7fdc3c20c0c0768db8fa8fed004347939efedd38a7765ad9b07624d1f82495c0

Analysis

max time kernel
144s
max time network
127s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
29/03/2024, 12:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-29_78a599ab1577100535807503ea1ee25c_goldeneye.exe
Size

216KB
MD5

78a599ab1577100535807503ea1ee25c
SHA1

90295cc8ff505753fb1bca5420f486a2d40ad261
SHA256

7fdc3c20c0c0768db8fa8fed004347939efedd38a7765ad9b07624d1f82495c0
SHA512

0bbfa043dc80ffeb8db600c2746527245ce11c8746b7790e9064f9f078509a703c5d8c31f8ce0e408ac60222126c9419583736cc4565153bbc49c94b6f8ff493
SSDEEP

3072:jEGh0oll+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEGzlEeKcAEcGy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x00040000000130fc-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00320000000162f3-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00330000000162f3-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00340000000162f3-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00350000000162f3-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00360000000162f3-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B7BB0C34-96CC-4858-8910-276F4133023B}\stubpath = "C:\\Windows\\{B7BB0C34-96CC-4858-8910-276F4133023B}.exe"	{8F5A902F-9C98-4478-8CB1-05745D7AC32D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C0358AF9-AFAA-49cb-AFF9-51E3A7F0B83F}	{B7BB0C34-96CC-4858-8910-276F4133023B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2E3430E3-C0CF-40fb-A46E-EF069CAC3D43}	{64C668C2-BF4D-4e96-A524-A13B04E98BE3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2E3430E3-C0CF-40fb-A46E-EF069CAC3D43}\stubpath = "C:\\Windows\\{2E3430E3-C0CF-40fb-A46E-EF069CAC3D43}.exe"	{64C668C2-BF4D-4e96-A524-A13B04E98BE3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8F948747-F232-4410-B555-3571B1FEDE1B}	2024-03-29_78a599ab1577100535807503ea1ee25c_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8F948747-F232-4410-B555-3571B1FEDE1B}\stubpath = "C:\\Windows\\{8F948747-F232-4410-B555-3571B1FEDE1B}.exe"	2024-03-29_78a599ab1577100535807503ea1ee25c_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F59268E9-827B-4523-9CD8-A2588C318BE6}\stubpath = "C:\\Windows\\{F59268E9-827B-4523-9CD8-A2588C318BE6}.exe"	{E614C1EC-B3D0-43d4-A19C-767E1A1CFDD4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8DE4C987-3948-4b88-A107-2A3858B96007}	{28253653-D5DC-4fdf-B869-54F31AB7C5A8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E614C1EC-B3D0-43d4-A19C-767E1A1CFDD4}\stubpath = "C:\\Windows\\{E614C1EC-B3D0-43d4-A19C-767E1A1CFDD4}.exe"	{8F948747-F232-4410-B555-3571B1FEDE1B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{28253653-D5DC-4fdf-B869-54F31AB7C5A8}\stubpath = "C:\\Windows\\{28253653-D5DC-4fdf-B869-54F31AB7C5A8}.exe"	{F59268E9-827B-4523-9CD8-A2588C318BE6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8F5A902F-9C98-4478-8CB1-05745D7AC32D}\stubpath = "C:\\Windows\\{8F5A902F-9C98-4478-8CB1-05745D7AC32D}.exe"	{79B46A28-A06B-4285-BA5B-095ABBE47BCD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{64C668C2-BF4D-4e96-A524-A13B04E98BE3}\stubpath = "C:\\Windows\\{64C668C2-BF4D-4e96-A524-A13B04E98BE3}.exe"	{C0358AF9-AFAA-49cb-AFF9-51E3A7F0B83F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{64C668C2-BF4D-4e96-A524-A13B04E98BE3}	{C0358AF9-AFAA-49cb-AFF9-51E3A7F0B83F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{79B46A28-A06B-4285-BA5B-095ABBE47BCD}	{8DE4C987-3948-4b88-A107-2A3858B96007}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{79B46A28-A06B-4285-BA5B-095ABBE47BCD}\stubpath = "C:\\Windows\\{79B46A28-A06B-4285-BA5B-095ABBE47BCD}.exe"	{8DE4C987-3948-4b88-A107-2A3858B96007}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8F5A902F-9C98-4478-8CB1-05745D7AC32D}	{79B46A28-A06B-4285-BA5B-095ABBE47BCD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B7BB0C34-96CC-4858-8910-276F4133023B}	{8F5A902F-9C98-4478-8CB1-05745D7AC32D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C0358AF9-AFAA-49cb-AFF9-51E3A7F0B83F}\stubpath = "C:\\Windows\\{C0358AF9-AFAA-49cb-AFF9-51E3A7F0B83F}.exe"	{B7BB0C34-96CC-4858-8910-276F4133023B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E614C1EC-B3D0-43d4-A19C-767E1A1CFDD4}	{8F948747-F232-4410-B555-3571B1FEDE1B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F59268E9-827B-4523-9CD8-A2588C318BE6}	{E614C1EC-B3D0-43d4-A19C-767E1A1CFDD4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{28253653-D5DC-4fdf-B869-54F31AB7C5A8}	{F59268E9-827B-4523-9CD8-A2588C318BE6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8DE4C987-3948-4b88-A107-2A3858B96007}\stubpath = "C:\\Windows\\{8DE4C987-3948-4b88-A107-2A3858B96007}.exe"	{28253653-D5DC-4fdf-B869-54F31AB7C5A8}.exe

Deletes itself 1 IoCs

pid	Process
2052	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2488	{8F948747-F232-4410-B555-3571B1FEDE1B}.exe
2640	{E614C1EC-B3D0-43d4-A19C-767E1A1CFDD4}.exe
2516	{F59268E9-827B-4523-9CD8-A2588C318BE6}.exe
580	{28253653-D5DC-4fdf-B869-54F31AB7C5A8}.exe
1452	{8DE4C987-3948-4b88-A107-2A3858B96007}.exe
2492	{79B46A28-A06B-4285-BA5B-095ABBE47BCD}.exe
1952	{8F5A902F-9C98-4478-8CB1-05745D7AC32D}.exe
1784	{B7BB0C34-96CC-4858-8910-276F4133023B}.exe
1520	{C0358AF9-AFAA-49cb-AFF9-51E3A7F0B83F}.exe
2004	{64C668C2-BF4D-4e96-A524-A13B04E98BE3}.exe
1864	{2E3430E3-C0CF-40fb-A46E-EF069CAC3D43}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{E614C1EC-B3D0-43d4-A19C-767E1A1CFDD4}.exe	{8F948747-F232-4410-B555-3571B1FEDE1B}.exe
File created	C:\Windows\{28253653-D5DC-4fdf-B869-54F31AB7C5A8}.exe	{F59268E9-827B-4523-9CD8-A2588C318BE6}.exe
File created	C:\Windows\{79B46A28-A06B-4285-BA5B-095ABBE47BCD}.exe	{8DE4C987-3948-4b88-A107-2A3858B96007}.exe
File created	C:\Windows\{2E3430E3-C0CF-40fb-A46E-EF069CAC3D43}.exe	{64C668C2-BF4D-4e96-A524-A13B04E98BE3}.exe
File created	C:\Windows\{8F948747-F232-4410-B555-3571B1FEDE1B}.exe	2024-03-29_78a599ab1577100535807503ea1ee25c_goldeneye.exe
File created	C:\Windows\{F59268E9-827B-4523-9CD8-A2588C318BE6}.exe	{E614C1EC-B3D0-43d4-A19C-767E1A1CFDD4}.exe
File created	C:\Windows\{8DE4C987-3948-4b88-A107-2A3858B96007}.exe	{28253653-D5DC-4fdf-B869-54F31AB7C5A8}.exe
File created	C:\Windows\{8F5A902F-9C98-4478-8CB1-05745D7AC32D}.exe	{79B46A28-A06B-4285-BA5B-095ABBE47BCD}.exe
File created	C:\Windows\{B7BB0C34-96CC-4858-8910-276F4133023B}.exe	{8F5A902F-9C98-4478-8CB1-05745D7AC32D}.exe
File created	C:\Windows\{C0358AF9-AFAA-49cb-AFF9-51E3A7F0B83F}.exe	{B7BB0C34-96CC-4858-8910-276F4133023B}.exe
File created	C:\Windows\{64C668C2-BF4D-4e96-A524-A13B04E98BE3}.exe	{C0358AF9-AFAA-49cb-AFF9-51E3A7F0B83F}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1988	2024-03-29_78a599ab1577100535807503ea1ee25c_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2488	{8F948747-F232-4410-B555-3571B1FEDE1B}.exe
Token: SeIncBasePriorityPrivilege	2640	{E614C1EC-B3D0-43d4-A19C-767E1A1CFDD4}.exe
Token: SeIncBasePriorityPrivilege	2516	{F59268E9-827B-4523-9CD8-A2588C318BE6}.exe
Token: SeIncBasePriorityPrivilege	580	{28253653-D5DC-4fdf-B869-54F31AB7C5A8}.exe
Token: SeIncBasePriorityPrivilege	1452	{8DE4C987-3948-4b88-A107-2A3858B96007}.exe
Token: SeIncBasePriorityPrivilege	2492	{79B46A28-A06B-4285-BA5B-095ABBE47BCD}.exe
Token: SeIncBasePriorityPrivilege	1952	{8F5A902F-9C98-4478-8CB1-05745D7AC32D}.exe
Token: SeIncBasePriorityPrivilege	1784	{B7BB0C34-96CC-4858-8910-276F4133023B}.exe
Token: SeIncBasePriorityPrivilege	1520	{C0358AF9-AFAA-49cb-AFF9-51E3A7F0B83F}.exe
Token: SeIncBasePriorityPrivilege	2004	{64C668C2-BF4D-4e96-A524-A13B04E98BE3}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1988 wrote to memory of 2488	1988	2024-03-29_78a599ab1577100535807503ea1ee25c_goldeneye.exe	28
PID 1988 wrote to memory of 2488	1988	2024-03-29_78a599ab1577100535807503ea1ee25c_goldeneye.exe	28
PID 1988 wrote to memory of 2488	1988	2024-03-29_78a599ab1577100535807503ea1ee25c_goldeneye.exe	28
PID 1988 wrote to memory of 2488	1988	2024-03-29_78a599ab1577100535807503ea1ee25c_goldeneye.exe	28
PID 1988 wrote to memory of 2052	1988	2024-03-29_78a599ab1577100535807503ea1ee25c_goldeneye.exe	29
PID 1988 wrote to memory of 2052	1988	2024-03-29_78a599ab1577100535807503ea1ee25c_goldeneye.exe	29
PID 1988 wrote to memory of 2052	1988	2024-03-29_78a599ab1577100535807503ea1ee25c_goldeneye.exe	29
PID 1988 wrote to memory of 2052	1988	2024-03-29_78a599ab1577100535807503ea1ee25c_goldeneye.exe	29
PID 2488 wrote to memory of 2640	2488	{8F948747-F232-4410-B555-3571B1FEDE1B}.exe	30
PID 2488 wrote to memory of 2640	2488	{8F948747-F232-4410-B555-3571B1FEDE1B}.exe	30
PID 2488 wrote to memory of 2640	2488	{8F948747-F232-4410-B555-3571B1FEDE1B}.exe	30
PID 2488 wrote to memory of 2640	2488	{8F948747-F232-4410-B555-3571B1FEDE1B}.exe	30
PID 2488 wrote to memory of 2932	2488	{8F948747-F232-4410-B555-3571B1FEDE1B}.exe	31
PID 2488 wrote to memory of 2932	2488	{8F948747-F232-4410-B555-3571B1FEDE1B}.exe	31
PID 2488 wrote to memory of 2932	2488	{8F948747-F232-4410-B555-3571B1FEDE1B}.exe	31
PID 2488 wrote to memory of 2932	2488	{8F948747-F232-4410-B555-3571B1FEDE1B}.exe	31
PID 2640 wrote to memory of 2516	2640	{E614C1EC-B3D0-43d4-A19C-767E1A1CFDD4}.exe	34
PID 2640 wrote to memory of 2516	2640	{E614C1EC-B3D0-43d4-A19C-767E1A1CFDD4}.exe	34
PID 2640 wrote to memory of 2516	2640	{E614C1EC-B3D0-43d4-A19C-767E1A1CFDD4}.exe	34
PID 2640 wrote to memory of 2516	2640	{E614C1EC-B3D0-43d4-A19C-767E1A1CFDD4}.exe	34
PID 2640 wrote to memory of 2820	2640	{E614C1EC-B3D0-43d4-A19C-767E1A1CFDD4}.exe	35
PID 2640 wrote to memory of 2820	2640	{E614C1EC-B3D0-43d4-A19C-767E1A1CFDD4}.exe	35
PID 2640 wrote to memory of 2820	2640	{E614C1EC-B3D0-43d4-A19C-767E1A1CFDD4}.exe	35
PID 2640 wrote to memory of 2820	2640	{E614C1EC-B3D0-43d4-A19C-767E1A1CFDD4}.exe	35
PID 2516 wrote to memory of 580	2516	{F59268E9-827B-4523-9CD8-A2588C318BE6}.exe	36
PID 2516 wrote to memory of 580	2516	{F59268E9-827B-4523-9CD8-A2588C318BE6}.exe	36
PID 2516 wrote to memory of 580	2516	{F59268E9-827B-4523-9CD8-A2588C318BE6}.exe	36
PID 2516 wrote to memory of 580	2516	{F59268E9-827B-4523-9CD8-A2588C318BE6}.exe	36
PID 2516 wrote to memory of 816	2516	{F59268E9-827B-4523-9CD8-A2588C318BE6}.exe	37
PID 2516 wrote to memory of 816	2516	{F59268E9-827B-4523-9CD8-A2588C318BE6}.exe	37
PID 2516 wrote to memory of 816	2516	{F59268E9-827B-4523-9CD8-A2588C318BE6}.exe	37
PID 2516 wrote to memory of 816	2516	{F59268E9-827B-4523-9CD8-A2588C318BE6}.exe	37
PID 580 wrote to memory of 1452	580	{28253653-D5DC-4fdf-B869-54F31AB7C5A8}.exe	38
PID 580 wrote to memory of 1452	580	{28253653-D5DC-4fdf-B869-54F31AB7C5A8}.exe	38
PID 580 wrote to memory of 1452	580	{28253653-D5DC-4fdf-B869-54F31AB7C5A8}.exe	38
PID 580 wrote to memory of 1452	580	{28253653-D5DC-4fdf-B869-54F31AB7C5A8}.exe	38
PID 580 wrote to memory of 2484	580	{28253653-D5DC-4fdf-B869-54F31AB7C5A8}.exe	39
PID 580 wrote to memory of 2484	580	{28253653-D5DC-4fdf-B869-54F31AB7C5A8}.exe	39
PID 580 wrote to memory of 2484	580	{28253653-D5DC-4fdf-B869-54F31AB7C5A8}.exe	39
PID 580 wrote to memory of 2484	580	{28253653-D5DC-4fdf-B869-54F31AB7C5A8}.exe	39
PID 1452 wrote to memory of 2492	1452	{8DE4C987-3948-4b88-A107-2A3858B96007}.exe	40
PID 1452 wrote to memory of 2492	1452	{8DE4C987-3948-4b88-A107-2A3858B96007}.exe	40
PID 1452 wrote to memory of 2492	1452	{8DE4C987-3948-4b88-A107-2A3858B96007}.exe	40
PID 1452 wrote to memory of 2492	1452	{8DE4C987-3948-4b88-A107-2A3858B96007}.exe	40
PID 1452 wrote to memory of 1120	1452	{8DE4C987-3948-4b88-A107-2A3858B96007}.exe	41
PID 1452 wrote to memory of 1120	1452	{8DE4C987-3948-4b88-A107-2A3858B96007}.exe	41
PID 1452 wrote to memory of 1120	1452	{8DE4C987-3948-4b88-A107-2A3858B96007}.exe	41
PID 1452 wrote to memory of 1120	1452	{8DE4C987-3948-4b88-A107-2A3858B96007}.exe	41
PID 2492 wrote to memory of 1952	2492	{79B46A28-A06B-4285-BA5B-095ABBE47BCD}.exe	42
PID 2492 wrote to memory of 1952	2492	{79B46A28-A06B-4285-BA5B-095ABBE47BCD}.exe	42
PID 2492 wrote to memory of 1952	2492	{79B46A28-A06B-4285-BA5B-095ABBE47BCD}.exe	42
PID 2492 wrote to memory of 1952	2492	{79B46A28-A06B-4285-BA5B-095ABBE47BCD}.exe	42
PID 2492 wrote to memory of 1984	2492	{79B46A28-A06B-4285-BA5B-095ABBE47BCD}.exe	43
PID 2492 wrote to memory of 1984	2492	{79B46A28-A06B-4285-BA5B-095ABBE47BCD}.exe	43
PID 2492 wrote to memory of 1984	2492	{79B46A28-A06B-4285-BA5B-095ABBE47BCD}.exe	43
PID 2492 wrote to memory of 1984	2492	{79B46A28-A06B-4285-BA5B-095ABBE47BCD}.exe	43
PID 1952 wrote to memory of 1784	1952	{8F5A902F-9C98-4478-8CB1-05745D7AC32D}.exe	44
PID 1952 wrote to memory of 1784	1952	{8F5A902F-9C98-4478-8CB1-05745D7AC32D}.exe	44
PID 1952 wrote to memory of 1784	1952	{8F5A902F-9C98-4478-8CB1-05745D7AC32D}.exe	44
PID 1952 wrote to memory of 1784	1952	{8F5A902F-9C98-4478-8CB1-05745D7AC32D}.exe	44
PID 1952 wrote to memory of 1628	1952	{8F5A902F-9C98-4478-8CB1-05745D7AC32D}.exe	45
PID 1952 wrote to memory of 1628	1952	{8F5A902F-9C98-4478-8CB1-05745D7AC32D}.exe	45
PID 1952 wrote to memory of 1628	1952	{8F5A902F-9C98-4478-8CB1-05745D7AC32D}.exe	45
PID 1952 wrote to memory of 1628	1952	{8F5A902F-9C98-4478-8CB1-05745D7AC32D}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-03-29_78a599ab1577100535807503ea1ee25c_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-29_78a599ab1577100535807503ea1ee25c_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1988
- C:\Windows\{8F948747-F232-4410-B555-3571B1FEDE1B}.exe
  C:\Windows\{8F948747-F232-4410-B555-3571B1FEDE1B}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2488
- - C:\Windows\{E614C1EC-B3D0-43d4-A19C-767E1A1CFDD4}.exe
    C:\Windows\{E614C1EC-B3D0-43d4-A19C-767E1A1CFDD4}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2640
  - - C:\Windows\{F59268E9-827B-4523-9CD8-A2588C318BE6}.exe
      C:\Windows\{F59268E9-827B-4523-9CD8-A2588C318BE6}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2516
    - - C:\Windows\{28253653-D5DC-4fdf-B869-54F31AB7C5A8}.exe
        
        C:\Windows\{28253653-D5DC-4fdf-B869-54F31AB7C5A8}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:580
      - C:\Windows\{8DE4C987-3948-4b88-A107-2A3858B96007}.exe
        
        C:\Windows\{8DE4C987-3948-4b88-A107-2A3858B96007}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1452
        
        C:\Windows\{79B46A28-A06B-4285-BA5B-095ABBE47BCD}.exe
        
        C:\Windows\{79B46A28-A06B-4285-BA5B-095ABBE47BCD}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2492
        
        C:\Windows\{8F5A902F-9C98-4478-8CB1-05745D7AC32D}.exe
        
        C:\Windows\{8F5A902F-9C98-4478-8CB1-05745D7AC32D}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1952
        
        C:\Windows\{B7BB0C34-96CC-4858-8910-276F4133023B}.exe
        
        C:\Windows\{B7BB0C34-96CC-4858-8910-276F4133023B}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1784
        
        C:\Windows\{C0358AF9-AFAA-49cb-AFF9-51E3A7F0B83F}.exe
        
        C:\Windows\{C0358AF9-AFAA-49cb-AFF9-51E3A7F0B83F}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1520
        
        C:\Windows\{64C668C2-BF4D-4e96-A524-A13B04E98BE3}.exe
        
        C:\Windows\{64C668C2-BF4D-4e96-A524-A13B04E98BE3}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2004
        
        C:\Windows\{2E3430E3-C0CF-40fb-A46E-EF069CAC3D43}.exe
        
        C:\Windows\{2E3430E3-C0CF-40fb-A46E-EF069CAC3D43}.exe
        12⤵
        Executes dropped EXE
        
        PID:1864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{64C66~1.EXE > nul
        12⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C0358~1.EXE > nul
        11⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B7BB0~1.EXE > nul
        10⤵
        
        PID:628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8F5A9~1.EXE > nul
        9⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{79B46~1.EXE > nul
        8⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8DE4C~1.EXE > nul
        7⤵
        
        PID:1120
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{28253~1.EXE > nul
        6⤵
        
        PID:2484
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F5926~1.EXE > nul
        5⤵
        
        PID:816
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{E614C~1.EXE > nul
      4⤵
      PID:2820
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{8F948~1.EXE > nul
    3⤵
    PID:2932
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{28253653-D5DC-4fdf-B869-54F31AB7C5A8}.exe

Filesize
216KB

MD5
d8287278b80c4bf3dea1093ac281ffb4

SHA1
4704132e21d5fd99dc8dabc6651aea2cb0a261a0

SHA256
ab301cfee33bcf835d8da4bbea923bd0b92a5652fa86d00bdd62bf26dcf42ab5

SHA512
8af17549b20bf7dca58dd2493deea1ea03de48da1409311c6702094e600e629438c58a110cfa444c38c680b39dbc8f13de8c0ae321605144c4bd3e5197098f5d

Download Submit
C:\Windows\{2E3430E3-C0CF-40fb-A46E-EF069CAC3D43}.exe

Filesize
216KB

MD5
84a40b52f2c82ce3c5bbb9f51c34f23f

SHA1
7205447022e3fd129a1d9b1d24628f831f1d82fb

SHA256
66799b35d839be42038caba50085954920118ef5f883fafc4b82d0a27a29f28a

SHA512
8f17a94394f94fdd77525c2e5dbb726242075d61803d76a501f99dcb2d0c92651d696df5f8799f0f71171b0eadd325150181f90514ddc08312a6ade170004aea

Download Submit
C:\Windows\{64C668C2-BF4D-4e96-A524-A13B04E98BE3}.exe

Filesize
216KB

MD5
80201750e1041a148e6b60a1a80fe5e3

SHA1
4cc697e9ddb2ca0645f56868486e2f91d2967504

SHA256
b42e2391c2b6c040949601a4402a0088121bc84e32eca9ab3eff404951aa7d36

SHA512
4b15b2ec930a1ddb6feb08eeb380ced74f4feb11ea255a848e1b351eb16bf5573437244b084918020cd2460145ddc3aad4e30ab53b5140d36d0093a3db39fc59

Download Submit
C:\Windows\{79B46A28-A06B-4285-BA5B-095ABBE47BCD}.exe

Filesize
216KB

MD5
85809bbcc032ed28341408e29054080c

SHA1
560f8887fdeaa30d0a37aee241cef4f69800d654

SHA256
d81d83ada2242d09ac2b76b6748aaee55228acf1ed1fa2b1719ccc9c95b86b79

SHA512
20b86753a16f8bd922f8d1fe286c3e11a7cf7d889adcdae91ede011473c5855deca2c593f8b28280ba0b73d74fd5745e6125a79b94aa878959e0b467c3202bfa

Download Submit
C:\Windows\{8DE4C987-3948-4b88-A107-2A3858B96007}.exe

Filesize
216KB

MD5
709c0bde16d948cbb035580a7ab04e53

SHA1
77543cad7c52668dbee3503d3d22adf18646d142

SHA256
0a206605af4a69fe20fd1d572c265afafa6e83b5c566c9f854c02e81e5c99d0f

SHA512
e6da4a454a0011e34e842c1ad0492c3728e27c05a3616af9fae2c6532a4b1d433477530ced2cbef5cd31a00fdf5f0a564160949d46a2986a092f39a4c897ecd1

Download Submit
C:\Windows\{8F5A902F-9C98-4478-8CB1-05745D7AC32D}.exe

Filesize
216KB

MD5
ede41cc8b12412ec5db9a1f7ff1b5ee5

SHA1
674a829af4017d3ef853ff17b6a331c9a73c4951

SHA256
2f0723089713a71ff9f2d1134a16c2b04e8a9cd9b6ec41507066c501152a3e54

SHA512
a5f16fdfe3fccfbfafa2b98af042b974ead755828d7a48e3aa81d898ca6d0d1f8b80d35e59b772270a3c28311e409f58c142aa2ba2e33b99255a9128f8ca196e

Download Submit
C:\Windows\{8F948747-F232-4410-B555-3571B1FEDE1B}.exe

Filesize
216KB

MD5
fcfba5c7fc7b285d4ec7a4bd0bec50c8

SHA1
9d66cf7c58abe67ccb9690f3284c55982aef1613

SHA256
2e96fa233b37cd51028a6901ab5be38b3f5acb60c8f16cf8058e382af66a61a2

SHA512
20acda7d11a4b420b0fbcfa445eebe5892079141285423f5b6649572c3eb1a763a10faa2990d347a087ac60de48145162f0d1f0d7c5aea16f1fc937578cb19b0

Download Submit
C:\Windows\{B7BB0C34-96CC-4858-8910-276F4133023B}.exe

Filesize
216KB

MD5
3534382ec8bc9918601469ca9106ff7e

SHA1
e3af2469b0508ed6f7652bf2a699e7ee9b5a70f1

SHA256
3eff8414fbe88ebbf216121c2cc3aee76e31d1ba18ff0f0ef5fd25bedf652b7a

SHA512
ab5d556c55d215e17af5e1cb83fad722a281b96743191c68ef9fde1707164f4bce793f0e276eb95836898e63697886e32313e4b6181e7fc63edbda989512c9fc

Download Submit
C:\Windows\{C0358AF9-AFAA-49cb-AFF9-51E3A7F0B83F}.exe

Filesize
216KB

MD5
f26c61e449a0f2028d8568a69b7eaa85

SHA1
5fd8f13719f3601220ab6e2d1306c57a2b67c5e0

SHA256
b16a7c1058c34d87825c72f0db0fbbdf637cd69900e97207231196117ad9426c

SHA512
bfaf3b9b5d04c97e888dd5143d66c99e8d733d714c42297347e027f285d4da32533cbf6d0a4dff2291cb33196fa1c18da012d3b23c949e5a602da07cb3e63ba3

Download Submit
C:\Windows\{E614C1EC-B3D0-43d4-A19C-767E1A1CFDD4}.exe

Filesize
216KB

MD5
b6dcc7f49320820b919cd9cd7b28d035

SHA1
c25ffb11b9f741c9c40d58fe77492e9ee01aa016

SHA256
d246331dc5cb889173da1d96b7b10fbc26d67898367d877c5401428534fe9627

SHA512
5d6c2f186868467849e1ef7b4e354cdb40b47cdb1635e50269434236a20f08e847c94a7de20a3d8bb71a7c2aac8f4bf34835fbedc92ea41c53c63eb8d894673a

Download Submit
C:\Windows\{F59268E9-827B-4523-9CD8-A2588C318BE6}.exe

Filesize
216KB

MD5
31e2832ce3a49b284ea08fbf0a329896

SHA1
b1781884091c0f1db62a7a65c2a7da3b77f511db

SHA256
4b5f924da58c51384882c67668bcfe4cb8480abf625f19f6d0e441439ba3023c

SHA512
3cdb23a6c454f3a1e480f0df01035be1d04a3c3a47a0a6baa7cf406171644b5df94a1a58ff30774c081f9fc8aa34ac20328d935b36552d4bfff3944abc30ae63

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads