7d969909277d6dc541e11218ab1b447e45d46684efa92ac8d889bfff96c9de37

Analysis

max time kernel
144s
max time network
126s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
28/01/2024, 08:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-28_d10212723e61ed24909b906e620a767e_goldeneye.exe
Size

344KB
MD5

d10212723e61ed24909b906e620a767e
SHA1

acbd4a21b5e0679d8971151e0092514f6cfe3dc9
SHA256

7d969909277d6dc541e11218ab1b447e45d46684efa92ac8d889bfff96c9de37
SHA512

c3a371b8266ee8597a24f390b8b3117f088b9534e29ee7b805023c33917888856183d0fd4c755e8d2621c7a5e20ccd58c04c170f9e218109ba25819369fa03b6
SSDEEP

3072:mEGh0oIlEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGSlqOe2MUVg3v2IneKcAEcA

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral1/files/0x000900000001225c-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a000000014af0-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000600000000f6f8-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a00000001225c-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b000000014af0-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b00000001225c-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000014af0-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000014af0-48.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c00000001225c-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000014af0-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d00000001225c-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000014b50-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7FAE05C7-DD72-4a13-8057-16E323E09AEB}\stubpath = "C:\\Windows\\{7FAE05C7-DD72-4a13-8057-16E323E09AEB}.exe"	{2F6584E1-C798-48b6-A73A-B1E66516C342}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{657ED51C-E3E3-4004-A0A3-ABD9F92EF1BA}	{3B32792E-4A7F-46ad-86CB-829B479A25E2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{79470E55-34D2-400c-A70D-4A095CCFDCCC}	{1819BB00-0C70-452f-B56D-35D57616EA17}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{79470E55-34D2-400c-A70D-4A095CCFDCCC}\stubpath = "C:\\Windows\\{79470E55-34D2-400c-A70D-4A095CCFDCCC}.exe"	{1819BB00-0C70-452f-B56D-35D57616EA17}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7A124C67-F238-4a43-AF72-56F6C09A7410}\stubpath = "C:\\Windows\\{7A124C67-F238-4a43-AF72-56F6C09A7410}.exe"	{79470E55-34D2-400c-A70D-4A095CCFDCCC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B1CC6440-E3EC-4f84-B68D-343FA428C0C9}\stubpath = "C:\\Windows\\{B1CC6440-E3EC-4f84-B68D-343FA428C0C9}.exe"	{DF43F8F8-69BC-4bd4-AC1B-BE99434AB9CA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2F6584E1-C798-48b6-A73A-B1E66516C342}\stubpath = "C:\\Windows\\{2F6584E1-C798-48b6-A73A-B1E66516C342}.exe"	{B1CC6440-E3EC-4f84-B68D-343FA428C0C9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1819BB00-0C70-452f-B56D-35D57616EA17}\stubpath = "C:\\Windows\\{1819BB00-0C70-452f-B56D-35D57616EA17}.exe"	{657ED51C-E3E3-4004-A0A3-ABD9F92EF1BA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7A124C67-F238-4a43-AF72-56F6C09A7410}	{79470E55-34D2-400c-A70D-4A095CCFDCCC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EBCDE0C0-5F10-4312-BBAC-E7807B71F0B4}\stubpath = "C:\\Windows\\{EBCDE0C0-5F10-4312-BBAC-E7807B71F0B4}.exe"	{E92EBBDB-4946-445b-A379-60F4CC81792F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DF43F8F8-69BC-4bd4-AC1B-BE99434AB9CA}	2024-01-28_d10212723e61ed24909b906e620a767e_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2F6584E1-C798-48b6-A73A-B1E66516C342}	{B1CC6440-E3EC-4f84-B68D-343FA428C0C9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E92EBBDB-4946-445b-A379-60F4CC81792F}	{7A124C67-F238-4a43-AF72-56F6C09A7410}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3B32792E-4A7F-46ad-86CB-829B479A25E2}\stubpath = "C:\\Windows\\{3B32792E-4A7F-46ad-86CB-829B479A25E2}.exe"	{7FAE05C7-DD72-4a13-8057-16E323E09AEB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1819BB00-0C70-452f-B56D-35D57616EA17}	{657ED51C-E3E3-4004-A0A3-ABD9F92EF1BA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7FAE05C7-DD72-4a13-8057-16E323E09AEB}	{2F6584E1-C798-48b6-A73A-B1E66516C342}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3B32792E-4A7F-46ad-86CB-829B479A25E2}	{7FAE05C7-DD72-4a13-8057-16E323E09AEB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{657ED51C-E3E3-4004-A0A3-ABD9F92EF1BA}\stubpath = "C:\\Windows\\{657ED51C-E3E3-4004-A0A3-ABD9F92EF1BA}.exe"	{3B32792E-4A7F-46ad-86CB-829B479A25E2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E92EBBDB-4946-445b-A379-60F4CC81792F}\stubpath = "C:\\Windows\\{E92EBBDB-4946-445b-A379-60F4CC81792F}.exe"	{7A124C67-F238-4a43-AF72-56F6C09A7410}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EBCDE0C0-5F10-4312-BBAC-E7807B71F0B4}	{E92EBBDB-4946-445b-A379-60F4CC81792F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DF43F8F8-69BC-4bd4-AC1B-BE99434AB9CA}\stubpath = "C:\\Windows\\{DF43F8F8-69BC-4bd4-AC1B-BE99434AB9CA}.exe"	2024-01-28_d10212723e61ed24909b906e620a767e_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B1CC6440-E3EC-4f84-B68D-343FA428C0C9}	{DF43F8F8-69BC-4bd4-AC1B-BE99434AB9CA}.exe

Deletes itself 1 IoCs

pid	Process
1908	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2028	{DF43F8F8-69BC-4bd4-AC1B-BE99434AB9CA}.exe
2572	{B1CC6440-E3EC-4f84-B68D-343FA428C0C9}.exe
2832	{2F6584E1-C798-48b6-A73A-B1E66516C342}.exe
2508	{7FAE05C7-DD72-4a13-8057-16E323E09AEB}.exe
1540	{3B32792E-4A7F-46ad-86CB-829B479A25E2}.exe
2656	{657ED51C-E3E3-4004-A0A3-ABD9F92EF1BA}.exe
2088	{1819BB00-0C70-452f-B56D-35D57616EA17}.exe
2124	{79470E55-34D2-400c-A70D-4A095CCFDCCC}.exe
1236	{7A124C67-F238-4a43-AF72-56F6C09A7410}.exe
2696	{E92EBBDB-4946-445b-A379-60F4CC81792F}.exe
1992	{EBCDE0C0-5F10-4312-BBAC-E7807B71F0B4}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{7FAE05C7-DD72-4a13-8057-16E323E09AEB}.exe	{2F6584E1-C798-48b6-A73A-B1E66516C342}.exe
File created	C:\Windows\{3B32792E-4A7F-46ad-86CB-829B479A25E2}.exe	{7FAE05C7-DD72-4a13-8057-16E323E09AEB}.exe
File created	C:\Windows\{1819BB00-0C70-452f-B56D-35D57616EA17}.exe	{657ED51C-E3E3-4004-A0A3-ABD9F92EF1BA}.exe
File created	C:\Windows\{79470E55-34D2-400c-A70D-4A095CCFDCCC}.exe	{1819BB00-0C70-452f-B56D-35D57616EA17}.exe
File created	C:\Windows\{7A124C67-F238-4a43-AF72-56F6C09A7410}.exe	{79470E55-34D2-400c-A70D-4A095CCFDCCC}.exe
File created	C:\Windows\{E92EBBDB-4946-445b-A379-60F4CC81792F}.exe	{7A124C67-F238-4a43-AF72-56F6C09A7410}.exe
File created	C:\Windows\{B1CC6440-E3EC-4f84-B68D-343FA428C0C9}.exe	{DF43F8F8-69BC-4bd4-AC1B-BE99434AB9CA}.exe
File created	C:\Windows\{2F6584E1-C798-48b6-A73A-B1E66516C342}.exe	{B1CC6440-E3EC-4f84-B68D-343FA428C0C9}.exe
File created	C:\Windows\{EBCDE0C0-5F10-4312-BBAC-E7807B71F0B4}.exe	{E92EBBDB-4946-445b-A379-60F4CC81792F}.exe
File created	C:\Windows\{DF43F8F8-69BC-4bd4-AC1B-BE99434AB9CA}.exe	2024-01-28_d10212723e61ed24909b906e620a767e_goldeneye.exe
File created	C:\Windows\{657ED51C-E3E3-4004-A0A3-ABD9F92EF1BA}.exe	{3B32792E-4A7F-46ad-86CB-829B479A25E2}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2336	2024-01-28_d10212723e61ed24909b906e620a767e_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2028	{DF43F8F8-69BC-4bd4-AC1B-BE99434AB9CA}.exe
Token: SeIncBasePriorityPrivilege	2572	{B1CC6440-E3EC-4f84-B68D-343FA428C0C9}.exe
Token: SeIncBasePriorityPrivilege	2832	{2F6584E1-C798-48b6-A73A-B1E66516C342}.exe
Token: SeIncBasePriorityPrivilege	2508	{7FAE05C7-DD72-4a13-8057-16E323E09AEB}.exe
Token: SeIncBasePriorityPrivilege	1540	{3B32792E-4A7F-46ad-86CB-829B479A25E2}.exe
Token: SeIncBasePriorityPrivilege	2656	{657ED51C-E3E3-4004-A0A3-ABD9F92EF1BA}.exe
Token: SeIncBasePriorityPrivilege	2088	{1819BB00-0C70-452f-B56D-35D57616EA17}.exe
Token: SeIncBasePriorityPrivilege	2124	{79470E55-34D2-400c-A70D-4A095CCFDCCC}.exe
Token: SeIncBasePriorityPrivilege	1236	{7A124C67-F238-4a43-AF72-56F6C09A7410}.exe
Token: SeIncBasePriorityPrivilege	2696	{E92EBBDB-4946-445b-A379-60F4CC81792F}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2336 wrote to memory of 2028	2336	2024-01-28_d10212723e61ed24909b906e620a767e_goldeneye.exe	28
PID 2336 wrote to memory of 2028	2336	2024-01-28_d10212723e61ed24909b906e620a767e_goldeneye.exe	28
PID 2336 wrote to memory of 2028	2336	2024-01-28_d10212723e61ed24909b906e620a767e_goldeneye.exe	28
PID 2336 wrote to memory of 2028	2336	2024-01-28_d10212723e61ed24909b906e620a767e_goldeneye.exe	28
PID 2336 wrote to memory of 1908	2336	2024-01-28_d10212723e61ed24909b906e620a767e_goldeneye.exe	29
PID 2336 wrote to memory of 1908	2336	2024-01-28_d10212723e61ed24909b906e620a767e_goldeneye.exe	29
PID 2336 wrote to memory of 1908	2336	2024-01-28_d10212723e61ed24909b906e620a767e_goldeneye.exe	29
PID 2336 wrote to memory of 1908	2336	2024-01-28_d10212723e61ed24909b906e620a767e_goldeneye.exe	29
PID 2028 wrote to memory of 2572	2028	{DF43F8F8-69BC-4bd4-AC1B-BE99434AB9CA}.exe	32
PID 2028 wrote to memory of 2572	2028	{DF43F8F8-69BC-4bd4-AC1B-BE99434AB9CA}.exe	32
PID 2028 wrote to memory of 2572	2028	{DF43F8F8-69BC-4bd4-AC1B-BE99434AB9CA}.exe	32
PID 2028 wrote to memory of 2572	2028	{DF43F8F8-69BC-4bd4-AC1B-BE99434AB9CA}.exe	32
PID 2028 wrote to memory of 2752	2028	{DF43F8F8-69BC-4bd4-AC1B-BE99434AB9CA}.exe	33
PID 2028 wrote to memory of 2752	2028	{DF43F8F8-69BC-4bd4-AC1B-BE99434AB9CA}.exe	33
PID 2028 wrote to memory of 2752	2028	{DF43F8F8-69BC-4bd4-AC1B-BE99434AB9CA}.exe	33
PID 2028 wrote to memory of 2752	2028	{DF43F8F8-69BC-4bd4-AC1B-BE99434AB9CA}.exe	33
PID 2572 wrote to memory of 2832	2572	{B1CC6440-E3EC-4f84-B68D-343FA428C0C9}.exe	34
PID 2572 wrote to memory of 2832	2572	{B1CC6440-E3EC-4f84-B68D-343FA428C0C9}.exe	34
PID 2572 wrote to memory of 2832	2572	{B1CC6440-E3EC-4f84-B68D-343FA428C0C9}.exe	34
PID 2572 wrote to memory of 2832	2572	{B1CC6440-E3EC-4f84-B68D-343FA428C0C9}.exe	34
PID 2572 wrote to memory of 2612	2572	{B1CC6440-E3EC-4f84-B68D-343FA428C0C9}.exe	35
PID 2572 wrote to memory of 2612	2572	{B1CC6440-E3EC-4f84-B68D-343FA428C0C9}.exe	35
PID 2572 wrote to memory of 2612	2572	{B1CC6440-E3EC-4f84-B68D-343FA428C0C9}.exe	35
PID 2572 wrote to memory of 2612	2572	{B1CC6440-E3EC-4f84-B68D-343FA428C0C9}.exe	35
PID 2832 wrote to memory of 2508	2832	{2F6584E1-C798-48b6-A73A-B1E66516C342}.exe	36
PID 2832 wrote to memory of 2508	2832	{2F6584E1-C798-48b6-A73A-B1E66516C342}.exe	36
PID 2832 wrote to memory of 2508	2832	{2F6584E1-C798-48b6-A73A-B1E66516C342}.exe	36
PID 2832 wrote to memory of 2508	2832	{2F6584E1-C798-48b6-A73A-B1E66516C342}.exe	36
PID 2832 wrote to memory of 2940	2832	{2F6584E1-C798-48b6-A73A-B1E66516C342}.exe	37
PID 2832 wrote to memory of 2940	2832	{2F6584E1-C798-48b6-A73A-B1E66516C342}.exe	37
PID 2832 wrote to memory of 2940	2832	{2F6584E1-C798-48b6-A73A-B1E66516C342}.exe	37
PID 2832 wrote to memory of 2940	2832	{2F6584E1-C798-48b6-A73A-B1E66516C342}.exe	37
PID 2508 wrote to memory of 1540	2508	{7FAE05C7-DD72-4a13-8057-16E323E09AEB}.exe	38
PID 2508 wrote to memory of 1540	2508	{7FAE05C7-DD72-4a13-8057-16E323E09AEB}.exe	38
PID 2508 wrote to memory of 1540	2508	{7FAE05C7-DD72-4a13-8057-16E323E09AEB}.exe	38
PID 2508 wrote to memory of 1540	2508	{7FAE05C7-DD72-4a13-8057-16E323E09AEB}.exe	38
PID 2508 wrote to memory of 740	2508	{7FAE05C7-DD72-4a13-8057-16E323E09AEB}.exe	39
PID 2508 wrote to memory of 740	2508	{7FAE05C7-DD72-4a13-8057-16E323E09AEB}.exe	39
PID 2508 wrote to memory of 740	2508	{7FAE05C7-DD72-4a13-8057-16E323E09AEB}.exe	39
PID 2508 wrote to memory of 740	2508	{7FAE05C7-DD72-4a13-8057-16E323E09AEB}.exe	39
PID 1540 wrote to memory of 2656	1540	{3B32792E-4A7F-46ad-86CB-829B479A25E2}.exe	40
PID 1540 wrote to memory of 2656	1540	{3B32792E-4A7F-46ad-86CB-829B479A25E2}.exe	40
PID 1540 wrote to memory of 2656	1540	{3B32792E-4A7F-46ad-86CB-829B479A25E2}.exe	40
PID 1540 wrote to memory of 2656	1540	{3B32792E-4A7F-46ad-86CB-829B479A25E2}.exe	40
PID 1540 wrote to memory of 1940	1540	{3B32792E-4A7F-46ad-86CB-829B479A25E2}.exe	41
PID 1540 wrote to memory of 1940	1540	{3B32792E-4A7F-46ad-86CB-829B479A25E2}.exe	41
PID 1540 wrote to memory of 1940	1540	{3B32792E-4A7F-46ad-86CB-829B479A25E2}.exe	41
PID 1540 wrote to memory of 1940	1540	{3B32792E-4A7F-46ad-86CB-829B479A25E2}.exe	41
PID 2656 wrote to memory of 2088	2656	{657ED51C-E3E3-4004-A0A3-ABD9F92EF1BA}.exe	42
PID 2656 wrote to memory of 2088	2656	{657ED51C-E3E3-4004-A0A3-ABD9F92EF1BA}.exe	42
PID 2656 wrote to memory of 2088	2656	{657ED51C-E3E3-4004-A0A3-ABD9F92EF1BA}.exe	42
PID 2656 wrote to memory of 2088	2656	{657ED51C-E3E3-4004-A0A3-ABD9F92EF1BA}.exe	42
PID 2656 wrote to memory of 2684	2656	{657ED51C-E3E3-4004-A0A3-ABD9F92EF1BA}.exe	43
PID 2656 wrote to memory of 2684	2656	{657ED51C-E3E3-4004-A0A3-ABD9F92EF1BA}.exe	43
PID 2656 wrote to memory of 2684	2656	{657ED51C-E3E3-4004-A0A3-ABD9F92EF1BA}.exe	43
PID 2656 wrote to memory of 2684	2656	{657ED51C-E3E3-4004-A0A3-ABD9F92EF1BA}.exe	43
PID 2088 wrote to memory of 2124	2088	{1819BB00-0C70-452f-B56D-35D57616EA17}.exe	44
PID 2088 wrote to memory of 2124	2088	{1819BB00-0C70-452f-B56D-35D57616EA17}.exe	44
PID 2088 wrote to memory of 2124	2088	{1819BB00-0C70-452f-B56D-35D57616EA17}.exe	44
PID 2088 wrote to memory of 2124	2088	{1819BB00-0C70-452f-B56D-35D57616EA17}.exe	44
PID 2088 wrote to memory of 2708	2088	{1819BB00-0C70-452f-B56D-35D57616EA17}.exe	45
PID 2088 wrote to memory of 2708	2088	{1819BB00-0C70-452f-B56D-35D57616EA17}.exe	45
PID 2088 wrote to memory of 2708	2088	{1819BB00-0C70-452f-B56D-35D57616EA17}.exe	45
PID 2088 wrote to memory of 2708	2088	{1819BB00-0C70-452f-B56D-35D57616EA17}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-01-28_d10212723e61ed24909b906e620a767e_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-28_d10212723e61ed24909b906e620a767e_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2336
- C:\Windows\{DF43F8F8-69BC-4bd4-AC1B-BE99434AB9CA}.exe
  C:\Windows\{DF43F8F8-69BC-4bd4-AC1B-BE99434AB9CA}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2028
- - C:\Windows\{B1CC6440-E3EC-4f84-B68D-343FA428C0C9}.exe
    C:\Windows\{B1CC6440-E3EC-4f84-B68D-343FA428C0C9}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2572
  - - C:\Windows\{2F6584E1-C798-48b6-A73A-B1E66516C342}.exe
      C:\Windows\{2F6584E1-C798-48b6-A73A-B1E66516C342}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2832
    - - C:\Windows\{7FAE05C7-DD72-4a13-8057-16E323E09AEB}.exe
        
        C:\Windows\{7FAE05C7-DD72-4a13-8057-16E323E09AEB}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2508
      - C:\Windows\{3B32792E-4A7F-46ad-86CB-829B479A25E2}.exe
        
        C:\Windows\{3B32792E-4A7F-46ad-86CB-829B479A25E2}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1540
        
        C:\Windows\{657ED51C-E3E3-4004-A0A3-ABD9F92EF1BA}.exe
        
        C:\Windows\{657ED51C-E3E3-4004-A0A3-ABD9F92EF1BA}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2656
        
        C:\Windows\{1819BB00-0C70-452f-B56D-35D57616EA17}.exe
        
        C:\Windows\{1819BB00-0C70-452f-B56D-35D57616EA17}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2088
        
        C:\Windows\{79470E55-34D2-400c-A70D-4A095CCFDCCC}.exe
        
        C:\Windows\{79470E55-34D2-400c-A70D-4A095CCFDCCC}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2124
        
        C:\Windows\{7A124C67-F238-4a43-AF72-56F6C09A7410}.exe
        
        C:\Windows\{7A124C67-F238-4a43-AF72-56F6C09A7410}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1236
        
        C:\Windows\{E92EBBDB-4946-445b-A379-60F4CC81792F}.exe
        
        C:\Windows\{E92EBBDB-4946-445b-A379-60F4CC81792F}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2696
        
        C:\Windows\{EBCDE0C0-5F10-4312-BBAC-E7807B71F0B4}.exe
        
        C:\Windows\{EBCDE0C0-5F10-4312-BBAC-E7807B71F0B4}.exe
        12⤵
        Executes dropped EXE
        
        PID:1992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E92EB~1.EXE > nul
        12⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7A124~1.EXE > nul
        11⤵
        
        PID:1056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{79470~1.EXE > nul
        10⤵
        
        PID:1308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1819B~1.EXE > nul
        9⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{657ED~1.EXE > nul
        8⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3B327~1.EXE > nul
        7⤵
        
        PID:1940
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7FAE0~1.EXE > nul
        6⤵
        
        PID:740
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2F658~1.EXE > nul
        5⤵
        
        PID:2940
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{B1CC6~1.EXE > nul
      4⤵
      PID:2612
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{DF43F~1.EXE > nul
    3⤵
    PID:2752
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:1908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1819BB00-0C70-452f-B56D-35D57616EA17}.exe

Filesize
128KB

MD5
755730916b6507d7ceb0ec3f51217d9b

SHA1
6c01fb4cb39a2ac73a307ce88fab3b89f84e6d3c

SHA256
02f395dea8b027d6a5352926997c543fff9cc36b81ac9135cc9b7b4aa6dddae9

SHA512
37a723248fe5b4cb6fda9d0eb3b0b3c4fccfaa938ccd7a61d59e26b22e3e75300d845546ed41c39db52697459ca760adc633d87d138b4a6e929b687dc65b734f

Download Submit
C:\Windows\{1819BB00-0C70-452f-B56D-35D57616EA17}.exe

Filesize
344KB

MD5
bdd2150f73fa9fe74d66c717b8406f74

SHA1
1aa9fc229fbdc963ad7f4d86b16365aba44030d1

SHA256
94f4526f393bd4a3f228297c00374b6ac980727ecfaab602f95322e1958ec741

SHA512
f7eb1f57be3d2f38a81dcecac4dd1f6d2fe314c0cd6b4aa3dce6918656e33256c072e41f9bcde66351e1aab219c2a129f26f087122b7a34a50a24e81bf72fbbe

Download Submit
C:\Windows\{2F6584E1-C798-48b6-A73A-B1E66516C342}.exe

Filesize
344KB

MD5
936b9094dfb783b7495193cc532206d9

SHA1
a0ffcfabae3c58e1fb61fb26ee93756d76cbbec0

SHA256
2f92aabe2ac6cbc9db69550478885a6e668f85fc69561ad7da38705ce39ac478

SHA512
c260fd238ee3fc80de59f5f36b7fef0904661407359f0c3afd985c288e782d72ce5617d2ac961dc912ec250867fea1bf234bf36b80c1ae68c94d3a72887c58f4

Download Submit
C:\Windows\{3B32792E-4A7F-46ad-86CB-829B479A25E2}.exe

Filesize
344KB

MD5
b92024e3a157ed07bc86b7527bd62a4e

SHA1
81ce7810daf9e36309e0d6d1f9c0381897217437

SHA256
27ee0eba6fb7e9cb97a7b1b3e74347a81f24f8d32e8bf4a07eeec03b2bf922ac

SHA512
8ba2be8d0ed5e8c232a4f19a2ec4596b9af8055303200c0dc122b42e3cf0a886879d0b9c57c39488ba235378d797613dd2ce516ec67ec96e2792cd8238d42b95

Download Submit
C:\Windows\{657ED51C-E3E3-4004-A0A3-ABD9F92EF1BA}.exe

Filesize
344KB

MD5
5987e3abfaa3e7e18a3656e6e2971dcf

SHA1
2b5c3d643f3e871aa7970c40a848da75f1af3a5b

SHA256
c938929b64401db29cd7440b4477278ac06fb4eee32f9c9f7b67fa1803f3ccca

SHA512
fd5127cae3c86d5596b89b1646c1bf7c5229a8ff6bd3dabf0254dee0560aa936d6fe0015a0c9a0264bf53479b162cf5852399e1194afd2353a08bebea66dcfed

Download Submit
C:\Windows\{79470E55-34D2-400c-A70D-4A095CCFDCCC}.exe

Filesize
344KB

MD5
31918d93387ecb2dce58d5732015f80d

SHA1
d6f373b7f0e8e52bb4e0d9ed96f3298b344b2468

SHA256
c2dc93b2f77c5514121f3e38a561327507fea752cdaa799d774e7e581e50cd63

SHA512
fcdf31487c1810d6406f1fc73e11ff084969801f29d77fd109b312fb6812785db7eeba96d910883942f0fd4ef9af871e3d29a73c1b6aa14a200dac40643c9382

Download Submit
C:\Windows\{7A124C67-F238-4a43-AF72-56F6C09A7410}.exe

Filesize
344KB

MD5
95f9f9a91e6994dac3da7fe56464215b

SHA1
b7d8cf9a3568f550b951ce4c934da730ef660dcc

SHA256
1b4669fbbd47002dab9566594df6df98037b870b9b2ad5bcd79dea0d31733a68

SHA512
5956ca97a0950bb33e70782dda433389265bc4b4f5c9811a3ec6bedc83ae0ff849b84b4e145baa8e95d6ff1ff5e8e43944a45f82bba4e92d743d28a1945f9998

Download Submit
C:\Windows\{7FAE05C7-DD72-4a13-8057-16E323E09AEB}.exe

Filesize
344KB

MD5
aead95d045397b64e4f55d4da89a0025

SHA1
adcbfd8abbc21cd62468bcc8dbaef0202a4436cc

SHA256
3c6772ca5d15ad456352edd2d91027b1e3ec1a42bac70a4fc8a30a7d0d65200b

SHA512
eb215e56ccda103d557f0fecf57b5e09c6e2c213a643a9ded8e730c31decc35cadfe8578095cde29d2c88a2a044e3d8d1b283abf57e2bed74d1f2f6f2a3f10e2

Download Submit
C:\Windows\{B1CC6440-E3EC-4f84-B68D-343FA428C0C9}.exe

Filesize
344KB

MD5
64cdc17272463cf212054db826bd999b

SHA1
62d10b2969d0f35673532aed99c9954ab1e64d53

SHA256
872accbac12e6c15aa73f5a3627ee14e0e74b532fb366ea2b0a8342af3968f67

SHA512
c60dca7bab67cf3c3fb8596c42b936031db06f257bcef5030991afdd1ab41be61097cf1f4a50489646e0b710818e219f4f2e8ca7f0dadf565f5a2be9f9927a1d

Download Submit
C:\Windows\{DF43F8F8-69BC-4bd4-AC1B-BE99434AB9CA}.exe

Filesize
344KB

MD5
6427db92eb194ea1f57684b076aea660

SHA1
4eb9dbe7248be728a1dc7e8c9b4fb0910757b480

SHA256
16708e17fcf02176407e344c567c27f965d31d695ce69db66b277ac65a642edd

SHA512
613f473b3ade186bbdb0c27ee5c3f63cea843349a6fb7a0cfa4c6761d737199b96fb80b5f317b38f60c7b095b3d0ad790c34030a2359afdc034ec3141e21e3b7

Download Submit
C:\Windows\{E92EBBDB-4946-445b-A379-60F4CC81792F}.exe

Filesize
344KB

MD5
2496e51d182d89d7f3f84e07dea8c09b

SHA1
c3b463eb26b9b77c3b282bf24b00f7a6f667fc21

SHA256
30e9073290d173d127fe76d122878dff8b53dd501b0c023deaed32ffda560d46

SHA512
ac467effa61c02209497ae5c74fa7bf48b24a2abbf1c3fa1c055e76147501eb3c3d35b809f058ca1ed29fd740a581883c4496fdd3aff815d68b7a7bb8b52f43c

Download Submit
C:\Windows\{EBCDE0C0-5F10-4312-BBAC-E7807B71F0B4}.exe

Filesize
344KB

MD5
d3ff8a65794d6f57158b91fd60993ebc

SHA1
1bbdcdf93833fdd8b65b101e0267b4f7e4e26c38

SHA256
25655fd33867f53f34fe36967f2e2212a170b2f9499b602a211e3520c3d472e3

SHA512
cf49ab9efe950ad0daf4aff49c0431609cc63f184d26960b8d6a8f0de35622c1da4c03a00e52d3cf508cd62c7af763dc372be973260dd67b136934e99ca70a3d

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads