24ab66e8ebc081f5c1ffa1633676c4f77bd6d9d300dae1a9f1cf5737eec3ff0a

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
02/02/2024, 15:25

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-02-02_393f8308cb3917f1a9b924d778427e45_goldeneye.exe
Size

344KB
MD5

393f8308cb3917f1a9b924d778427e45
SHA1

5899cd1a1c29c58f27786fcca5352235acc0b89c
SHA256

24ab66e8ebc081f5c1ffa1633676c4f77bd6d9d300dae1a9f1cf5737eec3ff0a
SHA512

00e8e61bc9d00a5908d47575a3723fe0899aef680e759ced58729cd1206cebe26e2f0ace8b4dcfcd7cea41d4dc51de01e79f4b169ddcd2e32f7faf87a464c0fe
SSDEEP

3072:mEGh0oYlEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGWlqOe2MUVg3v2IneKcAEcA

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x0008000000012243-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d0000000122ac-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000012243-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x003300000000b1f4-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x003400000000b1f4-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x003500000000b1f4-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x003600000000b1f4-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4D4357D2-C26C-4db8-8B76-8ADC2DA76544}\stubpath = "C:\\Windows\\{4D4357D2-C26C-4db8-8B76-8ADC2DA76544}.exe"	{321DC5C4-CAB8-462d-9C39-03DA645AD7C2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{728FAEAA-392D-4b2f-909C-81014ED293A0}	{87446741-CF28-4256-A784-4DAEC8CAEB3E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A92E38B7-412E-43e1-9E21-6031F976E1A4}\stubpath = "C:\\Windows\\{A92E38B7-412E-43e1-9E21-6031F976E1A4}.exe"	2024-02-02_393f8308cb3917f1a9b924d778427e45_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{24B3D527-D2B0-4c87-BB69-C7EFB6946198}\stubpath = "C:\\Windows\\{24B3D527-D2B0-4c87-BB69-C7EFB6946198}.exe"	{A92E38B7-412E-43e1-9E21-6031F976E1A4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1DC503B6-B116-4ace-8ADB-3F86F4D09ABE}\stubpath = "C:\\Windows\\{1DC503B6-B116-4ace-8ADB-3F86F4D09ABE}.exe"	{8C25CABD-1EF2-4587-9F21-B686976035F6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1CA8E45A-B48E-4498-8FF9-A75A5878EAA3}\stubpath = "C:\\Windows\\{1CA8E45A-B48E-4498-8FF9-A75A5878EAA3}.exe"	{99CAAC42-D582-40eb-A128-D583DB592B5F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7202C639-65F7-4609-8F7C-6725D51B1BDA}\stubpath = "C:\\Windows\\{7202C639-65F7-4609-8F7C-6725D51B1BDA}.exe"	{24B3D527-D2B0-4c87-BB69-C7EFB6946198}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8C25CABD-1EF2-4587-9F21-B686976035F6}	{7202C639-65F7-4609-8F7C-6725D51B1BDA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{87446741-CF28-4256-A784-4DAEC8CAEB3E}	{4D4357D2-C26C-4db8-8B76-8ADC2DA76544}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{87446741-CF28-4256-A784-4DAEC8CAEB3E}\stubpath = "C:\\Windows\\{87446741-CF28-4256-A784-4DAEC8CAEB3E}.exe"	{4D4357D2-C26C-4db8-8B76-8ADC2DA76544}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1CA8E45A-B48E-4498-8FF9-A75A5878EAA3}	{99CAAC42-D582-40eb-A128-D583DB592B5F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{321DC5C4-CAB8-462d-9C39-03DA645AD7C2}\stubpath = "C:\\Windows\\{321DC5C4-CAB8-462d-9C39-03DA645AD7C2}.exe"	{1CA8E45A-B48E-4498-8FF9-A75A5878EAA3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A92E38B7-412E-43e1-9E21-6031F976E1A4}	2024-02-02_393f8308cb3917f1a9b924d778427e45_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{24B3D527-D2B0-4c87-BB69-C7EFB6946198}	{A92E38B7-412E-43e1-9E21-6031F976E1A4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7202C639-65F7-4609-8F7C-6725D51B1BDA}	{24B3D527-D2B0-4c87-BB69-C7EFB6946198}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{99CAAC42-D582-40eb-A128-D583DB592B5F}	{1DC503B6-B116-4ace-8ADB-3F86F4D09ABE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4D4357D2-C26C-4db8-8B76-8ADC2DA76544}	{321DC5C4-CAB8-462d-9C39-03DA645AD7C2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{728FAEAA-392D-4b2f-909C-81014ED293A0}\stubpath = "C:\\Windows\\{728FAEAA-392D-4b2f-909C-81014ED293A0}.exe"	{87446741-CF28-4256-A784-4DAEC8CAEB3E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8C25CABD-1EF2-4587-9F21-B686976035F6}\stubpath = "C:\\Windows\\{8C25CABD-1EF2-4587-9F21-B686976035F6}.exe"	{7202C639-65F7-4609-8F7C-6725D51B1BDA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1DC503B6-B116-4ace-8ADB-3F86F4D09ABE}	{8C25CABD-1EF2-4587-9F21-B686976035F6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{99CAAC42-D582-40eb-A128-D583DB592B5F}\stubpath = "C:\\Windows\\{99CAAC42-D582-40eb-A128-D583DB592B5F}.exe"	{1DC503B6-B116-4ace-8ADB-3F86F4D09ABE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{321DC5C4-CAB8-462d-9C39-03DA645AD7C2}	{1CA8E45A-B48E-4498-8FF9-A75A5878EAA3}.exe

Deletes itself 1 IoCs

pid	Process
2772	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2712	{A92E38B7-412E-43e1-9E21-6031F976E1A4}.exe
2580	{24B3D527-D2B0-4c87-BB69-C7EFB6946198}.exe
2140	{7202C639-65F7-4609-8F7C-6725D51B1BDA}.exe
2944	{8C25CABD-1EF2-4587-9F21-B686976035F6}.exe
2416	{1DC503B6-B116-4ace-8ADB-3F86F4D09ABE}.exe
2672	{99CAAC42-D582-40eb-A128-D583DB592B5F}.exe
2912	{1CA8E45A-B48E-4498-8FF9-A75A5878EAA3}.exe
776	{321DC5C4-CAB8-462d-9C39-03DA645AD7C2}.exe
1760	{4D4357D2-C26C-4db8-8B76-8ADC2DA76544}.exe
2108	{87446741-CF28-4256-A784-4DAEC8CAEB3E}.exe
1616	{728FAEAA-392D-4b2f-909C-81014ED293A0}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{87446741-CF28-4256-A784-4DAEC8CAEB3E}.exe	{4D4357D2-C26C-4db8-8B76-8ADC2DA76544}.exe
File created	C:\Windows\{728FAEAA-392D-4b2f-909C-81014ED293A0}.exe	{87446741-CF28-4256-A784-4DAEC8CAEB3E}.exe
File created	C:\Windows\{A92E38B7-412E-43e1-9E21-6031F976E1A4}.exe	2024-02-02_393f8308cb3917f1a9b924d778427e45_goldeneye.exe
File created	C:\Windows\{7202C639-65F7-4609-8F7C-6725D51B1BDA}.exe	{24B3D527-D2B0-4c87-BB69-C7EFB6946198}.exe
File created	C:\Windows\{99CAAC42-D582-40eb-A128-D583DB592B5F}.exe	{1DC503B6-B116-4ace-8ADB-3F86F4D09ABE}.exe
File created	C:\Windows\{1CA8E45A-B48E-4498-8FF9-A75A5878EAA3}.exe	{99CAAC42-D582-40eb-A128-D583DB592B5F}.exe
File created	C:\Windows\{4D4357D2-C26C-4db8-8B76-8ADC2DA76544}.exe	{321DC5C4-CAB8-462d-9C39-03DA645AD7C2}.exe
File created	C:\Windows\{24B3D527-D2B0-4c87-BB69-C7EFB6946198}.exe	{A92E38B7-412E-43e1-9E21-6031F976E1A4}.exe
File created	C:\Windows\{8C25CABD-1EF2-4587-9F21-B686976035F6}.exe	{7202C639-65F7-4609-8F7C-6725D51B1BDA}.exe
File created	C:\Windows\{1DC503B6-B116-4ace-8ADB-3F86F4D09ABE}.exe	{8C25CABD-1EF2-4587-9F21-B686976035F6}.exe
File created	C:\Windows\{321DC5C4-CAB8-462d-9C39-03DA645AD7C2}.exe	{1CA8E45A-B48E-4498-8FF9-A75A5878EAA3}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2288	2024-02-02_393f8308cb3917f1a9b924d778427e45_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2712	{A92E38B7-412E-43e1-9E21-6031F976E1A4}.exe
Token: SeIncBasePriorityPrivilege	2580	{24B3D527-D2B0-4c87-BB69-C7EFB6946198}.exe
Token: SeIncBasePriorityPrivilege	2140	{7202C639-65F7-4609-8F7C-6725D51B1BDA}.exe
Token: SeIncBasePriorityPrivilege	2944	{8C25CABD-1EF2-4587-9F21-B686976035F6}.exe
Token: SeIncBasePriorityPrivilege	2416	{1DC503B6-B116-4ace-8ADB-3F86F4D09ABE}.exe
Token: SeIncBasePriorityPrivilege	2672	{99CAAC42-D582-40eb-A128-D583DB592B5F}.exe
Token: SeIncBasePriorityPrivilege	2912	{1CA8E45A-B48E-4498-8FF9-A75A5878EAA3}.exe
Token: SeIncBasePriorityPrivilege	776	{321DC5C4-CAB8-462d-9C39-03DA645AD7C2}.exe
Token: SeIncBasePriorityPrivilege	1760	{4D4357D2-C26C-4db8-8B76-8ADC2DA76544}.exe
Token: SeIncBasePriorityPrivilege	2108	{87446741-CF28-4256-A784-4DAEC8CAEB3E}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2288 wrote to memory of 2712	2288	2024-02-02_393f8308cb3917f1a9b924d778427e45_goldeneye.exe	28
PID 2288 wrote to memory of 2712	2288	2024-02-02_393f8308cb3917f1a9b924d778427e45_goldeneye.exe	28
PID 2288 wrote to memory of 2712	2288	2024-02-02_393f8308cb3917f1a9b924d778427e45_goldeneye.exe	28
PID 2288 wrote to memory of 2712	2288	2024-02-02_393f8308cb3917f1a9b924d778427e45_goldeneye.exe	28
PID 2288 wrote to memory of 2772	2288	2024-02-02_393f8308cb3917f1a9b924d778427e45_goldeneye.exe	29
PID 2288 wrote to memory of 2772	2288	2024-02-02_393f8308cb3917f1a9b924d778427e45_goldeneye.exe	29
PID 2288 wrote to memory of 2772	2288	2024-02-02_393f8308cb3917f1a9b924d778427e45_goldeneye.exe	29
PID 2288 wrote to memory of 2772	2288	2024-02-02_393f8308cb3917f1a9b924d778427e45_goldeneye.exe	29
PID 2712 wrote to memory of 2580	2712	{A92E38B7-412E-43e1-9E21-6031F976E1A4}.exe	31
PID 2712 wrote to memory of 2580	2712	{A92E38B7-412E-43e1-9E21-6031F976E1A4}.exe	31
PID 2712 wrote to memory of 2580	2712	{A92E38B7-412E-43e1-9E21-6031F976E1A4}.exe	31
PID 2712 wrote to memory of 2580	2712	{A92E38B7-412E-43e1-9E21-6031F976E1A4}.exe	31
PID 2712 wrote to memory of 2732	2712	{A92E38B7-412E-43e1-9E21-6031F976E1A4}.exe	30
PID 2712 wrote to memory of 2732	2712	{A92E38B7-412E-43e1-9E21-6031F976E1A4}.exe	30
PID 2712 wrote to memory of 2732	2712	{A92E38B7-412E-43e1-9E21-6031F976E1A4}.exe	30
PID 2712 wrote to memory of 2732	2712	{A92E38B7-412E-43e1-9E21-6031F976E1A4}.exe	30
PID 2580 wrote to memory of 2140	2580	{24B3D527-D2B0-4c87-BB69-C7EFB6946198}.exe	33
PID 2580 wrote to memory of 2140	2580	{24B3D527-D2B0-4c87-BB69-C7EFB6946198}.exe	33
PID 2580 wrote to memory of 2140	2580	{24B3D527-D2B0-4c87-BB69-C7EFB6946198}.exe	33
PID 2580 wrote to memory of 2140	2580	{24B3D527-D2B0-4c87-BB69-C7EFB6946198}.exe	33
PID 2580 wrote to memory of 2628	2580	{24B3D527-D2B0-4c87-BB69-C7EFB6946198}.exe	32
PID 2580 wrote to memory of 2628	2580	{24B3D527-D2B0-4c87-BB69-C7EFB6946198}.exe	32
PID 2580 wrote to memory of 2628	2580	{24B3D527-D2B0-4c87-BB69-C7EFB6946198}.exe	32
PID 2580 wrote to memory of 2628	2580	{24B3D527-D2B0-4c87-BB69-C7EFB6946198}.exe	32
PID 2140 wrote to memory of 2944	2140	{7202C639-65F7-4609-8F7C-6725D51B1BDA}.exe	36
PID 2140 wrote to memory of 2944	2140	{7202C639-65F7-4609-8F7C-6725D51B1BDA}.exe	36
PID 2140 wrote to memory of 2944	2140	{7202C639-65F7-4609-8F7C-6725D51B1BDA}.exe	36
PID 2140 wrote to memory of 2944	2140	{7202C639-65F7-4609-8F7C-6725D51B1BDA}.exe	36
PID 2140 wrote to memory of 2964	2140	{7202C639-65F7-4609-8F7C-6725D51B1BDA}.exe	37
PID 2140 wrote to memory of 2964	2140	{7202C639-65F7-4609-8F7C-6725D51B1BDA}.exe	37
PID 2140 wrote to memory of 2964	2140	{7202C639-65F7-4609-8F7C-6725D51B1BDA}.exe	37
PID 2140 wrote to memory of 2964	2140	{7202C639-65F7-4609-8F7C-6725D51B1BDA}.exe	37
PID 2944 wrote to memory of 2416	2944	{8C25CABD-1EF2-4587-9F21-B686976035F6}.exe	38
PID 2944 wrote to memory of 2416	2944	{8C25CABD-1EF2-4587-9F21-B686976035F6}.exe	38
PID 2944 wrote to memory of 2416	2944	{8C25CABD-1EF2-4587-9F21-B686976035F6}.exe	38
PID 2944 wrote to memory of 2416	2944	{8C25CABD-1EF2-4587-9F21-B686976035F6}.exe	38
PID 2944 wrote to memory of 2928	2944	{8C25CABD-1EF2-4587-9F21-B686976035F6}.exe	39
PID 2944 wrote to memory of 2928	2944	{8C25CABD-1EF2-4587-9F21-B686976035F6}.exe	39
PID 2944 wrote to memory of 2928	2944	{8C25CABD-1EF2-4587-9F21-B686976035F6}.exe	39
PID 2944 wrote to memory of 2928	2944	{8C25CABD-1EF2-4587-9F21-B686976035F6}.exe	39
PID 2416 wrote to memory of 2672	2416	{1DC503B6-B116-4ace-8ADB-3F86F4D09ABE}.exe	40
PID 2416 wrote to memory of 2672	2416	{1DC503B6-B116-4ace-8ADB-3F86F4D09ABE}.exe	40
PID 2416 wrote to memory of 2672	2416	{1DC503B6-B116-4ace-8ADB-3F86F4D09ABE}.exe	40
PID 2416 wrote to memory of 2672	2416	{1DC503B6-B116-4ace-8ADB-3F86F4D09ABE}.exe	40
PID 2416 wrote to memory of 2872	2416	{1DC503B6-B116-4ace-8ADB-3F86F4D09ABE}.exe	41
PID 2416 wrote to memory of 2872	2416	{1DC503B6-B116-4ace-8ADB-3F86F4D09ABE}.exe	41
PID 2416 wrote to memory of 2872	2416	{1DC503B6-B116-4ace-8ADB-3F86F4D09ABE}.exe	41
PID 2416 wrote to memory of 2872	2416	{1DC503B6-B116-4ace-8ADB-3F86F4D09ABE}.exe	41
PID 2672 wrote to memory of 2912	2672	{99CAAC42-D582-40eb-A128-D583DB592B5F}.exe	43
PID 2672 wrote to memory of 2912	2672	{99CAAC42-D582-40eb-A128-D583DB592B5F}.exe	43
PID 2672 wrote to memory of 2912	2672	{99CAAC42-D582-40eb-A128-D583DB592B5F}.exe	43
PID 2672 wrote to memory of 2912	2672	{99CAAC42-D582-40eb-A128-D583DB592B5F}.exe	43
PID 2672 wrote to memory of 2988	2672	{99CAAC42-D582-40eb-A128-D583DB592B5F}.exe	42
PID 2672 wrote to memory of 2988	2672	{99CAAC42-D582-40eb-A128-D583DB592B5F}.exe	42
PID 2672 wrote to memory of 2988	2672	{99CAAC42-D582-40eb-A128-D583DB592B5F}.exe	42
PID 2672 wrote to memory of 2988	2672	{99CAAC42-D582-40eb-A128-D583DB592B5F}.exe	42
PID 2912 wrote to memory of 776	2912	{1CA8E45A-B48E-4498-8FF9-A75A5878EAA3}.exe	45
PID 2912 wrote to memory of 776	2912	{1CA8E45A-B48E-4498-8FF9-A75A5878EAA3}.exe	45
PID 2912 wrote to memory of 776	2912	{1CA8E45A-B48E-4498-8FF9-A75A5878EAA3}.exe	45
PID 2912 wrote to memory of 776	2912	{1CA8E45A-B48E-4498-8FF9-A75A5878EAA3}.exe	45
PID 2912 wrote to memory of 1344	2912	{1CA8E45A-B48E-4498-8FF9-A75A5878EAA3}.exe	44
PID 2912 wrote to memory of 1344	2912	{1CA8E45A-B48E-4498-8FF9-A75A5878EAA3}.exe	44
PID 2912 wrote to memory of 1344	2912	{1CA8E45A-B48E-4498-8FF9-A75A5878EAA3}.exe	44
PID 2912 wrote to memory of 1344	2912	{1CA8E45A-B48E-4498-8FF9-A75A5878EAA3}.exe	44

C:\Users\Admin\AppData\Local\Temp\2024-02-02_393f8308cb3917f1a9b924d778427e45_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-02_393f8308cb3917f1a9b924d778427e45_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2288
- C:\Windows\{A92E38B7-412E-43e1-9E21-6031F976E1A4}.exe
  C:\Windows\{A92E38B7-412E-43e1-9E21-6031F976E1A4}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2712
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{A92E3~1.EXE > nul
    3⤵
    PID:2732
- - C:\Windows\{24B3D527-D2B0-4c87-BB69-C7EFB6946198}.exe
    C:\Windows\{24B3D527-D2B0-4c87-BB69-C7EFB6946198}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2580
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{24B3D~1.EXE > nul
      4⤵
      PID:2628
  - - C:\Windows\{7202C639-65F7-4609-8F7C-6725D51B1BDA}.exe
      C:\Windows\{7202C639-65F7-4609-8F7C-6725D51B1BDA}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2140
    - - C:\Windows\{8C25CABD-1EF2-4587-9F21-B686976035F6}.exe
        
        C:\Windows\{8C25CABD-1EF2-4587-9F21-B686976035F6}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2944
      - C:\Windows\{1DC503B6-B116-4ace-8ADB-3F86F4D09ABE}.exe
        
        C:\Windows\{1DC503B6-B116-4ace-8ADB-3F86F4D09ABE}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2416
        
        C:\Windows\{99CAAC42-D582-40eb-A128-D583DB592B5F}.exe
        
        C:\Windows\{99CAAC42-D582-40eb-A128-D583DB592B5F}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{99CAA~1.EXE > nul
        8⤵
        
        PID:2988
        
        C:\Windows\{1CA8E45A-B48E-4498-8FF9-A75A5878EAA3}.exe
        
        C:\Windows\{1CA8E45A-B48E-4498-8FF9-A75A5878EAA3}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1CA8E~1.EXE > nul
        9⤵
        
        PID:1344
        
        C:\Windows\{321DC5C4-CAB8-462d-9C39-03DA645AD7C2}.exe
        
        C:\Windows\{321DC5C4-CAB8-462d-9C39-03DA645AD7C2}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{321DC~1.EXE > nul
        10⤵
        
        PID:1796
        
        C:\Windows\{4D4357D2-C26C-4db8-8B76-8ADC2DA76544}.exe
        
        C:\Windows\{4D4357D2-C26C-4db8-8B76-8ADC2DA76544}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4D435~1.EXE > nul
        11⤵
        
        PID:3060
        
        C:\Windows\{87446741-CF28-4256-A784-4DAEC8CAEB3E}.exe
        
        C:\Windows\{87446741-CF28-4256-A784-4DAEC8CAEB3E}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{87446~1.EXE > nul
        12⤵
        
        PID:2456
        
        C:\Windows\{728FAEAA-392D-4b2f-909C-81014ED293A0}.exe
        
        C:\Windows\{728FAEAA-392D-4b2f-909C-81014ED293A0}.exe
        12⤵
        Executes dropped EXE
        
        PID:1616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1DC50~1.EXE > nul
        7⤵
        
        PID:2872
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8C25C~1.EXE > nul
        6⤵
        
        PID:2928
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7202C~1.EXE > nul
        5⤵
        
        PID:2964
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1CA8E45A-B48E-4498-8FF9-A75A5878EAA3}.exe

Filesize
344KB

MD5
3187d2bc65975b5b38cb32bba4ee6579

SHA1
eed8020282a9fb89276071fd945ee2ad1d68332b

SHA256
3e842ab20759dc40b2b9f67d19d9b8c59db8545566d8cdad3ef2798520e2d338

SHA512
fb4179f89457f834b5b95154d20267886b419da83f8f51cb5c9fc21d0c5a3a34891c7c3c72899d3120bb8911e5bfc6fc919e627d27310c201f3499aefabb2df6

Download Submit
C:\Windows\{1DC503B6-B116-4ace-8ADB-3F86F4D09ABE}.exe

Filesize
344KB

MD5
22b93d73c65576c5298e8ce11bcaf1f6

SHA1
69791ade37d5c3bc9e030e2daa8b009bbb551c77

SHA256
b427cacbc46c798256198e879550900b619b1741706a5c46361a7d1cca4cd02a

SHA512
026c98d38afb5bbd0e876c32314a5174c2352d6972478a3de3b32726f10296af4b52e501d566dc2bce0cca68272de55f222f56848e5cfd87b1f064537cc135d7

Download Submit
C:\Windows\{24B3D527-D2B0-4c87-BB69-C7EFB6946198}.exe

Filesize
344KB

MD5
1005da5167989d4214bec272987b49dc

SHA1
fe3d5e75477500a6efc5223389d18deb94eb92f7

SHA256
abcc9b9fc9fe5d2fbbfdf493096606195bf98066667e1c89b20cf1c8c24084cf

SHA512
f696383ecd21cd3d7fe2e83666456452e80540738c81c9a843e09b71c387694c89dee9bbdfe638a31ea7a7ec6799b64315dd7c9e2daea6b40e84bb0babde5d79

Download Submit
C:\Windows\{321DC5C4-CAB8-462d-9C39-03DA645AD7C2}.exe

Filesize
344KB

MD5
8c0560220dc1670c67dd0c9fb1819989

SHA1
08ba314327c575a2416616ee9ffeb795f96b2111

SHA256
7af1f668ad656c29bc3bfa34fdeebce1f12bac84e39ea9bcd012a5dfb066e673

SHA512
2ff37349cf4b1f25f345f5d9d41735d60afb5cedd7dab737f6e1380be483b65bc6795851db80205c70ecc9c5a5b20f9c6e0115392593c7ff61d409a4fd236985

Download Submit
C:\Windows\{4D4357D2-C26C-4db8-8B76-8ADC2DA76544}.exe

Filesize
344KB

MD5
28be43c96c0b3de4a541d1b21a6d2407

SHA1
c193f2e6446d592f313b1e0070c85e98a0675631

SHA256
f20cf14506e8630edc4e5f10cafd9758a8545fe7f710b9137f33f8f4ea2fd05f

SHA512
aea3bf7a84a76b715b6ea05506ad298cd4dd39896ae32e9336c73ab8f236e682df2cef45c3a186fefcf457aa59bc8a81d65a7f97ec4417da26d8662b2a61309c

Download Submit
C:\Windows\{7202C639-65F7-4609-8F7C-6725D51B1BDA}.exe

Filesize
344KB

MD5
8cb05b9f4c3191adb737038f384d3819

SHA1
fbdc413defb9fd429f0b5412623c394bdcb7c5e1

SHA256
00bf9cfd405a7f81245d18727c0a3ea7574b14d0bfcebe651cdc8a5857be82a8

SHA512
4f39506139ca7500f3a65dd1c780658cb35954cb40b73ebdbc5d0429cee390d7e8a6dc64c6070965cd86dc6524da46a32f85ceb433e1fff1883c15b99c3ae8cc

Download Submit
C:\Windows\{728FAEAA-392D-4b2f-909C-81014ED293A0}.exe

Filesize
344KB

MD5
b9e2e53dcdefd0a0b12e5a914fd75bfa

SHA1
4a08c0178cb8bd4b673f0ade60691d41a7140b19

SHA256
f9d8bb0088382bcc5f6f82a2d32751b175915b214f741c74566f0e164b7f47c6

SHA512
9f44424b56c5f50116be4a14086d2ce640f15dfad36b0de0e6588b262567743dddf9c96bed412d4ae4be25e5fcd31fcd80fa6b9e0ce33ebf8d8bf3300ac21887

Download Submit
C:\Windows\{87446741-CF28-4256-A784-4DAEC8CAEB3E}.exe

Filesize
344KB

MD5
c177565eb3e237bd636eb7b258978e50

SHA1
258c6b2021db030f5339177a77317f5118b34f01

SHA256
c649d680a0fd2764aa0aab7362b354c634ea50a32dce293c729ffb96a41314bd

SHA512
218336b947d4df4851f6fc2c9a6d12005b158d90a49e4bdc17d50f391d99d420cc746ba32eec758dbd8be0c4dacb1a1019d88040103f3abc1c64f372c01e584b

Download Submit
C:\Windows\{8C25CABD-1EF2-4587-9F21-B686976035F6}.exe

Filesize
344KB

MD5
44ec013b7683df2ccb0d01df796bbede

SHA1
0c2f5a6c11cb4c7c5c2aa5a0dbacf34d73f67d5d

SHA256
7ee748faf63ab4eecf12635a974d5e1762a2193de5d42cf4d6587d348d5f61df

SHA512
209971750dccc5df672ad6d73c97c3874d1026d4b50ac8877694b80ecf831af4246b88fcf9236ab3deec515b085fe1ca01f745fffcfbfa809af88c8178e391f4

Download Submit
C:\Windows\{99CAAC42-D582-40eb-A128-D583DB592B5F}.exe

Filesize
344KB

MD5
d281cdf30378be7f52b2741fae02a97a

SHA1
d153613f01a29c29eb7c6a2ee5bead63185eb56f

SHA256
0fd69b91beec2d2f76fedbf5de9903e2943dac9b0925ed00955cda3c1b40c267

SHA512
46302bdcb1713b9557d309110e76ff3b528a2248cd923f1fc412d0430ec72c7ca4f5514d3d7b566faf156a387ac6fd43941a8fead85bf5c690ffe892779e020e

Download Submit
C:\Windows\{A92E38B7-412E-43e1-9E21-6031F976E1A4}.exe

Filesize
344KB

MD5
b7d68a12132602ed16f2a8f33bcb10e0

SHA1
b7a1948831953212be4ef9622b9e42da88bc5ece

SHA256
0c5717924b865a03d96452a00bb99da132113348dca578770a7cac3e9f8c0ae0

SHA512
9f3ca12ac631f142ba6e3adb9c775984e43bee9e6e378f07c07257d80f3bc6df9d1fcfe0f92dc95fb65a8b7fc8595444e55ba3dc1a2036919a1072cbdd15b538

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads