6ae8c5fa2b0ba638b05b276ee282f1a47fecde6650dcf53cecf923780fd5e542

Analysis

max time kernel
144s
max time network
123s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
12/05/2024, 05:01

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-05-12_d717ac675d7ee91dac172103ae578f48_goldeneye.exe
Size

344KB
MD5

d717ac675d7ee91dac172103ae578f48
SHA1

fe060ad36ecf762117d1dd6d7dc28bd8aa111f48
SHA256

6ae8c5fa2b0ba638b05b276ee282f1a47fecde6650dcf53cecf923780fd5e542
SHA512

0f3b71de1a25a32a1c7a5eb1cca5183a8aad129023dbbf24f6fbb9b91412450605f9f3014fc67203f55e904c5fba2325384b0299e9dbd8a5fc1c7108d7a0e442
SSDEEP

3072:mEGh0oulEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGAlqOe2MUVg3v2IneKcAEcA

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000b0000000122ee-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x003700000001451d-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c0000000122ee-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0037000000014525-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d0000000122ee-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e0000000122ee-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f0000000122ee-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{911871A2-9F2D-494e-ACDF-1FABAA2E6CAB}	{0EEBFCBC-C6BF-4bc1-8CFF-C8B9641430D8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3CFAEBF1-06C4-4cb9-92B3-33BDC6C60CB6}	{58FC581C-08D2-438f-99A4-16FD526CEFD2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3CFAEBF1-06C4-4cb9-92B3-33BDC6C60CB6}\stubpath = "C:\\Windows\\{3CFAEBF1-06C4-4cb9-92B3-33BDC6C60CB6}.exe"	{58FC581C-08D2-438f-99A4-16FD526CEFD2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A4115B1F-848D-496e-9D2C-92BEE968035F}\stubpath = "C:\\Windows\\{A4115B1F-848D-496e-9D2C-92BEE968035F}.exe"	{A3620E5D-F1DA-4147-82E5-4191A4D7628C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0F8792D9-0EFE-4a6e-B752-7EDF406B8BA7}\stubpath = "C:\\Windows\\{0F8792D9-0EFE-4a6e-B752-7EDF406B8BA7}.exe"	{A4115B1F-848D-496e-9D2C-92BEE968035F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B2DD7410-CF47-47a3-80C8-D1499DC3F595}	2024-05-12_d717ac675d7ee91dac172103ae578f48_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CE5729B7-23E9-46f1-83CC-82E0200AC7E5}\stubpath = "C:\\Windows\\{CE5729B7-23E9-46f1-83CC-82E0200AC7E5}.exe"	{911871A2-9F2D-494e-ACDF-1FABAA2E6CAB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{70FAC4F5-A524-4f2b-B209-1E7E9D7E2D8C}\stubpath = "C:\\Windows\\{70FAC4F5-A524-4f2b-B209-1E7E9D7E2D8C}.exe"	{A5545553-C738-4fd8-80A3-D0C98A4BB968}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{58FC581C-08D2-438f-99A4-16FD526CEFD2}	{70FAC4F5-A524-4f2b-B209-1E7E9D7E2D8C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A3620E5D-F1DA-4147-82E5-4191A4D7628C}\stubpath = "C:\\Windows\\{A3620E5D-F1DA-4147-82E5-4191A4D7628C}.exe"	{3CFAEBF1-06C4-4cb9-92B3-33BDC6C60CB6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0F8792D9-0EFE-4a6e-B752-7EDF406B8BA7}	{A4115B1F-848D-496e-9D2C-92BEE968035F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B2DD7410-CF47-47a3-80C8-D1499DC3F595}\stubpath = "C:\\Windows\\{B2DD7410-CF47-47a3-80C8-D1499DC3F595}.exe"	2024-05-12_d717ac675d7ee91dac172103ae578f48_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0EEBFCBC-C6BF-4bc1-8CFF-C8B9641430D8}\stubpath = "C:\\Windows\\{0EEBFCBC-C6BF-4bc1-8CFF-C8B9641430D8}.exe"	{B2DD7410-CF47-47a3-80C8-D1499DC3F595}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{911871A2-9F2D-494e-ACDF-1FABAA2E6CAB}\stubpath = "C:\\Windows\\{911871A2-9F2D-494e-ACDF-1FABAA2E6CAB}.exe"	{0EEBFCBC-C6BF-4bc1-8CFF-C8B9641430D8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CE5729B7-23E9-46f1-83CC-82E0200AC7E5}	{911871A2-9F2D-494e-ACDF-1FABAA2E6CAB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A5545553-C738-4fd8-80A3-D0C98A4BB968}\stubpath = "C:\\Windows\\{A5545553-C738-4fd8-80A3-D0C98A4BB968}.exe"	{CE5729B7-23E9-46f1-83CC-82E0200AC7E5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{70FAC4F5-A524-4f2b-B209-1E7E9D7E2D8C}	{A5545553-C738-4fd8-80A3-D0C98A4BB968}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0EEBFCBC-C6BF-4bc1-8CFF-C8B9641430D8}	{B2DD7410-CF47-47a3-80C8-D1499DC3F595}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A5545553-C738-4fd8-80A3-D0C98A4BB968}	{CE5729B7-23E9-46f1-83CC-82E0200AC7E5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{58FC581C-08D2-438f-99A4-16FD526CEFD2}\stubpath = "C:\\Windows\\{58FC581C-08D2-438f-99A4-16FD526CEFD2}.exe"	{70FAC4F5-A524-4f2b-B209-1E7E9D7E2D8C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A3620E5D-F1DA-4147-82E5-4191A4D7628C}	{3CFAEBF1-06C4-4cb9-92B3-33BDC6C60CB6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A4115B1F-848D-496e-9D2C-92BEE968035F}	{A3620E5D-F1DA-4147-82E5-4191A4D7628C}.exe

Deletes itself 1 IoCs

pid	Process
2748	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
3064	{B2DD7410-CF47-47a3-80C8-D1499DC3F595}.exe
2768	{0EEBFCBC-C6BF-4bc1-8CFF-C8B9641430D8}.exe
2816	{911871A2-9F2D-494e-ACDF-1FABAA2E6CAB}.exe
3008	{CE5729B7-23E9-46f1-83CC-82E0200AC7E5}.exe
2864	{A5545553-C738-4fd8-80A3-D0C98A4BB968}.exe
284	{70FAC4F5-A524-4f2b-B209-1E7E9D7E2D8C}.exe
2336	{58FC581C-08D2-438f-99A4-16FD526CEFD2}.exe
2216	{3CFAEBF1-06C4-4cb9-92B3-33BDC6C60CB6}.exe
2068	{A3620E5D-F1DA-4147-82E5-4191A4D7628C}.exe
2244	{A4115B1F-848D-496e-9D2C-92BEE968035F}.exe
1504	{0F8792D9-0EFE-4a6e-B752-7EDF406B8BA7}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{B2DD7410-CF47-47a3-80C8-D1499DC3F595}.exe	2024-05-12_d717ac675d7ee91dac172103ae578f48_goldeneye.exe
File created	C:\Windows\{0EEBFCBC-C6BF-4bc1-8CFF-C8B9641430D8}.exe	{B2DD7410-CF47-47a3-80C8-D1499DC3F595}.exe
File created	C:\Windows\{CE5729B7-23E9-46f1-83CC-82E0200AC7E5}.exe	{911871A2-9F2D-494e-ACDF-1FABAA2E6CAB}.exe
File created	C:\Windows\{A5545553-C738-4fd8-80A3-D0C98A4BB968}.exe	{CE5729B7-23E9-46f1-83CC-82E0200AC7E5}.exe
File created	C:\Windows\{58FC581C-08D2-438f-99A4-16FD526CEFD2}.exe	{70FAC4F5-A524-4f2b-B209-1E7E9D7E2D8C}.exe
File created	C:\Windows\{3CFAEBF1-06C4-4cb9-92B3-33BDC6C60CB6}.exe	{58FC581C-08D2-438f-99A4-16FD526CEFD2}.exe
File created	C:\Windows\{A3620E5D-F1DA-4147-82E5-4191A4D7628C}.exe	{3CFAEBF1-06C4-4cb9-92B3-33BDC6C60CB6}.exe
File created	C:\Windows\{911871A2-9F2D-494e-ACDF-1FABAA2E6CAB}.exe	{0EEBFCBC-C6BF-4bc1-8CFF-C8B9641430D8}.exe
File created	C:\Windows\{70FAC4F5-A524-4f2b-B209-1E7E9D7E2D8C}.exe	{A5545553-C738-4fd8-80A3-D0C98A4BB968}.exe
File created	C:\Windows\{A4115B1F-848D-496e-9D2C-92BEE968035F}.exe	{A3620E5D-F1DA-4147-82E5-4191A4D7628C}.exe
File created	C:\Windows\{0F8792D9-0EFE-4a6e-B752-7EDF406B8BA7}.exe	{A4115B1F-848D-496e-9D2C-92BEE968035F}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1148	2024-05-12_d717ac675d7ee91dac172103ae578f48_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3064	{B2DD7410-CF47-47a3-80C8-D1499DC3F595}.exe
Token: SeIncBasePriorityPrivilege	2768	{0EEBFCBC-C6BF-4bc1-8CFF-C8B9641430D8}.exe
Token: SeIncBasePriorityPrivilege	2816	{911871A2-9F2D-494e-ACDF-1FABAA2E6CAB}.exe
Token: SeIncBasePriorityPrivilege	3008	{CE5729B7-23E9-46f1-83CC-82E0200AC7E5}.exe
Token: SeIncBasePriorityPrivilege	2864	{A5545553-C738-4fd8-80A3-D0C98A4BB968}.exe
Token: SeIncBasePriorityPrivilege	284	{70FAC4F5-A524-4f2b-B209-1E7E9D7E2D8C}.exe
Token: SeIncBasePriorityPrivilege	2336	{58FC581C-08D2-438f-99A4-16FD526CEFD2}.exe
Token: SeIncBasePriorityPrivilege	2216	{3CFAEBF1-06C4-4cb9-92B3-33BDC6C60CB6}.exe
Token: SeIncBasePriorityPrivilege	2068	{A3620E5D-F1DA-4147-82E5-4191A4D7628C}.exe
Token: SeIncBasePriorityPrivilege	2244	{A4115B1F-848D-496e-9D2C-92BEE968035F}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1148 wrote to memory of 3064	1148	2024-05-12_d717ac675d7ee91dac172103ae578f48_goldeneye.exe	28
PID 1148 wrote to memory of 3064	1148	2024-05-12_d717ac675d7ee91dac172103ae578f48_goldeneye.exe	28
PID 1148 wrote to memory of 3064	1148	2024-05-12_d717ac675d7ee91dac172103ae578f48_goldeneye.exe	28
PID 1148 wrote to memory of 3064	1148	2024-05-12_d717ac675d7ee91dac172103ae578f48_goldeneye.exe	28
PID 1148 wrote to memory of 2748	1148	2024-05-12_d717ac675d7ee91dac172103ae578f48_goldeneye.exe	29
PID 1148 wrote to memory of 2748	1148	2024-05-12_d717ac675d7ee91dac172103ae578f48_goldeneye.exe	29
PID 1148 wrote to memory of 2748	1148	2024-05-12_d717ac675d7ee91dac172103ae578f48_goldeneye.exe	29
PID 1148 wrote to memory of 2748	1148	2024-05-12_d717ac675d7ee91dac172103ae578f48_goldeneye.exe	29
PID 3064 wrote to memory of 2768	3064	{B2DD7410-CF47-47a3-80C8-D1499DC3F595}.exe	30
PID 3064 wrote to memory of 2768	3064	{B2DD7410-CF47-47a3-80C8-D1499DC3F595}.exe	30
PID 3064 wrote to memory of 2768	3064	{B2DD7410-CF47-47a3-80C8-D1499DC3F595}.exe	30
PID 3064 wrote to memory of 2768	3064	{B2DD7410-CF47-47a3-80C8-D1499DC3F595}.exe	30
PID 3064 wrote to memory of 2924	3064	{B2DD7410-CF47-47a3-80C8-D1499DC3F595}.exe	31
PID 3064 wrote to memory of 2924	3064	{B2DD7410-CF47-47a3-80C8-D1499DC3F595}.exe	31
PID 3064 wrote to memory of 2924	3064	{B2DD7410-CF47-47a3-80C8-D1499DC3F595}.exe	31
PID 3064 wrote to memory of 2924	3064	{B2DD7410-CF47-47a3-80C8-D1499DC3F595}.exe	31
PID 2768 wrote to memory of 2816	2768	{0EEBFCBC-C6BF-4bc1-8CFF-C8B9641430D8}.exe	32
PID 2768 wrote to memory of 2816	2768	{0EEBFCBC-C6BF-4bc1-8CFF-C8B9641430D8}.exe	32
PID 2768 wrote to memory of 2816	2768	{0EEBFCBC-C6BF-4bc1-8CFF-C8B9641430D8}.exe	32
PID 2768 wrote to memory of 2816	2768	{0EEBFCBC-C6BF-4bc1-8CFF-C8B9641430D8}.exe	32
PID 2768 wrote to memory of 2560	2768	{0EEBFCBC-C6BF-4bc1-8CFF-C8B9641430D8}.exe	33
PID 2768 wrote to memory of 2560	2768	{0EEBFCBC-C6BF-4bc1-8CFF-C8B9641430D8}.exe	33
PID 2768 wrote to memory of 2560	2768	{0EEBFCBC-C6BF-4bc1-8CFF-C8B9641430D8}.exe	33
PID 2768 wrote to memory of 2560	2768	{0EEBFCBC-C6BF-4bc1-8CFF-C8B9641430D8}.exe	33
PID 2816 wrote to memory of 3008	2816	{911871A2-9F2D-494e-ACDF-1FABAA2E6CAB}.exe	36
PID 2816 wrote to memory of 3008	2816	{911871A2-9F2D-494e-ACDF-1FABAA2E6CAB}.exe	36
PID 2816 wrote to memory of 3008	2816	{911871A2-9F2D-494e-ACDF-1FABAA2E6CAB}.exe	36
PID 2816 wrote to memory of 3008	2816	{911871A2-9F2D-494e-ACDF-1FABAA2E6CAB}.exe	36
PID 2816 wrote to memory of 1884	2816	{911871A2-9F2D-494e-ACDF-1FABAA2E6CAB}.exe	37
PID 2816 wrote to memory of 1884	2816	{911871A2-9F2D-494e-ACDF-1FABAA2E6CAB}.exe	37
PID 2816 wrote to memory of 1884	2816	{911871A2-9F2D-494e-ACDF-1FABAA2E6CAB}.exe	37
PID 2816 wrote to memory of 1884	2816	{911871A2-9F2D-494e-ACDF-1FABAA2E6CAB}.exe	37
PID 3008 wrote to memory of 2864	3008	{CE5729B7-23E9-46f1-83CC-82E0200AC7E5}.exe	38
PID 3008 wrote to memory of 2864	3008	{CE5729B7-23E9-46f1-83CC-82E0200AC7E5}.exe	38
PID 3008 wrote to memory of 2864	3008	{CE5729B7-23E9-46f1-83CC-82E0200AC7E5}.exe	38
PID 3008 wrote to memory of 2864	3008	{CE5729B7-23E9-46f1-83CC-82E0200AC7E5}.exe	38
PID 3008 wrote to memory of 2896	3008	{CE5729B7-23E9-46f1-83CC-82E0200AC7E5}.exe	39
PID 3008 wrote to memory of 2896	3008	{CE5729B7-23E9-46f1-83CC-82E0200AC7E5}.exe	39
PID 3008 wrote to memory of 2896	3008	{CE5729B7-23E9-46f1-83CC-82E0200AC7E5}.exe	39
PID 3008 wrote to memory of 2896	3008	{CE5729B7-23E9-46f1-83CC-82E0200AC7E5}.exe	39
PID 2864 wrote to memory of 284	2864	{A5545553-C738-4fd8-80A3-D0C98A4BB968}.exe	40
PID 2864 wrote to memory of 284	2864	{A5545553-C738-4fd8-80A3-D0C98A4BB968}.exe	40
PID 2864 wrote to memory of 284	2864	{A5545553-C738-4fd8-80A3-D0C98A4BB968}.exe	40
PID 2864 wrote to memory of 284	2864	{A5545553-C738-4fd8-80A3-D0C98A4BB968}.exe	40
PID 2864 wrote to memory of 2024	2864	{A5545553-C738-4fd8-80A3-D0C98A4BB968}.exe	41
PID 2864 wrote to memory of 2024	2864	{A5545553-C738-4fd8-80A3-D0C98A4BB968}.exe	41
PID 2864 wrote to memory of 2024	2864	{A5545553-C738-4fd8-80A3-D0C98A4BB968}.exe	41
PID 2864 wrote to memory of 2024	2864	{A5545553-C738-4fd8-80A3-D0C98A4BB968}.exe	41
PID 284 wrote to memory of 2336	284	{70FAC4F5-A524-4f2b-B209-1E7E9D7E2D8C}.exe	42
PID 284 wrote to memory of 2336	284	{70FAC4F5-A524-4f2b-B209-1E7E9D7E2D8C}.exe	42
PID 284 wrote to memory of 2336	284	{70FAC4F5-A524-4f2b-B209-1E7E9D7E2D8C}.exe	42
PID 284 wrote to memory of 2336	284	{70FAC4F5-A524-4f2b-B209-1E7E9D7E2D8C}.exe	42
PID 284 wrote to memory of 1412	284	{70FAC4F5-A524-4f2b-B209-1E7E9D7E2D8C}.exe	43
PID 284 wrote to memory of 1412	284	{70FAC4F5-A524-4f2b-B209-1E7E9D7E2D8C}.exe	43
PID 284 wrote to memory of 1412	284	{70FAC4F5-A524-4f2b-B209-1E7E9D7E2D8C}.exe	43
PID 284 wrote to memory of 1412	284	{70FAC4F5-A524-4f2b-B209-1E7E9D7E2D8C}.exe	43
PID 2336 wrote to memory of 2216	2336	{58FC581C-08D2-438f-99A4-16FD526CEFD2}.exe	44
PID 2336 wrote to memory of 2216	2336	{58FC581C-08D2-438f-99A4-16FD526CEFD2}.exe	44
PID 2336 wrote to memory of 2216	2336	{58FC581C-08D2-438f-99A4-16FD526CEFD2}.exe	44
PID 2336 wrote to memory of 2216	2336	{58FC581C-08D2-438f-99A4-16FD526CEFD2}.exe	44
PID 2336 wrote to memory of 1652	2336	{58FC581C-08D2-438f-99A4-16FD526CEFD2}.exe	45
PID 2336 wrote to memory of 1652	2336	{58FC581C-08D2-438f-99A4-16FD526CEFD2}.exe	45
PID 2336 wrote to memory of 1652	2336	{58FC581C-08D2-438f-99A4-16FD526CEFD2}.exe	45
PID 2336 wrote to memory of 1652	2336	{58FC581C-08D2-438f-99A4-16FD526CEFD2}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-05-12_d717ac675d7ee91dac172103ae578f48_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-12_d717ac675d7ee91dac172103ae578f48_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1148
- C:\Windows\{B2DD7410-CF47-47a3-80C8-D1499DC3F595}.exe
  C:\Windows\{B2DD7410-CF47-47a3-80C8-D1499DC3F595}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3064
- - C:\Windows\{0EEBFCBC-C6BF-4bc1-8CFF-C8B9641430D8}.exe
    C:\Windows\{0EEBFCBC-C6BF-4bc1-8CFF-C8B9641430D8}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2768
  - - C:\Windows\{911871A2-9F2D-494e-ACDF-1FABAA2E6CAB}.exe
      C:\Windows\{911871A2-9F2D-494e-ACDF-1FABAA2E6CAB}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2816
    - - C:\Windows\{CE5729B7-23E9-46f1-83CC-82E0200AC7E5}.exe
        
        C:\Windows\{CE5729B7-23E9-46f1-83CC-82E0200AC7E5}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3008
      - C:\Windows\{A5545553-C738-4fd8-80A3-D0C98A4BB968}.exe
        
        C:\Windows\{A5545553-C738-4fd8-80A3-D0C98A4BB968}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2864
        
        C:\Windows\{70FAC4F5-A524-4f2b-B209-1E7E9D7E2D8C}.exe
        
        C:\Windows\{70FAC4F5-A524-4f2b-B209-1E7E9D7E2D8C}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:284
        
        C:\Windows\{58FC581C-08D2-438f-99A4-16FD526CEFD2}.exe
        
        C:\Windows\{58FC581C-08D2-438f-99A4-16FD526CEFD2}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2336
        
        C:\Windows\{3CFAEBF1-06C4-4cb9-92B3-33BDC6C60CB6}.exe
        
        C:\Windows\{3CFAEBF1-06C4-4cb9-92B3-33BDC6C60CB6}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2216
        
        C:\Windows\{A3620E5D-F1DA-4147-82E5-4191A4D7628C}.exe
        
        C:\Windows\{A3620E5D-F1DA-4147-82E5-4191A4D7628C}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2068
        
        C:\Windows\{A4115B1F-848D-496e-9D2C-92BEE968035F}.exe
        
        C:\Windows\{A4115B1F-848D-496e-9D2C-92BEE968035F}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2244
        
        C:\Windows\{0F8792D9-0EFE-4a6e-B752-7EDF406B8BA7}.exe
        
        C:\Windows\{0F8792D9-0EFE-4a6e-B752-7EDF406B8BA7}.exe
        12⤵
        Executes dropped EXE
        
        PID:1504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A4115~1.EXE > nul
        12⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A3620~1.EXE > nul
        11⤵
        
        PID:1204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3CFAE~1.EXE > nul
        10⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{58FC5~1.EXE > nul
        9⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{70FAC~1.EXE > nul
        8⤵
        
        PID:1412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A5545~1.EXE > nul
        7⤵
        
        PID:2024
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CE572~1.EXE > nul
        6⤵
        
        PID:2896
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{91187~1.EXE > nul
        5⤵
        
        PID:1884
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{0EEBF~1.EXE > nul
      4⤵
      PID:2560
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{B2DD7~1.EXE > nul
    3⤵
    PID:2924
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0EEBFCBC-C6BF-4bc1-8CFF-C8B9641430D8}.exe

Filesize
344KB

MD5
90b03bc487fb39d5d1c26d612ba0b3b6

SHA1
0332853042534ef6e3abb485b05d34ab8fe5e97a

SHA256
e63e5e0826711426cbc736de001e841df3024e4ae13937c54228315197178fc8

SHA512
bf0f5c132498f2800ced0a182bc748854a6055e5235cfba07cacd3a1ea0040948c73b8894cc1b0bcadf72ac038ce591eabf54fbddf1bd0083c97e00300076a79

Download Submit
C:\Windows\{0F8792D9-0EFE-4a6e-B752-7EDF406B8BA7}.exe

Filesize
344KB

MD5
25b3352d2350118f5210d4592cdbd546

SHA1
96f126ee20d5e4f68ec1b90de053d31a26b5ee08

SHA256
8f7a6713cb4940cd2529b672b2fdd251ec0c99e561ce15788fee825fc2620682

SHA512
051f2fbe154bddc925532b4fa45ed997c60843a4f44e85cf1d5c6d6d509ac7698b3cfa2780c5b642680eb3ab76b5af4f7ee7ab8174e9b9d1f7dfce3b7090dffb

Download Submit
C:\Windows\{3CFAEBF1-06C4-4cb9-92B3-33BDC6C60CB6}.exe

Filesize
344KB

MD5
549bacbf7f8c57144aca2f9478997ce4

SHA1
ca82113888177ae4b4bf794f0fc1ae83a333c93e

SHA256
c9592d69381566baa548839982a224f1e277f156a5d345de219996c9c6173783

SHA512
dd4ce61ecacc164be606d6832c544e23b2b7634f6fdb30d5847f8f0a8bf689b9da5b18b5f8add00ae4d0544e8a1a5c6a37d78078d7cad9e1a14afca55b010e4d

Download Submit
C:\Windows\{58FC581C-08D2-438f-99A4-16FD526CEFD2}.exe

Filesize
344KB

MD5
341cf093a098af31c9729584a464d3b0

SHA1
894bbce9e2222b57a0834be915498e0b139a65ec

SHA256
ac123d88ed25cb29499b17836c3960c9d13fd53d377b866e6b32598baa6343ee

SHA512
55dab6a3ffc65ad57909b9b6d63c33c78cfc2907588aa744c0839b5fc7e562cf966576fc4e2935226f911a2c4f5b79b6d2a94c472573aaea87c86f09a2afd305

Download Submit
C:\Windows\{70FAC4F5-A524-4f2b-B209-1E7E9D7E2D8C}.exe

Filesize
344KB

MD5
f0f7748cd4fe8cbdb0d92a665feda2fd

SHA1
2f33aab156121e2bde72ca356b7823d573dc4da2

SHA256
12e475a8c382bfbe27fa9a5c91f258abcba446e1a99e9ec134a7f65e33b7c766

SHA512
bf6a4d7b6faa26d60a29d3d112b09b18fb6ffdf1380cacd09ffbddb0eb25f34a15b5faad7a68c86e72f63c717a94ae016a22ec68a85e738a17bf51f558a86bfc

Download Submit
C:\Windows\{911871A2-9F2D-494e-ACDF-1FABAA2E6CAB}.exe

Filesize
344KB

MD5
2f35ced294b919f536a10397d644805c

SHA1
bcd6217bfce68707f094797c1d42afade7003c7d

SHA256
feddaa84a9803a3c613b77c5b7dfd79a5e638cdfa8d48851c5e6091ac05130f8

SHA512
2957cdc0fc568380daf1e61f2000982a08ac0b8a0488ccb0e10ffc5bccf096684b7975a302b338831f014e676de383f0ddf4ebd4d1e0299915d43f44ccc2ac57

Download Submit
C:\Windows\{A3620E5D-F1DA-4147-82E5-4191A4D7628C}.exe

Filesize
344KB

MD5
e3ab6357aa823eeb5d80c47b6e98b79d

SHA1
bdb18860b6d52b6c9e533fc4d806ad08166c19c5

SHA256
e81a3ec57849d71033fab869c83d7b84af70e261dfb7de1be8160155494fa16b

SHA512
a198e5b2577865a94316b5814960625e4f97aa438a1ca20e8a47b5e164df3789a0febb9b24b20f2f22c395c4870d6928c87e944805cfb56ece132b2e3b5d0bee

Download Submit
C:\Windows\{A4115B1F-848D-496e-9D2C-92BEE968035F}.exe

Filesize
344KB

MD5
75e01eb3ab4047f6dae90778ebe408e0

SHA1
d3ab8e38553bd3107b7504bf6a1dbb155e0c1f0a

SHA256
aa31fcd8e783b83828c2d0ae3d70c4f3cd25cf50a180ab0e06440355c03a9854

SHA512
3fae51e4efc36c529edda08dc30baee24fddf5ad9326b31669ed7a5c58b495cfbfb4c83c1e576d4e4d675bd961b35b674f09873be53e268b623030e87c279735

Download Submit
C:\Windows\{A5545553-C738-4fd8-80A3-D0C98A4BB968}.exe

Filesize
344KB

MD5
058f5d76c7c9e4153eccf12449c6f5b6

SHA1
91356eb17dfb8f6f23b5b88317d12b0cf9a72f75

SHA256
1c56a839759cfcd36e2e1a62cf772cb51bf6df5f779e6f6ae2068d4d58941e60

SHA512
868c7209eab5fbb9f0cd8f709478169192f13b961fc143e2841906768eb63774779dc9c001a66d44738f9a0597f4b5747a89f1bc2c07c4cc56cf804039545a5e

Download Submit
C:\Windows\{B2DD7410-CF47-47a3-80C8-D1499DC3F595}.exe

Filesize
344KB

MD5
36ae01178489b198052b10db0e1f271a

SHA1
d73dfca07236fdf17eb539da77c8293c35e78764

SHA256
a2fb8f3b0d2ae4db275214a49833d7eb1b5a751aafa85e57f30903c490b9ee11

SHA512
057bd57c7dd44396514916b95b4f49e52e7a97de216fce80d79eef521d7572e8cea5acc45dcefee4194845f2630b32dcab3bcc570c168aa3ba3400842bca7835

Download Submit
C:\Windows\{CE5729B7-23E9-46f1-83CC-82E0200AC7E5}.exe

Filesize
344KB

MD5
d9039700fe1cfd81e177aa4f1d1501e9

SHA1
6fa25c5b259c800f9175275ee47f5b80f6b6bbd0

SHA256
019a3f51f3db6c7ca6e2b794745e04c19af7e540829fb8233200779a8913d0f9

SHA512
899ab564fd9cafbfd4fe13758e2146c9d2a703d6f3610a1515538f142831bf7e99c2085a12d5617214e99069df9ec0e7f098084d97543ef117bd0b438ce5b190

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads