7bee873ddaaf6200100c3af346becd212e72e4f78e22b18a51ff213b1da9440e

Analysis

max time kernel
144s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
19/03/2024, 19:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-19_cba8b929033ac4a50fd2c13612dd56e6_goldeneye.exe
Size

197KB
MD5

cba8b929033ac4a50fd2c13612dd56e6
SHA1

94c8a0eb6aeddbee8de98ab3b4ba39a7529251e4
SHA256

7bee873ddaaf6200100c3af346becd212e72e4f78e22b18a51ff213b1da9440e
SHA512

7f5f2815073dab7e447cf9986bfcf540b8883e697de959cb4f9653b98f0781ee3d882ae10618b134811e3ac8c8fc4cdbf11da5ef2a415966a6ac6a49ce0475a7
SSDEEP

3072:jEGh0o5l+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGzlEeKcAEca

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000b000000014fe1-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00090000000155e2-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f00000000f680-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a0000000155e2-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001000000000f680-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b0000000155e2-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001100000000f680-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c0000000155e2-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001200000000f680-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d0000000155e2-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001300000000f680-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C0DBB633-9B47-4cdf-959F-9750B90EECB6}	{FA3BB6FE-9637-4293-8CFB-DFDCD396566D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E9C72DB3-4BE8-4bf8-9947-94B703278C24}	{C0DBB633-9B47-4cdf-959F-9750B90EECB6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2DA0C9BB-5728-4dde-87C0-919DFA88373B}	2024-03-19_cba8b929033ac4a50fd2c13612dd56e6_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A55880FA-EA29-40fe-A1FD-DD2CEC55120E}	{DD2DF239-B976-4bfe-8F50-A679B9573325}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D7AA0B90-FF92-42b1-8B3A-24024264245F}\stubpath = "C:\\Windows\\{D7AA0B90-FF92-42b1-8B3A-24024264245F}.exe"	{A55880FA-EA29-40fe-A1FD-DD2CEC55120E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{967FC414-5BF9-458b-A57A-0BA1BD1763BB}	{B6F3AD2C-63E8-47e5-B03D-256BA00DE06D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{046E00FC-0BCB-438a-A2AF-BC5F850A787D}\stubpath = "C:\\Windows\\{046E00FC-0BCB-438a-A2AF-BC5F850A787D}.exe"	{967FC414-5BF9-458b-A57A-0BA1BD1763BB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{967FC414-5BF9-458b-A57A-0BA1BD1763BB}\stubpath = "C:\\Windows\\{967FC414-5BF9-458b-A57A-0BA1BD1763BB}.exe"	{B6F3AD2C-63E8-47e5-B03D-256BA00DE06D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FA3BB6FE-9637-4293-8CFB-DFDCD396566D}\stubpath = "C:\\Windows\\{FA3BB6FE-9637-4293-8CFB-DFDCD396566D}.exe"	{046E00FC-0BCB-438a-A2AF-BC5F850A787D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E9C72DB3-4BE8-4bf8-9947-94B703278C24}\stubpath = "C:\\Windows\\{E9C72DB3-4BE8-4bf8-9947-94B703278C24}.exe"	{C0DBB633-9B47-4cdf-959F-9750B90EECB6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DD2DF239-B976-4bfe-8F50-A679B9573325}	{86705CE5-1C80-426c-9C2E-4C19E2536E66}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A55880FA-EA29-40fe-A1FD-DD2CEC55120E}\stubpath = "C:\\Windows\\{A55880FA-EA29-40fe-A1FD-DD2CEC55120E}.exe"	{DD2DF239-B976-4bfe-8F50-A679B9573325}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B6F3AD2C-63E8-47e5-B03D-256BA00DE06D}\stubpath = "C:\\Windows\\{B6F3AD2C-63E8-47e5-B03D-256BA00DE06D}.exe"	{D7AA0B90-FF92-42b1-8B3A-24024264245F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{046E00FC-0BCB-438a-A2AF-BC5F850A787D}	{967FC414-5BF9-458b-A57A-0BA1BD1763BB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FA3BB6FE-9637-4293-8CFB-DFDCD396566D}	{046E00FC-0BCB-438a-A2AF-BC5F850A787D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B6F3AD2C-63E8-47e5-B03D-256BA00DE06D}	{D7AA0B90-FF92-42b1-8B3A-24024264245F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C0DBB633-9B47-4cdf-959F-9750B90EECB6}\stubpath = "C:\\Windows\\{C0DBB633-9B47-4cdf-959F-9750B90EECB6}.exe"	{FA3BB6FE-9637-4293-8CFB-DFDCD396566D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2DA0C9BB-5728-4dde-87C0-919DFA88373B}\stubpath = "C:\\Windows\\{2DA0C9BB-5728-4dde-87C0-919DFA88373B}.exe"	2024-03-19_cba8b929033ac4a50fd2c13612dd56e6_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{86705CE5-1C80-426c-9C2E-4C19E2536E66}	{2DA0C9BB-5728-4dde-87C0-919DFA88373B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{86705CE5-1C80-426c-9C2E-4C19E2536E66}\stubpath = "C:\\Windows\\{86705CE5-1C80-426c-9C2E-4C19E2536E66}.exe"	{2DA0C9BB-5728-4dde-87C0-919DFA88373B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DD2DF239-B976-4bfe-8F50-A679B9573325}\stubpath = "C:\\Windows\\{DD2DF239-B976-4bfe-8F50-A679B9573325}.exe"	{86705CE5-1C80-426c-9C2E-4C19E2536E66}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D7AA0B90-FF92-42b1-8B3A-24024264245F}	{A55880FA-EA29-40fe-A1FD-DD2CEC55120E}.exe

Deletes itself 1 IoCs

pid	Process
1324	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
1216	{2DA0C9BB-5728-4dde-87C0-919DFA88373B}.exe
2488	{86705CE5-1C80-426c-9C2E-4C19E2536E66}.exe
2444	{DD2DF239-B976-4bfe-8F50-A679B9573325}.exe
2388	{A55880FA-EA29-40fe-A1FD-DD2CEC55120E}.exe
2016	{D7AA0B90-FF92-42b1-8B3A-24024264245F}.exe
1212	{B6F3AD2C-63E8-47e5-B03D-256BA00DE06D}.exe
2300	{967FC414-5BF9-458b-A57A-0BA1BD1763BB}.exe
2012	{046E00FC-0BCB-438a-A2AF-BC5F850A787D}.exe
2160	{FA3BB6FE-9637-4293-8CFB-DFDCD396566D}.exe
2656	{C0DBB633-9B47-4cdf-959F-9750B90EECB6}.exe
2636	{E9C72DB3-4BE8-4bf8-9947-94B703278C24}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{2DA0C9BB-5728-4dde-87C0-919DFA88373B}.exe	2024-03-19_cba8b929033ac4a50fd2c13612dd56e6_goldeneye.exe
File created	C:\Windows\{86705CE5-1C80-426c-9C2E-4C19E2536E66}.exe	{2DA0C9BB-5728-4dde-87C0-919DFA88373B}.exe
File created	C:\Windows\{D7AA0B90-FF92-42b1-8B3A-24024264245F}.exe	{A55880FA-EA29-40fe-A1FD-DD2CEC55120E}.exe
File created	C:\Windows\{B6F3AD2C-63E8-47e5-B03D-256BA00DE06D}.exe	{D7AA0B90-FF92-42b1-8B3A-24024264245F}.exe
File created	C:\Windows\{967FC414-5BF9-458b-A57A-0BA1BD1763BB}.exe	{B6F3AD2C-63E8-47e5-B03D-256BA00DE06D}.exe
File created	C:\Windows\{046E00FC-0BCB-438a-A2AF-BC5F850A787D}.exe	{967FC414-5BF9-458b-A57A-0BA1BD1763BB}.exe
File created	C:\Windows\{C0DBB633-9B47-4cdf-959F-9750B90EECB6}.exe	{FA3BB6FE-9637-4293-8CFB-DFDCD396566D}.exe
File created	C:\Windows\{DD2DF239-B976-4bfe-8F50-A679B9573325}.exe	{86705CE5-1C80-426c-9C2E-4C19E2536E66}.exe
File created	C:\Windows\{A55880FA-EA29-40fe-A1FD-DD2CEC55120E}.exe	{DD2DF239-B976-4bfe-8F50-A679B9573325}.exe
File created	C:\Windows\{FA3BB6FE-9637-4293-8CFB-DFDCD396566D}.exe	{046E00FC-0BCB-438a-A2AF-BC5F850A787D}.exe
File created	C:\Windows\{E9C72DB3-4BE8-4bf8-9947-94B703278C24}.exe	{C0DBB633-9B47-4cdf-959F-9750B90EECB6}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2812	2024-03-19_cba8b929033ac4a50fd2c13612dd56e6_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1216	{2DA0C9BB-5728-4dde-87C0-919DFA88373B}.exe
Token: SeIncBasePriorityPrivilege	2488	{86705CE5-1C80-426c-9C2E-4C19E2536E66}.exe
Token: SeIncBasePriorityPrivilege	2444	{DD2DF239-B976-4bfe-8F50-A679B9573325}.exe
Token: SeIncBasePriorityPrivilege	2388	{A55880FA-EA29-40fe-A1FD-DD2CEC55120E}.exe
Token: SeIncBasePriorityPrivilege	2016	{D7AA0B90-FF92-42b1-8B3A-24024264245F}.exe
Token: SeIncBasePriorityPrivilege	1212	{B6F3AD2C-63E8-47e5-B03D-256BA00DE06D}.exe
Token: SeIncBasePriorityPrivilege	2300	{967FC414-5BF9-458b-A57A-0BA1BD1763BB}.exe
Token: SeIncBasePriorityPrivilege	2012	{046E00FC-0BCB-438a-A2AF-BC5F850A787D}.exe
Token: SeIncBasePriorityPrivilege	2160	{FA3BB6FE-9637-4293-8CFB-DFDCD396566D}.exe
Token: SeIncBasePriorityPrivilege	2656	{C0DBB633-9B47-4cdf-959F-9750B90EECB6}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2812 wrote to memory of 1216	2812	2024-03-19_cba8b929033ac4a50fd2c13612dd56e6_goldeneye.exe	28
PID 2812 wrote to memory of 1216	2812	2024-03-19_cba8b929033ac4a50fd2c13612dd56e6_goldeneye.exe	28
PID 2812 wrote to memory of 1216	2812	2024-03-19_cba8b929033ac4a50fd2c13612dd56e6_goldeneye.exe	28
PID 2812 wrote to memory of 1216	2812	2024-03-19_cba8b929033ac4a50fd2c13612dd56e6_goldeneye.exe	28
PID 2812 wrote to memory of 1324	2812	2024-03-19_cba8b929033ac4a50fd2c13612dd56e6_goldeneye.exe	29
PID 2812 wrote to memory of 1324	2812	2024-03-19_cba8b929033ac4a50fd2c13612dd56e6_goldeneye.exe	29
PID 2812 wrote to memory of 1324	2812	2024-03-19_cba8b929033ac4a50fd2c13612dd56e6_goldeneye.exe	29
PID 2812 wrote to memory of 1324	2812	2024-03-19_cba8b929033ac4a50fd2c13612dd56e6_goldeneye.exe	29
PID 1216 wrote to memory of 2488	1216	{2DA0C9BB-5728-4dde-87C0-919DFA88373B}.exe	30
PID 1216 wrote to memory of 2488	1216	{2DA0C9BB-5728-4dde-87C0-919DFA88373B}.exe	30
PID 1216 wrote to memory of 2488	1216	{2DA0C9BB-5728-4dde-87C0-919DFA88373B}.exe	30
PID 1216 wrote to memory of 2488	1216	{2DA0C9BB-5728-4dde-87C0-919DFA88373B}.exe	30
PID 1216 wrote to memory of 2608	1216	{2DA0C9BB-5728-4dde-87C0-919DFA88373B}.exe	31
PID 1216 wrote to memory of 2608	1216	{2DA0C9BB-5728-4dde-87C0-919DFA88373B}.exe	31
PID 1216 wrote to memory of 2608	1216	{2DA0C9BB-5728-4dde-87C0-919DFA88373B}.exe	31
PID 1216 wrote to memory of 2608	1216	{2DA0C9BB-5728-4dde-87C0-919DFA88373B}.exe	31
PID 2488 wrote to memory of 2444	2488	{86705CE5-1C80-426c-9C2E-4C19E2536E66}.exe	34
PID 2488 wrote to memory of 2444	2488	{86705CE5-1C80-426c-9C2E-4C19E2536E66}.exe	34
PID 2488 wrote to memory of 2444	2488	{86705CE5-1C80-426c-9C2E-4C19E2536E66}.exe	34
PID 2488 wrote to memory of 2444	2488	{86705CE5-1C80-426c-9C2E-4C19E2536E66}.exe	34
PID 2488 wrote to memory of 2328	2488	{86705CE5-1C80-426c-9C2E-4C19E2536E66}.exe	35
PID 2488 wrote to memory of 2328	2488	{86705CE5-1C80-426c-9C2E-4C19E2536E66}.exe	35
PID 2488 wrote to memory of 2328	2488	{86705CE5-1C80-426c-9C2E-4C19E2536E66}.exe	35
PID 2488 wrote to memory of 2328	2488	{86705CE5-1C80-426c-9C2E-4C19E2536E66}.exe	35
PID 2444 wrote to memory of 2388	2444	{DD2DF239-B976-4bfe-8F50-A679B9573325}.exe	36
PID 2444 wrote to memory of 2388	2444	{DD2DF239-B976-4bfe-8F50-A679B9573325}.exe	36
PID 2444 wrote to memory of 2388	2444	{DD2DF239-B976-4bfe-8F50-A679B9573325}.exe	36
PID 2444 wrote to memory of 2388	2444	{DD2DF239-B976-4bfe-8F50-A679B9573325}.exe	36
PID 2444 wrote to memory of 2780	2444	{DD2DF239-B976-4bfe-8F50-A679B9573325}.exe	37
PID 2444 wrote to memory of 2780	2444	{DD2DF239-B976-4bfe-8F50-A679B9573325}.exe	37
PID 2444 wrote to memory of 2780	2444	{DD2DF239-B976-4bfe-8F50-A679B9573325}.exe	37
PID 2444 wrote to memory of 2780	2444	{DD2DF239-B976-4bfe-8F50-A679B9573325}.exe	37
PID 2388 wrote to memory of 2016	2388	{A55880FA-EA29-40fe-A1FD-DD2CEC55120E}.exe	38
PID 2388 wrote to memory of 2016	2388	{A55880FA-EA29-40fe-A1FD-DD2CEC55120E}.exe	38
PID 2388 wrote to memory of 2016	2388	{A55880FA-EA29-40fe-A1FD-DD2CEC55120E}.exe	38
PID 2388 wrote to memory of 2016	2388	{A55880FA-EA29-40fe-A1FD-DD2CEC55120E}.exe	38
PID 2388 wrote to memory of 1312	2388	{A55880FA-EA29-40fe-A1FD-DD2CEC55120E}.exe	39
PID 2388 wrote to memory of 1312	2388	{A55880FA-EA29-40fe-A1FD-DD2CEC55120E}.exe	39
PID 2388 wrote to memory of 1312	2388	{A55880FA-EA29-40fe-A1FD-DD2CEC55120E}.exe	39
PID 2388 wrote to memory of 1312	2388	{A55880FA-EA29-40fe-A1FD-DD2CEC55120E}.exe	39
PID 2016 wrote to memory of 1212	2016	{D7AA0B90-FF92-42b1-8B3A-24024264245F}.exe	40
PID 2016 wrote to memory of 1212	2016	{D7AA0B90-FF92-42b1-8B3A-24024264245F}.exe	40
PID 2016 wrote to memory of 1212	2016	{D7AA0B90-FF92-42b1-8B3A-24024264245F}.exe	40
PID 2016 wrote to memory of 1212	2016	{D7AA0B90-FF92-42b1-8B3A-24024264245F}.exe	40
PID 2016 wrote to memory of 1488	2016	{D7AA0B90-FF92-42b1-8B3A-24024264245F}.exe	41
PID 2016 wrote to memory of 1488	2016	{D7AA0B90-FF92-42b1-8B3A-24024264245F}.exe	41
PID 2016 wrote to memory of 1488	2016	{D7AA0B90-FF92-42b1-8B3A-24024264245F}.exe	41
PID 2016 wrote to memory of 1488	2016	{D7AA0B90-FF92-42b1-8B3A-24024264245F}.exe	41
PID 1212 wrote to memory of 2300	1212	{B6F3AD2C-63E8-47e5-B03D-256BA00DE06D}.exe	42
PID 1212 wrote to memory of 2300	1212	{B6F3AD2C-63E8-47e5-B03D-256BA00DE06D}.exe	42
PID 1212 wrote to memory of 2300	1212	{B6F3AD2C-63E8-47e5-B03D-256BA00DE06D}.exe	42
PID 1212 wrote to memory of 2300	1212	{B6F3AD2C-63E8-47e5-B03D-256BA00DE06D}.exe	42
PID 1212 wrote to memory of 2168	1212	{B6F3AD2C-63E8-47e5-B03D-256BA00DE06D}.exe	43
PID 1212 wrote to memory of 2168	1212	{B6F3AD2C-63E8-47e5-B03D-256BA00DE06D}.exe	43
PID 1212 wrote to memory of 2168	1212	{B6F3AD2C-63E8-47e5-B03D-256BA00DE06D}.exe	43
PID 1212 wrote to memory of 2168	1212	{B6F3AD2C-63E8-47e5-B03D-256BA00DE06D}.exe	43
PID 2300 wrote to memory of 2012	2300	{967FC414-5BF9-458b-A57A-0BA1BD1763BB}.exe	44
PID 2300 wrote to memory of 2012	2300	{967FC414-5BF9-458b-A57A-0BA1BD1763BB}.exe	44
PID 2300 wrote to memory of 2012	2300	{967FC414-5BF9-458b-A57A-0BA1BD1763BB}.exe	44
PID 2300 wrote to memory of 2012	2300	{967FC414-5BF9-458b-A57A-0BA1BD1763BB}.exe	44
PID 2300 wrote to memory of 2280	2300	{967FC414-5BF9-458b-A57A-0BA1BD1763BB}.exe	45
PID 2300 wrote to memory of 2280	2300	{967FC414-5BF9-458b-A57A-0BA1BD1763BB}.exe	45
PID 2300 wrote to memory of 2280	2300	{967FC414-5BF9-458b-A57A-0BA1BD1763BB}.exe	45
PID 2300 wrote to memory of 2280	2300	{967FC414-5BF9-458b-A57A-0BA1BD1763BB}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-03-19_cba8b929033ac4a50fd2c13612dd56e6_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-19_cba8b929033ac4a50fd2c13612dd56e6_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2812
- C:\Windows\{2DA0C9BB-5728-4dde-87C0-919DFA88373B}.exe
  C:\Windows\{2DA0C9BB-5728-4dde-87C0-919DFA88373B}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1216
- - C:\Windows\{86705CE5-1C80-426c-9C2E-4C19E2536E66}.exe
    C:\Windows\{86705CE5-1C80-426c-9C2E-4C19E2536E66}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2488
  - - C:\Windows\{DD2DF239-B976-4bfe-8F50-A679B9573325}.exe
      C:\Windows\{DD2DF239-B976-4bfe-8F50-A679B9573325}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2444
    - - C:\Windows\{A55880FA-EA29-40fe-A1FD-DD2CEC55120E}.exe
        
        C:\Windows\{A55880FA-EA29-40fe-A1FD-DD2CEC55120E}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2388
      - C:\Windows\{D7AA0B90-FF92-42b1-8B3A-24024264245F}.exe
        
        C:\Windows\{D7AA0B90-FF92-42b1-8B3A-24024264245F}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2016
        
        C:\Windows\{B6F3AD2C-63E8-47e5-B03D-256BA00DE06D}.exe
        
        C:\Windows\{B6F3AD2C-63E8-47e5-B03D-256BA00DE06D}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1212
        
        C:\Windows\{967FC414-5BF9-458b-A57A-0BA1BD1763BB}.exe
        
        C:\Windows\{967FC414-5BF9-458b-A57A-0BA1BD1763BB}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2300
        
        C:\Windows\{046E00FC-0BCB-438a-A2AF-BC5F850A787D}.exe
        
        C:\Windows\{046E00FC-0BCB-438a-A2AF-BC5F850A787D}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2012
        
        C:\Windows\{FA3BB6FE-9637-4293-8CFB-DFDCD396566D}.exe
        
        C:\Windows\{FA3BB6FE-9637-4293-8CFB-DFDCD396566D}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2160
        
        C:\Windows\{C0DBB633-9B47-4cdf-959F-9750B90EECB6}.exe
        
        C:\Windows\{C0DBB633-9B47-4cdf-959F-9750B90EECB6}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2656
        
        C:\Windows\{E9C72DB3-4BE8-4bf8-9947-94B703278C24}.exe
        
        C:\Windows\{E9C72DB3-4BE8-4bf8-9947-94B703278C24}.exe
        12⤵
        Executes dropped EXE
        
        PID:2636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C0DBB~1.EXE > nul
        12⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FA3BB~1.EXE > nul
        11⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{046E0~1.EXE > nul
        10⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{967FC~1.EXE > nul
        9⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B6F3A~1.EXE > nul
        8⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D7AA0~1.EXE > nul
        7⤵
        
        PID:1488
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A5588~1.EXE > nul
        6⤵
        
        PID:1312
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DD2DF~1.EXE > nul
        5⤵
        
        PID:2780
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{86705~1.EXE > nul
      4⤵
      PID:2328
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{2DA0C~1.EXE > nul
    3⤵
    PID:2608
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:1324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{046E00FC-0BCB-438a-A2AF-BC5F850A787D}.exe

Filesize
197KB

MD5
fcb7728cf77ac516b57b914e616a5a13

SHA1
eef49bb2624ef42dd79c3bba5aae433da8161d0b

SHA256
a0e6cf721a26f44a1efa471520db44e089af7e6ef204ac72b369c4acbf0a39c7

SHA512
51635a4364f2f84e3b3149e28323c02c35607a64aee1ef18c090c65887097a800eb3212336f62a249742874e15683110d246bcd8f5966a42f6103f47abb7e092

Download Submit
C:\Windows\{2DA0C9BB-5728-4dde-87C0-919DFA88373B}.exe

Filesize
197KB

MD5
1fbdf9ab961832b5eda2aff80cfee784

SHA1
5b9f1deaa4cf807a7a0f1666971138029ee09796

SHA256
d5b9de98e1a20d71848e18db203b08777e694c5cc994cabd846e8866c8df066f

SHA512
f6f6227536edd3266015dc41ae4e21180baa0156c310181b682a289d79b87f38daf477684f20b71b1c519fb5497e91c0620975bf99add36ec565ad5fcbf511c2

Download Submit
C:\Windows\{86705CE5-1C80-426c-9C2E-4C19E2536E66}.exe

Filesize
197KB

MD5
febf66bdb8b206b1054b0c52da1e0a62

SHA1
bc4db96d78c6272360295fc3b4a4bb0211121f31

SHA256
8a4ea2fe924b391c974f75dc78a4045e295892081eca46e62be366f70916827c

SHA512
72781afc24f910d49b269aeef848ce2f49abc42c3f319558ebf28c1ebcb05713cdaec5d7b2d1c0aa71b2b8a1a172664356052b280ddf6975a4803cfc5d296b59

Download Submit
C:\Windows\{967FC414-5BF9-458b-A57A-0BA1BD1763BB}.exe

Filesize
197KB

MD5
d43c82d13e6fe05e26eb7387ae161ea1

SHA1
c8a5df7a2d2b089f074d6616a1817dc21f80c450

SHA256
aff855900686290523df5beb670851def8329ea8bb23f213c8fa60dce3caaf08

SHA512
970c668f6105ecb5128645b90a702eba6191e71ee46a2edc8d71050fab72bd36c92fdca593f56bcadff3a426d89adbda69344df174e22f784d99368b4489316d

Download Submit
C:\Windows\{A55880FA-EA29-40fe-A1FD-DD2CEC55120E}.exe

Filesize
197KB

MD5
51a861c5763b736eb1723c3cd65cc301

SHA1
0cb55bbabbea5512475ff973833f8f1f907b537f

SHA256
f4e41e520fa07fd99ce72504bddaf0fb784d1cc0cdfe440cfcf5c44fba9677de

SHA512
d29adfbfa1bffad9635a0dca25e7b41cfa647d934313f9f45e4f16db42f811e16a5b7943de86de2de52cd2a7c43ef1c76811b73664d8cfc069e15f7e06e82d56

Download Submit
C:\Windows\{B6F3AD2C-63E8-47e5-B03D-256BA00DE06D}.exe

Filesize
197KB

MD5
d52605f1671b1daced22089b11965cd4

SHA1
c59a0fe488e56b7a37859c2e88336b8573000af7

SHA256
cc2efaf9acacf40c9124083a54176639a78914a0dd79a4886ce90640c65d514c

SHA512
9d33bffbe09ef9f782539d03bc35d4cd21484c2027bce31fb6162a6222cb84fcdd7c0bc79fc356be10b48204aa97c8ea9e6abdafb9524bfa4a7a4099c19929d3

Download Submit
C:\Windows\{C0DBB633-9B47-4cdf-959F-9750B90EECB6}.exe

Filesize
197KB

MD5
735b67884316de28dcdd3ea979b819c4

SHA1
c0c0a4da2d6344ce1a0465665b31f19145f7f25d

SHA256
84c5d8098db090be9686c4d3785b1efb45639df6a27d681ba5f0b10b377b2599

SHA512
1219f6c0a71498d0f52ef2ff3674af05c6ae800fc878027f54218ccd83bfd7bf6826e98d632e0ad32d421b6207bfe2e50875d4347dab03059dc2679b6a976ad3

Download Submit
C:\Windows\{D7AA0B90-FF92-42b1-8B3A-24024264245F}.exe

Filesize
197KB

MD5
32a94ddc4076beb3ef2110a84955c87e

SHA1
eef75a07cb07f8e74e2d56888be5d2babe99e5f4

SHA256
929810c0dfdeb24ea943bdaebd43e7b3a7c61cc4ae89e34db2660343085dd479

SHA512
d690061519b1d28bf68f2de6485de184c81bcc4d7457d45436e65d93d723a15505003e1f12fc86ac536b2baea071306699f2673ee90b29ccf3ac0d303bb4f2e5

Download Submit
C:\Windows\{DD2DF239-B976-4bfe-8F50-A679B9573325}.exe

Filesize
197KB

MD5
b7ae2731e268000bfbfe5c39949d9659

SHA1
a023a50741122125ec6c380d4acdfbb35452d718

SHA256
d40e4508a07152e2025edb9521666f56b84902b74713584cd9249951c7dd7fad

SHA512
7a9a1e9c9613bb9119866a664e77f2328fbd348b6a5e1ca4bcca931840491a741a30c23fe91345844532eea4904e81a9b2ebf6ce359c51e5d95f674e9b102e41

Download Submit
C:\Windows\{E9C72DB3-4BE8-4bf8-9947-94B703278C24}.exe

Filesize
197KB

MD5
7e9b1230a586ad725a6ccd1e986cba6c

SHA1
514d5b93dd0d3f76a44dd02a6217b95e699c8c3a

SHA256
ad1584d82a97b686a890286b8f22bea2796c6ff44180d7c33069173066e3a0d6

SHA512
142f1cb80fbe04455da2997a06bfea42ebb77b86a6df5c580c3be5cba9e8100648bcc5d937e983ecddc467a0b9f11bb1aee20ca51c7d1e960b550cc93e8ae53d

Download Submit
C:\Windows\{FA3BB6FE-9637-4293-8CFB-DFDCD396566D}.exe

Filesize
197KB

MD5
740f998c5bdd7615718a5470495ee6c1

SHA1
2b821f95134dff13f021f9af411809b037413490

SHA256
e39da3c2d2ad55d2c7590520fb05580a136e104f6110ed1763edbd3f02f21509

SHA512
896168a8bf2f32667852f943022a7bf7c31f892a36e69b49966491490d4b24bb7969f47431ee8200b5082c08351c672cccf6ff6517f410ad47865c2a2323b5c4

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads