06d6dbd9f51e44492d0e84fc1d1261282776b2f48edd64cd400b0dbac8946357

Analysis

max time kernel
144s
max time network
125s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
08/03/2024, 03:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-08_53f508ec285ad8189f209fbf347bc9c6_goldeneye.exe
Size

180KB
MD5

53f508ec285ad8189f209fbf347bc9c6
SHA1

4005dd86fba247d163098b792da1dde9a37a91c3
SHA256

06d6dbd9f51e44492d0e84fc1d1261282776b2f48edd64cd400b0dbac8946357
SHA512

ae26e1af1b71247d6aa94a998da77c0a868957bc792809dd0ad3b26d40401fcd3500f03069c01130b83ed699de9a451cd1fa135cf2735b3b3bcb42587a91be8f
SSDEEP

3072:jEGh0oVlfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGjl5eKcAEc

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000c00000001445e-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002e000000014698-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f00000000f680-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002f000000014698-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001000000000f680-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0030000000014698-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001100000000f680-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0031000000014698-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001200000000f680-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0032000000014698-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001300000000f680-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1F93ED2C-0C86-43ce-8958-6CA570F2847D}\stubpath = "C:\\Windows\\{1F93ED2C-0C86-43ce-8958-6CA570F2847D}.exe"	2024-03-08_53f508ec285ad8189f209fbf347bc9c6_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DE1EE6C0-ED4A-40ec-ACF0-D2DCC57C3D54}	{B371E8DB-AA7F-4ff3-B232-E87493FF3FE9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DE1EE6C0-ED4A-40ec-ACF0-D2DCC57C3D54}\stubpath = "C:\\Windows\\{DE1EE6C0-ED4A-40ec-ACF0-D2DCC57C3D54}.exe"	{B371E8DB-AA7F-4ff3-B232-E87493FF3FE9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A770D5EB-3B81-4600-951D-692222C59783}	{DE1EE6C0-ED4A-40ec-ACF0-D2DCC57C3D54}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A770D5EB-3B81-4600-951D-692222C59783}\stubpath = "C:\\Windows\\{A770D5EB-3B81-4600-951D-692222C59783}.exe"	{DE1EE6C0-ED4A-40ec-ACF0-D2DCC57C3D54}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0B17BC0E-E7A7-4b37-A027-012C19A96C0E}\stubpath = "C:\\Windows\\{0B17BC0E-E7A7-4b37-A027-012C19A96C0E}.exe"	{A770D5EB-3B81-4600-951D-692222C59783}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D8DA00EB-4AD3-4b1c-AA16-220B7CE3C3BD}	{0B17BC0E-E7A7-4b37-A027-012C19A96C0E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1F93ED2C-0C86-43ce-8958-6CA570F2847D}	2024-03-08_53f508ec285ad8189f209fbf347bc9c6_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6F085882-2773-45a9-9911-7D62A180EA07}	{7B8AFC47-9F01-4738-A810-FD039A1E5119}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6F085882-2773-45a9-9911-7D62A180EA07}\stubpath = "C:\\Windows\\{6F085882-2773-45a9-9911-7D62A180EA07}.exe"	{7B8AFC47-9F01-4738-A810-FD039A1E5119}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{750F894B-0C44-4ad5-A02F-F12EADE250C1}	{6F085882-2773-45a9-9911-7D62A180EA07}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{750F894B-0C44-4ad5-A02F-F12EADE250C1}\stubpath = "C:\\Windows\\{750F894B-0C44-4ad5-A02F-F12EADE250C1}.exe"	{6F085882-2773-45a9-9911-7D62A180EA07}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7B8AFC47-9F01-4738-A810-FD039A1E5119}\stubpath = "C:\\Windows\\{7B8AFC47-9F01-4738-A810-FD039A1E5119}.exe"	{D8DA00EB-4AD3-4b1c-AA16-220B7CE3C3BD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0B17BC0E-E7A7-4b37-A027-012C19A96C0E}	{A770D5EB-3B81-4600-951D-692222C59783}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D8DA00EB-4AD3-4b1c-AA16-220B7CE3C3BD}\stubpath = "C:\\Windows\\{D8DA00EB-4AD3-4b1c-AA16-220B7CE3C3BD}.exe"	{0B17BC0E-E7A7-4b37-A027-012C19A96C0E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D816A06F-B5BB-4f26-B68A-EED0955A6E91}	{750F894B-0C44-4ad5-A02F-F12EADE250C1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D816A06F-B5BB-4f26-B68A-EED0955A6E91}\stubpath = "C:\\Windows\\{D816A06F-B5BB-4f26-B68A-EED0955A6E91}.exe"	{750F894B-0C44-4ad5-A02F-F12EADE250C1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{50121609-D57D-4508-8058-5EC12C6166AB}\stubpath = "C:\\Windows\\{50121609-D57D-4508-8058-5EC12C6166AB}.exe"	{D816A06F-B5BB-4f26-B68A-EED0955A6E91}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B371E8DB-AA7F-4ff3-B232-E87493FF3FE9}\stubpath = "C:\\Windows\\{B371E8DB-AA7F-4ff3-B232-E87493FF3FE9}.exe"	{1F93ED2C-0C86-43ce-8958-6CA570F2847D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{50121609-D57D-4508-8058-5EC12C6166AB}	{D816A06F-B5BB-4f26-B68A-EED0955A6E91}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7B8AFC47-9F01-4738-A810-FD039A1E5119}	{D8DA00EB-4AD3-4b1c-AA16-220B7CE3C3BD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B371E8DB-AA7F-4ff3-B232-E87493FF3FE9}	{1F93ED2C-0C86-43ce-8958-6CA570F2847D}.exe

Deletes itself 1 IoCs

pid	Process
2516	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2500	{1F93ED2C-0C86-43ce-8958-6CA570F2847D}.exe
2644	{B371E8DB-AA7F-4ff3-B232-E87493FF3FE9}.exe
2484	{DE1EE6C0-ED4A-40ec-ACF0-D2DCC57C3D54}.exe
568	{A770D5EB-3B81-4600-951D-692222C59783}.exe
1492	{0B17BC0E-E7A7-4b37-A027-012C19A96C0E}.exe
1644	{D8DA00EB-4AD3-4b1c-AA16-220B7CE3C3BD}.exe
1032	{7B8AFC47-9F01-4738-A810-FD039A1E5119}.exe
1500	{6F085882-2773-45a9-9911-7D62A180EA07}.exe
1528	{750F894B-0C44-4ad5-A02F-F12EADE250C1}.exe
2740	{D816A06F-B5BB-4f26-B68A-EED0955A6E91}.exe
2992	{50121609-D57D-4508-8058-5EC12C6166AB}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{D8DA00EB-4AD3-4b1c-AA16-220B7CE3C3BD}.exe	{0B17BC0E-E7A7-4b37-A027-012C19A96C0E}.exe
File created	C:\Windows\{750F894B-0C44-4ad5-A02F-F12EADE250C1}.exe	{6F085882-2773-45a9-9911-7D62A180EA07}.exe
File created	C:\Windows\{50121609-D57D-4508-8058-5EC12C6166AB}.exe	{D816A06F-B5BB-4f26-B68A-EED0955A6E91}.exe
File created	C:\Windows\{DE1EE6C0-ED4A-40ec-ACF0-D2DCC57C3D54}.exe	{B371E8DB-AA7F-4ff3-B232-E87493FF3FE9}.exe
File created	C:\Windows\{0B17BC0E-E7A7-4b37-A027-012C19A96C0E}.exe	{A770D5EB-3B81-4600-951D-692222C59783}.exe
File created	C:\Windows\{A770D5EB-3B81-4600-951D-692222C59783}.exe	{DE1EE6C0-ED4A-40ec-ACF0-D2DCC57C3D54}.exe
File created	C:\Windows\{7B8AFC47-9F01-4738-A810-FD039A1E5119}.exe	{D8DA00EB-4AD3-4b1c-AA16-220B7CE3C3BD}.exe
File created	C:\Windows\{6F085882-2773-45a9-9911-7D62A180EA07}.exe	{7B8AFC47-9F01-4738-A810-FD039A1E5119}.exe
File created	C:\Windows\{D816A06F-B5BB-4f26-B68A-EED0955A6E91}.exe	{750F894B-0C44-4ad5-A02F-F12EADE250C1}.exe
File created	C:\Windows\{1F93ED2C-0C86-43ce-8958-6CA570F2847D}.exe	2024-03-08_53f508ec285ad8189f209fbf347bc9c6_goldeneye.exe
File created	C:\Windows\{B371E8DB-AA7F-4ff3-B232-E87493FF3FE9}.exe	{1F93ED2C-0C86-43ce-8958-6CA570F2847D}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2744	2024-03-08_53f508ec285ad8189f209fbf347bc9c6_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2500	{1F93ED2C-0C86-43ce-8958-6CA570F2847D}.exe
Token: SeIncBasePriorityPrivilege	2644	{B371E8DB-AA7F-4ff3-B232-E87493FF3FE9}.exe
Token: SeIncBasePriorityPrivilege	2484	{DE1EE6C0-ED4A-40ec-ACF0-D2DCC57C3D54}.exe
Token: SeIncBasePriorityPrivilege	568	{A770D5EB-3B81-4600-951D-692222C59783}.exe
Token: SeIncBasePriorityPrivilege	1492	{0B17BC0E-E7A7-4b37-A027-012C19A96C0E}.exe
Token: SeIncBasePriorityPrivilege	1644	{D8DA00EB-4AD3-4b1c-AA16-220B7CE3C3BD}.exe
Token: SeIncBasePriorityPrivilege	1032	{7B8AFC47-9F01-4738-A810-FD039A1E5119}.exe
Token: SeIncBasePriorityPrivilege	1500	{6F085882-2773-45a9-9911-7D62A180EA07}.exe
Token: SeIncBasePriorityPrivilege	1528	{750F894B-0C44-4ad5-A02F-F12EADE250C1}.exe
Token: SeIncBasePriorityPrivilege	2740	{D816A06F-B5BB-4f26-B68A-EED0955A6E91}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2744 wrote to memory of 2500	2744	2024-03-08_53f508ec285ad8189f209fbf347bc9c6_goldeneye.exe	28
PID 2744 wrote to memory of 2500	2744	2024-03-08_53f508ec285ad8189f209fbf347bc9c6_goldeneye.exe	28
PID 2744 wrote to memory of 2500	2744	2024-03-08_53f508ec285ad8189f209fbf347bc9c6_goldeneye.exe	28
PID 2744 wrote to memory of 2500	2744	2024-03-08_53f508ec285ad8189f209fbf347bc9c6_goldeneye.exe	28
PID 2744 wrote to memory of 2516	2744	2024-03-08_53f508ec285ad8189f209fbf347bc9c6_goldeneye.exe	29
PID 2744 wrote to memory of 2516	2744	2024-03-08_53f508ec285ad8189f209fbf347bc9c6_goldeneye.exe	29
PID 2744 wrote to memory of 2516	2744	2024-03-08_53f508ec285ad8189f209fbf347bc9c6_goldeneye.exe	29
PID 2744 wrote to memory of 2516	2744	2024-03-08_53f508ec285ad8189f209fbf347bc9c6_goldeneye.exe	29
PID 2500 wrote to memory of 2644	2500	{1F93ED2C-0C86-43ce-8958-6CA570F2847D}.exe	30
PID 2500 wrote to memory of 2644	2500	{1F93ED2C-0C86-43ce-8958-6CA570F2847D}.exe	30
PID 2500 wrote to memory of 2644	2500	{1F93ED2C-0C86-43ce-8958-6CA570F2847D}.exe	30
PID 2500 wrote to memory of 2644	2500	{1F93ED2C-0C86-43ce-8958-6CA570F2847D}.exe	30
PID 2500 wrote to memory of 2416	2500	{1F93ED2C-0C86-43ce-8958-6CA570F2847D}.exe	31
PID 2500 wrote to memory of 2416	2500	{1F93ED2C-0C86-43ce-8958-6CA570F2847D}.exe	31
PID 2500 wrote to memory of 2416	2500	{1F93ED2C-0C86-43ce-8958-6CA570F2847D}.exe	31
PID 2500 wrote to memory of 2416	2500	{1F93ED2C-0C86-43ce-8958-6CA570F2847D}.exe	31
PID 2644 wrote to memory of 2484	2644	{B371E8DB-AA7F-4ff3-B232-E87493FF3FE9}.exe	34
PID 2644 wrote to memory of 2484	2644	{B371E8DB-AA7F-4ff3-B232-E87493FF3FE9}.exe	34
PID 2644 wrote to memory of 2484	2644	{B371E8DB-AA7F-4ff3-B232-E87493FF3FE9}.exe	34
PID 2644 wrote to memory of 2484	2644	{B371E8DB-AA7F-4ff3-B232-E87493FF3FE9}.exe	34
PID 2644 wrote to memory of 2828	2644	{B371E8DB-AA7F-4ff3-B232-E87493FF3FE9}.exe	35
PID 2644 wrote to memory of 2828	2644	{B371E8DB-AA7F-4ff3-B232-E87493FF3FE9}.exe	35
PID 2644 wrote to memory of 2828	2644	{B371E8DB-AA7F-4ff3-B232-E87493FF3FE9}.exe	35
PID 2644 wrote to memory of 2828	2644	{B371E8DB-AA7F-4ff3-B232-E87493FF3FE9}.exe	35
PID 2484 wrote to memory of 568	2484	{DE1EE6C0-ED4A-40ec-ACF0-D2DCC57C3D54}.exe	36
PID 2484 wrote to memory of 568	2484	{DE1EE6C0-ED4A-40ec-ACF0-D2DCC57C3D54}.exe	36
PID 2484 wrote to memory of 568	2484	{DE1EE6C0-ED4A-40ec-ACF0-D2DCC57C3D54}.exe	36
PID 2484 wrote to memory of 568	2484	{DE1EE6C0-ED4A-40ec-ACF0-D2DCC57C3D54}.exe	36
PID 2484 wrote to memory of 2324	2484	{DE1EE6C0-ED4A-40ec-ACF0-D2DCC57C3D54}.exe	37
PID 2484 wrote to memory of 2324	2484	{DE1EE6C0-ED4A-40ec-ACF0-D2DCC57C3D54}.exe	37
PID 2484 wrote to memory of 2324	2484	{DE1EE6C0-ED4A-40ec-ACF0-D2DCC57C3D54}.exe	37
PID 2484 wrote to memory of 2324	2484	{DE1EE6C0-ED4A-40ec-ACF0-D2DCC57C3D54}.exe	37
PID 568 wrote to memory of 1492	568	{A770D5EB-3B81-4600-951D-692222C59783}.exe	38
PID 568 wrote to memory of 1492	568	{A770D5EB-3B81-4600-951D-692222C59783}.exe	38
PID 568 wrote to memory of 1492	568	{A770D5EB-3B81-4600-951D-692222C59783}.exe	38
PID 568 wrote to memory of 1492	568	{A770D5EB-3B81-4600-951D-692222C59783}.exe	38
PID 568 wrote to memory of 1096	568	{A770D5EB-3B81-4600-951D-692222C59783}.exe	39
PID 568 wrote to memory of 1096	568	{A770D5EB-3B81-4600-951D-692222C59783}.exe	39
PID 568 wrote to memory of 1096	568	{A770D5EB-3B81-4600-951D-692222C59783}.exe	39
PID 568 wrote to memory of 1096	568	{A770D5EB-3B81-4600-951D-692222C59783}.exe	39
PID 1492 wrote to memory of 1644	1492	{0B17BC0E-E7A7-4b37-A027-012C19A96C0E}.exe	40
PID 1492 wrote to memory of 1644	1492	{0B17BC0E-E7A7-4b37-A027-012C19A96C0E}.exe	40
PID 1492 wrote to memory of 1644	1492	{0B17BC0E-E7A7-4b37-A027-012C19A96C0E}.exe	40
PID 1492 wrote to memory of 1644	1492	{0B17BC0E-E7A7-4b37-A027-012C19A96C0E}.exe	40
PID 1492 wrote to memory of 1008	1492	{0B17BC0E-E7A7-4b37-A027-012C19A96C0E}.exe	41
PID 1492 wrote to memory of 1008	1492	{0B17BC0E-E7A7-4b37-A027-012C19A96C0E}.exe	41
PID 1492 wrote to memory of 1008	1492	{0B17BC0E-E7A7-4b37-A027-012C19A96C0E}.exe	41
PID 1492 wrote to memory of 1008	1492	{0B17BC0E-E7A7-4b37-A027-012C19A96C0E}.exe	41
PID 1644 wrote to memory of 1032	1644	{D8DA00EB-4AD3-4b1c-AA16-220B7CE3C3BD}.exe	42
PID 1644 wrote to memory of 1032	1644	{D8DA00EB-4AD3-4b1c-AA16-220B7CE3C3BD}.exe	42
PID 1644 wrote to memory of 1032	1644	{D8DA00EB-4AD3-4b1c-AA16-220B7CE3C3BD}.exe	42
PID 1644 wrote to memory of 1032	1644	{D8DA00EB-4AD3-4b1c-AA16-220B7CE3C3BD}.exe	42
PID 1644 wrote to memory of 540	1644	{D8DA00EB-4AD3-4b1c-AA16-220B7CE3C3BD}.exe	43
PID 1644 wrote to memory of 540	1644	{D8DA00EB-4AD3-4b1c-AA16-220B7CE3C3BD}.exe	43
PID 1644 wrote to memory of 540	1644	{D8DA00EB-4AD3-4b1c-AA16-220B7CE3C3BD}.exe	43
PID 1644 wrote to memory of 540	1644	{D8DA00EB-4AD3-4b1c-AA16-220B7CE3C3BD}.exe	43
PID 1032 wrote to memory of 1500	1032	{7B8AFC47-9F01-4738-A810-FD039A1E5119}.exe	44
PID 1032 wrote to memory of 1500	1032	{7B8AFC47-9F01-4738-A810-FD039A1E5119}.exe	44
PID 1032 wrote to memory of 1500	1032	{7B8AFC47-9F01-4738-A810-FD039A1E5119}.exe	44
PID 1032 wrote to memory of 1500	1032	{7B8AFC47-9F01-4738-A810-FD039A1E5119}.exe	44
PID 1032 wrote to memory of 2240	1032	{7B8AFC47-9F01-4738-A810-FD039A1E5119}.exe	45
PID 1032 wrote to memory of 2240	1032	{7B8AFC47-9F01-4738-A810-FD039A1E5119}.exe	45
PID 1032 wrote to memory of 2240	1032	{7B8AFC47-9F01-4738-A810-FD039A1E5119}.exe	45
PID 1032 wrote to memory of 2240	1032	{7B8AFC47-9F01-4738-A810-FD039A1E5119}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-03-08_53f508ec285ad8189f209fbf347bc9c6_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-08_53f508ec285ad8189f209fbf347bc9c6_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2744
- C:\Windows\{1F93ED2C-0C86-43ce-8958-6CA570F2847D}.exe
  C:\Windows\{1F93ED2C-0C86-43ce-8958-6CA570F2847D}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2500
- - C:\Windows\{B371E8DB-AA7F-4ff3-B232-E87493FF3FE9}.exe
    C:\Windows\{B371E8DB-AA7F-4ff3-B232-E87493FF3FE9}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2644
  - - C:\Windows\{DE1EE6C0-ED4A-40ec-ACF0-D2DCC57C3D54}.exe
      C:\Windows\{DE1EE6C0-ED4A-40ec-ACF0-D2DCC57C3D54}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2484
    - - C:\Windows\{A770D5EB-3B81-4600-951D-692222C59783}.exe
        
        C:\Windows\{A770D5EB-3B81-4600-951D-692222C59783}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:568
      - C:\Windows\{0B17BC0E-E7A7-4b37-A027-012C19A96C0E}.exe
        
        C:\Windows\{0B17BC0E-E7A7-4b37-A027-012C19A96C0E}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1492
        
        C:\Windows\{D8DA00EB-4AD3-4b1c-AA16-220B7CE3C3BD}.exe
        
        C:\Windows\{D8DA00EB-4AD3-4b1c-AA16-220B7CE3C3BD}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1644
        
        C:\Windows\{7B8AFC47-9F01-4738-A810-FD039A1E5119}.exe
        
        C:\Windows\{7B8AFC47-9F01-4738-A810-FD039A1E5119}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1032
        
        C:\Windows\{6F085882-2773-45a9-9911-7D62A180EA07}.exe
        
        C:\Windows\{6F085882-2773-45a9-9911-7D62A180EA07}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1500
        
        C:\Windows\{750F894B-0C44-4ad5-A02F-F12EADE250C1}.exe
        
        C:\Windows\{750F894B-0C44-4ad5-A02F-F12EADE250C1}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1528
        
        C:\Windows\{D816A06F-B5BB-4f26-B68A-EED0955A6E91}.exe
        
        C:\Windows\{D816A06F-B5BB-4f26-B68A-EED0955A6E91}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2740
        
        C:\Windows\{50121609-D57D-4508-8058-5EC12C6166AB}.exe
        
        C:\Windows\{50121609-D57D-4508-8058-5EC12C6166AB}.exe
        12⤵
        Executes dropped EXE
        
        PID:2992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D816A~1.EXE > nul
        12⤵
        
        PID:840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{750F8~1.EXE > nul
        11⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6F085~1.EXE > nul
        10⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7B8AF~1.EXE > nul
        9⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D8DA0~1.EXE > nul
        8⤵
        
        PID:540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0B17B~1.EXE > nul
        7⤵
        
        PID:1008
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A770D~1.EXE > nul
        6⤵
        
        PID:1096
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DE1EE~1.EXE > nul
        5⤵
        
        PID:2324
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{B371E~1.EXE > nul
      4⤵
      PID:2828
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{1F93E~1.EXE > nul
    3⤵
    PID:2416
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0B17BC0E-E7A7-4b37-A027-012C19A96C0E}.exe

Filesize
180KB

MD5
a31c875230386e10348cb490bd9fe33e

SHA1
6648475502303a16af31b59ffa6c0a14a0f67eb2

SHA256
41148fed2f9f96cd9e2d20641f07d4e5427b50b3d98aa2c1565dff27ddc93ff6

SHA512
aa4cdb01e2bb3e9ad0e285cf57e0d2d328c47235402edb145b521bdc20c766278a998faf4df50e275ccc62f1528d971a9cddd6e205014c2e0ad486190988a919

Download Submit
C:\Windows\{1F93ED2C-0C86-43ce-8958-6CA570F2847D}.exe

Filesize
180KB

MD5
7c029f8662cb10728028e6487ad04784

SHA1
15670b9690baecfef55bdf15cad38ee7fdc4e697

SHA256
c725f13f1e2899c4b7e20a5061d4565180cea244f304ed0ca2873d9c9db5a4a1

SHA512
0f3a7393306fb0ccaa23e15a8634603509fee61c4782a230d360edd5e2fe9bcd6bf76375e0ccc27c1264430df269bea2cf81518f49de151063974541f8e4609b

Download Submit
C:\Windows\{50121609-D57D-4508-8058-5EC12C6166AB}.exe

Filesize
180KB

MD5
37f59a7c4f56e5ac69614638d6df33ce

SHA1
c2aab2ef63bc4c8912bdbb2c5fe59f83d116f5b4

SHA256
c01fcd720ea5f7ea0372e83f7caff1ac46db58ccdbb12f529619935ec3b6df93

SHA512
e8e2ea6d9129fb9195bbbb9e881db62993cd56c66aa1d27c8fbbf6baaa55c1d94f278827b5ce8c8ecf5a809a4f348cc2101782221bed202727fede4ef21bbdde

Download Submit
C:\Windows\{6F085882-2773-45a9-9911-7D62A180EA07}.exe

Filesize
180KB

MD5
7fce36ac967e39ec08a9f3227656e637

SHA1
38a8f4fbd77a0a17960e26dd0d54d6c81410afeb

SHA256
4919aa48c7463793fa39c5acc6c59642ed07c94431d874dc1b21c650654fc8ad

SHA512
cdfae74fed10652ee79f8c59bddff1ab6b6b7f20663d2e017575df87ddef4f8a14ddb1a8c87f584928ca7917da53a59fcb315415e1f7aaeccc40c805033bb2c3

Download Submit
C:\Windows\{750F894B-0C44-4ad5-A02F-F12EADE250C1}.exe

Filesize
180KB

MD5
52d1e69cb13c370ed043e16f5077306d

SHA1
d095fdc57f0085272926953fd038f99feef8f7a8

SHA256
229b937c4828cd5413bbde8c1ba2c78923f6f169b11ca98bfa7e009fdf61d643

SHA512
9d8360bd917361b561bec281a9c60981f1afa675568357f71a7dae0b800caf3a90318670999d37f77c6ca2547a72176618434d3568bd084c6029e403fe5545a2

Download Submit
C:\Windows\{7B8AFC47-9F01-4738-A810-FD039A1E5119}.exe

Filesize
180KB

MD5
a36feba41976dd7e4a650c8b1e17af25

SHA1
25a9022354a09d94fee77c6d3a6f3c5c24f02b0a

SHA256
e2f10494d7e07ec0233ea15197b442e751488527a090208239d9a7d54f282fe8

SHA512
e026528c8bbe47304171e83ad739c1a99fbb0b31275e2338b70919ca56d111f96ce121851f93c144d926dd3d415588a2e9a1f01b54b526d89fa22d0a12e0ad2b

Download Submit
C:\Windows\{A770D5EB-3B81-4600-951D-692222C59783}.exe

Filesize
180KB

MD5
bcd10254b9eee2025a3c94d17cfcb84a

SHA1
d9d3e450c287af74937c84afb54037f9636d2609

SHA256
c1ccbdbc55901a03ebfba971127a429e5501ef014d916f17f075da34910d31f8

SHA512
a7b3eb8d02bcf417fa49dc924cf04512abf6f8bbf6fdbe9dbaaf0e7ad59c0113401759175aa9e1bb088bd54682e27331fabb8703aecb57c5f222c1ff05f10757

Download Submit
C:\Windows\{B371E8DB-AA7F-4ff3-B232-E87493FF3FE9}.exe

Filesize
180KB

MD5
7ffacfadd3a11f3a63e2534dbdfa31fb

SHA1
1f761f373c8788f69303f3c493c958e48572e05d

SHA256
4e0f753e26093de8cb7ce843af76e61d04bac422f871a5e429149bcce01c6b9e

SHA512
16b0a7454047f600b57f5c334630edf964f1a4e9c43a623d802c171b764f5cec4746bdb3ebd4d150348235e2f3cd10de813a581fa9f6344fca0feea1e9841665

Download Submit
C:\Windows\{D816A06F-B5BB-4f26-B68A-EED0955A6E91}.exe

Filesize
180KB

MD5
7cda817e0fbdd80368df596c9aaea447

SHA1
c8dde5b3111ae58e20a6c7470cfd23b42b516da1

SHA256
b7461e46f0196223159aae03d5cc2c06b6a4b9085fc67a75d06e510a69fd4359

SHA512
b914b0df9941571fea59039a1669c68af4f26a377e0534010b6253f52ea2e45a766df321690feef1907b5d7710cbf1b5af47b5605f5bb018d5f0d54000f4d27e

Download Submit
C:\Windows\{D8DA00EB-4AD3-4b1c-AA16-220B7CE3C3BD}.exe

Filesize
180KB

MD5
6370ae65fdb34b6fd7ac85b41c4490c6

SHA1
5c357fe63bf5243f4b4f8500a3dd057ce7118f4a

SHA256
7bd2415e93b623671268896814bbb4a02acb80ee95367c7d7f6f988bd48674cf

SHA512
427cb0839c003fc2617d27e9548065b05d8a68a82231dd60da738926b955c1ecedf48eaabb5d1b2754c349a8f3228d4448b8636e988d4687c1ac5953ee5ed5d9

Download Submit
C:\Windows\{DE1EE6C0-ED4A-40ec-ACF0-D2DCC57C3D54}.exe

Filesize
180KB

MD5
9d179983e9d77d32cf6e3136f9ee5999

SHA1
856e6499438c10afa1eec1285bfa8ba9ddc26035

SHA256
e5f46f91fb2d002485e376ccc92d63ecadfc10e6ece96f139c66d10f790c1294

SHA512
f183e92c38c2d4a117dc3fceb0818dd97140e2b37f704af7aba325df7162c5bbd14c32e486cf1c379921703e62b33dd4debdb2888507cdf82b6b783fd82eb877

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads