151b8c97676b8a49587c3ebd2e84412b3759396aeee2a69ec65a9f7c30db2cb4

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
10/05/2024, 02:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-10_4922dd021c18bbd3d5fc0a36d268f28e_goldeneye.exe
Size

380KB
MD5

4922dd021c18bbd3d5fc0a36d268f28e
SHA1

cfe2ae4c1167095e08f85bc88ac741a41a0710de
SHA256

151b8c97676b8a49587c3ebd2e84412b3759396aeee2a69ec65a9f7c30db2cb4
SHA512

a323ab69224b2b59f36ea13684b082798c632bf008558f0f72248c31f70d355f967cff44a96a9a71ddc1fef1b8d3396e35a24caa733a2cc096d36b168818c5b7
SSDEEP

3072:mEGh0oblPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEG5l7Oe2MUVg3v2IneKcAEcARy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x00070000000122cd-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a000000013a45-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00080000000122cd-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a000000013a7c-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00090000000122cd-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a0000000122cd-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b000000013a7c-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b0000000122cd-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000013a7c-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6670A82E-142E-429e-BBF6-2A340A678F5B}\stubpath = "C:\\Windows\\{6670A82E-142E-429e-BBF6-2A340A678F5B}.exe"	{FDA20094-3A30-4389-A84C-B2D2D82B9690}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{43344D2E-1A52-4445-87C2-25045AFE56AD}\stubpath = "C:\\Windows\\{43344D2E-1A52-4445-87C2-25045AFE56AD}.exe"	{6670A82E-142E-429e-BBF6-2A340A678F5B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DC415425-9B35-4714-886D-1AD606866D0E}	{618DBB4F-5DF7-4541-AE56-C7E00CE4B388}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{21CA4B67-AFDC-450e-B810-12AD739CCE07}	{5CD1AB78-1691-47a0-B60F-C83C280E2742}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{21CA4B67-AFDC-450e-B810-12AD739CCE07}\stubpath = "C:\\Windows\\{21CA4B67-AFDC-450e-B810-12AD739CCE07}.exe"	{5CD1AB78-1691-47a0-B60F-C83C280E2742}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9BA77E71-3B48-4984-BD08-4830C42CBA13}	{21CA4B67-AFDC-450e-B810-12AD739CCE07}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9BA77E71-3B48-4984-BD08-4830C42CBA13}\stubpath = "C:\\Windows\\{9BA77E71-3B48-4984-BD08-4830C42CBA13}.exe"	{21CA4B67-AFDC-450e-B810-12AD739CCE07}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{43344D2E-1A52-4445-87C2-25045AFE56AD}	{6670A82E-142E-429e-BBF6-2A340A678F5B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7DD56996-B8DC-4713-BD98-40063937963E}	{43344D2E-1A52-4445-87C2-25045AFE56AD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B159F86E-671B-41c6-8BF8-BE639C05E239}\stubpath = "C:\\Windows\\{B159F86E-671B-41c6-8BF8-BE639C05E239}.exe"	{7AC69ECD-BC47-42bc-8931-343C902B1EBF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{618DBB4F-5DF7-4541-AE56-C7E00CE4B388}	{B159F86E-671B-41c6-8BF8-BE639C05E239}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{618DBB4F-5DF7-4541-AE56-C7E00CE4B388}\stubpath = "C:\\Windows\\{618DBB4F-5DF7-4541-AE56-C7E00CE4B388}.exe"	{B159F86E-671B-41c6-8BF8-BE639C05E239}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5CD1AB78-1691-47a0-B60F-C83C280E2742}\stubpath = "C:\\Windows\\{5CD1AB78-1691-47a0-B60F-C83C280E2742}.exe"	{DC415425-9B35-4714-886D-1AD606866D0E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FDA20094-3A30-4389-A84C-B2D2D82B9690}	2024-05-10_4922dd021c18bbd3d5fc0a36d268f28e_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7DD56996-B8DC-4713-BD98-40063937963E}\stubpath = "C:\\Windows\\{7DD56996-B8DC-4713-BD98-40063937963E}.exe"	{43344D2E-1A52-4445-87C2-25045AFE56AD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7AC69ECD-BC47-42bc-8931-343C902B1EBF}\stubpath = "C:\\Windows\\{7AC69ECD-BC47-42bc-8931-343C902B1EBF}.exe"	{7DD56996-B8DC-4713-BD98-40063937963E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DC415425-9B35-4714-886D-1AD606866D0E}\stubpath = "C:\\Windows\\{DC415425-9B35-4714-886D-1AD606866D0E}.exe"	{618DBB4F-5DF7-4541-AE56-C7E00CE4B388}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FDA20094-3A30-4389-A84C-B2D2D82B9690}\stubpath = "C:\\Windows\\{FDA20094-3A30-4389-A84C-B2D2D82B9690}.exe"	2024-05-10_4922dd021c18bbd3d5fc0a36d268f28e_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6670A82E-142E-429e-BBF6-2A340A678F5B}	{FDA20094-3A30-4389-A84C-B2D2D82B9690}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7AC69ECD-BC47-42bc-8931-343C902B1EBF}	{7DD56996-B8DC-4713-BD98-40063937963E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B159F86E-671B-41c6-8BF8-BE639C05E239}	{7AC69ECD-BC47-42bc-8931-343C902B1EBF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5CD1AB78-1691-47a0-B60F-C83C280E2742}	{DC415425-9B35-4714-886D-1AD606866D0E}.exe

Deletes itself 1 IoCs

pid	Process
2160	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2128	{FDA20094-3A30-4389-A84C-B2D2D82B9690}.exe
2788	{6670A82E-142E-429e-BBF6-2A340A678F5B}.exe
2568	{43344D2E-1A52-4445-87C2-25045AFE56AD}.exe
2608	{7DD56996-B8DC-4713-BD98-40063937963E}.exe
1416	{7AC69ECD-BC47-42bc-8931-343C902B1EBF}.exe
2700	{B159F86E-671B-41c6-8BF8-BE639C05E239}.exe
1860	{618DBB4F-5DF7-4541-AE56-C7E00CE4B388}.exe
2720	{DC415425-9B35-4714-886D-1AD606866D0E}.exe
2892	{5CD1AB78-1691-47a0-B60F-C83C280E2742}.exe
2200	{21CA4B67-AFDC-450e-B810-12AD739CCE07}.exe
588	{9BA77E71-3B48-4984-BD08-4830C42CBA13}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{FDA20094-3A30-4389-A84C-B2D2D82B9690}.exe	2024-05-10_4922dd021c18bbd3d5fc0a36d268f28e_goldeneye.exe
File created	C:\Windows\{6670A82E-142E-429e-BBF6-2A340A678F5B}.exe	{FDA20094-3A30-4389-A84C-B2D2D82B9690}.exe
File created	C:\Windows\{B159F86E-671B-41c6-8BF8-BE639C05E239}.exe	{7AC69ECD-BC47-42bc-8931-343C902B1EBF}.exe
File created	C:\Windows\{618DBB4F-5DF7-4541-AE56-C7E00CE4B388}.exe	{B159F86E-671B-41c6-8BF8-BE639C05E239}.exe
File created	C:\Windows\{DC415425-9B35-4714-886D-1AD606866D0E}.exe	{618DBB4F-5DF7-4541-AE56-C7E00CE4B388}.exe
File created	C:\Windows\{9BA77E71-3B48-4984-BD08-4830C42CBA13}.exe	{21CA4B67-AFDC-450e-B810-12AD739CCE07}.exe
File created	C:\Windows\{43344D2E-1A52-4445-87C2-25045AFE56AD}.exe	{6670A82E-142E-429e-BBF6-2A340A678F5B}.exe
File created	C:\Windows\{7DD56996-B8DC-4713-BD98-40063937963E}.exe	{43344D2E-1A52-4445-87C2-25045AFE56AD}.exe
File created	C:\Windows\{7AC69ECD-BC47-42bc-8931-343C902B1EBF}.exe	{7DD56996-B8DC-4713-BD98-40063937963E}.exe
File created	C:\Windows\{5CD1AB78-1691-47a0-B60F-C83C280E2742}.exe	{DC415425-9B35-4714-886D-1AD606866D0E}.exe
File created	C:\Windows\{21CA4B67-AFDC-450e-B810-12AD739CCE07}.exe	{5CD1AB78-1691-47a0-B60F-C83C280E2742}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2156	2024-05-10_4922dd021c18bbd3d5fc0a36d268f28e_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2128	{FDA20094-3A30-4389-A84C-B2D2D82B9690}.exe
Token: SeIncBasePriorityPrivilege	2788	{6670A82E-142E-429e-BBF6-2A340A678F5B}.exe
Token: SeIncBasePriorityPrivilege	2568	{43344D2E-1A52-4445-87C2-25045AFE56AD}.exe
Token: SeIncBasePriorityPrivilege	2608	{7DD56996-B8DC-4713-BD98-40063937963E}.exe
Token: SeIncBasePriorityPrivilege	1416	{7AC69ECD-BC47-42bc-8931-343C902B1EBF}.exe
Token: SeIncBasePriorityPrivilege	2700	{B159F86E-671B-41c6-8BF8-BE639C05E239}.exe
Token: SeIncBasePriorityPrivilege	1860	{618DBB4F-5DF7-4541-AE56-C7E00CE4B388}.exe
Token: SeIncBasePriorityPrivilege	2720	{DC415425-9B35-4714-886D-1AD606866D0E}.exe
Token: SeIncBasePriorityPrivilege	2892	{5CD1AB78-1691-47a0-B60F-C83C280E2742}.exe
Token: SeIncBasePriorityPrivilege	2200	{21CA4B67-AFDC-450e-B810-12AD739CCE07}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2156 wrote to memory of 2128	2156	2024-05-10_4922dd021c18bbd3d5fc0a36d268f28e_goldeneye.exe	28
PID 2156 wrote to memory of 2128	2156	2024-05-10_4922dd021c18bbd3d5fc0a36d268f28e_goldeneye.exe	28
PID 2156 wrote to memory of 2128	2156	2024-05-10_4922dd021c18bbd3d5fc0a36d268f28e_goldeneye.exe	28
PID 2156 wrote to memory of 2128	2156	2024-05-10_4922dd021c18bbd3d5fc0a36d268f28e_goldeneye.exe	28
PID 2156 wrote to memory of 2160	2156	2024-05-10_4922dd021c18bbd3d5fc0a36d268f28e_goldeneye.exe	29
PID 2156 wrote to memory of 2160	2156	2024-05-10_4922dd021c18bbd3d5fc0a36d268f28e_goldeneye.exe	29
PID 2156 wrote to memory of 2160	2156	2024-05-10_4922dd021c18bbd3d5fc0a36d268f28e_goldeneye.exe	29
PID 2156 wrote to memory of 2160	2156	2024-05-10_4922dd021c18bbd3d5fc0a36d268f28e_goldeneye.exe	29
PID 2128 wrote to memory of 2788	2128	{FDA20094-3A30-4389-A84C-B2D2D82B9690}.exe	30
PID 2128 wrote to memory of 2788	2128	{FDA20094-3A30-4389-A84C-B2D2D82B9690}.exe	30
PID 2128 wrote to memory of 2788	2128	{FDA20094-3A30-4389-A84C-B2D2D82B9690}.exe	30
PID 2128 wrote to memory of 2788	2128	{FDA20094-3A30-4389-A84C-B2D2D82B9690}.exe	30
PID 2128 wrote to memory of 2544	2128	{FDA20094-3A30-4389-A84C-B2D2D82B9690}.exe	31
PID 2128 wrote to memory of 2544	2128	{FDA20094-3A30-4389-A84C-B2D2D82B9690}.exe	31
PID 2128 wrote to memory of 2544	2128	{FDA20094-3A30-4389-A84C-B2D2D82B9690}.exe	31
PID 2128 wrote to memory of 2544	2128	{FDA20094-3A30-4389-A84C-B2D2D82B9690}.exe	31
PID 2788 wrote to memory of 2568	2788	{6670A82E-142E-429e-BBF6-2A340A678F5B}.exe	32
PID 2788 wrote to memory of 2568	2788	{6670A82E-142E-429e-BBF6-2A340A678F5B}.exe	32
PID 2788 wrote to memory of 2568	2788	{6670A82E-142E-429e-BBF6-2A340A678F5B}.exe	32
PID 2788 wrote to memory of 2568	2788	{6670A82E-142E-429e-BBF6-2A340A678F5B}.exe	32
PID 2788 wrote to memory of 2640	2788	{6670A82E-142E-429e-BBF6-2A340A678F5B}.exe	33
PID 2788 wrote to memory of 2640	2788	{6670A82E-142E-429e-BBF6-2A340A678F5B}.exe	33
PID 2788 wrote to memory of 2640	2788	{6670A82E-142E-429e-BBF6-2A340A678F5B}.exe	33
PID 2788 wrote to memory of 2640	2788	{6670A82E-142E-429e-BBF6-2A340A678F5B}.exe	33
PID 2568 wrote to memory of 2608	2568	{43344D2E-1A52-4445-87C2-25045AFE56AD}.exe	36
PID 2568 wrote to memory of 2608	2568	{43344D2E-1A52-4445-87C2-25045AFE56AD}.exe	36
PID 2568 wrote to memory of 2608	2568	{43344D2E-1A52-4445-87C2-25045AFE56AD}.exe	36
PID 2568 wrote to memory of 2608	2568	{43344D2E-1A52-4445-87C2-25045AFE56AD}.exe	36
PID 2568 wrote to memory of 2652	2568	{43344D2E-1A52-4445-87C2-25045AFE56AD}.exe	37
PID 2568 wrote to memory of 2652	2568	{43344D2E-1A52-4445-87C2-25045AFE56AD}.exe	37
PID 2568 wrote to memory of 2652	2568	{43344D2E-1A52-4445-87C2-25045AFE56AD}.exe	37
PID 2568 wrote to memory of 2652	2568	{43344D2E-1A52-4445-87C2-25045AFE56AD}.exe	37
PID 2608 wrote to memory of 1416	2608	{7DD56996-B8DC-4713-BD98-40063937963E}.exe	38
PID 2608 wrote to memory of 1416	2608	{7DD56996-B8DC-4713-BD98-40063937963E}.exe	38
PID 2608 wrote to memory of 1416	2608	{7DD56996-B8DC-4713-BD98-40063937963E}.exe	38
PID 2608 wrote to memory of 1416	2608	{7DD56996-B8DC-4713-BD98-40063937963E}.exe	38
PID 2608 wrote to memory of 2208	2608	{7DD56996-B8DC-4713-BD98-40063937963E}.exe	39
PID 2608 wrote to memory of 2208	2608	{7DD56996-B8DC-4713-BD98-40063937963E}.exe	39
PID 2608 wrote to memory of 2208	2608	{7DD56996-B8DC-4713-BD98-40063937963E}.exe	39
PID 2608 wrote to memory of 2208	2608	{7DD56996-B8DC-4713-BD98-40063937963E}.exe	39
PID 1416 wrote to memory of 2700	1416	{7AC69ECD-BC47-42bc-8931-343C902B1EBF}.exe	40
PID 1416 wrote to memory of 2700	1416	{7AC69ECD-BC47-42bc-8931-343C902B1EBF}.exe	40
PID 1416 wrote to memory of 2700	1416	{7AC69ECD-BC47-42bc-8931-343C902B1EBF}.exe	40
PID 1416 wrote to memory of 2700	1416	{7AC69ECD-BC47-42bc-8931-343C902B1EBF}.exe	40
PID 1416 wrote to memory of 280	1416	{7AC69ECD-BC47-42bc-8931-343C902B1EBF}.exe	41
PID 1416 wrote to memory of 280	1416	{7AC69ECD-BC47-42bc-8931-343C902B1EBF}.exe	41
PID 1416 wrote to memory of 280	1416	{7AC69ECD-BC47-42bc-8931-343C902B1EBF}.exe	41
PID 1416 wrote to memory of 280	1416	{7AC69ECD-BC47-42bc-8931-343C902B1EBF}.exe	41
PID 2700 wrote to memory of 1860	2700	{B159F86E-671B-41c6-8BF8-BE639C05E239}.exe	42
PID 2700 wrote to memory of 1860	2700	{B159F86E-671B-41c6-8BF8-BE639C05E239}.exe	42
PID 2700 wrote to memory of 1860	2700	{B159F86E-671B-41c6-8BF8-BE639C05E239}.exe	42
PID 2700 wrote to memory of 1860	2700	{B159F86E-671B-41c6-8BF8-BE639C05E239}.exe	42
PID 2700 wrote to memory of 2600	2700	{B159F86E-671B-41c6-8BF8-BE639C05E239}.exe	43
PID 2700 wrote to memory of 2600	2700	{B159F86E-671B-41c6-8BF8-BE639C05E239}.exe	43
PID 2700 wrote to memory of 2600	2700	{B159F86E-671B-41c6-8BF8-BE639C05E239}.exe	43
PID 2700 wrote to memory of 2600	2700	{B159F86E-671B-41c6-8BF8-BE639C05E239}.exe	43
PID 1860 wrote to memory of 2720	1860	{618DBB4F-5DF7-4541-AE56-C7E00CE4B388}.exe	44
PID 1860 wrote to memory of 2720	1860	{618DBB4F-5DF7-4541-AE56-C7E00CE4B388}.exe	44
PID 1860 wrote to memory of 2720	1860	{618DBB4F-5DF7-4541-AE56-C7E00CE4B388}.exe	44
PID 1860 wrote to memory of 2720	1860	{618DBB4F-5DF7-4541-AE56-C7E00CE4B388}.exe	44
PID 1860 wrote to memory of 1620	1860	{618DBB4F-5DF7-4541-AE56-C7E00CE4B388}.exe	45
PID 1860 wrote to memory of 1620	1860	{618DBB4F-5DF7-4541-AE56-C7E00CE4B388}.exe	45
PID 1860 wrote to memory of 1620	1860	{618DBB4F-5DF7-4541-AE56-C7E00CE4B388}.exe	45
PID 1860 wrote to memory of 1620	1860	{618DBB4F-5DF7-4541-AE56-C7E00CE4B388}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-05-10_4922dd021c18bbd3d5fc0a36d268f28e_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-10_4922dd021c18bbd3d5fc0a36d268f28e_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2156
- C:\Windows\{FDA20094-3A30-4389-A84C-B2D2D82B9690}.exe
  C:\Windows\{FDA20094-3A30-4389-A84C-B2D2D82B9690}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2128
- - C:\Windows\{6670A82E-142E-429e-BBF6-2A340A678F5B}.exe
    C:\Windows\{6670A82E-142E-429e-BBF6-2A340A678F5B}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2788
  - - C:\Windows\{43344D2E-1A52-4445-87C2-25045AFE56AD}.exe
      C:\Windows\{43344D2E-1A52-4445-87C2-25045AFE56AD}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2568
    - - C:\Windows\{7DD56996-B8DC-4713-BD98-40063937963E}.exe
        
        C:\Windows\{7DD56996-B8DC-4713-BD98-40063937963E}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2608
      - C:\Windows\{7AC69ECD-BC47-42bc-8931-343C902B1EBF}.exe
        
        C:\Windows\{7AC69ECD-BC47-42bc-8931-343C902B1EBF}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1416
        
        C:\Windows\{B159F86E-671B-41c6-8BF8-BE639C05E239}.exe
        
        C:\Windows\{B159F86E-671B-41c6-8BF8-BE639C05E239}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2700
        
        C:\Windows\{618DBB4F-5DF7-4541-AE56-C7E00CE4B388}.exe
        
        C:\Windows\{618DBB4F-5DF7-4541-AE56-C7E00CE4B388}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1860
        
        C:\Windows\{DC415425-9B35-4714-886D-1AD606866D0E}.exe
        
        C:\Windows\{DC415425-9B35-4714-886D-1AD606866D0E}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2720
        
        C:\Windows\{5CD1AB78-1691-47a0-B60F-C83C280E2742}.exe
        
        C:\Windows\{5CD1AB78-1691-47a0-B60F-C83C280E2742}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2892
        
        C:\Windows\{21CA4B67-AFDC-450e-B810-12AD739CCE07}.exe
        
        C:\Windows\{21CA4B67-AFDC-450e-B810-12AD739CCE07}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2200
        
        C:\Windows\{9BA77E71-3B48-4984-BD08-4830C42CBA13}.exe
        
        C:\Windows\{9BA77E71-3B48-4984-BD08-4830C42CBA13}.exe
        12⤵
        Executes dropped EXE
        
        PID:588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{21CA4~1.EXE > nul
        12⤵
        
        PID:1480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5CD1A~1.EXE > nul
        11⤵
        
        PID:320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DC415~1.EXE > nul
        10⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{618DB~1.EXE > nul
        9⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B159F~1.EXE > nul
        8⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7AC69~1.EXE > nul
        7⤵
        
        PID:280
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7DD56~1.EXE > nul
        6⤵
        
        PID:2208
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{43344~1.EXE > nul
        5⤵
        
        PID:2652
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{6670A~1.EXE > nul
      4⤵
      PID:2640
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{FDA20~1.EXE > nul
    3⤵
    PID:2544
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2160

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{21CA4B67-AFDC-450e-B810-12AD739CCE07}.exe

Filesize
380KB

MD5
82676c75c168dc0fbe366d1f1d240c90

SHA1
15e93625a03035c4752353391774be02e5d34823

SHA256
4f7f49d34f26fa47e0998666168bd35e4fb069a05460fe44df1d0a2ca43ec3c4

SHA512
00d9dea0044c08418e784f1355b71315e78d1fbb4bdbf6f70619cad8f5fcb006f1ed295abbd7355dcfc1c88a966a80900fc17b95edea1a0d30d29bac033175fc

Download Submit
C:\Windows\{43344D2E-1A52-4445-87C2-25045AFE56AD}.exe

Filesize
380KB

MD5
30e55426fcf262715b585e5f5b92e1a5

SHA1
0e76efa70c05967954e48c3ab402d5d370d225a6

SHA256
f09cc9b4a53a5b216ec9c92f993dd7b4549bbfbaaa106acd6ccc3c6727e2ab55

SHA512
35b81dde387caa85751f3c9b46eed540a70b4d27fd2c84f9eae2b6ca26211c13443960fc7616c8c5fcbb79750c09253445bb62ee969066611695b4c173f549d1

Download Submit
C:\Windows\{5CD1AB78-1691-47a0-B60F-C83C280E2742}.exe

Filesize
380KB

MD5
77fd1088a38d543f2d92cf91d51b7cd3

SHA1
c8fdd9d3ac7a3a1c6f8e05b9f664db0276cfd757

SHA256
a7f8b224858838dfd8f26fcc558be1955d28f83e80a9560ef56209480b2fb898

SHA512
36c2f5ebe22b323c99db8753649574d02223b432477da6554ada6f0494cf2965a8345e55fc01220eb1c0fe5ef9e6bdf353ae1c2106d0ba463dac410518917378

Download Submit
C:\Windows\{618DBB4F-5DF7-4541-AE56-C7E00CE4B388}.exe

Filesize
380KB

MD5
7b4b4c88f6dc36ebe8d3025a6b927369

SHA1
4eef8f876ea677bb9eccb0dfd45a438e540eb0f9

SHA256
7d0ba8a75993e44f48e0ac927e2e826596a66185d2ee64fc9874079c8d9468f0

SHA512
5c16a4858e4a4c0ce7488f30b720078e0a84799b952b0b3a21a773c10420d9f77c1335b200cf32e53a848d28c24fbd47c7de1bdb8922e8bb71b921904e159d7b

Download Submit
C:\Windows\{6670A82E-142E-429e-BBF6-2A340A678F5B}.exe

Filesize
380KB

MD5
cacd4fec91a1f9379a0b08678d340767

SHA1
5ed9286dcbc0e9a10a6baf9e509d99d4aa54867f

SHA256
2871808c2f4d810fed5637e3bfe31f32ce90699641c1f37a2abdbe6dff9e4b1d

SHA512
aecea211c9cf1f12b16f520ba27a0c9e4f9bd2d07e481728ec427d6eae7b0ed246c9180f36dff02a3f22e4c8a00806372f6a3b36512820dbc6b2a7b123174490

Download Submit
C:\Windows\{7AC69ECD-BC47-42bc-8931-343C902B1EBF}.exe

Filesize
380KB

MD5
a8361cdcd63beb660d3ad62846222f62

SHA1
5dfc6f4209b4fc6bc441a9a50bded062bf24863e

SHA256
6b033ff0d3637bef2883f613787779dd0d5cd2c46167e9895f6c71ceead262d2

SHA512
72fd9156ef7b0c3a4b78642aa507dd0dc4361783fe855e58d3294cfc2a3ec0d30f27827dde5a6a350cee50c88f66836d90e90278cafe8bc9da009cdd9faef331

Download Submit
C:\Windows\{7DD56996-B8DC-4713-BD98-40063937963E}.exe

Filesize
380KB

MD5
8ab04698f1b541039b5b2721ce9d9165

SHA1
257e32674f948c74e9084911f5531678200ad583

SHA256
67b54d9d216c85d3de990dfd77dd441b122ec58a1bc2f046f9595fd6ca65925a

SHA512
9c0375b92459f51b890c237cd4607677fa180321462ed1f34ed6c6a909cd82c466ac6bf4c549b7fe9d0bd78c8f28d89565639b3159ef72fccbf9edc542e8c566

Download Submit
C:\Windows\{9BA77E71-3B48-4984-BD08-4830C42CBA13}.exe

Filesize
380KB

MD5
926a27673d07fb7971faa0b6767babb1

SHA1
946c4e54408bff18182ecb552c7b99285ad2f589

SHA256
020cd67d57c9457b5ebb762b2307f6be44b97f75a9bdc57d66699057fa1e96de

SHA512
ea79ee95edfc195326f24af8d0164844821a76707c4b8a6c3fa57486971b6df16125ac0f9ebfb361fe245d7523ad50a6740157189ac67ae6e423bef80f7111b3

Download Submit
C:\Windows\{B159F86E-671B-41c6-8BF8-BE639C05E239}.exe

Filesize
380KB

MD5
8ec203227184a8902615e2d27843fa67

SHA1
60d69577b26aaccd013371890bd3ba06450254b4

SHA256
090ae3fbc6abd66cc95debc801fa18ef080fbed6360273e71f411a01a7407ca3

SHA512
515b040bce72697dbe213665371a976f1b877c1d8656db9e872e70cc9733bf72b37bad36e2b483de695b919b1a49ce4b9e0a31de818ba822dbbef67f1fff8269

Download Submit
C:\Windows\{DC415425-9B35-4714-886D-1AD606866D0E}.exe

Filesize
380KB

MD5
d85639b3a77c1dbb0c18255d3d307525

SHA1
8a56de5a3c38536341ae8f16594895ca65cfda4c

SHA256
b33ab5223de94442f2a85b227951afeeb87c2a9c6234753da663fd0b5a2719ff

SHA512
f59fe490d48776f673ea8da7c79d6e1e02bdafe285bf607753b46f6e18228561b1b4cd5c71e6df046e7b0ba59f5fa867a450cef7ad1f41634e1db7331176fe9b

Download Submit
C:\Windows\{FDA20094-3A30-4389-A84C-B2D2D82B9690}.exe

Filesize
380KB

MD5
aac7b2950cf4f2ebfab00631754e1418

SHA1
7d377dc27bd527b1c86799c7dd1b4aa49e77507a

SHA256
5df8a2a79ef4a8da7c4c5b6dc9c908feae5da8a61a4e44936ceeb60cbaa2b9ed

SHA512
5337559a6a793dd1acc0c5e374e26a6d558cf2abd297cd4bb4c4b163258a9475984125e8243bbb3fce568d1d0877523d1e8913a44494e0b91f9baecee2503e89

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads