1c7b87ef90c55ec01ea251d1cc24f01b438d1ff94e3f48f1934a2d8418954293

Analysis

max time kernel
144s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
10-04-2024 23:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-10_331b16c89cf7370e3416ad0841a779d1_goldeneye.exe
Size

408KB
MD5

331b16c89cf7370e3416ad0841a779d1
SHA1

c0fedffda6481ae75b1182013d2ff99af820be41
SHA256

1c7b87ef90c55ec01ea251d1cc24f01b438d1ff94e3f48f1934a2d8418954293
SHA512

a7b33e9b7249ff54d9498dcfd95b55af8cef4570b7d26c85b2ba387775ec1d6439e3e657ac6b192be53d2721468432bd4667f47f864a0070bb9b3a4f89110b5e
SSDEEP

3072:CEGh0oll3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBft:CEGnldOe2MUVg3vTeKcAEciTBqr3jy9

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x00070000000120e4-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0010000000015c5d-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f00000000f680-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00080000000120e4-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001000000000f680-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0011000000015c5d-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001100000000f680-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000015c7c-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001200000000f680-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a000000015c7c-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001300000000f680-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B4877B8D-C713-4645-AC47-A1696A25EF31}\stubpath = "C:\\Windows\\{B4877B8D-C713-4645-AC47-A1696A25EF31}.exe"	{8AE5322D-AF2F-4cdf-B8DF-533B62626AC2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{415FD666-D9AA-4bf6-950C-F9A0D97B764C}\stubpath = "C:\\Windows\\{415FD666-D9AA-4bf6-950C-F9A0D97B764C}.exe"	{B4877B8D-C713-4645-AC47-A1696A25EF31}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FCF26EE0-A152-4f3f-8442-3EBB5B4270C9}	{3EC33F2D-12D8-4ebe-86D2-7B59A05F5274}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4D02208A-CF78-4e39-BD93-48FB4E8B82CB}	{FCF26EE0-A152-4f3f-8442-3EBB5B4270C9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{53EA0EE1-0DDF-4d44-88CA-3ED516265675}\stubpath = "C:\\Windows\\{53EA0EE1-0DDF-4d44-88CA-3ED516265675}.exe"	{734D18F8-8BCA-4cff-90E3-867C60D437D8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B5EE3ACF-3CF2-412d-91C2-CBCF6A24ECB3}	{53EA0EE1-0DDF-4d44-88CA-3ED516265675}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AE2434B1-A37C-42b9-A496-C07D857AC967}\stubpath = "C:\\Windows\\{AE2434B1-A37C-42b9-A496-C07D857AC967}.exe"	{74D85D0F-63F4-41b3-B44F-41845F4E8A75}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8AE5322D-AF2F-4cdf-B8DF-533B62626AC2}	{AE2434B1-A37C-42b9-A496-C07D857AC967}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8AE5322D-AF2F-4cdf-B8DF-533B62626AC2}\stubpath = "C:\\Windows\\{8AE5322D-AF2F-4cdf-B8DF-533B62626AC2}.exe"	{AE2434B1-A37C-42b9-A496-C07D857AC967}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{415FD666-D9AA-4bf6-950C-F9A0D97B764C}	{B4877B8D-C713-4645-AC47-A1696A25EF31}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4D02208A-CF78-4e39-BD93-48FB4E8B82CB}\stubpath = "C:\\Windows\\{4D02208A-CF78-4e39-BD93-48FB4E8B82CB}.exe"	{FCF26EE0-A152-4f3f-8442-3EBB5B4270C9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{734D18F8-8BCA-4cff-90E3-867C60D437D8}	{4D02208A-CF78-4e39-BD93-48FB4E8B82CB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{74D85D0F-63F4-41b3-B44F-41845F4E8A75}	2024-04-10_331b16c89cf7370e3416ad0841a779d1_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AE2434B1-A37C-42b9-A496-C07D857AC967}	{74D85D0F-63F4-41b3-B44F-41845F4E8A75}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3EC33F2D-12D8-4ebe-86D2-7B59A05F5274}\stubpath = "C:\\Windows\\{3EC33F2D-12D8-4ebe-86D2-7B59A05F5274}.exe"	{415FD666-D9AA-4bf6-950C-F9A0D97B764C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{53EA0EE1-0DDF-4d44-88CA-3ED516265675}	{734D18F8-8BCA-4cff-90E3-867C60D437D8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B5EE3ACF-3CF2-412d-91C2-CBCF6A24ECB3}\stubpath = "C:\\Windows\\{B5EE3ACF-3CF2-412d-91C2-CBCF6A24ECB3}.exe"	{53EA0EE1-0DDF-4d44-88CA-3ED516265675}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{74D85D0F-63F4-41b3-B44F-41845F4E8A75}\stubpath = "C:\\Windows\\{74D85D0F-63F4-41b3-B44F-41845F4E8A75}.exe"	2024-04-10_331b16c89cf7370e3416ad0841a779d1_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B4877B8D-C713-4645-AC47-A1696A25EF31}	{8AE5322D-AF2F-4cdf-B8DF-533B62626AC2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3EC33F2D-12D8-4ebe-86D2-7B59A05F5274}	{415FD666-D9AA-4bf6-950C-F9A0D97B764C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FCF26EE0-A152-4f3f-8442-3EBB5B4270C9}\stubpath = "C:\\Windows\\{FCF26EE0-A152-4f3f-8442-3EBB5B4270C9}.exe"	{3EC33F2D-12D8-4ebe-86D2-7B59A05F5274}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{734D18F8-8BCA-4cff-90E3-867C60D437D8}\stubpath = "C:\\Windows\\{734D18F8-8BCA-4cff-90E3-867C60D437D8}.exe"	{4D02208A-CF78-4e39-BD93-48FB4E8B82CB}.exe

Deletes itself 1 IoCs

pid	Process
2464	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
3036	{74D85D0F-63F4-41b3-B44F-41845F4E8A75}.exe
2652	{AE2434B1-A37C-42b9-A496-C07D857AC967}.exe
2384	{8AE5322D-AF2F-4cdf-B8DF-533B62626AC2}.exe
2324	{B4877B8D-C713-4645-AC47-A1696A25EF31}.exe
792	{415FD666-D9AA-4bf6-950C-F9A0D97B764C}.exe
2672	{3EC33F2D-12D8-4ebe-86D2-7B59A05F5274}.exe
1800	{FCF26EE0-A152-4f3f-8442-3EBB5B4270C9}.exe
1964	{4D02208A-CF78-4e39-BD93-48FB4E8B82CB}.exe
1688	{734D18F8-8BCA-4cff-90E3-867C60D437D8}.exe
848	{53EA0EE1-0DDF-4d44-88CA-3ED516265675}.exe
1784	{B5EE3ACF-3CF2-412d-91C2-CBCF6A24ECB3}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{B4877B8D-C713-4645-AC47-A1696A25EF31}.exe	{8AE5322D-AF2F-4cdf-B8DF-533B62626AC2}.exe
File created	C:\Windows\{3EC33F2D-12D8-4ebe-86D2-7B59A05F5274}.exe	{415FD666-D9AA-4bf6-950C-F9A0D97B764C}.exe
File created	C:\Windows\{FCF26EE0-A152-4f3f-8442-3EBB5B4270C9}.exe	{3EC33F2D-12D8-4ebe-86D2-7B59A05F5274}.exe
File created	C:\Windows\{4D02208A-CF78-4e39-BD93-48FB4E8B82CB}.exe	{FCF26EE0-A152-4f3f-8442-3EBB5B4270C9}.exe
File created	C:\Windows\{734D18F8-8BCA-4cff-90E3-867C60D437D8}.exe	{4D02208A-CF78-4e39-BD93-48FB4E8B82CB}.exe
File created	C:\Windows\{53EA0EE1-0DDF-4d44-88CA-3ED516265675}.exe	{734D18F8-8BCA-4cff-90E3-867C60D437D8}.exe
File created	C:\Windows\{8AE5322D-AF2F-4cdf-B8DF-533B62626AC2}.exe	{AE2434B1-A37C-42b9-A496-C07D857AC967}.exe
File created	C:\Windows\{AE2434B1-A37C-42b9-A496-C07D857AC967}.exe	{74D85D0F-63F4-41b3-B44F-41845F4E8A75}.exe
File created	C:\Windows\{415FD666-D9AA-4bf6-950C-F9A0D97B764C}.exe	{B4877B8D-C713-4645-AC47-A1696A25EF31}.exe
File created	C:\Windows\{B5EE3ACF-3CF2-412d-91C2-CBCF6A24ECB3}.exe	{53EA0EE1-0DDF-4d44-88CA-3ED516265675}.exe
File created	C:\Windows\{74D85D0F-63F4-41b3-B44F-41845F4E8A75}.exe	2024-04-10_331b16c89cf7370e3416ad0841a779d1_goldeneye.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2660	2024-04-10_331b16c89cf7370e3416ad0841a779d1_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3036	{74D85D0F-63F4-41b3-B44F-41845F4E8A75}.exe
Token: SeIncBasePriorityPrivilege	2652	{AE2434B1-A37C-42b9-A496-C07D857AC967}.exe
Token: SeIncBasePriorityPrivilege	2384	{8AE5322D-AF2F-4cdf-B8DF-533B62626AC2}.exe
Token: SeIncBasePriorityPrivilege	2324	{B4877B8D-C713-4645-AC47-A1696A25EF31}.exe
Token: SeIncBasePriorityPrivilege	792	{415FD666-D9AA-4bf6-950C-F9A0D97B764C}.exe
Token: SeIncBasePriorityPrivilege	2672	{3EC33F2D-12D8-4ebe-86D2-7B59A05F5274}.exe
Token: SeIncBasePriorityPrivilege	1800	{FCF26EE0-A152-4f3f-8442-3EBB5B4270C9}.exe
Token: SeIncBasePriorityPrivilege	1964	{4D02208A-CF78-4e39-BD93-48FB4E8B82CB}.exe
Token: SeIncBasePriorityPrivilege	1688	{734D18F8-8BCA-4cff-90E3-867C60D437D8}.exe
Token: SeIncBasePriorityPrivilege	848	{53EA0EE1-0DDF-4d44-88CA-3ED516265675}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2660 wrote to memory of 3036	2660	2024-04-10_331b16c89cf7370e3416ad0841a779d1_goldeneye.exe	28
PID 2660 wrote to memory of 3036	2660	2024-04-10_331b16c89cf7370e3416ad0841a779d1_goldeneye.exe	28
PID 2660 wrote to memory of 3036	2660	2024-04-10_331b16c89cf7370e3416ad0841a779d1_goldeneye.exe	28
PID 2660 wrote to memory of 3036	2660	2024-04-10_331b16c89cf7370e3416ad0841a779d1_goldeneye.exe	28
PID 2660 wrote to memory of 2464	2660	2024-04-10_331b16c89cf7370e3416ad0841a779d1_goldeneye.exe	29
PID 2660 wrote to memory of 2464	2660	2024-04-10_331b16c89cf7370e3416ad0841a779d1_goldeneye.exe	29
PID 2660 wrote to memory of 2464	2660	2024-04-10_331b16c89cf7370e3416ad0841a779d1_goldeneye.exe	29
PID 2660 wrote to memory of 2464	2660	2024-04-10_331b16c89cf7370e3416ad0841a779d1_goldeneye.exe	29
PID 3036 wrote to memory of 2652	3036	{74D85D0F-63F4-41b3-B44F-41845F4E8A75}.exe	32
PID 3036 wrote to memory of 2652	3036	{74D85D0F-63F4-41b3-B44F-41845F4E8A75}.exe	32
PID 3036 wrote to memory of 2652	3036	{74D85D0F-63F4-41b3-B44F-41845F4E8A75}.exe	32
PID 3036 wrote to memory of 2652	3036	{74D85D0F-63F4-41b3-B44F-41845F4E8A75}.exe	32
PID 3036 wrote to memory of 2668	3036	{74D85D0F-63F4-41b3-B44F-41845F4E8A75}.exe	33
PID 3036 wrote to memory of 2668	3036	{74D85D0F-63F4-41b3-B44F-41845F4E8A75}.exe	33
PID 3036 wrote to memory of 2668	3036	{74D85D0F-63F4-41b3-B44F-41845F4E8A75}.exe	33
PID 3036 wrote to memory of 2668	3036	{74D85D0F-63F4-41b3-B44F-41845F4E8A75}.exe	33
PID 2652 wrote to memory of 2384	2652	{AE2434B1-A37C-42b9-A496-C07D857AC967}.exe	34
PID 2652 wrote to memory of 2384	2652	{AE2434B1-A37C-42b9-A496-C07D857AC967}.exe	34
PID 2652 wrote to memory of 2384	2652	{AE2434B1-A37C-42b9-A496-C07D857AC967}.exe	34
PID 2652 wrote to memory of 2384	2652	{AE2434B1-A37C-42b9-A496-C07D857AC967}.exe	34
PID 2652 wrote to memory of 2436	2652	{AE2434B1-A37C-42b9-A496-C07D857AC967}.exe	35
PID 2652 wrote to memory of 2436	2652	{AE2434B1-A37C-42b9-A496-C07D857AC967}.exe	35
PID 2652 wrote to memory of 2436	2652	{AE2434B1-A37C-42b9-A496-C07D857AC967}.exe	35
PID 2652 wrote to memory of 2436	2652	{AE2434B1-A37C-42b9-A496-C07D857AC967}.exe	35
PID 2384 wrote to memory of 2324	2384	{8AE5322D-AF2F-4cdf-B8DF-533B62626AC2}.exe	36
PID 2384 wrote to memory of 2324	2384	{8AE5322D-AF2F-4cdf-B8DF-533B62626AC2}.exe	36
PID 2384 wrote to memory of 2324	2384	{8AE5322D-AF2F-4cdf-B8DF-533B62626AC2}.exe	36
PID 2384 wrote to memory of 2324	2384	{8AE5322D-AF2F-4cdf-B8DF-533B62626AC2}.exe	36
PID 2384 wrote to memory of 1052	2384	{8AE5322D-AF2F-4cdf-B8DF-533B62626AC2}.exe	37
PID 2384 wrote to memory of 1052	2384	{8AE5322D-AF2F-4cdf-B8DF-533B62626AC2}.exe	37
PID 2384 wrote to memory of 1052	2384	{8AE5322D-AF2F-4cdf-B8DF-533B62626AC2}.exe	37
PID 2384 wrote to memory of 1052	2384	{8AE5322D-AF2F-4cdf-B8DF-533B62626AC2}.exe	37
PID 2324 wrote to memory of 792	2324	{B4877B8D-C713-4645-AC47-A1696A25EF31}.exe	38
PID 2324 wrote to memory of 792	2324	{B4877B8D-C713-4645-AC47-A1696A25EF31}.exe	38
PID 2324 wrote to memory of 792	2324	{B4877B8D-C713-4645-AC47-A1696A25EF31}.exe	38
PID 2324 wrote to memory of 792	2324	{B4877B8D-C713-4645-AC47-A1696A25EF31}.exe	38
PID 2324 wrote to memory of 1856	2324	{B4877B8D-C713-4645-AC47-A1696A25EF31}.exe	39
PID 2324 wrote to memory of 1856	2324	{B4877B8D-C713-4645-AC47-A1696A25EF31}.exe	39
PID 2324 wrote to memory of 1856	2324	{B4877B8D-C713-4645-AC47-A1696A25EF31}.exe	39
PID 2324 wrote to memory of 1856	2324	{B4877B8D-C713-4645-AC47-A1696A25EF31}.exe	39
PID 792 wrote to memory of 2672	792	{415FD666-D9AA-4bf6-950C-F9A0D97B764C}.exe	40
PID 792 wrote to memory of 2672	792	{415FD666-D9AA-4bf6-950C-F9A0D97B764C}.exe	40
PID 792 wrote to memory of 2672	792	{415FD666-D9AA-4bf6-950C-F9A0D97B764C}.exe	40
PID 792 wrote to memory of 2672	792	{415FD666-D9AA-4bf6-950C-F9A0D97B764C}.exe	40
PID 792 wrote to memory of 2696	792	{415FD666-D9AA-4bf6-950C-F9A0D97B764C}.exe	41
PID 792 wrote to memory of 2696	792	{415FD666-D9AA-4bf6-950C-F9A0D97B764C}.exe	41
PID 792 wrote to memory of 2696	792	{415FD666-D9AA-4bf6-950C-F9A0D97B764C}.exe	41
PID 792 wrote to memory of 2696	792	{415FD666-D9AA-4bf6-950C-F9A0D97B764C}.exe	41
PID 2672 wrote to memory of 1800	2672	{3EC33F2D-12D8-4ebe-86D2-7B59A05F5274}.exe	42
PID 2672 wrote to memory of 1800	2672	{3EC33F2D-12D8-4ebe-86D2-7B59A05F5274}.exe	42
PID 2672 wrote to memory of 1800	2672	{3EC33F2D-12D8-4ebe-86D2-7B59A05F5274}.exe	42
PID 2672 wrote to memory of 1800	2672	{3EC33F2D-12D8-4ebe-86D2-7B59A05F5274}.exe	42
PID 2672 wrote to memory of 1944	2672	{3EC33F2D-12D8-4ebe-86D2-7B59A05F5274}.exe	43
PID 2672 wrote to memory of 1944	2672	{3EC33F2D-12D8-4ebe-86D2-7B59A05F5274}.exe	43
PID 2672 wrote to memory of 1944	2672	{3EC33F2D-12D8-4ebe-86D2-7B59A05F5274}.exe	43
PID 2672 wrote to memory of 1944	2672	{3EC33F2D-12D8-4ebe-86D2-7B59A05F5274}.exe	43
PID 1800 wrote to memory of 1964	1800	{FCF26EE0-A152-4f3f-8442-3EBB5B4270C9}.exe	44
PID 1800 wrote to memory of 1964	1800	{FCF26EE0-A152-4f3f-8442-3EBB5B4270C9}.exe	44
PID 1800 wrote to memory of 1964	1800	{FCF26EE0-A152-4f3f-8442-3EBB5B4270C9}.exe	44
PID 1800 wrote to memory of 1964	1800	{FCF26EE0-A152-4f3f-8442-3EBB5B4270C9}.exe	44
PID 1800 wrote to memory of 2896	1800	{FCF26EE0-A152-4f3f-8442-3EBB5B4270C9}.exe	45
PID 1800 wrote to memory of 2896	1800	{FCF26EE0-A152-4f3f-8442-3EBB5B4270C9}.exe	45
PID 1800 wrote to memory of 2896	1800	{FCF26EE0-A152-4f3f-8442-3EBB5B4270C9}.exe	45
PID 1800 wrote to memory of 2896	1800	{FCF26EE0-A152-4f3f-8442-3EBB5B4270C9}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-04-10_331b16c89cf7370e3416ad0841a779d1_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-10_331b16c89cf7370e3416ad0841a779d1_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2660
- C:\Windows\{74D85D0F-63F4-41b3-B44F-41845F4E8A75}.exe
  C:\Windows\{74D85D0F-63F4-41b3-B44F-41845F4E8A75}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3036
- - C:\Windows\{AE2434B1-A37C-42b9-A496-C07D857AC967}.exe
    C:\Windows\{AE2434B1-A37C-42b9-A496-C07D857AC967}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2652
  - - C:\Windows\{8AE5322D-AF2F-4cdf-B8DF-533B62626AC2}.exe
      C:\Windows\{8AE5322D-AF2F-4cdf-B8DF-533B62626AC2}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2384
    - - C:\Windows\{B4877B8D-C713-4645-AC47-A1696A25EF31}.exe
        
        C:\Windows\{B4877B8D-C713-4645-AC47-A1696A25EF31}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2324
      - C:\Windows\{415FD666-D9AA-4bf6-950C-F9A0D97B764C}.exe
        
        C:\Windows\{415FD666-D9AA-4bf6-950C-F9A0D97B764C}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:792
        
        C:\Windows\{3EC33F2D-12D8-4ebe-86D2-7B59A05F5274}.exe
        
        C:\Windows\{3EC33F2D-12D8-4ebe-86D2-7B59A05F5274}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2672
        
        C:\Windows\{FCF26EE0-A152-4f3f-8442-3EBB5B4270C9}.exe
        
        C:\Windows\{FCF26EE0-A152-4f3f-8442-3EBB5B4270C9}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1800
        
        C:\Windows\{4D02208A-CF78-4e39-BD93-48FB4E8B82CB}.exe
        
        C:\Windows\{4D02208A-CF78-4e39-BD93-48FB4E8B82CB}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1964
        
        C:\Windows\{734D18F8-8BCA-4cff-90E3-867C60D437D8}.exe
        
        C:\Windows\{734D18F8-8BCA-4cff-90E3-867C60D437D8}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1688
        
        C:\Windows\{53EA0EE1-0DDF-4d44-88CA-3ED516265675}.exe
        
        C:\Windows\{53EA0EE1-0DDF-4d44-88CA-3ED516265675}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:848
        
        C:\Windows\{B5EE3ACF-3CF2-412d-91C2-CBCF6A24ECB3}.exe
        
        C:\Windows\{B5EE3ACF-3CF2-412d-91C2-CBCF6A24ECB3}.exe
        12⤵
        Executes dropped EXE
        
        PID:1784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{53EA0~1.EXE > nul
        12⤵
        
        PID:524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{734D1~1.EXE > nul
        11⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4D022~1.EXE > nul
        10⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FCF26~1.EXE > nul
        9⤵
        
        PID:2896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3EC33~1.EXE > nul
        8⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{415FD~1.EXE > nul
        7⤵
        
        PID:2696
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B4877~1.EXE > nul
        6⤵
        
        PID:1856
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8AE53~1.EXE > nul
        5⤵
        
        PID:1052
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{AE243~1.EXE > nul
      4⤵
      PID:2436
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{74D85~1.EXE > nul
    3⤵
    PID:2668
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{3EC33F2D-12D8-4ebe-86D2-7B59A05F5274}.exe

Filesize
408KB

MD5
4e7b789533a70e0907b99e692fb99ea0

SHA1
2b655d44a7ac9d42a2203a8595a109150c1488ac

SHA256
c2f563d8df4e0b7ff6688a45f75900f4cf35ff12631221b159a234de81ddeb93

SHA512
71940a6b8e692b48b74bc295c63854ba22af18ed5e82349a4babd53b34060ce4613cbbfe4f5b96a29ca183c6662e83dd247fbd683290da5151850e90839f9a8d

Download Submit
C:\Windows\{415FD666-D9AA-4bf6-950C-F9A0D97B764C}.exe

Filesize
408KB

MD5
281935b636fea387691e3a7b42c5ed3c

SHA1
af01f9aa6c10bb5c7da57084b36430aa3c75aacc

SHA256
214812bbfef1752c57bf79995796f0827d59a0a4573c0c7a6e826b956cb7c685

SHA512
97eb7753384c5983ba507456ffd6851206c8d067831028f685cdaecf3a0ab76a0fb839a2141475ae51270fe98f18ab79b2c2b32964d991b12b086a7beee3a42e

Download Submit
C:\Windows\{4D02208A-CF78-4e39-BD93-48FB4E8B82CB}.exe

Filesize
408KB

MD5
c2e537c1ddcd0dc5c03269e4093af76c

SHA1
8334de24f121c09395abe1117f89c141eca6913a

SHA256
329fb93aca3681565876c6b820695b9c4b1f5e6e7b19140d4afae6a00d738a06

SHA512
25ad3c0d8b603fdd5efb6c782bf3a680b7dd4d5df4c372e5c2ffbe870c2b9bc24af6846ee3b52a9945af656580473c76763ff614013b5413417f747167815439

Download Submit
C:\Windows\{53EA0EE1-0DDF-4d44-88CA-3ED516265675}.exe

Filesize
408KB

MD5
cf523580ca5e2143a1a21b275afd77c3

SHA1
709ffb2a11fecd213ffbdae9fb8494cda4f39762

SHA256
bb19c15ab13181e6131bc39bb21ef30cf93f3a14599650f5bcc0c74db4c7254f

SHA512
03b5ecd99cbacf5de7eb2b0474222db6545aaee7574f72f45fb069ac482981980259309e7106ec4d3f1054638fdd452170cea5b2b49a3524a769b7485379c172

Download Submit
C:\Windows\{734D18F8-8BCA-4cff-90E3-867C60D437D8}.exe

Filesize
408KB

MD5
bf48ecee08e784932637e2198b2c9400

SHA1
29e3e8b5c8c6cb1af1bda49f47f71cdc84b130bf

SHA256
dfb1d2dec05d0cc99155c3b13d7e3ce005b68e95f3e700ff683453db20d4e706

SHA512
56974d01cad5ee5d81c70379a5547aa30f701a9324e221862300906a027ec8a7989112b447c3f45fa6db0302bc02621940ff179fd429f7b558458d1fefa6b912

Download Submit
C:\Windows\{74D85D0F-63F4-41b3-B44F-41845F4E8A75}.exe

Filesize
408KB

MD5
be0d59b042f4a659fa12435ca71c9025

SHA1
fca1fc627088e11c93e5b88c5bc9fbd71d6a9511

SHA256
65ea7f2d7babfb838f9b93131617315a410466cab1e87362627200cfc28f2b0e

SHA512
4e7a103023b8559f16e312f1c55b389f755744328a92a7156dbba18a7c30553bb70f3a8396d992a46a39e91330476c0626222618818a706e2adb4aac4ea30813

Download Submit
C:\Windows\{8AE5322D-AF2F-4cdf-B8DF-533B62626AC2}.exe

Filesize
408KB

MD5
26cc96c7ef33b866d246f13990d7e081

SHA1
1675cb6a8680c8cfeec91f6633a70be6c04e6f9d

SHA256
6f97314e79f1a45f2548b45e2c87e2f58c00da80ea8ec26560679149bb6c2fe8

SHA512
a296c69e87f86280c7616efe056a19ea4b8a50fd6ed3030ccb753e85144b68e552ab0ef16a84cfd6e5e7d1ed77f10cdc325bde5a182fb17397478c11bcfd3bbf

Download Submit
C:\Windows\{AE2434B1-A37C-42b9-A496-C07D857AC967}.exe

Filesize
408KB

MD5
516826886ef7a235eb078737ba9232d0

SHA1
c08b82034e886e519803708c97ca46164ccba87d

SHA256
1a238e6c57c061878028f844f9ad438fa06f84a7a337989d412d89179c3614e6

SHA512
f6485c24606fa3d387855b5a66d021809b732db5c33311b1c33308273b4565f571cb150b6e9da9a540397d412dc68c1179c5df9c12ee1a997142b4e293c5a473

Download Submit
C:\Windows\{B4877B8D-C713-4645-AC47-A1696A25EF31}.exe

Filesize
408KB

MD5
ea51ee70f366a860b17ae0f9502eb423

SHA1
8a9e8cd25eb1ceede7b31544d69920bc720b3973

SHA256
9527760a3dda33f8c0e2268f89c10283818971bdbc20adea797aca50803f6fed

SHA512
bde643dbbe1683429fd0eacea2d4eda23bf5778d86fc021f8d37cb4afe8d9947e6e0176e21d94efcd3f42bc6cffb567e71120b7c066463fe09f9d264c4e5921b

Download Submit
C:\Windows\{B5EE3ACF-3CF2-412d-91C2-CBCF6A24ECB3}.exe

Filesize
408KB

MD5
02799173ebbaa41a055a54f81ed62f0c

SHA1
93e696ff897a4d0cc68f63ab4f628529542c95f5

SHA256
cf7f3c7b4bb83d0b058c18bb4b1bfe96ca4af559179316ca181ad1ca3a9c02b9

SHA512
ff7a2e00b74ce0de81e6c21de60d470d87637a881def73907dbd1e35ee1d1e3d925d2ed83fdba86aaa3b54772d04cfb6e2f10793b4e9bc9bda2e55f899ef8906

Download Submit
C:\Windows\{FCF26EE0-A152-4f3f-8442-3EBB5B4270C9}.exe

Filesize
408KB

MD5
31a11390d8faad2743d7a70061844522

SHA1
5b762acf993588106cf87da4cace42b808d47635

SHA256
642c991833b56c7f5671f5c77d6a15249a40db13cf4f45efef1b669d5da367f4

SHA512
812c843863cfb6c45aa5a66307150ce5bd04ec93cd87e7726f8b4a950fb8336e074c882ddbac004ea4fd09acf1091f5c310919776c6bf0d4c8e685e04bf6c30c

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads