74749ef120073254a57b32bd1331424daaefa26892f72b600500acd7e6dc07e8

Analysis

max time kernel
144s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
11/03/2024, 14:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-11_9905d16e5bae467eebe0942154f0cbc9_goldeneye.exe
Size

344KB
MD5

9905d16e5bae467eebe0942154f0cbc9
SHA1

67354613ab27f0b07ce07bc4d32c6857fdcca43d
SHA256

74749ef120073254a57b32bd1331424daaefa26892f72b600500acd7e6dc07e8
SHA512

85b7e689d15b52b300d67b935985642455e1c18a3ddeed6cc0c24883a4533075cf50ccf4422339ef6197a06978d8b9be05eb9417f75897a8dbe92e8094fbfac7
SSDEEP

3072:mEGh0o6lEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEG4lqOe2MUVg3v2IneKcAEcA

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000e0000000167bf-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002d000000016c84-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002500000000b1f4-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed8-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002e000000016c84-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed8-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002f000000016c84-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed8-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0030000000016c84-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed8-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0031000000016c84-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4039FD7E-EC71-4139-85C7-E4505918B206}\stubpath = "C:\\Windows\\{4039FD7E-EC71-4139-85C7-E4505918B206}.exe"	2024-03-11_9905d16e5bae467eebe0942154f0cbc9_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{569B4899-4CDA-4fec-AF5F-97C2E64675FC}	{0EE0F078-2DD1-4952-94A9-4831503F0804}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{569B4899-4CDA-4fec-AF5F-97C2E64675FC}\stubpath = "C:\\Windows\\{569B4899-4CDA-4fec-AF5F-97C2E64675FC}.exe"	{0EE0F078-2DD1-4952-94A9-4831503F0804}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FFFDDCE3-9A7F-4fae-B613-F57BCD51DC23}	{147980AE-BDAF-4edf-9EB7-6F75F0B1DB17}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FFFDDCE3-9A7F-4fae-B613-F57BCD51DC23}\stubpath = "C:\\Windows\\{FFFDDCE3-9A7F-4fae-B613-F57BCD51DC23}.exe"	{147980AE-BDAF-4edf-9EB7-6F75F0B1DB17}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C221B35E-D6CB-46f0-BCC2-5D0DA811976D}	{3AF51A30-4705-47ac-8BCC-3A81EAE582EC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6F9167D0-DFE8-4898-9376-1655637190FD}	{5BB5F4AF-80C7-4a42-A6CC-2980C5C65992}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3AF51A30-4705-47ac-8BCC-3A81EAE582EC}	{6F9167D0-DFE8-4898-9376-1655637190FD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4039FD7E-EC71-4139-85C7-E4505918B206}	2024-03-11_9905d16e5bae467eebe0942154f0cbc9_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0EE0F078-2DD1-4952-94A9-4831503F0804}	{4039FD7E-EC71-4139-85C7-E4505918B206}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0EE0F078-2DD1-4952-94A9-4831503F0804}\stubpath = "C:\\Windows\\{0EE0F078-2DD1-4952-94A9-4831503F0804}.exe"	{4039FD7E-EC71-4139-85C7-E4505918B206}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{147980AE-BDAF-4edf-9EB7-6F75F0B1DB17}\stubpath = "C:\\Windows\\{147980AE-BDAF-4edf-9EB7-6F75F0B1DB17}.exe"	{569B4899-4CDA-4fec-AF5F-97C2E64675FC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FB8BED83-2AB2-431a-B87F-A5970492C042}\stubpath = "C:\\Windows\\{FB8BED83-2AB2-431a-B87F-A5970492C042}.exe"	{FFFDDCE3-9A7F-4fae-B613-F57BCD51DC23}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5BB5F4AF-80C7-4a42-A6CC-2980C5C65992}\stubpath = "C:\\Windows\\{5BB5F4AF-80C7-4a42-A6CC-2980C5C65992}.exe"	{FB8BED83-2AB2-431a-B87F-A5970492C042}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8F10B7FE-9108-4b38-A80D-707D18939FAA}	{C221B35E-D6CB-46f0-BCC2-5D0DA811976D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6F9167D0-DFE8-4898-9376-1655637190FD}\stubpath = "C:\\Windows\\{6F9167D0-DFE8-4898-9376-1655637190FD}.exe"	{5BB5F4AF-80C7-4a42-A6CC-2980C5C65992}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C221B35E-D6CB-46f0-BCC2-5D0DA811976D}\stubpath = "C:\\Windows\\{C221B35E-D6CB-46f0-BCC2-5D0DA811976D}.exe"	{3AF51A30-4705-47ac-8BCC-3A81EAE582EC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8F10B7FE-9108-4b38-A80D-707D18939FAA}\stubpath = "C:\\Windows\\{8F10B7FE-9108-4b38-A80D-707D18939FAA}.exe"	{C221B35E-D6CB-46f0-BCC2-5D0DA811976D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{147980AE-BDAF-4edf-9EB7-6F75F0B1DB17}	{569B4899-4CDA-4fec-AF5F-97C2E64675FC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FB8BED83-2AB2-431a-B87F-A5970492C042}	{FFFDDCE3-9A7F-4fae-B613-F57BCD51DC23}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5BB5F4AF-80C7-4a42-A6CC-2980C5C65992}	{FB8BED83-2AB2-431a-B87F-A5970492C042}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3AF51A30-4705-47ac-8BCC-3A81EAE582EC}\stubpath = "C:\\Windows\\{3AF51A30-4705-47ac-8BCC-3A81EAE582EC}.exe"	{6F9167D0-DFE8-4898-9376-1655637190FD}.exe

Deletes itself 1 IoCs

pid	Process
2540	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
3020	{4039FD7E-EC71-4139-85C7-E4505918B206}.exe
2660	{0EE0F078-2DD1-4952-94A9-4831503F0804}.exe
2836	{569B4899-4CDA-4fec-AF5F-97C2E64675FC}.exe
652	{147980AE-BDAF-4edf-9EB7-6F75F0B1DB17}.exe
1244	{FFFDDCE3-9A7F-4fae-B613-F57BCD51DC23}.exe
2848	{FB8BED83-2AB2-431a-B87F-A5970492C042}.exe
2372	{5BB5F4AF-80C7-4a42-A6CC-2980C5C65992}.exe
332	{6F9167D0-DFE8-4898-9376-1655637190FD}.exe
1548	{3AF51A30-4705-47ac-8BCC-3A81EAE582EC}.exe
2772	{C221B35E-D6CB-46f0-BCC2-5D0DA811976D}.exe
2052	{8F10B7FE-9108-4b38-A80D-707D18939FAA}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{FB8BED83-2AB2-431a-B87F-A5970492C042}.exe	{FFFDDCE3-9A7F-4fae-B613-F57BCD51DC23}.exe
File created	C:\Windows\{5BB5F4AF-80C7-4a42-A6CC-2980C5C65992}.exe	{FB8BED83-2AB2-431a-B87F-A5970492C042}.exe
File created	C:\Windows\{147980AE-BDAF-4edf-9EB7-6F75F0B1DB17}.exe	{569B4899-4CDA-4fec-AF5F-97C2E64675FC}.exe
File created	C:\Windows\{FFFDDCE3-9A7F-4fae-B613-F57BCD51DC23}.exe	{147980AE-BDAF-4edf-9EB7-6F75F0B1DB17}.exe
File created	C:\Windows\{6F9167D0-DFE8-4898-9376-1655637190FD}.exe	{5BB5F4AF-80C7-4a42-A6CC-2980C5C65992}.exe
File created	C:\Windows\{3AF51A30-4705-47ac-8BCC-3A81EAE582EC}.exe	{6F9167D0-DFE8-4898-9376-1655637190FD}.exe
File created	C:\Windows\{C221B35E-D6CB-46f0-BCC2-5D0DA811976D}.exe	{3AF51A30-4705-47ac-8BCC-3A81EAE582EC}.exe
File created	C:\Windows\{4039FD7E-EC71-4139-85C7-E4505918B206}.exe	2024-03-11_9905d16e5bae467eebe0942154f0cbc9_goldeneye.exe
File created	C:\Windows\{0EE0F078-2DD1-4952-94A9-4831503F0804}.exe	{4039FD7E-EC71-4139-85C7-E4505918B206}.exe
File created	C:\Windows\{569B4899-4CDA-4fec-AF5F-97C2E64675FC}.exe	{0EE0F078-2DD1-4952-94A9-4831503F0804}.exe
File created	C:\Windows\{8F10B7FE-9108-4b38-A80D-707D18939FAA}.exe	{C221B35E-D6CB-46f0-BCC2-5D0DA811976D}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2276	2024-03-11_9905d16e5bae467eebe0942154f0cbc9_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3020	{4039FD7E-EC71-4139-85C7-E4505918B206}.exe
Token: SeIncBasePriorityPrivilege	2660	{0EE0F078-2DD1-4952-94A9-4831503F0804}.exe
Token: SeIncBasePriorityPrivilege	2836	{569B4899-4CDA-4fec-AF5F-97C2E64675FC}.exe
Token: SeIncBasePriorityPrivilege	652	{147980AE-BDAF-4edf-9EB7-6F75F0B1DB17}.exe
Token: SeIncBasePriorityPrivilege	1244	{FFFDDCE3-9A7F-4fae-B613-F57BCD51DC23}.exe
Token: SeIncBasePriorityPrivilege	2848	{FB8BED83-2AB2-431a-B87F-A5970492C042}.exe
Token: SeIncBasePriorityPrivilege	2372	{5BB5F4AF-80C7-4a42-A6CC-2980C5C65992}.exe
Token: SeIncBasePriorityPrivilege	332	{6F9167D0-DFE8-4898-9376-1655637190FD}.exe
Token: SeIncBasePriorityPrivilege	1548	{3AF51A30-4705-47ac-8BCC-3A81EAE582EC}.exe
Token: SeIncBasePriorityPrivilege	2772	{C221B35E-D6CB-46f0-BCC2-5D0DA811976D}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2276 wrote to memory of 3020	2276	2024-03-11_9905d16e5bae467eebe0942154f0cbc9_goldeneye.exe	28
PID 2276 wrote to memory of 3020	2276	2024-03-11_9905d16e5bae467eebe0942154f0cbc9_goldeneye.exe	28
PID 2276 wrote to memory of 3020	2276	2024-03-11_9905d16e5bae467eebe0942154f0cbc9_goldeneye.exe	28
PID 2276 wrote to memory of 3020	2276	2024-03-11_9905d16e5bae467eebe0942154f0cbc9_goldeneye.exe	28
PID 2276 wrote to memory of 2540	2276	2024-03-11_9905d16e5bae467eebe0942154f0cbc9_goldeneye.exe	29
PID 2276 wrote to memory of 2540	2276	2024-03-11_9905d16e5bae467eebe0942154f0cbc9_goldeneye.exe	29
PID 2276 wrote to memory of 2540	2276	2024-03-11_9905d16e5bae467eebe0942154f0cbc9_goldeneye.exe	29
PID 2276 wrote to memory of 2540	2276	2024-03-11_9905d16e5bae467eebe0942154f0cbc9_goldeneye.exe	29
PID 3020 wrote to memory of 2660	3020	{4039FD7E-EC71-4139-85C7-E4505918B206}.exe	30
PID 3020 wrote to memory of 2660	3020	{4039FD7E-EC71-4139-85C7-E4505918B206}.exe	30
PID 3020 wrote to memory of 2660	3020	{4039FD7E-EC71-4139-85C7-E4505918B206}.exe	30
PID 3020 wrote to memory of 2660	3020	{4039FD7E-EC71-4139-85C7-E4505918B206}.exe	30
PID 3020 wrote to memory of 2752	3020	{4039FD7E-EC71-4139-85C7-E4505918B206}.exe	31
PID 3020 wrote to memory of 2752	3020	{4039FD7E-EC71-4139-85C7-E4505918B206}.exe	31
PID 3020 wrote to memory of 2752	3020	{4039FD7E-EC71-4139-85C7-E4505918B206}.exe	31
PID 3020 wrote to memory of 2752	3020	{4039FD7E-EC71-4139-85C7-E4505918B206}.exe	31
PID 2660 wrote to memory of 2836	2660	{0EE0F078-2DD1-4952-94A9-4831503F0804}.exe	34
PID 2660 wrote to memory of 2836	2660	{0EE0F078-2DD1-4952-94A9-4831503F0804}.exe	34
PID 2660 wrote to memory of 2836	2660	{0EE0F078-2DD1-4952-94A9-4831503F0804}.exe	34
PID 2660 wrote to memory of 2836	2660	{0EE0F078-2DD1-4952-94A9-4831503F0804}.exe	34
PID 2660 wrote to memory of 3032	2660	{0EE0F078-2DD1-4952-94A9-4831503F0804}.exe	35
PID 2660 wrote to memory of 3032	2660	{0EE0F078-2DD1-4952-94A9-4831503F0804}.exe	35
PID 2660 wrote to memory of 3032	2660	{0EE0F078-2DD1-4952-94A9-4831503F0804}.exe	35
PID 2660 wrote to memory of 3032	2660	{0EE0F078-2DD1-4952-94A9-4831503F0804}.exe	35
PID 2836 wrote to memory of 652	2836	{569B4899-4CDA-4fec-AF5F-97C2E64675FC}.exe	36
PID 2836 wrote to memory of 652	2836	{569B4899-4CDA-4fec-AF5F-97C2E64675FC}.exe	36
PID 2836 wrote to memory of 652	2836	{569B4899-4CDA-4fec-AF5F-97C2E64675FC}.exe	36
PID 2836 wrote to memory of 652	2836	{569B4899-4CDA-4fec-AF5F-97C2E64675FC}.exe	36
PID 2836 wrote to memory of 1152	2836	{569B4899-4CDA-4fec-AF5F-97C2E64675FC}.exe	37
PID 2836 wrote to memory of 1152	2836	{569B4899-4CDA-4fec-AF5F-97C2E64675FC}.exe	37
PID 2836 wrote to memory of 1152	2836	{569B4899-4CDA-4fec-AF5F-97C2E64675FC}.exe	37
PID 2836 wrote to memory of 1152	2836	{569B4899-4CDA-4fec-AF5F-97C2E64675FC}.exe	37
PID 652 wrote to memory of 1244	652	{147980AE-BDAF-4edf-9EB7-6F75F0B1DB17}.exe	38
PID 652 wrote to memory of 1244	652	{147980AE-BDAF-4edf-9EB7-6F75F0B1DB17}.exe	38
PID 652 wrote to memory of 1244	652	{147980AE-BDAF-4edf-9EB7-6F75F0B1DB17}.exe	38
PID 652 wrote to memory of 1244	652	{147980AE-BDAF-4edf-9EB7-6F75F0B1DB17}.exe	38
PID 652 wrote to memory of 2716	652	{147980AE-BDAF-4edf-9EB7-6F75F0B1DB17}.exe	39
PID 652 wrote to memory of 2716	652	{147980AE-BDAF-4edf-9EB7-6F75F0B1DB17}.exe	39
PID 652 wrote to memory of 2716	652	{147980AE-BDAF-4edf-9EB7-6F75F0B1DB17}.exe	39
PID 652 wrote to memory of 2716	652	{147980AE-BDAF-4edf-9EB7-6F75F0B1DB17}.exe	39
PID 1244 wrote to memory of 2848	1244	{FFFDDCE3-9A7F-4fae-B613-F57BCD51DC23}.exe	40
PID 1244 wrote to memory of 2848	1244	{FFFDDCE3-9A7F-4fae-B613-F57BCD51DC23}.exe	40
PID 1244 wrote to memory of 2848	1244	{FFFDDCE3-9A7F-4fae-B613-F57BCD51DC23}.exe	40
PID 1244 wrote to memory of 2848	1244	{FFFDDCE3-9A7F-4fae-B613-F57BCD51DC23}.exe	40
PID 1244 wrote to memory of 2040	1244	{FFFDDCE3-9A7F-4fae-B613-F57BCD51DC23}.exe	41
PID 1244 wrote to memory of 2040	1244	{FFFDDCE3-9A7F-4fae-B613-F57BCD51DC23}.exe	41
PID 1244 wrote to memory of 2040	1244	{FFFDDCE3-9A7F-4fae-B613-F57BCD51DC23}.exe	41
PID 1244 wrote to memory of 2040	1244	{FFFDDCE3-9A7F-4fae-B613-F57BCD51DC23}.exe	41
PID 2848 wrote to memory of 2372	2848	{FB8BED83-2AB2-431a-B87F-A5970492C042}.exe	42
PID 2848 wrote to memory of 2372	2848	{FB8BED83-2AB2-431a-B87F-A5970492C042}.exe	42
PID 2848 wrote to memory of 2372	2848	{FB8BED83-2AB2-431a-B87F-A5970492C042}.exe	42
PID 2848 wrote to memory of 2372	2848	{FB8BED83-2AB2-431a-B87F-A5970492C042}.exe	42
PID 2848 wrote to memory of 340	2848	{FB8BED83-2AB2-431a-B87F-A5970492C042}.exe	43
PID 2848 wrote to memory of 340	2848	{FB8BED83-2AB2-431a-B87F-A5970492C042}.exe	43
PID 2848 wrote to memory of 340	2848	{FB8BED83-2AB2-431a-B87F-A5970492C042}.exe	43
PID 2848 wrote to memory of 340	2848	{FB8BED83-2AB2-431a-B87F-A5970492C042}.exe	43
PID 2372 wrote to memory of 332	2372	{5BB5F4AF-80C7-4a42-A6CC-2980C5C65992}.exe	44
PID 2372 wrote to memory of 332	2372	{5BB5F4AF-80C7-4a42-A6CC-2980C5C65992}.exe	44
PID 2372 wrote to memory of 332	2372	{5BB5F4AF-80C7-4a42-A6CC-2980C5C65992}.exe	44
PID 2372 wrote to memory of 332	2372	{5BB5F4AF-80C7-4a42-A6CC-2980C5C65992}.exe	44
PID 2372 wrote to memory of 1716	2372	{5BB5F4AF-80C7-4a42-A6CC-2980C5C65992}.exe	45
PID 2372 wrote to memory of 1716	2372	{5BB5F4AF-80C7-4a42-A6CC-2980C5C65992}.exe	45
PID 2372 wrote to memory of 1716	2372	{5BB5F4AF-80C7-4a42-A6CC-2980C5C65992}.exe	45
PID 2372 wrote to memory of 1716	2372	{5BB5F4AF-80C7-4a42-A6CC-2980C5C65992}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-03-11_9905d16e5bae467eebe0942154f0cbc9_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-11_9905d16e5bae467eebe0942154f0cbc9_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2276
- C:\Windows\{4039FD7E-EC71-4139-85C7-E4505918B206}.exe
  C:\Windows\{4039FD7E-EC71-4139-85C7-E4505918B206}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3020
- - C:\Windows\{0EE0F078-2DD1-4952-94A9-4831503F0804}.exe
    C:\Windows\{0EE0F078-2DD1-4952-94A9-4831503F0804}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2660
  - - C:\Windows\{569B4899-4CDA-4fec-AF5F-97C2E64675FC}.exe
      C:\Windows\{569B4899-4CDA-4fec-AF5F-97C2E64675FC}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2836
    - - C:\Windows\{147980AE-BDAF-4edf-9EB7-6F75F0B1DB17}.exe
        
        C:\Windows\{147980AE-BDAF-4edf-9EB7-6F75F0B1DB17}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:652
      - C:\Windows\{FFFDDCE3-9A7F-4fae-B613-F57BCD51DC23}.exe
        
        C:\Windows\{FFFDDCE3-9A7F-4fae-B613-F57BCD51DC23}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1244
        
        C:\Windows\{FB8BED83-2AB2-431a-B87F-A5970492C042}.exe
        
        C:\Windows\{FB8BED83-2AB2-431a-B87F-A5970492C042}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2848
        
        C:\Windows\{5BB5F4AF-80C7-4a42-A6CC-2980C5C65992}.exe
        
        C:\Windows\{5BB5F4AF-80C7-4a42-A6CC-2980C5C65992}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2372
        
        C:\Windows\{6F9167D0-DFE8-4898-9376-1655637190FD}.exe
        
        C:\Windows\{6F9167D0-DFE8-4898-9376-1655637190FD}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:332
        
        C:\Windows\{3AF51A30-4705-47ac-8BCC-3A81EAE582EC}.exe
        
        C:\Windows\{3AF51A30-4705-47ac-8BCC-3A81EAE582EC}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1548
        
        C:\Windows\{C221B35E-D6CB-46f0-BCC2-5D0DA811976D}.exe
        
        C:\Windows\{C221B35E-D6CB-46f0-BCC2-5D0DA811976D}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2772
        
        C:\Windows\{8F10B7FE-9108-4b38-A80D-707D18939FAA}.exe
        
        C:\Windows\{8F10B7FE-9108-4b38-A80D-707D18939FAA}.exe
        12⤵
        Executes dropped EXE
        
        PID:2052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C221B~1.EXE > nul
        12⤵
        
        PID:1840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3AF51~1.EXE > nul
        11⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6F916~1.EXE > nul
        10⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5BB5F~1.EXE > nul
        9⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FB8BE~1.EXE > nul
        8⤵
        
        PID:340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FFFDD~1.EXE > nul
        7⤵
        
        PID:2040
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{14798~1.EXE > nul
        6⤵
        
        PID:2716
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{569B4~1.EXE > nul
        5⤵
        
        PID:1152
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{0EE0F~1.EXE > nul
      4⤵
      PID:3032
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{4039F~1.EXE > nul
    3⤵
    PID:2752
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0EE0F078-2DD1-4952-94A9-4831503F0804}.exe

Filesize
344KB

MD5
6516fdfd3cf64474486d08517e8e4b51

SHA1
ed94b9f6869df1f8f520830743e687cec0dbf8ba

SHA256
0740ba743dc99fe7bc09dfc9407e68f20f4055685e0ad4c69647f6380a89e188

SHA512
eeb0acb75e1e994700808db3000d30ee461af3e382dc30bcbfe58d7824c4d208910170af62d38e37c5023f1c8f481c75cd34524e2dc7e54f9026a0e62fa522bc

Download Submit
C:\Windows\{147980AE-BDAF-4edf-9EB7-6F75F0B1DB17}.exe

Filesize
344KB

MD5
0269a73d5ca203f218128b82172082ac

SHA1
e7ae2c597fc1a3b2c66512a4ba3e45b96bd298fd

SHA256
17df54d535aa22d5c8f2066ef452060330dec427f7b2c42c019fdccd6aefc194

SHA512
783ace23c8983af4573b73042111eb9e990a511f15d3c1c0af07e967450a13ce968be5041cc545aad362073287d0030921af62a4bb3753d58a88e1f213c34eda

Download Submit
C:\Windows\{3AF51A30-4705-47ac-8BCC-3A81EAE582EC}.exe

Filesize
344KB

MD5
ed291a65bb9e19ea207d66cc8b87cdf5

SHA1
4a1114264baa28d34018fbcf903e489965d3eff8

SHA256
6fbde88a0efe5f9c7662b35250edc9c93dc238ae4044b7c8b810d52c494b3727

SHA512
b2a16fa018e55274e3a1ef5c87cb904990dd373f564872b8d697fa12fa0edc6d7d9d97978e3f1b5b0214b5701f5812e9b4808866f44a724bf44bdeb784972838

Download Submit
C:\Windows\{4039FD7E-EC71-4139-85C7-E4505918B206}.exe

Filesize
344KB

MD5
5fd97ee8f3d77dbda977665ed2cd7ba7

SHA1
dc517b3348addfbf97c2691e731236d48e77c398

SHA256
52e271c256dea1e8e8a29669c253046b45a2b72a2737de40652db3673071d639

SHA512
07800763f68f40cdbbe508a73453c00806c526fe46b7bc119d731d2c2eda920a9c13d193ef0ad3af0a325a57911e4ebba037ef6e6b10ef5367babb59560529cd

Download Submit
C:\Windows\{569B4899-4CDA-4fec-AF5F-97C2E64675FC}.exe

Filesize
344KB

MD5
139e7d72996b22fb56dbb80827c60441

SHA1
3caaf5f34c4e16d9cb92489118b844043b828616

SHA256
d78a90863b5b10ddd6a81f1bbd29aae8f929f4f4a8f08bf422426b70e4f31f9c

SHA512
28f82bbc954827c7b7130e0ed91e8cb53c3ddc8c46ea0608743703a0765415988dd8ba50a524b744def6e4ffd6f9ab7e6c613ee5d6e7cb79a2a087f546f79206

Download Submit
C:\Windows\{5BB5F4AF-80C7-4a42-A6CC-2980C5C65992}.exe

Filesize
344KB

MD5
78b88b549d23217aa9ae54e8d29e880c

SHA1
6428efffe109753b78f4b1524ec51f95757261b3

SHA256
6d0dd45becbe3e4833af7993ff063c5d4370424557500221813ea14bb27a8f51

SHA512
377535f8ffcee906a4fef88fbcd129e14b5a39855d30dca6487d93fb6b38fbbce648cae5712476277f48d2febba1c36216cd4d53622e40377da2f1b8d33faa43

Download Submit
C:\Windows\{6F9167D0-DFE8-4898-9376-1655637190FD}.exe

Filesize
344KB

MD5
e2e27dc097e56969f360287627d7b15d

SHA1
c459b516c87df0963d589fd8eeb96f3d2ba9e741

SHA256
5dbe4629cda0cbf0aae5d4434f84302f61d30631b2e1b851cb39e9676ccee277

SHA512
cf7c6d9b539a8bd8d94db675d06ade257c39cb705f4d68e7ea291897e92e731bfae16c73730dd6eb00ed6eadb32d84d70716364388a4114f03d89429dbb39444

Download Submit
C:\Windows\{8F10B7FE-9108-4b38-A80D-707D18939FAA}.exe

Filesize
344KB

MD5
77b24ee2b180e07bfeddf29718f9efc2

SHA1
8f36e7171f27af7a46b815d6763bf3884413a8d2

SHA256
7dc598577311ec736a75a51e2ba01840ca0c1ee00cfa6a3919acba43e13598bf

SHA512
b8b112667fa7b054ed5d0532dfa8dd61d83843aa0106de4420f0c23085030f70655e1ad07f34c9f35dd6eb972aea2b5ae1d007c94c363310b6a3e35b4b67ffe5

Download Submit
C:\Windows\{C221B35E-D6CB-46f0-BCC2-5D0DA811976D}.exe

Filesize
344KB

MD5
3edac9f05cab3c5149b2c686586e843e

SHA1
cc7af00340d446ee0aa3490a6ea19b4ae55a6da3

SHA256
7aba68be5742cd3aedd56458bdf525876b74d8ebff8629c9262eda6a7c9e38f3

SHA512
3db94eba8fab350904f93280b9ecdda0dbcbda848cc5c982b714b4bce5482c45b416623aa4fee04e178374ba054540bb66322c57973fd354c2176997b9ce6405

Download Submit
C:\Windows\{FB8BED83-2AB2-431a-B87F-A5970492C042}.exe

Filesize
344KB

MD5
123085f5734c32d8e56146f0a4e464d1

SHA1
e6f09a31e80f310de585e528e24604a880866a9b

SHA256
8a590e6aa16651d691b2003c7f596a30baef46364e04d9af4d6be253a271f64b

SHA512
46ecdee20d6f457c6541bc449185ff8a21140885eeae6ab954de3aa9210fbcea6749050baae332a3bb4fa0be8f669b3870c53f942c7f5970114ddd12ebc1f841

Download Submit
C:\Windows\{FFFDDCE3-9A7F-4fae-B613-F57BCD51DC23}.exe

Filesize
344KB

MD5
097076176b0ec7ce182ce60cf5b8cd71

SHA1
e17341330873bd50bbe4ceccc0761b79fb1ac520

SHA256
8337565b690292a06a622a73dd746bc84c37dd92141293a1cf82c3ed6de2fec6

SHA512
18d798acc2cbd5e308b6a5c41b5a5491936522767bc5ed6f6ebad54a8d5ed0302399025afdb20aec4b744c00d4bba2368046f98b65823c87f73eee7dce40a6b7

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads