cf7ae9d063e8bc17be1265b8e20e57e3af095194f479678813668dbb00f39dfa

Analysis

max time kernel
144s
max time network
118s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
20/05/2024, 15:09

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-05-20_acfa508c3acb9ee8e6ff23c9902563e0_goldeneye.exe
Size

344KB
MD5

acfa508c3acb9ee8e6ff23c9902563e0
SHA1

604e966f35234e1d4e48a82904ad4ad696c1f3b6
SHA256

cf7ae9d063e8bc17be1265b8e20e57e3af095194f479678813668dbb00f39dfa
SHA512

b6a251b2efe71906697928832ddfebabd66dac6a49186e790860891ad7df475ba283f5476f074834c7e23b9d97d5788df802210ca866383a14272245c20db52d
SSDEEP

3072:mEGh0o8lEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGylqOe2MUVg3v2IneKcAEcA

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000d000000012279-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00350000000141aa-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e000000012279-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00360000000141bb-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f000000012279-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0010000000012279-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0011000000012279-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8689404A-2288-45a2-A5B0-2653ADF388BC}	{B90FF935-3AC1-4fd8-A511-2F2F0116C80E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8689404A-2288-45a2-A5B0-2653ADF388BC}\stubpath = "C:\\Windows\\{8689404A-2288-45a2-A5B0-2653ADF388BC}.exe"	{B90FF935-3AC1-4fd8-A511-2F2F0116C80E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6D532F4D-DA1B-4a03-A221-D7019753EF4D}	{7A4F8B56-E0D9-4f40-AF18-13AA36E9FD1E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B947FAEC-9ABF-40e3-B41B-566C8208002C}\stubpath = "C:\\Windows\\{B947FAEC-9ABF-40e3-B41B-566C8208002C}.exe"	{3303EFC0-14AD-427f-91B3-2C34538DAF0B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6ED296C6-E633-4085-92B3-3A38B03C6405}	2024-05-20_acfa508c3acb9ee8e6ff23c9902563e0_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5228223B-B717-40f5-9BF3-0A763FF29D13}	{00317CC6-A0F8-43bd-A088-155C9169A68D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7A4F8B56-E0D9-4f40-AF18-13AA36E9FD1E}	{7793F106-E079-4735-8688-305E70B0493C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{00317CC6-A0F8-43bd-A088-155C9169A68D}	{A790D877-56E4-40b9-985C-8B88700E8750}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5228223B-B717-40f5-9BF3-0A763FF29D13}\stubpath = "C:\\Windows\\{5228223B-B717-40f5-9BF3-0A763FF29D13}.exe"	{00317CC6-A0F8-43bd-A088-155C9169A68D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3303EFC0-14AD-427f-91B3-2C34538DAF0B}	{5228223B-B717-40f5-9BF3-0A763FF29D13}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6ED296C6-E633-4085-92B3-3A38B03C6405}\stubpath = "C:\\Windows\\{6ED296C6-E633-4085-92B3-3A38B03C6405}.exe"	2024-05-20_acfa508c3acb9ee8e6ff23c9902563e0_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B90FF935-3AC1-4fd8-A511-2F2F0116C80E}	{6ED296C6-E633-4085-92B3-3A38B03C6405}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B90FF935-3AC1-4fd8-A511-2F2F0116C80E}\stubpath = "C:\\Windows\\{B90FF935-3AC1-4fd8-A511-2F2F0116C80E}.exe"	{6ED296C6-E633-4085-92B3-3A38B03C6405}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7793F106-E079-4735-8688-305E70B0493C}\stubpath = "C:\\Windows\\{7793F106-E079-4735-8688-305E70B0493C}.exe"	{8689404A-2288-45a2-A5B0-2653ADF388BC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A790D877-56E4-40b9-985C-8B88700E8750}\stubpath = "C:\\Windows\\{A790D877-56E4-40b9-985C-8B88700E8750}.exe"	{6D532F4D-DA1B-4a03-A221-D7019753EF4D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{00317CC6-A0F8-43bd-A088-155C9169A68D}\stubpath = "C:\\Windows\\{00317CC6-A0F8-43bd-A088-155C9169A68D}.exe"	{A790D877-56E4-40b9-985C-8B88700E8750}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3303EFC0-14AD-427f-91B3-2C34538DAF0B}\stubpath = "C:\\Windows\\{3303EFC0-14AD-427f-91B3-2C34538DAF0B}.exe"	{5228223B-B717-40f5-9BF3-0A763FF29D13}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B947FAEC-9ABF-40e3-B41B-566C8208002C}	{3303EFC0-14AD-427f-91B3-2C34538DAF0B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7793F106-E079-4735-8688-305E70B0493C}	{8689404A-2288-45a2-A5B0-2653ADF388BC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7A4F8B56-E0D9-4f40-AF18-13AA36E9FD1E}\stubpath = "C:\\Windows\\{7A4F8B56-E0D9-4f40-AF18-13AA36E9FD1E}.exe"	{7793F106-E079-4735-8688-305E70B0493C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6D532F4D-DA1B-4a03-A221-D7019753EF4D}\stubpath = "C:\\Windows\\{6D532F4D-DA1B-4a03-A221-D7019753EF4D}.exe"	{7A4F8B56-E0D9-4f40-AF18-13AA36E9FD1E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A790D877-56E4-40b9-985C-8B88700E8750}	{6D532F4D-DA1B-4a03-A221-D7019753EF4D}.exe

Deletes itself 1 IoCs

pid	Process
2104	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2480	{6ED296C6-E633-4085-92B3-3A38B03C6405}.exe
2960	{B90FF935-3AC1-4fd8-A511-2F2F0116C80E}.exe
2560	{8689404A-2288-45a2-A5B0-2653ADF388BC}.exe
2580	{7793F106-E079-4735-8688-305E70B0493C}.exe
2900	{7A4F8B56-E0D9-4f40-AF18-13AA36E9FD1E}.exe
1432	{6D532F4D-DA1B-4a03-A221-D7019753EF4D}.exe
1996	{A790D877-56E4-40b9-985C-8B88700E8750}.exe
900	{00317CC6-A0F8-43bd-A088-155C9169A68D}.exe
2276	{5228223B-B717-40f5-9BF3-0A763FF29D13}.exe
2968	{3303EFC0-14AD-427f-91B3-2C34538DAF0B}.exe
1392	{B947FAEC-9ABF-40e3-B41B-566C8208002C}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{7A4F8B56-E0D9-4f40-AF18-13AA36E9FD1E}.exe	{7793F106-E079-4735-8688-305E70B0493C}.exe
File created	C:\Windows\{A790D877-56E4-40b9-985C-8B88700E8750}.exe	{6D532F4D-DA1B-4a03-A221-D7019753EF4D}.exe
File created	C:\Windows\{3303EFC0-14AD-427f-91B3-2C34538DAF0B}.exe	{5228223B-B717-40f5-9BF3-0A763FF29D13}.exe
File created	C:\Windows\{B947FAEC-9ABF-40e3-B41B-566C8208002C}.exe	{3303EFC0-14AD-427f-91B3-2C34538DAF0B}.exe
File created	C:\Windows\{B90FF935-3AC1-4fd8-A511-2F2F0116C80E}.exe	{6ED296C6-E633-4085-92B3-3A38B03C6405}.exe
File created	C:\Windows\{7793F106-E079-4735-8688-305E70B0493C}.exe	{8689404A-2288-45a2-A5B0-2653ADF388BC}.exe
File created	C:\Windows\{6D532F4D-DA1B-4a03-A221-D7019753EF4D}.exe	{7A4F8B56-E0D9-4f40-AF18-13AA36E9FD1E}.exe
File created	C:\Windows\{00317CC6-A0F8-43bd-A088-155C9169A68D}.exe	{A790D877-56E4-40b9-985C-8B88700E8750}.exe
File created	C:\Windows\{5228223B-B717-40f5-9BF3-0A763FF29D13}.exe	{00317CC6-A0F8-43bd-A088-155C9169A68D}.exe
File created	C:\Windows\{6ED296C6-E633-4085-92B3-3A38B03C6405}.exe	2024-05-20_acfa508c3acb9ee8e6ff23c9902563e0_goldeneye.exe
File created	C:\Windows\{8689404A-2288-45a2-A5B0-2653ADF388BC}.exe	{B90FF935-3AC1-4fd8-A511-2F2F0116C80E}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2488	2024-05-20_acfa508c3acb9ee8e6ff23c9902563e0_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2480	{6ED296C6-E633-4085-92B3-3A38B03C6405}.exe
Token: SeIncBasePriorityPrivilege	2960	{B90FF935-3AC1-4fd8-A511-2F2F0116C80E}.exe
Token: SeIncBasePriorityPrivilege	2560	{8689404A-2288-45a2-A5B0-2653ADF388BC}.exe
Token: SeIncBasePriorityPrivilege	2580	{7793F106-E079-4735-8688-305E70B0493C}.exe
Token: SeIncBasePriorityPrivilege	2900	{7A4F8B56-E0D9-4f40-AF18-13AA36E9FD1E}.exe
Token: SeIncBasePriorityPrivilege	1432	{6D532F4D-DA1B-4a03-A221-D7019753EF4D}.exe
Token: SeIncBasePriorityPrivilege	1996	{A790D877-56E4-40b9-985C-8B88700E8750}.exe
Token: SeIncBasePriorityPrivilege	900	{00317CC6-A0F8-43bd-A088-155C9169A68D}.exe
Token: SeIncBasePriorityPrivilege	2276	{5228223B-B717-40f5-9BF3-0A763FF29D13}.exe
Token: SeIncBasePriorityPrivilege	2968	{3303EFC0-14AD-427f-91B3-2C34538DAF0B}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2488 wrote to memory of 2480	2488	2024-05-20_acfa508c3acb9ee8e6ff23c9902563e0_goldeneye.exe	28
PID 2488 wrote to memory of 2480	2488	2024-05-20_acfa508c3acb9ee8e6ff23c9902563e0_goldeneye.exe	28
PID 2488 wrote to memory of 2480	2488	2024-05-20_acfa508c3acb9ee8e6ff23c9902563e0_goldeneye.exe	28
PID 2488 wrote to memory of 2480	2488	2024-05-20_acfa508c3acb9ee8e6ff23c9902563e0_goldeneye.exe	28
PID 2488 wrote to memory of 2104	2488	2024-05-20_acfa508c3acb9ee8e6ff23c9902563e0_goldeneye.exe	29
PID 2488 wrote to memory of 2104	2488	2024-05-20_acfa508c3acb9ee8e6ff23c9902563e0_goldeneye.exe	29
PID 2488 wrote to memory of 2104	2488	2024-05-20_acfa508c3acb9ee8e6ff23c9902563e0_goldeneye.exe	29
PID 2488 wrote to memory of 2104	2488	2024-05-20_acfa508c3acb9ee8e6ff23c9902563e0_goldeneye.exe	29
PID 2480 wrote to memory of 2960	2480	{6ED296C6-E633-4085-92B3-3A38B03C6405}.exe	30
PID 2480 wrote to memory of 2960	2480	{6ED296C6-E633-4085-92B3-3A38B03C6405}.exe	30
PID 2480 wrote to memory of 2960	2480	{6ED296C6-E633-4085-92B3-3A38B03C6405}.exe	30
PID 2480 wrote to memory of 2960	2480	{6ED296C6-E633-4085-92B3-3A38B03C6405}.exe	30
PID 2480 wrote to memory of 2640	2480	{6ED296C6-E633-4085-92B3-3A38B03C6405}.exe	31
PID 2480 wrote to memory of 2640	2480	{6ED296C6-E633-4085-92B3-3A38B03C6405}.exe	31
PID 2480 wrote to memory of 2640	2480	{6ED296C6-E633-4085-92B3-3A38B03C6405}.exe	31
PID 2480 wrote to memory of 2640	2480	{6ED296C6-E633-4085-92B3-3A38B03C6405}.exe	31
PID 2960 wrote to memory of 2560	2960	{B90FF935-3AC1-4fd8-A511-2F2F0116C80E}.exe	32
PID 2960 wrote to memory of 2560	2960	{B90FF935-3AC1-4fd8-A511-2F2F0116C80E}.exe	32
PID 2960 wrote to memory of 2560	2960	{B90FF935-3AC1-4fd8-A511-2F2F0116C80E}.exe	32
PID 2960 wrote to memory of 2560	2960	{B90FF935-3AC1-4fd8-A511-2F2F0116C80E}.exe	32
PID 2960 wrote to memory of 2908	2960	{B90FF935-3AC1-4fd8-A511-2F2F0116C80E}.exe	33
PID 2960 wrote to memory of 2908	2960	{B90FF935-3AC1-4fd8-A511-2F2F0116C80E}.exe	33
PID 2960 wrote to memory of 2908	2960	{B90FF935-3AC1-4fd8-A511-2F2F0116C80E}.exe	33
PID 2960 wrote to memory of 2908	2960	{B90FF935-3AC1-4fd8-A511-2F2F0116C80E}.exe	33
PID 2560 wrote to memory of 2580	2560	{8689404A-2288-45a2-A5B0-2653ADF388BC}.exe	36
PID 2560 wrote to memory of 2580	2560	{8689404A-2288-45a2-A5B0-2653ADF388BC}.exe	36
PID 2560 wrote to memory of 2580	2560	{8689404A-2288-45a2-A5B0-2653ADF388BC}.exe	36
PID 2560 wrote to memory of 2580	2560	{8689404A-2288-45a2-A5B0-2653ADF388BC}.exe	36
PID 2560 wrote to memory of 1736	2560	{8689404A-2288-45a2-A5B0-2653ADF388BC}.exe	37
PID 2560 wrote to memory of 1736	2560	{8689404A-2288-45a2-A5B0-2653ADF388BC}.exe	37
PID 2560 wrote to memory of 1736	2560	{8689404A-2288-45a2-A5B0-2653ADF388BC}.exe	37
PID 2560 wrote to memory of 1736	2560	{8689404A-2288-45a2-A5B0-2653ADF388BC}.exe	37
PID 2580 wrote to memory of 2900	2580	{7793F106-E079-4735-8688-305E70B0493C}.exe	38
PID 2580 wrote to memory of 2900	2580	{7793F106-E079-4735-8688-305E70B0493C}.exe	38
PID 2580 wrote to memory of 2900	2580	{7793F106-E079-4735-8688-305E70B0493C}.exe	38
PID 2580 wrote to memory of 2900	2580	{7793F106-E079-4735-8688-305E70B0493C}.exe	38
PID 2580 wrote to memory of 2888	2580	{7793F106-E079-4735-8688-305E70B0493C}.exe	39
PID 2580 wrote to memory of 2888	2580	{7793F106-E079-4735-8688-305E70B0493C}.exe	39
PID 2580 wrote to memory of 2888	2580	{7793F106-E079-4735-8688-305E70B0493C}.exe	39
PID 2580 wrote to memory of 2888	2580	{7793F106-E079-4735-8688-305E70B0493C}.exe	39
PID 2900 wrote to memory of 1432	2900	{7A4F8B56-E0D9-4f40-AF18-13AA36E9FD1E}.exe	40
PID 2900 wrote to memory of 1432	2900	{7A4F8B56-E0D9-4f40-AF18-13AA36E9FD1E}.exe	40
PID 2900 wrote to memory of 1432	2900	{7A4F8B56-E0D9-4f40-AF18-13AA36E9FD1E}.exe	40
PID 2900 wrote to memory of 1432	2900	{7A4F8B56-E0D9-4f40-AF18-13AA36E9FD1E}.exe	40
PID 2900 wrote to memory of 1944	2900	{7A4F8B56-E0D9-4f40-AF18-13AA36E9FD1E}.exe	41
PID 2900 wrote to memory of 1944	2900	{7A4F8B56-E0D9-4f40-AF18-13AA36E9FD1E}.exe	41
PID 2900 wrote to memory of 1944	2900	{7A4F8B56-E0D9-4f40-AF18-13AA36E9FD1E}.exe	41
PID 2900 wrote to memory of 1944	2900	{7A4F8B56-E0D9-4f40-AF18-13AA36E9FD1E}.exe	41
PID 1432 wrote to memory of 1996	1432	{6D532F4D-DA1B-4a03-A221-D7019753EF4D}.exe	42
PID 1432 wrote to memory of 1996	1432	{6D532F4D-DA1B-4a03-A221-D7019753EF4D}.exe	42
PID 1432 wrote to memory of 1996	1432	{6D532F4D-DA1B-4a03-A221-D7019753EF4D}.exe	42
PID 1432 wrote to memory of 1996	1432	{6D532F4D-DA1B-4a03-A221-D7019753EF4D}.exe	42
PID 1432 wrote to memory of 1452	1432	{6D532F4D-DA1B-4a03-A221-D7019753EF4D}.exe	43
PID 1432 wrote to memory of 1452	1432	{6D532F4D-DA1B-4a03-A221-D7019753EF4D}.exe	43
PID 1432 wrote to memory of 1452	1432	{6D532F4D-DA1B-4a03-A221-D7019753EF4D}.exe	43
PID 1432 wrote to memory of 1452	1432	{6D532F4D-DA1B-4a03-A221-D7019753EF4D}.exe	43
PID 1996 wrote to memory of 900	1996	{A790D877-56E4-40b9-985C-8B88700E8750}.exe	44
PID 1996 wrote to memory of 900	1996	{A790D877-56E4-40b9-985C-8B88700E8750}.exe	44
PID 1996 wrote to memory of 900	1996	{A790D877-56E4-40b9-985C-8B88700E8750}.exe	44
PID 1996 wrote to memory of 900	1996	{A790D877-56E4-40b9-985C-8B88700E8750}.exe	44
PID 1996 wrote to memory of 1316	1996	{A790D877-56E4-40b9-985C-8B88700E8750}.exe	45
PID 1996 wrote to memory of 1316	1996	{A790D877-56E4-40b9-985C-8B88700E8750}.exe	45
PID 1996 wrote to memory of 1316	1996	{A790D877-56E4-40b9-985C-8B88700E8750}.exe	45
PID 1996 wrote to memory of 1316	1996	{A790D877-56E4-40b9-985C-8B88700E8750}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-05-20_acfa508c3acb9ee8e6ff23c9902563e0_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-20_acfa508c3acb9ee8e6ff23c9902563e0_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2488
- C:\Windows\{6ED296C6-E633-4085-92B3-3A38B03C6405}.exe
  C:\Windows\{6ED296C6-E633-4085-92B3-3A38B03C6405}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2480
- - C:\Windows\{B90FF935-3AC1-4fd8-A511-2F2F0116C80E}.exe
    C:\Windows\{B90FF935-3AC1-4fd8-A511-2F2F0116C80E}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2960
  - - C:\Windows\{8689404A-2288-45a2-A5B0-2653ADF388BC}.exe
      C:\Windows\{8689404A-2288-45a2-A5B0-2653ADF388BC}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2560
    - - C:\Windows\{7793F106-E079-4735-8688-305E70B0493C}.exe
        
        C:\Windows\{7793F106-E079-4735-8688-305E70B0493C}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2580
      - C:\Windows\{7A4F8B56-E0D9-4f40-AF18-13AA36E9FD1E}.exe
        
        C:\Windows\{7A4F8B56-E0D9-4f40-AF18-13AA36E9FD1E}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2900
        
        C:\Windows\{6D532F4D-DA1B-4a03-A221-D7019753EF4D}.exe
        
        C:\Windows\{6D532F4D-DA1B-4a03-A221-D7019753EF4D}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1432
        
        C:\Windows\{A790D877-56E4-40b9-985C-8B88700E8750}.exe
        
        C:\Windows\{A790D877-56E4-40b9-985C-8B88700E8750}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1996
        
        C:\Windows\{00317CC6-A0F8-43bd-A088-155C9169A68D}.exe
        
        C:\Windows\{00317CC6-A0F8-43bd-A088-155C9169A68D}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:900
        
        C:\Windows\{5228223B-B717-40f5-9BF3-0A763FF29D13}.exe
        
        C:\Windows\{5228223B-B717-40f5-9BF3-0A763FF29D13}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2276
        
        C:\Windows\{3303EFC0-14AD-427f-91B3-2C34538DAF0B}.exe
        
        C:\Windows\{3303EFC0-14AD-427f-91B3-2C34538DAF0B}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2968
        
        C:\Windows\{B947FAEC-9ABF-40e3-B41B-566C8208002C}.exe
        
        C:\Windows\{B947FAEC-9ABF-40e3-B41B-566C8208002C}.exe
        12⤵
        Executes dropped EXE
        
        PID:1392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3303E~1.EXE > nul
        12⤵
        
        PID:1120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{52282~1.EXE > nul
        11⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{00317~1.EXE > nul
        10⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A790D~1.EXE > nul
        9⤵
        
        PID:1316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6D532~1.EXE > nul
        8⤵
        
        PID:1452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7A4F8~1.EXE > nul
        7⤵
        
        PID:1944
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7793F~1.EXE > nul
        6⤵
        
        PID:2888
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{86894~1.EXE > nul
        5⤵
        
        PID:1736
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{B90FF~1.EXE > nul
      4⤵
      PID:2908
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{6ED29~1.EXE > nul
    3⤵
    PID:2640
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{00317CC6-A0F8-43bd-A088-155C9169A68D}.exe

Filesize
344KB

MD5
d9a35d900bc51cde94e55987838cd2bc

SHA1
b0786f311e4588e15a9432833908e5089453fdbc

SHA256
5e04d7a6d1408395c8acabce56b34478bc84b70e8441643d21cd24a1cb31af29

SHA512
f33c94c28e4d7bc8e48cb09d3c6e4bd1804497ecd13ea4a2ac028481ca2f4899bb8f7bdb5a360e1e9cfd055d0ade34b5c5581d8093c1c57b986f4828747c3542

Download Submit
C:\Windows\{3303EFC0-14AD-427f-91B3-2C34538DAF0B}.exe

Filesize
344KB

MD5
11380db57339bd2e60770a9024554e4c

SHA1
4b88dfce93c4ab0239bd60c885896d212b2e0f03

SHA256
1d7f5e6e5feca8a232df5f2d3da6fc6af3912e38c4e33350954c41274b1a1453

SHA512
ce0df1e8893604e725e23c374cdad7698db74b4ad09bac1dda3450e87093d988291e23ddf4474614ddabe1a999d1ec37bf2643d3444933476f0ac643617943c7

Download Submit
C:\Windows\{5228223B-B717-40f5-9BF3-0A763FF29D13}.exe

Filesize
344KB

MD5
dceb3b6078d8258dbf32b33334604284

SHA1
1665a248affc68775bb6632a14ba65a34bc2c11e

SHA256
92f492a401c140cd059a2af055ce1489d1a02aca8935e323a6de27a8b4b376b2

SHA512
e06a07a08bd89e2b8180060ac5b0d22eb3e0c6fa90abd55b47abbe03ff7de2fbac87213744e18f2ce099c098df79ca49a3871a237fdedc8a5f3d7569438fea44

Download Submit
C:\Windows\{6D532F4D-DA1B-4a03-A221-D7019753EF4D}.exe

Filesize
344KB

MD5
d7717ba48528e0c5f96a4b250813bc95

SHA1
a899979ae697c98172ec8ab0f37c0be61f677ac3

SHA256
5e2cd76ff82c709bff08eb299e70a9f2b78d30a91561bb4a37b72c232989eade

SHA512
fa69b7cff5855fb6436c07a6695b86ba6e90426ed6b68cc6b1d1bb9ce889079d11653cbb87b30c28e303b8806673f0b8e1891f8b6a1cecc10a0e1e68159a4cd2

Download Submit
C:\Windows\{6ED296C6-E633-4085-92B3-3A38B03C6405}.exe

Filesize
344KB

MD5
4d67ff7dd5639ab8870feb3960ebcd64

SHA1
76578de513d684c39551ffcad0661ce5b04d1033

SHA256
08394db8430e99c9f454a447741a5ec2ee370ff67a6d1b9a1716909fc2f3d454

SHA512
acc6d4d1fdfc300c08faef0e1a1d4f555625872ce06b0800a546c97835fba7cdf349b80bf308afeb2a1c8d266b998291bb9e65875a8047c1f46779f84d42d947

Download Submit
C:\Windows\{7793F106-E079-4735-8688-305E70B0493C}.exe

Filesize
344KB

MD5
addb2959ee29d2b1590343a61e7af2a4

SHA1
05a469f243bc130ba43f839769c964efd6c73712

SHA256
0e3cd118d72a4d9b420574b010ec04f037b0016aa7ec6d3f2dfaaebaf0ef9fae

SHA512
3a6ab97809d678c855f08cb236470ae0dc51fe101af14bf9de4babf8a1dc1e4c652ae8798fa3027f9c61c2165f00f88f1ace982bf03f43dd3affa4cd037cf93f

Download Submit
C:\Windows\{7A4F8B56-E0D9-4f40-AF18-13AA36E9FD1E}.exe

Filesize
344KB

MD5
aff66ea6bffedee186f54e3145e19a8f

SHA1
d416fc67c0b0e2453b7fb68d7ae28e5b0a08ca15

SHA256
783ef62f67315c53ff1f54ed356e4a5c9772466e63eb94064e5d3bf124bf6964

SHA512
f19095adffd0584fc0e4067824dc29c97cc304ee4f87baa35332972f5180027bc94e7692299e746bfb962f8a3f3623571c4c1e0931c9ffc107bab600105685c5

Download Submit
C:\Windows\{8689404A-2288-45a2-A5B0-2653ADF388BC}.exe

Filesize
344KB

MD5
d41eac7e1b0fe0fe3b8f94d5a6adc28d

SHA1
ccf8f6cc93f19570346434e77353387aea5c2265

SHA256
bcda0b0005f4b68fe99b49d2986805e51f59e581348368afee369249c9819fcb

SHA512
76e4f07f28b065860a0982522f4c06f740d1778259d0c2ff21fef54e32414381aee6c63eb88c29bbab756057726755fc37d13411135cc8f28fbf65f6ce46a645

Download Submit
C:\Windows\{A790D877-56E4-40b9-985C-8B88700E8750}.exe

Filesize
344KB

MD5
91cce3f7db6073a7a95d5bc7fd6a2cb7

SHA1
62e2e97f309d6b97db54befaf848fb54c1278405

SHA256
91372a1f4dc79beb70fa7e689fc8dfdbe18bf663f9fd8e73d8182b87a17b7f68

SHA512
fc55fe223355ee2891e09dd994878708f14db031c7460853a2e7755e156a918e8166d2151882c69e4c298f991c018d3344e24cb56c23ffcb35b8ebb4623c9ab8

Download Submit
C:\Windows\{B90FF935-3AC1-4fd8-A511-2F2F0116C80E}.exe

Filesize
344KB

MD5
16d03199ce0941d938493044e84edd5a

SHA1
e1ce87ba6c61242a4463c643c2e101c7313fe0c0

SHA256
48c4cdc068d2e2dd4e23cb5803323a06a5715bb04d916c84b2478d2a22e9bce5

SHA512
da655930c65002d343d0f53715e0e912a33b0839e39e110fba9835d1bd79ba292b2aa1fcc9fd2ad4bb98a09a0dde6455e580cf1560ebc9ded9f90412fed8d6b7

Download Submit
C:\Windows\{B947FAEC-9ABF-40e3-B41B-566C8208002C}.exe

Filesize
344KB

MD5
ccd4105409a0a32bb70d6f4430cd9cd5

SHA1
0a738d5f3e73bc73eb589c5ca2427117ab4e5323

SHA256
5f86f2c480d6b16c57c287e135f1eacd896802f3b4233b535e50b6fbb9bda8b8

SHA512
7595ec1bda7b3c46cb8c6af29ff7d6d2eb4674bf1505693bfbce262cc58c9cb5da2220dfd701f630aab1849f38bc22cd2c3c3d18134adf2bf9413135d2c54029

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads