8d69fb79034160c01a50298501500f3381b36bd9beb8cf8a8e1800982fb59deb

Analysis

max time kernel
144s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
10/04/2024, 03:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-10_69be8f47bf80443a81922501b0a4cdb1_goldeneye.exe
Size

380KB
MD5

69be8f47bf80443a81922501b0a4cdb1
SHA1

cd252c6339a35520013e4db65bb4ebbba398ff29
SHA256

8d69fb79034160c01a50298501500f3381b36bd9beb8cf8a8e1800982fb59deb
SHA512

1dc269602fad287df97486ef55755050c7199274f07c0468ac8c05c9a2bc4fdd1a0490c26d37b2b9eea394c725b028e9c65b80c4fd03a4d28d5a1559a0510ccb
SSDEEP

3072:mEGh0o8lPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEG2l7Oe2MUVg3v2IneKcAEcARy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000b00000001224f-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000012346-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c00000001224f-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0033000000014b63-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d00000001224f-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e00000001224f-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f00000001224f-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{71AE7F10-590D-4f33-825F-8D7C7BEAE080}	{D2446498-9ADC-403b-A497-1D224F73A1E5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{71AE7F10-590D-4f33-825F-8D7C7BEAE080}\stubpath = "C:\\Windows\\{71AE7F10-590D-4f33-825F-8D7C7BEAE080}.exe"	{D2446498-9ADC-403b-A497-1D224F73A1E5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2B095293-FF52-443c-A643-0CCFA5B18EB6}	{D9FB530B-8C5D-469f-BB86-D41CDD8BEDBE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2B095293-FF52-443c-A643-0CCFA5B18EB6}\stubpath = "C:\\Windows\\{2B095293-FF52-443c-A643-0CCFA5B18EB6}.exe"	{D9FB530B-8C5D-469f-BB86-D41CDD8BEDBE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6C2C461A-4824-4044-9E62-2BC8BF159691}	{2B095293-FF52-443c-A643-0CCFA5B18EB6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3B4FECC0-9F0C-4a10-9E38-9E7D3F6917E4}\stubpath = "C:\\Windows\\{3B4FECC0-9F0C-4a10-9E38-9E7D3F6917E4}.exe"	{6C2C461A-4824-4044-9E62-2BC8BF159691}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C3B88EE1-B304-4efc-B874-8C164CF4E8DD}	{3FFFA10A-3FF5-47c0-A97B-1AC342108F5D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D2446498-9ADC-403b-A497-1D224F73A1E5}	2024-04-10_69be8f47bf80443a81922501b0a4cdb1_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D73A0F84-1B02-43db-B8C3-1B24C4DC8E37}	{AA642F85-9759-4876-B277-2528864729B4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D73A0F84-1B02-43db-B8C3-1B24C4DC8E37}\stubpath = "C:\\Windows\\{D73A0F84-1B02-43db-B8C3-1B24C4DC8E37}.exe"	{AA642F85-9759-4876-B277-2528864729B4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AA642F85-9759-4876-B277-2528864729B4}	{B389201F-229A-405e-8D3F-A06ACAB00960}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B389201F-229A-405e-8D3F-A06ACAB00960}\stubpath = "C:\\Windows\\{B389201F-229A-405e-8D3F-A06ACAB00960}.exe"	{C3B88EE1-B304-4efc-B874-8C164CF4E8DD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3FFFA10A-3FF5-47c0-A97B-1AC342108F5D}\stubpath = "C:\\Windows\\{3FFFA10A-3FF5-47c0-A97B-1AC342108F5D}.exe"	{3B4FECC0-9F0C-4a10-9E38-9E7D3F6917E4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6C2C461A-4824-4044-9E62-2BC8BF159691}\stubpath = "C:\\Windows\\{6C2C461A-4824-4044-9E62-2BC8BF159691}.exe"	{2B095293-FF52-443c-A643-0CCFA5B18EB6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3B4FECC0-9F0C-4a10-9E38-9E7D3F6917E4}	{6C2C461A-4824-4044-9E62-2BC8BF159691}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C3B88EE1-B304-4efc-B874-8C164CF4E8DD}\stubpath = "C:\\Windows\\{C3B88EE1-B304-4efc-B874-8C164CF4E8DD}.exe"	{3FFFA10A-3FF5-47c0-A97B-1AC342108F5D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D9FB530B-8C5D-469f-BB86-D41CDD8BEDBE}	{71AE7F10-590D-4f33-825F-8D7C7BEAE080}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D9FB530B-8C5D-469f-BB86-D41CDD8BEDBE}\stubpath = "C:\\Windows\\{D9FB530B-8C5D-469f-BB86-D41CDD8BEDBE}.exe"	{71AE7F10-590D-4f33-825F-8D7C7BEAE080}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3FFFA10A-3FF5-47c0-A97B-1AC342108F5D}	{3B4FECC0-9F0C-4a10-9E38-9E7D3F6917E4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B389201F-229A-405e-8D3F-A06ACAB00960}	{C3B88EE1-B304-4efc-B874-8C164CF4E8DD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AA642F85-9759-4876-B277-2528864729B4}\stubpath = "C:\\Windows\\{AA642F85-9759-4876-B277-2528864729B4}.exe"	{B389201F-229A-405e-8D3F-A06ACAB00960}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D2446498-9ADC-403b-A497-1D224F73A1E5}\stubpath = "C:\\Windows\\{D2446498-9ADC-403b-A497-1D224F73A1E5}.exe"	2024-04-10_69be8f47bf80443a81922501b0a4cdb1_goldeneye.exe

Deletes itself 1 IoCs

pid	Process
3004	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2908	{D2446498-9ADC-403b-A497-1D224F73A1E5}.exe
2512	{71AE7F10-590D-4f33-825F-8D7C7BEAE080}.exe
2684	{D9FB530B-8C5D-469f-BB86-D41CDD8BEDBE}.exe
2280	{2B095293-FF52-443c-A643-0CCFA5B18EB6}.exe
2752	{6C2C461A-4824-4044-9E62-2BC8BF159691}.exe
1976	{3B4FECC0-9F0C-4a10-9E38-9E7D3F6917E4}.exe
2436	{3FFFA10A-3FF5-47c0-A97B-1AC342108F5D}.exe
2916	{C3B88EE1-B304-4efc-B874-8C164CF4E8DD}.exe
2976	{B389201F-229A-405e-8D3F-A06ACAB00960}.exe
1356	{AA642F85-9759-4876-B277-2528864729B4}.exe
1444	{D73A0F84-1B02-43db-B8C3-1B24C4DC8E37}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{D2446498-9ADC-403b-A497-1D224F73A1E5}.exe	2024-04-10_69be8f47bf80443a81922501b0a4cdb1_goldeneye.exe
File created	C:\Windows\{71AE7F10-590D-4f33-825F-8D7C7BEAE080}.exe	{D2446498-9ADC-403b-A497-1D224F73A1E5}.exe
File created	C:\Windows\{6C2C461A-4824-4044-9E62-2BC8BF159691}.exe	{2B095293-FF52-443c-A643-0CCFA5B18EB6}.exe
File created	C:\Windows\{3B4FECC0-9F0C-4a10-9E38-9E7D3F6917E4}.exe	{6C2C461A-4824-4044-9E62-2BC8BF159691}.exe
File created	C:\Windows\{3FFFA10A-3FF5-47c0-A97B-1AC342108F5D}.exe	{3B4FECC0-9F0C-4a10-9E38-9E7D3F6917E4}.exe
File created	C:\Windows\{C3B88EE1-B304-4efc-B874-8C164CF4E8DD}.exe	{3FFFA10A-3FF5-47c0-A97B-1AC342108F5D}.exe
File created	C:\Windows\{D9FB530B-8C5D-469f-BB86-D41CDD8BEDBE}.exe	{71AE7F10-590D-4f33-825F-8D7C7BEAE080}.exe
File created	C:\Windows\{2B095293-FF52-443c-A643-0CCFA5B18EB6}.exe	{D9FB530B-8C5D-469f-BB86-D41CDD8BEDBE}.exe
File created	C:\Windows\{B389201F-229A-405e-8D3F-A06ACAB00960}.exe	{C3B88EE1-B304-4efc-B874-8C164CF4E8DD}.exe
File created	C:\Windows\{AA642F85-9759-4876-B277-2528864729B4}.exe	{B389201F-229A-405e-8D3F-A06ACAB00960}.exe
File created	C:\Windows\{D73A0F84-1B02-43db-B8C3-1B24C4DC8E37}.exe	{AA642F85-9759-4876-B277-2528864729B4}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1948	2024-04-10_69be8f47bf80443a81922501b0a4cdb1_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2908	{D2446498-9ADC-403b-A497-1D224F73A1E5}.exe
Token: SeIncBasePriorityPrivilege	2512	{71AE7F10-590D-4f33-825F-8D7C7BEAE080}.exe
Token: SeIncBasePriorityPrivilege	2684	{D9FB530B-8C5D-469f-BB86-D41CDD8BEDBE}.exe
Token: SeIncBasePriorityPrivilege	2280	{2B095293-FF52-443c-A643-0CCFA5B18EB6}.exe
Token: SeIncBasePriorityPrivilege	2752	{6C2C461A-4824-4044-9E62-2BC8BF159691}.exe
Token: SeIncBasePriorityPrivilege	1976	{3B4FECC0-9F0C-4a10-9E38-9E7D3F6917E4}.exe
Token: SeIncBasePriorityPrivilege	2436	{3FFFA10A-3FF5-47c0-A97B-1AC342108F5D}.exe
Token: SeIncBasePriorityPrivilege	2916	{C3B88EE1-B304-4efc-B874-8C164CF4E8DD}.exe
Token: SeIncBasePriorityPrivilege	2976	{B389201F-229A-405e-8D3F-A06ACAB00960}.exe
Token: SeIncBasePriorityPrivilege	1356	{AA642F85-9759-4876-B277-2528864729B4}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1948 wrote to memory of 2908	1948	2024-04-10_69be8f47bf80443a81922501b0a4cdb1_goldeneye.exe	28
PID 1948 wrote to memory of 2908	1948	2024-04-10_69be8f47bf80443a81922501b0a4cdb1_goldeneye.exe	28
PID 1948 wrote to memory of 2908	1948	2024-04-10_69be8f47bf80443a81922501b0a4cdb1_goldeneye.exe	28
PID 1948 wrote to memory of 2908	1948	2024-04-10_69be8f47bf80443a81922501b0a4cdb1_goldeneye.exe	28
PID 1948 wrote to memory of 3004	1948	2024-04-10_69be8f47bf80443a81922501b0a4cdb1_goldeneye.exe	29
PID 1948 wrote to memory of 3004	1948	2024-04-10_69be8f47bf80443a81922501b0a4cdb1_goldeneye.exe	29
PID 1948 wrote to memory of 3004	1948	2024-04-10_69be8f47bf80443a81922501b0a4cdb1_goldeneye.exe	29
PID 1948 wrote to memory of 3004	1948	2024-04-10_69be8f47bf80443a81922501b0a4cdb1_goldeneye.exe	29
PID 2908 wrote to memory of 2512	2908	{D2446498-9ADC-403b-A497-1D224F73A1E5}.exe	30
PID 2908 wrote to memory of 2512	2908	{D2446498-9ADC-403b-A497-1D224F73A1E5}.exe	30
PID 2908 wrote to memory of 2512	2908	{D2446498-9ADC-403b-A497-1D224F73A1E5}.exe	30
PID 2908 wrote to memory of 2512	2908	{D2446498-9ADC-403b-A497-1D224F73A1E5}.exe	30
PID 2908 wrote to memory of 3040	2908	{D2446498-9ADC-403b-A497-1D224F73A1E5}.exe	31
PID 2908 wrote to memory of 3040	2908	{D2446498-9ADC-403b-A497-1D224F73A1E5}.exe	31
PID 2908 wrote to memory of 3040	2908	{D2446498-9ADC-403b-A497-1D224F73A1E5}.exe	31
PID 2908 wrote to memory of 3040	2908	{D2446498-9ADC-403b-A497-1D224F73A1E5}.exe	31
PID 2512 wrote to memory of 2684	2512	{71AE7F10-590D-4f33-825F-8D7C7BEAE080}.exe	32
PID 2512 wrote to memory of 2684	2512	{71AE7F10-590D-4f33-825F-8D7C7BEAE080}.exe	32
PID 2512 wrote to memory of 2684	2512	{71AE7F10-590D-4f33-825F-8D7C7BEAE080}.exe	32
PID 2512 wrote to memory of 2684	2512	{71AE7F10-590D-4f33-825F-8D7C7BEAE080}.exe	32
PID 2512 wrote to memory of 2548	2512	{71AE7F10-590D-4f33-825F-8D7C7BEAE080}.exe	33
PID 2512 wrote to memory of 2548	2512	{71AE7F10-590D-4f33-825F-8D7C7BEAE080}.exe	33
PID 2512 wrote to memory of 2548	2512	{71AE7F10-590D-4f33-825F-8D7C7BEAE080}.exe	33
PID 2512 wrote to memory of 2548	2512	{71AE7F10-590D-4f33-825F-8D7C7BEAE080}.exe	33
PID 2684 wrote to memory of 2280	2684	{D9FB530B-8C5D-469f-BB86-D41CDD8BEDBE}.exe	36
PID 2684 wrote to memory of 2280	2684	{D9FB530B-8C5D-469f-BB86-D41CDD8BEDBE}.exe	36
PID 2684 wrote to memory of 2280	2684	{D9FB530B-8C5D-469f-BB86-D41CDD8BEDBE}.exe	36
PID 2684 wrote to memory of 2280	2684	{D9FB530B-8C5D-469f-BB86-D41CDD8BEDBE}.exe	36
PID 2684 wrote to memory of 1228	2684	{D9FB530B-8C5D-469f-BB86-D41CDD8BEDBE}.exe	37
PID 2684 wrote to memory of 1228	2684	{D9FB530B-8C5D-469f-BB86-D41CDD8BEDBE}.exe	37
PID 2684 wrote to memory of 1228	2684	{D9FB530B-8C5D-469f-BB86-D41CDD8BEDBE}.exe	37
PID 2684 wrote to memory of 1228	2684	{D9FB530B-8C5D-469f-BB86-D41CDD8BEDBE}.exe	37
PID 2280 wrote to memory of 2752	2280	{2B095293-FF52-443c-A643-0CCFA5B18EB6}.exe	38
PID 2280 wrote to memory of 2752	2280	{2B095293-FF52-443c-A643-0CCFA5B18EB6}.exe	38
PID 2280 wrote to memory of 2752	2280	{2B095293-FF52-443c-A643-0CCFA5B18EB6}.exe	38
PID 2280 wrote to memory of 2752	2280	{2B095293-FF52-443c-A643-0CCFA5B18EB6}.exe	38
PID 2280 wrote to memory of 2880	2280	{2B095293-FF52-443c-A643-0CCFA5B18EB6}.exe	39
PID 2280 wrote to memory of 2880	2280	{2B095293-FF52-443c-A643-0CCFA5B18EB6}.exe	39
PID 2280 wrote to memory of 2880	2280	{2B095293-FF52-443c-A643-0CCFA5B18EB6}.exe	39
PID 2280 wrote to memory of 2880	2280	{2B095293-FF52-443c-A643-0CCFA5B18EB6}.exe	39
PID 2752 wrote to memory of 1976	2752	{6C2C461A-4824-4044-9E62-2BC8BF159691}.exe	40
PID 2752 wrote to memory of 1976	2752	{6C2C461A-4824-4044-9E62-2BC8BF159691}.exe	40
PID 2752 wrote to memory of 1976	2752	{6C2C461A-4824-4044-9E62-2BC8BF159691}.exe	40
PID 2752 wrote to memory of 1976	2752	{6C2C461A-4824-4044-9E62-2BC8BF159691}.exe	40
PID 2752 wrote to memory of 1712	2752	{6C2C461A-4824-4044-9E62-2BC8BF159691}.exe	41
PID 2752 wrote to memory of 1712	2752	{6C2C461A-4824-4044-9E62-2BC8BF159691}.exe	41
PID 2752 wrote to memory of 1712	2752	{6C2C461A-4824-4044-9E62-2BC8BF159691}.exe	41
PID 2752 wrote to memory of 1712	2752	{6C2C461A-4824-4044-9E62-2BC8BF159691}.exe	41
PID 1976 wrote to memory of 2436	1976	{3B4FECC0-9F0C-4a10-9E38-9E7D3F6917E4}.exe	42
PID 1976 wrote to memory of 2436	1976	{3B4FECC0-9F0C-4a10-9E38-9E7D3F6917E4}.exe	42
PID 1976 wrote to memory of 2436	1976	{3B4FECC0-9F0C-4a10-9E38-9E7D3F6917E4}.exe	42
PID 1976 wrote to memory of 2436	1976	{3B4FECC0-9F0C-4a10-9E38-9E7D3F6917E4}.exe	42
PID 1976 wrote to memory of 812	1976	{3B4FECC0-9F0C-4a10-9E38-9E7D3F6917E4}.exe	43
PID 1976 wrote to memory of 812	1976	{3B4FECC0-9F0C-4a10-9E38-9E7D3F6917E4}.exe	43
PID 1976 wrote to memory of 812	1976	{3B4FECC0-9F0C-4a10-9E38-9E7D3F6917E4}.exe	43
PID 1976 wrote to memory of 812	1976	{3B4FECC0-9F0C-4a10-9E38-9E7D3F6917E4}.exe	43
PID 2436 wrote to memory of 2916	2436	{3FFFA10A-3FF5-47c0-A97B-1AC342108F5D}.exe	44
PID 2436 wrote to memory of 2916	2436	{3FFFA10A-3FF5-47c0-A97B-1AC342108F5D}.exe	44
PID 2436 wrote to memory of 2916	2436	{3FFFA10A-3FF5-47c0-A97B-1AC342108F5D}.exe	44
PID 2436 wrote to memory of 2916	2436	{3FFFA10A-3FF5-47c0-A97B-1AC342108F5D}.exe	44
PID 2436 wrote to memory of 2892	2436	{3FFFA10A-3FF5-47c0-A97B-1AC342108F5D}.exe	45
PID 2436 wrote to memory of 2892	2436	{3FFFA10A-3FF5-47c0-A97B-1AC342108F5D}.exe	45
PID 2436 wrote to memory of 2892	2436	{3FFFA10A-3FF5-47c0-A97B-1AC342108F5D}.exe	45
PID 2436 wrote to memory of 2892	2436	{3FFFA10A-3FF5-47c0-A97B-1AC342108F5D}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-04-10_69be8f47bf80443a81922501b0a4cdb1_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-10_69be8f47bf80443a81922501b0a4cdb1_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1948
- C:\Windows\{D2446498-9ADC-403b-A497-1D224F73A1E5}.exe
  C:\Windows\{D2446498-9ADC-403b-A497-1D224F73A1E5}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2908
- - C:\Windows\{71AE7F10-590D-4f33-825F-8D7C7BEAE080}.exe
    C:\Windows\{71AE7F10-590D-4f33-825F-8D7C7BEAE080}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2512
  - - C:\Windows\{D9FB530B-8C5D-469f-BB86-D41CDD8BEDBE}.exe
      C:\Windows\{D9FB530B-8C5D-469f-BB86-D41CDD8BEDBE}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2684
    - - C:\Windows\{2B095293-FF52-443c-A643-0CCFA5B18EB6}.exe
        
        C:\Windows\{2B095293-FF52-443c-A643-0CCFA5B18EB6}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2280
      - C:\Windows\{6C2C461A-4824-4044-9E62-2BC8BF159691}.exe
        
        C:\Windows\{6C2C461A-4824-4044-9E62-2BC8BF159691}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2752
        
        C:\Windows\{3B4FECC0-9F0C-4a10-9E38-9E7D3F6917E4}.exe
        
        C:\Windows\{3B4FECC0-9F0C-4a10-9E38-9E7D3F6917E4}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1976
        
        C:\Windows\{3FFFA10A-3FF5-47c0-A97B-1AC342108F5D}.exe
        
        C:\Windows\{3FFFA10A-3FF5-47c0-A97B-1AC342108F5D}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2436
        
        C:\Windows\{C3B88EE1-B304-4efc-B874-8C164CF4E8DD}.exe
        
        C:\Windows\{C3B88EE1-B304-4efc-B874-8C164CF4E8DD}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2916
        
        C:\Windows\{B389201F-229A-405e-8D3F-A06ACAB00960}.exe
        
        C:\Windows\{B389201F-229A-405e-8D3F-A06ACAB00960}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2976
        
        C:\Windows\{AA642F85-9759-4876-B277-2528864729B4}.exe
        
        C:\Windows\{AA642F85-9759-4876-B277-2528864729B4}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1356
        
        C:\Windows\{D73A0F84-1B02-43db-B8C3-1B24C4DC8E37}.exe
        
        C:\Windows\{D73A0F84-1B02-43db-B8C3-1B24C4DC8E37}.exe
        12⤵
        Executes dropped EXE
        
        PID:1444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AA642~1.EXE > nul
        12⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B3892~1.EXE > nul
        11⤵
        
        PID:540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C3B88~1.EXE > nul
        10⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3FFFA~1.EXE > nul
        9⤵
        
        PID:2892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3B4FE~1.EXE > nul
        8⤵
        
        PID:812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6C2C4~1.EXE > nul
        7⤵
        
        PID:1712
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2B095~1.EXE > nul
        6⤵
        
        PID:2880
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D9FB5~1.EXE > nul
        5⤵
        
        PID:1228
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{71AE7~1.EXE > nul
      4⤵
      PID:2548
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{D2446~1.EXE > nul
    3⤵
    PID:3040
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:3004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{2B095293-FF52-443c-A643-0CCFA5B18EB6}.exe

Filesize
380KB

MD5
5927fc00a9c43a5c2530b8495aef1acd

SHA1
d3c24c3cf227d4c87e5b05138126fcc83c8f1623

SHA256
b96118ee8ddcae900e137f3843e7d2605688385aa6779470929ccbce1f6e3121

SHA512
00840046fa04118ef2217ff2340d377a4ff263e2256b7cc8e262b0f3c2b2bdc435fd7e87b51a756b0de3fd55bfe130d9b7fa0a49e64166ea57220a135a23faa1

Download Submit
C:\Windows\{3B4FECC0-9F0C-4a10-9E38-9E7D3F6917E4}.exe

Filesize
380KB

MD5
b03b52efcf55707c8f8f83c5c4457772

SHA1
cbc49b8c828021cb1ed4df3dcaf36a1f82820a19

SHA256
c6eff518b7cf0fbc9be3869d6a7a0c68b4b5eddd4a87260229afd3dbb6ac8afe

SHA512
154b6b796bdb380888cad3bd99554e47cdf7cc10aa71bd6951a91e035228d2b6571901312cf3741d368fe9903a435267223ee801cff1712a0484294bc769fbac

Download Submit
C:\Windows\{3FFFA10A-3FF5-47c0-A97B-1AC342108F5D}.exe

Filesize
380KB

MD5
78c83ad85a9d6e72fd568d42f1524bc4

SHA1
fb7c3f841da485cf125f0983b6af57fc93164bd1

SHA256
da07899956faf09f77fe25cb15a14947b8984817d3e1ae9c4dbd6ed074a53e34

SHA512
643c541582fdde60e6504add4baddd04baa1b288b7b2ef9b9b6cc27ee8902ee7b93ec485efd7a6118bfb3aecebd5016cbeae6b9f111e65739bbad37a9e5b3e67

Download Submit
C:\Windows\{6C2C461A-4824-4044-9E62-2BC8BF159691}.exe

Filesize
380KB

MD5
2e9d669dfe207e0865dea15420569352

SHA1
ffa979d11b7ccc014d42cc4b5e5e241af3a203b7

SHA256
04cc9559df28576f52717d06f97246702f0c66adcb249fe2eb3f9c0479bdc152

SHA512
e1e4720c32082b46a247eb1210a603bdf302d2b22abd39249c9336ebe14862a71328277f65fe2e98c5fa6a8d998da5fb4abbf5fafecddf1d67a722ddca74e05c

Download Submit
C:\Windows\{71AE7F10-590D-4f33-825F-8D7C7BEAE080}.exe

Filesize
380KB

MD5
61d240f742d57e45956605a72b33c6db

SHA1
d659c091300e4d41e260c9fc8b22d163cbefc82e

SHA256
19a4ed3c209f0fc63cb444661c8efe9df7fb0e92f7873d35671aedfa76d14cd8

SHA512
ce4aae168cedd3a354aef82576efeca93beca86b956c87f3df77fbb308dc35e2e6643c8d1fa0f6262c5a8efbd166de704ca5ec46ead3563ba7eaad1f4c20994b

Download Submit
C:\Windows\{AA642F85-9759-4876-B277-2528864729B4}.exe

Filesize
380KB

MD5
c194969e8646e45ad254b092fc3e2c75

SHA1
2a30dcd597f67b2c5091667822426b7ed74762c4

SHA256
71863974669a3c3da83b918c5f064281270b259131608f64abc69bc5b32d2fae

SHA512
c1b4e0308d3b445da68137deab5b93a421444eac6a6e04b2ccedc10d5e313f31fced2aa53a76755e2558ee680295e71e0d5c0b28f4ada2dc3572c33de9e73118

Download Submit
C:\Windows\{B389201F-229A-405e-8D3F-A06ACAB00960}.exe

Filesize
380KB

MD5
1f86e1fe1c31f7e20e5c809d96f903cd

SHA1
2a1885f6f23afcb1c0b1d1221e55ee7cc40b32b8

SHA256
cb5d161358e95ddf95fc7d1b0db364ecff45e175a035559f05add241277aab30

SHA512
9f4f5b435261b0f20d7c11fc99cce308f7b562ca79ef6993f8bc81eaebbe83101eb757351618cba4a3917f9c49ad4182a20630c0996e8392bd2a0dd8c1c06f4c

Download Submit
C:\Windows\{C3B88EE1-B304-4efc-B874-8C164CF4E8DD}.exe

Filesize
380KB

MD5
e818f92728eee9405ea116a124d6f65e

SHA1
438079ca63461d5d44e6d0daaa5f68c32b95ae85

SHA256
c8899071f7ee506af17fe2146e2ddac8f6b66514c944874219c01f88e6384246

SHA512
0d70f0e7a14faf5eb4d5863bd87de36d608422af2f63873830e0c815e6a0e6513cab22d12c18d2a55b568e3d7ecb8ef68942631f120c775ccbb28e6a0e9ccce7

Download Submit
C:\Windows\{D2446498-9ADC-403b-A497-1D224F73A1E5}.exe

Filesize
380KB

MD5
2ddca4b23033b2cebdfa48704c12922f

SHA1
b0f3c8582f345865a395c3614238b9ff73224eeb

SHA256
49b18bd3dc5ab6293dbc6049d8697f373e844d184835861196d9a37e70bca6c8

SHA512
dbff9f0908ade168af43bd253535712a30a74d9a30c7cfcf10cef98de686e7d7111226fbaeb91f391d9f39121e2d0edcc605951e20acf0732b16d8ed930067ed

Download Submit
C:\Windows\{D73A0F84-1B02-43db-B8C3-1B24C4DC8E37}.exe

Filesize
380KB

MD5
8d9212baa0527d953ff5f4c53f2f4687

SHA1
11baf4e50e5ee869abe6174d2c875ce8de94a55a

SHA256
1a7034d0b8dc75a6e558e30573892dd1ee5f00b930db0028a3aef5d1c6736dbd

SHA512
42f7ae73230a56aafc299e7041cc681c99ef879cf34e0d785b911cb88c7e6996af3da423109b3d4d1e2de68fa7b72aa1acb3f99925181d7c09dff6efa5b564ce

Download Submit
C:\Windows\{D9FB530B-8C5D-469f-BB86-D41CDD8BEDBE}.exe

Filesize
380KB

MD5
ab65c95e990515f5f920b19dc6f45d00

SHA1
7866325afa7eb6fdb507550eee326b57d5e52072

SHA256
7b57aaca47e6dd2a709063629d7dba13ab880fb49d79f798913d0233206c8a65

SHA512
3704b7fe67be57bb7d12aabc0d1dc455b4e51fd05e70a7633447fe1b07ddb79ba1b9b64e25f6f8e367d9df1b2f19d848be9b783b074fd6ad2212543321806c64

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads