1b7d4a816555c33ac62274d93257e21976aede1a2ec42d224daf6cc645d9946c

Analysis

max time kernel
144s
max time network
117s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
12/06/2024, 12:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-12_d544707af96583c5b71bf78a495f28bf_goldeneye.exe
Size

216KB
MD5

d544707af96583c5b71bf78a495f28bf
SHA1

3ce72026d0ca1e43b54c23274579a7c3cd4314d3
SHA256

1b7d4a816555c33ac62274d93257e21976aede1a2ec42d224daf6cc645d9946c
SHA512

3ed89ea7de8bc3e3d4ecde2be803ac63eb253670cd79d54484732d76fbe7f8e9dd2ead0adb2134d8ced6feebafe0625b9ebca6019743e2e0acf73faad8f6c30c
SSDEEP

3072:jEGh0o1l+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEGrlEeKcAEcGy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000500000000b309-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0066000000015d37-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000600000000b309-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0066000000015d40-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000700000000b309-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000800000000b309-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000900000000b309-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{94482A37-ECAE-4c09-AEBF-198E0558939D}\stubpath = "C:\\Windows\\{94482A37-ECAE-4c09-AEBF-198E0558939D}.exe"	{3C964E55-34B0-4b53-9A29-21A2172262F0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9D93D5FE-B6DC-42e2-908F-0113C90F21D0}	{94482A37-ECAE-4c09-AEBF-198E0558939D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{22F96815-7996-43f2-A229-C8E81FEB026D}	{BA3DEDC3-C776-45dd-A1C6-1B87A754D6A9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{22F96815-7996-43f2-A229-C8E81FEB026D}\stubpath = "C:\\Windows\\{22F96815-7996-43f2-A229-C8E81FEB026D}.exe"	{BA3DEDC3-C776-45dd-A1C6-1B87A754D6A9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{28C389E5-1F08-4acf-B991-93B1286EE18E}\stubpath = "C:\\Windows\\{28C389E5-1F08-4acf-B991-93B1286EE18E}.exe"	{22F96815-7996-43f2-A229-C8E81FEB026D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BE5413FB-AB5A-45dc-B369-A7FE1106290C}	{28C389E5-1F08-4acf-B991-93B1286EE18E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{94482A37-ECAE-4c09-AEBF-198E0558939D}	{3C964E55-34B0-4b53-9A29-21A2172262F0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BA3DEDC3-C776-45dd-A1C6-1B87A754D6A9}	{FBF924E9-62BC-42e4-BE32-C42CD2B4D468}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{28C389E5-1F08-4acf-B991-93B1286EE18E}	{22F96815-7996-43f2-A229-C8E81FEB026D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{274D37CF-2B0E-4c96-B43A-28A5A3A30B31}	{BE5413FB-AB5A-45dc-B369-A7FE1106290C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{274D37CF-2B0E-4c96-B43A-28A5A3A30B31}\stubpath = "C:\\Windows\\{274D37CF-2B0E-4c96-B43A-28A5A3A30B31}.exe"	{BE5413FB-AB5A-45dc-B369-A7FE1106290C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FBF924E9-62BC-42e4-BE32-C42CD2B4D468}	{9D93D5FE-B6DC-42e2-908F-0113C90F21D0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1068BCF9-7433-4f32-B497-F316093D2A46}	{148789A7-25E8-4902-8EC4-C740A63EF6FE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1068BCF9-7433-4f32-B497-F316093D2A46}\stubpath = "C:\\Windows\\{1068BCF9-7433-4f32-B497-F316093D2A46}.exe"	{148789A7-25E8-4902-8EC4-C740A63EF6FE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3C964E55-34B0-4b53-9A29-21A2172262F0}\stubpath = "C:\\Windows\\{3C964E55-34B0-4b53-9A29-21A2172262F0}.exe"	{1068BCF9-7433-4f32-B497-F316093D2A46}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FBF924E9-62BC-42e4-BE32-C42CD2B4D468}\stubpath = "C:\\Windows\\{FBF924E9-62BC-42e4-BE32-C42CD2B4D468}.exe"	{9D93D5FE-B6DC-42e2-908F-0113C90F21D0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BE5413FB-AB5A-45dc-B369-A7FE1106290C}\stubpath = "C:\\Windows\\{BE5413FB-AB5A-45dc-B369-A7FE1106290C}.exe"	{28C389E5-1F08-4acf-B991-93B1286EE18E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{148789A7-25E8-4902-8EC4-C740A63EF6FE}	2024-06-12_d544707af96583c5b71bf78a495f28bf_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3C964E55-34B0-4b53-9A29-21A2172262F0}	{1068BCF9-7433-4f32-B497-F316093D2A46}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9D93D5FE-B6DC-42e2-908F-0113C90F21D0}\stubpath = "C:\\Windows\\{9D93D5FE-B6DC-42e2-908F-0113C90F21D0}.exe"	{94482A37-ECAE-4c09-AEBF-198E0558939D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BA3DEDC3-C776-45dd-A1C6-1B87A754D6A9}\stubpath = "C:\\Windows\\{BA3DEDC3-C776-45dd-A1C6-1B87A754D6A9}.exe"	{FBF924E9-62BC-42e4-BE32-C42CD2B4D468}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{148789A7-25E8-4902-8EC4-C740A63EF6FE}\stubpath = "C:\\Windows\\{148789A7-25E8-4902-8EC4-C740A63EF6FE}.exe"	2024-06-12_d544707af96583c5b71bf78a495f28bf_goldeneye.exe

Deletes itself 1 IoCs

pid	Process
1932	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
1996	{148789A7-25E8-4902-8EC4-C740A63EF6FE}.exe
2824	{1068BCF9-7433-4f32-B497-F316093D2A46}.exe
2776	{3C964E55-34B0-4b53-9A29-21A2172262F0}.exe
3044	{94482A37-ECAE-4c09-AEBF-198E0558939D}.exe
2296	{9D93D5FE-B6DC-42e2-908F-0113C90F21D0}.exe
1864	{FBF924E9-62BC-42e4-BE32-C42CD2B4D468}.exe
1064	{BA3DEDC3-C776-45dd-A1C6-1B87A754D6A9}.exe
3032	{22F96815-7996-43f2-A229-C8E81FEB026D}.exe
1132	{28C389E5-1F08-4acf-B991-93B1286EE18E}.exe
2072	{BE5413FB-AB5A-45dc-B369-A7FE1106290C}.exe
792	{274D37CF-2B0E-4c96-B43A-28A5A3A30B31}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{148789A7-25E8-4902-8EC4-C740A63EF6FE}.exe	2024-06-12_d544707af96583c5b71bf78a495f28bf_goldeneye.exe
File created	C:\Windows\{3C964E55-34B0-4b53-9A29-21A2172262F0}.exe	{1068BCF9-7433-4f32-B497-F316093D2A46}.exe
File created	C:\Windows\{94482A37-ECAE-4c09-AEBF-198E0558939D}.exe	{3C964E55-34B0-4b53-9A29-21A2172262F0}.exe
File created	C:\Windows\{22F96815-7996-43f2-A229-C8E81FEB026D}.exe	{BA3DEDC3-C776-45dd-A1C6-1B87A754D6A9}.exe
File created	C:\Windows\{28C389E5-1F08-4acf-B991-93B1286EE18E}.exe	{22F96815-7996-43f2-A229-C8E81FEB026D}.exe
File created	C:\Windows\{274D37CF-2B0E-4c96-B43A-28A5A3A30B31}.exe	{BE5413FB-AB5A-45dc-B369-A7FE1106290C}.exe
File created	C:\Windows\{1068BCF9-7433-4f32-B497-F316093D2A46}.exe	{148789A7-25E8-4902-8EC4-C740A63EF6FE}.exe
File created	C:\Windows\{9D93D5FE-B6DC-42e2-908F-0113C90F21D0}.exe	{94482A37-ECAE-4c09-AEBF-198E0558939D}.exe
File created	C:\Windows\{FBF924E9-62BC-42e4-BE32-C42CD2B4D468}.exe	{9D93D5FE-B6DC-42e2-908F-0113C90F21D0}.exe
File created	C:\Windows\{BA3DEDC3-C776-45dd-A1C6-1B87A754D6A9}.exe	{FBF924E9-62BC-42e4-BE32-C42CD2B4D468}.exe
File created	C:\Windows\{BE5413FB-AB5A-45dc-B369-A7FE1106290C}.exe	{28C389E5-1F08-4acf-B991-93B1286EE18E}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2460	2024-06-12_d544707af96583c5b71bf78a495f28bf_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1996	{148789A7-25E8-4902-8EC4-C740A63EF6FE}.exe
Token: SeIncBasePriorityPrivilege	2824	{1068BCF9-7433-4f32-B497-F316093D2A46}.exe
Token: SeIncBasePriorityPrivilege	2776	{3C964E55-34B0-4b53-9A29-21A2172262F0}.exe
Token: SeIncBasePriorityPrivilege	3044	{94482A37-ECAE-4c09-AEBF-198E0558939D}.exe
Token: SeIncBasePriorityPrivilege	2296	{9D93D5FE-B6DC-42e2-908F-0113C90F21D0}.exe
Token: SeIncBasePriorityPrivilege	1864	{FBF924E9-62BC-42e4-BE32-C42CD2B4D468}.exe
Token: SeIncBasePriorityPrivilege	1064	{BA3DEDC3-C776-45dd-A1C6-1B87A754D6A9}.exe
Token: SeIncBasePriorityPrivilege	3032	{22F96815-7996-43f2-A229-C8E81FEB026D}.exe
Token: SeIncBasePriorityPrivilege	1132	{28C389E5-1F08-4acf-B991-93B1286EE18E}.exe
Token: SeIncBasePriorityPrivilege	2072	{BE5413FB-AB5A-45dc-B369-A7FE1106290C}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2460 wrote to memory of 1996	2460	2024-06-12_d544707af96583c5b71bf78a495f28bf_goldeneye.exe	28
PID 2460 wrote to memory of 1996	2460	2024-06-12_d544707af96583c5b71bf78a495f28bf_goldeneye.exe	28
PID 2460 wrote to memory of 1996	2460	2024-06-12_d544707af96583c5b71bf78a495f28bf_goldeneye.exe	28
PID 2460 wrote to memory of 1996	2460	2024-06-12_d544707af96583c5b71bf78a495f28bf_goldeneye.exe	28
PID 2460 wrote to memory of 1932	2460	2024-06-12_d544707af96583c5b71bf78a495f28bf_goldeneye.exe	29
PID 2460 wrote to memory of 1932	2460	2024-06-12_d544707af96583c5b71bf78a495f28bf_goldeneye.exe	29
PID 2460 wrote to memory of 1932	2460	2024-06-12_d544707af96583c5b71bf78a495f28bf_goldeneye.exe	29
PID 2460 wrote to memory of 1932	2460	2024-06-12_d544707af96583c5b71bf78a495f28bf_goldeneye.exe	29
PID 1996 wrote to memory of 2824	1996	{148789A7-25E8-4902-8EC4-C740A63EF6FE}.exe	30
PID 1996 wrote to memory of 2824	1996	{148789A7-25E8-4902-8EC4-C740A63EF6FE}.exe	30
PID 1996 wrote to memory of 2824	1996	{148789A7-25E8-4902-8EC4-C740A63EF6FE}.exe	30
PID 1996 wrote to memory of 2824	1996	{148789A7-25E8-4902-8EC4-C740A63EF6FE}.exe	30
PID 1996 wrote to memory of 2680	1996	{148789A7-25E8-4902-8EC4-C740A63EF6FE}.exe	31
PID 1996 wrote to memory of 2680	1996	{148789A7-25E8-4902-8EC4-C740A63EF6FE}.exe	31
PID 1996 wrote to memory of 2680	1996	{148789A7-25E8-4902-8EC4-C740A63EF6FE}.exe	31
PID 1996 wrote to memory of 2680	1996	{148789A7-25E8-4902-8EC4-C740A63EF6FE}.exe	31
PID 2824 wrote to memory of 2776	2824	{1068BCF9-7433-4f32-B497-F316093D2A46}.exe	32
PID 2824 wrote to memory of 2776	2824	{1068BCF9-7433-4f32-B497-F316093D2A46}.exe	32
PID 2824 wrote to memory of 2776	2824	{1068BCF9-7433-4f32-B497-F316093D2A46}.exe	32
PID 2824 wrote to memory of 2776	2824	{1068BCF9-7433-4f32-B497-F316093D2A46}.exe	32
PID 2824 wrote to memory of 2868	2824	{1068BCF9-7433-4f32-B497-F316093D2A46}.exe	33
PID 2824 wrote to memory of 2868	2824	{1068BCF9-7433-4f32-B497-F316093D2A46}.exe	33
PID 2824 wrote to memory of 2868	2824	{1068BCF9-7433-4f32-B497-F316093D2A46}.exe	33
PID 2824 wrote to memory of 2868	2824	{1068BCF9-7433-4f32-B497-F316093D2A46}.exe	33
PID 2776 wrote to memory of 3044	2776	{3C964E55-34B0-4b53-9A29-21A2172262F0}.exe	36
PID 2776 wrote to memory of 3044	2776	{3C964E55-34B0-4b53-9A29-21A2172262F0}.exe	36
PID 2776 wrote to memory of 3044	2776	{3C964E55-34B0-4b53-9A29-21A2172262F0}.exe	36
PID 2776 wrote to memory of 3044	2776	{3C964E55-34B0-4b53-9A29-21A2172262F0}.exe	36
PID 2776 wrote to memory of 3048	2776	{3C964E55-34B0-4b53-9A29-21A2172262F0}.exe	37
PID 2776 wrote to memory of 3048	2776	{3C964E55-34B0-4b53-9A29-21A2172262F0}.exe	37
PID 2776 wrote to memory of 3048	2776	{3C964E55-34B0-4b53-9A29-21A2172262F0}.exe	37
PID 2776 wrote to memory of 3048	2776	{3C964E55-34B0-4b53-9A29-21A2172262F0}.exe	37
PID 3044 wrote to memory of 2296	3044	{94482A37-ECAE-4c09-AEBF-198E0558939D}.exe	38
PID 3044 wrote to memory of 2296	3044	{94482A37-ECAE-4c09-AEBF-198E0558939D}.exe	38
PID 3044 wrote to memory of 2296	3044	{94482A37-ECAE-4c09-AEBF-198E0558939D}.exe	38
PID 3044 wrote to memory of 2296	3044	{94482A37-ECAE-4c09-AEBF-198E0558939D}.exe	38
PID 3044 wrote to memory of 2112	3044	{94482A37-ECAE-4c09-AEBF-198E0558939D}.exe	39
PID 3044 wrote to memory of 2112	3044	{94482A37-ECAE-4c09-AEBF-198E0558939D}.exe	39
PID 3044 wrote to memory of 2112	3044	{94482A37-ECAE-4c09-AEBF-198E0558939D}.exe	39
PID 3044 wrote to memory of 2112	3044	{94482A37-ECAE-4c09-AEBF-198E0558939D}.exe	39
PID 2296 wrote to memory of 1864	2296	{9D93D5FE-B6DC-42e2-908F-0113C90F21D0}.exe	40
PID 2296 wrote to memory of 1864	2296	{9D93D5FE-B6DC-42e2-908F-0113C90F21D0}.exe	40
PID 2296 wrote to memory of 1864	2296	{9D93D5FE-B6DC-42e2-908F-0113C90F21D0}.exe	40
PID 2296 wrote to memory of 1864	2296	{9D93D5FE-B6DC-42e2-908F-0113C90F21D0}.exe	40
PID 2296 wrote to memory of 2748	2296	{9D93D5FE-B6DC-42e2-908F-0113C90F21D0}.exe	41
PID 2296 wrote to memory of 2748	2296	{9D93D5FE-B6DC-42e2-908F-0113C90F21D0}.exe	41
PID 2296 wrote to memory of 2748	2296	{9D93D5FE-B6DC-42e2-908F-0113C90F21D0}.exe	41
PID 2296 wrote to memory of 2748	2296	{9D93D5FE-B6DC-42e2-908F-0113C90F21D0}.exe	41
PID 1864 wrote to memory of 1064	1864	{FBF924E9-62BC-42e4-BE32-C42CD2B4D468}.exe	42
PID 1864 wrote to memory of 1064	1864	{FBF924E9-62BC-42e4-BE32-C42CD2B4D468}.exe	42
PID 1864 wrote to memory of 1064	1864	{FBF924E9-62BC-42e4-BE32-C42CD2B4D468}.exe	42
PID 1864 wrote to memory of 1064	1864	{FBF924E9-62BC-42e4-BE32-C42CD2B4D468}.exe	42
PID 1864 wrote to memory of 2596	1864	{FBF924E9-62BC-42e4-BE32-C42CD2B4D468}.exe	43
PID 1864 wrote to memory of 2596	1864	{FBF924E9-62BC-42e4-BE32-C42CD2B4D468}.exe	43
PID 1864 wrote to memory of 2596	1864	{FBF924E9-62BC-42e4-BE32-C42CD2B4D468}.exe	43
PID 1864 wrote to memory of 2596	1864	{FBF924E9-62BC-42e4-BE32-C42CD2B4D468}.exe	43
PID 1064 wrote to memory of 3032	1064	{BA3DEDC3-C776-45dd-A1C6-1B87A754D6A9}.exe	44
PID 1064 wrote to memory of 3032	1064	{BA3DEDC3-C776-45dd-A1C6-1B87A754D6A9}.exe	44
PID 1064 wrote to memory of 3032	1064	{BA3DEDC3-C776-45dd-A1C6-1B87A754D6A9}.exe	44
PID 1064 wrote to memory of 3032	1064	{BA3DEDC3-C776-45dd-A1C6-1B87A754D6A9}.exe	44
PID 1064 wrote to memory of 2332	1064	{BA3DEDC3-C776-45dd-A1C6-1B87A754D6A9}.exe	45
PID 1064 wrote to memory of 2332	1064	{BA3DEDC3-C776-45dd-A1C6-1B87A754D6A9}.exe	45
PID 1064 wrote to memory of 2332	1064	{BA3DEDC3-C776-45dd-A1C6-1B87A754D6A9}.exe	45
PID 1064 wrote to memory of 2332	1064	{BA3DEDC3-C776-45dd-A1C6-1B87A754D6A9}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-06-12_d544707af96583c5b71bf78a495f28bf_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-12_d544707af96583c5b71bf78a495f28bf_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2460
- C:\Windows\{148789A7-25E8-4902-8EC4-C740A63EF6FE}.exe
  C:\Windows\{148789A7-25E8-4902-8EC4-C740A63EF6FE}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1996
- - C:\Windows\{1068BCF9-7433-4f32-B497-F316093D2A46}.exe
    C:\Windows\{1068BCF9-7433-4f32-B497-F316093D2A46}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2824
  - - C:\Windows\{3C964E55-34B0-4b53-9A29-21A2172262F0}.exe
      C:\Windows\{3C964E55-34B0-4b53-9A29-21A2172262F0}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2776
    - - C:\Windows\{94482A37-ECAE-4c09-AEBF-198E0558939D}.exe
        
        C:\Windows\{94482A37-ECAE-4c09-AEBF-198E0558939D}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3044
      - C:\Windows\{9D93D5FE-B6DC-42e2-908F-0113C90F21D0}.exe
        
        C:\Windows\{9D93D5FE-B6DC-42e2-908F-0113C90F21D0}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2296
        
        C:\Windows\{FBF924E9-62BC-42e4-BE32-C42CD2B4D468}.exe
        
        C:\Windows\{FBF924E9-62BC-42e4-BE32-C42CD2B4D468}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1864
        
        C:\Windows\{BA3DEDC3-C776-45dd-A1C6-1B87A754D6A9}.exe
        
        C:\Windows\{BA3DEDC3-C776-45dd-A1C6-1B87A754D6A9}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1064
        
        C:\Windows\{22F96815-7996-43f2-A229-C8E81FEB026D}.exe
        
        C:\Windows\{22F96815-7996-43f2-A229-C8E81FEB026D}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3032
        
        C:\Windows\{28C389E5-1F08-4acf-B991-93B1286EE18E}.exe
        
        C:\Windows\{28C389E5-1F08-4acf-B991-93B1286EE18E}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1132
        
        C:\Windows\{BE5413FB-AB5A-45dc-B369-A7FE1106290C}.exe
        
        C:\Windows\{BE5413FB-AB5A-45dc-B369-A7FE1106290C}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2072
        
        C:\Windows\{274D37CF-2B0E-4c96-B43A-28A5A3A30B31}.exe
        
        C:\Windows\{274D37CF-2B0E-4c96-B43A-28A5A3A30B31}.exe
        12⤵
        Executes dropped EXE
        
        PID:792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BE541~1.EXE > nul
        12⤵
        
        PID:324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{28C38~1.EXE > nul
        11⤵
        
        PID:860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{22F96~1.EXE > nul
        10⤵
        
        PID:1244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BA3DE~1.EXE > nul
        9⤵
        
        PID:2332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FBF92~1.EXE > nul
        8⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9D93D~1.EXE > nul
        7⤵
        
        PID:2748
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{94482~1.EXE > nul
        6⤵
        
        PID:2112
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3C964~1.EXE > nul
        5⤵
        
        PID:3048
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{1068B~1.EXE > nul
      4⤵
      PID:2868
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{14878~1.EXE > nul
    3⤵
    PID:2680
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:1932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1068BCF9-7433-4f32-B497-F316093D2A46}.exe

Filesize
216KB

MD5
728804dfa3cfc3d3856c0170a23dff4d

SHA1
619bfc73181fac610910bf47296166b4efb53f40

SHA256
6495c278ea7ac4269057bc41de10809b085bcca7884dd084ae25b6c82cff4c2d

SHA512
2464db618fac59ece8a30098f282b55dd38e5be182fe3fe9d828bf0821860b7231b6c4e5d7ef1ec6ff13b8096ad9de4afc49b8d4c49181bfd9246fe13b56d034

Download Submit
C:\Windows\{148789A7-25E8-4902-8EC4-C740A63EF6FE}.exe

Filesize
216KB

MD5
9c43e46f4d76a0cf4d5fa86b9f6fd44c

SHA1
3c98a094271694701a993b39696dee729b51b300

SHA256
b1464d5ee64065f57c1933ff489ce6de1c0abb0e244c2d5ae62be748bf6d6c00

SHA512
2f7f42e484783251ee4c17b352813a055389f955399d9787c2d309d6bb08caa221265659efb64dc4d4745058c39f8fea6e9c6c3bfbe2ec6d359c0a9f8970d7be

Download Submit
C:\Windows\{22F96815-7996-43f2-A229-C8E81FEB026D}.exe

Filesize
216KB

MD5
0b292f1a7b0d223ed5f9a656f7929f35

SHA1
32c5156eae8ee2229e2ead39868253f535cdc694

SHA256
012bc9724bcd0a526cd32775efdc4b2bcb2766ccf0b660d11454d91278b1245f

SHA512
938a73ad9e7251e2cb8dc25eee26145536e33c54a27a4793663b3e290ceb0efdee7a8e1d0f2c6afadc03183abfff261a7b2e1192b721666449b9476952714e94

Download Submit
C:\Windows\{274D37CF-2B0E-4c96-B43A-28A5A3A30B31}.exe

Filesize
216KB

MD5
56784209cea2fdcc69ca85ecf3c86c2b

SHA1
094793856978e06f7fea1b3cb145f0dccb69f772

SHA256
cc5aef188e92d7745d67664918d6a6ed4d936538aae9cfde397e1ff2de426bf4

SHA512
5c9d38cb286fe66930093a23d0f88967f9766e7d55507c9b1fef22dda2a1ed43d021452bc2564252359d257e2ef167f35f0f4eccb413a0a20900cee006df8818

Download Submit
C:\Windows\{28C389E5-1F08-4acf-B991-93B1286EE18E}.exe

Filesize
216KB

MD5
df58dc3d7ee361cc8153155f2b421d1f

SHA1
855db78e079fbb347be410c52832fdcfc5769399

SHA256
802f427a7d72476100d07824e8baea519fdc3687ea738fc12d35f3e5f676ec71

SHA512
16867aed062a282944e199f342c8a65768d66b66f1c1cada070e9bd82451be26838978119e0cd85958fe4c498e333014b45d9eee1e21d5618b7e58dc38818fda

Download Submit
C:\Windows\{3C964E55-34B0-4b53-9A29-21A2172262F0}.exe

Filesize
216KB

MD5
dfb176d80a3309644baebe953650f6c6

SHA1
07453b61b5b82eefc804b33caf0ea3412dd7c9b0

SHA256
ad9f552d0b85dd9ccb58d6e74013a152adaf0c4a7618112e161963e99f2522ad

SHA512
6066545f28c646bc36efe65461895e0469d544f1aee14d42ad5a0fe5a502e86ecccb2a2f3b60fe384869fba4933881ae90296e243b505c6df0c1173e9fc5ddd2

Download Submit
C:\Windows\{94482A37-ECAE-4c09-AEBF-198E0558939D}.exe

Filesize
216KB

MD5
ab50d008269bca91c5408108728fd7e1

SHA1
25370aa51dcc2c54dc78f615399f50a4b298e1df

SHA256
4fa59a802a6be19dbaaf2019b03827238856207aa5e876e49ff24162c6255329

SHA512
b53d602e8b36e8ecc6eee4bcfe4fe724b00d94dcafe3c8437914b6348e5afdef5dc597d5cdb9ded84f57db282a7977ccb1ac9c03bec13a7a32d210f0dc5743cb

Download Submit
C:\Windows\{9D93D5FE-B6DC-42e2-908F-0113C90F21D0}.exe

Filesize
216KB

MD5
26e693d89eff2c95ce1f531edb848f92

SHA1
b1e6e428b20704cb435269c092906ac7f03b88d8

SHA256
ed4f09270e52d2ec45c4e8b8b7f8c72f6b8d7f11c96bfb5b409b484af72f29a6

SHA512
e58e74809da7e3bc66c2d43b657ca387f8e01da0c2235633401cd0655fa8d9a90729cb5b74b03242aca1fd855a655092ce82aaa526125699a09fbf457216c86e

Download Submit
C:\Windows\{BA3DEDC3-C776-45dd-A1C6-1B87A754D6A9}.exe

Filesize
216KB

MD5
fa81cdb437e5d96bc4834dea0080e3e7

SHA1
356442bcf016cf9b40e27caccc13562e9ac86dab

SHA256
f951fa2a8cf6e3a6ec343613b3fe9040c9a524a76f2c78125b914010957b598c

SHA512
70c617bf869a6599e8daad37cac1b447f0ae886f51d70ed8dbe52bd734b592bca24a7be850f7cdbf76712b7141f0341905658c4ff728bd69e675396eaaac54ce

Download Submit
C:\Windows\{BE5413FB-AB5A-45dc-B369-A7FE1106290C}.exe

Filesize
216KB

MD5
9b1da6d9b30342791b34430928325d11

SHA1
6fbbbe39f4b6462effe8eb0b2dda27c8ab4896da

SHA256
ee235948aba169e8424479e7584bb348c308ffc6a818b73807a6f3379cd67825

SHA512
b17f88df8352e705e83eaf9274844ab7cf3426d601128074eec0c146cf20a824a9178cfd5827de724588144d296c7e7a76fdfa8656c319b732a90ed61243b826

Download Submit
C:\Windows\{FBF924E9-62BC-42e4-BE32-C42CD2B4D468}.exe

Filesize
216KB

MD5
194b19f54135eadf5d6e19e93d3fb0c8

SHA1
409fa2f8a39a6bebd0202b7787d3e48b2b8a5104

SHA256
eb5b94ac4151cb84e17b68cb331a81bb0cb608e4921d9b6dfcf860854f62119c

SHA512
cab3140547ffced1e4ba7766e0246f6f915a282c3e61750453945d1c02db88e009710adb0b73e2a84192b3f1bb8ba1d5b3f3d6f33def3413059e924875449762

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads