86d50db4e06a996c70f632d44f0d912101942e09b69301d0587af4d93b9b7b0f

Analysis

max time kernel
144s
max time network
121s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
14/05/2024, 20:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-14_7aebed87fa0f2fda96987a41576ec70a_goldeneye.exe
Size

204KB
MD5

7aebed87fa0f2fda96987a41576ec70a
SHA1

8c886d955c37045b6657d51967f45325ac28bad7
SHA256

86d50db4e06a996c70f632d44f0d912101942e09b69301d0587af4d93b9b7b0f
SHA512

76b4de41ab8fa59957bac5b641d24dd3ddbb32bade801420f9e13b976e1567555d3e7a56aa0965485c42701b12ba4492381e6b9c5d8bfcf492e584443dad1d78
SSDEEP

1536:1EGh0oOl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oOl1OPOe2MUVg3Ve+rXfMUy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000b000000014b31-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00090000000155f7-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000014b31-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000015616-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000005a59-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000014b31-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000005a59-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e000000014b31-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000005a59-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f000000014b31-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000005a59-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2D9B265E-C96D-4cf6-9A59-A6537C6B2300}\stubpath = "C:\\Windows\\{2D9B265E-C96D-4cf6-9A59-A6537C6B2300}.exe"	2024-05-14_7aebed87fa0f2fda96987a41576ec70a_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8B50F848-093E-45af-A878-C84D1CC4A62B}\stubpath = "C:\\Windows\\{8B50F848-093E-45af-A878-C84D1CC4A62B}.exe"	{E471A250-921B-4b93-86FE-E28CD0566DC1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{46464A9B-D517-434e-BB1C-55B226BC7A48}	{AD866F60-9B1A-47cb-AD44-EB68BEB6C54C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0FEF8330-356F-47de-8744-F794285B7904}\stubpath = "C:\\Windows\\{0FEF8330-356F-47de-8744-F794285B7904}.exe"	{46464A9B-D517-434e-BB1C-55B226BC7A48}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8B1AF7A4-5848-401f-8885-08C2F3F88FDD}	{08537601-A0BE-4753-BCBA-020400285C9E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3CA6E08F-93BE-41ad-AC39-A27763ED213D}	{8B1AF7A4-5848-401f-8885-08C2F3F88FDD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3CA6E08F-93BE-41ad-AC39-A27763ED213D}\stubpath = "C:\\Windows\\{3CA6E08F-93BE-41ad-AC39-A27763ED213D}.exe"	{8B1AF7A4-5848-401f-8885-08C2F3F88FDD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B1FDF318-5223-4fc7-A3A4-E55910134FD9}\stubpath = "C:\\Windows\\{B1FDF318-5223-4fc7-A3A4-E55910134FD9}.exe"	{9C5AC45A-9041-4347-93DC-AC60665F289E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8B50F848-093E-45af-A878-C84D1CC4A62B}	{E471A250-921B-4b93-86FE-E28CD0566DC1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AD866F60-9B1A-47cb-AD44-EB68BEB6C54C}\stubpath = "C:\\Windows\\{AD866F60-9B1A-47cb-AD44-EB68BEB6C54C}.exe"	{8B50F848-093E-45af-A878-C84D1CC4A62B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0FEF8330-356F-47de-8744-F794285B7904}	{46464A9B-D517-434e-BB1C-55B226BC7A48}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8B1AF7A4-5848-401f-8885-08C2F3F88FDD}\stubpath = "C:\\Windows\\{8B1AF7A4-5848-401f-8885-08C2F3F88FDD}.exe"	{08537601-A0BE-4753-BCBA-020400285C9E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AD866F60-9B1A-47cb-AD44-EB68BEB6C54C}	{8B50F848-093E-45af-A878-C84D1CC4A62B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{46464A9B-D517-434e-BB1C-55B226BC7A48}\stubpath = "C:\\Windows\\{46464A9B-D517-434e-BB1C-55B226BC7A48}.exe"	{AD866F60-9B1A-47cb-AD44-EB68BEB6C54C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{08537601-A0BE-4753-BCBA-020400285C9E}	{0FEF8330-356F-47de-8744-F794285B7904}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9C5AC45A-9041-4347-93DC-AC60665F289E}	{3CA6E08F-93BE-41ad-AC39-A27763ED213D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9C5AC45A-9041-4347-93DC-AC60665F289E}\stubpath = "C:\\Windows\\{9C5AC45A-9041-4347-93DC-AC60665F289E}.exe"	{3CA6E08F-93BE-41ad-AC39-A27763ED213D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2D9B265E-C96D-4cf6-9A59-A6537C6B2300}	2024-05-14_7aebed87fa0f2fda96987a41576ec70a_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E471A250-921B-4b93-86FE-E28CD0566DC1}	{2D9B265E-C96D-4cf6-9A59-A6537C6B2300}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E471A250-921B-4b93-86FE-E28CD0566DC1}\stubpath = "C:\\Windows\\{E471A250-921B-4b93-86FE-E28CD0566DC1}.exe"	{2D9B265E-C96D-4cf6-9A59-A6537C6B2300}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{08537601-A0BE-4753-BCBA-020400285C9E}\stubpath = "C:\\Windows\\{08537601-A0BE-4753-BCBA-020400285C9E}.exe"	{0FEF8330-356F-47de-8744-F794285B7904}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B1FDF318-5223-4fc7-A3A4-E55910134FD9}	{9C5AC45A-9041-4347-93DC-AC60665F289E}.exe

Deletes itself 1 IoCs

pid	Process
3048	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2968	{2D9B265E-C96D-4cf6-9A59-A6537C6B2300}.exe
2600	{E471A250-921B-4b93-86FE-E28CD0566DC1}.exe
2852	{8B50F848-093E-45af-A878-C84D1CC4A62B}.exe
2572	{AD866F60-9B1A-47cb-AD44-EB68BEB6C54C}.exe
1556	{46464A9B-D517-434e-BB1C-55B226BC7A48}.exe
1948	{0FEF8330-356F-47de-8744-F794285B7904}.exe
2700	{08537601-A0BE-4753-BCBA-020400285C9E}.exe
500	{8B1AF7A4-5848-401f-8885-08C2F3F88FDD}.exe
2152	{3CA6E08F-93BE-41ad-AC39-A27763ED213D}.exe
1704	{9C5AC45A-9041-4347-93DC-AC60665F289E}.exe
1480	{B1FDF318-5223-4fc7-A3A4-E55910134FD9}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{46464A9B-D517-434e-BB1C-55B226BC7A48}.exe	{AD866F60-9B1A-47cb-AD44-EB68BEB6C54C}.exe
File created	C:\Windows\{9C5AC45A-9041-4347-93DC-AC60665F289E}.exe	{3CA6E08F-93BE-41ad-AC39-A27763ED213D}.exe
File created	C:\Windows\{B1FDF318-5223-4fc7-A3A4-E55910134FD9}.exe	{9C5AC45A-9041-4347-93DC-AC60665F289E}.exe
File created	C:\Windows\{E471A250-921B-4b93-86FE-E28CD0566DC1}.exe	{2D9B265E-C96D-4cf6-9A59-A6537C6B2300}.exe
File created	C:\Windows\{8B50F848-093E-45af-A878-C84D1CC4A62B}.exe	{E471A250-921B-4b93-86FE-E28CD0566DC1}.exe
File created	C:\Windows\{AD866F60-9B1A-47cb-AD44-EB68BEB6C54C}.exe	{8B50F848-093E-45af-A878-C84D1CC4A62B}.exe
File created	C:\Windows\{8B1AF7A4-5848-401f-8885-08C2F3F88FDD}.exe	{08537601-A0BE-4753-BCBA-020400285C9E}.exe
File created	C:\Windows\{3CA6E08F-93BE-41ad-AC39-A27763ED213D}.exe	{8B1AF7A4-5848-401f-8885-08C2F3F88FDD}.exe
File created	C:\Windows\{2D9B265E-C96D-4cf6-9A59-A6537C6B2300}.exe	2024-05-14_7aebed87fa0f2fda96987a41576ec70a_goldeneye.exe
File created	C:\Windows\{0FEF8330-356F-47de-8744-F794285B7904}.exe	{46464A9B-D517-434e-BB1C-55B226BC7A48}.exe
File created	C:\Windows\{08537601-A0BE-4753-BCBA-020400285C9E}.exe	{0FEF8330-356F-47de-8744-F794285B7904}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2368	2024-05-14_7aebed87fa0f2fda96987a41576ec70a_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2968	{2D9B265E-C96D-4cf6-9A59-A6537C6B2300}.exe
Token: SeIncBasePriorityPrivilege	2600	{E471A250-921B-4b93-86FE-E28CD0566DC1}.exe
Token: SeIncBasePriorityPrivilege	2852	{8B50F848-093E-45af-A878-C84D1CC4A62B}.exe
Token: SeIncBasePriorityPrivilege	2572	{AD866F60-9B1A-47cb-AD44-EB68BEB6C54C}.exe
Token: SeIncBasePriorityPrivilege	1556	{46464A9B-D517-434e-BB1C-55B226BC7A48}.exe
Token: SeIncBasePriorityPrivilege	1948	{0FEF8330-356F-47de-8744-F794285B7904}.exe
Token: SeIncBasePriorityPrivilege	2700	{08537601-A0BE-4753-BCBA-020400285C9E}.exe
Token: SeIncBasePriorityPrivilege	500	{8B1AF7A4-5848-401f-8885-08C2F3F88FDD}.exe
Token: SeIncBasePriorityPrivilege	2152	{3CA6E08F-93BE-41ad-AC39-A27763ED213D}.exe
Token: SeIncBasePriorityPrivilege	1704	{9C5AC45A-9041-4347-93DC-AC60665F289E}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2368 wrote to memory of 2968	2368	2024-05-14_7aebed87fa0f2fda96987a41576ec70a_goldeneye.exe	28
PID 2368 wrote to memory of 2968	2368	2024-05-14_7aebed87fa0f2fda96987a41576ec70a_goldeneye.exe	28
PID 2368 wrote to memory of 2968	2368	2024-05-14_7aebed87fa0f2fda96987a41576ec70a_goldeneye.exe	28
PID 2368 wrote to memory of 2968	2368	2024-05-14_7aebed87fa0f2fda96987a41576ec70a_goldeneye.exe	28
PID 2368 wrote to memory of 3048	2368	2024-05-14_7aebed87fa0f2fda96987a41576ec70a_goldeneye.exe	29
PID 2368 wrote to memory of 3048	2368	2024-05-14_7aebed87fa0f2fda96987a41576ec70a_goldeneye.exe	29
PID 2368 wrote to memory of 3048	2368	2024-05-14_7aebed87fa0f2fda96987a41576ec70a_goldeneye.exe	29
PID 2368 wrote to memory of 3048	2368	2024-05-14_7aebed87fa0f2fda96987a41576ec70a_goldeneye.exe	29
PID 2968 wrote to memory of 2600	2968	{2D9B265E-C96D-4cf6-9A59-A6537C6B2300}.exe	30
PID 2968 wrote to memory of 2600	2968	{2D9B265E-C96D-4cf6-9A59-A6537C6B2300}.exe	30
PID 2968 wrote to memory of 2600	2968	{2D9B265E-C96D-4cf6-9A59-A6537C6B2300}.exe	30
PID 2968 wrote to memory of 2600	2968	{2D9B265E-C96D-4cf6-9A59-A6537C6B2300}.exe	30
PID 2968 wrote to memory of 2664	2968	{2D9B265E-C96D-4cf6-9A59-A6537C6B2300}.exe	31
PID 2968 wrote to memory of 2664	2968	{2D9B265E-C96D-4cf6-9A59-A6537C6B2300}.exe	31
PID 2968 wrote to memory of 2664	2968	{2D9B265E-C96D-4cf6-9A59-A6537C6B2300}.exe	31
PID 2968 wrote to memory of 2664	2968	{2D9B265E-C96D-4cf6-9A59-A6537C6B2300}.exe	31
PID 2600 wrote to memory of 2852	2600	{E471A250-921B-4b93-86FE-E28CD0566DC1}.exe	32
PID 2600 wrote to memory of 2852	2600	{E471A250-921B-4b93-86FE-E28CD0566DC1}.exe	32
PID 2600 wrote to memory of 2852	2600	{E471A250-921B-4b93-86FE-E28CD0566DC1}.exe	32
PID 2600 wrote to memory of 2852	2600	{E471A250-921B-4b93-86FE-E28CD0566DC1}.exe	32
PID 2600 wrote to memory of 2100	2600	{E471A250-921B-4b93-86FE-E28CD0566DC1}.exe	33
PID 2600 wrote to memory of 2100	2600	{E471A250-921B-4b93-86FE-E28CD0566DC1}.exe	33
PID 2600 wrote to memory of 2100	2600	{E471A250-921B-4b93-86FE-E28CD0566DC1}.exe	33
PID 2600 wrote to memory of 2100	2600	{E471A250-921B-4b93-86FE-E28CD0566DC1}.exe	33
PID 2852 wrote to memory of 2572	2852	{8B50F848-093E-45af-A878-C84D1CC4A62B}.exe	36
PID 2852 wrote to memory of 2572	2852	{8B50F848-093E-45af-A878-C84D1CC4A62B}.exe	36
PID 2852 wrote to memory of 2572	2852	{8B50F848-093E-45af-A878-C84D1CC4A62B}.exe	36
PID 2852 wrote to memory of 2572	2852	{8B50F848-093E-45af-A878-C84D1CC4A62B}.exe	36
PID 2852 wrote to memory of 2928	2852	{8B50F848-093E-45af-A878-C84D1CC4A62B}.exe	37
PID 2852 wrote to memory of 2928	2852	{8B50F848-093E-45af-A878-C84D1CC4A62B}.exe	37
PID 2852 wrote to memory of 2928	2852	{8B50F848-093E-45af-A878-C84D1CC4A62B}.exe	37
PID 2852 wrote to memory of 2928	2852	{8B50F848-093E-45af-A878-C84D1CC4A62B}.exe	37
PID 2572 wrote to memory of 1556	2572	{AD866F60-9B1A-47cb-AD44-EB68BEB6C54C}.exe	38
PID 2572 wrote to memory of 1556	2572	{AD866F60-9B1A-47cb-AD44-EB68BEB6C54C}.exe	38
PID 2572 wrote to memory of 1556	2572	{AD866F60-9B1A-47cb-AD44-EB68BEB6C54C}.exe	38
PID 2572 wrote to memory of 1556	2572	{AD866F60-9B1A-47cb-AD44-EB68BEB6C54C}.exe	38
PID 2572 wrote to memory of 2764	2572	{AD866F60-9B1A-47cb-AD44-EB68BEB6C54C}.exe	39
PID 2572 wrote to memory of 2764	2572	{AD866F60-9B1A-47cb-AD44-EB68BEB6C54C}.exe	39
PID 2572 wrote to memory of 2764	2572	{AD866F60-9B1A-47cb-AD44-EB68BEB6C54C}.exe	39
PID 2572 wrote to memory of 2764	2572	{AD866F60-9B1A-47cb-AD44-EB68BEB6C54C}.exe	39
PID 1556 wrote to memory of 1948	1556	{46464A9B-D517-434e-BB1C-55B226BC7A48}.exe	40
PID 1556 wrote to memory of 1948	1556	{46464A9B-D517-434e-BB1C-55B226BC7A48}.exe	40
PID 1556 wrote to memory of 1948	1556	{46464A9B-D517-434e-BB1C-55B226BC7A48}.exe	40
PID 1556 wrote to memory of 1948	1556	{46464A9B-D517-434e-BB1C-55B226BC7A48}.exe	40
PID 1556 wrote to memory of 1196	1556	{46464A9B-D517-434e-BB1C-55B226BC7A48}.exe	41
PID 1556 wrote to memory of 1196	1556	{46464A9B-D517-434e-BB1C-55B226BC7A48}.exe	41
PID 1556 wrote to memory of 1196	1556	{46464A9B-D517-434e-BB1C-55B226BC7A48}.exe	41
PID 1556 wrote to memory of 1196	1556	{46464A9B-D517-434e-BB1C-55B226BC7A48}.exe	41
PID 1948 wrote to memory of 2700	1948	{0FEF8330-356F-47de-8744-F794285B7904}.exe	42
PID 1948 wrote to memory of 2700	1948	{0FEF8330-356F-47de-8744-F794285B7904}.exe	42
PID 1948 wrote to memory of 2700	1948	{0FEF8330-356F-47de-8744-F794285B7904}.exe	42
PID 1948 wrote to memory of 2700	1948	{0FEF8330-356F-47de-8744-F794285B7904}.exe	42
PID 1948 wrote to memory of 2820	1948	{0FEF8330-356F-47de-8744-F794285B7904}.exe	43
PID 1948 wrote to memory of 2820	1948	{0FEF8330-356F-47de-8744-F794285B7904}.exe	43
PID 1948 wrote to memory of 2820	1948	{0FEF8330-356F-47de-8744-F794285B7904}.exe	43
PID 1948 wrote to memory of 2820	1948	{0FEF8330-356F-47de-8744-F794285B7904}.exe	43
PID 2700 wrote to memory of 500	2700	{08537601-A0BE-4753-BCBA-020400285C9E}.exe	44
PID 2700 wrote to memory of 500	2700	{08537601-A0BE-4753-BCBA-020400285C9E}.exe	44
PID 2700 wrote to memory of 500	2700	{08537601-A0BE-4753-BCBA-020400285C9E}.exe	44
PID 2700 wrote to memory of 500	2700	{08537601-A0BE-4753-BCBA-020400285C9E}.exe	44
PID 2700 wrote to memory of 960	2700	{08537601-A0BE-4753-BCBA-020400285C9E}.exe	45
PID 2700 wrote to memory of 960	2700	{08537601-A0BE-4753-BCBA-020400285C9E}.exe	45
PID 2700 wrote to memory of 960	2700	{08537601-A0BE-4753-BCBA-020400285C9E}.exe	45
PID 2700 wrote to memory of 960	2700	{08537601-A0BE-4753-BCBA-020400285C9E}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-05-14_7aebed87fa0f2fda96987a41576ec70a_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-14_7aebed87fa0f2fda96987a41576ec70a_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2368
- C:\Windows\{2D9B265E-C96D-4cf6-9A59-A6537C6B2300}.exe
  C:\Windows\{2D9B265E-C96D-4cf6-9A59-A6537C6B2300}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2968
- - C:\Windows\{E471A250-921B-4b93-86FE-E28CD0566DC1}.exe
    C:\Windows\{E471A250-921B-4b93-86FE-E28CD0566DC1}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2600
  - - C:\Windows\{8B50F848-093E-45af-A878-C84D1CC4A62B}.exe
      C:\Windows\{8B50F848-093E-45af-A878-C84D1CC4A62B}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2852
    - - C:\Windows\{AD866F60-9B1A-47cb-AD44-EB68BEB6C54C}.exe
        
        C:\Windows\{AD866F60-9B1A-47cb-AD44-EB68BEB6C54C}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2572
      - C:\Windows\{46464A9B-D517-434e-BB1C-55B226BC7A48}.exe
        
        C:\Windows\{46464A9B-D517-434e-BB1C-55B226BC7A48}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1556
        
        C:\Windows\{0FEF8330-356F-47de-8744-F794285B7904}.exe
        
        C:\Windows\{0FEF8330-356F-47de-8744-F794285B7904}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1948
        
        C:\Windows\{08537601-A0BE-4753-BCBA-020400285C9E}.exe
        
        C:\Windows\{08537601-A0BE-4753-BCBA-020400285C9E}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2700
        
        C:\Windows\{8B1AF7A4-5848-401f-8885-08C2F3F88FDD}.exe
        
        C:\Windows\{8B1AF7A4-5848-401f-8885-08C2F3F88FDD}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:500
        
        C:\Windows\{3CA6E08F-93BE-41ad-AC39-A27763ED213D}.exe
        
        C:\Windows\{3CA6E08F-93BE-41ad-AC39-A27763ED213D}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2152
        
        C:\Windows\{9C5AC45A-9041-4347-93DC-AC60665F289E}.exe
        
        C:\Windows\{9C5AC45A-9041-4347-93DC-AC60665F289E}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1704
        
        C:\Windows\{B1FDF318-5223-4fc7-A3A4-E55910134FD9}.exe
        
        C:\Windows\{B1FDF318-5223-4fc7-A3A4-E55910134FD9}.exe
        12⤵
        Executes dropped EXE
        
        PID:1480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9C5AC~1.EXE > nul
        12⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3CA6E~1.EXE > nul
        11⤵
        
        PID:780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8B1AF~1.EXE > nul
        10⤵
        
        PID:944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{08537~1.EXE > nul
        9⤵
        
        PID:960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0FEF8~1.EXE > nul
        8⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{46464~1.EXE > nul
        7⤵
        
        PID:1196
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AD866~1.EXE > nul
        6⤵
        
        PID:2764
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8B50F~1.EXE > nul
        5⤵
        
        PID:2928
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{E471A~1.EXE > nul
      4⤵
      PID:2100
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{2D9B2~1.EXE > nul
    3⤵
    PID:2664
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:3048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{08537601-A0BE-4753-BCBA-020400285C9E}.exe

Filesize
204KB

MD5
2d439ba671cc602ef471512cb78ce981

SHA1
64ab7f771eb2abc3957f5ccf1f2fba3c7368c552

SHA256
4761d63687076c06ede03554f5dd2c8d764a10c89640c1de7a638aeeb81dcb72

SHA512
7dc79018036b64ec8291e43fb1d1b8714dc34e8672bd75d0035c2ca57b64327dedcf9c26a144e91869822ace50f9b9583d796641d8c7b50ff22afae3e5d08261

Download Submit
C:\Windows\{0FEF8330-356F-47de-8744-F794285B7904}.exe

Filesize
204KB

MD5
ef1ae4cd523afdebace6a13867ae5134

SHA1
9fe1f0591cb3703223a51982839455bf6937b658

SHA256
b2daf1ad0d5a077dbc4a1d7070842ac18a20c3170a7d6a8066303c89ebcd2736

SHA512
a67bfb60303aa923e0695e1dd3e4c21b40e1032f2334f396710a2717fb22c633f29073b60cd4d6f11dd27cd6d85e433b81f8742dc470da7ed58dced59ac26564

Download Submit
C:\Windows\{2D9B265E-C96D-4cf6-9A59-A6537C6B2300}.exe

Filesize
204KB

MD5
8cb9aeb26e2e583b86369cb2c622ed17

SHA1
1b616c8efd3cf2cbbf2d4c5977fcac4be4bf4558

SHA256
abe463a8fcc138d7f0d8cf9a3932e6aef15c8c59503d52f0f4f7dd6ac5e57c42

SHA512
3b67fc66e710df106ebdf882ddf9c32c267bbd025e31f8de0239725f066511d5513428cb85d806cc22c11461b133ba50d9d5907b6a0d5fc94c778bf8d447b1c6

Download Submit
C:\Windows\{3CA6E08F-93BE-41ad-AC39-A27763ED213D}.exe

Filesize
204KB

MD5
83675728a82d66576aa49b59911bb07c

SHA1
ca306a20d99fc0162afc0e2ffde6e8bcb1c2e5aa

SHA256
01c9f1a20aa8328972f3127c0db1ea1cd389479f1b1a72a478ce8af27eafb889

SHA512
b729ccf3423b67c01ef0992603c1422e61b4ce3c5bd04547395155c056a2634b891b45910a80525f374d3e067c7a20fa346e76ec9952d52ffae22d7d575d3feb

Download Submit
C:\Windows\{46464A9B-D517-434e-BB1C-55B226BC7A48}.exe

Filesize
204KB

MD5
2cabc65402f56c8012dc2b01ee155c1e

SHA1
ad15aa89edcf96e4001f9c307897c13ac7bc1b7e

SHA256
08888fbe9d3d428347078c8d1cc88d0021f3b302dca18d69cfcc38038efea0fc

SHA512
ad435f395cacc4987d0c2f7ff2a310f946960e5e04215f4d349000b4e5d5f0868a89c5da103fe6ac7805ea67c2d8a6e6ad66b0dfc7864210e7cf174470918e29

Download Submit
C:\Windows\{8B1AF7A4-5848-401f-8885-08C2F3F88FDD}.exe

Filesize
204KB

MD5
678dc9820b7df69d9007caec41effb0c

SHA1
87e125f360696a6f204be28690c156320faa41cf

SHA256
4ebcc851ae8a843638124b9f05a1d0a8aa285bc77cf6e7f68550fb52045f4adc

SHA512
1b261a285e88336f7ae17b361c1915d2b3d16db34cb1720829a1f7dc211ce6649f68e8085f4c7565da1f24deeb56f46031c367579779b482ad24ba7b4d594ffa

Download Submit
C:\Windows\{8B50F848-093E-45af-A878-C84D1CC4A62B}.exe

Filesize
204KB

MD5
e8c62cfe2f33873b8006c8435e6e656b

SHA1
6029528f2bd83305508c6b08513b860e09b4387d

SHA256
45a436bb67bae09c9fbc051229d97c072ec7500a8449d0a219183a3ee797558e

SHA512
d9d9ec29fb252696ac8458e30f765c6b4fae4c91fb4721435d342c02f1f9c5d346fcb9272e4afe141fe7c71c8e00231cc74661f469f84872bc0f4ac1163b889b

Download Submit
C:\Windows\{9C5AC45A-9041-4347-93DC-AC60665F289E}.exe

Filesize
204KB

MD5
8ee6bd79adb495e93ae13b4668be4dca

SHA1
84504b9b28136254e2fe2f1685391e2f859c6b9d

SHA256
9162c810b10b1a6632ac67562ac9f40c9dbd67039b1c20b21e42e593428a7d47

SHA512
271e27d366d41dead55e61d4a38d946584639696680323631e2d1bb5678ce506cc56b41f9db0ccfe57925e19219d8c9164c4af20a8cac042391c7f578be35629

Download Submit
C:\Windows\{AD866F60-9B1A-47cb-AD44-EB68BEB6C54C}.exe

Filesize
204KB

MD5
34e963dafc53ed8175d652e5150ddddd

SHA1
f31b915299d6972a52b8a92cbdd2350e6aecd596

SHA256
011ba6ed1705c0d125e0252c953959b2661843d648c3e00762dc86ba115d8121

SHA512
7d870735ca78a5c7bfea1fa2601a8a277d873daad06e76228b13be1161e08055b5a2a491aee020185f3e023a36d5522f0d851b48159d30474107e4f3918057bf

Download Submit
C:\Windows\{B1FDF318-5223-4fc7-A3A4-E55910134FD9}.exe

Filesize
204KB

MD5
7e8b903c3c573abf267f2abfe6517399

SHA1
6426d1a68df2f55688d79372faa8f7777dae872e

SHA256
a01f13554341a62610eb6d326905f322c5321b103ac10477154e8ea419b35c45

SHA512
d2086130953a5b1accc4e2fa992da5a66c9b9a1d5beb11e8db989d4869ad0e327fe5ff64848fc75bc6a7fd61fe059d4436fb0b5a961e9f68c573c255787c3984

Download Submit
C:\Windows\{E471A250-921B-4b93-86FE-E28CD0566DC1}.exe

Filesize
204KB

MD5
04eba5009c3ebfe594402a77ba5ff8ae

SHA1
5d27e8ab62f82b46475a64a9e8a58c134a3b8ecf

SHA256
b6ebf899389271ca7f2f8b7f11c32dcbe8a9459847493aaac97cf6be143fb210

SHA512
1dc9e4058648af752b6a9e5872bee1b7cafc850062dc9db90b74a092152e6e92a29cbc3f69ac328691f113c3a1b7c15f90c7d2a1af83e92fc136444acd18d0cd

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads