69819a224bf188617a17bff077b14326b8bac0a73e7dabfe62c749a3aeef4bea

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
19/03/2024, 21:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-19_b25fb5a82ea3daf14a35dce0df8a2c9f_goldeneye.exe
Size

408KB
MD5

b25fb5a82ea3daf14a35dce0df8a2c9f
SHA1

821a80804c0526f05a843bd9b85789c08e221dd5
SHA256

69819a224bf188617a17bff077b14326b8bac0a73e7dabfe62c749a3aeef4bea
SHA512

72e63f763c7292f0bb40f22db04f659d8ecbbfa4256944d7fdfedcf3c465dd3776b0263d625dc573934d8ab0baf752b675c6c5d99cda6d7389d7f331b4b83205
SSDEEP

3072:CEGh0oXl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBft:CEGpldOe2MUVg3vTeKcAEciTBqr3jy9

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 13 IoCs

resource	yara_rule
behavioral1/files/0x000c0000000122dd-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c0000000122dd-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c0000000122dd-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b0000000149f4-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d0000000122dd-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000300000000b1f3-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000400000000b1f3-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000500000000b1f3-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000600000000b1f3-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5E386D77-05B2-4a03-92B7-0AC8638470DC}	{4D3AAB2D-2B3C-49f3-AC2C-BE3009AE686C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B07871B4-B11C-4faf-B831-E88D1352ABEF}	{DC7FC8D0-322F-4a99-B25D-46D1A8918177}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3E881142-94F5-4770-B02D-D02A66AA6F49}\stubpath = "C:\\Windows\\{3E881142-94F5-4770-B02D-D02A66AA6F49}.exe"	{91F6E546-5BC2-4df4-BA37-AA8DE4E8502B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{147BD8E3-3160-429a-B530-50F1976711E0}	{73E94381-7B71-47c1-A5A1-C7289AEAFBBB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4D3AAB2D-2B3C-49f3-AC2C-BE3009AE686C}\stubpath = "C:\\Windows\\{4D3AAB2D-2B3C-49f3-AC2C-BE3009AE686C}.exe"	2024-03-19_b25fb5a82ea3daf14a35dce0df8a2c9f_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5E386D77-05B2-4a03-92B7-0AC8638470DC}\stubpath = "C:\\Windows\\{5E386D77-05B2-4a03-92B7-0AC8638470DC}.exe"	{4D3AAB2D-2B3C-49f3-AC2C-BE3009AE686C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{53E8AB54-395C-4539-9B45-AEAB3FA0B1B1}	{68A501E2-0047-43b2-B6E3-E52A581C0181}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3E881142-94F5-4770-B02D-D02A66AA6F49}	{91F6E546-5BC2-4df4-BA37-AA8DE4E8502B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4D3AAB2D-2B3C-49f3-AC2C-BE3009AE686C}	2024-03-19_b25fb5a82ea3daf14a35dce0df8a2c9f_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{68A501E2-0047-43b2-B6E3-E52A581C0181}	{5E386D77-05B2-4a03-92B7-0AC8638470DC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{68A501E2-0047-43b2-B6E3-E52A581C0181}\stubpath = "C:\\Windows\\{68A501E2-0047-43b2-B6E3-E52A581C0181}.exe"	{5E386D77-05B2-4a03-92B7-0AC8638470DC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{53E8AB54-395C-4539-9B45-AEAB3FA0B1B1}\stubpath = "C:\\Windows\\{53E8AB54-395C-4539-9B45-AEAB3FA0B1B1}.exe"	{68A501E2-0047-43b2-B6E3-E52A581C0181}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{91F6E546-5BC2-4df4-BA37-AA8DE4E8502B}	{B07871B4-B11C-4faf-B831-E88D1352ABEF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{73E94381-7B71-47c1-A5A1-C7289AEAFBBB}\stubpath = "C:\\Windows\\{73E94381-7B71-47c1-A5A1-C7289AEAFBBB}.exe"	{3E881142-94F5-4770-B02D-D02A66AA6F49}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{147BD8E3-3160-429a-B530-50F1976711E0}\stubpath = "C:\\Windows\\{147BD8E3-3160-429a-B530-50F1976711E0}.exe"	{73E94381-7B71-47c1-A5A1-C7289AEAFBBB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DC7FC8D0-322F-4a99-B25D-46D1A8918177}	{53E8AB54-395C-4539-9B45-AEAB3FA0B1B1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DC7FC8D0-322F-4a99-B25D-46D1A8918177}\stubpath = "C:\\Windows\\{DC7FC8D0-322F-4a99-B25D-46D1A8918177}.exe"	{53E8AB54-395C-4539-9B45-AEAB3FA0B1B1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B07871B4-B11C-4faf-B831-E88D1352ABEF}\stubpath = "C:\\Windows\\{B07871B4-B11C-4faf-B831-E88D1352ABEF}.exe"	{DC7FC8D0-322F-4a99-B25D-46D1A8918177}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{91F6E546-5BC2-4df4-BA37-AA8DE4E8502B}\stubpath = "C:\\Windows\\{91F6E546-5BC2-4df4-BA37-AA8DE4E8502B}.exe"	{B07871B4-B11C-4faf-B831-E88D1352ABEF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{73E94381-7B71-47c1-A5A1-C7289AEAFBBB}	{3E881142-94F5-4770-B02D-D02A66AA6F49}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{094A71D9-0B6E-42a5-A6C3-F2943539E010}	{147BD8E3-3160-429a-B530-50F1976711E0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{094A71D9-0B6E-42a5-A6C3-F2943539E010}\stubpath = "C:\\Windows\\{094A71D9-0B6E-42a5-A6C3-F2943539E010}.exe"	{147BD8E3-3160-429a-B530-50F1976711E0}.exe

Deletes itself 1 IoCs

pid	Process
2928	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2176	{4D3AAB2D-2B3C-49f3-AC2C-BE3009AE686C}.exe
2708	{5E386D77-05B2-4a03-92B7-0AC8638470DC}.exe
2492	{68A501E2-0047-43b2-B6E3-E52A581C0181}.exe
2388	{53E8AB54-395C-4539-9B45-AEAB3FA0B1B1}.exe
2640	{DC7FC8D0-322F-4a99-B25D-46D1A8918177}.exe
1712	{B07871B4-B11C-4faf-B831-E88D1352ABEF}.exe
1740	{91F6E546-5BC2-4df4-BA37-AA8DE4E8502B}.exe
1468	{3E881142-94F5-4770-B02D-D02A66AA6F49}.exe
1560	{73E94381-7B71-47c1-A5A1-C7289AEAFBBB}.exe
1272	{147BD8E3-3160-429a-B530-50F1976711E0}.exe
2080	{094A71D9-0B6E-42a5-A6C3-F2943539E010}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{4D3AAB2D-2B3C-49f3-AC2C-BE3009AE686C}.exe	2024-03-19_b25fb5a82ea3daf14a35dce0df8a2c9f_goldeneye.exe
File created	C:\Windows\{5E386D77-05B2-4a03-92B7-0AC8638470DC}.exe	{4D3AAB2D-2B3C-49f3-AC2C-BE3009AE686C}.exe
File created	C:\Windows\{68A501E2-0047-43b2-B6E3-E52A581C0181}.exe	{5E386D77-05B2-4a03-92B7-0AC8638470DC}.exe
File created	C:\Windows\{53E8AB54-395C-4539-9B45-AEAB3FA0B1B1}.exe	{68A501E2-0047-43b2-B6E3-E52A581C0181}.exe
File created	C:\Windows\{DC7FC8D0-322F-4a99-B25D-46D1A8918177}.exe	{53E8AB54-395C-4539-9B45-AEAB3FA0B1B1}.exe
File created	C:\Windows\{B07871B4-B11C-4faf-B831-E88D1352ABEF}.exe	{DC7FC8D0-322F-4a99-B25D-46D1A8918177}.exe
File created	C:\Windows\{91F6E546-5BC2-4df4-BA37-AA8DE4E8502B}.exe	{B07871B4-B11C-4faf-B831-E88D1352ABEF}.exe
File created	C:\Windows\{3E881142-94F5-4770-B02D-D02A66AA6F49}.exe	{91F6E546-5BC2-4df4-BA37-AA8DE4E8502B}.exe
File created	C:\Windows\{73E94381-7B71-47c1-A5A1-C7289AEAFBBB}.exe	{3E881142-94F5-4770-B02D-D02A66AA6F49}.exe
File created	C:\Windows\{094A71D9-0B6E-42a5-A6C3-F2943539E010}.exe	{147BD8E3-3160-429a-B530-50F1976711E0}.exe
File created	C:\Windows\{147BD8E3-3160-429a-B530-50F1976711E0}.exe	{73E94381-7B71-47c1-A5A1-C7289AEAFBBB}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2036	2024-03-19_b25fb5a82ea3daf14a35dce0df8a2c9f_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2176	{4D3AAB2D-2B3C-49f3-AC2C-BE3009AE686C}.exe
Token: SeIncBasePriorityPrivilege	2708	{5E386D77-05B2-4a03-92B7-0AC8638470DC}.exe
Token: SeIncBasePriorityPrivilege	2492	{68A501E2-0047-43b2-B6E3-E52A581C0181}.exe
Token: SeIncBasePriorityPrivilege	2388	{53E8AB54-395C-4539-9B45-AEAB3FA0B1B1}.exe
Token: SeIncBasePriorityPrivilege	2640	{DC7FC8D0-322F-4a99-B25D-46D1A8918177}.exe
Token: SeIncBasePriorityPrivilege	1712	{B07871B4-B11C-4faf-B831-E88D1352ABEF}.exe
Token: SeIncBasePriorityPrivilege	1740	{91F6E546-5BC2-4df4-BA37-AA8DE4E8502B}.exe
Token: SeIncBasePriorityPrivilege	1468	{3E881142-94F5-4770-B02D-D02A66AA6F49}.exe
Token: SeIncBasePriorityPrivilege	1560	{73E94381-7B71-47c1-A5A1-C7289AEAFBBB}.exe
Token: SeIncBasePriorityPrivilege	1272	{147BD8E3-3160-429a-B530-50F1976711E0}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2036 wrote to memory of 2176	2036	2024-03-19_b25fb5a82ea3daf14a35dce0df8a2c9f_goldeneye.exe	28
PID 2036 wrote to memory of 2176	2036	2024-03-19_b25fb5a82ea3daf14a35dce0df8a2c9f_goldeneye.exe	28
PID 2036 wrote to memory of 2176	2036	2024-03-19_b25fb5a82ea3daf14a35dce0df8a2c9f_goldeneye.exe	28
PID 2036 wrote to memory of 2176	2036	2024-03-19_b25fb5a82ea3daf14a35dce0df8a2c9f_goldeneye.exe	28
PID 2036 wrote to memory of 2928	2036	2024-03-19_b25fb5a82ea3daf14a35dce0df8a2c9f_goldeneye.exe	29
PID 2036 wrote to memory of 2928	2036	2024-03-19_b25fb5a82ea3daf14a35dce0df8a2c9f_goldeneye.exe	29
PID 2036 wrote to memory of 2928	2036	2024-03-19_b25fb5a82ea3daf14a35dce0df8a2c9f_goldeneye.exe	29
PID 2036 wrote to memory of 2928	2036	2024-03-19_b25fb5a82ea3daf14a35dce0df8a2c9f_goldeneye.exe	29
PID 2176 wrote to memory of 2708	2176	{4D3AAB2D-2B3C-49f3-AC2C-BE3009AE686C}.exe	30
PID 2176 wrote to memory of 2708	2176	{4D3AAB2D-2B3C-49f3-AC2C-BE3009AE686C}.exe	30
PID 2176 wrote to memory of 2708	2176	{4D3AAB2D-2B3C-49f3-AC2C-BE3009AE686C}.exe	30
PID 2176 wrote to memory of 2708	2176	{4D3AAB2D-2B3C-49f3-AC2C-BE3009AE686C}.exe	30
PID 2176 wrote to memory of 2792	2176	{4D3AAB2D-2B3C-49f3-AC2C-BE3009AE686C}.exe	31
PID 2176 wrote to memory of 2792	2176	{4D3AAB2D-2B3C-49f3-AC2C-BE3009AE686C}.exe	31
PID 2176 wrote to memory of 2792	2176	{4D3AAB2D-2B3C-49f3-AC2C-BE3009AE686C}.exe	31
PID 2176 wrote to memory of 2792	2176	{4D3AAB2D-2B3C-49f3-AC2C-BE3009AE686C}.exe	31
PID 2708 wrote to memory of 2492	2708	{5E386D77-05B2-4a03-92B7-0AC8638470DC}.exe	32
PID 2708 wrote to memory of 2492	2708	{5E386D77-05B2-4a03-92B7-0AC8638470DC}.exe	32
PID 2708 wrote to memory of 2492	2708	{5E386D77-05B2-4a03-92B7-0AC8638470DC}.exe	32
PID 2708 wrote to memory of 2492	2708	{5E386D77-05B2-4a03-92B7-0AC8638470DC}.exe	32
PID 2708 wrote to memory of 2544	2708	{5E386D77-05B2-4a03-92B7-0AC8638470DC}.exe	33
PID 2708 wrote to memory of 2544	2708	{5E386D77-05B2-4a03-92B7-0AC8638470DC}.exe	33
PID 2708 wrote to memory of 2544	2708	{5E386D77-05B2-4a03-92B7-0AC8638470DC}.exe	33
PID 2708 wrote to memory of 2544	2708	{5E386D77-05B2-4a03-92B7-0AC8638470DC}.exe	33
PID 2492 wrote to memory of 2388	2492	{68A501E2-0047-43b2-B6E3-E52A581C0181}.exe	36
PID 2492 wrote to memory of 2388	2492	{68A501E2-0047-43b2-B6E3-E52A581C0181}.exe	36
PID 2492 wrote to memory of 2388	2492	{68A501E2-0047-43b2-B6E3-E52A581C0181}.exe	36
PID 2492 wrote to memory of 2388	2492	{68A501E2-0047-43b2-B6E3-E52A581C0181}.exe	36
PID 2492 wrote to memory of 1716	2492	{68A501E2-0047-43b2-B6E3-E52A581C0181}.exe	37
PID 2492 wrote to memory of 1716	2492	{68A501E2-0047-43b2-B6E3-E52A581C0181}.exe	37
PID 2492 wrote to memory of 1716	2492	{68A501E2-0047-43b2-B6E3-E52A581C0181}.exe	37
PID 2492 wrote to memory of 1716	2492	{68A501E2-0047-43b2-B6E3-E52A581C0181}.exe	37
PID 2388 wrote to memory of 2640	2388	{53E8AB54-395C-4539-9B45-AEAB3FA0B1B1}.exe	38
PID 2388 wrote to memory of 2640	2388	{53E8AB54-395C-4539-9B45-AEAB3FA0B1B1}.exe	38
PID 2388 wrote to memory of 2640	2388	{53E8AB54-395C-4539-9B45-AEAB3FA0B1B1}.exe	38
PID 2388 wrote to memory of 2640	2388	{53E8AB54-395C-4539-9B45-AEAB3FA0B1B1}.exe	38
PID 2388 wrote to memory of 2752	2388	{53E8AB54-395C-4539-9B45-AEAB3FA0B1B1}.exe	39
PID 2388 wrote to memory of 2752	2388	{53E8AB54-395C-4539-9B45-AEAB3FA0B1B1}.exe	39
PID 2388 wrote to memory of 2752	2388	{53E8AB54-395C-4539-9B45-AEAB3FA0B1B1}.exe	39
PID 2388 wrote to memory of 2752	2388	{53E8AB54-395C-4539-9B45-AEAB3FA0B1B1}.exe	39
PID 2640 wrote to memory of 1712	2640	{DC7FC8D0-322F-4a99-B25D-46D1A8918177}.exe	40
PID 2640 wrote to memory of 1712	2640	{DC7FC8D0-322F-4a99-B25D-46D1A8918177}.exe	40
PID 2640 wrote to memory of 1712	2640	{DC7FC8D0-322F-4a99-B25D-46D1A8918177}.exe	40
PID 2640 wrote to memory of 1712	2640	{DC7FC8D0-322F-4a99-B25D-46D1A8918177}.exe	40
PID 2640 wrote to memory of 2216	2640	{DC7FC8D0-322F-4a99-B25D-46D1A8918177}.exe	41
PID 2640 wrote to memory of 2216	2640	{DC7FC8D0-322F-4a99-B25D-46D1A8918177}.exe	41
PID 2640 wrote to memory of 2216	2640	{DC7FC8D0-322F-4a99-B25D-46D1A8918177}.exe	41
PID 2640 wrote to memory of 2216	2640	{DC7FC8D0-322F-4a99-B25D-46D1A8918177}.exe	41
PID 1712 wrote to memory of 1740	1712	{B07871B4-B11C-4faf-B831-E88D1352ABEF}.exe	42
PID 1712 wrote to memory of 1740	1712	{B07871B4-B11C-4faf-B831-E88D1352ABEF}.exe	42
PID 1712 wrote to memory of 1740	1712	{B07871B4-B11C-4faf-B831-E88D1352ABEF}.exe	42
PID 1712 wrote to memory of 1740	1712	{B07871B4-B11C-4faf-B831-E88D1352ABEF}.exe	42
PID 1712 wrote to memory of 2196	1712	{B07871B4-B11C-4faf-B831-E88D1352ABEF}.exe	43
PID 1712 wrote to memory of 2196	1712	{B07871B4-B11C-4faf-B831-E88D1352ABEF}.exe	43
PID 1712 wrote to memory of 2196	1712	{B07871B4-B11C-4faf-B831-E88D1352ABEF}.exe	43
PID 1712 wrote to memory of 2196	1712	{B07871B4-B11C-4faf-B831-E88D1352ABEF}.exe	43
PID 1740 wrote to memory of 1468	1740	{91F6E546-5BC2-4df4-BA37-AA8DE4E8502B}.exe	44
PID 1740 wrote to memory of 1468	1740	{91F6E546-5BC2-4df4-BA37-AA8DE4E8502B}.exe	44
PID 1740 wrote to memory of 1468	1740	{91F6E546-5BC2-4df4-BA37-AA8DE4E8502B}.exe	44
PID 1740 wrote to memory of 1468	1740	{91F6E546-5BC2-4df4-BA37-AA8DE4E8502B}.exe	44
PID 1740 wrote to memory of 1836	1740	{91F6E546-5BC2-4df4-BA37-AA8DE4E8502B}.exe	45
PID 1740 wrote to memory of 1836	1740	{91F6E546-5BC2-4df4-BA37-AA8DE4E8502B}.exe	45
PID 1740 wrote to memory of 1836	1740	{91F6E546-5BC2-4df4-BA37-AA8DE4E8502B}.exe	45
PID 1740 wrote to memory of 1836	1740	{91F6E546-5BC2-4df4-BA37-AA8DE4E8502B}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-03-19_b25fb5a82ea3daf14a35dce0df8a2c9f_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-19_b25fb5a82ea3daf14a35dce0df8a2c9f_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2036
- C:\Windows\{4D3AAB2D-2B3C-49f3-AC2C-BE3009AE686C}.exe
  C:\Windows\{4D3AAB2D-2B3C-49f3-AC2C-BE3009AE686C}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2176
- - C:\Windows\{5E386D77-05B2-4a03-92B7-0AC8638470DC}.exe
    C:\Windows\{5E386D77-05B2-4a03-92B7-0AC8638470DC}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2708
  - - C:\Windows\{68A501E2-0047-43b2-B6E3-E52A581C0181}.exe
      C:\Windows\{68A501E2-0047-43b2-B6E3-E52A581C0181}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2492
    - - C:\Windows\{53E8AB54-395C-4539-9B45-AEAB3FA0B1B1}.exe
        
        C:\Windows\{53E8AB54-395C-4539-9B45-AEAB3FA0B1B1}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2388
      - C:\Windows\{DC7FC8D0-322F-4a99-B25D-46D1A8918177}.exe
        
        C:\Windows\{DC7FC8D0-322F-4a99-B25D-46D1A8918177}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2640
        
        C:\Windows\{B07871B4-B11C-4faf-B831-E88D1352ABEF}.exe
        
        C:\Windows\{B07871B4-B11C-4faf-B831-E88D1352ABEF}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1712
        
        C:\Windows\{91F6E546-5BC2-4df4-BA37-AA8DE4E8502B}.exe
        
        C:\Windows\{91F6E546-5BC2-4df4-BA37-AA8DE4E8502B}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1740
        
        C:\Windows\{3E881142-94F5-4770-B02D-D02A66AA6F49}.exe
        
        C:\Windows\{3E881142-94F5-4770-B02D-D02A66AA6F49}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1468
        
        C:\Windows\{73E94381-7B71-47c1-A5A1-C7289AEAFBBB}.exe
        
        C:\Windows\{73E94381-7B71-47c1-A5A1-C7289AEAFBBB}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1560
        
        C:\Windows\{147BD8E3-3160-429a-B530-50F1976711E0}.exe
        
        C:\Windows\{147BD8E3-3160-429a-B530-50F1976711E0}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1272
        
        C:\Windows\{094A71D9-0B6E-42a5-A6C3-F2943539E010}.exe
        
        C:\Windows\{094A71D9-0B6E-42a5-A6C3-F2943539E010}.exe
        12⤵
        Executes dropped EXE
        
        PID:2080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{147BD~1.EXE > nul
        12⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{73E94~1.EXE > nul
        11⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3E881~1.EXE > nul
        10⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{91F6E~1.EXE > nul
        9⤵
        
        PID:1836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B0787~1.EXE > nul
        8⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DC7FC~1.EXE > nul
        7⤵
        
        PID:2216
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{53E8A~1.EXE > nul
        6⤵
        
        PID:2752
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{68A50~1.EXE > nul
        5⤵
        
        PID:1716
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{5E386~1.EXE > nul
      4⤵
      PID:2544
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{4D3AA~1.EXE > nul
    3⤵
    PID:2792
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{094A71D9-0B6E-42a5-A6C3-F2943539E010}.exe

Filesize
408KB

MD5
4404e6d5d31d498e9f79fdf65ccdc35f

SHA1
4c8bca24f08c449cbd1d306746f7483d415c536e

SHA256
3dbffa2cfab9b6dfcc73f690bde4b48ee139eba3ac842134a3d16621190a63c2

SHA512
f2f8a183e18a7d249d17e654795c4a6d2d52ccf299cb2ae78d053c3fdccc18ccf7f860f7e95e3c9e2ebc2875b148c70c85fcda36471e24ca0a430d48600c3d9b

Download Submit
C:\Windows\{147BD8E3-3160-429a-B530-50F1976711E0}.exe

Filesize
408KB

MD5
45f6be230b759075cb3aa340b1bf2aac

SHA1
5a7914a3fe92336ae741085589a898629f5d3536

SHA256
97747ce722b11279f884fbb5684ce7260f5a0df5b10ef14135caa5b12790b378

SHA512
165f0c5a56e8497ee497107c7ac6a0223442d75d63ae87e852d3ade41a7518f937937bb81518db8e23a7aff3110db8f89fe2202ecbbe938bf98c06d8cda271f0

Download Submit
C:\Windows\{3E881142-94F5-4770-B02D-D02A66AA6F49}.exe

Filesize
408KB

MD5
97bf0bb6037b600c0273df375ada3737

SHA1
cfb4f8cf06612e23a9f759dc08e79408e1512294

SHA256
678155763a994bd0f316aa60195af0bb77c6bf2ffb2d3d472fba1f17c8a8beac

SHA512
f7f5d2282a3be32d78808f5cd95e542fa113dc785e044bbc50b71ef07c30bbb229adaa6c76edcd394809058fc3f1a7358d7dda573834738f9e85fac05c6f0048

Download Submit
C:\Windows\{4D3AAB2D-2B3C-49f3-AC2C-BE3009AE686C}.exe

Filesize
64KB

MD5
7f7e793d2b264a32e2d675e3d36d0ee6

SHA1
d50408df2a73b9759c80bd21096da18bb9dfcea8

SHA256
2d7429ee7c51c73f9e6a14658399b6c571cb6b6ed6e64a3fb02e3e882cc5c6d9

SHA512
bc7f560b3530cc46c1fc8ce864235b4b173ab8108a40282cf725b334dae155f2e49e6caae305740155b79bd5708a01728350f8bb8904cfb6f417c65917512b9f

Download Submit
C:\Windows\{4D3AAB2D-2B3C-49f3-AC2C-BE3009AE686C}.exe

Filesize
28KB

MD5
f7c70184959dd2431c471dba2699dbb8

SHA1
292fb9769ebe83c20940feebd040f5aafe9c62bc

SHA256
0f32d5d6974ffc0999bf4ec89a11901712cc944af663bcf38dd20f41782bbeca

SHA512
cc3ad03bd013057bbc1e7ebbc5e45950d4ccaf88124717c4d854e3b1863b85d88b3e4eaee3c58531cdc3047c3f17ca233dd590afe595d88801250346ab5a5234

Download Submit
C:\Windows\{4D3AAB2D-2B3C-49f3-AC2C-BE3009AE686C}.exe

Filesize
408KB

MD5
86e6b14f90325c8ed664a8b87b5bcfcc

SHA1
e5ad22d4ed7885cc3a62be09cc7b30c301dbc0d8

SHA256
d65678836ffaacc73ac106cae5eafb4d361c57971dd2c34db3dbd722694d9529

SHA512
755fbc4fa7408be1a7cbf4edc3081523115bbc7cd20998a1a9d861b9de2a41d4465ab9761f79c3ecea6fcc44bb730d5fdb8841f31202bf46518eeb1273ff9508

Download Submit
C:\Windows\{53E8AB54-395C-4539-9B45-AEAB3FA0B1B1}.exe

Filesize
408KB

MD5
7e89c27226d8fddd5b7ce7ec920a5232

SHA1
94cd473c12c034017c9f4636047f9ae5fe32987f

SHA256
3478dd147e16708b544343c2bf1d5b223acdec3c9d4ead31753157e5230902f5

SHA512
251d5f7c4ba470512940aa9547cc65a3fdd991fbc39ecd8bacd46b1be498ee19e8fbce7136bea5068037be487192c6ca1581d663f07dc4f0484b52a5409d7a66

Download Submit
C:\Windows\{5E386D77-05B2-4a03-92B7-0AC8638470DC}.exe

Filesize
408KB

MD5
b05fc5d268433e2632006f6d65a43142

SHA1
b9881d97340054bd28aed44c767df1c3f76bcc36

SHA256
2d803807aa6b2bff75807fb02dd696eace666b9cd21ad3b8e6bf2b5e6c71d6e6

SHA512
78c90ed26002ea56186d4f5b46d886a072e35c012f64c10d8600cf76e6e54c67630cc60146a711f9f3b9c7c668f57a98d11a50207ea4c0b76a513fec216eb8eb

Download Submit
C:\Windows\{68A501E2-0047-43b2-B6E3-E52A581C0181}.exe

Filesize
408KB

MD5
c5cfca6f0ed329c64b318cab17f9795f

SHA1
a4cfa0493aed8828370dafc4c06667fedd2719f5

SHA256
5415d5b4aaabdb4920b3c19ad412045fd75bfeb57b6fdad0a5fe1f338aeba37e

SHA512
d710337ad61e5a6ecf57f84aa1610525fda3d0ed6d2e514315d0ce17d9131ff512666b2c5ed9f833c8da5efedc0365215138e4968e713860784e67bd8b71231a

Download Submit
C:\Windows\{73E94381-7B71-47c1-A5A1-C7289AEAFBBB}.exe

Filesize
408KB

MD5
9666fd8b3468cdd6fd624e8ebbd82c7b

SHA1
efd317861158f4ec80e9c82e1295995dfde7e23a

SHA256
720f8f68fcc32588d937111ce0bb8a8eb41269fe8e035a9a57ee9992eb0cbb79

SHA512
d41c5ee39b5676e665ae7051b0646403dc04fa241dc50f4d7c57c8ffa244abb5cf38dabc4838880fef8006e9b9c059b292525d26b3abae86ea21c612ba3ee9c0

Download Submit
C:\Windows\{91F6E546-5BC2-4df4-BA37-AA8DE4E8502B}.exe

Filesize
408KB

MD5
5cd8e7333fd51fc0ffbc0555a03db951

SHA1
a8a5856faadcada36800539abde125d5a41d7811

SHA256
b88ff73414859ed01d8f1aa6706e6c6dc528f2aa6cd4e0292e9f2baef773535f

SHA512
fd28b7c55910e2bc0e887c8fe1327430241fde8037b38f19fdff42371d23263963f32e1b3ddecd4de18917db09387e1fa61d892e9d93ed237162d0f9f2b46a00

Download Submit
C:\Windows\{B07871B4-B11C-4faf-B831-E88D1352ABEF}.exe

Filesize
408KB

MD5
4a1ebddb9e6117ca6bbea66564ca2167

SHA1
2691cf83f0bf78ed936b8fa83db1b58cc6aff1ed

SHA256
c29df57950eab350c574710116c90e8cc6815db3c16d4403fa690d5926383ced

SHA512
a30d5bc47241f4d69fbbfd73b92d40752dc98e0b1e9f4e298360b56554f7ea027586e54aa9278be59552c21f16faf5de1fa4930a3fb2413729a381be157d681f

Download Submit
C:\Windows\{DC7FC8D0-322F-4a99-B25D-46D1A8918177}.exe

Filesize
408KB

MD5
ab2b9b575d21c7915c27ca51e8f2cf70

SHA1
dfb276415efe12c666ef0a6e039b2d42a42b99de

SHA256
0b16df6ac4cdfa661d056019423061634b27481f181194a0846a1c1abcdf49fa

SHA512
9510c2cbbbbc2a8fd466774db805b4d93ff971e627a0a1a2957e5374a7e45d8e3d5ed46a3551acd5de5376fd0f1b59137a24bb99f57d1bfb36fa617226533aa0

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads