e9486c4885fa2d8bf53a63ccef1967ff15110843fb15143c9531ff3deed7203b

Analysis

max time kernel
144s
max time network
124s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
18-01-2024 11:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-01_46a214a0d9052a48ff8fd42eb3454a77_goldeneye.exe
Size

408KB
MD5

46a214a0d9052a48ff8fd42eb3454a77
SHA1

84426da7dfee4a63a29defd912c172c2c2834dac
SHA256

e9486c4885fa2d8bf53a63ccef1967ff15110843fb15143c9531ff3deed7203b
SHA512

6669ead45e1ead872b8a762e87320a7d93b389d280d8c66f7b033893512e4ca5a1346dfc85773c0f2cca49a5f05c6b5429547b71de676657a4ce58873e69949d
SSDEEP

3072:CEGh0oql3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGUldOe2MUVg3vTeKcAEciTBqr3jy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x0009000000012252-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000900000001225f-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a000000012252-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b000000012252-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000012252-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a00000001225f-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0034000000016fc4-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0034000000017081-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0035000000016fc4-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9011A089-4C6A-4b19-891E-7FA9658AF234}\stubpath = "C:\\Windows\\{9011A089-4C6A-4b19-891E-7FA9658AF234}.exe"	2024-01-01_46a214a0d9052a48ff8fd42eb3454a77_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{418E3D07-52D0-4d35-9CA1-3E32749593D5}	{4F80111C-3127-47dd-9F7F-CD5FEB381662}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2604E298-50AF-451d-85D0-FEF8FDF05AA3}	{3BFB9E36-A0BC-4399-9FA1-9393DDB098A6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2604E298-50AF-451d-85D0-FEF8FDF05AA3}\stubpath = "C:\\Windows\\{2604E298-50AF-451d-85D0-FEF8FDF05AA3}.exe"	{3BFB9E36-A0BC-4399-9FA1-9393DDB098A6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5BC5CF53-C013-4be6-AB91-DB1D95B8310C}	{2604E298-50AF-451d-85D0-FEF8FDF05AA3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5BC5CF53-C013-4be6-AB91-DB1D95B8310C}\stubpath = "C:\\Windows\\{5BC5CF53-C013-4be6-AB91-DB1D95B8310C}.exe"	{2604E298-50AF-451d-85D0-FEF8FDF05AA3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EE4A4672-FFCE-4c82-97EA-C5EE9351A6BF}\stubpath = "C:\\Windows\\{EE4A4672-FFCE-4c82-97EA-C5EE9351A6BF}.exe"	{8166D5DF-CECE-486e-A631-5612D251E0E7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3BFB9E36-A0BC-4399-9FA1-9393DDB098A6}\stubpath = "C:\\Windows\\{3BFB9E36-A0BC-4399-9FA1-9393DDB098A6}.exe"	{418E3D07-52D0-4d35-9CA1-3E32749593D5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8166D5DF-CECE-486e-A631-5612D251E0E7}\stubpath = "C:\\Windows\\{8166D5DF-CECE-486e-A631-5612D251E0E7}.exe"	{5BC5CF53-C013-4be6-AB91-DB1D95B8310C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A8C70D02-E3E2-4308-809D-A9DAA2D90DEB}\stubpath = "C:\\Windows\\{A8C70D02-E3E2-4308-809D-A9DAA2D90DEB}.exe"	{EE4A4672-FFCE-4c82-97EA-C5EE9351A6BF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4247E305-5D12-4c2c-AEE1-0DD744CBA08A}	{F39F6BDB-639D-4694-B527-951FDD4C858C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4F80111C-3127-47dd-9F7F-CD5FEB381662}\stubpath = "C:\\Windows\\{4F80111C-3127-47dd-9F7F-CD5FEB381662}.exe"	{9011A089-4C6A-4b19-891E-7FA9658AF234}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3BFB9E36-A0BC-4399-9FA1-9393DDB098A6}	{418E3D07-52D0-4d35-9CA1-3E32749593D5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8166D5DF-CECE-486e-A631-5612D251E0E7}	{5BC5CF53-C013-4be6-AB91-DB1D95B8310C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EE4A4672-FFCE-4c82-97EA-C5EE9351A6BF}	{8166D5DF-CECE-486e-A631-5612D251E0E7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F39F6BDB-639D-4694-B527-951FDD4C858C}\stubpath = "C:\\Windows\\{F39F6BDB-639D-4694-B527-951FDD4C858C}.exe"	{A8C70D02-E3E2-4308-809D-A9DAA2D90DEB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9011A089-4C6A-4b19-891E-7FA9658AF234}	2024-01-01_46a214a0d9052a48ff8fd42eb3454a77_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4F80111C-3127-47dd-9F7F-CD5FEB381662}	{9011A089-4C6A-4b19-891E-7FA9658AF234}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{418E3D07-52D0-4d35-9CA1-3E32749593D5}\stubpath = "C:\\Windows\\{418E3D07-52D0-4d35-9CA1-3E32749593D5}.exe"	{4F80111C-3127-47dd-9F7F-CD5FEB381662}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A8C70D02-E3E2-4308-809D-A9DAA2D90DEB}	{EE4A4672-FFCE-4c82-97EA-C5EE9351A6BF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F39F6BDB-639D-4694-B527-951FDD4C858C}	{A8C70D02-E3E2-4308-809D-A9DAA2D90DEB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4247E305-5D12-4c2c-AEE1-0DD744CBA08A}\stubpath = "C:\\Windows\\{4247E305-5D12-4c2c-AEE1-0DD744CBA08A}.exe"	{F39F6BDB-639D-4694-B527-951FDD4C858C}.exe

Deletes itself 1 IoCs

pid	Process
2660	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
1340	{9011A089-4C6A-4b19-891E-7FA9658AF234}.exe
2844	{4F80111C-3127-47dd-9F7F-CD5FEB381662}.exe
2620	{418E3D07-52D0-4d35-9CA1-3E32749593D5}.exe
2184	{3BFB9E36-A0BC-4399-9FA1-9393DDB098A6}.exe
2964	{2604E298-50AF-451d-85D0-FEF8FDF05AA3}.exe
2644	{5BC5CF53-C013-4be6-AB91-DB1D95B8310C}.exe
1224	{8166D5DF-CECE-486e-A631-5612D251E0E7}.exe
2908	{EE4A4672-FFCE-4c82-97EA-C5EE9351A6BF}.exe
108	{A8C70D02-E3E2-4308-809D-A9DAA2D90DEB}.exe
1696	{F39F6BDB-639D-4694-B527-951FDD4C858C}.exe
2308	{4247E305-5D12-4c2c-AEE1-0DD744CBA08A}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{8166D5DF-CECE-486e-A631-5612D251E0E7}.exe	{5BC5CF53-C013-4be6-AB91-DB1D95B8310C}.exe
File created	C:\Windows\{A8C70D02-E3E2-4308-809D-A9DAA2D90DEB}.exe	{EE4A4672-FFCE-4c82-97EA-C5EE9351A6BF}.exe
File created	C:\Windows\{F39F6BDB-639D-4694-B527-951FDD4C858C}.exe	{A8C70D02-E3E2-4308-809D-A9DAA2D90DEB}.exe
File created	C:\Windows\{4F80111C-3127-47dd-9F7F-CD5FEB381662}.exe	{9011A089-4C6A-4b19-891E-7FA9658AF234}.exe
File created	C:\Windows\{418E3D07-52D0-4d35-9CA1-3E32749593D5}.exe	{4F80111C-3127-47dd-9F7F-CD5FEB381662}.exe
File created	C:\Windows\{2604E298-50AF-451d-85D0-FEF8FDF05AA3}.exe	{3BFB9E36-A0BC-4399-9FA1-9393DDB098A6}.exe
File created	C:\Windows\{5BC5CF53-C013-4be6-AB91-DB1D95B8310C}.exe	{2604E298-50AF-451d-85D0-FEF8FDF05AA3}.exe
File created	C:\Windows\{9011A089-4C6A-4b19-891E-7FA9658AF234}.exe	2024-01-01_46a214a0d9052a48ff8fd42eb3454a77_goldeneye.exe
File created	C:\Windows\{3BFB9E36-A0BC-4399-9FA1-9393DDB098A6}.exe	{418E3D07-52D0-4d35-9CA1-3E32749593D5}.exe
File created	C:\Windows\{EE4A4672-FFCE-4c82-97EA-C5EE9351A6BF}.exe	{8166D5DF-CECE-486e-A631-5612D251E0E7}.exe
File created	C:\Windows\{4247E305-5D12-4c2c-AEE1-0DD744CBA08A}.exe	{F39F6BDB-639D-4694-B527-951FDD4C858C}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2152	2024-01-01_46a214a0d9052a48ff8fd42eb3454a77_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1340	{9011A089-4C6A-4b19-891E-7FA9658AF234}.exe
Token: SeIncBasePriorityPrivilege	2844	{4F80111C-3127-47dd-9F7F-CD5FEB381662}.exe
Token: SeIncBasePriorityPrivilege	2620	{418E3D07-52D0-4d35-9CA1-3E32749593D5}.exe
Token: SeIncBasePriorityPrivilege	2184	{3BFB9E36-A0BC-4399-9FA1-9393DDB098A6}.exe
Token: SeIncBasePriorityPrivilege	2964	{2604E298-50AF-451d-85D0-FEF8FDF05AA3}.exe
Token: SeIncBasePriorityPrivilege	2644	{5BC5CF53-C013-4be6-AB91-DB1D95B8310C}.exe
Token: SeIncBasePriorityPrivilege	1224	{8166D5DF-CECE-486e-A631-5612D251E0E7}.exe
Token: SeIncBasePriorityPrivilege	2908	{EE4A4672-FFCE-4c82-97EA-C5EE9351A6BF}.exe
Token: SeIncBasePriorityPrivilege	108	{A8C70D02-E3E2-4308-809D-A9DAA2D90DEB}.exe
Token: SeIncBasePriorityPrivilege	1696	{F39F6BDB-639D-4694-B527-951FDD4C858C}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2152 wrote to memory of 1340	2152	2024-01-01_46a214a0d9052a48ff8fd42eb3454a77_goldeneye.exe	28
PID 2152 wrote to memory of 1340	2152	2024-01-01_46a214a0d9052a48ff8fd42eb3454a77_goldeneye.exe	28
PID 2152 wrote to memory of 1340	2152	2024-01-01_46a214a0d9052a48ff8fd42eb3454a77_goldeneye.exe	28
PID 2152 wrote to memory of 1340	2152	2024-01-01_46a214a0d9052a48ff8fd42eb3454a77_goldeneye.exe	28
PID 2152 wrote to memory of 2660	2152	2024-01-01_46a214a0d9052a48ff8fd42eb3454a77_goldeneye.exe	29
PID 2152 wrote to memory of 2660	2152	2024-01-01_46a214a0d9052a48ff8fd42eb3454a77_goldeneye.exe	29
PID 2152 wrote to memory of 2660	2152	2024-01-01_46a214a0d9052a48ff8fd42eb3454a77_goldeneye.exe	29
PID 2152 wrote to memory of 2660	2152	2024-01-01_46a214a0d9052a48ff8fd42eb3454a77_goldeneye.exe	29
PID 1340 wrote to memory of 2844	1340	{9011A089-4C6A-4b19-891E-7FA9658AF234}.exe	30
PID 1340 wrote to memory of 2844	1340	{9011A089-4C6A-4b19-891E-7FA9658AF234}.exe	30
PID 1340 wrote to memory of 2844	1340	{9011A089-4C6A-4b19-891E-7FA9658AF234}.exe	30
PID 1340 wrote to memory of 2844	1340	{9011A089-4C6A-4b19-891E-7FA9658AF234}.exe	30
PID 1340 wrote to memory of 2888	1340	{9011A089-4C6A-4b19-891E-7FA9658AF234}.exe	31
PID 1340 wrote to memory of 2888	1340	{9011A089-4C6A-4b19-891E-7FA9658AF234}.exe	31
PID 1340 wrote to memory of 2888	1340	{9011A089-4C6A-4b19-891E-7FA9658AF234}.exe	31
PID 1340 wrote to memory of 2888	1340	{9011A089-4C6A-4b19-891E-7FA9658AF234}.exe	31
PID 2844 wrote to memory of 2620	2844	{4F80111C-3127-47dd-9F7F-CD5FEB381662}.exe	34
PID 2844 wrote to memory of 2620	2844	{4F80111C-3127-47dd-9F7F-CD5FEB381662}.exe	34
PID 2844 wrote to memory of 2620	2844	{4F80111C-3127-47dd-9F7F-CD5FEB381662}.exe	34
PID 2844 wrote to memory of 2620	2844	{4F80111C-3127-47dd-9F7F-CD5FEB381662}.exe	34
PID 2844 wrote to memory of 1716	2844	{4F80111C-3127-47dd-9F7F-CD5FEB381662}.exe	35
PID 2844 wrote to memory of 1716	2844	{4F80111C-3127-47dd-9F7F-CD5FEB381662}.exe	35
PID 2844 wrote to memory of 1716	2844	{4F80111C-3127-47dd-9F7F-CD5FEB381662}.exe	35
PID 2844 wrote to memory of 1716	2844	{4F80111C-3127-47dd-9F7F-CD5FEB381662}.exe	35
PID 2620 wrote to memory of 2184	2620	{418E3D07-52D0-4d35-9CA1-3E32749593D5}.exe	36
PID 2620 wrote to memory of 2184	2620	{418E3D07-52D0-4d35-9CA1-3E32749593D5}.exe	36
PID 2620 wrote to memory of 2184	2620	{418E3D07-52D0-4d35-9CA1-3E32749593D5}.exe	36
PID 2620 wrote to memory of 2184	2620	{418E3D07-52D0-4d35-9CA1-3E32749593D5}.exe	36
PID 2620 wrote to memory of 576	2620	{418E3D07-52D0-4d35-9CA1-3E32749593D5}.exe	37
PID 2620 wrote to memory of 576	2620	{418E3D07-52D0-4d35-9CA1-3E32749593D5}.exe	37
PID 2620 wrote to memory of 576	2620	{418E3D07-52D0-4d35-9CA1-3E32749593D5}.exe	37
PID 2620 wrote to memory of 576	2620	{418E3D07-52D0-4d35-9CA1-3E32749593D5}.exe	37
PID 2184 wrote to memory of 2964	2184	{3BFB9E36-A0BC-4399-9FA1-9393DDB098A6}.exe	38
PID 2184 wrote to memory of 2964	2184	{3BFB9E36-A0BC-4399-9FA1-9393DDB098A6}.exe	38
PID 2184 wrote to memory of 2964	2184	{3BFB9E36-A0BC-4399-9FA1-9393DDB098A6}.exe	38
PID 2184 wrote to memory of 2964	2184	{3BFB9E36-A0BC-4399-9FA1-9393DDB098A6}.exe	38
PID 2184 wrote to memory of 2960	2184	{3BFB9E36-A0BC-4399-9FA1-9393DDB098A6}.exe	39
PID 2184 wrote to memory of 2960	2184	{3BFB9E36-A0BC-4399-9FA1-9393DDB098A6}.exe	39
PID 2184 wrote to memory of 2960	2184	{3BFB9E36-A0BC-4399-9FA1-9393DDB098A6}.exe	39
PID 2184 wrote to memory of 2960	2184	{3BFB9E36-A0BC-4399-9FA1-9393DDB098A6}.exe	39
PID 2964 wrote to memory of 2644	2964	{2604E298-50AF-451d-85D0-FEF8FDF05AA3}.exe	40
PID 2964 wrote to memory of 2644	2964	{2604E298-50AF-451d-85D0-FEF8FDF05AA3}.exe	40
PID 2964 wrote to memory of 2644	2964	{2604E298-50AF-451d-85D0-FEF8FDF05AA3}.exe	40
PID 2964 wrote to memory of 2644	2964	{2604E298-50AF-451d-85D0-FEF8FDF05AA3}.exe	40
PID 2964 wrote to memory of 1652	2964	{2604E298-50AF-451d-85D0-FEF8FDF05AA3}.exe	41
PID 2964 wrote to memory of 1652	2964	{2604E298-50AF-451d-85D0-FEF8FDF05AA3}.exe	41
PID 2964 wrote to memory of 1652	2964	{2604E298-50AF-451d-85D0-FEF8FDF05AA3}.exe	41
PID 2964 wrote to memory of 1652	2964	{2604E298-50AF-451d-85D0-FEF8FDF05AA3}.exe	41
PID 2644 wrote to memory of 1224	2644	{5BC5CF53-C013-4be6-AB91-DB1D95B8310C}.exe	42
PID 2644 wrote to memory of 1224	2644	{5BC5CF53-C013-4be6-AB91-DB1D95B8310C}.exe	42
PID 2644 wrote to memory of 1224	2644	{5BC5CF53-C013-4be6-AB91-DB1D95B8310C}.exe	42
PID 2644 wrote to memory of 1224	2644	{5BC5CF53-C013-4be6-AB91-DB1D95B8310C}.exe	42
PID 2644 wrote to memory of 2624	2644	{5BC5CF53-C013-4be6-AB91-DB1D95B8310C}.exe	43
PID 2644 wrote to memory of 2624	2644	{5BC5CF53-C013-4be6-AB91-DB1D95B8310C}.exe	43
PID 2644 wrote to memory of 2624	2644	{5BC5CF53-C013-4be6-AB91-DB1D95B8310C}.exe	43
PID 2644 wrote to memory of 2624	2644	{5BC5CF53-C013-4be6-AB91-DB1D95B8310C}.exe	43
PID 1224 wrote to memory of 2908	1224	{8166D5DF-CECE-486e-A631-5612D251E0E7}.exe	44
PID 1224 wrote to memory of 2908	1224	{8166D5DF-CECE-486e-A631-5612D251E0E7}.exe	44
PID 1224 wrote to memory of 2908	1224	{8166D5DF-CECE-486e-A631-5612D251E0E7}.exe	44
PID 1224 wrote to memory of 2908	1224	{8166D5DF-CECE-486e-A631-5612D251E0E7}.exe	44
PID 1224 wrote to memory of 2952	1224	{8166D5DF-CECE-486e-A631-5612D251E0E7}.exe	45
PID 1224 wrote to memory of 2952	1224	{8166D5DF-CECE-486e-A631-5612D251E0E7}.exe	45
PID 1224 wrote to memory of 2952	1224	{8166D5DF-CECE-486e-A631-5612D251E0E7}.exe	45
PID 1224 wrote to memory of 2952	1224	{8166D5DF-CECE-486e-A631-5612D251E0E7}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-01-01_46a214a0d9052a48ff8fd42eb3454a77_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-01_46a214a0d9052a48ff8fd42eb3454a77_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2152
- C:\Windows\{9011A089-4C6A-4b19-891E-7FA9658AF234}.exe
  C:\Windows\{9011A089-4C6A-4b19-891E-7FA9658AF234}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1340
- - C:\Windows\{4F80111C-3127-47dd-9F7F-CD5FEB381662}.exe
    C:\Windows\{4F80111C-3127-47dd-9F7F-CD5FEB381662}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2844
  - - C:\Windows\{418E3D07-52D0-4d35-9CA1-3E32749593D5}.exe
      C:\Windows\{418E3D07-52D0-4d35-9CA1-3E32749593D5}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2620
    - - C:\Windows\{3BFB9E36-A0BC-4399-9FA1-9393DDB098A6}.exe
        
        C:\Windows\{3BFB9E36-A0BC-4399-9FA1-9393DDB098A6}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2184
      - C:\Windows\{2604E298-50AF-451d-85D0-FEF8FDF05AA3}.exe
        
        C:\Windows\{2604E298-50AF-451d-85D0-FEF8FDF05AA3}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2964
        
        C:\Windows\{5BC5CF53-C013-4be6-AB91-DB1D95B8310C}.exe
        
        C:\Windows\{5BC5CF53-C013-4be6-AB91-DB1D95B8310C}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2644
        
        C:\Windows\{8166D5DF-CECE-486e-A631-5612D251E0E7}.exe
        
        C:\Windows\{8166D5DF-CECE-486e-A631-5612D251E0E7}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1224
        
        C:\Windows\{EE4A4672-FFCE-4c82-97EA-C5EE9351A6BF}.exe
        
        C:\Windows\{EE4A4672-FFCE-4c82-97EA-C5EE9351A6BF}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EE4A4~1.EXE > nul
        10⤵
        
        PID:1592
        
        C:\Windows\{A8C70D02-E3E2-4308-809D-A9DAA2D90DEB}.exe
        
        C:\Windows\{A8C70D02-E3E2-4308-809D-A9DAA2D90DEB}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:108
        
        C:\Windows\{F39F6BDB-639D-4694-B527-951FDD4C858C}.exe
        
        C:\Windows\{F39F6BDB-639D-4694-B527-951FDD4C858C}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1696
        
        C:\Windows\{4247E305-5D12-4c2c-AEE1-0DD744CBA08A}.exe
        
        C:\Windows\{4247E305-5D12-4c2c-AEE1-0DD744CBA08A}.exe
        12⤵
        Executes dropped EXE
        
        PID:2308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F39F6~1.EXE > nul
        12⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A8C70~1.EXE > nul
        11⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8166D~1.EXE > nul
        9⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5BC5C~1.EXE > nul
        8⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2604E~1.EXE > nul
        7⤵
        
        PID:1652
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3BFB9~1.EXE > nul
        6⤵
        
        PID:2960
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{418E3~1.EXE > nul
        5⤵
        
        PID:576
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{4F801~1.EXE > nul
      4⤵
      PID:1716
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{9011A~1.EXE > nul
    3⤵
    PID:2888
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{2604E298-50AF-451d-85D0-FEF8FDF05AA3}.exe

Filesize
408KB

MD5
8bd47c98656df7462eecb5194eeb0892

SHA1
e573c43d9fe71a2d7eca6c9efade6f6cb7a9fc55

SHA256
a01e331fc41e77ec68a24b15b57107147a01b9f85c25a199201545daf537b40b

SHA512
303df2d2b4a9f896c4d35ed7c440d8c80759be0f29bc121f4e5573b3a8c4fdaed6425d90da05964bd8418ec7b871df5cf51797bca1ffff6c33a325c72d4d8cb9

Download Submit
C:\Windows\{3BFB9E36-A0BC-4399-9FA1-9393DDB098A6}.exe

Filesize
408KB

MD5
6b847d2fa8c834ca719c1591f9fe083d

SHA1
06b8617a1ffe544e6d59600973cbdccb0358d909

SHA256
2cba3cf4f5426b2335f0682e275aca72df8457c49762641b0bda5cd334615f9b

SHA512
99e99204e64f11c5da0f5f9797ee4a366db736b77ef2ce97735f18aa2d58566f42a933db9e17298ee4b3454ddcc98c871474e6fa2a73e5c1a26c48861c54b461

Download Submit
C:\Windows\{418E3D07-52D0-4d35-9CA1-3E32749593D5}.exe

Filesize
408KB

MD5
8d9c71e45b55b2b43f870ec79822d163

SHA1
1b8dd52a3cfa904bf9939ea204478fcc06285015

SHA256
76204b6669599cbeb2da50d364aaf4a73777a96bf7e275c9a4970dc3902386ec

SHA512
1c81d926a5c862d88f54ed9b67a9b3b61aad8695f65304ccc7d679eb14d79305b88d8a8511722b26572786f5d1c9ad224ee043810de8652cd2963231ed974842

Download Submit
C:\Windows\{4247E305-5D12-4c2c-AEE1-0DD744CBA08A}.exe

Filesize
408KB

MD5
09f90768064958fca464ca9113bd565a

SHA1
8ba9fd39fd834c32f4e47178c3418e7c31f2a738

SHA256
5479a6dd1b002d4657713fe7c0f9b14a6db0fd82b81ed43867259c26da9e4374

SHA512
aff7a1a3eeb0e7bfe35aa177190bc206e171982f543acdc67edf9568a878845681fd27ab26ae40dbab949c93bfb0e6497049b33f306f5d264e9d4f15202024f0

Download Submit
C:\Windows\{4F80111C-3127-47dd-9F7F-CD5FEB381662}.exe

Filesize
408KB

MD5
76b49c61d2c860d534a301e5108dfdec

SHA1
7810f7271f5cdd9889f5892e6ef8e8039b3d9e35

SHA256
3caa2cdceeb17e7025c1118c10e0c34265b2b50227f979d1d3d7242b14f0d5d6

SHA512
14674ec78d1fe1f4a9d8f1d3be7f3aafaf8d74153d79980d9d31b6ab24d81277ab30d5ac0812995b8222bd108f0eda04be36d4b2e5d3919587988ddf9a40527b

Download Submit
C:\Windows\{5BC5CF53-C013-4be6-AB91-DB1D95B8310C}.exe

Filesize
408KB

MD5
ff6e17e2c75dbcc52abe817655182862

SHA1
0ca9573bd20c2eb4f00bef4a4018cb54c27dba87

SHA256
33a8af789a42b8b9f8b971b14535f7dadad20eb6d69fb4bd2faa772d2a77b64f

SHA512
0e42acf78cd45a5dab1f8d58d8920d9f85d3a139c751d984269436c7768df1ee86877a4015a092d521a59101d07a785301773b3da20241791511ff5c58814b50

Download Submit
C:\Windows\{8166D5DF-CECE-486e-A631-5612D251E0E7}.exe

Filesize
408KB

MD5
3b03e67ae034edb32a8c7fc0ccfd1dd4

SHA1
869bc431839a02c46e8d08a893d4c69c6105faef

SHA256
33e2730d2142c6bd2dbc34ea7a4e7f6058a8f8c6b39f3bee66a71464feed7cb4

SHA512
99688833f342e5f84ad0832e66ef0220aa1e6307ab7fe08a082e82ec7f72e63aace0ec5e5bc8050528f058a4b509e47ee27e4c8af32154a8e21648fd3df8fa68

Download Submit
C:\Windows\{9011A089-4C6A-4b19-891E-7FA9658AF234}.exe

Filesize
408KB

MD5
1ed7a720fd8eab364ff776ab8764bf7b

SHA1
19ab8dc8efe9faf65402e7abcc19c0d726d07f40

SHA256
4d385a7dda1bd9ebb0ff6cf12cab910a902ddc50b7987a2222e7a08808de5ac1

SHA512
38882c8dea97fe6810997b45cc3413e6d4a4165030c3c78d828720e2234a23bab61e18bf76b9f59d8eff1fe4998d5cfa76ea60b7d343b46b9213b4e095f7083c

Download Submit
C:\Windows\{A8C70D02-E3E2-4308-809D-A9DAA2D90DEB}.exe

Filesize
408KB

MD5
199cc29bc22594027fca1f291da18688

SHA1
0f88a4a14e40b218d88b56ee039955fae9f802f2

SHA256
0581ede1c866018b2050bb47824211fa1bd9cdc062c771e4c28418d1f77a5a2f

SHA512
38638d7a6b8d41ace63ce0a12103f26ea831b4588bcf95260d4621719b1fa8a88f3cfd939e6c862d4827766a1c54111b2c9cf4f9964ddb25aad7794bfc27b9a3

Download Submit
C:\Windows\{EE4A4672-FFCE-4c82-97EA-C5EE9351A6BF}.exe

Filesize
408KB

MD5
344399c0a04ae78c6a70852f3d0d8c94

SHA1
276f9638292bd4b382cc7018117275977440085b

SHA256
06a1b97ffa59062c130230717d6db961f73093dcf6f97fe7b7d49023d0c6024c

SHA512
298aa55888905426810abeca74dc0749048c0a11a7fce0b069fb60a9468aa40ff9e6a3c600b9cdc21eb42934fabb5be6dc768cd488e0729e13b0cea9626b1384

Download Submit
C:\Windows\{F39F6BDB-639D-4694-B527-951FDD4C858C}.exe

Filesize
408KB

MD5
6509396554e76ca7072851bb4a780764

SHA1
3c6c29de658157d50fbf1688ef86edb7f1c650a4

SHA256
b9abb18aa26327b56be8d1897f0495bbe0b7b256a9a1f2182c7a5b257125ebf3

SHA512
a471dfa7596881a584c58433d61705367dd01582e909dc4e538945f17fe5c4b7244041e73cb4f4d3539a3c7c48988c7d362a47747aa22abae8d32cf9f13efc38

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads