9b3bc1442e90e58ee7b33616cce548023135b289aafadba1ba44af466699fb92

Analysis

max time kernel
144s
max time network
125s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
26/04/2024, 03:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-26_0170e6ffd4d5d9148d1d68372991e16e_goldeneye.exe
Size

380KB
MD5

0170e6ffd4d5d9148d1d68372991e16e
SHA1

f4517115864083c914c33a29d09aaad42bcef407
SHA256

9b3bc1442e90e58ee7b33616cce548023135b289aafadba1ba44af466699fb92
SHA512

f283324558f651987cfa56de11738a9dcf79437aad5757963401434a5c281a8f201fc9165cda4dfaccbea412da9298e3c22f62eb6581d814139f44bd412a3fda
SSDEEP

3072:mEGh0o/lPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGpl7Oe2MUVg3v2IneKcAEcARy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 10 IoCs

resource	yara_rule
behavioral1/files/0x0009000000016d24-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000016d84-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a000000016d24-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000016d84-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000016d89-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000016d84-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000016d89-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000700000001704f-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000017090-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00020000000180e5-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 20 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1700F2B5-A942-4927-BEDA-61D22A9B004C}\stubpath = "C:\\Windows\\{1700F2B5-A942-4927-BEDA-61D22A9B004C}.exe"	2024-04-26_0170e6ffd4d5d9148d1d68372991e16e_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9F9CF1BB-9BFC-4063-BDF7-A0F28498D1EC}	{6B9E979D-4D47-4716-B8B3-E608E1DD5631}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1C5448B1-E4F4-475f-8A3E-4803D2146840}	{7554779B-9E40-40e9-AB41-A99D9B870F47}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7554779B-9E40-40e9-AB41-A99D9B870F47}\stubpath = "C:\\Windows\\{7554779B-9E40-40e9-AB41-A99D9B870F47}.exe"	{0B0C81D1-595E-45f4-9C29-12CD4FA2CB2D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C3B604FE-D4A8-420f-9B33-9E6EDCBD1A01}\stubpath = "C:\\Windows\\{C3B604FE-D4A8-420f-9B33-9E6EDCBD1A01}.exe"	{1C5448B1-E4F4-475f-8A3E-4803D2146840}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6B9E979D-4D47-4716-B8B3-E608E1DD5631}	{1700F2B5-A942-4927-BEDA-61D22A9B004C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0C048495-D367-4d23-B39A-F27153E19190}	{9F9CF1BB-9BFC-4063-BDF7-A0F28498D1EC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0C048495-D367-4d23-B39A-F27153E19190}\stubpath = "C:\\Windows\\{0C048495-D367-4d23-B39A-F27153E19190}.exe"	{9F9CF1BB-9BFC-4063-BDF7-A0F28498D1EC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B8C43093-A887-4874-9605-97D5D5E3C0A9}\stubpath = "C:\\Windows\\{B8C43093-A887-4874-9605-97D5D5E3C0A9}.exe"	{0C048495-D367-4d23-B39A-F27153E19190}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0B0C81D1-595E-45f4-9C29-12CD4FA2CB2D}	{B8C43093-A887-4874-9605-97D5D5E3C0A9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0B0C81D1-595E-45f4-9C29-12CD4FA2CB2D}\stubpath = "C:\\Windows\\{0B0C81D1-595E-45f4-9C29-12CD4FA2CB2D}.exe"	{B8C43093-A887-4874-9605-97D5D5E3C0A9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{11A4D531-F794-45cf-A8F4-DA25F70131F7}	{C3B604FE-D4A8-420f-9B33-9E6EDCBD1A01}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{11A4D531-F794-45cf-A8F4-DA25F70131F7}\stubpath = "C:\\Windows\\{11A4D531-F794-45cf-A8F4-DA25F70131F7}.exe"	{C3B604FE-D4A8-420f-9B33-9E6EDCBD1A01}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1700F2B5-A942-4927-BEDA-61D22A9B004C}	2024-04-26_0170e6ffd4d5d9148d1d68372991e16e_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6B9E979D-4D47-4716-B8B3-E608E1DD5631}\stubpath = "C:\\Windows\\{6B9E979D-4D47-4716-B8B3-E608E1DD5631}.exe"	{1700F2B5-A942-4927-BEDA-61D22A9B004C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B8C43093-A887-4874-9605-97D5D5E3C0A9}	{0C048495-D367-4d23-B39A-F27153E19190}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1C5448B1-E4F4-475f-8A3E-4803D2146840}\stubpath = "C:\\Windows\\{1C5448B1-E4F4-475f-8A3E-4803D2146840}.exe"	{7554779B-9E40-40e9-AB41-A99D9B870F47}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C3B604FE-D4A8-420f-9B33-9E6EDCBD1A01}	{1C5448B1-E4F4-475f-8A3E-4803D2146840}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9F9CF1BB-9BFC-4063-BDF7-A0F28498D1EC}\stubpath = "C:\\Windows\\{9F9CF1BB-9BFC-4063-BDF7-A0F28498D1EC}.exe"	{6B9E979D-4D47-4716-B8B3-E608E1DD5631}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7554779B-9E40-40e9-AB41-A99D9B870F47}	{0B0C81D1-595E-45f4-9C29-12CD4FA2CB2D}.exe

Deletes itself 1 IoCs

pid	Process
1620	cmd.exe

Executes dropped EXE 10 IoCs

pid	Process
876	{1700F2B5-A942-4927-BEDA-61D22A9B004C}.exe
1236	{6B9E979D-4D47-4716-B8B3-E608E1DD5631}.exe
592	{9F9CF1BB-9BFC-4063-BDF7-A0F28498D1EC}.exe
1736	{0C048495-D367-4d23-B39A-F27153E19190}.exe
1520	{B8C43093-A887-4874-9605-97D5D5E3C0A9}.exe
2452	{0B0C81D1-595E-45f4-9C29-12CD4FA2CB2D}.exe
2628	{7554779B-9E40-40e9-AB41-A99D9B870F47}.exe
2700	{1C5448B1-E4F4-475f-8A3E-4803D2146840}.exe
1836	{C3B604FE-D4A8-420f-9B33-9E6EDCBD1A01}.exe
3048	{11A4D531-F794-45cf-A8F4-DA25F70131F7}.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File created	C:\Windows\{1700F2B5-A942-4927-BEDA-61D22A9B004C}.exe	2024-04-26_0170e6ffd4d5d9148d1d68372991e16e_goldeneye.exe
File created	C:\Windows\{0C048495-D367-4d23-B39A-F27153E19190}.exe	{9F9CF1BB-9BFC-4063-BDF7-A0F28498D1EC}.exe
File created	C:\Windows\{B8C43093-A887-4874-9605-97D5D5E3C0A9}.exe	{0C048495-D367-4d23-B39A-F27153E19190}.exe
File created	C:\Windows\{7554779B-9E40-40e9-AB41-A99D9B870F47}.exe	{0B0C81D1-595E-45f4-9C29-12CD4FA2CB2D}.exe
File created	C:\Windows\{1C5448B1-E4F4-475f-8A3E-4803D2146840}.exe	{7554779B-9E40-40e9-AB41-A99D9B870F47}.exe
File created	C:\Windows\{11A4D531-F794-45cf-A8F4-DA25F70131F7}.exe	{C3B604FE-D4A8-420f-9B33-9E6EDCBD1A01}.exe
File created	C:\Windows\{6B9E979D-4D47-4716-B8B3-E608E1DD5631}.exe	{1700F2B5-A942-4927-BEDA-61D22A9B004C}.exe
File created	C:\Windows\{9F9CF1BB-9BFC-4063-BDF7-A0F28498D1EC}.exe	{6B9E979D-4D47-4716-B8B3-E608E1DD5631}.exe
File created	C:\Windows\{0B0C81D1-595E-45f4-9C29-12CD4FA2CB2D}.exe	{B8C43093-A887-4874-9605-97D5D5E3C0A9}.exe
File created	C:\Windows\{C3B604FE-D4A8-420f-9B33-9E6EDCBD1A01}.exe	{1C5448B1-E4F4-475f-8A3E-4803D2146840}.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2336	2024-04-26_0170e6ffd4d5d9148d1d68372991e16e_goldeneye.exe
Token: SeIncBasePriorityPrivilege	876	{1700F2B5-A942-4927-BEDA-61D22A9B004C}.exe
Token: SeIncBasePriorityPrivilege	1236	{6B9E979D-4D47-4716-B8B3-E608E1DD5631}.exe
Token: SeIncBasePriorityPrivilege	592	{9F9CF1BB-9BFC-4063-BDF7-A0F28498D1EC}.exe
Token: SeIncBasePriorityPrivilege	1736	{0C048495-D367-4d23-B39A-F27153E19190}.exe
Token: SeIncBasePriorityPrivilege	1520	{B8C43093-A887-4874-9605-97D5D5E3C0A9}.exe
Token: SeIncBasePriorityPrivilege	2452	{0B0C81D1-595E-45f4-9C29-12CD4FA2CB2D}.exe
Token: SeIncBasePriorityPrivilege	2628	{7554779B-9E40-40e9-AB41-A99D9B870F47}.exe
Token: SeIncBasePriorityPrivilege	2700	{1C5448B1-E4F4-475f-8A3E-4803D2146840}.exe
Token: SeIncBasePriorityPrivilege	1836	{C3B604FE-D4A8-420f-9B33-9E6EDCBD1A01}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2336 wrote to memory of 876	2336	2024-04-26_0170e6ffd4d5d9148d1d68372991e16e_goldeneye.exe	30
PID 2336 wrote to memory of 876	2336	2024-04-26_0170e6ffd4d5d9148d1d68372991e16e_goldeneye.exe	30
PID 2336 wrote to memory of 876	2336	2024-04-26_0170e6ffd4d5d9148d1d68372991e16e_goldeneye.exe	30
PID 2336 wrote to memory of 876	2336	2024-04-26_0170e6ffd4d5d9148d1d68372991e16e_goldeneye.exe	30
PID 2336 wrote to memory of 1620	2336	2024-04-26_0170e6ffd4d5d9148d1d68372991e16e_goldeneye.exe	31
PID 2336 wrote to memory of 1620	2336	2024-04-26_0170e6ffd4d5d9148d1d68372991e16e_goldeneye.exe	31
PID 2336 wrote to memory of 1620	2336	2024-04-26_0170e6ffd4d5d9148d1d68372991e16e_goldeneye.exe	31
PID 2336 wrote to memory of 1620	2336	2024-04-26_0170e6ffd4d5d9148d1d68372991e16e_goldeneye.exe	31
PID 876 wrote to memory of 1236	876	{1700F2B5-A942-4927-BEDA-61D22A9B004C}.exe	32
PID 876 wrote to memory of 1236	876	{1700F2B5-A942-4927-BEDA-61D22A9B004C}.exe	32
PID 876 wrote to memory of 1236	876	{1700F2B5-A942-4927-BEDA-61D22A9B004C}.exe	32
PID 876 wrote to memory of 1236	876	{1700F2B5-A942-4927-BEDA-61D22A9B004C}.exe	32
PID 876 wrote to memory of 2328	876	{1700F2B5-A942-4927-BEDA-61D22A9B004C}.exe	33
PID 876 wrote to memory of 2328	876	{1700F2B5-A942-4927-BEDA-61D22A9B004C}.exe	33
PID 876 wrote to memory of 2328	876	{1700F2B5-A942-4927-BEDA-61D22A9B004C}.exe	33
PID 876 wrote to memory of 2328	876	{1700F2B5-A942-4927-BEDA-61D22A9B004C}.exe	33
PID 1236 wrote to memory of 592	1236	{6B9E979D-4D47-4716-B8B3-E608E1DD5631}.exe	34
PID 1236 wrote to memory of 592	1236	{6B9E979D-4D47-4716-B8B3-E608E1DD5631}.exe	34
PID 1236 wrote to memory of 592	1236	{6B9E979D-4D47-4716-B8B3-E608E1DD5631}.exe	34
PID 1236 wrote to memory of 592	1236	{6B9E979D-4D47-4716-B8B3-E608E1DD5631}.exe	34
PID 1236 wrote to memory of 268	1236	{6B9E979D-4D47-4716-B8B3-E608E1DD5631}.exe	35
PID 1236 wrote to memory of 268	1236	{6B9E979D-4D47-4716-B8B3-E608E1DD5631}.exe	35
PID 1236 wrote to memory of 268	1236	{6B9E979D-4D47-4716-B8B3-E608E1DD5631}.exe	35
PID 1236 wrote to memory of 268	1236	{6B9E979D-4D47-4716-B8B3-E608E1DD5631}.exe	35
PID 592 wrote to memory of 1736	592	{9F9CF1BB-9BFC-4063-BDF7-A0F28498D1EC}.exe	36
PID 592 wrote to memory of 1736	592	{9F9CF1BB-9BFC-4063-BDF7-A0F28498D1EC}.exe	36
PID 592 wrote to memory of 1736	592	{9F9CF1BB-9BFC-4063-BDF7-A0F28498D1EC}.exe	36
PID 592 wrote to memory of 1736	592	{9F9CF1BB-9BFC-4063-BDF7-A0F28498D1EC}.exe	36
PID 592 wrote to memory of 564	592	{9F9CF1BB-9BFC-4063-BDF7-A0F28498D1EC}.exe	37
PID 592 wrote to memory of 564	592	{9F9CF1BB-9BFC-4063-BDF7-A0F28498D1EC}.exe	37
PID 592 wrote to memory of 564	592	{9F9CF1BB-9BFC-4063-BDF7-A0F28498D1EC}.exe	37
PID 592 wrote to memory of 564	592	{9F9CF1BB-9BFC-4063-BDF7-A0F28498D1EC}.exe	37
PID 1736 wrote to memory of 1520	1736	{0C048495-D367-4d23-B39A-F27153E19190}.exe	38
PID 1736 wrote to memory of 1520	1736	{0C048495-D367-4d23-B39A-F27153E19190}.exe	38
PID 1736 wrote to memory of 1520	1736	{0C048495-D367-4d23-B39A-F27153E19190}.exe	38
PID 1736 wrote to memory of 1520	1736	{0C048495-D367-4d23-B39A-F27153E19190}.exe	38
PID 1736 wrote to memory of 2612	1736	{0C048495-D367-4d23-B39A-F27153E19190}.exe	39
PID 1736 wrote to memory of 2612	1736	{0C048495-D367-4d23-B39A-F27153E19190}.exe	39
PID 1736 wrote to memory of 2612	1736	{0C048495-D367-4d23-B39A-F27153E19190}.exe	39
PID 1736 wrote to memory of 2612	1736	{0C048495-D367-4d23-B39A-F27153E19190}.exe	39
PID 1520 wrote to memory of 2452	1520	{B8C43093-A887-4874-9605-97D5D5E3C0A9}.exe	40
PID 1520 wrote to memory of 2452	1520	{B8C43093-A887-4874-9605-97D5D5E3C0A9}.exe	40
PID 1520 wrote to memory of 2452	1520	{B8C43093-A887-4874-9605-97D5D5E3C0A9}.exe	40
PID 1520 wrote to memory of 2452	1520	{B8C43093-A887-4874-9605-97D5D5E3C0A9}.exe	40
PID 1520 wrote to memory of 2552	1520	{B8C43093-A887-4874-9605-97D5D5E3C0A9}.exe	41
PID 1520 wrote to memory of 2552	1520	{B8C43093-A887-4874-9605-97D5D5E3C0A9}.exe	41
PID 1520 wrote to memory of 2552	1520	{B8C43093-A887-4874-9605-97D5D5E3C0A9}.exe	41
PID 1520 wrote to memory of 2552	1520	{B8C43093-A887-4874-9605-97D5D5E3C0A9}.exe	41
PID 2452 wrote to memory of 2628	2452	{0B0C81D1-595E-45f4-9C29-12CD4FA2CB2D}.exe	42
PID 2452 wrote to memory of 2628	2452	{0B0C81D1-595E-45f4-9C29-12CD4FA2CB2D}.exe	42
PID 2452 wrote to memory of 2628	2452	{0B0C81D1-595E-45f4-9C29-12CD4FA2CB2D}.exe	42
PID 2452 wrote to memory of 2628	2452	{0B0C81D1-595E-45f4-9C29-12CD4FA2CB2D}.exe	42
PID 2452 wrote to memory of 2856	2452	{0B0C81D1-595E-45f4-9C29-12CD4FA2CB2D}.exe	43
PID 2452 wrote to memory of 2856	2452	{0B0C81D1-595E-45f4-9C29-12CD4FA2CB2D}.exe	43
PID 2452 wrote to memory of 2856	2452	{0B0C81D1-595E-45f4-9C29-12CD4FA2CB2D}.exe	43
PID 2452 wrote to memory of 2856	2452	{0B0C81D1-595E-45f4-9C29-12CD4FA2CB2D}.exe	43
PID 2628 wrote to memory of 2700	2628	{7554779B-9E40-40e9-AB41-A99D9B870F47}.exe	44
PID 2628 wrote to memory of 2700	2628	{7554779B-9E40-40e9-AB41-A99D9B870F47}.exe	44
PID 2628 wrote to memory of 2700	2628	{7554779B-9E40-40e9-AB41-A99D9B870F47}.exe	44
PID 2628 wrote to memory of 2700	2628	{7554779B-9E40-40e9-AB41-A99D9B870F47}.exe	44
PID 2628 wrote to memory of 2684	2628	{7554779B-9E40-40e9-AB41-A99D9B870F47}.exe	45
PID 2628 wrote to memory of 2684	2628	{7554779B-9E40-40e9-AB41-A99D9B870F47}.exe	45
PID 2628 wrote to memory of 2684	2628	{7554779B-9E40-40e9-AB41-A99D9B870F47}.exe	45
PID 2628 wrote to memory of 2684	2628	{7554779B-9E40-40e9-AB41-A99D9B870F47}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-04-26_0170e6ffd4d5d9148d1d68372991e16e_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-26_0170e6ffd4d5d9148d1d68372991e16e_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2336
- C:\Windows\{1700F2B5-A942-4927-BEDA-61D22A9B004C}.exe
  C:\Windows\{1700F2B5-A942-4927-BEDA-61D22A9B004C}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:876
- - C:\Windows\{6B9E979D-4D47-4716-B8B3-E608E1DD5631}.exe
    C:\Windows\{6B9E979D-4D47-4716-B8B3-E608E1DD5631}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1236
  - - C:\Windows\{9F9CF1BB-9BFC-4063-BDF7-A0F28498D1EC}.exe
      C:\Windows\{9F9CF1BB-9BFC-4063-BDF7-A0F28498D1EC}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:592
    - - C:\Windows\{0C048495-D367-4d23-B39A-F27153E19190}.exe
        
        C:\Windows\{0C048495-D367-4d23-B39A-F27153E19190}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1736
      - C:\Windows\{B8C43093-A887-4874-9605-97D5D5E3C0A9}.exe
        
        C:\Windows\{B8C43093-A887-4874-9605-97D5D5E3C0A9}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1520
        
        C:\Windows\{0B0C81D1-595E-45f4-9C29-12CD4FA2CB2D}.exe
        
        C:\Windows\{0B0C81D1-595E-45f4-9C29-12CD4FA2CB2D}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2452
        
        C:\Windows\{7554779B-9E40-40e9-AB41-A99D9B870F47}.exe
        
        C:\Windows\{7554779B-9E40-40e9-AB41-A99D9B870F47}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2628
        
        C:\Windows\{1C5448B1-E4F4-475f-8A3E-4803D2146840}.exe
        
        C:\Windows\{1C5448B1-E4F4-475f-8A3E-4803D2146840}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2700
        
        C:\Windows\{C3B604FE-D4A8-420f-9B33-9E6EDCBD1A01}.exe
        
        C:\Windows\{C3B604FE-D4A8-420f-9B33-9E6EDCBD1A01}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1836
        
        C:\Windows\{11A4D531-F794-45cf-A8F4-DA25F70131F7}.exe
        
        C:\Windows\{11A4D531-F794-45cf-A8F4-DA25F70131F7}.exe
        11⤵
        Executes dropped EXE
        
        PID:3048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C3B60~1.EXE > nul
        11⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1C544~1.EXE > nul
        10⤵
        
        PID:2948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{75547~1.EXE > nul
        9⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0B0C8~1.EXE > nul
        8⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B8C43~1.EXE > nul
        7⤵
        
        PID:2552
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0C048~1.EXE > nul
        6⤵
        
        PID:2612
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9F9CF~1.EXE > nul
        5⤵
        
        PID:564
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{6B9E9~1.EXE > nul
      4⤵
      PID:268
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{1700F~1.EXE > nul
    3⤵
    PID:2328
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:1620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0B0C81D1-595E-45f4-9C29-12CD4FA2CB2D}.exe

Filesize
380KB

MD5
6ed75a69aecbfde59e9abfe9b470d712

SHA1
4f10348f858f9bd9f091e252ede0348f183e7361

SHA256
3d2be45f9a1f3c1ba1f5439599615137129bdf70744a78c658f4d4963631b99a

SHA512
24c45284fc95224a2c0deb059577806b3f7f1d453a94d171906213b03880be2e717cfed38dffb8367bf0681e19c7d30e9dfd02c91b8e831e5b9a1c9c1c694da6

Download Submit
C:\Windows\{0C048495-D367-4d23-B39A-F27153E19190}.exe

Filesize
380KB

MD5
0ae8435c3f8c6c80df84bed0385508f3

SHA1
6ac2fbc9e1644bb59ebae2045ea2f79a01063bd3

SHA256
6b2cd4f7fede882f24d31225fe21f0c9b887b64db3184562bd02a942a7ff928e

SHA512
7bd50fa5e92aa513bade47086795ea40a6eeb65f75a075bf42c7dd23d83b7f4b5db41b735a200eecd2cf6d4ae33b83f66a9ea1936d0749773efee603b7069b5d

Download Submit
C:\Windows\{11A4D531-F794-45cf-A8F4-DA25F70131F7}.exe

Filesize
380KB

MD5
baaa0481c2348f7fd5e473533f33fab6

SHA1
01c55e0883a3dbcd84421feee79b90f773be6a93

SHA256
26212a1c4fdf555bdcc0d764349b6846e3a6e53f1d5fcb74a4db95e052f479ff

SHA512
f6a2a5ff48b386fbde9ff4208e44285ab547cf10e4b27bcaf1f888e663fb99667596a4cd8f566c933ff466373f0720dcfae841fbfb0a66ba5f1363ebfa82844a

Download Submit
C:\Windows\{1700F2B5-A942-4927-BEDA-61D22A9B004C}.exe

Filesize
380KB

MD5
310c898d64cd7dce16812b52c05c5406

SHA1
6f35957f46db86cbb811ebf083de0dfe79893ad8

SHA256
d3e02b69119f4e759cb6ca703575d7788863226abcede14e99f5af63a448edc5

SHA512
32198cea1953c7e61ac532592399c8351492ea03fa3e5d458902022f49214ce485dcacdf52dd1aa286a5230273f107463c27aeeaab2da06738bc10f38a173563

Download Submit
C:\Windows\{1C5448B1-E4F4-475f-8A3E-4803D2146840}.exe

Filesize
380KB

MD5
71317faf381f4d28050cdff2f7d8e7a1

SHA1
8e05781b97d42fef109141fb12896981b61fef33

SHA256
f762153ed84bd64225a6477364c05c039b6f1467fa5348036cb6db33ad5e64a5

SHA512
bfd16b28810a1d1dcc66e21ca5a61b59a6a16b090f4655a5beebafddbb6511941cdb8c49ce8da5066a08a16e746d35b1406d27750a8c1053be6af1123c5581f2

Download Submit
C:\Windows\{6B9E979D-4D47-4716-B8B3-E608E1DD5631}.exe

Filesize
380KB

MD5
886e0f797bf2a29a2ef3580684b6913b

SHA1
aa0e84ae1fb5aebe3444233452e7ecd6e611cf44

SHA256
a4d733e61722735e514b1e8875eb1ab49b287650242cd04e41db8fb5b3b651a8

SHA512
b1366b5bc9c4fee359104be9fd328c4bd32266501eede1ff5de92dad3c80b4ba8949cff12f27aba4fc0cbfe624435c02a5dcda915c0bd15ca64b318f259663c8

Download Submit
C:\Windows\{7554779B-9E40-40e9-AB41-A99D9B870F47}.exe

Filesize
380KB

MD5
d87b42219ca672811d2bdce61dab690d

SHA1
040b9546f51766365e5e9fde557f2afb18b0b9cf

SHA256
ccfdaea3b2660a3d98cf3f14d23a6775a285dc9b36c58bd5f1b000b0b7a2c7a7

SHA512
78ad1750900e81acd53f5d2f77108e9f15f4c3bd649e2a3899c1e7ba7178495fc264f2f2f67fd9d478e3d0cfe78fe92eaecadfe881defe3e2a6d6b2f0af386eb

Download Submit
C:\Windows\{9F9CF1BB-9BFC-4063-BDF7-A0F28498D1EC}.exe

Filesize
380KB

MD5
4c4c1e713aafa513afd15b020c05001c

SHA1
501089a6bcdccd3d9c34ccfdbb8e05bd8e912920

SHA256
1c9388b6def9c00ab50e0727d3de0f4207506efd1e0d56cf158d629ef05a0418

SHA512
d6e4ae6b668a874da74c1ef285bc550ede0c294976ffc7ec454088220519e9e0a60d06a9a2e3a99284ae609b22dec62fb58651c9d97895b4128bc7b09aae3b2e

Download Submit
C:\Windows\{B8C43093-A887-4874-9605-97D5D5E3C0A9}.exe

Filesize
380KB

MD5
d57b27064acc5c194dadeec25009ece0

SHA1
168cebaf0533e620ca6c017801b22bd2a09185d3

SHA256
52857ba4d2f50326dc30d96a8f5bee563ca2dff1d4244b6cb308a96794fd377e

SHA512
cb316aed641ad63f455eefd24877379140757476304e25653c55364ea99588d13be7ab071fa9d952d1dfcb512fa4f21716f9efab2ad608b0a3769dc20c42552d

Download Submit
C:\Windows\{C3B604FE-D4A8-420f-9B33-9E6EDCBD1A01}.exe

Filesize
380KB

MD5
8c3f1752c767a85fe8d651ea997e85dd

SHA1
a15ba6c2ce8e5ea12b346e9757c83b54eaf8d2c6

SHA256
a0632b8a6f05389992a5967129be66630b56d4e0fe23f820e817445581bd20fd

SHA512
b10596cd6aab58d642116f9415b360fd79b5c7a1c98f044ed46d273f86d200eff736c775d37022de596e7e22220c3e5706147be87f4352ab8cd77a248190ebac

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads