d645c9c70c41e682d69d5f2cc98d1b4330ba603785b32c4bd17812f8b76e1090

Analysis

max time kernel
112s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
11/03/2024, 20:34

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-03-11_aff472e264114917bdb53f4ba5fbcb8d_goldeneye.exe
Size

168KB
MD5

aff472e264114917bdb53f4ba5fbcb8d
SHA1

f69c6c031cf98b04ed052287e20393ec9e62988b
SHA256

d645c9c70c41e682d69d5f2cc98d1b4330ba603785b32c4bd17812f8b76e1090
SHA512

7567a0dd05bec6b56b77664369d149f312b2461449a53f9df3d026a56514a021e2ac6182ba9c86288f301faa7a33867820f33b2e5e2bc9d3b9cd612ee516363b
SSDEEP

1536:1EGh0oTlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oTlqOPOe2MUVg3Ve+rX

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 18 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023226-3.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001200000002322b-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023246-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023135-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023246-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c000000023135-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c000000023135-23.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000001db4d-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000001db4d-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002339e-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002339e-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b0000000233a8-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00070000000233dc-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00070000000233dc-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00070000000234ce-43.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00070000000234ce-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00080000000234d6-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00080000000234d6-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 18 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ED4AE6F0-B71A-4665-9383-046796047000}	{20032E25-5F32-4dec-97B2-CDCEB8EF39FC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{67A5039C-0030-4865-9762-2C45B662033E}\stubpath = "C:\\Windows\\{67A5039C-0030-4865-9762-2C45B662033E}.exe"	{ED4AE6F0-B71A-4665-9383-046796047000}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{24DB6B29-19B9-46df-88C4-B90E4849BEB4}	{67ECDFEF-E4CB-45b4-AA86-A23E564E768F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CC8DADA3-C2DE-424f-A3BA-BBE69EF2E1BB}\stubpath = "C:\\Windows\\{CC8DADA3-C2DE-424f-A3BA-BBE69EF2E1BB}.exe"	{EC1683CF-C4C4-4242-B1D7-1C2E3461DCDD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{20032E25-5F32-4dec-97B2-CDCEB8EF39FC}\stubpath = "C:\\Windows\\{20032E25-5F32-4dec-97B2-CDCEB8EF39FC}.exe"	2024-03-11_aff472e264114917bdb53f4ba5fbcb8d_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0E15E03C-8184-414e-872B-0E094371BA87}	{67A5039C-0030-4865-9762-2C45B662033E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{14793837-03C4-401a-8479-9D5C4AAED4CF}	{0E15E03C-8184-414e-872B-0E094371BA87}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{24DB6B29-19B9-46df-88C4-B90E4849BEB4}\stubpath = "C:\\Windows\\{24DB6B29-19B9-46df-88C4-B90E4849BEB4}.exe"	{67ECDFEF-E4CB-45b4-AA86-A23E564E768F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EC1683CF-C4C4-4242-B1D7-1C2E3461DCDD}\stubpath = "C:\\Windows\\{EC1683CF-C4C4-4242-B1D7-1C2E3461DCDD}.exe"	{24DB6B29-19B9-46df-88C4-B90E4849BEB4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ED4AE6F0-B71A-4665-9383-046796047000}\stubpath = "C:\\Windows\\{ED4AE6F0-B71A-4665-9383-046796047000}.exe"	{20032E25-5F32-4dec-97B2-CDCEB8EF39FC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{67A5039C-0030-4865-9762-2C45B662033E}	{ED4AE6F0-B71A-4665-9383-046796047000}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{67ECDFEF-E4CB-45b4-AA86-A23E564E768F}	{14793837-03C4-401a-8479-9D5C4AAED4CF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{67ECDFEF-E4CB-45b4-AA86-A23E564E768F}\stubpath = "C:\\Windows\\{67ECDFEF-E4CB-45b4-AA86-A23E564E768F}.exe"	{14793837-03C4-401a-8479-9D5C4AAED4CF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EC1683CF-C4C4-4242-B1D7-1C2E3461DCDD}	{24DB6B29-19B9-46df-88C4-B90E4849BEB4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CC8DADA3-C2DE-424f-A3BA-BBE69EF2E1BB}	{EC1683CF-C4C4-4242-B1D7-1C2E3461DCDD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{20032E25-5F32-4dec-97B2-CDCEB8EF39FC}	2024-03-11_aff472e264114917bdb53f4ba5fbcb8d_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0E15E03C-8184-414e-872B-0E094371BA87}\stubpath = "C:\\Windows\\{0E15E03C-8184-414e-872B-0E094371BA87}.exe"	{67A5039C-0030-4865-9762-2C45B662033E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{14793837-03C4-401a-8479-9D5C4AAED4CF}\stubpath = "C:\\Windows\\{14793837-03C4-401a-8479-9D5C4AAED4CF}.exe"	{0E15E03C-8184-414e-872B-0E094371BA87}.exe

Executes dropped EXE 9 IoCs

pid	Process
1596	{20032E25-5F32-4dec-97B2-CDCEB8EF39FC}.exe
3108	{ED4AE6F0-B71A-4665-9383-046796047000}.exe
1592	{67A5039C-0030-4865-9762-2C45B662033E}.exe
1288	{0E15E03C-8184-414e-872B-0E094371BA87}.exe
4512	{14793837-03C4-401a-8479-9D5C4AAED4CF}.exe
2388	{67ECDFEF-E4CB-45b4-AA86-A23E564E768F}.exe
1592	{24DB6B29-19B9-46df-88C4-B90E4849BEB4}.exe
4280	{EC1683CF-C4C4-4242-B1D7-1C2E3461DCDD}.exe
4148	{CC8DADA3-C2DE-424f-A3BA-BBE69EF2E1BB}.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\{EC1683CF-C4C4-4242-B1D7-1C2E3461DCDD}.exe	{24DB6B29-19B9-46df-88C4-B90E4849BEB4}.exe
File created	C:\Windows\{20032E25-5F32-4dec-97B2-CDCEB8EF39FC}.exe	2024-03-11_aff472e264114917bdb53f4ba5fbcb8d_goldeneye.exe
File created	C:\Windows\{67A5039C-0030-4865-9762-2C45B662033E}.exe	{ED4AE6F0-B71A-4665-9383-046796047000}.exe
File created	C:\Windows\{67ECDFEF-E4CB-45b4-AA86-A23E564E768F}.exe	{14793837-03C4-401a-8479-9D5C4AAED4CF}.exe
File created	C:\Windows\{24DB6B29-19B9-46df-88C4-B90E4849BEB4}.exe	{67ECDFEF-E4CB-45b4-AA86-A23E564E768F}.exe
File created	C:\Windows\{CC8DADA3-C2DE-424f-A3BA-BBE69EF2E1BB}.exe	{EC1683CF-C4C4-4242-B1D7-1C2E3461DCDD}.exe
File created	C:\Windows\{ED4AE6F0-B71A-4665-9383-046796047000}.exe	{20032E25-5F32-4dec-97B2-CDCEB8EF39FC}.exe
File created	C:\Windows\{0E15E03C-8184-414e-872B-0E094371BA87}.exe	{67A5039C-0030-4865-9762-2C45B662033E}.exe
File created	C:\Windows\{14793837-03C4-401a-8479-9D5C4AAED4CF}.exe	{0E15E03C-8184-414e-872B-0E094371BA87}.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1464	2024-03-11_aff472e264114917bdb53f4ba5fbcb8d_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1596	{20032E25-5F32-4dec-97B2-CDCEB8EF39FC}.exe
Token: SeIncBasePriorityPrivilege	3108	{ED4AE6F0-B71A-4665-9383-046796047000}.exe
Token: SeIncBasePriorityPrivilege	1592	{67A5039C-0030-4865-9762-2C45B662033E}.exe
Token: SeIncBasePriorityPrivilege	1288	{0E15E03C-8184-414e-872B-0E094371BA87}.exe
Token: SeIncBasePriorityPrivilege	4512	{14793837-03C4-401a-8479-9D5C4AAED4CF}.exe
Token: SeIncBasePriorityPrivilege	2388	{67ECDFEF-E4CB-45b4-AA86-A23E564E768F}.exe
Token: SeIncBasePriorityPrivilege	1592	{24DB6B29-19B9-46df-88C4-B90E4849BEB4}.exe
Token: SeIncBasePriorityPrivilege	4280	{EC1683CF-C4C4-4242-B1D7-1C2E3461DCDD}.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 1464 wrote to memory of 1596	1464	2024-03-11_aff472e264114917bdb53f4ba5fbcb8d_goldeneye.exe	99
PID 1464 wrote to memory of 1596	1464	2024-03-11_aff472e264114917bdb53f4ba5fbcb8d_goldeneye.exe	99
PID 1464 wrote to memory of 1596	1464	2024-03-11_aff472e264114917bdb53f4ba5fbcb8d_goldeneye.exe	99
PID 1464 wrote to memory of 3820	1464	2024-03-11_aff472e264114917bdb53f4ba5fbcb8d_goldeneye.exe	100
PID 1464 wrote to memory of 3820	1464	2024-03-11_aff472e264114917bdb53f4ba5fbcb8d_goldeneye.exe	100
PID 1464 wrote to memory of 3820	1464	2024-03-11_aff472e264114917bdb53f4ba5fbcb8d_goldeneye.exe	100
PID 1596 wrote to memory of 3108	1596	{20032E25-5F32-4dec-97B2-CDCEB8EF39FC}.exe	101
PID 1596 wrote to memory of 3108	1596	{20032E25-5F32-4dec-97B2-CDCEB8EF39FC}.exe	101
PID 1596 wrote to memory of 3108	1596	{20032E25-5F32-4dec-97B2-CDCEB8EF39FC}.exe	101
PID 1596 wrote to memory of 4196	1596	{20032E25-5F32-4dec-97B2-CDCEB8EF39FC}.exe	102
PID 1596 wrote to memory of 4196	1596	{20032E25-5F32-4dec-97B2-CDCEB8EF39FC}.exe	102
PID 1596 wrote to memory of 4196	1596	{20032E25-5F32-4dec-97B2-CDCEB8EF39FC}.exe	102
PID 3108 wrote to memory of 1592	3108	{ED4AE6F0-B71A-4665-9383-046796047000}.exe	106
PID 3108 wrote to memory of 1592	3108	{ED4AE6F0-B71A-4665-9383-046796047000}.exe	106
PID 3108 wrote to memory of 1592	3108	{ED4AE6F0-B71A-4665-9383-046796047000}.exe	106
PID 3108 wrote to memory of 3484	3108	{ED4AE6F0-B71A-4665-9383-046796047000}.exe	107
PID 3108 wrote to memory of 3484	3108	{ED4AE6F0-B71A-4665-9383-046796047000}.exe	107
PID 3108 wrote to memory of 3484	3108	{ED4AE6F0-B71A-4665-9383-046796047000}.exe	107
PID 1592 wrote to memory of 1288	1592	{67A5039C-0030-4865-9762-2C45B662033E}.exe	108
PID 1592 wrote to memory of 1288	1592	{67A5039C-0030-4865-9762-2C45B662033E}.exe	108
PID 1592 wrote to memory of 1288	1592	{67A5039C-0030-4865-9762-2C45B662033E}.exe	108
PID 1592 wrote to memory of 4976	1592	{67A5039C-0030-4865-9762-2C45B662033E}.exe	109
PID 1592 wrote to memory of 4976	1592	{67A5039C-0030-4865-9762-2C45B662033E}.exe	109
PID 1592 wrote to memory of 4976	1592	{67A5039C-0030-4865-9762-2C45B662033E}.exe	109
PID 1288 wrote to memory of 4512	1288	{0E15E03C-8184-414e-872B-0E094371BA87}.exe	110
PID 1288 wrote to memory of 4512	1288	{0E15E03C-8184-414e-872B-0E094371BA87}.exe	110
PID 1288 wrote to memory of 4512	1288	{0E15E03C-8184-414e-872B-0E094371BA87}.exe	110
PID 1288 wrote to memory of 884	1288	{0E15E03C-8184-414e-872B-0E094371BA87}.exe	111
PID 1288 wrote to memory of 884	1288	{0E15E03C-8184-414e-872B-0E094371BA87}.exe	111
PID 1288 wrote to memory of 884	1288	{0E15E03C-8184-414e-872B-0E094371BA87}.exe	111
PID 4512 wrote to memory of 2388	4512	{14793837-03C4-401a-8479-9D5C4AAED4CF}.exe	113
PID 4512 wrote to memory of 2388	4512	{14793837-03C4-401a-8479-9D5C4AAED4CF}.exe	113
PID 4512 wrote to memory of 2388	4512	{14793837-03C4-401a-8479-9D5C4AAED4CF}.exe	113
PID 4512 wrote to memory of 3960	4512	{14793837-03C4-401a-8479-9D5C4AAED4CF}.exe	114
PID 4512 wrote to memory of 3960	4512	{14793837-03C4-401a-8479-9D5C4AAED4CF}.exe	114
PID 4512 wrote to memory of 3960	4512	{14793837-03C4-401a-8479-9D5C4AAED4CF}.exe	114
PID 2388 wrote to memory of 1592	2388	{67ECDFEF-E4CB-45b4-AA86-A23E564E768F}.exe	115
PID 2388 wrote to memory of 1592	2388	{67ECDFEF-E4CB-45b4-AA86-A23E564E768F}.exe	115
PID 2388 wrote to memory of 1592	2388	{67ECDFEF-E4CB-45b4-AA86-A23E564E768F}.exe	115
PID 2388 wrote to memory of 3224	2388	{67ECDFEF-E4CB-45b4-AA86-A23E564E768F}.exe	116
PID 2388 wrote to memory of 3224	2388	{67ECDFEF-E4CB-45b4-AA86-A23E564E768F}.exe	116
PID 2388 wrote to memory of 3224	2388	{67ECDFEF-E4CB-45b4-AA86-A23E564E768F}.exe	116
PID 1592 wrote to memory of 4280	1592	{24DB6B29-19B9-46df-88C4-B90E4849BEB4}.exe	117
PID 1592 wrote to memory of 4280	1592	{24DB6B29-19B9-46df-88C4-B90E4849BEB4}.exe	117
PID 1592 wrote to memory of 4280	1592	{24DB6B29-19B9-46df-88C4-B90E4849BEB4}.exe	117
PID 1592 wrote to memory of 3008	1592	{24DB6B29-19B9-46df-88C4-B90E4849BEB4}.exe	118
PID 1592 wrote to memory of 3008	1592	{24DB6B29-19B9-46df-88C4-B90E4849BEB4}.exe	118
PID 1592 wrote to memory of 3008	1592	{24DB6B29-19B9-46df-88C4-B90E4849BEB4}.exe	118
PID 4280 wrote to memory of 4148	4280	{EC1683CF-C4C4-4242-B1D7-1C2E3461DCDD}.exe	123
PID 4280 wrote to memory of 4148	4280	{EC1683CF-C4C4-4242-B1D7-1C2E3461DCDD}.exe	123
PID 4280 wrote to memory of 4148	4280	{EC1683CF-C4C4-4242-B1D7-1C2E3461DCDD}.exe	123
PID 4280 wrote to memory of 2272	4280	{EC1683CF-C4C4-4242-B1D7-1C2E3461DCDD}.exe	124
PID 4280 wrote to memory of 2272	4280	{EC1683CF-C4C4-4242-B1D7-1C2E3461DCDD}.exe	124
PID 4280 wrote to memory of 2272	4280	{EC1683CF-C4C4-4242-B1D7-1C2E3461DCDD}.exe	124

C:\Users\Admin\AppData\Local\Temp\2024-03-11_aff472e264114917bdb53f4ba5fbcb8d_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-11_aff472e264114917bdb53f4ba5fbcb8d_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1464
- C:\Windows\{20032E25-5F32-4dec-97B2-CDCEB8EF39FC}.exe
  C:\Windows\{20032E25-5F32-4dec-97B2-CDCEB8EF39FC}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1596
- - C:\Windows\{ED4AE6F0-B71A-4665-9383-046796047000}.exe
    C:\Windows\{ED4AE6F0-B71A-4665-9383-046796047000}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3108
  - - C:\Windows\{67A5039C-0030-4865-9762-2C45B662033E}.exe
      C:\Windows\{67A5039C-0030-4865-9762-2C45B662033E}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1592
    - - C:\Windows\{0E15E03C-8184-414e-872B-0E094371BA87}.exe
        
        C:\Windows\{0E15E03C-8184-414e-872B-0E094371BA87}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1288
      - C:\Windows\{14793837-03C4-401a-8479-9D5C4AAED4CF}.exe
        
        C:\Windows\{14793837-03C4-401a-8479-9D5C4AAED4CF}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4512
        
        C:\Windows\{67ECDFEF-E4CB-45b4-AA86-A23E564E768F}.exe
        
        C:\Windows\{67ECDFEF-E4CB-45b4-AA86-A23E564E768F}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2388
        
        C:\Windows\{24DB6B29-19B9-46df-88C4-B90E4849BEB4}.exe
        
        C:\Windows\{24DB6B29-19B9-46df-88C4-B90E4849BEB4}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1592
        
        C:\Windows\{EC1683CF-C4C4-4242-B1D7-1C2E3461DCDD}.exe
        
        C:\Windows\{EC1683CF-C4C4-4242-B1D7-1C2E3461DCDD}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4280
        
        C:\Windows\{CC8DADA3-C2DE-424f-A3BA-BBE69EF2E1BB}.exe
        
        C:\Windows\{CC8DADA3-C2DE-424f-A3BA-BBE69EF2E1BB}.exe
        10⤵
        Executes dropped EXE
        
        PID:4148
        
        C:\Windows\{D2384523-6AE7-4b8f-A0DE-8FB9BB0E72D3}.exe
        
        C:\Windows\{D2384523-6AE7-4b8f-A0DE-8FB9BB0E72D3}.exe
        11⤵
        
        PID:4564
        
        C:\Windows\{2FD7BFAE-D860-49c5-9C23-ADC736D3531E}.exe
        
        C:\Windows\{2FD7BFAE-D860-49c5-9C23-ADC736D3531E}.exe
        12⤵
        
        PID:3112
        
        C:\Windows\{ADB02113-570A-4bf0-8CA1-3DD76FBA71B2}.exe
        
        C:\Windows\{ADB02113-570A-4bf0-8CA1-3DD76FBA71B2}.exe
        13⤵
        
        PID:3836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2FD7B~1.EXE > nul
        13⤵
        
        PID:4240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D2384~1.EXE > nul
        12⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CC8DA~1.EXE > nul
        11⤵
        
        PID:1224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EC168~1.EXE > nul
        10⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{24DB6~1.EXE > nul
        9⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{67ECD~1.EXE > nul
        8⤵
        
        PID:3224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{14793~1.EXE > nul
        7⤵
        
        PID:3960
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0E15E~1.EXE > nul
        6⤵
        
        PID:884
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{67A50~1.EXE > nul
        5⤵
        
        PID:4976
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{ED4AE~1.EXE > nul
      4⤵
      PID:3484
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{20032~1.EXE > nul
    3⤵
    PID:4196
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:3820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0E15E03C-8184-414e-872B-0E094371BA87}.exe

Filesize
168KB

MD5
e2990f7c2010e77fa8cf6c50637f1f7d

SHA1
e1bd3c3ec82ac62c6d183cf1508c1533c19c6172

SHA256
a2e9996b329310d374007ca7e00e2735be4877c686a565c741f602a339aaed51

SHA512
48cc59eaba7ab1e6c5f5d327a0705bb309bf7a18c93e4ec6ebd3d0449f96ac309be1d2caa74d4b73d2528d24b6e5120140de1ba6de493fbe8ceaaa0cbe08a1dc

Download Submit
C:\Windows\{14793837-03C4-401a-8479-9D5C4AAED4CF}.exe

Filesize
168KB

MD5
dff09516912c393fe2cc2d606ac59a6b

SHA1
83db74d6a0a5e8ecd5f7ad9086b7fa267aa49fcd

SHA256
1061e314c2e5dfc3afe3ad024190ba1a51472a729b9a3826e65d241ba375b638

SHA512
279e0f01dd58dc654cd7961d06ac5050586017dcaa8842aa164944aa393cde54800bced26454652f363ccb7dfa397c939dcda94eaac2f851f58c8f1894b3b3ab

Download Submit
C:\Windows\{20032E25-5F32-4dec-97B2-CDCEB8EF39FC}.exe

Filesize
168KB

MD5
962e337c945ce1e391153e3b44a12a0d

SHA1
a029a0a57d03326f4819254dbd707a0ab37e0e8a

SHA256
a4e78ff527c701584db34c643f09051757576207f48146641bb022f226d7b310

SHA512
b8b30b283a3f0e99a1621273ca05975653fc2e7e59a2b20302cf965ff11395a3c9f5f004f810f4520c93f0285e212cea09e96cce8648b4d46f81671144b9269b

Download Submit
C:\Windows\{24DB6B29-19B9-46df-88C4-B90E4849BEB4}.exe

Filesize
113KB

MD5
347f7b601900064947a5a99cb54897e0

SHA1
af2e5c47def162059709b5524b9d42ab02516d82

SHA256
bfb835b6ac4afec24f3c403cddaa26d0c53dbe2b71508512520c802b8a676927

SHA512
428e60b34810903374c58d654afdeb2ae618367aeec1821b4f80522ef5f62ee8b3c9c132b8cdfa170594b87079909bed69aedf8da479768c435898ac7f49406b

Download Submit
C:\Windows\{24DB6B29-19B9-46df-88C4-B90E4849BEB4}.exe

Filesize
168KB

MD5
4b2aadaeb9b9cd8355d6ce9dbc706dfb

SHA1
db82ae93f08ff86d3080bb197bf49ed231a58a04

SHA256
9261e31f45d043f335078b199d2fa8bc0bc5da13a18475d220863b9a75a74970

SHA512
94e95599cf3f63bab7b0a0fc2e6345f77161524480906f0d338c731d4cb19b948f47b4f19d0dbc668e056923c8ad9142b5d94247de17fe9f33b1a66a26d68bf7

Download Submit
C:\Windows\{2FD7BFAE-D860-49c5-9C23-ADC736D3531E}.exe

Filesize
99KB

MD5
7efe6191e3e5457a882a04765fa2e225

SHA1
faf2646fe25134353a740214d71ebf8c11273132

SHA256
8333527b20cf78d19c514e1dc2971a1ba4c8c5a468850e9930d117e87cc015d3

SHA512
390b203fd650d823d327cbe7fb746bd8c14d25a7c1b057500cdcbc41db5743e2fb2ab3984ca48cb9bd7ddace9833b3890c5c58de14069c58036aad0ef480ff3d

Download Submit
C:\Windows\{2FD7BFAE-D860-49c5-9C23-ADC736D3531E}.exe

Filesize
38KB

MD5
3df68718cc5be5da3bd819f9897c9bbe

SHA1
370ef74df7409c125bc31af715398ede0f835d0a

SHA256
df81f46f991d094da6638d480d719b743f1356b6b23260dc786a74506d06c5a8

SHA512
b8e6ad094fdaff37af28dad146f59928e6736a7f62e92ee7394044ca62973d7d79f7cd7224deb454175dd622d990ae24120358b7fea1dba4677d65b042eb4c22

Download Submit
C:\Windows\{67A5039C-0030-4865-9762-2C45B662033E}.exe

Filesize
168KB

MD5
fa2deceafe271b6f330744b334f02831

SHA1
a636e0f8c6ce9b93dec76d9991d962f8a6d79f81

SHA256
35563c70e7bf3b5f792337b5810775627b00556f76d17b0955c64e165def2289

SHA512
8fe693519be4f71ea22b2965fb243403a22b4ed07af4d535e31241b04d9baa76dde820651692ea853d764a303cfcbfc560b37927e9742f80536ed208ffe41585

Download Submit
C:\Windows\{67ECDFEF-E4CB-45b4-AA86-A23E564E768F}.exe

Filesize
56KB

MD5
25d3250dcd9f8f67a166667cb8623217

SHA1
c33ccb54d90cd1bced2463b9b54ef1f5b073ff8e

SHA256
ec459437fe59e45e620da47af0d611adcbf076c4db23513aa2daf9c5bcbd15d8

SHA512
68fa36620bfe4b7deda39c3ebdb209f133649f0ade9eff47c9bfec2f777893e83f34537dd31de65d67f3d8fb3df539adcd9c3306f2976493c71393324cfeda08

Download Submit
C:\Windows\{67ECDFEF-E4CB-45b4-AA86-A23E564E768F}.exe

Filesize
124KB

MD5
ff454aa8e6edf24b4512335c4e4338e5

SHA1
05e1ffd54e2c336b99cc4ad43e87bca4263bd025

SHA256
946ae84d7f4948b683c9bc0a6f5301087e662593c70b66e98e305f84ab220204

SHA512
f3ac9c46ae982b4a6fa402f823840fb7afe2a1439e667cb916b10fc71b77ea838ba1209ca204acd26f9938d03490b047c8576a1fe37e2d8f99ccb8a1637ef14b

Download Submit
C:\Windows\{ADB02113-570A-4bf0-8CA1-3DD76FBA71B2}.exe

Filesize
168KB

MD5
2c0f865dae21a4a643b94951af1e5d51

SHA1
cb6bc70f269da559d39969f09dc14607765d83f8

SHA256
193c0285eaf69f95a0739b2926a21cb5f5486110e983c5006f5e6053687f6dfb

SHA512
8ef086de2c56002b575c6b1876d80967b3bf4d5d87abf09eb1e078acec0d918009e95de101a6746263c54501b6a92418078fe323f9eb836f8f516baf92a1f78d

Download Submit
C:\Windows\{ADB02113-570A-4bf0-8CA1-3DD76FBA71B2}.exe

Filesize
56KB

MD5
4ab78a2028cc1e0d11146fef5e4de6bb

SHA1
bfd3ae16c0cd3652b9aaac036fbd508fb88bcf6d

SHA256
1e7410e02931c2a4053793ab7af04bb554f8183b1232e8d346050919e8baa990

SHA512
43c0c8d93248f87de3dbebf0099118912ec8b2410d599792e625291cc9cd5d540528308598b6ef6b37e1253fa22d72b5cd08fadd70f1676227585e54a2d04e93

Download Submit
C:\Windows\{CC8DADA3-C2DE-424f-A3BA-BBE69EF2E1BB}.exe

Filesize
1KB

MD5
b228397504b8fc94b59ced1aa1106388

SHA1
ae8b4968e5f828aa7b8f4895a9ad359b0f7ba1ff

SHA256
10c558a88626acfc67baee1f538772c101dfa71d0600a9d08841878f906a835d

SHA512
007e971715f32664e618c6ee7500bc8befcfcf413d9b900eeeb14c2e8cebb65d2f96d271882541fcfc540f1e53f6414c4073b0858b9ff7ad9b64de61fee22ec2

Download Submit
C:\Windows\{D2384523-6AE7-4b8f-A0DE-8FB9BB0E72D3}.exe

Filesize
127KB

MD5
1a6de8c0f0e0607e88ebd3066ff82bbc

SHA1
f1fa7ff796532598884d952b151ed216f91a2b18

SHA256
d84be77560f049c57f693bb30570a10243c85b692c7454d6995ef1c88a99cf0d

SHA512
2672dd70b6ac3cbf2d8e230ff526be15eabee7fd40910d90d653b0f8cf76ef9d71a4996364662474552f87fdbc8dca452da84d785a40811a1e8f9b05a56a6ea1

Download Submit
C:\Windows\{D2384523-6AE7-4b8f-A0DE-8FB9BB0E72D3}.exe

Filesize
58KB

MD5
2cf510d5b7b76791b1ccc85b4284af10

SHA1
8aa1a833103a2ed1754346ac72ef161d8141bbaf

SHA256
617854afacef1e93feb5ab6df283e971049a4b86817f2b4ee644a60cbd93f9ea

SHA512
d8bd129ea0d1faaa661a77262bd79fc22dfc227dab2ee6a0039b01803f453837927d06cb85819a9ae5f2569da7f1e3bfcbe9e0b151e72753ca3923c0c7efc86d

Download Submit
C:\Windows\{EC1683CF-C4C4-4242-B1D7-1C2E3461DCDD}.exe

Filesize
143KB

MD5
ee0f4e349c446b4260055734ba0f3459

SHA1
a0e7cff5b8352254bcbc517fc5526e45d5d0c6c3

SHA256
c2a7353696b2e7d6417de565492f19bdb5eca719bc24eed3518b3fe18aa33c11

SHA512
13959be95c8966ad998c8c7ce800c77a97618d8ed3f68110d506f6b77c9f8914489af595917aa5493fd738e45ed0bf4e712626fe698aed3ca0c9bee98d720178

Download Submit
C:\Windows\{EC1683CF-C4C4-4242-B1D7-1C2E3461DCDD}.exe

Filesize
168KB

MD5
b5a286dc201a951c3072851716a2fae6

SHA1
1abca7afe6a4ba63f4b0c27325efa5542afdb050

SHA256
af7c6875e46200901afe01c2f26d872ed62088babbf05cb9d391cc1f628aaf1a

SHA512
ad0e4d2d88835ff9885a1443c30cc3d6f9343d8de5caee2e6d8b015193a92902e0b433403ed0f25ffad705585a685e054a030898cdb00098c0b94e9dd963e1ba

Download Submit
C:\Windows\{ED4AE6F0-B71A-4665-9383-046796047000}.exe

Filesize
168KB

MD5
ca68ac0269d385c48e5809612337d246

SHA1
67a755b184ea72f05e33b6f676b81e5778fe0f7d

SHA256
ba697b8b70774d0d1490424fa5afc43279ae7c041d501139c6dd43197e43d5b5

SHA512
1de39ce770c79cc1b9855d79985db389f00ddbaed9b552f16e268dc06832fbeee66107b0081e0a91333963d163e23881d62195c70a7bd97a1b89e3ff6f9ad17e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads