efb49573a70dd746dafd3a71e696afcc94534de6f12ffd9b20e743fb231a2fd4

Analysis

max time kernel
144s
max time network
117s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
11/02/2024, 19:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-11_5a9169891ded4607a2407de402ba40d3_goldeneye.exe
Size

216KB
MD5

5a9169891ded4607a2407de402ba40d3
SHA1

2f9e5274b36ba565110b46c809e78bb274533ac2
SHA256

efb49573a70dd746dafd3a71e696afcc94534de6f12ffd9b20e743fb231a2fd4
SHA512

207a7f04e599603ab580ae808aec0ec1263b199ef43360298b8f9008bcfc031870a5e02a4729ae181f8319f772a3acd9e0f292d4ed491c107be16066312650cc
SSDEEP

3072:jEGh0oOl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEGYlEeKcAEcGy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000a000000013a1a-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000900000001410b-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b000000013a1a-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00090000000142cc-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000005a5a-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000013a1a-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000005a5a-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000013a1a-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000005a5a-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e000000013a1a-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000005a5a-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A30F80E4-0610-425c-B8FF-8B47ED126D4B}	2024-02-11_5a9169891ded4607a2407de402ba40d3_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{498B957C-6631-4399-B753-56F494B4747B}	{FA1DBCEC-196C-4b1c-80F8-5C21A8B951F1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5EB94C0C-AF42-4d22-9A0B-1D30A33E8BB8}	{8C21B718-53D2-4647-B271-F7824CF86520}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D97300F4-19B3-43bd-9BCE-3D85D88D71F9}\stubpath = "C:\\Windows\\{D97300F4-19B3-43bd-9BCE-3D85D88D71F9}.exe"	{5EB94C0C-AF42-4d22-9A0B-1D30A33E8BB8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BB20D6E4-753B-42a0-89FB-FEF85DDC28D5}\stubpath = "C:\\Windows\\{BB20D6E4-753B-42a0-89FB-FEF85DDC28D5}.exe"	{D97300F4-19B3-43bd-9BCE-3D85D88D71F9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BB20D6E4-753B-42a0-89FB-FEF85DDC28D5}	{D97300F4-19B3-43bd-9BCE-3D85D88D71F9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{79DC4B9A-BDC9-40c7-BC93-5D92FC5A6F0B}	{683E7D81-A9F2-49ec-91AB-4CB3A47CE65D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{79DC4B9A-BDC9-40c7-BC93-5D92FC5A6F0B}\stubpath = "C:\\Windows\\{79DC4B9A-BDC9-40c7-BC93-5D92FC5A6F0B}.exe"	{683E7D81-A9F2-49ec-91AB-4CB3A47CE65D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A5B16D6B-2EB9-4e2d-9311-FB207B9097CA}\stubpath = "C:\\Windows\\{A5B16D6B-2EB9-4e2d-9311-FB207B9097CA}.exe"	{79DC4B9A-BDC9-40c7-BC93-5D92FC5A6F0B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{58048389-8AE0-40a5-A9D4-96976792F815}	{A5B16D6B-2EB9-4e2d-9311-FB207B9097CA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A30F80E4-0610-425c-B8FF-8B47ED126D4B}\stubpath = "C:\\Windows\\{A30F80E4-0610-425c-B8FF-8B47ED126D4B}.exe"	2024-02-11_5a9169891ded4607a2407de402ba40d3_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FA1DBCEC-196C-4b1c-80F8-5C21A8B951F1}	{A30F80E4-0610-425c-B8FF-8B47ED126D4B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FA1DBCEC-196C-4b1c-80F8-5C21A8B951F1}\stubpath = "C:\\Windows\\{FA1DBCEC-196C-4b1c-80F8-5C21A8B951F1}.exe"	{A30F80E4-0610-425c-B8FF-8B47ED126D4B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8C21B718-53D2-4647-B271-F7824CF86520}	{498B957C-6631-4399-B753-56F494B4747B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8C21B718-53D2-4647-B271-F7824CF86520}\stubpath = "C:\\Windows\\{8C21B718-53D2-4647-B271-F7824CF86520}.exe"	{498B957C-6631-4399-B753-56F494B4747B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D97300F4-19B3-43bd-9BCE-3D85D88D71F9}	{5EB94C0C-AF42-4d22-9A0B-1D30A33E8BB8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{498B957C-6631-4399-B753-56F494B4747B}\stubpath = "C:\\Windows\\{498B957C-6631-4399-B753-56F494B4747B}.exe"	{FA1DBCEC-196C-4b1c-80F8-5C21A8B951F1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5EB94C0C-AF42-4d22-9A0B-1D30A33E8BB8}\stubpath = "C:\\Windows\\{5EB94C0C-AF42-4d22-9A0B-1D30A33E8BB8}.exe"	{8C21B718-53D2-4647-B271-F7824CF86520}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{683E7D81-A9F2-49ec-91AB-4CB3A47CE65D}	{BB20D6E4-753B-42a0-89FB-FEF85DDC28D5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{683E7D81-A9F2-49ec-91AB-4CB3A47CE65D}\stubpath = "C:\\Windows\\{683E7D81-A9F2-49ec-91AB-4CB3A47CE65D}.exe"	{BB20D6E4-753B-42a0-89FB-FEF85DDC28D5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A5B16D6B-2EB9-4e2d-9311-FB207B9097CA}	{79DC4B9A-BDC9-40c7-BC93-5D92FC5A6F0B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{58048389-8AE0-40a5-A9D4-96976792F815}\stubpath = "C:\\Windows\\{58048389-8AE0-40a5-A9D4-96976792F815}.exe"	{A5B16D6B-2EB9-4e2d-9311-FB207B9097CA}.exe

Deletes itself 1 IoCs

pid	Process
2540	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2184	{A30F80E4-0610-425c-B8FF-8B47ED126D4B}.exe
2604	{FA1DBCEC-196C-4b1c-80F8-5C21A8B951F1}.exe
2588	{498B957C-6631-4399-B753-56F494B4747B}.exe
2532	{8C21B718-53D2-4647-B271-F7824CF86520}.exe
2036	{5EB94C0C-AF42-4d22-9A0B-1D30A33E8BB8}.exe
2420	{D97300F4-19B3-43bd-9BCE-3D85D88D71F9}.exe
1752	{BB20D6E4-753B-42a0-89FB-FEF85DDC28D5}.exe
1632	{683E7D81-A9F2-49ec-91AB-4CB3A47CE65D}.exe
2792	{79DC4B9A-BDC9-40c7-BC93-5D92FC5A6F0B}.exe
2136	{A5B16D6B-2EB9-4e2d-9311-FB207B9097CA}.exe
1484	{58048389-8AE0-40a5-A9D4-96976792F815}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{498B957C-6631-4399-B753-56F494B4747B}.exe	{FA1DBCEC-196C-4b1c-80F8-5C21A8B951F1}.exe
File created	C:\Windows\{8C21B718-53D2-4647-B271-F7824CF86520}.exe	{498B957C-6631-4399-B753-56F494B4747B}.exe
File created	C:\Windows\{5EB94C0C-AF42-4d22-9A0B-1D30A33E8BB8}.exe	{8C21B718-53D2-4647-B271-F7824CF86520}.exe
File created	C:\Windows\{A5B16D6B-2EB9-4e2d-9311-FB207B9097CA}.exe	{79DC4B9A-BDC9-40c7-BC93-5D92FC5A6F0B}.exe
File created	C:\Windows\{FA1DBCEC-196C-4b1c-80F8-5C21A8B951F1}.exe	{A30F80E4-0610-425c-B8FF-8B47ED126D4B}.exe
File created	C:\Windows\{D97300F4-19B3-43bd-9BCE-3D85D88D71F9}.exe	{5EB94C0C-AF42-4d22-9A0B-1D30A33E8BB8}.exe
File created	C:\Windows\{BB20D6E4-753B-42a0-89FB-FEF85DDC28D5}.exe	{D97300F4-19B3-43bd-9BCE-3D85D88D71F9}.exe
File created	C:\Windows\{683E7D81-A9F2-49ec-91AB-4CB3A47CE65D}.exe	{BB20D6E4-753B-42a0-89FB-FEF85DDC28D5}.exe
File created	C:\Windows\{79DC4B9A-BDC9-40c7-BC93-5D92FC5A6F0B}.exe	{683E7D81-A9F2-49ec-91AB-4CB3A47CE65D}.exe
File created	C:\Windows\{58048389-8AE0-40a5-A9D4-96976792F815}.exe	{A5B16D6B-2EB9-4e2d-9311-FB207B9097CA}.exe
File created	C:\Windows\{A30F80E4-0610-425c-B8FF-8B47ED126D4B}.exe	2024-02-11_5a9169891ded4607a2407de402ba40d3_goldeneye.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2904	2024-02-11_5a9169891ded4607a2407de402ba40d3_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2184	{A30F80E4-0610-425c-B8FF-8B47ED126D4B}.exe
Token: SeIncBasePriorityPrivilege	2604	{FA1DBCEC-196C-4b1c-80F8-5C21A8B951F1}.exe
Token: SeIncBasePriorityPrivilege	2588	{498B957C-6631-4399-B753-56F494B4747B}.exe
Token: SeIncBasePriorityPrivilege	2532	{8C21B718-53D2-4647-B271-F7824CF86520}.exe
Token: SeIncBasePriorityPrivilege	2036	{5EB94C0C-AF42-4d22-9A0B-1D30A33E8BB8}.exe
Token: SeIncBasePriorityPrivilege	2420	{D97300F4-19B3-43bd-9BCE-3D85D88D71F9}.exe
Token: SeIncBasePriorityPrivilege	1752	{BB20D6E4-753B-42a0-89FB-FEF85DDC28D5}.exe
Token: SeIncBasePriorityPrivilege	1632	{683E7D81-A9F2-49ec-91AB-4CB3A47CE65D}.exe
Token: SeIncBasePriorityPrivilege	2792	{79DC4B9A-BDC9-40c7-BC93-5D92FC5A6F0B}.exe
Token: SeIncBasePriorityPrivilege	2136	{A5B16D6B-2EB9-4e2d-9311-FB207B9097CA}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2904 wrote to memory of 2184	2904	2024-02-11_5a9169891ded4607a2407de402ba40d3_goldeneye.exe	28
PID 2904 wrote to memory of 2184	2904	2024-02-11_5a9169891ded4607a2407de402ba40d3_goldeneye.exe	28
PID 2904 wrote to memory of 2184	2904	2024-02-11_5a9169891ded4607a2407de402ba40d3_goldeneye.exe	28
PID 2904 wrote to memory of 2184	2904	2024-02-11_5a9169891ded4607a2407de402ba40d3_goldeneye.exe	28
PID 2904 wrote to memory of 2540	2904	2024-02-11_5a9169891ded4607a2407de402ba40d3_goldeneye.exe	29
PID 2904 wrote to memory of 2540	2904	2024-02-11_5a9169891ded4607a2407de402ba40d3_goldeneye.exe	29
PID 2904 wrote to memory of 2540	2904	2024-02-11_5a9169891ded4607a2407de402ba40d3_goldeneye.exe	29
PID 2904 wrote to memory of 2540	2904	2024-02-11_5a9169891ded4607a2407de402ba40d3_goldeneye.exe	29
PID 2184 wrote to memory of 2604	2184	{A30F80E4-0610-425c-B8FF-8B47ED126D4B}.exe	30
PID 2184 wrote to memory of 2604	2184	{A30F80E4-0610-425c-B8FF-8B47ED126D4B}.exe	30
PID 2184 wrote to memory of 2604	2184	{A30F80E4-0610-425c-B8FF-8B47ED126D4B}.exe	30
PID 2184 wrote to memory of 2604	2184	{A30F80E4-0610-425c-B8FF-8B47ED126D4B}.exe	30
PID 2184 wrote to memory of 2672	2184	{A30F80E4-0610-425c-B8FF-8B47ED126D4B}.exe	31
PID 2184 wrote to memory of 2672	2184	{A30F80E4-0610-425c-B8FF-8B47ED126D4B}.exe	31
PID 2184 wrote to memory of 2672	2184	{A30F80E4-0610-425c-B8FF-8B47ED126D4B}.exe	31
PID 2184 wrote to memory of 2672	2184	{A30F80E4-0610-425c-B8FF-8B47ED126D4B}.exe	31
PID 2604 wrote to memory of 2588	2604	{FA1DBCEC-196C-4b1c-80F8-5C21A8B951F1}.exe	32
PID 2604 wrote to memory of 2588	2604	{FA1DBCEC-196C-4b1c-80F8-5C21A8B951F1}.exe	32
PID 2604 wrote to memory of 2588	2604	{FA1DBCEC-196C-4b1c-80F8-5C21A8B951F1}.exe	32
PID 2604 wrote to memory of 2588	2604	{FA1DBCEC-196C-4b1c-80F8-5C21A8B951F1}.exe	32
PID 2604 wrote to memory of 2724	2604	{FA1DBCEC-196C-4b1c-80F8-5C21A8B951F1}.exe	33
PID 2604 wrote to memory of 2724	2604	{FA1DBCEC-196C-4b1c-80F8-5C21A8B951F1}.exe	33
PID 2604 wrote to memory of 2724	2604	{FA1DBCEC-196C-4b1c-80F8-5C21A8B951F1}.exe	33
PID 2604 wrote to memory of 2724	2604	{FA1DBCEC-196C-4b1c-80F8-5C21A8B951F1}.exe	33
PID 2588 wrote to memory of 2532	2588	{498B957C-6631-4399-B753-56F494B4747B}.exe	37
PID 2588 wrote to memory of 2532	2588	{498B957C-6631-4399-B753-56F494B4747B}.exe	37
PID 2588 wrote to memory of 2532	2588	{498B957C-6631-4399-B753-56F494B4747B}.exe	37
PID 2588 wrote to memory of 2532	2588	{498B957C-6631-4399-B753-56F494B4747B}.exe	37
PID 2588 wrote to memory of 2924	2588	{498B957C-6631-4399-B753-56F494B4747B}.exe	36
PID 2588 wrote to memory of 2924	2588	{498B957C-6631-4399-B753-56F494B4747B}.exe	36
PID 2588 wrote to memory of 2924	2588	{498B957C-6631-4399-B753-56F494B4747B}.exe	36
PID 2588 wrote to memory of 2924	2588	{498B957C-6631-4399-B753-56F494B4747B}.exe	36
PID 2532 wrote to memory of 2036	2532	{8C21B718-53D2-4647-B271-F7824CF86520}.exe	38
PID 2532 wrote to memory of 2036	2532	{8C21B718-53D2-4647-B271-F7824CF86520}.exe	38
PID 2532 wrote to memory of 2036	2532	{8C21B718-53D2-4647-B271-F7824CF86520}.exe	38
PID 2532 wrote to memory of 2036	2532	{8C21B718-53D2-4647-B271-F7824CF86520}.exe	38
PID 2532 wrote to memory of 960	2532	{8C21B718-53D2-4647-B271-F7824CF86520}.exe	39
PID 2532 wrote to memory of 960	2532	{8C21B718-53D2-4647-B271-F7824CF86520}.exe	39
PID 2532 wrote to memory of 960	2532	{8C21B718-53D2-4647-B271-F7824CF86520}.exe	39
PID 2532 wrote to memory of 960	2532	{8C21B718-53D2-4647-B271-F7824CF86520}.exe	39
PID 2036 wrote to memory of 2420	2036	{5EB94C0C-AF42-4d22-9A0B-1D30A33E8BB8}.exe	41
PID 2036 wrote to memory of 2420	2036	{5EB94C0C-AF42-4d22-9A0B-1D30A33E8BB8}.exe	41
PID 2036 wrote to memory of 2420	2036	{5EB94C0C-AF42-4d22-9A0B-1D30A33E8BB8}.exe	41
PID 2036 wrote to memory of 2420	2036	{5EB94C0C-AF42-4d22-9A0B-1D30A33E8BB8}.exe	41
PID 2036 wrote to memory of 1684	2036	{5EB94C0C-AF42-4d22-9A0B-1D30A33E8BB8}.exe	40
PID 2036 wrote to memory of 1684	2036	{5EB94C0C-AF42-4d22-9A0B-1D30A33E8BB8}.exe	40
PID 2036 wrote to memory of 1684	2036	{5EB94C0C-AF42-4d22-9A0B-1D30A33E8BB8}.exe	40
PID 2036 wrote to memory of 1684	2036	{5EB94C0C-AF42-4d22-9A0B-1D30A33E8BB8}.exe	40
PID 2420 wrote to memory of 1752	2420	{D97300F4-19B3-43bd-9BCE-3D85D88D71F9}.exe	43
PID 2420 wrote to memory of 1752	2420	{D97300F4-19B3-43bd-9BCE-3D85D88D71F9}.exe	43
PID 2420 wrote to memory of 1752	2420	{D97300F4-19B3-43bd-9BCE-3D85D88D71F9}.exe	43
PID 2420 wrote to memory of 1752	2420	{D97300F4-19B3-43bd-9BCE-3D85D88D71F9}.exe	43
PID 2420 wrote to memory of 2680	2420	{D97300F4-19B3-43bd-9BCE-3D85D88D71F9}.exe	42
PID 2420 wrote to memory of 2680	2420	{D97300F4-19B3-43bd-9BCE-3D85D88D71F9}.exe	42
PID 2420 wrote to memory of 2680	2420	{D97300F4-19B3-43bd-9BCE-3D85D88D71F9}.exe	42
PID 2420 wrote to memory of 2680	2420	{D97300F4-19B3-43bd-9BCE-3D85D88D71F9}.exe	42
PID 1752 wrote to memory of 1632	1752	{BB20D6E4-753B-42a0-89FB-FEF85DDC28D5}.exe	45
PID 1752 wrote to memory of 1632	1752	{BB20D6E4-753B-42a0-89FB-FEF85DDC28D5}.exe	45
PID 1752 wrote to memory of 1632	1752	{BB20D6E4-753B-42a0-89FB-FEF85DDC28D5}.exe	45
PID 1752 wrote to memory of 1632	1752	{BB20D6E4-753B-42a0-89FB-FEF85DDC28D5}.exe	45
PID 1752 wrote to memory of 1532	1752	{BB20D6E4-753B-42a0-89FB-FEF85DDC28D5}.exe	44
PID 1752 wrote to memory of 1532	1752	{BB20D6E4-753B-42a0-89FB-FEF85DDC28D5}.exe	44
PID 1752 wrote to memory of 1532	1752	{BB20D6E4-753B-42a0-89FB-FEF85DDC28D5}.exe	44
PID 1752 wrote to memory of 1532	1752	{BB20D6E4-753B-42a0-89FB-FEF85DDC28D5}.exe	44

C:\Users\Admin\AppData\Local\Temp\2024-02-11_5a9169891ded4607a2407de402ba40d3_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-11_5a9169891ded4607a2407de402ba40d3_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2904
- C:\Windows\{A30F80E4-0610-425c-B8FF-8B47ED126D4B}.exe
  C:\Windows\{A30F80E4-0610-425c-B8FF-8B47ED126D4B}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2184
- - C:\Windows\{FA1DBCEC-196C-4b1c-80F8-5C21A8B951F1}.exe
    C:\Windows\{FA1DBCEC-196C-4b1c-80F8-5C21A8B951F1}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2604
  - - C:\Windows\{498B957C-6631-4399-B753-56F494B4747B}.exe
      C:\Windows\{498B957C-6631-4399-B753-56F494B4747B}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2588
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{498B9~1.EXE > nul
        5⤵
        
        PID:2924
    - - C:\Windows\{8C21B718-53D2-4647-B271-F7824CF86520}.exe
        
        C:\Windows\{8C21B718-53D2-4647-B271-F7824CF86520}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2532
      - C:\Windows\{5EB94C0C-AF42-4d22-9A0B-1D30A33E8BB8}.exe
        
        C:\Windows\{5EB94C0C-AF42-4d22-9A0B-1D30A33E8BB8}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5EB94~1.EXE > nul
        7⤵
        
        PID:1684
        
        C:\Windows\{D97300F4-19B3-43bd-9BCE-3D85D88D71F9}.exe
        
        C:\Windows\{D97300F4-19B3-43bd-9BCE-3D85D88D71F9}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D9730~1.EXE > nul
        8⤵
        
        PID:2680
        
        C:\Windows\{BB20D6E4-753B-42a0-89FB-FEF85DDC28D5}.exe
        
        C:\Windows\{BB20D6E4-753B-42a0-89FB-FEF85DDC28D5}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BB20D~1.EXE > nul
        9⤵
        
        PID:1532
        
        C:\Windows\{683E7D81-A9F2-49ec-91AB-4CB3A47CE65D}.exe
        
        C:\Windows\{683E7D81-A9F2-49ec-91AB-4CB3A47CE65D}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{683E7~1.EXE > nul
        10⤵
        
        PID:2284
        
        C:\Windows\{79DC4B9A-BDC9-40c7-BC93-5D92FC5A6F0B}.exe
        
        C:\Windows\{79DC4B9A-BDC9-40c7-BC93-5D92FC5A6F0B}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{79DC4~1.EXE > nul
        11⤵
        
        PID:604
        
        C:\Windows\{A5B16D6B-2EB9-4e2d-9311-FB207B9097CA}.exe
        
        C:\Windows\{A5B16D6B-2EB9-4e2d-9311-FB207B9097CA}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2136
        
        C:\Windows\{58048389-8AE0-40a5-A9D4-96976792F815}.exe
        
        C:\Windows\{58048389-8AE0-40a5-A9D4-96976792F815}.exe
        12⤵
        Executes dropped EXE
        
        PID:1484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A5B16~1.EXE > nul
        12⤵
        
        PID:1060
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8C21B~1.EXE > nul
        6⤵
        
        PID:960
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{FA1DB~1.EXE > nul
      4⤵
      PID:2724
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{A30F8~1.EXE > nul
    3⤵
    PID:2672
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{498B957C-6631-4399-B753-56F494B4747B}.exe

Filesize
216KB

MD5
cfa0c902cea5020a9e346c6cdcf59bd4

SHA1
503529dd1429ef8fe39883155da71a9567e98dd5

SHA256
d96baea6c8075b64908354dadcb1069418af751913909785c0516b9becebdf31

SHA512
0acd6bc9fbf74c4172e0805cc896450930a63d6c60a664c5a709af483577c0f77095eaca3f0fe1b2cfcd63ba44d99f8bb564f3a71899df892ee25e06ef0d06a2

Download Submit
C:\Windows\{58048389-8AE0-40a5-A9D4-96976792F815}.exe

Filesize
216KB

MD5
ab5ac7d963e2a19c77bbbdac524c26de

SHA1
2d7a4e3b9e55c7ab53a4dab6ba7c63f52915e7bd

SHA256
f218337b198717c9b843091115851f782f4d3940c30757b73516b5bf84c8c673

SHA512
7aba9eed00c9e04c6d173ca86399d05001656e29f5e5e9dbda5cb73de11d5d304e44a67369f5b77d8151ff08e69419938e4f4ebb5a5a61d2f809a48c3706cb19

Download Submit
C:\Windows\{5EB94C0C-AF42-4d22-9A0B-1D30A33E8BB8}.exe

Filesize
216KB

MD5
24633fdba158187e6f8af2bbcf777464

SHA1
1ec7b3e8aaf5e68ec630730998b085c7c83bec7e

SHA256
bc271450abc5c4fc66fc2c3398c52053811a2f3b05c0aa1f4553fc05376022b5

SHA512
6c58d6602c91a53e159238f3b2f43811ca17e89e0303231ab4e7c55aa56286e0c02476c5ac53253602c106161be68b515f5d67cbdd9b2c4368636f1e122f4620

Download Submit
C:\Windows\{683E7D81-A9F2-49ec-91AB-4CB3A47CE65D}.exe

Filesize
216KB

MD5
1c8464e4c2f15bc3e76295a66ba6ed98

SHA1
c83742a83d83a9e3fcd42bcce049d7ea31caa6f1

SHA256
24ec81aba5f73bf2014fae5d87b5f88201d8d29a43346d80b63a20d3c68bf81a

SHA512
a89edbe7070b878a765308ecd65a8a5aff4c316899d1a0d78107fdd954848c0172eb727e5afc20be467f45536bc94679fde15995bd0f158e47ade9a263824548

Download Submit
C:\Windows\{79DC4B9A-BDC9-40c7-BC93-5D92FC5A6F0B}.exe

Filesize
216KB

MD5
038be5d9d704df9acf976229925aadfb

SHA1
8ebd9e50e4470a6769644a23b61838a7de31f83a

SHA256
df388d3bbcc2fe2a52199d67aab0320a5cefb9dc68933d20c329bdf0df0ee062

SHA512
a0f486603f10e7cc12cd4db2145f6849d6264ddb8655fa2577378459ad387ea62d22e9efbbc5ecc4b721cf2df4389fc93980566043ed2b9fcedf439915824a16

Download Submit
C:\Windows\{8C21B718-53D2-4647-B271-F7824CF86520}.exe

Filesize
216KB

MD5
605d965019997fb2e090044281827579

SHA1
7b07bf37e493e0302e9dc8621e55417b001a7643

SHA256
48e3f9a46835bde30dbd1fbe029a0f8bf0b28bbdaad6df693d83893c463852ea

SHA512
e4cc3ab9d47d0dd7c4f1b1cf622e6c0ae4f42a6fa9207889e879589e26c83e6a4928a433572064407d0d7ee54f49b8d51bf1469bc86b2106fa7ba234ea821357

Download Submit
C:\Windows\{A30F80E4-0610-425c-B8FF-8B47ED126D4B}.exe

Filesize
216KB

MD5
7f335e8a17ecdd5fb9826abeed702a5b

SHA1
7d3e98f1b1c40753f3d5ae0f93f842c8ef735d04

SHA256
29eac3d2d5ac565863350c6387a72237306b95e24ce575060b642e5d7d7469d1

SHA512
c226147fd967720f603a82bcae541ce860d56aab6d788e9de7613028090268fdb3f145181f272ed8dd21489c684e7a9b109917d8eda4c70a8bf3293f80140a9d

Download Submit
C:\Windows\{A5B16D6B-2EB9-4e2d-9311-FB207B9097CA}.exe

Filesize
216KB

MD5
a67671979dbe88c55e44c91dc2d49db9

SHA1
9c4d6b62e221c4fcf9f5aa5555cd58389fc02fe8

SHA256
0ef5680137a6ad8ff842a5e40e1536bc7c2fcadbf77e0b58628b5873ef718ce4

SHA512
6c77260c4e89de377b33e7a15c511c3f5eabf50b58386a3fc1a358a1c66d9c95513944acb249a297b25cfc71c92c0816fb8c0ae80668a4c5a2dd106c5c64fd94

Download Submit
C:\Windows\{BB20D6E4-753B-42a0-89FB-FEF85DDC28D5}.exe

Filesize
216KB

MD5
96bec28d73b15dc0510c0eeb928b9bfe

SHA1
9851cbcf3c7c825ef0b3c6d162c2246db6723c30

SHA256
d74c14e7c8227cc6d2bac9fa9962a887e9879ab626a50348da583ef0b1260e58

SHA512
2789ab507d0a690a7ba362f2eae5db228180e4e878bcdeb124df290e9bcf5fe991cd3b9de7ec12699c356f044206fdfa75affc6c119b46e34beece37ba9ba2be

Download Submit
C:\Windows\{D97300F4-19B3-43bd-9BCE-3D85D88D71F9}.exe

Filesize
216KB

MD5
baac74bf277335153fc22edd35be4163

SHA1
70dcc9a7dedc24b3b1203444afafe939f7ba5da7

SHA256
ced27d76887d2d9af8f422c0702b76e851b5b5700d147e6be1778ed39f2c5481

SHA512
5e3027d7198d48c481fcaa6fb90298c914749b7765cffef70a18ad76f154ec044ff267571949a5356c275d9d873876560cedaae3985387e9aaf58c20e304632b

Download Submit
C:\Windows\{FA1DBCEC-196C-4b1c-80F8-5C21A8B951F1}.exe

Filesize
216KB

MD5
adab58ab2a901848c8e5cdb4fd51c0cd

SHA1
86f3f69cc4f97bb7ffd58c2926f3a631b6846adb

SHA256
600994ab9b0c77eb5010e7cd9124d70ed5f803ebaeee3fc0b7c87ba8ee61de86

SHA512
59b77251f0a3f968009d40e52c71a8fdbaab1d18b8177b1c0ecb2fb731d739317eb3cb95aa41e521112996e6f267b61fa463c17736cf2b750bdef876a4e47632

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads