e9bd989f4393d3c34c997aea8d4beb783a97308953607125a4f557728fd9a134

Analysis

max time kernel
144s
max time network
121s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
21/02/2024, 15:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-21_45886ed8872c2047266f3d095cda4b0a_goldeneye.exe
Size

216KB
MD5

45886ed8872c2047266f3d095cda4b0a
SHA1

ccfc7df17fbae56f4cab6fe43cd0e1c4d379062b
SHA256

e9bd989f4393d3c34c997aea8d4beb783a97308953607125a4f557728fd9a134
SHA512

ef458237f89ba08162f0c573d729f87fc8a667c883cd2c9cf8afb783ac1b4879576935a5a9191ab65a485f5d64aff34f64740c4ec9803b26720ba5734d6424b0
SSDEEP

3072:jEGh0o7l+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEGVlEeKcAEcGy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000a000000012263-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000012281-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000300000000b1f7-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000400000000b1f7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000500000000b1f7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000600000000b1f7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000700000000b1f7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C7EF6F5F-EAA4-4b46-BFE0-C24E138F3D98}\stubpath = "C:\\Windows\\{C7EF6F5F-EAA4-4b46-BFE0-C24E138F3D98}.exe"	{491B41B3-EC78-4129-B015-C3B9E3816407}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4EE41F40-9EC7-4f8e-8BA9-25F05B446654}\stubpath = "C:\\Windows\\{4EE41F40-9EC7-4f8e-8BA9-25F05B446654}.exe"	{C7EF6F5F-EAA4-4b46-BFE0-C24E138F3D98}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7F81A784-A80C-4b4a-9C2A-5D81D63D4A93}\stubpath = "C:\\Windows\\{7F81A784-A80C-4b4a-9C2A-5D81D63D4A93}.exe"	{4EE41F40-9EC7-4f8e-8BA9-25F05B446654}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{39980ACB-9B1B-4474-A0C3-F9D6694CFF38}\stubpath = "C:\\Windows\\{39980ACB-9B1B-4474-A0C3-F9D6694CFF38}.exe"	{C2CD1C42-9929-419c-BADB-80A438AA938F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8353DF91-474D-4532-A07B-1DE543304065}	{39980ACB-9B1B-4474-A0C3-F9D6694CFF38}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8353DF91-474D-4532-A07B-1DE543304065}\stubpath = "C:\\Windows\\{8353DF91-474D-4532-A07B-1DE543304065}.exe"	{39980ACB-9B1B-4474-A0C3-F9D6694CFF38}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3AF29769-10C0-441a-A8DF-A379B9F2DA26}	{8353DF91-474D-4532-A07B-1DE543304065}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3AF29769-10C0-441a-A8DF-A379B9F2DA26}\stubpath = "C:\\Windows\\{3AF29769-10C0-441a-A8DF-A379B9F2DA26}.exe"	{8353DF91-474D-4532-A07B-1DE543304065}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A634825A-62DD-4a48-A08D-9FACFCD66259}	{7F81A784-A80C-4b4a-9C2A-5D81D63D4A93}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A634825A-62DD-4a48-A08D-9FACFCD66259}\stubpath = "C:\\Windows\\{A634825A-62DD-4a48-A08D-9FACFCD66259}.exe"	{7F81A784-A80C-4b4a-9C2A-5D81D63D4A93}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7F81A784-A80C-4b4a-9C2A-5D81D63D4A93}	{4EE41F40-9EC7-4f8e-8BA9-25F05B446654}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{208AE65B-FC9A-4294-94D7-1A476D49B36A}	2024-02-21_45886ed8872c2047266f3d095cda4b0a_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C2CD1C42-9929-419c-BADB-80A438AA938F}\stubpath = "C:\\Windows\\{C2CD1C42-9929-419c-BADB-80A438AA938F}.exe"	{208AE65B-FC9A-4294-94D7-1A476D49B36A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{39980ACB-9B1B-4474-A0C3-F9D6694CFF38}	{C2CD1C42-9929-419c-BADB-80A438AA938F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E4E69D5D-CDAE-42a8-BAB4-210B5D766500}\stubpath = "C:\\Windows\\{E4E69D5D-CDAE-42a8-BAB4-210B5D766500}.exe"	{3AF29769-10C0-441a-A8DF-A379B9F2DA26}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{491B41B3-EC78-4129-B015-C3B9E3816407}\stubpath = "C:\\Windows\\{491B41B3-EC78-4129-B015-C3B9E3816407}.exe"	{E4E69D5D-CDAE-42a8-BAB4-210B5D766500}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4EE41F40-9EC7-4f8e-8BA9-25F05B446654}	{C7EF6F5F-EAA4-4b46-BFE0-C24E138F3D98}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{208AE65B-FC9A-4294-94D7-1A476D49B36A}\stubpath = "C:\\Windows\\{208AE65B-FC9A-4294-94D7-1A476D49B36A}.exe"	2024-02-21_45886ed8872c2047266f3d095cda4b0a_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C2CD1C42-9929-419c-BADB-80A438AA938F}	{208AE65B-FC9A-4294-94D7-1A476D49B36A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E4E69D5D-CDAE-42a8-BAB4-210B5D766500}	{3AF29769-10C0-441a-A8DF-A379B9F2DA26}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{491B41B3-EC78-4129-B015-C3B9E3816407}	{E4E69D5D-CDAE-42a8-BAB4-210B5D766500}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C7EF6F5F-EAA4-4b46-BFE0-C24E138F3D98}	{491B41B3-EC78-4129-B015-C3B9E3816407}.exe

Deletes itself 1 IoCs

pid	Process
2716	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2256	{208AE65B-FC9A-4294-94D7-1A476D49B36A}.exe
2856	{C2CD1C42-9929-419c-BADB-80A438AA938F}.exe
2636	{39980ACB-9B1B-4474-A0C3-F9D6694CFF38}.exe
2800	{8353DF91-474D-4532-A07B-1DE543304065}.exe
2600	{3AF29769-10C0-441a-A8DF-A379B9F2DA26}.exe
2472	{E4E69D5D-CDAE-42a8-BAB4-210B5D766500}.exe
268	{491B41B3-EC78-4129-B015-C3B9E3816407}.exe
880	{C7EF6F5F-EAA4-4b46-BFE0-C24E138F3D98}.exe
1616	{4EE41F40-9EC7-4f8e-8BA9-25F05B446654}.exe
3012	{7F81A784-A80C-4b4a-9C2A-5D81D63D4A93}.exe
1736	{A634825A-62DD-4a48-A08D-9FACFCD66259}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{A634825A-62DD-4a48-A08D-9FACFCD66259}.exe	{7F81A784-A80C-4b4a-9C2A-5D81D63D4A93}.exe
File created	C:\Windows\{8353DF91-474D-4532-A07B-1DE543304065}.exe	{39980ACB-9B1B-4474-A0C3-F9D6694CFF38}.exe
File created	C:\Windows\{E4E69D5D-CDAE-42a8-BAB4-210B5D766500}.exe	{3AF29769-10C0-441a-A8DF-A379B9F2DA26}.exe
File created	C:\Windows\{491B41B3-EC78-4129-B015-C3B9E3816407}.exe	{E4E69D5D-CDAE-42a8-BAB4-210B5D766500}.exe
File created	C:\Windows\{4EE41F40-9EC7-4f8e-8BA9-25F05B446654}.exe	{C7EF6F5F-EAA4-4b46-BFE0-C24E138F3D98}.exe
File created	C:\Windows\{C7EF6F5F-EAA4-4b46-BFE0-C24E138F3D98}.exe	{491B41B3-EC78-4129-B015-C3B9E3816407}.exe
File created	C:\Windows\{7F81A784-A80C-4b4a-9C2A-5D81D63D4A93}.exe	{4EE41F40-9EC7-4f8e-8BA9-25F05B446654}.exe
File created	C:\Windows\{208AE65B-FC9A-4294-94D7-1A476D49B36A}.exe	2024-02-21_45886ed8872c2047266f3d095cda4b0a_goldeneye.exe
File created	C:\Windows\{C2CD1C42-9929-419c-BADB-80A438AA938F}.exe	{208AE65B-FC9A-4294-94D7-1A476D49B36A}.exe
File created	C:\Windows\{39980ACB-9B1B-4474-A0C3-F9D6694CFF38}.exe	{C2CD1C42-9929-419c-BADB-80A438AA938F}.exe
File created	C:\Windows\{3AF29769-10C0-441a-A8DF-A379B9F2DA26}.exe	{8353DF91-474D-4532-A07B-1DE543304065}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1080	2024-02-21_45886ed8872c2047266f3d095cda4b0a_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2256	{208AE65B-FC9A-4294-94D7-1A476D49B36A}.exe
Token: SeIncBasePriorityPrivilege	2856	{C2CD1C42-9929-419c-BADB-80A438AA938F}.exe
Token: SeIncBasePriorityPrivilege	2636	{39980ACB-9B1B-4474-A0C3-F9D6694CFF38}.exe
Token: SeIncBasePriorityPrivilege	2800	{8353DF91-474D-4532-A07B-1DE543304065}.exe
Token: SeIncBasePriorityPrivilege	2600	{3AF29769-10C0-441a-A8DF-A379B9F2DA26}.exe
Token: SeIncBasePriorityPrivilege	2472	{E4E69D5D-CDAE-42a8-BAB4-210B5D766500}.exe
Token: SeIncBasePriorityPrivilege	268	{491B41B3-EC78-4129-B015-C3B9E3816407}.exe
Token: SeIncBasePriorityPrivilege	880	{C7EF6F5F-EAA4-4b46-BFE0-C24E138F3D98}.exe
Token: SeIncBasePriorityPrivilege	1616	{4EE41F40-9EC7-4f8e-8BA9-25F05B446654}.exe
Token: SeIncBasePriorityPrivilege	3012	{7F81A784-A80C-4b4a-9C2A-5D81D63D4A93}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1080 wrote to memory of 2256	1080	2024-02-21_45886ed8872c2047266f3d095cda4b0a_goldeneye.exe	28
PID 1080 wrote to memory of 2256	1080	2024-02-21_45886ed8872c2047266f3d095cda4b0a_goldeneye.exe	28
PID 1080 wrote to memory of 2256	1080	2024-02-21_45886ed8872c2047266f3d095cda4b0a_goldeneye.exe	28
PID 1080 wrote to memory of 2256	1080	2024-02-21_45886ed8872c2047266f3d095cda4b0a_goldeneye.exe	28
PID 1080 wrote to memory of 2716	1080	2024-02-21_45886ed8872c2047266f3d095cda4b0a_goldeneye.exe	29
PID 1080 wrote to memory of 2716	1080	2024-02-21_45886ed8872c2047266f3d095cda4b0a_goldeneye.exe	29
PID 1080 wrote to memory of 2716	1080	2024-02-21_45886ed8872c2047266f3d095cda4b0a_goldeneye.exe	29
PID 1080 wrote to memory of 2716	1080	2024-02-21_45886ed8872c2047266f3d095cda4b0a_goldeneye.exe	29
PID 2256 wrote to memory of 2856	2256	{208AE65B-FC9A-4294-94D7-1A476D49B36A}.exe	30
PID 2256 wrote to memory of 2856	2256	{208AE65B-FC9A-4294-94D7-1A476D49B36A}.exe	30
PID 2256 wrote to memory of 2856	2256	{208AE65B-FC9A-4294-94D7-1A476D49B36A}.exe	30
PID 2256 wrote to memory of 2856	2256	{208AE65B-FC9A-4294-94D7-1A476D49B36A}.exe	30
PID 2256 wrote to memory of 2896	2256	{208AE65B-FC9A-4294-94D7-1A476D49B36A}.exe	31
PID 2256 wrote to memory of 2896	2256	{208AE65B-FC9A-4294-94D7-1A476D49B36A}.exe	31
PID 2256 wrote to memory of 2896	2256	{208AE65B-FC9A-4294-94D7-1A476D49B36A}.exe	31
PID 2256 wrote to memory of 2896	2256	{208AE65B-FC9A-4294-94D7-1A476D49B36A}.exe	31
PID 2856 wrote to memory of 2636	2856	{C2CD1C42-9929-419c-BADB-80A438AA938F}.exe	34
PID 2856 wrote to memory of 2636	2856	{C2CD1C42-9929-419c-BADB-80A438AA938F}.exe	34
PID 2856 wrote to memory of 2636	2856	{C2CD1C42-9929-419c-BADB-80A438AA938F}.exe	34
PID 2856 wrote to memory of 2636	2856	{C2CD1C42-9929-419c-BADB-80A438AA938F}.exe	34
PID 2856 wrote to memory of 2888	2856	{C2CD1C42-9929-419c-BADB-80A438AA938F}.exe	35
PID 2856 wrote to memory of 2888	2856	{C2CD1C42-9929-419c-BADB-80A438AA938F}.exe	35
PID 2856 wrote to memory of 2888	2856	{C2CD1C42-9929-419c-BADB-80A438AA938F}.exe	35
PID 2856 wrote to memory of 2888	2856	{C2CD1C42-9929-419c-BADB-80A438AA938F}.exe	35
PID 2636 wrote to memory of 2800	2636	{39980ACB-9B1B-4474-A0C3-F9D6694CFF38}.exe	36
PID 2636 wrote to memory of 2800	2636	{39980ACB-9B1B-4474-A0C3-F9D6694CFF38}.exe	36
PID 2636 wrote to memory of 2800	2636	{39980ACB-9B1B-4474-A0C3-F9D6694CFF38}.exe	36
PID 2636 wrote to memory of 2800	2636	{39980ACB-9B1B-4474-A0C3-F9D6694CFF38}.exe	36
PID 2636 wrote to memory of 2736	2636	{39980ACB-9B1B-4474-A0C3-F9D6694CFF38}.exe	37
PID 2636 wrote to memory of 2736	2636	{39980ACB-9B1B-4474-A0C3-F9D6694CFF38}.exe	37
PID 2636 wrote to memory of 2736	2636	{39980ACB-9B1B-4474-A0C3-F9D6694CFF38}.exe	37
PID 2636 wrote to memory of 2736	2636	{39980ACB-9B1B-4474-A0C3-F9D6694CFF38}.exe	37
PID 2800 wrote to memory of 2600	2800	{8353DF91-474D-4532-A07B-1DE543304065}.exe	39
PID 2800 wrote to memory of 2600	2800	{8353DF91-474D-4532-A07B-1DE543304065}.exe	39
PID 2800 wrote to memory of 2600	2800	{8353DF91-474D-4532-A07B-1DE543304065}.exe	39
PID 2800 wrote to memory of 2600	2800	{8353DF91-474D-4532-A07B-1DE543304065}.exe	39
PID 2800 wrote to memory of 2016	2800	{8353DF91-474D-4532-A07B-1DE543304065}.exe	38
PID 2800 wrote to memory of 2016	2800	{8353DF91-474D-4532-A07B-1DE543304065}.exe	38
PID 2800 wrote to memory of 2016	2800	{8353DF91-474D-4532-A07B-1DE543304065}.exe	38
PID 2800 wrote to memory of 2016	2800	{8353DF91-474D-4532-A07B-1DE543304065}.exe	38
PID 2600 wrote to memory of 2472	2600	{3AF29769-10C0-441a-A8DF-A379B9F2DA26}.exe	41
PID 2600 wrote to memory of 2472	2600	{3AF29769-10C0-441a-A8DF-A379B9F2DA26}.exe	41
PID 2600 wrote to memory of 2472	2600	{3AF29769-10C0-441a-A8DF-A379B9F2DA26}.exe	41
PID 2600 wrote to memory of 2472	2600	{3AF29769-10C0-441a-A8DF-A379B9F2DA26}.exe	41
PID 2600 wrote to memory of 1088	2600	{3AF29769-10C0-441a-A8DF-A379B9F2DA26}.exe	40
PID 2600 wrote to memory of 1088	2600	{3AF29769-10C0-441a-A8DF-A379B9F2DA26}.exe	40
PID 2600 wrote to memory of 1088	2600	{3AF29769-10C0-441a-A8DF-A379B9F2DA26}.exe	40
PID 2600 wrote to memory of 1088	2600	{3AF29769-10C0-441a-A8DF-A379B9F2DA26}.exe	40
PID 2472 wrote to memory of 268	2472	{E4E69D5D-CDAE-42a8-BAB4-210B5D766500}.exe	42
PID 2472 wrote to memory of 268	2472	{E4E69D5D-CDAE-42a8-BAB4-210B5D766500}.exe	42
PID 2472 wrote to memory of 268	2472	{E4E69D5D-CDAE-42a8-BAB4-210B5D766500}.exe	42
PID 2472 wrote to memory of 268	2472	{E4E69D5D-CDAE-42a8-BAB4-210B5D766500}.exe	42
PID 2472 wrote to memory of 688	2472	{E4E69D5D-CDAE-42a8-BAB4-210B5D766500}.exe	43
PID 2472 wrote to memory of 688	2472	{E4E69D5D-CDAE-42a8-BAB4-210B5D766500}.exe	43
PID 2472 wrote to memory of 688	2472	{E4E69D5D-CDAE-42a8-BAB4-210B5D766500}.exe	43
PID 2472 wrote to memory of 688	2472	{E4E69D5D-CDAE-42a8-BAB4-210B5D766500}.exe	43
PID 268 wrote to memory of 880	268	{491B41B3-EC78-4129-B015-C3B9E3816407}.exe	45
PID 268 wrote to memory of 880	268	{491B41B3-EC78-4129-B015-C3B9E3816407}.exe	45
PID 268 wrote to memory of 880	268	{491B41B3-EC78-4129-B015-C3B9E3816407}.exe	45
PID 268 wrote to memory of 880	268	{491B41B3-EC78-4129-B015-C3B9E3816407}.exe	45
PID 268 wrote to memory of 2768	268	{491B41B3-EC78-4129-B015-C3B9E3816407}.exe	44
PID 268 wrote to memory of 2768	268	{491B41B3-EC78-4129-B015-C3B9E3816407}.exe	44
PID 268 wrote to memory of 2768	268	{491B41B3-EC78-4129-B015-C3B9E3816407}.exe	44
PID 268 wrote to memory of 2768	268	{491B41B3-EC78-4129-B015-C3B9E3816407}.exe	44

C:\Users\Admin\AppData\Local\Temp\2024-02-21_45886ed8872c2047266f3d095cda4b0a_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-21_45886ed8872c2047266f3d095cda4b0a_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1080
- C:\Windows\{208AE65B-FC9A-4294-94D7-1A476D49B36A}.exe
  C:\Windows\{208AE65B-FC9A-4294-94D7-1A476D49B36A}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2256
- - C:\Windows\{C2CD1C42-9929-419c-BADB-80A438AA938F}.exe
    C:\Windows\{C2CD1C42-9929-419c-BADB-80A438AA938F}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2856
  - - C:\Windows\{39980ACB-9B1B-4474-A0C3-F9D6694CFF38}.exe
      C:\Windows\{39980ACB-9B1B-4474-A0C3-F9D6694CFF38}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2636
    - - C:\Windows\{8353DF91-474D-4532-A07B-1DE543304065}.exe
        
        C:\Windows\{8353DF91-474D-4532-A07B-1DE543304065}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2800
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8353D~1.EXE > nul
        6⤵
        
        PID:2016
      - C:\Windows\{3AF29769-10C0-441a-A8DF-A379B9F2DA26}.exe
        
        C:\Windows\{3AF29769-10C0-441a-A8DF-A379B9F2DA26}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3AF29~1.EXE > nul
        7⤵
        
        PID:1088
        
        C:\Windows\{E4E69D5D-CDAE-42a8-BAB4-210B5D766500}.exe
        
        C:\Windows\{E4E69D5D-CDAE-42a8-BAB4-210B5D766500}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2472
        
        C:\Windows\{491B41B3-EC78-4129-B015-C3B9E3816407}.exe
        
        C:\Windows\{491B41B3-EC78-4129-B015-C3B9E3816407}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{491B4~1.EXE > nul
        9⤵
        
        PID:2768
        
        C:\Windows\{C7EF6F5F-EAA4-4b46-BFE0-C24E138F3D98}.exe
        
        C:\Windows\{C7EF6F5F-EAA4-4b46-BFE0-C24E138F3D98}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C7EF6~1.EXE > nul
        10⤵
        
        PID:544
        
        C:\Windows\{4EE41F40-9EC7-4f8e-8BA9-25F05B446654}.exe
        
        C:\Windows\{4EE41F40-9EC7-4f8e-8BA9-25F05B446654}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4EE41~1.EXE > nul
        11⤵
        
        PID:2176
        
        C:\Windows\{7F81A784-A80C-4b4a-9C2A-5D81D63D4A93}.exe
        
        C:\Windows\{7F81A784-A80C-4b4a-9C2A-5D81D63D4A93}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3012
        
        C:\Windows\{A634825A-62DD-4a48-A08D-9FACFCD66259}.exe
        
        C:\Windows\{A634825A-62DD-4a48-A08D-9FACFCD66259}.exe
        12⤵
        Executes dropped EXE
        
        PID:1736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7F81A~1.EXE > nul
        12⤵
        
        PID:588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E4E69~1.EXE > nul
        8⤵
        
        PID:688
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{39980~1.EXE > nul
        5⤵
        
        PID:2736
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{C2CD1~1.EXE > nul
      4⤵
      PID:2888
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{208AE~1.EXE > nul
    3⤵
    PID:2896
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{208AE65B-FC9A-4294-94D7-1A476D49B36A}.exe

Filesize
216KB

MD5
cb25e26b3f3782cf32dc17b9acd15750

SHA1
7df58268d82a7868e591e29b3a21516b3fa095c9

SHA256
857286c8b2c25f2fd3cb06979d7cd3bcfc961f71c6322b692403c89394f75204

SHA512
a37ef553cfe325c2fbcf31a8fa4b2dc4e764402615b481783510b83b0ab769c5287d6d374f28471747a423e337ca0c531a50e33f10bb2f5df6fa7949065acf77

Download Submit
C:\Windows\{39980ACB-9B1B-4474-A0C3-F9D6694CFF38}.exe

Filesize
216KB

MD5
45f4731f3a7f0486c713b4af9b8f25bf

SHA1
71fd752ed459b0f160d70f5bce655083a184349f

SHA256
3ab636b0ec0f53858fc4189f262f99d316ddfc68dca8a802f1fd535e69b328b5

SHA512
2338a1be5b985a2ca69eaca982ab8aced948f3478d3e4809ae3bb36d86a6b105219f2c80779d259510ad658ff064296c438418c6314c133047a782f146b975e0

Download Submit
C:\Windows\{3AF29769-10C0-441a-A8DF-A379B9F2DA26}.exe

Filesize
216KB

MD5
d5a4cdf957c1c687df33e3827dc0c943

SHA1
c9cf850e6ed515c036159900da7d30b70fdf24ef

SHA256
45cb4f80f734a72811a4797511341a51237c8c198edbde95a07fb33c9e549bcf

SHA512
467443308912224305ca7ce97bf71a0ef74fa188cf0eae4cd0bed5fb002869ad2af2c9f79eaad5905cbf80ecc5c2b23abf86190d4f8be922c9e78f88b7d7206b

Download Submit
C:\Windows\{491B41B3-EC78-4129-B015-C3B9E3816407}.exe

Filesize
216KB

MD5
3109914c7eb091b6221cd95424249d37

SHA1
b3d452234a5fca019428859c1ae7f9a2da267dd9

SHA256
18653bcd9f66516481458e734eaf960010c5d4a4a1a1c2ca82d372d6ac342b10

SHA512
2c25f8faeadac49542d8a01a7256aacbf9da9976eb98ec992eaf6340ab3fd46036ec00cd892383466b4e66bbda50f4e0e29c6be18da3a88e77455177c5eaaecc

Download Submit
C:\Windows\{4EE41F40-9EC7-4f8e-8BA9-25F05B446654}.exe

Filesize
216KB

MD5
c28065765c46098cff7f0e5cc190da48

SHA1
820ab5b41e2c03df663569133cfd718676024c9e

SHA256
91b81f7148eb7d2aa3e2e0ea76fe0eb0c839ad5acb8189d5819758638014563b

SHA512
af42e0163fb0fc87e184b706236bfa2ae3be7e157ec208457d2afe50fc796074f5adfab9f9f83596bad2e9cd40a2e70ab66c140e36696f502d7f1baa1baea99d

Download Submit
C:\Windows\{7F81A784-A80C-4b4a-9C2A-5D81D63D4A93}.exe

Filesize
216KB

MD5
8763e3cb0e844b6f01d2fde6e10e4dad

SHA1
de7c87a9db39d058b4a77b27e96fa26128a48624

SHA256
51cfdf7b0ac47032f53fd3921283964a72416bab653ff16ddc0b83a1f53ffd25

SHA512
7629d7d24cf5f59fdd8152a76481503d8afaa7292f1d9e8714a14b4aee95de7e4cc570829f3081952757273b591ce9654d2e48c0beb74f8ea3f7e26cc41ce5f3

Download Submit
C:\Windows\{8353DF91-474D-4532-A07B-1DE543304065}.exe

Filesize
216KB

MD5
e62a313c5feb461eac51cbacd827a901

SHA1
97f7674987331966b4acf1eb252b45546f496feb

SHA256
7c9b8e49425eb18eaf51f94f2cb56f62276afe1d845b49eaaac5b12e82a85e89

SHA512
b497c79cdfa3a7a4dd0283057befe6045517b1c8bbd6896a4efe2f29d6fc9b89c7e6e9f3497e6a334956dd9895e6cc3713d0caa18c57a90fc8536f181768fa8d

Download Submit
C:\Windows\{A634825A-62DD-4a48-A08D-9FACFCD66259}.exe

Filesize
216KB

MD5
3eedf9130f4b66590daeff8aad1da395

SHA1
edcdae071b8f0c4eeb3da177a7c1dcc18dc198ad

SHA256
05b0d2e1da521681a6076a1896d5bf72ee8cf02c647ad87d1bde97f3ab50d374

SHA512
8acd3b91d4c6eaaff818439d2d21d432d0fa4e6b4c8ccf728d35efed2f6cb4159a33961a8eb99c4a148aa3c45a8df310d44337fbbd820ca63bdb14179669b6dc

Download Submit
C:\Windows\{C2CD1C42-9929-419c-BADB-80A438AA938F}.exe

Filesize
216KB

MD5
419ef9b657e2268134f91eb8730fb02f

SHA1
38f302f4f47d5724c27471460dcb92fe2aa5e6ef

SHA256
1a3f63e3bfb854a8d15e818835b129c63468e9f93954e80193330df42f511317

SHA512
73b9242fd49401f89c41531fe004a2de90ea8f381603906bd56c589edb4a63f35470653bed83da4dbd184792c1ded4b0a4726a708674d12eb1d51d45fb86cff4

Download Submit
C:\Windows\{C7EF6F5F-EAA4-4b46-BFE0-C24E138F3D98}.exe

Filesize
216KB

MD5
c1c8c7967aaac4507bae7214ce1ccf6d

SHA1
549cc367bece414e5217e5b9adbb3de957e8a661

SHA256
da0ce358b06e49708b2e00934c16e690aa203366ec25ec688c4cb819fefd43a5

SHA512
60664d388f3927930dbdfdf4bcdfff5e679a8ddf559d42342aeb5b3992b701707bbb9930a68121eb491cf422bf2bf5a1f64ff8379c05bc58fd8c58cc14f9e887

Download Submit
C:\Windows\{E4E69D5D-CDAE-42a8-BAB4-210B5D766500}.exe

Filesize
216KB

MD5
97163e625f911a381fbdb13de9dd2c63

SHA1
3dd94a8ff3b5adec5fed21d100964824acb57087

SHA256
4dd9768c09ce460385408506cac69bd7c456485b0e8cb1795321fd9fc6001f45

SHA512
84dc883503236225a1156786aaacf1b94e8225adda3547e4048d89fdc72786a6c4e7ffd8368d80764fee98970038b2872f6d591fb64d9b9db5de0eb0fb23b462

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads