8558d283409e810cbd79a711e575d0546eefd974538d1d972f55848ea322897f

Analysis

max time kernel
144s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
22/02/2024, 21:29

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-02-22_5149864c43b8193a1fa82fa3e724fc41_goldeneye.exe
Size

197KB
MD5

5149864c43b8193a1fa82fa3e724fc41
SHA1

b6670e57b52cbfafb81c2839fcce61a099292561
SHA256

8558d283409e810cbd79a711e575d0546eefd974538d1d972f55848ea322897f
SHA512

edae0dafb1dedd67dbaba8f9abf4a02b74cc614d687f0de6dab9ddc4da14cfd5c02d5ca3c8c71b697fbd38c5f3e86925a3885e6c6562ccc77c01d31f98e3dfd5
SSDEEP

3072:jEGh0oml+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGwlEeKcAEca

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral1/files/0x000c0000000122c3-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c0000000122c3-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b000000014a92-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d0000000122c3-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000300000000b1f2-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000400000000b1f2-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000500000000b1f2-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000600000000b1f2-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{118243A3-388E-49ca-859C-D0327C4DABCF}\stubpath = "C:\\Windows\\{118243A3-388E-49ca-859C-D0327C4DABCF}.exe"	{9DF90A52-A33D-46bd-81EB-B31DA5D94389}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{227C4240-7284-4819-8A39-25E99F61F109}	{A30FDA85-528D-435c-AE64-6CC3F61991D0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{227C4240-7284-4819-8A39-25E99F61F109}\stubpath = "C:\\Windows\\{227C4240-7284-4819-8A39-25E99F61F109}.exe"	{A30FDA85-528D-435c-AE64-6CC3F61991D0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{184C646C-A8D0-453c-A86D-4DCFF3C049D1}	{227C4240-7284-4819-8A39-25E99F61F109}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7AA09406-DAC2-4272-AAF8-58465ADD2FBC}	{184C646C-A8D0-453c-A86D-4DCFF3C049D1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9DF90A52-A33D-46bd-81EB-B31DA5D94389}\stubpath = "C:\\Windows\\{9DF90A52-A33D-46bd-81EB-B31DA5D94389}.exe"	{51FC3197-02C7-464a-8398-8A04C7E3615D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{88E0C037-3DFC-4cfe-A8E0-5C5F4967B903}	{118243A3-388E-49ca-859C-D0327C4DABCF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{78F756D1-BFF6-4a28-BDB2-EEB6C127B147}	{88E0C037-3DFC-4cfe-A8E0-5C5F4967B903}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{78F756D1-BFF6-4a28-BDB2-EEB6C127B147}\stubpath = "C:\\Windows\\{78F756D1-BFF6-4a28-BDB2-EEB6C127B147}.exe"	{88E0C037-3DFC-4cfe-A8E0-5C5F4967B903}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A30FDA85-528D-435c-AE64-6CC3F61991D0}	2024-02-22_5149864c43b8193a1fa82fa3e724fc41_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A30FDA85-528D-435c-AE64-6CC3F61991D0}\stubpath = "C:\\Windows\\{A30FDA85-528D-435c-AE64-6CC3F61991D0}.exe"	2024-02-22_5149864c43b8193a1fa82fa3e724fc41_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7636FC25-83DB-436d-9671-80131E3251AF}\stubpath = "C:\\Windows\\{7636FC25-83DB-436d-9671-80131E3251AF}.exe"	{518BC4D1-FD67-4949-9190-CE45A01156DD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{51FC3197-02C7-464a-8398-8A04C7E3615D}	{7636FC25-83DB-436d-9671-80131E3251AF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{88E0C037-3DFC-4cfe-A8E0-5C5F4967B903}\stubpath = "C:\\Windows\\{88E0C037-3DFC-4cfe-A8E0-5C5F4967B903}.exe"	{118243A3-388E-49ca-859C-D0327C4DABCF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{51FC3197-02C7-464a-8398-8A04C7E3615D}\stubpath = "C:\\Windows\\{51FC3197-02C7-464a-8398-8A04C7E3615D}.exe"	{7636FC25-83DB-436d-9671-80131E3251AF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9DF90A52-A33D-46bd-81EB-B31DA5D94389}	{51FC3197-02C7-464a-8398-8A04C7E3615D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{118243A3-388E-49ca-859C-D0327C4DABCF}	{9DF90A52-A33D-46bd-81EB-B31DA5D94389}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{184C646C-A8D0-453c-A86D-4DCFF3C049D1}\stubpath = "C:\\Windows\\{184C646C-A8D0-453c-A86D-4DCFF3C049D1}.exe"	{227C4240-7284-4819-8A39-25E99F61F109}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7AA09406-DAC2-4272-AAF8-58465ADD2FBC}\stubpath = "C:\\Windows\\{7AA09406-DAC2-4272-AAF8-58465ADD2FBC}.exe"	{184C646C-A8D0-453c-A86D-4DCFF3C049D1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{518BC4D1-FD67-4949-9190-CE45A01156DD}	{7AA09406-DAC2-4272-AAF8-58465ADD2FBC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{518BC4D1-FD67-4949-9190-CE45A01156DD}\stubpath = "C:\\Windows\\{518BC4D1-FD67-4949-9190-CE45A01156DD}.exe"	{7AA09406-DAC2-4272-AAF8-58465ADD2FBC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7636FC25-83DB-436d-9671-80131E3251AF}	{518BC4D1-FD67-4949-9190-CE45A01156DD}.exe

Deletes itself 1 IoCs

pid	Process
2968	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2152	{A30FDA85-528D-435c-AE64-6CC3F61991D0}.exe
1564	{227C4240-7284-4819-8A39-25E99F61F109}.exe
2944	{184C646C-A8D0-453c-A86D-4DCFF3C049D1}.exe
1192	{7AA09406-DAC2-4272-AAF8-58465ADD2FBC}.exe
2892	{518BC4D1-FD67-4949-9190-CE45A01156DD}.exe
1748	{7636FC25-83DB-436d-9671-80131E3251AF}.exe
1816	{51FC3197-02C7-464a-8398-8A04C7E3615D}.exe
2616	{9DF90A52-A33D-46bd-81EB-B31DA5D94389}.exe
2368	{118243A3-388E-49ca-859C-D0327C4DABCF}.exe
2260	{88E0C037-3DFC-4cfe-A8E0-5C5F4967B903}.exe
3012	{78F756D1-BFF6-4a28-BDB2-EEB6C127B147}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{51FC3197-02C7-464a-8398-8A04C7E3615D}.exe	{7636FC25-83DB-436d-9671-80131E3251AF}.exe
File created	C:\Windows\{9DF90A52-A33D-46bd-81EB-B31DA5D94389}.exe	{51FC3197-02C7-464a-8398-8A04C7E3615D}.exe
File created	C:\Windows\{A30FDA85-528D-435c-AE64-6CC3F61991D0}.exe	2024-02-22_5149864c43b8193a1fa82fa3e724fc41_goldeneye.exe
File created	C:\Windows\{227C4240-7284-4819-8A39-25E99F61F109}.exe	{A30FDA85-528D-435c-AE64-6CC3F61991D0}.exe
File created	C:\Windows\{184C646C-A8D0-453c-A86D-4DCFF3C049D1}.exe	{227C4240-7284-4819-8A39-25E99F61F109}.exe
File created	C:\Windows\{7AA09406-DAC2-4272-AAF8-58465ADD2FBC}.exe	{184C646C-A8D0-453c-A86D-4DCFF3C049D1}.exe
File created	C:\Windows\{518BC4D1-FD67-4949-9190-CE45A01156DD}.exe	{7AA09406-DAC2-4272-AAF8-58465ADD2FBC}.exe
File created	C:\Windows\{7636FC25-83DB-436d-9671-80131E3251AF}.exe	{518BC4D1-FD67-4949-9190-CE45A01156DD}.exe
File created	C:\Windows\{118243A3-388E-49ca-859C-D0327C4DABCF}.exe	{9DF90A52-A33D-46bd-81EB-B31DA5D94389}.exe
File created	C:\Windows\{78F756D1-BFF6-4a28-BDB2-EEB6C127B147}.exe	{88E0C037-3DFC-4cfe-A8E0-5C5F4967B903}.exe
File created	C:\Windows\{88E0C037-3DFC-4cfe-A8E0-5C5F4967B903}.exe	{118243A3-388E-49ca-859C-D0327C4DABCF}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2372	2024-02-22_5149864c43b8193a1fa82fa3e724fc41_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2152	{A30FDA85-528D-435c-AE64-6CC3F61991D0}.exe
Token: SeIncBasePriorityPrivilege	1564	{227C4240-7284-4819-8A39-25E99F61F109}.exe
Token: SeIncBasePriorityPrivilege	2944	{184C646C-A8D0-453c-A86D-4DCFF3C049D1}.exe
Token: SeIncBasePriorityPrivilege	1192	{7AA09406-DAC2-4272-AAF8-58465ADD2FBC}.exe
Token: SeIncBasePriorityPrivilege	2892	{518BC4D1-FD67-4949-9190-CE45A01156DD}.exe
Token: SeIncBasePriorityPrivilege	1748	{7636FC25-83DB-436d-9671-80131E3251AF}.exe
Token: SeIncBasePriorityPrivilege	1816	{51FC3197-02C7-464a-8398-8A04C7E3615D}.exe
Token: SeIncBasePriorityPrivilege	2616	{9DF90A52-A33D-46bd-81EB-B31DA5D94389}.exe
Token: SeIncBasePriorityPrivilege	2368	{118243A3-388E-49ca-859C-D0327C4DABCF}.exe
Token: SeIncBasePriorityPrivilege	2260	{88E0C037-3DFC-4cfe-A8E0-5C5F4967B903}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2372 wrote to memory of 2152	2372	2024-02-22_5149864c43b8193a1fa82fa3e724fc41_goldeneye.exe	28
PID 2372 wrote to memory of 2152	2372	2024-02-22_5149864c43b8193a1fa82fa3e724fc41_goldeneye.exe	28
PID 2372 wrote to memory of 2152	2372	2024-02-22_5149864c43b8193a1fa82fa3e724fc41_goldeneye.exe	28
PID 2372 wrote to memory of 2152	2372	2024-02-22_5149864c43b8193a1fa82fa3e724fc41_goldeneye.exe	28
PID 2372 wrote to memory of 2968	2372	2024-02-22_5149864c43b8193a1fa82fa3e724fc41_goldeneye.exe	29
PID 2372 wrote to memory of 2968	2372	2024-02-22_5149864c43b8193a1fa82fa3e724fc41_goldeneye.exe	29
PID 2372 wrote to memory of 2968	2372	2024-02-22_5149864c43b8193a1fa82fa3e724fc41_goldeneye.exe	29
PID 2372 wrote to memory of 2968	2372	2024-02-22_5149864c43b8193a1fa82fa3e724fc41_goldeneye.exe	29
PID 2152 wrote to memory of 1564	2152	{A30FDA85-528D-435c-AE64-6CC3F61991D0}.exe	30
PID 2152 wrote to memory of 1564	2152	{A30FDA85-528D-435c-AE64-6CC3F61991D0}.exe	30
PID 2152 wrote to memory of 1564	2152	{A30FDA85-528D-435c-AE64-6CC3F61991D0}.exe	30
PID 2152 wrote to memory of 1564	2152	{A30FDA85-528D-435c-AE64-6CC3F61991D0}.exe	30
PID 2152 wrote to memory of 2728	2152	{A30FDA85-528D-435c-AE64-6CC3F61991D0}.exe	31
PID 2152 wrote to memory of 2728	2152	{A30FDA85-528D-435c-AE64-6CC3F61991D0}.exe	31
PID 2152 wrote to memory of 2728	2152	{A30FDA85-528D-435c-AE64-6CC3F61991D0}.exe	31
PID 2152 wrote to memory of 2728	2152	{A30FDA85-528D-435c-AE64-6CC3F61991D0}.exe	31
PID 1564 wrote to memory of 2944	1564	{227C4240-7284-4819-8A39-25E99F61F109}.exe	32
PID 1564 wrote to memory of 2944	1564	{227C4240-7284-4819-8A39-25E99F61F109}.exe	32
PID 1564 wrote to memory of 2944	1564	{227C4240-7284-4819-8A39-25E99F61F109}.exe	32
PID 1564 wrote to memory of 2944	1564	{227C4240-7284-4819-8A39-25E99F61F109}.exe	32
PID 1564 wrote to memory of 2596	1564	{227C4240-7284-4819-8A39-25E99F61F109}.exe	33
PID 1564 wrote to memory of 2596	1564	{227C4240-7284-4819-8A39-25E99F61F109}.exe	33
PID 1564 wrote to memory of 2596	1564	{227C4240-7284-4819-8A39-25E99F61F109}.exe	33
PID 1564 wrote to memory of 2596	1564	{227C4240-7284-4819-8A39-25E99F61F109}.exe	33
PID 2944 wrote to memory of 1192	2944	{184C646C-A8D0-453c-A86D-4DCFF3C049D1}.exe	36
PID 2944 wrote to memory of 1192	2944	{184C646C-A8D0-453c-A86D-4DCFF3C049D1}.exe	36
PID 2944 wrote to memory of 1192	2944	{184C646C-A8D0-453c-A86D-4DCFF3C049D1}.exe	36
PID 2944 wrote to memory of 1192	2944	{184C646C-A8D0-453c-A86D-4DCFF3C049D1}.exe	36
PID 2944 wrote to memory of 1360	2944	{184C646C-A8D0-453c-A86D-4DCFF3C049D1}.exe	37
PID 2944 wrote to memory of 1360	2944	{184C646C-A8D0-453c-A86D-4DCFF3C049D1}.exe	37
PID 2944 wrote to memory of 1360	2944	{184C646C-A8D0-453c-A86D-4DCFF3C049D1}.exe	37
PID 2944 wrote to memory of 1360	2944	{184C646C-A8D0-453c-A86D-4DCFF3C049D1}.exe	37
PID 1192 wrote to memory of 2892	1192	{7AA09406-DAC2-4272-AAF8-58465ADD2FBC}.exe	38
PID 1192 wrote to memory of 2892	1192	{7AA09406-DAC2-4272-AAF8-58465ADD2FBC}.exe	38
PID 1192 wrote to memory of 2892	1192	{7AA09406-DAC2-4272-AAF8-58465ADD2FBC}.exe	38
PID 1192 wrote to memory of 2892	1192	{7AA09406-DAC2-4272-AAF8-58465ADD2FBC}.exe	38
PID 1192 wrote to memory of 2992	1192	{7AA09406-DAC2-4272-AAF8-58465ADD2FBC}.exe	39
PID 1192 wrote to memory of 2992	1192	{7AA09406-DAC2-4272-AAF8-58465ADD2FBC}.exe	39
PID 1192 wrote to memory of 2992	1192	{7AA09406-DAC2-4272-AAF8-58465ADD2FBC}.exe	39
PID 1192 wrote to memory of 2992	1192	{7AA09406-DAC2-4272-AAF8-58465ADD2FBC}.exe	39
PID 2892 wrote to memory of 1748	2892	{518BC4D1-FD67-4949-9190-CE45A01156DD}.exe	41
PID 2892 wrote to memory of 1748	2892	{518BC4D1-FD67-4949-9190-CE45A01156DD}.exe	41
PID 2892 wrote to memory of 1748	2892	{518BC4D1-FD67-4949-9190-CE45A01156DD}.exe	41
PID 2892 wrote to memory of 1748	2892	{518BC4D1-FD67-4949-9190-CE45A01156DD}.exe	41
PID 2892 wrote to memory of 1756	2892	{518BC4D1-FD67-4949-9190-CE45A01156DD}.exe	40
PID 2892 wrote to memory of 1756	2892	{518BC4D1-FD67-4949-9190-CE45A01156DD}.exe	40
PID 2892 wrote to memory of 1756	2892	{518BC4D1-FD67-4949-9190-CE45A01156DD}.exe	40
PID 2892 wrote to memory of 1756	2892	{518BC4D1-FD67-4949-9190-CE45A01156DD}.exe	40
PID 1748 wrote to memory of 1816	1748	{7636FC25-83DB-436d-9671-80131E3251AF}.exe	42
PID 1748 wrote to memory of 1816	1748	{7636FC25-83DB-436d-9671-80131E3251AF}.exe	42
PID 1748 wrote to memory of 1816	1748	{7636FC25-83DB-436d-9671-80131E3251AF}.exe	42
PID 1748 wrote to memory of 1816	1748	{7636FC25-83DB-436d-9671-80131E3251AF}.exe	42
PID 1748 wrote to memory of 268	1748	{7636FC25-83DB-436d-9671-80131E3251AF}.exe	43
PID 1748 wrote to memory of 268	1748	{7636FC25-83DB-436d-9671-80131E3251AF}.exe	43
PID 1748 wrote to memory of 268	1748	{7636FC25-83DB-436d-9671-80131E3251AF}.exe	43
PID 1748 wrote to memory of 268	1748	{7636FC25-83DB-436d-9671-80131E3251AF}.exe	43
PID 1816 wrote to memory of 2616	1816	{51FC3197-02C7-464a-8398-8A04C7E3615D}.exe	44
PID 1816 wrote to memory of 2616	1816	{51FC3197-02C7-464a-8398-8A04C7E3615D}.exe	44
PID 1816 wrote to memory of 2616	1816	{51FC3197-02C7-464a-8398-8A04C7E3615D}.exe	44
PID 1816 wrote to memory of 2616	1816	{51FC3197-02C7-464a-8398-8A04C7E3615D}.exe	44
PID 1816 wrote to memory of 364	1816	{51FC3197-02C7-464a-8398-8A04C7E3615D}.exe	45
PID 1816 wrote to memory of 364	1816	{51FC3197-02C7-464a-8398-8A04C7E3615D}.exe	45
PID 1816 wrote to memory of 364	1816	{51FC3197-02C7-464a-8398-8A04C7E3615D}.exe	45
PID 1816 wrote to memory of 364	1816	{51FC3197-02C7-464a-8398-8A04C7E3615D}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-02-22_5149864c43b8193a1fa82fa3e724fc41_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-22_5149864c43b8193a1fa82fa3e724fc41_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2372
- C:\Windows\{A30FDA85-528D-435c-AE64-6CC3F61991D0}.exe
  C:\Windows\{A30FDA85-528D-435c-AE64-6CC3F61991D0}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2152
- - C:\Windows\{227C4240-7284-4819-8A39-25E99F61F109}.exe
    C:\Windows\{227C4240-7284-4819-8A39-25E99F61F109}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1564
  - - C:\Windows\{184C646C-A8D0-453c-A86D-4DCFF3C049D1}.exe
      C:\Windows\{184C646C-A8D0-453c-A86D-4DCFF3C049D1}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2944
    - - C:\Windows\{7AA09406-DAC2-4272-AAF8-58465ADD2FBC}.exe
        
        C:\Windows\{7AA09406-DAC2-4272-AAF8-58465ADD2FBC}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1192
      - C:\Windows\{518BC4D1-FD67-4949-9190-CE45A01156DD}.exe
        
        C:\Windows\{518BC4D1-FD67-4949-9190-CE45A01156DD}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{518BC~1.EXE > nul
        7⤵
        
        PID:1756
        
        C:\Windows\{7636FC25-83DB-436d-9671-80131E3251AF}.exe
        
        C:\Windows\{7636FC25-83DB-436d-9671-80131E3251AF}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1748
        
        C:\Windows\{51FC3197-02C7-464a-8398-8A04C7E3615D}.exe
        
        C:\Windows\{51FC3197-02C7-464a-8398-8A04C7E3615D}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1816
        
        C:\Windows\{9DF90A52-A33D-46bd-81EB-B31DA5D94389}.exe
        
        C:\Windows\{9DF90A52-A33D-46bd-81EB-B31DA5D94389}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2616
        
        C:\Windows\{118243A3-388E-49ca-859C-D0327C4DABCF}.exe
        
        C:\Windows\{118243A3-388E-49ca-859C-D0327C4DABCF}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2368
        
        C:\Windows\{88E0C037-3DFC-4cfe-A8E0-5C5F4967B903}.exe
        
        C:\Windows\{88E0C037-3DFC-4cfe-A8E0-5C5F4967B903}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2260
        
        C:\Windows\{78F756D1-BFF6-4a28-BDB2-EEB6C127B147}.exe
        
        C:\Windows\{78F756D1-BFF6-4a28-BDB2-EEB6C127B147}.exe
        12⤵
        Executes dropped EXE
        
        PID:3012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{88E0C~1.EXE > nul
        12⤵
        
        PID:1140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{11824~1.EXE > nul
        11⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9DF90~1.EXE > nul
        10⤵
        
        PID:332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{51FC3~1.EXE > nul
        9⤵
        
        PID:364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7636F~1.EXE > nul
        8⤵
        
        PID:268
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7AA09~1.EXE > nul
        6⤵
        
        PID:2992
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{184C6~1.EXE > nul
        5⤵
        
        PID:1360
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{227C4~1.EXE > nul
      4⤵
      PID:2596
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{A30FD~1.EXE > nul
    3⤵
    PID:2728
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{118243A3-388E-49ca-859C-D0327C4DABCF}.exe

Filesize
197KB

MD5
7b7e67e2c7fee3bf1f0324b7651bfca4

SHA1
dcd88cfcaf0f41b875d1d113af4bf7560ef7bfd2

SHA256
be395f38f496451acad1edf45f9b28ccd079af9e9401269316587caee90845f1

SHA512
30040f913161c56afd64c7f0076c222d2422ae514515580b226728bb071adb01c73ef2473c1a4749e0ce0761840e70a5b908e2a09d4a84139a915dab9fad0adb

Download Submit
C:\Windows\{184C646C-A8D0-453c-A86D-4DCFF3C049D1}.exe

Filesize
197KB

MD5
f96ea00e6cf69b3681a7acf78d0b98aa

SHA1
2fd5d249e0d85aa184c81e75e5e18dd20e04313e

SHA256
57263826a412d9af5cdbd26e05e060ab010ea4dac1af2353e6710ad8eac8a1e4

SHA512
cd345648892baa12c4edf0f577eed8f1c21da37b2d303d29cb92f1244c5d040bbd8e606082441c72963281d3440965b93352fcd5dbdd9d68770b7daae71cba41

Download Submit
C:\Windows\{227C4240-7284-4819-8A39-25E99F61F109}.exe

Filesize
197KB

MD5
198a97b131240258f5aabf2b440fa49c

SHA1
a4e0182c8246cfa05eedcf484f260d6e7fbeebbc

SHA256
c388afaea60c58284791722a2a22105c052c057d17b68a49f4860b3334ecf342

SHA512
904421e0f0797116c1633a6cd79882311ae9a330ddba6443abedfdbcfff90b77ee324b26d784be4d167faa9782a1fdfbe0767df9bd0f536303c27eebd58dcc6f

Download Submit
C:\Windows\{518BC4D1-FD67-4949-9190-CE45A01156DD}.exe

Filesize
197KB

MD5
1a2e4ea2ddb38c4ffa2c7dc639ea223d

SHA1
c60e1d897099e96199dadf0f56ade3a3de15f8f7

SHA256
2600ee2f0f37931b9037a4835a7f01fba531d5dc35240fe6c93c45b2ab749ef2

SHA512
de1eeb33c344d83692ee0e34014e6cb29383c7d31054a51e7a5975d74f1ebd14506e76d9f000994a6082178911ea9fbb1d24a29a5b6b452d4b32f8ed9efcd5a8

Download Submit
C:\Windows\{51FC3197-02C7-464a-8398-8A04C7E3615D}.exe

Filesize
197KB

MD5
66495003f4b7d3101b75e38885e1e0d4

SHA1
3dc6343137852411facc95e8257bdba7a3ca7278

SHA256
40d8b6c72475eeae15359545e207dbb489cbb9cc70276c363f659ccb31c4fe9b

SHA512
347343c8b09310de6391818ed02cc9ad21b351bfb34c284d7bead08664e3aaa55b551aa768d90540dce61c900506bfdcf57754df14506b82a61488ecb7539d39

Download Submit
C:\Windows\{7636FC25-83DB-436d-9671-80131E3251AF}.exe

Filesize
197KB

MD5
6f9bff32933a6e6b335799d55c4f3a60

SHA1
f989d643b0c8bc6f0f039f01ef2b14d4e0b0f9e9

SHA256
7e9d60c5af13c14f4551fd6a9a5cb037041000a2d2b932b792d6d1cf788a6d6e

SHA512
d1a3de79b8c5246cd35830a429a46b1733b7d587624b79c19754c69f4189ba1d58508c116950634baec109f9dea7d24c69a305bdb0f46327f3ae369fa4936509

Download Submit
C:\Windows\{78F756D1-BFF6-4a28-BDB2-EEB6C127B147}.exe

Filesize
197KB

MD5
443a4c33e78a20bebd1c329eb8c2dc28

SHA1
073e1d221e6e767dcf264014db2622a8f323f201

SHA256
5e1d05b69d2066cce94c726fed52963fbb92b31145bd221f6365d939e1595751

SHA512
7ad8f33ea00f64581fc51abe73a91fa7538922f6b242c4b0c3f1a9e37bde333c1a43b6d557a39862bd4fbb7142ed8262d0c389a05cbb93c29c095548fadedd31

Download Submit
C:\Windows\{7AA09406-DAC2-4272-AAF8-58465ADD2FBC}.exe

Filesize
197KB

MD5
4dc220f808463ac9a7a55f3fcd966ae3

SHA1
6faec787afbe816ed804f500490a92f9341a242c

SHA256
ad6358db39911cbe103ffc99955d80bd1dd6aa30e9a51b21dbdbd80c456e753c

SHA512
37737efc9f75cd40f805cd8af515583ad14479f431b7edddda4c63070775a4fc422cc202caf314ff3292e4f30ed3b2842a1d43a88477641badc708f4d8ec1197

Download Submit
C:\Windows\{88E0C037-3DFC-4cfe-A8E0-5C5F4967B903}.exe

Filesize
197KB

MD5
63516c50f3cadaa72ec3369876bc0fea

SHA1
7a34d576682836dca1185fab445a2dc28d5b903d

SHA256
f2dc0061b425f3fa0b6abf5ba29e1d6620795859e993f9928ccddfd22317b0b5

SHA512
da5e7abe739a7ef623e19d9c0ea34ae7f02aec9f01b5388ae5ecf02bca856e4c53f836625710ae0540eeebf9335d30845e6c79b942ab3c07b4d5b988d1d201da

Download Submit
C:\Windows\{9DF90A52-A33D-46bd-81EB-B31DA5D94389}.exe

Filesize
197KB

MD5
dc0d68251803dd9d9f34f032f947c77b

SHA1
2a05c0b34f2b932d1f262593eec0540d51966e17

SHA256
e3727e9769ae647651bd927c124e5677ae4fbbe13d9b67eced26a33b5b70120d

SHA512
b222e99fcadabb0fedb8445b442dca405134e213e6816c687e40ec1837da2f9899a4cafcb617fe27e04bb35c90b3586f1789e963789b88de92df3712dc0749f2

Download Submit
C:\Windows\{A30FDA85-528D-435c-AE64-6CC3F61991D0}.exe

Filesize
197KB

MD5
4922d4aa7a0bbfffe31127e84e8c8ce5

SHA1
99451e656d06ffd35139ca74c8b325eeabb31a68

SHA256
86e328184870dac38a20442bafea567711e59314280f52c94a7aaefac9bca3f2

SHA512
a71eb78d8e77025620da062606b7e5d4aa6f2dd464a96dbeb132bda956190a63cf4db34f28a1ed50cedafa843a1d13db4f6494eb193afbd3f3f78f950e217521

Download Submit
C:\Windows\{A30FDA85-528D-435c-AE64-6CC3F61991D0}.exe

Filesize
64KB

MD5
3f4164d9a7b6ff3bb917ebdd032d0a36

SHA1
3644bf8b48864d632d9dce92cdc60c38fa86c69f

SHA256
67dd7dd51806f5513a9c5b69f866ff79b1b6576aeb43c8cb8bd3229b8f163b38

SHA512
b2d0853a9ed97e49fd2d932f9f9bd9a03c85f4413e5cba9d77a252805b254db04fdaf5f6f250bc0019b0eb9f346b1c9ed46a10cd774658c3e416367be1c9f42b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads