e1a8ae76a860d0ed762222ed64d6e9f6b3a8d1be52a83b4d448087f6c428c1da

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
08/04/2024, 19:28

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-04-08_af9e0517c70c6cd8a3bbadd478ceb2d0_goldeneye.exe
Size

216KB
MD5

af9e0517c70c6cd8a3bbadd478ceb2d0
SHA1

3f34dfcea92cc8b68eab4233cb98aa3855a024d1
SHA256

e1a8ae76a860d0ed762222ed64d6e9f6b3a8d1be52a83b4d448087f6c428c1da
SHA512

b99c9c32a3040b691964978d98dd31c7aa51d5cdf510a1bacc4b5a22b6ae7d195c12b110b39548d1324a17c54244fe3058b15ffadfe5527fc2bca4334684e574
SSDEEP

3072:jEGh0o5l+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEGLlEeKcAEcGy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000c0000000133b0-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d00000001342b-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d0000000133b0-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a000000013a21-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000005a59-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e0000000133b0-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000005a59-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f0000000133b0-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000005a59-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00100000000133b0-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000005a59-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{779E683B-993F-4945-94EB-CEFAADCC2298}\stubpath = "C:\\Windows\\{779E683B-993F-4945-94EB-CEFAADCC2298}.exe"	{799E45D8-BF33-4c24-A828-9A218F932D22}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7411FF76-F4D3-4811-B711-9AC5319AA287}	{779E683B-993F-4945-94EB-CEFAADCC2298}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3B2B5F0A-558E-49d2-B1A5-C9370DB984BA}	{7411FF76-F4D3-4811-B711-9AC5319AA287}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3B2B5F0A-558E-49d2-B1A5-C9370DB984BA}\stubpath = "C:\\Windows\\{3B2B5F0A-558E-49d2-B1A5-C9370DB984BA}.exe"	{7411FF76-F4D3-4811-B711-9AC5319AA287}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F4633634-5854-4c0c-88A6-DC52FB03CA36}\stubpath = "C:\\Windows\\{F4633634-5854-4c0c-88A6-DC52FB03CA36}.exe"	{7EAEECDA-64B1-4a82-9A62-7A1D488A2470}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0A2E8323-06DE-4214-879D-248B74B5E734}	{F4633634-5854-4c0c-88A6-DC52FB03CA36}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6F5B98BE-938A-4da3-8212-17DD62A19D99}\stubpath = "C:\\Windows\\{6F5B98BE-938A-4da3-8212-17DD62A19D99}.exe"	{0A2E8323-06DE-4214-879D-248B74B5E734}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{799E45D8-BF33-4c24-A828-9A218F932D22}	{A7176E8C-3B7C-4c46-9193-26F96A1C2586}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2F36676C-BC08-44bb-85B4-233B2F1BE1AA}\stubpath = "C:\\Windows\\{2F36676C-BC08-44bb-85B4-233B2F1BE1AA}.exe"	{3B2B5F0A-558E-49d2-B1A5-C9370DB984BA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2F36676C-BC08-44bb-85B4-233B2F1BE1AA}	{3B2B5F0A-558E-49d2-B1A5-C9370DB984BA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F4633634-5854-4c0c-88A6-DC52FB03CA36}	{7EAEECDA-64B1-4a82-9A62-7A1D488A2470}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0A2E8323-06DE-4214-879D-248B74B5E734}\stubpath = "C:\\Windows\\{0A2E8323-06DE-4214-879D-248B74B5E734}.exe"	{F4633634-5854-4c0c-88A6-DC52FB03CA36}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A7176E8C-3B7C-4c46-9193-26F96A1C2586}\stubpath = "C:\\Windows\\{A7176E8C-3B7C-4c46-9193-26F96A1C2586}.exe"	{6F5B98BE-938A-4da3-8212-17DD62A19D99}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{799E45D8-BF33-4c24-A828-9A218F932D22}\stubpath = "C:\\Windows\\{799E45D8-BF33-4c24-A828-9A218F932D22}.exe"	{A7176E8C-3B7C-4c46-9193-26F96A1C2586}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{779E683B-993F-4945-94EB-CEFAADCC2298}	{799E45D8-BF33-4c24-A828-9A218F932D22}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7411FF76-F4D3-4811-B711-9AC5319AA287}\stubpath = "C:\\Windows\\{7411FF76-F4D3-4811-B711-9AC5319AA287}.exe"	{779E683B-993F-4945-94EB-CEFAADCC2298}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{34D73555-7953-4833-B929-E6A05923CEF9}\stubpath = "C:\\Windows\\{34D73555-7953-4833-B929-E6A05923CEF9}.exe"	2024-04-08_af9e0517c70c6cd8a3bbadd478ceb2d0_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7EAEECDA-64B1-4a82-9A62-7A1D488A2470}	{34D73555-7953-4833-B929-E6A05923CEF9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7EAEECDA-64B1-4a82-9A62-7A1D488A2470}\stubpath = "C:\\Windows\\{7EAEECDA-64B1-4a82-9A62-7A1D488A2470}.exe"	{34D73555-7953-4833-B929-E6A05923CEF9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6F5B98BE-938A-4da3-8212-17DD62A19D99}	{0A2E8323-06DE-4214-879D-248B74B5E734}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{34D73555-7953-4833-B929-E6A05923CEF9}	2024-04-08_af9e0517c70c6cd8a3bbadd478ceb2d0_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A7176E8C-3B7C-4c46-9193-26F96A1C2586}	{6F5B98BE-938A-4da3-8212-17DD62A19D99}.exe

Deletes itself 1 IoCs

pid	Process
2220	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
1136	{34D73555-7953-4833-B929-E6A05923CEF9}.exe
2660	{7EAEECDA-64B1-4a82-9A62-7A1D488A2470}.exe
2812	{F4633634-5854-4c0c-88A6-DC52FB03CA36}.exe
768	{0A2E8323-06DE-4214-879D-248B74B5E734}.exe
2000	{6F5B98BE-938A-4da3-8212-17DD62A19D99}.exe
2064	{A7176E8C-3B7C-4c46-9193-26F96A1C2586}.exe
2244	{799E45D8-BF33-4c24-A828-9A218F932D22}.exe
1636	{779E683B-993F-4945-94EB-CEFAADCC2298}.exe
2684	{7411FF76-F4D3-4811-B711-9AC5319AA287}.exe
2412	{3B2B5F0A-558E-49d2-B1A5-C9370DB984BA}.exe
1600	{2F36676C-BC08-44bb-85B4-233B2F1BE1AA}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{F4633634-5854-4c0c-88A6-DC52FB03CA36}.exe	{7EAEECDA-64B1-4a82-9A62-7A1D488A2470}.exe
File created	C:\Windows\{0A2E8323-06DE-4214-879D-248B74B5E734}.exe	{F4633634-5854-4c0c-88A6-DC52FB03CA36}.exe
File created	C:\Windows\{6F5B98BE-938A-4da3-8212-17DD62A19D99}.exe	{0A2E8323-06DE-4214-879D-248B74B5E734}.exe
File created	C:\Windows\{799E45D8-BF33-4c24-A828-9A218F932D22}.exe	{A7176E8C-3B7C-4c46-9193-26F96A1C2586}.exe
File created	C:\Windows\{779E683B-993F-4945-94EB-CEFAADCC2298}.exe	{799E45D8-BF33-4c24-A828-9A218F932D22}.exe
File created	C:\Windows\{7411FF76-F4D3-4811-B711-9AC5319AA287}.exe	{779E683B-993F-4945-94EB-CEFAADCC2298}.exe
File created	C:\Windows\{2F36676C-BC08-44bb-85B4-233B2F1BE1AA}.exe	{3B2B5F0A-558E-49d2-B1A5-C9370DB984BA}.exe
File created	C:\Windows\{34D73555-7953-4833-B929-E6A05923CEF9}.exe	2024-04-08_af9e0517c70c6cd8a3bbadd478ceb2d0_goldeneye.exe
File created	C:\Windows\{7EAEECDA-64B1-4a82-9A62-7A1D488A2470}.exe	{34D73555-7953-4833-B929-E6A05923CEF9}.exe
File created	C:\Windows\{A7176E8C-3B7C-4c46-9193-26F96A1C2586}.exe	{6F5B98BE-938A-4da3-8212-17DD62A19D99}.exe
File created	C:\Windows\{3B2B5F0A-558E-49d2-B1A5-C9370DB984BA}.exe	{7411FF76-F4D3-4811-B711-9AC5319AA287}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2188	2024-04-08_af9e0517c70c6cd8a3bbadd478ceb2d0_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1136	{34D73555-7953-4833-B929-E6A05923CEF9}.exe
Token: SeIncBasePriorityPrivilege	2660	{7EAEECDA-64B1-4a82-9A62-7A1D488A2470}.exe
Token: SeIncBasePriorityPrivilege	2812	{F4633634-5854-4c0c-88A6-DC52FB03CA36}.exe
Token: SeIncBasePriorityPrivilege	768	{0A2E8323-06DE-4214-879D-248B74B5E734}.exe
Token: SeIncBasePriorityPrivilege	2000	{6F5B98BE-938A-4da3-8212-17DD62A19D99}.exe
Token: SeIncBasePriorityPrivilege	2064	{A7176E8C-3B7C-4c46-9193-26F96A1C2586}.exe
Token: SeIncBasePriorityPrivilege	2244	{799E45D8-BF33-4c24-A828-9A218F932D22}.exe
Token: SeIncBasePriorityPrivilege	1636	{779E683B-993F-4945-94EB-CEFAADCC2298}.exe
Token: SeIncBasePriorityPrivilege	2684	{7411FF76-F4D3-4811-B711-9AC5319AA287}.exe
Token: SeIncBasePriorityPrivilege	2412	{3B2B5F0A-558E-49d2-B1A5-C9370DB984BA}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2188 wrote to memory of 1136	2188	2024-04-08_af9e0517c70c6cd8a3bbadd478ceb2d0_goldeneye.exe	28
PID 2188 wrote to memory of 1136	2188	2024-04-08_af9e0517c70c6cd8a3bbadd478ceb2d0_goldeneye.exe	28
PID 2188 wrote to memory of 1136	2188	2024-04-08_af9e0517c70c6cd8a3bbadd478ceb2d0_goldeneye.exe	28
PID 2188 wrote to memory of 1136	2188	2024-04-08_af9e0517c70c6cd8a3bbadd478ceb2d0_goldeneye.exe	28
PID 2188 wrote to memory of 2220	2188	2024-04-08_af9e0517c70c6cd8a3bbadd478ceb2d0_goldeneye.exe	29
PID 2188 wrote to memory of 2220	2188	2024-04-08_af9e0517c70c6cd8a3bbadd478ceb2d0_goldeneye.exe	29
PID 2188 wrote to memory of 2220	2188	2024-04-08_af9e0517c70c6cd8a3bbadd478ceb2d0_goldeneye.exe	29
PID 2188 wrote to memory of 2220	2188	2024-04-08_af9e0517c70c6cd8a3bbadd478ceb2d0_goldeneye.exe	29
PID 1136 wrote to memory of 2660	1136	{34D73555-7953-4833-B929-E6A05923CEF9}.exe	30
PID 1136 wrote to memory of 2660	1136	{34D73555-7953-4833-B929-E6A05923CEF9}.exe	30
PID 1136 wrote to memory of 2660	1136	{34D73555-7953-4833-B929-E6A05923CEF9}.exe	30
PID 1136 wrote to memory of 2660	1136	{34D73555-7953-4833-B929-E6A05923CEF9}.exe	30
PID 1136 wrote to memory of 2676	1136	{34D73555-7953-4833-B929-E6A05923CEF9}.exe	31
PID 1136 wrote to memory of 2676	1136	{34D73555-7953-4833-B929-E6A05923CEF9}.exe	31
PID 1136 wrote to memory of 2676	1136	{34D73555-7953-4833-B929-E6A05923CEF9}.exe	31
PID 1136 wrote to memory of 2676	1136	{34D73555-7953-4833-B929-E6A05923CEF9}.exe	31
PID 2660 wrote to memory of 2812	2660	{7EAEECDA-64B1-4a82-9A62-7A1D488A2470}.exe	32
PID 2660 wrote to memory of 2812	2660	{7EAEECDA-64B1-4a82-9A62-7A1D488A2470}.exe	32
PID 2660 wrote to memory of 2812	2660	{7EAEECDA-64B1-4a82-9A62-7A1D488A2470}.exe	32
PID 2660 wrote to memory of 2812	2660	{7EAEECDA-64B1-4a82-9A62-7A1D488A2470}.exe	32
PID 2660 wrote to memory of 2384	2660	{7EAEECDA-64B1-4a82-9A62-7A1D488A2470}.exe	33
PID 2660 wrote to memory of 2384	2660	{7EAEECDA-64B1-4a82-9A62-7A1D488A2470}.exe	33
PID 2660 wrote to memory of 2384	2660	{7EAEECDA-64B1-4a82-9A62-7A1D488A2470}.exe	33
PID 2660 wrote to memory of 2384	2660	{7EAEECDA-64B1-4a82-9A62-7A1D488A2470}.exe	33
PID 2812 wrote to memory of 768	2812	{F4633634-5854-4c0c-88A6-DC52FB03CA36}.exe	36
PID 2812 wrote to memory of 768	2812	{F4633634-5854-4c0c-88A6-DC52FB03CA36}.exe	36
PID 2812 wrote to memory of 768	2812	{F4633634-5854-4c0c-88A6-DC52FB03CA36}.exe	36
PID 2812 wrote to memory of 768	2812	{F4633634-5854-4c0c-88A6-DC52FB03CA36}.exe	36
PID 2812 wrote to memory of 2960	2812	{F4633634-5854-4c0c-88A6-DC52FB03CA36}.exe	37
PID 2812 wrote to memory of 2960	2812	{F4633634-5854-4c0c-88A6-DC52FB03CA36}.exe	37
PID 2812 wrote to memory of 2960	2812	{F4633634-5854-4c0c-88A6-DC52FB03CA36}.exe	37
PID 2812 wrote to memory of 2960	2812	{F4633634-5854-4c0c-88A6-DC52FB03CA36}.exe	37
PID 768 wrote to memory of 2000	768	{0A2E8323-06DE-4214-879D-248B74B5E734}.exe	38
PID 768 wrote to memory of 2000	768	{0A2E8323-06DE-4214-879D-248B74B5E734}.exe	38
PID 768 wrote to memory of 2000	768	{0A2E8323-06DE-4214-879D-248B74B5E734}.exe	38
PID 768 wrote to memory of 2000	768	{0A2E8323-06DE-4214-879D-248B74B5E734}.exe	38
PID 768 wrote to memory of 1700	768	{0A2E8323-06DE-4214-879D-248B74B5E734}.exe	39
PID 768 wrote to memory of 1700	768	{0A2E8323-06DE-4214-879D-248B74B5E734}.exe	39
PID 768 wrote to memory of 1700	768	{0A2E8323-06DE-4214-879D-248B74B5E734}.exe	39
PID 768 wrote to memory of 1700	768	{0A2E8323-06DE-4214-879D-248B74B5E734}.exe	39
PID 2000 wrote to memory of 2064	2000	{6F5B98BE-938A-4da3-8212-17DD62A19D99}.exe	40
PID 2000 wrote to memory of 2064	2000	{6F5B98BE-938A-4da3-8212-17DD62A19D99}.exe	40
PID 2000 wrote to memory of 2064	2000	{6F5B98BE-938A-4da3-8212-17DD62A19D99}.exe	40
PID 2000 wrote to memory of 2064	2000	{6F5B98BE-938A-4da3-8212-17DD62A19D99}.exe	40
PID 2000 wrote to memory of 816	2000	{6F5B98BE-938A-4da3-8212-17DD62A19D99}.exe	41
PID 2000 wrote to memory of 816	2000	{6F5B98BE-938A-4da3-8212-17DD62A19D99}.exe	41
PID 2000 wrote to memory of 816	2000	{6F5B98BE-938A-4da3-8212-17DD62A19D99}.exe	41
PID 2000 wrote to memory of 816	2000	{6F5B98BE-938A-4da3-8212-17DD62A19D99}.exe	41
PID 2064 wrote to memory of 2244	2064	{A7176E8C-3B7C-4c46-9193-26F96A1C2586}.exe	42
PID 2064 wrote to memory of 2244	2064	{A7176E8C-3B7C-4c46-9193-26F96A1C2586}.exe	42
PID 2064 wrote to memory of 2244	2064	{A7176E8C-3B7C-4c46-9193-26F96A1C2586}.exe	42
PID 2064 wrote to memory of 2244	2064	{A7176E8C-3B7C-4c46-9193-26F96A1C2586}.exe	42
PID 2064 wrote to memory of 1196	2064	{A7176E8C-3B7C-4c46-9193-26F96A1C2586}.exe	43
PID 2064 wrote to memory of 1196	2064	{A7176E8C-3B7C-4c46-9193-26F96A1C2586}.exe	43
PID 2064 wrote to memory of 1196	2064	{A7176E8C-3B7C-4c46-9193-26F96A1C2586}.exe	43
PID 2064 wrote to memory of 1196	2064	{A7176E8C-3B7C-4c46-9193-26F96A1C2586}.exe	43
PID 2244 wrote to memory of 1636	2244	{799E45D8-BF33-4c24-A828-9A218F932D22}.exe	44
PID 2244 wrote to memory of 1636	2244	{799E45D8-BF33-4c24-A828-9A218F932D22}.exe	44
PID 2244 wrote to memory of 1636	2244	{799E45D8-BF33-4c24-A828-9A218F932D22}.exe	44
PID 2244 wrote to memory of 1636	2244	{799E45D8-BF33-4c24-A828-9A218F932D22}.exe	44
PID 2244 wrote to memory of 1684	2244	{799E45D8-BF33-4c24-A828-9A218F932D22}.exe	45
PID 2244 wrote to memory of 1684	2244	{799E45D8-BF33-4c24-A828-9A218F932D22}.exe	45
PID 2244 wrote to memory of 1684	2244	{799E45D8-BF33-4c24-A828-9A218F932D22}.exe	45
PID 2244 wrote to memory of 1684	2244	{799E45D8-BF33-4c24-A828-9A218F932D22}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-04-08_af9e0517c70c6cd8a3bbadd478ceb2d0_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-08_af9e0517c70c6cd8a3bbadd478ceb2d0_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2188
- C:\Windows\{34D73555-7953-4833-B929-E6A05923CEF9}.exe
  C:\Windows\{34D73555-7953-4833-B929-E6A05923CEF9}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1136
- - C:\Windows\{7EAEECDA-64B1-4a82-9A62-7A1D488A2470}.exe
    C:\Windows\{7EAEECDA-64B1-4a82-9A62-7A1D488A2470}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2660
  - - C:\Windows\{F4633634-5854-4c0c-88A6-DC52FB03CA36}.exe
      C:\Windows\{F4633634-5854-4c0c-88A6-DC52FB03CA36}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2812
    - - C:\Windows\{0A2E8323-06DE-4214-879D-248B74B5E734}.exe
        
        C:\Windows\{0A2E8323-06DE-4214-879D-248B74B5E734}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:768
      - C:\Windows\{6F5B98BE-938A-4da3-8212-17DD62A19D99}.exe
        
        C:\Windows\{6F5B98BE-938A-4da3-8212-17DD62A19D99}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2000
        
        C:\Windows\{A7176E8C-3B7C-4c46-9193-26F96A1C2586}.exe
        
        C:\Windows\{A7176E8C-3B7C-4c46-9193-26F96A1C2586}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2064
        
        C:\Windows\{799E45D8-BF33-4c24-A828-9A218F932D22}.exe
        
        C:\Windows\{799E45D8-BF33-4c24-A828-9A218F932D22}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2244
        
        C:\Windows\{779E683B-993F-4945-94EB-CEFAADCC2298}.exe
        
        C:\Windows\{779E683B-993F-4945-94EB-CEFAADCC2298}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1636
        
        C:\Windows\{7411FF76-F4D3-4811-B711-9AC5319AA287}.exe
        
        C:\Windows\{7411FF76-F4D3-4811-B711-9AC5319AA287}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2684
        
        C:\Windows\{3B2B5F0A-558E-49d2-B1A5-C9370DB984BA}.exe
        
        C:\Windows\{3B2B5F0A-558E-49d2-B1A5-C9370DB984BA}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2412
        
        C:\Windows\{2F36676C-BC08-44bb-85B4-233B2F1BE1AA}.exe
        
        C:\Windows\{2F36676C-BC08-44bb-85B4-233B2F1BE1AA}.exe
        12⤵
        Executes dropped EXE
        
        PID:1600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3B2B5~1.EXE > nul
        12⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7411F~1.EXE > nul
        11⤵
        
        PID:592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{779E6~1.EXE > nul
        10⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{799E4~1.EXE > nul
        9⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A7176~1.EXE > nul
        8⤵
        
        PID:1196
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6F5B9~1.EXE > nul
        7⤵
        
        PID:816
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0A2E8~1.EXE > nul
        6⤵
        
        PID:1700
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F4633~1.EXE > nul
        5⤵
        
        PID:2960
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{7EAEE~1.EXE > nul
      4⤵
      PID:2384
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{34D73~1.EXE > nul
    3⤵
    PID:2676
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0A2E8323-06DE-4214-879D-248B74B5E734}.exe

Filesize
216KB

MD5
1e049b265fd5b68b3f199f90dd52f232

SHA1
e1fb6976c8b78cd1710bd6fafb4d05d19665975b

SHA256
c6ccc05d090fd3872baebb45e63f1de9b7ad665072ad69539b103d391b09c32f

SHA512
83d404b192bceca3a61338f4ff6508ef3c05e3a3b3c48a230eeead89835f3ebf6d509d355c87f7601f4b1e6f6c3faab8b33c9a182f0de97d92b70e6c85cc8d7f

Download Submit
C:\Windows\{2F36676C-BC08-44bb-85B4-233B2F1BE1AA}.exe

Filesize
216KB

MD5
fba5944a20872e5fcddc5759226b9e7f

SHA1
dac1f4b375c0b8b718a93969f622129526b9b87f

SHA256
aff777d899dc4774645b786b4e458cc7d290cfcaa6e1b0541e3c633a7d29ff1e

SHA512
54135b453006c58ef7e7c2528f56b6169c8ff64765528f1988e97a642ceb06220610f18d59ed79bcd3d93177828bb2423fabac5a0afe31613eeb91d970f249e7

Download Submit
C:\Windows\{34D73555-7953-4833-B929-E6A05923CEF9}.exe

Filesize
216KB

MD5
e4b74f932c3e79dab63a9a6394ad8038

SHA1
d8d27ea2e0f82c7e237a07740a0025d88ac6c2d3

SHA256
5f3f625c8880d8b90e0a36a10df620c9f2df30d6c37004685f02c5574fe5650c

SHA512
d0bf87f36eac0a240271fa09c06c48c2e3222841ee43c112cd392a338a6d22efc765068408d2b37a1a462d588bafcdb4c2aaec46659899acfa5edc44b226b44a

Download Submit
C:\Windows\{3B2B5F0A-558E-49d2-B1A5-C9370DB984BA}.exe

Filesize
216KB

MD5
52e578a203cb40cb453b3d7d0b7dda25

SHA1
bf5b4cb6992ca1b864c9285b5cbc5c4011ce89b2

SHA256
44f277872f02ae16ca093aa3f195362ebeb4aafabedc17acab0f70d80a5b6467

SHA512
7ae798711504d7310293b4a23bf35b39d37b26d14cabd8179d2b8f9babfd03f43203134ff787be9e9a79ecd2646d639df2ddfa88ce9ac79f5e3fcdacfa0dc1a1

Download Submit
C:\Windows\{6F5B98BE-938A-4da3-8212-17DD62A19D99}.exe

Filesize
216KB

MD5
69e155023a0e424495381709b3ae2410

SHA1
ac2d9d8e83d63ee765116b03d10bd9f179c9fb51

SHA256
db4766d9712029e58fa59eb0f997e79de664a3a8dd9d1e7394da398e472e9650

SHA512
edfbf18c6d85c4efbed759e43e1553de960f7dc1b286662330bca7d1df939d9456d53f78bee41f40e2d9065c4105b3f3c9a107cf0b0a9f5fb11f2ce594232659

Download Submit
C:\Windows\{7411FF76-F4D3-4811-B711-9AC5319AA287}.exe

Filesize
216KB

MD5
9be07b717224989407aebc5e3599f4a9

SHA1
73d856d7b40218d389595eb555a35293a83d93ab

SHA256
93031d8b8bbd9f0e933b306838d2d39efb0c375f8a9f8bde1958281afc73197d

SHA512
0cdd2cb5b82a6717589a1856cb32a1fa07f3a369df2c3f2d56c7280e1251f45c39662914cc2822e2f94f793a48b6f08e97f343b6be0ab2574ce09b7a8828611f

Download Submit
C:\Windows\{779E683B-993F-4945-94EB-CEFAADCC2298}.exe

Filesize
216KB

MD5
e68005af584b7aa344c0f9dad2408e7d

SHA1
3b9ca7ed203b17c82fe43ceeb49036db54eb9506

SHA256
2cc709da93fe363a2d8cc00fd39ac180ee1b26845aa8c2f031e0d6b5f5127d24

SHA512
5d01df62bf3b5c265ea978b606c321878b16d70c0dfb86b42322e7f68368e3e5f3a188ae75f87a1f58bd1ece5fc2497da12eff4c566a59bd1abf590e9c20e835

Download Submit
C:\Windows\{799E45D8-BF33-4c24-A828-9A218F932D22}.exe

Filesize
216KB

MD5
51e12676dc61a9e8b04639487d4c5836

SHA1
283c9dd8b47a106a9bb2f606327b32ad9ae6ec22

SHA256
c7dacac1aee4beb0ddcd67d8572889934023865f95660d5fe9b982961f2a4f30

SHA512
f46879f706d1aaa87c4b8a490345141f7ffa835a0a7594a9a37080addd0536d1e2680bb55877d6cb87fe7cdd079dd90c62453be8e600fa733df5ada0a5337ca7

Download Submit
C:\Windows\{7EAEECDA-64B1-4a82-9A62-7A1D488A2470}.exe

Filesize
216KB

MD5
b5a7a594d2329eb3218d9254c79596bc

SHA1
6f4d7eda9b7631862e9d107e5e990aa3181f91ac

SHA256
affe796834ae8f09f81390e6f411d4c0706b2493e5b04cdbe8c8c54f6147a0f3

SHA512
585eba645d70ad5f276d3ade0b9ba69ea8810110e4098aa571eb1317eafd38fcaf1584baeba24162d0fca3fb1179b23d6077af50702818d7ab324aa77ec81430

Download Submit
C:\Windows\{A7176E8C-3B7C-4c46-9193-26F96A1C2586}.exe

Filesize
216KB

MD5
8d6c2059096f045009e86f68dc62b8c3

SHA1
39ac3234664fe527777c9fcfe5ab763057aaefa0

SHA256
040a047538e0e939af72c2ea925a8ff2048d45b6c5e2655f143747b19a3747cc

SHA512
fab72708482f777bb7de210a334c75a085dcc7c3c01125e38e5877dc8c1b21b29f14094d30d29432930692ad73c60cbce1c1ecf7117546544b2f4e9ad37ad84a

Download Submit
C:\Windows\{F4633634-5854-4c0c-88A6-DC52FB03CA36}.exe

Filesize
216KB

MD5
5f91a04e236bac3711a2581a9672f5c9

SHA1
96d16821814a2621fe31d096e2e10452121789f0

SHA256
16314e98a9cf66491cd837c99c0036174a8045aa1afe9b3caec694f7e9930541

SHA512
b0745e90fd2580c7daee782d74468a22819d4283d3c0d60dc1570fcb068f07fcfe95df6097fd3c4fd328e7e7ee97f42fbfc910aab527d912c333cdeddf2bd254

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads