4ca03702b65c2a6b55cd64a3f129c5276769b5c7c183bdb31b03078a2c3d6663

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
29/03/2024, 08:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-29_f797d23d54142b2ee88b93e80052a1cf_goldeneye.exe
Size

192KB
MD5

f797d23d54142b2ee88b93e80052a1cf
SHA1

ca7f796eaf8834a23feb7439af89f40f320ba1ed
SHA256

4ca03702b65c2a6b55cd64a3f129c5276769b5c7c183bdb31b03078a2c3d6663
SHA512

16f56c62f801be76cc025866e6c825b084252f0c94ddeb7e1b7d990ace51dc62f057d1cd984495a6534623e9e36a3dd2cf56021d67d8e5041383851c547f52bf
SSDEEP

1536:1EGh0oql15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3H6:1EGh0oql1OPOe2MUVg3Ve+rXfMUa

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000b00000001222b-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000800000001225f-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000300000000b1f2-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000400000000b1f2-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000500000000b1f2-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000600000000b1f2-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000700000000b1f2-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3011A1AF-46A0-4a1e-AC9E-DBDBD54ECEE2}	2024-03-29_f797d23d54142b2ee88b93e80052a1cf_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{339032A8-E122-4600-98EC-3865128768AA}	{3011A1AF-46A0-4a1e-AC9E-DBDBD54ECEE2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{339032A8-E122-4600-98EC-3865128768AA}\stubpath = "C:\\Windows\\{339032A8-E122-4600-98EC-3865128768AA}.exe"	{3011A1AF-46A0-4a1e-AC9E-DBDBD54ECEE2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D283DEC4-925D-4c7a-AC65-5B4B4939608E}\stubpath = "C:\\Windows\\{D283DEC4-925D-4c7a-AC65-5B4B4939608E}.exe"	{339032A8-E122-4600-98EC-3865128768AA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DD5F940D-F46D-415c-94B8-F30B7598DED0}	{D283DEC4-925D-4c7a-AC65-5B4B4939608E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0ECBB389-2C7F-4c1a-A05E-F669C386777E}\stubpath = "C:\\Windows\\{0ECBB389-2C7F-4c1a-A05E-F669C386777E}.exe"	{DD5F940D-F46D-415c-94B8-F30B7598DED0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B6B68F2D-0855-4ec5-B7D7-9A4696B2434D}	{0ECBB389-2C7F-4c1a-A05E-F669C386777E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{807F1532-D853-4a56-839B-DBFF41A357A1}\stubpath = "C:\\Windows\\{807F1532-D853-4a56-839B-DBFF41A357A1}.exe"	{EA1D08ED-CED0-4d97-A736-74E2DCAEE921}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{37329F59-E37C-4f15-ADD8-9E1DF1E71DEB}	{807F1532-D853-4a56-839B-DBFF41A357A1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9C08C7DD-95D2-4b33-85A4-817657429BD4}	{37329F59-E37C-4f15-ADD8-9E1DF1E71DEB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3011A1AF-46A0-4a1e-AC9E-DBDBD54ECEE2}\stubpath = "C:\\Windows\\{3011A1AF-46A0-4a1e-AC9E-DBDBD54ECEE2}.exe"	2024-03-29_f797d23d54142b2ee88b93e80052a1cf_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DD5F940D-F46D-415c-94B8-F30B7598DED0}\stubpath = "C:\\Windows\\{DD5F940D-F46D-415c-94B8-F30B7598DED0}.exe"	{D283DEC4-925D-4c7a-AC65-5B4B4939608E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0ECBB389-2C7F-4c1a-A05E-F669C386777E}	{DD5F940D-F46D-415c-94B8-F30B7598DED0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B6B68F2D-0855-4ec5-B7D7-9A4696B2434D}\stubpath = "C:\\Windows\\{B6B68F2D-0855-4ec5-B7D7-9A4696B2434D}.exe"	{0ECBB389-2C7F-4c1a-A05E-F669C386777E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D283DEC4-925D-4c7a-AC65-5B4B4939608E}	{339032A8-E122-4600-98EC-3865128768AA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EA1D08ED-CED0-4d97-A736-74E2DCAEE921}	{B6B68F2D-0855-4ec5-B7D7-9A4696B2434D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EA1D08ED-CED0-4d97-A736-74E2DCAEE921}\stubpath = "C:\\Windows\\{EA1D08ED-CED0-4d97-A736-74E2DCAEE921}.exe"	{B6B68F2D-0855-4ec5-B7D7-9A4696B2434D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9BBD93BF-467C-4b02-B2F5-712AFFF78484}\stubpath = "C:\\Windows\\{9BBD93BF-467C-4b02-B2F5-712AFFF78484}.exe"	{9C08C7DD-95D2-4b33-85A4-817657429BD4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{807F1532-D853-4a56-839B-DBFF41A357A1}	{EA1D08ED-CED0-4d97-A736-74E2DCAEE921}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{37329F59-E37C-4f15-ADD8-9E1DF1E71DEB}\stubpath = "C:\\Windows\\{37329F59-E37C-4f15-ADD8-9E1DF1E71DEB}.exe"	{807F1532-D853-4a56-839B-DBFF41A357A1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9C08C7DD-95D2-4b33-85A4-817657429BD4}\stubpath = "C:\\Windows\\{9C08C7DD-95D2-4b33-85A4-817657429BD4}.exe"	{37329F59-E37C-4f15-ADD8-9E1DF1E71DEB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9BBD93BF-467C-4b02-B2F5-712AFFF78484}	{9C08C7DD-95D2-4b33-85A4-817657429BD4}.exe

Executes dropped EXE 11 IoCs

pid	Process
3020	{3011A1AF-46A0-4a1e-AC9E-DBDBD54ECEE2}.exe
2416	{339032A8-E122-4600-98EC-3865128768AA}.exe
2484	{D283DEC4-925D-4c7a-AC65-5B4B4939608E}.exe
2320	{DD5F940D-F46D-415c-94B8-F30B7598DED0}.exe
2448	{0ECBB389-2C7F-4c1a-A05E-F669C386777E}.exe
280	{B6B68F2D-0855-4ec5-B7D7-9A4696B2434D}.exe
2728	{EA1D08ED-CED0-4d97-A736-74E2DCAEE921}.exe
1632	{807F1532-D853-4a56-839B-DBFF41A357A1}.exe
1240	{37329F59-E37C-4f15-ADD8-9E1DF1E71DEB}.exe
1696	{9C08C7DD-95D2-4b33-85A4-817657429BD4}.exe
1416	{9BBD93BF-467C-4b02-B2F5-712AFFF78484}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{9C08C7DD-95D2-4b33-85A4-817657429BD4}.exe	{37329F59-E37C-4f15-ADD8-9E1DF1E71DEB}.exe
File created	C:\Windows\{339032A8-E122-4600-98EC-3865128768AA}.exe	{3011A1AF-46A0-4a1e-AC9E-DBDBD54ECEE2}.exe
File created	C:\Windows\{D283DEC4-925D-4c7a-AC65-5B4B4939608E}.exe	{339032A8-E122-4600-98EC-3865128768AA}.exe
File created	C:\Windows\{0ECBB389-2C7F-4c1a-A05E-F669C386777E}.exe	{DD5F940D-F46D-415c-94B8-F30B7598DED0}.exe
File created	C:\Windows\{B6B68F2D-0855-4ec5-B7D7-9A4696B2434D}.exe	{0ECBB389-2C7F-4c1a-A05E-F669C386777E}.exe
File created	C:\Windows\{807F1532-D853-4a56-839B-DBFF41A357A1}.exe	{EA1D08ED-CED0-4d97-A736-74E2DCAEE921}.exe
File created	C:\Windows\{37329F59-E37C-4f15-ADD8-9E1DF1E71DEB}.exe	{807F1532-D853-4a56-839B-DBFF41A357A1}.exe
File created	C:\Windows\{3011A1AF-46A0-4a1e-AC9E-DBDBD54ECEE2}.exe	2024-03-29_f797d23d54142b2ee88b93e80052a1cf_goldeneye.exe
File created	C:\Windows\{DD5F940D-F46D-415c-94B8-F30B7598DED0}.exe	{D283DEC4-925D-4c7a-AC65-5B4B4939608E}.exe
File created	C:\Windows\{EA1D08ED-CED0-4d97-A736-74E2DCAEE921}.exe	{B6B68F2D-0855-4ec5-B7D7-9A4696B2434D}.exe
File created	C:\Windows\{9BBD93BF-467C-4b02-B2F5-712AFFF78484}.exe	{9C08C7DD-95D2-4b33-85A4-817657429BD4}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1704	2024-03-29_f797d23d54142b2ee88b93e80052a1cf_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3020	{3011A1AF-46A0-4a1e-AC9E-DBDBD54ECEE2}.exe
Token: SeIncBasePriorityPrivilege	2416	{339032A8-E122-4600-98EC-3865128768AA}.exe
Token: SeIncBasePriorityPrivilege	2484	{D283DEC4-925D-4c7a-AC65-5B4B4939608E}.exe
Token: SeIncBasePriorityPrivilege	2320	{DD5F940D-F46D-415c-94B8-F30B7598DED0}.exe
Token: SeIncBasePriorityPrivilege	2448	{0ECBB389-2C7F-4c1a-A05E-F669C386777E}.exe
Token: SeIncBasePriorityPrivilege	280	{B6B68F2D-0855-4ec5-B7D7-9A4696B2434D}.exe
Token: SeIncBasePriorityPrivilege	2728	{EA1D08ED-CED0-4d97-A736-74E2DCAEE921}.exe
Token: SeIncBasePriorityPrivilege	1632	{807F1532-D853-4a56-839B-DBFF41A357A1}.exe
Token: SeIncBasePriorityPrivilege	1240	{37329F59-E37C-4f15-ADD8-9E1DF1E71DEB}.exe
Token: SeIncBasePriorityPrivilege	1696	{9C08C7DD-95D2-4b33-85A4-817657429BD4}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1704 wrote to memory of 3020	1704	2024-03-29_f797d23d54142b2ee88b93e80052a1cf_goldeneye.exe	28
PID 1704 wrote to memory of 3020	1704	2024-03-29_f797d23d54142b2ee88b93e80052a1cf_goldeneye.exe	28
PID 1704 wrote to memory of 3020	1704	2024-03-29_f797d23d54142b2ee88b93e80052a1cf_goldeneye.exe	28
PID 1704 wrote to memory of 3020	1704	2024-03-29_f797d23d54142b2ee88b93e80052a1cf_goldeneye.exe	28
PID 1704 wrote to memory of 2536	1704	2024-03-29_f797d23d54142b2ee88b93e80052a1cf_goldeneye.exe	29
PID 1704 wrote to memory of 2536	1704	2024-03-29_f797d23d54142b2ee88b93e80052a1cf_goldeneye.exe	29
PID 1704 wrote to memory of 2536	1704	2024-03-29_f797d23d54142b2ee88b93e80052a1cf_goldeneye.exe	29
PID 1704 wrote to memory of 2536	1704	2024-03-29_f797d23d54142b2ee88b93e80052a1cf_goldeneye.exe	29
PID 3020 wrote to memory of 2416	3020	{3011A1AF-46A0-4a1e-AC9E-DBDBD54ECEE2}.exe	30
PID 3020 wrote to memory of 2416	3020	{3011A1AF-46A0-4a1e-AC9E-DBDBD54ECEE2}.exe	30
PID 3020 wrote to memory of 2416	3020	{3011A1AF-46A0-4a1e-AC9E-DBDBD54ECEE2}.exe	30
PID 3020 wrote to memory of 2416	3020	{3011A1AF-46A0-4a1e-AC9E-DBDBD54ECEE2}.exe	30
PID 3020 wrote to memory of 2524	3020	{3011A1AF-46A0-4a1e-AC9E-DBDBD54ECEE2}.exe	31
PID 3020 wrote to memory of 2524	3020	{3011A1AF-46A0-4a1e-AC9E-DBDBD54ECEE2}.exe	31
PID 3020 wrote to memory of 2524	3020	{3011A1AF-46A0-4a1e-AC9E-DBDBD54ECEE2}.exe	31
PID 3020 wrote to memory of 2524	3020	{3011A1AF-46A0-4a1e-AC9E-DBDBD54ECEE2}.exe	31
PID 2416 wrote to memory of 2484	2416	{339032A8-E122-4600-98EC-3865128768AA}.exe	34
PID 2416 wrote to memory of 2484	2416	{339032A8-E122-4600-98EC-3865128768AA}.exe	34
PID 2416 wrote to memory of 2484	2416	{339032A8-E122-4600-98EC-3865128768AA}.exe	34
PID 2416 wrote to memory of 2484	2416	{339032A8-E122-4600-98EC-3865128768AA}.exe	34
PID 2416 wrote to memory of 2924	2416	{339032A8-E122-4600-98EC-3865128768AA}.exe	35
PID 2416 wrote to memory of 2924	2416	{339032A8-E122-4600-98EC-3865128768AA}.exe	35
PID 2416 wrote to memory of 2924	2416	{339032A8-E122-4600-98EC-3865128768AA}.exe	35
PID 2416 wrote to memory of 2924	2416	{339032A8-E122-4600-98EC-3865128768AA}.exe	35
PID 2484 wrote to memory of 2320	2484	{D283DEC4-925D-4c7a-AC65-5B4B4939608E}.exe	36
PID 2484 wrote to memory of 2320	2484	{D283DEC4-925D-4c7a-AC65-5B4B4939608E}.exe	36
PID 2484 wrote to memory of 2320	2484	{D283DEC4-925D-4c7a-AC65-5B4B4939608E}.exe	36
PID 2484 wrote to memory of 2320	2484	{D283DEC4-925D-4c7a-AC65-5B4B4939608E}.exe	36
PID 2484 wrote to memory of 2764	2484	{D283DEC4-925D-4c7a-AC65-5B4B4939608E}.exe	37
PID 2484 wrote to memory of 2764	2484	{D283DEC4-925D-4c7a-AC65-5B4B4939608E}.exe	37
PID 2484 wrote to memory of 2764	2484	{D283DEC4-925D-4c7a-AC65-5B4B4939608E}.exe	37
PID 2484 wrote to memory of 2764	2484	{D283DEC4-925D-4c7a-AC65-5B4B4939608E}.exe	37
PID 2320 wrote to memory of 2448	2320	{DD5F940D-F46D-415c-94B8-F30B7598DED0}.exe	38
PID 2320 wrote to memory of 2448	2320	{DD5F940D-F46D-415c-94B8-F30B7598DED0}.exe	38
PID 2320 wrote to memory of 2448	2320	{DD5F940D-F46D-415c-94B8-F30B7598DED0}.exe	38
PID 2320 wrote to memory of 2448	2320	{DD5F940D-F46D-415c-94B8-F30B7598DED0}.exe	38
PID 2320 wrote to memory of 2692	2320	{DD5F940D-F46D-415c-94B8-F30B7598DED0}.exe	39
PID 2320 wrote to memory of 2692	2320	{DD5F940D-F46D-415c-94B8-F30B7598DED0}.exe	39
PID 2320 wrote to memory of 2692	2320	{DD5F940D-F46D-415c-94B8-F30B7598DED0}.exe	39
PID 2320 wrote to memory of 2692	2320	{DD5F940D-F46D-415c-94B8-F30B7598DED0}.exe	39
PID 2448 wrote to memory of 280	2448	{0ECBB389-2C7F-4c1a-A05E-F669C386777E}.exe	40
PID 2448 wrote to memory of 280	2448	{0ECBB389-2C7F-4c1a-A05E-F669C386777E}.exe	40
PID 2448 wrote to memory of 280	2448	{0ECBB389-2C7F-4c1a-A05E-F669C386777E}.exe	40
PID 2448 wrote to memory of 280	2448	{0ECBB389-2C7F-4c1a-A05E-F669C386777E}.exe	40
PID 2448 wrote to memory of 2476	2448	{0ECBB389-2C7F-4c1a-A05E-F669C386777E}.exe	41
PID 2448 wrote to memory of 2476	2448	{0ECBB389-2C7F-4c1a-A05E-F669C386777E}.exe	41
PID 2448 wrote to memory of 2476	2448	{0ECBB389-2C7F-4c1a-A05E-F669C386777E}.exe	41
PID 2448 wrote to memory of 2476	2448	{0ECBB389-2C7F-4c1a-A05E-F669C386777E}.exe	41
PID 280 wrote to memory of 2728	280	{B6B68F2D-0855-4ec5-B7D7-9A4696B2434D}.exe	42
PID 280 wrote to memory of 2728	280	{B6B68F2D-0855-4ec5-B7D7-9A4696B2434D}.exe	42
PID 280 wrote to memory of 2728	280	{B6B68F2D-0855-4ec5-B7D7-9A4696B2434D}.exe	42
PID 280 wrote to memory of 2728	280	{B6B68F2D-0855-4ec5-B7D7-9A4696B2434D}.exe	42
PID 280 wrote to memory of 684	280	{B6B68F2D-0855-4ec5-B7D7-9A4696B2434D}.exe	43
PID 280 wrote to memory of 684	280	{B6B68F2D-0855-4ec5-B7D7-9A4696B2434D}.exe	43
PID 280 wrote to memory of 684	280	{B6B68F2D-0855-4ec5-B7D7-9A4696B2434D}.exe	43
PID 280 wrote to memory of 684	280	{B6B68F2D-0855-4ec5-B7D7-9A4696B2434D}.exe	43
PID 2728 wrote to memory of 1632	2728	{EA1D08ED-CED0-4d97-A736-74E2DCAEE921}.exe	44
PID 2728 wrote to memory of 1632	2728	{EA1D08ED-CED0-4d97-A736-74E2DCAEE921}.exe	44
PID 2728 wrote to memory of 1632	2728	{EA1D08ED-CED0-4d97-A736-74E2DCAEE921}.exe	44
PID 2728 wrote to memory of 1632	2728	{EA1D08ED-CED0-4d97-A736-74E2DCAEE921}.exe	44
PID 2728 wrote to memory of 2716	2728	{EA1D08ED-CED0-4d97-A736-74E2DCAEE921}.exe	45
PID 2728 wrote to memory of 2716	2728	{EA1D08ED-CED0-4d97-A736-74E2DCAEE921}.exe	45
PID 2728 wrote to memory of 2716	2728	{EA1D08ED-CED0-4d97-A736-74E2DCAEE921}.exe	45
PID 2728 wrote to memory of 2716	2728	{EA1D08ED-CED0-4d97-A736-74E2DCAEE921}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-03-29_f797d23d54142b2ee88b93e80052a1cf_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-29_f797d23d54142b2ee88b93e80052a1cf_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1704
- C:\Windows\{3011A1AF-46A0-4a1e-AC9E-DBDBD54ECEE2}.exe
  C:\Windows\{3011A1AF-46A0-4a1e-AC9E-DBDBD54ECEE2}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3020
- - C:\Windows\{339032A8-E122-4600-98EC-3865128768AA}.exe
    C:\Windows\{339032A8-E122-4600-98EC-3865128768AA}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2416
  - - C:\Windows\{D283DEC4-925D-4c7a-AC65-5B4B4939608E}.exe
      C:\Windows\{D283DEC4-925D-4c7a-AC65-5B4B4939608E}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2484
    - - C:\Windows\{DD5F940D-F46D-415c-94B8-F30B7598DED0}.exe
        
        C:\Windows\{DD5F940D-F46D-415c-94B8-F30B7598DED0}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2320
      - C:\Windows\{0ECBB389-2C7F-4c1a-A05E-F669C386777E}.exe
        
        C:\Windows\{0ECBB389-2C7F-4c1a-A05E-F669C386777E}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2448
        
        C:\Windows\{B6B68F2D-0855-4ec5-B7D7-9A4696B2434D}.exe
        
        C:\Windows\{B6B68F2D-0855-4ec5-B7D7-9A4696B2434D}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:280
        
        C:\Windows\{EA1D08ED-CED0-4d97-A736-74E2DCAEE921}.exe
        
        C:\Windows\{EA1D08ED-CED0-4d97-A736-74E2DCAEE921}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2728
        
        C:\Windows\{807F1532-D853-4a56-839B-DBFF41A357A1}.exe
        
        C:\Windows\{807F1532-D853-4a56-839B-DBFF41A357A1}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1632
        
        C:\Windows\{37329F59-E37C-4f15-ADD8-9E1DF1E71DEB}.exe
        
        C:\Windows\{37329F59-E37C-4f15-ADD8-9E1DF1E71DEB}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1240
        
        C:\Windows\{9C08C7DD-95D2-4b33-85A4-817657429BD4}.exe
        
        C:\Windows\{9C08C7DD-95D2-4b33-85A4-817657429BD4}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1696
        
        C:\Windows\{9BBD93BF-467C-4b02-B2F5-712AFFF78484}.exe
        
        C:\Windows\{9BBD93BF-467C-4b02-B2F5-712AFFF78484}.exe
        12⤵
        Executes dropped EXE
        
        PID:1416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9C08C~1.EXE > nul
        12⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{37329~1.EXE > nul
        11⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{807F1~1.EXE > nul
        10⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EA1D0~1.EXE > nul
        9⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B6B68~1.EXE > nul
        8⤵
        
        PID:684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0ECBB~1.EXE > nul
        7⤵
        
        PID:2476
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DD5F9~1.EXE > nul
        6⤵
        
        PID:2692
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D283D~1.EXE > nul
        5⤵
        
        PID:2764
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{33903~1.EXE > nul
      4⤵
      PID:2924
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{3011A~1.EXE > nul
    3⤵
    PID:2524
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0ECBB389-2C7F-4c1a-A05E-F669C386777E}.exe

Filesize
192KB

MD5
308013b96c08295e722b09c63a813fcf

SHA1
ef97875c834214f251ee63fd1e35d8128a0172a7

SHA256
1f0cffae122512378cb5e91bcd4f54db36a21fd26fee2f060682f5cb4adaef35

SHA512
d048c29b0f9b8a211e11e75e9c8d8a7e13a822090233575df3481596566690e0ad62f98c4d23e77974611c91ec85e5abf5cebdcff3d8d25e3c96ffb66c172b93

Download Submit
C:\Windows\{3011A1AF-46A0-4a1e-AC9E-DBDBD54ECEE2}.exe

Filesize
192KB

MD5
935a0caa6403f449a5b9f4294274e5d5

SHA1
70661323e24d42d335c24202584df21cef9b8bf9

SHA256
5ddd7d6352ed3a001f347850082d3fcb9bc2e24ffaebabc4f80fbea6c88d8ef6

SHA512
0d505505a9fc6564755854a2a09410245e340716dacd1a0c9b4ef05dad0a2868ede38ad1207daad412fadfce4bc1ab42acf9565ccceb565865f45a1329f3d05e

Download Submit
C:\Windows\{339032A8-E122-4600-98EC-3865128768AA}.exe

Filesize
192KB

MD5
d775e6082834025fd12952d84e5ce9bf

SHA1
495ef06530190a50d8d86fd1f1c3aefe5b5750cf

SHA256
b6c81f99a4bea03d56a8004bf9f4ad2c76bac4ba4e8b4597d2c804e75fa7f957

SHA512
67eea6641637f502dc4f18fb14cd3ba92d00a3431e971d1a709db6bd21b6b7aa1474f797a6aba06403b4eb6a2fdd0bd5c00e76fc4590d6dee2e6bf3fc882cb36

Download Submit
C:\Windows\{37329F59-E37C-4f15-ADD8-9E1DF1E71DEB}.exe

Filesize
192KB

MD5
dff9960624b6f2b2745b8f18534b092c

SHA1
6d40eb8b3bb2bcc3bcc6c9a0b1fb2878e15ba6d6

SHA256
53f23605186e2eeb7bad218f57147015e16debb41a1e224d5e9a6a79a47f3fa3

SHA512
50fd9a63dd6b43be7fea94365024aa2663928218868f97fd7ce69c21a5e4332c595dc8d533106ca0223e780a1af43b3629749775b806a4051166d65cbe256225

Download Submit
C:\Windows\{807F1532-D853-4a56-839B-DBFF41A357A1}.exe

Filesize
192KB

MD5
d48e38133802d796c0334090a6517c75

SHA1
09c83725640e79bb75a830aaad19c0a4661c36d1

SHA256
cc8c7e8b7ae211253c6cea35104c03dd7cd9502413717b001c0ce3d51fc38b40

SHA512
5d3f1b74bd26fd9a64e537a0bcfc26688baff6dd315df1586402323ba485948a8735439f18cd49d43557dae0ac06c9ca774ca2f74bcbf6ebbb63b6a3fb14ea94

Download Submit
C:\Windows\{9BBD93BF-467C-4b02-B2F5-712AFFF78484}.exe

Filesize
192KB

MD5
383e3ab6d36e148d0f956a783ea8ddf4

SHA1
ac3bb1caf0c1ac5c5c357d012470d91bf589fb6f

SHA256
2e50a6abe914e21ce9d055ad6bc5b5043987e2bb4d66faa2fe07dcb5fd9176fb

SHA512
1e451cf7f25dd7d004b66dbbd466a4efdb72f5eefed1f73bd12c45be2512d72a167765578f174512190a27e41bf4721c3d68c61798fcc08226cd792215baeaae

Download Submit
C:\Windows\{9C08C7DD-95D2-4b33-85A4-817657429BD4}.exe

Filesize
192KB

MD5
dd0f9af474213adbea055c7fd4acc779

SHA1
583980645273b2c4c564cb272f49016ec11318cb

SHA256
9dbc345b68d25f5f938f26dde9c1caa4e90da45885ac392a013f8913e33f7eed

SHA512
817de991f26477105277ae475c9ae60f2bc3897a5b40dc1edf717a8e2de3645820a1d7f110f40e836bc9f28aafd62f4da1f7c2cb8a2e811f14befeb7e04f4747

Download Submit
C:\Windows\{B6B68F2D-0855-4ec5-B7D7-9A4696B2434D}.exe

Filesize
192KB

MD5
06674d7fac8036d949e588c31931cb75

SHA1
e4b0106bdfd4d2fb047f152dfe14f8fdb826d257

SHA256
2e0a1cc409c4aa80f3fc546990003d6bae633ef4425d66afaa7c4020e96ba069

SHA512
0b06702bd640033c7bb9bad6840f8ed27f9bbc18c05d920d28709729656babe15867b70adff32aec5f6d7be13bdc9f0e9db5b6de81bf814aeee2925ff04a26af

Download Submit
C:\Windows\{D283DEC4-925D-4c7a-AC65-5B4B4939608E}.exe

Filesize
192KB

MD5
19a9d4c3ca9b177797407923cb3116ae

SHA1
868cc60d1575bb74703c31059875ce34e1dbba0b

SHA256
e57c5b0107308225a46d8e38dd355c37e6213a35346f3cde28dba25da6ad3f4e

SHA512
9dc2ff2e6064058c4c86b31594f7b8681e39e6b7f1ee6c4be16586d0b11e97b15a39aac73f27041f88cc9eb0acbb1d5b4ebd4e96eea5a9a0ab1764580cba1e91

Download Submit
C:\Windows\{DD5F940D-F46D-415c-94B8-F30B7598DED0}.exe

Filesize
192KB

MD5
51857b97dbd6dff70c68506e9660fbd2

SHA1
389f4b7750014a75c5e406c0ecd3f096e87eac72

SHA256
0aff3c145953ff2a587901a87aa3561d494d68438c173efa79db0b733251d773

SHA512
354f5db2acce0a88cbeff2737eddbf8957966a5a1c1cda284b8cc8c088dc2acb739e73b939ef5cb3bb4296d8b701b131fc024bddfa87371d3d5257fd08c0ca65

Download Submit
C:\Windows\{EA1D08ED-CED0-4d97-A736-74E2DCAEE921}.exe

Filesize
192KB

MD5
ee97432b24b99e9862206294f7afbe64

SHA1
caf9fae15c4d484cea363c886d7b4aa578c52d4d

SHA256
4faa91cc90426d46dd3f8b34388cb8777b5b4ab8b91709877dc68c12e592fecd

SHA512
1b17c74ecc0aa0a058306266da9b4b675f97b97d6fdb9a52964d8558375450d41ba698f3afb2fc3a085acc8639d845d3b5ab7c178bf229a0760619d2c79f315d

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads