c9f5dd48b653ca2f32fef1c9e5b3ccf1f8986ff7bc730631e4254fa3433a62a9

Analysis

max time kernel
144s
max time network
119s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
25/04/2024, 13:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-25_3722f71ee75185e441aacc29015dc6e7_goldeneye.exe
Size

168KB
MD5

3722f71ee75185e441aacc29015dc6e7
SHA1

6f4d20057b72338e805264a01c90b551d768e7c7
SHA256

c9f5dd48b653ca2f32fef1c9e5b3ccf1f8986ff7bc730631e4254fa3433a62a9
SHA512

98208010c164348b18cb1fa55487b6cdc50c1614e1c68964f1936bc7766a10e7da1380d3fa2b62528f8fca6976af4062b248d6a5138003debb6fd48a05fff0e9
SSDEEP

1536:1EGh0ovlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0ovlqOPOe2MUVg3Ve+rX

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000c0000000122fa-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e000000012345-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d0000000122fa-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f000000012345-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0010000000012345-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0011000000012345-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0012000000012345-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6E3EC5ED-63EE-49e8-A91B-C2F19EE7B7AC}	{E79938C7-CA14-409f-B584-F4717B3E12D0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5FF19DC2-35FC-49f5-9784-6C04DB0EEF65}\stubpath = "C:\\Windows\\{5FF19DC2-35FC-49f5-9784-6C04DB0EEF65}.exe"	{6E3EC5ED-63EE-49e8-A91B-C2F19EE7B7AC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7B050F21-7138-4ac9-8C75-9393EE4DFF21}\stubpath = "C:\\Windows\\{7B050F21-7138-4ac9-8C75-9393EE4DFF21}.exe"	{B9863688-48CE-47ca-81FB-6EBF3674CD30}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5FF19DC2-35FC-49f5-9784-6C04DB0EEF65}	{6E3EC5ED-63EE-49e8-A91B-C2F19EE7B7AC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{92C560C6-A9FA-4636-AFDB-C1944DE5627A}	{5FF19DC2-35FC-49f5-9784-6C04DB0EEF65}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8543DB77-F32A-4678-B085-8455BE14D073}\stubpath = "C:\\Windows\\{8543DB77-F32A-4678-B085-8455BE14D073}.exe"	{861D3960-CA6D-4ca4-9517-DC6590568E6C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7B050F21-7138-4ac9-8C75-9393EE4DFF21}	{B9863688-48CE-47ca-81FB-6EBF3674CD30}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E79938C7-CA14-409f-B584-F4717B3E12D0}	2024-04-25_3722f71ee75185e441aacc29015dc6e7_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6E3EC5ED-63EE-49e8-A91B-C2F19EE7B7AC}\stubpath = "C:\\Windows\\{6E3EC5ED-63EE-49e8-A91B-C2F19EE7B7AC}.exe"	{E79938C7-CA14-409f-B584-F4717B3E12D0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A4D7B19F-CB7C-43f8-9241-781DEFF69926}	{92C560C6-A9FA-4636-AFDB-C1944DE5627A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A4D7B19F-CB7C-43f8-9241-781DEFF69926}\stubpath = "C:\\Windows\\{A4D7B19F-CB7C-43f8-9241-781DEFF69926}.exe"	{92C560C6-A9FA-4636-AFDB-C1944DE5627A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F318AA4E-1C5E-4281-B985-09C654A4DBB4}\stubpath = "C:\\Windows\\{F318AA4E-1C5E-4281-B985-09C654A4DBB4}.exe"	{A4D7B19F-CB7C-43f8-9241-781DEFF69926}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{861D3960-CA6D-4ca4-9517-DC6590568E6C}\stubpath = "C:\\Windows\\{861D3960-CA6D-4ca4-9517-DC6590568E6C}.exe"	{F318AA4E-1C5E-4281-B985-09C654A4DBB4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8543DB77-F32A-4678-B085-8455BE14D073}	{861D3960-CA6D-4ca4-9517-DC6590568E6C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B9863688-48CE-47ca-81FB-6EBF3674CD30}	{8543DB77-F32A-4678-B085-8455BE14D073}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6BA221C8-A3FC-474f-825C-F5B61CDC9238}	{7B050F21-7138-4ac9-8C75-9393EE4DFF21}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E79938C7-CA14-409f-B584-F4717B3E12D0}\stubpath = "C:\\Windows\\{E79938C7-CA14-409f-B584-F4717B3E12D0}.exe"	2024-04-25_3722f71ee75185e441aacc29015dc6e7_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{92C560C6-A9FA-4636-AFDB-C1944DE5627A}\stubpath = "C:\\Windows\\{92C560C6-A9FA-4636-AFDB-C1944DE5627A}.exe"	{5FF19DC2-35FC-49f5-9784-6C04DB0EEF65}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F318AA4E-1C5E-4281-B985-09C654A4DBB4}	{A4D7B19F-CB7C-43f8-9241-781DEFF69926}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{861D3960-CA6D-4ca4-9517-DC6590568E6C}	{F318AA4E-1C5E-4281-B985-09C654A4DBB4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B9863688-48CE-47ca-81FB-6EBF3674CD30}\stubpath = "C:\\Windows\\{B9863688-48CE-47ca-81FB-6EBF3674CD30}.exe"	{8543DB77-F32A-4678-B085-8455BE14D073}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6BA221C8-A3FC-474f-825C-F5B61CDC9238}\stubpath = "C:\\Windows\\{6BA221C8-A3FC-474f-825C-F5B61CDC9238}.exe"	{7B050F21-7138-4ac9-8C75-9393EE4DFF21}.exe

Deletes itself 1 IoCs

pid	Process
2540	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2520	{E79938C7-CA14-409f-B584-F4717B3E12D0}.exe
2748	{6E3EC5ED-63EE-49e8-A91B-C2F19EE7B7AC}.exe
2456	{5FF19DC2-35FC-49f5-9784-6C04DB0EEF65}.exe
2580	{92C560C6-A9FA-4636-AFDB-C1944DE5627A}.exe
2732	{A4D7B19F-CB7C-43f8-9241-781DEFF69926}.exe
404	{F318AA4E-1C5E-4281-B985-09C654A4DBB4}.exe
932	{861D3960-CA6D-4ca4-9517-DC6590568E6C}.exe
2032	{8543DB77-F32A-4678-B085-8455BE14D073}.exe
2068	{B9863688-48CE-47ca-81FB-6EBF3674CD30}.exe
268	{7B050F21-7138-4ac9-8C75-9393EE4DFF21}.exe
980	{6BA221C8-A3FC-474f-825C-F5B61CDC9238}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{E79938C7-CA14-409f-B584-F4717B3E12D0}.exe	2024-04-25_3722f71ee75185e441aacc29015dc6e7_goldeneye.exe
File created	C:\Windows\{5FF19DC2-35FC-49f5-9784-6C04DB0EEF65}.exe	{6E3EC5ED-63EE-49e8-A91B-C2F19EE7B7AC}.exe
File created	C:\Windows\{F318AA4E-1C5E-4281-B985-09C654A4DBB4}.exe	{A4D7B19F-CB7C-43f8-9241-781DEFF69926}.exe
File created	C:\Windows\{7B050F21-7138-4ac9-8C75-9393EE4DFF21}.exe	{B9863688-48CE-47ca-81FB-6EBF3674CD30}.exe
File created	C:\Windows\{6BA221C8-A3FC-474f-825C-F5B61CDC9238}.exe	{7B050F21-7138-4ac9-8C75-9393EE4DFF21}.exe
File created	C:\Windows\{B9863688-48CE-47ca-81FB-6EBF3674CD30}.exe	{8543DB77-F32A-4678-B085-8455BE14D073}.exe
File created	C:\Windows\{6E3EC5ED-63EE-49e8-A91B-C2F19EE7B7AC}.exe	{E79938C7-CA14-409f-B584-F4717B3E12D0}.exe
File created	C:\Windows\{92C560C6-A9FA-4636-AFDB-C1944DE5627A}.exe	{5FF19DC2-35FC-49f5-9784-6C04DB0EEF65}.exe
File created	C:\Windows\{A4D7B19F-CB7C-43f8-9241-781DEFF69926}.exe	{92C560C6-A9FA-4636-AFDB-C1944DE5627A}.exe
File created	C:\Windows\{861D3960-CA6D-4ca4-9517-DC6590568E6C}.exe	{F318AA4E-1C5E-4281-B985-09C654A4DBB4}.exe
File created	C:\Windows\{8543DB77-F32A-4678-B085-8455BE14D073}.exe	{861D3960-CA6D-4ca4-9517-DC6590568E6C}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2876	2024-04-25_3722f71ee75185e441aacc29015dc6e7_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2520	{E79938C7-CA14-409f-B584-F4717B3E12D0}.exe
Token: SeIncBasePriorityPrivilege	2748	{6E3EC5ED-63EE-49e8-A91B-C2F19EE7B7AC}.exe
Token: SeIncBasePriorityPrivilege	2456	{5FF19DC2-35FC-49f5-9784-6C04DB0EEF65}.exe
Token: SeIncBasePriorityPrivilege	2580	{92C560C6-A9FA-4636-AFDB-C1944DE5627A}.exe
Token: SeIncBasePriorityPrivilege	2732	{A4D7B19F-CB7C-43f8-9241-781DEFF69926}.exe
Token: SeIncBasePriorityPrivilege	404	{F318AA4E-1C5E-4281-B985-09C654A4DBB4}.exe
Token: SeIncBasePriorityPrivilege	932	{861D3960-CA6D-4ca4-9517-DC6590568E6C}.exe
Token: SeIncBasePriorityPrivilege	2032	{8543DB77-F32A-4678-B085-8455BE14D073}.exe
Token: SeIncBasePriorityPrivilege	2068	{B9863688-48CE-47ca-81FB-6EBF3674CD30}.exe
Token: SeIncBasePriorityPrivilege	268	{7B050F21-7138-4ac9-8C75-9393EE4DFF21}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2876 wrote to memory of 2520	2876	2024-04-25_3722f71ee75185e441aacc29015dc6e7_goldeneye.exe	28
PID 2876 wrote to memory of 2520	2876	2024-04-25_3722f71ee75185e441aacc29015dc6e7_goldeneye.exe	28
PID 2876 wrote to memory of 2520	2876	2024-04-25_3722f71ee75185e441aacc29015dc6e7_goldeneye.exe	28
PID 2876 wrote to memory of 2520	2876	2024-04-25_3722f71ee75185e441aacc29015dc6e7_goldeneye.exe	28
PID 2876 wrote to memory of 2540	2876	2024-04-25_3722f71ee75185e441aacc29015dc6e7_goldeneye.exe	29
PID 2876 wrote to memory of 2540	2876	2024-04-25_3722f71ee75185e441aacc29015dc6e7_goldeneye.exe	29
PID 2876 wrote to memory of 2540	2876	2024-04-25_3722f71ee75185e441aacc29015dc6e7_goldeneye.exe	29
PID 2876 wrote to memory of 2540	2876	2024-04-25_3722f71ee75185e441aacc29015dc6e7_goldeneye.exe	29
PID 2520 wrote to memory of 2748	2520	{E79938C7-CA14-409f-B584-F4717B3E12D0}.exe	30
PID 2520 wrote to memory of 2748	2520	{E79938C7-CA14-409f-B584-F4717B3E12D0}.exe	30
PID 2520 wrote to memory of 2748	2520	{E79938C7-CA14-409f-B584-F4717B3E12D0}.exe	30
PID 2520 wrote to memory of 2748	2520	{E79938C7-CA14-409f-B584-F4717B3E12D0}.exe	30
PID 2520 wrote to memory of 2680	2520	{E79938C7-CA14-409f-B584-F4717B3E12D0}.exe	31
PID 2520 wrote to memory of 2680	2520	{E79938C7-CA14-409f-B584-F4717B3E12D0}.exe	31
PID 2520 wrote to memory of 2680	2520	{E79938C7-CA14-409f-B584-F4717B3E12D0}.exe	31
PID 2520 wrote to memory of 2680	2520	{E79938C7-CA14-409f-B584-F4717B3E12D0}.exe	31
PID 2748 wrote to memory of 2456	2748	{6E3EC5ED-63EE-49e8-A91B-C2F19EE7B7AC}.exe	32
PID 2748 wrote to memory of 2456	2748	{6E3EC5ED-63EE-49e8-A91B-C2F19EE7B7AC}.exe	32
PID 2748 wrote to memory of 2456	2748	{6E3EC5ED-63EE-49e8-A91B-C2F19EE7B7AC}.exe	32
PID 2748 wrote to memory of 2456	2748	{6E3EC5ED-63EE-49e8-A91B-C2F19EE7B7AC}.exe	32
PID 2748 wrote to memory of 2584	2748	{6E3EC5ED-63EE-49e8-A91B-C2F19EE7B7AC}.exe	33
PID 2748 wrote to memory of 2584	2748	{6E3EC5ED-63EE-49e8-A91B-C2F19EE7B7AC}.exe	33
PID 2748 wrote to memory of 2584	2748	{6E3EC5ED-63EE-49e8-A91B-C2F19EE7B7AC}.exe	33
PID 2748 wrote to memory of 2584	2748	{6E3EC5ED-63EE-49e8-A91B-C2F19EE7B7AC}.exe	33
PID 2456 wrote to memory of 2580	2456	{5FF19DC2-35FC-49f5-9784-6C04DB0EEF65}.exe	34
PID 2456 wrote to memory of 2580	2456	{5FF19DC2-35FC-49f5-9784-6C04DB0EEF65}.exe	34
PID 2456 wrote to memory of 2580	2456	{5FF19DC2-35FC-49f5-9784-6C04DB0EEF65}.exe	34
PID 2456 wrote to memory of 2580	2456	{5FF19DC2-35FC-49f5-9784-6C04DB0EEF65}.exe	34
PID 2456 wrote to memory of 2832	2456	{5FF19DC2-35FC-49f5-9784-6C04DB0EEF65}.exe	35
PID 2456 wrote to memory of 2832	2456	{5FF19DC2-35FC-49f5-9784-6C04DB0EEF65}.exe	35
PID 2456 wrote to memory of 2832	2456	{5FF19DC2-35FC-49f5-9784-6C04DB0EEF65}.exe	35
PID 2456 wrote to memory of 2832	2456	{5FF19DC2-35FC-49f5-9784-6C04DB0EEF65}.exe	35
PID 2580 wrote to memory of 2732	2580	{92C560C6-A9FA-4636-AFDB-C1944DE5627A}.exe	38
PID 2580 wrote to memory of 2732	2580	{92C560C6-A9FA-4636-AFDB-C1944DE5627A}.exe	38
PID 2580 wrote to memory of 2732	2580	{92C560C6-A9FA-4636-AFDB-C1944DE5627A}.exe	38
PID 2580 wrote to memory of 2732	2580	{92C560C6-A9FA-4636-AFDB-C1944DE5627A}.exe	38
PID 2580 wrote to memory of 2844	2580	{92C560C6-A9FA-4636-AFDB-C1944DE5627A}.exe	39
PID 2580 wrote to memory of 2844	2580	{92C560C6-A9FA-4636-AFDB-C1944DE5627A}.exe	39
PID 2580 wrote to memory of 2844	2580	{92C560C6-A9FA-4636-AFDB-C1944DE5627A}.exe	39
PID 2580 wrote to memory of 2844	2580	{92C560C6-A9FA-4636-AFDB-C1944DE5627A}.exe	39
PID 2732 wrote to memory of 404	2732	{A4D7B19F-CB7C-43f8-9241-781DEFF69926}.exe	40
PID 2732 wrote to memory of 404	2732	{A4D7B19F-CB7C-43f8-9241-781DEFF69926}.exe	40
PID 2732 wrote to memory of 404	2732	{A4D7B19F-CB7C-43f8-9241-781DEFF69926}.exe	40
PID 2732 wrote to memory of 404	2732	{A4D7B19F-CB7C-43f8-9241-781DEFF69926}.exe	40
PID 2732 wrote to memory of 2316	2732	{A4D7B19F-CB7C-43f8-9241-781DEFF69926}.exe	41
PID 2732 wrote to memory of 2316	2732	{A4D7B19F-CB7C-43f8-9241-781DEFF69926}.exe	41
PID 2732 wrote to memory of 2316	2732	{A4D7B19F-CB7C-43f8-9241-781DEFF69926}.exe	41
PID 2732 wrote to memory of 2316	2732	{A4D7B19F-CB7C-43f8-9241-781DEFF69926}.exe	41
PID 404 wrote to memory of 932	404	{F318AA4E-1C5E-4281-B985-09C654A4DBB4}.exe	42
PID 404 wrote to memory of 932	404	{F318AA4E-1C5E-4281-B985-09C654A4DBB4}.exe	42
PID 404 wrote to memory of 932	404	{F318AA4E-1C5E-4281-B985-09C654A4DBB4}.exe	42
PID 404 wrote to memory of 932	404	{F318AA4E-1C5E-4281-B985-09C654A4DBB4}.exe	42
PID 404 wrote to memory of 1456	404	{F318AA4E-1C5E-4281-B985-09C654A4DBB4}.exe	43
PID 404 wrote to memory of 1456	404	{F318AA4E-1C5E-4281-B985-09C654A4DBB4}.exe	43
PID 404 wrote to memory of 1456	404	{F318AA4E-1C5E-4281-B985-09C654A4DBB4}.exe	43
PID 404 wrote to memory of 1456	404	{F318AA4E-1C5E-4281-B985-09C654A4DBB4}.exe	43
PID 932 wrote to memory of 2032	932	{861D3960-CA6D-4ca4-9517-DC6590568E6C}.exe	44
PID 932 wrote to memory of 2032	932	{861D3960-CA6D-4ca4-9517-DC6590568E6C}.exe	44
PID 932 wrote to memory of 2032	932	{861D3960-CA6D-4ca4-9517-DC6590568E6C}.exe	44
PID 932 wrote to memory of 2032	932	{861D3960-CA6D-4ca4-9517-DC6590568E6C}.exe	44
PID 932 wrote to memory of 1704	932	{861D3960-CA6D-4ca4-9517-DC6590568E6C}.exe	45
PID 932 wrote to memory of 1704	932	{861D3960-CA6D-4ca4-9517-DC6590568E6C}.exe	45
PID 932 wrote to memory of 1704	932	{861D3960-CA6D-4ca4-9517-DC6590568E6C}.exe	45
PID 932 wrote to memory of 1704	932	{861D3960-CA6D-4ca4-9517-DC6590568E6C}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-04-25_3722f71ee75185e441aacc29015dc6e7_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-25_3722f71ee75185e441aacc29015dc6e7_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2876
- C:\Windows\{E79938C7-CA14-409f-B584-F4717B3E12D0}.exe
  C:\Windows\{E79938C7-CA14-409f-B584-F4717B3E12D0}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2520
- - C:\Windows\{6E3EC5ED-63EE-49e8-A91B-C2F19EE7B7AC}.exe
    C:\Windows\{6E3EC5ED-63EE-49e8-A91B-C2F19EE7B7AC}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2748
  - - C:\Windows\{5FF19DC2-35FC-49f5-9784-6C04DB0EEF65}.exe
      C:\Windows\{5FF19DC2-35FC-49f5-9784-6C04DB0EEF65}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2456
    - - C:\Windows\{92C560C6-A9FA-4636-AFDB-C1944DE5627A}.exe
        
        C:\Windows\{92C560C6-A9FA-4636-AFDB-C1944DE5627A}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2580
      - C:\Windows\{A4D7B19F-CB7C-43f8-9241-781DEFF69926}.exe
        
        C:\Windows\{A4D7B19F-CB7C-43f8-9241-781DEFF69926}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2732
        
        C:\Windows\{F318AA4E-1C5E-4281-B985-09C654A4DBB4}.exe
        
        C:\Windows\{F318AA4E-1C5E-4281-B985-09C654A4DBB4}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:404
        
        C:\Windows\{861D3960-CA6D-4ca4-9517-DC6590568E6C}.exe
        
        C:\Windows\{861D3960-CA6D-4ca4-9517-DC6590568E6C}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:932
        
        C:\Windows\{8543DB77-F32A-4678-B085-8455BE14D073}.exe
        
        C:\Windows\{8543DB77-F32A-4678-B085-8455BE14D073}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2032
        
        C:\Windows\{B9863688-48CE-47ca-81FB-6EBF3674CD30}.exe
        
        C:\Windows\{B9863688-48CE-47ca-81FB-6EBF3674CD30}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2068
        
        C:\Windows\{7B050F21-7138-4ac9-8C75-9393EE4DFF21}.exe
        
        C:\Windows\{7B050F21-7138-4ac9-8C75-9393EE4DFF21}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:268
        
        C:\Windows\{6BA221C8-A3FC-474f-825C-F5B61CDC9238}.exe
        
        C:\Windows\{6BA221C8-A3FC-474f-825C-F5B61CDC9238}.exe
        12⤵
        Executes dropped EXE
        
        PID:980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7B050~1.EXE > nul
        12⤵
        
        PID:1000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B9863~1.EXE > nul
        11⤵
        
        PID:716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8543D~1.EXE > nul
        10⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{861D3~1.EXE > nul
        9⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F318A~1.EXE > nul
        8⤵
        
        PID:1456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A4D7B~1.EXE > nul
        7⤵
        
        PID:2316
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{92C56~1.EXE > nul
        6⤵
        
        PID:2844
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5FF19~1.EXE > nul
        5⤵
        
        PID:2832
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{6E3EC~1.EXE > nul
      4⤵
      PID:2584
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{E7993~1.EXE > nul
    3⤵
    PID:2680
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{5FF19DC2-35FC-49f5-9784-6C04DB0EEF65}.exe

Filesize
168KB

MD5
c13bb5179fe96470e70ef81afecb24fe

SHA1
fd057ea1deea399d058f8c389373af13aa3261e4

SHA256
35b1d526370d71f0aefda8b8cf1136e06dbcc74f3e8813ec6db5d6349947bf96

SHA512
b0eaf6065eef9d20756fbbf957ccac70e755cc8c624700da3a5e9b035f203afb1bc7275947f1b139554363431188da898a59a519f25af8e2c55ffe61c57d7330

Download Submit
C:\Windows\{6BA221C8-A3FC-474f-825C-F5B61CDC9238}.exe

Filesize
168KB

MD5
65dda5cfae0489904c6d4261af32cafd

SHA1
b88d3cc4912c5fbd05ad6f4f6e38e0c2fbb5620d

SHA256
09cc7aa17b19d9977107540a93a4ed8399e0c7e7d410cb773857f0f82113e40c

SHA512
8b47a524bd9ada13e3a352c188f6e62d31b4edc1522bdffdcb4b7661735184be6da953ca24947f2cea9b06fa1ad81dd75a63b516b889404898224573b3b0c3a9

Download Submit
C:\Windows\{6E3EC5ED-63EE-49e8-A91B-C2F19EE7B7AC}.exe

Filesize
168KB

MD5
32c0d09f7c3b4402e05def41d7a3985d

SHA1
63b4d0513b100312212ac7e0dd309bb884b8711d

SHA256
52c9f6dd636fea1a3c49ea86a18e42bee3f9ef871291577e1a71a659816249e5

SHA512
626252ce959949433807482a67150cb32775e10132f11f4000a1e7a9574ffdfaa853f2800eb3f9e5f6e5a50b58dff891750fe12367be23b0a4d66992faad1c8f

Download Submit
C:\Windows\{7B050F21-7138-4ac9-8C75-9393EE4DFF21}.exe

Filesize
168KB

MD5
7bc612035c32411a56ed0c19e432d068

SHA1
65b66ec6927b304b57d799b4a02f28317acd3dde

SHA256
377a827de764432adf451ee8284064094d933c70dedcacf2e52f918271a9dce5

SHA512
4c6a4e72652cf9843239dd09da378ce48a203e2ab7a3de83886a0f36f29815dfd1ec16c773f7c796bf7699b37b80c739821ef888908deb70b02319d10d155d1a

Download Submit
C:\Windows\{8543DB77-F32A-4678-B085-8455BE14D073}.exe

Filesize
168KB

MD5
639f68e3b27e29d2742d967db508c562

SHA1
43ee6314b5c8c297d3a73d6a83c4480421160876

SHA256
7b9c11c269195ddb1d18ed240954defb7cfa1a0456c30db6f1c8068e8460fc5f

SHA512
c6b01e994091694803469f5a84ad8a3a7ad17a0ae8ad8e15cce7f13c508f901c1094934e986eb6167bc6903c6ac741ef4b7fe36241949035e15a6763ae1c4cae

Download Submit
C:\Windows\{861D3960-CA6D-4ca4-9517-DC6590568E6C}.exe

Filesize
168KB

MD5
d31bbfb03f83dd7088b3855dbf93385e

SHA1
101a124ec4654f9cc5dca240256c870d56574e2b

SHA256
fac7902fd930de6cdf1c3b7f23966789949b9d012a05690dce476b2c711c1575

SHA512
40eef2c5d099f49ca9b80c266c9664ac9f32479c29816ae6bfa936ef1df47e61b7f61fc0968517eb61077642b64ebeeec4430b3ad49742bd31d57f0042c711e6

Download Submit
C:\Windows\{92C560C6-A9FA-4636-AFDB-C1944DE5627A}.exe

Filesize
168KB

MD5
efe438ff4f1a0a85ee87891dbaf56a6c

SHA1
9fc8abce902f54cddb93eb882e2c3f71b673f2b7

SHA256
cab3979b1af255d1c45cb960af3aabcfb3218df25de407a94678e9b77092f308

SHA512
60d87d3a6b3f10f1b11e3b9b2edf7a15b10ff174b88d66f4dfd6646b366ed925e6a11d2e9ffe73b17c7e97bc047ccfaab86e3a301cd3922fdec016aacb7681a4

Download Submit
C:\Windows\{A4D7B19F-CB7C-43f8-9241-781DEFF69926}.exe

Filesize
168KB

MD5
fada312d9709eeddba7013ff0e3d40ed

SHA1
90277f432aa2158cb8424bfed603b82859b2ece8

SHA256
f3afc254223812f0cb7d0c0429e5213759245ae27f02b589398cd40b59c425eb

SHA512
451bd92a70a664becc6d3c838634d3bb0c12240978dcfe5fcdc27a079b1d8bb6eee60215ebe66ad9c3cd0b2ae30d05aec946e209f0fa97883aaa3c7f7917f0f6

Download Submit
C:\Windows\{B9863688-48CE-47ca-81FB-6EBF3674CD30}.exe

Filesize
168KB

MD5
eafee9bf8fa551a97cbdfaa818e7b8db

SHA1
85a6f5e3a3aee79b056815e2d1b3dd967a65b844

SHA256
9d944c053be071224ae37efafa483f01e26462a2f7c443c81f3b1c011ecc7717

SHA512
8fa79dda61add726b98cd1fb01c60fc152cb8e594d7bd8fd76e50468e8e234b81fc8f78bc9f4f9fb2929447023af7d92e775f791998a508b5e886cff86348cc7

Download Submit
C:\Windows\{E79938C7-CA14-409f-B584-F4717B3E12D0}.exe

Filesize
168KB

MD5
018da3107b7771d07b227b8e5756fa6f

SHA1
67874136f9673849b8cde173c8d1d77ed2c3ccb1

SHA256
b522bf2b36668afa0571ccb33ab8f5221a5f16c685de9837582ef73b8e46144d

SHA512
4bf364c25c6004469db7ab8f5f7d7cb41a808391c54e8d97d0339a283a52c467acdd85548a4cedc2e402ecbb6f56f1306e09e765c14c36995929bf0f66709e80

Download Submit
C:\Windows\{F318AA4E-1C5E-4281-B985-09C654A4DBB4}.exe

Filesize
168KB

MD5
b5737a66044329a10515e4bb8bd4788a

SHA1
7621b0799f3c4b63c1349aa1b67214f55e2b9456

SHA256
fc1060b2c259f6fc53d5df36f973ee1735c28d83bcc5ce39eebf856fb85e18ae

SHA512
f0372fdcc43a4c7c30be1b5509cb1219f0f4c8d7325cf84157056578b29178c4ebb7e4d29f6af8aea4d5a56a0634ee5e0f8c10da13e16b1f949626d6d0aab32d

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads