4bb9ae48a897342633a6a52a6917b058bafbb65d09f2149fba7695ab6e5134b9

Analysis

max time kernel
144s
max time network
120s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
15/06/2024, 10:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-15_7c87bb6045af8c76c0ada3757dc9a887_goldeneye.exe
Size

216KB
MD5

7c87bb6045af8c76c0ada3757dc9a887
SHA1

1b01c478b57f8a1e01b4bf2efb871d33c7850aed
SHA256

4bb9ae48a897342633a6a52a6917b058bafbb65d09f2149fba7695ab6e5134b9
SHA512

a03b8f9154c26572d5e56dbd7f0e5cc23c8dc08652c0f39c462d8674c9ab1e91d0c5a417835f70a8d8c440feaecd34dedcd16848c27dffeff39fa323e82f6348
SSDEEP

3072:jEGh0o9l+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEGXlEeKcAEcGy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000b00000001472f-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0030000000014f57-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c00000001472f-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x003000000001507a-25.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d00000001472f-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e00000001472f-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f00000001472f-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BB10A947-6ED9-4573-9802-066639A686FE}\stubpath = "C:\\Windows\\{BB10A947-6ED9-4573-9802-066639A686FE}.exe"	{80E20B6B-4507-4179-B14F-DBD0961474CD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5B35B0ED-2F7F-43ef-A4CC-47E05CEEA735}\stubpath = "C:\\Windows\\{5B35B0ED-2F7F-43ef-A4CC-47E05CEEA735}.exe"	{BB10A947-6ED9-4573-9802-066639A686FE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{44BAA5CA-C9FA-46b9-A0FA-CD288076FC61}\stubpath = "C:\\Windows\\{44BAA5CA-C9FA-46b9-A0FA-CD288076FC61}.exe"	{38D6CF63-4D21-4132-A969-65F1FE53E96E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{472E7171-724D-48dd-95E3-A8B0A9CF82F5}	{44BAA5CA-C9FA-46b9-A0FA-CD288076FC61}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{51117906-43E5-4ce1-88B4-23A193466EEC}\stubpath = "C:\\Windows\\{51117906-43E5-4ce1-88B4-23A193466EEC}.exe"	{472E7171-724D-48dd-95E3-A8B0A9CF82F5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9BAADCCE-E877-4ac4-B0D6-0BCEEA2AF920}\stubpath = "C:\\Windows\\{9BAADCCE-E877-4ac4-B0D6-0BCEEA2AF920}.exe"	{51117906-43E5-4ce1-88B4-23A193466EEC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BB10A947-6ED9-4573-9802-066639A686FE}	{80E20B6B-4507-4179-B14F-DBD0961474CD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{38D6CF63-4D21-4132-A969-65F1FE53E96E}\stubpath = "C:\\Windows\\{38D6CF63-4D21-4132-A969-65F1FE53E96E}.exe"	{6BC4B49D-01E5-4044-B479-AF2D5656CF8B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{44BAA5CA-C9FA-46b9-A0FA-CD288076FC61}	{38D6CF63-4D21-4132-A969-65F1FE53E96E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B3E3E64C-988E-4b78-8567-EB39E369423D}\stubpath = "C:\\Windows\\{B3E3E64C-988E-4b78-8567-EB39E369423D}.exe"	{5B35B0ED-2F7F-43ef-A4CC-47E05CEEA735}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{80E20B6B-4507-4179-B14F-DBD0961474CD}\stubpath = "C:\\Windows\\{80E20B6B-4507-4179-B14F-DBD0961474CD}.exe"	{C1A79577-3515-478c-B756-03E025BEA71C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B3E3E64C-988E-4b78-8567-EB39E369423D}	{5B35B0ED-2F7F-43ef-A4CC-47E05CEEA735}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6BC4B49D-01E5-4044-B479-AF2D5656CF8B}	{B3E3E64C-988E-4b78-8567-EB39E369423D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{38D6CF63-4D21-4132-A969-65F1FE53E96E}	{6BC4B49D-01E5-4044-B479-AF2D5656CF8B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{472E7171-724D-48dd-95E3-A8B0A9CF82F5}\stubpath = "C:\\Windows\\{472E7171-724D-48dd-95E3-A8B0A9CF82F5}.exe"	{44BAA5CA-C9FA-46b9-A0FA-CD288076FC61}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{51117906-43E5-4ce1-88B4-23A193466EEC}	{472E7171-724D-48dd-95E3-A8B0A9CF82F5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C1A79577-3515-478c-B756-03E025BEA71C}\stubpath = "C:\\Windows\\{C1A79577-3515-478c-B756-03E025BEA71C}.exe"	2024-06-15_7c87bb6045af8c76c0ada3757dc9a887_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{80E20B6B-4507-4179-B14F-DBD0961474CD}	{C1A79577-3515-478c-B756-03E025BEA71C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5B35B0ED-2F7F-43ef-A4CC-47E05CEEA735}	{BB10A947-6ED9-4573-9802-066639A686FE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6BC4B49D-01E5-4044-B479-AF2D5656CF8B}\stubpath = "C:\\Windows\\{6BC4B49D-01E5-4044-B479-AF2D5656CF8B}.exe"	{B3E3E64C-988E-4b78-8567-EB39E369423D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9BAADCCE-E877-4ac4-B0D6-0BCEEA2AF920}	{51117906-43E5-4ce1-88B4-23A193466EEC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C1A79577-3515-478c-B756-03E025BEA71C}	2024-06-15_7c87bb6045af8c76c0ada3757dc9a887_goldeneye.exe

Executes dropped EXE 11 IoCs

pid	Process
2512	{C1A79577-3515-478c-B756-03E025BEA71C}.exe
2608	{80E20B6B-4507-4179-B14F-DBD0961474CD}.exe
2600	{BB10A947-6ED9-4573-9802-066639A686FE}.exe
2668	{5B35B0ED-2F7F-43ef-A4CC-47E05CEEA735}.exe
320	{B3E3E64C-988E-4b78-8567-EB39E369423D}.exe
2292	{6BC4B49D-01E5-4044-B479-AF2D5656CF8B}.exe
1368	{38D6CF63-4D21-4132-A969-65F1FE53E96E}.exe
2040	{44BAA5CA-C9FA-46b9-A0FA-CD288076FC61}.exe
1992	{472E7171-724D-48dd-95E3-A8B0A9CF82F5}.exe
692	{51117906-43E5-4ce1-88B4-23A193466EEC}.exe
352	{9BAADCCE-E877-4ac4-B0D6-0BCEEA2AF920}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{80E20B6B-4507-4179-B14F-DBD0961474CD}.exe	{C1A79577-3515-478c-B756-03E025BEA71C}.exe
File created	C:\Windows\{5B35B0ED-2F7F-43ef-A4CC-47E05CEEA735}.exe	{BB10A947-6ED9-4573-9802-066639A686FE}.exe
File created	C:\Windows\{B3E3E64C-988E-4b78-8567-EB39E369423D}.exe	{5B35B0ED-2F7F-43ef-A4CC-47E05CEEA735}.exe
File created	C:\Windows\{6BC4B49D-01E5-4044-B479-AF2D5656CF8B}.exe	{B3E3E64C-988E-4b78-8567-EB39E369423D}.exe
File created	C:\Windows\{44BAA5CA-C9FA-46b9-A0FA-CD288076FC61}.exe	{38D6CF63-4D21-4132-A969-65F1FE53E96E}.exe
File created	C:\Windows\{472E7171-724D-48dd-95E3-A8B0A9CF82F5}.exe	{44BAA5CA-C9FA-46b9-A0FA-CD288076FC61}.exe
File created	C:\Windows\{C1A79577-3515-478c-B756-03E025BEA71C}.exe	2024-06-15_7c87bb6045af8c76c0ada3757dc9a887_goldeneye.exe
File created	C:\Windows\{BB10A947-6ED9-4573-9802-066639A686FE}.exe	{80E20B6B-4507-4179-B14F-DBD0961474CD}.exe
File created	C:\Windows\{38D6CF63-4D21-4132-A969-65F1FE53E96E}.exe	{6BC4B49D-01E5-4044-B479-AF2D5656CF8B}.exe
File created	C:\Windows\{51117906-43E5-4ce1-88B4-23A193466EEC}.exe	{472E7171-724D-48dd-95E3-A8B0A9CF82F5}.exe
File created	C:\Windows\{9BAADCCE-E877-4ac4-B0D6-0BCEEA2AF920}.exe	{51117906-43E5-4ce1-88B4-23A193466EEC}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2644	2024-06-15_7c87bb6045af8c76c0ada3757dc9a887_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2512	{C1A79577-3515-478c-B756-03E025BEA71C}.exe
Token: SeIncBasePriorityPrivilege	2608	{80E20B6B-4507-4179-B14F-DBD0961474CD}.exe
Token: SeIncBasePriorityPrivilege	2600	{BB10A947-6ED9-4573-9802-066639A686FE}.exe
Token: SeIncBasePriorityPrivilege	2668	{5B35B0ED-2F7F-43ef-A4CC-47E05CEEA735}.exe
Token: SeIncBasePriorityPrivilege	320	{B3E3E64C-988E-4b78-8567-EB39E369423D}.exe
Token: SeIncBasePriorityPrivilege	2292	{6BC4B49D-01E5-4044-B479-AF2D5656CF8B}.exe
Token: SeIncBasePriorityPrivilege	1368	{38D6CF63-4D21-4132-A969-65F1FE53E96E}.exe
Token: SeIncBasePriorityPrivilege	2040	{44BAA5CA-C9FA-46b9-A0FA-CD288076FC61}.exe
Token: SeIncBasePriorityPrivilege	1992	{472E7171-724D-48dd-95E3-A8B0A9CF82F5}.exe
Token: SeIncBasePriorityPrivilege	692	{51117906-43E5-4ce1-88B4-23A193466EEC}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2644 wrote to memory of 2512	2644	2024-06-15_7c87bb6045af8c76c0ada3757dc9a887_goldeneye.exe	28
PID 2644 wrote to memory of 2512	2644	2024-06-15_7c87bb6045af8c76c0ada3757dc9a887_goldeneye.exe	28
PID 2644 wrote to memory of 2512	2644	2024-06-15_7c87bb6045af8c76c0ada3757dc9a887_goldeneye.exe	28
PID 2644 wrote to memory of 2512	2644	2024-06-15_7c87bb6045af8c76c0ada3757dc9a887_goldeneye.exe	28
PID 2644 wrote to memory of 2580	2644	2024-06-15_7c87bb6045af8c76c0ada3757dc9a887_goldeneye.exe	29
PID 2644 wrote to memory of 2580	2644	2024-06-15_7c87bb6045af8c76c0ada3757dc9a887_goldeneye.exe	29
PID 2644 wrote to memory of 2580	2644	2024-06-15_7c87bb6045af8c76c0ada3757dc9a887_goldeneye.exe	29
PID 2644 wrote to memory of 2580	2644	2024-06-15_7c87bb6045af8c76c0ada3757dc9a887_goldeneye.exe	29
PID 2512 wrote to memory of 2608	2512	{C1A79577-3515-478c-B756-03E025BEA71C}.exe	30
PID 2512 wrote to memory of 2608	2512	{C1A79577-3515-478c-B756-03E025BEA71C}.exe	30
PID 2512 wrote to memory of 2608	2512	{C1A79577-3515-478c-B756-03E025BEA71C}.exe	30
PID 2512 wrote to memory of 2608	2512	{C1A79577-3515-478c-B756-03E025BEA71C}.exe	30
PID 2512 wrote to memory of 2396	2512	{C1A79577-3515-478c-B756-03E025BEA71C}.exe	31
PID 2512 wrote to memory of 2396	2512	{C1A79577-3515-478c-B756-03E025BEA71C}.exe	31
PID 2512 wrote to memory of 2396	2512	{C1A79577-3515-478c-B756-03E025BEA71C}.exe	31
PID 2512 wrote to memory of 2396	2512	{C1A79577-3515-478c-B756-03E025BEA71C}.exe	31
PID 2608 wrote to memory of 2600	2608	{80E20B6B-4507-4179-B14F-DBD0961474CD}.exe	32
PID 2608 wrote to memory of 2600	2608	{80E20B6B-4507-4179-B14F-DBD0961474CD}.exe	32
PID 2608 wrote to memory of 2600	2608	{80E20B6B-4507-4179-B14F-DBD0961474CD}.exe	32
PID 2608 wrote to memory of 2600	2608	{80E20B6B-4507-4179-B14F-DBD0961474CD}.exe	32
PID 2608 wrote to memory of 2384	2608	{80E20B6B-4507-4179-B14F-DBD0961474CD}.exe	33
PID 2608 wrote to memory of 2384	2608	{80E20B6B-4507-4179-B14F-DBD0961474CD}.exe	33
PID 2608 wrote to memory of 2384	2608	{80E20B6B-4507-4179-B14F-DBD0961474CD}.exe	33
PID 2608 wrote to memory of 2384	2608	{80E20B6B-4507-4179-B14F-DBD0961474CD}.exe	33
PID 2600 wrote to memory of 2668	2600	{BB10A947-6ED9-4573-9802-066639A686FE}.exe	36
PID 2600 wrote to memory of 2668	2600	{BB10A947-6ED9-4573-9802-066639A686FE}.exe	36
PID 2600 wrote to memory of 2668	2600	{BB10A947-6ED9-4573-9802-066639A686FE}.exe	36
PID 2600 wrote to memory of 2668	2600	{BB10A947-6ED9-4573-9802-066639A686FE}.exe	36
PID 2600 wrote to memory of 2692	2600	{BB10A947-6ED9-4573-9802-066639A686FE}.exe	37
PID 2600 wrote to memory of 2692	2600	{BB10A947-6ED9-4573-9802-066639A686FE}.exe	37
PID 2600 wrote to memory of 2692	2600	{BB10A947-6ED9-4573-9802-066639A686FE}.exe	37
PID 2600 wrote to memory of 2692	2600	{BB10A947-6ED9-4573-9802-066639A686FE}.exe	37
PID 2668 wrote to memory of 320	2668	{5B35B0ED-2F7F-43ef-A4CC-47E05CEEA735}.exe	38
PID 2668 wrote to memory of 320	2668	{5B35B0ED-2F7F-43ef-A4CC-47E05CEEA735}.exe	38
PID 2668 wrote to memory of 320	2668	{5B35B0ED-2F7F-43ef-A4CC-47E05CEEA735}.exe	38
PID 2668 wrote to memory of 320	2668	{5B35B0ED-2F7F-43ef-A4CC-47E05CEEA735}.exe	38
PID 2668 wrote to memory of 2284	2668	{5B35B0ED-2F7F-43ef-A4CC-47E05CEEA735}.exe	39
PID 2668 wrote to memory of 2284	2668	{5B35B0ED-2F7F-43ef-A4CC-47E05CEEA735}.exe	39
PID 2668 wrote to memory of 2284	2668	{5B35B0ED-2F7F-43ef-A4CC-47E05CEEA735}.exe	39
PID 2668 wrote to memory of 2284	2668	{5B35B0ED-2F7F-43ef-A4CC-47E05CEEA735}.exe	39
PID 320 wrote to memory of 2292	320	{B3E3E64C-988E-4b78-8567-EB39E369423D}.exe	40
PID 320 wrote to memory of 2292	320	{B3E3E64C-988E-4b78-8567-EB39E369423D}.exe	40
PID 320 wrote to memory of 2292	320	{B3E3E64C-988E-4b78-8567-EB39E369423D}.exe	40
PID 320 wrote to memory of 2292	320	{B3E3E64C-988E-4b78-8567-EB39E369423D}.exe	40
PID 320 wrote to memory of 1556	320	{B3E3E64C-988E-4b78-8567-EB39E369423D}.exe	41
PID 320 wrote to memory of 1556	320	{B3E3E64C-988E-4b78-8567-EB39E369423D}.exe	41
PID 320 wrote to memory of 1556	320	{B3E3E64C-988E-4b78-8567-EB39E369423D}.exe	41
PID 320 wrote to memory of 1556	320	{B3E3E64C-988E-4b78-8567-EB39E369423D}.exe	41
PID 2292 wrote to memory of 1368	2292	{6BC4B49D-01E5-4044-B479-AF2D5656CF8B}.exe	42
PID 2292 wrote to memory of 1368	2292	{6BC4B49D-01E5-4044-B479-AF2D5656CF8B}.exe	42
PID 2292 wrote to memory of 1368	2292	{6BC4B49D-01E5-4044-B479-AF2D5656CF8B}.exe	42
PID 2292 wrote to memory of 1368	2292	{6BC4B49D-01E5-4044-B479-AF2D5656CF8B}.exe	42
PID 2292 wrote to memory of 1332	2292	{6BC4B49D-01E5-4044-B479-AF2D5656CF8B}.exe	43
PID 2292 wrote to memory of 1332	2292	{6BC4B49D-01E5-4044-B479-AF2D5656CF8B}.exe	43
PID 2292 wrote to memory of 1332	2292	{6BC4B49D-01E5-4044-B479-AF2D5656CF8B}.exe	43
PID 2292 wrote to memory of 1332	2292	{6BC4B49D-01E5-4044-B479-AF2D5656CF8B}.exe	43
PID 1368 wrote to memory of 2040	1368	{38D6CF63-4D21-4132-A969-65F1FE53E96E}.exe	44
PID 1368 wrote to memory of 2040	1368	{38D6CF63-4D21-4132-A969-65F1FE53E96E}.exe	44
PID 1368 wrote to memory of 2040	1368	{38D6CF63-4D21-4132-A969-65F1FE53E96E}.exe	44
PID 1368 wrote to memory of 2040	1368	{38D6CF63-4D21-4132-A969-65F1FE53E96E}.exe	44
PID 1368 wrote to memory of 1968	1368	{38D6CF63-4D21-4132-A969-65F1FE53E96E}.exe	45
PID 1368 wrote to memory of 1968	1368	{38D6CF63-4D21-4132-A969-65F1FE53E96E}.exe	45
PID 1368 wrote to memory of 1968	1368	{38D6CF63-4D21-4132-A969-65F1FE53E96E}.exe	45
PID 1368 wrote to memory of 1968	1368	{38D6CF63-4D21-4132-A969-65F1FE53E96E}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-06-15_7c87bb6045af8c76c0ada3757dc9a887_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-15_7c87bb6045af8c76c0ada3757dc9a887_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2644
- C:\Windows\{C1A79577-3515-478c-B756-03E025BEA71C}.exe
  C:\Windows\{C1A79577-3515-478c-B756-03E025BEA71C}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2512
- - C:\Windows\{80E20B6B-4507-4179-B14F-DBD0961474CD}.exe
    C:\Windows\{80E20B6B-4507-4179-B14F-DBD0961474CD}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2608
  - - C:\Windows\{BB10A947-6ED9-4573-9802-066639A686FE}.exe
      C:\Windows\{BB10A947-6ED9-4573-9802-066639A686FE}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2600
    - - C:\Windows\{5B35B0ED-2F7F-43ef-A4CC-47E05CEEA735}.exe
        
        C:\Windows\{5B35B0ED-2F7F-43ef-A4CC-47E05CEEA735}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2668
      - C:\Windows\{B3E3E64C-988E-4b78-8567-EB39E369423D}.exe
        
        C:\Windows\{B3E3E64C-988E-4b78-8567-EB39E369423D}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:320
        
        C:\Windows\{6BC4B49D-01E5-4044-B479-AF2D5656CF8B}.exe
        
        C:\Windows\{6BC4B49D-01E5-4044-B479-AF2D5656CF8B}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2292
        
        C:\Windows\{38D6CF63-4D21-4132-A969-65F1FE53E96E}.exe
        
        C:\Windows\{38D6CF63-4D21-4132-A969-65F1FE53E96E}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1368
        
        C:\Windows\{44BAA5CA-C9FA-46b9-A0FA-CD288076FC61}.exe
        
        C:\Windows\{44BAA5CA-C9FA-46b9-A0FA-CD288076FC61}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2040
        
        C:\Windows\{472E7171-724D-48dd-95E3-A8B0A9CF82F5}.exe
        
        C:\Windows\{472E7171-724D-48dd-95E3-A8B0A9CF82F5}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1992
        
        C:\Windows\{51117906-43E5-4ce1-88B4-23A193466EEC}.exe
        
        C:\Windows\{51117906-43E5-4ce1-88B4-23A193466EEC}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:692
        
        C:\Windows\{9BAADCCE-E877-4ac4-B0D6-0BCEEA2AF920}.exe
        
        C:\Windows\{9BAADCCE-E877-4ac4-B0D6-0BCEEA2AF920}.exe
        12⤵
        Executes dropped EXE
        
        PID:352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{51117~1.EXE > nul
        12⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{472E7~1.EXE > nul
        11⤵
        
        PID:564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{44BAA~1.EXE > nul
        10⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{38D6C~1.EXE > nul
        9⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6BC4B~1.EXE > nul
        8⤵
        
        PID:1332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B3E3E~1.EXE > nul
        7⤵
        
        PID:1556
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5B35B~1.EXE > nul
        6⤵
        
        PID:2284
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BB10A~1.EXE > nul
        5⤵
        
        PID:2692
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{80E20~1.EXE > nul
      4⤵
      PID:2384
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{C1A79~1.EXE > nul
    3⤵
    PID:2396
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{38D6CF63-4D21-4132-A969-65F1FE53E96E}.exe

Filesize
216KB

MD5
dbed6f93a5600bacfc2bff561d372af8

SHA1
f2b173b8c598f94db12ff38a196c1ba2aa64ec48

SHA256
93b3e44f35ed8fa8e833694943289cc61bbd4fdca0da228196fc2182ae55320c

SHA512
feacb4e02e4bbc1191ab659ae5b65819025dd13511d8c0a15fb841dff63d0dd99f43890bc3100499e30bec443bf23a4700db75fcae4ae13a40b3cafa9beb4610

Download Submit
C:\Windows\{44BAA5CA-C9FA-46b9-A0FA-CD288076FC61}.exe

Filesize
216KB

MD5
0002dc253d2b3039eaa0299230484335

SHA1
8e73a2f733b82bbd7c74ceae62bb9c354a05599d

SHA256
137a0277fb49904482e2986b4cd693545fd78adf948867a94cd83c6680ee3785

SHA512
a281aeddc082a29a299f3dd0597d143bcffcd10ddbeeec0c60b3932cb1a4393886923bfa1a9bdccf0651bee10f9b154cd79c88ddf220f03421a0894cab38163b

Download Submit
C:\Windows\{472E7171-724D-48dd-95E3-A8B0A9CF82F5}.exe

Filesize
216KB

MD5
2a36c3e3eb3cf5cd7b4d281726c9a4d1

SHA1
773e07f7e56125541406befbb30f50d63284a8e9

SHA256
f1807414221b67a3e4c1602035a8cc04bdf2f73aef16b3c941bcb94085f3e726

SHA512
9d11c9657d705d4114e329681c6e68bfca588a87289375604b95a0b64a9a1724a979369fe40cf4448e301ac32c2411f0fd8cbb9e1acd27c8c0e7e9336fc1dbff

Download Submit
C:\Windows\{51117906-43E5-4ce1-88B4-23A193466EEC}.exe

Filesize
216KB

MD5
6839264cf9c2b021a33305dd0bead1bf

SHA1
7bddc2c972aec9c13cd6e5d91de66f12e96d0ba1

SHA256
45e28505237f13c11915821d751ea236d7af9eac8a520712e85c3fc9a7cd4744

SHA512
b9d1e9fa822f01cb8326fa6114de6a43044dfe49df7717a2a329d675b58168e1a047f96940f8369cb76e687fb2ba2dd667ab2bacf3738e03471c0e6e7b687c4e

Download Submit
C:\Windows\{5B35B0ED-2F7F-43ef-A4CC-47E05CEEA735}.exe

Filesize
216KB

MD5
17ce70e6a543f3746371a341eabd51be

SHA1
949a8e8c9707b60bb583e27ae03b263a32b65574

SHA256
3c5653330581af102571dd5063bdcaf21dd6d733dfa97b517651632b32881c9a

SHA512
6a9ed7e1adac5fc4764721e5efe757a9c82877853a1df802884c16de70cc240faa0249115141cfd750b3dd70fcd295a182e081f88b9045cd29bac9258d8fb745

Download Submit
C:\Windows\{6BC4B49D-01E5-4044-B479-AF2D5656CF8B}.exe

Filesize
216KB

MD5
3acde04f69da89c64cb7568318288e7d

SHA1
1db61aab74458a643663ee6281fbf4de17863b00

SHA256
ba7c5c0a70e192d9c50d8a92a78dbfbb196cd1c3cb717fed988c7f3e02197f0b

SHA512
c6bfea0f9883c7e4a911fb4c74ca4fbd1d88d1b2fb1ecfba75f354e45ce17525fe50d38b1b4d039aa0380a110fbaf4a11caf445bbe3abc29055d4dd7c49a670f

Download Submit
C:\Windows\{80E20B6B-4507-4179-B14F-DBD0961474CD}.exe

Filesize
216KB

MD5
0792bc8b07d0db947aef11c5a941a0f0

SHA1
1ca25e891fba7da0284f7f8e1088151b1b0e581a

SHA256
8d562ca68883e5324c0dd2b7bcb294f38ba4ebe420491513c16ee7a4d348a5ab

SHA512
5f5d01b3f0289ec4629fa6769080eb61e5e79d5ad352c21fac1659bcad2f96b06131f42b2c8a978085f9d637caf448c9022f12aaf41f9c4abd0f59c9e0f270c8

Download Submit
C:\Windows\{9BAADCCE-E877-4ac4-B0D6-0BCEEA2AF920}.exe

Filesize
216KB

MD5
e6390c442606e3e61a42ea2fdf5e27b7

SHA1
3ca966b5cdc01adc83a2f281fd4c5561c9921ea0

SHA256
60beead0f7913a364d77fc48915d25e3505f97af615cc4c70d6eb55b443fbc99

SHA512
865858d9d1db9f68767b455924e7059ae6cf14518c2f9b50c46e2a76c561bc4068e13fbc6789684c275178a060d6a48c450bae7e5ee97e758d8ee1a67bb2b946

Download Submit
C:\Windows\{B3E3E64C-988E-4b78-8567-EB39E369423D}.exe

Filesize
216KB

MD5
92a4a0eb84e899720d54fcb90b67d40a

SHA1
ba50b98374e73059a20b05098fbab0cb43d56b47

SHA256
8c117ee03f1129feb592a2df5fb666120d603f0790a7642c3d529675873fdd72

SHA512
57399eaa1ce0b46d171fe15d1829bf2d282f63ac7d17d167d38c5055345b6389133091d2b75a64860f12fb69e16c32cf86efc50259f1349078d5006ebf8ebf8f

Download Submit
C:\Windows\{BB10A947-6ED9-4573-9802-066639A686FE}.exe

Filesize
216KB

MD5
5f5b88212c66a6b34f6686ec78975644

SHA1
e5128f86cbbaace0ce718fa5b6f75a19955adee7

SHA256
a98149e3ace5859cf3e406dcf55f19b37dfb8a2ecef136758f965530bf002a37

SHA512
e46e70c07a6bf2ce1c867a5e8cf50d89adecaa06679b41567f67dc687923eef9b2519f77b9034ba5ac03eb47fa137b91ad8babfaa31348d58c46135521c8684f

Download Submit
C:\Windows\{C1A79577-3515-478c-B756-03E025BEA71C}.exe

Filesize
216KB

MD5
137ec3b5bef5cd542e7030b9ee85670e

SHA1
5c3b35bee83f7f27f33426fc452ad913a9ee6740

SHA256
1a6e5e5e547335fef18fa002067af454cf9299d6720d0483aa850a2885413abd

SHA512
e62d8448b957ea6a751c4bef848e491dd0b3c82a3c8fd432eccdc9f7e42f9473fee823928181d2957ce365ab2ea9d0a2c674d9eba912ab54e8fa92353beb3894

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads