e80e615bc39b40f8c7ed568193c29893c7fa6fcf068541bfb40a768ca5130c39

Analysis

max time kernel
157s
max time network
30s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
18/01/2024, 22:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-18_802d9acdcfaa66254239bdb94226ed94_goldeneye.exe
Size

168KB
MD5

802d9acdcfaa66254239bdb94226ed94
SHA1

902c9091efda132c9008aa30978a50eb6000e840
SHA256

e80e615bc39b40f8c7ed568193c29893c7fa6fcf068541bfb40a768ca5130c39
SHA512

4b7f6785223821ee2681850ca43694ec71466e256a9117bbb791e2d6e958ae5bc38b0a1ea31b3d0db58878680556317a76333561ba87a9f32034ef098c4c7f32
SSDEEP

1536:1EGh0o8lq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0o8lqOPOe2MUVg3Ve+rX

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x002900000000b1f4-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002a00000000b1f4-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000012270-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002b00000000b1f4-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a000000012270-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002c00000000b1f4-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0034000000016047-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002d00000000b1f4-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0035000000016047-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x003300000001604f-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9578AD2A-1A6E-48be-906E-34DCBCBD5DCA}	{86B630FC-110B-480f-80E7-8291BED8882F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A5E51392-3AD3-475e-B34E-EBCC673F7B92}\stubpath = "C:\\Windows\\{A5E51392-3AD3-475e-B34E-EBCC673F7B92}.exe"	{C86E8CF2-6109-4206-8D9B-E8277978E091}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0D546E93-5DA4-4283-BC41-84A46DE6CA11}	{A5E51392-3AD3-475e-B34E-EBCC673F7B92}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{520A870F-0CDF-42c9-A2B6-7E8C5374F119}	{0FAE40DE-133D-4889-B01F-736ECF31F4D0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F05852D3-EE1A-42df-8B4D-E66235FDDE78}	2024-01-18_802d9acdcfaa66254239bdb94226ed94_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C166916C-3F02-4744-8C2E-614EC153A254}\stubpath = "C:\\Windows\\{C166916C-3F02-4744-8C2E-614EC153A254}.exe"	{F05852D3-EE1A-42df-8B4D-E66235FDDE78}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{86B630FC-110B-480f-80E7-8291BED8882F}\stubpath = "C:\\Windows\\{86B630FC-110B-480f-80E7-8291BED8882F}.exe"	{DEA0E6B4-AF67-4219-B6DA-BC232F7C5920}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B795FF26-25A3-40a1-B9B0-76B864B707E3}	{0D546E93-5DA4-4283-BC41-84A46DE6CA11}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{520A870F-0CDF-42c9-A2B6-7E8C5374F119}\stubpath = "C:\\Windows\\{520A870F-0CDF-42c9-A2B6-7E8C5374F119}.exe"	{0FAE40DE-133D-4889-B01F-736ECF31F4D0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C166916C-3F02-4744-8C2E-614EC153A254}	{F05852D3-EE1A-42df-8B4D-E66235FDDE78}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DEA0E6B4-AF67-4219-B6DA-BC232F7C5920}\stubpath = "C:\\Windows\\{DEA0E6B4-AF67-4219-B6DA-BC232F7C5920}.exe"	{C166916C-3F02-4744-8C2E-614EC153A254}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C86E8CF2-6109-4206-8D9B-E8277978E091}\stubpath = "C:\\Windows\\{C86E8CF2-6109-4206-8D9B-E8277978E091}.exe"	{9578AD2A-1A6E-48be-906E-34DCBCBD5DCA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0FAE40DE-133D-4889-B01F-736ECF31F4D0}	{B795FF26-25A3-40a1-B9B0-76B864B707E3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0FAE40DE-133D-4889-B01F-736ECF31F4D0}\stubpath = "C:\\Windows\\{0FAE40DE-133D-4889-B01F-736ECF31F4D0}.exe"	{B795FF26-25A3-40a1-B9B0-76B864B707E3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DEA0E6B4-AF67-4219-B6DA-BC232F7C5920}	{C166916C-3F02-4744-8C2E-614EC153A254}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{86B630FC-110B-480f-80E7-8291BED8882F}	{DEA0E6B4-AF67-4219-B6DA-BC232F7C5920}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9578AD2A-1A6E-48be-906E-34DCBCBD5DCA}\stubpath = "C:\\Windows\\{9578AD2A-1A6E-48be-906E-34DCBCBD5DCA}.exe"	{86B630FC-110B-480f-80E7-8291BED8882F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0D546E93-5DA4-4283-BC41-84A46DE6CA11}\stubpath = "C:\\Windows\\{0D546E93-5DA4-4283-BC41-84A46DE6CA11}.exe"	{A5E51392-3AD3-475e-B34E-EBCC673F7B92}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B795FF26-25A3-40a1-B9B0-76B864B707E3}\stubpath = "C:\\Windows\\{B795FF26-25A3-40a1-B9B0-76B864B707E3}.exe"	{0D546E93-5DA4-4283-BC41-84A46DE6CA11}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F05852D3-EE1A-42df-8B4D-E66235FDDE78}\stubpath = "C:\\Windows\\{F05852D3-EE1A-42df-8B4D-E66235FDDE78}.exe"	2024-01-18_802d9acdcfaa66254239bdb94226ed94_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C86E8CF2-6109-4206-8D9B-E8277978E091}	{9578AD2A-1A6E-48be-906E-34DCBCBD5DCA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A5E51392-3AD3-475e-B34E-EBCC673F7B92}	{C86E8CF2-6109-4206-8D9B-E8277978E091}.exe

Deletes itself 1 IoCs

pid	Process
2760	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2900	{F05852D3-EE1A-42df-8B4D-E66235FDDE78}.exe
2632	{C166916C-3F02-4744-8C2E-614EC153A254}.exe
1800	{DEA0E6B4-AF67-4219-B6DA-BC232F7C5920}.exe
2952	{86B630FC-110B-480f-80E7-8291BED8882F}.exe
1208	{9578AD2A-1A6E-48be-906E-34DCBCBD5DCA}.exe
1172	{C86E8CF2-6109-4206-8D9B-E8277978E091}.exe
1124	{A5E51392-3AD3-475e-B34E-EBCC673F7B92}.exe
1648	{0D546E93-5DA4-4283-BC41-84A46DE6CA11}.exe
2108	{B795FF26-25A3-40a1-B9B0-76B864B707E3}.exe
2392	{0FAE40DE-133D-4889-B01F-736ECF31F4D0}.exe
1752	{520A870F-0CDF-42c9-A2B6-7E8C5374F119}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{F05852D3-EE1A-42df-8B4D-E66235FDDE78}.exe	2024-01-18_802d9acdcfaa66254239bdb94226ed94_goldeneye.exe
File created	C:\Windows\{0D546E93-5DA4-4283-BC41-84A46DE6CA11}.exe	{A5E51392-3AD3-475e-B34E-EBCC673F7B92}.exe
File created	C:\Windows\{0FAE40DE-133D-4889-B01F-736ECF31F4D0}.exe	{B795FF26-25A3-40a1-B9B0-76B864B707E3}.exe
File created	C:\Windows\{520A870F-0CDF-42c9-A2B6-7E8C5374F119}.exe	{0FAE40DE-133D-4889-B01F-736ECF31F4D0}.exe
File created	C:\Windows\{C86E8CF2-6109-4206-8D9B-E8277978E091}.exe	{9578AD2A-1A6E-48be-906E-34DCBCBD5DCA}.exe
File created	C:\Windows\{A5E51392-3AD3-475e-B34E-EBCC673F7B92}.exe	{C86E8CF2-6109-4206-8D9B-E8277978E091}.exe
File created	C:\Windows\{B795FF26-25A3-40a1-B9B0-76B864B707E3}.exe	{0D546E93-5DA4-4283-BC41-84A46DE6CA11}.exe
File created	C:\Windows\{C166916C-3F02-4744-8C2E-614EC153A254}.exe	{F05852D3-EE1A-42df-8B4D-E66235FDDE78}.exe
File created	C:\Windows\{DEA0E6B4-AF67-4219-B6DA-BC232F7C5920}.exe	{C166916C-3F02-4744-8C2E-614EC153A254}.exe
File created	C:\Windows\{86B630FC-110B-480f-80E7-8291BED8882F}.exe	{DEA0E6B4-AF67-4219-B6DA-BC232F7C5920}.exe
File created	C:\Windows\{9578AD2A-1A6E-48be-906E-34DCBCBD5DCA}.exe	{86B630FC-110B-480f-80E7-8291BED8882F}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2304	2024-01-18_802d9acdcfaa66254239bdb94226ed94_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2900	{F05852D3-EE1A-42df-8B4D-E66235FDDE78}.exe
Token: SeIncBasePriorityPrivilege	2632	{C166916C-3F02-4744-8C2E-614EC153A254}.exe
Token: SeIncBasePriorityPrivilege	1800	{DEA0E6B4-AF67-4219-B6DA-BC232F7C5920}.exe
Token: SeIncBasePriorityPrivilege	2952	{86B630FC-110B-480f-80E7-8291BED8882F}.exe
Token: SeIncBasePriorityPrivilege	1208	{9578AD2A-1A6E-48be-906E-34DCBCBD5DCA}.exe
Token: SeIncBasePriorityPrivilege	1172	{C86E8CF2-6109-4206-8D9B-E8277978E091}.exe
Token: SeIncBasePriorityPrivilege	1124	{A5E51392-3AD3-475e-B34E-EBCC673F7B92}.exe
Token: SeIncBasePriorityPrivilege	1648	{0D546E93-5DA4-4283-BC41-84A46DE6CA11}.exe
Token: SeIncBasePriorityPrivilege	2108	{B795FF26-25A3-40a1-B9B0-76B864B707E3}.exe
Token: SeIncBasePriorityPrivilege	2392	{0FAE40DE-133D-4889-B01F-736ECF31F4D0}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2304 wrote to memory of 2900	2304	2024-01-18_802d9acdcfaa66254239bdb94226ed94_goldeneye.exe	30
PID 2304 wrote to memory of 2900	2304	2024-01-18_802d9acdcfaa66254239bdb94226ed94_goldeneye.exe	30
PID 2304 wrote to memory of 2900	2304	2024-01-18_802d9acdcfaa66254239bdb94226ed94_goldeneye.exe	30
PID 2304 wrote to memory of 2900	2304	2024-01-18_802d9acdcfaa66254239bdb94226ed94_goldeneye.exe	30
PID 2304 wrote to memory of 2760	2304	2024-01-18_802d9acdcfaa66254239bdb94226ed94_goldeneye.exe	31
PID 2304 wrote to memory of 2760	2304	2024-01-18_802d9acdcfaa66254239bdb94226ed94_goldeneye.exe	31
PID 2304 wrote to memory of 2760	2304	2024-01-18_802d9acdcfaa66254239bdb94226ed94_goldeneye.exe	31
PID 2304 wrote to memory of 2760	2304	2024-01-18_802d9acdcfaa66254239bdb94226ed94_goldeneye.exe	31
PID 2900 wrote to memory of 2632	2900	{F05852D3-EE1A-42df-8B4D-E66235FDDE78}.exe	32
PID 2900 wrote to memory of 2632	2900	{F05852D3-EE1A-42df-8B4D-E66235FDDE78}.exe	32
PID 2900 wrote to memory of 2632	2900	{F05852D3-EE1A-42df-8B4D-E66235FDDE78}.exe	32
PID 2900 wrote to memory of 2632	2900	{F05852D3-EE1A-42df-8B4D-E66235FDDE78}.exe	32
PID 2900 wrote to memory of 2676	2900	{F05852D3-EE1A-42df-8B4D-E66235FDDE78}.exe	33
PID 2900 wrote to memory of 2676	2900	{F05852D3-EE1A-42df-8B4D-E66235FDDE78}.exe	33
PID 2900 wrote to memory of 2676	2900	{F05852D3-EE1A-42df-8B4D-E66235FDDE78}.exe	33
PID 2900 wrote to memory of 2676	2900	{F05852D3-EE1A-42df-8B4D-E66235FDDE78}.exe	33
PID 2632 wrote to memory of 1800	2632	{C166916C-3F02-4744-8C2E-614EC153A254}.exe	34
PID 2632 wrote to memory of 1800	2632	{C166916C-3F02-4744-8C2E-614EC153A254}.exe	34
PID 2632 wrote to memory of 1800	2632	{C166916C-3F02-4744-8C2E-614EC153A254}.exe	34
PID 2632 wrote to memory of 1800	2632	{C166916C-3F02-4744-8C2E-614EC153A254}.exe	34
PID 2632 wrote to memory of 676	2632	{C166916C-3F02-4744-8C2E-614EC153A254}.exe	35
PID 2632 wrote to memory of 676	2632	{C166916C-3F02-4744-8C2E-614EC153A254}.exe	35
PID 2632 wrote to memory of 676	2632	{C166916C-3F02-4744-8C2E-614EC153A254}.exe	35
PID 2632 wrote to memory of 676	2632	{C166916C-3F02-4744-8C2E-614EC153A254}.exe	35
PID 1800 wrote to memory of 2952	1800	{DEA0E6B4-AF67-4219-B6DA-BC232F7C5920}.exe	36
PID 1800 wrote to memory of 2952	1800	{DEA0E6B4-AF67-4219-B6DA-BC232F7C5920}.exe	36
PID 1800 wrote to memory of 2952	1800	{DEA0E6B4-AF67-4219-B6DA-BC232F7C5920}.exe	36
PID 1800 wrote to memory of 2952	1800	{DEA0E6B4-AF67-4219-B6DA-BC232F7C5920}.exe	36
PID 1800 wrote to memory of 2968	1800	{DEA0E6B4-AF67-4219-B6DA-BC232F7C5920}.exe	37
PID 1800 wrote to memory of 2968	1800	{DEA0E6B4-AF67-4219-B6DA-BC232F7C5920}.exe	37
PID 1800 wrote to memory of 2968	1800	{DEA0E6B4-AF67-4219-B6DA-BC232F7C5920}.exe	37
PID 1800 wrote to memory of 2968	1800	{DEA0E6B4-AF67-4219-B6DA-BC232F7C5920}.exe	37
PID 2952 wrote to memory of 1208	2952	{86B630FC-110B-480f-80E7-8291BED8882F}.exe	38
PID 2952 wrote to memory of 1208	2952	{86B630FC-110B-480f-80E7-8291BED8882F}.exe	38
PID 2952 wrote to memory of 1208	2952	{86B630FC-110B-480f-80E7-8291BED8882F}.exe	38
PID 2952 wrote to memory of 1208	2952	{86B630FC-110B-480f-80E7-8291BED8882F}.exe	38
PID 2952 wrote to memory of 1068	2952	{86B630FC-110B-480f-80E7-8291BED8882F}.exe	39
PID 2952 wrote to memory of 1068	2952	{86B630FC-110B-480f-80E7-8291BED8882F}.exe	39
PID 2952 wrote to memory of 1068	2952	{86B630FC-110B-480f-80E7-8291BED8882F}.exe	39
PID 2952 wrote to memory of 1068	2952	{86B630FC-110B-480f-80E7-8291BED8882F}.exe	39
PID 1208 wrote to memory of 1172	1208	{9578AD2A-1A6E-48be-906E-34DCBCBD5DCA}.exe	40
PID 1208 wrote to memory of 1172	1208	{9578AD2A-1A6E-48be-906E-34DCBCBD5DCA}.exe	40
PID 1208 wrote to memory of 1172	1208	{9578AD2A-1A6E-48be-906E-34DCBCBD5DCA}.exe	40
PID 1208 wrote to memory of 1172	1208	{9578AD2A-1A6E-48be-906E-34DCBCBD5DCA}.exe	40
PID 1208 wrote to memory of 1412	1208	{9578AD2A-1A6E-48be-906E-34DCBCBD5DCA}.exe	41
PID 1208 wrote to memory of 1412	1208	{9578AD2A-1A6E-48be-906E-34DCBCBD5DCA}.exe	41
PID 1208 wrote to memory of 1412	1208	{9578AD2A-1A6E-48be-906E-34DCBCBD5DCA}.exe	41
PID 1208 wrote to memory of 1412	1208	{9578AD2A-1A6E-48be-906E-34DCBCBD5DCA}.exe	41
PID 1172 wrote to memory of 1124	1172	{C86E8CF2-6109-4206-8D9B-E8277978E091}.exe	42
PID 1172 wrote to memory of 1124	1172	{C86E8CF2-6109-4206-8D9B-E8277978E091}.exe	42
PID 1172 wrote to memory of 1124	1172	{C86E8CF2-6109-4206-8D9B-E8277978E091}.exe	42
PID 1172 wrote to memory of 1124	1172	{C86E8CF2-6109-4206-8D9B-E8277978E091}.exe	42
PID 1172 wrote to memory of 2364	1172	{C86E8CF2-6109-4206-8D9B-E8277978E091}.exe	43
PID 1172 wrote to memory of 2364	1172	{C86E8CF2-6109-4206-8D9B-E8277978E091}.exe	43
PID 1172 wrote to memory of 2364	1172	{C86E8CF2-6109-4206-8D9B-E8277978E091}.exe	43
PID 1172 wrote to memory of 2364	1172	{C86E8CF2-6109-4206-8D9B-E8277978E091}.exe	43
PID 1124 wrote to memory of 1648	1124	{A5E51392-3AD3-475e-B34E-EBCC673F7B92}.exe	44
PID 1124 wrote to memory of 1648	1124	{A5E51392-3AD3-475e-B34E-EBCC673F7B92}.exe	44
PID 1124 wrote to memory of 1648	1124	{A5E51392-3AD3-475e-B34E-EBCC673F7B92}.exe	44
PID 1124 wrote to memory of 1648	1124	{A5E51392-3AD3-475e-B34E-EBCC673F7B92}.exe	44
PID 1124 wrote to memory of 320	1124	{A5E51392-3AD3-475e-B34E-EBCC673F7B92}.exe	45
PID 1124 wrote to memory of 320	1124	{A5E51392-3AD3-475e-B34E-EBCC673F7B92}.exe	45
PID 1124 wrote to memory of 320	1124	{A5E51392-3AD3-475e-B34E-EBCC673F7B92}.exe	45
PID 1124 wrote to memory of 320	1124	{A5E51392-3AD3-475e-B34E-EBCC673F7B92}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-01-18_802d9acdcfaa66254239bdb94226ed94_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-18_802d9acdcfaa66254239bdb94226ed94_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2304
- C:\Windows\{F05852D3-EE1A-42df-8B4D-E66235FDDE78}.exe
  C:\Windows\{F05852D3-EE1A-42df-8B4D-E66235FDDE78}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2900
- - C:\Windows\{C166916C-3F02-4744-8C2E-614EC153A254}.exe
    C:\Windows\{C166916C-3F02-4744-8C2E-614EC153A254}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2632
  - - C:\Windows\{DEA0E6B4-AF67-4219-B6DA-BC232F7C5920}.exe
      C:\Windows\{DEA0E6B4-AF67-4219-B6DA-BC232F7C5920}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1800
    - - C:\Windows\{86B630FC-110B-480f-80E7-8291BED8882F}.exe
        
        C:\Windows\{86B630FC-110B-480f-80E7-8291BED8882F}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2952
      - C:\Windows\{9578AD2A-1A6E-48be-906E-34DCBCBD5DCA}.exe
        
        C:\Windows\{9578AD2A-1A6E-48be-906E-34DCBCBD5DCA}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1208
        
        C:\Windows\{C86E8CF2-6109-4206-8D9B-E8277978E091}.exe
        
        C:\Windows\{C86E8CF2-6109-4206-8D9B-E8277978E091}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1172
        
        C:\Windows\{A5E51392-3AD3-475e-B34E-EBCC673F7B92}.exe
        
        C:\Windows\{A5E51392-3AD3-475e-B34E-EBCC673F7B92}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1124
        
        C:\Windows\{0D546E93-5DA4-4283-BC41-84A46DE6CA11}.exe
        
        C:\Windows\{0D546E93-5DA4-4283-BC41-84A46DE6CA11}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1648
        
        C:\Windows\{B795FF26-25A3-40a1-B9B0-76B864B707E3}.exe
        
        C:\Windows\{B795FF26-25A3-40a1-B9B0-76B864B707E3}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2108
        
        C:\Windows\{0FAE40DE-133D-4889-B01F-736ECF31F4D0}.exe
        
        C:\Windows\{0FAE40DE-133D-4889-B01F-736ECF31F4D0}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2392
        
        C:\Windows\{520A870F-0CDF-42c9-A2B6-7E8C5374F119}.exe
        
        C:\Windows\{520A870F-0CDF-42c9-A2B6-7E8C5374F119}.exe
        12⤵
        Executes dropped EXE
        
        PID:1752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0FAE4~1.EXE > nul
        12⤵
        
        PID:1232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B795F~1.EXE > nul
        11⤵
        
        PID:2440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0D546~1.EXE > nul
        10⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A5E51~1.EXE > nul
        9⤵
        
        PID:320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C86E8~1.EXE > nul
        8⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9578A~1.EXE > nul
        7⤵
        
        PID:1412
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{86B63~1.EXE > nul
        6⤵
        
        PID:1068
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DEA0E~1.EXE > nul
        5⤵
        
        PID:2968
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{C1669~1.EXE > nul
      4⤵
      PID:676
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{F0585~1.EXE > nul
    3⤵
    PID:2676
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0D546E93-5DA4-4283-BC41-84A46DE6CA11}.exe

Filesize
168KB

MD5
b8b9fe97701b6e432b8149976593e9d5

SHA1
199858d6987c13ea4def72eedf1a7bec134b7050

SHA256
eb7cbb64bf4488872bfccfbff6922a6343a0efc03c56267de39aa58e69f6417f

SHA512
ca9daf77952022446d0f2581299cbb4ccbe4fcffb88ed015bb050eb002354716d245751e855a96b50983ed88bc6106a20de365fb42b392c73a220b5c372e6dc1

Download Submit
C:\Windows\{0FAE40DE-133D-4889-B01F-736ECF31F4D0}.exe

Filesize
168KB

MD5
94a43bb6596516df4824a6443d3b03be

SHA1
4957c5543075e1e9da8e4f0b0062c8cbebea66ba

SHA256
77b34a65e888d261665b664b34c12c158d672c53434a8296c8527a29b1f0c636

SHA512
df0d241a8237e7b740e82b2c5d2c43888366a3a598391b0b5265bf4bf48923fbd5435a53cf4951586b50bdaad2a147c6ce246eb34a7b0f64206732265206bcd9

Download Submit
C:\Windows\{520A870F-0CDF-42c9-A2B6-7E8C5374F119}.exe

Filesize
168KB

MD5
4f7c7153523507b8fcc053a005dcfab6

SHA1
e2ac1e575fc5b4a086bbf2f4d99aeaf9d88cdd3f

SHA256
6d6e1ae4c6b6f2d47fdbceea28151f3a1188431efd13890a58da91a80d3be6b9

SHA512
6f0866ab1cd022c223bde9e37522c570d086e7f7b785e98fbb36885be959c294a75d42b28a25a76636c5de6ff6ae4c246d7e1150b936aecc3e1ed624e6f815ea

Download Submit
C:\Windows\{86B630FC-110B-480f-80E7-8291BED8882F}.exe

Filesize
168KB

MD5
01ab526586674e299fdd28c36debd47a

SHA1
064087a23291bbf2cffd4e937970042a86aefd47

SHA256
95bd557839417315b62b3a6faeb7470864389b49b623f48e3a8406ef17bfbb5a

SHA512
eb466b0731d361a6dc61245769a98a72a5e9307a977e9ef8215b343d54fa1b9182bf01c9957c68d24a9014028e4fb256d0d2697db858354a653e1ccf06fbbaa5

Download Submit
C:\Windows\{9578AD2A-1A6E-48be-906E-34DCBCBD5DCA}.exe

Filesize
168KB

MD5
53076da4dbecbc6bbcfc8c4f70ecd4c0

SHA1
c1d055da2065f30a5c74d5954399763664d7997a

SHA256
5ab14c1440a5c6fe750fa207476359a4fd589081465d8e6a54004bb6f897af86

SHA512
2ffd43fec84ef597f029b128b88e6c26506118cdd4c2b4f412fcfa8830398bac30a869ee05f666f3a98041f39257f16460b237bf7b937f08144fcb1cdd000c86

Download Submit
C:\Windows\{A5E51392-3AD3-475e-B34E-EBCC673F7B92}.exe

Filesize
168KB

MD5
7357c9211e2469c0e2bcf0c66d2dc1a7

SHA1
49030ee31055af305317e0f65d61e21c7f14d343

SHA256
32085445b02200aa519c589bd080efba225b14e54544e59a80a7a30fb438502f

SHA512
d1d660e6a0e100c3afe8cd73f3431a6985fef416bf8baea6a68933d0d92704350e8102a215fe583bb64c528889aa839756e3bfe4fd602605ad590d330e437e00

Download Submit
C:\Windows\{B795FF26-25A3-40a1-B9B0-76B864B707E3}.exe

Filesize
168KB

MD5
cd7c94f044355b7aa259dc7359cbf553

SHA1
33c73fa5821adb9d2c3489092fe47a7cd2f72ae5

SHA256
ef237eb88b1db15f920aee283dd36816e62297e811793d8a8fbc6d878c8628c5

SHA512
2aa31e450cc09de6c52b967a2af37fead6687f199b4721badab55f716ad2b2ef70ed904322a36e59077206351534d690d732ed58fb9362547d9cb98023f1c146

Download Submit
C:\Windows\{C166916C-3F02-4744-8C2E-614EC153A254}.exe

Filesize
168KB

MD5
2e78b0a9835a8cda348b21d2812ec1a5

SHA1
42c1f2c20eb48c0be6248b58c3d01c738316fc19

SHA256
6883109df738b55517dde6e5991412211b883cc936b8f4e8e10d811410889822

SHA512
3e41e8493e6c76759b1fc26e0737fdaf6bb32141e7f8b66e706bc7cbd1aa4cb8e767227cc29c5d107f6182bddabfda39194a64033521381652a3c864620d6985

Download Submit
C:\Windows\{C86E8CF2-6109-4206-8D9B-E8277978E091}.exe

Filesize
168KB

MD5
45537fce9f1f79a38a2949cebb5314e8

SHA1
b06937ed837b171a9ada09d26b940c29ae5322f2

SHA256
06e069031560356340c9569c8b75d2809c37805d8a70736ff3b1c5ee367522c4

SHA512
3801483d6410692cce6e81357f5cf40953886af25ce7a510d4d1cf9195fde4bb360a15854e2ffa1e5f0d353667dbd2c277631660395493618ea60c90c85a3f2f

Download Submit
C:\Windows\{DEA0E6B4-AF67-4219-B6DA-BC232F7C5920}.exe

Filesize
168KB

MD5
0b7fb1c651ad4acd36f12aa571dc1bef

SHA1
efd20b7449d4e80022be2a7e76cfd8bc5e9fd14e

SHA256
e74097d8ab07a9148e76c1d502058d6b4620c4a2294182d39df5dd2f763ef8ad

SHA512
d305c807ca3c0fb95a2abd728b8cb19d89950e79e868d27746e6950d19c7902408e5625afb76cea4b4876590d3ee273222d530477a728f8d64b39b753e8fde1d

Download Submit
C:\Windows\{F05852D3-EE1A-42df-8B4D-E66235FDDE78}.exe

Filesize
168KB

MD5
1c4eaf303ef0b3bf6d25ff08500cb118

SHA1
ccf5eaa2de2fa39c9ca09d7df9e026e146e380e8

SHA256
d01864a0c526679d267845d030e90ca1972d4380abdb22da638205e504c45bdc

SHA512
ba350c024c7630bdad510b211628b991cb32bee13cb979ba527e23cf018758c26a95f05a1f36c7b4007530a3d680cc2217da78da16315ec1f39aeb9529b35cb9

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads