a0e25487c45b5618b5bc3dccf208408a551cfbe711ccab8e132ac313f5f80bc1

Analysis

max time kernel
144s
max time network
118s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
25/03/2024, 18:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-25_5411f6e88d09a13925c7a54903e66ce1_goldeneye.exe
Size

204KB
MD5

5411f6e88d09a13925c7a54903e66ce1
SHA1

202a59ed93edc2264c978bcc2d539ec00eabb139
SHA256

a0e25487c45b5618b5bc3dccf208408a551cfbe711ccab8e132ac313f5f80bc1
SHA512

830bba3b8f3b5b24afb861450ed62107c820570f7f5f6cc8270a1b22a98def84555f0e5399ab1f84da7e807a693ed166cabe4a63c166aa05db96b9229f8f8b09
SSDEEP

1536:1EGh0oGl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oGl1OPOe2MUVg3Ve+rXfMUy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000a00000001418d-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000016056-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b00000001418d-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c00000001418d-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d00000001418d-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e00000001418d-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f00000001418d-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C47FCABC-B0B6-4808-9C9B-B786CC0B543A}\stubpath = "C:\\Windows\\{C47FCABC-B0B6-4808-9C9B-B786CC0B543A}.exe"	{3927058E-8012-4405-B3EC-7DD05DCC7E52}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2244A5BB-BDE5-4812-9E1A-8F1A2AAF6E6D}\stubpath = "C:\\Windows\\{2244A5BB-BDE5-4812-9E1A-8F1A2AAF6E6D}.exe"	{EE970085-65A4-42d4-9516-B4E1582A7486}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B6BF6344-D826-4cb6-89E7-6116D5F54E91}	{2244A5BB-BDE5-4812-9E1A-8F1A2AAF6E6D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B6BF6344-D826-4cb6-89E7-6116D5F54E91}\stubpath = "C:\\Windows\\{B6BF6344-D826-4cb6-89E7-6116D5F54E91}.exe"	{2244A5BB-BDE5-4812-9E1A-8F1A2AAF6E6D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8A5DF715-4990-4ba4-8198-7728B50A8BCC}\stubpath = "C:\\Windows\\{8A5DF715-4990-4ba4-8198-7728B50A8BCC}.exe"	{E16CB4B2-9454-4e73-9AAD-2B8441E786FE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D17C3CA8-D944-4faf-BEB1-1340E4672CA5}\stubpath = "C:\\Windows\\{D17C3CA8-D944-4faf-BEB1-1340E4672CA5}.exe"	{8A5DF715-4990-4ba4-8198-7728B50A8BCC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3CD8E34E-CBAC-44ce-87AD-CFC2FDA49C6F}\stubpath = "C:\\Windows\\{3CD8E34E-CBAC-44ce-87AD-CFC2FDA49C6F}.exe"	{DC176F94-B3FF-4e6c-A922-D4FB200305D6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{305E2FCC-8BE3-4ffe-8ED6-EB3FD29AA453}	{3CD8E34E-CBAC-44ce-87AD-CFC2FDA49C6F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3927058E-8012-4405-B3EC-7DD05DCC7E52}	{305E2FCC-8BE3-4ffe-8ED6-EB3FD29AA453}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3927058E-8012-4405-B3EC-7DD05DCC7E52}\stubpath = "C:\\Windows\\{3927058E-8012-4405-B3EC-7DD05DCC7E52}.exe"	{305E2FCC-8BE3-4ffe-8ED6-EB3FD29AA453}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C47FCABC-B0B6-4808-9C9B-B786CC0B543A}	{3927058E-8012-4405-B3EC-7DD05DCC7E52}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EE970085-65A4-42d4-9516-B4E1582A7486}	{C47FCABC-B0B6-4808-9C9B-B786CC0B543A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E16CB4B2-9454-4e73-9AAD-2B8441E786FE}\stubpath = "C:\\Windows\\{E16CB4B2-9454-4e73-9AAD-2B8441E786FE}.exe"	{B6BF6344-D826-4cb6-89E7-6116D5F54E91}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D17C3CA8-D944-4faf-BEB1-1340E4672CA5}	{8A5DF715-4990-4ba4-8198-7728B50A8BCC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DC176F94-B3FF-4e6c-A922-D4FB200305D6}\stubpath = "C:\\Windows\\{DC176F94-B3FF-4e6c-A922-D4FB200305D6}.exe"	2024-03-25_5411f6e88d09a13925c7a54903e66ce1_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3CD8E34E-CBAC-44ce-87AD-CFC2FDA49C6F}	{DC176F94-B3FF-4e6c-A922-D4FB200305D6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DC176F94-B3FF-4e6c-A922-D4FB200305D6}	2024-03-25_5411f6e88d09a13925c7a54903e66ce1_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2244A5BB-BDE5-4812-9E1A-8F1A2AAF6E6D}	{EE970085-65A4-42d4-9516-B4E1582A7486}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E16CB4B2-9454-4e73-9AAD-2B8441E786FE}	{B6BF6344-D826-4cb6-89E7-6116D5F54E91}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8A5DF715-4990-4ba4-8198-7728B50A8BCC}	{E16CB4B2-9454-4e73-9AAD-2B8441E786FE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{305E2FCC-8BE3-4ffe-8ED6-EB3FD29AA453}\stubpath = "C:\\Windows\\{305E2FCC-8BE3-4ffe-8ED6-EB3FD29AA453}.exe"	{3CD8E34E-CBAC-44ce-87AD-CFC2FDA49C6F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EE970085-65A4-42d4-9516-B4E1582A7486}\stubpath = "C:\\Windows\\{EE970085-65A4-42d4-9516-B4E1582A7486}.exe"	{C47FCABC-B0B6-4808-9C9B-B786CC0B543A}.exe

Deletes itself 1 IoCs

pid	Process
2524	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2076	{DC176F94-B3FF-4e6c-A922-D4FB200305D6}.exe
2528	{3CD8E34E-CBAC-44ce-87AD-CFC2FDA49C6F}.exe
2404	{305E2FCC-8BE3-4ffe-8ED6-EB3FD29AA453}.exe
1360	{3927058E-8012-4405-B3EC-7DD05DCC7E52}.exe
2452	{C47FCABC-B0B6-4808-9C9B-B786CC0B543A}.exe
792	{EE970085-65A4-42d4-9516-B4E1582A7486}.exe
2268	{2244A5BB-BDE5-4812-9E1A-8F1A2AAF6E6D}.exe
2300	{B6BF6344-D826-4cb6-89E7-6116D5F54E91}.exe
2728	{E16CB4B2-9454-4e73-9AAD-2B8441E786FE}.exe
2332	{8A5DF715-4990-4ba4-8198-7728B50A8BCC}.exe
1664	{D17C3CA8-D944-4faf-BEB1-1340E4672CA5}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{C47FCABC-B0B6-4808-9C9B-B786CC0B543A}.exe	{3927058E-8012-4405-B3EC-7DD05DCC7E52}.exe
File created	C:\Windows\{EE970085-65A4-42d4-9516-B4E1582A7486}.exe	{C47FCABC-B0B6-4808-9C9B-B786CC0B543A}.exe
File created	C:\Windows\{8A5DF715-4990-4ba4-8198-7728B50A8BCC}.exe	{E16CB4B2-9454-4e73-9AAD-2B8441E786FE}.exe
File created	C:\Windows\{D17C3CA8-D944-4faf-BEB1-1340E4672CA5}.exe	{8A5DF715-4990-4ba4-8198-7728B50A8BCC}.exe
File created	C:\Windows\{DC176F94-B3FF-4e6c-A922-D4FB200305D6}.exe	2024-03-25_5411f6e88d09a13925c7a54903e66ce1_goldeneye.exe
File created	C:\Windows\{3CD8E34E-CBAC-44ce-87AD-CFC2FDA49C6F}.exe	{DC176F94-B3FF-4e6c-A922-D4FB200305D6}.exe
File created	C:\Windows\{305E2FCC-8BE3-4ffe-8ED6-EB3FD29AA453}.exe	{3CD8E34E-CBAC-44ce-87AD-CFC2FDA49C6F}.exe
File created	C:\Windows\{3927058E-8012-4405-B3EC-7DD05DCC7E52}.exe	{305E2FCC-8BE3-4ffe-8ED6-EB3FD29AA453}.exe
File created	C:\Windows\{2244A5BB-BDE5-4812-9E1A-8F1A2AAF6E6D}.exe	{EE970085-65A4-42d4-9516-B4E1582A7486}.exe
File created	C:\Windows\{B6BF6344-D826-4cb6-89E7-6116D5F54E91}.exe	{2244A5BB-BDE5-4812-9E1A-8F1A2AAF6E6D}.exe
File created	C:\Windows\{E16CB4B2-9454-4e73-9AAD-2B8441E786FE}.exe	{B6BF6344-D826-4cb6-89E7-6116D5F54E91}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2932	2024-03-25_5411f6e88d09a13925c7a54903e66ce1_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2076	{DC176F94-B3FF-4e6c-A922-D4FB200305D6}.exe
Token: SeIncBasePriorityPrivilege	2528	{3CD8E34E-CBAC-44ce-87AD-CFC2FDA49C6F}.exe
Token: SeIncBasePriorityPrivilege	2404	{305E2FCC-8BE3-4ffe-8ED6-EB3FD29AA453}.exe
Token: SeIncBasePriorityPrivilege	1360	{3927058E-8012-4405-B3EC-7DD05DCC7E52}.exe
Token: SeIncBasePriorityPrivilege	2452	{C47FCABC-B0B6-4808-9C9B-B786CC0B543A}.exe
Token: SeIncBasePriorityPrivilege	792	{EE970085-65A4-42d4-9516-B4E1582A7486}.exe
Token: SeIncBasePriorityPrivilege	2268	{2244A5BB-BDE5-4812-9E1A-8F1A2AAF6E6D}.exe
Token: SeIncBasePriorityPrivilege	2300	{B6BF6344-D826-4cb6-89E7-6116D5F54E91}.exe
Token: SeIncBasePriorityPrivilege	2728	{E16CB4B2-9454-4e73-9AAD-2B8441E786FE}.exe
Token: SeIncBasePriorityPrivilege	2332	{8A5DF715-4990-4ba4-8198-7728B50A8BCC}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2932 wrote to memory of 2076	2932	2024-03-25_5411f6e88d09a13925c7a54903e66ce1_goldeneye.exe	28
PID 2932 wrote to memory of 2076	2932	2024-03-25_5411f6e88d09a13925c7a54903e66ce1_goldeneye.exe	28
PID 2932 wrote to memory of 2076	2932	2024-03-25_5411f6e88d09a13925c7a54903e66ce1_goldeneye.exe	28
PID 2932 wrote to memory of 2076	2932	2024-03-25_5411f6e88d09a13925c7a54903e66ce1_goldeneye.exe	28
PID 2932 wrote to memory of 2524	2932	2024-03-25_5411f6e88d09a13925c7a54903e66ce1_goldeneye.exe	29
PID 2932 wrote to memory of 2524	2932	2024-03-25_5411f6e88d09a13925c7a54903e66ce1_goldeneye.exe	29
PID 2932 wrote to memory of 2524	2932	2024-03-25_5411f6e88d09a13925c7a54903e66ce1_goldeneye.exe	29
PID 2932 wrote to memory of 2524	2932	2024-03-25_5411f6e88d09a13925c7a54903e66ce1_goldeneye.exe	29
PID 2076 wrote to memory of 2528	2076	{DC176F94-B3FF-4e6c-A922-D4FB200305D6}.exe	30
PID 2076 wrote to memory of 2528	2076	{DC176F94-B3FF-4e6c-A922-D4FB200305D6}.exe	30
PID 2076 wrote to memory of 2528	2076	{DC176F94-B3FF-4e6c-A922-D4FB200305D6}.exe	30
PID 2076 wrote to memory of 2528	2076	{DC176F94-B3FF-4e6c-A922-D4FB200305D6}.exe	30
PID 2076 wrote to memory of 2500	2076	{DC176F94-B3FF-4e6c-A922-D4FB200305D6}.exe	31
PID 2076 wrote to memory of 2500	2076	{DC176F94-B3FF-4e6c-A922-D4FB200305D6}.exe	31
PID 2076 wrote to memory of 2500	2076	{DC176F94-B3FF-4e6c-A922-D4FB200305D6}.exe	31
PID 2076 wrote to memory of 2500	2076	{DC176F94-B3FF-4e6c-A922-D4FB200305D6}.exe	31
PID 2528 wrote to memory of 2404	2528	{3CD8E34E-CBAC-44ce-87AD-CFC2FDA49C6F}.exe	32
PID 2528 wrote to memory of 2404	2528	{3CD8E34E-CBAC-44ce-87AD-CFC2FDA49C6F}.exe	32
PID 2528 wrote to memory of 2404	2528	{3CD8E34E-CBAC-44ce-87AD-CFC2FDA49C6F}.exe	32
PID 2528 wrote to memory of 2404	2528	{3CD8E34E-CBAC-44ce-87AD-CFC2FDA49C6F}.exe	32
PID 2528 wrote to memory of 2644	2528	{3CD8E34E-CBAC-44ce-87AD-CFC2FDA49C6F}.exe	33
PID 2528 wrote to memory of 2644	2528	{3CD8E34E-CBAC-44ce-87AD-CFC2FDA49C6F}.exe	33
PID 2528 wrote to memory of 2644	2528	{3CD8E34E-CBAC-44ce-87AD-CFC2FDA49C6F}.exe	33
PID 2528 wrote to memory of 2644	2528	{3CD8E34E-CBAC-44ce-87AD-CFC2FDA49C6F}.exe	33
PID 2404 wrote to memory of 1360	2404	{305E2FCC-8BE3-4ffe-8ED6-EB3FD29AA453}.exe	36
PID 2404 wrote to memory of 1360	2404	{305E2FCC-8BE3-4ffe-8ED6-EB3FD29AA453}.exe	36
PID 2404 wrote to memory of 1360	2404	{305E2FCC-8BE3-4ffe-8ED6-EB3FD29AA453}.exe	36
PID 2404 wrote to memory of 1360	2404	{305E2FCC-8BE3-4ffe-8ED6-EB3FD29AA453}.exe	36
PID 2404 wrote to memory of 2120	2404	{305E2FCC-8BE3-4ffe-8ED6-EB3FD29AA453}.exe	37
PID 2404 wrote to memory of 2120	2404	{305E2FCC-8BE3-4ffe-8ED6-EB3FD29AA453}.exe	37
PID 2404 wrote to memory of 2120	2404	{305E2FCC-8BE3-4ffe-8ED6-EB3FD29AA453}.exe	37
PID 2404 wrote to memory of 2120	2404	{305E2FCC-8BE3-4ffe-8ED6-EB3FD29AA453}.exe	37
PID 1360 wrote to memory of 2452	1360	{3927058E-8012-4405-B3EC-7DD05DCC7E52}.exe	38
PID 1360 wrote to memory of 2452	1360	{3927058E-8012-4405-B3EC-7DD05DCC7E52}.exe	38
PID 1360 wrote to memory of 2452	1360	{3927058E-8012-4405-B3EC-7DD05DCC7E52}.exe	38
PID 1360 wrote to memory of 2452	1360	{3927058E-8012-4405-B3EC-7DD05DCC7E52}.exe	38
PID 1360 wrote to memory of 2276	1360	{3927058E-8012-4405-B3EC-7DD05DCC7E52}.exe	39
PID 1360 wrote to memory of 2276	1360	{3927058E-8012-4405-B3EC-7DD05DCC7E52}.exe	39
PID 1360 wrote to memory of 2276	1360	{3927058E-8012-4405-B3EC-7DD05DCC7E52}.exe	39
PID 1360 wrote to memory of 2276	1360	{3927058E-8012-4405-B3EC-7DD05DCC7E52}.exe	39
PID 2452 wrote to memory of 792	2452	{C47FCABC-B0B6-4808-9C9B-B786CC0B543A}.exe	40
PID 2452 wrote to memory of 792	2452	{C47FCABC-B0B6-4808-9C9B-B786CC0B543A}.exe	40
PID 2452 wrote to memory of 792	2452	{C47FCABC-B0B6-4808-9C9B-B786CC0B543A}.exe	40
PID 2452 wrote to memory of 792	2452	{C47FCABC-B0B6-4808-9C9B-B786CC0B543A}.exe	40
PID 2452 wrote to memory of 1536	2452	{C47FCABC-B0B6-4808-9C9B-B786CC0B543A}.exe	41
PID 2452 wrote to memory of 1536	2452	{C47FCABC-B0B6-4808-9C9B-B786CC0B543A}.exe	41
PID 2452 wrote to memory of 1536	2452	{C47FCABC-B0B6-4808-9C9B-B786CC0B543A}.exe	41
PID 2452 wrote to memory of 1536	2452	{C47FCABC-B0B6-4808-9C9B-B786CC0B543A}.exe	41
PID 792 wrote to memory of 2268	792	{EE970085-65A4-42d4-9516-B4E1582A7486}.exe	42
PID 792 wrote to memory of 2268	792	{EE970085-65A4-42d4-9516-B4E1582A7486}.exe	42
PID 792 wrote to memory of 2268	792	{EE970085-65A4-42d4-9516-B4E1582A7486}.exe	42
PID 792 wrote to memory of 2268	792	{EE970085-65A4-42d4-9516-B4E1582A7486}.exe	42
PID 792 wrote to memory of 2272	792	{EE970085-65A4-42d4-9516-B4E1582A7486}.exe	43
PID 792 wrote to memory of 2272	792	{EE970085-65A4-42d4-9516-B4E1582A7486}.exe	43
PID 792 wrote to memory of 2272	792	{EE970085-65A4-42d4-9516-B4E1582A7486}.exe	43
PID 792 wrote to memory of 2272	792	{EE970085-65A4-42d4-9516-B4E1582A7486}.exe	43
PID 2268 wrote to memory of 2300	2268	{2244A5BB-BDE5-4812-9E1A-8F1A2AAF6E6D}.exe	44
PID 2268 wrote to memory of 2300	2268	{2244A5BB-BDE5-4812-9E1A-8F1A2AAF6E6D}.exe	44
PID 2268 wrote to memory of 2300	2268	{2244A5BB-BDE5-4812-9E1A-8F1A2AAF6E6D}.exe	44
PID 2268 wrote to memory of 2300	2268	{2244A5BB-BDE5-4812-9E1A-8F1A2AAF6E6D}.exe	44
PID 2268 wrote to memory of 2012	2268	{2244A5BB-BDE5-4812-9E1A-8F1A2AAF6E6D}.exe	45
PID 2268 wrote to memory of 2012	2268	{2244A5BB-BDE5-4812-9E1A-8F1A2AAF6E6D}.exe	45
PID 2268 wrote to memory of 2012	2268	{2244A5BB-BDE5-4812-9E1A-8F1A2AAF6E6D}.exe	45
PID 2268 wrote to memory of 2012	2268	{2244A5BB-BDE5-4812-9E1A-8F1A2AAF6E6D}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-03-25_5411f6e88d09a13925c7a54903e66ce1_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-25_5411f6e88d09a13925c7a54903e66ce1_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2932
- C:\Windows\{DC176F94-B3FF-4e6c-A922-D4FB200305D6}.exe
  C:\Windows\{DC176F94-B3FF-4e6c-A922-D4FB200305D6}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2076
- - C:\Windows\{3CD8E34E-CBAC-44ce-87AD-CFC2FDA49C6F}.exe
    C:\Windows\{3CD8E34E-CBAC-44ce-87AD-CFC2FDA49C6F}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2528
  - - C:\Windows\{305E2FCC-8BE3-4ffe-8ED6-EB3FD29AA453}.exe
      C:\Windows\{305E2FCC-8BE3-4ffe-8ED6-EB3FD29AA453}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2404
    - - C:\Windows\{3927058E-8012-4405-B3EC-7DD05DCC7E52}.exe
        
        C:\Windows\{3927058E-8012-4405-B3EC-7DD05DCC7E52}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1360
      - C:\Windows\{C47FCABC-B0B6-4808-9C9B-B786CC0B543A}.exe
        
        C:\Windows\{C47FCABC-B0B6-4808-9C9B-B786CC0B543A}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2452
        
        C:\Windows\{EE970085-65A4-42d4-9516-B4E1582A7486}.exe
        
        C:\Windows\{EE970085-65A4-42d4-9516-B4E1582A7486}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:792
        
        C:\Windows\{2244A5BB-BDE5-4812-9E1A-8F1A2AAF6E6D}.exe
        
        C:\Windows\{2244A5BB-BDE5-4812-9E1A-8F1A2AAF6E6D}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2268
        
        C:\Windows\{B6BF6344-D826-4cb6-89E7-6116D5F54E91}.exe
        
        C:\Windows\{B6BF6344-D826-4cb6-89E7-6116D5F54E91}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2300
        
        C:\Windows\{E16CB4B2-9454-4e73-9AAD-2B8441E786FE}.exe
        
        C:\Windows\{E16CB4B2-9454-4e73-9AAD-2B8441E786FE}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2728
        
        C:\Windows\{8A5DF715-4990-4ba4-8198-7728B50A8BCC}.exe
        
        C:\Windows\{8A5DF715-4990-4ba4-8198-7728B50A8BCC}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2332
        
        C:\Windows\{D17C3CA8-D944-4faf-BEB1-1340E4672CA5}.exe
        
        C:\Windows\{D17C3CA8-D944-4faf-BEB1-1340E4672CA5}.exe
        12⤵
        Executes dropped EXE
        
        PID:1664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8A5DF~1.EXE > nul
        12⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E16CB~1.EXE > nul
        11⤵
        
        PID:2232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B6BF6~1.EXE > nul
        10⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2244A~1.EXE > nul
        9⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EE970~1.EXE > nul
        8⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C47FC~1.EXE > nul
        7⤵
        
        PID:1536
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{39270~1.EXE > nul
        6⤵
        
        PID:2276
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{305E2~1.EXE > nul
        5⤵
        
        PID:2120
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{3CD8E~1.EXE > nul
      4⤵
      PID:2644
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{DC176~1.EXE > nul
    3⤵
    PID:2500
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{2244A5BB-BDE5-4812-9E1A-8F1A2AAF6E6D}.exe

Filesize
204KB

MD5
7a24b061d3832097ecc58d4337c52898

SHA1
6d142b73c588e1f8c1859c16d0e055b618e90986

SHA256
29ff61be7371170ffe927ed148754cf4a05fa41a40ff7931e5a1e19e3ee26642

SHA512
35aa2a5f86a982b942ea882c57b3c50487ba0974b8882e80c7eaca46ed99bd2c3a4a022e6afef2dda2e85ae1d16bb03daab0bfb330963b9b6486d462661a6f86

Download Submit
C:\Windows\{305E2FCC-8BE3-4ffe-8ED6-EB3FD29AA453}.exe

Filesize
204KB

MD5
e275b09adbca928236b7b46dbb3fefe2

SHA1
547503367ee07a7514065a232e9281c764184df9

SHA256
6200d2a0f5b47a70b4fdee11d23f6b10dd40f4c84cb796d534172eb239b62ea1

SHA512
268ec324b6e6a890e818cc200e0f5217530d9fdc94a2209eb62aa44f61362670bb87824be6872f5678f571ce7c93cee45700bb1c74bbd365ce8f6eda32515384

Download Submit
C:\Windows\{3927058E-8012-4405-B3EC-7DD05DCC7E52}.exe

Filesize
204KB

MD5
3cae21047ae4b60872d3a044c71b95f9

SHA1
1700bec3b06e4e0dda093d32aa4553fed2ff2b04

SHA256
d47b808f3d88592676ad34eb356d80d0ce33e64bd9ab415f275629de54aca1ac

SHA512
51b6b222eb3124be7dae2877703f834e479800b7123132387ba36f7b71af1398c62969c24b61862cbcc22ffdf7f844e24becbdf58f0a3d4ef7d57873d0f8e9b6

Download Submit
C:\Windows\{3CD8E34E-CBAC-44ce-87AD-CFC2FDA49C6F}.exe

Filesize
204KB

MD5
578c45d4e415168dfbade93a17686ba4

SHA1
c628b66b184e2bab36a65e71064765aa792a5090

SHA256
fd73bb346ae7e2c4cdbaf32939140576ccdf8c22ca6dd34e2e7885e04f46f305

SHA512
93a81d9892153fcace5d8fc6860d7571b005aaf3a544ac1d0d509d2175d046863d322775ebb8ce200f09ac5d19081d74e44bf4238a89599002920c6abb94ab88

Download Submit
C:\Windows\{8A5DF715-4990-4ba4-8198-7728B50A8BCC}.exe

Filesize
204KB

MD5
e3e7be897e940866f42c690916af3622

SHA1
c668f5cafe90c2a13c8305086245f480bdb49eee

SHA256
9b9c2f16a42bcdefc8556f60a583da07f7dc12ef0e218e3bc2aa25167612501d

SHA512
85a0fc630c497aa216c4eb0e6f14c7d77fd416751cf6045e38cb6e25cbcd9f78fa1497fb40ac289d6e7f36f77993105bad5107323c444ee70e460666a935e6a0

Download Submit
C:\Windows\{B6BF6344-D826-4cb6-89E7-6116D5F54E91}.exe

Filesize
204KB

MD5
0dc01c72864713481bc4a70cd0b76288

SHA1
69bc5a9bdf1115d5560e692a7b4973aaeec27edc

SHA256
f2e6702d4bc32083903fbd8e543219e62826a1bb6132268fe161b3dd8aa98c36

SHA512
ae718e8fcf7bd1edd6dd6ef4c9e35fa4565820e0271701f36029531d863ff6aae6dc68a004a70d0371f1b629ecf35da78ee37103a43607f3b6c106e2765c7b42

Download Submit
C:\Windows\{C47FCABC-B0B6-4808-9C9B-B786CC0B543A}.exe

Filesize
204KB

MD5
906d5705c75cef647b1081f5b6cef76d

SHA1
a4bb0e6ac82ce14a2dec00c794e08b8cd2152032

SHA256
c98617f86a6c702f4bce6c90aa2c29ef1eba006ca47682fb0fe07f6c9e7becbb

SHA512
3174e2bcb062bc1f72ec8c067270f7414ca7f745652a9ebceb8bc3bda6380268fefe78f0a24e3367e3d5335ee1f9ca6d6797c9717281ba57dbd91114a00144f4

Download Submit
C:\Windows\{D17C3CA8-D944-4faf-BEB1-1340E4672CA5}.exe

Filesize
128KB

MD5
3e299990cc8b957ce4ffb90b21e9d94b

SHA1
1eda6217de89a2153715448b94a35065f41ee027

SHA256
92c250633652fb49eb35a9fde631dfd07b166ead12f0a14bc2809a941d24eabd

SHA512
b5ec17317907c81f91990ae036f5205f292ae1cac76e189b529f0adbe20feaf3fab4d5019e9f22b0b0beb6a5ef90b45d25d168ad74ea6eaff1d91016b0e5b61e

Download Submit
C:\Windows\{DC176F94-B3FF-4e6c-A922-D4FB200305D6}.exe

Filesize
204KB

MD5
0b4eacec6b3827e15760cf8a2eb61c08

SHA1
4ddad6baea19406830470405b539c8f2c5d802b7

SHA256
4215351e12b367eb37f358e4f77d7e567407f58659d2be46e83311e888960c26

SHA512
a09144d1cf8e141ebd242608632d8aeadbed6d46c50a2f7af9942d9ae466a26b4e27627f69eea60f47a38ffb5dbf6a2d87e9313de410967737c475b5ad9d9870

Download Submit
C:\Windows\{E16CB4B2-9454-4e73-9AAD-2B8441E786FE}.exe

Filesize
204KB

MD5
7078063473eb05fe5ef2b11c7a4d2b06

SHA1
0c1166055a10194e9f3103e242bcf4cec79adcbb

SHA256
d3d0f6daa88232a0e2fb589f7dd90e3417fae913f8148aafbddec4375f56eb18

SHA512
7b5564569233d7705c1338beab64e7eb5bc984c71ae21ec36eb740fde4a6513c5e36b0f2012f9162c380ea70a6fd1723b1f9b5d5fb0ea5d41f4b653bb0a8438e

Download Submit
C:\Windows\{EE970085-65A4-42d4-9516-B4E1582A7486}.exe

Filesize
204KB

MD5
644c0c55a4e2289637db26bb11b3b6b1

SHA1
b7fce662c949b559750e56664ab5ff956cc4f48f

SHA256
599192422b0d8093503120ed7b0b30ae58c36c56fee07cc02c93f75c5920bc15

SHA512
3d72f385f36afa8e51d7cb88e48d3ad8d056f7bd12d2aa4b311f91e6c61589d7c33c4958714747d1a23f0a1f2d9fe42c7cfd9500f77ea6c5d3dc798553fd97b9

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads