904147c27963f3c001688455bbd6deea0a3cfa28e20ad908578887709fe828ad

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
12-06-2024 11:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-12_66182377f7188dad8ae4d1fc3a2df772_goldeneye.exe
Size

344KB
MD5

66182377f7188dad8ae4d1fc3a2df772
SHA1

a56b8a187405e47778c6d647d6a3c88992bc6ab0
SHA256

904147c27963f3c001688455bbd6deea0a3cfa28e20ad908578887709fe828ad
SHA512

c07ff812870c82c4851a49f86d931420e71f77f731283fdb58e9fa03968a14c7145b773e7d6709d9efe23b327f7ae8ab16cb47c9c4cd941ee58758c5a8fa2b5f
SSDEEP

3072:mEGh0orlEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGtlqOe2MUVg3v2IneKcAEcA

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x0009000000015b40-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000015bc8-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a000000015b40-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000015c71-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b000000015b40-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000015c86-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000015c86-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0F8D5F9C-A9D6-4518-B776-E7EC005367B3}	{40336A4C-E57F-405b-A91F-A848324ECC48}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0EFBA381-1803-45a3-B483-A30E341E5891}	2024-06-12_66182377f7188dad8ae4d1fc3a2df772_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B24F8F2E-7A64-4544-86E6-856680D25778}	{0EFBA381-1803-45a3-B483-A30E341E5891}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E55BCC5F-78DD-4817-8513-D85FEC6953D7}\stubpath = "C:\\Windows\\{E55BCC5F-78DD-4817-8513-D85FEC6953D7}.exe"	{F2D8FB92-91EE-45aa-B38E-7BC9E64082C6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{18434C31-5C46-4178-A459-0A877C328FDE}\stubpath = "C:\\Windows\\{18434C31-5C46-4178-A459-0A877C328FDE}.exe"	{4E34EA75-1090-4f1e-A388-79D169E1F08E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{96E2A02B-AA0B-48b7-AB35-DB98E155B548}	{18434C31-5C46-4178-A459-0A877C328FDE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{40336A4C-E57F-405b-A91F-A848324ECC48}	{3A9E5E9B-7AB2-424e-BA41-8559BC675D67}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B24F8F2E-7A64-4544-86E6-856680D25778}\stubpath = "C:\\Windows\\{B24F8F2E-7A64-4544-86E6-856680D25778}.exe"	{0EFBA381-1803-45a3-B483-A30E341E5891}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F2D8FB92-91EE-45aa-B38E-7BC9E64082C6}	{B24F8F2E-7A64-4544-86E6-856680D25778}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F2D8FB92-91EE-45aa-B38E-7BC9E64082C6}\stubpath = "C:\\Windows\\{F2D8FB92-91EE-45aa-B38E-7BC9E64082C6}.exe"	{B24F8F2E-7A64-4544-86E6-856680D25778}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4E34EA75-1090-4f1e-A388-79D169E1F08E}\stubpath = "C:\\Windows\\{4E34EA75-1090-4f1e-A388-79D169E1F08E}.exe"	{F0D2F29E-F794-491d-A17C-5FF412EE3AC6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E55BCC5F-78DD-4817-8513-D85FEC6953D7}	{F2D8FB92-91EE-45aa-B38E-7BC9E64082C6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F0D2F29E-F794-491d-A17C-5FF412EE3AC6}	{E55BCC5F-78DD-4817-8513-D85FEC6953D7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F0D2F29E-F794-491d-A17C-5FF412EE3AC6}\stubpath = "C:\\Windows\\{F0D2F29E-F794-491d-A17C-5FF412EE3AC6}.exe"	{E55BCC5F-78DD-4817-8513-D85FEC6953D7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{96E2A02B-AA0B-48b7-AB35-DB98E155B548}\stubpath = "C:\\Windows\\{96E2A02B-AA0B-48b7-AB35-DB98E155B548}.exe"	{18434C31-5C46-4178-A459-0A877C328FDE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{40336A4C-E57F-405b-A91F-A848324ECC48}\stubpath = "C:\\Windows\\{40336A4C-E57F-405b-A91F-A848324ECC48}.exe"	{3A9E5E9B-7AB2-424e-BA41-8559BC675D67}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0EFBA381-1803-45a3-B483-A30E341E5891}\stubpath = "C:\\Windows\\{0EFBA381-1803-45a3-B483-A30E341E5891}.exe"	2024-06-12_66182377f7188dad8ae4d1fc3a2df772_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4E34EA75-1090-4f1e-A388-79D169E1F08E}	{F0D2F29E-F794-491d-A17C-5FF412EE3AC6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{18434C31-5C46-4178-A459-0A877C328FDE}	{4E34EA75-1090-4f1e-A388-79D169E1F08E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3A9E5E9B-7AB2-424e-BA41-8559BC675D67}	{96E2A02B-AA0B-48b7-AB35-DB98E155B548}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3A9E5E9B-7AB2-424e-BA41-8559BC675D67}\stubpath = "C:\\Windows\\{3A9E5E9B-7AB2-424e-BA41-8559BC675D67}.exe"	{96E2A02B-AA0B-48b7-AB35-DB98E155B548}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0F8D5F9C-A9D6-4518-B776-E7EC005367B3}\stubpath = "C:\\Windows\\{0F8D5F9C-A9D6-4518-B776-E7EC005367B3}.exe"	{40336A4C-E57F-405b-A91F-A848324ECC48}.exe

Deletes itself 1 IoCs

pid	Process
2728	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2284	{0EFBA381-1803-45a3-B483-A30E341E5891}.exe
2748	{B24F8F2E-7A64-4544-86E6-856680D25778}.exe
2732	{F2D8FB92-91EE-45aa-B38E-7BC9E64082C6}.exe
2616	{E55BCC5F-78DD-4817-8513-D85FEC6953D7}.exe
1236	{F0D2F29E-F794-491d-A17C-5FF412EE3AC6}.exe
1612	{4E34EA75-1090-4f1e-A388-79D169E1F08E}.exe
2600	{18434C31-5C46-4178-A459-0A877C328FDE}.exe
3032	{96E2A02B-AA0B-48b7-AB35-DB98E155B548}.exe
2088	{3A9E5E9B-7AB2-424e-BA41-8559BC675D67}.exe
668	{40336A4C-E57F-405b-A91F-A848324ECC48}.exe
584	{0F8D5F9C-A9D6-4518-B776-E7EC005367B3}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{0EFBA381-1803-45a3-B483-A30E341E5891}.exe	2024-06-12_66182377f7188dad8ae4d1fc3a2df772_goldeneye.exe
File created	C:\Windows\{B24F8F2E-7A64-4544-86E6-856680D25778}.exe	{0EFBA381-1803-45a3-B483-A30E341E5891}.exe
File created	C:\Windows\{F2D8FB92-91EE-45aa-B38E-7BC9E64082C6}.exe	{B24F8F2E-7A64-4544-86E6-856680D25778}.exe
File created	C:\Windows\{E55BCC5F-78DD-4817-8513-D85FEC6953D7}.exe	{F2D8FB92-91EE-45aa-B38E-7BC9E64082C6}.exe
File created	C:\Windows\{F0D2F29E-F794-491d-A17C-5FF412EE3AC6}.exe	{E55BCC5F-78DD-4817-8513-D85FEC6953D7}.exe
File created	C:\Windows\{18434C31-5C46-4178-A459-0A877C328FDE}.exe	{4E34EA75-1090-4f1e-A388-79D169E1F08E}.exe
File created	C:\Windows\{3A9E5E9B-7AB2-424e-BA41-8559BC675D67}.exe	{96E2A02B-AA0B-48b7-AB35-DB98E155B548}.exe
File created	C:\Windows\{4E34EA75-1090-4f1e-A388-79D169E1F08E}.exe	{F0D2F29E-F794-491d-A17C-5FF412EE3AC6}.exe
File created	C:\Windows\{96E2A02B-AA0B-48b7-AB35-DB98E155B548}.exe	{18434C31-5C46-4178-A459-0A877C328FDE}.exe
File created	C:\Windows\{40336A4C-E57F-405b-A91F-A848324ECC48}.exe	{3A9E5E9B-7AB2-424e-BA41-8559BC675D67}.exe
File created	C:\Windows\{0F8D5F9C-A9D6-4518-B776-E7EC005367B3}.exe	{40336A4C-E57F-405b-A91F-A848324ECC48}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2336	2024-06-12_66182377f7188dad8ae4d1fc3a2df772_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2284	{0EFBA381-1803-45a3-B483-A30E341E5891}.exe
Token: SeIncBasePriorityPrivilege	2748	{B24F8F2E-7A64-4544-86E6-856680D25778}.exe
Token: SeIncBasePriorityPrivilege	2732	{F2D8FB92-91EE-45aa-B38E-7BC9E64082C6}.exe
Token: SeIncBasePriorityPrivilege	2616	{E55BCC5F-78DD-4817-8513-D85FEC6953D7}.exe
Token: SeIncBasePriorityPrivilege	1236	{F0D2F29E-F794-491d-A17C-5FF412EE3AC6}.exe
Token: SeIncBasePriorityPrivilege	1612	{4E34EA75-1090-4f1e-A388-79D169E1F08E}.exe
Token: SeIncBasePriorityPrivilege	2600	{18434C31-5C46-4178-A459-0A877C328FDE}.exe
Token: SeIncBasePriorityPrivilege	3032	{96E2A02B-AA0B-48b7-AB35-DB98E155B548}.exe
Token: SeIncBasePriorityPrivilege	2088	{3A9E5E9B-7AB2-424e-BA41-8559BC675D67}.exe
Token: SeIncBasePriorityPrivilege	668	{40336A4C-E57F-405b-A91F-A848324ECC48}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2336 wrote to memory of 2284	2336	2024-06-12_66182377f7188dad8ae4d1fc3a2df772_goldeneye.exe	28
PID 2336 wrote to memory of 2284	2336	2024-06-12_66182377f7188dad8ae4d1fc3a2df772_goldeneye.exe	28
PID 2336 wrote to memory of 2284	2336	2024-06-12_66182377f7188dad8ae4d1fc3a2df772_goldeneye.exe	28
PID 2336 wrote to memory of 2284	2336	2024-06-12_66182377f7188dad8ae4d1fc3a2df772_goldeneye.exe	28
PID 2336 wrote to memory of 2728	2336	2024-06-12_66182377f7188dad8ae4d1fc3a2df772_goldeneye.exe	29
PID 2336 wrote to memory of 2728	2336	2024-06-12_66182377f7188dad8ae4d1fc3a2df772_goldeneye.exe	29
PID 2336 wrote to memory of 2728	2336	2024-06-12_66182377f7188dad8ae4d1fc3a2df772_goldeneye.exe	29
PID 2336 wrote to memory of 2728	2336	2024-06-12_66182377f7188dad8ae4d1fc3a2df772_goldeneye.exe	29
PID 2284 wrote to memory of 2748	2284	{0EFBA381-1803-45a3-B483-A30E341E5891}.exe	30
PID 2284 wrote to memory of 2748	2284	{0EFBA381-1803-45a3-B483-A30E341E5891}.exe	30
PID 2284 wrote to memory of 2748	2284	{0EFBA381-1803-45a3-B483-A30E341E5891}.exe	30
PID 2284 wrote to memory of 2748	2284	{0EFBA381-1803-45a3-B483-A30E341E5891}.exe	30
PID 2284 wrote to memory of 2752	2284	{0EFBA381-1803-45a3-B483-A30E341E5891}.exe	31
PID 2284 wrote to memory of 2752	2284	{0EFBA381-1803-45a3-B483-A30E341E5891}.exe	31
PID 2284 wrote to memory of 2752	2284	{0EFBA381-1803-45a3-B483-A30E341E5891}.exe	31
PID 2284 wrote to memory of 2752	2284	{0EFBA381-1803-45a3-B483-A30E341E5891}.exe	31
PID 2748 wrote to memory of 2732	2748	{B24F8F2E-7A64-4544-86E6-856680D25778}.exe	32
PID 2748 wrote to memory of 2732	2748	{B24F8F2E-7A64-4544-86E6-856680D25778}.exe	32
PID 2748 wrote to memory of 2732	2748	{B24F8F2E-7A64-4544-86E6-856680D25778}.exe	32
PID 2748 wrote to memory of 2732	2748	{B24F8F2E-7A64-4544-86E6-856680D25778}.exe	32
PID 2748 wrote to memory of 2700	2748	{B24F8F2E-7A64-4544-86E6-856680D25778}.exe	33
PID 2748 wrote to memory of 2700	2748	{B24F8F2E-7A64-4544-86E6-856680D25778}.exe	33
PID 2748 wrote to memory of 2700	2748	{B24F8F2E-7A64-4544-86E6-856680D25778}.exe	33
PID 2748 wrote to memory of 2700	2748	{B24F8F2E-7A64-4544-86E6-856680D25778}.exe	33
PID 2732 wrote to memory of 2616	2732	{F2D8FB92-91EE-45aa-B38E-7BC9E64082C6}.exe	36
PID 2732 wrote to memory of 2616	2732	{F2D8FB92-91EE-45aa-B38E-7BC9E64082C6}.exe	36
PID 2732 wrote to memory of 2616	2732	{F2D8FB92-91EE-45aa-B38E-7BC9E64082C6}.exe	36
PID 2732 wrote to memory of 2616	2732	{F2D8FB92-91EE-45aa-B38E-7BC9E64082C6}.exe	36
PID 2732 wrote to memory of 3048	2732	{F2D8FB92-91EE-45aa-B38E-7BC9E64082C6}.exe	37
PID 2732 wrote to memory of 3048	2732	{F2D8FB92-91EE-45aa-B38E-7BC9E64082C6}.exe	37
PID 2732 wrote to memory of 3048	2732	{F2D8FB92-91EE-45aa-B38E-7BC9E64082C6}.exe	37
PID 2732 wrote to memory of 3048	2732	{F2D8FB92-91EE-45aa-B38E-7BC9E64082C6}.exe	37
PID 2616 wrote to memory of 1236	2616	{E55BCC5F-78DD-4817-8513-D85FEC6953D7}.exe	38
PID 2616 wrote to memory of 1236	2616	{E55BCC5F-78DD-4817-8513-D85FEC6953D7}.exe	38
PID 2616 wrote to memory of 1236	2616	{E55BCC5F-78DD-4817-8513-D85FEC6953D7}.exe	38
PID 2616 wrote to memory of 1236	2616	{E55BCC5F-78DD-4817-8513-D85FEC6953D7}.exe	38
PID 2616 wrote to memory of 2896	2616	{E55BCC5F-78DD-4817-8513-D85FEC6953D7}.exe	39
PID 2616 wrote to memory of 2896	2616	{E55BCC5F-78DD-4817-8513-D85FEC6953D7}.exe	39
PID 2616 wrote to memory of 2896	2616	{E55BCC5F-78DD-4817-8513-D85FEC6953D7}.exe	39
PID 2616 wrote to memory of 2896	2616	{E55BCC5F-78DD-4817-8513-D85FEC6953D7}.exe	39
PID 1236 wrote to memory of 1612	1236	{F0D2F29E-F794-491d-A17C-5FF412EE3AC6}.exe	40
PID 1236 wrote to memory of 1612	1236	{F0D2F29E-F794-491d-A17C-5FF412EE3AC6}.exe	40
PID 1236 wrote to memory of 1612	1236	{F0D2F29E-F794-491d-A17C-5FF412EE3AC6}.exe	40
PID 1236 wrote to memory of 1612	1236	{F0D2F29E-F794-491d-A17C-5FF412EE3AC6}.exe	40
PID 1236 wrote to memory of 1528	1236	{F0D2F29E-F794-491d-A17C-5FF412EE3AC6}.exe	41
PID 1236 wrote to memory of 1528	1236	{F0D2F29E-F794-491d-A17C-5FF412EE3AC6}.exe	41
PID 1236 wrote to memory of 1528	1236	{F0D2F29E-F794-491d-A17C-5FF412EE3AC6}.exe	41
PID 1236 wrote to memory of 1528	1236	{F0D2F29E-F794-491d-A17C-5FF412EE3AC6}.exe	41
PID 1612 wrote to memory of 2600	1612	{4E34EA75-1090-4f1e-A388-79D169E1F08E}.exe	42
PID 1612 wrote to memory of 2600	1612	{4E34EA75-1090-4f1e-A388-79D169E1F08E}.exe	42
PID 1612 wrote to memory of 2600	1612	{4E34EA75-1090-4f1e-A388-79D169E1F08E}.exe	42
PID 1612 wrote to memory of 2600	1612	{4E34EA75-1090-4f1e-A388-79D169E1F08E}.exe	42
PID 1612 wrote to memory of 2888	1612	{4E34EA75-1090-4f1e-A388-79D169E1F08E}.exe	43
PID 1612 wrote to memory of 2888	1612	{4E34EA75-1090-4f1e-A388-79D169E1F08E}.exe	43
PID 1612 wrote to memory of 2888	1612	{4E34EA75-1090-4f1e-A388-79D169E1F08E}.exe	43
PID 1612 wrote to memory of 2888	1612	{4E34EA75-1090-4f1e-A388-79D169E1F08E}.exe	43
PID 2600 wrote to memory of 3032	2600	{18434C31-5C46-4178-A459-0A877C328FDE}.exe	44
PID 2600 wrote to memory of 3032	2600	{18434C31-5C46-4178-A459-0A877C328FDE}.exe	44
PID 2600 wrote to memory of 3032	2600	{18434C31-5C46-4178-A459-0A877C328FDE}.exe	44
PID 2600 wrote to memory of 3032	2600	{18434C31-5C46-4178-A459-0A877C328FDE}.exe	44
PID 2600 wrote to memory of 3020	2600	{18434C31-5C46-4178-A459-0A877C328FDE}.exe	45
PID 2600 wrote to memory of 3020	2600	{18434C31-5C46-4178-A459-0A877C328FDE}.exe	45
PID 2600 wrote to memory of 3020	2600	{18434C31-5C46-4178-A459-0A877C328FDE}.exe	45
PID 2600 wrote to memory of 3020	2600	{18434C31-5C46-4178-A459-0A877C328FDE}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-06-12_66182377f7188dad8ae4d1fc3a2df772_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-12_66182377f7188dad8ae4d1fc3a2df772_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2336
- C:\Windows\{0EFBA381-1803-45a3-B483-A30E341E5891}.exe
  C:\Windows\{0EFBA381-1803-45a3-B483-A30E341E5891}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2284
- - C:\Windows\{B24F8F2E-7A64-4544-86E6-856680D25778}.exe
    C:\Windows\{B24F8F2E-7A64-4544-86E6-856680D25778}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2748
  - - C:\Windows\{F2D8FB92-91EE-45aa-B38E-7BC9E64082C6}.exe
      C:\Windows\{F2D8FB92-91EE-45aa-B38E-7BC9E64082C6}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2732
    - - C:\Windows\{E55BCC5F-78DD-4817-8513-D85FEC6953D7}.exe
        
        C:\Windows\{E55BCC5F-78DD-4817-8513-D85FEC6953D7}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2616
      - C:\Windows\{F0D2F29E-F794-491d-A17C-5FF412EE3AC6}.exe
        
        C:\Windows\{F0D2F29E-F794-491d-A17C-5FF412EE3AC6}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1236
        
        C:\Windows\{4E34EA75-1090-4f1e-A388-79D169E1F08E}.exe
        
        C:\Windows\{4E34EA75-1090-4f1e-A388-79D169E1F08E}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1612
        
        C:\Windows\{18434C31-5C46-4178-A459-0A877C328FDE}.exe
        
        C:\Windows\{18434C31-5C46-4178-A459-0A877C328FDE}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2600
        
        C:\Windows\{96E2A02B-AA0B-48b7-AB35-DB98E155B548}.exe
        
        C:\Windows\{96E2A02B-AA0B-48b7-AB35-DB98E155B548}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3032
        
        C:\Windows\{3A9E5E9B-7AB2-424e-BA41-8559BC675D67}.exe
        
        C:\Windows\{3A9E5E9B-7AB2-424e-BA41-8559BC675D67}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2088
        
        C:\Windows\{40336A4C-E57F-405b-A91F-A848324ECC48}.exe
        
        C:\Windows\{40336A4C-E57F-405b-A91F-A848324ECC48}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:668
        
        C:\Windows\{0F8D5F9C-A9D6-4518-B776-E7EC005367B3}.exe
        
        C:\Windows\{0F8D5F9C-A9D6-4518-B776-E7EC005367B3}.exe
        12⤵
        Executes dropped EXE
        
        PID:584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{40336~1.EXE > nul
        12⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3A9E5~1.EXE > nul
        11⤵
        
        PID:1064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{96E2A~1.EXE > nul
        10⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{18434~1.EXE > nul
        9⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4E34E~1.EXE > nul
        8⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F0D2F~1.EXE > nul
        7⤵
        
        PID:1528
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E55BC~1.EXE > nul
        6⤵
        
        PID:2896
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F2D8F~1.EXE > nul
        5⤵
        
        PID:3048
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{B24F8~1.EXE > nul
      4⤵
      PID:2700
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{0EFBA~1.EXE > nul
    3⤵
    PID:2752
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0EFBA381-1803-45a3-B483-A30E341E5891}.exe

Filesize
344KB

MD5
44ce056263435affd1662d0dd5daecc5

SHA1
09993b9716453f6c4cb0787a0b568bf0d1d6b59c

SHA256
f96baf0709d425a8e16986f1761c8f93d9853f74f81b5f618552822961ed9e38

SHA512
0cb17a16a1a49a0bcc665bf557832add14ab94723bdbfd8ab782ea7faecf96adf5367c43562a5b3443eefb9dd813a49f7eac6f8645f0a0ab40e7479dd2083135

Download Submit
C:\Windows\{0F8D5F9C-A9D6-4518-B776-E7EC005367B3}.exe

Filesize
344KB

MD5
81a5a3958591e54f17c0ebb997fb5976

SHA1
c8e0927ac4b4b837e3447a415562fc91767b8760

SHA256
b40a42116223bad015e63d418553956bca9fcb4457ed6ab0da0097abe95e530f

SHA512
1d0a199898f53e3500bfef16f7b484992973797b12a8f82d67291009909021754cba388bd9e5d39a535d040093c4572e01ae45563ab6c81de8f8ca22aa3cf76a

Download Submit
C:\Windows\{18434C31-5C46-4178-A459-0A877C328FDE}.exe

Filesize
344KB

MD5
5a8302a02c690ee4d7dd81f4f19cd33e

SHA1
6f842e6bca6a3d805d4ba4785138953d8a65c02d

SHA256
b4d0749780ddca12d6e1ecf20abd362508cea78dbf14794d5eee599c09cdb809

SHA512
4fd28eff390713657162353910fffe535095d48e8b4e98e6c2f8306b6d1035755e67701ff0811c23474ad19e3505672dd8c909d592ba85d5a4e94d790b989604

Download Submit
C:\Windows\{3A9E5E9B-7AB2-424e-BA41-8559BC675D67}.exe

Filesize
344KB

MD5
1e59ce2f5721995dd9e26342ae599bc4

SHA1
d9ed3882803104f560b7bca9c76042680f80ec54

SHA256
0144d204160a8f5d2c5da7496a3beacfe04ed03752c1e3f507ceb6caedba2ad4

SHA512
593732404e6645ed309a8239ffab369baea91d46deca4fcbd3805909fb9f2fb374c38df6fb6709533f90fd965ab0d4fe2a4724c33100bce82a4a9444a4352edd

Download Submit
C:\Windows\{40336A4C-E57F-405b-A91F-A848324ECC48}.exe

Filesize
344KB

MD5
08f93dbd2455edda8f5578c8c5317285

SHA1
0c61ee499081587e86b7f5bdd8095af6b68d8a1e

SHA256
203a9395d71dcadc70895e25bf8d373b3a6037926ca6de4d5d6a99ae86301a13

SHA512
e1ad438ba29aac494ee2f325ff0091a7ed6098dff9e2ba960ff067eab0420ac4b385bd20b366d34830769d43a2993e8816d3757f209907bedb2e1f5f85311cef

Download Submit
C:\Windows\{4E34EA75-1090-4f1e-A388-79D169E1F08E}.exe

Filesize
344KB

MD5
c5f676ce9b8f63468d375a48d17bd8de

SHA1
1b3cd6e0ee17b077cd92479e166d139bd66ce59e

SHA256
eea987497b396f1c6f082605d4bc67e5df3fc96bc00d8787173b7d164abee02f

SHA512
b9fa19fa6b3a6e9d655fc34e1559bdc930a9b0566ee8b8d5e6024eff9dae25af80c5af3f2336d6eb31ceb826344aea9f3a732631a054b3ebee358de0b4d26997

Download Submit
C:\Windows\{96E2A02B-AA0B-48b7-AB35-DB98E155B548}.exe

Filesize
344KB

MD5
aebb6852ef9dfa741f9d93d764797392

SHA1
957181cfae5e7beffdc43b02aa657e09b21ec8ff

SHA256
97540c559514455ad84ce8b059ad63ecbe7041b8e0636fb770d49e2313b15f55

SHA512
4c8ac44f7a5d6ce2d66e6c474efaaddad7312d449936f1e7c719731aaa973aeaa9debaf5da2028c84e1d1a065482892a10e9d13a057300f1645ce842042d36bf

Download Submit
C:\Windows\{B24F8F2E-7A64-4544-86E6-856680D25778}.exe

Filesize
344KB

MD5
de62289c15ee0b81b367b4b51b67355e

SHA1
c934a0f9265918e61b6e846bddea9d488781b035

SHA256
44243dac7456e3ea0747e80bb798c63027875fef9b05e4a8f13e5643d916d8cc

SHA512
3a88192788b82430de5fe26ddd5e87d31d16dc17f3b7bed31db9c704add07112403b8b16c22b875b4e491dbcc064f2254a48c554556afc4fa1e3e8daba4b60b8

Download Submit
C:\Windows\{E55BCC5F-78DD-4817-8513-D85FEC6953D7}.exe

Filesize
344KB

MD5
1bae07062fa86d29cf50c4459f5878a1

SHA1
299e0363cc55637ab0d4a6bee8ec92c3176d8517

SHA256
9b449458ef61d4751df3dd7cd663b4541c2709711eb43cafb1114355041c93f1

SHA512
feacd9de765943289a28be1405b8866c4968dcd9e2ae322084f5d93103cb8e6e7eb9634aeed0c4095a4b09e7005532c7691c40355de114a5200244a5cca99a0e

Download Submit
C:\Windows\{F0D2F29E-F794-491d-A17C-5FF412EE3AC6}.exe

Filesize
344KB

MD5
0b107f0e75fb77d7a5075e8c4dc69491

SHA1
075d25179b440f4e77039b4c8b502ce9def19e09

SHA256
188ca5193f85c1485a7af03d4eab240c6e87a960748a398f6591695028ff49ba

SHA512
445920459dc8b3026a483ea6bcf11c5f31ae9edd162ce7c19e86bca04b042c0da9d655ffd7ac2bce775533d0499f12ff0cf9b18ed1e316ee73461f393425b65e

Download Submit
C:\Windows\{F2D8FB92-91EE-45aa-B38E-7BC9E64082C6}.exe

Filesize
344KB

MD5
5653534d490640c2b6c50594256351e9

SHA1
6fbbc041a23931cc8f488402a019b7cb1e4d743e

SHA256
457bbf4bd478b44ebdb1f2b68a4486dd5ad4d77166da1b1abd4a54ecf2e4e53e

SHA512
caf208bc6c6f0d6a01c1c864fad0498c718e017672be8a46f77737bed21442e3d369cd4a42626f6ed8bc02a3eaa4368328243e6ea1282535df9cc866a7824cbd

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads