7c69232702fc24d6ea40cc8c714757c864318f8287a01aecfb11989fd71d88ae

Analysis

max time kernel
144s
max time network
119s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
02-06-2024 02:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-02_578f015a1d5da7bd270cb43c7fc71d40_goldeneye.exe
Size

168KB
MD5

578f015a1d5da7bd270cb43c7fc71d40
SHA1

3b698fc3e2f00a73ef22321e1835c707014282d6
SHA256

7c69232702fc24d6ea40cc8c714757c864318f8287a01aecfb11989fd71d88ae
SHA512

04d2df931e0b72f1f0917f9711961f010fe07eee0dd6e470b7e1ae859e45040088e5b7118dd9c648c56836c3b01a0e4e8b32ec459afba0bec5eb856b078ca6cc
SSDEEP

1536:1EGh0oAlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oAlqOPOe2MUVg3Ve+rX

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x0007000000012120-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0037000000015fbb-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000012120-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0037000000016020-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000012120-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a000000012120-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b000000012120-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{49D639D4-4A5B-4769-898D-E931DF7D31B7}	2024-06-02_578f015a1d5da7bd270cb43c7fc71d40_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7508E4D9-4EF1-4687-AE55-7B5CF6BABE43}\stubpath = "C:\\Windows\\{7508E4D9-4EF1-4687-AE55-7B5CF6BABE43}.exe"	{4A845ED1-6907-4aa5-BB37-DD33649A1153}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5B9F0946-5162-46ea-B449-BE67FFF4A2FC}\stubpath = "C:\\Windows\\{5B9F0946-5162-46ea-B449-BE67FFF4A2FC}.exe"	{7508E4D9-4EF1-4687-AE55-7B5CF6BABE43}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{49D639D4-4A5B-4769-898D-E931DF7D31B7}\stubpath = "C:\\Windows\\{49D639D4-4A5B-4769-898D-E931DF7D31B7}.exe"	2024-06-02_578f015a1d5da7bd270cb43c7fc71d40_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5A8F4FA2-208F-4423-BBF1-1DBF4E0B5F0F}	{EEF1AD36-730B-4dea-809D-D70F4FD07A47}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5A8F4FA2-208F-4423-BBF1-1DBF4E0B5F0F}\stubpath = "C:\\Windows\\{5A8F4FA2-208F-4423-BBF1-1DBF4E0B5F0F}.exe"	{EEF1AD36-730B-4dea-809D-D70F4FD07A47}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5B9F0946-5162-46ea-B449-BE67FFF4A2FC}	{7508E4D9-4EF1-4687-AE55-7B5CF6BABE43}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{21352165-B6B8-42a6-BC49-ED7159C9F8A0}	{5B9F0946-5162-46ea-B449-BE67FFF4A2FC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ACAAEE50-69EA-4ea8-9F27-603E8E42D83A}\stubpath = "C:\\Windows\\{ACAAEE50-69EA-4ea8-9F27-603E8E42D83A}.exe"	{4DD4C242-A63C-41c6-901F-1B41F4FE3A8D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{21352165-B6B8-42a6-BC49-ED7159C9F8A0}\stubpath = "C:\\Windows\\{21352165-B6B8-42a6-BC49-ED7159C9F8A0}.exe"	{5B9F0946-5162-46ea-B449-BE67FFF4A2FC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EEF1AD36-730B-4dea-809D-D70F4FD07A47}	{49D639D4-4A5B-4769-898D-E931DF7D31B7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E8B32B9F-6DFC-4df0-A66E-06F71C3994E3}	{5A8F4FA2-208F-4423-BBF1-1DBF4E0B5F0F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E8B32B9F-6DFC-4df0-A66E-06F71C3994E3}\stubpath = "C:\\Windows\\{E8B32B9F-6DFC-4df0-A66E-06F71C3994E3}.exe"	{5A8F4FA2-208F-4423-BBF1-1DBF4E0B5F0F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{593A2CB8-87BB-4104-9AD6-9C3CE6FE57A0}	{E8B32B9F-6DFC-4df0-A66E-06F71C3994E3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{593A2CB8-87BB-4104-9AD6-9C3CE6FE57A0}\stubpath = "C:\\Windows\\{593A2CB8-87BB-4104-9AD6-9C3CE6FE57A0}.exe"	{E8B32B9F-6DFC-4df0-A66E-06F71C3994E3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4A845ED1-6907-4aa5-BB37-DD33649A1153}	{593A2CB8-87BB-4104-9AD6-9C3CE6FE57A0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4A845ED1-6907-4aa5-BB37-DD33649A1153}\stubpath = "C:\\Windows\\{4A845ED1-6907-4aa5-BB37-DD33649A1153}.exe"	{593A2CB8-87BB-4104-9AD6-9C3CE6FE57A0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EEF1AD36-730B-4dea-809D-D70F4FD07A47}\stubpath = "C:\\Windows\\{EEF1AD36-730B-4dea-809D-D70F4FD07A47}.exe"	{49D639D4-4A5B-4769-898D-E931DF7D31B7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7508E4D9-4EF1-4687-AE55-7B5CF6BABE43}	{4A845ED1-6907-4aa5-BB37-DD33649A1153}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4DD4C242-A63C-41c6-901F-1B41F4FE3A8D}	{21352165-B6B8-42a6-BC49-ED7159C9F8A0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4DD4C242-A63C-41c6-901F-1B41F4FE3A8D}\stubpath = "C:\\Windows\\{4DD4C242-A63C-41c6-901F-1B41F4FE3A8D}.exe"	{21352165-B6B8-42a6-BC49-ED7159C9F8A0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ACAAEE50-69EA-4ea8-9F27-603E8E42D83A}	{4DD4C242-A63C-41c6-901F-1B41F4FE3A8D}.exe

Deletes itself 1 IoCs

pid	Process
2408	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2448	{49D639D4-4A5B-4769-898D-E931DF7D31B7}.exe
2644	{EEF1AD36-730B-4dea-809D-D70F4FD07A47}.exe
2504	{5A8F4FA2-208F-4423-BBF1-1DBF4E0B5F0F}.exe
2572	{E8B32B9F-6DFC-4df0-A66E-06F71C3994E3}.exe
2844	{593A2CB8-87BB-4104-9AD6-9C3CE6FE57A0}.exe
3068	{4A845ED1-6907-4aa5-BB37-DD33649A1153}.exe
2876	{7508E4D9-4EF1-4687-AE55-7B5CF6BABE43}.exe
3040	{5B9F0946-5162-46ea-B449-BE67FFF4A2FC}.exe
852	{21352165-B6B8-42a6-BC49-ED7159C9F8A0}.exe
2104	{4DD4C242-A63C-41c6-901F-1B41F4FE3A8D}.exe
332	{ACAAEE50-69EA-4ea8-9F27-603E8E42D83A}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{E8B32B9F-6DFC-4df0-A66E-06F71C3994E3}.exe	{5A8F4FA2-208F-4423-BBF1-1DBF4E0B5F0F}.exe
File created	C:\Windows\{593A2CB8-87BB-4104-9AD6-9C3CE6FE57A0}.exe	{E8B32B9F-6DFC-4df0-A66E-06F71C3994E3}.exe
File created	C:\Windows\{7508E4D9-4EF1-4687-AE55-7B5CF6BABE43}.exe	{4A845ED1-6907-4aa5-BB37-DD33649A1153}.exe
File created	C:\Windows\{21352165-B6B8-42a6-BC49-ED7159C9F8A0}.exe	{5B9F0946-5162-46ea-B449-BE67FFF4A2FC}.exe
File created	C:\Windows\{5B9F0946-5162-46ea-B449-BE67FFF4A2FC}.exe	{7508E4D9-4EF1-4687-AE55-7B5CF6BABE43}.exe
File created	C:\Windows\{4DD4C242-A63C-41c6-901F-1B41F4FE3A8D}.exe	{21352165-B6B8-42a6-BC49-ED7159C9F8A0}.exe
File created	C:\Windows\{ACAAEE50-69EA-4ea8-9F27-603E8E42D83A}.exe	{4DD4C242-A63C-41c6-901F-1B41F4FE3A8D}.exe
File created	C:\Windows\{49D639D4-4A5B-4769-898D-E931DF7D31B7}.exe	2024-06-02_578f015a1d5da7bd270cb43c7fc71d40_goldeneye.exe
File created	C:\Windows\{EEF1AD36-730B-4dea-809D-D70F4FD07A47}.exe	{49D639D4-4A5B-4769-898D-E931DF7D31B7}.exe
File created	C:\Windows\{5A8F4FA2-208F-4423-BBF1-1DBF4E0B5F0F}.exe	{EEF1AD36-730B-4dea-809D-D70F4FD07A47}.exe
File created	C:\Windows\{4A845ED1-6907-4aa5-BB37-DD33649A1153}.exe	{593A2CB8-87BB-4104-9AD6-9C3CE6FE57A0}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1992	2024-06-02_578f015a1d5da7bd270cb43c7fc71d40_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2448	{49D639D4-4A5B-4769-898D-E931DF7D31B7}.exe
Token: SeIncBasePriorityPrivilege	2644	{EEF1AD36-730B-4dea-809D-D70F4FD07A47}.exe
Token: SeIncBasePriorityPrivilege	2504	{5A8F4FA2-208F-4423-BBF1-1DBF4E0B5F0F}.exe
Token: SeIncBasePriorityPrivilege	2572	{E8B32B9F-6DFC-4df0-A66E-06F71C3994E3}.exe
Token: SeIncBasePriorityPrivilege	2844	{593A2CB8-87BB-4104-9AD6-9C3CE6FE57A0}.exe
Token: SeIncBasePriorityPrivilege	3068	{4A845ED1-6907-4aa5-BB37-DD33649A1153}.exe
Token: SeIncBasePriorityPrivilege	2876	{7508E4D9-4EF1-4687-AE55-7B5CF6BABE43}.exe
Token: SeIncBasePriorityPrivilege	3040	{5B9F0946-5162-46ea-B449-BE67FFF4A2FC}.exe
Token: SeIncBasePriorityPrivilege	852	{21352165-B6B8-42a6-BC49-ED7159C9F8A0}.exe
Token: SeIncBasePriorityPrivilege	2104	{4DD4C242-A63C-41c6-901F-1B41F4FE3A8D}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1992 wrote to memory of 2448	1992	2024-06-02_578f015a1d5da7bd270cb43c7fc71d40_goldeneye.exe	28
PID 1992 wrote to memory of 2448	1992	2024-06-02_578f015a1d5da7bd270cb43c7fc71d40_goldeneye.exe	28
PID 1992 wrote to memory of 2448	1992	2024-06-02_578f015a1d5da7bd270cb43c7fc71d40_goldeneye.exe	28
PID 1992 wrote to memory of 2448	1992	2024-06-02_578f015a1d5da7bd270cb43c7fc71d40_goldeneye.exe	28
PID 1992 wrote to memory of 2408	1992	2024-06-02_578f015a1d5da7bd270cb43c7fc71d40_goldeneye.exe	29
PID 1992 wrote to memory of 2408	1992	2024-06-02_578f015a1d5da7bd270cb43c7fc71d40_goldeneye.exe	29
PID 1992 wrote to memory of 2408	1992	2024-06-02_578f015a1d5da7bd270cb43c7fc71d40_goldeneye.exe	29
PID 1992 wrote to memory of 2408	1992	2024-06-02_578f015a1d5da7bd270cb43c7fc71d40_goldeneye.exe	29
PID 2448 wrote to memory of 2644	2448	{49D639D4-4A5B-4769-898D-E931DF7D31B7}.exe	30
PID 2448 wrote to memory of 2644	2448	{49D639D4-4A5B-4769-898D-E931DF7D31B7}.exe	30
PID 2448 wrote to memory of 2644	2448	{49D639D4-4A5B-4769-898D-E931DF7D31B7}.exe	30
PID 2448 wrote to memory of 2644	2448	{49D639D4-4A5B-4769-898D-E931DF7D31B7}.exe	30
PID 2448 wrote to memory of 2716	2448	{49D639D4-4A5B-4769-898D-E931DF7D31B7}.exe	31
PID 2448 wrote to memory of 2716	2448	{49D639D4-4A5B-4769-898D-E931DF7D31B7}.exe	31
PID 2448 wrote to memory of 2716	2448	{49D639D4-4A5B-4769-898D-E931DF7D31B7}.exe	31
PID 2448 wrote to memory of 2716	2448	{49D639D4-4A5B-4769-898D-E931DF7D31B7}.exe	31
PID 2644 wrote to memory of 2504	2644	{EEF1AD36-730B-4dea-809D-D70F4FD07A47}.exe	32
PID 2644 wrote to memory of 2504	2644	{EEF1AD36-730B-4dea-809D-D70F4FD07A47}.exe	32
PID 2644 wrote to memory of 2504	2644	{EEF1AD36-730B-4dea-809D-D70F4FD07A47}.exe	32
PID 2644 wrote to memory of 2504	2644	{EEF1AD36-730B-4dea-809D-D70F4FD07A47}.exe	32
PID 2644 wrote to memory of 2616	2644	{EEF1AD36-730B-4dea-809D-D70F4FD07A47}.exe	33
PID 2644 wrote to memory of 2616	2644	{EEF1AD36-730B-4dea-809D-D70F4FD07A47}.exe	33
PID 2644 wrote to memory of 2616	2644	{EEF1AD36-730B-4dea-809D-D70F4FD07A47}.exe	33
PID 2644 wrote to memory of 2616	2644	{EEF1AD36-730B-4dea-809D-D70F4FD07A47}.exe	33
PID 2504 wrote to memory of 2572	2504	{5A8F4FA2-208F-4423-BBF1-1DBF4E0B5F0F}.exe	36
PID 2504 wrote to memory of 2572	2504	{5A8F4FA2-208F-4423-BBF1-1DBF4E0B5F0F}.exe	36
PID 2504 wrote to memory of 2572	2504	{5A8F4FA2-208F-4423-BBF1-1DBF4E0B5F0F}.exe	36
PID 2504 wrote to memory of 2572	2504	{5A8F4FA2-208F-4423-BBF1-1DBF4E0B5F0F}.exe	36
PID 2504 wrote to memory of 3028	2504	{5A8F4FA2-208F-4423-BBF1-1DBF4E0B5F0F}.exe	37
PID 2504 wrote to memory of 3028	2504	{5A8F4FA2-208F-4423-BBF1-1DBF4E0B5F0F}.exe	37
PID 2504 wrote to memory of 3028	2504	{5A8F4FA2-208F-4423-BBF1-1DBF4E0B5F0F}.exe	37
PID 2504 wrote to memory of 3028	2504	{5A8F4FA2-208F-4423-BBF1-1DBF4E0B5F0F}.exe	37
PID 2572 wrote to memory of 2844	2572	{E8B32B9F-6DFC-4df0-A66E-06F71C3994E3}.exe	38
PID 2572 wrote to memory of 2844	2572	{E8B32B9F-6DFC-4df0-A66E-06F71C3994E3}.exe	38
PID 2572 wrote to memory of 2844	2572	{E8B32B9F-6DFC-4df0-A66E-06F71C3994E3}.exe	38
PID 2572 wrote to memory of 2844	2572	{E8B32B9F-6DFC-4df0-A66E-06F71C3994E3}.exe	38
PID 2572 wrote to memory of 2888	2572	{E8B32B9F-6DFC-4df0-A66E-06F71C3994E3}.exe	39
PID 2572 wrote to memory of 2888	2572	{E8B32B9F-6DFC-4df0-A66E-06F71C3994E3}.exe	39
PID 2572 wrote to memory of 2888	2572	{E8B32B9F-6DFC-4df0-A66E-06F71C3994E3}.exe	39
PID 2572 wrote to memory of 2888	2572	{E8B32B9F-6DFC-4df0-A66E-06F71C3994E3}.exe	39
PID 2844 wrote to memory of 3068	2844	{593A2CB8-87BB-4104-9AD6-9C3CE6FE57A0}.exe	40
PID 2844 wrote to memory of 3068	2844	{593A2CB8-87BB-4104-9AD6-9C3CE6FE57A0}.exe	40
PID 2844 wrote to memory of 3068	2844	{593A2CB8-87BB-4104-9AD6-9C3CE6FE57A0}.exe	40
PID 2844 wrote to memory of 3068	2844	{593A2CB8-87BB-4104-9AD6-9C3CE6FE57A0}.exe	40
PID 2844 wrote to memory of 1908	2844	{593A2CB8-87BB-4104-9AD6-9C3CE6FE57A0}.exe	41
PID 2844 wrote to memory of 1908	2844	{593A2CB8-87BB-4104-9AD6-9C3CE6FE57A0}.exe	41
PID 2844 wrote to memory of 1908	2844	{593A2CB8-87BB-4104-9AD6-9C3CE6FE57A0}.exe	41
PID 2844 wrote to memory of 1908	2844	{593A2CB8-87BB-4104-9AD6-9C3CE6FE57A0}.exe	41
PID 3068 wrote to memory of 2876	3068	{4A845ED1-6907-4aa5-BB37-DD33649A1153}.exe	42
PID 3068 wrote to memory of 2876	3068	{4A845ED1-6907-4aa5-BB37-DD33649A1153}.exe	42
PID 3068 wrote to memory of 2876	3068	{4A845ED1-6907-4aa5-BB37-DD33649A1153}.exe	42
PID 3068 wrote to memory of 2876	3068	{4A845ED1-6907-4aa5-BB37-DD33649A1153}.exe	42
PID 3068 wrote to memory of 1640	3068	{4A845ED1-6907-4aa5-BB37-DD33649A1153}.exe	43
PID 3068 wrote to memory of 1640	3068	{4A845ED1-6907-4aa5-BB37-DD33649A1153}.exe	43
PID 3068 wrote to memory of 1640	3068	{4A845ED1-6907-4aa5-BB37-DD33649A1153}.exe	43
PID 3068 wrote to memory of 1640	3068	{4A845ED1-6907-4aa5-BB37-DD33649A1153}.exe	43
PID 2876 wrote to memory of 3040	2876	{7508E4D9-4EF1-4687-AE55-7B5CF6BABE43}.exe	44
PID 2876 wrote to memory of 3040	2876	{7508E4D9-4EF1-4687-AE55-7B5CF6BABE43}.exe	44
PID 2876 wrote to memory of 3040	2876	{7508E4D9-4EF1-4687-AE55-7B5CF6BABE43}.exe	44
PID 2876 wrote to memory of 3040	2876	{7508E4D9-4EF1-4687-AE55-7B5CF6BABE43}.exe	44
PID 2876 wrote to memory of 2864	2876	{7508E4D9-4EF1-4687-AE55-7B5CF6BABE43}.exe	45
PID 2876 wrote to memory of 2864	2876	{7508E4D9-4EF1-4687-AE55-7B5CF6BABE43}.exe	45
PID 2876 wrote to memory of 2864	2876	{7508E4D9-4EF1-4687-AE55-7B5CF6BABE43}.exe	45
PID 2876 wrote to memory of 2864	2876	{7508E4D9-4EF1-4687-AE55-7B5CF6BABE43}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-06-02_578f015a1d5da7bd270cb43c7fc71d40_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-02_578f015a1d5da7bd270cb43c7fc71d40_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1992
- C:\Windows\{49D639D4-4A5B-4769-898D-E931DF7D31B7}.exe
  C:\Windows\{49D639D4-4A5B-4769-898D-E931DF7D31B7}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2448
- - C:\Windows\{EEF1AD36-730B-4dea-809D-D70F4FD07A47}.exe
    C:\Windows\{EEF1AD36-730B-4dea-809D-D70F4FD07A47}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2644
  - - C:\Windows\{5A8F4FA2-208F-4423-BBF1-1DBF4E0B5F0F}.exe
      C:\Windows\{5A8F4FA2-208F-4423-BBF1-1DBF4E0B5F0F}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2504
    - - C:\Windows\{E8B32B9F-6DFC-4df0-A66E-06F71C3994E3}.exe
        
        C:\Windows\{E8B32B9F-6DFC-4df0-A66E-06F71C3994E3}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2572
      - C:\Windows\{593A2CB8-87BB-4104-9AD6-9C3CE6FE57A0}.exe
        
        C:\Windows\{593A2CB8-87BB-4104-9AD6-9C3CE6FE57A0}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2844
        
        C:\Windows\{4A845ED1-6907-4aa5-BB37-DD33649A1153}.exe
        
        C:\Windows\{4A845ED1-6907-4aa5-BB37-DD33649A1153}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3068
        
        C:\Windows\{7508E4D9-4EF1-4687-AE55-7B5CF6BABE43}.exe
        
        C:\Windows\{7508E4D9-4EF1-4687-AE55-7B5CF6BABE43}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2876
        
        C:\Windows\{5B9F0946-5162-46ea-B449-BE67FFF4A2FC}.exe
        
        C:\Windows\{5B9F0946-5162-46ea-B449-BE67FFF4A2FC}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3040
        
        C:\Windows\{21352165-B6B8-42a6-BC49-ED7159C9F8A0}.exe
        
        C:\Windows\{21352165-B6B8-42a6-BC49-ED7159C9F8A0}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:852
        
        C:\Windows\{4DD4C242-A63C-41c6-901F-1B41F4FE3A8D}.exe
        
        C:\Windows\{4DD4C242-A63C-41c6-901F-1B41F4FE3A8D}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2104
        
        C:\Windows\{ACAAEE50-69EA-4ea8-9F27-603E8E42D83A}.exe
        
        C:\Windows\{ACAAEE50-69EA-4ea8-9F27-603E8E42D83A}.exe
        12⤵
        Executes dropped EXE
        
        PID:332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4DD4C~1.EXE > nul
        12⤵
        
        PID:1036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{21352~1.EXE > nul
        11⤵
        
        PID:2948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5B9F0~1.EXE > nul
        10⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7508E~1.EXE > nul
        9⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4A845~1.EXE > nul
        8⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{593A2~1.EXE > nul
        7⤵
        
        PID:1908
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E8B32~1.EXE > nul
        6⤵
        
        PID:2888
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5A8F4~1.EXE > nul
        5⤵
        
        PID:3028
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{EEF1A~1.EXE > nul
      4⤵
      PID:2616
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{49D63~1.EXE > nul
    3⤵
    PID:2716
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{21352165-B6B8-42a6-BC49-ED7159C9F8A0}.exe

Filesize
168KB

MD5
9b3cdd9f619dffcfcb9d45a8c2a27afe

SHA1
10a5ec1ac625aaa6b80aeb0d1df9e76ecadc0d4e

SHA256
77712f1c04b2a40d3c3066ae1dc35369e22a316b9dfa633f0e4016b286818baf

SHA512
21f15f2ea5aecf6cd2e47a7f8269257c05c77a8f5d901e2ff184942346f9c5a09607edf44f83525b2110d2785be7b14e390a1fd2e119bcb91159e56bfe2fb3c6

Download Submit
C:\Windows\{49D639D4-4A5B-4769-898D-E931DF7D31B7}.exe

Filesize
168KB

MD5
8b086d2f4596ff2ead6cf5551e6f19cf

SHA1
8e91ff836eca94c4a65999308c821c3795369d05

SHA256
2d2a7f90a8824f1b3b0348bb1127e0bcf38f3b608190f5db54ba0db1980edc35

SHA512
f48d96fc0a0b87fe29e1edf8e4b46cda60f6b265639aaa2c54b61bd70ec3ac09d6f37882486ee30f30e5e80e8c75fd5c62958b9ab105a727e08fd98c5171db93

Download Submit
C:\Windows\{4A845ED1-6907-4aa5-BB37-DD33649A1153}.exe

Filesize
168KB

MD5
b5f0478e824abf5ce9f2573d483b2b9f

SHA1
3e3db4cb97894a285fcf8b42744cd64e06b9d48e

SHA256
9cc47f3532a9bf201f54b3e4bc6e8f2f37bf24fc6d8af6445ecba188f8829cda

SHA512
1c8dca7c6439ed8410a43cadc559948a47a6814ad4c28ea2a5861a51381cfc0e15b07d4051b9ab3066e9fce98cbe0571f74c1555e3f4b242ebb3be05a9d81ef3

Download Submit
C:\Windows\{4DD4C242-A63C-41c6-901F-1B41F4FE3A8D}.exe

Filesize
168KB

MD5
e3fac6451ae72fef1df22d7d3ba78fff

SHA1
a4d000ce86e08aca2cf5c120a0e2d549882fc28b

SHA256
f68d5ae355873ad4bf4fddb37e2c9552a0fd1da846a0a10db9dea6d3892d0401

SHA512
0b49c31a18514657774a89be16aa6707c00575d7faba3eb8be21c97ba0f5433efe267d89899204ebcd81891fd64ee7382967ed1a0ab4efe1771d9f2ad9c488ed

Download Submit
C:\Windows\{593A2CB8-87BB-4104-9AD6-9C3CE6FE57A0}.exe

Filesize
168KB

MD5
ba3082ef63c5c7ac8d8fea5958239c08

SHA1
50e7f2d128f19ee1696dad5246e44b8e4fe5c35e

SHA256
83b8c6744df9898fb4308d6bd60dafe221205c1357563d55bec01576b4a093d1

SHA512
15f62e274d774f009814a0cad70deb25427caa45ba978ba7f35025175165f459a7edf9b5552ac8c49c92a578de34638379575c51cee9d3dacb7087960dc62a11

Download Submit
C:\Windows\{5A8F4FA2-208F-4423-BBF1-1DBF4E0B5F0F}.exe

Filesize
168KB

MD5
1f1063b53907c92905cef703af7dca96

SHA1
b24b8e29f708f40e807b0b35ca592bb22eadc62c

SHA256
609dc910d33b0186e9ae1b46ddc3d0e81f9e2280882c0dcbfaf711eb1f31891b

SHA512
94a170d434c9a2635d35991b8b6b07dc6163d2152740975702a03aa738230669a8f29d4709d521a24980218262a3a3baef085b3fa6a786a086b5124512a50958

Download Submit
C:\Windows\{5B9F0946-5162-46ea-B449-BE67FFF4A2FC}.exe

Filesize
168KB

MD5
9d5f797058255dce592bc41d59839a6a

SHA1
e652e24269ea3974337d04ad396f41ef5732985b

SHA256
bbc32bf7406dacea345898cd1fdba5174675b41463e924806790fb23e4362622

SHA512
0283f627178ef520b1fca8ab2923b66a1c4b72cd2b7ab6fdd0367121bd961be8b0351b6c90553105bab17309c13a1bca815a0052595d304b25d658d6cee26cba

Download Submit
C:\Windows\{7508E4D9-4EF1-4687-AE55-7B5CF6BABE43}.exe

Filesize
168KB

MD5
7a407fc837f92d44306a68c883c64c11

SHA1
7520fa2902158985489de99f83f4f55fabf29d33

SHA256
09df48e9e67bf073fb93f534bcdd158312bec55fd8519559a64dfb61072e1e0a

SHA512
21ab91f8e678bc1b59ffd2dd4ee0888e690093ded5ca244aecb41b54304f1a6f418844c415acfce683b3b2496c218542ad51e07c008acd3ec073e703a2a54755

Download Submit
C:\Windows\{ACAAEE50-69EA-4ea8-9F27-603E8E42D83A}.exe

Filesize
168KB

MD5
d790b15c84501c8c114bc1b86c69df72

SHA1
395b521d4733b240d798e0f15d8866d72f998160

SHA256
2031eb1d9dcd181e750139328530e921228db53903a93e15164619df8d2c07e9

SHA512
62c47a6abb5af27dfc95e5ad3a5324886cc66fff1d91507d4252350012738c1fcd0cbd05d02e28f498de2863d916d4f603411a21e38a69cbb7f6d000072ad6cc

Download Submit
C:\Windows\{E8B32B9F-6DFC-4df0-A66E-06F71C3994E3}.exe

Filesize
168KB

MD5
2c27e3fc828a5eb0ef8094b7b04d83dd

SHA1
74ae755905915edc0d178e20da638a52e7354bb1

SHA256
e4bdc0f241b11439cd5622a4ae38c24832b235483dc351944e5e65dd103cbf17

SHA512
901122400f7b7deeedfe2b640248df52b3b0cedfa3b54e4ed379b99aed937f482e8c44318c01dfedd6260a486cc9776f164fe62c9ce162cc275cab0f50e6d52e

Download Submit
C:\Windows\{EEF1AD36-730B-4dea-809D-D70F4FD07A47}.exe

Filesize
168KB

MD5
c4c0a6cd812a19f44ad913e136d3bf40

SHA1
968fc3ee2a78eba503afbaaa0ce347a618f27124

SHA256
cfbe23c5cad8125dbfe2fc20a10334c7b70d035f112556d6d935f810d23666bd

SHA512
4656d706fad19624ba0c6b8354b9220e573e93eed663625e6274ed59c0c73b3952b78b56b49b698b51a4f98f99e13b4942f5dbe5b42d681930f3fc7969d17e9e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads