b99a2da4f705e65ecc9d8451d1f4c7211794ba529ac6127667c748de2707f0da

Analysis

max time kernel
144s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
27-03-2024 20:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-27_055945108df4cd038697d29fd33c788a_goldeneye.exe
Size

192KB
MD5

055945108df4cd038697d29fd33c788a
SHA1

7b18f3f14f3997620d82e8e662a723b1ae6f8582
SHA256

b99a2da4f705e65ecc9d8451d1f4c7211794ba529ac6127667c748de2707f0da
SHA512

d27724ed0f91f13df4c09d0717f55a3a6bd685091c92c91d36fe8b0c7c1738262784d75fe246453d823aaf4dd44944905022c388fe186c8f84ad5e8c3eefbf57
SSDEEP

1536:1EGh0oFnl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3H6:1EGh0oFnl1OPOe2MUVg3Ve+rXfMUa

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 13 IoCs

resource	yara_rule
behavioral1/files/0x000c00000001445e-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002e000000014698-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f00000000f680-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002f000000014698-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001000000000f680-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0030000000014698-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001000000000f680-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0030000000014698-41.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001100000000f680-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0031000000014698-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001200000000f680-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000014a55-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001300000000f680-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7E6B140C-C443-48bf-8767-D26BBF9A5324}\stubpath = "C:\\Windows\\{7E6B140C-C443-48bf-8767-D26BBF9A5324}.exe"	{B43EFA55-FAF8-40ce-8207-CD2E6A445207}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4868FAF4-2B80-4021-B437-DD0379ED8A52}	{98BEFC6B-471F-4dbd-9DE5-8321B9431EE5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A1CA9825-69FE-47f9-8975-6EF76F85A6D8}\stubpath = "C:\\Windows\\{A1CA9825-69FE-47f9-8975-6EF76F85A6D8}.exe"	{4868FAF4-2B80-4021-B437-DD0379ED8A52}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{74CDE738-B9EE-44ab-B138-47C4BF658360}	{A1CA9825-69FE-47f9-8975-6EF76F85A6D8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D06B4C7B-E72D-47b5-97DA-04F86058E761}	{5489C4B5-416D-430e-8B67-0F0A00C56939}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D747D15F-0CDF-4d37-8322-324148B54C04}\stubpath = "C:\\Windows\\{D747D15F-0CDF-4d37-8322-324148B54C04}.exe"	{D06B4C7B-E72D-47b5-97DA-04F86058E761}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9D018E8B-B863-4d1f-8B81-E2437E626F76}	2024-03-27_055945108df4cd038697d29fd33c788a_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1F209003-4AC9-4b7b-8D58-A868ECA298A8}\stubpath = "C:\\Windows\\{1F209003-4AC9-4b7b-8D58-A868ECA298A8}.exe"	{7E6B140C-C443-48bf-8767-D26BBF9A5324}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{98BEFC6B-471F-4dbd-9DE5-8321B9431EE5}\stubpath = "C:\\Windows\\{98BEFC6B-471F-4dbd-9DE5-8321B9431EE5}.exe"	{1F209003-4AC9-4b7b-8D58-A868ECA298A8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4868FAF4-2B80-4021-B437-DD0379ED8A52}\stubpath = "C:\\Windows\\{4868FAF4-2B80-4021-B437-DD0379ED8A52}.exe"	{98BEFC6B-471F-4dbd-9DE5-8321B9431EE5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A1CA9825-69FE-47f9-8975-6EF76F85A6D8}	{4868FAF4-2B80-4021-B437-DD0379ED8A52}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D06B4C7B-E72D-47b5-97DA-04F86058E761}\stubpath = "C:\\Windows\\{D06B4C7B-E72D-47b5-97DA-04F86058E761}.exe"	{5489C4B5-416D-430e-8B67-0F0A00C56939}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7E6B140C-C443-48bf-8767-D26BBF9A5324}	{B43EFA55-FAF8-40ce-8207-CD2E6A445207}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1F209003-4AC9-4b7b-8D58-A868ECA298A8}	{7E6B140C-C443-48bf-8767-D26BBF9A5324}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B43EFA55-FAF8-40ce-8207-CD2E6A445207}\stubpath = "C:\\Windows\\{B43EFA55-FAF8-40ce-8207-CD2E6A445207}.exe"	{9D018E8B-B863-4d1f-8B81-E2437E626F76}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{98BEFC6B-471F-4dbd-9DE5-8321B9431EE5}	{1F209003-4AC9-4b7b-8D58-A868ECA298A8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{74CDE738-B9EE-44ab-B138-47C4BF658360}\stubpath = "C:\\Windows\\{74CDE738-B9EE-44ab-B138-47C4BF658360}.exe"	{A1CA9825-69FE-47f9-8975-6EF76F85A6D8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5489C4B5-416D-430e-8B67-0F0A00C56939}	{74CDE738-B9EE-44ab-B138-47C4BF658360}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5489C4B5-416D-430e-8B67-0F0A00C56939}\stubpath = "C:\\Windows\\{5489C4B5-416D-430e-8B67-0F0A00C56939}.exe"	{74CDE738-B9EE-44ab-B138-47C4BF658360}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D747D15F-0CDF-4d37-8322-324148B54C04}	{D06B4C7B-E72D-47b5-97DA-04F86058E761}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9D018E8B-B863-4d1f-8B81-E2437E626F76}\stubpath = "C:\\Windows\\{9D018E8B-B863-4d1f-8B81-E2437E626F76}.exe"	2024-03-27_055945108df4cd038697d29fd33c788a_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B43EFA55-FAF8-40ce-8207-CD2E6A445207}	{9D018E8B-B863-4d1f-8B81-E2437E626F76}.exe

Deletes itself 1 IoCs

pid	Process
2548	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
3016	{9D018E8B-B863-4d1f-8B81-E2437E626F76}.exe
2588	{B43EFA55-FAF8-40ce-8207-CD2E6A445207}.exe
2368	{7E6B140C-C443-48bf-8767-D26BBF9A5324}.exe
2392	{1F209003-4AC9-4b7b-8D58-A868ECA298A8}.exe
1728	{98BEFC6B-471F-4dbd-9DE5-8321B9431EE5}.exe
2468	{4868FAF4-2B80-4021-B437-DD0379ED8A52}.exe
1248	{A1CA9825-69FE-47f9-8975-6EF76F85A6D8}.exe
1952	{74CDE738-B9EE-44ab-B138-47C4BF658360}.exe
2204	{5489C4B5-416D-430e-8B67-0F0A00C56939}.exe
3040	{D06B4C7B-E72D-47b5-97DA-04F86058E761}.exe
3000	{D747D15F-0CDF-4d37-8322-324148B54C04}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{D06B4C7B-E72D-47b5-97DA-04F86058E761}.exe	{5489C4B5-416D-430e-8B67-0F0A00C56939}.exe
File created	C:\Windows\{1F209003-4AC9-4b7b-8D58-A868ECA298A8}.exe	{7E6B140C-C443-48bf-8767-D26BBF9A5324}.exe
File created	C:\Windows\{74CDE738-B9EE-44ab-B138-47C4BF658360}.exe	{A1CA9825-69FE-47f9-8975-6EF76F85A6D8}.exe
File created	C:\Windows\{7E6B140C-C443-48bf-8767-D26BBF9A5324}.exe	{B43EFA55-FAF8-40ce-8207-CD2E6A445207}.exe
File created	C:\Windows\{98BEFC6B-471F-4dbd-9DE5-8321B9431EE5}.exe	{1F209003-4AC9-4b7b-8D58-A868ECA298A8}.exe
File created	C:\Windows\{4868FAF4-2B80-4021-B437-DD0379ED8A52}.exe	{98BEFC6B-471F-4dbd-9DE5-8321B9431EE5}.exe
File created	C:\Windows\{A1CA9825-69FE-47f9-8975-6EF76F85A6D8}.exe	{4868FAF4-2B80-4021-B437-DD0379ED8A52}.exe
File created	C:\Windows\{5489C4B5-416D-430e-8B67-0F0A00C56939}.exe	{74CDE738-B9EE-44ab-B138-47C4BF658360}.exe
File created	C:\Windows\{D747D15F-0CDF-4d37-8322-324148B54C04}.exe	{D06B4C7B-E72D-47b5-97DA-04F86058E761}.exe
File created	C:\Windows\{9D018E8B-B863-4d1f-8B81-E2437E626F76}.exe	2024-03-27_055945108df4cd038697d29fd33c788a_goldeneye.exe
File created	C:\Windows\{B43EFA55-FAF8-40ce-8207-CD2E6A445207}.exe	{9D018E8B-B863-4d1f-8B81-E2437E626F76}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2244	2024-03-27_055945108df4cd038697d29fd33c788a_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3016	{9D018E8B-B863-4d1f-8B81-E2437E626F76}.exe
Token: SeIncBasePriorityPrivilege	2588	{B43EFA55-FAF8-40ce-8207-CD2E6A445207}.exe
Token: SeIncBasePriorityPrivilege	2368	{7E6B140C-C443-48bf-8767-D26BBF9A5324}.exe
Token: SeIncBasePriorityPrivilege	2392	{1F209003-4AC9-4b7b-8D58-A868ECA298A8}.exe
Token: SeIncBasePriorityPrivilege	1728	{98BEFC6B-471F-4dbd-9DE5-8321B9431EE5}.exe
Token: SeIncBasePriorityPrivilege	2468	{4868FAF4-2B80-4021-B437-DD0379ED8A52}.exe
Token: SeIncBasePriorityPrivilege	1248	{A1CA9825-69FE-47f9-8975-6EF76F85A6D8}.exe
Token: SeIncBasePriorityPrivilege	1952	{74CDE738-B9EE-44ab-B138-47C4BF658360}.exe
Token: SeIncBasePriorityPrivilege	2204	{5489C4B5-416D-430e-8B67-0F0A00C56939}.exe
Token: SeIncBasePriorityPrivilege	3040	{D06B4C7B-E72D-47b5-97DA-04F86058E761}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2244 wrote to memory of 3016	2244	2024-03-27_055945108df4cd038697d29fd33c788a_goldeneye.exe	28
PID 2244 wrote to memory of 3016	2244	2024-03-27_055945108df4cd038697d29fd33c788a_goldeneye.exe	28
PID 2244 wrote to memory of 3016	2244	2024-03-27_055945108df4cd038697d29fd33c788a_goldeneye.exe	28
PID 2244 wrote to memory of 3016	2244	2024-03-27_055945108df4cd038697d29fd33c788a_goldeneye.exe	28
PID 2244 wrote to memory of 2548	2244	2024-03-27_055945108df4cd038697d29fd33c788a_goldeneye.exe	29
PID 2244 wrote to memory of 2548	2244	2024-03-27_055945108df4cd038697d29fd33c788a_goldeneye.exe	29
PID 2244 wrote to memory of 2548	2244	2024-03-27_055945108df4cd038697d29fd33c788a_goldeneye.exe	29
PID 2244 wrote to memory of 2548	2244	2024-03-27_055945108df4cd038697d29fd33c788a_goldeneye.exe	29
PID 3016 wrote to memory of 2588	3016	{9D018E8B-B863-4d1f-8B81-E2437E626F76}.exe	30
PID 3016 wrote to memory of 2588	3016	{9D018E8B-B863-4d1f-8B81-E2437E626F76}.exe	30
PID 3016 wrote to memory of 2588	3016	{9D018E8B-B863-4d1f-8B81-E2437E626F76}.exe	30
PID 3016 wrote to memory of 2588	3016	{9D018E8B-B863-4d1f-8B81-E2437E626F76}.exe	30
PID 3016 wrote to memory of 1932	3016	{9D018E8B-B863-4d1f-8B81-E2437E626F76}.exe	31
PID 3016 wrote to memory of 1932	3016	{9D018E8B-B863-4d1f-8B81-E2437E626F76}.exe	31
PID 3016 wrote to memory of 1932	3016	{9D018E8B-B863-4d1f-8B81-E2437E626F76}.exe	31
PID 3016 wrote to memory of 1932	3016	{9D018E8B-B863-4d1f-8B81-E2437E626F76}.exe	31
PID 2588 wrote to memory of 2368	2588	{B43EFA55-FAF8-40ce-8207-CD2E6A445207}.exe	34
PID 2588 wrote to memory of 2368	2588	{B43EFA55-FAF8-40ce-8207-CD2E6A445207}.exe	34
PID 2588 wrote to memory of 2368	2588	{B43EFA55-FAF8-40ce-8207-CD2E6A445207}.exe	34
PID 2588 wrote to memory of 2368	2588	{B43EFA55-FAF8-40ce-8207-CD2E6A445207}.exe	34
PID 2588 wrote to memory of 2664	2588	{B43EFA55-FAF8-40ce-8207-CD2E6A445207}.exe	35
PID 2588 wrote to memory of 2664	2588	{B43EFA55-FAF8-40ce-8207-CD2E6A445207}.exe	35
PID 2588 wrote to memory of 2664	2588	{B43EFA55-FAF8-40ce-8207-CD2E6A445207}.exe	35
PID 2588 wrote to memory of 2664	2588	{B43EFA55-FAF8-40ce-8207-CD2E6A445207}.exe	35
PID 2368 wrote to memory of 2392	2368	{7E6B140C-C443-48bf-8767-D26BBF9A5324}.exe	36
PID 2368 wrote to memory of 2392	2368	{7E6B140C-C443-48bf-8767-D26BBF9A5324}.exe	36
PID 2368 wrote to memory of 2392	2368	{7E6B140C-C443-48bf-8767-D26BBF9A5324}.exe	36
PID 2368 wrote to memory of 2392	2368	{7E6B140C-C443-48bf-8767-D26BBF9A5324}.exe	36
PID 2368 wrote to memory of 1828	2368	{7E6B140C-C443-48bf-8767-D26BBF9A5324}.exe	37
PID 2368 wrote to memory of 1828	2368	{7E6B140C-C443-48bf-8767-D26BBF9A5324}.exe	37
PID 2368 wrote to memory of 1828	2368	{7E6B140C-C443-48bf-8767-D26BBF9A5324}.exe	37
PID 2368 wrote to memory of 1828	2368	{7E6B140C-C443-48bf-8767-D26BBF9A5324}.exe	37
PID 2392 wrote to memory of 1728	2392	{1F209003-4AC9-4b7b-8D58-A868ECA298A8}.exe	38
PID 2392 wrote to memory of 1728	2392	{1F209003-4AC9-4b7b-8D58-A868ECA298A8}.exe	38
PID 2392 wrote to memory of 1728	2392	{1F209003-4AC9-4b7b-8D58-A868ECA298A8}.exe	38
PID 2392 wrote to memory of 1728	2392	{1F209003-4AC9-4b7b-8D58-A868ECA298A8}.exe	38
PID 2392 wrote to memory of 2320	2392	{1F209003-4AC9-4b7b-8D58-A868ECA298A8}.exe	39
PID 2392 wrote to memory of 2320	2392	{1F209003-4AC9-4b7b-8D58-A868ECA298A8}.exe	39
PID 2392 wrote to memory of 2320	2392	{1F209003-4AC9-4b7b-8D58-A868ECA298A8}.exe	39
PID 2392 wrote to memory of 2320	2392	{1F209003-4AC9-4b7b-8D58-A868ECA298A8}.exe	39
PID 1728 wrote to memory of 2468	1728	{98BEFC6B-471F-4dbd-9DE5-8321B9431EE5}.exe	40
PID 1728 wrote to memory of 2468	1728	{98BEFC6B-471F-4dbd-9DE5-8321B9431EE5}.exe	40
PID 1728 wrote to memory of 2468	1728	{98BEFC6B-471F-4dbd-9DE5-8321B9431EE5}.exe	40
PID 1728 wrote to memory of 2468	1728	{98BEFC6B-471F-4dbd-9DE5-8321B9431EE5}.exe	40
PID 1728 wrote to memory of 2604	1728	{98BEFC6B-471F-4dbd-9DE5-8321B9431EE5}.exe	41
PID 1728 wrote to memory of 2604	1728	{98BEFC6B-471F-4dbd-9DE5-8321B9431EE5}.exe	41
PID 1728 wrote to memory of 2604	1728	{98BEFC6B-471F-4dbd-9DE5-8321B9431EE5}.exe	41
PID 1728 wrote to memory of 2604	1728	{98BEFC6B-471F-4dbd-9DE5-8321B9431EE5}.exe	41
PID 2468 wrote to memory of 1248	2468	{4868FAF4-2B80-4021-B437-DD0379ED8A52}.exe	42
PID 2468 wrote to memory of 1248	2468	{4868FAF4-2B80-4021-B437-DD0379ED8A52}.exe	42
PID 2468 wrote to memory of 1248	2468	{4868FAF4-2B80-4021-B437-DD0379ED8A52}.exe	42
PID 2468 wrote to memory of 1248	2468	{4868FAF4-2B80-4021-B437-DD0379ED8A52}.exe	42
PID 2468 wrote to memory of 932	2468	{4868FAF4-2B80-4021-B437-DD0379ED8A52}.exe	43
PID 2468 wrote to memory of 932	2468	{4868FAF4-2B80-4021-B437-DD0379ED8A52}.exe	43
PID 2468 wrote to memory of 932	2468	{4868FAF4-2B80-4021-B437-DD0379ED8A52}.exe	43
PID 2468 wrote to memory of 932	2468	{4868FAF4-2B80-4021-B437-DD0379ED8A52}.exe	43
PID 1248 wrote to memory of 1952	1248	{A1CA9825-69FE-47f9-8975-6EF76F85A6D8}.exe	44
PID 1248 wrote to memory of 1952	1248	{A1CA9825-69FE-47f9-8975-6EF76F85A6D8}.exe	44
PID 1248 wrote to memory of 1952	1248	{A1CA9825-69FE-47f9-8975-6EF76F85A6D8}.exe	44
PID 1248 wrote to memory of 1952	1248	{A1CA9825-69FE-47f9-8975-6EF76F85A6D8}.exe	44
PID 1248 wrote to memory of 2236	1248	{A1CA9825-69FE-47f9-8975-6EF76F85A6D8}.exe	45
PID 1248 wrote to memory of 2236	1248	{A1CA9825-69FE-47f9-8975-6EF76F85A6D8}.exe	45
PID 1248 wrote to memory of 2236	1248	{A1CA9825-69FE-47f9-8975-6EF76F85A6D8}.exe	45
PID 1248 wrote to memory of 2236	1248	{A1CA9825-69FE-47f9-8975-6EF76F85A6D8}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-03-27_055945108df4cd038697d29fd33c788a_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-27_055945108df4cd038697d29fd33c788a_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2244
- C:\Windows\{9D018E8B-B863-4d1f-8B81-E2437E626F76}.exe
  C:\Windows\{9D018E8B-B863-4d1f-8B81-E2437E626F76}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3016
- - C:\Windows\{B43EFA55-FAF8-40ce-8207-CD2E6A445207}.exe
    C:\Windows\{B43EFA55-FAF8-40ce-8207-CD2E6A445207}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2588
  - - C:\Windows\{7E6B140C-C443-48bf-8767-D26BBF9A5324}.exe
      C:\Windows\{7E6B140C-C443-48bf-8767-D26BBF9A5324}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2368
    - - C:\Windows\{1F209003-4AC9-4b7b-8D58-A868ECA298A8}.exe
        
        C:\Windows\{1F209003-4AC9-4b7b-8D58-A868ECA298A8}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2392
      - C:\Windows\{98BEFC6B-471F-4dbd-9DE5-8321B9431EE5}.exe
        
        C:\Windows\{98BEFC6B-471F-4dbd-9DE5-8321B9431EE5}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1728
        
        C:\Windows\{4868FAF4-2B80-4021-B437-DD0379ED8A52}.exe
        
        C:\Windows\{4868FAF4-2B80-4021-B437-DD0379ED8A52}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2468
        
        C:\Windows\{A1CA9825-69FE-47f9-8975-6EF76F85A6D8}.exe
        
        C:\Windows\{A1CA9825-69FE-47f9-8975-6EF76F85A6D8}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1248
        
        C:\Windows\{74CDE738-B9EE-44ab-B138-47C4BF658360}.exe
        
        C:\Windows\{74CDE738-B9EE-44ab-B138-47C4BF658360}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1952
        
        C:\Windows\{5489C4B5-416D-430e-8B67-0F0A00C56939}.exe
        
        C:\Windows\{5489C4B5-416D-430e-8B67-0F0A00C56939}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2204
        
        C:\Windows\{D06B4C7B-E72D-47b5-97DA-04F86058E761}.exe
        
        C:\Windows\{D06B4C7B-E72D-47b5-97DA-04F86058E761}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3040
        
        C:\Windows\{D747D15F-0CDF-4d37-8322-324148B54C04}.exe
        
        C:\Windows\{D747D15F-0CDF-4d37-8322-324148B54C04}.exe
        12⤵
        Executes dropped EXE
        
        PID:3000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D06B4~1.EXE > nul
        12⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5489C~1.EXE > nul
        11⤵
        
        PID:1820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{74CDE~1.EXE > nul
        10⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A1CA9~1.EXE > nul
        9⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4868F~1.EXE > nul
        8⤵
        
        PID:932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{98BEF~1.EXE > nul
        7⤵
        
        PID:2604
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1F209~1.EXE > nul
        6⤵
        
        PID:2320
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7E6B1~1.EXE > nul
        5⤵
        
        PID:1828
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{B43EF~1.EXE > nul
      4⤵
      PID:2664
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{9D018~1.EXE > nul
    3⤵
    PID:1932
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1F209003-4AC9-4b7b-8D58-A868ECA298A8}.exe

Filesize
192KB

MD5
b6072a6718aa96665307d31f35f824d8

SHA1
93cb4866a5fa12d22c536f60dcf9339493427f92

SHA256
1f19ba1e2619ece082b72bd6c8ae0a47371b474df8cd336fb7342b2556b67cbb

SHA512
fd43670a62a7bdad45d0daa75a98c042dd5144d53c509774af945c3fe29d8e115a9a48b80fa1a88b74600c59fdf4c8306b25b2c0fb546c9da727bd1b83d5ccef

Download Submit
C:\Windows\{4868FAF4-2B80-4021-B437-DD0379ED8A52}.exe

Filesize
49KB

MD5
622f0b4df243d6c1a357fbc8ec82c894

SHA1
ea6a0b2c30cc66a06d3ae9e4af3fc065ccb1e335

SHA256
0cac0811ab516b7568b1f93a582ea047ec903440be11117add10803844a5a15c

SHA512
fe324d07e96fc34989899642e245ebde52aa0c5c18fe54c4da05b7e815bff7201744aacf33bf2c20102dbce427dc5a75a84058046f8a541acebc04b3a59b7f28

Download Submit
C:\Windows\{4868FAF4-2B80-4021-B437-DD0379ED8A52}.exe

Filesize
192KB

MD5
1f2428deff943a5cf91870e064c6d1f5

SHA1
e68b719e45155dea9881a8aaaaaf7c2e6f0d1ccd

SHA256
6d4521a1e21ccda265ca36ef285364104dd92d76e0a67e570a24f4e7f9a1467a

SHA512
167339c551dca1471ba36ef05797fca24609a51362bb10a08afbd899162d95d27f804a9c8fb7b4f094b77b4a43ccbc4b023c4516cbc9b525112fb5d75b036484

Download Submit
C:\Windows\{5489C4B5-416D-430e-8B67-0F0A00C56939}.exe

Filesize
192KB

MD5
c1c28467e5d519cc24e1f6b10485265e

SHA1
a701a85c7e8dfe84aa660e8929638050903ee3ad

SHA256
ddf06693d34d80bdbf57879c2fc97998233129d5deba875866168505452a3606

SHA512
d19df419e261820aa69bbb033dbb81755b37269b7640e65d31ae82402c8d05c9b48fd6ea4ce0b26889c1569b945451c8a188fb210f0fd666514e2104902b9da0

Download Submit
C:\Windows\{74CDE738-B9EE-44ab-B138-47C4BF658360}.exe

Filesize
192KB

MD5
47e8b248a8dc4b7f6e2b677bc2ebbb35

SHA1
3adbb76f9d0bf2154138b38748a8fd4f51f0347b

SHA256
f43a87c1d5d0df89e208670d5e03c3c6eb246ee46d21b5981caafd6b35b48ce4

SHA512
12214069b92dbcaf7e91fcd4fbd6a883cfea194d3e776246bbcd4091347bd07da844aa30a9a08ee0ab56ca632831c342166eec50de1287c31f0030272330d996

Download Submit
C:\Windows\{7E6B140C-C443-48bf-8767-D26BBF9A5324}.exe

Filesize
192KB

MD5
d7def235d28959fa8b6518337cb1b2f7

SHA1
f804981f563a9c0606af4591255d8c6af76e888c

SHA256
0aa671436afe1ea3777a65d5e9ca9fd710ad765742f1411b0a62792a3b0b7554

SHA512
8ddea0b4bc44350da948adc5dfdf3784fd471f74b1742cdd6b918df4ecc9e898ed0adda7b2f472e8039b1f20a58974ac8c1fb444e4c9d19bd165736f2bdfbe15

Download Submit
C:\Windows\{98BEFC6B-471F-4dbd-9DE5-8321B9431EE5}.exe

Filesize
192KB

MD5
80a95252c8bbc9e35f898a312ee53f3f

SHA1
4dc8a0bf5cc5453b60e761c5d95730955a48295c

SHA256
3d8aee88e12bc7a80ef0b9ced56cdd031c3b19dd9278fa59231174537a71658f

SHA512
fcdc74bddc305cc730e9288b28511d4ba9e5adade9029ce2127a1a9f813214c7463b91b4371d68b980cd4aed6cb2015664c8ac5fe879af34ed373d662fe96fc5

Download Submit
C:\Windows\{98BEFC6B-471F-4dbd-9DE5-8321B9431EE5}.exe

Filesize
113KB

MD5
464892b19cd28bf6a29a45e58a85d787

SHA1
ce70206ecd9a8d66a7b6b4486d414ceb2de33d40

SHA256
6d3d216b61bce24fc158adafdda442e497b67d1cb9d557b9c346ab9c93606090

SHA512
a83bdcc51da1b4bde9d68099738186776b466a7a68c611d860200c6512b798a7427e14c3909c94829d375700147f4b3d30bc5360e08824ff9426627a01e155ee

Download Submit
C:\Windows\{9D018E8B-B863-4d1f-8B81-E2437E626F76}.exe

Filesize
192KB

MD5
5c7d7500e22025ad1bd284b909ec4e8b

SHA1
efcb1f6448ff592e0701a581c278844b78b7ee63

SHA256
39bd4325d2f1ef20e98dcc414bd243e13e5d70fd9a6e115e545017077fc6bbcf

SHA512
b261c4f63d6eea0402daf26efa7c2d1da8d6d5b6c1c488c0b53d08cd74acbf5adcfe1bc699066b20656254dd123de7ef80665e045d1d11bf8bc8c67a8c21909c

Download Submit
C:\Windows\{A1CA9825-69FE-47f9-8975-6EF76F85A6D8}.exe

Filesize
192KB

MD5
056793eba6a9daa45e0c271de55f6c25

SHA1
140e20d66edfec6c3d4583e8d5d6c5220d45c23a

SHA256
92605f9a6ab8731d4c55dba5bbafedad5f6a1eb86661273c140a371c32db65c2

SHA512
76b92f62fe54332e66ed301d0af227f41c424424075c17847272b0b2b81501e8c3f89fdf27f294ddbaa94d43466551d99a7e01b444e63efc2c67ef61c04ae238

Download Submit
C:\Windows\{B43EFA55-FAF8-40ce-8207-CD2E6A445207}.exe

Filesize
192KB

MD5
19451e3abfba0338a75960a9a26221b1

SHA1
83e9901858e8166ce69f60f0c32ecef3a07e1d96

SHA256
79e45619afe8bc7fa32a7188da82929d61250e015615cbc49ece766a43b86afb

SHA512
b9cd34a17c0bc29f9e26518e788ebfcc6d35f670d6d4843bd62b1a300d28bbf908e375949fefe41e69e509df8f2664e551a0265fdec368eb2bd67c72a23467cb

Download Submit
C:\Windows\{D06B4C7B-E72D-47b5-97DA-04F86058E761}.exe

Filesize
192KB

MD5
0fdb48880aa249e8caebeb80d59a4f15

SHA1
50f6472aa09a996dc77bff71c4ec08d864e78571

SHA256
cb9c54c3570a26a9a97aba001d86f28a125f40c7d8ccef2212b947a2c332c01e

SHA512
966d07db39731488aacb56b38e6717c3c2fd19f780308de6d6d9d02f2690542366e54b9e21b46718a17dccce987a1f8d98697d9efed844cacce1ae47d4955b64

Download Submit
C:\Windows\{D747D15F-0CDF-4d37-8322-324148B54C04}.exe

Filesize
192KB

MD5
e44baa3637b9e69e1846daebb1f9dd84

SHA1
c076b3e847985198b9073002eef8191b0b09a868

SHA256
bfb263d220f35ef27ed34912df2286632b6d6feec57b67bf36a2bc184f15c5b5

SHA512
63a5b96753d54597968d443880d090b17bcbb821476b15b147d58d40cc9f5664fa10642a0646cdd660211026a0db530e4e2371b1e890ef1e8964c21f126d510e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads