05b072ab68744bb0a57a8d7b5218d9bebbdd298b12886d84dd43bc3273743b8a

Analysis

max time kernel
144s
max time network
119s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
26-05-2024 06:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-26_d04bce6636aa4300613ef5535624baa8_goldeneye.exe
Size

344KB
MD5

d04bce6636aa4300613ef5535624baa8
SHA1

d3321a829d8bd2f44e983e9d8b4f4d5e7c8c27a2
SHA256

05b072ab68744bb0a57a8d7b5218d9bebbdd298b12886d84dd43bc3273743b8a
SHA512

3054af43181b0b8c929eed5dfdfb07425b0f26c445b4e33d1165a4f957b494188de1602b2255cb2416ea7dcdc15cadbcf0642ef5fc97fad2d701840dc4056d28
SSDEEP

3072:mEGh0ovlEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGNlqOe2MUVg3v2IneKcAEcA

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000b000000013413-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0033000000013a3a-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000013413-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0032000000013a46-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000013413-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e000000013413-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f000000013413-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BBAFDC47-CBF5-4058-A376-1A183E50CD53}	{2099D899-1185-4d60-9E6E-48A277BDD325}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5EE52A6A-0770-4782-A03B-7DBB5837A5EA}\stubpath = "C:\\Windows\\{5EE52A6A-0770-4782-A03B-7DBB5837A5EA}.exe"	{BBAFDC47-CBF5-4058-A376-1A183E50CD53}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{09F15602-D171-4f38-8256-D2DED2772ED5}\stubpath = "C:\\Windows\\{09F15602-D171-4f38-8256-D2DED2772ED5}.exe"	{4BAB74C9-ECBD-4c5e-BA90-9E3B02820F80}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9720A731-9A18-48b3-8898-9B7108C002AA}	{09F15602-D171-4f38-8256-D2DED2772ED5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9720A731-9A18-48b3-8898-9B7108C002AA}\stubpath = "C:\\Windows\\{9720A731-9A18-48b3-8898-9B7108C002AA}.exe"	{09F15602-D171-4f38-8256-D2DED2772ED5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F5254E86-C4A2-4b7c-94F2-3F86A81BEE1F}\stubpath = "C:\\Windows\\{F5254E86-C4A2-4b7c-94F2-3F86A81BEE1F}.exe"	{810B78FA-7C42-474d-8574-E6A68177F123}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{19E1CAF2-90A9-4b8b-BCFC-133C1A7DC2CA}	{703FD438-03F4-41c3-8C87-4615481AA90E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2099D899-1185-4d60-9E6E-48A277BDD325}	{19E1CAF2-90A9-4b8b-BCFC-133C1A7DC2CA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2099D899-1185-4d60-9E6E-48A277BDD325}\stubpath = "C:\\Windows\\{2099D899-1185-4d60-9E6E-48A277BDD325}.exe"	{19E1CAF2-90A9-4b8b-BCFC-133C1A7DC2CA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BBAFDC47-CBF5-4058-A376-1A183E50CD53}\stubpath = "C:\\Windows\\{BBAFDC47-CBF5-4058-A376-1A183E50CD53}.exe"	{2099D899-1185-4d60-9E6E-48A277BDD325}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F5254E86-C4A2-4b7c-94F2-3F86A81BEE1F}	{810B78FA-7C42-474d-8574-E6A68177F123}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{19E1CAF2-90A9-4b8b-BCFC-133C1A7DC2CA}\stubpath = "C:\\Windows\\{19E1CAF2-90A9-4b8b-BCFC-133C1A7DC2CA}.exe"	{703FD438-03F4-41c3-8C87-4615481AA90E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5EE52A6A-0770-4782-A03B-7DBB5837A5EA}	{BBAFDC47-CBF5-4058-A376-1A183E50CD53}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DFEB94F6-60C7-4f9d-83AF-D2AEF51356F0}\stubpath = "C:\\Windows\\{DFEB94F6-60C7-4f9d-83AF-D2AEF51356F0}.exe"	{5EE52A6A-0770-4782-A03B-7DBB5837A5EA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4BAB74C9-ECBD-4c5e-BA90-9E3B02820F80}	{DFEB94F6-60C7-4f9d-83AF-D2AEF51356F0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4BAB74C9-ECBD-4c5e-BA90-9E3B02820F80}\stubpath = "C:\\Windows\\{4BAB74C9-ECBD-4c5e-BA90-9E3B02820F80}.exe"	{DFEB94F6-60C7-4f9d-83AF-D2AEF51356F0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{09F15602-D171-4f38-8256-D2DED2772ED5}	{4BAB74C9-ECBD-4c5e-BA90-9E3B02820F80}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{810B78FA-7C42-474d-8574-E6A68177F123}	2024-05-26_d04bce6636aa4300613ef5535624baa8_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{810B78FA-7C42-474d-8574-E6A68177F123}\stubpath = "C:\\Windows\\{810B78FA-7C42-474d-8574-E6A68177F123}.exe"	2024-05-26_d04bce6636aa4300613ef5535624baa8_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{703FD438-03F4-41c3-8C87-4615481AA90E}	{F5254E86-C4A2-4b7c-94F2-3F86A81BEE1F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{703FD438-03F4-41c3-8C87-4615481AA90E}\stubpath = "C:\\Windows\\{703FD438-03F4-41c3-8C87-4615481AA90E}.exe"	{F5254E86-C4A2-4b7c-94F2-3F86A81BEE1F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DFEB94F6-60C7-4f9d-83AF-D2AEF51356F0}	{5EE52A6A-0770-4782-A03B-7DBB5837A5EA}.exe

Deletes itself 1 IoCs

pid	Process
2628	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2952	{810B78FA-7C42-474d-8574-E6A68177F123}.exe
2660	{F5254E86-C4A2-4b7c-94F2-3F86A81BEE1F}.exe
2708	{703FD438-03F4-41c3-8C87-4615481AA90E}.exe
3012	{19E1CAF2-90A9-4b8b-BCFC-133C1A7DC2CA}.exe
2776	{2099D899-1185-4d60-9E6E-48A277BDD325}.exe
1856	{BBAFDC47-CBF5-4058-A376-1A183E50CD53}.exe
2160	{5EE52A6A-0770-4782-A03B-7DBB5837A5EA}.exe
1676	{DFEB94F6-60C7-4f9d-83AF-D2AEF51356F0}.exe
2060	{4BAB74C9-ECBD-4c5e-BA90-9E3B02820F80}.exe
2392	{09F15602-D171-4f38-8256-D2DED2772ED5}.exe
688	{9720A731-9A18-48b3-8898-9B7108C002AA}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{BBAFDC47-CBF5-4058-A376-1A183E50CD53}.exe	{2099D899-1185-4d60-9E6E-48A277BDD325}.exe
File created	C:\Windows\{4BAB74C9-ECBD-4c5e-BA90-9E3B02820F80}.exe	{DFEB94F6-60C7-4f9d-83AF-D2AEF51356F0}.exe
File created	C:\Windows\{09F15602-D171-4f38-8256-D2DED2772ED5}.exe	{4BAB74C9-ECBD-4c5e-BA90-9E3B02820F80}.exe
File created	C:\Windows\{9720A731-9A18-48b3-8898-9B7108C002AA}.exe	{09F15602-D171-4f38-8256-D2DED2772ED5}.exe
File created	C:\Windows\{F5254E86-C4A2-4b7c-94F2-3F86A81BEE1F}.exe	{810B78FA-7C42-474d-8574-E6A68177F123}.exe
File created	C:\Windows\{703FD438-03F4-41c3-8C87-4615481AA90E}.exe	{F5254E86-C4A2-4b7c-94F2-3F86A81BEE1F}.exe
File created	C:\Windows\{19E1CAF2-90A9-4b8b-BCFC-133C1A7DC2CA}.exe	{703FD438-03F4-41c3-8C87-4615481AA90E}.exe
File created	C:\Windows\{2099D899-1185-4d60-9E6E-48A277BDD325}.exe	{19E1CAF2-90A9-4b8b-BCFC-133C1A7DC2CA}.exe
File created	C:\Windows\{810B78FA-7C42-474d-8574-E6A68177F123}.exe	2024-05-26_d04bce6636aa4300613ef5535624baa8_goldeneye.exe
File created	C:\Windows\{5EE52A6A-0770-4782-A03B-7DBB5837A5EA}.exe	{BBAFDC47-CBF5-4058-A376-1A183E50CD53}.exe
File created	C:\Windows\{DFEB94F6-60C7-4f9d-83AF-D2AEF51356F0}.exe	{5EE52A6A-0770-4782-A03B-7DBB5837A5EA}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1940	2024-05-26_d04bce6636aa4300613ef5535624baa8_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2952	{810B78FA-7C42-474d-8574-E6A68177F123}.exe
Token: SeIncBasePriorityPrivilege	2660	{F5254E86-C4A2-4b7c-94F2-3F86A81BEE1F}.exe
Token: SeIncBasePriorityPrivilege	2708	{703FD438-03F4-41c3-8C87-4615481AA90E}.exe
Token: SeIncBasePriorityPrivilege	3012	{19E1CAF2-90A9-4b8b-BCFC-133C1A7DC2CA}.exe
Token: SeIncBasePriorityPrivilege	2776	{2099D899-1185-4d60-9E6E-48A277BDD325}.exe
Token: SeIncBasePriorityPrivilege	1856	{BBAFDC47-CBF5-4058-A376-1A183E50CD53}.exe
Token: SeIncBasePriorityPrivilege	2160	{5EE52A6A-0770-4782-A03B-7DBB5837A5EA}.exe
Token: SeIncBasePriorityPrivilege	1676	{DFEB94F6-60C7-4f9d-83AF-D2AEF51356F0}.exe
Token: SeIncBasePriorityPrivilege	2060	{4BAB74C9-ECBD-4c5e-BA90-9E3B02820F80}.exe
Token: SeIncBasePriorityPrivilege	2392	{09F15602-D171-4f38-8256-D2DED2772ED5}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1940 wrote to memory of 2952	1940	2024-05-26_d04bce6636aa4300613ef5535624baa8_goldeneye.exe	28
PID 1940 wrote to memory of 2952	1940	2024-05-26_d04bce6636aa4300613ef5535624baa8_goldeneye.exe	28
PID 1940 wrote to memory of 2952	1940	2024-05-26_d04bce6636aa4300613ef5535624baa8_goldeneye.exe	28
PID 1940 wrote to memory of 2952	1940	2024-05-26_d04bce6636aa4300613ef5535624baa8_goldeneye.exe	28
PID 1940 wrote to memory of 2628	1940	2024-05-26_d04bce6636aa4300613ef5535624baa8_goldeneye.exe	29
PID 1940 wrote to memory of 2628	1940	2024-05-26_d04bce6636aa4300613ef5535624baa8_goldeneye.exe	29
PID 1940 wrote to memory of 2628	1940	2024-05-26_d04bce6636aa4300613ef5535624baa8_goldeneye.exe	29
PID 1940 wrote to memory of 2628	1940	2024-05-26_d04bce6636aa4300613ef5535624baa8_goldeneye.exe	29
PID 2952 wrote to memory of 2660	2952	{810B78FA-7C42-474d-8574-E6A68177F123}.exe	30
PID 2952 wrote to memory of 2660	2952	{810B78FA-7C42-474d-8574-E6A68177F123}.exe	30
PID 2952 wrote to memory of 2660	2952	{810B78FA-7C42-474d-8574-E6A68177F123}.exe	30
PID 2952 wrote to memory of 2660	2952	{810B78FA-7C42-474d-8574-E6A68177F123}.exe	30
PID 2952 wrote to memory of 2600	2952	{810B78FA-7C42-474d-8574-E6A68177F123}.exe	31
PID 2952 wrote to memory of 2600	2952	{810B78FA-7C42-474d-8574-E6A68177F123}.exe	31
PID 2952 wrote to memory of 2600	2952	{810B78FA-7C42-474d-8574-E6A68177F123}.exe	31
PID 2952 wrote to memory of 2600	2952	{810B78FA-7C42-474d-8574-E6A68177F123}.exe	31
PID 2660 wrote to memory of 2708	2660	{F5254E86-C4A2-4b7c-94F2-3F86A81BEE1F}.exe	32
PID 2660 wrote to memory of 2708	2660	{F5254E86-C4A2-4b7c-94F2-3F86A81BEE1F}.exe	32
PID 2660 wrote to memory of 2708	2660	{F5254E86-C4A2-4b7c-94F2-3F86A81BEE1F}.exe	32
PID 2660 wrote to memory of 2708	2660	{F5254E86-C4A2-4b7c-94F2-3F86A81BEE1F}.exe	32
PID 2660 wrote to memory of 2472	2660	{F5254E86-C4A2-4b7c-94F2-3F86A81BEE1F}.exe	33
PID 2660 wrote to memory of 2472	2660	{F5254E86-C4A2-4b7c-94F2-3F86A81BEE1F}.exe	33
PID 2660 wrote to memory of 2472	2660	{F5254E86-C4A2-4b7c-94F2-3F86A81BEE1F}.exe	33
PID 2660 wrote to memory of 2472	2660	{F5254E86-C4A2-4b7c-94F2-3F86A81BEE1F}.exe	33
PID 2708 wrote to memory of 3012	2708	{703FD438-03F4-41c3-8C87-4615481AA90E}.exe	36
PID 2708 wrote to memory of 3012	2708	{703FD438-03F4-41c3-8C87-4615481AA90E}.exe	36
PID 2708 wrote to memory of 3012	2708	{703FD438-03F4-41c3-8C87-4615481AA90E}.exe	36
PID 2708 wrote to memory of 3012	2708	{703FD438-03F4-41c3-8C87-4615481AA90E}.exe	36
PID 2708 wrote to memory of 2108	2708	{703FD438-03F4-41c3-8C87-4615481AA90E}.exe	37
PID 2708 wrote to memory of 2108	2708	{703FD438-03F4-41c3-8C87-4615481AA90E}.exe	37
PID 2708 wrote to memory of 2108	2708	{703FD438-03F4-41c3-8C87-4615481AA90E}.exe	37
PID 2708 wrote to memory of 2108	2708	{703FD438-03F4-41c3-8C87-4615481AA90E}.exe	37
PID 3012 wrote to memory of 2776	3012	{19E1CAF2-90A9-4b8b-BCFC-133C1A7DC2CA}.exe	38
PID 3012 wrote to memory of 2776	3012	{19E1CAF2-90A9-4b8b-BCFC-133C1A7DC2CA}.exe	38
PID 3012 wrote to memory of 2776	3012	{19E1CAF2-90A9-4b8b-BCFC-133C1A7DC2CA}.exe	38
PID 3012 wrote to memory of 2776	3012	{19E1CAF2-90A9-4b8b-BCFC-133C1A7DC2CA}.exe	38
PID 3012 wrote to memory of 2764	3012	{19E1CAF2-90A9-4b8b-BCFC-133C1A7DC2CA}.exe	39
PID 3012 wrote to memory of 2764	3012	{19E1CAF2-90A9-4b8b-BCFC-133C1A7DC2CA}.exe	39
PID 3012 wrote to memory of 2764	3012	{19E1CAF2-90A9-4b8b-BCFC-133C1A7DC2CA}.exe	39
PID 3012 wrote to memory of 2764	3012	{19E1CAF2-90A9-4b8b-BCFC-133C1A7DC2CA}.exe	39
PID 2776 wrote to memory of 1856	2776	{2099D899-1185-4d60-9E6E-48A277BDD325}.exe	40
PID 2776 wrote to memory of 1856	2776	{2099D899-1185-4d60-9E6E-48A277BDD325}.exe	40
PID 2776 wrote to memory of 1856	2776	{2099D899-1185-4d60-9E6E-48A277BDD325}.exe	40
PID 2776 wrote to memory of 1856	2776	{2099D899-1185-4d60-9E6E-48A277BDD325}.exe	40
PID 2776 wrote to memory of 1428	2776	{2099D899-1185-4d60-9E6E-48A277BDD325}.exe	41
PID 2776 wrote to memory of 1428	2776	{2099D899-1185-4d60-9E6E-48A277BDD325}.exe	41
PID 2776 wrote to memory of 1428	2776	{2099D899-1185-4d60-9E6E-48A277BDD325}.exe	41
PID 2776 wrote to memory of 1428	2776	{2099D899-1185-4d60-9E6E-48A277BDD325}.exe	41
PID 1856 wrote to memory of 2160	1856	{BBAFDC47-CBF5-4058-A376-1A183E50CD53}.exe	42
PID 1856 wrote to memory of 2160	1856	{BBAFDC47-CBF5-4058-A376-1A183E50CD53}.exe	42
PID 1856 wrote to memory of 2160	1856	{BBAFDC47-CBF5-4058-A376-1A183E50CD53}.exe	42
PID 1856 wrote to memory of 2160	1856	{BBAFDC47-CBF5-4058-A376-1A183E50CD53}.exe	42
PID 1856 wrote to memory of 2360	1856	{BBAFDC47-CBF5-4058-A376-1A183E50CD53}.exe	43
PID 1856 wrote to memory of 2360	1856	{BBAFDC47-CBF5-4058-A376-1A183E50CD53}.exe	43
PID 1856 wrote to memory of 2360	1856	{BBAFDC47-CBF5-4058-A376-1A183E50CD53}.exe	43
PID 1856 wrote to memory of 2360	1856	{BBAFDC47-CBF5-4058-A376-1A183E50CD53}.exe	43
PID 2160 wrote to memory of 1676	2160	{5EE52A6A-0770-4782-A03B-7DBB5837A5EA}.exe	44
PID 2160 wrote to memory of 1676	2160	{5EE52A6A-0770-4782-A03B-7DBB5837A5EA}.exe	44
PID 2160 wrote to memory of 1676	2160	{5EE52A6A-0770-4782-A03B-7DBB5837A5EA}.exe	44
PID 2160 wrote to memory of 1676	2160	{5EE52A6A-0770-4782-A03B-7DBB5837A5EA}.exe	44
PID 2160 wrote to memory of 2200	2160	{5EE52A6A-0770-4782-A03B-7DBB5837A5EA}.exe	45
PID 2160 wrote to memory of 2200	2160	{5EE52A6A-0770-4782-A03B-7DBB5837A5EA}.exe	45
PID 2160 wrote to memory of 2200	2160	{5EE52A6A-0770-4782-A03B-7DBB5837A5EA}.exe	45
PID 2160 wrote to memory of 2200	2160	{5EE52A6A-0770-4782-A03B-7DBB5837A5EA}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-05-26_d04bce6636aa4300613ef5535624baa8_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-26_d04bce6636aa4300613ef5535624baa8_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1940
- C:\Windows\{810B78FA-7C42-474d-8574-E6A68177F123}.exe
  C:\Windows\{810B78FA-7C42-474d-8574-E6A68177F123}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2952
- - C:\Windows\{F5254E86-C4A2-4b7c-94F2-3F86A81BEE1F}.exe
    C:\Windows\{F5254E86-C4A2-4b7c-94F2-3F86A81BEE1F}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2660
  - - C:\Windows\{703FD438-03F4-41c3-8C87-4615481AA90E}.exe
      C:\Windows\{703FD438-03F4-41c3-8C87-4615481AA90E}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2708
    - - C:\Windows\{19E1CAF2-90A9-4b8b-BCFC-133C1A7DC2CA}.exe
        
        C:\Windows\{19E1CAF2-90A9-4b8b-BCFC-133C1A7DC2CA}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3012
      - C:\Windows\{2099D899-1185-4d60-9E6E-48A277BDD325}.exe
        
        C:\Windows\{2099D899-1185-4d60-9E6E-48A277BDD325}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2776
        
        C:\Windows\{BBAFDC47-CBF5-4058-A376-1A183E50CD53}.exe
        
        C:\Windows\{BBAFDC47-CBF5-4058-A376-1A183E50CD53}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1856
        
        C:\Windows\{5EE52A6A-0770-4782-A03B-7DBB5837A5EA}.exe
        
        C:\Windows\{5EE52A6A-0770-4782-A03B-7DBB5837A5EA}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2160
        
        C:\Windows\{DFEB94F6-60C7-4f9d-83AF-D2AEF51356F0}.exe
        
        C:\Windows\{DFEB94F6-60C7-4f9d-83AF-D2AEF51356F0}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1676
        
        C:\Windows\{4BAB74C9-ECBD-4c5e-BA90-9E3B02820F80}.exe
        
        C:\Windows\{4BAB74C9-ECBD-4c5e-BA90-9E3B02820F80}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2060
        
        C:\Windows\{09F15602-D171-4f38-8256-D2DED2772ED5}.exe
        
        C:\Windows\{09F15602-D171-4f38-8256-D2DED2772ED5}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2392
        
        C:\Windows\{9720A731-9A18-48b3-8898-9B7108C002AA}.exe
        
        C:\Windows\{9720A731-9A18-48b3-8898-9B7108C002AA}.exe
        12⤵
        Executes dropped EXE
        
        PID:688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{09F15~1.EXE > nul
        12⤵
        
        PID:636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4BAB7~1.EXE > nul
        11⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DFEB9~1.EXE > nul
        10⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5EE52~1.EXE > nul
        9⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BBAFD~1.EXE > nul
        8⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2099D~1.EXE > nul
        7⤵
        
        PID:1428
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{19E1C~1.EXE > nul
        6⤵
        
        PID:2764
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{703FD~1.EXE > nul
        5⤵
        
        PID:2108
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{F5254~1.EXE > nul
      4⤵
      PID:2472
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{810B7~1.EXE > nul
    3⤵
    PID:2600
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{09F15602-D171-4f38-8256-D2DED2772ED5}.exe

Filesize
344KB

MD5
e13b0f689720e4a5aed8dbb36aa686de

SHA1
b69aec93d50b89e066c5521ee2876aeed2fda067

SHA256
add00cba2a5ae8a8eb6bab774e1986ac19aa28ee3e181069ae77594fd061429a

SHA512
72d2e1367a7626f43377691ca4d2e94dbbc7e0e972ab50711624d7f09ae106750bbdedcd5ad034ebb9d900b571e8565ee1e69b806aee9e44187603080652013d

Download Submit
C:\Windows\{19E1CAF2-90A9-4b8b-BCFC-133C1A7DC2CA}.exe

Filesize
344KB

MD5
e42006cf17be9faf1cf57aadf3994466

SHA1
a26003218f7f4a671c447b7759b353305d9e76f7

SHA256
0b06c29897a78ac3bb357998cd37d3ec0f030ae99946d13a377da142a1743310

SHA512
cb725555ac581d20237eac401481f4bd03acbd02aa4c83deaa6aaaae095a7fab09fd948e29d9e8a9e49f00bb283892d739194fb1593d85aee7ab42148610f6a3

Download Submit
C:\Windows\{2099D899-1185-4d60-9E6E-48A277BDD325}.exe

Filesize
344KB

MD5
94603f9adf2cf7f97df0f4b6be63878f

SHA1
73224a60ad677a40bc2f56e66d33819b5a26240e

SHA256
203de6a8a7bd1de5a174477bfbcd4d519918bea18ea25cdbf2e532d2adf082a0

SHA512
8e031d6721b21691970c1e2871bbb32cc02dcfb3b4bbaa69012e9c60be47a85cf8cd680ec2e6b06b7a34d0f11b232eab88814d9113ba3a9ef0f3f4b55ab34c5a

Download Submit
C:\Windows\{4BAB74C9-ECBD-4c5e-BA90-9E3B02820F80}.exe

Filesize
344KB

MD5
591f17bfc0120d4ec59dcd980706c76e

SHA1
493ab737d45049ffa632905c99e1d6d2aff6a96f

SHA256
4c416b44b47a303eadbe80562cab53ed9c464edaf0e02c77d8eb8d6c6d5d2977

SHA512
8fcae4ea0c124d3979c4c4d00ca61d4ff6fc02f6dce87d8e72fbb0aa79f1ce0435b4d08ca21bc404ff33671460da64b69cb2ecb6ec69851b8c8a85c7f040a536

Download Submit
C:\Windows\{5EE52A6A-0770-4782-A03B-7DBB5837A5EA}.exe

Filesize
344KB

MD5
d311d84168289fbf65dd7f08d5ccb5f8

SHA1
44f0de617db364aa98f61b5299f4bac70a014edd

SHA256
832e6f5c0c39f1280b5b414ef7d84e51296447585e134289bb0988214a3b002f

SHA512
041ae86c2fd5a4881fa039e7b9c2ef132ab70b786fd6e193a4e1ac114fe91a3bf0282f3499cf845034efd10f2c07b5e164781a08895911ca055881cbdd732cec

Download Submit
C:\Windows\{703FD438-03F4-41c3-8C87-4615481AA90E}.exe

Filesize
344KB

MD5
3d5384beca932b4ca77ac6ac83222b7a

SHA1
877d671d9a560364cfe0ae56edeff828a88c7420

SHA256
22d33e362552d30ca9a91ecf1b86c15c1d26b92280abbb5513db1322f7fda88f

SHA512
e9a1a53b2a663d2f37c35d387cb8bd65d8c1491b78a9de9889b7354c48fd533c2b23be5db39803de5a5a216d9aa4d7361da6cbb21b67e362f049d1432619b3df

Download Submit
C:\Windows\{810B78FA-7C42-474d-8574-E6A68177F123}.exe

Filesize
344KB

MD5
155b1c985754f612387293df69e84450

SHA1
016c103d6487d8f1a3cd37f1bda4553ff6bcfc25

SHA256
8ea2e419f956b54a21dd33f0f9f71f962522dc82c8384273cb909592be114a15

SHA512
d8f1187e7a85ea11b113b848988afed46be55046354fa09a44e6ab7fe419cb247366dc346d88b0d355e3516aae70dd8f3f13d0483b43e663018c55eecbe65cdd

Download Submit
C:\Windows\{9720A731-9A18-48b3-8898-9B7108C002AA}.exe

Filesize
344KB

MD5
177112dc577c0f3938db55fed4415025

SHA1
870f95c65831d7844869e810db118b5a7d7306df

SHA256
0c810fd13b9a4ef4192e18ecd266e6993bb36193f08300a628ac296493fdc80a

SHA512
cd90041be2e20ddb33f1bdc25f9a4c8d453340bfba05caaf26e662f0c156eb184bf5d91793d31b43d19be9258ff367857d1ef06e024990828463157fa1b33717

Download Submit
C:\Windows\{BBAFDC47-CBF5-4058-A376-1A183E50CD53}.exe

Filesize
344KB

MD5
e9f21f2c59c455b9a8b880b0ad5cfd3f

SHA1
9054b4939e6170017de22bc92ee3dd8fd62caae4

SHA256
a1643c3fd8a3788913ad09ab00d4c6d9fbe1e51eddf973879e86d64350548b23

SHA512
46e44bb57f1a7ad6a81dd5e155dae93f955654e875bc74c606cee2899bcbcc698b6f90ad6d51c5e51e9feb93297b38096c72bb2d41a5b68c37bcbcc07f725cea

Download Submit
C:\Windows\{DFEB94F6-60C7-4f9d-83AF-D2AEF51356F0}.exe

Filesize
344KB

MD5
4f42ceb5231f33c48e1aef276546b8be

SHA1
44e208209390c0437a8848884831fccd9227cf20

SHA256
0ef5dea3e96ff9998a41907014052a9b8177cffa4d79f5702ed174d23705eabd

SHA512
c9659d8a1fac483c3f0b14798f52acc5ca4066bf1ea2b2421c9290172126ff02c96f5811bae8ce5273aa066a49d9a9ab6bc9d6af11367bf3eec1ffa650aabd98

Download Submit
C:\Windows\{F5254E86-C4A2-4b7c-94F2-3F86A81BEE1F}.exe

Filesize
344KB

MD5
204108d8d22d176db6072b23d7f21677

SHA1
5c61b97cbf8db0e793504c723a2ed99349bc0b72

SHA256
36e271ae5fa837603ed96b7cea7cf0aac4f14c94997c4f7d69ef52c4986e8610

SHA512
231c0c578eed79ee2745ba64c53b2c3cb1b46c8cb63c8e2672e76471dd3849297e1d79bb5034ed64fb21892b74ae20051f2d8ce6c030647532838144e8461aa8

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads