513431148338963242d5359966e5222d071b8f994231f062904ac3888de0ba39

Analysis

max time kernel
144s
max time network
126s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
04-04-2024 21:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-04_c888fc904a41f991fe67cf9faa72345d_goldeneye.exe
Size

372KB
MD5

c888fc904a41f991fe67cf9faa72345d
SHA1

cf72621831e12a3feff50b85ee119b47d7b55e15
SHA256

513431148338963242d5359966e5222d071b8f994231f062904ac3888de0ba39
SHA512

103eb90c8b419340a893254703c4910d57e6c55d025217dc12c73812fbb25370f5bcae525f469d8e278458cecfb42647eff38accb66e63c0d4514f76370081de
SSDEEP

3072:CEGh0oLlMOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBfM:CEGllkOe2MUVg3vTeKcAEciTBqr3

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000b00000001223a-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000012309-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000300000000b1f2-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0027000000015c85-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0027000000015cb3-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0028000000015c85-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0011000000015cc2-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000015e07-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0012000000015cc2-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000015e07-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B36B3BC2-626E-4ee1-A768-9C19AD52E3CB}\stubpath = "C:\\Windows\\{B36B3BC2-626E-4ee1-A768-9C19AD52E3CB}.exe"	{879DE5A4-71D0-479d-B9DA-24E5C5978085}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B1DC7BE1-A560-4b3c-A4AB-C14C65935F9C}	{5234A5DF-73C9-4817-9097-295F8BF4A14C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B1DC7BE1-A560-4b3c-A4AB-C14C65935F9C}\stubpath = "C:\\Windows\\{B1DC7BE1-A560-4b3c-A4AB-C14C65935F9C}.exe"	{5234A5DF-73C9-4817-9097-295F8BF4A14C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A174E798-ECEE-4048-A219-732436DA8234}	{112D23C2-20D5-4519-A7DC-79FE414D8294}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1B2D92A0-7110-45c0-8D8B-BE59186B6903}\stubpath = "C:\\Windows\\{1B2D92A0-7110-45c0-8D8B-BE59186B6903}.exe"	{A174E798-ECEE-4048-A219-732436DA8234}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{112D23C2-20D5-4519-A7DC-79FE414D8294}\stubpath = "C:\\Windows\\{112D23C2-20D5-4519-A7DC-79FE414D8294}.exe"	{B1DC7BE1-A560-4b3c-A4AB-C14C65935F9C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A174E798-ECEE-4048-A219-732436DA8234}\stubpath = "C:\\Windows\\{A174E798-ECEE-4048-A219-732436DA8234}.exe"	{112D23C2-20D5-4519-A7DC-79FE414D8294}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{07775CC3-8CFF-410f-B24D-574424DF4ADB}\stubpath = "C:\\Windows\\{07775CC3-8CFF-410f-B24D-574424DF4ADB}.exe"	{1B2D92A0-7110-45c0-8D8B-BE59186B6903}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B36B3BC2-626E-4ee1-A768-9C19AD52E3CB}	{879DE5A4-71D0-479d-B9DA-24E5C5978085}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AC0D5621-5BF9-464c-83BF-AD83CA760EF6}\stubpath = "C:\\Windows\\{AC0D5621-5BF9-464c-83BF-AD83CA760EF6}.exe"	{1DDF805C-93B0-4706-8C02-2B27B5A13945}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2367C278-671E-42ca-B2AF-E384016DC95C}\stubpath = "C:\\Windows\\{2367C278-671E-42ca-B2AF-E384016DC95C}.exe"	{07775CC3-8CFF-410f-B24D-574424DF4ADB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{879DE5A4-71D0-479d-B9DA-24E5C5978085}	{2367C278-671E-42ca-B2AF-E384016DC95C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5234A5DF-73C9-4817-9097-295F8BF4A14C}\stubpath = "C:\\Windows\\{5234A5DF-73C9-4817-9097-295F8BF4A14C}.exe"	{AC0D5621-5BF9-464c-83BF-AD83CA760EF6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{112D23C2-20D5-4519-A7DC-79FE414D8294}	{B1DC7BE1-A560-4b3c-A4AB-C14C65935F9C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1B2D92A0-7110-45c0-8D8B-BE59186B6903}	{A174E798-ECEE-4048-A219-732436DA8234}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{07775CC3-8CFF-410f-B24D-574424DF4ADB}	{1B2D92A0-7110-45c0-8D8B-BE59186B6903}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1DDF805C-93B0-4706-8C02-2B27B5A13945}	2024-04-04_c888fc904a41f991fe67cf9faa72345d_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1DDF805C-93B0-4706-8C02-2B27B5A13945}\stubpath = "C:\\Windows\\{1DDF805C-93B0-4706-8C02-2B27B5A13945}.exe"	2024-04-04_c888fc904a41f991fe67cf9faa72345d_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AC0D5621-5BF9-464c-83BF-AD83CA760EF6}	{1DDF805C-93B0-4706-8C02-2B27B5A13945}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5234A5DF-73C9-4817-9097-295F8BF4A14C}	{AC0D5621-5BF9-464c-83BF-AD83CA760EF6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2367C278-671E-42ca-B2AF-E384016DC95C}	{07775CC3-8CFF-410f-B24D-574424DF4ADB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{879DE5A4-71D0-479d-B9DA-24E5C5978085}\stubpath = "C:\\Windows\\{879DE5A4-71D0-479d-B9DA-24E5C5978085}.exe"	{2367C278-671E-42ca-B2AF-E384016DC95C}.exe

Deletes itself 1 IoCs

pid	Process
2000	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2132	{1DDF805C-93B0-4706-8C02-2B27B5A13945}.exe
2528	{AC0D5621-5BF9-464c-83BF-AD83CA760EF6}.exe
2464	{5234A5DF-73C9-4817-9097-295F8BF4A14C}.exe
1772	{B1DC7BE1-A560-4b3c-A4AB-C14C65935F9C}.exe
1552	{112D23C2-20D5-4519-A7DC-79FE414D8294}.exe
808	{A174E798-ECEE-4048-A219-732436DA8234}.exe
2228	{1B2D92A0-7110-45c0-8D8B-BE59186B6903}.exe
2036	{07775CC3-8CFF-410f-B24D-574424DF4ADB}.exe
1480	{2367C278-671E-42ca-B2AF-E384016DC95C}.exe
2840	{879DE5A4-71D0-479d-B9DA-24E5C5978085}.exe
3048	{B36B3BC2-626E-4ee1-A768-9C19AD52E3CB}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{1DDF805C-93B0-4706-8C02-2B27B5A13945}.exe	2024-04-04_c888fc904a41f991fe67cf9faa72345d_goldeneye.exe
File created	C:\Windows\{5234A5DF-73C9-4817-9097-295F8BF4A14C}.exe	{AC0D5621-5BF9-464c-83BF-AD83CA760EF6}.exe
File created	C:\Windows\{112D23C2-20D5-4519-A7DC-79FE414D8294}.exe	{B1DC7BE1-A560-4b3c-A4AB-C14C65935F9C}.exe
File created	C:\Windows\{1B2D92A0-7110-45c0-8D8B-BE59186B6903}.exe	{A174E798-ECEE-4048-A219-732436DA8234}.exe
File created	C:\Windows\{2367C278-671E-42ca-B2AF-E384016DC95C}.exe	{07775CC3-8CFF-410f-B24D-574424DF4ADB}.exe
File created	C:\Windows\{879DE5A4-71D0-479d-B9DA-24E5C5978085}.exe	{2367C278-671E-42ca-B2AF-E384016DC95C}.exe
File created	C:\Windows\{AC0D5621-5BF9-464c-83BF-AD83CA760EF6}.exe	{1DDF805C-93B0-4706-8C02-2B27B5A13945}.exe
File created	C:\Windows\{B1DC7BE1-A560-4b3c-A4AB-C14C65935F9C}.exe	{5234A5DF-73C9-4817-9097-295F8BF4A14C}.exe
File created	C:\Windows\{A174E798-ECEE-4048-A219-732436DA8234}.exe	{112D23C2-20D5-4519-A7DC-79FE414D8294}.exe
File created	C:\Windows\{07775CC3-8CFF-410f-B24D-574424DF4ADB}.exe	{1B2D92A0-7110-45c0-8D8B-BE59186B6903}.exe
File created	C:\Windows\{B36B3BC2-626E-4ee1-A768-9C19AD52E3CB}.exe	{879DE5A4-71D0-479d-B9DA-24E5C5978085}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2076	2024-04-04_c888fc904a41f991fe67cf9faa72345d_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2132	{1DDF805C-93B0-4706-8C02-2B27B5A13945}.exe
Token: SeIncBasePriorityPrivilege	2528	{AC0D5621-5BF9-464c-83BF-AD83CA760EF6}.exe
Token: SeIncBasePriorityPrivilege	2464	{5234A5DF-73C9-4817-9097-295F8BF4A14C}.exe
Token: SeIncBasePriorityPrivilege	1772	{B1DC7BE1-A560-4b3c-A4AB-C14C65935F9C}.exe
Token: SeIncBasePriorityPrivilege	1552	{112D23C2-20D5-4519-A7DC-79FE414D8294}.exe
Token: SeIncBasePriorityPrivilege	808	{A174E798-ECEE-4048-A219-732436DA8234}.exe
Token: SeIncBasePriorityPrivilege	2228	{1B2D92A0-7110-45c0-8D8B-BE59186B6903}.exe
Token: SeIncBasePriorityPrivilege	2036	{07775CC3-8CFF-410f-B24D-574424DF4ADB}.exe
Token: SeIncBasePriorityPrivilege	1480	{2367C278-671E-42ca-B2AF-E384016DC95C}.exe
Token: SeIncBasePriorityPrivilege	2840	{879DE5A4-71D0-479d-B9DA-24E5C5978085}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2076 wrote to memory of 2132	2076	2024-04-04_c888fc904a41f991fe67cf9faa72345d_goldeneye.exe	28
PID 2076 wrote to memory of 2132	2076	2024-04-04_c888fc904a41f991fe67cf9faa72345d_goldeneye.exe	28
PID 2076 wrote to memory of 2132	2076	2024-04-04_c888fc904a41f991fe67cf9faa72345d_goldeneye.exe	28
PID 2076 wrote to memory of 2132	2076	2024-04-04_c888fc904a41f991fe67cf9faa72345d_goldeneye.exe	28
PID 2076 wrote to memory of 2000	2076	2024-04-04_c888fc904a41f991fe67cf9faa72345d_goldeneye.exe	29
PID 2076 wrote to memory of 2000	2076	2024-04-04_c888fc904a41f991fe67cf9faa72345d_goldeneye.exe	29
PID 2076 wrote to memory of 2000	2076	2024-04-04_c888fc904a41f991fe67cf9faa72345d_goldeneye.exe	29
PID 2076 wrote to memory of 2000	2076	2024-04-04_c888fc904a41f991fe67cf9faa72345d_goldeneye.exe	29
PID 2132 wrote to memory of 2528	2132	{1DDF805C-93B0-4706-8C02-2B27B5A13945}.exe	30
PID 2132 wrote to memory of 2528	2132	{1DDF805C-93B0-4706-8C02-2B27B5A13945}.exe	30
PID 2132 wrote to memory of 2528	2132	{1DDF805C-93B0-4706-8C02-2B27B5A13945}.exe	30
PID 2132 wrote to memory of 2528	2132	{1DDF805C-93B0-4706-8C02-2B27B5A13945}.exe	30
PID 2132 wrote to memory of 2604	2132	{1DDF805C-93B0-4706-8C02-2B27B5A13945}.exe	31
PID 2132 wrote to memory of 2604	2132	{1DDF805C-93B0-4706-8C02-2B27B5A13945}.exe	31
PID 2132 wrote to memory of 2604	2132	{1DDF805C-93B0-4706-8C02-2B27B5A13945}.exe	31
PID 2132 wrote to memory of 2604	2132	{1DDF805C-93B0-4706-8C02-2B27B5A13945}.exe	31
PID 2528 wrote to memory of 2464	2528	{AC0D5621-5BF9-464c-83BF-AD83CA760EF6}.exe	34
PID 2528 wrote to memory of 2464	2528	{AC0D5621-5BF9-464c-83BF-AD83CA760EF6}.exe	34
PID 2528 wrote to memory of 2464	2528	{AC0D5621-5BF9-464c-83BF-AD83CA760EF6}.exe	34
PID 2528 wrote to memory of 2464	2528	{AC0D5621-5BF9-464c-83BF-AD83CA760EF6}.exe	34
PID 2528 wrote to memory of 2860	2528	{AC0D5621-5BF9-464c-83BF-AD83CA760EF6}.exe	35
PID 2528 wrote to memory of 2860	2528	{AC0D5621-5BF9-464c-83BF-AD83CA760EF6}.exe	35
PID 2528 wrote to memory of 2860	2528	{AC0D5621-5BF9-464c-83BF-AD83CA760EF6}.exe	35
PID 2528 wrote to memory of 2860	2528	{AC0D5621-5BF9-464c-83BF-AD83CA760EF6}.exe	35
PID 2464 wrote to memory of 1772	2464	{5234A5DF-73C9-4817-9097-295F8BF4A14C}.exe	36
PID 2464 wrote to memory of 1772	2464	{5234A5DF-73C9-4817-9097-295F8BF4A14C}.exe	36
PID 2464 wrote to memory of 1772	2464	{5234A5DF-73C9-4817-9097-295F8BF4A14C}.exe	36
PID 2464 wrote to memory of 1772	2464	{5234A5DF-73C9-4817-9097-295F8BF4A14C}.exe	36
PID 2464 wrote to memory of 680	2464	{5234A5DF-73C9-4817-9097-295F8BF4A14C}.exe	37
PID 2464 wrote to memory of 680	2464	{5234A5DF-73C9-4817-9097-295F8BF4A14C}.exe	37
PID 2464 wrote to memory of 680	2464	{5234A5DF-73C9-4817-9097-295F8BF4A14C}.exe	37
PID 2464 wrote to memory of 680	2464	{5234A5DF-73C9-4817-9097-295F8BF4A14C}.exe	37
PID 1772 wrote to memory of 1552	1772	{B1DC7BE1-A560-4b3c-A4AB-C14C65935F9C}.exe	38
PID 1772 wrote to memory of 1552	1772	{B1DC7BE1-A560-4b3c-A4AB-C14C65935F9C}.exe	38
PID 1772 wrote to memory of 1552	1772	{B1DC7BE1-A560-4b3c-A4AB-C14C65935F9C}.exe	38
PID 1772 wrote to memory of 1552	1772	{B1DC7BE1-A560-4b3c-A4AB-C14C65935F9C}.exe	38
PID 1772 wrote to memory of 1672	1772	{B1DC7BE1-A560-4b3c-A4AB-C14C65935F9C}.exe	39
PID 1772 wrote to memory of 1672	1772	{B1DC7BE1-A560-4b3c-A4AB-C14C65935F9C}.exe	39
PID 1772 wrote to memory of 1672	1772	{B1DC7BE1-A560-4b3c-A4AB-C14C65935F9C}.exe	39
PID 1772 wrote to memory of 1672	1772	{B1DC7BE1-A560-4b3c-A4AB-C14C65935F9C}.exe	39
PID 1552 wrote to memory of 808	1552	{112D23C2-20D5-4519-A7DC-79FE414D8294}.exe	40
PID 1552 wrote to memory of 808	1552	{112D23C2-20D5-4519-A7DC-79FE414D8294}.exe	40
PID 1552 wrote to memory of 808	1552	{112D23C2-20D5-4519-A7DC-79FE414D8294}.exe	40
PID 1552 wrote to memory of 808	1552	{112D23C2-20D5-4519-A7DC-79FE414D8294}.exe	40
PID 1552 wrote to memory of 1288	1552	{112D23C2-20D5-4519-A7DC-79FE414D8294}.exe	41
PID 1552 wrote to memory of 1288	1552	{112D23C2-20D5-4519-A7DC-79FE414D8294}.exe	41
PID 1552 wrote to memory of 1288	1552	{112D23C2-20D5-4519-A7DC-79FE414D8294}.exe	41
PID 1552 wrote to memory of 1288	1552	{112D23C2-20D5-4519-A7DC-79FE414D8294}.exe	41
PID 808 wrote to memory of 2228	808	{A174E798-ECEE-4048-A219-732436DA8234}.exe	42
PID 808 wrote to memory of 2228	808	{A174E798-ECEE-4048-A219-732436DA8234}.exe	42
PID 808 wrote to memory of 2228	808	{A174E798-ECEE-4048-A219-732436DA8234}.exe	42
PID 808 wrote to memory of 2228	808	{A174E798-ECEE-4048-A219-732436DA8234}.exe	42
PID 808 wrote to memory of 1740	808	{A174E798-ECEE-4048-A219-732436DA8234}.exe	43
PID 808 wrote to memory of 1740	808	{A174E798-ECEE-4048-A219-732436DA8234}.exe	43
PID 808 wrote to memory of 1740	808	{A174E798-ECEE-4048-A219-732436DA8234}.exe	43
PID 808 wrote to memory of 1740	808	{A174E798-ECEE-4048-A219-732436DA8234}.exe	43
PID 2228 wrote to memory of 2036	2228	{1B2D92A0-7110-45c0-8D8B-BE59186B6903}.exe	44
PID 2228 wrote to memory of 2036	2228	{1B2D92A0-7110-45c0-8D8B-BE59186B6903}.exe	44
PID 2228 wrote to memory of 2036	2228	{1B2D92A0-7110-45c0-8D8B-BE59186B6903}.exe	44
PID 2228 wrote to memory of 2036	2228	{1B2D92A0-7110-45c0-8D8B-BE59186B6903}.exe	44
PID 2228 wrote to memory of 1720	2228	{1B2D92A0-7110-45c0-8D8B-BE59186B6903}.exe	45
PID 2228 wrote to memory of 1720	2228	{1B2D92A0-7110-45c0-8D8B-BE59186B6903}.exe	45
PID 2228 wrote to memory of 1720	2228	{1B2D92A0-7110-45c0-8D8B-BE59186B6903}.exe	45
PID 2228 wrote to memory of 1720	2228	{1B2D92A0-7110-45c0-8D8B-BE59186B6903}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-04-04_c888fc904a41f991fe67cf9faa72345d_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-04_c888fc904a41f991fe67cf9faa72345d_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2076
- C:\Windows\{1DDF805C-93B0-4706-8C02-2B27B5A13945}.exe
  C:\Windows\{1DDF805C-93B0-4706-8C02-2B27B5A13945}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2132
- - C:\Windows\{AC0D5621-5BF9-464c-83BF-AD83CA760EF6}.exe
    C:\Windows\{AC0D5621-5BF9-464c-83BF-AD83CA760EF6}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2528
  - - C:\Windows\{5234A5DF-73C9-4817-9097-295F8BF4A14C}.exe
      C:\Windows\{5234A5DF-73C9-4817-9097-295F8BF4A14C}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2464
    - - C:\Windows\{B1DC7BE1-A560-4b3c-A4AB-C14C65935F9C}.exe
        
        C:\Windows\{B1DC7BE1-A560-4b3c-A4AB-C14C65935F9C}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1772
      - C:\Windows\{112D23C2-20D5-4519-A7DC-79FE414D8294}.exe
        
        C:\Windows\{112D23C2-20D5-4519-A7DC-79FE414D8294}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1552
        
        C:\Windows\{A174E798-ECEE-4048-A219-732436DA8234}.exe
        
        C:\Windows\{A174E798-ECEE-4048-A219-732436DA8234}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:808
        
        C:\Windows\{1B2D92A0-7110-45c0-8D8B-BE59186B6903}.exe
        
        C:\Windows\{1B2D92A0-7110-45c0-8D8B-BE59186B6903}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2228
        
        C:\Windows\{07775CC3-8CFF-410f-B24D-574424DF4ADB}.exe
        
        C:\Windows\{07775CC3-8CFF-410f-B24D-574424DF4ADB}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2036
        
        C:\Windows\{2367C278-671E-42ca-B2AF-E384016DC95C}.exe
        
        C:\Windows\{2367C278-671E-42ca-B2AF-E384016DC95C}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1480
        
        C:\Windows\{879DE5A4-71D0-479d-B9DA-24E5C5978085}.exe
        
        C:\Windows\{879DE5A4-71D0-479d-B9DA-24E5C5978085}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2840
        
        C:\Windows\{B36B3BC2-626E-4ee1-A768-9C19AD52E3CB}.exe
        
        C:\Windows\{B36B3BC2-626E-4ee1-A768-9C19AD52E3CB}.exe
        12⤵
        Executes dropped EXE
        
        PID:3048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{879DE~1.EXE > nul
        12⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2367C~1.EXE > nul
        11⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{07775~1.EXE > nul
        10⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1B2D9~1.EXE > nul
        9⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A174E~1.EXE > nul
        8⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{112D2~1.EXE > nul
        7⤵
        
        PID:1288
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B1DC7~1.EXE > nul
        6⤵
        
        PID:1672
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5234A~1.EXE > nul
        5⤵
        
        PID:680
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{AC0D5~1.EXE > nul
      4⤵
      PID:2860
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{1DDF8~1.EXE > nul
    3⤵
    PID:2604
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{07775CC3-8CFF-410f-B24D-574424DF4ADB}.exe

Filesize
372KB

MD5
37691e1735805a0053a24690aa3b419f

SHA1
70c31019a995000ef6ca4a31024ba6d01a7b5d03

SHA256
090e8af2a0e1fbf7bb3438257c49dc7e959cce9c69765d3c7b8e9e606dac4c0e

SHA512
13059d8cc2091abefaec54ab8f2ce928fd19ce851bdbc3bf8c3119641ec14bb1b8cadf64e7b8209941f77100653be206f02e357697ce31db52d38abb7f5f62e8

Download Submit
C:\Windows\{112D23C2-20D5-4519-A7DC-79FE414D8294}.exe

Filesize
372KB

MD5
329142b3ad91b90cd9d273e6b13320c1

SHA1
30178599c24b01baaa8377b023e4087fe16f861b

SHA256
1cb3feab2eeb02a301bf09b7e78b1841a900e27de183d008b7c55d9a06808172

SHA512
873b5104eca8f5e73c220b3a4f843728f8fa971c2a6670063dc7a16d54c92d13e64b26e50ee98cdc1042e9f587a826d8ce251bee3d04131f3f9a28a0f3bc24c2

Download Submit
C:\Windows\{1B2D92A0-7110-45c0-8D8B-BE59186B6903}.exe

Filesize
372KB

MD5
c4df29a3f37f6a622608f6b4aa1b139a

SHA1
aeb405479271e15033f38f8b75d1052771ff9092

SHA256
6b685fbb9b79319f16026eae9ed5a7ebc8374756a0fb4b6f0c11ee8e6458a0b4

SHA512
c489cf399996283f3486eb5f61968f8c33ffd045daeb2eff8136f25c9efbac7f88a0d7d131f3962a0a3ba7237a86161d583629721b13199ba7be61f30d25bb08

Download Submit
C:\Windows\{1DDF805C-93B0-4706-8C02-2B27B5A13945}.exe

Filesize
372KB

MD5
256458e268063ad65f5c3b6b80aafc99

SHA1
1f60a7bbcc42fb3ce0f945c4b6ad074795793abe

SHA256
1144f2bddd7b8fc54e94add2a40227f5daf59f3e54f2887223bf37a606e0f296

SHA512
a6e11540c01c29ddeec35be82f85b3aea576cec83fb61041389cc0e276209e44a09bc400380f5b284d7646acbb52fb096d021c9195f6416c20c573d387cff88e

Download Submit
C:\Windows\{2367C278-671E-42ca-B2AF-E384016DC95C}.exe

Filesize
372KB

MD5
01530dcfeb4b855aeaeda01feab5cc32

SHA1
38cab8b658c1a7863f0e9cf7bceea8e6f9cf597d

SHA256
43927e555633ed71c53e9cf06aa600cdae07f4987aee8412f3752cbfd37c5e49

SHA512
bf23ecb639f3d4f1c89ccd869c8878cc34c7e1f8f4e4c3f0ec9fd76f559f0eb1bc77599d20dcc089bf057e8fcc779444f6778ea127ca5ba2360586c74864225c

Download Submit
C:\Windows\{5234A5DF-73C9-4817-9097-295F8BF4A14C}.exe

Filesize
372KB

MD5
2a26e80cca659dcd4d194e70de293072

SHA1
8c86e2ce113a9e3949e4fd187ed8cde2021eec10

SHA256
dc72f67d4b8c7038c2a9fe87de9fff8942fcea07e02574b12af4372453c24f05

SHA512
47b8bacfaa1cea1858698080a60d80dbae6636deb3ab151491777e24d50a1a458a300c0d6a031a300b9104f504d057f6ac3ad32d9f2b0364b3ccf83685fe60e7

Download Submit
C:\Windows\{879DE5A4-71D0-479d-B9DA-24E5C5978085}.exe

Filesize
372KB

MD5
0ff8c559c4ab82dca4d63a859f7bb550

SHA1
c8ada231489104fdea944998d4f8aee4c53504db

SHA256
b682ad213cd0f4ac272b5e991ca8954bd51089f601afe9d28b55366417524a24

SHA512
ecb951fef3c8129d3cad4d972550e2f707274f902d04a90acea5560590076b14f2de38888c6c80c6aa543d0c6899053b3656c9fa03100cbea85bf2e6e8cf452c

Download Submit
C:\Windows\{A174E798-ECEE-4048-A219-732436DA8234}.exe

Filesize
372KB

MD5
8bdeb79814aeb1aea87785561d2ef48b

SHA1
753178fe409db9172e6e521b259a7b587f10eecf

SHA256
6fc9c04ba5a02c339e644685a9209f00704993d9bde40db2a38fe1b116c0bf5a

SHA512
9d074fffa9dd246a2303e739f733a19b399d35cab71ecb5d6ab5e7ad00939cab27dc6e74309eb91e1e2f1dade161eda9a3d4ca1ba4e9897960c276c197eedb4d

Download Submit
C:\Windows\{AC0D5621-5BF9-464c-83BF-AD83CA760EF6}.exe

Filesize
372KB

MD5
bb5eee81abea2d9b710d5ba93c75debe

SHA1
ace803350f08a32a3bed53215223a67e0f16b02e

SHA256
bf27c99a68e57fbc2091992b558e05bc338b88d09c6ed9f1ae80af2b3be8758d

SHA512
6b45a5631a0abc1394f94126a05c5dd43a1966145f09ad940bff76629d123bd0c49585b1c5216bb7977bf9e2cb85ac5e0c11ca3193cbb16b8cdb23a40354a971

Download Submit
C:\Windows\{B1DC7BE1-A560-4b3c-A4AB-C14C65935F9C}.exe

Filesize
372KB

MD5
bc1dea791489bffb9c7b87a8f8040f0c

SHA1
491b7298d750ad6aa3be7d8a79d3f8a75d540330

SHA256
391862bd411f3352a6eecf88a2a7ed4840c1a7605484234ca76b644115a1821e

SHA512
25d4e993d3c730fbc7a0ba72bd10d9edbe5ecf9f9f7e48787451e4447d38babf84127a0d9859a80297ac714a09d39e3af908ecb34a3a6890a128abc802ec1f2c

Download Submit
C:\Windows\{B36B3BC2-626E-4ee1-A768-9C19AD52E3CB}.exe

Filesize
372KB

MD5
574a0c5cf04c6bf16c65ba460e5bf66d

SHA1
6307076094db2dbdd2431a6b842972c167ae6823

SHA256
8f68912ba3174e07cf2b62b1a42e032f7c97d6ad48f741d774fe9cc8f8ed4963

SHA512
b070c05dda8fcedc257dffd00f9e7a4261c26e65adcbb176e8e1987e125ef87eda06aee0b6178f921be8bbd7ca0f4419057854a5685ae7bfdd36f3be24f244ec

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads