e62a156b891e54a93d78151071927ed8fbda35123f03e7eaca7ebf9cb463dfb5

Analysis

max time kernel
144s
max time network
125s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
29-03-2024 16:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-29_3bed806b5326e661c2e220d40d6c1ae8_goldeneye.exe
Size

192KB
MD5

3bed806b5326e661c2e220d40d6c1ae8
SHA1

fd012ce2d06f1a14de88861cf4ed0ba53e75b7ef
SHA256

e62a156b891e54a93d78151071927ed8fbda35123f03e7eaca7ebf9cb463dfb5
SHA512

bd6798767aa1bf9d9abbcb2fed7b2b6dee46a12ebbf1720b6a76c4ad4a83b0cc3b39934b87255bad67c6fac1b6668757274a4e94b41446e1e37baab5c80eb8d0
SSDEEP

1536:1EGh0okl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3H6:1EGh0okl1OPOe2MUVg3Ve+rXfMUa

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000d000000012267-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c0000000133d3-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000300000000b1f3-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000400000000b1f3-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000500000000b1f3-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000600000000b1f3-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0032000000016461-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D9929D8D-5BD4-42bc-B396-FB4B8C7DF049}\stubpath = "C:\\Windows\\{D9929D8D-5BD4-42bc-B396-FB4B8C7DF049}.exe"	{C367ED46-06CA-4f70-9B86-A3768DB8BC12}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A0BC70DB-8CC3-4675-ADC0-C738BEA94E8F}	{D9929D8D-5BD4-42bc-B396-FB4B8C7DF049}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0E0A00E8-1B97-4275-8636-FF14D51D3A0E}	{A0BC70DB-8CC3-4675-ADC0-C738BEA94E8F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0E0A00E8-1B97-4275-8636-FF14D51D3A0E}\stubpath = "C:\\Windows\\{0E0A00E8-1B97-4275-8636-FF14D51D3A0E}.exe"	{A0BC70DB-8CC3-4675-ADC0-C738BEA94E8F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9773B844-B41B-48b8-8C7E-CD778E090749}	{17A80592-60BA-4d41-A088-425DC7F3E377}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{59CFC4B0-FA5A-4496-AFA9-D8911EDBFC7C}\stubpath = "C:\\Windows\\{59CFC4B0-FA5A-4496-AFA9-D8911EDBFC7C}.exe"	{7DCA2A93-0C0B-46f2-A7C0-6B0D71F6D76C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A1F68009-6F55-403b-926D-D3303EF18858}	{59CFC4B0-FA5A-4496-AFA9-D8911EDBFC7C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C367ED46-06CA-4f70-9B86-A3768DB8BC12}	{A1F68009-6F55-403b-926D-D3303EF18858}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C367ED46-06CA-4f70-9B86-A3768DB8BC12}\stubpath = "C:\\Windows\\{C367ED46-06CA-4f70-9B86-A3768DB8BC12}.exe"	{A1F68009-6F55-403b-926D-D3303EF18858}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{69D3F4E8-9AE2-442f-A676-0D7601DD49DD}\stubpath = "C:\\Windows\\{69D3F4E8-9AE2-442f-A676-0D7601DD49DD}.exe"	2024-03-29_3bed806b5326e661c2e220d40d6c1ae8_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7DCA2A93-0C0B-46f2-A7C0-6B0D71F6D76C}\stubpath = "C:\\Windows\\{7DCA2A93-0C0B-46f2-A7C0-6B0D71F6D76C}.exe"	{180549E0-65E9-46cf-8AB7-10F353412CE7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9773B844-B41B-48b8-8C7E-CD778E090749}\stubpath = "C:\\Windows\\{9773B844-B41B-48b8-8C7E-CD778E090749}.exe"	{17A80592-60BA-4d41-A088-425DC7F3E377}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{180549E0-65E9-46cf-8AB7-10F353412CE7}	{9773B844-B41B-48b8-8C7E-CD778E090749}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7DCA2A93-0C0B-46f2-A7C0-6B0D71F6D76C}	{180549E0-65E9-46cf-8AB7-10F353412CE7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A1F68009-6F55-403b-926D-D3303EF18858}\stubpath = "C:\\Windows\\{A1F68009-6F55-403b-926D-D3303EF18858}.exe"	{59CFC4B0-FA5A-4496-AFA9-D8911EDBFC7C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D9929D8D-5BD4-42bc-B396-FB4B8C7DF049}	{C367ED46-06CA-4f70-9B86-A3768DB8BC12}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{69D3F4E8-9AE2-442f-A676-0D7601DD49DD}	2024-03-29_3bed806b5326e661c2e220d40d6c1ae8_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{17A80592-60BA-4d41-A088-425DC7F3E377}\stubpath = "C:\\Windows\\{17A80592-60BA-4d41-A088-425DC7F3E377}.exe"	{69D3F4E8-9AE2-442f-A676-0D7601DD49DD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{59CFC4B0-FA5A-4496-AFA9-D8911EDBFC7C}	{7DCA2A93-0C0B-46f2-A7C0-6B0D71F6D76C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A0BC70DB-8CC3-4675-ADC0-C738BEA94E8F}\stubpath = "C:\\Windows\\{A0BC70DB-8CC3-4675-ADC0-C738BEA94E8F}.exe"	{D9929D8D-5BD4-42bc-B396-FB4B8C7DF049}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{17A80592-60BA-4d41-A088-425DC7F3E377}	{69D3F4E8-9AE2-442f-A676-0D7601DD49DD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{180549E0-65E9-46cf-8AB7-10F353412CE7}\stubpath = "C:\\Windows\\{180549E0-65E9-46cf-8AB7-10F353412CE7}.exe"	{9773B844-B41B-48b8-8C7E-CD778E090749}.exe

Deletes itself 1 IoCs

pid	Process
3036	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
1708	{69D3F4E8-9AE2-442f-A676-0D7601DD49DD}.exe
2688	{17A80592-60BA-4d41-A088-425DC7F3E377}.exe
2528	{9773B844-B41B-48b8-8C7E-CD778E090749}.exe
568	{180549E0-65E9-46cf-8AB7-10F353412CE7}.exe
2708	{7DCA2A93-0C0B-46f2-A7C0-6B0D71F6D76C}.exe
1964	{59CFC4B0-FA5A-4496-AFA9-D8911EDBFC7C}.exe
940	{A1F68009-6F55-403b-926D-D3303EF18858}.exe
2636	{C367ED46-06CA-4f70-9B86-A3768DB8BC12}.exe
1856	{D9929D8D-5BD4-42bc-B396-FB4B8C7DF049}.exe
2884	{A0BC70DB-8CC3-4675-ADC0-C738BEA94E8F}.exe
2504	{0E0A00E8-1B97-4275-8636-FF14D51D3A0E}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{180549E0-65E9-46cf-8AB7-10F353412CE7}.exe	{9773B844-B41B-48b8-8C7E-CD778E090749}.exe
File created	C:\Windows\{C367ED46-06CA-4f70-9B86-A3768DB8BC12}.exe	{A1F68009-6F55-403b-926D-D3303EF18858}.exe
File created	C:\Windows\{D9929D8D-5BD4-42bc-B396-FB4B8C7DF049}.exe	{C367ED46-06CA-4f70-9B86-A3768DB8BC12}.exe
File created	C:\Windows\{A0BC70DB-8CC3-4675-ADC0-C738BEA94E8F}.exe	{D9929D8D-5BD4-42bc-B396-FB4B8C7DF049}.exe
File created	C:\Windows\{69D3F4E8-9AE2-442f-A676-0D7601DD49DD}.exe	2024-03-29_3bed806b5326e661c2e220d40d6c1ae8_goldeneye.exe
File created	C:\Windows\{17A80592-60BA-4d41-A088-425DC7F3E377}.exe	{69D3F4E8-9AE2-442f-A676-0D7601DD49DD}.exe
File created	C:\Windows\{9773B844-B41B-48b8-8C7E-CD778E090749}.exe	{17A80592-60BA-4d41-A088-425DC7F3E377}.exe
File created	C:\Windows\{7DCA2A93-0C0B-46f2-A7C0-6B0D71F6D76C}.exe	{180549E0-65E9-46cf-8AB7-10F353412CE7}.exe
File created	C:\Windows\{59CFC4B0-FA5A-4496-AFA9-D8911EDBFC7C}.exe	{7DCA2A93-0C0B-46f2-A7C0-6B0D71F6D76C}.exe
File created	C:\Windows\{A1F68009-6F55-403b-926D-D3303EF18858}.exe	{59CFC4B0-FA5A-4496-AFA9-D8911EDBFC7C}.exe
File created	C:\Windows\{0E0A00E8-1B97-4275-8636-FF14D51D3A0E}.exe	{A0BC70DB-8CC3-4675-ADC0-C738BEA94E8F}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2084	2024-03-29_3bed806b5326e661c2e220d40d6c1ae8_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1708	{69D3F4E8-9AE2-442f-A676-0D7601DD49DD}.exe
Token: SeIncBasePriorityPrivilege	2688	{17A80592-60BA-4d41-A088-425DC7F3E377}.exe
Token: SeIncBasePriorityPrivilege	2528	{9773B844-B41B-48b8-8C7E-CD778E090749}.exe
Token: SeIncBasePriorityPrivilege	568	{180549E0-65E9-46cf-8AB7-10F353412CE7}.exe
Token: SeIncBasePriorityPrivilege	2708	{7DCA2A93-0C0B-46f2-A7C0-6B0D71F6D76C}.exe
Token: SeIncBasePriorityPrivilege	1964	{59CFC4B0-FA5A-4496-AFA9-D8911EDBFC7C}.exe
Token: SeIncBasePriorityPrivilege	940	{A1F68009-6F55-403b-926D-D3303EF18858}.exe
Token: SeIncBasePriorityPrivilege	2636	{C367ED46-06CA-4f70-9B86-A3768DB8BC12}.exe
Token: SeIncBasePriorityPrivilege	1856	{D9929D8D-5BD4-42bc-B396-FB4B8C7DF049}.exe
Token: SeIncBasePriorityPrivilege	2884	{A0BC70DB-8CC3-4675-ADC0-C738BEA94E8F}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2084 wrote to memory of 1708	2084	2024-03-29_3bed806b5326e661c2e220d40d6c1ae8_goldeneye.exe	28
PID 2084 wrote to memory of 1708	2084	2024-03-29_3bed806b5326e661c2e220d40d6c1ae8_goldeneye.exe	28
PID 2084 wrote to memory of 1708	2084	2024-03-29_3bed806b5326e661c2e220d40d6c1ae8_goldeneye.exe	28
PID 2084 wrote to memory of 1708	2084	2024-03-29_3bed806b5326e661c2e220d40d6c1ae8_goldeneye.exe	28
PID 2084 wrote to memory of 3036	2084	2024-03-29_3bed806b5326e661c2e220d40d6c1ae8_goldeneye.exe	29
PID 2084 wrote to memory of 3036	2084	2024-03-29_3bed806b5326e661c2e220d40d6c1ae8_goldeneye.exe	29
PID 2084 wrote to memory of 3036	2084	2024-03-29_3bed806b5326e661c2e220d40d6c1ae8_goldeneye.exe	29
PID 2084 wrote to memory of 3036	2084	2024-03-29_3bed806b5326e661c2e220d40d6c1ae8_goldeneye.exe	29
PID 1708 wrote to memory of 2688	1708	{69D3F4E8-9AE2-442f-A676-0D7601DD49DD}.exe	30
PID 1708 wrote to memory of 2688	1708	{69D3F4E8-9AE2-442f-A676-0D7601DD49DD}.exe	30
PID 1708 wrote to memory of 2688	1708	{69D3F4E8-9AE2-442f-A676-0D7601DD49DD}.exe	30
PID 1708 wrote to memory of 2688	1708	{69D3F4E8-9AE2-442f-A676-0D7601DD49DD}.exe	30
PID 1708 wrote to memory of 2600	1708	{69D3F4E8-9AE2-442f-A676-0D7601DD49DD}.exe	31
PID 1708 wrote to memory of 2600	1708	{69D3F4E8-9AE2-442f-A676-0D7601DD49DD}.exe	31
PID 1708 wrote to memory of 2600	1708	{69D3F4E8-9AE2-442f-A676-0D7601DD49DD}.exe	31
PID 1708 wrote to memory of 2600	1708	{69D3F4E8-9AE2-442f-A676-0D7601DD49DD}.exe	31
PID 2688 wrote to memory of 2528	2688	{17A80592-60BA-4d41-A088-425DC7F3E377}.exe	34
PID 2688 wrote to memory of 2528	2688	{17A80592-60BA-4d41-A088-425DC7F3E377}.exe	34
PID 2688 wrote to memory of 2528	2688	{17A80592-60BA-4d41-A088-425DC7F3E377}.exe	34
PID 2688 wrote to memory of 2528	2688	{17A80592-60BA-4d41-A088-425DC7F3E377}.exe	34
PID 2688 wrote to memory of 2940	2688	{17A80592-60BA-4d41-A088-425DC7F3E377}.exe	35
PID 2688 wrote to memory of 2940	2688	{17A80592-60BA-4d41-A088-425DC7F3E377}.exe	35
PID 2688 wrote to memory of 2940	2688	{17A80592-60BA-4d41-A088-425DC7F3E377}.exe	35
PID 2688 wrote to memory of 2940	2688	{17A80592-60BA-4d41-A088-425DC7F3E377}.exe	35
PID 2528 wrote to memory of 568	2528	{9773B844-B41B-48b8-8C7E-CD778E090749}.exe	36
PID 2528 wrote to memory of 568	2528	{9773B844-B41B-48b8-8C7E-CD778E090749}.exe	36
PID 2528 wrote to memory of 568	2528	{9773B844-B41B-48b8-8C7E-CD778E090749}.exe	36
PID 2528 wrote to memory of 568	2528	{9773B844-B41B-48b8-8C7E-CD778E090749}.exe	36
PID 2528 wrote to memory of 752	2528	{9773B844-B41B-48b8-8C7E-CD778E090749}.exe	37
PID 2528 wrote to memory of 752	2528	{9773B844-B41B-48b8-8C7E-CD778E090749}.exe	37
PID 2528 wrote to memory of 752	2528	{9773B844-B41B-48b8-8C7E-CD778E090749}.exe	37
PID 2528 wrote to memory of 752	2528	{9773B844-B41B-48b8-8C7E-CD778E090749}.exe	37
PID 568 wrote to memory of 2708	568	{180549E0-65E9-46cf-8AB7-10F353412CE7}.exe	38
PID 568 wrote to memory of 2708	568	{180549E0-65E9-46cf-8AB7-10F353412CE7}.exe	38
PID 568 wrote to memory of 2708	568	{180549E0-65E9-46cf-8AB7-10F353412CE7}.exe	38
PID 568 wrote to memory of 2708	568	{180549E0-65E9-46cf-8AB7-10F353412CE7}.exe	38
PID 568 wrote to memory of 2780	568	{180549E0-65E9-46cf-8AB7-10F353412CE7}.exe	39
PID 568 wrote to memory of 2780	568	{180549E0-65E9-46cf-8AB7-10F353412CE7}.exe	39
PID 568 wrote to memory of 2780	568	{180549E0-65E9-46cf-8AB7-10F353412CE7}.exe	39
PID 568 wrote to memory of 2780	568	{180549E0-65E9-46cf-8AB7-10F353412CE7}.exe	39
PID 2708 wrote to memory of 1964	2708	{7DCA2A93-0C0B-46f2-A7C0-6B0D71F6D76C}.exe	40
PID 2708 wrote to memory of 1964	2708	{7DCA2A93-0C0B-46f2-A7C0-6B0D71F6D76C}.exe	40
PID 2708 wrote to memory of 1964	2708	{7DCA2A93-0C0B-46f2-A7C0-6B0D71F6D76C}.exe	40
PID 2708 wrote to memory of 1964	2708	{7DCA2A93-0C0B-46f2-A7C0-6B0D71F6D76C}.exe	40
PID 2708 wrote to memory of 1864	2708	{7DCA2A93-0C0B-46f2-A7C0-6B0D71F6D76C}.exe	41
PID 2708 wrote to memory of 1864	2708	{7DCA2A93-0C0B-46f2-A7C0-6B0D71F6D76C}.exe	41
PID 2708 wrote to memory of 1864	2708	{7DCA2A93-0C0B-46f2-A7C0-6B0D71F6D76C}.exe	41
PID 2708 wrote to memory of 1864	2708	{7DCA2A93-0C0B-46f2-A7C0-6B0D71F6D76C}.exe	41
PID 1964 wrote to memory of 940	1964	{59CFC4B0-FA5A-4496-AFA9-D8911EDBFC7C}.exe	42
PID 1964 wrote to memory of 940	1964	{59CFC4B0-FA5A-4496-AFA9-D8911EDBFC7C}.exe	42
PID 1964 wrote to memory of 940	1964	{59CFC4B0-FA5A-4496-AFA9-D8911EDBFC7C}.exe	42
PID 1964 wrote to memory of 940	1964	{59CFC4B0-FA5A-4496-AFA9-D8911EDBFC7C}.exe	42
PID 1964 wrote to memory of 1868	1964	{59CFC4B0-FA5A-4496-AFA9-D8911EDBFC7C}.exe	43
PID 1964 wrote to memory of 1868	1964	{59CFC4B0-FA5A-4496-AFA9-D8911EDBFC7C}.exe	43
PID 1964 wrote to memory of 1868	1964	{59CFC4B0-FA5A-4496-AFA9-D8911EDBFC7C}.exe	43
PID 1964 wrote to memory of 1868	1964	{59CFC4B0-FA5A-4496-AFA9-D8911EDBFC7C}.exe	43
PID 940 wrote to memory of 2636	940	{A1F68009-6F55-403b-926D-D3303EF18858}.exe	44
PID 940 wrote to memory of 2636	940	{A1F68009-6F55-403b-926D-D3303EF18858}.exe	44
PID 940 wrote to memory of 2636	940	{A1F68009-6F55-403b-926D-D3303EF18858}.exe	44
PID 940 wrote to memory of 2636	940	{A1F68009-6F55-403b-926D-D3303EF18858}.exe	44
PID 940 wrote to memory of 2952	940	{A1F68009-6F55-403b-926D-D3303EF18858}.exe	45
PID 940 wrote to memory of 2952	940	{A1F68009-6F55-403b-926D-D3303EF18858}.exe	45
PID 940 wrote to memory of 2952	940	{A1F68009-6F55-403b-926D-D3303EF18858}.exe	45
PID 940 wrote to memory of 2952	940	{A1F68009-6F55-403b-926D-D3303EF18858}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-03-29_3bed806b5326e661c2e220d40d6c1ae8_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-29_3bed806b5326e661c2e220d40d6c1ae8_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2084
- C:\Windows\{69D3F4E8-9AE2-442f-A676-0D7601DD49DD}.exe
  C:\Windows\{69D3F4E8-9AE2-442f-A676-0D7601DD49DD}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1708
- - C:\Windows\{17A80592-60BA-4d41-A088-425DC7F3E377}.exe
    C:\Windows\{17A80592-60BA-4d41-A088-425DC7F3E377}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2688
  - - C:\Windows\{9773B844-B41B-48b8-8C7E-CD778E090749}.exe
      C:\Windows\{9773B844-B41B-48b8-8C7E-CD778E090749}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2528
    - - C:\Windows\{180549E0-65E9-46cf-8AB7-10F353412CE7}.exe
        
        C:\Windows\{180549E0-65E9-46cf-8AB7-10F353412CE7}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:568
      - C:\Windows\{7DCA2A93-0C0B-46f2-A7C0-6B0D71F6D76C}.exe
        
        C:\Windows\{7DCA2A93-0C0B-46f2-A7C0-6B0D71F6D76C}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2708
        
        C:\Windows\{59CFC4B0-FA5A-4496-AFA9-D8911EDBFC7C}.exe
        
        C:\Windows\{59CFC4B0-FA5A-4496-AFA9-D8911EDBFC7C}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1964
        
        C:\Windows\{A1F68009-6F55-403b-926D-D3303EF18858}.exe
        
        C:\Windows\{A1F68009-6F55-403b-926D-D3303EF18858}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:940
        
        C:\Windows\{C367ED46-06CA-4f70-9B86-A3768DB8BC12}.exe
        
        C:\Windows\{C367ED46-06CA-4f70-9B86-A3768DB8BC12}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2636
        
        C:\Windows\{D9929D8D-5BD4-42bc-B396-FB4B8C7DF049}.exe
        
        C:\Windows\{D9929D8D-5BD4-42bc-B396-FB4B8C7DF049}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1856
        
        C:\Windows\{A0BC70DB-8CC3-4675-ADC0-C738BEA94E8F}.exe
        
        C:\Windows\{A0BC70DB-8CC3-4675-ADC0-C738BEA94E8F}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2884
        
        C:\Windows\{0E0A00E8-1B97-4275-8636-FF14D51D3A0E}.exe
        
        C:\Windows\{0E0A00E8-1B97-4275-8636-FF14D51D3A0E}.exe
        12⤵
        Executes dropped EXE
        
        PID:2504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A0BC7~1.EXE > nul
        12⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D9929~1.EXE > nul
        11⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C367E~1.EXE > nul
        10⤵
        
        PID:1236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A1F68~1.EXE > nul
        9⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{59CFC~1.EXE > nul
        8⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7DCA2~1.EXE > nul
        7⤵
        
        PID:1864
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{18054~1.EXE > nul
        6⤵
        
        PID:2780
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9773B~1.EXE > nul
        5⤵
        
        PID:752
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{17A80~1.EXE > nul
      4⤵
      PID:2940
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{69D3F~1.EXE > nul
    3⤵
    PID:2600
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:3036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0E0A00E8-1B97-4275-8636-FF14D51D3A0E}.exe

Filesize
192KB

MD5
decff34c8a3655d59f59a4f040aabe0c

SHA1
39d801f7debefacace15ad42f57cd5742d772f3d

SHA256
0a3f0f102b5b08d8177d496ada6d882169f6d3c3ca3c3ae74322c5783675430d

SHA512
237928b021073e8fa951b7e5394e95d60b04a15e9d87cc2c26cfaf572068ec89e2552454145774ce3518649d0648bf9a1a396184676c07aaebc66050547cdb5b

Download Submit
C:\Windows\{17A80592-60BA-4d41-A088-425DC7F3E377}.exe

Filesize
192KB

MD5
8fa90f260e0b29f943e01acf5ea217d3

SHA1
5633f5dcd03907859e767a876746933495874ed3

SHA256
3dbaa9d62f9d63d24fb5b4425ba7f8ad8fb5704fafff2da3cdbf22a11c7c9bec

SHA512
f5d413fb12f97c0df72388f48307436b3335c533cf4a8de8c987c7c21a28062646ea5ec585ce46915054fc048581e7e74b55c7857fa74edfff168368ae911f22

Download Submit
C:\Windows\{180549E0-65E9-46cf-8AB7-10F353412CE7}.exe

Filesize
192KB

MD5
f2b8fb2d6291e8d9378957add64ed108

SHA1
bf171937a4186ccc997f299b842d811b888c361a

SHA256
d43ad263b31de31558431b03ad5939864b6cbbbb7fe2c21b18b84148ea789851

SHA512
5d51d6a13714207acd646422b6dcd0765fe6128f2f856632afb3eb203c488dac50a2cdf134aa4e0215f49c5d1cacba80368dcf69e923d71ae0bcb43e75df9cdb

Download Submit
C:\Windows\{59CFC4B0-FA5A-4496-AFA9-D8911EDBFC7C}.exe

Filesize
192KB

MD5
5e9fc826ccfac28044e6858d80c71d49

SHA1
556b405758d40522e510f3009470810b8d508c8d

SHA256
085e83d539e9e724c26a893f0591201e901e9d1889c797408d55d1fa2bbb8a95

SHA512
d25ee2a58fd3f56bca2506869b70096d631600f4411c13323bf458a0163947d02e1389e7ece47c566d9994df4ad394d876fca37ebaa5755747322b5794cda695

Download Submit
C:\Windows\{69D3F4E8-9AE2-442f-A676-0D7601DD49DD}.exe

Filesize
192KB

MD5
6ad1b8a950b30e37358bbf51d2c3fe50

SHA1
05e496047fcbec7800205fb4194b884cf366018f

SHA256
b921a760edfd2d66e45b9494018f43f9dfa15e5196d64bd0786dbb73d59169d3

SHA512
7abaf411fd7cdddad7c47f4a4ea61a3aadc08f817a65ad6bf463f7d1a4b5987a8cfef6834ff9c792226f3b7be3b4ed6542e1d4715d84170d3e0ea5d6b9cadb3e

Download Submit
C:\Windows\{7DCA2A93-0C0B-46f2-A7C0-6B0D71F6D76C}.exe

Filesize
192KB

MD5
3999f782f6f735b98d8c8ddfd6fd9e0a

SHA1
bea9a754e3d4a07b9a25e217c8daa345712ffe2e

SHA256
2da4703cdc32b46138d431324be87cb64c0db3927e76bc6fbe51f84345125346

SHA512
7e9ae3f0c6f0197e3d02066b5546981b1181a8b349e279eef91114a9cc4b8d9504658153e6603ba2ffe49b05a522a08dc4b6343711bcc5e367b951c39e7b689a

Download Submit
C:\Windows\{9773B844-B41B-48b8-8C7E-CD778E090749}.exe

Filesize
192KB

MD5
7f961b8a1035369eaa58e95bb89faac9

SHA1
e7bf252e5a56547fc7c2bd2aa63cfd720ed418c0

SHA256
65eaa7f20a349e3b39edbd586ced950b1c1ae558ed1f49998917b3b454e772c8

SHA512
c31da6dabd2a3acdc3094be5f01e4bc41ed0b6d1a357d1471eadb1ab0103af35a2f4b67a91fb8411ce4242aca8f474eff382fbcaa3c1546334545a9becbb9f75

Download Submit
C:\Windows\{A0BC70DB-8CC3-4675-ADC0-C738BEA94E8F}.exe

Filesize
192KB

MD5
c86bb2c5033f5ca974aacf57889737ca

SHA1
89e24087c296c0e6608904e9d3f0d0c9802de7a3

SHA256
04a0eb6f2a830119eb30e927a980e7ebadf34a14a7451b99f4ae38cd10c2bb8d

SHA512
bd3847967ab5692faa0acb04d6c606c0be4eab45da5ccf03cbfe1fc81d0ac3d02a43a79e8592fdeea3e4311cb3463053659439d7527c6022584d3b5ecc926741

Download Submit
C:\Windows\{A1F68009-6F55-403b-926D-D3303EF18858}.exe

Filesize
192KB

MD5
9c5f17ffba5c257496183dece6386e06

SHA1
4fbb37436b7831eab34af2b5d2ac996ff4969e59

SHA256
d38470e0fd760eb73c35ae62296d0601f9b8fd48c881c9c8ee301568175d6414

SHA512
8fc98c0e11b383596d3e0ecf5909045d7c06df695eeee3de8bbda5f8157218a77559da8862a869a8b0767b88957c7d875f108f54c6f70c32af2413479ab3265e

Download Submit
C:\Windows\{C367ED46-06CA-4f70-9B86-A3768DB8BC12}.exe

Filesize
192KB

MD5
efec44eae7c322165ee058b6fee5230f

SHA1
7a875dac0700d8e84ec078c716de3375e3f1f307

SHA256
aed6792aea2cc4186de329ecdd370176fa276a31e9f98acf8e1c68feb70a65f6

SHA512
6f58a2316033b17bd0bfedfe72b4e6655ee23c3ff332bf8e9f8bd67bdd08bfc7365893fa1e122b5b9821f182660bc6360206ed612d6441a60f5684484ed85acc

Download Submit
C:\Windows\{D9929D8D-5BD4-42bc-B396-FB4B8C7DF049}.exe

Filesize
192KB

MD5
d9d4480cb5b8d4a9c4415c2e78afd509

SHA1
40a0e4db6a186dc3860748a84d84142788c1a8e3

SHA256
3eb18486a12d45f545e9c4f4dca86669fe55da365f6d90278cfbab953ba86172

SHA512
9fb4025eabfca13e4eded4c17b70f08e01ae6075682e8cde8cfeb088a64d4991b89fcd685b417fcbb8361525fafa761ae292f3149a402216d8eaaed348748b92

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads