10c6c3c1ab9fbeedfcde89468855457344460e598fc2fdaa1865393b14ad568f

Analysis

max time kernel
144s
max time network
121s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
13-02-2024 00:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-13_2a4583e23ed4f503f2758f46bdacc03b_goldeneye.exe
Size

216KB
MD5

2a4583e23ed4f503f2758f46bdacc03b
SHA1

ef8be04aead070a1618805d4fed98ea1d78378fe
SHA256

10c6c3c1ab9fbeedfcde89468855457344460e598fc2fdaa1865393b14ad568f
SHA512

a6042cbe22a8798fdbccc1d4fd579d92e6c4b3844c7e73c8523eb8b12fac07f265ed807714d24767ac1b2a254ecb3baa80fe7090cfdd4d5c58ce3fed550833b7
SSDEEP

3072:jEGh0ojl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEGZlEeKcAEcGy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x0009000000012262-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f00000001230d-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a000000012262-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000400000000b1f7-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0002000000010f1d-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000500000000b1f7-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0003000000010f1d-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000600000000b1f7-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000010f1d-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000700000000b1f7-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000010f1d-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AED33994-BC27-4501-9901-820F039364CD}	{718B2484-7148-4adf-BB35-2D0C756D44A5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AED33994-BC27-4501-9901-820F039364CD}\stubpath = "C:\\Windows\\{AED33994-BC27-4501-9901-820F039364CD}.exe"	{718B2484-7148-4adf-BB35-2D0C756D44A5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1CA4CA87-1F68-40a3-A9C7-32F3598B016B}	{C935FB63-E43D-49dd-9425-4E6AA310D263}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1CA4CA87-1F68-40a3-A9C7-32F3598B016B}\stubpath = "C:\\Windows\\{1CA4CA87-1F68-40a3-A9C7-32F3598B016B}.exe"	{C935FB63-E43D-49dd-9425-4E6AA310D263}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D883C07B-A49F-469e-B6BD-78D5A817E370}\stubpath = "C:\\Windows\\{D883C07B-A49F-469e-B6BD-78D5A817E370}.exe"	{B6942209-3B49-434a-B680-5EB2967D435B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{718B2484-7148-4adf-BB35-2D0C756D44A5}\stubpath = "C:\\Windows\\{718B2484-7148-4adf-BB35-2D0C756D44A5}.exe"	2024-02-13_2a4583e23ed4f503f2758f46bdacc03b_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F6AAC1D5-81D9-49e0-9EA8-F799F65F7DC4}\stubpath = "C:\\Windows\\{F6AAC1D5-81D9-49e0-9EA8-F799F65F7DC4}.exe"	{AED33994-BC27-4501-9901-820F039364CD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C935FB63-E43D-49dd-9425-4E6AA310D263}\stubpath = "C:\\Windows\\{C935FB63-E43D-49dd-9425-4E6AA310D263}.exe"	{F6AAC1D5-81D9-49e0-9EA8-F799F65F7DC4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{718B2484-7148-4adf-BB35-2D0C756D44A5}	2024-02-13_2a4583e23ed4f503f2758f46bdacc03b_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C935FB63-E43D-49dd-9425-4E6AA310D263}	{F6AAC1D5-81D9-49e0-9EA8-F799F65F7DC4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8C8D01CF-2166-4dd4-B0BA-B07660E8BAC0}	{1CA4CA87-1F68-40a3-A9C7-32F3598B016B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{98C24831-F81E-4920-B6FB-CDFEAD34AEBB}	{8C8D01CF-2166-4dd4-B0BA-B07660E8BAC0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{98C24831-F81E-4920-B6FB-CDFEAD34AEBB}\stubpath = "C:\\Windows\\{98C24831-F81E-4920-B6FB-CDFEAD34AEBB}.exe"	{8C8D01CF-2166-4dd4-B0BA-B07660E8BAC0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B6942209-3B49-434a-B680-5EB2967D435B}\stubpath = "C:\\Windows\\{B6942209-3B49-434a-B680-5EB2967D435B}.exe"	{98C24831-F81E-4920-B6FB-CDFEAD34AEBB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{092A809D-8E89-45c6-88F1-77F94CBF169A}	{56CE4BE4-643E-44e3-86E6-B88661592035}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{092A809D-8E89-45c6-88F1-77F94CBF169A}\stubpath = "C:\\Windows\\{092A809D-8E89-45c6-88F1-77F94CBF169A}.exe"	{56CE4BE4-643E-44e3-86E6-B88661592035}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F6AAC1D5-81D9-49e0-9EA8-F799F65F7DC4}	{AED33994-BC27-4501-9901-820F039364CD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B6942209-3B49-434a-B680-5EB2967D435B}	{98C24831-F81E-4920-B6FB-CDFEAD34AEBB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D883C07B-A49F-469e-B6BD-78D5A817E370}	{B6942209-3B49-434a-B680-5EB2967D435B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{56CE4BE4-643E-44e3-86E6-B88661592035}	{D883C07B-A49F-469e-B6BD-78D5A817E370}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{56CE4BE4-643E-44e3-86E6-B88661592035}\stubpath = "C:\\Windows\\{56CE4BE4-643E-44e3-86E6-B88661592035}.exe"	{D883C07B-A49F-469e-B6BD-78D5A817E370}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8C8D01CF-2166-4dd4-B0BA-B07660E8BAC0}\stubpath = "C:\\Windows\\{8C8D01CF-2166-4dd4-B0BA-B07660E8BAC0}.exe"	{1CA4CA87-1F68-40a3-A9C7-32F3598B016B}.exe

Executes dropped EXE 11 IoCs

pid	Process
2380	{718B2484-7148-4adf-BB35-2D0C756D44A5}.exe
2672	{AED33994-BC27-4501-9901-820F039364CD}.exe
2852	{F6AAC1D5-81D9-49e0-9EA8-F799F65F7DC4}.exe
2580	{C935FB63-E43D-49dd-9425-4E6AA310D263}.exe
2264	{1CA4CA87-1F68-40a3-A9C7-32F3598B016B}.exe
1372	{8C8D01CF-2166-4dd4-B0BA-B07660E8BAC0}.exe
1208	{98C24831-F81E-4920-B6FB-CDFEAD34AEBB}.exe
544	{B6942209-3B49-434a-B680-5EB2967D435B}.exe
288	{D883C07B-A49F-469e-B6BD-78D5A817E370}.exe
2568	{56CE4BE4-643E-44e3-86E6-B88661592035}.exe
1884	{092A809D-8E89-45c6-88F1-77F94CBF169A}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{B6942209-3B49-434a-B680-5EB2967D435B}.exe	{98C24831-F81E-4920-B6FB-CDFEAD34AEBB}.exe
File created	C:\Windows\{D883C07B-A49F-469e-B6BD-78D5A817E370}.exe	{B6942209-3B49-434a-B680-5EB2967D435B}.exe
File created	C:\Windows\{56CE4BE4-643E-44e3-86E6-B88661592035}.exe	{D883C07B-A49F-469e-B6BD-78D5A817E370}.exe
File created	C:\Windows\{718B2484-7148-4adf-BB35-2D0C756D44A5}.exe	2024-02-13_2a4583e23ed4f503f2758f46bdacc03b_goldeneye.exe
File created	C:\Windows\{AED33994-BC27-4501-9901-820F039364CD}.exe	{718B2484-7148-4adf-BB35-2D0C756D44A5}.exe
File created	C:\Windows\{F6AAC1D5-81D9-49e0-9EA8-F799F65F7DC4}.exe	{AED33994-BC27-4501-9901-820F039364CD}.exe
File created	C:\Windows\{1CA4CA87-1F68-40a3-A9C7-32F3598B016B}.exe	{C935FB63-E43D-49dd-9425-4E6AA310D263}.exe
File created	C:\Windows\{98C24831-F81E-4920-B6FB-CDFEAD34AEBB}.exe	{8C8D01CF-2166-4dd4-B0BA-B07660E8BAC0}.exe
File created	C:\Windows\{092A809D-8E89-45c6-88F1-77F94CBF169A}.exe	{56CE4BE4-643E-44e3-86E6-B88661592035}.exe
File created	C:\Windows\{C935FB63-E43D-49dd-9425-4E6AA310D263}.exe	{F6AAC1D5-81D9-49e0-9EA8-F799F65F7DC4}.exe
File created	C:\Windows\{8C8D01CF-2166-4dd4-B0BA-B07660E8BAC0}.exe	{1CA4CA87-1F68-40a3-A9C7-32F3598B016B}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2980	2024-02-13_2a4583e23ed4f503f2758f46bdacc03b_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2380	{718B2484-7148-4adf-BB35-2D0C756D44A5}.exe
Token: SeIncBasePriorityPrivilege	2672	{AED33994-BC27-4501-9901-820F039364CD}.exe
Token: SeIncBasePriorityPrivilege	2852	{F6AAC1D5-81D9-49e0-9EA8-F799F65F7DC4}.exe
Token: SeIncBasePriorityPrivilege	2580	{C935FB63-E43D-49dd-9425-4E6AA310D263}.exe
Token: SeIncBasePriorityPrivilege	2264	{1CA4CA87-1F68-40a3-A9C7-32F3598B016B}.exe
Token: SeIncBasePriorityPrivilege	1372	{8C8D01CF-2166-4dd4-B0BA-B07660E8BAC0}.exe
Token: SeIncBasePriorityPrivilege	1208	{98C24831-F81E-4920-B6FB-CDFEAD34AEBB}.exe
Token: SeIncBasePriorityPrivilege	544	{B6942209-3B49-434a-B680-5EB2967D435B}.exe
Token: SeIncBasePriorityPrivilege	288	{D883C07B-A49F-469e-B6BD-78D5A817E370}.exe
Token: SeIncBasePriorityPrivilege	2568	{56CE4BE4-643E-44e3-86E6-B88661592035}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2980 wrote to memory of 2380	2980	2024-02-13_2a4583e23ed4f503f2758f46bdacc03b_goldeneye.exe	28
PID 2980 wrote to memory of 2380	2980	2024-02-13_2a4583e23ed4f503f2758f46bdacc03b_goldeneye.exe	28
PID 2980 wrote to memory of 2380	2980	2024-02-13_2a4583e23ed4f503f2758f46bdacc03b_goldeneye.exe	28
PID 2980 wrote to memory of 2380	2980	2024-02-13_2a4583e23ed4f503f2758f46bdacc03b_goldeneye.exe	28
PID 2980 wrote to memory of 2188	2980	2024-02-13_2a4583e23ed4f503f2758f46bdacc03b_goldeneye.exe	29
PID 2980 wrote to memory of 2188	2980	2024-02-13_2a4583e23ed4f503f2758f46bdacc03b_goldeneye.exe	29
PID 2980 wrote to memory of 2188	2980	2024-02-13_2a4583e23ed4f503f2758f46bdacc03b_goldeneye.exe	29
PID 2980 wrote to memory of 2188	2980	2024-02-13_2a4583e23ed4f503f2758f46bdacc03b_goldeneye.exe	29
PID 2380 wrote to memory of 2672	2380	{718B2484-7148-4adf-BB35-2D0C756D44A5}.exe	30
PID 2380 wrote to memory of 2672	2380	{718B2484-7148-4adf-BB35-2D0C756D44A5}.exe	30
PID 2380 wrote to memory of 2672	2380	{718B2484-7148-4adf-BB35-2D0C756D44A5}.exe	30
PID 2380 wrote to memory of 2672	2380	{718B2484-7148-4adf-BB35-2D0C756D44A5}.exe	30
PID 2380 wrote to memory of 2688	2380	{718B2484-7148-4adf-BB35-2D0C756D44A5}.exe	31
PID 2380 wrote to memory of 2688	2380	{718B2484-7148-4adf-BB35-2D0C756D44A5}.exe	31
PID 2380 wrote to memory of 2688	2380	{718B2484-7148-4adf-BB35-2D0C756D44A5}.exe	31
PID 2380 wrote to memory of 2688	2380	{718B2484-7148-4adf-BB35-2D0C756D44A5}.exe	31
PID 2672 wrote to memory of 2852	2672	{AED33994-BC27-4501-9901-820F039364CD}.exe	32
PID 2672 wrote to memory of 2852	2672	{AED33994-BC27-4501-9901-820F039364CD}.exe	32
PID 2672 wrote to memory of 2852	2672	{AED33994-BC27-4501-9901-820F039364CD}.exe	32
PID 2672 wrote to memory of 2852	2672	{AED33994-BC27-4501-9901-820F039364CD}.exe	32
PID 2672 wrote to memory of 2832	2672	{AED33994-BC27-4501-9901-820F039364CD}.exe	33
PID 2672 wrote to memory of 2832	2672	{AED33994-BC27-4501-9901-820F039364CD}.exe	33
PID 2672 wrote to memory of 2832	2672	{AED33994-BC27-4501-9901-820F039364CD}.exe	33
PID 2672 wrote to memory of 2832	2672	{AED33994-BC27-4501-9901-820F039364CD}.exe	33
PID 2852 wrote to memory of 2580	2852	{F6AAC1D5-81D9-49e0-9EA8-F799F65F7DC4}.exe	36
PID 2852 wrote to memory of 2580	2852	{F6AAC1D5-81D9-49e0-9EA8-F799F65F7DC4}.exe	36
PID 2852 wrote to memory of 2580	2852	{F6AAC1D5-81D9-49e0-9EA8-F799F65F7DC4}.exe	36
PID 2852 wrote to memory of 2580	2852	{F6AAC1D5-81D9-49e0-9EA8-F799F65F7DC4}.exe	36
PID 2852 wrote to memory of 2612	2852	{F6AAC1D5-81D9-49e0-9EA8-F799F65F7DC4}.exe	37
PID 2852 wrote to memory of 2612	2852	{F6AAC1D5-81D9-49e0-9EA8-F799F65F7DC4}.exe	37
PID 2852 wrote to memory of 2612	2852	{F6AAC1D5-81D9-49e0-9EA8-F799F65F7DC4}.exe	37
PID 2852 wrote to memory of 2612	2852	{F6AAC1D5-81D9-49e0-9EA8-F799F65F7DC4}.exe	37
PID 2580 wrote to memory of 2264	2580	{C935FB63-E43D-49dd-9425-4E6AA310D263}.exe	38
PID 2580 wrote to memory of 2264	2580	{C935FB63-E43D-49dd-9425-4E6AA310D263}.exe	38
PID 2580 wrote to memory of 2264	2580	{C935FB63-E43D-49dd-9425-4E6AA310D263}.exe	38
PID 2580 wrote to memory of 2264	2580	{C935FB63-E43D-49dd-9425-4E6AA310D263}.exe	38
PID 2580 wrote to memory of 2560	2580	{C935FB63-E43D-49dd-9425-4E6AA310D263}.exe	39
PID 2580 wrote to memory of 2560	2580	{C935FB63-E43D-49dd-9425-4E6AA310D263}.exe	39
PID 2580 wrote to memory of 2560	2580	{C935FB63-E43D-49dd-9425-4E6AA310D263}.exe	39
PID 2580 wrote to memory of 2560	2580	{C935FB63-E43D-49dd-9425-4E6AA310D263}.exe	39
PID 2264 wrote to memory of 1372	2264	{1CA4CA87-1F68-40a3-A9C7-32F3598B016B}.exe	41
PID 2264 wrote to memory of 1372	2264	{1CA4CA87-1F68-40a3-A9C7-32F3598B016B}.exe	41
PID 2264 wrote to memory of 1372	2264	{1CA4CA87-1F68-40a3-A9C7-32F3598B016B}.exe	41
PID 2264 wrote to memory of 1372	2264	{1CA4CA87-1F68-40a3-A9C7-32F3598B016B}.exe	41
PID 2264 wrote to memory of 1656	2264	{1CA4CA87-1F68-40a3-A9C7-32F3598B016B}.exe	40
PID 2264 wrote to memory of 1656	2264	{1CA4CA87-1F68-40a3-A9C7-32F3598B016B}.exe	40
PID 2264 wrote to memory of 1656	2264	{1CA4CA87-1F68-40a3-A9C7-32F3598B016B}.exe	40
PID 2264 wrote to memory of 1656	2264	{1CA4CA87-1F68-40a3-A9C7-32F3598B016B}.exe	40
PID 1372 wrote to memory of 1208	1372	{8C8D01CF-2166-4dd4-B0BA-B07660E8BAC0}.exe	43
PID 1372 wrote to memory of 1208	1372	{8C8D01CF-2166-4dd4-B0BA-B07660E8BAC0}.exe	43
PID 1372 wrote to memory of 1208	1372	{8C8D01CF-2166-4dd4-B0BA-B07660E8BAC0}.exe	43
PID 1372 wrote to memory of 1208	1372	{8C8D01CF-2166-4dd4-B0BA-B07660E8BAC0}.exe	43
PID 1372 wrote to memory of 1460	1372	{8C8D01CF-2166-4dd4-B0BA-B07660E8BAC0}.exe	42
PID 1372 wrote to memory of 1460	1372	{8C8D01CF-2166-4dd4-B0BA-B07660E8BAC0}.exe	42
PID 1372 wrote to memory of 1460	1372	{8C8D01CF-2166-4dd4-B0BA-B07660E8BAC0}.exe	42
PID 1372 wrote to memory of 1460	1372	{8C8D01CF-2166-4dd4-B0BA-B07660E8BAC0}.exe	42
PID 1208 wrote to memory of 544	1208	{98C24831-F81E-4920-B6FB-CDFEAD34AEBB}.exe	45
PID 1208 wrote to memory of 544	1208	{98C24831-F81E-4920-B6FB-CDFEAD34AEBB}.exe	45
PID 1208 wrote to memory of 544	1208	{98C24831-F81E-4920-B6FB-CDFEAD34AEBB}.exe	45
PID 1208 wrote to memory of 544	1208	{98C24831-F81E-4920-B6FB-CDFEAD34AEBB}.exe	45
PID 1208 wrote to memory of 328	1208	{98C24831-F81E-4920-B6FB-CDFEAD34AEBB}.exe	44
PID 1208 wrote to memory of 328	1208	{98C24831-F81E-4920-B6FB-CDFEAD34AEBB}.exe	44
PID 1208 wrote to memory of 328	1208	{98C24831-F81E-4920-B6FB-CDFEAD34AEBB}.exe	44
PID 1208 wrote to memory of 328	1208	{98C24831-F81E-4920-B6FB-CDFEAD34AEBB}.exe	44

C:\Users\Admin\AppData\Local\Temp\2024-02-13_2a4583e23ed4f503f2758f46bdacc03b_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-13_2a4583e23ed4f503f2758f46bdacc03b_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2980
- C:\Windows\{718B2484-7148-4adf-BB35-2D0C756D44A5}.exe
  C:\Windows\{718B2484-7148-4adf-BB35-2D0C756D44A5}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2380
- - C:\Windows\{AED33994-BC27-4501-9901-820F039364CD}.exe
    C:\Windows\{AED33994-BC27-4501-9901-820F039364CD}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2672
  - - C:\Windows\{F6AAC1D5-81D9-49e0-9EA8-F799F65F7DC4}.exe
      C:\Windows\{F6AAC1D5-81D9-49e0-9EA8-F799F65F7DC4}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2852
    - - C:\Windows\{C935FB63-E43D-49dd-9425-4E6AA310D263}.exe
        
        C:\Windows\{C935FB63-E43D-49dd-9425-4E6AA310D263}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2580
      - C:\Windows\{1CA4CA87-1F68-40a3-A9C7-32F3598B016B}.exe
        
        C:\Windows\{1CA4CA87-1F68-40a3-A9C7-32F3598B016B}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1CA4C~1.EXE > nul
        7⤵
        
        PID:1656
        
        C:\Windows\{8C8D01CF-2166-4dd4-B0BA-B07660E8BAC0}.exe
        
        C:\Windows\{8C8D01CF-2166-4dd4-B0BA-B07660E8BAC0}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8C8D0~1.EXE > nul
        8⤵
        
        PID:1460
        
        C:\Windows\{98C24831-F81E-4920-B6FB-CDFEAD34AEBB}.exe
        
        C:\Windows\{98C24831-F81E-4920-B6FB-CDFEAD34AEBB}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{98C24~1.EXE > nul
        9⤵
        
        PID:328
        
        C:\Windows\{B6942209-3B49-434a-B680-5EB2967D435B}.exe
        
        C:\Windows\{B6942209-3B49-434a-B680-5EB2967D435B}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:544
        
        C:\Windows\{D883C07B-A49F-469e-B6BD-78D5A817E370}.exe
        
        C:\Windows\{D883C07B-A49F-469e-B6BD-78D5A817E370}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:288
        
        C:\Windows\{56CE4BE4-643E-44e3-86E6-B88661592035}.exe
        
        C:\Windows\{56CE4BE4-643E-44e3-86E6-B88661592035}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2568
        
        C:\Windows\{092A809D-8E89-45c6-88F1-77F94CBF169A}.exe
        
        C:\Windows\{092A809D-8E89-45c6-88F1-77F94CBF169A}.exe
        12⤵
        Executes dropped EXE
        
        PID:1884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{56CE4~1.EXE > nul
        12⤵
        
        PID:676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D883C~1.EXE > nul
        11⤵
        
        PID:2324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B6942~1.EXE > nul
        10⤵
        
        PID:1592
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C935F~1.EXE > nul
        6⤵
        
        PID:2560
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F6AAC~1.EXE > nul
        5⤵
        
        PID:2612
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{AED33~1.EXE > nul
      4⤵
      PID:2832
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{718B2~1.EXE > nul
    3⤵
    PID:2688
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{092A809D-8E89-45c6-88F1-77F94CBF169A}.exe

Filesize
216KB

MD5
64077724bd1e38d7a15f4df5fe828e0f

SHA1
7623d4d538a0530c79d832afa45dbb191de93fdb

SHA256
f530c0fef3fc555ca260f05b83d3d80086a7ffa620d3586fe7aac25bf698ac39

SHA512
8d4c34166033e6ad7c52ed31cdf589ea71020b405ec4fed59739496050a5df5479e5a39eb31795a9ae71874642487fc5ba28736abc9b8ef5e76a6b402eb7c4fb

Download Submit
C:\Windows\{1CA4CA87-1F68-40a3-A9C7-32F3598B016B}.exe

Filesize
216KB

MD5
51f6fb0e947efd3d10690aef1fb4dd7a

SHA1
923be84e4110128d0b72872de401977f6a43b1e0

SHA256
83b748a56b11ca808ae7cb35067412bc769803bf363a3d69c8a9b194799203ab

SHA512
d4d3a9043134379a1d9e312b40247844a6a860c6bc593c9bc29f5c9fdfef9fc6365ef886c55c3e299adf1f7849dedad4a7a7bb3f1fb5bc581eb264c18517ffc4

Download Submit
C:\Windows\{56CE4BE4-643E-44e3-86E6-B88661592035}.exe

Filesize
216KB

MD5
89eb6c218ab9e01130af84f8f384b3cf

SHA1
8008379741725e2708914965dec917e340594023

SHA256
467d91323dc8a2963f2993d243a41f34720f59785f4874614e406e399c4c3122

SHA512
4b9fda0af1c7eaa322b4e0397a71c43e7e6495759d8d08c95fae569675ec824aede9cb5637455e183f3d8b3170e0c0f5770bbb3d2100309a0f9a5ebfaab1bba9

Download Submit
C:\Windows\{718B2484-7148-4adf-BB35-2D0C756D44A5}.exe

Filesize
216KB

MD5
a6cf24974466e7045d6c33c76ce71299

SHA1
befd398ee325835f68dee87bf59190fd161f0830

SHA256
c7eae3b515f7783dde64fcdebca3acc7bfd6e5178611ddf8b497683827164585

SHA512
c5206d12d6d5abfcaf3bfbd590f28ce5e40792fa6f3c51be3858178df167613a450329ce4defc3fbae6b892971d08fc72e12d1532c762cc51cb532853a2a331f

Download Submit
C:\Windows\{8C8D01CF-2166-4dd4-B0BA-B07660E8BAC0}.exe

Filesize
216KB

MD5
4d07110ae5f75d5dc7eb9d780c845260

SHA1
851da2a59b785e671e750c16d7f3c2c3cce0962e

SHA256
7f51ab68f1bb0849dc03d03605ce2fa67a0c1bf4d93112833f433a65de8e1c68

SHA512
1d795be48f232fc61928d17d48d8589f8f4f4780931788f37e5b87a1fef2d5152981a6c77ee997bc7a58d63c7768c5be9e6ae3d828a44168da65994244d63cea

Download Submit
C:\Windows\{98C24831-F81E-4920-B6FB-CDFEAD34AEBB}.exe

Filesize
216KB

MD5
8b70e21c70b7fdc94cab195a8fb8588f

SHA1
c1ff5a092057bb659a86eddbe300e5cc0025a8cf

SHA256
feb09efd1d42f227e20145842ade58d3b4b49b9bae5d23d5da122d91a1d7af02

SHA512
d7dd8daa19b4b742b13aff96c4641b5f501a97dac634815da9465e4a0ad8a85693193c5f4786ae653823faaee2545abac5192e156b808d3e59ef45e689354887

Download Submit
C:\Windows\{AED33994-BC27-4501-9901-820F039364CD}.exe

Filesize
216KB

MD5
c89c9e97af1304ded5c1466d623cb562

SHA1
fbcf3da07bf1aa1d27c82a4338bffe5290b8c17b

SHA256
b9f2f4c160ea50f5aa7d83a42501953ac96cb61b2671ff514b330df29a8fd75a

SHA512
92915ee0f99102de85e05637d5eaa455a6b721ef1351c7401260a43c676ed8dba72e5f7efdf3c1203b29f62aa2c82d9c851c242e2ff665beafb16055df4797ac

Download Submit
C:\Windows\{B6942209-3B49-434a-B680-5EB2967D435B}.exe

Filesize
216KB

MD5
e6f96088b5c60a4aaff5e9c1c02b1171

SHA1
3c363f8e862cafa6ee306abd464cc27875765ab9

SHA256
f095e671314c4ab8a8da6e67ca2ae27c3625ef0d94eee20303ac5b80be370e35

SHA512
54b90463bb1238ec2fc549ec78bd5458565af4f306bf6cf96afef824c845eef5dc6279ca85095895789c27860861882ed269058df139bb1a0ea3caaf47c19768

Download Submit
C:\Windows\{C935FB63-E43D-49dd-9425-4E6AA310D263}.exe

Filesize
216KB

MD5
f4066c52647fccc334e5377e3a4bb949

SHA1
b397de58f5c1fd42fdbc485e3a63f89efde2c9d5

SHA256
e1f5b7b3691c76069e5a871511aaadbcbb2624f61f7364d5efda7c6517abb290

SHA512
f2afb9b50871fcf780244f43350f93edb56994a64a2c9afccfc545ccf431299f3e1cced1c87b18424a973498d01302077d0dafa1fbe901b3f77319d2ba8e02b8

Download Submit
C:\Windows\{D883C07B-A49F-469e-B6BD-78D5A817E370}.exe

Filesize
216KB

MD5
843e4f6b4e37f4888d7df192b10ee0f1

SHA1
d42dee66093d0790a5fe94c17822a03e9ecbdb02

SHA256
5add1c3038aa06bb8c060a1084d3f20f11bd381a16ccc47e4973763ec1b2ac56

SHA512
4ab36fd3ca8b18b12a7027f8da2760c2785e45d1f7c938756ec7c91790ba80144834dd5f5f243e450aee8c0441cc9115532bb04d7a167ddeb6d97d4498d4c533

Download Submit
C:\Windows\{F6AAC1D5-81D9-49e0-9EA8-F799F65F7DC4}.exe

Filesize
216KB

MD5
fe0200bfc660a48c2c74d9e9b159c890

SHA1
30f27382bbad3bf9f67568b8e8e1e76988b280c0

SHA256
d19a9579b5ad1c735fdab321b7322ab78a61209e933e6dd139c2b551c6fbe778

SHA512
e81f8d89872d2068bafe138f354d433c901ba54025e39dff701ed8b93697d3e96f0287fa02efd756ef29118e094d60ed27898769d6a165e1ed28d0f593c19f65

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads