7f96c894639093f6323f208d81cb422f65ff5c776990ba6f30949f5a27bd01a0

Analysis

max time kernel
144s
max time network
118s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
09/04/2024, 18:55

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-04-09_6415d46b5168733c37d1f3f8b41a05c4_goldeneye.exe
Size

192KB
MD5

6415d46b5168733c37d1f3f8b41a05c4
SHA1

1492d02cb85eaa2914b9f325cf83fd0ce09b7c54
SHA256

7f96c894639093f6323f208d81cb422f65ff5c776990ba6f30949f5a27bd01a0
SHA512

1c6db00c286447a4fe9875ef7d1f2e7267b5fcf7b650d9145fcf14aacf4eeaf36e4c2e81959b97832ef3a988db3c03576edc7fd6967dec6079517f13d8164eb6
SSDEEP

1536:1EGh0oil15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3H6:1EGh0oil1OPOe2MUVg3Ve+rXfMUa

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000b000000013420-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b000000015ccd-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000013420-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000013420-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e000000013420-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f000000013420-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0010000000013420-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{541A2E9D-D343-449f-AE1C-DFCA591175EC}\stubpath = "C:\\Windows\\{541A2E9D-D343-449f-AE1C-DFCA591175EC}.exe"	{B9D3EB19-AB49-426a-AA36-C44AAFB464CC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7DD3E8CA-75E5-4c87-B6CC-89DE8BF79BE3}\stubpath = "C:\\Windows\\{7DD3E8CA-75E5-4c87-B6CC-89DE8BF79BE3}.exe"	2024-04-09_6415d46b5168733c37d1f3f8b41a05c4_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EACBA903-3873-41db-A968-C419B278DE6F}\stubpath = "C:\\Windows\\{EACBA903-3873-41db-A968-C419B278DE6F}.exe"	{7DD3E8CA-75E5-4c87-B6CC-89DE8BF79BE3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4E75C0B9-4EDD-4baa-9483-BD93C44A95AF}	{B6B3D0E6-EB9A-47ae-B173-AF094D27A429}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EFA60342-6B07-493d-BF46-0ECC15BEB1A8}\stubpath = "C:\\Windows\\{EFA60342-6B07-493d-BF46-0ECC15BEB1A8}.exe"	{4E75C0B9-4EDD-4baa-9483-BD93C44A95AF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B9D3EB19-AB49-426a-AA36-C44AAFB464CC}	{EFA60342-6B07-493d-BF46-0ECC15BEB1A8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7DD3E8CA-75E5-4c87-B6CC-89DE8BF79BE3}	2024-04-09_6415d46b5168733c37d1f3f8b41a05c4_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B6B3D0E6-EB9A-47ae-B173-AF094D27A429}	{DF5F5DDB-9A01-46ab-A18A-9362F58C05D2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EFA60342-6B07-493d-BF46-0ECC15BEB1A8}	{4E75C0B9-4EDD-4baa-9483-BD93C44A95AF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A8F17F9A-CF33-43ad-90DD-EE3E94E4852D}\stubpath = "C:\\Windows\\{A8F17F9A-CF33-43ad-90DD-EE3E94E4852D}.exe"	{EACBA903-3873-41db-A968-C419B278DE6F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{51848F6E-9239-4653-BDC6-E425D9A9ACFD}	{A8F17F9A-CF33-43ad-90DD-EE3E94E4852D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{51848F6E-9239-4653-BDC6-E425D9A9ACFD}\stubpath = "C:\\Windows\\{51848F6E-9239-4653-BDC6-E425D9A9ACFD}.exe"	{A8F17F9A-CF33-43ad-90DD-EE3E94E4852D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4E75C0B9-4EDD-4baa-9483-BD93C44A95AF}\stubpath = "C:\\Windows\\{4E75C0B9-4EDD-4baa-9483-BD93C44A95AF}.exe"	{B6B3D0E6-EB9A-47ae-B173-AF094D27A429}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0C72EF45-5112-42dd-A757-E4B6A60C1FBB}\stubpath = "C:\\Windows\\{0C72EF45-5112-42dd-A757-E4B6A60C1FBB}.exe"	{541A2E9D-D343-449f-AE1C-DFCA591175EC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B9D3EB19-AB49-426a-AA36-C44AAFB464CC}\stubpath = "C:\\Windows\\{B9D3EB19-AB49-426a-AA36-C44AAFB464CC}.exe"	{EFA60342-6B07-493d-BF46-0ECC15BEB1A8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{541A2E9D-D343-449f-AE1C-DFCA591175EC}	{B9D3EB19-AB49-426a-AA36-C44AAFB464CC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0C72EF45-5112-42dd-A757-E4B6A60C1FBB}	{541A2E9D-D343-449f-AE1C-DFCA591175EC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EACBA903-3873-41db-A968-C419B278DE6F}	{7DD3E8CA-75E5-4c87-B6CC-89DE8BF79BE3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A8F17F9A-CF33-43ad-90DD-EE3E94E4852D}	{EACBA903-3873-41db-A968-C419B278DE6F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DF5F5DDB-9A01-46ab-A18A-9362F58C05D2}	{51848F6E-9239-4653-BDC6-E425D9A9ACFD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DF5F5DDB-9A01-46ab-A18A-9362F58C05D2}\stubpath = "C:\\Windows\\{DF5F5DDB-9A01-46ab-A18A-9362F58C05D2}.exe"	{51848F6E-9239-4653-BDC6-E425D9A9ACFD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B6B3D0E6-EB9A-47ae-B173-AF094D27A429}\stubpath = "C:\\Windows\\{B6B3D0E6-EB9A-47ae-B173-AF094D27A429}.exe"	{DF5F5DDB-9A01-46ab-A18A-9362F58C05D2}.exe

Executes dropped EXE 11 IoCs

pid	Process
1956	{7DD3E8CA-75E5-4c87-B6CC-89DE8BF79BE3}.exe
2600	{EACBA903-3873-41db-A968-C419B278DE6F}.exe
2720	{A8F17F9A-CF33-43ad-90DD-EE3E94E4852D}.exe
2472	{51848F6E-9239-4653-BDC6-E425D9A9ACFD}.exe
2708	{DF5F5DDB-9A01-46ab-A18A-9362F58C05D2}.exe
2876	{B6B3D0E6-EB9A-47ae-B173-AF094D27A429}.exe
1208	{4E75C0B9-4EDD-4baa-9483-BD93C44A95AF}.exe
2632	{EFA60342-6B07-493d-BF46-0ECC15BEB1A8}.exe
1304	{B9D3EB19-AB49-426a-AA36-C44AAFB464CC}.exe
2000	{541A2E9D-D343-449f-AE1C-DFCA591175EC}.exe
2020	{0C72EF45-5112-42dd-A757-E4B6A60C1FBB}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{0C72EF45-5112-42dd-A757-E4B6A60C1FBB}.exe	{541A2E9D-D343-449f-AE1C-DFCA591175EC}.exe
File created	C:\Windows\{7DD3E8CA-75E5-4c87-B6CC-89DE8BF79BE3}.exe	2024-04-09_6415d46b5168733c37d1f3f8b41a05c4_goldeneye.exe
File created	C:\Windows\{EACBA903-3873-41db-A968-C419B278DE6F}.exe	{7DD3E8CA-75E5-4c87-B6CC-89DE8BF79BE3}.exe
File created	C:\Windows\{A8F17F9A-CF33-43ad-90DD-EE3E94E4852D}.exe	{EACBA903-3873-41db-A968-C419B278DE6F}.exe
File created	C:\Windows\{51848F6E-9239-4653-BDC6-E425D9A9ACFD}.exe	{A8F17F9A-CF33-43ad-90DD-EE3E94E4852D}.exe
File created	C:\Windows\{EFA60342-6B07-493d-BF46-0ECC15BEB1A8}.exe	{4E75C0B9-4EDD-4baa-9483-BD93C44A95AF}.exe
File created	C:\Windows\{DF5F5DDB-9A01-46ab-A18A-9362F58C05D2}.exe	{51848F6E-9239-4653-BDC6-E425D9A9ACFD}.exe
File created	C:\Windows\{B6B3D0E6-EB9A-47ae-B173-AF094D27A429}.exe	{DF5F5DDB-9A01-46ab-A18A-9362F58C05D2}.exe
File created	C:\Windows\{4E75C0B9-4EDD-4baa-9483-BD93C44A95AF}.exe	{B6B3D0E6-EB9A-47ae-B173-AF094D27A429}.exe
File created	C:\Windows\{B9D3EB19-AB49-426a-AA36-C44AAFB464CC}.exe	{EFA60342-6B07-493d-BF46-0ECC15BEB1A8}.exe
File created	C:\Windows\{541A2E9D-D343-449f-AE1C-DFCA591175EC}.exe	{B9D3EB19-AB49-426a-AA36-C44AAFB464CC}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2296	2024-04-09_6415d46b5168733c37d1f3f8b41a05c4_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1956	{7DD3E8CA-75E5-4c87-B6CC-89DE8BF79BE3}.exe
Token: SeIncBasePriorityPrivilege	2600	{EACBA903-3873-41db-A968-C419B278DE6F}.exe
Token: SeIncBasePriorityPrivilege	2720	{A8F17F9A-CF33-43ad-90DD-EE3E94E4852D}.exe
Token: SeIncBasePriorityPrivilege	2472	{51848F6E-9239-4653-BDC6-E425D9A9ACFD}.exe
Token: SeIncBasePriorityPrivilege	2708	{DF5F5DDB-9A01-46ab-A18A-9362F58C05D2}.exe
Token: SeIncBasePriorityPrivilege	2876	{B6B3D0E6-EB9A-47ae-B173-AF094D27A429}.exe
Token: SeIncBasePriorityPrivilege	1208	{4E75C0B9-4EDD-4baa-9483-BD93C44A95AF}.exe
Token: SeIncBasePriorityPrivilege	2632	{EFA60342-6B07-493d-BF46-0ECC15BEB1A8}.exe
Token: SeIncBasePriorityPrivilege	1304	{B9D3EB19-AB49-426a-AA36-C44AAFB464CC}.exe
Token: SeIncBasePriorityPrivilege	2000	{541A2E9D-D343-449f-AE1C-DFCA591175EC}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2296 wrote to memory of 1956	2296	2024-04-09_6415d46b5168733c37d1f3f8b41a05c4_goldeneye.exe	28
PID 2296 wrote to memory of 1956	2296	2024-04-09_6415d46b5168733c37d1f3f8b41a05c4_goldeneye.exe	28
PID 2296 wrote to memory of 1956	2296	2024-04-09_6415d46b5168733c37d1f3f8b41a05c4_goldeneye.exe	28
PID 2296 wrote to memory of 1956	2296	2024-04-09_6415d46b5168733c37d1f3f8b41a05c4_goldeneye.exe	28
PID 2296 wrote to memory of 2476	2296	2024-04-09_6415d46b5168733c37d1f3f8b41a05c4_goldeneye.exe	29
PID 2296 wrote to memory of 2476	2296	2024-04-09_6415d46b5168733c37d1f3f8b41a05c4_goldeneye.exe	29
PID 2296 wrote to memory of 2476	2296	2024-04-09_6415d46b5168733c37d1f3f8b41a05c4_goldeneye.exe	29
PID 2296 wrote to memory of 2476	2296	2024-04-09_6415d46b5168733c37d1f3f8b41a05c4_goldeneye.exe	29
PID 1956 wrote to memory of 2600	1956	{7DD3E8CA-75E5-4c87-B6CC-89DE8BF79BE3}.exe	30
PID 1956 wrote to memory of 2600	1956	{7DD3E8CA-75E5-4c87-B6CC-89DE8BF79BE3}.exe	30
PID 1956 wrote to memory of 2600	1956	{7DD3E8CA-75E5-4c87-B6CC-89DE8BF79BE3}.exe	30
PID 1956 wrote to memory of 2600	1956	{7DD3E8CA-75E5-4c87-B6CC-89DE8BF79BE3}.exe	30
PID 1956 wrote to memory of 2696	1956	{7DD3E8CA-75E5-4c87-B6CC-89DE8BF79BE3}.exe	31
PID 1956 wrote to memory of 2696	1956	{7DD3E8CA-75E5-4c87-B6CC-89DE8BF79BE3}.exe	31
PID 1956 wrote to memory of 2696	1956	{7DD3E8CA-75E5-4c87-B6CC-89DE8BF79BE3}.exe	31
PID 1956 wrote to memory of 2696	1956	{7DD3E8CA-75E5-4c87-B6CC-89DE8BF79BE3}.exe	31
PID 2600 wrote to memory of 2720	2600	{EACBA903-3873-41db-A968-C419B278DE6F}.exe	32
PID 2600 wrote to memory of 2720	2600	{EACBA903-3873-41db-A968-C419B278DE6F}.exe	32
PID 2600 wrote to memory of 2720	2600	{EACBA903-3873-41db-A968-C419B278DE6F}.exe	32
PID 2600 wrote to memory of 2720	2600	{EACBA903-3873-41db-A968-C419B278DE6F}.exe	32
PID 2600 wrote to memory of 2704	2600	{EACBA903-3873-41db-A968-C419B278DE6F}.exe	33
PID 2600 wrote to memory of 2704	2600	{EACBA903-3873-41db-A968-C419B278DE6F}.exe	33
PID 2600 wrote to memory of 2704	2600	{EACBA903-3873-41db-A968-C419B278DE6F}.exe	33
PID 2600 wrote to memory of 2704	2600	{EACBA903-3873-41db-A968-C419B278DE6F}.exe	33
PID 2720 wrote to memory of 2472	2720	{A8F17F9A-CF33-43ad-90DD-EE3E94E4852D}.exe	36
PID 2720 wrote to memory of 2472	2720	{A8F17F9A-CF33-43ad-90DD-EE3E94E4852D}.exe	36
PID 2720 wrote to memory of 2472	2720	{A8F17F9A-CF33-43ad-90DD-EE3E94E4852D}.exe	36
PID 2720 wrote to memory of 2472	2720	{A8F17F9A-CF33-43ad-90DD-EE3E94E4852D}.exe	36
PID 2720 wrote to memory of 3008	2720	{A8F17F9A-CF33-43ad-90DD-EE3E94E4852D}.exe	37
PID 2720 wrote to memory of 3008	2720	{A8F17F9A-CF33-43ad-90DD-EE3E94E4852D}.exe	37
PID 2720 wrote to memory of 3008	2720	{A8F17F9A-CF33-43ad-90DD-EE3E94E4852D}.exe	37
PID 2720 wrote to memory of 3008	2720	{A8F17F9A-CF33-43ad-90DD-EE3E94E4852D}.exe	37
PID 2472 wrote to memory of 2708	2472	{51848F6E-9239-4653-BDC6-E425D9A9ACFD}.exe	38
PID 2472 wrote to memory of 2708	2472	{51848F6E-9239-4653-BDC6-E425D9A9ACFD}.exe	38
PID 2472 wrote to memory of 2708	2472	{51848F6E-9239-4653-BDC6-E425D9A9ACFD}.exe	38
PID 2472 wrote to memory of 2708	2472	{51848F6E-9239-4653-BDC6-E425D9A9ACFD}.exe	38
PID 2472 wrote to memory of 2752	2472	{51848F6E-9239-4653-BDC6-E425D9A9ACFD}.exe	39
PID 2472 wrote to memory of 2752	2472	{51848F6E-9239-4653-BDC6-E425D9A9ACFD}.exe	39
PID 2472 wrote to memory of 2752	2472	{51848F6E-9239-4653-BDC6-E425D9A9ACFD}.exe	39
PID 2472 wrote to memory of 2752	2472	{51848F6E-9239-4653-BDC6-E425D9A9ACFD}.exe	39
PID 2708 wrote to memory of 2876	2708	{DF5F5DDB-9A01-46ab-A18A-9362F58C05D2}.exe	40
PID 2708 wrote to memory of 2876	2708	{DF5F5DDB-9A01-46ab-A18A-9362F58C05D2}.exe	40
PID 2708 wrote to memory of 2876	2708	{DF5F5DDB-9A01-46ab-A18A-9362F58C05D2}.exe	40
PID 2708 wrote to memory of 2876	2708	{DF5F5DDB-9A01-46ab-A18A-9362F58C05D2}.exe	40
PID 2708 wrote to memory of 2464	2708	{DF5F5DDB-9A01-46ab-A18A-9362F58C05D2}.exe	41
PID 2708 wrote to memory of 2464	2708	{DF5F5DDB-9A01-46ab-A18A-9362F58C05D2}.exe	41
PID 2708 wrote to memory of 2464	2708	{DF5F5DDB-9A01-46ab-A18A-9362F58C05D2}.exe	41
PID 2708 wrote to memory of 2464	2708	{DF5F5DDB-9A01-46ab-A18A-9362F58C05D2}.exe	41
PID 2876 wrote to memory of 1208	2876	{B6B3D0E6-EB9A-47ae-B173-AF094D27A429}.exe	42
PID 2876 wrote to memory of 1208	2876	{B6B3D0E6-EB9A-47ae-B173-AF094D27A429}.exe	42
PID 2876 wrote to memory of 1208	2876	{B6B3D0E6-EB9A-47ae-B173-AF094D27A429}.exe	42
PID 2876 wrote to memory of 1208	2876	{B6B3D0E6-EB9A-47ae-B173-AF094D27A429}.exe	42
PID 2876 wrote to memory of 1640	2876	{B6B3D0E6-EB9A-47ae-B173-AF094D27A429}.exe	43
PID 2876 wrote to memory of 1640	2876	{B6B3D0E6-EB9A-47ae-B173-AF094D27A429}.exe	43
PID 2876 wrote to memory of 1640	2876	{B6B3D0E6-EB9A-47ae-B173-AF094D27A429}.exe	43
PID 2876 wrote to memory of 1640	2876	{B6B3D0E6-EB9A-47ae-B173-AF094D27A429}.exe	43
PID 1208 wrote to memory of 2632	1208	{4E75C0B9-4EDD-4baa-9483-BD93C44A95AF}.exe	44
PID 1208 wrote to memory of 2632	1208	{4E75C0B9-4EDD-4baa-9483-BD93C44A95AF}.exe	44
PID 1208 wrote to memory of 2632	1208	{4E75C0B9-4EDD-4baa-9483-BD93C44A95AF}.exe	44
PID 1208 wrote to memory of 2632	1208	{4E75C0B9-4EDD-4baa-9483-BD93C44A95AF}.exe	44
PID 1208 wrote to memory of 2612	1208	{4E75C0B9-4EDD-4baa-9483-BD93C44A95AF}.exe	45
PID 1208 wrote to memory of 2612	1208	{4E75C0B9-4EDD-4baa-9483-BD93C44A95AF}.exe	45
PID 1208 wrote to memory of 2612	1208	{4E75C0B9-4EDD-4baa-9483-BD93C44A95AF}.exe	45
PID 1208 wrote to memory of 2612	1208	{4E75C0B9-4EDD-4baa-9483-BD93C44A95AF}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-04-09_6415d46b5168733c37d1f3f8b41a05c4_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-09_6415d46b5168733c37d1f3f8b41a05c4_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2296
- C:\Windows\{7DD3E8CA-75E5-4c87-B6CC-89DE8BF79BE3}.exe
  C:\Windows\{7DD3E8CA-75E5-4c87-B6CC-89DE8BF79BE3}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1956
- - C:\Windows\{EACBA903-3873-41db-A968-C419B278DE6F}.exe
    C:\Windows\{EACBA903-3873-41db-A968-C419B278DE6F}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2600
  - - C:\Windows\{A8F17F9A-CF33-43ad-90DD-EE3E94E4852D}.exe
      C:\Windows\{A8F17F9A-CF33-43ad-90DD-EE3E94E4852D}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2720
    - - C:\Windows\{51848F6E-9239-4653-BDC6-E425D9A9ACFD}.exe
        
        C:\Windows\{51848F6E-9239-4653-BDC6-E425D9A9ACFD}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2472
      - C:\Windows\{DF5F5DDB-9A01-46ab-A18A-9362F58C05D2}.exe
        
        C:\Windows\{DF5F5DDB-9A01-46ab-A18A-9362F58C05D2}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2708
        
        C:\Windows\{B6B3D0E6-EB9A-47ae-B173-AF094D27A429}.exe
        
        C:\Windows\{B6B3D0E6-EB9A-47ae-B173-AF094D27A429}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2876
        
        C:\Windows\{4E75C0B9-4EDD-4baa-9483-BD93C44A95AF}.exe
        
        C:\Windows\{4E75C0B9-4EDD-4baa-9483-BD93C44A95AF}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1208
        
        C:\Windows\{EFA60342-6B07-493d-BF46-0ECC15BEB1A8}.exe
        
        C:\Windows\{EFA60342-6B07-493d-BF46-0ECC15BEB1A8}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2632
        
        C:\Windows\{B9D3EB19-AB49-426a-AA36-C44AAFB464CC}.exe
        
        C:\Windows\{B9D3EB19-AB49-426a-AA36-C44AAFB464CC}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1304
        
        C:\Windows\{541A2E9D-D343-449f-AE1C-DFCA591175EC}.exe
        
        C:\Windows\{541A2E9D-D343-449f-AE1C-DFCA591175EC}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2000
        
        C:\Windows\{0C72EF45-5112-42dd-A757-E4B6A60C1FBB}.exe
        
        C:\Windows\{0C72EF45-5112-42dd-A757-E4B6A60C1FBB}.exe
        12⤵
        Executes dropped EXE
        
        PID:2020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{541A2~1.EXE > nul
        12⤵
        
        PID:296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B9D3E~1.EXE > nul
        11⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EFA60~1.EXE > nul
        10⤵
        
        PID:1204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4E75C~1.EXE > nul
        9⤵
        
        PID:2612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B6B3D~1.EXE > nul
        8⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DF5F5~1.EXE > nul
        7⤵
        
        PID:2464
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{51848~1.EXE > nul
        6⤵
        
        PID:2752
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A8F17~1.EXE > nul
        5⤵
        
        PID:3008
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{EACBA~1.EXE > nul
      4⤵
      PID:2704
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{7DD3E~1.EXE > nul
    3⤵
    PID:2696
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0C72EF45-5112-42dd-A757-E4B6A60C1FBB}.exe

Filesize
192KB

MD5
f2f3b7a2e9f0045c249a3f8b8e399047

SHA1
a53519d78d95ce2bae980d0bfd228ea6b9694c1d

SHA256
d68ffe60237ec14422cc3f2cb7848af958684e4054968201fa86455944a37aef

SHA512
afef30cb11fc2d93b657d01dd1d27f1a568c0f128c0a264c55bdcc5a1ad36343d83c0993b0f4dc009bf22b29de1a85da8d179dead2bc0332c61d671f28e87994

Download Submit
C:\Windows\{4E75C0B9-4EDD-4baa-9483-BD93C44A95AF}.exe

Filesize
192KB

MD5
b1488d5af16fa919e86d692f4f26db22

SHA1
358e366a22d4454b1ae96b072f70b93fcb7a262b

SHA256
4cbb687469c46b6c5e50af97a201ca86373dcb6a99d32f01f725fac52fb7b08b

SHA512
c85eaa295d01c45b06f9692e9462c4bd20744d3102949cb371b8285b94820652ee3a17f280fbec40681352fd4916647ff3fb5417e1074538c5aa946bdbb6f7fe

Download Submit
C:\Windows\{51848F6E-9239-4653-BDC6-E425D9A9ACFD}.exe

Filesize
192KB

MD5
801e4d879b57031d25d80d460d4218ce

SHA1
8636c3256707425b7175e2f7d4cf45d44dc78a7d

SHA256
e1326b3987d3826c8842203d26ce61d4f3cb516a5d8451b4aece9e9484da320c

SHA512
0a17325b29eafa6c63a868e32b0eb014a9b3d08409b985cd6334ea7c6db8e5828c6f1cbeb9bc4cd31d8edce1ea7e9e0d3ec00c446384a3c4eb6124ab1c935e4a

Download Submit
C:\Windows\{541A2E9D-D343-449f-AE1C-DFCA591175EC}.exe

Filesize
192KB

MD5
2a17dff6aad1a26de871e09a2a46d74f

SHA1
410433da3488413c2fe8763a89d2c51d1bfd8242

SHA256
94c5d47de694599ecfb16325dafa96ecd19e4b1acbba1349a3e6e7649990e568

SHA512
922739408dc81159111447ac0913f09e6e6e932d6a11d304d8b2f956c2b4dc6a6035fafef21489449bcc5cd256308e3bc6cf75b63f85870bf03838b1c88501cf

Download Submit
C:\Windows\{7DD3E8CA-75E5-4c87-B6CC-89DE8BF79BE3}.exe

Filesize
192KB

MD5
2e4b2b49f3024a3b5cd6b1d9adfa5a04

SHA1
ffb12e4bd7307ede037ebbff0358cb56451ab7a0

SHA256
099fa74ca763e3a4ddd11fb0d47c3fcf938e01e8556b214c3d649910488f1acf

SHA512
8db5f4f6d921612fb9fa6a00fdd1e9d38d344807b57c06ada13dd49cfb4ea6ceea7f84b32358ed72dc51e5eba74ab194d92007d592093e55936bb94a26ed06d1

Download Submit
C:\Windows\{A8F17F9A-CF33-43ad-90DD-EE3E94E4852D}.exe

Filesize
192KB

MD5
c94f834b5d81c9ed9e8cc364bd1ead95

SHA1
959e69b6f063fa4de8e2dc010384687415dff15f

SHA256
4c3fac2b9abcb84877f88678179557bd761a9cfcd3d87f3d44d52133c11d4a5f

SHA512
90e50ce14b626fbf8fbc93bad7a1151d905cb5ef44d0abfbab1f7c5e9ea3748a6c461cf804c585a8fdfb2a69f4eca12e77824eefc17a249d5652919a25d9dddf

Download Submit
C:\Windows\{B6B3D0E6-EB9A-47ae-B173-AF094D27A429}.exe

Filesize
192KB

MD5
c8f6b9ce961ca8ddd5b6efa7d084f3c6

SHA1
7d4581421cc2c63378187252397ac74f9c394c42

SHA256
ddf98533a0e2f97141d93ad7a92a428880bd29f60bda9b00c959000fc4de2c6b

SHA512
08c6d426ea0ba298040da0e4f9287c2539daf110c6c6c29abd382e0603ece698578267c01c0473d1b1bb97ec1e6fb4df1e92705ca13c9b5a51870097c10d775c

Download Submit
C:\Windows\{B9D3EB19-AB49-426a-AA36-C44AAFB464CC}.exe

Filesize
192KB

MD5
3e53e10cc9c3c5b277105da089d4b731

SHA1
e9b5c933fc163b4b84ef0b931bbbdd567c22c927

SHA256
06c6e471473c72779b651995fde70976465751ca157003f2c6603cd3e0bf90da

SHA512
1cd8d9c3b3fe17c6665828e4a7f82c15a3b5553758353fcb265e8759ab2a41a176de61b02a8a1fae0d5fa98938a228e0a4ae3595065c5c899883189fe1fcf9f6

Download Submit
C:\Windows\{DF5F5DDB-9A01-46ab-A18A-9362F58C05D2}.exe

Filesize
192KB

MD5
a3e13c3897ba1c04a6df4f048a822c1c

SHA1
ba2f6a85dffc6516c63ea0dfa159745c421b02fc

SHA256
aa98bdd1da5251cbcd9d65bac33fa3e0bb68820c5270f4b7ffd46be29ae1e7cb

SHA512
c518ad9cdb6d6f8e7e2ff4eb5021036981ef09d41ffc4dfb62153afc7c9cf699464e76d3e43d1e68ee7f340a99bdf7dd6d714be676e29eda936e3354ff59a0e7

Download Submit
C:\Windows\{EACBA903-3873-41db-A968-C419B278DE6F}.exe

Filesize
192KB

MD5
31c050d3a13da281de896ea3495ecd3f

SHA1
544294f0f4e0f99d6c3391864a24d6eaf2a79c93

SHA256
9342b620e2c7ddc3e4af82c14a7a74e90c776066fd300e47375760dbc14a18c9

SHA512
1d0a2eccafcc96e31908c91807736eb8f1ea16b419ec917dc69125602f0729b8d03874c8555a2f04e59631e00c467c2b11bf35c76ab973c568adaa8e516e2b67

Download Submit
C:\Windows\{EFA60342-6B07-493d-BF46-0ECC15BEB1A8}.exe

Filesize
192KB

MD5
1d94d2f4467851c33a4ec0e307cdc770

SHA1
420a777f4c067b3cf2cf295e037dbe794398e8c9

SHA256
4d76e8fa31d6d4c88ac933599562fed80115d8cbe79fa62e3bc806f7c27b659f

SHA512
d15f1ce52a948ad7c4f15fd67e34daa8b851d249c30541892aa15531f7055bfdee90c67bf923f34f0b75419d0a5ef34bbbd2e17b24c97b0e948727aa6ffd413e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads