605f087fec05cd456a13b1cb89c031c76aaccea52d93e18d3b8d04c879596f47

Analysis

max time kernel
144s
max time network
118s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
19/02/2024, 04:32

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-02-19_23a0f8ed07958e18c9d26b9a714b3d12_goldeneye.exe
Size

168KB
MD5

23a0f8ed07958e18c9d26b9a714b3d12
SHA1

60b2676664b4cc4cbf295eacbbdca664039f5e88
SHA256

605f087fec05cd456a13b1cb89c031c76aaccea52d93e18d3b8d04c879596f47
SHA512

52f6bb798eff90b7b0c5decbdaafe8b626cef45f947806b616cceaf404eeac85d883e9192192f8c9085eedd27f45eb7cd8ff7d51243090d718a98bc35511a723
SSDEEP

1536:1EGh0ocilq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oxlqOPOe2MUVg3Ve+rX

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000d0000000122a8-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c0000000122e4-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e0000000122a8-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d0000000122e4-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000005a59-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e0000000122e4-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000005a59-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f0000000122e4-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000005a59-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00100000000122e4-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000005a59-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7759CC23-6BA6-4b35-843C-946557D40BD1}\stubpath = "C:\\Windows\\{7759CC23-6BA6-4b35-843C-946557D40BD1}.exe"	{C5F5C708-D407-44c0-93C1-7CE7F947737B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EC440621-8211-48fe-9C42-7E4651B0E816}\stubpath = "C:\\Windows\\{EC440621-8211-48fe-9C42-7E4651B0E816}.exe"	{38FD3206-9FFD-49d0-9494-8095A214DE2E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6BB26CBE-26D2-4b68-8C3C-7FD057D2B074}	{6B5E9A0C-EF6C-4a87-91B0-A95D71AFFE59}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{005E9A0B-7642-469d-BF03-5B6BB19D3A4F}\stubpath = "C:\\Windows\\{005E9A0B-7642-469d-BF03-5B6BB19D3A4F}.exe"	{990FD0F0-69EA-4d50-9301-B6D025F1569E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C5767BB0-AE88-4173-8D1E-7E77125EFA07}\stubpath = "C:\\Windows\\{C5767BB0-AE88-4173-8D1E-7E77125EFA07}.exe"	{005E9A0B-7642-469d-BF03-5B6BB19D3A4F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{871C8AE8-9BDA-46a8-AA4B-333362A3A15C}	{C5767BB0-AE88-4173-8D1E-7E77125EFA07}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C5F5C708-D407-44c0-93C1-7CE7F947737B}	{786C7542-A7FD-4307-837F-F1E28A4F33ED}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6B5E9A0C-EF6C-4a87-91B0-A95D71AFFE59}	{EC440621-8211-48fe-9C42-7E4651B0E816}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6B5E9A0C-EF6C-4a87-91B0-A95D71AFFE59}\stubpath = "C:\\Windows\\{6B5E9A0C-EF6C-4a87-91B0-A95D71AFFE59}.exe"	{EC440621-8211-48fe-9C42-7E4651B0E816}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{990FD0F0-69EA-4d50-9301-B6D025F1569E}	2024-02-19_23a0f8ed07958e18c9d26b9a714b3d12_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{871C8AE8-9BDA-46a8-AA4B-333362A3A15C}\stubpath = "C:\\Windows\\{871C8AE8-9BDA-46a8-AA4B-333362A3A15C}.exe"	{C5767BB0-AE88-4173-8D1E-7E77125EFA07}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{38FD3206-9FFD-49d0-9494-8095A214DE2E}\stubpath = "C:\\Windows\\{38FD3206-9FFD-49d0-9494-8095A214DE2E}.exe"	{7759CC23-6BA6-4b35-843C-946557D40BD1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EC440621-8211-48fe-9C42-7E4651B0E816}	{38FD3206-9FFD-49d0-9494-8095A214DE2E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C5F5C708-D407-44c0-93C1-7CE7F947737B}\stubpath = "C:\\Windows\\{C5F5C708-D407-44c0-93C1-7CE7F947737B}.exe"	{786C7542-A7FD-4307-837F-F1E28A4F33ED}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{990FD0F0-69EA-4d50-9301-B6D025F1569E}\stubpath = "C:\\Windows\\{990FD0F0-69EA-4d50-9301-B6D025F1569E}.exe"	2024-02-19_23a0f8ed07958e18c9d26b9a714b3d12_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{005E9A0B-7642-469d-BF03-5B6BB19D3A4F}	{990FD0F0-69EA-4d50-9301-B6D025F1569E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{786C7542-A7FD-4307-837F-F1E28A4F33ED}	{871C8AE8-9BDA-46a8-AA4B-333362A3A15C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{786C7542-A7FD-4307-837F-F1E28A4F33ED}\stubpath = "C:\\Windows\\{786C7542-A7FD-4307-837F-F1E28A4F33ED}.exe"	{871C8AE8-9BDA-46a8-AA4B-333362A3A15C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C5767BB0-AE88-4173-8D1E-7E77125EFA07}	{005E9A0B-7642-469d-BF03-5B6BB19D3A4F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7759CC23-6BA6-4b35-843C-946557D40BD1}	{C5F5C708-D407-44c0-93C1-7CE7F947737B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{38FD3206-9FFD-49d0-9494-8095A214DE2E}	{7759CC23-6BA6-4b35-843C-946557D40BD1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6BB26CBE-26D2-4b68-8C3C-7FD057D2B074}\stubpath = "C:\\Windows\\{6BB26CBE-26D2-4b68-8C3C-7FD057D2B074}.exe"	{6B5E9A0C-EF6C-4a87-91B0-A95D71AFFE59}.exe

Deletes itself 1 IoCs

pid	Process
1736	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
1840	{990FD0F0-69EA-4d50-9301-B6D025F1569E}.exe
2648	{005E9A0B-7642-469d-BF03-5B6BB19D3A4F}.exe
2748	{C5767BB0-AE88-4173-8D1E-7E77125EFA07}.exe
2660	{871C8AE8-9BDA-46a8-AA4B-333362A3A15C}.exe
1244	{786C7542-A7FD-4307-837F-F1E28A4F33ED}.exe
2724	{C5F5C708-D407-44c0-93C1-7CE7F947737B}.exe
2832	{7759CC23-6BA6-4b35-843C-946557D40BD1}.exe
1372	{38FD3206-9FFD-49d0-9494-8095A214DE2E}.exe
3048	{EC440621-8211-48fe-9C42-7E4651B0E816}.exe
1272	{6B5E9A0C-EF6C-4a87-91B0-A95D71AFFE59}.exe
1644	{6BB26CBE-26D2-4b68-8C3C-7FD057D2B074}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{786C7542-A7FD-4307-837F-F1E28A4F33ED}.exe	{871C8AE8-9BDA-46a8-AA4B-333362A3A15C}.exe
File created	C:\Windows\{7759CC23-6BA6-4b35-843C-946557D40BD1}.exe	{C5F5C708-D407-44c0-93C1-7CE7F947737B}.exe
File created	C:\Windows\{6B5E9A0C-EF6C-4a87-91B0-A95D71AFFE59}.exe	{EC440621-8211-48fe-9C42-7E4651B0E816}.exe
File created	C:\Windows\{6BB26CBE-26D2-4b68-8C3C-7FD057D2B074}.exe	{6B5E9A0C-EF6C-4a87-91B0-A95D71AFFE59}.exe
File created	C:\Windows\{005E9A0B-7642-469d-BF03-5B6BB19D3A4F}.exe	{990FD0F0-69EA-4d50-9301-B6D025F1569E}.exe
File created	C:\Windows\{C5767BB0-AE88-4173-8D1E-7E77125EFA07}.exe	{005E9A0B-7642-469d-BF03-5B6BB19D3A4F}.exe
File created	C:\Windows\{C5F5C708-D407-44c0-93C1-7CE7F947737B}.exe	{786C7542-A7FD-4307-837F-F1E28A4F33ED}.exe
File created	C:\Windows\{38FD3206-9FFD-49d0-9494-8095A214DE2E}.exe	{7759CC23-6BA6-4b35-843C-946557D40BD1}.exe
File created	C:\Windows\{EC440621-8211-48fe-9C42-7E4651B0E816}.exe	{38FD3206-9FFD-49d0-9494-8095A214DE2E}.exe
File created	C:\Windows\{990FD0F0-69EA-4d50-9301-B6D025F1569E}.exe	2024-02-19_23a0f8ed07958e18c9d26b9a714b3d12_goldeneye.exe
File created	C:\Windows\{871C8AE8-9BDA-46a8-AA4B-333362A3A15C}.exe	{C5767BB0-AE88-4173-8D1E-7E77125EFA07}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2248	2024-02-19_23a0f8ed07958e18c9d26b9a714b3d12_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1840	{990FD0F0-69EA-4d50-9301-B6D025F1569E}.exe
Token: SeIncBasePriorityPrivilege	2648	{005E9A0B-7642-469d-BF03-5B6BB19D3A4F}.exe
Token: SeIncBasePriorityPrivilege	2748	{C5767BB0-AE88-4173-8D1E-7E77125EFA07}.exe
Token: SeIncBasePriorityPrivilege	2660	{871C8AE8-9BDA-46a8-AA4B-333362A3A15C}.exe
Token: SeIncBasePriorityPrivilege	1244	{786C7542-A7FD-4307-837F-F1E28A4F33ED}.exe
Token: SeIncBasePriorityPrivilege	2724	{C5F5C708-D407-44c0-93C1-7CE7F947737B}.exe
Token: SeIncBasePriorityPrivilege	2832	{7759CC23-6BA6-4b35-843C-946557D40BD1}.exe
Token: SeIncBasePriorityPrivilege	1372	{38FD3206-9FFD-49d0-9494-8095A214DE2E}.exe
Token: SeIncBasePriorityPrivilege	3048	{EC440621-8211-48fe-9C42-7E4651B0E816}.exe
Token: SeIncBasePriorityPrivilege	1272	{6B5E9A0C-EF6C-4a87-91B0-A95D71AFFE59}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2248 wrote to memory of 1840	2248	2024-02-19_23a0f8ed07958e18c9d26b9a714b3d12_goldeneye.exe	28
PID 2248 wrote to memory of 1840	2248	2024-02-19_23a0f8ed07958e18c9d26b9a714b3d12_goldeneye.exe	28
PID 2248 wrote to memory of 1840	2248	2024-02-19_23a0f8ed07958e18c9d26b9a714b3d12_goldeneye.exe	28
PID 2248 wrote to memory of 1840	2248	2024-02-19_23a0f8ed07958e18c9d26b9a714b3d12_goldeneye.exe	28
PID 2248 wrote to memory of 1736	2248	2024-02-19_23a0f8ed07958e18c9d26b9a714b3d12_goldeneye.exe	29
PID 2248 wrote to memory of 1736	2248	2024-02-19_23a0f8ed07958e18c9d26b9a714b3d12_goldeneye.exe	29
PID 2248 wrote to memory of 1736	2248	2024-02-19_23a0f8ed07958e18c9d26b9a714b3d12_goldeneye.exe	29
PID 2248 wrote to memory of 1736	2248	2024-02-19_23a0f8ed07958e18c9d26b9a714b3d12_goldeneye.exe	29
PID 1840 wrote to memory of 2648	1840	{990FD0F0-69EA-4d50-9301-B6D025F1569E}.exe	30
PID 1840 wrote to memory of 2648	1840	{990FD0F0-69EA-4d50-9301-B6D025F1569E}.exe	30
PID 1840 wrote to memory of 2648	1840	{990FD0F0-69EA-4d50-9301-B6D025F1569E}.exe	30
PID 1840 wrote to memory of 2648	1840	{990FD0F0-69EA-4d50-9301-B6D025F1569E}.exe	30
PID 1840 wrote to memory of 2744	1840	{990FD0F0-69EA-4d50-9301-B6D025F1569E}.exe	31
PID 1840 wrote to memory of 2744	1840	{990FD0F0-69EA-4d50-9301-B6D025F1569E}.exe	31
PID 1840 wrote to memory of 2744	1840	{990FD0F0-69EA-4d50-9301-B6D025F1569E}.exe	31
PID 1840 wrote to memory of 2744	1840	{990FD0F0-69EA-4d50-9301-B6D025F1569E}.exe	31
PID 2648 wrote to memory of 2748	2648	{005E9A0B-7642-469d-BF03-5B6BB19D3A4F}.exe	33
PID 2648 wrote to memory of 2748	2648	{005E9A0B-7642-469d-BF03-5B6BB19D3A4F}.exe	33
PID 2648 wrote to memory of 2748	2648	{005E9A0B-7642-469d-BF03-5B6BB19D3A4F}.exe	33
PID 2648 wrote to memory of 2748	2648	{005E9A0B-7642-469d-BF03-5B6BB19D3A4F}.exe	33
PID 2648 wrote to memory of 2608	2648	{005E9A0B-7642-469d-BF03-5B6BB19D3A4F}.exe	32
PID 2648 wrote to memory of 2608	2648	{005E9A0B-7642-469d-BF03-5B6BB19D3A4F}.exe	32
PID 2648 wrote to memory of 2608	2648	{005E9A0B-7642-469d-BF03-5B6BB19D3A4F}.exe	32
PID 2648 wrote to memory of 2608	2648	{005E9A0B-7642-469d-BF03-5B6BB19D3A4F}.exe	32
PID 2748 wrote to memory of 2660	2748	{C5767BB0-AE88-4173-8D1E-7E77125EFA07}.exe	35
PID 2748 wrote to memory of 2660	2748	{C5767BB0-AE88-4173-8D1E-7E77125EFA07}.exe	35
PID 2748 wrote to memory of 2660	2748	{C5767BB0-AE88-4173-8D1E-7E77125EFA07}.exe	35
PID 2748 wrote to memory of 2660	2748	{C5767BB0-AE88-4173-8D1E-7E77125EFA07}.exe	35
PID 2748 wrote to memory of 2492	2748	{C5767BB0-AE88-4173-8D1E-7E77125EFA07}.exe	34
PID 2748 wrote to memory of 2492	2748	{C5767BB0-AE88-4173-8D1E-7E77125EFA07}.exe	34
PID 2748 wrote to memory of 2492	2748	{C5767BB0-AE88-4173-8D1E-7E77125EFA07}.exe	34
PID 2748 wrote to memory of 2492	2748	{C5767BB0-AE88-4173-8D1E-7E77125EFA07}.exe	34
PID 2660 wrote to memory of 1244	2660	{871C8AE8-9BDA-46a8-AA4B-333362A3A15C}.exe	39
PID 2660 wrote to memory of 1244	2660	{871C8AE8-9BDA-46a8-AA4B-333362A3A15C}.exe	39
PID 2660 wrote to memory of 1244	2660	{871C8AE8-9BDA-46a8-AA4B-333362A3A15C}.exe	39
PID 2660 wrote to memory of 1244	2660	{871C8AE8-9BDA-46a8-AA4B-333362A3A15C}.exe	39
PID 2660 wrote to memory of 2920	2660	{871C8AE8-9BDA-46a8-AA4B-333362A3A15C}.exe	38
PID 2660 wrote to memory of 2920	2660	{871C8AE8-9BDA-46a8-AA4B-333362A3A15C}.exe	38
PID 2660 wrote to memory of 2920	2660	{871C8AE8-9BDA-46a8-AA4B-333362A3A15C}.exe	38
PID 2660 wrote to memory of 2920	2660	{871C8AE8-9BDA-46a8-AA4B-333362A3A15C}.exe	38
PID 1244 wrote to memory of 2724	1244	{786C7542-A7FD-4307-837F-F1E28A4F33ED}.exe	40
PID 1244 wrote to memory of 2724	1244	{786C7542-A7FD-4307-837F-F1E28A4F33ED}.exe	40
PID 1244 wrote to memory of 2724	1244	{786C7542-A7FD-4307-837F-F1E28A4F33ED}.exe	40
PID 1244 wrote to memory of 2724	1244	{786C7542-A7FD-4307-837F-F1E28A4F33ED}.exe	40
PID 1244 wrote to memory of 2796	1244	{786C7542-A7FD-4307-837F-F1E28A4F33ED}.exe	41
PID 1244 wrote to memory of 2796	1244	{786C7542-A7FD-4307-837F-F1E28A4F33ED}.exe	41
PID 1244 wrote to memory of 2796	1244	{786C7542-A7FD-4307-837F-F1E28A4F33ED}.exe	41
PID 1244 wrote to memory of 2796	1244	{786C7542-A7FD-4307-837F-F1E28A4F33ED}.exe	41
PID 2724 wrote to memory of 2832	2724	{C5F5C708-D407-44c0-93C1-7CE7F947737B}.exe	43
PID 2724 wrote to memory of 2832	2724	{C5F5C708-D407-44c0-93C1-7CE7F947737B}.exe	43
PID 2724 wrote to memory of 2832	2724	{C5F5C708-D407-44c0-93C1-7CE7F947737B}.exe	43
PID 2724 wrote to memory of 2832	2724	{C5F5C708-D407-44c0-93C1-7CE7F947737B}.exe	43
PID 2724 wrote to memory of 2668	2724	{C5F5C708-D407-44c0-93C1-7CE7F947737B}.exe	42
PID 2724 wrote to memory of 2668	2724	{C5F5C708-D407-44c0-93C1-7CE7F947737B}.exe	42
PID 2724 wrote to memory of 2668	2724	{C5F5C708-D407-44c0-93C1-7CE7F947737B}.exe	42
PID 2724 wrote to memory of 2668	2724	{C5F5C708-D407-44c0-93C1-7CE7F947737B}.exe	42
PID 2832 wrote to memory of 1372	2832	{7759CC23-6BA6-4b35-843C-946557D40BD1}.exe	45
PID 2832 wrote to memory of 1372	2832	{7759CC23-6BA6-4b35-843C-946557D40BD1}.exe	45
PID 2832 wrote to memory of 1372	2832	{7759CC23-6BA6-4b35-843C-946557D40BD1}.exe	45
PID 2832 wrote to memory of 1372	2832	{7759CC23-6BA6-4b35-843C-946557D40BD1}.exe	45
PID 2832 wrote to memory of 1412	2832	{7759CC23-6BA6-4b35-843C-946557D40BD1}.exe	44
PID 2832 wrote to memory of 1412	2832	{7759CC23-6BA6-4b35-843C-946557D40BD1}.exe	44
PID 2832 wrote to memory of 1412	2832	{7759CC23-6BA6-4b35-843C-946557D40BD1}.exe	44
PID 2832 wrote to memory of 1412	2832	{7759CC23-6BA6-4b35-843C-946557D40BD1}.exe	44

C:\Users\Admin\AppData\Local\Temp\2024-02-19_23a0f8ed07958e18c9d26b9a714b3d12_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-19_23a0f8ed07958e18c9d26b9a714b3d12_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2248
- C:\Windows\{990FD0F0-69EA-4d50-9301-B6D025F1569E}.exe
  C:\Windows\{990FD0F0-69EA-4d50-9301-B6D025F1569E}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1840
- - C:\Windows\{005E9A0B-7642-469d-BF03-5B6BB19D3A4F}.exe
    C:\Windows\{005E9A0B-7642-469d-BF03-5B6BB19D3A4F}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2648
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{005E9~1.EXE > nul
      4⤵
      PID:2608
  - - C:\Windows\{C5767BB0-AE88-4173-8D1E-7E77125EFA07}.exe
      C:\Windows\{C5767BB0-AE88-4173-8D1E-7E77125EFA07}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2748
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C5767~1.EXE > nul
        5⤵
        
        PID:2492
    - - C:\Windows\{871C8AE8-9BDA-46a8-AA4B-333362A3A15C}.exe
        
        C:\Windows\{871C8AE8-9BDA-46a8-AA4B-333362A3A15C}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2660
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{871C8~1.EXE > nul
        6⤵
        
        PID:2920
      - C:\Windows\{786C7542-A7FD-4307-837F-F1E28A4F33ED}.exe
        
        C:\Windows\{786C7542-A7FD-4307-837F-F1E28A4F33ED}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1244
        
        C:\Windows\{C5F5C708-D407-44c0-93C1-7CE7F947737B}.exe
        
        C:\Windows\{C5F5C708-D407-44c0-93C1-7CE7F947737B}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C5F5C~1.EXE > nul
        8⤵
        
        PID:2668
        
        C:\Windows\{7759CC23-6BA6-4b35-843C-946557D40BD1}.exe
        
        C:\Windows\{7759CC23-6BA6-4b35-843C-946557D40BD1}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7759C~1.EXE > nul
        9⤵
        
        PID:1412
        
        C:\Windows\{38FD3206-9FFD-49d0-9494-8095A214DE2E}.exe
        
        C:\Windows\{38FD3206-9FFD-49d0-9494-8095A214DE2E}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{38FD3~1.EXE > nul
        10⤵
        
        PID:2084
        
        C:\Windows\{EC440621-8211-48fe-9C42-7E4651B0E816}.exe
        
        C:\Windows\{EC440621-8211-48fe-9C42-7E4651B0E816}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EC440~1.EXE > nul
        11⤵
        
        PID:392
        
        C:\Windows\{6B5E9A0C-EF6C-4a87-91B0-A95D71AFFE59}.exe
        
        C:\Windows\{6B5E9A0C-EF6C-4a87-91B0-A95D71AFFE59}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1272
        
        C:\Windows\{6BB26CBE-26D2-4b68-8C3C-7FD057D2B074}.exe
        
        C:\Windows\{6BB26CBE-26D2-4b68-8C3C-7FD057D2B074}.exe
        12⤵
        Executes dropped EXE
        
        PID:1644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6B5E9~1.EXE > nul
        12⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{786C7~1.EXE > nul
        7⤵
        
        PID:2796
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{990FD~1.EXE > nul
    3⤵
    PID:2744
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:1736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{005E9A0B-7642-469d-BF03-5B6BB19D3A4F}.exe

Filesize
168KB

MD5
7ff8f165279c625d672347421fcb4bdc

SHA1
12c4a2177aae8ae8045c89fa320f23b4052fdb01

SHA256
ee04dbfbfb630beac1b0d01cf4c9bfdcc12cf93555750e38d89f23738f3ed011

SHA512
1652fce034ceba6e310118c47d9e7f5dd60b5b9ac1b6e9e2b682f53852d0a3c450a6b1fa1b39839324acaa3fb0957aba407a5e2ffb3ddb0f2920a1f5e54b436b

Download Submit
C:\Windows\{38FD3206-9FFD-49d0-9494-8095A214DE2E}.exe

Filesize
168KB

MD5
762a34fac357159ee726e261bab833dc

SHA1
8e3a292fc7f1167d9060a3f1f1ab98ff37e3b656

SHA256
23195e11c488a66b42e050f280cc005397fea4d005b2108d29ea0f6bba824c97

SHA512
1812e96bb89a7d4103ab8148c0fe4a8f82c342034b1d4d3e7101b19f2729ce8c0eea4d28896e8ef1635138c470f0f6ba8dcdb7160bb5ba5a9f4a46f3073b693c

Download Submit
C:\Windows\{6B5E9A0C-EF6C-4a87-91B0-A95D71AFFE59}.exe

Filesize
168KB

MD5
75e017c2ce2e8d8dac2175e65d72a01f

SHA1
1ecf6eba82afb35f6d1f049a003879603d4f6ffe

SHA256
61f5b5c63e9cc1ee390cab80095fdf403865a35344b83a42fed4234c28902b30

SHA512
0b906a033ab98504945cda64e9c330de25e949e1c09f8e9dbf2f6646809f6ddc2951e12111648c03cdea71e8e63fc2c0e242d46f6277b801e2b21c8a4123d6a0

Download Submit
C:\Windows\{6BB26CBE-26D2-4b68-8C3C-7FD057D2B074}.exe

Filesize
168KB

MD5
dbe261611272c9061a385f616d814180

SHA1
29e30e739e9da73bf16a474884c53391e75c7d0c

SHA256
1867182cacbf1d287b2b286fe47353c2d2edd18e814c756ec1f80158d7d54621

SHA512
9e0bd4e8d8d789ce8b838d7e0cf7ea8348ac0ffda071cf7feb0f4297e83a9992f3402b1926874de73a3c89d0e2385fb0f047f1bb8e736604e6676f4b9d42c12b

Download Submit
C:\Windows\{7759CC23-6BA6-4b35-843C-946557D40BD1}.exe

Filesize
168KB

MD5
c014c5fb89fcd99d20e4a56e5be57935

SHA1
c8dcdeb3c02fa1553f53b29b53d57c6698a30e0b

SHA256
b435ca06c6f05e49533817a41f576990ec8b77dcb69c2dcc72e14284fea256cd

SHA512
04f15f4a258d89fb2b41f82382633259c5b9f4787785ec48bbc1cfaea9e65156d7264d2f6db929decf23245c4390dda7e0fce7c1dfefc3a4eafde2526e6f8567

Download Submit
C:\Windows\{786C7542-A7FD-4307-837F-F1E28A4F33ED}.exe

Filesize
168KB

MD5
821d0983d8f216ea25f7de646bd194b5

SHA1
26336f876c5ed12077eef2e7c7413aabd785c41e

SHA256
e4f41df9ae26f0b5ef416661224aaa52f35d347f16fa4e1eb5850fd55fae84e6

SHA512
8fca225ba567aed6ad4586f71d54c2a2d625cd06f34f8387a4636610e8d5a6be0ec5e863d400c02d338359a7f3dc4adbd44d7317c8bed0476b9054a6bbe4f873

Download Submit
C:\Windows\{871C8AE8-9BDA-46a8-AA4B-333362A3A15C}.exe

Filesize
168KB

MD5
f0b316b1316dfd080f09a2681ef8c18d

SHA1
498cff54ad2f7e5981a328bdef8a2a5f1a86f718

SHA256
ea9c39bc5a94c474f2bb33fea8465c480c1e39e67edeee2ac31f2223333c2f43

SHA512
6d9a11d524792263198f91d4d132203f771711fa88a6defe28dd746fc0ad64738eb328dba8f0ec607072a772b350713e054f610acf394b5784ae4b47d1f7e514

Download Submit
C:\Windows\{990FD0F0-69EA-4d50-9301-B6D025F1569E}.exe

Filesize
168KB

MD5
fe3347ee3dc7c9d763ae7cd017461e7f

SHA1
2f214ad3b38c9f72bfea213ed0633c0ee12d88e3

SHA256
656f10c9fcc5f6d9867dd010e4859c08f2da5f7caa4f7028b6bc9b162c6f5726

SHA512
37e8243a696b607224d2eb30479f8aea328adf9237e03233559912d9cfed8bd0e24f2680a0f9ad9cdfaafc8dcf311d447932fa58acd6455f5edf2afd04d3299d

Download Submit
C:\Windows\{C5767BB0-AE88-4173-8D1E-7E77125EFA07}.exe

Filesize
168KB

MD5
137052d735b9e1361d70db913ab3126e

SHA1
ba22f6692188adb3c491e6a4fa0ec7a6ebb70c61

SHA256
0eea2a13fef4c111ece9e06cb6379ad7ef9cb18d121f4087095c40b1225a519f

SHA512
c760ba7dd5fa30a534302e24e05e902791f0d81af39afe4a3913d6f643caf273537ddbe368b9a973e6394d8ce7e0fa1bd63a04675654f02f96b19fd1653dfbf9

Download Submit
C:\Windows\{C5F5C708-D407-44c0-93C1-7CE7F947737B}.exe

Filesize
168KB

MD5
acedf3a3d4ce0a90446227b29dea10b0

SHA1
2c5e98c202c7e74ba787a7c825075c34f905c815

SHA256
d2e302c467d130023427c67b999889380814188d2fc5de908221372ebbf25ad6

SHA512
f488818037dd0ad601ebb2e21c6aad20daeac46c806c183ed04e325066cd222b8ff6279607717871b74ee1dd7e57ab95c48eb3040ba1c84515dcdb3ace5043f6

Download Submit
C:\Windows\{EC440621-8211-48fe-9C42-7E4651B0E816}.exe

Filesize
168KB

MD5
abe39c32bca0eda2289816c8a2e5b2ae

SHA1
2ff1f77bc8965b811f52fc3acf20c82b310aad33

SHA256
16c0fdf7fb04a89c70eec099fa9a30c12b06bfd320a554f4619441da12f27f45

SHA512
85f013016a22ac41eed47385a386bea13e3219fe3875f74ebf84067c5e3e8bacb62a402ef7984fca9d31ce52be8e6e819120965a7943715ea16f541f9dd7f6ed

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads