cd2ea7af3c723c3a0db234e9186b461d7b9aeaf836d42e996aca61bc9e94219a

Analysis

max time kernel
144s
max time network
120s
platform
windows7_x64
resource
win7-20240319-en
resource tags

arch:x64arch:x86image:win7-20240319-enlocale:en-usos:windows7-x64system
submitted
09/04/2024, 15:58

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-04-08_281209c1f670a58bc1b94bc28ab5ef6a_goldeneye.exe
Size

204KB
MD5

281209c1f670a58bc1b94bc28ab5ef6a
SHA1

103005a58dba318a1e026d642ede562ad03adf2d
SHA256

cd2ea7af3c723c3a0db234e9186b461d7b9aeaf836d42e996aca61bc9e94219a
SHA512

108f9ccb1934d65a9eff6dbfa9a2d7a2b9a19b908063ec30c79339250553a8283e7c17f0c694ec7ed6765d555fe327e95bdf6f918abbc77f128c52d2bbe1bceb
SSDEEP

1536:1EGh0oAl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oAl1OPOe2MUVg3Ve+rXfMUy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000d0000000121de-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000015c63-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e0000000121de-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f0000000121de-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00100000000121de-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00110000000121de-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00120000000121de-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1482E189-C238-4cb2-89C7-973FAD86DBB0}\stubpath = "C:\\Windows\\{1482E189-C238-4cb2-89C7-973FAD86DBB0}.exe"	{4C382F88-CECA-4c8b-AF26-C7A45C54F68D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{678E5400-3F5E-4d0e-A7D0-02E37B250AC3}\stubpath = "C:\\Windows\\{678E5400-3F5E-4d0e-A7D0-02E37B250AC3}.exe"	{EEAB5A43-BC2C-47dc-8676-DC74A0A9F221}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B775EB5D-BF50-4736-A9B1-042AEF041F7F}	{F53E0AC3-9721-45a7-96CE-FC282DA725C8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{92D4DAF6-B6A8-4219-BC7F-81EDABDA396B}\stubpath = "C:\\Windows\\{92D4DAF6-B6A8-4219-BC7F-81EDABDA396B}.exe"	{B775EB5D-BF50-4736-A9B1-042AEF041F7F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4D2EA662-6628-4d0d-A372-9F6C594C8B5F}\stubpath = "C:\\Windows\\{4D2EA662-6628-4d0d-A372-9F6C594C8B5F}.exe"	{92D4DAF6-B6A8-4219-BC7F-81EDABDA396B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1482E189-C238-4cb2-89C7-973FAD86DBB0}	{4C382F88-CECA-4c8b-AF26-C7A45C54F68D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AA05CBD8-ACFF-48cb-9FF8-8C30586FFCA5}	{FD7D5A2A-4056-4d6f-B4F2-6BD44EED667C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AA05CBD8-ACFF-48cb-9FF8-8C30586FFCA5}\stubpath = "C:\\Windows\\{AA05CBD8-ACFF-48cb-9FF8-8C30586FFCA5}.exe"	{FD7D5A2A-4056-4d6f-B4F2-6BD44EED667C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4C382F88-CECA-4c8b-AF26-C7A45C54F68D}	{AA05CBD8-ACFF-48cb-9FF8-8C30586FFCA5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4C382F88-CECA-4c8b-AF26-C7A45C54F68D}\stubpath = "C:\\Windows\\{4C382F88-CECA-4c8b-AF26-C7A45C54F68D}.exe"	{AA05CBD8-ACFF-48cb-9FF8-8C30586FFCA5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EEAB5A43-BC2C-47dc-8676-DC74A0A9F221}	{1482E189-C238-4cb2-89C7-973FAD86DBB0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F53E0AC3-9721-45a7-96CE-FC282DA725C8}	{678E5400-3F5E-4d0e-A7D0-02E37B250AC3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B775EB5D-BF50-4736-A9B1-042AEF041F7F}\stubpath = "C:\\Windows\\{B775EB5D-BF50-4736-A9B1-042AEF041F7F}.exe"	{F53E0AC3-9721-45a7-96CE-FC282DA725C8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FD7D5A2A-4056-4d6f-B4F2-6BD44EED667C}	{7A40C291-7AC2-45fc-9DDE-1AECFB3FD66D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EEAB5A43-BC2C-47dc-8676-DC74A0A9F221}\stubpath = "C:\\Windows\\{EEAB5A43-BC2C-47dc-8676-DC74A0A9F221}.exe"	{1482E189-C238-4cb2-89C7-973FAD86DBB0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{678E5400-3F5E-4d0e-A7D0-02E37B250AC3}	{EEAB5A43-BC2C-47dc-8676-DC74A0A9F221}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F53E0AC3-9721-45a7-96CE-FC282DA725C8}\stubpath = "C:\\Windows\\{F53E0AC3-9721-45a7-96CE-FC282DA725C8}.exe"	{678E5400-3F5E-4d0e-A7D0-02E37B250AC3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{92D4DAF6-B6A8-4219-BC7F-81EDABDA396B}	{B775EB5D-BF50-4736-A9B1-042AEF041F7F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FD7D5A2A-4056-4d6f-B4F2-6BD44EED667C}\stubpath = "C:\\Windows\\{FD7D5A2A-4056-4d6f-B4F2-6BD44EED667C}.exe"	{7A40C291-7AC2-45fc-9DDE-1AECFB3FD66D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7A40C291-7AC2-45fc-9DDE-1AECFB3FD66D}\stubpath = "C:\\Windows\\{7A40C291-7AC2-45fc-9DDE-1AECFB3FD66D}.exe"	2024-04-08_281209c1f670a58bc1b94bc28ab5ef6a_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4D2EA662-6628-4d0d-A372-9F6C594C8B5F}	{92D4DAF6-B6A8-4219-BC7F-81EDABDA396B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7A40C291-7AC2-45fc-9DDE-1AECFB3FD66D}	2024-04-08_281209c1f670a58bc1b94bc28ab5ef6a_goldeneye.exe

Deletes itself 1 IoCs

pid	Process
1716	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2216	{7A40C291-7AC2-45fc-9DDE-1AECFB3FD66D}.exe
2664	{FD7D5A2A-4056-4d6f-B4F2-6BD44EED667C}.exe
2788	{AA05CBD8-ACFF-48cb-9FF8-8C30586FFCA5}.exe
2928	{4C382F88-CECA-4c8b-AF26-C7A45C54F68D}.exe
2732	{1482E189-C238-4cb2-89C7-973FAD86DBB0}.exe
1528	{EEAB5A43-BC2C-47dc-8676-DC74A0A9F221}.exe
1784	{678E5400-3F5E-4d0e-A7D0-02E37B250AC3}.exe
2816	{F53E0AC3-9721-45a7-96CE-FC282DA725C8}.exe
1140	{B775EB5D-BF50-4736-A9B1-042AEF041F7F}.exe
2104	{92D4DAF6-B6A8-4219-BC7F-81EDABDA396B}.exe
2320	{4D2EA662-6628-4d0d-A372-9F6C594C8B5F}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{4D2EA662-6628-4d0d-A372-9F6C594C8B5F}.exe	{92D4DAF6-B6A8-4219-BC7F-81EDABDA396B}.exe
File created	C:\Windows\{FD7D5A2A-4056-4d6f-B4F2-6BD44EED667C}.exe	{7A40C291-7AC2-45fc-9DDE-1AECFB3FD66D}.exe
File created	C:\Windows\{AA05CBD8-ACFF-48cb-9FF8-8C30586FFCA5}.exe	{FD7D5A2A-4056-4d6f-B4F2-6BD44EED667C}.exe
File created	C:\Windows\{EEAB5A43-BC2C-47dc-8676-DC74A0A9F221}.exe	{1482E189-C238-4cb2-89C7-973FAD86DBB0}.exe
File created	C:\Windows\{678E5400-3F5E-4d0e-A7D0-02E37B250AC3}.exe	{EEAB5A43-BC2C-47dc-8676-DC74A0A9F221}.exe
File created	C:\Windows\{F53E0AC3-9721-45a7-96CE-FC282DA725C8}.exe	{678E5400-3F5E-4d0e-A7D0-02E37B250AC3}.exe
File created	C:\Windows\{B775EB5D-BF50-4736-A9B1-042AEF041F7F}.exe	{F53E0AC3-9721-45a7-96CE-FC282DA725C8}.exe
File created	C:\Windows\{7A40C291-7AC2-45fc-9DDE-1AECFB3FD66D}.exe	2024-04-08_281209c1f670a58bc1b94bc28ab5ef6a_goldeneye.exe
File created	C:\Windows\{4C382F88-CECA-4c8b-AF26-C7A45C54F68D}.exe	{AA05CBD8-ACFF-48cb-9FF8-8C30586FFCA5}.exe
File created	C:\Windows\{1482E189-C238-4cb2-89C7-973FAD86DBB0}.exe	{4C382F88-CECA-4c8b-AF26-C7A45C54F68D}.exe
File created	C:\Windows\{92D4DAF6-B6A8-4219-BC7F-81EDABDA396B}.exe	{B775EB5D-BF50-4736-A9B1-042AEF041F7F}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1676	2024-04-08_281209c1f670a58bc1b94bc28ab5ef6a_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2216	{7A40C291-7AC2-45fc-9DDE-1AECFB3FD66D}.exe
Token: SeIncBasePriorityPrivilege	2664	{FD7D5A2A-4056-4d6f-B4F2-6BD44EED667C}.exe
Token: SeIncBasePriorityPrivilege	2788	{AA05CBD8-ACFF-48cb-9FF8-8C30586FFCA5}.exe
Token: SeIncBasePriorityPrivilege	2928	{4C382F88-CECA-4c8b-AF26-C7A45C54F68D}.exe
Token: SeIncBasePriorityPrivilege	2732	{1482E189-C238-4cb2-89C7-973FAD86DBB0}.exe
Token: SeIncBasePriorityPrivilege	1528	{EEAB5A43-BC2C-47dc-8676-DC74A0A9F221}.exe
Token: SeIncBasePriorityPrivilege	1784	{678E5400-3F5E-4d0e-A7D0-02E37B250AC3}.exe
Token: SeIncBasePriorityPrivilege	2816	{F53E0AC3-9721-45a7-96CE-FC282DA725C8}.exe
Token: SeIncBasePriorityPrivilege	1140	{B775EB5D-BF50-4736-A9B1-042AEF041F7F}.exe
Token: SeIncBasePriorityPrivilege	2104	{92D4DAF6-B6A8-4219-BC7F-81EDABDA396B}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1676 wrote to memory of 2216	1676	2024-04-08_281209c1f670a58bc1b94bc28ab5ef6a_goldeneye.exe	28
PID 1676 wrote to memory of 2216	1676	2024-04-08_281209c1f670a58bc1b94bc28ab5ef6a_goldeneye.exe	28
PID 1676 wrote to memory of 2216	1676	2024-04-08_281209c1f670a58bc1b94bc28ab5ef6a_goldeneye.exe	28
PID 1676 wrote to memory of 2216	1676	2024-04-08_281209c1f670a58bc1b94bc28ab5ef6a_goldeneye.exe	28
PID 1676 wrote to memory of 1716	1676	2024-04-08_281209c1f670a58bc1b94bc28ab5ef6a_goldeneye.exe	29
PID 1676 wrote to memory of 1716	1676	2024-04-08_281209c1f670a58bc1b94bc28ab5ef6a_goldeneye.exe	29
PID 1676 wrote to memory of 1716	1676	2024-04-08_281209c1f670a58bc1b94bc28ab5ef6a_goldeneye.exe	29
PID 1676 wrote to memory of 1716	1676	2024-04-08_281209c1f670a58bc1b94bc28ab5ef6a_goldeneye.exe	29
PID 2216 wrote to memory of 2664	2216	{7A40C291-7AC2-45fc-9DDE-1AECFB3FD66D}.exe	30
PID 2216 wrote to memory of 2664	2216	{7A40C291-7AC2-45fc-9DDE-1AECFB3FD66D}.exe	30
PID 2216 wrote to memory of 2664	2216	{7A40C291-7AC2-45fc-9DDE-1AECFB3FD66D}.exe	30
PID 2216 wrote to memory of 2664	2216	{7A40C291-7AC2-45fc-9DDE-1AECFB3FD66D}.exe	30
PID 2216 wrote to memory of 2772	2216	{7A40C291-7AC2-45fc-9DDE-1AECFB3FD66D}.exe	31
PID 2216 wrote to memory of 2772	2216	{7A40C291-7AC2-45fc-9DDE-1AECFB3FD66D}.exe	31
PID 2216 wrote to memory of 2772	2216	{7A40C291-7AC2-45fc-9DDE-1AECFB3FD66D}.exe	31
PID 2216 wrote to memory of 2772	2216	{7A40C291-7AC2-45fc-9DDE-1AECFB3FD66D}.exe	31
PID 2664 wrote to memory of 2788	2664	{FD7D5A2A-4056-4d6f-B4F2-6BD44EED667C}.exe	32
PID 2664 wrote to memory of 2788	2664	{FD7D5A2A-4056-4d6f-B4F2-6BD44EED667C}.exe	32
PID 2664 wrote to memory of 2788	2664	{FD7D5A2A-4056-4d6f-B4F2-6BD44EED667C}.exe	32
PID 2664 wrote to memory of 2788	2664	{FD7D5A2A-4056-4d6f-B4F2-6BD44EED667C}.exe	32
PID 2664 wrote to memory of 2780	2664	{FD7D5A2A-4056-4d6f-B4F2-6BD44EED667C}.exe	33
PID 2664 wrote to memory of 2780	2664	{FD7D5A2A-4056-4d6f-B4F2-6BD44EED667C}.exe	33
PID 2664 wrote to memory of 2780	2664	{FD7D5A2A-4056-4d6f-B4F2-6BD44EED667C}.exe	33
PID 2664 wrote to memory of 2780	2664	{FD7D5A2A-4056-4d6f-B4F2-6BD44EED667C}.exe	33
PID 2788 wrote to memory of 2928	2788	{AA05CBD8-ACFF-48cb-9FF8-8C30586FFCA5}.exe	36
PID 2788 wrote to memory of 2928	2788	{AA05CBD8-ACFF-48cb-9FF8-8C30586FFCA5}.exe	36
PID 2788 wrote to memory of 2928	2788	{AA05CBD8-ACFF-48cb-9FF8-8C30586FFCA5}.exe	36
PID 2788 wrote to memory of 2928	2788	{AA05CBD8-ACFF-48cb-9FF8-8C30586FFCA5}.exe	36
PID 2788 wrote to memory of 2288	2788	{AA05CBD8-ACFF-48cb-9FF8-8C30586FFCA5}.exe	37
PID 2788 wrote to memory of 2288	2788	{AA05CBD8-ACFF-48cb-9FF8-8C30586FFCA5}.exe	37
PID 2788 wrote to memory of 2288	2788	{AA05CBD8-ACFF-48cb-9FF8-8C30586FFCA5}.exe	37
PID 2788 wrote to memory of 2288	2788	{AA05CBD8-ACFF-48cb-9FF8-8C30586FFCA5}.exe	37
PID 2928 wrote to memory of 2732	2928	{4C382F88-CECA-4c8b-AF26-C7A45C54F68D}.exe	38
PID 2928 wrote to memory of 2732	2928	{4C382F88-CECA-4c8b-AF26-C7A45C54F68D}.exe	38
PID 2928 wrote to memory of 2732	2928	{4C382F88-CECA-4c8b-AF26-C7A45C54F68D}.exe	38
PID 2928 wrote to memory of 2732	2928	{4C382F88-CECA-4c8b-AF26-C7A45C54F68D}.exe	38
PID 2928 wrote to memory of 2524	2928	{4C382F88-CECA-4c8b-AF26-C7A45C54F68D}.exe	39
PID 2928 wrote to memory of 2524	2928	{4C382F88-CECA-4c8b-AF26-C7A45C54F68D}.exe	39
PID 2928 wrote to memory of 2524	2928	{4C382F88-CECA-4c8b-AF26-C7A45C54F68D}.exe	39
PID 2928 wrote to memory of 2524	2928	{4C382F88-CECA-4c8b-AF26-C7A45C54F68D}.exe	39
PID 2732 wrote to memory of 1528	2732	{1482E189-C238-4cb2-89C7-973FAD86DBB0}.exe	40
PID 2732 wrote to memory of 1528	2732	{1482E189-C238-4cb2-89C7-973FAD86DBB0}.exe	40
PID 2732 wrote to memory of 1528	2732	{1482E189-C238-4cb2-89C7-973FAD86DBB0}.exe	40
PID 2732 wrote to memory of 1528	2732	{1482E189-C238-4cb2-89C7-973FAD86DBB0}.exe	40
PID 2732 wrote to memory of 2624	2732	{1482E189-C238-4cb2-89C7-973FAD86DBB0}.exe	41
PID 2732 wrote to memory of 2624	2732	{1482E189-C238-4cb2-89C7-973FAD86DBB0}.exe	41
PID 2732 wrote to memory of 2624	2732	{1482E189-C238-4cb2-89C7-973FAD86DBB0}.exe	41
PID 2732 wrote to memory of 2624	2732	{1482E189-C238-4cb2-89C7-973FAD86DBB0}.exe	41
PID 1528 wrote to memory of 1784	1528	{EEAB5A43-BC2C-47dc-8676-DC74A0A9F221}.exe	42
PID 1528 wrote to memory of 1784	1528	{EEAB5A43-BC2C-47dc-8676-DC74A0A9F221}.exe	42
PID 1528 wrote to memory of 1784	1528	{EEAB5A43-BC2C-47dc-8676-DC74A0A9F221}.exe	42
PID 1528 wrote to memory of 1784	1528	{EEAB5A43-BC2C-47dc-8676-DC74A0A9F221}.exe	42
PID 1528 wrote to memory of 592	1528	{EEAB5A43-BC2C-47dc-8676-DC74A0A9F221}.exe	43
PID 1528 wrote to memory of 592	1528	{EEAB5A43-BC2C-47dc-8676-DC74A0A9F221}.exe	43
PID 1528 wrote to memory of 592	1528	{EEAB5A43-BC2C-47dc-8676-DC74A0A9F221}.exe	43
PID 1528 wrote to memory of 592	1528	{EEAB5A43-BC2C-47dc-8676-DC74A0A9F221}.exe	43
PID 1784 wrote to memory of 2816	1784	{678E5400-3F5E-4d0e-A7D0-02E37B250AC3}.exe	44
PID 1784 wrote to memory of 2816	1784	{678E5400-3F5E-4d0e-A7D0-02E37B250AC3}.exe	44
PID 1784 wrote to memory of 2816	1784	{678E5400-3F5E-4d0e-A7D0-02E37B250AC3}.exe	44
PID 1784 wrote to memory of 2816	1784	{678E5400-3F5E-4d0e-A7D0-02E37B250AC3}.exe	44
PID 1784 wrote to memory of 2692	1784	{678E5400-3F5E-4d0e-A7D0-02E37B250AC3}.exe	45
PID 1784 wrote to memory of 2692	1784	{678E5400-3F5E-4d0e-A7D0-02E37B250AC3}.exe	45
PID 1784 wrote to memory of 2692	1784	{678E5400-3F5E-4d0e-A7D0-02E37B250AC3}.exe	45
PID 1784 wrote to memory of 2692	1784	{678E5400-3F5E-4d0e-A7D0-02E37B250AC3}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-04-08_281209c1f670a58bc1b94bc28ab5ef6a_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-08_281209c1f670a58bc1b94bc28ab5ef6a_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1676
- C:\Windows\{7A40C291-7AC2-45fc-9DDE-1AECFB3FD66D}.exe
  C:\Windows\{7A40C291-7AC2-45fc-9DDE-1AECFB3FD66D}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2216
- - C:\Windows\{FD7D5A2A-4056-4d6f-B4F2-6BD44EED667C}.exe
    C:\Windows\{FD7D5A2A-4056-4d6f-B4F2-6BD44EED667C}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2664
  - - C:\Windows\{AA05CBD8-ACFF-48cb-9FF8-8C30586FFCA5}.exe
      C:\Windows\{AA05CBD8-ACFF-48cb-9FF8-8C30586FFCA5}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2788
    - - C:\Windows\{4C382F88-CECA-4c8b-AF26-C7A45C54F68D}.exe
        
        C:\Windows\{4C382F88-CECA-4c8b-AF26-C7A45C54F68D}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2928
      - C:\Windows\{1482E189-C238-4cb2-89C7-973FAD86DBB0}.exe
        
        C:\Windows\{1482E189-C238-4cb2-89C7-973FAD86DBB0}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2732
        
        C:\Windows\{EEAB5A43-BC2C-47dc-8676-DC74A0A9F221}.exe
        
        C:\Windows\{EEAB5A43-BC2C-47dc-8676-DC74A0A9F221}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1528
        
        C:\Windows\{678E5400-3F5E-4d0e-A7D0-02E37B250AC3}.exe
        
        C:\Windows\{678E5400-3F5E-4d0e-A7D0-02E37B250AC3}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1784
        
        C:\Windows\{F53E0AC3-9721-45a7-96CE-FC282DA725C8}.exe
        
        C:\Windows\{F53E0AC3-9721-45a7-96CE-FC282DA725C8}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2816
        
        C:\Windows\{B775EB5D-BF50-4736-A9B1-042AEF041F7F}.exe
        
        C:\Windows\{B775EB5D-BF50-4736-A9B1-042AEF041F7F}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1140
        
        C:\Windows\{92D4DAF6-B6A8-4219-BC7F-81EDABDA396B}.exe
        
        C:\Windows\{92D4DAF6-B6A8-4219-BC7F-81EDABDA396B}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2104
        
        C:\Windows\{4D2EA662-6628-4d0d-A372-9F6C594C8B5F}.exe
        
        C:\Windows\{4D2EA662-6628-4d0d-A372-9F6C594C8B5F}.exe
        12⤵
        Executes dropped EXE
        
        PID:2320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{92D4D~1.EXE > nul
        12⤵
        
        PID:1128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B775E~1.EXE > nul
        11⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F53E0~1.EXE > nul
        10⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{678E5~1.EXE > nul
        9⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EEAB5~1.EXE > nul
        8⤵
        
        PID:592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1482E~1.EXE > nul
        7⤵
        
        PID:2624
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4C382~1.EXE > nul
        6⤵
        
        PID:2524
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AA05C~1.EXE > nul
        5⤵
        
        PID:2288
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{FD7D5~1.EXE > nul
      4⤵
      PID:2780
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{7A40C~1.EXE > nul
    3⤵
    PID:2772
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:1716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1482E189-C238-4cb2-89C7-973FAD86DBB0}.exe

Filesize
204KB

MD5
56772cc9756817b2ab3dc8e79d2be1b8

SHA1
c6b786c201460a2d4226f67869a1a1406da15dae

SHA256
371cb5c8f96ef5a311c7bbc2de5f4148255f9814af2fd0e9a11698e4c1cfbc2a

SHA512
4fd3c73f9fcad1cfc767e975d8d22fba384a6d073de8dfa90c8e15b336382be86a1bbeb26c7f5dc676d6ac2e7dbdb2021c80706f7503fb94981cf594517f0b6b

Download Submit
C:\Windows\{4C382F88-CECA-4c8b-AF26-C7A45C54F68D}.exe

Filesize
204KB

MD5
7b0edf3bee95df7d402cd29c9920a985

SHA1
9461482416b07a69b6fb8782b9c5ed10c5f8af79

SHA256
431124da0e34c8ebdd477bf4209212b61a4020598c2877725643e5eacbcc00b0

SHA512
19fb58de084b9cd083f23c8fc04a1a781b3b74df47d0dcb51d8fc2df00be71996e4dd034b6277cb1bc8ae52b9adece1676cf103023345ee0f71133ccfe7cf4b0

Download Submit
C:\Windows\{4D2EA662-6628-4d0d-A372-9F6C594C8B5F}.exe

Filesize
204KB

MD5
1f20469c9b727ac78b37444b3fcc41cb

SHA1
1cc3ad173fc0966b26115ac03b9cd79ca215e4a9

SHA256
27ce3f1ea19597103f1f8020308c3b5f8a71233c4798dbd623ac564d0000b76d

SHA512
97508ff4c56affa436e12f0fe1fed2db9aac243fd06b376f6675c2b538b7411e4aa9b3ff3a64aacc2fc87f8ea469e8cbe435e9949f13f1c700272a012877eac7

Download Submit
C:\Windows\{678E5400-3F5E-4d0e-A7D0-02E37B250AC3}.exe

Filesize
204KB

MD5
201f5e5d2f1a0599e87f71c8abe84c24

SHA1
7a33a681ee301d29304d29497b0eca9d6568cd67

SHA256
bbc5de7da7412d1d97badb83a5ad0339571e77d668e451dec64325c4ad5a5fde

SHA512
0e57ec71b6db859a4fed0f7fc08321e667a5556b780166c83afd8fb079dd3240b4d6913fc628f9f7ffdbfb9e11112f06fd519c8d526241f04f6ecfe671fb6c15

Download Submit
C:\Windows\{7A40C291-7AC2-45fc-9DDE-1AECFB3FD66D}.exe

Filesize
204KB

MD5
af0f90ba703edd342f5bdcf514365954

SHA1
c16ca937df3c234564022eea8407b80cc91c5efd

SHA256
27b97a62ce6eba6bab9197bbbc46ac08832b4eb63e32468955e8b473151dba6b

SHA512
42288c884fe2fc9fea6fdb77a8567b52bbd65be5f3fe4d8c97fe54d36be4c1d73fab16095ad6adeaf185b2d4326832742fa39c5fc802211cddd8b4d24c98164c

Download Submit
C:\Windows\{92D4DAF6-B6A8-4219-BC7F-81EDABDA396B}.exe

Filesize
204KB

MD5
5a46cb314a8039afb07ee7e61b9756c4

SHA1
2132169ce95e4d405e8c8f80ff1b9c7dea0c50bb

SHA256
ca34181091791cc8415ab752bfa305fb61c4596b76dbf03f2130e378a6af5fe4

SHA512
82312de153139be39cf1d6db91a622e0694dc930f8988455a22a5463f1e38c8b72eda52d5ccb90f1420ea6ec1d0b2fb4dc89585abcea63731265ef1ba8d4cc6c

Download Submit
C:\Windows\{AA05CBD8-ACFF-48cb-9FF8-8C30586FFCA5}.exe

Filesize
204KB

MD5
021905a64618d474474853c3c6022983

SHA1
728a524ad9e2deb379edfb275790445de7176510

SHA256
3d2f205901d969761a82194dc3689c4ba828a8b44e23eeee8be84cb172f24702

SHA512
f1c8010546ddaa9f9d4a0848d542e6917809ccb15ee3237512cc2e92115ecd6d293e140adc7d9271c152e3886d67788e752954acbe843d7cc8b60a6bf161f077

Download Submit
C:\Windows\{B775EB5D-BF50-4736-A9B1-042AEF041F7F}.exe

Filesize
204KB

MD5
2a6a7beaffcf4fe4cb01a0d6a1f54853

SHA1
a9e26fa0127d9f326afdcd82556aba0e05294762

SHA256
c820246e72f56d34d3284a4286ab24281a336d2766a5afb6c7e75f5b54942e3a

SHA512
92c4bf9817ef9506138e46bb74ae951da164d8dc720de6c8d1b2c01c4d04cbdbaddd3ff11a867444f5ca0f0899bba8d0349114407ef9f457d57214fb5d609d1c

Download Submit
C:\Windows\{EEAB5A43-BC2C-47dc-8676-DC74A0A9F221}.exe

Filesize
204KB

MD5
7a45460da139038be163e54be159937b

SHA1
fc4836214284f6b673db452b2bdcc17e97e9c609

SHA256
ffefb491fad28c724d0ce0d7605987098ad74c68189ffc0fec350467d68bbc79

SHA512
a9d1e898f2e1919465767f59ce1dd0ae653275cd6d655ca03b66c8cc39a09228eba3964ac932aa796d365efb59f932904a0c5066d951bb7d0adb299373062db9

Download Submit
C:\Windows\{F53E0AC3-9721-45a7-96CE-FC282DA725C8}.exe

Filesize
204KB

MD5
be18080686448ab44b31e53fc359b29e

SHA1
3ddc4dc515da66e5a55f392ea4f49da46e67f6f7

SHA256
510280f7004edc01c58f8d1d92614abc75f8ac0ebececb113dd9f915b80df264

SHA512
6601cff519d87e7999730e837bc97545505753295cb11442733896509ec3de205565adf5af7dd5b8e657957837032a88f15530d62706d1cd9e57ac36145acd8e

Download Submit
C:\Windows\{FD7D5A2A-4056-4d6f-B4F2-6BD44EED667C}.exe

Filesize
204KB

MD5
f2d59337325a4b27c5cd9101d0414de2

SHA1
b8f38f3f1d3697b33b38f7a1a3b967d3125be546

SHA256
40d03aa29dab78db714bf60080758da52f22522631a5e4fad4a116521d149933

SHA512
e4deb3c35ffaa92c9e8277ddbe022442a1c59c6aac24fcd4e3263ce9810d4ebc4f47690cd6627a16ac1ae3585887a7b2cf0c600187fbbb31384d45cb9e9d82af

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads