3bed55aec8dfd35175e03a2a9197331f978452eb27394e59e0cbcd2ffe9ea4f2

Analysis

max time kernel
144s
max time network
118s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
05/05/2024, 03:57

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-05-05_8110b0b226009af45b068393a30b8cf0_goldeneye.exe
Size

408KB
MD5

8110b0b226009af45b068393a30b8cf0
SHA1

42198c468610ceb904e30fee6bc3023c809ced70
SHA256

3bed55aec8dfd35175e03a2a9197331f978452eb27394e59e0cbcd2ffe9ea4f2
SHA512

df5c4df3931ced6a1576581102cc8d5ccc64b70391312784f652606c90370dcd4c2c140fc80134ff6f6a4eda2d710696a04547dfb1c9b5c973f674a86bbe01cd
SSDEEP

3072:CEGh0onl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBft:CEGxldOe2MUVg3vTeKcAEciTBqr3jy9

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x00080000000122cd-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0032000000014aa2-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00090000000122cd-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a0000000122cd-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b0000000122cd-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c0000000122cd-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d0000000122cd-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{55156657-35EE-4df1-A412-45016193B415}	{F37B67C3-6705-404e-89CA-359238FAE566}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0B8EC189-4CDE-4508-9C59-689AF65BDF15}	{55156657-35EE-4df1-A412-45016193B415}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{39D05D48-E7C0-451c-BEC6-F764E9FA98A0}\stubpath = "C:\\Windows\\{39D05D48-E7C0-451c-BEC6-F764E9FA98A0}.exe"	{5792BB88-E5E7-491c-A0EA-DC6E6A4C9DCD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D79F09FC-91C0-43cc-878B-F177BBD81C28}\stubpath = "C:\\Windows\\{D79F09FC-91C0-43cc-878B-F177BBD81C28}.exe"	{5831644E-A2BD-486f-98FF-FDD715083E99}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8D60DB4E-B41F-426d-A767-61CC77B21665}	{C6BAEF83-90FF-4c8d-861B-F5E8F1A6E942}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C6BAEF83-90FF-4c8d-861B-F5E8F1A6E942}\stubpath = "C:\\Windows\\{C6BAEF83-90FF-4c8d-861B-F5E8F1A6E942}.exe"	2024-05-05_8110b0b226009af45b068393a30b8cf0_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{345313C9-0222-4a97-AEEC-37B33101CF46}	{8D60DB4E-B41F-426d-A767-61CC77B21665}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{75C700F5-159D-45be-A5F5-4E26FC9D100E}\stubpath = "C:\\Windows\\{75C700F5-159D-45be-A5F5-4E26FC9D100E}.exe"	{345313C9-0222-4a97-AEEC-37B33101CF46}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5792BB88-E5E7-491c-A0EA-DC6E6A4C9DCD}	{0B8EC189-4CDE-4508-9C59-689AF65BDF15}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C6BAEF83-90FF-4c8d-861B-F5E8F1A6E942}	2024-05-05_8110b0b226009af45b068393a30b8cf0_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{75C700F5-159D-45be-A5F5-4E26FC9D100E}	{345313C9-0222-4a97-AEEC-37B33101CF46}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F37B67C3-6705-404e-89CA-359238FAE566}	{75C700F5-159D-45be-A5F5-4E26FC9D100E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F37B67C3-6705-404e-89CA-359238FAE566}\stubpath = "C:\\Windows\\{F37B67C3-6705-404e-89CA-359238FAE566}.exe"	{75C700F5-159D-45be-A5F5-4E26FC9D100E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0B8EC189-4CDE-4508-9C59-689AF65BDF15}\stubpath = "C:\\Windows\\{0B8EC189-4CDE-4508-9C59-689AF65BDF15}.exe"	{55156657-35EE-4df1-A412-45016193B415}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5792BB88-E5E7-491c-A0EA-DC6E6A4C9DCD}\stubpath = "C:\\Windows\\{5792BB88-E5E7-491c-A0EA-DC6E6A4C9DCD}.exe"	{0B8EC189-4CDE-4508-9C59-689AF65BDF15}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5831644E-A2BD-486f-98FF-FDD715083E99}	{39D05D48-E7C0-451c-BEC6-F764E9FA98A0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5831644E-A2BD-486f-98FF-FDD715083E99}\stubpath = "C:\\Windows\\{5831644E-A2BD-486f-98FF-FDD715083E99}.exe"	{39D05D48-E7C0-451c-BEC6-F764E9FA98A0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8D60DB4E-B41F-426d-A767-61CC77B21665}\stubpath = "C:\\Windows\\{8D60DB4E-B41F-426d-A767-61CC77B21665}.exe"	{C6BAEF83-90FF-4c8d-861B-F5E8F1A6E942}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D79F09FC-91C0-43cc-878B-F177BBD81C28}	{5831644E-A2BD-486f-98FF-FDD715083E99}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{55156657-35EE-4df1-A412-45016193B415}\stubpath = "C:\\Windows\\{55156657-35EE-4df1-A412-45016193B415}.exe"	{F37B67C3-6705-404e-89CA-359238FAE566}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{39D05D48-E7C0-451c-BEC6-F764E9FA98A0}	{5792BB88-E5E7-491c-A0EA-DC6E6A4C9DCD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{345313C9-0222-4a97-AEEC-37B33101CF46}\stubpath = "C:\\Windows\\{345313C9-0222-4a97-AEEC-37B33101CF46}.exe"	{8D60DB4E-B41F-426d-A767-61CC77B21665}.exe

Deletes itself 1 IoCs

pid	Process
3032	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2480	{C6BAEF83-90FF-4c8d-861B-F5E8F1A6E942}.exe
2688	{8D60DB4E-B41F-426d-A767-61CC77B21665}.exe
2408	{345313C9-0222-4a97-AEEC-37B33101CF46}.exe
2116	{75C700F5-159D-45be-A5F5-4E26FC9D100E}.exe
2888	{F37B67C3-6705-404e-89CA-359238FAE566}.exe
1884	{55156657-35EE-4df1-A412-45016193B415}.exe
1564	{0B8EC189-4CDE-4508-9C59-689AF65BDF15}.exe
804	{5792BB88-E5E7-491c-A0EA-DC6E6A4C9DCD}.exe
2956	{39D05D48-E7C0-451c-BEC6-F764E9FA98A0}.exe
1616	{5831644E-A2BD-486f-98FF-FDD715083E99}.exe
1400	{D79F09FC-91C0-43cc-878B-F177BBD81C28}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{5792BB88-E5E7-491c-A0EA-DC6E6A4C9DCD}.exe	{0B8EC189-4CDE-4508-9C59-689AF65BDF15}.exe
File created	C:\Windows\{5831644E-A2BD-486f-98FF-FDD715083E99}.exe	{39D05D48-E7C0-451c-BEC6-F764E9FA98A0}.exe
File created	C:\Windows\{D79F09FC-91C0-43cc-878B-F177BBD81C28}.exe	{5831644E-A2BD-486f-98FF-FDD715083E99}.exe
File created	C:\Windows\{C6BAEF83-90FF-4c8d-861B-F5E8F1A6E942}.exe	2024-05-05_8110b0b226009af45b068393a30b8cf0_goldeneye.exe
File created	C:\Windows\{345313C9-0222-4a97-AEEC-37B33101CF46}.exe	{8D60DB4E-B41F-426d-A767-61CC77B21665}.exe
File created	C:\Windows\{F37B67C3-6705-404e-89CA-359238FAE566}.exe	{75C700F5-159D-45be-A5F5-4E26FC9D100E}.exe
File created	C:\Windows\{55156657-35EE-4df1-A412-45016193B415}.exe	{F37B67C3-6705-404e-89CA-359238FAE566}.exe
File created	C:\Windows\{8D60DB4E-B41F-426d-A767-61CC77B21665}.exe	{C6BAEF83-90FF-4c8d-861B-F5E8F1A6E942}.exe
File created	C:\Windows\{75C700F5-159D-45be-A5F5-4E26FC9D100E}.exe	{345313C9-0222-4a97-AEEC-37B33101CF46}.exe
File created	C:\Windows\{0B8EC189-4CDE-4508-9C59-689AF65BDF15}.exe	{55156657-35EE-4df1-A412-45016193B415}.exe
File created	C:\Windows\{39D05D48-E7C0-451c-BEC6-F764E9FA98A0}.exe	{5792BB88-E5E7-491c-A0EA-DC6E6A4C9DCD}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2172	2024-05-05_8110b0b226009af45b068393a30b8cf0_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2480	{C6BAEF83-90FF-4c8d-861B-F5E8F1A6E942}.exe
Token: SeIncBasePriorityPrivilege	2688	{8D60DB4E-B41F-426d-A767-61CC77B21665}.exe
Token: SeIncBasePriorityPrivilege	2408	{345313C9-0222-4a97-AEEC-37B33101CF46}.exe
Token: SeIncBasePriorityPrivilege	2116	{75C700F5-159D-45be-A5F5-4E26FC9D100E}.exe
Token: SeIncBasePriorityPrivilege	2888	{F37B67C3-6705-404e-89CA-359238FAE566}.exe
Token: SeIncBasePriorityPrivilege	1884	{55156657-35EE-4df1-A412-45016193B415}.exe
Token: SeIncBasePriorityPrivilege	1564	{0B8EC189-4CDE-4508-9C59-689AF65BDF15}.exe
Token: SeIncBasePriorityPrivilege	804	{5792BB88-E5E7-491c-A0EA-DC6E6A4C9DCD}.exe
Token: SeIncBasePriorityPrivilege	2956	{39D05D48-E7C0-451c-BEC6-F764E9FA98A0}.exe
Token: SeIncBasePriorityPrivilege	1616	{5831644E-A2BD-486f-98FF-FDD715083E99}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2172 wrote to memory of 2480	2172	2024-05-05_8110b0b226009af45b068393a30b8cf0_goldeneye.exe	28
PID 2172 wrote to memory of 2480	2172	2024-05-05_8110b0b226009af45b068393a30b8cf0_goldeneye.exe	28
PID 2172 wrote to memory of 2480	2172	2024-05-05_8110b0b226009af45b068393a30b8cf0_goldeneye.exe	28
PID 2172 wrote to memory of 2480	2172	2024-05-05_8110b0b226009af45b068393a30b8cf0_goldeneye.exe	28
PID 2172 wrote to memory of 3032	2172	2024-05-05_8110b0b226009af45b068393a30b8cf0_goldeneye.exe	29
PID 2172 wrote to memory of 3032	2172	2024-05-05_8110b0b226009af45b068393a30b8cf0_goldeneye.exe	29
PID 2172 wrote to memory of 3032	2172	2024-05-05_8110b0b226009af45b068393a30b8cf0_goldeneye.exe	29
PID 2172 wrote to memory of 3032	2172	2024-05-05_8110b0b226009af45b068393a30b8cf0_goldeneye.exe	29
PID 2480 wrote to memory of 2688	2480	{C6BAEF83-90FF-4c8d-861B-F5E8F1A6E942}.exe	30
PID 2480 wrote to memory of 2688	2480	{C6BAEF83-90FF-4c8d-861B-F5E8F1A6E942}.exe	30
PID 2480 wrote to memory of 2688	2480	{C6BAEF83-90FF-4c8d-861B-F5E8F1A6E942}.exe	30
PID 2480 wrote to memory of 2688	2480	{C6BAEF83-90FF-4c8d-861B-F5E8F1A6E942}.exe	30
PID 2480 wrote to memory of 2512	2480	{C6BAEF83-90FF-4c8d-861B-F5E8F1A6E942}.exe	31
PID 2480 wrote to memory of 2512	2480	{C6BAEF83-90FF-4c8d-861B-F5E8F1A6E942}.exe	31
PID 2480 wrote to memory of 2512	2480	{C6BAEF83-90FF-4c8d-861B-F5E8F1A6E942}.exe	31
PID 2480 wrote to memory of 2512	2480	{C6BAEF83-90FF-4c8d-861B-F5E8F1A6E942}.exe	31
PID 2688 wrote to memory of 2408	2688	{8D60DB4E-B41F-426d-A767-61CC77B21665}.exe	32
PID 2688 wrote to memory of 2408	2688	{8D60DB4E-B41F-426d-A767-61CC77B21665}.exe	32
PID 2688 wrote to memory of 2408	2688	{8D60DB4E-B41F-426d-A767-61CC77B21665}.exe	32
PID 2688 wrote to memory of 2408	2688	{8D60DB4E-B41F-426d-A767-61CC77B21665}.exe	32
PID 2688 wrote to memory of 2552	2688	{8D60DB4E-B41F-426d-A767-61CC77B21665}.exe	33
PID 2688 wrote to memory of 2552	2688	{8D60DB4E-B41F-426d-A767-61CC77B21665}.exe	33
PID 2688 wrote to memory of 2552	2688	{8D60DB4E-B41F-426d-A767-61CC77B21665}.exe	33
PID 2688 wrote to memory of 2552	2688	{8D60DB4E-B41F-426d-A767-61CC77B21665}.exe	33
PID 2408 wrote to memory of 2116	2408	{345313C9-0222-4a97-AEEC-37B33101CF46}.exe	36
PID 2408 wrote to memory of 2116	2408	{345313C9-0222-4a97-AEEC-37B33101CF46}.exe	36
PID 2408 wrote to memory of 2116	2408	{345313C9-0222-4a97-AEEC-37B33101CF46}.exe	36
PID 2408 wrote to memory of 2116	2408	{345313C9-0222-4a97-AEEC-37B33101CF46}.exe	36
PID 2408 wrote to memory of 2776	2408	{345313C9-0222-4a97-AEEC-37B33101CF46}.exe	37
PID 2408 wrote to memory of 2776	2408	{345313C9-0222-4a97-AEEC-37B33101CF46}.exe	37
PID 2408 wrote to memory of 2776	2408	{345313C9-0222-4a97-AEEC-37B33101CF46}.exe	37
PID 2408 wrote to memory of 2776	2408	{345313C9-0222-4a97-AEEC-37B33101CF46}.exe	37
PID 2116 wrote to memory of 2888	2116	{75C700F5-159D-45be-A5F5-4E26FC9D100E}.exe	38
PID 2116 wrote to memory of 2888	2116	{75C700F5-159D-45be-A5F5-4E26FC9D100E}.exe	38
PID 2116 wrote to memory of 2888	2116	{75C700F5-159D-45be-A5F5-4E26FC9D100E}.exe	38
PID 2116 wrote to memory of 2888	2116	{75C700F5-159D-45be-A5F5-4E26FC9D100E}.exe	38
PID 2116 wrote to memory of 1512	2116	{75C700F5-159D-45be-A5F5-4E26FC9D100E}.exe	39
PID 2116 wrote to memory of 1512	2116	{75C700F5-159D-45be-A5F5-4E26FC9D100E}.exe	39
PID 2116 wrote to memory of 1512	2116	{75C700F5-159D-45be-A5F5-4E26FC9D100E}.exe	39
PID 2116 wrote to memory of 1512	2116	{75C700F5-159D-45be-A5F5-4E26FC9D100E}.exe	39
PID 2888 wrote to memory of 1884	2888	{F37B67C3-6705-404e-89CA-359238FAE566}.exe	40
PID 2888 wrote to memory of 1884	2888	{F37B67C3-6705-404e-89CA-359238FAE566}.exe	40
PID 2888 wrote to memory of 1884	2888	{F37B67C3-6705-404e-89CA-359238FAE566}.exe	40
PID 2888 wrote to memory of 1884	2888	{F37B67C3-6705-404e-89CA-359238FAE566}.exe	40
PID 2888 wrote to memory of 1548	2888	{F37B67C3-6705-404e-89CA-359238FAE566}.exe	41
PID 2888 wrote to memory of 1548	2888	{F37B67C3-6705-404e-89CA-359238FAE566}.exe	41
PID 2888 wrote to memory of 1548	2888	{F37B67C3-6705-404e-89CA-359238FAE566}.exe	41
PID 2888 wrote to memory of 1548	2888	{F37B67C3-6705-404e-89CA-359238FAE566}.exe	41
PID 1884 wrote to memory of 1564	1884	{55156657-35EE-4df1-A412-45016193B415}.exe	42
PID 1884 wrote to memory of 1564	1884	{55156657-35EE-4df1-A412-45016193B415}.exe	42
PID 1884 wrote to memory of 1564	1884	{55156657-35EE-4df1-A412-45016193B415}.exe	42
PID 1884 wrote to memory of 1564	1884	{55156657-35EE-4df1-A412-45016193B415}.exe	42
PID 1884 wrote to memory of 2640	1884	{55156657-35EE-4df1-A412-45016193B415}.exe	43
PID 1884 wrote to memory of 2640	1884	{55156657-35EE-4df1-A412-45016193B415}.exe	43
PID 1884 wrote to memory of 2640	1884	{55156657-35EE-4df1-A412-45016193B415}.exe	43
PID 1884 wrote to memory of 2640	1884	{55156657-35EE-4df1-A412-45016193B415}.exe	43
PID 1564 wrote to memory of 804	1564	{0B8EC189-4CDE-4508-9C59-689AF65BDF15}.exe	44
PID 1564 wrote to memory of 804	1564	{0B8EC189-4CDE-4508-9C59-689AF65BDF15}.exe	44
PID 1564 wrote to memory of 804	1564	{0B8EC189-4CDE-4508-9C59-689AF65BDF15}.exe	44
PID 1564 wrote to memory of 804	1564	{0B8EC189-4CDE-4508-9C59-689AF65BDF15}.exe	44
PID 1564 wrote to memory of 1436	1564	{0B8EC189-4CDE-4508-9C59-689AF65BDF15}.exe	45
PID 1564 wrote to memory of 1436	1564	{0B8EC189-4CDE-4508-9C59-689AF65BDF15}.exe	45
PID 1564 wrote to memory of 1436	1564	{0B8EC189-4CDE-4508-9C59-689AF65BDF15}.exe	45
PID 1564 wrote to memory of 1436	1564	{0B8EC189-4CDE-4508-9C59-689AF65BDF15}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-05-05_8110b0b226009af45b068393a30b8cf0_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-05_8110b0b226009af45b068393a30b8cf0_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2172
- C:\Windows\{C6BAEF83-90FF-4c8d-861B-F5E8F1A6E942}.exe
  C:\Windows\{C6BAEF83-90FF-4c8d-861B-F5E8F1A6E942}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2480
- - C:\Windows\{8D60DB4E-B41F-426d-A767-61CC77B21665}.exe
    C:\Windows\{8D60DB4E-B41F-426d-A767-61CC77B21665}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2688
  - - C:\Windows\{345313C9-0222-4a97-AEEC-37B33101CF46}.exe
      C:\Windows\{345313C9-0222-4a97-AEEC-37B33101CF46}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2408
    - - C:\Windows\{75C700F5-159D-45be-A5F5-4E26FC9D100E}.exe
        
        C:\Windows\{75C700F5-159D-45be-A5F5-4E26FC9D100E}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2116
      - C:\Windows\{F37B67C3-6705-404e-89CA-359238FAE566}.exe
        
        C:\Windows\{F37B67C3-6705-404e-89CA-359238FAE566}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2888
        
        C:\Windows\{55156657-35EE-4df1-A412-45016193B415}.exe
        
        C:\Windows\{55156657-35EE-4df1-A412-45016193B415}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1884
        
        C:\Windows\{0B8EC189-4CDE-4508-9C59-689AF65BDF15}.exe
        
        C:\Windows\{0B8EC189-4CDE-4508-9C59-689AF65BDF15}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1564
        
        C:\Windows\{5792BB88-E5E7-491c-A0EA-DC6E6A4C9DCD}.exe
        
        C:\Windows\{5792BB88-E5E7-491c-A0EA-DC6E6A4C9DCD}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:804
        
        C:\Windows\{39D05D48-E7C0-451c-BEC6-F764E9FA98A0}.exe
        
        C:\Windows\{39D05D48-E7C0-451c-BEC6-F764E9FA98A0}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2956
        
        C:\Windows\{5831644E-A2BD-486f-98FF-FDD715083E99}.exe
        
        C:\Windows\{5831644E-A2BD-486f-98FF-FDD715083E99}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1616
        
        C:\Windows\{D79F09FC-91C0-43cc-878B-F177BBD81C28}.exe
        
        C:\Windows\{D79F09FC-91C0-43cc-878B-F177BBD81C28}.exe
        12⤵
        Executes dropped EXE
        
        PID:1400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{58316~1.EXE > nul
        12⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{39D05~1.EXE > nul
        11⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5792B~1.EXE > nul
        10⤵
        
        PID:980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0B8EC~1.EXE > nul
        9⤵
        
        PID:1436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{55156~1.EXE > nul
        8⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F37B6~1.EXE > nul
        7⤵
        
        PID:1548
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{75C70~1.EXE > nul
        6⤵
        
        PID:1512
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{34531~1.EXE > nul
        5⤵
        
        PID:2776
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{8D60D~1.EXE > nul
      4⤵
      PID:2552
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{C6BAE~1.EXE > nul
    3⤵
    PID:2512
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:3032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0B8EC189-4CDE-4508-9C59-689AF65BDF15}.exe

Filesize
408KB

MD5
25583bb208610f10e0f49aba5c18c4d0

SHA1
473f48d1c9f78d480e724f0e9a88ca1ed72ff510

SHA256
6c4728cfd48bf57f994b9ad39f2fa6d7a0e8f51b40b60c52e2c8dead3ea0ce78

SHA512
cf109a3ea0c55ddc66ed86a9867f76b538222d2799561b6d764245ba448d42779d6465f7ec191f773c64e34b856653aa6f5565da638be8c4cace68133e0b423e

Download Submit
C:\Windows\{345313C9-0222-4a97-AEEC-37B33101CF46}.exe

Filesize
408KB

MD5
7d332633af0eb3068756b13b76c52702

SHA1
9f7f5b2c413101035686c329175958dc4620ade6

SHA256
9f0cd4f0c13f7a01f9611cbe4c451837f0feea4d4ce77c301820fd63a8bbc305

SHA512
bcd2eaf6adf2e348abfb0f71eb67032de42340370112f90c5ea0609243e75875b0e68a09ec4ef3cbef03dfae67ecd98789aba7b52fe882e45c5577ed94aad721

Download Submit
C:\Windows\{39D05D48-E7C0-451c-BEC6-F764E9FA98A0}.exe

Filesize
408KB

MD5
2d8cc14ef7f1bccbeefa02027b8448d7

SHA1
7f00087bbf08943856ab00925dc6820e2e27dc4f

SHA256
582a914762876ee45f16c623e2a7921d3dc8300099200bd6babcf4c2c97924ca

SHA512
7d59db56da45fbb6cf982aa7306a9be1aceb7d81fbbf1432e961eb05962f8aa939a032ca9d29442378308e1fd881991395c91a1434dc98624109fc0953bb1b00

Download Submit
C:\Windows\{55156657-35EE-4df1-A412-45016193B415}.exe

Filesize
408KB

MD5
2816fa79624c1b909257cd8860b86a38

SHA1
2026903d1ce8c02eda472a1a7a62f29177e01603

SHA256
729a1464dd8d66f171945d2507106f755128061a387905aa1ca3a3a7a10d8f88

SHA512
233e1fdb106bb78039c794b405c798d8175215a676f7f78fb5b78b8ad8d51d9d617f9d7f3ac94d4cb63bd146145d1b98c064ed48a29e398f47b15de96abe1448

Download Submit
C:\Windows\{5792BB88-E5E7-491c-A0EA-DC6E6A4C9DCD}.exe

Filesize
408KB

MD5
5db0b09fc338bdb4eec7a610528cc475

SHA1
3aa4e92128a4513f25a7302426418e583c7b015b

SHA256
d4acd9a5769e93d5f27783d14f972bf4ac860f1bfed4f0a9a0a116b8500fd488

SHA512
1f6b9ef5a0647650d6114385ab5ecaffc281df1a48faa409eeb4a80af71457f421f260e80621ce97455e707b2992e40b4cbf06ca208bc14661fe55027299b5af

Download Submit
C:\Windows\{5831644E-A2BD-486f-98FF-FDD715083E99}.exe

Filesize
408KB

MD5
c52c68a897ad3cb38dfea47eea34f818

SHA1
f357509775ddb035292eb49e7a8f3a92cf1cffab

SHA256
ec4b6a9edbd83e935d4fc71242d1d6da55a91cb0cdee5d97c087e802cbd493b6

SHA512
f24dcd413fcb9ea37608a48aeafed7a32e4797452fd824f9fd2e515346a690d657bf5a3fb9d00c8922200d4bcff766582855c5d55edbd1f13db2d7e57fa632a3

Download Submit
C:\Windows\{75C700F5-159D-45be-A5F5-4E26FC9D100E}.exe

Filesize
408KB

MD5
e25092a1bc88ec1652a52a1a9576a1c6

SHA1
645edf2d15215bf113159bb65266e2a386199483

SHA256
a4587d28e3671d10eef3be1bb142c7fe4988c622740a6229c3222ac68d350691

SHA512
ba7e5f3dfb550efda3e539ace48d462ccd749dc5a47123cc498ab2bf8fe532fc3a19476d1b3e743f7bc111c9bdc907ae92993cf947d3237abb35b33bcc37a025

Download Submit
C:\Windows\{8D60DB4E-B41F-426d-A767-61CC77B21665}.exe

Filesize
408KB

MD5
3c60352d85fe7cd03eea2e1873a43e09

SHA1
6e62566d9a9fc362971f6d5667601822d29a5496

SHA256
32fd076464b367b061c87bdbd40abcf245b2902b3fe9d068da021742a99538d1

SHA512
b78225285fa783ec5b1ec1546a72a943dc1e1cb58681e4a34c9d7666748f59d88f541480706be026e8928dbf01bae4c66060b95b590dd015f61953850627540b

Download Submit
C:\Windows\{C6BAEF83-90FF-4c8d-861B-F5E8F1A6E942}.exe

Filesize
408KB

MD5
ca56ce18a5aee1f95a75b4f683aa7428

SHA1
259545080c3102599d7a2186ea67fbc12c860d69

SHA256
c777800e1c8e24c692ff5f8de7feccce5e8490d72ddbdb9381788d51bfdcb081

SHA512
e79653d04b873bc909b9ee3627e76f4cdfb809ee94cc2a9362f8eef9786d42f37a6c189919eb58dbd8ba0e956b91b4fd8d6939d3549289d255ae805d08b49ca1

Download Submit
C:\Windows\{D79F09FC-91C0-43cc-878B-F177BBD81C28}.exe

Filesize
408KB

MD5
16aebf528b74deb750258ec17b9e63c6

SHA1
02f430280506f56e10c8624d73bc1c9ebfa03197

SHA256
67784c2a2345109085f808c649fa81491bf9405847aae6bfb4b59203c28d66c8

SHA512
a32bd3790a6a4e1d836f5367c8e102ed1416c525e6cca64be1ffbc707eeb4a7977b2920efc70d46dc21d63b02bb61b76d767b028c73ae99e299cfeee6bdfe7fb

Download Submit
C:\Windows\{F37B67C3-6705-404e-89CA-359238FAE566}.exe

Filesize
408KB

MD5
fbc02040b7b50476110f32aeb22422ea

SHA1
63f4e368b19ffd4d57e8ec94dbd19a17a5fddde0

SHA256
208191ea1a532ec5ed72fae9a8ce71c24bb832a1c1dea87a24caf4c56ab2aff5

SHA512
9771f1235fd51d4917d899a6ccf1d0d689b5b6e40f4379fba3c3cf96ea4f7e61166eabc11e0047e2e18f58b0face4ba40f10f91dc880aec5a6957d12ba05658b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads