6fb2e1165a5e03a4de53be569fe1189de6ffc0458b64ffa8e43f4db69427c671

Analysis

max time kernel
144s
max time network
120s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
06/03/2024, 01:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-06_af85f83e22784df35d6e85f816661b8e_goldeneye.exe
Size

344KB
MD5

af85f83e22784df35d6e85f816661b8e
SHA1

f46c8c18ce2343c05dcd7277c1d6a96e09ca3177
SHA256

6fb2e1165a5e03a4de53be569fe1189de6ffc0458b64ffa8e43f4db69427c671
SHA512

1d767da71df18ef1c8d853db90b8730793c9c74476fae580d5b9993a59d63210a04747cc5b1b68ffab0de98b21744af12bcc54d5b6135529302163b45df8755f
SSDEEP

3072:mEGh0owlEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGilqOe2MUVg3v2IneKcAEcA

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000d00000001231a-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0033000000013a3d-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e00000001231a-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0033000000013a7c-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f00000001231a-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001000000001231a-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001100000001231a-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F90D220A-4829-4cb5-822D-52E7E2E8D5F1}	{9AA0D8B9-E910-4464-9EB3-B00994A034F8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7E880FDD-2EAA-47f6-8DF0-DE72FFE0B0DA}\stubpath = "C:\\Windows\\{7E880FDD-2EAA-47f6-8DF0-DE72FFE0B0DA}.exe"	{64062A74-6072-4c9d-A237-6D1F018C918F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EA661024-D427-49de-88E9-E09966EE3082}\stubpath = "C:\\Windows\\{EA661024-D427-49de-88E9-E09966EE3082}.exe"	2024-03-06_af85f83e22784df35d6e85f816661b8e_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{37AA93A9-06E0-4f05-823E-5C43ECC473E2}	{EA661024-D427-49de-88E9-E09966EE3082}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{37AA93A9-06E0-4f05-823E-5C43ECC473E2}\stubpath = "C:\\Windows\\{37AA93A9-06E0-4f05-823E-5C43ECC473E2}.exe"	{EA661024-D427-49de-88E9-E09966EE3082}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CD1EFD9F-6267-4db6-A5B5-F4D237E8DD9A}	{37AA93A9-06E0-4f05-823E-5C43ECC473E2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9AA0D8B9-E910-4464-9EB3-B00994A034F8}	{6148DAA6-4D64-47f8-8AE3-A73F5198A1C8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9AA0D8B9-E910-4464-9EB3-B00994A034F8}\stubpath = "C:\\Windows\\{9AA0D8B9-E910-4464-9EB3-B00994A034F8}.exe"	{6148DAA6-4D64-47f8-8AE3-A73F5198A1C8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{424FCAE4-6BC0-48d4-9327-67919BC8AB23}	{7E880FDD-2EAA-47f6-8DF0-DE72FFE0B0DA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7E880FDD-2EAA-47f6-8DF0-DE72FFE0B0DA}	{64062A74-6072-4c9d-A237-6D1F018C918F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EA661024-D427-49de-88E9-E09966EE3082}	2024-03-06_af85f83e22784df35d6e85f816661b8e_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CD1EFD9F-6267-4db6-A5B5-F4D237E8DD9A}\stubpath = "C:\\Windows\\{CD1EFD9F-6267-4db6-A5B5-F4D237E8DD9A}.exe"	{37AA93A9-06E0-4f05-823E-5C43ECC473E2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6148DAA6-4D64-47f8-8AE3-A73F5198A1C8}	{CD1EFD9F-6267-4db6-A5B5-F4D237E8DD9A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6148DAA6-4D64-47f8-8AE3-A73F5198A1C8}\stubpath = "C:\\Windows\\{6148DAA6-4D64-47f8-8AE3-A73F5198A1C8}.exe"	{CD1EFD9F-6267-4db6-A5B5-F4D237E8DD9A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{733B00A0-E4C9-47da-847B-02844E5C19D2}	{F90D220A-4829-4cb5-822D-52E7E2E8D5F1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{64062A74-6072-4c9d-A237-6D1F018C918F}	{733B00A0-E4C9-47da-847B-02844E5C19D2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{424FCAE4-6BC0-48d4-9327-67919BC8AB23}\stubpath = "C:\\Windows\\{424FCAE4-6BC0-48d4-9327-67919BC8AB23}.exe"	{7E880FDD-2EAA-47f6-8DF0-DE72FFE0B0DA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7132A949-9292-4d4c-9F23-BFF19F8AE96F}\stubpath = "C:\\Windows\\{7132A949-9292-4d4c-9F23-BFF19F8AE96F}.exe"	{424FCAE4-6BC0-48d4-9327-67919BC8AB23}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F90D220A-4829-4cb5-822D-52E7E2E8D5F1}\stubpath = "C:\\Windows\\{F90D220A-4829-4cb5-822D-52E7E2E8D5F1}.exe"	{9AA0D8B9-E910-4464-9EB3-B00994A034F8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{733B00A0-E4C9-47da-847B-02844E5C19D2}\stubpath = "C:\\Windows\\{733B00A0-E4C9-47da-847B-02844E5C19D2}.exe"	{F90D220A-4829-4cb5-822D-52E7E2E8D5F1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{64062A74-6072-4c9d-A237-6D1F018C918F}\stubpath = "C:\\Windows\\{64062A74-6072-4c9d-A237-6D1F018C918F}.exe"	{733B00A0-E4C9-47da-847B-02844E5C19D2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7132A949-9292-4d4c-9F23-BFF19F8AE96F}	{424FCAE4-6BC0-48d4-9327-67919BC8AB23}.exe

Deletes itself 1 IoCs

pid	Process
2552	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
1712	{EA661024-D427-49de-88E9-E09966EE3082}.exe
2584	{37AA93A9-06E0-4f05-823E-5C43ECC473E2}.exe
2488	{CD1EFD9F-6267-4db6-A5B5-F4D237E8DD9A}.exe
1036	{6148DAA6-4D64-47f8-8AE3-A73F5198A1C8}.exe
2796	{9AA0D8B9-E910-4464-9EB3-B00994A034F8}.exe
2024	{F90D220A-4829-4cb5-822D-52E7E2E8D5F1}.exe
1056	{733B00A0-E4C9-47da-847B-02844E5C19D2}.exe
1648	{64062A74-6072-4c9d-A237-6D1F018C918F}.exe
2304	{7E880FDD-2EAA-47f6-8DF0-DE72FFE0B0DA}.exe
876	{424FCAE4-6BC0-48d4-9327-67919BC8AB23}.exe
1504	{7132A949-9292-4d4c-9F23-BFF19F8AE96F}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{37AA93A9-06E0-4f05-823E-5C43ECC473E2}.exe	{EA661024-D427-49de-88E9-E09966EE3082}.exe
File created	C:\Windows\{64062A74-6072-4c9d-A237-6D1F018C918F}.exe	{733B00A0-E4C9-47da-847B-02844E5C19D2}.exe
File created	C:\Windows\{424FCAE4-6BC0-48d4-9327-67919BC8AB23}.exe	{7E880FDD-2EAA-47f6-8DF0-DE72FFE0B0DA}.exe
File created	C:\Windows\{7132A949-9292-4d4c-9F23-BFF19F8AE96F}.exe	{424FCAE4-6BC0-48d4-9327-67919BC8AB23}.exe
File created	C:\Windows\{EA661024-D427-49de-88E9-E09966EE3082}.exe	2024-03-06_af85f83e22784df35d6e85f816661b8e_goldeneye.exe
File created	C:\Windows\{6148DAA6-4D64-47f8-8AE3-A73F5198A1C8}.exe	{CD1EFD9F-6267-4db6-A5B5-F4D237E8DD9A}.exe
File created	C:\Windows\{9AA0D8B9-E910-4464-9EB3-B00994A034F8}.exe	{6148DAA6-4D64-47f8-8AE3-A73F5198A1C8}.exe
File created	C:\Windows\{F90D220A-4829-4cb5-822D-52E7E2E8D5F1}.exe	{9AA0D8B9-E910-4464-9EB3-B00994A034F8}.exe
File created	C:\Windows\{733B00A0-E4C9-47da-847B-02844E5C19D2}.exe	{F90D220A-4829-4cb5-822D-52E7E2E8D5F1}.exe
File created	C:\Windows\{7E880FDD-2EAA-47f6-8DF0-DE72FFE0B0DA}.exe	{64062A74-6072-4c9d-A237-6D1F018C918F}.exe
File created	C:\Windows\{CD1EFD9F-6267-4db6-A5B5-F4D237E8DD9A}.exe	{37AA93A9-06E0-4f05-823E-5C43ECC473E2}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2112	2024-03-06_af85f83e22784df35d6e85f816661b8e_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1712	{EA661024-D427-49de-88E9-E09966EE3082}.exe
Token: SeIncBasePriorityPrivilege	2584	{37AA93A9-06E0-4f05-823E-5C43ECC473E2}.exe
Token: SeIncBasePriorityPrivilege	2488	{CD1EFD9F-6267-4db6-A5B5-F4D237E8DD9A}.exe
Token: SeIncBasePriorityPrivilege	1036	{6148DAA6-4D64-47f8-8AE3-A73F5198A1C8}.exe
Token: SeIncBasePriorityPrivilege	2796	{9AA0D8B9-E910-4464-9EB3-B00994A034F8}.exe
Token: SeIncBasePriorityPrivilege	2024	{F90D220A-4829-4cb5-822D-52E7E2E8D5F1}.exe
Token: SeIncBasePriorityPrivilege	1056	{733B00A0-E4C9-47da-847B-02844E5C19D2}.exe
Token: SeIncBasePriorityPrivilege	1648	{64062A74-6072-4c9d-A237-6D1F018C918F}.exe
Token: SeIncBasePriorityPrivilege	2304	{7E880FDD-2EAA-47f6-8DF0-DE72FFE0B0DA}.exe
Token: SeIncBasePriorityPrivilege	876	{424FCAE4-6BC0-48d4-9327-67919BC8AB23}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2112 wrote to memory of 1712	2112	2024-03-06_af85f83e22784df35d6e85f816661b8e_goldeneye.exe	28
PID 2112 wrote to memory of 1712	2112	2024-03-06_af85f83e22784df35d6e85f816661b8e_goldeneye.exe	28
PID 2112 wrote to memory of 1712	2112	2024-03-06_af85f83e22784df35d6e85f816661b8e_goldeneye.exe	28
PID 2112 wrote to memory of 1712	2112	2024-03-06_af85f83e22784df35d6e85f816661b8e_goldeneye.exe	28
PID 2112 wrote to memory of 2552	2112	2024-03-06_af85f83e22784df35d6e85f816661b8e_goldeneye.exe	29
PID 2112 wrote to memory of 2552	2112	2024-03-06_af85f83e22784df35d6e85f816661b8e_goldeneye.exe	29
PID 2112 wrote to memory of 2552	2112	2024-03-06_af85f83e22784df35d6e85f816661b8e_goldeneye.exe	29
PID 2112 wrote to memory of 2552	2112	2024-03-06_af85f83e22784df35d6e85f816661b8e_goldeneye.exe	29
PID 1712 wrote to memory of 2584	1712	{EA661024-D427-49de-88E9-E09966EE3082}.exe	30
PID 1712 wrote to memory of 2584	1712	{EA661024-D427-49de-88E9-E09966EE3082}.exe	30
PID 1712 wrote to memory of 2584	1712	{EA661024-D427-49de-88E9-E09966EE3082}.exe	30
PID 1712 wrote to memory of 2584	1712	{EA661024-D427-49de-88E9-E09966EE3082}.exe	30
PID 1712 wrote to memory of 2996	1712	{EA661024-D427-49de-88E9-E09966EE3082}.exe	31
PID 1712 wrote to memory of 2996	1712	{EA661024-D427-49de-88E9-E09966EE3082}.exe	31
PID 1712 wrote to memory of 2996	1712	{EA661024-D427-49de-88E9-E09966EE3082}.exe	31
PID 1712 wrote to memory of 2996	1712	{EA661024-D427-49de-88E9-E09966EE3082}.exe	31
PID 2584 wrote to memory of 2488	2584	{37AA93A9-06E0-4f05-823E-5C43ECC473E2}.exe	32
PID 2584 wrote to memory of 2488	2584	{37AA93A9-06E0-4f05-823E-5C43ECC473E2}.exe	32
PID 2584 wrote to memory of 2488	2584	{37AA93A9-06E0-4f05-823E-5C43ECC473E2}.exe	32
PID 2584 wrote to memory of 2488	2584	{37AA93A9-06E0-4f05-823E-5C43ECC473E2}.exe	32
PID 2584 wrote to memory of 2624	2584	{37AA93A9-06E0-4f05-823E-5C43ECC473E2}.exe	33
PID 2584 wrote to memory of 2624	2584	{37AA93A9-06E0-4f05-823E-5C43ECC473E2}.exe	33
PID 2584 wrote to memory of 2624	2584	{37AA93A9-06E0-4f05-823E-5C43ECC473E2}.exe	33
PID 2584 wrote to memory of 2624	2584	{37AA93A9-06E0-4f05-823E-5C43ECC473E2}.exe	33
PID 2488 wrote to memory of 1036	2488	{CD1EFD9F-6267-4db6-A5B5-F4D237E8DD9A}.exe	36
PID 2488 wrote to memory of 1036	2488	{CD1EFD9F-6267-4db6-A5B5-F4D237E8DD9A}.exe	36
PID 2488 wrote to memory of 1036	2488	{CD1EFD9F-6267-4db6-A5B5-F4D237E8DD9A}.exe	36
PID 2488 wrote to memory of 1036	2488	{CD1EFD9F-6267-4db6-A5B5-F4D237E8DD9A}.exe	36
PID 2488 wrote to memory of 1720	2488	{CD1EFD9F-6267-4db6-A5B5-F4D237E8DD9A}.exe	37
PID 2488 wrote to memory of 1720	2488	{CD1EFD9F-6267-4db6-A5B5-F4D237E8DD9A}.exe	37
PID 2488 wrote to memory of 1720	2488	{CD1EFD9F-6267-4db6-A5B5-F4D237E8DD9A}.exe	37
PID 2488 wrote to memory of 1720	2488	{CD1EFD9F-6267-4db6-A5B5-F4D237E8DD9A}.exe	37
PID 1036 wrote to memory of 2796	1036	{6148DAA6-4D64-47f8-8AE3-A73F5198A1C8}.exe	38
PID 1036 wrote to memory of 2796	1036	{6148DAA6-4D64-47f8-8AE3-A73F5198A1C8}.exe	38
PID 1036 wrote to memory of 2796	1036	{6148DAA6-4D64-47f8-8AE3-A73F5198A1C8}.exe	38
PID 1036 wrote to memory of 2796	1036	{6148DAA6-4D64-47f8-8AE3-A73F5198A1C8}.exe	38
PID 1036 wrote to memory of 2896	1036	{6148DAA6-4D64-47f8-8AE3-A73F5198A1C8}.exe	39
PID 1036 wrote to memory of 2896	1036	{6148DAA6-4D64-47f8-8AE3-A73F5198A1C8}.exe	39
PID 1036 wrote to memory of 2896	1036	{6148DAA6-4D64-47f8-8AE3-A73F5198A1C8}.exe	39
PID 1036 wrote to memory of 2896	1036	{6148DAA6-4D64-47f8-8AE3-A73F5198A1C8}.exe	39
PID 2796 wrote to memory of 2024	2796	{9AA0D8B9-E910-4464-9EB3-B00994A034F8}.exe	40
PID 2796 wrote to memory of 2024	2796	{9AA0D8B9-E910-4464-9EB3-B00994A034F8}.exe	40
PID 2796 wrote to memory of 2024	2796	{9AA0D8B9-E910-4464-9EB3-B00994A034F8}.exe	40
PID 2796 wrote to memory of 2024	2796	{9AA0D8B9-E910-4464-9EB3-B00994A034F8}.exe	40
PID 2796 wrote to memory of 1828	2796	{9AA0D8B9-E910-4464-9EB3-B00994A034F8}.exe	41
PID 2796 wrote to memory of 1828	2796	{9AA0D8B9-E910-4464-9EB3-B00994A034F8}.exe	41
PID 2796 wrote to memory of 1828	2796	{9AA0D8B9-E910-4464-9EB3-B00994A034F8}.exe	41
PID 2796 wrote to memory of 1828	2796	{9AA0D8B9-E910-4464-9EB3-B00994A034F8}.exe	41
PID 2024 wrote to memory of 1056	2024	{F90D220A-4829-4cb5-822D-52E7E2E8D5F1}.exe	42
PID 2024 wrote to memory of 1056	2024	{F90D220A-4829-4cb5-822D-52E7E2E8D5F1}.exe	42
PID 2024 wrote to memory of 1056	2024	{F90D220A-4829-4cb5-822D-52E7E2E8D5F1}.exe	42
PID 2024 wrote to memory of 1056	2024	{F90D220A-4829-4cb5-822D-52E7E2E8D5F1}.exe	42
PID 2024 wrote to memory of 1984	2024	{F90D220A-4829-4cb5-822D-52E7E2E8D5F1}.exe	43
PID 2024 wrote to memory of 1984	2024	{F90D220A-4829-4cb5-822D-52E7E2E8D5F1}.exe	43
PID 2024 wrote to memory of 1984	2024	{F90D220A-4829-4cb5-822D-52E7E2E8D5F1}.exe	43
PID 2024 wrote to memory of 1984	2024	{F90D220A-4829-4cb5-822D-52E7E2E8D5F1}.exe	43
PID 1056 wrote to memory of 1648	1056	{733B00A0-E4C9-47da-847B-02844E5C19D2}.exe	44
PID 1056 wrote to memory of 1648	1056	{733B00A0-E4C9-47da-847B-02844E5C19D2}.exe	44
PID 1056 wrote to memory of 1648	1056	{733B00A0-E4C9-47da-847B-02844E5C19D2}.exe	44
PID 1056 wrote to memory of 1648	1056	{733B00A0-E4C9-47da-847B-02844E5C19D2}.exe	44
PID 1056 wrote to memory of 1692	1056	{733B00A0-E4C9-47da-847B-02844E5C19D2}.exe	45
PID 1056 wrote to memory of 1692	1056	{733B00A0-E4C9-47da-847B-02844E5C19D2}.exe	45
PID 1056 wrote to memory of 1692	1056	{733B00A0-E4C9-47da-847B-02844E5C19D2}.exe	45
PID 1056 wrote to memory of 1692	1056	{733B00A0-E4C9-47da-847B-02844E5C19D2}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-03-06_af85f83e22784df35d6e85f816661b8e_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-06_af85f83e22784df35d6e85f816661b8e_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2112
- C:\Windows\{EA661024-D427-49de-88E9-E09966EE3082}.exe
  C:\Windows\{EA661024-D427-49de-88E9-E09966EE3082}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1712
- - C:\Windows\{37AA93A9-06E0-4f05-823E-5C43ECC473E2}.exe
    C:\Windows\{37AA93A9-06E0-4f05-823E-5C43ECC473E2}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2584
  - - C:\Windows\{CD1EFD9F-6267-4db6-A5B5-F4D237E8DD9A}.exe
      C:\Windows\{CD1EFD9F-6267-4db6-A5B5-F4D237E8DD9A}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2488
    - - C:\Windows\{6148DAA6-4D64-47f8-8AE3-A73F5198A1C8}.exe
        
        C:\Windows\{6148DAA6-4D64-47f8-8AE3-A73F5198A1C8}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1036
      - C:\Windows\{9AA0D8B9-E910-4464-9EB3-B00994A034F8}.exe
        
        C:\Windows\{9AA0D8B9-E910-4464-9EB3-B00994A034F8}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2796
        
        C:\Windows\{F90D220A-4829-4cb5-822D-52E7E2E8D5F1}.exe
        
        C:\Windows\{F90D220A-4829-4cb5-822D-52E7E2E8D5F1}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2024
        
        C:\Windows\{733B00A0-E4C9-47da-847B-02844E5C19D2}.exe
        
        C:\Windows\{733B00A0-E4C9-47da-847B-02844E5C19D2}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1056
        
        C:\Windows\{64062A74-6072-4c9d-A237-6D1F018C918F}.exe
        
        C:\Windows\{64062A74-6072-4c9d-A237-6D1F018C918F}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1648
        
        C:\Windows\{7E880FDD-2EAA-47f6-8DF0-DE72FFE0B0DA}.exe
        
        C:\Windows\{7E880FDD-2EAA-47f6-8DF0-DE72FFE0B0DA}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2304
        
        C:\Windows\{424FCAE4-6BC0-48d4-9327-67919BC8AB23}.exe
        
        C:\Windows\{424FCAE4-6BC0-48d4-9327-67919BC8AB23}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:876
        
        C:\Windows\{7132A949-9292-4d4c-9F23-BFF19F8AE96F}.exe
        
        C:\Windows\{7132A949-9292-4d4c-9F23-BFF19F8AE96F}.exe
        12⤵
        Executes dropped EXE
        
        PID:1504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{424FC~1.EXE > nul
        12⤵
        
        PID:1108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7E880~1.EXE > nul
        11⤵
        
        PID:608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{64062~1.EXE > nul
        10⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{733B0~1.EXE > nul
        9⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F90D2~1.EXE > nul
        8⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9AA0D~1.EXE > nul
        7⤵
        
        PID:1828
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6148D~1.EXE > nul
        6⤵
        
        PID:2896
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CD1EF~1.EXE > nul
        5⤵
        
        PID:1720
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{37AA9~1.EXE > nul
      4⤵
      PID:2624
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{EA661~1.EXE > nul
    3⤵
    PID:2996
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{37AA93A9-06E0-4f05-823E-5C43ECC473E2}.exe

Filesize
344KB

MD5
ea8b1f554ed1d0eddb209bdd859b9f5f

SHA1
a20aa1ddd9cf608baf101b970e150a4ed49b2feb

SHA256
6fca95eff689e89ec250e07ecd6c5e8dddecdedf2f509601120de28db6feca31

SHA512
8e1bec1c6189a5c9eeefda35b95d91b42c4b9e83e34757508dfa5eddea83e07dda2440cfbec4319c08428369f2d9f8c0e8ed21240ac9ca83f588d1bc5b3839c9

Download Submit
C:\Windows\{424FCAE4-6BC0-48d4-9327-67919BC8AB23}.exe

Filesize
344KB

MD5
4188c3f54e9515a83b31bae0bcd59933

SHA1
811ce2e398ffee72e1876b8a5c14d416bf749b35

SHA256
18bd92cffd3a02392b38434d5f49a1b315ac63b7c9cd47ea526aa91bb2f0314d

SHA512
43be9c8742a6cce2dd01b80eecc228938ca0978adb36adaccc1fc4db7ca2f830e4e40a6fee3e82e8cd44468cf3d1b2dc35772a4e0f620555dbf1c92689693fb7

Download Submit
C:\Windows\{6148DAA6-4D64-47f8-8AE3-A73F5198A1C8}.exe

Filesize
344KB

MD5
ea12cd2af88d06759f286d4800fcdd98

SHA1
3723b0cfa87d7f07e45c527b29f5dce143c1d633

SHA256
1150dd6af918ecd70467dd2eba4a1af3b71b1495b26fe815c774b2ccb00d95d2

SHA512
9f0bef9016dfe4210b1f417d76df2d528cc691ec4a188ea58ae641751edc3587d479beb3599f910df1fcd79dcd78963ff4023ecd7493f0f19296ace9dec83700

Download Submit
C:\Windows\{64062A74-6072-4c9d-A237-6D1F018C918F}.exe

Filesize
344KB

MD5
fd2477b066e8822a34d3d979c39463e3

SHA1
b5ef6984558830e0d6297d84467addb470b30384

SHA256
5e60451cb0a46f7e872b58dbe562663390c514d8fe968c5daa1801aee2728ac5

SHA512
7f662f17bc11dcc1807fc63848ea7be3b7060b1465c3e92c5fcc245720afea8355f44c6b459df1894f978831af50714f0a737bf9a9e4d2e4a523edc28501eacc

Download Submit
C:\Windows\{7132A949-9292-4d4c-9F23-BFF19F8AE96F}.exe

Filesize
344KB

MD5
17b958cd122e0c0d08edc210d60af13b

SHA1
d8f1ca4809b6611b3e4239e3efe36c55daf17cc1

SHA256
5cb9e1a13174465192f1f1dfaeb1df5c7908811d4c94119aa2d478148ff49ccb

SHA512
3fb50ea346cdb515f7766445769b70471c8c169bcc0c010b40ec6b1a71f7ee8fe45427ba8c0062e90715032357ea8d33fcc9e0f90e616ae5cfd27516868a0521

Download Submit
C:\Windows\{733B00A0-E4C9-47da-847B-02844E5C19D2}.exe

Filesize
344KB

MD5
85df598ad3ee1cf06bf473553cca0023

SHA1
2891e9e45cf8288cd5b66bdb6fede90870ca9af2

SHA256
1ca892554f32ab2c4364048aeed11c248da46a77f52fe8c510b31a2f2ccb9436

SHA512
acb0b8f92c2dcf0bde5264d090b6dbf01d2101370abc8a38f722ce3f8bb44b755aa04720d0e6e251d8784d7a324892e3d5de8c791c0b74a72319077470ee87a8

Download Submit
C:\Windows\{7E880FDD-2EAA-47f6-8DF0-DE72FFE0B0DA}.exe

Filesize
344KB

MD5
a0421977c3934a0f92788b717b315f6a

SHA1
f7761d6a50cd75c132acc7227366f6b5074d9683

SHA256
9fbb74a15537744a9c4876a7a236c48a1ac5a7ef19845949e44df3443a8de264

SHA512
4ca803fea42233a1dcb0beb457f2d3b91a21690358f3a9cb47521dc5c365bdeb11b6bf8e190d19cdfa72a467dfbcded335282510b38472e06a58be61915641ce

Download Submit
C:\Windows\{9AA0D8B9-E910-4464-9EB3-B00994A034F8}.exe

Filesize
344KB

MD5
1d27f049752ea23294c43715b76d46c6

SHA1
b71ce27204a7f9305dc22060a7b2f3497c7354c6

SHA256
12cfc972c6d807a88c53097722421054c4c6575de5a26510be9d3386761d81b2

SHA512
69fec053078780bcfe38e6adcb2259680d086197cf86505e765349ff9c94b9cd5f81543dd0d553b006a1961da91d3b839f7bd87f6e604eda66a13d0a2338e8cc

Download Submit
C:\Windows\{CD1EFD9F-6267-4db6-A5B5-F4D237E8DD9A}.exe

Filesize
344KB

MD5
769b373059b3e6b597aa865ec7c03209

SHA1
58bc7075e6abc15caf8f8af281347d293b9c4464

SHA256
8130b7f836243c0a407a879573e304903e7482c711709d11039debc7825903ac

SHA512
10658bc4333b6837b190e616e9fb9c1572d95e58d1d84ffcf13d2d84652f09e0b7ce290f496ed1987170d808db57aa758aaf82d7007a0d02739a526cef6b7391

Download Submit
C:\Windows\{EA661024-D427-49de-88E9-E09966EE3082}.exe

Filesize
344KB

MD5
e35f57eb1200e723d52241c1b08ddf8a

SHA1
cf07a298562d6ff5c9703719ebe8e12566ed7b7b

SHA256
f19278f7693cfcb5643439963094963d27bcd0735803e28bc7c8d25515502058

SHA512
007bd01a215599bc2b8ea6acccb0d2ed2060eefa03caa95fa9ab351e664239d2b58af4a3292651671bc06c27c9d45968bd6539ee5904c2525f70cf0f6308368c

Download Submit
C:\Windows\{F90D220A-4829-4cb5-822D-52E7E2E8D5F1}.exe

Filesize
344KB

MD5
08b3ed1e8b02d5f0a9ff6ddddebb186c

SHA1
33a6d1c940e3b1a056af93ad9ea4ddf19571b46c

SHA256
1a9fc9c09a51c6001ba61135cbbf1f73ccf9f7aca6145d81d72d36b449fafaab

SHA512
b06a8e0fc89f56a136cda6166f217ce3a0abba7349b193c950c7abdaf01fc8260fe5f3301cb30b20fb73b28753c69d70bd092c7f12c95518e13fb8d465bab35e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads