a8bdf3d6b0bc76b842cd692b7d0f7886579bc329566d11c99a451afe7290fbdc

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
19/03/2024, 02:49

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-03-19_facf51a349e853ebed1b4b11813f1517_goldeneye.exe
Size

197KB
MD5

facf51a349e853ebed1b4b11813f1517
SHA1

a00c2da39cd83b4fea199aa1922f0469cb097533
SHA256

a8bdf3d6b0bc76b842cd692b7d0f7886579bc329566d11c99a451afe7290fbdc
SHA512

4e02aaa4f38d1b6d23ce92b66314e460aba5d0e81bc6a2220d7f7545443e026497c94193b4c655665790e66fb4dbf70279c1468d0a119c8c77dbcd0f6718b0b3
SSDEEP

3072:jEGh0oFl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGblEeKcAEca

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x0009000000014909-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002c000000014c67-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f00000000f680-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002d000000014c67-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001000000000f680-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002e000000014c67-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001100000000f680-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002f000000014c67-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001200000000f680-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0030000000014c67-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000014fe1-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{73087DE4-7883-465d-B90B-24C22CFD4029}\stubpath = "C:\\Windows\\{73087DE4-7883-465d-B90B-24C22CFD4029}.exe"	{79D664E2-FA6F-46eb-ADF4-ED8C8DE1A069}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{33FC12C2-BC5F-4cfa-9F5B-6C7A26D02A97}	{1228D812-25D2-48bc-8276-86828445EF38}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1BB2A050-586D-474d-92CE-34B491BB4CA3}\stubpath = "C:\\Windows\\{1BB2A050-586D-474d-92CE-34B491BB4CA3}.exe"	{33FC12C2-BC5F-4cfa-9F5B-6C7A26D02A97}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FE970668-CDF2-400d-A8E6-B622C3AABC1D}\stubpath = "C:\\Windows\\{FE970668-CDF2-400d-A8E6-B622C3AABC1D}.exe"	2024-03-19_facf51a349e853ebed1b4b11813f1517_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E1EB666A-1748-47d1-95A0-AF297676E489}	{FE970668-CDF2-400d-A8E6-B622C3AABC1D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{33FC12C2-BC5F-4cfa-9F5B-6C7A26D02A97}\stubpath = "C:\\Windows\\{33FC12C2-BC5F-4cfa-9F5B-6C7A26D02A97}.exe"	{1228D812-25D2-48bc-8276-86828445EF38}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{79D664E2-FA6F-46eb-ADF4-ED8C8DE1A069}	{E1EB666A-1748-47d1-95A0-AF297676E489}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5885BBDF-B18C-4e57-9D21-6E7DDE265BAA}	{D187D1A0-9E5D-457c-BEC0-6051B2D3177A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8E09F2F6-7A27-453d-9FA8-CFE408B91A5B}\stubpath = "C:\\Windows\\{8E09F2F6-7A27-453d-9FA8-CFE408B91A5B}.exe"	{73087DE4-7883-465d-B90B-24C22CFD4029}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D187D1A0-9E5D-457c-BEC0-6051B2D3177A}\stubpath = "C:\\Windows\\{D187D1A0-9E5D-457c-BEC0-6051B2D3177A}.exe"	{8E09F2F6-7A27-453d-9FA8-CFE408B91A5B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5885BBDF-B18C-4e57-9D21-6E7DDE265BAA}\stubpath = "C:\\Windows\\{5885BBDF-B18C-4e57-9D21-6E7DDE265BAA}.exe"	{D187D1A0-9E5D-457c-BEC0-6051B2D3177A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F3DD238C-B721-454a-8135-D37DA669B2BA}	{5885BBDF-B18C-4e57-9D21-6E7DDE265BAA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F3DD238C-B721-454a-8135-D37DA669B2BA}\stubpath = "C:\\Windows\\{F3DD238C-B721-454a-8135-D37DA669B2BA}.exe"	{5885BBDF-B18C-4e57-9D21-6E7DDE265BAA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1228D812-25D2-48bc-8276-86828445EF38}	{F3DD238C-B721-454a-8135-D37DA669B2BA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FE970668-CDF2-400d-A8E6-B622C3AABC1D}	2024-03-19_facf51a349e853ebed1b4b11813f1517_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8E09F2F6-7A27-453d-9FA8-CFE408B91A5B}	{73087DE4-7883-465d-B90B-24C22CFD4029}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1228D812-25D2-48bc-8276-86828445EF38}\stubpath = "C:\\Windows\\{1228D812-25D2-48bc-8276-86828445EF38}.exe"	{F3DD238C-B721-454a-8135-D37DA669B2BA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1BB2A050-586D-474d-92CE-34B491BB4CA3}	{33FC12C2-BC5F-4cfa-9F5B-6C7A26D02A97}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{73087DE4-7883-465d-B90B-24C22CFD4029}	{79D664E2-FA6F-46eb-ADF4-ED8C8DE1A069}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D187D1A0-9E5D-457c-BEC0-6051B2D3177A}	{8E09F2F6-7A27-453d-9FA8-CFE408B91A5B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E1EB666A-1748-47d1-95A0-AF297676E489}\stubpath = "C:\\Windows\\{E1EB666A-1748-47d1-95A0-AF297676E489}.exe"	{FE970668-CDF2-400d-A8E6-B622C3AABC1D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{79D664E2-FA6F-46eb-ADF4-ED8C8DE1A069}\stubpath = "C:\\Windows\\{79D664E2-FA6F-46eb-ADF4-ED8C8DE1A069}.exe"	{E1EB666A-1748-47d1-95A0-AF297676E489}.exe

Deletes itself 1 IoCs

pid	Process
2700	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2528	{FE970668-CDF2-400d-A8E6-B622C3AABC1D}.exe
2848	{E1EB666A-1748-47d1-95A0-AF297676E489}.exe
2976	{79D664E2-FA6F-46eb-ADF4-ED8C8DE1A069}.exe
2400	{73087DE4-7883-465d-B90B-24C22CFD4029}.exe
1640	{8E09F2F6-7A27-453d-9FA8-CFE408B91A5B}.exe
2460	{D187D1A0-9E5D-457c-BEC0-6051B2D3177A}.exe
2632	{5885BBDF-B18C-4e57-9D21-6E7DDE265BAA}.exe
2508	{F3DD238C-B721-454a-8135-D37DA669B2BA}.exe
1616	{1228D812-25D2-48bc-8276-86828445EF38}.exe
2596	{33FC12C2-BC5F-4cfa-9F5B-6C7A26D02A97}.exe
2128	{1BB2A050-586D-474d-92CE-34B491BB4CA3}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{E1EB666A-1748-47d1-95A0-AF297676E489}.exe	{FE970668-CDF2-400d-A8E6-B622C3AABC1D}.exe
File created	C:\Windows\{73087DE4-7883-465d-B90B-24C22CFD4029}.exe	{79D664E2-FA6F-46eb-ADF4-ED8C8DE1A069}.exe
File created	C:\Windows\{5885BBDF-B18C-4e57-9D21-6E7DDE265BAA}.exe	{D187D1A0-9E5D-457c-BEC0-6051B2D3177A}.exe
File created	C:\Windows\{F3DD238C-B721-454a-8135-D37DA669B2BA}.exe	{5885BBDF-B18C-4e57-9D21-6E7DDE265BAA}.exe
File created	C:\Windows\{1228D812-25D2-48bc-8276-86828445EF38}.exe	{F3DD238C-B721-454a-8135-D37DA669B2BA}.exe
File created	C:\Windows\{33FC12C2-BC5F-4cfa-9F5B-6C7A26D02A97}.exe	{1228D812-25D2-48bc-8276-86828445EF38}.exe
File created	C:\Windows\{FE970668-CDF2-400d-A8E6-B622C3AABC1D}.exe	2024-03-19_facf51a349e853ebed1b4b11813f1517_goldeneye.exe
File created	C:\Windows\{79D664E2-FA6F-46eb-ADF4-ED8C8DE1A069}.exe	{E1EB666A-1748-47d1-95A0-AF297676E489}.exe
File created	C:\Windows\{8E09F2F6-7A27-453d-9FA8-CFE408B91A5B}.exe	{73087DE4-7883-465d-B90B-24C22CFD4029}.exe
File created	C:\Windows\{D187D1A0-9E5D-457c-BEC0-6051B2D3177A}.exe	{8E09F2F6-7A27-453d-9FA8-CFE408B91A5B}.exe
File created	C:\Windows\{1BB2A050-586D-474d-92CE-34B491BB4CA3}.exe	{33FC12C2-BC5F-4cfa-9F5B-6C7A26D02A97}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1760	2024-03-19_facf51a349e853ebed1b4b11813f1517_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2528	{FE970668-CDF2-400d-A8E6-B622C3AABC1D}.exe
Token: SeIncBasePriorityPrivilege	2848	{E1EB666A-1748-47d1-95A0-AF297676E489}.exe
Token: SeIncBasePriorityPrivilege	2976	{79D664E2-FA6F-46eb-ADF4-ED8C8DE1A069}.exe
Token: SeIncBasePriorityPrivilege	2400	{73087DE4-7883-465d-B90B-24C22CFD4029}.exe
Token: SeIncBasePriorityPrivilege	1640	{8E09F2F6-7A27-453d-9FA8-CFE408B91A5B}.exe
Token: SeIncBasePriorityPrivilege	2460	{D187D1A0-9E5D-457c-BEC0-6051B2D3177A}.exe
Token: SeIncBasePriorityPrivilege	2632	{5885BBDF-B18C-4e57-9D21-6E7DDE265BAA}.exe
Token: SeIncBasePriorityPrivilege	2508	{F3DD238C-B721-454a-8135-D37DA669B2BA}.exe
Token: SeIncBasePriorityPrivilege	1616	{1228D812-25D2-48bc-8276-86828445EF38}.exe
Token: SeIncBasePriorityPrivilege	2596	{33FC12C2-BC5F-4cfa-9F5B-6C7A26D02A97}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1760 wrote to memory of 2528	1760	2024-03-19_facf51a349e853ebed1b4b11813f1517_goldeneye.exe	28
PID 1760 wrote to memory of 2528	1760	2024-03-19_facf51a349e853ebed1b4b11813f1517_goldeneye.exe	28
PID 1760 wrote to memory of 2528	1760	2024-03-19_facf51a349e853ebed1b4b11813f1517_goldeneye.exe	28
PID 1760 wrote to memory of 2528	1760	2024-03-19_facf51a349e853ebed1b4b11813f1517_goldeneye.exe	28
PID 1760 wrote to memory of 2700	1760	2024-03-19_facf51a349e853ebed1b4b11813f1517_goldeneye.exe	29
PID 1760 wrote to memory of 2700	1760	2024-03-19_facf51a349e853ebed1b4b11813f1517_goldeneye.exe	29
PID 1760 wrote to memory of 2700	1760	2024-03-19_facf51a349e853ebed1b4b11813f1517_goldeneye.exe	29
PID 1760 wrote to memory of 2700	1760	2024-03-19_facf51a349e853ebed1b4b11813f1517_goldeneye.exe	29
PID 2528 wrote to memory of 2848	2528	{FE970668-CDF2-400d-A8E6-B622C3AABC1D}.exe	30
PID 2528 wrote to memory of 2848	2528	{FE970668-CDF2-400d-A8E6-B622C3AABC1D}.exe	30
PID 2528 wrote to memory of 2848	2528	{FE970668-CDF2-400d-A8E6-B622C3AABC1D}.exe	30
PID 2528 wrote to memory of 2848	2528	{FE970668-CDF2-400d-A8E6-B622C3AABC1D}.exe	30
PID 2528 wrote to memory of 2104	2528	{FE970668-CDF2-400d-A8E6-B622C3AABC1D}.exe	31
PID 2528 wrote to memory of 2104	2528	{FE970668-CDF2-400d-A8E6-B622C3AABC1D}.exe	31
PID 2528 wrote to memory of 2104	2528	{FE970668-CDF2-400d-A8E6-B622C3AABC1D}.exe	31
PID 2528 wrote to memory of 2104	2528	{FE970668-CDF2-400d-A8E6-B622C3AABC1D}.exe	31
PID 2848 wrote to memory of 2976	2848	{E1EB666A-1748-47d1-95A0-AF297676E489}.exe	34
PID 2848 wrote to memory of 2976	2848	{E1EB666A-1748-47d1-95A0-AF297676E489}.exe	34
PID 2848 wrote to memory of 2976	2848	{E1EB666A-1748-47d1-95A0-AF297676E489}.exe	34
PID 2848 wrote to memory of 2976	2848	{E1EB666A-1748-47d1-95A0-AF297676E489}.exe	34
PID 2848 wrote to memory of 2944	2848	{E1EB666A-1748-47d1-95A0-AF297676E489}.exe	35
PID 2848 wrote to memory of 2944	2848	{E1EB666A-1748-47d1-95A0-AF297676E489}.exe	35
PID 2848 wrote to memory of 2944	2848	{E1EB666A-1748-47d1-95A0-AF297676E489}.exe	35
PID 2848 wrote to memory of 2944	2848	{E1EB666A-1748-47d1-95A0-AF297676E489}.exe	35
PID 2976 wrote to memory of 2400	2976	{79D664E2-FA6F-46eb-ADF4-ED8C8DE1A069}.exe	36
PID 2976 wrote to memory of 2400	2976	{79D664E2-FA6F-46eb-ADF4-ED8C8DE1A069}.exe	36
PID 2976 wrote to memory of 2400	2976	{79D664E2-FA6F-46eb-ADF4-ED8C8DE1A069}.exe	36
PID 2976 wrote to memory of 2400	2976	{79D664E2-FA6F-46eb-ADF4-ED8C8DE1A069}.exe	36
PID 2976 wrote to memory of 436	2976	{79D664E2-FA6F-46eb-ADF4-ED8C8DE1A069}.exe	37
PID 2976 wrote to memory of 436	2976	{79D664E2-FA6F-46eb-ADF4-ED8C8DE1A069}.exe	37
PID 2976 wrote to memory of 436	2976	{79D664E2-FA6F-46eb-ADF4-ED8C8DE1A069}.exe	37
PID 2976 wrote to memory of 436	2976	{79D664E2-FA6F-46eb-ADF4-ED8C8DE1A069}.exe	37
PID 2400 wrote to memory of 1640	2400	{73087DE4-7883-465d-B90B-24C22CFD4029}.exe	38
PID 2400 wrote to memory of 1640	2400	{73087DE4-7883-465d-B90B-24C22CFD4029}.exe	38
PID 2400 wrote to memory of 1640	2400	{73087DE4-7883-465d-B90B-24C22CFD4029}.exe	38
PID 2400 wrote to memory of 1640	2400	{73087DE4-7883-465d-B90B-24C22CFD4029}.exe	38
PID 2400 wrote to memory of 2732	2400	{73087DE4-7883-465d-B90B-24C22CFD4029}.exe	39
PID 2400 wrote to memory of 2732	2400	{73087DE4-7883-465d-B90B-24C22CFD4029}.exe	39
PID 2400 wrote to memory of 2732	2400	{73087DE4-7883-465d-B90B-24C22CFD4029}.exe	39
PID 2400 wrote to memory of 2732	2400	{73087DE4-7883-465d-B90B-24C22CFD4029}.exe	39
PID 1640 wrote to memory of 2460	1640	{8E09F2F6-7A27-453d-9FA8-CFE408B91A5B}.exe	40
PID 1640 wrote to memory of 2460	1640	{8E09F2F6-7A27-453d-9FA8-CFE408B91A5B}.exe	40
PID 1640 wrote to memory of 2460	1640	{8E09F2F6-7A27-453d-9FA8-CFE408B91A5B}.exe	40
PID 1640 wrote to memory of 2460	1640	{8E09F2F6-7A27-453d-9FA8-CFE408B91A5B}.exe	40
PID 1640 wrote to memory of 2488	1640	{8E09F2F6-7A27-453d-9FA8-CFE408B91A5B}.exe	41
PID 1640 wrote to memory of 2488	1640	{8E09F2F6-7A27-453d-9FA8-CFE408B91A5B}.exe	41
PID 1640 wrote to memory of 2488	1640	{8E09F2F6-7A27-453d-9FA8-CFE408B91A5B}.exe	41
PID 1640 wrote to memory of 2488	1640	{8E09F2F6-7A27-453d-9FA8-CFE408B91A5B}.exe	41
PID 2460 wrote to memory of 2632	2460	{D187D1A0-9E5D-457c-BEC0-6051B2D3177A}.exe	42
PID 2460 wrote to memory of 2632	2460	{D187D1A0-9E5D-457c-BEC0-6051B2D3177A}.exe	42
PID 2460 wrote to memory of 2632	2460	{D187D1A0-9E5D-457c-BEC0-6051B2D3177A}.exe	42
PID 2460 wrote to memory of 2632	2460	{D187D1A0-9E5D-457c-BEC0-6051B2D3177A}.exe	42
PID 2460 wrote to memory of 2160	2460	{D187D1A0-9E5D-457c-BEC0-6051B2D3177A}.exe	43
PID 2460 wrote to memory of 2160	2460	{D187D1A0-9E5D-457c-BEC0-6051B2D3177A}.exe	43
PID 2460 wrote to memory of 2160	2460	{D187D1A0-9E5D-457c-BEC0-6051B2D3177A}.exe	43
PID 2460 wrote to memory of 2160	2460	{D187D1A0-9E5D-457c-BEC0-6051B2D3177A}.exe	43
PID 2632 wrote to memory of 2508	2632	{5885BBDF-B18C-4e57-9D21-6E7DDE265BAA}.exe	44
PID 2632 wrote to memory of 2508	2632	{5885BBDF-B18C-4e57-9D21-6E7DDE265BAA}.exe	44
PID 2632 wrote to memory of 2508	2632	{5885BBDF-B18C-4e57-9D21-6E7DDE265BAA}.exe	44
PID 2632 wrote to memory of 2508	2632	{5885BBDF-B18C-4e57-9D21-6E7DDE265BAA}.exe	44
PID 2632 wrote to memory of 2676	2632	{5885BBDF-B18C-4e57-9D21-6E7DDE265BAA}.exe	45
PID 2632 wrote to memory of 2676	2632	{5885BBDF-B18C-4e57-9D21-6E7DDE265BAA}.exe	45
PID 2632 wrote to memory of 2676	2632	{5885BBDF-B18C-4e57-9D21-6E7DDE265BAA}.exe	45
PID 2632 wrote to memory of 2676	2632	{5885BBDF-B18C-4e57-9D21-6E7DDE265BAA}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-03-19_facf51a349e853ebed1b4b11813f1517_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-19_facf51a349e853ebed1b4b11813f1517_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1760
- C:\Windows\{FE970668-CDF2-400d-A8E6-B622C3AABC1D}.exe
  C:\Windows\{FE970668-CDF2-400d-A8E6-B622C3AABC1D}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2528
- - C:\Windows\{E1EB666A-1748-47d1-95A0-AF297676E489}.exe
    C:\Windows\{E1EB666A-1748-47d1-95A0-AF297676E489}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2848
  - - C:\Windows\{79D664E2-FA6F-46eb-ADF4-ED8C8DE1A069}.exe
      C:\Windows\{79D664E2-FA6F-46eb-ADF4-ED8C8DE1A069}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2976
    - - C:\Windows\{73087DE4-7883-465d-B90B-24C22CFD4029}.exe
        
        C:\Windows\{73087DE4-7883-465d-B90B-24C22CFD4029}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2400
      - C:\Windows\{8E09F2F6-7A27-453d-9FA8-CFE408B91A5B}.exe
        
        C:\Windows\{8E09F2F6-7A27-453d-9FA8-CFE408B91A5B}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1640
        
        C:\Windows\{D187D1A0-9E5D-457c-BEC0-6051B2D3177A}.exe
        
        C:\Windows\{D187D1A0-9E5D-457c-BEC0-6051B2D3177A}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2460
        
        C:\Windows\{5885BBDF-B18C-4e57-9D21-6E7DDE265BAA}.exe
        
        C:\Windows\{5885BBDF-B18C-4e57-9D21-6E7DDE265BAA}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2632
        
        C:\Windows\{F3DD238C-B721-454a-8135-D37DA669B2BA}.exe
        
        C:\Windows\{F3DD238C-B721-454a-8135-D37DA669B2BA}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2508
        
        C:\Windows\{1228D812-25D2-48bc-8276-86828445EF38}.exe
        
        C:\Windows\{1228D812-25D2-48bc-8276-86828445EF38}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1616
        
        C:\Windows\{33FC12C2-BC5F-4cfa-9F5B-6C7A26D02A97}.exe
        
        C:\Windows\{33FC12C2-BC5F-4cfa-9F5B-6C7A26D02A97}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2596
        
        C:\Windows\{1BB2A050-586D-474d-92CE-34B491BB4CA3}.exe
        
        C:\Windows\{1BB2A050-586D-474d-92CE-34B491BB4CA3}.exe
        12⤵
        Executes dropped EXE
        
        PID:2128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{33FC1~1.EXE > nul
        12⤵
        
        PID:2316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1228D~1.EXE > nul
        11⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F3DD2~1.EXE > nul
        10⤵
        
        PID:2320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5885B~1.EXE > nul
        9⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D187D~1.EXE > nul
        8⤵
        
        PID:2160
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8E09F~1.EXE > nul
        7⤵
        
        PID:2488
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{73087~1.EXE > nul
        6⤵
        
        PID:2732
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{79D66~1.EXE > nul
        5⤵
        
        PID:436
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{E1EB6~1.EXE > nul
      4⤵
      PID:2944
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{FE970~1.EXE > nul
    3⤵
    PID:2104
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1228D812-25D2-48bc-8276-86828445EF38}.exe

Filesize
197KB

MD5
b5087ad83599b7d16437dc4777df8600

SHA1
bb9c541c75ebecef02365485c80e2f458efe1367

SHA256
0972948774149550e0eaf206b1ee2a87c9514f6ce0545dbe37a34220fde91a7f

SHA512
3784f622d287bac7b1629e37221c04475fcf9a34c62e547b93b7ced6ed6e71078b38974fabec73a13dd51864e5f7f7b23c1b284d67b1f0866bc8a8c356ccc8c8

Download Submit
C:\Windows\{1BB2A050-586D-474d-92CE-34B491BB4CA3}.exe

Filesize
197KB

MD5
298bc1b26db5e4b3564b3ae7c4175f10

SHA1
c0963d4c3751ceb1825d3fc1d79458ced137e2c6

SHA256
49dbdb8ccfd282f7b9e3bc6a6c0b3077121876674179443c7a96b30417f1df8b

SHA512
6cf00b0b0d74d119b2747df6f9bae04d197711bbe95cfadced8afe4c988ce164ee9918d8ea9245656ea0662685e010131758a612a0d41c055fc521c2404e5d16

Download Submit
C:\Windows\{33FC12C2-BC5F-4cfa-9F5B-6C7A26D02A97}.exe

Filesize
197KB

MD5
f7a386086e68cc6abb7e2fe049e17163

SHA1
560ead44fa6b4c7ef71994a1e4cc55528760bee8

SHA256
cbb2683bfb0438e32a83df7ed3c441593fcc2d5b4736e122173254702e6da3a4

SHA512
2d5edbac20360d154986c79f97a55830c700e6b30a6724c31acb82b955024377976247d6b4c682aeadb90b2692401e3f66610476d2fb269ca0fca4a6b7578ae2

Download Submit
C:\Windows\{5885BBDF-B18C-4e57-9D21-6E7DDE265BAA}.exe

Filesize
197KB

MD5
2d957fa9d1135255c14e98e5aaa4ea75

SHA1
623ba12eae1761047cd8c7850a6b29280b175dcb

SHA256
a07e1fc71a85f070b3f415a9268234936ad875a2ceffddb678de013f9c760500

SHA512
1a41580aa88d548d4f8c7336d2fc744b7a3c91aa7853308c2ddd88b7cc4692181ba9ece920674bc3faa1f9d3af17de7cbb7a19bb7d0d78b90c1f5e994e67391a

Download Submit
C:\Windows\{73087DE4-7883-465d-B90B-24C22CFD4029}.exe

Filesize
197KB

MD5
8f68a2d8589fae43cbd1e47a9ddaa5f6

SHA1
3b47769ee8c9bb557b1fb6cc5a5ca342f27566da

SHA256
2ebd6c4e2ddf75525298e893752fb4e1ba5093d021a6be1104b3ccac3d703b04

SHA512
17d9fa4a01194cd35c6128199dbb4c31a7b9878693e6f9324436980f3886f64a3dd250dca57a41d6d76de097cb1553bf41252ced1930da338bc1d540334bc874

Download Submit
C:\Windows\{79D664E2-FA6F-46eb-ADF4-ED8C8DE1A069}.exe

Filesize
197KB

MD5
cdc615b109e86a0e561328bff5605cd0

SHA1
d871266dc13e0f08c926e61a18d09823c65d4e71

SHA256
eb1454d3786a8957588cfc71111a9631248c268ac90335f70bb0f1a128199413

SHA512
f7d7b2cd132174d0fed91d7428d57b81e839f51d19bca8758446b007b075228838d9c068fcbb51c7c39bc63822bcb781808446a4ae27baaffcd97101405b0647

Download Submit
C:\Windows\{8E09F2F6-7A27-453d-9FA8-CFE408B91A5B}.exe

Filesize
197KB

MD5
f728e55516449f2b3aea0d5549d7a87a

SHA1
18f5d76932b9416511442d8af30a208987eca961

SHA256
92aa6d2ace8b85dff8626f95d25119f8ccd70203fb19a92582ee47cfc2d665fc

SHA512
c5568e6511a8f35bae1a841c76da0434e83381b3547921d95fb0cecdfe3b0e77ed9636a43ed5873e454c9fbe652178543e4594e04b4fbf527944f9b3ed3fae6b

Download Submit
C:\Windows\{D187D1A0-9E5D-457c-BEC0-6051B2D3177A}.exe

Filesize
197KB

MD5
a6de23d88113da26b358909fcd3f9ae3

SHA1
cd333c9f41969aa0aaaf8df2cefb7fb8548ac955

SHA256
dcb4d8493085de778c65960748799abaec206c03c477f685171fa54673758155

SHA512
99af07a1446c06cdb6d7310316279ab2dd8eae7a13809819889f8b3d67048ea81be3a3f201a703f166e7f0cf552128b1c9cb557afc2917e4f9aacbdf4cb8986e

Download Submit
C:\Windows\{E1EB666A-1748-47d1-95A0-AF297676E489}.exe

Filesize
197KB

MD5
3f181efca3db125659cd35eebfb28f92

SHA1
5dae4b618fb753484b18851c3bf57e06a83d0a3d

SHA256
12156ce9f931b04c0925bcb823f488ad6aaa27abf1ea3bcb77bc8aeb3f0183f9

SHA512
f5182c40f157b5e0ffbc2c48282524632cafa70da0aea363476a3a06c1bd75c7d3ec114ebddd599ed398f9e5a449c30f52780a2c7407d38f18a50bfced1bbbfe

Download Submit
C:\Windows\{F3DD238C-B721-454a-8135-D37DA669B2BA}.exe

Filesize
197KB

MD5
37e731aaa9cf794f1b24aac8ca42e009

SHA1
f9439f2d93e68b933012e4488a4f5c0ac9f96c10

SHA256
73accb6438b4f4d45b5fe773de40ebce1002fed9ebeceeb271128b018837996b

SHA512
716469a3355167845ec6b0dc62fa8bebc4003cc9b051a69a6be5f2b44e1c8eee46b0ed0dbd779ce941f280f07184307f444da1951255c71a4eb7d999578fc8ea

Download Submit
C:\Windows\{FE970668-CDF2-400d-A8E6-B622C3AABC1D}.exe

Filesize
197KB

MD5
c5c99de7439c60a2baaac0ab60b9e639

SHA1
e1cfd292cdaa36179eae01cb7b7a12a5713d6943

SHA256
1114267e6f4e2553f888db0cd2554cbe61479bd57be812db1ac26427d18ba8f9

SHA512
5e5c17248eacc06e9bb58e5c5cd57941684cec92fb691909296e0ab2209c1493139bf30d8054af7793d1cb77769cbf50fea5c7d7291c112d4fd5a59bf94c2435

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads