27a046695194353d345f23d2d58e42a27f2f752ae316aea551ba30b04e0d03e7

Analysis

max time kernel
144s
max time network
118s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
11/04/2024, 01:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-11_33c3af8588d4ecfb24129b8b8bc34862_goldeneye.exe
Size

180KB
MD5

33c3af8588d4ecfb24129b8b8bc34862
SHA1

0e4c5a14010cf2c04e6fd6f3b0fa6240d88ab7b2
SHA256

27a046695194353d345f23d2d58e42a27f2f752ae316aea551ba30b04e0d03e7
SHA512

ad3a7775bf3ee3b0e9e97f5dd3b1ba10cf98eae59f751f14026f639fb807eb5bf42115de811e90487e4aff45dacddda03a6cf4e718e89f060f459230393b1189
SSDEEP

3072:jEGh0o9lfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGTl5eKcAEc

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000b000000012256-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000012671-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000012256-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000012256-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e000000012256-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f000000012256-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0010000000012256-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{211C055A-6BF2-4687-A734-7902CDAC4456}	{EDB7957D-A78E-4bbc-9BC6-20BA098E91DF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EAF06698-9645-4a76-987B-04C4D1DD5F55}	{01CC4037-D5F3-45f9-8A5D-F433082505C7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C987FA66-8595-445a-A638-BE4C2506E110}\stubpath = "C:\\Windows\\{C987FA66-8595-445a-A638-BE4C2506E110}.exe"	{EAF06698-9645-4a76-987B-04C4D1DD5F55}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{97A51A10-348E-4f36-A366-87CA183A4E5E}	{0A629214-D254-454f-B87D-AAB735545291}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3AE67494-39F3-4887-9A22-EE9600791619}\stubpath = "C:\\Windows\\{3AE67494-39F3-4887-9A22-EE9600791619}.exe"	{937F8218-ED38-4bef-A28B-E934C1D01926}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C54824F2-EE32-4164-BDBF-DBCA6F079138}	2024-04-11_33c3af8588d4ecfb24129b8b8bc34862_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C987FA66-8595-445a-A638-BE4C2506E110}	{EAF06698-9645-4a76-987B-04C4D1DD5F55}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AF712EC1-8E5F-4dae-A9E3-75F3399B1BDA}\stubpath = "C:\\Windows\\{AF712EC1-8E5F-4dae-A9E3-75F3399B1BDA}.exe"	{C987FA66-8595-445a-A638-BE4C2506E110}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C54824F2-EE32-4164-BDBF-DBCA6F079138}\stubpath = "C:\\Windows\\{C54824F2-EE32-4164-BDBF-DBCA6F079138}.exe"	2024-04-11_33c3af8588d4ecfb24129b8b8bc34862_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EDB7957D-A78E-4bbc-9BC6-20BA098E91DF}\stubpath = "C:\\Windows\\{EDB7957D-A78E-4bbc-9BC6-20BA098E91DF}.exe"	{C54824F2-EE32-4164-BDBF-DBCA6F079138}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EAF06698-9645-4a76-987B-04C4D1DD5F55}\stubpath = "C:\\Windows\\{EAF06698-9645-4a76-987B-04C4D1DD5F55}.exe"	{01CC4037-D5F3-45f9-8A5D-F433082505C7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AF712EC1-8E5F-4dae-A9E3-75F3399B1BDA}	{C987FA66-8595-445a-A638-BE4C2506E110}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{937F8218-ED38-4bef-A28B-E934C1D01926}\stubpath = "C:\\Windows\\{937F8218-ED38-4bef-A28B-E934C1D01926}.exe"	{97A51A10-348E-4f36-A366-87CA183A4E5E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3AE67494-39F3-4887-9A22-EE9600791619}	{937F8218-ED38-4bef-A28B-E934C1D01926}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{937F8218-ED38-4bef-A28B-E934C1D01926}	{97A51A10-348E-4f36-A366-87CA183A4E5E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EDB7957D-A78E-4bbc-9BC6-20BA098E91DF}	{C54824F2-EE32-4164-BDBF-DBCA6F079138}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{211C055A-6BF2-4687-A734-7902CDAC4456}\stubpath = "C:\\Windows\\{211C055A-6BF2-4687-A734-7902CDAC4456}.exe"	{EDB7957D-A78E-4bbc-9BC6-20BA098E91DF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{01CC4037-D5F3-45f9-8A5D-F433082505C7}	{211C055A-6BF2-4687-A734-7902CDAC4456}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{01CC4037-D5F3-45f9-8A5D-F433082505C7}\stubpath = "C:\\Windows\\{01CC4037-D5F3-45f9-8A5D-F433082505C7}.exe"	{211C055A-6BF2-4687-A734-7902CDAC4456}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0A629214-D254-454f-B87D-AAB735545291}	{AF712EC1-8E5F-4dae-A9E3-75F3399B1BDA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0A629214-D254-454f-B87D-AAB735545291}\stubpath = "C:\\Windows\\{0A629214-D254-454f-B87D-AAB735545291}.exe"	{AF712EC1-8E5F-4dae-A9E3-75F3399B1BDA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{97A51A10-348E-4f36-A366-87CA183A4E5E}\stubpath = "C:\\Windows\\{97A51A10-348E-4f36-A366-87CA183A4E5E}.exe"	{0A629214-D254-454f-B87D-AAB735545291}.exe

Deletes itself 1 IoCs

pid	Process
2608	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2340	{C54824F2-EE32-4164-BDBF-DBCA6F079138}.exe
2624	{EDB7957D-A78E-4bbc-9BC6-20BA098E91DF}.exe
2692	{211C055A-6BF2-4687-A734-7902CDAC4456}.exe
2120	{01CC4037-D5F3-45f9-8A5D-F433082505C7}.exe
2696	{EAF06698-9645-4a76-987B-04C4D1DD5F55}.exe
2904	{C987FA66-8595-445a-A638-BE4C2506E110}.exe
2020	{AF712EC1-8E5F-4dae-A9E3-75F3399B1BDA}.exe
1644	{0A629214-D254-454f-B87D-AAB735545291}.exe
2908	{97A51A10-348E-4f36-A366-87CA183A4E5E}.exe
1420	{937F8218-ED38-4bef-A28B-E934C1D01926}.exe
2780	{3AE67494-39F3-4887-9A22-EE9600791619}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{211C055A-6BF2-4687-A734-7902CDAC4456}.exe	{EDB7957D-A78E-4bbc-9BC6-20BA098E91DF}.exe
File created	C:\Windows\{01CC4037-D5F3-45f9-8A5D-F433082505C7}.exe	{211C055A-6BF2-4687-A734-7902CDAC4456}.exe
File created	C:\Windows\{AF712EC1-8E5F-4dae-A9E3-75F3399B1BDA}.exe	{C987FA66-8595-445a-A638-BE4C2506E110}.exe
File created	C:\Windows\{0A629214-D254-454f-B87D-AAB735545291}.exe	{AF712EC1-8E5F-4dae-A9E3-75F3399B1BDA}.exe
File created	C:\Windows\{937F8218-ED38-4bef-A28B-E934C1D01926}.exe	{97A51A10-348E-4f36-A366-87CA183A4E5E}.exe
File created	C:\Windows\{3AE67494-39F3-4887-9A22-EE9600791619}.exe	{937F8218-ED38-4bef-A28B-E934C1D01926}.exe
File created	C:\Windows\{C54824F2-EE32-4164-BDBF-DBCA6F079138}.exe	2024-04-11_33c3af8588d4ecfb24129b8b8bc34862_goldeneye.exe
File created	C:\Windows\{EDB7957D-A78E-4bbc-9BC6-20BA098E91DF}.exe	{C54824F2-EE32-4164-BDBF-DBCA6F079138}.exe
File created	C:\Windows\{97A51A10-348E-4f36-A366-87CA183A4E5E}.exe	{0A629214-D254-454f-B87D-AAB735545291}.exe
File created	C:\Windows\{EAF06698-9645-4a76-987B-04C4D1DD5F55}.exe	{01CC4037-D5F3-45f9-8A5D-F433082505C7}.exe
File created	C:\Windows\{C987FA66-8595-445a-A638-BE4C2506E110}.exe	{EAF06698-9645-4a76-987B-04C4D1DD5F55}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1460	2024-04-11_33c3af8588d4ecfb24129b8b8bc34862_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2340	{C54824F2-EE32-4164-BDBF-DBCA6F079138}.exe
Token: SeIncBasePriorityPrivilege	2624	{EDB7957D-A78E-4bbc-9BC6-20BA098E91DF}.exe
Token: SeIncBasePriorityPrivilege	2692	{211C055A-6BF2-4687-A734-7902CDAC4456}.exe
Token: SeIncBasePriorityPrivilege	2120	{01CC4037-D5F3-45f9-8A5D-F433082505C7}.exe
Token: SeIncBasePriorityPrivilege	2696	{EAF06698-9645-4a76-987B-04C4D1DD5F55}.exe
Token: SeIncBasePriorityPrivilege	2904	{C987FA66-8595-445a-A638-BE4C2506E110}.exe
Token: SeIncBasePriorityPrivilege	2020	{AF712EC1-8E5F-4dae-A9E3-75F3399B1BDA}.exe
Token: SeIncBasePriorityPrivilege	1644	{0A629214-D254-454f-B87D-AAB735545291}.exe
Token: SeIncBasePriorityPrivilege	2908	{97A51A10-348E-4f36-A366-87CA183A4E5E}.exe
Token: SeIncBasePriorityPrivilege	1420	{937F8218-ED38-4bef-A28B-E934C1D01926}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1460 wrote to memory of 2340	1460	2024-04-11_33c3af8588d4ecfb24129b8b8bc34862_goldeneye.exe	28
PID 1460 wrote to memory of 2340	1460	2024-04-11_33c3af8588d4ecfb24129b8b8bc34862_goldeneye.exe	28
PID 1460 wrote to memory of 2340	1460	2024-04-11_33c3af8588d4ecfb24129b8b8bc34862_goldeneye.exe	28
PID 1460 wrote to memory of 2340	1460	2024-04-11_33c3af8588d4ecfb24129b8b8bc34862_goldeneye.exe	28
PID 1460 wrote to memory of 2608	1460	2024-04-11_33c3af8588d4ecfb24129b8b8bc34862_goldeneye.exe	29
PID 1460 wrote to memory of 2608	1460	2024-04-11_33c3af8588d4ecfb24129b8b8bc34862_goldeneye.exe	29
PID 1460 wrote to memory of 2608	1460	2024-04-11_33c3af8588d4ecfb24129b8b8bc34862_goldeneye.exe	29
PID 1460 wrote to memory of 2608	1460	2024-04-11_33c3af8588d4ecfb24129b8b8bc34862_goldeneye.exe	29
PID 2340 wrote to memory of 2624	2340	{C54824F2-EE32-4164-BDBF-DBCA6F079138}.exe	30
PID 2340 wrote to memory of 2624	2340	{C54824F2-EE32-4164-BDBF-DBCA6F079138}.exe	30
PID 2340 wrote to memory of 2624	2340	{C54824F2-EE32-4164-BDBF-DBCA6F079138}.exe	30
PID 2340 wrote to memory of 2624	2340	{C54824F2-EE32-4164-BDBF-DBCA6F079138}.exe	30
PID 2340 wrote to memory of 2784	2340	{C54824F2-EE32-4164-BDBF-DBCA6F079138}.exe	31
PID 2340 wrote to memory of 2784	2340	{C54824F2-EE32-4164-BDBF-DBCA6F079138}.exe	31
PID 2340 wrote to memory of 2784	2340	{C54824F2-EE32-4164-BDBF-DBCA6F079138}.exe	31
PID 2340 wrote to memory of 2784	2340	{C54824F2-EE32-4164-BDBF-DBCA6F079138}.exe	31
PID 2624 wrote to memory of 2692	2624	{EDB7957D-A78E-4bbc-9BC6-20BA098E91DF}.exe	32
PID 2624 wrote to memory of 2692	2624	{EDB7957D-A78E-4bbc-9BC6-20BA098E91DF}.exe	32
PID 2624 wrote to memory of 2692	2624	{EDB7957D-A78E-4bbc-9BC6-20BA098E91DF}.exe	32
PID 2624 wrote to memory of 2692	2624	{EDB7957D-A78E-4bbc-9BC6-20BA098E91DF}.exe	32
PID 2624 wrote to memory of 2712	2624	{EDB7957D-A78E-4bbc-9BC6-20BA098E91DF}.exe	33
PID 2624 wrote to memory of 2712	2624	{EDB7957D-A78E-4bbc-9BC6-20BA098E91DF}.exe	33
PID 2624 wrote to memory of 2712	2624	{EDB7957D-A78E-4bbc-9BC6-20BA098E91DF}.exe	33
PID 2624 wrote to memory of 2712	2624	{EDB7957D-A78E-4bbc-9BC6-20BA098E91DF}.exe	33
PID 2692 wrote to memory of 2120	2692	{211C055A-6BF2-4687-A734-7902CDAC4456}.exe	36
PID 2692 wrote to memory of 2120	2692	{211C055A-6BF2-4687-A734-7902CDAC4456}.exe	36
PID 2692 wrote to memory of 2120	2692	{211C055A-6BF2-4687-A734-7902CDAC4456}.exe	36
PID 2692 wrote to memory of 2120	2692	{211C055A-6BF2-4687-A734-7902CDAC4456}.exe	36
PID 2692 wrote to memory of 2592	2692	{211C055A-6BF2-4687-A734-7902CDAC4456}.exe	37
PID 2692 wrote to memory of 2592	2692	{211C055A-6BF2-4687-A734-7902CDAC4456}.exe	37
PID 2692 wrote to memory of 2592	2692	{211C055A-6BF2-4687-A734-7902CDAC4456}.exe	37
PID 2692 wrote to memory of 2592	2692	{211C055A-6BF2-4687-A734-7902CDAC4456}.exe	37
PID 2120 wrote to memory of 2696	2120	{01CC4037-D5F3-45f9-8A5D-F433082505C7}.exe	38
PID 2120 wrote to memory of 2696	2120	{01CC4037-D5F3-45f9-8A5D-F433082505C7}.exe	38
PID 2120 wrote to memory of 2696	2120	{01CC4037-D5F3-45f9-8A5D-F433082505C7}.exe	38
PID 2120 wrote to memory of 2696	2120	{01CC4037-D5F3-45f9-8A5D-F433082505C7}.exe	38
PID 2120 wrote to memory of 2752	2120	{01CC4037-D5F3-45f9-8A5D-F433082505C7}.exe	39
PID 2120 wrote to memory of 2752	2120	{01CC4037-D5F3-45f9-8A5D-F433082505C7}.exe	39
PID 2120 wrote to memory of 2752	2120	{01CC4037-D5F3-45f9-8A5D-F433082505C7}.exe	39
PID 2120 wrote to memory of 2752	2120	{01CC4037-D5F3-45f9-8A5D-F433082505C7}.exe	39
PID 2696 wrote to memory of 2904	2696	{EAF06698-9645-4a76-987B-04C4D1DD5F55}.exe	40
PID 2696 wrote to memory of 2904	2696	{EAF06698-9645-4a76-987B-04C4D1DD5F55}.exe	40
PID 2696 wrote to memory of 2904	2696	{EAF06698-9645-4a76-987B-04C4D1DD5F55}.exe	40
PID 2696 wrote to memory of 2904	2696	{EAF06698-9645-4a76-987B-04C4D1DD5F55}.exe	40
PID 2696 wrote to memory of 2328	2696	{EAF06698-9645-4a76-987B-04C4D1DD5F55}.exe	41
PID 2696 wrote to memory of 2328	2696	{EAF06698-9645-4a76-987B-04C4D1DD5F55}.exe	41
PID 2696 wrote to memory of 2328	2696	{EAF06698-9645-4a76-987B-04C4D1DD5F55}.exe	41
PID 2696 wrote to memory of 2328	2696	{EAF06698-9645-4a76-987B-04C4D1DD5F55}.exe	41
PID 2904 wrote to memory of 2020	2904	{C987FA66-8595-445a-A638-BE4C2506E110}.exe	42
PID 2904 wrote to memory of 2020	2904	{C987FA66-8595-445a-A638-BE4C2506E110}.exe	42
PID 2904 wrote to memory of 2020	2904	{C987FA66-8595-445a-A638-BE4C2506E110}.exe	42
PID 2904 wrote to memory of 2020	2904	{C987FA66-8595-445a-A638-BE4C2506E110}.exe	42
PID 2904 wrote to memory of 1220	2904	{C987FA66-8595-445a-A638-BE4C2506E110}.exe	43
PID 2904 wrote to memory of 1220	2904	{C987FA66-8595-445a-A638-BE4C2506E110}.exe	43
PID 2904 wrote to memory of 1220	2904	{C987FA66-8595-445a-A638-BE4C2506E110}.exe	43
PID 2904 wrote to memory of 1220	2904	{C987FA66-8595-445a-A638-BE4C2506E110}.exe	43
PID 2020 wrote to memory of 1644	2020	{AF712EC1-8E5F-4dae-A9E3-75F3399B1BDA}.exe	44
PID 2020 wrote to memory of 1644	2020	{AF712EC1-8E5F-4dae-A9E3-75F3399B1BDA}.exe	44
PID 2020 wrote to memory of 1644	2020	{AF712EC1-8E5F-4dae-A9E3-75F3399B1BDA}.exe	44
PID 2020 wrote to memory of 1644	2020	{AF712EC1-8E5F-4dae-A9E3-75F3399B1BDA}.exe	44
PID 2020 wrote to memory of 540	2020	{AF712EC1-8E5F-4dae-A9E3-75F3399B1BDA}.exe	45
PID 2020 wrote to memory of 540	2020	{AF712EC1-8E5F-4dae-A9E3-75F3399B1BDA}.exe	45
PID 2020 wrote to memory of 540	2020	{AF712EC1-8E5F-4dae-A9E3-75F3399B1BDA}.exe	45
PID 2020 wrote to memory of 540	2020	{AF712EC1-8E5F-4dae-A9E3-75F3399B1BDA}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-04-11_33c3af8588d4ecfb24129b8b8bc34862_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-11_33c3af8588d4ecfb24129b8b8bc34862_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1460
- C:\Windows\{C54824F2-EE32-4164-BDBF-DBCA6F079138}.exe
  C:\Windows\{C54824F2-EE32-4164-BDBF-DBCA6F079138}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2340
- - C:\Windows\{EDB7957D-A78E-4bbc-9BC6-20BA098E91DF}.exe
    C:\Windows\{EDB7957D-A78E-4bbc-9BC6-20BA098E91DF}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2624
  - - C:\Windows\{211C055A-6BF2-4687-A734-7902CDAC4456}.exe
      C:\Windows\{211C055A-6BF2-4687-A734-7902CDAC4456}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2692
    - - C:\Windows\{01CC4037-D5F3-45f9-8A5D-F433082505C7}.exe
        
        C:\Windows\{01CC4037-D5F3-45f9-8A5D-F433082505C7}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2120
      - C:\Windows\{EAF06698-9645-4a76-987B-04C4D1DD5F55}.exe
        
        C:\Windows\{EAF06698-9645-4a76-987B-04C4D1DD5F55}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2696
        
        C:\Windows\{C987FA66-8595-445a-A638-BE4C2506E110}.exe
        
        C:\Windows\{C987FA66-8595-445a-A638-BE4C2506E110}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2904
        
        C:\Windows\{AF712EC1-8E5F-4dae-A9E3-75F3399B1BDA}.exe
        
        C:\Windows\{AF712EC1-8E5F-4dae-A9E3-75F3399B1BDA}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2020
        
        C:\Windows\{0A629214-D254-454f-B87D-AAB735545291}.exe
        
        C:\Windows\{0A629214-D254-454f-B87D-AAB735545291}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1644
        
        C:\Windows\{97A51A10-348E-4f36-A366-87CA183A4E5E}.exe
        
        C:\Windows\{97A51A10-348E-4f36-A366-87CA183A4E5E}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2908
        
        C:\Windows\{937F8218-ED38-4bef-A28B-E934C1D01926}.exe
        
        C:\Windows\{937F8218-ED38-4bef-A28B-E934C1D01926}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1420
        
        C:\Windows\{3AE67494-39F3-4887-9A22-EE9600791619}.exe
        
        C:\Windows\{3AE67494-39F3-4887-9A22-EE9600791619}.exe
        12⤵
        Executes dropped EXE
        
        PID:2780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{937F8~1.EXE > nul
        12⤵
        
        PID:2396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{97A51~1.EXE > nul
        11⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0A629~1.EXE > nul
        10⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AF712~1.EXE > nul
        9⤵
        
        PID:540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C987F~1.EXE > nul
        8⤵
        
        PID:1220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EAF06~1.EXE > nul
        7⤵
        
        PID:2328
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{01CC4~1.EXE > nul
        6⤵
        
        PID:2752
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{211C0~1.EXE > nul
        5⤵
        
        PID:2592
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{EDB79~1.EXE > nul
      4⤵
      PID:2712
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{C5482~1.EXE > nul
    3⤵
    PID:2784
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{01CC4037-D5F3-45f9-8A5D-F433082505C7}.exe

Filesize
180KB

MD5
56c2a7ca7d72131609f101cb9b34ac4e

SHA1
402cfb75dc5629a6a030bf99d55698a7000603db

SHA256
c6e34dd38e4aae862c85b0d4fec2419ad913beae7f01cb8b9dc760a18e493ead

SHA512
57aa6e5e06c8ef5e1418d2fc4b2aaedc1c6051875339b32188ae85a03cc141ba4bf99eac2d9b0894a207213235ae8b3cb1400e210401e0f6f659e1c5be3ec1fa

Download Submit
C:\Windows\{0A629214-D254-454f-B87D-AAB735545291}.exe

Filesize
180KB

MD5
5b344713413e45df3ac37a39431a2525

SHA1
cc8f81a127891f943e3050f92416d511ba332546

SHA256
92ff6c8c3f5b92da59133d0c2b1603cc0fb53fb13de701075a70473c6f89a23e

SHA512
7b5adca3c9e90293013aaea49336826460e5b47ff9667d8c74687562134bbccd559aea6caebf535cb6dad31b1a0e951f3f37e471c9843e6b6cc066408b13687b

Download Submit
C:\Windows\{211C055A-6BF2-4687-A734-7902CDAC4456}.exe

Filesize
180KB

MD5
1590d8559d7e00548766082d9c382789

SHA1
b35ed33da9a4d3e6e93b6383c5cbd177770931c2

SHA256
8978aeb962473a935d0437f53104c6298f248067a77526baa7f4aba0760a57fa

SHA512
bd41024ef12bb6296b04b34000a9e482458567fbb4750782bbe2ab22eb72f5ddb45e37f53e6cb496d5ae6ff56241bb8886902e04770423b5fdcb656a47f308e9

Download Submit
C:\Windows\{3AE67494-39F3-4887-9A22-EE9600791619}.exe

Filesize
180KB

MD5
98ce870db1a86b451da6a9dbbd659f92

SHA1
624776504c5dc9d194d82d610c23f60803b0afd3

SHA256
3db5ea8fcba15ee88efba538fb29041d3ba73c4ce24d0d3e317d681e78019dcc

SHA512
55af720c3ee980d470b761c216138b26959d3bc81dc3de31061e0387a17a0d5db7b6036bebb8f7da92b96d5a5ab3416d0e513f9b76608b91bb074c6d03607289

Download Submit
C:\Windows\{937F8218-ED38-4bef-A28B-E934C1D01926}.exe

Filesize
180KB

MD5
02f8fe7d9616c27853f4f6bda5630731

SHA1
c361a8c547be97168b2ee46731221cccf4baa212

SHA256
b365cd0dc5f244dd1f0a67657a487a4fce1af6c73ab699b355c6ac84755e0587

SHA512
4abe9739a43c87ce653d7eb7e146bd9f128bb5b2f75f7cb7c610e1cb93922c4588977d6bf0d47224ad07e6e56ec32e4e057f3591a5a2201e73a7546515f3b7d2

Download Submit
C:\Windows\{97A51A10-348E-4f36-A366-87CA183A4E5E}.exe

Filesize
180KB

MD5
d27d6048fea92a8cad4c30c7fc8c8916

SHA1
605049e12c3af5e329a7730b912d175c644f7eeb

SHA256
0d5e3da98962c73df086471a074bbb42237e931f531d7d0e3db0fe13bc6c6ad3

SHA512
8a96779bfd08eb69bb117cb2d494c411008bfb78cd77032e950405cab57cc30c7b00f7fa82c05f88021497940db3ce09db6af7c2e4d9b1520da1adfa83dceb06

Download Submit
C:\Windows\{AF712EC1-8E5F-4dae-A9E3-75F3399B1BDA}.exe

Filesize
180KB

MD5
037974b879142f4193c64fcc3ac49d8c

SHA1
bec46a9c564cb37ef24d838691a15836c943f906

SHA256
97d4d1d560951071865825b7a9b5f8d6f401c2fe437f67914c8e32bc06610519

SHA512
0019eb9c4e901c88aa6c613cb87eb7e878bc0b69618d218dae18137fd848bbee2a92fa83e79463f9b7558322d060ead88a634e0bb6ca0a7e9715b09801ec7f88

Download Submit
C:\Windows\{C54824F2-EE32-4164-BDBF-DBCA6F079138}.exe

Filesize
180KB

MD5
565ed026d38e25b6faf2d2afce19b172

SHA1
6ee9eb9eb438991ccb9d90731986e35ad2e50bd0

SHA256
0e321923832775247f3c55a46d69f9de245ea15fee894373777239927e2196f1

SHA512
41622349946951e32d471b7dcc63654fba79454c52ea32f4f4c0181ea5501294c4c41f7fee7eed8fcb633c2a1ce6bc304b9c671ea0ed10a1da9f4451207a1fac

Download Submit
C:\Windows\{C987FA66-8595-445a-A638-BE4C2506E110}.exe

Filesize
180KB

MD5
2619c33c1345bfb9f3bae2fb8eabcaef

SHA1
4514158c31e54030d14bb631315ca59c6bf7b8b8

SHA256
5fa0e63e6f44457ef5606558f305741051bc1103ab9c7a824d6b1fbc05de2243

SHA512
186f3c8309a87e0e943dd4363343643e7ed8451291b1d9af702574631307b26224106c9ac7fbe1ef8c081ba13fa2dc7afd7a3623fe78acae2de40c9da243f8eb

Download Submit
C:\Windows\{EAF06698-9645-4a76-987B-04C4D1DD5F55}.exe

Filesize
180KB

MD5
533488ed8f8e4522f23a893ed646dab3

SHA1
5e6ea4d591bfddf4dd972521d92526aaa6698d57

SHA256
2b0f15662219ab12942b8d28e16c5358710cd66a8ce40d01945e59e8afbdf6b4

SHA512
ec7f6e4c9e549c3144a1bcdee80e4b911616ca8d3174cd6dfcf8a36bbe7c3b49caf80523a8c14e53a0dfda8ba7a08fd69d8c0f0aa58ff4871dbd35d119337af7

Download Submit
C:\Windows\{EDB7957D-A78E-4bbc-9BC6-20BA098E91DF}.exe

Filesize
180KB

MD5
72df47be9921e9e1f8b7bc2ec0456e62

SHA1
dff6db17b5c86f449d0afba802b578da609f06dd

SHA256
cc6a65e9c5d8ea23ef5c0cf837e9733efba6cf833d92d1b50b2ae0fe1b86ce7f

SHA512
5bb81449991363deab46ed80663bf112f54ff775e4fb10c949c90c80cf5f5c34778a1fc281bfd9e5a0dbe96864bde7faf593054f2285262691896a9ebbfe63ed

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads