25cee5dbac1569c7d12faa9aa80a0734e1baff0e13dcd8445b28c66a707ffffd

Analysis

max time kernel
144s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
25-04-2024 12:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-25_cd59497c659ea368172b9f201711151c_goldeneye.exe
Size

204KB
MD5

cd59497c659ea368172b9f201711151c
SHA1

620000411521ccebf3cbc657fae0ca4a50431b1b
SHA256

25cee5dbac1569c7d12faa9aa80a0734e1baff0e13dcd8445b28c66a707ffffd
SHA512

e115fbebbfdad86f66459c5d3f8af9c594a293d699804923e56c80015d7601c6445f1fc26b6c352327b6cc617e7b9db9b520960e17ed4645e44cef3565bb6a9e
SSDEEP

1536:1EGh0oAl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oAl1OPOe2MUVg3Ve+rXfMUy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000b000000012250-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c00000001450b-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000012250-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002d000000014983-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000012250-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e000000012250-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f000000012250-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C3ED068D-26B5-4e83-B21C-81E32890C8EF}	2024-04-25_cd59497c659ea368172b9f201711151c_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B88036E2-478A-416d-A416-71F589CDE826}	{BB470227-F569-4d92-8385-272CB1019C8F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B88036E2-478A-416d-A416-71F589CDE826}\stubpath = "C:\\Windows\\{B88036E2-478A-416d-A416-71F589CDE826}.exe"	{BB470227-F569-4d92-8385-272CB1019C8F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FB4CAF9C-391F-4139-9940-BF72E8C3CAE9}	{3347F81E-5FB3-42c8-8C86-E129091C3502}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{426460EB-90A5-4dbe-B3F8-1D29E57E8446}\stubpath = "C:\\Windows\\{426460EB-90A5-4dbe-B3F8-1D29E57E8446}.exe"	{FB4CAF9C-391F-4139-9940-BF72E8C3CAE9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{749DC158-951D-47f7-88F2-495FF3C77DA0}\stubpath = "C:\\Windows\\{749DC158-951D-47f7-88F2-495FF3C77DA0}.exe"	{C3ED068D-26B5-4e83-B21C-81E32890C8EF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{20CAEA6E-7652-4dbf-AEA1-301ABC47C25A}	{749DC158-951D-47f7-88F2-495FF3C77DA0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FB4CAF9C-391F-4139-9940-BF72E8C3CAE9}\stubpath = "C:\\Windows\\{FB4CAF9C-391F-4139-9940-BF72E8C3CAE9}.exe"	{3347F81E-5FB3-42c8-8C86-E129091C3502}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1FD20E55-F99B-4025-A0C7-CF0DFDE24F2E}\stubpath = "C:\\Windows\\{1FD20E55-F99B-4025-A0C7-CF0DFDE24F2E}.exe"	{DB65D1AA-0405-4117-957B-22BC18A7CB1C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{084D8FAE-EB03-4e79-A626-5F90DC800EBD}	{1FD20E55-F99B-4025-A0C7-CF0DFDE24F2E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{084D8FAE-EB03-4e79-A626-5F90DC800EBD}\stubpath = "C:\\Windows\\{084D8FAE-EB03-4e79-A626-5F90DC800EBD}.exe"	{1FD20E55-F99B-4025-A0C7-CF0DFDE24F2E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BB470227-F569-4d92-8385-272CB1019C8F}	{20CAEA6E-7652-4dbf-AEA1-301ABC47C25A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3347F81E-5FB3-42c8-8C86-E129091C3502}	{B88036E2-478A-416d-A416-71F589CDE826}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3347F81E-5FB3-42c8-8C86-E129091C3502}\stubpath = "C:\\Windows\\{3347F81E-5FB3-42c8-8C86-E129091C3502}.exe"	{B88036E2-478A-416d-A416-71F589CDE826}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DB65D1AA-0405-4117-957B-22BC18A7CB1C}	{426460EB-90A5-4dbe-B3F8-1D29E57E8446}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DB65D1AA-0405-4117-957B-22BC18A7CB1C}\stubpath = "C:\\Windows\\{DB65D1AA-0405-4117-957B-22BC18A7CB1C}.exe"	{426460EB-90A5-4dbe-B3F8-1D29E57E8446}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C3ED068D-26B5-4e83-B21C-81E32890C8EF}\stubpath = "C:\\Windows\\{C3ED068D-26B5-4e83-B21C-81E32890C8EF}.exe"	2024-04-25_cd59497c659ea368172b9f201711151c_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{749DC158-951D-47f7-88F2-495FF3C77DA0}	{C3ED068D-26B5-4e83-B21C-81E32890C8EF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{20CAEA6E-7652-4dbf-AEA1-301ABC47C25A}\stubpath = "C:\\Windows\\{20CAEA6E-7652-4dbf-AEA1-301ABC47C25A}.exe"	{749DC158-951D-47f7-88F2-495FF3C77DA0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BB470227-F569-4d92-8385-272CB1019C8F}\stubpath = "C:\\Windows\\{BB470227-F569-4d92-8385-272CB1019C8F}.exe"	{20CAEA6E-7652-4dbf-AEA1-301ABC47C25A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{426460EB-90A5-4dbe-B3F8-1D29E57E8446}	{FB4CAF9C-391F-4139-9940-BF72E8C3CAE9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1FD20E55-F99B-4025-A0C7-CF0DFDE24F2E}	{DB65D1AA-0405-4117-957B-22BC18A7CB1C}.exe

Deletes itself 1 IoCs

pid	Process
2464	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2968	{C3ED068D-26B5-4e83-B21C-81E32890C8EF}.exe
2584	{749DC158-951D-47f7-88F2-495FF3C77DA0}.exe
2396	{20CAEA6E-7652-4dbf-AEA1-301ABC47C25A}.exe
1244	{BB470227-F569-4d92-8385-272CB1019C8F}.exe
2684	{B88036E2-478A-416d-A416-71F589CDE826}.exe
284	{3347F81E-5FB3-42c8-8C86-E129091C3502}.exe
1568	{FB4CAF9C-391F-4139-9940-BF72E8C3CAE9}.exe
2028	{426460EB-90A5-4dbe-B3F8-1D29E57E8446}.exe
1924	{DB65D1AA-0405-4117-957B-22BC18A7CB1C}.exe
1036	{1FD20E55-F99B-4025-A0C7-CF0DFDE24F2E}.exe
576	{084D8FAE-EB03-4e79-A626-5F90DC800EBD}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{749DC158-951D-47f7-88F2-495FF3C77DA0}.exe	{C3ED068D-26B5-4e83-B21C-81E32890C8EF}.exe
File created	C:\Windows\{20CAEA6E-7652-4dbf-AEA1-301ABC47C25A}.exe	{749DC158-951D-47f7-88F2-495FF3C77DA0}.exe
File created	C:\Windows\{BB470227-F569-4d92-8385-272CB1019C8F}.exe	{20CAEA6E-7652-4dbf-AEA1-301ABC47C25A}.exe
File created	C:\Windows\{3347F81E-5FB3-42c8-8C86-E129091C3502}.exe	{B88036E2-478A-416d-A416-71F589CDE826}.exe
File created	C:\Windows\{426460EB-90A5-4dbe-B3F8-1D29E57E8446}.exe	{FB4CAF9C-391F-4139-9940-BF72E8C3CAE9}.exe
File created	C:\Windows\{C3ED068D-26B5-4e83-B21C-81E32890C8EF}.exe	2024-04-25_cd59497c659ea368172b9f201711151c_goldeneye.exe
File created	C:\Windows\{B88036E2-478A-416d-A416-71F589CDE826}.exe	{BB470227-F569-4d92-8385-272CB1019C8F}.exe
File created	C:\Windows\{FB4CAF9C-391F-4139-9940-BF72E8C3CAE9}.exe	{3347F81E-5FB3-42c8-8C86-E129091C3502}.exe
File created	C:\Windows\{DB65D1AA-0405-4117-957B-22BC18A7CB1C}.exe	{426460EB-90A5-4dbe-B3F8-1D29E57E8446}.exe
File created	C:\Windows\{1FD20E55-F99B-4025-A0C7-CF0DFDE24F2E}.exe	{DB65D1AA-0405-4117-957B-22BC18A7CB1C}.exe
File created	C:\Windows\{084D8FAE-EB03-4e79-A626-5F90DC800EBD}.exe	{1FD20E55-F99B-4025-A0C7-CF0DFDE24F2E}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1984	2024-04-25_cd59497c659ea368172b9f201711151c_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2968	{C3ED068D-26B5-4e83-B21C-81E32890C8EF}.exe
Token: SeIncBasePriorityPrivilege	2584	{749DC158-951D-47f7-88F2-495FF3C77DA0}.exe
Token: SeIncBasePriorityPrivilege	2396	{20CAEA6E-7652-4dbf-AEA1-301ABC47C25A}.exe
Token: SeIncBasePriorityPrivilege	1244	{BB470227-F569-4d92-8385-272CB1019C8F}.exe
Token: SeIncBasePriorityPrivilege	2684	{B88036E2-478A-416d-A416-71F589CDE826}.exe
Token: SeIncBasePriorityPrivilege	284	{3347F81E-5FB3-42c8-8C86-E129091C3502}.exe
Token: SeIncBasePriorityPrivilege	1568	{FB4CAF9C-391F-4139-9940-BF72E8C3CAE9}.exe
Token: SeIncBasePriorityPrivilege	2028	{426460EB-90A5-4dbe-B3F8-1D29E57E8446}.exe
Token: SeIncBasePriorityPrivilege	1924	{DB65D1AA-0405-4117-957B-22BC18A7CB1C}.exe
Token: SeIncBasePriorityPrivilege	1036	{1FD20E55-F99B-4025-A0C7-CF0DFDE24F2E}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1984 wrote to memory of 2968	1984	2024-04-25_cd59497c659ea368172b9f201711151c_goldeneye.exe	28
PID 1984 wrote to memory of 2968	1984	2024-04-25_cd59497c659ea368172b9f201711151c_goldeneye.exe	28
PID 1984 wrote to memory of 2968	1984	2024-04-25_cd59497c659ea368172b9f201711151c_goldeneye.exe	28
PID 1984 wrote to memory of 2968	1984	2024-04-25_cd59497c659ea368172b9f201711151c_goldeneye.exe	28
PID 1984 wrote to memory of 2464	1984	2024-04-25_cd59497c659ea368172b9f201711151c_goldeneye.exe	29
PID 1984 wrote to memory of 2464	1984	2024-04-25_cd59497c659ea368172b9f201711151c_goldeneye.exe	29
PID 1984 wrote to memory of 2464	1984	2024-04-25_cd59497c659ea368172b9f201711151c_goldeneye.exe	29
PID 1984 wrote to memory of 2464	1984	2024-04-25_cd59497c659ea368172b9f201711151c_goldeneye.exe	29
PID 2968 wrote to memory of 2584	2968	{C3ED068D-26B5-4e83-B21C-81E32890C8EF}.exe	30
PID 2968 wrote to memory of 2584	2968	{C3ED068D-26B5-4e83-B21C-81E32890C8EF}.exe	30
PID 2968 wrote to memory of 2584	2968	{C3ED068D-26B5-4e83-B21C-81E32890C8EF}.exe	30
PID 2968 wrote to memory of 2584	2968	{C3ED068D-26B5-4e83-B21C-81E32890C8EF}.exe	30
PID 2968 wrote to memory of 2632	2968	{C3ED068D-26B5-4e83-B21C-81E32890C8EF}.exe	31
PID 2968 wrote to memory of 2632	2968	{C3ED068D-26B5-4e83-B21C-81E32890C8EF}.exe	31
PID 2968 wrote to memory of 2632	2968	{C3ED068D-26B5-4e83-B21C-81E32890C8EF}.exe	31
PID 2968 wrote to memory of 2632	2968	{C3ED068D-26B5-4e83-B21C-81E32890C8EF}.exe	31
PID 2584 wrote to memory of 2396	2584	{749DC158-951D-47f7-88F2-495FF3C77DA0}.exe	32
PID 2584 wrote to memory of 2396	2584	{749DC158-951D-47f7-88F2-495FF3C77DA0}.exe	32
PID 2584 wrote to memory of 2396	2584	{749DC158-951D-47f7-88F2-495FF3C77DA0}.exe	32
PID 2584 wrote to memory of 2396	2584	{749DC158-951D-47f7-88F2-495FF3C77DA0}.exe	32
PID 2584 wrote to memory of 2532	2584	{749DC158-951D-47f7-88F2-495FF3C77DA0}.exe	33
PID 2584 wrote to memory of 2532	2584	{749DC158-951D-47f7-88F2-495FF3C77DA0}.exe	33
PID 2584 wrote to memory of 2532	2584	{749DC158-951D-47f7-88F2-495FF3C77DA0}.exe	33
PID 2584 wrote to memory of 2532	2584	{749DC158-951D-47f7-88F2-495FF3C77DA0}.exe	33
PID 2396 wrote to memory of 1244	2396	{20CAEA6E-7652-4dbf-AEA1-301ABC47C25A}.exe	36
PID 2396 wrote to memory of 1244	2396	{20CAEA6E-7652-4dbf-AEA1-301ABC47C25A}.exe	36
PID 2396 wrote to memory of 1244	2396	{20CAEA6E-7652-4dbf-AEA1-301ABC47C25A}.exe	36
PID 2396 wrote to memory of 1244	2396	{20CAEA6E-7652-4dbf-AEA1-301ABC47C25A}.exe	36
PID 2396 wrote to memory of 2040	2396	{20CAEA6E-7652-4dbf-AEA1-301ABC47C25A}.exe	37
PID 2396 wrote to memory of 2040	2396	{20CAEA6E-7652-4dbf-AEA1-301ABC47C25A}.exe	37
PID 2396 wrote to memory of 2040	2396	{20CAEA6E-7652-4dbf-AEA1-301ABC47C25A}.exe	37
PID 2396 wrote to memory of 2040	2396	{20CAEA6E-7652-4dbf-AEA1-301ABC47C25A}.exe	37
PID 1244 wrote to memory of 2684	1244	{BB470227-F569-4d92-8385-272CB1019C8F}.exe	38
PID 1244 wrote to memory of 2684	1244	{BB470227-F569-4d92-8385-272CB1019C8F}.exe	38
PID 1244 wrote to memory of 2684	1244	{BB470227-F569-4d92-8385-272CB1019C8F}.exe	38
PID 1244 wrote to memory of 2684	1244	{BB470227-F569-4d92-8385-272CB1019C8F}.exe	38
PID 1244 wrote to memory of 800	1244	{BB470227-F569-4d92-8385-272CB1019C8F}.exe	39
PID 1244 wrote to memory of 800	1244	{BB470227-F569-4d92-8385-272CB1019C8F}.exe	39
PID 1244 wrote to memory of 800	1244	{BB470227-F569-4d92-8385-272CB1019C8F}.exe	39
PID 1244 wrote to memory of 800	1244	{BB470227-F569-4d92-8385-272CB1019C8F}.exe	39
PID 2684 wrote to memory of 284	2684	{B88036E2-478A-416d-A416-71F589CDE826}.exe	40
PID 2684 wrote to memory of 284	2684	{B88036E2-478A-416d-A416-71F589CDE826}.exe	40
PID 2684 wrote to memory of 284	2684	{B88036E2-478A-416d-A416-71F589CDE826}.exe	40
PID 2684 wrote to memory of 284	2684	{B88036E2-478A-416d-A416-71F589CDE826}.exe	40
PID 2684 wrote to memory of 108	2684	{B88036E2-478A-416d-A416-71F589CDE826}.exe	41
PID 2684 wrote to memory of 108	2684	{B88036E2-478A-416d-A416-71F589CDE826}.exe	41
PID 2684 wrote to memory of 108	2684	{B88036E2-478A-416d-A416-71F589CDE826}.exe	41
PID 2684 wrote to memory of 108	2684	{B88036E2-478A-416d-A416-71F589CDE826}.exe	41
PID 284 wrote to memory of 1568	284	{3347F81E-5FB3-42c8-8C86-E129091C3502}.exe	42
PID 284 wrote to memory of 1568	284	{3347F81E-5FB3-42c8-8C86-E129091C3502}.exe	42
PID 284 wrote to memory of 1568	284	{3347F81E-5FB3-42c8-8C86-E129091C3502}.exe	42
PID 284 wrote to memory of 1568	284	{3347F81E-5FB3-42c8-8C86-E129091C3502}.exe	42
PID 284 wrote to memory of 1324	284	{3347F81E-5FB3-42c8-8C86-E129091C3502}.exe	43
PID 284 wrote to memory of 1324	284	{3347F81E-5FB3-42c8-8C86-E129091C3502}.exe	43
PID 284 wrote to memory of 1324	284	{3347F81E-5FB3-42c8-8C86-E129091C3502}.exe	43
PID 284 wrote to memory of 1324	284	{3347F81E-5FB3-42c8-8C86-E129091C3502}.exe	43
PID 1568 wrote to memory of 2028	1568	{FB4CAF9C-391F-4139-9940-BF72E8C3CAE9}.exe	44
PID 1568 wrote to memory of 2028	1568	{FB4CAF9C-391F-4139-9940-BF72E8C3CAE9}.exe	44
PID 1568 wrote to memory of 2028	1568	{FB4CAF9C-391F-4139-9940-BF72E8C3CAE9}.exe	44
PID 1568 wrote to memory of 2028	1568	{FB4CAF9C-391F-4139-9940-BF72E8C3CAE9}.exe	44
PID 1568 wrote to memory of 2004	1568	{FB4CAF9C-391F-4139-9940-BF72E8C3CAE9}.exe	45
PID 1568 wrote to memory of 2004	1568	{FB4CAF9C-391F-4139-9940-BF72E8C3CAE9}.exe	45
PID 1568 wrote to memory of 2004	1568	{FB4CAF9C-391F-4139-9940-BF72E8C3CAE9}.exe	45
PID 1568 wrote to memory of 2004	1568	{FB4CAF9C-391F-4139-9940-BF72E8C3CAE9}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-04-25_cd59497c659ea368172b9f201711151c_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-25_cd59497c659ea368172b9f201711151c_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1984
- C:\Windows\{C3ED068D-26B5-4e83-B21C-81E32890C8EF}.exe
  C:\Windows\{C3ED068D-26B5-4e83-B21C-81E32890C8EF}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2968
- - C:\Windows\{749DC158-951D-47f7-88F2-495FF3C77DA0}.exe
    C:\Windows\{749DC158-951D-47f7-88F2-495FF3C77DA0}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2584
  - - C:\Windows\{20CAEA6E-7652-4dbf-AEA1-301ABC47C25A}.exe
      C:\Windows\{20CAEA6E-7652-4dbf-AEA1-301ABC47C25A}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2396
    - - C:\Windows\{BB470227-F569-4d92-8385-272CB1019C8F}.exe
        
        C:\Windows\{BB470227-F569-4d92-8385-272CB1019C8F}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1244
      - C:\Windows\{B88036E2-478A-416d-A416-71F589CDE826}.exe
        
        C:\Windows\{B88036E2-478A-416d-A416-71F589CDE826}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2684
        
        C:\Windows\{3347F81E-5FB3-42c8-8C86-E129091C3502}.exe
        
        C:\Windows\{3347F81E-5FB3-42c8-8C86-E129091C3502}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:284
        
        C:\Windows\{FB4CAF9C-391F-4139-9940-BF72E8C3CAE9}.exe
        
        C:\Windows\{FB4CAF9C-391F-4139-9940-BF72E8C3CAE9}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1568
        
        C:\Windows\{426460EB-90A5-4dbe-B3F8-1D29E57E8446}.exe
        
        C:\Windows\{426460EB-90A5-4dbe-B3F8-1D29E57E8446}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2028
        
        C:\Windows\{DB65D1AA-0405-4117-957B-22BC18A7CB1C}.exe
        
        C:\Windows\{DB65D1AA-0405-4117-957B-22BC18A7CB1C}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1924
        
        C:\Windows\{1FD20E55-F99B-4025-A0C7-CF0DFDE24F2E}.exe
        
        C:\Windows\{1FD20E55-F99B-4025-A0C7-CF0DFDE24F2E}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1036
        
        C:\Windows\{084D8FAE-EB03-4e79-A626-5F90DC800EBD}.exe
        
        C:\Windows\{084D8FAE-EB03-4e79-A626-5F90DC800EBD}.exe
        12⤵
        Executes dropped EXE
        
        PID:576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1FD20~1.EXE > nul
        12⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DB65D~1.EXE > nul
        11⤵
        
        PID:596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{42646~1.EXE > nul
        10⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FB4CA~1.EXE > nul
        9⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3347F~1.EXE > nul
        8⤵
        
        PID:1324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B8803~1.EXE > nul
        7⤵
        
        PID:108
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BB470~1.EXE > nul
        6⤵
        
        PID:800
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{20CAE~1.EXE > nul
        5⤵
        
        PID:2040
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{749DC~1.EXE > nul
      4⤵
      PID:2532
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{C3ED0~1.EXE > nul
    3⤵
    PID:2632
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{084D8FAE-EB03-4e79-A626-5F90DC800EBD}.exe

Filesize
204KB

MD5
cd8ec8a4baef8c8d9ef0624e883c4c73

SHA1
9e05df03d95890452dedea4f8b054156484eaa55

SHA256
40a97054d4630d181d4d0a0ac6a60f8037e9c520c5eeda8b1e676f41e0fb30bb

SHA512
436e6be3aa40ebc50a2f6c9b5f7306dabae53111c531dac8ee7eafcbd1789d6ed2e2e3d13aa17a8fcc30ba216c47e8347a12952a7cd3d4500aad2d22cc0d5f47

Download Submit
C:\Windows\{1FD20E55-F99B-4025-A0C7-CF0DFDE24F2E}.exe

Filesize
204KB

MD5
e70d8b6b761925b34e6a612fc6438632

SHA1
646e63db3e8ca6e8b10f5e80b22654b74fad684b

SHA256
dfbd7adc07fee26025d41cb70ea990af8cb20edfcd734d2c0ff2d3f78686a6bf

SHA512
2de906c0097f21e9923e04c5edfb1b478f3c0af82c8a32f5c4553752e0feac362a9ac3004c0fcee21f0579c4b8bc4419fe14eebb2e95b20c715d40969b4c0795

Download Submit
C:\Windows\{20CAEA6E-7652-4dbf-AEA1-301ABC47C25A}.exe

Filesize
204KB

MD5
d3aacefde5e1bc4d3aa2b1c4c3db3bf3

SHA1
b2c7ff7b6607146a2e363646f9d6a2d7e15fb6fb

SHA256
5a1c06144135ffad542e418d342a911ffc1aeae33b628f804f9217404622513e

SHA512
0937a86c08f8946e9f4702596010ed229a7816f779f952b662071de22bc36289fb1597839a138a967239de9020123c6c1724ffa5fb271de0ea3965360f1df6e5

Download Submit
C:\Windows\{3347F81E-5FB3-42c8-8C86-E129091C3502}.exe

Filesize
204KB

MD5
f66f537a4773a57e46bd4126ad0c3532

SHA1
04ec7ad316f139630129dd6ca9aa7af9bb67379c

SHA256
0df24c3dd07b08c7ff99c75f090bf3d07058402d99a908a9c11597e439b32838

SHA512
434e61e9d72cb78dc62a846c823cf7205c4387d4eb1afb96a4153fb5278668f66e8a0765d40893dbab44bddf537a9521b4fd219d997a3b3aec61a2f761c37ce5

Download Submit
C:\Windows\{426460EB-90A5-4dbe-B3F8-1D29E57E8446}.exe

Filesize
204KB

MD5
206ca899c45213e3c35c696e03f0ede4

SHA1
d9f8850cae5f6495955f95727939d0fe805b4813

SHA256
e59871756351488e72b4aefe1a50123c6cc1e501ddb9855cc2262de163348b06

SHA512
ebafb0ee8148323e72ead9966b96d696e7ee2d558f11efe5012912e2bf5a3dd361e98b303c501c0596f62d28306d05f8137e61eb83c194cadc5ed4a4b1c8469a

Download Submit
C:\Windows\{749DC158-951D-47f7-88F2-495FF3C77DA0}.exe

Filesize
204KB

MD5
6ea5bbac813c74b4456e1873794e882d

SHA1
61ba1b45deb45f557e1d7e0081b06257037ebb5d

SHA256
71ba5d118cb3e2cc4a0c2a5e845027cb0348090642177ae8e4136e717f8a5130

SHA512
068cf8035c3127e9f6d4579e32eedc82ff73e206b43855295092b6ab6fbfc4e412326e9d69f26d105c4021a98e4e64bde6fc97cd2c540163aa23fd61612fce45

Download Submit
C:\Windows\{B88036E2-478A-416d-A416-71F589CDE826}.exe

Filesize
204KB

MD5
4e9da7db454caae9182c0ea88730dc28

SHA1
0a5d2fec459867c0fab2712ba5a404cb2fd27c99

SHA256
f7713854a42e6f16ed8874f260bbf16b4150ce881134628e390ae374951cadf8

SHA512
1314c40330834a40f8d9f54398000364f4fed938aff571fdaa605a8b20a4bb11e15d4bc052f854caa5a5a0505911e0d50602d3d05fc94b90b762f4af97075d46

Download Submit
C:\Windows\{BB470227-F569-4d92-8385-272CB1019C8F}.exe

Filesize
204KB

MD5
cf37be1e46ab84ffdc224025b0eab6c8

SHA1
0bbf3b561830208d43d78faf2be96cd5589c6771

SHA256
63b57891f411316f3206dfd7fb7856e8e2af834c0173c2fb1ceeb1f27f1171e0

SHA512
7c74e7acdf0e3196b18d42053454618898d37462d7e4d35650b796f574dfb62271f557c9e0121c7ea704871c6494dc39bd87fdc43a0804830914b072dd4b3114

Download Submit
C:\Windows\{C3ED068D-26B5-4e83-B21C-81E32890C8EF}.exe

Filesize
204KB

MD5
5b589a98d56538a19487b5426e33bbb9

SHA1
3451a3ad5e84e6c2eff31e2bc021886a2916db0a

SHA256
c934685fbbcc43611f1eb0314a0f1305b54ae43f49ac86cbf0db248ef4b1d97b

SHA512
bbaa2ac76a042f71e4d680e1beec7b44a190106e58af92fac25da98e2d0ffcf5c568ab79d4fb003dc5c5e6f777dfe1bd217e3637c752f56f93b2e71990e99fdc

Download Submit
C:\Windows\{DB65D1AA-0405-4117-957B-22BC18A7CB1C}.exe

Filesize
204KB

MD5
ff7773046eab2a30ed62bf1d2d571ff5

SHA1
c67ad9e256c06dcc33b6d09519183f48a4ab9151

SHA256
58b12532d82096e00167a927d0028bab6c50218a52257cb75376ba8ae5824d1b

SHA512
af1afa402c863de3d85ea7a0ed09fde60e0df6da95f18e954e6b325d53b329435ec3abdeed9413af61425fc271ed94da201fe0198362886ff685018663ba1f09

Download Submit
C:\Windows\{FB4CAF9C-391F-4139-9940-BF72E8C3CAE9}.exe

Filesize
204KB

MD5
0b5344c5c8c4ddf8d84924c9dd991582

SHA1
515be79c8968b5365b2811b26637c3dca86ab980

SHA256
08ac9fe37fa358380972bdf79e73f4ac4365d4d89415f1d852632b54e3e881a3

SHA512
ea1e91826c1efee9741bb04ea5bdedd2ca386749535bf5bb0bcf9ec64eae9a36e7c8df1ac257ddca6b4f56093316f0f24c4e152b53c5cc5123c32f0f781bf359

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads