a40060d3bcc43af3123b2b90f4d1e775190f3df626b866411ccadef5a0a9f5e6

Analysis

max time kernel
144s
max time network
123s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
27/01/2024, 11:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-27_7a74af8273ff547010a7a1ac14c05e45_goldeneye.exe
Size

168KB
MD5

7a74af8273ff547010a7a1ac14c05e45
SHA1

36f26deca1ca2092f8567c0cd75b40a84c57179b
SHA256

a40060d3bcc43af3123b2b90f4d1e775190f3df626b866411ccadef5a0a9f5e6
SHA512

1b3eade4501ddca0f9ccf93391a1a9039cd3537d9eacd8a3f14895b3fcc2c2c9c535b4b63aca5e74f2c1442e1c3adf625d9e34326ad710fd6e6aa7b4cc020549
SSDEEP

1536:1EGh0oHlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oHlqOPOe2MUVg3Ve+rX

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000b000000012238-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d0000000122c0-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0036000000014fc0-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000600000000f6f8-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e0000000122c0-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000700000000f6f8-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f0000000122c0-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000800000000f6f8-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00100000000122c0-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000900000000f6f8-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00110000000122c0-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0BAC1D48-ED3B-4915-BC4F-49EEC02CE989}\stubpath = "C:\\Windows\\{0BAC1D48-ED3B-4915-BC4F-49EEC02CE989}.exe"	{76E265F2-2A22-493b-A07E-AB0D9EB4B9F6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F030897A-284E-4b69-A598-B0E5A0D72111}\stubpath = "C:\\Windows\\{F030897A-284E-4b69-A598-B0E5A0D72111}.exe"	{0BAC1D48-ED3B-4915-BC4F-49EEC02CE989}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AD15A58C-17C8-4e69-9AAC-6DBFDE06A95B}\stubpath = "C:\\Windows\\{AD15A58C-17C8-4e69-9AAC-6DBFDE06A95B}.exe"	{22B13EBE-0998-4b09-A2DE-D02F9932F503}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DA24C070-5F78-4d80-A544-596129B0F56D}\stubpath = "C:\\Windows\\{DA24C070-5F78-4d80-A544-596129B0F56D}.exe"	{E82D3BDC-02BB-4aa5-9796-F09EE3E53E50}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AE7EDD80-3434-4417-8899-A18B383DBD40}\stubpath = "C:\\Windows\\{AE7EDD80-3434-4417-8899-A18B383DBD40}.exe"	{F030897A-284E-4b69-A598-B0E5A0D72111}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E473BB35-2739-4118-BCFA-AA2134656767}	{AE7EDD80-3434-4417-8899-A18B383DBD40}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{22B13EBE-0998-4b09-A2DE-D02F9932F503}\stubpath = "C:\\Windows\\{22B13EBE-0998-4b09-A2DE-D02F9932F503}.exe"	{E473BB35-2739-4118-BCFA-AA2134656767}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{60EDFE33-C161-44ca-89B5-765B8EDBDF39}\stubpath = "C:\\Windows\\{60EDFE33-C161-44ca-89B5-765B8EDBDF39}.exe"	{AD15A58C-17C8-4e69-9AAC-6DBFDE06A95B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E82D3BDC-02BB-4aa5-9796-F09EE3E53E50}	{0359D4CD-AC3A-441b-856A-4B7ADC8BA5B5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DA24C070-5F78-4d80-A544-596129B0F56D}	{E82D3BDC-02BB-4aa5-9796-F09EE3E53E50}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{76E265F2-2A22-493b-A07E-AB0D9EB4B9F6}	2024-01-27_7a74af8273ff547010a7a1ac14c05e45_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AE7EDD80-3434-4417-8899-A18B383DBD40}	{F030897A-284E-4b69-A598-B0E5A0D72111}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E473BB35-2739-4118-BCFA-AA2134656767}\stubpath = "C:\\Windows\\{E473BB35-2739-4118-BCFA-AA2134656767}.exe"	{AE7EDD80-3434-4417-8899-A18B383DBD40}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{22B13EBE-0998-4b09-A2DE-D02F9932F503}	{E473BB35-2739-4118-BCFA-AA2134656767}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E82D3BDC-02BB-4aa5-9796-F09EE3E53E50}\stubpath = "C:\\Windows\\{E82D3BDC-02BB-4aa5-9796-F09EE3E53E50}.exe"	{0359D4CD-AC3A-441b-856A-4B7ADC8BA5B5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0359D4CD-AC3A-441b-856A-4B7ADC8BA5B5}	{60EDFE33-C161-44ca-89B5-765B8EDBDF39}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0359D4CD-AC3A-441b-856A-4B7ADC8BA5B5}\stubpath = "C:\\Windows\\{0359D4CD-AC3A-441b-856A-4B7ADC8BA5B5}.exe"	{60EDFE33-C161-44ca-89B5-765B8EDBDF39}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{76E265F2-2A22-493b-A07E-AB0D9EB4B9F6}\stubpath = "C:\\Windows\\{76E265F2-2A22-493b-A07E-AB0D9EB4B9F6}.exe"	2024-01-27_7a74af8273ff547010a7a1ac14c05e45_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0BAC1D48-ED3B-4915-BC4F-49EEC02CE989}	{76E265F2-2A22-493b-A07E-AB0D9EB4B9F6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F030897A-284E-4b69-A598-B0E5A0D72111}	{0BAC1D48-ED3B-4915-BC4F-49EEC02CE989}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AD15A58C-17C8-4e69-9AAC-6DBFDE06A95B}	{22B13EBE-0998-4b09-A2DE-D02F9932F503}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{60EDFE33-C161-44ca-89B5-765B8EDBDF39}	{AD15A58C-17C8-4e69-9AAC-6DBFDE06A95B}.exe

Deletes itself 1 IoCs

pid	Process
816	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2732	{76E265F2-2A22-493b-A07E-AB0D9EB4B9F6}.exe
2576	{0BAC1D48-ED3B-4915-BC4F-49EEC02CE989}.exe
2416	{F030897A-284E-4b69-A598-B0E5A0D72111}.exe
1180	{AE7EDD80-3434-4417-8899-A18B383DBD40}.exe
2900	{E473BB35-2739-4118-BCFA-AA2134656767}.exe
2632	{22B13EBE-0998-4b09-A2DE-D02F9932F503}.exe
1392	{AD15A58C-17C8-4e69-9AAC-6DBFDE06A95B}.exe
2876	{60EDFE33-C161-44ca-89B5-765B8EDBDF39}.exe
1528	{0359D4CD-AC3A-441b-856A-4B7ADC8BA5B5}.exe
1464	{E82D3BDC-02BB-4aa5-9796-F09EE3E53E50}.exe
2316	{DA24C070-5F78-4d80-A544-596129B0F56D}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{22B13EBE-0998-4b09-A2DE-D02F9932F503}.exe	{E473BB35-2739-4118-BCFA-AA2134656767}.exe
File created	C:\Windows\{60EDFE33-C161-44ca-89B5-765B8EDBDF39}.exe	{AD15A58C-17C8-4e69-9AAC-6DBFDE06A95B}.exe
File created	C:\Windows\{0359D4CD-AC3A-441b-856A-4B7ADC8BA5B5}.exe	{60EDFE33-C161-44ca-89B5-765B8EDBDF39}.exe
File created	C:\Windows\{DA24C070-5F78-4d80-A544-596129B0F56D}.exe	{E82D3BDC-02BB-4aa5-9796-F09EE3E53E50}.exe
File created	C:\Windows\{0BAC1D48-ED3B-4915-BC4F-49EEC02CE989}.exe	{76E265F2-2A22-493b-A07E-AB0D9EB4B9F6}.exe
File created	C:\Windows\{F030897A-284E-4b69-A598-B0E5A0D72111}.exe	{0BAC1D48-ED3B-4915-BC4F-49EEC02CE989}.exe
File created	C:\Windows\{AE7EDD80-3434-4417-8899-A18B383DBD40}.exe	{F030897A-284E-4b69-A598-B0E5A0D72111}.exe
File created	C:\Windows\{E473BB35-2739-4118-BCFA-AA2134656767}.exe	{AE7EDD80-3434-4417-8899-A18B383DBD40}.exe
File created	C:\Windows\{76E265F2-2A22-493b-A07E-AB0D9EB4B9F6}.exe	2024-01-27_7a74af8273ff547010a7a1ac14c05e45_goldeneye.exe
File created	C:\Windows\{AD15A58C-17C8-4e69-9AAC-6DBFDE06A95B}.exe	{22B13EBE-0998-4b09-A2DE-D02F9932F503}.exe
File created	C:\Windows\{E82D3BDC-02BB-4aa5-9796-F09EE3E53E50}.exe	{0359D4CD-AC3A-441b-856A-4B7ADC8BA5B5}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2336	2024-01-27_7a74af8273ff547010a7a1ac14c05e45_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2732	{76E265F2-2A22-493b-A07E-AB0D9EB4B9F6}.exe
Token: SeIncBasePriorityPrivilege	2576	{0BAC1D48-ED3B-4915-BC4F-49EEC02CE989}.exe
Token: SeIncBasePriorityPrivilege	2416	{F030897A-284E-4b69-A598-B0E5A0D72111}.exe
Token: SeIncBasePriorityPrivilege	1180	{AE7EDD80-3434-4417-8899-A18B383DBD40}.exe
Token: SeIncBasePriorityPrivilege	2900	{E473BB35-2739-4118-BCFA-AA2134656767}.exe
Token: SeIncBasePriorityPrivilege	2632	{22B13EBE-0998-4b09-A2DE-D02F9932F503}.exe
Token: SeIncBasePriorityPrivilege	1392	{AD15A58C-17C8-4e69-9AAC-6DBFDE06A95B}.exe
Token: SeIncBasePriorityPrivilege	2876	{60EDFE33-C161-44ca-89B5-765B8EDBDF39}.exe
Token: SeIncBasePriorityPrivilege	1528	{0359D4CD-AC3A-441b-856A-4B7ADC8BA5B5}.exe
Token: SeIncBasePriorityPrivilege	1464	{E82D3BDC-02BB-4aa5-9796-F09EE3E53E50}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2336 wrote to memory of 2732	2336	2024-01-27_7a74af8273ff547010a7a1ac14c05e45_goldeneye.exe	28
PID 2336 wrote to memory of 2732	2336	2024-01-27_7a74af8273ff547010a7a1ac14c05e45_goldeneye.exe	28
PID 2336 wrote to memory of 2732	2336	2024-01-27_7a74af8273ff547010a7a1ac14c05e45_goldeneye.exe	28
PID 2336 wrote to memory of 2732	2336	2024-01-27_7a74af8273ff547010a7a1ac14c05e45_goldeneye.exe	28
PID 2336 wrote to memory of 816	2336	2024-01-27_7a74af8273ff547010a7a1ac14c05e45_goldeneye.exe	29
PID 2336 wrote to memory of 816	2336	2024-01-27_7a74af8273ff547010a7a1ac14c05e45_goldeneye.exe	29
PID 2336 wrote to memory of 816	2336	2024-01-27_7a74af8273ff547010a7a1ac14c05e45_goldeneye.exe	29
PID 2336 wrote to memory of 816	2336	2024-01-27_7a74af8273ff547010a7a1ac14c05e45_goldeneye.exe	29
PID 2732 wrote to memory of 2576	2732	{76E265F2-2A22-493b-A07E-AB0D9EB4B9F6}.exe	30
PID 2732 wrote to memory of 2576	2732	{76E265F2-2A22-493b-A07E-AB0D9EB4B9F6}.exe	30
PID 2732 wrote to memory of 2576	2732	{76E265F2-2A22-493b-A07E-AB0D9EB4B9F6}.exe	30
PID 2732 wrote to memory of 2576	2732	{76E265F2-2A22-493b-A07E-AB0D9EB4B9F6}.exe	30
PID 2732 wrote to memory of 2984	2732	{76E265F2-2A22-493b-A07E-AB0D9EB4B9F6}.exe	31
PID 2732 wrote to memory of 2984	2732	{76E265F2-2A22-493b-A07E-AB0D9EB4B9F6}.exe	31
PID 2732 wrote to memory of 2984	2732	{76E265F2-2A22-493b-A07E-AB0D9EB4B9F6}.exe	31
PID 2732 wrote to memory of 2984	2732	{76E265F2-2A22-493b-A07E-AB0D9EB4B9F6}.exe	31
PID 2576 wrote to memory of 2416	2576	{0BAC1D48-ED3B-4915-BC4F-49EEC02CE989}.exe	34
PID 2576 wrote to memory of 2416	2576	{0BAC1D48-ED3B-4915-BC4F-49EEC02CE989}.exe	34
PID 2576 wrote to memory of 2416	2576	{0BAC1D48-ED3B-4915-BC4F-49EEC02CE989}.exe	34
PID 2576 wrote to memory of 2416	2576	{0BAC1D48-ED3B-4915-BC4F-49EEC02CE989}.exe	34
PID 2576 wrote to memory of 2524	2576	{0BAC1D48-ED3B-4915-BC4F-49EEC02CE989}.exe	35
PID 2576 wrote to memory of 2524	2576	{0BAC1D48-ED3B-4915-BC4F-49EEC02CE989}.exe	35
PID 2576 wrote to memory of 2524	2576	{0BAC1D48-ED3B-4915-BC4F-49EEC02CE989}.exe	35
PID 2576 wrote to memory of 2524	2576	{0BAC1D48-ED3B-4915-BC4F-49EEC02CE989}.exe	35
PID 2416 wrote to memory of 1180	2416	{F030897A-284E-4b69-A598-B0E5A0D72111}.exe	36
PID 2416 wrote to memory of 1180	2416	{F030897A-284E-4b69-A598-B0E5A0D72111}.exe	36
PID 2416 wrote to memory of 1180	2416	{F030897A-284E-4b69-A598-B0E5A0D72111}.exe	36
PID 2416 wrote to memory of 1180	2416	{F030897A-284E-4b69-A598-B0E5A0D72111}.exe	36
PID 2416 wrote to memory of 1368	2416	{F030897A-284E-4b69-A598-B0E5A0D72111}.exe	37
PID 2416 wrote to memory of 1368	2416	{F030897A-284E-4b69-A598-B0E5A0D72111}.exe	37
PID 2416 wrote to memory of 1368	2416	{F030897A-284E-4b69-A598-B0E5A0D72111}.exe	37
PID 2416 wrote to memory of 1368	2416	{F030897A-284E-4b69-A598-B0E5A0D72111}.exe	37
PID 1180 wrote to memory of 2900	1180	{AE7EDD80-3434-4417-8899-A18B383DBD40}.exe	38
PID 1180 wrote to memory of 2900	1180	{AE7EDD80-3434-4417-8899-A18B383DBD40}.exe	38
PID 1180 wrote to memory of 2900	1180	{AE7EDD80-3434-4417-8899-A18B383DBD40}.exe	38
PID 1180 wrote to memory of 2900	1180	{AE7EDD80-3434-4417-8899-A18B383DBD40}.exe	38
PID 1180 wrote to memory of 2924	1180	{AE7EDD80-3434-4417-8899-A18B383DBD40}.exe	39
PID 1180 wrote to memory of 2924	1180	{AE7EDD80-3434-4417-8899-A18B383DBD40}.exe	39
PID 1180 wrote to memory of 2924	1180	{AE7EDD80-3434-4417-8899-A18B383DBD40}.exe	39
PID 1180 wrote to memory of 2924	1180	{AE7EDD80-3434-4417-8899-A18B383DBD40}.exe	39
PID 2900 wrote to memory of 2632	2900	{E473BB35-2739-4118-BCFA-AA2134656767}.exe	40
PID 2900 wrote to memory of 2632	2900	{E473BB35-2739-4118-BCFA-AA2134656767}.exe	40
PID 2900 wrote to memory of 2632	2900	{E473BB35-2739-4118-BCFA-AA2134656767}.exe	40
PID 2900 wrote to memory of 2632	2900	{E473BB35-2739-4118-BCFA-AA2134656767}.exe	40
PID 2900 wrote to memory of 2152	2900	{E473BB35-2739-4118-BCFA-AA2134656767}.exe	41
PID 2900 wrote to memory of 2152	2900	{E473BB35-2739-4118-BCFA-AA2134656767}.exe	41
PID 2900 wrote to memory of 2152	2900	{E473BB35-2739-4118-BCFA-AA2134656767}.exe	41
PID 2900 wrote to memory of 2152	2900	{E473BB35-2739-4118-BCFA-AA2134656767}.exe	41
PID 2632 wrote to memory of 1392	2632	{22B13EBE-0998-4b09-A2DE-D02F9932F503}.exe	42
PID 2632 wrote to memory of 1392	2632	{22B13EBE-0998-4b09-A2DE-D02F9932F503}.exe	42
PID 2632 wrote to memory of 1392	2632	{22B13EBE-0998-4b09-A2DE-D02F9932F503}.exe	42
PID 2632 wrote to memory of 1392	2632	{22B13EBE-0998-4b09-A2DE-D02F9932F503}.exe	42
PID 2632 wrote to memory of 1764	2632	{22B13EBE-0998-4b09-A2DE-D02F9932F503}.exe	43
PID 2632 wrote to memory of 1764	2632	{22B13EBE-0998-4b09-A2DE-D02F9932F503}.exe	43
PID 2632 wrote to memory of 1764	2632	{22B13EBE-0998-4b09-A2DE-D02F9932F503}.exe	43
PID 2632 wrote to memory of 1764	2632	{22B13EBE-0998-4b09-A2DE-D02F9932F503}.exe	43
PID 1392 wrote to memory of 2876	1392	{AD15A58C-17C8-4e69-9AAC-6DBFDE06A95B}.exe	45
PID 1392 wrote to memory of 2876	1392	{AD15A58C-17C8-4e69-9AAC-6DBFDE06A95B}.exe	45
PID 1392 wrote to memory of 2876	1392	{AD15A58C-17C8-4e69-9AAC-6DBFDE06A95B}.exe	45
PID 1392 wrote to memory of 2876	1392	{AD15A58C-17C8-4e69-9AAC-6DBFDE06A95B}.exe	45
PID 1392 wrote to memory of 1940	1392	{AD15A58C-17C8-4e69-9AAC-6DBFDE06A95B}.exe	44
PID 1392 wrote to memory of 1940	1392	{AD15A58C-17C8-4e69-9AAC-6DBFDE06A95B}.exe	44
PID 1392 wrote to memory of 1940	1392	{AD15A58C-17C8-4e69-9AAC-6DBFDE06A95B}.exe	44
PID 1392 wrote to memory of 1940	1392	{AD15A58C-17C8-4e69-9AAC-6DBFDE06A95B}.exe	44

C:\Users\Admin\AppData\Local\Temp\2024-01-27_7a74af8273ff547010a7a1ac14c05e45_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-27_7a74af8273ff547010a7a1ac14c05e45_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2336
- C:\Windows\{76E265F2-2A22-493b-A07E-AB0D9EB4B9F6}.exe
  C:\Windows\{76E265F2-2A22-493b-A07E-AB0D9EB4B9F6}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2732
- - C:\Windows\{0BAC1D48-ED3B-4915-BC4F-49EEC02CE989}.exe
    C:\Windows\{0BAC1D48-ED3B-4915-BC4F-49EEC02CE989}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2576
  - - C:\Windows\{F030897A-284E-4b69-A598-B0E5A0D72111}.exe
      C:\Windows\{F030897A-284E-4b69-A598-B0E5A0D72111}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2416
    - - C:\Windows\{AE7EDD80-3434-4417-8899-A18B383DBD40}.exe
        
        C:\Windows\{AE7EDD80-3434-4417-8899-A18B383DBD40}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1180
      - C:\Windows\{E473BB35-2739-4118-BCFA-AA2134656767}.exe
        
        C:\Windows\{E473BB35-2739-4118-BCFA-AA2134656767}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2900
        
        C:\Windows\{22B13EBE-0998-4b09-A2DE-D02F9932F503}.exe
        
        C:\Windows\{22B13EBE-0998-4b09-A2DE-D02F9932F503}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2632
        
        C:\Windows\{AD15A58C-17C8-4e69-9AAC-6DBFDE06A95B}.exe
        
        C:\Windows\{AD15A58C-17C8-4e69-9AAC-6DBFDE06A95B}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AD15A~1.EXE > nul
        9⤵
        
        PID:1940
        
        C:\Windows\{60EDFE33-C161-44ca-89B5-765B8EDBDF39}.exe
        
        C:\Windows\{60EDFE33-C161-44ca-89B5-765B8EDBDF39}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2876
        
        C:\Windows\{0359D4CD-AC3A-441b-856A-4B7ADC8BA5B5}.exe
        
        C:\Windows\{0359D4CD-AC3A-441b-856A-4B7ADC8BA5B5}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1528
        
        C:\Windows\{E82D3BDC-02BB-4aa5-9796-F09EE3E53E50}.exe
        
        C:\Windows\{E82D3BDC-02BB-4aa5-9796-F09EE3E53E50}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1464
        
        C:\Windows\{DA24C070-5F78-4d80-A544-596129B0F56D}.exe
        
        C:\Windows\{DA24C070-5F78-4d80-A544-596129B0F56D}.exe
        12⤵
        Executes dropped EXE
        
        PID:2316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E82D3~1.EXE > nul
        12⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0359D~1.EXE > nul
        11⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{60EDF~1.EXE > nul
        10⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{22B13~1.EXE > nul
        8⤵
        
        PID:1764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E473B~1.EXE > nul
        7⤵
        
        PID:2152
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AE7ED~1.EXE > nul
        6⤵
        
        PID:2924
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F0308~1.EXE > nul
        5⤵
        
        PID:1368
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{0BAC1~1.EXE > nul
      4⤵
      PID:2524
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{76E26~1.EXE > nul
    3⤵
    PID:2984
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0359D4CD-AC3A-441b-856A-4B7ADC8BA5B5}.exe

Filesize
168KB

MD5
746e198f1ee2aa048116b4e9a9e1364f

SHA1
e5bf841dd62ddb570261f12f0fb31f50809407f7

SHA256
cac631c136c54b40af36d99cd1636c1f806b14e82d0c2348cc0a1fbaa4bea5f8

SHA512
b69357f7702043ea762e7ea79c2cac506fb3e76ec8735b772a407596a8fba129b6783a664915b3da54b38f41cdc3e3ee431a0bc4008891ea3d3f461be2d5db2b

Download Submit
C:\Windows\{0BAC1D48-ED3B-4915-BC4F-49EEC02CE989}.exe

Filesize
168KB

MD5
176fcdc0a0c3a2e39f54f1ae686103d2

SHA1
9b9853c4bc239a7e56c056d4be065406f677d1b3

SHA256
12ff27b19026f8fbd8a9144957733e7001939afc8437189b9129baafeed30585

SHA512
946c339fd959ec4023afc99aee00c645a32e2192a3c9dec21d20ce8b20225d8e49fed7ad094e798adf3a6b4f8d88dd494eb13fcf1d8f2a32d1c144c4d96b6efb

Download Submit
C:\Windows\{22B13EBE-0998-4b09-A2DE-D02F9932F503}.exe

Filesize
168KB

MD5
b722040a025236764ccbe8ffbbcfcd82

SHA1
e19a2fedfa1925c8fee086cde8a81fb275ec2f33

SHA256
3adc728c61eb585103a964a385f9725061fc9e154a515d1f46a44e3857b8471c

SHA512
114df7eb0a8719c51d2a4a04a82241db0fc0fed88bd3a5ffe58577d129024f96121741f46253f6af5775a130f57e4002e002789eb87b1c86e045ccb2d5d3a844

Download Submit
C:\Windows\{60EDFE33-C161-44ca-89B5-765B8EDBDF39}.exe

Filesize
168KB

MD5
28a9225778ea357bfdc9f45b32aacd90

SHA1
a143aea5782615f0ed84654269254dad13f00062

SHA256
8fe2297fc0757d1079c97503003d90fc73ce98949bfe6f372df3439f866f4705

SHA512
b651c44bbdb84d7b27d0cb6d46e47f6ea1ea2ffd46a039ef88adef41fb4c46e73466016c298df2cfa5c69d1a07448d3d467baab2b0aae68024816a02b1d7fe5a

Download Submit
C:\Windows\{76E265F2-2A22-493b-A07E-AB0D9EB4B9F6}.exe

Filesize
168KB

MD5
fbe1f0b1a6705f1d01a097f8024bd6f6

SHA1
7b2ed71c20b3f68e9bcb6b103c09f8d39836db8f

SHA256
91bb72f28af2c622222b4955ea777bc4675d73345f77bfdbc0d6dc40443f39a5

SHA512
00a58cf68c8ad74b7bf55b0b9ae6d2e6eb83dff5c3f2233aaeb242b7ac1189b95b27e17b317070524647daf0b816da11c14ad80cb42badea33c798c3aa3e5e00

Download Submit
C:\Windows\{AD15A58C-17C8-4e69-9AAC-6DBFDE06A95B}.exe

Filesize
168KB

MD5
21c39b53bc56879e80279639db1831d8

SHA1
9a8dd9fb172d7ee5776b04a9eb4f4bb770a096f1

SHA256
ac77ba0a35b1e2094e112f7012479eb4c01329d473ad717fc6903e0ce910f0cc

SHA512
2028e35c63daf0828d2ac2623384fefa03c3259da9b342b4d5a90f4771eb9c96dc78760563bdd0bbfd0f2385069cdd04eb274b5f150b8928433bd43c168c04df

Download Submit
C:\Windows\{AE7EDD80-3434-4417-8899-A18B383DBD40}.exe

Filesize
168KB

MD5
6fc37b37ccb79ba5715b2f112d252f83

SHA1
1ed7b1261505b8232595809035ee2bb89143cfbf

SHA256
8758479caff02f221113240be321225fcb80eeca4e32043c41b8c2cbad7e4104

SHA512
bc1c3899a885273edd5b439b20e951cd21b32c8b37fc3ae6209d7e3982a49d9a0a20615d92c85759749da6186a246f8c06246168fe966b4af6d75746f947823f

Download Submit
C:\Windows\{DA24C070-5F78-4d80-A544-596129B0F56D}.exe

Filesize
168KB

MD5
ecb883be11dd835580ea0235c57279d2

SHA1
d92789772581572d28215712f1e68a5c0a8c73f0

SHA256
207f6b8130a92f5686e0e96274b34f67eb63476082be96bca96889354b463a0c

SHA512
b176e6a16720309d11bab6adadb723b08e02473ddd2f4a312bb97e8c72ef2b5961433ecea9bcdc9b565f96a41a1454cf0c27f0a5692dc0a4679c9a797122e68d

Download Submit
C:\Windows\{E473BB35-2739-4118-BCFA-AA2134656767}.exe

Filesize
168KB

MD5
71dbb430f44d5bda739eb394990d7908

SHA1
16162025ac54738c516597b745ab74a9922e0992

SHA256
71628c30b610a7c6daca69c886de6ccf89c64c2d6ca8a9312a60cabc58decdcb

SHA512
170156f14180044f0c61379e60d2ffe5e2e00f563e801944b8fd09a7163e79d2d302db3bab96dcaff5690e1b3078d1dcfe2113ce66c0925d7eb11153ceba05cc

Download Submit
C:\Windows\{E82D3BDC-02BB-4aa5-9796-F09EE3E53E50}.exe

Filesize
168KB

MD5
fd6b38932ab6e82e5f5dcaaf7eda65b2

SHA1
3dc805be52649976b90b54ce2cd2ce825a7a82cc

SHA256
3fa91f73dcbf48fe3c4a5a5d3c04d1afafe02ce402dbf40d101b470f874a6653

SHA512
5e26791ed450eefa57c83e01a825b8dfacbbd4ceee832675ae3e00b65a02f6c65eb1f8a95862aa703af1c80c8c9849364f94b231684a9fbdb6f7dcb1da2b7fef

Download Submit
C:\Windows\{F030897A-284E-4b69-A598-B0E5A0D72111}.exe

Filesize
168KB

MD5
94e8a78561fc51d836321556cd68640c

SHA1
df9d9cb17c258f0767dc39278d9f9bb605be9c47

SHA256
3bdb5df8386cec40f6b48aa701c5d9af857ef4a13d9a500988d676db7850b047

SHA512
93d8885011bc47d3c9988c747af08b551d59e18172815cc33db648cf98b69bf2ce40eb5abc993b34358675f610e069e191a3dacaf02a72dd3778d361e507a418

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads