77f041c3f8a1b32640cd2631b1416b2876d3a7ef1cbb086d438d663b1fb6fd1b

Analysis

max time kernel
144s
max time network
118s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
05/06/2024, 06:04

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-06-05_81fb0fdeb18661ffddda8ae8885c00c5_goldeneye.exe
Size

372KB
MD5

81fb0fdeb18661ffddda8ae8885c00c5
SHA1

5b0981f410a31e00fd074fd1f6e16203a1cab003
SHA256

77f041c3f8a1b32640cd2631b1416b2876d3a7ef1cbb086d438d663b1fb6fd1b
SHA512

aa4712698a88ceca270eb4494b613ae34de99cf42cc79638c92785dd8de08784209322e47054537ff88553259689b4fc8b418a7fe583102d4efac02e4bb1ce50
SSDEEP

3072:CEGh0o+lMOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBfM:CEG8lkOe2MUVg3vTeKcAEciTBqr3

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000b000000015c87-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0037000000015ce3-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000015c87-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0037000000015cff-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000015c87-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e000000015c87-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f000000015c87-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{30498E44-1B37-4967-8F2C-71B4F8ED52B8}	{20EF2A50-2309-4f64-8CE9-2B3FAD83384E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A7300223-9841-43b5-AF5F-C840E0793326}	{30498E44-1B37-4967-8F2C-71B4F8ED52B8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A7300223-9841-43b5-AF5F-C840E0793326}\stubpath = "C:\\Windows\\{A7300223-9841-43b5-AF5F-C840E0793326}.exe"	{30498E44-1B37-4967-8F2C-71B4F8ED52B8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{36AEA633-777D-4d22-B640-F8B0D6C0A3AD}	2024-06-05_81fb0fdeb18661ffddda8ae8885c00c5_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{98D754A4-868A-419a-9120-1B0480E0650D}\stubpath = "C:\\Windows\\{98D754A4-868A-419a-9120-1B0480E0650D}.exe"	{60CB3CF3-8650-44bf-A556-107CAD2A5F5A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9B4A39EB-8821-4037-AFA7-6C4B45929F42}\stubpath = "C:\\Windows\\{9B4A39EB-8821-4037-AFA7-6C4B45929F42}.exe"	{98D754A4-868A-419a-9120-1B0480E0650D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9B4A39EB-8821-4037-AFA7-6C4B45929F42}	{98D754A4-868A-419a-9120-1B0480E0650D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{31BF782C-77E4-46f3-96CD-32773881AB51}\stubpath = "C:\\Windows\\{31BF782C-77E4-46f3-96CD-32773881AB51}.exe"	{9B4A39EB-8821-4037-AFA7-6C4B45929F42}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B01BEA34-0652-418e-B4FC-0168422BE4BA}	{31BF782C-77E4-46f3-96CD-32773881AB51}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4F5FA744-50F5-4a81-B28B-87C136F6425E}	{B01BEA34-0652-418e-B4FC-0168422BE4BA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{36AEA633-777D-4d22-B640-F8B0D6C0A3AD}\stubpath = "C:\\Windows\\{36AEA633-777D-4d22-B640-F8B0D6C0A3AD}.exe"	2024-06-05_81fb0fdeb18661ffddda8ae8885c00c5_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{47D4B448-F985-4e97-817C-23FEB02530BA}\stubpath = "C:\\Windows\\{47D4B448-F985-4e97-817C-23FEB02530BA}.exe"	{36AEA633-777D-4d22-B640-F8B0D6C0A3AD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{60CB3CF3-8650-44bf-A556-107CAD2A5F5A}	{47D4B448-F985-4e97-817C-23FEB02530BA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{30498E44-1B37-4967-8F2C-71B4F8ED52B8}\stubpath = "C:\\Windows\\{30498E44-1B37-4967-8F2C-71B4F8ED52B8}.exe"	{20EF2A50-2309-4f64-8CE9-2B3FAD83384E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{31BF782C-77E4-46f3-96CD-32773881AB51}	{9B4A39EB-8821-4037-AFA7-6C4B45929F42}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B01BEA34-0652-418e-B4FC-0168422BE4BA}\stubpath = "C:\\Windows\\{B01BEA34-0652-418e-B4FC-0168422BE4BA}.exe"	{31BF782C-77E4-46f3-96CD-32773881AB51}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{20EF2A50-2309-4f64-8CE9-2B3FAD83384E}	{4F5FA744-50F5-4a81-B28B-87C136F6425E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4F5FA744-50F5-4a81-B28B-87C136F6425E}\stubpath = "C:\\Windows\\{4F5FA744-50F5-4a81-B28B-87C136F6425E}.exe"	{B01BEA34-0652-418e-B4FC-0168422BE4BA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{20EF2A50-2309-4f64-8CE9-2B3FAD83384E}\stubpath = "C:\\Windows\\{20EF2A50-2309-4f64-8CE9-2B3FAD83384E}.exe"	{4F5FA744-50F5-4a81-B28B-87C136F6425E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{47D4B448-F985-4e97-817C-23FEB02530BA}	{36AEA633-777D-4d22-B640-F8B0D6C0A3AD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{60CB3CF3-8650-44bf-A556-107CAD2A5F5A}\stubpath = "C:\\Windows\\{60CB3CF3-8650-44bf-A556-107CAD2A5F5A}.exe"	{47D4B448-F985-4e97-817C-23FEB02530BA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{98D754A4-868A-419a-9120-1B0480E0650D}	{60CB3CF3-8650-44bf-A556-107CAD2A5F5A}.exe

Deletes itself 1 IoCs

pid	Process
2492	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2652	{36AEA633-777D-4d22-B640-F8B0D6C0A3AD}.exe
2640	{47D4B448-F985-4e97-817C-23FEB02530BA}.exe
2684	{60CB3CF3-8650-44bf-A556-107CAD2A5F5A}.exe
2304	{98D754A4-868A-419a-9120-1B0480E0650D}.exe
2708	{9B4A39EB-8821-4037-AFA7-6C4B45929F42}.exe
1456	{31BF782C-77E4-46f3-96CD-32773881AB51}.exe
544	{B01BEA34-0652-418e-B4FC-0168422BE4BA}.exe
2020	{4F5FA744-50F5-4a81-B28B-87C136F6425E}.exe
2480	{20EF2A50-2309-4f64-8CE9-2B3FAD83384E}.exe
1948	{30498E44-1B37-4967-8F2C-71B4F8ED52B8}.exe
576	{A7300223-9841-43b5-AF5F-C840E0793326}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{36AEA633-777D-4d22-B640-F8B0D6C0A3AD}.exe	2024-06-05_81fb0fdeb18661ffddda8ae8885c00c5_goldeneye.exe
File created	C:\Windows\{60CB3CF3-8650-44bf-A556-107CAD2A5F5A}.exe	{47D4B448-F985-4e97-817C-23FEB02530BA}.exe
File created	C:\Windows\{98D754A4-868A-419a-9120-1B0480E0650D}.exe	{60CB3CF3-8650-44bf-A556-107CAD2A5F5A}.exe
File created	C:\Windows\{9B4A39EB-8821-4037-AFA7-6C4B45929F42}.exe	{98D754A4-868A-419a-9120-1B0480E0650D}.exe
File created	C:\Windows\{B01BEA34-0652-418e-B4FC-0168422BE4BA}.exe	{31BF782C-77E4-46f3-96CD-32773881AB51}.exe
File created	C:\Windows\{20EF2A50-2309-4f64-8CE9-2B3FAD83384E}.exe	{4F5FA744-50F5-4a81-B28B-87C136F6425E}.exe
File created	C:\Windows\{A7300223-9841-43b5-AF5F-C840E0793326}.exe	{30498E44-1B37-4967-8F2C-71B4F8ED52B8}.exe
File created	C:\Windows\{47D4B448-F985-4e97-817C-23FEB02530BA}.exe	{36AEA633-777D-4d22-B640-F8B0D6C0A3AD}.exe
File created	C:\Windows\{31BF782C-77E4-46f3-96CD-32773881AB51}.exe	{9B4A39EB-8821-4037-AFA7-6C4B45929F42}.exe
File created	C:\Windows\{4F5FA744-50F5-4a81-B28B-87C136F6425E}.exe	{B01BEA34-0652-418e-B4FC-0168422BE4BA}.exe
File created	C:\Windows\{30498E44-1B37-4967-8F2C-71B4F8ED52B8}.exe	{20EF2A50-2309-4f64-8CE9-2B3FAD83384E}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1968	2024-06-05_81fb0fdeb18661ffddda8ae8885c00c5_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2652	{36AEA633-777D-4d22-B640-F8B0D6C0A3AD}.exe
Token: SeIncBasePriorityPrivilege	2640	{47D4B448-F985-4e97-817C-23FEB02530BA}.exe
Token: SeIncBasePriorityPrivilege	2684	{60CB3CF3-8650-44bf-A556-107CAD2A5F5A}.exe
Token: SeIncBasePriorityPrivilege	2304	{98D754A4-868A-419a-9120-1B0480E0650D}.exe
Token: SeIncBasePriorityPrivilege	2708	{9B4A39EB-8821-4037-AFA7-6C4B45929F42}.exe
Token: SeIncBasePriorityPrivilege	1456	{31BF782C-77E4-46f3-96CD-32773881AB51}.exe
Token: SeIncBasePriorityPrivilege	544	{B01BEA34-0652-418e-B4FC-0168422BE4BA}.exe
Token: SeIncBasePriorityPrivilege	2020	{4F5FA744-50F5-4a81-B28B-87C136F6425E}.exe
Token: SeIncBasePriorityPrivilege	2480	{20EF2A50-2309-4f64-8CE9-2B3FAD83384E}.exe
Token: SeIncBasePriorityPrivilege	1948	{30498E44-1B37-4967-8F2C-71B4F8ED52B8}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1968 wrote to memory of 2652	1968	2024-06-05_81fb0fdeb18661ffddda8ae8885c00c5_goldeneye.exe	28
PID 1968 wrote to memory of 2652	1968	2024-06-05_81fb0fdeb18661ffddda8ae8885c00c5_goldeneye.exe	28
PID 1968 wrote to memory of 2652	1968	2024-06-05_81fb0fdeb18661ffddda8ae8885c00c5_goldeneye.exe	28
PID 1968 wrote to memory of 2652	1968	2024-06-05_81fb0fdeb18661ffddda8ae8885c00c5_goldeneye.exe	28
PID 1968 wrote to memory of 2492	1968	2024-06-05_81fb0fdeb18661ffddda8ae8885c00c5_goldeneye.exe	29
PID 1968 wrote to memory of 2492	1968	2024-06-05_81fb0fdeb18661ffddda8ae8885c00c5_goldeneye.exe	29
PID 1968 wrote to memory of 2492	1968	2024-06-05_81fb0fdeb18661ffddda8ae8885c00c5_goldeneye.exe	29
PID 1968 wrote to memory of 2492	1968	2024-06-05_81fb0fdeb18661ffddda8ae8885c00c5_goldeneye.exe	29
PID 2652 wrote to memory of 2640	2652	{36AEA633-777D-4d22-B640-F8B0D6C0A3AD}.exe	30
PID 2652 wrote to memory of 2640	2652	{36AEA633-777D-4d22-B640-F8B0D6C0A3AD}.exe	30
PID 2652 wrote to memory of 2640	2652	{36AEA633-777D-4d22-B640-F8B0D6C0A3AD}.exe	30
PID 2652 wrote to memory of 2640	2652	{36AEA633-777D-4d22-B640-F8B0D6C0A3AD}.exe	30
PID 2652 wrote to memory of 2620	2652	{36AEA633-777D-4d22-B640-F8B0D6C0A3AD}.exe	31
PID 2652 wrote to memory of 2620	2652	{36AEA633-777D-4d22-B640-F8B0D6C0A3AD}.exe	31
PID 2652 wrote to memory of 2620	2652	{36AEA633-777D-4d22-B640-F8B0D6C0A3AD}.exe	31
PID 2652 wrote to memory of 2620	2652	{36AEA633-777D-4d22-B640-F8B0D6C0A3AD}.exe	31
PID 2640 wrote to memory of 2684	2640	{47D4B448-F985-4e97-817C-23FEB02530BA}.exe	32
PID 2640 wrote to memory of 2684	2640	{47D4B448-F985-4e97-817C-23FEB02530BA}.exe	32
PID 2640 wrote to memory of 2684	2640	{47D4B448-F985-4e97-817C-23FEB02530BA}.exe	32
PID 2640 wrote to memory of 2684	2640	{47D4B448-F985-4e97-817C-23FEB02530BA}.exe	32
PID 2640 wrote to memory of 2608	2640	{47D4B448-F985-4e97-817C-23FEB02530BA}.exe	33
PID 2640 wrote to memory of 2608	2640	{47D4B448-F985-4e97-817C-23FEB02530BA}.exe	33
PID 2640 wrote to memory of 2608	2640	{47D4B448-F985-4e97-817C-23FEB02530BA}.exe	33
PID 2640 wrote to memory of 2608	2640	{47D4B448-F985-4e97-817C-23FEB02530BA}.exe	33
PID 2684 wrote to memory of 2304	2684	{60CB3CF3-8650-44bf-A556-107CAD2A5F5A}.exe	36
PID 2684 wrote to memory of 2304	2684	{60CB3CF3-8650-44bf-A556-107CAD2A5F5A}.exe	36
PID 2684 wrote to memory of 2304	2684	{60CB3CF3-8650-44bf-A556-107CAD2A5F5A}.exe	36
PID 2684 wrote to memory of 2304	2684	{60CB3CF3-8650-44bf-A556-107CAD2A5F5A}.exe	36
PID 2684 wrote to memory of 880	2684	{60CB3CF3-8650-44bf-A556-107CAD2A5F5A}.exe	37
PID 2684 wrote to memory of 880	2684	{60CB3CF3-8650-44bf-A556-107CAD2A5F5A}.exe	37
PID 2684 wrote to memory of 880	2684	{60CB3CF3-8650-44bf-A556-107CAD2A5F5A}.exe	37
PID 2684 wrote to memory of 880	2684	{60CB3CF3-8650-44bf-A556-107CAD2A5F5A}.exe	37
PID 2304 wrote to memory of 2708	2304	{98D754A4-868A-419a-9120-1B0480E0650D}.exe	38
PID 2304 wrote to memory of 2708	2304	{98D754A4-868A-419a-9120-1B0480E0650D}.exe	38
PID 2304 wrote to memory of 2708	2304	{98D754A4-868A-419a-9120-1B0480E0650D}.exe	38
PID 2304 wrote to memory of 2708	2304	{98D754A4-868A-419a-9120-1B0480E0650D}.exe	38
PID 2304 wrote to memory of 2712	2304	{98D754A4-868A-419a-9120-1B0480E0650D}.exe	39
PID 2304 wrote to memory of 2712	2304	{98D754A4-868A-419a-9120-1B0480E0650D}.exe	39
PID 2304 wrote to memory of 2712	2304	{98D754A4-868A-419a-9120-1B0480E0650D}.exe	39
PID 2304 wrote to memory of 2712	2304	{98D754A4-868A-419a-9120-1B0480E0650D}.exe	39
PID 2708 wrote to memory of 1456	2708	{9B4A39EB-8821-4037-AFA7-6C4B45929F42}.exe	40
PID 2708 wrote to memory of 1456	2708	{9B4A39EB-8821-4037-AFA7-6C4B45929F42}.exe	40
PID 2708 wrote to memory of 1456	2708	{9B4A39EB-8821-4037-AFA7-6C4B45929F42}.exe	40
PID 2708 wrote to memory of 1456	2708	{9B4A39EB-8821-4037-AFA7-6C4B45929F42}.exe	40
PID 2708 wrote to memory of 2164	2708	{9B4A39EB-8821-4037-AFA7-6C4B45929F42}.exe	41
PID 2708 wrote to memory of 2164	2708	{9B4A39EB-8821-4037-AFA7-6C4B45929F42}.exe	41
PID 2708 wrote to memory of 2164	2708	{9B4A39EB-8821-4037-AFA7-6C4B45929F42}.exe	41
PID 2708 wrote to memory of 2164	2708	{9B4A39EB-8821-4037-AFA7-6C4B45929F42}.exe	41
PID 1456 wrote to memory of 544	1456	{31BF782C-77E4-46f3-96CD-32773881AB51}.exe	42
PID 1456 wrote to memory of 544	1456	{31BF782C-77E4-46f3-96CD-32773881AB51}.exe	42
PID 1456 wrote to memory of 544	1456	{31BF782C-77E4-46f3-96CD-32773881AB51}.exe	42
PID 1456 wrote to memory of 544	1456	{31BF782C-77E4-46f3-96CD-32773881AB51}.exe	42
PID 1456 wrote to memory of 2136	1456	{31BF782C-77E4-46f3-96CD-32773881AB51}.exe	43
PID 1456 wrote to memory of 2136	1456	{31BF782C-77E4-46f3-96CD-32773881AB51}.exe	43
PID 1456 wrote to memory of 2136	1456	{31BF782C-77E4-46f3-96CD-32773881AB51}.exe	43
PID 1456 wrote to memory of 2136	1456	{31BF782C-77E4-46f3-96CD-32773881AB51}.exe	43
PID 544 wrote to memory of 2020	544	{B01BEA34-0652-418e-B4FC-0168422BE4BA}.exe	44
PID 544 wrote to memory of 2020	544	{B01BEA34-0652-418e-B4FC-0168422BE4BA}.exe	44
PID 544 wrote to memory of 2020	544	{B01BEA34-0652-418e-B4FC-0168422BE4BA}.exe	44
PID 544 wrote to memory of 2020	544	{B01BEA34-0652-418e-B4FC-0168422BE4BA}.exe	44
PID 544 wrote to memory of 2036	544	{B01BEA34-0652-418e-B4FC-0168422BE4BA}.exe	45
PID 544 wrote to memory of 2036	544	{B01BEA34-0652-418e-B4FC-0168422BE4BA}.exe	45
PID 544 wrote to memory of 2036	544	{B01BEA34-0652-418e-B4FC-0168422BE4BA}.exe	45
PID 544 wrote to memory of 2036	544	{B01BEA34-0652-418e-B4FC-0168422BE4BA}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-06-05_81fb0fdeb18661ffddda8ae8885c00c5_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-05_81fb0fdeb18661ffddda8ae8885c00c5_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1968
- C:\Windows\{36AEA633-777D-4d22-B640-F8B0D6C0A3AD}.exe
  C:\Windows\{36AEA633-777D-4d22-B640-F8B0D6C0A3AD}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2652
- - C:\Windows\{47D4B448-F985-4e97-817C-23FEB02530BA}.exe
    C:\Windows\{47D4B448-F985-4e97-817C-23FEB02530BA}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2640
  - - C:\Windows\{60CB3CF3-8650-44bf-A556-107CAD2A5F5A}.exe
      C:\Windows\{60CB3CF3-8650-44bf-A556-107CAD2A5F5A}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2684
    - - C:\Windows\{98D754A4-868A-419a-9120-1B0480E0650D}.exe
        
        C:\Windows\{98D754A4-868A-419a-9120-1B0480E0650D}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2304
      - C:\Windows\{9B4A39EB-8821-4037-AFA7-6C4B45929F42}.exe
        
        C:\Windows\{9B4A39EB-8821-4037-AFA7-6C4B45929F42}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2708
        
        C:\Windows\{31BF782C-77E4-46f3-96CD-32773881AB51}.exe
        
        C:\Windows\{31BF782C-77E4-46f3-96CD-32773881AB51}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1456
        
        C:\Windows\{B01BEA34-0652-418e-B4FC-0168422BE4BA}.exe
        
        C:\Windows\{B01BEA34-0652-418e-B4FC-0168422BE4BA}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:544
        
        C:\Windows\{4F5FA744-50F5-4a81-B28B-87C136F6425E}.exe
        
        C:\Windows\{4F5FA744-50F5-4a81-B28B-87C136F6425E}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2020
        
        C:\Windows\{20EF2A50-2309-4f64-8CE9-2B3FAD83384E}.exe
        
        C:\Windows\{20EF2A50-2309-4f64-8CE9-2B3FAD83384E}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2480
        
        C:\Windows\{30498E44-1B37-4967-8F2C-71B4F8ED52B8}.exe
        
        C:\Windows\{30498E44-1B37-4967-8F2C-71B4F8ED52B8}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1948
        
        C:\Windows\{A7300223-9841-43b5-AF5F-C840E0793326}.exe
        
        C:\Windows\{A7300223-9841-43b5-AF5F-C840E0793326}.exe
        12⤵
        Executes dropped EXE
        
        PID:576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{30498~1.EXE > nul
        12⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{20EF2~1.EXE > nul
        11⤵
        
        PID:604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4F5FA~1.EXE > nul
        10⤵
        
        PID:2232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B01BE~1.EXE > nul
        9⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{31BF7~1.EXE > nul
        8⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9B4A3~1.EXE > nul
        7⤵
        
        PID:2164
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{98D75~1.EXE > nul
        6⤵
        
        PID:2712
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{60CB3~1.EXE > nul
        5⤵
        
        PID:880
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{47D4B~1.EXE > nul
      4⤵
      PID:2608
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{36AEA~1.EXE > nul
    3⤵
    PID:2620
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{20EF2A50-2309-4f64-8CE9-2B3FAD83384E}.exe

Filesize
372KB

MD5
9964a71cd699b96eeb92e0190bd02c0f

SHA1
19d2ee8423052b04e9ac05404076782de58f4c02

SHA256
8bdcb9376dc8817380bbcdff3a370d86d380f769f1529f80b2feb91c79b3f6fc

SHA512
ee6e7a508524856af925e69ffb870dea53286756803bc73a77337f53e3c61061a7c882cc5eb91d38346655420ee1fddb908f1f7c3bbed9adf5ea7bb01f9def35

Download Submit
C:\Windows\{30498E44-1B37-4967-8F2C-71B4F8ED52B8}.exe

Filesize
372KB

MD5
d096dc9640457f79740f3c52f78a01d1

SHA1
f5e94569382291cf1e0232ed652cc85c10276957

SHA256
f9055395fb5adc3ef0260b6ccd80dfd79aad8a7636456274467b42ec5c0d3f95

SHA512
cf523709fdc6c39f5bafa5e37a24ee841337d8f0dcc415ca0a5f6e7c541a829e62b189183cf637356ff7e9c4beac35581c9f2fa22dafe7dc06a6b0e4eeec15b6

Download Submit
C:\Windows\{31BF782C-77E4-46f3-96CD-32773881AB51}.exe

Filesize
372KB

MD5
7f3130207887a7d415574a4d4e421fab

SHA1
e2afe38e288b550b358f929c5a58ba55b6c5089d

SHA256
52883c2ea6095979d41ef2af49289fc52f0f36be044acd38c8327cb52ed25b6c

SHA512
cf513a4420b103bc22bc4dd17caf53ee49b6d39a4478cb2497d4f9e5d4b48d1600c927e005416b07d48848f98ef1c1312c4fb7f05f887bf6b09d20b2c1b690be

Download Submit
C:\Windows\{36AEA633-777D-4d22-B640-F8B0D6C0A3AD}.exe

Filesize
372KB

MD5
55e08e0b951487b4c5e73437ee7af40c

SHA1
02031d67ada166dc5b68ba9697842e38a29594d8

SHA256
709ec76c3034df9550cd00ccea50efdb8a6eeaeeb0217a0439269328bc35a2fc

SHA512
bc215b5dca19968f9ae3d385bef2690f85494c92a391134e9bf705d7dc9d2dcdb638e0b86c64acb95b8a2960d8be4b195673292431d838373b662da098afe962

Download Submit
C:\Windows\{47D4B448-F985-4e97-817C-23FEB02530BA}.exe

Filesize
372KB

MD5
057c2173b508090acd77a86c9103f600

SHA1
53b52312c026512dc528ae60fd38207100b21803

SHA256
283c716c35e77cf5bf02deaf14d58c2c447fc1762a846c1a88a3ab9a62d1d7d9

SHA512
4213262817e7a7ae2b31ab1e538dcb84db8244af735d7ff030d024a7ed810cf70ec678872d3a0416a9d8e630892fa11d6e2e0af3d38a12fb9e36ffb76df0d58a

Download Submit
C:\Windows\{4F5FA744-50F5-4a81-B28B-87C136F6425E}.exe

Filesize
372KB

MD5
4cf468281623818ac295abc0f7bf4099

SHA1
7e20c20681ed00c082415b5cc3eb2e22ed919c32

SHA256
8c160f7a46622f88271da7d40798d7472325017babdbbd3516b9baa4776c126b

SHA512
20817cca649161adef28a49ef3688cecda06761cb7d4b6016f84a11bd9b50aa677c454b230c3be1cd31d34b3ffdf750062d43561a74ef7bf456cbfe1f215210b

Download Submit
C:\Windows\{60CB3CF3-8650-44bf-A556-107CAD2A5F5A}.exe

Filesize
372KB

MD5
59186da39e7db744da40fe927ba7eb4e

SHA1
756c98c5078622bb3011b227b2fe0451348fefae

SHA256
b1e6179abd113bb2d8b0612eefa3e87f053eb99d0790914d6a54a28190237200

SHA512
f4198c27e44f4c2e953218fa76978c917463f9b412a7b7af8f0d6d9b9db9f3d19c514e6ecd2312ba6454d716594553b2150aa2307301d7d0c82d363421e2ec96

Download Submit
C:\Windows\{98D754A4-868A-419a-9120-1B0480E0650D}.exe

Filesize
372KB

MD5
a76a34397e3b942c6b3b58e02aacc49b

SHA1
2f8f3343983d9fc1ab9f877938b463846f6f9f9d

SHA256
d37e5675b7f2e8a99bbc53e71734623d9d300e4d98e193b37b50d61021376ae2

SHA512
0b589514daa6789f9e37dd9836f31979cf235e0a03b383e42c7cc41bed732e0890704ba589228fe8dc132e203b290e113730ac15838725a6ebd30ac4ac62ff66

Download Submit
C:\Windows\{9B4A39EB-8821-4037-AFA7-6C4B45929F42}.exe

Filesize
372KB

MD5
49dc0bc98526689678b0dfa6e6852150

SHA1
f18393d8a85b76b251d1e38e51c402d963da7c45

SHA256
96880e4f0c3ca8f05737ada2c389aba85c54fa22cd7ca7c20a2e3b90bd1444ee

SHA512
304924f3e0fec4092b6e5e93d2ace4ad5233d98caebcc277e45e72eed305bcccb816a6fc2bedd91370325f9eaad745d2b5468ffa7f8226a9149508dd7474d5c9

Download Submit
C:\Windows\{A7300223-9841-43b5-AF5F-C840E0793326}.exe

Filesize
372KB

MD5
a4d296991c247ab9118c2ff51af1c68a

SHA1
e6de8f8d2668af3fcbf5099e48c42e4aaa163890

SHA256
525f1d9d684d15415fe3089c4d1b76856106b0cac215c27591afa15f19a63da9

SHA512
070304dd450ccab123b52b240a3cdf405911d44b7ff5442635a0d370ab0817a4bf25ea3d00d44cdcbc1926698f05c3b16c178233f6fe346979be7f5686173486

Download Submit
C:\Windows\{B01BEA34-0652-418e-B4FC-0168422BE4BA}.exe

Filesize
372KB

MD5
9b59e219475f4dcddf34c369d2b9e34d

SHA1
bbaab7122fa2e9c02b4fd7c4da97ece3736f0a22

SHA256
0910f959afc17bbc782ae4758afb40e77e4caee571090255a261926a9a69a54c

SHA512
8ee00f8b17adebbd2b275f2ed650f979e8e22462227c57307a572fbc64fdd1b4b17f5f8052a07b9dbe2da82c06092c1367147a6d6af21f6a8bf126a34cb64714

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads