979e7baea4ad563a278e45f2a32904012ce3f4816adb45a5efa9e8d4caa3f299

Analysis

max time kernel
144s
max time network
120s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
06-03-2024 17:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-06_a8d275e7a50eb7097f1fd84da1f8548f_goldeneye.exe
Size

372KB
MD5

a8d275e7a50eb7097f1fd84da1f8548f
SHA1

7aea7a3082e8e5a41623671010a6e75747467c10
SHA256

979e7baea4ad563a278e45f2a32904012ce3f4816adb45a5efa9e8d4caa3f299
SHA512

fa3d29d07c846d1e80da238dc85d59264bef44328c426ed00428c07085c7d35ca941b10fd95be2f87b0d5f102e01578900c2efddeeab0dfe81884010e4eab7b9
SSDEEP

3072:CEGh0oElMOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBfM:CEGClkOe2MUVg3vTeKcAEciTBqr3

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000a000000012239-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000014b86-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b000000012239-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed8-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002500000000b1f4-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed8-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002600000000b1f4-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed8-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002700000000b1f4-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed8-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002800000000b1f4-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E7E711D4-B68C-47eb-88E8-AD96F14A9A62}	{B9748B42-EF67-493a-9363-9E3A8301BFE5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E7E711D4-B68C-47eb-88E8-AD96F14A9A62}\stubpath = "C:\\Windows\\{E7E711D4-B68C-47eb-88E8-AD96F14A9A62}.exe"	{B9748B42-EF67-493a-9363-9E3A8301BFE5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6CBA4327-4394-41d8-B1D3-FBD14DE0B83A}	{F0B88FD5-693E-4bad-9151-A9D228580765}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A567D4BE-8E88-4534-8C04-4CCF00B24B69}\stubpath = "C:\\Windows\\{A567D4BE-8E88-4534-8C04-4CCF00B24B69}.exe"	{D091009C-83E6-4299-BA07-07E4698F1FFB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B9748B42-EF67-493a-9363-9E3A8301BFE5}\stubpath = "C:\\Windows\\{B9748B42-EF67-493a-9363-9E3A8301BFE5}.exe"	{A567D4BE-8E88-4534-8C04-4CCF00B24B69}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1C928729-B814-44d9-8E39-12190752B077}\stubpath = "C:\\Windows\\{1C928729-B814-44d9-8E39-12190752B077}.exe"	{E7E711D4-B68C-47eb-88E8-AD96F14A9A62}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{28F813F7-69F9-4473-9D02-8B037A6DBCB2}\stubpath = "C:\\Windows\\{28F813F7-69F9-4473-9D02-8B037A6DBCB2}.exe"	{1C928729-B814-44d9-8E39-12190752B077}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F0B88FD5-693E-4bad-9151-A9D228580765}	{E46C9F3F-024C-457b-9558-297335AE1E9B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D091009C-83E6-4299-BA07-07E4698F1FFB}	2024-03-06_a8d275e7a50eb7097f1fd84da1f8548f_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D091009C-83E6-4299-BA07-07E4698F1FFB}\stubpath = "C:\\Windows\\{D091009C-83E6-4299-BA07-07E4698F1FFB}.exe"	2024-03-06_a8d275e7a50eb7097f1fd84da1f8548f_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A567D4BE-8E88-4534-8C04-4CCF00B24B69}	{D091009C-83E6-4299-BA07-07E4698F1FFB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6CBA4327-4394-41d8-B1D3-FBD14DE0B83A}\stubpath = "C:\\Windows\\{6CBA4327-4394-41d8-B1D3-FBD14DE0B83A}.exe"	{F0B88FD5-693E-4bad-9151-A9D228580765}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A2DFA403-EB0F-4046-8AFD-C5592436272D}\stubpath = "C:\\Windows\\{A2DFA403-EB0F-4046-8AFD-C5592436272D}.exe"	{6CBA4327-4394-41d8-B1D3-FBD14DE0B83A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CE44749E-31E5-4057-AE06-8FC6629EF640}	{A2DFA403-EB0F-4046-8AFD-C5592436272D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B9748B42-EF67-493a-9363-9E3A8301BFE5}	{A567D4BE-8E88-4534-8C04-4CCF00B24B69}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1C928729-B814-44d9-8E39-12190752B077}	{E7E711D4-B68C-47eb-88E8-AD96F14A9A62}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{28F813F7-69F9-4473-9D02-8B037A6DBCB2}	{1C928729-B814-44d9-8E39-12190752B077}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A2DFA403-EB0F-4046-8AFD-C5592436272D}	{6CBA4327-4394-41d8-B1D3-FBD14DE0B83A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CE44749E-31E5-4057-AE06-8FC6629EF640}\stubpath = "C:\\Windows\\{CE44749E-31E5-4057-AE06-8FC6629EF640}.exe"	{A2DFA403-EB0F-4046-8AFD-C5592436272D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E46C9F3F-024C-457b-9558-297335AE1E9B}	{28F813F7-69F9-4473-9D02-8B037A6DBCB2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E46C9F3F-024C-457b-9558-297335AE1E9B}\stubpath = "C:\\Windows\\{E46C9F3F-024C-457b-9558-297335AE1E9B}.exe"	{28F813F7-69F9-4473-9D02-8B037A6DBCB2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F0B88FD5-693E-4bad-9151-A9D228580765}\stubpath = "C:\\Windows\\{F0B88FD5-693E-4bad-9151-A9D228580765}.exe"	{E46C9F3F-024C-457b-9558-297335AE1E9B}.exe

Deletes itself 1 IoCs

pid	Process
2696	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2564	{D091009C-83E6-4299-BA07-07E4698F1FFB}.exe
2144	{A567D4BE-8E88-4534-8C04-4CCF00B24B69}.exe
2584	{B9748B42-EF67-493a-9363-9E3A8301BFE5}.exe
2848	{E7E711D4-B68C-47eb-88E8-AD96F14A9A62}.exe
1684	{1C928729-B814-44d9-8E39-12190752B077}.exe
2636	{28F813F7-69F9-4473-9D02-8B037A6DBCB2}.exe
2780	{E46C9F3F-024C-457b-9558-297335AE1E9B}.exe
468	{F0B88FD5-693E-4bad-9151-A9D228580765}.exe
2128	{6CBA4327-4394-41d8-B1D3-FBD14DE0B83A}.exe
2384	{A2DFA403-EB0F-4046-8AFD-C5592436272D}.exe
1904	{CE44749E-31E5-4057-AE06-8FC6629EF640}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{D091009C-83E6-4299-BA07-07E4698F1FFB}.exe	2024-03-06_a8d275e7a50eb7097f1fd84da1f8548f_goldeneye.exe
File created	C:\Windows\{E7E711D4-B68C-47eb-88E8-AD96F14A9A62}.exe	{B9748B42-EF67-493a-9363-9E3A8301BFE5}.exe
File created	C:\Windows\{28F813F7-69F9-4473-9D02-8B037A6DBCB2}.exe	{1C928729-B814-44d9-8E39-12190752B077}.exe
File created	C:\Windows\{6CBA4327-4394-41d8-B1D3-FBD14DE0B83A}.exe	{F0B88FD5-693E-4bad-9151-A9D228580765}.exe
File created	C:\Windows\{F0B88FD5-693E-4bad-9151-A9D228580765}.exe	{E46C9F3F-024C-457b-9558-297335AE1E9B}.exe
File created	C:\Windows\{A2DFA403-EB0F-4046-8AFD-C5592436272D}.exe	{6CBA4327-4394-41d8-B1D3-FBD14DE0B83A}.exe
File created	C:\Windows\{CE44749E-31E5-4057-AE06-8FC6629EF640}.exe	{A2DFA403-EB0F-4046-8AFD-C5592436272D}.exe
File created	C:\Windows\{A567D4BE-8E88-4534-8C04-4CCF00B24B69}.exe	{D091009C-83E6-4299-BA07-07E4698F1FFB}.exe
File created	C:\Windows\{B9748B42-EF67-493a-9363-9E3A8301BFE5}.exe	{A567D4BE-8E88-4534-8C04-4CCF00B24B69}.exe
File created	C:\Windows\{1C928729-B814-44d9-8E39-12190752B077}.exe	{E7E711D4-B68C-47eb-88E8-AD96F14A9A62}.exe
File created	C:\Windows\{E46C9F3F-024C-457b-9558-297335AE1E9B}.exe	{28F813F7-69F9-4473-9D02-8B037A6DBCB2}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1368	2024-03-06_a8d275e7a50eb7097f1fd84da1f8548f_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2564	{D091009C-83E6-4299-BA07-07E4698F1FFB}.exe
Token: SeIncBasePriorityPrivilege	2144	{A567D4BE-8E88-4534-8C04-4CCF00B24B69}.exe
Token: SeIncBasePriorityPrivilege	2584	{B9748B42-EF67-493a-9363-9E3A8301BFE5}.exe
Token: SeIncBasePriorityPrivilege	2848	{E7E711D4-B68C-47eb-88E8-AD96F14A9A62}.exe
Token: SeIncBasePriorityPrivilege	1684	{1C928729-B814-44d9-8E39-12190752B077}.exe
Token: SeIncBasePriorityPrivilege	2636	{28F813F7-69F9-4473-9D02-8B037A6DBCB2}.exe
Token: SeIncBasePriorityPrivilege	2780	{E46C9F3F-024C-457b-9558-297335AE1E9B}.exe
Token: SeIncBasePriorityPrivilege	468	{F0B88FD5-693E-4bad-9151-A9D228580765}.exe
Token: SeIncBasePriorityPrivilege	2128	{6CBA4327-4394-41d8-B1D3-FBD14DE0B83A}.exe
Token: SeIncBasePriorityPrivilege	2384	{A2DFA403-EB0F-4046-8AFD-C5592436272D}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1368 wrote to memory of 2564	1368	2024-03-06_a8d275e7a50eb7097f1fd84da1f8548f_goldeneye.exe	28
PID 1368 wrote to memory of 2564	1368	2024-03-06_a8d275e7a50eb7097f1fd84da1f8548f_goldeneye.exe	28
PID 1368 wrote to memory of 2564	1368	2024-03-06_a8d275e7a50eb7097f1fd84da1f8548f_goldeneye.exe	28
PID 1368 wrote to memory of 2564	1368	2024-03-06_a8d275e7a50eb7097f1fd84da1f8548f_goldeneye.exe	28
PID 1368 wrote to memory of 2696	1368	2024-03-06_a8d275e7a50eb7097f1fd84da1f8548f_goldeneye.exe	29
PID 1368 wrote to memory of 2696	1368	2024-03-06_a8d275e7a50eb7097f1fd84da1f8548f_goldeneye.exe	29
PID 1368 wrote to memory of 2696	1368	2024-03-06_a8d275e7a50eb7097f1fd84da1f8548f_goldeneye.exe	29
PID 1368 wrote to memory of 2696	1368	2024-03-06_a8d275e7a50eb7097f1fd84da1f8548f_goldeneye.exe	29
PID 2564 wrote to memory of 2144	2564	{D091009C-83E6-4299-BA07-07E4698F1FFB}.exe	30
PID 2564 wrote to memory of 2144	2564	{D091009C-83E6-4299-BA07-07E4698F1FFB}.exe	30
PID 2564 wrote to memory of 2144	2564	{D091009C-83E6-4299-BA07-07E4698F1FFB}.exe	30
PID 2564 wrote to memory of 2144	2564	{D091009C-83E6-4299-BA07-07E4698F1FFB}.exe	30
PID 2564 wrote to memory of 1628	2564	{D091009C-83E6-4299-BA07-07E4698F1FFB}.exe	31
PID 2564 wrote to memory of 1628	2564	{D091009C-83E6-4299-BA07-07E4698F1FFB}.exe	31
PID 2564 wrote to memory of 1628	2564	{D091009C-83E6-4299-BA07-07E4698F1FFB}.exe	31
PID 2564 wrote to memory of 1628	2564	{D091009C-83E6-4299-BA07-07E4698F1FFB}.exe	31
PID 2144 wrote to memory of 2584	2144	{A567D4BE-8E88-4534-8C04-4CCF00B24B69}.exe	32
PID 2144 wrote to memory of 2584	2144	{A567D4BE-8E88-4534-8C04-4CCF00B24B69}.exe	32
PID 2144 wrote to memory of 2584	2144	{A567D4BE-8E88-4534-8C04-4CCF00B24B69}.exe	32
PID 2144 wrote to memory of 2584	2144	{A567D4BE-8E88-4534-8C04-4CCF00B24B69}.exe	32
PID 2144 wrote to memory of 2416	2144	{A567D4BE-8E88-4534-8C04-4CCF00B24B69}.exe	33
PID 2144 wrote to memory of 2416	2144	{A567D4BE-8E88-4534-8C04-4CCF00B24B69}.exe	33
PID 2144 wrote to memory of 2416	2144	{A567D4BE-8E88-4534-8C04-4CCF00B24B69}.exe	33
PID 2144 wrote to memory of 2416	2144	{A567D4BE-8E88-4534-8C04-4CCF00B24B69}.exe	33
PID 2584 wrote to memory of 2848	2584	{B9748B42-EF67-493a-9363-9E3A8301BFE5}.exe	36
PID 2584 wrote to memory of 2848	2584	{B9748B42-EF67-493a-9363-9E3A8301BFE5}.exe	36
PID 2584 wrote to memory of 2848	2584	{B9748B42-EF67-493a-9363-9E3A8301BFE5}.exe	36
PID 2584 wrote to memory of 2848	2584	{B9748B42-EF67-493a-9363-9E3A8301BFE5}.exe	36
PID 2584 wrote to memory of 2900	2584	{B9748B42-EF67-493a-9363-9E3A8301BFE5}.exe	37
PID 2584 wrote to memory of 2900	2584	{B9748B42-EF67-493a-9363-9E3A8301BFE5}.exe	37
PID 2584 wrote to memory of 2900	2584	{B9748B42-EF67-493a-9363-9E3A8301BFE5}.exe	37
PID 2584 wrote to memory of 2900	2584	{B9748B42-EF67-493a-9363-9E3A8301BFE5}.exe	37
PID 2848 wrote to memory of 1684	2848	{E7E711D4-B68C-47eb-88E8-AD96F14A9A62}.exe	38
PID 2848 wrote to memory of 1684	2848	{E7E711D4-B68C-47eb-88E8-AD96F14A9A62}.exe	38
PID 2848 wrote to memory of 1684	2848	{E7E711D4-B68C-47eb-88E8-AD96F14A9A62}.exe	38
PID 2848 wrote to memory of 1684	2848	{E7E711D4-B68C-47eb-88E8-AD96F14A9A62}.exe	38
PID 2848 wrote to memory of 2080	2848	{E7E711D4-B68C-47eb-88E8-AD96F14A9A62}.exe	39
PID 2848 wrote to memory of 2080	2848	{E7E711D4-B68C-47eb-88E8-AD96F14A9A62}.exe	39
PID 2848 wrote to memory of 2080	2848	{E7E711D4-B68C-47eb-88E8-AD96F14A9A62}.exe	39
PID 2848 wrote to memory of 2080	2848	{E7E711D4-B68C-47eb-88E8-AD96F14A9A62}.exe	39
PID 1684 wrote to memory of 2636	1684	{1C928729-B814-44d9-8E39-12190752B077}.exe	40
PID 1684 wrote to memory of 2636	1684	{1C928729-B814-44d9-8E39-12190752B077}.exe	40
PID 1684 wrote to memory of 2636	1684	{1C928729-B814-44d9-8E39-12190752B077}.exe	40
PID 1684 wrote to memory of 2636	1684	{1C928729-B814-44d9-8E39-12190752B077}.exe	40
PID 1684 wrote to memory of 2736	1684	{1C928729-B814-44d9-8E39-12190752B077}.exe	41
PID 1684 wrote to memory of 2736	1684	{1C928729-B814-44d9-8E39-12190752B077}.exe	41
PID 1684 wrote to memory of 2736	1684	{1C928729-B814-44d9-8E39-12190752B077}.exe	41
PID 1684 wrote to memory of 2736	1684	{1C928729-B814-44d9-8E39-12190752B077}.exe	41
PID 2636 wrote to memory of 2780	2636	{28F813F7-69F9-4473-9D02-8B037A6DBCB2}.exe	42
PID 2636 wrote to memory of 2780	2636	{28F813F7-69F9-4473-9D02-8B037A6DBCB2}.exe	42
PID 2636 wrote to memory of 2780	2636	{28F813F7-69F9-4473-9D02-8B037A6DBCB2}.exe	42
PID 2636 wrote to memory of 2780	2636	{28F813F7-69F9-4473-9D02-8B037A6DBCB2}.exe	42
PID 2636 wrote to memory of 2856	2636	{28F813F7-69F9-4473-9D02-8B037A6DBCB2}.exe	43
PID 2636 wrote to memory of 2856	2636	{28F813F7-69F9-4473-9D02-8B037A6DBCB2}.exe	43
PID 2636 wrote to memory of 2856	2636	{28F813F7-69F9-4473-9D02-8B037A6DBCB2}.exe	43
PID 2636 wrote to memory of 2856	2636	{28F813F7-69F9-4473-9D02-8B037A6DBCB2}.exe	43
PID 2780 wrote to memory of 468	2780	{E46C9F3F-024C-457b-9558-297335AE1E9B}.exe	44
PID 2780 wrote to memory of 468	2780	{E46C9F3F-024C-457b-9558-297335AE1E9B}.exe	44
PID 2780 wrote to memory of 468	2780	{E46C9F3F-024C-457b-9558-297335AE1E9B}.exe	44
PID 2780 wrote to memory of 468	2780	{E46C9F3F-024C-457b-9558-297335AE1E9B}.exe	44
PID 2780 wrote to memory of 1516	2780	{E46C9F3F-024C-457b-9558-297335AE1E9B}.exe	45
PID 2780 wrote to memory of 1516	2780	{E46C9F3F-024C-457b-9558-297335AE1E9B}.exe	45
PID 2780 wrote to memory of 1516	2780	{E46C9F3F-024C-457b-9558-297335AE1E9B}.exe	45
PID 2780 wrote to memory of 1516	2780	{E46C9F3F-024C-457b-9558-297335AE1E9B}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-03-06_a8d275e7a50eb7097f1fd84da1f8548f_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-06_a8d275e7a50eb7097f1fd84da1f8548f_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1368
- C:\Windows\{D091009C-83E6-4299-BA07-07E4698F1FFB}.exe
  C:\Windows\{D091009C-83E6-4299-BA07-07E4698F1FFB}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2564
- - C:\Windows\{A567D4BE-8E88-4534-8C04-4CCF00B24B69}.exe
    C:\Windows\{A567D4BE-8E88-4534-8C04-4CCF00B24B69}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2144
  - - C:\Windows\{B9748B42-EF67-493a-9363-9E3A8301BFE5}.exe
      C:\Windows\{B9748B42-EF67-493a-9363-9E3A8301BFE5}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2584
    - - C:\Windows\{E7E711D4-B68C-47eb-88E8-AD96F14A9A62}.exe
        
        C:\Windows\{E7E711D4-B68C-47eb-88E8-AD96F14A9A62}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2848
      - C:\Windows\{1C928729-B814-44d9-8E39-12190752B077}.exe
        
        C:\Windows\{1C928729-B814-44d9-8E39-12190752B077}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1684
        
        C:\Windows\{28F813F7-69F9-4473-9D02-8B037A6DBCB2}.exe
        
        C:\Windows\{28F813F7-69F9-4473-9D02-8B037A6DBCB2}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2636
        
        C:\Windows\{E46C9F3F-024C-457b-9558-297335AE1E9B}.exe
        
        C:\Windows\{E46C9F3F-024C-457b-9558-297335AE1E9B}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2780
        
        C:\Windows\{F0B88FD5-693E-4bad-9151-A9D228580765}.exe
        
        C:\Windows\{F0B88FD5-693E-4bad-9151-A9D228580765}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:468
        
        C:\Windows\{6CBA4327-4394-41d8-B1D3-FBD14DE0B83A}.exe
        
        C:\Windows\{6CBA4327-4394-41d8-B1D3-FBD14DE0B83A}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2128
        
        C:\Windows\{A2DFA403-EB0F-4046-8AFD-C5592436272D}.exe
        
        C:\Windows\{A2DFA403-EB0F-4046-8AFD-C5592436272D}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2384
        
        C:\Windows\{CE44749E-31E5-4057-AE06-8FC6629EF640}.exe
        
        C:\Windows\{CE44749E-31E5-4057-AE06-8FC6629EF640}.exe
        12⤵
        Executes dropped EXE
        
        PID:1904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A2DFA~1.EXE > nul
        12⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6CBA4~1.EXE > nul
        11⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F0B88~1.EXE > nul
        10⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E46C9~1.EXE > nul
        9⤵
        
        PID:1516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{28F81~1.EXE > nul
        8⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1C928~1.EXE > nul
        7⤵
        
        PID:2736
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E7E71~1.EXE > nul
        6⤵
        
        PID:2080
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B9748~1.EXE > nul
        5⤵
        
        PID:2900
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{A567D~1.EXE > nul
      4⤵
      PID:2416
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{D0910~1.EXE > nul
    3⤵
    PID:1628
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1C928729-B814-44d9-8E39-12190752B077}.exe

Filesize
372KB

MD5
73c902e58c74546cd5b2430738eebff9

SHA1
6e11da176a5b330d2c7fa85dec1f2abcd00a0fe5

SHA256
d0865e7610e68572d006fd99830f1df7a9059b5143f3f12d0f057d2914453e74

SHA512
4af1149439ec8f00c5c571bbb2f337739561a53566792ecbfb2d93b582f7ed0b0db89d0f2d78357d7a70668fe6113c896bb9e8dbf99d4420ed5be127455952d2

Download Submit
C:\Windows\{28F813F7-69F9-4473-9D02-8B037A6DBCB2}.exe

Filesize
372KB

MD5
b95670e052eb23e85bb4fe4104d17530

SHA1
898fe575bc5f96d39c8080aac42133977c562806

SHA256
c1cb3e2d3e3fb7a49236f36791d6fa80142bda53f57e4991d5a6a7bad6e61fd2

SHA512
a595ce9c8eb2332059b93bef75a1161306e5ffe4d4e43a7b38ddc2063044f710b6aebad1b80f5edb480df0adb05b5731b647d19afcaf8ac48230e14e84a512f2

Download Submit
C:\Windows\{6CBA4327-4394-41d8-B1D3-FBD14DE0B83A}.exe

Filesize
372KB

MD5
d3d04f53c99a8ac625754b4a9271a964

SHA1
2953d628b6714b54c44bfdc12a0b2ca528329d47

SHA256
bc2e98340f432690da0fb4a4fb20168940b8aea9ceb53aee3d109615f55260a4

SHA512
232078df7b9ff259954e72d74f709e37a41793db565feff8080135a852add6358a4cfd041c8daa407137d845ca609c1598260a2acca69d6e4659e1f8f2c67ad8

Download Submit
C:\Windows\{A2DFA403-EB0F-4046-8AFD-C5592436272D}.exe

Filesize
372KB

MD5
ca5d93b7431a2af9eb340a8d89770884

SHA1
2b069d18354f798ddec854dc1b8d8a2e7b9e1d23

SHA256
66ebad9faa8dce17527605bd564327c391b9c1d9ed57429f964e1e91bce9c09b

SHA512
c1b66d9f11a56be0511a6a596701320932c7b373ee69344fa6f11c1bdcb3dfa6bd5a8250a180b8e50a4bb764ac97f2adeda2e443a1ab5d6817373e0997e47c9c

Download Submit
C:\Windows\{A567D4BE-8E88-4534-8C04-4CCF00B24B69}.exe

Filesize
372KB

MD5
edd64940c7fe6bdc3cae904a97cad5be

SHA1
a7b15a40dfc25b0acce48405d7cfe1e95ab4704c

SHA256
58c2f6c6bed166c677bc1438a886144f467c340101138c89eda72188339d07af

SHA512
ccc98a0d3780a5ed7e2018f437d6de8974453cc0643848dcfcb142bfdbfe8862aea3341e9d88b55b93d62a4d820b409d2c5ddb771b47654049c390bcc50678ef

Download Submit
C:\Windows\{B9748B42-EF67-493a-9363-9E3A8301BFE5}.exe

Filesize
372KB

MD5
b8746a0797aeaa25bffc1e2a20602310

SHA1
3222fb332d45262cb2bd093266705cb05c48d4d4

SHA256
b46a6943ee67b8234816cccb4ee5d9dc78c325bbdc3a1512d623400484ba2754

SHA512
15f585aebb66063a964f8dfc55add50d04073a527c2f37f3f0e0c8863664d3828237116f02ea036c3408b5dde1c6c2c306dcb31aa8d1fc2c934de6710e17e234

Download Submit
C:\Windows\{CE44749E-31E5-4057-AE06-8FC6629EF640}.exe

Filesize
372KB

MD5
e5ba6a57d894ed7fe055954d768cdcf1

SHA1
41941a8b394d0ea129bf4df009576690f13f32e9

SHA256
62e4030a25fe6da23aa304e1b5a544cb1d50c518768618b881488c9c104180ca

SHA512
25871fa7d0f29c6a6df0569e8a0b7624a12f8874e50b78a7d18d7b7c156bd5b4dd6a0ed12e6a3b9c8971d745c3771847af9f9e1e1ba446b4135d0f8f2697a25c

Download Submit
C:\Windows\{D091009C-83E6-4299-BA07-07E4698F1FFB}.exe

Filesize
372KB

MD5
8aeddd5b3618e29284252ee17ded5999

SHA1
36432d2c5c8e53f2fe87730826082db4ba124aa5

SHA256
6685803932fe329f537ab6d7adf6684abfeea2312c94b0d7a23417de559ed109

SHA512
75d66fb72d0ca4d72e15ecbdc0af58d54f01aef9ce6480a18430f310174392c42ce01ec99b5c6c597f0fc034387977999d2e6c825016354b1f5139a27e85f684

Download Submit
C:\Windows\{E46C9F3F-024C-457b-9558-297335AE1E9B}.exe

Filesize
372KB

MD5
2e2bf19cf17d9981a12cc43840b9bfe4

SHA1
f2ac1da53d23659706f69cd08203a85c0cb74679

SHA256
91925aeba192c92a0efc2a2787619637a9fb3c9422842d752aa58cb3d439fde6

SHA512
52ffaba7e7756b23edd041e967215be50087ce4345933d4312e1f7b63dafc37b195c67520f231d5e03c706f5969fc525bbb734bded56116162d7f97d5c696d96

Download Submit
C:\Windows\{E7E711D4-B68C-47eb-88E8-AD96F14A9A62}.exe

Filesize
372KB

MD5
6fcd1a925fe94403a6792588654805fd

SHA1
0514714161048198f7e388be78302de5c3d8490e

SHA256
e88390207d813176920a79db4f7a324a00da644b6b5221dee6edbbc6c0439806

SHA512
63418bedafba142bda82307ef63d67eeeca21e4765a6a57317b6cecc32d48600aaa33b8378d6a6a56128649a3b0b376dc77694624183054e26a79a18003fe8a0

Download Submit
C:\Windows\{F0B88FD5-693E-4bad-9151-A9D228580765}.exe

Filesize
372KB

MD5
ccc87a0865ae2ac1f852c60912b9bc33

SHA1
e396e9ac59f230179d486fd3b47961bdf219e3a6

SHA256
60f63dcb5eff0b3f547245aa5b1c9551fba21989b9c516cdc297e0888e6586fa

SHA512
5b7fcaefb7a520699e5b2ee00d28bc3425bb14b2d0a3ffc77c1762e71da40da1569cd769dfbb06e4a047e96b19c1a0b8f04a552844d9f41d1b15d92a5d116271

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads