005a1cf4c6a461f930be9635339ae9428fc5bbfd6317a0de6097b08fc856fd04

Analysis

max time kernel
144s
max time network
125s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
11/03/2024, 07:25

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-03-11_7c3182f58ef9188a8a807e45b2505b94_goldeneye.exe
Size

216KB
MD5

7c3182f58ef9188a8a807e45b2505b94
SHA1

d92b9eadca12e64d2ed645227e9ad0a0027970bf
SHA256

005a1cf4c6a461f930be9635339ae9428fc5bbfd6317a0de6097b08fc856fd04
SHA512

ff164afafdf59ab4b18984d4ffc320f96153ef1e685a366fd7155da9412cebdd73100f49431a5befb0a7e0669e3806d2053c211e7a037606fb136164cfaf9f8c
SSDEEP

3072:jEGh0orl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEGRlEeKcAEcGy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x0009000000012256-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000800000001227e-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a000000012256-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000300000000b1f3-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000400000000b1f3-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000500000000b1f3-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000600000000b1f3-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{95D408A4-3A18-4c08-AAB9-7AD53FD69CA1}\stubpath = "C:\\Windows\\{95D408A4-3A18-4c08-AAB9-7AD53FD69CA1}.exe"	{659124B9-63BE-4173-9492-A272CF5E98D6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DD9D2B7E-53D8-416d-A865-F9594F00A812}	{95D408A4-3A18-4c08-AAB9-7AD53FD69CA1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D4946CAE-73E7-437e-B59D-E90422A7EDB6}	{DD9D2B7E-53D8-416d-A865-F9594F00A812}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C4C1487F-75FC-43b3-8515-AB9F9CF94EE2}\stubpath = "C:\\Windows\\{C4C1487F-75FC-43b3-8515-AB9F9CF94EE2}.exe"	2024-03-11_7c3182f58ef9188a8a807e45b2505b94_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DDE6DFF9-3E88-4fe6-9533-EE991E3CCE2D}	{C4C1487F-75FC-43b3-8515-AB9F9CF94EE2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4290607C-9BCD-442c-8479-682FE8D95A53}	{E62C1E3C-FD9B-4c83-983F-C2740F97CB7C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{659124B9-63BE-4173-9492-A272CF5E98D6}	{4290607C-9BCD-442c-8479-682FE8D95A53}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C4C1487F-75FC-43b3-8515-AB9F9CF94EE2}	2024-03-11_7c3182f58ef9188a8a807e45b2505b94_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E62C1E3C-FD9B-4c83-983F-C2740F97CB7C}	{09CC73D8-0B08-4e29-8712-16863BABEC70}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{09CC73D8-0B08-4e29-8712-16863BABEC70}\stubpath = "C:\\Windows\\{09CC73D8-0B08-4e29-8712-16863BABEC70}.exe"	{F1E08BFD-5B12-47af-8DB9-25B25DF3FAF8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E62C1E3C-FD9B-4c83-983F-C2740F97CB7C}\stubpath = "C:\\Windows\\{E62C1E3C-FD9B-4c83-983F-C2740F97CB7C}.exe"	{09CC73D8-0B08-4e29-8712-16863BABEC70}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4290607C-9BCD-442c-8479-682FE8D95A53}\stubpath = "C:\\Windows\\{4290607C-9BCD-442c-8479-682FE8D95A53}.exe"	{E62C1E3C-FD9B-4c83-983F-C2740F97CB7C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{659124B9-63BE-4173-9492-A272CF5E98D6}\stubpath = "C:\\Windows\\{659124B9-63BE-4173-9492-A272CF5E98D6}.exe"	{4290607C-9BCD-442c-8479-682FE8D95A53}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{95D408A4-3A18-4c08-AAB9-7AD53FD69CA1}	{659124B9-63BE-4173-9492-A272CF5E98D6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DD9D2B7E-53D8-416d-A865-F9594F00A812}\stubpath = "C:\\Windows\\{DD9D2B7E-53D8-416d-A865-F9594F00A812}.exe"	{95D408A4-3A18-4c08-AAB9-7AD53FD69CA1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F1E08BFD-5B12-47af-8DB9-25B25DF3FAF8}\stubpath = "C:\\Windows\\{F1E08BFD-5B12-47af-8DB9-25B25DF3FAF8}.exe"	{DDE6DFF9-3E88-4fe6-9533-EE991E3CCE2D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{09CC73D8-0B08-4e29-8712-16863BABEC70}	{F1E08BFD-5B12-47af-8DB9-25B25DF3FAF8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{464B8540-EAB3-40dd-974B-993681074397}	{D4946CAE-73E7-437e-B59D-E90422A7EDB6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D4946CAE-73E7-437e-B59D-E90422A7EDB6}\stubpath = "C:\\Windows\\{D4946CAE-73E7-437e-B59D-E90422A7EDB6}.exe"	{DD9D2B7E-53D8-416d-A865-F9594F00A812}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{464B8540-EAB3-40dd-974B-993681074397}\stubpath = "C:\\Windows\\{464B8540-EAB3-40dd-974B-993681074397}.exe"	{D4946CAE-73E7-437e-B59D-E90422A7EDB6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DDE6DFF9-3E88-4fe6-9533-EE991E3CCE2D}\stubpath = "C:\\Windows\\{DDE6DFF9-3E88-4fe6-9533-EE991E3CCE2D}.exe"	{C4C1487F-75FC-43b3-8515-AB9F9CF94EE2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F1E08BFD-5B12-47af-8DB9-25B25DF3FAF8}	{DDE6DFF9-3E88-4fe6-9533-EE991E3CCE2D}.exe

Deletes itself 1 IoCs

pid	Process
2628	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
3068	{C4C1487F-75FC-43b3-8515-AB9F9CF94EE2}.exe
2440	{DDE6DFF9-3E88-4fe6-9533-EE991E3CCE2D}.exe
2596	{F1E08BFD-5B12-47af-8DB9-25B25DF3FAF8}.exe
2420	{09CC73D8-0B08-4e29-8712-16863BABEC70}.exe
2804	{E62C1E3C-FD9B-4c83-983F-C2740F97CB7C}.exe
1644	{4290607C-9BCD-442c-8479-682FE8D95A53}.exe
2180	{659124B9-63BE-4173-9492-A272CF5E98D6}.exe
868	{95D408A4-3A18-4c08-AAB9-7AD53FD69CA1}.exe
2968	{DD9D2B7E-53D8-416d-A865-F9594F00A812}.exe
572	{D4946CAE-73E7-437e-B59D-E90422A7EDB6}.exe
2900	{464B8540-EAB3-40dd-974B-993681074397}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{DDE6DFF9-3E88-4fe6-9533-EE991E3CCE2D}.exe	{C4C1487F-75FC-43b3-8515-AB9F9CF94EE2}.exe
File created	C:\Windows\{E62C1E3C-FD9B-4c83-983F-C2740F97CB7C}.exe	{09CC73D8-0B08-4e29-8712-16863BABEC70}.exe
File created	C:\Windows\{95D408A4-3A18-4c08-AAB9-7AD53FD69CA1}.exe	{659124B9-63BE-4173-9492-A272CF5E98D6}.exe
File created	C:\Windows\{464B8540-EAB3-40dd-974B-993681074397}.exe	{D4946CAE-73E7-437e-B59D-E90422A7EDB6}.exe
File created	C:\Windows\{C4C1487F-75FC-43b3-8515-AB9F9CF94EE2}.exe	2024-03-11_7c3182f58ef9188a8a807e45b2505b94_goldeneye.exe
File created	C:\Windows\{F1E08BFD-5B12-47af-8DB9-25B25DF3FAF8}.exe	{DDE6DFF9-3E88-4fe6-9533-EE991E3CCE2D}.exe
File created	C:\Windows\{09CC73D8-0B08-4e29-8712-16863BABEC70}.exe	{F1E08BFD-5B12-47af-8DB9-25B25DF3FAF8}.exe
File created	C:\Windows\{4290607C-9BCD-442c-8479-682FE8D95A53}.exe	{E62C1E3C-FD9B-4c83-983F-C2740F97CB7C}.exe
File created	C:\Windows\{659124B9-63BE-4173-9492-A272CF5E98D6}.exe	{4290607C-9BCD-442c-8479-682FE8D95A53}.exe
File created	C:\Windows\{DD9D2B7E-53D8-416d-A865-F9594F00A812}.exe	{95D408A4-3A18-4c08-AAB9-7AD53FD69CA1}.exe
File created	C:\Windows\{D4946CAE-73E7-437e-B59D-E90422A7EDB6}.exe	{DD9D2B7E-53D8-416d-A865-F9594F00A812}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2512	2024-03-11_7c3182f58ef9188a8a807e45b2505b94_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3068	{C4C1487F-75FC-43b3-8515-AB9F9CF94EE2}.exe
Token: SeIncBasePriorityPrivilege	2440	{DDE6DFF9-3E88-4fe6-9533-EE991E3CCE2D}.exe
Token: SeIncBasePriorityPrivilege	2596	{F1E08BFD-5B12-47af-8DB9-25B25DF3FAF8}.exe
Token: SeIncBasePriorityPrivilege	2420	{09CC73D8-0B08-4e29-8712-16863BABEC70}.exe
Token: SeIncBasePriorityPrivilege	2804	{E62C1E3C-FD9B-4c83-983F-C2740F97CB7C}.exe
Token: SeIncBasePriorityPrivilege	1644	{4290607C-9BCD-442c-8479-682FE8D95A53}.exe
Token: SeIncBasePriorityPrivilege	2180	{659124B9-63BE-4173-9492-A272CF5E98D6}.exe
Token: SeIncBasePriorityPrivilege	868	{95D408A4-3A18-4c08-AAB9-7AD53FD69CA1}.exe
Token: SeIncBasePriorityPrivilege	2968	{DD9D2B7E-53D8-416d-A865-F9594F00A812}.exe
Token: SeIncBasePriorityPrivilege	572	{D4946CAE-73E7-437e-B59D-E90422A7EDB6}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2512 wrote to memory of 3068	2512	2024-03-11_7c3182f58ef9188a8a807e45b2505b94_goldeneye.exe	28
PID 2512 wrote to memory of 3068	2512	2024-03-11_7c3182f58ef9188a8a807e45b2505b94_goldeneye.exe	28
PID 2512 wrote to memory of 3068	2512	2024-03-11_7c3182f58ef9188a8a807e45b2505b94_goldeneye.exe	28
PID 2512 wrote to memory of 3068	2512	2024-03-11_7c3182f58ef9188a8a807e45b2505b94_goldeneye.exe	28
PID 2512 wrote to memory of 2628	2512	2024-03-11_7c3182f58ef9188a8a807e45b2505b94_goldeneye.exe	29
PID 2512 wrote to memory of 2628	2512	2024-03-11_7c3182f58ef9188a8a807e45b2505b94_goldeneye.exe	29
PID 2512 wrote to memory of 2628	2512	2024-03-11_7c3182f58ef9188a8a807e45b2505b94_goldeneye.exe	29
PID 2512 wrote to memory of 2628	2512	2024-03-11_7c3182f58ef9188a8a807e45b2505b94_goldeneye.exe	29
PID 3068 wrote to memory of 2440	3068	{C4C1487F-75FC-43b3-8515-AB9F9CF94EE2}.exe	30
PID 3068 wrote to memory of 2440	3068	{C4C1487F-75FC-43b3-8515-AB9F9CF94EE2}.exe	30
PID 3068 wrote to memory of 2440	3068	{C4C1487F-75FC-43b3-8515-AB9F9CF94EE2}.exe	30
PID 3068 wrote to memory of 2440	3068	{C4C1487F-75FC-43b3-8515-AB9F9CF94EE2}.exe	30
PID 3068 wrote to memory of 2548	3068	{C4C1487F-75FC-43b3-8515-AB9F9CF94EE2}.exe	31
PID 3068 wrote to memory of 2548	3068	{C4C1487F-75FC-43b3-8515-AB9F9CF94EE2}.exe	31
PID 3068 wrote to memory of 2548	3068	{C4C1487F-75FC-43b3-8515-AB9F9CF94EE2}.exe	31
PID 3068 wrote to memory of 2548	3068	{C4C1487F-75FC-43b3-8515-AB9F9CF94EE2}.exe	31
PID 2440 wrote to memory of 2596	2440	{DDE6DFF9-3E88-4fe6-9533-EE991E3CCE2D}.exe	32
PID 2440 wrote to memory of 2596	2440	{DDE6DFF9-3E88-4fe6-9533-EE991E3CCE2D}.exe	32
PID 2440 wrote to memory of 2596	2440	{DDE6DFF9-3E88-4fe6-9533-EE991E3CCE2D}.exe	32
PID 2440 wrote to memory of 2596	2440	{DDE6DFF9-3E88-4fe6-9533-EE991E3CCE2D}.exe	32
PID 2440 wrote to memory of 2488	2440	{DDE6DFF9-3E88-4fe6-9533-EE991E3CCE2D}.exe	33
PID 2440 wrote to memory of 2488	2440	{DDE6DFF9-3E88-4fe6-9533-EE991E3CCE2D}.exe	33
PID 2440 wrote to memory of 2488	2440	{DDE6DFF9-3E88-4fe6-9533-EE991E3CCE2D}.exe	33
PID 2440 wrote to memory of 2488	2440	{DDE6DFF9-3E88-4fe6-9533-EE991E3CCE2D}.exe	33
PID 2596 wrote to memory of 2420	2596	{F1E08BFD-5B12-47af-8DB9-25B25DF3FAF8}.exe	36
PID 2596 wrote to memory of 2420	2596	{F1E08BFD-5B12-47af-8DB9-25B25DF3FAF8}.exe	36
PID 2596 wrote to memory of 2420	2596	{F1E08BFD-5B12-47af-8DB9-25B25DF3FAF8}.exe	36
PID 2596 wrote to memory of 2420	2596	{F1E08BFD-5B12-47af-8DB9-25B25DF3FAF8}.exe	36
PID 2596 wrote to memory of 2748	2596	{F1E08BFD-5B12-47af-8DB9-25B25DF3FAF8}.exe	37
PID 2596 wrote to memory of 2748	2596	{F1E08BFD-5B12-47af-8DB9-25B25DF3FAF8}.exe	37
PID 2596 wrote to memory of 2748	2596	{F1E08BFD-5B12-47af-8DB9-25B25DF3FAF8}.exe	37
PID 2596 wrote to memory of 2748	2596	{F1E08BFD-5B12-47af-8DB9-25B25DF3FAF8}.exe	37
PID 2420 wrote to memory of 2804	2420	{09CC73D8-0B08-4e29-8712-16863BABEC70}.exe	38
PID 2420 wrote to memory of 2804	2420	{09CC73D8-0B08-4e29-8712-16863BABEC70}.exe	38
PID 2420 wrote to memory of 2804	2420	{09CC73D8-0B08-4e29-8712-16863BABEC70}.exe	38
PID 2420 wrote to memory of 2804	2420	{09CC73D8-0B08-4e29-8712-16863BABEC70}.exe	38
PID 2420 wrote to memory of 1812	2420	{09CC73D8-0B08-4e29-8712-16863BABEC70}.exe	39
PID 2420 wrote to memory of 1812	2420	{09CC73D8-0B08-4e29-8712-16863BABEC70}.exe	39
PID 2420 wrote to memory of 1812	2420	{09CC73D8-0B08-4e29-8712-16863BABEC70}.exe	39
PID 2420 wrote to memory of 1812	2420	{09CC73D8-0B08-4e29-8712-16863BABEC70}.exe	39
PID 2804 wrote to memory of 1644	2804	{E62C1E3C-FD9B-4c83-983F-C2740F97CB7C}.exe	40
PID 2804 wrote to memory of 1644	2804	{E62C1E3C-FD9B-4c83-983F-C2740F97CB7C}.exe	40
PID 2804 wrote to memory of 1644	2804	{E62C1E3C-FD9B-4c83-983F-C2740F97CB7C}.exe	40
PID 2804 wrote to memory of 1644	2804	{E62C1E3C-FD9B-4c83-983F-C2740F97CB7C}.exe	40
PID 2804 wrote to memory of 1868	2804	{E62C1E3C-FD9B-4c83-983F-C2740F97CB7C}.exe	41
PID 2804 wrote to memory of 1868	2804	{E62C1E3C-FD9B-4c83-983F-C2740F97CB7C}.exe	41
PID 2804 wrote to memory of 1868	2804	{E62C1E3C-FD9B-4c83-983F-C2740F97CB7C}.exe	41
PID 2804 wrote to memory of 1868	2804	{E62C1E3C-FD9B-4c83-983F-C2740F97CB7C}.exe	41
PID 1644 wrote to memory of 2180	1644	{4290607C-9BCD-442c-8479-682FE8D95A53}.exe	42
PID 1644 wrote to memory of 2180	1644	{4290607C-9BCD-442c-8479-682FE8D95A53}.exe	42
PID 1644 wrote to memory of 2180	1644	{4290607C-9BCD-442c-8479-682FE8D95A53}.exe	42
PID 1644 wrote to memory of 2180	1644	{4290607C-9BCD-442c-8479-682FE8D95A53}.exe	42
PID 1644 wrote to memory of 664	1644	{4290607C-9BCD-442c-8479-682FE8D95A53}.exe	43
PID 1644 wrote to memory of 664	1644	{4290607C-9BCD-442c-8479-682FE8D95A53}.exe	43
PID 1644 wrote to memory of 664	1644	{4290607C-9BCD-442c-8479-682FE8D95A53}.exe	43
PID 1644 wrote to memory of 664	1644	{4290607C-9BCD-442c-8479-682FE8D95A53}.exe	43
PID 2180 wrote to memory of 868	2180	{659124B9-63BE-4173-9492-A272CF5E98D6}.exe	44
PID 2180 wrote to memory of 868	2180	{659124B9-63BE-4173-9492-A272CF5E98D6}.exe	44
PID 2180 wrote to memory of 868	2180	{659124B9-63BE-4173-9492-A272CF5E98D6}.exe	44
PID 2180 wrote to memory of 868	2180	{659124B9-63BE-4173-9492-A272CF5E98D6}.exe	44
PID 2180 wrote to memory of 632	2180	{659124B9-63BE-4173-9492-A272CF5E98D6}.exe	45
PID 2180 wrote to memory of 632	2180	{659124B9-63BE-4173-9492-A272CF5E98D6}.exe	45
PID 2180 wrote to memory of 632	2180	{659124B9-63BE-4173-9492-A272CF5E98D6}.exe	45
PID 2180 wrote to memory of 632	2180	{659124B9-63BE-4173-9492-A272CF5E98D6}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-03-11_7c3182f58ef9188a8a807e45b2505b94_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-11_7c3182f58ef9188a8a807e45b2505b94_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2512
- C:\Windows\{C4C1487F-75FC-43b3-8515-AB9F9CF94EE2}.exe
  C:\Windows\{C4C1487F-75FC-43b3-8515-AB9F9CF94EE2}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3068
- - C:\Windows\{DDE6DFF9-3E88-4fe6-9533-EE991E3CCE2D}.exe
    C:\Windows\{DDE6DFF9-3E88-4fe6-9533-EE991E3CCE2D}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2440
  - - C:\Windows\{F1E08BFD-5B12-47af-8DB9-25B25DF3FAF8}.exe
      C:\Windows\{F1E08BFD-5B12-47af-8DB9-25B25DF3FAF8}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2596
    - - C:\Windows\{09CC73D8-0B08-4e29-8712-16863BABEC70}.exe
        
        C:\Windows\{09CC73D8-0B08-4e29-8712-16863BABEC70}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2420
      - C:\Windows\{E62C1E3C-FD9B-4c83-983F-C2740F97CB7C}.exe
        
        C:\Windows\{E62C1E3C-FD9B-4c83-983F-C2740F97CB7C}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2804
        
        C:\Windows\{4290607C-9BCD-442c-8479-682FE8D95A53}.exe
        
        C:\Windows\{4290607C-9BCD-442c-8479-682FE8D95A53}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1644
        
        C:\Windows\{659124B9-63BE-4173-9492-A272CF5E98D6}.exe
        
        C:\Windows\{659124B9-63BE-4173-9492-A272CF5E98D6}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2180
        
        C:\Windows\{95D408A4-3A18-4c08-AAB9-7AD53FD69CA1}.exe
        
        C:\Windows\{95D408A4-3A18-4c08-AAB9-7AD53FD69CA1}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:868
        
        C:\Windows\{DD9D2B7E-53D8-416d-A865-F9594F00A812}.exe
        
        C:\Windows\{DD9D2B7E-53D8-416d-A865-F9594F00A812}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2968
        
        C:\Windows\{D4946CAE-73E7-437e-B59D-E90422A7EDB6}.exe
        
        C:\Windows\{D4946CAE-73E7-437e-B59D-E90422A7EDB6}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:572
        
        C:\Windows\{464B8540-EAB3-40dd-974B-993681074397}.exe
        
        C:\Windows\{464B8540-EAB3-40dd-974B-993681074397}.exe
        12⤵
        Executes dropped EXE
        
        PID:2900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D4946~1.EXE > nul
        12⤵
        
        PID:528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DD9D2~1.EXE > nul
        11⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{95D40~1.EXE > nul
        10⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{65912~1.EXE > nul
        9⤵
        
        PID:632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{42906~1.EXE > nul
        8⤵
        
        PID:664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E62C1~1.EXE > nul
        7⤵
        
        PID:1868
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{09CC7~1.EXE > nul
        6⤵
        
        PID:1812
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F1E08~1.EXE > nul
        5⤵
        
        PID:2748
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{DDE6D~1.EXE > nul
      4⤵
      PID:2488
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{C4C14~1.EXE > nul
    3⤵
    PID:2548
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{09CC73D8-0B08-4e29-8712-16863BABEC70}.exe

Filesize
216KB

MD5
95cea778d91883fce4c7a205a0cbb3f8

SHA1
64c214712cb114afec5ea42e9b4e7d473e5922d8

SHA256
65d03a6bc0a8d347fb294f5d25c2b9af80d2dde83757549967f2fa51b309637c

SHA512
6febd6eb99b776068002f1fc24dc495202369f531bae87d98e84976413f739d31ed87ac6c09a756350187c759b30641b990bb7fb5957397ea2d1c3b14bea52df

Download Submit
C:\Windows\{4290607C-9BCD-442c-8479-682FE8D95A53}.exe

Filesize
216KB

MD5
db8f42dae220fb1ef524481dd5692c43

SHA1
9dc733b88936250904cc259de02e363401779245

SHA256
9a4674157f80462124c907eeeeb9203782d24335355962577c337996cbcf90bf

SHA512
7ae67f42f2ccd900da20245085ab689da0bfacb80968e8deb65c8edac2feb1f15cdee383ed5f70ad1d722463b04e3bb09fa0faa97a5e1c7c181f4442fd390109

Download Submit
C:\Windows\{464B8540-EAB3-40dd-974B-993681074397}.exe

Filesize
216KB

MD5
65ca3163f02c80646d6d878d0732771c

SHA1
7ba8295726268d43f77d2d9c451ae71c57befa4c

SHA256
cd0d6b77dcbcbf67ae0f4d2c1038c4257a969d06a0eca8fbb59e8304db07ec67

SHA512
7029015ed7ebaf26c8ec8621c292ddc3ce6d737c35966fc6da5e672299261382e982e21b7e3ea72b3d92ffe5810851e6c533ad14281816891cb43bf1954e5568

Download Submit
C:\Windows\{659124B9-63BE-4173-9492-A272CF5E98D6}.exe

Filesize
216KB

MD5
2e74163792232ea25d608daf74bf673e

SHA1
d07db5f3538d6e4e15737c6062285350dd839b0e

SHA256
96b636f8b248552757a1db61bdfaf62712c0fc3651201e288b1c51b3efe3625c

SHA512
aa9e2777ef69a2f0f9c62438ed3211305ca172efa44700cf24b71548dc2e139e5fb941f3606d41346c492607fb63d552cf74e6e4a75923b2b4033ad9e4dbb4d1

Download Submit
C:\Windows\{95D408A4-3A18-4c08-AAB9-7AD53FD69CA1}.exe

Filesize
216KB

MD5
fea4f03366f05871638e30ecf5e83b66

SHA1
7fecfd503741bcbf47bf46555b3511d0a5b74f58

SHA256
f986b9b649596899528e5a23102eba85220c477de8f5029dbc2aa723ccc0b2a8

SHA512
e777840377d9e025dee8ade6d5f2927f0b57844b230febd4373535fa49e89008aef56aa8006b712e32ffb4c75b65d126d80b48df4ef333e88cde235c84466bd2

Download Submit
C:\Windows\{C4C1487F-75FC-43b3-8515-AB9F9CF94EE2}.exe

Filesize
216KB

MD5
c4a19db7c369ceac856bdc9b9c18ae40

SHA1
aff4119733b1e6632a86df994430e810d8dbc549

SHA256
1918afb3e74f9daba42e15136faa16db3c755a0c3c1b76e245172686bf7c6c9b

SHA512
df000e70abcefe46ab200456b2e4cecb1445e25f6e17053f43c90a8376d548e6c18c1b5100a40119287f25c99e786d3704d7ca8e2022c14df73d6d74415b1bc0

Download Submit
C:\Windows\{D4946CAE-73E7-437e-B59D-E90422A7EDB6}.exe

Filesize
216KB

MD5
addb05aff284ac1fa250e73f5fc7adea

SHA1
c707a0d17de04ecbe09224159cfdeea4202382bc

SHA256
34b88cbc944cc68b2c89add0888f39dd6167fe224910b70425e2a24d85367c9d

SHA512
612f557870c77c3428cda5dbcefaddcada0d425c58a1a9a0cb1315d181e3a5c12547c18674f7c4ebf69ebf7d5cc0565aaab44c7f9cd3f748de5705d10b927f5f

Download Submit
C:\Windows\{DD9D2B7E-53D8-416d-A865-F9594F00A812}.exe

Filesize
216KB

MD5
4180a2a80e53fe26ac1a7ed56f48754d

SHA1
aa002f04b7c25ac84cdbbe4fb9b4bb7be5d85ab7

SHA256
eabdce22f3609714662c3ba82f6c5945f2dd1b2d7733fe8532d30e678a7aeb9e

SHA512
6067a03447a2b66051b311deff0ec122ca78745a6d7373b811cfedb42c20c70b1202cf3f16629546ee72d6368dc66bc74ae01631dd9b79e8db0ee9f5cdc6a5bc

Download Submit
C:\Windows\{DDE6DFF9-3E88-4fe6-9533-EE991E3CCE2D}.exe

Filesize
216KB

MD5
b07e6abcac430335fb8fa3f549c2779c

SHA1
23fe8b9aaf218ba2c665f25f86b4b1b79408621c

SHA256
25d0b88b0b80f182bf079c15b4cad6f0c33b3e822a18791da1edd244b1e70072

SHA512
262d01f9006e538a578c72ff0f2c48c720b958156e549bcd7ce61fa4663081e5305170444579b9b1e080d0de73457c76c07c7a182ab13f42acb599cdd3186e0f

Download Submit
C:\Windows\{E62C1E3C-FD9B-4c83-983F-C2740F97CB7C}.exe

Filesize
216KB

MD5
1ea64a5af4cc0982f9502fdda6d83f01

SHA1
7371dcf26cb1c56bb0d8aa45e962ad872c3730bb

SHA256
8bb16d7d6166e3d445d9c075a4f7aea3969e43b0d86fa5a4d51300ae6896ef0e

SHA512
b5b9dd53775eddf9f9608ee1e8fe713043c147bf7115f5e86384c407340269196d8974f0fa71cfddd89471a0726bd2795e62f90f2659125a42074f5eb7d8c984

Download Submit
C:\Windows\{F1E08BFD-5B12-47af-8DB9-25B25DF3FAF8}.exe

Filesize
216KB

MD5
27fd985296f6173f1540bde5ae37078e

SHA1
d3e099a559c407462b6b6f3bf66b1fa7a3b92fd6

SHA256
fdf8b68cef1c7893487adec8e4c15fb7ad22e5b3636232b31b1db796cf423bdd

SHA512
6f61eecf63aff94b6d69f4b64206bf1f1156a8f9c21a36b35f531f02ed113bcc790c6ef30222cb1999e179508973b4c48325ec32d0ef27d65d781db6d27d5bba

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads