1a895688bfa2cad861ee295aa02e1de7a487739d848c8c62e9477aa43b79e55b

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
31/05/2024, 04:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-31_085463c90b4bb4e02632734fa032b375_goldeneye.exe
Size

180KB
MD5

085463c90b4bb4e02632734fa032b375
SHA1

a66184275f1c3b8f6e917efe0943aa3401f37280
SHA256

1a895688bfa2cad861ee295aa02e1de7a487739d848c8c62e9477aa43b79e55b
SHA512

6cb053ac438d8033b129155c4d04bade4c1f9afede207739e40296877f0f75beb3d1b9dadadc38534d2d6ea6c4864cb877a28066bcb87643bbad7258395a8ff7
SSDEEP

3072:jEGh0o0klfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGTl5eKcAEc

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x00070000000122cd-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a000000013a45-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00080000000122cd-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a000000013a7c-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00090000000122cd-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a000000013a84-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b000000013a84-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{90EB7997-829C-469d-806A-DEA3B862BAD1}\stubpath = "C:\\Windows\\{90EB7997-829C-469d-806A-DEA3B862BAD1}.exe"	{F969B803-E07A-45d4-9C6E-3E1658C92583}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4B98BCF0-A343-43a5-8DEF-B442B6A2FF0B}	{8F2FF96D-F066-42a5-9384-3F57DAE23CEA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{96CFE6A6-3EB7-4195-A445-279D71BC6B1D}\stubpath = "C:\\Windows\\{96CFE6A6-3EB7-4195-A445-279D71BC6B1D}.exe"	{DC95A068-D284-4664-8F01-424C36785F6F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{39DDA117-1AD2-4646-8485-D5C2FEB10735}	{96CFE6A6-3EB7-4195-A445-279D71BC6B1D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8F2FF96D-F066-42a5-9384-3F57DAE23CEA}	{39DDA117-1AD2-4646-8485-D5C2FEB10735}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8F2FF96D-F066-42a5-9384-3F57DAE23CEA}\stubpath = "C:\\Windows\\{8F2FF96D-F066-42a5-9384-3F57DAE23CEA}.exe"	{39DDA117-1AD2-4646-8485-D5C2FEB10735}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{298DD2DD-C890-435a-B1EC-CDA4C2146039}	{E41F8103-D879-43bc-9661-328A88D8DF27}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F969B803-E07A-45d4-9C6E-3E1658C92583}\stubpath = "C:\\Windows\\{F969B803-E07A-45d4-9C6E-3E1658C92583}.exe"	{298DD2DD-C890-435a-B1EC-CDA4C2146039}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B32D57DA-7F8B-4fc2-9816-BDE07EA1BBBB}	2024-05-31_085463c90b4bb4e02632734fa032b375_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{39DDA117-1AD2-4646-8485-D5C2FEB10735}\stubpath = "C:\\Windows\\{39DDA117-1AD2-4646-8485-D5C2FEB10735}.exe"	{96CFE6A6-3EB7-4195-A445-279D71BC6B1D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4B98BCF0-A343-43a5-8DEF-B442B6A2FF0B}\stubpath = "C:\\Windows\\{4B98BCF0-A343-43a5-8DEF-B442B6A2FF0B}.exe"	{8F2FF96D-F066-42a5-9384-3F57DAE23CEA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E41F8103-D879-43bc-9661-328A88D8DF27}\stubpath = "C:\\Windows\\{E41F8103-D879-43bc-9661-328A88D8DF27}.exe"	{4B98BCF0-A343-43a5-8DEF-B442B6A2FF0B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{298DD2DD-C890-435a-B1EC-CDA4C2146039}\stubpath = "C:\\Windows\\{298DD2DD-C890-435a-B1EC-CDA4C2146039}.exe"	{E41F8103-D879-43bc-9661-328A88D8DF27}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F969B803-E07A-45d4-9C6E-3E1658C92583}	{298DD2DD-C890-435a-B1EC-CDA4C2146039}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{867F4B29-D042-45aa-B834-B916F139546A}	{B32D57DA-7F8B-4fc2-9816-BDE07EA1BBBB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{867F4B29-D042-45aa-B834-B916F139546A}\stubpath = "C:\\Windows\\{867F4B29-D042-45aa-B834-B916F139546A}.exe"	{B32D57DA-7F8B-4fc2-9816-BDE07EA1BBBB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DC95A068-D284-4664-8F01-424C36785F6F}	{867F4B29-D042-45aa-B834-B916F139546A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DC95A068-D284-4664-8F01-424C36785F6F}\stubpath = "C:\\Windows\\{DC95A068-D284-4664-8F01-424C36785F6F}.exe"	{867F4B29-D042-45aa-B834-B916F139546A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{96CFE6A6-3EB7-4195-A445-279D71BC6B1D}	{DC95A068-D284-4664-8F01-424C36785F6F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E41F8103-D879-43bc-9661-328A88D8DF27}	{4B98BCF0-A343-43a5-8DEF-B442B6A2FF0B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{90EB7997-829C-469d-806A-DEA3B862BAD1}	{F969B803-E07A-45d4-9C6E-3E1658C92583}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B32D57DA-7F8B-4fc2-9816-BDE07EA1BBBB}\stubpath = "C:\\Windows\\{B32D57DA-7F8B-4fc2-9816-BDE07EA1BBBB}.exe"	2024-05-31_085463c90b4bb4e02632734fa032b375_goldeneye.exe

Deletes itself 1 IoCs

pid	Process
2320	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2268	{B32D57DA-7F8B-4fc2-9816-BDE07EA1BBBB}.exe
2120	{867F4B29-D042-45aa-B834-B916F139546A}.exe
2572	{DC95A068-D284-4664-8F01-424C36785F6F}.exe
2536	{96CFE6A6-3EB7-4195-A445-279D71BC6B1D}.exe
2880	{39DDA117-1AD2-4646-8485-D5C2FEB10735}.exe
2748	{8F2FF96D-F066-42a5-9384-3F57DAE23CEA}.exe
1860	{4B98BCF0-A343-43a5-8DEF-B442B6A2FF0B}.exe
2712	{E41F8103-D879-43bc-9661-328A88D8DF27}.exe
2920	{298DD2DD-C890-435a-B1EC-CDA4C2146039}.exe
312	{F969B803-E07A-45d4-9C6E-3E1658C92583}.exe
576	{90EB7997-829C-469d-806A-DEA3B862BAD1}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{96CFE6A6-3EB7-4195-A445-279D71BC6B1D}.exe	{DC95A068-D284-4664-8F01-424C36785F6F}.exe
File created	C:\Windows\{8F2FF96D-F066-42a5-9384-3F57DAE23CEA}.exe	{39DDA117-1AD2-4646-8485-D5C2FEB10735}.exe
File created	C:\Windows\{E41F8103-D879-43bc-9661-328A88D8DF27}.exe	{4B98BCF0-A343-43a5-8DEF-B442B6A2FF0B}.exe
File created	C:\Windows\{298DD2DD-C890-435a-B1EC-CDA4C2146039}.exe	{E41F8103-D879-43bc-9661-328A88D8DF27}.exe
File created	C:\Windows\{F969B803-E07A-45d4-9C6E-3E1658C92583}.exe	{298DD2DD-C890-435a-B1EC-CDA4C2146039}.exe
File created	C:\Windows\{90EB7997-829C-469d-806A-DEA3B862BAD1}.exe	{F969B803-E07A-45d4-9C6E-3E1658C92583}.exe
File created	C:\Windows\{B32D57DA-7F8B-4fc2-9816-BDE07EA1BBBB}.exe	2024-05-31_085463c90b4bb4e02632734fa032b375_goldeneye.exe
File created	C:\Windows\{867F4B29-D042-45aa-B834-B916F139546A}.exe	{B32D57DA-7F8B-4fc2-9816-BDE07EA1BBBB}.exe
File created	C:\Windows\{DC95A068-D284-4664-8F01-424C36785F6F}.exe	{867F4B29-D042-45aa-B834-B916F139546A}.exe
File created	C:\Windows\{39DDA117-1AD2-4646-8485-D5C2FEB10735}.exe	{96CFE6A6-3EB7-4195-A445-279D71BC6B1D}.exe
File created	C:\Windows\{4B98BCF0-A343-43a5-8DEF-B442B6A2FF0B}.exe	{8F2FF96D-F066-42a5-9384-3F57DAE23CEA}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2028	2024-05-31_085463c90b4bb4e02632734fa032b375_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2268	{B32D57DA-7F8B-4fc2-9816-BDE07EA1BBBB}.exe
Token: SeIncBasePriorityPrivilege	2120	{867F4B29-D042-45aa-B834-B916F139546A}.exe
Token: SeIncBasePriorityPrivilege	2572	{DC95A068-D284-4664-8F01-424C36785F6F}.exe
Token: SeIncBasePriorityPrivilege	2536	{96CFE6A6-3EB7-4195-A445-279D71BC6B1D}.exe
Token: SeIncBasePriorityPrivilege	2880	{39DDA117-1AD2-4646-8485-D5C2FEB10735}.exe
Token: SeIncBasePriorityPrivilege	2748	{8F2FF96D-F066-42a5-9384-3F57DAE23CEA}.exe
Token: SeIncBasePriorityPrivilege	1860	{4B98BCF0-A343-43a5-8DEF-B442B6A2FF0B}.exe
Token: SeIncBasePriorityPrivilege	2712	{E41F8103-D879-43bc-9661-328A88D8DF27}.exe
Token: SeIncBasePriorityPrivilege	2920	{298DD2DD-C890-435a-B1EC-CDA4C2146039}.exe
Token: SeIncBasePriorityPrivilege	312	{F969B803-E07A-45d4-9C6E-3E1658C92583}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2028 wrote to memory of 2268	2028	2024-05-31_085463c90b4bb4e02632734fa032b375_goldeneye.exe	28
PID 2028 wrote to memory of 2268	2028	2024-05-31_085463c90b4bb4e02632734fa032b375_goldeneye.exe	28
PID 2028 wrote to memory of 2268	2028	2024-05-31_085463c90b4bb4e02632734fa032b375_goldeneye.exe	28
PID 2028 wrote to memory of 2268	2028	2024-05-31_085463c90b4bb4e02632734fa032b375_goldeneye.exe	28
PID 2028 wrote to memory of 2320	2028	2024-05-31_085463c90b4bb4e02632734fa032b375_goldeneye.exe	29
PID 2028 wrote to memory of 2320	2028	2024-05-31_085463c90b4bb4e02632734fa032b375_goldeneye.exe	29
PID 2028 wrote to memory of 2320	2028	2024-05-31_085463c90b4bb4e02632734fa032b375_goldeneye.exe	29
PID 2028 wrote to memory of 2320	2028	2024-05-31_085463c90b4bb4e02632734fa032b375_goldeneye.exe	29
PID 2268 wrote to memory of 2120	2268	{B32D57DA-7F8B-4fc2-9816-BDE07EA1BBBB}.exe	30
PID 2268 wrote to memory of 2120	2268	{B32D57DA-7F8B-4fc2-9816-BDE07EA1BBBB}.exe	30
PID 2268 wrote to memory of 2120	2268	{B32D57DA-7F8B-4fc2-9816-BDE07EA1BBBB}.exe	30
PID 2268 wrote to memory of 2120	2268	{B32D57DA-7F8B-4fc2-9816-BDE07EA1BBBB}.exe	30
PID 2268 wrote to memory of 2988	2268	{B32D57DA-7F8B-4fc2-9816-BDE07EA1BBBB}.exe	31
PID 2268 wrote to memory of 2988	2268	{B32D57DA-7F8B-4fc2-9816-BDE07EA1BBBB}.exe	31
PID 2268 wrote to memory of 2988	2268	{B32D57DA-7F8B-4fc2-9816-BDE07EA1BBBB}.exe	31
PID 2268 wrote to memory of 2988	2268	{B32D57DA-7F8B-4fc2-9816-BDE07EA1BBBB}.exe	31
PID 2120 wrote to memory of 2572	2120	{867F4B29-D042-45aa-B834-B916F139546A}.exe	32
PID 2120 wrote to memory of 2572	2120	{867F4B29-D042-45aa-B834-B916F139546A}.exe	32
PID 2120 wrote to memory of 2572	2120	{867F4B29-D042-45aa-B834-B916F139546A}.exe	32
PID 2120 wrote to memory of 2572	2120	{867F4B29-D042-45aa-B834-B916F139546A}.exe	32
PID 2120 wrote to memory of 2556	2120	{867F4B29-D042-45aa-B834-B916F139546A}.exe	33
PID 2120 wrote to memory of 2556	2120	{867F4B29-D042-45aa-B834-B916F139546A}.exe	33
PID 2120 wrote to memory of 2556	2120	{867F4B29-D042-45aa-B834-B916F139546A}.exe	33
PID 2120 wrote to memory of 2556	2120	{867F4B29-D042-45aa-B834-B916F139546A}.exe	33
PID 2572 wrote to memory of 2536	2572	{DC95A068-D284-4664-8F01-424C36785F6F}.exe	36
PID 2572 wrote to memory of 2536	2572	{DC95A068-D284-4664-8F01-424C36785F6F}.exe	36
PID 2572 wrote to memory of 2536	2572	{DC95A068-D284-4664-8F01-424C36785F6F}.exe	36
PID 2572 wrote to memory of 2536	2572	{DC95A068-D284-4664-8F01-424C36785F6F}.exe	36
PID 2572 wrote to memory of 1552	2572	{DC95A068-D284-4664-8F01-424C36785F6F}.exe	37
PID 2572 wrote to memory of 1552	2572	{DC95A068-D284-4664-8F01-424C36785F6F}.exe	37
PID 2572 wrote to memory of 1552	2572	{DC95A068-D284-4664-8F01-424C36785F6F}.exe	37
PID 2572 wrote to memory of 1552	2572	{DC95A068-D284-4664-8F01-424C36785F6F}.exe	37
PID 2536 wrote to memory of 2880	2536	{96CFE6A6-3EB7-4195-A445-279D71BC6B1D}.exe	38
PID 2536 wrote to memory of 2880	2536	{96CFE6A6-3EB7-4195-A445-279D71BC6B1D}.exe	38
PID 2536 wrote to memory of 2880	2536	{96CFE6A6-3EB7-4195-A445-279D71BC6B1D}.exe	38
PID 2536 wrote to memory of 2880	2536	{96CFE6A6-3EB7-4195-A445-279D71BC6B1D}.exe	38
PID 2536 wrote to memory of 628	2536	{96CFE6A6-3EB7-4195-A445-279D71BC6B1D}.exe	39
PID 2536 wrote to memory of 628	2536	{96CFE6A6-3EB7-4195-A445-279D71BC6B1D}.exe	39
PID 2536 wrote to memory of 628	2536	{96CFE6A6-3EB7-4195-A445-279D71BC6B1D}.exe	39
PID 2536 wrote to memory of 628	2536	{96CFE6A6-3EB7-4195-A445-279D71BC6B1D}.exe	39
PID 2880 wrote to memory of 2748	2880	{39DDA117-1AD2-4646-8485-D5C2FEB10735}.exe	40
PID 2880 wrote to memory of 2748	2880	{39DDA117-1AD2-4646-8485-D5C2FEB10735}.exe	40
PID 2880 wrote to memory of 2748	2880	{39DDA117-1AD2-4646-8485-D5C2FEB10735}.exe	40
PID 2880 wrote to memory of 2748	2880	{39DDA117-1AD2-4646-8485-D5C2FEB10735}.exe	40
PID 2880 wrote to memory of 1676	2880	{39DDA117-1AD2-4646-8485-D5C2FEB10735}.exe	41
PID 2880 wrote to memory of 1676	2880	{39DDA117-1AD2-4646-8485-D5C2FEB10735}.exe	41
PID 2880 wrote to memory of 1676	2880	{39DDA117-1AD2-4646-8485-D5C2FEB10735}.exe	41
PID 2880 wrote to memory of 1676	2880	{39DDA117-1AD2-4646-8485-D5C2FEB10735}.exe	41
PID 2748 wrote to memory of 1860	2748	{8F2FF96D-F066-42a5-9384-3F57DAE23CEA}.exe	42
PID 2748 wrote to memory of 1860	2748	{8F2FF96D-F066-42a5-9384-3F57DAE23CEA}.exe	42
PID 2748 wrote to memory of 1860	2748	{8F2FF96D-F066-42a5-9384-3F57DAE23CEA}.exe	42
PID 2748 wrote to memory of 1860	2748	{8F2FF96D-F066-42a5-9384-3F57DAE23CEA}.exe	42
PID 2748 wrote to memory of 2600	2748	{8F2FF96D-F066-42a5-9384-3F57DAE23CEA}.exe	43
PID 2748 wrote to memory of 2600	2748	{8F2FF96D-F066-42a5-9384-3F57DAE23CEA}.exe	43
PID 2748 wrote to memory of 2600	2748	{8F2FF96D-F066-42a5-9384-3F57DAE23CEA}.exe	43
PID 2748 wrote to memory of 2600	2748	{8F2FF96D-F066-42a5-9384-3F57DAE23CEA}.exe	43
PID 1860 wrote to memory of 2712	1860	{4B98BCF0-A343-43a5-8DEF-B442B6A2FF0B}.exe	44
PID 1860 wrote to memory of 2712	1860	{4B98BCF0-A343-43a5-8DEF-B442B6A2FF0B}.exe	44
PID 1860 wrote to memory of 2712	1860	{4B98BCF0-A343-43a5-8DEF-B442B6A2FF0B}.exe	44
PID 1860 wrote to memory of 2712	1860	{4B98BCF0-A343-43a5-8DEF-B442B6A2FF0B}.exe	44
PID 1860 wrote to memory of 2032	1860	{4B98BCF0-A343-43a5-8DEF-B442B6A2FF0B}.exe	45
PID 1860 wrote to memory of 2032	1860	{4B98BCF0-A343-43a5-8DEF-B442B6A2FF0B}.exe	45
PID 1860 wrote to memory of 2032	1860	{4B98BCF0-A343-43a5-8DEF-B442B6A2FF0B}.exe	45
PID 1860 wrote to memory of 2032	1860	{4B98BCF0-A343-43a5-8DEF-B442B6A2FF0B}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-05-31_085463c90b4bb4e02632734fa032b375_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-31_085463c90b4bb4e02632734fa032b375_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2028
- C:\Windows\{B32D57DA-7F8B-4fc2-9816-BDE07EA1BBBB}.exe
  C:\Windows\{B32D57DA-7F8B-4fc2-9816-BDE07EA1BBBB}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2268
- - C:\Windows\{867F4B29-D042-45aa-B834-B916F139546A}.exe
    C:\Windows\{867F4B29-D042-45aa-B834-B916F139546A}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2120
  - - C:\Windows\{DC95A068-D284-4664-8F01-424C36785F6F}.exe
      C:\Windows\{DC95A068-D284-4664-8F01-424C36785F6F}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2572
    - - C:\Windows\{96CFE6A6-3EB7-4195-A445-279D71BC6B1D}.exe
        
        C:\Windows\{96CFE6A6-3EB7-4195-A445-279D71BC6B1D}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2536
      - C:\Windows\{39DDA117-1AD2-4646-8485-D5C2FEB10735}.exe
        
        C:\Windows\{39DDA117-1AD2-4646-8485-D5C2FEB10735}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2880
        
        C:\Windows\{8F2FF96D-F066-42a5-9384-3F57DAE23CEA}.exe
        
        C:\Windows\{8F2FF96D-F066-42a5-9384-3F57DAE23CEA}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2748
        
        C:\Windows\{4B98BCF0-A343-43a5-8DEF-B442B6A2FF0B}.exe
        
        C:\Windows\{4B98BCF0-A343-43a5-8DEF-B442B6A2FF0B}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1860
        
        C:\Windows\{E41F8103-D879-43bc-9661-328A88D8DF27}.exe
        
        C:\Windows\{E41F8103-D879-43bc-9661-328A88D8DF27}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2712
        
        C:\Windows\{298DD2DD-C890-435a-B1EC-CDA4C2146039}.exe
        
        C:\Windows\{298DD2DD-C890-435a-B1EC-CDA4C2146039}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2920
        
        C:\Windows\{F969B803-E07A-45d4-9C6E-3E1658C92583}.exe
        
        C:\Windows\{F969B803-E07A-45d4-9C6E-3E1658C92583}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:312
        
        C:\Windows\{90EB7997-829C-469d-806A-DEA3B862BAD1}.exe
        
        C:\Windows\{90EB7997-829C-469d-806A-DEA3B862BAD1}.exe
        12⤵
        Executes dropped EXE
        
        PID:576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F969B~1.EXE > nul
        12⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{298DD~1.EXE > nul
        11⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E41F8~1.EXE > nul
        10⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4B98B~1.EXE > nul
        9⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8F2FF~1.EXE > nul
        8⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{39DDA~1.EXE > nul
        7⤵
        
        PID:1676
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{96CFE~1.EXE > nul
        6⤵
        
        PID:628
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DC95A~1.EXE > nul
        5⤵
        
        PID:1552
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{867F4~1.EXE > nul
      4⤵
      PID:2556
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{B32D5~1.EXE > nul
    3⤵
    PID:2988
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{298DD2DD-C890-435a-B1EC-CDA4C2146039}.exe

Filesize
180KB

MD5
d200b6b3f17f9322511603b943b16abf

SHA1
b9cebdae464874c30f8db9a52908546ab93f9132

SHA256
98d9b9e32d1f283dbcad244c2cbdf0f04f84c6d491ebb649bf9d0322aac9dcc4

SHA512
3f96a8f7254988f802ca8779bc541a8e1e823461a1c6e223ee25bb1ec31da95dc15e2e71e57012e1cd8f67fbecb4c44b9d96a2704b219044bdcf17dd3fab485a

Download Submit
C:\Windows\{39DDA117-1AD2-4646-8485-D5C2FEB10735}.exe

Filesize
180KB

MD5
2b31447447d4370b1faa94b4f770a290

SHA1
b4f9338adb180088d55e9d2a64f4b7690e2384ae

SHA256
54dd9c63a7529928141df9e6e416f93334353cf1c4efd9430e0da67c110e46af

SHA512
652de7ee32ce0d56a7ed2bd2ff445b88619b5278eb379202b9edba05c2d4f1b05d0a993e1a8ee2436e9c3c22c8f00bb8d3147076dc2c18da442fa91d6a14c21a

Download Submit
C:\Windows\{4B98BCF0-A343-43a5-8DEF-B442B6A2FF0B}.exe

Filesize
180KB

MD5
b8471cdebeb428e1b9631c52b712e3da

SHA1
e1f23608dc17cec6bc41f3a189aad29d24c23868

SHA256
6967a601f8712c9d7a46fecf60118b2e9356f58b26297dc768143353fd2fa1fe

SHA512
154089706f549e1720662a87787aaf4cad0914c8cdaf719e4869ee7ebf69da0711f5fd6d2e777c9009b4f6f52781032ae12877b0e171ac547f218c510836d965

Download Submit
C:\Windows\{867F4B29-D042-45aa-B834-B916F139546A}.exe

Filesize
180KB

MD5
b2b499368b06ec5785c3362569affcc6

SHA1
69ee9f764c815fef81e4555d5067c4b16cb32cf2

SHA256
a4f14bb58898e4eb02218a89c6bddb312c63b2447b40ee4ef41ff49c8e187475

SHA512
e70e9812db9c1b1f6c91a34e0fe0b7523803f99f0b5e9d693db23b3d904b9fe42c9c8da6e7503f626de65e5657e51ad57cf05afdfe97f2aeb42a58a70fde72e4

Download Submit
C:\Windows\{8F2FF96D-F066-42a5-9384-3F57DAE23CEA}.exe

Filesize
180KB

MD5
d2b051fad01d2725d700240e8b4142b6

SHA1
d4920b8557db1bc920e313e6200efd7268570138

SHA256
bb3b09fc3dfcfeb3055502052a1fd63d0bd35f4017ea55fb4032c41afa35bf82

SHA512
c29babf1643adf0082c89b6a98bc0810309d6a4ffb9acbbcfc90b4392ad942b034e029a0b53d17ec42f36cfd742900a8b0f729c936e39cb188ea4f637f8e6016

Download Submit
C:\Windows\{90EB7997-829C-469d-806A-DEA3B862BAD1}.exe

Filesize
180KB

MD5
d392ac12654720c773a62a18e9da8ef4

SHA1
924930a43b29848010f4eb45de846c2af6001cf2

SHA256
e06e2f71752e6e6e5420b1ef4b7de0afe14ec19b151d50dd76edf6ba25aaa215

SHA512
bccdd037f81807cc9ec34d8388a40c804b71010fe86d67ed874ac6f19d5240ddcb58a18bcb4d49fcf8499176d77b76d20de1879bacafdc1370454342a37e2be9

Download Submit
C:\Windows\{96CFE6A6-3EB7-4195-A445-279D71BC6B1D}.exe

Filesize
180KB

MD5
2676e1522f2fed35a1a27f3eecec040b

SHA1
340aba5129ea082535b477219375ebba9538527d

SHA256
0f019e2bb98859e67c8587de8a7accbb2f9e1eb6170566a3a9ee5bc7e3abe686

SHA512
4a3463bfb70d5f90c247afa87eeaf2bccde606bc582fe85e630a5f9b5a3e8c78bf6c638a02015701812f6f8d5b1aee8a08feba2b7bc528dbaf26e540350a9da6

Download Submit
C:\Windows\{B32D57DA-7F8B-4fc2-9816-BDE07EA1BBBB}.exe

Filesize
180KB

MD5
184d22c3c00601a7990136768d59773a

SHA1
cca434420c9dd40c49fbebed4bf92b5f78cb9172

SHA256
ad1593c837462b726be4b15f48ca471d9aa34d346215cdaebf11105776d61217

SHA512
dcfde50491139a4fdb23b708c9324365e2b951d904a14b34158d6290490149e5353b2432aef35a345dc1654a401716f8f142dddde505a6046a7ef0cb9b36360c

Download Submit
C:\Windows\{DC95A068-D284-4664-8F01-424C36785F6F}.exe

Filesize
180KB

MD5
2c345aeeb84ee2774a3ab236821c8cd5

SHA1
8e3b83a0643a1ffd684ff169efc26d9da6ede78c

SHA256
85420573997f2a40021003fc5303b76ccee502e6fe6fa6c607aa7c00b16bf4df

SHA512
c25480794046bc06800a55b31e9ca90491aba5ac0fd9c87eb9a2f2b0a4778dab58fe0401ebb5785ab986830e1b1b183b83db896f9b917b993a7a191e668d3b6e

Download Submit
C:\Windows\{E41F8103-D879-43bc-9661-328A88D8DF27}.exe

Filesize
180KB

MD5
3c4a27faae426ae54e68e5512e78cbdf

SHA1
4b6afaa3abb16beb9e2711438fac04a04e63672a

SHA256
742aa4d61f0d4f2e7286a235525f8ce03eab796039364d4e340bb7fd0705bbd7

SHA512
ba1ec23b3f75d06ac420cfc387f13a9323ae04537cfcce22f5c65a919d96c1bcb4f7c0df77d2f6ff24a368c313d7f95848b1b853c0abd7d1cd1917e5450b2994

Download Submit
C:\Windows\{F969B803-E07A-45d4-9C6E-3E1658C92583}.exe

Filesize
180KB

MD5
f01a195af6212f82641776c7bee329e3

SHA1
5dc843f6f1fc040a086acd027e5143d1b8ef4035

SHA256
1bb96f7b0f535c1e7213438a87618813f9ba738a56011da09f24ce4be041b409

SHA512
f049c02fca0b4c2ac23ce15d18af16402b17a56dae2fe0bcf8b40602c76d94ea7ddbdb87bd92591c44477c725ca753604d0d7840c715dd433cccc3c8cb9a164a

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads