827de4f7d304e8128d7a1b89db5ecdeb8409068189a5e71d025eee1921af347c

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
22/02/2024, 09:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-22_08e1c33f3759e7fbed092ce590c0ac49_goldeneye.exe
Size

180KB
MD5

08e1c33f3759e7fbed092ce590c0ac49
SHA1

caeea6e46b8e3f99b8e946ee7e7ed6380e0cdc28
SHA256

827de4f7d304e8128d7a1b89db5ecdeb8409068189a5e71d025eee1921af347c
SHA512

a5dfcf72fe73cc1bc6a61adc17dffd6731eec75874d8cfca4883bdfd6c71026591fff1c58a69621b4fb2cfe08a34ab33dd98ad8cef8474c593684616e77b15d2
SSDEEP

3072:jEGh0odlfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEG3l5eKcAEc

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral1/files/0x000c00000001224c-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0013000000014e3d-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f00000000f680-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d00000001224c-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001000000000f680-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e00000001224c-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001100000000f680-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001100000000f680-48.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f00000001224c-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001200000000f680-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001000000001224c-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001300000000f680-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7A9E7481-28F9-4891-9513-3D49FB99748F}	{F9EAB7B9-0726-4901-9E40-17D956C5A23D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2AD85B27-92C3-437f-A3A2-B4F2F1FB9CF5}	{A4897CAB-EBC1-4cbc-A09D-010C6611B217}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2AD85B27-92C3-437f-A3A2-B4F2F1FB9CF5}\stubpath = "C:\\Windows\\{2AD85B27-92C3-437f-A3A2-B4F2F1FB9CF5}.exe"	{A4897CAB-EBC1-4cbc-A09D-010C6611B217}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F159B72E-1ACA-4c24-B4E3-5767AA5CDE45}	{2AD85B27-92C3-437f-A3A2-B4F2F1FB9CF5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{02E293DE-83CB-45c7-AB77-F27BAB5534F4}	2024-02-22_08e1c33f3759e7fbed092ce590c0ac49_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{02E293DE-83CB-45c7-AB77-F27BAB5534F4}\stubpath = "C:\\Windows\\{02E293DE-83CB-45c7-AB77-F27BAB5534F4}.exe"	2024-02-22_08e1c33f3759e7fbed092ce590c0ac49_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F159B72E-1ACA-4c24-B4E3-5767AA5CDE45}\stubpath = "C:\\Windows\\{F159B72E-1ACA-4c24-B4E3-5767AA5CDE45}.exe"	{2AD85B27-92C3-437f-A3A2-B4F2F1FB9CF5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C40A95C2-BFE5-4dd2-AA62-1642A0D135D8}	{215E4690-81FF-490c-A7EF-C8E70BCBC00F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A4897CAB-EBC1-4cbc-A09D-010C6611B217}\stubpath = "C:\\Windows\\{A4897CAB-EBC1-4cbc-A09D-010C6611B217}.exe"	{DA064B03-2541-4ea9-A61B-F2E545D40081}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{215E4690-81FF-490c-A7EF-C8E70BCBC00F}	{7A9E7481-28F9-4891-9513-3D49FB99748F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C40A95C2-BFE5-4dd2-AA62-1642A0D135D8}\stubpath = "C:\\Windows\\{C40A95C2-BFE5-4dd2-AA62-1642A0D135D8}.exe"	{215E4690-81FF-490c-A7EF-C8E70BCBC00F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FE65002E-950C-4b22-8595-874754036F3C}	{C40A95C2-BFE5-4dd2-AA62-1642A0D135D8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{02F393DC-A6B8-4e2e-96AF-4A3E0B2EEE79}	{FE65002E-950C-4b22-8595-874754036F3C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{02F393DC-A6B8-4e2e-96AF-4A3E0B2EEE79}\stubpath = "C:\\Windows\\{02F393DC-A6B8-4e2e-96AF-4A3E0B2EEE79}.exe"	{FE65002E-950C-4b22-8595-874754036F3C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DA064B03-2541-4ea9-A61B-F2E545D40081}	{02F393DC-A6B8-4e2e-96AF-4A3E0B2EEE79}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F9EAB7B9-0726-4901-9E40-17D956C5A23D}\stubpath = "C:\\Windows\\{F9EAB7B9-0726-4901-9E40-17D956C5A23D}.exe"	{02E293DE-83CB-45c7-AB77-F27BAB5534F4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7A9E7481-28F9-4891-9513-3D49FB99748F}\stubpath = "C:\\Windows\\{7A9E7481-28F9-4891-9513-3D49FB99748F}.exe"	{F9EAB7B9-0726-4901-9E40-17D956C5A23D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DA064B03-2541-4ea9-A61B-F2E545D40081}\stubpath = "C:\\Windows\\{DA064B03-2541-4ea9-A61B-F2E545D40081}.exe"	{02F393DC-A6B8-4e2e-96AF-4A3E0B2EEE79}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FE65002E-950C-4b22-8595-874754036F3C}\stubpath = "C:\\Windows\\{FE65002E-950C-4b22-8595-874754036F3C}.exe"	{C40A95C2-BFE5-4dd2-AA62-1642A0D135D8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A4897CAB-EBC1-4cbc-A09D-010C6611B217}	{DA064B03-2541-4ea9-A61B-F2E545D40081}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F9EAB7B9-0726-4901-9E40-17D956C5A23D}	{02E293DE-83CB-45c7-AB77-F27BAB5534F4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{215E4690-81FF-490c-A7EF-C8E70BCBC00F}\stubpath = "C:\\Windows\\{215E4690-81FF-490c-A7EF-C8E70BCBC00F}.exe"	{7A9E7481-28F9-4891-9513-3D49FB99748F}.exe

Deletes itself 1 IoCs

pid	Process
2924	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2632	{02E293DE-83CB-45c7-AB77-F27BAB5534F4}.exe
2384	{F9EAB7B9-0726-4901-9E40-17D956C5A23D}.exe
2376	{7A9E7481-28F9-4891-9513-3D49FB99748F}.exe
552	{215E4690-81FF-490c-A7EF-C8E70BCBC00F}.exe
2328	{C40A95C2-BFE5-4dd2-AA62-1642A0D135D8}.exe
2672	{FE65002E-950C-4b22-8595-874754036F3C}.exe
1796	{02F393DC-A6B8-4e2e-96AF-4A3E0B2EEE79}.exe
2216	{DA064B03-2541-4ea9-A61B-F2E545D40081}.exe
1644	{A4897CAB-EBC1-4cbc-A09D-010C6611B217}.exe
856	{2AD85B27-92C3-437f-A3A2-B4F2F1FB9CF5}.exe
3016	{F159B72E-1ACA-4c24-B4E3-5767AA5CDE45}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{02E293DE-83CB-45c7-AB77-F27BAB5534F4}.exe	2024-02-22_08e1c33f3759e7fbed092ce590c0ac49_goldeneye.exe
File created	C:\Windows\{7A9E7481-28F9-4891-9513-3D49FB99748F}.exe	{F9EAB7B9-0726-4901-9E40-17D956C5A23D}.exe
File created	C:\Windows\{215E4690-81FF-490c-A7EF-C8E70BCBC00F}.exe	{7A9E7481-28F9-4891-9513-3D49FB99748F}.exe
File created	C:\Windows\{C40A95C2-BFE5-4dd2-AA62-1642A0D135D8}.exe	{215E4690-81FF-490c-A7EF-C8E70BCBC00F}.exe
File created	C:\Windows\{DA064B03-2541-4ea9-A61B-F2E545D40081}.exe	{02F393DC-A6B8-4e2e-96AF-4A3E0B2EEE79}.exe
File created	C:\Windows\{F159B72E-1ACA-4c24-B4E3-5767AA5CDE45}.exe	{2AD85B27-92C3-437f-A3A2-B4F2F1FB9CF5}.exe
File created	C:\Windows\{F9EAB7B9-0726-4901-9E40-17D956C5A23D}.exe	{02E293DE-83CB-45c7-AB77-F27BAB5534F4}.exe
File created	C:\Windows\{FE65002E-950C-4b22-8595-874754036F3C}.exe	{C40A95C2-BFE5-4dd2-AA62-1642A0D135D8}.exe
File created	C:\Windows\{02F393DC-A6B8-4e2e-96AF-4A3E0B2EEE79}.exe	{FE65002E-950C-4b22-8595-874754036F3C}.exe
File created	C:\Windows\{A4897CAB-EBC1-4cbc-A09D-010C6611B217}.exe	{DA064B03-2541-4ea9-A61B-F2E545D40081}.exe
File created	C:\Windows\{2AD85B27-92C3-437f-A3A2-B4F2F1FB9CF5}.exe	{A4897CAB-EBC1-4cbc-A09D-010C6611B217}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	640	2024-02-22_08e1c33f3759e7fbed092ce590c0ac49_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2632	{02E293DE-83CB-45c7-AB77-F27BAB5534F4}.exe
Token: SeIncBasePriorityPrivilege	2384	{F9EAB7B9-0726-4901-9E40-17D956C5A23D}.exe
Token: SeIncBasePriorityPrivilege	2376	{7A9E7481-28F9-4891-9513-3D49FB99748F}.exe
Token: SeIncBasePriorityPrivilege	552	{215E4690-81FF-490c-A7EF-C8E70BCBC00F}.exe
Token: SeIncBasePriorityPrivilege	2328	{C40A95C2-BFE5-4dd2-AA62-1642A0D135D8}.exe
Token: SeIncBasePriorityPrivilege	2672	{FE65002E-950C-4b22-8595-874754036F3C}.exe
Token: SeIncBasePriorityPrivilege	1796	{02F393DC-A6B8-4e2e-96AF-4A3E0B2EEE79}.exe
Token: SeIncBasePriorityPrivilege	2216	{DA064B03-2541-4ea9-A61B-F2E545D40081}.exe
Token: SeIncBasePriorityPrivilege	1644	{A4897CAB-EBC1-4cbc-A09D-010C6611B217}.exe
Token: SeIncBasePriorityPrivilege	856	{2AD85B27-92C3-437f-A3A2-B4F2F1FB9CF5}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 640 wrote to memory of 2632	640	2024-02-22_08e1c33f3759e7fbed092ce590c0ac49_goldeneye.exe	28
PID 640 wrote to memory of 2632	640	2024-02-22_08e1c33f3759e7fbed092ce590c0ac49_goldeneye.exe	28
PID 640 wrote to memory of 2632	640	2024-02-22_08e1c33f3759e7fbed092ce590c0ac49_goldeneye.exe	28
PID 640 wrote to memory of 2632	640	2024-02-22_08e1c33f3759e7fbed092ce590c0ac49_goldeneye.exe	28
PID 640 wrote to memory of 2924	640	2024-02-22_08e1c33f3759e7fbed092ce590c0ac49_goldeneye.exe	29
PID 640 wrote to memory of 2924	640	2024-02-22_08e1c33f3759e7fbed092ce590c0ac49_goldeneye.exe	29
PID 640 wrote to memory of 2924	640	2024-02-22_08e1c33f3759e7fbed092ce590c0ac49_goldeneye.exe	29
PID 640 wrote to memory of 2924	640	2024-02-22_08e1c33f3759e7fbed092ce590c0ac49_goldeneye.exe	29
PID 2632 wrote to memory of 2384	2632	{02E293DE-83CB-45c7-AB77-F27BAB5534F4}.exe	32
PID 2632 wrote to memory of 2384	2632	{02E293DE-83CB-45c7-AB77-F27BAB5534F4}.exe	32
PID 2632 wrote to memory of 2384	2632	{02E293DE-83CB-45c7-AB77-F27BAB5534F4}.exe	32
PID 2632 wrote to memory of 2384	2632	{02E293DE-83CB-45c7-AB77-F27BAB5534F4}.exe	32
PID 2632 wrote to memory of 2812	2632	{02E293DE-83CB-45c7-AB77-F27BAB5534F4}.exe	33
PID 2632 wrote to memory of 2812	2632	{02E293DE-83CB-45c7-AB77-F27BAB5534F4}.exe	33
PID 2632 wrote to memory of 2812	2632	{02E293DE-83CB-45c7-AB77-F27BAB5534F4}.exe	33
PID 2632 wrote to memory of 2812	2632	{02E293DE-83CB-45c7-AB77-F27BAB5534F4}.exe	33
PID 2384 wrote to memory of 2376	2384	{F9EAB7B9-0726-4901-9E40-17D956C5A23D}.exe	34
PID 2384 wrote to memory of 2376	2384	{F9EAB7B9-0726-4901-9E40-17D956C5A23D}.exe	34
PID 2384 wrote to memory of 2376	2384	{F9EAB7B9-0726-4901-9E40-17D956C5A23D}.exe	34
PID 2384 wrote to memory of 2376	2384	{F9EAB7B9-0726-4901-9E40-17D956C5A23D}.exe	34
PID 2384 wrote to memory of 2432	2384	{F9EAB7B9-0726-4901-9E40-17D956C5A23D}.exe	35
PID 2384 wrote to memory of 2432	2384	{F9EAB7B9-0726-4901-9E40-17D956C5A23D}.exe	35
PID 2384 wrote to memory of 2432	2384	{F9EAB7B9-0726-4901-9E40-17D956C5A23D}.exe	35
PID 2384 wrote to memory of 2432	2384	{F9EAB7B9-0726-4901-9E40-17D956C5A23D}.exe	35
PID 2376 wrote to memory of 552	2376	{7A9E7481-28F9-4891-9513-3D49FB99748F}.exe	36
PID 2376 wrote to memory of 552	2376	{7A9E7481-28F9-4891-9513-3D49FB99748F}.exe	36
PID 2376 wrote to memory of 552	2376	{7A9E7481-28F9-4891-9513-3D49FB99748F}.exe	36
PID 2376 wrote to memory of 552	2376	{7A9E7481-28F9-4891-9513-3D49FB99748F}.exe	36
PID 2376 wrote to memory of 1048	2376	{7A9E7481-28F9-4891-9513-3D49FB99748F}.exe	37
PID 2376 wrote to memory of 1048	2376	{7A9E7481-28F9-4891-9513-3D49FB99748F}.exe	37
PID 2376 wrote to memory of 1048	2376	{7A9E7481-28F9-4891-9513-3D49FB99748F}.exe	37
PID 2376 wrote to memory of 1048	2376	{7A9E7481-28F9-4891-9513-3D49FB99748F}.exe	37
PID 552 wrote to memory of 2328	552	{215E4690-81FF-490c-A7EF-C8E70BCBC00F}.exe	38
PID 552 wrote to memory of 2328	552	{215E4690-81FF-490c-A7EF-C8E70BCBC00F}.exe	38
PID 552 wrote to memory of 2328	552	{215E4690-81FF-490c-A7EF-C8E70BCBC00F}.exe	38
PID 552 wrote to memory of 2328	552	{215E4690-81FF-490c-A7EF-C8E70BCBC00F}.exe	38
PID 552 wrote to memory of 372	552	{215E4690-81FF-490c-A7EF-C8E70BCBC00F}.exe	39
PID 552 wrote to memory of 372	552	{215E4690-81FF-490c-A7EF-C8E70BCBC00F}.exe	39
PID 552 wrote to memory of 372	552	{215E4690-81FF-490c-A7EF-C8E70BCBC00F}.exe	39
PID 552 wrote to memory of 372	552	{215E4690-81FF-490c-A7EF-C8E70BCBC00F}.exe	39
PID 2328 wrote to memory of 2672	2328	{C40A95C2-BFE5-4dd2-AA62-1642A0D135D8}.exe	41
PID 2328 wrote to memory of 2672	2328	{C40A95C2-BFE5-4dd2-AA62-1642A0D135D8}.exe	41
PID 2328 wrote to memory of 2672	2328	{C40A95C2-BFE5-4dd2-AA62-1642A0D135D8}.exe	41
PID 2328 wrote to memory of 2672	2328	{C40A95C2-BFE5-4dd2-AA62-1642A0D135D8}.exe	41
PID 2328 wrote to memory of 1828	2328	{C40A95C2-BFE5-4dd2-AA62-1642A0D135D8}.exe	40
PID 2328 wrote to memory of 1828	2328	{C40A95C2-BFE5-4dd2-AA62-1642A0D135D8}.exe	40
PID 2328 wrote to memory of 1828	2328	{C40A95C2-BFE5-4dd2-AA62-1642A0D135D8}.exe	40
PID 2328 wrote to memory of 1828	2328	{C40A95C2-BFE5-4dd2-AA62-1642A0D135D8}.exe	40
PID 2672 wrote to memory of 1796	2672	{FE65002E-950C-4b22-8595-874754036F3C}.exe	43
PID 2672 wrote to memory of 1796	2672	{FE65002E-950C-4b22-8595-874754036F3C}.exe	43
PID 2672 wrote to memory of 1796	2672	{FE65002E-950C-4b22-8595-874754036F3C}.exe	43
PID 2672 wrote to memory of 1796	2672	{FE65002E-950C-4b22-8595-874754036F3C}.exe	43
PID 2672 wrote to memory of 1972	2672	{FE65002E-950C-4b22-8595-874754036F3C}.exe	42
PID 2672 wrote to memory of 1972	2672	{FE65002E-950C-4b22-8595-874754036F3C}.exe	42
PID 2672 wrote to memory of 1972	2672	{FE65002E-950C-4b22-8595-874754036F3C}.exe	42
PID 2672 wrote to memory of 1972	2672	{FE65002E-950C-4b22-8595-874754036F3C}.exe	42
PID 1796 wrote to memory of 2216	1796	{02F393DC-A6B8-4e2e-96AF-4A3E0B2EEE79}.exe	44
PID 1796 wrote to memory of 2216	1796	{02F393DC-A6B8-4e2e-96AF-4A3E0B2EEE79}.exe	44
PID 1796 wrote to memory of 2216	1796	{02F393DC-A6B8-4e2e-96AF-4A3E0B2EEE79}.exe	44
PID 1796 wrote to memory of 2216	1796	{02F393DC-A6B8-4e2e-96AF-4A3E0B2EEE79}.exe	44
PID 1796 wrote to memory of 936	1796	{02F393DC-A6B8-4e2e-96AF-4A3E0B2EEE79}.exe	45
PID 1796 wrote to memory of 936	1796	{02F393DC-A6B8-4e2e-96AF-4A3E0B2EEE79}.exe	45
PID 1796 wrote to memory of 936	1796	{02F393DC-A6B8-4e2e-96AF-4A3E0B2EEE79}.exe	45
PID 1796 wrote to memory of 936	1796	{02F393DC-A6B8-4e2e-96AF-4A3E0B2EEE79}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-02-22_08e1c33f3759e7fbed092ce590c0ac49_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-22_08e1c33f3759e7fbed092ce590c0ac49_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:640
- C:\Windows\{02E293DE-83CB-45c7-AB77-F27BAB5534F4}.exe
  C:\Windows\{02E293DE-83CB-45c7-AB77-F27BAB5534F4}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2632
- - C:\Windows\{F9EAB7B9-0726-4901-9E40-17D956C5A23D}.exe
    C:\Windows\{F9EAB7B9-0726-4901-9E40-17D956C5A23D}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2384
  - - C:\Windows\{7A9E7481-28F9-4891-9513-3D49FB99748F}.exe
      C:\Windows\{7A9E7481-28F9-4891-9513-3D49FB99748F}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2376
    - - C:\Windows\{215E4690-81FF-490c-A7EF-C8E70BCBC00F}.exe
        
        C:\Windows\{215E4690-81FF-490c-A7EF-C8E70BCBC00F}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:552
      - C:\Windows\{C40A95C2-BFE5-4dd2-AA62-1642A0D135D8}.exe
        
        C:\Windows\{C40A95C2-BFE5-4dd2-AA62-1642A0D135D8}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C40A9~1.EXE > nul
        7⤵
        
        PID:1828
        
        C:\Windows\{FE65002E-950C-4b22-8595-874754036F3C}.exe
        
        C:\Windows\{FE65002E-950C-4b22-8595-874754036F3C}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FE650~1.EXE > nul
        8⤵
        
        PID:1972
        
        C:\Windows\{02F393DC-A6B8-4e2e-96AF-4A3E0B2EEE79}.exe
        
        C:\Windows\{02F393DC-A6B8-4e2e-96AF-4A3E0B2EEE79}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1796
        
        C:\Windows\{DA064B03-2541-4ea9-A61B-F2E545D40081}.exe
        
        C:\Windows\{DA064B03-2541-4ea9-A61B-F2E545D40081}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DA064~1.EXE > nul
        10⤵
        
        PID:1556
        
        C:\Windows\{A4897CAB-EBC1-4cbc-A09D-010C6611B217}.exe
        
        C:\Windows\{A4897CAB-EBC1-4cbc-A09D-010C6611B217}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A4897~1.EXE > nul
        11⤵
        
        PID:772
        
        C:\Windows\{2AD85B27-92C3-437f-A3A2-B4F2F1FB9CF5}.exe
        
        C:\Windows\{2AD85B27-92C3-437f-A3A2-B4F2F1FB9CF5}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:856
        
        C:\Windows\{F159B72E-1ACA-4c24-B4E3-5767AA5CDE45}.exe
        
        C:\Windows\{F159B72E-1ACA-4c24-B4E3-5767AA5CDE45}.exe
        12⤵
        Executes dropped EXE
        
        PID:3016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2AD85~1.EXE > nul
        12⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{02F39~1.EXE > nul
        9⤵
        
        PID:936
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{215E4~1.EXE > nul
        6⤵
        
        PID:372
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7A9E7~1.EXE > nul
        5⤵
        
        PID:1048
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{F9EAB~1.EXE > nul
      4⤵
      PID:2432
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{02E29~1.EXE > nul
    3⤵
    PID:2812
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{02E293DE-83CB-45c7-AB77-F27BAB5534F4}.exe

Filesize
180KB

MD5
328880be084192cbb22bbff233d414f9

SHA1
e558df95780c80d43d4b5c6648b245e720f8f906

SHA256
df5a86db7bda9838f4a2c6ca982343b2f77e30c5f88dae644779d45d911dfad5

SHA512
4c4bbd7cc1d25ce0560843277327114289b72be167e634072a8e0699089b08cb1cbe561bcd391319d4e9eebc66df8bd6aa6f8881dafd6a191f9f7874e0c02576

Download Submit
C:\Windows\{02F393DC-A6B8-4e2e-96AF-4A3E0B2EEE79}.exe

Filesize
180KB

MD5
03e0f5d6b9b2f578ad28efc104211a31

SHA1
9bba376f5ea9e9aeb4a0c375a460cc8a898bcf2c

SHA256
dd493c4599381d8b7749846536ba699ca773351872b4a6dcdfc97609b1fee154

SHA512
8be0b2a4b4e55d0011f0bbf0084759e30b9012ef7f3c4dfa813cbf921b49dbe802da3cd529ab2a71c318d635dbd197b5f92a46df9d5dd208aa6c9ebae18bfd82

Download Submit
C:\Windows\{02F393DC-A6B8-4e2e-96AF-4A3E0B2EEE79}.exe

Filesize
150KB

MD5
081665bdb1f55415c839325b9983ada3

SHA1
1655d3c8a9adf6a7bd7a8b1dd2939bcf04c915dc

SHA256
677fd1ad0f905f531471f4616cf6c73b26babedc319eaa70f43d09ca7f251889

SHA512
2205bf90764e6a08bc6215cff111371d33234926eefbc10863ab26f0fac5c31fab03aa67915ff1cdb93d14e9650151bbae36236b268d0bbd1ed0446cd63e446b

Download Submit
C:\Windows\{215E4690-81FF-490c-A7EF-C8E70BCBC00F}.exe

Filesize
180KB

MD5
377a48a7f6eaa6bc8147e77207b0ea3a

SHA1
6703ca0da262b23f38fee727055f0e885b7c40e5

SHA256
7845bc671dcf9be53f60aade2c191d6bea2bfc04403e86b2555db5db8049752f

SHA512
47cb687cb7d810b9baac420e02e769d06da47a5ba30aac525d089e3e508c0be37768da47a462ffb8f263db38f6cdc5d5a63cf2030278296f2eb0e7fb621cd2be

Download Submit
C:\Windows\{2AD85B27-92C3-437f-A3A2-B4F2F1FB9CF5}.exe

Filesize
180KB

MD5
c0e7d3d37e708ec3de2ba2ddab0d8911

SHA1
79d344d2aa36bd249c92bbf49c7cd6f16bd0b413

SHA256
3fab8b69c8bc765b4990550defa0baca424d34ef1e25f50c2291131cbfe47dc4

SHA512
3235996d68bdf2f2bc0f90dade69caca37c1f60e2f69a39616304ed39a7c40733c0fad7802047aaf1fc337b2e0cf97927050cd8a97bff86ba57813308564b89a

Download Submit
C:\Windows\{7A9E7481-28F9-4891-9513-3D49FB99748F}.exe

Filesize
180KB

MD5
6b702fe1fb41d1b8d76f564173301cce

SHA1
5653475d6b99996c621b3b216e469c877ead425c

SHA256
b5f269f4d316e523a2548f33a28e9d0f419580c628117dc66b734ed4c5d071d9

SHA512
52cfb5548f2f5a23baac832b8a55590f080a00e0de74fa67af438b6bf9039be64b050771fe59365a233ec6f5e85e960d53c550ccfc814c68258e6cdbf8f331a5

Download Submit
C:\Windows\{A4897CAB-EBC1-4cbc-A09D-010C6611B217}.exe

Filesize
180KB

MD5
71286dea72df167fa117de5670f06126

SHA1
049e38a727999acccb28136579c4e9103057486f

SHA256
ec67acf6970fd92c0af7aa137a245750de4aa95e03c7e6913a199b478145eb9a

SHA512
d71fff5eff6542fb9856a2604af02f626e72dcd9f82abdee95f18f0245e864a4b2ee40ab32860790bb1c35edc73190f018fc52653274b9f6e31a8a88f8066ba9

Download Submit
C:\Windows\{C40A95C2-BFE5-4dd2-AA62-1642A0D135D8}.exe

Filesize
180KB

MD5
18970bc145c78e8a0f2a3c7a24d38520

SHA1
1082e7b0858fad650b0d8a7af1813367eb4d327e

SHA256
9f35866318d8654fffd572ffe6d178f8fdd3d14ee9d7276403745c789757e396

SHA512
55f63039d99a2f09de71b54576bb5c3707aca22aeddb77166f8a6ee3368187c38168550a6ceb34b37d09cae5949c02202d0632915de1545f760309617d2e0e33

Download Submit
C:\Windows\{DA064B03-2541-4ea9-A61B-F2E545D40081}.exe

Filesize
180KB

MD5
7e9f0e47da0065b6f97645b8d293bb00

SHA1
c83bc963d5ccd2cc63c7bbb3c8f09db3d8c1a836

SHA256
db089302060d199e26daef555dafa958393eaab874d9557a321e94a476c8cd81

SHA512
00c86a2a0d01a29048d57ea80290d2366f72940a43035d1f1bdc471b855766631a1bf9dc3a80e0a5ca8c3f74a8ca83c778e734f719663827741778017de8bc71

Download Submit
C:\Windows\{F159B72E-1ACA-4c24-B4E3-5767AA5CDE45}.exe

Filesize
180KB

MD5
9d5ce37989a1a67d7b5041b92a865d8a

SHA1
0c62acd554e9f19077277035ba87fa4a058ba5a0

SHA256
a4cbec0ff072e4bd8922280a68e7b3340769374c6048f959826083e8bc87a2de

SHA512
22005de91cf37fb235e198721c2790dc4cb9e875403b19ee47dc4a837718d45995232b758634da256d2c6d6ed39dde0c26124692d9f672940f2389d451d344d8

Download Submit
C:\Windows\{F9EAB7B9-0726-4901-9E40-17D956C5A23D}.exe

Filesize
180KB

MD5
c73154c0eefaae780e25a17bb2446979

SHA1
62ea215edb55772b1847c9d801b365c9626f11a1

SHA256
b223817b841c490ee18fbe5cbc1ee7a7f5ef1d8b5cde4b8873646739a925a45c

SHA512
1c730dad7768fd92e3923571c97ddebb3722dfb60b3d87a38312a90a36a152b5cd6a64360343b8860c6433db0d399dfceac6133c348f9a7f4d7d25fab0eaa822

Download Submit
C:\Windows\{FE65002E-950C-4b22-8595-874754036F3C}.exe

Filesize
180KB

MD5
4ea709923ab6fc891d8d1ff3501f7147

SHA1
3bfd639fc06d41d2db4d447de4a941c5bdd8fc33

SHA256
7be9f40ce32d94a6fe7cce77cad4a3ce4d1ce692dc487175d2aa76de7f4d005e

SHA512
f5e53e0f0308db2f977c500ae42a9f14692b682ad90a44430f5a3a690527356a337b8fa336cf3af9af3ea98823d0e545e289a4a0ed2704ed1d0765e57c5c1df7

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads