afd4fa36e4650b9b55ef7fd28de23394ec3b60758637e7ce04e70de0dac7d304

Analysis

max time kernel
144s
max time network
128s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
23-02-2024 01:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-23_209cee592d123b00861687a32242b75b_goldeneye.exe
Size

344KB
MD5

209cee592d123b00861687a32242b75b
SHA1

49b0ae7f2e57ac2edb14dbbe06a2d452109a7f15
SHA256

afd4fa36e4650b9b55ef7fd28de23394ec3b60758637e7ce04e70de0dac7d304
SHA512

7fa6de22baa9b4a29359b2fedb39b88300977b58ceab49ebbce7ddd9d0bd3fa0e3348f350e98d76328cdebfae09f6fe5c71000c5c4230dbcb49ea52a9af5496f
SSDEEP

3072:mEGh0oAlEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGWlqOe2MUVg3v2IneKcAEcA

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000b000000012247-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0012000000015c52-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f00000000f680-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000012247-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001000000000f680-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000012247-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001100000000f680-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e000000012247-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001200000000f680-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f000000012247-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001300000000f680-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{93785771-48CF-4984-B24C-B2B4BF2FC25F}	{1426439E-8E7E-48d9-A2B4-842553386440}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A10CDEE5-6DBC-46df-8D32-BB5B1D72B9E2}\stubpath = "C:\\Windows\\{A10CDEE5-6DBC-46df-8D32-BB5B1D72B9E2}.exe"	{E39EF6B8-D3F3-4c97-A099-F99518106493}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{49549F60-848C-4955-85B1-96EE80F0F517}	{A10CDEE5-6DBC-46df-8D32-BB5B1D72B9E2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{596443AA-40BF-4f40-92CE-31538860AFB9}	{C49021A3-8A51-4e5c-93EA-91878EBEF313}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1426439E-8E7E-48d9-A2B4-842553386440}\stubpath = "C:\\Windows\\{1426439E-8E7E-48d9-A2B4-842553386440}.exe"	{4670C338-59C9-4426-A6E3-B67D6912181D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{93785771-48CF-4984-B24C-B2B4BF2FC25F}\stubpath = "C:\\Windows\\{93785771-48CF-4984-B24C-B2B4BF2FC25F}.exe"	{1426439E-8E7E-48d9-A2B4-842553386440}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DF452887-787B-4ab5-8914-BC67761AA6C1}	{596443AA-40BF-4f40-92CE-31538860AFB9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DF452887-787B-4ab5-8914-BC67761AA6C1}\stubpath = "C:\\Windows\\{DF452887-787B-4ab5-8914-BC67761AA6C1}.exe"	{596443AA-40BF-4f40-92CE-31538860AFB9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1426439E-8E7E-48d9-A2B4-842553386440}	{4670C338-59C9-4426-A6E3-B67D6912181D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A10CDEE5-6DBC-46df-8D32-BB5B1D72B9E2}	{E39EF6B8-D3F3-4c97-A099-F99518106493}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{49549F60-848C-4955-85B1-96EE80F0F517}\stubpath = "C:\\Windows\\{49549F60-848C-4955-85B1-96EE80F0F517}.exe"	{A10CDEE5-6DBC-46df-8D32-BB5B1D72B9E2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C49021A3-8A51-4e5c-93EA-91878EBEF313}	{49549F60-848C-4955-85B1-96EE80F0F517}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{596443AA-40BF-4f40-92CE-31538860AFB9}\stubpath = "C:\\Windows\\{596443AA-40BF-4f40-92CE-31538860AFB9}.exe"	{C49021A3-8A51-4e5c-93EA-91878EBEF313}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7AFD91FE-5F9A-45f2-B4B6-D9E6C543C7AB}\stubpath = "C:\\Windows\\{7AFD91FE-5F9A-45f2-B4B6-D9E6C543C7AB}.exe"	{93785771-48CF-4984-B24C-B2B4BF2FC25F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EDE253BD-E450-4381-A7E8-49AFBA85ECC3}\stubpath = "C:\\Windows\\{EDE253BD-E450-4381-A7E8-49AFBA85ECC3}.exe"	2024-02-23_209cee592d123b00861687a32242b75b_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E39EF6B8-D3F3-4c97-A099-F99518106493}	{EDE253BD-E450-4381-A7E8-49AFBA85ECC3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E39EF6B8-D3F3-4c97-A099-F99518106493}\stubpath = "C:\\Windows\\{E39EF6B8-D3F3-4c97-A099-F99518106493}.exe"	{EDE253BD-E450-4381-A7E8-49AFBA85ECC3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4670C338-59C9-4426-A6E3-B67D6912181D}\stubpath = "C:\\Windows\\{4670C338-59C9-4426-A6E3-B67D6912181D}.exe"	{DF452887-787B-4ab5-8914-BC67761AA6C1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7AFD91FE-5F9A-45f2-B4B6-D9E6C543C7AB}	{93785771-48CF-4984-B24C-B2B4BF2FC25F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EDE253BD-E450-4381-A7E8-49AFBA85ECC3}	2024-02-23_209cee592d123b00861687a32242b75b_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C49021A3-8A51-4e5c-93EA-91878EBEF313}\stubpath = "C:\\Windows\\{C49021A3-8A51-4e5c-93EA-91878EBEF313}.exe"	{49549F60-848C-4955-85B1-96EE80F0F517}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4670C338-59C9-4426-A6E3-B67D6912181D}	{DF452887-787B-4ab5-8914-BC67761AA6C1}.exe

Deletes itself 1 IoCs

pid	Process
2852	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
3008	{EDE253BD-E450-4381-A7E8-49AFBA85ECC3}.exe
2644	{E39EF6B8-D3F3-4c97-A099-F99518106493}.exe
2632	{A10CDEE5-6DBC-46df-8D32-BB5B1D72B9E2}.exe
2788	{49549F60-848C-4955-85B1-96EE80F0F517}.exe
2340	{C49021A3-8A51-4e5c-93EA-91878EBEF313}.exe
2428	{596443AA-40BF-4f40-92CE-31538860AFB9}.exe
2284	{DF452887-787B-4ab5-8914-BC67761AA6C1}.exe
540	{4670C338-59C9-4426-A6E3-B67D6912181D}.exe
1668	{1426439E-8E7E-48d9-A2B4-842553386440}.exe
2236	{93785771-48CF-4984-B24C-B2B4BF2FC25F}.exe
2144	{7AFD91FE-5F9A-45f2-B4B6-D9E6C543C7AB}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{596443AA-40BF-4f40-92CE-31538860AFB9}.exe	{C49021A3-8A51-4e5c-93EA-91878EBEF313}.exe
File created	C:\Windows\{DF452887-787B-4ab5-8914-BC67761AA6C1}.exe	{596443AA-40BF-4f40-92CE-31538860AFB9}.exe
File created	C:\Windows\{4670C338-59C9-4426-A6E3-B67D6912181D}.exe	{DF452887-787B-4ab5-8914-BC67761AA6C1}.exe
File created	C:\Windows\{1426439E-8E7E-48d9-A2B4-842553386440}.exe	{4670C338-59C9-4426-A6E3-B67D6912181D}.exe
File created	C:\Windows\{7AFD91FE-5F9A-45f2-B4B6-D9E6C543C7AB}.exe	{93785771-48CF-4984-B24C-B2B4BF2FC25F}.exe
File created	C:\Windows\{EDE253BD-E450-4381-A7E8-49AFBA85ECC3}.exe	2024-02-23_209cee592d123b00861687a32242b75b_goldeneye.exe
File created	C:\Windows\{A10CDEE5-6DBC-46df-8D32-BB5B1D72B9E2}.exe	{E39EF6B8-D3F3-4c97-A099-F99518106493}.exe
File created	C:\Windows\{C49021A3-8A51-4e5c-93EA-91878EBEF313}.exe	{49549F60-848C-4955-85B1-96EE80F0F517}.exe
File created	C:\Windows\{93785771-48CF-4984-B24C-B2B4BF2FC25F}.exe	{1426439E-8E7E-48d9-A2B4-842553386440}.exe
File created	C:\Windows\{E39EF6B8-D3F3-4c97-A099-F99518106493}.exe	{EDE253BD-E450-4381-A7E8-49AFBA85ECC3}.exe
File created	C:\Windows\{49549F60-848C-4955-85B1-96EE80F0F517}.exe	{A10CDEE5-6DBC-46df-8D32-BB5B1D72B9E2}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2844	2024-02-23_209cee592d123b00861687a32242b75b_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3008	{EDE253BD-E450-4381-A7E8-49AFBA85ECC3}.exe
Token: SeIncBasePriorityPrivilege	2644	{E39EF6B8-D3F3-4c97-A099-F99518106493}.exe
Token: SeIncBasePriorityPrivilege	2632	{A10CDEE5-6DBC-46df-8D32-BB5B1D72B9E2}.exe
Token: SeIncBasePriorityPrivilege	2788	{49549F60-848C-4955-85B1-96EE80F0F517}.exe
Token: SeIncBasePriorityPrivilege	2340	{C49021A3-8A51-4e5c-93EA-91878EBEF313}.exe
Token: SeIncBasePriorityPrivilege	2428	{596443AA-40BF-4f40-92CE-31538860AFB9}.exe
Token: SeIncBasePriorityPrivilege	2284	{DF452887-787B-4ab5-8914-BC67761AA6C1}.exe
Token: SeIncBasePriorityPrivilege	540	{4670C338-59C9-4426-A6E3-B67D6912181D}.exe
Token: SeIncBasePriorityPrivilege	1668	{1426439E-8E7E-48d9-A2B4-842553386440}.exe
Token: SeIncBasePriorityPrivilege	2236	{93785771-48CF-4984-B24C-B2B4BF2FC25F}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2844 wrote to memory of 3008	2844	2024-02-23_209cee592d123b00861687a32242b75b_goldeneye.exe	28
PID 2844 wrote to memory of 3008	2844	2024-02-23_209cee592d123b00861687a32242b75b_goldeneye.exe	28
PID 2844 wrote to memory of 3008	2844	2024-02-23_209cee592d123b00861687a32242b75b_goldeneye.exe	28
PID 2844 wrote to memory of 3008	2844	2024-02-23_209cee592d123b00861687a32242b75b_goldeneye.exe	28
PID 2844 wrote to memory of 2852	2844	2024-02-23_209cee592d123b00861687a32242b75b_goldeneye.exe	29
PID 2844 wrote to memory of 2852	2844	2024-02-23_209cee592d123b00861687a32242b75b_goldeneye.exe	29
PID 2844 wrote to memory of 2852	2844	2024-02-23_209cee592d123b00861687a32242b75b_goldeneye.exe	29
PID 2844 wrote to memory of 2852	2844	2024-02-23_209cee592d123b00861687a32242b75b_goldeneye.exe	29
PID 3008 wrote to memory of 2644	3008	{EDE253BD-E450-4381-A7E8-49AFBA85ECC3}.exe	32
PID 3008 wrote to memory of 2644	3008	{EDE253BD-E450-4381-A7E8-49AFBA85ECC3}.exe	32
PID 3008 wrote to memory of 2644	3008	{EDE253BD-E450-4381-A7E8-49AFBA85ECC3}.exe	32
PID 3008 wrote to memory of 2644	3008	{EDE253BD-E450-4381-A7E8-49AFBA85ECC3}.exe	32
PID 3008 wrote to memory of 2460	3008	{EDE253BD-E450-4381-A7E8-49AFBA85ECC3}.exe	33
PID 3008 wrote to memory of 2460	3008	{EDE253BD-E450-4381-A7E8-49AFBA85ECC3}.exe	33
PID 3008 wrote to memory of 2460	3008	{EDE253BD-E450-4381-A7E8-49AFBA85ECC3}.exe	33
PID 3008 wrote to memory of 2460	3008	{EDE253BD-E450-4381-A7E8-49AFBA85ECC3}.exe	33
PID 2644 wrote to memory of 2632	2644	{E39EF6B8-D3F3-4c97-A099-F99518106493}.exe	34
PID 2644 wrote to memory of 2632	2644	{E39EF6B8-D3F3-4c97-A099-F99518106493}.exe	34
PID 2644 wrote to memory of 2632	2644	{E39EF6B8-D3F3-4c97-A099-F99518106493}.exe	34
PID 2644 wrote to memory of 2632	2644	{E39EF6B8-D3F3-4c97-A099-F99518106493}.exe	34
PID 2644 wrote to memory of 2380	2644	{E39EF6B8-D3F3-4c97-A099-F99518106493}.exe	35
PID 2644 wrote to memory of 2380	2644	{E39EF6B8-D3F3-4c97-A099-F99518106493}.exe	35
PID 2644 wrote to memory of 2380	2644	{E39EF6B8-D3F3-4c97-A099-F99518106493}.exe	35
PID 2644 wrote to memory of 2380	2644	{E39EF6B8-D3F3-4c97-A099-F99518106493}.exe	35
PID 2632 wrote to memory of 2788	2632	{A10CDEE5-6DBC-46df-8D32-BB5B1D72B9E2}.exe	36
PID 2632 wrote to memory of 2788	2632	{A10CDEE5-6DBC-46df-8D32-BB5B1D72B9E2}.exe	36
PID 2632 wrote to memory of 2788	2632	{A10CDEE5-6DBC-46df-8D32-BB5B1D72B9E2}.exe	36
PID 2632 wrote to memory of 2788	2632	{A10CDEE5-6DBC-46df-8D32-BB5B1D72B9E2}.exe	36
PID 2632 wrote to memory of 588	2632	{A10CDEE5-6DBC-46df-8D32-BB5B1D72B9E2}.exe	37
PID 2632 wrote to memory of 588	2632	{A10CDEE5-6DBC-46df-8D32-BB5B1D72B9E2}.exe	37
PID 2632 wrote to memory of 588	2632	{A10CDEE5-6DBC-46df-8D32-BB5B1D72B9E2}.exe	37
PID 2632 wrote to memory of 588	2632	{A10CDEE5-6DBC-46df-8D32-BB5B1D72B9E2}.exe	37
PID 2788 wrote to memory of 2340	2788	{49549F60-848C-4955-85B1-96EE80F0F517}.exe	38
PID 2788 wrote to memory of 2340	2788	{49549F60-848C-4955-85B1-96EE80F0F517}.exe	38
PID 2788 wrote to memory of 2340	2788	{49549F60-848C-4955-85B1-96EE80F0F517}.exe	38
PID 2788 wrote to memory of 2340	2788	{49549F60-848C-4955-85B1-96EE80F0F517}.exe	38
PID 2788 wrote to memory of 1924	2788	{49549F60-848C-4955-85B1-96EE80F0F517}.exe	39
PID 2788 wrote to memory of 1924	2788	{49549F60-848C-4955-85B1-96EE80F0F517}.exe	39
PID 2788 wrote to memory of 1924	2788	{49549F60-848C-4955-85B1-96EE80F0F517}.exe	39
PID 2788 wrote to memory of 1924	2788	{49549F60-848C-4955-85B1-96EE80F0F517}.exe	39
PID 2340 wrote to memory of 2428	2340	{C49021A3-8A51-4e5c-93EA-91878EBEF313}.exe	41
PID 2340 wrote to memory of 2428	2340	{C49021A3-8A51-4e5c-93EA-91878EBEF313}.exe	41
PID 2340 wrote to memory of 2428	2340	{C49021A3-8A51-4e5c-93EA-91878EBEF313}.exe	41
PID 2340 wrote to memory of 2428	2340	{C49021A3-8A51-4e5c-93EA-91878EBEF313}.exe	41
PID 2340 wrote to memory of 2464	2340	{C49021A3-8A51-4e5c-93EA-91878EBEF313}.exe	40
PID 2340 wrote to memory of 2464	2340	{C49021A3-8A51-4e5c-93EA-91878EBEF313}.exe	40
PID 2340 wrote to memory of 2464	2340	{C49021A3-8A51-4e5c-93EA-91878EBEF313}.exe	40
PID 2340 wrote to memory of 2464	2340	{C49021A3-8A51-4e5c-93EA-91878EBEF313}.exe	40
PID 2428 wrote to memory of 2284	2428	{596443AA-40BF-4f40-92CE-31538860AFB9}.exe	42
PID 2428 wrote to memory of 2284	2428	{596443AA-40BF-4f40-92CE-31538860AFB9}.exe	42
PID 2428 wrote to memory of 2284	2428	{596443AA-40BF-4f40-92CE-31538860AFB9}.exe	42
PID 2428 wrote to memory of 2284	2428	{596443AA-40BF-4f40-92CE-31538860AFB9}.exe	42
PID 2428 wrote to memory of 1936	2428	{596443AA-40BF-4f40-92CE-31538860AFB9}.exe	43
PID 2428 wrote to memory of 1936	2428	{596443AA-40BF-4f40-92CE-31538860AFB9}.exe	43
PID 2428 wrote to memory of 1936	2428	{596443AA-40BF-4f40-92CE-31538860AFB9}.exe	43
PID 2428 wrote to memory of 1936	2428	{596443AA-40BF-4f40-92CE-31538860AFB9}.exe	43
PID 2284 wrote to memory of 540	2284	{DF452887-787B-4ab5-8914-BC67761AA6C1}.exe	44
PID 2284 wrote to memory of 540	2284	{DF452887-787B-4ab5-8914-BC67761AA6C1}.exe	44
PID 2284 wrote to memory of 540	2284	{DF452887-787B-4ab5-8914-BC67761AA6C1}.exe	44
PID 2284 wrote to memory of 540	2284	{DF452887-787B-4ab5-8914-BC67761AA6C1}.exe	44
PID 2284 wrote to memory of 1932	2284	{DF452887-787B-4ab5-8914-BC67761AA6C1}.exe	45
PID 2284 wrote to memory of 1932	2284	{DF452887-787B-4ab5-8914-BC67761AA6C1}.exe	45
PID 2284 wrote to memory of 1932	2284	{DF452887-787B-4ab5-8914-BC67761AA6C1}.exe	45
PID 2284 wrote to memory of 1932	2284	{DF452887-787B-4ab5-8914-BC67761AA6C1}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-02-23_209cee592d123b00861687a32242b75b_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-23_209cee592d123b00861687a32242b75b_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2844
- C:\Windows\{EDE253BD-E450-4381-A7E8-49AFBA85ECC3}.exe
  C:\Windows\{EDE253BD-E450-4381-A7E8-49AFBA85ECC3}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3008
- - C:\Windows\{E39EF6B8-D3F3-4c97-A099-F99518106493}.exe
    C:\Windows\{E39EF6B8-D3F3-4c97-A099-F99518106493}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2644
  - - C:\Windows\{A10CDEE5-6DBC-46df-8D32-BB5B1D72B9E2}.exe
      C:\Windows\{A10CDEE5-6DBC-46df-8D32-BB5B1D72B9E2}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2632
    - - C:\Windows\{49549F60-848C-4955-85B1-96EE80F0F517}.exe
        
        C:\Windows\{49549F60-848C-4955-85B1-96EE80F0F517}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2788
      - C:\Windows\{C49021A3-8A51-4e5c-93EA-91878EBEF313}.exe
        
        C:\Windows\{C49021A3-8A51-4e5c-93EA-91878EBEF313}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C4902~1.EXE > nul
        7⤵
        
        PID:2464
        
        C:\Windows\{596443AA-40BF-4f40-92CE-31538860AFB9}.exe
        
        C:\Windows\{596443AA-40BF-4f40-92CE-31538860AFB9}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2428
        
        C:\Windows\{DF452887-787B-4ab5-8914-BC67761AA6C1}.exe
        
        C:\Windows\{DF452887-787B-4ab5-8914-BC67761AA6C1}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2284
        
        C:\Windows\{4670C338-59C9-4426-A6E3-B67D6912181D}.exe
        
        C:\Windows\{4670C338-59C9-4426-A6E3-B67D6912181D}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4670C~1.EXE > nul
        10⤵
        
        PID:2028
        
        C:\Windows\{1426439E-8E7E-48d9-A2B4-842553386440}.exe
        
        C:\Windows\{1426439E-8E7E-48d9-A2B4-842553386440}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{14264~1.EXE > nul
        11⤵
        
        PID:2232
        
        C:\Windows\{93785771-48CF-4984-B24C-B2B4BF2FC25F}.exe
        
        C:\Windows\{93785771-48CF-4984-B24C-B2B4BF2FC25F}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2236
        
        C:\Windows\{7AFD91FE-5F9A-45f2-B4B6-D9E6C543C7AB}.exe
        
        C:\Windows\{7AFD91FE-5F9A-45f2-B4B6-D9E6C543C7AB}.exe
        12⤵
        Executes dropped EXE
        
        PID:2144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{93785~1.EXE > nul
        12⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DF452~1.EXE > nul
        9⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{59644~1.EXE > nul
        8⤵
        
        PID:1936
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{49549~1.EXE > nul
        6⤵
        
        PID:1924
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A10CD~1.EXE > nul
        5⤵
        
        PID:588
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{E39EF~1.EXE > nul
      4⤵
      PID:2380
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{EDE25~1.EXE > nul
    3⤵
    PID:2460
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1426439E-8E7E-48d9-A2B4-842553386440}.exe

Filesize
344KB

MD5
ba04f6bbdaa67fb00fafe2f32f8a21ec

SHA1
46863a6749da74b14101f698499102e87167dd15

SHA256
a286641c9457c322883992554566149a7700eeedd9ebc62a897ce3b6bc771332

SHA512
9682fae5f2ba0161e0b00dbd3530a339b02aec9ef9edfb089774290bbcdd28a7218de30a478ed075dd745ff3f5000b726ce623cb8e2e03d666982d3962a374fd

Download Submit
C:\Windows\{4670C338-59C9-4426-A6E3-B67D6912181D}.exe

Filesize
344KB

MD5
f9a1684f13fdea6498313da305173796

SHA1
3e4893ad8ca7b09e99b15a055ce99a75c8196388

SHA256
caf9e26d03e040f782090d61da13797276955a98a7234f3fdf13723fc2cccc7c

SHA512
2942f7ed76349762973f6fedc4894ad275f81bb1de63c010cdac256105b56309c7a2c1ea63b387027382544be21866239c734d0aa392c0ace2f1fea025af0d25

Download Submit
C:\Windows\{49549F60-848C-4955-85B1-96EE80F0F517}.exe

Filesize
344KB

MD5
76e431951f62bc55e257057476e27997

SHA1
04ffe5973d7fe06c733939072294bd1699ba667a

SHA256
e4ce40c6b03e7c909b9712c460376eb4d32a9873bb98b388dc0c728adabebccb

SHA512
5ee826eed16d2534afd1ac99785e54a3c0b688b9d96fabbe439f61fc4a93b821e05210b3a8227b4d91e1e1702496c198ce2176f10d78aa13b93f2a94300c8931

Download Submit
C:\Windows\{596443AA-40BF-4f40-92CE-31538860AFB9}.exe

Filesize
344KB

MD5
b0da5546ddec54e31062da5614bb5235

SHA1
77088d5870c77c94a0e3bed6a7f04a6539de6047

SHA256
07661c0cc35a98efe83f996cfa9da6350b03a7660322f80a9d3a3da97e6ca454

SHA512
ff493c2ad0fe18f8ea843b6fe1e4138d992ac736eb22c1b7a7bfbd9a4f5fb142a49e1bc906fa3c6922043fbc93de7c7e5061717a72c21db5a9e9cf4a22809b69

Download Submit
C:\Windows\{7AFD91FE-5F9A-45f2-B4B6-D9E6C543C7AB}.exe

Filesize
344KB

MD5
35334ce8efc71e1b197eee1efdf9a0d8

SHA1
7c111beb00eda09e42ef19f59418febd05fcfeaa

SHA256
1086efeef3180f0511c7550416ff5eacd65f9d5b33090215eab19623bd2462a4

SHA512
9052119d206afc2461e9c9673e74c2bf3dc5bb819ac3cd6910b0fd003758a9f66e6ed0ec245fbeb71ee40d9d1c1f198e8d7bb666933806212eabc01417ff523a

Download Submit
C:\Windows\{93785771-48CF-4984-B24C-B2B4BF2FC25F}.exe

Filesize
344KB

MD5
dad6ed827616f813f4302ac585311713

SHA1
bda16b5dbd9231f3a2c06269fac83ec262b77c73

SHA256
cfef32aa4211dbf8352e90de45a3245b983436efa632e9658a20b457495907c1

SHA512
c711ac9979b8ad456df0b4b79c9060bc9c47d9ee8a9b605f443241e0a0fb7d3db7ae2bf4cea5cd13b88435339a62a30c212bc3c35f6fae384e372d8058a55bb6

Download Submit
C:\Windows\{A10CDEE5-6DBC-46df-8D32-BB5B1D72B9E2}.exe

Filesize
344KB

MD5
34f9b17f6548e765c245d49c02795475

SHA1
67d9acc30b0ab0e77ac3905f3ad2f25484e587f6

SHA256
a7dd2e123c3f6aaf9c863d2adccaeaaacc8b3f90ba362859678be329aaf2f2e8

SHA512
2563bed65e2cd6d8cb951bf45605952f8d8f188dba7721df5f73d66aed20001c0825bf8f9236bc7b4c0caf7d7632baf019faf42e2ce9b34855922ba8fb5292f2

Download Submit
C:\Windows\{C49021A3-8A51-4e5c-93EA-91878EBEF313}.exe

Filesize
344KB

MD5
c15d8c0be7d8cd61dcb9c75650e25999

SHA1
af5a1618be6aab2f36676e726c2596dd165c03ef

SHA256
54272eb06af62717a12d54f5a1be81f24752b52743c803fe559de5d4bf79f3d3

SHA512
a03f9b2691d837122610125aacf1a97dcccdcd451650e1f7dba9cc349da9906ca6f586b4aa623da9034280bf9a7f90eef444a7c9e389c8fe78ba2cd0ecfe6f55

Download Submit
C:\Windows\{DF452887-787B-4ab5-8914-BC67761AA6C1}.exe

Filesize
344KB

MD5
8b2c049e2ca9f479d434afe7f60c1f3d

SHA1
ab724ba52f9547137b4601d94bc9b6c5899d03b7

SHA256
135c8e8c62a73609a48976f2cef9084544d49db2fb2ae86ecb56c345464df850

SHA512
b384742dce7d128064c230b59e85f799c307969e772c87c91383881d9dad51f22f22e20ea60e7a21fff5681738472c0423844d37da7344151b52fb05d449d271

Download Submit
C:\Windows\{E39EF6B8-D3F3-4c97-A099-F99518106493}.exe

Filesize
344KB

MD5
af027bd7e5b47087e5f649480ee6f0a7

SHA1
55dbcbe2765704326ab735a968fd3f9c63671d6c

SHA256
9b12bfd83847e19ff089b042e5e1daa16f863cf948476628ea7396933522fbd3

SHA512
1d20f2701c5d43945cedfffcc9f0c965c36ede52f1afa5a59efc7d6a22fafff1e120cc28fdaade6fa71d83c35080bad8b44df29c1084eb1629edf940706071f3

Download Submit
C:\Windows\{EDE253BD-E450-4381-A7E8-49AFBA85ECC3}.exe

Filesize
344KB

MD5
5cf1353d4d0a4a88b7bed09480aaf996

SHA1
9b7508b67a3152efb13214bd91a459fb0e7c725d

SHA256
4b6c931a79c8be071767c2c09e787071ab931e6b236a5ac41a860d85a7e96b84

SHA512
4926acb3be74d06ba94d354abc87d4db82c303cc445c9b50ef0f9785d74f5aab8aa511b4cce4ef3fada6904ae5c0fa734b7181d352e9cb6267e1ecbef3a96d6f

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads