2c742682ea48a9372e9a632cbdaa1f9814f739d1efd889db6722937476d12e04

Analysis

max time kernel
144s
max time network
123s
platform
windows7_x64
resource
win7-20240319-en
resource tags

arch:x64arch:x86image:win7-20240319-enlocale:en-usos:windows7-x64system
submitted
17/04/2024, 15:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-17_019c8a65489a527e9ecb922e1f7bdd7d_goldeneye.exe
Size

380KB
MD5

019c8a65489a527e9ecb922e1f7bdd7d
SHA1

4163253e449f2f36c764fb6dc7d572438ebd50c8
SHA256

2c742682ea48a9372e9a632cbdaa1f9814f739d1efd889db6722937476d12e04
SHA512

29a12b2cea1f3726f4ef2148d4c30f5ef8f1b9bf8237a3400a4f8a82d833e58cd4109254ae9999865a0488ff45d1e48588481a45a8124ffbd2d6436e0b0db2e7
SSDEEP

3072:mEGh0o3lPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGFl7Oe2MUVg3v2IneKcAEcARy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000a0000000121c5-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00080000000121f4-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b0000000121c5-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001e000000014240-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c0000000121c5-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d0000000121c5-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e0000000121c5-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DB4AFE25-1554-4a41-862A-7705A93265C3}\stubpath = "C:\\Windows\\{DB4AFE25-1554-4a41-862A-7705A93265C3}.exe"	{685F1050-3587-413a-8DD1-0D9E34C1499A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4DC5EE01-164C-4a95-9B36-20DB7126CDC6}\stubpath = "C:\\Windows\\{4DC5EE01-164C-4a95-9B36-20DB7126CDC6}.exe"	{4B28171B-CCD5-4083-91B3-EDE7016AEFCC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E84FF31A-6D2F-4e0b-9C53-E62E85C98A43}	{4DC5EE01-164C-4a95-9B36-20DB7126CDC6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E84FF31A-6D2F-4e0b-9C53-E62E85C98A43}\stubpath = "C:\\Windows\\{E84FF31A-6D2F-4e0b-9C53-E62E85C98A43}.exe"	{4DC5EE01-164C-4a95-9B36-20DB7126CDC6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A081AD8D-9D14-449c-9BF6-BCA221B8F0CB}	{C4FAD80B-49F2-4f37-83BB-EC9FB93AAE94}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C0D76C76-BA23-452b-8736-2EB9E57F2B11}	2024-04-17_019c8a65489a527e9ecb922e1f7bdd7d_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{10EFCCEE-A980-40e9-BD3A-F11C66D67229}	{C0D76C76-BA23-452b-8736-2EB9E57F2B11}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{10EFCCEE-A980-40e9-BD3A-F11C66D67229}\stubpath = "C:\\Windows\\{10EFCCEE-A980-40e9-BD3A-F11C66D67229}.exe"	{C0D76C76-BA23-452b-8736-2EB9E57F2B11}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4B28171B-CCD5-4083-91B3-EDE7016AEFCC}\stubpath = "C:\\Windows\\{4B28171B-CCD5-4083-91B3-EDE7016AEFCC}.exe"	{88843CCE-7226-4967-99D5-20FC88EA689B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5398DC5B-DA15-456c-BF65-5BA981DC9D52}	{E84FF31A-6D2F-4e0b-9C53-E62E85C98A43}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5398DC5B-DA15-456c-BF65-5BA981DC9D52}\stubpath = "C:\\Windows\\{5398DC5B-DA15-456c-BF65-5BA981DC9D52}.exe"	{E84FF31A-6D2F-4e0b-9C53-E62E85C98A43}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C0D76C76-BA23-452b-8736-2EB9E57F2B11}\stubpath = "C:\\Windows\\{C0D76C76-BA23-452b-8736-2EB9E57F2B11}.exe"	2024-04-17_019c8a65489a527e9ecb922e1f7bdd7d_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DB4AFE25-1554-4a41-862A-7705A93265C3}	{685F1050-3587-413a-8DD1-0D9E34C1499A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{88843CCE-7226-4967-99D5-20FC88EA689B}	{DB4AFE25-1554-4a41-862A-7705A93265C3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A081AD8D-9D14-449c-9BF6-BCA221B8F0CB}\stubpath = "C:\\Windows\\{A081AD8D-9D14-449c-9BF6-BCA221B8F0CB}.exe"	{C4FAD80B-49F2-4f37-83BB-EC9FB93AAE94}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{685F1050-3587-413a-8DD1-0D9E34C1499A}	{10EFCCEE-A980-40e9-BD3A-F11C66D67229}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{685F1050-3587-413a-8DD1-0D9E34C1499A}\stubpath = "C:\\Windows\\{685F1050-3587-413a-8DD1-0D9E34C1499A}.exe"	{10EFCCEE-A980-40e9-BD3A-F11C66D67229}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{88843CCE-7226-4967-99D5-20FC88EA689B}\stubpath = "C:\\Windows\\{88843CCE-7226-4967-99D5-20FC88EA689B}.exe"	{DB4AFE25-1554-4a41-862A-7705A93265C3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4B28171B-CCD5-4083-91B3-EDE7016AEFCC}	{88843CCE-7226-4967-99D5-20FC88EA689B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4DC5EE01-164C-4a95-9B36-20DB7126CDC6}	{4B28171B-CCD5-4083-91B3-EDE7016AEFCC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C4FAD80B-49F2-4f37-83BB-EC9FB93AAE94}	{5398DC5B-DA15-456c-BF65-5BA981DC9D52}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C4FAD80B-49F2-4f37-83BB-EC9FB93AAE94}\stubpath = "C:\\Windows\\{C4FAD80B-49F2-4f37-83BB-EC9FB93AAE94}.exe"	{5398DC5B-DA15-456c-BF65-5BA981DC9D52}.exe

Deletes itself 1 IoCs

pid	Process
1216	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
3060	{C0D76C76-BA23-452b-8736-2EB9E57F2B11}.exe
2568	{10EFCCEE-A980-40e9-BD3A-F11C66D67229}.exe
2876	{685F1050-3587-413a-8DD1-0D9E34C1499A}.exe
2240	{DB4AFE25-1554-4a41-862A-7705A93265C3}.exe
2968	{88843CCE-7226-4967-99D5-20FC88EA689B}.exe
1528	{4B28171B-CCD5-4083-91B3-EDE7016AEFCC}.exe
2792	{4DC5EE01-164C-4a95-9B36-20DB7126CDC6}.exe
1420	{E84FF31A-6D2F-4e0b-9C53-E62E85C98A43}.exe
1740	{5398DC5B-DA15-456c-BF65-5BA981DC9D52}.exe
2052	{C4FAD80B-49F2-4f37-83BB-EC9FB93AAE94}.exe
608	{A081AD8D-9D14-449c-9BF6-BCA221B8F0CB}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{C0D76C76-BA23-452b-8736-2EB9E57F2B11}.exe	2024-04-17_019c8a65489a527e9ecb922e1f7bdd7d_goldeneye.exe
File created	C:\Windows\{685F1050-3587-413a-8DD1-0D9E34C1499A}.exe	{10EFCCEE-A980-40e9-BD3A-F11C66D67229}.exe
File created	C:\Windows\{E84FF31A-6D2F-4e0b-9C53-E62E85C98A43}.exe	{4DC5EE01-164C-4a95-9B36-20DB7126CDC6}.exe
File created	C:\Windows\{A081AD8D-9D14-449c-9BF6-BCA221B8F0CB}.exe	{C4FAD80B-49F2-4f37-83BB-EC9FB93AAE94}.exe
File created	C:\Windows\{10EFCCEE-A980-40e9-BD3A-F11C66D67229}.exe	{C0D76C76-BA23-452b-8736-2EB9E57F2B11}.exe
File created	C:\Windows\{DB4AFE25-1554-4a41-862A-7705A93265C3}.exe	{685F1050-3587-413a-8DD1-0D9E34C1499A}.exe
File created	C:\Windows\{88843CCE-7226-4967-99D5-20FC88EA689B}.exe	{DB4AFE25-1554-4a41-862A-7705A93265C3}.exe
File created	C:\Windows\{4B28171B-CCD5-4083-91B3-EDE7016AEFCC}.exe	{88843CCE-7226-4967-99D5-20FC88EA689B}.exe
File created	C:\Windows\{4DC5EE01-164C-4a95-9B36-20DB7126CDC6}.exe	{4B28171B-CCD5-4083-91B3-EDE7016AEFCC}.exe
File created	C:\Windows\{5398DC5B-DA15-456c-BF65-5BA981DC9D52}.exe	{E84FF31A-6D2F-4e0b-9C53-E62E85C98A43}.exe
File created	C:\Windows\{C4FAD80B-49F2-4f37-83BB-EC9FB93AAE94}.exe	{5398DC5B-DA15-456c-BF65-5BA981DC9D52}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2228	2024-04-17_019c8a65489a527e9ecb922e1f7bdd7d_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3060	{C0D76C76-BA23-452b-8736-2EB9E57F2B11}.exe
Token: SeIncBasePriorityPrivilege	2568	{10EFCCEE-A980-40e9-BD3A-F11C66D67229}.exe
Token: SeIncBasePriorityPrivilege	2876	{685F1050-3587-413a-8DD1-0D9E34C1499A}.exe
Token: SeIncBasePriorityPrivilege	2240	{DB4AFE25-1554-4a41-862A-7705A93265C3}.exe
Token: SeIncBasePriorityPrivilege	2968	{88843CCE-7226-4967-99D5-20FC88EA689B}.exe
Token: SeIncBasePriorityPrivilege	1528	{4B28171B-CCD5-4083-91B3-EDE7016AEFCC}.exe
Token: SeIncBasePriorityPrivilege	2792	{4DC5EE01-164C-4a95-9B36-20DB7126CDC6}.exe
Token: SeIncBasePriorityPrivilege	1420	{E84FF31A-6D2F-4e0b-9C53-E62E85C98A43}.exe
Token: SeIncBasePriorityPrivilege	1740	{5398DC5B-DA15-456c-BF65-5BA981DC9D52}.exe
Token: SeIncBasePriorityPrivilege	2052	{C4FAD80B-49F2-4f37-83BB-EC9FB93AAE94}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2228 wrote to memory of 3060	2228	2024-04-17_019c8a65489a527e9ecb922e1f7bdd7d_goldeneye.exe	28
PID 2228 wrote to memory of 3060	2228	2024-04-17_019c8a65489a527e9ecb922e1f7bdd7d_goldeneye.exe	28
PID 2228 wrote to memory of 3060	2228	2024-04-17_019c8a65489a527e9ecb922e1f7bdd7d_goldeneye.exe	28
PID 2228 wrote to memory of 3060	2228	2024-04-17_019c8a65489a527e9ecb922e1f7bdd7d_goldeneye.exe	28
PID 2228 wrote to memory of 1216	2228	2024-04-17_019c8a65489a527e9ecb922e1f7bdd7d_goldeneye.exe	29
PID 2228 wrote to memory of 1216	2228	2024-04-17_019c8a65489a527e9ecb922e1f7bdd7d_goldeneye.exe	29
PID 2228 wrote to memory of 1216	2228	2024-04-17_019c8a65489a527e9ecb922e1f7bdd7d_goldeneye.exe	29
PID 2228 wrote to memory of 1216	2228	2024-04-17_019c8a65489a527e9ecb922e1f7bdd7d_goldeneye.exe	29
PID 3060 wrote to memory of 2568	3060	{C0D76C76-BA23-452b-8736-2EB9E57F2B11}.exe	30
PID 3060 wrote to memory of 2568	3060	{C0D76C76-BA23-452b-8736-2EB9E57F2B11}.exe	30
PID 3060 wrote to memory of 2568	3060	{C0D76C76-BA23-452b-8736-2EB9E57F2B11}.exe	30
PID 3060 wrote to memory of 2568	3060	{C0D76C76-BA23-452b-8736-2EB9E57F2B11}.exe	30
PID 3060 wrote to memory of 2572	3060	{C0D76C76-BA23-452b-8736-2EB9E57F2B11}.exe	31
PID 3060 wrote to memory of 2572	3060	{C0D76C76-BA23-452b-8736-2EB9E57F2B11}.exe	31
PID 3060 wrote to memory of 2572	3060	{C0D76C76-BA23-452b-8736-2EB9E57F2B11}.exe	31
PID 3060 wrote to memory of 2572	3060	{C0D76C76-BA23-452b-8736-2EB9E57F2B11}.exe	31
PID 2568 wrote to memory of 2876	2568	{10EFCCEE-A980-40e9-BD3A-F11C66D67229}.exe	32
PID 2568 wrote to memory of 2876	2568	{10EFCCEE-A980-40e9-BD3A-F11C66D67229}.exe	32
PID 2568 wrote to memory of 2876	2568	{10EFCCEE-A980-40e9-BD3A-F11C66D67229}.exe	32
PID 2568 wrote to memory of 2876	2568	{10EFCCEE-A980-40e9-BD3A-F11C66D67229}.exe	32
PID 2568 wrote to memory of 1640	2568	{10EFCCEE-A980-40e9-BD3A-F11C66D67229}.exe	33
PID 2568 wrote to memory of 1640	2568	{10EFCCEE-A980-40e9-BD3A-F11C66D67229}.exe	33
PID 2568 wrote to memory of 1640	2568	{10EFCCEE-A980-40e9-BD3A-F11C66D67229}.exe	33
PID 2568 wrote to memory of 1640	2568	{10EFCCEE-A980-40e9-BD3A-F11C66D67229}.exe	33
PID 2876 wrote to memory of 2240	2876	{685F1050-3587-413a-8DD1-0D9E34C1499A}.exe	36
PID 2876 wrote to memory of 2240	2876	{685F1050-3587-413a-8DD1-0D9E34C1499A}.exe	36
PID 2876 wrote to memory of 2240	2876	{685F1050-3587-413a-8DD1-0D9E34C1499A}.exe	36
PID 2876 wrote to memory of 2240	2876	{685F1050-3587-413a-8DD1-0D9E34C1499A}.exe	36
PID 2876 wrote to memory of 2420	2876	{685F1050-3587-413a-8DD1-0D9E34C1499A}.exe	37
PID 2876 wrote to memory of 2420	2876	{685F1050-3587-413a-8DD1-0D9E34C1499A}.exe	37
PID 2876 wrote to memory of 2420	2876	{685F1050-3587-413a-8DD1-0D9E34C1499A}.exe	37
PID 2876 wrote to memory of 2420	2876	{685F1050-3587-413a-8DD1-0D9E34C1499A}.exe	37
PID 2240 wrote to memory of 2968	2240	{DB4AFE25-1554-4a41-862A-7705A93265C3}.exe	38
PID 2240 wrote to memory of 2968	2240	{DB4AFE25-1554-4a41-862A-7705A93265C3}.exe	38
PID 2240 wrote to memory of 2968	2240	{DB4AFE25-1554-4a41-862A-7705A93265C3}.exe	38
PID 2240 wrote to memory of 2968	2240	{DB4AFE25-1554-4a41-862A-7705A93265C3}.exe	38
PID 2240 wrote to memory of 2072	2240	{DB4AFE25-1554-4a41-862A-7705A93265C3}.exe	39
PID 2240 wrote to memory of 2072	2240	{DB4AFE25-1554-4a41-862A-7705A93265C3}.exe	39
PID 2240 wrote to memory of 2072	2240	{DB4AFE25-1554-4a41-862A-7705A93265C3}.exe	39
PID 2240 wrote to memory of 2072	2240	{DB4AFE25-1554-4a41-862A-7705A93265C3}.exe	39
PID 2968 wrote to memory of 1528	2968	{88843CCE-7226-4967-99D5-20FC88EA689B}.exe	40
PID 2968 wrote to memory of 1528	2968	{88843CCE-7226-4967-99D5-20FC88EA689B}.exe	40
PID 2968 wrote to memory of 1528	2968	{88843CCE-7226-4967-99D5-20FC88EA689B}.exe	40
PID 2968 wrote to memory of 1528	2968	{88843CCE-7226-4967-99D5-20FC88EA689B}.exe	40
PID 2968 wrote to memory of 2820	2968	{88843CCE-7226-4967-99D5-20FC88EA689B}.exe	41
PID 2968 wrote to memory of 2820	2968	{88843CCE-7226-4967-99D5-20FC88EA689B}.exe	41
PID 2968 wrote to memory of 2820	2968	{88843CCE-7226-4967-99D5-20FC88EA689B}.exe	41
PID 2968 wrote to memory of 2820	2968	{88843CCE-7226-4967-99D5-20FC88EA689B}.exe	41
PID 1528 wrote to memory of 2792	1528	{4B28171B-CCD5-4083-91B3-EDE7016AEFCC}.exe	42
PID 1528 wrote to memory of 2792	1528	{4B28171B-CCD5-4083-91B3-EDE7016AEFCC}.exe	42
PID 1528 wrote to memory of 2792	1528	{4B28171B-CCD5-4083-91B3-EDE7016AEFCC}.exe	42
PID 1528 wrote to memory of 2792	1528	{4B28171B-CCD5-4083-91B3-EDE7016AEFCC}.exe	42
PID 1528 wrote to memory of 2780	1528	{4B28171B-CCD5-4083-91B3-EDE7016AEFCC}.exe	43
PID 1528 wrote to memory of 2780	1528	{4B28171B-CCD5-4083-91B3-EDE7016AEFCC}.exe	43
PID 1528 wrote to memory of 2780	1528	{4B28171B-CCD5-4083-91B3-EDE7016AEFCC}.exe	43
PID 1528 wrote to memory of 2780	1528	{4B28171B-CCD5-4083-91B3-EDE7016AEFCC}.exe	43
PID 2792 wrote to memory of 1420	2792	{4DC5EE01-164C-4a95-9B36-20DB7126CDC6}.exe	44
PID 2792 wrote to memory of 1420	2792	{4DC5EE01-164C-4a95-9B36-20DB7126CDC6}.exe	44
PID 2792 wrote to memory of 1420	2792	{4DC5EE01-164C-4a95-9B36-20DB7126CDC6}.exe	44
PID 2792 wrote to memory of 1420	2792	{4DC5EE01-164C-4a95-9B36-20DB7126CDC6}.exe	44
PID 2792 wrote to memory of 1512	2792	{4DC5EE01-164C-4a95-9B36-20DB7126CDC6}.exe	45
PID 2792 wrote to memory of 1512	2792	{4DC5EE01-164C-4a95-9B36-20DB7126CDC6}.exe	45
PID 2792 wrote to memory of 1512	2792	{4DC5EE01-164C-4a95-9B36-20DB7126CDC6}.exe	45
PID 2792 wrote to memory of 1512	2792	{4DC5EE01-164C-4a95-9B36-20DB7126CDC6}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-04-17_019c8a65489a527e9ecb922e1f7bdd7d_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-17_019c8a65489a527e9ecb922e1f7bdd7d_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2228
- C:\Windows\{C0D76C76-BA23-452b-8736-2EB9E57F2B11}.exe
  C:\Windows\{C0D76C76-BA23-452b-8736-2EB9E57F2B11}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3060
- - C:\Windows\{10EFCCEE-A980-40e9-BD3A-F11C66D67229}.exe
    C:\Windows\{10EFCCEE-A980-40e9-BD3A-F11C66D67229}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2568
  - - C:\Windows\{685F1050-3587-413a-8DD1-0D9E34C1499A}.exe
      C:\Windows\{685F1050-3587-413a-8DD1-0D9E34C1499A}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2876
    - - C:\Windows\{DB4AFE25-1554-4a41-862A-7705A93265C3}.exe
        
        C:\Windows\{DB4AFE25-1554-4a41-862A-7705A93265C3}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2240
      - C:\Windows\{88843CCE-7226-4967-99D5-20FC88EA689B}.exe
        
        C:\Windows\{88843CCE-7226-4967-99D5-20FC88EA689B}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2968
        
        C:\Windows\{4B28171B-CCD5-4083-91B3-EDE7016AEFCC}.exe
        
        C:\Windows\{4B28171B-CCD5-4083-91B3-EDE7016AEFCC}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1528
        
        C:\Windows\{4DC5EE01-164C-4a95-9B36-20DB7126CDC6}.exe
        
        C:\Windows\{4DC5EE01-164C-4a95-9B36-20DB7126CDC6}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2792
        
        C:\Windows\{E84FF31A-6D2F-4e0b-9C53-E62E85C98A43}.exe
        
        C:\Windows\{E84FF31A-6D2F-4e0b-9C53-E62E85C98A43}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1420
        
        C:\Windows\{5398DC5B-DA15-456c-BF65-5BA981DC9D52}.exe
        
        C:\Windows\{5398DC5B-DA15-456c-BF65-5BA981DC9D52}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1740
        
        C:\Windows\{C4FAD80B-49F2-4f37-83BB-EC9FB93AAE94}.exe
        
        C:\Windows\{C4FAD80B-49F2-4f37-83BB-EC9FB93AAE94}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2052
        
        C:\Windows\{A081AD8D-9D14-449c-9BF6-BCA221B8F0CB}.exe
        
        C:\Windows\{A081AD8D-9D14-449c-9BF6-BCA221B8F0CB}.exe
        12⤵
        Executes dropped EXE
        
        PID:608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C4FAD~1.EXE > nul
        12⤵
        
        PID:1484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5398D~1.EXE > nul
        11⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E84FF~1.EXE > nul
        10⤵
        
        PID:672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4DC5E~1.EXE > nul
        9⤵
        
        PID:1512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4B281~1.EXE > nul
        8⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{88843~1.EXE > nul
        7⤵
        
        PID:2820
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DB4AF~1.EXE > nul
        6⤵
        
        PID:2072
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{685F1~1.EXE > nul
        5⤵
        
        PID:2420
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{10EFC~1.EXE > nul
      4⤵
      PID:1640
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{C0D76~1.EXE > nul
    3⤵
    PID:2572
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:1216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{10EFCCEE-A980-40e9-BD3A-F11C66D67229}.exe

Filesize
380KB

MD5
ae90f93b2226caea37b60dc19d7868ca

SHA1
875b797a3441c2a724a6bec29b11b4be0710a519

SHA256
11b0905fb81146a1bf2cdd454c541096c37a10025ea7b42c0595f4a3b7dd8244

SHA512
7010da148c70d5c8aa2f17c85a7fd4029990c480314875868964945f157712d6c6505264cfd2cb19e3f6d246e1274f111a33020e06221aff1da29055608bb21a

Download Submit
C:\Windows\{4B28171B-CCD5-4083-91B3-EDE7016AEFCC}.exe

Filesize
380KB

MD5
e07299fcfef18276862467e48715bcbd

SHA1
30ea4c2bbb50900d7b757c9db213b950b6949f8f

SHA256
09834a72d1a65affd3cc5db8e3a06a0e3992b483547fa6143bbad6585f3fd226

SHA512
14e42db37180a21db0967aafe37ea5714d7f75b2c9268ee3198e85f39bacff585f45b728446d0b0c6c0966bf69a1810aea85c8792f6f99bed730ab9be5422805

Download Submit
C:\Windows\{4DC5EE01-164C-4a95-9B36-20DB7126CDC6}.exe

Filesize
380KB

MD5
f888c23e7cd8907d5a7091bbafa42e3d

SHA1
5be55b39a91af4280aec513407b1cd8d118d7969

SHA256
56284711231051934dcdaeaf54dc8aa1ad66a058af8e51ab32cde23230f5122f

SHA512
241c0f6df78499a4dd6f35ef0d0ecc0d9d0485da9e55b104cb3825aceba9a347dc903cd9911e1d60f99f76d93da8a6fa980ed326a1ade9a92e8034163342bc32

Download Submit
C:\Windows\{5398DC5B-DA15-456c-BF65-5BA981DC9D52}.exe

Filesize
380KB

MD5
73cd773eff3d787add4608d07d90d4e5

SHA1
22b0d4d7f648628a10dcf678ce9348da23b71844

SHA256
1b43c306ef29f688f05825322ab27c1d192f7e3d0b70b4ec993f3005356c178d

SHA512
1a2dc056e93fcc3166ab38813bd76792333274e1b8a0e8e0515dd0cea8ba8c57371e33679092f55c1d16f3236b22f48c0c486cd96bf51527e1d4593f37969539

Download Submit
C:\Windows\{685F1050-3587-413a-8DD1-0D9E34C1499A}.exe

Filesize
380KB

MD5
31fcad0a25d6418ed71a4da16e83f5d7

SHA1
263e4cfc8f4990d7255724a7a77d3c8e40ac6687

SHA256
2bbd0e138c2d1c90def050a1fabc309dd11281f359359fc59853542f22f43194

SHA512
76a2d4bd1798454dcfc575fb7884542b29a65434e9e19d858afb9158493318b645f1f3762e03ff534cd03cbd27ea8b1de9726ad78266e3a1982a69c2e8903fd7

Download Submit
C:\Windows\{88843CCE-7226-4967-99D5-20FC88EA689B}.exe

Filesize
380KB

MD5
a135f7aa61d4f1f367905086a39d974a

SHA1
ab3e3df5adab80928983df3862cba184d2660957

SHA256
b7f88e6911a4329c6489825346c8f71d2f25df11aa827f071f6df45168f550e6

SHA512
936ecfe7088664631fd40c742de8f8c87c07cf79ebe919a5d466c48d8415fd015678649b380169bcf0ffe72ea18343cdedceb410b35abede810bc7994550a678

Download Submit
C:\Windows\{A081AD8D-9D14-449c-9BF6-BCA221B8F0CB}.exe

Filesize
380KB

MD5
d8e4173148a9d33717cb61073fa762e4

SHA1
05d260bbf5434174abde46819e20469f659ca4e4

SHA256
81f3600d4c6c315e8b79d89de50464d5c4ffae515d7b2cda0bd3876633b6c335

SHA512
ee2b547bd121887655fbf8ef4b2dae04a9eb0ef126026dc415f432283afe6b54bcd43e487b2f921545c5ce74205f08c8cbf0dab0f3cff5abea6829b3e0db920c

Download Submit
C:\Windows\{C0D76C76-BA23-452b-8736-2EB9E57F2B11}.exe

Filesize
380KB

MD5
d45aafef2f905f4dda91b78b1373febb

SHA1
00bab3e6033a74fde93c8270d4198e480be7ec32

SHA256
a4c00f175b0ec02c6c7f697a86bb30d3d57fee5f0bc581ccf6133548349dc5c2

SHA512
7eecab92e17c4b8b710a33703a4694dd88909891c36956b384ff153a8d1892180d07541f0dd15f2810b264cc1d1891f5543d9185c4ace4686d1c190c8570d949

Download Submit
C:\Windows\{C4FAD80B-49F2-4f37-83BB-EC9FB93AAE94}.exe

Filesize
380KB

MD5
50a049eafa0bccb8d91a57c59971128a

SHA1
3f6a30188e7cb03f30e38e3f031883b72386f47e

SHA256
8d13948d9e62a280503ee07a348583197e56a8dfdda6f8377a76a2b01ee6a66f

SHA512
28fcd55a3f5d04df0736944fe84adc2cb1f67f40c42147c68f0c3635476de1a6f092b1713b4eaeeb45ceb49cbe6cbd17cb064481bebbb61c30aaa76a556fbccb

Download Submit
C:\Windows\{DB4AFE25-1554-4a41-862A-7705A93265C3}.exe

Filesize
380KB

MD5
4cbd5f6a0186ba789852ea070b1ef007

SHA1
df6bfd291833f4219456c54aa7a7418d44e673e4

SHA256
81c10550a0887c877b8d6b85966562e49c528fb8915bda85b8c84e2aadfd31ec

SHA512
ef958ffa8e23cda3818848b466d081267bd44743eba3f656166abb20c0d970cddad2a7fb5328a01187f5ce67720c96b843941e24ed29dec198651cd12ce5d0b3

Download Submit
C:\Windows\{E84FF31A-6D2F-4e0b-9C53-E62E85C98A43}.exe

Filesize
380KB

MD5
61e1269276d975c9191ae6da53def16a

SHA1
ad0be599b6c51d8b9922e6a2bf1ed50d07014614

SHA256
9e0c34f7877245921485986f4182e9a24972acad01b47450f320e9c8df00f1ef

SHA512
077cfd60507b8894b0cd532ab6e9bec222a591bae1031d7e6644c500533de895c103b271121898a9b0ed42915ba1430c8253e83b635b786b431d39c89e3dac53

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads