d56da7c3c7ad4ade89f8a37ca5ef2e8149036a4784e1c55587cb3d29527d0fc5

Analysis

max time kernel
144s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
09/04/2024, 12:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-09_6426dd1a02569cfc4de05d6a3b5c3c95_goldeneye.exe
Size

168KB
MD5

6426dd1a02569cfc4de05d6a3b5c3c95
SHA1

9acd3aff274640115ac4611c657fcf27691c3662
SHA256

d56da7c3c7ad4ade89f8a37ca5ef2e8149036a4784e1c55587cb3d29527d0fc5
SHA512

6500d743c04037eaa4288ba877b3fab94ab93eb0a84d42e48e673b741ef0f92aa05a6db5be1c4ea4b8c581baf295753ed3c741b66361ceeec9e637ac66781005
SSDEEP

1536:1EGh0ohli5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0ohliOPOe2MUVg3Ve+rX

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000a000000012267-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c0000000133c2-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0028000000016601-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000900000000f6f2-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0029000000016601-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a00000000f6f2-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002a000000016601-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000016b92-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002b000000016601-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e000000016b92-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002c000000016601-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B17750E4-F4EF-4049-B2C9-A299CADD2985}	{8F705A4E-2A43-43b1-9895-82A2542DD3CA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3D231D87-2202-4ae9-8F6C-729D8D9FE9A6}	{F75D4762-DB70-4409-B6CB-D9EDAB7274DC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3D231D87-2202-4ae9-8F6C-729D8D9FE9A6}\stubpath = "C:\\Windows\\{3D231D87-2202-4ae9-8F6C-729D8D9FE9A6}.exe"	{F75D4762-DB70-4409-B6CB-D9EDAB7274DC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7F50A2CC-7DDE-46f1-922A-F88A9919C95A}\stubpath = "C:\\Windows\\{7F50A2CC-7DDE-46f1-922A-F88A9919C95A}.exe"	{3D231D87-2202-4ae9-8F6C-729D8D9FE9A6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BF4B49AC-394D-4c68-A6AA-880728FD09CF}\stubpath = "C:\\Windows\\{BF4B49AC-394D-4c68-A6AA-880728FD09CF}.exe"	{A9606B52-24C2-4864-BFE0-7CF9A95D7C19}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8F705A4E-2A43-43b1-9895-82A2542DD3CA}	2024-04-09_6426dd1a02569cfc4de05d6a3b5c3c95_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8F705A4E-2A43-43b1-9895-82A2542DD3CA}\stubpath = "C:\\Windows\\{8F705A4E-2A43-43b1-9895-82A2542DD3CA}.exe"	2024-04-09_6426dd1a02569cfc4de05d6a3b5c3c95_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{51680475-A72F-4c80-BD61-28674F6083C9}	{B17750E4-F4EF-4049-B2C9-A299CADD2985}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F75D4762-DB70-4409-B6CB-D9EDAB7274DC}	{51680475-A72F-4c80-BD61-28674F6083C9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7F50A2CC-7DDE-46f1-922A-F88A9919C95A}	{3D231D87-2202-4ae9-8F6C-729D8D9FE9A6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4DC59158-7EA9-4974-ACB8-CC04D3974ACA}\stubpath = "C:\\Windows\\{4DC59158-7EA9-4974-ACB8-CC04D3974ACA}.exe"	{7F50A2CC-7DDE-46f1-922A-F88A9919C95A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A9606B52-24C2-4864-BFE0-7CF9A95D7C19}	{0497ECA3-2C8E-4055-B5A0-6D99C620C1E5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B17750E4-F4EF-4049-B2C9-A299CADD2985}\stubpath = "C:\\Windows\\{B17750E4-F4EF-4049-B2C9-A299CADD2985}.exe"	{8F705A4E-2A43-43b1-9895-82A2542DD3CA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{51680475-A72F-4c80-BD61-28674F6083C9}\stubpath = "C:\\Windows\\{51680475-A72F-4c80-BD61-28674F6083C9}.exe"	{B17750E4-F4EF-4049-B2C9-A299CADD2985}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F75D4762-DB70-4409-B6CB-D9EDAB7274DC}\stubpath = "C:\\Windows\\{F75D4762-DB70-4409-B6CB-D9EDAB7274DC}.exe"	{51680475-A72F-4c80-BD61-28674F6083C9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4DC59158-7EA9-4974-ACB8-CC04D3974ACA}	{7F50A2CC-7DDE-46f1-922A-F88A9919C95A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8D9EE5AB-6469-4801-9D5D-4F29297F2322}	{4DC59158-7EA9-4974-ACB8-CC04D3974ACA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8D9EE5AB-6469-4801-9D5D-4F29297F2322}\stubpath = "C:\\Windows\\{8D9EE5AB-6469-4801-9D5D-4F29297F2322}.exe"	{4DC59158-7EA9-4974-ACB8-CC04D3974ACA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0497ECA3-2C8E-4055-B5A0-6D99C620C1E5}	{8D9EE5AB-6469-4801-9D5D-4F29297F2322}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0497ECA3-2C8E-4055-B5A0-6D99C620C1E5}\stubpath = "C:\\Windows\\{0497ECA3-2C8E-4055-B5A0-6D99C620C1E5}.exe"	{8D9EE5AB-6469-4801-9D5D-4F29297F2322}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A9606B52-24C2-4864-BFE0-7CF9A95D7C19}\stubpath = "C:\\Windows\\{A9606B52-24C2-4864-BFE0-7CF9A95D7C19}.exe"	{0497ECA3-2C8E-4055-B5A0-6D99C620C1E5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BF4B49AC-394D-4c68-A6AA-880728FD09CF}	{A9606B52-24C2-4864-BFE0-7CF9A95D7C19}.exe

Deletes itself 1 IoCs

pid	Process
3012	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2972	{8F705A4E-2A43-43b1-9895-82A2542DD3CA}.exe
2472	{B17750E4-F4EF-4049-B2C9-A299CADD2985}.exe
2396	{51680475-A72F-4c80-BD61-28674F6083C9}.exe
1988	{F75D4762-DB70-4409-B6CB-D9EDAB7274DC}.exe
2716	{3D231D87-2202-4ae9-8F6C-729D8D9FE9A6}.exe
2300	{7F50A2CC-7DDE-46f1-922A-F88A9919C95A}.exe
800	{4DC59158-7EA9-4974-ACB8-CC04D3974ACA}.exe
592	{8D9EE5AB-6469-4801-9D5D-4F29297F2322}.exe
1388	{0497ECA3-2C8E-4055-B5A0-6D99C620C1E5}.exe
2756	{A9606B52-24C2-4864-BFE0-7CF9A95D7C19}.exe
1252	{BF4B49AC-394D-4c68-A6AA-880728FD09CF}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{8F705A4E-2A43-43b1-9895-82A2542DD3CA}.exe	2024-04-09_6426dd1a02569cfc4de05d6a3b5c3c95_goldeneye.exe
File created	C:\Windows\{51680475-A72F-4c80-BD61-28674F6083C9}.exe	{B17750E4-F4EF-4049-B2C9-A299CADD2985}.exe
File created	C:\Windows\{F75D4762-DB70-4409-B6CB-D9EDAB7274DC}.exe	{51680475-A72F-4c80-BD61-28674F6083C9}.exe
File created	C:\Windows\{8D9EE5AB-6469-4801-9D5D-4F29297F2322}.exe	{4DC59158-7EA9-4974-ACB8-CC04D3974ACA}.exe
File created	C:\Windows\{0497ECA3-2C8E-4055-B5A0-6D99C620C1E5}.exe	{8D9EE5AB-6469-4801-9D5D-4F29297F2322}.exe
File created	C:\Windows\{B17750E4-F4EF-4049-B2C9-A299CADD2985}.exe	{8F705A4E-2A43-43b1-9895-82A2542DD3CA}.exe
File created	C:\Windows\{3D231D87-2202-4ae9-8F6C-729D8D9FE9A6}.exe	{F75D4762-DB70-4409-B6CB-D9EDAB7274DC}.exe
File created	C:\Windows\{7F50A2CC-7DDE-46f1-922A-F88A9919C95A}.exe	{3D231D87-2202-4ae9-8F6C-729D8D9FE9A6}.exe
File created	C:\Windows\{4DC59158-7EA9-4974-ACB8-CC04D3974ACA}.exe	{7F50A2CC-7DDE-46f1-922A-F88A9919C95A}.exe
File created	C:\Windows\{A9606B52-24C2-4864-BFE0-7CF9A95D7C19}.exe	{0497ECA3-2C8E-4055-B5A0-6D99C620C1E5}.exe
File created	C:\Windows\{BF4B49AC-394D-4c68-A6AA-880728FD09CF}.exe	{A9606B52-24C2-4864-BFE0-7CF9A95D7C19}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2924	2024-04-09_6426dd1a02569cfc4de05d6a3b5c3c95_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2972	{8F705A4E-2A43-43b1-9895-82A2542DD3CA}.exe
Token: SeIncBasePriorityPrivilege	2472	{B17750E4-F4EF-4049-B2C9-A299CADD2985}.exe
Token: SeIncBasePriorityPrivilege	2396	{51680475-A72F-4c80-BD61-28674F6083C9}.exe
Token: SeIncBasePriorityPrivilege	1988	{F75D4762-DB70-4409-B6CB-D9EDAB7274DC}.exe
Token: SeIncBasePriorityPrivilege	2716	{3D231D87-2202-4ae9-8F6C-729D8D9FE9A6}.exe
Token: SeIncBasePriorityPrivilege	2300	{7F50A2CC-7DDE-46f1-922A-F88A9919C95A}.exe
Token: SeIncBasePriorityPrivilege	800	{4DC59158-7EA9-4974-ACB8-CC04D3974ACA}.exe
Token: SeIncBasePriorityPrivilege	592	{8D9EE5AB-6469-4801-9D5D-4F29297F2322}.exe
Token: SeIncBasePriorityPrivilege	1388	{0497ECA3-2C8E-4055-B5A0-6D99C620C1E5}.exe
Token: SeIncBasePriorityPrivilege	2756	{A9606B52-24C2-4864-BFE0-7CF9A95D7C19}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2924 wrote to memory of 2972	2924	2024-04-09_6426dd1a02569cfc4de05d6a3b5c3c95_goldeneye.exe	28
PID 2924 wrote to memory of 2972	2924	2024-04-09_6426dd1a02569cfc4de05d6a3b5c3c95_goldeneye.exe	28
PID 2924 wrote to memory of 2972	2924	2024-04-09_6426dd1a02569cfc4de05d6a3b5c3c95_goldeneye.exe	28
PID 2924 wrote to memory of 2972	2924	2024-04-09_6426dd1a02569cfc4de05d6a3b5c3c95_goldeneye.exe	28
PID 2924 wrote to memory of 3012	2924	2024-04-09_6426dd1a02569cfc4de05d6a3b5c3c95_goldeneye.exe	29
PID 2924 wrote to memory of 3012	2924	2024-04-09_6426dd1a02569cfc4de05d6a3b5c3c95_goldeneye.exe	29
PID 2924 wrote to memory of 3012	2924	2024-04-09_6426dd1a02569cfc4de05d6a3b5c3c95_goldeneye.exe	29
PID 2924 wrote to memory of 3012	2924	2024-04-09_6426dd1a02569cfc4de05d6a3b5c3c95_goldeneye.exe	29
PID 2972 wrote to memory of 2472	2972	{8F705A4E-2A43-43b1-9895-82A2542DD3CA}.exe	30
PID 2972 wrote to memory of 2472	2972	{8F705A4E-2A43-43b1-9895-82A2542DD3CA}.exe	30
PID 2972 wrote to memory of 2472	2972	{8F705A4E-2A43-43b1-9895-82A2542DD3CA}.exe	30
PID 2972 wrote to memory of 2472	2972	{8F705A4E-2A43-43b1-9895-82A2542DD3CA}.exe	30
PID 2972 wrote to memory of 2544	2972	{8F705A4E-2A43-43b1-9895-82A2542DD3CA}.exe	31
PID 2972 wrote to memory of 2544	2972	{8F705A4E-2A43-43b1-9895-82A2542DD3CA}.exe	31
PID 2972 wrote to memory of 2544	2972	{8F705A4E-2A43-43b1-9895-82A2542DD3CA}.exe	31
PID 2972 wrote to memory of 2544	2972	{8F705A4E-2A43-43b1-9895-82A2542DD3CA}.exe	31
PID 2472 wrote to memory of 2396	2472	{B17750E4-F4EF-4049-B2C9-A299CADD2985}.exe	34
PID 2472 wrote to memory of 2396	2472	{B17750E4-F4EF-4049-B2C9-A299CADD2985}.exe	34
PID 2472 wrote to memory of 2396	2472	{B17750E4-F4EF-4049-B2C9-A299CADD2985}.exe	34
PID 2472 wrote to memory of 2396	2472	{B17750E4-F4EF-4049-B2C9-A299CADD2985}.exe	34
PID 2472 wrote to memory of 1724	2472	{B17750E4-F4EF-4049-B2C9-A299CADD2985}.exe	35
PID 2472 wrote to memory of 1724	2472	{B17750E4-F4EF-4049-B2C9-A299CADD2985}.exe	35
PID 2472 wrote to memory of 1724	2472	{B17750E4-F4EF-4049-B2C9-A299CADD2985}.exe	35
PID 2472 wrote to memory of 1724	2472	{B17750E4-F4EF-4049-B2C9-A299CADD2985}.exe	35
PID 2396 wrote to memory of 1988	2396	{51680475-A72F-4c80-BD61-28674F6083C9}.exe	36
PID 2396 wrote to memory of 1988	2396	{51680475-A72F-4c80-BD61-28674F6083C9}.exe	36
PID 2396 wrote to memory of 1988	2396	{51680475-A72F-4c80-BD61-28674F6083C9}.exe	36
PID 2396 wrote to memory of 1988	2396	{51680475-A72F-4c80-BD61-28674F6083C9}.exe	36
PID 2396 wrote to memory of 268	2396	{51680475-A72F-4c80-BD61-28674F6083C9}.exe	37
PID 2396 wrote to memory of 268	2396	{51680475-A72F-4c80-BD61-28674F6083C9}.exe	37
PID 2396 wrote to memory of 268	2396	{51680475-A72F-4c80-BD61-28674F6083C9}.exe	37
PID 2396 wrote to memory of 268	2396	{51680475-A72F-4c80-BD61-28674F6083C9}.exe	37
PID 1988 wrote to memory of 2716	1988	{F75D4762-DB70-4409-B6CB-D9EDAB7274DC}.exe	38
PID 1988 wrote to memory of 2716	1988	{F75D4762-DB70-4409-B6CB-D9EDAB7274DC}.exe	38
PID 1988 wrote to memory of 2716	1988	{F75D4762-DB70-4409-B6CB-D9EDAB7274DC}.exe	38
PID 1988 wrote to memory of 2716	1988	{F75D4762-DB70-4409-B6CB-D9EDAB7274DC}.exe	38
PID 1988 wrote to memory of 2744	1988	{F75D4762-DB70-4409-B6CB-D9EDAB7274DC}.exe	39
PID 1988 wrote to memory of 2744	1988	{F75D4762-DB70-4409-B6CB-D9EDAB7274DC}.exe	39
PID 1988 wrote to memory of 2744	1988	{F75D4762-DB70-4409-B6CB-D9EDAB7274DC}.exe	39
PID 1988 wrote to memory of 2744	1988	{F75D4762-DB70-4409-B6CB-D9EDAB7274DC}.exe	39
PID 2716 wrote to memory of 2300	2716	{3D231D87-2202-4ae9-8F6C-729D8D9FE9A6}.exe	40
PID 2716 wrote to memory of 2300	2716	{3D231D87-2202-4ae9-8F6C-729D8D9FE9A6}.exe	40
PID 2716 wrote to memory of 2300	2716	{3D231D87-2202-4ae9-8F6C-729D8D9FE9A6}.exe	40
PID 2716 wrote to memory of 2300	2716	{3D231D87-2202-4ae9-8F6C-729D8D9FE9A6}.exe	40
PID 2716 wrote to memory of 2120	2716	{3D231D87-2202-4ae9-8F6C-729D8D9FE9A6}.exe	41
PID 2716 wrote to memory of 2120	2716	{3D231D87-2202-4ae9-8F6C-729D8D9FE9A6}.exe	41
PID 2716 wrote to memory of 2120	2716	{3D231D87-2202-4ae9-8F6C-729D8D9FE9A6}.exe	41
PID 2716 wrote to memory of 2120	2716	{3D231D87-2202-4ae9-8F6C-729D8D9FE9A6}.exe	41
PID 2300 wrote to memory of 800	2300	{7F50A2CC-7DDE-46f1-922A-F88A9919C95A}.exe	42
PID 2300 wrote to memory of 800	2300	{7F50A2CC-7DDE-46f1-922A-F88A9919C95A}.exe	42
PID 2300 wrote to memory of 800	2300	{7F50A2CC-7DDE-46f1-922A-F88A9919C95A}.exe	42
PID 2300 wrote to memory of 800	2300	{7F50A2CC-7DDE-46f1-922A-F88A9919C95A}.exe	42
PID 2300 wrote to memory of 928	2300	{7F50A2CC-7DDE-46f1-922A-F88A9919C95A}.exe	43
PID 2300 wrote to memory of 928	2300	{7F50A2CC-7DDE-46f1-922A-F88A9919C95A}.exe	43
PID 2300 wrote to memory of 928	2300	{7F50A2CC-7DDE-46f1-922A-F88A9919C95A}.exe	43
PID 2300 wrote to memory of 928	2300	{7F50A2CC-7DDE-46f1-922A-F88A9919C95A}.exe	43
PID 800 wrote to memory of 592	800	{4DC59158-7EA9-4974-ACB8-CC04D3974ACA}.exe	44
PID 800 wrote to memory of 592	800	{4DC59158-7EA9-4974-ACB8-CC04D3974ACA}.exe	44
PID 800 wrote to memory of 592	800	{4DC59158-7EA9-4974-ACB8-CC04D3974ACA}.exe	44
PID 800 wrote to memory of 592	800	{4DC59158-7EA9-4974-ACB8-CC04D3974ACA}.exe	44
PID 800 wrote to memory of 2640	800	{4DC59158-7EA9-4974-ACB8-CC04D3974ACA}.exe	45
PID 800 wrote to memory of 2640	800	{4DC59158-7EA9-4974-ACB8-CC04D3974ACA}.exe	45
PID 800 wrote to memory of 2640	800	{4DC59158-7EA9-4974-ACB8-CC04D3974ACA}.exe	45
PID 800 wrote to memory of 2640	800	{4DC59158-7EA9-4974-ACB8-CC04D3974ACA}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-04-09_6426dd1a02569cfc4de05d6a3b5c3c95_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-09_6426dd1a02569cfc4de05d6a3b5c3c95_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2924
- C:\Windows\{8F705A4E-2A43-43b1-9895-82A2542DD3CA}.exe
  C:\Windows\{8F705A4E-2A43-43b1-9895-82A2542DD3CA}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2972
- - C:\Windows\{B17750E4-F4EF-4049-B2C9-A299CADD2985}.exe
    C:\Windows\{B17750E4-F4EF-4049-B2C9-A299CADD2985}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2472
  - - C:\Windows\{51680475-A72F-4c80-BD61-28674F6083C9}.exe
      C:\Windows\{51680475-A72F-4c80-BD61-28674F6083C9}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2396
    - - C:\Windows\{F75D4762-DB70-4409-B6CB-D9EDAB7274DC}.exe
        
        C:\Windows\{F75D4762-DB70-4409-B6CB-D9EDAB7274DC}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1988
      - C:\Windows\{3D231D87-2202-4ae9-8F6C-729D8D9FE9A6}.exe
        
        C:\Windows\{3D231D87-2202-4ae9-8F6C-729D8D9FE9A6}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2716
        
        C:\Windows\{7F50A2CC-7DDE-46f1-922A-F88A9919C95A}.exe
        
        C:\Windows\{7F50A2CC-7DDE-46f1-922A-F88A9919C95A}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2300
        
        C:\Windows\{4DC59158-7EA9-4974-ACB8-CC04D3974ACA}.exe
        
        C:\Windows\{4DC59158-7EA9-4974-ACB8-CC04D3974ACA}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:800
        
        C:\Windows\{8D9EE5AB-6469-4801-9D5D-4F29297F2322}.exe
        
        C:\Windows\{8D9EE5AB-6469-4801-9D5D-4F29297F2322}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:592
        
        C:\Windows\{0497ECA3-2C8E-4055-B5A0-6D99C620C1E5}.exe
        
        C:\Windows\{0497ECA3-2C8E-4055-B5A0-6D99C620C1E5}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1388
        
        C:\Windows\{A9606B52-24C2-4864-BFE0-7CF9A95D7C19}.exe
        
        C:\Windows\{A9606B52-24C2-4864-BFE0-7CF9A95D7C19}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2756
        
        C:\Windows\{BF4B49AC-394D-4c68-A6AA-880728FD09CF}.exe
        
        C:\Windows\{BF4B49AC-394D-4c68-A6AA-880728FD09CF}.exe
        12⤵
        Executes dropped EXE
        
        PID:1252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A9606~1.EXE > nul
        12⤵
        
        PID:1008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0497E~1.EXE > nul
        11⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8D9EE~1.EXE > nul
        10⤵
        
        PID:1148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4DC59~1.EXE > nul
        9⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7F50A~1.EXE > nul
        8⤵
        
        PID:928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3D231~1.EXE > nul
        7⤵
        
        PID:2120
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F75D4~1.EXE > nul
        6⤵
        
        PID:2744
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{51680~1.EXE > nul
        5⤵
        
        PID:268
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{B1775~1.EXE > nul
      4⤵
      PID:1724
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{8F705~1.EXE > nul
    3⤵
    PID:2544
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:3012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0497ECA3-2C8E-4055-B5A0-6D99C620C1E5}.exe

Filesize
168KB

MD5
0a0370ec6b0f715930f6f8642c990fa4

SHA1
135deede03ea86a05512340968ddbac7d40e7245

SHA256
cbdd4b568438ec2d64e075e6320f9555878d1882d7ff3d3f34fff9ef6d0f8a9f

SHA512
6dbe62f2c0222c07dc8727676bebf92ebb1a5b78f15fce73713681b3038492117126c95c915bdf2e45a51044c2211d43b2f80351926fe242a473ca3cca4fd9d2

Download Submit
C:\Windows\{3D231D87-2202-4ae9-8F6C-729D8D9FE9A6}.exe

Filesize
168KB

MD5
2a62e86ea3627bf87d15992e4120290c

SHA1
3cef73e265b17404302e8be509db61ed4d967ff0

SHA256
f15e4662195bc17c52e8120a79ac08ee6f31ed0dfdd9cb4bc5b43fb92b476318

SHA512
7977d53b858fe70a0b417f873113efd41a360799d5f9957b43b9e49239fe92382ca59105d0ebcc151e83ba3805475298ad48d1118b31c8817f7a8ed38eefa708

Download Submit
C:\Windows\{4DC59158-7EA9-4974-ACB8-CC04D3974ACA}.exe

Filesize
168KB

MD5
444566391484d18906863a110ffba386

SHA1
fdbe295f885b85accae9d0ee0ff9a4f4bcc783e0

SHA256
523c70b50c4448d999cf7eac55abee94bc634b2eaf519697b0e70e5cd62618d6

SHA512
b1c98ba0a07b5e5168d55acb84b8a6482129ab7832050401f5f158088e5e5a5c1a635697668819958e0663a01945dad102fb70d66150677437b3d230143be035

Download Submit
C:\Windows\{51680475-A72F-4c80-BD61-28674F6083C9}.exe

Filesize
168KB

MD5
8d41be9dbd953493672eda3d66c39cac

SHA1
c380d34a2366b005ab5c0bd1e94d11ab260aa3eb

SHA256
b003248e7969119009d6a97ae2415a3c8a00bc70105626edd2dd35b49f6ea1a5

SHA512
bc5187bb3b00baded488a57275bf031ce70b391d76db1f9a4b695077847d5db80e651fab9b712ca7f9cd67fed63865edb90ccc71136c90c332bd70a83cf40358

Download Submit
C:\Windows\{7F50A2CC-7DDE-46f1-922A-F88A9919C95A}.exe

Filesize
168KB

MD5
5b20f8bfd5934514e9b7391229ca612e

SHA1
caa5fb74df68453dc0de6dde586951b881e78bc0

SHA256
dbb59e5545a0a8610b38bbb19d31c3db2aa79f94210bf55997895cb71c05555c

SHA512
a60a98efe556c75c8ac6f523cc8d29149989c28c2c971e9f977a6e2b3c1019b58c13f4ab60bdcd25d440477a9a6e8012be1e3369a039fcdd34afd35eac74d5db

Download Submit
C:\Windows\{8D9EE5AB-6469-4801-9D5D-4F29297F2322}.exe

Filesize
168KB

MD5
031ed9bdbc4df59f255227a1eb84fc7d

SHA1
07c0b0177d1564ac028e1671922d9bdcc1b1f60e

SHA256
9b7e56c596209578c38df9688683b9e7c941bc6d13245953edf54a88325f5290

SHA512
5b2f5037995991f6159a1e547b6938e3d7bc26f4607a90cdc939987c7a6572cdc84ac6ec8ef8efada99e4ea1b5332628c58960894cd654eed7600edcaaf46810

Download Submit
C:\Windows\{8F705A4E-2A43-43b1-9895-82A2542DD3CA}.exe

Filesize
168KB

MD5
723bf3793db3ddebc8249517f58cf68f

SHA1
505e867593757e85a8c85b0c2c0450b08c9913ab

SHA256
29e0975a688575abdb04ea24bbd3b7de6909c26f8f81f4690827ea39af64012e

SHA512
769b6d202e4b5eaa7d752ac2964a80233a27de90bc7a4d91f822e72396fde3dfb2f7f8a3681e06f6554f9ab2256946f128922fce43dc2185542c96c91cf25541

Download Submit
C:\Windows\{A9606B52-24C2-4864-BFE0-7CF9A95D7C19}.exe

Filesize
168KB

MD5
d25c10569ee796a172f6d21d0f20edda

SHA1
1848fdd9a50c26d79e142c749d6fe9a1ec537a55

SHA256
6ce4cc82e8b6a2702db8141b30c28061ef19c946e1f0b489b3ec830bc83703fd

SHA512
0bbf08da7c69c71f8fb65ab67516e5403aa967e313f9c15f4a0318fafbb5f800f9bc6bb2d44edbf8226109b6a65aa3b066bf2fc158ecf59808dbab2a2bea00a9

Download Submit
C:\Windows\{B17750E4-F4EF-4049-B2C9-A299CADD2985}.exe

Filesize
168KB

MD5
99e9244ad956831663e5a0f383276cbc

SHA1
6f3d74b69716c5b08d44fae5947db137a4d6c188

SHA256
32a199cd8ecec3e1516f754919c76d700bda72bd31281c9994e6162a33763f7d

SHA512
2ad0316ce8f9d1d834161225cfc384628188955afff6ffa943e7a1a453dda8263eefe5ed7365d3367404390cbaacda649d0c330e69b4267fba7afe6875c617bc

Download Submit
C:\Windows\{BF4B49AC-394D-4c68-A6AA-880728FD09CF}.exe

Filesize
168KB

MD5
98dda0ad00b20ab51dcbdbb4eb4c903e

SHA1
6a113c69e5902144202919423e03436915724391

SHA256
7f4dabd78cd8d6a489075ec7f88ea79fb6956727314d1d27b35861bc5e62476a

SHA512
9290c0295a36577008a4fa30d1b5e31120edfaf55b5f11a1c1659be938eb148dba0996df8366e1fd37313058250c45d4da3a379b70114f6e3fdc17e03e1453b6

Download Submit
C:\Windows\{F75D4762-DB70-4409-B6CB-D9EDAB7274DC}.exe

Filesize
168KB

MD5
968a9b7ed3eaf25ece5e951d64f4689e

SHA1
0ba1a8ae3dc53087dc73e92e2a7fdb6d6b9856c4

SHA256
0fc6e40f489fc187c872337a34e49a8f0b597a839ebcb7417f2554fffda8fc24

SHA512
a9d8e8ada599b6fe7b26e104e967af9a05f949b87d13b3b673bf891ed549ac0c4c7916c46cbbe0c63415c9f5a45fe24a1b5dd07600a5b32526fb2f9f7c84a01a

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads