3f2e5e68f3f2ef4d86ae6bee35adedb8f8665ee974eafb41a3088136f6be62de

Analysis

max time kernel
144s
max time network
119s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
17/04/2024, 13:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-17_d23c74d26ba418b2599b51c77fe67c01_goldeneye.exe
Size

408KB
MD5

d23c74d26ba418b2599b51c77fe67c01
SHA1

bd8507b937872ec64143c99cc4fbcf3d395288ea
SHA256

3f2e5e68f3f2ef4d86ae6bee35adedb8f8665ee974eafb41a3088136f6be62de
SHA512

1e44f1473900206f31ed2137f89f4b75d633ff998f6ac754d1876fbce707f6732120112943718820f1dbc99440c696e086648ed47b53554ebfcf79d7d67696b5
SSDEEP

3072:CEGh0o4Zl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTB1:CEGaldOe2MUVg3vTeKcAEciTBqr3jy9

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000d000000012253-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000013144-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e000000012253-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x003400000001565a-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f000000012253-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0010000000012253-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0011000000012253-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{39FB44C0-1FD0-4060-9B0E-DB26EB584C2C}\stubpath = "C:\\Windows\\{39FB44C0-1FD0-4060-9B0E-DB26EB584C2C}.exe"	{B0652750-DACC-4338-BE38-99776FEAB45A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{765D2986-1B5D-4538-9B82-C2E44B7EA97A}	{FA806695-8C15-46d2-8A38-C211D7AED543}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{765D2986-1B5D-4538-9B82-C2E44B7EA97A}\stubpath = "C:\\Windows\\{765D2986-1B5D-4538-9B82-C2E44B7EA97A}.exe"	{FA806695-8C15-46d2-8A38-C211D7AED543}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{07285CA7-67E7-4348-846D-4320EECF0E41}\stubpath = "C:\\Windows\\{07285CA7-67E7-4348-846D-4320EECF0E41}.exe"	2024-04-17_d23c74d26ba418b2599b51c77fe67c01_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{236369AA-E9DF-4964-A9B2-3738B76AA674}	{BEE5F04E-B6FF-4e42-BD71-0D2C3FA68CD1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{236369AA-E9DF-4964-A9B2-3738B76AA674}\stubpath = "C:\\Windows\\{236369AA-E9DF-4964-A9B2-3738B76AA674}.exe"	{BEE5F04E-B6FF-4e42-BD71-0D2C3FA68CD1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FA806695-8C15-46d2-8A38-C211D7AED543}\stubpath = "C:\\Windows\\{FA806695-8C15-46d2-8A38-C211D7AED543}.exe"	{39FB44C0-1FD0-4060-9B0E-DB26EB584C2C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D9CC4DA5-1F93-47c9-A90C-C122552A6BC5}\stubpath = "C:\\Windows\\{D9CC4DA5-1F93-47c9-A90C-C122552A6BC5}.exe"	{7D384DB0-E744-4ef7-8002-F0B0D466673D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2986B3E1-FD31-41e3-A98A-A828C616EE89}	{D9CC4DA5-1F93-47c9-A90C-C122552A6BC5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{664EA432-EDEB-45d0-AF22-0ABC304CC02E}	{765D2986-1B5D-4538-9B82-C2E44B7EA97A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{664EA432-EDEB-45d0-AF22-0ABC304CC02E}\stubpath = "C:\\Windows\\{664EA432-EDEB-45d0-AF22-0ABC304CC02E}.exe"	{765D2986-1B5D-4538-9B82-C2E44B7EA97A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2986B3E1-FD31-41e3-A98A-A828C616EE89}\stubpath = "C:\\Windows\\{2986B3E1-FD31-41e3-A98A-A828C616EE89}.exe"	{D9CC4DA5-1F93-47c9-A90C-C122552A6BC5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{07285CA7-67E7-4348-846D-4320EECF0E41}	2024-04-17_d23c74d26ba418b2599b51c77fe67c01_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BEE5F04E-B6FF-4e42-BD71-0D2C3FA68CD1}\stubpath = "C:\\Windows\\{BEE5F04E-B6FF-4e42-BD71-0D2C3FA68CD1}.exe"	{07285CA7-67E7-4348-846D-4320EECF0E41}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B0652750-DACC-4338-BE38-99776FEAB45A}\stubpath = "C:\\Windows\\{B0652750-DACC-4338-BE38-99776FEAB45A}.exe"	{236369AA-E9DF-4964-A9B2-3738B76AA674}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FA806695-8C15-46d2-8A38-C211D7AED543}	{39FB44C0-1FD0-4060-9B0E-DB26EB584C2C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7D384DB0-E744-4ef7-8002-F0B0D466673D}	{664EA432-EDEB-45d0-AF22-0ABC304CC02E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7D384DB0-E744-4ef7-8002-F0B0D466673D}\stubpath = "C:\\Windows\\{7D384DB0-E744-4ef7-8002-F0B0D466673D}.exe"	{664EA432-EDEB-45d0-AF22-0ABC304CC02E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D9CC4DA5-1F93-47c9-A90C-C122552A6BC5}	{7D384DB0-E744-4ef7-8002-F0B0D466673D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BEE5F04E-B6FF-4e42-BD71-0D2C3FA68CD1}	{07285CA7-67E7-4348-846D-4320EECF0E41}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B0652750-DACC-4338-BE38-99776FEAB45A}	{236369AA-E9DF-4964-A9B2-3738B76AA674}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{39FB44C0-1FD0-4060-9B0E-DB26EB584C2C}	{B0652750-DACC-4338-BE38-99776FEAB45A}.exe

Deletes itself 1 IoCs

pid	Process
2524	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2692	{07285CA7-67E7-4348-846D-4320EECF0E41}.exe
2756	{BEE5F04E-B6FF-4e42-BD71-0D2C3FA68CD1}.exe
2704	{236369AA-E9DF-4964-A9B2-3738B76AA674}.exe
2204	{B0652750-DACC-4338-BE38-99776FEAB45A}.exe
1548	{39FB44C0-1FD0-4060-9B0E-DB26EB584C2C}.exe
2336	{FA806695-8C15-46d2-8A38-C211D7AED543}.exe
1880	{765D2986-1B5D-4538-9B82-C2E44B7EA97A}.exe
644	{664EA432-EDEB-45d0-AF22-0ABC304CC02E}.exe
2008	{7D384DB0-E744-4ef7-8002-F0B0D466673D}.exe
2056	{D9CC4DA5-1F93-47c9-A90C-C122552A6BC5}.exe
1404	{2986B3E1-FD31-41e3-A98A-A828C616EE89}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{664EA432-EDEB-45d0-AF22-0ABC304CC02E}.exe	{765D2986-1B5D-4538-9B82-C2E44B7EA97A}.exe
File created	C:\Windows\{D9CC4DA5-1F93-47c9-A90C-C122552A6BC5}.exe	{7D384DB0-E744-4ef7-8002-F0B0D466673D}.exe
File created	C:\Windows\{2986B3E1-FD31-41e3-A98A-A828C616EE89}.exe	{D9CC4DA5-1F93-47c9-A90C-C122552A6BC5}.exe
File created	C:\Windows\{236369AA-E9DF-4964-A9B2-3738B76AA674}.exe	{BEE5F04E-B6FF-4e42-BD71-0D2C3FA68CD1}.exe
File created	C:\Windows\{B0652750-DACC-4338-BE38-99776FEAB45A}.exe	{236369AA-E9DF-4964-A9B2-3738B76AA674}.exe
File created	C:\Windows\{765D2986-1B5D-4538-9B82-C2E44B7EA97A}.exe	{FA806695-8C15-46d2-8A38-C211D7AED543}.exe
File created	C:\Windows\{FA806695-8C15-46d2-8A38-C211D7AED543}.exe	{39FB44C0-1FD0-4060-9B0E-DB26EB584C2C}.exe
File created	C:\Windows\{7D384DB0-E744-4ef7-8002-F0B0D466673D}.exe	{664EA432-EDEB-45d0-AF22-0ABC304CC02E}.exe
File created	C:\Windows\{07285CA7-67E7-4348-846D-4320EECF0E41}.exe	2024-04-17_d23c74d26ba418b2599b51c77fe67c01_goldeneye.exe
File created	C:\Windows\{BEE5F04E-B6FF-4e42-BD71-0D2C3FA68CD1}.exe	{07285CA7-67E7-4348-846D-4320EECF0E41}.exe
File created	C:\Windows\{39FB44C0-1FD0-4060-9B0E-DB26EB584C2C}.exe	{B0652750-DACC-4338-BE38-99776FEAB45A}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2080	2024-04-17_d23c74d26ba418b2599b51c77fe67c01_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2692	{07285CA7-67E7-4348-846D-4320EECF0E41}.exe
Token: SeIncBasePriorityPrivilege	2756	{BEE5F04E-B6FF-4e42-BD71-0D2C3FA68CD1}.exe
Token: SeIncBasePriorityPrivilege	2704	{236369AA-E9DF-4964-A9B2-3738B76AA674}.exe
Token: SeIncBasePriorityPrivilege	2204	{B0652750-DACC-4338-BE38-99776FEAB45A}.exe
Token: SeIncBasePriorityPrivilege	1548	{39FB44C0-1FD0-4060-9B0E-DB26EB584C2C}.exe
Token: SeIncBasePriorityPrivilege	2336	{FA806695-8C15-46d2-8A38-C211D7AED543}.exe
Token: SeIncBasePriorityPrivilege	1880	{765D2986-1B5D-4538-9B82-C2E44B7EA97A}.exe
Token: SeIncBasePriorityPrivilege	644	{664EA432-EDEB-45d0-AF22-0ABC304CC02E}.exe
Token: SeIncBasePriorityPrivilege	2008	{7D384DB0-E744-4ef7-8002-F0B0D466673D}.exe
Token: SeIncBasePriorityPrivilege	2056	{D9CC4DA5-1F93-47c9-A90C-C122552A6BC5}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2080 wrote to memory of 2692	2080	2024-04-17_d23c74d26ba418b2599b51c77fe67c01_goldeneye.exe	28
PID 2080 wrote to memory of 2692	2080	2024-04-17_d23c74d26ba418b2599b51c77fe67c01_goldeneye.exe	28
PID 2080 wrote to memory of 2692	2080	2024-04-17_d23c74d26ba418b2599b51c77fe67c01_goldeneye.exe	28
PID 2080 wrote to memory of 2692	2080	2024-04-17_d23c74d26ba418b2599b51c77fe67c01_goldeneye.exe	28
PID 2080 wrote to memory of 2524	2080	2024-04-17_d23c74d26ba418b2599b51c77fe67c01_goldeneye.exe	29
PID 2080 wrote to memory of 2524	2080	2024-04-17_d23c74d26ba418b2599b51c77fe67c01_goldeneye.exe	29
PID 2080 wrote to memory of 2524	2080	2024-04-17_d23c74d26ba418b2599b51c77fe67c01_goldeneye.exe	29
PID 2080 wrote to memory of 2524	2080	2024-04-17_d23c74d26ba418b2599b51c77fe67c01_goldeneye.exe	29
PID 2692 wrote to memory of 2756	2692	{07285CA7-67E7-4348-846D-4320EECF0E41}.exe	30
PID 2692 wrote to memory of 2756	2692	{07285CA7-67E7-4348-846D-4320EECF0E41}.exe	30
PID 2692 wrote to memory of 2756	2692	{07285CA7-67E7-4348-846D-4320EECF0E41}.exe	30
PID 2692 wrote to memory of 2756	2692	{07285CA7-67E7-4348-846D-4320EECF0E41}.exe	30
PID 2692 wrote to memory of 2928	2692	{07285CA7-67E7-4348-846D-4320EECF0E41}.exe	31
PID 2692 wrote to memory of 2928	2692	{07285CA7-67E7-4348-846D-4320EECF0E41}.exe	31
PID 2692 wrote to memory of 2928	2692	{07285CA7-67E7-4348-846D-4320EECF0E41}.exe	31
PID 2692 wrote to memory of 2928	2692	{07285CA7-67E7-4348-846D-4320EECF0E41}.exe	31
PID 2756 wrote to memory of 2704	2756	{BEE5F04E-B6FF-4e42-BD71-0D2C3FA68CD1}.exe	32
PID 2756 wrote to memory of 2704	2756	{BEE5F04E-B6FF-4e42-BD71-0D2C3FA68CD1}.exe	32
PID 2756 wrote to memory of 2704	2756	{BEE5F04E-B6FF-4e42-BD71-0D2C3FA68CD1}.exe	32
PID 2756 wrote to memory of 2704	2756	{BEE5F04E-B6FF-4e42-BD71-0D2C3FA68CD1}.exe	32
PID 2756 wrote to memory of 2464	2756	{BEE5F04E-B6FF-4e42-BD71-0D2C3FA68CD1}.exe	33
PID 2756 wrote to memory of 2464	2756	{BEE5F04E-B6FF-4e42-BD71-0D2C3FA68CD1}.exe	33
PID 2756 wrote to memory of 2464	2756	{BEE5F04E-B6FF-4e42-BD71-0D2C3FA68CD1}.exe	33
PID 2756 wrote to memory of 2464	2756	{BEE5F04E-B6FF-4e42-BD71-0D2C3FA68CD1}.exe	33
PID 2704 wrote to memory of 2204	2704	{236369AA-E9DF-4964-A9B2-3738B76AA674}.exe	36
PID 2704 wrote to memory of 2204	2704	{236369AA-E9DF-4964-A9B2-3738B76AA674}.exe	36
PID 2704 wrote to memory of 2204	2704	{236369AA-E9DF-4964-A9B2-3738B76AA674}.exe	36
PID 2704 wrote to memory of 2204	2704	{236369AA-E9DF-4964-A9B2-3738B76AA674}.exe	36
PID 2704 wrote to memory of 1016	2704	{236369AA-E9DF-4964-A9B2-3738B76AA674}.exe	37
PID 2704 wrote to memory of 1016	2704	{236369AA-E9DF-4964-A9B2-3738B76AA674}.exe	37
PID 2704 wrote to memory of 1016	2704	{236369AA-E9DF-4964-A9B2-3738B76AA674}.exe	37
PID 2704 wrote to memory of 1016	2704	{236369AA-E9DF-4964-A9B2-3738B76AA674}.exe	37
PID 2204 wrote to memory of 1548	2204	{B0652750-DACC-4338-BE38-99776FEAB45A}.exe	38
PID 2204 wrote to memory of 1548	2204	{B0652750-DACC-4338-BE38-99776FEAB45A}.exe	38
PID 2204 wrote to memory of 1548	2204	{B0652750-DACC-4338-BE38-99776FEAB45A}.exe	38
PID 2204 wrote to memory of 1548	2204	{B0652750-DACC-4338-BE38-99776FEAB45A}.exe	38
PID 2204 wrote to memory of 1580	2204	{B0652750-DACC-4338-BE38-99776FEAB45A}.exe	39
PID 2204 wrote to memory of 1580	2204	{B0652750-DACC-4338-BE38-99776FEAB45A}.exe	39
PID 2204 wrote to memory of 1580	2204	{B0652750-DACC-4338-BE38-99776FEAB45A}.exe	39
PID 2204 wrote to memory of 1580	2204	{B0652750-DACC-4338-BE38-99776FEAB45A}.exe	39
PID 1548 wrote to memory of 2336	1548	{39FB44C0-1FD0-4060-9B0E-DB26EB584C2C}.exe	40
PID 1548 wrote to memory of 2336	1548	{39FB44C0-1FD0-4060-9B0E-DB26EB584C2C}.exe	40
PID 1548 wrote to memory of 2336	1548	{39FB44C0-1FD0-4060-9B0E-DB26EB584C2C}.exe	40
PID 1548 wrote to memory of 2336	1548	{39FB44C0-1FD0-4060-9B0E-DB26EB584C2C}.exe	40
PID 1548 wrote to memory of 2192	1548	{39FB44C0-1FD0-4060-9B0E-DB26EB584C2C}.exe	41
PID 1548 wrote to memory of 2192	1548	{39FB44C0-1FD0-4060-9B0E-DB26EB584C2C}.exe	41
PID 1548 wrote to memory of 2192	1548	{39FB44C0-1FD0-4060-9B0E-DB26EB584C2C}.exe	41
PID 1548 wrote to memory of 2192	1548	{39FB44C0-1FD0-4060-9B0E-DB26EB584C2C}.exe	41
PID 2336 wrote to memory of 1880	2336	{FA806695-8C15-46d2-8A38-C211D7AED543}.exe	42
PID 2336 wrote to memory of 1880	2336	{FA806695-8C15-46d2-8A38-C211D7AED543}.exe	42
PID 2336 wrote to memory of 1880	2336	{FA806695-8C15-46d2-8A38-C211D7AED543}.exe	42
PID 2336 wrote to memory of 1880	2336	{FA806695-8C15-46d2-8A38-C211D7AED543}.exe	42
PID 2336 wrote to memory of 1884	2336	{FA806695-8C15-46d2-8A38-C211D7AED543}.exe	43
PID 2336 wrote to memory of 1884	2336	{FA806695-8C15-46d2-8A38-C211D7AED543}.exe	43
PID 2336 wrote to memory of 1884	2336	{FA806695-8C15-46d2-8A38-C211D7AED543}.exe	43
PID 2336 wrote to memory of 1884	2336	{FA806695-8C15-46d2-8A38-C211D7AED543}.exe	43
PID 1880 wrote to memory of 644	1880	{765D2986-1B5D-4538-9B82-C2E44B7EA97A}.exe	44
PID 1880 wrote to memory of 644	1880	{765D2986-1B5D-4538-9B82-C2E44B7EA97A}.exe	44
PID 1880 wrote to memory of 644	1880	{765D2986-1B5D-4538-9B82-C2E44B7EA97A}.exe	44
PID 1880 wrote to memory of 644	1880	{765D2986-1B5D-4538-9B82-C2E44B7EA97A}.exe	44
PID 1880 wrote to memory of 1276	1880	{765D2986-1B5D-4538-9B82-C2E44B7EA97A}.exe	45
PID 1880 wrote to memory of 1276	1880	{765D2986-1B5D-4538-9B82-C2E44B7EA97A}.exe	45
PID 1880 wrote to memory of 1276	1880	{765D2986-1B5D-4538-9B82-C2E44B7EA97A}.exe	45
PID 1880 wrote to memory of 1276	1880	{765D2986-1B5D-4538-9B82-C2E44B7EA97A}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-04-17_d23c74d26ba418b2599b51c77fe67c01_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-17_d23c74d26ba418b2599b51c77fe67c01_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2080
- C:\Windows\{07285CA7-67E7-4348-846D-4320EECF0E41}.exe
  C:\Windows\{07285CA7-67E7-4348-846D-4320EECF0E41}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2692
- - C:\Windows\{BEE5F04E-B6FF-4e42-BD71-0D2C3FA68CD1}.exe
    C:\Windows\{BEE5F04E-B6FF-4e42-BD71-0D2C3FA68CD1}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2756
  - - C:\Windows\{236369AA-E9DF-4964-A9B2-3738B76AA674}.exe
      C:\Windows\{236369AA-E9DF-4964-A9B2-3738B76AA674}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2704
    - - C:\Windows\{B0652750-DACC-4338-BE38-99776FEAB45A}.exe
        
        C:\Windows\{B0652750-DACC-4338-BE38-99776FEAB45A}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2204
      - C:\Windows\{39FB44C0-1FD0-4060-9B0E-DB26EB584C2C}.exe
        
        C:\Windows\{39FB44C0-1FD0-4060-9B0E-DB26EB584C2C}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1548
        
        C:\Windows\{FA806695-8C15-46d2-8A38-C211D7AED543}.exe
        
        C:\Windows\{FA806695-8C15-46d2-8A38-C211D7AED543}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2336
        
        C:\Windows\{765D2986-1B5D-4538-9B82-C2E44B7EA97A}.exe
        
        C:\Windows\{765D2986-1B5D-4538-9B82-C2E44B7EA97A}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1880
        
        C:\Windows\{664EA432-EDEB-45d0-AF22-0ABC304CC02E}.exe
        
        C:\Windows\{664EA432-EDEB-45d0-AF22-0ABC304CC02E}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:644
        
        C:\Windows\{7D384DB0-E744-4ef7-8002-F0B0D466673D}.exe
        
        C:\Windows\{7D384DB0-E744-4ef7-8002-F0B0D466673D}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2008
        
        C:\Windows\{D9CC4DA5-1F93-47c9-A90C-C122552A6BC5}.exe
        
        C:\Windows\{D9CC4DA5-1F93-47c9-A90C-C122552A6BC5}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2056
        
        C:\Windows\{2986B3E1-FD31-41e3-A98A-A828C616EE89}.exe
        
        C:\Windows\{2986B3E1-FD31-41e3-A98A-A828C616EE89}.exe
        12⤵
        Executes dropped EXE
        
        PID:1404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D9CC4~1.EXE > nul
        12⤵
        
        PID:848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7D384~1.EXE > nul
        11⤵
        
        PID:692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{664EA~1.EXE > nul
        10⤵
        
        PID:1848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{765D2~1.EXE > nul
        9⤵
        
        PID:1276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FA806~1.EXE > nul
        8⤵
        
        PID:1884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{39FB4~1.EXE > nul
        7⤵
        
        PID:2192
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B0652~1.EXE > nul
        6⤵
        
        PID:1580
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{23636~1.EXE > nul
        5⤵
        
        PID:1016
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{BEE5F~1.EXE > nul
      4⤵
      PID:2464
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{07285~1.EXE > nul
    3⤵
    PID:2928
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{07285CA7-67E7-4348-846D-4320EECF0E41}.exe

Filesize
408KB

MD5
d40657b4e64d7eb5a55948f246dc5de3

SHA1
e3e97c1693c24ef3fc24e259da3c0d0ce7e306d2

SHA256
4cad9c7c5c7e583c3326a04c6fa7d73b190956d69ada1cff47a7e1edeba5e93f

SHA512
43d78af7d14f51ea0ce47917d3208621028d2f03900f1c921efb4d3b97d46dfadc421ac79c309b988db74e07e7972ef1ae0d0b80c61a6149c827da042bd9f22f

Download Submit
C:\Windows\{236369AA-E9DF-4964-A9B2-3738B76AA674}.exe

Filesize
408KB

MD5
736f9b0a4b866aa65965d008479382b3

SHA1
3e31765cb5dad11b4a5351d7ba8a8ca4cedef7b4

SHA256
aea945a7ae406dafaf4d8f726aaed8a644c3335ece6e922781e85dd7c240acd4

SHA512
0e57634245f210158be64460bad09d715bc104acee84338a05ba23e1843f632cfd0e5ccb12f72b9fa6a1ca48aa490299f4ba51b208acab1fbf6af6674d08afd1

Download Submit
C:\Windows\{2986B3E1-FD31-41e3-A98A-A828C616EE89}.exe

Filesize
408KB

MD5
ca6f6a6771a97772bd383b388d4f4359

SHA1
87ca8b55e5bf7bac8daa042df85e4a6253ba7db6

SHA256
7d9802c896fc6fee6975dbfb4f0275db9d159c2bf3308c8bddbaaef0d3c32967

SHA512
2769c7c38b32dce4caddd21fc8681c446249129df30e4463451d457c3afa49ef2f4d7aea5a979746fe934835b91697e270779753dde0d2ac25431d73918e85a1

Download Submit
C:\Windows\{39FB44C0-1FD0-4060-9B0E-DB26EB584C2C}.exe

Filesize
408KB

MD5
2f494ae366acb98a2887ba0771c0c428

SHA1
4ecb93204f4ef89422f26b292eb06697958e9756

SHA256
aae60e6e6311a6d68433ad5d044e9602e72e5c2c545838195207d71080d17bc1

SHA512
ffefd6b7bb9dc8f567f64648681b340d20a90ca74acf653e31f31d010b24bdc891bc17c6c9866cfbfa51f36d6efe35e985b6c8585d5f1a51be306e76e9df6518

Download Submit
C:\Windows\{664EA432-EDEB-45d0-AF22-0ABC304CC02E}.exe

Filesize
408KB

MD5
80167f51e0f6dc3283f1e85f258d419a

SHA1
f7b42e5c2b8c2278a157d873864e0282f7f408d9

SHA256
85fb645338ed5557ecc6bd5436a53e3e444db0ddc0cc35dced667ae1e043379b

SHA512
9132f771ec1508d20078f978ed6210a89b2a158ca1ed49ca509ac7e1f0e51ffc0b29debe0dc172a209585fcfe52d2260582f8e44f532cd0f14a7299db15d5152

Download Submit
C:\Windows\{765D2986-1B5D-4538-9B82-C2E44B7EA97A}.exe

Filesize
408KB

MD5
65a89e4d24c1689d88bf15f7bdcce9ed

SHA1
d096ae2dad3caec5eb0e2c88957504e6cd8cc027

SHA256
50a08a75979b85be71821c761392ce2c39144a1f5366e4d51ad9d193b87cfea7

SHA512
7a4fffe60a9e3fe0a0b1723f0dee64f63f5fdfd3f15f4197fa5a7a2d3e7501273d3486f856cf6427f1ddc5c256d7204ffe7e21ca8d0fb3f927b0122102eb2fe1

Download Submit
C:\Windows\{7D384DB0-E744-4ef7-8002-F0B0D466673D}.exe

Filesize
408KB

MD5
01616da16c112b8707cc1e1f57ec862e

SHA1
c7f35d888c1ca9deb96adf28550315eb76880d05

SHA256
392018f486f947bdf8575d503d9ad856a99baaf190379122d6ca5c9b3bcf4093

SHA512
5e180997a9c6ebd67f37383969fec063e3a17e82ec9d22f7a622146932c0b66729f357d9f10ca86f9a1570f057ff0a1eb73bbd679540262d69cc120b480168b9

Download Submit
C:\Windows\{B0652750-DACC-4338-BE38-99776FEAB45A}.exe

Filesize
408KB

MD5
b4ae0ba6b6805f35cc47946640a2dcd7

SHA1
06b96b0ec4d1488aafbff6bf78031df5bb5f2df3

SHA256
a6003edabb78f78fae067408371f43d16a677a185779d0570c3883f50df0a4ea

SHA512
b0b541954627ca31c45c8d12074be135066abce6fee8bc528c9f3265cd8032be193c5d4fea8c36f07fa63e2e7c9c3915291032b4e068c49d104b09094ecc84fe

Download Submit
C:\Windows\{BEE5F04E-B6FF-4e42-BD71-0D2C3FA68CD1}.exe

Filesize
408KB

MD5
6fc2b8871c37a4818854f21f6646b74e

SHA1
1f83b8d6fc94b63da017fd6b9d74aa1271d77c50

SHA256
6e5bf485ad908f722d3650cf2599f9c72685077654ee06c2c0023318d16d6141

SHA512
bee67a26c9ac7be3cc4180a8ee33a4595611a73b4c77bb59a723456df00b3bb748e08f837d3b6806201aa234df847f3a1791cb63c3c7349287d51060fb1bba0b

Download Submit
C:\Windows\{D9CC4DA5-1F93-47c9-A90C-C122552A6BC5}.exe

Filesize
408KB

MD5
9f85ef74f47b43672b091ebd5755fe34

SHA1
f9a45013b342c8def0d71d4d1429be46576d91b8

SHA256
237a273a016ea96c0f82bc70c66e39db73b57ccb7449506f7b81e8f0e7d008ff

SHA512
60ae1785e1431c0a2d09c544b4c3d6527a2f7bc606a684702985add58531398a647de0ef0adc09c69f30b6e12566a4f5d4e13bc4db73074c20690b07ac403de4

Download Submit
C:\Windows\{FA806695-8C15-46d2-8A38-C211D7AED543}.exe

Filesize
408KB

MD5
3f5b24e55bf8a881306263cbfd7a0a42

SHA1
b487498b8bbcea70ecb648f9ff29b12b68b6e24a

SHA256
5f7494396bc7d451056673c9ca90075ba8372e12d2a4f8f739aaf4564d7b57bb

SHA512
cb91efff6365a89de2b28a3b01da2f6bbff036f6713571d8155bdb9595af06ae8ad02fb16a064e7103db014c378732646d78f097e196dccf704539d02a7d2c82

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads