efb0f6dd12a891f4e2ebcd6e06e05addcba95971dd9429290ad748b1434f87c4

Analysis

max time kernel
144s
max time network
127s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
10-03-2024 11:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-10_a988db91e2f0672a64a8d46d0a18267f_goldeneye.exe
Size

204KB
MD5

a988db91e2f0672a64a8d46d0a18267f
SHA1

5d44441bc12dd224f1fcf46a3b3adb00a09215e2
SHA256

efb0f6dd12a891f4e2ebcd6e06e05addcba95971dd9429290ad748b1434f87c4
SHA512

17f1387332a4332eb07dfc6e354393ff206401d418e530251f53cf518341048684eee099e31021578cb2f2736719463ca0a9e737a1f83c9c7ef3439ac1783893
SSDEEP

1536:1EGh0onl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0onl1OPOe2MUVg3Ve+rXfMUy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 13 IoCs

resource	yara_rule
behavioral1/files/0x0008000000012262-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000012262-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0014000000015c52-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f00000000f680-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000012262-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001000000000f680-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a000000012262-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001100000000f680-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0015000000015c52-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001200000000f680-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0016000000015c52-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0016000000015c52-69.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001300000000f680-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D9EBBDCF-5ECC-49e7-A4E1-A431CB3F173A}	{3FFD314C-E8D6-4b98-BD92-8225A88B8D57}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D9EBBDCF-5ECC-49e7-A4E1-A431CB3F173A}\stubpath = "C:\\Windows\\{D9EBBDCF-5ECC-49e7-A4E1-A431CB3F173A}.exe"	{3FFD314C-E8D6-4b98-BD92-8225A88B8D57}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B13A9834-B316-4816-B0DA-FD4EA25B1A3C}	{D9EBBDCF-5ECC-49e7-A4E1-A431CB3F173A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B13A9834-B316-4816-B0DA-FD4EA25B1A3C}\stubpath = "C:\\Windows\\{B13A9834-B316-4816-B0DA-FD4EA25B1A3C}.exe"	{D9EBBDCF-5ECC-49e7-A4E1-A431CB3F173A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{83F4E498-2508-427b-B321-E83627FEBBE3}\stubpath = "C:\\Windows\\{83F4E498-2508-427b-B321-E83627FEBBE3}.exe"	{F475A336-BB9C-4898-8992-3369B2D6FB2F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E0753370-9A04-4b8b-83F0-C07198814767}	{83F4E498-2508-427b-B321-E83627FEBBE3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{39871CD6-66B7-4cff-9ACE-70DEEC284BB2}	{5D92E2F7-8F0C-457c-A92E-1D1459EDE335}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{98CE9773-562D-4b56-88C5-BE2B3C4ACB5C}	{39871CD6-66B7-4cff-9ACE-70DEEC284BB2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F475A336-BB9C-4898-8992-3369B2D6FB2F}	{456CD828-E777-4aa9-B284-912CBEB2667B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4CDA9483-D5C5-4e75-8D24-BCC8684634FB}\stubpath = "C:\\Windows\\{4CDA9483-D5C5-4e75-8D24-BCC8684634FB}.exe"	2024-03-10_a988db91e2f0672a64a8d46d0a18267f_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{456CD828-E777-4aa9-B284-912CBEB2667B}\stubpath = "C:\\Windows\\{456CD828-E777-4aa9-B284-912CBEB2667B}.exe"	{B13A9834-B316-4816-B0DA-FD4EA25B1A3C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3FFD314C-E8D6-4b98-BD92-8225A88B8D57}\stubpath = "C:\\Windows\\{3FFD314C-E8D6-4b98-BD92-8225A88B8D57}.exe"	{98CE9773-562D-4b56-88C5-BE2B3C4ACB5C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E0753370-9A04-4b8b-83F0-C07198814767}\stubpath = "C:\\Windows\\{E0753370-9A04-4b8b-83F0-C07198814767}.exe"	{83F4E498-2508-427b-B321-E83627FEBBE3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5D92E2F7-8F0C-457c-A92E-1D1459EDE335}\stubpath = "C:\\Windows\\{5D92E2F7-8F0C-457c-A92E-1D1459EDE335}.exe"	{4CDA9483-D5C5-4e75-8D24-BCC8684634FB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{39871CD6-66B7-4cff-9ACE-70DEEC284BB2}\stubpath = "C:\\Windows\\{39871CD6-66B7-4cff-9ACE-70DEEC284BB2}.exe"	{5D92E2F7-8F0C-457c-A92E-1D1459EDE335}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{98CE9773-562D-4b56-88C5-BE2B3C4ACB5C}\stubpath = "C:\\Windows\\{98CE9773-562D-4b56-88C5-BE2B3C4ACB5C}.exe"	{39871CD6-66B7-4cff-9ACE-70DEEC284BB2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3FFD314C-E8D6-4b98-BD92-8225A88B8D57}	{98CE9773-562D-4b56-88C5-BE2B3C4ACB5C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{456CD828-E777-4aa9-B284-912CBEB2667B}	{B13A9834-B316-4816-B0DA-FD4EA25B1A3C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F475A336-BB9C-4898-8992-3369B2D6FB2F}\stubpath = "C:\\Windows\\{F475A336-BB9C-4898-8992-3369B2D6FB2F}.exe"	{456CD828-E777-4aa9-B284-912CBEB2667B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{83F4E498-2508-427b-B321-E83627FEBBE3}	{F475A336-BB9C-4898-8992-3369B2D6FB2F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4CDA9483-D5C5-4e75-8D24-BCC8684634FB}	2024-03-10_a988db91e2f0672a64a8d46d0a18267f_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5D92E2F7-8F0C-457c-A92E-1D1459EDE335}	{4CDA9483-D5C5-4e75-8D24-BCC8684634FB}.exe

Deletes itself 1 IoCs

pid	Process
2520	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2940	{4CDA9483-D5C5-4e75-8D24-BCC8684634FB}.exe
1972	{5D92E2F7-8F0C-457c-A92E-1D1459EDE335}.exe
1908	{39871CD6-66B7-4cff-9ACE-70DEEC284BB2}.exe
1672	{98CE9773-562D-4b56-88C5-BE2B3C4ACB5C}.exe
828	{3FFD314C-E8D6-4b98-BD92-8225A88B8D57}.exe
1620	{D9EBBDCF-5ECC-49e7-A4E1-A431CB3F173A}.exe
1800	{B13A9834-B316-4816-B0DA-FD4EA25B1A3C}.exe
1756	{456CD828-E777-4aa9-B284-912CBEB2667B}.exe
1180	{F475A336-BB9C-4898-8992-3369B2D6FB2F}.exe
564	{83F4E498-2508-427b-B321-E83627FEBBE3}.exe
1440	{E0753370-9A04-4b8b-83F0-C07198814767}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{D9EBBDCF-5ECC-49e7-A4E1-A431CB3F173A}.exe	{3FFD314C-E8D6-4b98-BD92-8225A88B8D57}.exe
File created	C:\Windows\{B13A9834-B316-4816-B0DA-FD4EA25B1A3C}.exe	{D9EBBDCF-5ECC-49e7-A4E1-A431CB3F173A}.exe
File created	C:\Windows\{456CD828-E777-4aa9-B284-912CBEB2667B}.exe	{B13A9834-B316-4816-B0DA-FD4EA25B1A3C}.exe
File created	C:\Windows\{83F4E498-2508-427b-B321-E83627FEBBE3}.exe	{F475A336-BB9C-4898-8992-3369B2D6FB2F}.exe
File created	C:\Windows\{39871CD6-66B7-4cff-9ACE-70DEEC284BB2}.exe	{5D92E2F7-8F0C-457c-A92E-1D1459EDE335}.exe
File created	C:\Windows\{98CE9773-562D-4b56-88C5-BE2B3C4ACB5C}.exe	{39871CD6-66B7-4cff-9ACE-70DEEC284BB2}.exe
File created	C:\Windows\{3FFD314C-E8D6-4b98-BD92-8225A88B8D57}.exe	{98CE9773-562D-4b56-88C5-BE2B3C4ACB5C}.exe
File created	C:\Windows\{E0753370-9A04-4b8b-83F0-C07198814767}.exe	{83F4E498-2508-427b-B321-E83627FEBBE3}.exe
File created	C:\Windows\{4CDA9483-D5C5-4e75-8D24-BCC8684634FB}.exe	2024-03-10_a988db91e2f0672a64a8d46d0a18267f_goldeneye.exe
File created	C:\Windows\{5D92E2F7-8F0C-457c-A92E-1D1459EDE335}.exe	{4CDA9483-D5C5-4e75-8D24-BCC8684634FB}.exe
File created	C:\Windows\{F475A336-BB9C-4898-8992-3369B2D6FB2F}.exe	{456CD828-E777-4aa9-B284-912CBEB2667B}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2740	2024-03-10_a988db91e2f0672a64a8d46d0a18267f_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2940	{4CDA9483-D5C5-4e75-8D24-BCC8684634FB}.exe
Token: SeIncBasePriorityPrivilege	1972	{5D92E2F7-8F0C-457c-A92E-1D1459EDE335}.exe
Token: SeIncBasePriorityPrivilege	1908	{39871CD6-66B7-4cff-9ACE-70DEEC284BB2}.exe
Token: SeIncBasePriorityPrivilege	1672	{98CE9773-562D-4b56-88C5-BE2B3C4ACB5C}.exe
Token: SeIncBasePriorityPrivilege	828	{3FFD314C-E8D6-4b98-BD92-8225A88B8D57}.exe
Token: SeIncBasePriorityPrivilege	1620	{D9EBBDCF-5ECC-49e7-A4E1-A431CB3F173A}.exe
Token: SeIncBasePriorityPrivilege	1800	{B13A9834-B316-4816-B0DA-FD4EA25B1A3C}.exe
Token: SeIncBasePriorityPrivilege	1756	{456CD828-E777-4aa9-B284-912CBEB2667B}.exe
Token: SeIncBasePriorityPrivilege	1180	{F475A336-BB9C-4898-8992-3369B2D6FB2F}.exe
Token: SeIncBasePriorityPrivilege	564	{83F4E498-2508-427b-B321-E83627FEBBE3}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2740 wrote to memory of 2940	2740	2024-03-10_a988db91e2f0672a64a8d46d0a18267f_goldeneye.exe	28
PID 2740 wrote to memory of 2940	2740	2024-03-10_a988db91e2f0672a64a8d46d0a18267f_goldeneye.exe	28
PID 2740 wrote to memory of 2940	2740	2024-03-10_a988db91e2f0672a64a8d46d0a18267f_goldeneye.exe	28
PID 2740 wrote to memory of 2940	2740	2024-03-10_a988db91e2f0672a64a8d46d0a18267f_goldeneye.exe	28
PID 2740 wrote to memory of 2520	2740	2024-03-10_a988db91e2f0672a64a8d46d0a18267f_goldeneye.exe	29
PID 2740 wrote to memory of 2520	2740	2024-03-10_a988db91e2f0672a64a8d46d0a18267f_goldeneye.exe	29
PID 2740 wrote to memory of 2520	2740	2024-03-10_a988db91e2f0672a64a8d46d0a18267f_goldeneye.exe	29
PID 2740 wrote to memory of 2520	2740	2024-03-10_a988db91e2f0672a64a8d46d0a18267f_goldeneye.exe	29
PID 2940 wrote to memory of 1972	2940	{4CDA9483-D5C5-4e75-8D24-BCC8684634FB}.exe	32
PID 2940 wrote to memory of 1972	2940	{4CDA9483-D5C5-4e75-8D24-BCC8684634FB}.exe	32
PID 2940 wrote to memory of 1972	2940	{4CDA9483-D5C5-4e75-8D24-BCC8684634FB}.exe	32
PID 2940 wrote to memory of 1972	2940	{4CDA9483-D5C5-4e75-8D24-BCC8684634FB}.exe	32
PID 2940 wrote to memory of 2428	2940	{4CDA9483-D5C5-4e75-8D24-BCC8684634FB}.exe	33
PID 2940 wrote to memory of 2428	2940	{4CDA9483-D5C5-4e75-8D24-BCC8684634FB}.exe	33
PID 2940 wrote to memory of 2428	2940	{4CDA9483-D5C5-4e75-8D24-BCC8684634FB}.exe	33
PID 2940 wrote to memory of 2428	2940	{4CDA9483-D5C5-4e75-8D24-BCC8684634FB}.exe	33
PID 1972 wrote to memory of 1908	1972	{5D92E2F7-8F0C-457c-A92E-1D1459EDE335}.exe	34
PID 1972 wrote to memory of 1908	1972	{5D92E2F7-8F0C-457c-A92E-1D1459EDE335}.exe	34
PID 1972 wrote to memory of 1908	1972	{5D92E2F7-8F0C-457c-A92E-1D1459EDE335}.exe	34
PID 1972 wrote to memory of 1908	1972	{5D92E2F7-8F0C-457c-A92E-1D1459EDE335}.exe	34
PID 1972 wrote to memory of 3008	1972	{5D92E2F7-8F0C-457c-A92E-1D1459EDE335}.exe	35
PID 1972 wrote to memory of 3008	1972	{5D92E2F7-8F0C-457c-A92E-1D1459EDE335}.exe	35
PID 1972 wrote to memory of 3008	1972	{5D92E2F7-8F0C-457c-A92E-1D1459EDE335}.exe	35
PID 1972 wrote to memory of 3008	1972	{5D92E2F7-8F0C-457c-A92E-1D1459EDE335}.exe	35
PID 1908 wrote to memory of 1672	1908	{39871CD6-66B7-4cff-9ACE-70DEEC284BB2}.exe	36
PID 1908 wrote to memory of 1672	1908	{39871CD6-66B7-4cff-9ACE-70DEEC284BB2}.exe	36
PID 1908 wrote to memory of 1672	1908	{39871CD6-66B7-4cff-9ACE-70DEEC284BB2}.exe	36
PID 1908 wrote to memory of 1672	1908	{39871CD6-66B7-4cff-9ACE-70DEEC284BB2}.exe	36
PID 1908 wrote to memory of 1656	1908	{39871CD6-66B7-4cff-9ACE-70DEEC284BB2}.exe	37
PID 1908 wrote to memory of 1656	1908	{39871CD6-66B7-4cff-9ACE-70DEEC284BB2}.exe	37
PID 1908 wrote to memory of 1656	1908	{39871CD6-66B7-4cff-9ACE-70DEEC284BB2}.exe	37
PID 1908 wrote to memory of 1656	1908	{39871CD6-66B7-4cff-9ACE-70DEEC284BB2}.exe	37
PID 1672 wrote to memory of 828	1672	{98CE9773-562D-4b56-88C5-BE2B3C4ACB5C}.exe	38
PID 1672 wrote to memory of 828	1672	{98CE9773-562D-4b56-88C5-BE2B3C4ACB5C}.exe	38
PID 1672 wrote to memory of 828	1672	{98CE9773-562D-4b56-88C5-BE2B3C4ACB5C}.exe	38
PID 1672 wrote to memory of 828	1672	{98CE9773-562D-4b56-88C5-BE2B3C4ACB5C}.exe	38
PID 1672 wrote to memory of 1452	1672	{98CE9773-562D-4b56-88C5-BE2B3C4ACB5C}.exe	39
PID 1672 wrote to memory of 1452	1672	{98CE9773-562D-4b56-88C5-BE2B3C4ACB5C}.exe	39
PID 1672 wrote to memory of 1452	1672	{98CE9773-562D-4b56-88C5-BE2B3C4ACB5C}.exe	39
PID 1672 wrote to memory of 1452	1672	{98CE9773-562D-4b56-88C5-BE2B3C4ACB5C}.exe	39
PID 828 wrote to memory of 1620	828	{3FFD314C-E8D6-4b98-BD92-8225A88B8D57}.exe	40
PID 828 wrote to memory of 1620	828	{3FFD314C-E8D6-4b98-BD92-8225A88B8D57}.exe	40
PID 828 wrote to memory of 1620	828	{3FFD314C-E8D6-4b98-BD92-8225A88B8D57}.exe	40
PID 828 wrote to memory of 1620	828	{3FFD314C-E8D6-4b98-BD92-8225A88B8D57}.exe	40
PID 828 wrote to memory of 1760	828	{3FFD314C-E8D6-4b98-BD92-8225A88B8D57}.exe	41
PID 828 wrote to memory of 1760	828	{3FFD314C-E8D6-4b98-BD92-8225A88B8D57}.exe	41
PID 828 wrote to memory of 1760	828	{3FFD314C-E8D6-4b98-BD92-8225A88B8D57}.exe	41
PID 828 wrote to memory of 1760	828	{3FFD314C-E8D6-4b98-BD92-8225A88B8D57}.exe	41
PID 1620 wrote to memory of 1800	1620	{D9EBBDCF-5ECC-49e7-A4E1-A431CB3F173A}.exe	42
PID 1620 wrote to memory of 1800	1620	{D9EBBDCF-5ECC-49e7-A4E1-A431CB3F173A}.exe	42
PID 1620 wrote to memory of 1800	1620	{D9EBBDCF-5ECC-49e7-A4E1-A431CB3F173A}.exe	42
PID 1620 wrote to memory of 1800	1620	{D9EBBDCF-5ECC-49e7-A4E1-A431CB3F173A}.exe	42
PID 1620 wrote to memory of 2288	1620	{D9EBBDCF-5ECC-49e7-A4E1-A431CB3F173A}.exe	43
PID 1620 wrote to memory of 2288	1620	{D9EBBDCF-5ECC-49e7-A4E1-A431CB3F173A}.exe	43
PID 1620 wrote to memory of 2288	1620	{D9EBBDCF-5ECC-49e7-A4E1-A431CB3F173A}.exe	43
PID 1620 wrote to memory of 2288	1620	{D9EBBDCF-5ECC-49e7-A4E1-A431CB3F173A}.exe	43
PID 1800 wrote to memory of 1756	1800	{B13A9834-B316-4816-B0DA-FD4EA25B1A3C}.exe	44
PID 1800 wrote to memory of 1756	1800	{B13A9834-B316-4816-B0DA-FD4EA25B1A3C}.exe	44
PID 1800 wrote to memory of 1756	1800	{B13A9834-B316-4816-B0DA-FD4EA25B1A3C}.exe	44
PID 1800 wrote to memory of 1756	1800	{B13A9834-B316-4816-B0DA-FD4EA25B1A3C}.exe	44
PID 1800 wrote to memory of 1340	1800	{B13A9834-B316-4816-B0DA-FD4EA25B1A3C}.exe	45
PID 1800 wrote to memory of 1340	1800	{B13A9834-B316-4816-B0DA-FD4EA25B1A3C}.exe	45
PID 1800 wrote to memory of 1340	1800	{B13A9834-B316-4816-B0DA-FD4EA25B1A3C}.exe	45
PID 1800 wrote to memory of 1340	1800	{B13A9834-B316-4816-B0DA-FD4EA25B1A3C}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-03-10_a988db91e2f0672a64a8d46d0a18267f_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-10_a988db91e2f0672a64a8d46d0a18267f_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2740
- C:\Windows\{4CDA9483-D5C5-4e75-8D24-BCC8684634FB}.exe
  C:\Windows\{4CDA9483-D5C5-4e75-8D24-BCC8684634FB}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2940
- - C:\Windows\{5D92E2F7-8F0C-457c-A92E-1D1459EDE335}.exe
    C:\Windows\{5D92E2F7-8F0C-457c-A92E-1D1459EDE335}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1972
  - - C:\Windows\{39871CD6-66B7-4cff-9ACE-70DEEC284BB2}.exe
      C:\Windows\{39871CD6-66B7-4cff-9ACE-70DEEC284BB2}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1908
    - - C:\Windows\{98CE9773-562D-4b56-88C5-BE2B3C4ACB5C}.exe
        
        C:\Windows\{98CE9773-562D-4b56-88C5-BE2B3C4ACB5C}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1672
      - C:\Windows\{3FFD314C-E8D6-4b98-BD92-8225A88B8D57}.exe
        
        C:\Windows\{3FFD314C-E8D6-4b98-BD92-8225A88B8D57}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:828
        
        C:\Windows\{D9EBBDCF-5ECC-49e7-A4E1-A431CB3F173A}.exe
        
        C:\Windows\{D9EBBDCF-5ECC-49e7-A4E1-A431CB3F173A}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1620
        
        C:\Windows\{B13A9834-B316-4816-B0DA-FD4EA25B1A3C}.exe
        
        C:\Windows\{B13A9834-B316-4816-B0DA-FD4EA25B1A3C}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1800
        
        C:\Windows\{456CD828-E777-4aa9-B284-912CBEB2667B}.exe
        
        C:\Windows\{456CD828-E777-4aa9-B284-912CBEB2667B}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1756
        
        C:\Windows\{F475A336-BB9C-4898-8992-3369B2D6FB2F}.exe
        
        C:\Windows\{F475A336-BB9C-4898-8992-3369B2D6FB2F}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1180
        
        C:\Windows\{83F4E498-2508-427b-B321-E83627FEBBE3}.exe
        
        C:\Windows\{83F4E498-2508-427b-B321-E83627FEBBE3}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:564
        
        C:\Windows\{E0753370-9A04-4b8b-83F0-C07198814767}.exe
        
        C:\Windows\{E0753370-9A04-4b8b-83F0-C07198814767}.exe
        12⤵
        Executes dropped EXE
        
        PID:1440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{83F4E~1.EXE > nul
        12⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F475A~1.EXE > nul
        11⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{456CD~1.EXE > nul
        10⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B13A9~1.EXE > nul
        9⤵
        
        PID:1340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D9EBB~1.EXE > nul
        8⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3FFD3~1.EXE > nul
        7⤵
        
        PID:1760
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{98CE9~1.EXE > nul
        6⤵
        
        PID:1452
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{39871~1.EXE > nul
        5⤵
        
        PID:1656
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{5D92E~1.EXE > nul
      4⤵
      PID:3008
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{4CDA9~1.EXE > nul
    3⤵
    PID:2428
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{39871CD6-66B7-4cff-9ACE-70DEEC284BB2}.exe

Filesize
204KB

MD5
8a064f8587756e5df0069c019ddaecd2

SHA1
9e82ff2fd53e9ad514ee777789a5e4b0efbfeae4

SHA256
c58755f3325f0b9948d77e832c8f0b4d845007b0c0b065fd19b6d0a3f849c3be

SHA512
78c8a4d4d8d65bc3be3b9af01ca293a47b55384ff77a91f11beedf19b9bbb9791fde4f1ebf077f68e8ae8bbcc78820a4803ccb6d46809cabac536e529065a56c

Download Submit
C:\Windows\{3FFD314C-E8D6-4b98-BD92-8225A88B8D57}.exe

Filesize
204KB

MD5
33237ec0809022cc3381092b3e6bc845

SHA1
3c2cbd7b57e2a98ee07b15094b996b2ed9048627

SHA256
6cf18b8245d70e68bd90aa5a29d3362f8c4e294f142cf59371154b3cde9ef0f9

SHA512
252a75c33322a6f7184e4b67fd7ee335e54709c5ddd26332364b03c063dfc79d84600ecfe5e31471997fd867aa33db5eb25c5dcf74228e35872220feb3f88e1f

Download Submit
C:\Windows\{456CD828-E777-4aa9-B284-912CBEB2667B}.exe

Filesize
204KB

MD5
04e5108f9cf7b87fe1ea3c444b9af229

SHA1
b1ef31fb50958adcd60992c7fd17fe87cf6d7121

SHA256
99ccb653f2c619bc9713a864d189680616a712801358b8b29a6ce3bf5e826d22

SHA512
db57ccf8dc899a9d4fbd09611792de76ff994dbdeba532652710eda9718147d23aab3591adf10fcc6b24b071629a0e48f0f1f6628ed74c671dfe8d1293551285

Download Submit
C:\Windows\{4CDA9483-D5C5-4e75-8D24-BCC8684634FB}.exe

Filesize
204KB

MD5
8f479167816b9ab651bbcc18bba84b70

SHA1
bb714b828976b8baf4b913b1657a93a0bd70454a

SHA256
18f1698d0b485ef91428f204e177fee78898f76e3d08b8ee40abe6cd391d0b55

SHA512
c3f419aadd21d392b23ef8d840330b83b2309fe737bb0023e2dba0c307c460f23ce86866e2440c06c442963f97f3efd000f22045972a66b4f5bb25295800cb5e

Download Submit
C:\Windows\{4CDA9483-D5C5-4e75-8D24-BCC8684634FB}.exe

Filesize
167KB

MD5
c10a938d0b5f0028fb37c550be6f7b4c

SHA1
a0b49be6e347d7b778ae2aea4fcd7e743206a2e2

SHA256
dae856499e9ec90255c87eb65c2c788ae7ba9d662a3fe6ae0b5904d02cb04c7a

SHA512
2c7a2b49aa9b357878a21f209281708b479f40b118b1acffdba973f9ef1c3511655baa91b8e209a0bfd40bf9ef4bd34d5d59583e4809cfa58340c04b1ab7d701

Download Submit
C:\Windows\{5D92E2F7-8F0C-457c-A92E-1D1459EDE335}.exe

Filesize
204KB

MD5
d81d6c86486386d12a1cb32c76476848

SHA1
e3e856096667a86a59b73b854629fb2421a5e8c1

SHA256
c6c4cf1d4b833330f0da3377b7902ada69838216b2cc5d28f1db3f1220e964db

SHA512
d69047802fa0eccf468d4670f99e54d9ceb253632e9b378ab9c2b59cdd13de6e5434ef3f91f28bc188f11ba962d0d71b0a748d33de32c49058d94e6fc132a029

Download Submit
C:\Windows\{83F4E498-2508-427b-B321-E83627FEBBE3}.exe

Filesize
191KB

MD5
2ad3641fb37f80957da4568418b7ccb7

SHA1
600c0c513ec4ad8253d9da7b5f941e72dd626c90

SHA256
2f8228ca24fdce3c51b941153e81f633c81b4a08eff5895f0cc1b12279e89324

SHA512
3bbe7d287916f1069054a9cf31f5276b9598e8a7b016811c07e934355a44353c56e321f9c53edbb3ecd85d0eab1d01e0fa7f8e6648f2a7552b59b9aaff22e947

Download Submit
C:\Windows\{83F4E498-2508-427b-B321-E83627FEBBE3}.exe

Filesize
204KB

MD5
589645ec75c7a1f56307d276d7b2533a

SHA1
b0708d8199572ac3dd2015d4ac4dab73b65aeb94

SHA256
72c57a6412f324c9f3f17460e806ee51ffcc2b9e29c02ddb3a3aa29313a085c1

SHA512
45e0e6f6ec4d888a00e294f0e15bca97bccedc0bc388cf03aeb62075793e51bf4792392096e09b9e4562cc2ac56f92070a173f4ada5d714681e72758d64d0a5d

Download Submit
C:\Windows\{98CE9773-562D-4b56-88C5-BE2B3C4ACB5C}.exe

Filesize
204KB

MD5
3870dbe870bf14e25381be3c45b5bcaf

SHA1
77e761a65b53c4faef80c152d9d8574d35a9dd2d

SHA256
3c51c43f088f04d88a73c94ca4a57a05a7ad9aa4ce4e3b177482e6e601e2b934

SHA512
9b32a3489e40a877619c00624dcd1ad9358af49af624e9592934ff9e2be1a7056da0e421051f3563009bb827c1211a5bf5bb01df50e8b75fca9ff49dc7d01fd2

Download Submit
C:\Windows\{B13A9834-B316-4816-B0DA-FD4EA25B1A3C}.exe

Filesize
204KB

MD5
72b04834d13dc9cd27ec0b44530762c5

SHA1
1a21e50b6173bf7519bae2b814eb0f3065013aef

SHA256
5959fa89cbe4012a09729e04d4256c7cdfe762ed87609236d8df82711829fc34

SHA512
f4385dd170a8c5794335f15cf93045aa4b3acf4f5936e47b75b7a8564208e0f2ce64e7185de66248c2325be87f5d2343cfd5432a6b60b0977c8c38eeae32308b

Download Submit
C:\Windows\{D9EBBDCF-5ECC-49e7-A4E1-A431CB3F173A}.exe

Filesize
204KB

MD5
07f01cca1203551fdbbf0be0fe304f80

SHA1
241167f68cefc6558d19b2bf9e392cf470c0dc04

SHA256
4dc1dca8d9232383c75788106bb8cad12fc42779613be042b01bb66eefaa44d9

SHA512
c20b820a1a673473975c122f03870812943fa0b44ebf36ed5bd10d1e57447e335b4d1eae6661517831ed832a90b116f7985426457692c05635da19ce56e86bc0

Download Submit
C:\Windows\{E0753370-9A04-4b8b-83F0-C07198814767}.exe

Filesize
204KB

MD5
4d7f72af7b4bd5af4c685a6ca294128f

SHA1
173166fee556f343e99f191588ddc726b69c2f8c

SHA256
2bf8851391000b9091af5b11354bc30b498caf3feea9e3a3d9d7b9cbf676fe05

SHA512
51081276c6ea2799b4d88611a13c863723a9959157e346c5b263e8ac262a5fe1e53bead4dc695d43c489de55c6b3b44d0742f19801b26b2a1b86fc5c6a604903

Download Submit
C:\Windows\{F475A336-BB9C-4898-8992-3369B2D6FB2F}.exe

Filesize
204KB

MD5
cd9dc29ba8cb2f4beb7717dce19509cd

SHA1
fd08dface66649d3af80e5348b2b27e1d7664f60

SHA256
b11f6dcdf0c2b9fec22dfa3ff71b375ff5f8072b6570698ee382f34f79da45aa

SHA512
106e14de89b66561a70d6a5d18dca9e177190960d1319f09a035df864f3e82f9e825c7d386c9b48b84a83fd0a0bbbb4351a9d17754dad055764b260938c6c456

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads