e82981af74d817cb07cdec956bf6a188c179db6491f19c711c26471697ac4e67

Analysis

max time kernel
144s
max time network
118s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
09/04/2024, 04:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-09_fa56f836cc4f0ed7c2fcc84002e79ce3_goldeneye.exe
Size

180KB
MD5

fa56f836cc4f0ed7c2fcc84002e79ce3
SHA1

36a5556ae87149ccf864525e4c9f2b16b7a9cf5c
SHA256

e82981af74d817cb07cdec956bf6a188c179db6491f19c711c26471697ac4e67
SHA512

3fa04ac243cfa72be5c62307e5d1c2ff9c47878df8b7bbb16991959ddf8c27f4727a0d4b6056ea2530fc6c10ce31c30d694822fa499cd49c7b3d3df1b01ce03b
SSDEEP

3072:jEGh0oMlfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGul5eKcAEc

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000d00000001224f-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00080000000122cd-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e00000001224f-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f00000001224f-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001000000001224f-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001100000001224f-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001200000001224f-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8A50B8E7-A246-4d1d-AD02-94F5F44931A0}	{1E9DAB26-3985-40ce-A3C8-542DF871704F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1D6DB178-28ED-4f97-AC88-4F5F0D75F9A6}	{8A50B8E7-A246-4d1d-AD02-94F5F44931A0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7727AB6D-54A8-482d-98DB-5A9FCFFA59B7}\stubpath = "C:\\Windows\\{7727AB6D-54A8-482d-98DB-5A9FCFFA59B7}.exe"	{E7EDEBDB-C8EF-4d5d-9D63-3AAF64BBAF9F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C767AD84-2E77-4cb3-AE6D-F4F0CEA50510}	{BF8CA8F9-0EEC-4bb7-A78B-1150886BF39F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{762D2C24-7631-451b-9F77-311BCA662A85}\stubpath = "C:\\Windows\\{762D2C24-7631-451b-9F77-311BCA662A85}.exe"	{9A807C3B-B4FA-44c9-8765-36567F54897C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1E9DAB26-3985-40ce-A3C8-542DF871704F}	{762D2C24-7631-451b-9F77-311BCA662A85}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1E9DAB26-3985-40ce-A3C8-542DF871704F}\stubpath = "C:\\Windows\\{1E9DAB26-3985-40ce-A3C8-542DF871704F}.exe"	{762D2C24-7631-451b-9F77-311BCA662A85}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8A50B8E7-A246-4d1d-AD02-94F5F44931A0}\stubpath = "C:\\Windows\\{8A50B8E7-A246-4d1d-AD02-94F5F44931A0}.exe"	{1E9DAB26-3985-40ce-A3C8-542DF871704F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E7EDEBDB-C8EF-4d5d-9D63-3AAF64BBAF9F}\stubpath = "C:\\Windows\\{E7EDEBDB-C8EF-4d5d-9D63-3AAF64BBAF9F}.exe"	{1D6DB178-28ED-4f97-AC88-4F5F0D75F9A6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C767AD84-2E77-4cb3-AE6D-F4F0CEA50510}\stubpath = "C:\\Windows\\{C767AD84-2E77-4cb3-AE6D-F4F0CEA50510}.exe"	{BF8CA8F9-0EEC-4bb7-A78B-1150886BF39F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B1D0355A-1079-4e21-85C0-06E8F238736C}\stubpath = "C:\\Windows\\{B1D0355A-1079-4e21-85C0-06E8F238736C}.exe"	{C767AD84-2E77-4cb3-AE6D-F4F0CEA50510}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2361C863-636E-4a33-A644-714678FC9803}\stubpath = "C:\\Windows\\{2361C863-636E-4a33-A644-714678FC9803}.exe"	2024-04-09_fa56f836cc4f0ed7c2fcc84002e79ce3_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9A807C3B-B4FA-44c9-8765-36567F54897C}	{2361C863-636E-4a33-A644-714678FC9803}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{762D2C24-7631-451b-9F77-311BCA662A85}	{9A807C3B-B4FA-44c9-8765-36567F54897C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B1D0355A-1079-4e21-85C0-06E8F238736C}	{C767AD84-2E77-4cb3-AE6D-F4F0CEA50510}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2361C863-636E-4a33-A644-714678FC9803}	2024-04-09_fa56f836cc4f0ed7c2fcc84002e79ce3_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9A807C3B-B4FA-44c9-8765-36567F54897C}\stubpath = "C:\\Windows\\{9A807C3B-B4FA-44c9-8765-36567F54897C}.exe"	{2361C863-636E-4a33-A644-714678FC9803}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BF8CA8F9-0EEC-4bb7-A78B-1150886BF39F}\stubpath = "C:\\Windows\\{BF8CA8F9-0EEC-4bb7-A78B-1150886BF39F}.exe"	{7727AB6D-54A8-482d-98DB-5A9FCFFA59B7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BF8CA8F9-0EEC-4bb7-A78B-1150886BF39F}	{7727AB6D-54A8-482d-98DB-5A9FCFFA59B7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1D6DB178-28ED-4f97-AC88-4F5F0D75F9A6}\stubpath = "C:\\Windows\\{1D6DB178-28ED-4f97-AC88-4F5F0D75F9A6}.exe"	{8A50B8E7-A246-4d1d-AD02-94F5F44931A0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E7EDEBDB-C8EF-4d5d-9D63-3AAF64BBAF9F}	{1D6DB178-28ED-4f97-AC88-4F5F0D75F9A6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7727AB6D-54A8-482d-98DB-5A9FCFFA59B7}	{E7EDEBDB-C8EF-4d5d-9D63-3AAF64BBAF9F}.exe

Deletes itself 1 IoCs

pid	Process
2812	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
3016	{2361C863-636E-4a33-A644-714678FC9803}.exe
2672	{9A807C3B-B4FA-44c9-8765-36567F54897C}.exe
2412	{762D2C24-7631-451b-9F77-311BCA662A85}.exe
1868	{1E9DAB26-3985-40ce-A3C8-542DF871704F}.exe
2868	{8A50B8E7-A246-4d1d-AD02-94F5F44931A0}.exe
792	{1D6DB178-28ED-4f97-AC88-4F5F0D75F9A6}.exe
1764	{E7EDEBDB-C8EF-4d5d-9D63-3AAF64BBAF9F}.exe
1904	{7727AB6D-54A8-482d-98DB-5A9FCFFA59B7}.exe
1832	{BF8CA8F9-0EEC-4bb7-A78B-1150886BF39F}.exe
1968	{C767AD84-2E77-4cb3-AE6D-F4F0CEA50510}.exe
1400	{B1D0355A-1079-4e21-85C0-06E8F238736C}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{BF8CA8F9-0EEC-4bb7-A78B-1150886BF39F}.exe	{7727AB6D-54A8-482d-98DB-5A9FCFFA59B7}.exe
File created	C:\Windows\{C767AD84-2E77-4cb3-AE6D-F4F0CEA50510}.exe	{BF8CA8F9-0EEC-4bb7-A78B-1150886BF39F}.exe
File created	C:\Windows\{B1D0355A-1079-4e21-85C0-06E8F238736C}.exe	{C767AD84-2E77-4cb3-AE6D-F4F0CEA50510}.exe
File created	C:\Windows\{9A807C3B-B4FA-44c9-8765-36567F54897C}.exe	{2361C863-636E-4a33-A644-714678FC9803}.exe
File created	C:\Windows\{E7EDEBDB-C8EF-4d5d-9D63-3AAF64BBAF9F}.exe	{1D6DB178-28ED-4f97-AC88-4F5F0D75F9A6}.exe
File created	C:\Windows\{7727AB6D-54A8-482d-98DB-5A9FCFFA59B7}.exe	{E7EDEBDB-C8EF-4d5d-9D63-3AAF64BBAF9F}.exe
File created	C:\Windows\{8A50B8E7-A246-4d1d-AD02-94F5F44931A0}.exe	{1E9DAB26-3985-40ce-A3C8-542DF871704F}.exe
File created	C:\Windows\{1D6DB178-28ED-4f97-AC88-4F5F0D75F9A6}.exe	{8A50B8E7-A246-4d1d-AD02-94F5F44931A0}.exe
File created	C:\Windows\{2361C863-636E-4a33-A644-714678FC9803}.exe	2024-04-09_fa56f836cc4f0ed7c2fcc84002e79ce3_goldeneye.exe
File created	C:\Windows\{762D2C24-7631-451b-9F77-311BCA662A85}.exe	{9A807C3B-B4FA-44c9-8765-36567F54897C}.exe
File created	C:\Windows\{1E9DAB26-3985-40ce-A3C8-542DF871704F}.exe	{762D2C24-7631-451b-9F77-311BCA662A85}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2156	2024-04-09_fa56f836cc4f0ed7c2fcc84002e79ce3_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3016	{2361C863-636E-4a33-A644-714678FC9803}.exe
Token: SeIncBasePriorityPrivilege	2672	{9A807C3B-B4FA-44c9-8765-36567F54897C}.exe
Token: SeIncBasePriorityPrivilege	2412	{762D2C24-7631-451b-9F77-311BCA662A85}.exe
Token: SeIncBasePriorityPrivilege	1868	{1E9DAB26-3985-40ce-A3C8-542DF871704F}.exe
Token: SeIncBasePriorityPrivilege	2868	{8A50B8E7-A246-4d1d-AD02-94F5F44931A0}.exe
Token: SeIncBasePriorityPrivilege	792	{1D6DB178-28ED-4f97-AC88-4F5F0D75F9A6}.exe
Token: SeIncBasePriorityPrivilege	1764	{E7EDEBDB-C8EF-4d5d-9D63-3AAF64BBAF9F}.exe
Token: SeIncBasePriorityPrivilege	1904	{7727AB6D-54A8-482d-98DB-5A9FCFFA59B7}.exe
Token: SeIncBasePriorityPrivilege	1832	{BF8CA8F9-0EEC-4bb7-A78B-1150886BF39F}.exe
Token: SeIncBasePriorityPrivilege	1968	{C767AD84-2E77-4cb3-AE6D-F4F0CEA50510}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2156 wrote to memory of 3016	2156	2024-04-09_fa56f836cc4f0ed7c2fcc84002e79ce3_goldeneye.exe	28
PID 2156 wrote to memory of 3016	2156	2024-04-09_fa56f836cc4f0ed7c2fcc84002e79ce3_goldeneye.exe	28
PID 2156 wrote to memory of 3016	2156	2024-04-09_fa56f836cc4f0ed7c2fcc84002e79ce3_goldeneye.exe	28
PID 2156 wrote to memory of 3016	2156	2024-04-09_fa56f836cc4f0ed7c2fcc84002e79ce3_goldeneye.exe	28
PID 2156 wrote to memory of 2812	2156	2024-04-09_fa56f836cc4f0ed7c2fcc84002e79ce3_goldeneye.exe	29
PID 2156 wrote to memory of 2812	2156	2024-04-09_fa56f836cc4f0ed7c2fcc84002e79ce3_goldeneye.exe	29
PID 2156 wrote to memory of 2812	2156	2024-04-09_fa56f836cc4f0ed7c2fcc84002e79ce3_goldeneye.exe	29
PID 2156 wrote to memory of 2812	2156	2024-04-09_fa56f836cc4f0ed7c2fcc84002e79ce3_goldeneye.exe	29
PID 3016 wrote to memory of 2672	3016	{2361C863-636E-4a33-A644-714678FC9803}.exe	30
PID 3016 wrote to memory of 2672	3016	{2361C863-636E-4a33-A644-714678FC9803}.exe	30
PID 3016 wrote to memory of 2672	3016	{2361C863-636E-4a33-A644-714678FC9803}.exe	30
PID 3016 wrote to memory of 2672	3016	{2361C863-636E-4a33-A644-714678FC9803}.exe	30
PID 3016 wrote to memory of 2668	3016	{2361C863-636E-4a33-A644-714678FC9803}.exe	31
PID 3016 wrote to memory of 2668	3016	{2361C863-636E-4a33-A644-714678FC9803}.exe	31
PID 3016 wrote to memory of 2668	3016	{2361C863-636E-4a33-A644-714678FC9803}.exe	31
PID 3016 wrote to memory of 2668	3016	{2361C863-636E-4a33-A644-714678FC9803}.exe	31
PID 2672 wrote to memory of 2412	2672	{9A807C3B-B4FA-44c9-8765-36567F54897C}.exe	32
PID 2672 wrote to memory of 2412	2672	{9A807C3B-B4FA-44c9-8765-36567F54897C}.exe	32
PID 2672 wrote to memory of 2412	2672	{9A807C3B-B4FA-44c9-8765-36567F54897C}.exe	32
PID 2672 wrote to memory of 2412	2672	{9A807C3B-B4FA-44c9-8765-36567F54897C}.exe	32
PID 2672 wrote to memory of 2560	2672	{9A807C3B-B4FA-44c9-8765-36567F54897C}.exe	33
PID 2672 wrote to memory of 2560	2672	{9A807C3B-B4FA-44c9-8765-36567F54897C}.exe	33
PID 2672 wrote to memory of 2560	2672	{9A807C3B-B4FA-44c9-8765-36567F54897C}.exe	33
PID 2672 wrote to memory of 2560	2672	{9A807C3B-B4FA-44c9-8765-36567F54897C}.exe	33
PID 2412 wrote to memory of 1868	2412	{762D2C24-7631-451b-9F77-311BCA662A85}.exe	36
PID 2412 wrote to memory of 1868	2412	{762D2C24-7631-451b-9F77-311BCA662A85}.exe	36
PID 2412 wrote to memory of 1868	2412	{762D2C24-7631-451b-9F77-311BCA662A85}.exe	36
PID 2412 wrote to memory of 1868	2412	{762D2C24-7631-451b-9F77-311BCA662A85}.exe	36
PID 2412 wrote to memory of 2728	2412	{762D2C24-7631-451b-9F77-311BCA662A85}.exe	37
PID 2412 wrote to memory of 2728	2412	{762D2C24-7631-451b-9F77-311BCA662A85}.exe	37
PID 2412 wrote to memory of 2728	2412	{762D2C24-7631-451b-9F77-311BCA662A85}.exe	37
PID 2412 wrote to memory of 2728	2412	{762D2C24-7631-451b-9F77-311BCA662A85}.exe	37
PID 1868 wrote to memory of 2868	1868	{1E9DAB26-3985-40ce-A3C8-542DF871704F}.exe	38
PID 1868 wrote to memory of 2868	1868	{1E9DAB26-3985-40ce-A3C8-542DF871704F}.exe	38
PID 1868 wrote to memory of 2868	1868	{1E9DAB26-3985-40ce-A3C8-542DF871704F}.exe	38
PID 1868 wrote to memory of 2868	1868	{1E9DAB26-3985-40ce-A3C8-542DF871704F}.exe	38
PID 1868 wrote to memory of 2892	1868	{1E9DAB26-3985-40ce-A3C8-542DF871704F}.exe	39
PID 1868 wrote to memory of 2892	1868	{1E9DAB26-3985-40ce-A3C8-542DF871704F}.exe	39
PID 1868 wrote to memory of 2892	1868	{1E9DAB26-3985-40ce-A3C8-542DF871704F}.exe	39
PID 1868 wrote to memory of 2892	1868	{1E9DAB26-3985-40ce-A3C8-542DF871704F}.exe	39
PID 2868 wrote to memory of 792	2868	{8A50B8E7-A246-4d1d-AD02-94F5F44931A0}.exe	40
PID 2868 wrote to memory of 792	2868	{8A50B8E7-A246-4d1d-AD02-94F5F44931A0}.exe	40
PID 2868 wrote to memory of 792	2868	{8A50B8E7-A246-4d1d-AD02-94F5F44931A0}.exe	40
PID 2868 wrote to memory of 792	2868	{8A50B8E7-A246-4d1d-AD02-94F5F44931A0}.exe	40
PID 2868 wrote to memory of 1604	2868	{8A50B8E7-A246-4d1d-AD02-94F5F44931A0}.exe	41
PID 2868 wrote to memory of 1604	2868	{8A50B8E7-A246-4d1d-AD02-94F5F44931A0}.exe	41
PID 2868 wrote to memory of 1604	2868	{8A50B8E7-A246-4d1d-AD02-94F5F44931A0}.exe	41
PID 2868 wrote to memory of 1604	2868	{8A50B8E7-A246-4d1d-AD02-94F5F44931A0}.exe	41
PID 792 wrote to memory of 1764	792	{1D6DB178-28ED-4f97-AC88-4F5F0D75F9A6}.exe	42
PID 792 wrote to memory of 1764	792	{1D6DB178-28ED-4f97-AC88-4F5F0D75F9A6}.exe	42
PID 792 wrote to memory of 1764	792	{1D6DB178-28ED-4f97-AC88-4F5F0D75F9A6}.exe	42
PID 792 wrote to memory of 1764	792	{1D6DB178-28ED-4f97-AC88-4F5F0D75F9A6}.exe	42
PID 792 wrote to memory of 2488	792	{1D6DB178-28ED-4f97-AC88-4F5F0D75F9A6}.exe	43
PID 792 wrote to memory of 2488	792	{1D6DB178-28ED-4f97-AC88-4F5F0D75F9A6}.exe	43
PID 792 wrote to memory of 2488	792	{1D6DB178-28ED-4f97-AC88-4F5F0D75F9A6}.exe	43
PID 792 wrote to memory of 2488	792	{1D6DB178-28ED-4f97-AC88-4F5F0D75F9A6}.exe	43
PID 1764 wrote to memory of 1904	1764	{E7EDEBDB-C8EF-4d5d-9D63-3AAF64BBAF9F}.exe	44
PID 1764 wrote to memory of 1904	1764	{E7EDEBDB-C8EF-4d5d-9D63-3AAF64BBAF9F}.exe	44
PID 1764 wrote to memory of 1904	1764	{E7EDEBDB-C8EF-4d5d-9D63-3AAF64BBAF9F}.exe	44
PID 1764 wrote to memory of 1904	1764	{E7EDEBDB-C8EF-4d5d-9D63-3AAF64BBAF9F}.exe	44
PID 1764 wrote to memory of 1348	1764	{E7EDEBDB-C8EF-4d5d-9D63-3AAF64BBAF9F}.exe	45
PID 1764 wrote to memory of 1348	1764	{E7EDEBDB-C8EF-4d5d-9D63-3AAF64BBAF9F}.exe	45
PID 1764 wrote to memory of 1348	1764	{E7EDEBDB-C8EF-4d5d-9D63-3AAF64BBAF9F}.exe	45
PID 1764 wrote to memory of 1348	1764	{E7EDEBDB-C8EF-4d5d-9D63-3AAF64BBAF9F}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-04-09_fa56f836cc4f0ed7c2fcc84002e79ce3_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-09_fa56f836cc4f0ed7c2fcc84002e79ce3_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2156
- C:\Windows\{2361C863-636E-4a33-A644-714678FC9803}.exe
  C:\Windows\{2361C863-636E-4a33-A644-714678FC9803}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3016
- - C:\Windows\{9A807C3B-B4FA-44c9-8765-36567F54897C}.exe
    C:\Windows\{9A807C3B-B4FA-44c9-8765-36567F54897C}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2672
  - - C:\Windows\{762D2C24-7631-451b-9F77-311BCA662A85}.exe
      C:\Windows\{762D2C24-7631-451b-9F77-311BCA662A85}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2412
    - - C:\Windows\{1E9DAB26-3985-40ce-A3C8-542DF871704F}.exe
        
        C:\Windows\{1E9DAB26-3985-40ce-A3C8-542DF871704F}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1868
      - C:\Windows\{8A50B8E7-A246-4d1d-AD02-94F5F44931A0}.exe
        
        C:\Windows\{8A50B8E7-A246-4d1d-AD02-94F5F44931A0}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2868
        
        C:\Windows\{1D6DB178-28ED-4f97-AC88-4F5F0D75F9A6}.exe
        
        C:\Windows\{1D6DB178-28ED-4f97-AC88-4F5F0D75F9A6}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:792
        
        C:\Windows\{E7EDEBDB-C8EF-4d5d-9D63-3AAF64BBAF9F}.exe
        
        C:\Windows\{E7EDEBDB-C8EF-4d5d-9D63-3AAF64BBAF9F}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1764
        
        C:\Windows\{7727AB6D-54A8-482d-98DB-5A9FCFFA59B7}.exe
        
        C:\Windows\{7727AB6D-54A8-482d-98DB-5A9FCFFA59B7}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1904
        
        C:\Windows\{BF8CA8F9-0EEC-4bb7-A78B-1150886BF39F}.exe
        
        C:\Windows\{BF8CA8F9-0EEC-4bb7-A78B-1150886BF39F}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1832
        
        C:\Windows\{C767AD84-2E77-4cb3-AE6D-F4F0CEA50510}.exe
        
        C:\Windows\{C767AD84-2E77-4cb3-AE6D-F4F0CEA50510}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1968
        
        C:\Windows\{B1D0355A-1079-4e21-85C0-06E8F238736C}.exe
        
        C:\Windows\{B1D0355A-1079-4e21-85C0-06E8F238736C}.exe
        12⤵
        Executes dropped EXE
        
        PID:1400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C767A~1.EXE > nul
        12⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BF8CA~1.EXE > nul
        11⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7727A~1.EXE > nul
        10⤵
        
        PID:588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E7EDE~1.EXE > nul
        9⤵
        
        PID:1348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1D6DB~1.EXE > nul
        8⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8A50B~1.EXE > nul
        7⤵
        
        PID:1604
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1E9DA~1.EXE > nul
        6⤵
        
        PID:2892
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{762D2~1.EXE > nul
        5⤵
        
        PID:2728
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{9A807~1.EXE > nul
      4⤵
      PID:2560
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{2361C~1.EXE > nul
    3⤵
    PID:2668
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1D6DB178-28ED-4f97-AC88-4F5F0D75F9A6}.exe

Filesize
180KB

MD5
ca5fd25a55a18c60ad3f872b86856a29

SHA1
d9a36be1927ce368d1f69acfdf57d7a16cc161e9

SHA256
690c5a8945c5c14bb26cd9ba0b8d8ce313107f9bee1066086dac1bf8f749ac8b

SHA512
2971776623e08af8b3634bf3a609311a9c624cdc8cf87f5aa445fdc9c8302d2974ed366e809e2ecb4839e9b2cb9e0f7811a140f2e6956a4054cb15649200f669

Download Submit
C:\Windows\{1E9DAB26-3985-40ce-A3C8-542DF871704F}.exe

Filesize
180KB

MD5
1f4d27d2f0a502925d1f4020e0ddc528

SHA1
e71ad7946237820fa99188f4af75715b52f14ee9

SHA256
36299522ecd900d1ff16861eaadf25949e40a22a8648c65d0c911d34fd834500

SHA512
0b86859d3036b7fcec40ac2b8579b1bf1c809cbb064599219c80f841233048eea94a6a24a3ba6bce61ac1f506655f95c6f8f235570672c6afaabcf0b9eeb6e50

Download Submit
C:\Windows\{2361C863-636E-4a33-A644-714678FC9803}.exe

Filesize
180KB

MD5
fb145feeb185e7f3ed203e4241214567

SHA1
22f39d4c7b6eb466f8f8ce8643142089bedb902e

SHA256
50e22ea0aaec208b5edc4fe37527b2da9f0ec3e614e5e9c0b84eea6d064af444

SHA512
05c1b5c57fe1f5e705239d3a07c169334d861ac789e4a11ad626b2e61dde60a7fe9d3ee2753a9ec1247e76e53fe74db894bc0fe23ce117b1a4795962a3886fd0

Download Submit
C:\Windows\{762D2C24-7631-451b-9F77-311BCA662A85}.exe

Filesize
180KB

MD5
ffa2ad0007717c703670c4edf3bb2b88

SHA1
fc0352564b1d336751eb3163bb689da868ef3525

SHA256
c0c582451ae4c635c4b981d991ddffadabf1ecf530ed4526bdd1a7248ca75484

SHA512
a427e09bb8f0ec0a5a92461c2c43c95051afd42e9813b75b4049e283cce88023c7635e69a9a740b6b777f5fd3ca0309c192b2a32a8b9256bb4c2c38e4ebc3b95

Download Submit
C:\Windows\{7727AB6D-54A8-482d-98DB-5A9FCFFA59B7}.exe

Filesize
180KB

MD5
f00813d6d965aaadb97179dc74e7a9d9

SHA1
b230d6b9bb293f19e442e2f17da552bf5b828a26

SHA256
bd640ec54b972b92352ec0b5efc5591961dd9630cd6bb0eb0136fab9bc7d5f5a

SHA512
fe54ecbff69fa4d7739447e0240a0bd0178af887c592868e781d1e52319787f705615132ac175fa2e75f25473b6e6f7e9c98fbe5974c02b86bf11ea950977d5a

Download Submit
C:\Windows\{8A50B8E7-A246-4d1d-AD02-94F5F44931A0}.exe

Filesize
180KB

MD5
0e499ed30267948eaf575cb20990ecff

SHA1
6aa533279a6d3d568fd5ab81d650ded3c273a98d

SHA256
68fafde32b8063ebeddc88446b969fe231eb32a85f3aaf0b5db35f4326ece59f

SHA512
787dca066eb125a3b3500c52355181b7eb4454e16c70de13eaba8bb127d3021ac29719199d130e3d3146c5a67af373cc1e77550431979d48cd23566abd9ad806

Download Submit
C:\Windows\{9A807C3B-B4FA-44c9-8765-36567F54897C}.exe

Filesize
180KB

MD5
31d9b8de0a5dd550af6217220a2580e1

SHA1
aac3b35fd7fbf9b5e0e36d902ee7393a1d0e2bdf

SHA256
487bbea423926e3512441652ad541a4015d95bf3180af4496d5cd9c2b10ee3f6

SHA512
67490e94f9a70510df070d7861381b824f65fdef7126abcbaa134af85736d06dc503df03e10013b1bee05291b970f0f5ecacbf49cdff77913fd0d06e426c79ef

Download Submit
C:\Windows\{B1D0355A-1079-4e21-85C0-06E8F238736C}.exe

Filesize
180KB

MD5
be0486dac257676e44f453691564168e

SHA1
69cde8222913d0e66a4b8c3569f7d7f38a22a8fc

SHA256
d6cbea5e1ac8c787b906ba495771b173d849e43bc0b54ebe2949f731b841c531

SHA512
9e1c61a6898ffa30a3f78fc9969438cfd5cc86f31cdfc534507d18273ce870f7ddb4a8999f92f538d21839bcb80853893c26e8e4651a8f4871868097b56e02d8

Download Submit
C:\Windows\{BF8CA8F9-0EEC-4bb7-A78B-1150886BF39F}.exe

Filesize
180KB

MD5
e3a4a9e40f7129e0624b0e86697789c8

SHA1
c82db160ad7b3d25eff005d3cd7964a0f56a3a91

SHA256
9eb61d16bfdae6a1e7dce2512b1382681ceb94c1641d6bbca6ac80b5044d8144

SHA512
2663de9da470e4f772082431eebc12adf4fd18e2f81e1c3fca606fa2e7dddaaf853364b998bdb705368577de97640607290f1dd0696006093ae6442d8c5c4520

Download Submit
C:\Windows\{C767AD84-2E77-4cb3-AE6D-F4F0CEA50510}.exe

Filesize
180KB

MD5
91e52772e84ee1cfe3f1161b93b64fe7

SHA1
ea0a1d5e9f301c0fd995a1f273072efd4af2ab84

SHA256
6827a7f476ce8b0576c8c7bcd28f528612107bc315ddaf1a41c998d30a25909d

SHA512
6b89c39aba84a4411c6bd0e84b3ba3162a8121b82f962a9e71af1505f70d8f4f91cc44da25dc90d218f4f79af07fd003a6fce4b00f2c1a3625f4f2042c23564c

Download Submit
C:\Windows\{E7EDEBDB-C8EF-4d5d-9D63-3AAF64BBAF9F}.exe

Filesize
180KB

MD5
caaed5e3b463eb154e2f7b8dab93fe48

SHA1
9e22e61799ae5ec8b716c7d18414d307a43bb050

SHA256
fd8184dd46b3975bd1792b9d77e30b9307b310592876a852a738674ca091039d

SHA512
0a621c978958b567ee03fb9f8682058677e40a93578611dd5b9fef49d8085cd35ca9f0101398a7e09d12421fd60e08eb8e2938ab2d26da5b848c8ef879b69dc4

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads