849529722613d0f1dad8052be01645d2ec130b54fce0a2cc5d4f9bd60057aad2

Analysis

max time kernel
144s
max time network
126s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
26/01/2024, 19:32

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-01-26_788a7fa9b7baf5127a531b195de010e0_goldeneye.exe
Size

372KB
MD5

788a7fa9b7baf5127a531b195de010e0
SHA1

9899fce0531b57451c01a4b0a1bde09c703eb9cd
SHA256

849529722613d0f1dad8052be01645d2ec130b54fce0a2cc5d4f9bd60057aad2
SHA512

a487b27d7714b29d562f5f09c00b4d4205908d789b4ee0baea4d1aa0b0c4e1a0c84cae356079ef666edebda88bea1915e8d227e872cce77344d6de114358cf27
SSDEEP

3072:CEGh0oclMOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBfM:CEG6lkOe2MUVg3vTeKcAEciTBqr3

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000800000001223f-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000012266-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x003300000000b1f4-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x003400000000b1f4-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x003500000000b1f4-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x003600000000b1f4-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x003700000000b1f4-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{523C265E-4697-42ce-8A1D-B890A17A0121}	{07102F8F-0626-4ff3-9B28-774641704C73}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4463FD8B-D49A-49c6-B9A5-AF2BEF0EDAB5}\stubpath = "C:\\Windows\\{4463FD8B-D49A-49c6-B9A5-AF2BEF0EDAB5}.exe"	{6AB44888-4037-41e4-AD42-AF7EF8EBE450}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{625AFEAC-360A-452a-9C7E-8CE4DB38129E}\stubpath = "C:\\Windows\\{625AFEAC-360A-452a-9C7E-8CE4DB38129E}.exe"	{4259D279-0024-4d4f-9F60-779FF5FF5254}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9F780249-891A-4af6-A00B-E005CA414F32}	{837249F5-B843-48a9-ADDF-69B80E124F9A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{077832A3-2BE7-4b24-90A4-9D543A39F87C}\stubpath = "C:\\Windows\\{077832A3-2BE7-4b24-90A4-9D543A39F87C}.exe"	{9F780249-891A-4af6-A00B-E005CA414F32}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{07102F8F-0626-4ff3-9B28-774641704C73}	{29FBF91C-7513-4c82-98B2-C6056C90EE33}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6AB44888-4037-41e4-AD42-AF7EF8EBE450}	{523C265E-4697-42ce-8A1D-B890A17A0121}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4463FD8B-D49A-49c6-B9A5-AF2BEF0EDAB5}	{6AB44888-4037-41e4-AD42-AF7EF8EBE450}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{625AFEAC-360A-452a-9C7E-8CE4DB38129E}	{4259D279-0024-4d4f-9F60-779FF5FF5254}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{077832A3-2BE7-4b24-90A4-9D543A39F87C}	{9F780249-891A-4af6-A00B-E005CA414F32}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{29FBF91C-7513-4c82-98B2-C6056C90EE33}\stubpath = "C:\\Windows\\{29FBF91C-7513-4c82-98B2-C6056C90EE33}.exe"	{80A0ADA4-C622-4802-B74D-9008B39B8220}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4259D279-0024-4d4f-9F60-779FF5FF5254}	{4463FD8B-D49A-49c6-B9A5-AF2BEF0EDAB5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4259D279-0024-4d4f-9F60-779FF5FF5254}\stubpath = "C:\\Windows\\{4259D279-0024-4d4f-9F60-779FF5FF5254}.exe"	{4463FD8B-D49A-49c6-B9A5-AF2BEF0EDAB5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{837249F5-B843-48a9-ADDF-69B80E124F9A}	{625AFEAC-360A-452a-9C7E-8CE4DB38129E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9F780249-891A-4af6-A00B-E005CA414F32}\stubpath = "C:\\Windows\\{9F780249-891A-4af6-A00B-E005CA414F32}.exe"	{837249F5-B843-48a9-ADDF-69B80E124F9A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{07102F8F-0626-4ff3-9B28-774641704C73}\stubpath = "C:\\Windows\\{07102F8F-0626-4ff3-9B28-774641704C73}.exe"	{29FBF91C-7513-4c82-98B2-C6056C90EE33}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{80A0ADA4-C622-4802-B74D-9008B39B8220}\stubpath = "C:\\Windows\\{80A0ADA4-C622-4802-B74D-9008B39B8220}.exe"	2024-01-26_788a7fa9b7baf5127a531b195de010e0_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{29FBF91C-7513-4c82-98B2-C6056C90EE33}	{80A0ADA4-C622-4802-B74D-9008B39B8220}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{523C265E-4697-42ce-8A1D-B890A17A0121}\stubpath = "C:\\Windows\\{523C265E-4697-42ce-8A1D-B890A17A0121}.exe"	{07102F8F-0626-4ff3-9B28-774641704C73}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6AB44888-4037-41e4-AD42-AF7EF8EBE450}\stubpath = "C:\\Windows\\{6AB44888-4037-41e4-AD42-AF7EF8EBE450}.exe"	{523C265E-4697-42ce-8A1D-B890A17A0121}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{837249F5-B843-48a9-ADDF-69B80E124F9A}\stubpath = "C:\\Windows\\{837249F5-B843-48a9-ADDF-69B80E124F9A}.exe"	{625AFEAC-360A-452a-9C7E-8CE4DB38129E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{80A0ADA4-C622-4802-B74D-9008B39B8220}	2024-01-26_788a7fa9b7baf5127a531b195de010e0_goldeneye.exe

Deletes itself 1 IoCs

pid	Process
2752	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2648	{80A0ADA4-C622-4802-B74D-9008B39B8220}.exe
2796	{29FBF91C-7513-4c82-98B2-C6056C90EE33}.exe
2596	{07102F8F-0626-4ff3-9B28-774641704C73}.exe
520	{523C265E-4697-42ce-8A1D-B890A17A0121}.exe
1508	{6AB44888-4037-41e4-AD42-AF7EF8EBE450}.exe
3020	{4463FD8B-D49A-49c6-B9A5-AF2BEF0EDAB5}.exe
2904	{4259D279-0024-4d4f-9F60-779FF5FF5254}.exe
2892	{625AFEAC-360A-452a-9C7E-8CE4DB38129E}.exe
1480	{837249F5-B843-48a9-ADDF-69B80E124F9A}.exe
328	{9F780249-891A-4af6-A00B-E005CA414F32}.exe
2028	{077832A3-2BE7-4b24-90A4-9D543A39F87C}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{07102F8F-0626-4ff3-9B28-774641704C73}.exe	{29FBF91C-7513-4c82-98B2-C6056C90EE33}.exe
File created	C:\Windows\{523C265E-4697-42ce-8A1D-B890A17A0121}.exe	{07102F8F-0626-4ff3-9B28-774641704C73}.exe
File created	C:\Windows\{6AB44888-4037-41e4-AD42-AF7EF8EBE450}.exe	{523C265E-4697-42ce-8A1D-B890A17A0121}.exe
File created	C:\Windows\{4259D279-0024-4d4f-9F60-779FF5FF5254}.exe	{4463FD8B-D49A-49c6-B9A5-AF2BEF0EDAB5}.exe
File created	C:\Windows\{077832A3-2BE7-4b24-90A4-9D543A39F87C}.exe	{9F780249-891A-4af6-A00B-E005CA414F32}.exe
File created	C:\Windows\{80A0ADA4-C622-4802-B74D-9008B39B8220}.exe	2024-01-26_788a7fa9b7baf5127a531b195de010e0_goldeneye.exe
File created	C:\Windows\{29FBF91C-7513-4c82-98B2-C6056C90EE33}.exe	{80A0ADA4-C622-4802-B74D-9008B39B8220}.exe
File created	C:\Windows\{4463FD8B-D49A-49c6-B9A5-AF2BEF0EDAB5}.exe	{6AB44888-4037-41e4-AD42-AF7EF8EBE450}.exe
File created	C:\Windows\{625AFEAC-360A-452a-9C7E-8CE4DB38129E}.exe	{4259D279-0024-4d4f-9F60-779FF5FF5254}.exe
File created	C:\Windows\{837249F5-B843-48a9-ADDF-69B80E124F9A}.exe	{625AFEAC-360A-452a-9C7E-8CE4DB38129E}.exe
File created	C:\Windows\{9F780249-891A-4af6-A00B-E005CA414F32}.exe	{837249F5-B843-48a9-ADDF-69B80E124F9A}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1488	2024-01-26_788a7fa9b7baf5127a531b195de010e0_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2648	{80A0ADA4-C622-4802-B74D-9008B39B8220}.exe
Token: SeIncBasePriorityPrivilege	2796	{29FBF91C-7513-4c82-98B2-C6056C90EE33}.exe
Token: SeIncBasePriorityPrivilege	2596	{07102F8F-0626-4ff3-9B28-774641704C73}.exe
Token: SeIncBasePriorityPrivilege	520	{523C265E-4697-42ce-8A1D-B890A17A0121}.exe
Token: SeIncBasePriorityPrivilege	1508	{6AB44888-4037-41e4-AD42-AF7EF8EBE450}.exe
Token: SeIncBasePriorityPrivilege	3020	{4463FD8B-D49A-49c6-B9A5-AF2BEF0EDAB5}.exe
Token: SeIncBasePriorityPrivilege	2904	{4259D279-0024-4d4f-9F60-779FF5FF5254}.exe
Token: SeIncBasePriorityPrivilege	2892	{625AFEAC-360A-452a-9C7E-8CE4DB38129E}.exe
Token: SeIncBasePriorityPrivilege	1480	{837249F5-B843-48a9-ADDF-69B80E124F9A}.exe
Token: SeIncBasePriorityPrivilege	328	{9F780249-891A-4af6-A00B-E005CA414F32}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1488 wrote to memory of 2648	1488	2024-01-26_788a7fa9b7baf5127a531b195de010e0_goldeneye.exe	28
PID 1488 wrote to memory of 2648	1488	2024-01-26_788a7fa9b7baf5127a531b195de010e0_goldeneye.exe	28
PID 1488 wrote to memory of 2648	1488	2024-01-26_788a7fa9b7baf5127a531b195de010e0_goldeneye.exe	28
PID 1488 wrote to memory of 2648	1488	2024-01-26_788a7fa9b7baf5127a531b195de010e0_goldeneye.exe	28
PID 1488 wrote to memory of 2752	1488	2024-01-26_788a7fa9b7baf5127a531b195de010e0_goldeneye.exe	29
PID 1488 wrote to memory of 2752	1488	2024-01-26_788a7fa9b7baf5127a531b195de010e0_goldeneye.exe	29
PID 1488 wrote to memory of 2752	1488	2024-01-26_788a7fa9b7baf5127a531b195de010e0_goldeneye.exe	29
PID 1488 wrote to memory of 2752	1488	2024-01-26_788a7fa9b7baf5127a531b195de010e0_goldeneye.exe	29
PID 2648 wrote to memory of 2796	2648	{80A0ADA4-C622-4802-B74D-9008B39B8220}.exe	30
PID 2648 wrote to memory of 2796	2648	{80A0ADA4-C622-4802-B74D-9008B39B8220}.exe	30
PID 2648 wrote to memory of 2796	2648	{80A0ADA4-C622-4802-B74D-9008B39B8220}.exe	30
PID 2648 wrote to memory of 2796	2648	{80A0ADA4-C622-4802-B74D-9008B39B8220}.exe	30
PID 2648 wrote to memory of 2216	2648	{80A0ADA4-C622-4802-B74D-9008B39B8220}.exe	31
PID 2648 wrote to memory of 2216	2648	{80A0ADA4-C622-4802-B74D-9008B39B8220}.exe	31
PID 2648 wrote to memory of 2216	2648	{80A0ADA4-C622-4802-B74D-9008B39B8220}.exe	31
PID 2648 wrote to memory of 2216	2648	{80A0ADA4-C622-4802-B74D-9008B39B8220}.exe	31
PID 2796 wrote to memory of 2596	2796	{29FBF91C-7513-4c82-98B2-C6056C90EE33}.exe	35
PID 2796 wrote to memory of 2596	2796	{29FBF91C-7513-4c82-98B2-C6056C90EE33}.exe	35
PID 2796 wrote to memory of 2596	2796	{29FBF91C-7513-4c82-98B2-C6056C90EE33}.exe	35
PID 2796 wrote to memory of 2596	2796	{29FBF91C-7513-4c82-98B2-C6056C90EE33}.exe	35
PID 2796 wrote to memory of 2580	2796	{29FBF91C-7513-4c82-98B2-C6056C90EE33}.exe	34
PID 2796 wrote to memory of 2580	2796	{29FBF91C-7513-4c82-98B2-C6056C90EE33}.exe	34
PID 2796 wrote to memory of 2580	2796	{29FBF91C-7513-4c82-98B2-C6056C90EE33}.exe	34
PID 2796 wrote to memory of 2580	2796	{29FBF91C-7513-4c82-98B2-C6056C90EE33}.exe	34
PID 2596 wrote to memory of 520	2596	{07102F8F-0626-4ff3-9B28-774641704C73}.exe	37
PID 2596 wrote to memory of 520	2596	{07102F8F-0626-4ff3-9B28-774641704C73}.exe	37
PID 2596 wrote to memory of 520	2596	{07102F8F-0626-4ff3-9B28-774641704C73}.exe	37
PID 2596 wrote to memory of 520	2596	{07102F8F-0626-4ff3-9B28-774641704C73}.exe	37
PID 2596 wrote to memory of 768	2596	{07102F8F-0626-4ff3-9B28-774641704C73}.exe	36
PID 2596 wrote to memory of 768	2596	{07102F8F-0626-4ff3-9B28-774641704C73}.exe	36
PID 2596 wrote to memory of 768	2596	{07102F8F-0626-4ff3-9B28-774641704C73}.exe	36
PID 2596 wrote to memory of 768	2596	{07102F8F-0626-4ff3-9B28-774641704C73}.exe	36
PID 520 wrote to memory of 1508	520	{523C265E-4697-42ce-8A1D-B890A17A0121}.exe	38
PID 520 wrote to memory of 1508	520	{523C265E-4697-42ce-8A1D-B890A17A0121}.exe	38
PID 520 wrote to memory of 1508	520	{523C265E-4697-42ce-8A1D-B890A17A0121}.exe	38
PID 520 wrote to memory of 1508	520	{523C265E-4697-42ce-8A1D-B890A17A0121}.exe	38
PID 520 wrote to memory of 2984	520	{523C265E-4697-42ce-8A1D-B890A17A0121}.exe	39
PID 520 wrote to memory of 2984	520	{523C265E-4697-42ce-8A1D-B890A17A0121}.exe	39
PID 520 wrote to memory of 2984	520	{523C265E-4697-42ce-8A1D-B890A17A0121}.exe	39
PID 520 wrote to memory of 2984	520	{523C265E-4697-42ce-8A1D-B890A17A0121}.exe	39
PID 1508 wrote to memory of 3020	1508	{6AB44888-4037-41e4-AD42-AF7EF8EBE450}.exe	40
PID 1508 wrote to memory of 3020	1508	{6AB44888-4037-41e4-AD42-AF7EF8EBE450}.exe	40
PID 1508 wrote to memory of 3020	1508	{6AB44888-4037-41e4-AD42-AF7EF8EBE450}.exe	40
PID 1508 wrote to memory of 3020	1508	{6AB44888-4037-41e4-AD42-AF7EF8EBE450}.exe	40
PID 1508 wrote to memory of 2716	1508	{6AB44888-4037-41e4-AD42-AF7EF8EBE450}.exe	41
PID 1508 wrote to memory of 2716	1508	{6AB44888-4037-41e4-AD42-AF7EF8EBE450}.exe	41
PID 1508 wrote to memory of 2716	1508	{6AB44888-4037-41e4-AD42-AF7EF8EBE450}.exe	41
PID 1508 wrote to memory of 2716	1508	{6AB44888-4037-41e4-AD42-AF7EF8EBE450}.exe	41
PID 3020 wrote to memory of 2904	3020	{4463FD8B-D49A-49c6-B9A5-AF2BEF0EDAB5}.exe	42
PID 3020 wrote to memory of 2904	3020	{4463FD8B-D49A-49c6-B9A5-AF2BEF0EDAB5}.exe	42
PID 3020 wrote to memory of 2904	3020	{4463FD8B-D49A-49c6-B9A5-AF2BEF0EDAB5}.exe	42
PID 3020 wrote to memory of 2904	3020	{4463FD8B-D49A-49c6-B9A5-AF2BEF0EDAB5}.exe	42
PID 3020 wrote to memory of 1084	3020	{4463FD8B-D49A-49c6-B9A5-AF2BEF0EDAB5}.exe	43
PID 3020 wrote to memory of 1084	3020	{4463FD8B-D49A-49c6-B9A5-AF2BEF0EDAB5}.exe	43
PID 3020 wrote to memory of 1084	3020	{4463FD8B-D49A-49c6-B9A5-AF2BEF0EDAB5}.exe	43
PID 3020 wrote to memory of 1084	3020	{4463FD8B-D49A-49c6-B9A5-AF2BEF0EDAB5}.exe	43
PID 2904 wrote to memory of 2892	2904	{4259D279-0024-4d4f-9F60-779FF5FF5254}.exe	44
PID 2904 wrote to memory of 2892	2904	{4259D279-0024-4d4f-9F60-779FF5FF5254}.exe	44
PID 2904 wrote to memory of 2892	2904	{4259D279-0024-4d4f-9F60-779FF5FF5254}.exe	44
PID 2904 wrote to memory of 2892	2904	{4259D279-0024-4d4f-9F60-779FF5FF5254}.exe	44
PID 2904 wrote to memory of 2884	2904	{4259D279-0024-4d4f-9F60-779FF5FF5254}.exe	45
PID 2904 wrote to memory of 2884	2904	{4259D279-0024-4d4f-9F60-779FF5FF5254}.exe	45
PID 2904 wrote to memory of 2884	2904	{4259D279-0024-4d4f-9F60-779FF5FF5254}.exe	45
PID 2904 wrote to memory of 2884	2904	{4259D279-0024-4d4f-9F60-779FF5FF5254}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-01-26_788a7fa9b7baf5127a531b195de010e0_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-26_788a7fa9b7baf5127a531b195de010e0_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1488
- C:\Windows\{80A0ADA4-C622-4802-B74D-9008B39B8220}.exe
  C:\Windows\{80A0ADA4-C622-4802-B74D-9008B39B8220}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2648
- - C:\Windows\{29FBF91C-7513-4c82-98B2-C6056C90EE33}.exe
    C:\Windows\{29FBF91C-7513-4c82-98B2-C6056C90EE33}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2796
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{29FBF~1.EXE > nul
      4⤵
      PID:2580
  - - C:\Windows\{07102F8F-0626-4ff3-9B28-774641704C73}.exe
      C:\Windows\{07102F8F-0626-4ff3-9B28-774641704C73}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2596
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{07102~1.EXE > nul
        5⤵
        
        PID:768
    - - C:\Windows\{523C265E-4697-42ce-8A1D-B890A17A0121}.exe
        
        C:\Windows\{523C265E-4697-42ce-8A1D-B890A17A0121}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:520
      - C:\Windows\{6AB44888-4037-41e4-AD42-AF7EF8EBE450}.exe
        
        C:\Windows\{6AB44888-4037-41e4-AD42-AF7EF8EBE450}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1508
        
        C:\Windows\{4463FD8B-D49A-49c6-B9A5-AF2BEF0EDAB5}.exe
        
        C:\Windows\{4463FD8B-D49A-49c6-B9A5-AF2BEF0EDAB5}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3020
        
        C:\Windows\{4259D279-0024-4d4f-9F60-779FF5FF5254}.exe
        
        C:\Windows\{4259D279-0024-4d4f-9F60-779FF5FF5254}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2904
        
        C:\Windows\{625AFEAC-360A-452a-9C7E-8CE4DB38129E}.exe
        
        C:\Windows\{625AFEAC-360A-452a-9C7E-8CE4DB38129E}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2892
        
        C:\Windows\{837249F5-B843-48a9-ADDF-69B80E124F9A}.exe
        
        C:\Windows\{837249F5-B843-48a9-ADDF-69B80E124F9A}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1480
        
        C:\Windows\{9F780249-891A-4af6-A00B-E005CA414F32}.exe
        
        C:\Windows\{9F780249-891A-4af6-A00B-E005CA414F32}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:328
        
        C:\Windows\{077832A3-2BE7-4b24-90A4-9D543A39F87C}.exe
        
        C:\Windows\{077832A3-2BE7-4b24-90A4-9D543A39F87C}.exe
        12⤵
        Executes dropped EXE
        
        PID:2028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9F780~1.EXE > nul
        12⤵
        
        PID:1884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{83724~1.EXE > nul
        11⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{625AF~1.EXE > nul
        10⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4259D~1.EXE > nul
        9⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4463F~1.EXE > nul
        8⤵
        
        PID:1084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6AB44~1.EXE > nul
        7⤵
        
        PID:2716
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{523C2~1.EXE > nul
        6⤵
        
        PID:2984
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{80A0A~1.EXE > nul
    3⤵
    PID:2216
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{07102F8F-0626-4ff3-9B28-774641704C73}.exe

Filesize
372KB

MD5
d12c4ba965bf40d41557e851bd7206f3

SHA1
bb5f10f7ab8934218f9d86ba9b2677674e15fa19

SHA256
ce171a7d251612614c8f881e9cb8f2b06ec0704f0544b64d716ea1bfd9ef036d

SHA512
1e2802cdccd14740d8fcaf172a1e7401861fea27d34842bef130766f75154e083c050cc969a0421565727021e40bffc21a2411a30a86c93a506635f208b2dc6a

Download Submit
C:\Windows\{077832A3-2BE7-4b24-90A4-9D543A39F87C}.exe

Filesize
372KB

MD5
2e09babe3b3bff001fb57c7e3432bb67

SHA1
85d7c4b87cb62b4c34f446fb3b077fcdf9250568

SHA256
91b719334068a38409d12382c0482596955af33e358c7adf7c4889aea1d53a50

SHA512
ec54298dd9786ca397796eb54677a0079d5f5c31c0559843fb826e01825dd228d6de748442db72d1411c1df992ab150c1504f100abdbf4c4213fb61b1555cf94

Download Submit
C:\Windows\{29FBF91C-7513-4c82-98B2-C6056C90EE33}.exe

Filesize
372KB

MD5
8d43428f8c6f1fb6a737ac718b2f3dab

SHA1
9cebaa319104c49563dc5e2b5b1103c5966dec57

SHA256
6637e42de37eca4687a2c3ccf254ea9bf47ba37688461f4ed490978373476bd2

SHA512
cf98533322ef409d056ee4afc1ec4cd90454ca39e92e5fe48dec81a400d2a5bb0192e7ca42237d29853906dac276566b9c38d4f77960f5ade4a84d0bc272b6dd

Download Submit
C:\Windows\{4259D279-0024-4d4f-9F60-779FF5FF5254}.exe

Filesize
372KB

MD5
7973c46df774047fbcfec108c2d72cb5

SHA1
eedb1ed37864fb71542a910216e6184207a4daa8

SHA256
2c1a0ed36cbc0c253d29efc0274560ff63d179a17af6804ab1e888503a520e11

SHA512
bab694ae6ce3f8bb5988955d1b0377a465d853fdb65df714341777a37f7ef7cf90d00ce8fab4d8eb7e29834fe72f92d3a543f23b47cb19b7ff1fdebe467e13c0

Download Submit
C:\Windows\{4463FD8B-D49A-49c6-B9A5-AF2BEF0EDAB5}.exe

Filesize
372KB

MD5
f234cb6817803d96a2e7e7e875e85899

SHA1
1f1e2b477488a95500c0f8ade2cdc614aa2b7e7a

SHA256
b6fbe8ccbce15e5b931dbd3be50018334b8176802580e39e7537b8bc5c522946

SHA512
9b201c460981f6742994020aed9074a36a8395e3bca0161c70cda808afd7071a5968e6a9aca28b4c386a5b3e355fa1741b753f0d8f29b6072a8336cda238acf1

Download Submit
C:\Windows\{523C265E-4697-42ce-8A1D-B890A17A0121}.exe

Filesize
372KB

MD5
136b71afa710d1731ea9d11b1ed5d70a

SHA1
5293adadcf338ca41668460539137373391fecf3

SHA256
e064fefb6facef2ceee0b5f3c757df47b6424bb8590f7e95575f0362e6efd224

SHA512
84862bf93e80fb91aa010cdefabd7484ca0d04ec20b9381063a0936af418cde397e3873a083e51429aa81311c927a49feedc6ea675da5cc0c58155a4059c96b5

Download Submit
C:\Windows\{625AFEAC-360A-452a-9C7E-8CE4DB38129E}.exe

Filesize
372KB

MD5
0d88fe77e71843d396da71d76ff2949c

SHA1
46d62657d5973ba2a0088af084780060cd9835b3

SHA256
272013ef5ae6942fe5fa55f321d365491690d305177db10342e8bc5f02b5a68e

SHA512
8c84a6cbdf01ae8781772b782017887d8af93fcd815d0e8d16bd78470e648d750a1d495b097365ca62ec4e7d22470916990dfa14f7f2baca6fc5de95d43feac3

Download Submit
C:\Windows\{6AB44888-4037-41e4-AD42-AF7EF8EBE450}.exe

Filesize
372KB

MD5
e9715467ebf11fdf38eefd58d8f9cf85

SHA1
cf7a11855f57b985895d5068ab0872a0090fa825

SHA256
a5528f7dff8edffb11a53285402651fc49e36377be7b4fa5ff83b480af34a6c1

SHA512
cbc3bc8403d61af184799f36d57b6bb708098199b17d3afb1da9c6c197df1d095d3314b2e6453e16ba090f246ca829f8367b14bd2a4faf8bcb10abd6ba739ee1

Download Submit
C:\Windows\{80A0ADA4-C622-4802-B74D-9008B39B8220}.exe

Filesize
372KB

MD5
329cfef72fb47108add006c1dd6949f6

SHA1
f144bfcfeebb7a85b1cb590b6313a383b43774e2

SHA256
32ba00787d1379ac7a57817dfb50bd8de2e13f22378a4ee53b73f90049e33a50

SHA512
ad65a5a55f32b1e77d6092d402796f0ae496cf03518857ce42293556a6dbddc82c66c6a6a634e83daf6c4b5416ad7cca40e45486df2e8ca1614680ee0ae60dbd

Download Submit
C:\Windows\{837249F5-B843-48a9-ADDF-69B80E124F9A}.exe

Filesize
372KB

MD5
c256503fc9af4afc07999151455a2fe7

SHA1
ff87a88840aed6dec6cf2609daff61b60970eeb6

SHA256
8a06f95a6be648f44e317d6993445925b7dda6d988e1e7edd987c5362c9e2f6c

SHA512
0674a6dd4471a277d4d81febd3e8c0112eb527383d715276f916835e79d32f1208f0274b741a75c334a9b016741f6780bd65f5ff946b5aaf0060e951beb4fa50

Download Submit
C:\Windows\{9F780249-891A-4af6-A00B-E005CA414F32}.exe

Filesize
372KB

MD5
1cade0e69eb9e2d3d0c7be9edfbbddc4

SHA1
20960057904edabfc0b6496f310786d4f5d72c9b

SHA256
0f7157a6c81021cf16a645bb950091e3884c70283d87e880af633e2a433954be

SHA512
5405e8d97e7cdddac814c757954a59e3a33699de41c9c189abe1e282ff0b82f46436f430cb9fbb83c1ac3f320ac992dffa446d9bcfdc115f58abb32faa48b81d

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads