43c9b932e1d96de18fd93a21130858120dc847815babd70ebd3f1b011fd09fdb

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
20/04/2024, 00:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-20_0af3c4c39595ac5ca0535318843c6aae_goldeneye.exe
Size

372KB
MD5

0af3c4c39595ac5ca0535318843c6aae
SHA1

80e322dbe80c3b14a278872735f3feb6c38253b2
SHA256

43c9b932e1d96de18fd93a21130858120dc847815babd70ebd3f1b011fd09fdb
SHA512

535473b75e7bce9c9fb8afbd77f95f6370615b246e6d593fb168c8acb7d8ff3ca4ca780570d84963192270904b8d2798531202ad4ecf9096014cf660670d5a86
SSDEEP

3072:CEGh0ozlMOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBfM:CEG9lkOe2MUVg3vTeKcAEciTBqr3

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000900000001222b-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f000000015c87-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f00000000f680-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0010000000015c87-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001000000000f680-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0011000000015c87-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001100000000f680-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0012000000015c87-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001200000000f680-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0013000000015c87-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000015d88-74.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{206F8012-4970-483a-9911-A8D8B1A01F89}\stubpath = "C:\\Windows\\{206F8012-4970-483a-9911-A8D8B1A01F89}.exe"	2024-04-20_0af3c4c39595ac5ca0535318843c6aae_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{14B30C35-67DE-45bd-9398-94866E161290}\stubpath = "C:\\Windows\\{14B30C35-67DE-45bd-9398-94866E161290}.exe"	{FA27DC34-B032-4d46-964B-7C643C599C55}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1E9A076D-2795-4c0a-81A9-AC279488F972}	{79B1EA01-F56D-41a7-85EF-099F0A210EBE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{09F40046-4316-4cae-806E-C6D39FF3454D}	{1E9A076D-2795-4c0a-81A9-AC279488F972}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DF164A06-E1E4-4f81-9BA2-A1E86A56B149}\stubpath = "C:\\Windows\\{DF164A06-E1E4-4f81-9BA2-A1E86A56B149}.exe"	{09F40046-4316-4cae-806E-C6D39FF3454D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{09F40046-4316-4cae-806E-C6D39FF3454D}\stubpath = "C:\\Windows\\{09F40046-4316-4cae-806E-C6D39FF3454D}.exe"	{1E9A076D-2795-4c0a-81A9-AC279488F972}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9D45ABA6-6439-4f8a-8709-581C0156346A}	{DF164A06-E1E4-4f81-9BA2-A1E86A56B149}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9D45ABA6-6439-4f8a-8709-581C0156346A}\stubpath = "C:\\Windows\\{9D45ABA6-6439-4f8a-8709-581C0156346A}.exe"	{DF164A06-E1E4-4f81-9BA2-A1E86A56B149}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{206F8012-4970-483a-9911-A8D8B1A01F89}	2024-04-20_0af3c4c39595ac5ca0535318843c6aae_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D9CFEF30-19C6-4146-ADC2-77A868A6DE0A}	{206F8012-4970-483a-9911-A8D8B1A01F89}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9B65A1CE-EE50-48be-8521-C3C317AFB8AD}	{D9CFEF30-19C6-4146-ADC2-77A868A6DE0A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{14B30C35-67DE-45bd-9398-94866E161290}	{FA27DC34-B032-4d46-964B-7C643C599C55}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1E9A076D-2795-4c0a-81A9-AC279488F972}\stubpath = "C:\\Windows\\{1E9A076D-2795-4c0a-81A9-AC279488F972}.exe"	{79B1EA01-F56D-41a7-85EF-099F0A210EBE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8CABE507-68C6-40ef-A1C2-70B6A82FD04A}\stubpath = "C:\\Windows\\{8CABE507-68C6-40ef-A1C2-70B6A82FD04A}.exe"	{9D45ABA6-6439-4f8a-8709-581C0156346A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{79B1EA01-F56D-41a7-85EF-099F0A210EBE}	{14B30C35-67DE-45bd-9398-94866E161290}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DF164A06-E1E4-4f81-9BA2-A1E86A56B149}	{09F40046-4316-4cae-806E-C6D39FF3454D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8CABE507-68C6-40ef-A1C2-70B6A82FD04A}	{9D45ABA6-6439-4f8a-8709-581C0156346A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D9CFEF30-19C6-4146-ADC2-77A868A6DE0A}\stubpath = "C:\\Windows\\{D9CFEF30-19C6-4146-ADC2-77A868A6DE0A}.exe"	{206F8012-4970-483a-9911-A8D8B1A01F89}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9B65A1CE-EE50-48be-8521-C3C317AFB8AD}\stubpath = "C:\\Windows\\{9B65A1CE-EE50-48be-8521-C3C317AFB8AD}.exe"	{D9CFEF30-19C6-4146-ADC2-77A868A6DE0A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FA27DC34-B032-4d46-964B-7C643C599C55}	{9B65A1CE-EE50-48be-8521-C3C317AFB8AD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FA27DC34-B032-4d46-964B-7C643C599C55}\stubpath = "C:\\Windows\\{FA27DC34-B032-4d46-964B-7C643C599C55}.exe"	{9B65A1CE-EE50-48be-8521-C3C317AFB8AD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{79B1EA01-F56D-41a7-85EF-099F0A210EBE}\stubpath = "C:\\Windows\\{79B1EA01-F56D-41a7-85EF-099F0A210EBE}.exe"	{14B30C35-67DE-45bd-9398-94866E161290}.exe

Deletes itself 1 IoCs

pid	Process
2596	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
1532	{206F8012-4970-483a-9911-A8D8B1A01F89}.exe
1548	{D9CFEF30-19C6-4146-ADC2-77A868A6DE0A}.exe
2696	{9B65A1CE-EE50-48be-8521-C3C317AFB8AD}.exe
2700	{FA27DC34-B032-4d46-964B-7C643C599C55}.exe
1792	{14B30C35-67DE-45bd-9398-94866E161290}.exe
2636	{79B1EA01-F56D-41a7-85EF-099F0A210EBE}.exe
1956	{1E9A076D-2795-4c0a-81A9-AC279488F972}.exe
2044	{09F40046-4316-4cae-806E-C6D39FF3454D}.exe
1772	{DF164A06-E1E4-4f81-9BA2-A1E86A56B149}.exe
2760	{9D45ABA6-6439-4f8a-8709-581C0156346A}.exe
2796	{8CABE507-68C6-40ef-A1C2-70B6A82FD04A}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{DF164A06-E1E4-4f81-9BA2-A1E86A56B149}.exe	{09F40046-4316-4cae-806E-C6D39FF3454D}.exe
File created	C:\Windows\{9D45ABA6-6439-4f8a-8709-581C0156346A}.exe	{DF164A06-E1E4-4f81-9BA2-A1E86A56B149}.exe
File created	C:\Windows\{D9CFEF30-19C6-4146-ADC2-77A868A6DE0A}.exe	{206F8012-4970-483a-9911-A8D8B1A01F89}.exe
File created	C:\Windows\{9B65A1CE-EE50-48be-8521-C3C317AFB8AD}.exe	{D9CFEF30-19C6-4146-ADC2-77A868A6DE0A}.exe
File created	C:\Windows\{79B1EA01-F56D-41a7-85EF-099F0A210EBE}.exe	{14B30C35-67DE-45bd-9398-94866E161290}.exe
File created	C:\Windows\{09F40046-4316-4cae-806E-C6D39FF3454D}.exe	{1E9A076D-2795-4c0a-81A9-AC279488F972}.exe
File created	C:\Windows\{8CABE507-68C6-40ef-A1C2-70B6A82FD04A}.exe	{9D45ABA6-6439-4f8a-8709-581C0156346A}.exe
File created	C:\Windows\{206F8012-4970-483a-9911-A8D8B1A01F89}.exe	2024-04-20_0af3c4c39595ac5ca0535318843c6aae_goldeneye.exe
File created	C:\Windows\{FA27DC34-B032-4d46-964B-7C643C599C55}.exe	{9B65A1CE-EE50-48be-8521-C3C317AFB8AD}.exe
File created	C:\Windows\{14B30C35-67DE-45bd-9398-94866E161290}.exe	{FA27DC34-B032-4d46-964B-7C643C599C55}.exe
File created	C:\Windows\{1E9A076D-2795-4c0a-81A9-AC279488F972}.exe	{79B1EA01-F56D-41a7-85EF-099F0A210EBE}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2772	2024-04-20_0af3c4c39595ac5ca0535318843c6aae_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1532	{206F8012-4970-483a-9911-A8D8B1A01F89}.exe
Token: SeIncBasePriorityPrivilege	1548	{D9CFEF30-19C6-4146-ADC2-77A868A6DE0A}.exe
Token: SeIncBasePriorityPrivilege	2696	{9B65A1CE-EE50-48be-8521-C3C317AFB8AD}.exe
Token: SeIncBasePriorityPrivilege	2700	{FA27DC34-B032-4d46-964B-7C643C599C55}.exe
Token: SeIncBasePriorityPrivilege	1792	{14B30C35-67DE-45bd-9398-94866E161290}.exe
Token: SeIncBasePriorityPrivilege	2636	{79B1EA01-F56D-41a7-85EF-099F0A210EBE}.exe
Token: SeIncBasePriorityPrivilege	1956	{1E9A076D-2795-4c0a-81A9-AC279488F972}.exe
Token: SeIncBasePriorityPrivilege	2044	{09F40046-4316-4cae-806E-C6D39FF3454D}.exe
Token: SeIncBasePriorityPrivilege	1772	{DF164A06-E1E4-4f81-9BA2-A1E86A56B149}.exe
Token: SeIncBasePriorityPrivilege	2760	{9D45ABA6-6439-4f8a-8709-581C0156346A}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2772 wrote to memory of 1532	2772	2024-04-20_0af3c4c39595ac5ca0535318843c6aae_goldeneye.exe	28
PID 2772 wrote to memory of 1532	2772	2024-04-20_0af3c4c39595ac5ca0535318843c6aae_goldeneye.exe	28
PID 2772 wrote to memory of 1532	2772	2024-04-20_0af3c4c39595ac5ca0535318843c6aae_goldeneye.exe	28
PID 2772 wrote to memory of 1532	2772	2024-04-20_0af3c4c39595ac5ca0535318843c6aae_goldeneye.exe	28
PID 2772 wrote to memory of 2596	2772	2024-04-20_0af3c4c39595ac5ca0535318843c6aae_goldeneye.exe	29
PID 2772 wrote to memory of 2596	2772	2024-04-20_0af3c4c39595ac5ca0535318843c6aae_goldeneye.exe	29
PID 2772 wrote to memory of 2596	2772	2024-04-20_0af3c4c39595ac5ca0535318843c6aae_goldeneye.exe	29
PID 2772 wrote to memory of 2596	2772	2024-04-20_0af3c4c39595ac5ca0535318843c6aae_goldeneye.exe	29
PID 1532 wrote to memory of 1548	1532	{206F8012-4970-483a-9911-A8D8B1A01F89}.exe	32
PID 1532 wrote to memory of 1548	1532	{206F8012-4970-483a-9911-A8D8B1A01F89}.exe	32
PID 1532 wrote to memory of 1548	1532	{206F8012-4970-483a-9911-A8D8B1A01F89}.exe	32
PID 1532 wrote to memory of 1548	1532	{206F8012-4970-483a-9911-A8D8B1A01F89}.exe	32
PID 1532 wrote to memory of 2612	1532	{206F8012-4970-483a-9911-A8D8B1A01F89}.exe	33
PID 1532 wrote to memory of 2612	1532	{206F8012-4970-483a-9911-A8D8B1A01F89}.exe	33
PID 1532 wrote to memory of 2612	1532	{206F8012-4970-483a-9911-A8D8B1A01F89}.exe	33
PID 1532 wrote to memory of 2612	1532	{206F8012-4970-483a-9911-A8D8B1A01F89}.exe	33
PID 1548 wrote to memory of 2696	1548	{D9CFEF30-19C6-4146-ADC2-77A868A6DE0A}.exe	34
PID 1548 wrote to memory of 2696	1548	{D9CFEF30-19C6-4146-ADC2-77A868A6DE0A}.exe	34
PID 1548 wrote to memory of 2696	1548	{D9CFEF30-19C6-4146-ADC2-77A868A6DE0A}.exe	34
PID 1548 wrote to memory of 2696	1548	{D9CFEF30-19C6-4146-ADC2-77A868A6DE0A}.exe	34
PID 1548 wrote to memory of 2428	1548	{D9CFEF30-19C6-4146-ADC2-77A868A6DE0A}.exe	35
PID 1548 wrote to memory of 2428	1548	{D9CFEF30-19C6-4146-ADC2-77A868A6DE0A}.exe	35
PID 1548 wrote to memory of 2428	1548	{D9CFEF30-19C6-4146-ADC2-77A868A6DE0A}.exe	35
PID 1548 wrote to memory of 2428	1548	{D9CFEF30-19C6-4146-ADC2-77A868A6DE0A}.exe	35
PID 2696 wrote to memory of 2700	2696	{9B65A1CE-EE50-48be-8521-C3C317AFB8AD}.exe	36
PID 2696 wrote to memory of 2700	2696	{9B65A1CE-EE50-48be-8521-C3C317AFB8AD}.exe	36
PID 2696 wrote to memory of 2700	2696	{9B65A1CE-EE50-48be-8521-C3C317AFB8AD}.exe	36
PID 2696 wrote to memory of 2700	2696	{9B65A1CE-EE50-48be-8521-C3C317AFB8AD}.exe	36
PID 2696 wrote to memory of 1016	2696	{9B65A1CE-EE50-48be-8521-C3C317AFB8AD}.exe	37
PID 2696 wrote to memory of 1016	2696	{9B65A1CE-EE50-48be-8521-C3C317AFB8AD}.exe	37
PID 2696 wrote to memory of 1016	2696	{9B65A1CE-EE50-48be-8521-C3C317AFB8AD}.exe	37
PID 2696 wrote to memory of 1016	2696	{9B65A1CE-EE50-48be-8521-C3C317AFB8AD}.exe	37
PID 2700 wrote to memory of 1792	2700	{FA27DC34-B032-4d46-964B-7C643C599C55}.exe	38
PID 2700 wrote to memory of 1792	2700	{FA27DC34-B032-4d46-964B-7C643C599C55}.exe	38
PID 2700 wrote to memory of 1792	2700	{FA27DC34-B032-4d46-964B-7C643C599C55}.exe	38
PID 2700 wrote to memory of 1792	2700	{FA27DC34-B032-4d46-964B-7C643C599C55}.exe	38
PID 2700 wrote to memory of 1876	2700	{FA27DC34-B032-4d46-964B-7C643C599C55}.exe	39
PID 2700 wrote to memory of 1876	2700	{FA27DC34-B032-4d46-964B-7C643C599C55}.exe	39
PID 2700 wrote to memory of 1876	2700	{FA27DC34-B032-4d46-964B-7C643C599C55}.exe	39
PID 2700 wrote to memory of 1876	2700	{FA27DC34-B032-4d46-964B-7C643C599C55}.exe	39
PID 1792 wrote to memory of 2636	1792	{14B30C35-67DE-45bd-9398-94866E161290}.exe	40
PID 1792 wrote to memory of 2636	1792	{14B30C35-67DE-45bd-9398-94866E161290}.exe	40
PID 1792 wrote to memory of 2636	1792	{14B30C35-67DE-45bd-9398-94866E161290}.exe	40
PID 1792 wrote to memory of 2636	1792	{14B30C35-67DE-45bd-9398-94866E161290}.exe	40
PID 1792 wrote to memory of 2632	1792	{14B30C35-67DE-45bd-9398-94866E161290}.exe	41
PID 1792 wrote to memory of 2632	1792	{14B30C35-67DE-45bd-9398-94866E161290}.exe	41
PID 1792 wrote to memory of 2632	1792	{14B30C35-67DE-45bd-9398-94866E161290}.exe	41
PID 1792 wrote to memory of 2632	1792	{14B30C35-67DE-45bd-9398-94866E161290}.exe	41
PID 2636 wrote to memory of 1956	2636	{79B1EA01-F56D-41a7-85EF-099F0A210EBE}.exe	42
PID 2636 wrote to memory of 1956	2636	{79B1EA01-F56D-41a7-85EF-099F0A210EBE}.exe	42
PID 2636 wrote to memory of 1956	2636	{79B1EA01-F56D-41a7-85EF-099F0A210EBE}.exe	42
PID 2636 wrote to memory of 1956	2636	{79B1EA01-F56D-41a7-85EF-099F0A210EBE}.exe	42
PID 2636 wrote to memory of 856	2636	{79B1EA01-F56D-41a7-85EF-099F0A210EBE}.exe	43
PID 2636 wrote to memory of 856	2636	{79B1EA01-F56D-41a7-85EF-099F0A210EBE}.exe	43
PID 2636 wrote to memory of 856	2636	{79B1EA01-F56D-41a7-85EF-099F0A210EBE}.exe	43
PID 2636 wrote to memory of 856	2636	{79B1EA01-F56D-41a7-85EF-099F0A210EBE}.exe	43
PID 1956 wrote to memory of 2044	1956	{1E9A076D-2795-4c0a-81A9-AC279488F972}.exe	44
PID 1956 wrote to memory of 2044	1956	{1E9A076D-2795-4c0a-81A9-AC279488F972}.exe	44
PID 1956 wrote to memory of 2044	1956	{1E9A076D-2795-4c0a-81A9-AC279488F972}.exe	44
PID 1956 wrote to memory of 2044	1956	{1E9A076D-2795-4c0a-81A9-AC279488F972}.exe	44
PID 1956 wrote to memory of 2740	1956	{1E9A076D-2795-4c0a-81A9-AC279488F972}.exe	45
PID 1956 wrote to memory of 2740	1956	{1E9A076D-2795-4c0a-81A9-AC279488F972}.exe	45
PID 1956 wrote to memory of 2740	1956	{1E9A076D-2795-4c0a-81A9-AC279488F972}.exe	45
PID 1956 wrote to memory of 2740	1956	{1E9A076D-2795-4c0a-81A9-AC279488F972}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-04-20_0af3c4c39595ac5ca0535318843c6aae_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-20_0af3c4c39595ac5ca0535318843c6aae_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2772
- C:\Windows\{206F8012-4970-483a-9911-A8D8B1A01F89}.exe
  C:\Windows\{206F8012-4970-483a-9911-A8D8B1A01F89}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1532
- - C:\Windows\{D9CFEF30-19C6-4146-ADC2-77A868A6DE0A}.exe
    C:\Windows\{D9CFEF30-19C6-4146-ADC2-77A868A6DE0A}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1548
  - - C:\Windows\{9B65A1CE-EE50-48be-8521-C3C317AFB8AD}.exe
      C:\Windows\{9B65A1CE-EE50-48be-8521-C3C317AFB8AD}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2696
    - - C:\Windows\{FA27DC34-B032-4d46-964B-7C643C599C55}.exe
        
        C:\Windows\{FA27DC34-B032-4d46-964B-7C643C599C55}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2700
      - C:\Windows\{14B30C35-67DE-45bd-9398-94866E161290}.exe
        
        C:\Windows\{14B30C35-67DE-45bd-9398-94866E161290}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1792
        
        C:\Windows\{79B1EA01-F56D-41a7-85EF-099F0A210EBE}.exe
        
        C:\Windows\{79B1EA01-F56D-41a7-85EF-099F0A210EBE}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2636
        
        C:\Windows\{1E9A076D-2795-4c0a-81A9-AC279488F972}.exe
        
        C:\Windows\{1E9A076D-2795-4c0a-81A9-AC279488F972}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1956
        
        C:\Windows\{09F40046-4316-4cae-806E-C6D39FF3454D}.exe
        
        C:\Windows\{09F40046-4316-4cae-806E-C6D39FF3454D}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2044
        
        C:\Windows\{DF164A06-E1E4-4f81-9BA2-A1E86A56B149}.exe
        
        C:\Windows\{DF164A06-E1E4-4f81-9BA2-A1E86A56B149}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1772
        
        C:\Windows\{9D45ABA6-6439-4f8a-8709-581C0156346A}.exe
        
        C:\Windows\{9D45ABA6-6439-4f8a-8709-581C0156346A}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2760
        
        C:\Windows\{8CABE507-68C6-40ef-A1C2-70B6A82FD04A}.exe
        
        C:\Windows\{8CABE507-68C6-40ef-A1C2-70B6A82FD04A}.exe
        12⤵
        Executes dropped EXE
        
        PID:2796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9D45A~1.EXE > nul
        12⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DF164~1.EXE > nul
        11⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{09F40~1.EXE > nul
        10⤵
        
        PID:1020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1E9A0~1.EXE > nul
        9⤵
        
        PID:2740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{79B1E~1.EXE > nul
        8⤵
        
        PID:856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{14B30~1.EXE > nul
        7⤵
        
        PID:2632
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FA27D~1.EXE > nul
        6⤵
        
        PID:1876
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9B65A~1.EXE > nul
        5⤵
        
        PID:1016
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{D9CFE~1.EXE > nul
      4⤵
      PID:2428
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{206F8~1.EXE > nul
    3⤵
    PID:2612
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{09F40046-4316-4cae-806E-C6D39FF3454D}.exe

Filesize
372KB

MD5
eb6a8e3897c3fce69aa3195c258d97b8

SHA1
a7166c1909c84ee86a4c015223360295d2ddf38d

SHA256
6f6401990772c5cfaa5f81deb0c7b983d7bbff2fd613a23f2d41932fffdc07fa

SHA512
4f5a70bcd8622385b6615f0356a5416dd738d34366631b8506eba323f7d7802ca185b6806339e593b5856a4cdbc9a6d53a08fa9f75c8ef8477ad04ed4c5ac673

Download Submit
C:\Windows\{14B30C35-67DE-45bd-9398-94866E161290}.exe

Filesize
372KB

MD5
8cd87315f213b8a9416ee2c9a204dd5f

SHA1
975b3802f89acbebe4b5fb21bfb90a53eff3e494

SHA256
21b66b940ce25f301406089b58b9815427f26d37606a8c6938b3454762be17a1

SHA512
001ed512e7d07bece26aadecbc751d77c806e4560ea8624ebcf26c9412f6b6b0466b73714436a2bd4c91dfcb91b934619d7c35096d8d6ed7d149d89a3ac4984c

Download Submit
C:\Windows\{1E9A076D-2795-4c0a-81A9-AC279488F972}.exe

Filesize
372KB

MD5
93d1f19a019a4eb9ad29d7814cf32182

SHA1
32a865f3d71dce6dcb7f2d9dd82ac981358a33d7

SHA256
4a7a3b7b212845233009a5147daa66e3e9d2a5b04bb583689f18c0f6dbc349a3

SHA512
4a47d7d01e8b96a874311375b4f5e2f3097e0abfe2dea6fcff3d317a7f7d4cda82b13639c0204ce797c5beb3ade85143868f1a7c3a1479c76351d77968c9c961

Download Submit
C:\Windows\{206F8012-4970-483a-9911-A8D8B1A01F89}.exe

Filesize
372KB

MD5
398bf9e1af4f358f2d64df54ed995d94

SHA1
9b2665bee821ffdc6f0349999ab754ff779f68a6

SHA256
01d315d7a301df29061fa1931bd3fa457b5e86a024c77eb2445094cd2117f071

SHA512
65cb84998f84e11a375dd6a6a9d9a1f0aed128c1c31b15649b99c13b0d6434f288f91eb4d909c05c99da359c5a8f44f206a886630ebe583e42f988139afaa98d

Download Submit
C:\Windows\{79B1EA01-F56D-41a7-85EF-099F0A210EBE}.exe

Filesize
372KB

MD5
2ebe51dde83cac8b91b22a01fcff7b9b

SHA1
d213083f0d2d784a0d87cdf4c2ee9290307d9fa1

SHA256
7d2723b21e8d6d4729b757e6f22196baafaa26619fc38ccbf8f88e0d49ccbf00

SHA512
887332c1a830d44a6fcde5b6def620014347bb58e8b1acf50543423f60abf13e2ea5dea8e40ddffb29997bda84aebbc8004bab0cd78450bfd19f6498e7afa9fa

Download Submit
C:\Windows\{8CABE507-68C6-40ef-A1C2-70B6A82FD04A}.exe

Filesize
372KB

MD5
6c71330e16ffa6da7fd26dbd19392dce

SHA1
6ec10d6a2c2199bbe83619370d5682f40074ebfe

SHA256
69239e2745d2ae318a6b2b67cd4d2e12c95943d3acf5fe9272115cc1b9be7aa7

SHA512
e6001e99998a1b712e6df6e7672634c608f6209085c415fdfdf7472cd6dbce016c1459842fb862f75f469ac3206225f0492233cdba1999717d44cfda933eace2

Download Submit
C:\Windows\{9B65A1CE-EE50-48be-8521-C3C317AFB8AD}.exe

Filesize
372KB

MD5
94bef7ff5f898c7070089d0fb1807453

SHA1
8027953e921f731d69cf48ac7969dda43df2111a

SHA256
596e2c89d66fc3fc7ba62f1f3010fc068a37610406937ad00b132f37be78d481

SHA512
3d7ddd80440bab9d117cffe93c5ce1f298dd9e5184e0761a9f3dd54a39f57719868127f385adac25dd78a43696e9be73ea362917353006415ac83bad4ca449b7

Download Submit
C:\Windows\{9D45ABA6-6439-4f8a-8709-581C0156346A}.exe

Filesize
372KB

MD5
1b48c8665ded734f89f35a9df9777abf

SHA1
d3363dcfee7e5c3965c23ea45a579b85eeae3167

SHA256
7ddc16c9b8f472fdbee7b9ae9627d4475d31ea22eb74dbb031ae61bead27fa9e

SHA512
61a6d5cf7a544fda51b0e825870809a1401cc587ae879c8ef6a8a8a94fd053ed746513d8f4e6ad12d7fd49960774229a499d24aee7c9e2046d4d0db316ef95df

Download Submit
C:\Windows\{D9CFEF30-19C6-4146-ADC2-77A868A6DE0A}.exe

Filesize
372KB

MD5
a12d2d72c9d029ae6efc66cad205e7f2

SHA1
c007fb7a824f5d0b4b2ca9b7f24f65e49e7185d8

SHA256
f98151354bb3f834d76f1946c750207d9ea27567ea8dd965d41ab8c187e89b95

SHA512
3304c55809d81e59ea83f9c43b7ba53d2be08bb3ef1b597ca332e4160aaea3005268934855691e382603c422d32ec4f09b5e1455f4683e79507779642e1f3a56

Download Submit
C:\Windows\{DF164A06-E1E4-4f81-9BA2-A1E86A56B149}.exe

Filesize
372KB

MD5
44e42d927e6a67711347df512271bc1c

SHA1
b4fab7550f46002f242eeb08aae791fd9b89ba70

SHA256
3cfb86c5d05ac6f4960d97423ff2b588be0ae5b7f59528d2f07bb56b1fbfde6c

SHA512
af9bfb195a89ac3a54b09039ad03b9753aa17f4692e419df979113a8b4b2c8cb5ceaeb9d955d2de0df86e57a68e392bb5c71e2126a1833523144cd26eee054ae

Download Submit
C:\Windows\{FA27DC34-B032-4d46-964B-7C643C599C55}.exe

Filesize
372KB

MD5
42b2cee6887cb40f5b4d2a6a5c04363c

SHA1
e2c815db84d1a659dd4d50a692247c6ac81d6deb

SHA256
994c676b859aaac113ed291bfe85984fe58756ee8799c2bb5d99c45115be6387

SHA512
da8edc7ffd39c5ecb187c1ca6e72c90933665a44a40a7cf6cd8b9ce757a1ac7bdc30afec9da04aa4d1d68965c4869795dab5c9f42530c9ff2c570178d430abfc

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads