e04e4debae1d00d1482dbd00239f6ff5c54420dd3bc8f7ccd96726700314aae5

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
10-03-2024 06:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-10_4a05b218ed84c7c633485ae937916bde_goldeneye.exe
Size

372KB
MD5

4a05b218ed84c7c633485ae937916bde
SHA1

bc44d706e05f965fe55412b5b29cb1eb4ea1ec60
SHA256

e04e4debae1d00d1482dbd00239f6ff5c54420dd3bc8f7ccd96726700314aae5
SHA512

386ccc1a1c611bb47ce56d2f4aff3d4d9bdd00042c7155ded93402ff1e63fbe01a5e762617c8c7b8234782a46710a9b69b2a4ce5a5dae9c4ee28359d55450c53
SSDEEP

3072:CEGh0o+lMOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBfM:CEGglkOe2MUVg3vTeKcAEciTBqr3

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 13 IoCs

resource	yara_rule
behavioral1/files/0x000c00000001225d-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000015d59-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0025000000016013-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0026000000016013-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0026000000016013-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0027000000016013-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0025000000016122-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0028000000016013-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0026000000016122-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0029000000016013-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2572E262-058D-4849-A58A-0DF443E54D25}	{C6778EE2-7E01-49fb-BD23-65398287AB47}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2572E262-058D-4849-A58A-0DF443E54D25}\stubpath = "C:\\Windows\\{2572E262-058D-4849-A58A-0DF443E54D25}.exe"	{C6778EE2-7E01-49fb-BD23-65398287AB47}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8CA3D08B-F537-4440-8433-4148FDD1226C}\stubpath = "C:\\Windows\\{8CA3D08B-F537-4440-8433-4148FDD1226C}.exe"	{2572E262-058D-4849-A58A-0DF443E54D25}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4035840F-170B-4927-ADEF-C55BBB499FDD}\stubpath = "C:\\Windows\\{4035840F-170B-4927-ADEF-C55BBB499FDD}.exe"	{9CD0F9E2-D94D-4f14-8EA9-66CD6924CC82}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0DCA8FD3-881C-4399-90B7-077F3701D48B}	{AFD3805E-10D6-4459-B9CF-24804E438AEB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0DCA8FD3-881C-4399-90B7-077F3701D48B}\stubpath = "C:\\Windows\\{0DCA8FD3-881C-4399-90B7-077F3701D48B}.exe"	{AFD3805E-10D6-4459-B9CF-24804E438AEB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0C1C558A-28B0-4391-ADF6-85F1005774D0}\stubpath = "C:\\Windows\\{0C1C558A-28B0-4391-ADF6-85F1005774D0}.exe"	{49A8CC54-2C83-4042-8B83-331A80C8DBA1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B5E6AEDC-3D4E-477c-8861-B63A8A1D1159}\stubpath = "C:\\Windows\\{B5E6AEDC-3D4E-477c-8861-B63A8A1D1159}.exe"	{0C1C558A-28B0-4391-ADF6-85F1005774D0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ADD77EB0-C1E3-492f-AFB7-926D659ECE3E}	{8CA3D08B-F537-4440-8433-4148FDD1226C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ADD77EB0-C1E3-492f-AFB7-926D659ECE3E}\stubpath = "C:\\Windows\\{ADD77EB0-C1E3-492f-AFB7-926D659ECE3E}.exe"	{8CA3D08B-F537-4440-8433-4148FDD1226C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B5E6AEDC-3D4E-477c-8861-B63A8A1D1159}	{0C1C558A-28B0-4391-ADF6-85F1005774D0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C6778EE2-7E01-49fb-BD23-65398287AB47}\stubpath = "C:\\Windows\\{C6778EE2-7E01-49fb-BD23-65398287AB47}.exe"	{B5E6AEDC-3D4E-477c-8861-B63A8A1D1159}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8CA3D08B-F537-4440-8433-4148FDD1226C}	{2572E262-058D-4849-A58A-0DF443E54D25}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9CD0F9E2-D94D-4f14-8EA9-66CD6924CC82}\stubpath = "C:\\Windows\\{9CD0F9E2-D94D-4f14-8EA9-66CD6924CC82}.exe"	2024-03-10_4a05b218ed84c7c633485ae937916bde_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AFD3805E-10D6-4459-B9CF-24804E438AEB}	{4035840F-170B-4927-ADEF-C55BBB499FDD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AFD3805E-10D6-4459-B9CF-24804E438AEB}\stubpath = "C:\\Windows\\{AFD3805E-10D6-4459-B9CF-24804E438AEB}.exe"	{4035840F-170B-4927-ADEF-C55BBB499FDD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C6778EE2-7E01-49fb-BD23-65398287AB47}	{B5E6AEDC-3D4E-477c-8861-B63A8A1D1159}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9CD0F9E2-D94D-4f14-8EA9-66CD6924CC82}	2024-03-10_4a05b218ed84c7c633485ae937916bde_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4035840F-170B-4927-ADEF-C55BBB499FDD}	{9CD0F9E2-D94D-4f14-8EA9-66CD6924CC82}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{49A8CC54-2C83-4042-8B83-331A80C8DBA1}	{0DCA8FD3-881C-4399-90B7-077F3701D48B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{49A8CC54-2C83-4042-8B83-331A80C8DBA1}\stubpath = "C:\\Windows\\{49A8CC54-2C83-4042-8B83-331A80C8DBA1}.exe"	{0DCA8FD3-881C-4399-90B7-077F3701D48B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0C1C558A-28B0-4391-ADF6-85F1005774D0}	{49A8CC54-2C83-4042-8B83-331A80C8DBA1}.exe

Deletes itself 1 IoCs

pid	Process
2248	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
1976	{9CD0F9E2-D94D-4f14-8EA9-66CD6924CC82}.exe
2668	{4035840F-170B-4927-ADEF-C55BBB499FDD}.exe
2392	{AFD3805E-10D6-4459-B9CF-24804E438AEB}.exe
2208	{0DCA8FD3-881C-4399-90B7-077F3701D48B}.exe
2528	{49A8CC54-2C83-4042-8B83-331A80C8DBA1}.exe
2232	{0C1C558A-28B0-4391-ADF6-85F1005774D0}.exe
1800	{B5E6AEDC-3D4E-477c-8861-B63A8A1D1159}.exe
324	{C6778EE2-7E01-49fb-BD23-65398287AB47}.exe
1544	{2572E262-058D-4849-A58A-0DF443E54D25}.exe
2880	{8CA3D08B-F537-4440-8433-4148FDD1226C}.exe
2632	{ADD77EB0-C1E3-492f-AFB7-926D659ECE3E}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{9CD0F9E2-D94D-4f14-8EA9-66CD6924CC82}.exe	2024-03-10_4a05b218ed84c7c633485ae937916bde_goldeneye.exe
File created	C:\Windows\{AFD3805E-10D6-4459-B9CF-24804E438AEB}.exe	{4035840F-170B-4927-ADEF-C55BBB499FDD}.exe
File created	C:\Windows\{0DCA8FD3-881C-4399-90B7-077F3701D48B}.exe	{AFD3805E-10D6-4459-B9CF-24804E438AEB}.exe
File created	C:\Windows\{4035840F-170B-4927-ADEF-C55BBB499FDD}.exe	{9CD0F9E2-D94D-4f14-8EA9-66CD6924CC82}.exe
File created	C:\Windows\{49A8CC54-2C83-4042-8B83-331A80C8DBA1}.exe	{0DCA8FD3-881C-4399-90B7-077F3701D48B}.exe
File created	C:\Windows\{0C1C558A-28B0-4391-ADF6-85F1005774D0}.exe	{49A8CC54-2C83-4042-8B83-331A80C8DBA1}.exe
File created	C:\Windows\{B5E6AEDC-3D4E-477c-8861-B63A8A1D1159}.exe	{0C1C558A-28B0-4391-ADF6-85F1005774D0}.exe
File created	C:\Windows\{C6778EE2-7E01-49fb-BD23-65398287AB47}.exe	{B5E6AEDC-3D4E-477c-8861-B63A8A1D1159}.exe
File created	C:\Windows\{2572E262-058D-4849-A58A-0DF443E54D25}.exe	{C6778EE2-7E01-49fb-BD23-65398287AB47}.exe
File created	C:\Windows\{8CA3D08B-F537-4440-8433-4148FDD1226C}.exe	{2572E262-058D-4849-A58A-0DF443E54D25}.exe
File created	C:\Windows\{ADD77EB0-C1E3-492f-AFB7-926D659ECE3E}.exe	{8CA3D08B-F537-4440-8433-4148FDD1226C}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2852	2024-03-10_4a05b218ed84c7c633485ae937916bde_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1976	{9CD0F9E2-D94D-4f14-8EA9-66CD6924CC82}.exe
Token: SeIncBasePriorityPrivilege	2668	{4035840F-170B-4927-ADEF-C55BBB499FDD}.exe
Token: SeIncBasePriorityPrivilege	2392	{AFD3805E-10D6-4459-B9CF-24804E438AEB}.exe
Token: SeIncBasePriorityPrivilege	2208	{0DCA8FD3-881C-4399-90B7-077F3701D48B}.exe
Token: SeIncBasePriorityPrivilege	2528	{49A8CC54-2C83-4042-8B83-331A80C8DBA1}.exe
Token: SeIncBasePriorityPrivilege	2232	{0C1C558A-28B0-4391-ADF6-85F1005774D0}.exe
Token: SeIncBasePriorityPrivilege	1800	{B5E6AEDC-3D4E-477c-8861-B63A8A1D1159}.exe
Token: SeIncBasePriorityPrivilege	324	{C6778EE2-7E01-49fb-BD23-65398287AB47}.exe
Token: SeIncBasePriorityPrivilege	1544	{2572E262-058D-4849-A58A-0DF443E54D25}.exe
Token: SeIncBasePriorityPrivilege	2880	{8CA3D08B-F537-4440-8433-4148FDD1226C}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2852 wrote to memory of 1976	2852	2024-03-10_4a05b218ed84c7c633485ae937916bde_goldeneye.exe	28
PID 2852 wrote to memory of 1976	2852	2024-03-10_4a05b218ed84c7c633485ae937916bde_goldeneye.exe	28
PID 2852 wrote to memory of 1976	2852	2024-03-10_4a05b218ed84c7c633485ae937916bde_goldeneye.exe	28
PID 2852 wrote to memory of 1976	2852	2024-03-10_4a05b218ed84c7c633485ae937916bde_goldeneye.exe	28
PID 2852 wrote to memory of 2248	2852	2024-03-10_4a05b218ed84c7c633485ae937916bde_goldeneye.exe	29
PID 2852 wrote to memory of 2248	2852	2024-03-10_4a05b218ed84c7c633485ae937916bde_goldeneye.exe	29
PID 2852 wrote to memory of 2248	2852	2024-03-10_4a05b218ed84c7c633485ae937916bde_goldeneye.exe	29
PID 2852 wrote to memory of 2248	2852	2024-03-10_4a05b218ed84c7c633485ae937916bde_goldeneye.exe	29
PID 1976 wrote to memory of 2668	1976	{9CD0F9E2-D94D-4f14-8EA9-66CD6924CC82}.exe	30
PID 1976 wrote to memory of 2668	1976	{9CD0F9E2-D94D-4f14-8EA9-66CD6924CC82}.exe	30
PID 1976 wrote to memory of 2668	1976	{9CD0F9E2-D94D-4f14-8EA9-66CD6924CC82}.exe	30
PID 1976 wrote to memory of 2668	1976	{9CD0F9E2-D94D-4f14-8EA9-66CD6924CC82}.exe	30
PID 1976 wrote to memory of 2696	1976	{9CD0F9E2-D94D-4f14-8EA9-66CD6924CC82}.exe	31
PID 1976 wrote to memory of 2696	1976	{9CD0F9E2-D94D-4f14-8EA9-66CD6924CC82}.exe	31
PID 1976 wrote to memory of 2696	1976	{9CD0F9E2-D94D-4f14-8EA9-66CD6924CC82}.exe	31
PID 1976 wrote to memory of 2696	1976	{9CD0F9E2-D94D-4f14-8EA9-66CD6924CC82}.exe	31
PID 2668 wrote to memory of 2392	2668	{4035840F-170B-4927-ADEF-C55BBB499FDD}.exe	32
PID 2668 wrote to memory of 2392	2668	{4035840F-170B-4927-ADEF-C55BBB499FDD}.exe	32
PID 2668 wrote to memory of 2392	2668	{4035840F-170B-4927-ADEF-C55BBB499FDD}.exe	32
PID 2668 wrote to memory of 2392	2668	{4035840F-170B-4927-ADEF-C55BBB499FDD}.exe	32
PID 2668 wrote to memory of 2592	2668	{4035840F-170B-4927-ADEF-C55BBB499FDD}.exe	33
PID 2668 wrote to memory of 2592	2668	{4035840F-170B-4927-ADEF-C55BBB499FDD}.exe	33
PID 2668 wrote to memory of 2592	2668	{4035840F-170B-4927-ADEF-C55BBB499FDD}.exe	33
PID 2668 wrote to memory of 2592	2668	{4035840F-170B-4927-ADEF-C55BBB499FDD}.exe	33
PID 2392 wrote to memory of 2208	2392	{AFD3805E-10D6-4459-B9CF-24804E438AEB}.exe	36
PID 2392 wrote to memory of 2208	2392	{AFD3805E-10D6-4459-B9CF-24804E438AEB}.exe	36
PID 2392 wrote to memory of 2208	2392	{AFD3805E-10D6-4459-B9CF-24804E438AEB}.exe	36
PID 2392 wrote to memory of 2208	2392	{AFD3805E-10D6-4459-B9CF-24804E438AEB}.exe	36
PID 2392 wrote to memory of 3052	2392	{AFD3805E-10D6-4459-B9CF-24804E438AEB}.exe	37
PID 2392 wrote to memory of 3052	2392	{AFD3805E-10D6-4459-B9CF-24804E438AEB}.exe	37
PID 2392 wrote to memory of 3052	2392	{AFD3805E-10D6-4459-B9CF-24804E438AEB}.exe	37
PID 2392 wrote to memory of 3052	2392	{AFD3805E-10D6-4459-B9CF-24804E438AEB}.exe	37
PID 2208 wrote to memory of 2528	2208	{0DCA8FD3-881C-4399-90B7-077F3701D48B}.exe	38
PID 2208 wrote to memory of 2528	2208	{0DCA8FD3-881C-4399-90B7-077F3701D48B}.exe	38
PID 2208 wrote to memory of 2528	2208	{0DCA8FD3-881C-4399-90B7-077F3701D48B}.exe	38
PID 2208 wrote to memory of 2528	2208	{0DCA8FD3-881C-4399-90B7-077F3701D48B}.exe	38
PID 2208 wrote to memory of 2740	2208	{0DCA8FD3-881C-4399-90B7-077F3701D48B}.exe	39
PID 2208 wrote to memory of 2740	2208	{0DCA8FD3-881C-4399-90B7-077F3701D48B}.exe	39
PID 2208 wrote to memory of 2740	2208	{0DCA8FD3-881C-4399-90B7-077F3701D48B}.exe	39
PID 2208 wrote to memory of 2740	2208	{0DCA8FD3-881C-4399-90B7-077F3701D48B}.exe	39
PID 2528 wrote to memory of 2232	2528	{49A8CC54-2C83-4042-8B83-331A80C8DBA1}.exe	40
PID 2528 wrote to memory of 2232	2528	{49A8CC54-2C83-4042-8B83-331A80C8DBA1}.exe	40
PID 2528 wrote to memory of 2232	2528	{49A8CC54-2C83-4042-8B83-331A80C8DBA1}.exe	40
PID 2528 wrote to memory of 2232	2528	{49A8CC54-2C83-4042-8B83-331A80C8DBA1}.exe	40
PID 2528 wrote to memory of 784	2528	{49A8CC54-2C83-4042-8B83-331A80C8DBA1}.exe	41
PID 2528 wrote to memory of 784	2528	{49A8CC54-2C83-4042-8B83-331A80C8DBA1}.exe	41
PID 2528 wrote to memory of 784	2528	{49A8CC54-2C83-4042-8B83-331A80C8DBA1}.exe	41
PID 2528 wrote to memory of 784	2528	{49A8CC54-2C83-4042-8B83-331A80C8DBA1}.exe	41
PID 2232 wrote to memory of 1800	2232	{0C1C558A-28B0-4391-ADF6-85F1005774D0}.exe	42
PID 2232 wrote to memory of 1800	2232	{0C1C558A-28B0-4391-ADF6-85F1005774D0}.exe	42
PID 2232 wrote to memory of 1800	2232	{0C1C558A-28B0-4391-ADF6-85F1005774D0}.exe	42
PID 2232 wrote to memory of 1800	2232	{0C1C558A-28B0-4391-ADF6-85F1005774D0}.exe	42
PID 2232 wrote to memory of 2256	2232	{0C1C558A-28B0-4391-ADF6-85F1005774D0}.exe	43
PID 2232 wrote to memory of 2256	2232	{0C1C558A-28B0-4391-ADF6-85F1005774D0}.exe	43
PID 2232 wrote to memory of 2256	2232	{0C1C558A-28B0-4391-ADF6-85F1005774D0}.exe	43
PID 2232 wrote to memory of 2256	2232	{0C1C558A-28B0-4391-ADF6-85F1005774D0}.exe	43
PID 1800 wrote to memory of 324	1800	{B5E6AEDC-3D4E-477c-8861-B63A8A1D1159}.exe	44
PID 1800 wrote to memory of 324	1800	{B5E6AEDC-3D4E-477c-8861-B63A8A1D1159}.exe	44
PID 1800 wrote to memory of 324	1800	{B5E6AEDC-3D4E-477c-8861-B63A8A1D1159}.exe	44
PID 1800 wrote to memory of 324	1800	{B5E6AEDC-3D4E-477c-8861-B63A8A1D1159}.exe	44
PID 1800 wrote to memory of 696	1800	{B5E6AEDC-3D4E-477c-8861-B63A8A1D1159}.exe	45
PID 1800 wrote to memory of 696	1800	{B5E6AEDC-3D4E-477c-8861-B63A8A1D1159}.exe	45
PID 1800 wrote to memory of 696	1800	{B5E6AEDC-3D4E-477c-8861-B63A8A1D1159}.exe	45
PID 1800 wrote to memory of 696	1800	{B5E6AEDC-3D4E-477c-8861-B63A8A1D1159}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-03-10_4a05b218ed84c7c633485ae937916bde_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-10_4a05b218ed84c7c633485ae937916bde_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2852
- C:\Windows\{9CD0F9E2-D94D-4f14-8EA9-66CD6924CC82}.exe
  C:\Windows\{9CD0F9E2-D94D-4f14-8EA9-66CD6924CC82}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1976
- - C:\Windows\{4035840F-170B-4927-ADEF-C55BBB499FDD}.exe
    C:\Windows\{4035840F-170B-4927-ADEF-C55BBB499FDD}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2668
  - - C:\Windows\{AFD3805E-10D6-4459-B9CF-24804E438AEB}.exe
      C:\Windows\{AFD3805E-10D6-4459-B9CF-24804E438AEB}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2392
    - - C:\Windows\{0DCA8FD3-881C-4399-90B7-077F3701D48B}.exe
        
        C:\Windows\{0DCA8FD3-881C-4399-90B7-077F3701D48B}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2208
      - C:\Windows\{49A8CC54-2C83-4042-8B83-331A80C8DBA1}.exe
        
        C:\Windows\{49A8CC54-2C83-4042-8B83-331A80C8DBA1}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2528
        
        C:\Windows\{0C1C558A-28B0-4391-ADF6-85F1005774D0}.exe
        
        C:\Windows\{0C1C558A-28B0-4391-ADF6-85F1005774D0}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2232
        
        C:\Windows\{B5E6AEDC-3D4E-477c-8861-B63A8A1D1159}.exe
        
        C:\Windows\{B5E6AEDC-3D4E-477c-8861-B63A8A1D1159}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1800
        
        C:\Windows\{C6778EE2-7E01-49fb-BD23-65398287AB47}.exe
        
        C:\Windows\{C6778EE2-7E01-49fb-BD23-65398287AB47}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:324
        
        C:\Windows\{2572E262-058D-4849-A58A-0DF443E54D25}.exe
        
        C:\Windows\{2572E262-058D-4849-A58A-0DF443E54D25}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1544
        
        C:\Windows\{8CA3D08B-F537-4440-8433-4148FDD1226C}.exe
        
        C:\Windows\{8CA3D08B-F537-4440-8433-4148FDD1226C}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2880
        
        C:\Windows\{ADD77EB0-C1E3-492f-AFB7-926D659ECE3E}.exe
        
        C:\Windows\{ADD77EB0-C1E3-492f-AFB7-926D659ECE3E}.exe
        12⤵
        Executes dropped EXE
        
        PID:2632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8CA3D~1.EXE > nul
        12⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2572E~1.EXE > nul
        11⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C6778~1.EXE > nul
        10⤵
        
        PID:1452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B5E6A~1.EXE > nul
        9⤵
        
        PID:696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0C1C5~1.EXE > nul
        8⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{49A8C~1.EXE > nul
        7⤵
        
        PID:784
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0DCA8~1.EXE > nul
        6⤵
        
        PID:2740
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AFD38~1.EXE > nul
        5⤵
        
        PID:3052
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{40358~1.EXE > nul
      4⤵
      PID:2592
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{9CD0F~1.EXE > nul
    3⤵
    PID:2696
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2248

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0C1C558A-28B0-4391-ADF6-85F1005774D0}.exe

Filesize
372KB

MD5
0bd6222ce119023d5157fa46a10bef68

SHA1
ed3196f0d5d7460c8b764fb3f28756afdb3c8d3e

SHA256
07fd54f0daf9b23415a1fd7fa912df13ee17f9880e1b86248f58ef6440911d60

SHA512
853438ec538761c5d41c224aba6c0ef37ea7df39e90c2e85844c5ad4de46d4bac4afc4dcbc80a47f9d9de0ff2b931fcd2a1c4bdfa9da2486abb08051ba7df256

Download Submit
C:\Windows\{0DCA8FD3-881C-4399-90B7-077F3701D48B}.exe

Filesize
372KB

MD5
a2add9e391cb4c624e5578ec1151a9ca

SHA1
31bd2bce69341f443ef2a49de954bc31d7c53425

SHA256
cea45a9663671bf530e86db9868eeb4b59aab4efd525d99adf739911adbac8b8

SHA512
0825ff832fc735cf53d2779e8305bd267abc2cb78cdb0ce277a61d287cd4ca2e696ab7b128c73641da38c0b02b1b0e99841113290a922e47ba12030f8923ffe3

Download Submit
C:\Windows\{0DCA8FD3-881C-4399-90B7-077F3701D48B}.exe

Filesize
93KB

MD5
9478fb30314cdf4797c552e645a624ab

SHA1
05a082b45f58f2b98722fdb70528353ef97855cd

SHA256
4481980a590097af33afa3a5013537ab2abe4c45fe7d82d0d2e006d1094d0c37

SHA512
77af23ac573e730b2a9da62c4ca890a908ea441c22da7324597edc8e62fe895ee341b4b8b15b68edf8dd6728b26e08c013704b72f149bda2d667c51944ea2786

Download Submit
C:\Windows\{2572E262-058D-4849-A58A-0DF443E54D25}.exe

Filesize
372KB

MD5
828ffdcd27fd0b3bcac9b598aa2b65ad

SHA1
dd71c8185fc59555fbc11261b91b7c59391297ac

SHA256
8c16e8720ad1cd9e79f4ab1576fd85cca0bb587356e23521dc54828ab756920c

SHA512
866a292fec61387e55bc1caff028e9fd48e5b3db23637a5a187ac3cc135eabb59140fbf7616782bbb67872eb3f793be259f5a0d22a12b6c60bdcf9300025f7dd

Download Submit
C:\Windows\{4035840F-170B-4927-ADEF-C55BBB499FDD}.exe

Filesize
372KB

MD5
f8272d1e0807af98e87a4292bb42a58a

SHA1
3c44fb10178ce478ddf8331d9e16c51f78fa1165

SHA256
28f31e97dc0ff01522dc6057fbabe1765f3825a3374ca1ffeec3e5a5fe1310ba

SHA512
cf331149251737c10673d94c1213682cd13cf38b6ea7c92b37915065b12a334a5ab43de0fbf95a3eead83dc6f4654dbaa8020ecc3dec4a3a5d1fd32ebfdffd23

Download Submit
C:\Windows\{49A8CC54-2C83-4042-8B83-331A80C8DBA1}.exe

Filesize
20KB

MD5
187ec9e77711a26844752a573164b73e

SHA1
ac409b74ed6849baecbd420d753ef08abb5ba14d

SHA256
cf8ac0fbdd25928acfb89e3d7e03e15e83d7c5a936ac05d8f5715fb81890e24b

SHA512
48d8947c10e093c14a51f6fc9cb37a716578da2aefd50a9a842edf66020d0f4f36b4ca50f6fb26c59bf59dbdba4c8d01548b05b997d932a74d9d199202917055

Download Submit
C:\Windows\{49A8CC54-2C83-4042-8B83-331A80C8DBA1}.exe

Filesize
372KB

MD5
e395fffb70e414fa896fd26f289cfc87

SHA1
ba2c62a1280079fefa914c3cb4841d9f3e62391f

SHA256
0e1b2fce86765cf938ad7b1898bbe22a5868701bc1641bc404b2ec7208bfcf86

SHA512
13874f4cb09ebe22fe7f33f59a751590a4d81afa921bc5c581dbf6df90bf8058e4530885965451ab28abf4a094309e21bdd5f662c6ec6530f110ac14770b5ef9

Download Submit
C:\Windows\{8CA3D08B-F537-4440-8433-4148FDD1226C}.exe

Filesize
372KB

MD5
6a63aebf321d623076b63dffdc62df48

SHA1
9cbff1408a45b9da3f9a4a495b6d4cc33cc8275d

SHA256
4658b42530df817a531d4f8a759b7574382d4f67f135a0f72748f22470fac571

SHA512
d0e4644dac9ae24b34ec167542403a07ee0b77052ddd0d64ad4e5314346c8c097a53f318eb3a730053fb457e445921b2d5c0aae28340174ec6312cbed2677512

Download Submit
C:\Windows\{9CD0F9E2-D94D-4f14-8EA9-66CD6924CC82}.exe

Filesize
372KB

MD5
aa3842bbb8604810a9a0883b054f0f2e

SHA1
a25d630a61d09fa51abfd374f0c9feba35e3b995

SHA256
63d47fe67ea1476ae98c3afbb730d25fbc94b4c6a71713fb8a922fbfcb2bd2cd

SHA512
73839ad3d14c2c74822572b57abb7b65cd2cab2eaa70332606f770ebe9b6b134fcd2cbd74ddc00744121452f8e26261d1fa37142c66ad2ad8fa913e5302566c6

Download Submit
C:\Windows\{ADD77EB0-C1E3-492f-AFB7-926D659ECE3E}.exe

Filesize
372KB

MD5
729a5ec8c26c1bd1df5139b146e121b1

SHA1
d1e12b6376a2938640688647238b92562c55955b

SHA256
5ecd9e386acde447916850b146360462b975d5125ca55146037ab03a78f80117

SHA512
d698421e10067984b77416fbff55fcfabcb7923703974aca0ca022131f9642e933fb53a87e9e2cf72dd0bf02c4e26bc16a33f2cd8cb5ea913da0155c37ec1340

Download Submit
C:\Windows\{AFD3805E-10D6-4459-B9CF-24804E438AEB}.exe

Filesize
372KB

MD5
eca90c81a4b68b3b7e8e98c1c46f9089

SHA1
f8bdd1fae21493d9341f22a96205a4021390121b

SHA256
011eebcd0db9c52db5e1e8daa898e65288b8557ee19e8d412549211f6b598f22

SHA512
6f2f1100641f1a4b85d0690b6b1f488deafe0f41369034ec18bf87c129b3e70e389310834f3b8ad9ea2f3f55858eef6c95cb11f92a18691d7642dd364e9e6a91

Download Submit
C:\Windows\{B5E6AEDC-3D4E-477c-8861-B63A8A1D1159}.exe

Filesize
372KB

MD5
52b79df7742cb16bc888d54cbb3b438b

SHA1
505eeb502cef18d79a01f46d549db6c3d400370a

SHA256
e019ab55f46798ef815f2da364db86b995da4357e98e2405ec44508ff1285046

SHA512
0641ca3926cf0044dc659a24bd97682250ec55d1f0f5dee12043aaa64da85b2cc7bdec11f2b54085376b5badc38ebf0a204813cce462750a9ce33408f688cc25

Download Submit
C:\Windows\{C6778EE2-7E01-49fb-BD23-65398287AB47}.exe

Filesize
372KB

MD5
06116be0949e25aea88d72cba7047254

SHA1
0b4d7f45c7ed700a71039e9543fae00e3658a66b

SHA256
56270f2776eb5b9f812860f2488061589873238cdeff6aa6ef9091827bc71473

SHA512
a5eda7b5bb73a2bba7f498abb33eb7854cbcc970ec6f3a1ce0da5cd44e6e36088a25dce1aa372944b72ef0dde9dc9e59a3ba4954c10f79aa8df3e939b0b2895d

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads