7bb3594cf8f723474b16c91577c265a7a02af27281b58175f2be5356c2a974f1

Analysis

max time kernel
144s
max time network
126s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
16/03/2024, 11:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-16_8e895d4e260cbe3f849f54928b14f0f3_goldeneye.exe
Size

168KB
MD5

8e895d4e260cbe3f849f54928b14f0f3
SHA1

147f76bd4bd5194cac8ba2e3bb72b50470e6bbaf
SHA256

7bb3594cf8f723474b16c91577c265a7a02af27281b58175f2be5356c2a974f1
SHA512

58834cceb3111539682223ac25ea39c4a0365407028dfe5f96cda9307c3a27c009d250d4d19f74247a4f9ed5db8100df26b6ca1558ccd91609a5c47f3fffc560
SSDEEP

1536:1EGh0oXli5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oXliOPOe2MUVg3Ve+rX

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x0009000000012272-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x003000000001643c-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0030000000016584-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000900000000f6f2-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0031000000016584-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a00000000f6f2-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0032000000016584-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e000000016ace-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000016b92-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f000000016ace-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000016b92-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9DA06A75-4BF2-4a9b-BAF8-169E8E20B276}	{45145044-07BE-40b5-9525-9C653ADFC385}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6FD4E82F-DC77-447b-9450-C2CC99FBF848}	{9DA06A75-4BF2-4a9b-BAF8-169E8E20B276}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6FD4E82F-DC77-447b-9450-C2CC99FBF848}\stubpath = "C:\\Windows\\{6FD4E82F-DC77-447b-9450-C2CC99FBF848}.exe"	{9DA06A75-4BF2-4a9b-BAF8-169E8E20B276}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9A5ECFE0-CAFF-4331-851C-CC08BF4692CA}	{D07799E1-D372-4dd8-A9B6-B7CA498789B1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9A5ECFE0-CAFF-4331-851C-CC08BF4692CA}\stubpath = "C:\\Windows\\{9A5ECFE0-CAFF-4331-851C-CC08BF4692CA}.exe"	{D07799E1-D372-4dd8-A9B6-B7CA498789B1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{112EA666-BB08-4855-95F8-2C36F33C6EF9}	2024-03-16_8e895d4e260cbe3f849f54928b14f0f3_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{93DEB7FB-A743-40d1-8E8B-60DBCECAFA24}	{90FC7854-6184-4e71-9BBA-520A6FB376C2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{45145044-07BE-40b5-9525-9C653ADFC385}	{C46F2A91-B797-4203-94B9-D2023F3FA5FE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{45145044-07BE-40b5-9525-9C653ADFC385}\stubpath = "C:\\Windows\\{45145044-07BE-40b5-9525-9C653ADFC385}.exe"	{C46F2A91-B797-4203-94B9-D2023F3FA5FE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D07799E1-D372-4dd8-A9B6-B7CA498789B1}	{E3E146C2-4ACD-4508-860C-5503BD2914D6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{90FC7854-6184-4e71-9BBA-520A6FB376C2}\stubpath = "C:\\Windows\\{90FC7854-6184-4e71-9BBA-520A6FB376C2}.exe"	{112EA666-BB08-4855-95F8-2C36F33C6EF9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{93DEB7FB-A743-40d1-8E8B-60DBCECAFA24}\stubpath = "C:\\Windows\\{93DEB7FB-A743-40d1-8E8B-60DBCECAFA24}.exe"	{90FC7854-6184-4e71-9BBA-520A6FB376C2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C46F2A91-B797-4203-94B9-D2023F3FA5FE}	{93DEB7FB-A743-40d1-8E8B-60DBCECAFA24}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C46F2A91-B797-4203-94B9-D2023F3FA5FE}\stubpath = "C:\\Windows\\{C46F2A91-B797-4203-94B9-D2023F3FA5FE}.exe"	{93DEB7FB-A743-40d1-8E8B-60DBCECAFA24}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9DA06A75-4BF2-4a9b-BAF8-169E8E20B276}\stubpath = "C:\\Windows\\{9DA06A75-4BF2-4a9b-BAF8-169E8E20B276}.exe"	{45145044-07BE-40b5-9525-9C653ADFC385}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E92F48BA-11E1-4f3e-84B5-3CFD9CED3AEE}	{6FD4E82F-DC77-447b-9450-C2CC99FBF848}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E92F48BA-11E1-4f3e-84B5-3CFD9CED3AEE}\stubpath = "C:\\Windows\\{E92F48BA-11E1-4f3e-84B5-3CFD9CED3AEE}.exe"	{6FD4E82F-DC77-447b-9450-C2CC99FBF848}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E3E146C2-4ACD-4508-860C-5503BD2914D6}	{E92F48BA-11E1-4f3e-84B5-3CFD9CED3AEE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{112EA666-BB08-4855-95F8-2C36F33C6EF9}\stubpath = "C:\\Windows\\{112EA666-BB08-4855-95F8-2C36F33C6EF9}.exe"	2024-03-16_8e895d4e260cbe3f849f54928b14f0f3_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{90FC7854-6184-4e71-9BBA-520A6FB376C2}	{112EA666-BB08-4855-95F8-2C36F33C6EF9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D07799E1-D372-4dd8-A9B6-B7CA498789B1}\stubpath = "C:\\Windows\\{D07799E1-D372-4dd8-A9B6-B7CA498789B1}.exe"	{E3E146C2-4ACD-4508-860C-5503BD2914D6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E3E146C2-4ACD-4508-860C-5503BD2914D6}\stubpath = "C:\\Windows\\{E3E146C2-4ACD-4508-860C-5503BD2914D6}.exe"	{E92F48BA-11E1-4f3e-84B5-3CFD9CED3AEE}.exe

Deletes itself 1 IoCs

pid	Process
2476	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2864	{112EA666-BB08-4855-95F8-2C36F33C6EF9}.exe
2492	{90FC7854-6184-4e71-9BBA-520A6FB376C2}.exe
2584	{93DEB7FB-A743-40d1-8E8B-60DBCECAFA24}.exe
1952	{C46F2A91-B797-4203-94B9-D2023F3FA5FE}.exe
2428	{45145044-07BE-40b5-9525-9C653ADFC385}.exe
2688	{9DA06A75-4BF2-4a9b-BAF8-169E8E20B276}.exe
1784	{6FD4E82F-DC77-447b-9450-C2CC99FBF848}.exe
1724	{E92F48BA-11E1-4f3e-84B5-3CFD9CED3AEE}.exe
1692	{E3E146C2-4ACD-4508-860C-5503BD2914D6}.exe
2248	{D07799E1-D372-4dd8-A9B6-B7CA498789B1}.exe
1316	{9A5ECFE0-CAFF-4331-851C-CC08BF4692CA}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{90FC7854-6184-4e71-9BBA-520A6FB376C2}.exe	{112EA666-BB08-4855-95F8-2C36F33C6EF9}.exe
File created	C:\Windows\{93DEB7FB-A743-40d1-8E8B-60DBCECAFA24}.exe	{90FC7854-6184-4e71-9BBA-520A6FB376C2}.exe
File created	C:\Windows\{C46F2A91-B797-4203-94B9-D2023F3FA5FE}.exe	{93DEB7FB-A743-40d1-8E8B-60DBCECAFA24}.exe
File created	C:\Windows\{45145044-07BE-40b5-9525-9C653ADFC385}.exe	{C46F2A91-B797-4203-94B9-D2023F3FA5FE}.exe
File created	C:\Windows\{9DA06A75-4BF2-4a9b-BAF8-169E8E20B276}.exe	{45145044-07BE-40b5-9525-9C653ADFC385}.exe
File created	C:\Windows\{112EA666-BB08-4855-95F8-2C36F33C6EF9}.exe	2024-03-16_8e895d4e260cbe3f849f54928b14f0f3_goldeneye.exe
File created	C:\Windows\{6FD4E82F-DC77-447b-9450-C2CC99FBF848}.exe	{9DA06A75-4BF2-4a9b-BAF8-169E8E20B276}.exe
File created	C:\Windows\{E92F48BA-11E1-4f3e-84B5-3CFD9CED3AEE}.exe	{6FD4E82F-DC77-447b-9450-C2CC99FBF848}.exe
File created	C:\Windows\{E3E146C2-4ACD-4508-860C-5503BD2914D6}.exe	{E92F48BA-11E1-4f3e-84B5-3CFD9CED3AEE}.exe
File created	C:\Windows\{D07799E1-D372-4dd8-A9B6-B7CA498789B1}.exe	{E3E146C2-4ACD-4508-860C-5503BD2914D6}.exe
File created	C:\Windows\{9A5ECFE0-CAFF-4331-851C-CC08BF4692CA}.exe	{D07799E1-D372-4dd8-A9B6-B7CA498789B1}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2816	2024-03-16_8e895d4e260cbe3f849f54928b14f0f3_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2864	{112EA666-BB08-4855-95F8-2C36F33C6EF9}.exe
Token: SeIncBasePriorityPrivilege	2492	{90FC7854-6184-4e71-9BBA-520A6FB376C2}.exe
Token: SeIncBasePriorityPrivilege	2584	{93DEB7FB-A743-40d1-8E8B-60DBCECAFA24}.exe
Token: SeIncBasePriorityPrivilege	1952	{C46F2A91-B797-4203-94B9-D2023F3FA5FE}.exe
Token: SeIncBasePriorityPrivilege	2428	{45145044-07BE-40b5-9525-9C653ADFC385}.exe
Token: SeIncBasePriorityPrivilege	2688	{9DA06A75-4BF2-4a9b-BAF8-169E8E20B276}.exe
Token: SeIncBasePriorityPrivilege	1784	{6FD4E82F-DC77-447b-9450-C2CC99FBF848}.exe
Token: SeIncBasePriorityPrivilege	1724	{E92F48BA-11E1-4f3e-84B5-3CFD9CED3AEE}.exe
Token: SeIncBasePriorityPrivilege	1692	{E3E146C2-4ACD-4508-860C-5503BD2914D6}.exe
Token: SeIncBasePriorityPrivilege	2248	{D07799E1-D372-4dd8-A9B6-B7CA498789B1}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2816 wrote to memory of 2864	2816	2024-03-16_8e895d4e260cbe3f849f54928b14f0f3_goldeneye.exe	28
PID 2816 wrote to memory of 2864	2816	2024-03-16_8e895d4e260cbe3f849f54928b14f0f3_goldeneye.exe	28
PID 2816 wrote to memory of 2864	2816	2024-03-16_8e895d4e260cbe3f849f54928b14f0f3_goldeneye.exe	28
PID 2816 wrote to memory of 2864	2816	2024-03-16_8e895d4e260cbe3f849f54928b14f0f3_goldeneye.exe	28
PID 2816 wrote to memory of 2476	2816	2024-03-16_8e895d4e260cbe3f849f54928b14f0f3_goldeneye.exe	29
PID 2816 wrote to memory of 2476	2816	2024-03-16_8e895d4e260cbe3f849f54928b14f0f3_goldeneye.exe	29
PID 2816 wrote to memory of 2476	2816	2024-03-16_8e895d4e260cbe3f849f54928b14f0f3_goldeneye.exe	29
PID 2816 wrote to memory of 2476	2816	2024-03-16_8e895d4e260cbe3f849f54928b14f0f3_goldeneye.exe	29
PID 2864 wrote to memory of 2492	2864	{112EA666-BB08-4855-95F8-2C36F33C6EF9}.exe	30
PID 2864 wrote to memory of 2492	2864	{112EA666-BB08-4855-95F8-2C36F33C6EF9}.exe	30
PID 2864 wrote to memory of 2492	2864	{112EA666-BB08-4855-95F8-2C36F33C6EF9}.exe	30
PID 2864 wrote to memory of 2492	2864	{112EA666-BB08-4855-95F8-2C36F33C6EF9}.exe	30
PID 2864 wrote to memory of 2484	2864	{112EA666-BB08-4855-95F8-2C36F33C6EF9}.exe	31
PID 2864 wrote to memory of 2484	2864	{112EA666-BB08-4855-95F8-2C36F33C6EF9}.exe	31
PID 2864 wrote to memory of 2484	2864	{112EA666-BB08-4855-95F8-2C36F33C6EF9}.exe	31
PID 2864 wrote to memory of 2484	2864	{112EA666-BB08-4855-95F8-2C36F33C6EF9}.exe	31
PID 2492 wrote to memory of 2584	2492	{90FC7854-6184-4e71-9BBA-520A6FB376C2}.exe	32
PID 2492 wrote to memory of 2584	2492	{90FC7854-6184-4e71-9BBA-520A6FB376C2}.exe	32
PID 2492 wrote to memory of 2584	2492	{90FC7854-6184-4e71-9BBA-520A6FB376C2}.exe	32
PID 2492 wrote to memory of 2584	2492	{90FC7854-6184-4e71-9BBA-520A6FB376C2}.exe	32
PID 2492 wrote to memory of 2172	2492	{90FC7854-6184-4e71-9BBA-520A6FB376C2}.exe	33
PID 2492 wrote to memory of 2172	2492	{90FC7854-6184-4e71-9BBA-520A6FB376C2}.exe	33
PID 2492 wrote to memory of 2172	2492	{90FC7854-6184-4e71-9BBA-520A6FB376C2}.exe	33
PID 2492 wrote to memory of 2172	2492	{90FC7854-6184-4e71-9BBA-520A6FB376C2}.exe	33
PID 2584 wrote to memory of 1952	2584	{93DEB7FB-A743-40d1-8E8B-60DBCECAFA24}.exe	36
PID 2584 wrote to memory of 1952	2584	{93DEB7FB-A743-40d1-8E8B-60DBCECAFA24}.exe	36
PID 2584 wrote to memory of 1952	2584	{93DEB7FB-A743-40d1-8E8B-60DBCECAFA24}.exe	36
PID 2584 wrote to memory of 1952	2584	{93DEB7FB-A743-40d1-8E8B-60DBCECAFA24}.exe	36
PID 2584 wrote to memory of 268	2584	{93DEB7FB-A743-40d1-8E8B-60DBCECAFA24}.exe	37
PID 2584 wrote to memory of 268	2584	{93DEB7FB-A743-40d1-8E8B-60DBCECAFA24}.exe	37
PID 2584 wrote to memory of 268	2584	{93DEB7FB-A743-40d1-8E8B-60DBCECAFA24}.exe	37
PID 2584 wrote to memory of 268	2584	{93DEB7FB-A743-40d1-8E8B-60DBCECAFA24}.exe	37
PID 1952 wrote to memory of 2428	1952	{C46F2A91-B797-4203-94B9-D2023F3FA5FE}.exe	38
PID 1952 wrote to memory of 2428	1952	{C46F2A91-B797-4203-94B9-D2023F3FA5FE}.exe	38
PID 1952 wrote to memory of 2428	1952	{C46F2A91-B797-4203-94B9-D2023F3FA5FE}.exe	38
PID 1952 wrote to memory of 2428	1952	{C46F2A91-B797-4203-94B9-D2023F3FA5FE}.exe	38
PID 1952 wrote to memory of 2660	1952	{C46F2A91-B797-4203-94B9-D2023F3FA5FE}.exe	39
PID 1952 wrote to memory of 2660	1952	{C46F2A91-B797-4203-94B9-D2023F3FA5FE}.exe	39
PID 1952 wrote to memory of 2660	1952	{C46F2A91-B797-4203-94B9-D2023F3FA5FE}.exe	39
PID 1952 wrote to memory of 2660	1952	{C46F2A91-B797-4203-94B9-D2023F3FA5FE}.exe	39
PID 2428 wrote to memory of 2688	2428	{45145044-07BE-40b5-9525-9C653ADFC385}.exe	40
PID 2428 wrote to memory of 2688	2428	{45145044-07BE-40b5-9525-9C653ADFC385}.exe	40
PID 2428 wrote to memory of 2688	2428	{45145044-07BE-40b5-9525-9C653ADFC385}.exe	40
PID 2428 wrote to memory of 2688	2428	{45145044-07BE-40b5-9525-9C653ADFC385}.exe	40
PID 2428 wrote to memory of 364	2428	{45145044-07BE-40b5-9525-9C653ADFC385}.exe	41
PID 2428 wrote to memory of 364	2428	{45145044-07BE-40b5-9525-9C653ADFC385}.exe	41
PID 2428 wrote to memory of 364	2428	{45145044-07BE-40b5-9525-9C653ADFC385}.exe	41
PID 2428 wrote to memory of 364	2428	{45145044-07BE-40b5-9525-9C653ADFC385}.exe	41
PID 2688 wrote to memory of 1784	2688	{9DA06A75-4BF2-4a9b-BAF8-169E8E20B276}.exe	42
PID 2688 wrote to memory of 1784	2688	{9DA06A75-4BF2-4a9b-BAF8-169E8E20B276}.exe	42
PID 2688 wrote to memory of 1784	2688	{9DA06A75-4BF2-4a9b-BAF8-169E8E20B276}.exe	42
PID 2688 wrote to memory of 1784	2688	{9DA06A75-4BF2-4a9b-BAF8-169E8E20B276}.exe	42
PID 2688 wrote to memory of 1032	2688	{9DA06A75-4BF2-4a9b-BAF8-169E8E20B276}.exe	43
PID 2688 wrote to memory of 1032	2688	{9DA06A75-4BF2-4a9b-BAF8-169E8E20B276}.exe	43
PID 2688 wrote to memory of 1032	2688	{9DA06A75-4BF2-4a9b-BAF8-169E8E20B276}.exe	43
PID 2688 wrote to memory of 1032	2688	{9DA06A75-4BF2-4a9b-BAF8-169E8E20B276}.exe	43
PID 1784 wrote to memory of 1724	1784	{6FD4E82F-DC77-447b-9450-C2CC99FBF848}.exe	44
PID 1784 wrote to memory of 1724	1784	{6FD4E82F-DC77-447b-9450-C2CC99FBF848}.exe	44
PID 1784 wrote to memory of 1724	1784	{6FD4E82F-DC77-447b-9450-C2CC99FBF848}.exe	44
PID 1784 wrote to memory of 1724	1784	{6FD4E82F-DC77-447b-9450-C2CC99FBF848}.exe	44
PID 1784 wrote to memory of 976	1784	{6FD4E82F-DC77-447b-9450-C2CC99FBF848}.exe	45
PID 1784 wrote to memory of 976	1784	{6FD4E82F-DC77-447b-9450-C2CC99FBF848}.exe	45
PID 1784 wrote to memory of 976	1784	{6FD4E82F-DC77-447b-9450-C2CC99FBF848}.exe	45
PID 1784 wrote to memory of 976	1784	{6FD4E82F-DC77-447b-9450-C2CC99FBF848}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-03-16_8e895d4e260cbe3f849f54928b14f0f3_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-16_8e895d4e260cbe3f849f54928b14f0f3_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2816
- C:\Windows\{112EA666-BB08-4855-95F8-2C36F33C6EF9}.exe
  C:\Windows\{112EA666-BB08-4855-95F8-2C36F33C6EF9}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2864
- - C:\Windows\{90FC7854-6184-4e71-9BBA-520A6FB376C2}.exe
    C:\Windows\{90FC7854-6184-4e71-9BBA-520A6FB376C2}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2492
  - - C:\Windows\{93DEB7FB-A743-40d1-8E8B-60DBCECAFA24}.exe
      C:\Windows\{93DEB7FB-A743-40d1-8E8B-60DBCECAFA24}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2584
    - - C:\Windows\{C46F2A91-B797-4203-94B9-D2023F3FA5FE}.exe
        
        C:\Windows\{C46F2A91-B797-4203-94B9-D2023F3FA5FE}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1952
      - C:\Windows\{45145044-07BE-40b5-9525-9C653ADFC385}.exe
        
        C:\Windows\{45145044-07BE-40b5-9525-9C653ADFC385}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2428
        
        C:\Windows\{9DA06A75-4BF2-4a9b-BAF8-169E8E20B276}.exe
        
        C:\Windows\{9DA06A75-4BF2-4a9b-BAF8-169E8E20B276}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2688
        
        C:\Windows\{6FD4E82F-DC77-447b-9450-C2CC99FBF848}.exe
        
        C:\Windows\{6FD4E82F-DC77-447b-9450-C2CC99FBF848}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1784
        
        C:\Windows\{E92F48BA-11E1-4f3e-84B5-3CFD9CED3AEE}.exe
        
        C:\Windows\{E92F48BA-11E1-4f3e-84B5-3CFD9CED3AEE}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1724
        
        C:\Windows\{E3E146C2-4ACD-4508-860C-5503BD2914D6}.exe
        
        C:\Windows\{E3E146C2-4ACD-4508-860C-5503BD2914D6}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1692
        
        C:\Windows\{D07799E1-D372-4dd8-A9B6-B7CA498789B1}.exe
        
        C:\Windows\{D07799E1-D372-4dd8-A9B6-B7CA498789B1}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2248
        
        C:\Windows\{9A5ECFE0-CAFF-4331-851C-CC08BF4692CA}.exe
        
        C:\Windows\{9A5ECFE0-CAFF-4331-851C-CC08BF4692CA}.exe
        12⤵
        Executes dropped EXE
        
        PID:1316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D0779~1.EXE > nul
        12⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E3E14~1.EXE > nul
        11⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E92F4~1.EXE > nul
        10⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6FD4E~1.EXE > nul
        9⤵
        
        PID:976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9DA06~1.EXE > nul
        8⤵
        
        PID:1032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{45145~1.EXE > nul
        7⤵
        
        PID:364
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C46F2~1.EXE > nul
        6⤵
        
        PID:2660
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{93DEB~1.EXE > nul
        5⤵
        
        PID:268
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{90FC7~1.EXE > nul
      4⤵
      PID:2172
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{112EA~1.EXE > nul
    3⤵
    PID:2484
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{112EA666-BB08-4855-95F8-2C36F33C6EF9}.exe

Filesize
168KB

MD5
2befc1d704d77605a316a306aa957fa7

SHA1
c17890ade6ca7eaec5a2021eaa83f98a1f7f1e78

SHA256
f613d90f0debf02eeee04a7d12634b6a017acc9a3dfd9cd9af024829d282f0a1

SHA512
ff323a2eaf51842e00b9aab40ea78a3b015ee7c8bab17680d0a776adc7d74581728a9f20f3bbfdc98a40f5856303c97d27ed41bdd0a520a599ac65c1f921dab8

Download Submit
C:\Windows\{45145044-07BE-40b5-9525-9C653ADFC385}.exe

Filesize
168KB

MD5
0c361a94d91bc06d6b8f0c960088592c

SHA1
935a4bbf0fb8c079cd084279c1783bc7ea004a01

SHA256
e3de576c15a6a10b77433420865f6240d57e6e518669956c2ab85e7f2f4011f3

SHA512
36632f852a64186cd630f921e1a764b6a90882d2f9b04c027bff50ca51391db0d450a5446688a7c76bdf670911aafd7f751e0eb4bc6eb3d9531a1ee4243c94f8

Download Submit
C:\Windows\{6FD4E82F-DC77-447b-9450-C2CC99FBF848}.exe

Filesize
168KB

MD5
6a88f415f1044d2c4c71f4141644bb13

SHA1
8dd0ac3fb3bc3d8a3f219a78b4fb679f2ab4b326

SHA256
704104b275a8a6a8398af68688e16dd0c84002fdc82ac30dbce02870464f9a31

SHA512
eb84558720e64bf48638d46475859d345057040bfc584a0cf2585dd256f47610a236fa09825485f6a0e7e38fd0af88fd9364f57d28022c303e7143921551b189

Download Submit
C:\Windows\{90FC7854-6184-4e71-9BBA-520A6FB376C2}.exe

Filesize
168KB

MD5
ea47c51635868d7e8622aafd283ca4fd

SHA1
f06933f440a09e0f912d356a101acc3de2ff27be

SHA256
c697557eb86058500c632cf98c9cc3e2fe0871300a52379a81ae63aba4ae8cd0

SHA512
deb7fd41fc01d7651773575ced3977dbb241029afc4fcaf5f5f7487cec4abd1485dcd182bcc66f13928e147f1aa8cd92bc906b9ea9b5cf6f37620dd7f4b74636

Download Submit
C:\Windows\{93DEB7FB-A743-40d1-8E8B-60DBCECAFA24}.exe

Filesize
168KB

MD5
6112763c8cd1b29742822e0a5cc8faa3

SHA1
2e3d150f1f1eab8b1afb796132711ac166c0dc62

SHA256
0e490315ef52b4beb12c11ce94963e3cc426cf0a172cc575e87f5e584f49a57b

SHA512
baa7933c7aa6a05e09bd00ec2195160e071a4d218c93bbf1c17728657f96eb7fe0044b43c795d712050f9565e71580224b379e9fe2255a00d47a900f29878afc

Download Submit
C:\Windows\{9A5ECFE0-CAFF-4331-851C-CC08BF4692CA}.exe

Filesize
168KB

MD5
54878839970a68723b1031a0d0b16917

SHA1
deb48ed2fa0498d1cb81e1ff957e24eb94fc5f62

SHA256
8b5d94e141edb4c9a58d6dfe39f320b3eb22927067b89e95c78b9421d0a3971f

SHA512
cba924c45ad1fc20dabfb4747cba067134b0eec181c47658d5496b937ca7d49bb2d4b70a6b8f19ca15e9e98e2d492bc301072650819db87261990b523c8fdeca

Download Submit
C:\Windows\{9DA06A75-4BF2-4a9b-BAF8-169E8E20B276}.exe

Filesize
168KB

MD5
628eca5ba49d79ef8ea789874c66e702

SHA1
3788a45a17f3fc0b7661ee0de7814311b86103f2

SHA256
98cde4578b11c8793bf825d1d8bdc9b13d15c985041510ea2056a1c6047bc268

SHA512
34b960190041e3e6f3725204fa10ffc7797dd56d0d299859c04a38b520a4e1672f4260b8fbb0fd68116dc8db23346ba3c7f041dc0c956b4ed655ada7b9c76814

Download Submit
C:\Windows\{C46F2A91-B797-4203-94B9-D2023F3FA5FE}.exe

Filesize
168KB

MD5
3de778f3648964ab22021cf220aa249c

SHA1
2e6824779f4a7f903c6ef453dd7de976030867b8

SHA256
f78d535bc9067b4d121d908ba5c43c578f4eeba389bb9901ae946729bdc74983

SHA512
8d1f827929948dacb11d4ea47ba8e0a1a830879e797b9b25b1d92147850d9afd2ef7b49b556cc8feedba9626b1088a57900d3540f820fc97aa7e330e5681afde

Download Submit
C:\Windows\{D07799E1-D372-4dd8-A9B6-B7CA498789B1}.exe

Filesize
168KB

MD5
a0b2166870f293a02ea2ed00c1a9fea7

SHA1
bbc85b7a3f35c8e5e53e57e72c9af2ecd015d92c

SHA256
4a37d9442de4cef78391eb2c893074113d13c8e1095deb4929cc95ab4e404f09

SHA512
3f6f8aacf183af5d4ef089d542cf89dd3d5cf49ad37596fcb065578670a361fa0d0eb3fb41e2767272c99ea2bf2ec9e9f4aef3371c8635f32ce8deb6fe4768a4

Download Submit
C:\Windows\{E3E146C2-4ACD-4508-860C-5503BD2914D6}.exe

Filesize
168KB

MD5
6017616b3e2000086260316838bed28b

SHA1
7de87bdb49f769ef24b90141ca2dffba55eba82d

SHA256
6a99f63a2d7b0ca3a86b28577e330f65b80895bec6b818b230e2f80026fc68ca

SHA512
538a97ed578c2f64956e5a5a262d433b31656d11558109fd108113d74698165354486f2772180117fb0540bcd5fca53a9d39057b49d2f352054de81122893e3c

Download Submit
C:\Windows\{E92F48BA-11E1-4f3e-84B5-3CFD9CED3AEE}.exe

Filesize
168KB

MD5
09ff334bcbf997c3c3762d1097725a7b

SHA1
a8ff203f4db49bdd8e6e3724d740e5b3cfce36ba

SHA256
f6499d4f9244eb0b7fb0e933323f9124761cabe69238c1359707f20b311a6870

SHA512
20b9ccd2d02db7eab30fcba58798ab940f4ded12f9fa3cffaf0bccb95889041e3c31f10be47d6ccb2620953ef9facca37bbdfcb8dbba59a5bc5ffc014a3c5e6a

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads