defeaaf7b5717c752996f42d1eb79697acb97fef85b95ce320257151996d36a5

Analysis

max time kernel
144s
max time network
119s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
19/02/2024, 07:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-19_59ffb0624b302acdc97c867190301fe1_goldeneye.exe
Size

180KB
MD5

59ffb0624b302acdc97c867190301fe1
SHA1

1364f5fb65fc1b6c7c3aea6f94d4307288f90675
SHA256

defeaaf7b5717c752996f42d1eb79697acb97fef85b95ce320257151996d36a5
SHA512

e79cce50618b272165dbebb47fe042797c73c4ef81a9dc56eb751c48046ddba2c3201a42234f7585883f47852b997e5a7728ad164fe53394e9aa2ed75e2beffd
SSDEEP

3072:jEGh0o4lfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGil5eKcAEc

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral1/files/0x000a000000013a1a-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000900000001410b-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b000000013a1a-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00090000000142cc-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000005a5a-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000013a1a-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000005a5a-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000013a1a-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000005a5a-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e000000013a1a-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e000000013a1a-69.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000005a5a-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9AD8EAD0-6251-4414-A6F5-093E3623018D}	{9E49ED91-ABA5-4942-9BCB-854634D00AAD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FC0A62E8-0913-4def-8D79-52B236C366EB}	{EC8B67B4-C653-464f-A749-8B3A55D01186}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{61D97121-52CA-4c2d-9069-240DA74A6B09}\stubpath = "C:\\Windows\\{61D97121-52CA-4c2d-9069-240DA74A6B09}.exe"	{FC0A62E8-0913-4def-8D79-52B236C366EB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7727CCC5-45F7-4d77-9114-E0DBF5A60188}\stubpath = "C:\\Windows\\{7727CCC5-45F7-4d77-9114-E0DBF5A60188}.exe"	2024-02-19_59ffb0624b302acdc97c867190301fe1_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8B6E1688-766C-4711-B57A-C0444718CD2E}	{01C9C829-BFBE-4d87-A79C-DD4C104CD188}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9E49ED91-ABA5-4942-9BCB-854634D00AAD}\stubpath = "C:\\Windows\\{9E49ED91-ABA5-4942-9BCB-854634D00AAD}.exe"	{17ECABA5-4588-4586-A70F-A370949A3B5D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{01C9C829-BFBE-4d87-A79C-DD4C104CD188}\stubpath = "C:\\Windows\\{01C9C829-BFBE-4d87-A79C-DD4C104CD188}.exe"	{55C6B2D3-27B8-48fc-9377-B2CB9675C802}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8B6E1688-766C-4711-B57A-C0444718CD2E}\stubpath = "C:\\Windows\\{8B6E1688-766C-4711-B57A-C0444718CD2E}.exe"	{01C9C829-BFBE-4d87-A79C-DD4C104CD188}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{61D97121-52CA-4c2d-9069-240DA74A6B09}	{FC0A62E8-0913-4def-8D79-52B236C366EB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{17ECABA5-4588-4586-A70F-A370949A3B5D}\stubpath = "C:\\Windows\\{17ECABA5-4588-4586-A70F-A370949A3B5D}.exe"	{8B6E1688-766C-4711-B57A-C0444718CD2E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9E49ED91-ABA5-4942-9BCB-854634D00AAD}	{17ECABA5-4588-4586-A70F-A370949A3B5D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9AD8EAD0-6251-4414-A6F5-093E3623018D}\stubpath = "C:\\Windows\\{9AD8EAD0-6251-4414-A6F5-093E3623018D}.exe"	{9E49ED91-ABA5-4942-9BCB-854634D00AAD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D6794371-C00C-4fe9-A640-F71AC2B96846}\stubpath = "C:\\Windows\\{D6794371-C00C-4fe9-A640-F71AC2B96846}.exe"	{9AD8EAD0-6251-4414-A6F5-093E3623018D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{55C6B2D3-27B8-48fc-9377-B2CB9675C802}	{7727CCC5-45F7-4d77-9114-E0DBF5A60188}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{55C6B2D3-27B8-48fc-9377-B2CB9675C802}\stubpath = "C:\\Windows\\{55C6B2D3-27B8-48fc-9377-B2CB9675C802}.exe"	{7727CCC5-45F7-4d77-9114-E0DBF5A60188}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{17ECABA5-4588-4586-A70F-A370949A3B5D}	{8B6E1688-766C-4711-B57A-C0444718CD2E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EC8B67B4-C653-464f-A749-8B3A55D01186}	{D6794371-C00C-4fe9-A640-F71AC2B96846}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EC8B67B4-C653-464f-A749-8B3A55D01186}\stubpath = "C:\\Windows\\{EC8B67B4-C653-464f-A749-8B3A55D01186}.exe"	{D6794371-C00C-4fe9-A640-F71AC2B96846}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FC0A62E8-0913-4def-8D79-52B236C366EB}\stubpath = "C:\\Windows\\{FC0A62E8-0913-4def-8D79-52B236C366EB}.exe"	{EC8B67B4-C653-464f-A749-8B3A55D01186}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7727CCC5-45F7-4d77-9114-E0DBF5A60188}	2024-02-19_59ffb0624b302acdc97c867190301fe1_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{01C9C829-BFBE-4d87-A79C-DD4C104CD188}	{55C6B2D3-27B8-48fc-9377-B2CB9675C802}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D6794371-C00C-4fe9-A640-F71AC2B96846}	{9AD8EAD0-6251-4414-A6F5-093E3623018D}.exe

Executes dropped EXE 11 IoCs

pid	Process
3016	{7727CCC5-45F7-4d77-9114-E0DBF5A60188}.exe
2704	{55C6B2D3-27B8-48fc-9377-B2CB9675C802}.exe
2872	{01C9C829-BFBE-4d87-A79C-DD4C104CD188}.exe
2976	{8B6E1688-766C-4711-B57A-C0444718CD2E}.exe
1988	{17ECABA5-4588-4586-A70F-A370949A3B5D}.exe
1488	{9E49ED91-ABA5-4942-9BCB-854634D00AAD}.exe
2784	{9AD8EAD0-6251-4414-A6F5-093E3623018D}.exe
1644	{D6794371-C00C-4fe9-A640-F71AC2B96846}.exe
2964	{EC8B67B4-C653-464f-A749-8B3A55D01186}.exe
2900	{FC0A62E8-0913-4def-8D79-52B236C366EB}.exe
2904	{61D97121-52CA-4c2d-9069-240DA74A6B09}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{01C9C829-BFBE-4d87-A79C-DD4C104CD188}.exe	{55C6B2D3-27B8-48fc-9377-B2CB9675C802}.exe
File created	C:\Windows\{9E49ED91-ABA5-4942-9BCB-854634D00AAD}.exe	{17ECABA5-4588-4586-A70F-A370949A3B5D}.exe
File created	C:\Windows\{9AD8EAD0-6251-4414-A6F5-093E3623018D}.exe	{9E49ED91-ABA5-4942-9BCB-854634D00AAD}.exe
File created	C:\Windows\{D6794371-C00C-4fe9-A640-F71AC2B96846}.exe	{9AD8EAD0-6251-4414-A6F5-093E3623018D}.exe
File created	C:\Windows\{EC8B67B4-C653-464f-A749-8B3A55D01186}.exe	{D6794371-C00C-4fe9-A640-F71AC2B96846}.exe
File created	C:\Windows\{FC0A62E8-0913-4def-8D79-52B236C366EB}.exe	{EC8B67B4-C653-464f-A749-8B3A55D01186}.exe
File created	C:\Windows\{61D97121-52CA-4c2d-9069-240DA74A6B09}.exe	{FC0A62E8-0913-4def-8D79-52B236C366EB}.exe
File created	C:\Windows\{55C6B2D3-27B8-48fc-9377-B2CB9675C802}.exe	{7727CCC5-45F7-4d77-9114-E0DBF5A60188}.exe
File created	C:\Windows\{8B6E1688-766C-4711-B57A-C0444718CD2E}.exe	{01C9C829-BFBE-4d87-A79C-DD4C104CD188}.exe
File created	C:\Windows\{17ECABA5-4588-4586-A70F-A370949A3B5D}.exe	{8B6E1688-766C-4711-B57A-C0444718CD2E}.exe
File created	C:\Windows\{7727CCC5-45F7-4d77-9114-E0DBF5A60188}.exe	2024-02-19_59ffb0624b302acdc97c867190301fe1_goldeneye.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2420	2024-02-19_59ffb0624b302acdc97c867190301fe1_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3016	{7727CCC5-45F7-4d77-9114-E0DBF5A60188}.exe
Token: SeIncBasePriorityPrivilege	2704	{55C6B2D3-27B8-48fc-9377-B2CB9675C802}.exe
Token: SeIncBasePriorityPrivilege	2872	{01C9C829-BFBE-4d87-A79C-DD4C104CD188}.exe
Token: SeIncBasePriorityPrivilege	2976	{8B6E1688-766C-4711-B57A-C0444718CD2E}.exe
Token: SeIncBasePriorityPrivilege	1988	{17ECABA5-4588-4586-A70F-A370949A3B5D}.exe
Token: SeIncBasePriorityPrivilege	1488	{9E49ED91-ABA5-4942-9BCB-854634D00AAD}.exe
Token: SeIncBasePriorityPrivilege	2784	{9AD8EAD0-6251-4414-A6F5-093E3623018D}.exe
Token: SeIncBasePriorityPrivilege	1644	{D6794371-C00C-4fe9-A640-F71AC2B96846}.exe
Token: SeIncBasePriorityPrivilege	2964	{EC8B67B4-C653-464f-A749-8B3A55D01186}.exe
Token: SeIncBasePriorityPrivilege	2900	{FC0A62E8-0913-4def-8D79-52B236C366EB}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2420 wrote to memory of 3016	2420	2024-02-19_59ffb0624b302acdc97c867190301fe1_goldeneye.exe	28
PID 2420 wrote to memory of 3016	2420	2024-02-19_59ffb0624b302acdc97c867190301fe1_goldeneye.exe	28
PID 2420 wrote to memory of 3016	2420	2024-02-19_59ffb0624b302acdc97c867190301fe1_goldeneye.exe	28
PID 2420 wrote to memory of 3016	2420	2024-02-19_59ffb0624b302acdc97c867190301fe1_goldeneye.exe	28
PID 2420 wrote to memory of 3028	2420	2024-02-19_59ffb0624b302acdc97c867190301fe1_goldeneye.exe	29
PID 2420 wrote to memory of 3028	2420	2024-02-19_59ffb0624b302acdc97c867190301fe1_goldeneye.exe	29
PID 2420 wrote to memory of 3028	2420	2024-02-19_59ffb0624b302acdc97c867190301fe1_goldeneye.exe	29
PID 2420 wrote to memory of 3028	2420	2024-02-19_59ffb0624b302acdc97c867190301fe1_goldeneye.exe	29
PID 3016 wrote to memory of 2704	3016	{7727CCC5-45F7-4d77-9114-E0DBF5A60188}.exe	30
PID 3016 wrote to memory of 2704	3016	{7727CCC5-45F7-4d77-9114-E0DBF5A60188}.exe	30
PID 3016 wrote to memory of 2704	3016	{7727CCC5-45F7-4d77-9114-E0DBF5A60188}.exe	30
PID 3016 wrote to memory of 2704	3016	{7727CCC5-45F7-4d77-9114-E0DBF5A60188}.exe	30
PID 3016 wrote to memory of 2624	3016	{7727CCC5-45F7-4d77-9114-E0DBF5A60188}.exe	31
PID 3016 wrote to memory of 2624	3016	{7727CCC5-45F7-4d77-9114-E0DBF5A60188}.exe	31
PID 3016 wrote to memory of 2624	3016	{7727CCC5-45F7-4d77-9114-E0DBF5A60188}.exe	31
PID 3016 wrote to memory of 2624	3016	{7727CCC5-45F7-4d77-9114-E0DBF5A60188}.exe	31
PID 2704 wrote to memory of 2872	2704	{55C6B2D3-27B8-48fc-9377-B2CB9675C802}.exe	32
PID 2704 wrote to memory of 2872	2704	{55C6B2D3-27B8-48fc-9377-B2CB9675C802}.exe	32
PID 2704 wrote to memory of 2872	2704	{55C6B2D3-27B8-48fc-9377-B2CB9675C802}.exe	32
PID 2704 wrote to memory of 2872	2704	{55C6B2D3-27B8-48fc-9377-B2CB9675C802}.exe	32
PID 2704 wrote to memory of 2828	2704	{55C6B2D3-27B8-48fc-9377-B2CB9675C802}.exe	33
PID 2704 wrote to memory of 2828	2704	{55C6B2D3-27B8-48fc-9377-B2CB9675C802}.exe	33
PID 2704 wrote to memory of 2828	2704	{55C6B2D3-27B8-48fc-9377-B2CB9675C802}.exe	33
PID 2704 wrote to memory of 2828	2704	{55C6B2D3-27B8-48fc-9377-B2CB9675C802}.exe	33
PID 2872 wrote to memory of 2976	2872	{01C9C829-BFBE-4d87-A79C-DD4C104CD188}.exe	36
PID 2872 wrote to memory of 2976	2872	{01C9C829-BFBE-4d87-A79C-DD4C104CD188}.exe	36
PID 2872 wrote to memory of 2976	2872	{01C9C829-BFBE-4d87-A79C-DD4C104CD188}.exe	36
PID 2872 wrote to memory of 2976	2872	{01C9C829-BFBE-4d87-A79C-DD4C104CD188}.exe	36
PID 2872 wrote to memory of 2296	2872	{01C9C829-BFBE-4d87-A79C-DD4C104CD188}.exe	37
PID 2872 wrote to memory of 2296	2872	{01C9C829-BFBE-4d87-A79C-DD4C104CD188}.exe	37
PID 2872 wrote to memory of 2296	2872	{01C9C829-BFBE-4d87-A79C-DD4C104CD188}.exe	37
PID 2872 wrote to memory of 2296	2872	{01C9C829-BFBE-4d87-A79C-DD4C104CD188}.exe	37
PID 2976 wrote to memory of 1988	2976	{8B6E1688-766C-4711-B57A-C0444718CD2E}.exe	39
PID 2976 wrote to memory of 1988	2976	{8B6E1688-766C-4711-B57A-C0444718CD2E}.exe	39
PID 2976 wrote to memory of 1988	2976	{8B6E1688-766C-4711-B57A-C0444718CD2E}.exe	39
PID 2976 wrote to memory of 1988	2976	{8B6E1688-766C-4711-B57A-C0444718CD2E}.exe	39
PID 2976 wrote to memory of 2984	2976	{8B6E1688-766C-4711-B57A-C0444718CD2E}.exe	38
PID 2976 wrote to memory of 2984	2976	{8B6E1688-766C-4711-B57A-C0444718CD2E}.exe	38
PID 2976 wrote to memory of 2984	2976	{8B6E1688-766C-4711-B57A-C0444718CD2E}.exe	38
PID 2976 wrote to memory of 2984	2976	{8B6E1688-766C-4711-B57A-C0444718CD2E}.exe	38
PID 1988 wrote to memory of 1488	1988	{17ECABA5-4588-4586-A70F-A370949A3B5D}.exe	40
PID 1988 wrote to memory of 1488	1988	{17ECABA5-4588-4586-A70F-A370949A3B5D}.exe	40
PID 1988 wrote to memory of 1488	1988	{17ECABA5-4588-4586-A70F-A370949A3B5D}.exe	40
PID 1988 wrote to memory of 1488	1988	{17ECABA5-4588-4586-A70F-A370949A3B5D}.exe	40
PID 1988 wrote to memory of 2788	1988	{17ECABA5-4588-4586-A70F-A370949A3B5D}.exe	41
PID 1988 wrote to memory of 2788	1988	{17ECABA5-4588-4586-A70F-A370949A3B5D}.exe	41
PID 1988 wrote to memory of 2788	1988	{17ECABA5-4588-4586-A70F-A370949A3B5D}.exe	41
PID 1988 wrote to memory of 2788	1988	{17ECABA5-4588-4586-A70F-A370949A3B5D}.exe	41
PID 1488 wrote to memory of 2784	1488	{9E49ED91-ABA5-4942-9BCB-854634D00AAD}.exe	43
PID 1488 wrote to memory of 2784	1488	{9E49ED91-ABA5-4942-9BCB-854634D00AAD}.exe	43
PID 1488 wrote to memory of 2784	1488	{9E49ED91-ABA5-4942-9BCB-854634D00AAD}.exe	43
PID 1488 wrote to memory of 2784	1488	{9E49ED91-ABA5-4942-9BCB-854634D00AAD}.exe	43
PID 1488 wrote to memory of 2824	1488	{9E49ED91-ABA5-4942-9BCB-854634D00AAD}.exe	42
PID 1488 wrote to memory of 2824	1488	{9E49ED91-ABA5-4942-9BCB-854634D00AAD}.exe	42
PID 1488 wrote to memory of 2824	1488	{9E49ED91-ABA5-4942-9BCB-854634D00AAD}.exe	42
PID 1488 wrote to memory of 2824	1488	{9E49ED91-ABA5-4942-9BCB-854634D00AAD}.exe	42
PID 2784 wrote to memory of 1644	2784	{9AD8EAD0-6251-4414-A6F5-093E3623018D}.exe	44
PID 2784 wrote to memory of 1644	2784	{9AD8EAD0-6251-4414-A6F5-093E3623018D}.exe	44
PID 2784 wrote to memory of 1644	2784	{9AD8EAD0-6251-4414-A6F5-093E3623018D}.exe	44
PID 2784 wrote to memory of 1644	2784	{9AD8EAD0-6251-4414-A6F5-093E3623018D}.exe	44
PID 2784 wrote to memory of 1580	2784	{9AD8EAD0-6251-4414-A6F5-093E3623018D}.exe	45
PID 2784 wrote to memory of 1580	2784	{9AD8EAD0-6251-4414-A6F5-093E3623018D}.exe	45
PID 2784 wrote to memory of 1580	2784	{9AD8EAD0-6251-4414-A6F5-093E3623018D}.exe	45
PID 2784 wrote to memory of 1580	2784	{9AD8EAD0-6251-4414-A6F5-093E3623018D}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-02-19_59ffb0624b302acdc97c867190301fe1_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-19_59ffb0624b302acdc97c867190301fe1_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2420
- C:\Windows\{7727CCC5-45F7-4d77-9114-E0DBF5A60188}.exe
  C:\Windows\{7727CCC5-45F7-4d77-9114-E0DBF5A60188}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3016
- - C:\Windows\{55C6B2D3-27B8-48fc-9377-B2CB9675C802}.exe
    C:\Windows\{55C6B2D3-27B8-48fc-9377-B2CB9675C802}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2704
  - - C:\Windows\{01C9C829-BFBE-4d87-A79C-DD4C104CD188}.exe
      C:\Windows\{01C9C829-BFBE-4d87-A79C-DD4C104CD188}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2872
    - - C:\Windows\{8B6E1688-766C-4711-B57A-C0444718CD2E}.exe
        
        C:\Windows\{8B6E1688-766C-4711-B57A-C0444718CD2E}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2976
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8B6E1~1.EXE > nul
        6⤵
        
        PID:2984
      - C:\Windows\{17ECABA5-4588-4586-A70F-A370949A3B5D}.exe
        
        C:\Windows\{17ECABA5-4588-4586-A70F-A370949A3B5D}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1988
        
        C:\Windows\{9E49ED91-ABA5-4942-9BCB-854634D00AAD}.exe
        
        C:\Windows\{9E49ED91-ABA5-4942-9BCB-854634D00AAD}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9E49E~1.EXE > nul
        8⤵
        
        PID:2824
        
        C:\Windows\{9AD8EAD0-6251-4414-A6F5-093E3623018D}.exe
        
        C:\Windows\{9AD8EAD0-6251-4414-A6F5-093E3623018D}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2784
        
        C:\Windows\{D6794371-C00C-4fe9-A640-F71AC2B96846}.exe
        
        C:\Windows\{D6794371-C00C-4fe9-A640-F71AC2B96846}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1644
        
        C:\Windows\{EC8B67B4-C653-464f-A749-8B3A55D01186}.exe
        
        C:\Windows\{EC8B67B4-C653-464f-A749-8B3A55D01186}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2964
        
        C:\Windows\{FC0A62E8-0913-4def-8D79-52B236C366EB}.exe
        
        C:\Windows\{FC0A62E8-0913-4def-8D79-52B236C366EB}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FC0A6~1.EXE > nul
        12⤵
        
        PID:1908
        
        C:\Windows\{61D97121-52CA-4c2d-9069-240DA74A6B09}.exe
        
        C:\Windows\{61D97121-52CA-4c2d-9069-240DA74A6B09}.exe
        12⤵
        Executes dropped EXE
        
        PID:2904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EC8B6~1.EXE > nul
        11⤵
        
        PID:268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D6794~1.EXE > nul
        10⤵
        
        PID:1896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9AD8E~1.EXE > nul
        9⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{17ECA~1.EXE > nul
        7⤵
        
        PID:2788
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{01C9C~1.EXE > nul
        5⤵
        
        PID:2296
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{55C6B~1.EXE > nul
      4⤵
      PID:2828
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{7727C~1.EXE > nul
    3⤵
    PID:2624
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:3028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{01C9C829-BFBE-4d87-A79C-DD4C104CD188}.exe

Filesize
180KB

MD5
a92ceea59346fe5652a0393449d9f7bf

SHA1
9f354cdff538917d39d7933300bfe80d2c8af489

SHA256
f2fadedecab80c5436106c2aa4b2280a7d2da91e2fecb84cb4c78d6f5f312cfa

SHA512
182d8ef1fc5faf4b55d83959739a07210686fa09539fcd276fc937d8172881fec76a013ec5c4a1a434ff044287fbe2b9fa56c44fcb90514870f209ffbf9b49fd

Download Submit
C:\Windows\{17ECABA5-4588-4586-A70F-A370949A3B5D}.exe

Filesize
180KB

MD5
30dceb4c5b7469c660f568915f0b54a6

SHA1
7e79cca643df33b5d90d232c20feb65af739710c

SHA256
0cec66a055ce0a5ec5bbbbcee1e629f2f78e5887b24df39a9982a14a2056b1b7

SHA512
34cad855a0dedadc9d1e259a660ccad3bd7a3b599cad55a305686f73333b1ae009193b56a1eb548489b8f6cd152f4662273e5fe70ac02631ac1d14c052bae1c3

Download Submit
C:\Windows\{55C6B2D3-27B8-48fc-9377-B2CB9675C802}.exe

Filesize
180KB

MD5
f685d99bc119e7b52bf4a7d003b7d996

SHA1
75a65e34f8118fa075d84bcd45b939ddabcbb83f

SHA256
250034364815e42f6bd430e5bf98d64fba17809353a5cd456c5fec7912f3c49d

SHA512
d68f66973571b7aacd7eee070f080540b43e5fc2ce930bec6380287272901149bcc6d50af962ba4abb4b8eee12663d4f308eaa7c628a7a254517c55c0dcecd26

Download Submit
C:\Windows\{61D97121-52CA-4c2d-9069-240DA74A6B09}.exe

Filesize
180KB

MD5
fefe0b701e4a54fc2c34acaac763037e

SHA1
5ad1153ef4cdc80555067801aa6d83ed6a01edb4

SHA256
2ac557eadf1663f9243e4f249a8a4c2d85c9d9bcef0940dd127b0f6eee96f971

SHA512
931a069ae2ac11358629b4f5476c5c23356e166e55e25ffd9f2d95b224ab939d94397556d610251d7286a846ed142631df4110a07731b5f376c0fe0b8a31cbc7

Download Submit
C:\Windows\{7727CCC5-45F7-4d77-9114-E0DBF5A60188}.exe

Filesize
180KB

MD5
91baa6e7f1fec7ea899da815c152f0a9

SHA1
106a52956ffa463ded9cc78a0d3256bcf7e1e663

SHA256
cd193449326418948f655803920d0ad41d1c25825f87a375d9fbca0c406b0518

SHA512
f72a7f485e5cdeb54932723c2580ebb57b5475dc3a34a74d32829a67dbe8902867a63752d0b16bb25489cca98601ee70fb6437d43bcd6b9576deff682007df44

Download Submit
C:\Windows\{8B6E1688-766C-4711-B57A-C0444718CD2E}.exe

Filesize
180KB

MD5
0cf2655e8df4fbb8506c860c054e154f

SHA1
b766dc009dd227925c03b5c5d0f5bae20fba7de0

SHA256
4362e6d5b93cd45fb31c80c88721b1ebf0145f0cd32a72d40f97cffd53942206

SHA512
22d3f312bc8584064d1bbaea041aa46c83faa6becfe4d0d80a7855c0b6eac8fe12d1033abf4a1ec735b3418aedd539cf61f11f999a51f7dda9c7983ca465cfc8

Download Submit
C:\Windows\{9AD8EAD0-6251-4414-A6F5-093E3623018D}.exe

Filesize
180KB

MD5
12147132040ff234e29bfa7ef2014015

SHA1
bd11d42e98f0ee8563b38e3a3bdbe12ee9b5a6f3

SHA256
2452028036dbd5b84bec16b2da596e083fd06a3b1f9c228403e7f5021a509f37

SHA512
7fa445754db7469343a418e72201015a667f1ee3a14f345e70747b6db0cec9cd588fd3b146b4690581689e8035d1c0aef733ae49b73c2fd5cf6e03359529e38a

Download Submit
C:\Windows\{9E49ED91-ABA5-4942-9BCB-854634D00AAD}.exe

Filesize
180KB

MD5
9317a1e694f25467ee0dae58c9159b62

SHA1
095b808912cd51bfe5b85a3136ae2f74750d0c6c

SHA256
2f49b87cc319a9300b5d2309e34eff2ee8a320e320452540cc375d8206d3490a

SHA512
dc3c52bab6dd8eaa90b89111fa72d67480ffe4fc26debd603e440f9dce177a6501a8e9669ee414d12a08c7d47c19a400476134208acc00a471855c6c133152ad

Download Submit
C:\Windows\{D6794371-C00C-4fe9-A640-F71AC2B96846}.exe

Filesize
180KB

MD5
ee457fa9e3abd2dc765223e7aeac2aa9

SHA1
94a58ddf744182b9d5e8ba684f952030255566cc

SHA256
d207d5bdd7c40e94c08963b6f6fb81d68bad3b2f96c8aae97931891f2041f8fa

SHA512
bd944527644465908fba821a955cd37372d6f572a14ab4b1555a6149c7c76bcbcd8b3e98c7c706bed9bb75d56a42160e42a9532c8425d4b6e85b91326e624c57

Download Submit
C:\Windows\{EC8B67B4-C653-464f-A749-8B3A55D01186}.exe

Filesize
180KB

MD5
64e430cb1572ff7a546d0b8405af6071

SHA1
73ff58612b0f3ceb29db31e7153b3748be5deb8f

SHA256
a326066b74615b8a67f4f4b55267e3a54cb85512aa68ebd68f925d518afe385e

SHA512
5e6c880bcc93f9c08cded9198f971446fd8acfc3ec987dee0003d1ad204cc35e470532e00d3b5250c12f120187e7d12ba7428559a0b7d6860624121cadd0b170

Download Submit
C:\Windows\{FC0A62E8-0913-4def-8D79-52B236C366EB}.exe

Filesize
180KB

MD5
10822fd4244ac02ae4a3a4d613f1b8cf

SHA1
947743505281dfef014129392fa7e8df0e7de468

SHA256
39be446f7ad3d1ba6df1ddd9e1873c561cf7e681b1d7cd4f81428dfe18799caa

SHA512
2c5b3a6c9171a0e0c34d41fbeb345ea9d0ad2f679d8e00ff85431887d8dfdc2925eb90f2e45330483e28fe353a7141dc659e76437e67d4d9d31b1466fa4db3a7

Download Submit
C:\Windows\{FC0A62E8-0913-4def-8D79-52B236C366EB}.exe

Filesize
4KB

MD5
20e68d522972601599cb52f61b2c4d7d

SHA1
eb1c0e6f9a58c6732e19a150430708fbd8d40267

SHA256
8d6e912059ad442675b14f94a94e7548b78c84935f79363a56422f1a92490bb9

SHA512
ef653f0786e2c9ca55ea2b42b8310e4180636f2026c2ad7847686f0656cc97c42f963ce2d72ee5acff55dad84af8b9e1a6850b342c77921e77b154018ce18ac8

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads