9fbd9b621f101618233442b3c1ff0a8ff7aa0fbe507f90c4f64776f725f5049a

Analysis

max time kernel
144s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
10/04/2024, 12:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-10_7c766384d8f3d127f2c2918fdf079539_goldeneye.exe
Size

168KB
MD5

7c766384d8f3d127f2c2918fdf079539
SHA1

e7f2f59c63332527ba66cf1df8a79d4c738d56ac
SHA256

9fbd9b621f101618233442b3c1ff0a8ff7aa0fbe507f90c4f64776f725f5049a
SHA512

a1b789ed9fb84d133573407709c7b826f36ccb78e54d7e949bf8f10f5d97520c12abda142e8271244325478f709ff90db9221171ee364867e162b796685ed386
SSDEEP

1536:1EGh0owlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0owlqOPOe2MUVg3Ve+rX

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000b00000001224f-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00080000000122cd-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c00000001224f-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d00000001224f-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e00000001224f-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f00000001224f-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001000000001224f-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1ADD36E5-6F65-41b2-BCDB-0C41D449222D}\stubpath = "C:\\Windows\\{1ADD36E5-6F65-41b2-BCDB-0C41D449222D}.exe"	{62FCACD9-2399-4b9e-A01E-BEE28ACC0FCB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{183827D3-8AD6-4ec8-988E-54849BEC78F8}	{1ADD36E5-6F65-41b2-BCDB-0C41D449222D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A23046C1-755B-4c7b-B4C8-6A7BB5564542}	{183827D3-8AD6-4ec8-988E-54849BEC78F8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3F76FE20-6520-4f72-A2C0-E6186CB7B47E}	2024-04-10_7c766384d8f3d127f2c2918fdf079539_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{63391A72-7725-4c6d-8395-8E860FA5ABD9}	{3F76FE20-6520-4f72-A2C0-E6186CB7B47E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{77795A8F-E253-4e1f-A689-26EBF9BCC6C3}	{E90C9C23-E52C-4599-A2DA-AE10418149AE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{77795A8F-E253-4e1f-A689-26EBF9BCC6C3}\stubpath = "C:\\Windows\\{77795A8F-E253-4e1f-A689-26EBF9BCC6C3}.exe"	{E90C9C23-E52C-4599-A2DA-AE10418149AE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{62FCACD9-2399-4b9e-A01E-BEE28ACC0FCB}	{DDC93B6A-D280-4271-A13A-C36B0F5D5004}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E6F85FEF-6DA1-43b5-800E-971C5076C787}\stubpath = "C:\\Windows\\{E6F85FEF-6DA1-43b5-800E-971C5076C787}.exe"	{77795A8F-E253-4e1f-A689-26EBF9BCC6C3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8E4BF769-29DE-4f02-B9D5-3A7B79180797}	{63391A72-7725-4c6d-8395-8E860FA5ABD9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8E4BF769-29DE-4f02-B9D5-3A7B79180797}\stubpath = "C:\\Windows\\{8E4BF769-29DE-4f02-B9D5-3A7B79180797}.exe"	{63391A72-7725-4c6d-8395-8E860FA5ABD9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E90C9C23-E52C-4599-A2DA-AE10418149AE}	{8E4BF769-29DE-4f02-B9D5-3A7B79180797}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E90C9C23-E52C-4599-A2DA-AE10418149AE}\stubpath = "C:\\Windows\\{E90C9C23-E52C-4599-A2DA-AE10418149AE}.exe"	{8E4BF769-29DE-4f02-B9D5-3A7B79180797}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E6F85FEF-6DA1-43b5-800E-971C5076C787}	{77795A8F-E253-4e1f-A689-26EBF9BCC6C3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DDC93B6A-D280-4271-A13A-C36B0F5D5004}\stubpath = "C:\\Windows\\{DDC93B6A-D280-4271-A13A-C36B0F5D5004}.exe"	{E6F85FEF-6DA1-43b5-800E-971C5076C787}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A23046C1-755B-4c7b-B4C8-6A7BB5564542}\stubpath = "C:\\Windows\\{A23046C1-755B-4c7b-B4C8-6A7BB5564542}.exe"	{183827D3-8AD6-4ec8-988E-54849BEC78F8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{183827D3-8AD6-4ec8-988E-54849BEC78F8}\stubpath = "C:\\Windows\\{183827D3-8AD6-4ec8-988E-54849BEC78F8}.exe"	{1ADD36E5-6F65-41b2-BCDB-0C41D449222D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3F76FE20-6520-4f72-A2C0-E6186CB7B47E}\stubpath = "C:\\Windows\\{3F76FE20-6520-4f72-A2C0-E6186CB7B47E}.exe"	2024-04-10_7c766384d8f3d127f2c2918fdf079539_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{63391A72-7725-4c6d-8395-8E860FA5ABD9}\stubpath = "C:\\Windows\\{63391A72-7725-4c6d-8395-8E860FA5ABD9}.exe"	{3F76FE20-6520-4f72-A2C0-E6186CB7B47E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DDC93B6A-D280-4271-A13A-C36B0F5D5004}	{E6F85FEF-6DA1-43b5-800E-971C5076C787}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{62FCACD9-2399-4b9e-A01E-BEE28ACC0FCB}\stubpath = "C:\\Windows\\{62FCACD9-2399-4b9e-A01E-BEE28ACC0FCB}.exe"	{DDC93B6A-D280-4271-A13A-C36B0F5D5004}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1ADD36E5-6F65-41b2-BCDB-0C41D449222D}	{62FCACD9-2399-4b9e-A01E-BEE28ACC0FCB}.exe

Deletes itself 1 IoCs

pid	Process
3064	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2984	{3F76FE20-6520-4f72-A2C0-E6186CB7B47E}.exe
2556	{63391A72-7725-4c6d-8395-8E860FA5ABD9}.exe
2436	{8E4BF769-29DE-4f02-B9D5-3A7B79180797}.exe
1092	{E90C9C23-E52C-4599-A2DA-AE10418149AE}.exe
2924	{77795A8F-E253-4e1f-A689-26EBF9BCC6C3}.exe
1228	{E6F85FEF-6DA1-43b5-800E-971C5076C787}.exe
2632	{DDC93B6A-D280-4271-A13A-C36B0F5D5004}.exe
2776	{62FCACD9-2399-4b9e-A01E-BEE28ACC0FCB}.exe
2056	{1ADD36E5-6F65-41b2-BCDB-0C41D449222D}.exe
2064	{183827D3-8AD6-4ec8-988E-54849BEC78F8}.exe
2684	{A23046C1-755B-4c7b-B4C8-6A7BB5564542}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{63391A72-7725-4c6d-8395-8E860FA5ABD9}.exe	{3F76FE20-6520-4f72-A2C0-E6186CB7B47E}.exe
File created	C:\Windows\{E90C9C23-E52C-4599-A2DA-AE10418149AE}.exe	{8E4BF769-29DE-4f02-B9D5-3A7B79180797}.exe
File created	C:\Windows\{E6F85FEF-6DA1-43b5-800E-971C5076C787}.exe	{77795A8F-E253-4e1f-A689-26EBF9BCC6C3}.exe
File created	C:\Windows\{1ADD36E5-6F65-41b2-BCDB-0C41D449222D}.exe	{62FCACD9-2399-4b9e-A01E-BEE28ACC0FCB}.exe
File created	C:\Windows\{183827D3-8AD6-4ec8-988E-54849BEC78F8}.exe	{1ADD36E5-6F65-41b2-BCDB-0C41D449222D}.exe
File created	C:\Windows\{3F76FE20-6520-4f72-A2C0-E6186CB7B47E}.exe	2024-04-10_7c766384d8f3d127f2c2918fdf079539_goldeneye.exe
File created	C:\Windows\{8E4BF769-29DE-4f02-B9D5-3A7B79180797}.exe	{63391A72-7725-4c6d-8395-8E860FA5ABD9}.exe
File created	C:\Windows\{77795A8F-E253-4e1f-A689-26EBF9BCC6C3}.exe	{E90C9C23-E52C-4599-A2DA-AE10418149AE}.exe
File created	C:\Windows\{DDC93B6A-D280-4271-A13A-C36B0F5D5004}.exe	{E6F85FEF-6DA1-43b5-800E-971C5076C787}.exe
File created	C:\Windows\{62FCACD9-2399-4b9e-A01E-BEE28ACC0FCB}.exe	{DDC93B6A-D280-4271-A13A-C36B0F5D5004}.exe
File created	C:\Windows\{A23046C1-755B-4c7b-B4C8-6A7BB5564542}.exe	{183827D3-8AD6-4ec8-988E-54849BEC78F8}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2204	2024-04-10_7c766384d8f3d127f2c2918fdf079539_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2984	{3F76FE20-6520-4f72-A2C0-E6186CB7B47E}.exe
Token: SeIncBasePriorityPrivilege	2556	{63391A72-7725-4c6d-8395-8E860FA5ABD9}.exe
Token: SeIncBasePriorityPrivilege	2436	{8E4BF769-29DE-4f02-B9D5-3A7B79180797}.exe
Token: SeIncBasePriorityPrivilege	1092	{E90C9C23-E52C-4599-A2DA-AE10418149AE}.exe
Token: SeIncBasePriorityPrivilege	2924	{77795A8F-E253-4e1f-A689-26EBF9BCC6C3}.exe
Token: SeIncBasePriorityPrivilege	1228	{E6F85FEF-6DA1-43b5-800E-971C5076C787}.exe
Token: SeIncBasePriorityPrivilege	2632	{DDC93B6A-D280-4271-A13A-C36B0F5D5004}.exe
Token: SeIncBasePriorityPrivilege	2776	{62FCACD9-2399-4b9e-A01E-BEE28ACC0FCB}.exe
Token: SeIncBasePriorityPrivilege	2056	{1ADD36E5-6F65-41b2-BCDB-0C41D449222D}.exe
Token: SeIncBasePriorityPrivilege	2064	{183827D3-8AD6-4ec8-988E-54849BEC78F8}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2204 wrote to memory of 2984	2204	2024-04-10_7c766384d8f3d127f2c2918fdf079539_goldeneye.exe	28
PID 2204 wrote to memory of 2984	2204	2024-04-10_7c766384d8f3d127f2c2918fdf079539_goldeneye.exe	28
PID 2204 wrote to memory of 2984	2204	2024-04-10_7c766384d8f3d127f2c2918fdf079539_goldeneye.exe	28
PID 2204 wrote to memory of 2984	2204	2024-04-10_7c766384d8f3d127f2c2918fdf079539_goldeneye.exe	28
PID 2204 wrote to memory of 3064	2204	2024-04-10_7c766384d8f3d127f2c2918fdf079539_goldeneye.exe	29
PID 2204 wrote to memory of 3064	2204	2024-04-10_7c766384d8f3d127f2c2918fdf079539_goldeneye.exe	29
PID 2204 wrote to memory of 3064	2204	2024-04-10_7c766384d8f3d127f2c2918fdf079539_goldeneye.exe	29
PID 2204 wrote to memory of 3064	2204	2024-04-10_7c766384d8f3d127f2c2918fdf079539_goldeneye.exe	29
PID 2984 wrote to memory of 2556	2984	{3F76FE20-6520-4f72-A2C0-E6186CB7B47E}.exe	30
PID 2984 wrote to memory of 2556	2984	{3F76FE20-6520-4f72-A2C0-E6186CB7B47E}.exe	30
PID 2984 wrote to memory of 2556	2984	{3F76FE20-6520-4f72-A2C0-E6186CB7B47E}.exe	30
PID 2984 wrote to memory of 2556	2984	{3F76FE20-6520-4f72-A2C0-E6186CB7B47E}.exe	30
PID 2984 wrote to memory of 2532	2984	{3F76FE20-6520-4f72-A2C0-E6186CB7B47E}.exe	31
PID 2984 wrote to memory of 2532	2984	{3F76FE20-6520-4f72-A2C0-E6186CB7B47E}.exe	31
PID 2984 wrote to memory of 2532	2984	{3F76FE20-6520-4f72-A2C0-E6186CB7B47E}.exe	31
PID 2984 wrote to memory of 2532	2984	{3F76FE20-6520-4f72-A2C0-E6186CB7B47E}.exe	31
PID 2556 wrote to memory of 2436	2556	{63391A72-7725-4c6d-8395-8E860FA5ABD9}.exe	32
PID 2556 wrote to memory of 2436	2556	{63391A72-7725-4c6d-8395-8E860FA5ABD9}.exe	32
PID 2556 wrote to memory of 2436	2556	{63391A72-7725-4c6d-8395-8E860FA5ABD9}.exe	32
PID 2556 wrote to memory of 2436	2556	{63391A72-7725-4c6d-8395-8E860FA5ABD9}.exe	32
PID 2556 wrote to memory of 2440	2556	{63391A72-7725-4c6d-8395-8E860FA5ABD9}.exe	33
PID 2556 wrote to memory of 2440	2556	{63391A72-7725-4c6d-8395-8E860FA5ABD9}.exe	33
PID 2556 wrote to memory of 2440	2556	{63391A72-7725-4c6d-8395-8E860FA5ABD9}.exe	33
PID 2556 wrote to memory of 2440	2556	{63391A72-7725-4c6d-8395-8E860FA5ABD9}.exe	33
PID 2436 wrote to memory of 1092	2436	{8E4BF769-29DE-4f02-B9D5-3A7B79180797}.exe	36
PID 2436 wrote to memory of 1092	2436	{8E4BF769-29DE-4f02-B9D5-3A7B79180797}.exe	36
PID 2436 wrote to memory of 1092	2436	{8E4BF769-29DE-4f02-B9D5-3A7B79180797}.exe	36
PID 2436 wrote to memory of 1092	2436	{8E4BF769-29DE-4f02-B9D5-3A7B79180797}.exe	36
PID 2436 wrote to memory of 1664	2436	{8E4BF769-29DE-4f02-B9D5-3A7B79180797}.exe	37
PID 2436 wrote to memory of 1664	2436	{8E4BF769-29DE-4f02-B9D5-3A7B79180797}.exe	37
PID 2436 wrote to memory of 1664	2436	{8E4BF769-29DE-4f02-B9D5-3A7B79180797}.exe	37
PID 2436 wrote to memory of 1664	2436	{8E4BF769-29DE-4f02-B9D5-3A7B79180797}.exe	37
PID 1092 wrote to memory of 2924	1092	{E90C9C23-E52C-4599-A2DA-AE10418149AE}.exe	38
PID 1092 wrote to memory of 2924	1092	{E90C9C23-E52C-4599-A2DA-AE10418149AE}.exe	38
PID 1092 wrote to memory of 2924	1092	{E90C9C23-E52C-4599-A2DA-AE10418149AE}.exe	38
PID 1092 wrote to memory of 2924	1092	{E90C9C23-E52C-4599-A2DA-AE10418149AE}.exe	38
PID 1092 wrote to memory of 2956	1092	{E90C9C23-E52C-4599-A2DA-AE10418149AE}.exe	39
PID 1092 wrote to memory of 2956	1092	{E90C9C23-E52C-4599-A2DA-AE10418149AE}.exe	39
PID 1092 wrote to memory of 2956	1092	{E90C9C23-E52C-4599-A2DA-AE10418149AE}.exe	39
PID 1092 wrote to memory of 2956	1092	{E90C9C23-E52C-4599-A2DA-AE10418149AE}.exe	39
PID 2924 wrote to memory of 1228	2924	{77795A8F-E253-4e1f-A689-26EBF9BCC6C3}.exe	40
PID 2924 wrote to memory of 1228	2924	{77795A8F-E253-4e1f-A689-26EBF9BCC6C3}.exe	40
PID 2924 wrote to memory of 1228	2924	{77795A8F-E253-4e1f-A689-26EBF9BCC6C3}.exe	40
PID 2924 wrote to memory of 1228	2924	{77795A8F-E253-4e1f-A689-26EBF9BCC6C3}.exe	40
PID 2924 wrote to memory of 868	2924	{77795A8F-E253-4e1f-A689-26EBF9BCC6C3}.exe	41
PID 2924 wrote to memory of 868	2924	{77795A8F-E253-4e1f-A689-26EBF9BCC6C3}.exe	41
PID 2924 wrote to memory of 868	2924	{77795A8F-E253-4e1f-A689-26EBF9BCC6C3}.exe	41
PID 2924 wrote to memory of 868	2924	{77795A8F-E253-4e1f-A689-26EBF9BCC6C3}.exe	41
PID 1228 wrote to memory of 2632	1228	{E6F85FEF-6DA1-43b5-800E-971C5076C787}.exe	42
PID 1228 wrote to memory of 2632	1228	{E6F85FEF-6DA1-43b5-800E-971C5076C787}.exe	42
PID 1228 wrote to memory of 2632	1228	{E6F85FEF-6DA1-43b5-800E-971C5076C787}.exe	42
PID 1228 wrote to memory of 2632	1228	{E6F85FEF-6DA1-43b5-800E-971C5076C787}.exe	42
PID 1228 wrote to memory of 1380	1228	{E6F85FEF-6DA1-43b5-800E-971C5076C787}.exe	43
PID 1228 wrote to memory of 1380	1228	{E6F85FEF-6DA1-43b5-800E-971C5076C787}.exe	43
PID 1228 wrote to memory of 1380	1228	{E6F85FEF-6DA1-43b5-800E-971C5076C787}.exe	43
PID 1228 wrote to memory of 1380	1228	{E6F85FEF-6DA1-43b5-800E-971C5076C787}.exe	43
PID 2632 wrote to memory of 2776	2632	{DDC93B6A-D280-4271-A13A-C36B0F5D5004}.exe	44
PID 2632 wrote to memory of 2776	2632	{DDC93B6A-D280-4271-A13A-C36B0F5D5004}.exe	44
PID 2632 wrote to memory of 2776	2632	{DDC93B6A-D280-4271-A13A-C36B0F5D5004}.exe	44
PID 2632 wrote to memory of 2776	2632	{DDC93B6A-D280-4271-A13A-C36B0F5D5004}.exe	44
PID 2632 wrote to memory of 2744	2632	{DDC93B6A-D280-4271-A13A-C36B0F5D5004}.exe	45
PID 2632 wrote to memory of 2744	2632	{DDC93B6A-D280-4271-A13A-C36B0F5D5004}.exe	45
PID 2632 wrote to memory of 2744	2632	{DDC93B6A-D280-4271-A13A-C36B0F5D5004}.exe	45
PID 2632 wrote to memory of 2744	2632	{DDC93B6A-D280-4271-A13A-C36B0F5D5004}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-04-10_7c766384d8f3d127f2c2918fdf079539_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-10_7c766384d8f3d127f2c2918fdf079539_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2204
- C:\Windows\{3F76FE20-6520-4f72-A2C0-E6186CB7B47E}.exe
  C:\Windows\{3F76FE20-6520-4f72-A2C0-E6186CB7B47E}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2984
- - C:\Windows\{63391A72-7725-4c6d-8395-8E860FA5ABD9}.exe
    C:\Windows\{63391A72-7725-4c6d-8395-8E860FA5ABD9}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2556
  - - C:\Windows\{8E4BF769-29DE-4f02-B9D5-3A7B79180797}.exe
      C:\Windows\{8E4BF769-29DE-4f02-B9D5-3A7B79180797}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2436
    - - C:\Windows\{E90C9C23-E52C-4599-A2DA-AE10418149AE}.exe
        
        C:\Windows\{E90C9C23-E52C-4599-A2DA-AE10418149AE}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1092
      - C:\Windows\{77795A8F-E253-4e1f-A689-26EBF9BCC6C3}.exe
        
        C:\Windows\{77795A8F-E253-4e1f-A689-26EBF9BCC6C3}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2924
        
        C:\Windows\{E6F85FEF-6DA1-43b5-800E-971C5076C787}.exe
        
        C:\Windows\{E6F85FEF-6DA1-43b5-800E-971C5076C787}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1228
        
        C:\Windows\{DDC93B6A-D280-4271-A13A-C36B0F5D5004}.exe
        
        C:\Windows\{DDC93B6A-D280-4271-A13A-C36B0F5D5004}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2632
        
        C:\Windows\{62FCACD9-2399-4b9e-A01E-BEE28ACC0FCB}.exe
        
        C:\Windows\{62FCACD9-2399-4b9e-A01E-BEE28ACC0FCB}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2776
        
        C:\Windows\{1ADD36E5-6F65-41b2-BCDB-0C41D449222D}.exe
        
        C:\Windows\{1ADD36E5-6F65-41b2-BCDB-0C41D449222D}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2056
        
        C:\Windows\{183827D3-8AD6-4ec8-988E-54849BEC78F8}.exe
        
        C:\Windows\{183827D3-8AD6-4ec8-988E-54849BEC78F8}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2064
        
        C:\Windows\{A23046C1-755B-4c7b-B4C8-6A7BB5564542}.exe
        
        C:\Windows\{A23046C1-755B-4c7b-B4C8-6A7BB5564542}.exe
        12⤵
        Executes dropped EXE
        
        PID:2684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{18382~1.EXE > nul
        12⤵
        
        PID:1888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1ADD3~1.EXE > nul
        11⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{62FCA~1.EXE > nul
        10⤵
        
        PID:1160
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DDC93~1.EXE > nul
        9⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E6F85~1.EXE > nul
        8⤵
        
        PID:1380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{77795~1.EXE > nul
        7⤵
        
        PID:868
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E90C9~1.EXE > nul
        6⤵
        
        PID:2956
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8E4BF~1.EXE > nul
        5⤵
        
        PID:1664
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{63391~1.EXE > nul
      4⤵
      PID:2440
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{3F76F~1.EXE > nul
    3⤵
    PID:2532
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:3064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{183827D3-8AD6-4ec8-988E-54849BEC78F8}.exe

Filesize
168KB

MD5
d18afcdf7a1b744d7d2cbbad50154eeb

SHA1
932f21db16482b0e1725a83d05dcacef3c3f3772

SHA256
76e4f716e8f37548205f49e68e7e5c6c84b01f639e20e5255e89af82224e4dbe

SHA512
00d9969bc198c1578577051e8e6b5d27c747d81765c3a166457d6c68d6bec8d38b686ed9bfa75797f408aa5eff98cbc898d3adc0ded11f089f45bafc8b155311

Download Submit
C:\Windows\{1ADD36E5-6F65-41b2-BCDB-0C41D449222D}.exe

Filesize
168KB

MD5
d85279543c332dcf984580604d86d152

SHA1
55e036716cedb1b2a612090826f125aa46385f2d

SHA256
a61f2203c350b9a883f7f34051c4783e0bea41ef75d00ab3cae2c4b0a34be0e7

SHA512
485859023316044237cb49bd8d6a40b3d781646848c8a7e44991ad821468d48adfc3fef8f576f862e91e23af43638cc11bd3d9a3cc90bc5095dbf1c2e2f74f7b

Download Submit
C:\Windows\{3F76FE20-6520-4f72-A2C0-E6186CB7B47E}.exe

Filesize
168KB

MD5
4e0bb401685dc161364f3432b0455a51

SHA1
41227e9a26dab94b3aa95ac981d8b9d6338301ab

SHA256
e8c68e0442f07854030444dd11c876b1a71d8b56b1aaa81a4b83f48bf0789885

SHA512
47af640c969c10a29000c92385de473ccba9211debe24cec7c42402017673793b8f28680f2ce72d36a56d31f91cca64ad119b1d7e84c5c4171e92dbce1ac9a84

Download Submit
C:\Windows\{62FCACD9-2399-4b9e-A01E-BEE28ACC0FCB}.exe

Filesize
168KB

MD5
0ab06a627c43e75dff2a72d1d838868c

SHA1
639fc597e1174dcbb1c10ddd027252942c368211

SHA256
bfebd2822777eda0a4eb02e2b6c55cf12b4272d4d475021ef11e0664ca817146

SHA512
390498bad44217e69051330a52c72f7813eee90128b33b30359d10d8b9a622ef982740cea7a31abc3175cceed40d6a8d1e33122ae8c79f41be078f39570129bd

Download Submit
C:\Windows\{63391A72-7725-4c6d-8395-8E860FA5ABD9}.exe

Filesize
168KB

MD5
d513ceb4312a888e7a791aedd7092cff

SHA1
043d96395cd9eb470463df48ffe247951b530b61

SHA256
89e0f8203375b1a55dcad5d71af663015d969eaf90bdf86d02264897809cefcf

SHA512
746a4bb91a60664ebc6b989c84ad4ca3fe5cb9c449c939159e55f58781a9892b27ab28717f9aca3d45f9d20714a0b78ab764007e376c5cdb39c45db0ff316a06

Download Submit
C:\Windows\{77795A8F-E253-4e1f-A689-26EBF9BCC6C3}.exe

Filesize
168KB

MD5
a98eb043754dd2adc04ac7a4e90f15b1

SHA1
0125a07e8defeeaf8af2a68f7075f5dac426f2b3

SHA256
d0213e5b01f499ed7d517311a8e8a5e341f41ba53e55def1da6fbeca2c4c5ae7

SHA512
604c00b87684036569d6dcf631f003d72faafd5917a298d2ee617b21d852928a874a7caee9bf27e2cb3a885a19f61c0aa7338773a2e29582e733b18d06c21dd1

Download Submit
C:\Windows\{8E4BF769-29DE-4f02-B9D5-3A7B79180797}.exe

Filesize
168KB

MD5
26bf47e4a031b0000a63c02b93095edc

SHA1
938d09d683074b195cb47d243aebf9fc47dc46f5

SHA256
a7474e00402fad8dd21cf99ef6d45edd1ab82cc947e75cbf5ba591b1571af94a

SHA512
c1d4dab0cc92626bc1557636b274417f9e1222abf4a27fc0aedfaf3a8442ce43755992f8f654ff7f436fe5be3ad3ac72fe7d6a49d2dbae06947bd45dc69b8def

Download Submit
C:\Windows\{A23046C1-755B-4c7b-B4C8-6A7BB5564542}.exe

Filesize
168KB

MD5
c7d6690a6247bc15524721e0aeaa6ced

SHA1
e90730bcd30ce020715dd2007a84152d4ba04916

SHA256
90bf86e32ce7f3df9b3874944467b72be24b43ba2736797c1bead0fab2eaaeee

SHA512
51a0e9c8c0f7ce4a01d163c65a5249068d5c7fb35be0ceb209d30518d77c06ebf6b35ea5853fe82e41b23711f9e5ec0e7fa465103dd033f7fd8fbccbbcbc4b3c

Download Submit
C:\Windows\{DDC93B6A-D280-4271-A13A-C36B0F5D5004}.exe

Filesize
168KB

MD5
259839a96065f3bf03ac936abd1bb839

SHA1
9df1951db0c19511e19df578cff9a7be34dcebba

SHA256
228b88787073dba79b36768153afc4dfadce7aa37657ba95b096e0c859f38d0c

SHA512
a6ff76dff34d0241c787c84bd1d299e9becf943e660500aa2ff8a7ad0e5104c66102e7bb6ac6f8462a92aab89db57e9d13df35c75173311b43b177eaae44eea0

Download Submit
C:\Windows\{E6F85FEF-6DA1-43b5-800E-971C5076C787}.exe

Filesize
168KB

MD5
aa07b383881efea2653d57b16388b559

SHA1
be1541842aab49a787de58aae0b159c815634f07

SHA256
e9ff428b747047413324cc5adb6f03de3d07a0df054cd029166c548fa032d0c8

SHA512
ae4c07cde0a2a078748b1bff98a806c46153445cfdf169583913ec4de91b694cb8f5a7487d7027ea1f91127835ebe3ef97c2629007e6e5a7cb4517af5c7f443c

Download Submit
C:\Windows\{E90C9C23-E52C-4599-A2DA-AE10418149AE}.exe

Filesize
168KB

MD5
073ccd35c0245676b2ae646fb8609646

SHA1
3f45245b22cf1ba7d82287e8005f306ee82d3e22

SHA256
b983a65fc279f12e60b9f30058d6fe9f46e50866ae735c74b3d25692b0561e26

SHA512
f0bfd963f3d53dcb15abe1cda8ffcd19bb30e0548aca97b361eed2d84d10fd644f8d61340fde2fb57676b53eacc798c6ed9efc74ba4a653ba3bccc06cc64a020

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads