05e9b0861727d8ef30f7e9100ba4569ff91e0e663da24c4e91163fc68c8cd66e

Analysis

max time kernel
144s
max time network
126s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
13/02/2024, 14:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-13_fda2c50a74929567813e502b36efb32c_goldeneye.exe
Size

180KB
MD5

fda2c50a74929567813e502b36efb32c
SHA1

bffc43787a67eb7b75339706b9e41b6e0237b8fc
SHA256

05e9b0861727d8ef30f7e9100ba4569ff91e0e663da24c4e91163fc68c8cd66e
SHA512

67d6143a8390fb51ed73b7fec9d4f0acdaca6da290f9aefd2295942cbd072d06e8beb9463be805bbec9d6440760566a7e75668169a40199ef5dfe3be81491cf7
SSDEEP

3072:jEGh0oBlfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGTl5eKcAEc

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000d000000014f03-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0034000000015c00-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0036000000015c19-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002900000000b1f4-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0037000000015c19-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002a00000000b1f4-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0038000000015c19-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e000000015c27-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0039000000015c19-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f000000015c27-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BC0DBAFE-292B-4412-BCF1-2988225F1F09}\stubpath = "C:\\Windows\\{BC0DBAFE-292B-4412-BCF1-2988225F1F09}.exe"	2024-02-13_fda2c50a74929567813e502b36efb32c_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9F5F0B4B-24A1-461a-B76E-5FAC453524E4}	{8C900563-2ED5-46be-9C71-2D360068053B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E7504354-9DEB-4aac-AF55-5CFE8503C381}\stubpath = "C:\\Windows\\{E7504354-9DEB-4aac-AF55-5CFE8503C381}.exe"	{13131F16-C0B3-4b2d-9143-91C51F921785}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{549C3FFF-820F-4639-A815-B7CC61BB6A8B}	{E7504354-9DEB-4aac-AF55-5CFE8503C381}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F2A0FDA2-2DBA-40c8-9862-9C4B901D99A9}	{549C3FFF-820F-4639-A815-B7CC61BB6A8B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F2A0FDA2-2DBA-40c8-9862-9C4B901D99A9}\stubpath = "C:\\Windows\\{F2A0FDA2-2DBA-40c8-9862-9C4B901D99A9}.exe"	{549C3FFF-820F-4639-A815-B7CC61BB6A8B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9D0CD79A-B9A3-43ad-9966-DD2E508B9FD1}\stubpath = "C:\\Windows\\{9D0CD79A-B9A3-43ad-9966-DD2E508B9FD1}.exe"	{F2A0FDA2-2DBA-40c8-9862-9C4B901D99A9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BC0DBAFE-292B-4412-BCF1-2988225F1F09}	2024-02-13_fda2c50a74929567813e502b36efb32c_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3A512C07-9714-421d-92CE-109E4110EE9B}	{186D6FA5-B832-43a1-95F1-207CBDB7BF3A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8C900563-2ED5-46be-9C71-2D360068053B}\stubpath = "C:\\Windows\\{8C900563-2ED5-46be-9C71-2D360068053B}.exe"	{94D3B488-720A-49f5-BFD7-C86291CC42B7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{13131F16-C0B3-4b2d-9143-91C51F921785}\stubpath = "C:\\Windows\\{13131F16-C0B3-4b2d-9143-91C51F921785}.exe"	{9F5F0B4B-24A1-461a-B76E-5FAC453524E4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{186D6FA5-B832-43a1-95F1-207CBDB7BF3A}	{9D0CD79A-B9A3-43ad-9966-DD2E508B9FD1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8C900563-2ED5-46be-9C71-2D360068053B}	{94D3B488-720A-49f5-BFD7-C86291CC42B7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9F5F0B4B-24A1-461a-B76E-5FAC453524E4}\stubpath = "C:\\Windows\\{9F5F0B4B-24A1-461a-B76E-5FAC453524E4}.exe"	{8C900563-2ED5-46be-9C71-2D360068053B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{13131F16-C0B3-4b2d-9143-91C51F921785}	{9F5F0B4B-24A1-461a-B76E-5FAC453524E4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{549C3FFF-820F-4639-A815-B7CC61BB6A8B}\stubpath = "C:\\Windows\\{549C3FFF-820F-4639-A815-B7CC61BB6A8B}.exe"	{E7504354-9DEB-4aac-AF55-5CFE8503C381}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9D0CD79A-B9A3-43ad-9966-DD2E508B9FD1}	{F2A0FDA2-2DBA-40c8-9862-9C4B901D99A9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3A512C07-9714-421d-92CE-109E4110EE9B}\stubpath = "C:\\Windows\\{3A512C07-9714-421d-92CE-109E4110EE9B}.exe"	{186D6FA5-B832-43a1-95F1-207CBDB7BF3A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{94D3B488-720A-49f5-BFD7-C86291CC42B7}	{BC0DBAFE-292B-4412-BCF1-2988225F1F09}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E7504354-9DEB-4aac-AF55-5CFE8503C381}	{13131F16-C0B3-4b2d-9143-91C51F921785}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{186D6FA5-B832-43a1-95F1-207CBDB7BF3A}\stubpath = "C:\\Windows\\{186D6FA5-B832-43a1-95F1-207CBDB7BF3A}.exe"	{9D0CD79A-B9A3-43ad-9966-DD2E508B9FD1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{94D3B488-720A-49f5-BFD7-C86291CC42B7}\stubpath = "C:\\Windows\\{94D3B488-720A-49f5-BFD7-C86291CC42B7}.exe"	{BC0DBAFE-292B-4412-BCF1-2988225F1F09}.exe

Deletes itself 1 IoCs

pid	Process
2328	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2828	{BC0DBAFE-292B-4412-BCF1-2988225F1F09}.exe
3052	{94D3B488-720A-49f5-BFD7-C86291CC42B7}.exe
2204	{8C900563-2ED5-46be-9C71-2D360068053B}.exe
1944	{9F5F0B4B-24A1-461a-B76E-5FAC453524E4}.exe
3000	{13131F16-C0B3-4b2d-9143-91C51F921785}.exe
1932	{E7504354-9DEB-4aac-AF55-5CFE8503C381}.exe
1612	{549C3FFF-820F-4639-A815-B7CC61BB6A8B}.exe
472	{F2A0FDA2-2DBA-40c8-9862-9C4B901D99A9}.exe
3008	{9D0CD79A-B9A3-43ad-9966-DD2E508B9FD1}.exe
3012	{186D6FA5-B832-43a1-95F1-207CBDB7BF3A}.exe
1472	{3A512C07-9714-421d-92CE-109E4110EE9B}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{13131F16-C0B3-4b2d-9143-91C51F921785}.exe	{9F5F0B4B-24A1-461a-B76E-5FAC453524E4}.exe
File created	C:\Windows\{E7504354-9DEB-4aac-AF55-5CFE8503C381}.exe	{13131F16-C0B3-4b2d-9143-91C51F921785}.exe
File created	C:\Windows\{549C3FFF-820F-4639-A815-B7CC61BB6A8B}.exe	{E7504354-9DEB-4aac-AF55-5CFE8503C381}.exe
File created	C:\Windows\{BC0DBAFE-292B-4412-BCF1-2988225F1F09}.exe	2024-02-13_fda2c50a74929567813e502b36efb32c_goldeneye.exe
File created	C:\Windows\{9F5F0B4B-24A1-461a-B76E-5FAC453524E4}.exe	{8C900563-2ED5-46be-9C71-2D360068053B}.exe
File created	C:\Windows\{F2A0FDA2-2DBA-40c8-9862-9C4B901D99A9}.exe	{549C3FFF-820F-4639-A815-B7CC61BB6A8B}.exe
File created	C:\Windows\{9D0CD79A-B9A3-43ad-9966-DD2E508B9FD1}.exe	{F2A0FDA2-2DBA-40c8-9862-9C4B901D99A9}.exe
File created	C:\Windows\{186D6FA5-B832-43a1-95F1-207CBDB7BF3A}.exe	{9D0CD79A-B9A3-43ad-9966-DD2E508B9FD1}.exe
File created	C:\Windows\{3A512C07-9714-421d-92CE-109E4110EE9B}.exe	{186D6FA5-B832-43a1-95F1-207CBDB7BF3A}.exe
File created	C:\Windows\{94D3B488-720A-49f5-BFD7-C86291CC42B7}.exe	{BC0DBAFE-292B-4412-BCF1-2988225F1F09}.exe
File created	C:\Windows\{8C900563-2ED5-46be-9C71-2D360068053B}.exe	{94D3B488-720A-49f5-BFD7-C86291CC42B7}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1684	2024-02-13_fda2c50a74929567813e502b36efb32c_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2828	{BC0DBAFE-292B-4412-BCF1-2988225F1F09}.exe
Token: SeIncBasePriorityPrivilege	3052	{94D3B488-720A-49f5-BFD7-C86291CC42B7}.exe
Token: SeIncBasePriorityPrivilege	2204	{8C900563-2ED5-46be-9C71-2D360068053B}.exe
Token: SeIncBasePriorityPrivilege	1944	{9F5F0B4B-24A1-461a-B76E-5FAC453524E4}.exe
Token: SeIncBasePriorityPrivilege	3000	{13131F16-C0B3-4b2d-9143-91C51F921785}.exe
Token: SeIncBasePriorityPrivilege	1932	{E7504354-9DEB-4aac-AF55-5CFE8503C381}.exe
Token: SeIncBasePriorityPrivilege	1612	{549C3FFF-820F-4639-A815-B7CC61BB6A8B}.exe
Token: SeIncBasePriorityPrivilege	472	{F2A0FDA2-2DBA-40c8-9862-9C4B901D99A9}.exe
Token: SeIncBasePriorityPrivilege	3008	{9D0CD79A-B9A3-43ad-9966-DD2E508B9FD1}.exe
Token: SeIncBasePriorityPrivilege	3012	{186D6FA5-B832-43a1-95F1-207CBDB7BF3A}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1684 wrote to memory of 2828	1684	2024-02-13_fda2c50a74929567813e502b36efb32c_goldeneye.exe	28
PID 1684 wrote to memory of 2828	1684	2024-02-13_fda2c50a74929567813e502b36efb32c_goldeneye.exe	28
PID 1684 wrote to memory of 2828	1684	2024-02-13_fda2c50a74929567813e502b36efb32c_goldeneye.exe	28
PID 1684 wrote to memory of 2828	1684	2024-02-13_fda2c50a74929567813e502b36efb32c_goldeneye.exe	28
PID 1684 wrote to memory of 2328	1684	2024-02-13_fda2c50a74929567813e502b36efb32c_goldeneye.exe	29
PID 1684 wrote to memory of 2328	1684	2024-02-13_fda2c50a74929567813e502b36efb32c_goldeneye.exe	29
PID 1684 wrote to memory of 2328	1684	2024-02-13_fda2c50a74929567813e502b36efb32c_goldeneye.exe	29
PID 1684 wrote to memory of 2328	1684	2024-02-13_fda2c50a74929567813e502b36efb32c_goldeneye.exe	29
PID 2828 wrote to memory of 3052	2828	{BC0DBAFE-292B-4412-BCF1-2988225F1F09}.exe	30
PID 2828 wrote to memory of 3052	2828	{BC0DBAFE-292B-4412-BCF1-2988225F1F09}.exe	30
PID 2828 wrote to memory of 3052	2828	{BC0DBAFE-292B-4412-BCF1-2988225F1F09}.exe	30
PID 2828 wrote to memory of 3052	2828	{BC0DBAFE-292B-4412-BCF1-2988225F1F09}.exe	30
PID 2828 wrote to memory of 3048	2828	{BC0DBAFE-292B-4412-BCF1-2988225F1F09}.exe	31
PID 2828 wrote to memory of 3048	2828	{BC0DBAFE-292B-4412-BCF1-2988225F1F09}.exe	31
PID 2828 wrote to memory of 3048	2828	{BC0DBAFE-292B-4412-BCF1-2988225F1F09}.exe	31
PID 2828 wrote to memory of 3048	2828	{BC0DBAFE-292B-4412-BCF1-2988225F1F09}.exe	31
PID 3052 wrote to memory of 2204	3052	{94D3B488-720A-49f5-BFD7-C86291CC42B7}.exe	32
PID 3052 wrote to memory of 2204	3052	{94D3B488-720A-49f5-BFD7-C86291CC42B7}.exe	32
PID 3052 wrote to memory of 2204	3052	{94D3B488-720A-49f5-BFD7-C86291CC42B7}.exe	32
PID 3052 wrote to memory of 2204	3052	{94D3B488-720A-49f5-BFD7-C86291CC42B7}.exe	32
PID 3052 wrote to memory of 2792	3052	{94D3B488-720A-49f5-BFD7-C86291CC42B7}.exe	33
PID 3052 wrote to memory of 2792	3052	{94D3B488-720A-49f5-BFD7-C86291CC42B7}.exe	33
PID 3052 wrote to memory of 2792	3052	{94D3B488-720A-49f5-BFD7-C86291CC42B7}.exe	33
PID 3052 wrote to memory of 2792	3052	{94D3B488-720A-49f5-BFD7-C86291CC42B7}.exe	33
PID 2204 wrote to memory of 1944	2204	{8C900563-2ED5-46be-9C71-2D360068053B}.exe	36
PID 2204 wrote to memory of 1944	2204	{8C900563-2ED5-46be-9C71-2D360068053B}.exe	36
PID 2204 wrote to memory of 1944	2204	{8C900563-2ED5-46be-9C71-2D360068053B}.exe	36
PID 2204 wrote to memory of 1944	2204	{8C900563-2ED5-46be-9C71-2D360068053B}.exe	36
PID 2204 wrote to memory of 2844	2204	{8C900563-2ED5-46be-9C71-2D360068053B}.exe	37
PID 2204 wrote to memory of 2844	2204	{8C900563-2ED5-46be-9C71-2D360068053B}.exe	37
PID 2204 wrote to memory of 2844	2204	{8C900563-2ED5-46be-9C71-2D360068053B}.exe	37
PID 2204 wrote to memory of 2844	2204	{8C900563-2ED5-46be-9C71-2D360068053B}.exe	37
PID 1944 wrote to memory of 3000	1944	{9F5F0B4B-24A1-461a-B76E-5FAC453524E4}.exe	38
PID 1944 wrote to memory of 3000	1944	{9F5F0B4B-24A1-461a-B76E-5FAC453524E4}.exe	38
PID 1944 wrote to memory of 3000	1944	{9F5F0B4B-24A1-461a-B76E-5FAC453524E4}.exe	38
PID 1944 wrote to memory of 3000	1944	{9F5F0B4B-24A1-461a-B76E-5FAC453524E4}.exe	38
PID 1944 wrote to memory of 3032	1944	{9F5F0B4B-24A1-461a-B76E-5FAC453524E4}.exe	39
PID 1944 wrote to memory of 3032	1944	{9F5F0B4B-24A1-461a-B76E-5FAC453524E4}.exe	39
PID 1944 wrote to memory of 3032	1944	{9F5F0B4B-24A1-461a-B76E-5FAC453524E4}.exe	39
PID 1944 wrote to memory of 3032	1944	{9F5F0B4B-24A1-461a-B76E-5FAC453524E4}.exe	39
PID 3000 wrote to memory of 1932	3000	{13131F16-C0B3-4b2d-9143-91C51F921785}.exe	40
PID 3000 wrote to memory of 1932	3000	{13131F16-C0B3-4b2d-9143-91C51F921785}.exe	40
PID 3000 wrote to memory of 1932	3000	{13131F16-C0B3-4b2d-9143-91C51F921785}.exe	40
PID 3000 wrote to memory of 1932	3000	{13131F16-C0B3-4b2d-9143-91C51F921785}.exe	40
PID 3000 wrote to memory of 1568	3000	{13131F16-C0B3-4b2d-9143-91C51F921785}.exe	41
PID 3000 wrote to memory of 1568	3000	{13131F16-C0B3-4b2d-9143-91C51F921785}.exe	41
PID 3000 wrote to memory of 1568	3000	{13131F16-C0B3-4b2d-9143-91C51F921785}.exe	41
PID 3000 wrote to memory of 1568	3000	{13131F16-C0B3-4b2d-9143-91C51F921785}.exe	41
PID 1932 wrote to memory of 1612	1932	{E7504354-9DEB-4aac-AF55-5CFE8503C381}.exe	42
PID 1932 wrote to memory of 1612	1932	{E7504354-9DEB-4aac-AF55-5CFE8503C381}.exe	42
PID 1932 wrote to memory of 1612	1932	{E7504354-9DEB-4aac-AF55-5CFE8503C381}.exe	42
PID 1932 wrote to memory of 1612	1932	{E7504354-9DEB-4aac-AF55-5CFE8503C381}.exe	42
PID 1932 wrote to memory of 2724	1932	{E7504354-9DEB-4aac-AF55-5CFE8503C381}.exe	43
PID 1932 wrote to memory of 2724	1932	{E7504354-9DEB-4aac-AF55-5CFE8503C381}.exe	43
PID 1932 wrote to memory of 2724	1932	{E7504354-9DEB-4aac-AF55-5CFE8503C381}.exe	43
PID 1932 wrote to memory of 2724	1932	{E7504354-9DEB-4aac-AF55-5CFE8503C381}.exe	43
PID 1612 wrote to memory of 472	1612	{549C3FFF-820F-4639-A815-B7CC61BB6A8B}.exe	44
PID 1612 wrote to memory of 472	1612	{549C3FFF-820F-4639-A815-B7CC61BB6A8B}.exe	44
PID 1612 wrote to memory of 472	1612	{549C3FFF-820F-4639-A815-B7CC61BB6A8B}.exe	44
PID 1612 wrote to memory of 472	1612	{549C3FFF-820F-4639-A815-B7CC61BB6A8B}.exe	44
PID 1612 wrote to memory of 576	1612	{549C3FFF-820F-4639-A815-B7CC61BB6A8B}.exe	45
PID 1612 wrote to memory of 576	1612	{549C3FFF-820F-4639-A815-B7CC61BB6A8B}.exe	45
PID 1612 wrote to memory of 576	1612	{549C3FFF-820F-4639-A815-B7CC61BB6A8B}.exe	45
PID 1612 wrote to memory of 576	1612	{549C3FFF-820F-4639-A815-B7CC61BB6A8B}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-02-13_fda2c50a74929567813e502b36efb32c_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-13_fda2c50a74929567813e502b36efb32c_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1684
- C:\Windows\{BC0DBAFE-292B-4412-BCF1-2988225F1F09}.exe
  C:\Windows\{BC0DBAFE-292B-4412-BCF1-2988225F1F09}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2828
- - C:\Windows\{94D3B488-720A-49f5-BFD7-C86291CC42B7}.exe
    C:\Windows\{94D3B488-720A-49f5-BFD7-C86291CC42B7}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3052
  - - C:\Windows\{8C900563-2ED5-46be-9C71-2D360068053B}.exe
      C:\Windows\{8C900563-2ED5-46be-9C71-2D360068053B}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2204
    - - C:\Windows\{9F5F0B4B-24A1-461a-B76E-5FAC453524E4}.exe
        
        C:\Windows\{9F5F0B4B-24A1-461a-B76E-5FAC453524E4}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1944
      - C:\Windows\{13131F16-C0B3-4b2d-9143-91C51F921785}.exe
        
        C:\Windows\{13131F16-C0B3-4b2d-9143-91C51F921785}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3000
        
        C:\Windows\{E7504354-9DEB-4aac-AF55-5CFE8503C381}.exe
        
        C:\Windows\{E7504354-9DEB-4aac-AF55-5CFE8503C381}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1932
        
        C:\Windows\{549C3FFF-820F-4639-A815-B7CC61BB6A8B}.exe
        
        C:\Windows\{549C3FFF-820F-4639-A815-B7CC61BB6A8B}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1612
        
        C:\Windows\{F2A0FDA2-2DBA-40c8-9862-9C4B901D99A9}.exe
        
        C:\Windows\{F2A0FDA2-2DBA-40c8-9862-9C4B901D99A9}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:472
        
        C:\Windows\{9D0CD79A-B9A3-43ad-9966-DD2E508B9FD1}.exe
        
        C:\Windows\{9D0CD79A-B9A3-43ad-9966-DD2E508B9FD1}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3008
        
        C:\Windows\{186D6FA5-B832-43a1-95F1-207CBDB7BF3A}.exe
        
        C:\Windows\{186D6FA5-B832-43a1-95F1-207CBDB7BF3A}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3012
        
        C:\Windows\{3A512C07-9714-421d-92CE-109E4110EE9B}.exe
        
        C:\Windows\{3A512C07-9714-421d-92CE-109E4110EE9B}.exe
        12⤵
        Executes dropped EXE
        
        PID:1472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{186D6~1.EXE > nul
        12⤵
        
        PID:836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9D0CD~1.EXE > nul
        11⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F2A0F~1.EXE > nul
        10⤵
        
        PID:1888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{549C3~1.EXE > nul
        9⤵
        
        PID:576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E7504~1.EXE > nul
        8⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{13131~1.EXE > nul
        7⤵
        
        PID:1568
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9F5F0~1.EXE > nul
        6⤵
        
        PID:3032
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8C900~1.EXE > nul
        5⤵
        
        PID:2844
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{94D3B~1.EXE > nul
      4⤵
      PID:2792
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{BC0DB~1.EXE > nul
    3⤵
    PID:3048
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{13131F16-C0B3-4b2d-9143-91C51F921785}.exe

Filesize
180KB

MD5
72eff03a1ef73b36ad7fe43f2ddbc0f9

SHA1
2942813ecaadaed9eee8cec7f5b908202f30db57

SHA256
cb470023ee66bbbbfeeaae62a950b8c3aac9921584506b6b6a94424283115f46

SHA512
06f2fd539be2078e0089413579926fe7d7000f08793a5a7d762ef07e8e7c3544a75e244fdb1656ca77e41e0f921f2747781fd17af2501ce1ce79128c4b5e7578

Download Submit
C:\Windows\{186D6FA5-B832-43a1-95F1-207CBDB7BF3A}.exe

Filesize
180KB

MD5
337c69320bd006e39c8bae3951e87c8f

SHA1
3318bd895665d516692ee4fcfe146b3e9b3cc985

SHA256
c3f24c79e224b92d964b957d9d36b6b7bf640c54018a54feaf9a9d5626006338

SHA512
4e37092d4195a4df8cb5b7d9b5902724cd2fd3c992c4a311f2988f62a7b39f0d0f5b8f4b2f4e5c6c934db892adb502f30fa06483b7ed0c9873029219f481271e

Download Submit
C:\Windows\{3A512C07-9714-421d-92CE-109E4110EE9B}.exe

Filesize
180KB

MD5
b4c415f0abc3e59cc0cee003a70cf36c

SHA1
054dde53e3b351e9df46eddc71fdf7ae57efe873

SHA256
7f1771939d9bce34ffa2aadca66c29e4763f9aa818676781f6e5229e83380c92

SHA512
4ae908350fbe48eaee49470f626a3de17d080f17a73cd8af4a281d0a268bfe3120c3ddbb136e1e73b25cff9690ea937c83b14758c93adfdb299130a39fafb934

Download Submit
C:\Windows\{549C3FFF-820F-4639-A815-B7CC61BB6A8B}.exe

Filesize
180KB

MD5
bd7ac9da40d967a5b4b4c9634cfb6c50

SHA1
c53e6181e72e083018f6f0df2fdd37c223709110

SHA256
5a17ca3996b9e3c0568d92e059024dff90fab9c5b627203eca1a63974eb14c7b

SHA512
75a53376ee1ee2ccb7cce1d0d29dc16c9413ed839ae6aa05e397cb7988611052b3eae800c73c1a25aa646cb61908df7a29a383d0df1827a77e6753bca701b8a6

Download Submit
C:\Windows\{8C900563-2ED5-46be-9C71-2D360068053B}.exe

Filesize
180KB

MD5
8fd17b44d07eb1081c0cd51d5f053cd6

SHA1
c4cb804fe719548638009c1ab60b6a06544a9ac2

SHA256
30923637e643fa5a30b18fa2e7d54f979c237feb9f95f47492eae78bfd81bce1

SHA512
36cc5145ea2b8bbb126880b7ef00d681d7a07c786f50a278569e7f8ac5941ce270a2aa0b967b3cf944a700cf8bc7438088b226720b2a2dd3e338d31f15f62360

Download Submit
C:\Windows\{94D3B488-720A-49f5-BFD7-C86291CC42B7}.exe

Filesize
180KB

MD5
8a4972b567ee5fa2c268ab2d4ba5a88a

SHA1
9d87ed776a961566bf2b895f666a44a7f87cfc48

SHA256
813772a6e0eeae623448c3b10dc102e680ce1d7dd3e5e2ae7fc9d4ca9d9e740c

SHA512
7675127bc7dde8bf8b749098ba33fecad084088af8e6041efde92cc2d954b6d2e2b6cd257e4d07e7a120c9172ae7f5b259e9dc33b8fde36319d8945a89b0e5b9

Download Submit
C:\Windows\{9D0CD79A-B9A3-43ad-9966-DD2E508B9FD1}.exe

Filesize
180KB

MD5
be3a84a43e9e47de37e1bfaf0883ceb5

SHA1
14fd45397941aa4bc8101fc6c573d9d9fd247083

SHA256
810d53684a4a7394010ab294d879fbe10af97e4e516f3c550b977c436377ff6e

SHA512
23cbcc710aecaf242a5a66ada5f0c1c8b65444b212f04326beae374c4c028f5f64c0de90f2aa5d8ce9d306d224a76abfe685b14c72456115aa8974bc4fdb0552

Download Submit
C:\Windows\{9F5F0B4B-24A1-461a-B76E-5FAC453524E4}.exe

Filesize
180KB

MD5
8e9eebcd16a6bed2279d9ffb0319c10b

SHA1
64ef2f756cbbf34eaf477c31d471ecbfe0349ce2

SHA256
ea7c666af6b8914f19306f620ece7218499a05e64ef2948678efea4bdc74c429

SHA512
f15a0561c686ca98ad68c19f339a5d3d840a5300fc59653aa104d868e02e13b8786d3133f4f6e8d1224a760a7748548275dc456f3e7adfce406af016255f225b

Download Submit
C:\Windows\{BC0DBAFE-292B-4412-BCF1-2988225F1F09}.exe

Filesize
180KB

MD5
c06072480494a1a8526dab1bf9c948da

SHA1
7635424fd175d9a64d23e70697604457a837f066

SHA256
0110aab83441e5a33d0a08470f50f40e915c03e0eb44fd03b4c5524c962d478d

SHA512
ab178c7c8061c6e6d71ba3dd7c166927efed43989bbf5bf96efa96d08ab63dd0b5a084c72af36ca0f302c219882231b81f1d76635a1e117404edf9aafd8ba906

Download Submit
C:\Windows\{E7504354-9DEB-4aac-AF55-5CFE8503C381}.exe

Filesize
180KB

MD5
ba1e09c8366efb3dd25c4f2dd1473a05

SHA1
a38d2970594c9cbad4583925b775f4832fa49184

SHA256
4b61c02ce2748802f21b86857870da7659830302e626d76253b5b188ae7d6704

SHA512
1e200da78e8ecabfd3d1588693824f170cb8940ef1a3d260eb6da8fa2ed40e270ce542ce775339a92e19fa0a2cee8dc6cc265275d195b3a4927d8b3bcb878c17

Download Submit
C:\Windows\{F2A0FDA2-2DBA-40c8-9862-9C4B901D99A9}.exe

Filesize
180KB

MD5
fb491407aa797b92fe0e5c60e9aa153f

SHA1
caccf0f94a1e60f915a39e4925b6c071902ba00d

SHA256
3bf8c88f4bb2f253f94e9e15a7530b37cf4f40d2c95d681e3664d38d90d33430

SHA512
6f41708ca5e292118d6e68671ccbe27d719566c81753597ddd7f961783d56ea92555e1b58f4b7be9c1d25c24f186f45c95d4df5b73b0b7e78e2f101a7649fdf2

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads