dca84e34f3f7796e36861270114255240e91a42b84e0e3807905ec3328eb5a60

Analysis

max time kernel
144s
max time network
118s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
09/04/2024, 15:16

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-04-08_12971782a980f5bde4c924dd747f40d6_goldeneye.exe
Size

408KB
MD5

12971782a980f5bde4c924dd747f40d6
SHA1

5e7dfd28987dc41b18a5e145e03c808e69214789
SHA256

dca84e34f3f7796e36861270114255240e91a42b84e0e3807905ec3328eb5a60
SHA512

c127e5ff00e1163197aabd0149b04d4ff03a28025795ff50761f4e243fa822027600fe555129ba6b8d9ceef9c183e0c874f1a7a5e41111e3c4801ef805eccb2e
SSDEEP

3072:CEGh0oMl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGWldOe2MUVg3vTeKcAEciTBqr3jy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000b000000012256-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b000000014454-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000012256-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0037000000014708-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000012256-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e000000012256-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f000000012256-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2A841A3C-FAC9-4a2b-AF5B-F199808D52EA}	{E0043524-2FB8-4070-9038-901F9C22EA9B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2A841A3C-FAC9-4a2b-AF5B-F199808D52EA}\stubpath = "C:\\Windows\\{2A841A3C-FAC9-4a2b-AF5B-F199808D52EA}.exe"	{E0043524-2FB8-4070-9038-901F9C22EA9B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1419B142-1BB1-45bd-A2BF-7B43FCA6EFC2}	{2A841A3C-FAC9-4a2b-AF5B-F199808D52EA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6FD44BDB-F41C-4adc-89FA-4A2BE0E80F51}\stubpath = "C:\\Windows\\{6FD44BDB-F41C-4adc-89FA-4A2BE0E80F51}.exe"	{C737C92B-0A8C-4033-A453-E14965BFC733}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B001179B-C74D-4ed5-8FED-4F91C358E98D}\stubpath = "C:\\Windows\\{B001179B-C74D-4ed5-8FED-4F91C358E98D}.exe"	{4A9DF9B7-CD5B-405e-84F4-ECC2AE472B53}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E0043524-2FB8-4070-9038-901F9C22EA9B}\stubpath = "C:\\Windows\\{E0043524-2FB8-4070-9038-901F9C22EA9B}.exe"	{A9BFC91C-44C6-4b8b-8E88-F1B46917327D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1944F844-6658-4505-80CE-027F4EA97723}\stubpath = "C:\\Windows\\{1944F844-6658-4505-80CE-027F4EA97723}.exe"	{6FD44BDB-F41C-4adc-89FA-4A2BE0E80F51}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4A9DF9B7-CD5B-405e-84F4-ECC2AE472B53}	{1944F844-6658-4505-80CE-027F4EA97723}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4A9DF9B7-CD5B-405e-84F4-ECC2AE472B53}\stubpath = "C:\\Windows\\{4A9DF9B7-CD5B-405e-84F4-ECC2AE472B53}.exe"	{1944F844-6658-4505-80CE-027F4EA97723}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B001179B-C74D-4ed5-8FED-4F91C358E98D}	{4A9DF9B7-CD5B-405e-84F4-ECC2AE472B53}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A9BFC91C-44C6-4b8b-8E88-F1B46917327D}	{B001179B-C74D-4ed5-8FED-4F91C358E98D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8BAB5380-B97A-4ae0-84AA-9C0BE4042167}\stubpath = "C:\\Windows\\{8BAB5380-B97A-4ae0-84AA-9C0BE4042167}.exe"	{292D0FBD-27FD-4255-8DEA-E0E4C2CBEB1B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6FD44BDB-F41C-4adc-89FA-4A2BE0E80F51}	{C737C92B-0A8C-4033-A453-E14965BFC733}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1944F844-6658-4505-80CE-027F4EA97723}	{6FD44BDB-F41C-4adc-89FA-4A2BE0E80F51}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E0043524-2FB8-4070-9038-901F9C22EA9B}	{A9BFC91C-44C6-4b8b-8E88-F1B46917327D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1419B142-1BB1-45bd-A2BF-7B43FCA6EFC2}\stubpath = "C:\\Windows\\{1419B142-1BB1-45bd-A2BF-7B43FCA6EFC2}.exe"	{2A841A3C-FAC9-4a2b-AF5B-F199808D52EA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8BAB5380-B97A-4ae0-84AA-9C0BE4042167}	{292D0FBD-27FD-4255-8DEA-E0E4C2CBEB1B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C737C92B-0A8C-4033-A453-E14965BFC733}	{8BAB5380-B97A-4ae0-84AA-9C0BE4042167}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A9BFC91C-44C6-4b8b-8E88-F1B46917327D}\stubpath = "C:\\Windows\\{A9BFC91C-44C6-4b8b-8E88-F1B46917327D}.exe"	{B001179B-C74D-4ed5-8FED-4F91C358E98D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{292D0FBD-27FD-4255-8DEA-E0E4C2CBEB1B}	2024-04-08_12971782a980f5bde4c924dd747f40d6_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{292D0FBD-27FD-4255-8DEA-E0E4C2CBEB1B}\stubpath = "C:\\Windows\\{292D0FBD-27FD-4255-8DEA-E0E4C2CBEB1B}.exe"	2024-04-08_12971782a980f5bde4c924dd747f40d6_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C737C92B-0A8C-4033-A453-E14965BFC733}\stubpath = "C:\\Windows\\{C737C92B-0A8C-4033-A453-E14965BFC733}.exe"	{8BAB5380-B97A-4ae0-84AA-9C0BE4042167}.exe

Deletes itself 1 IoCs

pid	Process
2608	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2548	{292D0FBD-27FD-4255-8DEA-E0E4C2CBEB1B}.exe
2032	{8BAB5380-B97A-4ae0-84AA-9C0BE4042167}.exe
2520	{C737C92B-0A8C-4033-A453-E14965BFC733}.exe
2776	{6FD44BDB-F41C-4adc-89FA-4A2BE0E80F51}.exe
2836	{1944F844-6658-4505-80CE-027F4EA97723}.exe
2472	{4A9DF9B7-CD5B-405e-84F4-ECC2AE472B53}.exe
2760	{B001179B-C74D-4ed5-8FED-4F91C358E98D}.exe
1276	{A9BFC91C-44C6-4b8b-8E88-F1B46917327D}.exe
1888	{E0043524-2FB8-4070-9038-901F9C22EA9B}.exe
580	{2A841A3C-FAC9-4a2b-AF5B-F199808D52EA}.exe
2236	{1419B142-1BB1-45bd-A2BF-7B43FCA6EFC2}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{292D0FBD-27FD-4255-8DEA-E0E4C2CBEB1B}.exe	2024-04-08_12971782a980f5bde4c924dd747f40d6_goldeneye.exe
File created	C:\Windows\{C737C92B-0A8C-4033-A453-E14965BFC733}.exe	{8BAB5380-B97A-4ae0-84AA-9C0BE4042167}.exe
File created	C:\Windows\{4A9DF9B7-CD5B-405e-84F4-ECC2AE472B53}.exe	{1944F844-6658-4505-80CE-027F4EA97723}.exe
File created	C:\Windows\{B001179B-C74D-4ed5-8FED-4F91C358E98D}.exe	{4A9DF9B7-CD5B-405e-84F4-ECC2AE472B53}.exe
File created	C:\Windows\{A9BFC91C-44C6-4b8b-8E88-F1B46917327D}.exe	{B001179B-C74D-4ed5-8FED-4F91C358E98D}.exe
File created	C:\Windows\{2A841A3C-FAC9-4a2b-AF5B-F199808D52EA}.exe	{E0043524-2FB8-4070-9038-901F9C22EA9B}.exe
File created	C:\Windows\{1419B142-1BB1-45bd-A2BF-7B43FCA6EFC2}.exe	{2A841A3C-FAC9-4a2b-AF5B-F199808D52EA}.exe
File created	C:\Windows\{8BAB5380-B97A-4ae0-84AA-9C0BE4042167}.exe	{292D0FBD-27FD-4255-8DEA-E0E4C2CBEB1B}.exe
File created	C:\Windows\{6FD44BDB-F41C-4adc-89FA-4A2BE0E80F51}.exe	{C737C92B-0A8C-4033-A453-E14965BFC733}.exe
File created	C:\Windows\{1944F844-6658-4505-80CE-027F4EA97723}.exe	{6FD44BDB-F41C-4adc-89FA-4A2BE0E80F51}.exe
File created	C:\Windows\{E0043524-2FB8-4070-9038-901F9C22EA9B}.exe	{A9BFC91C-44C6-4b8b-8E88-F1B46917327D}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2168	2024-04-08_12971782a980f5bde4c924dd747f40d6_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2548	{292D0FBD-27FD-4255-8DEA-E0E4C2CBEB1B}.exe
Token: SeIncBasePriorityPrivilege	2032	{8BAB5380-B97A-4ae0-84AA-9C0BE4042167}.exe
Token: SeIncBasePriorityPrivilege	2520	{C737C92B-0A8C-4033-A453-E14965BFC733}.exe
Token: SeIncBasePriorityPrivilege	2776	{6FD44BDB-F41C-4adc-89FA-4A2BE0E80F51}.exe
Token: SeIncBasePriorityPrivilege	2836	{1944F844-6658-4505-80CE-027F4EA97723}.exe
Token: SeIncBasePriorityPrivilege	2472	{4A9DF9B7-CD5B-405e-84F4-ECC2AE472B53}.exe
Token: SeIncBasePriorityPrivilege	2760	{B001179B-C74D-4ed5-8FED-4F91C358E98D}.exe
Token: SeIncBasePriorityPrivilege	1276	{A9BFC91C-44C6-4b8b-8E88-F1B46917327D}.exe
Token: SeIncBasePriorityPrivilege	1888	{E0043524-2FB8-4070-9038-901F9C22EA9B}.exe
Token: SeIncBasePriorityPrivilege	580	{2A841A3C-FAC9-4a2b-AF5B-F199808D52EA}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2168 wrote to memory of 2548	2168	2024-04-08_12971782a980f5bde4c924dd747f40d6_goldeneye.exe	28
PID 2168 wrote to memory of 2548	2168	2024-04-08_12971782a980f5bde4c924dd747f40d6_goldeneye.exe	28
PID 2168 wrote to memory of 2548	2168	2024-04-08_12971782a980f5bde4c924dd747f40d6_goldeneye.exe	28
PID 2168 wrote to memory of 2548	2168	2024-04-08_12971782a980f5bde4c924dd747f40d6_goldeneye.exe	28
PID 2168 wrote to memory of 2608	2168	2024-04-08_12971782a980f5bde4c924dd747f40d6_goldeneye.exe	29
PID 2168 wrote to memory of 2608	2168	2024-04-08_12971782a980f5bde4c924dd747f40d6_goldeneye.exe	29
PID 2168 wrote to memory of 2608	2168	2024-04-08_12971782a980f5bde4c924dd747f40d6_goldeneye.exe	29
PID 2168 wrote to memory of 2608	2168	2024-04-08_12971782a980f5bde4c924dd747f40d6_goldeneye.exe	29
PID 2548 wrote to memory of 2032	2548	{292D0FBD-27FD-4255-8DEA-E0E4C2CBEB1B}.exe	30
PID 2548 wrote to memory of 2032	2548	{292D0FBD-27FD-4255-8DEA-E0E4C2CBEB1B}.exe	30
PID 2548 wrote to memory of 2032	2548	{292D0FBD-27FD-4255-8DEA-E0E4C2CBEB1B}.exe	30
PID 2548 wrote to memory of 2032	2548	{292D0FBD-27FD-4255-8DEA-E0E4C2CBEB1B}.exe	30
PID 2548 wrote to memory of 2440	2548	{292D0FBD-27FD-4255-8DEA-E0E4C2CBEB1B}.exe	31
PID 2548 wrote to memory of 2440	2548	{292D0FBD-27FD-4255-8DEA-E0E4C2CBEB1B}.exe	31
PID 2548 wrote to memory of 2440	2548	{292D0FBD-27FD-4255-8DEA-E0E4C2CBEB1B}.exe	31
PID 2548 wrote to memory of 2440	2548	{292D0FBD-27FD-4255-8DEA-E0E4C2CBEB1B}.exe	31
PID 2032 wrote to memory of 2520	2032	{8BAB5380-B97A-4ae0-84AA-9C0BE4042167}.exe	32
PID 2032 wrote to memory of 2520	2032	{8BAB5380-B97A-4ae0-84AA-9C0BE4042167}.exe	32
PID 2032 wrote to memory of 2520	2032	{8BAB5380-B97A-4ae0-84AA-9C0BE4042167}.exe	32
PID 2032 wrote to memory of 2520	2032	{8BAB5380-B97A-4ae0-84AA-9C0BE4042167}.exe	32
PID 2032 wrote to memory of 2416	2032	{8BAB5380-B97A-4ae0-84AA-9C0BE4042167}.exe	33
PID 2032 wrote to memory of 2416	2032	{8BAB5380-B97A-4ae0-84AA-9C0BE4042167}.exe	33
PID 2032 wrote to memory of 2416	2032	{8BAB5380-B97A-4ae0-84AA-9C0BE4042167}.exe	33
PID 2032 wrote to memory of 2416	2032	{8BAB5380-B97A-4ae0-84AA-9C0BE4042167}.exe	33
PID 2520 wrote to memory of 2776	2520	{C737C92B-0A8C-4033-A453-E14965BFC733}.exe	36
PID 2520 wrote to memory of 2776	2520	{C737C92B-0A8C-4033-A453-E14965BFC733}.exe	36
PID 2520 wrote to memory of 2776	2520	{C737C92B-0A8C-4033-A453-E14965BFC733}.exe	36
PID 2520 wrote to memory of 2776	2520	{C737C92B-0A8C-4033-A453-E14965BFC733}.exe	36
PID 2520 wrote to memory of 2844	2520	{C737C92B-0A8C-4033-A453-E14965BFC733}.exe	37
PID 2520 wrote to memory of 2844	2520	{C737C92B-0A8C-4033-A453-E14965BFC733}.exe	37
PID 2520 wrote to memory of 2844	2520	{C737C92B-0A8C-4033-A453-E14965BFC733}.exe	37
PID 2520 wrote to memory of 2844	2520	{C737C92B-0A8C-4033-A453-E14965BFC733}.exe	37
PID 2776 wrote to memory of 2836	2776	{6FD44BDB-F41C-4adc-89FA-4A2BE0E80F51}.exe	38
PID 2776 wrote to memory of 2836	2776	{6FD44BDB-F41C-4adc-89FA-4A2BE0E80F51}.exe	38
PID 2776 wrote to memory of 2836	2776	{6FD44BDB-F41C-4adc-89FA-4A2BE0E80F51}.exe	38
PID 2776 wrote to memory of 2836	2776	{6FD44BDB-F41C-4adc-89FA-4A2BE0E80F51}.exe	38
PID 2776 wrote to memory of 2996	2776	{6FD44BDB-F41C-4adc-89FA-4A2BE0E80F51}.exe	39
PID 2776 wrote to memory of 2996	2776	{6FD44BDB-F41C-4adc-89FA-4A2BE0E80F51}.exe	39
PID 2776 wrote to memory of 2996	2776	{6FD44BDB-F41C-4adc-89FA-4A2BE0E80F51}.exe	39
PID 2776 wrote to memory of 2996	2776	{6FD44BDB-F41C-4adc-89FA-4A2BE0E80F51}.exe	39
PID 2836 wrote to memory of 2472	2836	{1944F844-6658-4505-80CE-027F4EA97723}.exe	40
PID 2836 wrote to memory of 2472	2836	{1944F844-6658-4505-80CE-027F4EA97723}.exe	40
PID 2836 wrote to memory of 2472	2836	{1944F844-6658-4505-80CE-027F4EA97723}.exe	40
PID 2836 wrote to memory of 2472	2836	{1944F844-6658-4505-80CE-027F4EA97723}.exe	40
PID 2836 wrote to memory of 2592	2836	{1944F844-6658-4505-80CE-027F4EA97723}.exe	41
PID 2836 wrote to memory of 2592	2836	{1944F844-6658-4505-80CE-027F4EA97723}.exe	41
PID 2836 wrote to memory of 2592	2836	{1944F844-6658-4505-80CE-027F4EA97723}.exe	41
PID 2836 wrote to memory of 2592	2836	{1944F844-6658-4505-80CE-027F4EA97723}.exe	41
PID 2472 wrote to memory of 2760	2472	{4A9DF9B7-CD5B-405e-84F4-ECC2AE472B53}.exe	42
PID 2472 wrote to memory of 2760	2472	{4A9DF9B7-CD5B-405e-84F4-ECC2AE472B53}.exe	42
PID 2472 wrote to memory of 2760	2472	{4A9DF9B7-CD5B-405e-84F4-ECC2AE472B53}.exe	42
PID 2472 wrote to memory of 2760	2472	{4A9DF9B7-CD5B-405e-84F4-ECC2AE472B53}.exe	42
PID 2472 wrote to memory of 2508	2472	{4A9DF9B7-CD5B-405e-84F4-ECC2AE472B53}.exe	43
PID 2472 wrote to memory of 2508	2472	{4A9DF9B7-CD5B-405e-84F4-ECC2AE472B53}.exe	43
PID 2472 wrote to memory of 2508	2472	{4A9DF9B7-CD5B-405e-84F4-ECC2AE472B53}.exe	43
PID 2472 wrote to memory of 2508	2472	{4A9DF9B7-CD5B-405e-84F4-ECC2AE472B53}.exe	43
PID 2760 wrote to memory of 1276	2760	{B001179B-C74D-4ed5-8FED-4F91C358E98D}.exe	44
PID 2760 wrote to memory of 1276	2760	{B001179B-C74D-4ed5-8FED-4F91C358E98D}.exe	44
PID 2760 wrote to memory of 1276	2760	{B001179B-C74D-4ed5-8FED-4F91C358E98D}.exe	44
PID 2760 wrote to memory of 1276	2760	{B001179B-C74D-4ed5-8FED-4F91C358E98D}.exe	44
PID 2760 wrote to memory of 1980	2760	{B001179B-C74D-4ed5-8FED-4F91C358E98D}.exe	45
PID 2760 wrote to memory of 1980	2760	{B001179B-C74D-4ed5-8FED-4F91C358E98D}.exe	45
PID 2760 wrote to memory of 1980	2760	{B001179B-C74D-4ed5-8FED-4F91C358E98D}.exe	45
PID 2760 wrote to memory of 1980	2760	{B001179B-C74D-4ed5-8FED-4F91C358E98D}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-04-08_12971782a980f5bde4c924dd747f40d6_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-08_12971782a980f5bde4c924dd747f40d6_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2168
- C:\Windows\{292D0FBD-27FD-4255-8DEA-E0E4C2CBEB1B}.exe
  C:\Windows\{292D0FBD-27FD-4255-8DEA-E0E4C2CBEB1B}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2548
- - C:\Windows\{8BAB5380-B97A-4ae0-84AA-9C0BE4042167}.exe
    C:\Windows\{8BAB5380-B97A-4ae0-84AA-9C0BE4042167}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2032
  - - C:\Windows\{C737C92B-0A8C-4033-A453-E14965BFC733}.exe
      C:\Windows\{C737C92B-0A8C-4033-A453-E14965BFC733}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2520
    - - C:\Windows\{6FD44BDB-F41C-4adc-89FA-4A2BE0E80F51}.exe
        
        C:\Windows\{6FD44BDB-F41C-4adc-89FA-4A2BE0E80F51}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2776
      - C:\Windows\{1944F844-6658-4505-80CE-027F4EA97723}.exe
        
        C:\Windows\{1944F844-6658-4505-80CE-027F4EA97723}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2836
        
        C:\Windows\{4A9DF9B7-CD5B-405e-84F4-ECC2AE472B53}.exe
        
        C:\Windows\{4A9DF9B7-CD5B-405e-84F4-ECC2AE472B53}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2472
        
        C:\Windows\{B001179B-C74D-4ed5-8FED-4F91C358E98D}.exe
        
        C:\Windows\{B001179B-C74D-4ed5-8FED-4F91C358E98D}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2760
        
        C:\Windows\{A9BFC91C-44C6-4b8b-8E88-F1B46917327D}.exe
        
        C:\Windows\{A9BFC91C-44C6-4b8b-8E88-F1B46917327D}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1276
        
        C:\Windows\{E0043524-2FB8-4070-9038-901F9C22EA9B}.exe
        
        C:\Windows\{E0043524-2FB8-4070-9038-901F9C22EA9B}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1888
        
        C:\Windows\{2A841A3C-FAC9-4a2b-AF5B-F199808D52EA}.exe
        
        C:\Windows\{2A841A3C-FAC9-4a2b-AF5B-F199808D52EA}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:580
        
        C:\Windows\{1419B142-1BB1-45bd-A2BF-7B43FCA6EFC2}.exe
        
        C:\Windows\{1419B142-1BB1-45bd-A2BF-7B43FCA6EFC2}.exe
        12⤵
        Executes dropped EXE
        
        PID:2236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2A841~1.EXE > nul
        12⤵
        
        PID:832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E0043~1.EXE > nul
        11⤵
        
        PID:796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A9BFC~1.EXE > nul
        10⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B0011~1.EXE > nul
        9⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4A9DF~1.EXE > nul
        8⤵
        
        PID:2508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1944F~1.EXE > nul
        7⤵
        
        PID:2592
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6FD44~1.EXE > nul
        6⤵
        
        PID:2996
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C737C~1.EXE > nul
        5⤵
        
        PID:2844
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{8BAB5~1.EXE > nul
      4⤵
      PID:2416
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{292D0~1.EXE > nul
    3⤵
    PID:2440
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1419B142-1BB1-45bd-A2BF-7B43FCA6EFC2}.exe

Filesize
408KB

MD5
57fc1f0b65183d536c9768b21a9a2fb0

SHA1
95e86c4f128f216cc0e43636b2eb44497fe7fb36

SHA256
6fd2a575689e55b7f4102744e49bfe8a7ee70d9c9b0892181a81e185a163ed79

SHA512
c374dcf74aa83aa3abbc23837aa039b7051e3b766d16a68765d411aacb68a56ccadbc9cffb72ac5e80096be385947000c143f7647f4c32d1b78f647609286d41

Download Submit
C:\Windows\{1944F844-6658-4505-80CE-027F4EA97723}.exe

Filesize
408KB

MD5
2967a19784bd3cc88fbf9972915db377

SHA1
4b70ba8f01fec0154acdefe850199da8834d8a79

SHA256
3d02551c36622d51d8d1f6e09913cf2c5c65bdc67a4400bcc28ec238bd8ce970

SHA512
7f57721c9351da3ab499175febe167a2650bc19199f59dcbd22b8573e99e5a931feb5a7f03349fe5c80975f640244af8936e841fe3bcf99837de64803f4b36f4

Download Submit
C:\Windows\{292D0FBD-27FD-4255-8DEA-E0E4C2CBEB1B}.exe

Filesize
408KB

MD5
f4b8fcc9f30030fc06592518b74c4f46

SHA1
1d0a34df79e5747dd344f4203fd5704a2df4a285

SHA256
d0cc738c1f82e79857fd119535e7d319713b1118bef8bd3767d25ea31a643ac9

SHA512
b3c25bc04a6ef4b1b1cf0633a2993c9633f9bf880998be8034579226374b19f37a7786537a6cdcbeb68399745fdff12becac12d46da5083d317e957a7fe49367

Download Submit
C:\Windows\{2A841A3C-FAC9-4a2b-AF5B-F199808D52EA}.exe

Filesize
408KB

MD5
ee925dceb71ce4d632c7502f17eb3e29

SHA1
42a03486e616773e9ce6f492073f193836fbabc3

SHA256
4c2d6a49b9a4762c84c9534c0fc177a212bcd6e90d8898f62911460cbafadc54

SHA512
92b70dbd176095581e935d75df43d79a30f1e7bdf49817509ce5772d47aad3f36b8db1df8bd1234a1b669da2d2a1f084455329e3be105b60e68b407e7f21da1c

Download Submit
C:\Windows\{4A9DF9B7-CD5B-405e-84F4-ECC2AE472B53}.exe

Filesize
408KB

MD5
26f350986b00d436bec120f029060518

SHA1
ba789c76166e3b1dce10372c59bc691a568e44b9

SHA256
fe7f120bc1640e1d86265af03cf338225bf9c29a5393b1631d94797659d181d7

SHA512
7e642fa6f56befd4ccaaaa6533b344f0eba00218aa4b0ff5984f3d45e807b5648ddfe7deb2fced133193b4a4a3b962f91e1cf553303c37caf052b5a0aa5688ae

Download Submit
C:\Windows\{6FD44BDB-F41C-4adc-89FA-4A2BE0E80F51}.exe

Filesize
408KB

MD5
3bbb2127ebb5374d8e8fb5c61a73d4f1

SHA1
7b06570b163b1f281b6708fda9cc15bb54bed174

SHA256
9c5d1b00353643224b0152cf396efb8d69446455b602d76767dc665eab7c74ac

SHA512
20b8f4f18e7b5fc6736a6e60090261a5aa7dcc39a8f00c933c580bca8297789dd5d078697d819a860c0ab8062e7df4f49112cf3843b8c9570246a222f415b7ee

Download Submit
C:\Windows\{8BAB5380-B97A-4ae0-84AA-9C0BE4042167}.exe

Filesize
408KB

MD5
c317c5a4fba694e469d1e4fa8d9ced1d

SHA1
fcefb518b632cfe7d397159e375fb76c8d0e514e

SHA256
fa938164e9ee59d8e313b831cc928e70bdf61659a5fa9bd4d54e27298033814a

SHA512
ae226b628a635024de91437b31957e375113ccd76a98cf6c848b68f93d0a81bfdfe0bdc3e1f47709d7b66f81b0157ffdfae33620a9cad1a8090f8113199d42d7

Download Submit
C:\Windows\{A9BFC91C-44C6-4b8b-8E88-F1B46917327D}.exe

Filesize
408KB

MD5
9ce53d3322956b7399019bcda46b6baf

SHA1
92b0c9f0c227b26980cc480a45c501827dcdd27b

SHA256
e8da2bc425d9d49da7de61058476c7e00365c9ac24bdb8e847e4e9bb95dac1b4

SHA512
1a401feacd26abba485b9ffe96fef1acd48a591caeb4bf7c15c870293d0a8ead5e50808d24d9236e01368b2e986dbf787012f7f8e56e6ed3064d7ca81575f6b8

Download Submit
C:\Windows\{B001179B-C74D-4ed5-8FED-4F91C358E98D}.exe

Filesize
408KB

MD5
f2aa4e6b2d2887ac67c8584bcce48d94

SHA1
25c2529bd98516a1e25bb072462b0407604d76ba

SHA256
61991b78e72eea080d9b36e7a8e0629f30ff4dacaea1850a183a0095abeee2c4

SHA512
bb0d787c194f92b7283fc5d3407f1a5d763e1c00e4ae203983889860b9ab43b24f50b2cfe8b3f417f14cdfccb5bd796ff4b1841ca338c145903c18dc81360047

Download Submit
C:\Windows\{C737C92B-0A8C-4033-A453-E14965BFC733}.exe

Filesize
408KB

MD5
e7784fd9393b81d4927207b257d3e9fd

SHA1
215fd1fd0dad0160e0ceae00320a9420fae66f14

SHA256
bd593dba852a6ac8b532db1ff02b2a7ae77368ee5acecc08d12669d3f15ecbd8

SHA512
6040f1d4a64b872818b014ee4744bbbf81f9d201fedc3da4286af6c8dcaada51aa78ad80a9599b89ab44b326985384937ebed27ea6d07fc0dcd72cef4196deae

Download Submit
C:\Windows\{E0043524-2FB8-4070-9038-901F9C22EA9B}.exe

Filesize
408KB

MD5
8d8dc42ca39720c7915b5b7fb297c957

SHA1
763ebce6d385dc4f353570aa014f2ba4bba3aa4b

SHA256
16f1b58c8e4cbedf31bd40b49fb0ade5db1a6d877badbf3f2362d698861879c1

SHA512
6e0a0e9c22b9711d05a8808b671108c75e4f2725d8446ce1843e7c92480600fa1b78a882bae4bab706fa30134577556d4b1efdf110492983ed292f80619e9f51

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads