bfc38efc6164b12c7e617a71132e4f148c296132785b568925a51eea6d7c92e7

Analysis

max time kernel
144s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
16/04/2024, 20:01

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-04-16_56de6624457bd3d469fd19284f9bdb09_goldeneye.exe
Size

180KB
MD5

56de6624457bd3d469fd19284f9bdb09
SHA1

008cdf7c2d7cd2edf45d34fb3bcd7e1a8b87d6f7
SHA256

bfc38efc6164b12c7e617a71132e4f148c296132785b568925a51eea6d7c92e7
SHA512

a04d40a600bc71c84b2f762629782ccdf509d99372b98cd234d59007162c47b2dc98bd83610fb95bee239e1fc11e9df1a23ac861f5a8237b4b10e8416d48397f
SSDEEP

3072:jEGh0o3lfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGll5eKcAEc

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x0009000000012272-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0030000000016cd0-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0010000000016ce9-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000900000000f6f2-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0031000000016cd0-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a00000000f6f2-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0032000000016cd0-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b00000000f6f2-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0033000000016cd0-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c00000000f6f2-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0034000000016cd0-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D8133ED8-728B-4b06-8C71-7035C0EB14CE}	2024-04-16_56de6624457bd3d469fd19284f9bdb09_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B8079645-CE60-4e68-8345-B359ACF43D19}	{D8133ED8-728B-4b06-8C71-7035C0EB14CE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{162A8980-B939-4ab6-8CA2-8CD07F35B783}	{B8079645-CE60-4e68-8345-B359ACF43D19}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8BD4D2F4-5139-4f5c-B21B-E350A7C9C10A}	{E93DC3A0-301A-4c44-A069-C701709497DC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{291A60C5-51EE-4f71-A082-B426436BE967}	{1B2157A9-30A3-45d3-BC6D-11808AADC535}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D8133ED8-728B-4b06-8C71-7035C0EB14CE}\stubpath = "C:\\Windows\\{D8133ED8-728B-4b06-8C71-7035C0EB14CE}.exe"	2024-04-16_56de6624457bd3d469fd19284f9bdb09_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E93DC3A0-301A-4c44-A069-C701709497DC}	{ACDFD988-881A-4341-A6BC-FEC1BDED2172}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E93DC3A0-301A-4c44-A069-C701709497DC}\stubpath = "C:\\Windows\\{E93DC3A0-301A-4c44-A069-C701709497DC}.exe"	{ACDFD988-881A-4341-A6BC-FEC1BDED2172}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8BD4D2F4-5139-4f5c-B21B-E350A7C9C10A}\stubpath = "C:\\Windows\\{8BD4D2F4-5139-4f5c-B21B-E350A7C9C10A}.exe"	{E93DC3A0-301A-4c44-A069-C701709497DC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{291A60C5-51EE-4f71-A082-B426436BE967}\stubpath = "C:\\Windows\\{291A60C5-51EE-4f71-A082-B426436BE967}.exe"	{1B2157A9-30A3-45d3-BC6D-11808AADC535}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1B2157A9-30A3-45d3-BC6D-11808AADC535}	{8BD4D2F4-5139-4f5c-B21B-E350A7C9C10A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1B2157A9-30A3-45d3-BC6D-11808AADC535}\stubpath = "C:\\Windows\\{1B2157A9-30A3-45d3-BC6D-11808AADC535}.exe"	{8BD4D2F4-5139-4f5c-B21B-E350A7C9C10A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{446E9D74-18C3-476e-B538-530A3A212BED}\stubpath = "C:\\Windows\\{446E9D74-18C3-476e-B538-530A3A212BED}.exe"	{291A60C5-51EE-4f71-A082-B426436BE967}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B8079645-CE60-4e68-8345-B359ACF43D19}\stubpath = "C:\\Windows\\{B8079645-CE60-4e68-8345-B359ACF43D19}.exe"	{D8133ED8-728B-4b06-8C71-7035C0EB14CE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{91E2E756-2821-4b71-8E6B-5589FBCBABA2}	{162A8980-B939-4ab6-8CA2-8CD07F35B783}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D76FA7AE-A796-49cd-8DBF-39D644C2DDCF}	{91E2E756-2821-4b71-8E6B-5589FBCBABA2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D76FA7AE-A796-49cd-8DBF-39D644C2DDCF}\stubpath = "C:\\Windows\\{D76FA7AE-A796-49cd-8DBF-39D644C2DDCF}.exe"	{91E2E756-2821-4b71-8E6B-5589FBCBABA2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ACDFD988-881A-4341-A6BC-FEC1BDED2172}\stubpath = "C:\\Windows\\{ACDFD988-881A-4341-A6BC-FEC1BDED2172}.exe"	{D76FA7AE-A796-49cd-8DBF-39D644C2DDCF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{162A8980-B939-4ab6-8CA2-8CD07F35B783}\stubpath = "C:\\Windows\\{162A8980-B939-4ab6-8CA2-8CD07F35B783}.exe"	{B8079645-CE60-4e68-8345-B359ACF43D19}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{91E2E756-2821-4b71-8E6B-5589FBCBABA2}\stubpath = "C:\\Windows\\{91E2E756-2821-4b71-8E6B-5589FBCBABA2}.exe"	{162A8980-B939-4ab6-8CA2-8CD07F35B783}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ACDFD988-881A-4341-A6BC-FEC1BDED2172}	{D76FA7AE-A796-49cd-8DBF-39D644C2DDCF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{446E9D74-18C3-476e-B538-530A3A212BED}	{291A60C5-51EE-4f71-A082-B426436BE967}.exe

Deletes itself 1 IoCs

pid	Process
2676	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2684	{D8133ED8-728B-4b06-8C71-7035C0EB14CE}.exe
2872	{B8079645-CE60-4e68-8345-B359ACF43D19}.exe
2468	{162A8980-B939-4ab6-8CA2-8CD07F35B783}.exe
324	{91E2E756-2821-4b71-8E6B-5589FBCBABA2}.exe
2812	{D76FA7AE-A796-49cd-8DBF-39D644C2DDCF}.exe
2652	{ACDFD988-881A-4341-A6BC-FEC1BDED2172}.exe
2168	{E93DC3A0-301A-4c44-A069-C701709497DC}.exe
2632	{8BD4D2F4-5139-4f5c-B21B-E350A7C9C10A}.exe
1520	{1B2157A9-30A3-45d3-BC6D-11808AADC535}.exe
2308	{291A60C5-51EE-4f71-A082-B426436BE967}.exe
2284	{446E9D74-18C3-476e-B538-530A3A212BED}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{8BD4D2F4-5139-4f5c-B21B-E350A7C9C10A}.exe	{E93DC3A0-301A-4c44-A069-C701709497DC}.exe
File created	C:\Windows\{291A60C5-51EE-4f71-A082-B426436BE967}.exe	{1B2157A9-30A3-45d3-BC6D-11808AADC535}.exe
File created	C:\Windows\{446E9D74-18C3-476e-B538-530A3A212BED}.exe	{291A60C5-51EE-4f71-A082-B426436BE967}.exe
File created	C:\Windows\{D8133ED8-728B-4b06-8C71-7035C0EB14CE}.exe	2024-04-16_56de6624457bd3d469fd19284f9bdb09_goldeneye.exe
File created	C:\Windows\{D76FA7AE-A796-49cd-8DBF-39D644C2DDCF}.exe	{91E2E756-2821-4b71-8E6B-5589FBCBABA2}.exe
File created	C:\Windows\{ACDFD988-881A-4341-A6BC-FEC1BDED2172}.exe	{D76FA7AE-A796-49cd-8DBF-39D644C2DDCF}.exe
File created	C:\Windows\{E93DC3A0-301A-4c44-A069-C701709497DC}.exe	{ACDFD988-881A-4341-A6BC-FEC1BDED2172}.exe
File created	C:\Windows\{1B2157A9-30A3-45d3-BC6D-11808AADC535}.exe	{8BD4D2F4-5139-4f5c-B21B-E350A7C9C10A}.exe
File created	C:\Windows\{B8079645-CE60-4e68-8345-B359ACF43D19}.exe	{D8133ED8-728B-4b06-8C71-7035C0EB14CE}.exe
File created	C:\Windows\{162A8980-B939-4ab6-8CA2-8CD07F35B783}.exe	{B8079645-CE60-4e68-8345-B359ACF43D19}.exe
File created	C:\Windows\{91E2E756-2821-4b71-8E6B-5589FBCBABA2}.exe	{162A8980-B939-4ab6-8CA2-8CD07F35B783}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2488	2024-04-16_56de6624457bd3d469fd19284f9bdb09_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2684	{D8133ED8-728B-4b06-8C71-7035C0EB14CE}.exe
Token: SeIncBasePriorityPrivilege	2872	{B8079645-CE60-4e68-8345-B359ACF43D19}.exe
Token: SeIncBasePriorityPrivilege	2468	{162A8980-B939-4ab6-8CA2-8CD07F35B783}.exe
Token: SeIncBasePriorityPrivilege	324	{91E2E756-2821-4b71-8E6B-5589FBCBABA2}.exe
Token: SeIncBasePriorityPrivilege	2812	{D76FA7AE-A796-49cd-8DBF-39D644C2DDCF}.exe
Token: SeIncBasePriorityPrivilege	2652	{ACDFD988-881A-4341-A6BC-FEC1BDED2172}.exe
Token: SeIncBasePriorityPrivilege	2168	{E93DC3A0-301A-4c44-A069-C701709497DC}.exe
Token: SeIncBasePriorityPrivilege	2632	{8BD4D2F4-5139-4f5c-B21B-E350A7C9C10A}.exe
Token: SeIncBasePriorityPrivilege	1520	{1B2157A9-30A3-45d3-BC6D-11808AADC535}.exe
Token: SeIncBasePriorityPrivilege	2308	{291A60C5-51EE-4f71-A082-B426436BE967}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2488 wrote to memory of 2684	2488	2024-04-16_56de6624457bd3d469fd19284f9bdb09_goldeneye.exe	28
PID 2488 wrote to memory of 2684	2488	2024-04-16_56de6624457bd3d469fd19284f9bdb09_goldeneye.exe	28
PID 2488 wrote to memory of 2684	2488	2024-04-16_56de6624457bd3d469fd19284f9bdb09_goldeneye.exe	28
PID 2488 wrote to memory of 2684	2488	2024-04-16_56de6624457bd3d469fd19284f9bdb09_goldeneye.exe	28
PID 2488 wrote to memory of 2676	2488	2024-04-16_56de6624457bd3d469fd19284f9bdb09_goldeneye.exe	29
PID 2488 wrote to memory of 2676	2488	2024-04-16_56de6624457bd3d469fd19284f9bdb09_goldeneye.exe	29
PID 2488 wrote to memory of 2676	2488	2024-04-16_56de6624457bd3d469fd19284f9bdb09_goldeneye.exe	29
PID 2488 wrote to memory of 2676	2488	2024-04-16_56de6624457bd3d469fd19284f9bdb09_goldeneye.exe	29
PID 2684 wrote to memory of 2872	2684	{D8133ED8-728B-4b06-8C71-7035C0EB14CE}.exe	30
PID 2684 wrote to memory of 2872	2684	{D8133ED8-728B-4b06-8C71-7035C0EB14CE}.exe	30
PID 2684 wrote to memory of 2872	2684	{D8133ED8-728B-4b06-8C71-7035C0EB14CE}.exe	30
PID 2684 wrote to memory of 2872	2684	{D8133ED8-728B-4b06-8C71-7035C0EB14CE}.exe	30
PID 2684 wrote to memory of 2232	2684	{D8133ED8-728B-4b06-8C71-7035C0EB14CE}.exe	31
PID 2684 wrote to memory of 2232	2684	{D8133ED8-728B-4b06-8C71-7035C0EB14CE}.exe	31
PID 2684 wrote to memory of 2232	2684	{D8133ED8-728B-4b06-8C71-7035C0EB14CE}.exe	31
PID 2684 wrote to memory of 2232	2684	{D8133ED8-728B-4b06-8C71-7035C0EB14CE}.exe	31
PID 2872 wrote to memory of 2468	2872	{B8079645-CE60-4e68-8345-B359ACF43D19}.exe	34
PID 2872 wrote to memory of 2468	2872	{B8079645-CE60-4e68-8345-B359ACF43D19}.exe	34
PID 2872 wrote to memory of 2468	2872	{B8079645-CE60-4e68-8345-B359ACF43D19}.exe	34
PID 2872 wrote to memory of 2468	2872	{B8079645-CE60-4e68-8345-B359ACF43D19}.exe	34
PID 2872 wrote to memory of 2964	2872	{B8079645-CE60-4e68-8345-B359ACF43D19}.exe	35
PID 2872 wrote to memory of 2964	2872	{B8079645-CE60-4e68-8345-B359ACF43D19}.exe	35
PID 2872 wrote to memory of 2964	2872	{B8079645-CE60-4e68-8345-B359ACF43D19}.exe	35
PID 2872 wrote to memory of 2964	2872	{B8079645-CE60-4e68-8345-B359ACF43D19}.exe	35
PID 2468 wrote to memory of 324	2468	{162A8980-B939-4ab6-8CA2-8CD07F35B783}.exe	36
PID 2468 wrote to memory of 324	2468	{162A8980-B939-4ab6-8CA2-8CD07F35B783}.exe	36
PID 2468 wrote to memory of 324	2468	{162A8980-B939-4ab6-8CA2-8CD07F35B783}.exe	36
PID 2468 wrote to memory of 324	2468	{162A8980-B939-4ab6-8CA2-8CD07F35B783}.exe	36
PID 2468 wrote to memory of 772	2468	{162A8980-B939-4ab6-8CA2-8CD07F35B783}.exe	37
PID 2468 wrote to memory of 772	2468	{162A8980-B939-4ab6-8CA2-8CD07F35B783}.exe	37
PID 2468 wrote to memory of 772	2468	{162A8980-B939-4ab6-8CA2-8CD07F35B783}.exe	37
PID 2468 wrote to memory of 772	2468	{162A8980-B939-4ab6-8CA2-8CD07F35B783}.exe	37
PID 324 wrote to memory of 2812	324	{91E2E756-2821-4b71-8E6B-5589FBCBABA2}.exe	38
PID 324 wrote to memory of 2812	324	{91E2E756-2821-4b71-8E6B-5589FBCBABA2}.exe	38
PID 324 wrote to memory of 2812	324	{91E2E756-2821-4b71-8E6B-5589FBCBABA2}.exe	38
PID 324 wrote to memory of 2812	324	{91E2E756-2821-4b71-8E6B-5589FBCBABA2}.exe	38
PID 324 wrote to memory of 2820	324	{91E2E756-2821-4b71-8E6B-5589FBCBABA2}.exe	39
PID 324 wrote to memory of 2820	324	{91E2E756-2821-4b71-8E6B-5589FBCBABA2}.exe	39
PID 324 wrote to memory of 2820	324	{91E2E756-2821-4b71-8E6B-5589FBCBABA2}.exe	39
PID 324 wrote to memory of 2820	324	{91E2E756-2821-4b71-8E6B-5589FBCBABA2}.exe	39
PID 2812 wrote to memory of 2652	2812	{D76FA7AE-A796-49cd-8DBF-39D644C2DDCF}.exe	40
PID 2812 wrote to memory of 2652	2812	{D76FA7AE-A796-49cd-8DBF-39D644C2DDCF}.exe	40
PID 2812 wrote to memory of 2652	2812	{D76FA7AE-A796-49cd-8DBF-39D644C2DDCF}.exe	40
PID 2812 wrote to memory of 2652	2812	{D76FA7AE-A796-49cd-8DBF-39D644C2DDCF}.exe	40
PID 2812 wrote to memory of 2056	2812	{D76FA7AE-A796-49cd-8DBF-39D644C2DDCF}.exe	41
PID 2812 wrote to memory of 2056	2812	{D76FA7AE-A796-49cd-8DBF-39D644C2DDCF}.exe	41
PID 2812 wrote to memory of 2056	2812	{D76FA7AE-A796-49cd-8DBF-39D644C2DDCF}.exe	41
PID 2812 wrote to memory of 2056	2812	{D76FA7AE-A796-49cd-8DBF-39D644C2DDCF}.exe	41
PID 2652 wrote to memory of 2168	2652	{ACDFD988-881A-4341-A6BC-FEC1BDED2172}.exe	42
PID 2652 wrote to memory of 2168	2652	{ACDFD988-881A-4341-A6BC-FEC1BDED2172}.exe	42
PID 2652 wrote to memory of 2168	2652	{ACDFD988-881A-4341-A6BC-FEC1BDED2172}.exe	42
PID 2652 wrote to memory of 2168	2652	{ACDFD988-881A-4341-A6BC-FEC1BDED2172}.exe	42
PID 2652 wrote to memory of 2512	2652	{ACDFD988-881A-4341-A6BC-FEC1BDED2172}.exe	43
PID 2652 wrote to memory of 2512	2652	{ACDFD988-881A-4341-A6BC-FEC1BDED2172}.exe	43
PID 2652 wrote to memory of 2512	2652	{ACDFD988-881A-4341-A6BC-FEC1BDED2172}.exe	43
PID 2652 wrote to memory of 2512	2652	{ACDFD988-881A-4341-A6BC-FEC1BDED2172}.exe	43
PID 2168 wrote to memory of 2632	2168	{E93DC3A0-301A-4c44-A069-C701709497DC}.exe	44
PID 2168 wrote to memory of 2632	2168	{E93DC3A0-301A-4c44-A069-C701709497DC}.exe	44
PID 2168 wrote to memory of 2632	2168	{E93DC3A0-301A-4c44-A069-C701709497DC}.exe	44
PID 2168 wrote to memory of 2632	2168	{E93DC3A0-301A-4c44-A069-C701709497DC}.exe	44
PID 2168 wrote to memory of 2184	2168	{E93DC3A0-301A-4c44-A069-C701709497DC}.exe	45
PID 2168 wrote to memory of 2184	2168	{E93DC3A0-301A-4c44-A069-C701709497DC}.exe	45
PID 2168 wrote to memory of 2184	2168	{E93DC3A0-301A-4c44-A069-C701709497DC}.exe	45
PID 2168 wrote to memory of 2184	2168	{E93DC3A0-301A-4c44-A069-C701709497DC}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-04-16_56de6624457bd3d469fd19284f9bdb09_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-16_56de6624457bd3d469fd19284f9bdb09_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2488
- C:\Windows\{D8133ED8-728B-4b06-8C71-7035C0EB14CE}.exe
  C:\Windows\{D8133ED8-728B-4b06-8C71-7035C0EB14CE}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2684
- - C:\Windows\{B8079645-CE60-4e68-8345-B359ACF43D19}.exe
    C:\Windows\{B8079645-CE60-4e68-8345-B359ACF43D19}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2872
  - - C:\Windows\{162A8980-B939-4ab6-8CA2-8CD07F35B783}.exe
      C:\Windows\{162A8980-B939-4ab6-8CA2-8CD07F35B783}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2468
    - - C:\Windows\{91E2E756-2821-4b71-8E6B-5589FBCBABA2}.exe
        
        C:\Windows\{91E2E756-2821-4b71-8E6B-5589FBCBABA2}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:324
      - C:\Windows\{D76FA7AE-A796-49cd-8DBF-39D644C2DDCF}.exe
        
        C:\Windows\{D76FA7AE-A796-49cd-8DBF-39D644C2DDCF}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2812
        
        C:\Windows\{ACDFD988-881A-4341-A6BC-FEC1BDED2172}.exe
        
        C:\Windows\{ACDFD988-881A-4341-A6BC-FEC1BDED2172}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2652
        
        C:\Windows\{E93DC3A0-301A-4c44-A069-C701709497DC}.exe
        
        C:\Windows\{E93DC3A0-301A-4c44-A069-C701709497DC}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2168
        
        C:\Windows\{8BD4D2F4-5139-4f5c-B21B-E350A7C9C10A}.exe
        
        C:\Windows\{8BD4D2F4-5139-4f5c-B21B-E350A7C9C10A}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2632
        
        C:\Windows\{1B2157A9-30A3-45d3-BC6D-11808AADC535}.exe
        
        C:\Windows\{1B2157A9-30A3-45d3-BC6D-11808AADC535}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1520
        
        C:\Windows\{291A60C5-51EE-4f71-A082-B426436BE967}.exe
        
        C:\Windows\{291A60C5-51EE-4f71-A082-B426436BE967}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2308
        
        C:\Windows\{446E9D74-18C3-476e-B538-530A3A212BED}.exe
        
        C:\Windows\{446E9D74-18C3-476e-B538-530A3A212BED}.exe
        12⤵
        Executes dropped EXE
        
        PID:2284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{291A6~1.EXE > nul
        12⤵
        
        PID:1072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1B215~1.EXE > nul
        11⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8BD4D~1.EXE > nul
        10⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E93DC~1.EXE > nul
        9⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{ACDFD~1.EXE > nul
        8⤵
        
        PID:2512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D76FA~1.EXE > nul
        7⤵
        
        PID:2056
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{91E2E~1.EXE > nul
        6⤵
        
        PID:2820
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{162A8~1.EXE > nul
        5⤵
        
        PID:772
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{B8079~1.EXE > nul
      4⤵
      PID:2964
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{D8133~1.EXE > nul
    3⤵
    PID:2232
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{162A8980-B939-4ab6-8CA2-8CD07F35B783}.exe

Filesize
180KB

MD5
15d959ffb282029dd34d28b4b3b493df

SHA1
ab3c1b1639a605ba3854f10e48303c8d6979156b

SHA256
cdb0e62b71e4cea850eaf1d84e3ed7f6b182bb9f308444cfafe68445ebd5e637

SHA512
00d2871ebd478fc8aa0b0b7337a213036bbdc494a807e779f8972b145f5f99ca1171358b6582c79c8b115d29a7278d7a98fb1f40654b331d176459d9baee13bf

Download Submit
C:\Windows\{1B2157A9-30A3-45d3-BC6D-11808AADC535}.exe

Filesize
180KB

MD5
6e9c763bd4ae3eaf15fd1706cfba41f2

SHA1
7ad9d7f4094ebe31eb3e1a08fa4e7981c4b20b95

SHA256
a541269913d0fecd6b01ff137769d2f2b48c4e3a1f231363c0896eeb09a5c7d8

SHA512
4997e06f564599bc7d458eae9cd9890eaa8be73bc46b5f552d3dcde428362f9a75c09c8f8bc2f1f9118faef21e89a2b8efdd3ccd9f75fa49c28b051ba5f13066

Download Submit
C:\Windows\{291A60C5-51EE-4f71-A082-B426436BE967}.exe

Filesize
180KB

MD5
dfea6c705f4b603f8bcdba1ab22b3a8c

SHA1
4e98a44d52297bc4c68b0b593a95c1f30928e028

SHA256
2ac7ab9168a28a1dfc3c04e8c705c46f95f6c21917c190f7d1dfd02d9e537b92

SHA512
266a11d6b7d5a10d83399268bf0bb96653e3612d23d09ae4e87a4e65103dcf2bd03320283f84a592b6be6038bcb0d7a13182ae6d9d5604c1dad8c9683121cd7e

Download Submit
C:\Windows\{446E9D74-18C3-476e-B538-530A3A212BED}.exe

Filesize
180KB

MD5
079b5594456b1f5ea2a4498a614f4bef

SHA1
7b718030758c6ab126f66e4b699cb26dacfc97b3

SHA256
be3db29f742de9fe98e4f414620f50cb22d5638d65245c2054ed80d57320a814

SHA512
7612d1512cf6cc3f49277d63efc64b70f22b5d84213dbd4a12eadd2b4751f6f0369e0c735118f9b65e06083fe1e7e038ee167f9a58578e1a4abe8ec667b4a27f

Download Submit
C:\Windows\{8BD4D2F4-5139-4f5c-B21B-E350A7C9C10A}.exe

Filesize
180KB

MD5
ba54b916685f6225b7545059fa8b2b68

SHA1
61b32128485bc74e7127eea35f9352a9db369294

SHA256
e3798beba3e03e70e5d17f8c2391a0674227359c0bffdabb60a935be1831afba

SHA512
6e3741dd6d5cba0ba24d6522a56eb348cb41419474882318b4ad53f7a887c74e41cb6edbfdc7ae16ab60402ad853d5111a51eae3c4d7b98f8098d5cc4fd6ca98

Download Submit
C:\Windows\{91E2E756-2821-4b71-8E6B-5589FBCBABA2}.exe

Filesize
180KB

MD5
7cd4c978177bc3b1475fc67ba645eaab

SHA1
3ec9739a4304ef50327a5d7d1eabccbd0730964a

SHA256
800e22c70b81ca2f4de2c8d0d6205c2f5f4f5ad165e1f4e41f4c382f3b18f158

SHA512
917f80955e5cd652ab08690ea46848cf308c75da026c676d60eb75405fe1ca8d32b00bedfb4e7e0fdac81ef628487208d905d39b17dce9a81ce87937a1bf19dc

Download Submit
C:\Windows\{ACDFD988-881A-4341-A6BC-FEC1BDED2172}.exe

Filesize
180KB

MD5
f6cf814649c605426517fa13978ccbae

SHA1
56d29ba3d537994b36749b3c650b2dc75714b347

SHA256
9ec622773d1ab877cbbdde614ccd40437d0f393e987b98fe7e44ae2574f52b90

SHA512
5ceb0cfb3e6787a7912ebcd9451e623b673dd97f931c8030b6b295a6f87e2bbbbef1346e1ab9f176abfd64f930f7acd7ae9da8783f80210b56170cf2499f3cd8

Download Submit
C:\Windows\{B8079645-CE60-4e68-8345-B359ACF43D19}.exe

Filesize
180KB

MD5
c00977e44beef0a8c841574e54377794

SHA1
c5673cec4096958bc90384dd07b1f1440c069676

SHA256
069c7e4c6cca0ef3e1dfb60299482f6e273d954ac04ce2cb12f10ce6f7ffa4ff

SHA512
fd58f72af83bfa8e755b8e352d5a9676b480b08b7fef698a3a8453686c1aa4165686068450278e320d3dd4d904a04b001657f75d80dca1b28fab72d027334098

Download Submit
C:\Windows\{D76FA7AE-A796-49cd-8DBF-39D644C2DDCF}.exe

Filesize
180KB

MD5
897e8c554502d6e4e3cb9c02d0b51899

SHA1
455b44402f24f6e7fdc72f451c861e38a60772f1

SHA256
a78959a3924c5d0280ac5cfdd7558da5afd791f43c33631b6243988332d5f19b

SHA512
400a8220ff535b0865633f826d4b662499fd537b40f6899fb11b5c1edd0ddcea31292907a3a45ed7433a7a1493c0ce52597b47fea7694dd2ee4ef2a37b7da7ac

Download Submit
C:\Windows\{D8133ED8-728B-4b06-8C71-7035C0EB14CE}.exe

Filesize
180KB

MD5
a6ee3b5c60787787fc600b3a014ce3df

SHA1
ec0113e7c625ed046a0e8406c261d8435c543f72

SHA256
be3e33a921fc0ee62d795da328145b2e96872f3845ff9e40942a44811975b8ec

SHA512
cb4281455eb30505f3387e2ab57dfa3b538af9cd70de4e133e003a01fe8ae5ffeefa70692d54a6216653013dfa0f4d8de57181e8abc2ce4141d42a14d91c1941

Download Submit
C:\Windows\{E93DC3A0-301A-4c44-A069-C701709497DC}.exe

Filesize
180KB

MD5
bbc18c1f7c30a35471951922c656e68f

SHA1
a6c15d3b89d09a376d98dc4ca7d7a9a3f4599c52

SHA256
ae8e5814889f0045bcd71ab3102cb10efdacc365480c36268a312f84a578fe53

SHA512
fe48fdf518e77a0e755804a6355e2150a05db1e6d78a0753ce9206f7b5fdf854842ca6484f8b129e5ad03d1f257e709ca5d43a6af7f11196dae1569f5c433607

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads