d611bb2796576c3f36c12646352f87ce345a57bc76022b09c72f00599eb1dc04

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
06/04/2024, 09:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-06_2bf9a6f0b3db71978a28cacfde2ed409_goldeneye.exe
Size

180KB
MD5

2bf9a6f0b3db71978a28cacfde2ed409
SHA1

a34fb5ef91e204b53aaa5c937a6ae73f9d4a6fc7
SHA256

d611bb2796576c3f36c12646352f87ce345a57bc76022b09c72f00599eb1dc04
SHA512

efb7f920dbaeed9606f681dfca6d48ad2c6019a3c69c8dbc96b76fe90f5988137aa7eb70ed4b47e95dfd0e8edd740f2becc36dd4a56467d47debad47aa188022
SSDEEP

3072:jEGh0oglfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGKl5eKcAEc

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000c00000001225d-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b000000013a3f-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d00000001225d-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0036000000014183-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e00000001225d-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f00000001225d-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0037000000014183-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7B145456-6B5F-496c-A9D7-35CE100705CA}\stubpath = "C:\\Windows\\{7B145456-6B5F-496c-A9D7-35CE100705CA}.exe"	{88EA832D-DEFB-4b16-9FAD-F199B1AA590A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{60C24692-18D9-4d03-AD80-92B9B90AF8A3}\stubpath = "C:\\Windows\\{60C24692-18D9-4d03-AD80-92B9B90AF8A3}.exe"	{7B145456-6B5F-496c-A9D7-35CE100705CA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{93385A39-0801-468f-9F5C-79A9216CA1B2}	{CE63E285-1458-4e24-82D6-166B69B5C069}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C31DE7BB-E60E-4c28-AB6D-C9D6E979389F}	{93385A39-0801-468f-9F5C-79A9216CA1B2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C31DE7BB-E60E-4c28-AB6D-C9D6E979389F}\stubpath = "C:\\Windows\\{C31DE7BB-E60E-4c28-AB6D-C9D6E979389F}.exe"	{93385A39-0801-468f-9F5C-79A9216CA1B2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3252B1D1-035C-41ef-AF96-C0ABFF09CD16}	{C31DE7BB-E60E-4c28-AB6D-C9D6E979389F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{86871136-7171-4bda-8133-E6605253BAE1}\stubpath = "C:\\Windows\\{86871136-7171-4bda-8133-E6605253BAE1}.exe"	{65C6A45B-844B-45a2-B4EE-24CD23389682}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DC40D2B8-28C9-48a2-A967-0C83585A3BCE}	{86871136-7171-4bda-8133-E6605253BAE1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CE63E285-1458-4e24-82D6-166B69B5C069}	{60C24692-18D9-4d03-AD80-92B9B90AF8A3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{86871136-7171-4bda-8133-E6605253BAE1}	{65C6A45B-844B-45a2-B4EE-24CD23389682}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DC40D2B8-28C9-48a2-A967-0C83585A3BCE}\stubpath = "C:\\Windows\\{DC40D2B8-28C9-48a2-A967-0C83585A3BCE}.exe"	{86871136-7171-4bda-8133-E6605253BAE1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{280A1F1A-348E-4d28-A6E2-BF42C1F9A153}\stubpath = "C:\\Windows\\{280A1F1A-348E-4d28-A6E2-BF42C1F9A153}.exe"	{DC40D2B8-28C9-48a2-A967-0C83585A3BCE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{88EA832D-DEFB-4b16-9FAD-F199B1AA590A}	{280A1F1A-348E-4d28-A6E2-BF42C1F9A153}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{88EA832D-DEFB-4b16-9FAD-F199B1AA590A}\stubpath = "C:\\Windows\\{88EA832D-DEFB-4b16-9FAD-F199B1AA590A}.exe"	{280A1F1A-348E-4d28-A6E2-BF42C1F9A153}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7B145456-6B5F-496c-A9D7-35CE100705CA}	{88EA832D-DEFB-4b16-9FAD-F199B1AA590A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CE63E285-1458-4e24-82D6-166B69B5C069}\stubpath = "C:\\Windows\\{CE63E285-1458-4e24-82D6-166B69B5C069}.exe"	{60C24692-18D9-4d03-AD80-92B9B90AF8A3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3252B1D1-035C-41ef-AF96-C0ABFF09CD16}\stubpath = "C:\\Windows\\{3252B1D1-035C-41ef-AF96-C0ABFF09CD16}.exe"	{C31DE7BB-E60E-4c28-AB6D-C9D6E979389F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{65C6A45B-844B-45a2-B4EE-24CD23389682}	2024-04-06_2bf9a6f0b3db71978a28cacfde2ed409_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{280A1F1A-348E-4d28-A6E2-BF42C1F9A153}	{DC40D2B8-28C9-48a2-A967-0C83585A3BCE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{93385A39-0801-468f-9F5C-79A9216CA1B2}\stubpath = "C:\\Windows\\{93385A39-0801-468f-9F5C-79A9216CA1B2}.exe"	{CE63E285-1458-4e24-82D6-166B69B5C069}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{65C6A45B-844B-45a2-B4EE-24CD23389682}\stubpath = "C:\\Windows\\{65C6A45B-844B-45a2-B4EE-24CD23389682}.exe"	2024-04-06_2bf9a6f0b3db71978a28cacfde2ed409_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{60C24692-18D9-4d03-AD80-92B9B90AF8A3}	{7B145456-6B5F-496c-A9D7-35CE100705CA}.exe

Deletes itself 1 IoCs

pid	Process
2208	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2172	{65C6A45B-844B-45a2-B4EE-24CD23389682}.exe
2712	{86871136-7171-4bda-8133-E6605253BAE1}.exe
2788	{DC40D2B8-28C9-48a2-A967-0C83585A3BCE}.exe
2976	{280A1F1A-348E-4d28-A6E2-BF42C1F9A153}.exe
2656	{88EA832D-DEFB-4b16-9FAD-F199B1AA590A}.exe
1812	{7B145456-6B5F-496c-A9D7-35CE100705CA}.exe
800	{60C24692-18D9-4d03-AD80-92B9B90AF8A3}.exe
1368	{CE63E285-1458-4e24-82D6-166B69B5C069}.exe
2256	{93385A39-0801-468f-9F5C-79A9216CA1B2}.exe
664	{C31DE7BB-E60E-4c28-AB6D-C9D6E979389F}.exe
1164	{3252B1D1-035C-41ef-AF96-C0ABFF09CD16}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{DC40D2B8-28C9-48a2-A967-0C83585A3BCE}.exe	{86871136-7171-4bda-8133-E6605253BAE1}.exe
File created	C:\Windows\{280A1F1A-348E-4d28-A6E2-BF42C1F9A153}.exe	{DC40D2B8-28C9-48a2-A967-0C83585A3BCE}.exe
File created	C:\Windows\{60C24692-18D9-4d03-AD80-92B9B90AF8A3}.exe	{7B145456-6B5F-496c-A9D7-35CE100705CA}.exe
File created	C:\Windows\{CE63E285-1458-4e24-82D6-166B69B5C069}.exe	{60C24692-18D9-4d03-AD80-92B9B90AF8A3}.exe
File created	C:\Windows\{C31DE7BB-E60E-4c28-AB6D-C9D6E979389F}.exe	{93385A39-0801-468f-9F5C-79A9216CA1B2}.exe
File created	C:\Windows\{3252B1D1-035C-41ef-AF96-C0ABFF09CD16}.exe	{C31DE7BB-E60E-4c28-AB6D-C9D6E979389F}.exe
File created	C:\Windows\{86871136-7171-4bda-8133-E6605253BAE1}.exe	{65C6A45B-844B-45a2-B4EE-24CD23389682}.exe
File created	C:\Windows\{88EA832D-DEFB-4b16-9FAD-F199B1AA590A}.exe	{280A1F1A-348E-4d28-A6E2-BF42C1F9A153}.exe
File created	C:\Windows\{7B145456-6B5F-496c-A9D7-35CE100705CA}.exe	{88EA832D-DEFB-4b16-9FAD-F199B1AA590A}.exe
File created	C:\Windows\{93385A39-0801-468f-9F5C-79A9216CA1B2}.exe	{CE63E285-1458-4e24-82D6-166B69B5C069}.exe
File created	C:\Windows\{65C6A45B-844B-45a2-B4EE-24CD23389682}.exe	2024-04-06_2bf9a6f0b3db71978a28cacfde2ed409_goldeneye.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2356	2024-04-06_2bf9a6f0b3db71978a28cacfde2ed409_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2172	{65C6A45B-844B-45a2-B4EE-24CD23389682}.exe
Token: SeIncBasePriorityPrivilege	2712	{86871136-7171-4bda-8133-E6605253BAE1}.exe
Token: SeIncBasePriorityPrivilege	2788	{DC40D2B8-28C9-48a2-A967-0C83585A3BCE}.exe
Token: SeIncBasePriorityPrivilege	2976	{280A1F1A-348E-4d28-A6E2-BF42C1F9A153}.exe
Token: SeIncBasePriorityPrivilege	2656	{88EA832D-DEFB-4b16-9FAD-F199B1AA590A}.exe
Token: SeIncBasePriorityPrivilege	1812	{7B145456-6B5F-496c-A9D7-35CE100705CA}.exe
Token: SeIncBasePriorityPrivilege	800	{60C24692-18D9-4d03-AD80-92B9B90AF8A3}.exe
Token: SeIncBasePriorityPrivilege	1368	{CE63E285-1458-4e24-82D6-166B69B5C069}.exe
Token: SeIncBasePriorityPrivilege	2256	{93385A39-0801-468f-9F5C-79A9216CA1B2}.exe
Token: SeIncBasePriorityPrivilege	664	{C31DE7BB-E60E-4c28-AB6D-C9D6E979389F}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2356 wrote to memory of 2172	2356	2024-04-06_2bf9a6f0b3db71978a28cacfde2ed409_goldeneye.exe	28
PID 2356 wrote to memory of 2172	2356	2024-04-06_2bf9a6f0b3db71978a28cacfde2ed409_goldeneye.exe	28
PID 2356 wrote to memory of 2172	2356	2024-04-06_2bf9a6f0b3db71978a28cacfde2ed409_goldeneye.exe	28
PID 2356 wrote to memory of 2172	2356	2024-04-06_2bf9a6f0b3db71978a28cacfde2ed409_goldeneye.exe	28
PID 2356 wrote to memory of 2208	2356	2024-04-06_2bf9a6f0b3db71978a28cacfde2ed409_goldeneye.exe	29
PID 2356 wrote to memory of 2208	2356	2024-04-06_2bf9a6f0b3db71978a28cacfde2ed409_goldeneye.exe	29
PID 2356 wrote to memory of 2208	2356	2024-04-06_2bf9a6f0b3db71978a28cacfde2ed409_goldeneye.exe	29
PID 2356 wrote to memory of 2208	2356	2024-04-06_2bf9a6f0b3db71978a28cacfde2ed409_goldeneye.exe	29
PID 2172 wrote to memory of 2712	2172	{65C6A45B-844B-45a2-B4EE-24CD23389682}.exe	30
PID 2172 wrote to memory of 2712	2172	{65C6A45B-844B-45a2-B4EE-24CD23389682}.exe	30
PID 2172 wrote to memory of 2712	2172	{65C6A45B-844B-45a2-B4EE-24CD23389682}.exe	30
PID 2172 wrote to memory of 2712	2172	{65C6A45B-844B-45a2-B4EE-24CD23389682}.exe	30
PID 2172 wrote to memory of 2696	2172	{65C6A45B-844B-45a2-B4EE-24CD23389682}.exe	31
PID 2172 wrote to memory of 2696	2172	{65C6A45B-844B-45a2-B4EE-24CD23389682}.exe	31
PID 2172 wrote to memory of 2696	2172	{65C6A45B-844B-45a2-B4EE-24CD23389682}.exe	31
PID 2172 wrote to memory of 2696	2172	{65C6A45B-844B-45a2-B4EE-24CD23389682}.exe	31
PID 2712 wrote to memory of 2788	2712	{86871136-7171-4bda-8133-E6605253BAE1}.exe	32
PID 2712 wrote to memory of 2788	2712	{86871136-7171-4bda-8133-E6605253BAE1}.exe	32
PID 2712 wrote to memory of 2788	2712	{86871136-7171-4bda-8133-E6605253BAE1}.exe	32
PID 2712 wrote to memory of 2788	2712	{86871136-7171-4bda-8133-E6605253BAE1}.exe	32
PID 2712 wrote to memory of 2816	2712	{86871136-7171-4bda-8133-E6605253BAE1}.exe	33
PID 2712 wrote to memory of 2816	2712	{86871136-7171-4bda-8133-E6605253BAE1}.exe	33
PID 2712 wrote to memory of 2816	2712	{86871136-7171-4bda-8133-E6605253BAE1}.exe	33
PID 2712 wrote to memory of 2816	2712	{86871136-7171-4bda-8133-E6605253BAE1}.exe	33
PID 2788 wrote to memory of 2976	2788	{DC40D2B8-28C9-48a2-A967-0C83585A3BCE}.exe	36
PID 2788 wrote to memory of 2976	2788	{DC40D2B8-28C9-48a2-A967-0C83585A3BCE}.exe	36
PID 2788 wrote to memory of 2976	2788	{DC40D2B8-28C9-48a2-A967-0C83585A3BCE}.exe	36
PID 2788 wrote to memory of 2976	2788	{DC40D2B8-28C9-48a2-A967-0C83585A3BCE}.exe	36
PID 2788 wrote to memory of 2060	2788	{DC40D2B8-28C9-48a2-A967-0C83585A3BCE}.exe	37
PID 2788 wrote to memory of 2060	2788	{DC40D2B8-28C9-48a2-A967-0C83585A3BCE}.exe	37
PID 2788 wrote to memory of 2060	2788	{DC40D2B8-28C9-48a2-A967-0C83585A3BCE}.exe	37
PID 2788 wrote to memory of 2060	2788	{DC40D2B8-28C9-48a2-A967-0C83585A3BCE}.exe	37
PID 2976 wrote to memory of 2656	2976	{280A1F1A-348E-4d28-A6E2-BF42C1F9A153}.exe	38
PID 2976 wrote to memory of 2656	2976	{280A1F1A-348E-4d28-A6E2-BF42C1F9A153}.exe	38
PID 2976 wrote to memory of 2656	2976	{280A1F1A-348E-4d28-A6E2-BF42C1F9A153}.exe	38
PID 2976 wrote to memory of 2656	2976	{280A1F1A-348E-4d28-A6E2-BF42C1F9A153}.exe	38
PID 2976 wrote to memory of 2752	2976	{280A1F1A-348E-4d28-A6E2-BF42C1F9A153}.exe	39
PID 2976 wrote to memory of 2752	2976	{280A1F1A-348E-4d28-A6E2-BF42C1F9A153}.exe	39
PID 2976 wrote to memory of 2752	2976	{280A1F1A-348E-4d28-A6E2-BF42C1F9A153}.exe	39
PID 2976 wrote to memory of 2752	2976	{280A1F1A-348E-4d28-A6E2-BF42C1F9A153}.exe	39
PID 2656 wrote to memory of 1812	2656	{88EA832D-DEFB-4b16-9FAD-F199B1AA590A}.exe	40
PID 2656 wrote to memory of 1812	2656	{88EA832D-DEFB-4b16-9FAD-F199B1AA590A}.exe	40
PID 2656 wrote to memory of 1812	2656	{88EA832D-DEFB-4b16-9FAD-F199B1AA590A}.exe	40
PID 2656 wrote to memory of 1812	2656	{88EA832D-DEFB-4b16-9FAD-F199B1AA590A}.exe	40
PID 2656 wrote to memory of 2020	2656	{88EA832D-DEFB-4b16-9FAD-F199B1AA590A}.exe	41
PID 2656 wrote to memory of 2020	2656	{88EA832D-DEFB-4b16-9FAD-F199B1AA590A}.exe	41
PID 2656 wrote to memory of 2020	2656	{88EA832D-DEFB-4b16-9FAD-F199B1AA590A}.exe	41
PID 2656 wrote to memory of 2020	2656	{88EA832D-DEFB-4b16-9FAD-F199B1AA590A}.exe	41
PID 1812 wrote to memory of 800	1812	{7B145456-6B5F-496c-A9D7-35CE100705CA}.exe	42
PID 1812 wrote to memory of 800	1812	{7B145456-6B5F-496c-A9D7-35CE100705CA}.exe	42
PID 1812 wrote to memory of 800	1812	{7B145456-6B5F-496c-A9D7-35CE100705CA}.exe	42
PID 1812 wrote to memory of 800	1812	{7B145456-6B5F-496c-A9D7-35CE100705CA}.exe	42
PID 1812 wrote to memory of 1712	1812	{7B145456-6B5F-496c-A9D7-35CE100705CA}.exe	43
PID 1812 wrote to memory of 1712	1812	{7B145456-6B5F-496c-A9D7-35CE100705CA}.exe	43
PID 1812 wrote to memory of 1712	1812	{7B145456-6B5F-496c-A9D7-35CE100705CA}.exe	43
PID 1812 wrote to memory of 1712	1812	{7B145456-6B5F-496c-A9D7-35CE100705CA}.exe	43
PID 800 wrote to memory of 1368	800	{60C24692-18D9-4d03-AD80-92B9B90AF8A3}.exe	44
PID 800 wrote to memory of 1368	800	{60C24692-18D9-4d03-AD80-92B9B90AF8A3}.exe	44
PID 800 wrote to memory of 1368	800	{60C24692-18D9-4d03-AD80-92B9B90AF8A3}.exe	44
PID 800 wrote to memory of 1368	800	{60C24692-18D9-4d03-AD80-92B9B90AF8A3}.exe	44
PID 800 wrote to memory of 2228	800	{60C24692-18D9-4d03-AD80-92B9B90AF8A3}.exe	45
PID 800 wrote to memory of 2228	800	{60C24692-18D9-4d03-AD80-92B9B90AF8A3}.exe	45
PID 800 wrote to memory of 2228	800	{60C24692-18D9-4d03-AD80-92B9B90AF8A3}.exe	45
PID 800 wrote to memory of 2228	800	{60C24692-18D9-4d03-AD80-92B9B90AF8A3}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-04-06_2bf9a6f0b3db71978a28cacfde2ed409_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-06_2bf9a6f0b3db71978a28cacfde2ed409_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2356
- C:\Windows\{65C6A45B-844B-45a2-B4EE-24CD23389682}.exe
  C:\Windows\{65C6A45B-844B-45a2-B4EE-24CD23389682}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2172
- - C:\Windows\{86871136-7171-4bda-8133-E6605253BAE1}.exe
    C:\Windows\{86871136-7171-4bda-8133-E6605253BAE1}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2712
  - - C:\Windows\{DC40D2B8-28C9-48a2-A967-0C83585A3BCE}.exe
      C:\Windows\{DC40D2B8-28C9-48a2-A967-0C83585A3BCE}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2788
    - - C:\Windows\{280A1F1A-348E-4d28-A6E2-BF42C1F9A153}.exe
        
        C:\Windows\{280A1F1A-348E-4d28-A6E2-BF42C1F9A153}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2976
      - C:\Windows\{88EA832D-DEFB-4b16-9FAD-F199B1AA590A}.exe
        
        C:\Windows\{88EA832D-DEFB-4b16-9FAD-F199B1AA590A}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2656
        
        C:\Windows\{7B145456-6B5F-496c-A9D7-35CE100705CA}.exe
        
        C:\Windows\{7B145456-6B5F-496c-A9D7-35CE100705CA}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1812
        
        C:\Windows\{60C24692-18D9-4d03-AD80-92B9B90AF8A3}.exe
        
        C:\Windows\{60C24692-18D9-4d03-AD80-92B9B90AF8A3}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:800
        
        C:\Windows\{CE63E285-1458-4e24-82D6-166B69B5C069}.exe
        
        C:\Windows\{CE63E285-1458-4e24-82D6-166B69B5C069}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1368
        
        C:\Windows\{93385A39-0801-468f-9F5C-79A9216CA1B2}.exe
        
        C:\Windows\{93385A39-0801-468f-9F5C-79A9216CA1B2}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2256
        
        C:\Windows\{C31DE7BB-E60E-4c28-AB6D-C9D6E979389F}.exe
        
        C:\Windows\{C31DE7BB-E60E-4c28-AB6D-C9D6E979389F}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:664
        
        C:\Windows\{3252B1D1-035C-41ef-AF96-C0ABFF09CD16}.exe
        
        C:\Windows\{3252B1D1-035C-41ef-AF96-C0ABFF09CD16}.exe
        12⤵
        Executes dropped EXE
        
        PID:1164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C31DE~1.EXE > nul
        12⤵
        
        PID:1108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{93385~1.EXE > nul
        11⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CE63E~1.EXE > nul
        10⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{60C24~1.EXE > nul
        9⤵
        
        PID:2228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7B145~1.EXE > nul
        8⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{88EA8~1.EXE > nul
        7⤵
        
        PID:2020
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{280A1~1.EXE > nul
        6⤵
        
        PID:2752
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DC40D~1.EXE > nul
        5⤵
        
        PID:2060
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{86871~1.EXE > nul
      4⤵
      PID:2816
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{65C6A~1.EXE > nul
    3⤵
    PID:2696
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{280A1F1A-348E-4d28-A6E2-BF42C1F9A153}.exe

Filesize
180KB

MD5
dcc1da317276edb14c8343aed1bd96dd

SHA1
0c660aa88974d622f09202c431f3811510154475

SHA256
592bfa19163c8193c300dd6fb638bf6158490a2b6bf2bf03e746bea059ca99f3

SHA512
4c80042be986c42d21657e64253105707ff15e8e7c8d12823099d0318aef4aba04c8d03248552bf024399672965e16737387fa9454f528e284aa677cb6107fbb

Download Submit
C:\Windows\{3252B1D1-035C-41ef-AF96-C0ABFF09CD16}.exe

Filesize
180KB

MD5
04bd927c2f39707664d43aa4f5f6f043

SHA1
9fcd45680cfa053ee47fc69d26ceeb9a628cca20

SHA256
6f1cf955f6b5c28fc740500a19e2f52ba492ded9623ebf54f0ae17ecf3ed3415

SHA512
be4958cb48defe4d797b6fe7eb1d9afa20043aeb5a70ddd7a9d3c35d1e406c8129c3c8660d8bc5c140d930180f1169786202c71428fb9801c62ce6456093cda8

Download Submit
C:\Windows\{60C24692-18D9-4d03-AD80-92B9B90AF8A3}.exe

Filesize
180KB

MD5
b10285f2d003a29cbb28ae53eb2c8e00

SHA1
43cfc5b9f4acc5d410384167ebb374879e900913

SHA256
8d7e18054a8f4d7011489b6f6be51962f41aef827295e0062ba6dac287c445e1

SHA512
5504210f2b14c3abcef142647b3c13bd2822997a6083638f2db213fcb21ff9f446a3516d1f4c61dec12bfbea432cf1cae8b49edde032cc695bd085090ef7f564

Download Submit
C:\Windows\{65C6A45B-844B-45a2-B4EE-24CD23389682}.exe

Filesize
180KB

MD5
8776d92d1b81220f4954864b0313a3bc

SHA1
ba743cc02e5ef55aa4a651a5ed8565de80b49e8b

SHA256
be1b8171d1cf39bd06bdb76f66001789033421e46ebefea317f7d04de1b4193a

SHA512
8ed4c88754810d9008ba3a1552d8b626c75bfdd521a1e01f358b969f51cdbbe5a3bcec8601a0d6b7793cf197febe55044f2e6e097ad82e3ddd018b60bce82b37

Download Submit
C:\Windows\{7B145456-6B5F-496c-A9D7-35CE100705CA}.exe

Filesize
180KB

MD5
3abe0a00d39b732a5f8479bb7d206d54

SHA1
c6fe8da7a5982bcc27de7460b399867aa7cfb912

SHA256
29c8e1d94a02fdd0c837d6a56412321704257c50fdc7e1e99391203b64abc221

SHA512
b33f8ad759c58f48141525e5a1f9e3aad3d0f3d714b4e502678febfab159a73526edd642b9c944b031289d05152453af853072de06637837e222cc035b272d1a

Download Submit
C:\Windows\{86871136-7171-4bda-8133-E6605253BAE1}.exe

Filesize
180KB

MD5
17c74967a6c850a04a3307ca6c23d008

SHA1
851117015c19a1caa9b8309c8650293536f68dc3

SHA256
1c567c516588df7180db8b983117638555bc71b279c5882993af3f9014d7942a

SHA512
8f8fcbc77f8353388fa4afe5e90e03f46d794939fb35ae948747395f17faaa58dab414b85d208b9f932c80c3d42a3dd28cdfc530f4a4bd56244c2011d1486e39

Download Submit
C:\Windows\{88EA832D-DEFB-4b16-9FAD-F199B1AA590A}.exe

Filesize
180KB

MD5
9b4997eac3cf56cc99123603d9954b78

SHA1
74814c8186fc4e50affe0cf09ec01e115b10c884

SHA256
b7b7591b4824904bbd5ba22c266ce66bd67fec5124d91160c2b6f65869abb16f

SHA512
7b70ab850fc5ef4457ebaa288f555b995f15ad742df78157cb81839f476c98c413897d383eb823cc9d5bd28d7b16cbb1d452aef26c8179871e131411d49f000e

Download Submit
C:\Windows\{93385A39-0801-468f-9F5C-79A9216CA1B2}.exe

Filesize
180KB

MD5
3f56e915cd3f48079987d472e205476a

SHA1
d5ccf366967cd794a1e01dac59625a6f880ce0bc

SHA256
d3914f26a0334d52dba4c77424000df69cbc2703423232dff9b558ced9e2b055

SHA512
c3ce1a3617d18689eba4771a9051c1d0a08b77cc69f067cee970e7c60ce5558bdb0c6d7026b11d031f2547b45a0c17dc9810de6728be578b99e0201e55916159

Download Submit
C:\Windows\{C31DE7BB-E60E-4c28-AB6D-C9D6E979389F}.exe

Filesize
180KB

MD5
0c80d6db03267541c93aa933f213bb68

SHA1
c8b4a6d8e118d537b5b81c5a13e9722ae0662f6a

SHA256
4b639ca3e2b3cdbdcea878bbb9b9895f54bdc89a253f5e391fcf003ddfe1b07c

SHA512
d74dfb7ce5ba34d4c128b861bb05fce77aa0100521cc04e9f89abde9dac4381f0dd480c703a05372e03c882575d1435dd171019d5cbf28fd756a9625e60b0907

Download Submit
C:\Windows\{CE63E285-1458-4e24-82D6-166B69B5C069}.exe

Filesize
180KB

MD5
6bdbfe6de74dc4a44d1e84edbf13b489

SHA1
6dd9818f2ae3be78228576596539a1244f710e82

SHA256
28e3959e760df37b697a960390906283e65d24f2ac4f3829f92bb67cb5373dc4

SHA512
9c944e5275f851368f467c5222c5911498204ca62b6b7af277662117e485e147d7aaa6defbc0cb5ada28b6d79ca1523e5020456b09b3ff8613bace30125d96e8

Download Submit
C:\Windows\{DC40D2B8-28C9-48a2-A967-0C83585A3BCE}.exe

Filesize
180KB

MD5
a38a87dfde810a50bcfc326a1f20f46a

SHA1
d322b7ba83eeb84685a5bf02210191d55f25edf5

SHA256
2d6a4b3b240c027b09e43e529943ac4616da6bbdaa1cb3ecfd00b30e20286ea7

SHA512
3bb872789f377ca21d8eeff26e2b4e765ae20d20ae5aaa9ce5145c97a79fc476f594c6c8b8a5cafa91e24e451f1c4ce25cfc6a40606d6b73a2516a7b8810cb6a

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads