93521e466a28b9ebc5e2f2f0d913c831d7ac738bba8ae1fdf78ef86ae5f80714

Analysis

max time kernel
144s
max time network
123s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
14/02/2024, 16:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-14_f593dd5d1b21d67c3f9fad68d5bfee20_goldeneye.exe
Size

197KB
MD5

f593dd5d1b21d67c3f9fad68d5bfee20
SHA1

37d964ec7552ce27de1d9f03a5a24a515e5a3320
SHA256

93521e466a28b9ebc5e2f2f0d913c831d7ac738bba8ae1fdf78ef86ae5f80714
SHA512

1bd1915876695b75a9c386ed2b368999b7d064b2f9bca1e5f1fe1dcd41ada7e55ec4802f5d6428bb8b5c424d9d1d371dc83bab0ea1ac8c505afb33735f99a982
SSDEEP

3072:jEGh0orl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGdlEeKcAEca

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000d00000001225c-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b000000014177-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e00000001225c-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0031000000015d50-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f00000001225c-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001000000001225c-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001100000001225c-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A83E8400-2ADB-41d6-AAA2-A423CF8E8587}	{7ECBF6A1-A5AC-4645-94B1-7A2C5D00D7F4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3F8F05DC-4529-404d-853A-E804B8D732D0}	{5B6F57E5-AF90-4a18-9326-69F3BF709A73}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3F1A8314-D9C0-4e57-8794-6D4BF29D66C5}	{3F8F05DC-4529-404d-853A-E804B8D732D0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3F1A8314-D9C0-4e57-8794-6D4BF29D66C5}\stubpath = "C:\\Windows\\{3F1A8314-D9C0-4e57-8794-6D4BF29D66C5}.exe"	{3F8F05DC-4529-404d-853A-E804B8D732D0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FB2B970A-3137-4965-A8D3-A1852552C9A7}\stubpath = "C:\\Windows\\{FB2B970A-3137-4965-A8D3-A1852552C9A7}.exe"	{94B527E0-FE3F-4c1c-A1EA-BF25074AE01B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E35C50EC-9A15-4f64-A525-E2FF1D5A1F19}	{97FBB3F9-4B2E-4695-B869-376F8626FB2D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7ECBF6A1-A5AC-4645-94B1-7A2C5D00D7F4}	{E35C50EC-9A15-4f64-A525-E2FF1D5A1F19}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7ECBF6A1-A5AC-4645-94B1-7A2C5D00D7F4}\stubpath = "C:\\Windows\\{7ECBF6A1-A5AC-4645-94B1-7A2C5D00D7F4}.exe"	{E35C50EC-9A15-4f64-A525-E2FF1D5A1F19}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A83E8400-2ADB-41d6-AAA2-A423CF8E8587}\stubpath = "C:\\Windows\\{A83E8400-2ADB-41d6-AAA2-A423CF8E8587}.exe"	{7ECBF6A1-A5AC-4645-94B1-7A2C5D00D7F4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3F8F05DC-4529-404d-853A-E804B8D732D0}\stubpath = "C:\\Windows\\{3F8F05DC-4529-404d-853A-E804B8D732D0}.exe"	{5B6F57E5-AF90-4a18-9326-69F3BF709A73}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A3116147-24C0-439d-A867-8A5945BDEC1E}	{B7ACA72B-BC1C-4d5f-B6AE-BB40D35E86C6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A3116147-24C0-439d-A867-8A5945BDEC1E}\stubpath = "C:\\Windows\\{A3116147-24C0-439d-A867-8A5945BDEC1E}.exe"	{B7ACA72B-BC1C-4d5f-B6AE-BB40D35E86C6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B7ACA72B-BC1C-4d5f-B6AE-BB40D35E86C6}\stubpath = "C:\\Windows\\{B7ACA72B-BC1C-4d5f-B6AE-BB40D35E86C6}.exe"	{3F1A8314-D9C0-4e57-8794-6D4BF29D66C5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{94B527E0-FE3F-4c1c-A1EA-BF25074AE01B}	{A3116147-24C0-439d-A867-8A5945BDEC1E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{94B527E0-FE3F-4c1c-A1EA-BF25074AE01B}\stubpath = "C:\\Windows\\{94B527E0-FE3F-4c1c-A1EA-BF25074AE01B}.exe"	{A3116147-24C0-439d-A867-8A5945BDEC1E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{97FBB3F9-4B2E-4695-B869-376F8626FB2D}	{FB2B970A-3137-4965-A8D3-A1852552C9A7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{97FBB3F9-4B2E-4695-B869-376F8626FB2D}\stubpath = "C:\\Windows\\{97FBB3F9-4B2E-4695-B869-376F8626FB2D}.exe"	{FB2B970A-3137-4965-A8D3-A1852552C9A7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5B6F57E5-AF90-4a18-9326-69F3BF709A73}	2024-02-14_f593dd5d1b21d67c3f9fad68d5bfee20_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5B6F57E5-AF90-4a18-9326-69F3BF709A73}\stubpath = "C:\\Windows\\{5B6F57E5-AF90-4a18-9326-69F3BF709A73}.exe"	2024-02-14_f593dd5d1b21d67c3f9fad68d5bfee20_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B7ACA72B-BC1C-4d5f-B6AE-BB40D35E86C6}	{3F1A8314-D9C0-4e57-8794-6D4BF29D66C5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FB2B970A-3137-4965-A8D3-A1852552C9A7}	{94B527E0-FE3F-4c1c-A1EA-BF25074AE01B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E35C50EC-9A15-4f64-A525-E2FF1D5A1F19}\stubpath = "C:\\Windows\\{E35C50EC-9A15-4f64-A525-E2FF1D5A1F19}.exe"	{97FBB3F9-4B2E-4695-B869-376F8626FB2D}.exe

Deletes itself 1 IoCs

pid	Process
2700	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2264	{5B6F57E5-AF90-4a18-9326-69F3BF709A73}.exe
2556	{3F8F05DC-4529-404d-853A-E804B8D732D0}.exe
2724	{3F1A8314-D9C0-4e57-8794-6D4BF29D66C5}.exe
1960	{B7ACA72B-BC1C-4d5f-B6AE-BB40D35E86C6}.exe
1820	{A3116147-24C0-439d-A867-8A5945BDEC1E}.exe
1980	{94B527E0-FE3F-4c1c-A1EA-BF25074AE01B}.exe
2212	{FB2B970A-3137-4965-A8D3-A1852552C9A7}.exe
772	{97FBB3F9-4B2E-4695-B869-376F8626FB2D}.exe
2256	{E35C50EC-9A15-4f64-A525-E2FF1D5A1F19}.exe
488	{7ECBF6A1-A5AC-4645-94B1-7A2C5D00D7F4}.exe
2908	{A83E8400-2ADB-41d6-AAA2-A423CF8E8587}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{97FBB3F9-4B2E-4695-B869-376F8626FB2D}.exe	{FB2B970A-3137-4965-A8D3-A1852552C9A7}.exe
File created	C:\Windows\{5B6F57E5-AF90-4a18-9326-69F3BF709A73}.exe	2024-02-14_f593dd5d1b21d67c3f9fad68d5bfee20_goldeneye.exe
File created	C:\Windows\{3F8F05DC-4529-404d-853A-E804B8D732D0}.exe	{5B6F57E5-AF90-4a18-9326-69F3BF709A73}.exe
File created	C:\Windows\{3F1A8314-D9C0-4e57-8794-6D4BF29D66C5}.exe	{3F8F05DC-4529-404d-853A-E804B8D732D0}.exe
File created	C:\Windows\{B7ACA72B-BC1C-4d5f-B6AE-BB40D35E86C6}.exe	{3F1A8314-D9C0-4e57-8794-6D4BF29D66C5}.exe
File created	C:\Windows\{A3116147-24C0-439d-A867-8A5945BDEC1E}.exe	{B7ACA72B-BC1C-4d5f-B6AE-BB40D35E86C6}.exe
File created	C:\Windows\{94B527E0-FE3F-4c1c-A1EA-BF25074AE01B}.exe	{A3116147-24C0-439d-A867-8A5945BDEC1E}.exe
File created	C:\Windows\{FB2B970A-3137-4965-A8D3-A1852552C9A7}.exe	{94B527E0-FE3F-4c1c-A1EA-BF25074AE01B}.exe
File created	C:\Windows\{E35C50EC-9A15-4f64-A525-E2FF1D5A1F19}.exe	{97FBB3F9-4B2E-4695-B869-376F8626FB2D}.exe
File created	C:\Windows\{7ECBF6A1-A5AC-4645-94B1-7A2C5D00D7F4}.exe	{E35C50EC-9A15-4f64-A525-E2FF1D5A1F19}.exe
File created	C:\Windows\{A83E8400-2ADB-41d6-AAA2-A423CF8E8587}.exe	{7ECBF6A1-A5AC-4645-94B1-7A2C5D00D7F4}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2016	2024-02-14_f593dd5d1b21d67c3f9fad68d5bfee20_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2264	{5B6F57E5-AF90-4a18-9326-69F3BF709A73}.exe
Token: SeIncBasePriorityPrivilege	2556	{3F8F05DC-4529-404d-853A-E804B8D732D0}.exe
Token: SeIncBasePriorityPrivilege	2724	{3F1A8314-D9C0-4e57-8794-6D4BF29D66C5}.exe
Token: SeIncBasePriorityPrivilege	1960	{B7ACA72B-BC1C-4d5f-B6AE-BB40D35E86C6}.exe
Token: SeIncBasePriorityPrivilege	1820	{A3116147-24C0-439d-A867-8A5945BDEC1E}.exe
Token: SeIncBasePriorityPrivilege	1980	{94B527E0-FE3F-4c1c-A1EA-BF25074AE01B}.exe
Token: SeIncBasePriorityPrivilege	2212	{FB2B970A-3137-4965-A8D3-A1852552C9A7}.exe
Token: SeIncBasePriorityPrivilege	772	{97FBB3F9-4B2E-4695-B869-376F8626FB2D}.exe
Token: SeIncBasePriorityPrivilege	2256	{E35C50EC-9A15-4f64-A525-E2FF1D5A1F19}.exe
Token: SeIncBasePriorityPrivilege	488	{7ECBF6A1-A5AC-4645-94B1-7A2C5D00D7F4}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2016 wrote to memory of 2264	2016	2024-02-14_f593dd5d1b21d67c3f9fad68d5bfee20_goldeneye.exe	28
PID 2016 wrote to memory of 2264	2016	2024-02-14_f593dd5d1b21d67c3f9fad68d5bfee20_goldeneye.exe	28
PID 2016 wrote to memory of 2264	2016	2024-02-14_f593dd5d1b21d67c3f9fad68d5bfee20_goldeneye.exe	28
PID 2016 wrote to memory of 2264	2016	2024-02-14_f593dd5d1b21d67c3f9fad68d5bfee20_goldeneye.exe	28
PID 2016 wrote to memory of 2700	2016	2024-02-14_f593dd5d1b21d67c3f9fad68d5bfee20_goldeneye.exe	29
PID 2016 wrote to memory of 2700	2016	2024-02-14_f593dd5d1b21d67c3f9fad68d5bfee20_goldeneye.exe	29
PID 2016 wrote to memory of 2700	2016	2024-02-14_f593dd5d1b21d67c3f9fad68d5bfee20_goldeneye.exe	29
PID 2016 wrote to memory of 2700	2016	2024-02-14_f593dd5d1b21d67c3f9fad68d5bfee20_goldeneye.exe	29
PID 2264 wrote to memory of 2556	2264	{5B6F57E5-AF90-4a18-9326-69F3BF709A73}.exe	30
PID 2264 wrote to memory of 2556	2264	{5B6F57E5-AF90-4a18-9326-69F3BF709A73}.exe	30
PID 2264 wrote to memory of 2556	2264	{5B6F57E5-AF90-4a18-9326-69F3BF709A73}.exe	30
PID 2264 wrote to memory of 2556	2264	{5B6F57E5-AF90-4a18-9326-69F3BF709A73}.exe	30
PID 2264 wrote to memory of 2712	2264	{5B6F57E5-AF90-4a18-9326-69F3BF709A73}.exe	31
PID 2264 wrote to memory of 2712	2264	{5B6F57E5-AF90-4a18-9326-69F3BF709A73}.exe	31
PID 2264 wrote to memory of 2712	2264	{5B6F57E5-AF90-4a18-9326-69F3BF709A73}.exe	31
PID 2264 wrote to memory of 2712	2264	{5B6F57E5-AF90-4a18-9326-69F3BF709A73}.exe	31
PID 2556 wrote to memory of 2724	2556	{3F8F05DC-4529-404d-853A-E804B8D732D0}.exe	32
PID 2556 wrote to memory of 2724	2556	{3F8F05DC-4529-404d-853A-E804B8D732D0}.exe	32
PID 2556 wrote to memory of 2724	2556	{3F8F05DC-4529-404d-853A-E804B8D732D0}.exe	32
PID 2556 wrote to memory of 2724	2556	{3F8F05DC-4529-404d-853A-E804B8D732D0}.exe	32
PID 2556 wrote to memory of 2500	2556	{3F8F05DC-4529-404d-853A-E804B8D732D0}.exe	33
PID 2556 wrote to memory of 2500	2556	{3F8F05DC-4529-404d-853A-E804B8D732D0}.exe	33
PID 2556 wrote to memory of 2500	2556	{3F8F05DC-4529-404d-853A-E804B8D732D0}.exe	33
PID 2556 wrote to memory of 2500	2556	{3F8F05DC-4529-404d-853A-E804B8D732D0}.exe	33
PID 2724 wrote to memory of 1960	2724	{3F1A8314-D9C0-4e57-8794-6D4BF29D66C5}.exe	36
PID 2724 wrote to memory of 1960	2724	{3F1A8314-D9C0-4e57-8794-6D4BF29D66C5}.exe	36
PID 2724 wrote to memory of 1960	2724	{3F1A8314-D9C0-4e57-8794-6D4BF29D66C5}.exe	36
PID 2724 wrote to memory of 1960	2724	{3F1A8314-D9C0-4e57-8794-6D4BF29D66C5}.exe	36
PID 2724 wrote to memory of 2152	2724	{3F1A8314-D9C0-4e57-8794-6D4BF29D66C5}.exe	37
PID 2724 wrote to memory of 2152	2724	{3F1A8314-D9C0-4e57-8794-6D4BF29D66C5}.exe	37
PID 2724 wrote to memory of 2152	2724	{3F1A8314-D9C0-4e57-8794-6D4BF29D66C5}.exe	37
PID 2724 wrote to memory of 2152	2724	{3F1A8314-D9C0-4e57-8794-6D4BF29D66C5}.exe	37
PID 1960 wrote to memory of 1820	1960	{B7ACA72B-BC1C-4d5f-B6AE-BB40D35E86C6}.exe	38
PID 1960 wrote to memory of 1820	1960	{B7ACA72B-BC1C-4d5f-B6AE-BB40D35E86C6}.exe	38
PID 1960 wrote to memory of 1820	1960	{B7ACA72B-BC1C-4d5f-B6AE-BB40D35E86C6}.exe	38
PID 1960 wrote to memory of 1820	1960	{B7ACA72B-BC1C-4d5f-B6AE-BB40D35E86C6}.exe	38
PID 1960 wrote to memory of 2848	1960	{B7ACA72B-BC1C-4d5f-B6AE-BB40D35E86C6}.exe	39
PID 1960 wrote to memory of 2848	1960	{B7ACA72B-BC1C-4d5f-B6AE-BB40D35E86C6}.exe	39
PID 1960 wrote to memory of 2848	1960	{B7ACA72B-BC1C-4d5f-B6AE-BB40D35E86C6}.exe	39
PID 1960 wrote to memory of 2848	1960	{B7ACA72B-BC1C-4d5f-B6AE-BB40D35E86C6}.exe	39
PID 1820 wrote to memory of 1980	1820	{A3116147-24C0-439d-A867-8A5945BDEC1E}.exe	40
PID 1820 wrote to memory of 1980	1820	{A3116147-24C0-439d-A867-8A5945BDEC1E}.exe	40
PID 1820 wrote to memory of 1980	1820	{A3116147-24C0-439d-A867-8A5945BDEC1E}.exe	40
PID 1820 wrote to memory of 1980	1820	{A3116147-24C0-439d-A867-8A5945BDEC1E}.exe	40
PID 1820 wrote to memory of 2148	1820	{A3116147-24C0-439d-A867-8A5945BDEC1E}.exe	41
PID 1820 wrote to memory of 2148	1820	{A3116147-24C0-439d-A867-8A5945BDEC1E}.exe	41
PID 1820 wrote to memory of 2148	1820	{A3116147-24C0-439d-A867-8A5945BDEC1E}.exe	41
PID 1820 wrote to memory of 2148	1820	{A3116147-24C0-439d-A867-8A5945BDEC1E}.exe	41
PID 1980 wrote to memory of 2212	1980	{94B527E0-FE3F-4c1c-A1EA-BF25074AE01B}.exe	43
PID 1980 wrote to memory of 2212	1980	{94B527E0-FE3F-4c1c-A1EA-BF25074AE01B}.exe	43
PID 1980 wrote to memory of 2212	1980	{94B527E0-FE3F-4c1c-A1EA-BF25074AE01B}.exe	43
PID 1980 wrote to memory of 2212	1980	{94B527E0-FE3F-4c1c-A1EA-BF25074AE01B}.exe	43
PID 1980 wrote to memory of 1468	1980	{94B527E0-FE3F-4c1c-A1EA-BF25074AE01B}.exe	42
PID 1980 wrote to memory of 1468	1980	{94B527E0-FE3F-4c1c-A1EA-BF25074AE01B}.exe	42
PID 1980 wrote to memory of 1468	1980	{94B527E0-FE3F-4c1c-A1EA-BF25074AE01B}.exe	42
PID 1980 wrote to memory of 1468	1980	{94B527E0-FE3F-4c1c-A1EA-BF25074AE01B}.exe	42
PID 2212 wrote to memory of 772	2212	{FB2B970A-3137-4965-A8D3-A1852552C9A7}.exe	44
PID 2212 wrote to memory of 772	2212	{FB2B970A-3137-4965-A8D3-A1852552C9A7}.exe	44
PID 2212 wrote to memory of 772	2212	{FB2B970A-3137-4965-A8D3-A1852552C9A7}.exe	44
PID 2212 wrote to memory of 772	2212	{FB2B970A-3137-4965-A8D3-A1852552C9A7}.exe	44
PID 2212 wrote to memory of 1704	2212	{FB2B970A-3137-4965-A8D3-A1852552C9A7}.exe	45
PID 2212 wrote to memory of 1704	2212	{FB2B970A-3137-4965-A8D3-A1852552C9A7}.exe	45
PID 2212 wrote to memory of 1704	2212	{FB2B970A-3137-4965-A8D3-A1852552C9A7}.exe	45
PID 2212 wrote to memory of 1704	2212	{FB2B970A-3137-4965-A8D3-A1852552C9A7}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-02-14_f593dd5d1b21d67c3f9fad68d5bfee20_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-14_f593dd5d1b21d67c3f9fad68d5bfee20_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2016
- C:\Windows\{5B6F57E5-AF90-4a18-9326-69F3BF709A73}.exe
  C:\Windows\{5B6F57E5-AF90-4a18-9326-69F3BF709A73}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2264
- - C:\Windows\{3F8F05DC-4529-404d-853A-E804B8D732D0}.exe
    C:\Windows\{3F8F05DC-4529-404d-853A-E804B8D732D0}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2556
  - - C:\Windows\{3F1A8314-D9C0-4e57-8794-6D4BF29D66C5}.exe
      C:\Windows\{3F1A8314-D9C0-4e57-8794-6D4BF29D66C5}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2724
    - - C:\Windows\{B7ACA72B-BC1C-4d5f-B6AE-BB40D35E86C6}.exe
        
        C:\Windows\{B7ACA72B-BC1C-4d5f-B6AE-BB40D35E86C6}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1960
      - C:\Windows\{A3116147-24C0-439d-A867-8A5945BDEC1E}.exe
        
        C:\Windows\{A3116147-24C0-439d-A867-8A5945BDEC1E}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1820
        
        C:\Windows\{94B527E0-FE3F-4c1c-A1EA-BF25074AE01B}.exe
        
        C:\Windows\{94B527E0-FE3F-4c1c-A1EA-BF25074AE01B}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{94B52~1.EXE > nul
        8⤵
        
        PID:1468
        
        C:\Windows\{FB2B970A-3137-4965-A8D3-A1852552C9A7}.exe
        
        C:\Windows\{FB2B970A-3137-4965-A8D3-A1852552C9A7}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2212
        
        C:\Windows\{97FBB3F9-4B2E-4695-B869-376F8626FB2D}.exe
        
        C:\Windows\{97FBB3F9-4B2E-4695-B869-376F8626FB2D}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:772
        
        C:\Windows\{E35C50EC-9A15-4f64-A525-E2FF1D5A1F19}.exe
        
        C:\Windows\{E35C50EC-9A15-4f64-A525-E2FF1D5A1F19}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2256
        
        C:\Windows\{7ECBF6A1-A5AC-4645-94B1-7A2C5D00D7F4}.exe
        
        C:\Windows\{7ECBF6A1-A5AC-4645-94B1-7A2C5D00D7F4}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:488
        
        C:\Windows\{A83E8400-2ADB-41d6-AAA2-A423CF8E8587}.exe
        
        C:\Windows\{A83E8400-2ADB-41d6-AAA2-A423CF8E8587}.exe
        12⤵
        Executes dropped EXE
        
        PID:2908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7ECBF~1.EXE > nul
        12⤵
        
        PID:564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E35C5~1.EXE > nul
        11⤵
        
        PID:996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{97FBB~1.EXE > nul
        10⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FB2B9~1.EXE > nul
        9⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A3116~1.EXE > nul
        7⤵
        
        PID:2148
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B7ACA~1.EXE > nul
        6⤵
        
        PID:2848
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3F1A8~1.EXE > nul
        5⤵
        
        PID:2152
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{3F8F0~1.EXE > nul
      4⤵
      PID:2500
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{5B6F5~1.EXE > nul
    3⤵
    PID:2712
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{3F1A8314-D9C0-4e57-8794-6D4BF29D66C5}.exe

Filesize
197KB

MD5
8c8face5c5770bead308f4f4c2f3abe7

SHA1
1b918eef86a03916710a54f6829e36a5266615b4

SHA256
f90527dce0fc550a927a2b454663cbec9d585c4bacbd85ec1a8072248a0c4a57

SHA512
27616d67f0df157d1289c64b6b2399a7a5228cc05f56ea8cff7335aed6f94dfad4d638b1e8be2ee7b94130f475ab8a86b305297b36530756ca39f5e884aa174e

Download Submit
C:\Windows\{3F8F05DC-4529-404d-853A-E804B8D732D0}.exe

Filesize
197KB

MD5
ae24ea458e6a6fcbd23799052277beae

SHA1
5a81ad6ff6c71e20bfd8630bda67ce454e25a468

SHA256
8823e8a86be7de267f2c51c6545b0ab547c1edb849b5e0437344a483bc547fe7

SHA512
97a865881001ce61d525939584ea7196f1b33b41aa912cff13b7e4ff591b1656c2777196293d2be0b8e5925925b8b4af6caf9ac31e29db781a572ed2a6ebfc69

Download Submit
C:\Windows\{5B6F57E5-AF90-4a18-9326-69F3BF709A73}.exe

Filesize
197KB

MD5
ea6333861090a4d9c2dde2dc82833f9d

SHA1
53efe1cca85d674ef38b1260d8db3501bc07c962

SHA256
56ac1e566dd54696a840daaa37ae44619e394c4664de729f8a049d6e75c19bb4

SHA512
5acad3a8f967c24075e0b8a3e165f05092397fe6f757326adf327cbfb98e29847107e777fb6538b1660a65a537c5a9e1fc502748c40add4f5820f1a6bbd6fa04

Download Submit
C:\Windows\{7ECBF6A1-A5AC-4645-94B1-7A2C5D00D7F4}.exe

Filesize
197KB

MD5
ab50251fbe9ac46cf01b2c42376d7c59

SHA1
06c14684eb4ce452e7fa7e4faddec2516cfc88cf

SHA256
ccb470f0dc87461dafd7a741d49cb1f4ed4150857f7bd85412175b597fa8eac4

SHA512
9944985c57d7e13f76d6e41cd64ed8ee1141dde7b68751a75779f34447a5fa6233b26d4e7356443df9158c0dc12c7502cac9c6ca12df267e8bd0bcf9cad1ecaa

Download Submit
C:\Windows\{94B527E0-FE3F-4c1c-A1EA-BF25074AE01B}.exe

Filesize
197KB

MD5
ded04cf949aaa481933c029e6f7bee5a

SHA1
b637b827d29b3c850f1f61a8e2d74ad91d36f130

SHA256
cf83a352003b439b823e84f2cdd10551bf31e731dc49e382772a51dea6bd355c

SHA512
7b76ded472c599f42c538f2602b282b5445f178fbf4eeffab720fdc94cfa002ffb8b8cc98540430114a45f1d056f147d18ff222514af7045abf0e387f6219d83

Download Submit
C:\Windows\{97FBB3F9-4B2E-4695-B869-376F8626FB2D}.exe

Filesize
197KB

MD5
60bd3006a6fa35a73bee65b9ac4b9241

SHA1
1684e189acb90cca8f1d956b0953f91341d32756

SHA256
779d229e567adc6c9f43f20a72a7ef22278a3960a87177c40a286faa329da14b

SHA512
26d2e3531b80a9ba6b2f237340e302349bad6f171a0b130e1798f23bbb79792f8b30f5f26bc9b14387431fe83864a53a6e3924ab0074a74d122a3a569c9bb4c3

Download Submit
C:\Windows\{A3116147-24C0-439d-A867-8A5945BDEC1E}.exe

Filesize
197KB

MD5
104941fc4e6b6e9946eee0aa3894a51f

SHA1
3b94f26485353541961a8c1725772a7e2da872e2

SHA256
4d0466f21cf42a16478f1acbaad525ff8b29d878a83fcadec2dea4e1e6519c82

SHA512
f960e7b207a7b8228d4346865b67c27e36bfe6a5fc4b8e9ac858fc04d6ae6b2a398db6b0a7e1da45fcda3d3f61dbecc6b460bf7a964bb394fb1a8d6456bdd667

Download Submit
C:\Windows\{A83E8400-2ADB-41d6-AAA2-A423CF8E8587}.exe

Filesize
197KB

MD5
fd8f60253747c1d3b973eda6603107da

SHA1
eea560ad74920d1f6faadc7081ace6694f4cead2

SHA256
26591083c0602ad5e957a9e9cd0422f3451b4069dd79438eece722dd22e7e779

SHA512
76b33584579c914394394e6c807d7448f278449059d35dfafd5fea4d1c047a7c0a5676d3dd91accbf5a3d28aa57a477788985fddf576dfa7f0ce61e4d10b4d50

Download Submit
C:\Windows\{B7ACA72B-BC1C-4d5f-B6AE-BB40D35E86C6}.exe

Filesize
197KB

MD5
9e5e857a86b7454ed1e95fa631838eac

SHA1
e34a599e51bf98233919ca055e4efc1bc2ce094d

SHA256
d58f2b13740a2bf4004782da54f52cee4cdfd98e062e176746fc8cb439348694

SHA512
d5e2f2836a2e43d4e9c36e061380c73cf0f8990861032596937ff68eb4020785f9a4df1da437191dc1e8af30ad042b3bf747d72141793ceaffa41c5ef8322069

Download Submit
C:\Windows\{E35C50EC-9A15-4f64-A525-E2FF1D5A1F19}.exe

Filesize
197KB

MD5
1afb8da6ae44c6724c9527cb3858956b

SHA1
ae07436649dae6b7f19ea33f79a40b6f34b8223b

SHA256
51306770d38dd80a14d6f261aa2822e91061ab64f6b33de1d242d400132b3dcd

SHA512
960bbd6b3188b3f20bd53394cb79776225ed768c829f0dd7705b9783b2dfa1caa0021ceb682ff99c8f9101f51471a64b987567d0174a014b89a2ce33697d891d

Download Submit
C:\Windows\{FB2B970A-3137-4965-A8D3-A1852552C9A7}.exe

Filesize
197KB

MD5
3e913a4080e1f1e07d6ad5f41316ae13

SHA1
de36299521cb4577be49237ece8118c00e6749cf

SHA256
43c1a84b5a525fd613dad72121d4572e7d602fa3005528ff8a22cbc5e620350f

SHA512
431c455d8b3fdfb4f820a55069735985dba72de54a3bdaca1701ee5559a8e27c3dcbd709e10070faff914ac26d60fa2c0f14c4acfebd37746b48d3c659b0cd57

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads