exe"	{2F83ABA7-4ECF-41a0-A13D-6FA8FAAE83B1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9C9ED2E0-D6BF-4062-86DF-34E6F238F2E0}	2024-06-16_71c0297266742f36e4bca755840e98a4_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9C9ED2E0-D6BF-4062-86DF-34E6F238F2E0}\stubpath = "C:\\Windows\\{9C9ED2E0-D6BF-4062-86DF-34E6F238F2E0}.exe"	2024-06-16_71c0297266742f36e4bca755840e98a4_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{45F74325-7BCB-4e7d-9A76-B9FEC2BA3D91}	{E2157912-FF31-478e-ACFC-37E14A40D9BE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{45F74325-7BCB-4e7d-9A76-B9FEC2BA3D91}\stubpath = "C:\\Windows\\{45F74325-7BCB-4e7d-9A76-B9FEC2BA3D91}.exe"	{E2157912-FF31-478e-ACFC-37E14A40D9BE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{68E3A6E3-B376-4679-BC03-12EA8960B48F}	{45F74325-7BCB-4e7d-9A76-B9FEC2BA3D91}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E2157912-FF31-478e-ACFC-37E14A40D9BE}	{708CE27D-50E6-428f-B864-8E02DB9D915D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E2157912-FF31-478e-ACFC-37E14A40D9BE}\stubpath = "C:\\Windows\\{E2157912-FF31-478e-ACFC-37E14A40D9BE}.exe"	{708CE27D-50E6-428f-B864-8E02DB9D915D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DDB5395E-578C-4491-9CC3-2562C04D38E7}	{68E3A6E3-B376-4679-BC03-12EA8960B48F}.exe

Deletes itself 1 IoCs

pid	Process
2656	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2888	{9C9ED2E0-D6BF-4062-86DF-34E6F238F2E0}.exe
2676	{708CE27D-50E6-428f-B864-8E02DB9D915D}.exe
2580	{E2157912-FF31-478e-ACFC-37E14A40D9BE}.exe
1956	{45F74325-7BCB-4e7d-9A76-B9FEC2BA3D91}.exe
2424	{68E3A6E3-B376-4679-BC03-12EA8960B48F}.exe
1824	{DDB5395E-578C-4491-9CC3-2562C04D38E7}.exe
2008	{12465B34-7859-4210-A2BE-35BDA55E59B0}.exe
2220	{FA9EA14E-B82D-45dc-AD0F-E5C19B725167}.exe
2068	{304B2A5E-0D96-4600-800F-1B1EFD85C059}.exe
2192	{2F83ABA7-4ECF-41a0-A13D-6FA8FAAE83B1}.exe
588	{AE331D6C-7B2A-4995-9BE4-86AB4D687442}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{9C9ED2E0-D6BF-4062-86DF-34E6F238F2E0}.exe	2024-06-16_71c0297266742f36e4bca755840e98a4_goldeneye.exe
File created	C:\Windows\{E2157912-FF31-478e-ACFC-37E14A40D9BE}.exe	{708CE27D-50E6-428f-B864-8E02DB9D915D}.exe
File created	C:\Windows\{12465B34-7859-4210-A2BE-35BDA55E59B0}.exe	{DDB5395E-578C-4491-9CC3-2562C04D38E7}.exe
File created	C:\Windows\{304B2A5E-0D96-4600-800F-1B1EFD85C059}.exe	{FA9EA14E-B82D-45dc-AD0F-E5C19B725167}.exe
File created	C:\Windows\{AE331D6C-7B2A-4995-9BE4-86AB4D687442}.exe	{2F83ABA7-4ECF-41a0-A13D-6FA8FAAE83B1}.exe
File created	C:\Windows\{708CE27D-50E6-428f-B864-8E02DB9D915D}.exe	{9C9ED2E0-D6BF-4062-86DF-34E6F238F2E0}.exe
File created	C:\Windows\{45F74325-7BCB-4e7d-9A76-B9FEC2BA3D91}.exe	{E2157912-FF31-478e-ACFC-37E14A40D9BE}.exe
File created	C:\Windows\{68E3A6E3-B376-4679-BC03-12EA8960B48F}.exe	{45F74325-7BCB-4e7d-9A76-B9FEC2BA3D91}.exe
File created	C:\Windows\{DDB5395E-578C-4491-9CC3-2562C04D38E7}.exe	{68E3A6E3-B376-4679-BC03-12EA8960B48F}.exe
File created	C:\Windows\{FA9EA14E-B82D-45dc-AD0F-E5C19B725167}.exe	{12465B34-7859-4210-A2BE-35BDA55E59B0}.exe
File created	C:\Windows\{2F83ABA7-4ECF-41a0-A13D-6FA8FAAE83B1}.exe	{304B2A5E-0D96-4600-800F-1B1EFD85C059}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2116	2024-06-16_71c0297266742f36e4bca755840e98a4_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2888	{9C9ED2E0-D6BF-4062-86DF-34E6F238F2E0}.exe
Token: SeIncBasePriorityPrivilege	2676	{708CE27D-50E6-428f-B864-8E02DB9D915D}.exe
Token: SeIncBasePriorityPrivilege	2580	{E2157912-FF31-478e-ACFC-37E14A40D9BE}.exe
Token: SeIncBasePriorityPrivilege	1956	{45F74325-7BCB-4e7d-9A76-B9FEC2BA3D91}.exe
Token: SeIncBasePriorityPrivilege	2424	{68E3A6E3-B376-4679-BC03-12EA8960B48F}.exe
Token: SeIncBasePriorityPrivilege	1824	{DDB5395E-578C-4491-9CC3-2562C04D38E7}.exe
Token: SeIncBasePriorityPrivilege	2008	{12465B34-7859-4210-A2BE-35BDA55E59B0}.exe
Token: SeIncBasePriorityPrivilege	2220	{FA9EA14E-B82D-45dc-AD0F-E5C19B725167}.exe
Token: SeIncBasePriorityPrivilege	2068	{304B2A5E-0D96-4600-800F-1B1EFD85C059}.exe
Token: SeIncBasePriorityPrivilege	2192	{2F83ABA7-4ECF-41a0-A13D-6FA8FAAE83B1}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2116 wrote to memory of 2888	2116	2024-06-16_71c0297266742f36e4bca755840e98a4_goldeneye.exe	28
PID 2116 wrote to memory of 2888	2116	2024-06-16_71c0297266742f36e4bca755840e98a4_goldeneye.exe	28
PID 2116 wrote to memory of 2888	2116	2024-06-16_71c0297266742f36e4bca755840e98a4_goldeneye.exe	28
PID 2116 wrote to memory of 2888	2116	2024-06-16_71c0297266742f36e4bca755840e98a4_goldeneye.exe	28
PID 2116 wrote to memory of 2656	2116	2024-06-16_71c0297266742f36e4bca755840e98a4_goldeneye.exe	29
PID 2116 wrote to memory of 2656	2116	2024-06-16_71c0297266742f36e4bca755840e98a4_goldeneye.exe	29
PID 2116 wrote to memory of 2656	2116	2024-06-16_71c0297266742f36e4bca755840e98a4_goldeneye.exe	29
PID 2116 wrote to memory of 2656	2116	2024-06-16_71c0297266742f36e4bca755840e98a4_goldeneye.exe	29
PID 2888 wrote to memory of 2676	2888	{9C9ED2E0-D6BF-4062-86DF-34E6F238F2E0}.exe	30
PID 2888 wrote to memory of 2676	2888	{9C9ED2E0-D6BF-4062-86DF-34E6F238F2E0}.exe	30
PID 2888 wrote to memory of 2676	2888	{9C9ED2E0-D6BF-4062-86DF-34E6F238F2E0}.exe	30
PID 2888 wrote to memory of 2676	2888	{9C9ED2E0-D6BF-4062-86DF-34E6F238F2E0}.exe	30
PID 2888 wrote to memory of 2560	2888	{9C9ED2E0-D6BF-4062-86DF-34E6F238F2E0}.exe	31
PID 2888 wrote to memory of 2560	2888	{9C9ED2E0-D6BF-4062-86DF-34E6F238F2E0}.exe	31
PID 2888 wrote to memory of 2560	2888	{9C9ED2E0-D6BF-4062-86DF-34E6F238F2E0}.exe	31
PID 2888 wrote to memory of 2560	2888	{9C9ED2E0-D6BF-4062-86DF-34E6F238F2E0}.exe	31
PID 2676 wrote to memory of 2580	2676	{708CE27D-50E6-428f-B864-8E02DB9D915D}.exe	32
PID 2676 wrote to memory of 2580	2676	{708CE27D-50E6-428f-B864-8E02DB9D915D}.exe	32
PID 2676 wrote to memory of 2580	2676	{708CE27D-50E6-428f-B864-8E02DB9D915D}.exe	32
PID 2676 wrote to memory of 2580	2676	{708CE27D-50E6-428f-B864-8E02DB9D915D}.exe	32
PID 2676 wrote to memory of 2724	2676	{708CE27D-50E6-428f-B864-8E02DB9D915D}.exe	33
PID 2676 wrote to memory of 2724	2676	{708CE27D-50E6-428f-B864-8E02DB9D915D}.exe	33
PID 2676 wrote to memory of 2724	2676	{708CE27D-50E6-428f-B864-8E02DB9D915D}.exe	33
PID 2676 wrote to memory of 2724	2676	{708CE27D-50E6-428f-B864-8E02DB9D915D}.exe	33
PID 2580 wrote to memory of 1956	2580	{E2157912-FF31-478e-ACFC-37E14A40D9BE}.exe	36
PID 2580 wrote to memory of 1956	2580	{E2157912-FF31-478e-ACFC-37E14A40D9BE}.exe	36
PID 2580 wrote to memory of 1956	2580	{E2157912-FF31-478e-ACFC-37E14A40D9BE}.exe	36
PID 2580 wrote to memory of 1956	2580	{E2157912-FF31-478e-ACFC-37E14A40D9BE}.exe	36
PID 2580 wrote to memory of 2764	2580	{E2157912-FF31-478e-ACFC-37E14A40D9BE}.exe	37
PID 2580 wrote to memory of 2764	2580	{E2157912-FF31-478e-ACFC-37E14A40D9BE}.exe	37
PID 2580 wrote to memory of 2764	2580	{E2157912-FF31-478e-ACFC-37E14A40D9BE}.exe	37
PID 2580 wrote to memory of 2764	2580	{E2157912-FF31-478e-ACFC-37E14A40D9BE}.exe	37
PID 1956 wrote to memory of 2424	1956	{45F74325-7BCB-4e7d-9A76-B9FEC2BA3D91}.exe	38
PID 1956 wrote to memory of 2424	1956	{45F74325-7BCB-4e7d-9A76-B9FEC2BA3D91}.exe	38
PID 1956 wrote to memory of 2424	1956	{45F74325-7BCB-4e7d-9A76-B9FEC2BA3D91}.exe	38
PID 1956 wrote to memory of 2424	1956	{45F74325-7BCB-4e7d-9A76-B9FEC2BA3D91}.exe	38
PID 1956 wrote to memory of 1236	1956	{45F74325-7BCB-4e7d-9A76-B9FEC2BA3D91}.exe	39
PID 1956 wrote to memory of 1236	1956	{45F74325-7BCB-4e7d-9A76-B9FEC2BA3D91}.exe	39
PID 1956 wrote to memory of 1236	1956	{45F74325-7BCB-4e7d-9A76-B9FEC2BA3D91}.exe	39
PID 1956 wrote to memory of 1236	1956	{45F74325-7BCB-4e7d-9A76-B9FEC2BA3D91}.exe	39
PID 2424 wrote to memory of 1824	2424	{68E3A6E3-B376-4679-BC03-12EA8960B48F}.exe	40
PID 2424 wrote to memory of 1824	2424	{68E3A6E3-B376-4679-BC03-12EA8960B48F}.exe	40
PID 2424 wrote to memory of 1824	2424	{68E3A6E3-B376-4679-BC03-12EA8960B48F}.exe	40
PID 2424 wrote to memory of 1824	2424	{68E3A6E3-B376-4679-BC03-12EA8960B48F}.exe	40
PID 2424 wrote to memory of 2336	2424	{68E3A6E3-B376-4679-BC03-12EA8960B48F}.exe	41
PID 2424 wrote to memory of 2336	2424	{68E3A6E3-B376-4679-BC03-12EA8960B48F}.exe	41
PID 2424 wrote to memory of 2336	2424	{68E3A6E3-B376-4679-BC03-12EA8960B48F}.exe	41
PID 2424 wrote to memory of 2336	2424	{68E3A6E3-B376-4679-BC03-12EA8960B48F}.exe	41
PID 1824 wrote to memory of 2008	1824	{DDB5395E-578C-4491-9CC3-2562C04D38E7}.exe	42
PID 1824 wrote to memory of 2008	1824	{DDB5395E-578C-4491-9CC3-2562C04D38E7}.exe	42
PID 1824 wrote to memory of 2008	1824	{DDB5395E-578C-4491-9CC3-2562C04D38E7}.exe	42
PID 1824 wrote to memory of 2008	1824	{DDB5395E-578C-4491-9CC3-2562C04D38E7}.exe	42
PID 1824 wrote to memory of 1680	1824	{DDB5395E-578C-4491-9CC3-2562C04D38E7}.exe	43
PID 1824 wrote to memory of 1680	1824	{DDB5395E-578C-4491-9CC3-2562C04D38E7}.exe	43
PID 1824 wrote to memory of 1680	1824	{DDB5395E-578C-4491-9CC3-2562C04D38E7}.exe	43
PID 1824 wrote to memory of 1680	1824	{DDB5395E-578C-4491-9CC3-2562C04D38E7}.exe	43
PID 2008 wrote to memory of 2220	2008	{12465B34-7859-4210-A2BE-35BDA55E59B0}.exe	44
PID 2008 wrote to memory of 2220	2008	{12465B34-7859-4210-A2BE-35BDA55E59B0}.exe	44
PID 2008 wrote to memory of 2220	2008	{12465B34-7859-4210-A2BE-35BDA55E59B0}.exe	44
PID 2008 wrote to memory of 2220	2008	{12465B34-7859-4210-A2BE-35BDA55E59B0}.exe	44
PID 2008 wrote to memory of 1640	2008	{12465B34-7859-4210-A2BE-35BDA55E59B0}.exe	45
PID 2008 wrote to memory of 1640	2008	{12465B34-7859-4210-A2BE-35BDA55E59B0}.exe	45
PID 2008 wrote to memory of 1640	2008	{12465B34-7859-4210-A2BE-35BDA55E59B0}.exe	45
PID 2008 wrote to memory of 1640	2008	{12465B34-7859-4210-A2BE-35BDA55E59B0}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-06-16_71c0297266742f36e4bca755840e98a4_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-16_71c0297266742f36e4bca755840e98a4_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2116
- C:\Windows\{9C9ED2E0-D6BF-4062-86DF-34E6F238F2E0}.exe
  C:\Windows\{9C9ED2E0-D6BF-4062-86DF-34E6F238F2E0}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2888
- - C:\Windows\{708CE27D-50E6-428f-B864-8E02DB9D915D}.exe
    C:\Windows\{708CE27D-50E6-428f-B864-8E02DB9D915D}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2676
  - - C:\Windows\{E2157912-FF31-478e-ACFC-37E14A40D9BE}.exe
      C:\Windows\{E2157912-FF31-478e-ACFC-37E14A40D9BE}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2580
    - - C:\Windows\{45F74325-7BCB-4e7d-9A76-B9FEC2BA3D91}.exe
        
        C:\Windows\{45F74325-7BCB-4e7d-9A76-B9FEC2BA3D91}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1956
      - C:\Windows\{68E3A6E3-B376-4679-BC03-12EA8960B48F}.exe
        
        C:\Windows\{68E3A6E3-B376-4679-BC03-12EA8960B48F}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2424
        
        C:\Windows\{DDB5395E-578C-4491-9CC3-2562C04D38E7}.exe
        
        C:\Windows\{DDB5395E-578C-4491-9CC3-2562C04D38E7}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1824
        
        C:\Windows\{12465B34-7859-4210-A2BE-35BDA55E59B0}.exe
        
        C:\Windows\{12465B34-7859-4210-A2BE-35BDA55E59B0}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2008
        
        C:\Windows\{FA9EA14E-B82D-45dc-AD0F-E5C19B725167}.exe
        
        C:\Windows\{FA9EA14E-B82D-45dc-AD0F-E5C19B725167}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2220
        
        C:\Windows\{304B2A5E-0D96-4600-800F-1B1EFD85C059}.exe
        
        C:\Windows\{304B2A5E-0D96-4600-800F-1B1EFD85C059}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2068
        
        C:\Windows\{2F83ABA7-4ECF-41a0-A13D-6FA8FAAE83B1}.exe
        
        C:\Windows\{2F83ABA7-4ECF-41a0-A13D-6FA8FAAE83B1}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2192
        
        C:\Windows\{AE331D6C-7B2A-4995-9BE4-86AB4D687442}.exe
        
        C:\Windows\{AE331D6C-7B2A-4995-9BE4-86AB4D687442}.exe
        12⤵
        Executes dropped EXE
        
        PID:588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2F83A~1.EXE > nul
        12⤵
        
        PID:1484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{304B2~1.EXE > nul
        11⤵
        
        PID:2160
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FA9EA~1.EXE > nul
        10⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{12465~1.EXE > nul
        9⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DDB53~1.EXE > nul
        8⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{68E3A~1.EXE > nul
        7⤵
        
        PID:2336
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{45F74~1.EXE > nul
        6⤵
        
        PID:1236
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E2157~1.EXE > nul
        5⤵
        
        PID:2764
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{708CE~1.EXE > nul
      4⤵
      PID:2724
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{9C9ED~1.EXE > nul
    3⤵
    PID:2560
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{12465B34-7859-4210-A2BE-35BDA55E59B0}.exe

Filesize
204KB

MD5
16141c2cbaa29e0aa0b663f76b4fc47a

SHA1
9dc4f02eba3dc503f6a1ad9f1c7d42b6d0aca9f8

SHA256
4574727cbf15b7cf04201d35f4ed0883ab40e7789628f33ad31c9c7828fb0d9b

SHA512
7f4116d4de6acdb4cd4165cf80c2f8e4412f2f4943ae0df133844698d2deade15cdb5a7d8ea16d16373ddea80c04560ee753ad39ea00868d7ace672d4d0eb215

Download Submit
C:\Windows\{2F83ABA7-4ECF-41a0-A13D-6FA8FAAE83B1}.exe

Filesize
204KB

MD5
4fab167a3ae31cfc57f197d3a74295f7

SHA1
5a1603d390225657e1547aa3d883e374ac743356

SHA256
f206ba27749b574d9cf26b16c08b89adde65a6689f37c411150fa1264cb1d6a5

SHA512
c096a1acd43303b17c89957c1dbe164ba401fd8419e3c49c0573ec5e5858ec2d3368f3ea2f73ee3c3492bea768be6a5f956b94e990e4b82d6fc95f12f34741c7

Download Submit
C:\Windows\{304B2A5E-0D96-4600-800F-1B1EFD85C059}.exe

Filesize
204KB

MD5
a9ef989cdcfc365140195b55a22dba89

SHA1
8fc1fc081f949c998c95c797c28c2a2fc56a4122

SHA256
548c301c230282ed8d7da074a61137d37d6d62a31749ebb352a33203722923ee

SHA512
d2aa9d7912f58693a6d1aa7145b3b49988b4d2fdc6f4a202351e6dd387575336b539584a84e9269b83937e1378d5aef72f675c9028688fcda544d51bef5f7714

Download Submit
C:\Windows\{45F74325-7BCB-4e7d-9A76-B9FEC2BA3D91}.exe

Filesize
204KB

MD5
e5d3cb158ff0fa506287a7dc7461d29b

SHA1
e63236c55784dec1144415af187961650d4bf317

SHA256
51fbc0aee6e6eee2f4d1794eec9b741ab95943c3b41bd673a3576264e395c06e

SHA512
2a184b203c567ba4b61f92e441f4e3785dcdb47026b3dd124c594f112ca22f209a3d70b64b7b4ed4428662a0b5542958d2d08fec8522533d97275497f6eff9a0

Download Submit
C:\Windows\{68E3A6E3-B376-4679-BC03-12EA8960B48F}.exe

Filesize
204KB

MD5
91c012e7ad9952859463b0a9be9f4b11

SHA1
f82d75879acca63235d2376da76b48541ae04613

SHA256
3c8614e692eed0cb359c2bf7cc4cb0ac33c9464f461890ba1eb661a07a334a79

SHA512
1ed5336cf3cda6433fda57c2b824682d91f0c18fc12e77d497e3a84dd94a0e974cd69d8a37804a8883fa19a02a4aedfb4409ad155ad32978e73caf9eceb4c870

Download Submit
C:\Windows\{708CE27D-50E6-428f-B864-8E02DB9D915D}.exe

Filesize
204KB

MD5
474482262e07a3d8c95d956f9739b5cb

SHA1
cebbc7eec25e4ad1b3d92cc3b16e1a68f38dd286

SHA256
405fdcec1f0743e023af68515139b5d3cff79a5caeaffbbdd56b5b8f2729eebd

SHA512
651fcbd48fda5dbc8f17089adfcb8efdcac55f8f3268fd16643c3171e7d45830191fd46b2ccdba5f36cddf20472dc4a67b4b79ae9440e6e3c94be71de7307daa

Download Submit
C:\Windows\{9C9ED2E0-D6BF-4062-86DF-34E6F238F2E0}.exe

Filesize
204KB

MD5
ffa0a30a09202eb70526fd39210c7514

SHA1
21b257c0a9e15ab10781e7a6a66a0a90799e2462

SHA256
294c62194f0a21e4e73fc3591221a1e9cb970c38c8a5dbafc76c627aea33a16d

SHA512
aba82ca8e121bea178b291d125860a50bae3458e69898dfb56c2ac8453558bbbc7e47affecedc755e0cd1924c3ef9d9a81f1d1653830e25225db04e3471e76ca

Download Submit
C:\Windows\{AE331D6C-7B2A-4995-9BE4-86AB4D687442}.exe

Filesize
204KB

MD5
57bab8a5fabb229f5da7d2b6b2368fc0

SHA1
d1e9d2d388035b4702cfdfd8090b6a372f260f5a

SHA256
e2ddff1622e0e6ac81af0df80c3fbee6e5b27b2e5aa7018d6ed422b18939613e

SHA512
dd8157f92c7224ba60c2a141697fd0e0c34582e4669e5c4367f65d220f714f6a6247f3d61582236b04ba8204e4a5ca4081d3718fb066fc299e35bd7fb8724234

Download Submit
C:\Windows\{DDB5395E-578C-4491-9CC3-2562C04D38E7}.exe

Filesize
204KB

MD5
668c4fb9228f105f68bf300312966041

SHA1
10163acbd277c8879285ddd3377f2285ae01c381

SHA256
cd6134cc1a0e95a0c19ce061f759d32d480ba7184a898c6fe66500ffe9339e55

SHA512
99ce2cf166574bb54184e1c3077fe65af4fb88beeb1cb387c150a902b7f74482383c54bdc4f710fae3907c8a2cd1788765e32e28120bc4c22c5a19285c92e953

Download Submit
C:\Windows\{E2157912-FF31-478e-ACFC-37E14A40D9BE}.exe

Filesize
204KB

MD5
f807fd1ffb6adc0d7f9fa136cbbef98d

SHA1
c13d21ad27000bb5f9696e7f42c862822342b9f5

SHA256
e7db20fe13134c53bd9c2060c7222e239418bba76fda66eb7eb13ce9be1c8610

SHA512
8824200703bad14795af3ec7146a8307017b7d5f4993e19d8a09137ac152409df2dbb9a14a0d36310d54dffa56dd8a345244f8e4c47f370c95ddf27444023cea

Download Submit
C:\Windows\{FA9EA14E-B82D-45dc-AD0F-E5C19B725167}.exe

Filesize
204KB

MD5
443cae6c45870ba86956fef33c0ac425

SHA1
f28e59f4291f78fdbbdcbb426a4ae69910fac310

SHA256
a4fd8075ee81732f5183d527202a64778c9c58e4d900045daa45da086fa91b83

SHA512
44e1aad9ef44fe81911850429ecf5911f704f01a566fe25fe2e74b5b534e99e507f312e259bd9d2018e2df773d111d53955ade74069a24385cd75ef35f6f4b26

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads