e50098d0d0a208b9c4862245cf6eb78825a1f3f16614895003779c4d9a410b69

Analysis

max time kernel
144s
max time network
120s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
22/04/2024, 13:10

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-04-22_c6c1c4e74676dc5d53a76e3b90dd9cd1_goldeneye.exe
Size

216KB
MD5

c6c1c4e74676dc5d53a76e3b90dd9cd1
SHA1

2a9cc25889bc625a0d0b7c44ed99cb695db10b0a
SHA256

e50098d0d0a208b9c4862245cf6eb78825a1f3f16614895003779c4d9a410b69
SHA512

09d848042cf39ae0478fb9922d7c19227a9c9abdb0d31ac1358b7e7eae04c538aacda0466be8a6493880122adb7170b8e2c0c1eaddf6984190c7bf891740b495
SSDEEP

3072:jEGh0oMl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEGilEeKcAEcGy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000a000000012251-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000014228-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b000000012251-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x003600000001443b-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000012251-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000012251-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e000000012251-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{80C50111-F6E0-40fa-9819-663BEE3C3D0A}\stubpath = "C:\\Windows\\{80C50111-F6E0-40fa-9819-663BEE3C3D0A}.exe"	{5B55F3EF-B1EF-47ac-9884-BF096073631A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BBA07CC5-27BC-40f2-B3AB-9C93BBE97208}	{D9EA93F9-F290-45f5-98D8-C275D4DC67BC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BBA07CC5-27BC-40f2-B3AB-9C93BBE97208}\stubpath = "C:\\Windows\\{BBA07CC5-27BC-40f2-B3AB-9C93BBE97208}.exe"	{D9EA93F9-F290-45f5-98D8-C275D4DC67BC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5B55F3EF-B1EF-47ac-9884-BF096073631A}\stubpath = "C:\\Windows\\{5B55F3EF-B1EF-47ac-9884-BF096073631A}.exe"	{87EFD376-8A75-4ce0-ADE2-DACC2B3D52C3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D9EA93F9-F290-45f5-98D8-C275D4DC67BC}\stubpath = "C:\\Windows\\{D9EA93F9-F290-45f5-98D8-C275D4DC67BC}.exe"	{2A742188-9E51-4a70-86EC-DD537F4DE909}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{301B3255-EAC0-400c-94BE-EAD0CBA5E931}	{BBA07CC5-27BC-40f2-B3AB-9C93BBE97208}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3B6FA224-90F8-466c-957C-A19DCEBA2FC7}	{A80ABA54-B8EB-4e65-B27A-144B1806F945}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D9EA93F9-F290-45f5-98D8-C275D4DC67BC}	{2A742188-9E51-4a70-86EC-DD537F4DE909}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{87EFD376-8A75-4ce0-ADE2-DACC2B3D52C3}	{9B709585-6FE2-4848-BA74-A223870947BA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{87EFD376-8A75-4ce0-ADE2-DACC2B3D52C3}\stubpath = "C:\\Windows\\{87EFD376-8A75-4ce0-ADE2-DACC2B3D52C3}.exe"	{9B709585-6FE2-4848-BA74-A223870947BA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5B55F3EF-B1EF-47ac-9884-BF096073631A}	{87EFD376-8A75-4ce0-ADE2-DACC2B3D52C3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{80C50111-F6E0-40fa-9819-663BEE3C3D0A}	{5B55F3EF-B1EF-47ac-9884-BF096073631A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2A742188-9E51-4a70-86EC-DD537F4DE909}	{80C50111-F6E0-40fa-9819-663BEE3C3D0A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2A742188-9E51-4a70-86EC-DD537F4DE909}\stubpath = "C:\\Windows\\{2A742188-9E51-4a70-86EC-DD537F4DE909}.exe"	{80C50111-F6E0-40fa-9819-663BEE3C3D0A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{301B3255-EAC0-400c-94BE-EAD0CBA5E931}\stubpath = "C:\\Windows\\{301B3255-EAC0-400c-94BE-EAD0CBA5E931}.exe"	{BBA07CC5-27BC-40f2-B3AB-9C93BBE97208}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0936B11D-A68C-4b45-B80B-A21C1503EF8A}	2024-04-22_c6c1c4e74676dc5d53a76e3b90dd9cd1_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A80ABA54-B8EB-4e65-B27A-144B1806F945}\stubpath = "C:\\Windows\\{A80ABA54-B8EB-4e65-B27A-144B1806F945}.exe"	{301B3255-EAC0-400c-94BE-EAD0CBA5E931}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9B709585-6FE2-4848-BA74-A223870947BA}	{0936B11D-A68C-4b45-B80B-A21C1503EF8A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9B709585-6FE2-4848-BA74-A223870947BA}\stubpath = "C:\\Windows\\{9B709585-6FE2-4848-BA74-A223870947BA}.exe"	{0936B11D-A68C-4b45-B80B-A21C1503EF8A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A80ABA54-B8EB-4e65-B27A-144B1806F945}	{301B3255-EAC0-400c-94BE-EAD0CBA5E931}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3B6FA224-90F8-466c-957C-A19DCEBA2FC7}\stubpath = "C:\\Windows\\{3B6FA224-90F8-466c-957C-A19DCEBA2FC7}.exe"	{A80ABA54-B8EB-4e65-B27A-144B1806F945}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0936B11D-A68C-4b45-B80B-A21C1503EF8A}\stubpath = "C:\\Windows\\{0936B11D-A68C-4b45-B80B-A21C1503EF8A}.exe"	2024-04-22_c6c1c4e74676dc5d53a76e3b90dd9cd1_goldeneye.exe

Deletes itself 1 IoCs

pid	Process
3068	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2724	{0936B11D-A68C-4b45-B80B-A21C1503EF8A}.exe
2656	{9B709585-6FE2-4848-BA74-A223870947BA}.exe
2660	{87EFD376-8A75-4ce0-ADE2-DACC2B3D52C3}.exe
1872	{5B55F3EF-B1EF-47ac-9884-BF096073631A}.exe
3024	{80C50111-F6E0-40fa-9819-663BEE3C3D0A}.exe
2816	{2A742188-9E51-4a70-86EC-DD537F4DE909}.exe
2624	{D9EA93F9-F290-45f5-98D8-C275D4DC67BC}.exe
2844	{BBA07CC5-27BC-40f2-B3AB-9C93BBE97208}.exe
1728	{301B3255-EAC0-400c-94BE-EAD0CBA5E931}.exe
2336	{A80ABA54-B8EB-4e65-B27A-144B1806F945}.exe
488	{3B6FA224-90F8-466c-957C-A19DCEBA2FC7}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{3B6FA224-90F8-466c-957C-A19DCEBA2FC7}.exe	{A80ABA54-B8EB-4e65-B27A-144B1806F945}.exe
File created	C:\Windows\{9B709585-6FE2-4848-BA74-A223870947BA}.exe	{0936B11D-A68C-4b45-B80B-A21C1503EF8A}.exe
File created	C:\Windows\{80C50111-F6E0-40fa-9819-663BEE3C3D0A}.exe	{5B55F3EF-B1EF-47ac-9884-BF096073631A}.exe
File created	C:\Windows\{D9EA93F9-F290-45f5-98D8-C275D4DC67BC}.exe	{2A742188-9E51-4a70-86EC-DD537F4DE909}.exe
File created	C:\Windows\{301B3255-EAC0-400c-94BE-EAD0CBA5E931}.exe	{BBA07CC5-27BC-40f2-B3AB-9C93BBE97208}.exe
File created	C:\Windows\{A80ABA54-B8EB-4e65-B27A-144B1806F945}.exe	{301B3255-EAC0-400c-94BE-EAD0CBA5E931}.exe
File created	C:\Windows\{0936B11D-A68C-4b45-B80B-A21C1503EF8A}.exe	2024-04-22_c6c1c4e74676dc5d53a76e3b90dd9cd1_goldeneye.exe
File created	C:\Windows\{87EFD376-8A75-4ce0-ADE2-DACC2B3D52C3}.exe	{9B709585-6FE2-4848-BA74-A223870947BA}.exe
File created	C:\Windows\{5B55F3EF-B1EF-47ac-9884-BF096073631A}.exe	{87EFD376-8A75-4ce0-ADE2-DACC2B3D52C3}.exe
File created	C:\Windows\{2A742188-9E51-4a70-86EC-DD537F4DE909}.exe	{80C50111-F6E0-40fa-9819-663BEE3C3D0A}.exe
File created	C:\Windows\{BBA07CC5-27BC-40f2-B3AB-9C93BBE97208}.exe	{D9EA93F9-F290-45f5-98D8-C275D4DC67BC}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2372	2024-04-22_c6c1c4e74676dc5d53a76e3b90dd9cd1_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2724	{0936B11D-A68C-4b45-B80B-A21C1503EF8A}.exe
Token: SeIncBasePriorityPrivilege	2656	{9B709585-6FE2-4848-BA74-A223870947BA}.exe
Token: SeIncBasePriorityPrivilege	2660	{87EFD376-8A75-4ce0-ADE2-DACC2B3D52C3}.exe
Token: SeIncBasePriorityPrivilege	1872	{5B55F3EF-B1EF-47ac-9884-BF096073631A}.exe
Token: SeIncBasePriorityPrivilege	3024	{80C50111-F6E0-40fa-9819-663BEE3C3D0A}.exe
Token: SeIncBasePriorityPrivilege	2816	{2A742188-9E51-4a70-86EC-DD537F4DE909}.exe
Token: SeIncBasePriorityPrivilege	2624	{D9EA93F9-F290-45f5-98D8-C275D4DC67BC}.exe
Token: SeIncBasePriorityPrivilege	2844	{BBA07CC5-27BC-40f2-B3AB-9C93BBE97208}.exe
Token: SeIncBasePriorityPrivilege	1728	{301B3255-EAC0-400c-94BE-EAD0CBA5E931}.exe
Token: SeIncBasePriorityPrivilege	2336	{A80ABA54-B8EB-4e65-B27A-144B1806F945}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2372 wrote to memory of 2724	2372	2024-04-22_c6c1c4e74676dc5d53a76e3b90dd9cd1_goldeneye.exe	28
PID 2372 wrote to memory of 2724	2372	2024-04-22_c6c1c4e74676dc5d53a76e3b90dd9cd1_goldeneye.exe	28
PID 2372 wrote to memory of 2724	2372	2024-04-22_c6c1c4e74676dc5d53a76e3b90dd9cd1_goldeneye.exe	28
PID 2372 wrote to memory of 2724	2372	2024-04-22_c6c1c4e74676dc5d53a76e3b90dd9cd1_goldeneye.exe	28
PID 2372 wrote to memory of 3068	2372	2024-04-22_c6c1c4e74676dc5d53a76e3b90dd9cd1_goldeneye.exe	29
PID 2372 wrote to memory of 3068	2372	2024-04-22_c6c1c4e74676dc5d53a76e3b90dd9cd1_goldeneye.exe	29
PID 2372 wrote to memory of 3068	2372	2024-04-22_c6c1c4e74676dc5d53a76e3b90dd9cd1_goldeneye.exe	29
PID 2372 wrote to memory of 3068	2372	2024-04-22_c6c1c4e74676dc5d53a76e3b90dd9cd1_goldeneye.exe	29
PID 2724 wrote to memory of 2656	2724	{0936B11D-A68C-4b45-B80B-A21C1503EF8A}.exe	30
PID 2724 wrote to memory of 2656	2724	{0936B11D-A68C-4b45-B80B-A21C1503EF8A}.exe	30
PID 2724 wrote to memory of 2656	2724	{0936B11D-A68C-4b45-B80B-A21C1503EF8A}.exe	30
PID 2724 wrote to memory of 2656	2724	{0936B11D-A68C-4b45-B80B-A21C1503EF8A}.exe	30
PID 2724 wrote to memory of 2880	2724	{0936B11D-A68C-4b45-B80B-A21C1503EF8A}.exe	31
PID 2724 wrote to memory of 2880	2724	{0936B11D-A68C-4b45-B80B-A21C1503EF8A}.exe	31
PID 2724 wrote to memory of 2880	2724	{0936B11D-A68C-4b45-B80B-A21C1503EF8A}.exe	31
PID 2724 wrote to memory of 2880	2724	{0936B11D-A68C-4b45-B80B-A21C1503EF8A}.exe	31
PID 2656 wrote to memory of 2660	2656	{9B709585-6FE2-4848-BA74-A223870947BA}.exe	32
PID 2656 wrote to memory of 2660	2656	{9B709585-6FE2-4848-BA74-A223870947BA}.exe	32
PID 2656 wrote to memory of 2660	2656	{9B709585-6FE2-4848-BA74-A223870947BA}.exe	32
PID 2656 wrote to memory of 2660	2656	{9B709585-6FE2-4848-BA74-A223870947BA}.exe	32
PID 2656 wrote to memory of 2692	2656	{9B709585-6FE2-4848-BA74-A223870947BA}.exe	33
PID 2656 wrote to memory of 2692	2656	{9B709585-6FE2-4848-BA74-A223870947BA}.exe	33
PID 2656 wrote to memory of 2692	2656	{9B709585-6FE2-4848-BA74-A223870947BA}.exe	33
PID 2656 wrote to memory of 2692	2656	{9B709585-6FE2-4848-BA74-A223870947BA}.exe	33
PID 2660 wrote to memory of 1872	2660	{87EFD376-8A75-4ce0-ADE2-DACC2B3D52C3}.exe	36
PID 2660 wrote to memory of 1872	2660	{87EFD376-8A75-4ce0-ADE2-DACC2B3D52C3}.exe	36
PID 2660 wrote to memory of 1872	2660	{87EFD376-8A75-4ce0-ADE2-DACC2B3D52C3}.exe	36
PID 2660 wrote to memory of 1872	2660	{87EFD376-8A75-4ce0-ADE2-DACC2B3D52C3}.exe	36
PID 2660 wrote to memory of 2708	2660	{87EFD376-8A75-4ce0-ADE2-DACC2B3D52C3}.exe	37
PID 2660 wrote to memory of 2708	2660	{87EFD376-8A75-4ce0-ADE2-DACC2B3D52C3}.exe	37
PID 2660 wrote to memory of 2708	2660	{87EFD376-8A75-4ce0-ADE2-DACC2B3D52C3}.exe	37
PID 2660 wrote to memory of 2708	2660	{87EFD376-8A75-4ce0-ADE2-DACC2B3D52C3}.exe	37
PID 1872 wrote to memory of 3024	1872	{5B55F3EF-B1EF-47ac-9884-BF096073631A}.exe	38
PID 1872 wrote to memory of 3024	1872	{5B55F3EF-B1EF-47ac-9884-BF096073631A}.exe	38
PID 1872 wrote to memory of 3024	1872	{5B55F3EF-B1EF-47ac-9884-BF096073631A}.exe	38
PID 1872 wrote to memory of 3024	1872	{5B55F3EF-B1EF-47ac-9884-BF096073631A}.exe	38
PID 1872 wrote to memory of 2480	1872	{5B55F3EF-B1EF-47ac-9884-BF096073631A}.exe	39
PID 1872 wrote to memory of 2480	1872	{5B55F3EF-B1EF-47ac-9884-BF096073631A}.exe	39
PID 1872 wrote to memory of 2480	1872	{5B55F3EF-B1EF-47ac-9884-BF096073631A}.exe	39
PID 1872 wrote to memory of 2480	1872	{5B55F3EF-B1EF-47ac-9884-BF096073631A}.exe	39
PID 3024 wrote to memory of 2816	3024	{80C50111-F6E0-40fa-9819-663BEE3C3D0A}.exe	40
PID 3024 wrote to memory of 2816	3024	{80C50111-F6E0-40fa-9819-663BEE3C3D0A}.exe	40
PID 3024 wrote to memory of 2816	3024	{80C50111-F6E0-40fa-9819-663BEE3C3D0A}.exe	40
PID 3024 wrote to memory of 2816	3024	{80C50111-F6E0-40fa-9819-663BEE3C3D0A}.exe	40
PID 3024 wrote to memory of 1984	3024	{80C50111-F6E0-40fa-9819-663BEE3C3D0A}.exe	41
PID 3024 wrote to memory of 1984	3024	{80C50111-F6E0-40fa-9819-663BEE3C3D0A}.exe	41
PID 3024 wrote to memory of 1984	3024	{80C50111-F6E0-40fa-9819-663BEE3C3D0A}.exe	41
PID 3024 wrote to memory of 1984	3024	{80C50111-F6E0-40fa-9819-663BEE3C3D0A}.exe	41
PID 2816 wrote to memory of 2624	2816	{2A742188-9E51-4a70-86EC-DD537F4DE909}.exe	42
PID 2816 wrote to memory of 2624	2816	{2A742188-9E51-4a70-86EC-DD537F4DE909}.exe	42
PID 2816 wrote to memory of 2624	2816	{2A742188-9E51-4a70-86EC-DD537F4DE909}.exe	42
PID 2816 wrote to memory of 2624	2816	{2A742188-9E51-4a70-86EC-DD537F4DE909}.exe	42
PID 2816 wrote to memory of 2616	2816	{2A742188-9E51-4a70-86EC-DD537F4DE909}.exe	43
PID 2816 wrote to memory of 2616	2816	{2A742188-9E51-4a70-86EC-DD537F4DE909}.exe	43
PID 2816 wrote to memory of 2616	2816	{2A742188-9E51-4a70-86EC-DD537F4DE909}.exe	43
PID 2816 wrote to memory of 2616	2816	{2A742188-9E51-4a70-86EC-DD537F4DE909}.exe	43
PID 2624 wrote to memory of 2844	2624	{D9EA93F9-F290-45f5-98D8-C275D4DC67BC}.exe	44
PID 2624 wrote to memory of 2844	2624	{D9EA93F9-F290-45f5-98D8-C275D4DC67BC}.exe	44
PID 2624 wrote to memory of 2844	2624	{D9EA93F9-F290-45f5-98D8-C275D4DC67BC}.exe	44
PID 2624 wrote to memory of 2844	2624	{D9EA93F9-F290-45f5-98D8-C275D4DC67BC}.exe	44
PID 2624 wrote to memory of 2324	2624	{D9EA93F9-F290-45f5-98D8-C275D4DC67BC}.exe	45
PID 2624 wrote to memory of 2324	2624	{D9EA93F9-F290-45f5-98D8-C275D4DC67BC}.exe	45
PID 2624 wrote to memory of 2324	2624	{D9EA93F9-F290-45f5-98D8-C275D4DC67BC}.exe	45
PID 2624 wrote to memory of 2324	2624	{D9EA93F9-F290-45f5-98D8-C275D4DC67BC}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-04-22_c6c1c4e74676dc5d53a76e3b90dd9cd1_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-22_c6c1c4e74676dc5d53a76e3b90dd9cd1_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2372
- C:\Windows\{0936B11D-A68C-4b45-B80B-A21C1503EF8A}.exe
  C:\Windows\{0936B11D-A68C-4b45-B80B-A21C1503EF8A}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2724
- - C:\Windows\{9B709585-6FE2-4848-BA74-A223870947BA}.exe
    C:\Windows\{9B709585-6FE2-4848-BA74-A223870947BA}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2656
  - - C:\Windows\{87EFD376-8A75-4ce0-ADE2-DACC2B3D52C3}.exe
      C:\Windows\{87EFD376-8A75-4ce0-ADE2-DACC2B3D52C3}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2660
    - - C:\Windows\{5B55F3EF-B1EF-47ac-9884-BF096073631A}.exe
        
        C:\Windows\{5B55F3EF-B1EF-47ac-9884-BF096073631A}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1872
      - C:\Windows\{80C50111-F6E0-40fa-9819-663BEE3C3D0A}.exe
        
        C:\Windows\{80C50111-F6E0-40fa-9819-663BEE3C3D0A}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3024
        
        C:\Windows\{2A742188-9E51-4a70-86EC-DD537F4DE909}.exe
        
        C:\Windows\{2A742188-9E51-4a70-86EC-DD537F4DE909}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2816
        
        C:\Windows\{D9EA93F9-F290-45f5-98D8-C275D4DC67BC}.exe
        
        C:\Windows\{D9EA93F9-F290-45f5-98D8-C275D4DC67BC}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2624
        
        C:\Windows\{BBA07CC5-27BC-40f2-B3AB-9C93BBE97208}.exe
        
        C:\Windows\{BBA07CC5-27BC-40f2-B3AB-9C93BBE97208}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2844
        
        C:\Windows\{301B3255-EAC0-400c-94BE-EAD0CBA5E931}.exe
        
        C:\Windows\{301B3255-EAC0-400c-94BE-EAD0CBA5E931}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1728
        
        C:\Windows\{A80ABA54-B8EB-4e65-B27A-144B1806F945}.exe
        
        C:\Windows\{A80ABA54-B8EB-4e65-B27A-144B1806F945}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2336
        
        C:\Windows\{3B6FA224-90F8-466c-957C-A19DCEBA2FC7}.exe
        
        C:\Windows\{3B6FA224-90F8-466c-957C-A19DCEBA2FC7}.exe
        12⤵
        Executes dropped EXE
        
        PID:488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A80AB~1.EXE > nul
        12⤵
        
        PID:1028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{301B3~1.EXE > nul
        11⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BBA07~1.EXE > nul
        10⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D9EA9~1.EXE > nul
        9⤵
        
        PID:2324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2A742~1.EXE > nul
        8⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{80C50~1.EXE > nul
        7⤵
        
        PID:1984
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5B55F~1.EXE > nul
        6⤵
        
        PID:2480
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{87EFD~1.EXE > nul
        5⤵
        
        PID:2708
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{9B709~1.EXE > nul
      4⤵
      PID:2692
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{0936B~1.EXE > nul
    3⤵
    PID:2880
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:3068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0936B11D-A68C-4b45-B80B-A21C1503EF8A}.exe

Filesize
216KB

MD5
7b5653521f2064283762b727584eca73

SHA1
7b6da62b07c43ee120d117cf89891fe45ea6b77c

SHA256
356a296d4652fd59e30af661ad009f53feb7894c6f9f1eab09633e495ea993ce

SHA512
c19c2dd52ffe5d8f5648c160cbc0f0bfb256c356364d47550900f7605c1d1b52c58e127be11be1e62ec399751cdeace960e61f4ae5ece29fd20a2325b60e624e

Download Submit
C:\Windows\{2A742188-9E51-4a70-86EC-DD537F4DE909}.exe

Filesize
216KB

MD5
f775e931836fb86b0a75588a13bae545

SHA1
d31b5cb5dac7f27258d93d47a146459855a3dd4a

SHA256
902436de50013fa2b3861bcb3cf135010cb7317b5943036ff919bf0ec7b77765

SHA512
ceeca79e66d641e0b5b20fdc8d099313b162bb26107c2278af5beb815944f10e9fd778a3e97e095eb84c5159f6edefd7deb10873589125845080b65cccc380b0

Download Submit
C:\Windows\{301B3255-EAC0-400c-94BE-EAD0CBA5E931}.exe

Filesize
216KB

MD5
553a2370213c646922782265e21ac133

SHA1
df7133f16a4bebffc2c049f399e716e6a7ce8d9b

SHA256
62a2bca9f9be47260f8b06144732b0bc6acc8d16b289988ed77ed0946137ce1c

SHA512
a5e2d46ae1b8ac961e94fcd5ec0619cc55a85fd837d81668fd002417aada0756a74399028f5ca87222e52546f88658f7a2ef147a5fa3522f834cfd6c57836bac

Download Submit
C:\Windows\{3B6FA224-90F8-466c-957C-A19DCEBA2FC7}.exe

Filesize
216KB

MD5
3bc51835b2d427cdf4e0e9099e0c1ccd

SHA1
119c49a8e3b1c9de6a59226e3b8f07d327f29aec

SHA256
8455d004d3e4b33556d74ee0f12db0dd563ea98b181c62dd7681b0922f23648a

SHA512
1e791085e8317dd125e3bc54af7a39caaef2a8600415379ca26d893dcee326d98340f3d3372b96b3e6d036e02b6fb7d68ebfbfb8a357a3f61330ea0f61a70172

Download Submit
C:\Windows\{5B55F3EF-B1EF-47ac-9884-BF096073631A}.exe

Filesize
216KB

MD5
596e73afc8dbfad6718e77229d093ac0

SHA1
f8784e1ab0014fb7dbd168a1ea94800366e6053d

SHA256
a20424a49b32c2f78529d2bfdb9bef0f1ebfb0d6de4605f55a8a36ae3455e35e

SHA512
dc44d2e4aadd58cf729f2a9c72c9d60ff3e9cfe1370361afbc8c5dc6e8777ee64d6a04b2a415fd5275a720cc453700c72f69e316fd61b417e7903e1658177321

Download Submit
C:\Windows\{80C50111-F6E0-40fa-9819-663BEE3C3D0A}.exe

Filesize
216KB

MD5
377b58bb49e04b08365dec236ea3bf4f

SHA1
6ada50cec3ac7d135d010b4e865a9a67e2d30bbf

SHA256
8304d42e56eeb187db920fd4d0a4d5a5a4d56fddbbb71a8a59463b58f2518614

SHA512
9e23cf61543924b78ab75856f8f71ff025be062ed3b9eaf8cc0066b021544738b7da64d7a730bff5ab3362e2b53c85c68dec77a496c02554e7d223b0c5693d1a

Download Submit
C:\Windows\{87EFD376-8A75-4ce0-ADE2-DACC2B3D52C3}.exe

Filesize
216KB

MD5
2cf2816ec257f0c0a5b4749d3278a359

SHA1
b5b29ca3bd0969ec8d8a1726e36722aea4cd69f7

SHA256
cf0865d5de2903d15598311e4236de862bfc5990117f516b805816b9d5f16740

SHA512
bba79202f97b1345c544c85bdc2a0f3c05c4a9847f6e4d0178e79977927fff0886e18c0fb6e926bb1c4318e4844a411d2155ae035f139cca7f684229ca6685b7

Download Submit
C:\Windows\{9B709585-6FE2-4848-BA74-A223870947BA}.exe

Filesize
216KB

MD5
d1da62517ec3e5168d727b92d6af1b4d

SHA1
fe48d43b3a5ae2d36c51d4603adc2f26811a4702

SHA256
f073b4015dfaa5f39f965ea8129d0e7a97c7482706e7301cb02d0e91ed3ae877

SHA512
3eea837a27666d3546f829b8e95fd2518da299418b75a5da3f71791571e06f54c6673559c1565ac31d827fe9c963ff4556eefa90530e624d8e130e3832128913

Download Submit
C:\Windows\{A80ABA54-B8EB-4e65-B27A-144B1806F945}.exe

Filesize
216KB

MD5
1362d88f4a2b64e1db78636f5e5af891

SHA1
9b2fac62787b09fc5f2a16a7f02c6b1363546a5d

SHA256
8313e781ab34f618cfbbb35919937fbab6ed25daf984ebb22f7c0823e3c421fe

SHA512
2b8fc348623bd6a47ea092ce2090ef5990a821a9bffa06be8352b1bc58f0d90d419915c30d5890cc8d51dddfba832744dd58044190427f5580c63f28972bbf57

Download Submit
C:\Windows\{BBA07CC5-27BC-40f2-B3AB-9C93BBE97208}.exe

Filesize
216KB

MD5
8b960260686f9f136a0ca3895b0654f1

SHA1
0d29a310eb02a46bd73c2bbfc50e7de2c91e328d

SHA256
595e5d2b54eda61e42d63f3caaf8ec7a6ca20bfe6044d05866feb3a209ecf1bc

SHA512
2114ff8234d7d276ee32234b873bdcddc2bdc6d27bab3306e1cf3a8bdaa0e74af80b73a4f4d7e6f1985d6693e89b81ce52017f4fc014639c121b32f714973784

Download Submit
C:\Windows\{D9EA93F9-F290-45f5-98D8-C275D4DC67BC}.exe

Filesize
216KB

MD5
b1fd5b230b01244e9f996ac5f2d13d6d

SHA1
db40cd74aab1f96133f158dc754f2a586ae29309

SHA256
1f8be4bc16a339250078f7ecf6b8443bb7608e4656049fad4b1671dbeda30af3

SHA512
4e0702395164440a7837a7e504b48ff705d952a05a63103dad600cd50962f5edce57f751aa32fe45f33734db7e3ed1c1aae2c6b3e714aa044459d2914b916895

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads