596209f15b44b5ada9f5fa81745975535e9fabf891b27084e403d2ec51888120

Analysis

max time kernel
144s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
19/03/2024, 14:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-19_043fe5808c3ba6299c20a8934c730461_goldeneye.exe
Size

408KB
MD5

043fe5808c3ba6299c20a8934c730461
SHA1

c227f9010a442c196df89dcd3a643ecc5ef9dd67
SHA256

596209f15b44b5ada9f5fa81745975535e9fabf891b27084e403d2ec51888120
SHA512

e1641b7e83b43168b57eb3d0e6f23496616ca4bbc3472a6774f8eb007e8a6764ba9c3d6e7af121030ab62a2c5507d21a506b71f674f61279cb9305a09945319c
SSDEEP

3072:CEGh0ohl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGHldOe2MUVg3vTeKcAEciTBqr3jy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral1/files/0x000c00000001224e-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d00000001232e-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d00000001224e-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002d000000014665-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e00000001224e-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f00000001224e-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f00000001224e-55.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001000000001224e-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2A698208-3637-44ee-BE9E-E63339E1B02B}\stubpath = "C:\\Windows\\{2A698208-3637-44ee-BE9E-E63339E1B02B}.exe"	2024-03-19_043fe5808c3ba6299c20a8934c730461_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E3994D7F-6E54-4c3e-80C6-A2FEA988CFAF}\stubpath = "C:\\Windows\\{E3994D7F-6E54-4c3e-80C6-A2FEA988CFAF}.exe"	{4DB11AF5-D4FC-456f-A904-797B709AACB7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E119DC27-18C4-4970-A870-199FA750539C}	{C8AAB391-ED11-4e86-B90A-A5548B859D78}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ADE5F453-5DAE-456e-A36B-45C810210347}\stubpath = "C:\\Windows\\{ADE5F453-5DAE-456e-A36B-45C810210347}.exe"	{5C74D9B5-E4E1-4df0-9D34-9950B26D6079}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{72579C3D-4A08-488b-A3EB-83FC293218AC}\stubpath = "C:\\Windows\\{72579C3D-4A08-488b-A3EB-83FC293218AC}.exe"	{89981AA7-64EE-40a6-9ACF-B10348E28317}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ADF2098F-39AB-4242-8124-14366A5C4FD1}	{72579C3D-4A08-488b-A3EB-83FC293218AC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ADF2098F-39AB-4242-8124-14366A5C4FD1}\stubpath = "C:\\Windows\\{ADF2098F-39AB-4242-8124-14366A5C4FD1}.exe"	{72579C3D-4A08-488b-A3EB-83FC293218AC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4DB11AF5-D4FC-456f-A904-797B709AACB7}	{2A698208-3637-44ee-BE9E-E63339E1B02B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4DB11AF5-D4FC-456f-A904-797B709AACB7}\stubpath = "C:\\Windows\\{4DB11AF5-D4FC-456f-A904-797B709AACB7}.exe"	{2A698208-3637-44ee-BE9E-E63339E1B02B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C8AAB391-ED11-4e86-B90A-A5548B859D78}	{E3994D7F-6E54-4c3e-80C6-A2FEA988CFAF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{72579C3D-4A08-488b-A3EB-83FC293218AC}	{89981AA7-64EE-40a6-9ACF-B10348E28317}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5587D02D-D8FD-41d6-9626-44087952B9B3}\stubpath = "C:\\Windows\\{5587D02D-D8FD-41d6-9626-44087952B9B3}.exe"	{ADF2098F-39AB-4242-8124-14366A5C4FD1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C8AAB391-ED11-4e86-B90A-A5548B859D78}\stubpath = "C:\\Windows\\{C8AAB391-ED11-4e86-B90A-A5548B859D78}.exe"	{E3994D7F-6E54-4c3e-80C6-A2FEA988CFAF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E119DC27-18C4-4970-A870-199FA750539C}\stubpath = "C:\\Windows\\{E119DC27-18C4-4970-A870-199FA750539C}.exe"	{C8AAB391-ED11-4e86-B90A-A5548B859D78}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5C74D9B5-E4E1-4df0-9D34-9950B26D6079}	{E119DC27-18C4-4970-A870-199FA750539C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{89981AA7-64EE-40a6-9ACF-B10348E28317}	{ADE5F453-5DAE-456e-A36B-45C810210347}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5587D02D-D8FD-41d6-9626-44087952B9B3}	{ADF2098F-39AB-4242-8124-14366A5C4FD1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2A698208-3637-44ee-BE9E-E63339E1B02B}	2024-03-19_043fe5808c3ba6299c20a8934c730461_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E3994D7F-6E54-4c3e-80C6-A2FEA988CFAF}	{4DB11AF5-D4FC-456f-A904-797B709AACB7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5C74D9B5-E4E1-4df0-9D34-9950B26D6079}\stubpath = "C:\\Windows\\{5C74D9B5-E4E1-4df0-9D34-9950B26D6079}.exe"	{E119DC27-18C4-4970-A870-199FA750539C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ADE5F453-5DAE-456e-A36B-45C810210347}	{5C74D9B5-E4E1-4df0-9D34-9950B26D6079}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{89981AA7-64EE-40a6-9ACF-B10348E28317}\stubpath = "C:\\Windows\\{89981AA7-64EE-40a6-9ACF-B10348E28317}.exe"	{ADE5F453-5DAE-456e-A36B-45C810210347}.exe

Deletes itself 1 IoCs

pid	Process
2512	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2156	{2A698208-3637-44ee-BE9E-E63339E1B02B}.exe
2644	{4DB11AF5-D4FC-456f-A904-797B709AACB7}.exe
2716	{E3994D7F-6E54-4c3e-80C6-A2FEA988CFAF}.exe
3068	{C8AAB391-ED11-4e86-B90A-A5548B859D78}.exe
2968	{E119DC27-18C4-4970-A870-199FA750539C}.exe
2144	{5C74D9B5-E4E1-4df0-9D34-9950B26D6079}.exe
1440	{ADE5F453-5DAE-456e-A36B-45C810210347}.exe
2852	{89981AA7-64EE-40a6-9ACF-B10348E28317}.exe
1244	{72579C3D-4A08-488b-A3EB-83FC293218AC}.exe
2900	{ADF2098F-39AB-4242-8124-14366A5C4FD1}.exe
784	{5587D02D-D8FD-41d6-9626-44087952B9B3}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{C8AAB391-ED11-4e86-B90A-A5548B859D78}.exe	{E3994D7F-6E54-4c3e-80C6-A2FEA988CFAF}.exe
File created	C:\Windows\{5587D02D-D8FD-41d6-9626-44087952B9B3}.exe	{ADF2098F-39AB-4242-8124-14366A5C4FD1}.exe
File created	C:\Windows\{5C74D9B5-E4E1-4df0-9D34-9950B26D6079}.exe	{E119DC27-18C4-4970-A870-199FA750539C}.exe
File created	C:\Windows\{ADE5F453-5DAE-456e-A36B-45C810210347}.exe	{5C74D9B5-E4E1-4df0-9D34-9950B26D6079}.exe
File created	C:\Windows\{89981AA7-64EE-40a6-9ACF-B10348E28317}.exe	{ADE5F453-5DAE-456e-A36B-45C810210347}.exe
File created	C:\Windows\{72579C3D-4A08-488b-A3EB-83FC293218AC}.exe	{89981AA7-64EE-40a6-9ACF-B10348E28317}.exe
File created	C:\Windows\{2A698208-3637-44ee-BE9E-E63339E1B02B}.exe	2024-03-19_043fe5808c3ba6299c20a8934c730461_goldeneye.exe
File created	C:\Windows\{4DB11AF5-D4FC-456f-A904-797B709AACB7}.exe	{2A698208-3637-44ee-BE9E-E63339E1B02B}.exe
File created	C:\Windows\{E3994D7F-6E54-4c3e-80C6-A2FEA988CFAF}.exe	{4DB11AF5-D4FC-456f-A904-797B709AACB7}.exe
File created	C:\Windows\{E119DC27-18C4-4970-A870-199FA750539C}.exe	{C8AAB391-ED11-4e86-B90A-A5548B859D78}.exe
File created	C:\Windows\{ADF2098F-39AB-4242-8124-14366A5C4FD1}.exe	{72579C3D-4A08-488b-A3EB-83FC293218AC}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2880	2024-03-19_043fe5808c3ba6299c20a8934c730461_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2156	{2A698208-3637-44ee-BE9E-E63339E1B02B}.exe
Token: SeIncBasePriorityPrivilege	2644	{4DB11AF5-D4FC-456f-A904-797B709AACB7}.exe
Token: SeIncBasePriorityPrivilege	2716	{E3994D7F-6E54-4c3e-80C6-A2FEA988CFAF}.exe
Token: SeIncBasePriorityPrivilege	3068	{C8AAB391-ED11-4e86-B90A-A5548B859D78}.exe
Token: SeIncBasePriorityPrivilege	2968	{E119DC27-18C4-4970-A870-199FA750539C}.exe
Token: SeIncBasePriorityPrivilege	2144	{5C74D9B5-E4E1-4df0-9D34-9950B26D6079}.exe
Token: SeIncBasePriorityPrivilege	1440	{ADE5F453-5DAE-456e-A36B-45C810210347}.exe
Token: SeIncBasePriorityPrivilege	2852	{89981AA7-64EE-40a6-9ACF-B10348E28317}.exe
Token: SeIncBasePriorityPrivilege	1244	{72579C3D-4A08-488b-A3EB-83FC293218AC}.exe
Token: SeIncBasePriorityPrivilege	2900	{ADF2098F-39AB-4242-8124-14366A5C4FD1}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2880 wrote to memory of 2156	2880	2024-03-19_043fe5808c3ba6299c20a8934c730461_goldeneye.exe	28
PID 2880 wrote to memory of 2156	2880	2024-03-19_043fe5808c3ba6299c20a8934c730461_goldeneye.exe	28
PID 2880 wrote to memory of 2156	2880	2024-03-19_043fe5808c3ba6299c20a8934c730461_goldeneye.exe	28
PID 2880 wrote to memory of 2156	2880	2024-03-19_043fe5808c3ba6299c20a8934c730461_goldeneye.exe	28
PID 2880 wrote to memory of 2512	2880	2024-03-19_043fe5808c3ba6299c20a8934c730461_goldeneye.exe	29
PID 2880 wrote to memory of 2512	2880	2024-03-19_043fe5808c3ba6299c20a8934c730461_goldeneye.exe	29
PID 2880 wrote to memory of 2512	2880	2024-03-19_043fe5808c3ba6299c20a8934c730461_goldeneye.exe	29
PID 2880 wrote to memory of 2512	2880	2024-03-19_043fe5808c3ba6299c20a8934c730461_goldeneye.exe	29
PID 2156 wrote to memory of 2644	2156	{2A698208-3637-44ee-BE9E-E63339E1B02B}.exe	30
PID 2156 wrote to memory of 2644	2156	{2A698208-3637-44ee-BE9E-E63339E1B02B}.exe	30
PID 2156 wrote to memory of 2644	2156	{2A698208-3637-44ee-BE9E-E63339E1B02B}.exe	30
PID 2156 wrote to memory of 2644	2156	{2A698208-3637-44ee-BE9E-E63339E1B02B}.exe	30
PID 2156 wrote to memory of 2628	2156	{2A698208-3637-44ee-BE9E-E63339E1B02B}.exe	31
PID 2156 wrote to memory of 2628	2156	{2A698208-3637-44ee-BE9E-E63339E1B02B}.exe	31
PID 2156 wrote to memory of 2628	2156	{2A698208-3637-44ee-BE9E-E63339E1B02B}.exe	31
PID 2156 wrote to memory of 2628	2156	{2A698208-3637-44ee-BE9E-E63339E1B02B}.exe	31
PID 2644 wrote to memory of 2716	2644	{4DB11AF5-D4FC-456f-A904-797B709AACB7}.exe	32
PID 2644 wrote to memory of 2716	2644	{4DB11AF5-D4FC-456f-A904-797B709AACB7}.exe	32
PID 2644 wrote to memory of 2716	2644	{4DB11AF5-D4FC-456f-A904-797B709AACB7}.exe	32
PID 2644 wrote to memory of 2716	2644	{4DB11AF5-D4FC-456f-A904-797B709AACB7}.exe	32
PID 2644 wrote to memory of 1784	2644	{4DB11AF5-D4FC-456f-A904-797B709AACB7}.exe	33
PID 2644 wrote to memory of 1784	2644	{4DB11AF5-D4FC-456f-A904-797B709AACB7}.exe	33
PID 2644 wrote to memory of 1784	2644	{4DB11AF5-D4FC-456f-A904-797B709AACB7}.exe	33
PID 2644 wrote to memory of 1784	2644	{4DB11AF5-D4FC-456f-A904-797B709AACB7}.exe	33
PID 2716 wrote to memory of 3068	2716	{E3994D7F-6E54-4c3e-80C6-A2FEA988CFAF}.exe	36
PID 2716 wrote to memory of 3068	2716	{E3994D7F-6E54-4c3e-80C6-A2FEA988CFAF}.exe	36
PID 2716 wrote to memory of 3068	2716	{E3994D7F-6E54-4c3e-80C6-A2FEA988CFAF}.exe	36
PID 2716 wrote to memory of 3068	2716	{E3994D7F-6E54-4c3e-80C6-A2FEA988CFAF}.exe	36
PID 2716 wrote to memory of 2992	2716	{E3994D7F-6E54-4c3e-80C6-A2FEA988CFAF}.exe	37
PID 2716 wrote to memory of 2992	2716	{E3994D7F-6E54-4c3e-80C6-A2FEA988CFAF}.exe	37
PID 2716 wrote to memory of 2992	2716	{E3994D7F-6E54-4c3e-80C6-A2FEA988CFAF}.exe	37
PID 2716 wrote to memory of 2992	2716	{E3994D7F-6E54-4c3e-80C6-A2FEA988CFAF}.exe	37
PID 3068 wrote to memory of 2968	3068	{C8AAB391-ED11-4e86-B90A-A5548B859D78}.exe	38
PID 3068 wrote to memory of 2968	3068	{C8AAB391-ED11-4e86-B90A-A5548B859D78}.exe	38
PID 3068 wrote to memory of 2968	3068	{C8AAB391-ED11-4e86-B90A-A5548B859D78}.exe	38
PID 3068 wrote to memory of 2968	3068	{C8AAB391-ED11-4e86-B90A-A5548B859D78}.exe	38
PID 3068 wrote to memory of 3008	3068	{C8AAB391-ED11-4e86-B90A-A5548B859D78}.exe	39
PID 3068 wrote to memory of 3008	3068	{C8AAB391-ED11-4e86-B90A-A5548B859D78}.exe	39
PID 3068 wrote to memory of 3008	3068	{C8AAB391-ED11-4e86-B90A-A5548B859D78}.exe	39
PID 3068 wrote to memory of 3008	3068	{C8AAB391-ED11-4e86-B90A-A5548B859D78}.exe	39
PID 2968 wrote to memory of 2144	2968	{E119DC27-18C4-4970-A870-199FA750539C}.exe	40
PID 2968 wrote to memory of 2144	2968	{E119DC27-18C4-4970-A870-199FA750539C}.exe	40
PID 2968 wrote to memory of 2144	2968	{E119DC27-18C4-4970-A870-199FA750539C}.exe	40
PID 2968 wrote to memory of 2144	2968	{E119DC27-18C4-4970-A870-199FA750539C}.exe	40
PID 2968 wrote to memory of 1744	2968	{E119DC27-18C4-4970-A870-199FA750539C}.exe	41
PID 2968 wrote to memory of 1744	2968	{E119DC27-18C4-4970-A870-199FA750539C}.exe	41
PID 2968 wrote to memory of 1744	2968	{E119DC27-18C4-4970-A870-199FA750539C}.exe	41
PID 2968 wrote to memory of 1744	2968	{E119DC27-18C4-4970-A870-199FA750539C}.exe	41
PID 2144 wrote to memory of 1440	2144	{5C74D9B5-E4E1-4df0-9D34-9950B26D6079}.exe	42
PID 2144 wrote to memory of 1440	2144	{5C74D9B5-E4E1-4df0-9D34-9950B26D6079}.exe	42
PID 2144 wrote to memory of 1440	2144	{5C74D9B5-E4E1-4df0-9D34-9950B26D6079}.exe	42
PID 2144 wrote to memory of 1440	2144	{5C74D9B5-E4E1-4df0-9D34-9950B26D6079}.exe	42
PID 2144 wrote to memory of 2664	2144	{5C74D9B5-E4E1-4df0-9D34-9950B26D6079}.exe	43
PID 2144 wrote to memory of 2664	2144	{5C74D9B5-E4E1-4df0-9D34-9950B26D6079}.exe	43
PID 2144 wrote to memory of 2664	2144	{5C74D9B5-E4E1-4df0-9D34-9950B26D6079}.exe	43
PID 2144 wrote to memory of 2664	2144	{5C74D9B5-E4E1-4df0-9D34-9950B26D6079}.exe	43
PID 1440 wrote to memory of 2852	1440	{ADE5F453-5DAE-456e-A36B-45C810210347}.exe	44
PID 1440 wrote to memory of 2852	1440	{ADE5F453-5DAE-456e-A36B-45C810210347}.exe	44
PID 1440 wrote to memory of 2852	1440	{ADE5F453-5DAE-456e-A36B-45C810210347}.exe	44
PID 1440 wrote to memory of 2852	1440	{ADE5F453-5DAE-456e-A36B-45C810210347}.exe	44
PID 1440 wrote to memory of 1704	1440	{ADE5F453-5DAE-456e-A36B-45C810210347}.exe	45
PID 1440 wrote to memory of 1704	1440	{ADE5F453-5DAE-456e-A36B-45C810210347}.exe	45
PID 1440 wrote to memory of 1704	1440	{ADE5F453-5DAE-456e-A36B-45C810210347}.exe	45
PID 1440 wrote to memory of 1704	1440	{ADE5F453-5DAE-456e-A36B-45C810210347}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-03-19_043fe5808c3ba6299c20a8934c730461_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-19_043fe5808c3ba6299c20a8934c730461_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2880
- C:\Windows\{2A698208-3637-44ee-BE9E-E63339E1B02B}.exe
  C:\Windows\{2A698208-3637-44ee-BE9E-E63339E1B02B}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2156
- - C:\Windows\{4DB11AF5-D4FC-456f-A904-797B709AACB7}.exe
    C:\Windows\{4DB11AF5-D4FC-456f-A904-797B709AACB7}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2644
  - - C:\Windows\{E3994D7F-6E54-4c3e-80C6-A2FEA988CFAF}.exe
      C:\Windows\{E3994D7F-6E54-4c3e-80C6-A2FEA988CFAF}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2716
    - - C:\Windows\{C8AAB391-ED11-4e86-B90A-A5548B859D78}.exe
        
        C:\Windows\{C8AAB391-ED11-4e86-B90A-A5548B859D78}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3068
      - C:\Windows\{E119DC27-18C4-4970-A870-199FA750539C}.exe
        
        C:\Windows\{E119DC27-18C4-4970-A870-199FA750539C}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2968
        
        C:\Windows\{5C74D9B5-E4E1-4df0-9D34-9950B26D6079}.exe
        
        C:\Windows\{5C74D9B5-E4E1-4df0-9D34-9950B26D6079}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2144
        
        C:\Windows\{ADE5F453-5DAE-456e-A36B-45C810210347}.exe
        
        C:\Windows\{ADE5F453-5DAE-456e-A36B-45C810210347}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1440
        
        C:\Windows\{89981AA7-64EE-40a6-9ACF-B10348E28317}.exe
        
        C:\Windows\{89981AA7-64EE-40a6-9ACF-B10348E28317}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2852
        
        C:\Windows\{72579C3D-4A08-488b-A3EB-83FC293218AC}.exe
        
        C:\Windows\{72579C3D-4A08-488b-A3EB-83FC293218AC}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1244
        
        C:\Windows\{ADF2098F-39AB-4242-8124-14366A5C4FD1}.exe
        
        C:\Windows\{ADF2098F-39AB-4242-8124-14366A5C4FD1}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2900
        
        C:\Windows\{5587D02D-D8FD-41d6-9626-44087952B9B3}.exe
        
        C:\Windows\{5587D02D-D8FD-41d6-9626-44087952B9B3}.exe
        12⤵
        Executes dropped EXE
        
        PID:784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{ADF20~1.EXE > nul
        12⤵
        
        PID:1480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{72579~1.EXE > nul
        11⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{89981~1.EXE > nul
        10⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{ADE5F~1.EXE > nul
        9⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5C74D~1.EXE > nul
        8⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E119D~1.EXE > nul
        7⤵
        
        PID:1744
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C8AAB~1.EXE > nul
        6⤵
        
        PID:3008
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E3994~1.EXE > nul
        5⤵
        
        PID:2992
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{4DB11~1.EXE > nul
      4⤵
      PID:1784
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{2A698~1.EXE > nul
    3⤵
    PID:2628
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{2A698208-3637-44ee-BE9E-E63339E1B02B}.exe

Filesize
408KB

MD5
636346f1f99e699b4bd0eea9267d59e3

SHA1
1f383fa83a5dfffbcd3ec6f8ef4de068e89afe9a

SHA256
47557ae5638fdcb7c7b9070f1acaf5c31991fd5e795a7fcc9e57efae2706b62c

SHA512
2b7746093a3ef7c453bca979fa3adaef9a7c76e8ff597f923c164c8c297f71981a086fb1014e6e2199bcfaaf98ab8346e232323d80786416f80f07637368d9f5

Download Submit
C:\Windows\{4DB11AF5-D4FC-456f-A904-797B709AACB7}.exe

Filesize
408KB

MD5
a80af5684f72e35068ccb891728bc69d

SHA1
6eb9b66adf106bcc875743aa6776a24010b968f0

SHA256
4172aef792da438c8ff2e1d049c76e02284ed1d573a008cb7f0b28c74c825b93

SHA512
375253f2faa0a350183586697037b4bd06efc4c78cc3d6c40a02e7d98b1feeeed0a86e08431a3484314fa16aac5036e8da1d9f19599a8c561f50c967bffa6c9f

Download Submit
C:\Windows\{5587D02D-D8FD-41d6-9626-44087952B9B3}.exe

Filesize
408KB

MD5
8f8d081aeea85234b5047ec37c214ed4

SHA1
08798b33ba5923db553967f180d7783f2dafa347

SHA256
905730c32a7a0febd8d6a4ed052f87a276103875ae06622dfa3cc44359a1faeb

SHA512
5a6bc1b11dfbfc8804a0395678c2ea99561d3e0e4804fd77baf4c4910fddb3c355241d0c097d6122635b276e9a46939c7ff6791d3d7c34838316f88bb59e691c

Download Submit
C:\Windows\{5C74D9B5-E4E1-4df0-9D34-9950B26D6079}.exe

Filesize
408KB

MD5
642dd6f6f19dac6f443eecf0ede08bd1

SHA1
eb8ea4947e9b996cc2a96c9b13568ae24966b1d1

SHA256
d005fcc5e56858e278d8ca72576ea984659adb163ecabd777117e6b434e5a431

SHA512
5a9744dcabc525895bc82bb9083c98229c4e0ddb14ed523901bafc77617fb1d21fb8cdc6dcf895818af33898d518032bba21535b9a16937f9ff45dcfe8e7897d

Download Submit
C:\Windows\{72579C3D-4A08-488b-A3EB-83FC293218AC}.exe

Filesize
408KB

MD5
9591b8dd408e2bc8039e2710d2127e81

SHA1
5dee11dfb83e37b4ac66ff9d0886d122c9f1bfbe

SHA256
f75b1ce8bb2c8184b50c2bb4808c87739f8a08a5a61e28a6cce39ae64b7207c6

SHA512
58b17a120ff63c3b7ae2c584f0ee4cc1581aa54fc587812bc85921058f7543121b2e9ecffa261523104d26a3b5a9d4fe0fb8f4a38665ad3912e9fa9fa248adc8

Download Submit
C:\Windows\{89981AA7-64EE-40a6-9ACF-B10348E28317}.exe

Filesize
273KB

MD5
0cf3d611d0a6784b8a40c447c87f90da

SHA1
c266c0d0c51a78a42eb97c9ab72f9a31207bc1d5

SHA256
9461a05f1195515fdda1ae36aa087104dc90a44e63075d80d9f5d05d4238438a

SHA512
6d6053513f5ae008da2428cc1bc587fdee3e34013e95641496d9060dd578961a53227eb90d14bc75ef19fb999d9b988ff12103decd68aa0816e147e99bfdd36b

Download Submit
C:\Windows\{89981AA7-64EE-40a6-9ACF-B10348E28317}.exe

Filesize
408KB

MD5
da778cf80c7b4805e133a7b7af53efb2

SHA1
df4c07603cfe895d660b8ce6f88fb5f19cb16a24

SHA256
0586f35a9eb9b50ff2832f57c0ff306385ac43ef17c1089239f2e68d2fcc6688

SHA512
118acc0a106eafb4e892cb641cf90d3298bb09a8cf366673ed599921580b4922596732d385a692e3191d6b6849b37c7bc7a6f7fcfcbd1389442cb69df7659d04

Download Submit
C:\Windows\{ADE5F453-5DAE-456e-A36B-45C810210347}.exe

Filesize
408KB

MD5
bf036c073c85c9434eadf2cd954072a1

SHA1
9ce7d4b4f5d1cbccbd5c799b3c43cf615c4930a6

SHA256
5cdee4ac852286bbf8bcd2a5333b05ce1f059aa90fc5fd25d46aed442ee1e87b

SHA512
f3551d020af30be961cad4bf15879131fff63fbef4707e247ef9bf400af949187186d527ceb5b0091131d302cd89b28b78ade05f44e2144feda1355bf7f5cbf4

Download Submit
C:\Windows\{ADF2098F-39AB-4242-8124-14366A5C4FD1}.exe

Filesize
408KB

MD5
dfc4825263ee621fa879249b22ea543d

SHA1
53b28ff83d42967be5e82de23a624d08151dacd2

SHA256
aedeb67962a1d74a0404f607d130361fd7afe6ad2faebbb4f3bfcf9e178f49f9

SHA512
a03ecf963dc34c0e39f5a2eb7ba82c2b5cc467bb58b0da47053b9a97949c53267583aba30d86c2e1087a23c89297b487a2641aab7a008ee8a6cbd70624bc71c8

Download Submit
C:\Windows\{C8AAB391-ED11-4e86-B90A-A5548B859D78}.exe

Filesize
408KB

MD5
1ea6193a0cea1363095efc01ac8a0439

SHA1
07461a440a626cb57aa12dcf6518e886ba16b684

SHA256
67cffddef06846a105573f434526cd8daac58f12b4ea8252c2f139a2ee8b0461

SHA512
da11a51af52e590ad517e97ce54c557f7f16c3331cc7db0546b534d41da69b00c8ce0e6f520fd0f52c767dab5375c6ee0edfcf58139069f20591dc0334607b0a

Download Submit
C:\Windows\{E119DC27-18C4-4970-A870-199FA750539C}.exe

Filesize
408KB

MD5
06f789f82ad12604bc4f7a95680b9730

SHA1
9affbd55741911d77c52a294b58bae8801bb2150

SHA256
5c85eaf136aa1b57e4ea9338d005668d5b1ff7a45c5300d124c2d729dd0b5c8a

SHA512
a317d2d0403399af3ca1b9bbf57f7e5a9c9bcc7c6f22119a8090f2a49d3f3f2f3d8391e6dd714b467df9f521d4f2b0d6a943e2d2c235f2fc635e455496f3024e

Download Submit
C:\Windows\{E3994D7F-6E54-4c3e-80C6-A2FEA988CFAF}.exe

Filesize
408KB

MD5
850719e0c576c7763d6ad183dfdda8ad

SHA1
c6eae8a8fb5f41d41fe619e652075a94328ef0b9

SHA256
0e0c79d5bbe12c0c7788a71616a92fc6b3e10a15ecb4faba823e59ec95ac2e0b

SHA512
3b707942cecab5e12a35625122f964a0de4ec433d9bb88fd5b9177f14cbb6bcbf933a88a9580df53e8da73464a3deda6c7e0b61208c447a3cf26b118fd2a6cf4

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads