6238eb1fa499270e786624d44452013e6f8f1e0f797751926b2abb441a1cbed8

Analysis

max time kernel
144s
max time network
121s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
05/04/2024, 00:51 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-05_a4c266cc954c77f25d03766ddc0020d6_goldeneye.exe
Size

197KB
MD5

a4c266cc954c77f25d03766ddc0020d6
SHA1

d2747f60cd9717c6cd5bc96a5979e7d8ecde906c
SHA256

6238eb1fa499270e786624d44452013e6f8f1e0f797751926b2abb441a1cbed8
SHA512

22ee60ba5519a0a88139b379e2ad0ef10e35d2572c7f0b4734e5bf1360d4cca132ecaf7cc15448eead6360749a422bf81f5a3324c21d0962a30c40ab496cf6ae
SSDEEP

3072:jEGh0o5l+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGblEeKcAEca

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000b000000015df1-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a000000015f7a-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000015df1-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000016a29-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000005a59-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000015df1-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000005a59-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e000000015df1-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000005a59-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f000000015df1-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000005a59-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FE835FF3-BA85-4c92-9061-48E503C4A983}	2024-04-05_a4c266cc954c77f25d03766ddc0020d6_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{75B0544A-7A3F-43f8-ABA3-A9FDEDC56E10}\stubpath = "C:\\Windows\\{75B0544A-7A3F-43f8-ABA3-A9FDEDC56E10}.exe"	{BD56EC4A-19E3-45dd-84CB-B63878481F6C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{43B80431-39B8-4d5b-80FF-3B1FBC0EC50C}\stubpath = "C:\\Windows\\{43B80431-39B8-4d5b-80FF-3B1FBC0EC50C}.exe"	{DC936013-AEAA-4505-8A62-2F47178BF7CC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C986009E-DB8F-4f44-9F98-43FDEF986D1A}	{650DE937-61CA-4eb8-B39E-228C4058739F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{35101E36-CDA6-4fa3-9B56-15407C21E2B9}\stubpath = "C:\\Windows\\{35101E36-CDA6-4fa3-9B56-15407C21E2B9}.exe"	{C986009E-DB8F-4f44-9F98-43FDEF986D1A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{814D38E5-2104-4357-A455-07B293561906}\stubpath = "C:\\Windows\\{814D38E5-2104-4357-A455-07B293561906}.exe"	{35101E36-CDA6-4fa3-9B56-15407C21E2B9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BD56EC4A-19E3-45dd-84CB-B63878481F6C}	{FE835FF3-BA85-4c92-9061-48E503C4A983}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BD56EC4A-19E3-45dd-84CB-B63878481F6C}\stubpath = "C:\\Windows\\{BD56EC4A-19E3-45dd-84CB-B63878481F6C}.exe"	{FE835FF3-BA85-4c92-9061-48E503C4A983}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DC936013-AEAA-4505-8A62-2F47178BF7CC}\stubpath = "C:\\Windows\\{DC936013-AEAA-4505-8A62-2F47178BF7CC}.exe"	{9513CDCF-7394-423c-9855-3187B5979DAA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{43B80431-39B8-4d5b-80FF-3B1FBC0EC50C}	{DC936013-AEAA-4505-8A62-2F47178BF7CC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{650DE937-61CA-4eb8-B39E-228C4058739F}	{43B80431-39B8-4d5b-80FF-3B1FBC0EC50C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{35101E36-CDA6-4fa3-9B56-15407C21E2B9}	{C986009E-DB8F-4f44-9F98-43FDEF986D1A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CD1421C0-DD0E-479f-BEBE-102E3FC94582}	{814D38E5-2104-4357-A455-07B293561906}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CD1421C0-DD0E-479f-BEBE-102E3FC94582}\stubpath = "C:\\Windows\\{CD1421C0-DD0E-479f-BEBE-102E3FC94582}.exe"	{814D38E5-2104-4357-A455-07B293561906}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{75B0544A-7A3F-43f8-ABA3-A9FDEDC56E10}	{BD56EC4A-19E3-45dd-84CB-B63878481F6C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DC936013-AEAA-4505-8A62-2F47178BF7CC}	{9513CDCF-7394-423c-9855-3187B5979DAA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{650DE937-61CA-4eb8-B39E-228C4058739F}\stubpath = "C:\\Windows\\{650DE937-61CA-4eb8-B39E-228C4058739F}.exe"	{43B80431-39B8-4d5b-80FF-3B1FBC0EC50C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FE835FF3-BA85-4c92-9061-48E503C4A983}\stubpath = "C:\\Windows\\{FE835FF3-BA85-4c92-9061-48E503C4A983}.exe"	2024-04-05_a4c266cc954c77f25d03766ddc0020d6_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9513CDCF-7394-423c-9855-3187B5979DAA}	{75B0544A-7A3F-43f8-ABA3-A9FDEDC56E10}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9513CDCF-7394-423c-9855-3187B5979DAA}\stubpath = "C:\\Windows\\{9513CDCF-7394-423c-9855-3187B5979DAA}.exe"	{75B0544A-7A3F-43f8-ABA3-A9FDEDC56E10}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C986009E-DB8F-4f44-9F98-43FDEF986D1A}\stubpath = "C:\\Windows\\{C986009E-DB8F-4f44-9F98-43FDEF986D1A}.exe"	{650DE937-61CA-4eb8-B39E-228C4058739F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{814D38E5-2104-4357-A455-07B293561906}	{35101E36-CDA6-4fa3-9B56-15407C21E2B9}.exe

Deletes itself 1 IoCs

pid	Process
2020	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2992	{FE835FF3-BA85-4c92-9061-48E503C4A983}.exe
2700	{BD56EC4A-19E3-45dd-84CB-B63878481F6C}.exe
2804	{75B0544A-7A3F-43f8-ABA3-A9FDEDC56E10}.exe
3028	{9513CDCF-7394-423c-9855-3187B5979DAA}.exe
2888	{DC936013-AEAA-4505-8A62-2F47178BF7CC}.exe
2536	{43B80431-39B8-4d5b-80FF-3B1FBC0EC50C}.exe
3036	{650DE937-61CA-4eb8-B39E-228C4058739F}.exe
1792	{C986009E-DB8F-4f44-9F98-43FDEF986D1A}.exe
2708	{35101E36-CDA6-4fa3-9B56-15407C21E2B9}.exe
692	{814D38E5-2104-4357-A455-07B293561906}.exe
2952	{CD1421C0-DD0E-479f-BEBE-102E3FC94582}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{FE835FF3-BA85-4c92-9061-48E503C4A983}.exe	2024-04-05_a4c266cc954c77f25d03766ddc0020d6_goldeneye.exe
File created	C:\Windows\{DC936013-AEAA-4505-8A62-2F47178BF7CC}.exe	{9513CDCF-7394-423c-9855-3187B5979DAA}.exe
File created	C:\Windows\{43B80431-39B8-4d5b-80FF-3B1FBC0EC50C}.exe	{DC936013-AEAA-4505-8A62-2F47178BF7CC}.exe
File created	C:\Windows\{650DE937-61CA-4eb8-B39E-228C4058739F}.exe	{43B80431-39B8-4d5b-80FF-3B1FBC0EC50C}.exe
File created	C:\Windows\{C986009E-DB8F-4f44-9F98-43FDEF986D1A}.exe	{650DE937-61CA-4eb8-B39E-228C4058739F}.exe
File created	C:\Windows\{BD56EC4A-19E3-45dd-84CB-B63878481F6C}.exe	{FE835FF3-BA85-4c92-9061-48E503C4A983}.exe
File created	C:\Windows\{75B0544A-7A3F-43f8-ABA3-A9FDEDC56E10}.exe	{BD56EC4A-19E3-45dd-84CB-B63878481F6C}.exe
File created	C:\Windows\{9513CDCF-7394-423c-9855-3187B5979DAA}.exe	{75B0544A-7A3F-43f8-ABA3-A9FDEDC56E10}.exe
File created	C:\Windows\{35101E36-CDA6-4fa3-9B56-15407C21E2B9}.exe	{C986009E-DB8F-4f44-9F98-43FDEF986D1A}.exe
File created	C:\Windows\{814D38E5-2104-4357-A455-07B293561906}.exe	{35101E36-CDA6-4fa3-9B56-15407C21E2B9}.exe
File created	C:\Windows\{CD1421C0-DD0E-479f-BEBE-102E3FC94582}.exe	{814D38E5-2104-4357-A455-07B293561906}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2968	2024-04-05_a4c266cc954c77f25d03766ddc0020d6_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2992	{FE835FF3-BA85-4c92-9061-48E503C4A983}.exe
Token: SeIncBasePriorityPrivilege	2700	{BD56EC4A-19E3-45dd-84CB-B63878481F6C}.exe
Token: SeIncBasePriorityPrivilege	2804	{75B0544A-7A3F-43f8-ABA3-A9FDEDC56E10}.exe
Token: SeIncBasePriorityPrivilege	3028	{9513CDCF-7394-423c-9855-3187B5979DAA}.exe
Token: SeIncBasePriorityPrivilege	2888	{DC936013-AEAA-4505-8A62-2F47178BF7CC}.exe
Token: SeIncBasePriorityPrivilege	2536	{43B80431-39B8-4d5b-80FF-3B1FBC0EC50C}.exe
Token: SeIncBasePriorityPrivilege	3036	{650DE937-61CA-4eb8-B39E-228C4058739F}.exe
Token: SeIncBasePriorityPrivilege	1792	{C986009E-DB8F-4f44-9F98-43FDEF986D1A}.exe
Token: SeIncBasePriorityPrivilege	2708	{35101E36-CDA6-4fa3-9B56-15407C21E2B9}.exe
Token: SeIncBasePriorityPrivilege	692	{814D38E5-2104-4357-A455-07B293561906}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2968 wrote to memory of 2992	2968	2024-04-05_a4c266cc954c77f25d03766ddc0020d6_goldeneye.exe	28
PID 2968 wrote to memory of 2992	2968	2024-04-05_a4c266cc954c77f25d03766ddc0020d6_goldeneye.exe	28
PID 2968 wrote to memory of 2992	2968	2024-04-05_a4c266cc954c77f25d03766ddc0020d6_goldeneye.exe	28
PID 2968 wrote to memory of 2992	2968	2024-04-05_a4c266cc954c77f25d03766ddc0020d6_goldeneye.exe	28
PID 2968 wrote to memory of 2020	2968	2024-04-05_a4c266cc954c77f25d03766ddc0020d6_goldeneye.exe	29
PID 2968 wrote to memory of 2020	2968	2024-04-05_a4c266cc954c77f25d03766ddc0020d6_goldeneye.exe	29
PID 2968 wrote to memory of 2020	2968	2024-04-05_a4c266cc954c77f25d03766ddc0020d6_goldeneye.exe	29
PID 2968 wrote to memory of 2020	2968	2024-04-05_a4c266cc954c77f25d03766ddc0020d6_goldeneye.exe	29
PID 2992 wrote to memory of 2700	2992	{FE835FF3-BA85-4c92-9061-48E503C4A983}.exe	30
PID 2992 wrote to memory of 2700	2992	{FE835FF3-BA85-4c92-9061-48E503C4A983}.exe	30
PID 2992 wrote to memory of 2700	2992	{FE835FF3-BA85-4c92-9061-48E503C4A983}.exe	30
PID 2992 wrote to memory of 2700	2992	{FE835FF3-BA85-4c92-9061-48E503C4A983}.exe	30
PID 2992 wrote to memory of 2624	2992	{FE835FF3-BA85-4c92-9061-48E503C4A983}.exe	31
PID 2992 wrote to memory of 2624	2992	{FE835FF3-BA85-4c92-9061-48E503C4A983}.exe	31
PID 2992 wrote to memory of 2624	2992	{FE835FF3-BA85-4c92-9061-48E503C4A983}.exe	31
PID 2992 wrote to memory of 2624	2992	{FE835FF3-BA85-4c92-9061-48E503C4A983}.exe	31
PID 2700 wrote to memory of 2804	2700	{BD56EC4A-19E3-45dd-84CB-B63878481F6C}.exe	32
PID 2700 wrote to memory of 2804	2700	{BD56EC4A-19E3-45dd-84CB-B63878481F6C}.exe	32
PID 2700 wrote to memory of 2804	2700	{BD56EC4A-19E3-45dd-84CB-B63878481F6C}.exe	32
PID 2700 wrote to memory of 2804	2700	{BD56EC4A-19E3-45dd-84CB-B63878481F6C}.exe	32
PID 2700 wrote to memory of 2868	2700	{BD56EC4A-19E3-45dd-84CB-B63878481F6C}.exe	33
PID 2700 wrote to memory of 2868	2700	{BD56EC4A-19E3-45dd-84CB-B63878481F6C}.exe	33
PID 2700 wrote to memory of 2868	2700	{BD56EC4A-19E3-45dd-84CB-B63878481F6C}.exe	33
PID 2700 wrote to memory of 2868	2700	{BD56EC4A-19E3-45dd-84CB-B63878481F6C}.exe	33
PID 2804 wrote to memory of 3028	2804	{75B0544A-7A3F-43f8-ABA3-A9FDEDC56E10}.exe	36
PID 2804 wrote to memory of 3028	2804	{75B0544A-7A3F-43f8-ABA3-A9FDEDC56E10}.exe	36
PID 2804 wrote to memory of 3028	2804	{75B0544A-7A3F-43f8-ABA3-A9FDEDC56E10}.exe	36
PID 2804 wrote to memory of 3028	2804	{75B0544A-7A3F-43f8-ABA3-A9FDEDC56E10}.exe	36
PID 2804 wrote to memory of 2064	2804	{75B0544A-7A3F-43f8-ABA3-A9FDEDC56E10}.exe	37
PID 2804 wrote to memory of 2064	2804	{75B0544A-7A3F-43f8-ABA3-A9FDEDC56E10}.exe	37
PID 2804 wrote to memory of 2064	2804	{75B0544A-7A3F-43f8-ABA3-A9FDEDC56E10}.exe	37
PID 2804 wrote to memory of 2064	2804	{75B0544A-7A3F-43f8-ABA3-A9FDEDC56E10}.exe	37
PID 3028 wrote to memory of 2888	3028	{9513CDCF-7394-423c-9855-3187B5979DAA}.exe	38
PID 3028 wrote to memory of 2888	3028	{9513CDCF-7394-423c-9855-3187B5979DAA}.exe	38
PID 3028 wrote to memory of 2888	3028	{9513CDCF-7394-423c-9855-3187B5979DAA}.exe	38
PID 3028 wrote to memory of 2888	3028	{9513CDCF-7394-423c-9855-3187B5979DAA}.exe	38
PID 3028 wrote to memory of 1956	3028	{9513CDCF-7394-423c-9855-3187B5979DAA}.exe	39
PID 3028 wrote to memory of 1956	3028	{9513CDCF-7394-423c-9855-3187B5979DAA}.exe	39
PID 3028 wrote to memory of 1956	3028	{9513CDCF-7394-423c-9855-3187B5979DAA}.exe	39
PID 3028 wrote to memory of 1956	3028	{9513CDCF-7394-423c-9855-3187B5979DAA}.exe	39
PID 2888 wrote to memory of 2536	2888	{DC936013-AEAA-4505-8A62-2F47178BF7CC}.exe	40
PID 2888 wrote to memory of 2536	2888	{DC936013-AEAA-4505-8A62-2F47178BF7CC}.exe	40
PID 2888 wrote to memory of 2536	2888	{DC936013-AEAA-4505-8A62-2F47178BF7CC}.exe	40
PID 2888 wrote to memory of 2536	2888	{DC936013-AEAA-4505-8A62-2F47178BF7CC}.exe	40
PID 2888 wrote to memory of 2556	2888	{DC936013-AEAA-4505-8A62-2F47178BF7CC}.exe	41
PID 2888 wrote to memory of 2556	2888	{DC936013-AEAA-4505-8A62-2F47178BF7CC}.exe	41
PID 2888 wrote to memory of 2556	2888	{DC936013-AEAA-4505-8A62-2F47178BF7CC}.exe	41
PID 2888 wrote to memory of 2556	2888	{DC936013-AEAA-4505-8A62-2F47178BF7CC}.exe	41
PID 2536 wrote to memory of 3036	2536	{43B80431-39B8-4d5b-80FF-3B1FBC0EC50C}.exe	42
PID 2536 wrote to memory of 3036	2536	{43B80431-39B8-4d5b-80FF-3B1FBC0EC50C}.exe	42
PID 2536 wrote to memory of 3036	2536	{43B80431-39B8-4d5b-80FF-3B1FBC0EC50C}.exe	42
PID 2536 wrote to memory of 3036	2536	{43B80431-39B8-4d5b-80FF-3B1FBC0EC50C}.exe	42
PID 2536 wrote to memory of 2896	2536	{43B80431-39B8-4d5b-80FF-3B1FBC0EC50C}.exe	43
PID 2536 wrote to memory of 2896	2536	{43B80431-39B8-4d5b-80FF-3B1FBC0EC50C}.exe	43
PID 2536 wrote to memory of 2896	2536	{43B80431-39B8-4d5b-80FF-3B1FBC0EC50C}.exe	43
PID 2536 wrote to memory of 2896	2536	{43B80431-39B8-4d5b-80FF-3B1FBC0EC50C}.exe	43
PID 3036 wrote to memory of 1792	3036	{650DE937-61CA-4eb8-B39E-228C4058739F}.exe	44
PID 3036 wrote to memory of 1792	3036	{650DE937-61CA-4eb8-B39E-228C4058739F}.exe	44
PID 3036 wrote to memory of 1792	3036	{650DE937-61CA-4eb8-B39E-228C4058739F}.exe	44
PID 3036 wrote to memory of 1792	3036	{650DE937-61CA-4eb8-B39E-228C4058739F}.exe	44
PID 3036 wrote to memory of 2200	3036	{650DE937-61CA-4eb8-B39E-228C4058739F}.exe	45
PID 3036 wrote to memory of 2200	3036	{650DE937-61CA-4eb8-B39E-228C4058739F}.exe	45
PID 3036 wrote to memory of 2200	3036	{650DE937-61CA-4eb8-B39E-228C4058739F}.exe	45
PID 3036 wrote to memory of 2200	3036	{650DE937-61CA-4eb8-B39E-228C4058739F}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-04-05_a4c266cc954c77f25d03766ddc0020d6_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-05_a4c266cc954c77f25d03766ddc0020d6_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2968
- C:\Windows\{FE835FF3-BA85-4c92-9061-48E503C4A983}.exe
  C:\Windows\{FE835FF3-BA85-4c92-9061-48E503C4A983}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2992
- - C:\Windows\{BD56EC4A-19E3-45dd-84CB-B63878481F6C}.exe
    C:\Windows\{BD56EC4A-19E3-45dd-84CB-B63878481F6C}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2700
  - - C:\Windows\{75B0544A-7A3F-43f8-ABA3-A9FDEDC56E10}.exe
      C:\Windows\{75B0544A-7A3F-43f8-ABA3-A9FDEDC56E10}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2804
    - - C:\Windows\{9513CDCF-7394-423c-9855-3187B5979DAA}.exe
        
        C:\Windows\{9513CDCF-7394-423c-9855-3187B5979DAA}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3028
      - C:\Windows\{DC936013-AEAA-4505-8A62-2F47178BF7CC}.exe
        
        C:\Windows\{DC936013-AEAA-4505-8A62-2F47178BF7CC}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2888
        
        C:\Windows\{43B80431-39B8-4d5b-80FF-3B1FBC0EC50C}.exe
        
        C:\Windows\{43B80431-39B8-4d5b-80FF-3B1FBC0EC50C}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2536
        
        C:\Windows\{650DE937-61CA-4eb8-B39E-228C4058739F}.exe
        
        C:\Windows\{650DE937-61CA-4eb8-B39E-228C4058739F}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3036
        
        C:\Windows\{C986009E-DB8F-4f44-9F98-43FDEF986D1A}.exe
        
        C:\Windows\{C986009E-DB8F-4f44-9F98-43FDEF986D1A}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1792
        
        C:\Windows\{35101E36-CDA6-4fa3-9B56-15407C21E2B9}.exe
        
        C:\Windows\{35101E36-CDA6-4fa3-9B56-15407C21E2B9}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2708
        
        C:\Windows\{814D38E5-2104-4357-A455-07B293561906}.exe
        
        C:\Windows\{814D38E5-2104-4357-A455-07B293561906}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:692
        
        C:\Windows\{CD1421C0-DD0E-479f-BEBE-102E3FC94582}.exe
        
        C:\Windows\{CD1421C0-DD0E-479f-BEBE-102E3FC94582}.exe
        12⤵
        Executes dropped EXE
        
        PID:2952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{814D3~1.EXE > nul
        12⤵
        
        PID:1336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{35101~1.EXE > nul
        11⤵
        
        PID:1128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C9860~1.EXE > nul
        10⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{650DE~1.EXE > nul
        9⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{43B80~1.EXE > nul
        8⤵
        
        PID:2896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DC936~1.EXE > nul
        7⤵
        
        PID:2556
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9513C~1.EXE > nul
        6⤵
        
        PID:1956
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{75B05~1.EXE > nul
        5⤵
        
        PID:2064
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{BD56E~1.EXE > nul
      4⤵
      PID:2868
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{FE835~1.EXE > nul
    3⤵
    PID:2624
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{35101E36-CDA6-4fa3-9B56-15407C21E2B9}.exe

Filesize
197KB

MD5
c3920bb62f491ac2850d8d566e32dea4

SHA1
335575a8013b167fd52e409568fbf6292fd5c025

SHA256
22c08805131f37089af91576ead325dae5fa9210cd98c45e9f61bc1f5b2d8422

SHA512
35636c0e4e44f37450cf663a0ca44aee7f34c9fbbe89988f516c59689e70ac1fb8621fc9129b0f35a5cfe02f79370ee46c694cde413c90b495aee0c899f58b55

Download Submit
C:\Windows\{43B80431-39B8-4d5b-80FF-3B1FBC0EC50C}.exe

Filesize
197KB

MD5
8d7ce7b767ebad7f12a6faa197694beb

SHA1
487b9a21064c22e4e2eafe90f4ab05dcf60d90e8

SHA256
958870b840bf3f21ce381db9a2e8694c2d6a6254f4400ad3c0a5ca0e8e2673d8

SHA512
3a19a7a61b82d7de0f879159a38cd7337cef73d06808ed3eeba1c681a7c464734a68687786ef21653a3b23ca85944e041b4f560d4dde588b7c21bb175bf64c29

Download Submit
C:\Windows\{650DE937-61CA-4eb8-B39E-228C4058739F}.exe

Filesize
197KB

MD5
3d8f12b2cdc31b076384d9e726822e2d

SHA1
57436aa059b80d74fdf32547acd122c514cfb969

SHA256
660650546b71f60af339d2eff9d9b914606a0effc19be8ae7b47e8d00ccee095

SHA512
3cae787629913891d05e242513f0c12b6978aa1baba412418532445a7b20f89015c4080b42f7be08f5904099deadd909ddcf292b0203d1582d3a500f9faf86bf

Download Submit
C:\Windows\{75B0544A-7A3F-43f8-ABA3-A9FDEDC56E10}.exe

Filesize
197KB

MD5
5bb54a8f4e128fe4186c9120cf0bf61d

SHA1
6cd4b12df2afc70e712fddbf2de78a22d2da9192

SHA256
6e35f3d1d944e4cc124f90babfdf813c9d9488ed2d2440ad6d9d2d2b0fe52bdc

SHA512
e78a1e70dd863060c9382e03d5d1a8710c00804e3d07406d64a7f2350284956994cbf8d3972c0394da985c95bed51531d179a98e6d21d32088defd220f1ef15f

Download Submit
C:\Windows\{814D38E5-2104-4357-A455-07B293561906}.exe

Filesize
197KB

MD5
1a90e76e146121f2f45e854ba21634f5

SHA1
667a5c7a8db37689be01b3c5170ddd7327d16d2f

SHA256
e739c72a2bc4e79d28de088e30fd14c96df155b5d648fff20841a02be2ff9e25

SHA512
97c45cd6354246d2dc46d717c814eaa8b14eb794b4795698f3f4bfbf28ba1977c903cad1176d587d0a36d5dbb0edfdfd179892202c76b1b5eda55d59d6df20c3

Download Submit
C:\Windows\{9513CDCF-7394-423c-9855-3187B5979DAA}.exe

Filesize
197KB

MD5
11821ab1e3b690bc2baa6cca0879b869

SHA1
126b1e7979320e3162cdd55302d5003c53ce10d1

SHA256
4f3c6f6da1c4f880a3e63db066d1256a8685be65e7e95008b4fd32e33c746c05

SHA512
c0a4b5827799b0e3ba7f5625381624838fc036cee4d57f139e60fd0c91483497d2bfc7eb217f427d8fceded0d64441608cfd77b855e3a373f24611f8a5ca756a

Download Submit
C:\Windows\{BD56EC4A-19E3-45dd-84CB-B63878481F6C}.exe

Filesize
197KB

MD5
3c04bdee129ec35b7928737011dcfdb8

SHA1
f96e0e500722addd47192b366dc33c53e6732794

SHA256
aab7ace51ef819d4b986c0cdc85fe2b35c60a21aca8d5e4148000e0c3d7da4cf

SHA512
350dc99b3c889ef6b83e27f948377f3b107ae26c5d23d93eb619a64748e97eb7684445af301eb6e66d02e8ae8db20420344dd961875c49a9f30d6616dd7dfd83

Download Submit
C:\Windows\{C986009E-DB8F-4f44-9F98-43FDEF986D1A}.exe

Filesize
197KB

MD5
a425aba5f120a2d4ad3381b7189c800c

SHA1
8f0de136fa707e0facabb2053afb27a778c37d1a

SHA256
a024b0f6d67bf398b64401a013ab987ff889cb16c80c385114d42def49aed9c5

SHA512
dbbbccb418061780e9639654c777f8aeb8e6fb0fea4cfb4f515cae34b7ddf1178ea408f5616db10e9d0706c4646e07dfad8cc89a671b69d6a3916bab8a96a5f1

Download Submit
C:\Windows\{CD1421C0-DD0E-479f-BEBE-102E3FC94582}.exe

Filesize
197KB

MD5
0a36642da02fa70d9bc82958bcfc24a0

SHA1
31db3b3155fbf79620bd1afea0b83868ca8e8ed3

SHA256
37c40b20576ee9226cd2f67e2b3b0354ba362ab125c3a96e0410b00801f03245

SHA512
5ee1dabb63c2872035b27bd1f9fd26851d59411e12b74acf2ae862bf9bbf2af5961ce7224db6e0af65b063a52840b1e9ec9f46f372727d944f13042cd4143444

Download Submit
C:\Windows\{DC936013-AEAA-4505-8A62-2F47178BF7CC}.exe

Filesize
197KB

MD5
927d63ee834d7e321b77ae2a341a73d0

SHA1
a51f423b708823a283b708bd1706567bb6287f4f

SHA256
728a5d67bfe3e668e36431283aa272acefe2dd1636990f7885f91cd0cb919fc3

SHA512
eb9e4472715abdfe20dbc564727f8b61168dadcfe46af30e9f75993d19a62854976388f3004c0a2e75c785ba89ce19597c17e2308b820e89109d00d3dd9d813c

Download Submit
C:\Windows\{FE835FF3-BA85-4c92-9061-48E503C4A983}.exe

Filesize
197KB

MD5
4c1897dd2d4bd362cfb679327935bc57

SHA1
183a4dbf865bf2173864ac9cdceab583bb760c1e

SHA256
35b456204f4a906a9640554a2ce674f699f2645649cb8570fac071023f4092d2

SHA512
fd38678f7666b76138ebedc291861d6de1e86ec1309776222ce1899a372dd0edb94ab8b77f1d0dc84bfdd22a99ce9b124c142e04fc698123103059af47c4aae7

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.