c92f44dd25a7572356e3740412aa93c4e056842541c771c25f11463242b13a5c

Analysis

max time kernel
144s
max time network
123s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
01/02/2024, 20:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-01_f066efa8a499022db3ab214a6a545d47_goldeneye.exe
Size

380KB
MD5

f066efa8a499022db3ab214a6a545d47
SHA1

23c04eee288917ce10725b46482dc80bb8f59d2e
SHA256

c92f44dd25a7572356e3740412aa93c4e056842541c771c25f11463242b13a5c
SHA512

14f842b3278820e846273e3f5b71fef57825d33a38d87dbb057d56a79c50faa8b36fedb889500e7ed21f40cc720a6eac3c053869b1e1dd1f0eccd9b37295d5e0
SSDEEP

3072:mEGh0oIlPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGCl7Oe2MUVg3v2IneKcAEcARy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000a0000000133a9-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a0000000133c4-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b0000000133a9-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a000000013a24-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000005a5a-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c0000000133a9-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000005a5a-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d0000000133a9-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000005a5a-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e0000000133a9-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000005a5a-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1AA47CC7-B43B-4dec-B25A-0144EADF51AD}	{A5383D66-5EE5-43b6-9666-0597576545CC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1AA47CC7-B43B-4dec-B25A-0144EADF51AD}\stubpath = "C:\\Windows\\{1AA47CC7-B43B-4dec-B25A-0144EADF51AD}.exe"	{A5383D66-5EE5-43b6-9666-0597576545CC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{80B944F1-6DEA-4aab-B9EE-8D68293623FF}	{78329D81-7F88-47fc-B60B-58F5332E512F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A5383D66-5EE5-43b6-9666-0597576545CC}	{0200205C-0FBC-485a-B82E-91DA4CA176E5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4B4FBDC9-6C95-4221-AF3C-5B0CDD78E620}	{80B944F1-6DEA-4aab-B9EE-8D68293623FF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{00F367FA-6F93-4f5e-8364-A4B954209EEC}	{4B4FBDC9-6C95-4221-AF3C-5B0CDD78E620}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6FAB2B5D-6426-4fa2-8A40-57394477D337}	{F959C15F-DE0C-4c3f-AB30-DF3927892E83}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6FAB2B5D-6426-4fa2-8A40-57394477D337}\stubpath = "C:\\Windows\\{6FAB2B5D-6426-4fa2-8A40-57394477D337}.exe"	{F959C15F-DE0C-4c3f-AB30-DF3927892E83}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{10547490-441E-464b-8AD9-7B2A87AF2B59}\stubpath = "C:\\Windows\\{10547490-441E-464b-8AD9-7B2A87AF2B59}.exe"	{6FAB2B5D-6426-4fa2-8A40-57394477D337}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{65F46A39-2051-4c83-9F16-5495C7B49123}	{10547490-441E-464b-8AD9-7B2A87AF2B59}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{78329D81-7F88-47fc-B60B-58F5332E512F}	2024-02-01_f066efa8a499022db3ab214a6a545d47_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{78329D81-7F88-47fc-B60B-58F5332E512F}\stubpath = "C:\\Windows\\{78329D81-7F88-47fc-B60B-58F5332E512F}.exe"	2024-02-01_f066efa8a499022db3ab214a6a545d47_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A5383D66-5EE5-43b6-9666-0597576545CC}\stubpath = "C:\\Windows\\{A5383D66-5EE5-43b6-9666-0597576545CC}.exe"	{0200205C-0FBC-485a-B82E-91DA4CA176E5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0200205C-0FBC-485a-B82E-91DA4CA176E5}	{65F46A39-2051-4c83-9F16-5495C7B49123}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0200205C-0FBC-485a-B82E-91DA4CA176E5}\stubpath = "C:\\Windows\\{0200205C-0FBC-485a-B82E-91DA4CA176E5}.exe"	{65F46A39-2051-4c83-9F16-5495C7B49123}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{80B944F1-6DEA-4aab-B9EE-8D68293623FF}\stubpath = "C:\\Windows\\{80B944F1-6DEA-4aab-B9EE-8D68293623FF}.exe"	{78329D81-7F88-47fc-B60B-58F5332E512F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F959C15F-DE0C-4c3f-AB30-DF3927892E83}\stubpath = "C:\\Windows\\{F959C15F-DE0C-4c3f-AB30-DF3927892E83}.exe"	{00F367FA-6F93-4f5e-8364-A4B954209EEC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F959C15F-DE0C-4c3f-AB30-DF3927892E83}	{00F367FA-6F93-4f5e-8364-A4B954209EEC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{10547490-441E-464b-8AD9-7B2A87AF2B59}	{6FAB2B5D-6426-4fa2-8A40-57394477D337}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{65F46A39-2051-4c83-9F16-5495C7B49123}\stubpath = "C:\\Windows\\{65F46A39-2051-4c83-9F16-5495C7B49123}.exe"	{10547490-441E-464b-8AD9-7B2A87AF2B59}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4B4FBDC9-6C95-4221-AF3C-5B0CDD78E620}\stubpath = "C:\\Windows\\{4B4FBDC9-6C95-4221-AF3C-5B0CDD78E620}.exe"	{80B944F1-6DEA-4aab-B9EE-8D68293623FF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{00F367FA-6F93-4f5e-8364-A4B954209EEC}\stubpath = "C:\\Windows\\{00F367FA-6F93-4f5e-8364-A4B954209EEC}.exe"	{4B4FBDC9-6C95-4221-AF3C-5B0CDD78E620}.exe

Deletes itself 1 IoCs

pid	Process
2816	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2996	{78329D81-7F88-47fc-B60B-58F5332E512F}.exe
2648	{80B944F1-6DEA-4aab-B9EE-8D68293623FF}.exe
1732	{4B4FBDC9-6C95-4221-AF3C-5B0CDD78E620}.exe
2584	{00F367FA-6F93-4f5e-8364-A4B954209EEC}.exe
2348	{F959C15F-DE0C-4c3f-AB30-DF3927892E83}.exe
1840	{6FAB2B5D-6426-4fa2-8A40-57394477D337}.exe
1200	{10547490-441E-464b-8AD9-7B2A87AF2B59}.exe
2776	{65F46A39-2051-4c83-9F16-5495C7B49123}.exe
2972	{0200205C-0FBC-485a-B82E-91DA4CA176E5}.exe
384	{A5383D66-5EE5-43b6-9666-0597576545CC}.exe
284	{1AA47CC7-B43B-4dec-B25A-0144EADF51AD}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{80B944F1-6DEA-4aab-B9EE-8D68293623FF}.exe	{78329D81-7F88-47fc-B60B-58F5332E512F}.exe
File created	C:\Windows\{F959C15F-DE0C-4c3f-AB30-DF3927892E83}.exe	{00F367FA-6F93-4f5e-8364-A4B954209EEC}.exe
File created	C:\Windows\{6FAB2B5D-6426-4fa2-8A40-57394477D337}.exe	{F959C15F-DE0C-4c3f-AB30-DF3927892E83}.exe
File created	C:\Windows\{65F46A39-2051-4c83-9F16-5495C7B49123}.exe	{10547490-441E-464b-8AD9-7B2A87AF2B59}.exe
File created	C:\Windows\{0200205C-0FBC-485a-B82E-91DA4CA176E5}.exe	{65F46A39-2051-4c83-9F16-5495C7B49123}.exe
File created	C:\Windows\{A5383D66-5EE5-43b6-9666-0597576545CC}.exe	{0200205C-0FBC-485a-B82E-91DA4CA176E5}.exe
File created	C:\Windows\{1AA47CC7-B43B-4dec-B25A-0144EADF51AD}.exe	{A5383D66-5EE5-43b6-9666-0597576545CC}.exe
File created	C:\Windows\{78329D81-7F88-47fc-B60B-58F5332E512F}.exe	2024-02-01_f066efa8a499022db3ab214a6a545d47_goldeneye.exe
File created	C:\Windows\{4B4FBDC9-6C95-4221-AF3C-5B0CDD78E620}.exe	{80B944F1-6DEA-4aab-B9EE-8D68293623FF}.exe
File created	C:\Windows\{00F367FA-6F93-4f5e-8364-A4B954209EEC}.exe	{4B4FBDC9-6C95-4221-AF3C-5B0CDD78E620}.exe
File created	C:\Windows\{10547490-441E-464b-8AD9-7B2A87AF2B59}.exe	{6FAB2B5D-6426-4fa2-8A40-57394477D337}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2188	2024-02-01_f066efa8a499022db3ab214a6a545d47_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2996	{78329D81-7F88-47fc-B60B-58F5332E512F}.exe
Token: SeIncBasePriorityPrivilege	2648	{80B944F1-6DEA-4aab-B9EE-8D68293623FF}.exe
Token: SeIncBasePriorityPrivilege	1732	{4B4FBDC9-6C95-4221-AF3C-5B0CDD78E620}.exe
Token: SeIncBasePriorityPrivilege	2584	{00F367FA-6F93-4f5e-8364-A4B954209EEC}.exe
Token: SeIncBasePriorityPrivilege	2348	{F959C15F-DE0C-4c3f-AB30-DF3927892E83}.exe
Token: SeIncBasePriorityPrivilege	1840	{6FAB2B5D-6426-4fa2-8A40-57394477D337}.exe
Token: SeIncBasePriorityPrivilege	1200	{10547490-441E-464b-8AD9-7B2A87AF2B59}.exe
Token: SeIncBasePriorityPrivilege	2776	{65F46A39-2051-4c83-9F16-5495C7B49123}.exe
Token: SeIncBasePriorityPrivilege	2972	{0200205C-0FBC-485a-B82E-91DA4CA176E5}.exe
Token: SeIncBasePriorityPrivilege	384	{A5383D66-5EE5-43b6-9666-0597576545CC}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2188 wrote to memory of 2996	2188	2024-02-01_f066efa8a499022db3ab214a6a545d47_goldeneye.exe	28
PID 2188 wrote to memory of 2996	2188	2024-02-01_f066efa8a499022db3ab214a6a545d47_goldeneye.exe	28
PID 2188 wrote to memory of 2996	2188	2024-02-01_f066efa8a499022db3ab214a6a545d47_goldeneye.exe	28
PID 2188 wrote to memory of 2996	2188	2024-02-01_f066efa8a499022db3ab214a6a545d47_goldeneye.exe	28
PID 2188 wrote to memory of 2816	2188	2024-02-01_f066efa8a499022db3ab214a6a545d47_goldeneye.exe	29
PID 2188 wrote to memory of 2816	2188	2024-02-01_f066efa8a499022db3ab214a6a545d47_goldeneye.exe	29
PID 2188 wrote to memory of 2816	2188	2024-02-01_f066efa8a499022db3ab214a6a545d47_goldeneye.exe	29
PID 2188 wrote to memory of 2816	2188	2024-02-01_f066efa8a499022db3ab214a6a545d47_goldeneye.exe	29
PID 2996 wrote to memory of 2648	2996	{78329D81-7F88-47fc-B60B-58F5332E512F}.exe	30
PID 2996 wrote to memory of 2648	2996	{78329D81-7F88-47fc-B60B-58F5332E512F}.exe	30
PID 2996 wrote to memory of 2648	2996	{78329D81-7F88-47fc-B60B-58F5332E512F}.exe	30
PID 2996 wrote to memory of 2648	2996	{78329D81-7F88-47fc-B60B-58F5332E512F}.exe	30
PID 2996 wrote to memory of 2684	2996	{78329D81-7F88-47fc-B60B-58F5332E512F}.exe	31
PID 2996 wrote to memory of 2684	2996	{78329D81-7F88-47fc-B60B-58F5332E512F}.exe	31
PID 2996 wrote to memory of 2684	2996	{78329D81-7F88-47fc-B60B-58F5332E512F}.exe	31
PID 2996 wrote to memory of 2684	2996	{78329D81-7F88-47fc-B60B-58F5332E512F}.exe	31
PID 2648 wrote to memory of 1732	2648	{80B944F1-6DEA-4aab-B9EE-8D68293623FF}.exe	32
PID 2648 wrote to memory of 1732	2648	{80B944F1-6DEA-4aab-B9EE-8D68293623FF}.exe	32
PID 2648 wrote to memory of 1732	2648	{80B944F1-6DEA-4aab-B9EE-8D68293623FF}.exe	32
PID 2648 wrote to memory of 1732	2648	{80B944F1-6DEA-4aab-B9EE-8D68293623FF}.exe	32
PID 2648 wrote to memory of 2580	2648	{80B944F1-6DEA-4aab-B9EE-8D68293623FF}.exe	33
PID 2648 wrote to memory of 2580	2648	{80B944F1-6DEA-4aab-B9EE-8D68293623FF}.exe	33
PID 2648 wrote to memory of 2580	2648	{80B944F1-6DEA-4aab-B9EE-8D68293623FF}.exe	33
PID 2648 wrote to memory of 2580	2648	{80B944F1-6DEA-4aab-B9EE-8D68293623FF}.exe	33
PID 1732 wrote to memory of 2584	1732	{4B4FBDC9-6C95-4221-AF3C-5B0CDD78E620}.exe	36
PID 1732 wrote to memory of 2584	1732	{4B4FBDC9-6C95-4221-AF3C-5B0CDD78E620}.exe	36
PID 1732 wrote to memory of 2584	1732	{4B4FBDC9-6C95-4221-AF3C-5B0CDD78E620}.exe	36
PID 1732 wrote to memory of 2584	1732	{4B4FBDC9-6C95-4221-AF3C-5B0CDD78E620}.exe	36
PID 1732 wrote to memory of 2924	1732	{4B4FBDC9-6C95-4221-AF3C-5B0CDD78E620}.exe	37
PID 1732 wrote to memory of 2924	1732	{4B4FBDC9-6C95-4221-AF3C-5B0CDD78E620}.exe	37
PID 1732 wrote to memory of 2924	1732	{4B4FBDC9-6C95-4221-AF3C-5B0CDD78E620}.exe	37
PID 1732 wrote to memory of 2924	1732	{4B4FBDC9-6C95-4221-AF3C-5B0CDD78E620}.exe	37
PID 2584 wrote to memory of 2348	2584	{00F367FA-6F93-4f5e-8364-A4B954209EEC}.exe	39
PID 2584 wrote to memory of 2348	2584	{00F367FA-6F93-4f5e-8364-A4B954209EEC}.exe	39
PID 2584 wrote to memory of 2348	2584	{00F367FA-6F93-4f5e-8364-A4B954209EEC}.exe	39
PID 2584 wrote to memory of 2348	2584	{00F367FA-6F93-4f5e-8364-A4B954209EEC}.exe	39
PID 2584 wrote to memory of 2168	2584	{00F367FA-6F93-4f5e-8364-A4B954209EEC}.exe	38
PID 2584 wrote to memory of 2168	2584	{00F367FA-6F93-4f5e-8364-A4B954209EEC}.exe	38
PID 2584 wrote to memory of 2168	2584	{00F367FA-6F93-4f5e-8364-A4B954209EEC}.exe	38
PID 2584 wrote to memory of 2168	2584	{00F367FA-6F93-4f5e-8364-A4B954209EEC}.exe	38
PID 2348 wrote to memory of 1840	2348	{F959C15F-DE0C-4c3f-AB30-DF3927892E83}.exe	41
PID 2348 wrote to memory of 1840	2348	{F959C15F-DE0C-4c3f-AB30-DF3927892E83}.exe	41
PID 2348 wrote to memory of 1840	2348	{F959C15F-DE0C-4c3f-AB30-DF3927892E83}.exe	41
PID 2348 wrote to memory of 1840	2348	{F959C15F-DE0C-4c3f-AB30-DF3927892E83}.exe	41
PID 2348 wrote to memory of 1480	2348	{F959C15F-DE0C-4c3f-AB30-DF3927892E83}.exe	40
PID 2348 wrote to memory of 1480	2348	{F959C15F-DE0C-4c3f-AB30-DF3927892E83}.exe	40
PID 2348 wrote to memory of 1480	2348	{F959C15F-DE0C-4c3f-AB30-DF3927892E83}.exe	40
PID 2348 wrote to memory of 1480	2348	{F959C15F-DE0C-4c3f-AB30-DF3927892E83}.exe	40
PID 1840 wrote to memory of 1200	1840	{6FAB2B5D-6426-4fa2-8A40-57394477D337}.exe	43
PID 1840 wrote to memory of 1200	1840	{6FAB2B5D-6426-4fa2-8A40-57394477D337}.exe	43
PID 1840 wrote to memory of 1200	1840	{6FAB2B5D-6426-4fa2-8A40-57394477D337}.exe	43
PID 1840 wrote to memory of 1200	1840	{6FAB2B5D-6426-4fa2-8A40-57394477D337}.exe	43
PID 1840 wrote to memory of 2712	1840	{6FAB2B5D-6426-4fa2-8A40-57394477D337}.exe	42
PID 1840 wrote to memory of 2712	1840	{6FAB2B5D-6426-4fa2-8A40-57394477D337}.exe	42
PID 1840 wrote to memory of 2712	1840	{6FAB2B5D-6426-4fa2-8A40-57394477D337}.exe	42
PID 1840 wrote to memory of 2712	1840	{6FAB2B5D-6426-4fa2-8A40-57394477D337}.exe	42
PID 1200 wrote to memory of 2776	1200	{10547490-441E-464b-8AD9-7B2A87AF2B59}.exe	44
PID 1200 wrote to memory of 2776	1200	{10547490-441E-464b-8AD9-7B2A87AF2B59}.exe	44
PID 1200 wrote to memory of 2776	1200	{10547490-441E-464b-8AD9-7B2A87AF2B59}.exe	44
PID 1200 wrote to memory of 2776	1200	{10547490-441E-464b-8AD9-7B2A87AF2B59}.exe	44
PID 1200 wrote to memory of 1632	1200	{10547490-441E-464b-8AD9-7B2A87AF2B59}.exe	45
PID 1200 wrote to memory of 1632	1200	{10547490-441E-464b-8AD9-7B2A87AF2B59}.exe	45
PID 1200 wrote to memory of 1632	1200	{10547490-441E-464b-8AD9-7B2A87AF2B59}.exe	45
PID 1200 wrote to memory of 1632	1200	{10547490-441E-464b-8AD9-7B2A87AF2B59}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-02-01_f066efa8a499022db3ab214a6a545d47_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-01_f066efa8a499022db3ab214a6a545d47_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2188
- C:\Windows\{78329D81-7F88-47fc-B60B-58F5332E512F}.exe
  C:\Windows\{78329D81-7F88-47fc-B60B-58F5332E512F}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2996
- - C:\Windows\{80B944F1-6DEA-4aab-B9EE-8D68293623FF}.exe
    C:\Windows\{80B944F1-6DEA-4aab-B9EE-8D68293623FF}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2648
  - - C:\Windows\{4B4FBDC9-6C95-4221-AF3C-5B0CDD78E620}.exe
      C:\Windows\{4B4FBDC9-6C95-4221-AF3C-5B0CDD78E620}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1732
    - - C:\Windows\{00F367FA-6F93-4f5e-8364-A4B954209EEC}.exe
        
        C:\Windows\{00F367FA-6F93-4f5e-8364-A4B954209EEC}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2584
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{00F36~1.EXE > nul
        6⤵
        
        PID:2168
      - C:\Windows\{F959C15F-DE0C-4c3f-AB30-DF3927892E83}.exe
        
        C:\Windows\{F959C15F-DE0C-4c3f-AB30-DF3927892E83}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F959C~1.EXE > nul
        7⤵
        
        PID:1480
        
        C:\Windows\{6FAB2B5D-6426-4fa2-8A40-57394477D337}.exe
        
        C:\Windows\{6FAB2B5D-6426-4fa2-8A40-57394477D337}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6FAB2~1.EXE > nul
        8⤵
        
        PID:2712
        
        C:\Windows\{10547490-441E-464b-8AD9-7B2A87AF2B59}.exe
        
        C:\Windows\{10547490-441E-464b-8AD9-7B2A87AF2B59}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1200
        
        C:\Windows\{65F46A39-2051-4c83-9F16-5495C7B49123}.exe
        
        C:\Windows\{65F46A39-2051-4c83-9F16-5495C7B49123}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{65F46~1.EXE > nul
        10⤵
        
        PID:2336
        
        C:\Windows\{0200205C-0FBC-485a-B82E-91DA4CA176E5}.exe
        
        C:\Windows\{0200205C-0FBC-485a-B82E-91DA4CA176E5}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{02002~1.EXE > nul
        11⤵
        
        PID:796
        
        C:\Windows\{A5383D66-5EE5-43b6-9666-0597576545CC}.exe
        
        C:\Windows\{A5383D66-5EE5-43b6-9666-0597576545CC}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:384
        
        C:\Windows\{1AA47CC7-B43B-4dec-B25A-0144EADF51AD}.exe
        
        C:\Windows\{1AA47CC7-B43B-4dec-B25A-0144EADF51AD}.exe
        12⤵
        Executes dropped EXE
        
        PID:284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A5383~1.EXE > nul
        12⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{10547~1.EXE > nul
        9⤵
        
        PID:1632
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4B4FB~1.EXE > nul
        5⤵
        
        PID:2924
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{80B94~1.EXE > nul
      4⤵
      PID:2580
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{78329~1.EXE > nul
    3⤵
    PID:2684
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{00F367FA-6F93-4f5e-8364-A4B954209EEC}.exe

Filesize
380KB

MD5
34b44f7a8e5ee62d4bb50fca88fec029

SHA1
c10c380adeb1571f11cb8fac9d8c5053d2698297

SHA256
a2a865bc3bc43566b03436d28eb9c2b8cb691fd69d10577a6f9e04a63b613e2f

SHA512
e83c58f438fa243a13e263c744396a1d6cd3aff18147485c53e59afa31453484dade4474db02018ac49eb3090562af1d871237a28fe2a8b8742ee0f6f0398807

Download Submit
C:\Windows\{0200205C-0FBC-485a-B82E-91DA4CA176E5}.exe

Filesize
380KB

MD5
adc4ee2057fb57090c825375a3f65e92

SHA1
b55baa6fb090dae25da4286b1381bb56359c0fef

SHA256
5b0cd418bcc0a3a6c862af5adbf10f2edc9eb75c4c1735d0e35ff8de76dadff1

SHA512
74e5e7d10ed9f6d94c2aa825fe3e608793c666f49a3df0d344944a727dec442f0b9fbbcc219daa20065d91fb2d400a0439e02f0f22665952949d354a71651d5c

Download Submit
C:\Windows\{10547490-441E-464b-8AD9-7B2A87AF2B59}.exe

Filesize
380KB

MD5
94c9f23ae8e5bd100334ba8b2cf1aca0

SHA1
58f437a4ec65d5508898a1023085aea9d8298d3f

SHA256
1af42d9bb202c54d03e2c06c7c894f6cf7af166c84067e10ff96a00df80891f0

SHA512
5cce23d1247b6757430edc7464f5f5c63b6c0112419a4da0713f22e76c55a0d45bcac0d1ca385d55892254b3fd913b73e024c586c7a3536dbd4a4483d192c26a

Download Submit
C:\Windows\{1AA47CC7-B43B-4dec-B25A-0144EADF51AD}.exe

Filesize
380KB

MD5
0d4405fca97a15711cea70b51a7c1688

SHA1
82f2547fc56b10ca63677c9ab281ad2d22adf4bc

SHA256
1c37352c42eca69b5c6a4892773758a85f3372471a73829c7116c3306738390c

SHA512
d94e825af6ebe8147df2eff8fd1a86c64903140449971b2468a492424899a885c09bc7afe05d9e8ba530f1ab5fb50da6fb920a806c70ef3ff660c05c505fcf3a

Download Submit
C:\Windows\{4B4FBDC9-6C95-4221-AF3C-5B0CDD78E620}.exe

Filesize
380KB

MD5
157c50cf69b26c52f972e78dd7cd6c27

SHA1
aac0ab6917fd0b1c996b41bb23c164e66177e0e3

SHA256
e60a6e99284bf3e734f20dd48c2363b7d0530e374d8b27a42978a9b1e3dd142c

SHA512
72f158866681857a6b7639782a3e972fdb154bcb199fdece8c90babf52493b1a078298fdaaf73d5a49fa14501c997ffd02f7fb69f0a88f8b25cc587bcbc950e0

Download Submit
C:\Windows\{65F46A39-2051-4c83-9F16-5495C7B49123}.exe

Filesize
380KB

MD5
5e360433bffee37033b2656d43360dd5

SHA1
c67e5de3abae2f489312bedff228a6db53c643b6

SHA256
d750cab74c7994fd614a2d17574ccb6c03261af0fe7b5fc1b5923dab452e91b9

SHA512
9be417edf0896fd363ea4074a4acb3af6d3fc639e8e3ea7268f8d20d53d0a1214db0a46647eb2f73c5b0dab39ccf35a1338e5c5ef52f09d2cbc51d540ccad89c

Download Submit
C:\Windows\{6FAB2B5D-6426-4fa2-8A40-57394477D337}.exe

Filesize
380KB

MD5
c6856d036e74e57da06a268fbc809833

SHA1
ca8321a6f339c3d187fad992623365fc080fe9a0

SHA256
57bdb241a45869d73679459c4476dc9a00cca15f087153975cf91c57a5774e54

SHA512
f50b705e2ba5f7f5fcf6f358051af3ca3d5f8eef7209143ad0732090230d5c1d289c023bfe8e502dc360f31f598fc5fdb7c444868ef048f49e91e39d9d3ae997

Download Submit
C:\Windows\{78329D81-7F88-47fc-B60B-58F5332E512F}.exe

Filesize
380KB

MD5
4f16b1672711b3066e7fdab735dbed3c

SHA1
9a14ea0b9352d305652459dd0d95959ea0c0292e

SHA256
37e204d9acdc5941258660f602d7f2741e9a4e2611797f333c2bab2ae6f76f03

SHA512
d14a547d9973e0f5a854c075dbffe7ac7fd714d71bc6fc5959c5071b289e1e9c48a190dd02d35ee65d216b912bd7ea7f310c44469456c348a6b34447f3e7010a

Download Submit
C:\Windows\{80B944F1-6DEA-4aab-B9EE-8D68293623FF}.exe

Filesize
380KB

MD5
4dda1146f72ca08747cdcd88e6087047

SHA1
514bc3af30fa2a31b591306c1d02434093ec7d9e

SHA256
44b9d8d8419c106b8a3bdbc136216a5c9fd696c9573d15ec9316ab1e3b90047d

SHA512
878ca4f1cc170acfd2f87cd564e26c6d44d16590304da019547b99f28df371f923b53dfb54273d6b6ea1bc88c34c07e2187cf8729fea4df00d53c68f3b07fe10

Download Submit
C:\Windows\{A5383D66-5EE5-43b6-9666-0597576545CC}.exe

Filesize
380KB

MD5
c8cd0c8cea486e9d238ab45ae6b89283

SHA1
3b772e0cb1ded620f04745422467ea313c7826e8

SHA256
7399a50ce2435f520f17629276c3edab90446d176b2cf483de7a0a7a84ce7642

SHA512
abe164962caa0386793e506c31ebb188c34ebc0ef6838d31569a88d36238d025fe29e57fa2395d20a9abd1b7a3c4a5a94e4738450b8cc58a83c0b8cbf5f2511b

Download Submit
C:\Windows\{F959C15F-DE0C-4c3f-AB30-DF3927892E83}.exe

Filesize
380KB

MD5
1a01168120d70b4e65b5ee49f0220934

SHA1
fde658e67acd83988cc64c0e01cc2c84f87a51ab

SHA256
32ed54cb78343592ac9a0a63087c18bc9970497c0f7732d4ff7aa92ceb1d9cc9

SHA512
4e020ce7573c8f487df8bff536fbfee990afe789a6b1ee27c0b199725f7b1967bfb1ed837b2e991fe5047fcd9a1340f4f8b5884d116500bf0a089e206e6e8880

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads