3a0ad4febf202898bcdbbddc4150e206582404c68a8cfc11c0984f085b30715c

Analysis

max time kernel
144s
max time network
121s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
23/01/2024, 12:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-23_1aadef64cd9bb30c73cea5330e4caaa1_goldeneye.exe
Size

380KB
MD5

1aadef64cd9bb30c73cea5330e4caaa1
SHA1

2cd3ddad1a95a30c3782dd26b8fc22dc0e4946eb
SHA256

3a0ad4febf202898bcdbbddc4150e206582404c68a8cfc11c0984f085b30715c
SHA512

d9ca4d6655582bf1f4ae632ea4e1e4b6c165b50c2e8348d4ce8a29699d190cdf7b06fcc887b86d9ea9af98a2fd11a7b17023d143ac48514ad62760f0eeb1c5b8
SSDEEP

3072:mEGh0o2lPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGUl7Oe2MUVg3v2IneKcAEcARy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 13 IoCs

resource	yara_rule
behavioral1/files/0x0008000000012243-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000012243-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000012243-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d0000000122ac-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000012243-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x003300000000b1f4-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x003400000000b1f4-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x003500000000b1f4-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x003600000000b1f4-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CC1389EA-B9BE-49d8-A8AF-0C118C841142}\stubpath = "C:\\Windows\\{CC1389EA-B9BE-49d8-A8AF-0C118C841142}.exe"	{8C45047C-FC12-44e2-BC60-E04DEF5D165D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DCE01C2B-6E14-4282-80EB-7892E77C35CD}\stubpath = "C:\\Windows\\{DCE01C2B-6E14-4282-80EB-7892E77C35CD}.exe"	{CC1389EA-B9BE-49d8-A8AF-0C118C841142}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FD8015D5-DD97-4928-8752-64F4825F3C27}	{DCE01C2B-6E14-4282-80EB-7892E77C35CD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D76D7075-6CE1-4759-AF65-59151FB3E30D}	2024-01-23_1aadef64cd9bb30c73cea5330e4caaa1_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{19E6C62F-FE75-44ac-9BDF-D9695A2EA99B}\stubpath = "C:\\Windows\\{19E6C62F-FE75-44ac-9BDF-D9695A2EA99B}.exe"	{A5476279-E263-4002-B1E5-5E65928134D1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8C45047C-FC12-44e2-BC60-E04DEF5D165D}	{BFCE2EFF-8193-4d72-8239-6A691E4658F6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8C45047C-FC12-44e2-BC60-E04DEF5D165D}\stubpath = "C:\\Windows\\{8C45047C-FC12-44e2-BC60-E04DEF5D165D}.exe"	{BFCE2EFF-8193-4d72-8239-6A691E4658F6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BFCE2EFF-8193-4d72-8239-6A691E4658F6}	{CCD8E425-4505-483e-8417-981B2DC556E9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8259B9A4-D090-44cc-B546-B7BFB7BD1D07}	{FD8015D5-DD97-4928-8752-64F4825F3C27}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{52F2A7B0-F7AA-4329-A9F4-5EC0C9C7D4CC}	{8259B9A4-D090-44cc-B546-B7BFB7BD1D07}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BFCE2EFF-8193-4d72-8239-6A691E4658F6}\stubpath = "C:\\Windows\\{BFCE2EFF-8193-4d72-8239-6A691E4658F6}.exe"	{CCD8E425-4505-483e-8417-981B2DC556E9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CC1389EA-B9BE-49d8-A8AF-0C118C841142}	{8C45047C-FC12-44e2-BC60-E04DEF5D165D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FD8015D5-DD97-4928-8752-64F4825F3C27}\stubpath = "C:\\Windows\\{FD8015D5-DD97-4928-8752-64F4825F3C27}.exe"	{DCE01C2B-6E14-4282-80EB-7892E77C35CD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8259B9A4-D090-44cc-B546-B7BFB7BD1D07}\stubpath = "C:\\Windows\\{8259B9A4-D090-44cc-B546-B7BFB7BD1D07}.exe"	{FD8015D5-DD97-4928-8752-64F4825F3C27}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D76D7075-6CE1-4759-AF65-59151FB3E30D}\stubpath = "C:\\Windows\\{D76D7075-6CE1-4759-AF65-59151FB3E30D}.exe"	2024-01-23_1aadef64cd9bb30c73cea5330e4caaa1_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A5476279-E263-4002-B1E5-5E65928134D1}\stubpath = "C:\\Windows\\{A5476279-E263-4002-B1E5-5E65928134D1}.exe"	{D76D7075-6CE1-4759-AF65-59151FB3E30D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CCD8E425-4505-483e-8417-981B2DC556E9}	{19E6C62F-FE75-44ac-9BDF-D9695A2EA99B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CCD8E425-4505-483e-8417-981B2DC556E9}\stubpath = "C:\\Windows\\{CCD8E425-4505-483e-8417-981B2DC556E9}.exe"	{19E6C62F-FE75-44ac-9BDF-D9695A2EA99B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A5476279-E263-4002-B1E5-5E65928134D1}	{D76D7075-6CE1-4759-AF65-59151FB3E30D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{19E6C62F-FE75-44ac-9BDF-D9695A2EA99B}	{A5476279-E263-4002-B1E5-5E65928134D1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DCE01C2B-6E14-4282-80EB-7892E77C35CD}	{CC1389EA-B9BE-49d8-A8AF-0C118C841142}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{52F2A7B0-F7AA-4329-A9F4-5EC0C9C7D4CC}\stubpath = "C:\\Windows\\{52F2A7B0-F7AA-4329-A9F4-5EC0C9C7D4CC}.exe"	{8259B9A4-D090-44cc-B546-B7BFB7BD1D07}.exe

Deletes itself 1 IoCs

pid	Process
2772	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2712	{D76D7075-6CE1-4759-AF65-59151FB3E30D}.exe
2704	{A5476279-E263-4002-B1E5-5E65928134D1}.exe
2948	{19E6C62F-FE75-44ac-9BDF-D9695A2EA99B}.exe
2968	{CCD8E425-4505-483e-8417-981B2DC556E9}.exe
1160	{BFCE2EFF-8193-4d72-8239-6A691E4658F6}.exe
320	{8C45047C-FC12-44e2-BC60-E04DEF5D165D}.exe
2668	{CC1389EA-B9BE-49d8-A8AF-0C118C841142}.exe
1908	{DCE01C2B-6E14-4282-80EB-7892E77C35CD}.exe
1096	{FD8015D5-DD97-4928-8752-64F4825F3C27}.exe
2808	{8259B9A4-D090-44cc-B546-B7BFB7BD1D07}.exe
1488	{52F2A7B0-F7AA-4329-A9F4-5EC0C9C7D4CC}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{CCD8E425-4505-483e-8417-981B2DC556E9}.exe	{19E6C62F-FE75-44ac-9BDF-D9695A2EA99B}.exe
File created	C:\Windows\{8C45047C-FC12-44e2-BC60-E04DEF5D165D}.exe	{BFCE2EFF-8193-4d72-8239-6A691E4658F6}.exe
File created	C:\Windows\{CC1389EA-B9BE-49d8-A8AF-0C118C841142}.exe	{8C45047C-FC12-44e2-BC60-E04DEF5D165D}.exe
File created	C:\Windows\{DCE01C2B-6E14-4282-80EB-7892E77C35CD}.exe	{CC1389EA-B9BE-49d8-A8AF-0C118C841142}.exe
File created	C:\Windows\{8259B9A4-D090-44cc-B546-B7BFB7BD1D07}.exe	{FD8015D5-DD97-4928-8752-64F4825F3C27}.exe
File created	C:\Windows\{D76D7075-6CE1-4759-AF65-59151FB3E30D}.exe	2024-01-23_1aadef64cd9bb30c73cea5330e4caaa1_goldeneye.exe
File created	C:\Windows\{A5476279-E263-4002-B1E5-5E65928134D1}.exe	{D76D7075-6CE1-4759-AF65-59151FB3E30D}.exe
File created	C:\Windows\{19E6C62F-FE75-44ac-9BDF-D9695A2EA99B}.exe	{A5476279-E263-4002-B1E5-5E65928134D1}.exe
File created	C:\Windows\{BFCE2EFF-8193-4d72-8239-6A691E4658F6}.exe	{CCD8E425-4505-483e-8417-981B2DC556E9}.exe
File created	C:\Windows\{FD8015D5-DD97-4928-8752-64F4825F3C27}.exe	{DCE01C2B-6E14-4282-80EB-7892E77C35CD}.exe
File created	C:\Windows\{52F2A7B0-F7AA-4329-A9F4-5EC0C9C7D4CC}.exe	{8259B9A4-D090-44cc-B546-B7BFB7BD1D07}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2852	2024-01-23_1aadef64cd9bb30c73cea5330e4caaa1_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2712	{D76D7075-6CE1-4759-AF65-59151FB3E30D}.exe
Token: SeIncBasePriorityPrivilege	2704	{A5476279-E263-4002-B1E5-5E65928134D1}.exe
Token: SeIncBasePriorityPrivilege	2948	{19E6C62F-FE75-44ac-9BDF-D9695A2EA99B}.exe
Token: SeIncBasePriorityPrivilege	2968	{CCD8E425-4505-483e-8417-981B2DC556E9}.exe
Token: SeIncBasePriorityPrivilege	1160	{BFCE2EFF-8193-4d72-8239-6A691E4658F6}.exe
Token: SeIncBasePriorityPrivilege	320	{8C45047C-FC12-44e2-BC60-E04DEF5D165D}.exe
Token: SeIncBasePriorityPrivilege	2668	{CC1389EA-B9BE-49d8-A8AF-0C118C841142}.exe
Token: SeIncBasePriorityPrivilege	1908	{DCE01C2B-6E14-4282-80EB-7892E77C35CD}.exe
Token: SeIncBasePriorityPrivilege	1096	{FD8015D5-DD97-4928-8752-64F4825F3C27}.exe
Token: SeIncBasePriorityPrivilege	2808	{8259B9A4-D090-44cc-B546-B7BFB7BD1D07}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2852 wrote to memory of 2712	2852	2024-01-23_1aadef64cd9bb30c73cea5330e4caaa1_goldeneye.exe	28
PID 2852 wrote to memory of 2712	2852	2024-01-23_1aadef64cd9bb30c73cea5330e4caaa1_goldeneye.exe	28
PID 2852 wrote to memory of 2712	2852	2024-01-23_1aadef64cd9bb30c73cea5330e4caaa1_goldeneye.exe	28
PID 2852 wrote to memory of 2712	2852	2024-01-23_1aadef64cd9bb30c73cea5330e4caaa1_goldeneye.exe	28
PID 2852 wrote to memory of 2772	2852	2024-01-23_1aadef64cd9bb30c73cea5330e4caaa1_goldeneye.exe	29
PID 2852 wrote to memory of 2772	2852	2024-01-23_1aadef64cd9bb30c73cea5330e4caaa1_goldeneye.exe	29
PID 2852 wrote to memory of 2772	2852	2024-01-23_1aadef64cd9bb30c73cea5330e4caaa1_goldeneye.exe	29
PID 2852 wrote to memory of 2772	2852	2024-01-23_1aadef64cd9bb30c73cea5330e4caaa1_goldeneye.exe	29
PID 2712 wrote to memory of 2704	2712	{D76D7075-6CE1-4759-AF65-59151FB3E30D}.exe	30
PID 2712 wrote to memory of 2704	2712	{D76D7075-6CE1-4759-AF65-59151FB3E30D}.exe	30
PID 2712 wrote to memory of 2704	2712	{D76D7075-6CE1-4759-AF65-59151FB3E30D}.exe	30
PID 2712 wrote to memory of 2704	2712	{D76D7075-6CE1-4759-AF65-59151FB3E30D}.exe	30
PID 2712 wrote to memory of 2688	2712	{D76D7075-6CE1-4759-AF65-59151FB3E30D}.exe	31
PID 2712 wrote to memory of 2688	2712	{D76D7075-6CE1-4759-AF65-59151FB3E30D}.exe	31
PID 2712 wrote to memory of 2688	2712	{D76D7075-6CE1-4759-AF65-59151FB3E30D}.exe	31
PID 2712 wrote to memory of 2688	2712	{D76D7075-6CE1-4759-AF65-59151FB3E30D}.exe	31
PID 2704 wrote to memory of 2948	2704	{A5476279-E263-4002-B1E5-5E65928134D1}.exe	32
PID 2704 wrote to memory of 2948	2704	{A5476279-E263-4002-B1E5-5E65928134D1}.exe	32
PID 2704 wrote to memory of 2948	2704	{A5476279-E263-4002-B1E5-5E65928134D1}.exe	32
PID 2704 wrote to memory of 2948	2704	{A5476279-E263-4002-B1E5-5E65928134D1}.exe	32
PID 2704 wrote to memory of 2832	2704	{A5476279-E263-4002-B1E5-5E65928134D1}.exe	33
PID 2704 wrote to memory of 2832	2704	{A5476279-E263-4002-B1E5-5E65928134D1}.exe	33
PID 2704 wrote to memory of 2832	2704	{A5476279-E263-4002-B1E5-5E65928134D1}.exe	33
PID 2704 wrote to memory of 2832	2704	{A5476279-E263-4002-B1E5-5E65928134D1}.exe	33
PID 2948 wrote to memory of 2968	2948	{19E6C62F-FE75-44ac-9BDF-D9695A2EA99B}.exe	36
PID 2948 wrote to memory of 2968	2948	{19E6C62F-FE75-44ac-9BDF-D9695A2EA99B}.exe	36
PID 2948 wrote to memory of 2968	2948	{19E6C62F-FE75-44ac-9BDF-D9695A2EA99B}.exe	36
PID 2948 wrote to memory of 2968	2948	{19E6C62F-FE75-44ac-9BDF-D9695A2EA99B}.exe	36
PID 2948 wrote to memory of 3016	2948	{19E6C62F-FE75-44ac-9BDF-D9695A2EA99B}.exe	37
PID 2948 wrote to memory of 3016	2948	{19E6C62F-FE75-44ac-9BDF-D9695A2EA99B}.exe	37
PID 2948 wrote to memory of 3016	2948	{19E6C62F-FE75-44ac-9BDF-D9695A2EA99B}.exe	37
PID 2948 wrote to memory of 3016	2948	{19E6C62F-FE75-44ac-9BDF-D9695A2EA99B}.exe	37
PID 2968 wrote to memory of 1160	2968	{CCD8E425-4505-483e-8417-981B2DC556E9}.exe	38
PID 2968 wrote to memory of 1160	2968	{CCD8E425-4505-483e-8417-981B2DC556E9}.exe	38
PID 2968 wrote to memory of 1160	2968	{CCD8E425-4505-483e-8417-981B2DC556E9}.exe	38
PID 2968 wrote to memory of 1160	2968	{CCD8E425-4505-483e-8417-981B2DC556E9}.exe	38
PID 2968 wrote to memory of 2896	2968	{CCD8E425-4505-483e-8417-981B2DC556E9}.exe	39
PID 2968 wrote to memory of 2896	2968	{CCD8E425-4505-483e-8417-981B2DC556E9}.exe	39
PID 2968 wrote to memory of 2896	2968	{CCD8E425-4505-483e-8417-981B2DC556E9}.exe	39
PID 2968 wrote to memory of 2896	2968	{CCD8E425-4505-483e-8417-981B2DC556E9}.exe	39
PID 1160 wrote to memory of 320	1160	{BFCE2EFF-8193-4d72-8239-6A691E4658F6}.exe	41
PID 1160 wrote to memory of 320	1160	{BFCE2EFF-8193-4d72-8239-6A691E4658F6}.exe	41
PID 1160 wrote to memory of 320	1160	{BFCE2EFF-8193-4d72-8239-6A691E4658F6}.exe	41
PID 1160 wrote to memory of 320	1160	{BFCE2EFF-8193-4d72-8239-6A691E4658F6}.exe	41
PID 1160 wrote to memory of 1928	1160	{BFCE2EFF-8193-4d72-8239-6A691E4658F6}.exe	40
PID 1160 wrote to memory of 1928	1160	{BFCE2EFF-8193-4d72-8239-6A691E4658F6}.exe	40
PID 1160 wrote to memory of 1928	1160	{BFCE2EFF-8193-4d72-8239-6A691E4658F6}.exe	40
PID 1160 wrote to memory of 1928	1160	{BFCE2EFF-8193-4d72-8239-6A691E4658F6}.exe	40
PID 320 wrote to memory of 2668	320	{8C45047C-FC12-44e2-BC60-E04DEF5D165D}.exe	42
PID 320 wrote to memory of 2668	320	{8C45047C-FC12-44e2-BC60-E04DEF5D165D}.exe	42
PID 320 wrote to memory of 2668	320	{8C45047C-FC12-44e2-BC60-E04DEF5D165D}.exe	42
PID 320 wrote to memory of 2668	320	{8C45047C-FC12-44e2-BC60-E04DEF5D165D}.exe	42
PID 320 wrote to memory of 2868	320	{8C45047C-FC12-44e2-BC60-E04DEF5D165D}.exe	43
PID 320 wrote to memory of 2868	320	{8C45047C-FC12-44e2-BC60-E04DEF5D165D}.exe	43
PID 320 wrote to memory of 2868	320	{8C45047C-FC12-44e2-BC60-E04DEF5D165D}.exe	43
PID 320 wrote to memory of 2868	320	{8C45047C-FC12-44e2-BC60-E04DEF5D165D}.exe	43
PID 2668 wrote to memory of 1908	2668	{CC1389EA-B9BE-49d8-A8AF-0C118C841142}.exe	45
PID 2668 wrote to memory of 1908	2668	{CC1389EA-B9BE-49d8-A8AF-0C118C841142}.exe	45
PID 2668 wrote to memory of 1908	2668	{CC1389EA-B9BE-49d8-A8AF-0C118C841142}.exe	45
PID 2668 wrote to memory of 1908	2668	{CC1389EA-B9BE-49d8-A8AF-0C118C841142}.exe	45
PID 2668 wrote to memory of 1356	2668	{CC1389EA-B9BE-49d8-A8AF-0C118C841142}.exe	44
PID 2668 wrote to memory of 1356	2668	{CC1389EA-B9BE-49d8-A8AF-0C118C841142}.exe	44
PID 2668 wrote to memory of 1356	2668	{CC1389EA-B9BE-49d8-A8AF-0C118C841142}.exe	44
PID 2668 wrote to memory of 1356	2668	{CC1389EA-B9BE-49d8-A8AF-0C118C841142}.exe	44

C:\Users\Admin\AppData\Local\Temp\2024-01-23_1aadef64cd9bb30c73cea5330e4caaa1_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-23_1aadef64cd9bb30c73cea5330e4caaa1_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2852
- C:\Windows\{D76D7075-6CE1-4759-AF65-59151FB3E30D}.exe
  C:\Windows\{D76D7075-6CE1-4759-AF65-59151FB3E30D}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2712
- - C:\Windows\{A5476279-E263-4002-B1E5-5E65928134D1}.exe
    C:\Windows\{A5476279-E263-4002-B1E5-5E65928134D1}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2704
  - - C:\Windows\{19E6C62F-FE75-44ac-9BDF-D9695A2EA99B}.exe
      C:\Windows\{19E6C62F-FE75-44ac-9BDF-D9695A2EA99B}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2948
    - - C:\Windows\{CCD8E425-4505-483e-8417-981B2DC556E9}.exe
        
        C:\Windows\{CCD8E425-4505-483e-8417-981B2DC556E9}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2968
      - C:\Windows\{BFCE2EFF-8193-4d72-8239-6A691E4658F6}.exe
        
        C:\Windows\{BFCE2EFF-8193-4d72-8239-6A691E4658F6}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1160
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BFCE2~1.EXE > nul
        7⤵
        
        PID:1928
        
        C:\Windows\{8C45047C-FC12-44e2-BC60-E04DEF5D165D}.exe
        
        C:\Windows\{8C45047C-FC12-44e2-BC60-E04DEF5D165D}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:320
        
        C:\Windows\{CC1389EA-B9BE-49d8-A8AF-0C118C841142}.exe
        
        C:\Windows\{CC1389EA-B9BE-49d8-A8AF-0C118C841142}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CC138~1.EXE > nul
        9⤵
        
        PID:1356
        
        C:\Windows\{DCE01C2B-6E14-4282-80EB-7892E77C35CD}.exe
        
        C:\Windows\{DCE01C2B-6E14-4282-80EB-7892E77C35CD}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DCE01~1.EXE > nul
        10⤵
        
        PID:2256
        
        C:\Windows\{FD8015D5-DD97-4928-8752-64F4825F3C27}.exe
        
        C:\Windows\{FD8015D5-DD97-4928-8752-64F4825F3C27}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FD801~1.EXE > nul
        11⤵
        
        PID:2340
        
        C:\Windows\{8259B9A4-D090-44cc-B546-B7BFB7BD1D07}.exe
        
        C:\Windows\{8259B9A4-D090-44cc-B546-B7BFB7BD1D07}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8259B~1.EXE > nul
        12⤵
        
        PID:2068
        
        C:\Windows\{52F2A7B0-F7AA-4329-A9F4-5EC0C9C7D4CC}.exe
        
        C:\Windows\{52F2A7B0-F7AA-4329-A9F4-5EC0C9C7D4CC}.exe
        12⤵
        Executes dropped EXE
        
        PID:1488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8C450~1.EXE > nul
        8⤵
        
        PID:2868
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CCD8E~1.EXE > nul
        6⤵
        
        PID:2896
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{19E6C~1.EXE > nul
        5⤵
        
        PID:3016
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{A5476~1.EXE > nul
      4⤵
      PID:2832
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{D76D7~1.EXE > nul
    3⤵
    PID:2688
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{19E6C62F-FE75-44ac-9BDF-D9695A2EA99B}.exe

Filesize
380KB

MD5
72920f938454635179158d039af9c16e

SHA1
defaea512aad4d00b857aac12686dc2a83f03c5e

SHA256
a977b3a7995b704e12f9f2825adf0eeb3970b26096e9ac7a39b3ec81bd88c3b4

SHA512
5514c4ec9f900f171769ad2f4bb09105610d6eb056dc35831bf4e303cc1460e5431215f3af06691a38f006bf5ef729b92195a080b912a15457245d459f155832

Download Submit
C:\Windows\{52F2A7B0-F7AA-4329-A9F4-5EC0C9C7D4CC}.exe

Filesize
380KB

MD5
b4d76c7eb34954fd8643d81703eae469

SHA1
689c8c52f3d34c64fc535673077f8d9a33ba0910

SHA256
8bf5104fd00d24ca41c59a1db18526596ccf6dda2be8d68e6da7f389299936dd

SHA512
29e006020ffa0f47013b6fc87e3591aba86f4bf8589087988cf6efde705f25d438d64385cf70bb9ec3bac1168db0e8589327f54a7b9e89ea610f922114faa5a2

Download Submit
C:\Windows\{8259B9A4-D090-44cc-B546-B7BFB7BD1D07}.exe

Filesize
380KB

MD5
660f82cf6e9ab631d6bdcfd5a72e2dad

SHA1
49173ff33cb0f1434fd1b823b3b9e0e4f9caeb04

SHA256
a1d19946916a31e47b89cbf1ac53da8def80cb06e17ea1f84d993cc53b590a32

SHA512
7a160f38b24ae4e7a617321b972e2a0e8ff3d023624cfa41439b6c6330612c62c4c291ce0c144bdfda85e90039af3da6a4ec7c00cdbb34c2855f3f7adb7721e6

Download Submit
C:\Windows\{8C45047C-FC12-44e2-BC60-E04DEF5D165D}.exe

Filesize
380KB

MD5
9f7807d8290d2cdcb3fd40b515285f9e

SHA1
41da47f182692b63356954d1388d1cc3b3d1e844

SHA256
22fdd2285032dacfeb91d9d04fb347447fb05d49fe0b528b4638fe5a3f23f7f3

SHA512
9ab6df451e6211e60f71ab3da0e285aa8f53764258b88d916ef8fecfdcf2e4490e440a055dfc6590970e964457166ba3183b414af530e6384ad7c8db894cd452

Download Submit
C:\Windows\{A5476279-E263-4002-B1E5-5E65928134D1}.exe

Filesize
380KB

MD5
c73bc462bf9c6997ce8b902115d0b332

SHA1
e63a604b1b42803d0d25d02d1e0321c4e279a1c3

SHA256
3a5b7fbc45636eb214c30f0f2e26ef695c8c24d2f3998d10fdf34c6a58c3b2a9

SHA512
a8d0292a4aafaf52fc5a8ae40481dfa3211cd1776d997ba7f21de504b41785c894dc4b7f5c960ef5d149ad56cf96aca2c601f905fbce86cc27fe2add3aa27f6a

Download Submit
C:\Windows\{BFCE2EFF-8193-4d72-8239-6A691E4658F6}.exe

Filesize
380KB

MD5
68ca4b97529de79d8f94e3e2b03f80bf

SHA1
92f1909057a3571b2ab0e42cd1dba89387b8456c

SHA256
6ae6e1c287dd4e4d977686f15a0010b3ee252b3e68be782f6322bc6a4fdaf23d

SHA512
bd2e662c0a81db98c32bf458a4b6d5dff1acfd6df2cb9b005027f863d265698fc15d5c691a90689f1cce3e483efe32001a4ea20931ef843cabcc6027d5d526f3

Download Submit
C:\Windows\{CC1389EA-B9BE-49d8-A8AF-0C118C841142}.exe

Filesize
380KB

MD5
c20ea56869794ccd6ed02cc76a5a8e31

SHA1
69b3cff6eda595ad5b02a3f9f7df06fbb1729605

SHA256
f84806408f5ec54ca0963b3c831c9ec73de007e5be67f03a931ea8fc943426f4

SHA512
538f5a199283f110ae2403dceecdeeb45293b78429eb2c4d69db0e1574cd22bfc8d35ca850d2749c1b81d5dfc1aa86c2647dd60a79cddb1c431b530dd73669c5

Download Submit
C:\Windows\{CCD8E425-4505-483e-8417-981B2DC556E9}.exe

Filesize
380KB

MD5
e44e8a8853cc66272596e56a5874a289

SHA1
c95b0fb0a0694293c6013bf05780cbd3f01e5c9e

SHA256
88e157563c64f2748c2a42314be64f2f955751c994de23f6d9495ad2d068a09a

SHA512
99c6d4da6c66daf8c1e8bbc73f9cf5dae64cb9156ce8dc5723cc93c13fc0a8b6eaa1a5b3b0207f06870a8a015ca6bcc82973de61642541bd43566ff7288cea5d

Download Submit
C:\Windows\{D76D7075-6CE1-4759-AF65-59151FB3E30D}.exe

Filesize
128KB

MD5
6531568d976f98acaa23eef694af8876

SHA1
4baaaca8068958782f7d0d44b8c0482f88011d5f

SHA256
ce1a1677ba5b531231419ddb6792ae1e8d8fef75308c771559cf76b672c8bc17

SHA512
873f9a6bfd08fe984ce99bb63856587eace30b8761311bf367ab107eaa6dfbc275198bfcf6e92fef88e379055b8799458d0ed29a38aa52098ac9912510a406c8

Download Submit
C:\Windows\{D76D7075-6CE1-4759-AF65-59151FB3E30D}.exe

Filesize
166KB

MD5
cfb43bb412374d9fee8615d92c8f693c

SHA1
5de62bb628998264bdb36849a0c7c808d600dc32

SHA256
0b0aeb331b7e286c36a2416cc90a9724ab3e3af70b9525bc1a717f6a9ccaf22d

SHA512
e6e469697383ab58076f5961c08f8878cd6b8cda581b79de3f46bb400968113fba224cbfa1221c8cb1bfbff77ac3f69d364617952d72f0e69549d061dba4cf09

Download Submit
C:\Windows\{D76D7075-6CE1-4759-AF65-59151FB3E30D}.exe

Filesize
380KB

MD5
2fc03ecb0413d416ac3ab29e6cab30fb

SHA1
a111f470d7eb43665ccf11c0aa4716239a03eaf4

SHA256
a30ae71fffec110b260fa308c209c65ab803430eab697c9ab33776279ac1af50

SHA512
e02d88851db957aba5266b2b269d8d3a80227415467c89b466f413612e9ea5c5352fbc50b583d34358f16ddbb2c46ee9165436882597a19e73a85dc205cf5dfd

Download Submit
C:\Windows\{DCE01C2B-6E14-4282-80EB-7892E77C35CD}.exe

Filesize
380KB

MD5
256e02d0f32ba3abafe6e3fdb5149ddc

SHA1
520ad915c1df9519237614a44683ff0ebf7199d3

SHA256
c80e8cca4c7c18bf23bef4b6fa5d7cf2f86d6ad9ba262e81e500f22197950a03

SHA512
79db17a8d878513b106d0dc875ec30cb80373be8f25a0b1809c1a4fbbc4675d254e1ac27c3ac89ce1e668ba7a050e4e1f98249be3088136d4ccedcda51dd2db3

Download Submit
C:\Windows\{FD8015D5-DD97-4928-8752-64F4825F3C27}.exe

Filesize
380KB

MD5
12c0a02cb1e32ded6796fff3b324fc46

SHA1
cf428c9bf2763bdb1b23b0dc6a3088ebdf53e2ab

SHA256
14e9e6df6a44df9a40edfd2d16b3e9aa2239cda2f10258bbf960ccf56bc73c95

SHA512
c000471abdc54fb8f0a205b430a10db4c63e40176766cb0ec4d75a9c7573d3840a15c1b94e12707c12248771d7d0e3620577f378085685ff4d633f33b19d4fac

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads