46b4d5fc9231f02c5bdc4f4604b9b6eab9dd8e839fc3c7125daad0dd15f2b3e7

Analysis

max time kernel
144s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
12-03-2024 14:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-12_5952356f685433b6aa42d214df5668a0_goldeneye.exe
Size

197KB
MD5

5952356f685433b6aa42d214df5668a0
SHA1

66856e420956e11e7ac440f841d1ac0c9ad164c9
SHA256

46b4d5fc9231f02c5bdc4f4604b9b6eab9dd8e839fc3c7125daad0dd15f2b3e7
SHA512

af092ac42a06bf849b9f7aebf3082605dc99107e0f70967554c1dd7febfae48597b725be75d71121c69673bf1805ca00c7dfe03365bbcd3f73b5a4de29b42001
SSDEEP

3072:jEGh0o8l+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGOlEeKcAEca

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000b000000012250-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c00000001450b-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000012250-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002d000000014983-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000012250-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e000000012250-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f000000012250-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2487753D-2032-4cb5-A958-5297ED2DFEB9}\stubpath = "C:\\Windows\\{2487753D-2032-4cb5-A958-5297ED2DFEB9}.exe"	{369CC716-5A8E-459c-98F9-A55070329F1D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F7FB592A-C043-4106-8F22-0E5D162E941C}	{2487753D-2032-4cb5-A958-5297ED2DFEB9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{45737E92-8253-4c3e-A41D-7C0525531F73}	{96AE878A-192F-4b60-BEEF-DC28E506FA28}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BAB38204-2F7E-43a1-8C14-1051ABC1FB1D}	{69BA16C0-B2F7-4146-B2A3-47B441C8A72F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{920FA55E-00C8-4c25-A084-DB8B84E4C72A}\stubpath = "C:\\Windows\\{920FA55E-00C8-4c25-A084-DB8B84E4C72A}.exe"	{F9D9C74A-6768-4737-906B-005C579F3AC3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{96AE878A-192F-4b60-BEEF-DC28E506FA28}	{920FA55E-00C8-4c25-A084-DB8B84E4C72A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B8A5CDE0-A8C1-4819-BCDF-6624564DA336}\stubpath = "C:\\Windows\\{B8A5CDE0-A8C1-4819-BCDF-6624564DA336}.exe"	{45737E92-8253-4c3e-A41D-7C0525531F73}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{369CC716-5A8E-459c-98F9-A55070329F1D}	2024-03-12_5952356f685433b6aa42d214df5668a0_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{369CC716-5A8E-459c-98F9-A55070329F1D}\stubpath = "C:\\Windows\\{369CC716-5A8E-459c-98F9-A55070329F1D}.exe"	2024-03-12_5952356f685433b6aa42d214df5668a0_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F9D9C74A-6768-4737-906B-005C579F3AC3}	{7C68CDAB-1CD2-4cf5-B76F-EDC4804DD151}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F9D9C74A-6768-4737-906B-005C579F3AC3}\stubpath = "C:\\Windows\\{F9D9C74A-6768-4737-906B-005C579F3AC3}.exe"	{7C68CDAB-1CD2-4cf5-B76F-EDC4804DD151}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{920FA55E-00C8-4c25-A084-DB8B84E4C72A}	{F9D9C74A-6768-4737-906B-005C579F3AC3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{69BA16C0-B2F7-4146-B2A3-47B441C8A72F}\stubpath = "C:\\Windows\\{69BA16C0-B2F7-4146-B2A3-47B441C8A72F}.exe"	{B8A5CDE0-A8C1-4819-BCDF-6624564DA336}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B8A5CDE0-A8C1-4819-BCDF-6624564DA336}	{45737E92-8253-4c3e-A41D-7C0525531F73}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{69BA16C0-B2F7-4146-B2A3-47B441C8A72F}	{B8A5CDE0-A8C1-4819-BCDF-6624564DA336}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BAB38204-2F7E-43a1-8C14-1051ABC1FB1D}\stubpath = "C:\\Windows\\{BAB38204-2F7E-43a1-8C14-1051ABC1FB1D}.exe"	{69BA16C0-B2F7-4146-B2A3-47B441C8A72F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F7FB592A-C043-4106-8F22-0E5D162E941C}\stubpath = "C:\\Windows\\{F7FB592A-C043-4106-8F22-0E5D162E941C}.exe"	{2487753D-2032-4cb5-A958-5297ED2DFEB9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7C68CDAB-1CD2-4cf5-B76F-EDC4804DD151}	{F7FB592A-C043-4106-8F22-0E5D162E941C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7C68CDAB-1CD2-4cf5-B76F-EDC4804DD151}\stubpath = "C:\\Windows\\{7C68CDAB-1CD2-4cf5-B76F-EDC4804DD151}.exe"	{F7FB592A-C043-4106-8F22-0E5D162E941C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{96AE878A-192F-4b60-BEEF-DC28E506FA28}\stubpath = "C:\\Windows\\{96AE878A-192F-4b60-BEEF-DC28E506FA28}.exe"	{920FA55E-00C8-4c25-A084-DB8B84E4C72A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{45737E92-8253-4c3e-A41D-7C0525531F73}\stubpath = "C:\\Windows\\{45737E92-8253-4c3e-A41D-7C0525531F73}.exe"	{96AE878A-192F-4b60-BEEF-DC28E506FA28}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2487753D-2032-4cb5-A958-5297ED2DFEB9}	{369CC716-5A8E-459c-98F9-A55070329F1D}.exe

Deletes itself 1 IoCs

pid	Process
2460	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2944	{369CC716-5A8E-459c-98F9-A55070329F1D}.exe
2072	{2487753D-2032-4cb5-A958-5297ED2DFEB9}.exe
2492	{F7FB592A-C043-4106-8F22-0E5D162E941C}.exe
876	{7C68CDAB-1CD2-4cf5-B76F-EDC4804DD151}.exe
2676	{F9D9C74A-6768-4737-906B-005C579F3AC3}.exe
284	{920FA55E-00C8-4c25-A084-DB8B84E4C72A}.exe
1568	{96AE878A-192F-4b60-BEEF-DC28E506FA28}.exe
2028	{45737E92-8253-4c3e-A41D-7C0525531F73}.exe
1924	{B8A5CDE0-A8C1-4819-BCDF-6624564DA336}.exe
1036	{69BA16C0-B2F7-4146-B2A3-47B441C8A72F}.exe
576	{BAB38204-2F7E-43a1-8C14-1051ABC1FB1D}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{69BA16C0-B2F7-4146-B2A3-47B441C8A72F}.exe	{B8A5CDE0-A8C1-4819-BCDF-6624564DA336}.exe
File created	C:\Windows\{369CC716-5A8E-459c-98F9-A55070329F1D}.exe	2024-03-12_5952356f685433b6aa42d214df5668a0_goldeneye.exe
File created	C:\Windows\{2487753D-2032-4cb5-A958-5297ED2DFEB9}.exe	{369CC716-5A8E-459c-98F9-A55070329F1D}.exe
File created	C:\Windows\{F7FB592A-C043-4106-8F22-0E5D162E941C}.exe	{2487753D-2032-4cb5-A958-5297ED2DFEB9}.exe
File created	C:\Windows\{7C68CDAB-1CD2-4cf5-B76F-EDC4804DD151}.exe	{F7FB592A-C043-4106-8F22-0E5D162E941C}.exe
File created	C:\Windows\{B8A5CDE0-A8C1-4819-BCDF-6624564DA336}.exe	{45737E92-8253-4c3e-A41D-7C0525531F73}.exe
File created	C:\Windows\{BAB38204-2F7E-43a1-8C14-1051ABC1FB1D}.exe	{69BA16C0-B2F7-4146-B2A3-47B441C8A72F}.exe
File created	C:\Windows\{F9D9C74A-6768-4737-906B-005C579F3AC3}.exe	{7C68CDAB-1CD2-4cf5-B76F-EDC4804DD151}.exe
File created	C:\Windows\{920FA55E-00C8-4c25-A084-DB8B84E4C72A}.exe	{F9D9C74A-6768-4737-906B-005C579F3AC3}.exe
File created	C:\Windows\{96AE878A-192F-4b60-BEEF-DC28E506FA28}.exe	{920FA55E-00C8-4c25-A084-DB8B84E4C72A}.exe
File created	C:\Windows\{45737E92-8253-4c3e-A41D-7C0525531F73}.exe	{96AE878A-192F-4b60-BEEF-DC28E506FA28}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1876	2024-03-12_5952356f685433b6aa42d214df5668a0_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2944	{369CC716-5A8E-459c-98F9-A55070329F1D}.exe
Token: SeIncBasePriorityPrivilege	2072	{2487753D-2032-4cb5-A958-5297ED2DFEB9}.exe
Token: SeIncBasePriorityPrivilege	2492	{F7FB592A-C043-4106-8F22-0E5D162E941C}.exe
Token: SeIncBasePriorityPrivilege	876	{7C68CDAB-1CD2-4cf5-B76F-EDC4804DD151}.exe
Token: SeIncBasePriorityPrivilege	2676	{F9D9C74A-6768-4737-906B-005C579F3AC3}.exe
Token: SeIncBasePriorityPrivilege	284	{920FA55E-00C8-4c25-A084-DB8B84E4C72A}.exe
Token: SeIncBasePriorityPrivilege	1568	{96AE878A-192F-4b60-BEEF-DC28E506FA28}.exe
Token: SeIncBasePriorityPrivilege	2028	{45737E92-8253-4c3e-A41D-7C0525531F73}.exe
Token: SeIncBasePriorityPrivilege	1924	{B8A5CDE0-A8C1-4819-BCDF-6624564DA336}.exe
Token: SeIncBasePriorityPrivilege	1036	{69BA16C0-B2F7-4146-B2A3-47B441C8A72F}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1876 wrote to memory of 2944	1876	2024-03-12_5952356f685433b6aa42d214df5668a0_goldeneye.exe	28
PID 1876 wrote to memory of 2944	1876	2024-03-12_5952356f685433b6aa42d214df5668a0_goldeneye.exe	28
PID 1876 wrote to memory of 2944	1876	2024-03-12_5952356f685433b6aa42d214df5668a0_goldeneye.exe	28
PID 1876 wrote to memory of 2944	1876	2024-03-12_5952356f685433b6aa42d214df5668a0_goldeneye.exe	28
PID 1876 wrote to memory of 2460	1876	2024-03-12_5952356f685433b6aa42d214df5668a0_goldeneye.exe	29
PID 1876 wrote to memory of 2460	1876	2024-03-12_5952356f685433b6aa42d214df5668a0_goldeneye.exe	29
PID 1876 wrote to memory of 2460	1876	2024-03-12_5952356f685433b6aa42d214df5668a0_goldeneye.exe	29
PID 1876 wrote to memory of 2460	1876	2024-03-12_5952356f685433b6aa42d214df5668a0_goldeneye.exe	29
PID 2944 wrote to memory of 2072	2944	{369CC716-5A8E-459c-98F9-A55070329F1D}.exe	30
PID 2944 wrote to memory of 2072	2944	{369CC716-5A8E-459c-98F9-A55070329F1D}.exe	30
PID 2944 wrote to memory of 2072	2944	{369CC716-5A8E-459c-98F9-A55070329F1D}.exe	30
PID 2944 wrote to memory of 2072	2944	{369CC716-5A8E-459c-98F9-A55070329F1D}.exe	30
PID 2944 wrote to memory of 2564	2944	{369CC716-5A8E-459c-98F9-A55070329F1D}.exe	31
PID 2944 wrote to memory of 2564	2944	{369CC716-5A8E-459c-98F9-A55070329F1D}.exe	31
PID 2944 wrote to memory of 2564	2944	{369CC716-5A8E-459c-98F9-A55070329F1D}.exe	31
PID 2944 wrote to memory of 2564	2944	{369CC716-5A8E-459c-98F9-A55070329F1D}.exe	31
PID 2072 wrote to memory of 2492	2072	{2487753D-2032-4cb5-A958-5297ED2DFEB9}.exe	32
PID 2072 wrote to memory of 2492	2072	{2487753D-2032-4cb5-A958-5297ED2DFEB9}.exe	32
PID 2072 wrote to memory of 2492	2072	{2487753D-2032-4cb5-A958-5297ED2DFEB9}.exe	32
PID 2072 wrote to memory of 2492	2072	{2487753D-2032-4cb5-A958-5297ED2DFEB9}.exe	32
PID 2072 wrote to memory of 2260	2072	{2487753D-2032-4cb5-A958-5297ED2DFEB9}.exe	33
PID 2072 wrote to memory of 2260	2072	{2487753D-2032-4cb5-A958-5297ED2DFEB9}.exe	33
PID 2072 wrote to memory of 2260	2072	{2487753D-2032-4cb5-A958-5297ED2DFEB9}.exe	33
PID 2072 wrote to memory of 2260	2072	{2487753D-2032-4cb5-A958-5297ED2DFEB9}.exe	33
PID 2492 wrote to memory of 876	2492	{F7FB592A-C043-4106-8F22-0E5D162E941C}.exe	36
PID 2492 wrote to memory of 876	2492	{F7FB592A-C043-4106-8F22-0E5D162E941C}.exe	36
PID 2492 wrote to memory of 876	2492	{F7FB592A-C043-4106-8F22-0E5D162E941C}.exe	36
PID 2492 wrote to memory of 876	2492	{F7FB592A-C043-4106-8F22-0E5D162E941C}.exe	36
PID 2492 wrote to memory of 1356	2492	{F7FB592A-C043-4106-8F22-0E5D162E941C}.exe	37
PID 2492 wrote to memory of 1356	2492	{F7FB592A-C043-4106-8F22-0E5D162E941C}.exe	37
PID 2492 wrote to memory of 1356	2492	{F7FB592A-C043-4106-8F22-0E5D162E941C}.exe	37
PID 2492 wrote to memory of 1356	2492	{F7FB592A-C043-4106-8F22-0E5D162E941C}.exe	37
PID 876 wrote to memory of 2676	876	{7C68CDAB-1CD2-4cf5-B76F-EDC4804DD151}.exe	38
PID 876 wrote to memory of 2676	876	{7C68CDAB-1CD2-4cf5-B76F-EDC4804DD151}.exe	38
PID 876 wrote to memory of 2676	876	{7C68CDAB-1CD2-4cf5-B76F-EDC4804DD151}.exe	38
PID 876 wrote to memory of 2676	876	{7C68CDAB-1CD2-4cf5-B76F-EDC4804DD151}.exe	38
PID 876 wrote to memory of 2240	876	{7C68CDAB-1CD2-4cf5-B76F-EDC4804DD151}.exe	39
PID 876 wrote to memory of 2240	876	{7C68CDAB-1CD2-4cf5-B76F-EDC4804DD151}.exe	39
PID 876 wrote to memory of 2240	876	{7C68CDAB-1CD2-4cf5-B76F-EDC4804DD151}.exe	39
PID 876 wrote to memory of 2240	876	{7C68CDAB-1CD2-4cf5-B76F-EDC4804DD151}.exe	39
PID 2676 wrote to memory of 284	2676	{F9D9C74A-6768-4737-906B-005C579F3AC3}.exe	40
PID 2676 wrote to memory of 284	2676	{F9D9C74A-6768-4737-906B-005C579F3AC3}.exe	40
PID 2676 wrote to memory of 284	2676	{F9D9C74A-6768-4737-906B-005C579F3AC3}.exe	40
PID 2676 wrote to memory of 284	2676	{F9D9C74A-6768-4737-906B-005C579F3AC3}.exe	40
PID 2676 wrote to memory of 108	2676	{F9D9C74A-6768-4737-906B-005C579F3AC3}.exe	41
PID 2676 wrote to memory of 108	2676	{F9D9C74A-6768-4737-906B-005C579F3AC3}.exe	41
PID 2676 wrote to memory of 108	2676	{F9D9C74A-6768-4737-906B-005C579F3AC3}.exe	41
PID 2676 wrote to memory of 108	2676	{F9D9C74A-6768-4737-906B-005C579F3AC3}.exe	41
PID 284 wrote to memory of 1568	284	{920FA55E-00C8-4c25-A084-DB8B84E4C72A}.exe	42
PID 284 wrote to memory of 1568	284	{920FA55E-00C8-4c25-A084-DB8B84E4C72A}.exe	42
PID 284 wrote to memory of 1568	284	{920FA55E-00C8-4c25-A084-DB8B84E4C72A}.exe	42
PID 284 wrote to memory of 1568	284	{920FA55E-00C8-4c25-A084-DB8B84E4C72A}.exe	42
PID 284 wrote to memory of 1324	284	{920FA55E-00C8-4c25-A084-DB8B84E4C72A}.exe	43
PID 284 wrote to memory of 1324	284	{920FA55E-00C8-4c25-A084-DB8B84E4C72A}.exe	43
PID 284 wrote to memory of 1324	284	{920FA55E-00C8-4c25-A084-DB8B84E4C72A}.exe	43
PID 284 wrote to memory of 1324	284	{920FA55E-00C8-4c25-A084-DB8B84E4C72A}.exe	43
PID 1568 wrote to memory of 2028	1568	{96AE878A-192F-4b60-BEEF-DC28E506FA28}.exe	44
PID 1568 wrote to memory of 2028	1568	{96AE878A-192F-4b60-BEEF-DC28E506FA28}.exe	44
PID 1568 wrote to memory of 2028	1568	{96AE878A-192F-4b60-BEEF-DC28E506FA28}.exe	44
PID 1568 wrote to memory of 2028	1568	{96AE878A-192F-4b60-BEEF-DC28E506FA28}.exe	44
PID 1568 wrote to memory of 2004	1568	{96AE878A-192F-4b60-BEEF-DC28E506FA28}.exe	45
PID 1568 wrote to memory of 2004	1568	{96AE878A-192F-4b60-BEEF-DC28E506FA28}.exe	45
PID 1568 wrote to memory of 2004	1568	{96AE878A-192F-4b60-BEEF-DC28E506FA28}.exe	45
PID 1568 wrote to memory of 2004	1568	{96AE878A-192F-4b60-BEEF-DC28E506FA28}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-03-12_5952356f685433b6aa42d214df5668a0_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-12_5952356f685433b6aa42d214df5668a0_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1876
- C:\Windows\{369CC716-5A8E-459c-98F9-A55070329F1D}.exe
  C:\Windows\{369CC716-5A8E-459c-98F9-A55070329F1D}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2944
- - C:\Windows\{2487753D-2032-4cb5-A958-5297ED2DFEB9}.exe
    C:\Windows\{2487753D-2032-4cb5-A958-5297ED2DFEB9}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2072
  - - C:\Windows\{F7FB592A-C043-4106-8F22-0E5D162E941C}.exe
      C:\Windows\{F7FB592A-C043-4106-8F22-0E5D162E941C}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2492
    - - C:\Windows\{7C68CDAB-1CD2-4cf5-B76F-EDC4804DD151}.exe
        
        C:\Windows\{7C68CDAB-1CD2-4cf5-B76F-EDC4804DD151}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:876
      - C:\Windows\{F9D9C74A-6768-4737-906B-005C579F3AC3}.exe
        
        C:\Windows\{F9D9C74A-6768-4737-906B-005C579F3AC3}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2676
        
        C:\Windows\{920FA55E-00C8-4c25-A084-DB8B84E4C72A}.exe
        
        C:\Windows\{920FA55E-00C8-4c25-A084-DB8B84E4C72A}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:284
        
        C:\Windows\{96AE878A-192F-4b60-BEEF-DC28E506FA28}.exe
        
        C:\Windows\{96AE878A-192F-4b60-BEEF-DC28E506FA28}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1568
        
        C:\Windows\{45737E92-8253-4c3e-A41D-7C0525531F73}.exe
        
        C:\Windows\{45737E92-8253-4c3e-A41D-7C0525531F73}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2028
        
        C:\Windows\{B8A5CDE0-A8C1-4819-BCDF-6624564DA336}.exe
        
        C:\Windows\{B8A5CDE0-A8C1-4819-BCDF-6624564DA336}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1924
        
        C:\Windows\{69BA16C0-B2F7-4146-B2A3-47B441C8A72F}.exe
        
        C:\Windows\{69BA16C0-B2F7-4146-B2A3-47B441C8A72F}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1036
        
        C:\Windows\{BAB38204-2F7E-43a1-8C14-1051ABC1FB1D}.exe
        
        C:\Windows\{BAB38204-2F7E-43a1-8C14-1051ABC1FB1D}.exe
        12⤵
        Executes dropped EXE
        
        PID:576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{69BA1~1.EXE > nul
        12⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B8A5C~1.EXE > nul
        11⤵
        
        PID:596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{45737~1.EXE > nul
        10⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{96AE8~1.EXE > nul
        9⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{920FA~1.EXE > nul
        8⤵
        
        PID:1324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F9D9C~1.EXE > nul
        7⤵
        
        PID:108
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7C68C~1.EXE > nul
        6⤵
        
        PID:2240
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F7FB5~1.EXE > nul
        5⤵
        
        PID:1356
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{24877~1.EXE > nul
      4⤵
      PID:2260
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{369CC~1.EXE > nul
    3⤵
    PID:2564
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{2487753D-2032-4cb5-A958-5297ED2DFEB9}.exe

Filesize
197KB

MD5
74bfaf78ef85840b9801299e508ad389

SHA1
7dea74d9b9c739d5c1e6c5221224aacbc71e9e24

SHA256
a04d0b50d8971db2d4ae20d05e95ef1b608159b6fceaa0f3990ea6f5504c674e

SHA512
2f275ece1f3d4975e891a3edaa346ca5da3ed92481ee67affbacc3725ee05db37fcc79da7fa955a4c80000dfce949cb23427d08146fbdc315c0fa4e1491a8e8f

Download Submit
C:\Windows\{369CC716-5A8E-459c-98F9-A55070329F1D}.exe

Filesize
197KB

MD5
21b35abf999a57c59ff24e4478ffd459

SHA1
8646106ccdee8b61f4806dc51dd1cca42ef4f073

SHA256
371256129d750778abdee8bcdbe70e18541a5497c0be81696c630543526845b5

SHA512
c1b84ab1b27c76d1ac78a50e3cbcf4c81c7f61cc3c95e0f3f333b7601e17ebc77a15973030c29987c38e98b88bdc7451d88e18cd39a2522e08febf66717cf7b0

Download Submit
C:\Windows\{45737E92-8253-4c3e-A41D-7C0525531F73}.exe

Filesize
197KB

MD5
4f1ae03493ce2e8c6518dc454a43d1bc

SHA1
06f4f53bb9ed9985ce46258e4984fb33e68a1af9

SHA256
25997f8669fdf5510445a0c4603d83eceaaeebc4d8aec52812a16dd6d3b8b106

SHA512
cab7bc2b2e582880b29950bf057f151d76a05031e8b229558db150bdf4f7462646e76e5c7dea0f33ab9dc06e144459c5cb03dd0b0fe4e8d9933c06d1c85a0372

Download Submit
C:\Windows\{69BA16C0-B2F7-4146-B2A3-47B441C8A72F}.exe

Filesize
197KB

MD5
8a3e3021b39b82f99740ff9139ac5b0b

SHA1
e5df4c41adc9eccd81fb2b8efc05812e69e335c8

SHA256
5baf204b279055af0fa9e218cd9c26b8510f9a5bad085ef446b27a7f1afc5461

SHA512
34b42ceee892501813ca49374247eef73c75e4997420587183d03a4ca1d75d34f5932c22e6282020d395387cbda018c95fb1790d310c62e49a4300b0f29b3609

Download Submit
C:\Windows\{7C68CDAB-1CD2-4cf5-B76F-EDC4804DD151}.exe

Filesize
197KB

MD5
064d439f9c659dde4c8d8b99c791d33a

SHA1
972e69bf2cb79911d216cabf7a90da86ff3837cd

SHA256
2bb95e4524ab9515469a850b2fd45e739d9457cc592ce88a121980497871e3fe

SHA512
52b7865621f52c1e33a160d8306294e530f8bc3f7149e6f50bf6cab93168933b3743f2cd6da87748210eb0692edb10ee8f9f7df5567e9c8cfcecff91eca07015

Download Submit
C:\Windows\{920FA55E-00C8-4c25-A084-DB8B84E4C72A}.exe

Filesize
197KB

MD5
de1385c31d09aeb468713ad338f4e17c

SHA1
3d4daf356fe7e47c11394cb3b89bd9b942ec744e

SHA256
9159d1191867d3be7e74dd1d84ae61bbbf03c18a94e9b7f46b71677cfe635cbf

SHA512
ce1b9c540e055e285b6ce886d825ce2ad28bd2f36ddff34120d39bc6f92572dd5a75081db80752d4c9482bf4a94bda62235cb4ca5be7b1ef81ebbb9f4e2fab55

Download Submit
C:\Windows\{96AE878A-192F-4b60-BEEF-DC28E506FA28}.exe

Filesize
197KB

MD5
786e6222e56d10f8ee1f2aee6d60a25f

SHA1
b2c851e830a6363399a2d53d7863575aba6ab9bd

SHA256
ab5b1f3b8d6e94e7b18c2592711f00d7817a6d7f03e6f5f6bd97b145ffbbf671

SHA512
72da526f206a5de373360593a77ef777a71bb1d67ea5916f865c5d8ddc5d361279f6b5ab67deacbdfd79de4a6fe58d70c9a176b00ea16a6dec164d2f20edbdb3

Download Submit
C:\Windows\{B8A5CDE0-A8C1-4819-BCDF-6624564DA336}.exe

Filesize
197KB

MD5
a09965fdd47a2baf25ca19d098a7d21f

SHA1
ae1b15907b2d15739d259f22b3c4ce9a15c071eb

SHA256
6829cd5a4a09ed0db5e62b8cd9eb0b979b87efb22e657dc8558ac63cc3cfe5e4

SHA512
7f5d708620407873a272706b832172f4d229a36f4351bd6b24f53bf003954e4d727211d49ac7ba67fff989558cfb3749d5c435af719d27b4dab4bcdb93ebfa94

Download Submit
C:\Windows\{BAB38204-2F7E-43a1-8C14-1051ABC1FB1D}.exe

Filesize
197KB

MD5
88e9622049575bc91117b287760dd1ab

SHA1
b04b9bd4d44b8a1cf6b2458d5fa29f8c4e01e8ca

SHA256
7cd9399915778a965af4e63c7402362cacc275f8eb815d7882022054a84de03c

SHA512
698d15e8adaf75d2d20c977b3afc8781f7034ee05b92cf7f789468e459eda681c132582991398acf5b89332c870919fdc3439dd758ee5b27f7efe4f2d7fbb592

Download Submit
C:\Windows\{F7FB592A-C043-4106-8F22-0E5D162E941C}.exe

Filesize
197KB

MD5
bba2a332491ee697f8a0526a95a555c5

SHA1
7d2e9db695e808494fab6df2f1861cff41ca0791

SHA256
0b693aabd8171ed77c8eb77487b080f1bb8c4edf07ee2231518b4d3411bd330d

SHA512
eec8a5236d5b9bb16f21a2f127e8e973b7611f96161660aff8bf355c417b4eee902f618a65e50f669885ab84719a2fc2fc072f051921a622a5cf33288567465e

Download Submit
C:\Windows\{F9D9C74A-6768-4737-906B-005C579F3AC3}.exe

Filesize
197KB

MD5
be37615719f28b1047b49ea2697ef888

SHA1
90981bf358d74835450b420a1b096771a99a9a4c

SHA256
f4395092d8c9b6a1b226dd15b6cd06ef3221a1d87d4e6800aff4d7b61990346e

SHA512
67aae93fd2b7a652f7dd34b395f32835907d1e6a1257a08e5522047fb1c6f0ec35fba9f5035728a7d8143fdfcfcc690445f0d7cc85f24fb489cca87537c36d2b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads