5bb596a5f4d1159e3316a3539a7f268e5c9655c57884e2c33db1806e3e65b582

Analysis

max time kernel
144s
max time network
125s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
22-02-2024 21:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-22_6ab95c887955283a17b855e67e1218c7_goldeneye.exe
Size

216KB
MD5

6ab95c887955283a17b855e67e1218c7
SHA1

c21ca9f7258383e2586cd4eecbc51bef65d76ad4
SHA256

5bb596a5f4d1159e3316a3539a7f268e5c9655c57884e2c33db1806e3e65b582
SHA512

2509e5328ca7f8e2062a17e3adbaad200a4d8eb260f6ccfe936467b10a5a3dfab7b8cfd462fb39fd6664ba4e4b7a48c5f120871b02d8b9a7eaff362333649e0c
SSDEEP

3072:jEGh0oWl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEGslEeKcAEcGy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000d00000001224c-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00170000000155d9-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f00000000f680-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e00000001224c-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001000000000f680-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f00000001224c-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001100000000f680-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001000000001224c-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001200000000f680-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001100000001224c-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001300000000f680-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{80DEB875-B7A6-484e-8362-5D0B6C1ADA5C}\stubpath = "C:\\Windows\\{80DEB875-B7A6-484e-8362-5D0B6C1ADA5C}.exe"	{DA6EA332-A982-4cde-875F-8E91D64175E0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FF38F4D0-E7A3-49a2-8E8A-4D8CE04BFAA8}	{80DEB875-B7A6-484e-8362-5D0B6C1ADA5C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DCAAE22D-5551-4ba4-B465-3F122C8DBB5F}	{D1BC91E8-7F75-4660-AB4C-B36A12E38C32}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D2B17278-BE72-4591-A501-EDA7DE120938}	{DCAAE22D-5551-4ba4-B465-3F122C8DBB5F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{49C173D8-6882-47ba-85A9-2284B7E09FA9}\stubpath = "C:\\Windows\\{49C173D8-6882-47ba-85A9-2284B7E09FA9}.exe"	{65499359-4809-47f3-9324-06EB4F0D16C3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{80DEB875-B7A6-484e-8362-5D0B6C1ADA5C}	{DA6EA332-A982-4cde-875F-8E91D64175E0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D1BC91E8-7F75-4660-AB4C-B36A12E38C32}	{FF38F4D0-E7A3-49a2-8E8A-4D8CE04BFAA8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D2B17278-BE72-4591-A501-EDA7DE120938}\stubpath = "C:\\Windows\\{D2B17278-BE72-4591-A501-EDA7DE120938}.exe"	{DCAAE22D-5551-4ba4-B465-3F122C8DBB5F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{65499359-4809-47f3-9324-06EB4F0D16C3}	{D2B17278-BE72-4591-A501-EDA7DE120938}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{65499359-4809-47f3-9324-06EB4F0D16C3}\stubpath = "C:\\Windows\\{65499359-4809-47f3-9324-06EB4F0D16C3}.exe"	{D2B17278-BE72-4591-A501-EDA7DE120938}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{608B56A2-448E-45bc-84EF-B9DF30AD7225}	2024-02-22_6ab95c887955283a17b855e67e1218c7_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DA6EA332-A982-4cde-875F-8E91D64175E0}	{608B56A2-448E-45bc-84EF-B9DF30AD7225}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DA6EA332-A982-4cde-875F-8E91D64175E0}\stubpath = "C:\\Windows\\{DA6EA332-A982-4cde-875F-8E91D64175E0}.exe"	{608B56A2-448E-45bc-84EF-B9DF30AD7225}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{42DC13B7-EF0F-48c1-90CD-F76AA2D30352}	{49C173D8-6882-47ba-85A9-2284B7E09FA9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{42DC13B7-EF0F-48c1-90CD-F76AA2D30352}\stubpath = "C:\\Windows\\{42DC13B7-EF0F-48c1-90CD-F76AA2D30352}.exe"	{49C173D8-6882-47ba-85A9-2284B7E09FA9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DCAAE22D-5551-4ba4-B465-3F122C8DBB5F}\stubpath = "C:\\Windows\\{DCAAE22D-5551-4ba4-B465-3F122C8DBB5F}.exe"	{D1BC91E8-7F75-4660-AB4C-B36A12E38C32}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{49C173D8-6882-47ba-85A9-2284B7E09FA9}	{65499359-4809-47f3-9324-06EB4F0D16C3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3FA284CD-F618-4c4e-B015-A8B4C2030971}	{42DC13B7-EF0F-48c1-90CD-F76AA2D30352}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3FA284CD-F618-4c4e-B015-A8B4C2030971}\stubpath = "C:\\Windows\\{3FA284CD-F618-4c4e-B015-A8B4C2030971}.exe"	{42DC13B7-EF0F-48c1-90CD-F76AA2D30352}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{608B56A2-448E-45bc-84EF-B9DF30AD7225}\stubpath = "C:\\Windows\\{608B56A2-448E-45bc-84EF-B9DF30AD7225}.exe"	2024-02-22_6ab95c887955283a17b855e67e1218c7_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FF38F4D0-E7A3-49a2-8E8A-4D8CE04BFAA8}\stubpath = "C:\\Windows\\{FF38F4D0-E7A3-49a2-8E8A-4D8CE04BFAA8}.exe"	{80DEB875-B7A6-484e-8362-5D0B6C1ADA5C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D1BC91E8-7F75-4660-AB4C-B36A12E38C32}\stubpath = "C:\\Windows\\{D1BC91E8-7F75-4660-AB4C-B36A12E38C32}.exe"	{FF38F4D0-E7A3-49a2-8E8A-4D8CE04BFAA8}.exe

Deletes itself 1 IoCs

pid	Process
3052	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2852	{608B56A2-448E-45bc-84EF-B9DF30AD7225}.exe
2492	{DA6EA332-A982-4cde-875F-8E91D64175E0}.exe
2400	{80DEB875-B7A6-484e-8362-5D0B6C1ADA5C}.exe
2436	{FF38F4D0-E7A3-49a2-8E8A-4D8CE04BFAA8}.exe
2152	{D1BC91E8-7F75-4660-AB4C-B36A12E38C32}.exe
2652	{DCAAE22D-5551-4ba4-B465-3F122C8DBB5F}.exe
2100	{D2B17278-BE72-4591-A501-EDA7DE120938}.exe
2016	{65499359-4809-47f3-9324-06EB4F0D16C3}.exe
2884	{49C173D8-6882-47ba-85A9-2284B7E09FA9}.exe
1780	{42DC13B7-EF0F-48c1-90CD-F76AA2D30352}.exe
1484	{3FA284CD-F618-4c4e-B015-A8B4C2030971}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{FF38F4D0-E7A3-49a2-8E8A-4D8CE04BFAA8}.exe	{80DEB875-B7A6-484e-8362-5D0B6C1ADA5C}.exe
File created	C:\Windows\{DCAAE22D-5551-4ba4-B465-3F122C8DBB5F}.exe	{D1BC91E8-7F75-4660-AB4C-B36A12E38C32}.exe
File created	C:\Windows\{65499359-4809-47f3-9324-06EB4F0D16C3}.exe	{D2B17278-BE72-4591-A501-EDA7DE120938}.exe
File created	C:\Windows\{42DC13B7-EF0F-48c1-90CD-F76AA2D30352}.exe	{49C173D8-6882-47ba-85A9-2284B7E09FA9}.exe
File created	C:\Windows\{DA6EA332-A982-4cde-875F-8E91D64175E0}.exe	{608B56A2-448E-45bc-84EF-B9DF30AD7225}.exe
File created	C:\Windows\{80DEB875-B7A6-484e-8362-5D0B6C1ADA5C}.exe	{DA6EA332-A982-4cde-875F-8E91D64175E0}.exe
File created	C:\Windows\{D2B17278-BE72-4591-A501-EDA7DE120938}.exe	{DCAAE22D-5551-4ba4-B465-3F122C8DBB5F}.exe
File created	C:\Windows\{49C173D8-6882-47ba-85A9-2284B7E09FA9}.exe	{65499359-4809-47f3-9324-06EB4F0D16C3}.exe
File created	C:\Windows\{3FA284CD-F618-4c4e-B015-A8B4C2030971}.exe	{42DC13B7-EF0F-48c1-90CD-F76AA2D30352}.exe
File created	C:\Windows\{608B56A2-448E-45bc-84EF-B9DF30AD7225}.exe	2024-02-22_6ab95c887955283a17b855e67e1218c7_goldeneye.exe
File created	C:\Windows\{D1BC91E8-7F75-4660-AB4C-B36A12E38C32}.exe	{FF38F4D0-E7A3-49a2-8E8A-4D8CE04BFAA8}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2756	2024-02-22_6ab95c887955283a17b855e67e1218c7_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2852	{608B56A2-448E-45bc-84EF-B9DF30AD7225}.exe
Token: SeIncBasePriorityPrivilege	2492	{DA6EA332-A982-4cde-875F-8E91D64175E0}.exe
Token: SeIncBasePriorityPrivilege	2400	{80DEB875-B7A6-484e-8362-5D0B6C1ADA5C}.exe
Token: SeIncBasePriorityPrivilege	2436	{FF38F4D0-E7A3-49a2-8E8A-4D8CE04BFAA8}.exe
Token: SeIncBasePriorityPrivilege	2152	{D1BC91E8-7F75-4660-AB4C-B36A12E38C32}.exe
Token: SeIncBasePriorityPrivilege	2652	{DCAAE22D-5551-4ba4-B465-3F122C8DBB5F}.exe
Token: SeIncBasePriorityPrivilege	2100	{D2B17278-BE72-4591-A501-EDA7DE120938}.exe
Token: SeIncBasePriorityPrivilege	2016	{65499359-4809-47f3-9324-06EB4F0D16C3}.exe
Token: SeIncBasePriorityPrivilege	2884	{49C173D8-6882-47ba-85A9-2284B7E09FA9}.exe
Token: SeIncBasePriorityPrivilege	1780	{42DC13B7-EF0F-48c1-90CD-F76AA2D30352}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2756 wrote to memory of 2852	2756	2024-02-22_6ab95c887955283a17b855e67e1218c7_goldeneye.exe	28
PID 2756 wrote to memory of 2852	2756	2024-02-22_6ab95c887955283a17b855e67e1218c7_goldeneye.exe	28
PID 2756 wrote to memory of 2852	2756	2024-02-22_6ab95c887955283a17b855e67e1218c7_goldeneye.exe	28
PID 2756 wrote to memory of 2852	2756	2024-02-22_6ab95c887955283a17b855e67e1218c7_goldeneye.exe	28
PID 2756 wrote to memory of 3052	2756	2024-02-22_6ab95c887955283a17b855e67e1218c7_goldeneye.exe	29
PID 2756 wrote to memory of 3052	2756	2024-02-22_6ab95c887955283a17b855e67e1218c7_goldeneye.exe	29
PID 2756 wrote to memory of 3052	2756	2024-02-22_6ab95c887955283a17b855e67e1218c7_goldeneye.exe	29
PID 2756 wrote to memory of 3052	2756	2024-02-22_6ab95c887955283a17b855e67e1218c7_goldeneye.exe	29
PID 2852 wrote to memory of 2492	2852	{608B56A2-448E-45bc-84EF-B9DF30AD7225}.exe	32
PID 2852 wrote to memory of 2492	2852	{608B56A2-448E-45bc-84EF-B9DF30AD7225}.exe	32
PID 2852 wrote to memory of 2492	2852	{608B56A2-448E-45bc-84EF-B9DF30AD7225}.exe	32
PID 2852 wrote to memory of 2492	2852	{608B56A2-448E-45bc-84EF-B9DF30AD7225}.exe	32
PID 2852 wrote to memory of 2640	2852	{608B56A2-448E-45bc-84EF-B9DF30AD7225}.exe	33
PID 2852 wrote to memory of 2640	2852	{608B56A2-448E-45bc-84EF-B9DF30AD7225}.exe	33
PID 2852 wrote to memory of 2640	2852	{608B56A2-448E-45bc-84EF-B9DF30AD7225}.exe	33
PID 2852 wrote to memory of 2640	2852	{608B56A2-448E-45bc-84EF-B9DF30AD7225}.exe	33
PID 2492 wrote to memory of 2400	2492	{DA6EA332-A982-4cde-875F-8E91D64175E0}.exe	35
PID 2492 wrote to memory of 2400	2492	{DA6EA332-A982-4cde-875F-8E91D64175E0}.exe	35
PID 2492 wrote to memory of 2400	2492	{DA6EA332-A982-4cde-875F-8E91D64175E0}.exe	35
PID 2492 wrote to memory of 2400	2492	{DA6EA332-A982-4cde-875F-8E91D64175E0}.exe	35
PID 2492 wrote to memory of 2528	2492	{DA6EA332-A982-4cde-875F-8E91D64175E0}.exe	34
PID 2492 wrote to memory of 2528	2492	{DA6EA332-A982-4cde-875F-8E91D64175E0}.exe	34
PID 2492 wrote to memory of 2528	2492	{DA6EA332-A982-4cde-875F-8E91D64175E0}.exe	34
PID 2492 wrote to memory of 2528	2492	{DA6EA332-A982-4cde-875F-8E91D64175E0}.exe	34
PID 2400 wrote to memory of 2436	2400	{80DEB875-B7A6-484e-8362-5D0B6C1ADA5C}.exe	37
PID 2400 wrote to memory of 2436	2400	{80DEB875-B7A6-484e-8362-5D0B6C1ADA5C}.exe	37
PID 2400 wrote to memory of 2436	2400	{80DEB875-B7A6-484e-8362-5D0B6C1ADA5C}.exe	37
PID 2400 wrote to memory of 2436	2400	{80DEB875-B7A6-484e-8362-5D0B6C1ADA5C}.exe	37
PID 2400 wrote to memory of 2776	2400	{80DEB875-B7A6-484e-8362-5D0B6C1ADA5C}.exe	36
PID 2400 wrote to memory of 2776	2400	{80DEB875-B7A6-484e-8362-5D0B6C1ADA5C}.exe	36
PID 2400 wrote to memory of 2776	2400	{80DEB875-B7A6-484e-8362-5D0B6C1ADA5C}.exe	36
PID 2400 wrote to memory of 2776	2400	{80DEB875-B7A6-484e-8362-5D0B6C1ADA5C}.exe	36
PID 2436 wrote to memory of 2152	2436	{FF38F4D0-E7A3-49a2-8E8A-4D8CE04BFAA8}.exe	39
PID 2436 wrote to memory of 2152	2436	{FF38F4D0-E7A3-49a2-8E8A-4D8CE04BFAA8}.exe	39
PID 2436 wrote to memory of 2152	2436	{FF38F4D0-E7A3-49a2-8E8A-4D8CE04BFAA8}.exe	39
PID 2436 wrote to memory of 2152	2436	{FF38F4D0-E7A3-49a2-8E8A-4D8CE04BFAA8}.exe	39
PID 2436 wrote to memory of 2180	2436	{FF38F4D0-E7A3-49a2-8E8A-4D8CE04BFAA8}.exe	38
PID 2436 wrote to memory of 2180	2436	{FF38F4D0-E7A3-49a2-8E8A-4D8CE04BFAA8}.exe	38
PID 2436 wrote to memory of 2180	2436	{FF38F4D0-E7A3-49a2-8E8A-4D8CE04BFAA8}.exe	38
PID 2436 wrote to memory of 2180	2436	{FF38F4D0-E7A3-49a2-8E8A-4D8CE04BFAA8}.exe	38
PID 2152 wrote to memory of 2652	2152	{D1BC91E8-7F75-4660-AB4C-B36A12E38C32}.exe	40
PID 2152 wrote to memory of 2652	2152	{D1BC91E8-7F75-4660-AB4C-B36A12E38C32}.exe	40
PID 2152 wrote to memory of 2652	2152	{D1BC91E8-7F75-4660-AB4C-B36A12E38C32}.exe	40
PID 2152 wrote to memory of 2652	2152	{D1BC91E8-7F75-4660-AB4C-B36A12E38C32}.exe	40
PID 2152 wrote to memory of 2760	2152	{D1BC91E8-7F75-4660-AB4C-B36A12E38C32}.exe	41
PID 2152 wrote to memory of 2760	2152	{D1BC91E8-7F75-4660-AB4C-B36A12E38C32}.exe	41
PID 2152 wrote to memory of 2760	2152	{D1BC91E8-7F75-4660-AB4C-B36A12E38C32}.exe	41
PID 2152 wrote to memory of 2760	2152	{D1BC91E8-7F75-4660-AB4C-B36A12E38C32}.exe	41
PID 2652 wrote to memory of 2100	2652	{DCAAE22D-5551-4ba4-B465-3F122C8DBB5F}.exe	43
PID 2652 wrote to memory of 2100	2652	{DCAAE22D-5551-4ba4-B465-3F122C8DBB5F}.exe	43
PID 2652 wrote to memory of 2100	2652	{DCAAE22D-5551-4ba4-B465-3F122C8DBB5F}.exe	43
PID 2652 wrote to memory of 2100	2652	{DCAAE22D-5551-4ba4-B465-3F122C8DBB5F}.exe	43
PID 2652 wrote to memory of 1248	2652	{DCAAE22D-5551-4ba4-B465-3F122C8DBB5F}.exe	42
PID 2652 wrote to memory of 1248	2652	{DCAAE22D-5551-4ba4-B465-3F122C8DBB5F}.exe	42
PID 2652 wrote to memory of 1248	2652	{DCAAE22D-5551-4ba4-B465-3F122C8DBB5F}.exe	42
PID 2652 wrote to memory of 1248	2652	{DCAAE22D-5551-4ba4-B465-3F122C8DBB5F}.exe	42
PID 2100 wrote to memory of 2016	2100	{D2B17278-BE72-4591-A501-EDA7DE120938}.exe	45
PID 2100 wrote to memory of 2016	2100	{D2B17278-BE72-4591-A501-EDA7DE120938}.exe	45
PID 2100 wrote to memory of 2016	2100	{D2B17278-BE72-4591-A501-EDA7DE120938}.exe	45
PID 2100 wrote to memory of 2016	2100	{D2B17278-BE72-4591-A501-EDA7DE120938}.exe	45
PID 2100 wrote to memory of 1816	2100	{D2B17278-BE72-4591-A501-EDA7DE120938}.exe	44
PID 2100 wrote to memory of 1816	2100	{D2B17278-BE72-4591-A501-EDA7DE120938}.exe	44
PID 2100 wrote to memory of 1816	2100	{D2B17278-BE72-4591-A501-EDA7DE120938}.exe	44
PID 2100 wrote to memory of 1816	2100	{D2B17278-BE72-4591-A501-EDA7DE120938}.exe	44

C:\Users\Admin\AppData\Local\Temp\2024-02-22_6ab95c887955283a17b855e67e1218c7_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-22_6ab95c887955283a17b855e67e1218c7_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2756
- C:\Windows\{608B56A2-448E-45bc-84EF-B9DF30AD7225}.exe
  C:\Windows\{608B56A2-448E-45bc-84EF-B9DF30AD7225}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2852
- - C:\Windows\{DA6EA332-A982-4cde-875F-8E91D64175E0}.exe
    C:\Windows\{DA6EA332-A982-4cde-875F-8E91D64175E0}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2492
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{DA6EA~1.EXE > nul
      4⤵
      PID:2528
  - - C:\Windows\{80DEB875-B7A6-484e-8362-5D0B6C1ADA5C}.exe
      C:\Windows\{80DEB875-B7A6-484e-8362-5D0B6C1ADA5C}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2400
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{80DEB~1.EXE > nul
        5⤵
        
        PID:2776
    - - C:\Windows\{FF38F4D0-E7A3-49a2-8E8A-4D8CE04BFAA8}.exe
        
        C:\Windows\{FF38F4D0-E7A3-49a2-8E8A-4D8CE04BFAA8}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2436
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FF38F~1.EXE > nul
        6⤵
        
        PID:2180
      - C:\Windows\{D1BC91E8-7F75-4660-AB4C-B36A12E38C32}.exe
        
        C:\Windows\{D1BC91E8-7F75-4660-AB4C-B36A12E38C32}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2152
        
        C:\Windows\{DCAAE22D-5551-4ba4-B465-3F122C8DBB5F}.exe
        
        C:\Windows\{DCAAE22D-5551-4ba4-B465-3F122C8DBB5F}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DCAAE~1.EXE > nul
        8⤵
        
        PID:1248
        
        C:\Windows\{D2B17278-BE72-4591-A501-EDA7DE120938}.exe
        
        C:\Windows\{D2B17278-BE72-4591-A501-EDA7DE120938}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D2B17~1.EXE > nul
        9⤵
        
        PID:1816
        
        C:\Windows\{65499359-4809-47f3-9324-06EB4F0D16C3}.exe
        
        C:\Windows\{65499359-4809-47f3-9324-06EB4F0D16C3}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2016
        
        C:\Windows\{49C173D8-6882-47ba-85A9-2284B7E09FA9}.exe
        
        C:\Windows\{49C173D8-6882-47ba-85A9-2284B7E09FA9}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2884
        
        C:\Windows\{42DC13B7-EF0F-48c1-90CD-F76AA2D30352}.exe
        
        C:\Windows\{42DC13B7-EF0F-48c1-90CD-F76AA2D30352}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1780
        
        C:\Windows\{3FA284CD-F618-4c4e-B015-A8B4C2030971}.exe
        
        C:\Windows\{3FA284CD-F618-4c4e-B015-A8B4C2030971}.exe
        12⤵
        Executes dropped EXE
        
        PID:1484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{42DC1~1.EXE > nul
        12⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{49C17~1.EXE > nul
        11⤵
        
        PID:2052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{65499~1.EXE > nul
        10⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D1BC9~1.EXE > nul
        7⤵
        
        PID:2760
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{608B5~1.EXE > nul
    3⤵
    PID:2640
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:3052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{3FA284CD-F618-4c4e-B015-A8B4C2030971}.exe

Filesize
216KB

MD5
69712935bbcbbb0c635844b7bf923089

SHA1
8a8ff7d53eccca4bf5633de4fbee4f8d875b77a2

SHA256
1a0fa2a417ed7cea323006bfdc458cc443277317525debe12e6920992af56512

SHA512
acdbc3ce3474c13999238a3e6fc9400a7c5e7ef3da31f1fff16b846203ea7dd52de6f8858a6a053fdf23314cff609dd93a3eb8a1545b4585128042a7010ecd3e

Download Submit
C:\Windows\{42DC13B7-EF0F-48c1-90CD-F76AA2D30352}.exe

Filesize
216KB

MD5
ec97e665108bb0cbd79d5b67cdd78a3a

SHA1
a801fdf67f0cf1b714de09088bf52c06487b6db1

SHA256
3ed60fb34c3233e711bb9cd344f68fd2b8b78ccbefbb55694f50e7356b830ba7

SHA512
d74207d130e40cea30d098bc7674120be86c028355db57678e11b22f86688a84d71d654cbdae8534aab7b791d4cb6c05bd8d277ffc1bca08f3e5e9cf2fc4ec95

Download Submit
C:\Windows\{49C173D8-6882-47ba-85A9-2284B7E09FA9}.exe

Filesize
216KB

MD5
0bb3920e744dec3cb71c221b5e035fee

SHA1
6f42408116eb0948a6ee8e06e6933eb41b090c9d

SHA256
2742d1ed443b2e1ca69567dd96f9603b66d6f6fbc77ad81135a6545b801807f1

SHA512
cb197665dfe85c826557539527287a33f74f4ecea7eda22f583f31c1b619cf1290c2c87660ba9eb04644e70a63d6b1d3419cfa2eedeaf8432755241e866acdc1

Download Submit
C:\Windows\{608B56A2-448E-45bc-84EF-B9DF30AD7225}.exe

Filesize
216KB

MD5
05be18c11e1b2eb2b17d4c8e30127577

SHA1
b1f7002a55c27d8e72c6c7f3e2df33921352438c

SHA256
4d01e1735d1cbb3f820a1debf7d570f6be5286b7117149eb40a0a3d790756ade

SHA512
4b778a227c71ca448b0b91b33d51fa2ddea4b930ac684d3ec627fc0b107c783c5632c5e8b2887427d4d48498991ba5cf6b93639bf25d08209808c6939c6345bd

Download Submit
C:\Windows\{65499359-4809-47f3-9324-06EB4F0D16C3}.exe

Filesize
216KB

MD5
6514572484b6da97d22b0a0290eac3e2

SHA1
7eefa223d510a4e9d8061d3c26e6a070f8f6ec43

SHA256
5b54ada7ea84ba42c538727b3233c8568b6da20bd7e9ea7f8677a6a63df80428

SHA512
06ed87a73b707063005fc115a16ab461e84e59ec0cdbc72245cc0993554851402cf0ac72a60a2dc958f90c2a36b5c603ca76961df0137d4487a9576ba8b2f772

Download Submit
C:\Windows\{80DEB875-B7A6-484e-8362-5D0B6C1ADA5C}.exe

Filesize
216KB

MD5
323131b4e19870ed144a13c47e992fe9

SHA1
e5d6e0aeda910547fd2d354d7e49ed51893d25c0

SHA256
5c1a1df111efaab9f74dbe85c487d98d90384e995389c24080f55db745068543

SHA512
1cff95a1b6e5d55f19acb6428445e4407e88ae753c45153b3559dd5d18cb64a404b3ace59a0ca98739861875ca591fa7f9657f3d0b677d462600d4a33296aea1

Download Submit
C:\Windows\{D1BC91E8-7F75-4660-AB4C-B36A12E38C32}.exe

Filesize
216KB

MD5
e4bd103aaa4e5ea7d9004b2f53698238

SHA1
123a0b5233a628c13f1cd5190cd2873f1756aa4b

SHA256
d486b9c8f693e954ec15f6c1744bab932d173321c318eab17d2f391ef684ad42

SHA512
a6a76c26cd136b002bde03f1a6b43a655e76e56660a3bd7ded0474dca43179d40289059227073f16e9274e807deed66c934a1faa99db7c27f0daedecb43e56fe

Download Submit
C:\Windows\{D2B17278-BE72-4591-A501-EDA7DE120938}.exe

Filesize
216KB

MD5
3e638774e4940f594029e43ae4f89baf

SHA1
afce60d0f487b584e03fc3671d9341de6037f2c4

SHA256
13d0f61679ab38cd5ea0a99cd778fca506661c6ef25d95b302bf48c2c52235f3

SHA512
db105e55b9913985c4f796f7e7aa0bc507e505a160c7b09625f5f148af7811e45a4903cb57e53402ddf6677805e10a363cb25e5eabbced5ab87dd06e4e3fda49

Download Submit
C:\Windows\{DA6EA332-A982-4cde-875F-8E91D64175E0}.exe

Filesize
216KB

MD5
0fdeb477b4ac2d01bf2feeaf1742cf75

SHA1
cbeba2b9d202395cc9f898aadde6469e194ad45a

SHA256
7bbcc5133257dff932ad006ef60dcbfe8c3d7de96c6e27b5aae7c81c6a0dc309

SHA512
cd7dcdd3a7ff2e5e30148c1ec5a0f892c7c7f38c040a67e1a13747f4891188a51ba4524b90c57389261653e4430d5022fcfd9937954a3b8e4e318e41adf7c1a8

Download Submit
C:\Windows\{DCAAE22D-5551-4ba4-B465-3F122C8DBB5F}.exe

Filesize
216KB

MD5
317ca8d5ad9e0e8387e18d0cfb96898d

SHA1
97d882e09b6bb54fab75c41e20ef0679a5767d99

SHA256
9ad5a823c08a4343c6d44530e30d86e569ee4a2bb7815810861eb3f77afaf73e

SHA512
38dea3ca6e5d2c9d23f3da299c23f2ef43e54a5009dd0a1283b84a774acea0bfeffa81964a99bd65419faf69d6386ab15e71e82eadefc59f254c520f007c7a2c

Download Submit
C:\Windows\{FF38F4D0-E7A3-49a2-8E8A-4D8CE04BFAA8}.exe

Filesize
216KB

MD5
d2eed4a10613d42809fd93ee0319e3b0

SHA1
ca8c059738aabd51e5688c349eeaca10b53770f5

SHA256
97d3528a7f374f3ff4249f409a5e88aa530f497bc0f641c396f88a29a4e15c14

SHA512
1f7328b94afbd48256d71b8eaf64492f7648c6d27d8fe055e3454a0348b6ccc95f426841e6fd1a3aac75e49bdfb8c80559cb5d8adbb5950e0359cc81af329f2c

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads