c487c539b32d6008cf29b242be8b5f3e429411c717dd1638567a40cdf2eab8ff

Analysis

max time kernel
144s
max time network
126s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
01/05/2024, 14:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-01_4505367cbb3941cb2b8ff86c6a224148_goldeneye.exe
Size

204KB
MD5

4505367cbb3941cb2b8ff86c6a224148
SHA1

fad29a01638d153b09ff9451eed7f656de2eb429
SHA256

c487c539b32d6008cf29b242be8b5f3e429411c717dd1638567a40cdf2eab8ff
SHA512

b0062b60f4c5d2f1a0cfb17fe535cd30a649effa509c9774ac6b8dc8d6926dbc7c5a2a7a25f0a6f50b8470849bc97a47dc5544af4ccbee5aa264fd69df4be9f3
SSDEEP

1536:1EGh0oPl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oPl1OPOe2MUVg3Ve+rXfMUy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x0009000000015c5d-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000015e41-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f00000000f680-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a000000015c5d-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000015e5b-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b000000015c5d-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000015e5b-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000015c5d-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a000000015e5b-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000015c5d-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b000000015e5b-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{75C29406-9A11-4747-89D9-1EA980093C6E}	{D65B9F0D-97CE-43c9-B815-5AB007EA6F65}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F8C3889F-0942-4536-8416-6101A96AD71E}	{75C29406-9A11-4747-89D9-1EA980093C6E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1DB6398E-06F4-42d9-80EA-DFF29C75C33F}	{F8C3889F-0942-4536-8416-6101A96AD71E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1636E5A9-FD51-4d97-A45A-745578012BD7}\stubpath = "C:\\Windows\\{1636E5A9-FD51-4d97-A45A-745578012BD7}.exe"	{38CD423C-273C-4ad7-8924-F5B3B38D9B98}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EE3154AA-AE25-4e32-AB93-88D3A64B8775}	{09164659-E7DD-4559-9A57-F0B7ECBE89BA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EE3154AA-AE25-4e32-AB93-88D3A64B8775}\stubpath = "C:\\Windows\\{EE3154AA-AE25-4e32-AB93-88D3A64B8775}.exe"	{09164659-E7DD-4559-9A57-F0B7ECBE89BA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{094C7004-B676-43c3-9E72-C49B201C8518}	{8D220E06-F6CD-4e76-B4E4-8376AC51F365}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{40556203-F37E-4ab4-8FE0-E509E1323E7D}	{094C7004-B676-43c3-9E72-C49B201C8518}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{40556203-F37E-4ab4-8FE0-E509E1323E7D}\stubpath = "C:\\Windows\\{40556203-F37E-4ab4-8FE0-E509E1323E7D}.exe"	{094C7004-B676-43c3-9E72-C49B201C8518}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D65B9F0D-97CE-43c9-B815-5AB007EA6F65}	{40556203-F37E-4ab4-8FE0-E509E1323E7D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F8C3889F-0942-4536-8416-6101A96AD71E}\stubpath = "C:\\Windows\\{F8C3889F-0942-4536-8416-6101A96AD71E}.exe"	{75C29406-9A11-4747-89D9-1EA980093C6E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{38CD423C-273C-4ad7-8924-F5B3B38D9B98}\stubpath = "C:\\Windows\\{38CD423C-273C-4ad7-8924-F5B3B38D9B98}.exe"	{1DB6398E-06F4-42d9-80EA-DFF29C75C33F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{09164659-E7DD-4559-9A57-F0B7ECBE89BA}\stubpath = "C:\\Windows\\{09164659-E7DD-4559-9A57-F0B7ECBE89BA}.exe"	2024-05-01_4505367cbb3941cb2b8ff86c6a224148_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8D220E06-F6CD-4e76-B4E4-8376AC51F365}	{EE3154AA-AE25-4e32-AB93-88D3A64B8775}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8D220E06-F6CD-4e76-B4E4-8376AC51F365}\stubpath = "C:\\Windows\\{8D220E06-F6CD-4e76-B4E4-8376AC51F365}.exe"	{EE3154AA-AE25-4e32-AB93-88D3A64B8775}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D65B9F0D-97CE-43c9-B815-5AB007EA6F65}\stubpath = "C:\\Windows\\{D65B9F0D-97CE-43c9-B815-5AB007EA6F65}.exe"	{40556203-F37E-4ab4-8FE0-E509E1323E7D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{75C29406-9A11-4747-89D9-1EA980093C6E}\stubpath = "C:\\Windows\\{75C29406-9A11-4747-89D9-1EA980093C6E}.exe"	{D65B9F0D-97CE-43c9-B815-5AB007EA6F65}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1DB6398E-06F4-42d9-80EA-DFF29C75C33F}\stubpath = "C:\\Windows\\{1DB6398E-06F4-42d9-80EA-DFF29C75C33F}.exe"	{F8C3889F-0942-4536-8416-6101A96AD71E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{09164659-E7DD-4559-9A57-F0B7ECBE89BA}	2024-05-01_4505367cbb3941cb2b8ff86c6a224148_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{38CD423C-273C-4ad7-8924-F5B3B38D9B98}	{1DB6398E-06F4-42d9-80EA-DFF29C75C33F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1636E5A9-FD51-4d97-A45A-745578012BD7}	{38CD423C-273C-4ad7-8924-F5B3B38D9B98}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{094C7004-B676-43c3-9E72-C49B201C8518}\stubpath = "C:\\Windows\\{094C7004-B676-43c3-9E72-C49B201C8518}.exe"	{8D220E06-F6CD-4e76-B4E4-8376AC51F365}.exe

Deletes itself 1 IoCs

pid	Process
2936	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2588	{09164659-E7DD-4559-9A57-F0B7ECBE89BA}.exe
2684	{EE3154AA-AE25-4e32-AB93-88D3A64B8775}.exe
2408	{8D220E06-F6CD-4e76-B4E4-8376AC51F365}.exe
760	{094C7004-B676-43c3-9E72-C49B201C8518}.exe
2316	{40556203-F37E-4ab4-8FE0-E509E1323E7D}.exe
1060	{D65B9F0D-97CE-43c9-B815-5AB007EA6F65}.exe
1480	{75C29406-9A11-4747-89D9-1EA980093C6E}.exe
2152	{F8C3889F-0942-4536-8416-6101A96AD71E}.exe
1824	{1DB6398E-06F4-42d9-80EA-DFF29C75C33F}.exe
2492	{38CD423C-273C-4ad7-8924-F5B3B38D9B98}.exe
2920	{1636E5A9-FD51-4d97-A45A-745578012BD7}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{F8C3889F-0942-4536-8416-6101A96AD71E}.exe	{75C29406-9A11-4747-89D9-1EA980093C6E}.exe
File created	C:\Windows\{1DB6398E-06F4-42d9-80EA-DFF29C75C33F}.exe	{F8C3889F-0942-4536-8416-6101A96AD71E}.exe
File created	C:\Windows\{38CD423C-273C-4ad7-8924-F5B3B38D9B98}.exe	{1DB6398E-06F4-42d9-80EA-DFF29C75C33F}.exe
File created	C:\Windows\{09164659-E7DD-4559-9A57-F0B7ECBE89BA}.exe	2024-05-01_4505367cbb3941cb2b8ff86c6a224148_goldeneye.exe
File created	C:\Windows\{EE3154AA-AE25-4e32-AB93-88D3A64B8775}.exe	{09164659-E7DD-4559-9A57-F0B7ECBE89BA}.exe
File created	C:\Windows\{40556203-F37E-4ab4-8FE0-E509E1323E7D}.exe	{094C7004-B676-43c3-9E72-C49B201C8518}.exe
File created	C:\Windows\{D65B9F0D-97CE-43c9-B815-5AB007EA6F65}.exe	{40556203-F37E-4ab4-8FE0-E509E1323E7D}.exe
File created	C:\Windows\{75C29406-9A11-4747-89D9-1EA980093C6E}.exe	{D65B9F0D-97CE-43c9-B815-5AB007EA6F65}.exe
File created	C:\Windows\{1636E5A9-FD51-4d97-A45A-745578012BD7}.exe	{38CD423C-273C-4ad7-8924-F5B3B38D9B98}.exe
File created	C:\Windows\{8D220E06-F6CD-4e76-B4E4-8376AC51F365}.exe	{EE3154AA-AE25-4e32-AB93-88D3A64B8775}.exe
File created	C:\Windows\{094C7004-B676-43c3-9E72-C49B201C8518}.exe	{8D220E06-F6CD-4e76-B4E4-8376AC51F365}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2240	2024-05-01_4505367cbb3941cb2b8ff86c6a224148_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2588	{09164659-E7DD-4559-9A57-F0B7ECBE89BA}.exe
Token: SeIncBasePriorityPrivilege	2684	{EE3154AA-AE25-4e32-AB93-88D3A64B8775}.exe
Token: SeIncBasePriorityPrivilege	2408	{8D220E06-F6CD-4e76-B4E4-8376AC51F365}.exe
Token: SeIncBasePriorityPrivilege	760	{094C7004-B676-43c3-9E72-C49B201C8518}.exe
Token: SeIncBasePriorityPrivilege	2316	{40556203-F37E-4ab4-8FE0-E509E1323E7D}.exe
Token: SeIncBasePriorityPrivilege	1060	{D65B9F0D-97CE-43c9-B815-5AB007EA6F65}.exe
Token: SeIncBasePriorityPrivilege	1480	{75C29406-9A11-4747-89D9-1EA980093C6E}.exe
Token: SeIncBasePriorityPrivilege	2152	{F8C3889F-0942-4536-8416-6101A96AD71E}.exe
Token: SeIncBasePriorityPrivilege	1824	{1DB6398E-06F4-42d9-80EA-DFF29C75C33F}.exe
Token: SeIncBasePriorityPrivilege	2492	{38CD423C-273C-4ad7-8924-F5B3B38D9B98}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2240 wrote to memory of 2588	2240	2024-05-01_4505367cbb3941cb2b8ff86c6a224148_goldeneye.exe	28
PID 2240 wrote to memory of 2588	2240	2024-05-01_4505367cbb3941cb2b8ff86c6a224148_goldeneye.exe	28
PID 2240 wrote to memory of 2588	2240	2024-05-01_4505367cbb3941cb2b8ff86c6a224148_goldeneye.exe	28
PID 2240 wrote to memory of 2588	2240	2024-05-01_4505367cbb3941cb2b8ff86c6a224148_goldeneye.exe	28
PID 2240 wrote to memory of 2936	2240	2024-05-01_4505367cbb3941cb2b8ff86c6a224148_goldeneye.exe	29
PID 2240 wrote to memory of 2936	2240	2024-05-01_4505367cbb3941cb2b8ff86c6a224148_goldeneye.exe	29
PID 2240 wrote to memory of 2936	2240	2024-05-01_4505367cbb3941cb2b8ff86c6a224148_goldeneye.exe	29
PID 2240 wrote to memory of 2936	2240	2024-05-01_4505367cbb3941cb2b8ff86c6a224148_goldeneye.exe	29
PID 2588 wrote to memory of 2684	2588	{09164659-E7DD-4559-9A57-F0B7ECBE89BA}.exe	32
PID 2588 wrote to memory of 2684	2588	{09164659-E7DD-4559-9A57-F0B7ECBE89BA}.exe	32
PID 2588 wrote to memory of 2684	2588	{09164659-E7DD-4559-9A57-F0B7ECBE89BA}.exe	32
PID 2588 wrote to memory of 2684	2588	{09164659-E7DD-4559-9A57-F0B7ECBE89BA}.exe	32
PID 2588 wrote to memory of 2416	2588	{09164659-E7DD-4559-9A57-F0B7ECBE89BA}.exe	33
PID 2588 wrote to memory of 2416	2588	{09164659-E7DD-4559-9A57-F0B7ECBE89BA}.exe	33
PID 2588 wrote to memory of 2416	2588	{09164659-E7DD-4559-9A57-F0B7ECBE89BA}.exe	33
PID 2588 wrote to memory of 2416	2588	{09164659-E7DD-4559-9A57-F0B7ECBE89BA}.exe	33
PID 2684 wrote to memory of 2408	2684	{EE3154AA-AE25-4e32-AB93-88D3A64B8775}.exe	34
PID 2684 wrote to memory of 2408	2684	{EE3154AA-AE25-4e32-AB93-88D3A64B8775}.exe	34
PID 2684 wrote to memory of 2408	2684	{EE3154AA-AE25-4e32-AB93-88D3A64B8775}.exe	34
PID 2684 wrote to memory of 2408	2684	{EE3154AA-AE25-4e32-AB93-88D3A64B8775}.exe	34
PID 2684 wrote to memory of 2472	2684	{EE3154AA-AE25-4e32-AB93-88D3A64B8775}.exe	35
PID 2684 wrote to memory of 2472	2684	{EE3154AA-AE25-4e32-AB93-88D3A64B8775}.exe	35
PID 2684 wrote to memory of 2472	2684	{EE3154AA-AE25-4e32-AB93-88D3A64B8775}.exe	35
PID 2684 wrote to memory of 2472	2684	{EE3154AA-AE25-4e32-AB93-88D3A64B8775}.exe	35
PID 2408 wrote to memory of 760	2408	{8D220E06-F6CD-4e76-B4E4-8376AC51F365}.exe	36
PID 2408 wrote to memory of 760	2408	{8D220E06-F6CD-4e76-B4E4-8376AC51F365}.exe	36
PID 2408 wrote to memory of 760	2408	{8D220E06-F6CD-4e76-B4E4-8376AC51F365}.exe	36
PID 2408 wrote to memory of 760	2408	{8D220E06-F6CD-4e76-B4E4-8376AC51F365}.exe	36
PID 2408 wrote to memory of 1532	2408	{8D220E06-F6CD-4e76-B4E4-8376AC51F365}.exe	37
PID 2408 wrote to memory of 1532	2408	{8D220E06-F6CD-4e76-B4E4-8376AC51F365}.exe	37
PID 2408 wrote to memory of 1532	2408	{8D220E06-F6CD-4e76-B4E4-8376AC51F365}.exe	37
PID 2408 wrote to memory of 1532	2408	{8D220E06-F6CD-4e76-B4E4-8376AC51F365}.exe	37
PID 760 wrote to memory of 2316	760	{094C7004-B676-43c3-9E72-C49B201C8518}.exe	38
PID 760 wrote to memory of 2316	760	{094C7004-B676-43c3-9E72-C49B201C8518}.exe	38
PID 760 wrote to memory of 2316	760	{094C7004-B676-43c3-9E72-C49B201C8518}.exe	38
PID 760 wrote to memory of 2316	760	{094C7004-B676-43c3-9E72-C49B201C8518}.exe	38
PID 760 wrote to memory of 836	760	{094C7004-B676-43c3-9E72-C49B201C8518}.exe	39
PID 760 wrote to memory of 836	760	{094C7004-B676-43c3-9E72-C49B201C8518}.exe	39
PID 760 wrote to memory of 836	760	{094C7004-B676-43c3-9E72-C49B201C8518}.exe	39
PID 760 wrote to memory of 836	760	{094C7004-B676-43c3-9E72-C49B201C8518}.exe	39
PID 2316 wrote to memory of 1060	2316	{40556203-F37E-4ab4-8FE0-E509E1323E7D}.exe	40
PID 2316 wrote to memory of 1060	2316	{40556203-F37E-4ab4-8FE0-E509E1323E7D}.exe	40
PID 2316 wrote to memory of 1060	2316	{40556203-F37E-4ab4-8FE0-E509E1323E7D}.exe	40
PID 2316 wrote to memory of 1060	2316	{40556203-F37E-4ab4-8FE0-E509E1323E7D}.exe	40
PID 2316 wrote to memory of 2640	2316	{40556203-F37E-4ab4-8FE0-E509E1323E7D}.exe	41
PID 2316 wrote to memory of 2640	2316	{40556203-F37E-4ab4-8FE0-E509E1323E7D}.exe	41
PID 2316 wrote to memory of 2640	2316	{40556203-F37E-4ab4-8FE0-E509E1323E7D}.exe	41
PID 2316 wrote to memory of 2640	2316	{40556203-F37E-4ab4-8FE0-E509E1323E7D}.exe	41
PID 1060 wrote to memory of 1480	1060	{D65B9F0D-97CE-43c9-B815-5AB007EA6F65}.exe	42
PID 1060 wrote to memory of 1480	1060	{D65B9F0D-97CE-43c9-B815-5AB007EA6F65}.exe	42
PID 1060 wrote to memory of 1480	1060	{D65B9F0D-97CE-43c9-B815-5AB007EA6F65}.exe	42
PID 1060 wrote to memory of 1480	1060	{D65B9F0D-97CE-43c9-B815-5AB007EA6F65}.exe	42
PID 1060 wrote to memory of 2028	1060	{D65B9F0D-97CE-43c9-B815-5AB007EA6F65}.exe	43
PID 1060 wrote to memory of 2028	1060	{D65B9F0D-97CE-43c9-B815-5AB007EA6F65}.exe	43
PID 1060 wrote to memory of 2028	1060	{D65B9F0D-97CE-43c9-B815-5AB007EA6F65}.exe	43
PID 1060 wrote to memory of 2028	1060	{D65B9F0D-97CE-43c9-B815-5AB007EA6F65}.exe	43
PID 1480 wrote to memory of 2152	1480	{75C29406-9A11-4747-89D9-1EA980093C6E}.exe	44
PID 1480 wrote to memory of 2152	1480	{75C29406-9A11-4747-89D9-1EA980093C6E}.exe	44
PID 1480 wrote to memory of 2152	1480	{75C29406-9A11-4747-89D9-1EA980093C6E}.exe	44
PID 1480 wrote to memory of 2152	1480	{75C29406-9A11-4747-89D9-1EA980093C6E}.exe	44
PID 1480 wrote to memory of 1808	1480	{75C29406-9A11-4747-89D9-1EA980093C6E}.exe	45
PID 1480 wrote to memory of 1808	1480	{75C29406-9A11-4747-89D9-1EA980093C6E}.exe	45
PID 1480 wrote to memory of 1808	1480	{75C29406-9A11-4747-89D9-1EA980093C6E}.exe	45
PID 1480 wrote to memory of 1808	1480	{75C29406-9A11-4747-89D9-1EA980093C6E}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-05-01_4505367cbb3941cb2b8ff86c6a224148_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-01_4505367cbb3941cb2b8ff86c6a224148_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2240
- C:\Windows\{09164659-E7DD-4559-9A57-F0B7ECBE89BA}.exe
  C:\Windows\{09164659-E7DD-4559-9A57-F0B7ECBE89BA}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2588
- - C:\Windows\{EE3154AA-AE25-4e32-AB93-88D3A64B8775}.exe
    C:\Windows\{EE3154AA-AE25-4e32-AB93-88D3A64B8775}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2684
  - - C:\Windows\{8D220E06-F6CD-4e76-B4E4-8376AC51F365}.exe
      C:\Windows\{8D220E06-F6CD-4e76-B4E4-8376AC51F365}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2408
    - - C:\Windows\{094C7004-B676-43c3-9E72-C49B201C8518}.exe
        
        C:\Windows\{094C7004-B676-43c3-9E72-C49B201C8518}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:760
      - C:\Windows\{40556203-F37E-4ab4-8FE0-E509E1323E7D}.exe
        
        C:\Windows\{40556203-F37E-4ab4-8FE0-E509E1323E7D}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2316
        
        C:\Windows\{D65B9F0D-97CE-43c9-B815-5AB007EA6F65}.exe
        
        C:\Windows\{D65B9F0D-97CE-43c9-B815-5AB007EA6F65}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1060
        
        C:\Windows\{75C29406-9A11-4747-89D9-1EA980093C6E}.exe
        
        C:\Windows\{75C29406-9A11-4747-89D9-1EA980093C6E}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1480
        
        C:\Windows\{F8C3889F-0942-4536-8416-6101A96AD71E}.exe
        
        C:\Windows\{F8C3889F-0942-4536-8416-6101A96AD71E}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2152
        
        C:\Windows\{1DB6398E-06F4-42d9-80EA-DFF29C75C33F}.exe
        
        C:\Windows\{1DB6398E-06F4-42d9-80EA-DFF29C75C33F}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1824
        
        C:\Windows\{38CD423C-273C-4ad7-8924-F5B3B38D9B98}.exe
        
        C:\Windows\{38CD423C-273C-4ad7-8924-F5B3B38D9B98}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2492
        
        C:\Windows\{1636E5A9-FD51-4d97-A45A-745578012BD7}.exe
        
        C:\Windows\{1636E5A9-FD51-4d97-A45A-745578012BD7}.exe
        12⤵
        Executes dropped EXE
        
        PID:2920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{38CD4~1.EXE > nul
        12⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1DB63~1.EXE > nul
        11⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F8C38~1.EXE > nul
        10⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{75C29~1.EXE > nul
        9⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D65B9~1.EXE > nul
        8⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{40556~1.EXE > nul
        7⤵
        
        PID:2640
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{094C7~1.EXE > nul
        6⤵
        
        PID:836
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8D220~1.EXE > nul
        5⤵
        
        PID:1532
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{EE315~1.EXE > nul
      4⤵
      PID:2472
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{09164~1.EXE > nul
    3⤵
    PID:2416
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{09164659-E7DD-4559-9A57-F0B7ECBE89BA}.exe

Filesize
204KB

MD5
66a43f1a02a632994aa217126d3b5908

SHA1
cbcc0cd0aa5697bb4f328ded103bab4e0d8ff78f

SHA256
fdd259af9f8fe63fc4fdd2331e8b6ad5b7b6065c992ac163fb915b8bb4aa45b0

SHA512
cf21d1478838853adafbee862ea081f213a5df384f22a261b95b8754f28bca6c553a343c56ffeae9382c73b07fac19b92f26b14e22ad0fde5d116f974958fb4f

Download Submit
C:\Windows\{094C7004-B676-43c3-9E72-C49B201C8518}.exe

Filesize
204KB

MD5
2ff014172854a093ca26fb67621a5409

SHA1
b06cc991d3d849fa4de74cbeadd0017ac200a0e0

SHA256
095801ed0e7a07a17aa5329b97083d9c654b8ea59dcde9be547747045a5e5fc3

SHA512
2b44ac1558d4f9138bb29d0f5ee2f38d4365857347320d8edbcde1a19d27d3ecbb815bd353f611fb97e093ccf431d45badf7aa95ce26a281790aee0d63bc6c30

Download Submit
C:\Windows\{1636E5A9-FD51-4d97-A45A-745578012BD7}.exe

Filesize
204KB

MD5
22e7da7c7c14a4601001a967a1997b1c

SHA1
60ba128e12613175cab0cb3465974aad99516000

SHA256
9727cc07a0bd90d07f9ab61f89122e72314746e339ac39b734589a6b1e4d2f6e

SHA512
776b1ad8725b5dd895505e0e65c1b384e9b6a64bd4b79aec7361392cbb4b2ce9cb5b7d587cad3fe8f9508c690b1d95e11c8349953bda8022bb077a525587b74f

Download Submit
C:\Windows\{1DB6398E-06F4-42d9-80EA-DFF29C75C33F}.exe

Filesize
204KB

MD5
70acfd76687a2e1ee9942e974e8b0916

SHA1
9382e0f96ccc68114dea9a64275aaafbc7a372ba

SHA256
8c25509d780e091637fda2778ca4fcc2be7ec3046ff7f5f78e10f9881d1ac68e

SHA512
007aadedf96d29146730f2ff80053d7a377295f147e6d99df2da01de5dba1ccacc3e73bd13f94785740ec29119f96545bd656358d623688ec1d03e5492353da6

Download Submit
C:\Windows\{38CD423C-273C-4ad7-8924-F5B3B38D9B98}.exe

Filesize
204KB

MD5
eaea95c4698ec71c059f35a27a7abd3f

SHA1
3f47378507b3cde5453e848c0af798a241846148

SHA256
f0074b35be66e0f1a217558c77d146f91c7ad0e70a520e6a21b7d188a38a2566

SHA512
f9757bca2ada2d953d9670f0b2276bd5ab3d90670b45bf9354740f8780a350330b817de084c11a95136915d989a5d5bb6d434b122c8758261163970ba781f888

Download Submit
C:\Windows\{40556203-F37E-4ab4-8FE0-E509E1323E7D}.exe

Filesize
204KB

MD5
d0904727266226b7c70e4779f9a61bfa

SHA1
afc92fa1852ca076192eb164b5407a1008c9dee7

SHA256
0ea9b6a2dd3fc5b9a21334e552347de0d3c15d3a5c823cabb78baf73226ca8ff

SHA512
ac9d9474fafeea9c1caa7d0c094d2a302626d156d73db442b745448adf7bc947b26cd6a67868eabdcd4b30881c8019575bf413ce1b304ba0d5c7d6713c11dc4f

Download Submit
C:\Windows\{75C29406-9A11-4747-89D9-1EA980093C6E}.exe

Filesize
204KB

MD5
ff94623aeeff2fc26b3dd6a22de186c3

SHA1
234a6461eb0af7c0982cc96e49e6bce12a24b47f

SHA256
2707b50dc3b6d0ad86748776be76676a53a6731e7ded9a32afc73ba890c39964

SHA512
27a42793dd44159f174fb310caf0c6fab6d320d1998d7d25a5ff4d50b875a900ec577dc0f887db1bdd23987d149ad09b596cca7ac6720327a15e7c1f36326b2c

Download Submit
C:\Windows\{8D220E06-F6CD-4e76-B4E4-8376AC51F365}.exe

Filesize
204KB

MD5
9543b57f2a7fac7ea786701f69b5d45b

SHA1
b5e280fd0d3b31a6aeaa63dc94d44c3872ac9306

SHA256
3265d3e1112b79ec8f134adf1f1cb163e25a9e29bd1f47c86f5324b6be2882b6

SHA512
d63016e0ee751bcf0113ac601fe7aacc5d4358ddda8c48aa8f601a646fe78f2878d22fd4c0c29118b615a9c570c67236198e479744691e8119c07b9ca9801b6b

Download Submit
C:\Windows\{D65B9F0D-97CE-43c9-B815-5AB007EA6F65}.exe

Filesize
204KB

MD5
247935efdf55ad1572467217e5943838

SHA1
5713c1fb9317adc92a84e941d22eb6fc58374d88

SHA256
82b40b9c8666f80d43189e81ed0bc81697051158e970d670f2c99381592581b1

SHA512
d357f318d055935278f85024d0f238cfe7f0506d9b0a5b4dd7a2a39b90c4223be4be9eabc05f4e98e95dbc8a041e49ba42ac1cd47b7f935144fb06aa0004eec2

Download Submit
C:\Windows\{EE3154AA-AE25-4e32-AB93-88D3A64B8775}.exe

Filesize
204KB

MD5
84cdb4de078070d5f385014c1beaa026

SHA1
4e54654307c8756f71e995d95d0c45aafc8ef784

SHA256
8cbb7008e58658087da43ca3c6c2ab4d810e9e51179b306a6257fb4ea40613ef

SHA512
e2a62794f95fa502008f247c8e8dc3a8607079f55b838a979042e90f8db8c145120c0241c7d58ddf3b98414ee4b7f9d7108bd83bd582a232e6c7b82be11da8c8

Download Submit
C:\Windows\{F8C3889F-0942-4536-8416-6101A96AD71E}.exe

Filesize
204KB

MD5
99c7d560534b1210b9f66c4206269240

SHA1
5104e376c1e00dbb57ff21777f98014bf7c385aa

SHA256
1b97e16a76087d318f432e9c6b5e10f4cc38e1b6268874ba7680d46681f9e435

SHA512
cb388937ef47e093636b53bf3b9ff9a7f5d293b1a97b01eb8264032e2beddaa18e9ca8976714bfc9386e8d32dedfb53315eddbfff9b42d4c12b912a947659d2e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads