c549d7f9f165b5503c226ac489a4897d2263b01896bfb799648aa8a760accff4

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
15-04-2024 06:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-15_815db731e0f57ae82f5aa7cf4ec71436_goldeneye.exe
Size

168KB
MD5

815db731e0f57ae82f5aa7cf4ec71436
SHA1

1ebbcc3a38f542371b1b56f26e87879b515dddc2
SHA256

c549d7f9f165b5503c226ac489a4897d2263b01896bfb799648aa8a760accff4
SHA512

9c75ab96b78de14c2b99f9699acbcc4b085d938c1bfe6d34f7a60e633a3fb4ec5bc80c1a196e9b59cd1fe283d888a8c3eb294210dfa6da56f2ebd7458702c2a6
SSDEEP

1536:1EGh0o7li5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0o7liOPOe2MUVg3Ve+rX

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x0009000000012265-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000014e67-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a000000012265-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00120000000055a2-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b000000012265-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00130000000055a2-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000012265-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00140000000055a2-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000012265-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00150000000055a2-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e000000012265-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3D90A6C7-16C6-4550-A46F-40149685D817}\stubpath = "C:\\Windows\\{3D90A6C7-16C6-4550-A46F-40149685D817}.exe"	2024-04-15_815db731e0f57ae82f5aa7cf4ec71436_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{02492FA5-5924-4a4b-9B92-268C1E470422}	{DF9C0279-8712-4681-81A0-76428D4D613A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CE19D867-995F-47a8-9042-31A1240D4E8F}	{6239BC46-B66C-4a78-80CF-A61EED1A1B48}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F9002479-2D2C-4237-80F7-C30863008319}\stubpath = "C:\\Windows\\{F9002479-2D2C-4237-80F7-C30863008319}.exe"	{CE19D867-995F-47a8-9042-31A1240D4E8F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3D90A6C7-16C6-4550-A46F-40149685D817}	2024-04-15_815db731e0f57ae82f5aa7cf4ec71436_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2982A90B-07E9-4ab2-A9B4-B481DAE81EEF}	{3D90A6C7-16C6-4550-A46F-40149685D817}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DF9C0279-8712-4681-81A0-76428D4D613A}	{E0CBFDE5-233B-4b24-8547-5A6060C465E9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DF9C0279-8712-4681-81A0-76428D4D613A}\stubpath = "C:\\Windows\\{DF9C0279-8712-4681-81A0-76428D4D613A}.exe"	{E0CBFDE5-233B-4b24-8547-5A6060C465E9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{02492FA5-5924-4a4b-9B92-268C1E470422}\stubpath = "C:\\Windows\\{02492FA5-5924-4a4b-9B92-268C1E470422}.exe"	{DF9C0279-8712-4681-81A0-76428D4D613A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BC72E17D-AD2A-42dd-83B6-C2FE48077161}	{02492FA5-5924-4a4b-9B92-268C1E470422}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BC72E17D-AD2A-42dd-83B6-C2FE48077161}\stubpath = "C:\\Windows\\{BC72E17D-AD2A-42dd-83B6-C2FE48077161}.exe"	{02492FA5-5924-4a4b-9B92-268C1E470422}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6239BC46-B66C-4a78-80CF-A61EED1A1B48}	{BC72E17D-AD2A-42dd-83B6-C2FE48077161}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2982A90B-07E9-4ab2-A9B4-B481DAE81EEF}\stubpath = "C:\\Windows\\{2982A90B-07E9-4ab2-A9B4-B481DAE81EEF}.exe"	{3D90A6C7-16C6-4550-A46F-40149685D817}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A1C32C0A-8338-48f1-B0F9-1155EE6FAE98}	{2982A90B-07E9-4ab2-A9B4-B481DAE81EEF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CE19D867-995F-47a8-9042-31A1240D4E8F}\stubpath = "C:\\Windows\\{CE19D867-995F-47a8-9042-31A1240D4E8F}.exe"	{6239BC46-B66C-4a78-80CF-A61EED1A1B48}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8150AF24-BB26-47af-83FD-36AF04C243F1}\stubpath = "C:\\Windows\\{8150AF24-BB26-47af-83FD-36AF04C243F1}.exe"	{F9002479-2D2C-4237-80F7-C30863008319}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A1C32C0A-8338-48f1-B0F9-1155EE6FAE98}\stubpath = "C:\\Windows\\{A1C32C0A-8338-48f1-B0F9-1155EE6FAE98}.exe"	{2982A90B-07E9-4ab2-A9B4-B481DAE81EEF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E0CBFDE5-233B-4b24-8547-5A6060C465E9}	{A1C32C0A-8338-48f1-B0F9-1155EE6FAE98}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E0CBFDE5-233B-4b24-8547-5A6060C465E9}\stubpath = "C:\\Windows\\{E0CBFDE5-233B-4b24-8547-5A6060C465E9}.exe"	{A1C32C0A-8338-48f1-B0F9-1155EE6FAE98}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6239BC46-B66C-4a78-80CF-A61EED1A1B48}\stubpath = "C:\\Windows\\{6239BC46-B66C-4a78-80CF-A61EED1A1B48}.exe"	{BC72E17D-AD2A-42dd-83B6-C2FE48077161}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F9002479-2D2C-4237-80F7-C30863008319}	{CE19D867-995F-47a8-9042-31A1240D4E8F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8150AF24-BB26-47af-83FD-36AF04C243F1}	{F9002479-2D2C-4237-80F7-C30863008319}.exe

Deletes itself 1 IoCs

pid	Process
2220	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
1640	{3D90A6C7-16C6-4550-A46F-40149685D817}.exe
2532	{2982A90B-07E9-4ab2-A9B4-B481DAE81EEF}.exe
2900	{A1C32C0A-8338-48f1-B0F9-1155EE6FAE98}.exe
2452	{E0CBFDE5-233B-4b24-8547-5A6060C465E9}.exe
2400	{DF9C0279-8712-4681-81A0-76428D4D613A}.exe
2764	{02492FA5-5924-4a4b-9B92-268C1E470422}.exe
1228	{BC72E17D-AD2A-42dd-83B6-C2FE48077161}.exe
2820	{6239BC46-B66C-4a78-80CF-A61EED1A1B48}.exe
2808	{CE19D867-995F-47a8-9042-31A1240D4E8F}.exe
2292	{F9002479-2D2C-4237-80F7-C30863008319}.exe
1656	{8150AF24-BB26-47af-83FD-36AF04C243F1}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{6239BC46-B66C-4a78-80CF-A61EED1A1B48}.exe	{BC72E17D-AD2A-42dd-83B6-C2FE48077161}.exe
File created	C:\Windows\{CE19D867-995F-47a8-9042-31A1240D4E8F}.exe	{6239BC46-B66C-4a78-80CF-A61EED1A1B48}.exe
File created	C:\Windows\{2982A90B-07E9-4ab2-A9B4-B481DAE81EEF}.exe	{3D90A6C7-16C6-4550-A46F-40149685D817}.exe
File created	C:\Windows\{E0CBFDE5-233B-4b24-8547-5A6060C465E9}.exe	{A1C32C0A-8338-48f1-B0F9-1155EE6FAE98}.exe
File created	C:\Windows\{DF9C0279-8712-4681-81A0-76428D4D613A}.exe	{E0CBFDE5-233B-4b24-8547-5A6060C465E9}.exe
File created	C:\Windows\{02492FA5-5924-4a4b-9B92-268C1E470422}.exe	{DF9C0279-8712-4681-81A0-76428D4D613A}.exe
File created	C:\Windows\{BC72E17D-AD2A-42dd-83B6-C2FE48077161}.exe	{02492FA5-5924-4a4b-9B92-268C1E470422}.exe
File created	C:\Windows\{3D90A6C7-16C6-4550-A46F-40149685D817}.exe	2024-04-15_815db731e0f57ae82f5aa7cf4ec71436_goldeneye.exe
File created	C:\Windows\{A1C32C0A-8338-48f1-B0F9-1155EE6FAE98}.exe	{2982A90B-07E9-4ab2-A9B4-B481DAE81EEF}.exe
File created	C:\Windows\{F9002479-2D2C-4237-80F7-C30863008319}.exe	{CE19D867-995F-47a8-9042-31A1240D4E8F}.exe
File created	C:\Windows\{8150AF24-BB26-47af-83FD-36AF04C243F1}.exe	{F9002479-2D2C-4237-80F7-C30863008319}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1740	2024-04-15_815db731e0f57ae82f5aa7cf4ec71436_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1640	{3D90A6C7-16C6-4550-A46F-40149685D817}.exe
Token: SeIncBasePriorityPrivilege	2532	{2982A90B-07E9-4ab2-A9B4-B481DAE81EEF}.exe
Token: SeIncBasePriorityPrivilege	2900	{A1C32C0A-8338-48f1-B0F9-1155EE6FAE98}.exe
Token: SeIncBasePriorityPrivilege	2452	{E0CBFDE5-233B-4b24-8547-5A6060C465E9}.exe
Token: SeIncBasePriorityPrivilege	2400	{DF9C0279-8712-4681-81A0-76428D4D613A}.exe
Token: SeIncBasePriorityPrivilege	2764	{02492FA5-5924-4a4b-9B92-268C1E470422}.exe
Token: SeIncBasePriorityPrivilege	1228	{BC72E17D-AD2A-42dd-83B6-C2FE48077161}.exe
Token: SeIncBasePriorityPrivilege	2820	{6239BC46-B66C-4a78-80CF-A61EED1A1B48}.exe
Token: SeIncBasePriorityPrivilege	2808	{CE19D867-995F-47a8-9042-31A1240D4E8F}.exe
Token: SeIncBasePriorityPrivilege	2292	{F9002479-2D2C-4237-80F7-C30863008319}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1740 wrote to memory of 1640	1740	2024-04-15_815db731e0f57ae82f5aa7cf4ec71436_goldeneye.exe	28
PID 1740 wrote to memory of 1640	1740	2024-04-15_815db731e0f57ae82f5aa7cf4ec71436_goldeneye.exe	28
PID 1740 wrote to memory of 1640	1740	2024-04-15_815db731e0f57ae82f5aa7cf4ec71436_goldeneye.exe	28
PID 1740 wrote to memory of 1640	1740	2024-04-15_815db731e0f57ae82f5aa7cf4ec71436_goldeneye.exe	28
PID 1740 wrote to memory of 2220	1740	2024-04-15_815db731e0f57ae82f5aa7cf4ec71436_goldeneye.exe	29
PID 1740 wrote to memory of 2220	1740	2024-04-15_815db731e0f57ae82f5aa7cf4ec71436_goldeneye.exe	29
PID 1740 wrote to memory of 2220	1740	2024-04-15_815db731e0f57ae82f5aa7cf4ec71436_goldeneye.exe	29
PID 1740 wrote to memory of 2220	1740	2024-04-15_815db731e0f57ae82f5aa7cf4ec71436_goldeneye.exe	29
PID 1640 wrote to memory of 2532	1640	{3D90A6C7-16C6-4550-A46F-40149685D817}.exe	30
PID 1640 wrote to memory of 2532	1640	{3D90A6C7-16C6-4550-A46F-40149685D817}.exe	30
PID 1640 wrote to memory of 2532	1640	{3D90A6C7-16C6-4550-A46F-40149685D817}.exe	30
PID 1640 wrote to memory of 2532	1640	{3D90A6C7-16C6-4550-A46F-40149685D817}.exe	30
PID 1640 wrote to memory of 2624	1640	{3D90A6C7-16C6-4550-A46F-40149685D817}.exe	31
PID 1640 wrote to memory of 2624	1640	{3D90A6C7-16C6-4550-A46F-40149685D817}.exe	31
PID 1640 wrote to memory of 2624	1640	{3D90A6C7-16C6-4550-A46F-40149685D817}.exe	31
PID 1640 wrote to memory of 2624	1640	{3D90A6C7-16C6-4550-A46F-40149685D817}.exe	31
PID 2532 wrote to memory of 2900	2532	{2982A90B-07E9-4ab2-A9B4-B481DAE81EEF}.exe	32
PID 2532 wrote to memory of 2900	2532	{2982A90B-07E9-4ab2-A9B4-B481DAE81EEF}.exe	32
PID 2532 wrote to memory of 2900	2532	{2982A90B-07E9-4ab2-A9B4-B481DAE81EEF}.exe	32
PID 2532 wrote to memory of 2900	2532	{2982A90B-07E9-4ab2-A9B4-B481DAE81EEF}.exe	32
PID 2532 wrote to memory of 3060	2532	{2982A90B-07E9-4ab2-A9B4-B481DAE81EEF}.exe	33
PID 2532 wrote to memory of 3060	2532	{2982A90B-07E9-4ab2-A9B4-B481DAE81EEF}.exe	33
PID 2532 wrote to memory of 3060	2532	{2982A90B-07E9-4ab2-A9B4-B481DAE81EEF}.exe	33
PID 2532 wrote to memory of 3060	2532	{2982A90B-07E9-4ab2-A9B4-B481DAE81EEF}.exe	33
PID 2900 wrote to memory of 2452	2900	{A1C32C0A-8338-48f1-B0F9-1155EE6FAE98}.exe	36
PID 2900 wrote to memory of 2452	2900	{A1C32C0A-8338-48f1-B0F9-1155EE6FAE98}.exe	36
PID 2900 wrote to memory of 2452	2900	{A1C32C0A-8338-48f1-B0F9-1155EE6FAE98}.exe	36
PID 2900 wrote to memory of 2452	2900	{A1C32C0A-8338-48f1-B0F9-1155EE6FAE98}.exe	36
PID 2900 wrote to memory of 2088	2900	{A1C32C0A-8338-48f1-B0F9-1155EE6FAE98}.exe	37
PID 2900 wrote to memory of 2088	2900	{A1C32C0A-8338-48f1-B0F9-1155EE6FAE98}.exe	37
PID 2900 wrote to memory of 2088	2900	{A1C32C0A-8338-48f1-B0F9-1155EE6FAE98}.exe	37
PID 2900 wrote to memory of 2088	2900	{A1C32C0A-8338-48f1-B0F9-1155EE6FAE98}.exe	37
PID 2452 wrote to memory of 2400	2452	{E0CBFDE5-233B-4b24-8547-5A6060C465E9}.exe	38
PID 2452 wrote to memory of 2400	2452	{E0CBFDE5-233B-4b24-8547-5A6060C465E9}.exe	38
PID 2452 wrote to memory of 2400	2452	{E0CBFDE5-233B-4b24-8547-5A6060C465E9}.exe	38
PID 2452 wrote to memory of 2400	2452	{E0CBFDE5-233B-4b24-8547-5A6060C465E9}.exe	38
PID 2452 wrote to memory of 1648	2452	{E0CBFDE5-233B-4b24-8547-5A6060C465E9}.exe	39
PID 2452 wrote to memory of 1648	2452	{E0CBFDE5-233B-4b24-8547-5A6060C465E9}.exe	39
PID 2452 wrote to memory of 1648	2452	{E0CBFDE5-233B-4b24-8547-5A6060C465E9}.exe	39
PID 2452 wrote to memory of 1648	2452	{E0CBFDE5-233B-4b24-8547-5A6060C465E9}.exe	39
PID 2400 wrote to memory of 2764	2400	{DF9C0279-8712-4681-81A0-76428D4D613A}.exe	40
PID 2400 wrote to memory of 2764	2400	{DF9C0279-8712-4681-81A0-76428D4D613A}.exe	40
PID 2400 wrote to memory of 2764	2400	{DF9C0279-8712-4681-81A0-76428D4D613A}.exe	40
PID 2400 wrote to memory of 2764	2400	{DF9C0279-8712-4681-81A0-76428D4D613A}.exe	40
PID 2400 wrote to memory of 1072	2400	{DF9C0279-8712-4681-81A0-76428D4D613A}.exe	41
PID 2400 wrote to memory of 1072	2400	{DF9C0279-8712-4681-81A0-76428D4D613A}.exe	41
PID 2400 wrote to memory of 1072	2400	{DF9C0279-8712-4681-81A0-76428D4D613A}.exe	41
PID 2400 wrote to memory of 1072	2400	{DF9C0279-8712-4681-81A0-76428D4D613A}.exe	41
PID 2764 wrote to memory of 1228	2764	{02492FA5-5924-4a4b-9B92-268C1E470422}.exe	42
PID 2764 wrote to memory of 1228	2764	{02492FA5-5924-4a4b-9B92-268C1E470422}.exe	42
PID 2764 wrote to memory of 1228	2764	{02492FA5-5924-4a4b-9B92-268C1E470422}.exe	42
PID 2764 wrote to memory of 1228	2764	{02492FA5-5924-4a4b-9B92-268C1E470422}.exe	42
PID 2764 wrote to memory of 1868	2764	{02492FA5-5924-4a4b-9B92-268C1E470422}.exe	43
PID 2764 wrote to memory of 1868	2764	{02492FA5-5924-4a4b-9B92-268C1E470422}.exe	43
PID 2764 wrote to memory of 1868	2764	{02492FA5-5924-4a4b-9B92-268C1E470422}.exe	43
PID 2764 wrote to memory of 1868	2764	{02492FA5-5924-4a4b-9B92-268C1E470422}.exe	43
PID 1228 wrote to memory of 2820	1228	{BC72E17D-AD2A-42dd-83B6-C2FE48077161}.exe	44
PID 1228 wrote to memory of 2820	1228	{BC72E17D-AD2A-42dd-83B6-C2FE48077161}.exe	44
PID 1228 wrote to memory of 2820	1228	{BC72E17D-AD2A-42dd-83B6-C2FE48077161}.exe	44
PID 1228 wrote to memory of 2820	1228	{BC72E17D-AD2A-42dd-83B6-C2FE48077161}.exe	44
PID 1228 wrote to memory of 516	1228	{BC72E17D-AD2A-42dd-83B6-C2FE48077161}.exe	45
PID 1228 wrote to memory of 516	1228	{BC72E17D-AD2A-42dd-83B6-C2FE48077161}.exe	45
PID 1228 wrote to memory of 516	1228	{BC72E17D-AD2A-42dd-83B6-C2FE48077161}.exe	45
PID 1228 wrote to memory of 516	1228	{BC72E17D-AD2A-42dd-83B6-C2FE48077161}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-04-15_815db731e0f57ae82f5aa7cf4ec71436_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-15_815db731e0f57ae82f5aa7cf4ec71436_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1740
- C:\Windows\{3D90A6C7-16C6-4550-A46F-40149685D817}.exe
  C:\Windows\{3D90A6C7-16C6-4550-A46F-40149685D817}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1640
- - C:\Windows\{2982A90B-07E9-4ab2-A9B4-B481DAE81EEF}.exe
    C:\Windows\{2982A90B-07E9-4ab2-A9B4-B481DAE81EEF}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2532
  - - C:\Windows\{A1C32C0A-8338-48f1-B0F9-1155EE6FAE98}.exe
      C:\Windows\{A1C32C0A-8338-48f1-B0F9-1155EE6FAE98}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2900
    - - C:\Windows\{E0CBFDE5-233B-4b24-8547-5A6060C465E9}.exe
        
        C:\Windows\{E0CBFDE5-233B-4b24-8547-5A6060C465E9}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2452
      - C:\Windows\{DF9C0279-8712-4681-81A0-76428D4D613A}.exe
        
        C:\Windows\{DF9C0279-8712-4681-81A0-76428D4D613A}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2400
        
        C:\Windows\{02492FA5-5924-4a4b-9B92-268C1E470422}.exe
        
        C:\Windows\{02492FA5-5924-4a4b-9B92-268C1E470422}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2764
        
        C:\Windows\{BC72E17D-AD2A-42dd-83B6-C2FE48077161}.exe
        
        C:\Windows\{BC72E17D-AD2A-42dd-83B6-C2FE48077161}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1228
        
        C:\Windows\{6239BC46-B66C-4a78-80CF-A61EED1A1B48}.exe
        
        C:\Windows\{6239BC46-B66C-4a78-80CF-A61EED1A1B48}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2820
        
        C:\Windows\{CE19D867-995F-47a8-9042-31A1240D4E8F}.exe
        
        C:\Windows\{CE19D867-995F-47a8-9042-31A1240D4E8F}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2808
        
        C:\Windows\{F9002479-2D2C-4237-80F7-C30863008319}.exe
        
        C:\Windows\{F9002479-2D2C-4237-80F7-C30863008319}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2292
        
        C:\Windows\{8150AF24-BB26-47af-83FD-36AF04C243F1}.exe
        
        C:\Windows\{8150AF24-BB26-47af-83FD-36AF04C243F1}.exe
        12⤵
        Executes dropped EXE
        
        PID:1656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F9002~1.EXE > nul
        12⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CE19D~1.EXE > nul
        11⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6239B~1.EXE > nul
        10⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BC72E~1.EXE > nul
        9⤵
        
        PID:516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{02492~1.EXE > nul
        8⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DF9C0~1.EXE > nul
        7⤵
        
        PID:1072
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E0CBF~1.EXE > nul
        6⤵
        
        PID:1648
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A1C32~1.EXE > nul
        5⤵
        
        PID:2088
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{2982A~1.EXE > nul
      4⤵
      PID:3060
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{3D90A~1.EXE > nul
    3⤵
    PID:2624
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{02492FA5-5924-4a4b-9B92-268C1E470422}.exe

Filesize
168KB

MD5
79e03bbbe4e2bc19dd944253d055fd83

SHA1
dc2f9fe448f7c4accdd2f7c5ff566cde97afeabe

SHA256
61e5cced339791fcaed17c113a4376fc042ddde3c0b47eee0656fcc099e071f1

SHA512
3c404d726d1d47bab71f2381de7d30a407f205028b41bc888b2651878656bd4d29757a5d385de438c9664f567ce46b26e6b5f4b8cff83fc2f8d7d24ab091ee69

Download Submit
C:\Windows\{2982A90B-07E9-4ab2-A9B4-B481DAE81EEF}.exe

Filesize
168KB

MD5
5ddfdf165d142d8ca1aee35424f3b14e

SHA1
dad332d469599e496c7f641a39fca38579674f9e

SHA256
d6d4ab6a3b90991e70867fc7951da9596464e2dc02ebdfd69dbc361271b0dae3

SHA512
f60ed49ef45b49f878b1111c41e9dc2239705e3e9bcb447956d22d0cbff477797a1c02c0a949afdf9efbc6bdbd803e70dc3b2f3c809b13811fb572fdb2c96652

Download Submit
C:\Windows\{3D90A6C7-16C6-4550-A46F-40149685D817}.exe

Filesize
168KB

MD5
35ca707576816a3bbc15209c0d4fc8db

SHA1
aabfaa33d3df959cadbfde712af4406148125c83

SHA256
2c55018f09d0c8f4465bd7e02a819362c743cb72c29ded66ef2d67ae057c05ab

SHA512
29b0fa8970f885dfdde074c652478427a44428eb21d62a4865754cae5b019448f94636ee01b8087c14f4ad620d2120a8c47f2f1058c8ded1dabe2fdee0e92b01

Download Submit
C:\Windows\{6239BC46-B66C-4a78-80CF-A61EED1A1B48}.exe

Filesize
168KB

MD5
6524f15af8649fbf8b913b0d7e4be292

SHA1
5ed7cf441be2624154c081c78bd301480c221984

SHA256
c16978f31c2011535b9663540c4b69f33819262423b5d0d38670fce20129b842

SHA512
4f9ec1ae12d283b720e19d901851112e0eedf086794d5f3b8f42be738c41cfde087007294c0f1a4652876e8349685dbb66e0e397240a4f80a979d3b1c8ef1102

Download Submit
C:\Windows\{8150AF24-BB26-47af-83FD-36AF04C243F1}.exe

Filesize
168KB

MD5
41220b649627b26a0a9a98140f95fce9

SHA1
059c4d26a7d75a9b8366887f52ab6ffcca2e6b11

SHA256
d0d05240d3a04f78809825a75cc6d4e700a812eeb41a85f72e2a8da821cf3740

SHA512
a2e9cd70a40e3fd58f54862321d8c0085d76a1fc8a3dd4bba4c8f7ffcd15b70565ee6a974f76e45ee78b9315aa9f390590d0ad506a21bd81858d363ff9dcea17

Download Submit
C:\Windows\{A1C32C0A-8338-48f1-B0F9-1155EE6FAE98}.exe

Filesize
168KB

MD5
1b294210797d512c91690b5a9157acd1

SHA1
9cb1b67a558ee040b668750d34f84c63b4aa2ceb

SHA256
49cc02c005e48f445e82266ae97c6e5a360d4a501d6440801969b339b5c4bf47

SHA512
e0c9cf69b37086edfb27c20344315b6bfd71af8d53f7b6a23428a99f59f20191285297d0917ee54d75a11778a64d773bfca6e447f09147994b2055c5749d19a7

Download Submit
C:\Windows\{BC72E17D-AD2A-42dd-83B6-C2FE48077161}.exe

Filesize
168KB

MD5
50db9c6288e7215470af79c238ae41c0

SHA1
11271eb4deff9b7d81d3923fdb30568279cacca6

SHA256
362f9713fc1ce22d545ff8d5322482521fd14edddba334e5d2e5c22617a5a339

SHA512
bde2e56a4e926bf4d7f926996a6f67da7d64b06ec99af56e023b9b42f00c5e64873f76d278211c4e8e762c92c4bccfd31c8d44be41c3b9c9cdcf329eb3e06273

Download Submit
C:\Windows\{CE19D867-995F-47a8-9042-31A1240D4E8F}.exe

Filesize
168KB

MD5
9d1e533e099d350a07b18d70d1e51937

SHA1
048aa9ef63bd0c017b4c1b62ad7c445bea3db5d4

SHA256
b262e296c730b899c02281700adabe0fe3a1766b3485bc46c2f87d4ee21e864d

SHA512
79043ae6d067b2df245a4f93d98248e4ba9b41baa299c8d636b420b962491949e5292aad56da3f774c6c1dfcf91769a9b1d93ccb8e5f9ddfaee0fe3ef728a788

Download Submit
C:\Windows\{DF9C0279-8712-4681-81A0-76428D4D613A}.exe

Filesize
168KB

MD5
e53f9475ab1a1c23e75fb0e40a681219

SHA1
c112bd365130ada63dd00abb02c8c484a095af21

SHA256
bc7e6ee57404ed954eb54f1791d5d434aac1f7d53987e93d101405e08d1a99b4

SHA512
7137f842d5fdb00800ea743a554c27b0139edbfb1d204a4281f82e97fb484b3801337246061a378ff9c4dbc371a2ce7f2bb9ba85c4b339f28685c175ba8213b5

Download Submit
C:\Windows\{E0CBFDE5-233B-4b24-8547-5A6060C465E9}.exe

Filesize
168KB

MD5
e95a0998787c6d473d147d765cd559fa

SHA1
9bd1de79d76ee87bec219a94be89f33380398b02

SHA256
211627c44bb4d44a9da40e16db20b0e3941a542c97fd0063a46e04b76608ed8c

SHA512
d2100b3fb061bac167221cc1bd3e401ab6efc2360871810e7bfc3bd0b4964de3d0e4fdc2015b92cf6c43c0e692d0a12e3746e6496860cdcbb5aa9811de21749f

Download Submit
C:\Windows\{F9002479-2D2C-4237-80F7-C30863008319}.exe

Filesize
168KB

MD5
2c494d8773431a0d42117f2df3ff0fa7

SHA1
e90fdbcc8c39c1902a3608a2ae82046815f9a33d

SHA256
737875ea3a83f061e637bca13fa89efa45897ad406a54ba7bb9d3fc4d6a7cf70

SHA512
97cdf7187d09ed50fcbe3355311e4011c30c44ccb9e3e880b361a62e13dcb68fceb7e21aa3c28055016f190d8e42712af703e875d775cd3c4db8b40acac0697e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads