406aa3426a61f5c0e3558897f2b4b3045a9e572fe32ea8e4411be18f98636a26

Analysis

max time kernel
144s
max time network
123s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
20/02/2024, 01:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-20_e9482bbc1da3366a20a2e00bd5e70715_goldeneye.exe
Size

372KB
MD5

e9482bbc1da3366a20a2e00bd5e70715
SHA1

f705e211582a08fa0898b439499f42f44ed676c1
SHA256

406aa3426a61f5c0e3558897f2b4b3045a9e572fe32ea8e4411be18f98636a26
SHA512

3b21297cb609b58be66db83cd94412928767c0c6aefb3e5a224d74588d1dc322cadb7113c3484db4e48d8e01229565344519b5045961d5362f4d96dc673f89b5
SSDEEP

3072:CEGh0oklMOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBfM:CEG2lkOe2MUVg3vTeKcAEciTBqr3

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 13 IoCs

resource	yara_rule
behavioral1/files/0x000a000000012243-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a000000012243-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a000000012243-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002000000001602a-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000600000000f6f8-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b000000012243-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000700000000f6f8-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000012243-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000800000000f6f8-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000012243-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000900000000f6f8-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e000000012243-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a00000000f6f8-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3B75836A-BE04-48a3-AD08-0272E03EA963}	{B721E82A-3FC5-4f74-A47B-A21E4FAB263D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{988F9BB2-3B2D-4434-B97B-CAC8DD7EAAC5}	2024-02-20_e9482bbc1da3366a20a2e00bd5e70715_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D984E463-FF92-4f74-989B-C6704F7BB1BD}\stubpath = "C:\\Windows\\{D984E463-FF92-4f74-989B-C6704F7BB1BD}.exe"	{4C09E0F2-15CE-4118-BF81-1AB57B88D298}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B7C73DB5-7C24-4ce7-877C-3CA0D4DD4DB5}	{D984E463-FF92-4f74-989B-C6704F7BB1BD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{92F16F1A-804C-4d6d-95C8-83D13163F13F}\stubpath = "C:\\Windows\\{92F16F1A-804C-4d6d-95C8-83D13163F13F}.exe"	{B7C73DB5-7C24-4ce7-877C-3CA0D4DD4DB5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{74945EFD-913A-405b-A376-D08842EF66B8}	{399F8702-1C95-4633-BC46-78554D3C5BA8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B721E82A-3FC5-4f74-A47B-A21E4FAB263D}\stubpath = "C:\\Windows\\{B721E82A-3FC5-4f74-A47B-A21E4FAB263D}.exe"	{74945EFD-913A-405b-A376-D08842EF66B8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{74945EFD-913A-405b-A376-D08842EF66B8}\stubpath = "C:\\Windows\\{74945EFD-913A-405b-A376-D08842EF66B8}.exe"	{399F8702-1C95-4633-BC46-78554D3C5BA8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3B75836A-BE04-48a3-AD08-0272E03EA963}\stubpath = "C:\\Windows\\{3B75836A-BE04-48a3-AD08-0272E03EA963}.exe"	{B721E82A-3FC5-4f74-A47B-A21E4FAB263D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{988F9BB2-3B2D-4434-B97B-CAC8DD7EAAC5}\stubpath = "C:\\Windows\\{988F9BB2-3B2D-4434-B97B-CAC8DD7EAAC5}.exe"	2024-02-20_e9482bbc1da3366a20a2e00bd5e70715_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4C09E0F2-15CE-4118-BF81-1AB57B88D298}\stubpath = "C:\\Windows\\{4C09E0F2-15CE-4118-BF81-1AB57B88D298}.exe"	{988F9BB2-3B2D-4434-B97B-CAC8DD7EAAC5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D984E463-FF92-4f74-989B-C6704F7BB1BD}	{4C09E0F2-15CE-4118-BF81-1AB57B88D298}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{92F16F1A-804C-4d6d-95C8-83D13163F13F}	{B7C73DB5-7C24-4ce7-877C-3CA0D4DD4DB5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FAB50610-E016-4bbc-8AD6-9B548DB80E9A}\stubpath = "C:\\Windows\\{FAB50610-E016-4bbc-8AD6-9B548DB80E9A}.exe"	{92F16F1A-804C-4d6d-95C8-83D13163F13F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{399F8702-1C95-4633-BC46-78554D3C5BA8}\stubpath = "C:\\Windows\\{399F8702-1C95-4633-BC46-78554D3C5BA8}.exe"	{FAB50610-E016-4bbc-8AD6-9B548DB80E9A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4D742B2D-0056-40d7-A8AA-BAE9499E821B}\stubpath = "C:\\Windows\\{4D742B2D-0056-40d7-A8AA-BAE9499E821B}.exe"	{3B75836A-BE04-48a3-AD08-0272E03EA963}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4C09E0F2-15CE-4118-BF81-1AB57B88D298}	{988F9BB2-3B2D-4434-B97B-CAC8DD7EAAC5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B7C73DB5-7C24-4ce7-877C-3CA0D4DD4DB5}\stubpath = "C:\\Windows\\{B7C73DB5-7C24-4ce7-877C-3CA0D4DD4DB5}.exe"	{D984E463-FF92-4f74-989B-C6704F7BB1BD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FAB50610-E016-4bbc-8AD6-9B548DB80E9A}	{92F16F1A-804C-4d6d-95C8-83D13163F13F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{399F8702-1C95-4633-BC46-78554D3C5BA8}	{FAB50610-E016-4bbc-8AD6-9B548DB80E9A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4D742B2D-0056-40d7-A8AA-BAE9499E821B}	{3B75836A-BE04-48a3-AD08-0272E03EA963}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B721E82A-3FC5-4f74-A47B-A21E4FAB263D}	{74945EFD-913A-405b-A376-D08842EF66B8}.exe

Deletes itself 1 IoCs

pid	Process
2932	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2332	{988F9BB2-3B2D-4434-B97B-CAC8DD7EAAC5}.exe
2568	{4C09E0F2-15CE-4118-BF81-1AB57B88D298}.exe
2616	{D984E463-FF92-4f74-989B-C6704F7BB1BD}.exe
2612	{B7C73DB5-7C24-4ce7-877C-3CA0D4DD4DB5}.exe
1264	{92F16F1A-804C-4d6d-95C8-83D13163F13F}.exe
2872	{FAB50610-E016-4bbc-8AD6-9B548DB80E9A}.exe
1204	{399F8702-1C95-4633-BC46-78554D3C5BA8}.exe
1760	{74945EFD-913A-405b-A376-D08842EF66B8}.exe
844	{B721E82A-3FC5-4f74-A47B-A21E4FAB263D}.exe
3004	{3B75836A-BE04-48a3-AD08-0272E03EA963}.exe
2316	{4D742B2D-0056-40d7-A8AA-BAE9499E821B}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{D984E463-FF92-4f74-989B-C6704F7BB1BD}.exe	{4C09E0F2-15CE-4118-BF81-1AB57B88D298}.exe
File created	C:\Windows\{92F16F1A-804C-4d6d-95C8-83D13163F13F}.exe	{B7C73DB5-7C24-4ce7-877C-3CA0D4DD4DB5}.exe
File created	C:\Windows\{399F8702-1C95-4633-BC46-78554D3C5BA8}.exe	{FAB50610-E016-4bbc-8AD6-9B548DB80E9A}.exe
File created	C:\Windows\{74945EFD-913A-405b-A376-D08842EF66B8}.exe	{399F8702-1C95-4633-BC46-78554D3C5BA8}.exe
File created	C:\Windows\{B721E82A-3FC5-4f74-A47B-A21E4FAB263D}.exe	{74945EFD-913A-405b-A376-D08842EF66B8}.exe
File created	C:\Windows\{4D742B2D-0056-40d7-A8AA-BAE9499E821B}.exe	{3B75836A-BE04-48a3-AD08-0272E03EA963}.exe
File created	C:\Windows\{988F9BB2-3B2D-4434-B97B-CAC8DD7EAAC5}.exe	2024-02-20_e9482bbc1da3366a20a2e00bd5e70715_goldeneye.exe
File created	C:\Windows\{4C09E0F2-15CE-4118-BF81-1AB57B88D298}.exe	{988F9BB2-3B2D-4434-B97B-CAC8DD7EAAC5}.exe
File created	C:\Windows\{B7C73DB5-7C24-4ce7-877C-3CA0D4DD4DB5}.exe	{D984E463-FF92-4f74-989B-C6704F7BB1BD}.exe
File created	C:\Windows\{FAB50610-E016-4bbc-8AD6-9B548DB80E9A}.exe	{92F16F1A-804C-4d6d-95C8-83D13163F13F}.exe
File created	C:\Windows\{3B75836A-BE04-48a3-AD08-0272E03EA963}.exe	{B721E82A-3FC5-4f74-A47B-A21E4FAB263D}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1732	2024-02-20_e9482bbc1da3366a20a2e00bd5e70715_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2332	{988F9BB2-3B2D-4434-B97B-CAC8DD7EAAC5}.exe
Token: SeIncBasePriorityPrivilege	2568	{4C09E0F2-15CE-4118-BF81-1AB57B88D298}.exe
Token: SeIncBasePriorityPrivilege	2616	{D984E463-FF92-4f74-989B-C6704F7BB1BD}.exe
Token: SeIncBasePriorityPrivilege	2612	{B7C73DB5-7C24-4ce7-877C-3CA0D4DD4DB5}.exe
Token: SeIncBasePriorityPrivilege	1264	{92F16F1A-804C-4d6d-95C8-83D13163F13F}.exe
Token: SeIncBasePriorityPrivilege	2872	{FAB50610-E016-4bbc-8AD6-9B548DB80E9A}.exe
Token: SeIncBasePriorityPrivilege	1204	{399F8702-1C95-4633-BC46-78554D3C5BA8}.exe
Token: SeIncBasePriorityPrivilege	1760	{74945EFD-913A-405b-A376-D08842EF66B8}.exe
Token: SeIncBasePriorityPrivilege	844	{B721E82A-3FC5-4f74-A47B-A21E4FAB263D}.exe
Token: SeIncBasePriorityPrivilege	3004	{3B75836A-BE04-48a3-AD08-0272E03EA963}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1732 wrote to memory of 2332	1732	2024-02-20_e9482bbc1da3366a20a2e00bd5e70715_goldeneye.exe	28
PID 1732 wrote to memory of 2332	1732	2024-02-20_e9482bbc1da3366a20a2e00bd5e70715_goldeneye.exe	28
PID 1732 wrote to memory of 2332	1732	2024-02-20_e9482bbc1da3366a20a2e00bd5e70715_goldeneye.exe	28
PID 1732 wrote to memory of 2332	1732	2024-02-20_e9482bbc1da3366a20a2e00bd5e70715_goldeneye.exe	28
PID 1732 wrote to memory of 2932	1732	2024-02-20_e9482bbc1da3366a20a2e00bd5e70715_goldeneye.exe	29
PID 1732 wrote to memory of 2932	1732	2024-02-20_e9482bbc1da3366a20a2e00bd5e70715_goldeneye.exe	29
PID 1732 wrote to memory of 2932	1732	2024-02-20_e9482bbc1da3366a20a2e00bd5e70715_goldeneye.exe	29
PID 1732 wrote to memory of 2932	1732	2024-02-20_e9482bbc1da3366a20a2e00bd5e70715_goldeneye.exe	29
PID 2332 wrote to memory of 2568	2332	{988F9BB2-3B2D-4434-B97B-CAC8DD7EAAC5}.exe	32
PID 2332 wrote to memory of 2568	2332	{988F9BB2-3B2D-4434-B97B-CAC8DD7EAAC5}.exe	32
PID 2332 wrote to memory of 2568	2332	{988F9BB2-3B2D-4434-B97B-CAC8DD7EAAC5}.exe	32
PID 2332 wrote to memory of 2568	2332	{988F9BB2-3B2D-4434-B97B-CAC8DD7EAAC5}.exe	32
PID 2332 wrote to memory of 2676	2332	{988F9BB2-3B2D-4434-B97B-CAC8DD7EAAC5}.exe	33
PID 2332 wrote to memory of 2676	2332	{988F9BB2-3B2D-4434-B97B-CAC8DD7EAAC5}.exe	33
PID 2332 wrote to memory of 2676	2332	{988F9BB2-3B2D-4434-B97B-CAC8DD7EAAC5}.exe	33
PID 2332 wrote to memory of 2676	2332	{988F9BB2-3B2D-4434-B97B-CAC8DD7EAAC5}.exe	33
PID 2568 wrote to memory of 2616	2568	{4C09E0F2-15CE-4118-BF81-1AB57B88D298}.exe	34
PID 2568 wrote to memory of 2616	2568	{4C09E0F2-15CE-4118-BF81-1AB57B88D298}.exe	34
PID 2568 wrote to memory of 2616	2568	{4C09E0F2-15CE-4118-BF81-1AB57B88D298}.exe	34
PID 2568 wrote to memory of 2616	2568	{4C09E0F2-15CE-4118-BF81-1AB57B88D298}.exe	34
PID 2568 wrote to memory of 2556	2568	{4C09E0F2-15CE-4118-BF81-1AB57B88D298}.exe	35
PID 2568 wrote to memory of 2556	2568	{4C09E0F2-15CE-4118-BF81-1AB57B88D298}.exe	35
PID 2568 wrote to memory of 2556	2568	{4C09E0F2-15CE-4118-BF81-1AB57B88D298}.exe	35
PID 2568 wrote to memory of 2556	2568	{4C09E0F2-15CE-4118-BF81-1AB57B88D298}.exe	35
PID 2616 wrote to memory of 2612	2616	{D984E463-FF92-4f74-989B-C6704F7BB1BD}.exe	36
PID 2616 wrote to memory of 2612	2616	{D984E463-FF92-4f74-989B-C6704F7BB1BD}.exe	36
PID 2616 wrote to memory of 2612	2616	{D984E463-FF92-4f74-989B-C6704F7BB1BD}.exe	36
PID 2616 wrote to memory of 2612	2616	{D984E463-FF92-4f74-989B-C6704F7BB1BD}.exe	36
PID 2616 wrote to memory of 3036	2616	{D984E463-FF92-4f74-989B-C6704F7BB1BD}.exe	37
PID 2616 wrote to memory of 3036	2616	{D984E463-FF92-4f74-989B-C6704F7BB1BD}.exe	37
PID 2616 wrote to memory of 3036	2616	{D984E463-FF92-4f74-989B-C6704F7BB1BD}.exe	37
PID 2616 wrote to memory of 3036	2616	{D984E463-FF92-4f74-989B-C6704F7BB1BD}.exe	37
PID 2612 wrote to memory of 1264	2612	{B7C73DB5-7C24-4ce7-877C-3CA0D4DD4DB5}.exe	38
PID 2612 wrote to memory of 1264	2612	{B7C73DB5-7C24-4ce7-877C-3CA0D4DD4DB5}.exe	38
PID 2612 wrote to memory of 1264	2612	{B7C73DB5-7C24-4ce7-877C-3CA0D4DD4DB5}.exe	38
PID 2612 wrote to memory of 1264	2612	{B7C73DB5-7C24-4ce7-877C-3CA0D4DD4DB5}.exe	38
PID 2612 wrote to memory of 1756	2612	{B7C73DB5-7C24-4ce7-877C-3CA0D4DD4DB5}.exe	39
PID 2612 wrote to memory of 1756	2612	{B7C73DB5-7C24-4ce7-877C-3CA0D4DD4DB5}.exe	39
PID 2612 wrote to memory of 1756	2612	{B7C73DB5-7C24-4ce7-877C-3CA0D4DD4DB5}.exe	39
PID 2612 wrote to memory of 1756	2612	{B7C73DB5-7C24-4ce7-877C-3CA0D4DD4DB5}.exe	39
PID 1264 wrote to memory of 2872	1264	{92F16F1A-804C-4d6d-95C8-83D13163F13F}.exe	41
PID 1264 wrote to memory of 2872	1264	{92F16F1A-804C-4d6d-95C8-83D13163F13F}.exe	41
PID 1264 wrote to memory of 2872	1264	{92F16F1A-804C-4d6d-95C8-83D13163F13F}.exe	41
PID 1264 wrote to memory of 2872	1264	{92F16F1A-804C-4d6d-95C8-83D13163F13F}.exe	41
PID 1264 wrote to memory of 2816	1264	{92F16F1A-804C-4d6d-95C8-83D13163F13F}.exe	40
PID 1264 wrote to memory of 2816	1264	{92F16F1A-804C-4d6d-95C8-83D13163F13F}.exe	40
PID 1264 wrote to memory of 2816	1264	{92F16F1A-804C-4d6d-95C8-83D13163F13F}.exe	40
PID 1264 wrote to memory of 2816	1264	{92F16F1A-804C-4d6d-95C8-83D13163F13F}.exe	40
PID 2872 wrote to memory of 1204	2872	{FAB50610-E016-4bbc-8AD6-9B548DB80E9A}.exe	42
PID 2872 wrote to memory of 1204	2872	{FAB50610-E016-4bbc-8AD6-9B548DB80E9A}.exe	42
PID 2872 wrote to memory of 1204	2872	{FAB50610-E016-4bbc-8AD6-9B548DB80E9A}.exe	42
PID 2872 wrote to memory of 1204	2872	{FAB50610-E016-4bbc-8AD6-9B548DB80E9A}.exe	42
PID 2872 wrote to memory of 1912	2872	{FAB50610-E016-4bbc-8AD6-9B548DB80E9A}.exe	43
PID 2872 wrote to memory of 1912	2872	{FAB50610-E016-4bbc-8AD6-9B548DB80E9A}.exe	43
PID 2872 wrote to memory of 1912	2872	{FAB50610-E016-4bbc-8AD6-9B548DB80E9A}.exe	43
PID 2872 wrote to memory of 1912	2872	{FAB50610-E016-4bbc-8AD6-9B548DB80E9A}.exe	43
PID 1204 wrote to memory of 1760	1204	{399F8702-1C95-4633-BC46-78554D3C5BA8}.exe	44
PID 1204 wrote to memory of 1760	1204	{399F8702-1C95-4633-BC46-78554D3C5BA8}.exe	44
PID 1204 wrote to memory of 1760	1204	{399F8702-1C95-4633-BC46-78554D3C5BA8}.exe	44
PID 1204 wrote to memory of 1760	1204	{399F8702-1C95-4633-BC46-78554D3C5BA8}.exe	44
PID 1204 wrote to memory of 2508	1204	{399F8702-1C95-4633-BC46-78554D3C5BA8}.exe	45
PID 1204 wrote to memory of 2508	1204	{399F8702-1C95-4633-BC46-78554D3C5BA8}.exe	45
PID 1204 wrote to memory of 2508	1204	{399F8702-1C95-4633-BC46-78554D3C5BA8}.exe	45
PID 1204 wrote to memory of 2508	1204	{399F8702-1C95-4633-BC46-78554D3C5BA8}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-02-20_e9482bbc1da3366a20a2e00bd5e70715_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-20_e9482bbc1da3366a20a2e00bd5e70715_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1732
- C:\Windows\{988F9BB2-3B2D-4434-B97B-CAC8DD7EAAC5}.exe
  C:\Windows\{988F9BB2-3B2D-4434-B97B-CAC8DD7EAAC5}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2332
- - C:\Windows\{4C09E0F2-15CE-4118-BF81-1AB57B88D298}.exe
    C:\Windows\{4C09E0F2-15CE-4118-BF81-1AB57B88D298}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2568
  - - C:\Windows\{D984E463-FF92-4f74-989B-C6704F7BB1BD}.exe
      C:\Windows\{D984E463-FF92-4f74-989B-C6704F7BB1BD}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2616
    - - C:\Windows\{B7C73DB5-7C24-4ce7-877C-3CA0D4DD4DB5}.exe
        
        C:\Windows\{B7C73DB5-7C24-4ce7-877C-3CA0D4DD4DB5}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2612
      - C:\Windows\{92F16F1A-804C-4d6d-95C8-83D13163F13F}.exe
        
        C:\Windows\{92F16F1A-804C-4d6d-95C8-83D13163F13F}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{92F16~1.EXE > nul
        7⤵
        
        PID:2816
        
        C:\Windows\{FAB50610-E016-4bbc-8AD6-9B548DB80E9A}.exe
        
        C:\Windows\{FAB50610-E016-4bbc-8AD6-9B548DB80E9A}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2872
        
        C:\Windows\{399F8702-1C95-4633-BC46-78554D3C5BA8}.exe
        
        C:\Windows\{399F8702-1C95-4633-BC46-78554D3C5BA8}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1204
        
        C:\Windows\{74945EFD-913A-405b-A376-D08842EF66B8}.exe
        
        C:\Windows\{74945EFD-913A-405b-A376-D08842EF66B8}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1760
        
        C:\Windows\{B721E82A-3FC5-4f74-A47B-A21E4FAB263D}.exe
        
        C:\Windows\{B721E82A-3FC5-4f74-A47B-A21E4FAB263D}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:844
        
        C:\Windows\{3B75836A-BE04-48a3-AD08-0272E03EA963}.exe
        
        C:\Windows\{3B75836A-BE04-48a3-AD08-0272E03EA963}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3004
        
        C:\Windows\{4D742B2D-0056-40d7-A8AA-BAE9499E821B}.exe
        
        C:\Windows\{4D742B2D-0056-40d7-A8AA-BAE9499E821B}.exe
        12⤵
        Executes dropped EXE
        
        PID:2316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3B758~1.EXE > nul
        12⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B721E~1.EXE > nul
        11⤵
        
        PID:856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{74945~1.EXE > nul
        10⤵
        
        PID:1316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{399F8~1.EXE > nul
        9⤵
        
        PID:2508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FAB50~1.EXE > nul
        8⤵
        
        PID:1912
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B7C73~1.EXE > nul
        6⤵
        
        PID:1756
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D984E~1.EXE > nul
        5⤵
        
        PID:3036
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{4C09E~1.EXE > nul
      4⤵
      PID:2556
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{988F9~1.EXE > nul
    3⤵
    PID:2676
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{399F8702-1C95-4633-BC46-78554D3C5BA8}.exe

Filesize
372KB

MD5
48aad8c566bb7f4c71a4e036534ae708

SHA1
1ef66091dea3cd666cfc94199818945be472d562

SHA256
64ba86942498b46822d31cf195e9ea9f5f8a5b4c2a65b451fa78abf3df4c6bdb

SHA512
60910ffda77d169f65ab8366e66ec3e11fab2e1e6352dcc7946099fc0d30f98ab451f8a36a0e14e145a7473665759104413928d8e80f887c2bd1db9b119928ee

Download Submit
C:\Windows\{3B75836A-BE04-48a3-AD08-0272E03EA963}.exe

Filesize
372KB

MD5
c52757af2ae9f3381b696e00dca2784e

SHA1
97f89572b66fdd4942bbf35cce61c04637dcc467

SHA256
19b4c122bd86d1b7ea985feb1b437d8581e6e26d3b32f97946af351be5f594cc

SHA512
02d82e5c6adc8828779cc7f2bfc4cc663e81526cd6221f9d8a45525de34ef393718ad38d3d9738a686e839a34668a64f1e063b3cba01cc7155902a6d4232675d

Download Submit
C:\Windows\{4C09E0F2-15CE-4118-BF81-1AB57B88D298}.exe

Filesize
372KB

MD5
86a6d37c5cb9b28b8522cf9a2bbd1f94

SHA1
baeb28ed7180aedea8ef6052a460b5a661ac9367

SHA256
27d594051bdf5bf673e7da1a2dd888f053f2bcb732e7cdc2903cc151de17ac63

SHA512
f8b84a79e22a873bc8e82ef446f5558066239fbe1b5e73992ed4306b128dd8b6bce1ef65adf55c7efcb6dfd0cd1fdc03aae32983f126c24951256f84a57f0567

Download Submit
C:\Windows\{4D742B2D-0056-40d7-A8AA-BAE9499E821B}.exe

Filesize
372KB

MD5
7a6662ea5b77d57533eade442a031796

SHA1
01217a970a3e5dc1abea77370d14398a3f780f6c

SHA256
d70cb1c9f903f7ab1980c74e6b794e2cbb6c6a3f967a09384ca16e83228380ee

SHA512
e9a454687bb7be26497e082135482360923b58fec5461dcd24abd117228d1601dd9a93e25332be4faef03e23364f03282a5d1d5f1cae451a2750c9e7f5b3ca80

Download Submit
C:\Windows\{74945EFD-913A-405b-A376-D08842EF66B8}.exe

Filesize
372KB

MD5
f16352b7a468df6d37f103fd737d837a

SHA1
8942e7814243080c8382c2f6aee0f2b76c5883ca

SHA256
76bec42b0d41e977ffe111207b83cb352747881b13dcac2b41695c283ffdd99c

SHA512
d4564a57acda89571596166a6795c36971324121417c6fbe5edfedc27e17fd61c0d198a7b2e3aa650c4cdc15f9ed168c251009d15583ee22c8ff9d910bcc80d1

Download Submit
C:\Windows\{92F16F1A-804C-4d6d-95C8-83D13163F13F}.exe

Filesize
372KB

MD5
fffeb2406c56893a9faa34e67c75f1da

SHA1
30ef9f57799809cdd20381c63bccbac112c1c1cf

SHA256
eefc18effa054382e21689d3a00eb58ed300d67690a16780b74bf385cf5793cf

SHA512
bb4b185b88a60071e2aafb1e5fa9aa42381e1049deba399f7f1626cc90658d2539eb8f9df019427cf3ee1d99cfece0cfd376d68584015e76c84ef55c5b9dc331

Download Submit
C:\Windows\{988F9BB2-3B2D-4434-B97B-CAC8DD7EAAC5}.exe

Filesize
284KB

MD5
48f68bef4ce1127f2319b70b42bfe3c1

SHA1
898c7d66be7b6465340e5474d0d3ae321fe42e8e

SHA256
d97431bff056b25b1079921c1e7f80151c617f7e548f155090791a0643faa136

SHA512
1652a5594855ecdf871d683a3befca7e4bded9bd90df8b79deaea4aa7fb336b82553a6199c9eebc3f1589770ae9f44c3479c695ab38cac87ca68c9f8769ff24f

Download Submit
C:\Windows\{988F9BB2-3B2D-4434-B97B-CAC8DD7EAAC5}.exe

Filesize
182KB

MD5
340ca31b5e09937104e64464c32c518b

SHA1
fb4d66277b694a9390c783fc2878e390d48b6dd5

SHA256
97f4d4ce89e48dfda2046ebb93b0459562858f9d33346d0a1a0ac609b385614a

SHA512
503dbd77c800a007f02f1cec2efa10b10b29f778cb1bfb4af69fcae90b87d990814d8e8d743af862346b134cf08168a7ca7f5551191eead578c8df3e8e8c2a99

Download Submit
C:\Windows\{988F9BB2-3B2D-4434-B97B-CAC8DD7EAAC5}.exe

Filesize
372KB

MD5
034f6ec2d4759caa1e7704b9445c7e20

SHA1
081efe0e41e0807aee10a96067b3ffe57921e02d

SHA256
7894e89cd58ffe2e28443dac3674839f99436d52ec025b2ef969d14c937ba507

SHA512
cc91545a89b0a63706f2f7767e3846b4e961340d9b5dac4f62440c169e960144705b165dc1367d4a6690beb06d4755c1aa3ec542d0331a27081aecf9df1a59c7

Download Submit
C:\Windows\{B721E82A-3FC5-4f74-A47B-A21E4FAB263D}.exe

Filesize
372KB

MD5
c1a6c026b110a566f9933c1ba15b076a

SHA1
71f9120e1a24b2e1650566db16d660eb0ae85383

SHA256
570ee5d2ba27f79b929ff32aa21620c4d61c5f6cd1f08ad065d1684fd82c67eb

SHA512
64800711150ddec3401fe80eba953d1c6aa7aab3ad2edeb91db484135db2bb38c31d0afd859c490289490b52c47253cc2d8e7aefe7920c3e1cc76046532f8d55

Download Submit
C:\Windows\{B7C73DB5-7C24-4ce7-877C-3CA0D4DD4DB5}.exe

Filesize
372KB

MD5
736393a5f153718f61db2c8c99e1f9d4

SHA1
35ec196c2126836ae367a35e6c0d3afa57acbb8d

SHA256
5b752e4e329b9b3c26e5d37bddf8eedcc5f5eaac7007520155306273b71cce97

SHA512
8ed876bfc07c50b740d8d049e13f38e70b30601666f69919ff278f9642e22f273dbde5e385c4214847663de48b73546f9db2b053751c4dd71d78ad2b1bce1334

Download Submit
C:\Windows\{D984E463-FF92-4f74-989B-C6704F7BB1BD}.exe

Filesize
372KB

MD5
e710034f4dc94b7faa6a0d0a597d5037

SHA1
12a247b5aefee0158288ad0a17ee81bb533f7b02

SHA256
a2c8f2a9851b728dcabe549c9e4f7a307a729e221c28618a201e8a1bfbc0d61c

SHA512
4ab7173474358acb14ee785844c4b13ef02d0e8c24fa51613a1ca80e1904826a9d600c40b4bfc673ddc359aa76d4bf7a6c78c5fdd695676a5775b3344061ab61

Download Submit
C:\Windows\{FAB50610-E016-4bbc-8AD6-9B548DB80E9A}.exe

Filesize
372KB

MD5
3bfb16552a265b034506ad6c04283662

SHA1
dbdfd7b29a8d2a47d5bd4fae5815ee788f652fa4

SHA256
41321e842169d1427b7e7f149d94ab1c45787ddb9fc7faa5cec8e7bc9b5a6043

SHA512
e0104c510fd8a1047022a74244832317c27da302fba5750db20df03eeccc054372ca5aebb046afe5b33ff21a26acaa6f6a10c46a2b323a72919579a99697134e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads