e2114f8c89797588def452c718ca697e3b20e0940c8f9b1ff37eb365d1854be8

Analysis

max time kernel
144s
max time network
126s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
17-04-2024 19:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-17_ab7979e053e0ede9be79b519d214bf3f_goldeneye.exe
Size

216KB
MD5

ab7979e053e0ede9be79b519d214bf3f
SHA1

639e81bc22dd049fd5381c53d88b7c54fb84c40b
SHA256

e2114f8c89797588def452c718ca697e3b20e0940c8f9b1ff37eb365d1854be8
SHA512

be06265ec58caf1ab602ee45ad6ad7b1c62264f45aefed5ad87c577aabcb7b0397a1428f07600bb743de0a3caf8c8dbf38addd052c1376de4a617885def69d64
SSDEEP

3072:jEGh0oEl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEG6lEeKcAEcGy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000d00000001225b-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00040000000130fc-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0033000000015c00-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00050000000130fc-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00060000000130fc-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00070000000130fc-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00080000000130fc-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1D2346E0-2443-4cd3-9273-8AB3AF051889}\stubpath = "C:\\Windows\\{1D2346E0-2443-4cd3-9273-8AB3AF051889}.exe"	{2F870B18-C6CF-47f5-8F54-B9883333A3C9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DB0F6FCD-D03A-4944-A0CE-8644F7034204}\stubpath = "C:\\Windows\\{DB0F6FCD-D03A-4944-A0CE-8644F7034204}.exe"	{1D2346E0-2443-4cd3-9273-8AB3AF051889}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{76378112-568B-471b-891F-7AC8ABBF258E}	2024-04-17_ab7979e053e0ede9be79b519d214bf3f_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A061D285-A3C9-4570-A8DB-C55849948AD0}\stubpath = "C:\\Windows\\{A061D285-A3C9-4570-A8DB-C55849948AD0}.exe"	{19FECFF4-49A7-4d17-AC92-3990E2D8FF03}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FD41F0D9-5CBA-4573-B5DA-99F83036515E}\stubpath = "C:\\Windows\\{FD41F0D9-5CBA-4573-B5DA-99F83036515E}.exe"	{7A79BB40-F4F2-42e7-845F-0B316F37B43A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2F870B18-C6CF-47f5-8F54-B9883333A3C9}	{AB0EA96F-087D-49a5-AEC2-5DBFEB2E5DDE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1D2346E0-2443-4cd3-9273-8AB3AF051889}	{2F870B18-C6CF-47f5-8F54-B9883333A3C9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{19FECFF4-49A7-4d17-AC92-3990E2D8FF03}	{76378112-568B-471b-891F-7AC8ABBF258E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EE06C084-3175-4d2a-A85B-D0578DC02BA3}\stubpath = "C:\\Windows\\{EE06C084-3175-4d2a-A85B-D0578DC02BA3}.exe"	{49F5B1C8-105E-4b50-A9FD-32EDD2B5F4A6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2F870B18-C6CF-47f5-8F54-B9883333A3C9}\stubpath = "C:\\Windows\\{2F870B18-C6CF-47f5-8F54-B9883333A3C9}.exe"	{AB0EA96F-087D-49a5-AEC2-5DBFEB2E5DDE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{76378112-568B-471b-891F-7AC8ABBF258E}\stubpath = "C:\\Windows\\{76378112-568B-471b-891F-7AC8ABBF258E}.exe"	2024-04-17_ab7979e053e0ede9be79b519d214bf3f_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FD41F0D9-5CBA-4573-B5DA-99F83036515E}	{7A79BB40-F4F2-42e7-845F-0B316F37B43A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EE06C084-3175-4d2a-A85B-D0578DC02BA3}	{49F5B1C8-105E-4b50-A9FD-32EDD2B5F4A6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DB0F6FCD-D03A-4944-A0CE-8644F7034204}	{1D2346E0-2443-4cd3-9273-8AB3AF051889}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{49F5B1C8-105E-4b50-A9FD-32EDD2B5F4A6}\stubpath = "C:\\Windows\\{49F5B1C8-105E-4b50-A9FD-32EDD2B5F4A6}.exe"	{FD41F0D9-5CBA-4573-B5DA-99F83036515E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AB0EA96F-087D-49a5-AEC2-5DBFEB2E5DDE}	{EE06C084-3175-4d2a-A85B-D0578DC02BA3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AB0EA96F-087D-49a5-AEC2-5DBFEB2E5DDE}\stubpath = "C:\\Windows\\{AB0EA96F-087D-49a5-AEC2-5DBFEB2E5DDE}.exe"	{EE06C084-3175-4d2a-A85B-D0578DC02BA3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{19FECFF4-49A7-4d17-AC92-3990E2D8FF03}\stubpath = "C:\\Windows\\{19FECFF4-49A7-4d17-AC92-3990E2D8FF03}.exe"	{76378112-568B-471b-891F-7AC8ABBF258E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A061D285-A3C9-4570-A8DB-C55849948AD0}	{19FECFF4-49A7-4d17-AC92-3990E2D8FF03}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7A79BB40-F4F2-42e7-845F-0B316F37B43A}	{A061D285-A3C9-4570-A8DB-C55849948AD0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7A79BB40-F4F2-42e7-845F-0B316F37B43A}\stubpath = "C:\\Windows\\{7A79BB40-F4F2-42e7-845F-0B316F37B43A}.exe"	{A061D285-A3C9-4570-A8DB-C55849948AD0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{49F5B1C8-105E-4b50-A9FD-32EDD2B5F4A6}	{FD41F0D9-5CBA-4573-B5DA-99F83036515E}.exe

Deletes itself 1 IoCs

pid	Process
2284	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2156	{76378112-568B-471b-891F-7AC8ABBF258E}.exe
2832	{19FECFF4-49A7-4d17-AC92-3990E2D8FF03}.exe
2456	{A061D285-A3C9-4570-A8DB-C55849948AD0}.exe
1196	{7A79BB40-F4F2-42e7-845F-0B316F37B43A}.exe
2752	{FD41F0D9-5CBA-4573-B5DA-99F83036515E}.exe
1340	{49F5B1C8-105E-4b50-A9FD-32EDD2B5F4A6}.exe
1632	{EE06C084-3175-4d2a-A85B-D0578DC02BA3}.exe
544	{AB0EA96F-087D-49a5-AEC2-5DBFEB2E5DDE}.exe
1368	{2F870B18-C6CF-47f5-8F54-B9883333A3C9}.exe
2060	{1D2346E0-2443-4cd3-9273-8AB3AF051889}.exe
2960	{DB0F6FCD-D03A-4944-A0CE-8644F7034204}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{19FECFF4-49A7-4d17-AC92-3990E2D8FF03}.exe	{76378112-568B-471b-891F-7AC8ABBF258E}.exe
File created	C:\Windows\{FD41F0D9-5CBA-4573-B5DA-99F83036515E}.exe	{7A79BB40-F4F2-42e7-845F-0B316F37B43A}.exe
File created	C:\Windows\{7A79BB40-F4F2-42e7-845F-0B316F37B43A}.exe	{A061D285-A3C9-4570-A8DB-C55849948AD0}.exe
File created	C:\Windows\{49F5B1C8-105E-4b50-A9FD-32EDD2B5F4A6}.exe	{FD41F0D9-5CBA-4573-B5DA-99F83036515E}.exe
File created	C:\Windows\{EE06C084-3175-4d2a-A85B-D0578DC02BA3}.exe	{49F5B1C8-105E-4b50-A9FD-32EDD2B5F4A6}.exe
File created	C:\Windows\{AB0EA96F-087D-49a5-AEC2-5DBFEB2E5DDE}.exe	{EE06C084-3175-4d2a-A85B-D0578DC02BA3}.exe
File created	C:\Windows\{2F870B18-C6CF-47f5-8F54-B9883333A3C9}.exe	{AB0EA96F-087D-49a5-AEC2-5DBFEB2E5DDE}.exe
File created	C:\Windows\{1D2346E0-2443-4cd3-9273-8AB3AF051889}.exe	{2F870B18-C6CF-47f5-8F54-B9883333A3C9}.exe
File created	C:\Windows\{76378112-568B-471b-891F-7AC8ABBF258E}.exe	2024-04-17_ab7979e053e0ede9be79b519d214bf3f_goldeneye.exe
File created	C:\Windows\{A061D285-A3C9-4570-A8DB-C55849948AD0}.exe	{19FECFF4-49A7-4d17-AC92-3990E2D8FF03}.exe
File created	C:\Windows\{DB0F6FCD-D03A-4944-A0CE-8644F7034204}.exe	{1D2346E0-2443-4cd3-9273-8AB3AF051889}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2356	2024-04-17_ab7979e053e0ede9be79b519d214bf3f_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2156	{76378112-568B-471b-891F-7AC8ABBF258E}.exe
Token: SeIncBasePriorityPrivilege	2832	{19FECFF4-49A7-4d17-AC92-3990E2D8FF03}.exe
Token: SeIncBasePriorityPrivilege	2456	{A061D285-A3C9-4570-A8DB-C55849948AD0}.exe
Token: SeIncBasePriorityPrivilege	1196	{7A79BB40-F4F2-42e7-845F-0B316F37B43A}.exe
Token: SeIncBasePriorityPrivilege	2752	{FD41F0D9-5CBA-4573-B5DA-99F83036515E}.exe
Token: SeIncBasePriorityPrivilege	1340	{49F5B1C8-105E-4b50-A9FD-32EDD2B5F4A6}.exe
Token: SeIncBasePriorityPrivilege	1632	{EE06C084-3175-4d2a-A85B-D0578DC02BA3}.exe
Token: SeIncBasePriorityPrivilege	544	{AB0EA96F-087D-49a5-AEC2-5DBFEB2E5DDE}.exe
Token: SeIncBasePriorityPrivilege	1368	{2F870B18-C6CF-47f5-8F54-B9883333A3C9}.exe
Token: SeIncBasePriorityPrivilege	2060	{1D2346E0-2443-4cd3-9273-8AB3AF051889}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2356 wrote to memory of 2156	2356	2024-04-17_ab7979e053e0ede9be79b519d214bf3f_goldeneye.exe	28
PID 2356 wrote to memory of 2156	2356	2024-04-17_ab7979e053e0ede9be79b519d214bf3f_goldeneye.exe	28
PID 2356 wrote to memory of 2156	2356	2024-04-17_ab7979e053e0ede9be79b519d214bf3f_goldeneye.exe	28
PID 2356 wrote to memory of 2156	2356	2024-04-17_ab7979e053e0ede9be79b519d214bf3f_goldeneye.exe	28
PID 2356 wrote to memory of 2284	2356	2024-04-17_ab7979e053e0ede9be79b519d214bf3f_goldeneye.exe	29
PID 2356 wrote to memory of 2284	2356	2024-04-17_ab7979e053e0ede9be79b519d214bf3f_goldeneye.exe	29
PID 2356 wrote to memory of 2284	2356	2024-04-17_ab7979e053e0ede9be79b519d214bf3f_goldeneye.exe	29
PID 2356 wrote to memory of 2284	2356	2024-04-17_ab7979e053e0ede9be79b519d214bf3f_goldeneye.exe	29
PID 2156 wrote to memory of 2832	2156	{76378112-568B-471b-891F-7AC8ABBF258E}.exe	30
PID 2156 wrote to memory of 2832	2156	{76378112-568B-471b-891F-7AC8ABBF258E}.exe	30
PID 2156 wrote to memory of 2832	2156	{76378112-568B-471b-891F-7AC8ABBF258E}.exe	30
PID 2156 wrote to memory of 2832	2156	{76378112-568B-471b-891F-7AC8ABBF258E}.exe	30
PID 2156 wrote to memory of 2684	2156	{76378112-568B-471b-891F-7AC8ABBF258E}.exe	31
PID 2156 wrote to memory of 2684	2156	{76378112-568B-471b-891F-7AC8ABBF258E}.exe	31
PID 2156 wrote to memory of 2684	2156	{76378112-568B-471b-891F-7AC8ABBF258E}.exe	31
PID 2156 wrote to memory of 2684	2156	{76378112-568B-471b-891F-7AC8ABBF258E}.exe	31
PID 2832 wrote to memory of 2456	2832	{19FECFF4-49A7-4d17-AC92-3990E2D8FF03}.exe	34
PID 2832 wrote to memory of 2456	2832	{19FECFF4-49A7-4d17-AC92-3990E2D8FF03}.exe	34
PID 2832 wrote to memory of 2456	2832	{19FECFF4-49A7-4d17-AC92-3990E2D8FF03}.exe	34
PID 2832 wrote to memory of 2456	2832	{19FECFF4-49A7-4d17-AC92-3990E2D8FF03}.exe	34
PID 2832 wrote to memory of 2196	2832	{19FECFF4-49A7-4d17-AC92-3990E2D8FF03}.exe	35
PID 2832 wrote to memory of 2196	2832	{19FECFF4-49A7-4d17-AC92-3990E2D8FF03}.exe	35
PID 2832 wrote to memory of 2196	2832	{19FECFF4-49A7-4d17-AC92-3990E2D8FF03}.exe	35
PID 2832 wrote to memory of 2196	2832	{19FECFF4-49A7-4d17-AC92-3990E2D8FF03}.exe	35
PID 2456 wrote to memory of 1196	2456	{A061D285-A3C9-4570-A8DB-C55849948AD0}.exe	36
PID 2456 wrote to memory of 1196	2456	{A061D285-A3C9-4570-A8DB-C55849948AD0}.exe	36
PID 2456 wrote to memory of 1196	2456	{A061D285-A3C9-4570-A8DB-C55849948AD0}.exe	36
PID 2456 wrote to memory of 1196	2456	{A061D285-A3C9-4570-A8DB-C55849948AD0}.exe	36
PID 2456 wrote to memory of 2712	2456	{A061D285-A3C9-4570-A8DB-C55849948AD0}.exe	37
PID 2456 wrote to memory of 2712	2456	{A061D285-A3C9-4570-A8DB-C55849948AD0}.exe	37
PID 2456 wrote to memory of 2712	2456	{A061D285-A3C9-4570-A8DB-C55849948AD0}.exe	37
PID 2456 wrote to memory of 2712	2456	{A061D285-A3C9-4570-A8DB-C55849948AD0}.exe	37
PID 1196 wrote to memory of 2752	1196	{7A79BB40-F4F2-42e7-845F-0B316F37B43A}.exe	38
PID 1196 wrote to memory of 2752	1196	{7A79BB40-F4F2-42e7-845F-0B316F37B43A}.exe	38
PID 1196 wrote to memory of 2752	1196	{7A79BB40-F4F2-42e7-845F-0B316F37B43A}.exe	38
PID 1196 wrote to memory of 2752	1196	{7A79BB40-F4F2-42e7-845F-0B316F37B43A}.exe	38
PID 1196 wrote to memory of 2764	1196	{7A79BB40-F4F2-42e7-845F-0B316F37B43A}.exe	39
PID 1196 wrote to memory of 2764	1196	{7A79BB40-F4F2-42e7-845F-0B316F37B43A}.exe	39
PID 1196 wrote to memory of 2764	1196	{7A79BB40-F4F2-42e7-845F-0B316F37B43A}.exe	39
PID 1196 wrote to memory of 2764	1196	{7A79BB40-F4F2-42e7-845F-0B316F37B43A}.exe	39
PID 2752 wrote to memory of 1340	2752	{FD41F0D9-5CBA-4573-B5DA-99F83036515E}.exe	40
PID 2752 wrote to memory of 1340	2752	{FD41F0D9-5CBA-4573-B5DA-99F83036515E}.exe	40
PID 2752 wrote to memory of 1340	2752	{FD41F0D9-5CBA-4573-B5DA-99F83036515E}.exe	40
PID 2752 wrote to memory of 1340	2752	{FD41F0D9-5CBA-4573-B5DA-99F83036515E}.exe	40
PID 2752 wrote to memory of 1264	2752	{FD41F0D9-5CBA-4573-B5DA-99F83036515E}.exe	41
PID 2752 wrote to memory of 1264	2752	{FD41F0D9-5CBA-4573-B5DA-99F83036515E}.exe	41
PID 2752 wrote to memory of 1264	2752	{FD41F0D9-5CBA-4573-B5DA-99F83036515E}.exe	41
PID 2752 wrote to memory of 1264	2752	{FD41F0D9-5CBA-4573-B5DA-99F83036515E}.exe	41
PID 1340 wrote to memory of 1632	1340	{49F5B1C8-105E-4b50-A9FD-32EDD2B5F4A6}.exe	42
PID 1340 wrote to memory of 1632	1340	{49F5B1C8-105E-4b50-A9FD-32EDD2B5F4A6}.exe	42
PID 1340 wrote to memory of 1632	1340	{49F5B1C8-105E-4b50-A9FD-32EDD2B5F4A6}.exe	42
PID 1340 wrote to memory of 1632	1340	{49F5B1C8-105E-4b50-A9FD-32EDD2B5F4A6}.exe	42
PID 1340 wrote to memory of 1584	1340	{49F5B1C8-105E-4b50-A9FD-32EDD2B5F4A6}.exe	43
PID 1340 wrote to memory of 1584	1340	{49F5B1C8-105E-4b50-A9FD-32EDD2B5F4A6}.exe	43
PID 1340 wrote to memory of 1584	1340	{49F5B1C8-105E-4b50-A9FD-32EDD2B5F4A6}.exe	43
PID 1340 wrote to memory of 1584	1340	{49F5B1C8-105E-4b50-A9FD-32EDD2B5F4A6}.exe	43
PID 1632 wrote to memory of 544	1632	{EE06C084-3175-4d2a-A85B-D0578DC02BA3}.exe	44
PID 1632 wrote to memory of 544	1632	{EE06C084-3175-4d2a-A85B-D0578DC02BA3}.exe	44
PID 1632 wrote to memory of 544	1632	{EE06C084-3175-4d2a-A85B-D0578DC02BA3}.exe	44
PID 1632 wrote to memory of 544	1632	{EE06C084-3175-4d2a-A85B-D0578DC02BA3}.exe	44
PID 1632 wrote to memory of 1484	1632	{EE06C084-3175-4d2a-A85B-D0578DC02BA3}.exe	45
PID 1632 wrote to memory of 1484	1632	{EE06C084-3175-4d2a-A85B-D0578DC02BA3}.exe	45
PID 1632 wrote to memory of 1484	1632	{EE06C084-3175-4d2a-A85B-D0578DC02BA3}.exe	45
PID 1632 wrote to memory of 1484	1632	{EE06C084-3175-4d2a-A85B-D0578DC02BA3}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-04-17_ab7979e053e0ede9be79b519d214bf3f_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-17_ab7979e053e0ede9be79b519d214bf3f_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2356
- C:\Windows\{76378112-568B-471b-891F-7AC8ABBF258E}.exe
  C:\Windows\{76378112-568B-471b-891F-7AC8ABBF258E}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2156
- - C:\Windows\{19FECFF4-49A7-4d17-AC92-3990E2D8FF03}.exe
    C:\Windows\{19FECFF4-49A7-4d17-AC92-3990E2D8FF03}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2832
  - - C:\Windows\{A061D285-A3C9-4570-A8DB-C55849948AD0}.exe
      C:\Windows\{A061D285-A3C9-4570-A8DB-C55849948AD0}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2456
    - - C:\Windows\{7A79BB40-F4F2-42e7-845F-0B316F37B43A}.exe
        
        C:\Windows\{7A79BB40-F4F2-42e7-845F-0B316F37B43A}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1196
      - C:\Windows\{FD41F0D9-5CBA-4573-B5DA-99F83036515E}.exe
        
        C:\Windows\{FD41F0D9-5CBA-4573-B5DA-99F83036515E}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2752
        
        C:\Windows\{49F5B1C8-105E-4b50-A9FD-32EDD2B5F4A6}.exe
        
        C:\Windows\{49F5B1C8-105E-4b50-A9FD-32EDD2B5F4A6}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1340
        
        C:\Windows\{EE06C084-3175-4d2a-A85B-D0578DC02BA3}.exe
        
        C:\Windows\{EE06C084-3175-4d2a-A85B-D0578DC02BA3}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1632
        
        C:\Windows\{AB0EA96F-087D-49a5-AEC2-5DBFEB2E5DDE}.exe
        
        C:\Windows\{AB0EA96F-087D-49a5-AEC2-5DBFEB2E5DDE}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:544
        
        C:\Windows\{2F870B18-C6CF-47f5-8F54-B9883333A3C9}.exe
        
        C:\Windows\{2F870B18-C6CF-47f5-8F54-B9883333A3C9}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1368
        
        C:\Windows\{1D2346E0-2443-4cd3-9273-8AB3AF051889}.exe
        
        C:\Windows\{1D2346E0-2443-4cd3-9273-8AB3AF051889}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2060
        
        C:\Windows\{DB0F6FCD-D03A-4944-A0CE-8644F7034204}.exe
        
        C:\Windows\{DB0F6FCD-D03A-4944-A0CE-8644F7034204}.exe
        12⤵
        Executes dropped EXE
        
        PID:2960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1D234~1.EXE > nul
        12⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2F870~1.EXE > nul
        11⤵
        
        PID:1084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AB0EA~1.EXE > nul
        10⤵
        
        PID:904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EE06C~1.EXE > nul
        9⤵
        
        PID:1484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{49F5B~1.EXE > nul
        8⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FD41F~1.EXE > nul
        7⤵
        
        PID:1264
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7A79B~1.EXE > nul
        6⤵
        
        PID:2764
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A061D~1.EXE > nul
        5⤵
        
        PID:2712
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{19FEC~1.EXE > nul
      4⤵
      PID:2196
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{76378~1.EXE > nul
    3⤵
    PID:2684
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{19FECFF4-49A7-4d17-AC92-3990E2D8FF03}.exe

Filesize
216KB

MD5
4af54b42a6cc69c907b714526e04de94

SHA1
638b4b506f1d43b5432f1289edd3551253278d76

SHA256
49690692b02fc15a83321bc182125b2e8395be3aebae4017a6e122aad51f90bd

SHA512
88a8c07ec06b5e5f64fd66a3310b62df310a2cdc173972635804a99fbc3d88cac2fbacfa76898a4a9954972899ba14cf758ef791b70a9d86896b926f08ec84e0

Download Submit
C:\Windows\{1D2346E0-2443-4cd3-9273-8AB3AF051889}.exe

Filesize
216KB

MD5
bba2dfe7e8029da9c0e44796584344e5

SHA1
6b6a9a6a3e5d8b3b3beb191c75df3f06bb37621c

SHA256
5a71d773d2caaf940b15524ff1f9ae5fbaf9ac0b021a0f03a0fa29487ff33e6a

SHA512
fe87e22fb2ac37b0a6bbb24858460b0a19d6e4badfe375a11a08c87ef6009c769959402479e250c44e00dbdf9c1db1c4529949013bebad6b8abf22a277d5cffc

Download Submit
C:\Windows\{2F870B18-C6CF-47f5-8F54-B9883333A3C9}.exe

Filesize
216KB

MD5
3367f9b48ee36a8b9aaf12662225e604

SHA1
aba87079483f8290eebf3a822b95a0b43488a72d

SHA256
d693c74fb054c4e81753b4b2cec894797144738c25552b76174ef82a8875c199

SHA512
62bf6e62c4f9ffd7794e7ff3c40d13afb99ca531bd7cac25a57ccbe76ae143b356173f53fec8e50695337c23f69f962044c676b66974e35aeaf731cb8d63b900

Download Submit
C:\Windows\{49F5B1C8-105E-4b50-A9FD-32EDD2B5F4A6}.exe

Filesize
216KB

MD5
1123c8c54b461648748b37e9ec58aba2

SHA1
4d4d947305a67d33bf14b301d3b542081426531e

SHA256
60aab9d9817d02d311e34f5b249e1e566cd61809af1ece23895d11e13d36fd7c

SHA512
79203873bab82a5f4f0c5285fedff6b473a64864758438b2af898d66e338a110f325f3131122a94b7216ce4d9d987aa99d1eecad9d26addfdbd2f71dbead985c

Download Submit
C:\Windows\{76378112-568B-471b-891F-7AC8ABBF258E}.exe

Filesize
216KB

MD5
394e650fded9c91edb18b3c5e4d792c0

SHA1
5a8b7a0907bae43a5cba881d1eae23b9e7d7179b

SHA256
2c60a9ab03959d7679c35bc93514ba34d8419270db115cc45ceb2f87f161a24f

SHA512
dddcc7643fb4097c5a55e33a5cbfe6ac1de1936f19921e43378354f9a2a2fce95382acec24763f811053a43a295567b960c137f1d930983f4b8838a407309377

Download Submit
C:\Windows\{7A79BB40-F4F2-42e7-845F-0B316F37B43A}.exe

Filesize
216KB

MD5
1e0295525fd220895b1f05d02cabdd0c

SHA1
7fc8aed99e53011d980993ee1f013f5b1e9ca920

SHA256
768fac4281d742cc6d4e2a1425b17af41f21b73ab83a006a354fe50d916a75c8

SHA512
c18acbcc0d667dc7d7572281278eb5c2945d8f12155f0e6978bd0c2ccc2f78a86c782a29349acbe0954830f5d765f1e823a11df491d9c0d953246cc0cb9c6479

Download Submit
C:\Windows\{A061D285-A3C9-4570-A8DB-C55849948AD0}.exe

Filesize
216KB

MD5
46d8ffe7df71cfcf4ebfc079fdddd52e

SHA1
c0b1c9ede0fab710c47b2c80d64221c886689ec4

SHA256
d557521df3a3a997dd929ad7aaad4eb0373986dcef0a783ca314747192fa08e1

SHA512
7e89561b8768525685c0bec5019d0854940596ffd7840b7e2fc9a64021f5abd6b36af8128f267d4587fc9aecba723b148ee8d957f2914db4e31f3d6acad14215

Download Submit
C:\Windows\{AB0EA96F-087D-49a5-AEC2-5DBFEB2E5DDE}.exe

Filesize
216KB

MD5
bc3a0c929f9ea7724156a14d7dcca848

SHA1
29c34b77ef542d4a7c00f68ad77aef7f86607c0a

SHA256
81c94bb47180ac073c922700c19bb573ff4d1bb2706e61607e60a9cc468619c9

SHA512
9f0ab416df34c2a25aeb093ba9b711fca3dc9769da5c2083cd3262e4fe7d30947d1b0d2b160d2c60f0a9286789afc6782e1695baacdc3d75049e31c602d3fb13

Download Submit
C:\Windows\{DB0F6FCD-D03A-4944-A0CE-8644F7034204}.exe

Filesize
216KB

MD5
a00e62a0a196f7207af6a7a2b06bdf60

SHA1
03ee4f0ea10f4a0620987a0b9bf78f7b55e66f6a

SHA256
6120f249c4ff123317c526bb6786cbc1d2f61b0eed296f521758f404b3b7d20e

SHA512
47690733b46b846cf9638a3c1d0e225e6bd3d10869f7f516a3f99510b330fe14d62a7d76436de8e8d94e1becd5273928aaaec28447c879a2839aa9e2f35a3097

Download Submit
C:\Windows\{EE06C084-3175-4d2a-A85B-D0578DC02BA3}.exe

Filesize
216KB

MD5
ff2ee8f4381dfe982224ec43d9c9e3fc

SHA1
908e0506f651b0d3af54bbd30d4fc0476f0aa930

SHA256
6dc0df68a70d328fbbbcd6099fd07c7cf58dd33059883dc8d2008a579916c20a

SHA512
882a4d11ab0f630efb2308511b43e92c2de5731220f55659db78aea95494c17ada66d1151a66ae7934556b4e5a81194060177fcc1f817fbc717d717147602c96

Download Submit
C:\Windows\{FD41F0D9-5CBA-4573-B5DA-99F83036515E}.exe

Filesize
216KB

MD5
74c33744e4ad6e9dd5ab9a1e66f34a78

SHA1
5900d85432e1a7fa2a33b4bcce1ee6f53e13852f

SHA256
3eb3f5d1a88e316fe10d005731fd9aa555bd39070b394245a93dbe8906736eb5

SHA512
5fa000ef156bb54ba87d7fa84ddd761ba3779605f2784b6ef41288c4fa2d58259c795290601cd145bf2da0139821677f100806129bade9cd6b6fbd4efb4da02f

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads