97f2372195ab2afef1cd0060b7579d79e630a88c387c75341886fb33fd7a496b

Analysis

max time kernel
144s
max time network
118s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
21/02/2024, 11:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-21_284564ee9cbe0b75fb11000507c25b25_goldeneye.exe
Size

180KB
MD5

284564ee9cbe0b75fb11000507c25b25
SHA1

0b03bf0a3aaa26300003efd212849c9df127c9f4
SHA256

97f2372195ab2afef1cd0060b7579d79e630a88c387c75341886fb33fd7a496b
SHA512

2084a73a6d682ff9d00f7ba4514aa9c52a188af0b15d552b58ee26f581c470b3a052a3ff5a32e2d293298b60c4e67b209eccd8aa85ac8334062a88545aab3d88
SSDEEP

3072:jEGh0oIlfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGOl5eKcAEc

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000d00000001224c-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000012325-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e00000001224c-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x003600000001444d-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f00000001224c-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001000000001224c-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001100000001224c-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B6F429FD-57AB-4e00-9AC9-6675DE90E260}\stubpath = "C:\\Windows\\{B6F429FD-57AB-4e00-9AC9-6675DE90E260}.exe"	{4F700178-F5AF-42aa-B179-1EA7F7C8333B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{07EF0637-3C68-488a-8F9B-044CC8B19CAF}\stubpath = "C:\\Windows\\{07EF0637-3C68-488a-8F9B-044CC8B19CAF}.exe"	{7311A749-F455-4104-8ED4-DA91FA230D09}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{616D93BB-596D-48a3-986C-A19176140153}	{07EF0637-3C68-488a-8F9B-044CC8B19CAF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{04984115-FA09-4c90-8DA2-A47BEFE21231}\stubpath = "C:\\Windows\\{04984115-FA09-4c90-8DA2-A47BEFE21231}.exe"	{F0BE4605-7BEF-40cb-8590-DCD5E2D0CDAB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1395F67F-07D8-41b5-9CB2-B6611CB9C0D5}\stubpath = "C:\\Windows\\{1395F67F-07D8-41b5-9CB2-B6611CB9C0D5}.exe"	{04984115-FA09-4c90-8DA2-A47BEFE21231}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4F700178-F5AF-42aa-B179-1EA7F7C8333B}	{D806BC32-A05D-4afa-BAF3-22C560CEE9DE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B6F429FD-57AB-4e00-9AC9-6675DE90E260}	{4F700178-F5AF-42aa-B179-1EA7F7C8333B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7311A749-F455-4104-8ED4-DA91FA230D09}	2024-02-21_284564ee9cbe0b75fb11000507c25b25_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{616D93BB-596D-48a3-986C-A19176140153}\stubpath = "C:\\Windows\\{616D93BB-596D-48a3-986C-A19176140153}.exe"	{07EF0637-3C68-488a-8F9B-044CC8B19CAF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6E2BF5D9-3104-4790-8533-5DF8471AD011}	{616D93BB-596D-48a3-986C-A19176140153}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D806BC32-A05D-4afa-BAF3-22C560CEE9DE}\stubpath = "C:\\Windows\\{D806BC32-A05D-4afa-BAF3-22C560CEE9DE}.exe"	{EFE13B6A-F6B3-4498-B4EA-6DD0C4F9EB49}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4F700178-F5AF-42aa-B179-1EA7F7C8333B}\stubpath = "C:\\Windows\\{4F700178-F5AF-42aa-B179-1EA7F7C8333B}.exe"	{D806BC32-A05D-4afa-BAF3-22C560CEE9DE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7311A749-F455-4104-8ED4-DA91FA230D09}\stubpath = "C:\\Windows\\{7311A749-F455-4104-8ED4-DA91FA230D09}.exe"	2024-02-21_284564ee9cbe0b75fb11000507c25b25_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{07EF0637-3C68-488a-8F9B-044CC8B19CAF}	{7311A749-F455-4104-8ED4-DA91FA230D09}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F0BE4605-7BEF-40cb-8590-DCD5E2D0CDAB}\stubpath = "C:\\Windows\\{F0BE4605-7BEF-40cb-8590-DCD5E2D0CDAB}.exe"	{6E2BF5D9-3104-4790-8533-5DF8471AD011}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{04984115-FA09-4c90-8DA2-A47BEFE21231}	{F0BE4605-7BEF-40cb-8590-DCD5E2D0CDAB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1395F67F-07D8-41b5-9CB2-B6611CB9C0D5}	{04984115-FA09-4c90-8DA2-A47BEFE21231}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6E2BF5D9-3104-4790-8533-5DF8471AD011}\stubpath = "C:\\Windows\\{6E2BF5D9-3104-4790-8533-5DF8471AD011}.exe"	{616D93BB-596D-48a3-986C-A19176140153}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F0BE4605-7BEF-40cb-8590-DCD5E2D0CDAB}	{6E2BF5D9-3104-4790-8533-5DF8471AD011}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EFE13B6A-F6B3-4498-B4EA-6DD0C4F9EB49}	{1395F67F-07D8-41b5-9CB2-B6611CB9C0D5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EFE13B6A-F6B3-4498-B4EA-6DD0C4F9EB49}\stubpath = "C:\\Windows\\{EFE13B6A-F6B3-4498-B4EA-6DD0C4F9EB49}.exe"	{1395F67F-07D8-41b5-9CB2-B6611CB9C0D5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D806BC32-A05D-4afa-BAF3-22C560CEE9DE}	{EFE13B6A-F6B3-4498-B4EA-6DD0C4F9EB49}.exe

Executes dropped EXE 11 IoCs

pid	Process
1672	{7311A749-F455-4104-8ED4-DA91FA230D09}.exe
2736	{07EF0637-3C68-488a-8F9B-044CC8B19CAF}.exe
2860	{616D93BB-596D-48a3-986C-A19176140153}.exe
2172	{6E2BF5D9-3104-4790-8533-5DF8471AD011}.exe
2856	{F0BE4605-7BEF-40cb-8590-DCD5E2D0CDAB}.exe
2624	{04984115-FA09-4c90-8DA2-A47BEFE21231}.exe
904	{1395F67F-07D8-41b5-9CB2-B6611CB9C0D5}.exe
1556	{EFE13B6A-F6B3-4498-B4EA-6DD0C4F9EB49}.exe
1984	{D806BC32-A05D-4afa-BAF3-22C560CEE9DE}.exe
2960	{4F700178-F5AF-42aa-B179-1EA7F7C8333B}.exe
880	{B6F429FD-57AB-4e00-9AC9-6675DE90E260}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{F0BE4605-7BEF-40cb-8590-DCD5E2D0CDAB}.exe	{6E2BF5D9-3104-4790-8533-5DF8471AD011}.exe
File created	C:\Windows\{D806BC32-A05D-4afa-BAF3-22C560CEE9DE}.exe	{EFE13B6A-F6B3-4498-B4EA-6DD0C4F9EB49}.exe
File created	C:\Windows\{07EF0637-3C68-488a-8F9B-044CC8B19CAF}.exe	{7311A749-F455-4104-8ED4-DA91FA230D09}.exe
File created	C:\Windows\{616D93BB-596D-48a3-986C-A19176140153}.exe	{07EF0637-3C68-488a-8F9B-044CC8B19CAF}.exe
File created	C:\Windows\{6E2BF5D9-3104-4790-8533-5DF8471AD011}.exe	{616D93BB-596D-48a3-986C-A19176140153}.exe
File created	C:\Windows\{EFE13B6A-F6B3-4498-B4EA-6DD0C4F9EB49}.exe	{1395F67F-07D8-41b5-9CB2-B6611CB9C0D5}.exe
File created	C:\Windows\{4F700178-F5AF-42aa-B179-1EA7F7C8333B}.exe	{D806BC32-A05D-4afa-BAF3-22C560CEE9DE}.exe
File created	C:\Windows\{B6F429FD-57AB-4e00-9AC9-6675DE90E260}.exe	{4F700178-F5AF-42aa-B179-1EA7F7C8333B}.exe
File created	C:\Windows\{7311A749-F455-4104-8ED4-DA91FA230D09}.exe	2024-02-21_284564ee9cbe0b75fb11000507c25b25_goldeneye.exe
File created	C:\Windows\{04984115-FA09-4c90-8DA2-A47BEFE21231}.exe	{F0BE4605-7BEF-40cb-8590-DCD5E2D0CDAB}.exe
File created	C:\Windows\{1395F67F-07D8-41b5-9CB2-B6611CB9C0D5}.exe	{04984115-FA09-4c90-8DA2-A47BEFE21231}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2108	2024-02-21_284564ee9cbe0b75fb11000507c25b25_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1672	{7311A749-F455-4104-8ED4-DA91FA230D09}.exe
Token: SeIncBasePriorityPrivilege	2736	{07EF0637-3C68-488a-8F9B-044CC8B19CAF}.exe
Token: SeIncBasePriorityPrivilege	2860	{616D93BB-596D-48a3-986C-A19176140153}.exe
Token: SeIncBasePriorityPrivilege	2172	{6E2BF5D9-3104-4790-8533-5DF8471AD011}.exe
Token: SeIncBasePriorityPrivilege	2856	{F0BE4605-7BEF-40cb-8590-DCD5E2D0CDAB}.exe
Token: SeIncBasePriorityPrivilege	2624	{04984115-FA09-4c90-8DA2-A47BEFE21231}.exe
Token: SeIncBasePriorityPrivilege	904	{1395F67F-07D8-41b5-9CB2-B6611CB9C0D5}.exe
Token: SeIncBasePriorityPrivilege	1556	{EFE13B6A-F6B3-4498-B4EA-6DD0C4F9EB49}.exe
Token: SeIncBasePriorityPrivilege	1984	{D806BC32-A05D-4afa-BAF3-22C560CEE9DE}.exe
Token: SeIncBasePriorityPrivilege	2960	{4F700178-F5AF-42aa-B179-1EA7F7C8333B}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2108 wrote to memory of 1672	2108	2024-02-21_284564ee9cbe0b75fb11000507c25b25_goldeneye.exe	28
PID 2108 wrote to memory of 1672	2108	2024-02-21_284564ee9cbe0b75fb11000507c25b25_goldeneye.exe	28
PID 2108 wrote to memory of 1672	2108	2024-02-21_284564ee9cbe0b75fb11000507c25b25_goldeneye.exe	28
PID 2108 wrote to memory of 1672	2108	2024-02-21_284564ee9cbe0b75fb11000507c25b25_goldeneye.exe	28
PID 2108 wrote to memory of 1972	2108	2024-02-21_284564ee9cbe0b75fb11000507c25b25_goldeneye.exe	29
PID 2108 wrote to memory of 1972	2108	2024-02-21_284564ee9cbe0b75fb11000507c25b25_goldeneye.exe	29
PID 2108 wrote to memory of 1972	2108	2024-02-21_284564ee9cbe0b75fb11000507c25b25_goldeneye.exe	29
PID 2108 wrote to memory of 1972	2108	2024-02-21_284564ee9cbe0b75fb11000507c25b25_goldeneye.exe	29
PID 1672 wrote to memory of 2736	1672	{7311A749-F455-4104-8ED4-DA91FA230D09}.exe	30
PID 1672 wrote to memory of 2736	1672	{7311A749-F455-4104-8ED4-DA91FA230D09}.exe	30
PID 1672 wrote to memory of 2736	1672	{7311A749-F455-4104-8ED4-DA91FA230D09}.exe	30
PID 1672 wrote to memory of 2736	1672	{7311A749-F455-4104-8ED4-DA91FA230D09}.exe	30
PID 1672 wrote to memory of 2812	1672	{7311A749-F455-4104-8ED4-DA91FA230D09}.exe	31
PID 1672 wrote to memory of 2812	1672	{7311A749-F455-4104-8ED4-DA91FA230D09}.exe	31
PID 1672 wrote to memory of 2812	1672	{7311A749-F455-4104-8ED4-DA91FA230D09}.exe	31
PID 1672 wrote to memory of 2812	1672	{7311A749-F455-4104-8ED4-DA91FA230D09}.exe	31
PID 2736 wrote to memory of 2860	2736	{07EF0637-3C68-488a-8F9B-044CC8B19CAF}.exe	32
PID 2736 wrote to memory of 2860	2736	{07EF0637-3C68-488a-8F9B-044CC8B19CAF}.exe	32
PID 2736 wrote to memory of 2860	2736	{07EF0637-3C68-488a-8F9B-044CC8B19CAF}.exe	32
PID 2736 wrote to memory of 2860	2736	{07EF0637-3C68-488a-8F9B-044CC8B19CAF}.exe	32
PID 2736 wrote to memory of 2704	2736	{07EF0637-3C68-488a-8F9B-044CC8B19CAF}.exe	33
PID 2736 wrote to memory of 2704	2736	{07EF0637-3C68-488a-8F9B-044CC8B19CAF}.exe	33
PID 2736 wrote to memory of 2704	2736	{07EF0637-3C68-488a-8F9B-044CC8B19CAF}.exe	33
PID 2736 wrote to memory of 2704	2736	{07EF0637-3C68-488a-8F9B-044CC8B19CAF}.exe	33
PID 2860 wrote to memory of 2172	2860	{616D93BB-596D-48a3-986C-A19176140153}.exe	36
PID 2860 wrote to memory of 2172	2860	{616D93BB-596D-48a3-986C-A19176140153}.exe	36
PID 2860 wrote to memory of 2172	2860	{616D93BB-596D-48a3-986C-A19176140153}.exe	36
PID 2860 wrote to memory of 2172	2860	{616D93BB-596D-48a3-986C-A19176140153}.exe	36
PID 2860 wrote to memory of 2384	2860	{616D93BB-596D-48a3-986C-A19176140153}.exe	37
PID 2860 wrote to memory of 2384	2860	{616D93BB-596D-48a3-986C-A19176140153}.exe	37
PID 2860 wrote to memory of 2384	2860	{616D93BB-596D-48a3-986C-A19176140153}.exe	37
PID 2860 wrote to memory of 2384	2860	{616D93BB-596D-48a3-986C-A19176140153}.exe	37
PID 2172 wrote to memory of 2856	2172	{6E2BF5D9-3104-4790-8533-5DF8471AD011}.exe	38
PID 2172 wrote to memory of 2856	2172	{6E2BF5D9-3104-4790-8533-5DF8471AD011}.exe	38
PID 2172 wrote to memory of 2856	2172	{6E2BF5D9-3104-4790-8533-5DF8471AD011}.exe	38
PID 2172 wrote to memory of 2856	2172	{6E2BF5D9-3104-4790-8533-5DF8471AD011}.exe	38
PID 2172 wrote to memory of 2768	2172	{6E2BF5D9-3104-4790-8533-5DF8471AD011}.exe	39
PID 2172 wrote to memory of 2768	2172	{6E2BF5D9-3104-4790-8533-5DF8471AD011}.exe	39
PID 2172 wrote to memory of 2768	2172	{6E2BF5D9-3104-4790-8533-5DF8471AD011}.exe	39
PID 2172 wrote to memory of 2768	2172	{6E2BF5D9-3104-4790-8533-5DF8471AD011}.exe	39
PID 2856 wrote to memory of 2624	2856	{F0BE4605-7BEF-40cb-8590-DCD5E2D0CDAB}.exe	41
PID 2856 wrote to memory of 2624	2856	{F0BE4605-7BEF-40cb-8590-DCD5E2D0CDAB}.exe	41
PID 2856 wrote to memory of 2624	2856	{F0BE4605-7BEF-40cb-8590-DCD5E2D0CDAB}.exe	41
PID 2856 wrote to memory of 2624	2856	{F0BE4605-7BEF-40cb-8590-DCD5E2D0CDAB}.exe	41
PID 2856 wrote to memory of 2536	2856	{F0BE4605-7BEF-40cb-8590-DCD5E2D0CDAB}.exe	40
PID 2856 wrote to memory of 2536	2856	{F0BE4605-7BEF-40cb-8590-DCD5E2D0CDAB}.exe	40
PID 2856 wrote to memory of 2536	2856	{F0BE4605-7BEF-40cb-8590-DCD5E2D0CDAB}.exe	40
PID 2856 wrote to memory of 2536	2856	{F0BE4605-7BEF-40cb-8590-DCD5E2D0CDAB}.exe	40
PID 2624 wrote to memory of 904	2624	{04984115-FA09-4c90-8DA2-A47BEFE21231}.exe	42
PID 2624 wrote to memory of 904	2624	{04984115-FA09-4c90-8DA2-A47BEFE21231}.exe	42
PID 2624 wrote to memory of 904	2624	{04984115-FA09-4c90-8DA2-A47BEFE21231}.exe	42
PID 2624 wrote to memory of 904	2624	{04984115-FA09-4c90-8DA2-A47BEFE21231}.exe	42
PID 2624 wrote to memory of 1872	2624	{04984115-FA09-4c90-8DA2-A47BEFE21231}.exe	43
PID 2624 wrote to memory of 1872	2624	{04984115-FA09-4c90-8DA2-A47BEFE21231}.exe	43
PID 2624 wrote to memory of 1872	2624	{04984115-FA09-4c90-8DA2-A47BEFE21231}.exe	43
PID 2624 wrote to memory of 1872	2624	{04984115-FA09-4c90-8DA2-A47BEFE21231}.exe	43
PID 904 wrote to memory of 1556	904	{1395F67F-07D8-41b5-9CB2-B6611CB9C0D5}.exe	44
PID 904 wrote to memory of 1556	904	{1395F67F-07D8-41b5-9CB2-B6611CB9C0D5}.exe	44
PID 904 wrote to memory of 1556	904	{1395F67F-07D8-41b5-9CB2-B6611CB9C0D5}.exe	44
PID 904 wrote to memory of 1556	904	{1395F67F-07D8-41b5-9CB2-B6611CB9C0D5}.exe	44
PID 904 wrote to memory of 1684	904	{1395F67F-07D8-41b5-9CB2-B6611CB9C0D5}.exe	45
PID 904 wrote to memory of 1684	904	{1395F67F-07D8-41b5-9CB2-B6611CB9C0D5}.exe	45
PID 904 wrote to memory of 1684	904	{1395F67F-07D8-41b5-9CB2-B6611CB9C0D5}.exe	45
PID 904 wrote to memory of 1684	904	{1395F67F-07D8-41b5-9CB2-B6611CB9C0D5}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-02-21_284564ee9cbe0b75fb11000507c25b25_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-21_284564ee9cbe0b75fb11000507c25b25_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2108
- C:\Windows\{7311A749-F455-4104-8ED4-DA91FA230D09}.exe
  C:\Windows\{7311A749-F455-4104-8ED4-DA91FA230D09}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1672
- - C:\Windows\{07EF0637-3C68-488a-8F9B-044CC8B19CAF}.exe
    C:\Windows\{07EF0637-3C68-488a-8F9B-044CC8B19CAF}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2736
  - - C:\Windows\{616D93BB-596D-48a3-986C-A19176140153}.exe
      C:\Windows\{616D93BB-596D-48a3-986C-A19176140153}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2860
    - - C:\Windows\{6E2BF5D9-3104-4790-8533-5DF8471AD011}.exe
        
        C:\Windows\{6E2BF5D9-3104-4790-8533-5DF8471AD011}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2172
      - C:\Windows\{F0BE4605-7BEF-40cb-8590-DCD5E2D0CDAB}.exe
        
        C:\Windows\{F0BE4605-7BEF-40cb-8590-DCD5E2D0CDAB}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F0BE4~1.EXE > nul
        7⤵
        
        PID:2536
        
        C:\Windows\{04984115-FA09-4c90-8DA2-A47BEFE21231}.exe
        
        C:\Windows\{04984115-FA09-4c90-8DA2-A47BEFE21231}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2624
        
        C:\Windows\{1395F67F-07D8-41b5-9CB2-B6611CB9C0D5}.exe
        
        C:\Windows\{1395F67F-07D8-41b5-9CB2-B6611CB9C0D5}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:904
        
        C:\Windows\{EFE13B6A-F6B3-4498-B4EA-6DD0C4F9EB49}.exe
        
        C:\Windows\{EFE13B6A-F6B3-4498-B4EA-6DD0C4F9EB49}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EFE13~1.EXE > nul
        10⤵
        
        PID:1124
        
        C:\Windows\{D806BC32-A05D-4afa-BAF3-22C560CEE9DE}.exe
        
        C:\Windows\{D806BC32-A05D-4afa-BAF3-22C560CEE9DE}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D806B~1.EXE > nul
        11⤵
        
        PID:2000
        
        C:\Windows\{4F700178-F5AF-42aa-B179-1EA7F7C8333B}.exe
        
        C:\Windows\{4F700178-F5AF-42aa-B179-1EA7F7C8333B}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4F700~1.EXE > nul
        12⤵
        
        PID:1468
        
        C:\Windows\{B6F429FD-57AB-4e00-9AC9-6675DE90E260}.exe
        
        C:\Windows\{B6F429FD-57AB-4e00-9AC9-6675DE90E260}.exe
        12⤵
        Executes dropped EXE
        
        PID:880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1395F~1.EXE > nul
        9⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{04984~1.EXE > nul
        8⤵
        
        PID:1872
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6E2BF~1.EXE > nul
        6⤵
        
        PID:2768
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{616D9~1.EXE > nul
        5⤵
        
        PID:2384
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{07EF0~1.EXE > nul
      4⤵
      PID:2704
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{7311A~1.EXE > nul
    3⤵
    PID:2812
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:1972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{04984115-FA09-4c90-8DA2-A47BEFE21231}.exe

Filesize
180KB

MD5
f37975144b688d5715f53085ff18f27e

SHA1
f07d1b5635baf3d991470d96b2a4643fddceb4cb

SHA256
a90bfde9471dca645a6309d6bd92c7eee3a6efc75bb934cc33d9024bae80e07b

SHA512
322d18e4033807f94a92f81d4c55aaf96bb4666cc234ed5adc450a2fd30a8d9125969841ee5c503d67ff0bac4282840fe17cfc8d071e200b518533590e1e6d85

Download Submit
C:\Windows\{07EF0637-3C68-488a-8F9B-044CC8B19CAF}.exe

Filesize
180KB

MD5
ab7230f52d5b80c3b0fd41fa034324b2

SHA1
9488baad50f97248bd70d5cbaa1254afef5b18fb

SHA256
7ee7f8e3b119f2716f01fbe3e255f23c796fcca8a4f2295288809aa18065fb33

SHA512
4537a43cf21eba4f73c2cfedd1036ff1ae06e266dfd0d4976d2c4a20444e5f5270261bc39c99398fc3067624f06bb33cdb569ae5cf3f2dd047d850365ab3c45b

Download Submit
C:\Windows\{1395F67F-07D8-41b5-9CB2-B6611CB9C0D5}.exe

Filesize
180KB

MD5
c618755ac51e1ca733c8aa0f5e89a2ae

SHA1
d78d8490153be705c7a2f6824bb93b9036619d71

SHA256
92906bc4bba73d631d02fb3f72efa03efd82d3378760a506edadf8df3616b3fd

SHA512
982a190017da70156386791ea1844f84f73862c9d39b176bb1495c6fa1f86f5de9d9648671d187548eb685843787cc7c379de26eb4e603399e253a185c89c4b5

Download Submit
C:\Windows\{4F700178-F5AF-42aa-B179-1EA7F7C8333B}.exe

Filesize
180KB

MD5
f7496f1f97cf5fc755126a919060925c

SHA1
a38feeeca1197d2523319c6a32ea1ed01836a9d3

SHA256
21eb93483fd3dffa04fb53cb55e1d9943396fc4a772711cd334ed86a3180ca1f

SHA512
e2f994f8054cc510b7f1401fee811698522a5b6067305b12f13daaefb3c883c8259e59a16ec9c7729329ff6ab4722566ef1b3b98ed48eb67055f93b33cbbabfc

Download Submit
C:\Windows\{616D93BB-596D-48a3-986C-A19176140153}.exe

Filesize
180KB

MD5
9a5acc8e99b4357d3a5c21bb14f7a5f2

SHA1
53e83617fe15b209eeaa4bef031f16f6867df975

SHA256
6d0c70677bda4480bc2517e13232945d378995ae682ae2c840e650286b4690cd

SHA512
d7a4eafd14ec490762468459e599ee428dc481988ae9c26dc7e383810b9c328c5b7fd5b50bc01472ce8809d6215730540fa1b498d55bb7953e2f7e3481732777

Download Submit
C:\Windows\{6E2BF5D9-3104-4790-8533-5DF8471AD011}.exe

Filesize
180KB

MD5
f2e70e048130286bfef6e9cf050dfad3

SHA1
cec1b50117c339ec9c5e4481ed1ab7f89fb97af7

SHA256
cef14bf13d51e490c4bc385d4f360261b5e9527a4236f98abd5aa8a4c3f4a7ec

SHA512
64541402deb3a738339c99c3cff4f4fecd29a5664b2d85ee24275154e9fbf8ddb4f040e3121b8127c2a11df319ca826b3493fd447708da627c444b792ce2ca3b

Download Submit
C:\Windows\{7311A749-F455-4104-8ED4-DA91FA230D09}.exe

Filesize
180KB

MD5
2096fe2260df708e92603f8f5ed7dd0a

SHA1
cefdd9e7e6fd7725639b242fee22d1dfe502c0bc

SHA256
cfac7283d91d8e78611e97fc3b6acb5fcd45f1e06701d61d9a64023902a10a16

SHA512
273d5d765880a6e707b5cd38b33458e4ed06b6de634403e05e925ddf5aeebfb23f27e1ea46be02122351b5ba28055bf7a2599a7dd97d2941355cd7f2ba6a0368

Download Submit
C:\Windows\{B6F429FD-57AB-4e00-9AC9-6675DE90E260}.exe

Filesize
180KB

MD5
926a2279ce9162a191ad78d09e8659cf

SHA1
be082d2150d2c90ebaba2a8668f014c20974b38f

SHA256
f2ee96e24a4af8f90426db5e191c1d08d4077e8a9431c69d03fa06a142bc8350

SHA512
6bbeae3ca9dda276a7c672a46758ab267ecc8de90a4d9f9bd4e2cad4cbd7ae53337a4dde46514f565a6069ded86d183fea5a78d3c74edc5c50b661b14aea60e9

Download Submit
C:\Windows\{D806BC32-A05D-4afa-BAF3-22C560CEE9DE}.exe

Filesize
180KB

MD5
7dbf7491f3d8f684a42189e4595ef732

SHA1
07cea7b88516503623cdc8ada8b17d1e08c4a158

SHA256
c91da106adcaacf7096d2eed9333a1c7c0ac6eb9e8faf2ef0a77fe1e50f113f1

SHA512
9d89d71733160ab6e5c3e3da996aaf9bba0954595a13ec703f931bf17d21dba862e9b3a4738bea8f3b681bf7a2527a8e71aadb654db52d947baba75a31b5ae1e

Download Submit
C:\Windows\{EFE13B6A-F6B3-4498-B4EA-6DD0C4F9EB49}.exe

Filesize
180KB

MD5
adf1e74ffd291399c3688e67bb8d26b8

SHA1
b8f8e62fb1e087c129f78d5855ead88a3733f704

SHA256
7f39c3aff0fffb88e939bf47032a9f7e97924bc412cdd3a32ec25445d3ce833b

SHA512
6ea563309143da11dacf6b1eee2d7b05013358c4751e81d22dbcc3e847dff19de2bd9db4b9ea6fee0d40305ba1a43b2142805750932e5deca3fedf534094f127

Download Submit
C:\Windows\{F0BE4605-7BEF-40cb-8590-DCD5E2D0CDAB}.exe

Filesize
180KB

MD5
fdc7312c8757214a0575c7eb6a81c0f5

SHA1
2db0d5fd7b59a40e662792cf5b95503b8d3bd728

SHA256
243e33acf1b672bfc003bb97001126418bef74f6f024afb74d15aafdc546da9c

SHA512
810dcd99aee21e4536cacbd1d134c61f23ce88a976873803a5513c9447d3d69fe2b6d61db5956241318573681e5f29a362eec383ac46e78c790102fb83f9d235

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads