2ceea86a9c711e15a28ce9561870f3190ca296670879fcf9e79ac6dd1a717f64

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
15/04/2024, 12:10

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-04-15_fd6ba4643fee10b357f4a41a88929226_goldeneye.exe
Size

204KB
MD5

fd6ba4643fee10b357f4a41a88929226
SHA1

ba7887a68dbd379b4dcba51d4132d124aeed5ed3
SHA256

2ceea86a9c711e15a28ce9561870f3190ca296670879fcf9e79ac6dd1a717f64
SHA512

d1ae2d2a4f6aa76cf1b5495c6e74ed8521beaeae24f994bfa2874533bfd002d63e11d9382b7edde7c1fd76e4b40acbcad169579d75321bae56636ed66f1bed27
SSDEEP

1536:1EGh0o1Ll15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oZl1OPOe2MUVg3Ve+rXfMUy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000c00000001224c-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0013000000014e3d-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f00000000f680-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d00000001224c-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001000000000f680-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e00000001224c-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001100000000f680-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f00000001224c-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001200000000f680-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001000000001224c-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001300000000f680-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B22FE5A3-DC70-40ff-9851-A5FE78EC0178}	{7B4D520C-43AB-4373-AFEC-79670F4901B4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7790D719-81CE-4d6d-8D9A-B8005C21B7A0}	{47A31DF3-DA25-4ce2-A257-D54A9B999F6A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{320E3AE5-0117-4a62-A674-4ED69C933FE9}\stubpath = "C:\\Windows\\{320E3AE5-0117-4a62-A674-4ED69C933FE9}.exe"	{7790D719-81CE-4d6d-8D9A-B8005C21B7A0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{91ACE8CA-ADED-42b7-8159-23F3C7029B63}\stubpath = "C:\\Windows\\{91ACE8CA-ADED-42b7-8159-23F3C7029B63}.exe"	{320E3AE5-0117-4a62-A674-4ED69C933FE9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CC54690F-9589-461a-8DED-64488715C8AB}	{8F2B3509-5E01-4f6b-90A8-3A3FD440A42F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CC54690F-9589-461a-8DED-64488715C8AB}\stubpath = "C:\\Windows\\{CC54690F-9589-461a-8DED-64488715C8AB}.exe"	{8F2B3509-5E01-4f6b-90A8-3A3FD440A42F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BB5CFA94-C8F7-47c6-AFBE-238AB811CC9A}\stubpath = "C:\\Windows\\{BB5CFA94-C8F7-47c6-AFBE-238AB811CC9A}.exe"	{34262F12-4132-4a3b-8432-E29735972425}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C6FC7BC4-8D59-4a71-8A55-5E9EB0477997}	2024-04-15_fd6ba4643fee10b357f4a41a88929226_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C6FC7BC4-8D59-4a71-8A55-5E9EB0477997}\stubpath = "C:\\Windows\\{C6FC7BC4-8D59-4a71-8A55-5E9EB0477997}.exe"	2024-04-15_fd6ba4643fee10b357f4a41a88929226_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7B4D520C-43AB-4373-AFEC-79670F4901B4}	{C6FC7BC4-8D59-4a71-8A55-5E9EB0477997}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{47A31DF3-DA25-4ce2-A257-D54A9B999F6A}	{B22FE5A3-DC70-40ff-9851-A5FE78EC0178}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{47A31DF3-DA25-4ce2-A257-D54A9B999F6A}\stubpath = "C:\\Windows\\{47A31DF3-DA25-4ce2-A257-D54A9B999F6A}.exe"	{B22FE5A3-DC70-40ff-9851-A5FE78EC0178}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{91ACE8CA-ADED-42b7-8159-23F3C7029B63}	{320E3AE5-0117-4a62-A674-4ED69C933FE9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8F2B3509-5E01-4f6b-90A8-3A3FD440A42F}\stubpath = "C:\\Windows\\{8F2B3509-5E01-4f6b-90A8-3A3FD440A42F}.exe"	{91ACE8CA-ADED-42b7-8159-23F3C7029B63}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{34262F12-4132-4a3b-8432-E29735972425}	{CC54690F-9589-461a-8DED-64488715C8AB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{34262F12-4132-4a3b-8432-E29735972425}\stubpath = "C:\\Windows\\{34262F12-4132-4a3b-8432-E29735972425}.exe"	{CC54690F-9589-461a-8DED-64488715C8AB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BB5CFA94-C8F7-47c6-AFBE-238AB811CC9A}	{34262F12-4132-4a3b-8432-E29735972425}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7B4D520C-43AB-4373-AFEC-79670F4901B4}\stubpath = "C:\\Windows\\{7B4D520C-43AB-4373-AFEC-79670F4901B4}.exe"	{C6FC7BC4-8D59-4a71-8A55-5E9EB0477997}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B22FE5A3-DC70-40ff-9851-A5FE78EC0178}\stubpath = "C:\\Windows\\{B22FE5A3-DC70-40ff-9851-A5FE78EC0178}.exe"	{7B4D520C-43AB-4373-AFEC-79670F4901B4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7790D719-81CE-4d6d-8D9A-B8005C21B7A0}\stubpath = "C:\\Windows\\{7790D719-81CE-4d6d-8D9A-B8005C21B7A0}.exe"	{47A31DF3-DA25-4ce2-A257-D54A9B999F6A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{320E3AE5-0117-4a62-A674-4ED69C933FE9}	{7790D719-81CE-4d6d-8D9A-B8005C21B7A0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8F2B3509-5E01-4f6b-90A8-3A3FD440A42F}	{91ACE8CA-ADED-42b7-8159-23F3C7029B63}.exe

Deletes itself 1 IoCs

pid	Process
2924	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2632	{C6FC7BC4-8D59-4a71-8A55-5E9EB0477997}.exe
2652	{7B4D520C-43AB-4373-AFEC-79670F4901B4}.exe
2372	{B22FE5A3-DC70-40ff-9851-A5FE78EC0178}.exe
2804	{47A31DF3-DA25-4ce2-A257-D54A9B999F6A}.exe
2336	{7790D719-81CE-4d6d-8D9A-B8005C21B7A0}.exe
2532	{320E3AE5-0117-4a62-A674-4ED69C933FE9}.exe
1836	{91ACE8CA-ADED-42b7-8159-23F3C7029B63}.exe
2180	{8F2B3509-5E01-4f6b-90A8-3A3FD440A42F}.exe
1652	{CC54690F-9589-461a-8DED-64488715C8AB}.exe
2096	{34262F12-4132-4a3b-8432-E29735972425}.exe
1324	{BB5CFA94-C8F7-47c6-AFBE-238AB811CC9A}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{B22FE5A3-DC70-40ff-9851-A5FE78EC0178}.exe	{7B4D520C-43AB-4373-AFEC-79670F4901B4}.exe
File created	C:\Windows\{47A31DF3-DA25-4ce2-A257-D54A9B999F6A}.exe	{B22FE5A3-DC70-40ff-9851-A5FE78EC0178}.exe
File created	C:\Windows\{320E3AE5-0117-4a62-A674-4ED69C933FE9}.exe	{7790D719-81CE-4d6d-8D9A-B8005C21B7A0}.exe
File created	C:\Windows\{BB5CFA94-C8F7-47c6-AFBE-238AB811CC9A}.exe	{34262F12-4132-4a3b-8432-E29735972425}.exe
File created	C:\Windows\{C6FC7BC4-8D59-4a71-8A55-5E9EB0477997}.exe	2024-04-15_fd6ba4643fee10b357f4a41a88929226_goldeneye.exe
File created	C:\Windows\{7790D719-81CE-4d6d-8D9A-B8005C21B7A0}.exe	{47A31DF3-DA25-4ce2-A257-D54A9B999F6A}.exe
File created	C:\Windows\{91ACE8CA-ADED-42b7-8159-23F3C7029B63}.exe	{320E3AE5-0117-4a62-A674-4ED69C933FE9}.exe
File created	C:\Windows\{8F2B3509-5E01-4f6b-90A8-3A3FD440A42F}.exe	{91ACE8CA-ADED-42b7-8159-23F3C7029B63}.exe
File created	C:\Windows\{CC54690F-9589-461a-8DED-64488715C8AB}.exe	{8F2B3509-5E01-4f6b-90A8-3A3FD440A42F}.exe
File created	C:\Windows\{34262F12-4132-4a3b-8432-E29735972425}.exe	{CC54690F-9589-461a-8DED-64488715C8AB}.exe
File created	C:\Windows\{7B4D520C-43AB-4373-AFEC-79670F4901B4}.exe	{C6FC7BC4-8D59-4a71-8A55-5E9EB0477997}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	640	2024-04-15_fd6ba4643fee10b357f4a41a88929226_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2632	{C6FC7BC4-8D59-4a71-8A55-5E9EB0477997}.exe
Token: SeIncBasePriorityPrivilege	2652	{7B4D520C-43AB-4373-AFEC-79670F4901B4}.exe
Token: SeIncBasePriorityPrivilege	2372	{B22FE5A3-DC70-40ff-9851-A5FE78EC0178}.exe
Token: SeIncBasePriorityPrivilege	2804	{47A31DF3-DA25-4ce2-A257-D54A9B999F6A}.exe
Token: SeIncBasePriorityPrivilege	2336	{7790D719-81CE-4d6d-8D9A-B8005C21B7A0}.exe
Token: SeIncBasePriorityPrivilege	2532	{320E3AE5-0117-4a62-A674-4ED69C933FE9}.exe
Token: SeIncBasePriorityPrivilege	1836	{91ACE8CA-ADED-42b7-8159-23F3C7029B63}.exe
Token: SeIncBasePriorityPrivilege	2180	{8F2B3509-5E01-4f6b-90A8-3A3FD440A42F}.exe
Token: SeIncBasePriorityPrivilege	1652	{CC54690F-9589-461a-8DED-64488715C8AB}.exe
Token: SeIncBasePriorityPrivilege	2096	{34262F12-4132-4a3b-8432-E29735972425}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 640 wrote to memory of 2632	640	2024-04-15_fd6ba4643fee10b357f4a41a88929226_goldeneye.exe	28
PID 640 wrote to memory of 2632	640	2024-04-15_fd6ba4643fee10b357f4a41a88929226_goldeneye.exe	28
PID 640 wrote to memory of 2632	640	2024-04-15_fd6ba4643fee10b357f4a41a88929226_goldeneye.exe	28
PID 640 wrote to memory of 2632	640	2024-04-15_fd6ba4643fee10b357f4a41a88929226_goldeneye.exe	28
PID 640 wrote to memory of 2924	640	2024-04-15_fd6ba4643fee10b357f4a41a88929226_goldeneye.exe	29
PID 640 wrote to memory of 2924	640	2024-04-15_fd6ba4643fee10b357f4a41a88929226_goldeneye.exe	29
PID 640 wrote to memory of 2924	640	2024-04-15_fd6ba4643fee10b357f4a41a88929226_goldeneye.exe	29
PID 640 wrote to memory of 2924	640	2024-04-15_fd6ba4643fee10b357f4a41a88929226_goldeneye.exe	29
PID 2632 wrote to memory of 2652	2632	{C6FC7BC4-8D59-4a71-8A55-5E9EB0477997}.exe	32
PID 2632 wrote to memory of 2652	2632	{C6FC7BC4-8D59-4a71-8A55-5E9EB0477997}.exe	32
PID 2632 wrote to memory of 2652	2632	{C6FC7BC4-8D59-4a71-8A55-5E9EB0477997}.exe	32
PID 2632 wrote to memory of 2652	2632	{C6FC7BC4-8D59-4a71-8A55-5E9EB0477997}.exe	32
PID 2632 wrote to memory of 2380	2632	{C6FC7BC4-8D59-4a71-8A55-5E9EB0477997}.exe	33
PID 2632 wrote to memory of 2380	2632	{C6FC7BC4-8D59-4a71-8A55-5E9EB0477997}.exe	33
PID 2632 wrote to memory of 2380	2632	{C6FC7BC4-8D59-4a71-8A55-5E9EB0477997}.exe	33
PID 2632 wrote to memory of 2380	2632	{C6FC7BC4-8D59-4a71-8A55-5E9EB0477997}.exe	33
PID 2652 wrote to memory of 2372	2652	{7B4D520C-43AB-4373-AFEC-79670F4901B4}.exe	34
PID 2652 wrote to memory of 2372	2652	{7B4D520C-43AB-4373-AFEC-79670F4901B4}.exe	34
PID 2652 wrote to memory of 2372	2652	{7B4D520C-43AB-4373-AFEC-79670F4901B4}.exe	34
PID 2652 wrote to memory of 2372	2652	{7B4D520C-43AB-4373-AFEC-79670F4901B4}.exe	34
PID 2652 wrote to memory of 2428	2652	{7B4D520C-43AB-4373-AFEC-79670F4901B4}.exe	35
PID 2652 wrote to memory of 2428	2652	{7B4D520C-43AB-4373-AFEC-79670F4901B4}.exe	35
PID 2652 wrote to memory of 2428	2652	{7B4D520C-43AB-4373-AFEC-79670F4901B4}.exe	35
PID 2652 wrote to memory of 2428	2652	{7B4D520C-43AB-4373-AFEC-79670F4901B4}.exe	35
PID 2372 wrote to memory of 2804	2372	{B22FE5A3-DC70-40ff-9851-A5FE78EC0178}.exe	36
PID 2372 wrote to memory of 2804	2372	{B22FE5A3-DC70-40ff-9851-A5FE78EC0178}.exe	36
PID 2372 wrote to memory of 2804	2372	{B22FE5A3-DC70-40ff-9851-A5FE78EC0178}.exe	36
PID 2372 wrote to memory of 2804	2372	{B22FE5A3-DC70-40ff-9851-A5FE78EC0178}.exe	36
PID 2372 wrote to memory of 1052	2372	{B22FE5A3-DC70-40ff-9851-A5FE78EC0178}.exe	37
PID 2372 wrote to memory of 1052	2372	{B22FE5A3-DC70-40ff-9851-A5FE78EC0178}.exe	37
PID 2372 wrote to memory of 1052	2372	{B22FE5A3-DC70-40ff-9851-A5FE78EC0178}.exe	37
PID 2372 wrote to memory of 1052	2372	{B22FE5A3-DC70-40ff-9851-A5FE78EC0178}.exe	37
PID 2804 wrote to memory of 2336	2804	{47A31DF3-DA25-4ce2-A257-D54A9B999F6A}.exe	38
PID 2804 wrote to memory of 2336	2804	{47A31DF3-DA25-4ce2-A257-D54A9B999F6A}.exe	38
PID 2804 wrote to memory of 2336	2804	{47A31DF3-DA25-4ce2-A257-D54A9B999F6A}.exe	38
PID 2804 wrote to memory of 2336	2804	{47A31DF3-DA25-4ce2-A257-D54A9B999F6A}.exe	38
PID 2804 wrote to memory of 1820	2804	{47A31DF3-DA25-4ce2-A257-D54A9B999F6A}.exe	39
PID 2804 wrote to memory of 1820	2804	{47A31DF3-DA25-4ce2-A257-D54A9B999F6A}.exe	39
PID 2804 wrote to memory of 1820	2804	{47A31DF3-DA25-4ce2-A257-D54A9B999F6A}.exe	39
PID 2804 wrote to memory of 1820	2804	{47A31DF3-DA25-4ce2-A257-D54A9B999F6A}.exe	39
PID 2336 wrote to memory of 2532	2336	{7790D719-81CE-4d6d-8D9A-B8005C21B7A0}.exe	40
PID 2336 wrote to memory of 2532	2336	{7790D719-81CE-4d6d-8D9A-B8005C21B7A0}.exe	40
PID 2336 wrote to memory of 2532	2336	{7790D719-81CE-4d6d-8D9A-B8005C21B7A0}.exe	40
PID 2336 wrote to memory of 2532	2336	{7790D719-81CE-4d6d-8D9A-B8005C21B7A0}.exe	40
PID 2336 wrote to memory of 2696	2336	{7790D719-81CE-4d6d-8D9A-B8005C21B7A0}.exe	41
PID 2336 wrote to memory of 2696	2336	{7790D719-81CE-4d6d-8D9A-B8005C21B7A0}.exe	41
PID 2336 wrote to memory of 2696	2336	{7790D719-81CE-4d6d-8D9A-B8005C21B7A0}.exe	41
PID 2336 wrote to memory of 2696	2336	{7790D719-81CE-4d6d-8D9A-B8005C21B7A0}.exe	41
PID 2532 wrote to memory of 1836	2532	{320E3AE5-0117-4a62-A674-4ED69C933FE9}.exe	42
PID 2532 wrote to memory of 1836	2532	{320E3AE5-0117-4a62-A674-4ED69C933FE9}.exe	42
PID 2532 wrote to memory of 1836	2532	{320E3AE5-0117-4a62-A674-4ED69C933FE9}.exe	42
PID 2532 wrote to memory of 1836	2532	{320E3AE5-0117-4a62-A674-4ED69C933FE9}.exe	42
PID 2532 wrote to memory of 2020	2532	{320E3AE5-0117-4a62-A674-4ED69C933FE9}.exe	43
PID 2532 wrote to memory of 2020	2532	{320E3AE5-0117-4a62-A674-4ED69C933FE9}.exe	43
PID 2532 wrote to memory of 2020	2532	{320E3AE5-0117-4a62-A674-4ED69C933FE9}.exe	43
PID 2532 wrote to memory of 2020	2532	{320E3AE5-0117-4a62-A674-4ED69C933FE9}.exe	43
PID 1836 wrote to memory of 2180	1836	{91ACE8CA-ADED-42b7-8159-23F3C7029B63}.exe	44
PID 1836 wrote to memory of 2180	1836	{91ACE8CA-ADED-42b7-8159-23F3C7029B63}.exe	44
PID 1836 wrote to memory of 2180	1836	{91ACE8CA-ADED-42b7-8159-23F3C7029B63}.exe	44
PID 1836 wrote to memory of 2180	1836	{91ACE8CA-ADED-42b7-8159-23F3C7029B63}.exe	44
PID 1836 wrote to memory of 3040	1836	{91ACE8CA-ADED-42b7-8159-23F3C7029B63}.exe	45
PID 1836 wrote to memory of 3040	1836	{91ACE8CA-ADED-42b7-8159-23F3C7029B63}.exe	45
PID 1836 wrote to memory of 3040	1836	{91ACE8CA-ADED-42b7-8159-23F3C7029B63}.exe	45
PID 1836 wrote to memory of 3040	1836	{91ACE8CA-ADED-42b7-8159-23F3C7029B63}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-04-15_fd6ba4643fee10b357f4a41a88929226_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-15_fd6ba4643fee10b357f4a41a88929226_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:640
- C:\Windows\{C6FC7BC4-8D59-4a71-8A55-5E9EB0477997}.exe
  C:\Windows\{C6FC7BC4-8D59-4a71-8A55-5E9EB0477997}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2632
- - C:\Windows\{7B4D520C-43AB-4373-AFEC-79670F4901B4}.exe
    C:\Windows\{7B4D520C-43AB-4373-AFEC-79670F4901B4}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2652
  - - C:\Windows\{B22FE5A3-DC70-40ff-9851-A5FE78EC0178}.exe
      C:\Windows\{B22FE5A3-DC70-40ff-9851-A5FE78EC0178}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2372
    - - C:\Windows\{47A31DF3-DA25-4ce2-A257-D54A9B999F6A}.exe
        
        C:\Windows\{47A31DF3-DA25-4ce2-A257-D54A9B999F6A}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2804
      - C:\Windows\{7790D719-81CE-4d6d-8D9A-B8005C21B7A0}.exe
        
        C:\Windows\{7790D719-81CE-4d6d-8D9A-B8005C21B7A0}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2336
        
        C:\Windows\{320E3AE5-0117-4a62-A674-4ED69C933FE9}.exe
        
        C:\Windows\{320E3AE5-0117-4a62-A674-4ED69C933FE9}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2532
        
        C:\Windows\{91ACE8CA-ADED-42b7-8159-23F3C7029B63}.exe
        
        C:\Windows\{91ACE8CA-ADED-42b7-8159-23F3C7029B63}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1836
        
        C:\Windows\{8F2B3509-5E01-4f6b-90A8-3A3FD440A42F}.exe
        
        C:\Windows\{8F2B3509-5E01-4f6b-90A8-3A3FD440A42F}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2180
        
        C:\Windows\{CC54690F-9589-461a-8DED-64488715C8AB}.exe
        
        C:\Windows\{CC54690F-9589-461a-8DED-64488715C8AB}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1652
        
        C:\Windows\{34262F12-4132-4a3b-8432-E29735972425}.exe
        
        C:\Windows\{34262F12-4132-4a3b-8432-E29735972425}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2096
        
        C:\Windows\{BB5CFA94-C8F7-47c6-AFBE-238AB811CC9A}.exe
        
        C:\Windows\{BB5CFA94-C8F7-47c6-AFBE-238AB811CC9A}.exe
        12⤵
        Executes dropped EXE
        
        PID:1324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{34262~1.EXE > nul
        12⤵
        
        PID:604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CC546~1.EXE > nul
        11⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8F2B3~1.EXE > nul
        10⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{91ACE~1.EXE > nul
        9⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{320E3~1.EXE > nul
        8⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7790D~1.EXE > nul
        7⤵
        
        PID:2696
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{47A31~1.EXE > nul
        6⤵
        
        PID:1820
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B22FE~1.EXE > nul
        5⤵
        
        PID:1052
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{7B4D5~1.EXE > nul
      4⤵
      PID:2428
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{C6FC7~1.EXE > nul
    3⤵
    PID:2380
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{320E3AE5-0117-4a62-A674-4ED69C933FE9}.exe

Filesize
204KB

MD5
058d15e3b93431bf4af8e1787c3c2f24

SHA1
20190ad460ce177c690a07ef9b7ea85499ad1e8b

SHA256
6b7da5ccf84b440663a842c291105694c538ba9dbf093f762c7458605eed465e

SHA512
f129240c592c818b314c416f3631ffda95051b9dcacdd01caa73c1e999804d10aaec2a8a9b3ae62eed8179b5f0b3f8acc2d41aaf6f12eac58c42cd98c75e719e

Download Submit
C:\Windows\{34262F12-4132-4a3b-8432-E29735972425}.exe

Filesize
204KB

MD5
e63769578799e125c10afe0b276e4992

SHA1
56624dbae0eb8d775c2708b9fcdeea12c6ad7296

SHA256
3870ba28ba46726b7fd4151debb3e1d772f08d39f8fb2889a5008093d5debb72

SHA512
1878b0040da8739f1d42b567777a30d5db7515572eab49c7e2b023c8e115d87f20a082bff05903893044feb47722d358eaf3450ccaafbdf9ecfa177b1e709c47

Download Submit
C:\Windows\{47A31DF3-DA25-4ce2-A257-D54A9B999F6A}.exe

Filesize
204KB

MD5
4d8866ff553848fdaef3abb2451b554d

SHA1
636564f4798ff22b31a9740c5ef3d39cca85cc1f

SHA256
d47615ba6ccf6ff3722eca5b985baf9c50bbafbd26aa4fce49fe55c724715e11

SHA512
9174fc1915b0a783493065145e3be9681b828a7b5b2f05f94384dc9cca16c5b5eedec7405b756e3ddc4c8a0169301d9eaa3de9eb7b921246a2e0d89656566956

Download Submit
C:\Windows\{7790D719-81CE-4d6d-8D9A-B8005C21B7A0}.exe

Filesize
204KB

MD5
face6b5ad7b11f07902b247ee892e2fa

SHA1
063dcef98677ff0babaddd43b364ca2ea966496c

SHA256
32342e17036f88e35c35e78608758c34862f979d702433083fbb24a384341227

SHA512
5c02e61e7f346c695e0366356cc59523570c2a6d3e623e2a691ee3d2d890d57f20cd9acbbf71ce0ee8e5353f49d729868ad4d363fbe5fd9baefb2faf0e4cff84

Download Submit
C:\Windows\{7B4D520C-43AB-4373-AFEC-79670F4901B4}.exe

Filesize
204KB

MD5
1e2f45c76329ebb640e8a317a74f1805

SHA1
4308aa786e126aad324ea1624ea5b0316f3a33f4

SHA256
7ed264980ac377e020c36c5e36d0e0298e4d092bc043a28aedc4b99b0f726209

SHA512
0d32636f11041099d0cc032f13622a0e41bc36d09d3334f0bba6d1e25475c7a4ce5975d2f78fc859fc543d1273dbf2703b713f74b314356e89e12259bb1b538b

Download Submit
C:\Windows\{8F2B3509-5E01-4f6b-90A8-3A3FD440A42F}.exe

Filesize
204KB

MD5
2e2749016aa9fa70e490268224a97868

SHA1
d386dec28276cf4ca864b4c7d402ff24d2c40892

SHA256
98d6583583ea0fd1d130c9df37c618a7a7d7baee0cb4c160b1631cd5da55fc21

SHA512
322218ff4a5545c5a0359c1da2ad90d6bd95d73320a0aaffa1f74ee865ef907b677319d7782c0dc817512ca389eadaa2e6a60559cb6796484681eaad89405c40

Download Submit
C:\Windows\{91ACE8CA-ADED-42b7-8159-23F3C7029B63}.exe

Filesize
204KB

MD5
a5d3482d411a635b08a7d52aab9623e7

SHA1
582237b7f6f5d031f302aeb24d5113905ef231ae

SHA256
78c097d3ca6a50e72f87a0bf674f168973ffea41d59b9752dc69e5a816bc1a57

SHA512
9d0d70f7a57cfd196ee7b88a03ab9a1d61c56e3c1d1000a219255920b9932b8d7de637437efecd6dec24f470aed2fa1869191ec58e1f683f2330b37b329bb6e7

Download Submit
C:\Windows\{B22FE5A3-DC70-40ff-9851-A5FE78EC0178}.exe

Filesize
204KB

MD5
dcf3743fe24334542a4569859ef584fb

SHA1
eaf186b0600d907efe0bb5f8ad32fce92ccbd084

SHA256
81bf836244e1e5032ed6c651b3c2917df5a5961d01c6b67db30a01a149859b5e

SHA512
9f5ce407beb88f84651d9ac6c75e9da492af039108fb0bad770d2ebaa2313e6df0f1990b4a4037fe1d13e0ff95e553397a7965417c1cdc1a2214ca859b8b9d35

Download Submit
C:\Windows\{BB5CFA94-C8F7-47c6-AFBE-238AB811CC9A}.exe

Filesize
204KB

MD5
7ab82d2fdcfc40c00dddab010c7b07ad

SHA1
c0d507d48423d12eabfd78b8501e3765160fffc9

SHA256
f8aab7e839d5302d1bab1cc1180eaee7c80fba029c20b14c0d9e0110d4873bd3

SHA512
0a42eaf1a41d70d790a9256622ce047effd7dd31ef395f672d082d6a753282e769a70676e8185db9b4f6fc1d8de914e8cc029102515beeb90bf13eea4f024410

Download Submit
C:\Windows\{C6FC7BC4-8D59-4a71-8A55-5E9EB0477997}.exe

Filesize
204KB

MD5
c1f6323b9bfbdb93d91a477d8b174bfc

SHA1
b1dc984f8acaf89c77a0c554efd47c2bb83c5ab5

SHA256
24b5c5ae49752da66b0f66e014f628be935e9d5cd026c6c2792f089292020c2c

SHA512
fa6fe344cb47a4508507abbd245028bdee5512a3bd3389bb456c9646ddd557dbf0bcc8d9721710d0716245731936a78d9d3e5aae6aac004452fd5f91cc55c251

Download Submit
C:\Windows\{CC54690F-9589-461a-8DED-64488715C8AB}.exe

Filesize
204KB

MD5
326ccb649569a3d14c811725f6efeb84

SHA1
b4dbb5e6196c9a174c669b16bcd22dc5160600cc

SHA256
f991c9699d7444c20a490b5ecccc9400b043cfef316127e16588cb962af04034

SHA512
be0f400da3fd3eb0bb2358cb795c8df22105a712051054ef2619786a7d9ccbe7eda98db9ef83fc88910f75e8e07fac8e9f17cf66e3392d76e71869fb4cc793d9

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads