3b817ecfc36f7b3eb5dd4ca1d1252e5aa80cf1bbb43d7806e2486f33c0cad334

Analysis

max time kernel
144s
max time network
126s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
28-02-2024 02:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-28_bdf2acef414e9f13517ffa325fd55ca1_goldeneye.exe
Size

344KB
MD5

bdf2acef414e9f13517ffa325fd55ca1
SHA1

f62eacd4cbeea1844b865f0f14bd3bd65c3ed34d
SHA256

3b817ecfc36f7b3eb5dd4ca1d1252e5aa80cf1bbb43d7806e2486f33c0cad334
SHA512

128ff1b7e9d80eda6dea9a53b5102b3d2731931e76b03fa9cd186192650a6ec691f4db32bda40716778d28b21231568809232f7e5d8ffd0570e1759cb9cd7371
SSDEEP

3072:mEGh0o3lEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGhlqOe2MUVg3v2IneKcAEcA

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 10 IoCs

resource	yara_rule
behavioral1/files/0x0009000000016d24-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000016d84-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000016d89-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000016d84-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000016d89-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000016d84-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000016d89-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a000000016d84-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a000000016d89-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b000000016d84-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 20 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{11799107-98BB-4164-A33D-22EB66476F92}	{A01D5B90-116F-4b0d-88BA-500DD0DAD306}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{11799107-98BB-4164-A33D-22EB66476F92}\stubpath = "C:\\Windows\\{11799107-98BB-4164-A33D-22EB66476F92}.exe"	{A01D5B90-116F-4b0d-88BA-500DD0DAD306}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{26D908E8-FAC5-4a5e-93BF-1A6B8DE91367}	{11799107-98BB-4164-A33D-22EB66476F92}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C00F8A8C-ECB1-4151-AD6D-E9649B7FE433}\stubpath = "C:\\Windows\\{C00F8A8C-ECB1-4151-AD6D-E9649B7FE433}.exe"	{26D908E8-FAC5-4a5e-93BF-1A6B8DE91367}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F78E794E-1EC9-4594-A84E-079DF772CF50}\stubpath = "C:\\Windows\\{F78E794E-1EC9-4594-A84E-079DF772CF50}.exe"	{92956367-E8F4-4a0d-BF94-C1EDBE5BA14C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A01D5B90-116F-4b0d-88BA-500DD0DAD306}\stubpath = "C:\\Windows\\{A01D5B90-116F-4b0d-88BA-500DD0DAD306}.exe"	{677DC0B8-798D-4caf-9B6C-B536B1361A00}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{677DC0B8-798D-4caf-9B6C-B536B1361A00}	{67C766B4-F5D5-4038-8FE7-ABAEF60F5BF9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A01D5B90-116F-4b0d-88BA-500DD0DAD306}	{677DC0B8-798D-4caf-9B6C-B536B1361A00}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{92956367-E8F4-4a0d-BF94-C1EDBE5BA14C}	{C00F8A8C-ECB1-4151-AD6D-E9649B7FE433}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{92956367-E8F4-4a0d-BF94-C1EDBE5BA14C}\stubpath = "C:\\Windows\\{92956367-E8F4-4a0d-BF94-C1EDBE5BA14C}.exe"	{C00F8A8C-ECB1-4151-AD6D-E9649B7FE433}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F78E794E-1EC9-4594-A84E-079DF772CF50}	{92956367-E8F4-4a0d-BF94-C1EDBE5BA14C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{67C766B4-F5D5-4038-8FE7-ABAEF60F5BF9}\stubpath = "C:\\Windows\\{67C766B4-F5D5-4038-8FE7-ABAEF60F5BF9}.exe"	2024-02-28_bdf2acef414e9f13517ffa325fd55ca1_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0C491926-8644-4f00-80EE-5C5E45C3655A}	{F78E794E-1EC9-4594-A84E-079DF772CF50}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0C491926-8644-4f00-80EE-5C5E45C3655A}\stubpath = "C:\\Windows\\{0C491926-8644-4f00-80EE-5C5E45C3655A}.exe"	{F78E794E-1EC9-4594-A84E-079DF772CF50}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C3931226-FC93-4c47-A075-27C349403D5E}	{0C491926-8644-4f00-80EE-5C5E45C3655A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C00F8A8C-ECB1-4151-AD6D-E9649B7FE433}	{26D908E8-FAC5-4a5e-93BF-1A6B8DE91367}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{677DC0B8-798D-4caf-9B6C-B536B1361A00}\stubpath = "C:\\Windows\\{677DC0B8-798D-4caf-9B6C-B536B1361A00}.exe"	{67C766B4-F5D5-4038-8FE7-ABAEF60F5BF9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{26D908E8-FAC5-4a5e-93BF-1A6B8DE91367}\stubpath = "C:\\Windows\\{26D908E8-FAC5-4a5e-93BF-1A6B8DE91367}.exe"	{11799107-98BB-4164-A33D-22EB66476F92}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C3931226-FC93-4c47-A075-27C349403D5E}\stubpath = "C:\\Windows\\{C3931226-FC93-4c47-A075-27C349403D5E}.exe"	{0C491926-8644-4f00-80EE-5C5E45C3655A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{67C766B4-F5D5-4038-8FE7-ABAEF60F5BF9}	2024-02-28_bdf2acef414e9f13517ffa325fd55ca1_goldeneye.exe

Deletes itself 1 IoCs

pid	Process
1620	cmd.exe

Executes dropped EXE 10 IoCs

pid	Process
876	{67C766B4-F5D5-4038-8FE7-ABAEF60F5BF9}.exe
1760	{677DC0B8-798D-4caf-9B6C-B536B1361A00}.exe
572	{A01D5B90-116F-4b0d-88BA-500DD0DAD306}.exe
1752	{11799107-98BB-4164-A33D-22EB66476F92}.exe
1772	{26D908E8-FAC5-4a5e-93BF-1A6B8DE91367}.exe
1136	{C00F8A8C-ECB1-4151-AD6D-E9649B7FE433}.exe
2632	{92956367-E8F4-4a0d-BF94-C1EDBE5BA14C}.exe
2692	{F78E794E-1EC9-4594-A84E-079DF772CF50}.exe
1836	{0C491926-8644-4f00-80EE-5C5E45C3655A}.exe
3048	{C3931226-FC93-4c47-A075-27C349403D5E}.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File created	C:\Windows\{26D908E8-FAC5-4a5e-93BF-1A6B8DE91367}.exe	{11799107-98BB-4164-A33D-22EB66476F92}.exe
File created	C:\Windows\{92956367-E8F4-4a0d-BF94-C1EDBE5BA14C}.exe	{C00F8A8C-ECB1-4151-AD6D-E9649B7FE433}.exe
File created	C:\Windows\{F78E794E-1EC9-4594-A84E-079DF772CF50}.exe	{92956367-E8F4-4a0d-BF94-C1EDBE5BA14C}.exe
File created	C:\Windows\{67C766B4-F5D5-4038-8FE7-ABAEF60F5BF9}.exe	2024-02-28_bdf2acef414e9f13517ffa325fd55ca1_goldeneye.exe
File created	C:\Windows\{A01D5B90-116F-4b0d-88BA-500DD0DAD306}.exe	{677DC0B8-798D-4caf-9B6C-B536B1361A00}.exe
File created	C:\Windows\{C00F8A8C-ECB1-4151-AD6D-E9649B7FE433}.exe	{26D908E8-FAC5-4a5e-93BF-1A6B8DE91367}.exe
File created	C:\Windows\{0C491926-8644-4f00-80EE-5C5E45C3655A}.exe	{F78E794E-1EC9-4594-A84E-079DF772CF50}.exe
File created	C:\Windows\{C3931226-FC93-4c47-A075-27C349403D5E}.exe	{0C491926-8644-4f00-80EE-5C5E45C3655A}.exe
File created	C:\Windows\{677DC0B8-798D-4caf-9B6C-B536B1361A00}.exe	{67C766B4-F5D5-4038-8FE7-ABAEF60F5BF9}.exe
File created	C:\Windows\{11799107-98BB-4164-A33D-22EB66476F92}.exe	{A01D5B90-116F-4b0d-88BA-500DD0DAD306}.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2228	2024-02-28_bdf2acef414e9f13517ffa325fd55ca1_goldeneye.exe
Token: SeIncBasePriorityPrivilege	876	{67C766B4-F5D5-4038-8FE7-ABAEF60F5BF9}.exe
Token: SeIncBasePriorityPrivilege	1760	{677DC0B8-798D-4caf-9B6C-B536B1361A00}.exe
Token: SeIncBasePriorityPrivilege	572	{A01D5B90-116F-4b0d-88BA-500DD0DAD306}.exe
Token: SeIncBasePriorityPrivilege	1752	{11799107-98BB-4164-A33D-22EB66476F92}.exe
Token: SeIncBasePriorityPrivilege	1772	{26D908E8-FAC5-4a5e-93BF-1A6B8DE91367}.exe
Token: SeIncBasePriorityPrivilege	1136	{C00F8A8C-ECB1-4151-AD6D-E9649B7FE433}.exe
Token: SeIncBasePriorityPrivilege	2632	{92956367-E8F4-4a0d-BF94-C1EDBE5BA14C}.exe
Token: SeIncBasePriorityPrivilege	2692	{F78E794E-1EC9-4594-A84E-079DF772CF50}.exe
Token: SeIncBasePriorityPrivilege	1836	{0C491926-8644-4f00-80EE-5C5E45C3655A}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2228 wrote to memory of 876	2228	2024-02-28_bdf2acef414e9f13517ffa325fd55ca1_goldeneye.exe	30
PID 2228 wrote to memory of 876	2228	2024-02-28_bdf2acef414e9f13517ffa325fd55ca1_goldeneye.exe	30
PID 2228 wrote to memory of 876	2228	2024-02-28_bdf2acef414e9f13517ffa325fd55ca1_goldeneye.exe	30
PID 2228 wrote to memory of 876	2228	2024-02-28_bdf2acef414e9f13517ffa325fd55ca1_goldeneye.exe	30
PID 2228 wrote to memory of 1620	2228	2024-02-28_bdf2acef414e9f13517ffa325fd55ca1_goldeneye.exe	31
PID 2228 wrote to memory of 1620	2228	2024-02-28_bdf2acef414e9f13517ffa325fd55ca1_goldeneye.exe	31
PID 2228 wrote to memory of 1620	2228	2024-02-28_bdf2acef414e9f13517ffa325fd55ca1_goldeneye.exe	31
PID 2228 wrote to memory of 1620	2228	2024-02-28_bdf2acef414e9f13517ffa325fd55ca1_goldeneye.exe	31
PID 876 wrote to memory of 1760	876	{67C766B4-F5D5-4038-8FE7-ABAEF60F5BF9}.exe	32
PID 876 wrote to memory of 1760	876	{67C766B4-F5D5-4038-8FE7-ABAEF60F5BF9}.exe	32
PID 876 wrote to memory of 1760	876	{67C766B4-F5D5-4038-8FE7-ABAEF60F5BF9}.exe	32
PID 876 wrote to memory of 1760	876	{67C766B4-F5D5-4038-8FE7-ABAEF60F5BF9}.exe	32
PID 876 wrote to memory of 2024	876	{67C766B4-F5D5-4038-8FE7-ABAEF60F5BF9}.exe	33
PID 876 wrote to memory of 2024	876	{67C766B4-F5D5-4038-8FE7-ABAEF60F5BF9}.exe	33
PID 876 wrote to memory of 2024	876	{67C766B4-F5D5-4038-8FE7-ABAEF60F5BF9}.exe	33
PID 876 wrote to memory of 2024	876	{67C766B4-F5D5-4038-8FE7-ABAEF60F5BF9}.exe	33
PID 1760 wrote to memory of 572	1760	{677DC0B8-798D-4caf-9B6C-B536B1361A00}.exe	34
PID 1760 wrote to memory of 572	1760	{677DC0B8-798D-4caf-9B6C-B536B1361A00}.exe	34
PID 1760 wrote to memory of 572	1760	{677DC0B8-798D-4caf-9B6C-B536B1361A00}.exe	34
PID 1760 wrote to memory of 572	1760	{677DC0B8-798D-4caf-9B6C-B536B1361A00}.exe	34
PID 1760 wrote to memory of 464	1760	{677DC0B8-798D-4caf-9B6C-B536B1361A00}.exe	35
PID 1760 wrote to memory of 464	1760	{677DC0B8-798D-4caf-9B6C-B536B1361A00}.exe	35
PID 1760 wrote to memory of 464	1760	{677DC0B8-798D-4caf-9B6C-B536B1361A00}.exe	35
PID 1760 wrote to memory of 464	1760	{677DC0B8-798D-4caf-9B6C-B536B1361A00}.exe	35
PID 572 wrote to memory of 1752	572	{A01D5B90-116F-4b0d-88BA-500DD0DAD306}.exe	36
PID 572 wrote to memory of 1752	572	{A01D5B90-116F-4b0d-88BA-500DD0DAD306}.exe	36
PID 572 wrote to memory of 1752	572	{A01D5B90-116F-4b0d-88BA-500DD0DAD306}.exe	36
PID 572 wrote to memory of 1752	572	{A01D5B90-116F-4b0d-88BA-500DD0DAD306}.exe	36
PID 572 wrote to memory of 2412	572	{A01D5B90-116F-4b0d-88BA-500DD0DAD306}.exe	37
PID 572 wrote to memory of 2412	572	{A01D5B90-116F-4b0d-88BA-500DD0DAD306}.exe	37
PID 572 wrote to memory of 2412	572	{A01D5B90-116F-4b0d-88BA-500DD0DAD306}.exe	37
PID 572 wrote to memory of 2412	572	{A01D5B90-116F-4b0d-88BA-500DD0DAD306}.exe	37
PID 1752 wrote to memory of 1772	1752	{11799107-98BB-4164-A33D-22EB66476F92}.exe	38
PID 1752 wrote to memory of 1772	1752	{11799107-98BB-4164-A33D-22EB66476F92}.exe	38
PID 1752 wrote to memory of 1772	1752	{11799107-98BB-4164-A33D-22EB66476F92}.exe	38
PID 1752 wrote to memory of 1772	1752	{11799107-98BB-4164-A33D-22EB66476F92}.exe	38
PID 1752 wrote to memory of 2616	1752	{11799107-98BB-4164-A33D-22EB66476F92}.exe	39
PID 1752 wrote to memory of 2616	1752	{11799107-98BB-4164-A33D-22EB66476F92}.exe	39
PID 1752 wrote to memory of 2616	1752	{11799107-98BB-4164-A33D-22EB66476F92}.exe	39
PID 1752 wrote to memory of 2616	1752	{11799107-98BB-4164-A33D-22EB66476F92}.exe	39
PID 1772 wrote to memory of 1136	1772	{26D908E8-FAC5-4a5e-93BF-1A6B8DE91367}.exe	40
PID 1772 wrote to memory of 1136	1772	{26D908E8-FAC5-4a5e-93BF-1A6B8DE91367}.exe	40
PID 1772 wrote to memory of 1136	1772	{26D908E8-FAC5-4a5e-93BF-1A6B8DE91367}.exe	40
PID 1772 wrote to memory of 1136	1772	{26D908E8-FAC5-4a5e-93BF-1A6B8DE91367}.exe	40
PID 1772 wrote to memory of 2828	1772	{26D908E8-FAC5-4a5e-93BF-1A6B8DE91367}.exe	41
PID 1772 wrote to memory of 2828	1772	{26D908E8-FAC5-4a5e-93BF-1A6B8DE91367}.exe	41
PID 1772 wrote to memory of 2828	1772	{26D908E8-FAC5-4a5e-93BF-1A6B8DE91367}.exe	41
PID 1772 wrote to memory of 2828	1772	{26D908E8-FAC5-4a5e-93BF-1A6B8DE91367}.exe	41
PID 1136 wrote to memory of 2632	1136	{C00F8A8C-ECB1-4151-AD6D-E9649B7FE433}.exe	42
PID 1136 wrote to memory of 2632	1136	{C00F8A8C-ECB1-4151-AD6D-E9649B7FE433}.exe	42
PID 1136 wrote to memory of 2632	1136	{C00F8A8C-ECB1-4151-AD6D-E9649B7FE433}.exe	42
PID 1136 wrote to memory of 2632	1136	{C00F8A8C-ECB1-4151-AD6D-E9649B7FE433}.exe	42
PID 1136 wrote to memory of 2836	1136	{C00F8A8C-ECB1-4151-AD6D-E9649B7FE433}.exe	43
PID 1136 wrote to memory of 2836	1136	{C00F8A8C-ECB1-4151-AD6D-E9649B7FE433}.exe	43
PID 1136 wrote to memory of 2836	1136	{C00F8A8C-ECB1-4151-AD6D-E9649B7FE433}.exe	43
PID 1136 wrote to memory of 2836	1136	{C00F8A8C-ECB1-4151-AD6D-E9649B7FE433}.exe	43
PID 2632 wrote to memory of 2692	2632	{92956367-E8F4-4a0d-BF94-C1EDBE5BA14C}.exe	44
PID 2632 wrote to memory of 2692	2632	{92956367-E8F4-4a0d-BF94-C1EDBE5BA14C}.exe	44
PID 2632 wrote to memory of 2692	2632	{92956367-E8F4-4a0d-BF94-C1EDBE5BA14C}.exe	44
PID 2632 wrote to memory of 2692	2632	{92956367-E8F4-4a0d-BF94-C1EDBE5BA14C}.exe	44
PID 2632 wrote to memory of 1868	2632	{92956367-E8F4-4a0d-BF94-C1EDBE5BA14C}.exe	45
PID 2632 wrote to memory of 1868	2632	{92956367-E8F4-4a0d-BF94-C1EDBE5BA14C}.exe	45
PID 2632 wrote to memory of 1868	2632	{92956367-E8F4-4a0d-BF94-C1EDBE5BA14C}.exe	45
PID 2632 wrote to memory of 1868	2632	{92956367-E8F4-4a0d-BF94-C1EDBE5BA14C}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-02-28_bdf2acef414e9f13517ffa325fd55ca1_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-28_bdf2acef414e9f13517ffa325fd55ca1_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2228
- C:\Windows\{67C766B4-F5D5-4038-8FE7-ABAEF60F5BF9}.exe
  C:\Windows\{67C766B4-F5D5-4038-8FE7-ABAEF60F5BF9}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:876
- - C:\Windows\{677DC0B8-798D-4caf-9B6C-B536B1361A00}.exe
    C:\Windows\{677DC0B8-798D-4caf-9B6C-B536B1361A00}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1760
  - - C:\Windows\{A01D5B90-116F-4b0d-88BA-500DD0DAD306}.exe
      C:\Windows\{A01D5B90-116F-4b0d-88BA-500DD0DAD306}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:572
    - - C:\Windows\{11799107-98BB-4164-A33D-22EB66476F92}.exe
        
        C:\Windows\{11799107-98BB-4164-A33D-22EB66476F92}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1752
      - C:\Windows\{26D908E8-FAC5-4a5e-93BF-1A6B8DE91367}.exe
        
        C:\Windows\{26D908E8-FAC5-4a5e-93BF-1A6B8DE91367}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1772
        
        C:\Windows\{C00F8A8C-ECB1-4151-AD6D-E9649B7FE433}.exe
        
        C:\Windows\{C00F8A8C-ECB1-4151-AD6D-E9649B7FE433}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1136
        
        C:\Windows\{92956367-E8F4-4a0d-BF94-C1EDBE5BA14C}.exe
        
        C:\Windows\{92956367-E8F4-4a0d-BF94-C1EDBE5BA14C}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2632
        
        C:\Windows\{F78E794E-1EC9-4594-A84E-079DF772CF50}.exe
        
        C:\Windows\{F78E794E-1EC9-4594-A84E-079DF772CF50}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2692
        
        C:\Windows\{0C491926-8644-4f00-80EE-5C5E45C3655A}.exe
        
        C:\Windows\{0C491926-8644-4f00-80EE-5C5E45C3655A}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0C491~1.EXE > nul
        11⤵
        
        PID:3016
        
        C:\Windows\{C3931226-FC93-4c47-A075-27C349403D5E}.exe
        
        C:\Windows\{C3931226-FC93-4c47-A075-27C349403D5E}.exe
        11⤵
        Executes dropped EXE
        
        PID:3048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F78E7~1.EXE > nul
        10⤵
        
        PID:2948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{92956~1.EXE > nul
        9⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C00F8~1.EXE > nul
        8⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{26D90~1.EXE > nul
        7⤵
        
        PID:2828
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{11799~1.EXE > nul
        6⤵
        
        PID:2616
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A01D5~1.EXE > nul
        5⤵
        
        PID:2412
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{677DC~1.EXE > nul
      4⤵
      PID:464
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{67C76~1.EXE > nul
    3⤵
    PID:2024
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:1620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0C491926-8644-4f00-80EE-5C5E45C3655A}.exe

Filesize
344KB

MD5
43a3c007269468e1f1b501d4dca4560d

SHA1
57775633130455ad8bdca25b056dad98a20a2d27

SHA256
1a2b2f84c5bbbaebf4c8aa35bf78de868a40e65965402de552f45c6a2dccb26f

SHA512
65f56af9d05b42be8a67c8ba274f02ad3c26ed35e6eb540b890d4e4dd124444e12762df098dcd142ffb3ffd5e9456fccee35945271c45408a951bb3846d54c04

Download Submit
C:\Windows\{11799107-98BB-4164-A33D-22EB66476F92}.exe

Filesize
344KB

MD5
108a7ced5d0d98f1fce84614c8c8be35

SHA1
088f2e69b6221fd48db4701f436620a2cf33abbb

SHA256
ba2a9e710f02fb5bb898e68c6db7c55475e3accd09f54529e55703d1d6824c4b

SHA512
6f3e0c6fb473c12607ba3e1170de463657be59a87c3637f46807a18c592bb42bd4bad110ccdaa631e9c72974b99bcf4893a20716785d7b469bdb8e4b184dbd36

Download Submit
C:\Windows\{26D908E8-FAC5-4a5e-93BF-1A6B8DE91367}.exe

Filesize
344KB

MD5
fcf93860688fb707461ac5f701767a36

SHA1
215288cce8769297c5b7f954aee305a022869cdd

SHA256
f700ac5277d23d1a314dd0e95642c7df0738a944aa00a0d4d6073f1f78a9ed32

SHA512
611a2e16ab1db301c140285e5c75dedc6054c504faf7b3b252e56f7424c0a10f5649fe00a8f6e90626fe213b013a01c6c821724266167a9ef534a7fa400c54d7

Download Submit
C:\Windows\{677DC0B8-798D-4caf-9B6C-B536B1361A00}.exe

Filesize
344KB

MD5
382c037f4e035d0b47f394d505038b60

SHA1
d468f1c69e3bc4a5ea4b70e8257d5797f9ff7c03

SHA256
5ac264da23704041fd6ecd8de439d528d94a750399face4c22dcdff65121e052

SHA512
be90ca9eaf1a8a0c6af38cc9ed46905d2cea04e8c784500f7de6efaf99437ef14b206983fb95e2355c5b7339a48c522ec0447e96fac3b1592f54e1045f23de7b

Download Submit
C:\Windows\{67C766B4-F5D5-4038-8FE7-ABAEF60F5BF9}.exe

Filesize
344KB

MD5
9e36a5183b0791189c006fb1e8e62e6b

SHA1
e3639bd6021bce7ba134fc28f931e6d7b4cf558e

SHA256
b9d8a7f49ef5f5d68f1f73d346ff6ddc4ba8cedae2e19a4dd3a7c046d528f57e

SHA512
eca6810e505649866c807287c5d523c84b13309c39ac24d87e95911b61ad1d1ff513ae72c70c6027c10d59ad1cd30d468b8289ce55f46a212040d58ea3392de5

Download Submit
C:\Windows\{92956367-E8F4-4a0d-BF94-C1EDBE5BA14C}.exe

Filesize
344KB

MD5
1d796bc058afbde65e92840adf3ce2d3

SHA1
b548f8bb2a4cd6bf8e8f8e81841f9462e8ebd58d

SHA256
f2d3d7f252510463e6522d0f97c99fddc00f3e5afc783545c7a7d95a5baf29ac

SHA512
9227561c49b8b40225e871e8b226b4b561bb36da148b332531dac689bc56dea4e5f9b180d07f1c87d3c7d68fea3c90ee405c6f265d3ca7c0b3f2df5ccd3eafd0

Download Submit
C:\Windows\{A01D5B90-116F-4b0d-88BA-500DD0DAD306}.exe

Filesize
344KB

MD5
b00904b598d98b701e347791fd1fca50

SHA1
0863796148e1deedfafe55d8ad243864fe9bced8

SHA256
4f378f5233fb7818b953e2596e60a45b6ae085b07ad0741d2915cceefa666049

SHA512
722184b1f3208664494f820105f1ac09c6e6fb426648f06ebcb7104b0da5e95b094d8fc6f83ba5495c13c95493d5471077b221a83425254d71adb022958db453

Download Submit
C:\Windows\{C00F8A8C-ECB1-4151-AD6D-E9649B7FE433}.exe

Filesize
344KB

MD5
c00793f585805c7395957b4b564340f9

SHA1
722577bf8b467671a8cf68077f86abd7609125ba

SHA256
ca21fcf818f9894b4b4e6d2f8a5114225d8af18237042b3d782c656e981514ad

SHA512
9db5b8a2788fe3129df30c395aa4106249dd94ed71097222d59b1793ee32fecdfc4156da4f5fb625ce88b1ea57fef28501abf80561c2e4bb4febf73cadd98e6e

Download Submit
C:\Windows\{C3931226-FC93-4c47-A075-27C349403D5E}.exe

Filesize
344KB

MD5
9de9dedda0edea8cda1203a99f52d232

SHA1
fb5c7ae69d1cf58b21684fc3c1abbba0b4504c22

SHA256
635bc220ee5cc122d8873c8bd63e448edc530308b4ee6dac0bb6998b57e4556c

SHA512
25fac82ecaa9d6876ddbf7ab3acc62b94cc578cabb999963898dc635900fa9c271b254cf01f1b5cbf68af666be05d04dafadedad97b898eeea9feb7f79428af8

Download Submit
C:\Windows\{F78E794E-1EC9-4594-A84E-079DF772CF50}.exe

Filesize
344KB

MD5
c4e8b295a70d9f92f1e3a9db3f437973

SHA1
70ad06080c8cd33f0882b0dbf840534c1819c885

SHA256
99f1eb6766c4f478a25afc7179eb442a86c5cf6e1ea21bee1e89e05e16a9cdee

SHA512
a6c1a385e1d34347e1e4016cfa90e405498500766136423c7d7f99b5f2e570fad23b0bc4289d4bb88abc218d48fe48415c85fe74ea7054f47cdb9ce38d085dcb

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads