ae68a4f5ab9cdc5ae5e3c144986dc8cfd51476826199c79b3b8d4808c64ccd63

Analysis

max time kernel
144s
max time network
121s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
08-05-2024 19:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-08_41fc29f916636233652684f7ea14011b_goldeneye.exe
Size

197KB
MD5

41fc29f916636233652684f7ea14011b
SHA1

6990594236bce3aa7399eb048c73e21ebdca114e
SHA256

ae68a4f5ab9cdc5ae5e3c144986dc8cfd51476826199c79b3b8d4808c64ccd63
SHA512

8488a5e50cc475acf83e34e339e28e1dd2a10c12c31a2c0703fa333865f043c3322d85d307e37b05de58cc6e3febb2a36f5d5e731f72ed8cd3cc2481b2bedc03
SSDEEP

3072:jEGh0oOl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGUlEeKcAEca

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000b00000001224c-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000012707-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c00000001224c-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002f000000014f57-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d00000001224c-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e00000001224c-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f00000001224c-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B7CF0857-3BC5-4937-8296-037F4D556EE5}\stubpath = "C:\\Windows\\{B7CF0857-3BC5-4937-8296-037F4D556EE5}.exe"	{9ECF0E39-156F-4524-A931-54B4D9AD8883}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7B56DACC-17EE-423a-923B-6C601997355D}	{F6CACD90-1A87-43ca-AC8C-798B1E505DB6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5ED03E10-2656-4673-AC58-6BF982FB00FF}	2024-05-08_41fc29f916636233652684f7ea14011b_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0B8EFD9B-6E29-46a6-A7AE-930EC17F0611}	{0700199E-87CE-4f57-9F12-25D4B3AD8AD4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9F832D70-1E4B-4d04-9356-3657C6111551}	{5ED03E10-2656-4673-AC58-6BF982FB00FF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9ECF0E39-156F-4524-A931-54B4D9AD8883}\stubpath = "C:\\Windows\\{9ECF0E39-156F-4524-A931-54B4D9AD8883}.exe"	{9F832D70-1E4B-4d04-9356-3657C6111551}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C428045A-E71A-45cc-8004-D581CB12DD9C}	{B7CF0857-3BC5-4937-8296-037F4D556EE5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C428045A-E71A-45cc-8004-D581CB12DD9C}\stubpath = "C:\\Windows\\{C428045A-E71A-45cc-8004-D581CB12DD9C}.exe"	{B7CF0857-3BC5-4937-8296-037F4D556EE5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EFE02A08-40C7-4067-AF9A-9C71A161634F}	{C428045A-E71A-45cc-8004-D581CB12DD9C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F6CACD90-1A87-43ca-AC8C-798B1E505DB6}	{EFE02A08-40C7-4067-AF9A-9C71A161634F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4564FD43-6D4B-48a7-BABD-B872D1A9AC67}	{7B56DACC-17EE-423a-923B-6C601997355D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4564FD43-6D4B-48a7-BABD-B872D1A9AC67}\stubpath = "C:\\Windows\\{4564FD43-6D4B-48a7-BABD-B872D1A9AC67}.exe"	{7B56DACC-17EE-423a-923B-6C601997355D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5ED03E10-2656-4673-AC58-6BF982FB00FF}\stubpath = "C:\\Windows\\{5ED03E10-2656-4673-AC58-6BF982FB00FF}.exe"	2024-05-08_41fc29f916636233652684f7ea14011b_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0700199E-87CE-4f57-9F12-25D4B3AD8AD4}	{4564FD43-6D4B-48a7-BABD-B872D1A9AC67}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9ECF0E39-156F-4524-A931-54B4D9AD8883}	{9F832D70-1E4B-4d04-9356-3657C6111551}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B7CF0857-3BC5-4937-8296-037F4D556EE5}	{9ECF0E39-156F-4524-A931-54B4D9AD8883}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EFE02A08-40C7-4067-AF9A-9C71A161634F}\stubpath = "C:\\Windows\\{EFE02A08-40C7-4067-AF9A-9C71A161634F}.exe"	{C428045A-E71A-45cc-8004-D581CB12DD9C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F6CACD90-1A87-43ca-AC8C-798B1E505DB6}\stubpath = "C:\\Windows\\{F6CACD90-1A87-43ca-AC8C-798B1E505DB6}.exe"	{EFE02A08-40C7-4067-AF9A-9C71A161634F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7B56DACC-17EE-423a-923B-6C601997355D}\stubpath = "C:\\Windows\\{7B56DACC-17EE-423a-923B-6C601997355D}.exe"	{F6CACD90-1A87-43ca-AC8C-798B1E505DB6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0700199E-87CE-4f57-9F12-25D4B3AD8AD4}\stubpath = "C:\\Windows\\{0700199E-87CE-4f57-9F12-25D4B3AD8AD4}.exe"	{4564FD43-6D4B-48a7-BABD-B872D1A9AC67}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0B8EFD9B-6E29-46a6-A7AE-930EC17F0611}\stubpath = "C:\\Windows\\{0B8EFD9B-6E29-46a6-A7AE-930EC17F0611}.exe"	{0700199E-87CE-4f57-9F12-25D4B3AD8AD4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9F832D70-1E4B-4d04-9356-3657C6111551}\stubpath = "C:\\Windows\\{9F832D70-1E4B-4d04-9356-3657C6111551}.exe"	{5ED03E10-2656-4673-AC58-6BF982FB00FF}.exe

Deletes itself 1 IoCs

pid	Process
2508	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2704	{5ED03E10-2656-4673-AC58-6BF982FB00FF}.exe
2548	{9F832D70-1E4B-4d04-9356-3657C6111551}.exe
2728	{9ECF0E39-156F-4524-A931-54B4D9AD8883}.exe
1588	{B7CF0857-3BC5-4937-8296-037F4D556EE5}.exe
2740	{C428045A-E71A-45cc-8004-D581CB12DD9C}.exe
296	{EFE02A08-40C7-4067-AF9A-9C71A161634F}.exe
2356	{F6CACD90-1A87-43ca-AC8C-798B1E505DB6}.exe
2024	{7B56DACC-17EE-423a-923B-6C601997355D}.exe
2864	{4564FD43-6D4B-48a7-BABD-B872D1A9AC67}.exe
1932	{0700199E-87CE-4f57-9F12-25D4B3AD8AD4}.exe
1392	{0B8EFD9B-6E29-46a6-A7AE-930EC17F0611}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{9F832D70-1E4B-4d04-9356-3657C6111551}.exe	{5ED03E10-2656-4673-AC58-6BF982FB00FF}.exe
File created	C:\Windows\{9ECF0E39-156F-4524-A931-54B4D9AD8883}.exe	{9F832D70-1E4B-4d04-9356-3657C6111551}.exe
File created	C:\Windows\{EFE02A08-40C7-4067-AF9A-9C71A161634F}.exe	{C428045A-E71A-45cc-8004-D581CB12DD9C}.exe
File created	C:\Windows\{F6CACD90-1A87-43ca-AC8C-798B1E505DB6}.exe	{EFE02A08-40C7-4067-AF9A-9C71A161634F}.exe
File created	C:\Windows\{7B56DACC-17EE-423a-923B-6C601997355D}.exe	{F6CACD90-1A87-43ca-AC8C-798B1E505DB6}.exe
File created	C:\Windows\{5ED03E10-2656-4673-AC58-6BF982FB00FF}.exe	2024-05-08_41fc29f916636233652684f7ea14011b_goldeneye.exe
File created	C:\Windows\{B7CF0857-3BC5-4937-8296-037F4D556EE5}.exe	{9ECF0E39-156F-4524-A931-54B4D9AD8883}.exe
File created	C:\Windows\{C428045A-E71A-45cc-8004-D581CB12DD9C}.exe	{B7CF0857-3BC5-4937-8296-037F4D556EE5}.exe
File created	C:\Windows\{4564FD43-6D4B-48a7-BABD-B872D1A9AC67}.exe	{7B56DACC-17EE-423a-923B-6C601997355D}.exe
File created	C:\Windows\{0700199E-87CE-4f57-9F12-25D4B3AD8AD4}.exe	{4564FD43-6D4B-48a7-BABD-B872D1A9AC67}.exe
File created	C:\Windows\{0B8EFD9B-6E29-46a6-A7AE-930EC17F0611}.exe	{0700199E-87CE-4f57-9F12-25D4B3AD8AD4}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2872	2024-05-08_41fc29f916636233652684f7ea14011b_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2704	{5ED03E10-2656-4673-AC58-6BF982FB00FF}.exe
Token: SeIncBasePriorityPrivilege	2548	{9F832D70-1E4B-4d04-9356-3657C6111551}.exe
Token: SeIncBasePriorityPrivilege	2728	{9ECF0E39-156F-4524-A931-54B4D9AD8883}.exe
Token: SeIncBasePriorityPrivilege	1588	{B7CF0857-3BC5-4937-8296-037F4D556EE5}.exe
Token: SeIncBasePriorityPrivilege	2740	{C428045A-E71A-45cc-8004-D581CB12DD9C}.exe
Token: SeIncBasePriorityPrivilege	296	{EFE02A08-40C7-4067-AF9A-9C71A161634F}.exe
Token: SeIncBasePriorityPrivilege	2356	{F6CACD90-1A87-43ca-AC8C-798B1E505DB6}.exe
Token: SeIncBasePriorityPrivilege	2024	{7B56DACC-17EE-423a-923B-6C601997355D}.exe
Token: SeIncBasePriorityPrivilege	2864	{4564FD43-6D4B-48a7-BABD-B872D1A9AC67}.exe
Token: SeIncBasePriorityPrivilege	1932	{0700199E-87CE-4f57-9F12-25D4B3AD8AD4}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2872 wrote to memory of 2704	2872	2024-05-08_41fc29f916636233652684f7ea14011b_goldeneye.exe	28
PID 2872 wrote to memory of 2704	2872	2024-05-08_41fc29f916636233652684f7ea14011b_goldeneye.exe	28
PID 2872 wrote to memory of 2704	2872	2024-05-08_41fc29f916636233652684f7ea14011b_goldeneye.exe	28
PID 2872 wrote to memory of 2704	2872	2024-05-08_41fc29f916636233652684f7ea14011b_goldeneye.exe	28
PID 2872 wrote to memory of 2508	2872	2024-05-08_41fc29f916636233652684f7ea14011b_goldeneye.exe	29
PID 2872 wrote to memory of 2508	2872	2024-05-08_41fc29f916636233652684f7ea14011b_goldeneye.exe	29
PID 2872 wrote to memory of 2508	2872	2024-05-08_41fc29f916636233652684f7ea14011b_goldeneye.exe	29
PID 2872 wrote to memory of 2508	2872	2024-05-08_41fc29f916636233652684f7ea14011b_goldeneye.exe	29
PID 2704 wrote to memory of 2548	2704	{5ED03E10-2656-4673-AC58-6BF982FB00FF}.exe	30
PID 2704 wrote to memory of 2548	2704	{5ED03E10-2656-4673-AC58-6BF982FB00FF}.exe	30
PID 2704 wrote to memory of 2548	2704	{5ED03E10-2656-4673-AC58-6BF982FB00FF}.exe	30
PID 2704 wrote to memory of 2548	2704	{5ED03E10-2656-4673-AC58-6BF982FB00FF}.exe	30
PID 2704 wrote to memory of 2708	2704	{5ED03E10-2656-4673-AC58-6BF982FB00FF}.exe	31
PID 2704 wrote to memory of 2708	2704	{5ED03E10-2656-4673-AC58-6BF982FB00FF}.exe	31
PID 2704 wrote to memory of 2708	2704	{5ED03E10-2656-4673-AC58-6BF982FB00FF}.exe	31
PID 2704 wrote to memory of 2708	2704	{5ED03E10-2656-4673-AC58-6BF982FB00FF}.exe	31
PID 2548 wrote to memory of 2728	2548	{9F832D70-1E4B-4d04-9356-3657C6111551}.exe	32
PID 2548 wrote to memory of 2728	2548	{9F832D70-1E4B-4d04-9356-3657C6111551}.exe	32
PID 2548 wrote to memory of 2728	2548	{9F832D70-1E4B-4d04-9356-3657C6111551}.exe	32
PID 2548 wrote to memory of 2728	2548	{9F832D70-1E4B-4d04-9356-3657C6111551}.exe	32
PID 2548 wrote to memory of 2564	2548	{9F832D70-1E4B-4d04-9356-3657C6111551}.exe	33
PID 2548 wrote to memory of 2564	2548	{9F832D70-1E4B-4d04-9356-3657C6111551}.exe	33
PID 2548 wrote to memory of 2564	2548	{9F832D70-1E4B-4d04-9356-3657C6111551}.exe	33
PID 2548 wrote to memory of 2564	2548	{9F832D70-1E4B-4d04-9356-3657C6111551}.exe	33
PID 2728 wrote to memory of 1588	2728	{9ECF0E39-156F-4524-A931-54B4D9AD8883}.exe	36
PID 2728 wrote to memory of 1588	2728	{9ECF0E39-156F-4524-A931-54B4D9AD8883}.exe	36
PID 2728 wrote to memory of 1588	2728	{9ECF0E39-156F-4524-A931-54B4D9AD8883}.exe	36
PID 2728 wrote to memory of 1588	2728	{9ECF0E39-156F-4524-A931-54B4D9AD8883}.exe	36
PID 2728 wrote to memory of 2468	2728	{9ECF0E39-156F-4524-A931-54B4D9AD8883}.exe	37
PID 2728 wrote to memory of 2468	2728	{9ECF0E39-156F-4524-A931-54B4D9AD8883}.exe	37
PID 2728 wrote to memory of 2468	2728	{9ECF0E39-156F-4524-A931-54B4D9AD8883}.exe	37
PID 2728 wrote to memory of 2468	2728	{9ECF0E39-156F-4524-A931-54B4D9AD8883}.exe	37
PID 1588 wrote to memory of 2740	1588	{B7CF0857-3BC5-4937-8296-037F4D556EE5}.exe	38
PID 1588 wrote to memory of 2740	1588	{B7CF0857-3BC5-4937-8296-037F4D556EE5}.exe	38
PID 1588 wrote to memory of 2740	1588	{B7CF0857-3BC5-4937-8296-037F4D556EE5}.exe	38
PID 1588 wrote to memory of 2740	1588	{B7CF0857-3BC5-4937-8296-037F4D556EE5}.exe	38
PID 1588 wrote to memory of 2780	1588	{B7CF0857-3BC5-4937-8296-037F4D556EE5}.exe	39
PID 1588 wrote to memory of 2780	1588	{B7CF0857-3BC5-4937-8296-037F4D556EE5}.exe	39
PID 1588 wrote to memory of 2780	1588	{B7CF0857-3BC5-4937-8296-037F4D556EE5}.exe	39
PID 1588 wrote to memory of 2780	1588	{B7CF0857-3BC5-4937-8296-037F4D556EE5}.exe	39
PID 2740 wrote to memory of 296	2740	{C428045A-E71A-45cc-8004-D581CB12DD9C}.exe	40
PID 2740 wrote to memory of 296	2740	{C428045A-E71A-45cc-8004-D581CB12DD9C}.exe	40
PID 2740 wrote to memory of 296	2740	{C428045A-E71A-45cc-8004-D581CB12DD9C}.exe	40
PID 2740 wrote to memory of 296	2740	{C428045A-E71A-45cc-8004-D581CB12DD9C}.exe	40
PID 2740 wrote to memory of 804	2740	{C428045A-E71A-45cc-8004-D581CB12DD9C}.exe	41
PID 2740 wrote to memory of 804	2740	{C428045A-E71A-45cc-8004-D581CB12DD9C}.exe	41
PID 2740 wrote to memory of 804	2740	{C428045A-E71A-45cc-8004-D581CB12DD9C}.exe	41
PID 2740 wrote to memory of 804	2740	{C428045A-E71A-45cc-8004-D581CB12DD9C}.exe	41
PID 296 wrote to memory of 2356	296	{EFE02A08-40C7-4067-AF9A-9C71A161634F}.exe	42
PID 296 wrote to memory of 2356	296	{EFE02A08-40C7-4067-AF9A-9C71A161634F}.exe	42
PID 296 wrote to memory of 2356	296	{EFE02A08-40C7-4067-AF9A-9C71A161634F}.exe	42
PID 296 wrote to memory of 2356	296	{EFE02A08-40C7-4067-AF9A-9C71A161634F}.exe	42
PID 296 wrote to memory of 1408	296	{EFE02A08-40C7-4067-AF9A-9C71A161634F}.exe	43
PID 296 wrote to memory of 1408	296	{EFE02A08-40C7-4067-AF9A-9C71A161634F}.exe	43
PID 296 wrote to memory of 1408	296	{EFE02A08-40C7-4067-AF9A-9C71A161634F}.exe	43
PID 296 wrote to memory of 1408	296	{EFE02A08-40C7-4067-AF9A-9C71A161634F}.exe	43
PID 2356 wrote to memory of 2024	2356	{F6CACD90-1A87-43ca-AC8C-798B1E505DB6}.exe	44
PID 2356 wrote to memory of 2024	2356	{F6CACD90-1A87-43ca-AC8C-798B1E505DB6}.exe	44
PID 2356 wrote to memory of 2024	2356	{F6CACD90-1A87-43ca-AC8C-798B1E505DB6}.exe	44
PID 2356 wrote to memory of 2024	2356	{F6CACD90-1A87-43ca-AC8C-798B1E505DB6}.exe	44
PID 2356 wrote to memory of 2040	2356	{F6CACD90-1A87-43ca-AC8C-798B1E505DB6}.exe	45
PID 2356 wrote to memory of 2040	2356	{F6CACD90-1A87-43ca-AC8C-798B1E505DB6}.exe	45
PID 2356 wrote to memory of 2040	2356	{F6CACD90-1A87-43ca-AC8C-798B1E505DB6}.exe	45
PID 2356 wrote to memory of 2040	2356	{F6CACD90-1A87-43ca-AC8C-798B1E505DB6}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-05-08_41fc29f916636233652684f7ea14011b_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-08_41fc29f916636233652684f7ea14011b_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2872
- C:\Windows\{5ED03E10-2656-4673-AC58-6BF982FB00FF}.exe
  C:\Windows\{5ED03E10-2656-4673-AC58-6BF982FB00FF}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2704
- - C:\Windows\{9F832D70-1E4B-4d04-9356-3657C6111551}.exe
    C:\Windows\{9F832D70-1E4B-4d04-9356-3657C6111551}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2548
  - - C:\Windows\{9ECF0E39-156F-4524-A931-54B4D9AD8883}.exe
      C:\Windows\{9ECF0E39-156F-4524-A931-54B4D9AD8883}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2728
    - - C:\Windows\{B7CF0857-3BC5-4937-8296-037F4D556EE5}.exe
        
        C:\Windows\{B7CF0857-3BC5-4937-8296-037F4D556EE5}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1588
      - C:\Windows\{C428045A-E71A-45cc-8004-D581CB12DD9C}.exe
        
        C:\Windows\{C428045A-E71A-45cc-8004-D581CB12DD9C}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2740
        
        C:\Windows\{EFE02A08-40C7-4067-AF9A-9C71A161634F}.exe
        
        C:\Windows\{EFE02A08-40C7-4067-AF9A-9C71A161634F}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:296
        
        C:\Windows\{F6CACD90-1A87-43ca-AC8C-798B1E505DB6}.exe
        
        C:\Windows\{F6CACD90-1A87-43ca-AC8C-798B1E505DB6}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2356
        
        C:\Windows\{7B56DACC-17EE-423a-923B-6C601997355D}.exe
        
        C:\Windows\{7B56DACC-17EE-423a-923B-6C601997355D}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2024
        
        C:\Windows\{4564FD43-6D4B-48a7-BABD-B872D1A9AC67}.exe
        
        C:\Windows\{4564FD43-6D4B-48a7-BABD-B872D1A9AC67}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2864
        
        C:\Windows\{0700199E-87CE-4f57-9F12-25D4B3AD8AD4}.exe
        
        C:\Windows\{0700199E-87CE-4f57-9F12-25D4B3AD8AD4}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1932
        
        C:\Windows\{0B8EFD9B-6E29-46a6-A7AE-930EC17F0611}.exe
        
        C:\Windows\{0B8EFD9B-6E29-46a6-A7AE-930EC17F0611}.exe
        12⤵
        Executes dropped EXE
        
        PID:1392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{07001~1.EXE > nul
        12⤵
        
        PID:840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4564F~1.EXE > nul
        11⤵
        
        PID:668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7B56D~1.EXE > nul
        10⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F6CAC~1.EXE > nul
        9⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EFE02~1.EXE > nul
        8⤵
        
        PID:1408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C4280~1.EXE > nul
        7⤵
        
        PID:804
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B7CF0~1.EXE > nul
        6⤵
        
        PID:2780
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9ECF0~1.EXE > nul
        5⤵
        
        PID:2468
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{9F832~1.EXE > nul
      4⤵
      PID:2564
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{5ED03~1.EXE > nul
    3⤵
    PID:2708
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0700199E-87CE-4f57-9F12-25D4B3AD8AD4}.exe

Filesize
197KB

MD5
69c567c626d55dc71d5cb11d7df1d3bb

SHA1
ce12278e315c4d7f8670b6d808dc3bd03813cff4

SHA256
33304a55cc39461949fcd9107c9154cffbcb4ca186e4c25a94ce6568803c3b8d

SHA512
916c312f23f1853f9294299e0d99772e62cbaf4a9b81cfb60543be9cc4e55a2aa741cee426897f06e24e700076edf6d7c9426d96768d6e6fcc93d6998b564fa1

Download Submit
C:\Windows\{0B8EFD9B-6E29-46a6-A7AE-930EC17F0611}.exe

Filesize
197KB

MD5
d762a14fc4c5d0b186538819cfa6c0cf

SHA1
1ba30e68b6e935dcaa56a0fc6fa52f7ddbbff594

SHA256
d3c873715068cbc540cccd6b00829ab2078719cd812e479f2f38e824a47957aa

SHA512
5af0c30ea3ed2d12b49f92979839d48dc507d3dfeac1f3257491dfec34cf84caa03e5a1ae391521959d0e42b9b3424793419a59d473cf664a53f7589029ac5a6

Download Submit
C:\Windows\{4564FD43-6D4B-48a7-BABD-B872D1A9AC67}.exe

Filesize
197KB

MD5
99f91292c866b8359e76aedf7731de7e

SHA1
6b63a876784d865af91d845283ca0bdb22f3885d

SHA256
77583d3dee3bf187eb6a4117c5f7c0a8e4ef4b2f5a68fc227d15e97a5625107b

SHA512
26b94bf9e707a8430c956775006005c8246aab1a3fb3b6ca3de47a4246df2f14fb67dcf79487e66392c014f5f5ecf3fbbd18d227faf23fc36e15bdca833336d3

Download Submit
C:\Windows\{5ED03E10-2656-4673-AC58-6BF982FB00FF}.exe

Filesize
197KB

MD5
df6e0e2e0c2bc10522d59b687731c465

SHA1
af407d5d0452b68f01ddb4092a7eca5a82ebca99

SHA256
650ac824bd360cf3e6fce02c7ccccb58aac7642746fa9d453500346352020994

SHA512
82830d2b011ab2f584cc381221858bccfb412224e09b275de479fc8f4602de68f4282ef0d5346960a16458115dc86fde36bf78a8b492c4579c69f2cecb6fb710

Download Submit
C:\Windows\{7B56DACC-17EE-423a-923B-6C601997355D}.exe

Filesize
197KB

MD5
a6355262564b2cb24469a729405918cc

SHA1
ca78e3ac417d0800702d41f870808870d7094032

SHA256
ed735e4f8b5054f69b5821c00b0c8adaaecd0e29c4e5548a23f04cdf21e19327

SHA512
760d4bf2937930adb3c47664bc36983c29b0bb87e689b5a67bab61ab09d06925ac62d0810a6efbbfe9ce33ef7112177ee35bea3405bb54ca9816fa930177ed92

Download Submit
C:\Windows\{9ECF0E39-156F-4524-A931-54B4D9AD8883}.exe

Filesize
197KB

MD5
6ea55283330a72f2d7a225a264fb7886

SHA1
42405432efb69ddec7181e02e98fa4fb9c1042b5

SHA256
cf3c396cabe07fb8dbba8bbc07afa9a555e845c1baafdb4f20aade0eacc4ca4e

SHA512
e609b697f5ad6d9328cd2a0bba3389c47a2152bd009d2f9b47cddc9e09de8b03956bcdf6bb5f45d1435ea3f38be2ba0d0f8a4f1313cf2a249dd09ab1a99d22a1

Download Submit
C:\Windows\{9F832D70-1E4B-4d04-9356-3657C6111551}.exe

Filesize
197KB

MD5
5407094590eb992c55558f52c7c9da01

SHA1
e8054f1748742eb7690a67a481c16c31deacd74a

SHA256
f89abd7bb0454345ae3a10e6e001e694848f0f73b0e575c1dbdcca7bbbb42f40

SHA512
392a488f00de3f0e46e22146b80ee8de35c0eb96009e8a6c712a9a66f735b5edd0ff8d6f7351358626f354123ac59ab8f90a7de0aa782307c41f4b6bd563cf7a

Download Submit
C:\Windows\{B7CF0857-3BC5-4937-8296-037F4D556EE5}.exe

Filesize
197KB

MD5
24f95541cd45fee1f037f92bbf78b861

SHA1
d7c129f0c0d46a36719fdb039234abbdbc44fe9c

SHA256
78551853f9a55e08eb945f5e2535ae3ad9ea280f8ff78cafd2c860a1aae044c1

SHA512
8c9b3de1cbea95ddd6d15744394390bee4edc85b33363e5d77f90d3ce22a0f17835d5368e9c25927168abaf01e7544b5136d76a63dd32035e1156ad756c26de3

Download Submit
C:\Windows\{C428045A-E71A-45cc-8004-D581CB12DD9C}.exe

Filesize
197KB

MD5
0bc7357b87adcb7d80cfa4a30fb6cbec

SHA1
f30c15974ac26464ca8c66fb1859b96a4a04d20c

SHA256
4283ff08d9ed46a8ba4de22de5ef689de8b07a43f85c2b9acf65cdeddadce712

SHA512
4de324c9b02bbb8e74ac9cdf58deabbcd382ffa6e787f272d09e5560824570b4caa48acc2f2373dbd23b3393e7470a0f0cc5577098928b1f8db52fa840c1bfeb

Download Submit
C:\Windows\{EFE02A08-40C7-4067-AF9A-9C71A161634F}.exe

Filesize
197KB

MD5
4a766b23301a1804e8d3634417a97fed

SHA1
1cebaebbcc8ea634b65468376bf49a713aa93a7e

SHA256
6d8107b35d527823f8722d7d30662cdb0b2bff0d5e36b9acf0946ad79da34912

SHA512
2ceee9bc9f412aa1c198da853f39bea82daf5b4765192bd6a813eeffcb9e7f692f43d94ab5c435d367bdabefc75a6fb51c5252f0dfd96fff7c4277e0b65c41a5

Download Submit
C:\Windows\{F6CACD90-1A87-43ca-AC8C-798B1E505DB6}.exe

Filesize
197KB

MD5
98e78ea1973d415fcedcd8a3eed8c721

SHA1
773c84071f4ee133c14a9d62b9fad5a400c1d3e0

SHA256
4dbf9b8861061b1034047d5f5af82b057d5b36038da69172e49bebad9b3b3b56

SHA512
5ca36e911a3209c17b01ea65c54722108e00c556218ace64f5e289bc914d7f173cf9440380e35fc052ae7eb44e1d9697ea1ffe72b5520018e394e5dfb9b57038

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads