9d5cc7a85e7dcf27b6489c8312ae10bb856ced98aaee12b7de2ce33e672cd969

Analysis

max time kernel
144s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
09/04/2024, 01:13

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-04-09_7bc9f8b3099be0d18cb06ab6f0a1e5f4_goldeneye.exe
Size

192KB
MD5

7bc9f8b3099be0d18cb06ab6f0a1e5f4
SHA1

f799e9c264f219e16ed91addcae7912c04a7b130
SHA256

9d5cc7a85e7dcf27b6489c8312ae10bb856ced98aaee12b7de2ce33e672cd969
SHA512

c8715c576753cc54a15f3d8a8ac733afab68a7d8c91887c52dde3621ccfef2bea961d7b76073a234ac4e15deaf3b40688a68ab1fc9040ed6611dd6d2c8f9a3c5
SSDEEP

1536:1EGh0oRl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3H6:1EGh0oRl1OPOe2MUVg3Ve+rXfMUa

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000d000000012256-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00080000000122cd-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x003800000001566b-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x003800000001567f-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a00000001568c-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000015cd5-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000015cd5-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{433618D3-9054-4466-87D9-CB1065013A35}\stubpath = "C:\\Windows\\{433618D3-9054-4466-87D9-CB1065013A35}.exe"	{F681A0CA-D366-45fb-AD8B-54F24B442653}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F6507675-8DE8-459e-90E4-4AF117FE9F46}	{4A7BE31B-AA3D-47c1-B1DA-1BE1482BF65E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F17733C4-100C-4536-AA5C-679DF115E3B8}\stubpath = "C:\\Windows\\{F17733C4-100C-4536-AA5C-679DF115E3B8}.exe"	{F6507675-8DE8-459e-90E4-4AF117FE9F46}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1EE408DA-CACE-4e5b-A552-8B37EAFD7E48}	{F17733C4-100C-4536-AA5C-679DF115E3B8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1EE408DA-CACE-4e5b-A552-8B37EAFD7E48}\stubpath = "C:\\Windows\\{1EE408DA-CACE-4e5b-A552-8B37EAFD7E48}.exe"	{F17733C4-100C-4536-AA5C-679DF115E3B8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E309DFE6-0D2F-4e02-8FA6-05A42A63CA09}	{CC06BB59-505B-4598-8670-11568D6FD7A0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D327EEF5-30C1-4565-991E-D4A78F36817A}\stubpath = "C:\\Windows\\{D327EEF5-30C1-4565-991E-D4A78F36817A}.exe"	{78A5CAB8-82E5-4799-86EF-505A0392A110}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1402A255-3B31-4c34-B55E-05CE35BE2E71}\stubpath = "C:\\Windows\\{1402A255-3B31-4c34-B55E-05CE35BE2E71}.exe"	{D327EEF5-30C1-4565-991E-D4A78F36817A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4A7BE31B-AA3D-47c1-B1DA-1BE1482BF65E}\stubpath = "C:\\Windows\\{4A7BE31B-AA3D-47c1-B1DA-1BE1482BF65E}.exe"	{433618D3-9054-4466-87D9-CB1065013A35}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CC06BB59-505B-4598-8670-11568D6FD7A0}\stubpath = "C:\\Windows\\{CC06BB59-505B-4598-8670-11568D6FD7A0}.exe"	{1EE408DA-CACE-4e5b-A552-8B37EAFD7E48}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F681A0CA-D366-45fb-AD8B-54F24B442653}	2024-04-09_7bc9f8b3099be0d18cb06ab6f0a1e5f4_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{433618D3-9054-4466-87D9-CB1065013A35}	{F681A0CA-D366-45fb-AD8B-54F24B442653}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F6507675-8DE8-459e-90E4-4AF117FE9F46}\stubpath = "C:\\Windows\\{F6507675-8DE8-459e-90E4-4AF117FE9F46}.exe"	{4A7BE31B-AA3D-47c1-B1DA-1BE1482BF65E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E309DFE6-0D2F-4e02-8FA6-05A42A63CA09}\stubpath = "C:\\Windows\\{E309DFE6-0D2F-4e02-8FA6-05A42A63CA09}.exe"	{CC06BB59-505B-4598-8670-11568D6FD7A0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{78A5CAB8-82E5-4799-86EF-505A0392A110}	{E309DFE6-0D2F-4e02-8FA6-05A42A63CA09}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{78A5CAB8-82E5-4799-86EF-505A0392A110}\stubpath = "C:\\Windows\\{78A5CAB8-82E5-4799-86EF-505A0392A110}.exe"	{E309DFE6-0D2F-4e02-8FA6-05A42A63CA09}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F681A0CA-D366-45fb-AD8B-54F24B442653}\stubpath = "C:\\Windows\\{F681A0CA-D366-45fb-AD8B-54F24B442653}.exe"	2024-04-09_7bc9f8b3099be0d18cb06ab6f0a1e5f4_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4A7BE31B-AA3D-47c1-B1DA-1BE1482BF65E}	{433618D3-9054-4466-87D9-CB1065013A35}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F17733C4-100C-4536-AA5C-679DF115E3B8}	{F6507675-8DE8-459e-90E4-4AF117FE9F46}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CC06BB59-505B-4598-8670-11568D6FD7A0}	{1EE408DA-CACE-4e5b-A552-8B37EAFD7E48}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D327EEF5-30C1-4565-991E-D4A78F36817A}	{78A5CAB8-82E5-4799-86EF-505A0392A110}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1402A255-3B31-4c34-B55E-05CE35BE2E71}	{D327EEF5-30C1-4565-991E-D4A78F36817A}.exe

Deletes itself 1 IoCs

pid	Process
3048	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
3052	{F681A0CA-D366-45fb-AD8B-54F24B442653}.exe
2584	{433618D3-9054-4466-87D9-CB1065013A35}.exe
2800	{4A7BE31B-AA3D-47c1-B1DA-1BE1482BF65E}.exe
2252	{F6507675-8DE8-459e-90E4-4AF117FE9F46}.exe
2940	{F17733C4-100C-4536-AA5C-679DF115E3B8}.exe
1340	{1EE408DA-CACE-4e5b-A552-8B37EAFD7E48}.exe
1028	{CC06BB59-505B-4598-8670-11568D6FD7A0}.exe
2700	{E309DFE6-0D2F-4e02-8FA6-05A42A63CA09}.exe
1964	{78A5CAB8-82E5-4799-86EF-505A0392A110}.exe
2304	{D327EEF5-30C1-4565-991E-D4A78F36817A}.exe
2052	{1402A255-3B31-4c34-B55E-05CE35BE2E71}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{D327EEF5-30C1-4565-991E-D4A78F36817A}.exe	{78A5CAB8-82E5-4799-86EF-505A0392A110}.exe
File created	C:\Windows\{1402A255-3B31-4c34-B55E-05CE35BE2E71}.exe	{D327EEF5-30C1-4565-991E-D4A78F36817A}.exe
File created	C:\Windows\{F681A0CA-D366-45fb-AD8B-54F24B442653}.exe	2024-04-09_7bc9f8b3099be0d18cb06ab6f0a1e5f4_goldeneye.exe
File created	C:\Windows\{433618D3-9054-4466-87D9-CB1065013A35}.exe	{F681A0CA-D366-45fb-AD8B-54F24B442653}.exe
File created	C:\Windows\{F6507675-8DE8-459e-90E4-4AF117FE9F46}.exe	{4A7BE31B-AA3D-47c1-B1DA-1BE1482BF65E}.exe
File created	C:\Windows\{1EE408DA-CACE-4e5b-A552-8B37EAFD7E48}.exe	{F17733C4-100C-4536-AA5C-679DF115E3B8}.exe
File created	C:\Windows\{CC06BB59-505B-4598-8670-11568D6FD7A0}.exe	{1EE408DA-CACE-4e5b-A552-8B37EAFD7E48}.exe
File created	C:\Windows\{4A7BE31B-AA3D-47c1-B1DA-1BE1482BF65E}.exe	{433618D3-9054-4466-87D9-CB1065013A35}.exe
File created	C:\Windows\{F17733C4-100C-4536-AA5C-679DF115E3B8}.exe	{F6507675-8DE8-459e-90E4-4AF117FE9F46}.exe
File created	C:\Windows\{E309DFE6-0D2F-4e02-8FA6-05A42A63CA09}.exe	{CC06BB59-505B-4598-8670-11568D6FD7A0}.exe
File created	C:\Windows\{78A5CAB8-82E5-4799-86EF-505A0392A110}.exe	{E309DFE6-0D2F-4e02-8FA6-05A42A63CA09}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2208	2024-04-09_7bc9f8b3099be0d18cb06ab6f0a1e5f4_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3052	{F681A0CA-D366-45fb-AD8B-54F24B442653}.exe
Token: SeIncBasePriorityPrivilege	2584	{433618D3-9054-4466-87D9-CB1065013A35}.exe
Token: SeIncBasePriorityPrivilege	2800	{4A7BE31B-AA3D-47c1-B1DA-1BE1482BF65E}.exe
Token: SeIncBasePriorityPrivilege	2252	{F6507675-8DE8-459e-90E4-4AF117FE9F46}.exe
Token: SeIncBasePriorityPrivilege	2940	{F17733C4-100C-4536-AA5C-679DF115E3B8}.exe
Token: SeIncBasePriorityPrivilege	1340	{1EE408DA-CACE-4e5b-A552-8B37EAFD7E48}.exe
Token: SeIncBasePriorityPrivilege	1028	{CC06BB59-505B-4598-8670-11568D6FD7A0}.exe
Token: SeIncBasePriorityPrivilege	2700	{E309DFE6-0D2F-4e02-8FA6-05A42A63CA09}.exe
Token: SeIncBasePriorityPrivilege	1964	{78A5CAB8-82E5-4799-86EF-505A0392A110}.exe
Token: SeIncBasePriorityPrivilege	2304	{D327EEF5-30C1-4565-991E-D4A78F36817A}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2208 wrote to memory of 3052	2208	2024-04-09_7bc9f8b3099be0d18cb06ab6f0a1e5f4_goldeneye.exe	28
PID 2208 wrote to memory of 3052	2208	2024-04-09_7bc9f8b3099be0d18cb06ab6f0a1e5f4_goldeneye.exe	28
PID 2208 wrote to memory of 3052	2208	2024-04-09_7bc9f8b3099be0d18cb06ab6f0a1e5f4_goldeneye.exe	28
PID 2208 wrote to memory of 3052	2208	2024-04-09_7bc9f8b3099be0d18cb06ab6f0a1e5f4_goldeneye.exe	28
PID 2208 wrote to memory of 3048	2208	2024-04-09_7bc9f8b3099be0d18cb06ab6f0a1e5f4_goldeneye.exe	29
PID 2208 wrote to memory of 3048	2208	2024-04-09_7bc9f8b3099be0d18cb06ab6f0a1e5f4_goldeneye.exe	29
PID 2208 wrote to memory of 3048	2208	2024-04-09_7bc9f8b3099be0d18cb06ab6f0a1e5f4_goldeneye.exe	29
PID 2208 wrote to memory of 3048	2208	2024-04-09_7bc9f8b3099be0d18cb06ab6f0a1e5f4_goldeneye.exe	29
PID 3052 wrote to memory of 2584	3052	{F681A0CA-D366-45fb-AD8B-54F24B442653}.exe	30
PID 3052 wrote to memory of 2584	3052	{F681A0CA-D366-45fb-AD8B-54F24B442653}.exe	30
PID 3052 wrote to memory of 2584	3052	{F681A0CA-D366-45fb-AD8B-54F24B442653}.exe	30
PID 3052 wrote to memory of 2584	3052	{F681A0CA-D366-45fb-AD8B-54F24B442653}.exe	30
PID 3052 wrote to memory of 2468	3052	{F681A0CA-D366-45fb-AD8B-54F24B442653}.exe	31
PID 3052 wrote to memory of 2468	3052	{F681A0CA-D366-45fb-AD8B-54F24B442653}.exe	31
PID 3052 wrote to memory of 2468	3052	{F681A0CA-D366-45fb-AD8B-54F24B442653}.exe	31
PID 3052 wrote to memory of 2468	3052	{F681A0CA-D366-45fb-AD8B-54F24B442653}.exe	31
PID 2584 wrote to memory of 2800	2584	{433618D3-9054-4466-87D9-CB1065013A35}.exe	32
PID 2584 wrote to memory of 2800	2584	{433618D3-9054-4466-87D9-CB1065013A35}.exe	32
PID 2584 wrote to memory of 2800	2584	{433618D3-9054-4466-87D9-CB1065013A35}.exe	32
PID 2584 wrote to memory of 2800	2584	{433618D3-9054-4466-87D9-CB1065013A35}.exe	32
PID 2584 wrote to memory of 2632	2584	{433618D3-9054-4466-87D9-CB1065013A35}.exe	33
PID 2584 wrote to memory of 2632	2584	{433618D3-9054-4466-87D9-CB1065013A35}.exe	33
PID 2584 wrote to memory of 2632	2584	{433618D3-9054-4466-87D9-CB1065013A35}.exe	33
PID 2584 wrote to memory of 2632	2584	{433618D3-9054-4466-87D9-CB1065013A35}.exe	33
PID 2800 wrote to memory of 2252	2800	{4A7BE31B-AA3D-47c1-B1DA-1BE1482BF65E}.exe	36
PID 2800 wrote to memory of 2252	2800	{4A7BE31B-AA3D-47c1-B1DA-1BE1482BF65E}.exe	36
PID 2800 wrote to memory of 2252	2800	{4A7BE31B-AA3D-47c1-B1DA-1BE1482BF65E}.exe	36
PID 2800 wrote to memory of 2252	2800	{4A7BE31B-AA3D-47c1-B1DA-1BE1482BF65E}.exe	36
PID 2800 wrote to memory of 2696	2800	{4A7BE31B-AA3D-47c1-B1DA-1BE1482BF65E}.exe	37
PID 2800 wrote to memory of 2696	2800	{4A7BE31B-AA3D-47c1-B1DA-1BE1482BF65E}.exe	37
PID 2800 wrote to memory of 2696	2800	{4A7BE31B-AA3D-47c1-B1DA-1BE1482BF65E}.exe	37
PID 2800 wrote to memory of 2696	2800	{4A7BE31B-AA3D-47c1-B1DA-1BE1482BF65E}.exe	37
PID 2252 wrote to memory of 2940	2252	{F6507675-8DE8-459e-90E4-4AF117FE9F46}.exe	38
PID 2252 wrote to memory of 2940	2252	{F6507675-8DE8-459e-90E4-4AF117FE9F46}.exe	38
PID 2252 wrote to memory of 2940	2252	{F6507675-8DE8-459e-90E4-4AF117FE9F46}.exe	38
PID 2252 wrote to memory of 2940	2252	{F6507675-8DE8-459e-90E4-4AF117FE9F46}.exe	38
PID 2252 wrote to memory of 2996	2252	{F6507675-8DE8-459e-90E4-4AF117FE9F46}.exe	39
PID 2252 wrote to memory of 2996	2252	{F6507675-8DE8-459e-90E4-4AF117FE9F46}.exe	39
PID 2252 wrote to memory of 2996	2252	{F6507675-8DE8-459e-90E4-4AF117FE9F46}.exe	39
PID 2252 wrote to memory of 2996	2252	{F6507675-8DE8-459e-90E4-4AF117FE9F46}.exe	39
PID 2940 wrote to memory of 1340	2940	{F17733C4-100C-4536-AA5C-679DF115E3B8}.exe	40
PID 2940 wrote to memory of 1340	2940	{F17733C4-100C-4536-AA5C-679DF115E3B8}.exe	40
PID 2940 wrote to memory of 1340	2940	{F17733C4-100C-4536-AA5C-679DF115E3B8}.exe	40
PID 2940 wrote to memory of 1340	2940	{F17733C4-100C-4536-AA5C-679DF115E3B8}.exe	40
PID 2940 wrote to memory of 2348	2940	{F17733C4-100C-4536-AA5C-679DF115E3B8}.exe	41
PID 2940 wrote to memory of 2348	2940	{F17733C4-100C-4536-AA5C-679DF115E3B8}.exe	41
PID 2940 wrote to memory of 2348	2940	{F17733C4-100C-4536-AA5C-679DF115E3B8}.exe	41
PID 2940 wrote to memory of 2348	2940	{F17733C4-100C-4536-AA5C-679DF115E3B8}.exe	41
PID 1340 wrote to memory of 1028	1340	{1EE408DA-CACE-4e5b-A552-8B37EAFD7E48}.exe	42
PID 1340 wrote to memory of 1028	1340	{1EE408DA-CACE-4e5b-A552-8B37EAFD7E48}.exe	42
PID 1340 wrote to memory of 1028	1340	{1EE408DA-CACE-4e5b-A552-8B37EAFD7E48}.exe	42
PID 1340 wrote to memory of 1028	1340	{1EE408DA-CACE-4e5b-A552-8B37EAFD7E48}.exe	42
PID 1340 wrote to memory of 1044	1340	{1EE408DA-CACE-4e5b-A552-8B37EAFD7E48}.exe	43
PID 1340 wrote to memory of 1044	1340	{1EE408DA-CACE-4e5b-A552-8B37EAFD7E48}.exe	43
PID 1340 wrote to memory of 1044	1340	{1EE408DA-CACE-4e5b-A552-8B37EAFD7E48}.exe	43
PID 1340 wrote to memory of 1044	1340	{1EE408DA-CACE-4e5b-A552-8B37EAFD7E48}.exe	43
PID 1028 wrote to memory of 2700	1028	{CC06BB59-505B-4598-8670-11568D6FD7A0}.exe	44
PID 1028 wrote to memory of 2700	1028	{CC06BB59-505B-4598-8670-11568D6FD7A0}.exe	44
PID 1028 wrote to memory of 2700	1028	{CC06BB59-505B-4598-8670-11568D6FD7A0}.exe	44
PID 1028 wrote to memory of 2700	1028	{CC06BB59-505B-4598-8670-11568D6FD7A0}.exe	44
PID 1028 wrote to memory of 492	1028	{CC06BB59-505B-4598-8670-11568D6FD7A0}.exe	45
PID 1028 wrote to memory of 492	1028	{CC06BB59-505B-4598-8670-11568D6FD7A0}.exe	45
PID 1028 wrote to memory of 492	1028	{CC06BB59-505B-4598-8670-11568D6FD7A0}.exe	45
PID 1028 wrote to memory of 492	1028	{CC06BB59-505B-4598-8670-11568D6FD7A0}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-04-09_7bc9f8b3099be0d18cb06ab6f0a1e5f4_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-09_7bc9f8b3099be0d18cb06ab6f0a1e5f4_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2208
- C:\Windows\{F681A0CA-D366-45fb-AD8B-54F24B442653}.exe
  C:\Windows\{F681A0CA-D366-45fb-AD8B-54F24B442653}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3052
- - C:\Windows\{433618D3-9054-4466-87D9-CB1065013A35}.exe
    C:\Windows\{433618D3-9054-4466-87D9-CB1065013A35}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2584
  - - C:\Windows\{4A7BE31B-AA3D-47c1-B1DA-1BE1482BF65E}.exe
      C:\Windows\{4A7BE31B-AA3D-47c1-B1DA-1BE1482BF65E}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2800
    - - C:\Windows\{F6507675-8DE8-459e-90E4-4AF117FE9F46}.exe
        
        C:\Windows\{F6507675-8DE8-459e-90E4-4AF117FE9F46}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2252
      - C:\Windows\{F17733C4-100C-4536-AA5C-679DF115E3B8}.exe
        
        C:\Windows\{F17733C4-100C-4536-AA5C-679DF115E3B8}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2940
        
        C:\Windows\{1EE408DA-CACE-4e5b-A552-8B37EAFD7E48}.exe
        
        C:\Windows\{1EE408DA-CACE-4e5b-A552-8B37EAFD7E48}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1340
        
        C:\Windows\{CC06BB59-505B-4598-8670-11568D6FD7A0}.exe
        
        C:\Windows\{CC06BB59-505B-4598-8670-11568D6FD7A0}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1028
        
        C:\Windows\{E309DFE6-0D2F-4e02-8FA6-05A42A63CA09}.exe
        
        C:\Windows\{E309DFE6-0D2F-4e02-8FA6-05A42A63CA09}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2700
        
        C:\Windows\{78A5CAB8-82E5-4799-86EF-505A0392A110}.exe
        
        C:\Windows\{78A5CAB8-82E5-4799-86EF-505A0392A110}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1964
        
        C:\Windows\{D327EEF5-30C1-4565-991E-D4A78F36817A}.exe
        
        C:\Windows\{D327EEF5-30C1-4565-991E-D4A78F36817A}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2304
        
        C:\Windows\{1402A255-3B31-4c34-B55E-05CE35BE2E71}.exe
        
        C:\Windows\{1402A255-3B31-4c34-B55E-05CE35BE2E71}.exe
        12⤵
        Executes dropped EXE
        
        PID:2052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D327E~1.EXE > nul
        12⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{78A5C~1.EXE > nul
        11⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E309D~1.EXE > nul
        10⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CC06B~1.EXE > nul
        9⤵
        
        PID:492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1EE40~1.EXE > nul
        8⤵
        
        PID:1044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F1773~1.EXE > nul
        7⤵
        
        PID:2348
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F6507~1.EXE > nul
        6⤵
        
        PID:2996
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4A7BE~1.EXE > nul
        5⤵
        
        PID:2696
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{43361~1.EXE > nul
      4⤵
      PID:2632
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{F681A~1.EXE > nul
    3⤵
    PID:2468
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:3048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1402A255-3B31-4c34-B55E-05CE35BE2E71}.exe

Filesize
192KB

MD5
1ec7008dcf8b650ff2978350699e2eb7

SHA1
e9183ceefd412d7c0875bc5859364ef0e6094d33

SHA256
c1e523496e3293b3a7b91440847815823ceeef8b13123fde40121866e4a53055

SHA512
3d0ca9c5c0c0645f1d03d61d49599cff684e869e0146144a71781642c6123679090b374918d6ac5b65b67c01d88fd407bc89403e3304412662d3be3e9810fb41

Download Submit
C:\Windows\{1EE408DA-CACE-4e5b-A552-8B37EAFD7E48}.exe

Filesize
192KB

MD5
83d97e542f31b0c48de4cf26a1f92233

SHA1
fba5c80b6f8ab056c9b010290c4302b3022124e4

SHA256
908a651c236c2df83c9189a2cdf7c437ed4debb2f9ca2218169df1f69aefccd8

SHA512
53fabf86332f5a253d10e58939e32dcaef5eea7a57b5ea0ac4d6116fa04b1d3459e1284fd3c4c5ed8a09c52444af5b38362f09dbb1c264cee2536b9bdf3a6649

Download Submit
C:\Windows\{433618D3-9054-4466-87D9-CB1065013A35}.exe

Filesize
192KB

MD5
c41ea807521d1d9eb5680499aac601bc

SHA1
fcbda932ee94bbff56f0f710dd816f9ec93cdb13

SHA256
487f82759fe56afd47d8259ad80b60bef2ac8e546d123ca41041c514fe74a691

SHA512
67450ce3361601a2aebd5591ef5c84165eedf05068379835749d8ab93f1123ab5e450a48b0a6eb8f8b62db6fd8fa5bef1dc39de4bf179ab72980b906aa333b90

Download Submit
C:\Windows\{4A7BE31B-AA3D-47c1-B1DA-1BE1482BF65E}.exe

Filesize
192KB

MD5
1acfbcb37eca0bc0934d88c87959a5a8

SHA1
07a035d5fb3227935c5d973a10e5d51d5d0af1dd

SHA256
1333d57023bca0b08228c0d812ed43b5e4076a08269309d27225213e700be544

SHA512
ef88cbb578223026cc2287b47fe65b05c653cce7f271bee7fab82cac354fab343e1f489705b28a5cf3c9d4b4d4317e293a8b7196fee330ec751207f9e1c4d35b

Download Submit
C:\Windows\{78A5CAB8-82E5-4799-86EF-505A0392A110}.exe

Filesize
192KB

MD5
235906cb193e3122bfd9de9cfbd116c6

SHA1
ffd06abd26d99a259a55c7b37f40e2fe69a61665

SHA256
9e0558c2920fa676ef13f102c94249edbcce8e46767bcd71a82a9ebe56fad4b2

SHA512
639828bca1a9f56afb0df594920f65f90abd9e6413d3d2a628f432cf7bb98e928103087e21d2b665d102d26ac5b8feb5dad6cda0884472111e4b56d74ad38ca8

Download Submit
C:\Windows\{CC06BB59-505B-4598-8670-11568D6FD7A0}.exe

Filesize
192KB

MD5
1bf0d69e0d62f72103ca4e92842e2084

SHA1
5a72f45d5ecc5fd11225f8761ff5bb14cc103cb1

SHA256
3196a0cfd40e4a2c413515dba8d5ee5207e440c7900f50a186e1d5b6cf9af90b

SHA512
747878f14aa5d4fd0ef296931785b5cfe2f7373442ef70d444095bc60ac35af0d4e3f228b5e1ced97df339b9094726f5117e17e3ea04ac800b11b2ce3eab8c51

Download Submit
C:\Windows\{D327EEF5-30C1-4565-991E-D4A78F36817A}.exe

Filesize
192KB

MD5
1521a25522a9024b46f4833f71506866

SHA1
3e31e5ab4fa089972ab4f6dcd509578e3b443134

SHA256
44226f2d73f50d44536f32fd91172540f19aa47c6148db2f4f79791d250e9521

SHA512
d962943d5e9b47aa66104d6913e0e19327779757b8d2ba3a72dd0bd492f716b0bfc587ef84c596126440f54022d3fad33873a42c5802395c1c6ff32142803c50

Download Submit
C:\Windows\{E309DFE6-0D2F-4e02-8FA6-05A42A63CA09}.exe

Filesize
192KB

MD5
9538de0ccb9171b29c5ddd9a333495f1

SHA1
6cbb8d3409bdf79867e809960c3dd4919e6fa672

SHA256
e8843cce1852115abb65d17419d8d8667321c399e85476b5befa2bb33d115c08

SHA512
a628016ebd254116c43802cd1a94c2ced16528581618cab6ba6df6d2b340ec034d29ba641ea4b789175e8339551f2412beaf32e9ad139a62876539766b6cf0ef

Download Submit
C:\Windows\{F17733C4-100C-4536-AA5C-679DF115E3B8}.exe

Filesize
192KB

MD5
5ad9c42f299cfcc69ef3776730aa1aac

SHA1
8578797ebd36dc0375ca1f192d45fa3472ac90c7

SHA256
75378b2242bca11292352a63dd405c71d0f8cacd27d5a18fb4d77076f1a3fa0a

SHA512
8ffad2ab2953e60bcefbb4eac1b8d3b62ab18014e8d271a9ea06509ad5c268ee69a8bb461c8f56ca2f2c8e13fca727883f0b9d8d90f7f2b7920c54bb427eefe1

Download Submit
C:\Windows\{F6507675-8DE8-459e-90E4-4AF117FE9F46}.exe

Filesize
192KB

MD5
7c430fb8acb871a1ee2e07de974be301

SHA1
a42726745c058fa36415a5c9a65c0c111d199f43

SHA256
29e35f06524c592fd9f8595c6c92bb7cb2fe07a4ce3ccb7c286351e30abf7f11

SHA512
7d31682bfc7b1d4fe61ffa803394cdc531d8c3a795bdecaa7f79b759927b2bedaa6af2fd0a7d2b4f9959e4596faa9958cdbbe2dd5578a49766ce1db073d72a6a

Download Submit
C:\Windows\{F681A0CA-D366-45fb-AD8B-54F24B442653}.exe

Filesize
192KB

MD5
18f10b117d4e6bfe032b002e11edb236

SHA1
3deff06c36dc0656ee47c179a4ef2bba99884b49

SHA256
a900f79b8cbef240af680a0f11a8fa7e9195f1bda589a44a978e441d6f6879ff

SHA512
b218e960ee629abdc8c12a082f0d15eb455bea9c53c17a48b965762dadaf928b2fab33f365c6746d7c475a955c9753a276b1b3d243e52dd5bc7c26b4aca8c4f6

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads