49878940f3463858d85db3d0623fad9acf32c61a002556f651ae670eb59cac5a

Analysis

max time kernel
144s
max time network
123s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
13/02/2024, 17:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-13_632e996f941eb8b629da9f7149609861_goldeneye.exe
Size

216KB
MD5

632e996f941eb8b629da9f7149609861
SHA1

83518d294c1517ac2e51d2b86c56dbc74aa247fe
SHA256

49878940f3463858d85db3d0623fad9acf32c61a002556f651ae670eb59cac5a
SHA512

28fa12b26b33ccf8f17f5571051a1039cb4c81bc096f9a98b9f4d8a5f78d5feecc182938b6fec6958918890fbd26648fa2deca09b2ccb5dc4ccf1b0358660e48
SSDEEP

3072:jEGh0o+l+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEG0lEeKcAEcGy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000c000000011fde-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b00000001345a-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000011fde-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000900000001410b-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000005a5a-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e000000011fde-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000005a5a-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f000000011fde-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000005a5a-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0010000000011fde-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000005a5a-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2B45E30C-2F19-4c62-951A-1789826DB373}	2024-02-13_632e996f941eb8b629da9f7149609861_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{571B162C-995E-4fe6-A2B8-C79AEAFB4255}	{FDB2C01D-07B4-4bb4-906E-8A8C6B248DE2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DBDEA754-BF6F-4e17-B764-BFF397FAE1F9}	{DAA90338-4B18-4805-ABAF-92E632206068}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0CBCA138-F200-4b0c-9E69-CAF5386BF72F}	{D4E8C8F2-660F-4ceb-B1C8-4CC66E814037}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9DC01EEE-087A-4562-B05C-C1B07DC33224}\stubpath = "C:\\Windows\\{9DC01EEE-087A-4562-B05C-C1B07DC33224}.exe"	{0CBCA138-F200-4b0c-9E69-CAF5386BF72F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{571B162C-995E-4fe6-A2B8-C79AEAFB4255}\stubpath = "C:\\Windows\\{571B162C-995E-4fe6-A2B8-C79AEAFB4255}.exe"	{FDB2C01D-07B4-4bb4-906E-8A8C6B248DE2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B7511879-8508-433d-B269-FFCFDE527FED}	{DBDEA754-BF6F-4e17-B764-BFF397FAE1F9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B7511879-8508-433d-B269-FFCFDE527FED}\stubpath = "C:\\Windows\\{B7511879-8508-433d-B269-FFCFDE527FED}.exe"	{DBDEA754-BF6F-4e17-B764-BFF397FAE1F9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D4E8C8F2-660F-4ceb-B1C8-4CC66E814037}	{FB5851AA-3FBE-4910-A526-414F853F0AD2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D4E8C8F2-660F-4ceb-B1C8-4CC66E814037}\stubpath = "C:\\Windows\\{D4E8C8F2-660F-4ceb-B1C8-4CC66E814037}.exe"	{FB5851AA-3FBE-4910-A526-414F853F0AD2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0CBCA138-F200-4b0c-9E69-CAF5386BF72F}\stubpath = "C:\\Windows\\{0CBCA138-F200-4b0c-9E69-CAF5386BF72F}.exe"	{D4E8C8F2-660F-4ceb-B1C8-4CC66E814037}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FDB2C01D-07B4-4bb4-906E-8A8C6B248DE2}	{9DC01EEE-087A-4562-B05C-C1B07DC33224}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3E88D08F-FDB3-43c0-9F7E-884AEFF746B4}	{571B162C-995E-4fe6-A2B8-C79AEAFB4255}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DAA90338-4B18-4805-ABAF-92E632206068}	{3E88D08F-FDB3-43c0-9F7E-884AEFF746B4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DAA90338-4B18-4805-ABAF-92E632206068}\stubpath = "C:\\Windows\\{DAA90338-4B18-4805-ABAF-92E632206068}.exe"	{3E88D08F-FDB3-43c0-9F7E-884AEFF746B4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2B45E30C-2F19-4c62-951A-1789826DB373}\stubpath = "C:\\Windows\\{2B45E30C-2F19-4c62-951A-1789826DB373}.exe"	2024-02-13_632e996f941eb8b629da9f7149609861_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FB5851AA-3FBE-4910-A526-414F853F0AD2}	{2B45E30C-2F19-4c62-951A-1789826DB373}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FB5851AA-3FBE-4910-A526-414F853F0AD2}\stubpath = "C:\\Windows\\{FB5851AA-3FBE-4910-A526-414F853F0AD2}.exe"	{2B45E30C-2F19-4c62-951A-1789826DB373}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9DC01EEE-087A-4562-B05C-C1B07DC33224}	{0CBCA138-F200-4b0c-9E69-CAF5386BF72F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FDB2C01D-07B4-4bb4-906E-8A8C6B248DE2}\stubpath = "C:\\Windows\\{FDB2C01D-07B4-4bb4-906E-8A8C6B248DE2}.exe"	{9DC01EEE-087A-4562-B05C-C1B07DC33224}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3E88D08F-FDB3-43c0-9F7E-884AEFF746B4}\stubpath = "C:\\Windows\\{3E88D08F-FDB3-43c0-9F7E-884AEFF746B4}.exe"	{571B162C-995E-4fe6-A2B8-C79AEAFB4255}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DBDEA754-BF6F-4e17-B764-BFF397FAE1F9}\stubpath = "C:\\Windows\\{DBDEA754-BF6F-4e17-B764-BFF397FAE1F9}.exe"	{DAA90338-4B18-4805-ABAF-92E632206068}.exe

Deletes itself 1 IoCs

pid	Process
2404	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
1528	{2B45E30C-2F19-4c62-951A-1789826DB373}.exe
2672	{FB5851AA-3FBE-4910-A526-414F853F0AD2}.exe
3008	{D4E8C8F2-660F-4ceb-B1C8-4CC66E814037}.exe
2512	{0CBCA138-F200-4b0c-9E69-CAF5386BF72F}.exe
1484	{9DC01EEE-087A-4562-B05C-C1B07DC33224}.exe
1296	{FDB2C01D-07B4-4bb4-906E-8A8C6B248DE2}.exe
2712	{571B162C-995E-4fe6-A2B8-C79AEAFB4255}.exe
2932	{3E88D08F-FDB3-43c0-9F7E-884AEFF746B4}.exe
2180	{DAA90338-4B18-4805-ABAF-92E632206068}.exe
2808	{DBDEA754-BF6F-4e17-B764-BFF397FAE1F9}.exe
1468	{B7511879-8508-433d-B269-FFCFDE527FED}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{FB5851AA-3FBE-4910-A526-414F853F0AD2}.exe	{2B45E30C-2F19-4c62-951A-1789826DB373}.exe
File created	C:\Windows\{D4E8C8F2-660F-4ceb-B1C8-4CC66E814037}.exe	{FB5851AA-3FBE-4910-A526-414F853F0AD2}.exe
File created	C:\Windows\{0CBCA138-F200-4b0c-9E69-CAF5386BF72F}.exe	{D4E8C8F2-660F-4ceb-B1C8-4CC66E814037}.exe
File created	C:\Windows\{9DC01EEE-087A-4562-B05C-C1B07DC33224}.exe	{0CBCA138-F200-4b0c-9E69-CAF5386BF72F}.exe
File created	C:\Windows\{571B162C-995E-4fe6-A2B8-C79AEAFB4255}.exe	{FDB2C01D-07B4-4bb4-906E-8A8C6B248DE2}.exe
File created	C:\Windows\{3E88D08F-FDB3-43c0-9F7E-884AEFF746B4}.exe	{571B162C-995E-4fe6-A2B8-C79AEAFB4255}.exe
File created	C:\Windows\{DBDEA754-BF6F-4e17-B764-BFF397FAE1F9}.exe	{DAA90338-4B18-4805-ABAF-92E632206068}.exe
File created	C:\Windows\{B7511879-8508-433d-B269-FFCFDE527FED}.exe	{DBDEA754-BF6F-4e17-B764-BFF397FAE1F9}.exe
File created	C:\Windows\{2B45E30C-2F19-4c62-951A-1789826DB373}.exe	2024-02-13_632e996f941eb8b629da9f7149609861_goldeneye.exe
File created	C:\Windows\{FDB2C01D-07B4-4bb4-906E-8A8C6B248DE2}.exe	{9DC01EEE-087A-4562-B05C-C1B07DC33224}.exe
File created	C:\Windows\{DAA90338-4B18-4805-ABAF-92E632206068}.exe	{3E88D08F-FDB3-43c0-9F7E-884AEFF746B4}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2124	2024-02-13_632e996f941eb8b629da9f7149609861_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1528	{2B45E30C-2F19-4c62-951A-1789826DB373}.exe
Token: SeIncBasePriorityPrivilege	2672	{FB5851AA-3FBE-4910-A526-414F853F0AD2}.exe
Token: SeIncBasePriorityPrivilege	3008	{D4E8C8F2-660F-4ceb-B1C8-4CC66E814037}.exe
Token: SeIncBasePriorityPrivilege	2512	{0CBCA138-F200-4b0c-9E69-CAF5386BF72F}.exe
Token: SeIncBasePriorityPrivilege	1484	{9DC01EEE-087A-4562-B05C-C1B07DC33224}.exe
Token: SeIncBasePriorityPrivilege	1296	{FDB2C01D-07B4-4bb4-906E-8A8C6B248DE2}.exe
Token: SeIncBasePriorityPrivilege	2712	{571B162C-995E-4fe6-A2B8-C79AEAFB4255}.exe
Token: SeIncBasePriorityPrivilege	2932	{3E88D08F-FDB3-43c0-9F7E-884AEFF746B4}.exe
Token: SeIncBasePriorityPrivilege	2180	{DAA90338-4B18-4805-ABAF-92E632206068}.exe
Token: SeIncBasePriorityPrivilege	2808	{DBDEA754-BF6F-4e17-B764-BFF397FAE1F9}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2124 wrote to memory of 1528	2124	2024-02-13_632e996f941eb8b629da9f7149609861_goldeneye.exe	28
PID 2124 wrote to memory of 1528	2124	2024-02-13_632e996f941eb8b629da9f7149609861_goldeneye.exe	28
PID 2124 wrote to memory of 1528	2124	2024-02-13_632e996f941eb8b629da9f7149609861_goldeneye.exe	28
PID 2124 wrote to memory of 1528	2124	2024-02-13_632e996f941eb8b629da9f7149609861_goldeneye.exe	28
PID 2124 wrote to memory of 2404	2124	2024-02-13_632e996f941eb8b629da9f7149609861_goldeneye.exe	29
PID 2124 wrote to memory of 2404	2124	2024-02-13_632e996f941eb8b629da9f7149609861_goldeneye.exe	29
PID 2124 wrote to memory of 2404	2124	2024-02-13_632e996f941eb8b629da9f7149609861_goldeneye.exe	29
PID 2124 wrote to memory of 2404	2124	2024-02-13_632e996f941eb8b629da9f7149609861_goldeneye.exe	29
PID 1528 wrote to memory of 2672	1528	{2B45E30C-2F19-4c62-951A-1789826DB373}.exe	30
PID 1528 wrote to memory of 2672	1528	{2B45E30C-2F19-4c62-951A-1789826DB373}.exe	30
PID 1528 wrote to memory of 2672	1528	{2B45E30C-2F19-4c62-951A-1789826DB373}.exe	30
PID 1528 wrote to memory of 2672	1528	{2B45E30C-2F19-4c62-951A-1789826DB373}.exe	30
PID 1528 wrote to memory of 2720	1528	{2B45E30C-2F19-4c62-951A-1789826DB373}.exe	31
PID 1528 wrote to memory of 2720	1528	{2B45E30C-2F19-4c62-951A-1789826DB373}.exe	31
PID 1528 wrote to memory of 2720	1528	{2B45E30C-2F19-4c62-951A-1789826DB373}.exe	31
PID 1528 wrote to memory of 2720	1528	{2B45E30C-2F19-4c62-951A-1789826DB373}.exe	31
PID 2672 wrote to memory of 3008	2672	{FB5851AA-3FBE-4910-A526-414F853F0AD2}.exe	32
PID 2672 wrote to memory of 3008	2672	{FB5851AA-3FBE-4910-A526-414F853F0AD2}.exe	32
PID 2672 wrote to memory of 3008	2672	{FB5851AA-3FBE-4910-A526-414F853F0AD2}.exe	32
PID 2672 wrote to memory of 3008	2672	{FB5851AA-3FBE-4910-A526-414F853F0AD2}.exe	32
PID 2672 wrote to memory of 1696	2672	{FB5851AA-3FBE-4910-A526-414F853F0AD2}.exe	33
PID 2672 wrote to memory of 1696	2672	{FB5851AA-3FBE-4910-A526-414F853F0AD2}.exe	33
PID 2672 wrote to memory of 1696	2672	{FB5851AA-3FBE-4910-A526-414F853F0AD2}.exe	33
PID 2672 wrote to memory of 1696	2672	{FB5851AA-3FBE-4910-A526-414F853F0AD2}.exe	33
PID 3008 wrote to memory of 2512	3008	{D4E8C8F2-660F-4ceb-B1C8-4CC66E814037}.exe	37
PID 3008 wrote to memory of 2512	3008	{D4E8C8F2-660F-4ceb-B1C8-4CC66E814037}.exe	37
PID 3008 wrote to memory of 2512	3008	{D4E8C8F2-660F-4ceb-B1C8-4CC66E814037}.exe	37
PID 3008 wrote to memory of 2512	3008	{D4E8C8F2-660F-4ceb-B1C8-4CC66E814037}.exe	37
PID 3008 wrote to memory of 3040	3008	{D4E8C8F2-660F-4ceb-B1C8-4CC66E814037}.exe	36
PID 3008 wrote to memory of 3040	3008	{D4E8C8F2-660F-4ceb-B1C8-4CC66E814037}.exe	36
PID 3008 wrote to memory of 3040	3008	{D4E8C8F2-660F-4ceb-B1C8-4CC66E814037}.exe	36
PID 3008 wrote to memory of 3040	3008	{D4E8C8F2-660F-4ceb-B1C8-4CC66E814037}.exe	36
PID 2512 wrote to memory of 1484	2512	{0CBCA138-F200-4b0c-9E69-CAF5386BF72F}.exe	38
PID 2512 wrote to memory of 1484	2512	{0CBCA138-F200-4b0c-9E69-CAF5386BF72F}.exe	38
PID 2512 wrote to memory of 1484	2512	{0CBCA138-F200-4b0c-9E69-CAF5386BF72F}.exe	38
PID 2512 wrote to memory of 1484	2512	{0CBCA138-F200-4b0c-9E69-CAF5386BF72F}.exe	38
PID 2512 wrote to memory of 1892	2512	{0CBCA138-F200-4b0c-9E69-CAF5386BF72F}.exe	39
PID 2512 wrote to memory of 1892	2512	{0CBCA138-F200-4b0c-9E69-CAF5386BF72F}.exe	39
PID 2512 wrote to memory of 1892	2512	{0CBCA138-F200-4b0c-9E69-CAF5386BF72F}.exe	39
PID 2512 wrote to memory of 1892	2512	{0CBCA138-F200-4b0c-9E69-CAF5386BF72F}.exe	39
PID 1484 wrote to memory of 1296	1484	{9DC01EEE-087A-4562-B05C-C1B07DC33224}.exe	40
PID 1484 wrote to memory of 1296	1484	{9DC01EEE-087A-4562-B05C-C1B07DC33224}.exe	40
PID 1484 wrote to memory of 1296	1484	{9DC01EEE-087A-4562-B05C-C1B07DC33224}.exe	40
PID 1484 wrote to memory of 1296	1484	{9DC01EEE-087A-4562-B05C-C1B07DC33224}.exe	40
PID 1484 wrote to memory of 2748	1484	{9DC01EEE-087A-4562-B05C-C1B07DC33224}.exe	41
PID 1484 wrote to memory of 2748	1484	{9DC01EEE-087A-4562-B05C-C1B07DC33224}.exe	41
PID 1484 wrote to memory of 2748	1484	{9DC01EEE-087A-4562-B05C-C1B07DC33224}.exe	41
PID 1484 wrote to memory of 2748	1484	{9DC01EEE-087A-4562-B05C-C1B07DC33224}.exe	41
PID 1296 wrote to memory of 2712	1296	{FDB2C01D-07B4-4bb4-906E-8A8C6B248DE2}.exe	43
PID 1296 wrote to memory of 2712	1296	{FDB2C01D-07B4-4bb4-906E-8A8C6B248DE2}.exe	43
PID 1296 wrote to memory of 2712	1296	{FDB2C01D-07B4-4bb4-906E-8A8C6B248DE2}.exe	43
PID 1296 wrote to memory of 2712	1296	{FDB2C01D-07B4-4bb4-906E-8A8C6B248DE2}.exe	43
PID 1296 wrote to memory of 2796	1296	{FDB2C01D-07B4-4bb4-906E-8A8C6B248DE2}.exe	42
PID 1296 wrote to memory of 2796	1296	{FDB2C01D-07B4-4bb4-906E-8A8C6B248DE2}.exe	42
PID 1296 wrote to memory of 2796	1296	{FDB2C01D-07B4-4bb4-906E-8A8C6B248DE2}.exe	42
PID 1296 wrote to memory of 2796	1296	{FDB2C01D-07B4-4bb4-906E-8A8C6B248DE2}.exe	42
PID 2712 wrote to memory of 2932	2712	{571B162C-995E-4fe6-A2B8-C79AEAFB4255}.exe	45
PID 2712 wrote to memory of 2932	2712	{571B162C-995E-4fe6-A2B8-C79AEAFB4255}.exe	45
PID 2712 wrote to memory of 2932	2712	{571B162C-995E-4fe6-A2B8-C79AEAFB4255}.exe	45
PID 2712 wrote to memory of 2932	2712	{571B162C-995E-4fe6-A2B8-C79AEAFB4255}.exe	45
PID 2712 wrote to memory of 1592	2712	{571B162C-995E-4fe6-A2B8-C79AEAFB4255}.exe	44
PID 2712 wrote to memory of 1592	2712	{571B162C-995E-4fe6-A2B8-C79AEAFB4255}.exe	44
PID 2712 wrote to memory of 1592	2712	{571B162C-995E-4fe6-A2B8-C79AEAFB4255}.exe	44
PID 2712 wrote to memory of 1592	2712	{571B162C-995E-4fe6-A2B8-C79AEAFB4255}.exe	44

C:\Users\Admin\AppData\Local\Temp\2024-02-13_632e996f941eb8b629da9f7149609861_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-13_632e996f941eb8b629da9f7149609861_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2124
- C:\Windows\{2B45E30C-2F19-4c62-951A-1789826DB373}.exe
  C:\Windows\{2B45E30C-2F19-4c62-951A-1789826DB373}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1528
- - C:\Windows\{FB5851AA-3FBE-4910-A526-414F853F0AD2}.exe
    C:\Windows\{FB5851AA-3FBE-4910-A526-414F853F0AD2}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2672
  - - C:\Windows\{D4E8C8F2-660F-4ceb-B1C8-4CC66E814037}.exe
      C:\Windows\{D4E8C8F2-660F-4ceb-B1C8-4CC66E814037}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3008
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D4E8C~1.EXE > nul
        5⤵
        
        PID:3040
    - - C:\Windows\{0CBCA138-F200-4b0c-9E69-CAF5386BF72F}.exe
        
        C:\Windows\{0CBCA138-F200-4b0c-9E69-CAF5386BF72F}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2512
      - C:\Windows\{9DC01EEE-087A-4562-B05C-C1B07DC33224}.exe
        
        C:\Windows\{9DC01EEE-087A-4562-B05C-C1B07DC33224}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1484
        
        C:\Windows\{FDB2C01D-07B4-4bb4-906E-8A8C6B248DE2}.exe
        
        C:\Windows\{FDB2C01D-07B4-4bb4-906E-8A8C6B248DE2}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FDB2C~1.EXE > nul
        8⤵
        
        PID:2796
        
        C:\Windows\{571B162C-995E-4fe6-A2B8-C79AEAFB4255}.exe
        
        C:\Windows\{571B162C-995E-4fe6-A2B8-C79AEAFB4255}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{571B1~1.EXE > nul
        9⤵
        
        PID:1592
        
        C:\Windows\{3E88D08F-FDB3-43c0-9F7E-884AEFF746B4}.exe
        
        C:\Windows\{3E88D08F-FDB3-43c0-9F7E-884AEFF746B4}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3E88D~1.EXE > nul
        10⤵
        
        PID:2068
        
        C:\Windows\{DAA90338-4B18-4805-ABAF-92E632206068}.exe
        
        C:\Windows\{DAA90338-4B18-4805-ABAF-92E632206068}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DAA90~1.EXE > nul
        11⤵
        
        PID:680
        
        C:\Windows\{DBDEA754-BF6F-4e17-B764-BFF397FAE1F9}.exe
        
        C:\Windows\{DBDEA754-BF6F-4e17-B764-BFF397FAE1F9}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DBDEA~1.EXE > nul
        12⤵
        
        PID:836
        
        C:\Windows\{B7511879-8508-433d-B269-FFCFDE527FED}.exe
        
        C:\Windows\{B7511879-8508-433d-B269-FFCFDE527FED}.exe
        12⤵
        Executes dropped EXE
        
        PID:1468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9DC01~1.EXE > nul
        7⤵
        
        PID:2748
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0CBCA~1.EXE > nul
        6⤵
        
        PID:1892
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{FB585~1.EXE > nul
      4⤵
      PID:1696
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{2B45E~1.EXE > nul
    3⤵
    PID:2720
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0CBCA138-F200-4b0c-9E69-CAF5386BF72F}.exe

Filesize
216KB

MD5
fbd862adf56055061543a1cb7b9fe4d4

SHA1
13a2a6369f6ee9635676bf6083e213eee9e00633

SHA256
5ba1d765e89552aabf35f26c488c740fe7f76555af38e492e1a4af9592e49236

SHA512
922e311e1424ba425fb9d6130817db455223b298cdea372def22b1ab6edd14096a77d20c70fc196ef1caa7db1cfca4c7f04e6c5c05e7a6836c81e12b2d37939d

Download Submit
C:\Windows\{2B45E30C-2F19-4c62-951A-1789826DB373}.exe

Filesize
216KB

MD5
6602bea7743fed3c62baa81af8ad6614

SHA1
66dc606babbb6bc914ab512f25698ee0be98644d

SHA256
7e702c50faff2eacdf51570375da1ede965fece9a4be73d499d2265ef559510b

SHA512
d4247261524ad63d83a5133c21ca30db8bfdc9590a703665ea49edf9aeca5dc480df8e645d278d2067230fcc0155fce85cd01553227b0e9a41eca2b887b5c624

Download Submit
C:\Windows\{3E88D08F-FDB3-43c0-9F7E-884AEFF746B4}.exe

Filesize
216KB

MD5
cc400636a35d73f769f53f75ee6d1d22

SHA1
608a57b136bdaec685528c9af9294e2191e19d6c

SHA256
fe49a4a6dfd336f72ac73d5faaf65f3ccedfc5d142db2db51f56f63212066a89

SHA512
31144cc244c7defae85550b69f5385f25387de942905c080e19d8cb0d64da89639778ab9081d6338c7e6d8100b9faf6af0a3c7490407ffc16ec9ff7bd34d31b5

Download Submit
C:\Windows\{571B162C-995E-4fe6-A2B8-C79AEAFB4255}.exe

Filesize
216KB

MD5
e43884634c383925032a850f5596e622

SHA1
892e9c3e872b70dd66985af20f4454395134b1a7

SHA256
e8e03e9aa63d31c522386a725eddd3511dd7755a2c152e72f2dedf00c8420ceb

SHA512
485f3eb35bc9f662df9c10ff35c8b071172c37cde71d3b302e2ce8bd661fdd96275ca41aba154ac7c00314e97a9fbccdf78fc065a8b4015eb83aec2b48042c92

Download Submit
C:\Windows\{9DC01EEE-087A-4562-B05C-C1B07DC33224}.exe

Filesize
216KB

MD5
5d951bd64c2f348e684b14d89cda5cf6

SHA1
4c0b74a266c9f58b53e502ca7d4d3a2c0e5083de

SHA256
ed81feb566dcb6f47f1803c875e6c2305040882cfcc16a455b6f109668e82ff1

SHA512
635719b7acd16a9b0ea2cf76f4f739df3aea09b117575321387403b91db4feb85b16e78b66010f5278595eaa35ff29ba1ad5d2acd15fba4384e6ac6358133aca

Download Submit
C:\Windows\{B7511879-8508-433d-B269-FFCFDE527FED}.exe

Filesize
216KB

MD5
0b6951671425b9044540088506c12725

SHA1
18ee25d49292af06f769eaf02ac46650677aecfe

SHA256
6f057a10b20dce2678563f2ab870ec291993f39af12b32995c4a1996c014489e

SHA512
b2103788a0dd76cb84d4f42a43c5cc9265eb07b63ec312b5ec9575fc57fd98e735a0e6e312ab1300b54e36109cb998be8562dcc4dfc5ae6e34539bf0279fd93d

Download Submit
C:\Windows\{D4E8C8F2-660F-4ceb-B1C8-4CC66E814037}.exe

Filesize
216KB

MD5
46a8f4a9b947c34251b81c7e7bb74293

SHA1
fbd61444769c4da60753a3be4cc875d60279e3f1

SHA256
bb74416db0630e2ab2e7d3504ed20d159e1c85e8344ee62fe99d4c71b6bbb93e

SHA512
be761c828c06ee279830e35b1e93889f6cf7126f7616a799ec88eeaba1ff2fb4a58cb3620ddedd5a36d607932459d5ed761f1113f9fd11dd7d484706c167a395

Download Submit
C:\Windows\{DAA90338-4B18-4805-ABAF-92E632206068}.exe

Filesize
216KB

MD5
339e31cce2e8321668d92a434846bce6

SHA1
e1b133cb9453b60087878c320d0fd5945f18e1ae

SHA256
b189e563f190b878cc863ae1dab3b0578402109bb1fe0a084638bb9c16471e54

SHA512
01d5d8588a7f34bcf95221269589a6ab0ce756c92aedf0dd44101a0a828a0f2dd21f08e3a856d189f6084b7567d3ef8e027d5173df7e1e3076c60f6592e7b657

Download Submit
C:\Windows\{DBDEA754-BF6F-4e17-B764-BFF397FAE1F9}.exe

Filesize
216KB

MD5
e3b264275c96bd5be4cbe5acfa2cc71b

SHA1
8f4cbb56abd796493a0a6ec59291078fab68a33f

SHA256
a82ecfc39e3b13875f527a157e4454db93ce08f78c4494ff99ed808dd98da8de

SHA512
b6850fe32f951a9c5d7ad049a3065e776e9866ee644311cb7dc0521e962956f2d370a3d7fc5c00f4a5661d49d3eca04751d10c3adc2c32f1dbb60232f79c95bc

Download Submit
C:\Windows\{FB5851AA-3FBE-4910-A526-414F853F0AD2}.exe

Filesize
216KB

MD5
dc89b4a689f47572802409d30c4bd45a

SHA1
acdd7a306cb6976a14129d8f182cdff55ff0e09c

SHA256
c9f4b30dbf448c57bc21f36ee204f899781fc23b5d184db23c78b2cc1e26bb63

SHA512
38b6d19794244e814aa752f0f4b9b4d4587949e69d76d885502773a4776c8c4b3699a197b43745de8f878d729636341b595c1da3a75db55cc73861ae3fcb682d

Download Submit
C:\Windows\{FDB2C01D-07B4-4bb4-906E-8A8C6B248DE2}.exe

Filesize
216KB

MD5
6b7cb88502113e49dc7c6b030f067636

SHA1
bcea1d7cfd8dbe496fff39e1bf1e0981f7cc8a5a

SHA256
4ea53971e346b2c141258424842ce013ab8d647c7bbd37c2fdd0f0a9a96ce96a

SHA512
1b1ed08d5ac12bf50a61b422d02f31624919d126789ea73894aa3d96ae37ba5fb6b2b81e73458b0c48d2eef66642dab8855c2a8c34260f934b683955deaa6e72

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads