fe81d86b318facffe9a124b9428beb4bf60f477928b4cb0b81e1011f9ba5c5bc

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
10/05/2024, 07:58

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-05-10_ce7258d50e41f59a7115ee8ed9e9b87c_goldeneye.exe
Size

372KB
MD5

ce7258d50e41f59a7115ee8ed9e9b87c
SHA1

009e61b451df7c8820de3267834b17b317f4cf94
SHA256

fe81d86b318facffe9a124b9428beb4bf60f477928b4cb0b81e1011f9ba5c5bc
SHA512

d8b406997be1c02478677b909dfad81cdfd106e7a70ae0aab52591c9846610ae37fc220ebf3c229385cbcaae0fbddf252aa947f6667fd13028dc01d15876fbb8
SSDEEP

3072:CEGh0oJlMOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBfM:CEGflkOe2MUVg3vTeKcAEciTBqr3

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000d000000012333-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00350000000149ea-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e000000012333-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0033000000014b12-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f000000012333-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0010000000012333-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0011000000012333-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2879E20D-FA83-4d60-892F-F30493D0630E}	{372E5E3E-85DB-4c93-A9C0-AA994504C75B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2879E20D-FA83-4d60-892F-F30493D0630E}\stubpath = "C:\\Windows\\{2879E20D-FA83-4d60-892F-F30493D0630E}.exe"	{372E5E3E-85DB-4c93-A9C0-AA994504C75B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{44924D86-1953-4d8c-823D-AE7D7251FCF2}\stubpath = "C:\\Windows\\{44924D86-1953-4d8c-823D-AE7D7251FCF2}.exe"	{22A3ED35-943D-4d98-B4C9-C7B435EA1D8F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DD2540A0-56AE-4012-AA02-CCD89D8F47D0}	{44924D86-1953-4d8c-823D-AE7D7251FCF2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9DF6A318-488B-438e-BE66-83DFD1EABB59}\stubpath = "C:\\Windows\\{9DF6A318-488B-438e-BE66-83DFD1EABB59}.exe"	{A88B9AE6-1CA1-4ed3-85DB-4DB5AAFE52BD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{372E5E3E-85DB-4c93-A9C0-AA994504C75B}	{9DF6A318-488B-438e-BE66-83DFD1EABB59}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{372E5E3E-85DB-4c93-A9C0-AA994504C75B}\stubpath = "C:\\Windows\\{372E5E3E-85DB-4c93-A9C0-AA994504C75B}.exe"	{9DF6A318-488B-438e-BE66-83DFD1EABB59}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{19131B25-1BB4-4965-ACB0-1724512A223A}	{2879E20D-FA83-4d60-892F-F30493D0630E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{19131B25-1BB4-4965-ACB0-1724512A223A}\stubpath = "C:\\Windows\\{19131B25-1BB4-4965-ACB0-1724512A223A}.exe"	{2879E20D-FA83-4d60-892F-F30493D0630E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{22A3ED35-943D-4d98-B4C9-C7B435EA1D8F}	{5D4E2A71-F77F-4f01-920F-E45EABC06C73}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9DF6A318-488B-438e-BE66-83DFD1EABB59}	{A88B9AE6-1CA1-4ed3-85DB-4DB5AAFE52BD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B22FF016-2546-44a2-858D-5C9A523AD71A}\stubpath = "C:\\Windows\\{B22FF016-2546-44a2-858D-5C9A523AD71A}.exe"	{927EEEC2-C65D-4f29-AF69-E415E1CBD5FC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5D4E2A71-F77F-4f01-920F-E45EABC06C73}	{B22FF016-2546-44a2-858D-5C9A523AD71A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5D4E2A71-F77F-4f01-920F-E45EABC06C73}\stubpath = "C:\\Windows\\{5D4E2A71-F77F-4f01-920F-E45EABC06C73}.exe"	{B22FF016-2546-44a2-858D-5C9A523AD71A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{44924D86-1953-4d8c-823D-AE7D7251FCF2}	{22A3ED35-943D-4d98-B4C9-C7B435EA1D8F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DD2540A0-56AE-4012-AA02-CCD89D8F47D0}\stubpath = "C:\\Windows\\{DD2540A0-56AE-4012-AA02-CCD89D8F47D0}.exe"	{44924D86-1953-4d8c-823D-AE7D7251FCF2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A88B9AE6-1CA1-4ed3-85DB-4DB5AAFE52BD}\stubpath = "C:\\Windows\\{A88B9AE6-1CA1-4ed3-85DB-4DB5AAFE52BD}.exe"	2024-05-10_ce7258d50e41f59a7115ee8ed9e9b87c_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{927EEEC2-C65D-4f29-AF69-E415E1CBD5FC}	{19131B25-1BB4-4965-ACB0-1724512A223A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{927EEEC2-C65D-4f29-AF69-E415E1CBD5FC}\stubpath = "C:\\Windows\\{927EEEC2-C65D-4f29-AF69-E415E1CBD5FC}.exe"	{19131B25-1BB4-4965-ACB0-1724512A223A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B22FF016-2546-44a2-858D-5C9A523AD71A}	{927EEEC2-C65D-4f29-AF69-E415E1CBD5FC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{22A3ED35-943D-4d98-B4C9-C7B435EA1D8F}\stubpath = "C:\\Windows\\{22A3ED35-943D-4d98-B4C9-C7B435EA1D8F}.exe"	{5D4E2A71-F77F-4f01-920F-E45EABC06C73}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A88B9AE6-1CA1-4ed3-85DB-4DB5AAFE52BD}	2024-05-10_ce7258d50e41f59a7115ee8ed9e9b87c_goldeneye.exe

Deletes itself 1 IoCs

pid	Process
2640	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2108	{A88B9AE6-1CA1-4ed3-85DB-4DB5AAFE52BD}.exe
2720	{9DF6A318-488B-438e-BE66-83DFD1EABB59}.exe
2768	{372E5E3E-85DB-4c93-A9C0-AA994504C75B}.exe
556	{2879E20D-FA83-4d60-892F-F30493D0630E}.exe
2792	{19131B25-1BB4-4965-ACB0-1724512A223A}.exe
884	{927EEEC2-C65D-4f29-AF69-E415E1CBD5FC}.exe
1680	{B22FF016-2546-44a2-858D-5C9A523AD71A}.exe
2644	{5D4E2A71-F77F-4f01-920F-E45EABC06C73}.exe
2384	{22A3ED35-943D-4d98-B4C9-C7B435EA1D8F}.exe
2280	{44924D86-1953-4d8c-823D-AE7D7251FCF2}.exe
560	{DD2540A0-56AE-4012-AA02-CCD89D8F47D0}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{372E5E3E-85DB-4c93-A9C0-AA994504C75B}.exe	{9DF6A318-488B-438e-BE66-83DFD1EABB59}.exe
File created	C:\Windows\{2879E20D-FA83-4d60-892F-F30493D0630E}.exe	{372E5E3E-85DB-4c93-A9C0-AA994504C75B}.exe
File created	C:\Windows\{927EEEC2-C65D-4f29-AF69-E415E1CBD5FC}.exe	{19131B25-1BB4-4965-ACB0-1724512A223A}.exe
File created	C:\Windows\{44924D86-1953-4d8c-823D-AE7D7251FCF2}.exe	{22A3ED35-943D-4d98-B4C9-C7B435EA1D8F}.exe
File created	C:\Windows\{A88B9AE6-1CA1-4ed3-85DB-4DB5AAFE52BD}.exe	2024-05-10_ce7258d50e41f59a7115ee8ed9e9b87c_goldeneye.exe
File created	C:\Windows\{19131B25-1BB4-4965-ACB0-1724512A223A}.exe	{2879E20D-FA83-4d60-892F-F30493D0630E}.exe
File created	C:\Windows\{B22FF016-2546-44a2-858D-5C9A523AD71A}.exe	{927EEEC2-C65D-4f29-AF69-E415E1CBD5FC}.exe
File created	C:\Windows\{5D4E2A71-F77F-4f01-920F-E45EABC06C73}.exe	{B22FF016-2546-44a2-858D-5C9A523AD71A}.exe
File created	C:\Windows\{22A3ED35-943D-4d98-B4C9-C7B435EA1D8F}.exe	{5D4E2A71-F77F-4f01-920F-E45EABC06C73}.exe
File created	C:\Windows\{DD2540A0-56AE-4012-AA02-CCD89D8F47D0}.exe	{44924D86-1953-4d8c-823D-AE7D7251FCF2}.exe
File created	C:\Windows\{9DF6A318-488B-438e-BE66-83DFD1EABB59}.exe	{A88B9AE6-1CA1-4ed3-85DB-4DB5AAFE52BD}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2420	2024-05-10_ce7258d50e41f59a7115ee8ed9e9b87c_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2108	{A88B9AE6-1CA1-4ed3-85DB-4DB5AAFE52BD}.exe
Token: SeIncBasePriorityPrivilege	2720	{9DF6A318-488B-438e-BE66-83DFD1EABB59}.exe
Token: SeIncBasePriorityPrivilege	2768	{372E5E3E-85DB-4c93-A9C0-AA994504C75B}.exe
Token: SeIncBasePriorityPrivilege	556	{2879E20D-FA83-4d60-892F-F30493D0630E}.exe
Token: SeIncBasePriorityPrivilege	2792	{19131B25-1BB4-4965-ACB0-1724512A223A}.exe
Token: SeIncBasePriorityPrivilege	884	{927EEEC2-C65D-4f29-AF69-E415E1CBD5FC}.exe
Token: SeIncBasePriorityPrivilege	1680	{B22FF016-2546-44a2-858D-5C9A523AD71A}.exe
Token: SeIncBasePriorityPrivilege	2644	{5D4E2A71-F77F-4f01-920F-E45EABC06C73}.exe
Token: SeIncBasePriorityPrivilege	2384	{22A3ED35-943D-4d98-B4C9-C7B435EA1D8F}.exe
Token: SeIncBasePriorityPrivilege	2280	{44924D86-1953-4d8c-823D-AE7D7251FCF2}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2420 wrote to memory of 2108	2420	2024-05-10_ce7258d50e41f59a7115ee8ed9e9b87c_goldeneye.exe	28
PID 2420 wrote to memory of 2108	2420	2024-05-10_ce7258d50e41f59a7115ee8ed9e9b87c_goldeneye.exe	28
PID 2420 wrote to memory of 2108	2420	2024-05-10_ce7258d50e41f59a7115ee8ed9e9b87c_goldeneye.exe	28
PID 2420 wrote to memory of 2108	2420	2024-05-10_ce7258d50e41f59a7115ee8ed9e9b87c_goldeneye.exe	28
PID 2420 wrote to memory of 2640	2420	2024-05-10_ce7258d50e41f59a7115ee8ed9e9b87c_goldeneye.exe	29
PID 2420 wrote to memory of 2640	2420	2024-05-10_ce7258d50e41f59a7115ee8ed9e9b87c_goldeneye.exe	29
PID 2420 wrote to memory of 2640	2420	2024-05-10_ce7258d50e41f59a7115ee8ed9e9b87c_goldeneye.exe	29
PID 2420 wrote to memory of 2640	2420	2024-05-10_ce7258d50e41f59a7115ee8ed9e9b87c_goldeneye.exe	29
PID 2108 wrote to memory of 2720	2108	{A88B9AE6-1CA1-4ed3-85DB-4DB5AAFE52BD}.exe	30
PID 2108 wrote to memory of 2720	2108	{A88B9AE6-1CA1-4ed3-85DB-4DB5AAFE52BD}.exe	30
PID 2108 wrote to memory of 2720	2108	{A88B9AE6-1CA1-4ed3-85DB-4DB5AAFE52BD}.exe	30
PID 2108 wrote to memory of 2720	2108	{A88B9AE6-1CA1-4ed3-85DB-4DB5AAFE52BD}.exe	30
PID 2108 wrote to memory of 2616	2108	{A88B9AE6-1CA1-4ed3-85DB-4DB5AAFE52BD}.exe	31
PID 2108 wrote to memory of 2616	2108	{A88B9AE6-1CA1-4ed3-85DB-4DB5AAFE52BD}.exe	31
PID 2108 wrote to memory of 2616	2108	{A88B9AE6-1CA1-4ed3-85DB-4DB5AAFE52BD}.exe	31
PID 2108 wrote to memory of 2616	2108	{A88B9AE6-1CA1-4ed3-85DB-4DB5AAFE52BD}.exe	31
PID 2720 wrote to memory of 2768	2720	{9DF6A318-488B-438e-BE66-83DFD1EABB59}.exe	32
PID 2720 wrote to memory of 2768	2720	{9DF6A318-488B-438e-BE66-83DFD1EABB59}.exe	32
PID 2720 wrote to memory of 2768	2720	{9DF6A318-488B-438e-BE66-83DFD1EABB59}.exe	32
PID 2720 wrote to memory of 2768	2720	{9DF6A318-488B-438e-BE66-83DFD1EABB59}.exe	32
PID 2720 wrote to memory of 2484	2720	{9DF6A318-488B-438e-BE66-83DFD1EABB59}.exe	33
PID 2720 wrote to memory of 2484	2720	{9DF6A318-488B-438e-BE66-83DFD1EABB59}.exe	33
PID 2720 wrote to memory of 2484	2720	{9DF6A318-488B-438e-BE66-83DFD1EABB59}.exe	33
PID 2720 wrote to memory of 2484	2720	{9DF6A318-488B-438e-BE66-83DFD1EABB59}.exe	33
PID 2768 wrote to memory of 556	2768	{372E5E3E-85DB-4c93-A9C0-AA994504C75B}.exe	36
PID 2768 wrote to memory of 556	2768	{372E5E3E-85DB-4c93-A9C0-AA994504C75B}.exe	36
PID 2768 wrote to memory of 556	2768	{372E5E3E-85DB-4c93-A9C0-AA994504C75B}.exe	36
PID 2768 wrote to memory of 556	2768	{372E5E3E-85DB-4c93-A9C0-AA994504C75B}.exe	36
PID 2768 wrote to memory of 2476	2768	{372E5E3E-85DB-4c93-A9C0-AA994504C75B}.exe	37
PID 2768 wrote to memory of 2476	2768	{372E5E3E-85DB-4c93-A9C0-AA994504C75B}.exe	37
PID 2768 wrote to memory of 2476	2768	{372E5E3E-85DB-4c93-A9C0-AA994504C75B}.exe	37
PID 2768 wrote to memory of 2476	2768	{372E5E3E-85DB-4c93-A9C0-AA994504C75B}.exe	37
PID 556 wrote to memory of 2792	556	{2879E20D-FA83-4d60-892F-F30493D0630E}.exe	38
PID 556 wrote to memory of 2792	556	{2879E20D-FA83-4d60-892F-F30493D0630E}.exe	38
PID 556 wrote to memory of 2792	556	{2879E20D-FA83-4d60-892F-F30493D0630E}.exe	38
PID 556 wrote to memory of 2792	556	{2879E20D-FA83-4d60-892F-F30493D0630E}.exe	38
PID 556 wrote to memory of 2936	556	{2879E20D-FA83-4d60-892F-F30493D0630E}.exe	39
PID 556 wrote to memory of 2936	556	{2879E20D-FA83-4d60-892F-F30493D0630E}.exe	39
PID 556 wrote to memory of 2936	556	{2879E20D-FA83-4d60-892F-F30493D0630E}.exe	39
PID 556 wrote to memory of 2936	556	{2879E20D-FA83-4d60-892F-F30493D0630E}.exe	39
PID 2792 wrote to memory of 884	2792	{19131B25-1BB4-4965-ACB0-1724512A223A}.exe	40
PID 2792 wrote to memory of 884	2792	{19131B25-1BB4-4965-ACB0-1724512A223A}.exe	40
PID 2792 wrote to memory of 884	2792	{19131B25-1BB4-4965-ACB0-1724512A223A}.exe	40
PID 2792 wrote to memory of 884	2792	{19131B25-1BB4-4965-ACB0-1724512A223A}.exe	40
PID 2792 wrote to memory of 1664	2792	{19131B25-1BB4-4965-ACB0-1724512A223A}.exe	41
PID 2792 wrote to memory of 1664	2792	{19131B25-1BB4-4965-ACB0-1724512A223A}.exe	41
PID 2792 wrote to memory of 1664	2792	{19131B25-1BB4-4965-ACB0-1724512A223A}.exe	41
PID 2792 wrote to memory of 1664	2792	{19131B25-1BB4-4965-ACB0-1724512A223A}.exe	41
PID 884 wrote to memory of 1680	884	{927EEEC2-C65D-4f29-AF69-E415E1CBD5FC}.exe	42
PID 884 wrote to memory of 1680	884	{927EEEC2-C65D-4f29-AF69-E415E1CBD5FC}.exe	42
PID 884 wrote to memory of 1680	884	{927EEEC2-C65D-4f29-AF69-E415E1CBD5FC}.exe	42
PID 884 wrote to memory of 1680	884	{927EEEC2-C65D-4f29-AF69-E415E1CBD5FC}.exe	42
PID 884 wrote to memory of 1632	884	{927EEEC2-C65D-4f29-AF69-E415E1CBD5FC}.exe	43
PID 884 wrote to memory of 1632	884	{927EEEC2-C65D-4f29-AF69-E415E1CBD5FC}.exe	43
PID 884 wrote to memory of 1632	884	{927EEEC2-C65D-4f29-AF69-E415E1CBD5FC}.exe	43
PID 884 wrote to memory of 1632	884	{927EEEC2-C65D-4f29-AF69-E415E1CBD5FC}.exe	43
PID 1680 wrote to memory of 2644	1680	{B22FF016-2546-44a2-858D-5C9A523AD71A}.exe	44
PID 1680 wrote to memory of 2644	1680	{B22FF016-2546-44a2-858D-5C9A523AD71A}.exe	44
PID 1680 wrote to memory of 2644	1680	{B22FF016-2546-44a2-858D-5C9A523AD71A}.exe	44
PID 1680 wrote to memory of 2644	1680	{B22FF016-2546-44a2-858D-5C9A523AD71A}.exe	44
PID 1680 wrote to memory of 776	1680	{B22FF016-2546-44a2-858D-5C9A523AD71A}.exe	45
PID 1680 wrote to memory of 776	1680	{B22FF016-2546-44a2-858D-5C9A523AD71A}.exe	45
PID 1680 wrote to memory of 776	1680	{B22FF016-2546-44a2-858D-5C9A523AD71A}.exe	45
PID 1680 wrote to memory of 776	1680	{B22FF016-2546-44a2-858D-5C9A523AD71A}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-05-10_ce7258d50e41f59a7115ee8ed9e9b87c_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-10_ce7258d50e41f59a7115ee8ed9e9b87c_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2420
- C:\Windows\{A88B9AE6-1CA1-4ed3-85DB-4DB5AAFE52BD}.exe
  C:\Windows\{A88B9AE6-1CA1-4ed3-85DB-4DB5AAFE52BD}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2108
- - C:\Windows\{9DF6A318-488B-438e-BE66-83DFD1EABB59}.exe
    C:\Windows\{9DF6A318-488B-438e-BE66-83DFD1EABB59}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2720
  - - C:\Windows\{372E5E3E-85DB-4c93-A9C0-AA994504C75B}.exe
      C:\Windows\{372E5E3E-85DB-4c93-A9C0-AA994504C75B}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2768
    - - C:\Windows\{2879E20D-FA83-4d60-892F-F30493D0630E}.exe
        
        C:\Windows\{2879E20D-FA83-4d60-892F-F30493D0630E}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:556
      - C:\Windows\{19131B25-1BB4-4965-ACB0-1724512A223A}.exe
        
        C:\Windows\{19131B25-1BB4-4965-ACB0-1724512A223A}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2792
        
        C:\Windows\{927EEEC2-C65D-4f29-AF69-E415E1CBD5FC}.exe
        
        C:\Windows\{927EEEC2-C65D-4f29-AF69-E415E1CBD5FC}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:884
        
        C:\Windows\{B22FF016-2546-44a2-858D-5C9A523AD71A}.exe
        
        C:\Windows\{B22FF016-2546-44a2-858D-5C9A523AD71A}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1680
        
        C:\Windows\{5D4E2A71-F77F-4f01-920F-E45EABC06C73}.exe
        
        C:\Windows\{5D4E2A71-F77F-4f01-920F-E45EABC06C73}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2644
        
        C:\Windows\{22A3ED35-943D-4d98-B4C9-C7B435EA1D8F}.exe
        
        C:\Windows\{22A3ED35-943D-4d98-B4C9-C7B435EA1D8F}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2384
        
        C:\Windows\{44924D86-1953-4d8c-823D-AE7D7251FCF2}.exe
        
        C:\Windows\{44924D86-1953-4d8c-823D-AE7D7251FCF2}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2280
        
        C:\Windows\{DD2540A0-56AE-4012-AA02-CCD89D8F47D0}.exe
        
        C:\Windows\{DD2540A0-56AE-4012-AA02-CCD89D8F47D0}.exe
        12⤵
        Executes dropped EXE
        
        PID:560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{44924~1.EXE > nul
        12⤵
        
        PID:700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{22A3E~1.EXE > nul
        11⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5D4E2~1.EXE > nul
        10⤵
        
        PID:2052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B22FF~1.EXE > nul
        9⤵
        
        PID:776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{927EE~1.EXE > nul
        8⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{19131~1.EXE > nul
        7⤵
        
        PID:1664
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2879E~1.EXE > nul
        6⤵
        
        PID:2936
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{372E5~1.EXE > nul
        5⤵
        
        PID:2476
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{9DF6A~1.EXE > nul
      4⤵
      PID:2484
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{A88B9~1.EXE > nul
    3⤵
    PID:2616
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{19131B25-1BB4-4965-ACB0-1724512A223A}.exe

Filesize
372KB

MD5
5324bb5f7a876eb7f9b41707f29841a7

SHA1
1446dddfd8e87a037a0a7520caad409466675f00

SHA256
cd6927cae37bc22df4d8847ace46922c1d6940cad3d9c5e1ab47be266f6b59a5

SHA512
f456b09cd05f3abef29315b5088650a91480c10ac58ff0235d86d7f43b6fa35cd2065a4831d6ca8ec3e35b85f69ef5180d402016c60b1318a2b1f5f83b3095d8

Download Submit
C:\Windows\{22A3ED35-943D-4d98-B4C9-C7B435EA1D8F}.exe

Filesize
372KB

MD5
a2ed39d5a547a5f32e4a5a13d7544d88

SHA1
d9d241cc487d900d5595e2b9395203e53d418797

SHA256
bb06624e9bd8d83ff88a2d1ec42a2ee364051a88df3abfeaecfbb609e764b0b1

SHA512
a7958d91f124dd1daa6530dc0ee2b507b77f6d279e7821ce36e40cde40542cd5bac76bc15f43e4b839f8e56e6b32e804797d520cd612b6788de7fd2e99b414bc

Download Submit
C:\Windows\{2879E20D-FA83-4d60-892F-F30493D0630E}.exe

Filesize
372KB

MD5
8d0cfc60fa2af5c97c5e66f8f25a9161

SHA1
77206f17b6dad8b2200d948494cf418e66083b75

SHA256
12fe158aa192a2965c32cbba3cdbcb91bab3fe5c9ffe348e316be306a9f360b4

SHA512
741b8982fa33169bd83956025f2016e9b9183441ca7cbe0f4b6e3ec30a6add2ca40233e7cbe96561013926c937c026403c236af7379c129a93868c9da7d0189e

Download Submit
C:\Windows\{372E5E3E-85DB-4c93-A9C0-AA994504C75B}.exe

Filesize
372KB

MD5
b677cd4e4f936b140161fb2ebe58181b

SHA1
5c2102102d727589d3a34838cce319fe45acbd7e

SHA256
6a2f56ae1cdc25eec9f307bcb4fd7ebb87d6a2b3c5ec8af570ddd65c1b5e2216

SHA512
48efc61a54f1d1ea73757af2a27d2b382f77604667f9ed50f821301ab22b2d27856df03e240e227d93eb81f43f119dedd2435e31493af503d216c42a66441d05

Download Submit
C:\Windows\{44924D86-1953-4d8c-823D-AE7D7251FCF2}.exe

Filesize
372KB

MD5
d9233c6e90591be3922b9a69ecd6b933

SHA1
7b29e24b6ac99e31c63bbe4df4895e15815e4a78

SHA256
7f57aa7c25eeea3bcd77e7257c16dafdef6877a8bcc42f59e8454177667a7011

SHA512
ca10ab07a1928506b27b8653e3b49dde47322ab23205e8ab9d325bcf4227b0e2c0834e0746641e1bb54637e0e26fb8d630334af012ceaec932c12654a7930ba5

Download Submit
C:\Windows\{5D4E2A71-F77F-4f01-920F-E45EABC06C73}.exe

Filesize
372KB

MD5
f7153d78efe7b1949f9a30a5cc037adb

SHA1
f6579a57e22719adef7a805f3c8ff412088d8eab

SHA256
c9389c657383ba518a7a0672b07640ee047887893aa9370c7f33bffc7f483660

SHA512
689dc59141362386e63a2f975738fb5833e85961b4e0ef0f38cd7c17be2108a5a373d26c5c5dc38572f17e1d67e6e501ccae0347a98ac008dc93c3dcf9e19d8f

Download Submit
C:\Windows\{927EEEC2-C65D-4f29-AF69-E415E1CBD5FC}.exe

Filesize
372KB

MD5
ace3211565bb1185525a1ad897770919

SHA1
d654745e7b059bb1310a5d25e12bc0feaead162f

SHA256
2f49564bb1ffcae7560ded243297d4010fff4dbddf2b03ecfbf2fa327db11788

SHA512
7c52e2dec874b828b808b03c5bfe1fc36b2f215c44520f802c732158d2277066b6eddd186fece2b76b739bdd88f3206e7d00871f1d2c96323500932f188bb6b0

Download Submit
C:\Windows\{9DF6A318-488B-438e-BE66-83DFD1EABB59}.exe

Filesize
372KB

MD5
7924d773460e2fc79359d34cd18e147c

SHA1
093c2d263e334cbb4abc2333dbb5191bbf54ca45

SHA256
d31e5c5cd5537f4e0c8981d4fea61e552753caf5e6c64970fa97dd866af38c92

SHA512
7f35e7e769e0f12af0ca329d458cfb8a98a9454138b2fa3c4db6c5c516e82d6b172f41b2dc4e7e2b6ca160d91ade7c235455059869a37fc121ca4d2e151ed830

Download Submit
C:\Windows\{A88B9AE6-1CA1-4ed3-85DB-4DB5AAFE52BD}.exe

Filesize
372KB

MD5
366c43a9c081709faaa9e2db594f2444

SHA1
767ba79c9c23a1d37d49b1a313a1fce515e6231d

SHA256
2ed3952458183f5c2f140002694359389bafbbb5ce843cf1e8e6a15de5cf02d2

SHA512
10978ff65039e9f9df4bf56d64ea718e39b8a6602941de36439240e33cb9767c931a125267c2ef92da4bbd95568517e293f1519805a2e3b0c570acb5bf0746c3

Download Submit
C:\Windows\{B22FF016-2546-44a2-858D-5C9A523AD71A}.exe

Filesize
372KB

MD5
cb5d0b69b461dcfea1230f587230f5b6

SHA1
cc37691b3095dbf8084a35ca2671533c4f3e9da1

SHA256
53ca095390ec21b5765ceac2a80dc088189303ff12a81767cbfb22b321450b15

SHA512
9ec3fa6c81fc45d6fa8febf5767493003a8c46bf540c93649721d8acb49a879652e060d2b09e02e2222f9896b8b2c4fc29eaf0eb0f3f0ea37b0fe79c7cab603c

Download Submit
C:\Windows\{DD2540A0-56AE-4012-AA02-CCD89D8F47D0}.exe

Filesize
372KB

MD5
5efb50c1c63cbb5c0ef8200e72f17193

SHA1
440e4c5f05e69853be8a40b66bd68f75fc26b571

SHA256
dad374b140da345dd742c9104293474d638194330dfbd01c1a45dba54eb2c5ec

SHA512
b72efc2dd74bd8fd3ade37b040583fe7eeb6b8a60280449598f531973ac7932e8492c614c040833f1f8a6c75f8798fe1635b804d08f288f3aa909d3f1610d84c

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads