000242af7be11235970c26a74bce257449cd77cdedfcaa9ed23967e3263ec515

Analysis

max time kernel
144s
max time network
120s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
06/04/2024, 11:03

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-04-06_97956a24a74ce4a359c9900765acd7fc_goldeneye.exe
Size

192KB
MD5

97956a24a74ce4a359c9900765acd7fc
SHA1

0819963aa5612561925e4f6c1cf90ffaaf3cd71d
SHA256

000242af7be11235970c26a74bce257449cd77cdedfcaa9ed23967e3263ec515
SHA512

ef8f5bf0b63f9efb5983923ae363e93840190d7ef5d66681f64d9c25a16ca7b05f09d58548f5370ce5b77c5fd15ea3e78f37261c4cab7de5ea74fd6d4fcb757d
SSDEEP

1536:1EGh0oul15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3H6:1EGh0oul1OPOe2MUVg3Ve+rXfMUa

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000b000000012251-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c0000000146fc-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000012251-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0033000000014b18-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000012251-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e000000012251-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f000000012251-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F0BD40B8-AB71-44e8-96C5-25A016325356}\stubpath = "C:\\Windows\\{F0BD40B8-AB71-44e8-96C5-25A016325356}.exe"	{1ADCD1BB-C090-48d1-B320-67FB7C6143D7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5F926C36-F558-43f1-8E32-04B25F25B8E1}	{FC5AC8B8-0981-4f82-9D09-B0EFEE289799}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{49352C85-B885-4e8d-B911-E124D9EDB2B7}	{F277B8AE-429C-41a6-96E2-A531064EC1F9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1ADCD1BB-C090-48d1-B320-67FB7C6143D7}\stubpath = "C:\\Windows\\{1ADCD1BB-C090-48d1-B320-67FB7C6143D7}.exe"	{E4D33BF5-1215-48f9-A61C-49AD59BDB107}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F0BD40B8-AB71-44e8-96C5-25A016325356}	{1ADCD1BB-C090-48d1-B320-67FB7C6143D7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F277B8AE-429C-41a6-96E2-A531064EC1F9}\stubpath = "C:\\Windows\\{F277B8AE-429C-41a6-96E2-A531064EC1F9}.exe"	{F27678AB-FB0B-4d2b-B20D-8CD17D6229A7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CBF03C5F-D722-4f87-A30A-8AF6111A3AAC}\stubpath = "C:\\Windows\\{CBF03C5F-D722-4f87-A30A-8AF6111A3AAC}.exe"	{EAC64DED-8C13-43e4-B587-0D31CFCC050E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E4D33BF5-1215-48f9-A61C-49AD59BDB107}\stubpath = "C:\\Windows\\{E4D33BF5-1215-48f9-A61C-49AD59BDB107}.exe"	{CBF03C5F-D722-4f87-A30A-8AF6111A3AAC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FC5AC8B8-0981-4f82-9D09-B0EFEE289799}	2024-04-06_97956a24a74ce4a359c9900765acd7fc_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FA383982-B97F-4d2d-8684-4C7DE776C5C9}	{5F926C36-F558-43f1-8E32-04B25F25B8E1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F27678AB-FB0B-4d2b-B20D-8CD17D6229A7}	{FA383982-B97F-4d2d-8684-4C7DE776C5C9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F27678AB-FB0B-4d2b-B20D-8CD17D6229A7}\stubpath = "C:\\Windows\\{F27678AB-FB0B-4d2b-B20D-8CD17D6229A7}.exe"	{FA383982-B97F-4d2d-8684-4C7DE776C5C9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CBF03C5F-D722-4f87-A30A-8AF6111A3AAC}	{EAC64DED-8C13-43e4-B587-0D31CFCC050E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F277B8AE-429C-41a6-96E2-A531064EC1F9}	{F27678AB-FB0B-4d2b-B20D-8CD17D6229A7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{49352C85-B885-4e8d-B911-E124D9EDB2B7}\stubpath = "C:\\Windows\\{49352C85-B885-4e8d-B911-E124D9EDB2B7}.exe"	{F277B8AE-429C-41a6-96E2-A531064EC1F9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EAC64DED-8C13-43e4-B587-0D31CFCC050E}	{49352C85-B885-4e8d-B911-E124D9EDB2B7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EAC64DED-8C13-43e4-B587-0D31CFCC050E}\stubpath = "C:\\Windows\\{EAC64DED-8C13-43e4-B587-0D31CFCC050E}.exe"	{49352C85-B885-4e8d-B911-E124D9EDB2B7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1ADCD1BB-C090-48d1-B320-67FB7C6143D7}	{E4D33BF5-1215-48f9-A61C-49AD59BDB107}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FC5AC8B8-0981-4f82-9D09-B0EFEE289799}\stubpath = "C:\\Windows\\{FC5AC8B8-0981-4f82-9D09-B0EFEE289799}.exe"	2024-04-06_97956a24a74ce4a359c9900765acd7fc_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5F926C36-F558-43f1-8E32-04B25F25B8E1}\stubpath = "C:\\Windows\\{5F926C36-F558-43f1-8E32-04B25F25B8E1}.exe"	{FC5AC8B8-0981-4f82-9D09-B0EFEE289799}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FA383982-B97F-4d2d-8684-4C7DE776C5C9}\stubpath = "C:\\Windows\\{FA383982-B97F-4d2d-8684-4C7DE776C5C9}.exe"	{5F926C36-F558-43f1-8E32-04B25F25B8E1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E4D33BF5-1215-48f9-A61C-49AD59BDB107}	{CBF03C5F-D722-4f87-A30A-8AF6111A3AAC}.exe

Deletes itself 1 IoCs

pid	Process
2608	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2520	{FC5AC8B8-0981-4f82-9D09-B0EFEE289799}.exe
2648	{5F926C36-F558-43f1-8E32-04B25F25B8E1}.exe
2564	{FA383982-B97F-4d2d-8684-4C7DE776C5C9}.exe
1620	{F27678AB-FB0B-4d2b-B20D-8CD17D6229A7}.exe
1548	{F277B8AE-429C-41a6-96E2-A531064EC1F9}.exe
1724	{49352C85-B885-4e8d-B911-E124D9EDB2B7}.exe
2828	{EAC64DED-8C13-43e4-B587-0D31CFCC050E}.exe
1484	{CBF03C5F-D722-4f87-A30A-8AF6111A3AAC}.exe
1996	{E4D33BF5-1215-48f9-A61C-49AD59BDB107}.exe
592	{1ADCD1BB-C090-48d1-B320-67FB7C6143D7}.exe
2764	{F0BD40B8-AB71-44e8-96C5-25A016325356}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{FC5AC8B8-0981-4f82-9D09-B0EFEE289799}.exe	2024-04-06_97956a24a74ce4a359c9900765acd7fc_goldeneye.exe
File created	C:\Windows\{FA383982-B97F-4d2d-8684-4C7DE776C5C9}.exe	{5F926C36-F558-43f1-8E32-04B25F25B8E1}.exe
File created	C:\Windows\{F277B8AE-429C-41a6-96E2-A531064EC1F9}.exe	{F27678AB-FB0B-4d2b-B20D-8CD17D6229A7}.exe
File created	C:\Windows\{49352C85-B885-4e8d-B911-E124D9EDB2B7}.exe	{F277B8AE-429C-41a6-96E2-A531064EC1F9}.exe
File created	C:\Windows\{E4D33BF5-1215-48f9-A61C-49AD59BDB107}.exe	{CBF03C5F-D722-4f87-A30A-8AF6111A3AAC}.exe
File created	C:\Windows\{F0BD40B8-AB71-44e8-96C5-25A016325356}.exe	{1ADCD1BB-C090-48d1-B320-67FB7C6143D7}.exe
File created	C:\Windows\{5F926C36-F558-43f1-8E32-04B25F25B8E1}.exe	{FC5AC8B8-0981-4f82-9D09-B0EFEE289799}.exe
File created	C:\Windows\{F27678AB-FB0B-4d2b-B20D-8CD17D6229A7}.exe	{FA383982-B97F-4d2d-8684-4C7DE776C5C9}.exe
File created	C:\Windows\{EAC64DED-8C13-43e4-B587-0D31CFCC050E}.exe	{49352C85-B885-4e8d-B911-E124D9EDB2B7}.exe
File created	C:\Windows\{CBF03C5F-D722-4f87-A30A-8AF6111A3AAC}.exe	{EAC64DED-8C13-43e4-B587-0D31CFCC050E}.exe
File created	C:\Windows\{1ADCD1BB-C090-48d1-B320-67FB7C6143D7}.exe	{E4D33BF5-1215-48f9-A61C-49AD59BDB107}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2832	2024-04-06_97956a24a74ce4a359c9900765acd7fc_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2520	{FC5AC8B8-0981-4f82-9D09-B0EFEE289799}.exe
Token: SeIncBasePriorityPrivilege	2648	{5F926C36-F558-43f1-8E32-04B25F25B8E1}.exe
Token: SeIncBasePriorityPrivilege	2564	{FA383982-B97F-4d2d-8684-4C7DE776C5C9}.exe
Token: SeIncBasePriorityPrivilege	1620	{F27678AB-FB0B-4d2b-B20D-8CD17D6229A7}.exe
Token: SeIncBasePriorityPrivilege	1548	{F277B8AE-429C-41a6-96E2-A531064EC1F9}.exe
Token: SeIncBasePriorityPrivilege	1724	{49352C85-B885-4e8d-B911-E124D9EDB2B7}.exe
Token: SeIncBasePriorityPrivilege	2828	{EAC64DED-8C13-43e4-B587-0D31CFCC050E}.exe
Token: SeIncBasePriorityPrivilege	1484	{CBF03C5F-D722-4f87-A30A-8AF6111A3AAC}.exe
Token: SeIncBasePriorityPrivilege	1996	{E4D33BF5-1215-48f9-A61C-49AD59BDB107}.exe
Token: SeIncBasePriorityPrivilege	592	{1ADCD1BB-C090-48d1-B320-67FB7C6143D7}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2832 wrote to memory of 2520	2832	2024-04-06_97956a24a74ce4a359c9900765acd7fc_goldeneye.exe	28
PID 2832 wrote to memory of 2520	2832	2024-04-06_97956a24a74ce4a359c9900765acd7fc_goldeneye.exe	28
PID 2832 wrote to memory of 2520	2832	2024-04-06_97956a24a74ce4a359c9900765acd7fc_goldeneye.exe	28
PID 2832 wrote to memory of 2520	2832	2024-04-06_97956a24a74ce4a359c9900765acd7fc_goldeneye.exe	28
PID 2832 wrote to memory of 2608	2832	2024-04-06_97956a24a74ce4a359c9900765acd7fc_goldeneye.exe	29
PID 2832 wrote to memory of 2608	2832	2024-04-06_97956a24a74ce4a359c9900765acd7fc_goldeneye.exe	29
PID 2832 wrote to memory of 2608	2832	2024-04-06_97956a24a74ce4a359c9900765acd7fc_goldeneye.exe	29
PID 2832 wrote to memory of 2608	2832	2024-04-06_97956a24a74ce4a359c9900765acd7fc_goldeneye.exe	29
PID 2520 wrote to memory of 2648	2520	{FC5AC8B8-0981-4f82-9D09-B0EFEE289799}.exe	30
PID 2520 wrote to memory of 2648	2520	{FC5AC8B8-0981-4f82-9D09-B0EFEE289799}.exe	30
PID 2520 wrote to memory of 2648	2520	{FC5AC8B8-0981-4f82-9D09-B0EFEE289799}.exe	30
PID 2520 wrote to memory of 2648	2520	{FC5AC8B8-0981-4f82-9D09-B0EFEE289799}.exe	30
PID 2520 wrote to memory of 2480	2520	{FC5AC8B8-0981-4f82-9D09-B0EFEE289799}.exe	31
PID 2520 wrote to memory of 2480	2520	{FC5AC8B8-0981-4f82-9D09-B0EFEE289799}.exe	31
PID 2520 wrote to memory of 2480	2520	{FC5AC8B8-0981-4f82-9D09-B0EFEE289799}.exe	31
PID 2520 wrote to memory of 2480	2520	{FC5AC8B8-0981-4f82-9D09-B0EFEE289799}.exe	31
PID 2648 wrote to memory of 2564	2648	{5F926C36-F558-43f1-8E32-04B25F25B8E1}.exe	32
PID 2648 wrote to memory of 2564	2648	{5F926C36-F558-43f1-8E32-04B25F25B8E1}.exe	32
PID 2648 wrote to memory of 2564	2648	{5F926C36-F558-43f1-8E32-04B25F25B8E1}.exe	32
PID 2648 wrote to memory of 2564	2648	{5F926C36-F558-43f1-8E32-04B25F25B8E1}.exe	32
PID 2648 wrote to memory of 2408	2648	{5F926C36-F558-43f1-8E32-04B25F25B8E1}.exe	33
PID 2648 wrote to memory of 2408	2648	{5F926C36-F558-43f1-8E32-04B25F25B8E1}.exe	33
PID 2648 wrote to memory of 2408	2648	{5F926C36-F558-43f1-8E32-04B25F25B8E1}.exe	33
PID 2648 wrote to memory of 2408	2648	{5F926C36-F558-43f1-8E32-04B25F25B8E1}.exe	33
PID 2564 wrote to memory of 1620	2564	{FA383982-B97F-4d2d-8684-4C7DE776C5C9}.exe	36
PID 2564 wrote to memory of 1620	2564	{FA383982-B97F-4d2d-8684-4C7DE776C5C9}.exe	36
PID 2564 wrote to memory of 1620	2564	{FA383982-B97F-4d2d-8684-4C7DE776C5C9}.exe	36
PID 2564 wrote to memory of 1620	2564	{FA383982-B97F-4d2d-8684-4C7DE776C5C9}.exe	36
PID 2564 wrote to memory of 276	2564	{FA383982-B97F-4d2d-8684-4C7DE776C5C9}.exe	37
PID 2564 wrote to memory of 276	2564	{FA383982-B97F-4d2d-8684-4C7DE776C5C9}.exe	37
PID 2564 wrote to memory of 276	2564	{FA383982-B97F-4d2d-8684-4C7DE776C5C9}.exe	37
PID 2564 wrote to memory of 276	2564	{FA383982-B97F-4d2d-8684-4C7DE776C5C9}.exe	37
PID 1620 wrote to memory of 1548	1620	{F27678AB-FB0B-4d2b-B20D-8CD17D6229A7}.exe	38
PID 1620 wrote to memory of 1548	1620	{F27678AB-FB0B-4d2b-B20D-8CD17D6229A7}.exe	38
PID 1620 wrote to memory of 1548	1620	{F27678AB-FB0B-4d2b-B20D-8CD17D6229A7}.exe	38
PID 1620 wrote to memory of 1548	1620	{F27678AB-FB0B-4d2b-B20D-8CD17D6229A7}.exe	38
PID 1620 wrote to memory of 2704	1620	{F27678AB-FB0B-4d2b-B20D-8CD17D6229A7}.exe	39
PID 1620 wrote to memory of 2704	1620	{F27678AB-FB0B-4d2b-B20D-8CD17D6229A7}.exe	39
PID 1620 wrote to memory of 2704	1620	{F27678AB-FB0B-4d2b-B20D-8CD17D6229A7}.exe	39
PID 1620 wrote to memory of 2704	1620	{F27678AB-FB0B-4d2b-B20D-8CD17D6229A7}.exe	39
PID 1548 wrote to memory of 1724	1548	{F277B8AE-429C-41a6-96E2-A531064EC1F9}.exe	40
PID 1548 wrote to memory of 1724	1548	{F277B8AE-429C-41a6-96E2-A531064EC1F9}.exe	40
PID 1548 wrote to memory of 1724	1548	{F277B8AE-429C-41a6-96E2-A531064EC1F9}.exe	40
PID 1548 wrote to memory of 1724	1548	{F277B8AE-429C-41a6-96E2-A531064EC1F9}.exe	40
PID 1548 wrote to memory of 2308	1548	{F277B8AE-429C-41a6-96E2-A531064EC1F9}.exe	41
PID 1548 wrote to memory of 2308	1548	{F277B8AE-429C-41a6-96E2-A531064EC1F9}.exe	41
PID 1548 wrote to memory of 2308	1548	{F277B8AE-429C-41a6-96E2-A531064EC1F9}.exe	41
PID 1548 wrote to memory of 2308	1548	{F277B8AE-429C-41a6-96E2-A531064EC1F9}.exe	41
PID 1724 wrote to memory of 2828	1724	{49352C85-B885-4e8d-B911-E124D9EDB2B7}.exe	42
PID 1724 wrote to memory of 2828	1724	{49352C85-B885-4e8d-B911-E124D9EDB2B7}.exe	42
PID 1724 wrote to memory of 2828	1724	{49352C85-B885-4e8d-B911-E124D9EDB2B7}.exe	42
PID 1724 wrote to memory of 2828	1724	{49352C85-B885-4e8d-B911-E124D9EDB2B7}.exe	42
PID 1724 wrote to memory of 544	1724	{49352C85-B885-4e8d-B911-E124D9EDB2B7}.exe	43
PID 1724 wrote to memory of 544	1724	{49352C85-B885-4e8d-B911-E124D9EDB2B7}.exe	43
PID 1724 wrote to memory of 544	1724	{49352C85-B885-4e8d-B911-E124D9EDB2B7}.exe	43
PID 1724 wrote to memory of 544	1724	{49352C85-B885-4e8d-B911-E124D9EDB2B7}.exe	43
PID 2828 wrote to memory of 1484	2828	{EAC64DED-8C13-43e4-B587-0D31CFCC050E}.exe	44
PID 2828 wrote to memory of 1484	2828	{EAC64DED-8C13-43e4-B587-0D31CFCC050E}.exe	44
PID 2828 wrote to memory of 1484	2828	{EAC64DED-8C13-43e4-B587-0D31CFCC050E}.exe	44
PID 2828 wrote to memory of 1484	2828	{EAC64DED-8C13-43e4-B587-0D31CFCC050E}.exe	44
PID 2828 wrote to memory of 1696	2828	{EAC64DED-8C13-43e4-B587-0D31CFCC050E}.exe	45
PID 2828 wrote to memory of 1696	2828	{EAC64DED-8C13-43e4-B587-0D31CFCC050E}.exe	45
PID 2828 wrote to memory of 1696	2828	{EAC64DED-8C13-43e4-B587-0D31CFCC050E}.exe	45
PID 2828 wrote to memory of 1696	2828	{EAC64DED-8C13-43e4-B587-0D31CFCC050E}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-04-06_97956a24a74ce4a359c9900765acd7fc_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-06_97956a24a74ce4a359c9900765acd7fc_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2832
- C:\Windows\{FC5AC8B8-0981-4f82-9D09-B0EFEE289799}.exe
  C:\Windows\{FC5AC8B8-0981-4f82-9D09-B0EFEE289799}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2520
- - C:\Windows\{5F926C36-F558-43f1-8E32-04B25F25B8E1}.exe
    C:\Windows\{5F926C36-F558-43f1-8E32-04B25F25B8E1}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2648
  - - C:\Windows\{FA383982-B97F-4d2d-8684-4C7DE776C5C9}.exe
      C:\Windows\{FA383982-B97F-4d2d-8684-4C7DE776C5C9}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2564
    - - C:\Windows\{F27678AB-FB0B-4d2b-B20D-8CD17D6229A7}.exe
        
        C:\Windows\{F27678AB-FB0B-4d2b-B20D-8CD17D6229A7}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1620
      - C:\Windows\{F277B8AE-429C-41a6-96E2-A531064EC1F9}.exe
        
        C:\Windows\{F277B8AE-429C-41a6-96E2-A531064EC1F9}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1548
        
        C:\Windows\{49352C85-B885-4e8d-B911-E124D9EDB2B7}.exe
        
        C:\Windows\{49352C85-B885-4e8d-B911-E124D9EDB2B7}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1724
        
        C:\Windows\{EAC64DED-8C13-43e4-B587-0D31CFCC050E}.exe
        
        C:\Windows\{EAC64DED-8C13-43e4-B587-0D31CFCC050E}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2828
        
        C:\Windows\{CBF03C5F-D722-4f87-A30A-8AF6111A3AAC}.exe
        
        C:\Windows\{CBF03C5F-D722-4f87-A30A-8AF6111A3AAC}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1484
        
        C:\Windows\{E4D33BF5-1215-48f9-A61C-49AD59BDB107}.exe
        
        C:\Windows\{E4D33BF5-1215-48f9-A61C-49AD59BDB107}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1996
        
        C:\Windows\{1ADCD1BB-C090-48d1-B320-67FB7C6143D7}.exe
        
        C:\Windows\{1ADCD1BB-C090-48d1-B320-67FB7C6143D7}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:592
        
        C:\Windows\{F0BD40B8-AB71-44e8-96C5-25A016325356}.exe
        
        C:\Windows\{F0BD40B8-AB71-44e8-96C5-25A016325356}.exe
        12⤵
        Executes dropped EXE
        
        PID:2764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1ADCD~1.EXE > nul
        12⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E4D33~1.EXE > nul
        11⤵
        
        PID:708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CBF03~1.EXE > nul
        10⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EAC64~1.EXE > nul
        9⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{49352~1.EXE > nul
        8⤵
        
        PID:544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F277B~1.EXE > nul
        7⤵
        
        PID:2308
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F2767~1.EXE > nul
        6⤵
        
        PID:2704
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FA383~1.EXE > nul
        5⤵
        
        PID:276
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{5F926~1.EXE > nul
      4⤵
      PID:2408
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{FC5AC~1.EXE > nul
    3⤵
    PID:2480
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1ADCD1BB-C090-48d1-B320-67FB7C6143D7}.exe

Filesize
192KB

MD5
e2428f9b8105a4d4399aaef3aab329e9

SHA1
7c4bfc7c055a27af474f21c78b5f1ccc312676ed

SHA256
bc629dbd9b8c392770c29f98e4b6e05340bebfc4fe76636da159309031a1d4d7

SHA512
1ed6b896ff56bd7b453e76fa2050d19878e09d9e1a29cc6d33025834364efb3a8ffc7e151548c84c374bf48ed335603a94414142b252af80af08e2119988332b

Download Submit
C:\Windows\{49352C85-B885-4e8d-B911-E124D9EDB2B7}.exe

Filesize
192KB

MD5
6329618945a3060cc56b4d6cd01e3339

SHA1
c3553f7ab13d8b68c7455ab06a6772896fc4eae3

SHA256
801a97ad48263b77dd12a8232374c11656bd92ee9cb36631169917ca8b5abbe6

SHA512
5fff94a273ae50aadd52ea599838f2e4030384e15b02e5602c7395ce5c4895cb4109e40d5f2f992311ed105c44e83157619dfe84dd0f89c6b3ef6b1456adcbf3

Download Submit
C:\Windows\{5F926C36-F558-43f1-8E32-04B25F25B8E1}.exe

Filesize
192KB

MD5
94590d5080d1a4364813a6f76778aa4b

SHA1
3f5aafec9571d82642025e2bbbdabfc993213989

SHA256
7015f7bff4005586e452d836473da4477bef32c2e22cbdb2eccc2c38906ad2c4

SHA512
df8422d6b24f06fc7032c07dc3855d874ffc3ba0d74a584864cbfa98e42ed7908ca28757dee8bab6b2bc709ace5a94a001f7d7df6af6f48a7d76f7ee5854a91b

Download Submit
C:\Windows\{CBF03C5F-D722-4f87-A30A-8AF6111A3AAC}.exe

Filesize
192KB

MD5
e00f5bf409ffea544deccfc266911b3d

SHA1
c8186483196f4f4cb920b09e5958cc1d0c451f7c

SHA256
eb97a932d684f55aa02c743983deaf6cd20f4498f1893319e88dada47d29740f

SHA512
470b8dfc5c864650ba8f26fcd71979b2d4b8c4e4ff3811b7357addafd43801c7673e0c87d37e9670fbd2e9262b6c20d4f01bb2c76d6a4d6e9e3d4307b424bc67

Download Submit
C:\Windows\{E4D33BF5-1215-48f9-A61C-49AD59BDB107}.exe

Filesize
192KB

MD5
fb7d8bfe34d538599e55eab1dff0a141

SHA1
53e6838686ea0aa2f08406bb1165a96b054f1e90

SHA256
01b9a3d7d0a25090731746c5bc360967830f07a3b80452ff2dad76cbdfbdc8ed

SHA512
1a29fb870dc418c9d1248168cbc0e37b54347161bdf5211895abb4e6b26b0a26d4bb3e32bdb5373de1d8953ce3e9ce1cff91b29b4f176de4d99b80cb31467dfc

Download Submit
C:\Windows\{EAC64DED-8C13-43e4-B587-0D31CFCC050E}.exe

Filesize
192KB

MD5
3b18f9b340b52861d41cd9135a432f44

SHA1
7df2eda622c838f2cf362555705e3c8a4a50f87a

SHA256
650728bd0479ae8380592a0dc259555ee5ff284239260c8e29162eac40c39006

SHA512
9203af5a9c5753e8bcc2f3509ca2feeea28ccde22f5573e12189d7fd886adb1961786bad31457a450bd197022bb0934a2a47bb50529852d4d982d1fe48d0d3e7

Download Submit
C:\Windows\{F0BD40B8-AB71-44e8-96C5-25A016325356}.exe

Filesize
192KB

MD5
a08bb4a2e2a3ab60224ec63dd595dda6

SHA1
59770ddc817be785239d7fe57afdd001fea490e8

SHA256
60b84caf0ce130c315c069b3df2cf990fcc1d5f5d9b80326a9360c271c32cb6c

SHA512
857b8f9953349bc074dd2668504bef08a41e8e40e987c86c845fc06d290f41924406a5e0ace0106f2d7ab90e90855dc9e59c7a314385835a96037ebfb3ea8360

Download Submit
C:\Windows\{F27678AB-FB0B-4d2b-B20D-8CD17D6229A7}.exe

Filesize
192KB

MD5
553bd99d5a9b848c8aac8a5cc2715737

SHA1
b7cf67d071638b0773fdb027cf78ee9b06a41e3d

SHA256
b887c26ac162f3376131f5157060e2742b14cd387b047db84806f45baf573313

SHA512
16571e198476299bfc88f22361b3c422249046c543f863596c61d0621ecc374b28705335db884c3618328e2798c6c3d1e8648f7767e83f49d9f8ac3f51f8ac91

Download Submit
C:\Windows\{F277B8AE-429C-41a6-96E2-A531064EC1F9}.exe

Filesize
192KB

MD5
a28a03ea32250046b84bc5dda2c3e87c

SHA1
b102cac0b60750c09874e6655847d2e01a839964

SHA256
54837ac2ec9bf6beb56a50adcc146aa9996c0aed64db9ae80f60da12fe829832

SHA512
f443e832b93b3cb2c9e3864daa3f43213d86ab3482c0549d57b1ae412303edf0c67e590918219cdf79d4aa28a876dfa49a09df54147ae0c3898d27b61f2f7994

Download Submit
C:\Windows\{FA383982-B97F-4d2d-8684-4C7DE776C5C9}.exe

Filesize
192KB

MD5
2876617118b1d60ddcdadfbc1651a0fd

SHA1
34ef553c2b83d33eaff5a6fe79b2441ab8bf0248

SHA256
aa0a987550a291f972a1a078ed1538cb8cbeb13ecaf9752410781f0fbb65cbdd

SHA512
76bc264ced217b556c797e6643014e7eb8a918550afb1c8e65666a47a435424448889cb1608872db19e15cb4887c068a682cdcfb22b48269d3adcfbd91f5d80f

Download Submit
C:\Windows\{FC5AC8B8-0981-4f82-9D09-B0EFEE289799}.exe

Filesize
192KB

MD5
c6525d5abc4657f856075d9883402f1e

SHA1
2a3130b4dc9d6dca02bf79afde864082d40440c1

SHA256
382217aaa070472e9efb7ec42eff2c747af23a2fa3c12fe9b66e24a893cb1d43

SHA512
e38c02706d8de40d6a2edf09f45198bfec28f5b48263cee2829ac7f3b4d9baef9308b6c263cbc2640d1ec762484a81d3cf1ae56263471882d961d6a91d29f341

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads