ee52c32330d824a198bb33a1148415f154b2b78d168075b4b939bfec1affcab1

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
09/04/2024, 03:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ee52c32330d824a198bb33a1148415f154b2b78d168075b4b939bfec1affcab1.exe
Size

380KB
MD5

da67cc911b13343d2d871e9ffd67c5cb
SHA1

908e600d4b5364c9b3f900720bdfb8dcbd8ecdcc
SHA256

ee52c32330d824a198bb33a1148415f154b2b78d168075b4b939bfec1affcab1
SHA512

292335b34bd64c28229c3ec0808b33eaa8299983e170888a62814bc9b933ce4690db84eacb565b568a78ee87a38b9f603183e7ffe564f24f46445a60c7160090
SSDEEP

3072:mEGh0ovlPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGdl7Oe2MUVg3v2IneKcAEcARy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000c00000001231a-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a00000001431c-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d00000001231a-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0036000000014502-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e00000001231a-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f00000001231a-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001000000001231a-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C3D88065-6D3C-49a8-A078-02AA1C683DB6}	{80C50A2F-0810-440d-9F9A-B5BD8AFE8DD0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C3D88065-6D3C-49a8-A078-02AA1C683DB6}\stubpath = "C:\\Windows\\{C3D88065-6D3C-49a8-A078-02AA1C683DB6}.exe"	{80C50A2F-0810-440d-9F9A-B5BD8AFE8DD0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{57184A6D-F9EA-43d4-8CA3-48135B64A357}	{06E35083-9C8B-4df6-AEE1-EA1F7406B73D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E1FBCAD8-E4F1-4e11-9EF8-CA60D4450DA4}\stubpath = "C:\\Windows\\{E1FBCAD8-E4F1-4e11-9EF8-CA60D4450DA4}.exe"	ee52c32330d824a198bb33a1148415f154b2b78d168075b4b939bfec1affcab1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8EDBA8DA-178C-40a3-B424-CC26D6458E3B}	{E1FBCAD8-E4F1-4e11-9EF8-CA60D4450DA4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3E094DB6-A87A-4245-895B-789A2B1A3281}\stubpath = "C:\\Windows\\{3E094DB6-A87A-4245-895B-789A2B1A3281}.exe"	{FBE7E5A2-A727-4ab1-803C-DF76A1C94863}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{80C50A2F-0810-440d-9F9A-B5BD8AFE8DD0}	{E5FE94C9-84E1-481b-9FB8-EB37AFF3E696}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E1FBCAD8-E4F1-4e11-9EF8-CA60D4450DA4}	ee52c32330d824a198bb33a1148415f154b2b78d168075b4b939bfec1affcab1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{06E35083-9C8B-4df6-AEE1-EA1F7406B73D}\stubpath = "C:\\Windows\\{06E35083-9C8B-4df6-AEE1-EA1F7406B73D}.exe"	{8EDBA8DA-178C-40a3-B424-CC26D6458E3B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{57184A6D-F9EA-43d4-8CA3-48135B64A357}\stubpath = "C:\\Windows\\{57184A6D-F9EA-43d4-8CA3-48135B64A357}.exe"	{06E35083-9C8B-4df6-AEE1-EA1F7406B73D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FBE7E5A2-A727-4ab1-803C-DF76A1C94863}\stubpath = "C:\\Windows\\{FBE7E5A2-A727-4ab1-803C-DF76A1C94863}.exe"	{57184A6D-F9EA-43d4-8CA3-48135B64A357}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3E094DB6-A87A-4245-895B-789A2B1A3281}	{FBE7E5A2-A727-4ab1-803C-DF76A1C94863}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E5FE94C9-84E1-481b-9FB8-EB37AFF3E696}\stubpath = "C:\\Windows\\{E5FE94C9-84E1-481b-9FB8-EB37AFF3E696}.exe"	{3E094DB6-A87A-4245-895B-789A2B1A3281}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{050B3955-CBAC-424b-93C1-ECC903C84079}	{C3D88065-6D3C-49a8-A078-02AA1C683DB6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{91BD837B-44D3-4590-9B56-039A6BAEC927}\stubpath = "C:\\Windows\\{91BD837B-44D3-4590-9B56-039A6BAEC927}.exe"	{050B3955-CBAC-424b-93C1-ECC903C84079}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{06E35083-9C8B-4df6-AEE1-EA1F7406B73D}	{8EDBA8DA-178C-40a3-B424-CC26D6458E3B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FBE7E5A2-A727-4ab1-803C-DF76A1C94863}	{57184A6D-F9EA-43d4-8CA3-48135B64A357}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E5FE94C9-84E1-481b-9FB8-EB37AFF3E696}	{3E094DB6-A87A-4245-895B-789A2B1A3281}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{80C50A2F-0810-440d-9F9A-B5BD8AFE8DD0}\stubpath = "C:\\Windows\\{80C50A2F-0810-440d-9F9A-B5BD8AFE8DD0}.exe"	{E5FE94C9-84E1-481b-9FB8-EB37AFF3E696}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{050B3955-CBAC-424b-93C1-ECC903C84079}\stubpath = "C:\\Windows\\{050B3955-CBAC-424b-93C1-ECC903C84079}.exe"	{C3D88065-6D3C-49a8-A078-02AA1C683DB6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{91BD837B-44D3-4590-9B56-039A6BAEC927}	{050B3955-CBAC-424b-93C1-ECC903C84079}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8EDBA8DA-178C-40a3-B424-CC26D6458E3B}\stubpath = "C:\\Windows\\{8EDBA8DA-178C-40a3-B424-CC26D6458E3B}.exe"	{E1FBCAD8-E4F1-4e11-9EF8-CA60D4450DA4}.exe

Deletes itself 1 IoCs

pid	Process
1964	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
1032	{E1FBCAD8-E4F1-4e11-9EF8-CA60D4450DA4}.exe
2720	{8EDBA8DA-178C-40a3-B424-CC26D6458E3B}.exe
868	{06E35083-9C8B-4df6-AEE1-EA1F7406B73D}.exe
3024	{57184A6D-F9EA-43d4-8CA3-48135B64A357}.exe
2828	{FBE7E5A2-A727-4ab1-803C-DF76A1C94863}.exe
2696	{3E094DB6-A87A-4245-895B-789A2B1A3281}.exe
700	{E5FE94C9-84E1-481b-9FB8-EB37AFF3E696}.exe
2824	{80C50A2F-0810-440d-9F9A-B5BD8AFE8DD0}.exe
2700	{C3D88065-6D3C-49a8-A078-02AA1C683DB6}.exe
1260	{050B3955-CBAC-424b-93C1-ECC903C84079}.exe
856	{91BD837B-44D3-4590-9B56-039A6BAEC927}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{06E35083-9C8B-4df6-AEE1-EA1F7406B73D}.exe	{8EDBA8DA-178C-40a3-B424-CC26D6458E3B}.exe
File created	C:\Windows\{FBE7E5A2-A727-4ab1-803C-DF76A1C94863}.exe	{57184A6D-F9EA-43d4-8CA3-48135B64A357}.exe
File created	C:\Windows\{E5FE94C9-84E1-481b-9FB8-EB37AFF3E696}.exe	{3E094DB6-A87A-4245-895B-789A2B1A3281}.exe
File created	C:\Windows\{050B3955-CBAC-424b-93C1-ECC903C84079}.exe	{C3D88065-6D3C-49a8-A078-02AA1C683DB6}.exe
File created	C:\Windows\{91BD837B-44D3-4590-9B56-039A6BAEC927}.exe	{050B3955-CBAC-424b-93C1-ECC903C84079}.exe
File created	C:\Windows\{8EDBA8DA-178C-40a3-B424-CC26D6458E3B}.exe	{E1FBCAD8-E4F1-4e11-9EF8-CA60D4450DA4}.exe
File created	C:\Windows\{57184A6D-F9EA-43d4-8CA3-48135B64A357}.exe	{06E35083-9C8B-4df6-AEE1-EA1F7406B73D}.exe
File created	C:\Windows\{3E094DB6-A87A-4245-895B-789A2B1A3281}.exe	{FBE7E5A2-A727-4ab1-803C-DF76A1C94863}.exe
File created	C:\Windows\{80C50A2F-0810-440d-9F9A-B5BD8AFE8DD0}.exe	{E5FE94C9-84E1-481b-9FB8-EB37AFF3E696}.exe
File created	C:\Windows\{C3D88065-6D3C-49a8-A078-02AA1C683DB6}.exe	{80C50A2F-0810-440d-9F9A-B5BD8AFE8DD0}.exe
File created	C:\Windows\{E1FBCAD8-E4F1-4e11-9EF8-CA60D4450DA4}.exe	ee52c32330d824a198bb33a1148415f154b2b78d168075b4b939bfec1affcab1.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2220	ee52c32330d824a198bb33a1148415f154b2b78d168075b4b939bfec1affcab1.exe
Token: SeIncBasePriorityPrivilege	1032	{E1FBCAD8-E4F1-4e11-9EF8-CA60D4450DA4}.exe
Token: SeIncBasePriorityPrivilege	2720	{8EDBA8DA-178C-40a3-B424-CC26D6458E3B}.exe
Token: SeIncBasePriorityPrivilege	868	{06E35083-9C8B-4df6-AEE1-EA1F7406B73D}.exe
Token: SeIncBasePriorityPrivilege	3024	{57184A6D-F9EA-43d4-8CA3-48135B64A357}.exe
Token: SeIncBasePriorityPrivilege	2828	{FBE7E5A2-A727-4ab1-803C-DF76A1C94863}.exe
Token: SeIncBasePriorityPrivilege	2696	{3E094DB6-A87A-4245-895B-789A2B1A3281}.exe
Token: SeIncBasePriorityPrivilege	700	{E5FE94C9-84E1-481b-9FB8-EB37AFF3E696}.exe
Token: SeIncBasePriorityPrivilege	2824	{80C50A2F-0810-440d-9F9A-B5BD8AFE8DD0}.exe
Token: SeIncBasePriorityPrivilege	2700	{C3D88065-6D3C-49a8-A078-02AA1C683DB6}.exe
Token: SeIncBasePriorityPrivilege	1260	{050B3955-CBAC-424b-93C1-ECC903C84079}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2220 wrote to memory of 1032	2220	ee52c32330d824a198bb33a1148415f154b2b78d168075b4b939bfec1affcab1.exe	28
PID 2220 wrote to memory of 1032	2220	ee52c32330d824a198bb33a1148415f154b2b78d168075b4b939bfec1affcab1.exe	28
PID 2220 wrote to memory of 1032	2220	ee52c32330d824a198bb33a1148415f154b2b78d168075b4b939bfec1affcab1.exe	28
PID 2220 wrote to memory of 1032	2220	ee52c32330d824a198bb33a1148415f154b2b78d168075b4b939bfec1affcab1.exe	28
PID 2220 wrote to memory of 1964	2220	ee52c32330d824a198bb33a1148415f154b2b78d168075b4b939bfec1affcab1.exe	29
PID 2220 wrote to memory of 1964	2220	ee52c32330d824a198bb33a1148415f154b2b78d168075b4b939bfec1affcab1.exe	29
PID 2220 wrote to memory of 1964	2220	ee52c32330d824a198bb33a1148415f154b2b78d168075b4b939bfec1affcab1.exe	29
PID 2220 wrote to memory of 1964	2220	ee52c32330d824a198bb33a1148415f154b2b78d168075b4b939bfec1affcab1.exe	29
PID 1032 wrote to memory of 2720	1032	{E1FBCAD8-E4F1-4e11-9EF8-CA60D4450DA4}.exe	30
PID 1032 wrote to memory of 2720	1032	{E1FBCAD8-E4F1-4e11-9EF8-CA60D4450DA4}.exe	30
PID 1032 wrote to memory of 2720	1032	{E1FBCAD8-E4F1-4e11-9EF8-CA60D4450DA4}.exe	30
PID 1032 wrote to memory of 2720	1032	{E1FBCAD8-E4F1-4e11-9EF8-CA60D4450DA4}.exe	30
PID 1032 wrote to memory of 2624	1032	{E1FBCAD8-E4F1-4e11-9EF8-CA60D4450DA4}.exe	31
PID 1032 wrote to memory of 2624	1032	{E1FBCAD8-E4F1-4e11-9EF8-CA60D4450DA4}.exe	31
PID 1032 wrote to memory of 2624	1032	{E1FBCAD8-E4F1-4e11-9EF8-CA60D4450DA4}.exe	31
PID 1032 wrote to memory of 2624	1032	{E1FBCAD8-E4F1-4e11-9EF8-CA60D4450DA4}.exe	31
PID 2720 wrote to memory of 868	2720	{8EDBA8DA-178C-40a3-B424-CC26D6458E3B}.exe	32
PID 2720 wrote to memory of 868	2720	{8EDBA8DA-178C-40a3-B424-CC26D6458E3B}.exe	32
PID 2720 wrote to memory of 868	2720	{8EDBA8DA-178C-40a3-B424-CC26D6458E3B}.exe	32
PID 2720 wrote to memory of 868	2720	{8EDBA8DA-178C-40a3-B424-CC26D6458E3B}.exe	32
PID 2720 wrote to memory of 2808	2720	{8EDBA8DA-178C-40a3-B424-CC26D6458E3B}.exe	33
PID 2720 wrote to memory of 2808	2720	{8EDBA8DA-178C-40a3-B424-CC26D6458E3B}.exe	33
PID 2720 wrote to memory of 2808	2720	{8EDBA8DA-178C-40a3-B424-CC26D6458E3B}.exe	33
PID 2720 wrote to memory of 2808	2720	{8EDBA8DA-178C-40a3-B424-CC26D6458E3B}.exe	33
PID 868 wrote to memory of 3024	868	{06E35083-9C8B-4df6-AEE1-EA1F7406B73D}.exe	36
PID 868 wrote to memory of 3024	868	{06E35083-9C8B-4df6-AEE1-EA1F7406B73D}.exe	36
PID 868 wrote to memory of 3024	868	{06E35083-9C8B-4df6-AEE1-EA1F7406B73D}.exe	36
PID 868 wrote to memory of 3024	868	{06E35083-9C8B-4df6-AEE1-EA1F7406B73D}.exe	36
PID 868 wrote to memory of 1836	868	{06E35083-9C8B-4df6-AEE1-EA1F7406B73D}.exe	37
PID 868 wrote to memory of 1836	868	{06E35083-9C8B-4df6-AEE1-EA1F7406B73D}.exe	37
PID 868 wrote to memory of 1836	868	{06E35083-9C8B-4df6-AEE1-EA1F7406B73D}.exe	37
PID 868 wrote to memory of 1836	868	{06E35083-9C8B-4df6-AEE1-EA1F7406B73D}.exe	37
PID 3024 wrote to memory of 2828	3024	{57184A6D-F9EA-43d4-8CA3-48135B64A357}.exe	38
PID 3024 wrote to memory of 2828	3024	{57184A6D-F9EA-43d4-8CA3-48135B64A357}.exe	38
PID 3024 wrote to memory of 2828	3024	{57184A6D-F9EA-43d4-8CA3-48135B64A357}.exe	38
PID 3024 wrote to memory of 2828	3024	{57184A6D-F9EA-43d4-8CA3-48135B64A357}.exe	38
PID 3024 wrote to memory of 2884	3024	{57184A6D-F9EA-43d4-8CA3-48135B64A357}.exe	39
PID 3024 wrote to memory of 2884	3024	{57184A6D-F9EA-43d4-8CA3-48135B64A357}.exe	39
PID 3024 wrote to memory of 2884	3024	{57184A6D-F9EA-43d4-8CA3-48135B64A357}.exe	39
PID 3024 wrote to memory of 2884	3024	{57184A6D-F9EA-43d4-8CA3-48135B64A357}.exe	39
PID 2828 wrote to memory of 2696	2828	{FBE7E5A2-A727-4ab1-803C-DF76A1C94863}.exe	40
PID 2828 wrote to memory of 2696	2828	{FBE7E5A2-A727-4ab1-803C-DF76A1C94863}.exe	40
PID 2828 wrote to memory of 2696	2828	{FBE7E5A2-A727-4ab1-803C-DF76A1C94863}.exe	40
PID 2828 wrote to memory of 2696	2828	{FBE7E5A2-A727-4ab1-803C-DF76A1C94863}.exe	40
PID 2828 wrote to memory of 2000	2828	{FBE7E5A2-A727-4ab1-803C-DF76A1C94863}.exe	41
PID 2828 wrote to memory of 2000	2828	{FBE7E5A2-A727-4ab1-803C-DF76A1C94863}.exe	41
PID 2828 wrote to memory of 2000	2828	{FBE7E5A2-A727-4ab1-803C-DF76A1C94863}.exe	41
PID 2828 wrote to memory of 2000	2828	{FBE7E5A2-A727-4ab1-803C-DF76A1C94863}.exe	41
PID 2696 wrote to memory of 700	2696	{3E094DB6-A87A-4245-895B-789A2B1A3281}.exe	42
PID 2696 wrote to memory of 700	2696	{3E094DB6-A87A-4245-895B-789A2B1A3281}.exe	42
PID 2696 wrote to memory of 700	2696	{3E094DB6-A87A-4245-895B-789A2B1A3281}.exe	42
PID 2696 wrote to memory of 700	2696	{3E094DB6-A87A-4245-895B-789A2B1A3281}.exe	42
PID 2696 wrote to memory of 620	2696	{3E094DB6-A87A-4245-895B-789A2B1A3281}.exe	43
PID 2696 wrote to memory of 620	2696	{3E094DB6-A87A-4245-895B-789A2B1A3281}.exe	43
PID 2696 wrote to memory of 620	2696	{3E094DB6-A87A-4245-895B-789A2B1A3281}.exe	43
PID 2696 wrote to memory of 620	2696	{3E094DB6-A87A-4245-895B-789A2B1A3281}.exe	43
PID 700 wrote to memory of 2824	700	{E5FE94C9-84E1-481b-9FB8-EB37AFF3E696}.exe	44
PID 700 wrote to memory of 2824	700	{E5FE94C9-84E1-481b-9FB8-EB37AFF3E696}.exe	44
PID 700 wrote to memory of 2824	700	{E5FE94C9-84E1-481b-9FB8-EB37AFF3E696}.exe	44
PID 700 wrote to memory of 2824	700	{E5FE94C9-84E1-481b-9FB8-EB37AFF3E696}.exe	44
PID 700 wrote to memory of 1608	700	{E5FE94C9-84E1-481b-9FB8-EB37AFF3E696}.exe	45
PID 700 wrote to memory of 1608	700	{E5FE94C9-84E1-481b-9FB8-EB37AFF3E696}.exe	45
PID 700 wrote to memory of 1608	700	{E5FE94C9-84E1-481b-9FB8-EB37AFF3E696}.exe	45
PID 700 wrote to memory of 1608	700	{E5FE94C9-84E1-481b-9FB8-EB37AFF3E696}.exe	45

C:\Users\Admin\AppData\Local\Temp\ee52c32330d824a198bb33a1148415f154b2b78d168075b4b939bfec1affcab1.exe
"C:\Users\Admin\AppData\Local\Temp\ee52c32330d824a198bb33a1148415f154b2b78d168075b4b939bfec1affcab1.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2220
- C:\Windows\{E1FBCAD8-E4F1-4e11-9EF8-CA60D4450DA4}.exe
  C:\Windows\{E1FBCAD8-E4F1-4e11-9EF8-CA60D4450DA4}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1032
- - C:\Windows\{8EDBA8DA-178C-40a3-B424-CC26D6458E3B}.exe
    C:\Windows\{8EDBA8DA-178C-40a3-B424-CC26D6458E3B}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2720
  - - C:\Windows\{06E35083-9C8B-4df6-AEE1-EA1F7406B73D}.exe
      C:\Windows\{06E35083-9C8B-4df6-AEE1-EA1F7406B73D}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:868
    - - C:\Windows\{57184A6D-F9EA-43d4-8CA3-48135B64A357}.exe
        
        C:\Windows\{57184A6D-F9EA-43d4-8CA3-48135B64A357}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3024
      - C:\Windows\{FBE7E5A2-A727-4ab1-803C-DF76A1C94863}.exe
        
        C:\Windows\{FBE7E5A2-A727-4ab1-803C-DF76A1C94863}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2828
        
        C:\Windows\{3E094DB6-A87A-4245-895B-789A2B1A3281}.exe
        
        C:\Windows\{3E094DB6-A87A-4245-895B-789A2B1A3281}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2696
        
        C:\Windows\{E5FE94C9-84E1-481b-9FB8-EB37AFF3E696}.exe
        
        C:\Windows\{E5FE94C9-84E1-481b-9FB8-EB37AFF3E696}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:700
        
        C:\Windows\{80C50A2F-0810-440d-9F9A-B5BD8AFE8DD0}.exe
        
        C:\Windows\{80C50A2F-0810-440d-9F9A-B5BD8AFE8DD0}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2824
        
        C:\Windows\{C3D88065-6D3C-49a8-A078-02AA1C683DB6}.exe
        
        C:\Windows\{C3D88065-6D3C-49a8-A078-02AA1C683DB6}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2700
        
        C:\Windows\{050B3955-CBAC-424b-93C1-ECC903C84079}.exe
        
        C:\Windows\{050B3955-CBAC-424b-93C1-ECC903C84079}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1260
        
        C:\Windows\{91BD837B-44D3-4590-9B56-039A6BAEC927}.exe
        
        C:\Windows\{91BD837B-44D3-4590-9B56-039A6BAEC927}.exe
        12⤵
        Executes dropped EXE
        
        PID:856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{050B3~1.EXE > nul
        12⤵
        
        PID:988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C3D88~1.EXE > nul
        11⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{80C50~1.EXE > nul
        10⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E5FE9~1.EXE > nul
        9⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3E094~1.EXE > nul
        8⤵
        
        PID:620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FBE7E~1.EXE > nul
        7⤵
        
        PID:2000
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{57184~1.EXE > nul
        6⤵
        
        PID:2884
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{06E35~1.EXE > nul
        5⤵
        
        PID:1836
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{8EDBA~1.EXE > nul
      4⤵
      PID:2808
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{E1FBC~1.EXE > nul
    3⤵
    PID:2624
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\EE52C3~1.EXE > nul
  2⤵
  - Deletes itself
  PID:1964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{050B3955-CBAC-424b-93C1-ECC903C84079}.exe

Filesize
380KB

MD5
07677af2f53e29925793be57ba0f8b2d

SHA1
dc5053814bfc3077871437653c3537ab4aef9e6c

SHA256
94134249079cbede8726d8743b3285b10f2952fc34a7ccf7ad3c80fedf4d00fd

SHA512
6f8e3d31a41245eb58d0256a486e3b57b7b0fbcddceef8ea1c34cfeef715f49e1325f3c6bd0b6c774fced7cc60fbc133feba08ead6d6700c75d4aea9e08aecf4

Download Submit
C:\Windows\{06E35083-9C8B-4df6-AEE1-EA1F7406B73D}.exe

Filesize
380KB

MD5
874acdbe18df4f946db33fa72ab83bfd

SHA1
06e3c52c0a8c972aa27d0d5bfa7c6846be52aaab

SHA256
b4ab20b2e0269c10704620a42172a15f20daf4167357c6be638d48c334e18b46

SHA512
862264c6f4f08b086d5aa58f8f9810c63115cc0fdfb6f08a241aa1922cf82c503abe41e78eb7d5d6b4d714b12b426b5a917cab0da67b1e0e9ea0764a0d7361c8

Download Submit
C:\Windows\{3E094DB6-A87A-4245-895B-789A2B1A3281}.exe

Filesize
380KB

MD5
8a349b35abd2a3ba48cfb3b7f4e99072

SHA1
c74a6ad8418213dbd56eadc223757f788d222d1e

SHA256
3bd9f9db3ff5033510369f5ec0c4094da918f971e32d414a49b332e4d150a345

SHA512
8ad7c3d7e64f5f3efcde2012b5e8e9bbbc3330acf00ff7eb9e269ab336852fb8357367564e778398f0424f5cf2ea18368b0254e841b156fb15f589366bfc6cdd

Download Submit
C:\Windows\{57184A6D-F9EA-43d4-8CA3-48135B64A357}.exe

Filesize
380KB

MD5
eb4a1e9e3b05856eb85fded6c228d4e3

SHA1
cbbc1b33ecf6c91e7db95009e296ef3be5eeef76

SHA256
26da99fd74928ee7df8b50e6fcf2195d0cc7632e13086c4f410954ba91b3dda3

SHA512
daf4eb640e6a27ad0c9aa0e0d3c4df5c9da4095f27f34f326fc6d8774214e1f67d6bcd034d4fed5d201a68a2e5d161fd3f09a92cc13d904da17635448ce690de

Download Submit
C:\Windows\{80C50A2F-0810-440d-9F9A-B5BD8AFE8DD0}.exe

Filesize
380KB

MD5
400afc170667f8f35bc67f10460f6ae4

SHA1
710417ca8f94058adf2fa5ffacfac735eecdb0ea

SHA256
1a84eb7efe10dc903af41f5a8794682c5071a9068928d4d84da26ad71b376e40

SHA512
ec8d65ef52469935da09aa6709837853551d754071da07829539ac98ee9002e18e6d33b67e774a18e67cbc9641aab90b84a1bca497bf4962d47137afad8fd910

Download Submit
C:\Windows\{8EDBA8DA-178C-40a3-B424-CC26D6458E3B}.exe

Filesize
380KB

MD5
b42034ea039048ac7b98685a8d7142c3

SHA1
7825d0ad6a6e6db07522f7db1fa07cc58b3d412c

SHA256
c223a8cbc3daf35f17dc045b6993d88152ba7cf1a1d4ce830e4b7ca018c558f3

SHA512
18de7c065661c161532b851d6ab2c594f3d7a8f4918e2832d9cee49cfa50187ae44de5b177e65945ad714205d1188d48cf3e7b2712baa7e2fd4142235f434e25

Download Submit
C:\Windows\{91BD837B-44D3-4590-9B56-039A6BAEC927}.exe

Filesize
380KB

MD5
15477c6bfde53caf4d941a83f9583353

SHA1
20de608647153cd8eaf93950f7b20c1071719ce7

SHA256
4d31bc4bae8f5fadc039e230b2a6661d2211c40a6fe80961feba07802985ac9b

SHA512
b26a5638bd44e7401a94846ea9f795d4be8176e10399e3c05ed5998f00dab068e018dadb52b462d82af80e913cad5c0cd119d7b88d85f5bd7b6a767b495a4cc9

Download Submit
C:\Windows\{C3D88065-6D3C-49a8-A078-02AA1C683DB6}.exe

Filesize
380KB

MD5
348fa3042a461d81bbf329a12f0b1bdc

SHA1
0373bb665704662c491fd02ff0f6a8a02033b834

SHA256
dc459b2cebd27ed3d952d30390bcb9a13147a17271cbacd9d0f2369a6024622b

SHA512
cabddeffa09e4f8d825cca6806b84373fcadabd63cf6a8a7b6e04d0261ddacb5812e11101e18b03c8d51d8ef1a7190613bdcec050dfe9e913339556e63aaa78b

Download Submit
C:\Windows\{E1FBCAD8-E4F1-4e11-9EF8-CA60D4450DA4}.exe

Filesize
380KB

MD5
f8bd6b0d0a6b692da762f9bcc08d8ee3

SHA1
b260fe4a35f44ea570a0b952b68b95862dec77f9

SHA256
de453beca77d5b13d1b33fbfe4610e867fb7728199480327606e6ffe7dd96ece

SHA512
7073c2eebdb736656890f6bd08aba727e9c5594d263ee45124e881c28561b1806fbf042f6fced407d9155a6a2460d9ffddf17767ee06114e00aca0be6c42ae3b

Download Submit
C:\Windows\{E5FE94C9-84E1-481b-9FB8-EB37AFF3E696}.exe

Filesize
380KB

MD5
438c156041ee19c87262ef4b41895326

SHA1
20f977ca87ba4b6b2fa9310602f037010a872805

SHA256
1f99b8657882af0057582ccf32f571f126d9fb5f29b1b37a957b15bf9671b765

SHA512
42cdad7ca921ab5bc825c657ab69a31c7b68a1932985e9bbc622c96904c8499ef8eee7b53001275bf3c9dee32d3e8ffdbb4e1cd82ddb2980a0fc8e066b5762b2

Download Submit
C:\Windows\{FBE7E5A2-A727-4ab1-803C-DF76A1C94863}.exe

Filesize
380KB

MD5
85c9dc8479f36c8892a2f46d82dab9bd

SHA1
5bb9161899782ef4b7eff2658828fcae02778f4e

SHA256
0873f9d4114b48f84634d6fe80d874bb24efba8684e684dffe030a6808ea51ed

SHA512
8d1362ef402e751ce62a14b5da65c70ede14dcb1dd94134f6a87fe9ba1f4a1890bcf8b2fbede50ad5b843e0f1a0d5ed033939824de5122d98195beaf2192176a

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads