c3ea21af99d02fd436da2812583b2919e5b7822c4a2f887b7196d8217f8d7762

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
22/04/2024, 11:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-22_f857b71631b9feb9f4369aee82c24d0b_goldeneye.exe
Size

380KB
MD5

f857b71631b9feb9f4369aee82c24d0b
SHA1

980ed05ec975645d98ff66565913410de20eae2d
SHA256

c3ea21af99d02fd436da2812583b2919e5b7822c4a2f887b7196d8217f8d7762
SHA512

9faa1c1b953b56f604f948e1186b3af8201caf7fc2bdc38f1e0801e7857d7c2625bbd6ef087e715022e513f221241f189573be9a5f72093ab6378d2ce9362d6a
SSDEEP

3072:mEGh0o7lPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGVl7Oe2MUVg3v2IneKcAEcARy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000d00000001224d-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000013a06-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e00000001224d-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x003500000001415f-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f00000001224d-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001000000001224d-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001100000001224d-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8A92C268-B7CD-4bda-B4A4-3663600B8A62}	{341F84AA-4BAA-472c-A7CF-B2EB5FD92D6A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CBD0364B-5D54-46db-B9B5-7B63051A18B1}	{8A92C268-B7CD-4bda-B4A4-3663600B8A62}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DB0E8E29-EC48-44e9-A748-71A881A3F409}	{DC22A142-0C61-418b-B12A-235F42E96013}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{341F84AA-4BAA-472c-A7CF-B2EB5FD92D6A}\stubpath = "C:\\Windows\\{341F84AA-4BAA-472c-A7CF-B2EB5FD92D6A}.exe"	2024-04-22_f857b71631b9feb9f4369aee82c24d0b_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8A92C268-B7CD-4bda-B4A4-3663600B8A62}\stubpath = "C:\\Windows\\{8A92C268-B7CD-4bda-B4A4-3663600B8A62}.exe"	{341F84AA-4BAA-472c-A7CF-B2EB5FD92D6A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DC22A142-0C61-418b-B12A-235F42E96013}	{CBD0364B-5D54-46db-B9B5-7B63051A18B1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6842D1D9-2CCB-4dea-9A0B-F16FB79FFA30}	{FA462751-1366-4e8d-B517-AB508EBB4C2B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C7B35A98-4A2B-4456-ACC4-CE11575D5001}	{7E48338D-99F1-4d92-BBCB-F77FF89FB13C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7E48338D-99F1-4d92-BBCB-F77FF89FB13C}\stubpath = "C:\\Windows\\{7E48338D-99F1-4d92-BBCB-F77FF89FB13C}.exe"	{4FE04E94-B496-4d7b-80FE-719BA246872B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{341F84AA-4BAA-472c-A7CF-B2EB5FD92D6A}	2024-04-22_f857b71631b9feb9f4369aee82c24d0b_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DC22A142-0C61-418b-B12A-235F42E96013}\stubpath = "C:\\Windows\\{DC22A142-0C61-418b-B12A-235F42E96013}.exe"	{CBD0364B-5D54-46db-B9B5-7B63051A18B1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DB0E8E29-EC48-44e9-A748-71A881A3F409}\stubpath = "C:\\Windows\\{DB0E8E29-EC48-44e9-A748-71A881A3F409}.exe"	{DC22A142-0C61-418b-B12A-235F42E96013}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{12B64F03-2B5A-40a2-9544-0BDC4EA33DD9}\stubpath = "C:\\Windows\\{12B64F03-2B5A-40a2-9544-0BDC4EA33DD9}.exe"	{DB0E8E29-EC48-44e9-A748-71A881A3F409}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FA462751-1366-4e8d-B517-AB508EBB4C2B}\stubpath = "C:\\Windows\\{FA462751-1366-4e8d-B517-AB508EBB4C2B}.exe"	{12B64F03-2B5A-40a2-9544-0BDC4EA33DD9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4FE04E94-B496-4d7b-80FE-719BA246872B}	{6842D1D9-2CCB-4dea-9A0B-F16FB79FFA30}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7E48338D-99F1-4d92-BBCB-F77FF89FB13C}	{4FE04E94-B496-4d7b-80FE-719BA246872B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CBD0364B-5D54-46db-B9B5-7B63051A18B1}\stubpath = "C:\\Windows\\{CBD0364B-5D54-46db-B9B5-7B63051A18B1}.exe"	{8A92C268-B7CD-4bda-B4A4-3663600B8A62}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{12B64F03-2B5A-40a2-9544-0BDC4EA33DD9}	{DB0E8E29-EC48-44e9-A748-71A881A3F409}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FA462751-1366-4e8d-B517-AB508EBB4C2B}	{12B64F03-2B5A-40a2-9544-0BDC4EA33DD9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6842D1D9-2CCB-4dea-9A0B-F16FB79FFA30}\stubpath = "C:\\Windows\\{6842D1D9-2CCB-4dea-9A0B-F16FB79FFA30}.exe"	{FA462751-1366-4e8d-B517-AB508EBB4C2B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4FE04E94-B496-4d7b-80FE-719BA246872B}\stubpath = "C:\\Windows\\{4FE04E94-B496-4d7b-80FE-719BA246872B}.exe"	{6842D1D9-2CCB-4dea-9A0B-F16FB79FFA30}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C7B35A98-4A2B-4456-ACC4-CE11575D5001}\stubpath = "C:\\Windows\\{C7B35A98-4A2B-4456-ACC4-CE11575D5001}.exe"	{7E48338D-99F1-4d92-BBCB-F77FF89FB13C}.exe

Deletes itself 1 IoCs

pid	Process
2940	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2572	{341F84AA-4BAA-472c-A7CF-B2EB5FD92D6A}.exe
2492	{8A92C268-B7CD-4bda-B4A4-3663600B8A62}.exe
2476	{CBD0364B-5D54-46db-B9B5-7B63051A18B1}.exe
1716	{DC22A142-0C61-418b-B12A-235F42E96013}.exe
2364	{DB0E8E29-EC48-44e9-A748-71A881A3F409}.exe
1512	{12B64F03-2B5A-40a2-9544-0BDC4EA33DD9}.exe
2176	{FA462751-1366-4e8d-B517-AB508EBB4C2B}.exe
2024	{6842D1D9-2CCB-4dea-9A0B-F16FB79FFA30}.exe
2872	{4FE04E94-B496-4d7b-80FE-719BA246872B}.exe
2120	{7E48338D-99F1-4d92-BBCB-F77FF89FB13C}.exe
1572	{C7B35A98-4A2B-4456-ACC4-CE11575D5001}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{8A92C268-B7CD-4bda-B4A4-3663600B8A62}.exe	{341F84AA-4BAA-472c-A7CF-B2EB5FD92D6A}.exe
File created	C:\Windows\{DB0E8E29-EC48-44e9-A748-71A881A3F409}.exe	{DC22A142-0C61-418b-B12A-235F42E96013}.exe
File created	C:\Windows\{4FE04E94-B496-4d7b-80FE-719BA246872B}.exe	{6842D1D9-2CCB-4dea-9A0B-F16FB79FFA30}.exe
File created	C:\Windows\{7E48338D-99F1-4d92-BBCB-F77FF89FB13C}.exe	{4FE04E94-B496-4d7b-80FE-719BA246872B}.exe
File created	C:\Windows\{C7B35A98-4A2B-4456-ACC4-CE11575D5001}.exe	{7E48338D-99F1-4d92-BBCB-F77FF89FB13C}.exe
File created	C:\Windows\{341F84AA-4BAA-472c-A7CF-B2EB5FD92D6A}.exe	2024-04-22_f857b71631b9feb9f4369aee82c24d0b_goldeneye.exe
File created	C:\Windows\{CBD0364B-5D54-46db-B9B5-7B63051A18B1}.exe	{8A92C268-B7CD-4bda-B4A4-3663600B8A62}.exe
File created	C:\Windows\{DC22A142-0C61-418b-B12A-235F42E96013}.exe	{CBD0364B-5D54-46db-B9B5-7B63051A18B1}.exe
File created	C:\Windows\{12B64F03-2B5A-40a2-9544-0BDC4EA33DD9}.exe	{DB0E8E29-EC48-44e9-A748-71A881A3F409}.exe
File created	C:\Windows\{FA462751-1366-4e8d-B517-AB508EBB4C2B}.exe	{12B64F03-2B5A-40a2-9544-0BDC4EA33DD9}.exe
File created	C:\Windows\{6842D1D9-2CCB-4dea-9A0B-F16FB79FFA30}.exe	{FA462751-1366-4e8d-B517-AB508EBB4C2B}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1900	2024-04-22_f857b71631b9feb9f4369aee82c24d0b_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2572	{341F84AA-4BAA-472c-A7CF-B2EB5FD92D6A}.exe
Token: SeIncBasePriorityPrivilege	2492	{8A92C268-B7CD-4bda-B4A4-3663600B8A62}.exe
Token: SeIncBasePriorityPrivilege	2476	{CBD0364B-5D54-46db-B9B5-7B63051A18B1}.exe
Token: SeIncBasePriorityPrivilege	1716	{DC22A142-0C61-418b-B12A-235F42E96013}.exe
Token: SeIncBasePriorityPrivilege	2364	{DB0E8E29-EC48-44e9-A748-71A881A3F409}.exe
Token: SeIncBasePriorityPrivilege	1512	{12B64F03-2B5A-40a2-9544-0BDC4EA33DD9}.exe
Token: SeIncBasePriorityPrivilege	2176	{FA462751-1366-4e8d-B517-AB508EBB4C2B}.exe
Token: SeIncBasePriorityPrivilege	2024	{6842D1D9-2CCB-4dea-9A0B-F16FB79FFA30}.exe
Token: SeIncBasePriorityPrivilege	2872	{4FE04E94-B496-4d7b-80FE-719BA246872B}.exe
Token: SeIncBasePriorityPrivilege	2120	{7E48338D-99F1-4d92-BBCB-F77FF89FB13C}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1900 wrote to memory of 2572	1900	2024-04-22_f857b71631b9feb9f4369aee82c24d0b_goldeneye.exe	28
PID 1900 wrote to memory of 2572	1900	2024-04-22_f857b71631b9feb9f4369aee82c24d0b_goldeneye.exe	28
PID 1900 wrote to memory of 2572	1900	2024-04-22_f857b71631b9feb9f4369aee82c24d0b_goldeneye.exe	28
PID 1900 wrote to memory of 2572	1900	2024-04-22_f857b71631b9feb9f4369aee82c24d0b_goldeneye.exe	28
PID 1900 wrote to memory of 2940	1900	2024-04-22_f857b71631b9feb9f4369aee82c24d0b_goldeneye.exe	29
PID 1900 wrote to memory of 2940	1900	2024-04-22_f857b71631b9feb9f4369aee82c24d0b_goldeneye.exe	29
PID 1900 wrote to memory of 2940	1900	2024-04-22_f857b71631b9feb9f4369aee82c24d0b_goldeneye.exe	29
PID 1900 wrote to memory of 2940	1900	2024-04-22_f857b71631b9feb9f4369aee82c24d0b_goldeneye.exe	29
PID 2572 wrote to memory of 2492	2572	{341F84AA-4BAA-472c-A7CF-B2EB5FD92D6A}.exe	30
PID 2572 wrote to memory of 2492	2572	{341F84AA-4BAA-472c-A7CF-B2EB5FD92D6A}.exe	30
PID 2572 wrote to memory of 2492	2572	{341F84AA-4BAA-472c-A7CF-B2EB5FD92D6A}.exe	30
PID 2572 wrote to memory of 2492	2572	{341F84AA-4BAA-472c-A7CF-B2EB5FD92D6A}.exe	30
PID 2572 wrote to memory of 2656	2572	{341F84AA-4BAA-472c-A7CF-B2EB5FD92D6A}.exe	31
PID 2572 wrote to memory of 2656	2572	{341F84AA-4BAA-472c-A7CF-B2EB5FD92D6A}.exe	31
PID 2572 wrote to memory of 2656	2572	{341F84AA-4BAA-472c-A7CF-B2EB5FD92D6A}.exe	31
PID 2572 wrote to memory of 2656	2572	{341F84AA-4BAA-472c-A7CF-B2EB5FD92D6A}.exe	31
PID 2492 wrote to memory of 2476	2492	{8A92C268-B7CD-4bda-B4A4-3663600B8A62}.exe	32
PID 2492 wrote to memory of 2476	2492	{8A92C268-B7CD-4bda-B4A4-3663600B8A62}.exe	32
PID 2492 wrote to memory of 2476	2492	{8A92C268-B7CD-4bda-B4A4-3663600B8A62}.exe	32
PID 2492 wrote to memory of 2476	2492	{8A92C268-B7CD-4bda-B4A4-3663600B8A62}.exe	32
PID 2492 wrote to memory of 2548	2492	{8A92C268-B7CD-4bda-B4A4-3663600B8A62}.exe	33
PID 2492 wrote to memory of 2548	2492	{8A92C268-B7CD-4bda-B4A4-3663600B8A62}.exe	33
PID 2492 wrote to memory of 2548	2492	{8A92C268-B7CD-4bda-B4A4-3663600B8A62}.exe	33
PID 2492 wrote to memory of 2548	2492	{8A92C268-B7CD-4bda-B4A4-3663600B8A62}.exe	33
PID 2476 wrote to memory of 1716	2476	{CBD0364B-5D54-46db-B9B5-7B63051A18B1}.exe	36
PID 2476 wrote to memory of 1716	2476	{CBD0364B-5D54-46db-B9B5-7B63051A18B1}.exe	36
PID 2476 wrote to memory of 1716	2476	{CBD0364B-5D54-46db-B9B5-7B63051A18B1}.exe	36
PID 2476 wrote to memory of 1716	2476	{CBD0364B-5D54-46db-B9B5-7B63051A18B1}.exe	36
PID 2476 wrote to memory of 2276	2476	{CBD0364B-5D54-46db-B9B5-7B63051A18B1}.exe	37
PID 2476 wrote to memory of 2276	2476	{CBD0364B-5D54-46db-B9B5-7B63051A18B1}.exe	37
PID 2476 wrote to memory of 2276	2476	{CBD0364B-5D54-46db-B9B5-7B63051A18B1}.exe	37
PID 2476 wrote to memory of 2276	2476	{CBD0364B-5D54-46db-B9B5-7B63051A18B1}.exe	37
PID 1716 wrote to memory of 2364	1716	{DC22A142-0C61-418b-B12A-235F42E96013}.exe	38
PID 1716 wrote to memory of 2364	1716	{DC22A142-0C61-418b-B12A-235F42E96013}.exe	38
PID 1716 wrote to memory of 2364	1716	{DC22A142-0C61-418b-B12A-235F42E96013}.exe	38
PID 1716 wrote to memory of 2364	1716	{DC22A142-0C61-418b-B12A-235F42E96013}.exe	38
PID 1716 wrote to memory of 2624	1716	{DC22A142-0C61-418b-B12A-235F42E96013}.exe	39
PID 1716 wrote to memory of 2624	1716	{DC22A142-0C61-418b-B12A-235F42E96013}.exe	39
PID 1716 wrote to memory of 2624	1716	{DC22A142-0C61-418b-B12A-235F42E96013}.exe	39
PID 1716 wrote to memory of 2624	1716	{DC22A142-0C61-418b-B12A-235F42E96013}.exe	39
PID 2364 wrote to memory of 1512	2364	{DB0E8E29-EC48-44e9-A748-71A881A3F409}.exe	40
PID 2364 wrote to memory of 1512	2364	{DB0E8E29-EC48-44e9-A748-71A881A3F409}.exe	40
PID 2364 wrote to memory of 1512	2364	{DB0E8E29-EC48-44e9-A748-71A881A3F409}.exe	40
PID 2364 wrote to memory of 1512	2364	{DB0E8E29-EC48-44e9-A748-71A881A3F409}.exe	40
PID 2364 wrote to memory of 1608	2364	{DB0E8E29-EC48-44e9-A748-71A881A3F409}.exe	41
PID 2364 wrote to memory of 1608	2364	{DB0E8E29-EC48-44e9-A748-71A881A3F409}.exe	41
PID 2364 wrote to memory of 1608	2364	{DB0E8E29-EC48-44e9-A748-71A881A3F409}.exe	41
PID 2364 wrote to memory of 1608	2364	{DB0E8E29-EC48-44e9-A748-71A881A3F409}.exe	41
PID 1512 wrote to memory of 2176	1512	{12B64F03-2B5A-40a2-9544-0BDC4EA33DD9}.exe	42
PID 1512 wrote to memory of 2176	1512	{12B64F03-2B5A-40a2-9544-0BDC4EA33DD9}.exe	42
PID 1512 wrote to memory of 2176	1512	{12B64F03-2B5A-40a2-9544-0BDC4EA33DD9}.exe	42
PID 1512 wrote to memory of 2176	1512	{12B64F03-2B5A-40a2-9544-0BDC4EA33DD9}.exe	42
PID 1512 wrote to memory of 2272	1512	{12B64F03-2B5A-40a2-9544-0BDC4EA33DD9}.exe	43
PID 1512 wrote to memory of 2272	1512	{12B64F03-2B5A-40a2-9544-0BDC4EA33DD9}.exe	43
PID 1512 wrote to memory of 2272	1512	{12B64F03-2B5A-40a2-9544-0BDC4EA33DD9}.exe	43
PID 1512 wrote to memory of 2272	1512	{12B64F03-2B5A-40a2-9544-0BDC4EA33DD9}.exe	43
PID 2176 wrote to memory of 2024	2176	{FA462751-1366-4e8d-B517-AB508EBB4C2B}.exe	44
PID 2176 wrote to memory of 2024	2176	{FA462751-1366-4e8d-B517-AB508EBB4C2B}.exe	44
PID 2176 wrote to memory of 2024	2176	{FA462751-1366-4e8d-B517-AB508EBB4C2B}.exe	44
PID 2176 wrote to memory of 2024	2176	{FA462751-1366-4e8d-B517-AB508EBB4C2B}.exe	44
PID 2176 wrote to memory of 1228	2176	{FA462751-1366-4e8d-B517-AB508EBB4C2B}.exe	45
PID 2176 wrote to memory of 1228	2176	{FA462751-1366-4e8d-B517-AB508EBB4C2B}.exe	45
PID 2176 wrote to memory of 1228	2176	{FA462751-1366-4e8d-B517-AB508EBB4C2B}.exe	45
PID 2176 wrote to memory of 1228	2176	{FA462751-1366-4e8d-B517-AB508EBB4C2B}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-04-22_f857b71631b9feb9f4369aee82c24d0b_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-22_f857b71631b9feb9f4369aee82c24d0b_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1900
- C:\Windows\{341F84AA-4BAA-472c-A7CF-B2EB5FD92D6A}.exe
  C:\Windows\{341F84AA-4BAA-472c-A7CF-B2EB5FD92D6A}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2572
- - C:\Windows\{8A92C268-B7CD-4bda-B4A4-3663600B8A62}.exe
    C:\Windows\{8A92C268-B7CD-4bda-B4A4-3663600B8A62}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2492
  - - C:\Windows\{CBD0364B-5D54-46db-B9B5-7B63051A18B1}.exe
      C:\Windows\{CBD0364B-5D54-46db-B9B5-7B63051A18B1}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2476
    - - C:\Windows\{DC22A142-0C61-418b-B12A-235F42E96013}.exe
        
        C:\Windows\{DC22A142-0C61-418b-B12A-235F42E96013}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1716
      - C:\Windows\{DB0E8E29-EC48-44e9-A748-71A881A3F409}.exe
        
        C:\Windows\{DB0E8E29-EC48-44e9-A748-71A881A3F409}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2364
        
        C:\Windows\{12B64F03-2B5A-40a2-9544-0BDC4EA33DD9}.exe
        
        C:\Windows\{12B64F03-2B5A-40a2-9544-0BDC4EA33DD9}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1512
        
        C:\Windows\{FA462751-1366-4e8d-B517-AB508EBB4C2B}.exe
        
        C:\Windows\{FA462751-1366-4e8d-B517-AB508EBB4C2B}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2176
        
        C:\Windows\{6842D1D9-2CCB-4dea-9A0B-F16FB79FFA30}.exe
        
        C:\Windows\{6842D1D9-2CCB-4dea-9A0B-F16FB79FFA30}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2024
        
        C:\Windows\{4FE04E94-B496-4d7b-80FE-719BA246872B}.exe
        
        C:\Windows\{4FE04E94-B496-4d7b-80FE-719BA246872B}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2872
        
        C:\Windows\{7E48338D-99F1-4d92-BBCB-F77FF89FB13C}.exe
        
        C:\Windows\{7E48338D-99F1-4d92-BBCB-F77FF89FB13C}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2120
        
        C:\Windows\{C7B35A98-4A2B-4456-ACC4-CE11575D5001}.exe
        
        C:\Windows\{C7B35A98-4A2B-4456-ACC4-CE11575D5001}.exe
        12⤵
        Executes dropped EXE
        
        PID:1572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7E483~1.EXE > nul
        12⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4FE04~1.EXE > nul
        11⤵
        
        PID:484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6842D~1.EXE > nul
        10⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FA462~1.EXE > nul
        9⤵
        
        PID:1228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{12B64~1.EXE > nul
        8⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DB0E8~1.EXE > nul
        7⤵
        
        PID:1608
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DC22A~1.EXE > nul
        6⤵
        
        PID:2624
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CBD03~1.EXE > nul
        5⤵
        
        PID:2276
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{8A92C~1.EXE > nul
      4⤵
      PID:2548
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{341F8~1.EXE > nul
    3⤵
    PID:2656
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{12B64F03-2B5A-40a2-9544-0BDC4EA33DD9}.exe

Filesize
380KB

MD5
5650817c812495a44e60b80c41fd5f5b

SHA1
fa7766a6df022f22e4ccd234335335e3db0144b9

SHA256
a9f692f99b222a3d17ac2c0e629dba3ce75c28a3b930ca30ba02c46d136aafd1

SHA512
46f099e989cd21c24c049646546609a241bcdf16432bc280af877e6f0a94d3246165bc93cb073405d56314b078e6ec0005dec9096bb395f06487c9ee0515387c

Download Submit
C:\Windows\{341F84AA-4BAA-472c-A7CF-B2EB5FD92D6A}.exe

Filesize
380KB

MD5
84613c5a1ef453d531c6a5fcf12cdf8c

SHA1
af2d9f9b3d0bbb55c280c99bdc4ec3a3da57bedd

SHA256
4a51a8099e39e88960368d89ae0b1fbe2a3d562f48ed5e7cd86b0f814ef7e6bc

SHA512
9e0fad21dfd3ab8b8c567c297b4592cf1826189a49955e487a82f95fd852e7a6596b857b47b9de62674c44b593bd97f82602cdc80e045008d8851645f1de88d2

Download Submit
C:\Windows\{4FE04E94-B496-4d7b-80FE-719BA246872B}.exe

Filesize
380KB

MD5
952ff756a667c60c9052d283fb61fd6c

SHA1
0aa724ddcfa0d70afe854cc2f1646fdd5bf5e878

SHA256
71fad2ce9c4a34dcb659060373a050c9e0f2951e3bac602419ec9ddfca1604ca

SHA512
a43c64f31de40cd1e9c98b8560ef5195a740e89ff7ae16a3de57d7456b240f96092456163d3ad42e05eb684897a9f114175bccc975ee3b3f4ffa9e84e243f1c7

Download Submit
C:\Windows\{6842D1D9-2CCB-4dea-9A0B-F16FB79FFA30}.exe

Filesize
380KB

MD5
7a2d2ad1537781f923da92d2e4ed1b19

SHA1
c9993b91686dd38d98bdab1fa3dd6d6bce878eba

SHA256
de02b2ad46f6b225b5bcf64b0493b05394b0c0487ca035db00b1e6bdccc63789

SHA512
61ccb8abaf84cd01d89a1b179ed727602da43075fe2228c1942da96c579a5fd3bc9bed2e14e83b2efbfc0d74e2254f58b58017cdf479a98839fd1f4ebeb847fa

Download Submit
C:\Windows\{7E48338D-99F1-4d92-BBCB-F77FF89FB13C}.exe

Filesize
380KB

MD5
2bba621c6b1825559bee1d18bb594159

SHA1
49e4a4fef4d1d27005350df314cbeb274d6a4fea

SHA256
2ac1d71ebc6147ccaaee526fa87afed873e2dc4e4c6033de3a4af853fd1323dc

SHA512
ad971a4ed36885d00f6fca026fe5c05b18f079707d26c1fdf7859c539302e7644cb0b34a31095af8167a9c7480d28f7cbf5713110d1f148f6e1a56547732cadc

Download Submit
C:\Windows\{8A92C268-B7CD-4bda-B4A4-3663600B8A62}.exe

Filesize
380KB

MD5
6a014449a4ea52dca8db9a164448c84a

SHA1
2e518a06d4f3ca86ae08f81858d2599c1bb70674

SHA256
e6e3c7efd5f1f6558858988882821371559b9b1aad16a1640134c7daba49162a

SHA512
f6fe64d877a2f413773a00d4c9a182b50dea73c9aa8d32650089f22377bf51e7d5f9663680c2d81c46d688e78471bcc9a033ad03d3cf768ddd72628bb4c98943

Download Submit
C:\Windows\{C7B35A98-4A2B-4456-ACC4-CE11575D5001}.exe

Filesize
380KB

MD5
dd0b9fb1f3e595b21f315bcab9b1a72b

SHA1
6b7aa96b6c80209606b1192effbe19d53f7640cb

SHA256
9dbb1ec4eace9fbeeb534023998a114405fd3e63afbe81a2bdb6cfdfde01e295

SHA512
2d4c9ae62fe4c3011755103a5873b302d838a5ee626a7dabf73483b9f3ff589cd2a37e0f7265fc1f0cb9b3caa7385e7daeee630a3e2876a2655fce2b0afa077f

Download Submit
C:\Windows\{CBD0364B-5D54-46db-B9B5-7B63051A18B1}.exe

Filesize
380KB

MD5
2369a95451632c733da31c831a5ce15b

SHA1
d698e5a4e283360244afad22d9bcf71333acaa05

SHA256
f4ff5200863129f2d5eb98ff1d6e3c2bf87a3b5a29114a7c31eb2a89852f7f87

SHA512
ca31bae5de065a951605a6526f755741e28526ca8ca786d9e0e8ca949118dcc76bda19096e81f974921c790e640006ae284dd75dba259f938018fcfb9a10236f

Download Submit
C:\Windows\{DB0E8E29-EC48-44e9-A748-71A881A3F409}.exe

Filesize
380KB

MD5
ccf55a6f817b3fdff102e170c9140bf6

SHA1
8fc4f038e2b0a57b13382b5ee8f85981359adf4e

SHA256
2419eb9771497a343f6db15b4df202f84973d36692347b8cb7c35b467d9b1c45

SHA512
2aa491d235f6b9796a0f53e57019012c180326c2fc1017f81f87d8cfed64814755a06bdabdd3a6e8af91d058ab5cb331e684319b730d6d225e43fe52bf7ef425

Download Submit
C:\Windows\{DC22A142-0C61-418b-B12A-235F42E96013}.exe

Filesize
380KB

MD5
ea211cd7ba99c2908255ba44dba5b1a1

SHA1
12cce21ec4c6c76dbe2da37d65dd4470c5d19a60

SHA256
7a839bf2f71257f004a6c45ac5e7aa2a2439d0b5b7dd36bdfcfeaf921d8378bd

SHA512
43dae262d8f61a30556a649ddb665bf59734863aa4cc19d65bc5e2172837a582cc4ad33e0630895b6dd8ffba93af31629216cb8eded2874453b3b8a7d7a479e5

Download Submit
C:\Windows\{FA462751-1366-4e8d-B517-AB508EBB4C2B}.exe

Filesize
380KB

MD5
ab010ca25a9d9fc12e45b8013cdbbb1a

SHA1
f5a92bf45bab1676e0077363026cc5a5009108e7

SHA256
68d824961666e41b2aa01e9aec985040d2f2c573631aae0316ddfadf7b5d8a10

SHA512
32c344cf369acdd5f1fbb92bd52ee4bc775233dba57054c048d5131a2afe4bbc41336435e865544c751a00dc175cb3d63ba9f83601d3326cf9b068740d5354b8

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads