f2e9f9f3f814fededa3875f7994da404bcc8c81a2bc799d359ed9a2bba553bf7

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
09-04-2024 11:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-09_dce680bbb0d5cf36eb941e5d03cc6580_goldeneye.exe
Size

180KB
MD5

dce680bbb0d5cf36eb941e5d03cc6580
SHA1

726ee05fa130e29990f4d3439128b70876f5aabe
SHA256

f2e9f9f3f814fededa3875f7994da404bcc8c81a2bc799d359ed9a2bba553bf7
SHA512

ea05077da4a5361340b333d708e1dc1116b1926380c4ba8290373f1a33720ec37be1df2ac5ff4b41639a3f066922b03fe9583ce7db098c07515d2d8c5befad1c
SSDEEP

3072:jEGh0oDlfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEG9l5eKcAEc

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000c000000012306-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c00000001315b-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000012306-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x003900000001340c-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e000000012306-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f000000012306-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0010000000012306-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7994F4DC-82B9-4da7-9BB7-2958662A5554}	{F18A6647-2A56-4138-893D-10804C6064BA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D3A7F1B9-B27E-40c4-95F4-51491C3A5698}	{8A8F4C5A-6DCF-4e55-B926-37BDFBFE6459}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{486084EB-1E3F-44d5-9D93-47E3C847228E}	{B3E0BC02-95BE-4532-AA2E-25F8CBCD2E46}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D3A7F1B9-B27E-40c4-95F4-51491C3A5698}\stubpath = "C:\\Windows\\{D3A7F1B9-B27E-40c4-95F4-51491C3A5698}.exe"	{8A8F4C5A-6DCF-4e55-B926-37BDFBFE6459}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B3E0BC02-95BE-4532-AA2E-25F8CBCD2E46}	{CB21F872-1F70-40a7-A44B-07B433C40405}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F18A6647-2A56-4138-893D-10804C6064BA}\stubpath = "C:\\Windows\\{F18A6647-2A56-4138-893D-10804C6064BA}.exe"	{F7FAF10E-EABA-4de6-8AC2-3CAC24925AD6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{97569219-7021-4b66-8533-61B219CCF78F}	{7994F4DC-82B9-4da7-9BB7-2958662A5554}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8A8F4C5A-6DCF-4e55-B926-37BDFBFE6459}	{2B7264F4-CBAA-440b-A85B-A8EE881E30F4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7994F4DC-82B9-4da7-9BB7-2958662A5554}\stubpath = "C:\\Windows\\{7994F4DC-82B9-4da7-9BB7-2958662A5554}.exe"	{F18A6647-2A56-4138-893D-10804C6064BA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{97569219-7021-4b66-8533-61B219CCF78F}\stubpath = "C:\\Windows\\{97569219-7021-4b66-8533-61B219CCF78F}.exe"	{7994F4DC-82B9-4da7-9BB7-2958662A5554}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CB21F872-1F70-40a7-A44B-07B433C40405}	{D3A7F1B9-B27E-40c4-95F4-51491C3A5698}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CB21F872-1F70-40a7-A44B-07B433C40405}\stubpath = "C:\\Windows\\{CB21F872-1F70-40a7-A44B-07B433C40405}.exe"	{D3A7F1B9-B27E-40c4-95F4-51491C3A5698}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B3E0BC02-95BE-4532-AA2E-25F8CBCD2E46}\stubpath = "C:\\Windows\\{B3E0BC02-95BE-4532-AA2E-25F8CBCD2E46}.exe"	{CB21F872-1F70-40a7-A44B-07B433C40405}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{80D316E0-36ED-42c2-92BC-4CE3F4AA55B0}	2024-04-09_dce680bbb0d5cf36eb941e5d03cc6580_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F7FAF10E-EABA-4de6-8AC2-3CAC24925AD6}	{80D316E0-36ED-42c2-92BC-4CE3F4AA55B0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F7FAF10E-EABA-4de6-8AC2-3CAC24925AD6}\stubpath = "C:\\Windows\\{F7FAF10E-EABA-4de6-8AC2-3CAC24925AD6}.exe"	{80D316E0-36ED-42c2-92BC-4CE3F4AA55B0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{486084EB-1E3F-44d5-9D93-47E3C847228E}\stubpath = "C:\\Windows\\{486084EB-1E3F-44d5-9D93-47E3C847228E}.exe"	{B3E0BC02-95BE-4532-AA2E-25F8CBCD2E46}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2B7264F4-CBAA-440b-A85B-A8EE881E30F4}\stubpath = "C:\\Windows\\{2B7264F4-CBAA-440b-A85B-A8EE881E30F4}.exe"	{97569219-7021-4b66-8533-61B219CCF78F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8A8F4C5A-6DCF-4e55-B926-37BDFBFE6459}\stubpath = "C:\\Windows\\{8A8F4C5A-6DCF-4e55-B926-37BDFBFE6459}.exe"	{2B7264F4-CBAA-440b-A85B-A8EE881E30F4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{80D316E0-36ED-42c2-92BC-4CE3F4AA55B0}\stubpath = "C:\\Windows\\{80D316E0-36ED-42c2-92BC-4CE3F4AA55B0}.exe"	2024-04-09_dce680bbb0d5cf36eb941e5d03cc6580_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F18A6647-2A56-4138-893D-10804C6064BA}	{F7FAF10E-EABA-4de6-8AC2-3CAC24925AD6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2B7264F4-CBAA-440b-A85B-A8EE881E30F4}	{97569219-7021-4b66-8533-61B219CCF78F}.exe

Deletes itself 1 IoCs

pid	Process
2568	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2916	{80D316E0-36ED-42c2-92BC-4CE3F4AA55B0}.exe
2920	{F7FAF10E-EABA-4de6-8AC2-3CAC24925AD6}.exe
1656	{F18A6647-2A56-4138-893D-10804C6064BA}.exe
2108	{7994F4DC-82B9-4da7-9BB7-2958662A5554}.exe
2692	{97569219-7021-4b66-8533-61B219CCF78F}.exe
2096	{2B7264F4-CBAA-440b-A85B-A8EE881E30F4}.exe
2112	{8A8F4C5A-6DCF-4e55-B926-37BDFBFE6459}.exe
868	{D3A7F1B9-B27E-40c4-95F4-51491C3A5698}.exe
2476	{CB21F872-1F70-40a7-A44B-07B433C40405}.exe
2748	{B3E0BC02-95BE-4532-AA2E-25F8CBCD2E46}.exe
696	{486084EB-1E3F-44d5-9D93-47E3C847228E}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{D3A7F1B9-B27E-40c4-95F4-51491C3A5698}.exe	{8A8F4C5A-6DCF-4e55-B926-37BDFBFE6459}.exe
File created	C:\Windows\{CB21F872-1F70-40a7-A44B-07B433C40405}.exe	{D3A7F1B9-B27E-40c4-95F4-51491C3A5698}.exe
File created	C:\Windows\{F7FAF10E-EABA-4de6-8AC2-3CAC24925AD6}.exe	{80D316E0-36ED-42c2-92BC-4CE3F4AA55B0}.exe
File created	C:\Windows\{7994F4DC-82B9-4da7-9BB7-2958662A5554}.exe	{F18A6647-2A56-4138-893D-10804C6064BA}.exe
File created	C:\Windows\{2B7264F4-CBAA-440b-A85B-A8EE881E30F4}.exe	{97569219-7021-4b66-8533-61B219CCF78F}.exe
File created	C:\Windows\{8A8F4C5A-6DCF-4e55-B926-37BDFBFE6459}.exe	{2B7264F4-CBAA-440b-A85B-A8EE881E30F4}.exe
File created	C:\Windows\{B3E0BC02-95BE-4532-AA2E-25F8CBCD2E46}.exe	{CB21F872-1F70-40a7-A44B-07B433C40405}.exe
File created	C:\Windows\{486084EB-1E3F-44d5-9D93-47E3C847228E}.exe	{B3E0BC02-95BE-4532-AA2E-25F8CBCD2E46}.exe
File created	C:\Windows\{80D316E0-36ED-42c2-92BC-4CE3F4AA55B0}.exe	2024-04-09_dce680bbb0d5cf36eb941e5d03cc6580_goldeneye.exe
File created	C:\Windows\{F18A6647-2A56-4138-893D-10804C6064BA}.exe	{F7FAF10E-EABA-4de6-8AC2-3CAC24925AD6}.exe
File created	C:\Windows\{97569219-7021-4b66-8533-61B219CCF78F}.exe	{7994F4DC-82B9-4da7-9BB7-2958662A5554}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2220	2024-04-09_dce680bbb0d5cf36eb941e5d03cc6580_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2916	{80D316E0-36ED-42c2-92BC-4CE3F4AA55B0}.exe
Token: SeIncBasePriorityPrivilege	2920	{F7FAF10E-EABA-4de6-8AC2-3CAC24925AD6}.exe
Token: SeIncBasePriorityPrivilege	1656	{F18A6647-2A56-4138-893D-10804C6064BA}.exe
Token: SeIncBasePriorityPrivilege	2108	{7994F4DC-82B9-4da7-9BB7-2958662A5554}.exe
Token: SeIncBasePriorityPrivilege	2692	{97569219-7021-4b66-8533-61B219CCF78F}.exe
Token: SeIncBasePriorityPrivilege	2096	{2B7264F4-CBAA-440b-A85B-A8EE881E30F4}.exe
Token: SeIncBasePriorityPrivilege	2112	{8A8F4C5A-6DCF-4e55-B926-37BDFBFE6459}.exe
Token: SeIncBasePriorityPrivilege	868	{D3A7F1B9-B27E-40c4-95F4-51491C3A5698}.exe
Token: SeIncBasePriorityPrivilege	2476	{CB21F872-1F70-40a7-A44B-07B433C40405}.exe
Token: SeIncBasePriorityPrivilege	2748	{B3E0BC02-95BE-4532-AA2E-25F8CBCD2E46}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2220 wrote to memory of 2916	2220	2024-04-09_dce680bbb0d5cf36eb941e5d03cc6580_goldeneye.exe	28
PID 2220 wrote to memory of 2916	2220	2024-04-09_dce680bbb0d5cf36eb941e5d03cc6580_goldeneye.exe	28
PID 2220 wrote to memory of 2916	2220	2024-04-09_dce680bbb0d5cf36eb941e5d03cc6580_goldeneye.exe	28
PID 2220 wrote to memory of 2916	2220	2024-04-09_dce680bbb0d5cf36eb941e5d03cc6580_goldeneye.exe	28
PID 2220 wrote to memory of 2568	2220	2024-04-09_dce680bbb0d5cf36eb941e5d03cc6580_goldeneye.exe	29
PID 2220 wrote to memory of 2568	2220	2024-04-09_dce680bbb0d5cf36eb941e5d03cc6580_goldeneye.exe	29
PID 2220 wrote to memory of 2568	2220	2024-04-09_dce680bbb0d5cf36eb941e5d03cc6580_goldeneye.exe	29
PID 2220 wrote to memory of 2568	2220	2024-04-09_dce680bbb0d5cf36eb941e5d03cc6580_goldeneye.exe	29
PID 2916 wrote to memory of 2920	2916	{80D316E0-36ED-42c2-92BC-4CE3F4AA55B0}.exe	30
PID 2916 wrote to memory of 2920	2916	{80D316E0-36ED-42c2-92BC-4CE3F4AA55B0}.exe	30
PID 2916 wrote to memory of 2920	2916	{80D316E0-36ED-42c2-92BC-4CE3F4AA55B0}.exe	30
PID 2916 wrote to memory of 2920	2916	{80D316E0-36ED-42c2-92BC-4CE3F4AA55B0}.exe	30
PID 2916 wrote to memory of 2412	2916	{80D316E0-36ED-42c2-92BC-4CE3F4AA55B0}.exe	31
PID 2916 wrote to memory of 2412	2916	{80D316E0-36ED-42c2-92BC-4CE3F4AA55B0}.exe	31
PID 2916 wrote to memory of 2412	2916	{80D316E0-36ED-42c2-92BC-4CE3F4AA55B0}.exe	31
PID 2916 wrote to memory of 2412	2916	{80D316E0-36ED-42c2-92BC-4CE3F4AA55B0}.exe	31
PID 2920 wrote to memory of 1656	2920	{F7FAF10E-EABA-4de6-8AC2-3CAC24925AD6}.exe	32
PID 2920 wrote to memory of 1656	2920	{F7FAF10E-EABA-4de6-8AC2-3CAC24925AD6}.exe	32
PID 2920 wrote to memory of 1656	2920	{F7FAF10E-EABA-4de6-8AC2-3CAC24925AD6}.exe	32
PID 2920 wrote to memory of 1656	2920	{F7FAF10E-EABA-4de6-8AC2-3CAC24925AD6}.exe	32
PID 2920 wrote to memory of 2492	2920	{F7FAF10E-EABA-4de6-8AC2-3CAC24925AD6}.exe	33
PID 2920 wrote to memory of 2492	2920	{F7FAF10E-EABA-4de6-8AC2-3CAC24925AD6}.exe	33
PID 2920 wrote to memory of 2492	2920	{F7FAF10E-EABA-4de6-8AC2-3CAC24925AD6}.exe	33
PID 2920 wrote to memory of 2492	2920	{F7FAF10E-EABA-4de6-8AC2-3CAC24925AD6}.exe	33
PID 1656 wrote to memory of 2108	1656	{F18A6647-2A56-4138-893D-10804C6064BA}.exe	36
PID 1656 wrote to memory of 2108	1656	{F18A6647-2A56-4138-893D-10804C6064BA}.exe	36
PID 1656 wrote to memory of 2108	1656	{F18A6647-2A56-4138-893D-10804C6064BA}.exe	36
PID 1656 wrote to memory of 2108	1656	{F18A6647-2A56-4138-893D-10804C6064BA}.exe	36
PID 1656 wrote to memory of 884	1656	{F18A6647-2A56-4138-893D-10804C6064BA}.exe	37
PID 1656 wrote to memory of 884	1656	{F18A6647-2A56-4138-893D-10804C6064BA}.exe	37
PID 1656 wrote to memory of 884	1656	{F18A6647-2A56-4138-893D-10804C6064BA}.exe	37
PID 1656 wrote to memory of 884	1656	{F18A6647-2A56-4138-893D-10804C6064BA}.exe	37
PID 2108 wrote to memory of 2692	2108	{7994F4DC-82B9-4da7-9BB7-2958662A5554}.exe	38
PID 2108 wrote to memory of 2692	2108	{7994F4DC-82B9-4da7-9BB7-2958662A5554}.exe	38
PID 2108 wrote to memory of 2692	2108	{7994F4DC-82B9-4da7-9BB7-2958662A5554}.exe	38
PID 2108 wrote to memory of 2692	2108	{7994F4DC-82B9-4da7-9BB7-2958662A5554}.exe	38
PID 2108 wrote to memory of 1976	2108	{7994F4DC-82B9-4da7-9BB7-2958662A5554}.exe	39
PID 2108 wrote to memory of 1976	2108	{7994F4DC-82B9-4da7-9BB7-2958662A5554}.exe	39
PID 2108 wrote to memory of 1976	2108	{7994F4DC-82B9-4da7-9BB7-2958662A5554}.exe	39
PID 2108 wrote to memory of 1976	2108	{7994F4DC-82B9-4da7-9BB7-2958662A5554}.exe	39
PID 2692 wrote to memory of 2096	2692	{97569219-7021-4b66-8533-61B219CCF78F}.exe	40
PID 2692 wrote to memory of 2096	2692	{97569219-7021-4b66-8533-61B219CCF78F}.exe	40
PID 2692 wrote to memory of 2096	2692	{97569219-7021-4b66-8533-61B219CCF78F}.exe	40
PID 2692 wrote to memory of 2096	2692	{97569219-7021-4b66-8533-61B219CCF78F}.exe	40
PID 2692 wrote to memory of 1796	2692	{97569219-7021-4b66-8533-61B219CCF78F}.exe	41
PID 2692 wrote to memory of 1796	2692	{97569219-7021-4b66-8533-61B219CCF78F}.exe	41
PID 2692 wrote to memory of 1796	2692	{97569219-7021-4b66-8533-61B219CCF78F}.exe	41
PID 2692 wrote to memory of 1796	2692	{97569219-7021-4b66-8533-61B219CCF78F}.exe	41
PID 2096 wrote to memory of 2112	2096	{2B7264F4-CBAA-440b-A85B-A8EE881E30F4}.exe	42
PID 2096 wrote to memory of 2112	2096	{2B7264F4-CBAA-440b-A85B-A8EE881E30F4}.exe	42
PID 2096 wrote to memory of 2112	2096	{2B7264F4-CBAA-440b-A85B-A8EE881E30F4}.exe	42
PID 2096 wrote to memory of 2112	2096	{2B7264F4-CBAA-440b-A85B-A8EE881E30F4}.exe	42
PID 2096 wrote to memory of 2284	2096	{2B7264F4-CBAA-440b-A85B-A8EE881E30F4}.exe	43
PID 2096 wrote to memory of 2284	2096	{2B7264F4-CBAA-440b-A85B-A8EE881E30F4}.exe	43
PID 2096 wrote to memory of 2284	2096	{2B7264F4-CBAA-440b-A85B-A8EE881E30F4}.exe	43
PID 2096 wrote to memory of 2284	2096	{2B7264F4-CBAA-440b-A85B-A8EE881E30F4}.exe	43
PID 2112 wrote to memory of 868	2112	{8A8F4C5A-6DCF-4e55-B926-37BDFBFE6459}.exe	44
PID 2112 wrote to memory of 868	2112	{8A8F4C5A-6DCF-4e55-B926-37BDFBFE6459}.exe	44
PID 2112 wrote to memory of 868	2112	{8A8F4C5A-6DCF-4e55-B926-37BDFBFE6459}.exe	44
PID 2112 wrote to memory of 868	2112	{8A8F4C5A-6DCF-4e55-B926-37BDFBFE6459}.exe	44
PID 2112 wrote to memory of 2016	2112	{8A8F4C5A-6DCF-4e55-B926-37BDFBFE6459}.exe	45
PID 2112 wrote to memory of 2016	2112	{8A8F4C5A-6DCF-4e55-B926-37BDFBFE6459}.exe	45
PID 2112 wrote to memory of 2016	2112	{8A8F4C5A-6DCF-4e55-B926-37BDFBFE6459}.exe	45
PID 2112 wrote to memory of 2016	2112	{8A8F4C5A-6DCF-4e55-B926-37BDFBFE6459}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-04-09_dce680bbb0d5cf36eb941e5d03cc6580_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-09_dce680bbb0d5cf36eb941e5d03cc6580_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2220
- C:\Windows\{80D316E0-36ED-42c2-92BC-4CE3F4AA55B0}.exe
  C:\Windows\{80D316E0-36ED-42c2-92BC-4CE3F4AA55B0}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2916
- - C:\Windows\{F7FAF10E-EABA-4de6-8AC2-3CAC24925AD6}.exe
    C:\Windows\{F7FAF10E-EABA-4de6-8AC2-3CAC24925AD6}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2920
  - - C:\Windows\{F18A6647-2A56-4138-893D-10804C6064BA}.exe
      C:\Windows\{F18A6647-2A56-4138-893D-10804C6064BA}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1656
    - - C:\Windows\{7994F4DC-82B9-4da7-9BB7-2958662A5554}.exe
        
        C:\Windows\{7994F4DC-82B9-4da7-9BB7-2958662A5554}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2108
      - C:\Windows\{97569219-7021-4b66-8533-61B219CCF78F}.exe
        
        C:\Windows\{97569219-7021-4b66-8533-61B219CCF78F}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2692
        
        C:\Windows\{2B7264F4-CBAA-440b-A85B-A8EE881E30F4}.exe
        
        C:\Windows\{2B7264F4-CBAA-440b-A85B-A8EE881E30F4}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2096
        
        C:\Windows\{8A8F4C5A-6DCF-4e55-B926-37BDFBFE6459}.exe
        
        C:\Windows\{8A8F4C5A-6DCF-4e55-B926-37BDFBFE6459}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2112
        
        C:\Windows\{D3A7F1B9-B27E-40c4-95F4-51491C3A5698}.exe
        
        C:\Windows\{D3A7F1B9-B27E-40c4-95F4-51491C3A5698}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:868
        
        C:\Windows\{CB21F872-1F70-40a7-A44B-07B433C40405}.exe
        
        C:\Windows\{CB21F872-1F70-40a7-A44B-07B433C40405}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2476
        
        C:\Windows\{B3E0BC02-95BE-4532-AA2E-25F8CBCD2E46}.exe
        
        C:\Windows\{B3E0BC02-95BE-4532-AA2E-25F8CBCD2E46}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2748
        
        C:\Windows\{486084EB-1E3F-44d5-9D93-47E3C847228E}.exe
        
        C:\Windows\{486084EB-1E3F-44d5-9D93-47E3C847228E}.exe
        12⤵
        Executes dropped EXE
        
        PID:696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B3E0B~1.EXE > nul
        12⤵
        
        PID:1260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CB21F~1.EXE > nul
        11⤵
        
        PID:768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D3A7F~1.EXE > nul
        10⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8A8F4~1.EXE > nul
        9⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2B726~1.EXE > nul
        8⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{97569~1.EXE > nul
        7⤵
        
        PID:1796
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7994F~1.EXE > nul
        6⤵
        
        PID:1976
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F18A6~1.EXE > nul
        5⤵
        
        PID:884
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{F7FAF~1.EXE > nul
      4⤵
      PID:2492
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{80D31~1.EXE > nul
    3⤵
    PID:2412
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{2B7264F4-CBAA-440b-A85B-A8EE881E30F4}.exe

Filesize
180KB

MD5
c1a316b2e0c2778003814590edf251f9

SHA1
ea1481a24922151b0bae5c98e8ed831504358b03

SHA256
47846ceb27ed50bf4075a9f81c323d5be086891c5bed2f5e747aa4afe04e0292

SHA512
9caf473acdf4b0e2ba373f70b8447c190de7625fea02b3a91282edb6844ab3d101b91e0e9a268914598c1127692abdbc1ec63d54e9b46d2cdc2faf68a5f2711c

Download Submit
C:\Windows\{486084EB-1E3F-44d5-9D93-47E3C847228E}.exe

Filesize
180KB

MD5
6410434aad0b88b67bb2e606563f4107

SHA1
aeec1bcb58a87d73011aeb515980dbe6794e7378

SHA256
ab73d1f3ee00d952a70b31a8368fafa3de5a00cb287ea3bf54b4b6d7504a0c83

SHA512
af6686623ee9e8b79a8cadc6d61559e220eefa32df64e92dd372688f1d6596f1998dd88bbceef2de947595a545a52daf571ef9a55af3a4adb30f3151cccfd4f7

Download Submit
C:\Windows\{7994F4DC-82B9-4da7-9BB7-2958662A5554}.exe

Filesize
180KB

MD5
f5454aeec9586cd3b3624ac489433278

SHA1
9a340d89e6cdb79664abbb2858c19872c1b0aef8

SHA256
c414cc685f89516509709d72aec9b3047b598a0cacc274101a1314be60500392

SHA512
855b84c5b12f8d31d27f68b939fe9767e2552b1709fd5a4c41678edf2d6312b17e5b1d619d838675ab8321206fe1df5a136a3f9e47999fe3bf4435ce0c0ad0c4

Download Submit
C:\Windows\{80D316E0-36ED-42c2-92BC-4CE3F4AA55B0}.exe

Filesize
180KB

MD5
19b4428159039be49a03cbb84d364bae

SHA1
496d9d53ea70ebc5802c18ece96fb68540490e76

SHA256
a335a8cf5cc28f34d3625cdfea9418a6d59b0390c2c6e3acec83e365de58c87b

SHA512
0a6108bfdcbbcba05fbb5803dbe5cdf7ba756a59b893d44671120772e06f7cc3cc2e06086643d83640ddea3daf53bfb4302cabeacbb15cad06d22bc8ca690914

Download Submit
C:\Windows\{8A8F4C5A-6DCF-4e55-B926-37BDFBFE6459}.exe

Filesize
180KB

MD5
af64cbf782ea4d8421cceeceb5db0135

SHA1
63ba5da0f7ed22b68c51cbec2296f08f661a3879

SHA256
2acb26ca1b79c89780b559cf33aad249ef4968e7f6043342ccf095473e8c6edc

SHA512
77945621e54f51059b0093a99934d4fb7197828e9b038b05eeba5ee30fbc108b6e47d526b0c4e81ceb711bb086a7f7d27fd9aec8bde2602c670eb0018e082601

Download Submit
C:\Windows\{97569219-7021-4b66-8533-61B219CCF78F}.exe

Filesize
180KB

MD5
0c6c635250ba08b7b8f1bad7151102c4

SHA1
be29c987e944c774d4d0240de9d665893be04bf1

SHA256
f379642863399cd19030d82a8f2a9e45e064676aa34df03eafff7235b4598592

SHA512
33cdd53566d4feb39b0fe49f5dab8285fbc1d7945c5ca73e1bc25165e3a38e9704481c3108b181e3cbe343e63867ac533438a10cbf4e0a46c84221c016a73419

Download Submit
C:\Windows\{B3E0BC02-95BE-4532-AA2E-25F8CBCD2E46}.exe

Filesize
180KB

MD5
2b9ad06e3358fcafadb592ade2663e0f

SHA1
aba899d981700a129c9862d79c6abf129f5ef3a0

SHA256
556ea7736e6d19da555532f145119bc0f344804e7c1ca6c56a5cfcedc2192470

SHA512
d7ffe795a1fcf0f663fd679f4735eacdb85c59ca13bde39f7640a6545bd779527a2073a98451c11a95add9bfc867349b75ff495664129df54cb04f495fd3c986

Download Submit
C:\Windows\{CB21F872-1F70-40a7-A44B-07B433C40405}.exe

Filesize
180KB

MD5
25f2564f3eb86e64cdb03f3d1f6ca7a1

SHA1
db2039e20fa5849dfa1ae9224bd3336cd89ef11f

SHA256
a8bf2fd3d5703b40d3c9cde11a0914221881ae9acb886b415038947f083b04ab

SHA512
f9275b9698e2119e384eed083ed11fcb848692a21901389415e57e8401df5e80f47159fa5e4015f9b816e432200fcdf6861d7057084316c751c7fdccb045504b

Download Submit
C:\Windows\{D3A7F1B9-B27E-40c4-95F4-51491C3A5698}.exe

Filesize
180KB

MD5
fa27bba00c35bf45f3bcec1f0c7cacac

SHA1
d9318c3c7255770161fbdb7672cdb2da3ed7ea3f

SHA256
ef486d81d71c6b6dc921199bb44e35f54798b1c4753022bd150c4dbb8a7274f5

SHA512
523c41da4512267c5e5b5d7b592149f667333e45f6d0415a7cfbd4a67fda4c7e19ea631405decaa162b1bdf6df2366988f672d35a10941c847f27a64f49fe05a

Download Submit
C:\Windows\{F18A6647-2A56-4138-893D-10804C6064BA}.exe

Filesize
180KB

MD5
d9f37a9f46a823aa398c86bf4413097c

SHA1
abaf70b3475170424adfca31ed283528d325cd89

SHA256
18a2e6c0884604362d220a227cb7b6cb44bc05cb1f756d30abf165c8a304d472

SHA512
cd8a528dfb135e469611619f5ea369e1dc70ed0242c337dc5e54fc624aee375bed32352e491968630295a9e166202cde2ca1f36f6c970ba20dc01e234849616c

Download Submit
C:\Windows\{F7FAF10E-EABA-4de6-8AC2-3CAC24925AD6}.exe

Filesize
180KB

MD5
6d42b479552095aab99ca5082d6a649a

SHA1
17ae94f037efd1f80dd3c3b0c78b146887a31e08

SHA256
26dd79bfc81714c7557fb1d5e9c87b51b712baacd213d2385ecce12ac172919e

SHA512
ca712aeefd93c55ed02a9ef640faf11a194f8f32904cbe37eed1ceda6b1d2caef6d42716ee0bbb7fe1d46c46a3c5ba3fdbb859c97546d83718fe3f91f6823335

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads