723d6e9642c5ff9a7d1a6a0af4ea58f08e88d7025060b83aca083e3b493b6e2f

Analysis

max time kernel
144s
max time network
120s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
24/02/2024, 21:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-24_a35addbb113cecd1b6d1a91c2974be2a_goldeneye.exe
Size

204KB
MD5

a35addbb113cecd1b6d1a91c2974be2a
SHA1

ea393bfbaea4783c9c34ce5999ede1723afde89d
SHA256

723d6e9642c5ff9a7d1a6a0af4ea58f08e88d7025060b83aca083e3b493b6e2f
SHA512

fb640234b0acadfe02912b8f35fdcebe275ba65ce0e67b9e84e355c7b42da0e98046ff73e3f623081a229f6ec4031675d9caa9835861f5777cd034bfa05b16ee
SSDEEP

1536:1EGh0o+l15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0o+l1OPOe2MUVg3Ve+rXfMUy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x00090000000122be-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000015c4c-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a0000000122be-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0033000000015cb0-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b0000000122be-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c0000000122be-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d0000000122be-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{46462E7F-CD68-4dce-995D-47C43C797A05}	{2E583854-44F8-4184-802A-01E8F93277D4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{14AA6BA7-649E-4664-88B5-770ECA4EAD9F}	{EA7B3A69-BE7B-49fb-BD41-F723417C039A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6CA4B525-91D8-4e8b-8ED1-820B2EE0303C}\stubpath = "C:\\Windows\\{6CA4B525-91D8-4e8b-8ED1-820B2EE0303C}.exe"	{8CC5C5CC-5194-43d1-B305-75C7340A2FA0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5BD042A7-5722-49f8-858A-03A95DF7A6BB}\stubpath = "C:\\Windows\\{5BD042A7-5722-49f8-858A-03A95DF7A6BB}.exe"	{0490FE10-497B-4a97-B67A-3CE91A68380E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{78F80DAD-6DF0-483f-97E2-0664D1D75509}	{6CA4B525-91D8-4e8b-8ED1-820B2EE0303C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5BD042A7-5722-49f8-858A-03A95DF7A6BB}	{0490FE10-497B-4a97-B67A-3CE91A68380E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2E583854-44F8-4184-802A-01E8F93277D4}\stubpath = "C:\\Windows\\{2E583854-44F8-4184-802A-01E8F93277D4}.exe"	{B582EA76-9BB5-43a3-810A-C67C7D49DA8F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1BF4A1C5-4E91-493f-B75A-7C0F17616710}\stubpath = "C:\\Windows\\{1BF4A1C5-4E91-493f-B75A-7C0F17616710}.exe"	2024-02-24_a35addbb113cecd1b6d1a91c2974be2a_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8CC5C5CC-5194-43d1-B305-75C7340A2FA0}	{1BF4A1C5-4E91-493f-B75A-7C0F17616710}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0490FE10-497B-4a97-B67A-3CE91A68380E}	{78F80DAD-6DF0-483f-97E2-0664D1D75509}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B582EA76-9BB5-43a3-810A-C67C7D49DA8F}\stubpath = "C:\\Windows\\{B582EA76-9BB5-43a3-810A-C67C7D49DA8F}.exe"	{5BD042A7-5722-49f8-858A-03A95DF7A6BB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2E583854-44F8-4184-802A-01E8F93277D4}	{B582EA76-9BB5-43a3-810A-C67C7D49DA8F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EA7B3A69-BE7B-49fb-BD41-F723417C039A}	{46462E7F-CD68-4dce-995D-47C43C797A05}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{14AA6BA7-649E-4664-88B5-770ECA4EAD9F}\stubpath = "C:\\Windows\\{14AA6BA7-649E-4664-88B5-770ECA4EAD9F}.exe"	{EA7B3A69-BE7B-49fb-BD41-F723417C039A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1BF4A1C5-4E91-493f-B75A-7C0F17616710}	2024-02-24_a35addbb113cecd1b6d1a91c2974be2a_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{78F80DAD-6DF0-483f-97E2-0664D1D75509}\stubpath = "C:\\Windows\\{78F80DAD-6DF0-483f-97E2-0664D1D75509}.exe"	{6CA4B525-91D8-4e8b-8ED1-820B2EE0303C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0490FE10-497B-4a97-B67A-3CE91A68380E}\stubpath = "C:\\Windows\\{0490FE10-497B-4a97-B67A-3CE91A68380E}.exe"	{78F80DAD-6DF0-483f-97E2-0664D1D75509}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B582EA76-9BB5-43a3-810A-C67C7D49DA8F}	{5BD042A7-5722-49f8-858A-03A95DF7A6BB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{46462E7F-CD68-4dce-995D-47C43C797A05}\stubpath = "C:\\Windows\\{46462E7F-CD68-4dce-995D-47C43C797A05}.exe"	{2E583854-44F8-4184-802A-01E8F93277D4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EA7B3A69-BE7B-49fb-BD41-F723417C039A}\stubpath = "C:\\Windows\\{EA7B3A69-BE7B-49fb-BD41-F723417C039A}.exe"	{46462E7F-CD68-4dce-995D-47C43C797A05}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8CC5C5CC-5194-43d1-B305-75C7340A2FA0}\stubpath = "C:\\Windows\\{8CC5C5CC-5194-43d1-B305-75C7340A2FA0}.exe"	{1BF4A1C5-4E91-493f-B75A-7C0F17616710}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6CA4B525-91D8-4e8b-8ED1-820B2EE0303C}	{8CC5C5CC-5194-43d1-B305-75C7340A2FA0}.exe

Deletes itself 1 IoCs

pid	Process
2436	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2760	{1BF4A1C5-4E91-493f-B75A-7C0F17616710}.exe
2452	{8CC5C5CC-5194-43d1-B305-75C7340A2FA0}.exe
2916	{6CA4B525-91D8-4e8b-8ED1-820B2EE0303C}.exe
1584	{78F80DAD-6DF0-483f-97E2-0664D1D75509}.exe
2728	{0490FE10-497B-4a97-B67A-3CE91A68380E}.exe
1768	{5BD042A7-5722-49f8-858A-03A95DF7A6BB}.exe
2300	{B582EA76-9BB5-43a3-810A-C67C7D49DA8F}.exe
1456	{2E583854-44F8-4184-802A-01E8F93277D4}.exe
2012	{46462E7F-CD68-4dce-995D-47C43C797A05}.exe
268	{EA7B3A69-BE7B-49fb-BD41-F723417C039A}.exe
1700	{14AA6BA7-649E-4664-88B5-770ECA4EAD9F}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{14AA6BA7-649E-4664-88B5-770ECA4EAD9F}.exe	{EA7B3A69-BE7B-49fb-BD41-F723417C039A}.exe
File created	C:\Windows\{1BF4A1C5-4E91-493f-B75A-7C0F17616710}.exe	2024-02-24_a35addbb113cecd1b6d1a91c2974be2a_goldeneye.exe
File created	C:\Windows\{8CC5C5CC-5194-43d1-B305-75C7340A2FA0}.exe	{1BF4A1C5-4E91-493f-B75A-7C0F17616710}.exe
File created	C:\Windows\{5BD042A7-5722-49f8-858A-03A95DF7A6BB}.exe	{0490FE10-497B-4a97-B67A-3CE91A68380E}.exe
File created	C:\Windows\{B582EA76-9BB5-43a3-810A-C67C7D49DA8F}.exe	{5BD042A7-5722-49f8-858A-03A95DF7A6BB}.exe
File created	C:\Windows\{2E583854-44F8-4184-802A-01E8F93277D4}.exe	{B582EA76-9BB5-43a3-810A-C67C7D49DA8F}.exe
File created	C:\Windows\{6CA4B525-91D8-4e8b-8ED1-820B2EE0303C}.exe	{8CC5C5CC-5194-43d1-B305-75C7340A2FA0}.exe
File created	C:\Windows\{78F80DAD-6DF0-483f-97E2-0664D1D75509}.exe	{6CA4B525-91D8-4e8b-8ED1-820B2EE0303C}.exe
File created	C:\Windows\{0490FE10-497B-4a97-B67A-3CE91A68380E}.exe	{78F80DAD-6DF0-483f-97E2-0664D1D75509}.exe
File created	C:\Windows\{46462E7F-CD68-4dce-995D-47C43C797A05}.exe	{2E583854-44F8-4184-802A-01E8F93277D4}.exe
File created	C:\Windows\{EA7B3A69-BE7B-49fb-BD41-F723417C039A}.exe	{46462E7F-CD68-4dce-995D-47C43C797A05}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2836	2024-02-24_a35addbb113cecd1b6d1a91c2974be2a_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2760	{1BF4A1C5-4E91-493f-B75A-7C0F17616710}.exe
Token: SeIncBasePriorityPrivilege	2452	{8CC5C5CC-5194-43d1-B305-75C7340A2FA0}.exe
Token: SeIncBasePriorityPrivilege	2916	{6CA4B525-91D8-4e8b-8ED1-820B2EE0303C}.exe
Token: SeIncBasePriorityPrivilege	1584	{78F80DAD-6DF0-483f-97E2-0664D1D75509}.exe
Token: SeIncBasePriorityPrivilege	2728	{0490FE10-497B-4a97-B67A-3CE91A68380E}.exe
Token: SeIncBasePriorityPrivilege	1768	{5BD042A7-5722-49f8-858A-03A95DF7A6BB}.exe
Token: SeIncBasePriorityPrivilege	2300	{B582EA76-9BB5-43a3-810A-C67C7D49DA8F}.exe
Token: SeIncBasePriorityPrivilege	1456	{2E583854-44F8-4184-802A-01E8F93277D4}.exe
Token: SeIncBasePriorityPrivilege	2012	{46462E7F-CD68-4dce-995D-47C43C797A05}.exe
Token: SeIncBasePriorityPrivilege	268	{EA7B3A69-BE7B-49fb-BD41-F723417C039A}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2836 wrote to memory of 2760	2836	2024-02-24_a35addbb113cecd1b6d1a91c2974be2a_goldeneye.exe	28
PID 2836 wrote to memory of 2760	2836	2024-02-24_a35addbb113cecd1b6d1a91c2974be2a_goldeneye.exe	28
PID 2836 wrote to memory of 2760	2836	2024-02-24_a35addbb113cecd1b6d1a91c2974be2a_goldeneye.exe	28
PID 2836 wrote to memory of 2760	2836	2024-02-24_a35addbb113cecd1b6d1a91c2974be2a_goldeneye.exe	28
PID 2836 wrote to memory of 2436	2836	2024-02-24_a35addbb113cecd1b6d1a91c2974be2a_goldeneye.exe	29
PID 2836 wrote to memory of 2436	2836	2024-02-24_a35addbb113cecd1b6d1a91c2974be2a_goldeneye.exe	29
PID 2836 wrote to memory of 2436	2836	2024-02-24_a35addbb113cecd1b6d1a91c2974be2a_goldeneye.exe	29
PID 2836 wrote to memory of 2436	2836	2024-02-24_a35addbb113cecd1b6d1a91c2974be2a_goldeneye.exe	29
PID 2760 wrote to memory of 2452	2760	{1BF4A1C5-4E91-493f-B75A-7C0F17616710}.exe	30
PID 2760 wrote to memory of 2452	2760	{1BF4A1C5-4E91-493f-B75A-7C0F17616710}.exe	30
PID 2760 wrote to memory of 2452	2760	{1BF4A1C5-4E91-493f-B75A-7C0F17616710}.exe	30
PID 2760 wrote to memory of 2452	2760	{1BF4A1C5-4E91-493f-B75A-7C0F17616710}.exe	30
PID 2760 wrote to memory of 2580	2760	{1BF4A1C5-4E91-493f-B75A-7C0F17616710}.exe	31
PID 2760 wrote to memory of 2580	2760	{1BF4A1C5-4E91-493f-B75A-7C0F17616710}.exe	31
PID 2760 wrote to memory of 2580	2760	{1BF4A1C5-4E91-493f-B75A-7C0F17616710}.exe	31
PID 2760 wrote to memory of 2580	2760	{1BF4A1C5-4E91-493f-B75A-7C0F17616710}.exe	31
PID 2452 wrote to memory of 2916	2452	{8CC5C5CC-5194-43d1-B305-75C7340A2FA0}.exe	32
PID 2452 wrote to memory of 2916	2452	{8CC5C5CC-5194-43d1-B305-75C7340A2FA0}.exe	32
PID 2452 wrote to memory of 2916	2452	{8CC5C5CC-5194-43d1-B305-75C7340A2FA0}.exe	32
PID 2452 wrote to memory of 2916	2452	{8CC5C5CC-5194-43d1-B305-75C7340A2FA0}.exe	32
PID 2452 wrote to memory of 2500	2452	{8CC5C5CC-5194-43d1-B305-75C7340A2FA0}.exe	33
PID 2452 wrote to memory of 2500	2452	{8CC5C5CC-5194-43d1-B305-75C7340A2FA0}.exe	33
PID 2452 wrote to memory of 2500	2452	{8CC5C5CC-5194-43d1-B305-75C7340A2FA0}.exe	33
PID 2452 wrote to memory of 2500	2452	{8CC5C5CC-5194-43d1-B305-75C7340A2FA0}.exe	33
PID 2916 wrote to memory of 1584	2916	{6CA4B525-91D8-4e8b-8ED1-820B2EE0303C}.exe	36
PID 2916 wrote to memory of 1584	2916	{6CA4B525-91D8-4e8b-8ED1-820B2EE0303C}.exe	36
PID 2916 wrote to memory of 1584	2916	{6CA4B525-91D8-4e8b-8ED1-820B2EE0303C}.exe	36
PID 2916 wrote to memory of 1584	2916	{6CA4B525-91D8-4e8b-8ED1-820B2EE0303C}.exe	36
PID 2916 wrote to memory of 2628	2916	{6CA4B525-91D8-4e8b-8ED1-820B2EE0303C}.exe	37
PID 2916 wrote to memory of 2628	2916	{6CA4B525-91D8-4e8b-8ED1-820B2EE0303C}.exe	37
PID 2916 wrote to memory of 2628	2916	{6CA4B525-91D8-4e8b-8ED1-820B2EE0303C}.exe	37
PID 2916 wrote to memory of 2628	2916	{6CA4B525-91D8-4e8b-8ED1-820B2EE0303C}.exe	37
PID 1584 wrote to memory of 2728	1584	{78F80DAD-6DF0-483f-97E2-0664D1D75509}.exe	38
PID 1584 wrote to memory of 2728	1584	{78F80DAD-6DF0-483f-97E2-0664D1D75509}.exe	38
PID 1584 wrote to memory of 2728	1584	{78F80DAD-6DF0-483f-97E2-0664D1D75509}.exe	38
PID 1584 wrote to memory of 2728	1584	{78F80DAD-6DF0-483f-97E2-0664D1D75509}.exe	38
PID 1584 wrote to memory of 2740	1584	{78F80DAD-6DF0-483f-97E2-0664D1D75509}.exe	39
PID 1584 wrote to memory of 2740	1584	{78F80DAD-6DF0-483f-97E2-0664D1D75509}.exe	39
PID 1584 wrote to memory of 2740	1584	{78F80DAD-6DF0-483f-97E2-0664D1D75509}.exe	39
PID 1584 wrote to memory of 2740	1584	{78F80DAD-6DF0-483f-97E2-0664D1D75509}.exe	39
PID 2728 wrote to memory of 1768	2728	{0490FE10-497B-4a97-B67A-3CE91A68380E}.exe	40
PID 2728 wrote to memory of 1768	2728	{0490FE10-497B-4a97-B67A-3CE91A68380E}.exe	40
PID 2728 wrote to memory of 1768	2728	{0490FE10-497B-4a97-B67A-3CE91A68380E}.exe	40
PID 2728 wrote to memory of 1768	2728	{0490FE10-497B-4a97-B67A-3CE91A68380E}.exe	40
PID 2728 wrote to memory of 2396	2728	{0490FE10-497B-4a97-B67A-3CE91A68380E}.exe	41
PID 2728 wrote to memory of 2396	2728	{0490FE10-497B-4a97-B67A-3CE91A68380E}.exe	41
PID 2728 wrote to memory of 2396	2728	{0490FE10-497B-4a97-B67A-3CE91A68380E}.exe	41
PID 2728 wrote to memory of 2396	2728	{0490FE10-497B-4a97-B67A-3CE91A68380E}.exe	41
PID 1768 wrote to memory of 2300	1768	{5BD042A7-5722-49f8-858A-03A95DF7A6BB}.exe	42
PID 1768 wrote to memory of 2300	1768	{5BD042A7-5722-49f8-858A-03A95DF7A6BB}.exe	42
PID 1768 wrote to memory of 2300	1768	{5BD042A7-5722-49f8-858A-03A95DF7A6BB}.exe	42
PID 1768 wrote to memory of 2300	1768	{5BD042A7-5722-49f8-858A-03A95DF7A6BB}.exe	42
PID 1768 wrote to memory of 2516	1768	{5BD042A7-5722-49f8-858A-03A95DF7A6BB}.exe	43
PID 1768 wrote to memory of 2516	1768	{5BD042A7-5722-49f8-858A-03A95DF7A6BB}.exe	43
PID 1768 wrote to memory of 2516	1768	{5BD042A7-5722-49f8-858A-03A95DF7A6BB}.exe	43
PID 1768 wrote to memory of 2516	1768	{5BD042A7-5722-49f8-858A-03A95DF7A6BB}.exe	43
PID 2300 wrote to memory of 1456	2300	{B582EA76-9BB5-43a3-810A-C67C7D49DA8F}.exe	44
PID 2300 wrote to memory of 1456	2300	{B582EA76-9BB5-43a3-810A-C67C7D49DA8F}.exe	44
PID 2300 wrote to memory of 1456	2300	{B582EA76-9BB5-43a3-810A-C67C7D49DA8F}.exe	44
PID 2300 wrote to memory of 1456	2300	{B582EA76-9BB5-43a3-810A-C67C7D49DA8F}.exe	44
PID 2300 wrote to memory of 1136	2300	{B582EA76-9BB5-43a3-810A-C67C7D49DA8F}.exe	45
PID 2300 wrote to memory of 1136	2300	{B582EA76-9BB5-43a3-810A-C67C7D49DA8F}.exe	45
PID 2300 wrote to memory of 1136	2300	{B582EA76-9BB5-43a3-810A-C67C7D49DA8F}.exe	45
PID 2300 wrote to memory of 1136	2300	{B582EA76-9BB5-43a3-810A-C67C7D49DA8F}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-02-24_a35addbb113cecd1b6d1a91c2974be2a_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-24_a35addbb113cecd1b6d1a91c2974be2a_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2836
- C:\Windows\{1BF4A1C5-4E91-493f-B75A-7C0F17616710}.exe
  C:\Windows\{1BF4A1C5-4E91-493f-B75A-7C0F17616710}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2760
- - C:\Windows\{8CC5C5CC-5194-43d1-B305-75C7340A2FA0}.exe
    C:\Windows\{8CC5C5CC-5194-43d1-B305-75C7340A2FA0}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2452
  - - C:\Windows\{6CA4B525-91D8-4e8b-8ED1-820B2EE0303C}.exe
      C:\Windows\{6CA4B525-91D8-4e8b-8ED1-820B2EE0303C}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2916
    - - C:\Windows\{78F80DAD-6DF0-483f-97E2-0664D1D75509}.exe
        
        C:\Windows\{78F80DAD-6DF0-483f-97E2-0664D1D75509}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1584
      - C:\Windows\{0490FE10-497B-4a97-B67A-3CE91A68380E}.exe
        
        C:\Windows\{0490FE10-497B-4a97-B67A-3CE91A68380E}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2728
        
        C:\Windows\{5BD042A7-5722-49f8-858A-03A95DF7A6BB}.exe
        
        C:\Windows\{5BD042A7-5722-49f8-858A-03A95DF7A6BB}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1768
        
        C:\Windows\{B582EA76-9BB5-43a3-810A-C67C7D49DA8F}.exe
        
        C:\Windows\{B582EA76-9BB5-43a3-810A-C67C7D49DA8F}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2300
        
        C:\Windows\{2E583854-44F8-4184-802A-01E8F93277D4}.exe
        
        C:\Windows\{2E583854-44F8-4184-802A-01E8F93277D4}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1456
        
        C:\Windows\{46462E7F-CD68-4dce-995D-47C43C797A05}.exe
        
        C:\Windows\{46462E7F-CD68-4dce-995D-47C43C797A05}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2012
        
        C:\Windows\{EA7B3A69-BE7B-49fb-BD41-F723417C039A}.exe
        
        C:\Windows\{EA7B3A69-BE7B-49fb-BD41-F723417C039A}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:268
        
        C:\Windows\{14AA6BA7-649E-4664-88B5-770ECA4EAD9F}.exe
        
        C:\Windows\{14AA6BA7-649E-4664-88B5-770ECA4EAD9F}.exe
        12⤵
        Executes dropped EXE
        
        PID:1700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EA7B3~1.EXE > nul
        12⤵
        
        PID:1864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{46462~1.EXE > nul
        11⤵
        
        PID:480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2E583~1.EXE > nul
        10⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B582E~1.EXE > nul
        9⤵
        
        PID:1136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5BD04~1.EXE > nul
        8⤵
        
        PID:2516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0490F~1.EXE > nul
        7⤵
        
        PID:2396
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{78F80~1.EXE > nul
        6⤵
        
        PID:2740
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6CA4B~1.EXE > nul
        5⤵
        
        PID:2628
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{8CC5C~1.EXE > nul
      4⤵
      PID:2500
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{1BF4A~1.EXE > nul
    3⤵
    PID:2580
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0490FE10-497B-4a97-B67A-3CE91A68380E}.exe

Filesize
204KB

MD5
2f0197f10d822d3a6e6c2ff450f42968

SHA1
ceefcc1cc1d92be3ed4cee7d8d05a0c3d1d95e56

SHA256
7add0a5097bb897641b11dd0a9b6e5f2fac376c923d0eabb8182efa7fc786214

SHA512
ade3c4e532c52582487cecae26781d8492739fea65aa820840c413faaa192f3724906b559a41495b533c02304882d4fae918d82df9f3f8a8e5ec53ded169debe

Download Submit
C:\Windows\{14AA6BA7-649E-4664-88B5-770ECA4EAD9F}.exe

Filesize
204KB

MD5
fa418073edfcb4d4c48d27e8c75959d3

SHA1
ccd2fc8b685590a81761b0eb7401604d0f22d804

SHA256
4c2eb9fe2aaade5f3def3ac9bf95ef3e129cf8372bd7f1f06bf0ca2ea39758f6

SHA512
f1cd634ebcd85f2ee924504cb320c70e907f0d09f53f104b798158e947243a654da5ce5221f1cbcb2bb9f4c5ccf68956060d40b0dbc85e7261c7fcaafa9a936b

Download Submit
C:\Windows\{1BF4A1C5-4E91-493f-B75A-7C0F17616710}.exe

Filesize
204KB

MD5
b1cb8c7f99cf320cf6c967ce0b723fd0

SHA1
73cb536f0b91bab730b80786176c0b7e9a44b551

SHA256
25da21334682aaebe421974696a16d48a2c1090fe94310eb05cdad00349b08bb

SHA512
497a4bd4a0df6c85a1910b9d9414a8fa92cf7b75020bd431bb98ea0f40bfb5a63e87d909b3f77ebd5eab5e46d5353af99bb71d1630ef2f318c0f62fbd8599953

Download Submit
C:\Windows\{2E583854-44F8-4184-802A-01E8F93277D4}.exe

Filesize
204KB

MD5
d2ede7b1a7b028bd8dc7a442d8e9dc01

SHA1
c2348d96722cd3fd999169287bad9111966fa0b5

SHA256
5cd51adad10a8fe82a639383bcb7a8ed509538b71645ff2c715cebdea14d4990

SHA512
59b3b3c375d5226e60f2b28b1ddaaa7f3d024758d52ca63a9cedfe03cfe043222da7d087fc2cd7e0cfb7ddd9d1de8a08ef09d3a0a3f9cad9e335617d5ed50acf

Download Submit
C:\Windows\{46462E7F-CD68-4dce-995D-47C43C797A05}.exe

Filesize
204KB

MD5
5afba9eb3f21716d912ff5754280e48b

SHA1
b84e314243cd7adf4cc9e862616de913a6112b41

SHA256
c958708318051939d93da48ee551216100e081dc9c0e165ba00ba4a729f88a42

SHA512
1acb58622a586b812026e5a45fa458b36ba5d9fd75c9a58ab2969ce80127f40362b70b074121d875b05d49278b6cde562fbcc052cf635bcf7e7c1e65621698c9

Download Submit
C:\Windows\{5BD042A7-5722-49f8-858A-03A95DF7A6BB}.exe

Filesize
204KB

MD5
c7bec2c6f1090ef2c754d301367725e2

SHA1
10079e4fac9a05b3c5c341a5609c09901ab44948

SHA256
98c9a1217e523de3aa401c1e0c259edea587966b6686ac1fba33e639c4e553c3

SHA512
93fc45fdee59b81c8f3b9409d73dde0568c310fa82192aafe906292f3183e23643365c951706cad8ced204872133ff1c377490e7c24d237672e4415e83b9764f

Download Submit
C:\Windows\{6CA4B525-91D8-4e8b-8ED1-820B2EE0303C}.exe

Filesize
204KB

MD5
e9996514d9b2d6254b5e274ec2e5b48e

SHA1
0d63ecc022d4431f21fb45a2ebf5dcdefd17a897

SHA256
b60e35367d045913ceb6794424b1c05ca9eb11a122a41c39cc8fa0317ba7e6a9

SHA512
8fc451d05d22c937998de8abe038dd107923528175985c41bcc7d7e40186b29932bffe6722247c93ad05a110b4b2183d08d98942c8aa43d54fa8f4ae0ecb84a7

Download Submit
C:\Windows\{78F80DAD-6DF0-483f-97E2-0664D1D75509}.exe

Filesize
204KB

MD5
f8ab795d5e241af4df21219ce8796947

SHA1
d1bfced29f39bab243520dc9977a43538798a6e5

SHA256
8b481548ace1f2e19af7478823815ac0021047ed2e17985cfc0e7580d4b1547d

SHA512
15a5a759e5605187c0726457afdfe304e18592808046ecb60978b253daf82afbbeb0f8838af0a559a99982dd793924daca05ed4b0fa96b2bb4ebfbbb3e3d69dd

Download Submit
C:\Windows\{8CC5C5CC-5194-43d1-B305-75C7340A2FA0}.exe

Filesize
204KB

MD5
02b79b8c169f23c7cc8bbd7e3fda6547

SHA1
0b23b93468297abf359f8529da8b8a25430fade2

SHA256
79c97845ae9345a31d201b233b3b1125e3b2fcc2cc4997cfeb8adcf1b812d2f5

SHA512
1628de6f1725027272a559ee5d5fb51bf449e5c17d8c351ac511d581b9747be4de72b960cde8981ed4a6d525d9d304dab75f0f43b22d26da4b02b844578a8bbe

Download Submit
C:\Windows\{B582EA76-9BB5-43a3-810A-C67C7D49DA8F}.exe

Filesize
204KB

MD5
3ca188edf8050322b656b3331393107a

SHA1
c9e1f88cc0278c661d314955fd6d33dce5c7d3e3

SHA256
eeb7dd56157e4a3b208078c61af68bf0b85915e3e7b2eb1e016c03d87c0736cd

SHA512
da1dabb67b9bf5517fa9f859282d2a26037021a89cf329b888b8d520720c29d3be99ae14d8710b35ae7002a7c8537c45b0fd4ba7aab16b1463fc7fb4f5671d30

Download Submit
C:\Windows\{EA7B3A69-BE7B-49fb-BD41-F723417C039A}.exe

Filesize
204KB

MD5
73f018ba859ebb36456e1edf38b3277a

SHA1
c6e5eeb1587f582ddfe0fbb56d5d9e37e768e154

SHA256
5b62422ccf998aa65e39b403ee78ef21d9e65f9ac5eafda4a482e471d1adaf78

SHA512
fb7e570615d2b3ab98d4f1dd71d9432d93e758008b1a8847cd1a39ab1ede98e0cdce2474dc0d996776fb13f0715a3cec0c402554104a3fb57f25e9559d707654

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads