3816a0da3247a74108b8dddd209aef54d5ee4ca5417360c6ee1a63f1a964de09

Analysis

max time kernel
138s
max time network
125s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
22/04/2024, 12:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-22_76e710fd6812c7274cdaca384023bd20_goldeneye.exe
Size

372KB
MD5

76e710fd6812c7274cdaca384023bd20
SHA1

613c2b0fd77b75e957d5b2e46951890f0cd5428a
SHA256

3816a0da3247a74108b8dddd209aef54d5ee4ca5417360c6ee1a63f1a964de09
SHA512

fcf8a7de39607f08bd5135fddb8a1e38d051d11c9a9fbbd1da1adee4b9ea40978b84ef7f7d9e12c9beff3767d6409dad8304cf7e7a2451a0be0a63318baa0407
SSDEEP

3072:CEGh0orlMOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBfM:CEG9lkOe2MUVg3vTeKcAEciTBqr3

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000e000000014698-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002a000000014b6d-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f00000000f680-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002b000000014b6d-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001000000000f680-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002c000000014b6d-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001100000000f680-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002d000000014b6d-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001200000000f680-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002e000000014b6d-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001300000000f680-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{361635AC-A7CE-45dd-93A4-EBA401228F45}	{35216BAC-3FB0-45e5-AC5D-774A7FCB7C91}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{59C96492-EC96-417f-8166-7A7E7E43315E}\stubpath = "C:\\Windows\\{59C96492-EC96-417f-8166-7A7E7E43315E}.exe"	{361635AC-A7CE-45dd-93A4-EBA401228F45}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3CF7DC6B-C55C-4486-8D10-E2D115ECFBCD}\stubpath = "C:\\Windows\\{3CF7DC6B-C55C-4486-8D10-E2D115ECFBCD}.exe"	{B13A923B-E39B-42df-A278-165187A47689}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AFC800F3-3822-4650-8ED1-6ED9E452D498}\stubpath = "C:\\Windows\\{AFC800F3-3822-4650-8ED1-6ED9E452D498}.exe"	{3CF7DC6B-C55C-4486-8D10-E2D115ECFBCD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{35216BAC-3FB0-45e5-AC5D-774A7FCB7C91}	{6B667772-BFEB-4764-BA8A-156E47CB0B82}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1A4F333B-492D-4c4e-AF2D-51E75076BEE4}	{8B7EEBD7-63D2-49bc-B2C9-5427B0738410}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6B667772-BFEB-4764-BA8A-156E47CB0B82}	{1A4F333B-492D-4c4e-AF2D-51E75076BEE4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{59C96492-EC96-417f-8166-7A7E7E43315E}	{361635AC-A7CE-45dd-93A4-EBA401228F45}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9814E4AD-3FC7-445c-98F5-6247C6F80E2D}\stubpath = "C:\\Windows\\{9814E4AD-3FC7-445c-98F5-6247C6F80E2D}.exe"	{59C96492-EC96-417f-8166-7A7E7E43315E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8B7EEBD7-63D2-49bc-B2C9-5427B0738410}\stubpath = "C:\\Windows\\{8B7EEBD7-63D2-49bc-B2C9-5427B0738410}.exe"	{CA0E9B0B-BCD1-4858-B481-674C5D6946CD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8B7EEBD7-63D2-49bc-B2C9-5427B0738410}	{CA0E9B0B-BCD1-4858-B481-674C5D6946CD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6B667772-BFEB-4764-BA8A-156E47CB0B82}\stubpath = "C:\\Windows\\{6B667772-BFEB-4764-BA8A-156E47CB0B82}.exe"	{1A4F333B-492D-4c4e-AF2D-51E75076BEE4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9814E4AD-3FC7-445c-98F5-6247C6F80E2D}	{59C96492-EC96-417f-8166-7A7E7E43315E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3CF7DC6B-C55C-4486-8D10-E2D115ECFBCD}	{B13A923B-E39B-42df-A278-165187A47689}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CA0E9B0B-BCD1-4858-B481-674C5D6946CD}	2024-04-22_76e710fd6812c7274cdaca384023bd20_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1A4F333B-492D-4c4e-AF2D-51E75076BEE4}\stubpath = "C:\\Windows\\{1A4F333B-492D-4c4e-AF2D-51E75076BEE4}.exe"	{8B7EEBD7-63D2-49bc-B2C9-5427B0738410}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{35216BAC-3FB0-45e5-AC5D-774A7FCB7C91}\stubpath = "C:\\Windows\\{35216BAC-3FB0-45e5-AC5D-774A7FCB7C91}.exe"	{6B667772-BFEB-4764-BA8A-156E47CB0B82}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{361635AC-A7CE-45dd-93A4-EBA401228F45}\stubpath = "C:\\Windows\\{361635AC-A7CE-45dd-93A4-EBA401228F45}.exe"	{35216BAC-3FB0-45e5-AC5D-774A7FCB7C91}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B13A923B-E39B-42df-A278-165187A47689}	{9814E4AD-3FC7-445c-98F5-6247C6F80E2D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B13A923B-E39B-42df-A278-165187A47689}\stubpath = "C:\\Windows\\{B13A923B-E39B-42df-A278-165187A47689}.exe"	{9814E4AD-3FC7-445c-98F5-6247C6F80E2D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AFC800F3-3822-4650-8ED1-6ED9E452D498}	{3CF7DC6B-C55C-4486-8D10-E2D115ECFBCD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CA0E9B0B-BCD1-4858-B481-674C5D6946CD}\stubpath = "C:\\Windows\\{CA0E9B0B-BCD1-4858-B481-674C5D6946CD}.exe"	2024-04-22_76e710fd6812c7274cdaca384023bd20_goldeneye.exe

Deletes itself 1 IoCs

pid	Process
2640	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2908	{CA0E9B0B-BCD1-4858-B481-674C5D6946CD}.exe
2420	{8B7EEBD7-63D2-49bc-B2C9-5427B0738410}.exe
2876	{1A4F333B-492D-4c4e-AF2D-51E75076BEE4}.exe
2392	{6B667772-BFEB-4764-BA8A-156E47CB0B82}.exe
1208	{35216BAC-3FB0-45e5-AC5D-774A7FCB7C91}.exe
2452	{361635AC-A7CE-45dd-93A4-EBA401228F45}.exe
2012	{59C96492-EC96-417f-8166-7A7E7E43315E}.exe
1712	{9814E4AD-3FC7-445c-98F5-6247C6F80E2D}.exe
2072	{B13A923B-E39B-42df-A278-165187A47689}.exe
1836	{3CF7DC6B-C55C-4486-8D10-E2D115ECFBCD}.exe
2188	{AFC800F3-3822-4650-8ED1-6ED9E452D498}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{6B667772-BFEB-4764-BA8A-156E47CB0B82}.exe	{1A4F333B-492D-4c4e-AF2D-51E75076BEE4}.exe
File created	C:\Windows\{361635AC-A7CE-45dd-93A4-EBA401228F45}.exe	{35216BAC-3FB0-45e5-AC5D-774A7FCB7C91}.exe
File created	C:\Windows\{CA0E9B0B-BCD1-4858-B481-674C5D6946CD}.exe	2024-04-22_76e710fd6812c7274cdaca384023bd20_goldeneye.exe
File created	C:\Windows\{1A4F333B-492D-4c4e-AF2D-51E75076BEE4}.exe	{8B7EEBD7-63D2-49bc-B2C9-5427B0738410}.exe
File created	C:\Windows\{59C96492-EC96-417f-8166-7A7E7E43315E}.exe	{361635AC-A7CE-45dd-93A4-EBA401228F45}.exe
File created	C:\Windows\{9814E4AD-3FC7-445c-98F5-6247C6F80E2D}.exe	{59C96492-EC96-417f-8166-7A7E7E43315E}.exe
File created	C:\Windows\{B13A923B-E39B-42df-A278-165187A47689}.exe	{9814E4AD-3FC7-445c-98F5-6247C6F80E2D}.exe
File created	C:\Windows\{3CF7DC6B-C55C-4486-8D10-E2D115ECFBCD}.exe	{B13A923B-E39B-42df-A278-165187A47689}.exe
File created	C:\Windows\{AFC800F3-3822-4650-8ED1-6ED9E452D498}.exe	{3CF7DC6B-C55C-4486-8D10-E2D115ECFBCD}.exe
File created	C:\Windows\{8B7EEBD7-63D2-49bc-B2C9-5427B0738410}.exe	{CA0E9B0B-BCD1-4858-B481-674C5D6946CD}.exe
File created	C:\Windows\{35216BAC-3FB0-45e5-AC5D-774A7FCB7C91}.exe	{6B667772-BFEB-4764-BA8A-156E47CB0B82}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2656	2024-04-22_76e710fd6812c7274cdaca384023bd20_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2908	{CA0E9B0B-BCD1-4858-B481-674C5D6946CD}.exe
Token: SeIncBasePriorityPrivilege	2420	{8B7EEBD7-63D2-49bc-B2C9-5427B0738410}.exe
Token: SeIncBasePriorityPrivilege	2876	{1A4F333B-492D-4c4e-AF2D-51E75076BEE4}.exe
Token: SeIncBasePriorityPrivilege	2392	{6B667772-BFEB-4764-BA8A-156E47CB0B82}.exe
Token: SeIncBasePriorityPrivilege	1208	{35216BAC-3FB0-45e5-AC5D-774A7FCB7C91}.exe
Token: SeIncBasePriorityPrivilege	2452	{361635AC-A7CE-45dd-93A4-EBA401228F45}.exe
Token: SeIncBasePriorityPrivilege	2012	{59C96492-EC96-417f-8166-7A7E7E43315E}.exe
Token: SeIncBasePriorityPrivilege	1712	{9814E4AD-3FC7-445c-98F5-6247C6F80E2D}.exe
Token: SeIncBasePriorityPrivilege	2072	{B13A923B-E39B-42df-A278-165187A47689}.exe
Token: SeIncBasePriorityPrivilege	1836	{3CF7DC6B-C55C-4486-8D10-E2D115ECFBCD}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2656 wrote to memory of 2908	2656	2024-04-22_76e710fd6812c7274cdaca384023bd20_goldeneye.exe	28
PID 2656 wrote to memory of 2908	2656	2024-04-22_76e710fd6812c7274cdaca384023bd20_goldeneye.exe	28
PID 2656 wrote to memory of 2908	2656	2024-04-22_76e710fd6812c7274cdaca384023bd20_goldeneye.exe	28
PID 2656 wrote to memory of 2908	2656	2024-04-22_76e710fd6812c7274cdaca384023bd20_goldeneye.exe	28
PID 2656 wrote to memory of 2640	2656	2024-04-22_76e710fd6812c7274cdaca384023bd20_goldeneye.exe	29
PID 2656 wrote to memory of 2640	2656	2024-04-22_76e710fd6812c7274cdaca384023bd20_goldeneye.exe	29
PID 2656 wrote to memory of 2640	2656	2024-04-22_76e710fd6812c7274cdaca384023bd20_goldeneye.exe	29
PID 2656 wrote to memory of 2640	2656	2024-04-22_76e710fd6812c7274cdaca384023bd20_goldeneye.exe	29
PID 2908 wrote to memory of 2420	2908	{CA0E9B0B-BCD1-4858-B481-674C5D6946CD}.exe	30
PID 2908 wrote to memory of 2420	2908	{CA0E9B0B-BCD1-4858-B481-674C5D6946CD}.exe	30
PID 2908 wrote to memory of 2420	2908	{CA0E9B0B-BCD1-4858-B481-674C5D6946CD}.exe	30
PID 2908 wrote to memory of 2420	2908	{CA0E9B0B-BCD1-4858-B481-674C5D6946CD}.exe	30
PID 2908 wrote to memory of 2572	2908	{CA0E9B0B-BCD1-4858-B481-674C5D6946CD}.exe	31
PID 2908 wrote to memory of 2572	2908	{CA0E9B0B-BCD1-4858-B481-674C5D6946CD}.exe	31
PID 2908 wrote to memory of 2572	2908	{CA0E9B0B-BCD1-4858-B481-674C5D6946CD}.exe	31
PID 2908 wrote to memory of 2572	2908	{CA0E9B0B-BCD1-4858-B481-674C5D6946CD}.exe	31
PID 2420 wrote to memory of 2876	2420	{8B7EEBD7-63D2-49bc-B2C9-5427B0738410}.exe	34
PID 2420 wrote to memory of 2876	2420	{8B7EEBD7-63D2-49bc-B2C9-5427B0738410}.exe	34
PID 2420 wrote to memory of 2876	2420	{8B7EEBD7-63D2-49bc-B2C9-5427B0738410}.exe	34
PID 2420 wrote to memory of 2876	2420	{8B7EEBD7-63D2-49bc-B2C9-5427B0738410}.exe	34
PID 2420 wrote to memory of 2848	2420	{8B7EEBD7-63D2-49bc-B2C9-5427B0738410}.exe	35
PID 2420 wrote to memory of 2848	2420	{8B7EEBD7-63D2-49bc-B2C9-5427B0738410}.exe	35
PID 2420 wrote to memory of 2848	2420	{8B7EEBD7-63D2-49bc-B2C9-5427B0738410}.exe	35
PID 2420 wrote to memory of 2848	2420	{8B7EEBD7-63D2-49bc-B2C9-5427B0738410}.exe	35
PID 2876 wrote to memory of 2392	2876	{1A4F333B-492D-4c4e-AF2D-51E75076BEE4}.exe	36
PID 2876 wrote to memory of 2392	2876	{1A4F333B-492D-4c4e-AF2D-51E75076BEE4}.exe	36
PID 2876 wrote to memory of 2392	2876	{1A4F333B-492D-4c4e-AF2D-51E75076BEE4}.exe	36
PID 2876 wrote to memory of 2392	2876	{1A4F333B-492D-4c4e-AF2D-51E75076BEE4}.exe	36
PID 2876 wrote to memory of 1492	2876	{1A4F333B-492D-4c4e-AF2D-51E75076BEE4}.exe	37
PID 2876 wrote to memory of 1492	2876	{1A4F333B-492D-4c4e-AF2D-51E75076BEE4}.exe	37
PID 2876 wrote to memory of 1492	2876	{1A4F333B-492D-4c4e-AF2D-51E75076BEE4}.exe	37
PID 2876 wrote to memory of 1492	2876	{1A4F333B-492D-4c4e-AF2D-51E75076BEE4}.exe	37
PID 2392 wrote to memory of 1208	2392	{6B667772-BFEB-4764-BA8A-156E47CB0B82}.exe	38
PID 2392 wrote to memory of 1208	2392	{6B667772-BFEB-4764-BA8A-156E47CB0B82}.exe	38
PID 2392 wrote to memory of 1208	2392	{6B667772-BFEB-4764-BA8A-156E47CB0B82}.exe	38
PID 2392 wrote to memory of 1208	2392	{6B667772-BFEB-4764-BA8A-156E47CB0B82}.exe	38
PID 2392 wrote to memory of 1120	2392	{6B667772-BFEB-4764-BA8A-156E47CB0B82}.exe	39
PID 2392 wrote to memory of 1120	2392	{6B667772-BFEB-4764-BA8A-156E47CB0B82}.exe	39
PID 2392 wrote to memory of 1120	2392	{6B667772-BFEB-4764-BA8A-156E47CB0B82}.exe	39
PID 2392 wrote to memory of 1120	2392	{6B667772-BFEB-4764-BA8A-156E47CB0B82}.exe	39
PID 1208 wrote to memory of 2452	1208	{35216BAC-3FB0-45e5-AC5D-774A7FCB7C91}.exe	40
PID 1208 wrote to memory of 2452	1208	{35216BAC-3FB0-45e5-AC5D-774A7FCB7C91}.exe	40
PID 1208 wrote to memory of 2452	1208	{35216BAC-3FB0-45e5-AC5D-774A7FCB7C91}.exe	40
PID 1208 wrote to memory of 2452	1208	{35216BAC-3FB0-45e5-AC5D-774A7FCB7C91}.exe	40
PID 1208 wrote to memory of 808	1208	{35216BAC-3FB0-45e5-AC5D-774A7FCB7C91}.exe	41
PID 1208 wrote to memory of 808	1208	{35216BAC-3FB0-45e5-AC5D-774A7FCB7C91}.exe	41
PID 1208 wrote to memory of 808	1208	{35216BAC-3FB0-45e5-AC5D-774A7FCB7C91}.exe	41
PID 1208 wrote to memory of 808	1208	{35216BAC-3FB0-45e5-AC5D-774A7FCB7C91}.exe	41
PID 2452 wrote to memory of 2012	2452	{361635AC-A7CE-45dd-93A4-EBA401228F45}.exe	42
PID 2452 wrote to memory of 2012	2452	{361635AC-A7CE-45dd-93A4-EBA401228F45}.exe	42
PID 2452 wrote to memory of 2012	2452	{361635AC-A7CE-45dd-93A4-EBA401228F45}.exe	42
PID 2452 wrote to memory of 2012	2452	{361635AC-A7CE-45dd-93A4-EBA401228F45}.exe	42
PID 2452 wrote to memory of 1236	2452	{361635AC-A7CE-45dd-93A4-EBA401228F45}.exe	43
PID 2452 wrote to memory of 1236	2452	{361635AC-A7CE-45dd-93A4-EBA401228F45}.exe	43
PID 2452 wrote to memory of 1236	2452	{361635AC-A7CE-45dd-93A4-EBA401228F45}.exe	43
PID 2452 wrote to memory of 1236	2452	{361635AC-A7CE-45dd-93A4-EBA401228F45}.exe	43
PID 2012 wrote to memory of 1712	2012	{59C96492-EC96-417f-8166-7A7E7E43315E}.exe	44
PID 2012 wrote to memory of 1712	2012	{59C96492-EC96-417f-8166-7A7E7E43315E}.exe	44
PID 2012 wrote to memory of 1712	2012	{59C96492-EC96-417f-8166-7A7E7E43315E}.exe	44
PID 2012 wrote to memory of 1712	2012	{59C96492-EC96-417f-8166-7A7E7E43315E}.exe	44
PID 2012 wrote to memory of 2472	2012	{59C96492-EC96-417f-8166-7A7E7E43315E}.exe	45
PID 2012 wrote to memory of 2472	2012	{59C96492-EC96-417f-8166-7A7E7E43315E}.exe	45
PID 2012 wrote to memory of 2472	2012	{59C96492-EC96-417f-8166-7A7E7E43315E}.exe	45
PID 2012 wrote to memory of 2472	2012	{59C96492-EC96-417f-8166-7A7E7E43315E}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-04-22_76e710fd6812c7274cdaca384023bd20_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-22_76e710fd6812c7274cdaca384023bd20_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2656
- C:\Windows\{CA0E9B0B-BCD1-4858-B481-674C5D6946CD}.exe
  C:\Windows\{CA0E9B0B-BCD1-4858-B481-674C5D6946CD}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2908
- - C:\Windows\{8B7EEBD7-63D2-49bc-B2C9-5427B0738410}.exe
    C:\Windows\{8B7EEBD7-63D2-49bc-B2C9-5427B0738410}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2420
  - - C:\Windows\{1A4F333B-492D-4c4e-AF2D-51E75076BEE4}.exe
      C:\Windows\{1A4F333B-492D-4c4e-AF2D-51E75076BEE4}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2876
    - - C:\Windows\{6B667772-BFEB-4764-BA8A-156E47CB0B82}.exe
        
        C:\Windows\{6B667772-BFEB-4764-BA8A-156E47CB0B82}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2392
      - C:\Windows\{35216BAC-3FB0-45e5-AC5D-774A7FCB7C91}.exe
        
        C:\Windows\{35216BAC-3FB0-45e5-AC5D-774A7FCB7C91}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1208
        
        C:\Windows\{361635AC-A7CE-45dd-93A4-EBA401228F45}.exe
        
        C:\Windows\{361635AC-A7CE-45dd-93A4-EBA401228F45}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2452
        
        C:\Windows\{59C96492-EC96-417f-8166-7A7E7E43315E}.exe
        
        C:\Windows\{59C96492-EC96-417f-8166-7A7E7E43315E}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2012
        
        C:\Windows\{9814E4AD-3FC7-445c-98F5-6247C6F80E2D}.exe
        
        C:\Windows\{9814E4AD-3FC7-445c-98F5-6247C6F80E2D}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1712
        
        C:\Windows\{B13A923B-E39B-42df-A278-165187A47689}.exe
        
        C:\Windows\{B13A923B-E39B-42df-A278-165187A47689}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2072
        
        C:\Windows\{3CF7DC6B-C55C-4486-8D10-E2D115ECFBCD}.exe
        
        C:\Windows\{3CF7DC6B-C55C-4486-8D10-E2D115ECFBCD}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1836
        
        C:\Windows\{AFC800F3-3822-4650-8ED1-6ED9E452D498}.exe
        
        C:\Windows\{AFC800F3-3822-4650-8ED1-6ED9E452D498}.exe
        12⤵
        Executes dropped EXE
        
        PID:2188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3CF7D~1.EXE > nul
        12⤵
        
        PID:1268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B13A9~1.EXE > nul
        11⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9814E~1.EXE > nul
        10⤵
        
        PID:1768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{59C96~1.EXE > nul
        9⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{36163~1.EXE > nul
        8⤵
        
        PID:1236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{35216~1.EXE > nul
        7⤵
        
        PID:808
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6B667~1.EXE > nul
        6⤵
        
        PID:1120
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1A4F3~1.EXE > nul
        5⤵
        
        PID:1492
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{8B7EE~1.EXE > nul
      4⤵
      PID:2848
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{CA0E9~1.EXE > nul
    3⤵
    PID:2572
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1A4F333B-492D-4c4e-AF2D-51E75076BEE4}.exe

Filesize
372KB

MD5
c54331495cdae8f0b75ece52be928522

SHA1
499e17cd91aba5fd9b73fc94ad6f8100aaa776da

SHA256
8fa9f7915c2d9e16bba036309a764e5ad8096400d066fc63bed16e9b038157ce

SHA512
aa45950b9ebaec1a51150eef1881c4c0ceed261b3f7dd7fd6d1ab2622f84a94304dac77bc486c4e62ed60787265ab49396eaeef793c4a65c5ce79ffe1b669d09

Download Submit
C:\Windows\{35216BAC-3FB0-45e5-AC5D-774A7FCB7C91}.exe

Filesize
372KB

MD5
c2c497ae31daa5fb92e9e188a1eb66ce

SHA1
f38beb8dbad9e14418f20425df617daf79d3e77a

SHA256
440249a146fa458b09ebecf11a063b5db630e24464dee791545d7ea76930feb1

SHA512
b3df377dc0b91ea9d8110808e1c5833ba5f9d60641658964aef2deb55f7fc1106a7ae7ea07d24629252301903856bc7c045a68946d5fe9e5a7264eb4c904d9f4

Download Submit
C:\Windows\{361635AC-A7CE-45dd-93A4-EBA401228F45}.exe

Filesize
372KB

MD5
1c694fc95c6729e75d23b842a550fc94

SHA1
4780337dfc41d2c3256a28ea4fd57cdba3e88cfb

SHA256
cd1e3b212118312bb72355c39c40e1a208b133c530846ddc330c4ebd6a34feba

SHA512
a6920b889896d95000eaf62d81fffb18cc444daa51bc5567cdce7eb999f1103f6ac6190b17153b9b4b608e181afa883476607a933cef8ac33c43fd63e9e6378e

Download Submit
C:\Windows\{3CF7DC6B-C55C-4486-8D10-E2D115ECFBCD}.exe

Filesize
372KB

MD5
4569a160e427fe80a9ac265122baf6c9

SHA1
94f4db2fec614d800e7190dc9a3f5b9791350292

SHA256
02f84ffeee4d98ae78d8f0b64aebc38fbc37b74506cbd121702acdada9183a39

SHA512
ddda61c67e9ffc5d5fe030b6737cddf353186c2a15333e3d55ff1a330ecb2fd3ed698c3e224399a3c58df1c7a7a8c0501cf26f6f6ae064740840f539c17cef79

Download Submit
C:\Windows\{59C96492-EC96-417f-8166-7A7E7E43315E}.exe

Filesize
372KB

MD5
fd19455f04ee68cc95d22e414163a087

SHA1
3133e44d51ef6292ca1be1c922ea2120586f1f5d

SHA256
9bfd4986dd4c74ef638be7f33139637837c30f9f269842d9d4bf72b424e72d29

SHA512
ccfc519b3ec1d475e2aad1501ed22e9a790bae2162a3c75eb92567f8dd3bc1a9b3232c4e807930b275685ca4769731f4518a715cb080ae27ee47430fb4df0159

Download Submit
C:\Windows\{6B667772-BFEB-4764-BA8A-156E47CB0B82}.exe

Filesize
372KB

MD5
58fac4af3f83c58fe929648a17a0ae6d

SHA1
dd58229e2a2e41a8c52c6b818896c5135cabc2e0

SHA256
72d9e5600c7507a6c85261ca76dc02a08aa101b08f8b95cf3ff51dafbfd179ba

SHA512
f6e4c2995080aedc0d77a325f28c379b163a326e81d74cbc3d091bf7a16a6588424b597ea82776df4081dfdd1ee3a5fcf26101a56e62321368c7fae0cc31c58f

Download Submit
C:\Windows\{8B7EEBD7-63D2-49bc-B2C9-5427B0738410}.exe

Filesize
372KB

MD5
2aecf7ca6e04d44011ae2c4a29e85ad5

SHA1
bffaa8a1bd782aa54b3035bab33a8fe3437f8e2a

SHA256
25847bbba3365b31e9b92534e8a81eeeb3f184afbe465b041ff2fe5dfce7ca23

SHA512
a0d98b79b5a48f3c21027e00f8be6102ae97815add6a3b092257e517c12492133ef757c1fc9d10af7a0148ecb123b2ddcf2f32fe16bc46cc8d4ce141196ffae0

Download Submit
C:\Windows\{9814E4AD-3FC7-445c-98F5-6247C6F80E2D}.exe

Filesize
372KB

MD5
c4ea7f905dde35938e713e82504f2aeb

SHA1
821ca00fa63bc72144fda44aadd82cd54be5d692

SHA256
196ec3d61f4ca4f639e251b86c961bfe4c3e4c94b36c53e4a5f0659eaae86ebb

SHA512
288a83ed8bd3c61fd3c3e6ef5313d9756a04490e781bf894b517ef31f739248878f6c5bf70043ffd84b87e06325c26318a2e36b82302a75770112c637920fb3c

Download Submit
C:\Windows\{AFC800F3-3822-4650-8ED1-6ED9E452D498}.exe

Filesize
372KB

MD5
61fb6291892a52dd13ec17fbdf267d76

SHA1
e0fbcddeca6b4f526d57514c9606dbe6113ca58f

SHA256
414bbad59524757503432a60878ce1cc3e7923bee269c2a1ad3eaeb145fed553

SHA512
861eb9f64608a772fec405a2d5ababa50b0fa88f5fe5858f33832108246c9385617d4dee0f3d98ceb0e57744ae07bfed0b032b84aec8c9938f6a8609b051f236

Download Submit
C:\Windows\{B13A923B-E39B-42df-A278-165187A47689}.exe

Filesize
372KB

MD5
64fc3b9a4aa0492569e693b909de2566

SHA1
1e0eadbd249ed0ccbec6f40b97a5a5ac257fc76a

SHA256
b335b8019d6f986005c5c09c4e710435aae8230f2cea4e8cdd5a841e27580df3

SHA512
f0d1c12439d76bac43edc9726c7c5baa60bc2049afbe1e7e54c272df2158a0a6f87ea33a3cb341f75ea7d4ad8da3be9dace03382918765ae70d057f3fcc2d60d

Download Submit
C:\Windows\{CA0E9B0B-BCD1-4858-B481-674C5D6946CD}.exe

Filesize
372KB

MD5
34674c3cd7e4aaa27e278b0f5a0622c4

SHA1
741ac04bc63837cf05522b36cc46685a5d0edf81

SHA256
8ad21e44286eccadc7d5c3655317ba72614b9773fcd1b516dd13bbbe8bd20d18

SHA512
8e5ce9c7e0f7a2d2d26baaef059f0156694a2476c3d28aeeb7137aadd7e41ef0e24b42deff619258e3fb1ab53f54a571de362ac9ee6424fa181418e15c4f4284

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads