10d8516c2cd4b5ad123fa7af70110e95e94dffc037d2c6c7a7957d6088eb462d

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
29/04/2024, 17:34

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-04-29_4c435e98215bb9f0742fc1bf1136b642_goldeneye.exe
Size

344KB
MD5

4c435e98215bb9f0742fc1bf1136b642
SHA1

f268d679c2fce6b8d86045fc8d52577ec381582e
SHA256

10d8516c2cd4b5ad123fa7af70110e95e94dffc037d2c6c7a7957d6088eb462d
SHA512

1ba4b7ab531d23b30e6d6a78a6a0971bd75a1d14d9c61ebda88b56265f2904c0f840a0d3d27d62e84e7dc62e4553375f832e79d7efef0fef5da50616e3c4dba2
SSDEEP

3072:mEGh0o/lEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEG9lqOe2MUVg3v2IneKcAEcA

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000c00000001441e-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f00000000f680-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d00000001441e-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001000000000f680-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e00000001441e-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001100000000f680-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f00000001441e-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001200000000f680-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001000000001441e-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001300000000f680-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001100000001441e-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CDEF053A-BE7B-4d45-A60D-48FF5F1BFEFB}\stubpath = "C:\\Windows\\{CDEF053A-BE7B-4d45-A60D-48FF5F1BFEFB}.exe"	{7EC161DD-61E0-4034-A876-ECEFD5056788}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DDAFFF45-6E72-4304-995E-2DD0397429D3}	{CDEF053A-BE7B-4d45-A60D-48FF5F1BFEFB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DDAFFF45-6E72-4304-995E-2DD0397429D3}\stubpath = "C:\\Windows\\{DDAFFF45-6E72-4304-995E-2DD0397429D3}.exe"	{CDEF053A-BE7B-4d45-A60D-48FF5F1BFEFB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{37976A2A-16EE-450d-8931-D9D54C48FB9C}	{8C6C1CA3-CFAE-4930-BC06-0AC5A8701456}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6EEBBF84-5DB1-48e9-B265-BE5FEF2045AD}	{7776B791-026D-4fcb-A500-A4FC32332256}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7EC161DD-61E0-4034-A876-ECEFD5056788}	2024-04-29_4c435e98215bb9f0742fc1bf1136b642_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C31D5B97-9714-4209-8C64-C8D8839E2CEC}	{DDAFFF45-6E72-4304-995E-2DD0397429D3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C31D5B97-9714-4209-8C64-C8D8839E2CEC}\stubpath = "C:\\Windows\\{C31D5B97-9714-4209-8C64-C8D8839E2CEC}.exe"	{DDAFFF45-6E72-4304-995E-2DD0397429D3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7495B4D2-CDAA-43c7-8029-34E022C534C8}\stubpath = "C:\\Windows\\{7495B4D2-CDAA-43c7-8029-34E022C534C8}.exe"	{C31D5B97-9714-4209-8C64-C8D8839E2CEC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8C6C1CA3-CFAE-4930-BC06-0AC5A8701456}	{7495B4D2-CDAA-43c7-8029-34E022C534C8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7776B791-026D-4fcb-A500-A4FC32332256}	{37976A2A-16EE-450d-8931-D9D54C48FB9C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DE5B9B7E-73E4-457d-A4B1-DB55BDDBB04B}\stubpath = "C:\\Windows\\{DE5B9B7E-73E4-457d-A4B1-DB55BDDBB04B}.exe"	{05DC00F7-1257-4f36-BF74-D1F78846B6FF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CDEF053A-BE7B-4d45-A60D-48FF5F1BFEFB}	{7EC161DD-61E0-4034-A876-ECEFD5056788}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7495B4D2-CDAA-43c7-8029-34E022C534C8}	{C31D5B97-9714-4209-8C64-C8D8839E2CEC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8C6C1CA3-CFAE-4930-BC06-0AC5A8701456}\stubpath = "C:\\Windows\\{8C6C1CA3-CFAE-4930-BC06-0AC5A8701456}.exe"	{7495B4D2-CDAA-43c7-8029-34E022C534C8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{37976A2A-16EE-450d-8931-D9D54C48FB9C}\stubpath = "C:\\Windows\\{37976A2A-16EE-450d-8931-D9D54C48FB9C}.exe"	{8C6C1CA3-CFAE-4930-BC06-0AC5A8701456}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7776B791-026D-4fcb-A500-A4FC32332256}\stubpath = "C:\\Windows\\{7776B791-026D-4fcb-A500-A4FC32332256}.exe"	{37976A2A-16EE-450d-8931-D9D54C48FB9C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6EEBBF84-5DB1-48e9-B265-BE5FEF2045AD}\stubpath = "C:\\Windows\\{6EEBBF84-5DB1-48e9-B265-BE5FEF2045AD}.exe"	{7776B791-026D-4fcb-A500-A4FC32332256}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{05DC00F7-1257-4f36-BF74-D1F78846B6FF}\stubpath = "C:\\Windows\\{05DC00F7-1257-4f36-BF74-D1F78846B6FF}.exe"	{6EEBBF84-5DB1-48e9-B265-BE5FEF2045AD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DE5B9B7E-73E4-457d-A4B1-DB55BDDBB04B}	{05DC00F7-1257-4f36-BF74-D1F78846B6FF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7EC161DD-61E0-4034-A876-ECEFD5056788}\stubpath = "C:\\Windows\\{7EC161DD-61E0-4034-A876-ECEFD5056788}.exe"	2024-04-29_4c435e98215bb9f0742fc1bf1136b642_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{05DC00F7-1257-4f36-BF74-D1F78846B6FF}	{6EEBBF84-5DB1-48e9-B265-BE5FEF2045AD}.exe

Deletes itself 1 IoCs

pid	Process
2332	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2192	{7EC161DD-61E0-4034-A876-ECEFD5056788}.exe
3040	{CDEF053A-BE7B-4d45-A60D-48FF5F1BFEFB}.exe
2580	{DDAFFF45-6E72-4304-995E-2DD0397429D3}.exe
2412	{C31D5B97-9714-4209-8C64-C8D8839E2CEC}.exe
2380	{7495B4D2-CDAA-43c7-8029-34E022C534C8}.exe
2864	{8C6C1CA3-CFAE-4930-BC06-0AC5A8701456}.exe
948	{37976A2A-16EE-450d-8931-D9D54C48FB9C}.exe
1716	{7776B791-026D-4fcb-A500-A4FC32332256}.exe
632	{6EEBBF84-5DB1-48e9-B265-BE5FEF2045AD}.exe
336	{05DC00F7-1257-4f36-BF74-D1F78846B6FF}.exe
1128	{DE5B9B7E-73E4-457d-A4B1-DB55BDDBB04B}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{C31D5B97-9714-4209-8C64-C8D8839E2CEC}.exe	{DDAFFF45-6E72-4304-995E-2DD0397429D3}.exe
File created	C:\Windows\{37976A2A-16EE-450d-8931-D9D54C48FB9C}.exe	{8C6C1CA3-CFAE-4930-BC06-0AC5A8701456}.exe
File created	C:\Windows\{05DC00F7-1257-4f36-BF74-D1F78846B6FF}.exe	{6EEBBF84-5DB1-48e9-B265-BE5FEF2045AD}.exe
File created	C:\Windows\{DE5B9B7E-73E4-457d-A4B1-DB55BDDBB04B}.exe	{05DC00F7-1257-4f36-BF74-D1F78846B6FF}.exe
File created	C:\Windows\{DDAFFF45-6E72-4304-995E-2DD0397429D3}.exe	{CDEF053A-BE7B-4d45-A60D-48FF5F1BFEFB}.exe
File created	C:\Windows\{CDEF053A-BE7B-4d45-A60D-48FF5F1BFEFB}.exe	{7EC161DD-61E0-4034-A876-ECEFD5056788}.exe
File created	C:\Windows\{7495B4D2-CDAA-43c7-8029-34E022C534C8}.exe	{C31D5B97-9714-4209-8C64-C8D8839E2CEC}.exe
File created	C:\Windows\{8C6C1CA3-CFAE-4930-BC06-0AC5A8701456}.exe	{7495B4D2-CDAA-43c7-8029-34E022C534C8}.exe
File created	C:\Windows\{7776B791-026D-4fcb-A500-A4FC32332256}.exe	{37976A2A-16EE-450d-8931-D9D54C48FB9C}.exe
File created	C:\Windows\{6EEBBF84-5DB1-48e9-B265-BE5FEF2045AD}.exe	{7776B791-026D-4fcb-A500-A4FC32332256}.exe
File created	C:\Windows\{7EC161DD-61E0-4034-A876-ECEFD5056788}.exe	2024-04-29_4c435e98215bb9f0742fc1bf1136b642_goldeneye.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2220	2024-04-29_4c435e98215bb9f0742fc1bf1136b642_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2192	{7EC161DD-61E0-4034-A876-ECEFD5056788}.exe
Token: SeIncBasePriorityPrivilege	3040	{CDEF053A-BE7B-4d45-A60D-48FF5F1BFEFB}.exe
Token: SeIncBasePriorityPrivilege	2580	{DDAFFF45-6E72-4304-995E-2DD0397429D3}.exe
Token: SeIncBasePriorityPrivilege	2412	{C31D5B97-9714-4209-8C64-C8D8839E2CEC}.exe
Token: SeIncBasePriorityPrivilege	2380	{7495B4D2-CDAA-43c7-8029-34E022C534C8}.exe
Token: SeIncBasePriorityPrivilege	2864	{8C6C1CA3-CFAE-4930-BC06-0AC5A8701456}.exe
Token: SeIncBasePriorityPrivilege	948	{37976A2A-16EE-450d-8931-D9D54C48FB9C}.exe
Token: SeIncBasePriorityPrivilege	1716	{7776B791-026D-4fcb-A500-A4FC32332256}.exe
Token: SeIncBasePriorityPrivilege	632	{6EEBBF84-5DB1-48e9-B265-BE5FEF2045AD}.exe
Token: SeIncBasePriorityPrivilege	336	{05DC00F7-1257-4f36-BF74-D1F78846B6FF}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2220 wrote to memory of 2192	2220	2024-04-29_4c435e98215bb9f0742fc1bf1136b642_goldeneye.exe	28
PID 2220 wrote to memory of 2192	2220	2024-04-29_4c435e98215bb9f0742fc1bf1136b642_goldeneye.exe	28
PID 2220 wrote to memory of 2192	2220	2024-04-29_4c435e98215bb9f0742fc1bf1136b642_goldeneye.exe	28
PID 2220 wrote to memory of 2192	2220	2024-04-29_4c435e98215bb9f0742fc1bf1136b642_goldeneye.exe	28
PID 2220 wrote to memory of 2332	2220	2024-04-29_4c435e98215bb9f0742fc1bf1136b642_goldeneye.exe	29
PID 2220 wrote to memory of 2332	2220	2024-04-29_4c435e98215bb9f0742fc1bf1136b642_goldeneye.exe	29
PID 2220 wrote to memory of 2332	2220	2024-04-29_4c435e98215bb9f0742fc1bf1136b642_goldeneye.exe	29
PID 2220 wrote to memory of 2332	2220	2024-04-29_4c435e98215bb9f0742fc1bf1136b642_goldeneye.exe	29
PID 2192 wrote to memory of 3040	2192	{7EC161DD-61E0-4034-A876-ECEFD5056788}.exe	32
PID 2192 wrote to memory of 3040	2192	{7EC161DD-61E0-4034-A876-ECEFD5056788}.exe	32
PID 2192 wrote to memory of 3040	2192	{7EC161DD-61E0-4034-A876-ECEFD5056788}.exe	32
PID 2192 wrote to memory of 3040	2192	{7EC161DD-61E0-4034-A876-ECEFD5056788}.exe	32
PID 2192 wrote to memory of 2488	2192	{7EC161DD-61E0-4034-A876-ECEFD5056788}.exe	33
PID 2192 wrote to memory of 2488	2192	{7EC161DD-61E0-4034-A876-ECEFD5056788}.exe	33
PID 2192 wrote to memory of 2488	2192	{7EC161DD-61E0-4034-A876-ECEFD5056788}.exe	33
PID 2192 wrote to memory of 2488	2192	{7EC161DD-61E0-4034-A876-ECEFD5056788}.exe	33
PID 3040 wrote to memory of 2580	3040	{CDEF053A-BE7B-4d45-A60D-48FF5F1BFEFB}.exe	34
PID 3040 wrote to memory of 2580	3040	{CDEF053A-BE7B-4d45-A60D-48FF5F1BFEFB}.exe	34
PID 3040 wrote to memory of 2580	3040	{CDEF053A-BE7B-4d45-A60D-48FF5F1BFEFB}.exe	34
PID 3040 wrote to memory of 2580	3040	{CDEF053A-BE7B-4d45-A60D-48FF5F1BFEFB}.exe	34
PID 3040 wrote to memory of 2772	3040	{CDEF053A-BE7B-4d45-A60D-48FF5F1BFEFB}.exe	35
PID 3040 wrote to memory of 2772	3040	{CDEF053A-BE7B-4d45-A60D-48FF5F1BFEFB}.exe	35
PID 3040 wrote to memory of 2772	3040	{CDEF053A-BE7B-4d45-A60D-48FF5F1BFEFB}.exe	35
PID 3040 wrote to memory of 2772	3040	{CDEF053A-BE7B-4d45-A60D-48FF5F1BFEFB}.exe	35
PID 2580 wrote to memory of 2412	2580	{DDAFFF45-6E72-4304-995E-2DD0397429D3}.exe	36
PID 2580 wrote to memory of 2412	2580	{DDAFFF45-6E72-4304-995E-2DD0397429D3}.exe	36
PID 2580 wrote to memory of 2412	2580	{DDAFFF45-6E72-4304-995E-2DD0397429D3}.exe	36
PID 2580 wrote to memory of 2412	2580	{DDAFFF45-6E72-4304-995E-2DD0397429D3}.exe	36
PID 2580 wrote to memory of 2692	2580	{DDAFFF45-6E72-4304-995E-2DD0397429D3}.exe	37
PID 2580 wrote to memory of 2692	2580	{DDAFFF45-6E72-4304-995E-2DD0397429D3}.exe	37
PID 2580 wrote to memory of 2692	2580	{DDAFFF45-6E72-4304-995E-2DD0397429D3}.exe	37
PID 2580 wrote to memory of 2692	2580	{DDAFFF45-6E72-4304-995E-2DD0397429D3}.exe	37
PID 2412 wrote to memory of 2380	2412	{C31D5B97-9714-4209-8C64-C8D8839E2CEC}.exe	38
PID 2412 wrote to memory of 2380	2412	{C31D5B97-9714-4209-8C64-C8D8839E2CEC}.exe	38
PID 2412 wrote to memory of 2380	2412	{C31D5B97-9714-4209-8C64-C8D8839E2CEC}.exe	38
PID 2412 wrote to memory of 2380	2412	{C31D5B97-9714-4209-8C64-C8D8839E2CEC}.exe	38
PID 2412 wrote to memory of 2408	2412	{C31D5B97-9714-4209-8C64-C8D8839E2CEC}.exe	39
PID 2412 wrote to memory of 2408	2412	{C31D5B97-9714-4209-8C64-C8D8839E2CEC}.exe	39
PID 2412 wrote to memory of 2408	2412	{C31D5B97-9714-4209-8C64-C8D8839E2CEC}.exe	39
PID 2412 wrote to memory of 2408	2412	{C31D5B97-9714-4209-8C64-C8D8839E2CEC}.exe	39
PID 2380 wrote to memory of 2864	2380	{7495B4D2-CDAA-43c7-8029-34E022C534C8}.exe	40
PID 2380 wrote to memory of 2864	2380	{7495B4D2-CDAA-43c7-8029-34E022C534C8}.exe	40
PID 2380 wrote to memory of 2864	2380	{7495B4D2-CDAA-43c7-8029-34E022C534C8}.exe	40
PID 2380 wrote to memory of 2864	2380	{7495B4D2-CDAA-43c7-8029-34E022C534C8}.exe	40
PID 2380 wrote to memory of 2356	2380	{7495B4D2-CDAA-43c7-8029-34E022C534C8}.exe	41
PID 2380 wrote to memory of 2356	2380	{7495B4D2-CDAA-43c7-8029-34E022C534C8}.exe	41
PID 2380 wrote to memory of 2356	2380	{7495B4D2-CDAA-43c7-8029-34E022C534C8}.exe	41
PID 2380 wrote to memory of 2356	2380	{7495B4D2-CDAA-43c7-8029-34E022C534C8}.exe	41
PID 2864 wrote to memory of 948	2864	{8C6C1CA3-CFAE-4930-BC06-0AC5A8701456}.exe	42
PID 2864 wrote to memory of 948	2864	{8C6C1CA3-CFAE-4930-BC06-0AC5A8701456}.exe	42
PID 2864 wrote to memory of 948	2864	{8C6C1CA3-CFAE-4930-BC06-0AC5A8701456}.exe	42
PID 2864 wrote to memory of 948	2864	{8C6C1CA3-CFAE-4930-BC06-0AC5A8701456}.exe	42
PID 2864 wrote to memory of 1432	2864	{8C6C1CA3-CFAE-4930-BC06-0AC5A8701456}.exe	43
PID 2864 wrote to memory of 1432	2864	{8C6C1CA3-CFAE-4930-BC06-0AC5A8701456}.exe	43
PID 2864 wrote to memory of 1432	2864	{8C6C1CA3-CFAE-4930-BC06-0AC5A8701456}.exe	43
PID 2864 wrote to memory of 1432	2864	{8C6C1CA3-CFAE-4930-BC06-0AC5A8701456}.exe	43
PID 948 wrote to memory of 1716	948	{37976A2A-16EE-450d-8931-D9D54C48FB9C}.exe	44
PID 948 wrote to memory of 1716	948	{37976A2A-16EE-450d-8931-D9D54C48FB9C}.exe	44
PID 948 wrote to memory of 1716	948	{37976A2A-16EE-450d-8931-D9D54C48FB9C}.exe	44
PID 948 wrote to memory of 1716	948	{37976A2A-16EE-450d-8931-D9D54C48FB9C}.exe	44
PID 948 wrote to memory of 2340	948	{37976A2A-16EE-450d-8931-D9D54C48FB9C}.exe	45
PID 948 wrote to memory of 2340	948	{37976A2A-16EE-450d-8931-D9D54C48FB9C}.exe	45
PID 948 wrote to memory of 2340	948	{37976A2A-16EE-450d-8931-D9D54C48FB9C}.exe	45
PID 948 wrote to memory of 2340	948	{37976A2A-16EE-450d-8931-D9D54C48FB9C}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-04-29_4c435e98215bb9f0742fc1bf1136b642_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-29_4c435e98215bb9f0742fc1bf1136b642_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2220
- C:\Windows\{7EC161DD-61E0-4034-A876-ECEFD5056788}.exe
  C:\Windows\{7EC161DD-61E0-4034-A876-ECEFD5056788}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2192
- - C:\Windows\{CDEF053A-BE7B-4d45-A60D-48FF5F1BFEFB}.exe
    C:\Windows\{CDEF053A-BE7B-4d45-A60D-48FF5F1BFEFB}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3040
  - - C:\Windows\{DDAFFF45-6E72-4304-995E-2DD0397429D3}.exe
      C:\Windows\{DDAFFF45-6E72-4304-995E-2DD0397429D3}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2580
    - - C:\Windows\{C31D5B97-9714-4209-8C64-C8D8839E2CEC}.exe
        
        C:\Windows\{C31D5B97-9714-4209-8C64-C8D8839E2CEC}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2412
      - C:\Windows\{7495B4D2-CDAA-43c7-8029-34E022C534C8}.exe
        
        C:\Windows\{7495B4D2-CDAA-43c7-8029-34E022C534C8}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2380
        
        C:\Windows\{8C6C1CA3-CFAE-4930-BC06-0AC5A8701456}.exe
        
        C:\Windows\{8C6C1CA3-CFAE-4930-BC06-0AC5A8701456}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2864
        
        C:\Windows\{37976A2A-16EE-450d-8931-D9D54C48FB9C}.exe
        
        C:\Windows\{37976A2A-16EE-450d-8931-D9D54C48FB9C}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:948
        
        C:\Windows\{7776B791-026D-4fcb-A500-A4FC32332256}.exe
        
        C:\Windows\{7776B791-026D-4fcb-A500-A4FC32332256}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1716
        
        C:\Windows\{6EEBBF84-5DB1-48e9-B265-BE5FEF2045AD}.exe
        
        C:\Windows\{6EEBBF84-5DB1-48e9-B265-BE5FEF2045AD}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:632
        
        C:\Windows\{05DC00F7-1257-4f36-BF74-D1F78846B6FF}.exe
        
        C:\Windows\{05DC00F7-1257-4f36-BF74-D1F78846B6FF}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:336
        
        C:\Windows\{DE5B9B7E-73E4-457d-A4B1-DB55BDDBB04B}.exe
        
        C:\Windows\{DE5B9B7E-73E4-457d-A4B1-DB55BDDBB04B}.exe
        12⤵
        Executes dropped EXE
        
        PID:1128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{05DC0~1.EXE > nul
        12⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6EEBB~1.EXE > nul
        11⤵
        
        PID:612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7776B~1.EXE > nul
        10⤵
        
        PID:1492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{37976~1.EXE > nul
        9⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8C6C1~1.EXE > nul
        8⤵
        
        PID:1432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7495B~1.EXE > nul
        7⤵
        
        PID:2356
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C31D5~1.EXE > nul
        6⤵
        
        PID:2408
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DDAFF~1.EXE > nul
        5⤵
        
        PID:2692
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{CDEF0~1.EXE > nul
      4⤵
      PID:2772
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{7EC16~1.EXE > nul
    3⤵
    PID:2488
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{05DC00F7-1257-4f36-BF74-D1F78846B6FF}.exe

Filesize
344KB

MD5
cd8952ee3e53e6e36881aa89f64b36d9

SHA1
1165f8f5c97d336d18ae9cf8e9ddb26eb1ae028c

SHA256
df8e0c1fe303f44cd701cda3ebe521bcbf81ea55c9ab5f9a5739cab956fe8d11

SHA512
99f87e0a8ffa349a3e0a7267efa8b40b054ca5d175c9a0da86e9e1b448e39f8a7ea1e56b60fa5e9d9b72026b0f91784641120fdf1b0f882c5fbe23d787a7c34e

Download Submit
C:\Windows\{37976A2A-16EE-450d-8931-D9D54C48FB9C}.exe

Filesize
344KB

MD5
08af988809486a4a2f8a69ac6b006794

SHA1
7ae5ea71c5f92544b4cb831c6b931fe4dd0e6351

SHA256
a38bb1c18b44db39ee3567d42d00ea833df109131b41cdb42d71a12a0b54746f

SHA512
cdd9a2581e1033c4a456090b40eb16229f1d2e387eeb213a6128d252931d26b08adb020de13b7518b4b136b6786a06b6d0447c1003b0442ad627273877d0e513

Download Submit
C:\Windows\{6EEBBF84-5DB1-48e9-B265-BE5FEF2045AD}.exe

Filesize
344KB

MD5
4a78cff3c65e4e87e4c92744f6e985e0

SHA1
62bd1023c5fd60431776f78571e7dd8da2afd4d5

SHA256
674ff37bcc4ef71ee622bf939c23a18e590d6099177a7a90a0ce738ff0e573ee

SHA512
e94b827a221c83034ec73011a2df5c6ec422fad4913f93c88920ea535994780c85ed964d784f2c3c8c6d171dd7a044bafb51e6a3442bbf709d10bd5a614e2ade

Download Submit
C:\Windows\{7495B4D2-CDAA-43c7-8029-34E022C534C8}.exe

Filesize
344KB

MD5
bd2d9371aa19738de49777b0b4e0f3a8

SHA1
bea7f19169337a5513f6325cc2779abf096c52c8

SHA256
903d4ee461b11f91b4e0ff7af0bf823aa1c66cf9aa8794af53a2590cc60f8ebf

SHA512
2aea863a55b63b271e70310cf11ad00c9d5aa32985b2599cc77a3fcdb2aff21e9ad01d6fdef8871a74cbabc667fc9183f5ad171ba10d0db131f11d25ef9dd533

Download Submit
C:\Windows\{7776B791-026D-4fcb-A500-A4FC32332256}.exe

Filesize
344KB

MD5
4b9d0a5a32365552e5ebc91ae14903f6

SHA1
99a08a28029d859da557440abbd6e9f5e4a42796

SHA256
d2c41d5b54516de58240669e7c78039b39e0c202b85f65334d795abba181c2da

SHA512
85bfd8d4e5ee0c815ff1d7d511fe5f0414d3b9e7707dd8182616d521edbb8fa5e92360dc6848346ac4f4c1407f9edc4e921e5079b3a16362048a5e8376d74d7f

Download Submit
C:\Windows\{7EC161DD-61E0-4034-A876-ECEFD5056788}.exe

Filesize
344KB

MD5
343cfa67896ba57baeb83279f4bf3da7

SHA1
bd0f90760f1c1d2161477d185ad822bbb64a48ff

SHA256
70bdff30176798086ffdb28d54903850f26f39c5a1164533901bc0476c473c38

SHA512
0279cfc393becb3def98d0f39e2ce41919865f60c0796653906d01a9d9e2d7f60bda06289bdc903d1d181b13db4a37347af46e1d0f9e570ea8f452810eb495fe

Download Submit
C:\Windows\{8C6C1CA3-CFAE-4930-BC06-0AC5A8701456}.exe

Filesize
344KB

MD5
3e5b7366bc13646d6e6231d7e35e0a7f

SHA1
f41a2b0b942c4178b00aeea6dd223a339af5d439

SHA256
43803e0a1b59a7e62f2a54066fd4e899cddee04c51dfdf152f8c1341d5a599e4

SHA512
ae262decc95f4f09a5e5ab23c7b07d539db135c96e9ab7a2d87483e63c47b93161b979be0dff90587813ef87b173af54840aac09c4b1329e27a82947cb823134

Download Submit
C:\Windows\{C31D5B97-9714-4209-8C64-C8D8839E2CEC}.exe

Filesize
344KB

MD5
fada8a89b7b21970de418d6c15c70137

SHA1
d3446d8777d2b9bb4c026f403c5031483f27f639

SHA256
8693a253c85de3609dae9d765abddedce23e8ecc0391cd78fbc1d6274ce9f52c

SHA512
b14e942bcdb5d226f02b78d4dca6b130c5ef07d758313a3e962c65b09cfc5b3ffd0493958bb9b3b29f67f91bcc9ef88aea7e13dd5d87b29a60da5d7432346cfa

Download Submit
C:\Windows\{CDEF053A-BE7B-4d45-A60D-48FF5F1BFEFB}.exe

Filesize
344KB

MD5
1da74561beee09c62fceceb391519d0f

SHA1
310d28f3b6186cd4b927e86b16a3caa2193e5edd

SHA256
7abd8478603211223e2fe7212ff7f5ecb4839c60bc7d22f127bd50f36bc0f4d3

SHA512
7be37f23bbe49beb4e423a4649ce09a2962325c3e770885520203c906bfd56afa42c01f859b6ea1cb2fc2e938bb33f9a5e060a9ab48a02ccb0244630c4a0793a

Download Submit
C:\Windows\{DDAFFF45-6E72-4304-995E-2DD0397429D3}.exe

Filesize
344KB

MD5
db6c528d4d0d988afb0ef783f60bd6ac

SHA1
05973c40ec1f1d41010dfb61569a8c7774ed694e

SHA256
af4b1471fb4b5f292ff6d94937027576fee19e3acba922701213c9832ad65b53

SHA512
8698cb4c6c49b8685130974f47d3d0302f13b6388111a3d59ee120bc115357d8e4dc33754b3f11f9c85f36a834b4e6cc4248e9ec877063196c2fae228b0470b6

Download Submit
C:\Windows\{DE5B9B7E-73E4-457d-A4B1-DB55BDDBB04B}.exe

Filesize
344KB

MD5
a3370812b26e6da820906f86a6897cc4

SHA1
8175836678aa935aa5248c1964b8d50889faa0d9

SHA256
ce2f85f686ea676318edfd0655d7dc8a2323e471be2ec16a25b75e31125bf437

SHA512
509acf56fecdf68d4dab09b681933ae6bf5f0b045dfc4b4969974fae1e4a3cdf436c74879c0accf509e52af3b33fff93c3d4443da9328155e33982f9356075a3

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads