f080cc41d3b2040c7321666bf13f6c50e6f28c50e8c5b9a77f545fc9ed2b5b32

Analysis

max time kernel
144s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
05-04-2024 00:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-05_8065e9130a566db8691badcaa4838e3c_goldeneye.exe
Size

344KB
MD5

8065e9130a566db8691badcaa4838e3c
SHA1

5597f96a7599f70c897038ec5eb207427baac59c
SHA256

f080cc41d3b2040c7321666bf13f6c50e6f28c50e8c5b9a77f545fc9ed2b5b32
SHA512

6973dc04ce8767f077e6a0d818e74fbfc10c1a20650448e5c2273b0afade3ba689c651c8da00e02714ea4e5415e49883cbde934e89961307e747d2f80f1ac206
SSDEEP

3072:mEGh0oNlEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGflqOe2MUVg3v2IneKcAEcA

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000900000001225e-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d0000000122c7-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a00000001225e-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000300000000b1f2-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000400000000b1f2-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000500000000b1f2-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000600000000b1f2-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A4E959C9-BAEA-4930-9F37-470F9CDFE2AD}\stubpath = "C:\\Windows\\{A4E959C9-BAEA-4930-9F37-470F9CDFE2AD}.exe"	{273590CF-DE54-4a58-B3FE-2D70004CDCC0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{52C2CA18-D320-4501-B6E3-517BAD4483ED}\stubpath = "C:\\Windows\\{52C2CA18-D320-4501-B6E3-517BAD4483ED}.exe"	{6C31203D-3A0A-40e5-BA2D-9FEE3584B9B3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{38C6F45B-C12E-41ac-BA2A-3552E25CE93F}	{96401A32-7ACD-495c-8757-FC05F6111091}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{96401A32-7ACD-495c-8757-FC05F6111091}	{52C2CA18-D320-4501-B6E3-517BAD4483ED}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{96401A32-7ACD-495c-8757-FC05F6111091}\stubpath = "C:\\Windows\\{96401A32-7ACD-495c-8757-FC05F6111091}.exe"	{52C2CA18-D320-4501-B6E3-517BAD4483ED}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C62C3910-76EC-4d96-9CBB-76E56B336946}	{A4E959C9-BAEA-4930-9F37-470F9CDFE2AD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D88A915F-8099-4c77-9DB9-F3E6FE886FA9}\stubpath = "C:\\Windows\\{D88A915F-8099-4c77-9DB9-F3E6FE886FA9}.exe"	{C62C3910-76EC-4d96-9CBB-76E56B336946}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6C31203D-3A0A-40e5-BA2D-9FEE3584B9B3}	{15FB009C-0759-4c48-94F0-0C29FD76895A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6C31203D-3A0A-40e5-BA2D-9FEE3584B9B3}\stubpath = "C:\\Windows\\{6C31203D-3A0A-40e5-BA2D-9FEE3584B9B3}.exe"	{15FB009C-0759-4c48-94F0-0C29FD76895A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{273590CF-DE54-4a58-B3FE-2D70004CDCC0}\stubpath = "C:\\Windows\\{273590CF-DE54-4a58-B3FE-2D70004CDCC0}.exe"	{38C6F45B-C12E-41ac-BA2A-3552E25CE93F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{52C2CA18-D320-4501-B6E3-517BAD4483ED}	{6C31203D-3A0A-40e5-BA2D-9FEE3584B9B3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{38C6F45B-C12E-41ac-BA2A-3552E25CE93F}\stubpath = "C:\\Windows\\{38C6F45B-C12E-41ac-BA2A-3552E25CE93F}.exe"	{96401A32-7ACD-495c-8757-FC05F6111091}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{15FB009C-0759-4c48-94F0-0C29FD76895A}	{547F3397-1D1E-4902-B772-FD470D5F8414}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{15FB009C-0759-4c48-94F0-0C29FD76895A}\stubpath = "C:\\Windows\\{15FB009C-0759-4c48-94F0-0C29FD76895A}.exe"	{547F3397-1D1E-4902-B772-FD470D5F8414}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{273590CF-DE54-4a58-B3FE-2D70004CDCC0}	{38C6F45B-C12E-41ac-BA2A-3552E25CE93F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A4E959C9-BAEA-4930-9F37-470F9CDFE2AD}	{273590CF-DE54-4a58-B3FE-2D70004CDCC0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C62C3910-76EC-4d96-9CBB-76E56B336946}\stubpath = "C:\\Windows\\{C62C3910-76EC-4d96-9CBB-76E56B336946}.exe"	{A4E959C9-BAEA-4930-9F37-470F9CDFE2AD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D88A915F-8099-4c77-9DB9-F3E6FE886FA9}	{C62C3910-76EC-4d96-9CBB-76E56B336946}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{547F3397-1D1E-4902-B772-FD470D5F8414}	2024-04-05_8065e9130a566db8691badcaa4838e3c_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{547F3397-1D1E-4902-B772-FD470D5F8414}\stubpath = "C:\\Windows\\{547F3397-1D1E-4902-B772-FD470D5F8414}.exe"	2024-04-05_8065e9130a566db8691badcaa4838e3c_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6A28F207-08BE-477c-B292-A04B7182E544}	{D88A915F-8099-4c77-9DB9-F3E6FE886FA9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6A28F207-08BE-477c-B292-A04B7182E544}\stubpath = "C:\\Windows\\{6A28F207-08BE-477c-B292-A04B7182E544}.exe"	{D88A915F-8099-4c77-9DB9-F3E6FE886FA9}.exe

Deletes itself 1 IoCs

pid	Process
2784	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
1616	{547F3397-1D1E-4902-B772-FD470D5F8414}.exe
2676	{15FB009C-0759-4c48-94F0-0C29FD76895A}.exe
3052	{6C31203D-3A0A-40e5-BA2D-9FEE3584B9B3}.exe
2960	{52C2CA18-D320-4501-B6E3-517BAD4483ED}.exe
2652	{96401A32-7ACD-495c-8757-FC05F6111091}.exe
2632	{38C6F45B-C12E-41ac-BA2A-3552E25CE93F}.exe
1644	{273590CF-DE54-4a58-B3FE-2D70004CDCC0}.exe
2828	{A4E959C9-BAEA-4930-9F37-470F9CDFE2AD}.exe
816	{C62C3910-76EC-4d96-9CBB-76E56B336946}.exe
2976	{D88A915F-8099-4c77-9DB9-F3E6FE886FA9}.exe
2056	{6A28F207-08BE-477c-B292-A04B7182E544}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{6A28F207-08BE-477c-B292-A04B7182E544}.exe	{D88A915F-8099-4c77-9DB9-F3E6FE886FA9}.exe
File created	C:\Windows\{547F3397-1D1E-4902-B772-FD470D5F8414}.exe	2024-04-05_8065e9130a566db8691badcaa4838e3c_goldeneye.exe
File created	C:\Windows\{15FB009C-0759-4c48-94F0-0C29FD76895A}.exe	{547F3397-1D1E-4902-B772-FD470D5F8414}.exe
File created	C:\Windows\{96401A32-7ACD-495c-8757-FC05F6111091}.exe	{52C2CA18-D320-4501-B6E3-517BAD4483ED}.exe
File created	C:\Windows\{273590CF-DE54-4a58-B3FE-2D70004CDCC0}.exe	{38C6F45B-C12E-41ac-BA2A-3552E25CE93F}.exe
File created	C:\Windows\{D88A915F-8099-4c77-9DB9-F3E6FE886FA9}.exe	{C62C3910-76EC-4d96-9CBB-76E56B336946}.exe
File created	C:\Windows\{6C31203D-3A0A-40e5-BA2D-9FEE3584B9B3}.exe	{15FB009C-0759-4c48-94F0-0C29FD76895A}.exe
File created	C:\Windows\{52C2CA18-D320-4501-B6E3-517BAD4483ED}.exe	{6C31203D-3A0A-40e5-BA2D-9FEE3584B9B3}.exe
File created	C:\Windows\{38C6F45B-C12E-41ac-BA2A-3552E25CE93F}.exe	{96401A32-7ACD-495c-8757-FC05F6111091}.exe
File created	C:\Windows\{A4E959C9-BAEA-4930-9F37-470F9CDFE2AD}.exe	{273590CF-DE54-4a58-B3FE-2D70004CDCC0}.exe
File created	C:\Windows\{C62C3910-76EC-4d96-9CBB-76E56B336946}.exe	{A4E959C9-BAEA-4930-9F37-470F9CDFE2AD}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2208	2024-04-05_8065e9130a566db8691badcaa4838e3c_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1616	{547F3397-1D1E-4902-B772-FD470D5F8414}.exe
Token: SeIncBasePriorityPrivilege	2676	{15FB009C-0759-4c48-94F0-0C29FD76895A}.exe
Token: SeIncBasePriorityPrivilege	3052	{6C31203D-3A0A-40e5-BA2D-9FEE3584B9B3}.exe
Token: SeIncBasePriorityPrivilege	2960	{52C2CA18-D320-4501-B6E3-517BAD4483ED}.exe
Token: SeIncBasePriorityPrivilege	2652	{96401A32-7ACD-495c-8757-FC05F6111091}.exe
Token: SeIncBasePriorityPrivilege	2632	{38C6F45B-C12E-41ac-BA2A-3552E25CE93F}.exe
Token: SeIncBasePriorityPrivilege	1644	{273590CF-DE54-4a58-B3FE-2D70004CDCC0}.exe
Token: SeIncBasePriorityPrivilege	2828	{A4E959C9-BAEA-4930-9F37-470F9CDFE2AD}.exe
Token: SeIncBasePriorityPrivilege	816	{C62C3910-76EC-4d96-9CBB-76E56B336946}.exe
Token: SeIncBasePriorityPrivilege	2976	{D88A915F-8099-4c77-9DB9-F3E6FE886FA9}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2208 wrote to memory of 1616	2208	2024-04-05_8065e9130a566db8691badcaa4838e3c_goldeneye.exe	28
PID 2208 wrote to memory of 1616	2208	2024-04-05_8065e9130a566db8691badcaa4838e3c_goldeneye.exe	28
PID 2208 wrote to memory of 1616	2208	2024-04-05_8065e9130a566db8691badcaa4838e3c_goldeneye.exe	28
PID 2208 wrote to memory of 1616	2208	2024-04-05_8065e9130a566db8691badcaa4838e3c_goldeneye.exe	28
PID 2208 wrote to memory of 2784	2208	2024-04-05_8065e9130a566db8691badcaa4838e3c_goldeneye.exe	29
PID 2208 wrote to memory of 2784	2208	2024-04-05_8065e9130a566db8691badcaa4838e3c_goldeneye.exe	29
PID 2208 wrote to memory of 2784	2208	2024-04-05_8065e9130a566db8691badcaa4838e3c_goldeneye.exe	29
PID 2208 wrote to memory of 2784	2208	2024-04-05_8065e9130a566db8691badcaa4838e3c_goldeneye.exe	29
PID 1616 wrote to memory of 2676	1616	{547F3397-1D1E-4902-B772-FD470D5F8414}.exe	30
PID 1616 wrote to memory of 2676	1616	{547F3397-1D1E-4902-B772-FD470D5F8414}.exe	30
PID 1616 wrote to memory of 2676	1616	{547F3397-1D1E-4902-B772-FD470D5F8414}.exe	30
PID 1616 wrote to memory of 2676	1616	{547F3397-1D1E-4902-B772-FD470D5F8414}.exe	30
PID 1616 wrote to memory of 2700	1616	{547F3397-1D1E-4902-B772-FD470D5F8414}.exe	31
PID 1616 wrote to memory of 2700	1616	{547F3397-1D1E-4902-B772-FD470D5F8414}.exe	31
PID 1616 wrote to memory of 2700	1616	{547F3397-1D1E-4902-B772-FD470D5F8414}.exe	31
PID 1616 wrote to memory of 2700	1616	{547F3397-1D1E-4902-B772-FD470D5F8414}.exe	31
PID 2676 wrote to memory of 3052	2676	{15FB009C-0759-4c48-94F0-0C29FD76895A}.exe	32
PID 2676 wrote to memory of 3052	2676	{15FB009C-0759-4c48-94F0-0C29FD76895A}.exe	32
PID 2676 wrote to memory of 3052	2676	{15FB009C-0759-4c48-94F0-0C29FD76895A}.exe	32
PID 2676 wrote to memory of 3052	2676	{15FB009C-0759-4c48-94F0-0C29FD76895A}.exe	32
PID 2676 wrote to memory of 2448	2676	{15FB009C-0759-4c48-94F0-0C29FD76895A}.exe	33
PID 2676 wrote to memory of 2448	2676	{15FB009C-0759-4c48-94F0-0C29FD76895A}.exe	33
PID 2676 wrote to memory of 2448	2676	{15FB009C-0759-4c48-94F0-0C29FD76895A}.exe	33
PID 2676 wrote to memory of 2448	2676	{15FB009C-0759-4c48-94F0-0C29FD76895A}.exe	33
PID 3052 wrote to memory of 2960	3052	{6C31203D-3A0A-40e5-BA2D-9FEE3584B9B3}.exe	36
PID 3052 wrote to memory of 2960	3052	{6C31203D-3A0A-40e5-BA2D-9FEE3584B9B3}.exe	36
PID 3052 wrote to memory of 2960	3052	{6C31203D-3A0A-40e5-BA2D-9FEE3584B9B3}.exe	36
PID 3052 wrote to memory of 2960	3052	{6C31203D-3A0A-40e5-BA2D-9FEE3584B9B3}.exe	36
PID 3052 wrote to memory of 2964	3052	{6C31203D-3A0A-40e5-BA2D-9FEE3584B9B3}.exe	37
PID 3052 wrote to memory of 2964	3052	{6C31203D-3A0A-40e5-BA2D-9FEE3584B9B3}.exe	37
PID 3052 wrote to memory of 2964	3052	{6C31203D-3A0A-40e5-BA2D-9FEE3584B9B3}.exe	37
PID 3052 wrote to memory of 2964	3052	{6C31203D-3A0A-40e5-BA2D-9FEE3584B9B3}.exe	37
PID 2960 wrote to memory of 2652	2960	{52C2CA18-D320-4501-B6E3-517BAD4483ED}.exe	38
PID 2960 wrote to memory of 2652	2960	{52C2CA18-D320-4501-B6E3-517BAD4483ED}.exe	38
PID 2960 wrote to memory of 2652	2960	{52C2CA18-D320-4501-B6E3-517BAD4483ED}.exe	38
PID 2960 wrote to memory of 2652	2960	{52C2CA18-D320-4501-B6E3-517BAD4483ED}.exe	38
PID 2960 wrote to memory of 2588	2960	{52C2CA18-D320-4501-B6E3-517BAD4483ED}.exe	39
PID 2960 wrote to memory of 2588	2960	{52C2CA18-D320-4501-B6E3-517BAD4483ED}.exe	39
PID 2960 wrote to memory of 2588	2960	{52C2CA18-D320-4501-B6E3-517BAD4483ED}.exe	39
PID 2960 wrote to memory of 2588	2960	{52C2CA18-D320-4501-B6E3-517BAD4483ED}.exe	39
PID 2652 wrote to memory of 2632	2652	{96401A32-7ACD-495c-8757-FC05F6111091}.exe	40
PID 2652 wrote to memory of 2632	2652	{96401A32-7ACD-495c-8757-FC05F6111091}.exe	40
PID 2652 wrote to memory of 2632	2652	{96401A32-7ACD-495c-8757-FC05F6111091}.exe	40
PID 2652 wrote to memory of 2632	2652	{96401A32-7ACD-495c-8757-FC05F6111091}.exe	40
PID 2652 wrote to memory of 884	2652	{96401A32-7ACD-495c-8757-FC05F6111091}.exe	41
PID 2652 wrote to memory of 884	2652	{96401A32-7ACD-495c-8757-FC05F6111091}.exe	41
PID 2652 wrote to memory of 884	2652	{96401A32-7ACD-495c-8757-FC05F6111091}.exe	41
PID 2652 wrote to memory of 884	2652	{96401A32-7ACD-495c-8757-FC05F6111091}.exe	41
PID 2632 wrote to memory of 1644	2632	{38C6F45B-C12E-41ac-BA2A-3552E25CE93F}.exe	42
PID 2632 wrote to memory of 1644	2632	{38C6F45B-C12E-41ac-BA2A-3552E25CE93F}.exe	42
PID 2632 wrote to memory of 1644	2632	{38C6F45B-C12E-41ac-BA2A-3552E25CE93F}.exe	42
PID 2632 wrote to memory of 1644	2632	{38C6F45B-C12E-41ac-BA2A-3552E25CE93F}.exe	42
PID 2632 wrote to memory of 300	2632	{38C6F45B-C12E-41ac-BA2A-3552E25CE93F}.exe	43
PID 2632 wrote to memory of 300	2632	{38C6F45B-C12E-41ac-BA2A-3552E25CE93F}.exe	43
PID 2632 wrote to memory of 300	2632	{38C6F45B-C12E-41ac-BA2A-3552E25CE93F}.exe	43
PID 2632 wrote to memory of 300	2632	{38C6F45B-C12E-41ac-BA2A-3552E25CE93F}.exe	43
PID 1644 wrote to memory of 2828	1644	{273590CF-DE54-4a58-B3FE-2D70004CDCC0}.exe	44
PID 1644 wrote to memory of 2828	1644	{273590CF-DE54-4a58-B3FE-2D70004CDCC0}.exe	44
PID 1644 wrote to memory of 2828	1644	{273590CF-DE54-4a58-B3FE-2D70004CDCC0}.exe	44
PID 1644 wrote to memory of 2828	1644	{273590CF-DE54-4a58-B3FE-2D70004CDCC0}.exe	44
PID 1644 wrote to memory of 2628	1644	{273590CF-DE54-4a58-B3FE-2D70004CDCC0}.exe	45
PID 1644 wrote to memory of 2628	1644	{273590CF-DE54-4a58-B3FE-2D70004CDCC0}.exe	45
PID 1644 wrote to memory of 2628	1644	{273590CF-DE54-4a58-B3FE-2D70004CDCC0}.exe	45
PID 1644 wrote to memory of 2628	1644	{273590CF-DE54-4a58-B3FE-2D70004CDCC0}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-04-05_8065e9130a566db8691badcaa4838e3c_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-05_8065e9130a566db8691badcaa4838e3c_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2208
- C:\Windows\{547F3397-1D1E-4902-B772-FD470D5F8414}.exe
  C:\Windows\{547F3397-1D1E-4902-B772-FD470D5F8414}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1616
- - C:\Windows\{15FB009C-0759-4c48-94F0-0C29FD76895A}.exe
    C:\Windows\{15FB009C-0759-4c48-94F0-0C29FD76895A}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2676
  - - C:\Windows\{6C31203D-3A0A-40e5-BA2D-9FEE3584B9B3}.exe
      C:\Windows\{6C31203D-3A0A-40e5-BA2D-9FEE3584B9B3}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3052
    - - C:\Windows\{52C2CA18-D320-4501-B6E3-517BAD4483ED}.exe
        
        C:\Windows\{52C2CA18-D320-4501-B6E3-517BAD4483ED}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2960
      - C:\Windows\{96401A32-7ACD-495c-8757-FC05F6111091}.exe
        
        C:\Windows\{96401A32-7ACD-495c-8757-FC05F6111091}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2652
        
        C:\Windows\{38C6F45B-C12E-41ac-BA2A-3552E25CE93F}.exe
        
        C:\Windows\{38C6F45B-C12E-41ac-BA2A-3552E25CE93F}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2632
        
        C:\Windows\{273590CF-DE54-4a58-B3FE-2D70004CDCC0}.exe
        
        C:\Windows\{273590CF-DE54-4a58-B3FE-2D70004CDCC0}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1644
        
        C:\Windows\{A4E959C9-BAEA-4930-9F37-470F9CDFE2AD}.exe
        
        C:\Windows\{A4E959C9-BAEA-4930-9F37-470F9CDFE2AD}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2828
        
        C:\Windows\{C62C3910-76EC-4d96-9CBB-76E56B336946}.exe
        
        C:\Windows\{C62C3910-76EC-4d96-9CBB-76E56B336946}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:816
        
        C:\Windows\{D88A915F-8099-4c77-9DB9-F3E6FE886FA9}.exe
        
        C:\Windows\{D88A915F-8099-4c77-9DB9-F3E6FE886FA9}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2976
        
        C:\Windows\{6A28F207-08BE-477c-B292-A04B7182E544}.exe
        
        C:\Windows\{6A28F207-08BE-477c-B292-A04B7182E544}.exe
        12⤵
        Executes dropped EXE
        
        PID:2056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D88A9~1.EXE > nul
        12⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C62C3~1.EXE > nul
        11⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A4E95~1.EXE > nul
        10⤵
        
        PID:620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{27359~1.EXE > nul
        9⤵
        
        PID:2628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{38C6F~1.EXE > nul
        8⤵
        
        PID:300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{96401~1.EXE > nul
        7⤵
        
        PID:884
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{52C2C~1.EXE > nul
        6⤵
        
        PID:2588
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6C312~1.EXE > nul
        5⤵
        
        PID:2964
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{15FB0~1.EXE > nul
      4⤵
      PID:2448
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{547F3~1.EXE > nul
    3⤵
    PID:2700
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{15FB009C-0759-4c48-94F0-0C29FD76895A}.exe

Filesize
344KB

MD5
4c34bf7435686d9022487a9981a33dab

SHA1
c103cb1a3a00e855c7ae61e2ba763947a5a26790

SHA256
7b53312112c9d9c0b80a87bf2d743a700de52328cf2c8e435134bfddd45d1e67

SHA512
ab22a01a05388d4e88d1df9524be74f02c67006ba215e6019c794437e4dc6a0ca84078ad0b6b6e5f62bb190bc4ced5d3895b6486323756505c4ae5af91e826b2

Download Submit
C:\Windows\{273590CF-DE54-4a58-B3FE-2D70004CDCC0}.exe

Filesize
344KB

MD5
b6406154579852b5c817354523d9ddbd

SHA1
5597e34748f4bbaf407e5a98230fcedb1508792e

SHA256
b49f2f07484a782435c3317920b3c289145b461bd39ad1fc57f762a46373d11e

SHA512
26ac3f435ae456b140768e1eb33c4d94479f4bb964c455f2cb6ced7115517c1b99e87569364f04bcefedde6e647f7181a4c2942045ce629ea21c60f5ac7da5cf

Download Submit
C:\Windows\{38C6F45B-C12E-41ac-BA2A-3552E25CE93F}.exe

Filesize
344KB

MD5
6e1f1f105995eb6c43b21f6a03a63341

SHA1
72b434df867ebb1bef3fd4f588df696d2a5c9cc1

SHA256
af56be0b3b544acd180e4417611c25840b5066233c8bc94ea25b94f8f14a69a7

SHA512
e5e1900f2da202d93486466b3d77f8712c01cf78cad5e71d6b038b767bbbbb12ab88b85ca2e4cf63a6692472b16662da9908367b2a650c510c3e606df06f2c14

Download Submit
C:\Windows\{52C2CA18-D320-4501-B6E3-517BAD4483ED}.exe

Filesize
344KB

MD5
8299f1bea20331ed0a89c20c994e53b4

SHA1
c5a9973bd47958b765b348aac1cdd07812fcd32d

SHA256
815643cd9cb56cc023ac933802f8b12ae1478d2aa770888a7c7b29092120086e

SHA512
a1fd72e88a179b711cf4b8e4dd97224ebbfaf3acd84b6150a15d9bc60add4617e2d9ac53c4b677b38140c4202c2fb17621f7797662370ddb01abc41770ff9c39

Download Submit
C:\Windows\{547F3397-1D1E-4902-B772-FD470D5F8414}.exe

Filesize
344KB

MD5
85ac93ae0f514c730ed92b86112882dd

SHA1
e790820bcd01f21aef413fa4838a82161a4482a9

SHA256
2067f547cf071e220fc01a69c9cca59dd8660196d049349f22b4f4faa6efbf04

SHA512
2e849312b7590ee1f248b7602376ea2b1267d7b2d94c74db0062fcd051e882f0caec5fe914c18f6eebcc8a15c4bac72d1f6d0c028cc57c4e5a491b7ac9ab51c2

Download Submit
C:\Windows\{6A28F207-08BE-477c-B292-A04B7182E544}.exe

Filesize
344KB

MD5
708a1d83691a39be4f027eee6adbad64

SHA1
ce0d2e3ed50c06968ee9b0bf76d21648611f347a

SHA256
8e966ff7617528298dd3a251b10f76760cbf1c413f6acd75147dc38fa1034ab9

SHA512
47830d53d6adcec6e142789d850954519828e87926275e86674dd544c81e19acde792bcfea18ffcc12668c3dfd71f4f3d7fc6da28711f58e7baef3663e1976d1

Download Submit
C:\Windows\{6C31203D-3A0A-40e5-BA2D-9FEE3584B9B3}.exe

Filesize
344KB

MD5
6e78530d83624e511a4cab4cff82df73

SHA1
201e4df9b7ed8c3db2a33dc269a629908ec547f3

SHA256
9539581d9d573cfd6263eaf2dfe9511127353f1e883595b37030b07591843e88

SHA512
87cc69984a682cb42672baaedb649045b9ae30c5cdc90daab8779f03138c26e56fa7f4594c57a468d7f4efebc17a095aaaf111989fff07213f07a580eba96905

Download Submit
C:\Windows\{96401A32-7ACD-495c-8757-FC05F6111091}.exe

Filesize
344KB

MD5
abb8c332bd07ccc0b65a53cc66354d79

SHA1
0f8f9f6afd4168e720b17b240e90ff0ce8d0e62d

SHA256
21ce3eaba8d877b1d457a2ef720a3c6c8ee1320492ac5e64790319791a0473c2

SHA512
03ab8c8977a180c412287b3f1a5ddf8def4835c710ee1c7608e0b67cf24803d677624c3aede823a27a1a69a86a2b2cc6bc8d95d896a8ccdc34d0359ceea5f625

Download Submit
C:\Windows\{A4E959C9-BAEA-4930-9F37-470F9CDFE2AD}.exe

Filesize
344KB

MD5
903ff13a0d7071778e47a357eedafed6

SHA1
b956f2e19ad1eb427bffc79afd7c5f6875e53b90

SHA256
04ae7305e7b82c1b403162f58bca101464028b93be232a0e9f736644a5e7161f

SHA512
20727498b505ad5629262317c55c95525d7fda83456e2f6b21b94bcedd1278d8a9c768e419fe634f47caa4a2c9ac5241a3bd022305dd9b44108eb99d4014cc9d

Download Submit
C:\Windows\{C62C3910-76EC-4d96-9CBB-76E56B336946}.exe

Filesize
344KB

MD5
aeded563af591f5473da5b3af1e811cd

SHA1
4b35bc7fc0c518a09e6129801e30acc581468d76

SHA256
b20cf792953423d7b106fabdaa79aad97b28e309cb9b3afb3a9ae9dc4ba85cd7

SHA512
37c5a63ac968bd99571767c3d4714b18a0c7d8ac8ac099cc822f7aadf37dcbf74303b603d24a3aff9384403b8bd474bc94a9f57ab7988d598c84f94bdceb5aa2

Download Submit
C:\Windows\{D88A915F-8099-4c77-9DB9-F3E6FE886FA9}.exe

Filesize
344KB

MD5
639447117fcb312fa73c65f806671553

SHA1
163406a3d706b15b58b27f45353dcfba9eda74b4

SHA256
905fd87f54631d4ac3fad6c84299f3db1ba70e50f62557e8fb155db5401718d7

SHA512
46f4977e67bda5c73ee675d65859fd483aecb105d74f8e0b3e261dcbfa9b61e143f749e68d4e1998902633611c010c8f7b61e1506b1b5a5ed9d61e86b1d4f737

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads