2ce5b5aff3775a7e1c0538d439af4a6b233521bbe26f426d2f83ed05df3a33e2

Analysis

max time kernel
144s
max time network
123s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
05/04/2024, 15:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-05_739004c045e4ac8187f202d15685c9b7_goldeneye.exe
Size

380KB
MD5

739004c045e4ac8187f202d15685c9b7
SHA1

ebc2312277b72b8444af31e308ea0a4a9a9ce0a8
SHA256

2ce5b5aff3775a7e1c0538d439af4a6b233521bbe26f426d2f83ed05df3a33e2
SHA512

0bff6904d61b41946d93e8d7fdd514c1d6202221698e4a06a7643425b751317064fd8f7a060aad7d9479ba92edf02cef4ed0bc29068978b3e973751647cfcdd4
SSDEEP

3072:mEGh0oAlPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGCl7Oe2MUVg3v2IneKcAEcARy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x00090000000122be-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000013ab9-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a0000000122be-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x003600000001654a-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b0000000122be-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c0000000122be-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d0000000122be-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{45EFBF75-330A-4362-BE30-FF4B261A0E1A}	2024-04-05_739004c045e4ac8187f202d15685c9b7_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{968975ED-2D35-4dab-92BD-D79414321414}\stubpath = "C:\\Windows\\{968975ED-2D35-4dab-92BD-D79414321414}.exe"	{45EFBF75-330A-4362-BE30-FF4B261A0E1A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DB2C7ABF-28D8-4b8a-BD71-1EA73BEC7477}	{0DF4C052-A4D3-4266-ABCD-692357882649}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DB2C7ABF-28D8-4b8a-BD71-1EA73BEC7477}\stubpath = "C:\\Windows\\{DB2C7ABF-28D8-4b8a-BD71-1EA73BEC7477}.exe"	{0DF4C052-A4D3-4266-ABCD-692357882649}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{561DE4D1-7AB8-4bfc-9D9F-073A5A1DFA78}\stubpath = "C:\\Windows\\{561DE4D1-7AB8-4bfc-9D9F-073A5A1DFA78}.exe"	{DB2C7ABF-28D8-4b8a-BD71-1EA73BEC7477}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{09F6CB9B-A00E-45fe-9045-7337D56FA800}\stubpath = "C:\\Windows\\{09F6CB9B-A00E-45fe-9045-7337D56FA800}.exe"	{0BD2BB32-F3C5-4e4a-B37B-7C19271AE8CD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0BD2BB32-F3C5-4e4a-B37B-7C19271AE8CD}	{561DE4D1-7AB8-4bfc-9D9F-073A5A1DFA78}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{45EFBF75-330A-4362-BE30-FF4B261A0E1A}\stubpath = "C:\\Windows\\{45EFBF75-330A-4362-BE30-FF4B261A0E1A}.exe"	2024-04-05_739004c045e4ac8187f202d15685c9b7_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{968975ED-2D35-4dab-92BD-D79414321414}	{45EFBF75-330A-4362-BE30-FF4B261A0E1A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3208CAA7-D4A4-4d56-9491-5F2FE7D85C49}	{968975ED-2D35-4dab-92BD-D79414321414}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C16085B5-A801-4949-8E58-3674D3DEBA5F}	{3208CAA7-D4A4-4d56-9491-5F2FE7D85C49}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FB18D903-C483-40fa-B7F1-6A251B7F7543}	{C16085B5-A801-4949-8E58-3674D3DEBA5F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0DF4C052-A4D3-4266-ABCD-692357882649}	{FB18D903-C483-40fa-B7F1-6A251B7F7543}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0DF4C052-A4D3-4266-ABCD-692357882649}\stubpath = "C:\\Windows\\{0DF4C052-A4D3-4266-ABCD-692357882649}.exe"	{FB18D903-C483-40fa-B7F1-6A251B7F7543}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0BD2BB32-F3C5-4e4a-B37B-7C19271AE8CD}\stubpath = "C:\\Windows\\{0BD2BB32-F3C5-4e4a-B37B-7C19271AE8CD}.exe"	{561DE4D1-7AB8-4bfc-9D9F-073A5A1DFA78}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{09F6CB9B-A00E-45fe-9045-7337D56FA800}	{0BD2BB32-F3C5-4e4a-B37B-7C19271AE8CD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7F2C4AC2-807F-4e97-9AC5-A7A76FDFC392}	{09F6CB9B-A00E-45fe-9045-7337D56FA800}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3208CAA7-D4A4-4d56-9491-5F2FE7D85C49}\stubpath = "C:\\Windows\\{3208CAA7-D4A4-4d56-9491-5F2FE7D85C49}.exe"	{968975ED-2D35-4dab-92BD-D79414321414}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C16085B5-A801-4949-8E58-3674D3DEBA5F}\stubpath = "C:\\Windows\\{C16085B5-A801-4949-8E58-3674D3DEBA5F}.exe"	{3208CAA7-D4A4-4d56-9491-5F2FE7D85C49}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FB18D903-C483-40fa-B7F1-6A251B7F7543}\stubpath = "C:\\Windows\\{FB18D903-C483-40fa-B7F1-6A251B7F7543}.exe"	{C16085B5-A801-4949-8E58-3674D3DEBA5F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{561DE4D1-7AB8-4bfc-9D9F-073A5A1DFA78}	{DB2C7ABF-28D8-4b8a-BD71-1EA73BEC7477}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7F2C4AC2-807F-4e97-9AC5-A7A76FDFC392}\stubpath = "C:\\Windows\\{7F2C4AC2-807F-4e97-9AC5-A7A76FDFC392}.exe"	{09F6CB9B-A00E-45fe-9045-7337D56FA800}.exe

Deletes itself 1 IoCs

pid	Process
2548	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
380	{45EFBF75-330A-4362-BE30-FF4B261A0E1A}.exe
3032	{968975ED-2D35-4dab-92BD-D79414321414}.exe
2568	{3208CAA7-D4A4-4d56-9491-5F2FE7D85C49}.exe
2636	{C16085B5-A801-4949-8E58-3674D3DEBA5F}.exe
2744	{FB18D903-C483-40fa-B7F1-6A251B7F7543}.exe
1628	{0DF4C052-A4D3-4266-ABCD-692357882649}.exe
1624	{DB2C7ABF-28D8-4b8a-BD71-1EA73BEC7477}.exe
864	{561DE4D1-7AB8-4bfc-9D9F-073A5A1DFA78}.exe
1976	{0BD2BB32-F3C5-4e4a-B37B-7C19271AE8CD}.exe
588	{09F6CB9B-A00E-45fe-9045-7337D56FA800}.exe
2836	{7F2C4AC2-807F-4e97-9AC5-A7A76FDFC392}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{968975ED-2D35-4dab-92BD-D79414321414}.exe	{45EFBF75-330A-4362-BE30-FF4B261A0E1A}.exe
File created	C:\Windows\{FB18D903-C483-40fa-B7F1-6A251B7F7543}.exe	{C16085B5-A801-4949-8E58-3674D3DEBA5F}.exe
File created	C:\Windows\{0DF4C052-A4D3-4266-ABCD-692357882649}.exe	{FB18D903-C483-40fa-B7F1-6A251B7F7543}.exe
File created	C:\Windows\{09F6CB9B-A00E-45fe-9045-7337D56FA800}.exe	{0BD2BB32-F3C5-4e4a-B37B-7C19271AE8CD}.exe
File created	C:\Windows\{0BD2BB32-F3C5-4e4a-B37B-7C19271AE8CD}.exe	{561DE4D1-7AB8-4bfc-9D9F-073A5A1DFA78}.exe
File created	C:\Windows\{7F2C4AC2-807F-4e97-9AC5-A7A76FDFC392}.exe	{09F6CB9B-A00E-45fe-9045-7337D56FA800}.exe
File created	C:\Windows\{45EFBF75-330A-4362-BE30-FF4B261A0E1A}.exe	2024-04-05_739004c045e4ac8187f202d15685c9b7_goldeneye.exe
File created	C:\Windows\{3208CAA7-D4A4-4d56-9491-5F2FE7D85C49}.exe	{968975ED-2D35-4dab-92BD-D79414321414}.exe
File created	C:\Windows\{C16085B5-A801-4949-8E58-3674D3DEBA5F}.exe	{3208CAA7-D4A4-4d56-9491-5F2FE7D85C49}.exe
File created	C:\Windows\{DB2C7ABF-28D8-4b8a-BD71-1EA73BEC7477}.exe	{0DF4C052-A4D3-4266-ABCD-692357882649}.exe
File created	C:\Windows\{561DE4D1-7AB8-4bfc-9D9F-073A5A1DFA78}.exe	{DB2C7ABF-28D8-4b8a-BD71-1EA73BEC7477}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2080	2024-04-05_739004c045e4ac8187f202d15685c9b7_goldeneye.exe
Token: SeIncBasePriorityPrivilege	380	{45EFBF75-330A-4362-BE30-FF4B261A0E1A}.exe
Token: SeIncBasePriorityPrivilege	3032	{968975ED-2D35-4dab-92BD-D79414321414}.exe
Token: SeIncBasePriorityPrivilege	2568	{3208CAA7-D4A4-4d56-9491-5F2FE7D85C49}.exe
Token: SeIncBasePriorityPrivilege	2636	{C16085B5-A801-4949-8E58-3674D3DEBA5F}.exe
Token: SeIncBasePriorityPrivilege	2744	{FB18D903-C483-40fa-B7F1-6A251B7F7543}.exe
Token: SeIncBasePriorityPrivilege	1628	{0DF4C052-A4D3-4266-ABCD-692357882649}.exe
Token: SeIncBasePriorityPrivilege	1624	{DB2C7ABF-28D8-4b8a-BD71-1EA73BEC7477}.exe
Token: SeIncBasePriorityPrivilege	864	{561DE4D1-7AB8-4bfc-9D9F-073A5A1DFA78}.exe
Token: SeIncBasePriorityPrivilege	1976	{0BD2BB32-F3C5-4e4a-B37B-7C19271AE8CD}.exe
Token: SeIncBasePriorityPrivilege	588	{09F6CB9B-A00E-45fe-9045-7337D56FA800}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2080 wrote to memory of 380	2080	2024-04-05_739004c045e4ac8187f202d15685c9b7_goldeneye.exe	28
PID 2080 wrote to memory of 380	2080	2024-04-05_739004c045e4ac8187f202d15685c9b7_goldeneye.exe	28
PID 2080 wrote to memory of 380	2080	2024-04-05_739004c045e4ac8187f202d15685c9b7_goldeneye.exe	28
PID 2080 wrote to memory of 380	2080	2024-04-05_739004c045e4ac8187f202d15685c9b7_goldeneye.exe	28
PID 2080 wrote to memory of 2548	2080	2024-04-05_739004c045e4ac8187f202d15685c9b7_goldeneye.exe	29
PID 2080 wrote to memory of 2548	2080	2024-04-05_739004c045e4ac8187f202d15685c9b7_goldeneye.exe	29
PID 2080 wrote to memory of 2548	2080	2024-04-05_739004c045e4ac8187f202d15685c9b7_goldeneye.exe	29
PID 2080 wrote to memory of 2548	2080	2024-04-05_739004c045e4ac8187f202d15685c9b7_goldeneye.exe	29
PID 380 wrote to memory of 3032	380	{45EFBF75-330A-4362-BE30-FF4B261A0E1A}.exe	30
PID 380 wrote to memory of 3032	380	{45EFBF75-330A-4362-BE30-FF4B261A0E1A}.exe	30
PID 380 wrote to memory of 3032	380	{45EFBF75-330A-4362-BE30-FF4B261A0E1A}.exe	30
PID 380 wrote to memory of 3032	380	{45EFBF75-330A-4362-BE30-FF4B261A0E1A}.exe	30
PID 380 wrote to memory of 2688	380	{45EFBF75-330A-4362-BE30-FF4B261A0E1A}.exe	31
PID 380 wrote to memory of 2688	380	{45EFBF75-330A-4362-BE30-FF4B261A0E1A}.exe	31
PID 380 wrote to memory of 2688	380	{45EFBF75-330A-4362-BE30-FF4B261A0E1A}.exe	31
PID 380 wrote to memory of 2688	380	{45EFBF75-330A-4362-BE30-FF4B261A0E1A}.exe	31
PID 3032 wrote to memory of 2568	3032	{968975ED-2D35-4dab-92BD-D79414321414}.exe	32
PID 3032 wrote to memory of 2568	3032	{968975ED-2D35-4dab-92BD-D79414321414}.exe	32
PID 3032 wrote to memory of 2568	3032	{968975ED-2D35-4dab-92BD-D79414321414}.exe	32
PID 3032 wrote to memory of 2568	3032	{968975ED-2D35-4dab-92BD-D79414321414}.exe	32
PID 3032 wrote to memory of 2628	3032	{968975ED-2D35-4dab-92BD-D79414321414}.exe	33
PID 3032 wrote to memory of 2628	3032	{968975ED-2D35-4dab-92BD-D79414321414}.exe	33
PID 3032 wrote to memory of 2628	3032	{968975ED-2D35-4dab-92BD-D79414321414}.exe	33
PID 3032 wrote to memory of 2628	3032	{968975ED-2D35-4dab-92BD-D79414321414}.exe	33
PID 2568 wrote to memory of 2636	2568	{3208CAA7-D4A4-4d56-9491-5F2FE7D85C49}.exe	36
PID 2568 wrote to memory of 2636	2568	{3208CAA7-D4A4-4d56-9491-5F2FE7D85C49}.exe	36
PID 2568 wrote to memory of 2636	2568	{3208CAA7-D4A4-4d56-9491-5F2FE7D85C49}.exe	36
PID 2568 wrote to memory of 2636	2568	{3208CAA7-D4A4-4d56-9491-5F2FE7D85C49}.exe	36
PID 2568 wrote to memory of 2660	2568	{3208CAA7-D4A4-4d56-9491-5F2FE7D85C49}.exe	37
PID 2568 wrote to memory of 2660	2568	{3208CAA7-D4A4-4d56-9491-5F2FE7D85C49}.exe	37
PID 2568 wrote to memory of 2660	2568	{3208CAA7-D4A4-4d56-9491-5F2FE7D85C49}.exe	37
PID 2568 wrote to memory of 2660	2568	{3208CAA7-D4A4-4d56-9491-5F2FE7D85C49}.exe	37
PID 2636 wrote to memory of 2744	2636	{C16085B5-A801-4949-8E58-3674D3DEBA5F}.exe	38
PID 2636 wrote to memory of 2744	2636	{C16085B5-A801-4949-8E58-3674D3DEBA5F}.exe	38
PID 2636 wrote to memory of 2744	2636	{C16085B5-A801-4949-8E58-3674D3DEBA5F}.exe	38
PID 2636 wrote to memory of 2744	2636	{C16085B5-A801-4949-8E58-3674D3DEBA5F}.exe	38
PID 2636 wrote to memory of 2884	2636	{C16085B5-A801-4949-8E58-3674D3DEBA5F}.exe	39
PID 2636 wrote to memory of 2884	2636	{C16085B5-A801-4949-8E58-3674D3DEBA5F}.exe	39
PID 2636 wrote to memory of 2884	2636	{C16085B5-A801-4949-8E58-3674D3DEBA5F}.exe	39
PID 2636 wrote to memory of 2884	2636	{C16085B5-A801-4949-8E58-3674D3DEBA5F}.exe	39
PID 2744 wrote to memory of 1628	2744	{FB18D903-C483-40fa-B7F1-6A251B7F7543}.exe	40
PID 2744 wrote to memory of 1628	2744	{FB18D903-C483-40fa-B7F1-6A251B7F7543}.exe	40
PID 2744 wrote to memory of 1628	2744	{FB18D903-C483-40fa-B7F1-6A251B7F7543}.exe	40
PID 2744 wrote to memory of 1628	2744	{FB18D903-C483-40fa-B7F1-6A251B7F7543}.exe	40
PID 2744 wrote to memory of 1380	2744	{FB18D903-C483-40fa-B7F1-6A251B7F7543}.exe	41
PID 2744 wrote to memory of 1380	2744	{FB18D903-C483-40fa-B7F1-6A251B7F7543}.exe	41
PID 2744 wrote to memory of 1380	2744	{FB18D903-C483-40fa-B7F1-6A251B7F7543}.exe	41
PID 2744 wrote to memory of 1380	2744	{FB18D903-C483-40fa-B7F1-6A251B7F7543}.exe	41
PID 1628 wrote to memory of 1624	1628	{0DF4C052-A4D3-4266-ABCD-692357882649}.exe	42
PID 1628 wrote to memory of 1624	1628	{0DF4C052-A4D3-4266-ABCD-692357882649}.exe	42
PID 1628 wrote to memory of 1624	1628	{0DF4C052-A4D3-4266-ABCD-692357882649}.exe	42
PID 1628 wrote to memory of 1624	1628	{0DF4C052-A4D3-4266-ABCD-692357882649}.exe	42
PID 1628 wrote to memory of 2388	1628	{0DF4C052-A4D3-4266-ABCD-692357882649}.exe	43
PID 1628 wrote to memory of 2388	1628	{0DF4C052-A4D3-4266-ABCD-692357882649}.exe	43
PID 1628 wrote to memory of 2388	1628	{0DF4C052-A4D3-4266-ABCD-692357882649}.exe	43
PID 1628 wrote to memory of 2388	1628	{0DF4C052-A4D3-4266-ABCD-692357882649}.exe	43
PID 1624 wrote to memory of 864	1624	{DB2C7ABF-28D8-4b8a-BD71-1EA73BEC7477}.exe	44
PID 1624 wrote to memory of 864	1624	{DB2C7ABF-28D8-4b8a-BD71-1EA73BEC7477}.exe	44
PID 1624 wrote to memory of 864	1624	{DB2C7ABF-28D8-4b8a-BD71-1EA73BEC7477}.exe	44
PID 1624 wrote to memory of 864	1624	{DB2C7ABF-28D8-4b8a-BD71-1EA73BEC7477}.exe	44
PID 1624 wrote to memory of 2896	1624	{DB2C7ABF-28D8-4b8a-BD71-1EA73BEC7477}.exe	45
PID 1624 wrote to memory of 2896	1624	{DB2C7ABF-28D8-4b8a-BD71-1EA73BEC7477}.exe	45
PID 1624 wrote to memory of 2896	1624	{DB2C7ABF-28D8-4b8a-BD71-1EA73BEC7477}.exe	45
PID 1624 wrote to memory of 2896	1624	{DB2C7ABF-28D8-4b8a-BD71-1EA73BEC7477}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-04-05_739004c045e4ac8187f202d15685c9b7_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-05_739004c045e4ac8187f202d15685c9b7_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2080
- C:\Windows\{45EFBF75-330A-4362-BE30-FF4B261A0E1A}.exe
  C:\Windows\{45EFBF75-330A-4362-BE30-FF4B261A0E1A}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:380
- - C:\Windows\{968975ED-2D35-4dab-92BD-D79414321414}.exe
    C:\Windows\{968975ED-2D35-4dab-92BD-D79414321414}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3032
  - - C:\Windows\{3208CAA7-D4A4-4d56-9491-5F2FE7D85C49}.exe
      C:\Windows\{3208CAA7-D4A4-4d56-9491-5F2FE7D85C49}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2568
    - - C:\Windows\{C16085B5-A801-4949-8E58-3674D3DEBA5F}.exe
        
        C:\Windows\{C16085B5-A801-4949-8E58-3674D3DEBA5F}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2636
      - C:\Windows\{FB18D903-C483-40fa-B7F1-6A251B7F7543}.exe
        
        C:\Windows\{FB18D903-C483-40fa-B7F1-6A251B7F7543}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2744
        
        C:\Windows\{0DF4C052-A4D3-4266-ABCD-692357882649}.exe
        
        C:\Windows\{0DF4C052-A4D3-4266-ABCD-692357882649}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1628
        
        C:\Windows\{DB2C7ABF-28D8-4b8a-BD71-1EA73BEC7477}.exe
        
        C:\Windows\{DB2C7ABF-28D8-4b8a-BD71-1EA73BEC7477}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1624
        
        C:\Windows\{561DE4D1-7AB8-4bfc-9D9F-073A5A1DFA78}.exe
        
        C:\Windows\{561DE4D1-7AB8-4bfc-9D9F-073A5A1DFA78}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:864
        
        C:\Windows\{0BD2BB32-F3C5-4e4a-B37B-7C19271AE8CD}.exe
        
        C:\Windows\{0BD2BB32-F3C5-4e4a-B37B-7C19271AE8CD}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1976
        
        C:\Windows\{09F6CB9B-A00E-45fe-9045-7337D56FA800}.exe
        
        C:\Windows\{09F6CB9B-A00E-45fe-9045-7337D56FA800}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:588
        
        C:\Windows\{7F2C4AC2-807F-4e97-9AC5-A7A76FDFC392}.exe
        
        C:\Windows\{7F2C4AC2-807F-4e97-9AC5-A7A76FDFC392}.exe
        12⤵
        Executes dropped EXE
        
        PID:2836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{09F6C~1.EXE > nul
        12⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0BD2B~1.EXE > nul
        11⤵
        
        PID:800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{561DE~1.EXE > nul
        10⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DB2C7~1.EXE > nul
        9⤵
        
        PID:2896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0DF4C~1.EXE > nul
        8⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FB18D~1.EXE > nul
        7⤵
        
        PID:1380
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C1608~1.EXE > nul
        6⤵
        
        PID:2884
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3208C~1.EXE > nul
        5⤵
        
        PID:2660
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{96897~1.EXE > nul
      4⤵
      PID:2628
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{45EFB~1.EXE > nul
    3⤵
    PID:2688
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{09F6CB9B-A00E-45fe-9045-7337D56FA800}.exe

Filesize
380KB

MD5
7c4dd9e203b60c37f28b342c390a3dff

SHA1
2e066e153701e95b4f97c4d744e66ac4f3ece700

SHA256
e0c74a88ce0ad1ce153669e4987498936afb9474c3f82377eee628524e028be3

SHA512
e732c697fe85e4cce5aa2fa9c7407c3b4131bec09be044093b5153a641de51232ffd3368a716965f8aef40d5c588e75cf00080a1e78a302a63b5fcc2184a5414

Download Submit
C:\Windows\{0BD2BB32-F3C5-4e4a-B37B-7C19271AE8CD}.exe

Filesize
380KB

MD5
0c1eb8ea46033598637b6f095017d90c

SHA1
fd36d1b9b38d4cc83c5a0724fa5230b501e6c50c

SHA256
2f6e8c1cbda103f0fe13334a2cf96f44602928076ffc3c8add0d55175254a9be

SHA512
5f438dbded3ce2051eb0094e299ebef72750b32afd124becaad12549a06df0b52c1c306bba51f1d276d27bba4e938cf5f2e571227b1a670a5f63d7ba33a8e030

Download Submit
C:\Windows\{0DF4C052-A4D3-4266-ABCD-692357882649}.exe

Filesize
380KB

MD5
274a157df6f1bbe035b7b324cd29be84

SHA1
329307dc4b09ffe3cc8a393d90d9adad9a0e0024

SHA256
0f51d6b912532216c35db9782c0b96f906995fb55a4093280cae15caa9bcd992

SHA512
4ab9e668ec5ce7f93ced7b8e7df6f35e0b190441350ea35a359015da53500cd4c9e91738dbbfca4c549eb4e512d3d8c3f821a3720d26c61d437db65cdc2e33d9

Download Submit
C:\Windows\{3208CAA7-D4A4-4d56-9491-5F2FE7D85C49}.exe

Filesize
380KB

MD5
1eeb085657ebb1f1c506cdd08d4d99a3

SHA1
1a4f7b2ee79c4afcbec012669e9a8d2ec4632bae

SHA256
bd69861f6578896381c8bf4e6f4a0bf10ccc36f57b6f6e89adaa1ba47a8813ba

SHA512
82c9ebc6dc7f376d3ca9733d5bf16d47aab210b48a9c967980a6b1c76d10e48430418689f4db0a94f15d52732e3931ff47fd0f844f70f0931840bd302c296e7d

Download Submit
C:\Windows\{45EFBF75-330A-4362-BE30-FF4B261A0E1A}.exe

Filesize
380KB

MD5
68a47ee73f22c5c532eb162a20e4fdf7

SHA1
84de5ee0ad1e1c538a39f9de08b4be6bcce5688f

SHA256
f508b9872fca1d13d736278ac85e0e3472ff9cbceedecaf0816b0f05b0bc0013

SHA512
f7d3c4d59cbb453511097921463cc104b2f8ab22d6af9cbdb28ed277f1afd60413d641ca9f02a99167b8b631bc41f787228528e5b17c7739d84a5ec4147e7b89

Download Submit
C:\Windows\{561DE4D1-7AB8-4bfc-9D9F-073A5A1DFA78}.exe

Filesize
380KB

MD5
c6ac3e1ac29ea477c2486669133c4959

SHA1
103d202eb4c7112586c8ff073484f2c98093842f

SHA256
de8f913ae8ad97a05c79d0bc1f2deebe15b526549aab68e42b40aaa6e8fd6da3

SHA512
44830a209a777e637c04e48fb08d3bb17fa1a6b71669fb55c68999d35debcdebbb9b3a4a74efc1bd5dce1ca62a340e98f8ec6f1be0907fe46e4901495b210bc3

Download Submit
C:\Windows\{7F2C4AC2-807F-4e97-9AC5-A7A76FDFC392}.exe

Filesize
380KB

MD5
cfbea8168bc1af477aeb0366742332ed

SHA1
394e8a727f1b77ff6b673ce40c37231cd41b9903

SHA256
b6494b81c07cf8d7aa638e79effbdd997e8a12453b0631e15d941bdec5691058

SHA512
853eebcc3d9c3cd96797fcd6be621b17cc17eea72db7a51842c947540a95965098437e031d460346acb7072d5ca5403fa7bd6edbf7b5bed167e6f998bab50f34

Download Submit
C:\Windows\{968975ED-2D35-4dab-92BD-D79414321414}.exe

Filesize
380KB

MD5
cff19c7752495dbbbdefad3f94e29b8c

SHA1
cf135c4d0d321c09c2ac4193a9c778e03e46699b

SHA256
27c5d5137f30f17bbd3f6572f4a6191888a6661afda3a35e8a76e3e25fa716b6

SHA512
88e660dbb7ce0b915b613ecb55058bc37c4d1bdc015dae44ffde86801f9cc7af02fe5c75895cfaf30fa3433e1fd193512c8f37240b311f4cf9270c947468ac70

Download Submit
C:\Windows\{C16085B5-A801-4949-8E58-3674D3DEBA5F}.exe

Filesize
380KB

MD5
26b4408be9b55a764043ab7ea216979f

SHA1
6d4407884f1c484225f038b3ea6850bd917e0437

SHA256
9f4c6610dc9fb4ec8fb349931ab7d6ed834a38f3d5020c7bd2974da3c4131d19

SHA512
93dbaa252b59c27beea9ad3bc3ab3c16682f6ba94fda30a39540b87177b021d587438638e291c64c0857ebfdeb6d71d13d361a5825f2114ad1a25c9899d5b0b7

Download Submit
C:\Windows\{DB2C7ABF-28D8-4b8a-BD71-1EA73BEC7477}.exe

Filesize
380KB

MD5
56387b4fae90c299eb565062ba751778

SHA1
9c9bb1b01e0e8fd3d2713f549c203f074ec7f3bf

SHA256
aba42c855682fb7e6cd24701490b1dcc930a48635c6638d5213c23bb2dba527b

SHA512
5ac6be421923e81ded030f3e73b8bd9abf3a6c246765c6fa564b8fd17ebdd849de22708eda7e24aecee5cada1e11ead6c8af66600484aa5b7638036f4887261a

Download Submit
C:\Windows\{FB18D903-C483-40fa-B7F1-6A251B7F7543}.exe

Filesize
380KB

MD5
622bd612fac392523133d0c1f94b5fbf

SHA1
8e73026f03135acc877ec4954c3a9af8b68c7ea4

SHA256
a603e299ae154a469c5523d28e93a460ab5602feed31a56d4095d29682bc923a

SHA512
9a622a3bc9fe40a10d34ebc073d289318425d513c7308cdd4c21ca1332763ee795dd5e7cc40cc31d435c21430ccc96f50592ddea221aba72d5d09ec14107556f

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads