710582cf06dbf689f036ea995d273d7fad4e360f8d666d7bbd83cd82e3416d0b

Analysis

max time kernel
144s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
08/04/2024, 12:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-08_ca560f2a56c345baf900332a40fcfd23_goldeneye.exe
Size

168KB
MD5

ca560f2a56c345baf900332a40fcfd23
SHA1

a97ed4fc5e88fd25e760da3924fc7020f7481f78
SHA256

710582cf06dbf689f036ea995d273d7fad4e360f8d666d7bbd83cd82e3416d0b
SHA512

c98d8e8d80514ce95978002e0d95975041bb72b1e43722c381f05f43555bff6482a346aecd2c21804774715a887195edf614729c0be36c9bb76ce5b1a2d72b04
SSDEEP

1536:1EGh0oYlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oYlqOPOe2MUVg3Ve+rX

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000c0000000122f2-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000015598-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d0000000122f2-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000015c3d-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a000000015c3d-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000015c45-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000015c4d-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000015c76-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{31B79757-1832-429c-A99B-B946D65A19D4}	2024-04-08_ca560f2a56c345baf900332a40fcfd23_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C5BAE1CD-8659-48f8-A0E2-4048D24A9963}	{069268E7-3A31-45d0-9996-6A9978CD6DE1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C5BAE1CD-8659-48f8-A0E2-4048D24A9963}\stubpath = "C:\\Windows\\{C5BAE1CD-8659-48f8-A0E2-4048D24A9963}.exe"	{069268E7-3A31-45d0-9996-6A9978CD6DE1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9339045A-23A4-45e0-8374-4DC98D234C75}	{19920154-5B87-4eab-97B3-6122C652DCDD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1BEC6E26-D0F1-45d4-9280-BD2D815D4E6D}	{6E445569-C214-44af-9F50-C16E2274DC46}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2E6EF09B-EE95-47ca-8898-0E87DD54272B}	{C5BAE1CD-8659-48f8-A0E2-4048D24A9963}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6E445569-C214-44af-9F50-C16E2274DC46}	{9339045A-23A4-45e0-8374-4DC98D234C75}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{298BCEBC-882A-4aa4-996E-F738AB024E11}\stubpath = "C:\\Windows\\{298BCEBC-882A-4aa4-996E-F738AB024E11}.exe"	{31B79757-1832-429c-A99B-B946D65A19D4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4B5E72B8-54E9-476d-B1F3-A28C8F84B671}	{298BCEBC-882A-4aa4-996E-F738AB024E11}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{56B40953-D27D-41c1-8313-ECBA0CD8ACB6}	{4B5E72B8-54E9-476d-B1F3-A28C8F84B671}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{069268E7-3A31-45d0-9996-6A9978CD6DE1}	{56B40953-D27D-41c1-8313-ECBA0CD8ACB6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{069268E7-3A31-45d0-9996-6A9978CD6DE1}\stubpath = "C:\\Windows\\{069268E7-3A31-45d0-9996-6A9978CD6DE1}.exe"	{56B40953-D27D-41c1-8313-ECBA0CD8ACB6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6E445569-C214-44af-9F50-C16E2274DC46}\stubpath = "C:\\Windows\\{6E445569-C214-44af-9F50-C16E2274DC46}.exe"	{9339045A-23A4-45e0-8374-4DC98D234C75}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1BEC6E26-D0F1-45d4-9280-BD2D815D4E6D}\stubpath = "C:\\Windows\\{1BEC6E26-D0F1-45d4-9280-BD2D815D4E6D}.exe"	{6E445569-C214-44af-9F50-C16E2274DC46}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{31B79757-1832-429c-A99B-B946D65A19D4}\stubpath = "C:\\Windows\\{31B79757-1832-429c-A99B-B946D65A19D4}.exe"	2024-04-08_ca560f2a56c345baf900332a40fcfd23_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4B5E72B8-54E9-476d-B1F3-A28C8F84B671}\stubpath = "C:\\Windows\\{4B5E72B8-54E9-476d-B1F3-A28C8F84B671}.exe"	{298BCEBC-882A-4aa4-996E-F738AB024E11}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{56B40953-D27D-41c1-8313-ECBA0CD8ACB6}\stubpath = "C:\\Windows\\{56B40953-D27D-41c1-8313-ECBA0CD8ACB6}.exe"	{4B5E72B8-54E9-476d-B1F3-A28C8F84B671}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{19920154-5B87-4eab-97B3-6122C652DCDD}	{2E6EF09B-EE95-47ca-8898-0E87DD54272B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9339045A-23A4-45e0-8374-4DC98D234C75}\stubpath = "C:\\Windows\\{9339045A-23A4-45e0-8374-4DC98D234C75}.exe"	{19920154-5B87-4eab-97B3-6122C652DCDD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{298BCEBC-882A-4aa4-996E-F738AB024E11}	{31B79757-1832-429c-A99B-B946D65A19D4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2E6EF09B-EE95-47ca-8898-0E87DD54272B}\stubpath = "C:\\Windows\\{2E6EF09B-EE95-47ca-8898-0E87DD54272B}.exe"	{C5BAE1CD-8659-48f8-A0E2-4048D24A9963}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{19920154-5B87-4eab-97B3-6122C652DCDD}\stubpath = "C:\\Windows\\{19920154-5B87-4eab-97B3-6122C652DCDD}.exe"	{2E6EF09B-EE95-47ca-8898-0E87DD54272B}.exe

Deletes itself 1 IoCs

pid	Process
2356	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2176	{31B79757-1832-429c-A99B-B946D65A19D4}.exe
2564	{298BCEBC-882A-4aa4-996E-F738AB024E11}.exe
2724	{4B5E72B8-54E9-476d-B1F3-A28C8F84B671}.exe
2488	{56B40953-D27D-41c1-8313-ECBA0CD8ACB6}.exe
812	{069268E7-3A31-45d0-9996-6A9978CD6DE1}.exe
344	{C5BAE1CD-8659-48f8-A0E2-4048D24A9963}.exe
2168	{2E6EF09B-EE95-47ca-8898-0E87DD54272B}.exe
1692	{19920154-5B87-4eab-97B3-6122C652DCDD}.exe
1544	{9339045A-23A4-45e0-8374-4DC98D234C75}.exe
2644	{6E445569-C214-44af-9F50-C16E2274DC46}.exe
2120	{1BEC6E26-D0F1-45d4-9280-BD2D815D4E6D}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{298BCEBC-882A-4aa4-996E-F738AB024E11}.exe	{31B79757-1832-429c-A99B-B946D65A19D4}.exe
File created	C:\Windows\{C5BAE1CD-8659-48f8-A0E2-4048D24A9963}.exe	{069268E7-3A31-45d0-9996-6A9978CD6DE1}.exe
File created	C:\Windows\{9339045A-23A4-45e0-8374-4DC98D234C75}.exe	{19920154-5B87-4eab-97B3-6122C652DCDD}.exe
File created	C:\Windows\{6E445569-C214-44af-9F50-C16E2274DC46}.exe	{9339045A-23A4-45e0-8374-4DC98D234C75}.exe
File created	C:\Windows\{1BEC6E26-D0F1-45d4-9280-BD2D815D4E6D}.exe	{6E445569-C214-44af-9F50-C16E2274DC46}.exe
File created	C:\Windows\{31B79757-1832-429c-A99B-B946D65A19D4}.exe	2024-04-08_ca560f2a56c345baf900332a40fcfd23_goldeneye.exe
File created	C:\Windows\{4B5E72B8-54E9-476d-B1F3-A28C8F84B671}.exe	{298BCEBC-882A-4aa4-996E-F738AB024E11}.exe
File created	C:\Windows\{56B40953-D27D-41c1-8313-ECBA0CD8ACB6}.exe	{4B5E72B8-54E9-476d-B1F3-A28C8F84B671}.exe
File created	C:\Windows\{069268E7-3A31-45d0-9996-6A9978CD6DE1}.exe	{56B40953-D27D-41c1-8313-ECBA0CD8ACB6}.exe
File created	C:\Windows\{2E6EF09B-EE95-47ca-8898-0E87DD54272B}.exe	{C5BAE1CD-8659-48f8-A0E2-4048D24A9963}.exe
File created	C:\Windows\{19920154-5B87-4eab-97B3-6122C652DCDD}.exe	{2E6EF09B-EE95-47ca-8898-0E87DD54272B}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2200	2024-04-08_ca560f2a56c345baf900332a40fcfd23_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2176	{31B79757-1832-429c-A99B-B946D65A19D4}.exe
Token: SeIncBasePriorityPrivilege	2564	{298BCEBC-882A-4aa4-996E-F738AB024E11}.exe
Token: SeIncBasePriorityPrivilege	2724	{4B5E72B8-54E9-476d-B1F3-A28C8F84B671}.exe
Token: SeIncBasePriorityPrivilege	2488	{56B40953-D27D-41c1-8313-ECBA0CD8ACB6}.exe
Token: SeIncBasePriorityPrivilege	812	{069268E7-3A31-45d0-9996-6A9978CD6DE1}.exe
Token: SeIncBasePriorityPrivilege	344	{C5BAE1CD-8659-48f8-A0E2-4048D24A9963}.exe
Token: SeIncBasePriorityPrivilege	2168	{2E6EF09B-EE95-47ca-8898-0E87DD54272B}.exe
Token: SeIncBasePriorityPrivilege	1692	{19920154-5B87-4eab-97B3-6122C652DCDD}.exe
Token: SeIncBasePriorityPrivilege	1544	{9339045A-23A4-45e0-8374-4DC98D234C75}.exe
Token: SeIncBasePriorityPrivilege	2644	{6E445569-C214-44af-9F50-C16E2274DC46}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2200 wrote to memory of 2176	2200	2024-04-08_ca560f2a56c345baf900332a40fcfd23_goldeneye.exe	28
PID 2200 wrote to memory of 2176	2200	2024-04-08_ca560f2a56c345baf900332a40fcfd23_goldeneye.exe	28
PID 2200 wrote to memory of 2176	2200	2024-04-08_ca560f2a56c345baf900332a40fcfd23_goldeneye.exe	28
PID 2200 wrote to memory of 2176	2200	2024-04-08_ca560f2a56c345baf900332a40fcfd23_goldeneye.exe	28
PID 2200 wrote to memory of 2356	2200	2024-04-08_ca560f2a56c345baf900332a40fcfd23_goldeneye.exe	29
PID 2200 wrote to memory of 2356	2200	2024-04-08_ca560f2a56c345baf900332a40fcfd23_goldeneye.exe	29
PID 2200 wrote to memory of 2356	2200	2024-04-08_ca560f2a56c345baf900332a40fcfd23_goldeneye.exe	29
PID 2200 wrote to memory of 2356	2200	2024-04-08_ca560f2a56c345baf900332a40fcfd23_goldeneye.exe	29
PID 2176 wrote to memory of 2564	2176	{31B79757-1832-429c-A99B-B946D65A19D4}.exe	30
PID 2176 wrote to memory of 2564	2176	{31B79757-1832-429c-A99B-B946D65A19D4}.exe	30
PID 2176 wrote to memory of 2564	2176	{31B79757-1832-429c-A99B-B946D65A19D4}.exe	30
PID 2176 wrote to memory of 2564	2176	{31B79757-1832-429c-A99B-B946D65A19D4}.exe	30
PID 2176 wrote to memory of 2628	2176	{31B79757-1832-429c-A99B-B946D65A19D4}.exe	31
PID 2176 wrote to memory of 2628	2176	{31B79757-1832-429c-A99B-B946D65A19D4}.exe	31
PID 2176 wrote to memory of 2628	2176	{31B79757-1832-429c-A99B-B946D65A19D4}.exe	31
PID 2176 wrote to memory of 2628	2176	{31B79757-1832-429c-A99B-B946D65A19D4}.exe	31
PID 2564 wrote to memory of 2724	2564	{298BCEBC-882A-4aa4-996E-F738AB024E11}.exe	32
PID 2564 wrote to memory of 2724	2564	{298BCEBC-882A-4aa4-996E-F738AB024E11}.exe	32
PID 2564 wrote to memory of 2724	2564	{298BCEBC-882A-4aa4-996E-F738AB024E11}.exe	32
PID 2564 wrote to memory of 2724	2564	{298BCEBC-882A-4aa4-996E-F738AB024E11}.exe	32
PID 2564 wrote to memory of 2428	2564	{298BCEBC-882A-4aa4-996E-F738AB024E11}.exe	33
PID 2564 wrote to memory of 2428	2564	{298BCEBC-882A-4aa4-996E-F738AB024E11}.exe	33
PID 2564 wrote to memory of 2428	2564	{298BCEBC-882A-4aa4-996E-F738AB024E11}.exe	33
PID 2564 wrote to memory of 2428	2564	{298BCEBC-882A-4aa4-996E-F738AB024E11}.exe	33
PID 2724 wrote to memory of 2488	2724	{4B5E72B8-54E9-476d-B1F3-A28C8F84B671}.exe	36
PID 2724 wrote to memory of 2488	2724	{4B5E72B8-54E9-476d-B1F3-A28C8F84B671}.exe	36
PID 2724 wrote to memory of 2488	2724	{4B5E72B8-54E9-476d-B1F3-A28C8F84B671}.exe	36
PID 2724 wrote to memory of 2488	2724	{4B5E72B8-54E9-476d-B1F3-A28C8F84B671}.exe	36
PID 2724 wrote to memory of 2920	2724	{4B5E72B8-54E9-476d-B1F3-A28C8F84B671}.exe	37
PID 2724 wrote to memory of 2920	2724	{4B5E72B8-54E9-476d-B1F3-A28C8F84B671}.exe	37
PID 2724 wrote to memory of 2920	2724	{4B5E72B8-54E9-476d-B1F3-A28C8F84B671}.exe	37
PID 2724 wrote to memory of 2920	2724	{4B5E72B8-54E9-476d-B1F3-A28C8F84B671}.exe	37
PID 2488 wrote to memory of 812	2488	{56B40953-D27D-41c1-8313-ECBA0CD8ACB6}.exe	38
PID 2488 wrote to memory of 812	2488	{56B40953-D27D-41c1-8313-ECBA0CD8ACB6}.exe	38
PID 2488 wrote to memory of 812	2488	{56B40953-D27D-41c1-8313-ECBA0CD8ACB6}.exe	38
PID 2488 wrote to memory of 812	2488	{56B40953-D27D-41c1-8313-ECBA0CD8ACB6}.exe	38
PID 2488 wrote to memory of 868	2488	{56B40953-D27D-41c1-8313-ECBA0CD8ACB6}.exe	39
PID 2488 wrote to memory of 868	2488	{56B40953-D27D-41c1-8313-ECBA0CD8ACB6}.exe	39
PID 2488 wrote to memory of 868	2488	{56B40953-D27D-41c1-8313-ECBA0CD8ACB6}.exe	39
PID 2488 wrote to memory of 868	2488	{56B40953-D27D-41c1-8313-ECBA0CD8ACB6}.exe	39
PID 812 wrote to memory of 344	812	{069268E7-3A31-45d0-9996-6A9978CD6DE1}.exe	40
PID 812 wrote to memory of 344	812	{069268E7-3A31-45d0-9996-6A9978CD6DE1}.exe	40
PID 812 wrote to memory of 344	812	{069268E7-3A31-45d0-9996-6A9978CD6DE1}.exe	40
PID 812 wrote to memory of 344	812	{069268E7-3A31-45d0-9996-6A9978CD6DE1}.exe	40
PID 812 wrote to memory of 764	812	{069268E7-3A31-45d0-9996-6A9978CD6DE1}.exe	41
PID 812 wrote to memory of 764	812	{069268E7-3A31-45d0-9996-6A9978CD6DE1}.exe	41
PID 812 wrote to memory of 764	812	{069268E7-3A31-45d0-9996-6A9978CD6DE1}.exe	41
PID 812 wrote to memory of 764	812	{069268E7-3A31-45d0-9996-6A9978CD6DE1}.exe	41
PID 344 wrote to memory of 2168	344	{C5BAE1CD-8659-48f8-A0E2-4048D24A9963}.exe	42
PID 344 wrote to memory of 2168	344	{C5BAE1CD-8659-48f8-A0E2-4048D24A9963}.exe	42
PID 344 wrote to memory of 2168	344	{C5BAE1CD-8659-48f8-A0E2-4048D24A9963}.exe	42
PID 344 wrote to memory of 2168	344	{C5BAE1CD-8659-48f8-A0E2-4048D24A9963}.exe	42
PID 344 wrote to memory of 268	344	{C5BAE1CD-8659-48f8-A0E2-4048D24A9963}.exe	43
PID 344 wrote to memory of 268	344	{C5BAE1CD-8659-48f8-A0E2-4048D24A9963}.exe	43
PID 344 wrote to memory of 268	344	{C5BAE1CD-8659-48f8-A0E2-4048D24A9963}.exe	43
PID 344 wrote to memory of 268	344	{C5BAE1CD-8659-48f8-A0E2-4048D24A9963}.exe	43
PID 2168 wrote to memory of 1692	2168	{2E6EF09B-EE95-47ca-8898-0E87DD54272B}.exe	44
PID 2168 wrote to memory of 1692	2168	{2E6EF09B-EE95-47ca-8898-0E87DD54272B}.exe	44
PID 2168 wrote to memory of 1692	2168	{2E6EF09B-EE95-47ca-8898-0E87DD54272B}.exe	44
PID 2168 wrote to memory of 1692	2168	{2E6EF09B-EE95-47ca-8898-0E87DD54272B}.exe	44
PID 2168 wrote to memory of 1084	2168	{2E6EF09B-EE95-47ca-8898-0E87DD54272B}.exe	45
PID 2168 wrote to memory of 1084	2168	{2E6EF09B-EE95-47ca-8898-0E87DD54272B}.exe	45
PID 2168 wrote to memory of 1084	2168	{2E6EF09B-EE95-47ca-8898-0E87DD54272B}.exe	45
PID 2168 wrote to memory of 1084	2168	{2E6EF09B-EE95-47ca-8898-0E87DD54272B}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-04-08_ca560f2a56c345baf900332a40fcfd23_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-08_ca560f2a56c345baf900332a40fcfd23_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2200
- C:\Windows\{31B79757-1832-429c-A99B-B946D65A19D4}.exe
  C:\Windows\{31B79757-1832-429c-A99B-B946D65A19D4}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2176
- - C:\Windows\{298BCEBC-882A-4aa4-996E-F738AB024E11}.exe
    C:\Windows\{298BCEBC-882A-4aa4-996E-F738AB024E11}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2564
  - - C:\Windows\{4B5E72B8-54E9-476d-B1F3-A28C8F84B671}.exe
      C:\Windows\{4B5E72B8-54E9-476d-B1F3-A28C8F84B671}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2724
    - - C:\Windows\{56B40953-D27D-41c1-8313-ECBA0CD8ACB6}.exe
        
        C:\Windows\{56B40953-D27D-41c1-8313-ECBA0CD8ACB6}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2488
      - C:\Windows\{069268E7-3A31-45d0-9996-6A9978CD6DE1}.exe
        
        C:\Windows\{069268E7-3A31-45d0-9996-6A9978CD6DE1}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:812
        
        C:\Windows\{C5BAE1CD-8659-48f8-A0E2-4048D24A9963}.exe
        
        C:\Windows\{C5BAE1CD-8659-48f8-A0E2-4048D24A9963}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:344
        
        C:\Windows\{2E6EF09B-EE95-47ca-8898-0E87DD54272B}.exe
        
        C:\Windows\{2E6EF09B-EE95-47ca-8898-0E87DD54272B}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2168
        
        C:\Windows\{19920154-5B87-4eab-97B3-6122C652DCDD}.exe
        
        C:\Windows\{19920154-5B87-4eab-97B3-6122C652DCDD}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1692
        
        C:\Windows\{9339045A-23A4-45e0-8374-4DC98D234C75}.exe
        
        C:\Windows\{9339045A-23A4-45e0-8374-4DC98D234C75}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1544
        
        C:\Windows\{6E445569-C214-44af-9F50-C16E2274DC46}.exe
        
        C:\Windows\{6E445569-C214-44af-9F50-C16E2274DC46}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2644
        
        C:\Windows\{1BEC6E26-D0F1-45d4-9280-BD2D815D4E6D}.exe
        
        C:\Windows\{1BEC6E26-D0F1-45d4-9280-BD2D815D4E6D}.exe
        12⤵
        Executes dropped EXE
        
        PID:2120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6E445~1.EXE > nul
        12⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{93390~1.EXE > nul
        11⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{19920~1.EXE > nul
        10⤵
        
        PID:1208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2E6EF~1.EXE > nul
        9⤵
        
        PID:1084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C5BAE~1.EXE > nul
        8⤵
        
        PID:268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{06926~1.EXE > nul
        7⤵
        
        PID:764
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{56B40~1.EXE > nul
        6⤵
        
        PID:868
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4B5E7~1.EXE > nul
        5⤵
        
        PID:2920
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{298BC~1.EXE > nul
      4⤵
      PID:2428
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{31B79~1.EXE > nul
    3⤵
    PID:2628
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{069268E7-3A31-45d0-9996-6A9978CD6DE1}.exe

Filesize
168KB

MD5
eca67a60c40fe937e59fd41eb08b1c59

SHA1
b88e813a2fa6bdf637ff946b4a0c30db3f272f80

SHA256
42dd7b7e12ba8db549e8854a92f55c33d80d835a173a8b2de46723763caf3ad3

SHA512
becd7d8a4728c2c8d177fb7478754548a1549239a083e84a482fac84b5f1d1b45b363d9f06070904db7824aaa11508f65ac18eec11373b0d500546929d99d683

Download Submit
C:\Windows\{19920154-5B87-4eab-97B3-6122C652DCDD}.exe

Filesize
168KB

MD5
77de329536f29c150b328edd2d00d389

SHA1
88041b315151bc3edb2406b56771e624b33f7eeb

SHA256
0a9bcfa7fdb5eedd8660412f0b3f94035a60869586515c93f78e0fba781082bf

SHA512
07874f3ac9c3cd69a1828cc6a15a4c587a489822fd7325e830f73b0f220cfb8050f815daa136d63671f1dfdfde3dddf8850be070cebf49734995993f330cbaba

Download Submit
C:\Windows\{1BEC6E26-D0F1-45d4-9280-BD2D815D4E6D}.exe

Filesize
168KB

MD5
0f21f2d217d9e0ff3c74bbee0f549867

SHA1
67ec12abe5202e11dc8b43eeb085bf0da2b60825

SHA256
b6f866e5ad8403ad2c609e963a15d7a1b0d632b33ad12c9e7b4a144c78db3144

SHA512
8709c7bfe5e5e1a7bc582ac5974be13d6291c339417048edc504d713adf1e94484362b0067db2e803f36b9cf392243a200d9b5ecf6d9ecf36122cef6c6edb88e

Download Submit
C:\Windows\{298BCEBC-882A-4aa4-996E-F738AB024E11}.exe

Filesize
168KB

MD5
a66d7d37d907b97e6e07af84b9fc0c63

SHA1
a1ce35b1468fe0d9c13e9d25c3d3d5ca4f17787e

SHA256
d2b2575849e50d20e05bedeb537d8af3533d1569a137cc8ae886f6a2c81c162f

SHA512
18eb47661586261a051a4af9fa7537195ea1b6793b9bef00ecb2c01ef4a426d514a7ec2281f81cfe02db659c2dcfe0003ba582f79a6cb471510e267128597a85

Download Submit
C:\Windows\{2E6EF09B-EE95-47ca-8898-0E87DD54272B}.exe

Filesize
168KB

MD5
9a3a8e1240731698d72b83198b0b8f36

SHA1
3930e27bac085e1887c592073f261896eccbaa3a

SHA256
2e61f09d05919e87543901a73cb347a7804ee2599ab7d8f1ac7baf06ace8bafe

SHA512
aaa1e6de78b932d05c2ab17562c5a79ea50222b9a52e0e2a98454f030bc057c293bf420f641fb8d294c89d07b17f5215c45823d4f3d17e17a11aded8dbfbca73

Download Submit
C:\Windows\{31B79757-1832-429c-A99B-B946D65A19D4}.exe

Filesize
168KB

MD5
e9385618172dcc4ac6c138de73e14e86

SHA1
606110b7503947f7be70e968017840b164db9aa3

SHA256
e9adcff733303e42433f5b90302fa8cf47eccc07901ec32ae3879c3f6f2f5a06

SHA512
e174b788a0f4906d968801279b3dcc21acd3791a732281eba111ac7e72bcfb8f2910cfa9b7466854f574a4ab113a458b13b76a7f3eead849907ed95060106ebe

Download Submit
C:\Windows\{4B5E72B8-54E9-476d-B1F3-A28C8F84B671}.exe

Filesize
168KB

MD5
f0b7e723579b7cb625913c2f12c88150

SHA1
5ef7fc25f1df5f6d323479336284b0de7f234337

SHA256
384baee6ab1ffd1b02beaffd834bbc512a49d6da51561cc42e43d188302e1106

SHA512
c122a3c470a91db7d66d05c39e97c02dd1bf19cc82877ec85475da134e9b18527ed8cf20df5ed028012bddf902d1947de26e88c8ee9abd10a254b3701dd97da3

Download Submit
C:\Windows\{56B40953-D27D-41c1-8313-ECBA0CD8ACB6}.exe

Filesize
168KB

MD5
a64cef15db6910656e6b5f47aae7644f

SHA1
ded6c7faa9333d4e0e7226cf3f0afafa166432c9

SHA256
3854d1cc19746f538d35e9918ac3830a32592ff23479f5eadf1892a120472dd8

SHA512
7b3e2fbc45eded4172ce9e64b4b2bb904c9b997372f856147de61b84ac3920b34b6d9548a53077bd0b2b86aa2b470a41330c26142639ae1b4f733031cd7900bd

Download Submit
C:\Windows\{6E445569-C214-44af-9F50-C16E2274DC46}.exe

Filesize
168KB

MD5
ca5d516b83cfd9cbfcf5ba9fc7faa1a9

SHA1
77b1db4cdef5403f58336c1d562b2f94dec01c7a

SHA256
a1912c54507062e76bc7e2a73d40c9ae428ffeb699ae05d92f00e275f89d5dc5

SHA512
ad856d32d29f3c85d8754f02ccd56c4b7a7fafe2794ecd20f150615f98a84eaf88a3f58a7d3044099dc0f20652583b8e841dfb10dcfe476d7378f763120be7b1

Download Submit
C:\Windows\{9339045A-23A4-45e0-8374-4DC98D234C75}.exe

Filesize
168KB

MD5
bfee39ba65cc9fe1e3856eeaaf0561ec

SHA1
c972fbc113fb0cf54b6971fd92ec724289889b8c

SHA256
513dd8e7ad96039bf22e997088e8594869700f71ff770b8962dc5a41f5c9223f

SHA512
2f9aecb84e086a972366ab7e8c35d64d8caaaf461250fbf140806af523674993dd9b7635ab1de1bda34102b216ab8856f31dc00e871f57832c5db51e99ad6f63

Download Submit
C:\Windows\{C5BAE1CD-8659-48f8-A0E2-4048D24A9963}.exe

Filesize
168KB

MD5
fe0448e21e9ff6d6aca9762a14d96122

SHA1
24eea9319afa8f4e4ad07c570f7c35cb49de4551

SHA256
d0a85fca556288cebef012715edab29cf26e0e26bf1b70edd82ecff909c1d51b

SHA512
97675aa485e2caac4297a5e83f5e54998022010300801643751c80e637e84b8aa232b7809f9910d7b6762bc9be8019d1a80af53fc85a1bb76781edaa0bd54b81

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads