3d0723b933ffb88de6b22abf168873b36d2e9d266d98aeb0e39184ed2e284553

Analysis

max time kernel
144s
max time network
123s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
15/04/2024, 14:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-15_6dd96150c05b8e203ccdc1ce196840aa_goldeneye.exe
Size

216KB
MD5

6dd96150c05b8e203ccdc1ce196840aa
SHA1

adc3efa726e09d2bcbe1581f08ef6380632eb110
SHA256

3d0723b933ffb88de6b22abf168873b36d2e9d266d98aeb0e39184ed2e284553
SHA512

a6a864f37460bfdbd566683a923d9af260963237be80fd2d8417a125a00a0b090e7df4cd7b91ee241b00381a7fed5442c5f3949ca38c5ad25ef05afb7cc392dd
SSDEEP

3072:jEGh0oJl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEGPlEeKcAEcGy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000a000000014825-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b000000014abe-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b000000014825-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000015018-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000005a59-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000014825-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000005a59-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000014825-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000005a59-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e000000014825-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000005a59-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9A0016E7-E15E-4f64-A14B-5356353B4CC7}\stubpath = "C:\\Windows\\{9A0016E7-E15E-4f64-A14B-5356353B4CC7}.exe"	{718315D3-394E-429a-A011-09DA7BC0EBDA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E5A79628-2079-4007-8041-1C728813C676}	{1BED7C9A-FB27-40ee-B43D-380873497846}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{513D04D1-80C6-4ac7-8676-711E7CA07723}\stubpath = "C:\\Windows\\{513D04D1-80C6-4ac7-8676-711E7CA07723}.exe"	{E66683C7-0906-4d0b-9EE6-6F7E5166FFB4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B48D0B54-A73F-4388-83C7-3A76919B238F}\stubpath = "C:\\Windows\\{B48D0B54-A73F-4388-83C7-3A76919B238F}.exe"	{513D04D1-80C6-4ac7-8676-711E7CA07723}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D25E3F6E-ED14-4750-9E37-E1FCFED9E4DD}\stubpath = "C:\\Windows\\{D25E3F6E-ED14-4750-9E37-E1FCFED9E4DD}.exe"	{B48D0B54-A73F-4388-83C7-3A76919B238F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EFE889E2-2F83-42c7-A6D4-E8048727DFA8}	{D25E3F6E-ED14-4750-9E37-E1FCFED9E4DD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EFE889E2-2F83-42c7-A6D4-E8048727DFA8}\stubpath = "C:\\Windows\\{EFE889E2-2F83-42c7-A6D4-E8048727DFA8}.exe"	{D25E3F6E-ED14-4750-9E37-E1FCFED9E4DD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{718315D3-394E-429a-A011-09DA7BC0EBDA}\stubpath = "C:\\Windows\\{718315D3-394E-429a-A011-09DA7BC0EBDA}.exe"	{EFE889E2-2F83-42c7-A6D4-E8048727DFA8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{812947D6-41F7-44be-9D6E-5C30ECF9EE2D}\stubpath = "C:\\Windows\\{812947D6-41F7-44be-9D6E-5C30ECF9EE2D}.exe"	{76DDC35E-E91F-4c77-A8C8-C9F53CB23EB6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1BED7C9A-FB27-40ee-B43D-380873497846}	2024-04-15_6dd96150c05b8e203ccdc1ce196840aa_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E5A79628-2079-4007-8041-1C728813C676}\stubpath = "C:\\Windows\\{E5A79628-2079-4007-8041-1C728813C676}.exe"	{1BED7C9A-FB27-40ee-B43D-380873497846}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B48D0B54-A73F-4388-83C7-3A76919B238F}	{513D04D1-80C6-4ac7-8676-711E7CA07723}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D25E3F6E-ED14-4750-9E37-E1FCFED9E4DD}	{B48D0B54-A73F-4388-83C7-3A76919B238F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{76DDC35E-E91F-4c77-A8C8-C9F53CB23EB6}	{9A0016E7-E15E-4f64-A14B-5356353B4CC7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1BED7C9A-FB27-40ee-B43D-380873497846}\stubpath = "C:\\Windows\\{1BED7C9A-FB27-40ee-B43D-380873497846}.exe"	2024-04-15_6dd96150c05b8e203ccdc1ce196840aa_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E66683C7-0906-4d0b-9EE6-6F7E5166FFB4}	{E5A79628-2079-4007-8041-1C728813C676}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{718315D3-394E-429a-A011-09DA7BC0EBDA}	{EFE889E2-2F83-42c7-A6D4-E8048727DFA8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{812947D6-41F7-44be-9D6E-5C30ECF9EE2D}	{76DDC35E-E91F-4c77-A8C8-C9F53CB23EB6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E66683C7-0906-4d0b-9EE6-6F7E5166FFB4}\stubpath = "C:\\Windows\\{E66683C7-0906-4d0b-9EE6-6F7E5166FFB4}.exe"	{E5A79628-2079-4007-8041-1C728813C676}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{513D04D1-80C6-4ac7-8676-711E7CA07723}	{E66683C7-0906-4d0b-9EE6-6F7E5166FFB4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9A0016E7-E15E-4f64-A14B-5356353B4CC7}	{718315D3-394E-429a-A011-09DA7BC0EBDA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{76DDC35E-E91F-4c77-A8C8-C9F53CB23EB6}\stubpath = "C:\\Windows\\{76DDC35E-E91F-4c77-A8C8-C9F53CB23EB6}.exe"	{9A0016E7-E15E-4f64-A14B-5356353B4CC7}.exe

Deletes itself 1 IoCs

pid	Process
2312	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
860	{1BED7C9A-FB27-40ee-B43D-380873497846}.exe
2576	{E5A79628-2079-4007-8041-1C728813C676}.exe
2664	{E66683C7-0906-4d0b-9EE6-6F7E5166FFB4}.exe
2504	{513D04D1-80C6-4ac7-8676-711E7CA07723}.exe
948	{B48D0B54-A73F-4388-83C7-3A76919B238F}.exe
1732	{D25E3F6E-ED14-4750-9E37-E1FCFED9E4DD}.exe
1192	{EFE889E2-2F83-42c7-A6D4-E8048727DFA8}.exe
2172	{718315D3-394E-429a-A011-09DA7BC0EBDA}.exe
2472	{9A0016E7-E15E-4f64-A14B-5356353B4CC7}.exe
2260	{76DDC35E-E91F-4c77-A8C8-C9F53CB23EB6}.exe
1636	{812947D6-41F7-44be-9D6E-5C30ECF9EE2D}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{1BED7C9A-FB27-40ee-B43D-380873497846}.exe	2024-04-15_6dd96150c05b8e203ccdc1ce196840aa_goldeneye.exe
File created	C:\Windows\{B48D0B54-A73F-4388-83C7-3A76919B238F}.exe	{513D04D1-80C6-4ac7-8676-711E7CA07723}.exe
File created	C:\Windows\{D25E3F6E-ED14-4750-9E37-E1FCFED9E4DD}.exe	{B48D0B54-A73F-4388-83C7-3A76919B238F}.exe
File created	C:\Windows\{EFE889E2-2F83-42c7-A6D4-E8048727DFA8}.exe	{D25E3F6E-ED14-4750-9E37-E1FCFED9E4DD}.exe
File created	C:\Windows\{718315D3-394E-429a-A011-09DA7BC0EBDA}.exe	{EFE889E2-2F83-42c7-A6D4-E8048727DFA8}.exe
File created	C:\Windows\{9A0016E7-E15E-4f64-A14B-5356353B4CC7}.exe	{718315D3-394E-429a-A011-09DA7BC0EBDA}.exe
File created	C:\Windows\{76DDC35E-E91F-4c77-A8C8-C9F53CB23EB6}.exe	{9A0016E7-E15E-4f64-A14B-5356353B4CC7}.exe
File created	C:\Windows\{812947D6-41F7-44be-9D6E-5C30ECF9EE2D}.exe	{76DDC35E-E91F-4c77-A8C8-C9F53CB23EB6}.exe
File created	C:\Windows\{E5A79628-2079-4007-8041-1C728813C676}.exe	{1BED7C9A-FB27-40ee-B43D-380873497846}.exe
File created	C:\Windows\{E66683C7-0906-4d0b-9EE6-6F7E5166FFB4}.exe	{E5A79628-2079-4007-8041-1C728813C676}.exe
File created	C:\Windows\{513D04D1-80C6-4ac7-8676-711E7CA07723}.exe	{E66683C7-0906-4d0b-9EE6-6F7E5166FFB4}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2140	2024-04-15_6dd96150c05b8e203ccdc1ce196840aa_goldeneye.exe
Token: SeIncBasePriorityPrivilege	860	{1BED7C9A-FB27-40ee-B43D-380873497846}.exe
Token: SeIncBasePriorityPrivilege	2576	{E5A79628-2079-4007-8041-1C728813C676}.exe
Token: SeIncBasePriorityPrivilege	2664	{E66683C7-0906-4d0b-9EE6-6F7E5166FFB4}.exe
Token: SeIncBasePriorityPrivilege	2504	{513D04D1-80C6-4ac7-8676-711E7CA07723}.exe
Token: SeIncBasePriorityPrivilege	948	{B48D0B54-A73F-4388-83C7-3A76919B238F}.exe
Token: SeIncBasePriorityPrivilege	1732	{D25E3F6E-ED14-4750-9E37-E1FCFED9E4DD}.exe
Token: SeIncBasePriorityPrivilege	1192	{EFE889E2-2F83-42c7-A6D4-E8048727DFA8}.exe
Token: SeIncBasePriorityPrivilege	2172	{718315D3-394E-429a-A011-09DA7BC0EBDA}.exe
Token: SeIncBasePriorityPrivilege	2472	{9A0016E7-E15E-4f64-A14B-5356353B4CC7}.exe
Token: SeIncBasePriorityPrivilege	2260	{76DDC35E-E91F-4c77-A8C8-C9F53CB23EB6}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2140 wrote to memory of 860	2140	2024-04-15_6dd96150c05b8e203ccdc1ce196840aa_goldeneye.exe	28
PID 2140 wrote to memory of 860	2140	2024-04-15_6dd96150c05b8e203ccdc1ce196840aa_goldeneye.exe	28
PID 2140 wrote to memory of 860	2140	2024-04-15_6dd96150c05b8e203ccdc1ce196840aa_goldeneye.exe	28
PID 2140 wrote to memory of 860	2140	2024-04-15_6dd96150c05b8e203ccdc1ce196840aa_goldeneye.exe	28
PID 2140 wrote to memory of 2312	2140	2024-04-15_6dd96150c05b8e203ccdc1ce196840aa_goldeneye.exe	29
PID 2140 wrote to memory of 2312	2140	2024-04-15_6dd96150c05b8e203ccdc1ce196840aa_goldeneye.exe	29
PID 2140 wrote to memory of 2312	2140	2024-04-15_6dd96150c05b8e203ccdc1ce196840aa_goldeneye.exe	29
PID 2140 wrote to memory of 2312	2140	2024-04-15_6dd96150c05b8e203ccdc1ce196840aa_goldeneye.exe	29
PID 860 wrote to memory of 2576	860	{1BED7C9A-FB27-40ee-B43D-380873497846}.exe	30
PID 860 wrote to memory of 2576	860	{1BED7C9A-FB27-40ee-B43D-380873497846}.exe	30
PID 860 wrote to memory of 2576	860	{1BED7C9A-FB27-40ee-B43D-380873497846}.exe	30
PID 860 wrote to memory of 2576	860	{1BED7C9A-FB27-40ee-B43D-380873497846}.exe	30
PID 860 wrote to memory of 2640	860	{1BED7C9A-FB27-40ee-B43D-380873497846}.exe	31
PID 860 wrote to memory of 2640	860	{1BED7C9A-FB27-40ee-B43D-380873497846}.exe	31
PID 860 wrote to memory of 2640	860	{1BED7C9A-FB27-40ee-B43D-380873497846}.exe	31
PID 860 wrote to memory of 2640	860	{1BED7C9A-FB27-40ee-B43D-380873497846}.exe	31
PID 2576 wrote to memory of 2664	2576	{E5A79628-2079-4007-8041-1C728813C676}.exe	32
PID 2576 wrote to memory of 2664	2576	{E5A79628-2079-4007-8041-1C728813C676}.exe	32
PID 2576 wrote to memory of 2664	2576	{E5A79628-2079-4007-8041-1C728813C676}.exe	32
PID 2576 wrote to memory of 2664	2576	{E5A79628-2079-4007-8041-1C728813C676}.exe	32
PID 2576 wrote to memory of 2152	2576	{E5A79628-2079-4007-8041-1C728813C676}.exe	33
PID 2576 wrote to memory of 2152	2576	{E5A79628-2079-4007-8041-1C728813C676}.exe	33
PID 2576 wrote to memory of 2152	2576	{E5A79628-2079-4007-8041-1C728813C676}.exe	33
PID 2576 wrote to memory of 2152	2576	{E5A79628-2079-4007-8041-1C728813C676}.exe	33
PID 2664 wrote to memory of 2504	2664	{E66683C7-0906-4d0b-9EE6-6F7E5166FFB4}.exe	36
PID 2664 wrote to memory of 2504	2664	{E66683C7-0906-4d0b-9EE6-6F7E5166FFB4}.exe	36
PID 2664 wrote to memory of 2504	2664	{E66683C7-0906-4d0b-9EE6-6F7E5166FFB4}.exe	36
PID 2664 wrote to memory of 2504	2664	{E66683C7-0906-4d0b-9EE6-6F7E5166FFB4}.exe	36
PID 2664 wrote to memory of 2696	2664	{E66683C7-0906-4d0b-9EE6-6F7E5166FFB4}.exe	37
PID 2664 wrote to memory of 2696	2664	{E66683C7-0906-4d0b-9EE6-6F7E5166FFB4}.exe	37
PID 2664 wrote to memory of 2696	2664	{E66683C7-0906-4d0b-9EE6-6F7E5166FFB4}.exe	37
PID 2664 wrote to memory of 2696	2664	{E66683C7-0906-4d0b-9EE6-6F7E5166FFB4}.exe	37
PID 2504 wrote to memory of 948	2504	{513D04D1-80C6-4ac7-8676-711E7CA07723}.exe	38
PID 2504 wrote to memory of 948	2504	{513D04D1-80C6-4ac7-8676-711E7CA07723}.exe	38
PID 2504 wrote to memory of 948	2504	{513D04D1-80C6-4ac7-8676-711E7CA07723}.exe	38
PID 2504 wrote to memory of 948	2504	{513D04D1-80C6-4ac7-8676-711E7CA07723}.exe	38
PID 2504 wrote to memory of 1596	2504	{513D04D1-80C6-4ac7-8676-711E7CA07723}.exe	39
PID 2504 wrote to memory of 1596	2504	{513D04D1-80C6-4ac7-8676-711E7CA07723}.exe	39
PID 2504 wrote to memory of 1596	2504	{513D04D1-80C6-4ac7-8676-711E7CA07723}.exe	39
PID 2504 wrote to memory of 1596	2504	{513D04D1-80C6-4ac7-8676-711E7CA07723}.exe	39
PID 948 wrote to memory of 1732	948	{B48D0B54-A73F-4388-83C7-3A76919B238F}.exe	40
PID 948 wrote to memory of 1732	948	{B48D0B54-A73F-4388-83C7-3A76919B238F}.exe	40
PID 948 wrote to memory of 1732	948	{B48D0B54-A73F-4388-83C7-3A76919B238F}.exe	40
PID 948 wrote to memory of 1732	948	{B48D0B54-A73F-4388-83C7-3A76919B238F}.exe	40
PID 948 wrote to memory of 1672	948	{B48D0B54-A73F-4388-83C7-3A76919B238F}.exe	41
PID 948 wrote to memory of 1672	948	{B48D0B54-A73F-4388-83C7-3A76919B238F}.exe	41
PID 948 wrote to memory of 1672	948	{B48D0B54-A73F-4388-83C7-3A76919B238F}.exe	41
PID 948 wrote to memory of 1672	948	{B48D0B54-A73F-4388-83C7-3A76919B238F}.exe	41
PID 1732 wrote to memory of 1192	1732	{D25E3F6E-ED14-4750-9E37-E1FCFED9E4DD}.exe	42
PID 1732 wrote to memory of 1192	1732	{D25E3F6E-ED14-4750-9E37-E1FCFED9E4DD}.exe	42
PID 1732 wrote to memory of 1192	1732	{D25E3F6E-ED14-4750-9E37-E1FCFED9E4DD}.exe	42
PID 1732 wrote to memory of 1192	1732	{D25E3F6E-ED14-4750-9E37-E1FCFED9E4DD}.exe	42
PID 1732 wrote to memory of 1628	1732	{D25E3F6E-ED14-4750-9E37-E1FCFED9E4DD}.exe	43
PID 1732 wrote to memory of 1628	1732	{D25E3F6E-ED14-4750-9E37-E1FCFED9E4DD}.exe	43
PID 1732 wrote to memory of 1628	1732	{D25E3F6E-ED14-4750-9E37-E1FCFED9E4DD}.exe	43
PID 1732 wrote to memory of 1628	1732	{D25E3F6E-ED14-4750-9E37-E1FCFED9E4DD}.exe	43
PID 1192 wrote to memory of 2172	1192	{EFE889E2-2F83-42c7-A6D4-E8048727DFA8}.exe	44
PID 1192 wrote to memory of 2172	1192	{EFE889E2-2F83-42c7-A6D4-E8048727DFA8}.exe	44
PID 1192 wrote to memory of 2172	1192	{EFE889E2-2F83-42c7-A6D4-E8048727DFA8}.exe	44
PID 1192 wrote to memory of 2172	1192	{EFE889E2-2F83-42c7-A6D4-E8048727DFA8}.exe	44
PID 1192 wrote to memory of 1504	1192	{EFE889E2-2F83-42c7-A6D4-E8048727DFA8}.exe	45
PID 1192 wrote to memory of 1504	1192	{EFE889E2-2F83-42c7-A6D4-E8048727DFA8}.exe	45
PID 1192 wrote to memory of 1504	1192	{EFE889E2-2F83-42c7-A6D4-E8048727DFA8}.exe	45
PID 1192 wrote to memory of 1504	1192	{EFE889E2-2F83-42c7-A6D4-E8048727DFA8}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-04-15_6dd96150c05b8e203ccdc1ce196840aa_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-15_6dd96150c05b8e203ccdc1ce196840aa_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2140
- C:\Windows\{1BED7C9A-FB27-40ee-B43D-380873497846}.exe
  C:\Windows\{1BED7C9A-FB27-40ee-B43D-380873497846}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:860
- - C:\Windows\{E5A79628-2079-4007-8041-1C728813C676}.exe
    C:\Windows\{E5A79628-2079-4007-8041-1C728813C676}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2576
  - - C:\Windows\{E66683C7-0906-4d0b-9EE6-6F7E5166FFB4}.exe
      C:\Windows\{E66683C7-0906-4d0b-9EE6-6F7E5166FFB4}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2664
    - - C:\Windows\{513D04D1-80C6-4ac7-8676-711E7CA07723}.exe
        
        C:\Windows\{513D04D1-80C6-4ac7-8676-711E7CA07723}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2504
      - C:\Windows\{B48D0B54-A73F-4388-83C7-3A76919B238F}.exe
        
        C:\Windows\{B48D0B54-A73F-4388-83C7-3A76919B238F}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:948
        
        C:\Windows\{D25E3F6E-ED14-4750-9E37-E1FCFED9E4DD}.exe
        
        C:\Windows\{D25E3F6E-ED14-4750-9E37-E1FCFED9E4DD}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1732
        
        C:\Windows\{EFE889E2-2F83-42c7-A6D4-E8048727DFA8}.exe
        
        C:\Windows\{EFE889E2-2F83-42c7-A6D4-E8048727DFA8}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1192
        
        C:\Windows\{718315D3-394E-429a-A011-09DA7BC0EBDA}.exe
        
        C:\Windows\{718315D3-394E-429a-A011-09DA7BC0EBDA}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2172
        
        C:\Windows\{9A0016E7-E15E-4f64-A14B-5356353B4CC7}.exe
        
        C:\Windows\{9A0016E7-E15E-4f64-A14B-5356353B4CC7}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2472
        
        C:\Windows\{76DDC35E-E91F-4c77-A8C8-C9F53CB23EB6}.exe
        
        C:\Windows\{76DDC35E-E91F-4c77-A8C8-C9F53CB23EB6}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2260
        
        C:\Windows\{812947D6-41F7-44be-9D6E-5C30ECF9EE2D}.exe
        
        C:\Windows\{812947D6-41F7-44be-9D6E-5C30ECF9EE2D}.exe
        12⤵
        Executes dropped EXE
        
        PID:1636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{76DDC~1.EXE > nul
        12⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9A001~1.EXE > nul
        11⤵
        
        PID:672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{71831~1.EXE > nul
        10⤵
        
        PID:1092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EFE88~1.EXE > nul
        9⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D25E3~1.EXE > nul
        8⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B48D0~1.EXE > nul
        7⤵
        
        PID:1672
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{513D0~1.EXE > nul
        6⤵
        
        PID:1596
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E6668~1.EXE > nul
        5⤵
        
        PID:2696
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{E5A79~1.EXE > nul
      4⤵
      PID:2152
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{1BED7~1.EXE > nul
    3⤵
    PID:2640
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2312

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1BED7C9A-FB27-40ee-B43D-380873497846}.exe

Filesize
216KB

MD5
8fcf85116951c51eb7de92926cb0c91f

SHA1
b32143ed0a948e2a9970b196fe4b2788d71405ab

SHA256
f6ee5fb2e8cfe5b72680c9e6405f58335be70f452d1c7c5429a6f506b39a04b2

SHA512
8d83203e6178ab3d3cc4b327dcecba49c18cccdf30010a583d050477f380da8337948bf8173e35508adfa714ae71a5ce0cfe9e7c83da5bdf8baa3320765d864f

Download Submit
C:\Windows\{513D04D1-80C6-4ac7-8676-711E7CA07723}.exe

Filesize
216KB

MD5
5ac9b1e874bd08efb96f51f34b981ca6

SHA1
43317a4ef37573d9bec85373b244ef50fca08cc7

SHA256
1b216dd1e935a5b9a2b3d0f18d2bb886e753811b19985cb31ef36d70fc579017

SHA512
c9c0ceff5138d2bba5d04d1b842eadfdf9186ef66e0a0b07e7460b9f9046d485d980587aeaa591b8795d2c739ea8b66202932349546efea6049576fd26d0938b

Download Submit
C:\Windows\{718315D3-394E-429a-A011-09DA7BC0EBDA}.exe

Filesize
216KB

MD5
c7146a4b7129653e0ea4901d2e0c53cd

SHA1
b923bb98fd25f63f273ad2fdf4aaf90d25347f7a

SHA256
f541b03bea7fa1b9a3ea22c2a77ffd1d029f38b4e842f78f8743371a6469ed8c

SHA512
f4864b963aa1acdfe43d89db8d1444c5f50671fd500f94eda32a7237583dec70536545829130c31d68ebf59042c818a97502aba928e2d57d5817830f23384380

Download Submit
C:\Windows\{76DDC35E-E91F-4c77-A8C8-C9F53CB23EB6}.exe

Filesize
216KB

MD5
32f18f9863dc1abbca942b4280196bb8

SHA1
9e3f549d1c9655ce506552dbe9a01cf42dda250a

SHA256
e3d4f96baad7d93f3de635cce754f3f560aee0a61be430ff8ee584c71458cdff

SHA512
8a5b2079b58e5fe4722d3deee4182400d7e5567fe928895d400f0a8523f920603ea52c9cdbdce686170acfbbb9facbf777a27522e0735affe3a8e195946a1f92

Download Submit
C:\Windows\{812947D6-41F7-44be-9D6E-5C30ECF9EE2D}.exe

Filesize
216KB

MD5
bf6e6749354a8812c46c63749eca6ba9

SHA1
94dc39571050c2d81ceda457746f771b9d3e350a

SHA256
270c58d5edc227e4f3d194a05e99d1462d892720ffd75a82cc8c990bd37a9650

SHA512
6a65799b1f75c286d62c4ebb76655178e6fae5435b26104117fcc72999ccfe3a44267b729a03525bd609725c6f38d2fffcfefb1c4575a9d695c918ac38ca9d93

Download Submit
C:\Windows\{9A0016E7-E15E-4f64-A14B-5356353B4CC7}.exe

Filesize
216KB

MD5
59bc892d141c24eb1bda73115bc8b634

SHA1
f8ad980b629b05b5e931de4b5e88248958916fb0

SHA256
fde0d5a8e26c1c48193a1c848b0f3f24f8292181e855377d43877e420ab6ffa9

SHA512
c211ec992f8fa28ae641cbb7b8838cee9ffe74d5a7bb18af10f755de99c11376b36af13fa614687efd3c96be89e8aac8538a8ad7405de3a9467ba1dd08c8494e

Download Submit
C:\Windows\{B48D0B54-A73F-4388-83C7-3A76919B238F}.exe

Filesize
216KB

MD5
d7ec97b24e740e2442a14eb8d4fdbf8d

SHA1
03953d201772021a67fd8c471e666cbcf8db282a

SHA256
c430fca4a34da986497e40a808c9513f81afa6a117272e70e0e40502853692a0

SHA512
3ec8ef0287751228f6f3274c66ab1f66a13d87d616fca005831bbd4721b6233861afc85ca47cdf3ff0208791f23fc726e3233153024d9389fb4139ddb9488e47

Download Submit
C:\Windows\{D25E3F6E-ED14-4750-9E37-E1FCFED9E4DD}.exe

Filesize
216KB

MD5
3a4173a780a177150bcf603289b04d52

SHA1
1b17febb62322280404e3056079fe0da4e0ad084

SHA256
7d5da780dfdd47476287f65c26daf65ff5c0800f0a99968852805d32b89061e6

SHA512
b207e238e92fd9e460b76e8f6a41848b09b216071b8ceaac02d21774b17b506c331fa92f2880fbf00e5189bc4b87ff179dc7718c269ea08fb0e1417f82cc7ad1

Download Submit
C:\Windows\{E5A79628-2079-4007-8041-1C728813C676}.exe

Filesize
216KB

MD5
109827ce919dda939c4cc7d9620831ef

SHA1
925e075d1467a85caafba606db7c037365afc70b

SHA256
ba6ce6e8402d4bfd433d84c4b273c5ebde524d348a8dcf8df51ca8c6af06acee

SHA512
a98d6bb397ea982d64767209318d3619dd186b5bab4c9398effae8c06635c8bf3be9dd317c1aaf9859587bfa81a35fc22a55ca10c8c92748c868b527b76f3b66

Download Submit
C:\Windows\{E66683C7-0906-4d0b-9EE6-6F7E5166FFB4}.exe

Filesize
216KB

MD5
da213e6129297e23b79e15d7960f2cb6

SHA1
9fed997b2fc37003ce8599f93a94d1bcbdb586d4

SHA256
ceb21226db3050c8425f091b7e1aba16ad93969f442c17b079fe129f442151d4

SHA512
5cfa1ab04c636ebaaf016f9c1231b47def428e780d7dfb1a0360b7b183ca3d3ab6d0eb874be2dc05d3079bdc8d930fefc2b439a570c2776395b20d4755332f8e

Download Submit
C:\Windows\{EFE889E2-2F83-42c7-A6D4-E8048727DFA8}.exe

Filesize
216KB

MD5
149e47ddd55e802761e3db3b0b0f43ce

SHA1
889661ab3f47ae6efd189ec909107bb5e505cb68

SHA256
aeed71268550bbfbb7f16224c084cf6c5a3d440b46f5ca558ac14942984e7512

SHA512
c22f48931ab9e98cfe979b7199e8341847437cdb3e1b2d93f9354ff57e5320c312202a5dd5db2e6f27eabaa4d4faf7ee7e5cad29457514e92aa1eda452537611

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads