6161667d6c524900e1e80e39b8f80ca9e096baba50e3a275cb1f1e95b03f8af5

Analysis

max time kernel
144s
max time network
118s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
08/03/2024, 19:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-08_0f1a1c037ae7b55f6a8cd6c77b65627c_goldeneye.exe
Size

197KB
MD5

0f1a1c037ae7b55f6a8cd6c77b65627c
SHA1

77541e8cb53e000c036f062e8b713ae285c18cc3
SHA256

6161667d6c524900e1e80e39b8f80ca9e096baba50e3a275cb1f1e95b03f8af5
SHA512

18a7985b6bfa09771b9c481c25673a2b2f0d0333f2e687adc86a324f4891e863e07f48fb1305c6f2e6944e76c9adf70b8c8207b90ccb55773c56293c73687c16
SSDEEP

3072:jEGh0orl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEG9lEeKcAEca

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral1/files/0x000a000000012255-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b000000015ca5-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b000000012255-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0033000000015cec-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000012255-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000012255-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-62.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e000000012255-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8F17286E-724C-447f-BA55-EDC10D9DAF8B}	{16F8445D-B5D0-48b4-831F-3DFBA3C00629}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DCE6CF71-5562-4533-91EA-30A607956713}	{4D41563B-5C65-48ec-97AC-6F2BA042F5A5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{12C422DE-FF5A-4844-978B-2856FDE76E99}\stubpath = "C:\\Windows\\{12C422DE-FF5A-4844-978B-2856FDE76E99}.exe"	{F221F1A5-7536-45d9-B139-1CFC77B4EAB7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EB3F0131-E6BE-4279-A0B2-CE34C4210DD4}\stubpath = "C:\\Windows\\{EB3F0131-E6BE-4279-A0B2-CE34C4210DD4}.exe"	{12C422DE-FF5A-4844-978B-2856FDE76E99}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1049DC88-B1B8-4ffb-8C48-E150463C6648}\stubpath = "C:\\Windows\\{1049DC88-B1B8-4ffb-8C48-E150463C6648}.exe"	{EB3F0131-E6BE-4279-A0B2-CE34C4210DD4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F221F1A5-7536-45d9-B139-1CFC77B4EAB7}	{DCE6CF71-5562-4533-91EA-30A607956713}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4D836E4C-37EF-4050-9076-E8A1B882A6D8}	{1049DC88-B1B8-4ffb-8C48-E150463C6648}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4D836E4C-37EF-4050-9076-E8A1B882A6D8}\stubpath = "C:\\Windows\\{4D836E4C-37EF-4050-9076-E8A1B882A6D8}.exe"	{1049DC88-B1B8-4ffb-8C48-E150463C6648}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{12C422DE-FF5A-4844-978B-2856FDE76E99}	{F221F1A5-7536-45d9-B139-1CFC77B4EAB7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1049DC88-B1B8-4ffb-8C48-E150463C6648}	{EB3F0131-E6BE-4279-A0B2-CE34C4210DD4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F6735E18-EA58-499c-B0E6-D1B69D722A0D}\stubpath = "C:\\Windows\\{F6735E18-EA58-499c-B0E6-D1B69D722A0D}.exe"	{4D836E4C-37EF-4050-9076-E8A1B882A6D8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8F17286E-724C-447f-BA55-EDC10D9DAF8B}\stubpath = "C:\\Windows\\{8F17286E-724C-447f-BA55-EDC10D9DAF8B}.exe"	{16F8445D-B5D0-48b4-831F-3DFBA3C00629}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5A339097-30A9-4040-94E1-95F7E0A110FC}	2024-03-08_0f1a1c037ae7b55f6a8cd6c77b65627c_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5A339097-30A9-4040-94E1-95F7E0A110FC}\stubpath = "C:\\Windows\\{5A339097-30A9-4040-94E1-95F7E0A110FC}.exe"	2024-03-08_0f1a1c037ae7b55f6a8cd6c77b65627c_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4D41563B-5C65-48ec-97AC-6F2BA042F5A5}	{5A339097-30A9-4040-94E1-95F7E0A110FC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F221F1A5-7536-45d9-B139-1CFC77B4EAB7}\stubpath = "C:\\Windows\\{F221F1A5-7536-45d9-B139-1CFC77B4EAB7}.exe"	{DCE6CF71-5562-4533-91EA-30A607956713}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{16F8445D-B5D0-48b4-831F-3DFBA3C00629}	{F6735E18-EA58-499c-B0E6-D1B69D722A0D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{16F8445D-B5D0-48b4-831F-3DFBA3C00629}\stubpath = "C:\\Windows\\{16F8445D-B5D0-48b4-831F-3DFBA3C00629}.exe"	{F6735E18-EA58-499c-B0E6-D1B69D722A0D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4D41563B-5C65-48ec-97AC-6F2BA042F5A5}\stubpath = "C:\\Windows\\{4D41563B-5C65-48ec-97AC-6F2BA042F5A5}.exe"	{5A339097-30A9-4040-94E1-95F7E0A110FC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DCE6CF71-5562-4533-91EA-30A607956713}\stubpath = "C:\\Windows\\{DCE6CF71-5562-4533-91EA-30A607956713}.exe"	{4D41563B-5C65-48ec-97AC-6F2BA042F5A5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EB3F0131-E6BE-4279-A0B2-CE34C4210DD4}	{12C422DE-FF5A-4844-978B-2856FDE76E99}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F6735E18-EA58-499c-B0E6-D1B69D722A0D}	{4D836E4C-37EF-4050-9076-E8A1B882A6D8}.exe

Deletes itself 1 IoCs

pid	Process
2968	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2972	{5A339097-30A9-4040-94E1-95F7E0A110FC}.exe
2584	{4D41563B-5C65-48ec-97AC-6F2BA042F5A5}.exe
2888	{DCE6CF71-5562-4533-91EA-30A607956713}.exe
1956	{F221F1A5-7536-45d9-B139-1CFC77B4EAB7}.exe
2752	{12C422DE-FF5A-4844-978B-2856FDE76E99}.exe
2012	{EB3F0131-E6BE-4279-A0B2-CE34C4210DD4}.exe
2252	{1049DC88-B1B8-4ffb-8C48-E150463C6648}.exe
1608	{4D836E4C-37EF-4050-9076-E8A1B882A6D8}.exe
1280	{F6735E18-EA58-499c-B0E6-D1B69D722A0D}.exe
1708	{16F8445D-B5D0-48b4-831F-3DFBA3C00629}.exe
1504	{8F17286E-724C-447f-BA55-EDC10D9DAF8B}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{5A339097-30A9-4040-94E1-95F7E0A110FC}.exe	2024-03-08_0f1a1c037ae7b55f6a8cd6c77b65627c_goldeneye.exe
File created	C:\Windows\{EB3F0131-E6BE-4279-A0B2-CE34C4210DD4}.exe	{12C422DE-FF5A-4844-978B-2856FDE76E99}.exe
File created	C:\Windows\{1049DC88-B1B8-4ffb-8C48-E150463C6648}.exe	{EB3F0131-E6BE-4279-A0B2-CE34C4210DD4}.exe
File created	C:\Windows\{16F8445D-B5D0-48b4-831F-3DFBA3C00629}.exe	{F6735E18-EA58-499c-B0E6-D1B69D722A0D}.exe
File created	C:\Windows\{4D836E4C-37EF-4050-9076-E8A1B882A6D8}.exe	{1049DC88-B1B8-4ffb-8C48-E150463C6648}.exe
File created	C:\Windows\{F6735E18-EA58-499c-B0E6-D1B69D722A0D}.exe	{4D836E4C-37EF-4050-9076-E8A1B882A6D8}.exe
File created	C:\Windows\{8F17286E-724C-447f-BA55-EDC10D9DAF8B}.exe	{16F8445D-B5D0-48b4-831F-3DFBA3C00629}.exe
File created	C:\Windows\{4D41563B-5C65-48ec-97AC-6F2BA042F5A5}.exe	{5A339097-30A9-4040-94E1-95F7E0A110FC}.exe
File created	C:\Windows\{DCE6CF71-5562-4533-91EA-30A607956713}.exe	{4D41563B-5C65-48ec-97AC-6F2BA042F5A5}.exe
File created	C:\Windows\{F221F1A5-7536-45d9-B139-1CFC77B4EAB7}.exe	{DCE6CF71-5562-4533-91EA-30A607956713}.exe
File created	C:\Windows\{12C422DE-FF5A-4844-978B-2856FDE76E99}.exe	{F221F1A5-7536-45d9-B139-1CFC77B4EAB7}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2196	2024-03-08_0f1a1c037ae7b55f6a8cd6c77b65627c_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2972	{5A339097-30A9-4040-94E1-95F7E0A110FC}.exe
Token: SeIncBasePriorityPrivilege	2584	{4D41563B-5C65-48ec-97AC-6F2BA042F5A5}.exe
Token: SeIncBasePriorityPrivilege	2888	{DCE6CF71-5562-4533-91EA-30A607956713}.exe
Token: SeIncBasePriorityPrivilege	1956	{F221F1A5-7536-45d9-B139-1CFC77B4EAB7}.exe
Token: SeIncBasePriorityPrivilege	2752	{12C422DE-FF5A-4844-978B-2856FDE76E99}.exe
Token: SeIncBasePriorityPrivilege	2012	{EB3F0131-E6BE-4279-A0B2-CE34C4210DD4}.exe
Token: SeIncBasePriorityPrivilege	2252	{1049DC88-B1B8-4ffb-8C48-E150463C6648}.exe
Token: SeIncBasePriorityPrivilege	1608	{4D836E4C-37EF-4050-9076-E8A1B882A6D8}.exe
Token: SeIncBasePriorityPrivilege	1280	{F6735E18-EA58-499c-B0E6-D1B69D722A0D}.exe
Token: SeIncBasePriorityPrivilege	1708	{16F8445D-B5D0-48b4-831F-3DFBA3C00629}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2196 wrote to memory of 2972	2196	2024-03-08_0f1a1c037ae7b55f6a8cd6c77b65627c_goldeneye.exe	28
PID 2196 wrote to memory of 2972	2196	2024-03-08_0f1a1c037ae7b55f6a8cd6c77b65627c_goldeneye.exe	28
PID 2196 wrote to memory of 2972	2196	2024-03-08_0f1a1c037ae7b55f6a8cd6c77b65627c_goldeneye.exe	28
PID 2196 wrote to memory of 2972	2196	2024-03-08_0f1a1c037ae7b55f6a8cd6c77b65627c_goldeneye.exe	28
PID 2196 wrote to memory of 2968	2196	2024-03-08_0f1a1c037ae7b55f6a8cd6c77b65627c_goldeneye.exe	29
PID 2196 wrote to memory of 2968	2196	2024-03-08_0f1a1c037ae7b55f6a8cd6c77b65627c_goldeneye.exe	29
PID 2196 wrote to memory of 2968	2196	2024-03-08_0f1a1c037ae7b55f6a8cd6c77b65627c_goldeneye.exe	29
PID 2196 wrote to memory of 2968	2196	2024-03-08_0f1a1c037ae7b55f6a8cd6c77b65627c_goldeneye.exe	29
PID 2972 wrote to memory of 2584	2972	{5A339097-30A9-4040-94E1-95F7E0A110FC}.exe	30
PID 2972 wrote to memory of 2584	2972	{5A339097-30A9-4040-94E1-95F7E0A110FC}.exe	30
PID 2972 wrote to memory of 2584	2972	{5A339097-30A9-4040-94E1-95F7E0A110FC}.exe	30
PID 2972 wrote to memory of 2584	2972	{5A339097-30A9-4040-94E1-95F7E0A110FC}.exe	30
PID 2972 wrote to memory of 2444	2972	{5A339097-30A9-4040-94E1-95F7E0A110FC}.exe	31
PID 2972 wrote to memory of 2444	2972	{5A339097-30A9-4040-94E1-95F7E0A110FC}.exe	31
PID 2972 wrote to memory of 2444	2972	{5A339097-30A9-4040-94E1-95F7E0A110FC}.exe	31
PID 2972 wrote to memory of 2444	2972	{5A339097-30A9-4040-94E1-95F7E0A110FC}.exe	31
PID 2584 wrote to memory of 2888	2584	{4D41563B-5C65-48ec-97AC-6F2BA042F5A5}.exe	32
PID 2584 wrote to memory of 2888	2584	{4D41563B-5C65-48ec-97AC-6F2BA042F5A5}.exe	32
PID 2584 wrote to memory of 2888	2584	{4D41563B-5C65-48ec-97AC-6F2BA042F5A5}.exe	32
PID 2584 wrote to memory of 2888	2584	{4D41563B-5C65-48ec-97AC-6F2BA042F5A5}.exe	32
PID 2584 wrote to memory of 2604	2584	{4D41563B-5C65-48ec-97AC-6F2BA042F5A5}.exe	33
PID 2584 wrote to memory of 2604	2584	{4D41563B-5C65-48ec-97AC-6F2BA042F5A5}.exe	33
PID 2584 wrote to memory of 2604	2584	{4D41563B-5C65-48ec-97AC-6F2BA042F5A5}.exe	33
PID 2584 wrote to memory of 2604	2584	{4D41563B-5C65-48ec-97AC-6F2BA042F5A5}.exe	33
PID 2888 wrote to memory of 1956	2888	{DCE6CF71-5562-4533-91EA-30A607956713}.exe	36
PID 2888 wrote to memory of 1956	2888	{DCE6CF71-5562-4533-91EA-30A607956713}.exe	36
PID 2888 wrote to memory of 1956	2888	{DCE6CF71-5562-4533-91EA-30A607956713}.exe	36
PID 2888 wrote to memory of 1956	2888	{DCE6CF71-5562-4533-91EA-30A607956713}.exe	36
PID 2888 wrote to memory of 2424	2888	{DCE6CF71-5562-4533-91EA-30A607956713}.exe	37
PID 2888 wrote to memory of 2424	2888	{DCE6CF71-5562-4533-91EA-30A607956713}.exe	37
PID 2888 wrote to memory of 2424	2888	{DCE6CF71-5562-4533-91EA-30A607956713}.exe	37
PID 2888 wrote to memory of 2424	2888	{DCE6CF71-5562-4533-91EA-30A607956713}.exe	37
PID 1956 wrote to memory of 2752	1956	{F221F1A5-7536-45d9-B139-1CFC77B4EAB7}.exe	38
PID 1956 wrote to memory of 2752	1956	{F221F1A5-7536-45d9-B139-1CFC77B4EAB7}.exe	38
PID 1956 wrote to memory of 2752	1956	{F221F1A5-7536-45d9-B139-1CFC77B4EAB7}.exe	38
PID 1956 wrote to memory of 2752	1956	{F221F1A5-7536-45d9-B139-1CFC77B4EAB7}.exe	38
PID 1956 wrote to memory of 2256	1956	{F221F1A5-7536-45d9-B139-1CFC77B4EAB7}.exe	39
PID 1956 wrote to memory of 2256	1956	{F221F1A5-7536-45d9-B139-1CFC77B4EAB7}.exe	39
PID 1956 wrote to memory of 2256	1956	{F221F1A5-7536-45d9-B139-1CFC77B4EAB7}.exe	39
PID 1956 wrote to memory of 2256	1956	{F221F1A5-7536-45d9-B139-1CFC77B4EAB7}.exe	39
PID 2752 wrote to memory of 2012	2752	{12C422DE-FF5A-4844-978B-2856FDE76E99}.exe	40
PID 2752 wrote to memory of 2012	2752	{12C422DE-FF5A-4844-978B-2856FDE76E99}.exe	40
PID 2752 wrote to memory of 2012	2752	{12C422DE-FF5A-4844-978B-2856FDE76E99}.exe	40
PID 2752 wrote to memory of 2012	2752	{12C422DE-FF5A-4844-978B-2856FDE76E99}.exe	40
PID 2752 wrote to memory of 320	2752	{12C422DE-FF5A-4844-978B-2856FDE76E99}.exe	41
PID 2752 wrote to memory of 320	2752	{12C422DE-FF5A-4844-978B-2856FDE76E99}.exe	41
PID 2752 wrote to memory of 320	2752	{12C422DE-FF5A-4844-978B-2856FDE76E99}.exe	41
PID 2752 wrote to memory of 320	2752	{12C422DE-FF5A-4844-978B-2856FDE76E99}.exe	41
PID 2012 wrote to memory of 2252	2012	{EB3F0131-E6BE-4279-A0B2-CE34C4210DD4}.exe	42
PID 2012 wrote to memory of 2252	2012	{EB3F0131-E6BE-4279-A0B2-CE34C4210DD4}.exe	42
PID 2012 wrote to memory of 2252	2012	{EB3F0131-E6BE-4279-A0B2-CE34C4210DD4}.exe	42
PID 2012 wrote to memory of 2252	2012	{EB3F0131-E6BE-4279-A0B2-CE34C4210DD4}.exe	42
PID 2012 wrote to memory of 1452	2012	{EB3F0131-E6BE-4279-A0B2-CE34C4210DD4}.exe	43
PID 2012 wrote to memory of 1452	2012	{EB3F0131-E6BE-4279-A0B2-CE34C4210DD4}.exe	43
PID 2012 wrote to memory of 1452	2012	{EB3F0131-E6BE-4279-A0B2-CE34C4210DD4}.exe	43
PID 2012 wrote to memory of 1452	2012	{EB3F0131-E6BE-4279-A0B2-CE34C4210DD4}.exe	43
PID 2252 wrote to memory of 1608	2252	{1049DC88-B1B8-4ffb-8C48-E150463C6648}.exe	44
PID 2252 wrote to memory of 1608	2252	{1049DC88-B1B8-4ffb-8C48-E150463C6648}.exe	44
PID 2252 wrote to memory of 1608	2252	{1049DC88-B1B8-4ffb-8C48-E150463C6648}.exe	44
PID 2252 wrote to memory of 1608	2252	{1049DC88-B1B8-4ffb-8C48-E150463C6648}.exe	44
PID 2252 wrote to memory of 1704	2252	{1049DC88-B1B8-4ffb-8C48-E150463C6648}.exe	45
PID 2252 wrote to memory of 1704	2252	{1049DC88-B1B8-4ffb-8C48-E150463C6648}.exe	45
PID 2252 wrote to memory of 1704	2252	{1049DC88-B1B8-4ffb-8C48-E150463C6648}.exe	45
PID 2252 wrote to memory of 1704	2252	{1049DC88-B1B8-4ffb-8C48-E150463C6648}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-03-08_0f1a1c037ae7b55f6a8cd6c77b65627c_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-08_0f1a1c037ae7b55f6a8cd6c77b65627c_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2196
- C:\Windows\{5A339097-30A9-4040-94E1-95F7E0A110FC}.exe
  C:\Windows\{5A339097-30A9-4040-94E1-95F7E0A110FC}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2972
- - C:\Windows\{4D41563B-5C65-48ec-97AC-6F2BA042F5A5}.exe
    C:\Windows\{4D41563B-5C65-48ec-97AC-6F2BA042F5A5}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2584
  - - C:\Windows\{DCE6CF71-5562-4533-91EA-30A607956713}.exe
      C:\Windows\{DCE6CF71-5562-4533-91EA-30A607956713}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2888
    - - C:\Windows\{F221F1A5-7536-45d9-B139-1CFC77B4EAB7}.exe
        
        C:\Windows\{F221F1A5-7536-45d9-B139-1CFC77B4EAB7}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1956
      - C:\Windows\{12C422DE-FF5A-4844-978B-2856FDE76E99}.exe
        
        C:\Windows\{12C422DE-FF5A-4844-978B-2856FDE76E99}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2752
        
        C:\Windows\{EB3F0131-E6BE-4279-A0B2-CE34C4210DD4}.exe
        
        C:\Windows\{EB3F0131-E6BE-4279-A0B2-CE34C4210DD4}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2012
        
        C:\Windows\{1049DC88-B1B8-4ffb-8C48-E150463C6648}.exe
        
        C:\Windows\{1049DC88-B1B8-4ffb-8C48-E150463C6648}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2252
        
        C:\Windows\{4D836E4C-37EF-4050-9076-E8A1B882A6D8}.exe
        
        C:\Windows\{4D836E4C-37EF-4050-9076-E8A1B882A6D8}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1608
        
        C:\Windows\{F6735E18-EA58-499c-B0E6-D1B69D722A0D}.exe
        
        C:\Windows\{F6735E18-EA58-499c-B0E6-D1B69D722A0D}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1280
        
        C:\Windows\{16F8445D-B5D0-48b4-831F-3DFBA3C00629}.exe
        
        C:\Windows\{16F8445D-B5D0-48b4-831F-3DFBA3C00629}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1708
        
        C:\Windows\{8F17286E-724C-447f-BA55-EDC10D9DAF8B}.exe
        
        C:\Windows\{8F17286E-724C-447f-BA55-EDC10D9DAF8B}.exe
        12⤵
        Executes dropped EXE
        
        PID:1504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{16F84~1.EXE > nul
        12⤵
        
        PID:1116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F6735~1.EXE > nul
        11⤵
        
        PID:564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4D836~1.EXE > nul
        10⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1049D~1.EXE > nul
        9⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EB3F0~1.EXE > nul
        8⤵
        
        PID:1452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{12C42~1.EXE > nul
        7⤵
        
        PID:320
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F221F~1.EXE > nul
        6⤵
        
        PID:2256
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DCE6C~1.EXE > nul
        5⤵
        
        PID:2424
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{4D415~1.EXE > nul
      4⤵
      PID:2604
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{5A339~1.EXE > nul
    3⤵
    PID:2444
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1049DC88-B1B8-4ffb-8C48-E150463C6648}.exe

Filesize
197KB

MD5
332e1d5a78475f53356f203da87d0ebe

SHA1
fa6eb730c1381132527eed50351701e2ed7c859f

SHA256
1d92bf986ff283bd2f09f9998277439c345b4deef94a192f23ecd3516db1b211

SHA512
d380095c2302787fad3028ba1a32741cf29549b76e3fd3445e78bfcc3ce51cdf7ab91c26235733e89386b47291591eab7af067c712f181ab3617f795e34b2a3d

Download Submit
C:\Windows\{12C422DE-FF5A-4844-978B-2856FDE76E99}.exe

Filesize
197KB

MD5
01fdfc6980fa5ca4225df2ef02a6d00e

SHA1
25b90d1dc9bb4cb7278d38b45d762706b850fb62

SHA256
ba779119c8f48e5475a794cb4c1ebb949eee3dc9ae5c4e60822ebb48186ee014

SHA512
4c3c9c24c100ad7c577e4caf9ac1bdcadbb029e913a0e4514ad54d48bd2a298b6c91e7fc5d04dfdc0466ce6ab64104fbeaca69b6c5a72a498bb703c8df6595d2

Download Submit
C:\Windows\{16F8445D-B5D0-48b4-831F-3DFBA3C00629}.exe

Filesize
197KB

MD5
e3922f0706c91234fe7d800cd57c2b2d

SHA1
230a4f9c6787690c833a96b69f365f26c14a2e5b

SHA256
4b5e1e11296115fc97e91e507723f6ef8be4fed81e9c9d1be979fbcc9cb8eab6

SHA512
3952510a00b4a2662c1e3c4a61672a355259e53684c9999575fb6998bc13aa8848da4adcb8d09ecbbf685d09fe6b0fd1c8f1df2422d5980e17f80ea0658ea568

Download Submit
C:\Windows\{4D41563B-5C65-48ec-97AC-6F2BA042F5A5}.exe

Filesize
197KB

MD5
c0eda94ab0d525ca327e9acf154bf593

SHA1
89542eaba6cd66ed0aecabf4d913c62c8d341b09

SHA256
c92556cdecff7ea0bc04237fa72b1ad555ca87151027b73612c2f8a3de7bf8b5

SHA512
aa3192ec95f8470c0dffdd5cce0cf50dbf595d8d46af3168335918816110607597178755e125b3d2c7a24b9d7d3dfd07e9e2bd3706b678bf7ed4b9b5c1e9b4ea

Download Submit
C:\Windows\{4D836E4C-37EF-4050-9076-E8A1B882A6D8}.exe

Filesize
197KB

MD5
6f0c3c1ca219c144dfb7679b94ab4e40

SHA1
1746229b83c48b8a6a41c7b5181aa64ba42f92fa

SHA256
2097aeae6f1f0875100c3254a56f30372d4c126c434469f97be1cfdd9e8837c8

SHA512
0a120793c63208a7485557c50018be081e2b6182b357feffbf47f58d7feeb0ddf3b8bc7dcd4c5401d1c366a65b8e855353b4b99d5eb8a43c4f41b745d3004ab9

Download Submit
C:\Windows\{5A339097-30A9-4040-94E1-95F7E0A110FC}.exe

Filesize
197KB

MD5
16d2d80ceb571040d655d281a1fbe40a

SHA1
3dbdf5cc9ec5da1828531397eae73ad8257c3a5b

SHA256
1d7330f2e38ba08f308b5936015af75c96bd571cde6c91b58012b02e28f72c6b

SHA512
4cb5de767a1051569369506fb484551bbd595f56c20ac89541a16988cc0b0974767406419cc9bd35f584c04796e410b59fa2cc8277f0848845bf4f9968bf7670

Download Submit
C:\Windows\{8F17286E-724C-447f-BA55-EDC10D9DAF8B}.exe

Filesize
197KB

MD5
1a417ace26e0635836b9debcf6657712

SHA1
eaf67327f028d9405d9d93c0c18fa217b38079cb

SHA256
5cbcd2ef682097775b04e88e7da42272773cd1756f0f2b9683594a1546b1d9ca

SHA512
683fbfd1ea3c351be4cd08e1eb9ae751b863b8e425f748117a8c1ef1397de2ecff2078b9f9c554147d3210489e368f941db5d34f0ceef0caaf3cc934268f358d

Download Submit
C:\Windows\{DCE6CF71-5562-4533-91EA-30A607956713}.exe

Filesize
197KB

MD5
d49a3ab1d0fd34f3615c76cba15fcddd

SHA1
574bb9bb217445548e599fab43ea42530feb2f19

SHA256
4797b3d582992ff9cf57d3081cff6614fe71ba4572bc31557f15d05e6d4bb96d

SHA512
91d23fb0e715ccd1c95488152d8a362582a8801f1f69869b33aad9994e2c54a1aa63c61a036765f733b24f2ce9ae1a42d7862826a555b43f0815a998effc69d0

Download Submit
C:\Windows\{EB3F0131-E6BE-4279-A0B2-CE34C4210DD4}.exe

Filesize
197KB

MD5
72302cf2df0502ee8140a93e6421708c

SHA1
8f64d980c349da9cb068c5c2d620b9141ff65e89

SHA256
99fec563c589f259d8054316db04a4090523ab3d33444b10e7bc11b86c262f5a

SHA512
0ba9ee484a83b8f365ef43c9779d6a8145e94d1f39cfa4846390b25822e3f5663aead77db782ed838ac944d93ca62aacc920fbc828bca4437fccdf7f0b37bc66

Download Submit
C:\Windows\{F221F1A5-7536-45d9-B139-1CFC77B4EAB7}.exe

Filesize
197KB

MD5
3ad4c0842e813bdb7120266ffaca41cd

SHA1
9bd12ba4cc75f1c76c1681ac0af058e5e9a3c7a9

SHA256
cb9def9461c95c47a6a1af895312dfd547044c5a5f367a15c66fde021e48d450

SHA512
76680965469b433411ac1e8b0dea8a51b549a2ac1092a99bbe9f74e632fa3ec86da045dede87b779877286fb835bc2bd2e5af80a0f15372a978a008dc5a443c3

Download Submit
C:\Windows\{F6735E18-EA58-499c-B0E6-D1B69D722A0D}.exe

Filesize
197KB

MD5
454948e7ccda6a39e6e1d99ea64f99dd

SHA1
848c5dd3103ec1f18f0dd0c10442afaa3388c93f

SHA256
2adc2243756c7c88c506541319f4b4e820ec8f1a8345feb6c42180c0fcbeb3ed

SHA512
3de0c219497922b69b68640dc132785b6c51b33a42cfafdf70908d2f030f1405440329467ad85d9294e7ec0a507d555c40d121497ddcff07df432919c6800248

Download Submit
C:\Windows\{F6735E18-EA58-499c-B0E6-D1B69D722A0D}.exe

Filesize
186KB

MD5
73c74d00cf8dd4957f496eb5274f8383

SHA1
00d88f1f77d1916883104298024b005248d48f31

SHA256
22533f14a1da010e5b14fb106dde06f23b4d2a2dcfa42a5b88057c4144ddd3b4

SHA512
60687b330e16c253e6408d6ad100f89ec932d788bf3c1dfe7c9c4527540f8ae28ef571c790f539b34663d9e66d573d714037cbbb1a6e89fe2afbae1c1ad677de

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads