3cb995bf45adeacd42847821e9663172e241d4962e770fe7badaf360c615f272

Analysis

max time kernel
144s
max time network
121s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
16/05/2024, 13:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-16_170c81bc621dc8565722682bab0c04bf_goldeneye.exe
Size

344KB
MD5

170c81bc621dc8565722682bab0c04bf
SHA1

d244c08b8689f81ac02a0d9debbaf107e8e19f4c
SHA256

3cb995bf45adeacd42847821e9663172e241d4962e770fe7badaf360c615f272
SHA512

495b5ae6caacb6926bf40722692a4d26449bc4d5cf12f9202bf9df145c3057edbdd07d784b5ffe43a85be898abd55a69edbb97f3e43b1af31b92f83729c7725d
SSDEEP

3072:mEGh0oolEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGWlqOe2MUVg3v2IneKcAEcA

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000b00000001225d-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0036000000015d42-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c00000001225d-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0036000000015d72-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d00000001225d-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e00000001225d-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f00000001225d-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{07BCE40E-9BCA-43b4-880D-20CEAADEA283}	{ED6A7563-E72F-45cf-9B91-B5B813A51A52}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{000C3B6E-3400-4500-A4CC-282D28395959}	{CC06C202-19F1-4abd-9178-440897E3399C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CC06C202-19F1-4abd-9178-440897E3399C}	{1EC56238-75F9-411f-BE60-9432D3BFD120}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{138FA5FD-75DD-44dd-A7A4-79ED3630C8D2}	{396831FB-C2F8-4124-9D16-53B40C45915D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ED6A7563-E72F-45cf-9B91-B5B813A51A52}	{138FA5FD-75DD-44dd-A7A4-79ED3630C8D2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ED6A7563-E72F-45cf-9B91-B5B813A51A52}\stubpath = "C:\\Windows\\{ED6A7563-E72F-45cf-9B91-B5B813A51A52}.exe"	{138FA5FD-75DD-44dd-A7A4-79ED3630C8D2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D54712C6-11B6-4f23-8273-288D1B86A9A1}\stubpath = "C:\\Windows\\{D54712C6-11B6-4f23-8273-288D1B86A9A1}.exe"	{07BCE40E-9BCA-43b4-880D-20CEAADEA283}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{156C17A1-C57C-480a-A8D1-6FE312615292}	{D54712C6-11B6-4f23-8273-288D1B86A9A1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{156C17A1-C57C-480a-A8D1-6FE312615292}\stubpath = "C:\\Windows\\{156C17A1-C57C-480a-A8D1-6FE312615292}.exe"	{D54712C6-11B6-4f23-8273-288D1B86A9A1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9E630097-EAC9-4fe9-9823-2453775F49A9}\stubpath = "C:\\Windows\\{9E630097-EAC9-4fe9-9823-2453775F49A9}.exe"	{156C17A1-C57C-480a-A8D1-6FE312615292}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CC06C202-19F1-4abd-9178-440897E3399C}\stubpath = "C:\\Windows\\{CC06C202-19F1-4abd-9178-440897E3399C}.exe"	{1EC56238-75F9-411f-BE60-9432D3BFD120}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{000C3B6E-3400-4500-A4CC-282D28395959}\stubpath = "C:\\Windows\\{000C3B6E-3400-4500-A4CC-282D28395959}.exe"	{CC06C202-19F1-4abd-9178-440897E3399C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{396831FB-C2F8-4124-9D16-53B40C45915D}	2024-05-16_170c81bc621dc8565722682bab0c04bf_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{138FA5FD-75DD-44dd-A7A4-79ED3630C8D2}\stubpath = "C:\\Windows\\{138FA5FD-75DD-44dd-A7A4-79ED3630C8D2}.exe"	{396831FB-C2F8-4124-9D16-53B40C45915D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{07BCE40E-9BCA-43b4-880D-20CEAADEA283}\stubpath = "C:\\Windows\\{07BCE40E-9BCA-43b4-880D-20CEAADEA283}.exe"	{ED6A7563-E72F-45cf-9B91-B5B813A51A52}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D54712C6-11B6-4f23-8273-288D1B86A9A1}	{07BCE40E-9BCA-43b4-880D-20CEAADEA283}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{20508448-ADAE-4619-9D0E-95D59721444A}	{9E630097-EAC9-4fe9-9823-2453775F49A9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1EC56238-75F9-411f-BE60-9432D3BFD120}\stubpath = "C:\\Windows\\{1EC56238-75F9-411f-BE60-9432D3BFD120}.exe"	{20508448-ADAE-4619-9D0E-95D59721444A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{396831FB-C2F8-4124-9D16-53B40C45915D}\stubpath = "C:\\Windows\\{396831FB-C2F8-4124-9D16-53B40C45915D}.exe"	2024-05-16_170c81bc621dc8565722682bab0c04bf_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9E630097-EAC9-4fe9-9823-2453775F49A9}	{156C17A1-C57C-480a-A8D1-6FE312615292}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{20508448-ADAE-4619-9D0E-95D59721444A}\stubpath = "C:\\Windows\\{20508448-ADAE-4619-9D0E-95D59721444A}.exe"	{9E630097-EAC9-4fe9-9823-2453775F49A9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1EC56238-75F9-411f-BE60-9432D3BFD120}	{20508448-ADAE-4619-9D0E-95D59721444A}.exe

Deletes itself 1 IoCs

pid	Process
3008	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2972	{396831FB-C2F8-4124-9D16-53B40C45915D}.exe
2664	{138FA5FD-75DD-44dd-A7A4-79ED3630C8D2}.exe
2552	{ED6A7563-E72F-45cf-9B91-B5B813A51A52}.exe
2480	{07BCE40E-9BCA-43b4-880D-20CEAADEA283}.exe
628	{D54712C6-11B6-4f23-8273-288D1B86A9A1}.exe
468	{156C17A1-C57C-480a-A8D1-6FE312615292}.exe
884	{9E630097-EAC9-4fe9-9823-2453775F49A9}.exe
1252	{20508448-ADAE-4619-9D0E-95D59721444A}.exe
2772	{1EC56238-75F9-411f-BE60-9432D3BFD120}.exe
2340	{CC06C202-19F1-4abd-9178-440897E3399C}.exe
1416	{000C3B6E-3400-4500-A4CC-282D28395959}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{138FA5FD-75DD-44dd-A7A4-79ED3630C8D2}.exe	{396831FB-C2F8-4124-9D16-53B40C45915D}.exe
File created	C:\Windows\{D54712C6-11B6-4f23-8273-288D1B86A9A1}.exe	{07BCE40E-9BCA-43b4-880D-20CEAADEA283}.exe
File created	C:\Windows\{156C17A1-C57C-480a-A8D1-6FE312615292}.exe	{D54712C6-11B6-4f23-8273-288D1B86A9A1}.exe
File created	C:\Windows\{CC06C202-19F1-4abd-9178-440897E3399C}.exe	{1EC56238-75F9-411f-BE60-9432D3BFD120}.exe
File created	C:\Windows\{000C3B6E-3400-4500-A4CC-282D28395959}.exe	{CC06C202-19F1-4abd-9178-440897E3399C}.exe
File created	C:\Windows\{396831FB-C2F8-4124-9D16-53B40C45915D}.exe	2024-05-16_170c81bc621dc8565722682bab0c04bf_goldeneye.exe
File created	C:\Windows\{ED6A7563-E72F-45cf-9B91-B5B813A51A52}.exe	{138FA5FD-75DD-44dd-A7A4-79ED3630C8D2}.exe
File created	C:\Windows\{07BCE40E-9BCA-43b4-880D-20CEAADEA283}.exe	{ED6A7563-E72F-45cf-9B91-B5B813A51A52}.exe
File created	C:\Windows\{9E630097-EAC9-4fe9-9823-2453775F49A9}.exe	{156C17A1-C57C-480a-A8D1-6FE312615292}.exe
File created	C:\Windows\{20508448-ADAE-4619-9D0E-95D59721444A}.exe	{9E630097-EAC9-4fe9-9823-2453775F49A9}.exe
File created	C:\Windows\{1EC56238-75F9-411f-BE60-9432D3BFD120}.exe	{20508448-ADAE-4619-9D0E-95D59721444A}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	108	2024-05-16_170c81bc621dc8565722682bab0c04bf_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2972	{396831FB-C2F8-4124-9D16-53B40C45915D}.exe
Token: SeIncBasePriorityPrivilege	2664	{138FA5FD-75DD-44dd-A7A4-79ED3630C8D2}.exe
Token: SeIncBasePriorityPrivilege	2552	{ED6A7563-E72F-45cf-9B91-B5B813A51A52}.exe
Token: SeIncBasePriorityPrivilege	2480	{07BCE40E-9BCA-43b4-880D-20CEAADEA283}.exe
Token: SeIncBasePriorityPrivilege	628	{D54712C6-11B6-4f23-8273-288D1B86A9A1}.exe
Token: SeIncBasePriorityPrivilege	468	{156C17A1-C57C-480a-A8D1-6FE312615292}.exe
Token: SeIncBasePriorityPrivilege	884	{9E630097-EAC9-4fe9-9823-2453775F49A9}.exe
Token: SeIncBasePriorityPrivilege	1252	{20508448-ADAE-4619-9D0E-95D59721444A}.exe
Token: SeIncBasePriorityPrivilege	2772	{1EC56238-75F9-411f-BE60-9432D3BFD120}.exe
Token: SeIncBasePriorityPrivilege	2340	{CC06C202-19F1-4abd-9178-440897E3399C}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 108 wrote to memory of 2972	108	2024-05-16_170c81bc621dc8565722682bab0c04bf_goldeneye.exe	28
PID 108 wrote to memory of 2972	108	2024-05-16_170c81bc621dc8565722682bab0c04bf_goldeneye.exe	28
PID 108 wrote to memory of 2972	108	2024-05-16_170c81bc621dc8565722682bab0c04bf_goldeneye.exe	28
PID 108 wrote to memory of 2972	108	2024-05-16_170c81bc621dc8565722682bab0c04bf_goldeneye.exe	28
PID 108 wrote to memory of 3008	108	2024-05-16_170c81bc621dc8565722682bab0c04bf_goldeneye.exe	29
PID 108 wrote to memory of 3008	108	2024-05-16_170c81bc621dc8565722682bab0c04bf_goldeneye.exe	29
PID 108 wrote to memory of 3008	108	2024-05-16_170c81bc621dc8565722682bab0c04bf_goldeneye.exe	29
PID 108 wrote to memory of 3008	108	2024-05-16_170c81bc621dc8565722682bab0c04bf_goldeneye.exe	29
PID 2972 wrote to memory of 2664	2972	{396831FB-C2F8-4124-9D16-53B40C45915D}.exe	30
PID 2972 wrote to memory of 2664	2972	{396831FB-C2F8-4124-9D16-53B40C45915D}.exe	30
PID 2972 wrote to memory of 2664	2972	{396831FB-C2F8-4124-9D16-53B40C45915D}.exe	30
PID 2972 wrote to memory of 2664	2972	{396831FB-C2F8-4124-9D16-53B40C45915D}.exe	30
PID 2972 wrote to memory of 2332	2972	{396831FB-C2F8-4124-9D16-53B40C45915D}.exe	31
PID 2972 wrote to memory of 2332	2972	{396831FB-C2F8-4124-9D16-53B40C45915D}.exe	31
PID 2972 wrote to memory of 2332	2972	{396831FB-C2F8-4124-9D16-53B40C45915D}.exe	31
PID 2972 wrote to memory of 2332	2972	{396831FB-C2F8-4124-9D16-53B40C45915D}.exe	31
PID 2664 wrote to memory of 2552	2664	{138FA5FD-75DD-44dd-A7A4-79ED3630C8D2}.exe	32
PID 2664 wrote to memory of 2552	2664	{138FA5FD-75DD-44dd-A7A4-79ED3630C8D2}.exe	32
PID 2664 wrote to memory of 2552	2664	{138FA5FD-75DD-44dd-A7A4-79ED3630C8D2}.exe	32
PID 2664 wrote to memory of 2552	2664	{138FA5FD-75DD-44dd-A7A4-79ED3630C8D2}.exe	32
PID 2664 wrote to memory of 2732	2664	{138FA5FD-75DD-44dd-A7A4-79ED3630C8D2}.exe	33
PID 2664 wrote to memory of 2732	2664	{138FA5FD-75DD-44dd-A7A4-79ED3630C8D2}.exe	33
PID 2664 wrote to memory of 2732	2664	{138FA5FD-75DD-44dd-A7A4-79ED3630C8D2}.exe	33
PID 2664 wrote to memory of 2732	2664	{138FA5FD-75DD-44dd-A7A4-79ED3630C8D2}.exe	33
PID 2552 wrote to memory of 2480	2552	{ED6A7563-E72F-45cf-9B91-B5B813A51A52}.exe	36
PID 2552 wrote to memory of 2480	2552	{ED6A7563-E72F-45cf-9B91-B5B813A51A52}.exe	36
PID 2552 wrote to memory of 2480	2552	{ED6A7563-E72F-45cf-9B91-B5B813A51A52}.exe	36
PID 2552 wrote to memory of 2480	2552	{ED6A7563-E72F-45cf-9B91-B5B813A51A52}.exe	36
PID 2552 wrote to memory of 1808	2552	{ED6A7563-E72F-45cf-9B91-B5B813A51A52}.exe	37
PID 2552 wrote to memory of 1808	2552	{ED6A7563-E72F-45cf-9B91-B5B813A51A52}.exe	37
PID 2552 wrote to memory of 1808	2552	{ED6A7563-E72F-45cf-9B91-B5B813A51A52}.exe	37
PID 2552 wrote to memory of 1808	2552	{ED6A7563-E72F-45cf-9B91-B5B813A51A52}.exe	37
PID 2480 wrote to memory of 628	2480	{07BCE40E-9BCA-43b4-880D-20CEAADEA283}.exe	38
PID 2480 wrote to memory of 628	2480	{07BCE40E-9BCA-43b4-880D-20CEAADEA283}.exe	38
PID 2480 wrote to memory of 628	2480	{07BCE40E-9BCA-43b4-880D-20CEAADEA283}.exe	38
PID 2480 wrote to memory of 628	2480	{07BCE40E-9BCA-43b4-880D-20CEAADEA283}.exe	38
PID 2480 wrote to memory of 1276	2480	{07BCE40E-9BCA-43b4-880D-20CEAADEA283}.exe	39
PID 2480 wrote to memory of 1276	2480	{07BCE40E-9BCA-43b4-880D-20CEAADEA283}.exe	39
PID 2480 wrote to memory of 1276	2480	{07BCE40E-9BCA-43b4-880D-20CEAADEA283}.exe	39
PID 2480 wrote to memory of 1276	2480	{07BCE40E-9BCA-43b4-880D-20CEAADEA283}.exe	39
PID 628 wrote to memory of 468	628	{D54712C6-11B6-4f23-8273-288D1B86A9A1}.exe	40
PID 628 wrote to memory of 468	628	{D54712C6-11B6-4f23-8273-288D1B86A9A1}.exe	40
PID 628 wrote to memory of 468	628	{D54712C6-11B6-4f23-8273-288D1B86A9A1}.exe	40
PID 628 wrote to memory of 468	628	{D54712C6-11B6-4f23-8273-288D1B86A9A1}.exe	40
PID 628 wrote to memory of 1528	628	{D54712C6-11B6-4f23-8273-288D1B86A9A1}.exe	41
PID 628 wrote to memory of 1528	628	{D54712C6-11B6-4f23-8273-288D1B86A9A1}.exe	41
PID 628 wrote to memory of 1528	628	{D54712C6-11B6-4f23-8273-288D1B86A9A1}.exe	41
PID 628 wrote to memory of 1528	628	{D54712C6-11B6-4f23-8273-288D1B86A9A1}.exe	41
PID 468 wrote to memory of 884	468	{156C17A1-C57C-480a-A8D1-6FE312615292}.exe	42
PID 468 wrote to memory of 884	468	{156C17A1-C57C-480a-A8D1-6FE312615292}.exe	42
PID 468 wrote to memory of 884	468	{156C17A1-C57C-480a-A8D1-6FE312615292}.exe	42
PID 468 wrote to memory of 884	468	{156C17A1-C57C-480a-A8D1-6FE312615292}.exe	42
PID 468 wrote to memory of 2372	468	{156C17A1-C57C-480a-A8D1-6FE312615292}.exe	43
PID 468 wrote to memory of 2372	468	{156C17A1-C57C-480a-A8D1-6FE312615292}.exe	43
PID 468 wrote to memory of 2372	468	{156C17A1-C57C-480a-A8D1-6FE312615292}.exe	43
PID 468 wrote to memory of 2372	468	{156C17A1-C57C-480a-A8D1-6FE312615292}.exe	43
PID 884 wrote to memory of 1252	884	{9E630097-EAC9-4fe9-9823-2453775F49A9}.exe	44
PID 884 wrote to memory of 1252	884	{9E630097-EAC9-4fe9-9823-2453775F49A9}.exe	44
PID 884 wrote to memory of 1252	884	{9E630097-EAC9-4fe9-9823-2453775F49A9}.exe	44
PID 884 wrote to memory of 1252	884	{9E630097-EAC9-4fe9-9823-2453775F49A9}.exe	44
PID 884 wrote to memory of 1284	884	{9E630097-EAC9-4fe9-9823-2453775F49A9}.exe	45
PID 884 wrote to memory of 1284	884	{9E630097-EAC9-4fe9-9823-2453775F49A9}.exe	45
PID 884 wrote to memory of 1284	884	{9E630097-EAC9-4fe9-9823-2453775F49A9}.exe	45
PID 884 wrote to memory of 1284	884	{9E630097-EAC9-4fe9-9823-2453775F49A9}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-05-16_170c81bc621dc8565722682bab0c04bf_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-16_170c81bc621dc8565722682bab0c04bf_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:108
- C:\Windows\{396831FB-C2F8-4124-9D16-53B40C45915D}.exe
  C:\Windows\{396831FB-C2F8-4124-9D16-53B40C45915D}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2972
- - C:\Windows\{138FA5FD-75DD-44dd-A7A4-79ED3630C8D2}.exe
    C:\Windows\{138FA5FD-75DD-44dd-A7A4-79ED3630C8D2}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2664
  - - C:\Windows\{ED6A7563-E72F-45cf-9B91-B5B813A51A52}.exe
      C:\Windows\{ED6A7563-E72F-45cf-9B91-B5B813A51A52}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2552
    - - C:\Windows\{07BCE40E-9BCA-43b4-880D-20CEAADEA283}.exe
        
        C:\Windows\{07BCE40E-9BCA-43b4-880D-20CEAADEA283}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2480
      - C:\Windows\{D54712C6-11B6-4f23-8273-288D1B86A9A1}.exe
        
        C:\Windows\{D54712C6-11B6-4f23-8273-288D1B86A9A1}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:628
        
        C:\Windows\{156C17A1-C57C-480a-A8D1-6FE312615292}.exe
        
        C:\Windows\{156C17A1-C57C-480a-A8D1-6FE312615292}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:468
        
        C:\Windows\{9E630097-EAC9-4fe9-9823-2453775F49A9}.exe
        
        C:\Windows\{9E630097-EAC9-4fe9-9823-2453775F49A9}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:884
        
        C:\Windows\{20508448-ADAE-4619-9D0E-95D59721444A}.exe
        
        C:\Windows\{20508448-ADAE-4619-9D0E-95D59721444A}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1252
        
        C:\Windows\{1EC56238-75F9-411f-BE60-9432D3BFD120}.exe
        
        C:\Windows\{1EC56238-75F9-411f-BE60-9432D3BFD120}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2772
        
        C:\Windows\{CC06C202-19F1-4abd-9178-440897E3399C}.exe
        
        C:\Windows\{CC06C202-19F1-4abd-9178-440897E3399C}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2340
        
        C:\Windows\{000C3B6E-3400-4500-A4CC-282D28395959}.exe
        
        C:\Windows\{000C3B6E-3400-4500-A4CC-282D28395959}.exe
        12⤵
        Executes dropped EXE
        
        PID:1416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CC06C~1.EXE > nul
        12⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1EC56~1.EXE > nul
        11⤵
        
        PID:672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{20508~1.EXE > nul
        10⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9E630~1.EXE > nul
        9⤵
        
        PID:1284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{156C1~1.EXE > nul
        8⤵
        
        PID:2372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D5471~1.EXE > nul
        7⤵
        
        PID:1528
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{07BCE~1.EXE > nul
        6⤵
        
        PID:1276
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{ED6A7~1.EXE > nul
        5⤵
        
        PID:1808
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{138FA~1.EXE > nul
      4⤵
      PID:2732
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{39683~1.EXE > nul
    3⤵
    PID:2332
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:3008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{000C3B6E-3400-4500-A4CC-282D28395959}.exe

Filesize
344KB

MD5
2d14a211c4a17895c0a0c4e070084d8f

SHA1
13e638c1ac6ab5b77342aa14b88500efacd66e1f

SHA256
84b16cd1d35b8e477767b4cab14ee25aabd8dc8109cdb6e4986d9c5765b6fd99

SHA512
84099aafd8945e1f88f89fd5f55473f3d1a5afe5836a867e5ccfa3d432805843e106d510c744d29119641cdbf3fe31cb1e8d541580606aa6c9b0dc0db0506283

Download Submit
C:\Windows\{07BCE40E-9BCA-43b4-880D-20CEAADEA283}.exe

Filesize
344KB

MD5
1b8eaa663405389ad6011d54f8946f09

SHA1
7b3fa4f9677ab1e54377ba44f3c287ac1565e545

SHA256
6f3f5b4e35c54ba373c15870d12d6e884c5774a13cd0de571b2086e900322b63

SHA512
fd4c5dbc1d93c93ba77118a2c859b3c68a3816f65eb5bda2b196a80388c0e5cbe7a15d0e94dc23566946c37d4f4a3479a4ddb7a451d7e0587b55edd7a2658548

Download Submit
C:\Windows\{138FA5FD-75DD-44dd-A7A4-79ED3630C8D2}.exe

Filesize
344KB

MD5
c699359afe1e5abdd9ed88aaec0bbbea

SHA1
9511600a48e6c062713209c6092a6c9af91561f9

SHA256
492b88184a4a5780a30b48b344d26b3f8fbf8456c54c90b80250fa041ce9b2f2

SHA512
ab271ae430433532c2420b3885c528867b4b0c8ea7209428944b18bc47c3448db233f6fec79f0c21934ae86f2081a599d767737c651ee09f475767728dc484f6

Download Submit
C:\Windows\{156C17A1-C57C-480a-A8D1-6FE312615292}.exe

Filesize
344KB

MD5
c4983aa14fb22d045a63a01fa037152a

SHA1
d5c98ac085efab4dc93227aaccff441e9e57e8f6

SHA256
4d40e7244e664099536dd611618fd1cc0db6cde1132d0e24e6dfd9116aaea8a9

SHA512
76e6ff7af5dc5fcb632e491059aa5c413e363fe382ccc5e531781e7ffe2572cbc9854a615ff01f43b15fc0ba09869a7764fe1adbb1923c14df0581cb4dcb471f

Download Submit
C:\Windows\{1EC56238-75F9-411f-BE60-9432D3BFD120}.exe

Filesize
344KB

MD5
af945ecb9c110185c1e78c05c5c9c075

SHA1
9b85b1625e05b989f609f847cf336b0c47e5b24e

SHA256
005b533c9146cf781625be4861ec60e4aacf5ee23b4852d12986572f4fdc7c3f

SHA512
eac2e52367780bd7ecb2e2cb941c6e106f103fa3a0f1a5119722bbdb36eb82646346ef41c37878f41e6e65d08e67b26e06177cb573109337d305105d06ed8eb9

Download Submit
C:\Windows\{20508448-ADAE-4619-9D0E-95D59721444A}.exe

Filesize
344KB

MD5
a6cd10c3b4855192b8c07ba9b2691211

SHA1
0db9986af536f8c286976dda35b234bd96256c05

SHA256
8d8bcf43f82c6454784c42b5462138da64a1c16086ee8ba6d67575c20f8d97b0

SHA512
63321a30ec91c9806eebbffd5937129643063b86ab09a0638220454387fb92e347bb4d7c51f50c5c6bef8c350d5f8a348cab20175a8099527ba8a7654f8318d4

Download Submit
C:\Windows\{396831FB-C2F8-4124-9D16-53B40C45915D}.exe

Filesize
344KB

MD5
c6e4dd0c408840f1794431f4f2acfb7b

SHA1
92751c3bcf382a8ae584776b6e28997b11fe4f89

SHA256
76d6a99302c9199c2b17ef07e9c1cf518c7f344df3b51130712c8725a59c4be4

SHA512
5091f9b9e083cf8d7e3a29f0808ac545f45c2512e1996b7fde9c70cf07accc8b20c19e7cb643c17637002d65b94c27d397423f62b7b8bb3c8754f4dbc35a32d6

Download Submit
C:\Windows\{9E630097-EAC9-4fe9-9823-2453775F49A9}.exe

Filesize
344KB

MD5
28e1e001dc7adedbb3f3971148fe41fa

SHA1
81789ad94dbc6da77d4cb7b9017264cd7fe74d3e

SHA256
c772b79d4cea0989c93ef65ed23c12b03c1a3c69322ad696e9e7e4757cc8f1aa

SHA512
cd72e06e566795aba6ec107c15aa6b2c5a0e20975e21fcab4053f0011da06f9e46e7976d409f809d91332e07d3e82fd4535f48c8a95b3b1b1378ae80e68531ad

Download Submit
C:\Windows\{CC06C202-19F1-4abd-9178-440897E3399C}.exe

Filesize
344KB

MD5
a30c53cf4c105ddf14f1e8b17d28f1b0

SHA1
ff716326568e1d2b16d1ac2a7e32a3f273ae0b92

SHA256
165dd1f10b2d6a36075d6623fc123c5727639e0f59f14a298ac1678be9fe651d

SHA512
1028f2de7105b9f4a9acd06f0441cd49b7ebdb80dcaa5e1bc23e5ae05f298dec6a5cca6ef906cf3c0229b54821bdc2b175dee43a11f17654ace30c422c78b734

Download Submit
C:\Windows\{D54712C6-11B6-4f23-8273-288D1B86A9A1}.exe

Filesize
344KB

MD5
3e119682952837c1d8e89d2a9416d870

SHA1
056548a8ac2ab666c0c03234e99f792ad29b9b6a

SHA256
85561bb5a75d38d9b147331851b6c919a7ac92d66a62d3ebee41bfaf350be553

SHA512
295b9ea733c26255b8dac170bd31d365eccf9302ef779334eed013e62fe0175892f9badbcb6c9887146e02c13f38fb70989f14bd5ed28e534948092003661c4b

Download Submit
C:\Windows\{ED6A7563-E72F-45cf-9B91-B5B813A51A52}.exe

Filesize
344KB

MD5
1436072b2f75e6cd75411fbabd3a4de5

SHA1
68d6b8f10f73d3c52c3936f45f91692a21753620

SHA256
cedfb85c9422e5d36e129aaf1f4fadda9de461274a5ba13c281d47c784259fc8

SHA512
5678b2767d8aa472bfdfa3a49685491b792575196cb7767aa1b15c8075d9171b632902ffdea6d0e12fb092ffbaab705054fa1b3a0688158703080363bae9a290

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads