993a902c6a4ca8105457c241f0df8e4628422d28ef09a1859822c20c8bf9c93f

Analysis

max time kernel
144s
max time network
121s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
21-02-2024 17:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-21_bdbade173d5e08d397afb9f906920746_goldeneye.exe
Size

408KB
MD5

bdbade173d5e08d397afb9f906920746
SHA1

6c1c48fb220b03df58275eb3659bb248c0064e9b
SHA256

993a902c6a4ca8105457c241f0df8e4628422d28ef09a1859822c20c8bf9c93f
SHA512

4b5214b085c89f09f7ac02fa2feb12ac444d393b3f3b0c1d9b75dddc4e1450b1f6cff4197221371532f658fd96e34bf8fc6cac2448fc4c86dfced9f288163341
SSDEEP

3072:CEGh0o2l3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGwldOe2MUVg3vTeKcAEciTBqr3jy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000c00000001225d-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000015cd2-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d00000001225d-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0031000000015d39-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e00000001225d-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f00000001225d-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001000000001225d-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{41A663E2-F954-4064-9693-5960B196BA44}\stubpath = "C:\\Windows\\{41A663E2-F954-4064-9693-5960B196BA44}.exe"	{0DD3E02B-664F-474a-9773-08AC5677C48B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8D653032-B450-4ac4-A253-81B0E9FA23CC}\stubpath = "C:\\Windows\\{8D653032-B450-4ac4-A253-81B0E9FA23CC}.exe"	{41A663E2-F954-4064-9693-5960B196BA44}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8144512A-768A-4b62-8CCF-B311E9C215CF}	{8D653032-B450-4ac4-A253-81B0E9FA23CC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{06C9CAA8-4ED2-432c-8C77-1D01B7EEAA3F}	{1C87C728-A63E-4a53-BB9F-601BE6BAFCEA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{06C9CAA8-4ED2-432c-8C77-1D01B7EEAA3F}\stubpath = "C:\\Windows\\{06C9CAA8-4ED2-432c-8C77-1D01B7EEAA3F}.exe"	{1C87C728-A63E-4a53-BB9F-601BE6BAFCEA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EFA89F83-B037-41ea-B47D-675EDC7C2D0E}	{06C9CAA8-4ED2-432c-8C77-1D01B7EEAA3F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6852199E-CCE6-405d-BB99-839102327B8F}\stubpath = "C:\\Windows\\{6852199E-CCE6-405d-BB99-839102327B8F}.exe"	{5AA291B9-E8BA-4cff-8A3A-6A9ABA94C76F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0DD3E02B-664F-474a-9773-08AC5677C48B}\stubpath = "C:\\Windows\\{0DD3E02B-664F-474a-9773-08AC5677C48B}.exe"	{6852199E-CCE6-405d-BB99-839102327B8F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1F8B9DE9-5B72-4514-8DFD-9416CE8E553A}	{8144512A-768A-4b62-8CCF-B311E9C215CF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9C8E0553-6D2D-4a0e-8DE3-435ABF8813B7}	{1F8B9DE9-5B72-4514-8DFD-9416CE8E553A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9C8E0553-6D2D-4a0e-8DE3-435ABF8813B7}\stubpath = "C:\\Windows\\{9C8E0553-6D2D-4a0e-8DE3-435ABF8813B7}.exe"	{1F8B9DE9-5B72-4514-8DFD-9416CE8E553A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1C87C728-A63E-4a53-BB9F-601BE6BAFCEA}	2024-02-21_bdbade173d5e08d397afb9f906920746_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1C87C728-A63E-4a53-BB9F-601BE6BAFCEA}\stubpath = "C:\\Windows\\{1C87C728-A63E-4a53-BB9F-601BE6BAFCEA}.exe"	2024-02-21_bdbade173d5e08d397afb9f906920746_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EFA89F83-B037-41ea-B47D-675EDC7C2D0E}\stubpath = "C:\\Windows\\{EFA89F83-B037-41ea-B47D-675EDC7C2D0E}.exe"	{06C9CAA8-4ED2-432c-8C77-1D01B7EEAA3F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0DD3E02B-664F-474a-9773-08AC5677C48B}	{6852199E-CCE6-405d-BB99-839102327B8F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{41A663E2-F954-4064-9693-5960B196BA44}	{0DD3E02B-664F-474a-9773-08AC5677C48B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5AA291B9-E8BA-4cff-8A3A-6A9ABA94C76F}\stubpath = "C:\\Windows\\{5AA291B9-E8BA-4cff-8A3A-6A9ABA94C76F}.exe"	{EFA89F83-B037-41ea-B47D-675EDC7C2D0E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1F8B9DE9-5B72-4514-8DFD-9416CE8E553A}\stubpath = "C:\\Windows\\{1F8B9DE9-5B72-4514-8DFD-9416CE8E553A}.exe"	{8144512A-768A-4b62-8CCF-B311E9C215CF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5AA291B9-E8BA-4cff-8A3A-6A9ABA94C76F}	{EFA89F83-B037-41ea-B47D-675EDC7C2D0E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6852199E-CCE6-405d-BB99-839102327B8F}	{5AA291B9-E8BA-4cff-8A3A-6A9ABA94C76F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8D653032-B450-4ac4-A253-81B0E9FA23CC}	{41A663E2-F954-4064-9693-5960B196BA44}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8144512A-768A-4b62-8CCF-B311E9C215CF}\stubpath = "C:\\Windows\\{8144512A-768A-4b62-8CCF-B311E9C215CF}.exe"	{8D653032-B450-4ac4-A253-81B0E9FA23CC}.exe

Deletes itself 1 IoCs

pid	Process
2496	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2688	{1C87C728-A63E-4a53-BB9F-601BE6BAFCEA}.exe
2536	{06C9CAA8-4ED2-432c-8C77-1D01B7EEAA3F}.exe
2408	{EFA89F83-B037-41ea-B47D-675EDC7C2D0E}.exe
1516	{5AA291B9-E8BA-4cff-8A3A-6A9ABA94C76F}.exe
2700	{6852199E-CCE6-405d-BB99-839102327B8F}.exe
1736	{0DD3E02B-664F-474a-9773-08AC5677C48B}.exe
2180	{41A663E2-F954-4064-9693-5960B196BA44}.exe
2012	{8D653032-B450-4ac4-A253-81B0E9FA23CC}.exe
2252	{8144512A-768A-4b62-8CCF-B311E9C215CF}.exe
2092	{1F8B9DE9-5B72-4514-8DFD-9416CE8E553A}.exe
1592	{9C8E0553-6D2D-4a0e-8DE3-435ABF8813B7}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{6852199E-CCE6-405d-BB99-839102327B8F}.exe	{5AA291B9-E8BA-4cff-8A3A-6A9ABA94C76F}.exe
File created	C:\Windows\{8144512A-768A-4b62-8CCF-B311E9C215CF}.exe	{8D653032-B450-4ac4-A253-81B0E9FA23CC}.exe
File created	C:\Windows\{1F8B9DE9-5B72-4514-8DFD-9416CE8E553A}.exe	{8144512A-768A-4b62-8CCF-B311E9C215CF}.exe
File created	C:\Windows\{9C8E0553-6D2D-4a0e-8DE3-435ABF8813B7}.exe	{1F8B9DE9-5B72-4514-8DFD-9416CE8E553A}.exe
File created	C:\Windows\{8D653032-B450-4ac4-A253-81B0E9FA23CC}.exe	{41A663E2-F954-4064-9693-5960B196BA44}.exe
File created	C:\Windows\{1C87C728-A63E-4a53-BB9F-601BE6BAFCEA}.exe	2024-02-21_bdbade173d5e08d397afb9f906920746_goldeneye.exe
File created	C:\Windows\{06C9CAA8-4ED2-432c-8C77-1D01B7EEAA3F}.exe	{1C87C728-A63E-4a53-BB9F-601BE6BAFCEA}.exe
File created	C:\Windows\{EFA89F83-B037-41ea-B47D-675EDC7C2D0E}.exe	{06C9CAA8-4ED2-432c-8C77-1D01B7EEAA3F}.exe
File created	C:\Windows\{5AA291B9-E8BA-4cff-8A3A-6A9ABA94C76F}.exe	{EFA89F83-B037-41ea-B47D-675EDC7C2D0E}.exe
File created	C:\Windows\{0DD3E02B-664F-474a-9773-08AC5677C48B}.exe	{6852199E-CCE6-405d-BB99-839102327B8F}.exe
File created	C:\Windows\{41A663E2-F954-4064-9693-5960B196BA44}.exe	{0DD3E02B-664F-474a-9773-08AC5677C48B}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2192	2024-02-21_bdbade173d5e08d397afb9f906920746_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2688	{1C87C728-A63E-4a53-BB9F-601BE6BAFCEA}.exe
Token: SeIncBasePriorityPrivilege	2536	{06C9CAA8-4ED2-432c-8C77-1D01B7EEAA3F}.exe
Token: SeIncBasePriorityPrivilege	2408	{EFA89F83-B037-41ea-B47D-675EDC7C2D0E}.exe
Token: SeIncBasePriorityPrivilege	1516	{5AA291B9-E8BA-4cff-8A3A-6A9ABA94C76F}.exe
Token: SeIncBasePriorityPrivilege	2700	{6852199E-CCE6-405d-BB99-839102327B8F}.exe
Token: SeIncBasePriorityPrivilege	1736	{0DD3E02B-664F-474a-9773-08AC5677C48B}.exe
Token: SeIncBasePriorityPrivilege	2180	{41A663E2-F954-4064-9693-5960B196BA44}.exe
Token: SeIncBasePriorityPrivilege	2012	{8D653032-B450-4ac4-A253-81B0E9FA23CC}.exe
Token: SeIncBasePriorityPrivilege	2252	{8144512A-768A-4b62-8CCF-B311E9C215CF}.exe
Token: SeIncBasePriorityPrivilege	2092	{1F8B9DE9-5B72-4514-8DFD-9416CE8E553A}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2192 wrote to memory of 2688	2192	2024-02-21_bdbade173d5e08d397afb9f906920746_goldeneye.exe	29
PID 2192 wrote to memory of 2688	2192	2024-02-21_bdbade173d5e08d397afb9f906920746_goldeneye.exe	29
PID 2192 wrote to memory of 2688	2192	2024-02-21_bdbade173d5e08d397afb9f906920746_goldeneye.exe	29
PID 2192 wrote to memory of 2688	2192	2024-02-21_bdbade173d5e08d397afb9f906920746_goldeneye.exe	29
PID 2192 wrote to memory of 2496	2192	2024-02-21_bdbade173d5e08d397afb9f906920746_goldeneye.exe	30
PID 2192 wrote to memory of 2496	2192	2024-02-21_bdbade173d5e08d397afb9f906920746_goldeneye.exe	30
PID 2192 wrote to memory of 2496	2192	2024-02-21_bdbade173d5e08d397afb9f906920746_goldeneye.exe	30
PID 2192 wrote to memory of 2496	2192	2024-02-21_bdbade173d5e08d397afb9f906920746_goldeneye.exe	30
PID 2688 wrote to memory of 2536	2688	{1C87C728-A63E-4a53-BB9F-601BE6BAFCEA}.exe	31
PID 2688 wrote to memory of 2536	2688	{1C87C728-A63E-4a53-BB9F-601BE6BAFCEA}.exe	31
PID 2688 wrote to memory of 2536	2688	{1C87C728-A63E-4a53-BB9F-601BE6BAFCEA}.exe	31
PID 2688 wrote to memory of 2536	2688	{1C87C728-A63E-4a53-BB9F-601BE6BAFCEA}.exe	31
PID 2688 wrote to memory of 1040	2688	{1C87C728-A63E-4a53-BB9F-601BE6BAFCEA}.exe	32
PID 2688 wrote to memory of 1040	2688	{1C87C728-A63E-4a53-BB9F-601BE6BAFCEA}.exe	32
PID 2688 wrote to memory of 1040	2688	{1C87C728-A63E-4a53-BB9F-601BE6BAFCEA}.exe	32
PID 2688 wrote to memory of 1040	2688	{1C87C728-A63E-4a53-BB9F-601BE6BAFCEA}.exe	32
PID 2536 wrote to memory of 2408	2536	{06C9CAA8-4ED2-432c-8C77-1D01B7EEAA3F}.exe	33
PID 2536 wrote to memory of 2408	2536	{06C9CAA8-4ED2-432c-8C77-1D01B7EEAA3F}.exe	33
PID 2536 wrote to memory of 2408	2536	{06C9CAA8-4ED2-432c-8C77-1D01B7EEAA3F}.exe	33
PID 2536 wrote to memory of 2408	2536	{06C9CAA8-4ED2-432c-8C77-1D01B7EEAA3F}.exe	33
PID 2536 wrote to memory of 2440	2536	{06C9CAA8-4ED2-432c-8C77-1D01B7EEAA3F}.exe	34
PID 2536 wrote to memory of 2440	2536	{06C9CAA8-4ED2-432c-8C77-1D01B7EEAA3F}.exe	34
PID 2536 wrote to memory of 2440	2536	{06C9CAA8-4ED2-432c-8C77-1D01B7EEAA3F}.exe	34
PID 2536 wrote to memory of 2440	2536	{06C9CAA8-4ED2-432c-8C77-1D01B7EEAA3F}.exe	34
PID 2408 wrote to memory of 1516	2408	{EFA89F83-B037-41ea-B47D-675EDC7C2D0E}.exe	38
PID 2408 wrote to memory of 1516	2408	{EFA89F83-B037-41ea-B47D-675EDC7C2D0E}.exe	38
PID 2408 wrote to memory of 1516	2408	{EFA89F83-B037-41ea-B47D-675EDC7C2D0E}.exe	38
PID 2408 wrote to memory of 1516	2408	{EFA89F83-B037-41ea-B47D-675EDC7C2D0E}.exe	38
PID 2408 wrote to memory of 1512	2408	{EFA89F83-B037-41ea-B47D-675EDC7C2D0E}.exe	37
PID 2408 wrote to memory of 1512	2408	{EFA89F83-B037-41ea-B47D-675EDC7C2D0E}.exe	37
PID 2408 wrote to memory of 1512	2408	{EFA89F83-B037-41ea-B47D-675EDC7C2D0E}.exe	37
PID 2408 wrote to memory of 1512	2408	{EFA89F83-B037-41ea-B47D-675EDC7C2D0E}.exe	37
PID 1516 wrote to memory of 2700	1516	{5AA291B9-E8BA-4cff-8A3A-6A9ABA94C76F}.exe	39
PID 1516 wrote to memory of 2700	1516	{5AA291B9-E8BA-4cff-8A3A-6A9ABA94C76F}.exe	39
PID 1516 wrote to memory of 2700	1516	{5AA291B9-E8BA-4cff-8A3A-6A9ABA94C76F}.exe	39
PID 1516 wrote to memory of 2700	1516	{5AA291B9-E8BA-4cff-8A3A-6A9ABA94C76F}.exe	39
PID 1516 wrote to memory of 1880	1516	{5AA291B9-E8BA-4cff-8A3A-6A9ABA94C76F}.exe	40
PID 1516 wrote to memory of 1880	1516	{5AA291B9-E8BA-4cff-8A3A-6A9ABA94C76F}.exe	40
PID 1516 wrote to memory of 1880	1516	{5AA291B9-E8BA-4cff-8A3A-6A9ABA94C76F}.exe	40
PID 1516 wrote to memory of 1880	1516	{5AA291B9-E8BA-4cff-8A3A-6A9ABA94C76F}.exe	40
PID 2700 wrote to memory of 1736	2700	{6852199E-CCE6-405d-BB99-839102327B8F}.exe	41
PID 2700 wrote to memory of 1736	2700	{6852199E-CCE6-405d-BB99-839102327B8F}.exe	41
PID 2700 wrote to memory of 1736	2700	{6852199E-CCE6-405d-BB99-839102327B8F}.exe	41
PID 2700 wrote to memory of 1736	2700	{6852199E-CCE6-405d-BB99-839102327B8F}.exe	41
PID 2700 wrote to memory of 1580	2700	{6852199E-CCE6-405d-BB99-839102327B8F}.exe	42
PID 2700 wrote to memory of 1580	2700	{6852199E-CCE6-405d-BB99-839102327B8F}.exe	42
PID 2700 wrote to memory of 1580	2700	{6852199E-CCE6-405d-BB99-839102327B8F}.exe	42
PID 2700 wrote to memory of 1580	2700	{6852199E-CCE6-405d-BB99-839102327B8F}.exe	42
PID 1736 wrote to memory of 2180	1736	{0DD3E02B-664F-474a-9773-08AC5677C48B}.exe	44
PID 1736 wrote to memory of 2180	1736	{0DD3E02B-664F-474a-9773-08AC5677C48B}.exe	44
PID 1736 wrote to memory of 2180	1736	{0DD3E02B-664F-474a-9773-08AC5677C48B}.exe	44
PID 1736 wrote to memory of 2180	1736	{0DD3E02B-664F-474a-9773-08AC5677C48B}.exe	44
PID 1736 wrote to memory of 1276	1736	{0DD3E02B-664F-474a-9773-08AC5677C48B}.exe	43
PID 1736 wrote to memory of 1276	1736	{0DD3E02B-664F-474a-9773-08AC5677C48B}.exe	43
PID 1736 wrote to memory of 1276	1736	{0DD3E02B-664F-474a-9773-08AC5677C48B}.exe	43
PID 1736 wrote to memory of 1276	1736	{0DD3E02B-664F-474a-9773-08AC5677C48B}.exe	43
PID 2180 wrote to memory of 2012	2180	{41A663E2-F954-4064-9693-5960B196BA44}.exe	45
PID 2180 wrote to memory of 2012	2180	{41A663E2-F954-4064-9693-5960B196BA44}.exe	45
PID 2180 wrote to memory of 2012	2180	{41A663E2-F954-4064-9693-5960B196BA44}.exe	45
PID 2180 wrote to memory of 2012	2180	{41A663E2-F954-4064-9693-5960B196BA44}.exe	45
PID 2180 wrote to memory of 2008	2180	{41A663E2-F954-4064-9693-5960B196BA44}.exe	46
PID 2180 wrote to memory of 2008	2180	{41A663E2-F954-4064-9693-5960B196BA44}.exe	46
PID 2180 wrote to memory of 2008	2180	{41A663E2-F954-4064-9693-5960B196BA44}.exe	46
PID 2180 wrote to memory of 2008	2180	{41A663E2-F954-4064-9693-5960B196BA44}.exe	46

C:\Users\Admin\AppData\Local\Temp\2024-02-21_bdbade173d5e08d397afb9f906920746_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-21_bdbade173d5e08d397afb9f906920746_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2192
- C:\Windows\{1C87C728-A63E-4a53-BB9F-601BE6BAFCEA}.exe
  C:\Windows\{1C87C728-A63E-4a53-BB9F-601BE6BAFCEA}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2688
- - C:\Windows\{06C9CAA8-4ED2-432c-8C77-1D01B7EEAA3F}.exe
    C:\Windows\{06C9CAA8-4ED2-432c-8C77-1D01B7EEAA3F}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2536
  - - C:\Windows\{EFA89F83-B037-41ea-B47D-675EDC7C2D0E}.exe
      C:\Windows\{EFA89F83-B037-41ea-B47D-675EDC7C2D0E}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2408
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EFA89~1.EXE > nul
        5⤵
        
        PID:1512
    - - C:\Windows\{5AA291B9-E8BA-4cff-8A3A-6A9ABA94C76F}.exe
        
        C:\Windows\{5AA291B9-E8BA-4cff-8A3A-6A9ABA94C76F}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1516
      - C:\Windows\{6852199E-CCE6-405d-BB99-839102327B8F}.exe
        
        C:\Windows\{6852199E-CCE6-405d-BB99-839102327B8F}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2700
        
        C:\Windows\{0DD3E02B-664F-474a-9773-08AC5677C48B}.exe
        
        C:\Windows\{0DD3E02B-664F-474a-9773-08AC5677C48B}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0DD3E~1.EXE > nul
        8⤵
        
        PID:1276
        
        C:\Windows\{41A663E2-F954-4064-9693-5960B196BA44}.exe
        
        C:\Windows\{41A663E2-F954-4064-9693-5960B196BA44}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2180
        
        C:\Windows\{8D653032-B450-4ac4-A253-81B0E9FA23CC}.exe
        
        C:\Windows\{8D653032-B450-4ac4-A253-81B0E9FA23CC}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2012
        
        C:\Windows\{8144512A-768A-4b62-8CCF-B311E9C215CF}.exe
        
        C:\Windows\{8144512A-768A-4b62-8CCF-B311E9C215CF}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2252
        
        C:\Windows\{1F8B9DE9-5B72-4514-8DFD-9416CE8E553A}.exe
        
        C:\Windows\{1F8B9DE9-5B72-4514-8DFD-9416CE8E553A}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2092
        
        C:\Windows\{9C8E0553-6D2D-4a0e-8DE3-435ABF8813B7}.exe
        
        C:\Windows\{9C8E0553-6D2D-4a0e-8DE3-435ABF8813B7}.exe
        12⤵
        Executes dropped EXE
        
        PID:1592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1F8B9~1.EXE > nul
        12⤵
        
        PID:564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{81445~1.EXE > nul
        11⤵
        
        PID:692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8D653~1.EXE > nul
        10⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{41A66~1.EXE > nul
        9⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{68521~1.EXE > nul
        7⤵
        
        PID:1580
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5AA29~1.EXE > nul
        6⤵
        
        PID:1880
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{06C9C~1.EXE > nul
      4⤵
      PID:2440
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{1C87C~1.EXE > nul
    3⤵
    PID:1040
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{06C9CAA8-4ED2-432c-8C77-1D01B7EEAA3F}.exe

Filesize
408KB

MD5
cab0441d667eaed0305876223c937295

SHA1
cdbed56f881f0bba7914ae9e2d4cd6c32b5a212d

SHA256
c84ad8b58b747763acd815bb991e1da73a29d1967ea5a356b4d34ec7db17adca

SHA512
adf26aadd3c672b2e5ba07ee186eb1f8877268c6c9474fa1fcc6ebe73f6eea8909c5b8025701c1de4863350ccaa7867142935c223b8704f019d637ec762798ad

Download Submit
C:\Windows\{0DD3E02B-664F-474a-9773-08AC5677C48B}.exe

Filesize
408KB

MD5
f81899fca04d9d36f206d6f443073fc2

SHA1
6fda619e90583663ee7ac71819beb2e194ad8d49

SHA256
699f7dce2ed0f36666fc97cd9064d0a359bee4314d3935a2c29479312ffe1f4f

SHA512
35a6ba20f3cbf6b198d97a93b948d39466ba63c87a8609b7596f3b7ae4f80a7d3c43e6493910fb019a0eea18f0f69b15401f8146692eb449bb3cd3777eb0cb89

Download Submit
C:\Windows\{1C87C728-A63E-4a53-BB9F-601BE6BAFCEA}.exe

Filesize
408KB

MD5
437cb14e092d8c5c0369ea6245948cf6

SHA1
022661020e7a3289447423817e1982bd20702d7d

SHA256
644583e16d88fac99410456408c7cd1326aa5741c1c23aa9104e14e1b31e65f0

SHA512
d7e8e8ab9269bd4667487b2369503ba70fa249441249be4391f3cc590ea7a5326690b2b53b31624ddd569d682620409a334c9aaeeee23d8e2ee591f65e894536

Download Submit
C:\Windows\{1F8B9DE9-5B72-4514-8DFD-9416CE8E553A}.exe

Filesize
408KB

MD5
ceb520a1db1868899dce7e813402e87d

SHA1
ade206896b15111d819c11ffd1a26a526a401842

SHA256
d71b5815c80dbe8a0812d248e5dae3a517710603b2b58dd1835353533b1c0e2d

SHA512
651700f97c8463287f730ad78b3e754c579259212e9c8a56379f3ac991832f4609917d39a00f7d7057321f886ab056cb11ad63fca9f84798e641865d0aab62ea

Download Submit
C:\Windows\{41A663E2-F954-4064-9693-5960B196BA44}.exe

Filesize
408KB

MD5
68bd0034764e8d0027bcb94f5c9033cd

SHA1
68cce2cada2a316453f936ed2092ba1628eacd67

SHA256
c35fb93a2773a2aaf6cc4f85b40d426b40e9a506535c6f9b1b0d29645aad1e72

SHA512
13a6ffa8e5dace85670082013d349982122a1bd5b2fd506ca28d5e03703a9f239dd5544b41438b5aed9db09ceef88ec34d6b0e8a048f5c7290e020ae0c64d8be

Download Submit
C:\Windows\{5AA291B9-E8BA-4cff-8A3A-6A9ABA94C76F}.exe

Filesize
408KB

MD5
9189f229929af90b5f498853b1fae088

SHA1
8931a1553a6edaad3086cd61b289eb395c47792f

SHA256
8b79c1f1c35eadc3a117aceb84de06d90d6b35d6507d564ad96e5a70e98b03ce

SHA512
f77b1b5873e03dd75b92673f7b0cee010e953d10504b2eb63d7eea4d0f87621d915acbf9da2aaf3ae51f1ad6c20da547c0376aff91a4eab911ced6db08393e65

Download Submit
C:\Windows\{6852199E-CCE6-405d-BB99-839102327B8F}.exe

Filesize
408KB

MD5
75662d3f848b6d41793a757e06155347

SHA1
51736c7829a899804fb64d5525d18c8cebcc4880

SHA256
43d04d3b518bd4e55bc23c7a718eac669ddb4866bd62e4070ddb9282d43d7cae

SHA512
90d133caf4e2fb648598dc872280bf3ded6557043fbc1eb13c1db1a9b719b20fa240285b500a7006bedbf5863ca1d677dda5a4460ab9cae154e73bf1e9520494

Download Submit
C:\Windows\{8144512A-768A-4b62-8CCF-B311E9C215CF}.exe

Filesize
408KB

MD5
5a5998f46b5ff5c05bc65d2fd8ae7308

SHA1
61526c809d87571ab64b3ae603a8a9bb75ebe293

SHA256
4ad721357bab1c1949c7fc05fa8e5edf1f4331ce8d5295bf90879ae2f229a631

SHA512
2cff9b559d1a4343eab86ee4f9df04c33f82fc271a7cd1f5177623acc01298d765306be7304494140ea015bb23a1e211804dd53c93a9b51826f42b12e4f1a7e9

Download Submit
C:\Windows\{8D653032-B450-4ac4-A253-81B0E9FA23CC}.exe

Filesize
408KB

MD5
07a186ecb0abcdd56c4d374f0eacf5c5

SHA1
82a9cd79be6d67fd11b0e3b69fe0ef5f32cba4e5

SHA256
fb1ac78b5a2aed59a17e0588da2a1b455c6fb2696d3ad6369ce0baf29599a33d

SHA512
d0b226a1f4d7bcfd994795bd25c80f856adfc439227afa1e97770f783eddc1f591e4258e99792547178dd40421d0c343dbc5f3960f1dc25137e3532535090755

Download Submit
C:\Windows\{9C8E0553-6D2D-4a0e-8DE3-435ABF8813B7}.exe

Filesize
408KB

MD5
167f1134d61be6ef6e25b53bad3a79b9

SHA1
4bc878424c1a2b7d235180fc84164cd709b6bce5

SHA256
f79a6c18282b823e7f26779e4d0c1f1ad3631edf217beebdbd7330cb54c5bcde

SHA512
2ab00369cd25841b976a69d5c96fec0a6e91bc395d960509444a25dbf4ae8e5f356fc237d34e230aab22f25bc6e801e821363502b41b5b633cb65181f59d0344

Download Submit
C:\Windows\{EFA89F83-B037-41ea-B47D-675EDC7C2D0E}.exe

Filesize
408KB

MD5
71ec658be765d68afb0419c5c29dd547

SHA1
f9046afbe206fe2a598e525848a7c4410034781f

SHA256
4f7fc00653d5f08615ee76bd71de668f599780614d943829920f48bdca8c9e44

SHA512
67ba2c91e33aef68ef32bd6842f8de1c571d75ab63ac3187a283be1e5e93332c8416605af5a59a1b318a610ff178e8d7557f1e7a6e8400da8d8cffaebc48fc0b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads