815e162576a1af21b4b0c98ac57e08daa8973343cc0dbeeeb0da3c0bbe3d1f47

Analysis

max time kernel
144s
max time network
119s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
27-05-2024 06:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-27_710e29806463078c8a0df7f12f4e433f_goldeneye.exe
Size

197KB
MD5

710e29806463078c8a0df7f12f4e433f
SHA1

4d50330b06b9f2b96894856dc4a0a44995708915
SHA256

815e162576a1af21b4b0c98ac57e08daa8973343cc0dbeeeb0da3c0bbe3d1f47
SHA512

7fb2783a036ba07fa975e30f25ea742d2e79546770ae423b20f2918da2f99049216095863fd17b28f0c36e36346d36fe78636966b92ae2a951c0a67e20413c20
SSDEEP

3072:jEGh0oxl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEG7lEeKcAEca

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x0009000000016a29-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000016ca5-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a000000016a29-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000016cb6-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000005a59-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b000000016a29-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000005a59-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000016a29-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000005a59-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000016a29-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000005a59-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A2D95F26-6E81-4f4c-AD04-F0D2F8D2C1D9}\stubpath = "C:\\Windows\\{A2D95F26-6E81-4f4c-AD04-F0D2F8D2C1D9}.exe"	2024-05-27_710e29806463078c8a0df7f12f4e433f_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6A75F304-5AD8-40cd-9D2E-A50A700BE1A5}	{939B33DE-D985-435f-856C-7D23BE3AED8E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{939B33DE-D985-435f-856C-7D23BE3AED8E}\stubpath = "C:\\Windows\\{939B33DE-D985-435f-856C-7D23BE3AED8E}.exe"	{DB4B9C32-F435-4f60-B026-4F0DEA27C273}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AADDE564-F662-4bee-BE29-C00C6AAB0767}	{6A75F304-5AD8-40cd-9D2E-A50A700BE1A5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{38137B4F-F93F-4461-ADCB-A50326FB1226}	{AADDE564-F662-4bee-BE29-C00C6AAB0767}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{38137B4F-F93F-4461-ADCB-A50326FB1226}\stubpath = "C:\\Windows\\{38137B4F-F93F-4461-ADCB-A50326FB1226}.exe"	{AADDE564-F662-4bee-BE29-C00C6AAB0767}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A8632453-F838-491d-86C2-FECB1791D7E1}	{38137B4F-F93F-4461-ADCB-A50326FB1226}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1B5D88A9-9A2A-469f-B9F5-D748665E0807}	{A0D369CD-D4A1-4680-AA96-4B8E960F3438}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DB4B9C32-F435-4f60-B026-4F0DEA27C273}\stubpath = "C:\\Windows\\{DB4B9C32-F435-4f60-B026-4F0DEA27C273}.exe"	{1B5D88A9-9A2A-469f-B9F5-D748665E0807}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{939B33DE-D985-435f-856C-7D23BE3AED8E}	{DB4B9C32-F435-4f60-B026-4F0DEA27C273}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1B5D88A9-9A2A-469f-B9F5-D748665E0807}\stubpath = "C:\\Windows\\{1B5D88A9-9A2A-469f-B9F5-D748665E0807}.exe"	{A0D369CD-D4A1-4680-AA96-4B8E960F3438}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AADDE564-F662-4bee-BE29-C00C6AAB0767}\stubpath = "C:\\Windows\\{AADDE564-F662-4bee-BE29-C00C6AAB0767}.exe"	{6A75F304-5AD8-40cd-9D2E-A50A700BE1A5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A8632453-F838-491d-86C2-FECB1791D7E1}\stubpath = "C:\\Windows\\{A8632453-F838-491d-86C2-FECB1791D7E1}.exe"	{38137B4F-F93F-4461-ADCB-A50326FB1226}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{92C2271D-4816-47c3-93C6-61FA9C8AA87C}	{A2D95F26-6E81-4f4c-AD04-F0D2F8D2C1D9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CBD66E4D-3961-47cb-8F82-D3880D4CF2CA}\stubpath = "C:\\Windows\\{CBD66E4D-3961-47cb-8F82-D3880D4CF2CA}.exe"	{92C2271D-4816-47c3-93C6-61FA9C8AA87C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A0D369CD-D4A1-4680-AA96-4B8E960F3438}\stubpath = "C:\\Windows\\{A0D369CD-D4A1-4680-AA96-4B8E960F3438}.exe"	{CBD66E4D-3961-47cb-8F82-D3880D4CF2CA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A0D369CD-D4A1-4680-AA96-4B8E960F3438}	{CBD66E4D-3961-47cb-8F82-D3880D4CF2CA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DB4B9C32-F435-4f60-B026-4F0DEA27C273}	{1B5D88A9-9A2A-469f-B9F5-D748665E0807}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6A75F304-5AD8-40cd-9D2E-A50A700BE1A5}\stubpath = "C:\\Windows\\{6A75F304-5AD8-40cd-9D2E-A50A700BE1A5}.exe"	{939B33DE-D985-435f-856C-7D23BE3AED8E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A2D95F26-6E81-4f4c-AD04-F0D2F8D2C1D9}	2024-05-27_710e29806463078c8a0df7f12f4e433f_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{92C2271D-4816-47c3-93C6-61FA9C8AA87C}\stubpath = "C:\\Windows\\{92C2271D-4816-47c3-93C6-61FA9C8AA87C}.exe"	{A2D95F26-6E81-4f4c-AD04-F0D2F8D2C1D9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CBD66E4D-3961-47cb-8F82-D3880D4CF2CA}	{92C2271D-4816-47c3-93C6-61FA9C8AA87C}.exe

Deletes itself 1 IoCs

pid	Process
3060	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
1580	{A2D95F26-6E81-4f4c-AD04-F0D2F8D2C1D9}.exe
2636	{92C2271D-4816-47c3-93C6-61FA9C8AA87C}.exe
2276	{CBD66E4D-3961-47cb-8F82-D3880D4CF2CA}.exe
2796	{A0D369CD-D4A1-4680-AA96-4B8E960F3438}.exe
948	{1B5D88A9-9A2A-469f-B9F5-D748665E0807}.exe
636	{DB4B9C32-F435-4f60-B026-4F0DEA27C273}.exe
2736	{939B33DE-D985-435f-856C-7D23BE3AED8E}.exe
876	{6A75F304-5AD8-40cd-9D2E-A50A700BE1A5}.exe
1900	{AADDE564-F662-4bee-BE29-C00C6AAB0767}.exe
1896	{38137B4F-F93F-4461-ADCB-A50326FB1226}.exe
2624	{A8632453-F838-491d-86C2-FECB1791D7E1}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{92C2271D-4816-47c3-93C6-61FA9C8AA87C}.exe	{A2D95F26-6E81-4f4c-AD04-F0D2F8D2C1D9}.exe
File created	C:\Windows\{DB4B9C32-F435-4f60-B026-4F0DEA27C273}.exe	{1B5D88A9-9A2A-469f-B9F5-D748665E0807}.exe
File created	C:\Windows\{939B33DE-D985-435f-856C-7D23BE3AED8E}.exe	{DB4B9C32-F435-4f60-B026-4F0DEA27C273}.exe
File created	C:\Windows\{AADDE564-F662-4bee-BE29-C00C6AAB0767}.exe	{6A75F304-5AD8-40cd-9D2E-A50A700BE1A5}.exe
File created	C:\Windows\{38137B4F-F93F-4461-ADCB-A50326FB1226}.exe	{AADDE564-F662-4bee-BE29-C00C6AAB0767}.exe
File created	C:\Windows\{A8632453-F838-491d-86C2-FECB1791D7E1}.exe	{38137B4F-F93F-4461-ADCB-A50326FB1226}.exe
File created	C:\Windows\{A2D95F26-6E81-4f4c-AD04-F0D2F8D2C1D9}.exe	2024-05-27_710e29806463078c8a0df7f12f4e433f_goldeneye.exe
File created	C:\Windows\{CBD66E4D-3961-47cb-8F82-D3880D4CF2CA}.exe	{92C2271D-4816-47c3-93C6-61FA9C8AA87C}.exe
File created	C:\Windows\{A0D369CD-D4A1-4680-AA96-4B8E960F3438}.exe	{CBD66E4D-3961-47cb-8F82-D3880D4CF2CA}.exe
File created	C:\Windows\{1B5D88A9-9A2A-469f-B9F5-D748665E0807}.exe	{A0D369CD-D4A1-4680-AA96-4B8E960F3438}.exe
File created	C:\Windows\{6A75F304-5AD8-40cd-9D2E-A50A700BE1A5}.exe	{939B33DE-D985-435f-856C-7D23BE3AED8E}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2060	2024-05-27_710e29806463078c8a0df7f12f4e433f_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1580	{A2D95F26-6E81-4f4c-AD04-F0D2F8D2C1D9}.exe
Token: SeIncBasePriorityPrivilege	2636	{92C2271D-4816-47c3-93C6-61FA9C8AA87C}.exe
Token: SeIncBasePriorityPrivilege	2276	{CBD66E4D-3961-47cb-8F82-D3880D4CF2CA}.exe
Token: SeIncBasePriorityPrivilege	2796	{A0D369CD-D4A1-4680-AA96-4B8E960F3438}.exe
Token: SeIncBasePriorityPrivilege	948	{1B5D88A9-9A2A-469f-B9F5-D748665E0807}.exe
Token: SeIncBasePriorityPrivilege	636	{DB4B9C32-F435-4f60-B026-4F0DEA27C273}.exe
Token: SeIncBasePriorityPrivilege	2736	{939B33DE-D985-435f-856C-7D23BE3AED8E}.exe
Token: SeIncBasePriorityPrivilege	876	{6A75F304-5AD8-40cd-9D2E-A50A700BE1A5}.exe
Token: SeIncBasePriorityPrivilege	1900	{AADDE564-F662-4bee-BE29-C00C6AAB0767}.exe
Token: SeIncBasePriorityPrivilege	1896	{38137B4F-F93F-4461-ADCB-A50326FB1226}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2060 wrote to memory of 1580	2060	2024-05-27_710e29806463078c8a0df7f12f4e433f_goldeneye.exe	28
PID 2060 wrote to memory of 1580	2060	2024-05-27_710e29806463078c8a0df7f12f4e433f_goldeneye.exe	28
PID 2060 wrote to memory of 1580	2060	2024-05-27_710e29806463078c8a0df7f12f4e433f_goldeneye.exe	28
PID 2060 wrote to memory of 1580	2060	2024-05-27_710e29806463078c8a0df7f12f4e433f_goldeneye.exe	28
PID 2060 wrote to memory of 3060	2060	2024-05-27_710e29806463078c8a0df7f12f4e433f_goldeneye.exe	29
PID 2060 wrote to memory of 3060	2060	2024-05-27_710e29806463078c8a0df7f12f4e433f_goldeneye.exe	29
PID 2060 wrote to memory of 3060	2060	2024-05-27_710e29806463078c8a0df7f12f4e433f_goldeneye.exe	29
PID 2060 wrote to memory of 3060	2060	2024-05-27_710e29806463078c8a0df7f12f4e433f_goldeneye.exe	29
PID 1580 wrote to memory of 2636	1580	{A2D95F26-6E81-4f4c-AD04-F0D2F8D2C1D9}.exe	30
PID 1580 wrote to memory of 2636	1580	{A2D95F26-6E81-4f4c-AD04-F0D2F8D2C1D9}.exe	30
PID 1580 wrote to memory of 2636	1580	{A2D95F26-6E81-4f4c-AD04-F0D2F8D2C1D9}.exe	30
PID 1580 wrote to memory of 2636	1580	{A2D95F26-6E81-4f4c-AD04-F0D2F8D2C1D9}.exe	30
PID 1580 wrote to memory of 2672	1580	{A2D95F26-6E81-4f4c-AD04-F0D2F8D2C1D9}.exe	31
PID 1580 wrote to memory of 2672	1580	{A2D95F26-6E81-4f4c-AD04-F0D2F8D2C1D9}.exe	31
PID 1580 wrote to memory of 2672	1580	{A2D95F26-6E81-4f4c-AD04-F0D2F8D2C1D9}.exe	31
PID 1580 wrote to memory of 2672	1580	{A2D95F26-6E81-4f4c-AD04-F0D2F8D2C1D9}.exe	31
PID 2636 wrote to memory of 2276	2636	{92C2271D-4816-47c3-93C6-61FA9C8AA87C}.exe	32
PID 2636 wrote to memory of 2276	2636	{92C2271D-4816-47c3-93C6-61FA9C8AA87C}.exe	32
PID 2636 wrote to memory of 2276	2636	{92C2271D-4816-47c3-93C6-61FA9C8AA87C}.exe	32
PID 2636 wrote to memory of 2276	2636	{92C2271D-4816-47c3-93C6-61FA9C8AA87C}.exe	32
PID 2636 wrote to memory of 2608	2636	{92C2271D-4816-47c3-93C6-61FA9C8AA87C}.exe	33
PID 2636 wrote to memory of 2608	2636	{92C2271D-4816-47c3-93C6-61FA9C8AA87C}.exe	33
PID 2636 wrote to memory of 2608	2636	{92C2271D-4816-47c3-93C6-61FA9C8AA87C}.exe	33
PID 2636 wrote to memory of 2608	2636	{92C2271D-4816-47c3-93C6-61FA9C8AA87C}.exe	33
PID 2276 wrote to memory of 2796	2276	{CBD66E4D-3961-47cb-8F82-D3880D4CF2CA}.exe	36
PID 2276 wrote to memory of 2796	2276	{CBD66E4D-3961-47cb-8F82-D3880D4CF2CA}.exe	36
PID 2276 wrote to memory of 2796	2276	{CBD66E4D-3961-47cb-8F82-D3880D4CF2CA}.exe	36
PID 2276 wrote to memory of 2796	2276	{CBD66E4D-3961-47cb-8F82-D3880D4CF2CA}.exe	36
PID 2276 wrote to memory of 3028	2276	{CBD66E4D-3961-47cb-8F82-D3880D4CF2CA}.exe	37
PID 2276 wrote to memory of 3028	2276	{CBD66E4D-3961-47cb-8F82-D3880D4CF2CA}.exe	37
PID 2276 wrote to memory of 3028	2276	{CBD66E4D-3961-47cb-8F82-D3880D4CF2CA}.exe	37
PID 2276 wrote to memory of 3028	2276	{CBD66E4D-3961-47cb-8F82-D3880D4CF2CA}.exe	37
PID 2796 wrote to memory of 948	2796	{A0D369CD-D4A1-4680-AA96-4B8E960F3438}.exe	38
PID 2796 wrote to memory of 948	2796	{A0D369CD-D4A1-4680-AA96-4B8E960F3438}.exe	38
PID 2796 wrote to memory of 948	2796	{A0D369CD-D4A1-4680-AA96-4B8E960F3438}.exe	38
PID 2796 wrote to memory of 948	2796	{A0D369CD-D4A1-4680-AA96-4B8E960F3438}.exe	38
PID 2796 wrote to memory of 1396	2796	{A0D369CD-D4A1-4680-AA96-4B8E960F3438}.exe	39
PID 2796 wrote to memory of 1396	2796	{A0D369CD-D4A1-4680-AA96-4B8E960F3438}.exe	39
PID 2796 wrote to memory of 1396	2796	{A0D369CD-D4A1-4680-AA96-4B8E960F3438}.exe	39
PID 2796 wrote to memory of 1396	2796	{A0D369CD-D4A1-4680-AA96-4B8E960F3438}.exe	39
PID 948 wrote to memory of 636	948	{1B5D88A9-9A2A-469f-B9F5-D748665E0807}.exe	40
PID 948 wrote to memory of 636	948	{1B5D88A9-9A2A-469f-B9F5-D748665E0807}.exe	40
PID 948 wrote to memory of 636	948	{1B5D88A9-9A2A-469f-B9F5-D748665E0807}.exe	40
PID 948 wrote to memory of 636	948	{1B5D88A9-9A2A-469f-B9F5-D748665E0807}.exe	40
PID 948 wrote to memory of 2764	948	{1B5D88A9-9A2A-469f-B9F5-D748665E0807}.exe	41
PID 948 wrote to memory of 2764	948	{1B5D88A9-9A2A-469f-B9F5-D748665E0807}.exe	41
PID 948 wrote to memory of 2764	948	{1B5D88A9-9A2A-469f-B9F5-D748665E0807}.exe	41
PID 948 wrote to memory of 2764	948	{1B5D88A9-9A2A-469f-B9F5-D748665E0807}.exe	41
PID 636 wrote to memory of 2736	636	{DB4B9C32-F435-4f60-B026-4F0DEA27C273}.exe	42
PID 636 wrote to memory of 2736	636	{DB4B9C32-F435-4f60-B026-4F0DEA27C273}.exe	42
PID 636 wrote to memory of 2736	636	{DB4B9C32-F435-4f60-B026-4F0DEA27C273}.exe	42
PID 636 wrote to memory of 2736	636	{DB4B9C32-F435-4f60-B026-4F0DEA27C273}.exe	42
PID 636 wrote to memory of 2800	636	{DB4B9C32-F435-4f60-B026-4F0DEA27C273}.exe	43
PID 636 wrote to memory of 2800	636	{DB4B9C32-F435-4f60-B026-4F0DEA27C273}.exe	43
PID 636 wrote to memory of 2800	636	{DB4B9C32-F435-4f60-B026-4F0DEA27C273}.exe	43
PID 636 wrote to memory of 2800	636	{DB4B9C32-F435-4f60-B026-4F0DEA27C273}.exe	43
PID 2736 wrote to memory of 876	2736	{939B33DE-D985-435f-856C-7D23BE3AED8E}.exe	44
PID 2736 wrote to memory of 876	2736	{939B33DE-D985-435f-856C-7D23BE3AED8E}.exe	44
PID 2736 wrote to memory of 876	2736	{939B33DE-D985-435f-856C-7D23BE3AED8E}.exe	44
PID 2736 wrote to memory of 876	2736	{939B33DE-D985-435f-856C-7D23BE3AED8E}.exe	44
PID 2736 wrote to memory of 1080	2736	{939B33DE-D985-435f-856C-7D23BE3AED8E}.exe	45
PID 2736 wrote to memory of 1080	2736	{939B33DE-D985-435f-856C-7D23BE3AED8E}.exe	45
PID 2736 wrote to memory of 1080	2736	{939B33DE-D985-435f-856C-7D23BE3AED8E}.exe	45
PID 2736 wrote to memory of 1080	2736	{939B33DE-D985-435f-856C-7D23BE3AED8E}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-05-27_710e29806463078c8a0df7f12f4e433f_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-27_710e29806463078c8a0df7f12f4e433f_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2060
- C:\Windows\{A2D95F26-6E81-4f4c-AD04-F0D2F8D2C1D9}.exe
  C:\Windows\{A2D95F26-6E81-4f4c-AD04-F0D2F8D2C1D9}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1580
- - C:\Windows\{92C2271D-4816-47c3-93C6-61FA9C8AA87C}.exe
    C:\Windows\{92C2271D-4816-47c3-93C6-61FA9C8AA87C}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2636
  - - C:\Windows\{CBD66E4D-3961-47cb-8F82-D3880D4CF2CA}.exe
      C:\Windows\{CBD66E4D-3961-47cb-8F82-D3880D4CF2CA}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2276
    - - C:\Windows\{A0D369CD-D4A1-4680-AA96-4B8E960F3438}.exe
        
        C:\Windows\{A0D369CD-D4A1-4680-AA96-4B8E960F3438}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2796
      - C:\Windows\{1B5D88A9-9A2A-469f-B9F5-D748665E0807}.exe
        
        C:\Windows\{1B5D88A9-9A2A-469f-B9F5-D748665E0807}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:948
        
        C:\Windows\{DB4B9C32-F435-4f60-B026-4F0DEA27C273}.exe
        
        C:\Windows\{DB4B9C32-F435-4f60-B026-4F0DEA27C273}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:636
        
        C:\Windows\{939B33DE-D985-435f-856C-7D23BE3AED8E}.exe
        
        C:\Windows\{939B33DE-D985-435f-856C-7D23BE3AED8E}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2736
        
        C:\Windows\{6A75F304-5AD8-40cd-9D2E-A50A700BE1A5}.exe
        
        C:\Windows\{6A75F304-5AD8-40cd-9D2E-A50A700BE1A5}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:876
        
        C:\Windows\{AADDE564-F662-4bee-BE29-C00C6AAB0767}.exe
        
        C:\Windows\{AADDE564-F662-4bee-BE29-C00C6AAB0767}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1900
        
        C:\Windows\{38137B4F-F93F-4461-ADCB-A50326FB1226}.exe
        
        C:\Windows\{38137B4F-F93F-4461-ADCB-A50326FB1226}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1896
        
        C:\Windows\{A8632453-F838-491d-86C2-FECB1791D7E1}.exe
        
        C:\Windows\{A8632453-F838-491d-86C2-FECB1791D7E1}.exe
        12⤵
        Executes dropped EXE
        
        PID:2624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{38137~1.EXE > nul
        12⤵
        
        PID:108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AADDE~1.EXE > nul
        11⤵
        
        PID:336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6A75F~1.EXE > nul
        10⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{939B3~1.EXE > nul
        9⤵
        
        PID:1080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DB4B9~1.EXE > nul
        8⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1B5D8~1.EXE > nul
        7⤵
        
        PID:2764
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A0D36~1.EXE > nul
        6⤵
        
        PID:1396
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CBD66~1.EXE > nul
        5⤵
        
        PID:3028
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{92C22~1.EXE > nul
      4⤵
      PID:2608
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{A2D95~1.EXE > nul
    3⤵
    PID:2672
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:3060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1B5D88A9-9A2A-469f-B9F5-D748665E0807}.exe

Filesize
197KB

MD5
a0cbcef129c85032e5f5a1c01572cc0d

SHA1
2e567dab549d0268f7037393187212fd62ae8081

SHA256
feda0132ab16e154653f0b6fd06e0b4be4d7b0abfd971d64e4073b242bbc8e1c

SHA512
b3edc10789680433c7fc9435bb75f29433d710175c428c155d34df0b8b0d035c7d147376dfa981c22ae96ccf243ba0c1cdb67e76d43e7ecb6e0b41099faf16f7

Download Submit
C:\Windows\{38137B4F-F93F-4461-ADCB-A50326FB1226}.exe

Filesize
197KB

MD5
237a808c97379b857465ec0e03779d61

SHA1
d23f4498d4bac4cd6b7b4303dc6435e49235a48b

SHA256
4f0775f686ebb67b468705ad04591a614bee92f69c1a9d48b48c68966cabc8f1

SHA512
5a5e1e8d3d785f1f3ced75f55541d1d08d3aa1cd7579fa1f63c31a6e4c1197e417e7ee2c333421015802c7880c93cf790ccc3a11edb062ca3a9a56bae6da627a

Download Submit
C:\Windows\{6A75F304-5AD8-40cd-9D2E-A50A700BE1A5}.exe

Filesize
197KB

MD5
58db2527e74e35762434551ef47b9448

SHA1
7e3af04f7513810d8e4cda5ac2aa5a3f1adc748c

SHA256
e11d1d7a1c2bb32b563f37bce24bb0e7494ffbef168cd5bb17cb709318a377cb

SHA512
39b2e75de6748a0957dfa1e141e430238a85ea462cac6b4e52b244f36099da06c23a9ac9dfea6f367554007312b4a4ab97ccdb237cab3bd582c865fcc7ba7834

Download Submit
C:\Windows\{92C2271D-4816-47c3-93C6-61FA9C8AA87C}.exe

Filesize
197KB

MD5
01d2e51707bf8e857049d6a837e4fafd

SHA1
ce2cb81653d30d6b4c83e425bf5a7786e8940c12

SHA256
5e90e18fc807e542b12242d166e3859f718a32f3215928380e58271a2e1ef92e

SHA512
1311dce23b3b2c56f4155510c7595fe39568fa394ef7d321ef39f8697a840d5cb2ba14ddf4efbc4c205596821979ac0594df9834c07b6ae734fcfb49ebc3bd91

Download Submit
C:\Windows\{939B33DE-D985-435f-856C-7D23BE3AED8E}.exe

Filesize
197KB

MD5
ae8e041186d7f55e060657c0cfb805fb

SHA1
d46f873b0e95500842605a71078f0905dcfc3446

SHA256
fe69a288bcb7fedf7cdf650d98bbb6fae93dfefb20e41bdd6c667d1324ad5688

SHA512
e0d35e8557b5e837c20134684bf7ec1d41a1f06e619fca517fd40b8956f4e7b6bde1ab49cc8af9bc4809988de4efa2a598d42ee90c5d912a2ca837a189470469

Download Submit
C:\Windows\{A0D369CD-D4A1-4680-AA96-4B8E960F3438}.exe

Filesize
197KB

MD5
ae0f56a8eb9d7dbed8d234569950d8d5

SHA1
c0b000caa13b62a2056ce2827e0e2b7a4e1c8ead

SHA256
f1934f6e14151ab81c768b012facf9c4d425dda8b15a7a06043714950fb5ab06

SHA512
1954401cbcc3231eefbf35614280a644b0e749fcbd9a463060b333347101e13bba2d90db1b6b245fc7a60da2e61ce82b7bf9232c91ed3bd85bbbea6e35201bdd

Download Submit
C:\Windows\{A2D95F26-6E81-4f4c-AD04-F0D2F8D2C1D9}.exe

Filesize
197KB

MD5
175e0743300fb63f710e1e79bc6cacea

SHA1
b426d66f57fd87bc1226d1b3721ff1d534402dd9

SHA256
bb9d748f12d090c4d25c4699c67e37de99cc13f252193ac573d8dbee9038c07d

SHA512
ba75cbebdc73fb2e62d162a5689384a00fe36216e7d009d3448a7acd141085fda3173b3b4dc658ac8cd624c26fc6efce6c800336af65cc63c59fe7039d89a8ad

Download Submit
C:\Windows\{A8632453-F838-491d-86C2-FECB1791D7E1}.exe

Filesize
197KB

MD5
4ab33419fd61cac91efe8ee288374ac3

SHA1
25c29455e0a488c5ba4e8cdaecffd9f40896d598

SHA256
c390a857e600cc8256802aa3767e63cd5705364a4bff8da3cdb82d0a8cd1ab20

SHA512
9c909b876976ba6232ee57bb104b3575273cf985e4010dcd73930dae69b9624f03b5cbda7229fd4d143233a9f3ee0ae7a41791c0fce216e1992632accd68b884

Download Submit
C:\Windows\{AADDE564-F662-4bee-BE29-C00C6AAB0767}.exe

Filesize
197KB

MD5
817f88d017e92565a656f48ce53e5f58

SHA1
819cc3e9f4d6a9deb298b6680cfe4f507a5770ef

SHA256
6ce6d5681dd12267a65db9b8345a364998d7491455fe3587cbba65e663b706fa

SHA512
2cc1a52ac6d726fc9f10e7495eb84173c0acf8edf75cf92707c818d7de42bc3b269631d1725802b5404ab566144bb6a317086eca87690a6ba179500ad62107cd

Download Submit
C:\Windows\{CBD66E4D-3961-47cb-8F82-D3880D4CF2CA}.exe

Filesize
197KB

MD5
c28a551393607d14d76d1f3f9122aeb8

SHA1
2e0d7533b5ae9e25dac5c7608dbe433c4737ad6e

SHA256
5422ba1686f96517801d3b2843edf288fe322e4b301a9b1d3f5cac5de8bd69be

SHA512
14f36225a4e52709c0df40aa5307f44a7eeb64fc95053bc5f94c120e9f6f5193dcd5e4b5c707b2d85303e9a654d1743134d0992ea26a1a2e141b8997f9df614b

Download Submit
C:\Windows\{DB4B9C32-F435-4f60-B026-4F0DEA27C273}.exe

Filesize
197KB

MD5
b52b1776bfdb7ac6c00a973e61eea04e

SHA1
068378b9cde767280a232df547ec35258de94535

SHA256
9ec8750a10e69f2e4e8cee903b308b17ddf4e986090ec5b3a9f4a7dae7d4845b

SHA512
244c3e4a4a481c5b11e8fcbfbf1d2a8eaecc7ac505aa9f2608b7c33ce75c91c0f15d9ef6ec6613c29f933440018a46ad71b61acdecf9528c8dc1a1a5a95fd45a

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads