43839158fd1647276dd6c6fe4be83a6f7fcdbe0f69cdce86c560c647f9390878

Analysis

max time kernel
144s
max time network
119s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
29/04/2024, 16:04

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-04-29_6c11283a1dc1ed6fd43d5e49c1916ebf_goldeneye.exe
Size

408KB
MD5

6c11283a1dc1ed6fd43d5e49c1916ebf
SHA1

7174fde7cabaf83f2c142c26df142c456202731a
SHA256

43839158fd1647276dd6c6fe4be83a6f7fcdbe0f69cdce86c560c647f9390878
SHA512

6191fe6830c36ddec9b96ee11b96889b95ccb61ca84d80b6ce7d07bb3992135970f519282e1d48cc7b7144c8a33ff7c04b7cccaf659e598208b933993894bb86
SSDEEP

3072:CEGh0oDl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBft:CEGNldOe2MUVg3vTeKcAEciTBqr3jy9

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000c00000001227b-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00310000000144d6-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d00000001227b-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x003000000001451d-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e00000001227b-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f00000001227b-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001000000001227b-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{50B555B7-7AC4-4695-98F6-96DD1E7FA172}	{71856E5B-D81E-449f-8981-A75201CC41F5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C31111B0-3522-4623-B626-8AD4BE4D6A8A}	{50B555B7-7AC4-4695-98F6-96DD1E7FA172}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{77C49B90-3596-4c2d-ADBD-5C4AEF79ABE7}\stubpath = "C:\\Windows\\{77C49B90-3596-4c2d-ADBD-5C4AEF79ABE7}.exe"	{C31111B0-3522-4623-B626-8AD4BE4D6A8A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D8A91532-A8FB-4e36-8B1C-9784ECE82BB8}	{B14DA27F-A4E3-4f46-A5D4-7A100DB79DD6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EF4CC351-4739-4012-847D-78095372477A}	2024-04-29_6c11283a1dc1ed6fd43d5e49c1916ebf_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EF4CC351-4739-4012-847D-78095372477A}\stubpath = "C:\\Windows\\{EF4CC351-4739-4012-847D-78095372477A}.exe"	2024-04-29_6c11283a1dc1ed6fd43d5e49c1916ebf_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{086AC98D-8485-495a-8ECF-4465B97334F0}\stubpath = "C:\\Windows\\{086AC98D-8485-495a-8ECF-4465B97334F0}.exe"	{EF4CC351-4739-4012-847D-78095372477A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E6230169-3F95-4799-A377-DAAD90544207}	{1BA8B620-B73A-4aa2-ABE6-0FD1FB432860}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{71856E5B-D81E-449f-8981-A75201CC41F5}	{E6230169-3F95-4799-A377-DAAD90544207}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C31111B0-3522-4623-B626-8AD4BE4D6A8A}\stubpath = "C:\\Windows\\{C31111B0-3522-4623-B626-8AD4BE4D6A8A}.exe"	{50B555B7-7AC4-4695-98F6-96DD1E7FA172}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{77C49B90-3596-4c2d-ADBD-5C4AEF79ABE7}	{C31111B0-3522-4623-B626-8AD4BE4D6A8A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{086AC98D-8485-495a-8ECF-4465B97334F0}	{EF4CC351-4739-4012-847D-78095372477A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1BA8B620-B73A-4aa2-ABE6-0FD1FB432860}	{086AC98D-8485-495a-8ECF-4465B97334F0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1BA8B620-B73A-4aa2-ABE6-0FD1FB432860}\stubpath = "C:\\Windows\\{1BA8B620-B73A-4aa2-ABE6-0FD1FB432860}.exe"	{086AC98D-8485-495a-8ECF-4465B97334F0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E6230169-3F95-4799-A377-DAAD90544207}\stubpath = "C:\\Windows\\{E6230169-3F95-4799-A377-DAAD90544207}.exe"	{1BA8B620-B73A-4aa2-ABE6-0FD1FB432860}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D8A91532-A8FB-4e36-8B1C-9784ECE82BB8}\stubpath = "C:\\Windows\\{D8A91532-A8FB-4e36-8B1C-9784ECE82BB8}.exe"	{B14DA27F-A4E3-4f46-A5D4-7A100DB79DD6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{71856E5B-D81E-449f-8981-A75201CC41F5}\stubpath = "C:\\Windows\\{71856E5B-D81E-449f-8981-A75201CC41F5}.exe"	{E6230169-3F95-4799-A377-DAAD90544207}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{365D63FE-4605-428f-B0B0-9A55599691B0}	{77C49B90-3596-4c2d-ADBD-5C4AEF79ABE7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{365D63FE-4605-428f-B0B0-9A55599691B0}\stubpath = "C:\\Windows\\{365D63FE-4605-428f-B0B0-9A55599691B0}.exe"	{77C49B90-3596-4c2d-ADBD-5C4AEF79ABE7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B14DA27F-A4E3-4f46-A5D4-7A100DB79DD6}\stubpath = "C:\\Windows\\{B14DA27F-A4E3-4f46-A5D4-7A100DB79DD6}.exe"	{365D63FE-4605-428f-B0B0-9A55599691B0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{50B555B7-7AC4-4695-98F6-96DD1E7FA172}\stubpath = "C:\\Windows\\{50B555B7-7AC4-4695-98F6-96DD1E7FA172}.exe"	{71856E5B-D81E-449f-8981-A75201CC41F5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B14DA27F-A4E3-4f46-A5D4-7A100DB79DD6}	{365D63FE-4605-428f-B0B0-9A55599691B0}.exe

Deletes itself 1 IoCs

pid	Process
2164	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
3004	{EF4CC351-4739-4012-847D-78095372477A}.exe
2688	{086AC98D-8485-495a-8ECF-4465B97334F0}.exe
2712	{1BA8B620-B73A-4aa2-ABE6-0FD1FB432860}.exe
2260	{E6230169-3F95-4799-A377-DAAD90544207}.exe
2852	{71856E5B-D81E-449f-8981-A75201CC41F5}.exe
2004	{50B555B7-7AC4-4695-98F6-96DD1E7FA172}.exe
1648	{C31111B0-3522-4623-B626-8AD4BE4D6A8A}.exe
2212	{77C49B90-3596-4c2d-ADBD-5C4AEF79ABE7}.exe
2112	{365D63FE-4605-428f-B0B0-9A55599691B0}.exe
2716	{B14DA27F-A4E3-4f46-A5D4-7A100DB79DD6}.exe
1320	{D8A91532-A8FB-4e36-8B1C-9784ECE82BB8}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{1BA8B620-B73A-4aa2-ABE6-0FD1FB432860}.exe	{086AC98D-8485-495a-8ECF-4465B97334F0}.exe
File created	C:\Windows\{E6230169-3F95-4799-A377-DAAD90544207}.exe	{1BA8B620-B73A-4aa2-ABE6-0FD1FB432860}.exe
File created	C:\Windows\{365D63FE-4605-428f-B0B0-9A55599691B0}.exe	{77C49B90-3596-4c2d-ADBD-5C4AEF79ABE7}.exe
File created	C:\Windows\{B14DA27F-A4E3-4f46-A5D4-7A100DB79DD6}.exe	{365D63FE-4605-428f-B0B0-9A55599691B0}.exe
File created	C:\Windows\{EF4CC351-4739-4012-847D-78095372477A}.exe	2024-04-29_6c11283a1dc1ed6fd43d5e49c1916ebf_goldeneye.exe
File created	C:\Windows\{71856E5B-D81E-449f-8981-A75201CC41F5}.exe	{E6230169-3F95-4799-A377-DAAD90544207}.exe
File created	C:\Windows\{50B555B7-7AC4-4695-98F6-96DD1E7FA172}.exe	{71856E5B-D81E-449f-8981-A75201CC41F5}.exe
File created	C:\Windows\{C31111B0-3522-4623-B626-8AD4BE4D6A8A}.exe	{50B555B7-7AC4-4695-98F6-96DD1E7FA172}.exe
File created	C:\Windows\{77C49B90-3596-4c2d-ADBD-5C4AEF79ABE7}.exe	{C31111B0-3522-4623-B626-8AD4BE4D6A8A}.exe
File created	C:\Windows\{D8A91532-A8FB-4e36-8B1C-9784ECE82BB8}.exe	{B14DA27F-A4E3-4f46-A5D4-7A100DB79DD6}.exe
File created	C:\Windows\{086AC98D-8485-495a-8ECF-4465B97334F0}.exe	{EF4CC351-4739-4012-847D-78095372477A}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2236	2024-04-29_6c11283a1dc1ed6fd43d5e49c1916ebf_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3004	{EF4CC351-4739-4012-847D-78095372477A}.exe
Token: SeIncBasePriorityPrivilege	2688	{086AC98D-8485-495a-8ECF-4465B97334F0}.exe
Token: SeIncBasePriorityPrivilege	2712	{1BA8B620-B73A-4aa2-ABE6-0FD1FB432860}.exe
Token: SeIncBasePriorityPrivilege	2260	{E6230169-3F95-4799-A377-DAAD90544207}.exe
Token: SeIncBasePriorityPrivilege	2852	{71856E5B-D81E-449f-8981-A75201CC41F5}.exe
Token: SeIncBasePriorityPrivilege	2004	{50B555B7-7AC4-4695-98F6-96DD1E7FA172}.exe
Token: SeIncBasePriorityPrivilege	1648	{C31111B0-3522-4623-B626-8AD4BE4D6A8A}.exe
Token: SeIncBasePriorityPrivilege	2212	{77C49B90-3596-4c2d-ADBD-5C4AEF79ABE7}.exe
Token: SeIncBasePriorityPrivilege	2112	{365D63FE-4605-428f-B0B0-9A55599691B0}.exe
Token: SeIncBasePriorityPrivilege	2716	{B14DA27F-A4E3-4f46-A5D4-7A100DB79DD6}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2236 wrote to memory of 3004	2236	2024-04-29_6c11283a1dc1ed6fd43d5e49c1916ebf_goldeneye.exe	28
PID 2236 wrote to memory of 3004	2236	2024-04-29_6c11283a1dc1ed6fd43d5e49c1916ebf_goldeneye.exe	28
PID 2236 wrote to memory of 3004	2236	2024-04-29_6c11283a1dc1ed6fd43d5e49c1916ebf_goldeneye.exe	28
PID 2236 wrote to memory of 3004	2236	2024-04-29_6c11283a1dc1ed6fd43d5e49c1916ebf_goldeneye.exe	28
PID 2236 wrote to memory of 2164	2236	2024-04-29_6c11283a1dc1ed6fd43d5e49c1916ebf_goldeneye.exe	29
PID 2236 wrote to memory of 2164	2236	2024-04-29_6c11283a1dc1ed6fd43d5e49c1916ebf_goldeneye.exe	29
PID 2236 wrote to memory of 2164	2236	2024-04-29_6c11283a1dc1ed6fd43d5e49c1916ebf_goldeneye.exe	29
PID 2236 wrote to memory of 2164	2236	2024-04-29_6c11283a1dc1ed6fd43d5e49c1916ebf_goldeneye.exe	29
PID 3004 wrote to memory of 2688	3004	{EF4CC351-4739-4012-847D-78095372477A}.exe	30
PID 3004 wrote to memory of 2688	3004	{EF4CC351-4739-4012-847D-78095372477A}.exe	30
PID 3004 wrote to memory of 2688	3004	{EF4CC351-4739-4012-847D-78095372477A}.exe	30
PID 3004 wrote to memory of 2688	3004	{EF4CC351-4739-4012-847D-78095372477A}.exe	30
PID 3004 wrote to memory of 2544	3004	{EF4CC351-4739-4012-847D-78095372477A}.exe	31
PID 3004 wrote to memory of 2544	3004	{EF4CC351-4739-4012-847D-78095372477A}.exe	31
PID 3004 wrote to memory of 2544	3004	{EF4CC351-4739-4012-847D-78095372477A}.exe	31
PID 3004 wrote to memory of 2544	3004	{EF4CC351-4739-4012-847D-78095372477A}.exe	31
PID 2688 wrote to memory of 2712	2688	{086AC98D-8485-495a-8ECF-4465B97334F0}.exe	32
PID 2688 wrote to memory of 2712	2688	{086AC98D-8485-495a-8ECF-4465B97334F0}.exe	32
PID 2688 wrote to memory of 2712	2688	{086AC98D-8485-495a-8ECF-4465B97334F0}.exe	32
PID 2688 wrote to memory of 2712	2688	{086AC98D-8485-495a-8ECF-4465B97334F0}.exe	32
PID 2688 wrote to memory of 2672	2688	{086AC98D-8485-495a-8ECF-4465B97334F0}.exe	33
PID 2688 wrote to memory of 2672	2688	{086AC98D-8485-495a-8ECF-4465B97334F0}.exe	33
PID 2688 wrote to memory of 2672	2688	{086AC98D-8485-495a-8ECF-4465B97334F0}.exe	33
PID 2688 wrote to memory of 2672	2688	{086AC98D-8485-495a-8ECF-4465B97334F0}.exe	33
PID 2712 wrote to memory of 2260	2712	{1BA8B620-B73A-4aa2-ABE6-0FD1FB432860}.exe	36
PID 2712 wrote to memory of 2260	2712	{1BA8B620-B73A-4aa2-ABE6-0FD1FB432860}.exe	36
PID 2712 wrote to memory of 2260	2712	{1BA8B620-B73A-4aa2-ABE6-0FD1FB432860}.exe	36
PID 2712 wrote to memory of 2260	2712	{1BA8B620-B73A-4aa2-ABE6-0FD1FB432860}.exe	36
PID 2712 wrote to memory of 2032	2712	{1BA8B620-B73A-4aa2-ABE6-0FD1FB432860}.exe	37
PID 2712 wrote to memory of 2032	2712	{1BA8B620-B73A-4aa2-ABE6-0FD1FB432860}.exe	37
PID 2712 wrote to memory of 2032	2712	{1BA8B620-B73A-4aa2-ABE6-0FD1FB432860}.exe	37
PID 2712 wrote to memory of 2032	2712	{1BA8B620-B73A-4aa2-ABE6-0FD1FB432860}.exe	37
PID 2260 wrote to memory of 2852	2260	{E6230169-3F95-4799-A377-DAAD90544207}.exe	38
PID 2260 wrote to memory of 2852	2260	{E6230169-3F95-4799-A377-DAAD90544207}.exe	38
PID 2260 wrote to memory of 2852	2260	{E6230169-3F95-4799-A377-DAAD90544207}.exe	38
PID 2260 wrote to memory of 2852	2260	{E6230169-3F95-4799-A377-DAAD90544207}.exe	38
PID 2260 wrote to memory of 2876	2260	{E6230169-3F95-4799-A377-DAAD90544207}.exe	39
PID 2260 wrote to memory of 2876	2260	{E6230169-3F95-4799-A377-DAAD90544207}.exe	39
PID 2260 wrote to memory of 2876	2260	{E6230169-3F95-4799-A377-DAAD90544207}.exe	39
PID 2260 wrote to memory of 2876	2260	{E6230169-3F95-4799-A377-DAAD90544207}.exe	39
PID 2852 wrote to memory of 2004	2852	{71856E5B-D81E-449f-8981-A75201CC41F5}.exe	40
PID 2852 wrote to memory of 2004	2852	{71856E5B-D81E-449f-8981-A75201CC41F5}.exe	40
PID 2852 wrote to memory of 2004	2852	{71856E5B-D81E-449f-8981-A75201CC41F5}.exe	40
PID 2852 wrote to memory of 2004	2852	{71856E5B-D81E-449f-8981-A75201CC41F5}.exe	40
PID 2852 wrote to memory of 2024	2852	{71856E5B-D81E-449f-8981-A75201CC41F5}.exe	41
PID 2852 wrote to memory of 2024	2852	{71856E5B-D81E-449f-8981-A75201CC41F5}.exe	41
PID 2852 wrote to memory of 2024	2852	{71856E5B-D81E-449f-8981-A75201CC41F5}.exe	41
PID 2852 wrote to memory of 2024	2852	{71856E5B-D81E-449f-8981-A75201CC41F5}.exe	41
PID 2004 wrote to memory of 1648	2004	{50B555B7-7AC4-4695-98F6-96DD1E7FA172}.exe	42
PID 2004 wrote to memory of 1648	2004	{50B555B7-7AC4-4695-98F6-96DD1E7FA172}.exe	42
PID 2004 wrote to memory of 1648	2004	{50B555B7-7AC4-4695-98F6-96DD1E7FA172}.exe	42
PID 2004 wrote to memory of 1648	2004	{50B555B7-7AC4-4695-98F6-96DD1E7FA172}.exe	42
PID 2004 wrote to memory of 304	2004	{50B555B7-7AC4-4695-98F6-96DD1E7FA172}.exe	43
PID 2004 wrote to memory of 304	2004	{50B555B7-7AC4-4695-98F6-96DD1E7FA172}.exe	43
PID 2004 wrote to memory of 304	2004	{50B555B7-7AC4-4695-98F6-96DD1E7FA172}.exe	43
PID 2004 wrote to memory of 304	2004	{50B555B7-7AC4-4695-98F6-96DD1E7FA172}.exe	43
PID 1648 wrote to memory of 2212	1648	{C31111B0-3522-4623-B626-8AD4BE4D6A8A}.exe	44
PID 1648 wrote to memory of 2212	1648	{C31111B0-3522-4623-B626-8AD4BE4D6A8A}.exe	44
PID 1648 wrote to memory of 2212	1648	{C31111B0-3522-4623-B626-8AD4BE4D6A8A}.exe	44
PID 1648 wrote to memory of 2212	1648	{C31111B0-3522-4623-B626-8AD4BE4D6A8A}.exe	44
PID 1648 wrote to memory of 1592	1648	{C31111B0-3522-4623-B626-8AD4BE4D6A8A}.exe	45
PID 1648 wrote to memory of 1592	1648	{C31111B0-3522-4623-B626-8AD4BE4D6A8A}.exe	45
PID 1648 wrote to memory of 1592	1648	{C31111B0-3522-4623-B626-8AD4BE4D6A8A}.exe	45
PID 1648 wrote to memory of 1592	1648	{C31111B0-3522-4623-B626-8AD4BE4D6A8A}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-04-29_6c11283a1dc1ed6fd43d5e49c1916ebf_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-29_6c11283a1dc1ed6fd43d5e49c1916ebf_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2236
- C:\Windows\{EF4CC351-4739-4012-847D-78095372477A}.exe
  C:\Windows\{EF4CC351-4739-4012-847D-78095372477A}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3004
- - C:\Windows\{086AC98D-8485-495a-8ECF-4465B97334F0}.exe
    C:\Windows\{086AC98D-8485-495a-8ECF-4465B97334F0}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2688
  - - C:\Windows\{1BA8B620-B73A-4aa2-ABE6-0FD1FB432860}.exe
      C:\Windows\{1BA8B620-B73A-4aa2-ABE6-0FD1FB432860}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2712
    - - C:\Windows\{E6230169-3F95-4799-A377-DAAD90544207}.exe
        
        C:\Windows\{E6230169-3F95-4799-A377-DAAD90544207}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2260
      - C:\Windows\{71856E5B-D81E-449f-8981-A75201CC41F5}.exe
        
        C:\Windows\{71856E5B-D81E-449f-8981-A75201CC41F5}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2852
        
        C:\Windows\{50B555B7-7AC4-4695-98F6-96DD1E7FA172}.exe
        
        C:\Windows\{50B555B7-7AC4-4695-98F6-96DD1E7FA172}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2004
        
        C:\Windows\{C31111B0-3522-4623-B626-8AD4BE4D6A8A}.exe
        
        C:\Windows\{C31111B0-3522-4623-B626-8AD4BE4D6A8A}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1648
        
        C:\Windows\{77C49B90-3596-4c2d-ADBD-5C4AEF79ABE7}.exe
        
        C:\Windows\{77C49B90-3596-4c2d-ADBD-5C4AEF79ABE7}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2212
        
        C:\Windows\{365D63FE-4605-428f-B0B0-9A55599691B0}.exe
        
        C:\Windows\{365D63FE-4605-428f-B0B0-9A55599691B0}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2112
        
        C:\Windows\{B14DA27F-A4E3-4f46-A5D4-7A100DB79DD6}.exe
        
        C:\Windows\{B14DA27F-A4E3-4f46-A5D4-7A100DB79DD6}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2716
        
        C:\Windows\{D8A91532-A8FB-4e36-8B1C-9784ECE82BB8}.exe
        
        C:\Windows\{D8A91532-A8FB-4e36-8B1C-9784ECE82BB8}.exe
        12⤵
        Executes dropped EXE
        
        PID:1320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B14DA~1.EXE > nul
        12⤵
        
        PID:544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{365D6~1.EXE > nul
        11⤵
        
        PID:848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{77C49~1.EXE > nul
        10⤵
        
        PID:272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C3111~1.EXE > nul
        9⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{50B55~1.EXE > nul
        8⤵
        
        PID:304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{71856~1.EXE > nul
        7⤵
        
        PID:2024
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E6230~1.EXE > nul
        6⤵
        
        PID:2876
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1BA8B~1.EXE > nul
        5⤵
        
        PID:2032
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{086AC~1.EXE > nul
      4⤵
      PID:2672
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{EF4CC~1.EXE > nul
    3⤵
    PID:2544
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{086AC98D-8485-495a-8ECF-4465B97334F0}.exe

Filesize
408KB

MD5
44ba4ed47affd5ce4bd310e6cec8c10a

SHA1
5236f25a1729e1d8dbc00856ca76c3f9aba787c5

SHA256
8ec272babaee8caadb74b96dd4181f24c44141d55fb46789906e8f03c0590e5f

SHA512
a6a83e0edfecdfc7125c9b121eb4cf778581676dd2021a74ed55a746478afffb90c09a4a40d307b3b3394fcc99bdb90ce77c2795c78bb2f742e26b14ffec4d1b

Download Submit
C:\Windows\{1BA8B620-B73A-4aa2-ABE6-0FD1FB432860}.exe

Filesize
408KB

MD5
aa3a2a4f0ab41269ff85163eeff8bf1e

SHA1
c9eda0b6b9ca7c108eb2771055e67342cdf5165c

SHA256
9a925c2c1515dd9875cc1c633fd1c68096ec9d7b3e02ce8a24aefdfb536f70f4

SHA512
bbca8d0dcf8829f0390a32973a1612233b8541e285eef133f0752da6d331a8bdb8382e79e73195b197ac625ed80bfd8b3cd4d87673222eab1ee892aa307fd929

Download Submit
C:\Windows\{365D63FE-4605-428f-B0B0-9A55599691B0}.exe

Filesize
408KB

MD5
1579694c5004a217220dd72b2c91db24

SHA1
fa000b3451a7d4c4d39e43378721137fbee326c5

SHA256
6e174a53b00f4db31d951726af8502a2e13a0592a809186892c8ca10b79d3f41

SHA512
841276127f7c6ad1ac2550bf12e0f01d8ad2b18c428d43f90c040efd8f042bf4e58a1985639da2f9274f706a67635e421ca40b3f4b87a3aba007c120cd487f2d

Download Submit
C:\Windows\{50B555B7-7AC4-4695-98F6-96DD1E7FA172}.exe

Filesize
408KB

MD5
c712c2a58a5ea9edab139275f5dffa5e

SHA1
dad55385452056093987cac0a79c4da0b4e1a595

SHA256
cf2f239b9055ed902146efb636add75c53f5e9ca90349ac364993c43d321b5c2

SHA512
a96eff3a20bc53982a998b46788a52bcdac561e217cab06802a3fcfaac4a332b808bad1641b1b159ff855f8050f22fe5afdf6338c209af641b635390ddc3f47a

Download Submit
C:\Windows\{71856E5B-D81E-449f-8981-A75201CC41F5}.exe

Filesize
408KB

MD5
2dc0f4869a9a2828f155d5a395fc6050

SHA1
0069c6d76277718ffb66f63b1e0e46babac50239

SHA256
3840d06df89c7c72c4aedea35302bdce781791e9b7bbdd029612124d84b97e99

SHA512
8f3c4c9c28d33c37600bd86bec086190a5eefb3a178d88740b2af1acb4115af496a3b3f49dee40d40286171dcb519ab6f53a720b8697a7d82e92f878dd363912

Download Submit
C:\Windows\{77C49B90-3596-4c2d-ADBD-5C4AEF79ABE7}.exe

Filesize
408KB

MD5
270ea6d046c9a2328853eb9e82964882

SHA1
d80d6d4413dfce7d8fada7cb2bb0930e76130fe4

SHA256
a4d39734e13066f96382dc7c3e441cfdf07b51a1a90e47790c6d68618ec5ee02

SHA512
5acf1b70f2a410e456f8ea8fc6602e36276064aa599e6040c796f95e8c1430d27605c38462e91dba3bd2f44f795c9bc6392c05f26b3b606d2327826b3c4d5cf3

Download Submit
C:\Windows\{B14DA27F-A4E3-4f46-A5D4-7A100DB79DD6}.exe

Filesize
408KB

MD5
367447a490ae497fcf11616034752d46

SHA1
b0e70acd6f287f59e1cb194c132a051cdf653a22

SHA256
84680772664843a9af63e942e102e11f12dc0621df904939c75e6d1705668c04

SHA512
6ad28f70f7a852cdc4a447d44ed723427eb25e97adf233b7ffe9029e6502bfc590c7e7179119ec50135f990602bbe8ebafdf3483ee5fafceec918502fb86bd85

Download Submit
C:\Windows\{C31111B0-3522-4623-B626-8AD4BE4D6A8A}.exe

Filesize
408KB

MD5
5364f4eaee5e9c43a9c9add11f0d580b

SHA1
7d1f70fdf5e6860f88d14d4a436b14296f857bd4

SHA256
caf4d85277bed89e1975cab1db76d1cadfbca34ea96c9bb18dad92dac709a511

SHA512
de22bb56a7eb64e40c0fd75c65a987b746ea88eacb90ce1ffacd91db1d49c0bd33f7af56efe3662f1df33c268a2b5e7a6371c084a8cff1e39f1276b4c9154fb7

Download Submit
C:\Windows\{D8A91532-A8FB-4e36-8B1C-9784ECE82BB8}.exe

Filesize
408KB

MD5
fb50d8caa692f8de61c8f084df9f0a0d

SHA1
c0ec873a0777022223ff42de0cd8ea3265a22369

SHA256
2cca9ba3855babdf16eebf8cb1c473b7ee40dec87501ed9612942c1db7ca4201

SHA512
2bb0f420949264c4480d0a472ed72b49832cff7d18068c2ff3c5bfb3c54ceefc9175d9fa6c9c5ad6b65ddaaf7b675920cd20d836fe360c542363496758d384f4

Download Submit
C:\Windows\{E6230169-3F95-4799-A377-DAAD90544207}.exe

Filesize
408KB

MD5
2b824e3a20d4468b1d42a99a1e57db72

SHA1
31d699f946d74e2955d19c006a7afd69845beb45

SHA256
b8a9d9672955aeab2c4fcf2db3bfa6a33c8a61e1f0a35c54627aec34fc827983

SHA512
166beef325cf6aca53bcae5dbb58168353f2bfb93a230c76ffcc0f642f9fac8844dd2fbb9a7940363ab317d8f23303a8cd8ea4cc897da1eab4baa7512fb03d15

Download Submit
C:\Windows\{EF4CC351-4739-4012-847D-78095372477A}.exe

Filesize
408KB

MD5
4b862270d14f95621db9c11158cfdbe8

SHA1
59ed03f5c85e681dc90ae1148eec2a2ab76afcf4

SHA256
d076d46797397da977147c7a25482b1e9b97076f9308ec3695441f9da0a2da8e

SHA512
2f083395d1665aef194f42e259a5336f8fe9843ee1a5a1720e5b67424635af99cab5f23516b730f63d9d290850cf7a73c104fc4a3d7e4524a5db32f17bc0cab6

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads