cd70c4f08b6bd6a197e0c3bf19053d002e74361f48d9d488b20946b34bd2b97c

Analysis

max time kernel
144s
max time network
126s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
20/04/2024, 20:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-20_ed0556f0086456c26069412b3e800221_goldeneye.exe
Size

204KB
MD5

ed0556f0086456c26069412b3e800221
SHA1

b6650caeadc7c920e1c2637f10dae3b88fbd908c
SHA256

cd70c4f08b6bd6a197e0c3bf19053d002e74361f48d9d488b20946b34bd2b97c
SHA512

2f75ccb2f49ba94486c8e6424c782cbe70a907d2b2daca22b12589877389338544ce7426167981644a0ffe794896b3acc949df357c12e3899ca2479244aaf045
SSDEEP

1536:1EGh0oMl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oMl1OPOe2MUVg3Ve+rXfMUy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000f00000000f680-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000014aec-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001000000000f680-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a000000014aec-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001100000000f680-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b000000014aec-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001200000000f680-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000014aec-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001300000000f680-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000014b6d-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001400000000f680-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{08E2FD9C-68D4-4e00-B3C8-B742B742BAF0}	{9F061253-3F65-49a3-BDF8-74CEE31D116D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{338484E0-6B70-4919-BA83-9389B2C4EC34}	{08E2FD9C-68D4-4e00-B3C8-B742B742BAF0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{234C73AA-B6AC-4434-A494-9BBAA708A694}\stubpath = "C:\\Windows\\{234C73AA-B6AC-4434-A494-9BBAA708A694}.exe"	{79CB2B16-1CD8-4cc0-8686-6182835860E0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{41429506-9669-4c3c-B34E-A1F962803E4E}	2024-04-20_ed0556f0086456c26069412b3e800221_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{41429506-9669-4c3c-B34E-A1F962803E4E}\stubpath = "C:\\Windows\\{41429506-9669-4c3c-B34E-A1F962803E4E}.exe"	2024-04-20_ed0556f0086456c26069412b3e800221_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BF350761-AAA2-4c77-9512-6BEE345A244D}	{41429506-9669-4c3c-B34E-A1F962803E4E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BF350761-AAA2-4c77-9512-6BEE345A244D}\stubpath = "C:\\Windows\\{BF350761-AAA2-4c77-9512-6BEE345A244D}.exe"	{41429506-9669-4c3c-B34E-A1F962803E4E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9F061253-3F65-49a3-BDF8-74CEE31D116D}	{BF350761-AAA2-4c77-9512-6BEE345A244D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8984562E-62A8-44eb-AA22-91F13109A334}	{E0889A87-588F-4682-B625-60D2F380432E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{08E2FD9C-68D4-4e00-B3C8-B742B742BAF0}\stubpath = "C:\\Windows\\{08E2FD9C-68D4-4e00-B3C8-B742B742BAF0}.exe"	{9F061253-3F65-49a3-BDF8-74CEE31D116D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{79CB2B16-1CD8-4cc0-8686-6182835860E0}\stubpath = "C:\\Windows\\{79CB2B16-1CD8-4cc0-8686-6182835860E0}.exe"	{338484E0-6B70-4919-BA83-9389B2C4EC34}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9F061253-3F65-49a3-BDF8-74CEE31D116D}\stubpath = "C:\\Windows\\{9F061253-3F65-49a3-BDF8-74CEE31D116D}.exe"	{BF350761-AAA2-4c77-9512-6BEE345A244D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{338484E0-6B70-4919-BA83-9389B2C4EC34}\stubpath = "C:\\Windows\\{338484E0-6B70-4919-BA83-9389B2C4EC34}.exe"	{08E2FD9C-68D4-4e00-B3C8-B742B742BAF0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{234C73AA-B6AC-4434-A494-9BBAA708A694}	{79CB2B16-1CD8-4cc0-8686-6182835860E0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FCF37EEB-B467-4495-85B5-7377868FD9D6}	{234C73AA-B6AC-4434-A494-9BBAA708A694}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8984562E-62A8-44eb-AA22-91F13109A334}\stubpath = "C:\\Windows\\{8984562E-62A8-44eb-AA22-91F13109A334}.exe"	{E0889A87-588F-4682-B625-60D2F380432E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{30311094-DDE2-4215-B1A4-F6F352C4B7B6}\stubpath = "C:\\Windows\\{30311094-DDE2-4215-B1A4-F6F352C4B7B6}.exe"	{8984562E-62A8-44eb-AA22-91F13109A334}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{79CB2B16-1CD8-4cc0-8686-6182835860E0}	{338484E0-6B70-4919-BA83-9389B2C4EC34}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FCF37EEB-B467-4495-85B5-7377868FD9D6}\stubpath = "C:\\Windows\\{FCF37EEB-B467-4495-85B5-7377868FD9D6}.exe"	{234C73AA-B6AC-4434-A494-9BBAA708A694}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E0889A87-588F-4682-B625-60D2F380432E}	{FCF37EEB-B467-4495-85B5-7377868FD9D6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E0889A87-588F-4682-B625-60D2F380432E}\stubpath = "C:\\Windows\\{E0889A87-588F-4682-B625-60D2F380432E}.exe"	{FCF37EEB-B467-4495-85B5-7377868FD9D6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{30311094-DDE2-4215-B1A4-F6F352C4B7B6}	{8984562E-62A8-44eb-AA22-91F13109A334}.exe

Deletes itself 1 IoCs

pid	Process
1108	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
284	{41429506-9669-4c3c-B34E-A1F962803E4E}.exe
3012	{BF350761-AAA2-4c77-9512-6BEE345A244D}.exe
2892	{9F061253-3F65-49a3-BDF8-74CEE31D116D}.exe
2636	{08E2FD9C-68D4-4e00-B3C8-B742B742BAF0}.exe
2616	{338484E0-6B70-4919-BA83-9389B2C4EC34}.exe
2444	{79CB2B16-1CD8-4cc0-8686-6182835860E0}.exe
1496	{234C73AA-B6AC-4434-A494-9BBAA708A694}.exe
2196	{FCF37EEB-B467-4495-85B5-7377868FD9D6}.exe
2320	{E0889A87-588F-4682-B625-60D2F380432E}.exe
1764	{8984562E-62A8-44eb-AA22-91F13109A334}.exe
1616	{30311094-DDE2-4215-B1A4-F6F352C4B7B6}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{234C73AA-B6AC-4434-A494-9BBAA708A694}.exe	{79CB2B16-1CD8-4cc0-8686-6182835860E0}.exe
File created	C:\Windows\{FCF37EEB-B467-4495-85B5-7377868FD9D6}.exe	{234C73AA-B6AC-4434-A494-9BBAA708A694}.exe
File created	C:\Windows\{41429506-9669-4c3c-B34E-A1F962803E4E}.exe	2024-04-20_ed0556f0086456c26069412b3e800221_goldeneye.exe
File created	C:\Windows\{BF350761-AAA2-4c77-9512-6BEE345A244D}.exe	{41429506-9669-4c3c-B34E-A1F962803E4E}.exe
File created	C:\Windows\{79CB2B16-1CD8-4cc0-8686-6182835860E0}.exe	{338484E0-6B70-4919-BA83-9389B2C4EC34}.exe
File created	C:\Windows\{E0889A87-588F-4682-B625-60D2F380432E}.exe	{FCF37EEB-B467-4495-85B5-7377868FD9D6}.exe
File created	C:\Windows\{8984562E-62A8-44eb-AA22-91F13109A334}.exe	{E0889A87-588F-4682-B625-60D2F380432E}.exe
File created	C:\Windows\{30311094-DDE2-4215-B1A4-F6F352C4B7B6}.exe	{8984562E-62A8-44eb-AA22-91F13109A334}.exe
File created	C:\Windows\{9F061253-3F65-49a3-BDF8-74CEE31D116D}.exe	{BF350761-AAA2-4c77-9512-6BEE345A244D}.exe
File created	C:\Windows\{08E2FD9C-68D4-4e00-B3C8-B742B742BAF0}.exe	{9F061253-3F65-49a3-BDF8-74CEE31D116D}.exe
File created	C:\Windows\{338484E0-6B70-4919-BA83-9389B2C4EC34}.exe	{08E2FD9C-68D4-4e00-B3C8-B742B742BAF0}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2180	2024-04-20_ed0556f0086456c26069412b3e800221_goldeneye.exe
Token: SeIncBasePriorityPrivilege	284	{41429506-9669-4c3c-B34E-A1F962803E4E}.exe
Token: SeIncBasePriorityPrivilege	3012	{BF350761-AAA2-4c77-9512-6BEE345A244D}.exe
Token: SeIncBasePriorityPrivilege	2892	{9F061253-3F65-49a3-BDF8-74CEE31D116D}.exe
Token: SeIncBasePriorityPrivilege	2636	{08E2FD9C-68D4-4e00-B3C8-B742B742BAF0}.exe
Token: SeIncBasePriorityPrivilege	2616	{338484E0-6B70-4919-BA83-9389B2C4EC34}.exe
Token: SeIncBasePriorityPrivilege	2444	{79CB2B16-1CD8-4cc0-8686-6182835860E0}.exe
Token: SeIncBasePriorityPrivilege	1496	{234C73AA-B6AC-4434-A494-9BBAA708A694}.exe
Token: SeIncBasePriorityPrivilege	2196	{FCF37EEB-B467-4495-85B5-7377868FD9D6}.exe
Token: SeIncBasePriorityPrivilege	2320	{E0889A87-588F-4682-B625-60D2F380432E}.exe
Token: SeIncBasePriorityPrivilege	1764	{8984562E-62A8-44eb-AA22-91F13109A334}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2180 wrote to memory of 284	2180	2024-04-20_ed0556f0086456c26069412b3e800221_goldeneye.exe	30
PID 2180 wrote to memory of 284	2180	2024-04-20_ed0556f0086456c26069412b3e800221_goldeneye.exe	30
PID 2180 wrote to memory of 284	2180	2024-04-20_ed0556f0086456c26069412b3e800221_goldeneye.exe	30
PID 2180 wrote to memory of 284	2180	2024-04-20_ed0556f0086456c26069412b3e800221_goldeneye.exe	30
PID 2180 wrote to memory of 1108	2180	2024-04-20_ed0556f0086456c26069412b3e800221_goldeneye.exe	31
PID 2180 wrote to memory of 1108	2180	2024-04-20_ed0556f0086456c26069412b3e800221_goldeneye.exe	31
PID 2180 wrote to memory of 1108	2180	2024-04-20_ed0556f0086456c26069412b3e800221_goldeneye.exe	31
PID 2180 wrote to memory of 1108	2180	2024-04-20_ed0556f0086456c26069412b3e800221_goldeneye.exe	31
PID 284 wrote to memory of 3012	284	{41429506-9669-4c3c-B34E-A1F962803E4E}.exe	32
PID 284 wrote to memory of 3012	284	{41429506-9669-4c3c-B34E-A1F962803E4E}.exe	32
PID 284 wrote to memory of 3012	284	{41429506-9669-4c3c-B34E-A1F962803E4E}.exe	32
PID 284 wrote to memory of 3012	284	{41429506-9669-4c3c-B34E-A1F962803E4E}.exe	32
PID 284 wrote to memory of 2592	284	{41429506-9669-4c3c-B34E-A1F962803E4E}.exe	33
PID 284 wrote to memory of 2592	284	{41429506-9669-4c3c-B34E-A1F962803E4E}.exe	33
PID 284 wrote to memory of 2592	284	{41429506-9669-4c3c-B34E-A1F962803E4E}.exe	33
PID 284 wrote to memory of 2592	284	{41429506-9669-4c3c-B34E-A1F962803E4E}.exe	33
PID 3012 wrote to memory of 2892	3012	{BF350761-AAA2-4c77-9512-6BEE345A244D}.exe	34
PID 3012 wrote to memory of 2892	3012	{BF350761-AAA2-4c77-9512-6BEE345A244D}.exe	34
PID 3012 wrote to memory of 2892	3012	{BF350761-AAA2-4c77-9512-6BEE345A244D}.exe	34
PID 3012 wrote to memory of 2892	3012	{BF350761-AAA2-4c77-9512-6BEE345A244D}.exe	34
PID 3012 wrote to memory of 2888	3012	{BF350761-AAA2-4c77-9512-6BEE345A244D}.exe	35
PID 3012 wrote to memory of 2888	3012	{BF350761-AAA2-4c77-9512-6BEE345A244D}.exe	35
PID 3012 wrote to memory of 2888	3012	{BF350761-AAA2-4c77-9512-6BEE345A244D}.exe	35
PID 3012 wrote to memory of 2888	3012	{BF350761-AAA2-4c77-9512-6BEE345A244D}.exe	35
PID 2892 wrote to memory of 2636	2892	{9F061253-3F65-49a3-BDF8-74CEE31D116D}.exe	36
PID 2892 wrote to memory of 2636	2892	{9F061253-3F65-49a3-BDF8-74CEE31D116D}.exe	36
PID 2892 wrote to memory of 2636	2892	{9F061253-3F65-49a3-BDF8-74CEE31D116D}.exe	36
PID 2892 wrote to memory of 2636	2892	{9F061253-3F65-49a3-BDF8-74CEE31D116D}.exe	36
PID 2892 wrote to memory of 2524	2892	{9F061253-3F65-49a3-BDF8-74CEE31D116D}.exe	37
PID 2892 wrote to memory of 2524	2892	{9F061253-3F65-49a3-BDF8-74CEE31D116D}.exe	37
PID 2892 wrote to memory of 2524	2892	{9F061253-3F65-49a3-BDF8-74CEE31D116D}.exe	37
PID 2892 wrote to memory of 2524	2892	{9F061253-3F65-49a3-BDF8-74CEE31D116D}.exe	37
PID 2636 wrote to memory of 2616	2636	{08E2FD9C-68D4-4e00-B3C8-B742B742BAF0}.exe	38
PID 2636 wrote to memory of 2616	2636	{08E2FD9C-68D4-4e00-B3C8-B742B742BAF0}.exe	38
PID 2636 wrote to memory of 2616	2636	{08E2FD9C-68D4-4e00-B3C8-B742B742BAF0}.exe	38
PID 2636 wrote to memory of 2616	2636	{08E2FD9C-68D4-4e00-B3C8-B742B742BAF0}.exe	38
PID 2636 wrote to memory of 2608	2636	{08E2FD9C-68D4-4e00-B3C8-B742B742BAF0}.exe	39
PID 2636 wrote to memory of 2608	2636	{08E2FD9C-68D4-4e00-B3C8-B742B742BAF0}.exe	39
PID 2636 wrote to memory of 2608	2636	{08E2FD9C-68D4-4e00-B3C8-B742B742BAF0}.exe	39
PID 2636 wrote to memory of 2608	2636	{08E2FD9C-68D4-4e00-B3C8-B742B742BAF0}.exe	39
PID 2616 wrote to memory of 2444	2616	{338484E0-6B70-4919-BA83-9389B2C4EC34}.exe	40
PID 2616 wrote to memory of 2444	2616	{338484E0-6B70-4919-BA83-9389B2C4EC34}.exe	40
PID 2616 wrote to memory of 2444	2616	{338484E0-6B70-4919-BA83-9389B2C4EC34}.exe	40
PID 2616 wrote to memory of 2444	2616	{338484E0-6B70-4919-BA83-9389B2C4EC34}.exe	40
PID 2616 wrote to memory of 2536	2616	{338484E0-6B70-4919-BA83-9389B2C4EC34}.exe	41
PID 2616 wrote to memory of 2536	2616	{338484E0-6B70-4919-BA83-9389B2C4EC34}.exe	41
PID 2616 wrote to memory of 2536	2616	{338484E0-6B70-4919-BA83-9389B2C4EC34}.exe	41
PID 2616 wrote to memory of 2536	2616	{338484E0-6B70-4919-BA83-9389B2C4EC34}.exe	41
PID 2444 wrote to memory of 1496	2444	{79CB2B16-1CD8-4cc0-8686-6182835860E0}.exe	42
PID 2444 wrote to memory of 1496	2444	{79CB2B16-1CD8-4cc0-8686-6182835860E0}.exe	42
PID 2444 wrote to memory of 1496	2444	{79CB2B16-1CD8-4cc0-8686-6182835860E0}.exe	42
PID 2444 wrote to memory of 1496	2444	{79CB2B16-1CD8-4cc0-8686-6182835860E0}.exe	42
PID 2444 wrote to memory of 2216	2444	{79CB2B16-1CD8-4cc0-8686-6182835860E0}.exe	43
PID 2444 wrote to memory of 2216	2444	{79CB2B16-1CD8-4cc0-8686-6182835860E0}.exe	43
PID 2444 wrote to memory of 2216	2444	{79CB2B16-1CD8-4cc0-8686-6182835860E0}.exe	43
PID 2444 wrote to memory of 2216	2444	{79CB2B16-1CD8-4cc0-8686-6182835860E0}.exe	43
PID 1496 wrote to memory of 2196	1496	{234C73AA-B6AC-4434-A494-9BBAA708A694}.exe	44
PID 1496 wrote to memory of 2196	1496	{234C73AA-B6AC-4434-A494-9BBAA708A694}.exe	44
PID 1496 wrote to memory of 2196	1496	{234C73AA-B6AC-4434-A494-9BBAA708A694}.exe	44
PID 1496 wrote to memory of 2196	1496	{234C73AA-B6AC-4434-A494-9BBAA708A694}.exe	44
PID 1496 wrote to memory of 2188	1496	{234C73AA-B6AC-4434-A494-9BBAA708A694}.exe	45
PID 1496 wrote to memory of 2188	1496	{234C73AA-B6AC-4434-A494-9BBAA708A694}.exe	45
PID 1496 wrote to memory of 2188	1496	{234C73AA-B6AC-4434-A494-9BBAA708A694}.exe	45
PID 1496 wrote to memory of 2188	1496	{234C73AA-B6AC-4434-A494-9BBAA708A694}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-04-20_ed0556f0086456c26069412b3e800221_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-20_ed0556f0086456c26069412b3e800221_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2180
- C:\Windows\{41429506-9669-4c3c-B34E-A1F962803E4E}.exe
  C:\Windows\{41429506-9669-4c3c-B34E-A1F962803E4E}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:284
- - C:\Windows\{BF350761-AAA2-4c77-9512-6BEE345A244D}.exe
    C:\Windows\{BF350761-AAA2-4c77-9512-6BEE345A244D}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3012
  - - C:\Windows\{9F061253-3F65-49a3-BDF8-74CEE31D116D}.exe
      C:\Windows\{9F061253-3F65-49a3-BDF8-74CEE31D116D}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2892
    - - C:\Windows\{08E2FD9C-68D4-4e00-B3C8-B742B742BAF0}.exe
        
        C:\Windows\{08E2FD9C-68D4-4e00-B3C8-B742B742BAF0}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2636
      - C:\Windows\{338484E0-6B70-4919-BA83-9389B2C4EC34}.exe
        
        C:\Windows\{338484E0-6B70-4919-BA83-9389B2C4EC34}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2616
        
        C:\Windows\{79CB2B16-1CD8-4cc0-8686-6182835860E0}.exe
        
        C:\Windows\{79CB2B16-1CD8-4cc0-8686-6182835860E0}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2444
        
        C:\Windows\{234C73AA-B6AC-4434-A494-9BBAA708A694}.exe
        
        C:\Windows\{234C73AA-B6AC-4434-A494-9BBAA708A694}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1496
        
        C:\Windows\{FCF37EEB-B467-4495-85B5-7377868FD9D6}.exe
        
        C:\Windows\{FCF37EEB-B467-4495-85B5-7377868FD9D6}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2196
        
        C:\Windows\{E0889A87-588F-4682-B625-60D2F380432E}.exe
        
        C:\Windows\{E0889A87-588F-4682-B625-60D2F380432E}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2320
        
        C:\Windows\{8984562E-62A8-44eb-AA22-91F13109A334}.exe
        
        C:\Windows\{8984562E-62A8-44eb-AA22-91F13109A334}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1764
        
        C:\Windows\{30311094-DDE2-4215-B1A4-F6F352C4B7B6}.exe
        
        C:\Windows\{30311094-DDE2-4215-B1A4-F6F352C4B7B6}.exe
        12⤵
        Executes dropped EXE
        
        PID:1616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{89845~1.EXE > nul
        12⤵
        
        PID:1428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E0889~1.EXE > nul
        11⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FCF37~1.EXE > nul
        10⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{234C7~1.EXE > nul
        9⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{79CB2~1.EXE > nul
        8⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{33848~1.EXE > nul
        7⤵
        
        PID:2536
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{08E2F~1.EXE > nul
        6⤵
        
        PID:2608
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9F061~1.EXE > nul
        5⤵
        
        PID:2524
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{BF350~1.EXE > nul
      4⤵
      PID:2888
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{41429~1.EXE > nul
    3⤵
    PID:2592
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:1108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{08E2FD9C-68D4-4e00-B3C8-B742B742BAF0}.exe

Filesize
204KB

MD5
e50ec7ed8b67620648f8f87ea6f57e57

SHA1
f7de62a2fc3aed1994a4313c9a270bc422ff91fa

SHA256
1ff07d42270598ce50c6ac91cc11f1149c95c38f3a1f782c64d406e039e44cb7

SHA512
803ef80ecd14f60c4967040412ed06298378c27d26a7b782c0697a09577055760665017b9d86fe294213e595b281365153324799f6ca00f1e38e52e4a96e65b3

Download Submit
C:\Windows\{234C73AA-B6AC-4434-A494-9BBAA708A694}.exe

Filesize
204KB

MD5
6a3be654c848f3dd80c3095e6d400f08

SHA1
80f32f33effdd7cb6675246b4a5ef77ea2b05884

SHA256
f8c6c9e3037db17721cb9501de20e12be5c0e6387e9478c908d61d8daf1b2d52

SHA512
93b8b85773d048b19aa5909bdc5e20604ebab4237923e6938b124129efe512a5dd0f3c26e52aa7a365e8d84e5ce7dc9fcec0a0a689035f58aac4d507f15f6010

Download Submit
C:\Windows\{30311094-DDE2-4215-B1A4-F6F352C4B7B6}.exe

Filesize
204KB

MD5
97c756e5cb17f54c5c9acd0415ba186a

SHA1
f8affd5e6ace25683dcc768471f79a512186eb23

SHA256
a9d4f66765484c532993e5ebba16cec1fb15daedea6263d749d56926d88a7e5d

SHA512
da8b9b53dc7b1747f0cb6140dc9d12841923230c4fde7e417dfd66b7b22decc5247303c92d95934dce5cc42d7cb3d1057348bee5355fb596a5902cc2f1a7b376

Download Submit
C:\Windows\{338484E0-6B70-4919-BA83-9389B2C4EC34}.exe

Filesize
204KB

MD5
78ad21abe33e4ec8536a46c91e552572

SHA1
f5197aa9658b53ec872dede3eb3b13d09a2157f0

SHA256
c47d72a1a3d865294c2e7519accb236543ed80ded714e0b88ad79425b076c8c6

SHA512
cf9a6e845eae75021fdd1b2858aee74f1e193dba5891268273a6f42d274a6923b5811da385b23f49f2f2bd34759dd65e5a61d0b455bb05d9751a9a4cc8ed5918

Download Submit
C:\Windows\{41429506-9669-4c3c-B34E-A1F962803E4E}.exe

Filesize
204KB

MD5
131019ec718ae28424c183e7b3d35059

SHA1
8e93e33f1dded9bd69761c455072cdef919cf989

SHA256
929a16dc8bde284fb23ecb1acd9f00867ce97ce8b420446ce59db89da3cd4183

SHA512
3ea0d28d1503d72b432cd0b334416270afbe343f0f5a99b18978b571e2bc32439ace346919baa1b00297a17a049909ce03e96040fd07e9d45ffd1a15b7fc34ab

Download Submit
C:\Windows\{79CB2B16-1CD8-4cc0-8686-6182835860E0}.exe

Filesize
204KB

MD5
f69ab39d983e190bc13f73426f576791

SHA1
b16f90fc12de11e68b3ca8e03866ee05a93d1c52

SHA256
1c1f619b72230f0d7b4a73057634f3532af0fe344f060c1df64830b07513d128

SHA512
f4c1eecdd3eda1d1a01ab98c374d4cbb35e080c54fdfe568ccb11d761e3985f7e314656d8a97a5521b340e619e0e70cf906a5191d8b15840c0929f0cdd156944

Download Submit
C:\Windows\{8984562E-62A8-44eb-AA22-91F13109A334}.exe

Filesize
204KB

MD5
3e374d484c3fd0bcaa259be7db0693c5

SHA1
03f198cb7b7689d270889214eca77f741cf8dad3

SHA256
2d6b8f2b72746a2cda4020bac04b8b32a47766607eb3437aa010b1a9b23d3645

SHA512
2148c362e30efbd735a7a3aecd094dc76d04cd0aa91336a53d0ee4ea864f39cdb442e730273650bf791be86203fcf23eb1ad363861f239c572f87c3562a065b9

Download Submit
C:\Windows\{9F061253-3F65-49a3-BDF8-74CEE31D116D}.exe

Filesize
204KB

MD5
e7422e85f1410f859a73667983257177

SHA1
4cb5a8dbdb40926e49ef18387dd0d7583077bbc0

SHA256
9a3940c287aa66b872304f22797664d0247dc29f451c9b22e68041ac8b41c61c

SHA512
66d7e77249a69b587e43bf63f61eaafe5d633c1b716cbcbf308b89ed050441d00569e869cc367ea175ec985555730676d88a4e7bbcdb75f333d5eac47c6eb967

Download Submit
C:\Windows\{BF350761-AAA2-4c77-9512-6BEE345A244D}.exe

Filesize
204KB

MD5
ae9dfe293ccb0ded8a46ec2fdc64e147

SHA1
0223f43539f6b753ded1b00b657ecbe13ed170de

SHA256
7ba3f6a0b6065c9c67bdae5f8b018aedf6a5c924b19ffae1f0d2de0c8f85713a

SHA512
9aa8dcf4ef3f61f684bad895fd56b8a93728752bd31565342212fc52f5a63f87ac61e3c3b8bbe3bf3aa701dac03be366c54be991a3d6c649a8f28eb1fb3e493a

Download Submit
C:\Windows\{E0889A87-588F-4682-B625-60D2F380432E}.exe

Filesize
204KB

MD5
48ba6108bfd6d5d3028ac43010575655

SHA1
3b539ee53e0103924330a8c2799f971f6e1867d9

SHA256
c776b6e59d69a33c28b9cff49fd1073dab7886b2d3f287cf1833144f12a1bfda

SHA512
43795d52487df1819f66a823e73cb674adfe552f86eccd956da57e00b504c769a0cd85ff74b0db0c1e650f3a1db60544b4500dfa614bf774094589a86e320ae4

Download Submit
C:\Windows\{FCF37EEB-B467-4495-85B5-7377868FD9D6}.exe

Filesize
204KB

MD5
94f30c22eb078826c94fe56a1bc783fe

SHA1
3696b1f36c6518039b76886b5279dc69ecb1c209

SHA256
f1761bbf92845ef043022137de3e26c5a9c88b7091968439c1511705ffdc816e

SHA512
c0e37f66480372006d9a5f33dc749225cd55ecd54a9ecff879273eedd9345d169cc67dd1559d57bcbc52def69d927cf1703c49ca9ab277e96906fd906443452a

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads