9a910bf2d5d76ef4609d33965132f4182762b7a503115ac646c1c36fe9e9b4dd

Analysis

max time kernel
144s
max time network
120s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
09-04-2024 15:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-08_2581fd023ecf8aa758f67b5a01fe907b_goldeneye.exe
Size

192KB
MD5

2581fd023ecf8aa758f67b5a01fe907b
SHA1

859f0b63573e6fdaec58c94169eb3034d8b7c664
SHA256

9a910bf2d5d76ef4609d33965132f4182762b7a503115ac646c1c36fe9e9b4dd
SHA512

ed019bc813f193d5725e5c7542f63435b8cdedba86be63c7ff85460ecccd813613623bfd5467888de9c5f3253dbe412388fb049c1df4f6d4b36c104d7ba3f72a
SSDEEP

1536:1EGh0o/l15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3H6:1EGh0o/l1OPOe2MUVg3Ve+rXfMUa

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x00080000000122cd-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000015d79-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00090000000122cd-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a0000000122cd-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b0000000122cd-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c0000000122cd-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d0000000122cd-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7B88B151-E79E-463e-9529-FED71ED025DD}\stubpath = "C:\\Windows\\{7B88B151-E79E-463e-9529-FED71ED025DD}.exe"	{F22DC219-9F5E-40c6-AAD3-40FF643B410A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{31D5FCB3-6A8B-4717-8648-7AD562C7277B}	{7B88B151-E79E-463e-9529-FED71ED025DD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8A2D17C8-51A8-42a9-A8A8-1499071E168E}\stubpath = "C:\\Windows\\{8A2D17C8-51A8-42a9-A8A8-1499071E168E}.exe"	{31D5FCB3-6A8B-4717-8648-7AD562C7277B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CF21A84C-C0A3-4467-8CEE-CFEABE6E892C}	{B70016C9-4B37-41b5-8677-C697DD7813FB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CF21A84C-C0A3-4467-8CEE-CFEABE6E892C}\stubpath = "C:\\Windows\\{CF21A84C-C0A3-4467-8CEE-CFEABE6E892C}.exe"	{B70016C9-4B37-41b5-8677-C697DD7813FB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7CCCAF47-E228-481e-A27E-1E5C0C46582C}	{0D9E2ED5-C5B7-4a0a-B65C-F3ECCE8BF72A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7CCCAF47-E228-481e-A27E-1E5C0C46582C}\stubpath = "C:\\Windows\\{7CCCAF47-E228-481e-A27E-1E5C0C46582C}.exe"	{0D9E2ED5-C5B7-4a0a-B65C-F3ECCE8BF72A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EE8F93BF-5BED-48c6-9520-ED19B24EC761}	2024-04-08_2581fd023ecf8aa758f67b5a01fe907b_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EE8F93BF-5BED-48c6-9520-ED19B24EC761}\stubpath = "C:\\Windows\\{EE8F93BF-5BED-48c6-9520-ED19B24EC761}.exe"	2024-04-08_2581fd023ecf8aa758f67b5a01fe907b_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F22DC219-9F5E-40c6-AAD3-40FF643B410A}\stubpath = "C:\\Windows\\{F22DC219-9F5E-40c6-AAD3-40FF643B410A}.exe"	{0454F3CD-0F2F-49e8-A2FC-CD72C65DB3F4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{31D5FCB3-6A8B-4717-8648-7AD562C7277B}\stubpath = "C:\\Windows\\{31D5FCB3-6A8B-4717-8648-7AD562C7277B}.exe"	{7B88B151-E79E-463e-9529-FED71ED025DD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0D9E2ED5-C5B7-4a0a-B65C-F3ECCE8BF72A}	{8A2D17C8-51A8-42a9-A8A8-1499071E168E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F22DC219-9F5E-40c6-AAD3-40FF643B410A}	{0454F3CD-0F2F-49e8-A2FC-CD72C65DB3F4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B70016C9-4B37-41b5-8677-C697DD7813FB}\stubpath = "C:\\Windows\\{B70016C9-4B37-41b5-8677-C697DD7813FB}.exe"	{7CCCAF47-E228-481e-A27E-1E5C0C46582C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FD96F30F-5DDB-4ee5-9067-B2E3A4FEBD5E}\stubpath = "C:\\Windows\\{FD96F30F-5DDB-4ee5-9067-B2E3A4FEBD5E}.exe"	{CF21A84C-C0A3-4467-8CEE-CFEABE6E892C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B70016C9-4B37-41b5-8677-C697DD7813FB}	{7CCCAF47-E228-481e-A27E-1E5C0C46582C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FD96F30F-5DDB-4ee5-9067-B2E3A4FEBD5E}	{CF21A84C-C0A3-4467-8CEE-CFEABE6E892C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0454F3CD-0F2F-49e8-A2FC-CD72C65DB3F4}	{EE8F93BF-5BED-48c6-9520-ED19B24EC761}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0454F3CD-0F2F-49e8-A2FC-CD72C65DB3F4}\stubpath = "C:\\Windows\\{0454F3CD-0F2F-49e8-A2FC-CD72C65DB3F4}.exe"	{EE8F93BF-5BED-48c6-9520-ED19B24EC761}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7B88B151-E79E-463e-9529-FED71ED025DD}	{F22DC219-9F5E-40c6-AAD3-40FF643B410A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8A2D17C8-51A8-42a9-A8A8-1499071E168E}	{31D5FCB3-6A8B-4717-8648-7AD562C7277B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0D9E2ED5-C5B7-4a0a-B65C-F3ECCE8BF72A}\stubpath = "C:\\Windows\\{0D9E2ED5-C5B7-4a0a-B65C-F3ECCE8BF72A}.exe"	{8A2D17C8-51A8-42a9-A8A8-1499071E168E}.exe

Deletes itself 1 IoCs

pid	Process
2548	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2444	{EE8F93BF-5BED-48c6-9520-ED19B24EC761}.exe
2608	{0454F3CD-0F2F-49e8-A2FC-CD72C65DB3F4}.exe
1652	{F22DC219-9F5E-40c6-AAD3-40FF643B410A}.exe
1948	{7B88B151-E79E-463e-9529-FED71ED025DD}.exe
852	{31D5FCB3-6A8B-4717-8648-7AD562C7277B}.exe
1360	{8A2D17C8-51A8-42a9-A8A8-1499071E168E}.exe
996	{0D9E2ED5-C5B7-4a0a-B65C-F3ECCE8BF72A}.exe
1404	{7CCCAF47-E228-481e-A27E-1E5C0C46582C}.exe
2576	{B70016C9-4B37-41b5-8677-C697DD7813FB}.exe
3060	{CF21A84C-C0A3-4467-8CEE-CFEABE6E892C}.exe
1716	{FD96F30F-5DDB-4ee5-9067-B2E3A4FEBD5E}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{FD96F30F-5DDB-4ee5-9067-B2E3A4FEBD5E}.exe	{CF21A84C-C0A3-4467-8CEE-CFEABE6E892C}.exe
File created	C:\Windows\{0454F3CD-0F2F-49e8-A2FC-CD72C65DB3F4}.exe	{EE8F93BF-5BED-48c6-9520-ED19B24EC761}.exe
File created	C:\Windows\{7B88B151-E79E-463e-9529-FED71ED025DD}.exe	{F22DC219-9F5E-40c6-AAD3-40FF643B410A}.exe
File created	C:\Windows\{31D5FCB3-6A8B-4717-8648-7AD562C7277B}.exe	{7B88B151-E79E-463e-9529-FED71ED025DD}.exe
File created	C:\Windows\{8A2D17C8-51A8-42a9-A8A8-1499071E168E}.exe	{31D5FCB3-6A8B-4717-8648-7AD562C7277B}.exe
File created	C:\Windows\{7CCCAF47-E228-481e-A27E-1E5C0C46582C}.exe	{0D9E2ED5-C5B7-4a0a-B65C-F3ECCE8BF72A}.exe
File created	C:\Windows\{CF21A84C-C0A3-4467-8CEE-CFEABE6E892C}.exe	{B70016C9-4B37-41b5-8677-C697DD7813FB}.exe
File created	C:\Windows\{EE8F93BF-5BED-48c6-9520-ED19B24EC761}.exe	2024-04-08_2581fd023ecf8aa758f67b5a01fe907b_goldeneye.exe
File created	C:\Windows\{F22DC219-9F5E-40c6-AAD3-40FF643B410A}.exe	{0454F3CD-0F2F-49e8-A2FC-CD72C65DB3F4}.exe
File created	C:\Windows\{0D9E2ED5-C5B7-4a0a-B65C-F3ECCE8BF72A}.exe	{8A2D17C8-51A8-42a9-A8A8-1499071E168E}.exe
File created	C:\Windows\{B70016C9-4B37-41b5-8677-C697DD7813FB}.exe	{7CCCAF47-E228-481e-A27E-1E5C0C46582C}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1972	2024-04-08_2581fd023ecf8aa758f67b5a01fe907b_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2444	{EE8F93BF-5BED-48c6-9520-ED19B24EC761}.exe
Token: SeIncBasePriorityPrivilege	2608	{0454F3CD-0F2F-49e8-A2FC-CD72C65DB3F4}.exe
Token: SeIncBasePriorityPrivilege	1652	{F22DC219-9F5E-40c6-AAD3-40FF643B410A}.exe
Token: SeIncBasePriorityPrivilege	1948	{7B88B151-E79E-463e-9529-FED71ED025DD}.exe
Token: SeIncBasePriorityPrivilege	852	{31D5FCB3-6A8B-4717-8648-7AD562C7277B}.exe
Token: SeIncBasePriorityPrivilege	1360	{8A2D17C8-51A8-42a9-A8A8-1499071E168E}.exe
Token: SeIncBasePriorityPrivilege	996	{0D9E2ED5-C5B7-4a0a-B65C-F3ECCE8BF72A}.exe
Token: SeIncBasePriorityPrivilege	1404	{7CCCAF47-E228-481e-A27E-1E5C0C46582C}.exe
Token: SeIncBasePriorityPrivilege	2576	{B70016C9-4B37-41b5-8677-C697DD7813FB}.exe
Token: SeIncBasePriorityPrivilege	3060	{CF21A84C-C0A3-4467-8CEE-CFEABE6E892C}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1972 wrote to memory of 2444	1972	2024-04-08_2581fd023ecf8aa758f67b5a01fe907b_goldeneye.exe	28
PID 1972 wrote to memory of 2444	1972	2024-04-08_2581fd023ecf8aa758f67b5a01fe907b_goldeneye.exe	28
PID 1972 wrote to memory of 2444	1972	2024-04-08_2581fd023ecf8aa758f67b5a01fe907b_goldeneye.exe	28
PID 1972 wrote to memory of 2444	1972	2024-04-08_2581fd023ecf8aa758f67b5a01fe907b_goldeneye.exe	28
PID 1972 wrote to memory of 2548	1972	2024-04-08_2581fd023ecf8aa758f67b5a01fe907b_goldeneye.exe	29
PID 1972 wrote to memory of 2548	1972	2024-04-08_2581fd023ecf8aa758f67b5a01fe907b_goldeneye.exe	29
PID 1972 wrote to memory of 2548	1972	2024-04-08_2581fd023ecf8aa758f67b5a01fe907b_goldeneye.exe	29
PID 1972 wrote to memory of 2548	1972	2024-04-08_2581fd023ecf8aa758f67b5a01fe907b_goldeneye.exe	29
PID 2444 wrote to memory of 2608	2444	{EE8F93BF-5BED-48c6-9520-ED19B24EC761}.exe	30
PID 2444 wrote to memory of 2608	2444	{EE8F93BF-5BED-48c6-9520-ED19B24EC761}.exe	30
PID 2444 wrote to memory of 2608	2444	{EE8F93BF-5BED-48c6-9520-ED19B24EC761}.exe	30
PID 2444 wrote to memory of 2608	2444	{EE8F93BF-5BED-48c6-9520-ED19B24EC761}.exe	30
PID 2444 wrote to memory of 2560	2444	{EE8F93BF-5BED-48c6-9520-ED19B24EC761}.exe	31
PID 2444 wrote to memory of 2560	2444	{EE8F93BF-5BED-48c6-9520-ED19B24EC761}.exe	31
PID 2444 wrote to memory of 2560	2444	{EE8F93BF-5BED-48c6-9520-ED19B24EC761}.exe	31
PID 2444 wrote to memory of 2560	2444	{EE8F93BF-5BED-48c6-9520-ED19B24EC761}.exe	31
PID 2608 wrote to memory of 1652	2608	{0454F3CD-0F2F-49e8-A2FC-CD72C65DB3F4}.exe	32
PID 2608 wrote to memory of 1652	2608	{0454F3CD-0F2F-49e8-A2FC-CD72C65DB3F4}.exe	32
PID 2608 wrote to memory of 1652	2608	{0454F3CD-0F2F-49e8-A2FC-CD72C65DB3F4}.exe	32
PID 2608 wrote to memory of 1652	2608	{0454F3CD-0F2F-49e8-A2FC-CD72C65DB3F4}.exe	32
PID 2608 wrote to memory of 2348	2608	{0454F3CD-0F2F-49e8-A2FC-CD72C65DB3F4}.exe	33
PID 2608 wrote to memory of 2348	2608	{0454F3CD-0F2F-49e8-A2FC-CD72C65DB3F4}.exe	33
PID 2608 wrote to memory of 2348	2608	{0454F3CD-0F2F-49e8-A2FC-CD72C65DB3F4}.exe	33
PID 2608 wrote to memory of 2348	2608	{0454F3CD-0F2F-49e8-A2FC-CD72C65DB3F4}.exe	33
PID 1652 wrote to memory of 1948	1652	{F22DC219-9F5E-40c6-AAD3-40FF643B410A}.exe	36
PID 1652 wrote to memory of 1948	1652	{F22DC219-9F5E-40c6-AAD3-40FF643B410A}.exe	36
PID 1652 wrote to memory of 1948	1652	{F22DC219-9F5E-40c6-AAD3-40FF643B410A}.exe	36
PID 1652 wrote to memory of 1948	1652	{F22DC219-9F5E-40c6-AAD3-40FF643B410A}.exe	36
PID 1652 wrote to memory of 1628	1652	{F22DC219-9F5E-40c6-AAD3-40FF643B410A}.exe	37
PID 1652 wrote to memory of 1628	1652	{F22DC219-9F5E-40c6-AAD3-40FF643B410A}.exe	37
PID 1652 wrote to memory of 1628	1652	{F22DC219-9F5E-40c6-AAD3-40FF643B410A}.exe	37
PID 1652 wrote to memory of 1628	1652	{F22DC219-9F5E-40c6-AAD3-40FF643B410A}.exe	37
PID 1948 wrote to memory of 852	1948	{7B88B151-E79E-463e-9529-FED71ED025DD}.exe	38
PID 1948 wrote to memory of 852	1948	{7B88B151-E79E-463e-9529-FED71ED025DD}.exe	38
PID 1948 wrote to memory of 852	1948	{7B88B151-E79E-463e-9529-FED71ED025DD}.exe	38
PID 1948 wrote to memory of 852	1948	{7B88B151-E79E-463e-9529-FED71ED025DD}.exe	38
PID 1948 wrote to memory of 2280	1948	{7B88B151-E79E-463e-9529-FED71ED025DD}.exe	39
PID 1948 wrote to memory of 2280	1948	{7B88B151-E79E-463e-9529-FED71ED025DD}.exe	39
PID 1948 wrote to memory of 2280	1948	{7B88B151-E79E-463e-9529-FED71ED025DD}.exe	39
PID 1948 wrote to memory of 2280	1948	{7B88B151-E79E-463e-9529-FED71ED025DD}.exe	39
PID 852 wrote to memory of 1360	852	{31D5FCB3-6A8B-4717-8648-7AD562C7277B}.exe	40
PID 852 wrote to memory of 1360	852	{31D5FCB3-6A8B-4717-8648-7AD562C7277B}.exe	40
PID 852 wrote to memory of 1360	852	{31D5FCB3-6A8B-4717-8648-7AD562C7277B}.exe	40
PID 852 wrote to memory of 1360	852	{31D5FCB3-6A8B-4717-8648-7AD562C7277B}.exe	40
PID 852 wrote to memory of 328	852	{31D5FCB3-6A8B-4717-8648-7AD562C7277B}.exe	41
PID 852 wrote to memory of 328	852	{31D5FCB3-6A8B-4717-8648-7AD562C7277B}.exe	41
PID 852 wrote to memory of 328	852	{31D5FCB3-6A8B-4717-8648-7AD562C7277B}.exe	41
PID 852 wrote to memory of 328	852	{31D5FCB3-6A8B-4717-8648-7AD562C7277B}.exe	41
PID 1360 wrote to memory of 996	1360	{8A2D17C8-51A8-42a9-A8A8-1499071E168E}.exe	42
PID 1360 wrote to memory of 996	1360	{8A2D17C8-51A8-42a9-A8A8-1499071E168E}.exe	42
PID 1360 wrote to memory of 996	1360	{8A2D17C8-51A8-42a9-A8A8-1499071E168E}.exe	42
PID 1360 wrote to memory of 996	1360	{8A2D17C8-51A8-42a9-A8A8-1499071E168E}.exe	42
PID 1360 wrote to memory of 1896	1360	{8A2D17C8-51A8-42a9-A8A8-1499071E168E}.exe	43
PID 1360 wrote to memory of 1896	1360	{8A2D17C8-51A8-42a9-A8A8-1499071E168E}.exe	43
PID 1360 wrote to memory of 1896	1360	{8A2D17C8-51A8-42a9-A8A8-1499071E168E}.exe	43
PID 1360 wrote to memory of 1896	1360	{8A2D17C8-51A8-42a9-A8A8-1499071E168E}.exe	43
PID 996 wrote to memory of 1404	996	{0D9E2ED5-C5B7-4a0a-B65C-F3ECCE8BF72A}.exe	44
PID 996 wrote to memory of 1404	996	{0D9E2ED5-C5B7-4a0a-B65C-F3ECCE8BF72A}.exe	44
PID 996 wrote to memory of 1404	996	{0D9E2ED5-C5B7-4a0a-B65C-F3ECCE8BF72A}.exe	44
PID 996 wrote to memory of 1404	996	{0D9E2ED5-C5B7-4a0a-B65C-F3ECCE8BF72A}.exe	44
PID 996 wrote to memory of 1916	996	{0D9E2ED5-C5B7-4a0a-B65C-F3ECCE8BF72A}.exe	45
PID 996 wrote to memory of 1916	996	{0D9E2ED5-C5B7-4a0a-B65C-F3ECCE8BF72A}.exe	45
PID 996 wrote to memory of 1916	996	{0D9E2ED5-C5B7-4a0a-B65C-F3ECCE8BF72A}.exe	45
PID 996 wrote to memory of 1916	996	{0D9E2ED5-C5B7-4a0a-B65C-F3ECCE8BF72A}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-04-08_2581fd023ecf8aa758f67b5a01fe907b_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-08_2581fd023ecf8aa758f67b5a01fe907b_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1972
- C:\Windows\{EE8F93BF-5BED-48c6-9520-ED19B24EC761}.exe
  C:\Windows\{EE8F93BF-5BED-48c6-9520-ED19B24EC761}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2444
- - C:\Windows\{0454F3CD-0F2F-49e8-A2FC-CD72C65DB3F4}.exe
    C:\Windows\{0454F3CD-0F2F-49e8-A2FC-CD72C65DB3F4}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2608
  - - C:\Windows\{F22DC219-9F5E-40c6-AAD3-40FF643B410A}.exe
      C:\Windows\{F22DC219-9F5E-40c6-AAD3-40FF643B410A}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1652
    - - C:\Windows\{7B88B151-E79E-463e-9529-FED71ED025DD}.exe
        
        C:\Windows\{7B88B151-E79E-463e-9529-FED71ED025DD}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1948
      - C:\Windows\{31D5FCB3-6A8B-4717-8648-7AD562C7277B}.exe
        
        C:\Windows\{31D5FCB3-6A8B-4717-8648-7AD562C7277B}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:852
        
        C:\Windows\{8A2D17C8-51A8-42a9-A8A8-1499071E168E}.exe
        
        C:\Windows\{8A2D17C8-51A8-42a9-A8A8-1499071E168E}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1360
        
        C:\Windows\{0D9E2ED5-C5B7-4a0a-B65C-F3ECCE8BF72A}.exe
        
        C:\Windows\{0D9E2ED5-C5B7-4a0a-B65C-F3ECCE8BF72A}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:996
        
        C:\Windows\{7CCCAF47-E228-481e-A27E-1E5C0C46582C}.exe
        
        C:\Windows\{7CCCAF47-E228-481e-A27E-1E5C0C46582C}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1404
        
        C:\Windows\{B70016C9-4B37-41b5-8677-C697DD7813FB}.exe
        
        C:\Windows\{B70016C9-4B37-41b5-8677-C697DD7813FB}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2576
        
        C:\Windows\{CF21A84C-C0A3-4467-8CEE-CFEABE6E892C}.exe
        
        C:\Windows\{CF21A84C-C0A3-4467-8CEE-CFEABE6E892C}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3060
        
        C:\Windows\{FD96F30F-5DDB-4ee5-9067-B2E3A4FEBD5E}.exe
        
        C:\Windows\{FD96F30F-5DDB-4ee5-9067-B2E3A4FEBD5E}.exe
        12⤵
        Executes dropped EXE
        
        PID:1716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CF21A~1.EXE > nul
        12⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B7001~1.EXE > nul
        11⤵
        
        PID:3000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7CCCA~1.EXE > nul
        10⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0D9E2~1.EXE > nul
        9⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8A2D1~1.EXE > nul
        8⤵
        
        PID:1896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{31D5F~1.EXE > nul
        7⤵
        
        PID:328
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7B88B~1.EXE > nul
        6⤵
        
        PID:2280
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F22DC~1.EXE > nul
        5⤵
        
        PID:1628
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{0454F~1.EXE > nul
      4⤵
      PID:2348
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{EE8F9~1.EXE > nul
    3⤵
    PID:2560
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0454F3CD-0F2F-49e8-A2FC-CD72C65DB3F4}.exe

Filesize
192KB

MD5
89af77692c753bfb5049afde42a590a3

SHA1
98c4d9d719481144c1b239622d9b73384e4a1020

SHA256
ba95e2461b5666a98b78865473f5a62f061b5a2b6ea906c544d44207155a5269

SHA512
98db2b9db6780127ea60db4fc14be0a5a70aaea4838d221bbc1d576c6e2a814736d98b85a62d5ee9c141fdb1511501337eea3e380eadeb4495114699312cdafc

Download Submit
C:\Windows\{0D9E2ED5-C5B7-4a0a-B65C-F3ECCE8BF72A}.exe

Filesize
192KB

MD5
c4efe5fccaa4999cf76ca0c8efc1a208

SHA1
4548c553bab23cb1719f8b0a39df7e4b9771c46b

SHA256
8f63fa5031d629c95c33739b0c886d249c319fac5844c9f13fbf79967bbe522a

SHA512
4f85eca3d73ac8e880a3540cc4445a666d7cde8c8564c97c54a88c2e29cef4ab83c6a88b4f5fbf97b2456da30925648d17845331e450ac743b30e61300df7692

Download Submit
C:\Windows\{31D5FCB3-6A8B-4717-8648-7AD562C7277B}.exe

Filesize
192KB

MD5
255b8a73368f20b4337a83cdc70f3355

SHA1
02364764e16bd130fd96f2f7ffb61051efe6da03

SHA256
e65fc26a41a4733cad679e7fdc2513c3fdccf2c8a93abe8d6c40bdb5dc65e344

SHA512
2b0ad7329f3cc9acae427b2f3767d4fde17dedd74ef72993c6db05a9b263fae2301db420fd413b709cb6bdb6ce5fa92bd5a3de32d5636a3b7ad3438a7972731d

Download Submit
C:\Windows\{7B88B151-E79E-463e-9529-FED71ED025DD}.exe

Filesize
192KB

MD5
525ab98d0a9c4f83294fcec8b5b15265

SHA1
a664aac95598bd633dad1f96ec3e781552f339bc

SHA256
e5c4fe9ab805791c0e71bf4b7d63306f7bb3ac67a444c72f1cd493d741f9bb18

SHA512
c9f402189f1b54f8683f6f81e5ecc2c29ab10349cb82c774a458c932b2188c361c93b24f408dab4e77da84a63390fa52d7ef2bd40fe8decc3c5d2418884b6552

Download Submit
C:\Windows\{7CCCAF47-E228-481e-A27E-1E5C0C46582C}.exe

Filesize
192KB

MD5
18b75b0c54f73a6ce76fc5bf0d6e1d5a

SHA1
9c838196b7f532a03709c3cc3439905bba5a3a7c

SHA256
afdc8b0ea3649d81b9f68695f3446bb4aa17dc9d09fbff483f7996537b77f34a

SHA512
0d3b0f3b5608946485970d71e4d8b230e2c0d8be10096c1ba6e27a90b83a22ff1191cf557f8230a67f63579a00ffb7aaf14cb57ffcc00b36d225cebcd3ac195b

Download Submit
C:\Windows\{8A2D17C8-51A8-42a9-A8A8-1499071E168E}.exe

Filesize
192KB

MD5
28fec8effead4257ba86831d26c1000b

SHA1
bfe657c5e5b9304fca0a4d752daefbc5a6276d02

SHA256
5d3c322924f73b30555de6c945c3d365473bb1a509bd329410a2caeed6768731

SHA512
9766151f8e353f96041ae2fac33928faeaa4d297f7f4c4a62b1ddb672bd88441ded41e9b5fc6e381630c1da7430035b8a005c21df19be8187bf07544dd697155

Download Submit
C:\Windows\{B70016C9-4B37-41b5-8677-C697DD7813FB}.exe

Filesize
192KB

MD5
faf76089107b657c120734aed6cee713

SHA1
99df1885cb71fa475f40c0cdb389f0bc09dc9a61

SHA256
7304108b30e4d231b523843b79607bd68d5065a7f00eb8878d208d599fc13c9a

SHA512
0889399d72c16d7e36bf4f64c29b65580e6497703f510b6db96ad41cfad9ab24d34b4742ed7de65211c2c4c1690378621bc773c9b22097292bf64081d2899fa8

Download Submit
C:\Windows\{CF21A84C-C0A3-4467-8CEE-CFEABE6E892C}.exe

Filesize
192KB

MD5
d89e78abdf8bcc70267e0e5a0c172cbf

SHA1
de2dd3f04f464980e3b444d9d074abf6d8695240

SHA256
1323511869510e48cd032fc74f965bf109ffd19a79de5c321c6581b859f1e94f

SHA512
df100915d9f10190136e114f853e840cb8483434b8935070bac926e620e835b25630338f5d166e92a995959aa5499734617ff142bff2da6d1181c92101260364

Download Submit
C:\Windows\{EE8F93BF-5BED-48c6-9520-ED19B24EC761}.exe

Filesize
192KB

MD5
848a4c18a8282f45fdda77efcb6746fd

SHA1
e2112acc9b42485640b1fc25e9c6f93c53a856e2

SHA256
6b04e7de05b847adb4ffc2d52b1a549dcfc36e29f581dfb93353557f20faa16c

SHA512
2ed22b444df86309d03492b9d39aa0ef1bee266dce26bce42b92d64bd0dd49bf82fe50ad9cd813f23185c1a517ebd1501709784ddf5983ae168410b71629081b

Download Submit
C:\Windows\{F22DC219-9F5E-40c6-AAD3-40FF643B410A}.exe

Filesize
192KB

MD5
b562a38a3379f94361e8ad6dead64d2e

SHA1
ebc09c1d5a5bd3ae7556a89673da823b421331bb

SHA256
ea91cc733d3bfd22155d17e3209e4d00d686fcf29f448cf5e2f9cebc812f8b19

SHA512
af91182c93c080d020a89f3493f635e8d015b44798281b5a15db7f22ffa3d93089c17049c800e31484ed6d760279fcc920fb31ad9cf982fa12b833f3ed088146

Download Submit
C:\Windows\{FD96F30F-5DDB-4ee5-9067-B2E3A4FEBD5E}.exe

Filesize
192KB

MD5
d84c921751f81ce637eba451aaa865e9

SHA1
15f32fb75a2730dc07e56cc93c6d2f687c14977d

SHA256
82659cb85c8db427d9de4a6386c7228ec874a8cdc79973e050c14e05eb012b60

SHA512
189a3c2192a428423fd83be4bfeba0c1bd6db55ab4b715a7df9ed0ebde17cae43dcbf1e1cf3895ed2c46909b288e1d377c330f65312e0d5db77ad5a23787354c

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads