daa49dc55d68c38fb3c115ea7ec306738559794f79c982ba75739baabef556c0

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
19-03-2024 20:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-19_fa4301a16165c5cd3a6275c547ca7675_goldeneye.exe
Size

380KB
MD5

fa4301a16165c5cd3a6275c547ca7675
SHA1

950e1658d21f74ac82a2ce09301b1bd5d6c97fcc
SHA256

daa49dc55d68c38fb3c115ea7ec306738559794f79c982ba75739baabef556c0
SHA512

7c2eb8038a5e9c7d5440f1802da359e1001490cfdd67fc80cdf11a5ccb670bddcad89e61864f393bc47420c2687d92f6a44677c423e13f205e2b5dff35bbb57c
SSDEEP

3072:mEGh0ojlPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGRl7Oe2MUVg3v2IneKcAEcARy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000b000000012248-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000012333-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000012248-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00350000000149ea-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000012248-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e000000012248-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f000000012248-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1631F9E5-68EB-4229-8A44-E6A0CCED5469}\stubpath = "C:\\Windows\\{1631F9E5-68EB-4229-8A44-E6A0CCED5469}.exe"	{379C1F41-1549-4f4d-8D6B-4A38F3BCF4E7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1B8DA99D-552E-4b43-AD7A-BF94781EA5BC}\stubpath = "C:\\Windows\\{1B8DA99D-552E-4b43-AD7A-BF94781EA5BC}.exe"	{4E60D066-D812-47b0-A79D-A4418D0E11EA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7EA830EF-CF44-4b92-A1B0-E730E088C0D8}	{1B8DA99D-552E-4b43-AD7A-BF94781EA5BC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5E381FA4-90CC-413d-9600-40AE09CC4DD2}	{7EA830EF-CF44-4b92-A1B0-E730E088C0D8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5E381FA4-90CC-413d-9600-40AE09CC4DD2}\stubpath = "C:\\Windows\\{5E381FA4-90CC-413d-9600-40AE09CC4DD2}.exe"	{7EA830EF-CF44-4b92-A1B0-E730E088C0D8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D85D22B0-2B74-461b-B3A1-E34316E1F246}	{8BC1AED8-9F14-4b0e-B155-9604EF35BD06}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{379C1F41-1549-4f4d-8D6B-4A38F3BCF4E7}	{462B569F-0949-434b-A273-CB802BA45357}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{379C1F41-1549-4f4d-8D6B-4A38F3BCF4E7}\stubpath = "C:\\Windows\\{379C1F41-1549-4f4d-8D6B-4A38F3BCF4E7}.exe"	{462B569F-0949-434b-A273-CB802BA45357}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1631F9E5-68EB-4229-8A44-E6A0CCED5469}	{379C1F41-1549-4f4d-8D6B-4A38F3BCF4E7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0E388785-7BA4-4a9c-B9FD-BF9790DCA92B}\stubpath = "C:\\Windows\\{0E388785-7BA4-4a9c-B9FD-BF9790DCA92B}.exe"	2024-03-19_fa4301a16165c5cd3a6275c547ca7675_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4E60D066-D812-47b0-A79D-A4418D0E11EA}\stubpath = "C:\\Windows\\{4E60D066-D812-47b0-A79D-A4418D0E11EA}.exe"	{0E388785-7BA4-4a9c-B9FD-BF9790DCA92B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7EA830EF-CF44-4b92-A1B0-E730E088C0D8}\stubpath = "C:\\Windows\\{7EA830EF-CF44-4b92-A1B0-E730E088C0D8}.exe"	{1B8DA99D-552E-4b43-AD7A-BF94781EA5BC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D437F794-501D-4ffe-9743-1F168B402D55}\stubpath = "C:\\Windows\\{D437F794-501D-4ffe-9743-1F168B402D55}.exe"	{5E381FA4-90CC-413d-9600-40AE09CC4DD2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8BC1AED8-9F14-4b0e-B155-9604EF35BD06}\stubpath = "C:\\Windows\\{8BC1AED8-9F14-4b0e-B155-9604EF35BD06}.exe"	{D437F794-501D-4ffe-9743-1F168B402D55}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{462B569F-0949-434b-A273-CB802BA45357}	{D85D22B0-2B74-461b-B3A1-E34316E1F246}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1B8DA99D-552E-4b43-AD7A-BF94781EA5BC}	{4E60D066-D812-47b0-A79D-A4418D0E11EA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8BC1AED8-9F14-4b0e-B155-9604EF35BD06}	{D437F794-501D-4ffe-9743-1F168B402D55}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{462B569F-0949-434b-A273-CB802BA45357}\stubpath = "C:\\Windows\\{462B569F-0949-434b-A273-CB802BA45357}.exe"	{D85D22B0-2B74-461b-B3A1-E34316E1F246}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0E388785-7BA4-4a9c-B9FD-BF9790DCA92B}	2024-03-19_fa4301a16165c5cd3a6275c547ca7675_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4E60D066-D812-47b0-A79D-A4418D0E11EA}	{0E388785-7BA4-4a9c-B9FD-BF9790DCA92B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D437F794-501D-4ffe-9743-1F168B402D55}	{5E381FA4-90CC-413d-9600-40AE09CC4DD2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D85D22B0-2B74-461b-B3A1-E34316E1F246}\stubpath = "C:\\Windows\\{D85D22B0-2B74-461b-B3A1-E34316E1F246}.exe"	{8BC1AED8-9F14-4b0e-B155-9604EF35BD06}.exe

Deletes itself 1 IoCs

pid	Process
2116	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
3060	{0E388785-7BA4-4a9c-B9FD-BF9790DCA92B}.exe
2712	{4E60D066-D812-47b0-A79D-A4418D0E11EA}.exe
2768	{1B8DA99D-552E-4b43-AD7A-BF94781EA5BC}.exe
1424	{7EA830EF-CF44-4b92-A1B0-E730E088C0D8}.exe
2864	{5E381FA4-90CC-413d-9600-40AE09CC4DD2}.exe
884	{D437F794-501D-4ffe-9743-1F168B402D55}.exe
1680	{8BC1AED8-9F14-4b0e-B155-9604EF35BD06}.exe
2644	{D85D22B0-2B74-461b-B3A1-E34316E1F246}.exe
2060	{462B569F-0949-434b-A273-CB802BA45357}.exe
2728	{379C1F41-1549-4f4d-8D6B-4A38F3BCF4E7}.exe
1312	{1631F9E5-68EB-4229-8A44-E6A0CCED5469}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{D85D22B0-2B74-461b-B3A1-E34316E1F246}.exe	{8BC1AED8-9F14-4b0e-B155-9604EF35BD06}.exe
File created	C:\Windows\{379C1F41-1549-4f4d-8D6B-4A38F3BCF4E7}.exe	{462B569F-0949-434b-A273-CB802BA45357}.exe
File created	C:\Windows\{1631F9E5-68EB-4229-8A44-E6A0CCED5469}.exe	{379C1F41-1549-4f4d-8D6B-4A38F3BCF4E7}.exe
File created	C:\Windows\{4E60D066-D812-47b0-A79D-A4418D0E11EA}.exe	{0E388785-7BA4-4a9c-B9FD-BF9790DCA92B}.exe
File created	C:\Windows\{7EA830EF-CF44-4b92-A1B0-E730E088C0D8}.exe	{1B8DA99D-552E-4b43-AD7A-BF94781EA5BC}.exe
File created	C:\Windows\{D437F794-501D-4ffe-9743-1F168B402D55}.exe	{5E381FA4-90CC-413d-9600-40AE09CC4DD2}.exe
File created	C:\Windows\{8BC1AED8-9F14-4b0e-B155-9604EF35BD06}.exe	{D437F794-501D-4ffe-9743-1F168B402D55}.exe
File created	C:\Windows\{0E388785-7BA4-4a9c-B9FD-BF9790DCA92B}.exe	2024-03-19_fa4301a16165c5cd3a6275c547ca7675_goldeneye.exe
File created	C:\Windows\{1B8DA99D-552E-4b43-AD7A-BF94781EA5BC}.exe	{4E60D066-D812-47b0-A79D-A4418D0E11EA}.exe
File created	C:\Windows\{5E381FA4-90CC-413d-9600-40AE09CC4DD2}.exe	{7EA830EF-CF44-4b92-A1B0-E730E088C0D8}.exe
File created	C:\Windows\{462B569F-0949-434b-A273-CB802BA45357}.exe	{D85D22B0-2B74-461b-B3A1-E34316E1F246}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1260	2024-03-19_fa4301a16165c5cd3a6275c547ca7675_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3060	{0E388785-7BA4-4a9c-B9FD-BF9790DCA92B}.exe
Token: SeIncBasePriorityPrivilege	2712	{4E60D066-D812-47b0-A79D-A4418D0E11EA}.exe
Token: SeIncBasePriorityPrivilege	2768	{1B8DA99D-552E-4b43-AD7A-BF94781EA5BC}.exe
Token: SeIncBasePriorityPrivilege	1424	{7EA830EF-CF44-4b92-A1B0-E730E088C0D8}.exe
Token: SeIncBasePriorityPrivilege	2864	{5E381FA4-90CC-413d-9600-40AE09CC4DD2}.exe
Token: SeIncBasePriorityPrivilege	884	{D437F794-501D-4ffe-9743-1F168B402D55}.exe
Token: SeIncBasePriorityPrivilege	1680	{8BC1AED8-9F14-4b0e-B155-9604EF35BD06}.exe
Token: SeIncBasePriorityPrivilege	2644	{D85D22B0-2B74-461b-B3A1-E34316E1F246}.exe
Token: SeIncBasePriorityPrivilege	2060	{462B569F-0949-434b-A273-CB802BA45357}.exe
Token: SeIncBasePriorityPrivilege	2728	{379C1F41-1549-4f4d-8D6B-4A38F3BCF4E7}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1260 wrote to memory of 3060	1260	2024-03-19_fa4301a16165c5cd3a6275c547ca7675_goldeneye.exe	28
PID 1260 wrote to memory of 3060	1260	2024-03-19_fa4301a16165c5cd3a6275c547ca7675_goldeneye.exe	28
PID 1260 wrote to memory of 3060	1260	2024-03-19_fa4301a16165c5cd3a6275c547ca7675_goldeneye.exe	28
PID 1260 wrote to memory of 3060	1260	2024-03-19_fa4301a16165c5cd3a6275c547ca7675_goldeneye.exe	28
PID 1260 wrote to memory of 2116	1260	2024-03-19_fa4301a16165c5cd3a6275c547ca7675_goldeneye.exe	29
PID 1260 wrote to memory of 2116	1260	2024-03-19_fa4301a16165c5cd3a6275c547ca7675_goldeneye.exe	29
PID 1260 wrote to memory of 2116	1260	2024-03-19_fa4301a16165c5cd3a6275c547ca7675_goldeneye.exe	29
PID 1260 wrote to memory of 2116	1260	2024-03-19_fa4301a16165c5cd3a6275c547ca7675_goldeneye.exe	29
PID 3060 wrote to memory of 2712	3060	{0E388785-7BA4-4a9c-B9FD-BF9790DCA92B}.exe	30
PID 3060 wrote to memory of 2712	3060	{0E388785-7BA4-4a9c-B9FD-BF9790DCA92B}.exe	30
PID 3060 wrote to memory of 2712	3060	{0E388785-7BA4-4a9c-B9FD-BF9790DCA92B}.exe	30
PID 3060 wrote to memory of 2712	3060	{0E388785-7BA4-4a9c-B9FD-BF9790DCA92B}.exe	30
PID 3060 wrote to memory of 2612	3060	{0E388785-7BA4-4a9c-B9FD-BF9790DCA92B}.exe	31
PID 3060 wrote to memory of 2612	3060	{0E388785-7BA4-4a9c-B9FD-BF9790DCA92B}.exe	31
PID 3060 wrote to memory of 2612	3060	{0E388785-7BA4-4a9c-B9FD-BF9790DCA92B}.exe	31
PID 3060 wrote to memory of 2612	3060	{0E388785-7BA4-4a9c-B9FD-BF9790DCA92B}.exe	31
PID 2712 wrote to memory of 2768	2712	{4E60D066-D812-47b0-A79D-A4418D0E11EA}.exe	32
PID 2712 wrote to memory of 2768	2712	{4E60D066-D812-47b0-A79D-A4418D0E11EA}.exe	32
PID 2712 wrote to memory of 2768	2712	{4E60D066-D812-47b0-A79D-A4418D0E11EA}.exe	32
PID 2712 wrote to memory of 2768	2712	{4E60D066-D812-47b0-A79D-A4418D0E11EA}.exe	32
PID 2712 wrote to memory of 2484	2712	{4E60D066-D812-47b0-A79D-A4418D0E11EA}.exe	33
PID 2712 wrote to memory of 2484	2712	{4E60D066-D812-47b0-A79D-A4418D0E11EA}.exe	33
PID 2712 wrote to memory of 2484	2712	{4E60D066-D812-47b0-A79D-A4418D0E11EA}.exe	33
PID 2712 wrote to memory of 2484	2712	{4E60D066-D812-47b0-A79D-A4418D0E11EA}.exe	33
PID 2768 wrote to memory of 1424	2768	{1B8DA99D-552E-4b43-AD7A-BF94781EA5BC}.exe	36
PID 2768 wrote to memory of 1424	2768	{1B8DA99D-552E-4b43-AD7A-BF94781EA5BC}.exe	36
PID 2768 wrote to memory of 1424	2768	{1B8DA99D-552E-4b43-AD7A-BF94781EA5BC}.exe	36
PID 2768 wrote to memory of 1424	2768	{1B8DA99D-552E-4b43-AD7A-BF94781EA5BC}.exe	36
PID 2768 wrote to memory of 1668	2768	{1B8DA99D-552E-4b43-AD7A-BF94781EA5BC}.exe	37
PID 2768 wrote to memory of 1668	2768	{1B8DA99D-552E-4b43-AD7A-BF94781EA5BC}.exe	37
PID 2768 wrote to memory of 1668	2768	{1B8DA99D-552E-4b43-AD7A-BF94781EA5BC}.exe	37
PID 2768 wrote to memory of 1668	2768	{1B8DA99D-552E-4b43-AD7A-BF94781EA5BC}.exe	37
PID 1424 wrote to memory of 2864	1424	{7EA830EF-CF44-4b92-A1B0-E730E088C0D8}.exe	38
PID 1424 wrote to memory of 2864	1424	{7EA830EF-CF44-4b92-A1B0-E730E088C0D8}.exe	38
PID 1424 wrote to memory of 2864	1424	{7EA830EF-CF44-4b92-A1B0-E730E088C0D8}.exe	38
PID 1424 wrote to memory of 2864	1424	{7EA830EF-CF44-4b92-A1B0-E730E088C0D8}.exe	38
PID 1424 wrote to memory of 2956	1424	{7EA830EF-CF44-4b92-A1B0-E730E088C0D8}.exe	39
PID 1424 wrote to memory of 2956	1424	{7EA830EF-CF44-4b92-A1B0-E730E088C0D8}.exe	39
PID 1424 wrote to memory of 2956	1424	{7EA830EF-CF44-4b92-A1B0-E730E088C0D8}.exe	39
PID 1424 wrote to memory of 2956	1424	{7EA830EF-CF44-4b92-A1B0-E730E088C0D8}.exe	39
PID 2864 wrote to memory of 884	2864	{5E381FA4-90CC-413d-9600-40AE09CC4DD2}.exe	40
PID 2864 wrote to memory of 884	2864	{5E381FA4-90CC-413d-9600-40AE09CC4DD2}.exe	40
PID 2864 wrote to memory of 884	2864	{5E381FA4-90CC-413d-9600-40AE09CC4DD2}.exe	40
PID 2864 wrote to memory of 884	2864	{5E381FA4-90CC-413d-9600-40AE09CC4DD2}.exe	40
PID 2864 wrote to memory of 1664	2864	{5E381FA4-90CC-413d-9600-40AE09CC4DD2}.exe	41
PID 2864 wrote to memory of 1664	2864	{5E381FA4-90CC-413d-9600-40AE09CC4DD2}.exe	41
PID 2864 wrote to memory of 1664	2864	{5E381FA4-90CC-413d-9600-40AE09CC4DD2}.exe	41
PID 2864 wrote to memory of 1664	2864	{5E381FA4-90CC-413d-9600-40AE09CC4DD2}.exe	41
PID 884 wrote to memory of 1680	884	{D437F794-501D-4ffe-9743-1F168B402D55}.exe	42
PID 884 wrote to memory of 1680	884	{D437F794-501D-4ffe-9743-1F168B402D55}.exe	42
PID 884 wrote to memory of 1680	884	{D437F794-501D-4ffe-9743-1F168B402D55}.exe	42
PID 884 wrote to memory of 1680	884	{D437F794-501D-4ffe-9743-1F168B402D55}.exe	42
PID 884 wrote to memory of 1632	884	{D437F794-501D-4ffe-9743-1F168B402D55}.exe	43
PID 884 wrote to memory of 1632	884	{D437F794-501D-4ffe-9743-1F168B402D55}.exe	43
PID 884 wrote to memory of 1632	884	{D437F794-501D-4ffe-9743-1F168B402D55}.exe	43
PID 884 wrote to memory of 1632	884	{D437F794-501D-4ffe-9743-1F168B402D55}.exe	43
PID 1680 wrote to memory of 2644	1680	{8BC1AED8-9F14-4b0e-B155-9604EF35BD06}.exe	44
PID 1680 wrote to memory of 2644	1680	{8BC1AED8-9F14-4b0e-B155-9604EF35BD06}.exe	44
PID 1680 wrote to memory of 2644	1680	{8BC1AED8-9F14-4b0e-B155-9604EF35BD06}.exe	44
PID 1680 wrote to memory of 2644	1680	{8BC1AED8-9F14-4b0e-B155-9604EF35BD06}.exe	44
PID 1680 wrote to memory of 776	1680	{8BC1AED8-9F14-4b0e-B155-9604EF35BD06}.exe	45
PID 1680 wrote to memory of 776	1680	{8BC1AED8-9F14-4b0e-B155-9604EF35BD06}.exe	45
PID 1680 wrote to memory of 776	1680	{8BC1AED8-9F14-4b0e-B155-9604EF35BD06}.exe	45
PID 1680 wrote to memory of 776	1680	{8BC1AED8-9F14-4b0e-B155-9604EF35BD06}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-03-19_fa4301a16165c5cd3a6275c547ca7675_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-19_fa4301a16165c5cd3a6275c547ca7675_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1260
- C:\Windows\{0E388785-7BA4-4a9c-B9FD-BF9790DCA92B}.exe
  C:\Windows\{0E388785-7BA4-4a9c-B9FD-BF9790DCA92B}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3060
- - C:\Windows\{4E60D066-D812-47b0-A79D-A4418D0E11EA}.exe
    C:\Windows\{4E60D066-D812-47b0-A79D-A4418D0E11EA}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2712
  - - C:\Windows\{1B8DA99D-552E-4b43-AD7A-BF94781EA5BC}.exe
      C:\Windows\{1B8DA99D-552E-4b43-AD7A-BF94781EA5BC}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2768
    - - C:\Windows\{7EA830EF-CF44-4b92-A1B0-E730E088C0D8}.exe
        
        C:\Windows\{7EA830EF-CF44-4b92-A1B0-E730E088C0D8}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1424
      - C:\Windows\{5E381FA4-90CC-413d-9600-40AE09CC4DD2}.exe
        
        C:\Windows\{5E381FA4-90CC-413d-9600-40AE09CC4DD2}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2864
        
        C:\Windows\{D437F794-501D-4ffe-9743-1F168B402D55}.exe
        
        C:\Windows\{D437F794-501D-4ffe-9743-1F168B402D55}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:884
        
        C:\Windows\{8BC1AED8-9F14-4b0e-B155-9604EF35BD06}.exe
        
        C:\Windows\{8BC1AED8-9F14-4b0e-B155-9604EF35BD06}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1680
        
        C:\Windows\{D85D22B0-2B74-461b-B3A1-E34316E1F246}.exe
        
        C:\Windows\{D85D22B0-2B74-461b-B3A1-E34316E1F246}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2644
        
        C:\Windows\{462B569F-0949-434b-A273-CB802BA45357}.exe
        
        C:\Windows\{462B569F-0949-434b-A273-CB802BA45357}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2060
        
        C:\Windows\{379C1F41-1549-4f4d-8D6B-4A38F3BCF4E7}.exe
        
        C:\Windows\{379C1F41-1549-4f4d-8D6B-4A38F3BCF4E7}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2728
        
        C:\Windows\{1631F9E5-68EB-4229-8A44-E6A0CCED5469}.exe
        
        C:\Windows\{1631F9E5-68EB-4229-8A44-E6A0CCED5469}.exe
        12⤵
        Executes dropped EXE
        
        PID:1312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{379C1~1.EXE > nul
        12⤵
        
        PID:704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{462B5~1.EXE > nul
        11⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D85D2~1.EXE > nul
        10⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8BC1A~1.EXE > nul
        9⤵
        
        PID:776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D437F~1.EXE > nul
        8⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5E381~1.EXE > nul
        7⤵
        
        PID:1664
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7EA83~1.EXE > nul
        6⤵
        
        PID:2956
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1B8DA~1.EXE > nul
        5⤵
        
        PID:1668
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{4E60D~1.EXE > nul
      4⤵
      PID:2484
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{0E388~1.EXE > nul
    3⤵
    PID:2612
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0E388785-7BA4-4a9c-B9FD-BF9790DCA92B}.exe

Filesize
380KB

MD5
eb3e742af2e3407adef7d647d67ca0ec

SHA1
0494603847d1178a3563bcc09f8f1f911f6bcf22

SHA256
072c0cc06679ee1ac8030bfcc6ec8747abdda5b2e5f1a03942771eb542cd39fc

SHA512
95ca564f702e51a2ab642be2ab63fb026ecc175c036be3a3fb3604096e518f81c7837b164b94122d875e246a5494b3d460542ac4e2a5fba7122f7b502b28ac6b

Download Submit
C:\Windows\{1631F9E5-68EB-4229-8A44-E6A0CCED5469}.exe

Filesize
380KB

MD5
8bbe7b3faa188e15e2a91fa8200c5f63

SHA1
3f18f30ad506dab24f0dc9f58a745639894799e5

SHA256
08ad08813a5a464545bddfab26336115d64cbca84b3c627949dea7d721892a77

SHA512
99e3b767ea0bbc7e90cd8ed03b28acba52272ed9a432195596b6ad265fc23067132ff1a9882b2008d0b4732e911e8e3c1a2324965256f63f51d61e693efd081a

Download Submit
C:\Windows\{1B8DA99D-552E-4b43-AD7A-BF94781EA5BC}.exe

Filesize
380KB

MD5
1102c089bb61dbbf52ba26769583198b

SHA1
8434d9b4dbfdb4b5a1a6c7e2cef89a919d4344bb

SHA256
1929760add1714e042c055df17324141f9a818af84956a7904f868cf2b89fa70

SHA512
1025be7a59a93b12d89a9ae22d2646d709e0233cea5f01c4cfa8a2e1bce63b234d07e70c181283f8ebb25d75337b85bed5e92cdddc053e154cbc849aad311870

Download Submit
C:\Windows\{379C1F41-1549-4f4d-8D6B-4A38F3BCF4E7}.exe

Filesize
380KB

MD5
3b4ea624d9d9950e4b32a8afa6ef7c87

SHA1
eaae9e8f93bcfc5d7042849ce9e59b7da68d4307

SHA256
acd8af5a8d5f1cb17b4a718af2f3f8293a7a546eaa28be3ee15f6e69447c064a

SHA512
023a3df210e343513347898aa90c171367789114d73a5449f518c7758c6315d999e2f53e584346d40de5a352a18b928b3e2ad2d2359f0246746d501af86380bb

Download Submit
C:\Windows\{462B569F-0949-434b-A273-CB802BA45357}.exe

Filesize
380KB

MD5
bb91e99bd0f654fc4c0b5aaf11f27c90

SHA1
b2e5d96cd5e7f5b03655ce653291353c96c029a9

SHA256
21b6cef51d21ea092491bcaa4b8d7531355a44d4982eff8bd27dd68e156fcaae

SHA512
55645a31ab6812a5cd0f0b1ebb5e68b17a6b66d76f05856bdffacc4a5cbd9b22d313b90b5540c399bcc8e50c42b51eec07d5abc5a12d5db78098dea9fca90b61

Download Submit
C:\Windows\{4E60D066-D812-47b0-A79D-A4418D0E11EA}.exe

Filesize
380KB

MD5
d5e2971a4cdab2641eb197920bb6900a

SHA1
fbfdbe8f25e870d3009796a533d5377f543a20f5

SHA256
fa48946f372c66d4bd46b978ca36656491ad4c5e00a3886ac8bdf7be1456221c

SHA512
60dff202e7ae35327b5e891fbd7c4753307889e10a9f7fae3582317bfcfc0d948b60498e585f16e8100e38482e6f0688c0d7eae9aade3f29045a8ac3cafc1150

Download Submit
C:\Windows\{5E381FA4-90CC-413d-9600-40AE09CC4DD2}.exe

Filesize
380KB

MD5
295fd066c5c3e58f7d711d394d9031e2

SHA1
b9a7fef1b71b8a787c3aad0e3b97ee987d4fe287

SHA256
53edd8e4f40a88ba2e9c4bad996633a36b6966917f29c85d6b9b00f64c58153e

SHA512
34973375abcdacf038499114382e932f0223c696b097d9bfb17a49b3a7332120ea6b9ab9b2f51e1ecb5f4453c1be4193a059181d8d887881b73b82993d8c92b0

Download Submit
C:\Windows\{7EA830EF-CF44-4b92-A1B0-E730E088C0D8}.exe

Filesize
380KB

MD5
686aae84974a95696ee62ad48ff18a55

SHA1
62d13f4d2efc18eb0f59f020340df3bebba68255

SHA256
2d6200d30e9c75e7aeb518b1a19b47440c4b872895ef31f4af7ee75bca61f80c

SHA512
5248337a64b77185619c8b9b0d4e866c240964b8e705e11a75e6a97c40dc7271f728ced72602a5123d8cfc12f6e8c8899fe3fbfbff2beba3d309d729d25b2805

Download Submit
C:\Windows\{8BC1AED8-9F14-4b0e-B155-9604EF35BD06}.exe

Filesize
380KB

MD5
91b618d3365c04b7a192a2e5e78136dd

SHA1
3a54ce2516b39271f4ba45d6e25512b7b1632373

SHA256
cac7506fc7268029c3abae0a026d6fc47baee1e75ed53547def1ac953b512030

SHA512
4d15439a963f3541934bad034383bfd3cb98e6fccdc5b69d68b49aa8e2536aeecb0dbb115f9a138a9d785e242fd848bc5aa17bcecbe2a338f3430455f17424a1

Download Submit
C:\Windows\{D437F794-501D-4ffe-9743-1F168B402D55}.exe

Filesize
380KB

MD5
c2a43efa4f1b234316634732be513d32

SHA1
154dcf05f4d586b2a960f721a5497cd02c8c3868

SHA256
b15bde9e14654cb4538f01af66f05a8784490bfef370453034bceb39039e885d

SHA512
1f8f3d343c3576794a51592b0eaad5d34e0926ee1f58224155100769125963af7f0288b3ccf64c888c1ad356f2941ddc1215c8bc8cd334765e64f99f9654d949

Download Submit
C:\Windows\{D85D22B0-2B74-461b-B3A1-E34316E1F246}.exe

Filesize
380KB

MD5
e959af9d8846a617eb1311bee947ebd8

SHA1
7e7e8d827ebe5542e84275851a767f350e62be28

SHA256
01a1fcfd2e01027355d26d8121b31371fe1f8442a5eb85215c07c44c2b6d806d

SHA512
3a67f287c6d9ca637a41d40d547f0b0767ea898ebe2b04e2fc8c7effa0cf4aa4957a217857b33253ca98da4c6c88eb5c840313dd274dc773a2c7bdcde6a580a7

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads