040508e690e69d3890762983516d053b0351b0d776c5d813664d803e78e00828

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
09-04-2024 01:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-09_b4b10455c9eb49fe08f381434dd21aa4_goldeneye.exe
Size

372KB
MD5

b4b10455c9eb49fe08f381434dd21aa4
SHA1

0a49d1c636bb34f4aa8f69adb780d015efd7e182
SHA256

040508e690e69d3890762983516d053b0351b0d776c5d813664d803e78e00828
SHA512

47910407316ed36729bf9cab57632f9aa982400a62973aa92222e707372582ddd4fe8862b6c5488ce3099b917a8e2417f0522b74e378b1593e8aa33d07bfa1ae
SSDEEP

3072:CEGh0otlMOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBfM:CEGHlkOe2MUVg3vTeKcAEciTBqr3

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000c00000001225d-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000015d59-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d00000001225d-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e00000001225d-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0025000000016013-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0025000000016122-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0026000000016013-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00090000000161ee-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0027000000016013-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00070000000167bf-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C9356E6A-E00E-49a8-A353-D1AC3540A4E8}\stubpath = "C:\\Windows\\{C9356E6A-E00E-49a8-A353-D1AC3540A4E8}.exe"	{130D3E43-E599-4008-B71F-EE75CFA534C0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D2B2B43D-A863-4281-850D-F130091DC89A}\stubpath = "C:\\Windows\\{D2B2B43D-A863-4281-850D-F130091DC89A}.exe"	{1510A7C8-5428-47c1-893B-3B6172A065AD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DC77AF71-0F0F-4bbe-B944-236B8280FFCC}\stubpath = "C:\\Windows\\{DC77AF71-0F0F-4bbe-B944-236B8280FFCC}.exe"	{808A2E6D-FF86-4818-821A-EE7201C4160B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1510A7C8-5428-47c1-893B-3B6172A065AD}	{C9356E6A-E00E-49a8-A353-D1AC3540A4E8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BDCF5522-3A13-49f7-93C6-3CA556AE5C89}\stubpath = "C:\\Windows\\{BDCF5522-3A13-49f7-93C6-3CA556AE5C89}.exe"	{B420D590-88C8-4423-81B4-B3803911B706}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D7E3C9CC-41D3-4227-B444-20C042701308}	2024-04-09_b4b10455c9eb49fe08f381434dd21aa4_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D7E3C9CC-41D3-4227-B444-20C042701308}\stubpath = "C:\\Windows\\{D7E3C9CC-41D3-4227-B444-20C042701308}.exe"	2024-04-09_b4b10455c9eb49fe08f381434dd21aa4_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8AB81DA7-BE56-4de1-8125-C403B74FA4ED}	{D7E3C9CC-41D3-4227-B444-20C042701308}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{31EF7F36-23FA-4068-B441-662AFA601B8E}\stubpath = "C:\\Windows\\{31EF7F36-23FA-4068-B441-662AFA601B8E}.exe"	{8AB81DA7-BE56-4de1-8125-C403B74FA4ED}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{130D3E43-E599-4008-B71F-EE75CFA534C0}\stubpath = "C:\\Windows\\{130D3E43-E599-4008-B71F-EE75CFA534C0}.exe"	{31EF7F36-23FA-4068-B441-662AFA601B8E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{130D3E43-E599-4008-B71F-EE75CFA534C0}	{31EF7F36-23FA-4068-B441-662AFA601B8E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1510A7C8-5428-47c1-893B-3B6172A065AD}\stubpath = "C:\\Windows\\{1510A7C8-5428-47c1-893B-3B6172A065AD}.exe"	{C9356E6A-E00E-49a8-A353-D1AC3540A4E8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B420D590-88C8-4423-81B4-B3803911B706}	{D2B2B43D-A863-4281-850D-F130091DC89A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B420D590-88C8-4423-81B4-B3803911B706}\stubpath = "C:\\Windows\\{B420D590-88C8-4423-81B4-B3803911B706}.exe"	{D2B2B43D-A863-4281-850D-F130091DC89A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BDCF5522-3A13-49f7-93C6-3CA556AE5C89}	{B420D590-88C8-4423-81B4-B3803911B706}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{808A2E6D-FF86-4818-821A-EE7201C4160B}\stubpath = "C:\\Windows\\{808A2E6D-FF86-4818-821A-EE7201C4160B}.exe"	{BDCF5522-3A13-49f7-93C6-3CA556AE5C89}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DC77AF71-0F0F-4bbe-B944-236B8280FFCC}	{808A2E6D-FF86-4818-821A-EE7201C4160B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8AB81DA7-BE56-4de1-8125-C403B74FA4ED}\stubpath = "C:\\Windows\\{8AB81DA7-BE56-4de1-8125-C403B74FA4ED}.exe"	{D7E3C9CC-41D3-4227-B444-20C042701308}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{31EF7F36-23FA-4068-B441-662AFA601B8E}	{8AB81DA7-BE56-4de1-8125-C403B74FA4ED}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C9356E6A-E00E-49a8-A353-D1AC3540A4E8}	{130D3E43-E599-4008-B71F-EE75CFA534C0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D2B2B43D-A863-4281-850D-F130091DC89A}	{1510A7C8-5428-47c1-893B-3B6172A065AD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{808A2E6D-FF86-4818-821A-EE7201C4160B}	{BDCF5522-3A13-49f7-93C6-3CA556AE5C89}.exe

Deletes itself 1 IoCs

pid	Process
1324	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2172	{D7E3C9CC-41D3-4227-B444-20C042701308}.exe
2580	{8AB81DA7-BE56-4de1-8125-C403B74FA4ED}.exe
2436	{31EF7F36-23FA-4068-B441-662AFA601B8E}.exe
2884	{130D3E43-E599-4008-B71F-EE75CFA534C0}.exe
2628	{C9356E6A-E00E-49a8-A353-D1AC3540A4E8}.exe
2232	{1510A7C8-5428-47c1-893B-3B6172A065AD}.exe
1448	{D2B2B43D-A863-4281-850D-F130091DC89A}.exe
540	{B420D590-88C8-4423-81B4-B3803911B706}.exe
1544	{BDCF5522-3A13-49f7-93C6-3CA556AE5C89}.exe
2880	{808A2E6D-FF86-4818-821A-EE7201C4160B}.exe
2632	{DC77AF71-0F0F-4bbe-B944-236B8280FFCC}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{31EF7F36-23FA-4068-B441-662AFA601B8E}.exe	{8AB81DA7-BE56-4de1-8125-C403B74FA4ED}.exe
File created	C:\Windows\{130D3E43-E599-4008-B71F-EE75CFA534C0}.exe	{31EF7F36-23FA-4068-B441-662AFA601B8E}.exe
File created	C:\Windows\{808A2E6D-FF86-4818-821A-EE7201C4160B}.exe	{BDCF5522-3A13-49f7-93C6-3CA556AE5C89}.exe
File created	C:\Windows\{B420D590-88C8-4423-81B4-B3803911B706}.exe	{D2B2B43D-A863-4281-850D-F130091DC89A}.exe
File created	C:\Windows\{BDCF5522-3A13-49f7-93C6-3CA556AE5C89}.exe	{B420D590-88C8-4423-81B4-B3803911B706}.exe
File created	C:\Windows\{DC77AF71-0F0F-4bbe-B944-236B8280FFCC}.exe	{808A2E6D-FF86-4818-821A-EE7201C4160B}.exe
File created	C:\Windows\{D7E3C9CC-41D3-4227-B444-20C042701308}.exe	2024-04-09_b4b10455c9eb49fe08f381434dd21aa4_goldeneye.exe
File created	C:\Windows\{8AB81DA7-BE56-4de1-8125-C403B74FA4ED}.exe	{D7E3C9CC-41D3-4227-B444-20C042701308}.exe
File created	C:\Windows\{C9356E6A-E00E-49a8-A353-D1AC3540A4E8}.exe	{130D3E43-E599-4008-B71F-EE75CFA534C0}.exe
File created	C:\Windows\{1510A7C8-5428-47c1-893B-3B6172A065AD}.exe	{C9356E6A-E00E-49a8-A353-D1AC3540A4E8}.exe
File created	C:\Windows\{D2B2B43D-A863-4281-850D-F130091DC89A}.exe	{1510A7C8-5428-47c1-893B-3B6172A065AD}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2852	2024-04-09_b4b10455c9eb49fe08f381434dd21aa4_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2172	{D7E3C9CC-41D3-4227-B444-20C042701308}.exe
Token: SeIncBasePriorityPrivilege	2580	{8AB81DA7-BE56-4de1-8125-C403B74FA4ED}.exe
Token: SeIncBasePriorityPrivilege	2436	{31EF7F36-23FA-4068-B441-662AFA601B8E}.exe
Token: SeIncBasePriorityPrivilege	2884	{130D3E43-E599-4008-B71F-EE75CFA534C0}.exe
Token: SeIncBasePriorityPrivilege	2628	{C9356E6A-E00E-49a8-A353-D1AC3540A4E8}.exe
Token: SeIncBasePriorityPrivilege	2232	{1510A7C8-5428-47c1-893B-3B6172A065AD}.exe
Token: SeIncBasePriorityPrivilege	1448	{D2B2B43D-A863-4281-850D-F130091DC89A}.exe
Token: SeIncBasePriorityPrivilege	540	{B420D590-88C8-4423-81B4-B3803911B706}.exe
Token: SeIncBasePriorityPrivilege	1544	{BDCF5522-3A13-49f7-93C6-3CA556AE5C89}.exe
Token: SeIncBasePriorityPrivilege	2880	{808A2E6D-FF86-4818-821A-EE7201C4160B}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2852 wrote to memory of 2172	2852	2024-04-09_b4b10455c9eb49fe08f381434dd21aa4_goldeneye.exe	28
PID 2852 wrote to memory of 2172	2852	2024-04-09_b4b10455c9eb49fe08f381434dd21aa4_goldeneye.exe	28
PID 2852 wrote to memory of 2172	2852	2024-04-09_b4b10455c9eb49fe08f381434dd21aa4_goldeneye.exe	28
PID 2852 wrote to memory of 2172	2852	2024-04-09_b4b10455c9eb49fe08f381434dd21aa4_goldeneye.exe	28
PID 2852 wrote to memory of 1324	2852	2024-04-09_b4b10455c9eb49fe08f381434dd21aa4_goldeneye.exe	29
PID 2852 wrote to memory of 1324	2852	2024-04-09_b4b10455c9eb49fe08f381434dd21aa4_goldeneye.exe	29
PID 2852 wrote to memory of 1324	2852	2024-04-09_b4b10455c9eb49fe08f381434dd21aa4_goldeneye.exe	29
PID 2852 wrote to memory of 1324	2852	2024-04-09_b4b10455c9eb49fe08f381434dd21aa4_goldeneye.exe	29
PID 2172 wrote to memory of 2580	2172	{D7E3C9CC-41D3-4227-B444-20C042701308}.exe	30
PID 2172 wrote to memory of 2580	2172	{D7E3C9CC-41D3-4227-B444-20C042701308}.exe	30
PID 2172 wrote to memory of 2580	2172	{D7E3C9CC-41D3-4227-B444-20C042701308}.exe	30
PID 2172 wrote to memory of 2580	2172	{D7E3C9CC-41D3-4227-B444-20C042701308}.exe	30
PID 2172 wrote to memory of 2684	2172	{D7E3C9CC-41D3-4227-B444-20C042701308}.exe	31
PID 2172 wrote to memory of 2684	2172	{D7E3C9CC-41D3-4227-B444-20C042701308}.exe	31
PID 2172 wrote to memory of 2684	2172	{D7E3C9CC-41D3-4227-B444-20C042701308}.exe	31
PID 2172 wrote to memory of 2684	2172	{D7E3C9CC-41D3-4227-B444-20C042701308}.exe	31
PID 2580 wrote to memory of 2436	2580	{8AB81DA7-BE56-4de1-8125-C403B74FA4ED}.exe	32
PID 2580 wrote to memory of 2436	2580	{8AB81DA7-BE56-4de1-8125-C403B74FA4ED}.exe	32
PID 2580 wrote to memory of 2436	2580	{8AB81DA7-BE56-4de1-8125-C403B74FA4ED}.exe	32
PID 2580 wrote to memory of 2436	2580	{8AB81DA7-BE56-4de1-8125-C403B74FA4ED}.exe	32
PID 2580 wrote to memory of 2708	2580	{8AB81DA7-BE56-4de1-8125-C403B74FA4ED}.exe	33
PID 2580 wrote to memory of 2708	2580	{8AB81DA7-BE56-4de1-8125-C403B74FA4ED}.exe	33
PID 2580 wrote to memory of 2708	2580	{8AB81DA7-BE56-4de1-8125-C403B74FA4ED}.exe	33
PID 2580 wrote to memory of 2708	2580	{8AB81DA7-BE56-4de1-8125-C403B74FA4ED}.exe	33
PID 2436 wrote to memory of 2884	2436	{31EF7F36-23FA-4068-B441-662AFA601B8E}.exe	36
PID 2436 wrote to memory of 2884	2436	{31EF7F36-23FA-4068-B441-662AFA601B8E}.exe	36
PID 2436 wrote to memory of 2884	2436	{31EF7F36-23FA-4068-B441-662AFA601B8E}.exe	36
PID 2436 wrote to memory of 2884	2436	{31EF7F36-23FA-4068-B441-662AFA601B8E}.exe	36
PID 2436 wrote to memory of 2312	2436	{31EF7F36-23FA-4068-B441-662AFA601B8E}.exe	37
PID 2436 wrote to memory of 2312	2436	{31EF7F36-23FA-4068-B441-662AFA601B8E}.exe	37
PID 2436 wrote to memory of 2312	2436	{31EF7F36-23FA-4068-B441-662AFA601B8E}.exe	37
PID 2436 wrote to memory of 2312	2436	{31EF7F36-23FA-4068-B441-662AFA601B8E}.exe	37
PID 2884 wrote to memory of 2628	2884	{130D3E43-E599-4008-B71F-EE75CFA534C0}.exe	38
PID 2884 wrote to memory of 2628	2884	{130D3E43-E599-4008-B71F-EE75CFA534C0}.exe	38
PID 2884 wrote to memory of 2628	2884	{130D3E43-E599-4008-B71F-EE75CFA534C0}.exe	38
PID 2884 wrote to memory of 2628	2884	{130D3E43-E599-4008-B71F-EE75CFA534C0}.exe	38
PID 2884 wrote to memory of 2724	2884	{130D3E43-E599-4008-B71F-EE75CFA534C0}.exe	39
PID 2884 wrote to memory of 2724	2884	{130D3E43-E599-4008-B71F-EE75CFA534C0}.exe	39
PID 2884 wrote to memory of 2724	2884	{130D3E43-E599-4008-B71F-EE75CFA534C0}.exe	39
PID 2884 wrote to memory of 2724	2884	{130D3E43-E599-4008-B71F-EE75CFA534C0}.exe	39
PID 2628 wrote to memory of 2232	2628	{C9356E6A-E00E-49a8-A353-D1AC3540A4E8}.exe	40
PID 2628 wrote to memory of 2232	2628	{C9356E6A-E00E-49a8-A353-D1AC3540A4E8}.exe	40
PID 2628 wrote to memory of 2232	2628	{C9356E6A-E00E-49a8-A353-D1AC3540A4E8}.exe	40
PID 2628 wrote to memory of 2232	2628	{C9356E6A-E00E-49a8-A353-D1AC3540A4E8}.exe	40
PID 2628 wrote to memory of 784	2628	{C9356E6A-E00E-49a8-A353-D1AC3540A4E8}.exe	41
PID 2628 wrote to memory of 784	2628	{C9356E6A-E00E-49a8-A353-D1AC3540A4E8}.exe	41
PID 2628 wrote to memory of 784	2628	{C9356E6A-E00E-49a8-A353-D1AC3540A4E8}.exe	41
PID 2628 wrote to memory of 784	2628	{C9356E6A-E00E-49a8-A353-D1AC3540A4E8}.exe	41
PID 2232 wrote to memory of 1448	2232	{1510A7C8-5428-47c1-893B-3B6172A065AD}.exe	42
PID 2232 wrote to memory of 1448	2232	{1510A7C8-5428-47c1-893B-3B6172A065AD}.exe	42
PID 2232 wrote to memory of 1448	2232	{1510A7C8-5428-47c1-893B-3B6172A065AD}.exe	42
PID 2232 wrote to memory of 1448	2232	{1510A7C8-5428-47c1-893B-3B6172A065AD}.exe	42
PID 2232 wrote to memory of 1260	2232	{1510A7C8-5428-47c1-893B-3B6172A065AD}.exe	43
PID 2232 wrote to memory of 1260	2232	{1510A7C8-5428-47c1-893B-3B6172A065AD}.exe	43
PID 2232 wrote to memory of 1260	2232	{1510A7C8-5428-47c1-893B-3B6172A065AD}.exe	43
PID 2232 wrote to memory of 1260	2232	{1510A7C8-5428-47c1-893B-3B6172A065AD}.exe	43
PID 1448 wrote to memory of 540	1448	{D2B2B43D-A863-4281-850D-F130091DC89A}.exe	44
PID 1448 wrote to memory of 540	1448	{D2B2B43D-A863-4281-850D-F130091DC89A}.exe	44
PID 1448 wrote to memory of 540	1448	{D2B2B43D-A863-4281-850D-F130091DC89A}.exe	44
PID 1448 wrote to memory of 540	1448	{D2B2B43D-A863-4281-850D-F130091DC89A}.exe	44
PID 1448 wrote to memory of 336	1448	{D2B2B43D-A863-4281-850D-F130091DC89A}.exe	45
PID 1448 wrote to memory of 336	1448	{D2B2B43D-A863-4281-850D-F130091DC89A}.exe	45
PID 1448 wrote to memory of 336	1448	{D2B2B43D-A863-4281-850D-F130091DC89A}.exe	45
PID 1448 wrote to memory of 336	1448	{D2B2B43D-A863-4281-850D-F130091DC89A}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-04-09_b4b10455c9eb49fe08f381434dd21aa4_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-09_b4b10455c9eb49fe08f381434dd21aa4_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2852
- C:\Windows\{D7E3C9CC-41D3-4227-B444-20C042701308}.exe
  C:\Windows\{D7E3C9CC-41D3-4227-B444-20C042701308}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2172
- - C:\Windows\{8AB81DA7-BE56-4de1-8125-C403B74FA4ED}.exe
    C:\Windows\{8AB81DA7-BE56-4de1-8125-C403B74FA4ED}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2580
  - - C:\Windows\{31EF7F36-23FA-4068-B441-662AFA601B8E}.exe
      C:\Windows\{31EF7F36-23FA-4068-B441-662AFA601B8E}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2436
    - - C:\Windows\{130D3E43-E599-4008-B71F-EE75CFA534C0}.exe
        
        C:\Windows\{130D3E43-E599-4008-B71F-EE75CFA534C0}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2884
      - C:\Windows\{C9356E6A-E00E-49a8-A353-D1AC3540A4E8}.exe
        
        C:\Windows\{C9356E6A-E00E-49a8-A353-D1AC3540A4E8}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2628
        
        C:\Windows\{1510A7C8-5428-47c1-893B-3B6172A065AD}.exe
        
        C:\Windows\{1510A7C8-5428-47c1-893B-3B6172A065AD}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2232
        
        C:\Windows\{D2B2B43D-A863-4281-850D-F130091DC89A}.exe
        
        C:\Windows\{D2B2B43D-A863-4281-850D-F130091DC89A}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1448
        
        C:\Windows\{B420D590-88C8-4423-81B4-B3803911B706}.exe
        
        C:\Windows\{B420D590-88C8-4423-81B4-B3803911B706}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:540
        
        C:\Windows\{BDCF5522-3A13-49f7-93C6-3CA556AE5C89}.exe
        
        C:\Windows\{BDCF5522-3A13-49f7-93C6-3CA556AE5C89}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1544
        
        C:\Windows\{808A2E6D-FF86-4818-821A-EE7201C4160B}.exe
        
        C:\Windows\{808A2E6D-FF86-4818-821A-EE7201C4160B}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2880
        
        C:\Windows\{DC77AF71-0F0F-4bbe-B944-236B8280FFCC}.exe
        
        C:\Windows\{DC77AF71-0F0F-4bbe-B944-236B8280FFCC}.exe
        12⤵
        Executes dropped EXE
        
        PID:2632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{808A2~1.EXE > nul
        12⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BDCF5~1.EXE > nul
        11⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B420D~1.EXE > nul
        10⤵
        
        PID:1452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D2B2B~1.EXE > nul
        9⤵
        
        PID:336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1510A~1.EXE > nul
        8⤵
        
        PID:1260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C9356~1.EXE > nul
        7⤵
        
        PID:784
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{130D3~1.EXE > nul
        6⤵
        
        PID:2724
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{31EF7~1.EXE > nul
        5⤵
        
        PID:2312
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{8AB81~1.EXE > nul
      4⤵
      PID:2708
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{D7E3C~1.EXE > nul
    3⤵
    PID:2684
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:1324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{130D3E43-E599-4008-B71F-EE75CFA534C0}.exe

Filesize
372KB

MD5
86414287163dcde21e60653521720005

SHA1
ec26496cfae6396441a42806ff4f8d155b4afdf8

SHA256
2a39198fb7858f781f3ba8669f9f60841d8b52a6be08745f799ecca9a61c8396

SHA512
0571ece2a814e58acd335e0afa239329115681e28de5252250b1d87f0410bc4b768e49a696cf2e9df3a27c52fa6f5ec796c01c532d9b63b26881e7428fdeeeca

Download Submit
C:\Windows\{1510A7C8-5428-47c1-893B-3B6172A065AD}.exe

Filesize
372KB

MD5
3df8c2e554e04a0984fb8589d4cd6731

SHA1
1e2a688e75dcbe4ed9cb1fd704fab6f06890a088

SHA256
a4bfb4b4744fd739e55b6c2e8157ea029fdbc0b08552054f008b178d0310de34

SHA512
4d12f33db5361853ca6c0d14f34e32c41ef1d041cba83cc08548fb23c3ae74eca79f0e38a13e2e5493ff9552ee1fef9f08f1e6117885c7502afedc9c3efdbe19

Download Submit
C:\Windows\{31EF7F36-23FA-4068-B441-662AFA601B8E}.exe

Filesize
372KB

MD5
14ccd97ceafc93884760d59ccf9f8f04

SHA1
3b51beff62f3555a6697acde2c8e4e66ca4b4a1a

SHA256
fec8896a8d9eb5f0784d29cc36539d61249bb37355f789ffac25176a69d99efc

SHA512
3b080862a1c4ea10da7b3489194146808ab5999d8b90c2588e66b44d291f602df60dcbc93a4f2d3d06a1d9c599676ec91aa3765a156dc0743d4041d84289cd51

Download Submit
C:\Windows\{808A2E6D-FF86-4818-821A-EE7201C4160B}.exe

Filesize
372KB

MD5
43322f896703d5f2dc3b8d522757f78f

SHA1
2f8000f56b01a15fbf69e76f245b511beaeb210f

SHA256
fa94cfa1ca888e6facfa6bbc2ce43902be5664b0fea4592c991308671f22733c

SHA512
3c6fca01a85b2438fd0f2d85787658830289a89cd637d251d604a75b5e2123659984e7644301fe90776ac5e0573562d231ccf32e5d5e25efcf49e835de1318d8

Download Submit
C:\Windows\{8AB81DA7-BE56-4de1-8125-C403B74FA4ED}.exe

Filesize
372KB

MD5
3d5a7e0c70de4aae97aa348666a4f47e

SHA1
0e46795693fbcea79e6feec583295ff33699e553

SHA256
2bcc5192020871124ab431ac8193df8015065ab0b6306b830e4d0cc9673f0723

SHA512
c4011cb35f92920bd23102475600964ee4f892483ae63e4ca51ec54335c5541f5bf33902a9a7f5f6d5c28711f5a94e3788089dcb7e37a33134eba060c7ec4e61

Download Submit
C:\Windows\{B420D590-88C8-4423-81B4-B3803911B706}.exe

Filesize
372KB

MD5
647e80a2728412ad6bc841a7d744aa79

SHA1
77c94393a48669cfebfc3e3975ffebcfbca4b391

SHA256
a6122e120e39f8f4da0296434c236289b5972915e376b9fc57f15109db780d00

SHA512
c9e8e0ba2b755f257cd0edd565806b29efe6b9f167cb7f2183102308f4dcdcb843ae4ec23468e1a588b11b28d707056f052dd74fb176950419bd86565edee269

Download Submit
C:\Windows\{BDCF5522-3A13-49f7-93C6-3CA556AE5C89}.exe

Filesize
372KB

MD5
1cdbc01d05cd78ce55f3a515ac89da60

SHA1
04b011a1aafe90c225dd210556486c77dde7e9b5

SHA256
7e1030ea2822d4440ca98ed56dc333dddcc8e84149c0d61e0d70208e75b8785c

SHA512
f2b6a06b72703e7a60937963e8192776659b057ebff6ff29184ebd6164cf5669606a1e43d2d4a422b66d966edf76ed4e1996fb21622afd188e3792f66a3264de

Download Submit
C:\Windows\{C9356E6A-E00E-49a8-A353-D1AC3540A4E8}.exe

Filesize
372KB

MD5
7149d7c51f55ac7df14de32532a23814

SHA1
8079c965feb17bfa29d72e62a6d6ad3f78a8ff21

SHA256
bd4abe6e0dc6c2fc98d06f5e20ec91b38a64b0fac849bdea0ad19bbd8f45717c

SHA512
8cb4309e5e5ac323c38d9ab6c07778fb8eff346539ddc16edce5b1fd36d248035aca7a88d40c3bd74b9984c3500b25e213fa044cd4ca9dbbf73e4d49a6cbd900

Download Submit
C:\Windows\{D2B2B43D-A863-4281-850D-F130091DC89A}.exe

Filesize
372KB

MD5
ab53410a2a9bc29632ba13f8a8d651ef

SHA1
50b1af6df61e3897157ea57fc8ea2df0eeae0053

SHA256
eef3188f2937a5c3d0565dbdec8b66f4277482004827c678018973f369f9e19a

SHA512
0d3bb6d25fb6b1615c329a758bfc5b24e31fa91b546bf61a6eb2572c45f8324161bf7955df31ad631ef4819071f013165f64bec53d4105fc57cfcc668327aeca

Download Submit
C:\Windows\{D7E3C9CC-41D3-4227-B444-20C042701308}.exe

Filesize
372KB

MD5
2423dce1fb70a79088e87cec20ef9ca0

SHA1
6452511245ca23ea543d920651563401cdfb2982

SHA256
fd5b90a4f761f19812a2d695cba114ad5a6d08d638b74a26f72cf212086db9f5

SHA512
bd0495b94ce4db00fefed96269c9fe02945055131be7568ef039a4d14950632523efab932ee865c057cf3cd9ad30267424c751bc490560e02a93a99fe4de6d58

Download Submit
C:\Windows\{DC77AF71-0F0F-4bbe-B944-236B8280FFCC}.exe

Filesize
372KB

MD5
a5fc42e04c795985953e85c83fc9281d

SHA1
13e361191635d37fc084f391fbfa1c049b69f50d

SHA256
6d6c6c94c40979d22edbb5a1ea6b9bf2b1b043129d4952c8b90fe8c0a0e3e41c

SHA512
69e8c981276dc4722d9cbd1229f8f438c17d56322fe3ef92c3645fd54021c120fee9cf80e3c91955056db1750e2de80d74dd8af4bbeeba4dbcab28a3c0e98e42

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads