766479b07cac21aca2345fd57b03e847b4af2ad5cab1f1d1e48e17a72c9e991e

Analysis

max time kernel
144s
max time network
120s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
07/06/2024, 04:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-07_b88d8a8d11dc5a7252e9b84af5ea2ed0_goldeneye.exe
Size

180KB
MD5

b88d8a8d11dc5a7252e9b84af5ea2ed0
SHA1

a262911f2e966a07c9e293cf33760f1a7bb7f9bb
SHA256

766479b07cac21aca2345fd57b03e847b4af2ad5cab1f1d1e48e17a72c9e991e
SHA512

cd827ca07c46a1306203c3413c1f85787b207c4a1dd63d288f0de43f00ab00fa66c25048ca2fffc42ae215453222b9e60dc2657ac8b1b25aa21952f0745868b3
SSDEEP

3072:jEGh0ojlfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEG9l5eKcAEc

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000d00000001231c-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0031000000014502-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e00000001231c-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0031000000014588-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f00000001231c-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001000000001231c-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001100000001231c-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{87EDC0DF-352C-4355-958B-E66AE0ED8FC9}\stubpath = "C:\\Windows\\{87EDC0DF-352C-4355-958B-E66AE0ED8FC9}.exe"	{8C38E4BE-02A6-42d2-A806-807219B14313}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{92724638-80C3-40a4-917D-2B4FD3769F10}\stubpath = "C:\\Windows\\{92724638-80C3-40a4-917D-2B4FD3769F10}.exe"	{87EDC0DF-352C-4355-958B-E66AE0ED8FC9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{437991ED-7C3D-409e-AF74-1FF734C70F8F}	{F7840795-82C0-4873-8961-4B894683C79B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{437991ED-7C3D-409e-AF74-1FF734C70F8F}\stubpath = "C:\\Windows\\{437991ED-7C3D-409e-AF74-1FF734C70F8F}.exe"	{F7840795-82C0-4873-8961-4B894683C79B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8C38E4BE-02A6-42d2-A806-807219B14313}\stubpath = "C:\\Windows\\{8C38E4BE-02A6-42d2-A806-807219B14313}.exe"	{C0D50E36-417A-421a-B7D1-5E094FAAFC87}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BEA077FF-7784-4a51-894A-1AC6FBC936AD}	{92724638-80C3-40a4-917D-2B4FD3769F10}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{519D4988-8238-4976-9753-930A82768BB0}\stubpath = "C:\\Windows\\{519D4988-8238-4976-9753-930A82768BB0}.exe"	{437991ED-7C3D-409e-AF74-1FF734C70F8F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{92724638-80C3-40a4-917D-2B4FD3769F10}	{87EDC0DF-352C-4355-958B-E66AE0ED8FC9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BEA077FF-7784-4a51-894A-1AC6FBC936AD}\stubpath = "C:\\Windows\\{BEA077FF-7784-4a51-894A-1AC6FBC936AD}.exe"	{92724638-80C3-40a4-917D-2B4FD3769F10}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F7840795-82C0-4873-8961-4B894683C79B}	{BEA077FF-7784-4a51-894A-1AC6FBC936AD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3067008A-F232-4b4c-B5D1-BA5CB956B507}\stubpath = "C:\\Windows\\{3067008A-F232-4b4c-B5D1-BA5CB956B507}.exe"	2024-06-07_b88d8a8d11dc5a7252e9b84af5ea2ed0_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C0D50E36-417A-421a-B7D1-5E094FAAFC87}	{4E55FEEC-03AB-4b17-B208-2FEA716DBD59}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8C38E4BE-02A6-42d2-A806-807219B14313}	{C0D50E36-417A-421a-B7D1-5E094FAAFC87}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{87EDC0DF-352C-4355-958B-E66AE0ED8FC9}	{8C38E4BE-02A6-42d2-A806-807219B14313}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4E55FEEC-03AB-4b17-B208-2FEA716DBD59}\stubpath = "C:\\Windows\\{4E55FEEC-03AB-4b17-B208-2FEA716DBD59}.exe"	{F7296DC2-70E7-451d-AA6F-81721718EACE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C0D50E36-417A-421a-B7D1-5E094FAAFC87}\stubpath = "C:\\Windows\\{C0D50E36-417A-421a-B7D1-5E094FAAFC87}.exe"	{4E55FEEC-03AB-4b17-B208-2FEA716DBD59}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F7840795-82C0-4873-8961-4B894683C79B}\stubpath = "C:\\Windows\\{F7840795-82C0-4873-8961-4B894683C79B}.exe"	{BEA077FF-7784-4a51-894A-1AC6FBC936AD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{519D4988-8238-4976-9753-930A82768BB0}	{437991ED-7C3D-409e-AF74-1FF734C70F8F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3067008A-F232-4b4c-B5D1-BA5CB956B507}	2024-06-07_b88d8a8d11dc5a7252e9b84af5ea2ed0_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F7296DC2-70E7-451d-AA6F-81721718EACE}	{3067008A-F232-4b4c-B5D1-BA5CB956B507}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F7296DC2-70E7-451d-AA6F-81721718EACE}\stubpath = "C:\\Windows\\{F7296DC2-70E7-451d-AA6F-81721718EACE}.exe"	{3067008A-F232-4b4c-B5D1-BA5CB956B507}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4E55FEEC-03AB-4b17-B208-2FEA716DBD59}	{F7296DC2-70E7-451d-AA6F-81721718EACE}.exe

Deletes itself 1 IoCs

pid	Process
2632	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2968	{3067008A-F232-4b4c-B5D1-BA5CB956B507}.exe
2640	{F7296DC2-70E7-451d-AA6F-81721718EACE}.exe
2600	{4E55FEEC-03AB-4b17-B208-2FEA716DBD59}.exe
1900	{C0D50E36-417A-421a-B7D1-5E094FAAFC87}.exe
1268	{8C38E4BE-02A6-42d2-A806-807219B14313}.exe
1792	{87EDC0DF-352C-4355-958B-E66AE0ED8FC9}.exe
1808	{92724638-80C3-40a4-917D-2B4FD3769F10}.exe
1044	{BEA077FF-7784-4a51-894A-1AC6FBC936AD}.exe
1984	{F7840795-82C0-4873-8961-4B894683C79B}.exe
336	{437991ED-7C3D-409e-AF74-1FF734C70F8F}.exe
1352	{519D4988-8238-4976-9753-930A82768BB0}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{8C38E4BE-02A6-42d2-A806-807219B14313}.exe	{C0D50E36-417A-421a-B7D1-5E094FAAFC87}.exe
File created	C:\Windows\{87EDC0DF-352C-4355-958B-E66AE0ED8FC9}.exe	{8C38E4BE-02A6-42d2-A806-807219B14313}.exe
File created	C:\Windows\{437991ED-7C3D-409e-AF74-1FF734C70F8F}.exe	{F7840795-82C0-4873-8961-4B894683C79B}.exe
File created	C:\Windows\{519D4988-8238-4976-9753-930A82768BB0}.exe	{437991ED-7C3D-409e-AF74-1FF734C70F8F}.exe
File created	C:\Windows\{3067008A-F232-4b4c-B5D1-BA5CB956B507}.exe	2024-06-07_b88d8a8d11dc5a7252e9b84af5ea2ed0_goldeneye.exe
File created	C:\Windows\{F7296DC2-70E7-451d-AA6F-81721718EACE}.exe	{3067008A-F232-4b4c-B5D1-BA5CB956B507}.exe
File created	C:\Windows\{4E55FEEC-03AB-4b17-B208-2FEA716DBD59}.exe	{F7296DC2-70E7-451d-AA6F-81721718EACE}.exe
File created	C:\Windows\{F7840795-82C0-4873-8961-4B894683C79B}.exe	{BEA077FF-7784-4a51-894A-1AC6FBC936AD}.exe
File created	C:\Windows\{C0D50E36-417A-421a-B7D1-5E094FAAFC87}.exe	{4E55FEEC-03AB-4b17-B208-2FEA716DBD59}.exe
File created	C:\Windows\{92724638-80C3-40a4-917D-2B4FD3769F10}.exe	{87EDC0DF-352C-4355-958B-E66AE0ED8FC9}.exe
File created	C:\Windows\{BEA077FF-7784-4a51-894A-1AC6FBC936AD}.exe	{92724638-80C3-40a4-917D-2B4FD3769F10}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2744	2024-06-07_b88d8a8d11dc5a7252e9b84af5ea2ed0_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2968	{3067008A-F232-4b4c-B5D1-BA5CB956B507}.exe
Token: SeIncBasePriorityPrivilege	2640	{F7296DC2-70E7-451d-AA6F-81721718EACE}.exe
Token: SeIncBasePriorityPrivilege	2600	{4E55FEEC-03AB-4b17-B208-2FEA716DBD59}.exe
Token: SeIncBasePriorityPrivilege	1900	{C0D50E36-417A-421a-B7D1-5E094FAAFC87}.exe
Token: SeIncBasePriorityPrivilege	1268	{8C38E4BE-02A6-42d2-A806-807219B14313}.exe
Token: SeIncBasePriorityPrivilege	1792	{87EDC0DF-352C-4355-958B-E66AE0ED8FC9}.exe
Token: SeIncBasePriorityPrivilege	1808	{92724638-80C3-40a4-917D-2B4FD3769F10}.exe
Token: SeIncBasePriorityPrivilege	1044	{BEA077FF-7784-4a51-894A-1AC6FBC936AD}.exe
Token: SeIncBasePriorityPrivilege	1984	{F7840795-82C0-4873-8961-4B894683C79B}.exe
Token: SeIncBasePriorityPrivilege	336	{437991ED-7C3D-409e-AF74-1FF734C70F8F}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2744 wrote to memory of 2968	2744	2024-06-07_b88d8a8d11dc5a7252e9b84af5ea2ed0_goldeneye.exe	28
PID 2744 wrote to memory of 2968	2744	2024-06-07_b88d8a8d11dc5a7252e9b84af5ea2ed0_goldeneye.exe	28
PID 2744 wrote to memory of 2968	2744	2024-06-07_b88d8a8d11dc5a7252e9b84af5ea2ed0_goldeneye.exe	28
PID 2744 wrote to memory of 2968	2744	2024-06-07_b88d8a8d11dc5a7252e9b84af5ea2ed0_goldeneye.exe	28
PID 2744 wrote to memory of 2632	2744	2024-06-07_b88d8a8d11dc5a7252e9b84af5ea2ed0_goldeneye.exe	29
PID 2744 wrote to memory of 2632	2744	2024-06-07_b88d8a8d11dc5a7252e9b84af5ea2ed0_goldeneye.exe	29
PID 2744 wrote to memory of 2632	2744	2024-06-07_b88d8a8d11dc5a7252e9b84af5ea2ed0_goldeneye.exe	29
PID 2744 wrote to memory of 2632	2744	2024-06-07_b88d8a8d11dc5a7252e9b84af5ea2ed0_goldeneye.exe	29
PID 2968 wrote to memory of 2640	2968	{3067008A-F232-4b4c-B5D1-BA5CB956B507}.exe	30
PID 2968 wrote to memory of 2640	2968	{3067008A-F232-4b4c-B5D1-BA5CB956B507}.exe	30
PID 2968 wrote to memory of 2640	2968	{3067008A-F232-4b4c-B5D1-BA5CB956B507}.exe	30
PID 2968 wrote to memory of 2640	2968	{3067008A-F232-4b4c-B5D1-BA5CB956B507}.exe	30
PID 2968 wrote to memory of 2592	2968	{3067008A-F232-4b4c-B5D1-BA5CB956B507}.exe	31
PID 2968 wrote to memory of 2592	2968	{3067008A-F232-4b4c-B5D1-BA5CB956B507}.exe	31
PID 2968 wrote to memory of 2592	2968	{3067008A-F232-4b4c-B5D1-BA5CB956B507}.exe	31
PID 2968 wrote to memory of 2592	2968	{3067008A-F232-4b4c-B5D1-BA5CB956B507}.exe	31
PID 2640 wrote to memory of 2600	2640	{F7296DC2-70E7-451d-AA6F-81721718EACE}.exe	32
PID 2640 wrote to memory of 2600	2640	{F7296DC2-70E7-451d-AA6F-81721718EACE}.exe	32
PID 2640 wrote to memory of 2600	2640	{F7296DC2-70E7-451d-AA6F-81721718EACE}.exe	32
PID 2640 wrote to memory of 2600	2640	{F7296DC2-70E7-451d-AA6F-81721718EACE}.exe	32
PID 2640 wrote to memory of 2428	2640	{F7296DC2-70E7-451d-AA6F-81721718EACE}.exe	33
PID 2640 wrote to memory of 2428	2640	{F7296DC2-70E7-451d-AA6F-81721718EACE}.exe	33
PID 2640 wrote to memory of 2428	2640	{F7296DC2-70E7-451d-AA6F-81721718EACE}.exe	33
PID 2640 wrote to memory of 2428	2640	{F7296DC2-70E7-451d-AA6F-81721718EACE}.exe	33
PID 2600 wrote to memory of 1900	2600	{4E55FEEC-03AB-4b17-B208-2FEA716DBD59}.exe	36
PID 2600 wrote to memory of 1900	2600	{4E55FEEC-03AB-4b17-B208-2FEA716DBD59}.exe	36
PID 2600 wrote to memory of 1900	2600	{4E55FEEC-03AB-4b17-B208-2FEA716DBD59}.exe	36
PID 2600 wrote to memory of 1900	2600	{4E55FEEC-03AB-4b17-B208-2FEA716DBD59}.exe	36
PID 2600 wrote to memory of 2312	2600	{4E55FEEC-03AB-4b17-B208-2FEA716DBD59}.exe	37
PID 2600 wrote to memory of 2312	2600	{4E55FEEC-03AB-4b17-B208-2FEA716DBD59}.exe	37
PID 2600 wrote to memory of 2312	2600	{4E55FEEC-03AB-4b17-B208-2FEA716DBD59}.exe	37
PID 2600 wrote to memory of 2312	2600	{4E55FEEC-03AB-4b17-B208-2FEA716DBD59}.exe	37
PID 1900 wrote to memory of 1268	1900	{C0D50E36-417A-421a-B7D1-5E094FAAFC87}.exe	38
PID 1900 wrote to memory of 1268	1900	{C0D50E36-417A-421a-B7D1-5E094FAAFC87}.exe	38
PID 1900 wrote to memory of 1268	1900	{C0D50E36-417A-421a-B7D1-5E094FAAFC87}.exe	38
PID 1900 wrote to memory of 1268	1900	{C0D50E36-417A-421a-B7D1-5E094FAAFC87}.exe	38
PID 1900 wrote to memory of 1140	1900	{C0D50E36-417A-421a-B7D1-5E094FAAFC87}.exe	39
PID 1900 wrote to memory of 1140	1900	{C0D50E36-417A-421a-B7D1-5E094FAAFC87}.exe	39
PID 1900 wrote to memory of 1140	1900	{C0D50E36-417A-421a-B7D1-5E094FAAFC87}.exe	39
PID 1900 wrote to memory of 1140	1900	{C0D50E36-417A-421a-B7D1-5E094FAAFC87}.exe	39
PID 1268 wrote to memory of 1792	1268	{8C38E4BE-02A6-42d2-A806-807219B14313}.exe	40
PID 1268 wrote to memory of 1792	1268	{8C38E4BE-02A6-42d2-A806-807219B14313}.exe	40
PID 1268 wrote to memory of 1792	1268	{8C38E4BE-02A6-42d2-A806-807219B14313}.exe	40
PID 1268 wrote to memory of 1792	1268	{8C38E4BE-02A6-42d2-A806-807219B14313}.exe	40
PID 1268 wrote to memory of 2388	1268	{8C38E4BE-02A6-42d2-A806-807219B14313}.exe	41
PID 1268 wrote to memory of 2388	1268	{8C38E4BE-02A6-42d2-A806-807219B14313}.exe	41
PID 1268 wrote to memory of 2388	1268	{8C38E4BE-02A6-42d2-A806-807219B14313}.exe	41
PID 1268 wrote to memory of 2388	1268	{8C38E4BE-02A6-42d2-A806-807219B14313}.exe	41
PID 1792 wrote to memory of 1808	1792	{87EDC0DF-352C-4355-958B-E66AE0ED8FC9}.exe	42
PID 1792 wrote to memory of 1808	1792	{87EDC0DF-352C-4355-958B-E66AE0ED8FC9}.exe	42
PID 1792 wrote to memory of 1808	1792	{87EDC0DF-352C-4355-958B-E66AE0ED8FC9}.exe	42
PID 1792 wrote to memory of 1808	1792	{87EDC0DF-352C-4355-958B-E66AE0ED8FC9}.exe	42
PID 1792 wrote to memory of 1592	1792	{87EDC0DF-352C-4355-958B-E66AE0ED8FC9}.exe	43
PID 1792 wrote to memory of 1592	1792	{87EDC0DF-352C-4355-958B-E66AE0ED8FC9}.exe	43
PID 1792 wrote to memory of 1592	1792	{87EDC0DF-352C-4355-958B-E66AE0ED8FC9}.exe	43
PID 1792 wrote to memory of 1592	1792	{87EDC0DF-352C-4355-958B-E66AE0ED8FC9}.exe	43
PID 1808 wrote to memory of 1044	1808	{92724638-80C3-40a4-917D-2B4FD3769F10}.exe	44
PID 1808 wrote to memory of 1044	1808	{92724638-80C3-40a4-917D-2B4FD3769F10}.exe	44
PID 1808 wrote to memory of 1044	1808	{92724638-80C3-40a4-917D-2B4FD3769F10}.exe	44
PID 1808 wrote to memory of 1044	1808	{92724638-80C3-40a4-917D-2B4FD3769F10}.exe	44
PID 1808 wrote to memory of 2828	1808	{92724638-80C3-40a4-917D-2B4FD3769F10}.exe	45
PID 1808 wrote to memory of 2828	1808	{92724638-80C3-40a4-917D-2B4FD3769F10}.exe	45
PID 1808 wrote to memory of 2828	1808	{92724638-80C3-40a4-917D-2B4FD3769F10}.exe	45
PID 1808 wrote to memory of 2828	1808	{92724638-80C3-40a4-917D-2B4FD3769F10}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-06-07_b88d8a8d11dc5a7252e9b84af5ea2ed0_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-07_b88d8a8d11dc5a7252e9b84af5ea2ed0_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2744
- C:\Windows\{3067008A-F232-4b4c-B5D1-BA5CB956B507}.exe
  C:\Windows\{3067008A-F232-4b4c-B5D1-BA5CB956B507}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2968
- - C:\Windows\{F7296DC2-70E7-451d-AA6F-81721718EACE}.exe
    C:\Windows\{F7296DC2-70E7-451d-AA6F-81721718EACE}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2640
  - - C:\Windows\{4E55FEEC-03AB-4b17-B208-2FEA716DBD59}.exe
      C:\Windows\{4E55FEEC-03AB-4b17-B208-2FEA716DBD59}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2600
    - - C:\Windows\{C0D50E36-417A-421a-B7D1-5E094FAAFC87}.exe
        
        C:\Windows\{C0D50E36-417A-421a-B7D1-5E094FAAFC87}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1900
      - C:\Windows\{8C38E4BE-02A6-42d2-A806-807219B14313}.exe
        
        C:\Windows\{8C38E4BE-02A6-42d2-A806-807219B14313}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1268
        
        C:\Windows\{87EDC0DF-352C-4355-958B-E66AE0ED8FC9}.exe
        
        C:\Windows\{87EDC0DF-352C-4355-958B-E66AE0ED8FC9}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1792
        
        C:\Windows\{92724638-80C3-40a4-917D-2B4FD3769F10}.exe
        
        C:\Windows\{92724638-80C3-40a4-917D-2B4FD3769F10}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1808
        
        C:\Windows\{BEA077FF-7784-4a51-894A-1AC6FBC936AD}.exe
        
        C:\Windows\{BEA077FF-7784-4a51-894A-1AC6FBC936AD}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1044
        
        C:\Windows\{F7840795-82C0-4873-8961-4B894683C79B}.exe
        
        C:\Windows\{F7840795-82C0-4873-8961-4B894683C79B}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1984
        
        C:\Windows\{437991ED-7C3D-409e-AF74-1FF734C70F8F}.exe
        
        C:\Windows\{437991ED-7C3D-409e-AF74-1FF734C70F8F}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:336
        
        C:\Windows\{519D4988-8238-4976-9753-930A82768BB0}.exe
        
        C:\Windows\{519D4988-8238-4976-9753-930A82768BB0}.exe
        12⤵
        Executes dropped EXE
        
        PID:1352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{43799~1.EXE > nul
        12⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F7840~1.EXE > nul
        11⤵
        
        PID:1020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BEA07~1.EXE > nul
        10⤵
        
        PID:1876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{92724~1.EXE > nul
        9⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{87EDC~1.EXE > nul
        8⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8C38E~1.EXE > nul
        7⤵
        
        PID:2388
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C0D50~1.EXE > nul
        6⤵
        
        PID:1140
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4E55F~1.EXE > nul
        5⤵
        
        PID:2312
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{F7296~1.EXE > nul
      4⤵
      PID:2428
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{30670~1.EXE > nul
    3⤵
    PID:2592
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{3067008A-F232-4b4c-B5D1-BA5CB956B507}.exe

Filesize
180KB

MD5
4cce2e03bf4274423b769a089b21fa50

SHA1
53f55ca1fd4c1dc171e5d9f07643c7f8f575a24e

SHA256
a8a074e17dd1a8fa6ae614d03b27e9aa37e342512b33bb7384f72a92e7bfc8c1

SHA512
30537a5234f4d0eafed7148076e57f77f7b692e905baf11d4bcfc5408697037fdb12d0a3e180081cd863432c60a7eb3983fbbe2492ef3b2d14dab8c5c0b8d06e

Download Submit
C:\Windows\{437991ED-7C3D-409e-AF74-1FF734C70F8F}.exe

Filesize
180KB

MD5
92c88bd92107f00a7bab77e616b6f4e1

SHA1
e15268c579e7f6d4666dc0ef066a78b755124092

SHA256
fff990dfae2207765b9f1ff4d328d232fc36545dce504a4a6d8b90998ec54ce7

SHA512
c95695f5bcb09b18542a4a30ccf57f9c88a38759efcc7eeb4d03d120863a0e3d4a437362a0670027fe7f97d2675769a92acf31815bf4cd98f259e1d88875a267

Download Submit
C:\Windows\{4E55FEEC-03AB-4b17-B208-2FEA716DBD59}.exe

Filesize
180KB

MD5
15d9b1edee971413704231a7cb484e00

SHA1
b828a8829a65fb353a37ed66aeec8898df29fbbb

SHA256
b4101d4441eccd4bacd2d3394809dab5e58fc2b2ac8e3391cd4647bb052c2baa

SHA512
86dcbcfc593485c80bed1efdc2f9cc0a693d89ecda54b88c9b18852e00a3bf734ba209fbbac5b198c11012c98963af30e6985911f4bd413ae118c81416d4e16c

Download Submit
C:\Windows\{519D4988-8238-4976-9753-930A82768BB0}.exe

Filesize
180KB

MD5
2f351c3ff76ac9277ba8d9b9b15e4e56

SHA1
f2ac00304825c95b4466bd775abe1aa4340a9c22

SHA256
d1532302d59b1af944ef4fbd0f975ae81a951c527e02ab4a57be629c898e557f

SHA512
c5ee8cd72f494bbcf80e011bd803b35f373e1aed4bb526dd9e494da5c2d427104c67cab7d9f3f6ece0adb221901df2c44240669f62be3396b72759a7c8f8c1a8

Download Submit
C:\Windows\{87EDC0DF-352C-4355-958B-E66AE0ED8FC9}.exe

Filesize
180KB

MD5
0df5cddc4fcfb2df80a4a59d3e42ba8b

SHA1
ce246ad8768cebb388ba5c672c6c96e429283874

SHA256
d860061f4ab6b6bb7f0d2c658e98b302fa8cf524e77f0997c0c28e609621f3ba

SHA512
8996fec769c05c1b738876142cffcd61d741aaa1681b58d2d44f9cb1ca582497e591bdb97c176ef6c36198caf7a9dc2704a9dd8ae4b1a55a73ee6a495cffc23d

Download Submit
C:\Windows\{8C38E4BE-02A6-42d2-A806-807219B14313}.exe

Filesize
180KB

MD5
3ed2415683d875de1fe2bd375d709556

SHA1
ff223e50dfe00a6b6f0d36da027422b91cf233ec

SHA256
a4752e2c092fba6b7e2c88144d264acad8bf6f8704369dffcfaf6710d8e1c0e0

SHA512
8981136d31afd030a7ee64541cbb253bc8017db2b2e596f269af7f34b738ca3498d9937e439ba364b3f9b19601148290f57c2c0fe844d6ee79e85515e8e48006

Download Submit
C:\Windows\{92724638-80C3-40a4-917D-2B4FD3769F10}.exe

Filesize
180KB

MD5
fa68fbe5fd19d6049eb0ac38ae2ecc9f

SHA1
5fc17c5a4f93344f3b69ef3e8d21c78166ca1dfa

SHA256
4b3e523a5000bf8272c08170a21ed3c4e7146560a48f9858608b061c0b667457

SHA512
d30068ed9a7779273863487af27c938b18de9e1e01bebf009191a276534c8eb7863286bc3990a52f283713ee2ad1859655a6d09273ddbd8337357de2d88d1834

Download Submit
C:\Windows\{BEA077FF-7784-4a51-894A-1AC6FBC936AD}.exe

Filesize
180KB

MD5
18ec4e5ff3acea1caedb46b98c61439f

SHA1
2ed431c210e98142688b169e642d3ab551feb139

SHA256
08ade9c918f2e8bfcf53594c3f32c85f3a8cd42244c00c10f8f144ace15857eb

SHA512
65d3d461722277fda234e2ec60ce25b68ccb6459c3fa96c235d0e4f96a4e82ea92e4a08bb22dfaef8901f70a25361d02001aa3961f1c2c2f5ab88433c0ca1722

Download Submit
C:\Windows\{C0D50E36-417A-421a-B7D1-5E094FAAFC87}.exe

Filesize
180KB

MD5
68b0c9513cee1e1bba707054652ac4ac

SHA1
9fa324accacaecb49ee07585690797eecd5486c4

SHA256
1a8e7b4b9d8c48cf261433c30ddd1bc989840932cea536f307b28da6cf06e925

SHA512
662c5567324eb5ddb800805a0d203619c822bb504bc59ab9dd7f21d7c3c9f2e19f4debd730f3b26dbe9148936b47081ac0ad3a676e4c34ae7e6e021a97b07923

Download Submit
C:\Windows\{F7296DC2-70E7-451d-AA6F-81721718EACE}.exe

Filesize
180KB

MD5
a70c2fa3cf0268570b157bf008ca065c

SHA1
b77289c9424a8268ec0ba26df8b159c264ebec25

SHA256
9711bd15f1ef52f032472d70d966f575bcb36b75dc0626d06795d62739ad11ea

SHA512
c98f35d271beb3929bc620c872d58a695b57dbc4e720764cdc7a04d86babaa3c4c7288565efc602a02a6c7f03d76368199a05b49cdad86c3f3614f9a2c04bbfb

Download Submit
C:\Windows\{F7840795-82C0-4873-8961-4B894683C79B}.exe

Filesize
180KB

MD5
20708239e5336d11a84da9f0181a170d

SHA1
4d89d462b94a7116d4f83d788d021c191ab6a8c8

SHA256
f9b9a62a4e7dfb0537a6efc0b65e5a1fb0d65e89c52edc418ac5a14d226daf45

SHA512
c0835c04bacdf0027d9ac732cdbcd99371ebfb2ce2607553c84161bb497072cf86ec03cf13be9ec70c81159c76b88ffc2b67d0f2d4025f191ad951f26f81535a

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads