2cd46ce3036e586734fe8440a5a97030a0c2722e78b2ef98085987061b16b4e3

Analysis

max time kernel
144s
max time network
120s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
11-04-2024 15:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-11_cfedb16492903c61a6c70d08e1fcfaa9_goldeneye.exe
Size

168KB
MD5

cfedb16492903c61a6c70d08e1fcfaa9
SHA1

3b02fe75e35590332b34ff62dbf0b3d65a1bd230
SHA256

2cd46ce3036e586734fe8440a5a97030a0c2722e78b2ef98085987061b16b4e3
SHA512

72db918a1042a216d9eed15254cca211a9de35c8c42210131e279838f1ba232cba3c96508d17b33d3ad66d8982e54ceaad612821b391dbed91bf325c25e57f0b
SSDEEP

1536:1EGh0o0lq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0o0lqOPOe2MUVg3Ve+rX

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000b000000014b34-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002e0000000155d1-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000014b34-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000300000000b1f2-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000400000000b1f2-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000500000000b1f2-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000600000000b1f2-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7BE251A2-0F59-41a0-A5A4-A13147E5D2CC}	{1A63B4AA-88FE-4637-8EBD-64A6BB5ACB5E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A3F83E93-EF58-44df-BE3A-7790DF55F3BC}\stubpath = "C:\\Windows\\{A3F83E93-EF58-44df-BE3A-7790DF55F3BC}.exe"	{02F6C989-E1E8-4995-9C99-5A5D21BC85FA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8386B3FC-0363-43e8-9756-4F2BD739177E}	{466E9882-D305-493f-BC2E-9843D684E0AA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8386B3FC-0363-43e8-9756-4F2BD739177E}\stubpath = "C:\\Windows\\{8386B3FC-0363-43e8-9756-4F2BD739177E}.exe"	{466E9882-D305-493f-BC2E-9843D684E0AA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7D8652B1-070B-4fd8-BDD2-54402484F6C8}	{8386B3FC-0363-43e8-9756-4F2BD739177E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4CFE4016-E822-4e52-A3BB-A4726673CCEB}\stubpath = "C:\\Windows\\{4CFE4016-E822-4e52-A3BB-A4726673CCEB}.exe"	{7D8652B1-070B-4fd8-BDD2-54402484F6C8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{53B3C941-04DE-42fe-88A3-81515CD92F33}\stubpath = "C:\\Windows\\{53B3C941-04DE-42fe-88A3-81515CD92F33}.exe"	{4CFE4016-E822-4e52-A3BB-A4726673CCEB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1A63B4AA-88FE-4637-8EBD-64A6BB5ACB5E}\stubpath = "C:\\Windows\\{1A63B4AA-88FE-4637-8EBD-64A6BB5ACB5E}.exe"	{53B3C941-04DE-42fe-88A3-81515CD92F33}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7BE251A2-0F59-41a0-A5A4-A13147E5D2CC}\stubpath = "C:\\Windows\\{7BE251A2-0F59-41a0-A5A4-A13147E5D2CC}.exe"	{1A63B4AA-88FE-4637-8EBD-64A6BB5ACB5E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{49FEC425-2268-403e-B563-3B96F3AF8E2F}	{2A4F3131-526E-45c0-8B77-CFC0DC53B551}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1A63B4AA-88FE-4637-8EBD-64A6BB5ACB5E}	{53B3C941-04DE-42fe-88A3-81515CD92F33}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{02F6C989-E1E8-4995-9C99-5A5D21BC85FA}\stubpath = "C:\\Windows\\{02F6C989-E1E8-4995-9C99-5A5D21BC85FA}.exe"	2024-04-11_cfedb16492903c61a6c70d08e1fcfaa9_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A3F83E93-EF58-44df-BE3A-7790DF55F3BC}	{02F6C989-E1E8-4995-9C99-5A5D21BC85FA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{466E9882-D305-493f-BC2E-9843D684E0AA}\stubpath = "C:\\Windows\\{466E9882-D305-493f-BC2E-9843D684E0AA}.exe"	{A3F83E93-EF58-44df-BE3A-7790DF55F3BC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7D8652B1-070B-4fd8-BDD2-54402484F6C8}\stubpath = "C:\\Windows\\{7D8652B1-070B-4fd8-BDD2-54402484F6C8}.exe"	{8386B3FC-0363-43e8-9756-4F2BD739177E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{53B3C941-04DE-42fe-88A3-81515CD92F33}	{4CFE4016-E822-4e52-A3BB-A4726673CCEB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{49FEC425-2268-403e-B563-3B96F3AF8E2F}\stubpath = "C:\\Windows\\{49FEC425-2268-403e-B563-3B96F3AF8E2F}.exe"	{2A4F3131-526E-45c0-8B77-CFC0DC53B551}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{02F6C989-E1E8-4995-9C99-5A5D21BC85FA}	2024-04-11_cfedb16492903c61a6c70d08e1fcfaa9_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{466E9882-D305-493f-BC2E-9843D684E0AA}	{A3F83E93-EF58-44df-BE3A-7790DF55F3BC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4CFE4016-E822-4e52-A3BB-A4726673CCEB}	{7D8652B1-070B-4fd8-BDD2-54402484F6C8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2A4F3131-526E-45c0-8B77-CFC0DC53B551}	{7BE251A2-0F59-41a0-A5A4-A13147E5D2CC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2A4F3131-526E-45c0-8B77-CFC0DC53B551}\stubpath = "C:\\Windows\\{2A4F3131-526E-45c0-8B77-CFC0DC53B551}.exe"	{7BE251A2-0F59-41a0-A5A4-A13147E5D2CC}.exe

Deletes itself 1 IoCs

pid	Process
2516	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2976	{02F6C989-E1E8-4995-9C99-5A5D21BC85FA}.exe
2848	{A3F83E93-EF58-44df-BE3A-7790DF55F3BC}.exe
2688	{466E9882-D305-493f-BC2E-9843D684E0AA}.exe
2072	{8386B3FC-0363-43e8-9756-4F2BD739177E}.exe
2784	{7D8652B1-070B-4fd8-BDD2-54402484F6C8}.exe
1988	{4CFE4016-E822-4e52-A3BB-A4726673CCEB}.exe
1824	{53B3C941-04DE-42fe-88A3-81515CD92F33}.exe
1904	{1A63B4AA-88FE-4637-8EBD-64A6BB5ACB5E}.exe
1968	{7BE251A2-0F59-41a0-A5A4-A13147E5D2CC}.exe
2520	{2A4F3131-526E-45c0-8B77-CFC0DC53B551}.exe
2980	{49FEC425-2268-403e-B563-3B96F3AF8E2F}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{A3F83E93-EF58-44df-BE3A-7790DF55F3BC}.exe	{02F6C989-E1E8-4995-9C99-5A5D21BC85FA}.exe
File created	C:\Windows\{466E9882-D305-493f-BC2E-9843D684E0AA}.exe	{A3F83E93-EF58-44df-BE3A-7790DF55F3BC}.exe
File created	C:\Windows\{8386B3FC-0363-43e8-9756-4F2BD739177E}.exe	{466E9882-D305-493f-BC2E-9843D684E0AA}.exe
File created	C:\Windows\{7D8652B1-070B-4fd8-BDD2-54402484F6C8}.exe	{8386B3FC-0363-43e8-9756-4F2BD739177E}.exe
File created	C:\Windows\{53B3C941-04DE-42fe-88A3-81515CD92F33}.exe	{4CFE4016-E822-4e52-A3BB-A4726673CCEB}.exe
File created	C:\Windows\{49FEC425-2268-403e-B563-3B96F3AF8E2F}.exe	{2A4F3131-526E-45c0-8B77-CFC0DC53B551}.exe
File created	C:\Windows\{02F6C989-E1E8-4995-9C99-5A5D21BC85FA}.exe	2024-04-11_cfedb16492903c61a6c70d08e1fcfaa9_goldeneye.exe
File created	C:\Windows\{1A63B4AA-88FE-4637-8EBD-64A6BB5ACB5E}.exe	{53B3C941-04DE-42fe-88A3-81515CD92F33}.exe
File created	C:\Windows\{7BE251A2-0F59-41a0-A5A4-A13147E5D2CC}.exe	{1A63B4AA-88FE-4637-8EBD-64A6BB5ACB5E}.exe
File created	C:\Windows\{2A4F3131-526E-45c0-8B77-CFC0DC53B551}.exe	{7BE251A2-0F59-41a0-A5A4-A13147E5D2CC}.exe
File created	C:\Windows\{4CFE4016-E822-4e52-A3BB-A4726673CCEB}.exe	{7D8652B1-070B-4fd8-BDD2-54402484F6C8}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3024	2024-04-11_cfedb16492903c61a6c70d08e1fcfaa9_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2976	{02F6C989-E1E8-4995-9C99-5A5D21BC85FA}.exe
Token: SeIncBasePriorityPrivilege	2848	{A3F83E93-EF58-44df-BE3A-7790DF55F3BC}.exe
Token: SeIncBasePriorityPrivilege	2688	{466E9882-D305-493f-BC2E-9843D684E0AA}.exe
Token: SeIncBasePriorityPrivilege	2072	{8386B3FC-0363-43e8-9756-4F2BD739177E}.exe
Token: SeIncBasePriorityPrivilege	2784	{7D8652B1-070B-4fd8-BDD2-54402484F6C8}.exe
Token: SeIncBasePriorityPrivilege	1988	{4CFE4016-E822-4e52-A3BB-A4726673CCEB}.exe
Token: SeIncBasePriorityPrivilege	1824	{53B3C941-04DE-42fe-88A3-81515CD92F33}.exe
Token: SeIncBasePriorityPrivilege	1904	{1A63B4AA-88FE-4637-8EBD-64A6BB5ACB5E}.exe
Token: SeIncBasePriorityPrivilege	1968	{7BE251A2-0F59-41a0-A5A4-A13147E5D2CC}.exe
Token: SeIncBasePriorityPrivilege	2520	{2A4F3131-526E-45c0-8B77-CFC0DC53B551}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3024 wrote to memory of 2976	3024	2024-04-11_cfedb16492903c61a6c70d08e1fcfaa9_goldeneye.exe	28
PID 3024 wrote to memory of 2976	3024	2024-04-11_cfedb16492903c61a6c70d08e1fcfaa9_goldeneye.exe	28
PID 3024 wrote to memory of 2976	3024	2024-04-11_cfedb16492903c61a6c70d08e1fcfaa9_goldeneye.exe	28
PID 3024 wrote to memory of 2976	3024	2024-04-11_cfedb16492903c61a6c70d08e1fcfaa9_goldeneye.exe	28
PID 3024 wrote to memory of 2516	3024	2024-04-11_cfedb16492903c61a6c70d08e1fcfaa9_goldeneye.exe	29
PID 3024 wrote to memory of 2516	3024	2024-04-11_cfedb16492903c61a6c70d08e1fcfaa9_goldeneye.exe	29
PID 3024 wrote to memory of 2516	3024	2024-04-11_cfedb16492903c61a6c70d08e1fcfaa9_goldeneye.exe	29
PID 3024 wrote to memory of 2516	3024	2024-04-11_cfedb16492903c61a6c70d08e1fcfaa9_goldeneye.exe	29
PID 2976 wrote to memory of 2848	2976	{02F6C989-E1E8-4995-9C99-5A5D21BC85FA}.exe	30
PID 2976 wrote to memory of 2848	2976	{02F6C989-E1E8-4995-9C99-5A5D21BC85FA}.exe	30
PID 2976 wrote to memory of 2848	2976	{02F6C989-E1E8-4995-9C99-5A5D21BC85FA}.exe	30
PID 2976 wrote to memory of 2848	2976	{02F6C989-E1E8-4995-9C99-5A5D21BC85FA}.exe	30
PID 2976 wrote to memory of 2548	2976	{02F6C989-E1E8-4995-9C99-5A5D21BC85FA}.exe	31
PID 2976 wrote to memory of 2548	2976	{02F6C989-E1E8-4995-9C99-5A5D21BC85FA}.exe	31
PID 2976 wrote to memory of 2548	2976	{02F6C989-E1E8-4995-9C99-5A5D21BC85FA}.exe	31
PID 2976 wrote to memory of 2548	2976	{02F6C989-E1E8-4995-9C99-5A5D21BC85FA}.exe	31
PID 2848 wrote to memory of 2688	2848	{A3F83E93-EF58-44df-BE3A-7790DF55F3BC}.exe	32
PID 2848 wrote to memory of 2688	2848	{A3F83E93-EF58-44df-BE3A-7790DF55F3BC}.exe	32
PID 2848 wrote to memory of 2688	2848	{A3F83E93-EF58-44df-BE3A-7790DF55F3BC}.exe	32
PID 2848 wrote to memory of 2688	2848	{A3F83E93-EF58-44df-BE3A-7790DF55F3BC}.exe	32
PID 2848 wrote to memory of 2652	2848	{A3F83E93-EF58-44df-BE3A-7790DF55F3BC}.exe	33
PID 2848 wrote to memory of 2652	2848	{A3F83E93-EF58-44df-BE3A-7790DF55F3BC}.exe	33
PID 2848 wrote to memory of 2652	2848	{A3F83E93-EF58-44df-BE3A-7790DF55F3BC}.exe	33
PID 2848 wrote to memory of 2652	2848	{A3F83E93-EF58-44df-BE3A-7790DF55F3BC}.exe	33
PID 2688 wrote to memory of 2072	2688	{466E9882-D305-493f-BC2E-9843D684E0AA}.exe	36
PID 2688 wrote to memory of 2072	2688	{466E9882-D305-493f-BC2E-9843D684E0AA}.exe	36
PID 2688 wrote to memory of 2072	2688	{466E9882-D305-493f-BC2E-9843D684E0AA}.exe	36
PID 2688 wrote to memory of 2072	2688	{466E9882-D305-493f-BC2E-9843D684E0AA}.exe	36
PID 2688 wrote to memory of 1532	2688	{466E9882-D305-493f-BC2E-9843D684E0AA}.exe	37
PID 2688 wrote to memory of 1532	2688	{466E9882-D305-493f-BC2E-9843D684E0AA}.exe	37
PID 2688 wrote to memory of 1532	2688	{466E9882-D305-493f-BC2E-9843D684E0AA}.exe	37
PID 2688 wrote to memory of 1532	2688	{466E9882-D305-493f-BC2E-9843D684E0AA}.exe	37
PID 2072 wrote to memory of 2784	2072	{8386B3FC-0363-43e8-9756-4F2BD739177E}.exe	38
PID 2072 wrote to memory of 2784	2072	{8386B3FC-0363-43e8-9756-4F2BD739177E}.exe	38
PID 2072 wrote to memory of 2784	2072	{8386B3FC-0363-43e8-9756-4F2BD739177E}.exe	38
PID 2072 wrote to memory of 2784	2072	{8386B3FC-0363-43e8-9756-4F2BD739177E}.exe	38
PID 2072 wrote to memory of 2812	2072	{8386B3FC-0363-43e8-9756-4F2BD739177E}.exe	39
PID 2072 wrote to memory of 2812	2072	{8386B3FC-0363-43e8-9756-4F2BD739177E}.exe	39
PID 2072 wrote to memory of 2812	2072	{8386B3FC-0363-43e8-9756-4F2BD739177E}.exe	39
PID 2072 wrote to memory of 2812	2072	{8386B3FC-0363-43e8-9756-4F2BD739177E}.exe	39
PID 2784 wrote to memory of 1988	2784	{7D8652B1-070B-4fd8-BDD2-54402484F6C8}.exe	40
PID 2784 wrote to memory of 1988	2784	{7D8652B1-070B-4fd8-BDD2-54402484F6C8}.exe	40
PID 2784 wrote to memory of 1988	2784	{7D8652B1-070B-4fd8-BDD2-54402484F6C8}.exe	40
PID 2784 wrote to memory of 1988	2784	{7D8652B1-070B-4fd8-BDD2-54402484F6C8}.exe	40
PID 2784 wrote to memory of 1900	2784	{7D8652B1-070B-4fd8-BDD2-54402484F6C8}.exe	41
PID 2784 wrote to memory of 1900	2784	{7D8652B1-070B-4fd8-BDD2-54402484F6C8}.exe	41
PID 2784 wrote to memory of 1900	2784	{7D8652B1-070B-4fd8-BDD2-54402484F6C8}.exe	41
PID 2784 wrote to memory of 1900	2784	{7D8652B1-070B-4fd8-BDD2-54402484F6C8}.exe	41
PID 1988 wrote to memory of 1824	1988	{4CFE4016-E822-4e52-A3BB-A4726673CCEB}.exe	42
PID 1988 wrote to memory of 1824	1988	{4CFE4016-E822-4e52-A3BB-A4726673CCEB}.exe	42
PID 1988 wrote to memory of 1824	1988	{4CFE4016-E822-4e52-A3BB-A4726673CCEB}.exe	42
PID 1988 wrote to memory of 1824	1988	{4CFE4016-E822-4e52-A3BB-A4726673CCEB}.exe	42
PID 1988 wrote to memory of 2484	1988	{4CFE4016-E822-4e52-A3BB-A4726673CCEB}.exe	43
PID 1988 wrote to memory of 2484	1988	{4CFE4016-E822-4e52-A3BB-A4726673CCEB}.exe	43
PID 1988 wrote to memory of 2484	1988	{4CFE4016-E822-4e52-A3BB-A4726673CCEB}.exe	43
PID 1988 wrote to memory of 2484	1988	{4CFE4016-E822-4e52-A3BB-A4726673CCEB}.exe	43
PID 1824 wrote to memory of 1904	1824	{53B3C941-04DE-42fe-88A3-81515CD92F33}.exe	44
PID 1824 wrote to memory of 1904	1824	{53B3C941-04DE-42fe-88A3-81515CD92F33}.exe	44
PID 1824 wrote to memory of 1904	1824	{53B3C941-04DE-42fe-88A3-81515CD92F33}.exe	44
PID 1824 wrote to memory of 1904	1824	{53B3C941-04DE-42fe-88A3-81515CD92F33}.exe	44
PID 1824 wrote to memory of 2724	1824	{53B3C941-04DE-42fe-88A3-81515CD92F33}.exe	45
PID 1824 wrote to memory of 2724	1824	{53B3C941-04DE-42fe-88A3-81515CD92F33}.exe	45
PID 1824 wrote to memory of 2724	1824	{53B3C941-04DE-42fe-88A3-81515CD92F33}.exe	45
PID 1824 wrote to memory of 2724	1824	{53B3C941-04DE-42fe-88A3-81515CD92F33}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-04-11_cfedb16492903c61a6c70d08e1fcfaa9_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-11_cfedb16492903c61a6c70d08e1fcfaa9_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3024
- C:\Windows\{02F6C989-E1E8-4995-9C99-5A5D21BC85FA}.exe
  C:\Windows\{02F6C989-E1E8-4995-9C99-5A5D21BC85FA}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2976
- - C:\Windows\{A3F83E93-EF58-44df-BE3A-7790DF55F3BC}.exe
    C:\Windows\{A3F83E93-EF58-44df-BE3A-7790DF55F3BC}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2848
  - - C:\Windows\{466E9882-D305-493f-BC2E-9843D684E0AA}.exe
      C:\Windows\{466E9882-D305-493f-BC2E-9843D684E0AA}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2688
    - - C:\Windows\{8386B3FC-0363-43e8-9756-4F2BD739177E}.exe
        
        C:\Windows\{8386B3FC-0363-43e8-9756-4F2BD739177E}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2072
      - C:\Windows\{7D8652B1-070B-4fd8-BDD2-54402484F6C8}.exe
        
        C:\Windows\{7D8652B1-070B-4fd8-BDD2-54402484F6C8}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2784
        
        C:\Windows\{4CFE4016-E822-4e52-A3BB-A4726673CCEB}.exe
        
        C:\Windows\{4CFE4016-E822-4e52-A3BB-A4726673CCEB}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1988
        
        C:\Windows\{53B3C941-04DE-42fe-88A3-81515CD92F33}.exe
        
        C:\Windows\{53B3C941-04DE-42fe-88A3-81515CD92F33}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1824
        
        C:\Windows\{1A63B4AA-88FE-4637-8EBD-64A6BB5ACB5E}.exe
        
        C:\Windows\{1A63B4AA-88FE-4637-8EBD-64A6BB5ACB5E}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1904
        
        C:\Windows\{7BE251A2-0F59-41a0-A5A4-A13147E5D2CC}.exe
        
        C:\Windows\{7BE251A2-0F59-41a0-A5A4-A13147E5D2CC}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1968
        
        C:\Windows\{2A4F3131-526E-45c0-8B77-CFC0DC53B551}.exe
        
        C:\Windows\{2A4F3131-526E-45c0-8B77-CFC0DC53B551}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2520
        
        C:\Windows\{49FEC425-2268-403e-B563-3B96F3AF8E2F}.exe
        
        C:\Windows\{49FEC425-2268-403e-B563-3B96F3AF8E2F}.exe
        12⤵
        Executes dropped EXE
        
        PID:2980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2A4F3~1.EXE > nul
        12⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7BE25~1.EXE > nul
        11⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1A63B~1.EXE > nul
        10⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{53B3C~1.EXE > nul
        9⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4CFE4~1.EXE > nul
        8⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7D865~1.EXE > nul
        7⤵
        
        PID:1900
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8386B~1.EXE > nul
        6⤵
        
        PID:2812
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{466E9~1.EXE > nul
        5⤵
        
        PID:1532
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{A3F83~1.EXE > nul
      4⤵
      PID:2652
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{02F6C~1.EXE > nul
    3⤵
    PID:2548
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{02F6C989-E1E8-4995-9C99-5A5D21BC85FA}.exe

Filesize
168KB

MD5
83bcdcd00dd61e81f3112832c42ca588

SHA1
1eb1cc184b96a659c319be07fda29c677811ccc1

SHA256
95c9e4be3a60dd3fc5de4513b2a461367b1e2503fc9cde63a1e74cb39be72d45

SHA512
a3f66fc6f089546d4a1a65bd60b369cb28f38dc9af2fa12cadcaec035da669579c555b3519f4d8fb1fe0a11a3baf374f08e89a2e6c0ebc3272c86269e001e514

Download Submit
C:\Windows\{1A63B4AA-88FE-4637-8EBD-64A6BB5ACB5E}.exe

Filesize
168KB

MD5
ac8a5b2c3792a7183c94c86666a420aa

SHA1
24d040f6529e4dc68125a6d63c8680016509d2d3

SHA256
95997bfe2b4741f5520f3ed843fe0f9b6a6e880797e80b8be0606733a24dd68b

SHA512
6fdfb1801aa65a427ad82439729815bba831d92c4b8b46938324d970fa41afd84d0dd118656ce69299efa0dd63904a2f49e91f2aa643a3951fd206217a8b5c05

Download Submit
C:\Windows\{2A4F3131-526E-45c0-8B77-CFC0DC53B551}.exe

Filesize
168KB

MD5
0af2b1e50faf5b58a6da80eab5a10eb2

SHA1
cb2d60a8baeb012b03db30efaa3c3223e4018307

SHA256
6611399f37a27efce949f78508c2ee61f8e5dd559e7b1d2092552d17358c0f0e

SHA512
be990d2d3b2763d3399489ceb2a8c8821745719ca4e8f4190ae29244298a457999eb3427c736a0d3ae32dc779c9265bc6877869aa7428dd99f5f69d06000d2d0

Download Submit
C:\Windows\{466E9882-D305-493f-BC2E-9843D684E0AA}.exe

Filesize
168KB

MD5
9d2bcc9dcd5d3381c35486ae81f8372e

SHA1
025a8b9c21c43e3a77fce029cb43c79e56a10cce

SHA256
a68188d03e8b25d7ecde134e07a6173505b01499020abfb44866ce750be6d4f9

SHA512
386025cab09be50615bea291a6db79b081b012fcc220ee925060b05ceaa482c0d3dfb94adc568b0d96186e0710134144de1953b9cd86f164aacf919b8e42fe36

Download Submit
C:\Windows\{49FEC425-2268-403e-B563-3B96F3AF8E2F}.exe

Filesize
168KB

MD5
2a58e07420b536840541725534ecd4e1

SHA1
9387e4541166e89551a7f0fa8b40282cf98f488c

SHA256
d6041d06a37d443d506da91c9271d2dc06d79cc0b3bcd0a8de8a89e455e35f99

SHA512
e42863053130be42e31d2edd8b0e09ec5d9f78766cbf6693a40bdb48dbf73ac406a36d29e345b4b0020b1027956c8b59df2ee57d6ff5b6f345300c8f530fce97

Download Submit
C:\Windows\{4CFE4016-E822-4e52-A3BB-A4726673CCEB}.exe

Filesize
168KB

MD5
57291a099c180abcdc123c992572994d

SHA1
a43232d20ab7cbc1ceb3e7a71e7f55c961ec5e75

SHA256
ded986bc4a1c338fdb56d354246337deaec2e9f087c5862ff2d77a0d9793ff08

SHA512
bbcc24fe4dd84c740358fc95a6722e812c9c3e60d50a6795a8fdd07c87c976144ada9a96563b74627f0283f10447301e2ec80f907d98937b51cd93dd7decb8de

Download Submit
C:\Windows\{53B3C941-04DE-42fe-88A3-81515CD92F33}.exe

Filesize
168KB

MD5
6f5dbec1bd4c5189979f867bce0de446

SHA1
d4b83ec9143323f6797e656cfa128b41ce7d3986

SHA256
7f9eb9d23e0baabe57c7a533f12fecf51e066c65d09b96dede0e7acca8ae0568

SHA512
4c22f34655b10e281f15d3ce0c11ea6d8a00695d4563a8af971be0160b169e2e36099e96a08b3d6d831d47168209feeb731d06466f859c3e78b5c66a9b26d407

Download Submit
C:\Windows\{7BE251A2-0F59-41a0-A5A4-A13147E5D2CC}.exe

Filesize
168KB

MD5
0823354e4b7550d694e89dcf18ef6b6b

SHA1
7a9253d2742e662c690597a5a07233821f50b50a

SHA256
4df103e140b78767fbd2cf50d5a0544b65914a1b7560c85e1fe744dce786f009

SHA512
d852906a87d11686554ee76c690fd24f3fdea3cc7ec1855d0c2c354a45a4d9ced117a3bb996f88f69a45e9aa82d73f3d40306ae70ea3a7ddbf8fc1fea5dc029e

Download Submit
C:\Windows\{7D8652B1-070B-4fd8-BDD2-54402484F6C8}.exe

Filesize
168KB

MD5
258c4c8edeeb29c3a576701f05edaea8

SHA1
bd45163d65b36b6b96b32954bddc0e332a62ed66

SHA256
f68bbf5452363ae6c5dfffb3c96e4fd147efeaf4545118bf26f028c54210e0bc

SHA512
78c8d47b624c16b83b2e5b872189220ace63fee3dec62986e08cb1d254fd3ba0845045e6ed987c37c860f88edc718f0c5814e31b7741e713e61b59c59a454ec5

Download Submit
C:\Windows\{8386B3FC-0363-43e8-9756-4F2BD739177E}.exe

Filesize
168KB

MD5
72de2128ee4c77b4aa8e462febe53c3c

SHA1
fa300877bc74fc5fb4ecb6c78f493c140260dbb0

SHA256
3f8386f1faab42d0b09cab8533a58cbe29d24fffacdeff95909c5a96d11aceb9

SHA512
e410b747b58185867d15480309ac695099394f85283a8417fea95bd4b1d8678d063072306b33154d2428de80bff93f2e36a096a3ef09391ea6751f97167ee496

Download Submit
C:\Windows\{A3F83E93-EF58-44df-BE3A-7790DF55F3BC}.exe

Filesize
168KB

MD5
450c7c676ee118ce6334d6e77877d029

SHA1
871ac17ab0e0fc4c26cf40c4f726acaa5e6ceb17

SHA256
820de48c518cb9268ccaa9b57684994b83d0bd5a7dcf23908c73b97ecfbf9766

SHA512
5d2806fad3b2faee6037394de3d951f42d9da73e373cecb9cfa300f0a2574b8ac7cc5d9e0a307106d8ebe30a42075cdf5f9414c206745f7ba1f8e18bb6ad9064

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads