d6ea0afb5debe0c26363df4509445f63fb269b3e096d1738b450b3bfc58fd6ce

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
11-05-2024 06:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-11_b13f687f7670e8a57be7936075a7cc70_goldeneye.exe
Size

380KB
MD5

b13f687f7670e8a57be7936075a7cc70
SHA1

15326e49e6210bb3628b1a04b1e19f13b3a16906
SHA256

d6ea0afb5debe0c26363df4509445f63fb269b3e096d1738b450b3bfc58fd6ce
SHA512

2f9ea879e6070b81cf8f699570aff08e0d948f32e0bc9eacbc91f9ddeafd62b027c0d1b0b2535b99b41002075553a48639c2e8c616fad7e473f15a553385d4ad
SSDEEP

3072:mEGh0oclPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGml7Oe2MUVg3v2IneKcAEcARy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x0038000000013450-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00390000000134e6-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0039000000013450-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b000000013726-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x003a000000013450-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x003b000000013450-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x003c000000013450-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{477E40AF-20FA-40fe-B8C2-A57523801BE1}\stubpath = "C:\\Windows\\{477E40AF-20FA-40fe-B8C2-A57523801BE1}.exe"	{C06D4C09-D1F0-442e-991F-E2A264AEF026}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EA112E8C-A43C-40b2-8B21-E8AE226550CD}\stubpath = "C:\\Windows\\{EA112E8C-A43C-40b2-8B21-E8AE226550CD}.exe"	{59BE62D8-793A-433d-B276-5C68E715CE76}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{851F3751-9D96-49bf-BD28-9B8C3E3732DA}	{EA112E8C-A43C-40b2-8B21-E8AE226550CD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C06D4C09-D1F0-442e-991F-E2A264AEF026}	{851F3751-9D96-49bf-BD28-9B8C3E3732DA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EA112E8C-A43C-40b2-8B21-E8AE226550CD}	{59BE62D8-793A-433d-B276-5C68E715CE76}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C06D4C09-D1F0-442e-991F-E2A264AEF026}\stubpath = "C:\\Windows\\{C06D4C09-D1F0-442e-991F-E2A264AEF026}.exe"	{851F3751-9D96-49bf-BD28-9B8C3E3732DA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1E20CE98-4538-4d2b-959B-870B79658203}\stubpath = "C:\\Windows\\{1E20CE98-4538-4d2b-959B-870B79658203}.exe"	{477E40AF-20FA-40fe-B8C2-A57523801BE1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D8D58703-07EC-4209-8826-DD34F743DBA5}\stubpath = "C:\\Windows\\{D8D58703-07EC-4209-8826-DD34F743DBA5}.exe"	{1E2DEA23-41B9-428b-B25C-D7662643A8BB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{851F3751-9D96-49bf-BD28-9B8C3E3732DA}\stubpath = "C:\\Windows\\{851F3751-9D96-49bf-BD28-9B8C3E3732DA}.exe"	{EA112E8C-A43C-40b2-8B21-E8AE226550CD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{477E40AF-20FA-40fe-B8C2-A57523801BE1}	{C06D4C09-D1F0-442e-991F-E2A264AEF026}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1E20CE98-4538-4d2b-959B-870B79658203}	{477E40AF-20FA-40fe-B8C2-A57523801BE1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DC01EE65-E544-44b8-A794-4A916EEE0FE8}\stubpath = "C:\\Windows\\{DC01EE65-E544-44b8-A794-4A916EEE0FE8}.exe"	{1E20CE98-4538-4d2b-959B-870B79658203}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{07D4B604-34AC-498d-AE8C-A3257CB4B881}	{D1C326E3-655E-422e-8998-E7BD5C640CA5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{07D4B604-34AC-498d-AE8C-A3257CB4B881}\stubpath = "C:\\Windows\\{07D4B604-34AC-498d-AE8C-A3257CB4B881}.exe"	{D1C326E3-655E-422e-8998-E7BD5C640CA5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D8D58703-07EC-4209-8826-DD34F743DBA5}	{1E2DEA23-41B9-428b-B25C-D7662643A8BB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1E2DEA23-41B9-428b-B25C-D7662643A8BB}\stubpath = "C:\\Windows\\{1E2DEA23-41B9-428b-B25C-D7662643A8BB}.exe"	{07D4B604-34AC-498d-AE8C-A3257CB4B881}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{59BE62D8-793A-433d-B276-5C68E715CE76}	{D8D58703-07EC-4209-8826-DD34F743DBA5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{59BE62D8-793A-433d-B276-5C68E715CE76}\stubpath = "C:\\Windows\\{59BE62D8-793A-433d-B276-5C68E715CE76}.exe"	{D8D58703-07EC-4209-8826-DD34F743DBA5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DC01EE65-E544-44b8-A794-4A916EEE0FE8}	{1E20CE98-4538-4d2b-959B-870B79658203}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D1C326E3-655E-422e-8998-E7BD5C640CA5}	2024-05-11_b13f687f7670e8a57be7936075a7cc70_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D1C326E3-655E-422e-8998-E7BD5C640CA5}\stubpath = "C:\\Windows\\{D1C326E3-655E-422e-8998-E7BD5C640CA5}.exe"	2024-05-11_b13f687f7670e8a57be7936075a7cc70_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1E2DEA23-41B9-428b-B25C-D7662643A8BB}	{07D4B604-34AC-498d-AE8C-A3257CB4B881}.exe

Deletes itself 1 IoCs

pid	Process
2664	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
860	{D1C326E3-655E-422e-8998-E7BD5C640CA5}.exe
2712	{07D4B604-34AC-498d-AE8C-A3257CB4B881}.exe
2516	{1E2DEA23-41B9-428b-B25C-D7662643A8BB}.exe
2096	{D8D58703-07EC-4209-8826-DD34F743DBA5}.exe
2932	{59BE62D8-793A-433d-B276-5C68E715CE76}.exe
344	{EA112E8C-A43C-40b2-8B21-E8AE226550CD}.exe
1984	{851F3751-9D96-49bf-BD28-9B8C3E3732DA}.exe
1648	{C06D4C09-D1F0-442e-991F-E2A264AEF026}.exe
1692	{477E40AF-20FA-40fe-B8C2-A57523801BE1}.exe
2116	{1E20CE98-4538-4d2b-959B-870B79658203}.exe
700	{DC01EE65-E544-44b8-A794-4A916EEE0FE8}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{1E20CE98-4538-4d2b-959B-870B79658203}.exe	{477E40AF-20FA-40fe-B8C2-A57523801BE1}.exe
File created	C:\Windows\{07D4B604-34AC-498d-AE8C-A3257CB4B881}.exe	{D1C326E3-655E-422e-8998-E7BD5C640CA5}.exe
File created	C:\Windows\{1E2DEA23-41B9-428b-B25C-D7662643A8BB}.exe	{07D4B604-34AC-498d-AE8C-A3257CB4B881}.exe
File created	C:\Windows\{59BE62D8-793A-433d-B276-5C68E715CE76}.exe	{D8D58703-07EC-4209-8826-DD34F743DBA5}.exe
File created	C:\Windows\{C06D4C09-D1F0-442e-991F-E2A264AEF026}.exe	{851F3751-9D96-49bf-BD28-9B8C3E3732DA}.exe
File created	C:\Windows\{477E40AF-20FA-40fe-B8C2-A57523801BE1}.exe	{C06D4C09-D1F0-442e-991F-E2A264AEF026}.exe
File created	C:\Windows\{DC01EE65-E544-44b8-A794-4A916EEE0FE8}.exe	{1E20CE98-4538-4d2b-959B-870B79658203}.exe
File created	C:\Windows\{D1C326E3-655E-422e-8998-E7BD5C640CA5}.exe	2024-05-11_b13f687f7670e8a57be7936075a7cc70_goldeneye.exe
File created	C:\Windows\{D8D58703-07EC-4209-8826-DD34F743DBA5}.exe	{1E2DEA23-41B9-428b-B25C-D7662643A8BB}.exe
File created	C:\Windows\{EA112E8C-A43C-40b2-8B21-E8AE226550CD}.exe	{59BE62D8-793A-433d-B276-5C68E715CE76}.exe
File created	C:\Windows\{851F3751-9D96-49bf-BD28-9B8C3E3732DA}.exe	{EA112E8C-A43C-40b2-8B21-E8AE226550CD}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1068	2024-05-11_b13f687f7670e8a57be7936075a7cc70_goldeneye.exe
Token: SeIncBasePriorityPrivilege	860	{D1C326E3-655E-422e-8998-E7BD5C640CA5}.exe
Token: SeIncBasePriorityPrivilege	2712	{07D4B604-34AC-498d-AE8C-A3257CB4B881}.exe
Token: SeIncBasePriorityPrivilege	2516	{1E2DEA23-41B9-428b-B25C-D7662643A8BB}.exe
Token: SeIncBasePriorityPrivilege	2096	{D8D58703-07EC-4209-8826-DD34F743DBA5}.exe
Token: SeIncBasePriorityPrivilege	2932	{59BE62D8-793A-433d-B276-5C68E715CE76}.exe
Token: SeIncBasePriorityPrivilege	344	{EA112E8C-A43C-40b2-8B21-E8AE226550CD}.exe
Token: SeIncBasePriorityPrivilege	1984	{851F3751-9D96-49bf-BD28-9B8C3E3732DA}.exe
Token: SeIncBasePriorityPrivilege	1648	{C06D4C09-D1F0-442e-991F-E2A264AEF026}.exe
Token: SeIncBasePriorityPrivilege	1692	{477E40AF-20FA-40fe-B8C2-A57523801BE1}.exe
Token: SeIncBasePriorityPrivilege	2116	{1E20CE98-4538-4d2b-959B-870B79658203}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1068 wrote to memory of 860	1068	2024-05-11_b13f687f7670e8a57be7936075a7cc70_goldeneye.exe	28
PID 1068 wrote to memory of 860	1068	2024-05-11_b13f687f7670e8a57be7936075a7cc70_goldeneye.exe	28
PID 1068 wrote to memory of 860	1068	2024-05-11_b13f687f7670e8a57be7936075a7cc70_goldeneye.exe	28
PID 1068 wrote to memory of 860	1068	2024-05-11_b13f687f7670e8a57be7936075a7cc70_goldeneye.exe	28
PID 1068 wrote to memory of 2664	1068	2024-05-11_b13f687f7670e8a57be7936075a7cc70_goldeneye.exe	29
PID 1068 wrote to memory of 2664	1068	2024-05-11_b13f687f7670e8a57be7936075a7cc70_goldeneye.exe	29
PID 1068 wrote to memory of 2664	1068	2024-05-11_b13f687f7670e8a57be7936075a7cc70_goldeneye.exe	29
PID 1068 wrote to memory of 2664	1068	2024-05-11_b13f687f7670e8a57be7936075a7cc70_goldeneye.exe	29
PID 860 wrote to memory of 2712	860	{D1C326E3-655E-422e-8998-E7BD5C640CA5}.exe	30
PID 860 wrote to memory of 2712	860	{D1C326E3-655E-422e-8998-E7BD5C640CA5}.exe	30
PID 860 wrote to memory of 2712	860	{D1C326E3-655E-422e-8998-E7BD5C640CA5}.exe	30
PID 860 wrote to memory of 2712	860	{D1C326E3-655E-422e-8998-E7BD5C640CA5}.exe	30
PID 860 wrote to memory of 2604	860	{D1C326E3-655E-422e-8998-E7BD5C640CA5}.exe	31
PID 860 wrote to memory of 2604	860	{D1C326E3-655E-422e-8998-E7BD5C640CA5}.exe	31
PID 860 wrote to memory of 2604	860	{D1C326E3-655E-422e-8998-E7BD5C640CA5}.exe	31
PID 860 wrote to memory of 2604	860	{D1C326E3-655E-422e-8998-E7BD5C640CA5}.exe	31
PID 2712 wrote to memory of 2516	2712	{07D4B604-34AC-498d-AE8C-A3257CB4B881}.exe	32
PID 2712 wrote to memory of 2516	2712	{07D4B604-34AC-498d-AE8C-A3257CB4B881}.exe	32
PID 2712 wrote to memory of 2516	2712	{07D4B604-34AC-498d-AE8C-A3257CB4B881}.exe	32
PID 2712 wrote to memory of 2516	2712	{07D4B604-34AC-498d-AE8C-A3257CB4B881}.exe	32
PID 2712 wrote to memory of 2504	2712	{07D4B604-34AC-498d-AE8C-A3257CB4B881}.exe	33
PID 2712 wrote to memory of 2504	2712	{07D4B604-34AC-498d-AE8C-A3257CB4B881}.exe	33
PID 2712 wrote to memory of 2504	2712	{07D4B604-34AC-498d-AE8C-A3257CB4B881}.exe	33
PID 2712 wrote to memory of 2504	2712	{07D4B604-34AC-498d-AE8C-A3257CB4B881}.exe	33
PID 2516 wrote to memory of 2096	2516	{1E2DEA23-41B9-428b-B25C-D7662643A8BB}.exe	36
PID 2516 wrote to memory of 2096	2516	{1E2DEA23-41B9-428b-B25C-D7662643A8BB}.exe	36
PID 2516 wrote to memory of 2096	2516	{1E2DEA23-41B9-428b-B25C-D7662643A8BB}.exe	36
PID 2516 wrote to memory of 2096	2516	{1E2DEA23-41B9-428b-B25C-D7662643A8BB}.exe	36
PID 2516 wrote to memory of 1180	2516	{1E2DEA23-41B9-428b-B25C-D7662643A8BB}.exe	37
PID 2516 wrote to memory of 1180	2516	{1E2DEA23-41B9-428b-B25C-D7662643A8BB}.exe	37
PID 2516 wrote to memory of 1180	2516	{1E2DEA23-41B9-428b-B25C-D7662643A8BB}.exe	37
PID 2516 wrote to memory of 1180	2516	{1E2DEA23-41B9-428b-B25C-D7662643A8BB}.exe	37
PID 2096 wrote to memory of 2932	2096	{D8D58703-07EC-4209-8826-DD34F743DBA5}.exe	38
PID 2096 wrote to memory of 2932	2096	{D8D58703-07EC-4209-8826-DD34F743DBA5}.exe	38
PID 2096 wrote to memory of 2932	2096	{D8D58703-07EC-4209-8826-DD34F743DBA5}.exe	38
PID 2096 wrote to memory of 2932	2096	{D8D58703-07EC-4209-8826-DD34F743DBA5}.exe	38
PID 2096 wrote to memory of 2368	2096	{D8D58703-07EC-4209-8826-DD34F743DBA5}.exe	39
PID 2096 wrote to memory of 2368	2096	{D8D58703-07EC-4209-8826-DD34F743DBA5}.exe	39
PID 2096 wrote to memory of 2368	2096	{D8D58703-07EC-4209-8826-DD34F743DBA5}.exe	39
PID 2096 wrote to memory of 2368	2096	{D8D58703-07EC-4209-8826-DD34F743DBA5}.exe	39
PID 2932 wrote to memory of 344	2932	{59BE62D8-793A-433d-B276-5C68E715CE76}.exe	40
PID 2932 wrote to memory of 344	2932	{59BE62D8-793A-433d-B276-5C68E715CE76}.exe	40
PID 2932 wrote to memory of 344	2932	{59BE62D8-793A-433d-B276-5C68E715CE76}.exe	40
PID 2932 wrote to memory of 344	2932	{59BE62D8-793A-433d-B276-5C68E715CE76}.exe	40
PID 2932 wrote to memory of 316	2932	{59BE62D8-793A-433d-B276-5C68E715CE76}.exe	41
PID 2932 wrote to memory of 316	2932	{59BE62D8-793A-433d-B276-5C68E715CE76}.exe	41
PID 2932 wrote to memory of 316	2932	{59BE62D8-793A-433d-B276-5C68E715CE76}.exe	41
PID 2932 wrote to memory of 316	2932	{59BE62D8-793A-433d-B276-5C68E715CE76}.exe	41
PID 344 wrote to memory of 1984	344	{EA112E8C-A43C-40b2-8B21-E8AE226550CD}.exe	42
PID 344 wrote to memory of 1984	344	{EA112E8C-A43C-40b2-8B21-E8AE226550CD}.exe	42
PID 344 wrote to memory of 1984	344	{EA112E8C-A43C-40b2-8B21-E8AE226550CD}.exe	42
PID 344 wrote to memory of 1984	344	{EA112E8C-A43C-40b2-8B21-E8AE226550CD}.exe	42
PID 344 wrote to memory of 1996	344	{EA112E8C-A43C-40b2-8B21-E8AE226550CD}.exe	43
PID 344 wrote to memory of 1996	344	{EA112E8C-A43C-40b2-8B21-E8AE226550CD}.exe	43
PID 344 wrote to memory of 1996	344	{EA112E8C-A43C-40b2-8B21-E8AE226550CD}.exe	43
PID 344 wrote to memory of 1996	344	{EA112E8C-A43C-40b2-8B21-E8AE226550CD}.exe	43
PID 1984 wrote to memory of 1648	1984	{851F3751-9D96-49bf-BD28-9B8C3E3732DA}.exe	44
PID 1984 wrote to memory of 1648	1984	{851F3751-9D96-49bf-BD28-9B8C3E3732DA}.exe	44
PID 1984 wrote to memory of 1648	1984	{851F3751-9D96-49bf-BD28-9B8C3E3732DA}.exe	44
PID 1984 wrote to memory of 1648	1984	{851F3751-9D96-49bf-BD28-9B8C3E3732DA}.exe	44
PID 1984 wrote to memory of 1088	1984	{851F3751-9D96-49bf-BD28-9B8C3E3732DA}.exe	45
PID 1984 wrote to memory of 1088	1984	{851F3751-9D96-49bf-BD28-9B8C3E3732DA}.exe	45
PID 1984 wrote to memory of 1088	1984	{851F3751-9D96-49bf-BD28-9B8C3E3732DA}.exe	45
PID 1984 wrote to memory of 1088	1984	{851F3751-9D96-49bf-BD28-9B8C3E3732DA}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-05-11_b13f687f7670e8a57be7936075a7cc70_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-11_b13f687f7670e8a57be7936075a7cc70_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1068
- C:\Windows\{D1C326E3-655E-422e-8998-E7BD5C640CA5}.exe
  C:\Windows\{D1C326E3-655E-422e-8998-E7BD5C640CA5}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:860
- - C:\Windows\{07D4B604-34AC-498d-AE8C-A3257CB4B881}.exe
    C:\Windows\{07D4B604-34AC-498d-AE8C-A3257CB4B881}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2712
  - - C:\Windows\{1E2DEA23-41B9-428b-B25C-D7662643A8BB}.exe
      C:\Windows\{1E2DEA23-41B9-428b-B25C-D7662643A8BB}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2516
    - - C:\Windows\{D8D58703-07EC-4209-8826-DD34F743DBA5}.exe
        
        C:\Windows\{D8D58703-07EC-4209-8826-DD34F743DBA5}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2096
      - C:\Windows\{59BE62D8-793A-433d-B276-5C68E715CE76}.exe
        
        C:\Windows\{59BE62D8-793A-433d-B276-5C68E715CE76}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2932
        
        C:\Windows\{EA112E8C-A43C-40b2-8B21-E8AE226550CD}.exe
        
        C:\Windows\{EA112E8C-A43C-40b2-8B21-E8AE226550CD}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:344
        
        C:\Windows\{851F3751-9D96-49bf-BD28-9B8C3E3732DA}.exe
        
        C:\Windows\{851F3751-9D96-49bf-BD28-9B8C3E3732DA}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1984
        
        C:\Windows\{C06D4C09-D1F0-442e-991F-E2A264AEF026}.exe
        
        C:\Windows\{C06D4C09-D1F0-442e-991F-E2A264AEF026}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1648
        
        C:\Windows\{477E40AF-20FA-40fe-B8C2-A57523801BE1}.exe
        
        C:\Windows\{477E40AF-20FA-40fe-B8C2-A57523801BE1}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1692
        
        C:\Windows\{1E20CE98-4538-4d2b-959B-870B79658203}.exe
        
        C:\Windows\{1E20CE98-4538-4d2b-959B-870B79658203}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2116
        
        C:\Windows\{DC01EE65-E544-44b8-A794-4A916EEE0FE8}.exe
        
        C:\Windows\{DC01EE65-E544-44b8-A794-4A916EEE0FE8}.exe
        12⤵
        Executes dropped EXE
        
        PID:700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1E20C~1.EXE > nul
        12⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{477E4~1.EXE > nul
        11⤵
        
        PID:2576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C06D4~1.EXE > nul
        10⤵
        
        PID:1252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{851F3~1.EXE > nul
        9⤵
        
        PID:1088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EA112~1.EXE > nul
        8⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{59BE6~1.EXE > nul
        7⤵
        
        PID:316
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D8D58~1.EXE > nul
        6⤵
        
        PID:2368
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1E2DE~1.EXE > nul
        5⤵
        
        PID:1180
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{07D4B~1.EXE > nul
      4⤵
      PID:2504
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{D1C32~1.EXE > nul
    3⤵
    PID:2604
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{07D4B604-34AC-498d-AE8C-A3257CB4B881}.exe

Filesize
380KB

MD5
7f5ae44daf477807f6b53aca3539c670

SHA1
c1bb4f3f6a27927f528c607c2c4342e123e8b862

SHA256
d97363d87f50f33a2e1ba84074f443449107a29e679191119248a20735f96b34

SHA512
30c4e931f85102a01f98ed85237d2ff75a9170dfae325de8407c8b9b33fe282e5fd452184cce939b284eb8110d77c9e0864e82139a5e672811bc9db5ced5a4e9

Download Submit
C:\Windows\{1E20CE98-4538-4d2b-959B-870B79658203}.exe

Filesize
380KB

MD5
f431b28656c1cc3d115bae07d3db4bd7

SHA1
2184aeb97c2339b4357bdca0b42faed206c38d2c

SHA256
cc4b57870fee40baded36f7ab707eb01db464bed227e7e59d0558e1b4b22d7c8

SHA512
171284e97409924f4f6f4bce184bb9c4ce8e0f8abc037f214ae741c14ed54748fa92765ef139b4979d20a11fbf1cb9488866610ee67db3c8fc84c9f9fd5239a6

Download Submit
C:\Windows\{1E2DEA23-41B9-428b-B25C-D7662643A8BB}.exe

Filesize
380KB

MD5
37e9c60beb9b27888de618b41a7f4c92

SHA1
10abdc2c51bbd36f3d4234885fac0b616569e8f1

SHA256
92e2336234401f3a8f168840266d95cdafe06ec795c23c359d9aa5b8a5de1484

SHA512
57cdad19bec87910c140fb12ae84eb667441bed56a05dcd298ee9e9ebb4d72e128d9a60057f50329743c25d0155cc32776a2c6fb7987ca2c1da541e0b9737166

Download Submit
C:\Windows\{477E40AF-20FA-40fe-B8C2-A57523801BE1}.exe

Filesize
380KB

MD5
ae9911c760c25d0b1bc5e59ba5d0a87b

SHA1
5f7a3f47f85c292d0bd05a4ae18b6e960c6f58e4

SHA256
dfaabd3c57e32784c7011db15b15f9149ac423ab6ef4fcbb91102b0887288500

SHA512
e9472ebe8b19606e73f0d296f23af99728035d0f856367ef4fbb6e38293ce43ba1a0c8eeef2f6f277743bd3e0a9e67feeacbbe03b5ec6ec2c2eed81a597b4263

Download Submit
C:\Windows\{59BE62D8-793A-433d-B276-5C68E715CE76}.exe

Filesize
380KB

MD5
9fff186269df721062725416ba1c8114

SHA1
0b143e5e03aaca171b74de6ca25b008a6878f93b

SHA256
9e59bad9b2491d7dc2f481be8d7cbfc24382e5cfe7dcf6cada4641ad33684bf2

SHA512
b218c7030174c4068c5fb6cc2ff866b8c8fa03c810dfbf5af4313f32b517de6aa0d54461bba32ff8d84fd0c58d3490c5d6d21f3c5f06896a864c898d3b44faeb

Download Submit
C:\Windows\{851F3751-9D96-49bf-BD28-9B8C3E3732DA}.exe

Filesize
380KB

MD5
616255bac00cb90fe3bb4d020e492beb

SHA1
58d37e9136cfe8d5a743aad29eb69621b9d2734b

SHA256
ed4d02244d2745b11a036d4be8a2eb85996c6925ebe02de04030ebd6ef3e6a78

SHA512
91195c49246db550c3f83e1d28bbada2af61ddc26d45478d1503cc4b2f05eab2f9131196224368589fb8000c290d39723273217ca32976b545d3e2c952324e46

Download Submit
C:\Windows\{C06D4C09-D1F0-442e-991F-E2A264AEF026}.exe

Filesize
380KB

MD5
12380ea99bd7ff1e5bef71db066e2753

SHA1
3e0039acb8127f6a141e2daa974a6be72f8d4b41

SHA256
02fa1a9cfed78112c0f8dc3e714f1515f4d26d93cb5586e39014ff2d3d1f7467

SHA512
655e8b2c294c1c12c15c5f60b705a8bdb8a71f8c56b9aaf481623d2ced8ef781a3ac1a69c5ed825ae840176475030635623345a75982a67f36ee32c39bbcffb9

Download Submit
C:\Windows\{D1C326E3-655E-422e-8998-E7BD5C640CA5}.exe

Filesize
380KB

MD5
59bb6ef5bb8b551064e8f4597adfb8fc

SHA1
e88d4f3d867f6b16a007e57d8a21b3b448c02e9b

SHA256
69f88cb08d6c4c6fdab954fd281fa6805998a55c0056bdb1e7e9b6346adef409

SHA512
11bae5ce437369b6e68dca5e114ced80fb4fbe0c5e3e6573a4b97bbdeeabd8dead412d7a2861357e8ffe01cd1a5e497ac764a4ac5e7b44bcfb81f06dde585d86

Download Submit
C:\Windows\{D8D58703-07EC-4209-8826-DD34F743DBA5}.exe

Filesize
380KB

MD5
ff89801a4f72bedc62997cdfcce5e48e

SHA1
ac4db66596a7faf57fae24c32c07a13269cf47af

SHA256
ad9d1e831771ad99415d3280c6788d58fe025b40405ab319a00516161c6b1ad6

SHA512
791a752ad28f491bc4bfe4aa75de20a6bc7ced297a88f26efee95646628af535dfdfe3df1ad31f4768ee1efd00b3089397292efa16b2d2039825278f6561de36

Download Submit
C:\Windows\{DC01EE65-E544-44b8-A794-4A916EEE0FE8}.exe

Filesize
380KB

MD5
f01ffb480b6dc0ad5e83884d3ecb31bc

SHA1
c30768c6d1dcfd8c90befcf178ffc19b3f671b80

SHA256
4a79f8b7e9f5cb7ca66765eb868ace079d187b1e9616416c6e862648820d7acb

SHA512
4782fe41bba688a98ed228f7e92cc9a17652a2760f42c815b18ee184dbbc5e21e7475793a272a490c82c929e7134493bd8847b9a3f5d487249e41eb56b3176f0

Download Submit
C:\Windows\{EA112E8C-A43C-40b2-8B21-E8AE226550CD}.exe

Filesize
380KB

MD5
9d713ad71e0ae359c32ea081acc46a2f

SHA1
6425d7337e208b2f535c2f2d4f032f0a1ac52fc0

SHA256
cf2a056bd2459a0d346c1501ee846dea860d851fccd5fc7423b44965a5f2cc8c

SHA512
a52974589e10a2c99787ca265a1b81ce4335cee5bc33bef3fa4d8e9543521866f8c232358a9488688c4e5f3e99c1dd3d29c698128e25e27f949c417e29806a99

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads