a0f584bf5ed22c6fb9e6650fc2112bc5631105d05a492d0feca08220107dc0a4

Analysis

max time kernel
144s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
08/04/2024, 20:41

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-04-08_c9cebb7ce9efc1224f7b6dbffab2bb44_goldeneye.exe
Size

380KB
MD5

c9cebb7ce9efc1224f7b6dbffab2bb44
SHA1

44a8c1cf0b89fb069c3713a09d808004c726486a
SHA256

a0f584bf5ed22c6fb9e6650fc2112bc5631105d05a492d0feca08220107dc0a4
SHA512

0e8a7530054cf0aa27dd917982e41d0120e4f3c041cef7e3ad82c6127ae11403d7b3d08ca97ce840111fb292e1687a12e5a8ae32d967fa6570f669ca063e3cdd
SSDEEP

3072:mEGh0oilPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGgl7Oe2MUVg3v2IneKcAEcARy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000e000000012248-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d00000001231a-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f000000012248-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0033000000013a3d-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0010000000012248-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0011000000012248-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0012000000012248-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2D26388D-214E-4dc7-BF9D-78319919A563}	{782099AD-FB81-4a22-8493-0A757B8371CD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{35DB1F42-FE5D-44ee-81FC-ACD16F1869A3}\stubpath = "C:\\Windows\\{35DB1F42-FE5D-44ee-81FC-ACD16F1869A3}.exe"	{A37D7FE6-0E69-43c7-B700-7978AC7AF6AE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9AEC8141-7EDB-4c7a-BBED-961CAA30380B}	{49C2EFC5-EBC2-434c-83AB-0A16F6BB084B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9AEC8141-7EDB-4c7a-BBED-961CAA30380B}\stubpath = "C:\\Windows\\{9AEC8141-7EDB-4c7a-BBED-961CAA30380B}.exe"	{49C2EFC5-EBC2-434c-83AB-0A16F6BB084B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{69016A2A-7321-4020-8F68-E26EB137EAC7}\stubpath = "C:\\Windows\\{69016A2A-7321-4020-8F68-E26EB137EAC7}.exe"	{434D04D6-CD47-4785-BFC0-8B8A5AED1CD0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4AD8EDD2-E30B-444f-A27C-CFB172253D05}	{69016A2A-7321-4020-8F68-E26EB137EAC7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{434D04D6-CD47-4785-BFC0-8B8A5AED1CD0}\stubpath = "C:\\Windows\\{434D04D6-CD47-4785-BFC0-8B8A5AED1CD0}.exe"	{9AEC8141-7EDB-4c7a-BBED-961CAA30380B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{782099AD-FB81-4a22-8493-0A757B8371CD}\stubpath = "C:\\Windows\\{782099AD-FB81-4a22-8493-0A757B8371CD}.exe"	{E2ED7EC6-54D4-45a9-9DEA-3E451DE8DE2C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{35DB1F42-FE5D-44ee-81FC-ACD16F1869A3}	{A37D7FE6-0E69-43c7-B700-7978AC7AF6AE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9043777F-67E1-4d31-AAD6-9F6D74F5CB54}\stubpath = "C:\\Windows\\{9043777F-67E1-4d31-AAD6-9F6D74F5CB54}.exe"	{35DB1F42-FE5D-44ee-81FC-ACD16F1869A3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9043777F-67E1-4d31-AAD6-9F6D74F5CB54}	{35DB1F42-FE5D-44ee-81FC-ACD16F1869A3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{49C2EFC5-EBC2-434c-83AB-0A16F6BB084B}	2024-04-08_c9cebb7ce9efc1224f7b6dbffab2bb44_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{49C2EFC5-EBC2-434c-83AB-0A16F6BB084B}\stubpath = "C:\\Windows\\{49C2EFC5-EBC2-434c-83AB-0A16F6BB084B}.exe"	2024-04-08_c9cebb7ce9efc1224f7b6dbffab2bb44_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4AD8EDD2-E30B-444f-A27C-CFB172253D05}\stubpath = "C:\\Windows\\{4AD8EDD2-E30B-444f-A27C-CFB172253D05}.exe"	{69016A2A-7321-4020-8F68-E26EB137EAC7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E2ED7EC6-54D4-45a9-9DEA-3E451DE8DE2C}\stubpath = "C:\\Windows\\{E2ED7EC6-54D4-45a9-9DEA-3E451DE8DE2C}.exe"	{4AD8EDD2-E30B-444f-A27C-CFB172253D05}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2D26388D-214E-4dc7-BF9D-78319919A563}\stubpath = "C:\\Windows\\{2D26388D-214E-4dc7-BF9D-78319919A563}.exe"	{782099AD-FB81-4a22-8493-0A757B8371CD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A37D7FE6-0E69-43c7-B700-7978AC7AF6AE}	{2D26388D-214E-4dc7-BF9D-78319919A563}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A37D7FE6-0E69-43c7-B700-7978AC7AF6AE}\stubpath = "C:\\Windows\\{A37D7FE6-0E69-43c7-B700-7978AC7AF6AE}.exe"	{2D26388D-214E-4dc7-BF9D-78319919A563}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{434D04D6-CD47-4785-BFC0-8B8A5AED1CD0}	{9AEC8141-7EDB-4c7a-BBED-961CAA30380B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{69016A2A-7321-4020-8F68-E26EB137EAC7}	{434D04D6-CD47-4785-BFC0-8B8A5AED1CD0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E2ED7EC6-54D4-45a9-9DEA-3E451DE8DE2C}	{4AD8EDD2-E30B-444f-A27C-CFB172253D05}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{782099AD-FB81-4a22-8493-0A757B8371CD}	{E2ED7EC6-54D4-45a9-9DEA-3E451DE8DE2C}.exe

Deletes itself 1 IoCs

pid	Process
2196	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
1768	{49C2EFC5-EBC2-434c-83AB-0A16F6BB084B}.exe
2564	{9AEC8141-7EDB-4c7a-BBED-961CAA30380B}.exe
2724	{434D04D6-CD47-4785-BFC0-8B8A5AED1CD0}.exe
2628	{69016A2A-7321-4020-8F68-E26EB137EAC7}.exe
2768	{4AD8EDD2-E30B-444f-A27C-CFB172253D05}.exe
2004	{E2ED7EC6-54D4-45a9-9DEA-3E451DE8DE2C}.exe
2352	{782099AD-FB81-4a22-8493-0A757B8371CD}.exe
1960	{2D26388D-214E-4dc7-BF9D-78319919A563}.exe
2108	{A37D7FE6-0E69-43c7-B700-7978AC7AF6AE}.exe
2848	{35DB1F42-FE5D-44ee-81FC-ACD16F1869A3}.exe
1260	{9043777F-67E1-4d31-AAD6-9F6D74F5CB54}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{434D04D6-CD47-4785-BFC0-8B8A5AED1CD0}.exe	{9AEC8141-7EDB-4c7a-BBED-961CAA30380B}.exe
File created	C:\Windows\{4AD8EDD2-E30B-444f-A27C-CFB172253D05}.exe	{69016A2A-7321-4020-8F68-E26EB137EAC7}.exe
File created	C:\Windows\{2D26388D-214E-4dc7-BF9D-78319919A563}.exe	{782099AD-FB81-4a22-8493-0A757B8371CD}.exe
File created	C:\Windows\{E2ED7EC6-54D4-45a9-9DEA-3E451DE8DE2C}.exe	{4AD8EDD2-E30B-444f-A27C-CFB172253D05}.exe
File created	C:\Windows\{782099AD-FB81-4a22-8493-0A757B8371CD}.exe	{E2ED7EC6-54D4-45a9-9DEA-3E451DE8DE2C}.exe
File created	C:\Windows\{A37D7FE6-0E69-43c7-B700-7978AC7AF6AE}.exe	{2D26388D-214E-4dc7-BF9D-78319919A563}.exe
File created	C:\Windows\{35DB1F42-FE5D-44ee-81FC-ACD16F1869A3}.exe	{A37D7FE6-0E69-43c7-B700-7978AC7AF6AE}.exe
File created	C:\Windows\{9043777F-67E1-4d31-AAD6-9F6D74F5CB54}.exe	{35DB1F42-FE5D-44ee-81FC-ACD16F1869A3}.exe
File created	C:\Windows\{49C2EFC5-EBC2-434c-83AB-0A16F6BB084B}.exe	2024-04-08_c9cebb7ce9efc1224f7b6dbffab2bb44_goldeneye.exe
File created	C:\Windows\{9AEC8141-7EDB-4c7a-BBED-961CAA30380B}.exe	{49C2EFC5-EBC2-434c-83AB-0A16F6BB084B}.exe
File created	C:\Windows\{69016A2A-7321-4020-8F68-E26EB137EAC7}.exe	{434D04D6-CD47-4785-BFC0-8B8A5AED1CD0}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2412	2024-04-08_c9cebb7ce9efc1224f7b6dbffab2bb44_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1768	{49C2EFC5-EBC2-434c-83AB-0A16F6BB084B}.exe
Token: SeIncBasePriorityPrivilege	2564	{9AEC8141-7EDB-4c7a-BBED-961CAA30380B}.exe
Token: SeIncBasePriorityPrivilege	2724	{434D04D6-CD47-4785-BFC0-8B8A5AED1CD0}.exe
Token: SeIncBasePriorityPrivilege	2628	{69016A2A-7321-4020-8F68-E26EB137EAC7}.exe
Token: SeIncBasePriorityPrivilege	2768	{4AD8EDD2-E30B-444f-A27C-CFB172253D05}.exe
Token: SeIncBasePriorityPrivilege	2004	{E2ED7EC6-54D4-45a9-9DEA-3E451DE8DE2C}.exe
Token: SeIncBasePriorityPrivilege	2352	{782099AD-FB81-4a22-8493-0A757B8371CD}.exe
Token: SeIncBasePriorityPrivilege	1960	{2D26388D-214E-4dc7-BF9D-78319919A563}.exe
Token: SeIncBasePriorityPrivilege	2108	{A37D7FE6-0E69-43c7-B700-7978AC7AF6AE}.exe
Token: SeIncBasePriorityPrivilege	2848	{35DB1F42-FE5D-44ee-81FC-ACD16F1869A3}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2412 wrote to memory of 1768	2412	2024-04-08_c9cebb7ce9efc1224f7b6dbffab2bb44_goldeneye.exe	28
PID 2412 wrote to memory of 1768	2412	2024-04-08_c9cebb7ce9efc1224f7b6dbffab2bb44_goldeneye.exe	28
PID 2412 wrote to memory of 1768	2412	2024-04-08_c9cebb7ce9efc1224f7b6dbffab2bb44_goldeneye.exe	28
PID 2412 wrote to memory of 1768	2412	2024-04-08_c9cebb7ce9efc1224f7b6dbffab2bb44_goldeneye.exe	28
PID 2412 wrote to memory of 2196	2412	2024-04-08_c9cebb7ce9efc1224f7b6dbffab2bb44_goldeneye.exe	29
PID 2412 wrote to memory of 2196	2412	2024-04-08_c9cebb7ce9efc1224f7b6dbffab2bb44_goldeneye.exe	29
PID 2412 wrote to memory of 2196	2412	2024-04-08_c9cebb7ce9efc1224f7b6dbffab2bb44_goldeneye.exe	29
PID 2412 wrote to memory of 2196	2412	2024-04-08_c9cebb7ce9efc1224f7b6dbffab2bb44_goldeneye.exe	29
PID 1768 wrote to memory of 2564	1768	{49C2EFC5-EBC2-434c-83AB-0A16F6BB084B}.exe	30
PID 1768 wrote to memory of 2564	1768	{49C2EFC5-EBC2-434c-83AB-0A16F6BB084B}.exe	30
PID 1768 wrote to memory of 2564	1768	{49C2EFC5-EBC2-434c-83AB-0A16F6BB084B}.exe	30
PID 1768 wrote to memory of 2564	1768	{49C2EFC5-EBC2-434c-83AB-0A16F6BB084B}.exe	30
PID 1768 wrote to memory of 2828	1768	{49C2EFC5-EBC2-434c-83AB-0A16F6BB084B}.exe	31
PID 1768 wrote to memory of 2828	1768	{49C2EFC5-EBC2-434c-83AB-0A16F6BB084B}.exe	31
PID 1768 wrote to memory of 2828	1768	{49C2EFC5-EBC2-434c-83AB-0A16F6BB084B}.exe	31
PID 1768 wrote to memory of 2828	1768	{49C2EFC5-EBC2-434c-83AB-0A16F6BB084B}.exe	31
PID 2564 wrote to memory of 2724	2564	{9AEC8141-7EDB-4c7a-BBED-961CAA30380B}.exe	32
PID 2564 wrote to memory of 2724	2564	{9AEC8141-7EDB-4c7a-BBED-961CAA30380B}.exe	32
PID 2564 wrote to memory of 2724	2564	{9AEC8141-7EDB-4c7a-BBED-961CAA30380B}.exe	32
PID 2564 wrote to memory of 2724	2564	{9AEC8141-7EDB-4c7a-BBED-961CAA30380B}.exe	32
PID 2564 wrote to memory of 2952	2564	{9AEC8141-7EDB-4c7a-BBED-961CAA30380B}.exe	33
PID 2564 wrote to memory of 2952	2564	{9AEC8141-7EDB-4c7a-BBED-961CAA30380B}.exe	33
PID 2564 wrote to memory of 2952	2564	{9AEC8141-7EDB-4c7a-BBED-961CAA30380B}.exe	33
PID 2564 wrote to memory of 2952	2564	{9AEC8141-7EDB-4c7a-BBED-961CAA30380B}.exe	33
PID 2724 wrote to memory of 2628	2724	{434D04D6-CD47-4785-BFC0-8B8A5AED1CD0}.exe	36
PID 2724 wrote to memory of 2628	2724	{434D04D6-CD47-4785-BFC0-8B8A5AED1CD0}.exe	36
PID 2724 wrote to memory of 2628	2724	{434D04D6-CD47-4785-BFC0-8B8A5AED1CD0}.exe	36
PID 2724 wrote to memory of 2628	2724	{434D04D6-CD47-4785-BFC0-8B8A5AED1CD0}.exe	36
PID 2724 wrote to memory of 2020	2724	{434D04D6-CD47-4785-BFC0-8B8A5AED1CD0}.exe	37
PID 2724 wrote to memory of 2020	2724	{434D04D6-CD47-4785-BFC0-8B8A5AED1CD0}.exe	37
PID 2724 wrote to memory of 2020	2724	{434D04D6-CD47-4785-BFC0-8B8A5AED1CD0}.exe	37
PID 2724 wrote to memory of 2020	2724	{434D04D6-CD47-4785-BFC0-8B8A5AED1CD0}.exe	37
PID 2628 wrote to memory of 2768	2628	{69016A2A-7321-4020-8F68-E26EB137EAC7}.exe	38
PID 2628 wrote to memory of 2768	2628	{69016A2A-7321-4020-8F68-E26EB137EAC7}.exe	38
PID 2628 wrote to memory of 2768	2628	{69016A2A-7321-4020-8F68-E26EB137EAC7}.exe	38
PID 2628 wrote to memory of 2768	2628	{69016A2A-7321-4020-8F68-E26EB137EAC7}.exe	38
PID 2628 wrote to memory of 2792	2628	{69016A2A-7321-4020-8F68-E26EB137EAC7}.exe	39
PID 2628 wrote to memory of 2792	2628	{69016A2A-7321-4020-8F68-E26EB137EAC7}.exe	39
PID 2628 wrote to memory of 2792	2628	{69016A2A-7321-4020-8F68-E26EB137EAC7}.exe	39
PID 2628 wrote to memory of 2792	2628	{69016A2A-7321-4020-8F68-E26EB137EAC7}.exe	39
PID 2768 wrote to memory of 2004	2768	{4AD8EDD2-E30B-444f-A27C-CFB172253D05}.exe	40
PID 2768 wrote to memory of 2004	2768	{4AD8EDD2-E30B-444f-A27C-CFB172253D05}.exe	40
PID 2768 wrote to memory of 2004	2768	{4AD8EDD2-E30B-444f-A27C-CFB172253D05}.exe	40
PID 2768 wrote to memory of 2004	2768	{4AD8EDD2-E30B-444f-A27C-CFB172253D05}.exe	40
PID 2768 wrote to memory of 1804	2768	{4AD8EDD2-E30B-444f-A27C-CFB172253D05}.exe	41
PID 2768 wrote to memory of 1804	2768	{4AD8EDD2-E30B-444f-A27C-CFB172253D05}.exe	41
PID 2768 wrote to memory of 1804	2768	{4AD8EDD2-E30B-444f-A27C-CFB172253D05}.exe	41
PID 2768 wrote to memory of 1804	2768	{4AD8EDD2-E30B-444f-A27C-CFB172253D05}.exe	41
PID 2004 wrote to memory of 2352	2004	{E2ED7EC6-54D4-45a9-9DEA-3E451DE8DE2C}.exe	42
PID 2004 wrote to memory of 2352	2004	{E2ED7EC6-54D4-45a9-9DEA-3E451DE8DE2C}.exe	42
PID 2004 wrote to memory of 2352	2004	{E2ED7EC6-54D4-45a9-9DEA-3E451DE8DE2C}.exe	42
PID 2004 wrote to memory of 2352	2004	{E2ED7EC6-54D4-45a9-9DEA-3E451DE8DE2C}.exe	42
PID 2004 wrote to memory of 788	2004	{E2ED7EC6-54D4-45a9-9DEA-3E451DE8DE2C}.exe	43
PID 2004 wrote to memory of 788	2004	{E2ED7EC6-54D4-45a9-9DEA-3E451DE8DE2C}.exe	43
PID 2004 wrote to memory of 788	2004	{E2ED7EC6-54D4-45a9-9DEA-3E451DE8DE2C}.exe	43
PID 2004 wrote to memory of 788	2004	{E2ED7EC6-54D4-45a9-9DEA-3E451DE8DE2C}.exe	43
PID 2352 wrote to memory of 1960	2352	{782099AD-FB81-4a22-8493-0A757B8371CD}.exe	44
PID 2352 wrote to memory of 1960	2352	{782099AD-FB81-4a22-8493-0A757B8371CD}.exe	44
PID 2352 wrote to memory of 1960	2352	{782099AD-FB81-4a22-8493-0A757B8371CD}.exe	44
PID 2352 wrote to memory of 1960	2352	{782099AD-FB81-4a22-8493-0A757B8371CD}.exe	44
PID 2352 wrote to memory of 1600	2352	{782099AD-FB81-4a22-8493-0A757B8371CD}.exe	45
PID 2352 wrote to memory of 1600	2352	{782099AD-FB81-4a22-8493-0A757B8371CD}.exe	45
PID 2352 wrote to memory of 1600	2352	{782099AD-FB81-4a22-8493-0A757B8371CD}.exe	45
PID 2352 wrote to memory of 1600	2352	{782099AD-FB81-4a22-8493-0A757B8371CD}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-04-08_c9cebb7ce9efc1224f7b6dbffab2bb44_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-08_c9cebb7ce9efc1224f7b6dbffab2bb44_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2412
- C:\Windows\{49C2EFC5-EBC2-434c-83AB-0A16F6BB084B}.exe
  C:\Windows\{49C2EFC5-EBC2-434c-83AB-0A16F6BB084B}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1768
- - C:\Windows\{9AEC8141-7EDB-4c7a-BBED-961CAA30380B}.exe
    C:\Windows\{9AEC8141-7EDB-4c7a-BBED-961CAA30380B}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2564
  - - C:\Windows\{434D04D6-CD47-4785-BFC0-8B8A5AED1CD0}.exe
      C:\Windows\{434D04D6-CD47-4785-BFC0-8B8A5AED1CD0}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2724
    - - C:\Windows\{69016A2A-7321-4020-8F68-E26EB137EAC7}.exe
        
        C:\Windows\{69016A2A-7321-4020-8F68-E26EB137EAC7}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2628
      - C:\Windows\{4AD8EDD2-E30B-444f-A27C-CFB172253D05}.exe
        
        C:\Windows\{4AD8EDD2-E30B-444f-A27C-CFB172253D05}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2768
        
        C:\Windows\{E2ED7EC6-54D4-45a9-9DEA-3E451DE8DE2C}.exe
        
        C:\Windows\{E2ED7EC6-54D4-45a9-9DEA-3E451DE8DE2C}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2004
        
        C:\Windows\{782099AD-FB81-4a22-8493-0A757B8371CD}.exe
        
        C:\Windows\{782099AD-FB81-4a22-8493-0A757B8371CD}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2352
        
        C:\Windows\{2D26388D-214E-4dc7-BF9D-78319919A563}.exe
        
        C:\Windows\{2D26388D-214E-4dc7-BF9D-78319919A563}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1960
        
        C:\Windows\{A37D7FE6-0E69-43c7-B700-7978AC7AF6AE}.exe
        
        C:\Windows\{A37D7FE6-0E69-43c7-B700-7978AC7AF6AE}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2108
        
        C:\Windows\{35DB1F42-FE5D-44ee-81FC-ACD16F1869A3}.exe
        
        C:\Windows\{35DB1F42-FE5D-44ee-81FC-ACD16F1869A3}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2848
        
        C:\Windows\{9043777F-67E1-4d31-AAD6-9F6D74F5CB54}.exe
        
        C:\Windows\{9043777F-67E1-4d31-AAD6-9F6D74F5CB54}.exe
        12⤵
        Executes dropped EXE
        
        PID:1260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{35DB1~1.EXE > nul
        12⤵
        
        PID:576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A37D7~1.EXE > nul
        11⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2D263~1.EXE > nul
        10⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{78209~1.EXE > nul
        9⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E2ED7~1.EXE > nul
        8⤵
        
        PID:788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4AD8E~1.EXE > nul
        7⤵
        
        PID:1804
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{69016~1.EXE > nul
        6⤵
        
        PID:2792
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{434D0~1.EXE > nul
        5⤵
        
        PID:2020
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{9AEC8~1.EXE > nul
      4⤵
      PID:2952
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{49C2E~1.EXE > nul
    3⤵
    PID:2828
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2196

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{2D26388D-214E-4dc7-BF9D-78319919A563}.exe

Filesize
380KB

MD5
5817f9c9d8ace160f8dd5183a436117f

SHA1
7f7ea19302c8076ae336e9e3698181e7312f9185

SHA256
f89cc342b8dc023e65edce3e567af4f9c6551b6b44301f107229e63728d7e2da

SHA512
a7adf6d3eb285e30ff2b1678e041683b966cb55670f4e3f6d12cadfb370a3c81d663c454be97121d7bcc5a42b5d5ed9970c0620f715bd4168f29ded992e662bd

Download Submit
C:\Windows\{35DB1F42-FE5D-44ee-81FC-ACD16F1869A3}.exe

Filesize
380KB

MD5
3e9558a62eda0d4b5aba924ad496178d

SHA1
6ab525164863fb5e6e2135ebb50d7c2961a0f8fa

SHA256
12ca67eca46c914b2a8502a74ddcd62e97d3bcb7edc2f3437a84ca5cf9eb78cc

SHA512
199f0796c4abd1007aba8b24c06612c928f1daca3c219b35c9b279a83c1c2e6e7bd142c13c773c8aed67dd6dc6c73c853411f49b07c5b63479b8e7553556d328

Download Submit
C:\Windows\{434D04D6-CD47-4785-BFC0-8B8A5AED1CD0}.exe

Filesize
380KB

MD5
9504e0fbab007a9bbeaae2641de2efc4

SHA1
1d7b68561deaa94f1873ced01e5b05affe9cd476

SHA256
3c90e0e4ce22900a46728ce1375d76e4d426028e5e4d9b4d8a86251b12af8b65

SHA512
5ba36ba704c310f943f67ad870ef6b0d07d01b43f90a977d5574cfb3dd102a0dae4e26dfd7d26a5a3e47360bda351c3812e2359c913d944e1ae347e9cc71b294

Download Submit
C:\Windows\{49C2EFC5-EBC2-434c-83AB-0A16F6BB084B}.exe

Filesize
380KB

MD5
679d8676c7c3a1496d3c24906be3af7f

SHA1
4f1b91d52347cf31bb1ae3a08d9a6927848f338e

SHA256
624d71ef87cafd3deeb43c8f49b6bc529c6a93a9ec41fd32453cfcf75e788a5a

SHA512
e440aaa7cae8027e0fe543ce9908af72f7e02af8c6624e8ba18f9cca0e3af5d27a4f02a4690fc1c5d0f541e76e75751a121afba6a1cefd2c3b901518ae0c1d03

Download Submit
C:\Windows\{4AD8EDD2-E30B-444f-A27C-CFB172253D05}.exe

Filesize
380KB

MD5
0262a024d2024b89e65dc0f0b66c7015

SHA1
1a61229cb20ed0f3af3765a940da26f138ba943a

SHA256
ff53fe906d2b8a324b7f40eca03eaa2e97b1bad3ace2ff448a93fd5675e90fbd

SHA512
48c180aaa5aceb6d2f7a9ed84b7ed69dc0cdcec3f8ce0c56a94d2eb13922f65063a0df8e64e5c037fbc47db078608393cacee7c99458b4aee424c3129c9f8be7

Download Submit
C:\Windows\{69016A2A-7321-4020-8F68-E26EB137EAC7}.exe

Filesize
380KB

MD5
b17511c59421724dcc614b5c0ba09c9a

SHA1
cf5d6c5d1df8204e0cb842dd33cb1483a7f15361

SHA256
5a79f20faba9b8ae0edf24a1fd6697cccb702a74d09a1c75f0f89ecb287b2f4e

SHA512
143975f45af08322b77dd9dc8cbb87cdb2019cae86fc5666ac83af4e273da40c744a757347110c854a9a062183a314fdceb86530f1a976445390068cf91e4dca

Download Submit
C:\Windows\{782099AD-FB81-4a22-8493-0A757B8371CD}.exe

Filesize
380KB

MD5
f17ce19acb6a6004b3cf85738f3c2259

SHA1
b17ff6983c7a4ec51fa7b035ace7a3511bae52ba

SHA256
cc5855ee8d4f077c250579cb665f39aab940435a4cda8745c9fd9a9b4bada288

SHA512
889de41994d9b68b9fa4653302a8334f2473217606181ebb2d14b36457be73397fdcf9926ec9839903ce893e378753cb2a31f7af6489296d4c93fe39cd3979fd

Download Submit
C:\Windows\{9043777F-67E1-4d31-AAD6-9F6D74F5CB54}.exe

Filesize
380KB

MD5
d597ebca8acdb77768bd391685503070

SHA1
b0f8bda525b59aa9e84caf30cd6f0cdb637cfefe

SHA256
5c017b5a82187115b43c81dfb5f390ce07cde3b502d45cb713b40551f01d63be

SHA512
1dca59c5e8e7ac57b33d099d297ed4064547015c7cdae83aa5742386b4d7d00c4fc978dbbc9b0bd9a98faeb29deb0e24b85dbb29e3e2696930676d84657d5ba4

Download Submit
C:\Windows\{9AEC8141-7EDB-4c7a-BBED-961CAA30380B}.exe

Filesize
380KB

MD5
ee91fee673e0a56f8f4bf521aed74035

SHA1
57fd9bc55e9775dc83863393cd59ab9bfebd344a

SHA256
90f69e2d141fdb8d5600a2a74fee918fca8381dac23039a0c6a9043059cedd34

SHA512
d159442bb6d744917bcccdee56478fa2391999293eda57b415c1008584f7614b7cbc6e66881b5f44cbe7367549c17369265a201a7835bcebc9c57c225f16b507

Download Submit
C:\Windows\{A37D7FE6-0E69-43c7-B700-7978AC7AF6AE}.exe

Filesize
380KB

MD5
84833c9f34bbe2db986859b330d6259b

SHA1
2775d527ea064d062382caea6bb9591941dc3645

SHA256
591dbfe2dc45ea6fed0babb1f0f577ac03368a48d66564c533bba7f0089ea09f

SHA512
72883f0aad9c5224639956c55024c0107c918b43372e9c4231481bb4b8f558610d025ee3d61da45ff6b614b2f30050e0d8a29916817a60c98cd2a8a91085cb7b

Download Submit
C:\Windows\{E2ED7EC6-54D4-45a9-9DEA-3E451DE8DE2C}.exe

Filesize
380KB

MD5
99435759081526e66fd00d528835ac06

SHA1
0189c7cd7829b768552383e45dc59a194b9a7ef3

SHA256
cb70881312dd6d8d32877678f2bd0a9f24b9513827b135e570d8fd3f5812d5c6

SHA512
3bca0475987e3d430a555fa0d325ed991048c57c04edb68ab7ba5c4ffa46b2e811ce6fce92a179825671065bee90f543d5e97d06c9796261ce51bf4976448979

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads