7b892c5ef18fff161c0c47faf1b375f88beee383c70f4f1ac1b8c6ba3dca6431

Analysis

max time kernel
144s
max time network
118s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
08/03/2024, 20:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-08_d144631a0c9b6e159f012805d2f9f1a2_goldeneye.exe
Size

372KB
MD5

d144631a0c9b6e159f012805d2f9f1a2
SHA1

1650540f2a8ebce7e4ef4c04276db08f0dafc409
SHA256

7b892c5ef18fff161c0c47faf1b375f88beee383c70f4f1ac1b8c6ba3dca6431
SHA512

c5d68cae71c876e4dbe8130c5cceae82dbdf72eded326c6c0f0075fc20813ee34ed8a540d4bebf1859701733cfbbb23d91ba3b2c29ad80e29d881ca22337131f
SSDEEP

3072:CEGh0oKmlJOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBE:CEGpl/Oe2MUVg3vTeKcAEciTBqr3

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 15 IoCs

resource	yara_rule
behavioral1/files/0x000b000000012251-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f000000012331-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000012251-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0032000000013a88-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0032000000013a88-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000012251-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000012251-41.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-48.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e000000012251-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f000000012251-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2602FA50-642F-44d3-96AB-E362100CAC8D}\stubpath = "C:\\Windows\\{2602FA50-642F-44d3-96AB-E362100CAC8D}.exe"	{96E933F2-B4F3-4ae7-9814-0975C51021B3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8339B11B-046D-44ca-A135-C1192D85E655}\stubpath = "C:\\Windows\\{8339B11B-046D-44ca-A135-C1192D85E655}.exe"	{2602FA50-642F-44d3-96AB-E362100CAC8D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BB6D696B-3D0E-4334-B811-DC2B537EFDBD}\stubpath = "C:\\Windows\\{BB6D696B-3D0E-4334-B811-DC2B537EFDBD}.exe"	{8339B11B-046D-44ca-A135-C1192D85E655}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FD160DCC-4389-4e5d-B7BF-835313A12364}\stubpath = "C:\\Windows\\{FD160DCC-4389-4e5d-B7BF-835313A12364}.exe"	{B10A5497-86A9-4c93-86D7-BC521C91368D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0711F4C1-7D9C-4e47-B3F2-B0012919AADD}	{8DF1509E-3ED7-4bd6-B4CA-ED6014E3B042}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{882E2989-4F94-4ba1-949E-8EDF1DD2DE48}	{0711F4C1-7D9C-4e47-B3F2-B0012919AADD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{96E933F2-B4F3-4ae7-9814-0975C51021B3}\stubpath = "C:\\Windows\\{96E933F2-B4F3-4ae7-9814-0975C51021B3}.exe"	{AEAE988A-EF2C-407a-9FBB-E64A98718FDD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9FCA1C71-43CC-41f8-AED9-D5AB614AB406}\stubpath = "C:\\Windows\\{9FCA1C71-43CC-41f8-AED9-D5AB614AB406}.exe"	{BB6D696B-3D0E-4334-B811-DC2B537EFDBD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BB6D696B-3D0E-4334-B811-DC2B537EFDBD}	{8339B11B-046D-44ca-A135-C1192D85E655}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B10A5497-86A9-4c93-86D7-BC521C91368D}	2024-03-08_d144631a0c9b6e159f012805d2f9f1a2_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B10A5497-86A9-4c93-86D7-BC521C91368D}\stubpath = "C:\\Windows\\{B10A5497-86A9-4c93-86D7-BC521C91368D}.exe"	2024-03-08_d144631a0c9b6e159f012805d2f9f1a2_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8DF1509E-3ED7-4bd6-B4CA-ED6014E3B042}	{FD160DCC-4389-4e5d-B7BF-835313A12364}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0711F4C1-7D9C-4e47-B3F2-B0012919AADD}\stubpath = "C:\\Windows\\{0711F4C1-7D9C-4e47-B3F2-B0012919AADD}.exe"	{8DF1509E-3ED7-4bd6-B4CA-ED6014E3B042}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{882E2989-4F94-4ba1-949E-8EDF1DD2DE48}\stubpath = "C:\\Windows\\{882E2989-4F94-4ba1-949E-8EDF1DD2DE48}.exe"	{0711F4C1-7D9C-4e47-B3F2-B0012919AADD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2602FA50-642F-44d3-96AB-E362100CAC8D}	{96E933F2-B4F3-4ae7-9814-0975C51021B3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8339B11B-046D-44ca-A135-C1192D85E655}	{2602FA50-642F-44d3-96AB-E362100CAC8D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9FCA1C71-43CC-41f8-AED9-D5AB614AB406}	{BB6D696B-3D0E-4334-B811-DC2B537EFDBD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FD160DCC-4389-4e5d-B7BF-835313A12364}	{B10A5497-86A9-4c93-86D7-BC521C91368D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8DF1509E-3ED7-4bd6-B4CA-ED6014E3B042}\stubpath = "C:\\Windows\\{8DF1509E-3ED7-4bd6-B4CA-ED6014E3B042}.exe"	{FD160DCC-4389-4e5d-B7BF-835313A12364}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AEAE988A-EF2C-407a-9FBB-E64A98718FDD}	{882E2989-4F94-4ba1-949E-8EDF1DD2DE48}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AEAE988A-EF2C-407a-9FBB-E64A98718FDD}\stubpath = "C:\\Windows\\{AEAE988A-EF2C-407a-9FBB-E64A98718FDD}.exe"	{882E2989-4F94-4ba1-949E-8EDF1DD2DE48}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{96E933F2-B4F3-4ae7-9814-0975C51021B3}	{AEAE988A-EF2C-407a-9FBB-E64A98718FDD}.exe

Deletes itself 1 IoCs

pid	Process
2980	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
1932	{B10A5497-86A9-4c93-86D7-BC521C91368D}.exe
2028	{FD160DCC-4389-4e5d-B7BF-835313A12364}.exe
2556	{8DF1509E-3ED7-4bd6-B4CA-ED6014E3B042}.exe
2116	{0711F4C1-7D9C-4e47-B3F2-B0012919AADD}.exe
2784	{882E2989-4F94-4ba1-949E-8EDF1DD2DE48}.exe
2300	{AEAE988A-EF2C-407a-9FBB-E64A98718FDD}.exe
1380	{96E933F2-B4F3-4ae7-9814-0975C51021B3}.exe
3068	{2602FA50-642F-44d3-96AB-E362100CAC8D}.exe
1912	{8339B11B-046D-44ca-A135-C1192D85E655}.exe
2836	{BB6D696B-3D0E-4334-B811-DC2B537EFDBD}.exe
584	{9FCA1C71-43CC-41f8-AED9-D5AB614AB406}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{FD160DCC-4389-4e5d-B7BF-835313A12364}.exe	{B10A5497-86A9-4c93-86D7-BC521C91368D}.exe
File created	C:\Windows\{8DF1509E-3ED7-4bd6-B4CA-ED6014E3B042}.exe	{FD160DCC-4389-4e5d-B7BF-835313A12364}.exe
File created	C:\Windows\{882E2989-4F94-4ba1-949E-8EDF1DD2DE48}.exe	{0711F4C1-7D9C-4e47-B3F2-B0012919AADD}.exe
File created	C:\Windows\{2602FA50-642F-44d3-96AB-E362100CAC8D}.exe	{96E933F2-B4F3-4ae7-9814-0975C51021B3}.exe
File created	C:\Windows\{BB6D696B-3D0E-4334-B811-DC2B537EFDBD}.exe	{8339B11B-046D-44ca-A135-C1192D85E655}.exe
File created	C:\Windows\{B10A5497-86A9-4c93-86D7-BC521C91368D}.exe	2024-03-08_d144631a0c9b6e159f012805d2f9f1a2_goldeneye.exe
File created	C:\Windows\{0711F4C1-7D9C-4e47-B3F2-B0012919AADD}.exe	{8DF1509E-3ED7-4bd6-B4CA-ED6014E3B042}.exe
File created	C:\Windows\{AEAE988A-EF2C-407a-9FBB-E64A98718FDD}.exe	{882E2989-4F94-4ba1-949E-8EDF1DD2DE48}.exe
File created	C:\Windows\{96E933F2-B4F3-4ae7-9814-0975C51021B3}.exe	{AEAE988A-EF2C-407a-9FBB-E64A98718FDD}.exe
File created	C:\Windows\{8339B11B-046D-44ca-A135-C1192D85E655}.exe	{2602FA50-642F-44d3-96AB-E362100CAC8D}.exe
File created	C:\Windows\{9FCA1C71-43CC-41f8-AED9-D5AB614AB406}.exe	{BB6D696B-3D0E-4334-B811-DC2B537EFDBD}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2912	2024-03-08_d144631a0c9b6e159f012805d2f9f1a2_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1932	{B10A5497-86A9-4c93-86D7-BC521C91368D}.exe
Token: SeIncBasePriorityPrivilege	2028	{FD160DCC-4389-4e5d-B7BF-835313A12364}.exe
Token: SeIncBasePriorityPrivilege	2556	{8DF1509E-3ED7-4bd6-B4CA-ED6014E3B042}.exe
Token: SeIncBasePriorityPrivilege	2116	{0711F4C1-7D9C-4e47-B3F2-B0012919AADD}.exe
Token: SeIncBasePriorityPrivilege	2784	{882E2989-4F94-4ba1-949E-8EDF1DD2DE48}.exe
Token: SeIncBasePriorityPrivilege	2300	{AEAE988A-EF2C-407a-9FBB-E64A98718FDD}.exe
Token: SeIncBasePriorityPrivilege	1380	{96E933F2-B4F3-4ae7-9814-0975C51021B3}.exe
Token: SeIncBasePriorityPrivilege	3068	{2602FA50-642F-44d3-96AB-E362100CAC8D}.exe
Token: SeIncBasePriorityPrivilege	1912	{8339B11B-046D-44ca-A135-C1192D85E655}.exe
Token: SeIncBasePriorityPrivilege	2836	{BB6D696B-3D0E-4334-B811-DC2B537EFDBD}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2912 wrote to memory of 1932	2912	2024-03-08_d144631a0c9b6e159f012805d2f9f1a2_goldeneye.exe	28
PID 2912 wrote to memory of 1932	2912	2024-03-08_d144631a0c9b6e159f012805d2f9f1a2_goldeneye.exe	28
PID 2912 wrote to memory of 1932	2912	2024-03-08_d144631a0c9b6e159f012805d2f9f1a2_goldeneye.exe	28
PID 2912 wrote to memory of 1932	2912	2024-03-08_d144631a0c9b6e159f012805d2f9f1a2_goldeneye.exe	28
PID 2912 wrote to memory of 2980	2912	2024-03-08_d144631a0c9b6e159f012805d2f9f1a2_goldeneye.exe	29
PID 2912 wrote to memory of 2980	2912	2024-03-08_d144631a0c9b6e159f012805d2f9f1a2_goldeneye.exe	29
PID 2912 wrote to memory of 2980	2912	2024-03-08_d144631a0c9b6e159f012805d2f9f1a2_goldeneye.exe	29
PID 2912 wrote to memory of 2980	2912	2024-03-08_d144631a0c9b6e159f012805d2f9f1a2_goldeneye.exe	29
PID 1932 wrote to memory of 2028	1932	{B10A5497-86A9-4c93-86D7-BC521C91368D}.exe	30
PID 1932 wrote to memory of 2028	1932	{B10A5497-86A9-4c93-86D7-BC521C91368D}.exe	30
PID 1932 wrote to memory of 2028	1932	{B10A5497-86A9-4c93-86D7-BC521C91368D}.exe	30
PID 1932 wrote to memory of 2028	1932	{B10A5497-86A9-4c93-86D7-BC521C91368D}.exe	30
PID 1932 wrote to memory of 2676	1932	{B10A5497-86A9-4c93-86D7-BC521C91368D}.exe	31
PID 1932 wrote to memory of 2676	1932	{B10A5497-86A9-4c93-86D7-BC521C91368D}.exe	31
PID 1932 wrote to memory of 2676	1932	{B10A5497-86A9-4c93-86D7-BC521C91368D}.exe	31
PID 1932 wrote to memory of 2676	1932	{B10A5497-86A9-4c93-86D7-BC521C91368D}.exe	31
PID 2028 wrote to memory of 2556	2028	{FD160DCC-4389-4e5d-B7BF-835313A12364}.exe	32
PID 2028 wrote to memory of 2556	2028	{FD160DCC-4389-4e5d-B7BF-835313A12364}.exe	32
PID 2028 wrote to memory of 2556	2028	{FD160DCC-4389-4e5d-B7BF-835313A12364}.exe	32
PID 2028 wrote to memory of 2556	2028	{FD160DCC-4389-4e5d-B7BF-835313A12364}.exe	32
PID 2028 wrote to memory of 2656	2028	{FD160DCC-4389-4e5d-B7BF-835313A12364}.exe	33
PID 2028 wrote to memory of 2656	2028	{FD160DCC-4389-4e5d-B7BF-835313A12364}.exe	33
PID 2028 wrote to memory of 2656	2028	{FD160DCC-4389-4e5d-B7BF-835313A12364}.exe	33
PID 2028 wrote to memory of 2656	2028	{FD160DCC-4389-4e5d-B7BF-835313A12364}.exe	33
PID 2556 wrote to memory of 2116	2556	{8DF1509E-3ED7-4bd6-B4CA-ED6014E3B042}.exe	36
PID 2556 wrote to memory of 2116	2556	{8DF1509E-3ED7-4bd6-B4CA-ED6014E3B042}.exe	36
PID 2556 wrote to memory of 2116	2556	{8DF1509E-3ED7-4bd6-B4CA-ED6014E3B042}.exe	36
PID 2556 wrote to memory of 2116	2556	{8DF1509E-3ED7-4bd6-B4CA-ED6014E3B042}.exe	36
PID 2556 wrote to memory of 2644	2556	{8DF1509E-3ED7-4bd6-B4CA-ED6014E3B042}.exe	37
PID 2556 wrote to memory of 2644	2556	{8DF1509E-3ED7-4bd6-B4CA-ED6014E3B042}.exe	37
PID 2556 wrote to memory of 2644	2556	{8DF1509E-3ED7-4bd6-B4CA-ED6014E3B042}.exe	37
PID 2556 wrote to memory of 2644	2556	{8DF1509E-3ED7-4bd6-B4CA-ED6014E3B042}.exe	37
PID 2116 wrote to memory of 2784	2116	{0711F4C1-7D9C-4e47-B3F2-B0012919AADD}.exe	38
PID 2116 wrote to memory of 2784	2116	{0711F4C1-7D9C-4e47-B3F2-B0012919AADD}.exe	38
PID 2116 wrote to memory of 2784	2116	{0711F4C1-7D9C-4e47-B3F2-B0012919AADD}.exe	38
PID 2116 wrote to memory of 2784	2116	{0711F4C1-7D9C-4e47-B3F2-B0012919AADD}.exe	38
PID 2116 wrote to memory of 1772	2116	{0711F4C1-7D9C-4e47-B3F2-B0012919AADD}.exe	39
PID 2116 wrote to memory of 1772	2116	{0711F4C1-7D9C-4e47-B3F2-B0012919AADD}.exe	39
PID 2116 wrote to memory of 1772	2116	{0711F4C1-7D9C-4e47-B3F2-B0012919AADD}.exe	39
PID 2116 wrote to memory of 1772	2116	{0711F4C1-7D9C-4e47-B3F2-B0012919AADD}.exe	39
PID 2784 wrote to memory of 2300	2784	{882E2989-4F94-4ba1-949E-8EDF1DD2DE48}.exe	40
PID 2784 wrote to memory of 2300	2784	{882E2989-4F94-4ba1-949E-8EDF1DD2DE48}.exe	40
PID 2784 wrote to memory of 2300	2784	{882E2989-4F94-4ba1-949E-8EDF1DD2DE48}.exe	40
PID 2784 wrote to memory of 2300	2784	{882E2989-4F94-4ba1-949E-8EDF1DD2DE48}.exe	40
PID 2784 wrote to memory of 1268	2784	{882E2989-4F94-4ba1-949E-8EDF1DD2DE48}.exe	41
PID 2784 wrote to memory of 1268	2784	{882E2989-4F94-4ba1-949E-8EDF1DD2DE48}.exe	41
PID 2784 wrote to memory of 1268	2784	{882E2989-4F94-4ba1-949E-8EDF1DD2DE48}.exe	41
PID 2784 wrote to memory of 1268	2784	{882E2989-4F94-4ba1-949E-8EDF1DD2DE48}.exe	41
PID 2300 wrote to memory of 1380	2300	{AEAE988A-EF2C-407a-9FBB-E64A98718FDD}.exe	42
PID 2300 wrote to memory of 1380	2300	{AEAE988A-EF2C-407a-9FBB-E64A98718FDD}.exe	42
PID 2300 wrote to memory of 1380	2300	{AEAE988A-EF2C-407a-9FBB-E64A98718FDD}.exe	42
PID 2300 wrote to memory of 1380	2300	{AEAE988A-EF2C-407a-9FBB-E64A98718FDD}.exe	42
PID 2300 wrote to memory of 1152	2300	{AEAE988A-EF2C-407a-9FBB-E64A98718FDD}.exe	43
PID 2300 wrote to memory of 1152	2300	{AEAE988A-EF2C-407a-9FBB-E64A98718FDD}.exe	43
PID 2300 wrote to memory of 1152	2300	{AEAE988A-EF2C-407a-9FBB-E64A98718FDD}.exe	43
PID 2300 wrote to memory of 1152	2300	{AEAE988A-EF2C-407a-9FBB-E64A98718FDD}.exe	43
PID 1380 wrote to memory of 3068	1380	{96E933F2-B4F3-4ae7-9814-0975C51021B3}.exe	44
PID 1380 wrote to memory of 3068	1380	{96E933F2-B4F3-4ae7-9814-0975C51021B3}.exe	44
PID 1380 wrote to memory of 3068	1380	{96E933F2-B4F3-4ae7-9814-0975C51021B3}.exe	44
PID 1380 wrote to memory of 3068	1380	{96E933F2-B4F3-4ae7-9814-0975C51021B3}.exe	44
PID 1380 wrote to memory of 2020	1380	{96E933F2-B4F3-4ae7-9814-0975C51021B3}.exe	45
PID 1380 wrote to memory of 2020	1380	{96E933F2-B4F3-4ae7-9814-0975C51021B3}.exe	45
PID 1380 wrote to memory of 2020	1380	{96E933F2-B4F3-4ae7-9814-0975C51021B3}.exe	45
PID 1380 wrote to memory of 2020	1380	{96E933F2-B4F3-4ae7-9814-0975C51021B3}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-03-08_d144631a0c9b6e159f012805d2f9f1a2_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-08_d144631a0c9b6e159f012805d2f9f1a2_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2912
- C:\Windows\{B10A5497-86A9-4c93-86D7-BC521C91368D}.exe
  C:\Windows\{B10A5497-86A9-4c93-86D7-BC521C91368D}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1932
- - C:\Windows\{FD160DCC-4389-4e5d-B7BF-835313A12364}.exe
    C:\Windows\{FD160DCC-4389-4e5d-B7BF-835313A12364}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2028
  - - C:\Windows\{8DF1509E-3ED7-4bd6-B4CA-ED6014E3B042}.exe
      C:\Windows\{8DF1509E-3ED7-4bd6-B4CA-ED6014E3B042}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2556
    - - C:\Windows\{0711F4C1-7D9C-4e47-B3F2-B0012919AADD}.exe
        
        C:\Windows\{0711F4C1-7D9C-4e47-B3F2-B0012919AADD}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2116
      - C:\Windows\{882E2989-4F94-4ba1-949E-8EDF1DD2DE48}.exe
        
        C:\Windows\{882E2989-4F94-4ba1-949E-8EDF1DD2DE48}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2784
        
        C:\Windows\{AEAE988A-EF2C-407a-9FBB-E64A98718FDD}.exe
        
        C:\Windows\{AEAE988A-EF2C-407a-9FBB-E64A98718FDD}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2300
        
        C:\Windows\{96E933F2-B4F3-4ae7-9814-0975C51021B3}.exe
        
        C:\Windows\{96E933F2-B4F3-4ae7-9814-0975C51021B3}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1380
        
        C:\Windows\{2602FA50-642F-44d3-96AB-E362100CAC8D}.exe
        
        C:\Windows\{2602FA50-642F-44d3-96AB-E362100CAC8D}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3068
        
        C:\Windows\{8339B11B-046D-44ca-A135-C1192D85E655}.exe
        
        C:\Windows\{8339B11B-046D-44ca-A135-C1192D85E655}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1912
        
        C:\Windows\{BB6D696B-3D0E-4334-B811-DC2B537EFDBD}.exe
        
        C:\Windows\{BB6D696B-3D0E-4334-B811-DC2B537EFDBD}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2836
        
        C:\Windows\{9FCA1C71-43CC-41f8-AED9-D5AB614AB406}.exe
        
        C:\Windows\{9FCA1C71-43CC-41f8-AED9-D5AB614AB406}.exe
        12⤵
        Executes dropped EXE
        
        PID:584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BB6D6~1.EXE > nul
        12⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8339B~1.EXE > nul
        11⤵
        
        PID:692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2602F~1.EXE > nul
        10⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{96E93~1.EXE > nul
        9⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AEAE9~1.EXE > nul
        8⤵
        
        PID:1152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{882E2~1.EXE > nul
        7⤵
        
        PID:1268
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0711F~1.EXE > nul
        6⤵
        
        PID:1772
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8DF15~1.EXE > nul
        5⤵
        
        PID:2644
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{FD160~1.EXE > nul
      4⤵
      PID:2656
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{B10A5~1.EXE > nul
    3⤵
    PID:2676
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0711F4C1-7D9C-4e47-B3F2-B0012919AADD}.exe

Filesize
372KB

MD5
3ceb9f7dee80705dff98d179241a665b

SHA1
fbc0e7b5aca144888b4c9df5cffec867db28d225

SHA256
b0207873ae9c0f72bb3ba2561f2fe81e675817092cef6729cd4ddf86b78f39ad

SHA512
7ca39c24ca7a0f4c6a7df8f386891d37e30032426059714b0aa0ae1381356b4742623754d5db630e6f13971a5ce10b5777a868aca60cb7ec464deebd8f07b454

Download Submit
C:\Windows\{0711F4C1-7D9C-4e47-B3F2-B0012919AADD}.exe

Filesize
226KB

MD5
b96cca68ea2770c68f276e1281508123

SHA1
11d9898cda9221d156441a05d7df879457a6f510

SHA256
b69946d66b892314055c7af78b89965a398450a2416db78a9ed5368f31c7173e

SHA512
de25f36950dd4093a1f0538595135b08405f3c319240146f115fb6361c86ec3b84e933409fa3765b61afd5b7b24c156e18dfbb9fda3af45e6245356a249d3407

Download Submit
C:\Windows\{2602FA50-642F-44d3-96AB-E362100CAC8D}.exe

Filesize
372KB

MD5
e5a09243cd8a6e3ae08997991aa6c564

SHA1
c98cdb1ce5afa47ab3549f6ea8b2601bab52024d

SHA256
b3d3c16bdf4122390f5e86e7671876acc50c86533f15e0dd6b6957f5b6d84504

SHA512
8b5479b083d1e21a9d2409753b75c7de9283d4b4b6c8fc8614a6f9e1c1483e6ce9e23631cdc86ff6ea3f3bf71cc7751ce07042eae36edb0afd2176494f192089

Download Submit
C:\Windows\{8339B11B-046D-44ca-A135-C1192D85E655}.exe

Filesize
372KB

MD5
495218f4c0ff2be37da42f24d83d349b

SHA1
a4891f249fe14f56033a824fcfe3d90005a2680a

SHA256
6e12e0f08e90c0e7e8c4515146b5b561cdbbc6ea1c2947eb19c5f37185cf2cd1

SHA512
9b64624db06c73014d3fa97fb7305c5157b62be90b9820e3efab168f2924fc7c1989aa483a0e1eb34a1ffc667d1e103f556b680c93332999e4f826c12e5463b1

Download Submit
C:\Windows\{882E2989-4F94-4ba1-949E-8EDF1DD2DE48}.exe

Filesize
273KB

MD5
c364048bf52d41d5f6e375d9724c70b1

SHA1
d09c828c4e45306eab9e3a5ef765c844fc13c827

SHA256
fb414c833992b300cc006686d2c6f4e50ecdb48f1ec8a74c2b54213161d2e514

SHA512
c4e2c27639593add4852b0e29f63a4a3e5cf12cc81c05800c03acb3169e76a928fb22dd41032f75ad345b41aa88a7bef23b7e7d19932d29c9391ea879c35f2f8

Download Submit
C:\Windows\{882E2989-4F94-4ba1-949E-8EDF1DD2DE48}.exe

Filesize
14KB

MD5
1162deeaf87942fbdc4bdc3987ef2d3c

SHA1
5a262493b34533421b257c7a257cc1d967193c10

SHA256
5178ed71d42ed57f6a61051e32bb4b038d182997858f255458b75079e8e67147

SHA512
6d783eb4a6c2fd1e27610e9dacd84aa505a8749d5492609f19cdef1c6d6824d378b66ceeece6a78d7d633b92df7816be6da02f55d963cf2d8f435755e89d4192

Download Submit
C:\Windows\{8DF1509E-3ED7-4bd6-B4CA-ED6014E3B042}.exe

Filesize
372KB

MD5
0e21181d773e11202550afb988ae5928

SHA1
4b59976b4e632ac35111e5b7d800964bf6502acb

SHA256
c95d4ad1850c5dcfae0668a32ad3cdfb5210a4ca924cfae37f12601c899ef819

SHA512
ca1cd5a227499ee185f797a2109fe3addb0e6e0d60945c7fba9c89d1e1d7c47f761228bef6cca44524ce3a4fd1414df5b98fc2e2995c25ddbc8776b9d0f46cce

Download Submit
C:\Windows\{96E933F2-B4F3-4ae7-9814-0975C51021B3}.exe

Filesize
29KB

MD5
d1efef93278145353330f7b869e5f073

SHA1
7d30bb3f878acbf48a3497d80b959cc12da2e86d

SHA256
47d78d43ee779e67ac3ddea15c5b440e8aa1cfd0251e42ebc63ed5f076e44926

SHA512
94eab335973c16106b0f57362945c3acdb94b3ea1222b7054c85ef8e576d598c6d8e29d1507f4f857fbbb1a6c2aafa50a5b7baa5507d23468f01e69c82f64e08

Download Submit
C:\Windows\{96E933F2-B4F3-4ae7-9814-0975C51021B3}.exe

Filesize
372KB

MD5
2dbcd7861071e3c5db3020478c97f516

SHA1
5e86e30b491a2202f2e258a3f3adf08c400c8058

SHA256
fdc6dd7400075ca4501666fe60912d840f4b6e7d6f111f8d24cc989054cf1422

SHA512
ae26047ba8bd83a54a0e4a6d6277b47ba4b643deac2a8f78395815e7406b16a1bbb56f5178f3bc52a518a2c4b5023f3822adb02495c52f2e0828f8d38e1a4bed

Download Submit
C:\Windows\{9FCA1C71-43CC-41f8-AED9-D5AB614AB406}.exe

Filesize
372KB

MD5
a5e1094e7458ed3f1123c29e50674505

SHA1
4de23a887e74d920e8d5b88503a883b927caa86a

SHA256
e67cd5806d2a2dce962e47cbe784c3cbf0db3c49196fc12ada348d1668a98aff

SHA512
bd9368b3b3afc8bf3c4dae15707ca91770533823db614d22d91b7e6a2306005c565934529784b641d7123edbffd176d40d8f0b59280a228ddddf4e6343e94fab

Download Submit
C:\Windows\{AEAE988A-EF2C-407a-9FBB-E64A98718FDD}.exe

Filesize
372KB

MD5
19b87cbc3d5238021ffedfbed7732668

SHA1
975dfb4a6e2ed9d7818eb7b053604133b605f352

SHA256
3da266ed4227f535067de7f74386a4c647fa9833a45d9514624cf45393c2c662

SHA512
c6d5331d838b7e1f9be550f365d913740fa2ed3f4a682f4825b6e64d65a2adef9580518e306d0b5432828a16c288839139133698b09b2c1793e828a4d9f094b9

Download Submit
C:\Windows\{AEAE988A-EF2C-407a-9FBB-E64A98718FDD}.exe

Filesize
50KB

MD5
7da8cce0d84ddf05141e905ef09695a0

SHA1
56fde7f6e7dc1f0cfa58909635c7a3e168d834c6

SHA256
aa4232b43ec5bd40085d21a6f031ffe4bc23db29bed4a7d0ef749b7d82c5e57d

SHA512
bee5c5b0c09b478be1372025e388fe6be83aaa20c701e629846a9349a6aceab23a03ed3685e9d5198a9212292138e7269000b397a4f6a2aa4b17d75022ed7897

Download Submit
C:\Windows\{B10A5497-86A9-4c93-86D7-BC521C91368D}.exe

Filesize
372KB

MD5
197a1b54524da1ad160a88f51f3998a6

SHA1
884a0963916c21b7cf00e296515c0148394ed957

SHA256
51b83decce1d3a5e94d92fa14864fea1974fcbc88431ac07369d32730d4197b4

SHA512
fb2fd0471ea44a3791c14d5b9642b1074957c4bc4fdbecad6970e19c97f8d63601950a77320ab5ad0211a42e4cc1c80a125d2aee95361b99e1eecab94f7c80f5

Download Submit
C:\Windows\{BB6D696B-3D0E-4334-B811-DC2B537EFDBD}.exe

Filesize
372KB

MD5
9f750de43d733e8aac6dc84f15b09930

SHA1
ee3f06950e15418418c2c271411dca24e19a5357

SHA256
c3edf5acd1dbf485c148c4066fd0e0f098a1041602125ea8f340b14fa4e3e04e

SHA512
df651ead800000f59c281052704abe136fbb8420d3971f7daa0e987db075ea6d21bce542d08919f4b856e90a0e1456ae2c304c6da11d969c0d8932c9f1eae430

Download Submit
C:\Windows\{FD160DCC-4389-4e5d-B7BF-835313A12364}.exe

Filesize
372KB

MD5
bbf3313c5b0e452b8df85f2009308210

SHA1
6f14e4fc507a06281d4b6f6ec279f5bf002d7679

SHA256
1f944d452af7b0c16f3e28b8902d390017041b863f6930ffd15d70bd53879b16

SHA512
34d4191288d4f1392a5740d59b853dd7ff6fe38c7af1580645ce10888f07d2ae19e5c5df3694e390fb014401907f02c0b87b02717bf57b28b2d336f83c738ce7

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads