956a7a4acd43f7e390107bd102077f8238a0c85cd9472194fd4abf40142c9deb

Analysis

max time kernel
144s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
18-04-2024 22:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-18_4112befc0c0de62d228b31ada1e9f351_goldeneye.exe
Size

372KB
MD5

4112befc0c0de62d228b31ada1e9f351
SHA1

a36333c468ea42fbfad7d97c67d88c2ad6b633ad
SHA256

956a7a4acd43f7e390107bd102077f8238a0c85cd9472194fd4abf40142c9deb
SHA512

9936aa44518a1dbc2dbc300a1c4159bff893b248f3fc9fdd650dc6f26da135cb79518a72e4c615e7479dbbbfc2ff3d8e07320ab81db54dc4cd1c2993cea62f5d
SSDEEP

3072:CEGh0o9lMOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBfM:CEGjlkOe2MUVg3vTeKcAEciTBqr3

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000b00000001223a-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d00000001449a-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c00000001223a-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0034000000014701-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d00000001223a-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e00000001223a-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f00000001223a-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6E5433BB-9220-490c-9F72-39131FAAA389}	{56098EF8-B772-4fa2-9DED-22C99A154DF3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2F251A76-3088-4820-8AA9-254BC4F2DF6F}	{B3DAC4EB-F322-4164-A4A8-97F925A8C1DC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7E90A404-67CD-4b47-B7C7-7B88EE48BEC7}\stubpath = "C:\\Windows\\{7E90A404-67CD-4b47-B7C7-7B88EE48BEC7}.exe"	{2F251A76-3088-4820-8AA9-254BC4F2DF6F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E7AFE738-81E9-4e15-95FE-FBCB0286B7CF}	{C5F14ED3-1C8D-4a16-BAA5-4D3029FA3D6C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C5F14ED3-1C8D-4a16-BAA5-4D3029FA3D6C}	{7E90A404-67CD-4b47-B7C7-7B88EE48BEC7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C5F14ED3-1C8D-4a16-BAA5-4D3029FA3D6C}\stubpath = "C:\\Windows\\{C5F14ED3-1C8D-4a16-BAA5-4D3029FA3D6C}.exe"	{7E90A404-67CD-4b47-B7C7-7B88EE48BEC7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{56098EF8-B772-4fa2-9DED-22C99A154DF3}	2024-04-18_4112befc0c0de62d228b31ada1e9f351_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{825319BF-356C-4211-A08D-8B6E550E9353}\stubpath = "C:\\Windows\\{825319BF-356C-4211-A08D-8B6E550E9353}.exe"	{DF5B9670-524D-4eb2-8515-18010CA0A964}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{71E66D56-47DC-4fad-87E3-5AB0F2FDE84F}	{825319BF-356C-4211-A08D-8B6E550E9353}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7E90A404-67CD-4b47-B7C7-7B88EE48BEC7}	{2F251A76-3088-4820-8AA9-254BC4F2DF6F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B3DAC4EB-F322-4164-A4A8-97F925A8C1DC}\stubpath = "C:\\Windows\\{B3DAC4EB-F322-4164-A4A8-97F925A8C1DC}.exe"	{71E66D56-47DC-4fad-87E3-5AB0F2FDE84F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E7AFE738-81E9-4e15-95FE-FBCB0286B7CF}\stubpath = "C:\\Windows\\{E7AFE738-81E9-4e15-95FE-FBCB0286B7CF}.exe"	{C5F14ED3-1C8D-4a16-BAA5-4D3029FA3D6C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0FC64D5F-D75B-4088-8B20-30AAB092A594}\stubpath = "C:\\Windows\\{0FC64D5F-D75B-4088-8B20-30AAB092A594}.exe"	{E7AFE738-81E9-4e15-95FE-FBCB0286B7CF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6E5433BB-9220-490c-9F72-39131FAAA389}\stubpath = "C:\\Windows\\{6E5433BB-9220-490c-9F72-39131FAAA389}.exe"	{56098EF8-B772-4fa2-9DED-22C99A154DF3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DF5B9670-524D-4eb2-8515-18010CA0A964}	{6E5433BB-9220-490c-9F72-39131FAAA389}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{71E66D56-47DC-4fad-87E3-5AB0F2FDE84F}\stubpath = "C:\\Windows\\{71E66D56-47DC-4fad-87E3-5AB0F2FDE84F}.exe"	{825319BF-356C-4211-A08D-8B6E550E9353}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B3DAC4EB-F322-4164-A4A8-97F925A8C1DC}	{71E66D56-47DC-4fad-87E3-5AB0F2FDE84F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0FC64D5F-D75B-4088-8B20-30AAB092A594}	{E7AFE738-81E9-4e15-95FE-FBCB0286B7CF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{56098EF8-B772-4fa2-9DED-22C99A154DF3}\stubpath = "C:\\Windows\\{56098EF8-B772-4fa2-9DED-22C99A154DF3}.exe"	2024-04-18_4112befc0c0de62d228b31ada1e9f351_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DF5B9670-524D-4eb2-8515-18010CA0A964}\stubpath = "C:\\Windows\\{DF5B9670-524D-4eb2-8515-18010CA0A964}.exe"	{6E5433BB-9220-490c-9F72-39131FAAA389}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{825319BF-356C-4211-A08D-8B6E550E9353}	{DF5B9670-524D-4eb2-8515-18010CA0A964}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2F251A76-3088-4820-8AA9-254BC4F2DF6F}\stubpath = "C:\\Windows\\{2F251A76-3088-4820-8AA9-254BC4F2DF6F}.exe"	{B3DAC4EB-F322-4164-A4A8-97F925A8C1DC}.exe

Deletes itself 1 IoCs

pid	Process
2492	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2168	{56098EF8-B772-4fa2-9DED-22C99A154DF3}.exe
2716	{6E5433BB-9220-490c-9F72-39131FAAA389}.exe
2500	{DF5B9670-524D-4eb2-8515-18010CA0A964}.exe
1572	{825319BF-356C-4211-A08D-8B6E550E9353}.exe
2676	{71E66D56-47DC-4fad-87E3-5AB0F2FDE84F}.exe
1584	{B3DAC4EB-F322-4164-A4A8-97F925A8C1DC}.exe
2112	{2F251A76-3088-4820-8AA9-254BC4F2DF6F}.exe
1228	{7E90A404-67CD-4b47-B7C7-7B88EE48BEC7}.exe
3008	{C5F14ED3-1C8D-4a16-BAA5-4D3029FA3D6C}.exe
2180	{E7AFE738-81E9-4e15-95FE-FBCB0286B7CF}.exe
1056	{0FC64D5F-D75B-4088-8B20-30AAB092A594}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{6E5433BB-9220-490c-9F72-39131FAAA389}.exe	{56098EF8-B772-4fa2-9DED-22C99A154DF3}.exe
File created	C:\Windows\{2F251A76-3088-4820-8AA9-254BC4F2DF6F}.exe	{B3DAC4EB-F322-4164-A4A8-97F925A8C1DC}.exe
File created	C:\Windows\{7E90A404-67CD-4b47-B7C7-7B88EE48BEC7}.exe	{2F251A76-3088-4820-8AA9-254BC4F2DF6F}.exe
File created	C:\Windows\{C5F14ED3-1C8D-4a16-BAA5-4D3029FA3D6C}.exe	{7E90A404-67CD-4b47-B7C7-7B88EE48BEC7}.exe
File created	C:\Windows\{E7AFE738-81E9-4e15-95FE-FBCB0286B7CF}.exe	{C5F14ED3-1C8D-4a16-BAA5-4D3029FA3D6C}.exe
File created	C:\Windows\{0FC64D5F-D75B-4088-8B20-30AAB092A594}.exe	{E7AFE738-81E9-4e15-95FE-FBCB0286B7CF}.exe
File created	C:\Windows\{56098EF8-B772-4fa2-9DED-22C99A154DF3}.exe	2024-04-18_4112befc0c0de62d228b31ada1e9f351_goldeneye.exe
File created	C:\Windows\{825319BF-356C-4211-A08D-8B6E550E9353}.exe	{DF5B9670-524D-4eb2-8515-18010CA0A964}.exe
File created	C:\Windows\{71E66D56-47DC-4fad-87E3-5AB0F2FDE84F}.exe	{825319BF-356C-4211-A08D-8B6E550E9353}.exe
File created	C:\Windows\{B3DAC4EB-F322-4164-A4A8-97F925A8C1DC}.exe	{71E66D56-47DC-4fad-87E3-5AB0F2FDE84F}.exe
File created	C:\Windows\{DF5B9670-524D-4eb2-8515-18010CA0A964}.exe	{6E5433BB-9220-490c-9F72-39131FAAA389}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1904	2024-04-18_4112befc0c0de62d228b31ada1e9f351_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2168	{56098EF8-B772-4fa2-9DED-22C99A154DF3}.exe
Token: SeIncBasePriorityPrivilege	2716	{6E5433BB-9220-490c-9F72-39131FAAA389}.exe
Token: SeIncBasePriorityPrivilege	2500	{DF5B9670-524D-4eb2-8515-18010CA0A964}.exe
Token: SeIncBasePriorityPrivilege	1572	{825319BF-356C-4211-A08D-8B6E550E9353}.exe
Token: SeIncBasePriorityPrivilege	2676	{71E66D56-47DC-4fad-87E3-5AB0F2FDE84F}.exe
Token: SeIncBasePriorityPrivilege	1584	{B3DAC4EB-F322-4164-A4A8-97F925A8C1DC}.exe
Token: SeIncBasePriorityPrivilege	2112	{2F251A76-3088-4820-8AA9-254BC4F2DF6F}.exe
Token: SeIncBasePriorityPrivilege	1228	{7E90A404-67CD-4b47-B7C7-7B88EE48BEC7}.exe
Token: SeIncBasePriorityPrivilege	3008	{C5F14ED3-1C8D-4a16-BAA5-4D3029FA3D6C}.exe
Token: SeIncBasePriorityPrivilege	2180	{E7AFE738-81E9-4e15-95FE-FBCB0286B7CF}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1904 wrote to memory of 2168	1904	2024-04-18_4112befc0c0de62d228b31ada1e9f351_goldeneye.exe	28
PID 1904 wrote to memory of 2168	1904	2024-04-18_4112befc0c0de62d228b31ada1e9f351_goldeneye.exe	28
PID 1904 wrote to memory of 2168	1904	2024-04-18_4112befc0c0de62d228b31ada1e9f351_goldeneye.exe	28
PID 1904 wrote to memory of 2168	1904	2024-04-18_4112befc0c0de62d228b31ada1e9f351_goldeneye.exe	28
PID 1904 wrote to memory of 2492	1904	2024-04-18_4112befc0c0de62d228b31ada1e9f351_goldeneye.exe	29
PID 1904 wrote to memory of 2492	1904	2024-04-18_4112befc0c0de62d228b31ada1e9f351_goldeneye.exe	29
PID 1904 wrote to memory of 2492	1904	2024-04-18_4112befc0c0de62d228b31ada1e9f351_goldeneye.exe	29
PID 1904 wrote to memory of 2492	1904	2024-04-18_4112befc0c0de62d228b31ada1e9f351_goldeneye.exe	29
PID 2168 wrote to memory of 2716	2168	{56098EF8-B772-4fa2-9DED-22C99A154DF3}.exe	30
PID 2168 wrote to memory of 2716	2168	{56098EF8-B772-4fa2-9DED-22C99A154DF3}.exe	30
PID 2168 wrote to memory of 2716	2168	{56098EF8-B772-4fa2-9DED-22C99A154DF3}.exe	30
PID 2168 wrote to memory of 2716	2168	{56098EF8-B772-4fa2-9DED-22C99A154DF3}.exe	30
PID 2168 wrote to memory of 2616	2168	{56098EF8-B772-4fa2-9DED-22C99A154DF3}.exe	31
PID 2168 wrote to memory of 2616	2168	{56098EF8-B772-4fa2-9DED-22C99A154DF3}.exe	31
PID 2168 wrote to memory of 2616	2168	{56098EF8-B772-4fa2-9DED-22C99A154DF3}.exe	31
PID 2168 wrote to memory of 2616	2168	{56098EF8-B772-4fa2-9DED-22C99A154DF3}.exe	31
PID 2716 wrote to memory of 2500	2716	{6E5433BB-9220-490c-9F72-39131FAAA389}.exe	32
PID 2716 wrote to memory of 2500	2716	{6E5433BB-9220-490c-9F72-39131FAAA389}.exe	32
PID 2716 wrote to memory of 2500	2716	{6E5433BB-9220-490c-9F72-39131FAAA389}.exe	32
PID 2716 wrote to memory of 2500	2716	{6E5433BB-9220-490c-9F72-39131FAAA389}.exe	32
PID 2716 wrote to memory of 2412	2716	{6E5433BB-9220-490c-9F72-39131FAAA389}.exe	33
PID 2716 wrote to memory of 2412	2716	{6E5433BB-9220-490c-9F72-39131FAAA389}.exe	33
PID 2716 wrote to memory of 2412	2716	{6E5433BB-9220-490c-9F72-39131FAAA389}.exe	33
PID 2716 wrote to memory of 2412	2716	{6E5433BB-9220-490c-9F72-39131FAAA389}.exe	33
PID 2500 wrote to memory of 1572	2500	{DF5B9670-524D-4eb2-8515-18010CA0A964}.exe	36
PID 2500 wrote to memory of 1572	2500	{DF5B9670-524D-4eb2-8515-18010CA0A964}.exe	36
PID 2500 wrote to memory of 1572	2500	{DF5B9670-524D-4eb2-8515-18010CA0A964}.exe	36
PID 2500 wrote to memory of 1572	2500	{DF5B9670-524D-4eb2-8515-18010CA0A964}.exe	36
PID 2500 wrote to memory of 1428	2500	{DF5B9670-524D-4eb2-8515-18010CA0A964}.exe	37
PID 2500 wrote to memory of 1428	2500	{DF5B9670-524D-4eb2-8515-18010CA0A964}.exe	37
PID 2500 wrote to memory of 1428	2500	{DF5B9670-524D-4eb2-8515-18010CA0A964}.exe	37
PID 2500 wrote to memory of 1428	2500	{DF5B9670-524D-4eb2-8515-18010CA0A964}.exe	37
PID 1572 wrote to memory of 2676	1572	{825319BF-356C-4211-A08D-8B6E550E9353}.exe	38
PID 1572 wrote to memory of 2676	1572	{825319BF-356C-4211-A08D-8B6E550E9353}.exe	38
PID 1572 wrote to memory of 2676	1572	{825319BF-356C-4211-A08D-8B6E550E9353}.exe	38
PID 1572 wrote to memory of 2676	1572	{825319BF-356C-4211-A08D-8B6E550E9353}.exe	38
PID 1572 wrote to memory of 332	1572	{825319BF-356C-4211-A08D-8B6E550E9353}.exe	39
PID 1572 wrote to memory of 332	1572	{825319BF-356C-4211-A08D-8B6E550E9353}.exe	39
PID 1572 wrote to memory of 332	1572	{825319BF-356C-4211-A08D-8B6E550E9353}.exe	39
PID 1572 wrote to memory of 332	1572	{825319BF-356C-4211-A08D-8B6E550E9353}.exe	39
PID 2676 wrote to memory of 1584	2676	{71E66D56-47DC-4fad-87E3-5AB0F2FDE84F}.exe	40
PID 2676 wrote to memory of 1584	2676	{71E66D56-47DC-4fad-87E3-5AB0F2FDE84F}.exe	40
PID 2676 wrote to memory of 1584	2676	{71E66D56-47DC-4fad-87E3-5AB0F2FDE84F}.exe	40
PID 2676 wrote to memory of 1584	2676	{71E66D56-47DC-4fad-87E3-5AB0F2FDE84F}.exe	40
PID 2676 wrote to memory of 1800	2676	{71E66D56-47DC-4fad-87E3-5AB0F2FDE84F}.exe	41
PID 2676 wrote to memory of 1800	2676	{71E66D56-47DC-4fad-87E3-5AB0F2FDE84F}.exe	41
PID 2676 wrote to memory of 1800	2676	{71E66D56-47DC-4fad-87E3-5AB0F2FDE84F}.exe	41
PID 2676 wrote to memory of 1800	2676	{71E66D56-47DC-4fad-87E3-5AB0F2FDE84F}.exe	41
PID 1584 wrote to memory of 2112	1584	{B3DAC4EB-F322-4164-A4A8-97F925A8C1DC}.exe	42
PID 1584 wrote to memory of 2112	1584	{B3DAC4EB-F322-4164-A4A8-97F925A8C1DC}.exe	42
PID 1584 wrote to memory of 2112	1584	{B3DAC4EB-F322-4164-A4A8-97F925A8C1DC}.exe	42
PID 1584 wrote to memory of 2112	1584	{B3DAC4EB-F322-4164-A4A8-97F925A8C1DC}.exe	42
PID 1584 wrote to memory of 2104	1584	{B3DAC4EB-F322-4164-A4A8-97F925A8C1DC}.exe	43
PID 1584 wrote to memory of 2104	1584	{B3DAC4EB-F322-4164-A4A8-97F925A8C1DC}.exe	43
PID 1584 wrote to memory of 2104	1584	{B3DAC4EB-F322-4164-A4A8-97F925A8C1DC}.exe	43
PID 1584 wrote to memory of 2104	1584	{B3DAC4EB-F322-4164-A4A8-97F925A8C1DC}.exe	43
PID 2112 wrote to memory of 1228	2112	{2F251A76-3088-4820-8AA9-254BC4F2DF6F}.exe	44
PID 2112 wrote to memory of 1228	2112	{2F251A76-3088-4820-8AA9-254BC4F2DF6F}.exe	44
PID 2112 wrote to memory of 1228	2112	{2F251A76-3088-4820-8AA9-254BC4F2DF6F}.exe	44
PID 2112 wrote to memory of 1228	2112	{2F251A76-3088-4820-8AA9-254BC4F2DF6F}.exe	44
PID 2112 wrote to memory of 1332	2112	{2F251A76-3088-4820-8AA9-254BC4F2DF6F}.exe	45
PID 2112 wrote to memory of 1332	2112	{2F251A76-3088-4820-8AA9-254BC4F2DF6F}.exe	45
PID 2112 wrote to memory of 1332	2112	{2F251A76-3088-4820-8AA9-254BC4F2DF6F}.exe	45
PID 2112 wrote to memory of 1332	2112	{2F251A76-3088-4820-8AA9-254BC4F2DF6F}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-04-18_4112befc0c0de62d228b31ada1e9f351_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-18_4112befc0c0de62d228b31ada1e9f351_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1904
- C:\Windows\{56098EF8-B772-4fa2-9DED-22C99A154DF3}.exe
  C:\Windows\{56098EF8-B772-4fa2-9DED-22C99A154DF3}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2168
- - C:\Windows\{6E5433BB-9220-490c-9F72-39131FAAA389}.exe
    C:\Windows\{6E5433BB-9220-490c-9F72-39131FAAA389}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2716
  - - C:\Windows\{DF5B9670-524D-4eb2-8515-18010CA0A964}.exe
      C:\Windows\{DF5B9670-524D-4eb2-8515-18010CA0A964}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2500
    - - C:\Windows\{825319BF-356C-4211-A08D-8B6E550E9353}.exe
        
        C:\Windows\{825319BF-356C-4211-A08D-8B6E550E9353}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1572
      - C:\Windows\{71E66D56-47DC-4fad-87E3-5AB0F2FDE84F}.exe
        
        C:\Windows\{71E66D56-47DC-4fad-87E3-5AB0F2FDE84F}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2676
        
        C:\Windows\{B3DAC4EB-F322-4164-A4A8-97F925A8C1DC}.exe
        
        C:\Windows\{B3DAC4EB-F322-4164-A4A8-97F925A8C1DC}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1584
        
        C:\Windows\{2F251A76-3088-4820-8AA9-254BC4F2DF6F}.exe
        
        C:\Windows\{2F251A76-3088-4820-8AA9-254BC4F2DF6F}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2112
        
        C:\Windows\{7E90A404-67CD-4b47-B7C7-7B88EE48BEC7}.exe
        
        C:\Windows\{7E90A404-67CD-4b47-B7C7-7B88EE48BEC7}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1228
        
        C:\Windows\{C5F14ED3-1C8D-4a16-BAA5-4D3029FA3D6C}.exe
        
        C:\Windows\{C5F14ED3-1C8D-4a16-BAA5-4D3029FA3D6C}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3008
        
        C:\Windows\{E7AFE738-81E9-4e15-95FE-FBCB0286B7CF}.exe
        
        C:\Windows\{E7AFE738-81E9-4e15-95FE-FBCB0286B7CF}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2180
        
        C:\Windows\{0FC64D5F-D75B-4088-8B20-30AAB092A594}.exe
        
        C:\Windows\{0FC64D5F-D75B-4088-8B20-30AAB092A594}.exe
        12⤵
        Executes dropped EXE
        
        PID:1056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E7AFE~1.EXE > nul
        12⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C5F14~1.EXE > nul
        11⤵
        
        PID:700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7E90A~1.EXE > nul
        10⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2F251~1.EXE > nul
        9⤵
        
        PID:1332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B3DAC~1.EXE > nul
        8⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{71E66~1.EXE > nul
        7⤵
        
        PID:1800
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{82531~1.EXE > nul
        6⤵
        
        PID:332
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DF5B9~1.EXE > nul
        5⤵
        
        PID:1428
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{6E543~1.EXE > nul
      4⤵
      PID:2412
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{56098~1.EXE > nul
    3⤵
    PID:2616
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0FC64D5F-D75B-4088-8B20-30AAB092A594}.exe

Filesize
372KB

MD5
bb5d605f74604baab87c781943c67fa6

SHA1
d578b68014d1c097016484a7af5636869e594b62

SHA256
1b35e37c14c6674e06bef1f02bc2ac8a42d359600b4731f7403fde44e2a30803

SHA512
38fa8c9663d96a154f9a369614d77d384bc4932dc2366d25f25c1b22c2569c2ff5fbe9e31bbe1379733ec2d37b7c750b5c5fcd062f65934d893a0ab52aad86e4

Download Submit
C:\Windows\{2F251A76-3088-4820-8AA9-254BC4F2DF6F}.exe

Filesize
372KB

MD5
d607f054eece191a5a8296475744c96c

SHA1
b82ccdd397d681c8a6256de3715f18f8b2a9b8e2

SHA256
2ddc53e0631fce30fd57ca76988153d3acf878edb2319e7474a8a499a279c75f

SHA512
edae4bfd471946962ce3ba994abbfb8d0896947704894a11cb47f6b0cee665c1ab49a6c5d37c9c7166f0c683d98a47135aa4a0a3b2ed8bc30440762aaf0cad26

Download Submit
C:\Windows\{56098EF8-B772-4fa2-9DED-22C99A154DF3}.exe

Filesize
372KB

MD5
600255da4a0f0ab0acbf22a81b6d4288

SHA1
a9604315a308edf63de209b1a3320a87b47bea6a

SHA256
696acf4de56d541f69ad554815e5f0dba4282b20fd1d5e4ba568cd3e367b6428

SHA512
667ae845112aa5600822accbf9936f357ce297b8705f927a58b640ae80a7269324567642d0879a3e1ed01cb1d36a23984e0ad8f3ec5e73ad1a4bcc14d2ec5b69

Download Submit
C:\Windows\{6E5433BB-9220-490c-9F72-39131FAAA389}.exe

Filesize
372KB

MD5
99fdc649f929e2b114946c6210bfda62

SHA1
f4188bbf09fbf3655298ecc4abaccf5afd12bcaa

SHA256
72c0ef0e66f2e825b87fed043cb5f02e6d43f6a6d2c28076d35d7fec3627069b

SHA512
0bf5c38f7942b9581fb93905a04fbdcc488490f4aa146da58d2fb5d133d7c4605856f7631b39f23e68e93aedeadfc449e0dec1ef56edb9f200c7cf3f0157d7de

Download Submit
C:\Windows\{71E66D56-47DC-4fad-87E3-5AB0F2FDE84F}.exe

Filesize
372KB

MD5
e9dea652ff7e9eafc59857908321d584

SHA1
f2def12c625560c3cca43f2fdb1b0355f5655960

SHA256
e8e0d2976e956a235049668722576fdd6d71fab60ca2117523fec5f8d706f548

SHA512
adab9de17383dd3708c1c5221b46bac4fb0b96d96cf2928ad9e30d10ac9a6637582ec18c67da659905ad49a02dc68d47076b33ecaf23128af1ab9e63167aca6e

Download Submit
C:\Windows\{7E90A404-67CD-4b47-B7C7-7B88EE48BEC7}.exe

Filesize
372KB

MD5
47a4b939c8be5a177940cffcce415ff4

SHA1
e2eab8506008f94b9fb39895de394bf9c33ccaa2

SHA256
aafeeedba1de3b271472cb98eaffeb7b99d419475d689b030f5692fc3726c164

SHA512
71e47a96d4f15ade66052e032ebf5e5a42ba34bb43efd4f295663e46a2eb959942395f7e579b13726e2f13178a45a3124f5e3a75d7a1749e936c11e2ab826316

Download Submit
C:\Windows\{825319BF-356C-4211-A08D-8B6E550E9353}.exe

Filesize
372KB

MD5
709ef24b84593b0a8133ef35cea01189

SHA1
7130436bd8f1c11319e2225589720384b444c4d5

SHA256
7566d6e12336536ef9eec93683cada352a9df40709a4fd48157664deda678f7b

SHA512
05cf890f15c318f1322da54d059d043f238f66ae1389f16f50b640ecedc7ad512972a4e84e1217e1f425cb25faaa346a27ee981dc2c3384ba4c62be4886bb29f

Download Submit
C:\Windows\{B3DAC4EB-F322-4164-A4A8-97F925A8C1DC}.exe

Filesize
372KB

MD5
c068ecffaaa349e5168cb4a2b1e043bd

SHA1
ca654f7e6063a60856461d7aa77d3c8c6e15b146

SHA256
e969ef7106548010db77d61950f8a5a528b4c6fd2e21fd90aba266894647c78e

SHA512
0e152b29a662cee8d6dcef98f0a50dd1c06b7992e98ed2dc29c43d6c4467b5dccb96777f77c985ec2246a1407c6c7456a7c06ab54f1b97e3825a7da0e3aa6c5f

Download Submit
C:\Windows\{C5F14ED3-1C8D-4a16-BAA5-4D3029FA3D6C}.exe

Filesize
372KB

MD5
cddae2cc1d2b52d4c1e5dd5de70bd46a

SHA1
92b1779527ee9a86fcbcb643839502c772cdbe6e

SHA256
08316ffed2d1044044201d49684b88fe92647cba218779e9094f09c36a250756

SHA512
fe57ad8a303ef30e59a0a3e7613136769ca8a521a4d0d7250c10d16b9880127388470b189b4a9671ae2c666edf94f25ef982c49744375248cc999258aa4eaff0

Download Submit
C:\Windows\{DF5B9670-524D-4eb2-8515-18010CA0A964}.exe

Filesize
372KB

MD5
01612be0474c060281c26fd0e45051ad

SHA1
039a71b72ddefcf661c43caf0637e12b78f14131

SHA256
d693561aa33cad351cedd260157f538fe4dabe24bafc435f03f92bea9c255f88

SHA512
7780e3e57389dcf53b8f3b23ce89efc4d6a2fa93895aa9ab56e60966816b21c872a4839c7be800c6c879f00714596a7e69d6f9e415cab579c1e2ad5771dd6624

Download Submit
C:\Windows\{E7AFE738-81E9-4e15-95FE-FBCB0286B7CF}.exe

Filesize
372KB

MD5
d5f182f57d12a5202e24a59c591aafe2

SHA1
f82f35546f335317a8d88948aa5bcd5beb6e306b

SHA256
ad7513cf8b562b533c198c614da8e3d8b5b6421a6298689826d2640d23e3edb9

SHA512
0b164f0f04847e2aaf232a86e8b464bd3d80681bfe39599e99d68741e16899a97e9353359b6a0dd7a2e5bc0a5c6fe7aa43474f839434c6e97af93bb8dfb9f678

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads