33a50d979b7ab424b63fd51ae8367e7cdfce3cd3883cd4fd1db90de84f5eef69

Analysis

max time kernel
144s
max time network
123s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
29/03/2024, 14:03

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-03-29_4ddf5a1ba7143aacf45cce74957eee06_goldeneye.exe
Size

168KB
MD5

4ddf5a1ba7143aacf45cce74957eee06
SHA1

30022294478c68698a469068914e862e0bc889c5
SHA256

33a50d979b7ab424b63fd51ae8367e7cdfce3cd3883cd4fd1db90de84f5eef69
SHA512

e5760d825b06ab9df1705c2892c2f7d4da40ab1ce239053cb570b0607c9360e83dad6b9539f6bb5a26a416dd61f7b4a6d4c5a634f9c872d09cf0a5e59efc4653
SSDEEP

1536:1EGh0o8lq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0o8lqOPOe2MUVg3Ve+rX

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000b00000000e610-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c00000001220d-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000005a59-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d00000001220d-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000005a59-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e00000001220d-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000005a59-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f00000001220d-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000005a59-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001000000001220d-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a000000005a59-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{92B06C88-B85E-4a15-A9C6-D16A9C24B3CB}	{C134B726-9C88-48f0-85AB-266F3A0C5EF4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{92B06C88-B85E-4a15-A9C6-D16A9C24B3CB}\stubpath = "C:\\Windows\\{92B06C88-B85E-4a15-A9C6-D16A9C24B3CB}.exe"	{C134B726-9C88-48f0-85AB-266F3A0C5EF4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4299B550-C941-4486-BB24-36BEE2E17EA1}	{92B06C88-B85E-4a15-A9C6-D16A9C24B3CB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C18E76B7-C785-46cd-8CEE-F00BAACF10E2}\stubpath = "C:\\Windows\\{C18E76B7-C785-46cd-8CEE-F00BAACF10E2}.exe"	{58976224-0EC2-4ffa-852A-7BBDA0D8781B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6C17DFA3-1B3B-4513-AA0C-3951C587D62E}	{C18E76B7-C785-46cd-8CEE-F00BAACF10E2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4299B550-C941-4486-BB24-36BEE2E17EA1}\stubpath = "C:\\Windows\\{4299B550-C941-4486-BB24-36BEE2E17EA1}.exe"	{92B06C88-B85E-4a15-A9C6-D16A9C24B3CB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5C783C45-73A3-4281-8C02-D50E40C9A31F}	{4299B550-C941-4486-BB24-36BEE2E17EA1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5C783C45-73A3-4281-8C02-D50E40C9A31F}\stubpath = "C:\\Windows\\{5C783C45-73A3-4281-8C02-D50E40C9A31F}.exe"	{4299B550-C941-4486-BB24-36BEE2E17EA1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{69133709-25EA-4a9a-BB74-D5F7E0E80581}\stubpath = "C:\\Windows\\{69133709-25EA-4a9a-BB74-D5F7E0E80581}.exe"	{589CE97E-925C-4a84-A58D-60584375E119}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C18E76B7-C785-46cd-8CEE-F00BAACF10E2}	{58976224-0EC2-4ffa-852A-7BBDA0D8781B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3AE9358B-71E2-4401-8078-4131A6F96B04}	{5C783C45-73A3-4281-8C02-D50E40C9A31F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3AE9358B-71E2-4401-8078-4131A6F96B04}\stubpath = "C:\\Windows\\{3AE9358B-71E2-4401-8078-4131A6F96B04}.exe"	{5C783C45-73A3-4281-8C02-D50E40C9A31F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{58976224-0EC2-4ffa-852A-7BBDA0D8781B}	{FD801AF5-E68A-458f-BA0D-C957C1BABE13}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FD801AF5-E68A-458f-BA0D-C957C1BABE13}\stubpath = "C:\\Windows\\{FD801AF5-E68A-458f-BA0D-C957C1BABE13}.exe"	2024-03-29_4ddf5a1ba7143aacf45cce74957eee06_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{58976224-0EC2-4ffa-852A-7BBDA0D8781B}\stubpath = "C:\\Windows\\{58976224-0EC2-4ffa-852A-7BBDA0D8781B}.exe"	{FD801AF5-E68A-458f-BA0D-C957C1BABE13}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6C17DFA3-1B3B-4513-AA0C-3951C587D62E}\stubpath = "C:\\Windows\\{6C17DFA3-1B3B-4513-AA0C-3951C587D62E}.exe"	{C18E76B7-C785-46cd-8CEE-F00BAACF10E2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C134B726-9C88-48f0-85AB-266F3A0C5EF4}	{6C17DFA3-1B3B-4513-AA0C-3951C587D62E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C134B726-9C88-48f0-85AB-266F3A0C5EF4}\stubpath = "C:\\Windows\\{C134B726-9C88-48f0-85AB-266F3A0C5EF4}.exe"	{6C17DFA3-1B3B-4513-AA0C-3951C587D62E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{589CE97E-925C-4a84-A58D-60584375E119}	{3AE9358B-71E2-4401-8078-4131A6F96B04}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{589CE97E-925C-4a84-A58D-60584375E119}\stubpath = "C:\\Windows\\{589CE97E-925C-4a84-A58D-60584375E119}.exe"	{3AE9358B-71E2-4401-8078-4131A6F96B04}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FD801AF5-E68A-458f-BA0D-C957C1BABE13}	2024-03-29_4ddf5a1ba7143aacf45cce74957eee06_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{69133709-25EA-4a9a-BB74-D5F7E0E80581}	{589CE97E-925C-4a84-A58D-60584375E119}.exe

Deletes itself 1 IoCs

pid	Process
3016	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2644	{FD801AF5-E68A-458f-BA0D-C957C1BABE13}.exe
2696	{58976224-0EC2-4ffa-852A-7BBDA0D8781B}.exe
2268	{C18E76B7-C785-46cd-8CEE-F00BAACF10E2}.exe
1884	{6C17DFA3-1B3B-4513-AA0C-3951C587D62E}.exe
1636	{C134B726-9C88-48f0-85AB-266F3A0C5EF4}.exe
2376	{92B06C88-B85E-4a15-A9C6-D16A9C24B3CB}.exe
2264	{4299B550-C941-4486-BB24-36BEE2E17EA1}.exe
952	{5C783C45-73A3-4281-8C02-D50E40C9A31F}.exe
1548	{3AE9358B-71E2-4401-8078-4131A6F96B04}.exe
1688	{589CE97E-925C-4a84-A58D-60584375E119}.exe
1904	{69133709-25EA-4a9a-BB74-D5F7E0E80581}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{C134B726-9C88-48f0-85AB-266F3A0C5EF4}.exe	{6C17DFA3-1B3B-4513-AA0C-3951C587D62E}.exe
File created	C:\Windows\{4299B550-C941-4486-BB24-36BEE2E17EA1}.exe	{92B06C88-B85E-4a15-A9C6-D16A9C24B3CB}.exe
File created	C:\Windows\{FD801AF5-E68A-458f-BA0D-C957C1BABE13}.exe	2024-03-29_4ddf5a1ba7143aacf45cce74957eee06_goldeneye.exe
File created	C:\Windows\{C18E76B7-C785-46cd-8CEE-F00BAACF10E2}.exe	{58976224-0EC2-4ffa-852A-7BBDA0D8781B}.exe
File created	C:\Windows\{6C17DFA3-1B3B-4513-AA0C-3951C587D62E}.exe	{C18E76B7-C785-46cd-8CEE-F00BAACF10E2}.exe
File created	C:\Windows\{92B06C88-B85E-4a15-A9C6-D16A9C24B3CB}.exe	{C134B726-9C88-48f0-85AB-266F3A0C5EF4}.exe
File created	C:\Windows\{5C783C45-73A3-4281-8C02-D50E40C9A31F}.exe	{4299B550-C941-4486-BB24-36BEE2E17EA1}.exe
File created	C:\Windows\{3AE9358B-71E2-4401-8078-4131A6F96B04}.exe	{5C783C45-73A3-4281-8C02-D50E40C9A31F}.exe
File created	C:\Windows\{589CE97E-925C-4a84-A58D-60584375E119}.exe	{3AE9358B-71E2-4401-8078-4131A6F96B04}.exe
File created	C:\Windows\{69133709-25EA-4a9a-BB74-D5F7E0E80581}.exe	{589CE97E-925C-4a84-A58D-60584375E119}.exe
File created	C:\Windows\{58976224-0EC2-4ffa-852A-7BBDA0D8781B}.exe	{FD801AF5-E68A-458f-BA0D-C957C1BABE13}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2948	2024-03-29_4ddf5a1ba7143aacf45cce74957eee06_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2644	{FD801AF5-E68A-458f-BA0D-C957C1BABE13}.exe
Token: SeIncBasePriorityPrivilege	2696	{58976224-0EC2-4ffa-852A-7BBDA0D8781B}.exe
Token: SeIncBasePriorityPrivilege	2268	{C18E76B7-C785-46cd-8CEE-F00BAACF10E2}.exe
Token: SeIncBasePriorityPrivilege	1884	{6C17DFA3-1B3B-4513-AA0C-3951C587D62E}.exe
Token: SeIncBasePriorityPrivilege	1636	{C134B726-9C88-48f0-85AB-266F3A0C5EF4}.exe
Token: SeIncBasePriorityPrivilege	2376	{92B06C88-B85E-4a15-A9C6-D16A9C24B3CB}.exe
Token: SeIncBasePriorityPrivilege	2264	{4299B550-C941-4486-BB24-36BEE2E17EA1}.exe
Token: SeIncBasePriorityPrivilege	952	{5C783C45-73A3-4281-8C02-D50E40C9A31F}.exe
Token: SeIncBasePriorityPrivilege	1548	{3AE9358B-71E2-4401-8078-4131A6F96B04}.exe
Token: SeIncBasePriorityPrivilege	1688	{589CE97E-925C-4a84-A58D-60584375E119}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2948 wrote to memory of 2644	2948	2024-03-29_4ddf5a1ba7143aacf45cce74957eee06_goldeneye.exe	28
PID 2948 wrote to memory of 2644	2948	2024-03-29_4ddf5a1ba7143aacf45cce74957eee06_goldeneye.exe	28
PID 2948 wrote to memory of 2644	2948	2024-03-29_4ddf5a1ba7143aacf45cce74957eee06_goldeneye.exe	28
PID 2948 wrote to memory of 2644	2948	2024-03-29_4ddf5a1ba7143aacf45cce74957eee06_goldeneye.exe	28
PID 2948 wrote to memory of 3016	2948	2024-03-29_4ddf5a1ba7143aacf45cce74957eee06_goldeneye.exe	29
PID 2948 wrote to memory of 3016	2948	2024-03-29_4ddf5a1ba7143aacf45cce74957eee06_goldeneye.exe	29
PID 2948 wrote to memory of 3016	2948	2024-03-29_4ddf5a1ba7143aacf45cce74957eee06_goldeneye.exe	29
PID 2948 wrote to memory of 3016	2948	2024-03-29_4ddf5a1ba7143aacf45cce74957eee06_goldeneye.exe	29
PID 2644 wrote to memory of 2696	2644	{FD801AF5-E68A-458f-BA0D-C957C1BABE13}.exe	30
PID 2644 wrote to memory of 2696	2644	{FD801AF5-E68A-458f-BA0D-C957C1BABE13}.exe	30
PID 2644 wrote to memory of 2696	2644	{FD801AF5-E68A-458f-BA0D-C957C1BABE13}.exe	30
PID 2644 wrote to memory of 2696	2644	{FD801AF5-E68A-458f-BA0D-C957C1BABE13}.exe	30
PID 2644 wrote to memory of 2624	2644	{FD801AF5-E68A-458f-BA0D-C957C1BABE13}.exe	31
PID 2644 wrote to memory of 2624	2644	{FD801AF5-E68A-458f-BA0D-C957C1BABE13}.exe	31
PID 2644 wrote to memory of 2624	2644	{FD801AF5-E68A-458f-BA0D-C957C1BABE13}.exe	31
PID 2644 wrote to memory of 2624	2644	{FD801AF5-E68A-458f-BA0D-C957C1BABE13}.exe	31
PID 2696 wrote to memory of 2268	2696	{58976224-0EC2-4ffa-852A-7BBDA0D8781B}.exe	34
PID 2696 wrote to memory of 2268	2696	{58976224-0EC2-4ffa-852A-7BBDA0D8781B}.exe	34
PID 2696 wrote to memory of 2268	2696	{58976224-0EC2-4ffa-852A-7BBDA0D8781B}.exe	34
PID 2696 wrote to memory of 2268	2696	{58976224-0EC2-4ffa-852A-7BBDA0D8781B}.exe	34
PID 2696 wrote to memory of 2528	2696	{58976224-0EC2-4ffa-852A-7BBDA0D8781B}.exe	35
PID 2696 wrote to memory of 2528	2696	{58976224-0EC2-4ffa-852A-7BBDA0D8781B}.exe	35
PID 2696 wrote to memory of 2528	2696	{58976224-0EC2-4ffa-852A-7BBDA0D8781B}.exe	35
PID 2696 wrote to memory of 2528	2696	{58976224-0EC2-4ffa-852A-7BBDA0D8781B}.exe	35
PID 2268 wrote to memory of 1884	2268	{C18E76B7-C785-46cd-8CEE-F00BAACF10E2}.exe	36
PID 2268 wrote to memory of 1884	2268	{C18E76B7-C785-46cd-8CEE-F00BAACF10E2}.exe	36
PID 2268 wrote to memory of 1884	2268	{C18E76B7-C785-46cd-8CEE-F00BAACF10E2}.exe	36
PID 2268 wrote to memory of 1884	2268	{C18E76B7-C785-46cd-8CEE-F00BAACF10E2}.exe	36
PID 2268 wrote to memory of 584	2268	{C18E76B7-C785-46cd-8CEE-F00BAACF10E2}.exe	37
PID 2268 wrote to memory of 584	2268	{C18E76B7-C785-46cd-8CEE-F00BAACF10E2}.exe	37
PID 2268 wrote to memory of 584	2268	{C18E76B7-C785-46cd-8CEE-F00BAACF10E2}.exe	37
PID 2268 wrote to memory of 584	2268	{C18E76B7-C785-46cd-8CEE-F00BAACF10E2}.exe	37
PID 1884 wrote to memory of 1636	1884	{6C17DFA3-1B3B-4513-AA0C-3951C587D62E}.exe	38
PID 1884 wrote to memory of 1636	1884	{6C17DFA3-1B3B-4513-AA0C-3951C587D62E}.exe	38
PID 1884 wrote to memory of 1636	1884	{6C17DFA3-1B3B-4513-AA0C-3951C587D62E}.exe	38
PID 1884 wrote to memory of 1636	1884	{6C17DFA3-1B3B-4513-AA0C-3951C587D62E}.exe	38
PID 1884 wrote to memory of 1752	1884	{6C17DFA3-1B3B-4513-AA0C-3951C587D62E}.exe	39
PID 1884 wrote to memory of 1752	1884	{6C17DFA3-1B3B-4513-AA0C-3951C587D62E}.exe	39
PID 1884 wrote to memory of 1752	1884	{6C17DFA3-1B3B-4513-AA0C-3951C587D62E}.exe	39
PID 1884 wrote to memory of 1752	1884	{6C17DFA3-1B3B-4513-AA0C-3951C587D62E}.exe	39
PID 1636 wrote to memory of 2376	1636	{C134B726-9C88-48f0-85AB-266F3A0C5EF4}.exe	40
PID 1636 wrote to memory of 2376	1636	{C134B726-9C88-48f0-85AB-266F3A0C5EF4}.exe	40
PID 1636 wrote to memory of 2376	1636	{C134B726-9C88-48f0-85AB-266F3A0C5EF4}.exe	40
PID 1636 wrote to memory of 2376	1636	{C134B726-9C88-48f0-85AB-266F3A0C5EF4}.exe	40
PID 1636 wrote to memory of 2016	1636	{C134B726-9C88-48f0-85AB-266F3A0C5EF4}.exe	41
PID 1636 wrote to memory of 2016	1636	{C134B726-9C88-48f0-85AB-266F3A0C5EF4}.exe	41
PID 1636 wrote to memory of 2016	1636	{C134B726-9C88-48f0-85AB-266F3A0C5EF4}.exe	41
PID 1636 wrote to memory of 2016	1636	{C134B726-9C88-48f0-85AB-266F3A0C5EF4}.exe	41
PID 2376 wrote to memory of 2264	2376	{92B06C88-B85E-4a15-A9C6-D16A9C24B3CB}.exe	42
PID 2376 wrote to memory of 2264	2376	{92B06C88-B85E-4a15-A9C6-D16A9C24B3CB}.exe	42
PID 2376 wrote to memory of 2264	2376	{92B06C88-B85E-4a15-A9C6-D16A9C24B3CB}.exe	42
PID 2376 wrote to memory of 2264	2376	{92B06C88-B85E-4a15-A9C6-D16A9C24B3CB}.exe	42
PID 2376 wrote to memory of 2024	2376	{92B06C88-B85E-4a15-A9C6-D16A9C24B3CB}.exe	43
PID 2376 wrote to memory of 2024	2376	{92B06C88-B85E-4a15-A9C6-D16A9C24B3CB}.exe	43
PID 2376 wrote to memory of 2024	2376	{92B06C88-B85E-4a15-A9C6-D16A9C24B3CB}.exe	43
PID 2376 wrote to memory of 2024	2376	{92B06C88-B85E-4a15-A9C6-D16A9C24B3CB}.exe	43
PID 2264 wrote to memory of 952	2264	{4299B550-C941-4486-BB24-36BEE2E17EA1}.exe	44
PID 2264 wrote to memory of 952	2264	{4299B550-C941-4486-BB24-36BEE2E17EA1}.exe	44
PID 2264 wrote to memory of 952	2264	{4299B550-C941-4486-BB24-36BEE2E17EA1}.exe	44
PID 2264 wrote to memory of 952	2264	{4299B550-C941-4486-BB24-36BEE2E17EA1}.exe	44
PID 2264 wrote to memory of 864	2264	{4299B550-C941-4486-BB24-36BEE2E17EA1}.exe	45
PID 2264 wrote to memory of 864	2264	{4299B550-C941-4486-BB24-36BEE2E17EA1}.exe	45
PID 2264 wrote to memory of 864	2264	{4299B550-C941-4486-BB24-36BEE2E17EA1}.exe	45
PID 2264 wrote to memory of 864	2264	{4299B550-C941-4486-BB24-36BEE2E17EA1}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-03-29_4ddf5a1ba7143aacf45cce74957eee06_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-29_4ddf5a1ba7143aacf45cce74957eee06_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2948
- C:\Windows\{FD801AF5-E68A-458f-BA0D-C957C1BABE13}.exe
  C:\Windows\{FD801AF5-E68A-458f-BA0D-C957C1BABE13}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2644
- - C:\Windows\{58976224-0EC2-4ffa-852A-7BBDA0D8781B}.exe
    C:\Windows\{58976224-0EC2-4ffa-852A-7BBDA0D8781B}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2696
  - - C:\Windows\{C18E76B7-C785-46cd-8CEE-F00BAACF10E2}.exe
      C:\Windows\{C18E76B7-C785-46cd-8CEE-F00BAACF10E2}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2268
    - - C:\Windows\{6C17DFA3-1B3B-4513-AA0C-3951C587D62E}.exe
        
        C:\Windows\{6C17DFA3-1B3B-4513-AA0C-3951C587D62E}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1884
      - C:\Windows\{C134B726-9C88-48f0-85AB-266F3A0C5EF4}.exe
        
        C:\Windows\{C134B726-9C88-48f0-85AB-266F3A0C5EF4}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1636
        
        C:\Windows\{92B06C88-B85E-4a15-A9C6-D16A9C24B3CB}.exe
        
        C:\Windows\{92B06C88-B85E-4a15-A9C6-D16A9C24B3CB}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2376
        
        C:\Windows\{4299B550-C941-4486-BB24-36BEE2E17EA1}.exe
        
        C:\Windows\{4299B550-C941-4486-BB24-36BEE2E17EA1}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2264
        
        C:\Windows\{5C783C45-73A3-4281-8C02-D50E40C9A31F}.exe
        
        C:\Windows\{5C783C45-73A3-4281-8C02-D50E40C9A31F}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:952
        
        C:\Windows\{3AE9358B-71E2-4401-8078-4131A6F96B04}.exe
        
        C:\Windows\{3AE9358B-71E2-4401-8078-4131A6F96B04}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1548
        
        C:\Windows\{589CE97E-925C-4a84-A58D-60584375E119}.exe
        
        C:\Windows\{589CE97E-925C-4a84-A58D-60584375E119}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1688
        
        C:\Windows\{69133709-25EA-4a9a-BB74-D5F7E0E80581}.exe
        
        C:\Windows\{69133709-25EA-4a9a-BB74-D5F7E0E80581}.exe
        12⤵
        Executes dropped EXE
        
        PID:1904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{589CE~1.EXE > nul
        12⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3AE93~1.EXE > nul
        11⤵
        
        PID:772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5C783~1.EXE > nul
        10⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4299B~1.EXE > nul
        9⤵
        
        PID:864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{92B06~1.EXE > nul
        8⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C134B~1.EXE > nul
        7⤵
        
        PID:2016
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6C17D~1.EXE > nul
        6⤵
        
        PID:1752
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C18E7~1.EXE > nul
        5⤵
        
        PID:584
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{58976~1.EXE > nul
      4⤵
      PID:2528
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{FD801~1.EXE > nul
    3⤵
    PID:2624
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:3016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{3AE9358B-71E2-4401-8078-4131A6F96B04}.exe

Filesize
168KB

MD5
c4d4047cc5db4ab68b967f9b87dfe49f

SHA1
2164ed14231c58b0a4a5bacbb8c2e9d8267bbe7f

SHA256
b4031738de13bb4731041d32f0a5c7903a7e951b4d76633e8d58fae585058d0e

SHA512
ce18914a7b12173290b43885807a00e4e3d4399e3d0a6f05ab5a03b79b59e63d42d78399770554caa5d9560d951d6dabcb6d8edfbef0d9fe7411e85a8612aaee

Download Submit
C:\Windows\{4299B550-C941-4486-BB24-36BEE2E17EA1}.exe

Filesize
168KB

MD5
4ce532ef8f385e084917e7632e5e6c66

SHA1
c3c301ae44b6c3a546fe9f0f7af1aa90e3bafcad

SHA256
94b1f9771a94f42c2df716d2db0ebdcde886a6e54854d5a88410e9e668c24d8c

SHA512
da7c73f463e160be86bb303e11587f62e06dbc4123b375e2b6d197938c74ef765ca520eacc3431526c0bb7161519ad1f8806b9e76683139696282f4e653dc819

Download Submit
C:\Windows\{58976224-0EC2-4ffa-852A-7BBDA0D8781B}.exe

Filesize
168KB

MD5
8a1a5e4715116922d21af17239d526b9

SHA1
b23318ce505e32ad7a2a7cea771fcf78ee34ba9b

SHA256
cc193f3fcaae91d633ebdf5747a11ef8db34fbdaec9d92834ce268a909108c3b

SHA512
6c9bc0e4982609c90c3f18ec90ae8d9e37a57626c7f8971ce8b37e3750407622908e2e7287d2c3eab694f98c7f265442483eefc64a45d4f8651a1fcd8114c0ac

Download Submit
C:\Windows\{589CE97E-925C-4a84-A58D-60584375E119}.exe

Filesize
168KB

MD5
9ccb914e457fc226caa7e55ea79e7a19

SHA1
5c7bc4c9e649d99a6df2f5db0b2d0ccf25bae240

SHA256
51fb2f722b9bfd40b291adb14b1ef509ac4fd7125bb3c725d4ed20f027208cad

SHA512
b48f59cbb427187f21e0e2a816093f1f58ffafb3a5986af0309f87bb50ade1fbf4e9e7637f730ad52f75078a3333ad2b5c69bc8a4b30fbf79678c37e557e9536

Download Submit
C:\Windows\{5C783C45-73A3-4281-8C02-D50E40C9A31F}.exe

Filesize
168KB

MD5
1d8bb9da598f6eeae3a7622aa1bf95dc

SHA1
aa0d3861b14e3cc47d30e7f2816ba583f8a74e81

SHA256
999abf9bca55a07de9d159088f88aaeba5224e601f3ef5905fb839e59bb9697b

SHA512
790965edf69290979dead2f40a2788d0a017a8d255372e28314b14f49977ab80e130fc97667ca9f85207175722f157da9e8eeb4eded72cd56c6d5dfd305af61c

Download Submit
C:\Windows\{69133709-25EA-4a9a-BB74-D5F7E0E80581}.exe

Filesize
168KB

MD5
5cce0b9e7da679e6d3b632d487d40b01

SHA1
d2e9dbb98817dfbe08e3d2b841e3853080a69f9d

SHA256
28d788f46905cc5442fa6df165a770ba5e12ee13994f80e181c1b9ad37b0d8ec

SHA512
739557f53dbc664c1b07b1c0c98c4636c31662e29204575b969d57e18d5bbada2f967942dd83fff535c0ac64bc8552727dca625ce0b03ed81c9d53753c7049fd

Download Submit
C:\Windows\{6C17DFA3-1B3B-4513-AA0C-3951C587D62E}.exe

Filesize
168KB

MD5
4a5acde56b42ff515525340ba01c611c

SHA1
32adca0091608dcdad8df844583925cb63192c30

SHA256
e4b438770d00c51fe60a0248fb46b3fa0654a43b9ac98665cd9f0492df45d6aa

SHA512
87e2ff5bd11fb80109e408a564a718ce80470854661a3167a27f5219d51cda379c49541e7023da0712026716836401b72d87b52b25a8715c92995cb936f8991e

Download Submit
C:\Windows\{92B06C88-B85E-4a15-A9C6-D16A9C24B3CB}.exe

Filesize
168KB

MD5
ff6504a8c5a2436af2d3d024ec606c41

SHA1
44d6845a39ccc54a07e083ff7ca54ce4589b7ce1

SHA256
e0a2c1fff60b9328c4deb1aee3d005e3ee9159a10eacb9f24b49033715a8e43a

SHA512
5d10bc7007baa7231af0fe2fef014718e7109fa2f4177df2dd45a021fb0efa66df0b2dde9e99da0ba8635a0956620ec4b45e33b24b3bb1fc8c1be1b73807ba0c

Download Submit
C:\Windows\{C134B726-9C88-48f0-85AB-266F3A0C5EF4}.exe

Filesize
168KB

MD5
21d54bf36dad70f2415d648d37ad8972

SHA1
e81ecce33bb6c1b86ed450f3b3357bd13e92909f

SHA256
d63723a0b59264f6e29f66c274db39d097374e7ff963f8e72d7667050c5d97fd

SHA512
c662bde672bf0755a178e0c97554a8ead449e233653beb84a8db08647df1f232d15e336c129d613524e20b0943192568971724b9c921d6189c9cccff5dca8613

Download Submit
C:\Windows\{C18E76B7-C785-46cd-8CEE-F00BAACF10E2}.exe

Filesize
168KB

MD5
9c3ef3db45cd61f2d5671073065dee39

SHA1
36c9ebbe28e0ca967a97e5b0ba5536ba1c31ba01

SHA256
d05c157c793ab39f21f2aed869890b609ccc1328cdbc9cbb6f292751329f8851

SHA512
b14da6c38d1ca9e3661ccf9ab87be608be687ae955654f9d12e17ac6cc5dd1f986bf89af6d902c92a097deee5e86ea17d190a5a5320cadc7826a63a4efd47d9c

Download Submit
C:\Windows\{FD801AF5-E68A-458f-BA0D-C957C1BABE13}.exe

Filesize
168KB

MD5
824f50802635dd0ec9be71cff2faa678

SHA1
945669cf016af8c5628a946312685957a0fa9a1d

SHA256
4f3cc8a03eb7c62213cd1174af171308e4424f94ff827a2446ebaea33ed2e7ac

SHA512
e8680c10b2b12c27838cf1672913eab1eab061e0144a4c48c3642638ece0e4aee06b805e48125893a594c245ff3fc508d89a5b2b42479588310ab80f00460a38

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads