856cdbff2ace043cf7d63cbfc7f0479cbd183929fdae22260a6ec1ba78606497

Analysis

max time kernel
144s
max time network
119s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
26-05-2024 06:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-26_867dfb9870a9d4bf0aac9882cf35c045_goldeneye.exe
Size

344KB
MD5

867dfb9870a9d4bf0aac9882cf35c045
SHA1

981c43ab18e6a95e466e8b2d68fb28766dd41222
SHA256

856cdbff2ace043cf7d63cbfc7f0479cbd183929fdae22260a6ec1ba78606497
SHA512

2fdeabfc62669e453897d73f868b7bd72dc87b24364ec3b7a58f7ea375abe0fb4b65e2357b33a90116ed7720cfb3870a3062760a8bb3d720a213c4c5cafb6ead
SSDEEP

3072:mEGh0oulEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGYlqOe2MUVg3v2IneKcAEcA

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000a000000015cb1-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0031000000015d0a-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b000000015cb1-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0030000000015d21-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000015cb1-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000015cb1-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e000000015cb1-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4A61F52B-8B71-4984-BCD9-78E0ADD59247}\stubpath = "C:\\Windows\\{4A61F52B-8B71-4984-BCD9-78E0ADD59247}.exe"	{741880AB-CECB-4d3a-BBB6-1BF9417C46D7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{58696530-7DA8-4895-A162-621726EE28D7}	{06BC12AC-C139-41c9-8200-A9CD978E991E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{657EC1E3-A510-4498-B68D-72F6456932B1}	{58696530-7DA8-4895-A162-621726EE28D7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{657EC1E3-A510-4498-B68D-72F6456932B1}\stubpath = "C:\\Windows\\{657EC1E3-A510-4498-B68D-72F6456932B1}.exe"	{58696530-7DA8-4895-A162-621726EE28D7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6F6B4289-C64A-4a94-896D-88D82B7F9502}	{657EC1E3-A510-4498-B68D-72F6456932B1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DD94C441-ED71-4105-8E14-36AF983062B3}	{F83F5280-C766-49a8-ADF3-0BA26ED09685}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{741880AB-CECB-4d3a-BBB6-1BF9417C46D7}\stubpath = "C:\\Windows\\{741880AB-CECB-4d3a-BBB6-1BF9417C46D7}.exe"	2024-05-26_867dfb9870a9d4bf0aac9882cf35c045_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4A61F52B-8B71-4984-BCD9-78E0ADD59247}	{741880AB-CECB-4d3a-BBB6-1BF9417C46D7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{06BC12AC-C139-41c9-8200-A9CD978E991E}\stubpath = "C:\\Windows\\{06BC12AC-C139-41c9-8200-A9CD978E991E}.exe"	{4A61F52B-8B71-4984-BCD9-78E0ADD59247}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{58696530-7DA8-4895-A162-621726EE28D7}\stubpath = "C:\\Windows\\{58696530-7DA8-4895-A162-621726EE28D7}.exe"	{06BC12AC-C139-41c9-8200-A9CD978E991E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6F6B4289-C64A-4a94-896D-88D82B7F9502}\stubpath = "C:\\Windows\\{6F6B4289-C64A-4a94-896D-88D82B7F9502}.exe"	{657EC1E3-A510-4498-B68D-72F6456932B1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8F4175FD-965C-44d8-AB64-F153AD1252B0}\stubpath = "C:\\Windows\\{8F4175FD-965C-44d8-AB64-F153AD1252B0}.exe"	{6F6B4289-C64A-4a94-896D-88D82B7F9502}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9A09E1C4-59BE-4ecb-A3CA-C75EADBFBEE0}\stubpath = "C:\\Windows\\{9A09E1C4-59BE-4ecb-A3CA-C75EADBFBEE0}.exe"	{8F4175FD-965C-44d8-AB64-F153AD1252B0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2C220AC7-2744-4280-B399-5368E7DD204E}	{9A09E1C4-59BE-4ecb-A3CA-C75EADBFBEE0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DD94C441-ED71-4105-8E14-36AF983062B3}\stubpath = "C:\\Windows\\{DD94C441-ED71-4105-8E14-36AF983062B3}.exe"	{F83F5280-C766-49a8-ADF3-0BA26ED09685}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{741880AB-CECB-4d3a-BBB6-1BF9417C46D7}	2024-05-26_867dfb9870a9d4bf0aac9882cf35c045_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8F4175FD-965C-44d8-AB64-F153AD1252B0}	{6F6B4289-C64A-4a94-896D-88D82B7F9502}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{06BC12AC-C139-41c9-8200-A9CD978E991E}	{4A61F52B-8B71-4984-BCD9-78E0ADD59247}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9A09E1C4-59BE-4ecb-A3CA-C75EADBFBEE0}	{8F4175FD-965C-44d8-AB64-F153AD1252B0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2C220AC7-2744-4280-B399-5368E7DD204E}\stubpath = "C:\\Windows\\{2C220AC7-2744-4280-B399-5368E7DD204E}.exe"	{9A09E1C4-59BE-4ecb-A3CA-C75EADBFBEE0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F83F5280-C766-49a8-ADF3-0BA26ED09685}	{2C220AC7-2744-4280-B399-5368E7DD204E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F83F5280-C766-49a8-ADF3-0BA26ED09685}\stubpath = "C:\\Windows\\{F83F5280-C766-49a8-ADF3-0BA26ED09685}.exe"	{2C220AC7-2744-4280-B399-5368E7DD204E}.exe

Deletes itself 1 IoCs

pid	Process
2612	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2504	{741880AB-CECB-4d3a-BBB6-1BF9417C46D7}.exe
2648	{4A61F52B-8B71-4984-BCD9-78E0ADD59247}.exe
2564	{06BC12AC-C139-41c9-8200-A9CD978E991E}.exe
1864	{58696530-7DA8-4895-A162-621726EE28D7}.exe
2208	{657EC1E3-A510-4498-B68D-72F6456932B1}.exe
2300	{6F6B4289-C64A-4a94-896D-88D82B7F9502}.exe
876	{8F4175FD-965C-44d8-AB64-F153AD1252B0}.exe
1332	{9A09E1C4-59BE-4ecb-A3CA-C75EADBFBEE0}.exe
2108	{2C220AC7-2744-4280-B399-5368E7DD204E}.exe
592	{F83F5280-C766-49a8-ADF3-0BA26ED09685}.exe
1684	{DD94C441-ED71-4105-8E14-36AF983062B3}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{58696530-7DA8-4895-A162-621726EE28D7}.exe	{06BC12AC-C139-41c9-8200-A9CD978E991E}.exe
File created	C:\Windows\{8F4175FD-965C-44d8-AB64-F153AD1252B0}.exe	{6F6B4289-C64A-4a94-896D-88D82B7F9502}.exe
File created	C:\Windows\{2C220AC7-2744-4280-B399-5368E7DD204E}.exe	{9A09E1C4-59BE-4ecb-A3CA-C75EADBFBEE0}.exe
File created	C:\Windows\{F83F5280-C766-49a8-ADF3-0BA26ED09685}.exe	{2C220AC7-2744-4280-B399-5368E7DD204E}.exe
File created	C:\Windows\{741880AB-CECB-4d3a-BBB6-1BF9417C46D7}.exe	2024-05-26_867dfb9870a9d4bf0aac9882cf35c045_goldeneye.exe
File created	C:\Windows\{4A61F52B-8B71-4984-BCD9-78E0ADD59247}.exe	{741880AB-CECB-4d3a-BBB6-1BF9417C46D7}.exe
File created	C:\Windows\{06BC12AC-C139-41c9-8200-A9CD978E991E}.exe	{4A61F52B-8B71-4984-BCD9-78E0ADD59247}.exe
File created	C:\Windows\{657EC1E3-A510-4498-B68D-72F6456932B1}.exe	{58696530-7DA8-4895-A162-621726EE28D7}.exe
File created	C:\Windows\{6F6B4289-C64A-4a94-896D-88D82B7F9502}.exe	{657EC1E3-A510-4498-B68D-72F6456932B1}.exe
File created	C:\Windows\{9A09E1C4-59BE-4ecb-A3CA-C75EADBFBEE0}.exe	{8F4175FD-965C-44d8-AB64-F153AD1252B0}.exe
File created	C:\Windows\{DD94C441-ED71-4105-8E14-36AF983062B3}.exe	{F83F5280-C766-49a8-ADF3-0BA26ED09685}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1992	2024-05-26_867dfb9870a9d4bf0aac9882cf35c045_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2504	{741880AB-CECB-4d3a-BBB6-1BF9417C46D7}.exe
Token: SeIncBasePriorityPrivilege	2648	{4A61F52B-8B71-4984-BCD9-78E0ADD59247}.exe
Token: SeIncBasePriorityPrivilege	2564	{06BC12AC-C139-41c9-8200-A9CD978E991E}.exe
Token: SeIncBasePriorityPrivilege	1864	{58696530-7DA8-4895-A162-621726EE28D7}.exe
Token: SeIncBasePriorityPrivilege	2208	{657EC1E3-A510-4498-B68D-72F6456932B1}.exe
Token: SeIncBasePriorityPrivilege	2300	{6F6B4289-C64A-4a94-896D-88D82B7F9502}.exe
Token: SeIncBasePriorityPrivilege	876	{8F4175FD-965C-44d8-AB64-F153AD1252B0}.exe
Token: SeIncBasePriorityPrivilege	1332	{9A09E1C4-59BE-4ecb-A3CA-C75EADBFBEE0}.exe
Token: SeIncBasePriorityPrivilege	2108	{2C220AC7-2744-4280-B399-5368E7DD204E}.exe
Token: SeIncBasePriorityPrivilege	592	{F83F5280-C766-49a8-ADF3-0BA26ED09685}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1992 wrote to memory of 2504	1992	2024-05-26_867dfb9870a9d4bf0aac9882cf35c045_goldeneye.exe	28
PID 1992 wrote to memory of 2504	1992	2024-05-26_867dfb9870a9d4bf0aac9882cf35c045_goldeneye.exe	28
PID 1992 wrote to memory of 2504	1992	2024-05-26_867dfb9870a9d4bf0aac9882cf35c045_goldeneye.exe	28
PID 1992 wrote to memory of 2504	1992	2024-05-26_867dfb9870a9d4bf0aac9882cf35c045_goldeneye.exe	28
PID 1992 wrote to memory of 2612	1992	2024-05-26_867dfb9870a9d4bf0aac9882cf35c045_goldeneye.exe	29
PID 1992 wrote to memory of 2612	1992	2024-05-26_867dfb9870a9d4bf0aac9882cf35c045_goldeneye.exe	29
PID 1992 wrote to memory of 2612	1992	2024-05-26_867dfb9870a9d4bf0aac9882cf35c045_goldeneye.exe	29
PID 1992 wrote to memory of 2612	1992	2024-05-26_867dfb9870a9d4bf0aac9882cf35c045_goldeneye.exe	29
PID 2504 wrote to memory of 2648	2504	{741880AB-CECB-4d3a-BBB6-1BF9417C46D7}.exe	30
PID 2504 wrote to memory of 2648	2504	{741880AB-CECB-4d3a-BBB6-1BF9417C46D7}.exe	30
PID 2504 wrote to memory of 2648	2504	{741880AB-CECB-4d3a-BBB6-1BF9417C46D7}.exe	30
PID 2504 wrote to memory of 2648	2504	{741880AB-CECB-4d3a-BBB6-1BF9417C46D7}.exe	30
PID 2504 wrote to memory of 1960	2504	{741880AB-CECB-4d3a-BBB6-1BF9417C46D7}.exe	31
PID 2504 wrote to memory of 1960	2504	{741880AB-CECB-4d3a-BBB6-1BF9417C46D7}.exe	31
PID 2504 wrote to memory of 1960	2504	{741880AB-CECB-4d3a-BBB6-1BF9417C46D7}.exe	31
PID 2504 wrote to memory of 1960	2504	{741880AB-CECB-4d3a-BBB6-1BF9417C46D7}.exe	31
PID 2648 wrote to memory of 2564	2648	{4A61F52B-8B71-4984-BCD9-78E0ADD59247}.exe	32
PID 2648 wrote to memory of 2564	2648	{4A61F52B-8B71-4984-BCD9-78E0ADD59247}.exe	32
PID 2648 wrote to memory of 2564	2648	{4A61F52B-8B71-4984-BCD9-78E0ADD59247}.exe	32
PID 2648 wrote to memory of 2564	2648	{4A61F52B-8B71-4984-BCD9-78E0ADD59247}.exe	32
PID 2648 wrote to memory of 2460	2648	{4A61F52B-8B71-4984-BCD9-78E0ADD59247}.exe	33
PID 2648 wrote to memory of 2460	2648	{4A61F52B-8B71-4984-BCD9-78E0ADD59247}.exe	33
PID 2648 wrote to memory of 2460	2648	{4A61F52B-8B71-4984-BCD9-78E0ADD59247}.exe	33
PID 2648 wrote to memory of 2460	2648	{4A61F52B-8B71-4984-BCD9-78E0ADD59247}.exe	33
PID 2564 wrote to memory of 1864	2564	{06BC12AC-C139-41c9-8200-A9CD978E991E}.exe	36
PID 2564 wrote to memory of 1864	2564	{06BC12AC-C139-41c9-8200-A9CD978E991E}.exe	36
PID 2564 wrote to memory of 1864	2564	{06BC12AC-C139-41c9-8200-A9CD978E991E}.exe	36
PID 2564 wrote to memory of 1864	2564	{06BC12AC-C139-41c9-8200-A9CD978E991E}.exe	36
PID 2564 wrote to memory of 1860	2564	{06BC12AC-C139-41c9-8200-A9CD978E991E}.exe	37
PID 2564 wrote to memory of 1860	2564	{06BC12AC-C139-41c9-8200-A9CD978E991E}.exe	37
PID 2564 wrote to memory of 1860	2564	{06BC12AC-C139-41c9-8200-A9CD978E991E}.exe	37
PID 2564 wrote to memory of 1860	2564	{06BC12AC-C139-41c9-8200-A9CD978E991E}.exe	37
PID 1864 wrote to memory of 2208	1864	{58696530-7DA8-4895-A162-621726EE28D7}.exe	38
PID 1864 wrote to memory of 2208	1864	{58696530-7DA8-4895-A162-621726EE28D7}.exe	38
PID 1864 wrote to memory of 2208	1864	{58696530-7DA8-4895-A162-621726EE28D7}.exe	38
PID 1864 wrote to memory of 2208	1864	{58696530-7DA8-4895-A162-621726EE28D7}.exe	38
PID 1864 wrote to memory of 1216	1864	{58696530-7DA8-4895-A162-621726EE28D7}.exe	39
PID 1864 wrote to memory of 1216	1864	{58696530-7DA8-4895-A162-621726EE28D7}.exe	39
PID 1864 wrote to memory of 1216	1864	{58696530-7DA8-4895-A162-621726EE28D7}.exe	39
PID 1864 wrote to memory of 1216	1864	{58696530-7DA8-4895-A162-621726EE28D7}.exe	39
PID 2208 wrote to memory of 2300	2208	{657EC1E3-A510-4498-B68D-72F6456932B1}.exe	40
PID 2208 wrote to memory of 2300	2208	{657EC1E3-A510-4498-B68D-72F6456932B1}.exe	40
PID 2208 wrote to memory of 2300	2208	{657EC1E3-A510-4498-B68D-72F6456932B1}.exe	40
PID 2208 wrote to memory of 2300	2208	{657EC1E3-A510-4498-B68D-72F6456932B1}.exe	40
PID 2208 wrote to memory of 2316	2208	{657EC1E3-A510-4498-B68D-72F6456932B1}.exe	41
PID 2208 wrote to memory of 2316	2208	{657EC1E3-A510-4498-B68D-72F6456932B1}.exe	41
PID 2208 wrote to memory of 2316	2208	{657EC1E3-A510-4498-B68D-72F6456932B1}.exe	41
PID 2208 wrote to memory of 2316	2208	{657EC1E3-A510-4498-B68D-72F6456932B1}.exe	41
PID 2300 wrote to memory of 876	2300	{6F6B4289-C64A-4a94-896D-88D82B7F9502}.exe	42
PID 2300 wrote to memory of 876	2300	{6F6B4289-C64A-4a94-896D-88D82B7F9502}.exe	42
PID 2300 wrote to memory of 876	2300	{6F6B4289-C64A-4a94-896D-88D82B7F9502}.exe	42
PID 2300 wrote to memory of 876	2300	{6F6B4289-C64A-4a94-896D-88D82B7F9502}.exe	42
PID 2300 wrote to memory of 860	2300	{6F6B4289-C64A-4a94-896D-88D82B7F9502}.exe	43
PID 2300 wrote to memory of 860	2300	{6F6B4289-C64A-4a94-896D-88D82B7F9502}.exe	43
PID 2300 wrote to memory of 860	2300	{6F6B4289-C64A-4a94-896D-88D82B7F9502}.exe	43
PID 2300 wrote to memory of 860	2300	{6F6B4289-C64A-4a94-896D-88D82B7F9502}.exe	43
PID 876 wrote to memory of 1332	876	{8F4175FD-965C-44d8-AB64-F153AD1252B0}.exe	44
PID 876 wrote to memory of 1332	876	{8F4175FD-965C-44d8-AB64-F153AD1252B0}.exe	44
PID 876 wrote to memory of 1332	876	{8F4175FD-965C-44d8-AB64-F153AD1252B0}.exe	44
PID 876 wrote to memory of 1332	876	{8F4175FD-965C-44d8-AB64-F153AD1252B0}.exe	44
PID 876 wrote to memory of 1700	876	{8F4175FD-965C-44d8-AB64-F153AD1252B0}.exe	45
PID 876 wrote to memory of 1700	876	{8F4175FD-965C-44d8-AB64-F153AD1252B0}.exe	45
PID 876 wrote to memory of 1700	876	{8F4175FD-965C-44d8-AB64-F153AD1252B0}.exe	45
PID 876 wrote to memory of 1700	876	{8F4175FD-965C-44d8-AB64-F153AD1252B0}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-05-26_867dfb9870a9d4bf0aac9882cf35c045_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-26_867dfb9870a9d4bf0aac9882cf35c045_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1992
- C:\Windows\{741880AB-CECB-4d3a-BBB6-1BF9417C46D7}.exe
  C:\Windows\{741880AB-CECB-4d3a-BBB6-1BF9417C46D7}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2504
- - C:\Windows\{4A61F52B-8B71-4984-BCD9-78E0ADD59247}.exe
    C:\Windows\{4A61F52B-8B71-4984-BCD9-78E0ADD59247}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2648
  - - C:\Windows\{06BC12AC-C139-41c9-8200-A9CD978E991E}.exe
      C:\Windows\{06BC12AC-C139-41c9-8200-A9CD978E991E}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2564
    - - C:\Windows\{58696530-7DA8-4895-A162-621726EE28D7}.exe
        
        C:\Windows\{58696530-7DA8-4895-A162-621726EE28D7}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1864
      - C:\Windows\{657EC1E3-A510-4498-B68D-72F6456932B1}.exe
        
        C:\Windows\{657EC1E3-A510-4498-B68D-72F6456932B1}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2208
        
        C:\Windows\{6F6B4289-C64A-4a94-896D-88D82B7F9502}.exe
        
        C:\Windows\{6F6B4289-C64A-4a94-896D-88D82B7F9502}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2300
        
        C:\Windows\{8F4175FD-965C-44d8-AB64-F153AD1252B0}.exe
        
        C:\Windows\{8F4175FD-965C-44d8-AB64-F153AD1252B0}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:876
        
        C:\Windows\{9A09E1C4-59BE-4ecb-A3CA-C75EADBFBEE0}.exe
        
        C:\Windows\{9A09E1C4-59BE-4ecb-A3CA-C75EADBFBEE0}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1332
        
        C:\Windows\{2C220AC7-2744-4280-B399-5368E7DD204E}.exe
        
        C:\Windows\{2C220AC7-2744-4280-B399-5368E7DD204E}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2108
        
        C:\Windows\{F83F5280-C766-49a8-ADF3-0BA26ED09685}.exe
        
        C:\Windows\{F83F5280-C766-49a8-ADF3-0BA26ED09685}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:592
        
        C:\Windows\{DD94C441-ED71-4105-8E14-36AF983062B3}.exe
        
        C:\Windows\{DD94C441-ED71-4105-8E14-36AF983062B3}.exe
        12⤵
        Executes dropped EXE
        
        PID:1684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F83F5~1.EXE > nul
        12⤵
        
        PID:1744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2C220~1.EXE > nul
        11⤵
        
        PID:108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9A09E~1.EXE > nul
        10⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8F417~1.EXE > nul
        9⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6F6B4~1.EXE > nul
        8⤵
        
        PID:860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{657EC~1.EXE > nul
        7⤵
        
        PID:2316
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{58696~1.EXE > nul
        6⤵
        
        PID:1216
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{06BC1~1.EXE > nul
        5⤵
        
        PID:1860
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{4A61F~1.EXE > nul
      4⤵
      PID:2460
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{74188~1.EXE > nul
    3⤵
    PID:1960
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{06BC12AC-C139-41c9-8200-A9CD978E991E}.exe

Filesize
344KB

MD5
5bb8212ff146b348acd6749e3e8fcad2

SHA1
5a920a332f20299c8124d6d109b6f59531b0f003

SHA256
c7dbe189ec2c9ceecc47a45244a656421b95a659f2b5a2da28f0a860824d84cc

SHA512
c30ec15ff7a194b886b3ad31898463927b3099cdb1ce865869230732d534c66884ba00cb381219b825c82c423e8dc11f9b186ff9cf63b23a331609da8ea9454c

Download Submit
C:\Windows\{2C220AC7-2744-4280-B399-5368E7DD204E}.exe

Filesize
344KB

MD5
f8a186515948f0c1def98af14e1b9558

SHA1
afd31a7f4f2311efa20a6393c14edc28c896d0db

SHA256
c659b77595250a5d0801df6f65d31abd29d817235df919632d9941ceb99079fc

SHA512
5919f76f12e853de4c96620d956efb60fdc809e04e0f6c9915ba3e8db8fd097b8f56c087038c3dcbe7f55c6454adfd61b8567461a0328252fc179827796a8fcf

Download Submit
C:\Windows\{4A61F52B-8B71-4984-BCD9-78E0ADD59247}.exe

Filesize
344KB

MD5
57fb83ab4982a12b7f1e94753559d899

SHA1
591bed344a19707781fde5dcbb7c620c3445e392

SHA256
0474584b82faf852dfecc08e13a2fea339afd553cdf8553c333aba80e407a951

SHA512
8913e0ae54ee43bec604e50b5687dddc78fac513ae60fe9f0060b33fba53adfda326839bff802c3e698fdd590c784744c50e15bdcb21be53ddfb9f4260c8c168

Download Submit
C:\Windows\{58696530-7DA8-4895-A162-621726EE28D7}.exe

Filesize
344KB

MD5
fd3b18381827f691fa8ba9f76868098a

SHA1
0f4ec7e2183ca149e056fca2685ea824ceb0124d

SHA256
52d567f9e321ce55db60e40161a92205e9326b9b94597256e2e2031ca0ed2aa1

SHA512
001108aae4a5faa0c429eddf652913453625a0c96f6282f0779a4b383b9bacc649d19dbafec519a1f2f3a8153bdcafcd5705feb2bc33e79dd8866b06419b01e7

Download Submit
C:\Windows\{657EC1E3-A510-4498-B68D-72F6456932B1}.exe

Filesize
344KB

MD5
ed2ef9e2988db38f1d0a9b696e28e24c

SHA1
706b81caf26ee3bfbbf66e3f50496205469ecff2

SHA256
130a5c9385a98ac7f608c5758c6c615dccb52d4bcecf5374c2cda32b9fa5f813

SHA512
897725764ef29938206203af38746c2ec437d11d2ccc02d9497325cf040ff3459a417b43bad3e42fe99520647d8757df4a7932611a434750a5a75b12ebb5ef2d

Download Submit
C:\Windows\{6F6B4289-C64A-4a94-896D-88D82B7F9502}.exe

Filesize
344KB

MD5
c7e94626395b27375eca8e532e1cdc97

SHA1
62e626391a47bd7bab747063a5c081abf4d1b5d3

SHA256
4a0f42d93f6e169635a09d7e050f25d34f8adcbab4bff08d09b59025c4233136

SHA512
073c259babc22a6e2629eb7a35f99cc674db031e678efc0ad8b70e7c8ad2bb5411bd853f57a123f9b529fad5848bdeebca92c3afc9914cbf697a188be3d1779f

Download Submit
C:\Windows\{741880AB-CECB-4d3a-BBB6-1BF9417C46D7}.exe

Filesize
344KB

MD5
6e215b0328e71defd89a41053f58d402

SHA1
9ff05e59df12304a9b46bc8cba915967c36d214a

SHA256
afa8d5eaab9319c6c839fe0183cb282d0267455594952bfaff97a076e3404f95

SHA512
8c86fac2bf153d102f28d0f4f4ed3c66255715f9a74c97cf46187f26483ec0c87a5a269b2bd7bee5736a5a03df380a0936596eea102489993077836ba2c118a8

Download Submit
C:\Windows\{8F4175FD-965C-44d8-AB64-F153AD1252B0}.exe

Filesize
344KB

MD5
323a13191296f93558e27f10323c50ab

SHA1
43c3ec4f2c7060ebd2b48d5038f84772aad52b2d

SHA256
7f0d1310ac848be526342d1237818ca9f1be10cf4149fdc9fd85a0e443e3f43f

SHA512
2c6ed876953316f3aaa8a00c67839c563fe7d713e2f456667e48075099ba6e8554e267b47238d2e46c04712e9bfd793527bc10b4f7837800b8dd597f4dc09a6a

Download Submit
C:\Windows\{9A09E1C4-59BE-4ecb-A3CA-C75EADBFBEE0}.exe

Filesize
344KB

MD5
ae3f1ff43580c3c13a3128d309057d78

SHA1
dd9728835bf572b5345863fdd4b7e22c1d299e08

SHA256
5b802170b46a865aea412d8ea4dd017db56813f8350ed2b44371f268d1f9d17d

SHA512
c06635e88998b06ba773ecda248647bca0f09c172cfbac85ac9e9f9ff09775e674a197d8f6143a402cc72c4e29aca6a926a686d03f52296ccfdcabc0ea89d06a

Download Submit
C:\Windows\{DD94C441-ED71-4105-8E14-36AF983062B3}.exe

Filesize
344KB

MD5
5604b08cbca02e21abe682e59f145608

SHA1
2154bf7dbe1d6fc29bcf39ddcc801fa0a30a11dc

SHA256
eaee01d7c3d9a8baa090999f19c466d48fc4e66b3301d343480aab182a8088d5

SHA512
ed9bccf2ff1be5f0865f49f6b1bb87c4dfb418eef9e2ae9a4e32da88716905cf17b29fa0b06c53b159ba4f68e55eff4f5904f1b1bc2acfba6a6d18c3e1f01a71

Download Submit
C:\Windows\{F83F5280-C766-49a8-ADF3-0BA26ED09685}.exe

Filesize
344KB

MD5
c7e4a3672d76ece29596a30892911ba3

SHA1
dcf1d7b008fe62c42ad9aeaa8b516e0492bdd18b

SHA256
25ee51e3567324ad1d6ef3e88a318dbdb0a0f839aef2080c2911d6a302151df7

SHA512
7e29d654d9e50e503790f98eae3e4b9bb78bec3b88c2844cb2c2d0d09ab26c54a553f53bbf5fb395f56681e9b99f494fe13908ede150361a284bfcad5ad79b1f

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads