741f46d46b2c7f9b78af631e35a8450042a52e5bdc023a70cfd1e9345f4aacfa

Analysis

max time kernel
144s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
17-04-2024 19:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-17_70124ce90feffa6832ff63b72362e260_goldeneye.exe
Size

204KB
MD5

70124ce90feffa6832ff63b72362e260
SHA1

e6e9d2a67f0fd06e6c1438f2c173cc024a0f9057
SHA256

741f46d46b2c7f9b78af631e35a8450042a52e5bdc023a70cfd1e9345f4aacfa
SHA512

4507cb130caeef9e98f8871dd294f22a77cfd49d506fab045857fdfd76f27c25296da91d7282450642e2b93215730fb899e89274e0aae479344216a8a4db620e
SSDEEP

1536:1EGh0ofl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0ofl1OPOe2MUVg3Ve+rXfMUy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000c0000000122ac-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b00000001413f-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d0000000122ac-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000300000000b1f2-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000400000000b1f2-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000500000000b1f2-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000600000000b1f2-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5E3F0507-2373-4d5c-A710-FA5D2D87F445}\stubpath = "C:\\Windows\\{5E3F0507-2373-4d5c-A710-FA5D2D87F445}.exe"	{25173B77-391F-4940-9D45-5F4232D4C7B4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{63B830B6-7F91-49ab-B487-8CC10E6A3832}\stubpath = "C:\\Windows\\{63B830B6-7F91-49ab-B487-8CC10E6A3832}.exe"	{5E3F0507-2373-4d5c-A710-FA5D2D87F445}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{785A3DBC-032B-40fc-947E-CC863AFD7CC4}\stubpath = "C:\\Windows\\{785A3DBC-032B-40fc-947E-CC863AFD7CC4}.exe"	{8691ED33-B26F-4bfa-8325-DF546C69A8BC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5E3F0507-2373-4d5c-A710-FA5D2D87F445}	{25173B77-391F-4940-9D45-5F4232D4C7B4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{52505F2A-E47F-4883-AAFF-01646C4D3C1A}	{D2933EEF-1972-4e75-A860-95ADE7600C87}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{25173B77-391F-4940-9D45-5F4232D4C7B4}	{52505F2A-E47F-4883-AAFF-01646C4D3C1A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{25173B77-391F-4940-9D45-5F4232D4C7B4}\stubpath = "C:\\Windows\\{25173B77-391F-4940-9D45-5F4232D4C7B4}.exe"	{52505F2A-E47F-4883-AAFF-01646C4D3C1A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8691ED33-B26F-4bfa-8325-DF546C69A8BC}	{3D70721E-CDBC-449b-9377-763DB200E66F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{785A3DBC-032B-40fc-947E-CC863AFD7CC4}	{8691ED33-B26F-4bfa-8325-DF546C69A8BC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8691ED33-B26F-4bfa-8325-DF546C69A8BC}\stubpath = "C:\\Windows\\{8691ED33-B26F-4bfa-8325-DF546C69A8BC}.exe"	{3D70721E-CDBC-449b-9377-763DB200E66F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{087B3066-D2B1-4c14-A811-B9484D4EF973}	{FFD36084-EB60-44be-921C-D7C16765FBC3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3D70721E-CDBC-449b-9377-763DB200E66F}\stubpath = "C:\\Windows\\{3D70721E-CDBC-449b-9377-763DB200E66F}.exe"	{5F44941A-04A9-4954-BFB1-3D1C9F19AAF0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{087B3066-D2B1-4c14-A811-B9484D4EF973}\stubpath = "C:\\Windows\\{087B3066-D2B1-4c14-A811-B9484D4EF973}.exe"	{FFD36084-EB60-44be-921C-D7C16765FBC3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5F44941A-04A9-4954-BFB1-3D1C9F19AAF0}	{087B3066-D2B1-4c14-A811-B9484D4EF973}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5F44941A-04A9-4954-BFB1-3D1C9F19AAF0}\stubpath = "C:\\Windows\\{5F44941A-04A9-4954-BFB1-3D1C9F19AAF0}.exe"	{087B3066-D2B1-4c14-A811-B9484D4EF973}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3D70721E-CDBC-449b-9377-763DB200E66F}	{5F44941A-04A9-4954-BFB1-3D1C9F19AAF0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D2933EEF-1972-4e75-A860-95ADE7600C87}	{785A3DBC-032B-40fc-947E-CC863AFD7CC4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D2933EEF-1972-4e75-A860-95ADE7600C87}\stubpath = "C:\\Windows\\{D2933EEF-1972-4e75-A860-95ADE7600C87}.exe"	{785A3DBC-032B-40fc-947E-CC863AFD7CC4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FFD36084-EB60-44be-921C-D7C16765FBC3}	2024-04-17_70124ce90feffa6832ff63b72362e260_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FFD36084-EB60-44be-921C-D7C16765FBC3}\stubpath = "C:\\Windows\\{FFD36084-EB60-44be-921C-D7C16765FBC3}.exe"	2024-04-17_70124ce90feffa6832ff63b72362e260_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{52505F2A-E47F-4883-AAFF-01646C4D3C1A}\stubpath = "C:\\Windows\\{52505F2A-E47F-4883-AAFF-01646C4D3C1A}.exe"	{D2933EEF-1972-4e75-A860-95ADE7600C87}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{63B830B6-7F91-49ab-B487-8CC10E6A3832}	{5E3F0507-2373-4d5c-A710-FA5D2D87F445}.exe

Deletes itself 1 IoCs

pid	Process
2284	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2524	{FFD36084-EB60-44be-921C-D7C16765FBC3}.exe
2664	{087B3066-D2B1-4c14-A811-B9484D4EF973}.exe
2824	{5F44941A-04A9-4954-BFB1-3D1C9F19AAF0}.exe
2412	{3D70721E-CDBC-449b-9377-763DB200E66F}.exe
2776	{8691ED33-B26F-4bfa-8325-DF546C69A8BC}.exe
1636	{785A3DBC-032B-40fc-947E-CC863AFD7CC4}.exe
852	{D2933EEF-1972-4e75-A860-95ADE7600C87}.exe
1180	{52505F2A-E47F-4883-AAFF-01646C4D3C1A}.exe
2064	{25173B77-391F-4940-9D45-5F4232D4C7B4}.exe
1728	{5E3F0507-2373-4d5c-A710-FA5D2D87F445}.exe
3024	{63B830B6-7F91-49ab-B487-8CC10E6A3832}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{D2933EEF-1972-4e75-A860-95ADE7600C87}.exe	{785A3DBC-032B-40fc-947E-CC863AFD7CC4}.exe
File created	C:\Windows\{52505F2A-E47F-4883-AAFF-01646C4D3C1A}.exe	{D2933EEF-1972-4e75-A860-95ADE7600C87}.exe
File created	C:\Windows\{5E3F0507-2373-4d5c-A710-FA5D2D87F445}.exe	{25173B77-391F-4940-9D45-5F4232D4C7B4}.exe
File created	C:\Windows\{63B830B6-7F91-49ab-B487-8CC10E6A3832}.exe	{5E3F0507-2373-4d5c-A710-FA5D2D87F445}.exe
File created	C:\Windows\{5F44941A-04A9-4954-BFB1-3D1C9F19AAF0}.exe	{087B3066-D2B1-4c14-A811-B9484D4EF973}.exe
File created	C:\Windows\{8691ED33-B26F-4bfa-8325-DF546C69A8BC}.exe	{3D70721E-CDBC-449b-9377-763DB200E66F}.exe
File created	C:\Windows\{785A3DBC-032B-40fc-947E-CC863AFD7CC4}.exe	{8691ED33-B26F-4bfa-8325-DF546C69A8BC}.exe
File created	C:\Windows\{25173B77-391F-4940-9D45-5F4232D4C7B4}.exe	{52505F2A-E47F-4883-AAFF-01646C4D3C1A}.exe
File created	C:\Windows\{FFD36084-EB60-44be-921C-D7C16765FBC3}.exe	2024-04-17_70124ce90feffa6832ff63b72362e260_goldeneye.exe
File created	C:\Windows\{087B3066-D2B1-4c14-A811-B9484D4EF973}.exe	{FFD36084-EB60-44be-921C-D7C16765FBC3}.exe
File created	C:\Windows\{3D70721E-CDBC-449b-9377-763DB200E66F}.exe	{5F44941A-04A9-4954-BFB1-3D1C9F19AAF0}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2956	2024-04-17_70124ce90feffa6832ff63b72362e260_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2524	{FFD36084-EB60-44be-921C-D7C16765FBC3}.exe
Token: SeIncBasePriorityPrivilege	2664	{087B3066-D2B1-4c14-A811-B9484D4EF973}.exe
Token: SeIncBasePriorityPrivilege	2824	{5F44941A-04A9-4954-BFB1-3D1C9F19AAF0}.exe
Token: SeIncBasePriorityPrivilege	2412	{3D70721E-CDBC-449b-9377-763DB200E66F}.exe
Token: SeIncBasePriorityPrivilege	2776	{8691ED33-B26F-4bfa-8325-DF546C69A8BC}.exe
Token: SeIncBasePriorityPrivilege	1636	{785A3DBC-032B-40fc-947E-CC863AFD7CC4}.exe
Token: SeIncBasePriorityPrivilege	852	{D2933EEF-1972-4e75-A860-95ADE7600C87}.exe
Token: SeIncBasePriorityPrivilege	1180	{52505F2A-E47F-4883-AAFF-01646C4D3C1A}.exe
Token: SeIncBasePriorityPrivilege	2064	{25173B77-391F-4940-9D45-5F4232D4C7B4}.exe
Token: SeIncBasePriorityPrivilege	1728	{5E3F0507-2373-4d5c-A710-FA5D2D87F445}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2956 wrote to memory of 2524	2956	2024-04-17_70124ce90feffa6832ff63b72362e260_goldeneye.exe	28
PID 2956 wrote to memory of 2524	2956	2024-04-17_70124ce90feffa6832ff63b72362e260_goldeneye.exe	28
PID 2956 wrote to memory of 2524	2956	2024-04-17_70124ce90feffa6832ff63b72362e260_goldeneye.exe	28
PID 2956 wrote to memory of 2524	2956	2024-04-17_70124ce90feffa6832ff63b72362e260_goldeneye.exe	28
PID 2956 wrote to memory of 2284	2956	2024-04-17_70124ce90feffa6832ff63b72362e260_goldeneye.exe	29
PID 2956 wrote to memory of 2284	2956	2024-04-17_70124ce90feffa6832ff63b72362e260_goldeneye.exe	29
PID 2956 wrote to memory of 2284	2956	2024-04-17_70124ce90feffa6832ff63b72362e260_goldeneye.exe	29
PID 2956 wrote to memory of 2284	2956	2024-04-17_70124ce90feffa6832ff63b72362e260_goldeneye.exe	29
PID 2524 wrote to memory of 2664	2524	{FFD36084-EB60-44be-921C-D7C16765FBC3}.exe	30
PID 2524 wrote to memory of 2664	2524	{FFD36084-EB60-44be-921C-D7C16765FBC3}.exe	30
PID 2524 wrote to memory of 2664	2524	{FFD36084-EB60-44be-921C-D7C16765FBC3}.exe	30
PID 2524 wrote to memory of 2664	2524	{FFD36084-EB60-44be-921C-D7C16765FBC3}.exe	30
PID 2524 wrote to memory of 2560	2524	{FFD36084-EB60-44be-921C-D7C16765FBC3}.exe	31
PID 2524 wrote to memory of 2560	2524	{FFD36084-EB60-44be-921C-D7C16765FBC3}.exe	31
PID 2524 wrote to memory of 2560	2524	{FFD36084-EB60-44be-921C-D7C16765FBC3}.exe	31
PID 2524 wrote to memory of 2560	2524	{FFD36084-EB60-44be-921C-D7C16765FBC3}.exe	31
PID 2664 wrote to memory of 2824	2664	{087B3066-D2B1-4c14-A811-B9484D4EF973}.exe	32
PID 2664 wrote to memory of 2824	2664	{087B3066-D2B1-4c14-A811-B9484D4EF973}.exe	32
PID 2664 wrote to memory of 2824	2664	{087B3066-D2B1-4c14-A811-B9484D4EF973}.exe	32
PID 2664 wrote to memory of 2824	2664	{087B3066-D2B1-4c14-A811-B9484D4EF973}.exe	32
PID 2664 wrote to memory of 2960	2664	{087B3066-D2B1-4c14-A811-B9484D4EF973}.exe	33
PID 2664 wrote to memory of 2960	2664	{087B3066-D2B1-4c14-A811-B9484D4EF973}.exe	33
PID 2664 wrote to memory of 2960	2664	{087B3066-D2B1-4c14-A811-B9484D4EF973}.exe	33
PID 2664 wrote to memory of 2960	2664	{087B3066-D2B1-4c14-A811-B9484D4EF973}.exe	33
PID 2824 wrote to memory of 2412	2824	{5F44941A-04A9-4954-BFB1-3D1C9F19AAF0}.exe	36
PID 2824 wrote to memory of 2412	2824	{5F44941A-04A9-4954-BFB1-3D1C9F19AAF0}.exe	36
PID 2824 wrote to memory of 2412	2824	{5F44941A-04A9-4954-BFB1-3D1C9F19AAF0}.exe	36
PID 2824 wrote to memory of 2412	2824	{5F44941A-04A9-4954-BFB1-3D1C9F19AAF0}.exe	36
PID 2824 wrote to memory of 1684	2824	{5F44941A-04A9-4954-BFB1-3D1C9F19AAF0}.exe	37
PID 2824 wrote to memory of 1684	2824	{5F44941A-04A9-4954-BFB1-3D1C9F19AAF0}.exe	37
PID 2824 wrote to memory of 1684	2824	{5F44941A-04A9-4954-BFB1-3D1C9F19AAF0}.exe	37
PID 2824 wrote to memory of 1684	2824	{5F44941A-04A9-4954-BFB1-3D1C9F19AAF0}.exe	37
PID 2412 wrote to memory of 2776	2412	{3D70721E-CDBC-449b-9377-763DB200E66F}.exe	38
PID 2412 wrote to memory of 2776	2412	{3D70721E-CDBC-449b-9377-763DB200E66F}.exe	38
PID 2412 wrote to memory of 2776	2412	{3D70721E-CDBC-449b-9377-763DB200E66F}.exe	38
PID 2412 wrote to memory of 2776	2412	{3D70721E-CDBC-449b-9377-763DB200E66F}.exe	38
PID 2412 wrote to memory of 2904	2412	{3D70721E-CDBC-449b-9377-763DB200E66F}.exe	39
PID 2412 wrote to memory of 2904	2412	{3D70721E-CDBC-449b-9377-763DB200E66F}.exe	39
PID 2412 wrote to memory of 2904	2412	{3D70721E-CDBC-449b-9377-763DB200E66F}.exe	39
PID 2412 wrote to memory of 2904	2412	{3D70721E-CDBC-449b-9377-763DB200E66F}.exe	39
PID 2776 wrote to memory of 1636	2776	{8691ED33-B26F-4bfa-8325-DF546C69A8BC}.exe	40
PID 2776 wrote to memory of 1636	2776	{8691ED33-B26F-4bfa-8325-DF546C69A8BC}.exe	40
PID 2776 wrote to memory of 1636	2776	{8691ED33-B26F-4bfa-8325-DF546C69A8BC}.exe	40
PID 2776 wrote to memory of 1636	2776	{8691ED33-B26F-4bfa-8325-DF546C69A8BC}.exe	40
PID 2776 wrote to memory of 2172	2776	{8691ED33-B26F-4bfa-8325-DF546C69A8BC}.exe	41
PID 2776 wrote to memory of 2172	2776	{8691ED33-B26F-4bfa-8325-DF546C69A8BC}.exe	41
PID 2776 wrote to memory of 2172	2776	{8691ED33-B26F-4bfa-8325-DF546C69A8BC}.exe	41
PID 2776 wrote to memory of 2172	2776	{8691ED33-B26F-4bfa-8325-DF546C69A8BC}.exe	41
PID 1636 wrote to memory of 852	1636	{785A3DBC-032B-40fc-947E-CC863AFD7CC4}.exe	42
PID 1636 wrote to memory of 852	1636	{785A3DBC-032B-40fc-947E-CC863AFD7CC4}.exe	42
PID 1636 wrote to memory of 852	1636	{785A3DBC-032B-40fc-947E-CC863AFD7CC4}.exe	42
PID 1636 wrote to memory of 852	1636	{785A3DBC-032B-40fc-947E-CC863AFD7CC4}.exe	42
PID 1636 wrote to memory of 656	1636	{785A3DBC-032B-40fc-947E-CC863AFD7CC4}.exe	43
PID 1636 wrote to memory of 656	1636	{785A3DBC-032B-40fc-947E-CC863AFD7CC4}.exe	43
PID 1636 wrote to memory of 656	1636	{785A3DBC-032B-40fc-947E-CC863AFD7CC4}.exe	43
PID 1636 wrote to memory of 656	1636	{785A3DBC-032B-40fc-947E-CC863AFD7CC4}.exe	43
PID 852 wrote to memory of 1180	852	{D2933EEF-1972-4e75-A860-95ADE7600C87}.exe	44
PID 852 wrote to memory of 1180	852	{D2933EEF-1972-4e75-A860-95ADE7600C87}.exe	44
PID 852 wrote to memory of 1180	852	{D2933EEF-1972-4e75-A860-95ADE7600C87}.exe	44
PID 852 wrote to memory of 1180	852	{D2933EEF-1972-4e75-A860-95ADE7600C87}.exe	44
PID 852 wrote to memory of 876	852	{D2933EEF-1972-4e75-A860-95ADE7600C87}.exe	45
PID 852 wrote to memory of 876	852	{D2933EEF-1972-4e75-A860-95ADE7600C87}.exe	45
PID 852 wrote to memory of 876	852	{D2933EEF-1972-4e75-A860-95ADE7600C87}.exe	45
PID 852 wrote to memory of 876	852	{D2933EEF-1972-4e75-A860-95ADE7600C87}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-04-17_70124ce90feffa6832ff63b72362e260_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-17_70124ce90feffa6832ff63b72362e260_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2956
- C:\Windows\{FFD36084-EB60-44be-921C-D7C16765FBC3}.exe
  C:\Windows\{FFD36084-EB60-44be-921C-D7C16765FBC3}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2524
- - C:\Windows\{087B3066-D2B1-4c14-A811-B9484D4EF973}.exe
    C:\Windows\{087B3066-D2B1-4c14-A811-B9484D4EF973}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2664
  - - C:\Windows\{5F44941A-04A9-4954-BFB1-3D1C9F19AAF0}.exe
      C:\Windows\{5F44941A-04A9-4954-BFB1-3D1C9F19AAF0}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2824
    - - C:\Windows\{3D70721E-CDBC-449b-9377-763DB200E66F}.exe
        
        C:\Windows\{3D70721E-CDBC-449b-9377-763DB200E66F}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2412
      - C:\Windows\{8691ED33-B26F-4bfa-8325-DF546C69A8BC}.exe
        
        C:\Windows\{8691ED33-B26F-4bfa-8325-DF546C69A8BC}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2776
        
        C:\Windows\{785A3DBC-032B-40fc-947E-CC863AFD7CC4}.exe
        
        C:\Windows\{785A3DBC-032B-40fc-947E-CC863AFD7CC4}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1636
        
        C:\Windows\{D2933EEF-1972-4e75-A860-95ADE7600C87}.exe
        
        C:\Windows\{D2933EEF-1972-4e75-A860-95ADE7600C87}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:852
        
        C:\Windows\{52505F2A-E47F-4883-AAFF-01646C4D3C1A}.exe
        
        C:\Windows\{52505F2A-E47F-4883-AAFF-01646C4D3C1A}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1180
        
        C:\Windows\{25173B77-391F-4940-9D45-5F4232D4C7B4}.exe
        
        C:\Windows\{25173B77-391F-4940-9D45-5F4232D4C7B4}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2064
        
        C:\Windows\{5E3F0507-2373-4d5c-A710-FA5D2D87F445}.exe
        
        C:\Windows\{5E3F0507-2373-4d5c-A710-FA5D2D87F445}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1728
        
        C:\Windows\{63B830B6-7F91-49ab-B487-8CC10E6A3832}.exe
        
        C:\Windows\{63B830B6-7F91-49ab-B487-8CC10E6A3832}.exe
        12⤵
        Executes dropped EXE
        
        PID:3024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5E3F0~1.EXE > nul
        12⤵
        
        PID:1096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{25173~1.EXE > nul
        11⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{52505~1.EXE > nul
        10⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D2933~1.EXE > nul
        9⤵
        
        PID:876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{785A3~1.EXE > nul
        8⤵
        
        PID:656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8691E~1.EXE > nul
        7⤵
        
        PID:2172
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3D707~1.EXE > nul
        6⤵
        
        PID:2904
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5F449~1.EXE > nul
        5⤵
        
        PID:1684
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{087B3~1.EXE > nul
      4⤵
      PID:2960
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{FFD36~1.EXE > nul
    3⤵
    PID:2560
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{087B3066-D2B1-4c14-A811-B9484D4EF973}.exe

Filesize
204KB

MD5
4556381f53f91050a316808b2e0ee81c

SHA1
b3643baff98e123693c4bd7350f07cae8543a9e4

SHA256
983a9b3322ef12b43cf843bb18e269c3093039bc95c976fc8ff72eff46f2a03e

SHA512
14a258e01684d56503637863963240dbf2098a15acb87360237926f4942be0c50fa5f3e096dee2d346e1214756aa78780649dae7fb23831342332b0f72c65bd3

Download Submit
C:\Windows\{25173B77-391F-4940-9D45-5F4232D4C7B4}.exe

Filesize
204KB

MD5
0b7c410ea2c963dd51cbb8c3e52ba4fc

SHA1
5066eb422367d5d43efadb332f381985c5566270

SHA256
399867b4fddea4a79a73a763a876d42da0af1a42967ae7dc42eed99e1c45e659

SHA512
c5df37fc4eee289b9cf461c2480a41b91fccad143da18238d8cea5a662a6282b75298cb19ea5633b50fa1401547f8277add077a7aebe60c6bbe0c0c2c7196954

Download Submit
C:\Windows\{3D70721E-CDBC-449b-9377-763DB200E66F}.exe

Filesize
204KB

MD5
d0e50c1f8b9b38f768b6beae20b953a6

SHA1
1be3d96b0436c3a1783f75cfbcc300086aae22d1

SHA256
23e46ec1ad582f61bb38427eeaf57090aaaea31154048c2ce919c54c5d6850a9

SHA512
dd2eb218e16f83e36062046cd2632f1fd95dcfcd43c90e06d47a0f9e4d1f8537fa5bf0ce042dee04babd2514951d9c97d92e5a9862c4905002432eba79fdc31d

Download Submit
C:\Windows\{52505F2A-E47F-4883-AAFF-01646C4D3C1A}.exe

Filesize
204KB

MD5
164ab5f45a5bb6a45144d8ed565b7718

SHA1
8a58bb3f1eb7bb245b642cf2f8ff688b4ff0ceb9

SHA256
09d4d1ff5a7f84fe24699b88ea8a490b401791b4b59f2cd2357d761e3d34228c

SHA512
1532432de55b184bb124b1bca2dae5f8496439b1424cad69c123b18c483bd9dd41e03ed208c7cce2c9b7f2f2f105ccde604672e1b9f3c5a42dd813b5fc8b86e9

Download Submit
C:\Windows\{5E3F0507-2373-4d5c-A710-FA5D2D87F445}.exe

Filesize
204KB

MD5
6e62e1cb75b2a282e5f34f71a3bd6d14

SHA1
601f460daf108c7fb3f270cf69e9dc20929b6954

SHA256
914bd73cb30037785d70cdae8c6fa33a34cc14c1e591fefb41e9fbac0c8609a8

SHA512
1856fe07dacb03d458f8fbdb6d9aecd52faf8c781a3609ef8ed035cd7709238113c2612230590be01a7043b247f5c9f071daa8ad950d6cbde19ea71b3fa68fa4

Download Submit
C:\Windows\{5F44941A-04A9-4954-BFB1-3D1C9F19AAF0}.exe

Filesize
204KB

MD5
02ad54aff5e06ffbe9c88ef596e15894

SHA1
34523bf7f90a8c1b1d0e2e0723fe45f4daec93fc

SHA256
83e74ae0f27904dec8432db8f5296ff42e3e510584dfab865398de10d80c64de

SHA512
da52f8ffa8adbcbe1194462e2edd2b340106110e0aeb763504c9711b3e8d8fd5f5299be4ff334448804ec1409c0ad599fd0f4966b13038e80aca2f3e5171df26

Download Submit
C:\Windows\{63B830B6-7F91-49ab-B487-8CC10E6A3832}.exe

Filesize
204KB

MD5
a88e51a990c1d09e51f3c34f7027266e

SHA1
25389c143692631589e0a364fda6063473b8b97f

SHA256
10b34e381f5b081c7b97ba1750cf2fc5af599c3fc478aadbcfe13128b5627cc0

SHA512
212c881d7b34933a872f34d8b8bc3a6b7351901b294baeb1aa121d0ae404aad6439adfd09f4d16a9db69425f6829ce71476b9de743113b1566de8e9f3aff70e3

Download Submit
C:\Windows\{785A3DBC-032B-40fc-947E-CC863AFD7CC4}.exe

Filesize
204KB

MD5
8ed6122bccf7919c52d24145e2530ed7

SHA1
e54aae5b4ea46fa1dd00999c4432fd14c614ee4c

SHA256
6ea70d9363212f7e53ffdfd6a2a6bcc1b22eed52f2a72de57eadcca8a1e5c9f7

SHA512
13bb3b11a30d9d9c3db1066e04e49930cc943de25665e395bd3a80ceb947e3141c6dba19c8b1f39bbc3413e24924bcd489c739bfad05cccac5139c51fcd371bf

Download Submit
C:\Windows\{8691ED33-B26F-4bfa-8325-DF546C69A8BC}.exe

Filesize
204KB

MD5
8afb829bb4a943c32185159998f57cfe

SHA1
fdc54a71b3d424d90414cccdb484bed86b5cf628

SHA256
84d4713cf83c3556386f62557a4298bcd53fd48c646a7f38bafb749f96b5dc2a

SHA512
160b0733e3693bc0a72e09600acb4e1fac81f89966861ad1b2b6833a44ad499389a954f01c8f15171a33473b5d780105f071f83dd7c3203ece0d0c92ce9d0327

Download Submit
C:\Windows\{D2933EEF-1972-4e75-A860-95ADE7600C87}.exe

Filesize
204KB

MD5
3b97d633f13ae00755da655d4f7531bc

SHA1
d93cb8d8099fbfadebb317eea5e54aef07c0d103

SHA256
1c73305b9ebb3faa857bbf23923fedb1ffbcb34bcea458262a6e1fa35d64e115

SHA512
0bd21c6783d8d30e917962fb681837c646b89a330ca018c181119cd4c327dc0c6cb81f1891bb98dc8760d0faa24a1fb9b0120ef1a3c966a2d22eaa2b5a525e2c

Download Submit
C:\Windows\{FFD36084-EB60-44be-921C-D7C16765FBC3}.exe

Filesize
204KB

MD5
a5ba27a9d14e343312d16c7134ae86b6

SHA1
394d3b42453942fd82a2941fc93d482660512b82

SHA256
68784dcefc55fdf51837009b3df150e47215822b70ba6c48a35bf3ba9a81e361

SHA512
eefdcddb0026842913250a9b9173d8700e3696dd776eda96bece02947bff7b300e2c4838108a483bd5b59153c9db61d7cf7fefa814aa9691b70c2d306c49e52b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads