5b575bc0b92635c752a5c19f72cc36f3dfd92d5788efa86cbf424403307de638

Analysis

max time kernel
144s
max time network
125s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
28/03/2024, 09:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-28_b15a2ba97955fc8dd54521a6bd8f37a8_goldeneye.exe
Size

408KB
MD5

b15a2ba97955fc8dd54521a6bd8f37a8
SHA1

acee28d3b929ca4967e76d84c43a410e616c705a
SHA256

5b575bc0b92635c752a5c19f72cc36f3dfd92d5788efa86cbf424403307de638
SHA512

c461473fb2363becc80642e36eb656c02e6591daf201ccfa650386ad134a8248f99278d54c014631db8b6cd9805a5d7764b06457169681d713e2ed901bb1908d
SSDEEP

3072:CEGh0oTl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBft:CEGtldOe2MUVg3vTeKcAEciTBqr3jy9

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x0008000000012265-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b000000014133-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0027000000014391-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000300000000b1f3-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0028000000014391-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000400000000b1f3-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002800000001447a-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000500000000b1f3-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002900000001447a-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b000000014482-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BC3A63FC-EB51-4253-9121-BADAF32B4657}	2024-03-28_b15a2ba97955fc8dd54521a6bd8f37a8_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2B0C342D-B4DB-4f9b-ABD7-108A16AF2A4E}\stubpath = "C:\\Windows\\{2B0C342D-B4DB-4f9b-ABD7-108A16AF2A4E}.exe"	{350FD4A9-CD82-4451-894E-C8C2D98057EC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9A09FAAC-F2E0-4bfe-91D8-CDF1613575A6}\stubpath = "C:\\Windows\\{9A09FAAC-F2E0-4bfe-91D8-CDF1613575A6}.exe"	{7F11E8C6-2D8D-413a-9DDA-3C16066168E0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6B5BC813-6508-4e34-B6DA-AD29B30C92FC}	{A4EF1876-5637-4c98-9F84-64F4EFFA4CFF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6B5BC813-6508-4e34-B6DA-AD29B30C92FC}\stubpath = "C:\\Windows\\{6B5BC813-6508-4e34-B6DA-AD29B30C92FC}.exe"	{A4EF1876-5637-4c98-9F84-64F4EFFA4CFF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D36265E9-206E-43f9-9CED-1882F52912C9}	{E3CBF886-3C78-4f72-AC82-B9D7A86D5B6E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D36265E9-206E-43f9-9CED-1882F52912C9}\stubpath = "C:\\Windows\\{D36265E9-206E-43f9-9CED-1882F52912C9}.exe"	{E3CBF886-3C78-4f72-AC82-B9D7A86D5B6E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7F11E8C6-2D8D-413a-9DDA-3C16066168E0}	{D36265E9-206E-43f9-9CED-1882F52912C9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A4EF1876-5637-4c98-9F84-64F4EFFA4CFF}	{9A09FAAC-F2E0-4bfe-91D8-CDF1613575A6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A7711D5A-A55F-4503-80F9-BCE07888D85A}\stubpath = "C:\\Windows\\{A7711D5A-A55F-4503-80F9-BCE07888D85A}.exe"	{BC3A63FC-EB51-4253-9121-BADAF32B4657}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8839D3A9-C534-497d-BD6E-28D99406E68C}	{A7711D5A-A55F-4503-80F9-BCE07888D85A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E3CBF886-3C78-4f72-AC82-B9D7A86D5B6E}\stubpath = "C:\\Windows\\{E3CBF886-3C78-4f72-AC82-B9D7A86D5B6E}.exe"	{2B0C342D-B4DB-4f9b-ABD7-108A16AF2A4E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9A09FAAC-F2E0-4bfe-91D8-CDF1613575A6}	{7F11E8C6-2D8D-413a-9DDA-3C16066168E0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A4EF1876-5637-4c98-9F84-64F4EFFA4CFF}\stubpath = "C:\\Windows\\{A4EF1876-5637-4c98-9F84-64F4EFFA4CFF}.exe"	{9A09FAAC-F2E0-4bfe-91D8-CDF1613575A6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E3CBF886-3C78-4f72-AC82-B9D7A86D5B6E}	{2B0C342D-B4DB-4f9b-ABD7-108A16AF2A4E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7F11E8C6-2D8D-413a-9DDA-3C16066168E0}\stubpath = "C:\\Windows\\{7F11E8C6-2D8D-413a-9DDA-3C16066168E0}.exe"	{D36265E9-206E-43f9-9CED-1882F52912C9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BC3A63FC-EB51-4253-9121-BADAF32B4657}\stubpath = "C:\\Windows\\{BC3A63FC-EB51-4253-9121-BADAF32B4657}.exe"	2024-03-28_b15a2ba97955fc8dd54521a6bd8f37a8_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A7711D5A-A55F-4503-80F9-BCE07888D85A}	{BC3A63FC-EB51-4253-9121-BADAF32B4657}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8839D3A9-C534-497d-BD6E-28D99406E68C}\stubpath = "C:\\Windows\\{8839D3A9-C534-497d-BD6E-28D99406E68C}.exe"	{A7711D5A-A55F-4503-80F9-BCE07888D85A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{350FD4A9-CD82-4451-894E-C8C2D98057EC}	{8839D3A9-C534-497d-BD6E-28D99406E68C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{350FD4A9-CD82-4451-894E-C8C2D98057EC}\stubpath = "C:\\Windows\\{350FD4A9-CD82-4451-894E-C8C2D98057EC}.exe"	{8839D3A9-C534-497d-BD6E-28D99406E68C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2B0C342D-B4DB-4f9b-ABD7-108A16AF2A4E}	{350FD4A9-CD82-4451-894E-C8C2D98057EC}.exe

Deletes itself 1 IoCs

pid	Process
2452	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2652	{BC3A63FC-EB51-4253-9121-BADAF32B4657}.exe
2760	{A7711D5A-A55F-4503-80F9-BCE07888D85A}.exe
2596	{8839D3A9-C534-497d-BD6E-28D99406E68C}.exe
2056	{350FD4A9-CD82-4451-894E-C8C2D98057EC}.exe
472	{2B0C342D-B4DB-4f9b-ABD7-108A16AF2A4E}.exe
1952	{E3CBF886-3C78-4f72-AC82-B9D7A86D5B6E}.exe
752	{D36265E9-206E-43f9-9CED-1882F52912C9}.exe
1092	{7F11E8C6-2D8D-413a-9DDA-3C16066168E0}.exe
1608	{9A09FAAC-F2E0-4bfe-91D8-CDF1613575A6}.exe
2732	{A4EF1876-5637-4c98-9F84-64F4EFFA4CFF}.exe
2536	{6B5BC813-6508-4e34-B6DA-AD29B30C92FC}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{BC3A63FC-EB51-4253-9121-BADAF32B4657}.exe	2024-03-28_b15a2ba97955fc8dd54521a6bd8f37a8_goldeneye.exe
File created	C:\Windows\{A7711D5A-A55F-4503-80F9-BCE07888D85A}.exe	{BC3A63FC-EB51-4253-9121-BADAF32B4657}.exe
File created	C:\Windows\{D36265E9-206E-43f9-9CED-1882F52912C9}.exe	{E3CBF886-3C78-4f72-AC82-B9D7A86D5B6E}.exe
File created	C:\Windows\{9A09FAAC-F2E0-4bfe-91D8-CDF1613575A6}.exe	{7F11E8C6-2D8D-413a-9DDA-3C16066168E0}.exe
File created	C:\Windows\{8839D3A9-C534-497d-BD6E-28D99406E68C}.exe	{A7711D5A-A55F-4503-80F9-BCE07888D85A}.exe
File created	C:\Windows\{350FD4A9-CD82-4451-894E-C8C2D98057EC}.exe	{8839D3A9-C534-497d-BD6E-28D99406E68C}.exe
File created	C:\Windows\{2B0C342D-B4DB-4f9b-ABD7-108A16AF2A4E}.exe	{350FD4A9-CD82-4451-894E-C8C2D98057EC}.exe
File created	C:\Windows\{E3CBF886-3C78-4f72-AC82-B9D7A86D5B6E}.exe	{2B0C342D-B4DB-4f9b-ABD7-108A16AF2A4E}.exe
File created	C:\Windows\{7F11E8C6-2D8D-413a-9DDA-3C16066168E0}.exe	{D36265E9-206E-43f9-9CED-1882F52912C9}.exe
File created	C:\Windows\{A4EF1876-5637-4c98-9F84-64F4EFFA4CFF}.exe	{9A09FAAC-F2E0-4bfe-91D8-CDF1613575A6}.exe
File created	C:\Windows\{6B5BC813-6508-4e34-B6DA-AD29B30C92FC}.exe	{A4EF1876-5637-4c98-9F84-64F4EFFA4CFF}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2196	2024-03-28_b15a2ba97955fc8dd54521a6bd8f37a8_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2652	{BC3A63FC-EB51-4253-9121-BADAF32B4657}.exe
Token: SeIncBasePriorityPrivilege	2760	{A7711D5A-A55F-4503-80F9-BCE07888D85A}.exe
Token: SeIncBasePriorityPrivilege	2596	{8839D3A9-C534-497d-BD6E-28D99406E68C}.exe
Token: SeIncBasePriorityPrivilege	2056	{350FD4A9-CD82-4451-894E-C8C2D98057EC}.exe
Token: SeIncBasePriorityPrivilege	472	{2B0C342D-B4DB-4f9b-ABD7-108A16AF2A4E}.exe
Token: SeIncBasePriorityPrivilege	1952	{E3CBF886-3C78-4f72-AC82-B9D7A86D5B6E}.exe
Token: SeIncBasePriorityPrivilege	752	{D36265E9-206E-43f9-9CED-1882F52912C9}.exe
Token: SeIncBasePriorityPrivilege	1092	{7F11E8C6-2D8D-413a-9DDA-3C16066168E0}.exe
Token: SeIncBasePriorityPrivilege	1608	{9A09FAAC-F2E0-4bfe-91D8-CDF1613575A6}.exe
Token: SeIncBasePriorityPrivilege	2732	{A4EF1876-5637-4c98-9F84-64F4EFFA4CFF}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2196 wrote to memory of 2652	2196	2024-03-28_b15a2ba97955fc8dd54521a6bd8f37a8_goldeneye.exe	28
PID 2196 wrote to memory of 2652	2196	2024-03-28_b15a2ba97955fc8dd54521a6bd8f37a8_goldeneye.exe	28
PID 2196 wrote to memory of 2652	2196	2024-03-28_b15a2ba97955fc8dd54521a6bd8f37a8_goldeneye.exe	28
PID 2196 wrote to memory of 2652	2196	2024-03-28_b15a2ba97955fc8dd54521a6bd8f37a8_goldeneye.exe	28
PID 2196 wrote to memory of 2452	2196	2024-03-28_b15a2ba97955fc8dd54521a6bd8f37a8_goldeneye.exe	29
PID 2196 wrote to memory of 2452	2196	2024-03-28_b15a2ba97955fc8dd54521a6bd8f37a8_goldeneye.exe	29
PID 2196 wrote to memory of 2452	2196	2024-03-28_b15a2ba97955fc8dd54521a6bd8f37a8_goldeneye.exe	29
PID 2196 wrote to memory of 2452	2196	2024-03-28_b15a2ba97955fc8dd54521a6bd8f37a8_goldeneye.exe	29
PID 2652 wrote to memory of 2760	2652	{BC3A63FC-EB51-4253-9121-BADAF32B4657}.exe	30
PID 2652 wrote to memory of 2760	2652	{BC3A63FC-EB51-4253-9121-BADAF32B4657}.exe	30
PID 2652 wrote to memory of 2760	2652	{BC3A63FC-EB51-4253-9121-BADAF32B4657}.exe	30
PID 2652 wrote to memory of 2760	2652	{BC3A63FC-EB51-4253-9121-BADAF32B4657}.exe	30
PID 2652 wrote to memory of 2748	2652	{BC3A63FC-EB51-4253-9121-BADAF32B4657}.exe	31
PID 2652 wrote to memory of 2748	2652	{BC3A63FC-EB51-4253-9121-BADAF32B4657}.exe	31
PID 2652 wrote to memory of 2748	2652	{BC3A63FC-EB51-4253-9121-BADAF32B4657}.exe	31
PID 2652 wrote to memory of 2748	2652	{BC3A63FC-EB51-4253-9121-BADAF32B4657}.exe	31
PID 2760 wrote to memory of 2596	2760	{A7711D5A-A55F-4503-80F9-BCE07888D85A}.exe	34
PID 2760 wrote to memory of 2596	2760	{A7711D5A-A55F-4503-80F9-BCE07888D85A}.exe	34
PID 2760 wrote to memory of 2596	2760	{A7711D5A-A55F-4503-80F9-BCE07888D85A}.exe	34
PID 2760 wrote to memory of 2596	2760	{A7711D5A-A55F-4503-80F9-BCE07888D85A}.exe	34
PID 2760 wrote to memory of 2380	2760	{A7711D5A-A55F-4503-80F9-BCE07888D85A}.exe	35
PID 2760 wrote to memory of 2380	2760	{A7711D5A-A55F-4503-80F9-BCE07888D85A}.exe	35
PID 2760 wrote to memory of 2380	2760	{A7711D5A-A55F-4503-80F9-BCE07888D85A}.exe	35
PID 2760 wrote to memory of 2380	2760	{A7711D5A-A55F-4503-80F9-BCE07888D85A}.exe	35
PID 2596 wrote to memory of 2056	2596	{8839D3A9-C534-497d-BD6E-28D99406E68C}.exe	36
PID 2596 wrote to memory of 2056	2596	{8839D3A9-C534-497d-BD6E-28D99406E68C}.exe	36
PID 2596 wrote to memory of 2056	2596	{8839D3A9-C534-497d-BD6E-28D99406E68C}.exe	36
PID 2596 wrote to memory of 2056	2596	{8839D3A9-C534-497d-BD6E-28D99406E68C}.exe	36
PID 2596 wrote to memory of 1040	2596	{8839D3A9-C534-497d-BD6E-28D99406E68C}.exe	37
PID 2596 wrote to memory of 1040	2596	{8839D3A9-C534-497d-BD6E-28D99406E68C}.exe	37
PID 2596 wrote to memory of 1040	2596	{8839D3A9-C534-497d-BD6E-28D99406E68C}.exe	37
PID 2596 wrote to memory of 1040	2596	{8839D3A9-C534-497d-BD6E-28D99406E68C}.exe	37
PID 2056 wrote to memory of 472	2056	{350FD4A9-CD82-4451-894E-C8C2D98057EC}.exe	38
PID 2056 wrote to memory of 472	2056	{350FD4A9-CD82-4451-894E-C8C2D98057EC}.exe	38
PID 2056 wrote to memory of 472	2056	{350FD4A9-CD82-4451-894E-C8C2D98057EC}.exe	38
PID 2056 wrote to memory of 472	2056	{350FD4A9-CD82-4451-894E-C8C2D98057EC}.exe	38
PID 2056 wrote to memory of 2420	2056	{350FD4A9-CD82-4451-894E-C8C2D98057EC}.exe	39
PID 2056 wrote to memory of 2420	2056	{350FD4A9-CD82-4451-894E-C8C2D98057EC}.exe	39
PID 2056 wrote to memory of 2420	2056	{350FD4A9-CD82-4451-894E-C8C2D98057EC}.exe	39
PID 2056 wrote to memory of 2420	2056	{350FD4A9-CD82-4451-894E-C8C2D98057EC}.exe	39
PID 472 wrote to memory of 1952	472	{2B0C342D-B4DB-4f9b-ABD7-108A16AF2A4E}.exe	40
PID 472 wrote to memory of 1952	472	{2B0C342D-B4DB-4f9b-ABD7-108A16AF2A4E}.exe	40
PID 472 wrote to memory of 1952	472	{2B0C342D-B4DB-4f9b-ABD7-108A16AF2A4E}.exe	40
PID 472 wrote to memory of 1952	472	{2B0C342D-B4DB-4f9b-ABD7-108A16AF2A4E}.exe	40
PID 472 wrote to memory of 2040	472	{2B0C342D-B4DB-4f9b-ABD7-108A16AF2A4E}.exe	41
PID 472 wrote to memory of 2040	472	{2B0C342D-B4DB-4f9b-ABD7-108A16AF2A4E}.exe	41
PID 472 wrote to memory of 2040	472	{2B0C342D-B4DB-4f9b-ABD7-108A16AF2A4E}.exe	41
PID 472 wrote to memory of 2040	472	{2B0C342D-B4DB-4f9b-ABD7-108A16AF2A4E}.exe	41
PID 1952 wrote to memory of 752	1952	{E3CBF886-3C78-4f72-AC82-B9D7A86D5B6E}.exe	42
PID 1952 wrote to memory of 752	1952	{E3CBF886-3C78-4f72-AC82-B9D7A86D5B6E}.exe	42
PID 1952 wrote to memory of 752	1952	{E3CBF886-3C78-4f72-AC82-B9D7A86D5B6E}.exe	42
PID 1952 wrote to memory of 752	1952	{E3CBF886-3C78-4f72-AC82-B9D7A86D5B6E}.exe	42
PID 1952 wrote to memory of 2448	1952	{E3CBF886-3C78-4f72-AC82-B9D7A86D5B6E}.exe	43
PID 1952 wrote to memory of 2448	1952	{E3CBF886-3C78-4f72-AC82-B9D7A86D5B6E}.exe	43
PID 1952 wrote to memory of 2448	1952	{E3CBF886-3C78-4f72-AC82-B9D7A86D5B6E}.exe	43
PID 1952 wrote to memory of 2448	1952	{E3CBF886-3C78-4f72-AC82-B9D7A86D5B6E}.exe	43
PID 752 wrote to memory of 1092	752	{D36265E9-206E-43f9-9CED-1882F52912C9}.exe	44
PID 752 wrote to memory of 1092	752	{D36265E9-206E-43f9-9CED-1882F52912C9}.exe	44
PID 752 wrote to memory of 1092	752	{D36265E9-206E-43f9-9CED-1882F52912C9}.exe	44
PID 752 wrote to memory of 1092	752	{D36265E9-206E-43f9-9CED-1882F52912C9}.exe	44
PID 752 wrote to memory of 1916	752	{D36265E9-206E-43f9-9CED-1882F52912C9}.exe	45
PID 752 wrote to memory of 1916	752	{D36265E9-206E-43f9-9CED-1882F52912C9}.exe	45
PID 752 wrote to memory of 1916	752	{D36265E9-206E-43f9-9CED-1882F52912C9}.exe	45
PID 752 wrote to memory of 1916	752	{D36265E9-206E-43f9-9CED-1882F52912C9}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-03-28_b15a2ba97955fc8dd54521a6bd8f37a8_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-28_b15a2ba97955fc8dd54521a6bd8f37a8_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2196
- C:\Windows\{BC3A63FC-EB51-4253-9121-BADAF32B4657}.exe
  C:\Windows\{BC3A63FC-EB51-4253-9121-BADAF32B4657}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2652
- - C:\Windows\{A7711D5A-A55F-4503-80F9-BCE07888D85A}.exe
    C:\Windows\{A7711D5A-A55F-4503-80F9-BCE07888D85A}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2760
  - - C:\Windows\{8839D3A9-C534-497d-BD6E-28D99406E68C}.exe
      C:\Windows\{8839D3A9-C534-497d-BD6E-28D99406E68C}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2596
    - - C:\Windows\{350FD4A9-CD82-4451-894E-C8C2D98057EC}.exe
        
        C:\Windows\{350FD4A9-CD82-4451-894E-C8C2D98057EC}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2056
      - C:\Windows\{2B0C342D-B4DB-4f9b-ABD7-108A16AF2A4E}.exe
        
        C:\Windows\{2B0C342D-B4DB-4f9b-ABD7-108A16AF2A4E}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:472
        
        C:\Windows\{E3CBF886-3C78-4f72-AC82-B9D7A86D5B6E}.exe
        
        C:\Windows\{E3CBF886-3C78-4f72-AC82-B9D7A86D5B6E}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1952
        
        C:\Windows\{D36265E9-206E-43f9-9CED-1882F52912C9}.exe
        
        C:\Windows\{D36265E9-206E-43f9-9CED-1882F52912C9}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:752
        
        C:\Windows\{7F11E8C6-2D8D-413a-9DDA-3C16066168E0}.exe
        
        C:\Windows\{7F11E8C6-2D8D-413a-9DDA-3C16066168E0}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1092
        
        C:\Windows\{9A09FAAC-F2E0-4bfe-91D8-CDF1613575A6}.exe
        
        C:\Windows\{9A09FAAC-F2E0-4bfe-91D8-CDF1613575A6}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1608
        
        C:\Windows\{A4EF1876-5637-4c98-9F84-64F4EFFA4CFF}.exe
        
        C:\Windows\{A4EF1876-5637-4c98-9F84-64F4EFFA4CFF}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2732
        
        C:\Windows\{6B5BC813-6508-4e34-B6DA-AD29B30C92FC}.exe
        
        C:\Windows\{6B5BC813-6508-4e34-B6DA-AD29B30C92FC}.exe
        12⤵
        Executes dropped EXE
        
        PID:2536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A4EF1~1.EXE > nul
        12⤵
        
        PID:1848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9A09F~1.EXE > nul
        11⤵
        
        PID:2332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7F11E~1.EXE > nul
        10⤵
        
        PID:1524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D3626~1.EXE > nul
        9⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E3CBF~1.EXE > nul
        8⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2B0C3~1.EXE > nul
        7⤵
        
        PID:2040
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{350FD~1.EXE > nul
        6⤵
        
        PID:2420
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8839D~1.EXE > nul
        5⤵
        
        PID:1040
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{A7711~1.EXE > nul
      4⤵
      PID:2380
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{BC3A6~1.EXE > nul
    3⤵
    PID:2748
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{2B0C342D-B4DB-4f9b-ABD7-108A16AF2A4E}.exe

Filesize
408KB

MD5
9d7268bfb254e331d081f3a78d74540a

SHA1
50692ec6f4b3b64ac5b938cb2af169ac2909650c

SHA256
a2078244f2fc7b7754122f5763a10dc8563cbabcef8d2947f766f790c9bcd643

SHA512
c99cc6a2c87f19b5d7a55cd18bc117cced4dd688e23ffc7452b2514bbf0c2b5453b2606ad9381215ba26707de9897bceeb839de0f7714018c1fe4b9dfcc06d35

Download Submit
C:\Windows\{350FD4A9-CD82-4451-894E-C8C2D98057EC}.exe

Filesize
408KB

MD5
c848be37706dcb090e05df4650ef310b

SHA1
a4aae8d646d762a8c619978f280b77dc7a819851

SHA256
abc73040d3f2de501c737a0dcaff5115501997e1923423984e6afefafde0bb13

SHA512
c37318e03e10e18d44a4ef939540c9504691b1416d0065a661919cc5f30c442fc02e9359b25f8d19c893815db502e35baae8902b47136aba1eaf54f1582fc43d

Download Submit
C:\Windows\{6B5BC813-6508-4e34-B6DA-AD29B30C92FC}.exe

Filesize
408KB

MD5
04151fd3c8a4183ebe9e9ec96576f5b1

SHA1
bd2aea256d0108e79e57dd81843e8c1c83cf649d

SHA256
edf7ad0360a2e6261bb0e0c73cfef3ded17af9b320439cca0e6b466664168391

SHA512
11022d96477b9d9552e4f2f474a5e9b9f4c71d85ba54715d85f9d4acc4a701a768293c01786091d32160e794e2215278aced8bb3cfa6bab0d67e20f6ed899672

Download Submit
C:\Windows\{7F11E8C6-2D8D-413a-9DDA-3C16066168E0}.exe

Filesize
408KB

MD5
4ee7ed11c1911d4084b434a17347a600

SHA1
38f2317b5bc1479193153f6e7ae64dccf81fe19d

SHA256
3ae3dba636c9e517a2a5c2070a799ae7cec0fed61224c25d33023843cfa2f096

SHA512
eb73aac74112c72d61d5c834e393cb2dc7622ebd54baf3ca616fabc56773f584334e56230463f03c006bb6dbe1af5d423489db876d4f574b2da050d8784c0c82

Download Submit
C:\Windows\{8839D3A9-C534-497d-BD6E-28D99406E68C}.exe

Filesize
408KB

MD5
b238e502e1b1a3df32789b5e0318e0c1

SHA1
b3056df81382d21f813cc2d7ef4c69f1c1614e7e

SHA256
3816d9c8f78ad9421c33bff5ef9fb43f7497a9b1e7b20e6e663350f900489b5c

SHA512
9da6db6cd403556bd891c4a01381e048d97ea7618bb32428c04d9d4f9139bde6340277699f7edc93f774f750a49e95b76f977ed85622a3cbcd169466d20bf1ab

Download Submit
C:\Windows\{9A09FAAC-F2E0-4bfe-91D8-CDF1613575A6}.exe

Filesize
408KB

MD5
c7e111d31bdde5e2f56e769dabbc384c

SHA1
e33b0bf5f91bbadcc970732759bdff605c40e549

SHA256
5338049f32d0af5851ef2b3733390bcaa5417e95516e8735b04f4f75d0b98c6e

SHA512
7dbc4ebec504bc16301f2f17eb1b983e95058693f62befce014f30f6cf73af02cb0865530a7ae24a4af4a20c0a29524d53ea52c74da2d288c115ae1a6ed712de

Download Submit
C:\Windows\{A4EF1876-5637-4c98-9F84-64F4EFFA4CFF}.exe

Filesize
408KB

MD5
fe822432729f242d769d8f79dcec967f

SHA1
d0b67041180a791731a69bb0bea0758a0053b87f

SHA256
c95e8f03b0ca0b644f6a4a69e908a76355f2f6f1837f34f33b8d660d2c552f24

SHA512
bea3139e0673804e91487c22968bc609e952e75f46a8b7f28eaaeb721f463447c0863cebcf631eeff3bac3ff05c13e33f8c7cf6efa254062b37c2c15a678cb4f

Download Submit
C:\Windows\{A7711D5A-A55F-4503-80F9-BCE07888D85A}.exe

Filesize
408KB

MD5
e2d175c58dae27874e3fd174288abdb0

SHA1
771761756226551e4731a4ff95b3fa6e786b005a

SHA256
1033d0d4ca92938de34a3a66f7d654a1465ce85e1dec27bc52743ede8e7c98f8

SHA512
0e859f7d1612af3430de78cd1fb89e5c41a88de87b23599b13419eb72334fdd178c9052bbee611aa77b7494ca1344e1ec616e260b3c84840f61a05ee4c4674d4

Download Submit
C:\Windows\{BC3A63FC-EB51-4253-9121-BADAF32B4657}.exe

Filesize
408KB

MD5
bf8d75e7a2bc9e0a4c336b2a1f3bf9fd

SHA1
37d4f618b872bee0367d19921f955644dcb5e1e1

SHA256
52782843455326c708776be8212df68918c00cf4f404c7087328755efc9be2ae

SHA512
2c903261760efb133645365d8372aaeecca3b6c348a271409215bf7398c1ff12ecddc7091242505522f32e3c7165de905d142693018f2bafe838ae57ccf21712

Download Submit
C:\Windows\{D36265E9-206E-43f9-9CED-1882F52912C9}.exe

Filesize
408KB

MD5
a5e4c3e7d2fce38116e57af2f27d4f76

SHA1
b5773bac2ca7d35f4382e820b62e123867217ac2

SHA256
4d993f3d0be37d1be06ac8f74992e16eef5510fb84a2aef713f70dc167998c0b

SHA512
d2aead4d91c5d4d37ff28b83a920871bc7600e104c907a9819b47be27bfe3d20ec702ac259704b2d1a483d7070654e82be5a1bdf85c532c1c72abbd55218998f

Download Submit
C:\Windows\{E3CBF886-3C78-4f72-AC82-B9D7A86D5B6E}.exe

Filesize
408KB

MD5
e72b306debca45636c451a96878a4c96

SHA1
8010fb26946fcc5d40655f53ea12fb665c6bd399

SHA256
19a955be8ab56607c928471428de58faffcbfc7179a0bafe43ccf5544d74ace4

SHA512
2641a886ece7733263fe1bf0c293b4c6d2f1d4c32d05c658ae0ba36214af9055a4261fd27bb20e5b2a94d3024a6150bd12ea6314af58bbd7c2b626497fd607e5

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads