891cdde43c0c4b82875619b489d4f3d0d651e2e7eb4ce84b5b2d18a84f01b44a

Analysis

max time kernel
144s
max time network
119s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
24-04-2024 02:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-24_2f272fd2dc390c98ca486f538acdb11c_goldeneye.exe
Size

204KB
MD5

2f272fd2dc390c98ca486f538acdb11c
SHA1

728dfe6d62efd1301b8d8bc79d10fa91ebcae618
SHA256

891cdde43c0c4b82875619b489d4f3d0d651e2e7eb4ce84b5b2d18a84f01b44a
SHA512

623639833146a8250c9daa92134748182dcc4faf25e4590afa4269435143e650df589557729aa79f929579bd47c5526a6e44a815f5d98e6e6d404d7d29921aa2
SSDEEP

1536:1EGh0ozl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0ozl1OPOe2MUVg3Ve+rXfMUy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000b0000000126ab-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b000000015605-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c0000000126ab-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000015c78-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000005a59-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d0000000126ab-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000005a59-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e0000000126ab-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000005a59-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f0000000126ab-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000005a59-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C3C4FB13-991C-424e-BB36-A44D8F42FB93}	{A2AB0004-D834-41ed-B47D-2CC847F11E42}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A6D62D74-2602-4443-8433-C1052880850A}\stubpath = "C:\\Windows\\{A6D62D74-2602-4443-8433-C1052880850A}.exe"	{C3C4FB13-991C-424e-BB36-A44D8F42FB93}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{04DE4AC4-AFC9-4b08-82CA-3CD23A3E293C}	{4EB5FD50-7F47-4ef0-8D50-E642D1784540}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{05CBE5D8-C454-443d-BC0F-DB6753640D32}\stubpath = "C:\\Windows\\{05CBE5D8-C454-443d-BC0F-DB6753640D32}.exe"	{2C4471C6-50E8-408f-A1C5-B6B645F95D94}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DF8DB3AF-1EF3-4bd8-9C11-7A3CBC2C2076}	{05CBE5D8-C454-443d-BC0F-DB6753640D32}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6D4A314E-8522-46a5-9721-94D72EA13AA5}	2024-04-24_2f272fd2dc390c98ca486f538acdb11c_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6ACECF17-21A9-4e21-840F-7E1F4A98F9E1}	{A6D62D74-2602-4443-8433-C1052880850A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6ACECF17-21A9-4e21-840F-7E1F4A98F9E1}\stubpath = "C:\\Windows\\{6ACECF17-21A9-4e21-840F-7E1F4A98F9E1}.exe"	{A6D62D74-2602-4443-8433-C1052880850A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4EB5FD50-7F47-4ef0-8D50-E642D1784540}	{6ACECF17-21A9-4e21-840F-7E1F4A98F9E1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AED3BC47-E288-43ec-AE57-85A7B3944AAC}\stubpath = "C:\\Windows\\{AED3BC47-E288-43ec-AE57-85A7B3944AAC}.exe"	{DF8DB3AF-1EF3-4bd8-9C11-7A3CBC2C2076}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6D4A314E-8522-46a5-9721-94D72EA13AA5}\stubpath = "C:\\Windows\\{6D4A314E-8522-46a5-9721-94D72EA13AA5}.exe"	2024-04-24_2f272fd2dc390c98ca486f538acdb11c_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{04DE4AC4-AFC9-4b08-82CA-3CD23A3E293C}\stubpath = "C:\\Windows\\{04DE4AC4-AFC9-4b08-82CA-3CD23A3E293C}.exe"	{4EB5FD50-7F47-4ef0-8D50-E642D1784540}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{05CBE5D8-C454-443d-BC0F-DB6753640D32}	{2C4471C6-50E8-408f-A1C5-B6B645F95D94}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DF8DB3AF-1EF3-4bd8-9C11-7A3CBC2C2076}\stubpath = "C:\\Windows\\{DF8DB3AF-1EF3-4bd8-9C11-7A3CBC2C2076}.exe"	{05CBE5D8-C454-443d-BC0F-DB6753640D32}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AED3BC47-E288-43ec-AE57-85A7B3944AAC}	{DF8DB3AF-1EF3-4bd8-9C11-7A3CBC2C2076}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A2AB0004-D834-41ed-B47D-2CC847F11E42}	{6D4A314E-8522-46a5-9721-94D72EA13AA5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A2AB0004-D834-41ed-B47D-2CC847F11E42}\stubpath = "C:\\Windows\\{A2AB0004-D834-41ed-B47D-2CC847F11E42}.exe"	{6D4A314E-8522-46a5-9721-94D72EA13AA5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C3C4FB13-991C-424e-BB36-A44D8F42FB93}\stubpath = "C:\\Windows\\{C3C4FB13-991C-424e-BB36-A44D8F42FB93}.exe"	{A2AB0004-D834-41ed-B47D-2CC847F11E42}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A6D62D74-2602-4443-8433-C1052880850A}	{C3C4FB13-991C-424e-BB36-A44D8F42FB93}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4EB5FD50-7F47-4ef0-8D50-E642D1784540}\stubpath = "C:\\Windows\\{4EB5FD50-7F47-4ef0-8D50-E642D1784540}.exe"	{6ACECF17-21A9-4e21-840F-7E1F4A98F9E1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2C4471C6-50E8-408f-A1C5-B6B645F95D94}	{04DE4AC4-AFC9-4b08-82CA-3CD23A3E293C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2C4471C6-50E8-408f-A1C5-B6B645F95D94}\stubpath = "C:\\Windows\\{2C4471C6-50E8-408f-A1C5-B6B645F95D94}.exe"	{04DE4AC4-AFC9-4b08-82CA-3CD23A3E293C}.exe

Deletes itself 1 IoCs

pid	Process
3068	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2548	{6D4A314E-8522-46a5-9721-94D72EA13AA5}.exe
2672	{A2AB0004-D834-41ed-B47D-2CC847F11E42}.exe
2624	{C3C4FB13-991C-424e-BB36-A44D8F42FB93}.exe
2508	{A6D62D74-2602-4443-8433-C1052880850A}.exe
2940	{6ACECF17-21A9-4e21-840F-7E1F4A98F9E1}.exe
1892	{4EB5FD50-7F47-4ef0-8D50-E642D1784540}.exe
2524	{04DE4AC4-AFC9-4b08-82CA-3CD23A3E293C}.exe
1852	{2C4471C6-50E8-408f-A1C5-B6B645F95D94}.exe
2100	{05CBE5D8-C454-443d-BC0F-DB6753640D32}.exe
648	{DF8DB3AF-1EF3-4bd8-9C11-7A3CBC2C2076}.exe
1668	{AED3BC47-E288-43ec-AE57-85A7B3944AAC}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{AED3BC47-E288-43ec-AE57-85A7B3944AAC}.exe	{DF8DB3AF-1EF3-4bd8-9C11-7A3CBC2C2076}.exe
File created	C:\Windows\{C3C4FB13-991C-424e-BB36-A44D8F42FB93}.exe	{A2AB0004-D834-41ed-B47D-2CC847F11E42}.exe
File created	C:\Windows\{A6D62D74-2602-4443-8433-C1052880850A}.exe	{C3C4FB13-991C-424e-BB36-A44D8F42FB93}.exe
File created	C:\Windows\{6ACECF17-21A9-4e21-840F-7E1F4A98F9E1}.exe	{A6D62D74-2602-4443-8433-C1052880850A}.exe
File created	C:\Windows\{4EB5FD50-7F47-4ef0-8D50-E642D1784540}.exe	{6ACECF17-21A9-4e21-840F-7E1F4A98F9E1}.exe
File created	C:\Windows\{04DE4AC4-AFC9-4b08-82CA-3CD23A3E293C}.exe	{4EB5FD50-7F47-4ef0-8D50-E642D1784540}.exe
File created	C:\Windows\{DF8DB3AF-1EF3-4bd8-9C11-7A3CBC2C2076}.exe	{05CBE5D8-C454-443d-BC0F-DB6753640D32}.exe
File created	C:\Windows\{6D4A314E-8522-46a5-9721-94D72EA13AA5}.exe	2024-04-24_2f272fd2dc390c98ca486f538acdb11c_goldeneye.exe
File created	C:\Windows\{A2AB0004-D834-41ed-B47D-2CC847F11E42}.exe	{6D4A314E-8522-46a5-9721-94D72EA13AA5}.exe
File created	C:\Windows\{2C4471C6-50E8-408f-A1C5-B6B645F95D94}.exe	{04DE4AC4-AFC9-4b08-82CA-3CD23A3E293C}.exe
File created	C:\Windows\{05CBE5D8-C454-443d-BC0F-DB6753640D32}.exe	{2C4471C6-50E8-408f-A1C5-B6B645F95D94}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2216	2024-04-24_2f272fd2dc390c98ca486f538acdb11c_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2548	{6D4A314E-8522-46a5-9721-94D72EA13AA5}.exe
Token: SeIncBasePriorityPrivilege	2672	{A2AB0004-D834-41ed-B47D-2CC847F11E42}.exe
Token: SeIncBasePriorityPrivilege	2624	{C3C4FB13-991C-424e-BB36-A44D8F42FB93}.exe
Token: SeIncBasePriorityPrivilege	2508	{A6D62D74-2602-4443-8433-C1052880850A}.exe
Token: SeIncBasePriorityPrivilege	2940	{6ACECF17-21A9-4e21-840F-7E1F4A98F9E1}.exe
Token: SeIncBasePriorityPrivilege	1892	{4EB5FD50-7F47-4ef0-8D50-E642D1784540}.exe
Token: SeIncBasePriorityPrivilege	2524	{04DE4AC4-AFC9-4b08-82CA-3CD23A3E293C}.exe
Token: SeIncBasePriorityPrivilege	1852	{2C4471C6-50E8-408f-A1C5-B6B645F95D94}.exe
Token: SeIncBasePriorityPrivilege	2100	{05CBE5D8-C454-443d-BC0F-DB6753640D32}.exe
Token: SeIncBasePriorityPrivilege	648	{DF8DB3AF-1EF3-4bd8-9C11-7A3CBC2C2076}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2216 wrote to memory of 2548	2216	2024-04-24_2f272fd2dc390c98ca486f538acdb11c_goldeneye.exe	28
PID 2216 wrote to memory of 2548	2216	2024-04-24_2f272fd2dc390c98ca486f538acdb11c_goldeneye.exe	28
PID 2216 wrote to memory of 2548	2216	2024-04-24_2f272fd2dc390c98ca486f538acdb11c_goldeneye.exe	28
PID 2216 wrote to memory of 2548	2216	2024-04-24_2f272fd2dc390c98ca486f538acdb11c_goldeneye.exe	28
PID 2216 wrote to memory of 3068	2216	2024-04-24_2f272fd2dc390c98ca486f538acdb11c_goldeneye.exe	29
PID 2216 wrote to memory of 3068	2216	2024-04-24_2f272fd2dc390c98ca486f538acdb11c_goldeneye.exe	29
PID 2216 wrote to memory of 3068	2216	2024-04-24_2f272fd2dc390c98ca486f538acdb11c_goldeneye.exe	29
PID 2216 wrote to memory of 3068	2216	2024-04-24_2f272fd2dc390c98ca486f538acdb11c_goldeneye.exe	29
PID 2548 wrote to memory of 2672	2548	{6D4A314E-8522-46a5-9721-94D72EA13AA5}.exe	30
PID 2548 wrote to memory of 2672	2548	{6D4A314E-8522-46a5-9721-94D72EA13AA5}.exe	30
PID 2548 wrote to memory of 2672	2548	{6D4A314E-8522-46a5-9721-94D72EA13AA5}.exe	30
PID 2548 wrote to memory of 2672	2548	{6D4A314E-8522-46a5-9721-94D72EA13AA5}.exe	30
PID 2548 wrote to memory of 2700	2548	{6D4A314E-8522-46a5-9721-94D72EA13AA5}.exe	31
PID 2548 wrote to memory of 2700	2548	{6D4A314E-8522-46a5-9721-94D72EA13AA5}.exe	31
PID 2548 wrote to memory of 2700	2548	{6D4A314E-8522-46a5-9721-94D72EA13AA5}.exe	31
PID 2548 wrote to memory of 2700	2548	{6D4A314E-8522-46a5-9721-94D72EA13AA5}.exe	31
PID 2672 wrote to memory of 2624	2672	{A2AB0004-D834-41ed-B47D-2CC847F11E42}.exe	32
PID 2672 wrote to memory of 2624	2672	{A2AB0004-D834-41ed-B47D-2CC847F11E42}.exe	32
PID 2672 wrote to memory of 2624	2672	{A2AB0004-D834-41ed-B47D-2CC847F11E42}.exe	32
PID 2672 wrote to memory of 2624	2672	{A2AB0004-D834-41ed-B47D-2CC847F11E42}.exe	32
PID 2672 wrote to memory of 2800	2672	{A2AB0004-D834-41ed-B47D-2CC847F11E42}.exe	33
PID 2672 wrote to memory of 2800	2672	{A2AB0004-D834-41ed-B47D-2CC847F11E42}.exe	33
PID 2672 wrote to memory of 2800	2672	{A2AB0004-D834-41ed-B47D-2CC847F11E42}.exe	33
PID 2672 wrote to memory of 2800	2672	{A2AB0004-D834-41ed-B47D-2CC847F11E42}.exe	33
PID 2624 wrote to memory of 2508	2624	{C3C4FB13-991C-424e-BB36-A44D8F42FB93}.exe	36
PID 2624 wrote to memory of 2508	2624	{C3C4FB13-991C-424e-BB36-A44D8F42FB93}.exe	36
PID 2624 wrote to memory of 2508	2624	{C3C4FB13-991C-424e-BB36-A44D8F42FB93}.exe	36
PID 2624 wrote to memory of 2508	2624	{C3C4FB13-991C-424e-BB36-A44D8F42FB93}.exe	36
PID 2624 wrote to memory of 864	2624	{C3C4FB13-991C-424e-BB36-A44D8F42FB93}.exe	37
PID 2624 wrote to memory of 864	2624	{C3C4FB13-991C-424e-BB36-A44D8F42FB93}.exe	37
PID 2624 wrote to memory of 864	2624	{C3C4FB13-991C-424e-BB36-A44D8F42FB93}.exe	37
PID 2624 wrote to memory of 864	2624	{C3C4FB13-991C-424e-BB36-A44D8F42FB93}.exe	37
PID 2508 wrote to memory of 2940	2508	{A6D62D74-2602-4443-8433-C1052880850A}.exe	38
PID 2508 wrote to memory of 2940	2508	{A6D62D74-2602-4443-8433-C1052880850A}.exe	38
PID 2508 wrote to memory of 2940	2508	{A6D62D74-2602-4443-8433-C1052880850A}.exe	38
PID 2508 wrote to memory of 2940	2508	{A6D62D74-2602-4443-8433-C1052880850A}.exe	38
PID 2508 wrote to memory of 2648	2508	{A6D62D74-2602-4443-8433-C1052880850A}.exe	39
PID 2508 wrote to memory of 2648	2508	{A6D62D74-2602-4443-8433-C1052880850A}.exe	39
PID 2508 wrote to memory of 2648	2508	{A6D62D74-2602-4443-8433-C1052880850A}.exe	39
PID 2508 wrote to memory of 2648	2508	{A6D62D74-2602-4443-8433-C1052880850A}.exe	39
PID 2940 wrote to memory of 1892	2940	{6ACECF17-21A9-4e21-840F-7E1F4A98F9E1}.exe	40
PID 2940 wrote to memory of 1892	2940	{6ACECF17-21A9-4e21-840F-7E1F4A98F9E1}.exe	40
PID 2940 wrote to memory of 1892	2940	{6ACECF17-21A9-4e21-840F-7E1F4A98F9E1}.exe	40
PID 2940 wrote to memory of 1892	2940	{6ACECF17-21A9-4e21-840F-7E1F4A98F9E1}.exe	40
PID 2940 wrote to memory of 2552	2940	{6ACECF17-21A9-4e21-840F-7E1F4A98F9E1}.exe	41
PID 2940 wrote to memory of 2552	2940	{6ACECF17-21A9-4e21-840F-7E1F4A98F9E1}.exe	41
PID 2940 wrote to memory of 2552	2940	{6ACECF17-21A9-4e21-840F-7E1F4A98F9E1}.exe	41
PID 2940 wrote to memory of 2552	2940	{6ACECF17-21A9-4e21-840F-7E1F4A98F9E1}.exe	41
PID 1892 wrote to memory of 2524	1892	{4EB5FD50-7F47-4ef0-8D50-E642D1784540}.exe	42
PID 1892 wrote to memory of 2524	1892	{4EB5FD50-7F47-4ef0-8D50-E642D1784540}.exe	42
PID 1892 wrote to memory of 2524	1892	{4EB5FD50-7F47-4ef0-8D50-E642D1784540}.exe	42
PID 1892 wrote to memory of 2524	1892	{4EB5FD50-7F47-4ef0-8D50-E642D1784540}.exe	42
PID 1892 wrote to memory of 2936	1892	{4EB5FD50-7F47-4ef0-8D50-E642D1784540}.exe	43
PID 1892 wrote to memory of 2936	1892	{4EB5FD50-7F47-4ef0-8D50-E642D1784540}.exe	43
PID 1892 wrote to memory of 2936	1892	{4EB5FD50-7F47-4ef0-8D50-E642D1784540}.exe	43
PID 1892 wrote to memory of 2936	1892	{4EB5FD50-7F47-4ef0-8D50-E642D1784540}.exe	43
PID 2524 wrote to memory of 1852	2524	{04DE4AC4-AFC9-4b08-82CA-3CD23A3E293C}.exe	44
PID 2524 wrote to memory of 1852	2524	{04DE4AC4-AFC9-4b08-82CA-3CD23A3E293C}.exe	44
PID 2524 wrote to memory of 1852	2524	{04DE4AC4-AFC9-4b08-82CA-3CD23A3E293C}.exe	44
PID 2524 wrote to memory of 1852	2524	{04DE4AC4-AFC9-4b08-82CA-3CD23A3E293C}.exe	44
PID 2524 wrote to memory of 1128	2524	{04DE4AC4-AFC9-4b08-82CA-3CD23A3E293C}.exe	45
PID 2524 wrote to memory of 1128	2524	{04DE4AC4-AFC9-4b08-82CA-3CD23A3E293C}.exe	45
PID 2524 wrote to memory of 1128	2524	{04DE4AC4-AFC9-4b08-82CA-3CD23A3E293C}.exe	45
PID 2524 wrote to memory of 1128	2524	{04DE4AC4-AFC9-4b08-82CA-3CD23A3E293C}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-04-24_2f272fd2dc390c98ca486f538acdb11c_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-24_2f272fd2dc390c98ca486f538acdb11c_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2216
- C:\Windows\{6D4A314E-8522-46a5-9721-94D72EA13AA5}.exe
  C:\Windows\{6D4A314E-8522-46a5-9721-94D72EA13AA5}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2548
- - C:\Windows\{A2AB0004-D834-41ed-B47D-2CC847F11E42}.exe
    C:\Windows\{A2AB0004-D834-41ed-B47D-2CC847F11E42}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2672
  - - C:\Windows\{C3C4FB13-991C-424e-BB36-A44D8F42FB93}.exe
      C:\Windows\{C3C4FB13-991C-424e-BB36-A44D8F42FB93}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2624
    - - C:\Windows\{A6D62D74-2602-4443-8433-C1052880850A}.exe
        
        C:\Windows\{A6D62D74-2602-4443-8433-C1052880850A}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2508
      - C:\Windows\{6ACECF17-21A9-4e21-840F-7E1F4A98F9E1}.exe
        
        C:\Windows\{6ACECF17-21A9-4e21-840F-7E1F4A98F9E1}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2940
        
        C:\Windows\{4EB5FD50-7F47-4ef0-8D50-E642D1784540}.exe
        
        C:\Windows\{4EB5FD50-7F47-4ef0-8D50-E642D1784540}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1892
        
        C:\Windows\{04DE4AC4-AFC9-4b08-82CA-3CD23A3E293C}.exe
        
        C:\Windows\{04DE4AC4-AFC9-4b08-82CA-3CD23A3E293C}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2524
        
        C:\Windows\{2C4471C6-50E8-408f-A1C5-B6B645F95D94}.exe
        
        C:\Windows\{2C4471C6-50E8-408f-A1C5-B6B645F95D94}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1852
        
        C:\Windows\{05CBE5D8-C454-443d-BC0F-DB6753640D32}.exe
        
        C:\Windows\{05CBE5D8-C454-443d-BC0F-DB6753640D32}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2100
        
        C:\Windows\{DF8DB3AF-1EF3-4bd8-9C11-7A3CBC2C2076}.exe
        
        C:\Windows\{DF8DB3AF-1EF3-4bd8-9C11-7A3CBC2C2076}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:648
        
        C:\Windows\{AED3BC47-E288-43ec-AE57-85A7B3944AAC}.exe
        
        C:\Windows\{AED3BC47-E288-43ec-AE57-85A7B3944AAC}.exe
        12⤵
        Executes dropped EXE
        
        PID:1668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DF8DB~1.EXE > nul
        12⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{05CBE~1.EXE > nul
        11⤵
        
        PID:592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2C447~1.EXE > nul
        10⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{04DE4~1.EXE > nul
        9⤵
        
        PID:1128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4EB5F~1.EXE > nul
        8⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6ACEC~1.EXE > nul
        7⤵
        
        PID:2552
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A6D62~1.EXE > nul
        6⤵
        
        PID:2648
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C3C4F~1.EXE > nul
        5⤵
        
        PID:864
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{A2AB0~1.EXE > nul
      4⤵
      PID:2800
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{6D4A3~1.EXE > nul
    3⤵
    PID:2700
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:3068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{04DE4AC4-AFC9-4b08-82CA-3CD23A3E293C}.exe

Filesize
204KB

MD5
1965d98d92b29981e3dada0dfc7c8e55

SHA1
c98cb4c9dac984976ee3c56a25c0905e62ff1553

SHA256
edadfadc76aec92d49c7df4165d7aaab158be23932e8c7af575aff3186cc6fd0

SHA512
538f21006fc6d5e513534b0161c5c8e83644f9b05889851e133c55cbf857eb5ccfe7acb28ad63e2d1cc473f862de60b5a14e27ef8637a70667780b242943ea33

Download Submit
C:\Windows\{05CBE5D8-C454-443d-BC0F-DB6753640D32}.exe

Filesize
204KB

MD5
d58eb7b5885a8f02e6385e1875f3c925

SHA1
338bf8c3caa0efe6d265285006f0c4246dbb8730

SHA256
6dec79badd61317d647149b64fd180a78a049e8ed2887901c7607e26f8379776

SHA512
7582533deeeb2da05a81f67f9dd56cdde82fecf027718f5f64027d2ac6b599f5d201292f1632581e0efa180458e1f7d1880cddb28dddb94437e3aca94ac638b0

Download Submit
C:\Windows\{2C4471C6-50E8-408f-A1C5-B6B645F95D94}.exe

Filesize
204KB

MD5
1970dfcb4da530bff958ec3b36f231f4

SHA1
548c4bfd27bf5c4a3cee6dda1dd052ead8ace122

SHA256
d3e9dade00275e2bb22aa5865696ad8e330f75277ac954f65769433e80456305

SHA512
32815930e1fa6cf4d1a4a311c3b0eeddf67a5f6acf18160f65c4d911ae0e009f5d39b11b3bff10ca051cf126fa662317048af4b60af54dc01fa433e39081d753

Download Submit
C:\Windows\{4EB5FD50-7F47-4ef0-8D50-E642D1784540}.exe

Filesize
204KB

MD5
027c3be6d86f174bf018951890113ae8

SHA1
afa22dd70d2a1f6a09c7de36768e41e68aebccca

SHA256
80eb66a4d5b5d221fc34cb38a857a31a3143cdaa58fdf459e99eb305e3cd6fc0

SHA512
ed30ec307dd5016d9e8f331244f97442fe9c1e079aee4aa2b871d8c498c3940652188f34bb550e4f1c8da46bc14f6730632f5fd8047fd46ec61061ec2576ea5b

Download Submit
C:\Windows\{6ACECF17-21A9-4e21-840F-7E1F4A98F9E1}.exe

Filesize
204KB

MD5
4eb04caa83aded1b8045d3ecd98bd856

SHA1
a9fd48abd03279d5fad7f64d5b897689f99fa1c8

SHA256
c86ac934ab8ad598e6224bd79687bd51a012423101af8a369b6e05dd5d162a1b

SHA512
39f62f3d7c40f5824245134201cf02ca9916bbfa935df43026b2e7bb47849663cb086000824b9f793edd89590bbe919117672167a592b9855363ac086e723aed

Download Submit
C:\Windows\{6D4A314E-8522-46a5-9721-94D72EA13AA5}.exe

Filesize
204KB

MD5
15966ef75dc28597c184628bf9bc475a

SHA1
5b6f0b8e7152f61b7d72560df57de5e6d7cb3e9f

SHA256
4aa1b385172d9976b099d636dbe888cadcf8c9d20e1a189f24f82780b7a01898

SHA512
ffab8b53d14543c811cb17ab2f0596603e8d8743c647f2ba6b36acb95ce934b3d4e5108d665c57b3ccaaf89afb5476cf8c5cf12b53719b04d0a43e1774c764ea

Download Submit
C:\Windows\{A2AB0004-D834-41ed-B47D-2CC847F11E42}.exe

Filesize
204KB

MD5
08cdae98d106bf66236437242c89f04b

SHA1
0000acef045d4a7e6f187f2c7a7ac62faedee75e

SHA256
2ad68048de63e83fc1f77f8df80c18c4b3dc8785b33d15c4645f448dd6381a90

SHA512
43b6d260f58406f553190e403dd46e41a9ddd5b2c4a1a4cffb739d529179cdb52bf48bf6c519e44474923e53f86ed3da63ab9e38bc9b9e85c472677efc699614

Download Submit
C:\Windows\{A6D62D74-2602-4443-8433-C1052880850A}.exe

Filesize
204KB

MD5
aae472c5ae7953f94e56a7db3dcb83e2

SHA1
4076d92798d4e8225f1496db2318544712315b62

SHA256
7d5a5ffc00d5402b947c9c165ce1b7fe31b0c968cfb441112a3d07855b103b93

SHA512
835b3978775f8b50c34c0561450ec9e122f42c55620847dfe5675b9b067b00f5539146c909ad1855c455641bda4b10861d5060a8d0ab0643d6caffc11e7d37c0

Download Submit
C:\Windows\{AED3BC47-E288-43ec-AE57-85A7B3944AAC}.exe

Filesize
204KB

MD5
8484df046915fa17831f5eab3a4b1858

SHA1
3bcc5dcc7f77cd5b76aed215bf4a49d2faefc768

SHA256
846a257ab292a2e2114b3df242533cc93d6ad2496f5c080d1d1d158c6f101772

SHA512
bf47870d2235c8d2e25086b0f4af0130bab03c45e6a2f17533e0ca37ef2980ad905db564fa242128d4cabd9ea788802fc2044fdde35a8b4b86decbd08a7d4cf9

Download Submit
C:\Windows\{C3C4FB13-991C-424e-BB36-A44D8F42FB93}.exe

Filesize
204KB

MD5
e8355d01be023b7c04f2b2ce4c2a6547

SHA1
499269b4af7866d5ae67437dbeb42293709b77db

SHA256
b59ba7025b44ec9e5be254fb1adbd8ada92cd83a188f0e1ccfd6c37856e52784

SHA512
64c34222cffc17a847ba3d8f66f3536a69f1e2a458e41ad52f4e6062071345dff3d6c3b2aabc0b2d3cbf5bee0258bc8c927104989932dd3ce5cfea2e27d7e857

Download Submit
C:\Windows\{DF8DB3AF-1EF3-4bd8-9C11-7A3CBC2C2076}.exe

Filesize
204KB

MD5
e23cda36cbf142c9b1926a814075b916

SHA1
a5edd0c7a87b8c4b86f612ec57c39fec3affd8c5

SHA256
7b37284ca173d197bc8b27cbb152e26777547b88532f9109735b722647b97a14

SHA512
165a1bec1ae69337572447ed17dadac1684c060bc8139f073b3b4543465db7a329d293a5749a44ade726d0b0ee5da17a9cdf8d0e8bf7fc37029a6481df80d845

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads