fb76ee27c87095423533fab016217f195210ed5a652c7a59b406a85262042fa6

Analysis

max time kernel
144s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
19/04/2024, 02:53

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-04-19_9d6ccde438daee06bc1e771c223a0d6d_goldeneye.exe
Size

408KB
MD5

9d6ccde438daee06bc1e771c223a0d6d
SHA1

217a7191dd4dc7a06e8056b7fb75208784f15ce1
SHA256

fb76ee27c87095423533fab016217f195210ed5a652c7a59b406a85262042fa6
SHA512

c845acf540a41422bf4a933451c42aed8896d1fba44a27e96b1111ef0ddb3a9b2343c385c6f4adb6e30b2453e4c43eddb67beb41b14092cd53da8f507a6f263e
SSDEEP

3072:CEGh0oFl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBft:CEGnldOe2MUVg3vTeKcAEciTBqr3jy9

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x0009000000012272-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d0000000122d5-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0034000000014f02-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000900000000f6f2-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0035000000014f02-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a00000000f6f2-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0036000000014f02-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b00000000f6f2-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0037000000014f02-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c00000000f6f2-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0038000000014f02-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{41616041-9FC5-4cb6-BF60-59822CE505C9}	{027999B1-DCF4-425b-AF40-347862385272}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7EAB169C-53E6-49af-BEF4-E363D4A9DF8E}	2024-04-19_9d6ccde438daee06bc1e771c223a0d6d_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{027999B1-DCF4-425b-AF40-347862385272}	{7EAB169C-53E6-49af-BEF4-E363D4A9DF8E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DF590B73-0EEE-44b8-9EF3-C32B99488D42}	{41616041-9FC5-4cb6-BF60-59822CE505C9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DF590B73-0EEE-44b8-9EF3-C32B99488D42}\stubpath = "C:\\Windows\\{DF590B73-0EEE-44b8-9EF3-C32B99488D42}.exe"	{41616041-9FC5-4cb6-BF60-59822CE505C9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E502F3A0-A0FC-44ba-98E4-AD9523BD84AE}	{DF590B73-0EEE-44b8-9EF3-C32B99488D42}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{669005F1-382B-4607-B7F8-70885EDCDFC8}\stubpath = "C:\\Windows\\{669005F1-382B-4607-B7F8-70885EDCDFC8}.exe"	{52DFC96C-2D48-407e-9F5B-5F1F507CDD5C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{293750FA-A75A-4d78-94B6-68ADD3BB35C4}\stubpath = "C:\\Windows\\{293750FA-A75A-4d78-94B6-68ADD3BB35C4}.exe"	{4EBAC39E-874A-4ea2-B9C4-CA7C3FE3D114}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{41616041-9FC5-4cb6-BF60-59822CE505C9}\stubpath = "C:\\Windows\\{41616041-9FC5-4cb6-BF60-59822CE505C9}.exe"	{027999B1-DCF4-425b-AF40-347862385272}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E502F3A0-A0FC-44ba-98E4-AD9523BD84AE}\stubpath = "C:\\Windows\\{E502F3A0-A0FC-44ba-98E4-AD9523BD84AE}.exe"	{DF590B73-0EEE-44b8-9EF3-C32B99488D42}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4EBAC39E-874A-4ea2-B9C4-CA7C3FE3D114}	{669005F1-382B-4607-B7F8-70885EDCDFC8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4EBAC39E-874A-4ea2-B9C4-CA7C3FE3D114}\stubpath = "C:\\Windows\\{4EBAC39E-874A-4ea2-B9C4-CA7C3FE3D114}.exe"	{669005F1-382B-4607-B7F8-70885EDCDFC8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B9D78B5E-DD11-4f68-89E0-62731B4C5599}\stubpath = "C:\\Windows\\{B9D78B5E-DD11-4f68-89E0-62731B4C5599}.exe"	{293750FA-A75A-4d78-94B6-68ADD3BB35C4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B06337A3-8054-4c84-AE27-071ED22D7021}	{B9D78B5E-DD11-4f68-89E0-62731B4C5599}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B06337A3-8054-4c84-AE27-071ED22D7021}\stubpath = "C:\\Windows\\{B06337A3-8054-4c84-AE27-071ED22D7021}.exe"	{B9D78B5E-DD11-4f68-89E0-62731B4C5599}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7EAB169C-53E6-49af-BEF4-E363D4A9DF8E}\stubpath = "C:\\Windows\\{7EAB169C-53E6-49af-BEF4-E363D4A9DF8E}.exe"	2024-04-19_9d6ccde438daee06bc1e771c223a0d6d_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{027999B1-DCF4-425b-AF40-347862385272}\stubpath = "C:\\Windows\\{027999B1-DCF4-425b-AF40-347862385272}.exe"	{7EAB169C-53E6-49af-BEF4-E363D4A9DF8E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{52DFC96C-2D48-407e-9F5B-5F1F507CDD5C}	{E502F3A0-A0FC-44ba-98E4-AD9523BD84AE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{52DFC96C-2D48-407e-9F5B-5F1F507CDD5C}\stubpath = "C:\\Windows\\{52DFC96C-2D48-407e-9F5B-5F1F507CDD5C}.exe"	{E502F3A0-A0FC-44ba-98E4-AD9523BD84AE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{669005F1-382B-4607-B7F8-70885EDCDFC8}	{52DFC96C-2D48-407e-9F5B-5F1F507CDD5C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{293750FA-A75A-4d78-94B6-68ADD3BB35C4}	{4EBAC39E-874A-4ea2-B9C4-CA7C3FE3D114}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B9D78B5E-DD11-4f68-89E0-62731B4C5599}	{293750FA-A75A-4d78-94B6-68ADD3BB35C4}.exe

Deletes itself 1 IoCs

pid	Process
2928	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2528	{7EAB169C-53E6-49af-BEF4-E363D4A9DF8E}.exe
2520	{027999B1-DCF4-425b-AF40-347862385272}.exe
2400	{41616041-9FC5-4cb6-BF60-59822CE505C9}.exe
1956	{DF590B73-0EEE-44b8-9EF3-C32B99488D42}.exe
2480	{E502F3A0-A0FC-44ba-98E4-AD9523BD84AE}.exe
2152	{52DFC96C-2D48-407e-9F5B-5F1F507CDD5C}.exe
2340	{669005F1-382B-4607-B7F8-70885EDCDFC8}.exe
1100	{4EBAC39E-874A-4ea2-B9C4-CA7C3FE3D114}.exe
1380	{293750FA-A75A-4d78-94B6-68ADD3BB35C4}.exe
2248	{B9D78B5E-DD11-4f68-89E0-62731B4C5599}.exe
2904	{B06337A3-8054-4c84-AE27-071ED22D7021}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{52DFC96C-2D48-407e-9F5B-5F1F507CDD5C}.exe	{E502F3A0-A0FC-44ba-98E4-AD9523BD84AE}.exe
File created	C:\Windows\{669005F1-382B-4607-B7F8-70885EDCDFC8}.exe	{52DFC96C-2D48-407e-9F5B-5F1F507CDD5C}.exe
File created	C:\Windows\{4EBAC39E-874A-4ea2-B9C4-CA7C3FE3D114}.exe	{669005F1-382B-4607-B7F8-70885EDCDFC8}.exe
File created	C:\Windows\{B9D78B5E-DD11-4f68-89E0-62731B4C5599}.exe	{293750FA-A75A-4d78-94B6-68ADD3BB35C4}.exe
File created	C:\Windows\{B06337A3-8054-4c84-AE27-071ED22D7021}.exe	{B9D78B5E-DD11-4f68-89E0-62731B4C5599}.exe
File created	C:\Windows\{7EAB169C-53E6-49af-BEF4-E363D4A9DF8E}.exe	2024-04-19_9d6ccde438daee06bc1e771c223a0d6d_goldeneye.exe
File created	C:\Windows\{DF590B73-0EEE-44b8-9EF3-C32B99488D42}.exe	{41616041-9FC5-4cb6-BF60-59822CE505C9}.exe
File created	C:\Windows\{E502F3A0-A0FC-44ba-98E4-AD9523BD84AE}.exe	{DF590B73-0EEE-44b8-9EF3-C32B99488D42}.exe
File created	C:\Windows\{293750FA-A75A-4d78-94B6-68ADD3BB35C4}.exe	{4EBAC39E-874A-4ea2-B9C4-CA7C3FE3D114}.exe
File created	C:\Windows\{027999B1-DCF4-425b-AF40-347862385272}.exe	{7EAB169C-53E6-49af-BEF4-E363D4A9DF8E}.exe
File created	C:\Windows\{41616041-9FC5-4cb6-BF60-59822CE505C9}.exe	{027999B1-DCF4-425b-AF40-347862385272}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1924	2024-04-19_9d6ccde438daee06bc1e771c223a0d6d_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2528	{7EAB169C-53E6-49af-BEF4-E363D4A9DF8E}.exe
Token: SeIncBasePriorityPrivilege	2520	{027999B1-DCF4-425b-AF40-347862385272}.exe
Token: SeIncBasePriorityPrivilege	2400	{41616041-9FC5-4cb6-BF60-59822CE505C9}.exe
Token: SeIncBasePriorityPrivilege	1956	{DF590B73-0EEE-44b8-9EF3-C32B99488D42}.exe
Token: SeIncBasePriorityPrivilege	2480	{E502F3A0-A0FC-44ba-98E4-AD9523BD84AE}.exe
Token: SeIncBasePriorityPrivilege	2152	{52DFC96C-2D48-407e-9F5B-5F1F507CDD5C}.exe
Token: SeIncBasePriorityPrivilege	2340	{669005F1-382B-4607-B7F8-70885EDCDFC8}.exe
Token: SeIncBasePriorityPrivilege	1100	{4EBAC39E-874A-4ea2-B9C4-CA7C3FE3D114}.exe
Token: SeIncBasePriorityPrivilege	1380	{293750FA-A75A-4d78-94B6-68ADD3BB35C4}.exe
Token: SeIncBasePriorityPrivilege	2248	{B9D78B5E-DD11-4f68-89E0-62731B4C5599}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1924 wrote to memory of 2528	1924	2024-04-19_9d6ccde438daee06bc1e771c223a0d6d_goldeneye.exe	28
PID 1924 wrote to memory of 2528	1924	2024-04-19_9d6ccde438daee06bc1e771c223a0d6d_goldeneye.exe	28
PID 1924 wrote to memory of 2528	1924	2024-04-19_9d6ccde438daee06bc1e771c223a0d6d_goldeneye.exe	28
PID 1924 wrote to memory of 2528	1924	2024-04-19_9d6ccde438daee06bc1e771c223a0d6d_goldeneye.exe	28
PID 1924 wrote to memory of 2928	1924	2024-04-19_9d6ccde438daee06bc1e771c223a0d6d_goldeneye.exe	29
PID 1924 wrote to memory of 2928	1924	2024-04-19_9d6ccde438daee06bc1e771c223a0d6d_goldeneye.exe	29
PID 1924 wrote to memory of 2928	1924	2024-04-19_9d6ccde438daee06bc1e771c223a0d6d_goldeneye.exe	29
PID 1924 wrote to memory of 2928	1924	2024-04-19_9d6ccde438daee06bc1e771c223a0d6d_goldeneye.exe	29
PID 2528 wrote to memory of 2520	2528	{7EAB169C-53E6-49af-BEF4-E363D4A9DF8E}.exe	30
PID 2528 wrote to memory of 2520	2528	{7EAB169C-53E6-49af-BEF4-E363D4A9DF8E}.exe	30
PID 2528 wrote to memory of 2520	2528	{7EAB169C-53E6-49af-BEF4-E363D4A9DF8E}.exe	30
PID 2528 wrote to memory of 2520	2528	{7EAB169C-53E6-49af-BEF4-E363D4A9DF8E}.exe	30
PID 2528 wrote to memory of 2612	2528	{7EAB169C-53E6-49af-BEF4-E363D4A9DF8E}.exe	31
PID 2528 wrote to memory of 2612	2528	{7EAB169C-53E6-49af-BEF4-E363D4A9DF8E}.exe	31
PID 2528 wrote to memory of 2612	2528	{7EAB169C-53E6-49af-BEF4-E363D4A9DF8E}.exe	31
PID 2528 wrote to memory of 2612	2528	{7EAB169C-53E6-49af-BEF4-E363D4A9DF8E}.exe	31
PID 2520 wrote to memory of 2400	2520	{027999B1-DCF4-425b-AF40-347862385272}.exe	34
PID 2520 wrote to memory of 2400	2520	{027999B1-DCF4-425b-AF40-347862385272}.exe	34
PID 2520 wrote to memory of 2400	2520	{027999B1-DCF4-425b-AF40-347862385272}.exe	34
PID 2520 wrote to memory of 2400	2520	{027999B1-DCF4-425b-AF40-347862385272}.exe	34
PID 2520 wrote to memory of 2460	2520	{027999B1-DCF4-425b-AF40-347862385272}.exe	35
PID 2520 wrote to memory of 2460	2520	{027999B1-DCF4-425b-AF40-347862385272}.exe	35
PID 2520 wrote to memory of 2460	2520	{027999B1-DCF4-425b-AF40-347862385272}.exe	35
PID 2520 wrote to memory of 2460	2520	{027999B1-DCF4-425b-AF40-347862385272}.exe	35
PID 2400 wrote to memory of 1956	2400	{41616041-9FC5-4cb6-BF60-59822CE505C9}.exe	36
PID 2400 wrote to memory of 1956	2400	{41616041-9FC5-4cb6-BF60-59822CE505C9}.exe	36
PID 2400 wrote to memory of 1956	2400	{41616041-9FC5-4cb6-BF60-59822CE505C9}.exe	36
PID 2400 wrote to memory of 1956	2400	{41616041-9FC5-4cb6-BF60-59822CE505C9}.exe	36
PID 2400 wrote to memory of 2616	2400	{41616041-9FC5-4cb6-BF60-59822CE505C9}.exe	37
PID 2400 wrote to memory of 2616	2400	{41616041-9FC5-4cb6-BF60-59822CE505C9}.exe	37
PID 2400 wrote to memory of 2616	2400	{41616041-9FC5-4cb6-BF60-59822CE505C9}.exe	37
PID 2400 wrote to memory of 2616	2400	{41616041-9FC5-4cb6-BF60-59822CE505C9}.exe	37
PID 1956 wrote to memory of 2480	1956	{DF590B73-0EEE-44b8-9EF3-C32B99488D42}.exe	38
PID 1956 wrote to memory of 2480	1956	{DF590B73-0EEE-44b8-9EF3-C32B99488D42}.exe	38
PID 1956 wrote to memory of 2480	1956	{DF590B73-0EEE-44b8-9EF3-C32B99488D42}.exe	38
PID 1956 wrote to memory of 2480	1956	{DF590B73-0EEE-44b8-9EF3-C32B99488D42}.exe	38
PID 1956 wrote to memory of 2020	1956	{DF590B73-0EEE-44b8-9EF3-C32B99488D42}.exe	39
PID 1956 wrote to memory of 2020	1956	{DF590B73-0EEE-44b8-9EF3-C32B99488D42}.exe	39
PID 1956 wrote to memory of 2020	1956	{DF590B73-0EEE-44b8-9EF3-C32B99488D42}.exe	39
PID 1956 wrote to memory of 2020	1956	{DF590B73-0EEE-44b8-9EF3-C32B99488D42}.exe	39
PID 2480 wrote to memory of 2152	2480	{E502F3A0-A0FC-44ba-98E4-AD9523BD84AE}.exe	40
PID 2480 wrote to memory of 2152	2480	{E502F3A0-A0FC-44ba-98E4-AD9523BD84AE}.exe	40
PID 2480 wrote to memory of 2152	2480	{E502F3A0-A0FC-44ba-98E4-AD9523BD84AE}.exe	40
PID 2480 wrote to memory of 2152	2480	{E502F3A0-A0FC-44ba-98E4-AD9523BD84AE}.exe	40
PID 2480 wrote to memory of 1960	2480	{E502F3A0-A0FC-44ba-98E4-AD9523BD84AE}.exe	41
PID 2480 wrote to memory of 1960	2480	{E502F3A0-A0FC-44ba-98E4-AD9523BD84AE}.exe	41
PID 2480 wrote to memory of 1960	2480	{E502F3A0-A0FC-44ba-98E4-AD9523BD84AE}.exe	41
PID 2480 wrote to memory of 1960	2480	{E502F3A0-A0FC-44ba-98E4-AD9523BD84AE}.exe	41
PID 2152 wrote to memory of 2340	2152	{52DFC96C-2D48-407e-9F5B-5F1F507CDD5C}.exe	42
PID 2152 wrote to memory of 2340	2152	{52DFC96C-2D48-407e-9F5B-5F1F507CDD5C}.exe	42
PID 2152 wrote to memory of 2340	2152	{52DFC96C-2D48-407e-9F5B-5F1F507CDD5C}.exe	42
PID 2152 wrote to memory of 2340	2152	{52DFC96C-2D48-407e-9F5B-5F1F507CDD5C}.exe	42
PID 2152 wrote to memory of 2324	2152	{52DFC96C-2D48-407e-9F5B-5F1F507CDD5C}.exe	43
PID 2152 wrote to memory of 2324	2152	{52DFC96C-2D48-407e-9F5B-5F1F507CDD5C}.exe	43
PID 2152 wrote to memory of 2324	2152	{52DFC96C-2D48-407e-9F5B-5F1F507CDD5C}.exe	43
PID 2152 wrote to memory of 2324	2152	{52DFC96C-2D48-407e-9F5B-5F1F507CDD5C}.exe	43
PID 2340 wrote to memory of 1100	2340	{669005F1-382B-4607-B7F8-70885EDCDFC8}.exe	44
PID 2340 wrote to memory of 1100	2340	{669005F1-382B-4607-B7F8-70885EDCDFC8}.exe	44
PID 2340 wrote to memory of 1100	2340	{669005F1-382B-4607-B7F8-70885EDCDFC8}.exe	44
PID 2340 wrote to memory of 1100	2340	{669005F1-382B-4607-B7F8-70885EDCDFC8}.exe	44
PID 2340 wrote to memory of 1156	2340	{669005F1-382B-4607-B7F8-70885EDCDFC8}.exe	45
PID 2340 wrote to memory of 1156	2340	{669005F1-382B-4607-B7F8-70885EDCDFC8}.exe	45
PID 2340 wrote to memory of 1156	2340	{669005F1-382B-4607-B7F8-70885EDCDFC8}.exe	45
PID 2340 wrote to memory of 1156	2340	{669005F1-382B-4607-B7F8-70885EDCDFC8}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-04-19_9d6ccde438daee06bc1e771c223a0d6d_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-19_9d6ccde438daee06bc1e771c223a0d6d_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1924
- C:\Windows\{7EAB169C-53E6-49af-BEF4-E363D4A9DF8E}.exe
  C:\Windows\{7EAB169C-53E6-49af-BEF4-E363D4A9DF8E}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2528
- - C:\Windows\{027999B1-DCF4-425b-AF40-347862385272}.exe
    C:\Windows\{027999B1-DCF4-425b-AF40-347862385272}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2520
  - - C:\Windows\{41616041-9FC5-4cb6-BF60-59822CE505C9}.exe
      C:\Windows\{41616041-9FC5-4cb6-BF60-59822CE505C9}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2400
    - - C:\Windows\{DF590B73-0EEE-44b8-9EF3-C32B99488D42}.exe
        
        C:\Windows\{DF590B73-0EEE-44b8-9EF3-C32B99488D42}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1956
      - C:\Windows\{E502F3A0-A0FC-44ba-98E4-AD9523BD84AE}.exe
        
        C:\Windows\{E502F3A0-A0FC-44ba-98E4-AD9523BD84AE}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2480
        
        C:\Windows\{52DFC96C-2D48-407e-9F5B-5F1F507CDD5C}.exe
        
        C:\Windows\{52DFC96C-2D48-407e-9F5B-5F1F507CDD5C}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2152
        
        C:\Windows\{669005F1-382B-4607-B7F8-70885EDCDFC8}.exe
        
        C:\Windows\{669005F1-382B-4607-B7F8-70885EDCDFC8}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2340
        
        C:\Windows\{4EBAC39E-874A-4ea2-B9C4-CA7C3FE3D114}.exe
        
        C:\Windows\{4EBAC39E-874A-4ea2-B9C4-CA7C3FE3D114}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1100
        
        C:\Windows\{293750FA-A75A-4d78-94B6-68ADD3BB35C4}.exe
        
        C:\Windows\{293750FA-A75A-4d78-94B6-68ADD3BB35C4}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1380
        
        C:\Windows\{B9D78B5E-DD11-4f68-89E0-62731B4C5599}.exe
        
        C:\Windows\{B9D78B5E-DD11-4f68-89E0-62731B4C5599}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2248
        
        C:\Windows\{B06337A3-8054-4c84-AE27-071ED22D7021}.exe
        
        C:\Windows\{B06337A3-8054-4c84-AE27-071ED22D7021}.exe
        12⤵
        Executes dropped EXE
        
        PID:2904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B9D78~1.EXE > nul
        12⤵
        
        PID:1072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{29375~1.EXE > nul
        11⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4EBAC~1.EXE > nul
        10⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{66900~1.EXE > nul
        9⤵
        
        PID:1156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{52DFC~1.EXE > nul
        8⤵
        
        PID:2324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E502F~1.EXE > nul
        7⤵
        
        PID:1960
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DF590~1.EXE > nul
        6⤵
        
        PID:2020
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{41616~1.EXE > nul
        5⤵
        
        PID:2616
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{02799~1.EXE > nul
      4⤵
      PID:2460
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{7EAB1~1.EXE > nul
    3⤵
    PID:2612
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{027999B1-DCF4-425b-AF40-347862385272}.exe

Filesize
408KB

MD5
0b1089cb2168eb7a994091e4707a2d01

SHA1
7c760f6f70622388b919561b7370c19ffad823f7

SHA256
8d3877e72d32dabaf78a3cadaf16ed6300669e4306c045d0bfbe0f6aca9ea1e5

SHA512
7eb02d74057cfced601a82b24975f1dbd38934753748eed486d1087148b20427154d3405d62124a8f6c162630ddeef5efd2c88a6047bd689bf81fa429b593aba

Download Submit
C:\Windows\{293750FA-A75A-4d78-94B6-68ADD3BB35C4}.exe

Filesize
408KB

MD5
ebe56e060e1c62e1d0f767baf4f01ce2

SHA1
c4f64327a91ea259990f528ee649794c2e043f81

SHA256
df6895b380d749bbab887f1e26b2590f488f68e2299aed970d4cbc9d0d7c5834

SHA512
2c0ec51555c87381883f5c24ae91e81eb9febeab0a97185af577e1a769f03062ecd484a61945c2a3f15258dfdca83e011472398e1f76c62591608711cdc01b1f

Download Submit
C:\Windows\{41616041-9FC5-4cb6-BF60-59822CE505C9}.exe

Filesize
408KB

MD5
cb9c67c3abf7e725709fba1cb99fcacd

SHA1
bda67ce626ce215fcefcaee37c9612e53fd5763c

SHA256
d6b20eb8fc4e01baf83cc425d1705bffaaae4e5c8e63c1f3c9240c5b047d7904

SHA512
61f2a07019c945963812727642cec311cc1eb61919ee2459f651bb23630f6a9242a03ac32a79040200b23d8270f240a27cf0536f77a988aadc800190bb9fc863

Download Submit
C:\Windows\{4EBAC39E-874A-4ea2-B9C4-CA7C3FE3D114}.exe

Filesize
408KB

MD5
012ccf425c9ab599cd9f80b426defc85

SHA1
0f6059b7505484a133fb65a3ce7b2308dea5c669

SHA256
a058230370cd6e3f72668691156d4dbee22662c18d45eca39183e54926594654

SHA512
c8b80a0c1d3a78a739c668aad8d13f959bb872efc976469c72023d669d0b2147dccd165f02b19de0d66ce1105443da4a94d55c1b50720b060822f92fa019a156

Download Submit
C:\Windows\{52DFC96C-2D48-407e-9F5B-5F1F507CDD5C}.exe

Filesize
408KB

MD5
d624faf5952b1370eb61b8be29088234

SHA1
ac175ebf7bb5e09c96c10f0418c04c423c05edc0

SHA256
7f0038cff50395d5d6a1fad716bd065c0f1028e9dab886ee01f62463645bc5c1

SHA512
1fdf2421db0752e7bde2f5f06e8f2e5a9c27593150431c0ebb7553ea1d78c8113d19e7d187cbd105144f5cb9fe1b48501572e5120aaf498f4a66a14c1b0df23e

Download Submit
C:\Windows\{669005F1-382B-4607-B7F8-70885EDCDFC8}.exe

Filesize
408KB

MD5
cfcb3083bd28d4f7fcd5238ba9af4fd3

SHA1
d2a68c0b3047d37292897238adb99521494c0b9c

SHA256
0df5b7d2e27bfe3dde0fa3cbd91954196e24576a2b39803262cb1ea6838269d5

SHA512
aeade6137fb77970fa61c6821fd7f0310d8e1adba8aaebf93feeff3e48e17fca0d7560870f567f2f26afbc38078e434c486fdfe06dd1860895d04f4736624102

Download Submit
C:\Windows\{7EAB169C-53E6-49af-BEF4-E363D4A9DF8E}.exe

Filesize
408KB

MD5
0f7d5a85480196695d769ae36afd32b8

SHA1
6c98726a04a7798559ed8db8b9e47a67312de9a9

SHA256
9547e2a057c7e922755d1f65f1c153a25bc214b6a5c23faee1c2194367502f42

SHA512
fac50f52efbde5e04e9af4354d1c1688f7c19ba83477e5fab168342b547148379d60468e70dde67e77505bb7737545bacf4fa1fa0dd10927576a0d58f79d1f7a

Download Submit
C:\Windows\{B06337A3-8054-4c84-AE27-071ED22D7021}.exe

Filesize
408KB

MD5
009b7ec95521ff7d7ef76e392f4e2ecb

SHA1
83623e00df93607904b14237fc1a67fce1660a14

SHA256
f87f5929aaafdfbf687cb7ee2a8385ccaf8998f39c3a062d7f356e76e57dc35e

SHA512
e0b7d09193b575ffe60aeef5df747e765b14b34e925e56ec7c49478aafaadbcfaae4dbac569aedee99952bf57bd0adb42222686798fe5d60a80071c8afe6180f

Download Submit
C:\Windows\{B9D78B5E-DD11-4f68-89E0-62731B4C5599}.exe

Filesize
408KB

MD5
f65bd1803b5461c19ed32ccc9e6e8042

SHA1
b482bf6bd96243ae0a6512351bd0e96297e25170

SHA256
ad44d3b65d8bad7a38712894035d225f5e83e3bb539e7611b66e396b75da0171

SHA512
fdc126c889569ac055cdaec864e5c4e68673a73c0a3cd35d4bf14ad701e2a3e755bc0a6377a234779649ea4d692a21f1fabfbdbf1f559644551706d47674d270

Download Submit
C:\Windows\{DF590B73-0EEE-44b8-9EF3-C32B99488D42}.exe

Filesize
408KB

MD5
f9c3989c0988f93fb869be234a7ee9de

SHA1
bb63524a28516762e533c482fbf8872792a14a55

SHA256
d110aa505bc7773e71b7ebb98660b5de3e628471b7f4cd2511f6a8c942a4133a

SHA512
e9a23e0f61674864088ebcb11788c734592b23b5f89c7dcd3e71c5224dec07f005797fd1f811e1dc3340a6c229b4f2239423dce0af22679f97c15c8a233d0fa6

Download Submit
C:\Windows\{E502F3A0-A0FC-44ba-98E4-AD9523BD84AE}.exe

Filesize
408KB

MD5
3a12d2f445b93a28a270821a0b331763

SHA1
f0854b60dc627948c6d827f3b133a28cac7ff537

SHA256
73062c6babcb310dccf5a3575170c8c6799af8d1e686adc1eb894691a853fd66

SHA512
7f998838ba703b18c792fa198cdd88b5ac18efb08524c4223ab3cf0784b821d3b77d44bcc916161892fb058ca91d59c8f2cb1c49f3ccf667f87c690ef2f5c0a1

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads