cd54edc1841d2b1868e2813c19b92f1b50d02736946c22aa7be49b33b79ff482

Analysis

max time kernel
144s
max time network
120s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
16/05/2024, 15:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-16_8f83612f0b6ffb1f4dca2d21d75840d8_goldeneye.exe
Size

344KB
MD5

8f83612f0b6ffb1f4dca2d21d75840d8
SHA1

ef7482b5855b3c1c3f7a155fba7309516e835c6e
SHA256

cd54edc1841d2b1868e2813c19b92f1b50d02736946c22aa7be49b33b79ff482
SHA512

9160f41d14d537a9d8aa9662ba15fa4930f0ce715b7c9e550a0eaf51f6637591b728486d2675d9b90995c25f30cc70358b9ec4fbbeed8b9f2192ddcd5932a7e9
SSDEEP

3072:mEGh0oIlEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGGlqOe2MUVg3v2IneKcAEcA

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x001000000001226b-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00370000000164a9-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001100000001226b-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001200000001226b-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001300000001226b-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001400000001226b-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001500000001226b-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F8A47E4A-5740-4069-8356-692E9F00BC5D}\stubpath = "C:\\Windows\\{F8A47E4A-5740-4069-8356-692E9F00BC5D}.exe"	2024-05-16_8f83612f0b6ffb1f4dca2d21d75840d8_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8B09CE8C-36AE-475f-8E3E-FD172F8120C1}	{F8A47E4A-5740-4069-8356-692E9F00BC5D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B1C28787-61FF-4a64-8873-E9176F2E1AB8}	{37A43D9E-16FE-4625-AC15-D404F91D1A02}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DE289C32-CCF6-4791-85AB-C30E73E6B78C}	{B1C28787-61FF-4a64-8873-E9176F2E1AB8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AEA6B005-9D5D-4235-9290-B2008B82C354}	{64733FAC-DA32-4c08-9C06-16AA31619589}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{37A43D9E-16FE-4625-AC15-D404F91D1A02}\stubpath = "C:\\Windows\\{37A43D9E-16FE-4625-AC15-D404F91D1A02}.exe"	{3ACC83AF-B63F-45a2-A57D-66872F7203AD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8B09CE8C-36AE-475f-8E3E-FD172F8120C1}\stubpath = "C:\\Windows\\{8B09CE8C-36AE-475f-8E3E-FD172F8120C1}.exe"	{F8A47E4A-5740-4069-8356-692E9F00BC5D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9AE3A20C-E744-4b9c-828A-79D1D3696D1F}\stubpath = "C:\\Windows\\{9AE3A20C-E744-4b9c-828A-79D1D3696D1F}.exe"	{8B09CE8C-36AE-475f-8E3E-FD172F8120C1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FAD79551-72F4-46b4-ABE7-495B35CE5184}	{9AE3A20C-E744-4b9c-828A-79D1D3696D1F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DC45CA0F-616F-4e5b-8F78-4C3681EB93D3}\stubpath = "C:\\Windows\\{DC45CA0F-616F-4e5b-8F78-4C3681EB93D3}.exe"	{FAD79551-72F4-46b4-ABE7-495B35CE5184}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{64733FAC-DA32-4c08-9C06-16AA31619589}	{DC45CA0F-616F-4e5b-8F78-4C3681EB93D3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3ACC83AF-B63F-45a2-A57D-66872F7203AD}	{AEA6B005-9D5D-4235-9290-B2008B82C354}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B1C28787-61FF-4a64-8873-E9176F2E1AB8}\stubpath = "C:\\Windows\\{B1C28787-61FF-4a64-8873-E9176F2E1AB8}.exe"	{37A43D9E-16FE-4625-AC15-D404F91D1A02}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DE289C32-CCF6-4791-85AB-C30E73E6B78C}\stubpath = "C:\\Windows\\{DE289C32-CCF6-4791-85AB-C30E73E6B78C}.exe"	{B1C28787-61FF-4a64-8873-E9176F2E1AB8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F8A47E4A-5740-4069-8356-692E9F00BC5D}	2024-05-16_8f83612f0b6ffb1f4dca2d21d75840d8_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9AE3A20C-E744-4b9c-828A-79D1D3696D1F}	{8B09CE8C-36AE-475f-8E3E-FD172F8120C1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FAD79551-72F4-46b4-ABE7-495B35CE5184}\stubpath = "C:\\Windows\\{FAD79551-72F4-46b4-ABE7-495B35CE5184}.exe"	{9AE3A20C-E744-4b9c-828A-79D1D3696D1F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DC45CA0F-616F-4e5b-8F78-4C3681EB93D3}	{FAD79551-72F4-46b4-ABE7-495B35CE5184}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{64733FAC-DA32-4c08-9C06-16AA31619589}\stubpath = "C:\\Windows\\{64733FAC-DA32-4c08-9C06-16AA31619589}.exe"	{DC45CA0F-616F-4e5b-8F78-4C3681EB93D3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AEA6B005-9D5D-4235-9290-B2008B82C354}\stubpath = "C:\\Windows\\{AEA6B005-9D5D-4235-9290-B2008B82C354}.exe"	{64733FAC-DA32-4c08-9C06-16AA31619589}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3ACC83AF-B63F-45a2-A57D-66872F7203AD}\stubpath = "C:\\Windows\\{3ACC83AF-B63F-45a2-A57D-66872F7203AD}.exe"	{AEA6B005-9D5D-4235-9290-B2008B82C354}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{37A43D9E-16FE-4625-AC15-D404F91D1A02}	{3ACC83AF-B63F-45a2-A57D-66872F7203AD}.exe

Deletes itself 1 IoCs

pid	Process
3032	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2748	{F8A47E4A-5740-4069-8356-692E9F00BC5D}.exe
2728	{8B09CE8C-36AE-475f-8E3E-FD172F8120C1}.exe
2488	{9AE3A20C-E744-4b9c-828A-79D1D3696D1F}.exe
1928	{FAD79551-72F4-46b4-ABE7-495B35CE5184}.exe
2512	{DC45CA0F-616F-4e5b-8F78-4C3681EB93D3}.exe
2368	{64733FAC-DA32-4c08-9C06-16AA31619589}.exe
1764	{AEA6B005-9D5D-4235-9290-B2008B82C354}.exe
768	{3ACC83AF-B63F-45a2-A57D-66872F7203AD}.exe
1172	{37A43D9E-16FE-4625-AC15-D404F91D1A02}.exe
2216	{B1C28787-61FF-4a64-8873-E9176F2E1AB8}.exe
1656	{DE289C32-CCF6-4791-85AB-C30E73E6B78C}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{F8A47E4A-5740-4069-8356-692E9F00BC5D}.exe	2024-05-16_8f83612f0b6ffb1f4dca2d21d75840d8_goldeneye.exe
File created	C:\Windows\{8B09CE8C-36AE-475f-8E3E-FD172F8120C1}.exe	{F8A47E4A-5740-4069-8356-692E9F00BC5D}.exe
File created	C:\Windows\{DC45CA0F-616F-4e5b-8F78-4C3681EB93D3}.exe	{FAD79551-72F4-46b4-ABE7-495B35CE5184}.exe
File created	C:\Windows\{64733FAC-DA32-4c08-9C06-16AA31619589}.exe	{DC45CA0F-616F-4e5b-8F78-4C3681EB93D3}.exe
File created	C:\Windows\{AEA6B005-9D5D-4235-9290-B2008B82C354}.exe	{64733FAC-DA32-4c08-9C06-16AA31619589}.exe
File created	C:\Windows\{9AE3A20C-E744-4b9c-828A-79D1D3696D1F}.exe	{8B09CE8C-36AE-475f-8E3E-FD172F8120C1}.exe
File created	C:\Windows\{FAD79551-72F4-46b4-ABE7-495B35CE5184}.exe	{9AE3A20C-E744-4b9c-828A-79D1D3696D1F}.exe
File created	C:\Windows\{3ACC83AF-B63F-45a2-A57D-66872F7203AD}.exe	{AEA6B005-9D5D-4235-9290-B2008B82C354}.exe
File created	C:\Windows\{37A43D9E-16FE-4625-AC15-D404F91D1A02}.exe	{3ACC83AF-B63F-45a2-A57D-66872F7203AD}.exe
File created	C:\Windows\{B1C28787-61FF-4a64-8873-E9176F2E1AB8}.exe	{37A43D9E-16FE-4625-AC15-D404F91D1A02}.exe
File created	C:\Windows\{DE289C32-CCF6-4791-85AB-C30E73E6B78C}.exe	{B1C28787-61FF-4a64-8873-E9176F2E1AB8}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1636	2024-05-16_8f83612f0b6ffb1f4dca2d21d75840d8_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2748	{F8A47E4A-5740-4069-8356-692E9F00BC5D}.exe
Token: SeIncBasePriorityPrivilege	2728	{8B09CE8C-36AE-475f-8E3E-FD172F8120C1}.exe
Token: SeIncBasePriorityPrivilege	2488	{9AE3A20C-E744-4b9c-828A-79D1D3696D1F}.exe
Token: SeIncBasePriorityPrivilege	1928	{FAD79551-72F4-46b4-ABE7-495B35CE5184}.exe
Token: SeIncBasePriorityPrivilege	2512	{DC45CA0F-616F-4e5b-8F78-4C3681EB93D3}.exe
Token: SeIncBasePriorityPrivilege	2368	{64733FAC-DA32-4c08-9C06-16AA31619589}.exe
Token: SeIncBasePriorityPrivilege	1764	{AEA6B005-9D5D-4235-9290-B2008B82C354}.exe
Token: SeIncBasePriorityPrivilege	768	{3ACC83AF-B63F-45a2-A57D-66872F7203AD}.exe
Token: SeIncBasePriorityPrivilege	1172	{37A43D9E-16FE-4625-AC15-D404F91D1A02}.exe
Token: SeIncBasePriorityPrivilege	2216	{B1C28787-61FF-4a64-8873-E9176F2E1AB8}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1636 wrote to memory of 2748	1636	2024-05-16_8f83612f0b6ffb1f4dca2d21d75840d8_goldeneye.exe	28
PID 1636 wrote to memory of 2748	1636	2024-05-16_8f83612f0b6ffb1f4dca2d21d75840d8_goldeneye.exe	28
PID 1636 wrote to memory of 2748	1636	2024-05-16_8f83612f0b6ffb1f4dca2d21d75840d8_goldeneye.exe	28
PID 1636 wrote to memory of 2748	1636	2024-05-16_8f83612f0b6ffb1f4dca2d21d75840d8_goldeneye.exe	28
PID 1636 wrote to memory of 3032	1636	2024-05-16_8f83612f0b6ffb1f4dca2d21d75840d8_goldeneye.exe	29
PID 1636 wrote to memory of 3032	1636	2024-05-16_8f83612f0b6ffb1f4dca2d21d75840d8_goldeneye.exe	29
PID 1636 wrote to memory of 3032	1636	2024-05-16_8f83612f0b6ffb1f4dca2d21d75840d8_goldeneye.exe	29
PID 1636 wrote to memory of 3032	1636	2024-05-16_8f83612f0b6ffb1f4dca2d21d75840d8_goldeneye.exe	29
PID 2748 wrote to memory of 2728	2748	{F8A47E4A-5740-4069-8356-692E9F00BC5D}.exe	30
PID 2748 wrote to memory of 2728	2748	{F8A47E4A-5740-4069-8356-692E9F00BC5D}.exe	30
PID 2748 wrote to memory of 2728	2748	{F8A47E4A-5740-4069-8356-692E9F00BC5D}.exe	30
PID 2748 wrote to memory of 2728	2748	{F8A47E4A-5740-4069-8356-692E9F00BC5D}.exe	30
PID 2748 wrote to memory of 2576	2748	{F8A47E4A-5740-4069-8356-692E9F00BC5D}.exe	31
PID 2748 wrote to memory of 2576	2748	{F8A47E4A-5740-4069-8356-692E9F00BC5D}.exe	31
PID 2748 wrote to memory of 2576	2748	{F8A47E4A-5740-4069-8356-692E9F00BC5D}.exe	31
PID 2748 wrote to memory of 2576	2748	{F8A47E4A-5740-4069-8356-692E9F00BC5D}.exe	31
PID 2728 wrote to memory of 2488	2728	{8B09CE8C-36AE-475f-8E3E-FD172F8120C1}.exe	32
PID 2728 wrote to memory of 2488	2728	{8B09CE8C-36AE-475f-8E3E-FD172F8120C1}.exe	32
PID 2728 wrote to memory of 2488	2728	{8B09CE8C-36AE-475f-8E3E-FD172F8120C1}.exe	32
PID 2728 wrote to memory of 2488	2728	{8B09CE8C-36AE-475f-8E3E-FD172F8120C1}.exe	32
PID 2728 wrote to memory of 2680	2728	{8B09CE8C-36AE-475f-8E3E-FD172F8120C1}.exe	33
PID 2728 wrote to memory of 2680	2728	{8B09CE8C-36AE-475f-8E3E-FD172F8120C1}.exe	33
PID 2728 wrote to memory of 2680	2728	{8B09CE8C-36AE-475f-8E3E-FD172F8120C1}.exe	33
PID 2728 wrote to memory of 2680	2728	{8B09CE8C-36AE-475f-8E3E-FD172F8120C1}.exe	33
PID 2488 wrote to memory of 1928	2488	{9AE3A20C-E744-4b9c-828A-79D1D3696D1F}.exe	36
PID 2488 wrote to memory of 1928	2488	{9AE3A20C-E744-4b9c-828A-79D1D3696D1F}.exe	36
PID 2488 wrote to memory of 1928	2488	{9AE3A20C-E744-4b9c-828A-79D1D3696D1F}.exe	36
PID 2488 wrote to memory of 1928	2488	{9AE3A20C-E744-4b9c-828A-79D1D3696D1F}.exe	36
PID 2488 wrote to memory of 2344	2488	{9AE3A20C-E744-4b9c-828A-79D1D3696D1F}.exe	37
PID 2488 wrote to memory of 2344	2488	{9AE3A20C-E744-4b9c-828A-79D1D3696D1F}.exe	37
PID 2488 wrote to memory of 2344	2488	{9AE3A20C-E744-4b9c-828A-79D1D3696D1F}.exe	37
PID 2488 wrote to memory of 2344	2488	{9AE3A20C-E744-4b9c-828A-79D1D3696D1F}.exe	37
PID 1928 wrote to memory of 2512	1928	{FAD79551-72F4-46b4-ABE7-495B35CE5184}.exe	38
PID 1928 wrote to memory of 2512	1928	{FAD79551-72F4-46b4-ABE7-495B35CE5184}.exe	38
PID 1928 wrote to memory of 2512	1928	{FAD79551-72F4-46b4-ABE7-495B35CE5184}.exe	38
PID 1928 wrote to memory of 2512	1928	{FAD79551-72F4-46b4-ABE7-495B35CE5184}.exe	38
PID 1928 wrote to memory of 2668	1928	{FAD79551-72F4-46b4-ABE7-495B35CE5184}.exe	39
PID 1928 wrote to memory of 2668	1928	{FAD79551-72F4-46b4-ABE7-495B35CE5184}.exe	39
PID 1928 wrote to memory of 2668	1928	{FAD79551-72F4-46b4-ABE7-495B35CE5184}.exe	39
PID 1928 wrote to memory of 2668	1928	{FAD79551-72F4-46b4-ABE7-495B35CE5184}.exe	39
PID 2512 wrote to memory of 2368	2512	{DC45CA0F-616F-4e5b-8F78-4C3681EB93D3}.exe	40
PID 2512 wrote to memory of 2368	2512	{DC45CA0F-616F-4e5b-8F78-4C3681EB93D3}.exe	40
PID 2512 wrote to memory of 2368	2512	{DC45CA0F-616F-4e5b-8F78-4C3681EB93D3}.exe	40
PID 2512 wrote to memory of 2368	2512	{DC45CA0F-616F-4e5b-8F78-4C3681EB93D3}.exe	40
PID 2512 wrote to memory of 2140	2512	{DC45CA0F-616F-4e5b-8F78-4C3681EB93D3}.exe	41
PID 2512 wrote to memory of 2140	2512	{DC45CA0F-616F-4e5b-8F78-4C3681EB93D3}.exe	41
PID 2512 wrote to memory of 2140	2512	{DC45CA0F-616F-4e5b-8F78-4C3681EB93D3}.exe	41
PID 2512 wrote to memory of 2140	2512	{DC45CA0F-616F-4e5b-8F78-4C3681EB93D3}.exe	41
PID 2368 wrote to memory of 1764	2368	{64733FAC-DA32-4c08-9C06-16AA31619589}.exe	42
PID 2368 wrote to memory of 1764	2368	{64733FAC-DA32-4c08-9C06-16AA31619589}.exe	42
PID 2368 wrote to memory of 1764	2368	{64733FAC-DA32-4c08-9C06-16AA31619589}.exe	42
PID 2368 wrote to memory of 1764	2368	{64733FAC-DA32-4c08-9C06-16AA31619589}.exe	42
PID 2368 wrote to memory of 236	2368	{64733FAC-DA32-4c08-9C06-16AA31619589}.exe	43
PID 2368 wrote to memory of 236	2368	{64733FAC-DA32-4c08-9C06-16AA31619589}.exe	43
PID 2368 wrote to memory of 236	2368	{64733FAC-DA32-4c08-9C06-16AA31619589}.exe	43
PID 2368 wrote to memory of 236	2368	{64733FAC-DA32-4c08-9C06-16AA31619589}.exe	43
PID 1764 wrote to memory of 768	1764	{AEA6B005-9D5D-4235-9290-B2008B82C354}.exe	44
PID 1764 wrote to memory of 768	1764	{AEA6B005-9D5D-4235-9290-B2008B82C354}.exe	44
PID 1764 wrote to memory of 768	1764	{AEA6B005-9D5D-4235-9290-B2008B82C354}.exe	44
PID 1764 wrote to memory of 768	1764	{AEA6B005-9D5D-4235-9290-B2008B82C354}.exe	44
PID 1764 wrote to memory of 984	1764	{AEA6B005-9D5D-4235-9290-B2008B82C354}.exe	45
PID 1764 wrote to memory of 984	1764	{AEA6B005-9D5D-4235-9290-B2008B82C354}.exe	45
PID 1764 wrote to memory of 984	1764	{AEA6B005-9D5D-4235-9290-B2008B82C354}.exe	45
PID 1764 wrote to memory of 984	1764	{AEA6B005-9D5D-4235-9290-B2008B82C354}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-05-16_8f83612f0b6ffb1f4dca2d21d75840d8_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-16_8f83612f0b6ffb1f4dca2d21d75840d8_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1636
- C:\Windows\{F8A47E4A-5740-4069-8356-692E9F00BC5D}.exe
  C:\Windows\{F8A47E4A-5740-4069-8356-692E9F00BC5D}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2748
- - C:\Windows\{8B09CE8C-36AE-475f-8E3E-FD172F8120C1}.exe
    C:\Windows\{8B09CE8C-36AE-475f-8E3E-FD172F8120C1}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2728
  - - C:\Windows\{9AE3A20C-E744-4b9c-828A-79D1D3696D1F}.exe
      C:\Windows\{9AE3A20C-E744-4b9c-828A-79D1D3696D1F}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2488
    - - C:\Windows\{FAD79551-72F4-46b4-ABE7-495B35CE5184}.exe
        
        C:\Windows\{FAD79551-72F4-46b4-ABE7-495B35CE5184}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1928
      - C:\Windows\{DC45CA0F-616F-4e5b-8F78-4C3681EB93D3}.exe
        
        C:\Windows\{DC45CA0F-616F-4e5b-8F78-4C3681EB93D3}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2512
        
        C:\Windows\{64733FAC-DA32-4c08-9C06-16AA31619589}.exe
        
        C:\Windows\{64733FAC-DA32-4c08-9C06-16AA31619589}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2368
        
        C:\Windows\{AEA6B005-9D5D-4235-9290-B2008B82C354}.exe
        
        C:\Windows\{AEA6B005-9D5D-4235-9290-B2008B82C354}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1764
        
        C:\Windows\{3ACC83AF-B63F-45a2-A57D-66872F7203AD}.exe
        
        C:\Windows\{3ACC83AF-B63F-45a2-A57D-66872F7203AD}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:768
        
        C:\Windows\{37A43D9E-16FE-4625-AC15-D404F91D1A02}.exe
        
        C:\Windows\{37A43D9E-16FE-4625-AC15-D404F91D1A02}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1172
        
        C:\Windows\{B1C28787-61FF-4a64-8873-E9176F2E1AB8}.exe
        
        C:\Windows\{B1C28787-61FF-4a64-8873-E9176F2E1AB8}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2216
        
        C:\Windows\{DE289C32-CCF6-4791-85AB-C30E73E6B78C}.exe
        
        C:\Windows\{DE289C32-CCF6-4791-85AB-C30E73E6B78C}.exe
        12⤵
        Executes dropped EXE
        
        PID:1656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B1C28~1.EXE > nul
        12⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{37A43~1.EXE > nul
        11⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3ACC8~1.EXE > nul
        10⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AEA6B~1.EXE > nul
        9⤵
        
        PID:984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{64733~1.EXE > nul
        8⤵
        
        PID:236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DC45C~1.EXE > nul
        7⤵
        
        PID:2140
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FAD79~1.EXE > nul
        6⤵
        
        PID:2668
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9AE3A~1.EXE > nul
        5⤵
        
        PID:2344
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{8B09C~1.EXE > nul
      4⤵
      PID:2680
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{F8A47~1.EXE > nul
    3⤵
    PID:2576
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:3032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{37A43D9E-16FE-4625-AC15-D404F91D1A02}.exe

Filesize
344KB

MD5
dbd895fb53756a8fed42ce9a0c7606b4

SHA1
27454c390b5c64e7c2a58cfdf972f85dac38889a

SHA256
7beb77d1f01e5e34c4660bc37df8684eed11775f04651fc8e34cafaba498ac56

SHA512
db7e6a3d85016f7aa9fe04f07e0c01dabf518eca3f989e246a0261107eeaddf898bffc73626b97f88b7650137d0314077986f758eb2f499a10d5d4db2839b36e

Download Submit
C:\Windows\{3ACC83AF-B63F-45a2-A57D-66872F7203AD}.exe

Filesize
344KB

MD5
4c024bb764770ddb551069b36cd612db

SHA1
a73e4a807fa3043981f6617a9f1edb3649954839

SHA256
2338ecd77f3029c5258efbcbae3f70b3b4637b4a859e6b020416c52e07695e02

SHA512
4bdb6f5bfa53f956fe7a6606936efca545f20298b701b97ed21231d2ce58b22214ac6d688d744b67f974b887ccba63685dc97c9b585dc8ab39036ae834fd7ef5

Download Submit
C:\Windows\{64733FAC-DA32-4c08-9C06-16AA31619589}.exe

Filesize
344KB

MD5
7a5d740206341b31c99a6778919415e7

SHA1
13e9646257fa8b5c3269be067bcf8e670e1f0225

SHA256
e392463ba3c03b779b6c03bad16dba59a0a3d4b1b498cfacb52d85aa6cf98e8a

SHA512
21487c9f4847ee95e7e022563117f2e2ce2cf608f1777965a6e1b70d2022157303bc9e947350cb6a8f8b4e15cfbf53a34227c6db3d815630f496c8406253c962

Download Submit
C:\Windows\{8B09CE8C-36AE-475f-8E3E-FD172F8120C1}.exe

Filesize
344KB

MD5
5a1fbd4843e27abd392e5d024d240fdb

SHA1
1dbbe50f5eb4ab05bd7c061dbbbc14994b1b948e

SHA256
6bc43a64b3cd0d69efd6251f40f1ce07200dca05d5422263a5019bb1a36672b4

SHA512
f8472c6c7c224ed508de9470298ad39da470bd13a817f3b03388d03a90aafa18ade912a2dfc79e2ba9eb49c22ff224eeea12efff5562bfb2a0217a3ec44eb53f

Download Submit
C:\Windows\{9AE3A20C-E744-4b9c-828A-79D1D3696D1F}.exe

Filesize
344KB

MD5
35eb2355427908dd70679e0310faa8f6

SHA1
435fb61b2f6d90f9124dc7bca8b7c4ec5e23b6da

SHA256
8e62b984d6827859dc4975e3ac5a52017a2a83913674200c4eb3294226d03d47

SHA512
cb638c13916f543435ec5dfb1170fd76abdaa29d9a75433e72c82ff1e079e229338a44f6c048663536d25bc43ece63ca821e25b893375abe63e21e6897f061a4

Download Submit
C:\Windows\{AEA6B005-9D5D-4235-9290-B2008B82C354}.exe

Filesize
344KB

MD5
9ee566eeef9d6b9786ffe7716a6a9e40

SHA1
2785be511625deb5b5df686af791cd8337d33749

SHA256
25e950d28891a6f64ff29c7a5f4539be5d7fe2f43f8fd676b97bd2285f12e2b2

SHA512
1fc0aface999ca4ad074c23019fc2a929a29d599b8b8dd2b8ba4ee4d025dc5bd33bd07abba6d03f8af8f5f61d4915b75b9ecfbfb52707fe47d4bda286342b3ac

Download Submit
C:\Windows\{B1C28787-61FF-4a64-8873-E9176F2E1AB8}.exe

Filesize
344KB

MD5
5fae6f3bb601195d0933070876c4a978

SHA1
675a80b9b33b8d3b5c5cc4e9a6b25f895e53a100

SHA256
a2ff2c7e852c9b1fd4d9523d276e5d500e359ab0b5da0787a64aa1beae4f1e5d

SHA512
36fac754856de011688aa8fffdbad2c50582a800da4fdf776c86fadad67d710dfe6a02f28fdb61bd1663f7b3e198d02a650d7ee21d480f91332d1b2c3211ff08

Download Submit
C:\Windows\{DC45CA0F-616F-4e5b-8F78-4C3681EB93D3}.exe

Filesize
344KB

MD5
5d2c28bb6d0f6c0264fb5fa9f03b6b49

SHA1
20b038d9cf634212f2f1d32ff49d4b4b81e4afaf

SHA256
1e7bfef1b660703ed3b2bbde8b1563c260683d5278140c96f509f18e50742886

SHA512
82ba8f792e57b78f7d7f12744a454b2e5bafd6eb22f59613b599e5b7784c56ac8c1b93b55b6445db04bccecdf6e9d91e0b64ab95c4a905b9738cbd4c7b57ed1d

Download Submit
C:\Windows\{DE289C32-CCF6-4791-85AB-C30E73E6B78C}.exe

Filesize
344KB

MD5
f37262094892b24a8777079b44debffa

SHA1
756c54316636465ea223350494d3644e21291ef2

SHA256
40970091eb70ecc2b4096303e0a7f01e5cb6e4567482a93d5f2629148e91eabf

SHA512
5dd31eff6b86975c0ace20402625d9c229e83e2c0dfa58a859b0cc400a7bc19379ac26da9e18be043c730ae2b66134dca869748449970676abc48b9c0d2a00fc

Download Submit
C:\Windows\{F8A47E4A-5740-4069-8356-692E9F00BC5D}.exe

Filesize
344KB

MD5
bc9ac8ebcba2df0b21cd36b15e1b63b6

SHA1
a85fba4256586f7e4275905ebc51c689620684a1

SHA256
d7d2eee21b3b1ff03a0ceabe23a4c64d8c0d917540c7ec53efde991967bf6484

SHA512
e377a9cc2a5177affa3ec8bcf02fefee092ccbbdc3ca8614c5e2ecda1c817f770287b5eab9477221baf5eb49f58e453a93ccb8bce94862e95e728e3340c2372c

Download Submit
C:\Windows\{FAD79551-72F4-46b4-ABE7-495B35CE5184}.exe

Filesize
344KB

MD5
f0a2eb456aa4eaae8e99925efd65d2c5

SHA1
956740176f5b21ec74d2d51eb281079751a6be55

SHA256
a0245b9eb0548f8bc2a7d5cd8d638f76216d6b0933d44a394635f6d81444bdc4

SHA512
7135e8c87618a7ac2d4c2d161a6db15c0d6a99e204cd9a1c622cb75abe3539e880cbdf468fc0e575ca5b85b950e8b30cc3e1088ae5c0555017fdf76929f7e7c0

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads