7d9f91e966c5db3c43ac87388a8e41aa4f93777a727b10d699fa32686292e6d8

Analysis

max time kernel
144s
max time network
120s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
27/05/2024, 18:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-27_088a7ee9f1de414a2e82b22927a13737_goldeneye.exe
Size

408KB
MD5

088a7ee9f1de414a2e82b22927a13737
SHA1

bfff33cdbb85af2fdbf9a1bd1383d60d3e096b10
SHA256

7d9f91e966c5db3c43ac87388a8e41aa4f93777a727b10d699fa32686292e6d8
SHA512

d24e1ad10787784295344d566b1e3759af50d3a633468318856daf7c70c88093d3eaeaeaf0b3bba3b598c5062c1765ee4cbab238c6ccec166682327d52a37bda
SSDEEP

3072:CEGh0onl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGZldOe2MUVg3vTeKcAEciTBqr3jy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000b000000014457-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0038000000014709-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000014457-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0038000000014713-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000014457-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e000000014457-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f000000014457-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{188CB46C-7809-41a4-90B4-8DFD65CACF14}\stubpath = "C:\\Windows\\{188CB46C-7809-41a4-90B4-8DFD65CACF14}.exe"	{FC5DA605-1F9A-45ae-819D-0EAF18AC5E0C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2604F43F-278E-451b-A976-5C5DCFBD73D4}	{DF4FE315-2981-4767-B42A-64E4388227BF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C0144D00-944E-4cca-8410-473B4097657D}\stubpath = "C:\\Windows\\{C0144D00-944E-4cca-8410-473B4097657D}.exe"	{D0C80F34-1366-4cce-A346-DE0F1D692E95}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CF708DE5-23B7-4c1e-A617-73498F430710}	{C7FF9BCD-14BF-49c7-9422-C6C7BADD7324}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ACAFDAFC-36DD-4b3f-B0AD-B0149BDDA4F6}	{D04A84EB-A303-4dd8-AA74-F9CF58C648B8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ACAFDAFC-36DD-4b3f-B0AD-B0149BDDA4F6}\stubpath = "C:\\Windows\\{ACAFDAFC-36DD-4b3f-B0AD-B0149BDDA4F6}.exe"	{D04A84EB-A303-4dd8-AA74-F9CF58C648B8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E7F4312A-3A89-4d22-A3D5-2799DF549569}	{2604F43F-278E-451b-A976-5C5DCFBD73D4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C7FF9BCD-14BF-49c7-9422-C6C7BADD7324}	{C0144D00-944E-4cca-8410-473B4097657D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CF708DE5-23B7-4c1e-A617-73498F430710}\stubpath = "C:\\Windows\\{CF708DE5-23B7-4c1e-A617-73498F430710}.exe"	{C7FF9BCD-14BF-49c7-9422-C6C7BADD7324}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D04A84EB-A303-4dd8-AA74-F9CF58C648B8}\stubpath = "C:\\Windows\\{D04A84EB-A303-4dd8-AA74-F9CF58C648B8}.exe"	2024-05-27_088a7ee9f1de414a2e82b22927a13737_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DF4FE315-2981-4767-B42A-64E4388227BF}	{188CB46C-7809-41a4-90B4-8DFD65CACF14}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E7F4312A-3A89-4d22-A3D5-2799DF549569}\stubpath = "C:\\Windows\\{E7F4312A-3A89-4d22-A3D5-2799DF549569}.exe"	{2604F43F-278E-451b-A976-5C5DCFBD73D4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D0C80F34-1366-4cce-A346-DE0F1D692E95}\stubpath = "C:\\Windows\\{D0C80F34-1366-4cce-A346-DE0F1D692E95}.exe"	{E7F4312A-3A89-4d22-A3D5-2799DF549569}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C0144D00-944E-4cca-8410-473B4097657D}	{D0C80F34-1366-4cce-A346-DE0F1D692E95}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C7FF9BCD-14BF-49c7-9422-C6C7BADD7324}\stubpath = "C:\\Windows\\{C7FF9BCD-14BF-49c7-9422-C6C7BADD7324}.exe"	{C0144D00-944E-4cca-8410-473B4097657D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D04A84EB-A303-4dd8-AA74-F9CF58C648B8}	2024-05-27_088a7ee9f1de414a2e82b22927a13737_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FC5DA605-1F9A-45ae-819D-0EAF18AC5E0C}	{ACAFDAFC-36DD-4b3f-B0AD-B0149BDDA4F6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FC5DA605-1F9A-45ae-819D-0EAF18AC5E0C}\stubpath = "C:\\Windows\\{FC5DA605-1F9A-45ae-819D-0EAF18AC5E0C}.exe"	{ACAFDAFC-36DD-4b3f-B0AD-B0149BDDA4F6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{188CB46C-7809-41a4-90B4-8DFD65CACF14}	{FC5DA605-1F9A-45ae-819D-0EAF18AC5E0C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DF4FE315-2981-4767-B42A-64E4388227BF}\stubpath = "C:\\Windows\\{DF4FE315-2981-4767-B42A-64E4388227BF}.exe"	{188CB46C-7809-41a4-90B4-8DFD65CACF14}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2604F43F-278E-451b-A976-5C5DCFBD73D4}\stubpath = "C:\\Windows\\{2604F43F-278E-451b-A976-5C5DCFBD73D4}.exe"	{DF4FE315-2981-4767-B42A-64E4388227BF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D0C80F34-1366-4cce-A346-DE0F1D692E95}	{E7F4312A-3A89-4d22-A3D5-2799DF549569}.exe

Executes dropped EXE 11 IoCs

pid	Process
2848	{D04A84EB-A303-4dd8-AA74-F9CF58C648B8}.exe
2464	{ACAFDAFC-36DD-4b3f-B0AD-B0149BDDA4F6}.exe
2364	{FC5DA605-1F9A-45ae-819D-0EAF18AC5E0C}.exe
2252	{188CB46C-7809-41a4-90B4-8DFD65CACF14}.exe
1452	{DF4FE315-2981-4767-B42A-64E4388227BF}.exe
300	{2604F43F-278E-451b-A976-5C5DCFBD73D4}.exe
2096	{E7F4312A-3A89-4d22-A3D5-2799DF549569}.exe
1312	{D0C80F34-1366-4cce-A346-DE0F1D692E95}.exe
2604	{C0144D00-944E-4cca-8410-473B4097657D}.exe
2200	{C7FF9BCD-14BF-49c7-9422-C6C7BADD7324}.exe
1392	{CF708DE5-23B7-4c1e-A617-73498F430710}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{D0C80F34-1366-4cce-A346-DE0F1D692E95}.exe	{E7F4312A-3A89-4d22-A3D5-2799DF549569}.exe
File created	C:\Windows\{C7FF9BCD-14BF-49c7-9422-C6C7BADD7324}.exe	{C0144D00-944E-4cca-8410-473B4097657D}.exe
File created	C:\Windows\{D04A84EB-A303-4dd8-AA74-F9CF58C648B8}.exe	2024-05-27_088a7ee9f1de414a2e82b22927a13737_goldeneye.exe
File created	C:\Windows\{ACAFDAFC-36DD-4b3f-B0AD-B0149BDDA4F6}.exe	{D04A84EB-A303-4dd8-AA74-F9CF58C648B8}.exe
File created	C:\Windows\{FC5DA605-1F9A-45ae-819D-0EAF18AC5E0C}.exe	{ACAFDAFC-36DD-4b3f-B0AD-B0149BDDA4F6}.exe
File created	C:\Windows\{E7F4312A-3A89-4d22-A3D5-2799DF549569}.exe	{2604F43F-278E-451b-A976-5C5DCFBD73D4}.exe
File created	C:\Windows\{C0144D00-944E-4cca-8410-473B4097657D}.exe	{D0C80F34-1366-4cce-A346-DE0F1D692E95}.exe
File created	C:\Windows\{CF708DE5-23B7-4c1e-A617-73498F430710}.exe	{C7FF9BCD-14BF-49c7-9422-C6C7BADD7324}.exe
File created	C:\Windows\{188CB46C-7809-41a4-90B4-8DFD65CACF14}.exe	{FC5DA605-1F9A-45ae-819D-0EAF18AC5E0C}.exe
File created	C:\Windows\{DF4FE315-2981-4767-B42A-64E4388227BF}.exe	{188CB46C-7809-41a4-90B4-8DFD65CACF14}.exe
File created	C:\Windows\{2604F43F-278E-451b-A976-5C5DCFBD73D4}.exe	{DF4FE315-2981-4767-B42A-64E4388227BF}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2932	2024-05-27_088a7ee9f1de414a2e82b22927a13737_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2848	{D04A84EB-A303-4dd8-AA74-F9CF58C648B8}.exe
Token: SeIncBasePriorityPrivilege	2464	{ACAFDAFC-36DD-4b3f-B0AD-B0149BDDA4F6}.exe
Token: SeIncBasePriorityPrivilege	2364	{FC5DA605-1F9A-45ae-819D-0EAF18AC5E0C}.exe
Token: SeIncBasePriorityPrivilege	2252	{188CB46C-7809-41a4-90B4-8DFD65CACF14}.exe
Token: SeIncBasePriorityPrivilege	1452	{DF4FE315-2981-4767-B42A-64E4388227BF}.exe
Token: SeIncBasePriorityPrivilege	300	{2604F43F-278E-451b-A976-5C5DCFBD73D4}.exe
Token: SeIncBasePriorityPrivilege	2096	{E7F4312A-3A89-4d22-A3D5-2799DF549569}.exe
Token: SeIncBasePriorityPrivilege	1312	{D0C80F34-1366-4cce-A346-DE0F1D692E95}.exe
Token: SeIncBasePriorityPrivilege	2604	{C0144D00-944E-4cca-8410-473B4097657D}.exe
Token: SeIncBasePriorityPrivilege	2200	{C7FF9BCD-14BF-49c7-9422-C6C7BADD7324}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2932 wrote to memory of 2848	2932	2024-05-27_088a7ee9f1de414a2e82b22927a13737_goldeneye.exe	28
PID 2932 wrote to memory of 2848	2932	2024-05-27_088a7ee9f1de414a2e82b22927a13737_goldeneye.exe	28
PID 2932 wrote to memory of 2848	2932	2024-05-27_088a7ee9f1de414a2e82b22927a13737_goldeneye.exe	28
PID 2932 wrote to memory of 2848	2932	2024-05-27_088a7ee9f1de414a2e82b22927a13737_goldeneye.exe	28
PID 2932 wrote to memory of 2844	2932	2024-05-27_088a7ee9f1de414a2e82b22927a13737_goldeneye.exe	29
PID 2932 wrote to memory of 2844	2932	2024-05-27_088a7ee9f1de414a2e82b22927a13737_goldeneye.exe	29
PID 2932 wrote to memory of 2844	2932	2024-05-27_088a7ee9f1de414a2e82b22927a13737_goldeneye.exe	29
PID 2932 wrote to memory of 2844	2932	2024-05-27_088a7ee9f1de414a2e82b22927a13737_goldeneye.exe	29
PID 2848 wrote to memory of 2464	2848	{D04A84EB-A303-4dd8-AA74-F9CF58C648B8}.exe	30
PID 2848 wrote to memory of 2464	2848	{D04A84EB-A303-4dd8-AA74-F9CF58C648B8}.exe	30
PID 2848 wrote to memory of 2464	2848	{D04A84EB-A303-4dd8-AA74-F9CF58C648B8}.exe	30
PID 2848 wrote to memory of 2464	2848	{D04A84EB-A303-4dd8-AA74-F9CF58C648B8}.exe	30
PID 2848 wrote to memory of 2644	2848	{D04A84EB-A303-4dd8-AA74-F9CF58C648B8}.exe	31
PID 2848 wrote to memory of 2644	2848	{D04A84EB-A303-4dd8-AA74-F9CF58C648B8}.exe	31
PID 2848 wrote to memory of 2644	2848	{D04A84EB-A303-4dd8-AA74-F9CF58C648B8}.exe	31
PID 2848 wrote to memory of 2644	2848	{D04A84EB-A303-4dd8-AA74-F9CF58C648B8}.exe	31
PID 2464 wrote to memory of 2364	2464	{ACAFDAFC-36DD-4b3f-B0AD-B0149BDDA4F6}.exe	32
PID 2464 wrote to memory of 2364	2464	{ACAFDAFC-36DD-4b3f-B0AD-B0149BDDA4F6}.exe	32
PID 2464 wrote to memory of 2364	2464	{ACAFDAFC-36DD-4b3f-B0AD-B0149BDDA4F6}.exe	32
PID 2464 wrote to memory of 2364	2464	{ACAFDAFC-36DD-4b3f-B0AD-B0149BDDA4F6}.exe	32
PID 2464 wrote to memory of 2504	2464	{ACAFDAFC-36DD-4b3f-B0AD-B0149BDDA4F6}.exe	33
PID 2464 wrote to memory of 2504	2464	{ACAFDAFC-36DD-4b3f-B0AD-B0149BDDA4F6}.exe	33
PID 2464 wrote to memory of 2504	2464	{ACAFDAFC-36DD-4b3f-B0AD-B0149BDDA4F6}.exe	33
PID 2464 wrote to memory of 2504	2464	{ACAFDAFC-36DD-4b3f-B0AD-B0149BDDA4F6}.exe	33
PID 2364 wrote to memory of 2252	2364	{FC5DA605-1F9A-45ae-819D-0EAF18AC5E0C}.exe	36
PID 2364 wrote to memory of 2252	2364	{FC5DA605-1F9A-45ae-819D-0EAF18AC5E0C}.exe	36
PID 2364 wrote to memory of 2252	2364	{FC5DA605-1F9A-45ae-819D-0EAF18AC5E0C}.exe	36
PID 2364 wrote to memory of 2252	2364	{FC5DA605-1F9A-45ae-819D-0EAF18AC5E0C}.exe	36
PID 2364 wrote to memory of 2064	2364	{FC5DA605-1F9A-45ae-819D-0EAF18AC5E0C}.exe	37
PID 2364 wrote to memory of 2064	2364	{FC5DA605-1F9A-45ae-819D-0EAF18AC5E0C}.exe	37
PID 2364 wrote to memory of 2064	2364	{FC5DA605-1F9A-45ae-819D-0EAF18AC5E0C}.exe	37
PID 2364 wrote to memory of 2064	2364	{FC5DA605-1F9A-45ae-819D-0EAF18AC5E0C}.exe	37
PID 2252 wrote to memory of 1452	2252	{188CB46C-7809-41a4-90B4-8DFD65CACF14}.exe	38
PID 2252 wrote to memory of 1452	2252	{188CB46C-7809-41a4-90B4-8DFD65CACF14}.exe	38
PID 2252 wrote to memory of 1452	2252	{188CB46C-7809-41a4-90B4-8DFD65CACF14}.exe	38
PID 2252 wrote to memory of 1452	2252	{188CB46C-7809-41a4-90B4-8DFD65CACF14}.exe	38
PID 2252 wrote to memory of 1260	2252	{188CB46C-7809-41a4-90B4-8DFD65CACF14}.exe	39
PID 2252 wrote to memory of 1260	2252	{188CB46C-7809-41a4-90B4-8DFD65CACF14}.exe	39
PID 2252 wrote to memory of 1260	2252	{188CB46C-7809-41a4-90B4-8DFD65CACF14}.exe	39
PID 2252 wrote to memory of 1260	2252	{188CB46C-7809-41a4-90B4-8DFD65CACF14}.exe	39
PID 1452 wrote to memory of 300	1452	{DF4FE315-2981-4767-B42A-64E4388227BF}.exe	40
PID 1452 wrote to memory of 300	1452	{DF4FE315-2981-4767-B42A-64E4388227BF}.exe	40
PID 1452 wrote to memory of 300	1452	{DF4FE315-2981-4767-B42A-64E4388227BF}.exe	40
PID 1452 wrote to memory of 300	1452	{DF4FE315-2981-4767-B42A-64E4388227BF}.exe	40
PID 1452 wrote to memory of 1696	1452	{DF4FE315-2981-4767-B42A-64E4388227BF}.exe	41
PID 1452 wrote to memory of 1696	1452	{DF4FE315-2981-4767-B42A-64E4388227BF}.exe	41
PID 1452 wrote to memory of 1696	1452	{DF4FE315-2981-4767-B42A-64E4388227BF}.exe	41
PID 1452 wrote to memory of 1696	1452	{DF4FE315-2981-4767-B42A-64E4388227BF}.exe	41
PID 300 wrote to memory of 2096	300	{2604F43F-278E-451b-A976-5C5DCFBD73D4}.exe	42
PID 300 wrote to memory of 2096	300	{2604F43F-278E-451b-A976-5C5DCFBD73D4}.exe	42
PID 300 wrote to memory of 2096	300	{2604F43F-278E-451b-A976-5C5DCFBD73D4}.exe	42
PID 300 wrote to memory of 2096	300	{2604F43F-278E-451b-A976-5C5DCFBD73D4}.exe	42
PID 300 wrote to memory of 1568	300	{2604F43F-278E-451b-A976-5C5DCFBD73D4}.exe	43
PID 300 wrote to memory of 1568	300	{2604F43F-278E-451b-A976-5C5DCFBD73D4}.exe	43
PID 300 wrote to memory of 1568	300	{2604F43F-278E-451b-A976-5C5DCFBD73D4}.exe	43
PID 300 wrote to memory of 1568	300	{2604F43F-278E-451b-A976-5C5DCFBD73D4}.exe	43
PID 2096 wrote to memory of 1312	2096	{E7F4312A-3A89-4d22-A3D5-2799DF549569}.exe	44
PID 2096 wrote to memory of 1312	2096	{E7F4312A-3A89-4d22-A3D5-2799DF549569}.exe	44
PID 2096 wrote to memory of 1312	2096	{E7F4312A-3A89-4d22-A3D5-2799DF549569}.exe	44
PID 2096 wrote to memory of 1312	2096	{E7F4312A-3A89-4d22-A3D5-2799DF549569}.exe	44
PID 2096 wrote to memory of 2040	2096	{E7F4312A-3A89-4d22-A3D5-2799DF549569}.exe	45
PID 2096 wrote to memory of 2040	2096	{E7F4312A-3A89-4d22-A3D5-2799DF549569}.exe	45
PID 2096 wrote to memory of 2040	2096	{E7F4312A-3A89-4d22-A3D5-2799DF549569}.exe	45
PID 2096 wrote to memory of 2040	2096	{E7F4312A-3A89-4d22-A3D5-2799DF549569}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-05-27_088a7ee9f1de414a2e82b22927a13737_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-27_088a7ee9f1de414a2e82b22927a13737_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2932
- C:\Windows\{D04A84EB-A303-4dd8-AA74-F9CF58C648B8}.exe
  C:\Windows\{D04A84EB-A303-4dd8-AA74-F9CF58C648B8}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2848
- - C:\Windows\{ACAFDAFC-36DD-4b3f-B0AD-B0149BDDA4F6}.exe
    C:\Windows\{ACAFDAFC-36DD-4b3f-B0AD-B0149BDDA4F6}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2464
  - - C:\Windows\{FC5DA605-1F9A-45ae-819D-0EAF18AC5E0C}.exe
      C:\Windows\{FC5DA605-1F9A-45ae-819D-0EAF18AC5E0C}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2364
    - - C:\Windows\{188CB46C-7809-41a4-90B4-8DFD65CACF14}.exe
        
        C:\Windows\{188CB46C-7809-41a4-90B4-8DFD65CACF14}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2252
      - C:\Windows\{DF4FE315-2981-4767-B42A-64E4388227BF}.exe
        
        C:\Windows\{DF4FE315-2981-4767-B42A-64E4388227BF}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1452
        
        C:\Windows\{2604F43F-278E-451b-A976-5C5DCFBD73D4}.exe
        
        C:\Windows\{2604F43F-278E-451b-A976-5C5DCFBD73D4}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:300
        
        C:\Windows\{E7F4312A-3A89-4d22-A3D5-2799DF549569}.exe
        
        C:\Windows\{E7F4312A-3A89-4d22-A3D5-2799DF549569}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2096
        
        C:\Windows\{D0C80F34-1366-4cce-A346-DE0F1D692E95}.exe
        
        C:\Windows\{D0C80F34-1366-4cce-A346-DE0F1D692E95}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1312
        
        C:\Windows\{C0144D00-944E-4cca-8410-473B4097657D}.exe
        
        C:\Windows\{C0144D00-944E-4cca-8410-473B4097657D}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2604
        
        C:\Windows\{C7FF9BCD-14BF-49c7-9422-C6C7BADD7324}.exe
        
        C:\Windows\{C7FF9BCD-14BF-49c7-9422-C6C7BADD7324}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2200
        
        C:\Windows\{CF708DE5-23B7-4c1e-A617-73498F430710}.exe
        
        C:\Windows\{CF708DE5-23B7-4c1e-A617-73498F430710}.exe
        12⤵
        Executes dropped EXE
        
        PID:1392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C7FF9~1.EXE > nul
        12⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C0144~1.EXE > nul
        11⤵
        
        PID:480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D0C80~1.EXE > nul
        10⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E7F43~1.EXE > nul
        9⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2604F~1.EXE > nul
        8⤵
        
        PID:1568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DF4FE~1.EXE > nul
        7⤵
        
        PID:1696
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{188CB~1.EXE > nul
        6⤵
        
        PID:1260
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FC5DA~1.EXE > nul
        5⤵
        
        PID:2064
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{ACAFD~1.EXE > nul
      4⤵
      PID:2504
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{D04A8~1.EXE > nul
    3⤵
    PID:2644
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{188CB46C-7809-41a4-90B4-8DFD65CACF14}.exe

Filesize
408KB

MD5
95e8cd4a98f2797bbf6d27f634710e85

SHA1
b1c954fb42f9f8005dd3e44ddb81bb1935938f71

SHA256
88de9c54251085eb00bfc5a831a586eb8a2f711d586cad1a1c132de71d78efc5

SHA512
ee2c01df5ea340f4900e9e7a3197425fcb2d03fba75523b20a7c1d8851167b604b00bb1deb4623fe43d807c764c95a3e9554ce91c81a16115af7a5fbe710c6c7

Download Submit
C:\Windows\{2604F43F-278E-451b-A976-5C5DCFBD73D4}.exe

Filesize
408KB

MD5
71d9a0c22f9b50b32681f17a265f6de7

SHA1
94dcc33a60c9102f6dc39dc1f4d214ba8eaa31b1

SHA256
54fc03f9eb2f78af16a6ca6a3a556c63a09311f2e3d599ab1c1cded3e087e09c

SHA512
8918629ff79d1c7184edea65794e566605c4abf93746de137cdca9c1c422cca43e546937065ad16465b95f7972f237fce08216e1c202d4d25a2888a1af85c324

Download Submit
C:\Windows\{ACAFDAFC-36DD-4b3f-B0AD-B0149BDDA4F6}.exe

Filesize
408KB

MD5
71c86e2ea7f3ed49d822d929e4f64ca9

SHA1
200b8d48f786c455f1ed8bde3ca48500f8e5694f

SHA256
6af0a772e0769cb287b5ce2e5a1a7e98b0467cc1a89746888ed679ee36f955c2

SHA512
bdeaeaa2d5abff85c157729800d5c2dcc67cea6f799917c925f9282096a662ccfc30a8718158f9e29a7e2351974b41f149c91d9ca1685d714876dc3288b771e4

Download Submit
C:\Windows\{C0144D00-944E-4cca-8410-473B4097657D}.exe

Filesize
408KB

MD5
5da8b2fffcd88dc102ebdebf013cbed3

SHA1
9f32b7039c6ae762b5e2a8a04d6c39d797e7b465

SHA256
69d16ea7560836da4dae6c2d6d10ef6cd3684f4dfe742cc129f8fef82e900950

SHA512
65d1839c8f34f46cb5edacb05ec81d58e136f0eb6f4339596fee9612f44fb819b901d4bf418f089ce006d8088c70122340106d78c0fdff674ec6cd337f37b389

Download Submit
C:\Windows\{C7FF9BCD-14BF-49c7-9422-C6C7BADD7324}.exe

Filesize
408KB

MD5
10ef3326fd4a3284fea4a4e9052ab741

SHA1
8915db1b70be0d2c008afd1b5d7d7be45cef0bed

SHA256
7758ae9cecbab379635b71ec7436806c89c3cad750d8dccbb8d0a7ab2a09c36e

SHA512
dd175a7a2b1b8f3d1bfa658906c11bbdfc112d5b15d99f5978c5dcb7d439cb94ddc768ddb30c5ae4ac86c41689ac53d3ffb847f4c360a4147dea53db8720f71f

Download Submit
C:\Windows\{CF708DE5-23B7-4c1e-A617-73498F430710}.exe

Filesize
408KB

MD5
eed5a1dfd4293251719b7f81c168cc95

SHA1
bd621c442c6a3f66f43aa2f170e2d11acbb632d4

SHA256
9ef25af52c36b19268a1baf356541dbd181418ecdac49776077ed21a341e9a3e

SHA512
291e1c9bd3bd674b2e222c446b356fe76ab64265c19425bcae0a64304144264f21fe6a64dd2c51231b0e93cb97ce019c301bc9864073ad0fbe08163db9d3aec0

Download Submit
C:\Windows\{D04A84EB-A303-4dd8-AA74-F9CF58C648B8}.exe

Filesize
408KB

MD5
b75d41a4a80d84d9f3e0a6f2ea9596c7

SHA1
bd364595ad764cf5215a3fff58d4e487b62bb127

SHA256
ba356ae086000dbb0f404ba1f33bb2b4e9a00d464d19a9341bb09d35e327c89a

SHA512
e1ef16435a2a7dffa5d8dacd42d42d3a6696d5c0902cce8b6d5f22d0c29b2c9ad1029cc0025644fdc2b9f2d51182fe480e48da8d1369bfce73d1e77926a40cef

Download Submit
C:\Windows\{D0C80F34-1366-4cce-A346-DE0F1D692E95}.exe

Filesize
408KB

MD5
1e73d6c1e2691f5f7608eb2fee2f2a27

SHA1
5f034bacdcef401e56b0681f2a3054d29e854df1

SHA256
7f670ce5b64a0ce82aa094e998aa8cb3f2129154bd893cff3705c93d46e19f1f

SHA512
31eb9c72534a4a5035df829e09952cbfcd67111e8f54ac38a430e54f4405d369ed34138e27c6c77aef3835c4b6c3e94058ac8074b0b2e23c448015fe7e388ed3

Download Submit
C:\Windows\{DF4FE315-2981-4767-B42A-64E4388227BF}.exe

Filesize
408KB

MD5
3328b04d0678aec5be227ceaaad8463e

SHA1
3d57b37c4d6098040c171ab1010d73cda1ca56ad

SHA256
4f5b919f6498c6239f21725c16cd2c269a4e3c9634839639e06bd8ce1ce753a7

SHA512
3c7fc64872bba03f61767bfbe50893daf911dd4841802e8b337183463d64ea647b622953c085b5fa70bb6a171effdee512f65bdf62b78251c025ca8fff9710d4

Download Submit
C:\Windows\{E7F4312A-3A89-4d22-A3D5-2799DF549569}.exe

Filesize
408KB

MD5
8daf87ce1d812e602e5174d74ef0f810

SHA1
8e5167587d4b04932e35423eb895fdc42b15878e

SHA256
c0df2de29619fe7c839cac91ca1f04d15921e086e67da94e68ef14f6dd840333

SHA512
b69b42cce2f3f96ac2f25733949ac1a0b0d8ff9c784290e43f292ca1962806c6c6c372b228e7e0555522d8e59a774966b2f64e1fba305ced44582e85a64ba1a4

Download Submit
C:\Windows\{FC5DA605-1F9A-45ae-819D-0EAF18AC5E0C}.exe

Filesize
408KB

MD5
d9e0a165b906873276a4acf0c85c281e

SHA1
0bbda34f83579291c19c58316a65cb7a4f6e97f9

SHA256
1218a7cfb47e249359ce9fa79401c3714f8c8a0bb7ce39725cfc2b10cce76d32

SHA512
3b82292c13a8ac30793d89fd623761561786d0e5650a4b24c9ca6f0946c128ef66edbe8fd9f9052dccb4810d0a2155c16b9f7b1ae6fdd4a300d16142ab9b908e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads