5ea8125435b39ed8ebed4989eae9c9803affecd70917d30d59d9408a221e204a

Analysis

max time kernel
144s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
28/02/2024, 09:07

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-02-28_97adaab74671504809e24a3664645a12_goldeneye.exe
Size

408KB
MD5

97adaab74671504809e24a3664645a12
SHA1

b483c51c9ff1857bbb56fa75463b750bfc4fb2ff
SHA256

5ea8125435b39ed8ebed4989eae9c9803affecd70917d30d59d9408a221e204a
SHA512

acc2d4a18192138131c86e56ee3d46319a8211abee7490ac0a0742850cd34023d6930446d9d504e02243f65f1c04957f95578d93cbe0e233b42a463f116192e0
SSDEEP

3072:CEGh0osl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBft:CEGmldOe2MUVg3vTeKcAEciTBqr3jy9

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000d000000012256-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00080000000122cd-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e000000012256-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x003800000001567f-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x003900000001567f-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x003a00000001567f-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a00000001568c-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x003b00000001567f-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{794AE788-6C33-4798-B48D-C6B8C6F9A4D4}\stubpath = "C:\\Windows\\{794AE788-6C33-4798-B48D-C6B8C6F9A4D4}.exe"	{CC8CCE58-B765-4043-92F0-E4552752C1F8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{44A2CFD3-84AB-4bba-90FD-26BA2095E3F4}	{794AE788-6C33-4798-B48D-C6B8C6F9A4D4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{32C109F1-A607-4144-BCCB-86F749F90267}\stubpath = "C:\\Windows\\{32C109F1-A607-4144-BCCB-86F749F90267}.exe"	{B25C70F1-2E76-4e87-BBD2-B993B8E4D114}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CB951F17-42A7-4ade-B7E4-48B901C480CC}	{32C109F1-A607-4144-BCCB-86F749F90267}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{45F16070-D6D6-4516-B5AD-CE6BA3EA17C9}	{8BAE1739-3535-4f58-A100-217322729144}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{934C7301-7E4D-404e-83AA-28E04605ABA2}	{45F16070-D6D6-4516-B5AD-CE6BA3EA17C9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8B10E30D-799D-4e48-93CC-94BD84373A64}	{EEDAF25E-84C0-4a26-BED9-20DB7690C840}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CC8CCE58-B765-4043-92F0-E4552752C1F8}\stubpath = "C:\\Windows\\{CC8CCE58-B765-4043-92F0-E4552752C1F8}.exe"	{8B10E30D-799D-4e48-93CC-94BD84373A64}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{45F16070-D6D6-4516-B5AD-CE6BA3EA17C9}\stubpath = "C:\\Windows\\{45F16070-D6D6-4516-B5AD-CE6BA3EA17C9}.exe"	{8BAE1739-3535-4f58-A100-217322729144}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{934C7301-7E4D-404e-83AA-28E04605ABA2}\stubpath = "C:\\Windows\\{934C7301-7E4D-404e-83AA-28E04605ABA2}.exe"	{45F16070-D6D6-4516-B5AD-CE6BA3EA17C9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8B10E30D-799D-4e48-93CC-94BD84373A64}\stubpath = "C:\\Windows\\{8B10E30D-799D-4e48-93CC-94BD84373A64}.exe"	{EEDAF25E-84C0-4a26-BED9-20DB7690C840}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CC8CCE58-B765-4043-92F0-E4552752C1F8}	{8B10E30D-799D-4e48-93CC-94BD84373A64}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{794AE788-6C33-4798-B48D-C6B8C6F9A4D4}	{CC8CCE58-B765-4043-92F0-E4552752C1F8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{32C109F1-A607-4144-BCCB-86F749F90267}	{B25C70F1-2E76-4e87-BBD2-B993B8E4D114}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8BAE1739-3535-4f58-A100-217322729144}\stubpath = "C:\\Windows\\{8BAE1739-3535-4f58-A100-217322729144}.exe"	{CB951F17-42A7-4ade-B7E4-48B901C480CC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EEDAF25E-84C0-4a26-BED9-20DB7690C840}	2024-02-28_97adaab74671504809e24a3664645a12_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EEDAF25E-84C0-4a26-BED9-20DB7690C840}\stubpath = "C:\\Windows\\{EEDAF25E-84C0-4a26-BED9-20DB7690C840}.exe"	2024-02-28_97adaab74671504809e24a3664645a12_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B25C70F1-2E76-4e87-BBD2-B993B8E4D114}\stubpath = "C:\\Windows\\{B25C70F1-2E76-4e87-BBD2-B993B8E4D114}.exe"	{44A2CFD3-84AB-4bba-90FD-26BA2095E3F4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CB951F17-42A7-4ade-B7E4-48B901C480CC}\stubpath = "C:\\Windows\\{CB951F17-42A7-4ade-B7E4-48B901C480CC}.exe"	{32C109F1-A607-4144-BCCB-86F749F90267}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8BAE1739-3535-4f58-A100-217322729144}	{CB951F17-42A7-4ade-B7E4-48B901C480CC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{44A2CFD3-84AB-4bba-90FD-26BA2095E3F4}\stubpath = "C:\\Windows\\{44A2CFD3-84AB-4bba-90FD-26BA2095E3F4}.exe"	{794AE788-6C33-4798-B48D-C6B8C6F9A4D4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B25C70F1-2E76-4e87-BBD2-B993B8E4D114}	{44A2CFD3-84AB-4bba-90FD-26BA2095E3F4}.exe

Deletes itself 1 IoCs

pid	Process
2164	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2648	{EEDAF25E-84C0-4a26-BED9-20DB7690C840}.exe
2584	{8B10E30D-799D-4e48-93CC-94BD84373A64}.exe
2800	{CC8CCE58-B765-4043-92F0-E4552752C1F8}.exe
1804	{794AE788-6C33-4798-B48D-C6B8C6F9A4D4}.exe
2796	{44A2CFD3-84AB-4bba-90FD-26BA2095E3F4}.exe
348	{B25C70F1-2E76-4e87-BBD2-B993B8E4D114}.exe
704	{32C109F1-A607-4144-BCCB-86F749F90267}.exe
332	{CB951F17-42A7-4ade-B7E4-48B901C480CC}.exe
1964	{8BAE1739-3535-4f58-A100-217322729144}.exe
2304	{45F16070-D6D6-4516-B5AD-CE6BA3EA17C9}.exe
1288	{934C7301-7E4D-404e-83AA-28E04605ABA2}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{794AE788-6C33-4798-B48D-C6B8C6F9A4D4}.exe	{CC8CCE58-B765-4043-92F0-E4552752C1F8}.exe
File created	C:\Windows\{B25C70F1-2E76-4e87-BBD2-B993B8E4D114}.exe	{44A2CFD3-84AB-4bba-90FD-26BA2095E3F4}.exe
File created	C:\Windows\{8BAE1739-3535-4f58-A100-217322729144}.exe	{CB951F17-42A7-4ade-B7E4-48B901C480CC}.exe
File created	C:\Windows\{CC8CCE58-B765-4043-92F0-E4552752C1F8}.exe	{8B10E30D-799D-4e48-93CC-94BD84373A64}.exe
File created	C:\Windows\{8B10E30D-799D-4e48-93CC-94BD84373A64}.exe	{EEDAF25E-84C0-4a26-BED9-20DB7690C840}.exe
File created	C:\Windows\{44A2CFD3-84AB-4bba-90FD-26BA2095E3F4}.exe	{794AE788-6C33-4798-B48D-C6B8C6F9A4D4}.exe
File created	C:\Windows\{32C109F1-A607-4144-BCCB-86F749F90267}.exe	{B25C70F1-2E76-4e87-BBD2-B993B8E4D114}.exe
File created	C:\Windows\{CB951F17-42A7-4ade-B7E4-48B901C480CC}.exe	{32C109F1-A607-4144-BCCB-86F749F90267}.exe
File created	C:\Windows\{45F16070-D6D6-4516-B5AD-CE6BA3EA17C9}.exe	{8BAE1739-3535-4f58-A100-217322729144}.exe
File created	C:\Windows\{934C7301-7E4D-404e-83AA-28E04605ABA2}.exe	{45F16070-D6D6-4516-B5AD-CE6BA3EA17C9}.exe
File created	C:\Windows\{EEDAF25E-84C0-4a26-BED9-20DB7690C840}.exe	2024-02-28_97adaab74671504809e24a3664645a12_goldeneye.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2208	2024-02-28_97adaab74671504809e24a3664645a12_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2648	{EEDAF25E-84C0-4a26-BED9-20DB7690C840}.exe
Token: SeIncBasePriorityPrivilege	2584	{8B10E30D-799D-4e48-93CC-94BD84373A64}.exe
Token: SeIncBasePriorityPrivilege	2800	{CC8CCE58-B765-4043-92F0-E4552752C1F8}.exe
Token: SeIncBasePriorityPrivilege	1804	{794AE788-6C33-4798-B48D-C6B8C6F9A4D4}.exe
Token: SeIncBasePriorityPrivilege	2796	{44A2CFD3-84AB-4bba-90FD-26BA2095E3F4}.exe
Token: SeIncBasePriorityPrivilege	348	{B25C70F1-2E76-4e87-BBD2-B993B8E4D114}.exe
Token: SeIncBasePriorityPrivilege	704	{32C109F1-A607-4144-BCCB-86F749F90267}.exe
Token: SeIncBasePriorityPrivilege	332	{CB951F17-42A7-4ade-B7E4-48B901C480CC}.exe
Token: SeIncBasePriorityPrivilege	1964	{8BAE1739-3535-4f58-A100-217322729144}.exe
Token: SeIncBasePriorityPrivilege	2304	{45F16070-D6D6-4516-B5AD-CE6BA3EA17C9}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2208 wrote to memory of 2648	2208	2024-02-28_97adaab74671504809e24a3664645a12_goldeneye.exe	28
PID 2208 wrote to memory of 2648	2208	2024-02-28_97adaab74671504809e24a3664645a12_goldeneye.exe	28
PID 2208 wrote to memory of 2648	2208	2024-02-28_97adaab74671504809e24a3664645a12_goldeneye.exe	28
PID 2208 wrote to memory of 2648	2208	2024-02-28_97adaab74671504809e24a3664645a12_goldeneye.exe	28
PID 2208 wrote to memory of 2164	2208	2024-02-28_97adaab74671504809e24a3664645a12_goldeneye.exe	29
PID 2208 wrote to memory of 2164	2208	2024-02-28_97adaab74671504809e24a3664645a12_goldeneye.exe	29
PID 2208 wrote to memory of 2164	2208	2024-02-28_97adaab74671504809e24a3664645a12_goldeneye.exe	29
PID 2208 wrote to memory of 2164	2208	2024-02-28_97adaab74671504809e24a3664645a12_goldeneye.exe	29
PID 2648 wrote to memory of 2584	2648	{EEDAF25E-84C0-4a26-BED9-20DB7690C840}.exe	30
PID 2648 wrote to memory of 2584	2648	{EEDAF25E-84C0-4a26-BED9-20DB7690C840}.exe	30
PID 2648 wrote to memory of 2584	2648	{EEDAF25E-84C0-4a26-BED9-20DB7690C840}.exe	30
PID 2648 wrote to memory of 2584	2648	{EEDAF25E-84C0-4a26-BED9-20DB7690C840}.exe	30
PID 2648 wrote to memory of 2468	2648	{EEDAF25E-84C0-4a26-BED9-20DB7690C840}.exe	31
PID 2648 wrote to memory of 2468	2648	{EEDAF25E-84C0-4a26-BED9-20DB7690C840}.exe	31
PID 2648 wrote to memory of 2468	2648	{EEDAF25E-84C0-4a26-BED9-20DB7690C840}.exe	31
PID 2648 wrote to memory of 2468	2648	{EEDAF25E-84C0-4a26-BED9-20DB7690C840}.exe	31
PID 2584 wrote to memory of 2800	2584	{8B10E30D-799D-4e48-93CC-94BD84373A64}.exe	32
PID 2584 wrote to memory of 2800	2584	{8B10E30D-799D-4e48-93CC-94BD84373A64}.exe	32
PID 2584 wrote to memory of 2800	2584	{8B10E30D-799D-4e48-93CC-94BD84373A64}.exe	32
PID 2584 wrote to memory of 2800	2584	{8B10E30D-799D-4e48-93CC-94BD84373A64}.exe	32
PID 2584 wrote to memory of 2632	2584	{8B10E30D-799D-4e48-93CC-94BD84373A64}.exe	33
PID 2584 wrote to memory of 2632	2584	{8B10E30D-799D-4e48-93CC-94BD84373A64}.exe	33
PID 2584 wrote to memory of 2632	2584	{8B10E30D-799D-4e48-93CC-94BD84373A64}.exe	33
PID 2584 wrote to memory of 2632	2584	{8B10E30D-799D-4e48-93CC-94BD84373A64}.exe	33
PID 2800 wrote to memory of 1804	2800	{CC8CCE58-B765-4043-92F0-E4552752C1F8}.exe	36
PID 2800 wrote to memory of 1804	2800	{CC8CCE58-B765-4043-92F0-E4552752C1F8}.exe	36
PID 2800 wrote to memory of 1804	2800	{CC8CCE58-B765-4043-92F0-E4552752C1F8}.exe	36
PID 2800 wrote to memory of 1804	2800	{CC8CCE58-B765-4043-92F0-E4552752C1F8}.exe	36
PID 2800 wrote to memory of 2720	2800	{CC8CCE58-B765-4043-92F0-E4552752C1F8}.exe	37
PID 2800 wrote to memory of 2720	2800	{CC8CCE58-B765-4043-92F0-E4552752C1F8}.exe	37
PID 2800 wrote to memory of 2720	2800	{CC8CCE58-B765-4043-92F0-E4552752C1F8}.exe	37
PID 2800 wrote to memory of 2720	2800	{CC8CCE58-B765-4043-92F0-E4552752C1F8}.exe	37
PID 1804 wrote to memory of 2796	1804	{794AE788-6C33-4798-B48D-C6B8C6F9A4D4}.exe	38
PID 1804 wrote to memory of 2796	1804	{794AE788-6C33-4798-B48D-C6B8C6F9A4D4}.exe	38
PID 1804 wrote to memory of 2796	1804	{794AE788-6C33-4798-B48D-C6B8C6F9A4D4}.exe	38
PID 1804 wrote to memory of 2796	1804	{794AE788-6C33-4798-B48D-C6B8C6F9A4D4}.exe	38
PID 1804 wrote to memory of 2920	1804	{794AE788-6C33-4798-B48D-C6B8C6F9A4D4}.exe	39
PID 1804 wrote to memory of 2920	1804	{794AE788-6C33-4798-B48D-C6B8C6F9A4D4}.exe	39
PID 1804 wrote to memory of 2920	1804	{794AE788-6C33-4798-B48D-C6B8C6F9A4D4}.exe	39
PID 1804 wrote to memory of 2920	1804	{794AE788-6C33-4798-B48D-C6B8C6F9A4D4}.exe	39
PID 2796 wrote to memory of 348	2796	{44A2CFD3-84AB-4bba-90FD-26BA2095E3F4}.exe	40
PID 2796 wrote to memory of 348	2796	{44A2CFD3-84AB-4bba-90FD-26BA2095E3F4}.exe	40
PID 2796 wrote to memory of 348	2796	{44A2CFD3-84AB-4bba-90FD-26BA2095E3F4}.exe	40
PID 2796 wrote to memory of 348	2796	{44A2CFD3-84AB-4bba-90FD-26BA2095E3F4}.exe	40
PID 2796 wrote to memory of 1236	2796	{44A2CFD3-84AB-4bba-90FD-26BA2095E3F4}.exe	41
PID 2796 wrote to memory of 1236	2796	{44A2CFD3-84AB-4bba-90FD-26BA2095E3F4}.exe	41
PID 2796 wrote to memory of 1236	2796	{44A2CFD3-84AB-4bba-90FD-26BA2095E3F4}.exe	41
PID 2796 wrote to memory of 1236	2796	{44A2CFD3-84AB-4bba-90FD-26BA2095E3F4}.exe	41
PID 348 wrote to memory of 704	348	{B25C70F1-2E76-4e87-BBD2-B993B8E4D114}.exe	42
PID 348 wrote to memory of 704	348	{B25C70F1-2E76-4e87-BBD2-B993B8E4D114}.exe	42
PID 348 wrote to memory of 704	348	{B25C70F1-2E76-4e87-BBD2-B993B8E4D114}.exe	42
PID 348 wrote to memory of 704	348	{B25C70F1-2E76-4e87-BBD2-B993B8E4D114}.exe	42
PID 348 wrote to memory of 1692	348	{B25C70F1-2E76-4e87-BBD2-B993B8E4D114}.exe	43
PID 348 wrote to memory of 1692	348	{B25C70F1-2E76-4e87-BBD2-B993B8E4D114}.exe	43
PID 348 wrote to memory of 1692	348	{B25C70F1-2E76-4e87-BBD2-B993B8E4D114}.exe	43
PID 348 wrote to memory of 1692	348	{B25C70F1-2E76-4e87-BBD2-B993B8E4D114}.exe	43
PID 704 wrote to memory of 332	704	{32C109F1-A607-4144-BCCB-86F749F90267}.exe	44
PID 704 wrote to memory of 332	704	{32C109F1-A607-4144-BCCB-86F749F90267}.exe	44
PID 704 wrote to memory of 332	704	{32C109F1-A607-4144-BCCB-86F749F90267}.exe	44
PID 704 wrote to memory of 332	704	{32C109F1-A607-4144-BCCB-86F749F90267}.exe	44
PID 704 wrote to memory of 780	704	{32C109F1-A607-4144-BCCB-86F749F90267}.exe	45
PID 704 wrote to memory of 780	704	{32C109F1-A607-4144-BCCB-86F749F90267}.exe	45
PID 704 wrote to memory of 780	704	{32C109F1-A607-4144-BCCB-86F749F90267}.exe	45
PID 704 wrote to memory of 780	704	{32C109F1-A607-4144-BCCB-86F749F90267}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-02-28_97adaab74671504809e24a3664645a12_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-28_97adaab74671504809e24a3664645a12_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2208
- C:\Windows\{EEDAF25E-84C0-4a26-BED9-20DB7690C840}.exe
  C:\Windows\{EEDAF25E-84C0-4a26-BED9-20DB7690C840}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2648
- - C:\Windows\{8B10E30D-799D-4e48-93CC-94BD84373A64}.exe
    C:\Windows\{8B10E30D-799D-4e48-93CC-94BD84373A64}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2584
  - - C:\Windows\{CC8CCE58-B765-4043-92F0-E4552752C1F8}.exe
      C:\Windows\{CC8CCE58-B765-4043-92F0-E4552752C1F8}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2800
    - - C:\Windows\{794AE788-6C33-4798-B48D-C6B8C6F9A4D4}.exe
        
        C:\Windows\{794AE788-6C33-4798-B48D-C6B8C6F9A4D4}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1804
      - C:\Windows\{44A2CFD3-84AB-4bba-90FD-26BA2095E3F4}.exe
        
        C:\Windows\{44A2CFD3-84AB-4bba-90FD-26BA2095E3F4}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2796
        
        C:\Windows\{B25C70F1-2E76-4e87-BBD2-B993B8E4D114}.exe
        
        C:\Windows\{B25C70F1-2E76-4e87-BBD2-B993B8E4D114}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:348
        
        C:\Windows\{32C109F1-A607-4144-BCCB-86F749F90267}.exe
        
        C:\Windows\{32C109F1-A607-4144-BCCB-86F749F90267}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:704
        
        C:\Windows\{CB951F17-42A7-4ade-B7E4-48B901C480CC}.exe
        
        C:\Windows\{CB951F17-42A7-4ade-B7E4-48B901C480CC}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:332
        
        C:\Windows\{8BAE1739-3535-4f58-A100-217322729144}.exe
        
        C:\Windows\{8BAE1739-3535-4f58-A100-217322729144}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1964
        
        C:\Windows\{45F16070-D6D6-4516-B5AD-CE6BA3EA17C9}.exe
        
        C:\Windows\{45F16070-D6D6-4516-B5AD-CE6BA3EA17C9}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2304
        
        C:\Windows\{934C7301-7E4D-404e-83AA-28E04605ABA2}.exe
        
        C:\Windows\{934C7301-7E4D-404e-83AA-28E04605ABA2}.exe
        12⤵
        Executes dropped EXE
        
        PID:1288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{45F16~1.EXE > nul
        12⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8BAE1~1.EXE > nul
        11⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CB951~1.EXE > nul
        10⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{32C10~1.EXE > nul
        9⤵
        
        PID:780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B25C7~1.EXE > nul
        8⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{44A2C~1.EXE > nul
        7⤵
        
        PID:1236
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{794AE~1.EXE > nul
        6⤵
        
        PID:2920
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CC8CC~1.EXE > nul
        5⤵
        
        PID:2720
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{8B10E~1.EXE > nul
      4⤵
      PID:2632
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{EEDAF~1.EXE > nul
    3⤵
    PID:2468
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{32C109F1-A607-4144-BCCB-86F749F90267}.exe

Filesize
408KB

MD5
188d626342d9a737932de0dca1ddff31

SHA1
a3bd9f3fbd61f7de3c302edc7e97fa99297ca90f

SHA256
3a9a0030f6f0c14c2fb35b9fcc37698329098fd1985800c3a2382824bf084b29

SHA512
48c085eefcde9b9ce5a084dc8727316fea1c13f0cae7dee21582d9d23833ad4e73b9b16c2d0347f8008c80d63513feb90cb979bb2f42ad510ae90029ef0394f8

Download Submit
C:\Windows\{44A2CFD3-84AB-4bba-90FD-26BA2095E3F4}.exe

Filesize
408KB

MD5
d5de8b91dcff10e4340c37a5657a78c9

SHA1
eef585d549d28b9e6596701293e51b350495d905

SHA256
cb4a534a0ac52017c26b8162c5532589d22b5b9d223f14d320f7bce8dada8abc

SHA512
47525e21c87e60c5f3c46bb71a8ea73df9c47ee1b8d42f09671496b84f62f88064b5790075b3b92897df829c98aa104a53c2e6a4e49ef94718d47e21f96bb83d

Download Submit
C:\Windows\{45F16070-D6D6-4516-B5AD-CE6BA3EA17C9}.exe

Filesize
408KB

MD5
d0253c6b42a654d2bf7ad4b2549b0ed8

SHA1
88727bce8daeba491a7cfbd5f71c70efb2995a54

SHA256
19b156973b28a179a3a7272308edb716d54c1a4dfe3adab0df8a61a42221ff71

SHA512
612c49e97409e67d7e7979029ce8db758ab86ff974b5446094d50d854b59520f2f9e973eeb44efada309fc8aed3875ca6c9f77e16d36d3927f2b8a8ca5c122e1

Download Submit
C:\Windows\{794AE788-6C33-4798-B48D-C6B8C6F9A4D4}.exe

Filesize
408KB

MD5
3f48caccd9ceee705be31df027bdd618

SHA1
46c81aa8d0807eb8dc1aeb7d11804053a1397e00

SHA256
dd38ecf6b36692bb1241fa9fbbe4ce90fcb0e8f9c45715e47c761f35d6e08c39

SHA512
932a3dffb9528d516f2b7eb08f4f12cde8aae073cd3c6986825fd9de3a977ceda26520d35315a2060c45c60da6b182036d39e55a3dfa9b6206b602b536a8bde2

Download Submit
C:\Windows\{8B10E30D-799D-4e48-93CC-94BD84373A64}.exe

Filesize
408KB

MD5
c3a8d9c549c44ef4cd8634baf62c7153

SHA1
1e3337ae9be5300a88259051319962da4a43fa0b

SHA256
ffb21d39b7fd1540c0c2a73074b998bbddc0dedc5bed525001a798ea18126f1c

SHA512
dc2571677e945b5abf23e066ac4b0c3fe96b87415969bfcc6fa5932559ea5b7e09e581b94d7a03dfb9fd015f5171b13a9eac6d27c802520efe4525f749d08728

Download Submit
C:\Windows\{8BAE1739-3535-4f58-A100-217322729144}.exe

Filesize
408KB

MD5
0fd68200e6f03ba6f58636422b6399fb

SHA1
f0ddfdeadc2b833f5bc4b456775351cde6dc4e8f

SHA256
fb4b9d46d508e912b6299855cae5ae1a604e0f8d4ecaccba43b3a8a4f1af72cc

SHA512
b2c06fc2bde1f1c7023a180abd8b65df7553edbdabc43ab4e46e813b79d9b4b0f8b05673bea8cd55e3be081e724e5e9a1cb8e572a4d26a1cc0361cb9b4f37b75

Download Submit
C:\Windows\{934C7301-7E4D-404e-83AA-28E04605ABA2}.exe

Filesize
408KB

MD5
984301b593303eb220108b5aec3098b6

SHA1
8a860417eecff4b539a2875471e8bf1abb57f43e

SHA256
86156d2e7ae1c108b72795f1eb0aaaea056965cc28e4928f2d8e4c29169b8faa

SHA512
16fa1952e760f324932e5df1dd03ba5edcbf4a8282daab0b3cf4b13fb2714eb23a163565c678282f4b72e5ac6fd323f92b88f0cc8433d9dcf0bb325e86ace49c

Download Submit
C:\Windows\{B25C70F1-2E76-4e87-BBD2-B993B8E4D114}.exe

Filesize
408KB

MD5
37c3a20ee39f172c4b94ee8d64c5b2fa

SHA1
c43e78b205f18f17b49c62b98373387ed1bed1ee

SHA256
00c25a25d3c88c0dfebee48a0a3f0c582dcfdf6ae4c20fbad8cf2912032d0379

SHA512
e0ec1d8b8b32204727b988e47723c01452618476843fc66779bc32f5efa889fe7fae0c13b0cceee69dc411b17a4d713a1dcdbda99641b70eedc1edafaa61cd9f

Download Submit
C:\Windows\{CB951F17-42A7-4ade-B7E4-48B901C480CC}.exe

Filesize
408KB

MD5
4eb6d612d11dc8e29a2254f783b09ed6

SHA1
451f2f71ba489e7da620792b942b415619c9b339

SHA256
b5c5aab333e11abc0af0e017659d22e7c01a1615b8dbd3d7a2cef65c73516ea9

SHA512
7d9a4944b2a2ebf4db1aa8fc17f17e1af2d9dfd89fed34ff5fcc469af46922485679db34be22a903b8ce61796ba2d90ce99aa750802b179d1f8be59e83293e4a

Download Submit
C:\Windows\{CC8CCE58-B765-4043-92F0-E4552752C1F8}.exe

Filesize
408KB

MD5
410570041d9a2d9c8fe6ddf737e0b915

SHA1
b2de9e53164e8a0b6bb45a1a047bde625d7e0f0c

SHA256
a1ec5d579ab3464acbf7850a8e9b2eeeff75c8da22912b9902c449011b1d1a5a

SHA512
f1ca87d1507ab47674226ace4f2214862c71ae7d9bc150b1d2f4053fb1e927ce9fb53664d7eeb193e3356fa573e4a19c35ae60c8a81a243dbe695862eba45cfe

Download Submit
C:\Windows\{EEDAF25E-84C0-4a26-BED9-20DB7690C840}.exe

Filesize
408KB

MD5
214a4b95d611b34eabaa2872860b3e86

SHA1
376bb795c39f8acc103bce61a3750748b797fc90

SHA256
1d123bb737522f57dff59537c4213a4d671f0c122bc4e5a7718b7d16623bd099

SHA512
cd641a44d7066f697793f6aeeda198b66741c604fb8bc308655fba884e09447dfd4afd3a617c18dad00ab96f4d70d540a24ff30f07db3bf81ba3431b6fbe3106

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads