fe747edc86e0f6188ba3a24a4e4794df1b2e874a7ff60d5bbf5196aa3c7b2d67

Analysis

max time kernel
144s
max time network
120s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
20/04/2024, 20:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-20_2756d574d20fbd09234f9a179b2c1fb2_goldeneye.exe
Size

197KB
MD5

2756d574d20fbd09234f9a179b2c1fb2
SHA1

90c92337549f1356b773e1e363f2101b8a832c63
SHA256

fe747edc86e0f6188ba3a24a4e4794df1b2e874a7ff60d5bbf5196aa3c7b2d67
SHA512

33bbcd5dc59f63f0a7e5c324303ead195f98858082d02e108969fb7810ace0408be46ec13520922887ee239421aa28824521f372373afec4ca3b74c40c6f93f5
SSDEEP

3072:jEGh0oTl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGhlEeKcAEca

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000b00000001224d-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000012331-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c00000001224d-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x003300000001470b-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d00000001224d-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e00000001224d-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f00000001224d-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{38BF18AA-ED90-4b38-B682-D14599EAC83A}\stubpath = "C:\\Windows\\{38BF18AA-ED90-4b38-B682-D14599EAC83A}.exe"	2024-04-20_2756d574d20fbd09234f9a179b2c1fb2_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9547BE56-9DF9-472b-ABE1-0C882CE8B78D}	{F6AAC919-C3D5-43c8-B321-FA61DF64E2AD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BF3B7024-F5F4-4755-9837-6A0281D25D7E}\stubpath = "C:\\Windows\\{BF3B7024-F5F4-4755-9837-6A0281D25D7E}.exe"	{9547BE56-9DF9-472b-ABE1-0C882CE8B78D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9563DB2B-FCD8-47c6-A858-6DACFB7DCC3E}	{F27740DC-DD39-47ac-8573-A7C433C09C07}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9563DB2B-FCD8-47c6-A858-6DACFB7DCC3E}\stubpath = "C:\\Windows\\{9563DB2B-FCD8-47c6-A858-6DACFB7DCC3E}.exe"	{F27740DC-DD39-47ac-8573-A7C433C09C07}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{405DF117-6DFC-45f9-BE9F-4A6BE5F6A50F}	{9563DB2B-FCD8-47c6-A858-6DACFB7DCC3E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E8099287-9595-43cf-A107-5492CCEB2FA9}\stubpath = "C:\\Windows\\{E8099287-9595-43cf-A107-5492CCEB2FA9}.exe"	{405DF117-6DFC-45f9-BE9F-4A6BE5F6A50F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F9D6940D-A9C4-475c-9217-3137B04DD2C8}	{E8099287-9595-43cf-A107-5492CCEB2FA9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EF26D326-B46B-458d-BF8D-986128272373}\stubpath = "C:\\Windows\\{EF26D326-B46B-458d-BF8D-986128272373}.exe"	{F9D6940D-A9C4-475c-9217-3137B04DD2C8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{38BF18AA-ED90-4b38-B682-D14599EAC83A}	2024-04-20_2756d574d20fbd09234f9a179b2c1fb2_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F6AAC919-C3D5-43c8-B321-FA61DF64E2AD}	{38BF18AA-ED90-4b38-B682-D14599EAC83A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F6AAC919-C3D5-43c8-B321-FA61DF64E2AD}\stubpath = "C:\\Windows\\{F6AAC919-C3D5-43c8-B321-FA61DF64E2AD}.exe"	{38BF18AA-ED90-4b38-B682-D14599EAC83A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BF3B7024-F5F4-4755-9837-6A0281D25D7E}	{9547BE56-9DF9-472b-ABE1-0C882CE8B78D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F27740DC-DD39-47ac-8573-A7C433C09C07}	{BF3B7024-F5F4-4755-9837-6A0281D25D7E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F27740DC-DD39-47ac-8573-A7C433C09C07}\stubpath = "C:\\Windows\\{F27740DC-DD39-47ac-8573-A7C433C09C07}.exe"	{BF3B7024-F5F4-4755-9837-6A0281D25D7E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{405DF117-6DFC-45f9-BE9F-4A6BE5F6A50F}\stubpath = "C:\\Windows\\{405DF117-6DFC-45f9-BE9F-4A6BE5F6A50F}.exe"	{9563DB2B-FCD8-47c6-A858-6DACFB7DCC3E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3829846F-E3B2-45d8-8463-EB12EA7D605F}\stubpath = "C:\\Windows\\{3829846F-E3B2-45d8-8463-EB12EA7D605F}.exe"	{EF26D326-B46B-458d-BF8D-986128272373}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9547BE56-9DF9-472b-ABE1-0C882CE8B78D}\stubpath = "C:\\Windows\\{9547BE56-9DF9-472b-ABE1-0C882CE8B78D}.exe"	{F6AAC919-C3D5-43c8-B321-FA61DF64E2AD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E8099287-9595-43cf-A107-5492CCEB2FA9}	{405DF117-6DFC-45f9-BE9F-4A6BE5F6A50F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F9D6940D-A9C4-475c-9217-3137B04DD2C8}\stubpath = "C:\\Windows\\{F9D6940D-A9C4-475c-9217-3137B04DD2C8}.exe"	{E8099287-9595-43cf-A107-5492CCEB2FA9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EF26D326-B46B-458d-BF8D-986128272373}	{F9D6940D-A9C4-475c-9217-3137B04DD2C8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3829846F-E3B2-45d8-8463-EB12EA7D605F}	{EF26D326-B46B-458d-BF8D-986128272373}.exe

Deletes itself 1 IoCs

pid	Process
3044	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2744	{38BF18AA-ED90-4b38-B682-D14599EAC83A}.exe
2584	{F6AAC919-C3D5-43c8-B321-FA61DF64E2AD}.exe
2548	{9547BE56-9DF9-472b-ABE1-0C882CE8B78D}.exe
1544	{BF3B7024-F5F4-4755-9837-6A0281D25D7E}.exe
2844	{F27740DC-DD39-47ac-8573-A7C433C09C07}.exe
1996	{9563DB2B-FCD8-47c6-A858-6DACFB7DCC3E}.exe
1888	{405DF117-6DFC-45f9-BE9F-4A6BE5F6A50F}.exe
1044	{E8099287-9595-43cf-A107-5492CCEB2FA9}.exe
1760	{F9D6940D-A9C4-475c-9217-3137B04DD2C8}.exe
2064	{EF26D326-B46B-458d-BF8D-986128272373}.exe
1492	{3829846F-E3B2-45d8-8463-EB12EA7D605F}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{F9D6940D-A9C4-475c-9217-3137B04DD2C8}.exe	{E8099287-9595-43cf-A107-5492CCEB2FA9}.exe
File created	C:\Windows\{F6AAC919-C3D5-43c8-B321-FA61DF64E2AD}.exe	{38BF18AA-ED90-4b38-B682-D14599EAC83A}.exe
File created	C:\Windows\{BF3B7024-F5F4-4755-9837-6A0281D25D7E}.exe	{9547BE56-9DF9-472b-ABE1-0C882CE8B78D}.exe
File created	C:\Windows\{405DF117-6DFC-45f9-BE9F-4A6BE5F6A50F}.exe	{9563DB2B-FCD8-47c6-A858-6DACFB7DCC3E}.exe
File created	C:\Windows\{9563DB2B-FCD8-47c6-A858-6DACFB7DCC3E}.exe	{F27740DC-DD39-47ac-8573-A7C433C09C07}.exe
File created	C:\Windows\{E8099287-9595-43cf-A107-5492CCEB2FA9}.exe	{405DF117-6DFC-45f9-BE9F-4A6BE5F6A50F}.exe
File created	C:\Windows\{EF26D326-B46B-458d-BF8D-986128272373}.exe	{F9D6940D-A9C4-475c-9217-3137B04DD2C8}.exe
File created	C:\Windows\{3829846F-E3B2-45d8-8463-EB12EA7D605F}.exe	{EF26D326-B46B-458d-BF8D-986128272373}.exe
File created	C:\Windows\{38BF18AA-ED90-4b38-B682-D14599EAC83A}.exe	2024-04-20_2756d574d20fbd09234f9a179b2c1fb2_goldeneye.exe
File created	C:\Windows\{9547BE56-9DF9-472b-ABE1-0C882CE8B78D}.exe	{F6AAC919-C3D5-43c8-B321-FA61DF64E2AD}.exe
File created	C:\Windows\{F27740DC-DD39-47ac-8573-A7C433C09C07}.exe	{BF3B7024-F5F4-4755-9837-6A0281D25D7E}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2320	2024-04-20_2756d574d20fbd09234f9a179b2c1fb2_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2744	{38BF18AA-ED90-4b38-B682-D14599EAC83A}.exe
Token: SeIncBasePriorityPrivilege	2584	{F6AAC919-C3D5-43c8-B321-FA61DF64E2AD}.exe
Token: SeIncBasePriorityPrivilege	2548	{9547BE56-9DF9-472b-ABE1-0C882CE8B78D}.exe
Token: SeIncBasePriorityPrivilege	1544	{BF3B7024-F5F4-4755-9837-6A0281D25D7E}.exe
Token: SeIncBasePriorityPrivilege	2844	{F27740DC-DD39-47ac-8573-A7C433C09C07}.exe
Token: SeIncBasePriorityPrivilege	1996	{9563DB2B-FCD8-47c6-A858-6DACFB7DCC3E}.exe
Token: SeIncBasePriorityPrivilege	1888	{405DF117-6DFC-45f9-BE9F-4A6BE5F6A50F}.exe
Token: SeIncBasePriorityPrivilege	1044	{E8099287-9595-43cf-A107-5492CCEB2FA9}.exe
Token: SeIncBasePriorityPrivilege	1760	{F9D6940D-A9C4-475c-9217-3137B04DD2C8}.exe
Token: SeIncBasePriorityPrivilege	2064	{EF26D326-B46B-458d-BF8D-986128272373}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2320 wrote to memory of 2744	2320	2024-04-20_2756d574d20fbd09234f9a179b2c1fb2_goldeneye.exe	28
PID 2320 wrote to memory of 2744	2320	2024-04-20_2756d574d20fbd09234f9a179b2c1fb2_goldeneye.exe	28
PID 2320 wrote to memory of 2744	2320	2024-04-20_2756d574d20fbd09234f9a179b2c1fb2_goldeneye.exe	28
PID 2320 wrote to memory of 2744	2320	2024-04-20_2756d574d20fbd09234f9a179b2c1fb2_goldeneye.exe	28
PID 2320 wrote to memory of 3044	2320	2024-04-20_2756d574d20fbd09234f9a179b2c1fb2_goldeneye.exe	29
PID 2320 wrote to memory of 3044	2320	2024-04-20_2756d574d20fbd09234f9a179b2c1fb2_goldeneye.exe	29
PID 2320 wrote to memory of 3044	2320	2024-04-20_2756d574d20fbd09234f9a179b2c1fb2_goldeneye.exe	29
PID 2320 wrote to memory of 3044	2320	2024-04-20_2756d574d20fbd09234f9a179b2c1fb2_goldeneye.exe	29
PID 2744 wrote to memory of 2584	2744	{38BF18AA-ED90-4b38-B682-D14599EAC83A}.exe	30
PID 2744 wrote to memory of 2584	2744	{38BF18AA-ED90-4b38-B682-D14599EAC83A}.exe	30
PID 2744 wrote to memory of 2584	2744	{38BF18AA-ED90-4b38-B682-D14599EAC83A}.exe	30
PID 2744 wrote to memory of 2584	2744	{38BF18AA-ED90-4b38-B682-D14599EAC83A}.exe	30
PID 2744 wrote to memory of 2592	2744	{38BF18AA-ED90-4b38-B682-D14599EAC83A}.exe	31
PID 2744 wrote to memory of 2592	2744	{38BF18AA-ED90-4b38-B682-D14599EAC83A}.exe	31
PID 2744 wrote to memory of 2592	2744	{38BF18AA-ED90-4b38-B682-D14599EAC83A}.exe	31
PID 2744 wrote to memory of 2592	2744	{38BF18AA-ED90-4b38-B682-D14599EAC83A}.exe	31
PID 2584 wrote to memory of 2548	2584	{F6AAC919-C3D5-43c8-B321-FA61DF64E2AD}.exe	32
PID 2584 wrote to memory of 2548	2584	{F6AAC919-C3D5-43c8-B321-FA61DF64E2AD}.exe	32
PID 2584 wrote to memory of 2548	2584	{F6AAC919-C3D5-43c8-B321-FA61DF64E2AD}.exe	32
PID 2584 wrote to memory of 2548	2584	{F6AAC919-C3D5-43c8-B321-FA61DF64E2AD}.exe	32
PID 2584 wrote to memory of 2516	2584	{F6AAC919-C3D5-43c8-B321-FA61DF64E2AD}.exe	33
PID 2584 wrote to memory of 2516	2584	{F6AAC919-C3D5-43c8-B321-FA61DF64E2AD}.exe	33
PID 2584 wrote to memory of 2516	2584	{F6AAC919-C3D5-43c8-B321-FA61DF64E2AD}.exe	33
PID 2584 wrote to memory of 2516	2584	{F6AAC919-C3D5-43c8-B321-FA61DF64E2AD}.exe	33
PID 2548 wrote to memory of 1544	2548	{9547BE56-9DF9-472b-ABE1-0C882CE8B78D}.exe	36
PID 2548 wrote to memory of 1544	2548	{9547BE56-9DF9-472b-ABE1-0C882CE8B78D}.exe	36
PID 2548 wrote to memory of 1544	2548	{9547BE56-9DF9-472b-ABE1-0C882CE8B78D}.exe	36
PID 2548 wrote to memory of 1544	2548	{9547BE56-9DF9-472b-ABE1-0C882CE8B78D}.exe	36
PID 2548 wrote to memory of 2788	2548	{9547BE56-9DF9-472b-ABE1-0C882CE8B78D}.exe	37
PID 2548 wrote to memory of 2788	2548	{9547BE56-9DF9-472b-ABE1-0C882CE8B78D}.exe	37
PID 2548 wrote to memory of 2788	2548	{9547BE56-9DF9-472b-ABE1-0C882CE8B78D}.exe	37
PID 2548 wrote to memory of 2788	2548	{9547BE56-9DF9-472b-ABE1-0C882CE8B78D}.exe	37
PID 1544 wrote to memory of 2844	1544	{BF3B7024-F5F4-4755-9837-6A0281D25D7E}.exe	38
PID 1544 wrote to memory of 2844	1544	{BF3B7024-F5F4-4755-9837-6A0281D25D7E}.exe	38
PID 1544 wrote to memory of 2844	1544	{BF3B7024-F5F4-4755-9837-6A0281D25D7E}.exe	38
PID 1544 wrote to memory of 2844	1544	{BF3B7024-F5F4-4755-9837-6A0281D25D7E}.exe	38
PID 1544 wrote to memory of 2996	1544	{BF3B7024-F5F4-4755-9837-6A0281D25D7E}.exe	39
PID 1544 wrote to memory of 2996	1544	{BF3B7024-F5F4-4755-9837-6A0281D25D7E}.exe	39
PID 1544 wrote to memory of 2996	1544	{BF3B7024-F5F4-4755-9837-6A0281D25D7E}.exe	39
PID 1544 wrote to memory of 2996	1544	{BF3B7024-F5F4-4755-9837-6A0281D25D7E}.exe	39
PID 2844 wrote to memory of 1996	2844	{F27740DC-DD39-47ac-8573-A7C433C09C07}.exe	40
PID 2844 wrote to memory of 1996	2844	{F27740DC-DD39-47ac-8573-A7C433C09C07}.exe	40
PID 2844 wrote to memory of 1996	2844	{F27740DC-DD39-47ac-8573-A7C433C09C07}.exe	40
PID 2844 wrote to memory of 1996	2844	{F27740DC-DD39-47ac-8573-A7C433C09C07}.exe	40
PID 2844 wrote to memory of 1320	2844	{F27740DC-DD39-47ac-8573-A7C433C09C07}.exe	41
PID 2844 wrote to memory of 1320	2844	{F27740DC-DD39-47ac-8573-A7C433C09C07}.exe	41
PID 2844 wrote to memory of 1320	2844	{F27740DC-DD39-47ac-8573-A7C433C09C07}.exe	41
PID 2844 wrote to memory of 1320	2844	{F27740DC-DD39-47ac-8573-A7C433C09C07}.exe	41
PID 1996 wrote to memory of 1888	1996	{9563DB2B-FCD8-47c6-A858-6DACFB7DCC3E}.exe	42
PID 1996 wrote to memory of 1888	1996	{9563DB2B-FCD8-47c6-A858-6DACFB7DCC3E}.exe	42
PID 1996 wrote to memory of 1888	1996	{9563DB2B-FCD8-47c6-A858-6DACFB7DCC3E}.exe	42
PID 1996 wrote to memory of 1888	1996	{9563DB2B-FCD8-47c6-A858-6DACFB7DCC3E}.exe	42
PID 1996 wrote to memory of 1952	1996	{9563DB2B-FCD8-47c6-A858-6DACFB7DCC3E}.exe	43
PID 1996 wrote to memory of 1952	1996	{9563DB2B-FCD8-47c6-A858-6DACFB7DCC3E}.exe	43
PID 1996 wrote to memory of 1952	1996	{9563DB2B-FCD8-47c6-A858-6DACFB7DCC3E}.exe	43
PID 1996 wrote to memory of 1952	1996	{9563DB2B-FCD8-47c6-A858-6DACFB7DCC3E}.exe	43
PID 1888 wrote to memory of 1044	1888	{405DF117-6DFC-45f9-BE9F-4A6BE5F6A50F}.exe	44
PID 1888 wrote to memory of 1044	1888	{405DF117-6DFC-45f9-BE9F-4A6BE5F6A50F}.exe	44
PID 1888 wrote to memory of 1044	1888	{405DF117-6DFC-45f9-BE9F-4A6BE5F6A50F}.exe	44
PID 1888 wrote to memory of 1044	1888	{405DF117-6DFC-45f9-BE9F-4A6BE5F6A50F}.exe	44
PID 1888 wrote to memory of 920	1888	{405DF117-6DFC-45f9-BE9F-4A6BE5F6A50F}.exe	45
PID 1888 wrote to memory of 920	1888	{405DF117-6DFC-45f9-BE9F-4A6BE5F6A50F}.exe	45
PID 1888 wrote to memory of 920	1888	{405DF117-6DFC-45f9-BE9F-4A6BE5F6A50F}.exe	45
PID 1888 wrote to memory of 920	1888	{405DF117-6DFC-45f9-BE9F-4A6BE5F6A50F}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-04-20_2756d574d20fbd09234f9a179b2c1fb2_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-20_2756d574d20fbd09234f9a179b2c1fb2_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2320
- C:\Windows\{38BF18AA-ED90-4b38-B682-D14599EAC83A}.exe
  C:\Windows\{38BF18AA-ED90-4b38-B682-D14599EAC83A}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2744
- - C:\Windows\{F6AAC919-C3D5-43c8-B321-FA61DF64E2AD}.exe
    C:\Windows\{F6AAC919-C3D5-43c8-B321-FA61DF64E2AD}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2584
  - - C:\Windows\{9547BE56-9DF9-472b-ABE1-0C882CE8B78D}.exe
      C:\Windows\{9547BE56-9DF9-472b-ABE1-0C882CE8B78D}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2548
    - - C:\Windows\{BF3B7024-F5F4-4755-9837-6A0281D25D7E}.exe
        
        C:\Windows\{BF3B7024-F5F4-4755-9837-6A0281D25D7E}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1544
      - C:\Windows\{F27740DC-DD39-47ac-8573-A7C433C09C07}.exe
        
        C:\Windows\{F27740DC-DD39-47ac-8573-A7C433C09C07}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2844
        
        C:\Windows\{9563DB2B-FCD8-47c6-A858-6DACFB7DCC3E}.exe
        
        C:\Windows\{9563DB2B-FCD8-47c6-A858-6DACFB7DCC3E}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1996
        
        C:\Windows\{405DF117-6DFC-45f9-BE9F-4A6BE5F6A50F}.exe
        
        C:\Windows\{405DF117-6DFC-45f9-BE9F-4A6BE5F6A50F}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1888
        
        C:\Windows\{E8099287-9595-43cf-A107-5492CCEB2FA9}.exe
        
        C:\Windows\{E8099287-9595-43cf-A107-5492CCEB2FA9}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1044
        
        C:\Windows\{F9D6940D-A9C4-475c-9217-3137B04DD2C8}.exe
        
        C:\Windows\{F9D6940D-A9C4-475c-9217-3137B04DD2C8}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1760
        
        C:\Windows\{EF26D326-B46B-458d-BF8D-986128272373}.exe
        
        C:\Windows\{EF26D326-B46B-458d-BF8D-986128272373}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2064
        
        C:\Windows\{3829846F-E3B2-45d8-8463-EB12EA7D605F}.exe
        
        C:\Windows\{3829846F-E3B2-45d8-8463-EB12EA7D605F}.exe
        12⤵
        Executes dropped EXE
        
        PID:1492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EF26D~1.EXE > nul
        12⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F9D69~1.EXE > nul
        11⤵
        
        PID:684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E8099~1.EXE > nul
        10⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{405DF~1.EXE > nul
        9⤵
        
        PID:920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9563D~1.EXE > nul
        8⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F2774~1.EXE > nul
        7⤵
        
        PID:1320
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BF3B7~1.EXE > nul
        6⤵
        
        PID:2996
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9547B~1.EXE > nul
        5⤵
        
        PID:2788
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{F6AAC~1.EXE > nul
      4⤵
      PID:2516
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{38BF1~1.EXE > nul
    3⤵
    PID:2592
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:3044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{3829846F-E3B2-45d8-8463-EB12EA7D605F}.exe

Filesize
197KB

MD5
a348ca978fc5695f5c687b69b72a3640

SHA1
e4212c21111ed3c62d8619ae1043d5df527033c6

SHA256
591d450b0eca8b1bb77eb30d90f60372e9cab60f1fd60a705daae14ffbe97c91

SHA512
f3672fc8fe72f920d73780ca6eaf4cb4acc2a7a2964cf84ea7c8257b2ddd9af6dafae7004d6e997f0148cf8fada907bf1db3d380efcaaf2f5c0f8bdeb86f25c5

Download Submit
C:\Windows\{38BF18AA-ED90-4b38-B682-D14599EAC83A}.exe

Filesize
197KB

MD5
08991fcff063bbcb2d3ebe9612937088

SHA1
1c6844aa709d71a45e25022b8e91b061493f6fd6

SHA256
b6962b58d00a32e96fcaa0f79dc6b17cb32e13f5dc8fb6145a7204cc7897d72a

SHA512
080d29bb579705700976147c18abe3487a32d0bc71fcfc5c050b2e532d7ae06dbc9fa567c3db42690e0332420f4aa06fe06b71666d251624d29667f1c20fdfed

Download Submit
C:\Windows\{405DF117-6DFC-45f9-BE9F-4A6BE5F6A50F}.exe

Filesize
197KB

MD5
7e97a9bd07432dd94e1ccde7fd36fd56

SHA1
9c2e95e9191abd76629d904b3d5b14b64d1f24b3

SHA256
2f1d470b7528bec5ab69f6025489058d6eddccfba11f369908e7f34fbbbac4fe

SHA512
41f20ba18eebfe4a754faa82c33889915de5457042a5507fa91c5a83b646146eaf2200efa758ed37247460d25a1890f8c5595bb5ec12bd369887346b63ef094d

Download Submit
C:\Windows\{9547BE56-9DF9-472b-ABE1-0C882CE8B78D}.exe

Filesize
197KB

MD5
d02c7a80d8b4ec82e5d9f5022b046f1f

SHA1
02ad3f4c8fee30190811ade90b6797e84c0ee702

SHA256
2abe23899c0148b893420d58dadb9ae2c0045185d87efd82d9c50634b8fab2d5

SHA512
39acb31ae9b661a6dcfedec76c8ba6c14bbcccc9fb3809fc92fa7db20bfaefc2f7963e81965306e4c5f6a1d48b880f7b64592db2590d1e24beccbb045fc12b03

Download Submit
C:\Windows\{9563DB2B-FCD8-47c6-A858-6DACFB7DCC3E}.exe

Filesize
197KB

MD5
426705a09d5141297f7acce1516a7c48

SHA1
626a0f5c4e3d129993dc93b02ba8dd726653da5a

SHA256
a1626568055b7f49b8a23ff34b6b17e0a8c794e93527daf2cd05bcfeb3eb47da

SHA512
54ca820e500cd365f003bd3f593b97342ea7c6ba284df415e3364c20943033508759f96d0876175d33b22c92715bf2c98c4c4ac01311b81e6bbd98829ded590e

Download Submit
C:\Windows\{BF3B7024-F5F4-4755-9837-6A0281D25D7E}.exe

Filesize
197KB

MD5
4711f743eb1d3c93e9dc75c158dad1bb

SHA1
36e89da873ba45b0cb452e93f304ed4ec7b61f4d

SHA256
499cfbe0007f920da64d4de461062abf29436e2b4ad11ea53c33655148d5aebc

SHA512
2070ed8f8d5b5a014aca61f77c9060012e4fdf75b848441d1ad5817bd266e0cc91793bbbacad67b2dd0e94e1255153c51675807d9aec49e2443e28e933f6ff04

Download Submit
C:\Windows\{E8099287-9595-43cf-A107-5492CCEB2FA9}.exe

Filesize
197KB

MD5
e848984d843c1d87d729f99f48c60d1d

SHA1
0edafd309151b549f872aed6c9c84d4d494025d8

SHA256
31decae5bff1d80204fb6779a7db87f4ed34ed55fd21f745393c38caa10394e7

SHA512
203589c4cd5b0fae63cabf0925acf2a924ef76a08f145c805f6df612a8ef8797babdd7a57156152e200ecf53a3e5125a200f9f051361d0ee1493d653931d97fc

Download Submit
C:\Windows\{EF26D326-B46B-458d-BF8D-986128272373}.exe

Filesize
197KB

MD5
fcfc49c5459cf7d0618c566dacb1060f

SHA1
c7d8f0b1a840125c26f8e072cbc0e6f205b52e4a

SHA256
fa56cfdc7daf35b74d3c4c218033055c0ccf9a312cc6a844bad6e04fcc41d604

SHA512
b29e2df201c96736d1f0fc4b0b61a9c3f003c577812399826e65e2f90b12b1f7f92272d054619fcd1ca359488be08b128e0ab15cfcb8759573736011bbede241

Download Submit
C:\Windows\{F27740DC-DD39-47ac-8573-A7C433C09C07}.exe

Filesize
197KB

MD5
ed547ccdc5ba2b6fa542965b1efbf003

SHA1
6987f291f98c570b7ae9352c365e8972aa47c08d

SHA256
17ccacbcf7543df73e07cf7eedc8ef678f08f1a266a24f854a5c582302e5e602

SHA512
1a41c67baa055662fcfb87e78d84655b15270a416a653b0306b0cebbbec057d9a1d211a0600d4ea2f8d9ac3e0799b0ee582bd5b53120418274419b798e299f7c

Download Submit
C:\Windows\{F6AAC919-C3D5-43c8-B321-FA61DF64E2AD}.exe

Filesize
197KB

MD5
3920cca1de9b0ed544027709ffcc1202

SHA1
ff5619a9252ead72a900e666f72ee3ddce7b11a2

SHA256
a787750383e841e74608ae534bcf28c3c29c19241b6e37d6791fb5b84c7b046a

SHA512
ac7a528d4d1f043ae083184caca4b81916e71fbb498d9a63cd0c1521aaba1fb4e7bf0c76bcbea69b0666cca93fa4d9c84d4102f7b8bf6010db68dc30f2669ca4

Download Submit
C:\Windows\{F9D6940D-A9C4-475c-9217-3137B04DD2C8}.exe

Filesize
197KB

MD5
14e8338ddcaebc158277ad7e9de33948

SHA1
b111454b8cf0a95344210440be805ca18bc9b1de

SHA256
540478fcc1f6a0ffc003eb503df4fb6708c6e8186de912f56b109cf901678579

SHA512
d1755877b59ec518aff91c98620f4b2aa54a6a0a5589ca1f9973fd77fd2a1514831cb249eba394f74521d61c086ddd84dd80912979288f114d88814f5e08885e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads