32e511c4a6bada2214b44fa5d94317a2b2d1196bc291c6d5c6e51cd6f9b75628

Analysis

max time kernel
144s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
09/04/2024, 08:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-09_bd333904f124f97d9d75ff6a6802ba16_goldeneye.exe
Size

372KB
MD5

bd333904f124f97d9d75ff6a6802ba16
SHA1

763a04cd8a1c91c4c2180ea951079a8e215fc930
SHA256

32e511c4a6bada2214b44fa5d94317a2b2d1196bc291c6d5c6e51cd6f9b75628
SHA512

609a9d80751dcb77719be6ba8ec01e7fa35feefdeecf530ea54510b01c30866120a144a9e9960f204fb99d26a28a75e610d1109fc5c163c2139fcb8cd6db9299
SSDEEP

3072:CEGh0oalMOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBfM:CEGolkOe2MUVg3vTeKcAEciTBqr3

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000b000000014fe1-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00090000000155e2-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f00000000f680-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a0000000155e2-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000015c0d-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b0000000155e2-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000015c0d-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c0000000155e2-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000015c23-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000015c2f-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000015c23-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AD5359B7-4D99-41b2-BACB-E9704BFEA36C}\stubpath = "C:\\Windows\\{AD5359B7-4D99-41b2-BACB-E9704BFEA36C}.exe"	{DBD12ECE-3904-4a8a-954E-AB043C54EBE8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{406C8DAF-F143-4de4-A30E-E30E28ADBB53}\stubpath = "C:\\Windows\\{406C8DAF-F143-4de4-A30E-E30E28ADBB53}.exe"	{9ADDD600-9CF0-4e6f-9645-0B703C1A495A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DF39F69B-EACD-4a9e-9035-28DA86D7119B}	{9EDE5E7F-C507-4d1e-947C-D78B925B2C53}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DF39F69B-EACD-4a9e-9035-28DA86D7119B}\stubpath = "C:\\Windows\\{DF39F69B-EACD-4a9e-9035-28DA86D7119B}.exe"	{9EDE5E7F-C507-4d1e-947C-D78B925B2C53}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DBD12ECE-3904-4a8a-954E-AB043C54EBE8}	{A0EFF2E0-DA29-4d4b-AF14-6341A9643326}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DBD12ECE-3904-4a8a-954E-AB043C54EBE8}\stubpath = "C:\\Windows\\{DBD12ECE-3904-4a8a-954E-AB043C54EBE8}.exe"	{A0EFF2E0-DA29-4d4b-AF14-6341A9643326}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9ADDD600-9CF0-4e6f-9645-0B703C1A495A}\stubpath = "C:\\Windows\\{9ADDD600-9CF0-4e6f-9645-0B703C1A495A}.exe"	{884B7BFA-CFCC-4f6a-8544-C1EE88BF68F1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9EDE5E7F-C507-4d1e-947C-D78B925B2C53}	{2587A936-984F-4215-A2F0-D37028DF2EEF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9EDE5E7F-C507-4d1e-947C-D78B925B2C53}\stubpath = "C:\\Windows\\{9EDE5E7F-C507-4d1e-947C-D78B925B2C53}.exe"	{2587A936-984F-4215-A2F0-D37028DF2EEF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A0EFF2E0-DA29-4d4b-AF14-6341A9643326}\stubpath = "C:\\Windows\\{A0EFF2E0-DA29-4d4b-AF14-6341A9643326}.exe"	{D3A4329E-056B-480c-AA1E-5D9645F32B7C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{884B7BFA-CFCC-4f6a-8544-C1EE88BF68F1}	{4EAFA1D3-AE74-4996-84E4-911EEC8CBE87}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AD5359B7-4D99-41b2-BACB-E9704BFEA36C}	{DBD12ECE-3904-4a8a-954E-AB043C54EBE8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{884B7BFA-CFCC-4f6a-8544-C1EE88BF68F1}\stubpath = "C:\\Windows\\{884B7BFA-CFCC-4f6a-8544-C1EE88BF68F1}.exe"	{4EAFA1D3-AE74-4996-84E4-911EEC8CBE87}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9ADDD600-9CF0-4e6f-9645-0B703C1A495A}	{884B7BFA-CFCC-4f6a-8544-C1EE88BF68F1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{406C8DAF-F143-4de4-A30E-E30E28ADBB53}	{9ADDD600-9CF0-4e6f-9645-0B703C1A495A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2587A936-984F-4215-A2F0-D37028DF2EEF}	{406C8DAF-F143-4de4-A30E-E30E28ADBB53}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2587A936-984F-4215-A2F0-D37028DF2EEF}\stubpath = "C:\\Windows\\{2587A936-984F-4215-A2F0-D37028DF2EEF}.exe"	{406C8DAF-F143-4de4-A30E-E30E28ADBB53}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D3A4329E-056B-480c-AA1E-5D9645F32B7C}\stubpath = "C:\\Windows\\{D3A4329E-056B-480c-AA1E-5D9645F32B7C}.exe"	2024-04-09_bd333904f124f97d9d75ff6a6802ba16_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A0EFF2E0-DA29-4d4b-AF14-6341A9643326}	{D3A4329E-056B-480c-AA1E-5D9645F32B7C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4EAFA1D3-AE74-4996-84E4-911EEC8CBE87}\stubpath = "C:\\Windows\\{4EAFA1D3-AE74-4996-84E4-911EEC8CBE87}.exe"	{AD5359B7-4D99-41b2-BACB-E9704BFEA36C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D3A4329E-056B-480c-AA1E-5D9645F32B7C}	2024-04-09_bd333904f124f97d9d75ff6a6802ba16_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4EAFA1D3-AE74-4996-84E4-911EEC8CBE87}	{AD5359B7-4D99-41b2-BACB-E9704BFEA36C}.exe

Deletes itself 1 IoCs

pid	Process
2228	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
1392	{D3A4329E-056B-480c-AA1E-5D9645F32B7C}.exe
2524	{A0EFF2E0-DA29-4d4b-AF14-6341A9643326}.exe
2500	{DBD12ECE-3904-4a8a-954E-AB043C54EBE8}.exe
2776	{AD5359B7-4D99-41b2-BACB-E9704BFEA36C}.exe
1952	{4EAFA1D3-AE74-4996-84E4-911EEC8CBE87}.exe
1428	{884B7BFA-CFCC-4f6a-8544-C1EE88BF68F1}.exe
1704	{9ADDD600-9CF0-4e6f-9645-0B703C1A495A}.exe
1960	{406C8DAF-F143-4de4-A30E-E30E28ADBB53}.exe
940	{2587A936-984F-4215-A2F0-D37028DF2EEF}.exe
768	{9EDE5E7F-C507-4d1e-947C-D78B925B2C53}.exe
2256	{DF39F69B-EACD-4a9e-9035-28DA86D7119B}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{D3A4329E-056B-480c-AA1E-5D9645F32B7C}.exe	2024-04-09_bd333904f124f97d9d75ff6a6802ba16_goldeneye.exe
File created	C:\Windows\{9EDE5E7F-C507-4d1e-947C-D78B925B2C53}.exe	{2587A936-984F-4215-A2F0-D37028DF2EEF}.exe
File created	C:\Windows\{AD5359B7-4D99-41b2-BACB-E9704BFEA36C}.exe	{DBD12ECE-3904-4a8a-954E-AB043C54EBE8}.exe
File created	C:\Windows\{4EAFA1D3-AE74-4996-84E4-911EEC8CBE87}.exe	{AD5359B7-4D99-41b2-BACB-E9704BFEA36C}.exe
File created	C:\Windows\{884B7BFA-CFCC-4f6a-8544-C1EE88BF68F1}.exe	{4EAFA1D3-AE74-4996-84E4-911EEC8CBE87}.exe
File created	C:\Windows\{9ADDD600-9CF0-4e6f-9645-0B703C1A495A}.exe	{884B7BFA-CFCC-4f6a-8544-C1EE88BF68F1}.exe
File created	C:\Windows\{406C8DAF-F143-4de4-A30E-E30E28ADBB53}.exe	{9ADDD600-9CF0-4e6f-9645-0B703C1A495A}.exe
File created	C:\Windows\{2587A936-984F-4215-A2F0-D37028DF2EEF}.exe	{406C8DAF-F143-4de4-A30E-E30E28ADBB53}.exe
File created	C:\Windows\{A0EFF2E0-DA29-4d4b-AF14-6341A9643326}.exe	{D3A4329E-056B-480c-AA1E-5D9645F32B7C}.exe
File created	C:\Windows\{DBD12ECE-3904-4a8a-954E-AB043C54EBE8}.exe	{A0EFF2E0-DA29-4d4b-AF14-6341A9643326}.exe
File created	C:\Windows\{DF39F69B-EACD-4a9e-9035-28DA86D7119B}.exe	{9EDE5E7F-C507-4d1e-947C-D78B925B2C53}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2812	2024-04-09_bd333904f124f97d9d75ff6a6802ba16_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1392	{D3A4329E-056B-480c-AA1E-5D9645F32B7C}.exe
Token: SeIncBasePriorityPrivilege	2524	{A0EFF2E0-DA29-4d4b-AF14-6341A9643326}.exe
Token: SeIncBasePriorityPrivilege	2500	{DBD12ECE-3904-4a8a-954E-AB043C54EBE8}.exe
Token: SeIncBasePriorityPrivilege	2776	{AD5359B7-4D99-41b2-BACB-E9704BFEA36C}.exe
Token: SeIncBasePriorityPrivilege	1952	{4EAFA1D3-AE74-4996-84E4-911EEC8CBE87}.exe
Token: SeIncBasePriorityPrivilege	1428	{884B7BFA-CFCC-4f6a-8544-C1EE88BF68F1}.exe
Token: SeIncBasePriorityPrivilege	1704	{9ADDD600-9CF0-4e6f-9645-0B703C1A495A}.exe
Token: SeIncBasePriorityPrivilege	1960	{406C8DAF-F143-4de4-A30E-E30E28ADBB53}.exe
Token: SeIncBasePriorityPrivilege	940	{2587A936-984F-4215-A2F0-D37028DF2EEF}.exe
Token: SeIncBasePriorityPrivilege	768	{9EDE5E7F-C507-4d1e-947C-D78B925B2C53}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2812 wrote to memory of 1392	2812	2024-04-09_bd333904f124f97d9d75ff6a6802ba16_goldeneye.exe	28
PID 2812 wrote to memory of 1392	2812	2024-04-09_bd333904f124f97d9d75ff6a6802ba16_goldeneye.exe	28
PID 2812 wrote to memory of 1392	2812	2024-04-09_bd333904f124f97d9d75ff6a6802ba16_goldeneye.exe	28
PID 2812 wrote to memory of 1392	2812	2024-04-09_bd333904f124f97d9d75ff6a6802ba16_goldeneye.exe	28
PID 2812 wrote to memory of 2228	2812	2024-04-09_bd333904f124f97d9d75ff6a6802ba16_goldeneye.exe	29
PID 2812 wrote to memory of 2228	2812	2024-04-09_bd333904f124f97d9d75ff6a6802ba16_goldeneye.exe	29
PID 2812 wrote to memory of 2228	2812	2024-04-09_bd333904f124f97d9d75ff6a6802ba16_goldeneye.exe	29
PID 2812 wrote to memory of 2228	2812	2024-04-09_bd333904f124f97d9d75ff6a6802ba16_goldeneye.exe	29
PID 1392 wrote to memory of 2524	1392	{D3A4329E-056B-480c-AA1E-5D9645F32B7C}.exe	30
PID 1392 wrote to memory of 2524	1392	{D3A4329E-056B-480c-AA1E-5D9645F32B7C}.exe	30
PID 1392 wrote to memory of 2524	1392	{D3A4329E-056B-480c-AA1E-5D9645F32B7C}.exe	30
PID 1392 wrote to memory of 2524	1392	{D3A4329E-056B-480c-AA1E-5D9645F32B7C}.exe	30
PID 1392 wrote to memory of 2612	1392	{D3A4329E-056B-480c-AA1E-5D9645F32B7C}.exe	31
PID 1392 wrote to memory of 2612	1392	{D3A4329E-056B-480c-AA1E-5D9645F32B7C}.exe	31
PID 1392 wrote to memory of 2612	1392	{D3A4329E-056B-480c-AA1E-5D9645F32B7C}.exe	31
PID 1392 wrote to memory of 2612	1392	{D3A4329E-056B-480c-AA1E-5D9645F32B7C}.exe	31
PID 2524 wrote to memory of 2500	2524	{A0EFF2E0-DA29-4d4b-AF14-6341A9643326}.exe	34
PID 2524 wrote to memory of 2500	2524	{A0EFF2E0-DA29-4d4b-AF14-6341A9643326}.exe	34
PID 2524 wrote to memory of 2500	2524	{A0EFF2E0-DA29-4d4b-AF14-6341A9643326}.exe	34
PID 2524 wrote to memory of 2500	2524	{A0EFF2E0-DA29-4d4b-AF14-6341A9643326}.exe	34
PID 2524 wrote to memory of 2332	2524	{A0EFF2E0-DA29-4d4b-AF14-6341A9643326}.exe	35
PID 2524 wrote to memory of 2332	2524	{A0EFF2E0-DA29-4d4b-AF14-6341A9643326}.exe	35
PID 2524 wrote to memory of 2332	2524	{A0EFF2E0-DA29-4d4b-AF14-6341A9643326}.exe	35
PID 2524 wrote to memory of 2332	2524	{A0EFF2E0-DA29-4d4b-AF14-6341A9643326}.exe	35
PID 2500 wrote to memory of 2776	2500	{DBD12ECE-3904-4a8a-954E-AB043C54EBE8}.exe	36
PID 2500 wrote to memory of 2776	2500	{DBD12ECE-3904-4a8a-954E-AB043C54EBE8}.exe	36
PID 2500 wrote to memory of 2776	2500	{DBD12ECE-3904-4a8a-954E-AB043C54EBE8}.exe	36
PID 2500 wrote to memory of 2776	2500	{DBD12ECE-3904-4a8a-954E-AB043C54EBE8}.exe	36
PID 2500 wrote to memory of 2988	2500	{DBD12ECE-3904-4a8a-954E-AB043C54EBE8}.exe	37
PID 2500 wrote to memory of 2988	2500	{DBD12ECE-3904-4a8a-954E-AB043C54EBE8}.exe	37
PID 2500 wrote to memory of 2988	2500	{DBD12ECE-3904-4a8a-954E-AB043C54EBE8}.exe	37
PID 2500 wrote to memory of 2988	2500	{DBD12ECE-3904-4a8a-954E-AB043C54EBE8}.exe	37
PID 2776 wrote to memory of 1952	2776	{AD5359B7-4D99-41b2-BACB-E9704BFEA36C}.exe	38
PID 2776 wrote to memory of 1952	2776	{AD5359B7-4D99-41b2-BACB-E9704BFEA36C}.exe	38
PID 2776 wrote to memory of 1952	2776	{AD5359B7-4D99-41b2-BACB-E9704BFEA36C}.exe	38
PID 2776 wrote to memory of 1952	2776	{AD5359B7-4D99-41b2-BACB-E9704BFEA36C}.exe	38
PID 2776 wrote to memory of 1052	2776	{AD5359B7-4D99-41b2-BACB-E9704BFEA36C}.exe	39
PID 2776 wrote to memory of 1052	2776	{AD5359B7-4D99-41b2-BACB-E9704BFEA36C}.exe	39
PID 2776 wrote to memory of 1052	2776	{AD5359B7-4D99-41b2-BACB-E9704BFEA36C}.exe	39
PID 2776 wrote to memory of 1052	2776	{AD5359B7-4D99-41b2-BACB-E9704BFEA36C}.exe	39
PID 1952 wrote to memory of 1428	1952	{4EAFA1D3-AE74-4996-84E4-911EEC8CBE87}.exe	40
PID 1952 wrote to memory of 1428	1952	{4EAFA1D3-AE74-4996-84E4-911EEC8CBE87}.exe	40
PID 1952 wrote to memory of 1428	1952	{4EAFA1D3-AE74-4996-84E4-911EEC8CBE87}.exe	40
PID 1952 wrote to memory of 1428	1952	{4EAFA1D3-AE74-4996-84E4-911EEC8CBE87}.exe	40
PID 1952 wrote to memory of 1840	1952	{4EAFA1D3-AE74-4996-84E4-911EEC8CBE87}.exe	41
PID 1952 wrote to memory of 1840	1952	{4EAFA1D3-AE74-4996-84E4-911EEC8CBE87}.exe	41
PID 1952 wrote to memory of 1840	1952	{4EAFA1D3-AE74-4996-84E4-911EEC8CBE87}.exe	41
PID 1952 wrote to memory of 1840	1952	{4EAFA1D3-AE74-4996-84E4-911EEC8CBE87}.exe	41
PID 1428 wrote to memory of 1704	1428	{884B7BFA-CFCC-4f6a-8544-C1EE88BF68F1}.exe	42
PID 1428 wrote to memory of 1704	1428	{884B7BFA-CFCC-4f6a-8544-C1EE88BF68F1}.exe	42
PID 1428 wrote to memory of 1704	1428	{884B7BFA-CFCC-4f6a-8544-C1EE88BF68F1}.exe	42
PID 1428 wrote to memory of 1704	1428	{884B7BFA-CFCC-4f6a-8544-C1EE88BF68F1}.exe	42
PID 1428 wrote to memory of 2004	1428	{884B7BFA-CFCC-4f6a-8544-C1EE88BF68F1}.exe	43
PID 1428 wrote to memory of 2004	1428	{884B7BFA-CFCC-4f6a-8544-C1EE88BF68F1}.exe	43
PID 1428 wrote to memory of 2004	1428	{884B7BFA-CFCC-4f6a-8544-C1EE88BF68F1}.exe	43
PID 1428 wrote to memory of 2004	1428	{884B7BFA-CFCC-4f6a-8544-C1EE88BF68F1}.exe	43
PID 1704 wrote to memory of 1960	1704	{9ADDD600-9CF0-4e6f-9645-0B703C1A495A}.exe	44
PID 1704 wrote to memory of 1960	1704	{9ADDD600-9CF0-4e6f-9645-0B703C1A495A}.exe	44
PID 1704 wrote to memory of 1960	1704	{9ADDD600-9CF0-4e6f-9645-0B703C1A495A}.exe	44
PID 1704 wrote to memory of 1960	1704	{9ADDD600-9CF0-4e6f-9645-0B703C1A495A}.exe	44
PID 1704 wrote to memory of 1648	1704	{9ADDD600-9CF0-4e6f-9645-0B703C1A495A}.exe	45
PID 1704 wrote to memory of 1648	1704	{9ADDD600-9CF0-4e6f-9645-0B703C1A495A}.exe	45
PID 1704 wrote to memory of 1648	1704	{9ADDD600-9CF0-4e6f-9645-0B703C1A495A}.exe	45
PID 1704 wrote to memory of 1648	1704	{9ADDD600-9CF0-4e6f-9645-0B703C1A495A}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-04-09_bd333904f124f97d9d75ff6a6802ba16_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-09_bd333904f124f97d9d75ff6a6802ba16_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2812
- C:\Windows\{D3A4329E-056B-480c-AA1E-5D9645F32B7C}.exe
  C:\Windows\{D3A4329E-056B-480c-AA1E-5D9645F32B7C}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1392
- - C:\Windows\{A0EFF2E0-DA29-4d4b-AF14-6341A9643326}.exe
    C:\Windows\{A0EFF2E0-DA29-4d4b-AF14-6341A9643326}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2524
  - - C:\Windows\{DBD12ECE-3904-4a8a-954E-AB043C54EBE8}.exe
      C:\Windows\{DBD12ECE-3904-4a8a-954E-AB043C54EBE8}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2500
    - - C:\Windows\{AD5359B7-4D99-41b2-BACB-E9704BFEA36C}.exe
        
        C:\Windows\{AD5359B7-4D99-41b2-BACB-E9704BFEA36C}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2776
      - C:\Windows\{4EAFA1D3-AE74-4996-84E4-911EEC8CBE87}.exe
        
        C:\Windows\{4EAFA1D3-AE74-4996-84E4-911EEC8CBE87}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1952
        
        C:\Windows\{884B7BFA-CFCC-4f6a-8544-C1EE88BF68F1}.exe
        
        C:\Windows\{884B7BFA-CFCC-4f6a-8544-C1EE88BF68F1}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1428
        
        C:\Windows\{9ADDD600-9CF0-4e6f-9645-0B703C1A495A}.exe
        
        C:\Windows\{9ADDD600-9CF0-4e6f-9645-0B703C1A495A}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1704
        
        C:\Windows\{406C8DAF-F143-4de4-A30E-E30E28ADBB53}.exe
        
        C:\Windows\{406C8DAF-F143-4de4-A30E-E30E28ADBB53}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1960
        
        C:\Windows\{2587A936-984F-4215-A2F0-D37028DF2EEF}.exe
        
        C:\Windows\{2587A936-984F-4215-A2F0-D37028DF2EEF}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:940
        
        C:\Windows\{9EDE5E7F-C507-4d1e-947C-D78B925B2C53}.exe
        
        C:\Windows\{9EDE5E7F-C507-4d1e-947C-D78B925B2C53}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:768
        
        C:\Windows\{DF39F69B-EACD-4a9e-9035-28DA86D7119B}.exe
        
        C:\Windows\{DF39F69B-EACD-4a9e-9035-28DA86D7119B}.exe
        12⤵
        Executes dropped EXE
        
        PID:2256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9EDE5~1.EXE > nul
        12⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2587A~1.EXE > nul
        11⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{406C8~1.EXE > nul
        10⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9ADDD~1.EXE > nul
        9⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{884B7~1.EXE > nul
        8⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4EAFA~1.EXE > nul
        7⤵
        
        PID:1840
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AD535~1.EXE > nul
        6⤵
        
        PID:1052
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DBD12~1.EXE > nul
        5⤵
        
        PID:2988
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{A0EFF~1.EXE > nul
      4⤵
      PID:2332
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{D3A43~1.EXE > nul
    3⤵
    PID:2612
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{2587A936-984F-4215-A2F0-D37028DF2EEF}.exe

Filesize
372KB

MD5
efde23a823255f8db7a93c4f0e41f5cf

SHA1
d7e8e0f168ee3b50b7cbd251348a71e4bb70ac13

SHA256
702f21e26f37c6882e02ec137ece9afb98a1734ae25c885916be9a5588b9200d

SHA512
ec671aaa3d9a2f2b9b824c3ad04f336626bba3867b8e8646f10befb0c2c15920895f59be31757fd1a5598f9478d4be46645d06f0d4d22ed972bfc6ede1c77a73

Download Submit
C:\Windows\{406C8DAF-F143-4de4-A30E-E30E28ADBB53}.exe

Filesize
372KB

MD5
1af02fc02ea0f80b0d8b3a1392233dc8

SHA1
400d2984a8985c84fdd0fa1e49699748f8efb684

SHA256
b7c575dd66be526f54fc19645c6d51009530db683b6cadfb99b44909d7ef31e9

SHA512
4e4afafa06c64af7fbdc0a504bae299c7f220cdb84239dc4bca0d8f9f5f2c16d9e9845fbab735c9f6baf0908f0af800db368779aefb2ccbbf36af4caa433b1f2

Download Submit
C:\Windows\{4EAFA1D3-AE74-4996-84E4-911EEC8CBE87}.exe

Filesize
372KB

MD5
8d08a83ff6ef9a38f4bb33e4f08ec863

SHA1
e29e434fae4ed63c6674bd03946d85278c6e5f75

SHA256
4ffd459b5023abca44a7626d1b4dc87141b5e8aa087bd764fe0b9a4ad2a5619e

SHA512
b77bd9cc0b0250c9fc57a4512b2015e446f6543a4ba58bebd4738eb02884337891db10b3e754144f9d088c4040bab429b18e56046d17c03da895184d99f82e8f

Download Submit
C:\Windows\{884B7BFA-CFCC-4f6a-8544-C1EE88BF68F1}.exe

Filesize
372KB

MD5
5a932e8d51ffbe6aa657350cf44e07a7

SHA1
654c3ba13d1210649373037cfad6f5d33e246800

SHA256
03d606f3c27c0efba82bf05d2363f69531fbf1c44f31157cfbfe566d34f22d09

SHA512
29b5246094e352750844adb10d7cecabc20cdb44556accaa31fc90dedd4eb7c7a80e4c74f678f3a10268d8eb7445ac0fc78451b2420966fd0e3a89f408aa19f9

Download Submit
C:\Windows\{9ADDD600-9CF0-4e6f-9645-0B703C1A495A}.exe

Filesize
372KB

MD5
5e4a94b3c282b18f6e06e92dbf0e506b

SHA1
f95341cf7a36754f277f6b970e6d56c57ee79bb2

SHA256
ac959ce751511a7927849a8a32b4777881bb5a676e715507314e54382d2fd039

SHA512
3a97325149899f5a39f5251fcf07eff3b0f1c8405e038a7961e7f82b1cd7e883243520721365d34e0153a4121725542ad6ec5b5697f178c12f076067ec715139

Download Submit
C:\Windows\{9EDE5E7F-C507-4d1e-947C-D78B925B2C53}.exe

Filesize
372KB

MD5
9d6c23ce7340c50c097d233dba73af03

SHA1
e451ef9a10ead2d03e15963c433267e1d1980817

SHA256
7df39097ab11414eaaa491e52fdc9835478aaa64e2889cf3af23b0c07c00e9aa

SHA512
e674953b1c37cfbff4fc7808949a073b883151b2044f0474fe2c2f3f5f25b3c5fb91f63b0a69d1bcfbb9eb23872f1167413cbe261f4409f2e48c20b61cf58fa0

Download Submit
C:\Windows\{A0EFF2E0-DA29-4d4b-AF14-6341A9643326}.exe

Filesize
372KB

MD5
3be633b02859529b047067f091a5d7ca

SHA1
2efc31a17a1938dd2c8700b15461a061dcf9b18d

SHA256
b9d33de7e9cb951dce88dcef931c6d9fa6265bf4136f29c6ca1a14de53ff4ea5

SHA512
4dac27eecf1c1a8c4c5190b24de4d5b14c1662fbb2e81938a8391d512180a6a93c8e919b80310cd14c64409f3d8681ff01ac308adda7e8a6a8cbe0b7778876c3

Download Submit
C:\Windows\{AD5359B7-4D99-41b2-BACB-E9704BFEA36C}.exe

Filesize
372KB

MD5
66af7fb3f0ccb1a8f9888c0d4d3fa2b4

SHA1
bfebf53e2ec2db14d5e75498d1f582696d049284

SHA256
a2b4e90415ee7caf41208557dd11e18c10e85db20b06a9df36880310809c1256

SHA512
2a03fe7ce0f8c10c83fb6e14a7e50267a6d212a15f91dc216dd4ec997430299d377aecddfccf03b79c9a8f51b48cc75994f204c56f88cee5195bbc13956c4ea1

Download Submit
C:\Windows\{D3A4329E-056B-480c-AA1E-5D9645F32B7C}.exe

Filesize
372KB

MD5
caa38116249987ee989ce4f3a36fb1ef

SHA1
902a3d04cb13bf69ac29b40a55060690925d42c0

SHA256
c1e1be36ab3732a56c68c005d58dca2ec678581a8c93104c0612b8abd54d3ac3

SHA512
9e50feb7021f3959ccec1214fc48cda88397b8a3e222dc2d1a1f5e29708b05bf2c7f04bf17d0185171b92bfd419672cbcc51f2a391da4e7c07dd0ad169054df0

Download Submit
C:\Windows\{DBD12ECE-3904-4a8a-954E-AB043C54EBE8}.exe

Filesize
372KB

MD5
d98a6923b0dc09b5ac2dd4f227eb33c4

SHA1
a71aac57d159cc458959599cd508aa02b54e5fcd

SHA256
0aeb6ad4da19c5b40421f03cee2bcf5902ce7871e9f51b4e0ce71956c0fd2c25

SHA512
5409e44a9f37d7077eb048021d4b407f07f017134394ac8ec672433c2c67f7e06f2994cb62c89ff4903f8002bc8b88ba0fe1ab708206e30aae1952b3be8843b5

Download Submit
C:\Windows\{DF39F69B-EACD-4a9e-9035-28DA86D7119B}.exe

Filesize
372KB

MD5
968b5230aa47b540987ba808a64f2aa3

SHA1
b202003735385aa0887f9a3fc5de35876b38c43e

SHA256
5f72e0cda3e0fd49aea3fb4349e62827ce3622fb272c8bbe12d08822f4e52acd

SHA512
bc8a20f37c9fdb451425eaf8c1f09bdc5394ee60991c2703961436bb7b169414294771a232ed36cf4a9d6be6ebc717ba0160d201971da39d77af2ba1e6352994

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads