780a367303c1347467dc3cf254266ae6ea92ae1bffcb52daa3842c978e1c0226

Analysis

max time kernel
144s
max time network
125s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
14/03/2024, 18:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-14_711053a156c1a8216c0842ffe36b5a79_goldeneye.exe
Size

344KB
MD5

711053a156c1a8216c0842ffe36b5a79
SHA1

c56a383e8ff9ab7ffc211d3b129d22f9a9e532f9
SHA256

780a367303c1347467dc3cf254266ae6ea92ae1bffcb52daa3842c978e1c0226
SHA512

260573f17e7eadb9bfe1ca26edc3f0306536297f326b78305d2d808b1ad620615b0298247d8d2107bab80b15e0e6008b57012ee56720405240995177fce18fbb
SSDEEP

3072:mEGh0odlEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGjlqOe2MUVg3v2IneKcAEcA

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x0009000000012272-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002200000001559a-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a000000012272-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000900000000f6f2-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b000000012272-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a00000000f6f2-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000012272-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b00000000f6f2-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000012272-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c00000000f6f2-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e000000012272-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{96596B21-8786-4fe1-853F-F503C99C7CC7}	{B5E25720-D138-4cd3-AC05-446CF368FC7D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{96596B21-8786-4fe1-853F-F503C99C7CC7}\stubpath = "C:\\Windows\\{96596B21-8786-4fe1-853F-F503C99C7CC7}.exe"	{B5E25720-D138-4cd3-AC05-446CF368FC7D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D85695DB-ACFD-407f-887B-FD0F1C2B45EB}\stubpath = "C:\\Windows\\{D85695DB-ACFD-407f-887B-FD0F1C2B45EB}.exe"	2024-03-14_711053a156c1a8216c0842ffe36b5a79_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{238BC59F-FDEA-4873-A1ED-063B98D9BCE7}	{D85695DB-ACFD-407f-887B-FD0F1C2B45EB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{238BC59F-FDEA-4873-A1ED-063B98D9BCE7}\stubpath = "C:\\Windows\\{238BC59F-FDEA-4873-A1ED-063B98D9BCE7}.exe"	{D85695DB-ACFD-407f-887B-FD0F1C2B45EB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FB1A266C-DE36-4fa3-9528-759B076423C9}	{238BC59F-FDEA-4873-A1ED-063B98D9BCE7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E151B4B6-46CB-423a-8E1A-B16608642142}	{F6A9386E-3D00-47ce-BE12-121658220C09}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E151B4B6-46CB-423a-8E1A-B16608642142}\stubpath = "C:\\Windows\\{E151B4B6-46CB-423a-8E1A-B16608642142}.exe"	{F6A9386E-3D00-47ce-BE12-121658220C09}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{606BA448-3259-4599-96BF-162355AD792C}\stubpath = "C:\\Windows\\{606BA448-3259-4599-96BF-162355AD792C}.exe"	{FB1A266C-DE36-4fa3-9528-759B076423C9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F6A9386E-3D00-47ce-BE12-121658220C09}	{2AB169A6-2854-46fb-92A4-EF886CF43B3E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2B2F729C-FF37-4ee8-8D25-7FCBD42AF9FE}\stubpath = "C:\\Windows\\{2B2F729C-FF37-4ee8-8D25-7FCBD42AF9FE}.exe"	{96596B21-8786-4fe1-853F-F503C99C7CC7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9E853E89-5169-4cd1-9706-4F15C4D653FF}	{2B2F729C-FF37-4ee8-8D25-7FCBD42AF9FE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D85695DB-ACFD-407f-887B-FD0F1C2B45EB}	2024-03-14_711053a156c1a8216c0842ffe36b5a79_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F6A9386E-3D00-47ce-BE12-121658220C09}\stubpath = "C:\\Windows\\{F6A9386E-3D00-47ce-BE12-121658220C09}.exe"	{2AB169A6-2854-46fb-92A4-EF886CF43B3E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B5E25720-D138-4cd3-AC05-446CF368FC7D}	{E151B4B6-46CB-423a-8E1A-B16608642142}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2B2F729C-FF37-4ee8-8D25-7FCBD42AF9FE}	{96596B21-8786-4fe1-853F-F503C99C7CC7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9E853E89-5169-4cd1-9706-4F15C4D653FF}\stubpath = "C:\\Windows\\{9E853E89-5169-4cd1-9706-4F15C4D653FF}.exe"	{2B2F729C-FF37-4ee8-8D25-7FCBD42AF9FE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FB1A266C-DE36-4fa3-9528-759B076423C9}\stubpath = "C:\\Windows\\{FB1A266C-DE36-4fa3-9528-759B076423C9}.exe"	{238BC59F-FDEA-4873-A1ED-063B98D9BCE7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{606BA448-3259-4599-96BF-162355AD792C}	{FB1A266C-DE36-4fa3-9528-759B076423C9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2AB169A6-2854-46fb-92A4-EF886CF43B3E}	{606BA448-3259-4599-96BF-162355AD792C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2AB169A6-2854-46fb-92A4-EF886CF43B3E}\stubpath = "C:\\Windows\\{2AB169A6-2854-46fb-92A4-EF886CF43B3E}.exe"	{606BA448-3259-4599-96BF-162355AD792C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B5E25720-D138-4cd3-AC05-446CF368FC7D}\stubpath = "C:\\Windows\\{B5E25720-D138-4cd3-AC05-446CF368FC7D}.exe"	{E151B4B6-46CB-423a-8E1A-B16608642142}.exe

Deletes itself 1 IoCs

pid	Process
3016	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2992	{D85695DB-ACFD-407f-887B-FD0F1C2B45EB}.exe
2552	{238BC59F-FDEA-4873-A1ED-063B98D9BCE7}.exe
2500	{FB1A266C-DE36-4fa3-9528-759B076423C9}.exe
2260	{606BA448-3259-4599-96BF-162355AD792C}.exe
2760	{2AB169A6-2854-46fb-92A4-EF886CF43B3E}.exe
1532	{F6A9386E-3D00-47ce-BE12-121658220C09}.exe
1916	{E151B4B6-46CB-423a-8E1A-B16608642142}.exe
568	{B5E25720-D138-4cd3-AC05-446CF368FC7D}.exe
2892	{96596B21-8786-4fe1-853F-F503C99C7CC7}.exe
2024	{2B2F729C-FF37-4ee8-8D25-7FCBD42AF9FE}.exe
2052	{9E853E89-5169-4cd1-9706-4F15C4D653FF}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{F6A9386E-3D00-47ce-BE12-121658220C09}.exe	{2AB169A6-2854-46fb-92A4-EF886CF43B3E}.exe
File created	C:\Windows\{E151B4B6-46CB-423a-8E1A-B16608642142}.exe	{F6A9386E-3D00-47ce-BE12-121658220C09}.exe
File created	C:\Windows\{96596B21-8786-4fe1-853F-F503C99C7CC7}.exe	{B5E25720-D138-4cd3-AC05-446CF368FC7D}.exe
File created	C:\Windows\{2B2F729C-FF37-4ee8-8D25-7FCBD42AF9FE}.exe	{96596B21-8786-4fe1-853F-F503C99C7CC7}.exe
File created	C:\Windows\{9E853E89-5169-4cd1-9706-4F15C4D653FF}.exe	{2B2F729C-FF37-4ee8-8D25-7FCBD42AF9FE}.exe
File created	C:\Windows\{606BA448-3259-4599-96BF-162355AD792C}.exe	{FB1A266C-DE36-4fa3-9528-759B076423C9}.exe
File created	C:\Windows\{2AB169A6-2854-46fb-92A4-EF886CF43B3E}.exe	{606BA448-3259-4599-96BF-162355AD792C}.exe
File created	C:\Windows\{FB1A266C-DE36-4fa3-9528-759B076423C9}.exe	{238BC59F-FDEA-4873-A1ED-063B98D9BCE7}.exe
File created	C:\Windows\{B5E25720-D138-4cd3-AC05-446CF368FC7D}.exe	{E151B4B6-46CB-423a-8E1A-B16608642142}.exe
File created	C:\Windows\{D85695DB-ACFD-407f-887B-FD0F1C2B45EB}.exe	2024-03-14_711053a156c1a8216c0842ffe36b5a79_goldeneye.exe
File created	C:\Windows\{238BC59F-FDEA-4873-A1ED-063B98D9BCE7}.exe	{D85695DB-ACFD-407f-887B-FD0F1C2B45EB}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2188	2024-03-14_711053a156c1a8216c0842ffe36b5a79_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2992	{D85695DB-ACFD-407f-887B-FD0F1C2B45EB}.exe
Token: SeIncBasePriorityPrivilege	2552	{238BC59F-FDEA-4873-A1ED-063B98D9BCE7}.exe
Token: SeIncBasePriorityPrivilege	2500	{FB1A266C-DE36-4fa3-9528-759B076423C9}.exe
Token: SeIncBasePriorityPrivilege	2260	{606BA448-3259-4599-96BF-162355AD792C}.exe
Token: SeIncBasePriorityPrivilege	2760	{2AB169A6-2854-46fb-92A4-EF886CF43B3E}.exe
Token: SeIncBasePriorityPrivilege	1532	{F6A9386E-3D00-47ce-BE12-121658220C09}.exe
Token: SeIncBasePriorityPrivilege	1916	{E151B4B6-46CB-423a-8E1A-B16608642142}.exe
Token: SeIncBasePriorityPrivilege	568	{B5E25720-D138-4cd3-AC05-446CF368FC7D}.exe
Token: SeIncBasePriorityPrivilege	2892	{96596B21-8786-4fe1-853F-F503C99C7CC7}.exe
Token: SeIncBasePriorityPrivilege	2024	{2B2F729C-FF37-4ee8-8D25-7FCBD42AF9FE}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2188 wrote to memory of 2992	2188	2024-03-14_711053a156c1a8216c0842ffe36b5a79_goldeneye.exe	28
PID 2188 wrote to memory of 2992	2188	2024-03-14_711053a156c1a8216c0842ffe36b5a79_goldeneye.exe	28
PID 2188 wrote to memory of 2992	2188	2024-03-14_711053a156c1a8216c0842ffe36b5a79_goldeneye.exe	28
PID 2188 wrote to memory of 2992	2188	2024-03-14_711053a156c1a8216c0842ffe36b5a79_goldeneye.exe	28
PID 2188 wrote to memory of 3016	2188	2024-03-14_711053a156c1a8216c0842ffe36b5a79_goldeneye.exe	29
PID 2188 wrote to memory of 3016	2188	2024-03-14_711053a156c1a8216c0842ffe36b5a79_goldeneye.exe	29
PID 2188 wrote to memory of 3016	2188	2024-03-14_711053a156c1a8216c0842ffe36b5a79_goldeneye.exe	29
PID 2188 wrote to memory of 3016	2188	2024-03-14_711053a156c1a8216c0842ffe36b5a79_goldeneye.exe	29
PID 2992 wrote to memory of 2552	2992	{D85695DB-ACFD-407f-887B-FD0F1C2B45EB}.exe	30
PID 2992 wrote to memory of 2552	2992	{D85695DB-ACFD-407f-887B-FD0F1C2B45EB}.exe	30
PID 2992 wrote to memory of 2552	2992	{D85695DB-ACFD-407f-887B-FD0F1C2B45EB}.exe	30
PID 2992 wrote to memory of 2552	2992	{D85695DB-ACFD-407f-887B-FD0F1C2B45EB}.exe	30
PID 2992 wrote to memory of 2684	2992	{D85695DB-ACFD-407f-887B-FD0F1C2B45EB}.exe	31
PID 2992 wrote to memory of 2684	2992	{D85695DB-ACFD-407f-887B-FD0F1C2B45EB}.exe	31
PID 2992 wrote to memory of 2684	2992	{D85695DB-ACFD-407f-887B-FD0F1C2B45EB}.exe	31
PID 2992 wrote to memory of 2684	2992	{D85695DB-ACFD-407f-887B-FD0F1C2B45EB}.exe	31
PID 2552 wrote to memory of 2500	2552	{238BC59F-FDEA-4873-A1ED-063B98D9BCE7}.exe	34
PID 2552 wrote to memory of 2500	2552	{238BC59F-FDEA-4873-A1ED-063B98D9BCE7}.exe	34
PID 2552 wrote to memory of 2500	2552	{238BC59F-FDEA-4873-A1ED-063B98D9BCE7}.exe	34
PID 2552 wrote to memory of 2500	2552	{238BC59F-FDEA-4873-A1ED-063B98D9BCE7}.exe	34
PID 2552 wrote to memory of 2964	2552	{238BC59F-FDEA-4873-A1ED-063B98D9BCE7}.exe	35
PID 2552 wrote to memory of 2964	2552	{238BC59F-FDEA-4873-A1ED-063B98D9BCE7}.exe	35
PID 2552 wrote to memory of 2964	2552	{238BC59F-FDEA-4873-A1ED-063B98D9BCE7}.exe	35
PID 2552 wrote to memory of 2964	2552	{238BC59F-FDEA-4873-A1ED-063B98D9BCE7}.exe	35
PID 2500 wrote to memory of 2260	2500	{FB1A266C-DE36-4fa3-9528-759B076423C9}.exe	36
PID 2500 wrote to memory of 2260	2500	{FB1A266C-DE36-4fa3-9528-759B076423C9}.exe	36
PID 2500 wrote to memory of 2260	2500	{FB1A266C-DE36-4fa3-9528-759B076423C9}.exe	36
PID 2500 wrote to memory of 2260	2500	{FB1A266C-DE36-4fa3-9528-759B076423C9}.exe	36
PID 2500 wrote to memory of 588	2500	{FB1A266C-DE36-4fa3-9528-759B076423C9}.exe	37
PID 2500 wrote to memory of 588	2500	{FB1A266C-DE36-4fa3-9528-759B076423C9}.exe	37
PID 2500 wrote to memory of 588	2500	{FB1A266C-DE36-4fa3-9528-759B076423C9}.exe	37
PID 2500 wrote to memory of 588	2500	{FB1A266C-DE36-4fa3-9528-759B076423C9}.exe	37
PID 2260 wrote to memory of 2760	2260	{606BA448-3259-4599-96BF-162355AD792C}.exe	38
PID 2260 wrote to memory of 2760	2260	{606BA448-3259-4599-96BF-162355AD792C}.exe	38
PID 2260 wrote to memory of 2760	2260	{606BA448-3259-4599-96BF-162355AD792C}.exe	38
PID 2260 wrote to memory of 2760	2260	{606BA448-3259-4599-96BF-162355AD792C}.exe	38
PID 2260 wrote to memory of 2788	2260	{606BA448-3259-4599-96BF-162355AD792C}.exe	39
PID 2260 wrote to memory of 2788	2260	{606BA448-3259-4599-96BF-162355AD792C}.exe	39
PID 2260 wrote to memory of 2788	2260	{606BA448-3259-4599-96BF-162355AD792C}.exe	39
PID 2260 wrote to memory of 2788	2260	{606BA448-3259-4599-96BF-162355AD792C}.exe	39
PID 2760 wrote to memory of 1532	2760	{2AB169A6-2854-46fb-92A4-EF886CF43B3E}.exe	40
PID 2760 wrote to memory of 1532	2760	{2AB169A6-2854-46fb-92A4-EF886CF43B3E}.exe	40
PID 2760 wrote to memory of 1532	2760	{2AB169A6-2854-46fb-92A4-EF886CF43B3E}.exe	40
PID 2760 wrote to memory of 1532	2760	{2AB169A6-2854-46fb-92A4-EF886CF43B3E}.exe	40
PID 2760 wrote to memory of 1292	2760	{2AB169A6-2854-46fb-92A4-EF886CF43B3E}.exe	41
PID 2760 wrote to memory of 1292	2760	{2AB169A6-2854-46fb-92A4-EF886CF43B3E}.exe	41
PID 2760 wrote to memory of 1292	2760	{2AB169A6-2854-46fb-92A4-EF886CF43B3E}.exe	41
PID 2760 wrote to memory of 1292	2760	{2AB169A6-2854-46fb-92A4-EF886CF43B3E}.exe	41
PID 1532 wrote to memory of 1916	1532	{F6A9386E-3D00-47ce-BE12-121658220C09}.exe	42
PID 1532 wrote to memory of 1916	1532	{F6A9386E-3D00-47ce-BE12-121658220C09}.exe	42
PID 1532 wrote to memory of 1916	1532	{F6A9386E-3D00-47ce-BE12-121658220C09}.exe	42
PID 1532 wrote to memory of 1916	1532	{F6A9386E-3D00-47ce-BE12-121658220C09}.exe	42
PID 1532 wrote to memory of 2268	1532	{F6A9386E-3D00-47ce-BE12-121658220C09}.exe	43
PID 1532 wrote to memory of 2268	1532	{F6A9386E-3D00-47ce-BE12-121658220C09}.exe	43
PID 1532 wrote to memory of 2268	1532	{F6A9386E-3D00-47ce-BE12-121658220C09}.exe	43
PID 1532 wrote to memory of 2268	1532	{F6A9386E-3D00-47ce-BE12-121658220C09}.exe	43
PID 1916 wrote to memory of 568	1916	{E151B4B6-46CB-423a-8E1A-B16608642142}.exe	44
PID 1916 wrote to memory of 568	1916	{E151B4B6-46CB-423a-8E1A-B16608642142}.exe	44
PID 1916 wrote to memory of 568	1916	{E151B4B6-46CB-423a-8E1A-B16608642142}.exe	44
PID 1916 wrote to memory of 568	1916	{E151B4B6-46CB-423a-8E1A-B16608642142}.exe	44
PID 1916 wrote to memory of 2492	1916	{E151B4B6-46CB-423a-8E1A-B16608642142}.exe	45
PID 1916 wrote to memory of 2492	1916	{E151B4B6-46CB-423a-8E1A-B16608642142}.exe	45
PID 1916 wrote to memory of 2492	1916	{E151B4B6-46CB-423a-8E1A-B16608642142}.exe	45
PID 1916 wrote to memory of 2492	1916	{E151B4B6-46CB-423a-8E1A-B16608642142}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-03-14_711053a156c1a8216c0842ffe36b5a79_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-14_711053a156c1a8216c0842ffe36b5a79_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2188
- C:\Windows\{D85695DB-ACFD-407f-887B-FD0F1C2B45EB}.exe
  C:\Windows\{D85695DB-ACFD-407f-887B-FD0F1C2B45EB}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2992
- - C:\Windows\{238BC59F-FDEA-4873-A1ED-063B98D9BCE7}.exe
    C:\Windows\{238BC59F-FDEA-4873-A1ED-063B98D9BCE7}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2552
  - - C:\Windows\{FB1A266C-DE36-4fa3-9528-759B076423C9}.exe
      C:\Windows\{FB1A266C-DE36-4fa3-9528-759B076423C9}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2500
    - - C:\Windows\{606BA448-3259-4599-96BF-162355AD792C}.exe
        
        C:\Windows\{606BA448-3259-4599-96BF-162355AD792C}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2260
      - C:\Windows\{2AB169A6-2854-46fb-92A4-EF886CF43B3E}.exe
        
        C:\Windows\{2AB169A6-2854-46fb-92A4-EF886CF43B3E}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2760
        
        C:\Windows\{F6A9386E-3D00-47ce-BE12-121658220C09}.exe
        
        C:\Windows\{F6A9386E-3D00-47ce-BE12-121658220C09}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1532
        
        C:\Windows\{E151B4B6-46CB-423a-8E1A-B16608642142}.exe
        
        C:\Windows\{E151B4B6-46CB-423a-8E1A-B16608642142}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1916
        
        C:\Windows\{B5E25720-D138-4cd3-AC05-446CF368FC7D}.exe
        
        C:\Windows\{B5E25720-D138-4cd3-AC05-446CF368FC7D}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:568
        
        C:\Windows\{96596B21-8786-4fe1-853F-F503C99C7CC7}.exe
        
        C:\Windows\{96596B21-8786-4fe1-853F-F503C99C7CC7}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2892
        
        C:\Windows\{2B2F729C-FF37-4ee8-8D25-7FCBD42AF9FE}.exe
        
        C:\Windows\{2B2F729C-FF37-4ee8-8D25-7FCBD42AF9FE}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2024
        
        C:\Windows\{9E853E89-5169-4cd1-9706-4F15C4D653FF}.exe
        
        C:\Windows\{9E853E89-5169-4cd1-9706-4F15C4D653FF}.exe
        12⤵
        Executes dropped EXE
        
        PID:2052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2B2F7~1.EXE > nul
        12⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{96596~1.EXE > nul
        11⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B5E25~1.EXE > nul
        10⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E151B~1.EXE > nul
        9⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F6A93~1.EXE > nul
        8⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2AB16~1.EXE > nul
        7⤵
        
        PID:1292
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{606BA~1.EXE > nul
        6⤵
        
        PID:2788
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FB1A2~1.EXE > nul
        5⤵
        
        PID:588
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{238BC~1.EXE > nul
      4⤵
      PID:2964
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{D8569~1.EXE > nul
    3⤵
    PID:2684
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:3016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{238BC59F-FDEA-4873-A1ED-063B98D9BCE7}.exe

Filesize
344KB

MD5
2e42b354e54978ba1eea05f0ea9131dd

SHA1
72e7d85570e11a50490ca88aba040e64a8af31b8

SHA256
2f1b3be38d41307cc9c29a86149197d5ebec9528c983fbcbdd2ce3fed0a039db

SHA512
8046a2ce495a95834121720cd7c41aa0d8614a361ecd2d432f8e181b5520e54080a7837a595f5e1a7b507d0222a2bde624cbc5e066d998b57d08e8cc1b40daa2

Download Submit
C:\Windows\{2AB169A6-2854-46fb-92A4-EF886CF43B3E}.exe

Filesize
344KB

MD5
7a09b8c58a045859acaebb746e073d40

SHA1
05bdce14f0b894a50482291e2fb9a62670f8ca9f

SHA256
c7e38b70ccf57f64e5d8a14e5421b920332a4ea03b17ef57e0536067aae9789c

SHA512
702bbfcc92c285e4e31ccf81b9248b896347994401bf2265c6bdab24c6273dde9bee3ba72b8e70916e4090655e45c83a8aa328e431429560c81067e97574ec9e

Download Submit
C:\Windows\{2B2F729C-FF37-4ee8-8D25-7FCBD42AF9FE}.exe

Filesize
344KB

MD5
5fe8ae8f61e6f79e90a99bae3977d1d8

SHA1
a28159ed946666d3f49b555caf6823a3e02751ac

SHA256
ca9ea61fa0ed5081640adb5e0871000cc2b75bda8c5b17c0afc254d3edd501d0

SHA512
f076711bfaf848fac2556a1917e4452c1d02e3a79ce0fd3a2b57022635620a9336c872514f003c07cf7ef6356bac0bca1dfb12bff16ac0ac1a9a2ebfbe8543eb

Download Submit
C:\Windows\{606BA448-3259-4599-96BF-162355AD792C}.exe

Filesize
344KB

MD5
5532e372f36f166d5d90eb1ca59aa782

SHA1
5c6d95c35e23620af72598fddfb915e397287cc2

SHA256
fa07023b095a9040dd3ad3f0a51a4369df9e31a8051e123d2249fc77aa6eda9c

SHA512
fbc7a64871d042d4d58b1874c5151bc2852c76e44d4b0c04c8f8be23d12be9805d04938ab9e3c7009a555123791482c4b2ec89725243e6ada04c6d806570a854

Download Submit
C:\Windows\{96596B21-8786-4fe1-853F-F503C99C7CC7}.exe

Filesize
344KB

MD5
98eacf11cc9b9d248d16fe60deb41cc5

SHA1
02d2e5c1002d4c0f47afd814c2b32483ffe002be

SHA256
d3a23f79480a21bcc2cf9dd69d8be72c257a3a22b0bb95b398eb56e4a59bb18d

SHA512
d07890198488358d82df542a71e4ddadee79d553b8a293898c74319d7837b5d98dd084afbc520c734bb534f41ed2035329003d269f1bec3612b937225b7ef2e1

Download Submit
C:\Windows\{9E853E89-5169-4cd1-9706-4F15C4D653FF}.exe

Filesize
344KB

MD5
bbccd3bec6401c59e7974bf3b1226ece

SHA1
c42fc9d9ba884294836fc9fcd4fd7c0fd636ad3c

SHA256
56d5137ab079e3f04b4e6c4f15fc68f61e77e7fdc609682fdeedb4d30e87cf33

SHA512
5da7046483119e0d028b1482294a0da466a0095829b68531e46a7bbf7c523865c7df29d16358fc987adac56fbe097832d815b36a6f7df03d4d2739218b1bb65e

Download Submit
C:\Windows\{B5E25720-D138-4cd3-AC05-446CF368FC7D}.exe

Filesize
344KB

MD5
d52b18c90cd2fd4dc131072e6af95cba

SHA1
841bc95554ce8060d776c9ac463659e6ce8c8bef

SHA256
55451631366d4b1a02e6458f81b1b1f7f3412ea5baffbd79f55cad80a915dd59

SHA512
f42eb7c74043b075f16c1190fb9b6fd91734ba0cad5f0bac785d87b75135558a6c4d66f9f79a39daed561c70c2b38b47b481e5751eabcb280f14579ba9ff55b1

Download Submit
C:\Windows\{D85695DB-ACFD-407f-887B-FD0F1C2B45EB}.exe

Filesize
344KB

MD5
7884a5701428c7616bc749d172449908

SHA1
872faaf4bf9a174cf9b0994c5239027586394bf9

SHA256
ae09af8e5691453bea813a3d6ff9120388d061c40a23f4e4dc8e49e9a47536f2

SHA512
f9a6517b17b36b8dbda43f2cebb2162a143ecafb8012568d9d30bda2fa80240de8dc1e350461fd5c895374a16068272ef1e3f8555a1b6145c51a1101c3d407d7

Download Submit
C:\Windows\{E151B4B6-46CB-423a-8E1A-B16608642142}.exe

Filesize
344KB

MD5
cf3b27cb0c10f7e0faa4e6f0f976a256

SHA1
833b31332480c587405f78840af3666285d987e3

SHA256
cd2f128c9bfdbbcb93134f8357a9f363c2c0511507480306b62da7442863c625

SHA512
007b3647d5cc0827cef82ad53cc380a955491cc7435fb7c5f660f109f101285b7b8a684185b16fa2e02b385e51af413a184c0db83240cbb2219513528c09a050

Download Submit
C:\Windows\{F6A9386E-3D00-47ce-BE12-121658220C09}.exe

Filesize
344KB

MD5
ccf0a1708da78f35dcb45ae0fa0d276b

SHA1
b7e2450299481f8c73ed19ff33ac67b355e3fd6d

SHA256
2c089f2dbb5f91d323ad5dec8201f17ee05c286f817c0fa59a519735f67ddcb8

SHA512
91a459dbeae859900ddad33426f315b534fe030ee43d590458cccf345e8ee92ff45302caf2ddf52d2f714ecbc44d91756353259963b33c67cb2fbf0a9662269b

Download Submit
C:\Windows\{FB1A266C-DE36-4fa3-9528-759B076423C9}.exe

Filesize
344KB

MD5
c47aeba804ad3d84082325a2a0a58eb3

SHA1
dd8ab32406d108206202b0bb2d7c7bde8a5fa35d

SHA256
302845f4082e611151aa3422b4188e7c33b781c6491ed6f1b3c06d74e5e5d478

SHA512
198f3296a98023d48b74d5b4503d6275ee886f5ec806c25271780ff2cb88e66aa6898c8a84011451d670d965c32b1d9bcc0809134d3761fe3122a24ee6a763eb

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads