0fa816b4bb7fb2eefaff5a02506a76d21435e1575dabe03ca593cbd5a339385f

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
05/03/2024, 08:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-05_08152c85d9bd8b77a9121e07bbb0f10e_goldeneye.exe
Size

168KB
MD5

08152c85d9bd8b77a9121e07bbb0f10e
SHA1

bd1ff68cc613910114893e9e6c5b5730e0816999
SHA256

0fa816b4bb7fb2eefaff5a02506a76d21435e1575dabe03ca593cbd5a339385f
SHA512

f2f4f3bd4e5f8df5a4501406df5d74095efb1482e89f800e0c77063212558f7ca765ae8951c025bf238e7b4781ec4d54ccb3d34e9f357a04827c1374ba6ef71d
SSDEEP

1536:1EGh0oElq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oElqOPOe2MUVg3Ve+rX

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x00040000000130fc-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0030000000016432-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002f000000016576-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0031000000016432-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0032000000016432-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0033000000016432-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0034000000016432-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B99778C3-4976-4a1f-B480-A0F08F7D830B}\stubpath = "C:\\Windows\\{B99778C3-4976-4a1f-B480-A0F08F7D830B}.exe"	{B86F9272-28E9-47ba-9B32-381B94C48B0C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3D4ED490-98BA-4953-8F67-F89DF84777E2}\stubpath = "C:\\Windows\\{3D4ED490-98BA-4953-8F67-F89DF84777E2}.exe"	{B99778C3-4976-4a1f-B480-A0F08F7D830B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{73CF8BEC-B4E1-4d18-83F6-C8DDD7EF981C}\stubpath = "C:\\Windows\\{73CF8BEC-B4E1-4d18-83F6-C8DDD7EF981C}.exe"	{4D643995-13B4-4dcd-BB57-6B2F7866735D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A243CDFD-3079-4ee8-A3DB-7CBBDB481A45}	{73CF8BEC-B4E1-4d18-83F6-C8DDD7EF981C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{41F02389-CD37-48e5-A925-935369951C89}	{A243CDFD-3079-4ee8-A3DB-7CBBDB481A45}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{41F02389-CD37-48e5-A925-935369951C89}\stubpath = "C:\\Windows\\{41F02389-CD37-48e5-A925-935369951C89}.exe"	{A243CDFD-3079-4ee8-A3DB-7CBBDB481A45}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{17530240-7066-477a-B67D-1B5C69345BAD}\stubpath = "C:\\Windows\\{17530240-7066-477a-B67D-1B5C69345BAD}.exe"	2024-03-05_08152c85d9bd8b77a9121e07bbb0f10e_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B86F9272-28E9-47ba-9B32-381B94C48B0C}\stubpath = "C:\\Windows\\{B86F9272-28E9-47ba-9B32-381B94C48B0C}.exe"	{17530240-7066-477a-B67D-1B5C69345BAD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{94F93B1E-93E0-4227-8A7A-DD29709FD932}\stubpath = "C:\\Windows\\{94F93B1E-93E0-4227-8A7A-DD29709FD932}.exe"	{F1F32C25-D41F-4c0b-90AC-7539286E60C0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4D643995-13B4-4dcd-BB57-6B2F7866735D}	{94F93B1E-93E0-4227-8A7A-DD29709FD932}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4D643995-13B4-4dcd-BB57-6B2F7866735D}\stubpath = "C:\\Windows\\{4D643995-13B4-4dcd-BB57-6B2F7866735D}.exe"	{94F93B1E-93E0-4227-8A7A-DD29709FD932}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{94F5213F-67A7-4711-9A18-97BAB23E8853}\stubpath = "C:\\Windows\\{94F5213F-67A7-4711-9A18-97BAB23E8853}.exe"	{41F02389-CD37-48e5-A925-935369951C89}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{94F5213F-67A7-4711-9A18-97BAB23E8853}	{41F02389-CD37-48e5-A925-935369951C89}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{17530240-7066-477a-B67D-1B5C69345BAD}	2024-03-05_08152c85d9bd8b77a9121e07bbb0f10e_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F1F32C25-D41F-4c0b-90AC-7539286E60C0}\stubpath = "C:\\Windows\\{F1F32C25-D41F-4c0b-90AC-7539286E60C0}.exe"	{3D4ED490-98BA-4953-8F67-F89DF84777E2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{94F93B1E-93E0-4227-8A7A-DD29709FD932}	{F1F32C25-D41F-4c0b-90AC-7539286E60C0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{73CF8BEC-B4E1-4d18-83F6-C8DDD7EF981C}	{4D643995-13B4-4dcd-BB57-6B2F7866735D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A243CDFD-3079-4ee8-A3DB-7CBBDB481A45}\stubpath = "C:\\Windows\\{A243CDFD-3079-4ee8-A3DB-7CBBDB481A45}.exe"	{73CF8BEC-B4E1-4d18-83F6-C8DDD7EF981C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B86F9272-28E9-47ba-9B32-381B94C48B0C}	{17530240-7066-477a-B67D-1B5C69345BAD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B99778C3-4976-4a1f-B480-A0F08F7D830B}	{B86F9272-28E9-47ba-9B32-381B94C48B0C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3D4ED490-98BA-4953-8F67-F89DF84777E2}	{B99778C3-4976-4a1f-B480-A0F08F7D830B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F1F32C25-D41F-4c0b-90AC-7539286E60C0}	{3D4ED490-98BA-4953-8F67-F89DF84777E2}.exe

Deletes itself 1 IoCs

pid	Process
2496	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2132	{17530240-7066-477a-B67D-1B5C69345BAD}.exe
2888	{B86F9272-28E9-47ba-9B32-381B94C48B0C}.exe
2464	{B99778C3-4976-4a1f-B480-A0F08F7D830B}.exe
1140	{3D4ED490-98BA-4953-8F67-F89DF84777E2}.exe
1644	{F1F32C25-D41F-4c0b-90AC-7539286E60C0}.exe
1480	{94F93B1E-93E0-4227-8A7A-DD29709FD932}.exe
1144	{4D643995-13B4-4dcd-BB57-6B2F7866735D}.exe
2572	{73CF8BEC-B4E1-4d18-83F6-C8DDD7EF981C}.exe
780	{A243CDFD-3079-4ee8-A3DB-7CBBDB481A45}.exe
1336	{41F02389-CD37-48e5-A925-935369951C89}.exe
2160	{94F5213F-67A7-4711-9A18-97BAB23E8853}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{F1F32C25-D41F-4c0b-90AC-7539286E60C0}.exe	{3D4ED490-98BA-4953-8F67-F89DF84777E2}.exe
File created	C:\Windows\{94F93B1E-93E0-4227-8A7A-DD29709FD932}.exe	{F1F32C25-D41F-4c0b-90AC-7539286E60C0}.exe
File created	C:\Windows\{73CF8BEC-B4E1-4d18-83F6-C8DDD7EF981C}.exe	{4D643995-13B4-4dcd-BB57-6B2F7866735D}.exe
File created	C:\Windows\{41F02389-CD37-48e5-A925-935369951C89}.exe	{A243CDFD-3079-4ee8-A3DB-7CBBDB481A45}.exe
File created	C:\Windows\{17530240-7066-477a-B67D-1B5C69345BAD}.exe	2024-03-05_08152c85d9bd8b77a9121e07bbb0f10e_goldeneye.exe
File created	C:\Windows\{B86F9272-28E9-47ba-9B32-381B94C48B0C}.exe	{17530240-7066-477a-B67D-1B5C69345BAD}.exe
File created	C:\Windows\{B99778C3-4976-4a1f-B480-A0F08F7D830B}.exe	{B86F9272-28E9-47ba-9B32-381B94C48B0C}.exe
File created	C:\Windows\{94F5213F-67A7-4711-9A18-97BAB23E8853}.exe	{41F02389-CD37-48e5-A925-935369951C89}.exe
File created	C:\Windows\{3D4ED490-98BA-4953-8F67-F89DF84777E2}.exe	{B99778C3-4976-4a1f-B480-A0F08F7D830B}.exe
File created	C:\Windows\{4D643995-13B4-4dcd-BB57-6B2F7866735D}.exe	{94F93B1E-93E0-4227-8A7A-DD29709FD932}.exe
File created	C:\Windows\{A243CDFD-3079-4ee8-A3DB-7CBBDB481A45}.exe	{73CF8BEC-B4E1-4d18-83F6-C8DDD7EF981C}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2056	2024-03-05_08152c85d9bd8b77a9121e07bbb0f10e_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2132	{17530240-7066-477a-B67D-1B5C69345BAD}.exe
Token: SeIncBasePriorityPrivilege	2888	{B86F9272-28E9-47ba-9B32-381B94C48B0C}.exe
Token: SeIncBasePriorityPrivilege	2464	{B99778C3-4976-4a1f-B480-A0F08F7D830B}.exe
Token: SeIncBasePriorityPrivilege	1140	{3D4ED490-98BA-4953-8F67-F89DF84777E2}.exe
Token: SeIncBasePriorityPrivilege	1644	{F1F32C25-D41F-4c0b-90AC-7539286E60C0}.exe
Token: SeIncBasePriorityPrivilege	1480	{94F93B1E-93E0-4227-8A7A-DD29709FD932}.exe
Token: SeIncBasePriorityPrivilege	1144	{4D643995-13B4-4dcd-BB57-6B2F7866735D}.exe
Token: SeIncBasePriorityPrivilege	2572	{73CF8BEC-B4E1-4d18-83F6-C8DDD7EF981C}.exe
Token: SeIncBasePriorityPrivilege	780	{A243CDFD-3079-4ee8-A3DB-7CBBDB481A45}.exe
Token: SeIncBasePriorityPrivilege	1336	{41F02389-CD37-48e5-A925-935369951C89}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2056 wrote to memory of 2132	2056	2024-03-05_08152c85d9bd8b77a9121e07bbb0f10e_goldeneye.exe	28
PID 2056 wrote to memory of 2132	2056	2024-03-05_08152c85d9bd8b77a9121e07bbb0f10e_goldeneye.exe	28
PID 2056 wrote to memory of 2132	2056	2024-03-05_08152c85d9bd8b77a9121e07bbb0f10e_goldeneye.exe	28
PID 2056 wrote to memory of 2132	2056	2024-03-05_08152c85d9bd8b77a9121e07bbb0f10e_goldeneye.exe	28
PID 2056 wrote to memory of 2496	2056	2024-03-05_08152c85d9bd8b77a9121e07bbb0f10e_goldeneye.exe	29
PID 2056 wrote to memory of 2496	2056	2024-03-05_08152c85d9bd8b77a9121e07bbb0f10e_goldeneye.exe	29
PID 2056 wrote to memory of 2496	2056	2024-03-05_08152c85d9bd8b77a9121e07bbb0f10e_goldeneye.exe	29
PID 2056 wrote to memory of 2496	2056	2024-03-05_08152c85d9bd8b77a9121e07bbb0f10e_goldeneye.exe	29
PID 2132 wrote to memory of 2888	2132	{17530240-7066-477a-B67D-1B5C69345BAD}.exe	30
PID 2132 wrote to memory of 2888	2132	{17530240-7066-477a-B67D-1B5C69345BAD}.exe	30
PID 2132 wrote to memory of 2888	2132	{17530240-7066-477a-B67D-1B5C69345BAD}.exe	30
PID 2132 wrote to memory of 2888	2132	{17530240-7066-477a-B67D-1B5C69345BAD}.exe	30
PID 2132 wrote to memory of 2524	2132	{17530240-7066-477a-B67D-1B5C69345BAD}.exe	31
PID 2132 wrote to memory of 2524	2132	{17530240-7066-477a-B67D-1B5C69345BAD}.exe	31
PID 2132 wrote to memory of 2524	2132	{17530240-7066-477a-B67D-1B5C69345BAD}.exe	31
PID 2132 wrote to memory of 2524	2132	{17530240-7066-477a-B67D-1B5C69345BAD}.exe	31
PID 2888 wrote to memory of 2464	2888	{B86F9272-28E9-47ba-9B32-381B94C48B0C}.exe	34
PID 2888 wrote to memory of 2464	2888	{B86F9272-28E9-47ba-9B32-381B94C48B0C}.exe	34
PID 2888 wrote to memory of 2464	2888	{B86F9272-28E9-47ba-9B32-381B94C48B0C}.exe	34
PID 2888 wrote to memory of 2464	2888	{B86F9272-28E9-47ba-9B32-381B94C48B0C}.exe	34
PID 2888 wrote to memory of 2952	2888	{B86F9272-28E9-47ba-9B32-381B94C48B0C}.exe	35
PID 2888 wrote to memory of 2952	2888	{B86F9272-28E9-47ba-9B32-381B94C48B0C}.exe	35
PID 2888 wrote to memory of 2952	2888	{B86F9272-28E9-47ba-9B32-381B94C48B0C}.exe	35
PID 2888 wrote to memory of 2952	2888	{B86F9272-28E9-47ba-9B32-381B94C48B0C}.exe	35
PID 2464 wrote to memory of 1140	2464	{B99778C3-4976-4a1f-B480-A0F08F7D830B}.exe	36
PID 2464 wrote to memory of 1140	2464	{B99778C3-4976-4a1f-B480-A0F08F7D830B}.exe	36
PID 2464 wrote to memory of 1140	2464	{B99778C3-4976-4a1f-B480-A0F08F7D830B}.exe	36
PID 2464 wrote to memory of 1140	2464	{B99778C3-4976-4a1f-B480-A0F08F7D830B}.exe	36
PID 2464 wrote to memory of 796	2464	{B99778C3-4976-4a1f-B480-A0F08F7D830B}.exe	37
PID 2464 wrote to memory of 796	2464	{B99778C3-4976-4a1f-B480-A0F08F7D830B}.exe	37
PID 2464 wrote to memory of 796	2464	{B99778C3-4976-4a1f-B480-A0F08F7D830B}.exe	37
PID 2464 wrote to memory of 796	2464	{B99778C3-4976-4a1f-B480-A0F08F7D830B}.exe	37
PID 1140 wrote to memory of 1644	1140	{3D4ED490-98BA-4953-8F67-F89DF84777E2}.exe	38
PID 1140 wrote to memory of 1644	1140	{3D4ED490-98BA-4953-8F67-F89DF84777E2}.exe	38
PID 1140 wrote to memory of 1644	1140	{3D4ED490-98BA-4953-8F67-F89DF84777E2}.exe	38
PID 1140 wrote to memory of 1644	1140	{3D4ED490-98BA-4953-8F67-F89DF84777E2}.exe	38
PID 1140 wrote to memory of 2784	1140	{3D4ED490-98BA-4953-8F67-F89DF84777E2}.exe	39
PID 1140 wrote to memory of 2784	1140	{3D4ED490-98BA-4953-8F67-F89DF84777E2}.exe	39
PID 1140 wrote to memory of 2784	1140	{3D4ED490-98BA-4953-8F67-F89DF84777E2}.exe	39
PID 1140 wrote to memory of 2784	1140	{3D4ED490-98BA-4953-8F67-F89DF84777E2}.exe	39
PID 1644 wrote to memory of 1480	1644	{F1F32C25-D41F-4c0b-90AC-7539286E60C0}.exe	40
PID 1644 wrote to memory of 1480	1644	{F1F32C25-D41F-4c0b-90AC-7539286E60C0}.exe	40
PID 1644 wrote to memory of 1480	1644	{F1F32C25-D41F-4c0b-90AC-7539286E60C0}.exe	40
PID 1644 wrote to memory of 1480	1644	{F1F32C25-D41F-4c0b-90AC-7539286E60C0}.exe	40
PID 1644 wrote to memory of 1788	1644	{F1F32C25-D41F-4c0b-90AC-7539286E60C0}.exe	41
PID 1644 wrote to memory of 1788	1644	{F1F32C25-D41F-4c0b-90AC-7539286E60C0}.exe	41
PID 1644 wrote to memory of 1788	1644	{F1F32C25-D41F-4c0b-90AC-7539286E60C0}.exe	41
PID 1644 wrote to memory of 1788	1644	{F1F32C25-D41F-4c0b-90AC-7539286E60C0}.exe	41
PID 1480 wrote to memory of 1144	1480	{94F93B1E-93E0-4227-8A7A-DD29709FD932}.exe	42
PID 1480 wrote to memory of 1144	1480	{94F93B1E-93E0-4227-8A7A-DD29709FD932}.exe	42
PID 1480 wrote to memory of 1144	1480	{94F93B1E-93E0-4227-8A7A-DD29709FD932}.exe	42
PID 1480 wrote to memory of 1144	1480	{94F93B1E-93E0-4227-8A7A-DD29709FD932}.exe	42
PID 1480 wrote to memory of 308	1480	{94F93B1E-93E0-4227-8A7A-DD29709FD932}.exe	43
PID 1480 wrote to memory of 308	1480	{94F93B1E-93E0-4227-8A7A-DD29709FD932}.exe	43
PID 1480 wrote to memory of 308	1480	{94F93B1E-93E0-4227-8A7A-DD29709FD932}.exe	43
PID 1480 wrote to memory of 308	1480	{94F93B1E-93E0-4227-8A7A-DD29709FD932}.exe	43
PID 1144 wrote to memory of 2572	1144	{4D643995-13B4-4dcd-BB57-6B2F7866735D}.exe	44
PID 1144 wrote to memory of 2572	1144	{4D643995-13B4-4dcd-BB57-6B2F7866735D}.exe	44
PID 1144 wrote to memory of 2572	1144	{4D643995-13B4-4dcd-BB57-6B2F7866735D}.exe	44
PID 1144 wrote to memory of 2572	1144	{4D643995-13B4-4dcd-BB57-6B2F7866735D}.exe	44
PID 1144 wrote to memory of 2492	1144	{4D643995-13B4-4dcd-BB57-6B2F7866735D}.exe	45
PID 1144 wrote to memory of 2492	1144	{4D643995-13B4-4dcd-BB57-6B2F7866735D}.exe	45
PID 1144 wrote to memory of 2492	1144	{4D643995-13B4-4dcd-BB57-6B2F7866735D}.exe	45
PID 1144 wrote to memory of 2492	1144	{4D643995-13B4-4dcd-BB57-6B2F7866735D}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-03-05_08152c85d9bd8b77a9121e07bbb0f10e_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-05_08152c85d9bd8b77a9121e07bbb0f10e_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2056
- C:\Windows\{17530240-7066-477a-B67D-1B5C69345BAD}.exe
  C:\Windows\{17530240-7066-477a-B67D-1B5C69345BAD}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2132
- - C:\Windows\{B86F9272-28E9-47ba-9B32-381B94C48B0C}.exe
    C:\Windows\{B86F9272-28E9-47ba-9B32-381B94C48B0C}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2888
  - - C:\Windows\{B99778C3-4976-4a1f-B480-A0F08F7D830B}.exe
      C:\Windows\{B99778C3-4976-4a1f-B480-A0F08F7D830B}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2464
    - - C:\Windows\{3D4ED490-98BA-4953-8F67-F89DF84777E2}.exe
        
        C:\Windows\{3D4ED490-98BA-4953-8F67-F89DF84777E2}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1140
      - C:\Windows\{F1F32C25-D41F-4c0b-90AC-7539286E60C0}.exe
        
        C:\Windows\{F1F32C25-D41F-4c0b-90AC-7539286E60C0}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1644
        
        C:\Windows\{94F93B1E-93E0-4227-8A7A-DD29709FD932}.exe
        
        C:\Windows\{94F93B1E-93E0-4227-8A7A-DD29709FD932}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1480
        
        C:\Windows\{4D643995-13B4-4dcd-BB57-6B2F7866735D}.exe
        
        C:\Windows\{4D643995-13B4-4dcd-BB57-6B2F7866735D}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1144
        
        C:\Windows\{73CF8BEC-B4E1-4d18-83F6-C8DDD7EF981C}.exe
        
        C:\Windows\{73CF8BEC-B4E1-4d18-83F6-C8DDD7EF981C}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2572
        
        C:\Windows\{A243CDFD-3079-4ee8-A3DB-7CBBDB481A45}.exe
        
        C:\Windows\{A243CDFD-3079-4ee8-A3DB-7CBBDB481A45}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:780
        
        C:\Windows\{41F02389-CD37-48e5-A925-935369951C89}.exe
        
        C:\Windows\{41F02389-CD37-48e5-A925-935369951C89}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1336
        
        C:\Windows\{94F5213F-67A7-4711-9A18-97BAB23E8853}.exe
        
        C:\Windows\{94F5213F-67A7-4711-9A18-97BAB23E8853}.exe
        12⤵
        Executes dropped EXE
        
        PID:2160
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{41F02~1.EXE > nul
        12⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A243C~1.EXE > nul
        11⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{73CF8~1.EXE > nul
        10⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4D643~1.EXE > nul
        9⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{94F93~1.EXE > nul
        8⤵
        
        PID:308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F1F32~1.EXE > nul
        7⤵
        
        PID:1788
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3D4ED~1.EXE > nul
        6⤵
        
        PID:2784
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B9977~1.EXE > nul
        5⤵
        
        PID:796
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{B86F9~1.EXE > nul
      4⤵
      PID:2952
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{17530~1.EXE > nul
    3⤵
    PID:2524
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{17530240-7066-477a-B67D-1B5C69345BAD}.exe

Filesize
168KB

MD5
2efbef7ed4f4bc4a2295935c8881a106

SHA1
28feb1a63c63f2013248e6a9a5a8a8f0d6ea578f

SHA256
0fcf47412089f3eddc0ffd609f1beac58fecd6ed731140ce46fe88de2ab25a89

SHA512
923a94a4f9abd0d8220276d4e1bdcb55a784ed248a603742fc1e5c7eb4379c32b89c5331201684f07e10da7f2be9fc4d1fea7267a1d6e024f64b8560cd6c78fb

Download Submit
C:\Windows\{3D4ED490-98BA-4953-8F67-F89DF84777E2}.exe

Filesize
168KB

MD5
3043d5563ba958518574cb6bf4c84b82

SHA1
2d3ef15153cb85a4d531ff25797fc563f433d2f4

SHA256
9a4f49cda3d7f12dcc758b41cfa96406395580d13c84c20f738d550217dbdb81

SHA512
d64eaa137e54c3befe186a57f69b076a010fbb2f3b0460a787bb02c353d0c56eb800510e268c0e01f714f7855ca14eb4bcb9ed55b3ab4c704b27e577ba5066c2

Download Submit
C:\Windows\{41F02389-CD37-48e5-A925-935369951C89}.exe

Filesize
168KB

MD5
7e0390c172e45a557c52b53050007d8e

SHA1
fd6c21d85a74f013f5e13f3263595d871843a484

SHA256
40a28f5ec6cd4caa6bbf863b039cf6d918d74ae2b0066caf726bfe7feb6b2faf

SHA512
060abdb99b3f9cec538b0b9e4955be1b1e23df7e83f113cf67d65764855f300e903d7e0249490f82e9c9e31da76c1115d1cbb102f4b9542ae908a5b94be677e9

Download Submit
C:\Windows\{4D643995-13B4-4dcd-BB57-6B2F7866735D}.exe

Filesize
168KB

MD5
a22ee0eaf44277b36a06778f001a5376

SHA1
4ac3701cc5bb47224c6bad7983fab4d11ddc5ebd

SHA256
09bb81a73710ce0da7b20a54643ec018d2380719a69c18c88ed53f68cf8f5acb

SHA512
dc1da430bf0a53034eb1219766865bea2e14dbd3d8add8b6170a78eacb0fb512d518e2d31480dd26662436beb3f452c7b2de1222ee8dfe2d900929dc4f868e1c

Download Submit
C:\Windows\{73CF8BEC-B4E1-4d18-83F6-C8DDD7EF981C}.exe

Filesize
168KB

MD5
5f3bd9868e845c6f3f307a9611576fa6

SHA1
1e5079578a41af5b684be18fcfdcebd3619e8cec

SHA256
c00247850fed19c6b6326c1858776bc7c2fc45cb54d4d106c761421bc1959ca9

SHA512
a8fad97680d092bf1e6ed8fc9110d4810e5de173510ee75a5ca38b0d2a3eaf6783a81c37c333ae02d33ffee5f5cd4318d5762b6618cce1704f57a6ca9d6dbc75

Download Submit
C:\Windows\{94F5213F-67A7-4711-9A18-97BAB23E8853}.exe

Filesize
168KB

MD5
1d437ac2829f62adc37b955a033377a2

SHA1
f312be1dd87001048f3373910878a1a8d90649dc

SHA256
a991e77abd601f2cc450efba5d0e93629f4fd26c47d9964d49003fc4bce1b5fd

SHA512
1944bcb98d7cf53fd1c5967e3ac4aa9b7bef1ea2626bbef4f7def87d14c4058682caed4b477f8df0ce2d093bdc5f76c201f97da0e3ddaafb30da1ae0b0d4199e

Download Submit
C:\Windows\{94F93B1E-93E0-4227-8A7A-DD29709FD932}.exe

Filesize
168KB

MD5
33513e9759945b15aaade7d738fab516

SHA1
9ccaf8953af9102daf989864cad5a66d671d919f

SHA256
a63b3444f987685777bf92487d5c1724d2b719663530b14358724a644d78c833

SHA512
b2dcf3506d2f092263f18c2ccf5bfc5638d499ff4437103bb3fe7825dc7d6bd4dded6b7491bf0c689e80e8da8c397d7e21a2d10f2286c07d8801f097fdeba0ec

Download Submit
C:\Windows\{A243CDFD-3079-4ee8-A3DB-7CBBDB481A45}.exe

Filesize
168KB

MD5
88ccb30154a77187119baf1ba0572035

SHA1
03ae2fb083a3f9252dc54dae39310673a81d95c1

SHA256
0ea9acdd590bf3b377424b86679563d18eb8342ac7c25ab4591392562adfc7b0

SHA512
ec31c17467792d1a90da934e8049a8aa34c6bd67034591d06fcca18226a6f883d68d8d5589f992304a52f3d46721662d19f231fd51575b2b64a2bf64bb112f65

Download Submit
C:\Windows\{B86F9272-28E9-47ba-9B32-381B94C48B0C}.exe

Filesize
168KB

MD5
c848a627cae4f5792fcc41b5af3b4d66

SHA1
6a86dc1857a0aa907c4bbb9389ceb528e584e95e

SHA256
65d67b6f9b06d895cbfc292163503f1b100985286fd3694d8c1ee5f438db9af4

SHA512
c082b7ae8560313940164a69f92d83adf20fd43a5978f9f1501debdbdf52d07832f02348e8f1c64d29ee812d0d54b41b09b84699ec5412e41653a9fe79a5ba1c

Download Submit
C:\Windows\{B99778C3-4976-4a1f-B480-A0F08F7D830B}.exe

Filesize
168KB

MD5
2a6995e520120b8d14d70298cd333569

SHA1
8f5eba947710c27a3e4e134b69806f269f9bbd0b

SHA256
51634f0cc2af44f2665e036151f4b044eb289ea4b3184b2686c44d9ddab5cbfc

SHA512
f817395fa344cc02d22fb8e0e472a62b5ec8054431672671c74942a6c6793a46e80457ab1472dc0fa872843b195fed64827cb1462d5d66eb8edcdc95938dcdb2

Download Submit
C:\Windows\{F1F32C25-D41F-4c0b-90AC-7539286E60C0}.exe

Filesize
168KB

MD5
f835293d63b122ccf6f86e654bdd5673

SHA1
5e1d0a584775dfd500753b67f1e9ea744e02cc68

SHA256
b17f855ed1b05e0a0f220f3884fc317763f96fe9b2eb42508438869856223fd5

SHA512
79a7bbc400aedb3d89d4a86218e343fc64557d93be9c4937ee88552c2fdf6c6316e5c0c75c82f1a0583ff6da8c95efe639d20847de99f8b8142c6fb6f66a7d7d

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads