2616f59726e4b90662a5f1ac609b4307e772ebed372744850d78f96464dbd734

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
19/04/2024, 17:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-19_e6f375623873f12b4ca19742c1e8b730_goldeneye.exe
Size

168KB
MD5

e6f375623873f12b4ca19742c1e8b730
SHA1

949549c83dbe896f993ec4b49f838a18516e9fe3
SHA256

2616f59726e4b90662a5f1ac609b4307e772ebed372744850d78f96464dbd734
SHA512

2c08d21754d797b0e4a5ec327465acd4996efd0033e2a75c2692506af115a7f62a546df2df0a54cba52b9e091230081ab207e473c74b8ee5e4192b8f4c373699
SSDEEP

1536:1EGh0o8li5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0o8liOPOe2MUVg3Ve+rX

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000d000000012256-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00080000000122cd-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e000000012256-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f000000012256-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x003800000001567f-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x003900000001567f-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a00000001568c-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2A610F08-1535-4d51-BF34-8159920D93B2}\stubpath = "C:\\Windows\\{2A610F08-1535-4d51-BF34-8159920D93B2}.exe"	{721FDB1B-60B4-41e8-9E34-1F3650918FC9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{952366F3-612F-4244-A1C0-AFEC6764AD93}\stubpath = "C:\\Windows\\{952366F3-612F-4244-A1C0-AFEC6764AD93}.exe"	{2A610F08-1535-4d51-BF34-8159920D93B2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2BF603B2-05F0-4c8c-AA60-DB740AEB13CD}	{7D1A4901-3162-41df-9750-89C827E1C7DE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{829E0036-EB61-4734-89AD-20463163A06F}	{2BF603B2-05F0-4c8c-AA60-DB740AEB13CD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D8A1C95C-A0BA-4278-9B98-BBAC7F10996B}	{8C9F0D0D-E8B8-407c-A80D-39AF2B83243A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2A610F08-1535-4d51-BF34-8159920D93B2}	{721FDB1B-60B4-41e8-9E34-1F3650918FC9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2BF603B2-05F0-4c8c-AA60-DB740AEB13CD}\stubpath = "C:\\Windows\\{2BF603B2-05F0-4c8c-AA60-DB740AEB13CD}.exe"	{7D1A4901-3162-41df-9750-89C827E1C7DE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B158CA9C-8C45-47c1-965D-E7FF67EA51EC}	{802F8353-F616-4d60-925E-61AA1546C6B2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B158CA9C-8C45-47c1-965D-E7FF67EA51EC}\stubpath = "C:\\Windows\\{B158CA9C-8C45-47c1-965D-E7FF67EA51EC}.exe"	{802F8353-F616-4d60-925E-61AA1546C6B2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7D1A4901-3162-41df-9750-89C827E1C7DE}\stubpath = "C:\\Windows\\{7D1A4901-3162-41df-9750-89C827E1C7DE}.exe"	{B158CA9C-8C45-47c1-965D-E7FF67EA51EC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{829E0036-EB61-4734-89AD-20463163A06F}\stubpath = "C:\\Windows\\{829E0036-EB61-4734-89AD-20463163A06F}.exe"	{2BF603B2-05F0-4c8c-AA60-DB740AEB13CD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8C9F0D0D-E8B8-407c-A80D-39AF2B83243A}	{829E0036-EB61-4734-89AD-20463163A06F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{721FDB1B-60B4-41e8-9E34-1F3650918FC9}	{D8A1C95C-A0BA-4278-9B98-BBAC7F10996B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{189F7B85-3E09-4e8f-9239-604EDABE3CB4}	{952366F3-612F-4244-A1C0-AFEC6764AD93}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{802F8353-F616-4d60-925E-61AA1546C6B2}	2024-04-19_e6f375623873f12b4ca19742c1e8b730_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7D1A4901-3162-41df-9750-89C827E1C7DE}	{B158CA9C-8C45-47c1-965D-E7FF67EA51EC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8C9F0D0D-E8B8-407c-A80D-39AF2B83243A}\stubpath = "C:\\Windows\\{8C9F0D0D-E8B8-407c-A80D-39AF2B83243A}.exe"	{829E0036-EB61-4734-89AD-20463163A06F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D8A1C95C-A0BA-4278-9B98-BBAC7F10996B}\stubpath = "C:\\Windows\\{D8A1C95C-A0BA-4278-9B98-BBAC7F10996B}.exe"	{8C9F0D0D-E8B8-407c-A80D-39AF2B83243A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{721FDB1B-60B4-41e8-9E34-1F3650918FC9}\stubpath = "C:\\Windows\\{721FDB1B-60B4-41e8-9E34-1F3650918FC9}.exe"	{D8A1C95C-A0BA-4278-9B98-BBAC7F10996B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{952366F3-612F-4244-A1C0-AFEC6764AD93}	{2A610F08-1535-4d51-BF34-8159920D93B2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{189F7B85-3E09-4e8f-9239-604EDABE3CB4}\stubpath = "C:\\Windows\\{189F7B85-3E09-4e8f-9239-604EDABE3CB4}.exe"	{952366F3-612F-4244-A1C0-AFEC6764AD93}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{802F8353-F616-4d60-925E-61AA1546C6B2}\stubpath = "C:\\Windows\\{802F8353-F616-4d60-925E-61AA1546C6B2}.exe"	2024-04-19_e6f375623873f12b4ca19742c1e8b730_goldeneye.exe

Deletes itself 1 IoCs

pid	Process
3048	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
3052	{802F8353-F616-4d60-925E-61AA1546C6B2}.exe
2584	{B158CA9C-8C45-47c1-965D-E7FF67EA51EC}.exe
2800	{7D1A4901-3162-41df-9750-89C827E1C7DE}.exe
1804	{2BF603B2-05F0-4c8c-AA60-DB740AEB13CD}.exe
2964	{829E0036-EB61-4734-89AD-20463163A06F}.exe
2272	{8C9F0D0D-E8B8-407c-A80D-39AF2B83243A}.exe
324	{D8A1C95C-A0BA-4278-9B98-BBAC7F10996B}.exe
268	{721FDB1B-60B4-41e8-9E34-1F3650918FC9}.exe
2056	{2A610F08-1535-4d51-BF34-8159920D93B2}.exe
2316	{952366F3-612F-4244-A1C0-AFEC6764AD93}.exe
3060	{189F7B85-3E09-4e8f-9239-604EDABE3CB4}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{802F8353-F616-4d60-925E-61AA1546C6B2}.exe	2024-04-19_e6f375623873f12b4ca19742c1e8b730_goldeneye.exe
File created	C:\Windows\{7D1A4901-3162-41df-9750-89C827E1C7DE}.exe	{B158CA9C-8C45-47c1-965D-E7FF67EA51EC}.exe
File created	C:\Windows\{721FDB1B-60B4-41e8-9E34-1F3650918FC9}.exe	{D8A1C95C-A0BA-4278-9B98-BBAC7F10996B}.exe
File created	C:\Windows\{2A610F08-1535-4d51-BF34-8159920D93B2}.exe	{721FDB1B-60B4-41e8-9E34-1F3650918FC9}.exe
File created	C:\Windows\{952366F3-612F-4244-A1C0-AFEC6764AD93}.exe	{2A610F08-1535-4d51-BF34-8159920D93B2}.exe
File created	C:\Windows\{B158CA9C-8C45-47c1-965D-E7FF67EA51EC}.exe	{802F8353-F616-4d60-925E-61AA1546C6B2}.exe
File created	C:\Windows\{2BF603B2-05F0-4c8c-AA60-DB740AEB13CD}.exe	{7D1A4901-3162-41df-9750-89C827E1C7DE}.exe
File created	C:\Windows\{829E0036-EB61-4734-89AD-20463163A06F}.exe	{2BF603B2-05F0-4c8c-AA60-DB740AEB13CD}.exe
File created	C:\Windows\{8C9F0D0D-E8B8-407c-A80D-39AF2B83243A}.exe	{829E0036-EB61-4734-89AD-20463163A06F}.exe
File created	C:\Windows\{D8A1C95C-A0BA-4278-9B98-BBAC7F10996B}.exe	{8C9F0D0D-E8B8-407c-A80D-39AF2B83243A}.exe
File created	C:\Windows\{189F7B85-3E09-4e8f-9239-604EDABE3CB4}.exe	{952366F3-612F-4244-A1C0-AFEC6764AD93}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2368	2024-04-19_e6f375623873f12b4ca19742c1e8b730_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3052	{802F8353-F616-4d60-925E-61AA1546C6B2}.exe
Token: SeIncBasePriorityPrivilege	2584	{B158CA9C-8C45-47c1-965D-E7FF67EA51EC}.exe
Token: SeIncBasePriorityPrivilege	2800	{7D1A4901-3162-41df-9750-89C827E1C7DE}.exe
Token: SeIncBasePriorityPrivilege	1804	{2BF603B2-05F0-4c8c-AA60-DB740AEB13CD}.exe
Token: SeIncBasePriorityPrivilege	2964	{829E0036-EB61-4734-89AD-20463163A06F}.exe
Token: SeIncBasePriorityPrivilege	2272	{8C9F0D0D-E8B8-407c-A80D-39AF2B83243A}.exe
Token: SeIncBasePriorityPrivilege	324	{D8A1C95C-A0BA-4278-9B98-BBAC7F10996B}.exe
Token: SeIncBasePriorityPrivilege	268	{721FDB1B-60B4-41e8-9E34-1F3650918FC9}.exe
Token: SeIncBasePriorityPrivilege	2056	{2A610F08-1535-4d51-BF34-8159920D93B2}.exe
Token: SeIncBasePriorityPrivilege	2316	{952366F3-612F-4244-A1C0-AFEC6764AD93}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2368 wrote to memory of 3052	2368	2024-04-19_e6f375623873f12b4ca19742c1e8b730_goldeneye.exe	28
PID 2368 wrote to memory of 3052	2368	2024-04-19_e6f375623873f12b4ca19742c1e8b730_goldeneye.exe	28
PID 2368 wrote to memory of 3052	2368	2024-04-19_e6f375623873f12b4ca19742c1e8b730_goldeneye.exe	28
PID 2368 wrote to memory of 3052	2368	2024-04-19_e6f375623873f12b4ca19742c1e8b730_goldeneye.exe	28
PID 2368 wrote to memory of 3048	2368	2024-04-19_e6f375623873f12b4ca19742c1e8b730_goldeneye.exe	29
PID 2368 wrote to memory of 3048	2368	2024-04-19_e6f375623873f12b4ca19742c1e8b730_goldeneye.exe	29
PID 2368 wrote to memory of 3048	2368	2024-04-19_e6f375623873f12b4ca19742c1e8b730_goldeneye.exe	29
PID 2368 wrote to memory of 3048	2368	2024-04-19_e6f375623873f12b4ca19742c1e8b730_goldeneye.exe	29
PID 3052 wrote to memory of 2584	3052	{802F8353-F616-4d60-925E-61AA1546C6B2}.exe	30
PID 3052 wrote to memory of 2584	3052	{802F8353-F616-4d60-925E-61AA1546C6B2}.exe	30
PID 3052 wrote to memory of 2584	3052	{802F8353-F616-4d60-925E-61AA1546C6B2}.exe	30
PID 3052 wrote to memory of 2584	3052	{802F8353-F616-4d60-925E-61AA1546C6B2}.exe	30
PID 3052 wrote to memory of 2468	3052	{802F8353-F616-4d60-925E-61AA1546C6B2}.exe	31
PID 3052 wrote to memory of 2468	3052	{802F8353-F616-4d60-925E-61AA1546C6B2}.exe	31
PID 3052 wrote to memory of 2468	3052	{802F8353-F616-4d60-925E-61AA1546C6B2}.exe	31
PID 3052 wrote to memory of 2468	3052	{802F8353-F616-4d60-925E-61AA1546C6B2}.exe	31
PID 2584 wrote to memory of 2800	2584	{B158CA9C-8C45-47c1-965D-E7FF67EA51EC}.exe	32
PID 2584 wrote to memory of 2800	2584	{B158CA9C-8C45-47c1-965D-E7FF67EA51EC}.exe	32
PID 2584 wrote to memory of 2800	2584	{B158CA9C-8C45-47c1-965D-E7FF67EA51EC}.exe	32
PID 2584 wrote to memory of 2800	2584	{B158CA9C-8C45-47c1-965D-E7FF67EA51EC}.exe	32
PID 2584 wrote to memory of 2632	2584	{B158CA9C-8C45-47c1-965D-E7FF67EA51EC}.exe	33
PID 2584 wrote to memory of 2632	2584	{B158CA9C-8C45-47c1-965D-E7FF67EA51EC}.exe	33
PID 2584 wrote to memory of 2632	2584	{B158CA9C-8C45-47c1-965D-E7FF67EA51EC}.exe	33
PID 2584 wrote to memory of 2632	2584	{B158CA9C-8C45-47c1-965D-E7FF67EA51EC}.exe	33
PID 2800 wrote to memory of 1804	2800	{7D1A4901-3162-41df-9750-89C827E1C7DE}.exe	36
PID 2800 wrote to memory of 1804	2800	{7D1A4901-3162-41df-9750-89C827E1C7DE}.exe	36
PID 2800 wrote to memory of 1804	2800	{7D1A4901-3162-41df-9750-89C827E1C7DE}.exe	36
PID 2800 wrote to memory of 1804	2800	{7D1A4901-3162-41df-9750-89C827E1C7DE}.exe	36
PID 2800 wrote to memory of 2720	2800	{7D1A4901-3162-41df-9750-89C827E1C7DE}.exe	37
PID 2800 wrote to memory of 2720	2800	{7D1A4901-3162-41df-9750-89C827E1C7DE}.exe	37
PID 2800 wrote to memory of 2720	2800	{7D1A4901-3162-41df-9750-89C827E1C7DE}.exe	37
PID 2800 wrote to memory of 2720	2800	{7D1A4901-3162-41df-9750-89C827E1C7DE}.exe	37
PID 1804 wrote to memory of 2964	1804	{2BF603B2-05F0-4c8c-AA60-DB740AEB13CD}.exe	38
PID 1804 wrote to memory of 2964	1804	{2BF603B2-05F0-4c8c-AA60-DB740AEB13CD}.exe	38
PID 1804 wrote to memory of 2964	1804	{2BF603B2-05F0-4c8c-AA60-DB740AEB13CD}.exe	38
PID 1804 wrote to memory of 2964	1804	{2BF603B2-05F0-4c8c-AA60-DB740AEB13CD}.exe	38
PID 1804 wrote to memory of 2928	1804	{2BF603B2-05F0-4c8c-AA60-DB740AEB13CD}.exe	39
PID 1804 wrote to memory of 2928	1804	{2BF603B2-05F0-4c8c-AA60-DB740AEB13CD}.exe	39
PID 1804 wrote to memory of 2928	1804	{2BF603B2-05F0-4c8c-AA60-DB740AEB13CD}.exe	39
PID 1804 wrote to memory of 2928	1804	{2BF603B2-05F0-4c8c-AA60-DB740AEB13CD}.exe	39
PID 2964 wrote to memory of 2272	2964	{829E0036-EB61-4734-89AD-20463163A06F}.exe	40
PID 2964 wrote to memory of 2272	2964	{829E0036-EB61-4734-89AD-20463163A06F}.exe	40
PID 2964 wrote to memory of 2272	2964	{829E0036-EB61-4734-89AD-20463163A06F}.exe	40
PID 2964 wrote to memory of 2272	2964	{829E0036-EB61-4734-89AD-20463163A06F}.exe	40
PID 2964 wrote to memory of 892	2964	{829E0036-EB61-4734-89AD-20463163A06F}.exe	41
PID 2964 wrote to memory of 892	2964	{829E0036-EB61-4734-89AD-20463163A06F}.exe	41
PID 2964 wrote to memory of 892	2964	{829E0036-EB61-4734-89AD-20463163A06F}.exe	41
PID 2964 wrote to memory of 892	2964	{829E0036-EB61-4734-89AD-20463163A06F}.exe	41
PID 2272 wrote to memory of 324	2272	{8C9F0D0D-E8B8-407c-A80D-39AF2B83243A}.exe	42
PID 2272 wrote to memory of 324	2272	{8C9F0D0D-E8B8-407c-A80D-39AF2B83243A}.exe	42
PID 2272 wrote to memory of 324	2272	{8C9F0D0D-E8B8-407c-A80D-39AF2B83243A}.exe	42
PID 2272 wrote to memory of 324	2272	{8C9F0D0D-E8B8-407c-A80D-39AF2B83243A}.exe	42
PID 2272 wrote to memory of 1720	2272	{8C9F0D0D-E8B8-407c-A80D-39AF2B83243A}.exe	43
PID 2272 wrote to memory of 1720	2272	{8C9F0D0D-E8B8-407c-A80D-39AF2B83243A}.exe	43
PID 2272 wrote to memory of 1720	2272	{8C9F0D0D-E8B8-407c-A80D-39AF2B83243A}.exe	43
PID 2272 wrote to memory of 1720	2272	{8C9F0D0D-E8B8-407c-A80D-39AF2B83243A}.exe	43
PID 324 wrote to memory of 268	324	{D8A1C95C-A0BA-4278-9B98-BBAC7F10996B}.exe	44
PID 324 wrote to memory of 268	324	{D8A1C95C-A0BA-4278-9B98-BBAC7F10996B}.exe	44
PID 324 wrote to memory of 268	324	{D8A1C95C-A0BA-4278-9B98-BBAC7F10996B}.exe	44
PID 324 wrote to memory of 268	324	{D8A1C95C-A0BA-4278-9B98-BBAC7F10996B}.exe	44
PID 324 wrote to memory of 1152	324	{D8A1C95C-A0BA-4278-9B98-BBAC7F10996B}.exe	45
PID 324 wrote to memory of 1152	324	{D8A1C95C-A0BA-4278-9B98-BBAC7F10996B}.exe	45
PID 324 wrote to memory of 1152	324	{D8A1C95C-A0BA-4278-9B98-BBAC7F10996B}.exe	45
PID 324 wrote to memory of 1152	324	{D8A1C95C-A0BA-4278-9B98-BBAC7F10996B}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-04-19_e6f375623873f12b4ca19742c1e8b730_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-19_e6f375623873f12b4ca19742c1e8b730_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2368
- C:\Windows\{802F8353-F616-4d60-925E-61AA1546C6B2}.exe
  C:\Windows\{802F8353-F616-4d60-925E-61AA1546C6B2}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3052
- - C:\Windows\{B158CA9C-8C45-47c1-965D-E7FF67EA51EC}.exe
    C:\Windows\{B158CA9C-8C45-47c1-965D-E7FF67EA51EC}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2584
  - - C:\Windows\{7D1A4901-3162-41df-9750-89C827E1C7DE}.exe
      C:\Windows\{7D1A4901-3162-41df-9750-89C827E1C7DE}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2800
    - - C:\Windows\{2BF603B2-05F0-4c8c-AA60-DB740AEB13CD}.exe
        
        C:\Windows\{2BF603B2-05F0-4c8c-AA60-DB740AEB13CD}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1804
      - C:\Windows\{829E0036-EB61-4734-89AD-20463163A06F}.exe
        
        C:\Windows\{829E0036-EB61-4734-89AD-20463163A06F}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2964
        
        C:\Windows\{8C9F0D0D-E8B8-407c-A80D-39AF2B83243A}.exe
        
        C:\Windows\{8C9F0D0D-E8B8-407c-A80D-39AF2B83243A}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2272
        
        C:\Windows\{D8A1C95C-A0BA-4278-9B98-BBAC7F10996B}.exe
        
        C:\Windows\{D8A1C95C-A0BA-4278-9B98-BBAC7F10996B}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:324
        
        C:\Windows\{721FDB1B-60B4-41e8-9E34-1F3650918FC9}.exe
        
        C:\Windows\{721FDB1B-60B4-41e8-9E34-1F3650918FC9}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:268
        
        C:\Windows\{2A610F08-1535-4d51-BF34-8159920D93B2}.exe
        
        C:\Windows\{2A610F08-1535-4d51-BF34-8159920D93B2}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2056
        
        C:\Windows\{952366F3-612F-4244-A1C0-AFEC6764AD93}.exe
        
        C:\Windows\{952366F3-612F-4244-A1C0-AFEC6764AD93}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2316
        
        C:\Windows\{189F7B85-3E09-4e8f-9239-604EDABE3CB4}.exe
        
        C:\Windows\{189F7B85-3E09-4e8f-9239-604EDABE3CB4}.exe
        12⤵
        Executes dropped EXE
        
        PID:3060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{95236~1.EXE > nul
        12⤵
        
        PID:1848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2A610~1.EXE > nul
        11⤵
        
        PID:1444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{721FD~1.EXE > nul
        10⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D8A1C~1.EXE > nul
        9⤵
        
        PID:1152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8C9F0~1.EXE > nul
        8⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{829E0~1.EXE > nul
        7⤵
        
        PID:892
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2BF60~1.EXE > nul
        6⤵
        
        PID:2928
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7D1A4~1.EXE > nul
        5⤵
        
        PID:2720
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{B158C~1.EXE > nul
      4⤵
      PID:2632
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{802F8~1.EXE > nul
    3⤵
    PID:2468
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:3048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{189F7B85-3E09-4e8f-9239-604EDABE3CB4}.exe

Filesize
168KB

MD5
55ac6fa88e162cefc8fc1649dd2a3381

SHA1
9a4b5655e23a3a896b3e51ea948280d6c9017c92

SHA256
360e946b2dbaa588cfb92a37c544c58a94776b5ca0a3af902b0da4f95ab0aa80

SHA512
b1b91502ac10680f8adea5cc10c2c734984316e110e1a6fc8b7416eb31dc34fd6e41c4d8d85d973ca23ba558d5359f079ab5b17f20855ffe4a31a3660afda059

Download Submit
C:\Windows\{2A610F08-1535-4d51-BF34-8159920D93B2}.exe

Filesize
168KB

MD5
ef5763327b934330a56a35c21ba3747e

SHA1
0449551d814fcaf5d43d9ff8d89cfd68b9949f5d

SHA256
e24bb52402716e96aca377a68de71d68d58e8d977ad8910fc29c376630a10687

SHA512
fc43139bcb824778092c78246cbe919fc51f2295d1ef918a8bf7b20d9d17023e2a95a4d3ce0e9dab269f534f4d45fa9adc829a46a68066a9d016da7c1d3c7da4

Download Submit
C:\Windows\{2BF603B2-05F0-4c8c-AA60-DB740AEB13CD}.exe

Filesize
168KB

MD5
d8c2c1610fc3e1bf63601c6087263c4a

SHA1
72fa396dc2a355b4b76afd4b02caec0cc0edbff4

SHA256
910aef3c5966edc3fc75e9fe2a7e134aea3dbca82d7106eb6b8b4a9abb9d7df5

SHA512
25fbb6b8a4dc411b2097a62e249e3c39435f8d758f23cdcf0730fed30c208e9f79a9a04a9fc12fb3ae18456fb180c5b9aa37f6352da955ff20cfd6ef7023a84c

Download Submit
C:\Windows\{721FDB1B-60B4-41e8-9E34-1F3650918FC9}.exe

Filesize
168KB

MD5
0dbcd66a64ab7ae76598a72feb7a5ed5

SHA1
7e79fa052310cac5921491c06696ff0d8fcd3675

SHA256
99208680d7971647d53d97c03887a4c9cd7f3b850ac99135bd05893c0fe512e8

SHA512
1506d691f822a95d78bd0303fbfa9442f80440433cbad44ca8ac2fa6c2ef46e553b9eae3b0202dcbe14cf2279cadbecf32202be0ac0bce75df6068a7bf83734c

Download Submit
C:\Windows\{7D1A4901-3162-41df-9750-89C827E1C7DE}.exe

Filesize
168KB

MD5
e6f39aa1fb75254b5ca630f41f6d574d

SHA1
d47089d4b51973193cdb3ee62caabc41e1224629

SHA256
1e4498044d1f7eb7d1c5ec20bc16f7c5400523dc9aaf9cfce4fc71ca3e3d4c4a

SHA512
687590d111bdd77d8908d07fe73bfb508fb354253ca99be524dcce1b7921b0db270ff6683d9eefbc740a2c177dcf8eed63a0ba71bacb1ba5ab954e03ed5243b1

Download Submit
C:\Windows\{802F8353-F616-4d60-925E-61AA1546C6B2}.exe

Filesize
168KB

MD5
366c7838fc0520cbbbc640d74f7d2eb3

SHA1
489793c92287f8d288fc24496bad553275fe193f

SHA256
53b3c5ccb500bedead06f4c1642a6f1196242257d2c619c386a9cdbbafd087ba

SHA512
3e65f38a89f673a2c549d439f5a51a856f90b6c4a3724e2d87fe28bb3ad07fd2ce167bd7256bc678676013579f4e98e716f5791ecce126de6a7c8a79744d46a4

Download Submit
C:\Windows\{829E0036-EB61-4734-89AD-20463163A06F}.exe

Filesize
168KB

MD5
c0c16dbaf8b8449de96ca2acf9f6b793

SHA1
1e442e087c5962ab1596361b2a044ec758779da5

SHA256
aed40d7949fe494dcc35204a1670fc204ef5806f4a19c056c2f657e428179864

SHA512
53e737f6e523f5a1113c0e6432f411f4398b42ddfd6420a8de2344c5870b1e4d3a9f1db59490173c125f78fb1f2eb8c61656560c406d2858eff961e8fe845874

Download Submit
C:\Windows\{8C9F0D0D-E8B8-407c-A80D-39AF2B83243A}.exe

Filesize
168KB

MD5
d42f8fe2f11ad95219aca3504bdf3b31

SHA1
031d7f9a6987c940b51898dc84c02e7a0ce9cbb0

SHA256
ea69779e80036324befa7d85386e283e2f832b77f64baaa4002346ce381f577c

SHA512
a3ea91997687ddd1c4cf76e2b35e6144ab30146fe8146bd82f51ebba1229e514b47d5090fb0e17894ab51e30e9ad5eb35035a4ecb49f79a67a335a91a5715138

Download Submit
C:\Windows\{952366F3-612F-4244-A1C0-AFEC6764AD93}.exe

Filesize
168KB

MD5
7bd091730b4712a55a3caf4ddfc1c1dc

SHA1
9750448784f90523dc6d62bba2641a35e362b1c5

SHA256
6e33d3611ca79616c21fad019d3be01ff3177d9f92b5f8bad11496a4abbc6644

SHA512
f0ab12514f0d12ddf47d72c1395b1031849de09a47aac7173325394d92d3badc190f07188eafbf6f90e5bf7b46ea764f30f77558b34a73b6fb0f79a6b97745e6

Download Submit
C:\Windows\{B158CA9C-8C45-47c1-965D-E7FF67EA51EC}.exe

Filesize
168KB

MD5
768f08fd79494cfe652ad2edf586b995

SHA1
36a5c7fced30d9f59e2c20f64e53074bcfbd4966

SHA256
4ee39bafac6db13d5fcdc63dca109295a2150c4aa445dd5afc2f89c6a890604e

SHA512
ba9bb964fe252c076c1a3fb16b96b0650bde00421478ad6214f10405871e86671389e7dd206992189148e170a3f8df75a4b958c4fdca9f272b0e7b138d89d2d7

Download Submit
C:\Windows\{D8A1C95C-A0BA-4278-9B98-BBAC7F10996B}.exe

Filesize
168KB

MD5
90330a6e9c9dc31b728e533a0ecac837

SHA1
1d71c128153dd357b6d0b695cd244eb5150d50e7

SHA256
16b47d2e48b8e9272b1659030a66cab6190e5ea7b8e135aaaa1e451abca5c1ee

SHA512
fc11f6c48c0849d5d5728c3f28722310a015343c87b9cd68ea8b7dbed6cf6a41aff7ebf4026edbdd461282649e7d1ca985af851c09a37b962f8db00ddeb1db3c

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads