6ec5d25dbc6d6660a7e9198c4cc385fc1e4af5ff5d1b24e82ef68bad9790074c

Analysis

max time kernel
144s
max time network
120s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
09-03-2024 11:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-09_f505d3e7ca60e7462c7bebb3cc2e217f_goldeneye.exe
Size

408KB
MD5

f505d3e7ca60e7462c7bebb3cc2e217f
SHA1

f99e476cf714ac9b066fee8da25859f44bbf85b7
SHA256

6ec5d25dbc6d6660a7e9198c4cc385fc1e4af5ff5d1b24e82ef68bad9790074c
SHA512

9a0cda05ef092b71ef583e0630606ff19e7515782f0ff1997db1a360ccad964111add0d946c27bf95aff9992128e0fbf578533a60461dd298c7236a8d2b3873c
SSDEEP

3072:CEGh0oQl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGqldOe2MUVg3vTeKcAEciTBqr3jy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x0009000000012251-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b00000001439d-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0034000000016d58-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c00000001439d-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0035000000016d58-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0034000000016d62-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f000000016d6a-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0035000000016d62-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0010000000016d6a-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{90E11F7B-5F0B-4909-B57D-EE2F4C0DE68E}	{DB2B3C12-F90E-4e32-8E35-281161BEF370}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{90E11F7B-5F0B-4909-B57D-EE2F4C0DE68E}\stubpath = "C:\\Windows\\{90E11F7B-5F0B-4909-B57D-EE2F4C0DE68E}.exe"	{DB2B3C12-F90E-4e32-8E35-281161BEF370}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2BE22607-3050-4d8c-80B2-21F14B2498AD}	{90E11F7B-5F0B-4909-B57D-EE2F4C0DE68E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9F7FE461-7A5E-4a27-9DE1-0E84C71BA8E6}	{A3142727-8364-4a11-852C-281F239EBCF9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2D0AA762-5F6D-4efa-B637-6C0B5C7E2641}\stubpath = "C:\\Windows\\{2D0AA762-5F6D-4efa-B637-6C0B5C7E2641}.exe"	{9F7FE461-7A5E-4a27-9DE1-0E84C71BA8E6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2457622D-3D02-4009-A18A-DCC1B6931106}	2024-03-09_f505d3e7ca60e7462c7bebb3cc2e217f_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E9A2F675-122E-4c66-869B-A323D9071A7F}	{2457622D-3D02-4009-A18A-DCC1B6931106}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A396A956-4D20-4e7f-B58A-67D4D8CFC952}	{2D0AA762-5F6D-4efa-B637-6C0B5C7E2641}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A396A956-4D20-4e7f-B58A-67D4D8CFC952}\stubpath = "C:\\Windows\\{A396A956-4D20-4e7f-B58A-67D4D8CFC952}.exe"	{2D0AA762-5F6D-4efa-B637-6C0B5C7E2641}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{35842E2A-C2F9-4c2b-BEF6-0A87349C5740}\stubpath = "C:\\Windows\\{35842E2A-C2F9-4c2b-BEF6-0A87349C5740}.exe"	{A396A956-4D20-4e7f-B58A-67D4D8CFC952}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DB2B3C12-F90E-4e32-8E35-281161BEF370}\stubpath = "C:\\Windows\\{DB2B3C12-F90E-4e32-8E35-281161BEF370}.exe"	{E9A2F675-122E-4c66-869B-A323D9071A7F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2BE22607-3050-4d8c-80B2-21F14B2498AD}\stubpath = "C:\\Windows\\{2BE22607-3050-4d8c-80B2-21F14B2498AD}.exe"	{90E11F7B-5F0B-4909-B57D-EE2F4C0DE68E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5C5F32FF-700E-4c09-95A4-BC03A069D6F4}\stubpath = "C:\\Windows\\{5C5F32FF-700E-4c09-95A4-BC03A069D6F4}.exe"	{2BE22607-3050-4d8c-80B2-21F14B2498AD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A3142727-8364-4a11-852C-281F239EBCF9}	{5C5F32FF-700E-4c09-95A4-BC03A069D6F4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9F7FE461-7A5E-4a27-9DE1-0E84C71BA8E6}\stubpath = "C:\\Windows\\{9F7FE461-7A5E-4a27-9DE1-0E84C71BA8E6}.exe"	{A3142727-8364-4a11-852C-281F239EBCF9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2D0AA762-5F6D-4efa-B637-6C0B5C7E2641}	{9F7FE461-7A5E-4a27-9DE1-0E84C71BA8E6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{35842E2A-C2F9-4c2b-BEF6-0A87349C5740}	{A396A956-4D20-4e7f-B58A-67D4D8CFC952}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DB2B3C12-F90E-4e32-8E35-281161BEF370}	{E9A2F675-122E-4c66-869B-A323D9071A7F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5C5F32FF-700E-4c09-95A4-BC03A069D6F4}	{2BE22607-3050-4d8c-80B2-21F14B2498AD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A3142727-8364-4a11-852C-281F239EBCF9}\stubpath = "C:\\Windows\\{A3142727-8364-4a11-852C-281F239EBCF9}.exe"	{5C5F32FF-700E-4c09-95A4-BC03A069D6F4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2457622D-3D02-4009-A18A-DCC1B6931106}\stubpath = "C:\\Windows\\{2457622D-3D02-4009-A18A-DCC1B6931106}.exe"	2024-03-09_f505d3e7ca60e7462c7bebb3cc2e217f_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E9A2F675-122E-4c66-869B-A323D9071A7F}\stubpath = "C:\\Windows\\{E9A2F675-122E-4c66-869B-A323D9071A7F}.exe"	{2457622D-3D02-4009-A18A-DCC1B6931106}.exe

Deletes itself 1 IoCs

pid	Process
2652	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
3000	{2457622D-3D02-4009-A18A-DCC1B6931106}.exe
2536	{E9A2F675-122E-4c66-869B-A323D9071A7F}.exe
2524	{DB2B3C12-F90E-4e32-8E35-281161BEF370}.exe
664	{90E11F7B-5F0B-4909-B57D-EE2F4C0DE68E}.exe
1564	{2BE22607-3050-4d8c-80B2-21F14B2498AD}.exe
2752	{5C5F32FF-700E-4c09-95A4-BC03A069D6F4}.exe
1948	{A3142727-8364-4a11-852C-281F239EBCF9}.exe
1860	{9F7FE461-7A5E-4a27-9DE1-0E84C71BA8E6}.exe
2212	{2D0AA762-5F6D-4efa-B637-6C0B5C7E2641}.exe
2036	{A396A956-4D20-4e7f-B58A-67D4D8CFC952}.exe
1400	{35842E2A-C2F9-4c2b-BEF6-0A87349C5740}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{E9A2F675-122E-4c66-869B-A323D9071A7F}.exe	{2457622D-3D02-4009-A18A-DCC1B6931106}.exe
File created	C:\Windows\{90E11F7B-5F0B-4909-B57D-EE2F4C0DE68E}.exe	{DB2B3C12-F90E-4e32-8E35-281161BEF370}.exe
File created	C:\Windows\{5C5F32FF-700E-4c09-95A4-BC03A069D6F4}.exe	{2BE22607-3050-4d8c-80B2-21F14B2498AD}.exe
File created	C:\Windows\{A3142727-8364-4a11-852C-281F239EBCF9}.exe	{5C5F32FF-700E-4c09-95A4-BC03A069D6F4}.exe
File created	C:\Windows\{9F7FE461-7A5E-4a27-9DE1-0E84C71BA8E6}.exe	{A3142727-8364-4a11-852C-281F239EBCF9}.exe
File created	C:\Windows\{2D0AA762-5F6D-4efa-B637-6C0B5C7E2641}.exe	{9F7FE461-7A5E-4a27-9DE1-0E84C71BA8E6}.exe
File created	C:\Windows\{A396A956-4D20-4e7f-B58A-67D4D8CFC952}.exe	{2D0AA762-5F6D-4efa-B637-6C0B5C7E2641}.exe
File created	C:\Windows\{35842E2A-C2F9-4c2b-BEF6-0A87349C5740}.exe	{A396A956-4D20-4e7f-B58A-67D4D8CFC952}.exe
File created	C:\Windows\{2457622D-3D02-4009-A18A-DCC1B6931106}.exe	2024-03-09_f505d3e7ca60e7462c7bebb3cc2e217f_goldeneye.exe
File created	C:\Windows\{DB2B3C12-F90E-4e32-8E35-281161BEF370}.exe	{E9A2F675-122E-4c66-869B-A323D9071A7F}.exe
File created	C:\Windows\{2BE22607-3050-4d8c-80B2-21F14B2498AD}.exe	{90E11F7B-5F0B-4909-B57D-EE2F4C0DE68E}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2208	2024-03-09_f505d3e7ca60e7462c7bebb3cc2e217f_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3000	{2457622D-3D02-4009-A18A-DCC1B6931106}.exe
Token: SeIncBasePriorityPrivilege	2536	{E9A2F675-122E-4c66-869B-A323D9071A7F}.exe
Token: SeIncBasePriorityPrivilege	2524	{DB2B3C12-F90E-4e32-8E35-281161BEF370}.exe
Token: SeIncBasePriorityPrivilege	664	{90E11F7B-5F0B-4909-B57D-EE2F4C0DE68E}.exe
Token: SeIncBasePriorityPrivilege	1564	{2BE22607-3050-4d8c-80B2-21F14B2498AD}.exe
Token: SeIncBasePriorityPrivilege	2752	{5C5F32FF-700E-4c09-95A4-BC03A069D6F4}.exe
Token: SeIncBasePriorityPrivilege	1948	{A3142727-8364-4a11-852C-281F239EBCF9}.exe
Token: SeIncBasePriorityPrivilege	1860	{9F7FE461-7A5E-4a27-9DE1-0E84C71BA8E6}.exe
Token: SeIncBasePriorityPrivilege	2212	{2D0AA762-5F6D-4efa-B637-6C0B5C7E2641}.exe
Token: SeIncBasePriorityPrivilege	2036	{A396A956-4D20-4e7f-B58A-67D4D8CFC952}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2208 wrote to memory of 3000	2208	2024-03-09_f505d3e7ca60e7462c7bebb3cc2e217f_goldeneye.exe	28
PID 2208 wrote to memory of 3000	2208	2024-03-09_f505d3e7ca60e7462c7bebb3cc2e217f_goldeneye.exe	28
PID 2208 wrote to memory of 3000	2208	2024-03-09_f505d3e7ca60e7462c7bebb3cc2e217f_goldeneye.exe	28
PID 2208 wrote to memory of 3000	2208	2024-03-09_f505d3e7ca60e7462c7bebb3cc2e217f_goldeneye.exe	28
PID 2208 wrote to memory of 2652	2208	2024-03-09_f505d3e7ca60e7462c7bebb3cc2e217f_goldeneye.exe	29
PID 2208 wrote to memory of 2652	2208	2024-03-09_f505d3e7ca60e7462c7bebb3cc2e217f_goldeneye.exe	29
PID 2208 wrote to memory of 2652	2208	2024-03-09_f505d3e7ca60e7462c7bebb3cc2e217f_goldeneye.exe	29
PID 2208 wrote to memory of 2652	2208	2024-03-09_f505d3e7ca60e7462c7bebb3cc2e217f_goldeneye.exe	29
PID 3000 wrote to memory of 2536	3000	{2457622D-3D02-4009-A18A-DCC1B6931106}.exe	30
PID 3000 wrote to memory of 2536	3000	{2457622D-3D02-4009-A18A-DCC1B6931106}.exe	30
PID 3000 wrote to memory of 2536	3000	{2457622D-3D02-4009-A18A-DCC1B6931106}.exe	30
PID 3000 wrote to memory of 2536	3000	{2457622D-3D02-4009-A18A-DCC1B6931106}.exe	30
PID 3000 wrote to memory of 2520	3000	{2457622D-3D02-4009-A18A-DCC1B6931106}.exe	31
PID 3000 wrote to memory of 2520	3000	{2457622D-3D02-4009-A18A-DCC1B6931106}.exe	31
PID 3000 wrote to memory of 2520	3000	{2457622D-3D02-4009-A18A-DCC1B6931106}.exe	31
PID 3000 wrote to memory of 2520	3000	{2457622D-3D02-4009-A18A-DCC1B6931106}.exe	31
PID 2536 wrote to memory of 2524	2536	{E9A2F675-122E-4c66-869B-A323D9071A7F}.exe	34
PID 2536 wrote to memory of 2524	2536	{E9A2F675-122E-4c66-869B-A323D9071A7F}.exe	34
PID 2536 wrote to memory of 2524	2536	{E9A2F675-122E-4c66-869B-A323D9071A7F}.exe	34
PID 2536 wrote to memory of 2524	2536	{E9A2F675-122E-4c66-869B-A323D9071A7F}.exe	34
PID 2536 wrote to memory of 2972	2536	{E9A2F675-122E-4c66-869B-A323D9071A7F}.exe	35
PID 2536 wrote to memory of 2972	2536	{E9A2F675-122E-4c66-869B-A323D9071A7F}.exe	35
PID 2536 wrote to memory of 2972	2536	{E9A2F675-122E-4c66-869B-A323D9071A7F}.exe	35
PID 2536 wrote to memory of 2972	2536	{E9A2F675-122E-4c66-869B-A323D9071A7F}.exe	35
PID 2524 wrote to memory of 664	2524	{DB2B3C12-F90E-4e32-8E35-281161BEF370}.exe	36
PID 2524 wrote to memory of 664	2524	{DB2B3C12-F90E-4e32-8E35-281161BEF370}.exe	36
PID 2524 wrote to memory of 664	2524	{DB2B3C12-F90E-4e32-8E35-281161BEF370}.exe	36
PID 2524 wrote to memory of 664	2524	{DB2B3C12-F90E-4e32-8E35-281161BEF370}.exe	36
PID 2524 wrote to memory of 580	2524	{DB2B3C12-F90E-4e32-8E35-281161BEF370}.exe	37
PID 2524 wrote to memory of 580	2524	{DB2B3C12-F90E-4e32-8E35-281161BEF370}.exe	37
PID 2524 wrote to memory of 580	2524	{DB2B3C12-F90E-4e32-8E35-281161BEF370}.exe	37
PID 2524 wrote to memory of 580	2524	{DB2B3C12-F90E-4e32-8E35-281161BEF370}.exe	37
PID 664 wrote to memory of 1564	664	{90E11F7B-5F0B-4909-B57D-EE2F4C0DE68E}.exe	38
PID 664 wrote to memory of 1564	664	{90E11F7B-5F0B-4909-B57D-EE2F4C0DE68E}.exe	38
PID 664 wrote to memory of 1564	664	{90E11F7B-5F0B-4909-B57D-EE2F4C0DE68E}.exe	38
PID 664 wrote to memory of 1564	664	{90E11F7B-5F0B-4909-B57D-EE2F4C0DE68E}.exe	38
PID 664 wrote to memory of 2608	664	{90E11F7B-5F0B-4909-B57D-EE2F4C0DE68E}.exe	39
PID 664 wrote to memory of 2608	664	{90E11F7B-5F0B-4909-B57D-EE2F4C0DE68E}.exe	39
PID 664 wrote to memory of 2608	664	{90E11F7B-5F0B-4909-B57D-EE2F4C0DE68E}.exe	39
PID 664 wrote to memory of 2608	664	{90E11F7B-5F0B-4909-B57D-EE2F4C0DE68E}.exe	39
PID 1564 wrote to memory of 2752	1564	{2BE22607-3050-4d8c-80B2-21F14B2498AD}.exe	40
PID 1564 wrote to memory of 2752	1564	{2BE22607-3050-4d8c-80B2-21F14B2498AD}.exe	40
PID 1564 wrote to memory of 2752	1564	{2BE22607-3050-4d8c-80B2-21F14B2498AD}.exe	40
PID 1564 wrote to memory of 2752	1564	{2BE22607-3050-4d8c-80B2-21F14B2498AD}.exe	40
PID 1564 wrote to memory of 2580	1564	{2BE22607-3050-4d8c-80B2-21F14B2498AD}.exe	41
PID 1564 wrote to memory of 2580	1564	{2BE22607-3050-4d8c-80B2-21F14B2498AD}.exe	41
PID 1564 wrote to memory of 2580	1564	{2BE22607-3050-4d8c-80B2-21F14B2498AD}.exe	41
PID 1564 wrote to memory of 2580	1564	{2BE22607-3050-4d8c-80B2-21F14B2498AD}.exe	41
PID 2752 wrote to memory of 1948	2752	{5C5F32FF-700E-4c09-95A4-BC03A069D6F4}.exe	42
PID 2752 wrote to memory of 1948	2752	{5C5F32FF-700E-4c09-95A4-BC03A069D6F4}.exe	42
PID 2752 wrote to memory of 1948	2752	{5C5F32FF-700E-4c09-95A4-BC03A069D6F4}.exe	42
PID 2752 wrote to memory of 1948	2752	{5C5F32FF-700E-4c09-95A4-BC03A069D6F4}.exe	42
PID 2752 wrote to memory of 2236	2752	{5C5F32FF-700E-4c09-95A4-BC03A069D6F4}.exe	43
PID 2752 wrote to memory of 2236	2752	{5C5F32FF-700E-4c09-95A4-BC03A069D6F4}.exe	43
PID 2752 wrote to memory of 2236	2752	{5C5F32FF-700E-4c09-95A4-BC03A069D6F4}.exe	43
PID 2752 wrote to memory of 2236	2752	{5C5F32FF-700E-4c09-95A4-BC03A069D6F4}.exe	43
PID 1948 wrote to memory of 1860	1948	{A3142727-8364-4a11-852C-281F239EBCF9}.exe	44
PID 1948 wrote to memory of 1860	1948	{A3142727-8364-4a11-852C-281F239EBCF9}.exe	44
PID 1948 wrote to memory of 1860	1948	{A3142727-8364-4a11-852C-281F239EBCF9}.exe	44
PID 1948 wrote to memory of 1860	1948	{A3142727-8364-4a11-852C-281F239EBCF9}.exe	44
PID 1948 wrote to memory of 1680	1948	{A3142727-8364-4a11-852C-281F239EBCF9}.exe	45
PID 1948 wrote to memory of 1680	1948	{A3142727-8364-4a11-852C-281F239EBCF9}.exe	45
PID 1948 wrote to memory of 1680	1948	{A3142727-8364-4a11-852C-281F239EBCF9}.exe	45
PID 1948 wrote to memory of 1680	1948	{A3142727-8364-4a11-852C-281F239EBCF9}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-03-09_f505d3e7ca60e7462c7bebb3cc2e217f_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-09_f505d3e7ca60e7462c7bebb3cc2e217f_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2208
- C:\Windows\{2457622D-3D02-4009-A18A-DCC1B6931106}.exe
  C:\Windows\{2457622D-3D02-4009-A18A-DCC1B6931106}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3000
- - C:\Windows\{E9A2F675-122E-4c66-869B-A323D9071A7F}.exe
    C:\Windows\{E9A2F675-122E-4c66-869B-A323D9071A7F}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2536
  - - C:\Windows\{DB2B3C12-F90E-4e32-8E35-281161BEF370}.exe
      C:\Windows\{DB2B3C12-F90E-4e32-8E35-281161BEF370}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2524
    - - C:\Windows\{90E11F7B-5F0B-4909-B57D-EE2F4C0DE68E}.exe
        
        C:\Windows\{90E11F7B-5F0B-4909-B57D-EE2F4C0DE68E}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:664
      - C:\Windows\{2BE22607-3050-4d8c-80B2-21F14B2498AD}.exe
        
        C:\Windows\{2BE22607-3050-4d8c-80B2-21F14B2498AD}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1564
        
        C:\Windows\{5C5F32FF-700E-4c09-95A4-BC03A069D6F4}.exe
        
        C:\Windows\{5C5F32FF-700E-4c09-95A4-BC03A069D6F4}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2752
        
        C:\Windows\{A3142727-8364-4a11-852C-281F239EBCF9}.exe
        
        C:\Windows\{A3142727-8364-4a11-852C-281F239EBCF9}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1948
        
        C:\Windows\{9F7FE461-7A5E-4a27-9DE1-0E84C71BA8E6}.exe
        
        C:\Windows\{9F7FE461-7A5E-4a27-9DE1-0E84C71BA8E6}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1860
        
        C:\Windows\{2D0AA762-5F6D-4efa-B637-6C0B5C7E2641}.exe
        
        C:\Windows\{2D0AA762-5F6D-4efa-B637-6C0B5C7E2641}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2212
        
        C:\Windows\{A396A956-4D20-4e7f-B58A-67D4D8CFC952}.exe
        
        C:\Windows\{A396A956-4D20-4e7f-B58A-67D4D8CFC952}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2036
        
        C:\Windows\{35842E2A-C2F9-4c2b-BEF6-0A87349C5740}.exe
        
        C:\Windows\{35842E2A-C2F9-4c2b-BEF6-0A87349C5740}.exe
        12⤵
        Executes dropped EXE
        
        PID:1400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A396A~1.EXE > nul
        12⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2D0AA~1.EXE > nul
        11⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9F7FE~1.EXE > nul
        10⤵
        
        PID:1432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A3142~1.EXE > nul
        9⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5C5F3~1.EXE > nul
        8⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2BE22~1.EXE > nul
        7⤵
        
        PID:2580
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{90E11~1.EXE > nul
        6⤵
        
        PID:2608
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DB2B3~1.EXE > nul
        5⤵
        
        PID:580
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{E9A2F~1.EXE > nul
      4⤵
      PID:2972
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{24576~1.EXE > nul
    3⤵
    PID:2520
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{2457622D-3D02-4009-A18A-DCC1B6931106}.exe

Filesize
408KB

MD5
27151e48120e9f22a2bb4a0d5d775d7b

SHA1
e712192f6d26c8c14e1ec2e440d7ce64ea78a739

SHA256
415f86c3b531da88745c6f6ffc29977679d0c185479bababe1cfed1259b21390

SHA512
9403f2d396c514ad44a5be35a958b7334d04ba82549b445dccd5515a5b8e7dc30612e202dbfbe2426182fe26106baa168e9a0fd32382d7e46945b80244cf1b3a

Download Submit
C:\Windows\{2BE22607-3050-4d8c-80B2-21F14B2498AD}.exe

Filesize
408KB

MD5
3b550ef5e1d0b86890865ed088e662ef

SHA1
8e8973464f8578b516a1fd66665996fd752058f6

SHA256
8f5fcb2ac88daa87c8ec6e135e66471777fe995bbeb46fd6d00a026269ac431d

SHA512
d8dfb00653b4cb99b770d844cd2fbb303eb151c70194a6ec478d00879f30e24aa25b6f728bfce570febfed78b44b0a102ffba1da5682cbfdb5686acf78311505

Download Submit
C:\Windows\{2D0AA762-5F6D-4efa-B637-6C0B5C7E2641}.exe

Filesize
408KB

MD5
d58f4abf912b2863edcbf39172647467

SHA1
2aa94c866d4f27e0efd291928067166b744f38f1

SHA256
bcb769babdfd247a72c79a3fcffac7ce7368bd7a6fbbfcbaf9b34350a718ec72

SHA512
9e8df7008a289eba5c8dc24428396e0af9acfc1b68abeae10379b8bec3746444bf2ff8a014f55e090adc3bfde82c00149617199f7c0dbc7dab9916cab4fd77e4

Download Submit
C:\Windows\{35842E2A-C2F9-4c2b-BEF6-0A87349C5740}.exe

Filesize
408KB

MD5
fe1275336f94f8567d91241399fe87b3

SHA1
988c5201ecc363cd6b3ce7500e3df2b055de5b75

SHA256
8a3de4acdf5910d06c03fe1d344d63c26c401eb25f4d75132f867d3b3d9cb73b

SHA512
73cc258ea5cba4147a95294bf72f5732688f4b4b94a54aed19da44e995df865c8b0eb46ff9188e471421bc40d0ee12a111e0d713010eb5ba8a2604bf61c105e2

Download Submit
C:\Windows\{5C5F32FF-700E-4c09-95A4-BC03A069D6F4}.exe

Filesize
408KB

MD5
cf3df3a57953a60872a866f293e7f3bf

SHA1
a1c2e5bb6f49dbe168a8a5ec9196717018f541c6

SHA256
c3de14bf44bc265e8a8165e63e0ffb0224f91722bbc7a0825d626dbcbc3cb44b

SHA512
ef74f8bcac2a8edcfd14b334ed34cd8ffdd35487e94d45cffde380b993d96aa3ce49ede4a49cbf6c192b2c5095a4aa317bc6b2535bdae000cfa4f86e4cb3a608

Download Submit
C:\Windows\{90E11F7B-5F0B-4909-B57D-EE2F4C0DE68E}.exe

Filesize
408KB

MD5
0ef224832ba133608c5b4b8202ceb31d

SHA1
bb979447bac203cceeb967d5c80dba160d9ed0d6

SHA256
f0d70d6ae1e9779a49f76470c226498054c8f031ccdafab162138515d567353a

SHA512
a2fa980a195c87cfbf147dd97766f1619938fc9a0abe509f0f1d7380db507d4d5772ac949f1390ca6c7e22f83472c981e3cc3b4c536ec7a0d8a527aa5e285ed2

Download Submit
C:\Windows\{9F7FE461-7A5E-4a27-9DE1-0E84C71BA8E6}.exe

Filesize
408KB

MD5
8532e8a587f74cd2bd7fe8b8c4218483

SHA1
4f02fbfbc71b1abbc03927bbe7ffdc4d4a1b3050

SHA256
5a4342139e32cd56cb858b0150171a9147c37a647b3f034e110fa3ead1450e0a

SHA512
dc61d0d1a98c42d519bb5e0f9c0d2e1d728d48359b20001ab50d21d98b250cbb137bad01ea450f5839c919d2bcbd3b8669e6d358cef8472328cb3bd1b980df60

Download Submit
C:\Windows\{A3142727-8364-4a11-852C-281F239EBCF9}.exe

Filesize
408KB

MD5
12c56c64ec8c35ef6bc7ca014cf0b809

SHA1
2ff87cb055980376f8b13d191e32e7ebfb013256

SHA256
c4a6eeea33fe06f7e04ca4733305d10505827bbf79644ba1cd940639c56ff495

SHA512
c4958c6b0e4ec29449b86cc4776926548303b2dc5c6894846cb2373f488a4fc9ed6efb6101fb4541bedb3c4f7c54f6d6aefe60c39d76a74f3cc3aea85f56fe0d

Download Submit
C:\Windows\{A396A956-4D20-4e7f-B58A-67D4D8CFC952}.exe

Filesize
408KB

MD5
f4ff0bb8d7771ffecf58a9a211ab935e

SHA1
88173a034d070f444e5ed69f4027f49976c13059

SHA256
0fddbe7868399086406c05d3c869ce3d9cf4545193c4994e94c89643ff334efe

SHA512
a76de01e9b0676c7f4ec7e7c2a12ba77ab13b0ea5689bb33be07f22103bece33c7613222347ae8d3c6ef629fd5ff534ed5187638586c017a760c0fac92854c6e

Download Submit
C:\Windows\{DB2B3C12-F90E-4e32-8E35-281161BEF370}.exe

Filesize
408KB

MD5
9368c9de00dd50a15ef885c33c26d5f2

SHA1
0bf5e307a77b98250142400e271cf13287c2af4f

SHA256
528ceb68879293fc0d16d0f40eb593a3d1a96b18f8f4438ad61e4bc163beb7ef

SHA512
429e3983831a5505bfd431c1184573754165833ecfaa7087652b599973b0c11d8d25b03554893b4776982ccc8bf4f3bf3940c3f12af81952c1804b7707bb257f

Download Submit
C:\Windows\{E9A2F675-122E-4c66-869B-A323D9071A7F}.exe

Filesize
408KB

MD5
f6f8a9c6dda098708e623f6892bbfeb3

SHA1
395da41452960534aa110a54e1a85bd21fc31b08

SHA256
a1605e3d1c562b0be307c6647842baf437d2c789c83d4bb171432c67c617dad4

SHA512
ca1ef263e0fe7fb038cecfb901d0383d9106b358277016dbc1c9a22913d0ff4c4c5a73741e006467a550ed3744378151c76ae6bf642633314ed21d39bcaed76a

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads