a35ec3c81265d38a0640be4c50d0600621b55e464cbd2c7d778c314125bac3b3

Analysis

max time kernel
144s
max time network
120s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
25/05/2024, 03:53

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-05-25_9bd667e4dc9abc0e504646ec46b23c21_goldeneye.exe
Size

180KB
MD5

9bd667e4dc9abc0e504646ec46b23c21
SHA1

fb87366d80fa53c1ff7a98dbbf90f219846afec8
SHA256

a35ec3c81265d38a0640be4c50d0600621b55e464cbd2c7d778c314125bac3b3
SHA512

0b8eb477d76f08dc25a9ebad8bc0b71f2d1fabca5a8d4c17215e1a8c0ccdd2dd596913e460ff2b3718d622c1bbdcbbd2a7f6cfc1d9ec95945f5b768bf7a318d8
SSDEEP

3072:jEGh0oDlfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGpl5eKcAEc

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000a000000012286-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0036000000015670-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b000000012286-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0036000000015678-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000012286-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000012286-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e000000012286-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1C2720E9-9FBA-420e-B48B-8F4AD155799E}	2024-05-25_9bd667e4dc9abc0e504646ec46b23c21_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5B6F50C9-9A51-4074-BCC5-F89DE956C285}\stubpath = "C:\\Windows\\{5B6F50C9-9A51-4074-BCC5-F89DE956C285}.exe"	{1C2720E9-9FBA-420e-B48B-8F4AD155799E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F1A8059A-FEC1-463e-8A2A-05221C85CA80}\stubpath = "C:\\Windows\\{F1A8059A-FEC1-463e-8A2A-05221C85CA80}.exe"	{5B6F50C9-9A51-4074-BCC5-F89DE956C285}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4A463279-F90F-4a6c-A687-123D6F94AC8C}\stubpath = "C:\\Windows\\{4A463279-F90F-4a6c-A687-123D6F94AC8C}.exe"	{F1A8059A-FEC1-463e-8A2A-05221C85CA80}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1B4B487E-A515-48da-BF1A-23645AB113B3}\stubpath = "C:\\Windows\\{1B4B487E-A515-48da-BF1A-23645AB113B3}.exe"	{E9E51038-0E86-417d-95F4-2E5ACB437271}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4A463279-F90F-4a6c-A687-123D6F94AC8C}	{F1A8059A-FEC1-463e-8A2A-05221C85CA80}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D4D8481D-EB9B-4fe8-86F9-4DF7B1CDB317}\stubpath = "C:\\Windows\\{D4D8481D-EB9B-4fe8-86F9-4DF7B1CDB317}.exe"	{4A463279-F90F-4a6c-A687-123D6F94AC8C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9D6AE265-536B-4ba8-BB92-3ED306D46CAD}\stubpath = "C:\\Windows\\{9D6AE265-536B-4ba8-BB92-3ED306D46CAD}.exe"	{E44D023E-B04B-4079-A02C-9399DB1DAEA1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8A34FE56-A914-4784-8136-F27AF74CA06D}	{9D6AE265-536B-4ba8-BB92-3ED306D46CAD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3AF3AFE6-E63C-4b79-8CE5-34F88E1BC59F}	{8A34FE56-A914-4784-8136-F27AF74CA06D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3AF3AFE6-E63C-4b79-8CE5-34F88E1BC59F}\stubpath = "C:\\Windows\\{3AF3AFE6-E63C-4b79-8CE5-34F88E1BC59F}.exe"	{8A34FE56-A914-4784-8136-F27AF74CA06D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F1A8059A-FEC1-463e-8A2A-05221C85CA80}	{5B6F50C9-9A51-4074-BCC5-F89DE956C285}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D4D8481D-EB9B-4fe8-86F9-4DF7B1CDB317}	{4A463279-F90F-4a6c-A687-123D6F94AC8C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E9E51038-0E86-417d-95F4-2E5ACB437271}	{D4D8481D-EB9B-4fe8-86F9-4DF7B1CDB317}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1C2720E9-9FBA-420e-B48B-8F4AD155799E}\stubpath = "C:\\Windows\\{1C2720E9-9FBA-420e-B48B-8F4AD155799E}.exe"	2024-05-25_9bd667e4dc9abc0e504646ec46b23c21_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5B6F50C9-9A51-4074-BCC5-F89DE956C285}	{1C2720E9-9FBA-420e-B48B-8F4AD155799E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E9E51038-0E86-417d-95F4-2E5ACB437271}\stubpath = "C:\\Windows\\{E9E51038-0E86-417d-95F4-2E5ACB437271}.exe"	{D4D8481D-EB9B-4fe8-86F9-4DF7B1CDB317}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1B4B487E-A515-48da-BF1A-23645AB113B3}	{E9E51038-0E86-417d-95F4-2E5ACB437271}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E44D023E-B04B-4079-A02C-9399DB1DAEA1}	{1B4B487E-A515-48da-BF1A-23645AB113B3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E44D023E-B04B-4079-A02C-9399DB1DAEA1}\stubpath = "C:\\Windows\\{E44D023E-B04B-4079-A02C-9399DB1DAEA1}.exe"	{1B4B487E-A515-48da-BF1A-23645AB113B3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9D6AE265-536B-4ba8-BB92-3ED306D46CAD}	{E44D023E-B04B-4079-A02C-9399DB1DAEA1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8A34FE56-A914-4784-8136-F27AF74CA06D}\stubpath = "C:\\Windows\\{8A34FE56-A914-4784-8136-F27AF74CA06D}.exe"	{9D6AE265-536B-4ba8-BB92-3ED306D46CAD}.exe

Deletes itself 1 IoCs

pid	Process
2792	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2000	{1C2720E9-9FBA-420e-B48B-8F4AD155799E}.exe
2892	{5B6F50C9-9A51-4074-BCC5-F89DE956C285}.exe
2264	{F1A8059A-FEC1-463e-8A2A-05221C85CA80}.exe
2964	{4A463279-F90F-4a6c-A687-123D6F94AC8C}.exe
2824	{D4D8481D-EB9B-4fe8-86F9-4DF7B1CDB317}.exe
1960	{E9E51038-0E86-417d-95F4-2E5ACB437271}.exe
1992	{1B4B487E-A515-48da-BF1A-23645AB113B3}.exe
1924	{E44D023E-B04B-4079-A02C-9399DB1DAEA1}.exe
1800	{9D6AE265-536B-4ba8-BB92-3ED306D46CAD}.exe
2484	{8A34FE56-A914-4784-8136-F27AF74CA06D}.exe
1468	{3AF3AFE6-E63C-4b79-8CE5-34F88E1BC59F}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{4A463279-F90F-4a6c-A687-123D6F94AC8C}.exe	{F1A8059A-FEC1-463e-8A2A-05221C85CA80}.exe
File created	C:\Windows\{E44D023E-B04B-4079-A02C-9399DB1DAEA1}.exe	{1B4B487E-A515-48da-BF1A-23645AB113B3}.exe
File created	C:\Windows\{8A34FE56-A914-4784-8136-F27AF74CA06D}.exe	{9D6AE265-536B-4ba8-BB92-3ED306D46CAD}.exe
File created	C:\Windows\{3AF3AFE6-E63C-4b79-8CE5-34F88E1BC59F}.exe	{8A34FE56-A914-4784-8136-F27AF74CA06D}.exe
File created	C:\Windows\{F1A8059A-FEC1-463e-8A2A-05221C85CA80}.exe	{5B6F50C9-9A51-4074-BCC5-F89DE956C285}.exe
File created	C:\Windows\{5B6F50C9-9A51-4074-BCC5-F89DE956C285}.exe	{1C2720E9-9FBA-420e-B48B-8F4AD155799E}.exe
File created	C:\Windows\{D4D8481D-EB9B-4fe8-86F9-4DF7B1CDB317}.exe	{4A463279-F90F-4a6c-A687-123D6F94AC8C}.exe
File created	C:\Windows\{E9E51038-0E86-417d-95F4-2E5ACB437271}.exe	{D4D8481D-EB9B-4fe8-86F9-4DF7B1CDB317}.exe
File created	C:\Windows\{1B4B487E-A515-48da-BF1A-23645AB113B3}.exe	{E9E51038-0E86-417d-95F4-2E5ACB437271}.exe
File created	C:\Windows\{9D6AE265-536B-4ba8-BB92-3ED306D46CAD}.exe	{E44D023E-B04B-4079-A02C-9399DB1DAEA1}.exe
File created	C:\Windows\{1C2720E9-9FBA-420e-B48B-8F4AD155799E}.exe	2024-05-25_9bd667e4dc9abc0e504646ec46b23c21_goldeneye.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1916	2024-05-25_9bd667e4dc9abc0e504646ec46b23c21_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2000	{1C2720E9-9FBA-420e-B48B-8F4AD155799E}.exe
Token: SeIncBasePriorityPrivilege	2892	{5B6F50C9-9A51-4074-BCC5-F89DE956C285}.exe
Token: SeIncBasePriorityPrivilege	2264	{F1A8059A-FEC1-463e-8A2A-05221C85CA80}.exe
Token: SeIncBasePriorityPrivilege	2964	{4A463279-F90F-4a6c-A687-123D6F94AC8C}.exe
Token: SeIncBasePriorityPrivilege	2824	{D4D8481D-EB9B-4fe8-86F9-4DF7B1CDB317}.exe
Token: SeIncBasePriorityPrivilege	1960	{E9E51038-0E86-417d-95F4-2E5ACB437271}.exe
Token: SeIncBasePriorityPrivilege	1992	{1B4B487E-A515-48da-BF1A-23645AB113B3}.exe
Token: SeIncBasePriorityPrivilege	1924	{E44D023E-B04B-4079-A02C-9399DB1DAEA1}.exe
Token: SeIncBasePriorityPrivilege	1800	{9D6AE265-536B-4ba8-BB92-3ED306D46CAD}.exe
Token: SeIncBasePriorityPrivilege	2484	{8A34FE56-A914-4784-8136-F27AF74CA06D}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1916 wrote to memory of 2000	1916	2024-05-25_9bd667e4dc9abc0e504646ec46b23c21_goldeneye.exe	28
PID 1916 wrote to memory of 2000	1916	2024-05-25_9bd667e4dc9abc0e504646ec46b23c21_goldeneye.exe	28
PID 1916 wrote to memory of 2000	1916	2024-05-25_9bd667e4dc9abc0e504646ec46b23c21_goldeneye.exe	28
PID 1916 wrote to memory of 2000	1916	2024-05-25_9bd667e4dc9abc0e504646ec46b23c21_goldeneye.exe	28
PID 1916 wrote to memory of 2792	1916	2024-05-25_9bd667e4dc9abc0e504646ec46b23c21_goldeneye.exe	29
PID 1916 wrote to memory of 2792	1916	2024-05-25_9bd667e4dc9abc0e504646ec46b23c21_goldeneye.exe	29
PID 1916 wrote to memory of 2792	1916	2024-05-25_9bd667e4dc9abc0e504646ec46b23c21_goldeneye.exe	29
PID 1916 wrote to memory of 2792	1916	2024-05-25_9bd667e4dc9abc0e504646ec46b23c21_goldeneye.exe	29
PID 2000 wrote to memory of 2892	2000	{1C2720E9-9FBA-420e-B48B-8F4AD155799E}.exe	30
PID 2000 wrote to memory of 2892	2000	{1C2720E9-9FBA-420e-B48B-8F4AD155799E}.exe	30
PID 2000 wrote to memory of 2892	2000	{1C2720E9-9FBA-420e-B48B-8F4AD155799E}.exe	30
PID 2000 wrote to memory of 2892	2000	{1C2720E9-9FBA-420e-B48B-8F4AD155799E}.exe	30
PID 2000 wrote to memory of 2628	2000	{1C2720E9-9FBA-420e-B48B-8F4AD155799E}.exe	31
PID 2000 wrote to memory of 2628	2000	{1C2720E9-9FBA-420e-B48B-8F4AD155799E}.exe	31
PID 2000 wrote to memory of 2628	2000	{1C2720E9-9FBA-420e-B48B-8F4AD155799E}.exe	31
PID 2000 wrote to memory of 2628	2000	{1C2720E9-9FBA-420e-B48B-8F4AD155799E}.exe	31
PID 2892 wrote to memory of 2264	2892	{5B6F50C9-9A51-4074-BCC5-F89DE956C285}.exe	32
PID 2892 wrote to memory of 2264	2892	{5B6F50C9-9A51-4074-BCC5-F89DE956C285}.exe	32
PID 2892 wrote to memory of 2264	2892	{5B6F50C9-9A51-4074-BCC5-F89DE956C285}.exe	32
PID 2892 wrote to memory of 2264	2892	{5B6F50C9-9A51-4074-BCC5-F89DE956C285}.exe	32
PID 2892 wrote to memory of 2768	2892	{5B6F50C9-9A51-4074-BCC5-F89DE956C285}.exe	33
PID 2892 wrote to memory of 2768	2892	{5B6F50C9-9A51-4074-BCC5-F89DE956C285}.exe	33
PID 2892 wrote to memory of 2768	2892	{5B6F50C9-9A51-4074-BCC5-F89DE956C285}.exe	33
PID 2892 wrote to memory of 2768	2892	{5B6F50C9-9A51-4074-BCC5-F89DE956C285}.exe	33
PID 2264 wrote to memory of 2964	2264	{F1A8059A-FEC1-463e-8A2A-05221C85CA80}.exe	36
PID 2264 wrote to memory of 2964	2264	{F1A8059A-FEC1-463e-8A2A-05221C85CA80}.exe	36
PID 2264 wrote to memory of 2964	2264	{F1A8059A-FEC1-463e-8A2A-05221C85CA80}.exe	36
PID 2264 wrote to memory of 2964	2264	{F1A8059A-FEC1-463e-8A2A-05221C85CA80}.exe	36
PID 2264 wrote to memory of 1640	2264	{F1A8059A-FEC1-463e-8A2A-05221C85CA80}.exe	37
PID 2264 wrote to memory of 1640	2264	{F1A8059A-FEC1-463e-8A2A-05221C85CA80}.exe	37
PID 2264 wrote to memory of 1640	2264	{F1A8059A-FEC1-463e-8A2A-05221C85CA80}.exe	37
PID 2264 wrote to memory of 1640	2264	{F1A8059A-FEC1-463e-8A2A-05221C85CA80}.exe	37
PID 2964 wrote to memory of 2824	2964	{4A463279-F90F-4a6c-A687-123D6F94AC8C}.exe	38
PID 2964 wrote to memory of 2824	2964	{4A463279-F90F-4a6c-A687-123D6F94AC8C}.exe	38
PID 2964 wrote to memory of 2824	2964	{4A463279-F90F-4a6c-A687-123D6F94AC8C}.exe	38
PID 2964 wrote to memory of 2824	2964	{4A463279-F90F-4a6c-A687-123D6F94AC8C}.exe	38
PID 2964 wrote to memory of 2860	2964	{4A463279-F90F-4a6c-A687-123D6F94AC8C}.exe	39
PID 2964 wrote to memory of 2860	2964	{4A463279-F90F-4a6c-A687-123D6F94AC8C}.exe	39
PID 2964 wrote to memory of 2860	2964	{4A463279-F90F-4a6c-A687-123D6F94AC8C}.exe	39
PID 2964 wrote to memory of 2860	2964	{4A463279-F90F-4a6c-A687-123D6F94AC8C}.exe	39
PID 2824 wrote to memory of 1960	2824	{D4D8481D-EB9B-4fe8-86F9-4DF7B1CDB317}.exe	40
PID 2824 wrote to memory of 1960	2824	{D4D8481D-EB9B-4fe8-86F9-4DF7B1CDB317}.exe	40
PID 2824 wrote to memory of 1960	2824	{D4D8481D-EB9B-4fe8-86F9-4DF7B1CDB317}.exe	40
PID 2824 wrote to memory of 1960	2824	{D4D8481D-EB9B-4fe8-86F9-4DF7B1CDB317}.exe	40
PID 2824 wrote to memory of 1972	2824	{D4D8481D-EB9B-4fe8-86F9-4DF7B1CDB317}.exe	41
PID 2824 wrote to memory of 1972	2824	{D4D8481D-EB9B-4fe8-86F9-4DF7B1CDB317}.exe	41
PID 2824 wrote to memory of 1972	2824	{D4D8481D-EB9B-4fe8-86F9-4DF7B1CDB317}.exe	41
PID 2824 wrote to memory of 1972	2824	{D4D8481D-EB9B-4fe8-86F9-4DF7B1CDB317}.exe	41
PID 1960 wrote to memory of 1992	1960	{E9E51038-0E86-417d-95F4-2E5ACB437271}.exe	42
PID 1960 wrote to memory of 1992	1960	{E9E51038-0E86-417d-95F4-2E5ACB437271}.exe	42
PID 1960 wrote to memory of 1992	1960	{E9E51038-0E86-417d-95F4-2E5ACB437271}.exe	42
PID 1960 wrote to memory of 1992	1960	{E9E51038-0E86-417d-95F4-2E5ACB437271}.exe	42
PID 1960 wrote to memory of 1604	1960	{E9E51038-0E86-417d-95F4-2E5ACB437271}.exe	43
PID 1960 wrote to memory of 1604	1960	{E9E51038-0E86-417d-95F4-2E5ACB437271}.exe	43
PID 1960 wrote to memory of 1604	1960	{E9E51038-0E86-417d-95F4-2E5ACB437271}.exe	43
PID 1960 wrote to memory of 1604	1960	{E9E51038-0E86-417d-95F4-2E5ACB437271}.exe	43
PID 1992 wrote to memory of 1924	1992	{1B4B487E-A515-48da-BF1A-23645AB113B3}.exe	44
PID 1992 wrote to memory of 1924	1992	{1B4B487E-A515-48da-BF1A-23645AB113B3}.exe	44
PID 1992 wrote to memory of 1924	1992	{1B4B487E-A515-48da-BF1A-23645AB113B3}.exe	44
PID 1992 wrote to memory of 1924	1992	{1B4B487E-A515-48da-BF1A-23645AB113B3}.exe	44
PID 1992 wrote to memory of 1504	1992	{1B4B487E-A515-48da-BF1A-23645AB113B3}.exe	45
PID 1992 wrote to memory of 1504	1992	{1B4B487E-A515-48da-BF1A-23645AB113B3}.exe	45
PID 1992 wrote to memory of 1504	1992	{1B4B487E-A515-48da-BF1A-23645AB113B3}.exe	45
PID 1992 wrote to memory of 1504	1992	{1B4B487E-A515-48da-BF1A-23645AB113B3}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-05-25_9bd667e4dc9abc0e504646ec46b23c21_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-25_9bd667e4dc9abc0e504646ec46b23c21_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1916
- C:\Windows\{1C2720E9-9FBA-420e-B48B-8F4AD155799E}.exe
  C:\Windows\{1C2720E9-9FBA-420e-B48B-8F4AD155799E}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2000
- - C:\Windows\{5B6F50C9-9A51-4074-BCC5-F89DE956C285}.exe
    C:\Windows\{5B6F50C9-9A51-4074-BCC5-F89DE956C285}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2892
  - - C:\Windows\{F1A8059A-FEC1-463e-8A2A-05221C85CA80}.exe
      C:\Windows\{F1A8059A-FEC1-463e-8A2A-05221C85CA80}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2264
    - - C:\Windows\{4A463279-F90F-4a6c-A687-123D6F94AC8C}.exe
        
        C:\Windows\{4A463279-F90F-4a6c-A687-123D6F94AC8C}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2964
      - C:\Windows\{D4D8481D-EB9B-4fe8-86F9-4DF7B1CDB317}.exe
        
        C:\Windows\{D4D8481D-EB9B-4fe8-86F9-4DF7B1CDB317}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2824
        
        C:\Windows\{E9E51038-0E86-417d-95F4-2E5ACB437271}.exe
        
        C:\Windows\{E9E51038-0E86-417d-95F4-2E5ACB437271}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1960
        
        C:\Windows\{1B4B487E-A515-48da-BF1A-23645AB113B3}.exe
        
        C:\Windows\{1B4B487E-A515-48da-BF1A-23645AB113B3}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1992
        
        C:\Windows\{E44D023E-B04B-4079-A02C-9399DB1DAEA1}.exe
        
        C:\Windows\{E44D023E-B04B-4079-A02C-9399DB1DAEA1}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1924
        
        C:\Windows\{9D6AE265-536B-4ba8-BB92-3ED306D46CAD}.exe
        
        C:\Windows\{9D6AE265-536B-4ba8-BB92-3ED306D46CAD}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1800
        
        C:\Windows\{8A34FE56-A914-4784-8136-F27AF74CA06D}.exe
        
        C:\Windows\{8A34FE56-A914-4784-8136-F27AF74CA06D}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2484
        
        C:\Windows\{3AF3AFE6-E63C-4b79-8CE5-34F88E1BC59F}.exe
        
        C:\Windows\{3AF3AFE6-E63C-4b79-8CE5-34F88E1BC59F}.exe
        12⤵
        Executes dropped EXE
        
        PID:1468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8A34F~1.EXE > nul
        12⤵
        
        PID:1096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9D6AE~1.EXE > nul
        11⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E44D0~1.EXE > nul
        10⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1B4B4~1.EXE > nul
        9⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E9E51~1.EXE > nul
        8⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D4D84~1.EXE > nul
        7⤵
        
        PID:1972
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4A463~1.EXE > nul
        6⤵
        
        PID:2860
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F1A80~1.EXE > nul
        5⤵
        
        PID:1640
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{5B6F5~1.EXE > nul
      4⤵
      PID:2768
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{1C272~1.EXE > nul
    3⤵
    PID:2628
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1B4B487E-A515-48da-BF1A-23645AB113B3}.exe

Filesize
180KB

MD5
b554c82a8e6a5441f2b2a53be7f56574

SHA1
2c5852d0c02ea66846469baf2ef12b4aeaf0ab46

SHA256
800327a1a3519ad30ffbf703bd84108f082f968a833a67586d3c2c6e9cb05e0e

SHA512
165a1eeb1c15342768d45eda81afea0296c5d749b0363d083fca62407a9200f98217a4ca19e23b7e5ae36f2ec879928c61d75a4323f0e9f0de41a1a4a42a3c57

Download Submit
C:\Windows\{1C2720E9-9FBA-420e-B48B-8F4AD155799E}.exe

Filesize
180KB

MD5
bb6b73247363d1ec74abc983f5274af9

SHA1
c571c3caec61feb735f08efb022b89890b89df3b

SHA256
428f1c51b26daec5ff705f852358adc560667d89a0d0076818704f2500dc1ac2

SHA512
86522352574d9dfbc34af65c1fb013430931c18d08eb7d6aee4541e0e7469052222179b6e205640fd40ee7892632698363f7809b2305ff9c86f1e8be226d7e98

Download Submit
C:\Windows\{3AF3AFE6-E63C-4b79-8CE5-34F88E1BC59F}.exe

Filesize
180KB

MD5
7518f3fb9e6a21c6bcd9f613f7e79956

SHA1
4e8a13c5690d84fb4e571ea9d59cbca41480ad23

SHA256
797725095f5624cb95cfb5443d1d90d1e66a91237605e72cbc40fade1b5c124a

SHA512
0f12aa0045c8b0dd303165bcd8a4c9569ccc240aa21ac88f2a951698d8fd603ae2ee16563fec2162857b24476daa7277bbfa83713b8e102eb15a6962c4f4e674

Download Submit
C:\Windows\{4A463279-F90F-4a6c-A687-123D6F94AC8C}.exe

Filesize
180KB

MD5
cabc735823a26f771161b031539faf22

SHA1
501ae9e9ee236567518123daf81d6865215719af

SHA256
b2bde4f42e77842e757508dbf7f0a4a56f1a788f5c9d7441a2e579bb028f7848

SHA512
7bfb3c07b91db95532351336e42679de18703eb3c0a4e087c11d70df27e24d7109d45282640ceaed718ceba31d9e3adebb032b854d0f19c6012fc4ec571e974b

Download Submit
C:\Windows\{5B6F50C9-9A51-4074-BCC5-F89DE956C285}.exe

Filesize
180KB

MD5
1e8741bbc46f7f2a4b749e206e376416

SHA1
d00c7f0bed0650264eea2a21cf25dc1169938a4f

SHA256
99b47994f91af6ccf89e43be284276272550c4d18d9357ff51f5059ad5a4c109

SHA512
6b80f86e833d142a65239fa7262e6bcdc73c4c9b58cb8e09da42a80a25c6bcf10a41795f4d1c46ebadbca3a4ba67d2cc79b37afce8ab5e853b4f7b3313bc2612

Download Submit
C:\Windows\{8A34FE56-A914-4784-8136-F27AF74CA06D}.exe

Filesize
180KB

MD5
09f0becd48fce5c32cbe3a047d4f3d2a

SHA1
cdf57d70c288554ea03265034b1e1afdf5c273d0

SHA256
04dc7f0f14793de3d1e365510d5d53ceda0f4c7b2f8c9ee1768f918ec8ed623e

SHA512
d61070f5bce059abae370e99e73a38073c4d2eb9856cb56cfcd833a3a1839e29144b56446b9efe731406892eac1e7bed10900c1536870a5dcade1405c19f1a1d

Download Submit
C:\Windows\{9D6AE265-536B-4ba8-BB92-3ED306D46CAD}.exe

Filesize
180KB

MD5
6208ff8ca4c2f1e6c358de417e1d7d16

SHA1
ce9dbec9f3ca8ca8dd147345f40b9e37c7733321

SHA256
114b01a04b7bd68d30af5b76c6943321d85348787274595f804d4de0bfed0cfc

SHA512
5baf58704b78919eb51e2f969cbee7dc0200bd65ff9fa263fe041a8c45d8e6457d5763b7247b6051e6a017baf0c019bb8a320d98f066aca39b3fd506d0cfc3f8

Download Submit
C:\Windows\{D4D8481D-EB9B-4fe8-86F9-4DF7B1CDB317}.exe

Filesize
180KB

MD5
c4e2a1fa087fce1152bd1fb8e2569c5e

SHA1
f8acab1fe9b7d9afdb52d769082b40f326b713d8

SHA256
f89e82138fe50935b275263c3e171b7ad0c5b854bf2f4b5989ea40942f4f3a17

SHA512
d91539a8a961a620439f9b862318b174f70daefb7e5e9e228b38167db227c3d80f13a2b872352fc7ffc3a6c6fc0f407eab6b9d7414d7799a8d23b52cdb2c178a

Download Submit
C:\Windows\{E44D023E-B04B-4079-A02C-9399DB1DAEA1}.exe

Filesize
180KB

MD5
c53c935fc4cd1ce72774199da227cf4b

SHA1
116472dcfe0bd9ca24e3048eaebe57d0ecec0900

SHA256
8b7b098986e401e9e9816611540c32172780853d6bb55854e90a122f66c15aa2

SHA512
71fdd7fd9c1331c8801ed7051c34c7474bc0e85864e829c00e0210c7777c9fe669be05b7fdae7b3ffe46441140ba78fca5523439f2786a173d1ad1bbe8fc1a8a

Download Submit
C:\Windows\{E9E51038-0E86-417d-95F4-2E5ACB437271}.exe

Filesize
180KB

MD5
8a10272b8a3a2af725ab42adc3b84099

SHA1
d0179001188f60829a4eb2fec5cbd4d2eae2b260

SHA256
c16f07368c80c4fa40afb75eeb551a4804e857b77509346ea1057c7804ada706

SHA512
5045f65005e00a85bfa1d8444a517fb90712d5ff9c661ff656c9c696190b77c8dc8c3aea609735ac900f810f5c9a0916f1dec0b8b73f7726adf99091ac2c0008

Download Submit
C:\Windows\{F1A8059A-FEC1-463e-8A2A-05221C85CA80}.exe

Filesize
180KB

MD5
593a30366a264d1576723ebd27aaf885

SHA1
892c36091a1ac8e9b7e1194021de1a2dfc07aac9

SHA256
e65c5944e91f19746b308d3bbcea0fcb14860a0534aca4d7981f9df57bf4fa8d

SHA512
671a2c1b6457f7c1ad884b0c9031a747edc08130dd2347b503deef0cb6545e7dd73ca3d4cfe40be9afbab5826d195d7d4bb186e82d66564baa0eb321b2a280c9

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads