c97c7bf7a9035b1e7791c4778c19801918a15d6b7bee9e24866478a4258d4297

Analysis

max time kernel
144s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
12-03-2024 17:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-12_024687052e95bc586d75402c16e68316_goldeneye.exe
Size

168KB
MD5

024687052e95bc586d75402c16e68316
SHA1

09227454101ffe822896aeb37cb6f9d432fac5d4
SHA256

c97c7bf7a9035b1e7791c4778c19801918a15d6b7bee9e24866478a4258d4297
SHA512

3b1c3173bb44a3b89b7acf1f37803109c0ea77e8b0d03033f42cba247a68907e50d51f6c757611d5e9d93641dae6dae83a80edb41e9c617ba975c3f08ada41f5
SSDEEP

1536:1EGh0oOIli5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oTliOPOe2MUVg3Ve+rX

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x0009000000012248-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e0000000122e5-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0030000000015c50-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000300000000b1f2-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000400000000b1f2-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000500000000b1f2-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000600000000b1f2-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3CEC4B0C-51BE-47e3-960F-D72FF94AED66}	{C94845C6-ACFB-48e6-A023-8C106C5453A1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6BBA6215-B969-4248-83B5-F24BEC8033CC}\stubpath = "C:\\Windows\\{6BBA6215-B969-4248-83B5-F24BEC8033CC}.exe"	2024-03-12_024687052e95bc586d75402c16e68316_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8889D0BB-B802-4b2a-93B3-B30E67EB8690}	{6BBA6215-B969-4248-83B5-F24BEC8033CC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A16244F3-8924-4414-B272-04A52481B9C2}	{8889D0BB-B802-4b2a-93B3-B30E67EB8690}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6540DEF6-B990-4ddf-84B2-C589F3ED1E60}\stubpath = "C:\\Windows\\{6540DEF6-B990-4ddf-84B2-C589F3ED1E60}.exe"	{A16244F3-8924-4414-B272-04A52481B9C2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3CEC4B0C-51BE-47e3-960F-D72FF94AED66}\stubpath = "C:\\Windows\\{3CEC4B0C-51BE-47e3-960F-D72FF94AED66}.exe"	{C94845C6-ACFB-48e6-A023-8C106C5453A1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DFE25ECF-2D39-47fa-A129-DDEB3C5966EE}	{3CEC4B0C-51BE-47e3-960F-D72FF94AED66}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A16244F3-8924-4414-B272-04A52481B9C2}\stubpath = "C:\\Windows\\{A16244F3-8924-4414-B272-04A52481B9C2}.exe"	{8889D0BB-B802-4b2a-93B3-B30E67EB8690}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6540DEF6-B990-4ddf-84B2-C589F3ED1E60}	{A16244F3-8924-4414-B272-04A52481B9C2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{63019F40-EA67-45b1-8AC7-FB2B3555E620}	{6540DEF6-B990-4ddf-84B2-C589F3ED1E60}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C94845C6-ACFB-48e6-A023-8C106C5453A1}	{065266C6-54CC-47e5-BEAC-AB79A808236C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6BBA6215-B969-4248-83B5-F24BEC8033CC}	2024-03-12_024687052e95bc586d75402c16e68316_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{065266C6-54CC-47e5-BEAC-AB79A808236C}	{214302E1-61E8-4046-88E2-E271FA9BD26D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C94845C6-ACFB-48e6-A023-8C106C5453A1}\stubpath = "C:\\Windows\\{C94845C6-ACFB-48e6-A023-8C106C5453A1}.exe"	{065266C6-54CC-47e5-BEAC-AB79A808236C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DFE25ECF-2D39-47fa-A129-DDEB3C5966EE}\stubpath = "C:\\Windows\\{DFE25ECF-2D39-47fa-A129-DDEB3C5966EE}.exe"	{3CEC4B0C-51BE-47e3-960F-D72FF94AED66}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{214302E1-61E8-4046-88E2-E271FA9BD26D}	{B314DF08-525B-48c2-A590-9A6F8ACFD03D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{214302E1-61E8-4046-88E2-E271FA9BD26D}\stubpath = "C:\\Windows\\{214302E1-61E8-4046-88E2-E271FA9BD26D}.exe"	{B314DF08-525B-48c2-A590-9A6F8ACFD03D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{065266C6-54CC-47e5-BEAC-AB79A808236C}\stubpath = "C:\\Windows\\{065266C6-54CC-47e5-BEAC-AB79A808236C}.exe"	{214302E1-61E8-4046-88E2-E271FA9BD26D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8889D0BB-B802-4b2a-93B3-B30E67EB8690}\stubpath = "C:\\Windows\\{8889D0BB-B802-4b2a-93B3-B30E67EB8690}.exe"	{6BBA6215-B969-4248-83B5-F24BEC8033CC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{63019F40-EA67-45b1-8AC7-FB2B3555E620}\stubpath = "C:\\Windows\\{63019F40-EA67-45b1-8AC7-FB2B3555E620}.exe"	{6540DEF6-B990-4ddf-84B2-C589F3ED1E60}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B314DF08-525B-48c2-A590-9A6F8ACFD03D}	{63019F40-EA67-45b1-8AC7-FB2B3555E620}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B314DF08-525B-48c2-A590-9A6F8ACFD03D}\stubpath = "C:\\Windows\\{B314DF08-525B-48c2-A590-9A6F8ACFD03D}.exe"	{63019F40-EA67-45b1-8AC7-FB2B3555E620}.exe

Deletes itself 1 IoCs

pid	Process
3000	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2928	{6BBA6215-B969-4248-83B5-F24BEC8033CC}.exe
2556	{8889D0BB-B802-4b2a-93B3-B30E67EB8690}.exe
2400	{A16244F3-8924-4414-B272-04A52481B9C2}.exe
2420	{6540DEF6-B990-4ddf-84B2-C589F3ED1E60}.exe
2908	{63019F40-EA67-45b1-8AC7-FB2B3555E620}.exe
2316	{B314DF08-525B-48c2-A590-9A6F8ACFD03D}.exe
2136	{214302E1-61E8-4046-88E2-E271FA9BD26D}.exe
640	{065266C6-54CC-47e5-BEAC-AB79A808236C}.exe
1328	{C94845C6-ACFB-48e6-A023-8C106C5453A1}.exe
2240	{3CEC4B0C-51BE-47e3-960F-D72FF94AED66}.exe
2992	{DFE25ECF-2D39-47fa-A129-DDEB3C5966EE}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{63019F40-EA67-45b1-8AC7-FB2B3555E620}.exe	{6540DEF6-B990-4ddf-84B2-C589F3ED1E60}.exe
File created	C:\Windows\{B314DF08-525B-48c2-A590-9A6F8ACFD03D}.exe	{63019F40-EA67-45b1-8AC7-FB2B3555E620}.exe
File created	C:\Windows\{C94845C6-ACFB-48e6-A023-8C106C5453A1}.exe	{065266C6-54CC-47e5-BEAC-AB79A808236C}.exe
File created	C:\Windows\{3CEC4B0C-51BE-47e3-960F-D72FF94AED66}.exe	{C94845C6-ACFB-48e6-A023-8C106C5453A1}.exe
File created	C:\Windows\{A16244F3-8924-4414-B272-04A52481B9C2}.exe	{8889D0BB-B802-4b2a-93B3-B30E67EB8690}.exe
File created	C:\Windows\{6540DEF6-B990-4ddf-84B2-C589F3ED1E60}.exe	{A16244F3-8924-4414-B272-04A52481B9C2}.exe
File created	C:\Windows\{214302E1-61E8-4046-88E2-E271FA9BD26D}.exe	{B314DF08-525B-48c2-A590-9A6F8ACFD03D}.exe
File created	C:\Windows\{065266C6-54CC-47e5-BEAC-AB79A808236C}.exe	{214302E1-61E8-4046-88E2-E271FA9BD26D}.exe
File created	C:\Windows\{DFE25ECF-2D39-47fa-A129-DDEB3C5966EE}.exe	{3CEC4B0C-51BE-47e3-960F-D72FF94AED66}.exe
File created	C:\Windows\{6BBA6215-B969-4248-83B5-F24BEC8033CC}.exe	2024-03-12_024687052e95bc586d75402c16e68316_goldeneye.exe
File created	C:\Windows\{8889D0BB-B802-4b2a-93B3-B30E67EB8690}.exe	{6BBA6215-B969-4248-83B5-F24BEC8033CC}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1444	2024-03-12_024687052e95bc586d75402c16e68316_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2928	{6BBA6215-B969-4248-83B5-F24BEC8033CC}.exe
Token: SeIncBasePriorityPrivilege	2556	{8889D0BB-B802-4b2a-93B3-B30E67EB8690}.exe
Token: SeIncBasePriorityPrivilege	2400	{A16244F3-8924-4414-B272-04A52481B9C2}.exe
Token: SeIncBasePriorityPrivilege	2420	{6540DEF6-B990-4ddf-84B2-C589F3ED1E60}.exe
Token: SeIncBasePriorityPrivilege	2908	{63019F40-EA67-45b1-8AC7-FB2B3555E620}.exe
Token: SeIncBasePriorityPrivilege	2316	{B314DF08-525B-48c2-A590-9A6F8ACFD03D}.exe
Token: SeIncBasePriorityPrivilege	2136	{214302E1-61E8-4046-88E2-E271FA9BD26D}.exe
Token: SeIncBasePriorityPrivilege	640	{065266C6-54CC-47e5-BEAC-AB79A808236C}.exe
Token: SeIncBasePriorityPrivilege	1328	{C94845C6-ACFB-48e6-A023-8C106C5453A1}.exe
Token: SeIncBasePriorityPrivilege	2240	{3CEC4B0C-51BE-47e3-960F-D72FF94AED66}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1444 wrote to memory of 2928	1444	2024-03-12_024687052e95bc586d75402c16e68316_goldeneye.exe	28
PID 1444 wrote to memory of 2928	1444	2024-03-12_024687052e95bc586d75402c16e68316_goldeneye.exe	28
PID 1444 wrote to memory of 2928	1444	2024-03-12_024687052e95bc586d75402c16e68316_goldeneye.exe	28
PID 1444 wrote to memory of 2928	1444	2024-03-12_024687052e95bc586d75402c16e68316_goldeneye.exe	28
PID 1444 wrote to memory of 3000	1444	2024-03-12_024687052e95bc586d75402c16e68316_goldeneye.exe	29
PID 1444 wrote to memory of 3000	1444	2024-03-12_024687052e95bc586d75402c16e68316_goldeneye.exe	29
PID 1444 wrote to memory of 3000	1444	2024-03-12_024687052e95bc586d75402c16e68316_goldeneye.exe	29
PID 1444 wrote to memory of 3000	1444	2024-03-12_024687052e95bc586d75402c16e68316_goldeneye.exe	29
PID 2928 wrote to memory of 2556	2928	{6BBA6215-B969-4248-83B5-F24BEC8033CC}.exe	30
PID 2928 wrote to memory of 2556	2928	{6BBA6215-B969-4248-83B5-F24BEC8033CC}.exe	30
PID 2928 wrote to memory of 2556	2928	{6BBA6215-B969-4248-83B5-F24BEC8033CC}.exe	30
PID 2928 wrote to memory of 2556	2928	{6BBA6215-B969-4248-83B5-F24BEC8033CC}.exe	30
PID 2928 wrote to memory of 2536	2928	{6BBA6215-B969-4248-83B5-F24BEC8033CC}.exe	31
PID 2928 wrote to memory of 2536	2928	{6BBA6215-B969-4248-83B5-F24BEC8033CC}.exe	31
PID 2928 wrote to memory of 2536	2928	{6BBA6215-B969-4248-83B5-F24BEC8033CC}.exe	31
PID 2928 wrote to memory of 2536	2928	{6BBA6215-B969-4248-83B5-F24BEC8033CC}.exe	31
PID 2556 wrote to memory of 2400	2556	{8889D0BB-B802-4b2a-93B3-B30E67EB8690}.exe	34
PID 2556 wrote to memory of 2400	2556	{8889D0BB-B802-4b2a-93B3-B30E67EB8690}.exe	34
PID 2556 wrote to memory of 2400	2556	{8889D0BB-B802-4b2a-93B3-B30E67EB8690}.exe	34
PID 2556 wrote to memory of 2400	2556	{8889D0BB-B802-4b2a-93B3-B30E67EB8690}.exe	34
PID 2556 wrote to memory of 2480	2556	{8889D0BB-B802-4b2a-93B3-B30E67EB8690}.exe	35
PID 2556 wrote to memory of 2480	2556	{8889D0BB-B802-4b2a-93B3-B30E67EB8690}.exe	35
PID 2556 wrote to memory of 2480	2556	{8889D0BB-B802-4b2a-93B3-B30E67EB8690}.exe	35
PID 2556 wrote to memory of 2480	2556	{8889D0BB-B802-4b2a-93B3-B30E67EB8690}.exe	35
PID 2400 wrote to memory of 2420	2400	{A16244F3-8924-4414-B272-04A52481B9C2}.exe	36
PID 2400 wrote to memory of 2420	2400	{A16244F3-8924-4414-B272-04A52481B9C2}.exe	36
PID 2400 wrote to memory of 2420	2400	{A16244F3-8924-4414-B272-04A52481B9C2}.exe	36
PID 2400 wrote to memory of 2420	2400	{A16244F3-8924-4414-B272-04A52481B9C2}.exe	36
PID 2400 wrote to memory of 2148	2400	{A16244F3-8924-4414-B272-04A52481B9C2}.exe	37
PID 2400 wrote to memory of 2148	2400	{A16244F3-8924-4414-B272-04A52481B9C2}.exe	37
PID 2400 wrote to memory of 2148	2400	{A16244F3-8924-4414-B272-04A52481B9C2}.exe	37
PID 2400 wrote to memory of 2148	2400	{A16244F3-8924-4414-B272-04A52481B9C2}.exe	37
PID 2420 wrote to memory of 2908	2420	{6540DEF6-B990-4ddf-84B2-C589F3ED1E60}.exe	38
PID 2420 wrote to memory of 2908	2420	{6540DEF6-B990-4ddf-84B2-C589F3ED1E60}.exe	38
PID 2420 wrote to memory of 2908	2420	{6540DEF6-B990-4ddf-84B2-C589F3ED1E60}.exe	38
PID 2420 wrote to memory of 2908	2420	{6540DEF6-B990-4ddf-84B2-C589F3ED1E60}.exe	38
PID 2420 wrote to memory of 2888	2420	{6540DEF6-B990-4ddf-84B2-C589F3ED1E60}.exe	39
PID 2420 wrote to memory of 2888	2420	{6540DEF6-B990-4ddf-84B2-C589F3ED1E60}.exe	39
PID 2420 wrote to memory of 2888	2420	{6540DEF6-B990-4ddf-84B2-C589F3ED1E60}.exe	39
PID 2420 wrote to memory of 2888	2420	{6540DEF6-B990-4ddf-84B2-C589F3ED1E60}.exe	39
PID 2908 wrote to memory of 2316	2908	{63019F40-EA67-45b1-8AC7-FB2B3555E620}.exe	40
PID 2908 wrote to memory of 2316	2908	{63019F40-EA67-45b1-8AC7-FB2B3555E620}.exe	40
PID 2908 wrote to memory of 2316	2908	{63019F40-EA67-45b1-8AC7-FB2B3555E620}.exe	40
PID 2908 wrote to memory of 2316	2908	{63019F40-EA67-45b1-8AC7-FB2B3555E620}.exe	40
PID 2908 wrote to memory of 1996	2908	{63019F40-EA67-45b1-8AC7-FB2B3555E620}.exe	41
PID 2908 wrote to memory of 1996	2908	{63019F40-EA67-45b1-8AC7-FB2B3555E620}.exe	41
PID 2908 wrote to memory of 1996	2908	{63019F40-EA67-45b1-8AC7-FB2B3555E620}.exe	41
PID 2908 wrote to memory of 1996	2908	{63019F40-EA67-45b1-8AC7-FB2B3555E620}.exe	41
PID 2316 wrote to memory of 2136	2316	{B314DF08-525B-48c2-A590-9A6F8ACFD03D}.exe	42
PID 2316 wrote to memory of 2136	2316	{B314DF08-525B-48c2-A590-9A6F8ACFD03D}.exe	42
PID 2316 wrote to memory of 2136	2316	{B314DF08-525B-48c2-A590-9A6F8ACFD03D}.exe	42
PID 2316 wrote to memory of 2136	2316	{B314DF08-525B-48c2-A590-9A6F8ACFD03D}.exe	42
PID 2316 wrote to memory of 796	2316	{B314DF08-525B-48c2-A590-9A6F8ACFD03D}.exe	43
PID 2316 wrote to memory of 796	2316	{B314DF08-525B-48c2-A590-9A6F8ACFD03D}.exe	43
PID 2316 wrote to memory of 796	2316	{B314DF08-525B-48c2-A590-9A6F8ACFD03D}.exe	43
PID 2316 wrote to memory of 796	2316	{B314DF08-525B-48c2-A590-9A6F8ACFD03D}.exe	43
PID 2136 wrote to memory of 640	2136	{214302E1-61E8-4046-88E2-E271FA9BD26D}.exe	44
PID 2136 wrote to memory of 640	2136	{214302E1-61E8-4046-88E2-E271FA9BD26D}.exe	44
PID 2136 wrote to memory of 640	2136	{214302E1-61E8-4046-88E2-E271FA9BD26D}.exe	44
PID 2136 wrote to memory of 640	2136	{214302E1-61E8-4046-88E2-E271FA9BD26D}.exe	44
PID 2136 wrote to memory of 1112	2136	{214302E1-61E8-4046-88E2-E271FA9BD26D}.exe	45
PID 2136 wrote to memory of 1112	2136	{214302E1-61E8-4046-88E2-E271FA9BD26D}.exe	45
PID 2136 wrote to memory of 1112	2136	{214302E1-61E8-4046-88E2-E271FA9BD26D}.exe	45
PID 2136 wrote to memory of 1112	2136	{214302E1-61E8-4046-88E2-E271FA9BD26D}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-03-12_024687052e95bc586d75402c16e68316_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-12_024687052e95bc586d75402c16e68316_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1444
- C:\Windows\{6BBA6215-B969-4248-83B5-F24BEC8033CC}.exe
  C:\Windows\{6BBA6215-B969-4248-83B5-F24BEC8033CC}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2928
- - C:\Windows\{8889D0BB-B802-4b2a-93B3-B30E67EB8690}.exe
    C:\Windows\{8889D0BB-B802-4b2a-93B3-B30E67EB8690}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2556
  - - C:\Windows\{A16244F3-8924-4414-B272-04A52481B9C2}.exe
      C:\Windows\{A16244F3-8924-4414-B272-04A52481B9C2}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2400
    - - C:\Windows\{6540DEF6-B990-4ddf-84B2-C589F3ED1E60}.exe
        
        C:\Windows\{6540DEF6-B990-4ddf-84B2-C589F3ED1E60}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2420
      - C:\Windows\{63019F40-EA67-45b1-8AC7-FB2B3555E620}.exe
        
        C:\Windows\{63019F40-EA67-45b1-8AC7-FB2B3555E620}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2908
        
        C:\Windows\{B314DF08-525B-48c2-A590-9A6F8ACFD03D}.exe
        
        C:\Windows\{B314DF08-525B-48c2-A590-9A6F8ACFD03D}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2316
        
        C:\Windows\{214302E1-61E8-4046-88E2-E271FA9BD26D}.exe
        
        C:\Windows\{214302E1-61E8-4046-88E2-E271FA9BD26D}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2136
        
        C:\Windows\{065266C6-54CC-47e5-BEAC-AB79A808236C}.exe
        
        C:\Windows\{065266C6-54CC-47e5-BEAC-AB79A808236C}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:640
        
        C:\Windows\{C94845C6-ACFB-48e6-A023-8C106C5453A1}.exe
        
        C:\Windows\{C94845C6-ACFB-48e6-A023-8C106C5453A1}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1328
        
        C:\Windows\{3CEC4B0C-51BE-47e3-960F-D72FF94AED66}.exe
        
        C:\Windows\{3CEC4B0C-51BE-47e3-960F-D72FF94AED66}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2240
        
        C:\Windows\{DFE25ECF-2D39-47fa-A129-DDEB3C5966EE}.exe
        
        C:\Windows\{DFE25ECF-2D39-47fa-A129-DDEB3C5966EE}.exe
        12⤵
        Executes dropped EXE
        
        PID:2992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3CEC4~1.EXE > nul
        12⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C9484~1.EXE > nul
        11⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{06526~1.EXE > nul
        10⤵
        
        PID:1228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{21430~1.EXE > nul
        9⤵
        
        PID:1112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B314D~1.EXE > nul
        8⤵
        
        PID:796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{63019~1.EXE > nul
        7⤵
        
        PID:1996
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6540D~1.EXE > nul
        6⤵
        
        PID:2888
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A1624~1.EXE > nul
        5⤵
        
        PID:2148
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{8889D~1.EXE > nul
      4⤵
      PID:2480
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{6BBA6~1.EXE > nul
    3⤵
    PID:2536
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:3000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{065266C6-54CC-47e5-BEAC-AB79A808236C}.exe

Filesize
168KB

MD5
762d1ae1a2ca77d971bab595ec4de30a

SHA1
ce981fbc2674cdc632b99c22041a3064c7dba3c7

SHA256
11eaf0d08be5bb59d9f02cf35da7e030e446123860040753fc6f6da6af4ca47d

SHA512
90e924b695e4221a51d6f7499620e4e2bc52dcfa31e0aa3862187a038a554ca72ec26a2db9caef51347170c13680eb422e89732d652304edd4bb38ebb4f631bd

Download Submit
C:\Windows\{214302E1-61E8-4046-88E2-E271FA9BD26D}.exe

Filesize
168KB

MD5
4a4902f619190b5c5e635a58b2c2fff7

SHA1
b28ad28d974995590d49d59e161817e9412c325b

SHA256
7663e6c9bbc4ff1f356d6e3ff58ecfb6afaa840896f523056be66859232bd180

SHA512
38d4eb6e07bc96bc37fd8b47286c5a24cf12598dd82fab3a5b7e0d69f75217119a15666cf048de6888d5366bf5949e7d6d389fc903bc0505813d26a9b84a0bde

Download Submit
C:\Windows\{3CEC4B0C-51BE-47e3-960F-D72FF94AED66}.exe

Filesize
168KB

MD5
ba4d721af3b73c103ec483b0b20fc008

SHA1
ef26c772b091e633ae4444fbbb87be7d1e80b9a0

SHA256
644321e2da6bffeb78dd854a6c568300b879856540f2b1dd16a75ad5a5c55861

SHA512
9996324c86757eeab833fe20ffde3bd84a880dbde33e317fcbc2d7a28715c9c2b2d8f8b44fec6577858640348fa1e62035679cfab2c45e6f0082efb35af8fade

Download Submit
C:\Windows\{63019F40-EA67-45b1-8AC7-FB2B3555E620}.exe

Filesize
168KB

MD5
20861abf0e8730557f799a255efbecfd

SHA1
dbf001277f0b213ee004f648f263620cd68349cf

SHA256
9446dca0c25213439b5fc627052675b3c99acc1524409b0b81e11b16e0b35d9c

SHA512
564f158a931b4c5840ce0375f0633b71a68dfd7f52e8c27863ca750ed2a271e6d97795e9a2aee27fa28cda2f0941109cfb7bbda344088edbbce495419ecb3735

Download Submit
C:\Windows\{6540DEF6-B990-4ddf-84B2-C589F3ED1E60}.exe

Filesize
168KB

MD5
ad15cf42c0d393d30b1e10563edd789d

SHA1
ab0e4165d420bf5d0edc78690696766a7ae01c00

SHA256
76bbe17e2a7e04beffe651d4dcde1df8e9918ef4bb7af7c600ecc3647148d2fb

SHA512
203026541f6cafc994c8d3d22fa038f73c4f6a8a587f8a598511321ad419eb70fbfc5ad63736df53bfe70cf4e08640c5bfe9e69c15943f6d42f094d12f7f251b

Download Submit
C:\Windows\{6BBA6215-B969-4248-83B5-F24BEC8033CC}.exe

Filesize
168KB

MD5
bd32ff4596062bd014a4a51d80a473f4

SHA1
d3b2bb04a36ad2b0bde7cb173bd2983265dcd99f

SHA256
af2807731eac9d7a5b46845dd4a51dcf75562d40e268c52a8205b4ecb27af137

SHA512
1a01c4807bba9a0c9ba780dda879f5139dd56315307b56f25a6a4eadb78fb8a2daa7fab85a6ef751dd59f8da08e02e4e93e1daa0f93dfee062f66be84ce089ac

Download Submit
C:\Windows\{8889D0BB-B802-4b2a-93B3-B30E67EB8690}.exe

Filesize
168KB

MD5
6d5772f791dcae6aa15f30e5b7d8d474

SHA1
78bc6137c208e806baeb0b668624192468bafd64

SHA256
7e4bf207947e96be39c1879a8d0b816c3bd8b355d079e6bcfaf932afa3f6376d

SHA512
b215611ed4d867dcc2b99885813fa8fece01760609b7a88843428f4eee847c00c75d6a7e5d579d18091cab722ad7c2c74fc11f690ed8ce4ad90452e5817a23af

Download Submit
C:\Windows\{A16244F3-8924-4414-B272-04A52481B9C2}.exe

Filesize
168KB

MD5
00e781a2e0ace4e43d3ca98b2d09a045

SHA1
335c8f7962725a3ee3df3a01d3702ddaf4079cba

SHA256
d999083dc15f3ec03884bb174bf4fafae33ad1105d2cbf6d7d70d89afadf022b

SHA512
de1124814f7850ce9cd4b2e826b23e7d7772142ea959b76bb6288b3282d38b27c57354e98fe10f8c47dba57d57b856eb2c3073ffa78ea5ffc31306ce6f1b2e39

Download Submit
C:\Windows\{B314DF08-525B-48c2-A590-9A6F8ACFD03D}.exe

Filesize
168KB

MD5
8c1ab7a9148e7d2fd49290536e375451

SHA1
956696e2055e50cab3774af0329e9293754eba08

SHA256
21d7c5c7a605493dea0446f50c59dc8447470634fcf1e62ac5d0d5cb202f4c79

SHA512
61906c41eb13eb9f80b0fee89cb98d58f13d8a74befdcc1bf99baf3ecb5d8c71458faa2ab639fee7d39501573e452c98e115449b56103c10ac961ba72bef27a4

Download Submit
C:\Windows\{C94845C6-ACFB-48e6-A023-8C106C5453A1}.exe

Filesize
168KB

MD5
6453d6003a3b872b3c682473a0ebc16d

SHA1
12e5be814e5f0ce9644a93d2bdfd238e7c81737c

SHA256
a4bfd0b3c508beb03731bc0f4257418f8f08661e823b0ebe5648fdea50a55606

SHA512
ef47197b8e734940b343a9f5cb81f928dc0b0f5a10bf0ae4231a1f0ab9cee56fc7b477ed78ba2feb9b6de3e91a139bf773c2ee7142ec885ba5fe7af3ae6e268f

Download Submit
C:\Windows\{DFE25ECF-2D39-47fa-A129-DDEB3C5966EE}.exe

Filesize
168KB

MD5
f66923a9096e334c47c75ffa1f2bbdfd

SHA1
73529da5b29752353e6dc1f49ccfcf937bb3c14b

SHA256
8c0993611fb51852f4f891aa0c1b8de734308cc66c6b2552356a04044a4f1968

SHA512
e698f0958d9387e95634e3296b7899c4b06cdee02f69a87fde5b10eeb1a1b5b4776aae4ecadc364dd0b6ae83655ac02e449467bb6eb8fda1cc708b797b98c579

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads