4c15437f90b36de8c3ea197ce984b74f9e69e60415ae6a583d24937b9e11c016

Analysis

max time kernel
144s
max time network
120s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
11-05-2024 05:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-11_f0dce31ec2b7222984b067994d5ad79a_goldeneye.exe
Size

344KB
MD5

f0dce31ec2b7222984b067994d5ad79a
SHA1

797748eabdc402b7439e3eac335735d818cc93e6
SHA256

4c15437f90b36de8c3ea197ce984b74f9e69e60415ae6a583d24937b9e11c016
SHA512

bbcd56c8e04324f231b3960a728f886b8b18ce56464c801c25a6f4f83668ff4739024cb3c7cce0d3739be1985246266eee519b0f2439487febcd01c7f702bb12
SSDEEP

3072:mEGh0o+lEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEG8lqOe2MUVg3v2IneKcAEcA

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000c00000001342e-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0030000000013adc-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d00000001342e-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002f000000013f2c-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e00000001342e-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f00000001342e-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001000000001342e-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C1390EA4-9B46-43f8-BD78-6AF5D7D8606C}	{4C4D89DA-FB4F-43f9-9C97-610B2C2AB983}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9601528F-4FCB-461f-94DC-61FCDD10E2DB}\stubpath = "C:\\Windows\\{9601528F-4FCB-461f-94DC-61FCDD10E2DB}.exe"	{C980246F-E3B2-48c8-BAA4-5A9837D9481D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CFD6D629-8D59-4bca-AB87-CE641F3C5D7E}	{EAE9B6FE-4376-44d3-AEE1-6D385F2BD8D6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5743D616-9910-4e46-B516-A1BEFBD7D405}\stubpath = "C:\\Windows\\{5743D616-9910-4e46-B516-A1BEFBD7D405}.exe"	{9601528F-4FCB-461f-94DC-61FCDD10E2DB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{24E0F88F-5374-4881-BCF3-31B8E144E9C4}\stubpath = "C:\\Windows\\{24E0F88F-5374-4881-BCF3-31B8E144E9C4}.exe"	{5743D616-9910-4e46-B516-A1BEFBD7D405}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F6736FBE-74B4-4228-A7E5-649EAD0278CA}\stubpath = "C:\\Windows\\{F6736FBE-74B4-4228-A7E5-649EAD0278CA}.exe"	{B4FD9B4B-80A9-4c7e-AF38-D76C170520E6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C980246F-E3B2-48c8-BAA4-5A9837D9481D}	2024-05-11_f0dce31ec2b7222984b067994d5ad79a_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5743D616-9910-4e46-B516-A1BEFBD7D405}	{9601528F-4FCB-461f-94DC-61FCDD10E2DB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EAE9B6FE-4376-44d3-AEE1-6D385F2BD8D6}\stubpath = "C:\\Windows\\{EAE9B6FE-4376-44d3-AEE1-6D385F2BD8D6}.exe"	{24E0F88F-5374-4881-BCF3-31B8E144E9C4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4C4D89DA-FB4F-43f9-9C97-610B2C2AB983}	{CFD6D629-8D59-4bca-AB87-CE641F3C5D7E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5B64958E-68F3-44ae-8743-B504BCF27A9C}	{C1390EA4-9B46-43f8-BD78-6AF5D7D8606C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5B64958E-68F3-44ae-8743-B504BCF27A9C}\stubpath = "C:\\Windows\\{5B64958E-68F3-44ae-8743-B504BCF27A9C}.exe"	{C1390EA4-9B46-43f8-BD78-6AF5D7D8606C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F6736FBE-74B4-4228-A7E5-649EAD0278CA}	{B4FD9B4B-80A9-4c7e-AF38-D76C170520E6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C980246F-E3B2-48c8-BAA4-5A9837D9481D}\stubpath = "C:\\Windows\\{C980246F-E3B2-48c8-BAA4-5A9837D9481D}.exe"	2024-05-11_f0dce31ec2b7222984b067994d5ad79a_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{24E0F88F-5374-4881-BCF3-31B8E144E9C4}	{5743D616-9910-4e46-B516-A1BEFBD7D405}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CFD6D629-8D59-4bca-AB87-CE641F3C5D7E}\stubpath = "C:\\Windows\\{CFD6D629-8D59-4bca-AB87-CE641F3C5D7E}.exe"	{EAE9B6FE-4376-44d3-AEE1-6D385F2BD8D6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4C4D89DA-FB4F-43f9-9C97-610B2C2AB983}\stubpath = "C:\\Windows\\{4C4D89DA-FB4F-43f9-9C97-610B2C2AB983}.exe"	{CFD6D629-8D59-4bca-AB87-CE641F3C5D7E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C1390EA4-9B46-43f8-BD78-6AF5D7D8606C}\stubpath = "C:\\Windows\\{C1390EA4-9B46-43f8-BD78-6AF5D7D8606C}.exe"	{4C4D89DA-FB4F-43f9-9C97-610B2C2AB983}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B4FD9B4B-80A9-4c7e-AF38-D76C170520E6}	{5B64958E-68F3-44ae-8743-B504BCF27A9C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B4FD9B4B-80A9-4c7e-AF38-D76C170520E6}\stubpath = "C:\\Windows\\{B4FD9B4B-80A9-4c7e-AF38-D76C170520E6}.exe"	{5B64958E-68F3-44ae-8743-B504BCF27A9C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9601528F-4FCB-461f-94DC-61FCDD10E2DB}	{C980246F-E3B2-48c8-BAA4-5A9837D9481D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EAE9B6FE-4376-44d3-AEE1-6D385F2BD8D6}	{24E0F88F-5374-4881-BCF3-31B8E144E9C4}.exe

Deletes itself 1 IoCs

pid	Process
3004	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2836	{C980246F-E3B2-48c8-BAA4-5A9837D9481D}.exe
2720	{9601528F-4FCB-461f-94DC-61FCDD10E2DB}.exe
2492	{5743D616-9910-4e46-B516-A1BEFBD7D405}.exe
2628	{24E0F88F-5374-4881-BCF3-31B8E144E9C4}.exe
2804	{EAE9B6FE-4376-44d3-AEE1-6D385F2BD8D6}.exe
1428	{CFD6D629-8D59-4bca-AB87-CE641F3C5D7E}.exe
1624	{4C4D89DA-FB4F-43f9-9C97-610B2C2AB983}.exe
1560	{C1390EA4-9B46-43f8-BD78-6AF5D7D8606C}.exe
2308	{5B64958E-68F3-44ae-8743-B504BCF27A9C}.exe
1232	{B4FD9B4B-80A9-4c7e-AF38-D76C170520E6}.exe
1352	{F6736FBE-74B4-4228-A7E5-649EAD0278CA}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{CFD6D629-8D59-4bca-AB87-CE641F3C5D7E}.exe	{EAE9B6FE-4376-44d3-AEE1-6D385F2BD8D6}.exe
File created	C:\Windows\{C1390EA4-9B46-43f8-BD78-6AF5D7D8606C}.exe	{4C4D89DA-FB4F-43f9-9C97-610B2C2AB983}.exe
File created	C:\Windows\{B4FD9B4B-80A9-4c7e-AF38-D76C170520E6}.exe	{5B64958E-68F3-44ae-8743-B504BCF27A9C}.exe
File created	C:\Windows\{C980246F-E3B2-48c8-BAA4-5A9837D9481D}.exe	2024-05-11_f0dce31ec2b7222984b067994d5ad79a_goldeneye.exe
File created	C:\Windows\{9601528F-4FCB-461f-94DC-61FCDD10E2DB}.exe	{C980246F-E3B2-48c8-BAA4-5A9837D9481D}.exe
File created	C:\Windows\{5743D616-9910-4e46-B516-A1BEFBD7D405}.exe	{9601528F-4FCB-461f-94DC-61FCDD10E2DB}.exe
File created	C:\Windows\{5B64958E-68F3-44ae-8743-B504BCF27A9C}.exe	{C1390EA4-9B46-43f8-BD78-6AF5D7D8606C}.exe
File created	C:\Windows\{F6736FBE-74B4-4228-A7E5-649EAD0278CA}.exe	{B4FD9B4B-80A9-4c7e-AF38-D76C170520E6}.exe
File created	C:\Windows\{24E0F88F-5374-4881-BCF3-31B8E144E9C4}.exe	{5743D616-9910-4e46-B516-A1BEFBD7D405}.exe
File created	C:\Windows\{EAE9B6FE-4376-44d3-AEE1-6D385F2BD8D6}.exe	{24E0F88F-5374-4881-BCF3-31B8E144E9C4}.exe
File created	C:\Windows\{4C4D89DA-FB4F-43f9-9C97-610B2C2AB983}.exe	{CFD6D629-8D59-4bca-AB87-CE641F3C5D7E}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2364	2024-05-11_f0dce31ec2b7222984b067994d5ad79a_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2836	{C980246F-E3B2-48c8-BAA4-5A9837D9481D}.exe
Token: SeIncBasePriorityPrivilege	2720	{9601528F-4FCB-461f-94DC-61FCDD10E2DB}.exe
Token: SeIncBasePriorityPrivilege	2492	{5743D616-9910-4e46-B516-A1BEFBD7D405}.exe
Token: SeIncBasePriorityPrivilege	2628	{24E0F88F-5374-4881-BCF3-31B8E144E9C4}.exe
Token: SeIncBasePriorityPrivilege	2804	{EAE9B6FE-4376-44d3-AEE1-6D385F2BD8D6}.exe
Token: SeIncBasePriorityPrivilege	1428	{CFD6D629-8D59-4bca-AB87-CE641F3C5D7E}.exe
Token: SeIncBasePriorityPrivilege	1624	{4C4D89DA-FB4F-43f9-9C97-610B2C2AB983}.exe
Token: SeIncBasePriorityPrivilege	1560	{C1390EA4-9B46-43f8-BD78-6AF5D7D8606C}.exe
Token: SeIncBasePriorityPrivilege	2308	{5B64958E-68F3-44ae-8743-B504BCF27A9C}.exe
Token: SeIncBasePriorityPrivilege	1232	{B4FD9B4B-80A9-4c7e-AF38-D76C170520E6}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2364 wrote to memory of 2836	2364	2024-05-11_f0dce31ec2b7222984b067994d5ad79a_goldeneye.exe	28
PID 2364 wrote to memory of 2836	2364	2024-05-11_f0dce31ec2b7222984b067994d5ad79a_goldeneye.exe	28
PID 2364 wrote to memory of 2836	2364	2024-05-11_f0dce31ec2b7222984b067994d5ad79a_goldeneye.exe	28
PID 2364 wrote to memory of 2836	2364	2024-05-11_f0dce31ec2b7222984b067994d5ad79a_goldeneye.exe	28
PID 2364 wrote to memory of 3004	2364	2024-05-11_f0dce31ec2b7222984b067994d5ad79a_goldeneye.exe	29
PID 2364 wrote to memory of 3004	2364	2024-05-11_f0dce31ec2b7222984b067994d5ad79a_goldeneye.exe	29
PID 2364 wrote to memory of 3004	2364	2024-05-11_f0dce31ec2b7222984b067994d5ad79a_goldeneye.exe	29
PID 2364 wrote to memory of 3004	2364	2024-05-11_f0dce31ec2b7222984b067994d5ad79a_goldeneye.exe	29
PID 2836 wrote to memory of 2720	2836	{C980246F-E3B2-48c8-BAA4-5A9837D9481D}.exe	30
PID 2836 wrote to memory of 2720	2836	{C980246F-E3B2-48c8-BAA4-5A9837D9481D}.exe	30
PID 2836 wrote to memory of 2720	2836	{C980246F-E3B2-48c8-BAA4-5A9837D9481D}.exe	30
PID 2836 wrote to memory of 2720	2836	{C980246F-E3B2-48c8-BAA4-5A9837D9481D}.exe	30
PID 2836 wrote to memory of 1296	2836	{C980246F-E3B2-48c8-BAA4-5A9837D9481D}.exe	31
PID 2836 wrote to memory of 1296	2836	{C980246F-E3B2-48c8-BAA4-5A9837D9481D}.exe	31
PID 2836 wrote to memory of 1296	2836	{C980246F-E3B2-48c8-BAA4-5A9837D9481D}.exe	31
PID 2836 wrote to memory of 1296	2836	{C980246F-E3B2-48c8-BAA4-5A9837D9481D}.exe	31
PID 2720 wrote to memory of 2492	2720	{9601528F-4FCB-461f-94DC-61FCDD10E2DB}.exe	32
PID 2720 wrote to memory of 2492	2720	{9601528F-4FCB-461f-94DC-61FCDD10E2DB}.exe	32
PID 2720 wrote to memory of 2492	2720	{9601528F-4FCB-461f-94DC-61FCDD10E2DB}.exe	32
PID 2720 wrote to memory of 2492	2720	{9601528F-4FCB-461f-94DC-61FCDD10E2DB}.exe	32
PID 2720 wrote to memory of 2792	2720	{9601528F-4FCB-461f-94DC-61FCDD10E2DB}.exe	33
PID 2720 wrote to memory of 2792	2720	{9601528F-4FCB-461f-94DC-61FCDD10E2DB}.exe	33
PID 2720 wrote to memory of 2792	2720	{9601528F-4FCB-461f-94DC-61FCDD10E2DB}.exe	33
PID 2720 wrote to memory of 2792	2720	{9601528F-4FCB-461f-94DC-61FCDD10E2DB}.exe	33
PID 2492 wrote to memory of 2628	2492	{5743D616-9910-4e46-B516-A1BEFBD7D405}.exe	36
PID 2492 wrote to memory of 2628	2492	{5743D616-9910-4e46-B516-A1BEFBD7D405}.exe	36
PID 2492 wrote to memory of 2628	2492	{5743D616-9910-4e46-B516-A1BEFBD7D405}.exe	36
PID 2492 wrote to memory of 2628	2492	{5743D616-9910-4e46-B516-A1BEFBD7D405}.exe	36
PID 2492 wrote to memory of 1036	2492	{5743D616-9910-4e46-B516-A1BEFBD7D405}.exe	37
PID 2492 wrote to memory of 1036	2492	{5743D616-9910-4e46-B516-A1BEFBD7D405}.exe	37
PID 2492 wrote to memory of 1036	2492	{5743D616-9910-4e46-B516-A1BEFBD7D405}.exe	37
PID 2492 wrote to memory of 1036	2492	{5743D616-9910-4e46-B516-A1BEFBD7D405}.exe	37
PID 2628 wrote to memory of 2804	2628	{24E0F88F-5374-4881-BCF3-31B8E144E9C4}.exe	38
PID 2628 wrote to memory of 2804	2628	{24E0F88F-5374-4881-BCF3-31B8E144E9C4}.exe	38
PID 2628 wrote to memory of 2804	2628	{24E0F88F-5374-4881-BCF3-31B8E144E9C4}.exe	38
PID 2628 wrote to memory of 2804	2628	{24E0F88F-5374-4881-BCF3-31B8E144E9C4}.exe	38
PID 2628 wrote to memory of 2812	2628	{24E0F88F-5374-4881-BCF3-31B8E144E9C4}.exe	39
PID 2628 wrote to memory of 2812	2628	{24E0F88F-5374-4881-BCF3-31B8E144E9C4}.exe	39
PID 2628 wrote to memory of 2812	2628	{24E0F88F-5374-4881-BCF3-31B8E144E9C4}.exe	39
PID 2628 wrote to memory of 2812	2628	{24E0F88F-5374-4881-BCF3-31B8E144E9C4}.exe	39
PID 2804 wrote to memory of 1428	2804	{EAE9B6FE-4376-44d3-AEE1-6D385F2BD8D6}.exe	40
PID 2804 wrote to memory of 1428	2804	{EAE9B6FE-4376-44d3-AEE1-6D385F2BD8D6}.exe	40
PID 2804 wrote to memory of 1428	2804	{EAE9B6FE-4376-44d3-AEE1-6D385F2BD8D6}.exe	40
PID 2804 wrote to memory of 1428	2804	{EAE9B6FE-4376-44d3-AEE1-6D385F2BD8D6}.exe	40
PID 2804 wrote to memory of 1944	2804	{EAE9B6FE-4376-44d3-AEE1-6D385F2BD8D6}.exe	41
PID 2804 wrote to memory of 1944	2804	{EAE9B6FE-4376-44d3-AEE1-6D385F2BD8D6}.exe	41
PID 2804 wrote to memory of 1944	2804	{EAE9B6FE-4376-44d3-AEE1-6D385F2BD8D6}.exe	41
PID 2804 wrote to memory of 1944	2804	{EAE9B6FE-4376-44d3-AEE1-6D385F2BD8D6}.exe	41
PID 1428 wrote to memory of 1624	1428	{CFD6D629-8D59-4bca-AB87-CE641F3C5D7E}.exe	42
PID 1428 wrote to memory of 1624	1428	{CFD6D629-8D59-4bca-AB87-CE641F3C5D7E}.exe	42
PID 1428 wrote to memory of 1624	1428	{CFD6D629-8D59-4bca-AB87-CE641F3C5D7E}.exe	42
PID 1428 wrote to memory of 1624	1428	{CFD6D629-8D59-4bca-AB87-CE641F3C5D7E}.exe	42
PID 1428 wrote to memory of 1548	1428	{CFD6D629-8D59-4bca-AB87-CE641F3C5D7E}.exe	43
PID 1428 wrote to memory of 1548	1428	{CFD6D629-8D59-4bca-AB87-CE641F3C5D7E}.exe	43
PID 1428 wrote to memory of 1548	1428	{CFD6D629-8D59-4bca-AB87-CE641F3C5D7E}.exe	43
PID 1428 wrote to memory of 1548	1428	{CFD6D629-8D59-4bca-AB87-CE641F3C5D7E}.exe	43
PID 1624 wrote to memory of 1560	1624	{4C4D89DA-FB4F-43f9-9C97-610B2C2AB983}.exe	44
PID 1624 wrote to memory of 1560	1624	{4C4D89DA-FB4F-43f9-9C97-610B2C2AB983}.exe	44
PID 1624 wrote to memory of 1560	1624	{4C4D89DA-FB4F-43f9-9C97-610B2C2AB983}.exe	44
PID 1624 wrote to memory of 1560	1624	{4C4D89DA-FB4F-43f9-9C97-610B2C2AB983}.exe	44
PID 1624 wrote to memory of 1680	1624	{4C4D89DA-FB4F-43f9-9C97-610B2C2AB983}.exe	45
PID 1624 wrote to memory of 1680	1624	{4C4D89DA-FB4F-43f9-9C97-610B2C2AB983}.exe	45
PID 1624 wrote to memory of 1680	1624	{4C4D89DA-FB4F-43f9-9C97-610B2C2AB983}.exe	45
PID 1624 wrote to memory of 1680	1624	{4C4D89DA-FB4F-43f9-9C97-610B2C2AB983}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-05-11_f0dce31ec2b7222984b067994d5ad79a_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-11_f0dce31ec2b7222984b067994d5ad79a_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2364
- C:\Windows\{C980246F-E3B2-48c8-BAA4-5A9837D9481D}.exe
  C:\Windows\{C980246F-E3B2-48c8-BAA4-5A9837D9481D}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2836
- - C:\Windows\{9601528F-4FCB-461f-94DC-61FCDD10E2DB}.exe
    C:\Windows\{9601528F-4FCB-461f-94DC-61FCDD10E2DB}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2720
  - - C:\Windows\{5743D616-9910-4e46-B516-A1BEFBD7D405}.exe
      C:\Windows\{5743D616-9910-4e46-B516-A1BEFBD7D405}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2492
    - - C:\Windows\{24E0F88F-5374-4881-BCF3-31B8E144E9C4}.exe
        
        C:\Windows\{24E0F88F-5374-4881-BCF3-31B8E144E9C4}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2628
      - C:\Windows\{EAE9B6FE-4376-44d3-AEE1-6D385F2BD8D6}.exe
        
        C:\Windows\{EAE9B6FE-4376-44d3-AEE1-6D385F2BD8D6}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2804
        
        C:\Windows\{CFD6D629-8D59-4bca-AB87-CE641F3C5D7E}.exe
        
        C:\Windows\{CFD6D629-8D59-4bca-AB87-CE641F3C5D7E}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1428
        
        C:\Windows\{4C4D89DA-FB4F-43f9-9C97-610B2C2AB983}.exe
        
        C:\Windows\{4C4D89DA-FB4F-43f9-9C97-610B2C2AB983}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1624
        
        C:\Windows\{C1390EA4-9B46-43f8-BD78-6AF5D7D8606C}.exe
        
        C:\Windows\{C1390EA4-9B46-43f8-BD78-6AF5D7D8606C}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1560
        
        C:\Windows\{5B64958E-68F3-44ae-8743-B504BCF27A9C}.exe
        
        C:\Windows\{5B64958E-68F3-44ae-8743-B504BCF27A9C}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2308
        
        C:\Windows\{B4FD9B4B-80A9-4c7e-AF38-D76C170520E6}.exe
        
        C:\Windows\{B4FD9B4B-80A9-4c7e-AF38-D76C170520E6}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1232
        
        C:\Windows\{F6736FBE-74B4-4228-A7E5-649EAD0278CA}.exe
        
        C:\Windows\{F6736FBE-74B4-4228-A7E5-649EAD0278CA}.exe
        12⤵
        Executes dropped EXE
        
        PID:1352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B4FD9~1.EXE > nul
        12⤵
        
        PID:1084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5B649~1.EXE > nul
        11⤵
        
        PID:1316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C1390~1.EXE > nul
        10⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4C4D8~1.EXE > nul
        9⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CFD6D~1.EXE > nul
        8⤵
        
        PID:1548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EAE9B~1.EXE > nul
        7⤵
        
        PID:1944
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{24E0F~1.EXE > nul
        6⤵
        
        PID:2812
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5743D~1.EXE > nul
        5⤵
        
        PID:1036
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{96015~1.EXE > nul
      4⤵
      PID:2792
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{C9802~1.EXE > nul
    3⤵
    PID:1296
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:3004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{24E0F88F-5374-4881-BCF3-31B8E144E9C4}.exe

Filesize
344KB

MD5
d152940201c8d958df0997e6ed874ce2

SHA1
ffcf3312754e1712f54f121c3b35e6b07479e4de

SHA256
b3ec4851f216756aa8c5d880bc196291b8b2555fb3a10fa8cf975527251f663f

SHA512
1dfd86cae88b9650fb9abe61a2169bdc9987b24eae5ddd78acd7dac8cff87377a5816c9ac0a7425b23c0d066bf7b56afedf714736ffbba92cf7e5401967cd72f

Download Submit
C:\Windows\{4C4D89DA-FB4F-43f9-9C97-610B2C2AB983}.exe

Filesize
344KB

MD5
9e2ca6b1eb24d350e16b99979b69e3fa

SHA1
7b385921a2f9529abdcd6f31a485596ea7ea09e2

SHA256
82715977c82a4151998e561f96e0f326bddf4ea46868c8d96e605b22a8a92e6f

SHA512
8dc5e5ceb606352d30d27f6066c83e0674fb97b77f255ecef87f12988db931704b8a80d4b99e5a85e34753216eea0b6f5ad3c910b3102973b5154e9c3f3f7adb

Download Submit
C:\Windows\{5743D616-9910-4e46-B516-A1BEFBD7D405}.exe

Filesize
344KB

MD5
c7248cd7f6a574e4cb586b77c1d02edb

SHA1
3d4339d8d1f3875866a04d51c6c952d4222ffc51

SHA256
7d4505a33675b209ec65c2b8928f05d98e361288cc3b3a59f16dac190988bf05

SHA512
607ad51b45c18d1cbd6fe0852ad660c0c2935f3fbc21d0917b632c5e14ca4592ec63d215549f378bc423461ec1e427d0bd36c0ba4dcd964ab31212b327bb8d37

Download Submit
C:\Windows\{5B64958E-68F3-44ae-8743-B504BCF27A9C}.exe

Filesize
344KB

MD5
61139568bd07133d6418b580b97c9324

SHA1
2973f82f56b5bd81dc1b419c2bd450bacf99d89e

SHA256
7ac575e3e05651fd1c366764ab7b127296c6a16e61c278945b4d6887d505c314

SHA512
02715362e3a8f3b21d2b38b330018a9761bd3c4aeee70ee798bd6016f8a57cc83ddf4b00b7294bb47275760de11c06489df75cc780bb6ed4974cf6c889364f04

Download Submit
C:\Windows\{9601528F-4FCB-461f-94DC-61FCDD10E2DB}.exe

Filesize
344KB

MD5
61ee3416503ba6c673462762be9d080f

SHA1
7a8ab8b14f67f237766be2b80ae84eb675982299

SHA256
0edae2809ed6c8205dbbaf9ff5f8d055b8d719df6dd7c804e3124861ab4fb87b

SHA512
d574a13372e21ace39ba28fc374e06d290e271215ab9f437729b835b5a60ed11883c69ed88d3ef5b341e5ce0736752713d966c21820d1d7218d67341659394f8

Download Submit
C:\Windows\{B4FD9B4B-80A9-4c7e-AF38-D76C170520E6}.exe

Filesize
344KB

MD5
5003a5dca0ab350c27da5758f5fcdb0d

SHA1
7662530a8a40f17cd561c70882a870b428fae084

SHA256
701c1f16d91e7ccbe61a394e1c11f87941971fd58d790de341c5ea5e9731295c

SHA512
c1f4b456800f4af302ceccda62169788a53376ba8610ca57c2c42acba1ad734634f2ea891e96890049bfce0220cd18e89157d79aff661d1837f610159147e47c

Download Submit
C:\Windows\{C1390EA4-9B46-43f8-BD78-6AF5D7D8606C}.exe

Filesize
344KB

MD5
e6705f1df561e4cc9417ed7494cc08ef

SHA1
a412cdcc87037b2a2a3d4705374a2de92590b81c

SHA256
8b8e20825dd457db2a03cf89c7a0cb86c2c5724417704a451ee3c0141fadba15

SHA512
3e0c672c280d74d716c135ff68d6cb9577c6572485b9b16af48cef09866f01d12dfe8ea629c25857f691eec7c9ea650b02620732b9d43f18d611d9e8c508adc9

Download Submit
C:\Windows\{C980246F-E3B2-48c8-BAA4-5A9837D9481D}.exe

Filesize
344KB

MD5
417a265f4827cd6b609592204eb6accf

SHA1
b0fcd18cc50a5ef590c6a7558af7469dbf6b5797

SHA256
6dc452f8775d6540a407deb93f7f422f331056b2830c9898c8cc5ca4f6cb1070

SHA512
ab17094cc7d2a1545c47dc1c6db3f9bf03f4779cbb6fff491e782d95b0e013c8cb0d78b4370555e434e7bf6ff64bf42417b0c2d3e02c8f4633df47155bb3084d

Download Submit
C:\Windows\{CFD6D629-8D59-4bca-AB87-CE641F3C5D7E}.exe

Filesize
344KB

MD5
052c1ae79c19de7048bdd729d528f074

SHA1
6eb27f06974eb1facb71b688e5b33671eccd811b

SHA256
3dbf7df8d84850e6e80aeb7e84e21d8d2254fa7e86e98574b65745eece857191

SHA512
56fe24b5ef100de9cffeabd58dd31f886c4d99f025b760b4c92dfb3a81abc2009766b3f57abb5653f6c03a26c279699176b29b96bba354709a6ee42024c736bf

Download Submit
C:\Windows\{EAE9B6FE-4376-44d3-AEE1-6D385F2BD8D6}.exe

Filesize
344KB

MD5
fe26c8bede772e6f26a04f09282d39ab

SHA1
d434e4f6ec11c687c0dcd8db885276e9e1e4ba95

SHA256
1e7700223b920589f9a642591a5958c140e3702a673bbb06a5606fbd3e4657ab

SHA512
a63e834ffda2a29449fd080edc2bfffe9fbb19b67c89afa20163b9a461c802246163b3d2f439e33a219e4d876a3e7a73c17f9289ab94e4ceccc3e4b43eb31235

Download Submit
C:\Windows\{F6736FBE-74B4-4228-A7E5-649EAD0278CA}.exe

Filesize
344KB

MD5
19a5dc42d6bfb22b0b30cbfeb3a37ce7

SHA1
401e2b6ab8675e2e4d77c50ba001e67fdaaa651d

SHA256
899e6301db50f88b94199c9a8557557675e2addd0c8011a6db26a5b262e70d93

SHA512
2eb507a3a3a8242db44452a9f7d40fa76def5a2d25f8fe42c22af8d7468827664c075321658b73ce4ff7b646a04cc9b6ee8be6e6712d379b32b97268d8ac90ec

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads