712ab9efdc8c1230b388f5b4490bb41db65fed7ae7c69a97b65aaf7abd5c9d28

Analysis

max time kernel
144s
max time network
120s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
04-04-2024 17:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-04_337779f6852849e54d48d95649d09d25_goldeneye.exe
Size

372KB
MD5

337779f6852849e54d48d95649d09d25
SHA1

0f0f8538a1fd9070d7624ca4c11f19214cef9e40
SHA256

712ab9efdc8c1230b388f5b4490bb41db65fed7ae7c69a97b65aaf7abd5c9d28
SHA512

b7b67c0015b51726dbda78eece9b24ffbef01bf0471c91298c1c6fbf795b402923dfa0c0ad4b9aa036f2156d7ef4d427ac7fb17fd604e31a18426f95b19bd70f
SSDEEP

3072:CEGh0oQlMOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBfM:CEG+lkOe2MUVg3vTeKcAEciTBqr3

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000b000000012251-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c00000001225d-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000012251-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000012251-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e000000012251-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f000000012251-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0032000000015d85-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0010000000012251-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{12DBA199-0650-4b8f-8D3A-197214BA2DA4}\stubpath = "C:\\Windows\\{12DBA199-0650-4b8f-8D3A-197214BA2DA4}.exe"	{23358141-A315-4005-A1CA-EFDEC39BD30E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0D19B99B-9501-4701-99DE-BC7216856357}\stubpath = "C:\\Windows\\{0D19B99B-9501-4701-99DE-BC7216856357}.exe"	{2290C342-DAF5-4fbd-9294-CA2806377DC0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FE0B979F-9965-4f38-ABA1-D32FC608B4BC}	{5251D915-CB05-4029-B78E-3EEBD4D69433}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4A0E24C1-D998-4447-B391-5A2615DCCC69}\stubpath = "C:\\Windows\\{4A0E24C1-D998-4447-B391-5A2615DCCC69}.exe"	{FE0B979F-9965-4f38-ABA1-D32FC608B4BC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{82CCB3B6-86BE-4fb0-B3EA-A84CF7952C12}	{4A0E24C1-D998-4447-B391-5A2615DCCC69}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0BFF6275-4792-4fbb-84D0-F7FD1F0C1D4F}\stubpath = "C:\\Windows\\{0BFF6275-4792-4fbb-84D0-F7FD1F0C1D4F}.exe"	{82CCB3B6-86BE-4fb0-B3EA-A84CF7952C12}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4B0B2EE2-8788-43d7-B90E-B6B411220742}	{7EDB4022-414C-4bce-A761-68AE3B1D197C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4B0B2EE2-8788-43d7-B90E-B6B411220742}\stubpath = "C:\\Windows\\{4B0B2EE2-8788-43d7-B90E-B6B411220742}.exe"	{7EDB4022-414C-4bce-A761-68AE3B1D197C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5251D915-CB05-4029-B78E-3EEBD4D69433}	{0D19B99B-9501-4701-99DE-BC7216856357}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4A0E24C1-D998-4447-B391-5A2615DCCC69}	{FE0B979F-9965-4f38-ABA1-D32FC608B4BC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7EDB4022-414C-4bce-A761-68AE3B1D197C}	2024-04-04_337779f6852849e54d48d95649d09d25_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{23358141-A315-4005-A1CA-EFDEC39BD30E}	{4B0B2EE2-8788-43d7-B90E-B6B411220742}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2290C342-DAF5-4fbd-9294-CA2806377DC0}\stubpath = "C:\\Windows\\{2290C342-DAF5-4fbd-9294-CA2806377DC0}.exe"	{12DBA199-0650-4b8f-8D3A-197214BA2DA4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0D19B99B-9501-4701-99DE-BC7216856357}	{2290C342-DAF5-4fbd-9294-CA2806377DC0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5251D915-CB05-4029-B78E-3EEBD4D69433}\stubpath = "C:\\Windows\\{5251D915-CB05-4029-B78E-3EEBD4D69433}.exe"	{0D19B99B-9501-4701-99DE-BC7216856357}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FE0B979F-9965-4f38-ABA1-D32FC608B4BC}\stubpath = "C:\\Windows\\{FE0B979F-9965-4f38-ABA1-D32FC608B4BC}.exe"	{5251D915-CB05-4029-B78E-3EEBD4D69433}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{82CCB3B6-86BE-4fb0-B3EA-A84CF7952C12}\stubpath = "C:\\Windows\\{82CCB3B6-86BE-4fb0-B3EA-A84CF7952C12}.exe"	{4A0E24C1-D998-4447-B391-5A2615DCCC69}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0BFF6275-4792-4fbb-84D0-F7FD1F0C1D4F}	{82CCB3B6-86BE-4fb0-B3EA-A84CF7952C12}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7EDB4022-414C-4bce-A761-68AE3B1D197C}\stubpath = "C:\\Windows\\{7EDB4022-414C-4bce-A761-68AE3B1D197C}.exe"	2024-04-04_337779f6852849e54d48d95649d09d25_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{23358141-A315-4005-A1CA-EFDEC39BD30E}\stubpath = "C:\\Windows\\{23358141-A315-4005-A1CA-EFDEC39BD30E}.exe"	{4B0B2EE2-8788-43d7-B90E-B6B411220742}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{12DBA199-0650-4b8f-8D3A-197214BA2DA4}	{23358141-A315-4005-A1CA-EFDEC39BD30E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2290C342-DAF5-4fbd-9294-CA2806377DC0}	{12DBA199-0650-4b8f-8D3A-197214BA2DA4}.exe

Deletes itself 1 IoCs

pid	Process
2920	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2892	{7EDB4022-414C-4bce-A761-68AE3B1D197C}.exe
2672	{4B0B2EE2-8788-43d7-B90E-B6B411220742}.exe
2552	{23358141-A315-4005-A1CA-EFDEC39BD30E}.exe
2860	{12DBA199-0650-4b8f-8D3A-197214BA2DA4}.exe
624	{2290C342-DAF5-4fbd-9294-CA2806377DC0}.exe
1836	{0D19B99B-9501-4701-99DE-BC7216856357}.exe
2348	{5251D915-CB05-4029-B78E-3EEBD4D69433}.exe
1964	{FE0B979F-9965-4f38-ABA1-D32FC608B4BC}.exe
2692	{4A0E24C1-D998-4447-B391-5A2615DCCC69}.exe
2756	{82CCB3B6-86BE-4fb0-B3EA-A84CF7952C12}.exe
2800	{0BFF6275-4792-4fbb-84D0-F7FD1F0C1D4F}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{23358141-A315-4005-A1CA-EFDEC39BD30E}.exe	{4B0B2EE2-8788-43d7-B90E-B6B411220742}.exe
File created	C:\Windows\{12DBA199-0650-4b8f-8D3A-197214BA2DA4}.exe	{23358141-A315-4005-A1CA-EFDEC39BD30E}.exe
File created	C:\Windows\{2290C342-DAF5-4fbd-9294-CA2806377DC0}.exe	{12DBA199-0650-4b8f-8D3A-197214BA2DA4}.exe
File created	C:\Windows\{FE0B979F-9965-4f38-ABA1-D32FC608B4BC}.exe	{5251D915-CB05-4029-B78E-3EEBD4D69433}.exe
File created	C:\Windows\{4A0E24C1-D998-4447-B391-5A2615DCCC69}.exe	{FE0B979F-9965-4f38-ABA1-D32FC608B4BC}.exe
File created	C:\Windows\{82CCB3B6-86BE-4fb0-B3EA-A84CF7952C12}.exe	{4A0E24C1-D998-4447-B391-5A2615DCCC69}.exe
File created	C:\Windows\{7EDB4022-414C-4bce-A761-68AE3B1D197C}.exe	2024-04-04_337779f6852849e54d48d95649d09d25_goldeneye.exe
File created	C:\Windows\{0D19B99B-9501-4701-99DE-BC7216856357}.exe	{2290C342-DAF5-4fbd-9294-CA2806377DC0}.exe
File created	C:\Windows\{5251D915-CB05-4029-B78E-3EEBD4D69433}.exe	{0D19B99B-9501-4701-99DE-BC7216856357}.exe
File created	C:\Windows\{0BFF6275-4792-4fbb-84D0-F7FD1F0C1D4F}.exe	{82CCB3B6-86BE-4fb0-B3EA-A84CF7952C12}.exe
File created	C:\Windows\{4B0B2EE2-8788-43d7-B90E-B6B411220742}.exe	{7EDB4022-414C-4bce-A761-68AE3B1D197C}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2732	2024-04-04_337779f6852849e54d48d95649d09d25_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2892	{7EDB4022-414C-4bce-A761-68AE3B1D197C}.exe
Token: SeIncBasePriorityPrivilege	2672	{4B0B2EE2-8788-43d7-B90E-B6B411220742}.exe
Token: SeIncBasePriorityPrivilege	2552	{23358141-A315-4005-A1CA-EFDEC39BD30E}.exe
Token: SeIncBasePriorityPrivilege	2860	{12DBA199-0650-4b8f-8D3A-197214BA2DA4}.exe
Token: SeIncBasePriorityPrivilege	624	{2290C342-DAF5-4fbd-9294-CA2806377DC0}.exe
Token: SeIncBasePriorityPrivilege	1836	{0D19B99B-9501-4701-99DE-BC7216856357}.exe
Token: SeIncBasePriorityPrivilege	2348	{5251D915-CB05-4029-B78E-3EEBD4D69433}.exe
Token: SeIncBasePriorityPrivilege	1964	{FE0B979F-9965-4f38-ABA1-D32FC608B4BC}.exe
Token: SeIncBasePriorityPrivilege	2692	{4A0E24C1-D998-4447-B391-5A2615DCCC69}.exe
Token: SeIncBasePriorityPrivilege	2756	{82CCB3B6-86BE-4fb0-B3EA-A84CF7952C12}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2732 wrote to memory of 2892	2732	2024-04-04_337779f6852849e54d48d95649d09d25_goldeneye.exe	28
PID 2732 wrote to memory of 2892	2732	2024-04-04_337779f6852849e54d48d95649d09d25_goldeneye.exe	28
PID 2732 wrote to memory of 2892	2732	2024-04-04_337779f6852849e54d48d95649d09d25_goldeneye.exe	28
PID 2732 wrote to memory of 2892	2732	2024-04-04_337779f6852849e54d48d95649d09d25_goldeneye.exe	28
PID 2732 wrote to memory of 2920	2732	2024-04-04_337779f6852849e54d48d95649d09d25_goldeneye.exe	29
PID 2732 wrote to memory of 2920	2732	2024-04-04_337779f6852849e54d48d95649d09d25_goldeneye.exe	29
PID 2732 wrote to memory of 2920	2732	2024-04-04_337779f6852849e54d48d95649d09d25_goldeneye.exe	29
PID 2732 wrote to memory of 2920	2732	2024-04-04_337779f6852849e54d48d95649d09d25_goldeneye.exe	29
PID 2892 wrote to memory of 2672	2892	{7EDB4022-414C-4bce-A761-68AE3B1D197C}.exe	30
PID 2892 wrote to memory of 2672	2892	{7EDB4022-414C-4bce-A761-68AE3B1D197C}.exe	30
PID 2892 wrote to memory of 2672	2892	{7EDB4022-414C-4bce-A761-68AE3B1D197C}.exe	30
PID 2892 wrote to memory of 2672	2892	{7EDB4022-414C-4bce-A761-68AE3B1D197C}.exe	30
PID 2892 wrote to memory of 2588	2892	{7EDB4022-414C-4bce-A761-68AE3B1D197C}.exe	31
PID 2892 wrote to memory of 2588	2892	{7EDB4022-414C-4bce-A761-68AE3B1D197C}.exe	31
PID 2892 wrote to memory of 2588	2892	{7EDB4022-414C-4bce-A761-68AE3B1D197C}.exe	31
PID 2892 wrote to memory of 2588	2892	{7EDB4022-414C-4bce-A761-68AE3B1D197C}.exe	31
PID 2672 wrote to memory of 2552	2672	{4B0B2EE2-8788-43d7-B90E-B6B411220742}.exe	32
PID 2672 wrote to memory of 2552	2672	{4B0B2EE2-8788-43d7-B90E-B6B411220742}.exe	32
PID 2672 wrote to memory of 2552	2672	{4B0B2EE2-8788-43d7-B90E-B6B411220742}.exe	32
PID 2672 wrote to memory of 2552	2672	{4B0B2EE2-8788-43d7-B90E-B6B411220742}.exe	32
PID 2672 wrote to memory of 2708	2672	{4B0B2EE2-8788-43d7-B90E-B6B411220742}.exe	33
PID 2672 wrote to memory of 2708	2672	{4B0B2EE2-8788-43d7-B90E-B6B411220742}.exe	33
PID 2672 wrote to memory of 2708	2672	{4B0B2EE2-8788-43d7-B90E-B6B411220742}.exe	33
PID 2672 wrote to memory of 2708	2672	{4B0B2EE2-8788-43d7-B90E-B6B411220742}.exe	33
PID 2552 wrote to memory of 2860	2552	{23358141-A315-4005-A1CA-EFDEC39BD30E}.exe	36
PID 2552 wrote to memory of 2860	2552	{23358141-A315-4005-A1CA-EFDEC39BD30E}.exe	36
PID 2552 wrote to memory of 2860	2552	{23358141-A315-4005-A1CA-EFDEC39BD30E}.exe	36
PID 2552 wrote to memory of 2860	2552	{23358141-A315-4005-A1CA-EFDEC39BD30E}.exe	36
PID 2552 wrote to memory of 2016	2552	{23358141-A315-4005-A1CA-EFDEC39BD30E}.exe	37
PID 2552 wrote to memory of 2016	2552	{23358141-A315-4005-A1CA-EFDEC39BD30E}.exe	37
PID 2552 wrote to memory of 2016	2552	{23358141-A315-4005-A1CA-EFDEC39BD30E}.exe	37
PID 2552 wrote to memory of 2016	2552	{23358141-A315-4005-A1CA-EFDEC39BD30E}.exe	37
PID 2860 wrote to memory of 624	2860	{12DBA199-0650-4b8f-8D3A-197214BA2DA4}.exe	38
PID 2860 wrote to memory of 624	2860	{12DBA199-0650-4b8f-8D3A-197214BA2DA4}.exe	38
PID 2860 wrote to memory of 624	2860	{12DBA199-0650-4b8f-8D3A-197214BA2DA4}.exe	38
PID 2860 wrote to memory of 624	2860	{12DBA199-0650-4b8f-8D3A-197214BA2DA4}.exe	38
PID 2860 wrote to memory of 1252	2860	{12DBA199-0650-4b8f-8D3A-197214BA2DA4}.exe	39
PID 2860 wrote to memory of 1252	2860	{12DBA199-0650-4b8f-8D3A-197214BA2DA4}.exe	39
PID 2860 wrote to memory of 1252	2860	{12DBA199-0650-4b8f-8D3A-197214BA2DA4}.exe	39
PID 2860 wrote to memory of 1252	2860	{12DBA199-0650-4b8f-8D3A-197214BA2DA4}.exe	39
PID 624 wrote to memory of 1836	624	{2290C342-DAF5-4fbd-9294-CA2806377DC0}.exe	40
PID 624 wrote to memory of 1836	624	{2290C342-DAF5-4fbd-9294-CA2806377DC0}.exe	40
PID 624 wrote to memory of 1836	624	{2290C342-DAF5-4fbd-9294-CA2806377DC0}.exe	40
PID 624 wrote to memory of 1836	624	{2290C342-DAF5-4fbd-9294-CA2806377DC0}.exe	40
PID 624 wrote to memory of 2232	624	{2290C342-DAF5-4fbd-9294-CA2806377DC0}.exe	41
PID 624 wrote to memory of 2232	624	{2290C342-DAF5-4fbd-9294-CA2806377DC0}.exe	41
PID 624 wrote to memory of 2232	624	{2290C342-DAF5-4fbd-9294-CA2806377DC0}.exe	41
PID 624 wrote to memory of 2232	624	{2290C342-DAF5-4fbd-9294-CA2806377DC0}.exe	41
PID 1836 wrote to memory of 2348	1836	{0D19B99B-9501-4701-99DE-BC7216856357}.exe	42
PID 1836 wrote to memory of 2348	1836	{0D19B99B-9501-4701-99DE-BC7216856357}.exe	42
PID 1836 wrote to memory of 2348	1836	{0D19B99B-9501-4701-99DE-BC7216856357}.exe	42
PID 1836 wrote to memory of 2348	1836	{0D19B99B-9501-4701-99DE-BC7216856357}.exe	42
PID 1836 wrote to memory of 2200	1836	{0D19B99B-9501-4701-99DE-BC7216856357}.exe	43
PID 1836 wrote to memory of 2200	1836	{0D19B99B-9501-4701-99DE-BC7216856357}.exe	43
PID 1836 wrote to memory of 2200	1836	{0D19B99B-9501-4701-99DE-BC7216856357}.exe	43
PID 1836 wrote to memory of 2200	1836	{0D19B99B-9501-4701-99DE-BC7216856357}.exe	43
PID 2348 wrote to memory of 1964	2348	{5251D915-CB05-4029-B78E-3EEBD4D69433}.exe	44
PID 2348 wrote to memory of 1964	2348	{5251D915-CB05-4029-B78E-3EEBD4D69433}.exe	44
PID 2348 wrote to memory of 1964	2348	{5251D915-CB05-4029-B78E-3EEBD4D69433}.exe	44
PID 2348 wrote to memory of 1964	2348	{5251D915-CB05-4029-B78E-3EEBD4D69433}.exe	44
PID 2348 wrote to memory of 336	2348	{5251D915-CB05-4029-B78E-3EEBD4D69433}.exe	45
PID 2348 wrote to memory of 336	2348	{5251D915-CB05-4029-B78E-3EEBD4D69433}.exe	45
PID 2348 wrote to memory of 336	2348	{5251D915-CB05-4029-B78E-3EEBD4D69433}.exe	45
PID 2348 wrote to memory of 336	2348	{5251D915-CB05-4029-B78E-3EEBD4D69433}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-04-04_337779f6852849e54d48d95649d09d25_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-04_337779f6852849e54d48d95649d09d25_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2732
- C:\Windows\{7EDB4022-414C-4bce-A761-68AE3B1D197C}.exe
  C:\Windows\{7EDB4022-414C-4bce-A761-68AE3B1D197C}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2892
- - C:\Windows\{4B0B2EE2-8788-43d7-B90E-B6B411220742}.exe
    C:\Windows\{4B0B2EE2-8788-43d7-B90E-B6B411220742}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2672
  - - C:\Windows\{23358141-A315-4005-A1CA-EFDEC39BD30E}.exe
      C:\Windows\{23358141-A315-4005-A1CA-EFDEC39BD30E}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2552
    - - C:\Windows\{12DBA199-0650-4b8f-8D3A-197214BA2DA4}.exe
        
        C:\Windows\{12DBA199-0650-4b8f-8D3A-197214BA2DA4}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2860
      - C:\Windows\{2290C342-DAF5-4fbd-9294-CA2806377DC0}.exe
        
        C:\Windows\{2290C342-DAF5-4fbd-9294-CA2806377DC0}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:624
        
        C:\Windows\{0D19B99B-9501-4701-99DE-BC7216856357}.exe
        
        C:\Windows\{0D19B99B-9501-4701-99DE-BC7216856357}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1836
        
        C:\Windows\{5251D915-CB05-4029-B78E-3EEBD4D69433}.exe
        
        C:\Windows\{5251D915-CB05-4029-B78E-3EEBD4D69433}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2348
        
        C:\Windows\{FE0B979F-9965-4f38-ABA1-D32FC608B4BC}.exe
        
        C:\Windows\{FE0B979F-9965-4f38-ABA1-D32FC608B4BC}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1964
        
        C:\Windows\{4A0E24C1-D998-4447-B391-5A2615DCCC69}.exe
        
        C:\Windows\{4A0E24C1-D998-4447-B391-5A2615DCCC69}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2692
        
        C:\Windows\{82CCB3B6-86BE-4fb0-B3EA-A84CF7952C12}.exe
        
        C:\Windows\{82CCB3B6-86BE-4fb0-B3EA-A84CF7952C12}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2756
        
        C:\Windows\{0BFF6275-4792-4fbb-84D0-F7FD1F0C1D4F}.exe
        
        C:\Windows\{0BFF6275-4792-4fbb-84D0-F7FD1F0C1D4F}.exe
        12⤵
        Executes dropped EXE
        
        PID:2800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{82CCB~1.EXE > nul
        12⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4A0E2~1.EXE > nul
        11⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FE0B9~1.EXE > nul
        10⤵
        
        PID:700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5251D~1.EXE > nul
        9⤵
        
        PID:336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0D19B~1.EXE > nul
        8⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2290C~1.EXE > nul
        7⤵
        
        PID:2232
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{12DBA~1.EXE > nul
        6⤵
        
        PID:1252
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{23358~1.EXE > nul
        5⤵
        
        PID:2016
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{4B0B2~1.EXE > nul
      4⤵
      PID:2708
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{7EDB4~1.EXE > nul
    3⤵
    PID:2588
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0BFF6275-4792-4fbb-84D0-F7FD1F0C1D4F}.exe

Filesize
372KB

MD5
2798c747b6e5aefbe1c4e1e6ec81ab71

SHA1
75211d5b46f045f984356af8c5a0232827f1fd2a

SHA256
600b855b9b7962888285b43979c2710663893c1b8e2c2b547a0989f0770ebadd

SHA512
d0d4e0d2de67bbedfa62ebbcbdd39c0c54c428996c754511ceae9d40785dad5b8b21a047f4ebb8219c3c59f32786bf5e8b06448f3fd448076a51e595a5b7361d

Download Submit
C:\Windows\{0D19B99B-9501-4701-99DE-BC7216856357}.exe

Filesize
372KB

MD5
1ed985a0c60be6a4401789140f5ea21b

SHA1
ae1c221ae06d2d587310515e8c1efc0e5517699d

SHA256
0451e7e8ba0428e9d2b3f6add7088845ebc7d563c22c48410ea9af1c240d309c

SHA512
e6bddb3658364979534c4d6646f778c2795198145ffb80292e93bb276d40da2b02a284ba1d6f81f2ad2a7ba639880d9e10fb24d0125f32ad1e5df37fdbe13293

Download Submit
C:\Windows\{12DBA199-0650-4b8f-8D3A-197214BA2DA4}.exe

Filesize
372KB

MD5
86dcd17fd30a99ae204abb0b46188384

SHA1
091ee11b7ef6da71de4e2b25a6024888ab276b8a

SHA256
622973ce4decd2eb6cc8e51b509784ccdf6bff2e176de68b2ca28b20648518c4

SHA512
43c296d34e029b75a154f947c35a461feb64e4ecc24ca91a7b7b721887c9577583041a68b1da0a8ce56a7a36af66909232c57d4e08c30fcc2746d570ca1ce87b

Download Submit
C:\Windows\{2290C342-DAF5-4fbd-9294-CA2806377DC0}.exe

Filesize
372KB

MD5
419e796e80064b8bb4d7ab00e6e59f67

SHA1
1d2b620d092dc1574d355bc65db7d4c2fbaddc83

SHA256
150722237f7fca08197dffcd4d9568b35073fb29cb050fcef4050802a0681e87

SHA512
182e5b87ac0af788326de0fc796e7e6263116c693a4fd42e059cd57bd587d7144cbf217f9a68f4007325e58f17ec5b9a8b3569090b7b6b2968b44a9f7d5f2e9d

Download Submit
C:\Windows\{23358141-A315-4005-A1CA-EFDEC39BD30E}.exe

Filesize
372KB

MD5
33b0d008f21ada839cc865b374dd8511

SHA1
b333fb2e1b9a58c42589450d3f5f0df3b0ca1f19

SHA256
afe176fdf7b9c01d19933c0dc011da73a32b1f5d912605f517f6d31a335507d9

SHA512
c42c34fffd36b18124afb62c585982517f47fb15e4449c1cadf355c54a5e7fe4a16729e29015eb8ace4dd9c42d918ff5c3cbe34aa98a9d029e43eaa12e12a469

Download Submit
C:\Windows\{4A0E24C1-D998-4447-B391-5A2615DCCC69}.exe

Filesize
372KB

MD5
874bcb0b7e520340b7bc10536ddd00d9

SHA1
0bbcc37689249effb62210d6766eedcb400496fb

SHA256
2d9765ff7ff82300618ef66b4c25991e18cb5fae9705c9c5ba3e1cf690f137ef

SHA512
ee4ee93371ef0b34277bb24e3c98d668f431e5177b7a4a7110c17290395a508f522cc20affc38d2de38bc535adde38f8f31411ea7c10bbbf42be53009f938bec

Download Submit
C:\Windows\{4B0B2EE2-8788-43d7-B90E-B6B411220742}.exe

Filesize
372KB

MD5
bdb944af256f43a64b0f4323556c2693

SHA1
c3812060408a90a6bff8b7234fb0e802eaee05c6

SHA256
24020de093e90bb592de2e72c2812ad296bbeda315aa0478eaf1e5a90c839648

SHA512
e43964bf956fe4df95273466c71e70166affd6af398098b808d882d10680ac49eda37b01ddde1380922bab0125cbbd966c704fc48a6a72ae3d79dd97a2232d6a

Download Submit
C:\Windows\{5251D915-CB05-4029-B78E-3EEBD4D69433}.exe

Filesize
372KB

MD5
fe9b83d8a2cd26c9cc0fc53e06284893

SHA1
740fba09283fa8f27873fc9c9a49fb0593360230

SHA256
33f935ed93bb9540943d26c886477a49a65d866a941c4ae5b7330cab2309a072

SHA512
d2dfe8bff02758f82d511d93d5609865bd88200a4b8eb6c3f3f101ec4fe6f76abf554b723ce061fc5ceb538d60180d97c48c786ae97d7b2eb02efd7c888314d5

Download Submit
C:\Windows\{7EDB4022-414C-4bce-A761-68AE3B1D197C}.exe

Filesize
372KB

MD5
01ab419345d890a89e6173ef6a489c50

SHA1
d489c67250ed6d9bcd47b35848fdab1df9e6cbaa

SHA256
923655e012ab5fa63a46941c5e98fc478e55fe2161ca0bd4808e68b2292458bf

SHA512
7f87bac83feea85c756e49c347031904e3580302fe7915da7fb2297c60e5a3fe41105cf06ab330c8d6b025c3f392461ae0b730fb5e893bfeed77b5feaeea6a1e

Download Submit
C:\Windows\{82CCB3B6-86BE-4fb0-B3EA-A84CF7952C12}.exe

Filesize
372KB

MD5
08909e38bdb582eba05748e6634068fc

SHA1
d23cd927b46d5cc127e7c9cf07a0ec1da26198dc

SHA256
8828a8ab352fc55debe360b9de6182f0b4e8cc513e7711cd42ff427c5520b88a

SHA512
8a68f9439ecb2c6ba8ceef2e938badf1082d37b08f6c0baa8e525c87074e6848caf1be4959031a164345ac32e1e4d0b6e80cba97b54c6054c745c6c55a7547a4

Download Submit
C:\Windows\{FE0B979F-9965-4f38-ABA1-D32FC608B4BC}.exe

Filesize
372KB

MD5
47e937a65ff03db16db3ec325c7f1685

SHA1
8579df917ed60a22f4c58f9982fade48630080be

SHA256
c5198f49f4844d323a92108cb43e0b8fbffb5b12d991b6a4cdae5880308cae1d

SHA512
f6bd69546b4fd129e76b89d141ecff62e09bcb528073562285cd02059acca0901a7cc8995a60f159d8d03d770688862fbd9907c91e68add7a805b6f012c56e4c

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads