dfcf70805666d26076fb0df8d32abb76ec13386cc39a1341ebe6c6bd2b62638c

Analysis

max time kernel
144s
max time network
120s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
10/04/2024, 14:27

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-04-10_c366008c5357fe8baf604bba052a0854_goldeneye.exe
Size

180KB
MD5

c366008c5357fe8baf604bba052a0854
SHA1

7efc0f6993824a98aaac7e9ae1a4d29ef563ae2f
SHA256

dfcf70805666d26076fb0df8d32abb76ec13386cc39a1341ebe6c6bd2b62638c
SHA512

2a38035c4f3641a5f4faae208d473bbb2ccbed11481f4e29c603bb03cf58a4fa0d703324991d1b52fc823d164fdeba7bf9fd142d870ec328fd4233801f04fde0
SSDEEP

3072:jEGh0o0lfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGKl5eKcAEc

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000a00000001220d-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a000000014120-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b00000001220d-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00090000000143ec-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000005a59-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c00000001220d-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000005a59-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d00000001220d-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000005a59-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e00000001220d-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000005a59-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9550158B-BFD5-4384-8435-6AE23D50EE37}	{1EEC3E91-858A-43df-A001-683A40DC280A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9550158B-BFD5-4384-8435-6AE23D50EE37}\stubpath = "C:\\Windows\\{9550158B-BFD5-4384-8435-6AE23D50EE37}.exe"	{1EEC3E91-858A-43df-A001-683A40DC280A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2A4577CF-F699-4b2a-BF19-5E1B8EBCE9F9}	{9550158B-BFD5-4384-8435-6AE23D50EE37}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BE7756A0-FA15-4b6d-BA04-B87BCCE8FD9B}\stubpath = "C:\\Windows\\{BE7756A0-FA15-4b6d-BA04-B87BCCE8FD9B}.exe"	{2A4577CF-F699-4b2a-BF19-5E1B8EBCE9F9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FDBFE10C-41AF-49ab-908B-915BCA0C47C0}	{403C64D3-E89F-49ad-AC27-D111F4121EE2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BB5F85C0-B68E-4412-BB3A-D8D21A308A8F}\stubpath = "C:\\Windows\\{BB5F85C0-B68E-4412-BB3A-D8D21A308A8F}.exe"	{FDBFE10C-41AF-49ab-908B-915BCA0C47C0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{11653A26-C8D1-40b5-928E-D22EB9369B69}\stubpath = "C:\\Windows\\{11653A26-C8D1-40b5-928E-D22EB9369B69}.exe"	{944AC7D6-94D6-4727-A0AA-9B6D867AC35F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FDBFE10C-41AF-49ab-908B-915BCA0C47C0}\stubpath = "C:\\Windows\\{FDBFE10C-41AF-49ab-908B-915BCA0C47C0}.exe"	{403C64D3-E89F-49ad-AC27-D111F4121EE2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C3D3444C-9402-4450-B890-459F132229CA}	{BB5F85C0-B68E-4412-BB3A-D8D21A308A8F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1EEC3E91-858A-43df-A001-683A40DC280A}	{11653A26-C8D1-40b5-928E-D22EB9369B69}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1EEC3E91-858A-43df-A001-683A40DC280A}\stubpath = "C:\\Windows\\{1EEC3E91-858A-43df-A001-683A40DC280A}.exe"	{11653A26-C8D1-40b5-928E-D22EB9369B69}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2A4577CF-F699-4b2a-BF19-5E1B8EBCE9F9}\stubpath = "C:\\Windows\\{2A4577CF-F699-4b2a-BF19-5E1B8EBCE9F9}.exe"	{9550158B-BFD5-4384-8435-6AE23D50EE37}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BE7756A0-FA15-4b6d-BA04-B87BCCE8FD9B}	{2A4577CF-F699-4b2a-BF19-5E1B8EBCE9F9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C3D3444C-9402-4450-B890-459F132229CA}\stubpath = "C:\\Windows\\{C3D3444C-9402-4450-B890-459F132229CA}.exe"	{BB5F85C0-B68E-4412-BB3A-D8D21A308A8F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{944AC7D6-94D6-4727-A0AA-9B6D867AC35F}	{85684E39-7B05-4000-9485-75FC2B7B912A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{11653A26-C8D1-40b5-928E-D22EB9369B69}	{944AC7D6-94D6-4727-A0AA-9B6D867AC35F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{85684E39-7B05-4000-9485-75FC2B7B912A}	{C3D3444C-9402-4450-B890-459F132229CA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{85684E39-7B05-4000-9485-75FC2B7B912A}\stubpath = "C:\\Windows\\{85684E39-7B05-4000-9485-75FC2B7B912A}.exe"	{C3D3444C-9402-4450-B890-459F132229CA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{944AC7D6-94D6-4727-A0AA-9B6D867AC35F}\stubpath = "C:\\Windows\\{944AC7D6-94D6-4727-A0AA-9B6D867AC35F}.exe"	{85684E39-7B05-4000-9485-75FC2B7B912A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{403C64D3-E89F-49ad-AC27-D111F4121EE2}	2024-04-10_c366008c5357fe8baf604bba052a0854_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{403C64D3-E89F-49ad-AC27-D111F4121EE2}\stubpath = "C:\\Windows\\{403C64D3-E89F-49ad-AC27-D111F4121EE2}.exe"	2024-04-10_c366008c5357fe8baf604bba052a0854_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BB5F85C0-B68E-4412-BB3A-D8D21A308A8F}	{FDBFE10C-41AF-49ab-908B-915BCA0C47C0}.exe

Deletes itself 1 IoCs

pid	Process
2344	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2436	{403C64D3-E89F-49ad-AC27-D111F4121EE2}.exe
2696	{FDBFE10C-41AF-49ab-908B-915BCA0C47C0}.exe
2060	{BB5F85C0-B68E-4412-BB3A-D8D21A308A8F}.exe
3044	{C3D3444C-9402-4450-B890-459F132229CA}.exe
2864	{85684E39-7B05-4000-9485-75FC2B7B912A}.exe
1852	{944AC7D6-94D6-4727-A0AA-9B6D867AC35F}.exe
2840	{11653A26-C8D1-40b5-928E-D22EB9369B69}.exe
1540	{1EEC3E91-858A-43df-A001-683A40DC280A}.exe
2264	{9550158B-BFD5-4384-8435-6AE23D50EE37}.exe
592	{2A4577CF-F699-4b2a-BF19-5E1B8EBCE9F9}.exe
576	{BE7756A0-FA15-4b6d-BA04-B87BCCE8FD9B}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{BE7756A0-FA15-4b6d-BA04-B87BCCE8FD9B}.exe	{2A4577CF-F699-4b2a-BF19-5E1B8EBCE9F9}.exe
File created	C:\Windows\{403C64D3-E89F-49ad-AC27-D111F4121EE2}.exe	2024-04-10_c366008c5357fe8baf604bba052a0854_goldeneye.exe
File created	C:\Windows\{85684E39-7B05-4000-9485-75FC2B7B912A}.exe	{C3D3444C-9402-4450-B890-459F132229CA}.exe
File created	C:\Windows\{944AC7D6-94D6-4727-A0AA-9B6D867AC35F}.exe	{85684E39-7B05-4000-9485-75FC2B7B912A}.exe
File created	C:\Windows\{11653A26-C8D1-40b5-928E-D22EB9369B69}.exe	{944AC7D6-94D6-4727-A0AA-9B6D867AC35F}.exe
File created	C:\Windows\{1EEC3E91-858A-43df-A001-683A40DC280A}.exe	{11653A26-C8D1-40b5-928E-D22EB9369B69}.exe
File created	C:\Windows\{FDBFE10C-41AF-49ab-908B-915BCA0C47C0}.exe	{403C64D3-E89F-49ad-AC27-D111F4121EE2}.exe
File created	C:\Windows\{BB5F85C0-B68E-4412-BB3A-D8D21A308A8F}.exe	{FDBFE10C-41AF-49ab-908B-915BCA0C47C0}.exe
File created	C:\Windows\{C3D3444C-9402-4450-B890-459F132229CA}.exe	{BB5F85C0-B68E-4412-BB3A-D8D21A308A8F}.exe
File created	C:\Windows\{9550158B-BFD5-4384-8435-6AE23D50EE37}.exe	{1EEC3E91-858A-43df-A001-683A40DC280A}.exe
File created	C:\Windows\{2A4577CF-F699-4b2a-BF19-5E1B8EBCE9F9}.exe	{9550158B-BFD5-4384-8435-6AE23D50EE37}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3028	2024-04-10_c366008c5357fe8baf604bba052a0854_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2436	{403C64D3-E89F-49ad-AC27-D111F4121EE2}.exe
Token: SeIncBasePriorityPrivilege	2696	{FDBFE10C-41AF-49ab-908B-915BCA0C47C0}.exe
Token: SeIncBasePriorityPrivilege	2060	{BB5F85C0-B68E-4412-BB3A-D8D21A308A8F}.exe
Token: SeIncBasePriorityPrivilege	3044	{C3D3444C-9402-4450-B890-459F132229CA}.exe
Token: SeIncBasePriorityPrivilege	2864	{85684E39-7B05-4000-9485-75FC2B7B912A}.exe
Token: SeIncBasePriorityPrivilege	1852	{944AC7D6-94D6-4727-A0AA-9B6D867AC35F}.exe
Token: SeIncBasePriorityPrivilege	2840	{11653A26-C8D1-40b5-928E-D22EB9369B69}.exe
Token: SeIncBasePriorityPrivilege	1540	{1EEC3E91-858A-43df-A001-683A40DC280A}.exe
Token: SeIncBasePriorityPrivilege	2264	{9550158B-BFD5-4384-8435-6AE23D50EE37}.exe
Token: SeIncBasePriorityPrivilege	592	{2A4577CF-F699-4b2a-BF19-5E1B8EBCE9F9}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3028 wrote to memory of 2436	3028	2024-04-10_c366008c5357fe8baf604bba052a0854_goldeneye.exe	28
PID 3028 wrote to memory of 2436	3028	2024-04-10_c366008c5357fe8baf604bba052a0854_goldeneye.exe	28
PID 3028 wrote to memory of 2436	3028	2024-04-10_c366008c5357fe8baf604bba052a0854_goldeneye.exe	28
PID 3028 wrote to memory of 2436	3028	2024-04-10_c366008c5357fe8baf604bba052a0854_goldeneye.exe	28
PID 3028 wrote to memory of 2344	3028	2024-04-10_c366008c5357fe8baf604bba052a0854_goldeneye.exe	29
PID 3028 wrote to memory of 2344	3028	2024-04-10_c366008c5357fe8baf604bba052a0854_goldeneye.exe	29
PID 3028 wrote to memory of 2344	3028	2024-04-10_c366008c5357fe8baf604bba052a0854_goldeneye.exe	29
PID 3028 wrote to memory of 2344	3028	2024-04-10_c366008c5357fe8baf604bba052a0854_goldeneye.exe	29
PID 2436 wrote to memory of 2696	2436	{403C64D3-E89F-49ad-AC27-D111F4121EE2}.exe	30
PID 2436 wrote to memory of 2696	2436	{403C64D3-E89F-49ad-AC27-D111F4121EE2}.exe	30
PID 2436 wrote to memory of 2696	2436	{403C64D3-E89F-49ad-AC27-D111F4121EE2}.exe	30
PID 2436 wrote to memory of 2696	2436	{403C64D3-E89F-49ad-AC27-D111F4121EE2}.exe	30
PID 2436 wrote to memory of 2624	2436	{403C64D3-E89F-49ad-AC27-D111F4121EE2}.exe	31
PID 2436 wrote to memory of 2624	2436	{403C64D3-E89F-49ad-AC27-D111F4121EE2}.exe	31
PID 2436 wrote to memory of 2624	2436	{403C64D3-E89F-49ad-AC27-D111F4121EE2}.exe	31
PID 2436 wrote to memory of 2624	2436	{403C64D3-E89F-49ad-AC27-D111F4121EE2}.exe	31
PID 2696 wrote to memory of 2060	2696	{FDBFE10C-41AF-49ab-908B-915BCA0C47C0}.exe	32
PID 2696 wrote to memory of 2060	2696	{FDBFE10C-41AF-49ab-908B-915BCA0C47C0}.exe	32
PID 2696 wrote to memory of 2060	2696	{FDBFE10C-41AF-49ab-908B-915BCA0C47C0}.exe	32
PID 2696 wrote to memory of 2060	2696	{FDBFE10C-41AF-49ab-908B-915BCA0C47C0}.exe	32
PID 2696 wrote to memory of 2492	2696	{FDBFE10C-41AF-49ab-908B-915BCA0C47C0}.exe	33
PID 2696 wrote to memory of 2492	2696	{FDBFE10C-41AF-49ab-908B-915BCA0C47C0}.exe	33
PID 2696 wrote to memory of 2492	2696	{FDBFE10C-41AF-49ab-908B-915BCA0C47C0}.exe	33
PID 2696 wrote to memory of 2492	2696	{FDBFE10C-41AF-49ab-908B-915BCA0C47C0}.exe	33
PID 2060 wrote to memory of 3044	2060	{BB5F85C0-B68E-4412-BB3A-D8D21A308A8F}.exe	36
PID 2060 wrote to memory of 3044	2060	{BB5F85C0-B68E-4412-BB3A-D8D21A308A8F}.exe	36
PID 2060 wrote to memory of 3044	2060	{BB5F85C0-B68E-4412-BB3A-D8D21A308A8F}.exe	36
PID 2060 wrote to memory of 3044	2060	{BB5F85C0-B68E-4412-BB3A-D8D21A308A8F}.exe	36
PID 2060 wrote to memory of 2132	2060	{BB5F85C0-B68E-4412-BB3A-D8D21A308A8F}.exe	37
PID 2060 wrote to memory of 2132	2060	{BB5F85C0-B68E-4412-BB3A-D8D21A308A8F}.exe	37
PID 2060 wrote to memory of 2132	2060	{BB5F85C0-B68E-4412-BB3A-D8D21A308A8F}.exe	37
PID 2060 wrote to memory of 2132	2060	{BB5F85C0-B68E-4412-BB3A-D8D21A308A8F}.exe	37
PID 3044 wrote to memory of 2864	3044	{C3D3444C-9402-4450-B890-459F132229CA}.exe	38
PID 3044 wrote to memory of 2864	3044	{C3D3444C-9402-4450-B890-459F132229CA}.exe	38
PID 3044 wrote to memory of 2864	3044	{C3D3444C-9402-4450-B890-459F132229CA}.exe	38
PID 3044 wrote to memory of 2864	3044	{C3D3444C-9402-4450-B890-459F132229CA}.exe	38
PID 3044 wrote to memory of 2960	3044	{C3D3444C-9402-4450-B890-459F132229CA}.exe	39
PID 3044 wrote to memory of 2960	3044	{C3D3444C-9402-4450-B890-459F132229CA}.exe	39
PID 3044 wrote to memory of 2960	3044	{C3D3444C-9402-4450-B890-459F132229CA}.exe	39
PID 3044 wrote to memory of 2960	3044	{C3D3444C-9402-4450-B890-459F132229CA}.exe	39
PID 2864 wrote to memory of 1852	2864	{85684E39-7B05-4000-9485-75FC2B7B912A}.exe	40
PID 2864 wrote to memory of 1852	2864	{85684E39-7B05-4000-9485-75FC2B7B912A}.exe	40
PID 2864 wrote to memory of 1852	2864	{85684E39-7B05-4000-9485-75FC2B7B912A}.exe	40
PID 2864 wrote to memory of 1852	2864	{85684E39-7B05-4000-9485-75FC2B7B912A}.exe	40
PID 2864 wrote to memory of 2376	2864	{85684E39-7B05-4000-9485-75FC2B7B912A}.exe	41
PID 2864 wrote to memory of 2376	2864	{85684E39-7B05-4000-9485-75FC2B7B912A}.exe	41
PID 2864 wrote to memory of 2376	2864	{85684E39-7B05-4000-9485-75FC2B7B912A}.exe	41
PID 2864 wrote to memory of 2376	2864	{85684E39-7B05-4000-9485-75FC2B7B912A}.exe	41
PID 1852 wrote to memory of 2840	1852	{944AC7D6-94D6-4727-A0AA-9B6D867AC35F}.exe	42
PID 1852 wrote to memory of 2840	1852	{944AC7D6-94D6-4727-A0AA-9B6D867AC35F}.exe	42
PID 1852 wrote to memory of 2840	1852	{944AC7D6-94D6-4727-A0AA-9B6D867AC35F}.exe	42
PID 1852 wrote to memory of 2840	1852	{944AC7D6-94D6-4727-A0AA-9B6D867AC35F}.exe	42
PID 1852 wrote to memory of 2856	1852	{944AC7D6-94D6-4727-A0AA-9B6D867AC35F}.exe	43
PID 1852 wrote to memory of 2856	1852	{944AC7D6-94D6-4727-A0AA-9B6D867AC35F}.exe	43
PID 1852 wrote to memory of 2856	1852	{944AC7D6-94D6-4727-A0AA-9B6D867AC35F}.exe	43
PID 1852 wrote to memory of 2856	1852	{944AC7D6-94D6-4727-A0AA-9B6D867AC35F}.exe	43
PID 2840 wrote to memory of 1540	2840	{11653A26-C8D1-40b5-928E-D22EB9369B69}.exe	44
PID 2840 wrote to memory of 1540	2840	{11653A26-C8D1-40b5-928E-D22EB9369B69}.exe	44
PID 2840 wrote to memory of 1540	2840	{11653A26-C8D1-40b5-928E-D22EB9369B69}.exe	44
PID 2840 wrote to memory of 1540	2840	{11653A26-C8D1-40b5-928E-D22EB9369B69}.exe	44
PID 2840 wrote to memory of 1140	2840	{11653A26-C8D1-40b5-928E-D22EB9369B69}.exe	45
PID 2840 wrote to memory of 1140	2840	{11653A26-C8D1-40b5-928E-D22EB9369B69}.exe	45
PID 2840 wrote to memory of 1140	2840	{11653A26-C8D1-40b5-928E-D22EB9369B69}.exe	45
PID 2840 wrote to memory of 1140	2840	{11653A26-C8D1-40b5-928E-D22EB9369B69}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-04-10_c366008c5357fe8baf604bba052a0854_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-10_c366008c5357fe8baf604bba052a0854_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3028
- C:\Windows\{403C64D3-E89F-49ad-AC27-D111F4121EE2}.exe
  C:\Windows\{403C64D3-E89F-49ad-AC27-D111F4121EE2}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2436
- - C:\Windows\{FDBFE10C-41AF-49ab-908B-915BCA0C47C0}.exe
    C:\Windows\{FDBFE10C-41AF-49ab-908B-915BCA0C47C0}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2696
  - - C:\Windows\{BB5F85C0-B68E-4412-BB3A-D8D21A308A8F}.exe
      C:\Windows\{BB5F85C0-B68E-4412-BB3A-D8D21A308A8F}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2060
    - - C:\Windows\{C3D3444C-9402-4450-B890-459F132229CA}.exe
        
        C:\Windows\{C3D3444C-9402-4450-B890-459F132229CA}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3044
      - C:\Windows\{85684E39-7B05-4000-9485-75FC2B7B912A}.exe
        
        C:\Windows\{85684E39-7B05-4000-9485-75FC2B7B912A}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2864
        
        C:\Windows\{944AC7D6-94D6-4727-A0AA-9B6D867AC35F}.exe
        
        C:\Windows\{944AC7D6-94D6-4727-A0AA-9B6D867AC35F}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1852
        
        C:\Windows\{11653A26-C8D1-40b5-928E-D22EB9369B69}.exe
        
        C:\Windows\{11653A26-C8D1-40b5-928E-D22EB9369B69}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2840
        
        C:\Windows\{1EEC3E91-858A-43df-A001-683A40DC280A}.exe
        
        C:\Windows\{1EEC3E91-858A-43df-A001-683A40DC280A}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1540
        
        C:\Windows\{9550158B-BFD5-4384-8435-6AE23D50EE37}.exe
        
        C:\Windows\{9550158B-BFD5-4384-8435-6AE23D50EE37}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2264
        
        C:\Windows\{2A4577CF-F699-4b2a-BF19-5E1B8EBCE9F9}.exe
        
        C:\Windows\{2A4577CF-F699-4b2a-BF19-5E1B8EBCE9F9}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:592
        
        C:\Windows\{BE7756A0-FA15-4b6d-BA04-B87BCCE8FD9B}.exe
        
        C:\Windows\{BE7756A0-FA15-4b6d-BA04-B87BCCE8FD9B}.exe
        12⤵
        Executes dropped EXE
        
        PID:576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2A457~1.EXE > nul
        12⤵
        
        PID:712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{95501~1.EXE > nul
        11⤵
        
        PID:784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1EEC3~1.EXE > nul
        10⤵
        
        PID:1200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{11653~1.EXE > nul
        9⤵
        
        PID:1140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{944AC~1.EXE > nul
        8⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{85684~1.EXE > nul
        7⤵
        
        PID:2376
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C3D34~1.EXE > nul
        6⤵
        
        PID:2960
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BB5F8~1.EXE > nul
        5⤵
        
        PID:2132
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{FDBFE~1.EXE > nul
      4⤵
      PID:2492
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{403C6~1.EXE > nul
    3⤵
    PID:2624
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{11653A26-C8D1-40b5-928E-D22EB9369B69}.exe

Filesize
180KB

MD5
eccb7a9469c88296895d6977715a45ed

SHA1
cba9efb57801eb97226546e3cd1eb5113ef99c08

SHA256
ae55549dc133f16d676d4320b5f12542af622b0bfa17c86bf3384fe8d4cca246

SHA512
1f6cead1ee3e68ad1c519e9afc770a33556e8e4bb8bc88c61c57dd39ad219a63f7a324648153ab49369a8c586530ad3810bb773fe00aa2d089a1f4598b5b8aa6

Download Submit
C:\Windows\{1EEC3E91-858A-43df-A001-683A40DC280A}.exe

Filesize
180KB

MD5
2636dcaafdd718c247f171df057a42c7

SHA1
7da1ce9c48d20d751b50a7aba242ce658b01c26b

SHA256
20ee4ab443b94ef371798d203b4d1de23349b4f1b6c48aae7734bd8ee3d94eb2

SHA512
c64cc3b76a543fbf6365c61f2464e0efc4c0970fce78cbba72305aef1e74fe36ffe4bd17187ee4a4ea932401c98ae91ff9239d5a9cfcaef03c7a73d3a4acc5af

Download Submit
C:\Windows\{2A4577CF-F699-4b2a-BF19-5E1B8EBCE9F9}.exe

Filesize
180KB

MD5
ef5f026089073f6e0d7f42e48f632f60

SHA1
93506756e4e03a551f4abd41a803a8227ea9c102

SHA256
d3a9ef35e9ec7f5fe6213b9d815cd5cdd4f1718d54e9bb40ea192557c01ca166

SHA512
8a30c38b13a05b0e9490197e919938f331fa4a5152b48755076c0f72678df8a18a35a90e4067899316924b710a014d218a23c81ea3360a3d93ee3a57f666a3c9

Download Submit
C:\Windows\{403C64D3-E89F-49ad-AC27-D111F4121EE2}.exe

Filesize
180KB

MD5
4245e0e8b09d13f199ad1639d134aa1f

SHA1
9332beb90d37b7ff6dfeb1e439a199fdeea8ab67

SHA256
33bb50e7c58933e25fbd01a661559f4bbf74a108227ee116716cbb635f5fe344

SHA512
d9b04126a30a08a32c547a815c92417bfbe8ad536df0ebf13948696e5341de8d2a3c6b78c201808a7a8ed7edadb7e777d203f6e557bd0022a8cf2d53383e1e00

Download Submit
C:\Windows\{85684E39-7B05-4000-9485-75FC2B7B912A}.exe

Filesize
180KB

MD5
cc810d9ebcc6d2144ee9325dfc60e8da

SHA1
ec90f4457e4325cba2be90d897a5321bfca5f965

SHA256
faa23c2aab2dedf83746c7859b61b5f3360c3d4cc921f62b3bb95a6207a9d0f6

SHA512
79ef30496f1022b42f2b86da817caac21e1d15f5c224749ca284519087b291de372fdfb27d6fd891aa59697c621c060c0aa8878a106e2bf5cc71ce88cb58c1fd

Download Submit
C:\Windows\{944AC7D6-94D6-4727-A0AA-9B6D867AC35F}.exe

Filesize
180KB

MD5
cb9eb3d21ea51bbbfd7f99aba057aee3

SHA1
90404ef29d89370d9e2afea6834bb525e45ddead

SHA256
b5cc117d2213a948493c694932d4d1cda77c6b4a68ca285612392c4d6c4ab998

SHA512
74a356efe9218097fea81c604e588d76927901b181d35def7b4f8343fc98450062b4018b17910f1a9cee4989442aa48a921ef9f735c89a5487ccf83ca0a7e4e2

Download Submit
C:\Windows\{9550158B-BFD5-4384-8435-6AE23D50EE37}.exe

Filesize
180KB

MD5
56a81614f799813b8a45fb2573fd3a48

SHA1
0d4b01c04b4ef2b8b7b61bab01451b4aff7ff13a

SHA256
0df49e623255c702cb896c1c8bdebeddf8d53bd5854d9d9f3e45a07261c3e513

SHA512
524cff1dd2b2c17593dee7ae9d6bd4fe788c2f007d5ed53f603f5b574b2522e2436d82b8a6a98ce86545a7de9eddbfa0960325d47354fb0c9062d43b373b960e

Download Submit
C:\Windows\{BB5F85C0-B68E-4412-BB3A-D8D21A308A8F}.exe

Filesize
180KB

MD5
29b9941a9dfe80c92fef6467c9f93eb5

SHA1
ef42d18b477955745491d61eb856be7426d9b023

SHA256
789751edabf7a6a3888c2278dd6fafc083d842589e046169af390f814f2c3696

SHA512
0d8d5ca1b82486e059055a449ecdb8c6ef723f9d2ebf8895851980db4c31de103df38c1c308353a5b701f6cdfe1a3e623f63104a24718c595581ed6b60c3d6fb

Download Submit
C:\Windows\{BE7756A0-FA15-4b6d-BA04-B87BCCE8FD9B}.exe

Filesize
180KB

MD5
65bfc5fd76d019b799d3644d97b2f7fa

SHA1
ef5faf5db2b0698f73292731a9823a12754ca4e6

SHA256
fa016716f0a52863c55af8d19ae8a4dd11634a7da26108cc64f3f7eae49c23e2

SHA512
f10f79b35a4839969ddf2968dac09e4d7c92baef8e7ba66830ae23d6d5539ec77cc6490433fcd4e9002211d69c2dc27c5052454c92b692f4ed8d2badf28eaa3b

Download Submit
C:\Windows\{C3D3444C-9402-4450-B890-459F132229CA}.exe

Filesize
180KB

MD5
1d163c7f0a9f5ae480c270a47408deb9

SHA1
24501b3c04ef164fdb6ec59a3abbb3ffc4d05c77

SHA256
a927a355c0e31bb95bc3b65ae3c1ca743a1c361dcc0b239f959445f70858dc25

SHA512
de88719d517f6502a6fbf1e7124c64f299931f01a5e9166c70278e089d6375cb06d491a737bb1644ddc54599949d3115637e2f2c9ce9c91c1dce2e59b1e27ce7

Download Submit
C:\Windows\{FDBFE10C-41AF-49ab-908B-915BCA0C47C0}.exe

Filesize
180KB

MD5
3263e69d04306b803cdadc7a6b86fc5b

SHA1
236c7a0ec93cd69b3d2dc40effce99e7aa8b84d2

SHA256
dd243ca341c11d3220a2ce0549d8e6f5127eab91a0fa1f83c8d4c14f1219d41a

SHA512
aa6828576fe8f069b3d91041e3bb033d8f3c47b8b5b39e71cc1ad126db674e66616f3b8d517f6244354ae53725e714e5ff28e95af400258d4ba7dc1a124361ff

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads