881225db026aac0e0360f4201846ada14867937b2cfa284428db4319dcb17ad1

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
27/03/2024, 20:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-27_8e39310db07304607d7f771358286ab8_goldeneye.exe
Size

408KB
MD5

8e39310db07304607d7f771358286ab8
SHA1

7d53a758f8184ebdd15a8a7864831b9b93905f6d
SHA256

881225db026aac0e0360f4201846ada14867937b2cfa284428db4319dcb17ad1
SHA512

fa4fe4af638ac92907ed1c00885f5d72be2ddc8ee511b72da342c3295ca64e6d700055a2958bee6ecb834727c25ba32023c177ed79b5f8df554762dcd84f80fe
SSDEEP

3072:CEGh0o3l3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBft:CEGtldOe2MUVg3vTeKcAEciTBqr3jy9

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000c00000001223a-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d0000000122a3-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d00000001223a-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000300000000b1f2-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000400000000b1f2-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000500000000b1f2-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000600000000b1f2-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D97D1C98-5A5A-4ea6-BAD8-384644DEC7D6}	{5E985431-3CFB-47d1-9829-E66454F12776}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B247BEB7-B7C6-45f5-ABCF-A7481FDDF26B}\stubpath = "C:\\Windows\\{B247BEB7-B7C6-45f5-ABCF-A7481FDDF26B}.exe"	{EAB16E7F-D59C-4606-95A8-27E85D103D03}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{45DAF88D-E69C-4477-B142-111ED8221839}	{46283536-6F0C-4c8d-BEBC-81BB4AD831AF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DED57983-471F-4fed-A276-54CF9BB40068}	{45DAF88D-E69C-4477-B142-111ED8221839}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DED57983-471F-4fed-A276-54CF9BB40068}\stubpath = "C:\\Windows\\{DED57983-471F-4fed-A276-54CF9BB40068}.exe"	{45DAF88D-E69C-4477-B142-111ED8221839}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C773F401-6505-44c3-9051-DD2CEEA1A1BB}	{B247BEB7-B7C6-45f5-ABCF-A7481FDDF26B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{46283536-6F0C-4c8d-BEBC-81BB4AD831AF}\stubpath = "C:\\Windows\\{46283536-6F0C-4c8d-BEBC-81BB4AD831AF}.exe"	{BD16AE24-BFDA-4388-9B38-AFA0ADBE6BA2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5E985431-3CFB-47d1-9829-E66454F12776}\stubpath = "C:\\Windows\\{5E985431-3CFB-47d1-9829-E66454F12776}.exe"	2024-03-27_8e39310db07304607d7f771358286ab8_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{38CF545B-17FD-41e7-B168-7991DA700366}\stubpath = "C:\\Windows\\{38CF545B-17FD-41e7-B168-7991DA700366}.exe"	{D97D1C98-5A5A-4ea6-BAD8-384644DEC7D6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{54D57EA3-1796-4951-BDD4-87CE2C324453}\stubpath = "C:\\Windows\\{54D57EA3-1796-4951-BDD4-87CE2C324453}.exe"	{38CF545B-17FD-41e7-B168-7991DA700366}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EAB16E7F-D59C-4606-95A8-27E85D103D03}	{54D57EA3-1796-4951-BDD4-87CE2C324453}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EAB16E7F-D59C-4606-95A8-27E85D103D03}\stubpath = "C:\\Windows\\{EAB16E7F-D59C-4606-95A8-27E85D103D03}.exe"	{54D57EA3-1796-4951-BDD4-87CE2C324453}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BD16AE24-BFDA-4388-9B38-AFA0ADBE6BA2}	{C773F401-6505-44c3-9051-DD2CEEA1A1BB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{46283536-6F0C-4c8d-BEBC-81BB4AD831AF}	{BD16AE24-BFDA-4388-9B38-AFA0ADBE6BA2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5E985431-3CFB-47d1-9829-E66454F12776}	2024-03-27_8e39310db07304607d7f771358286ab8_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{38CF545B-17FD-41e7-B168-7991DA700366}	{D97D1C98-5A5A-4ea6-BAD8-384644DEC7D6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{54D57EA3-1796-4951-BDD4-87CE2C324453}	{38CF545B-17FD-41e7-B168-7991DA700366}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B247BEB7-B7C6-45f5-ABCF-A7481FDDF26B}	{EAB16E7F-D59C-4606-95A8-27E85D103D03}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C773F401-6505-44c3-9051-DD2CEEA1A1BB}\stubpath = "C:\\Windows\\{C773F401-6505-44c3-9051-DD2CEEA1A1BB}.exe"	{B247BEB7-B7C6-45f5-ABCF-A7481FDDF26B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D97D1C98-5A5A-4ea6-BAD8-384644DEC7D6}\stubpath = "C:\\Windows\\{D97D1C98-5A5A-4ea6-BAD8-384644DEC7D6}.exe"	{5E985431-3CFB-47d1-9829-E66454F12776}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BD16AE24-BFDA-4388-9B38-AFA0ADBE6BA2}\stubpath = "C:\\Windows\\{BD16AE24-BFDA-4388-9B38-AFA0ADBE6BA2}.exe"	{C773F401-6505-44c3-9051-DD2CEEA1A1BB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{45DAF88D-E69C-4477-B142-111ED8221839}\stubpath = "C:\\Windows\\{45DAF88D-E69C-4477-B142-111ED8221839}.exe"	{46283536-6F0C-4c8d-BEBC-81BB4AD831AF}.exe

Deletes itself 1 IoCs

pid	Process
1408	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2056	{5E985431-3CFB-47d1-9829-E66454F12776}.exe
2124	{D97D1C98-5A5A-4ea6-BAD8-384644DEC7D6}.exe
2584	{38CF545B-17FD-41e7-B168-7991DA700366}.exe
2356	{54D57EA3-1796-4951-BDD4-87CE2C324453}.exe
2052	{EAB16E7F-D59C-4606-95A8-27E85D103D03}.exe
2460	{B247BEB7-B7C6-45f5-ABCF-A7481FDDF26B}.exe
2268	{C773F401-6505-44c3-9051-DD2CEEA1A1BB}.exe
1016	{BD16AE24-BFDA-4388-9B38-AFA0ADBE6BA2}.exe
1640	{46283536-6F0C-4c8d-BEBC-81BB4AD831AF}.exe
2852	{45DAF88D-E69C-4477-B142-111ED8221839}.exe
588	{DED57983-471F-4fed-A276-54CF9BB40068}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{D97D1C98-5A5A-4ea6-BAD8-384644DEC7D6}.exe	{5E985431-3CFB-47d1-9829-E66454F12776}.exe
File created	C:\Windows\{54D57EA3-1796-4951-BDD4-87CE2C324453}.exe	{38CF545B-17FD-41e7-B168-7991DA700366}.exe
File created	C:\Windows\{EAB16E7F-D59C-4606-95A8-27E85D103D03}.exe	{54D57EA3-1796-4951-BDD4-87CE2C324453}.exe
File created	C:\Windows\{45DAF88D-E69C-4477-B142-111ED8221839}.exe	{46283536-6F0C-4c8d-BEBC-81BB4AD831AF}.exe
File created	C:\Windows\{DED57983-471F-4fed-A276-54CF9BB40068}.exe	{45DAF88D-E69C-4477-B142-111ED8221839}.exe
File created	C:\Windows\{5E985431-3CFB-47d1-9829-E66454F12776}.exe	2024-03-27_8e39310db07304607d7f771358286ab8_goldeneye.exe
File created	C:\Windows\{38CF545B-17FD-41e7-B168-7991DA700366}.exe	{D97D1C98-5A5A-4ea6-BAD8-384644DEC7D6}.exe
File created	C:\Windows\{B247BEB7-B7C6-45f5-ABCF-A7481FDDF26B}.exe	{EAB16E7F-D59C-4606-95A8-27E85D103D03}.exe
File created	C:\Windows\{C773F401-6505-44c3-9051-DD2CEEA1A1BB}.exe	{B247BEB7-B7C6-45f5-ABCF-A7481FDDF26B}.exe
File created	C:\Windows\{BD16AE24-BFDA-4388-9B38-AFA0ADBE6BA2}.exe	{C773F401-6505-44c3-9051-DD2CEEA1A1BB}.exe
File created	C:\Windows\{46283536-6F0C-4c8d-BEBC-81BB4AD831AF}.exe	{BD16AE24-BFDA-4388-9B38-AFA0ADBE6BA2}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2184	2024-03-27_8e39310db07304607d7f771358286ab8_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2056	{5E985431-3CFB-47d1-9829-E66454F12776}.exe
Token: SeIncBasePriorityPrivilege	2124	{D97D1C98-5A5A-4ea6-BAD8-384644DEC7D6}.exe
Token: SeIncBasePriorityPrivilege	2584	{38CF545B-17FD-41e7-B168-7991DA700366}.exe
Token: SeIncBasePriorityPrivilege	2356	{54D57EA3-1796-4951-BDD4-87CE2C324453}.exe
Token: SeIncBasePriorityPrivilege	2052	{EAB16E7F-D59C-4606-95A8-27E85D103D03}.exe
Token: SeIncBasePriorityPrivilege	2460	{B247BEB7-B7C6-45f5-ABCF-A7481FDDF26B}.exe
Token: SeIncBasePriorityPrivilege	2268	{C773F401-6505-44c3-9051-DD2CEEA1A1BB}.exe
Token: SeIncBasePriorityPrivilege	1016	{BD16AE24-BFDA-4388-9B38-AFA0ADBE6BA2}.exe
Token: SeIncBasePriorityPrivilege	1640	{46283536-6F0C-4c8d-BEBC-81BB4AD831AF}.exe
Token: SeIncBasePriorityPrivilege	2852	{45DAF88D-E69C-4477-B142-111ED8221839}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2184 wrote to memory of 2056	2184	2024-03-27_8e39310db07304607d7f771358286ab8_goldeneye.exe	28
PID 2184 wrote to memory of 2056	2184	2024-03-27_8e39310db07304607d7f771358286ab8_goldeneye.exe	28
PID 2184 wrote to memory of 2056	2184	2024-03-27_8e39310db07304607d7f771358286ab8_goldeneye.exe	28
PID 2184 wrote to memory of 2056	2184	2024-03-27_8e39310db07304607d7f771358286ab8_goldeneye.exe	28
PID 2184 wrote to memory of 1408	2184	2024-03-27_8e39310db07304607d7f771358286ab8_goldeneye.exe	29
PID 2184 wrote to memory of 1408	2184	2024-03-27_8e39310db07304607d7f771358286ab8_goldeneye.exe	29
PID 2184 wrote to memory of 1408	2184	2024-03-27_8e39310db07304607d7f771358286ab8_goldeneye.exe	29
PID 2184 wrote to memory of 1408	2184	2024-03-27_8e39310db07304607d7f771358286ab8_goldeneye.exe	29
PID 2056 wrote to memory of 2124	2056	{5E985431-3CFB-47d1-9829-E66454F12776}.exe	30
PID 2056 wrote to memory of 2124	2056	{5E985431-3CFB-47d1-9829-E66454F12776}.exe	30
PID 2056 wrote to memory of 2124	2056	{5E985431-3CFB-47d1-9829-E66454F12776}.exe	30
PID 2056 wrote to memory of 2124	2056	{5E985431-3CFB-47d1-9829-E66454F12776}.exe	30
PID 2056 wrote to memory of 2380	2056	{5E985431-3CFB-47d1-9829-E66454F12776}.exe	31
PID 2056 wrote to memory of 2380	2056	{5E985431-3CFB-47d1-9829-E66454F12776}.exe	31
PID 2056 wrote to memory of 2380	2056	{5E985431-3CFB-47d1-9829-E66454F12776}.exe	31
PID 2056 wrote to memory of 2380	2056	{5E985431-3CFB-47d1-9829-E66454F12776}.exe	31
PID 2124 wrote to memory of 2584	2124	{D97D1C98-5A5A-4ea6-BAD8-384644DEC7D6}.exe	32
PID 2124 wrote to memory of 2584	2124	{D97D1C98-5A5A-4ea6-BAD8-384644DEC7D6}.exe	32
PID 2124 wrote to memory of 2584	2124	{D97D1C98-5A5A-4ea6-BAD8-384644DEC7D6}.exe	32
PID 2124 wrote to memory of 2584	2124	{D97D1C98-5A5A-4ea6-BAD8-384644DEC7D6}.exe	32
PID 2124 wrote to memory of 2536	2124	{D97D1C98-5A5A-4ea6-BAD8-384644DEC7D6}.exe	33
PID 2124 wrote to memory of 2536	2124	{D97D1C98-5A5A-4ea6-BAD8-384644DEC7D6}.exe	33
PID 2124 wrote to memory of 2536	2124	{D97D1C98-5A5A-4ea6-BAD8-384644DEC7D6}.exe	33
PID 2124 wrote to memory of 2536	2124	{D97D1C98-5A5A-4ea6-BAD8-384644DEC7D6}.exe	33
PID 2584 wrote to memory of 2356	2584	{38CF545B-17FD-41e7-B168-7991DA700366}.exe	36
PID 2584 wrote to memory of 2356	2584	{38CF545B-17FD-41e7-B168-7991DA700366}.exe	36
PID 2584 wrote to memory of 2356	2584	{38CF545B-17FD-41e7-B168-7991DA700366}.exe	36
PID 2584 wrote to memory of 2356	2584	{38CF545B-17FD-41e7-B168-7991DA700366}.exe	36
PID 2584 wrote to memory of 2440	2584	{38CF545B-17FD-41e7-B168-7991DA700366}.exe	37
PID 2584 wrote to memory of 2440	2584	{38CF545B-17FD-41e7-B168-7991DA700366}.exe	37
PID 2584 wrote to memory of 2440	2584	{38CF545B-17FD-41e7-B168-7991DA700366}.exe	37
PID 2584 wrote to memory of 2440	2584	{38CF545B-17FD-41e7-B168-7991DA700366}.exe	37
PID 2356 wrote to memory of 2052	2356	{54D57EA3-1796-4951-BDD4-87CE2C324453}.exe	38
PID 2356 wrote to memory of 2052	2356	{54D57EA3-1796-4951-BDD4-87CE2C324453}.exe	38
PID 2356 wrote to memory of 2052	2356	{54D57EA3-1796-4951-BDD4-87CE2C324453}.exe	38
PID 2356 wrote to memory of 2052	2356	{54D57EA3-1796-4951-BDD4-87CE2C324453}.exe	38
PID 2356 wrote to memory of 1564	2356	{54D57EA3-1796-4951-BDD4-87CE2C324453}.exe	39
PID 2356 wrote to memory of 1564	2356	{54D57EA3-1796-4951-BDD4-87CE2C324453}.exe	39
PID 2356 wrote to memory of 1564	2356	{54D57EA3-1796-4951-BDD4-87CE2C324453}.exe	39
PID 2356 wrote to memory of 1564	2356	{54D57EA3-1796-4951-BDD4-87CE2C324453}.exe	39
PID 2052 wrote to memory of 2460	2052	{EAB16E7F-D59C-4606-95A8-27E85D103D03}.exe	40
PID 2052 wrote to memory of 2460	2052	{EAB16E7F-D59C-4606-95A8-27E85D103D03}.exe	40
PID 2052 wrote to memory of 2460	2052	{EAB16E7F-D59C-4606-95A8-27E85D103D03}.exe	40
PID 2052 wrote to memory of 2460	2052	{EAB16E7F-D59C-4606-95A8-27E85D103D03}.exe	40
PID 2052 wrote to memory of 2624	2052	{EAB16E7F-D59C-4606-95A8-27E85D103D03}.exe	41
PID 2052 wrote to memory of 2624	2052	{EAB16E7F-D59C-4606-95A8-27E85D103D03}.exe	41
PID 2052 wrote to memory of 2624	2052	{EAB16E7F-D59C-4606-95A8-27E85D103D03}.exe	41
PID 2052 wrote to memory of 2624	2052	{EAB16E7F-D59C-4606-95A8-27E85D103D03}.exe	41
PID 2460 wrote to memory of 2268	2460	{B247BEB7-B7C6-45f5-ABCF-A7481FDDF26B}.exe	42
PID 2460 wrote to memory of 2268	2460	{B247BEB7-B7C6-45f5-ABCF-A7481FDDF26B}.exe	42
PID 2460 wrote to memory of 2268	2460	{B247BEB7-B7C6-45f5-ABCF-A7481FDDF26B}.exe	42
PID 2460 wrote to memory of 2268	2460	{B247BEB7-B7C6-45f5-ABCF-A7481FDDF26B}.exe	42
PID 2460 wrote to memory of 2192	2460	{B247BEB7-B7C6-45f5-ABCF-A7481FDDF26B}.exe	43
PID 2460 wrote to memory of 2192	2460	{B247BEB7-B7C6-45f5-ABCF-A7481FDDF26B}.exe	43
PID 2460 wrote to memory of 2192	2460	{B247BEB7-B7C6-45f5-ABCF-A7481FDDF26B}.exe	43
PID 2460 wrote to memory of 2192	2460	{B247BEB7-B7C6-45f5-ABCF-A7481FDDF26B}.exe	43
PID 2268 wrote to memory of 1016	2268	{C773F401-6505-44c3-9051-DD2CEEA1A1BB}.exe	44
PID 2268 wrote to memory of 1016	2268	{C773F401-6505-44c3-9051-DD2CEEA1A1BB}.exe	44
PID 2268 wrote to memory of 1016	2268	{C773F401-6505-44c3-9051-DD2CEEA1A1BB}.exe	44
PID 2268 wrote to memory of 1016	2268	{C773F401-6505-44c3-9051-DD2CEEA1A1BB}.exe	44
PID 2268 wrote to memory of 1184	2268	{C773F401-6505-44c3-9051-DD2CEEA1A1BB}.exe	45
PID 2268 wrote to memory of 1184	2268	{C773F401-6505-44c3-9051-DD2CEEA1A1BB}.exe	45
PID 2268 wrote to memory of 1184	2268	{C773F401-6505-44c3-9051-DD2CEEA1A1BB}.exe	45
PID 2268 wrote to memory of 1184	2268	{C773F401-6505-44c3-9051-DD2CEEA1A1BB}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-03-27_8e39310db07304607d7f771358286ab8_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-27_8e39310db07304607d7f771358286ab8_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2184
- C:\Windows\{5E985431-3CFB-47d1-9829-E66454F12776}.exe
  C:\Windows\{5E985431-3CFB-47d1-9829-E66454F12776}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2056
- - C:\Windows\{D97D1C98-5A5A-4ea6-BAD8-384644DEC7D6}.exe
    C:\Windows\{D97D1C98-5A5A-4ea6-BAD8-384644DEC7D6}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2124
  - - C:\Windows\{38CF545B-17FD-41e7-B168-7991DA700366}.exe
      C:\Windows\{38CF545B-17FD-41e7-B168-7991DA700366}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2584
    - - C:\Windows\{54D57EA3-1796-4951-BDD4-87CE2C324453}.exe
        
        C:\Windows\{54D57EA3-1796-4951-BDD4-87CE2C324453}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2356
      - C:\Windows\{EAB16E7F-D59C-4606-95A8-27E85D103D03}.exe
        
        C:\Windows\{EAB16E7F-D59C-4606-95A8-27E85D103D03}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2052
        
        C:\Windows\{B247BEB7-B7C6-45f5-ABCF-A7481FDDF26B}.exe
        
        C:\Windows\{B247BEB7-B7C6-45f5-ABCF-A7481FDDF26B}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2460
        
        C:\Windows\{C773F401-6505-44c3-9051-DD2CEEA1A1BB}.exe
        
        C:\Windows\{C773F401-6505-44c3-9051-DD2CEEA1A1BB}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2268
        
        C:\Windows\{BD16AE24-BFDA-4388-9B38-AFA0ADBE6BA2}.exe
        
        C:\Windows\{BD16AE24-BFDA-4388-9B38-AFA0ADBE6BA2}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1016
        
        C:\Windows\{46283536-6F0C-4c8d-BEBC-81BB4AD831AF}.exe
        
        C:\Windows\{46283536-6F0C-4c8d-BEBC-81BB4AD831AF}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1640
        
        C:\Windows\{45DAF88D-E69C-4477-B142-111ED8221839}.exe
        
        C:\Windows\{45DAF88D-E69C-4477-B142-111ED8221839}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2852
        
        C:\Windows\{DED57983-471F-4fed-A276-54CF9BB40068}.exe
        
        C:\Windows\{DED57983-471F-4fed-A276-54CF9BB40068}.exe
        12⤵
        Executes dropped EXE
        
        PID:588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{45DAF~1.EXE > nul
        12⤵
        
        PID:1328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{46283~1.EXE > nul
        11⤵
        
        PID:1412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BD16A~1.EXE > nul
        10⤵
        
        PID:528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C773F~1.EXE > nul
        9⤵
        
        PID:1184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B247B~1.EXE > nul
        8⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EAB16~1.EXE > nul
        7⤵
        
        PID:2624
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{54D57~1.EXE > nul
        6⤵
        
        PID:1564
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{38CF5~1.EXE > nul
        5⤵
        
        PID:2440
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{D97D1~1.EXE > nul
      4⤵
      PID:2536
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{5E985~1.EXE > nul
    3⤵
    PID:2380
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:1408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{38CF545B-17FD-41e7-B168-7991DA700366}.exe

Filesize
408KB

MD5
4ed56c36aba5f2b175a9128eb18d755c

SHA1
7a917012245ac387dcabc5ebd7b816688e6d8ba9

SHA256
92f5d92b66d3ec656fe6038bd3290dd351adb21d4769194440d0c524eb4864f6

SHA512
92a0c71e1772e70718164258078e3d296333a810e6a387666839df7e63c20d871a40a7057c5253a31ace672c8f2340f490a70a648817bd6eece70f457b902c90

Download Submit
C:\Windows\{45DAF88D-E69C-4477-B142-111ED8221839}.exe

Filesize
408KB

MD5
31c14cd45094fc1f2e0515206f05edbd

SHA1
fa40c9a7d3707187127ca767ad1c8319373ef6ed

SHA256
97b6bd89bd4e303e49f1011939d048665ca613efe79aa94cfd223654c9b8806e

SHA512
ee43744c4e28fd84666f937b0c33a55c42f6a7b11d9577751ab5827db895641a5e5ecdf9bbf63b2872fa8727b560a2eaa6b70d791448a75565465a5edc955ee1

Download Submit
C:\Windows\{46283536-6F0C-4c8d-BEBC-81BB4AD831AF}.exe

Filesize
408KB

MD5
77e1d3aad9c0f87785ac80c72c10ec01

SHA1
fbdfab66286fda0e1b5da43f8045e61ca6a460c8

SHA256
752ea33ff9eb760e3a873961ae0d5d2ac6bc3a274b01b198de56a5bd959002d4

SHA512
4f5b5393e41fa61f07b88d11fbbdc9a6efd85893f5b464b9fb0ea38301a7079eaf53a7b6fb2adc53e844d692cba6607c56ec8dfb4ea26066a7ad072e481dac79

Download Submit
C:\Windows\{54D57EA3-1796-4951-BDD4-87CE2C324453}.exe

Filesize
408KB

MD5
cfff119a1aa373c3ffeab7e26804339d

SHA1
4d18e3de5d0dfb5498c26da9c5d27c584c639c02

SHA256
c107a867417aa24cf214226e1b65f5e8817ee2878c425223b66b452d790e3136

SHA512
ebbd7cef3f91ed3a2f3290deb14dcc2f7f0c9ac46136384763bc32ebda2ff4af0563074c082c9fb1241d0a0bb55a0fc8584fcfcd67de600dd29a2e09f12cd7f5

Download Submit
C:\Windows\{5E985431-3CFB-47d1-9829-E66454F12776}.exe

Filesize
408KB

MD5
e3d56246e755033c308a5e2a6e535a54

SHA1
30bb0a3ff07ab78e511129f311954ff1c693ece6

SHA256
ec1531ab36fc72369349f6d1615faf802be013b6401765857c08dc3f6213f0a8

SHA512
e76ecbd77edc24e381b2290575d01939a053f7c00a9eb064033a6147f2733baca5ab4dafc927a56c36ab0aa41752c670c30ff691d3d8bd30a7f4f0ed8fb70b1c

Download Submit
C:\Windows\{B247BEB7-B7C6-45f5-ABCF-A7481FDDF26B}.exe

Filesize
408KB

MD5
93527763aa4d5a26c641232c20d932bf

SHA1
f2d7f0a5b7d2e8093b06b2d45b339177b8fdf9f6

SHA256
001632743788113427db76c594714efcc7728c8a93383c461c5f9f69aeac3a90

SHA512
55000d681e3c98fc08c35d146b5b8cd37b0bd41a21c19cd2bb9fa959b33a04b9b9c62ca5fda4ae8bd00884e72c40a05191d8307572bdf9a39febfcb0abc060f1

Download Submit
C:\Windows\{BD16AE24-BFDA-4388-9B38-AFA0ADBE6BA2}.exe

Filesize
408KB

MD5
dc6ab56f44b853ee561adf2398697381

SHA1
f010c8ee81659f467e4adc5112947655f409af31

SHA256
ebf9860faa1c897c6e31e62c969332512049dc265a3266137aee2d621fce5623

SHA512
39ec88a023e0dcacbe3f5f51cfb0215df166e34bfd3d886849e2edc2597b19779be7fcb8b3b1ee945fa0cc31c268083d2c064b41bd2727f91b9dd09bc09f76a0

Download Submit
C:\Windows\{C773F401-6505-44c3-9051-DD2CEEA1A1BB}.exe

Filesize
408KB

MD5
17d66dfadfc633dfa2e54858560bde49

SHA1
2cb51644c09e8ddeaffc8e16699dcbb83d33be2c

SHA256
456fc159b9e0d67cfc5abc27a72060cba4808a8296b07a1800e3b7bb461f5196

SHA512
a7909daa6373b6c250d3405f411434ba90eddbb983e64355900cbefec3b90410336d0f8497f0d08f5e97bfbac6eb7ea26f1bf78ab4824cd54faa99995a52574b

Download Submit
C:\Windows\{D97D1C98-5A5A-4ea6-BAD8-384644DEC7D6}.exe

Filesize
408KB

MD5
22e5bf5fff253b53414fdcf982d6588a

SHA1
5b9ddfca2fe0ee88355f9395b11ede2b88aeb9ff

SHA256
8b3629fd0bada9f2caadaf114abf5b533a566648ed0fe4811eb879a166149a29

SHA512
c62aa85a0ac481addd8274db862a68d6c38ea92819b0eeb214951468f964165daf21ac16daa6a347a1451678c920a4ca48a2d67b2405f7a448502ebde465f196

Download Submit
C:\Windows\{DED57983-471F-4fed-A276-54CF9BB40068}.exe

Filesize
408KB

MD5
157ebe9fc8727227cbe6c8af253d0d9a

SHA1
ace7c9acb8cd9ae0f9ef8bacee769c51b8eb2bfe

SHA256
3ab7f0b3f28d925757d2ab586df507564da6c86fc5b299bf87a142713d0adf4f

SHA512
f1245a245943702ec98a2d75213f5d09bbdff12b302e3326e1bf538abe3fb148767ea67de6a1d76a3cb43ae4472755296d104be01f78a3050be331df8d0a986f

Download Submit
C:\Windows\{EAB16E7F-D59C-4606-95A8-27E85D103D03}.exe

Filesize
408KB

MD5
89ed92b55618dac85c9613cc91ea121a

SHA1
ecd33c8f6770970bd2f390c8f213716c1342ad98

SHA256
ce57382c4548edf3c9d5051d02c51dc308ad9e21aab7bf2683db51cb77ce333f

SHA512
1329ae4f5cdfa1ec662f090c6b9e07fef9ca87fa595a52e461c7784e7573bec34f6f65ae4920ea22071d576ab481ab12fb6351a6aba96c8a5233ee7e8b23ceb0

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads