a2af6883f4c401e482f8ed884f08c7e9f412efc95f700b55d41039eee43bd438

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
15/04/2024, 14:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-15_419dbd3a2cad42630f6e868b4bb7dbba_goldeneye.exe
Size

408KB
MD5

419dbd3a2cad42630f6e868b4bb7dbba
SHA1

7a6788b465428498e82254103cf7b49e0f05a1a4
SHA256

a2af6883f4c401e482f8ed884f08c7e9f412efc95f700b55d41039eee43bd438
SHA512

2e0e0aab90ed65d777d150cb7b5b143dce026e0bce096e3300895e7af17278ddca8a89f7cb79ea81ba705171b94f134556c32fa38fd361af572b88c6669888ce
SSDEEP

3072:CEGh0ozl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBft:CEGRldOe2MUVg3vTeKcAEciTBqr3jy9

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000800000001222a-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002e000000015364-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f00000000f680-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002f000000015364-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001000000000f680-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0030000000015364-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001100000000f680-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0031000000015364-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001200000000f680-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0032000000015364-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001300000000f680-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9CB4CB28-E871-4e4e-9C0F-57D7D73D4A54}	{F6D7AE28-A4EE-4f39-BE3A-B8AEA702B7AB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{07C60094-15C1-421a-99D8-17BABAC12B36}\stubpath = "C:\\Windows\\{07C60094-15C1-421a-99D8-17BABAC12B36}.exe"	{EDB00D9A-5707-43ac-A272-E86E1F769DC4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1B37FA23-AD65-4d16-90F6-46970BE517A8}\stubpath = "C:\\Windows\\{1B37FA23-AD65-4d16-90F6-46970BE517A8}.exe"	{07C60094-15C1-421a-99D8-17BABAC12B36}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{92339183-1335-4032-8BF2-22278031C387}	2024-04-15_419dbd3a2cad42630f6e868b4bb7dbba_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{92339183-1335-4032-8BF2-22278031C387}\stubpath = "C:\\Windows\\{92339183-1335-4032-8BF2-22278031C387}.exe"	2024-04-15_419dbd3a2cad42630f6e868b4bb7dbba_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{24F91B53-51B7-4030-9436-1DF11BB05F6F}	{89712BDB-20CB-478f-A0FA-FC7325CB4F9A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EA27460C-4B44-4085-84DB-F325C700DF00}\stubpath = "C:\\Windows\\{EA27460C-4B44-4085-84DB-F325C700DF00}.exe"	{24F91B53-51B7-4030-9436-1DF11BB05F6F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9CB4CB28-E871-4e4e-9C0F-57D7D73D4A54}\stubpath = "C:\\Windows\\{9CB4CB28-E871-4e4e-9C0F-57D7D73D4A54}.exe"	{F6D7AE28-A4EE-4f39-BE3A-B8AEA702B7AB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EDB00D9A-5707-43ac-A272-E86E1F769DC4}	{9CB4CB28-E871-4e4e-9C0F-57D7D73D4A54}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BAA0106D-EF58-438d-84E3-DDDEC5EC42A7}\stubpath = "C:\\Windows\\{BAA0106D-EF58-438d-84E3-DDDEC5EC42A7}.exe"	{92339183-1335-4032-8BF2-22278031C387}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{89712BDB-20CB-478f-A0FA-FC7325CB4F9A}\stubpath = "C:\\Windows\\{89712BDB-20CB-478f-A0FA-FC7325CB4F9A}.exe"	{BAA0106D-EF58-438d-84E3-DDDEC5EC42A7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{24F91B53-51B7-4030-9436-1DF11BB05F6F}\stubpath = "C:\\Windows\\{24F91B53-51B7-4030-9436-1DF11BB05F6F}.exe"	{89712BDB-20CB-478f-A0FA-FC7325CB4F9A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F6D7AE28-A4EE-4f39-BE3A-B8AEA702B7AB}\stubpath = "C:\\Windows\\{F6D7AE28-A4EE-4f39-BE3A-B8AEA702B7AB}.exe"	{E4835DFB-28EF-4bcf-A16F-3887BA5524AA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EDB00D9A-5707-43ac-A272-E86E1F769DC4}\stubpath = "C:\\Windows\\{EDB00D9A-5707-43ac-A272-E86E1F769DC4}.exe"	{9CB4CB28-E871-4e4e-9C0F-57D7D73D4A54}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BAA0106D-EF58-438d-84E3-DDDEC5EC42A7}	{92339183-1335-4032-8BF2-22278031C387}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{89712BDB-20CB-478f-A0FA-FC7325CB4F9A}	{BAA0106D-EF58-438d-84E3-DDDEC5EC42A7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EA27460C-4B44-4085-84DB-F325C700DF00}	{24F91B53-51B7-4030-9436-1DF11BB05F6F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E4835DFB-28EF-4bcf-A16F-3887BA5524AA}\stubpath = "C:\\Windows\\{E4835DFB-28EF-4bcf-A16F-3887BA5524AA}.exe"	{EA27460C-4B44-4085-84DB-F325C700DF00}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E4835DFB-28EF-4bcf-A16F-3887BA5524AA}	{EA27460C-4B44-4085-84DB-F325C700DF00}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F6D7AE28-A4EE-4f39-BE3A-B8AEA702B7AB}	{E4835DFB-28EF-4bcf-A16F-3887BA5524AA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{07C60094-15C1-421a-99D8-17BABAC12B36}	{EDB00D9A-5707-43ac-A272-E86E1F769DC4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1B37FA23-AD65-4d16-90F6-46970BE517A8}	{07C60094-15C1-421a-99D8-17BABAC12B36}.exe

Deletes itself 1 IoCs

pid	Process
2532	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2032	{92339183-1335-4032-8BF2-22278031C387}.exe
2616	{BAA0106D-EF58-438d-84E3-DDDEC5EC42A7}.exe
2468	{89712BDB-20CB-478f-A0FA-FC7325CB4F9A}.exe
860	{24F91B53-51B7-4030-9436-1DF11BB05F6F}.exe
2284	{EA27460C-4B44-4085-84DB-F325C700DF00}.exe
2632	{E4835DFB-28EF-4bcf-A16F-3887BA5524AA}.exe
1292	{F6D7AE28-A4EE-4f39-BE3A-B8AEA702B7AB}.exe
1848	{9CB4CB28-E871-4e4e-9C0F-57D7D73D4A54}.exe
1624	{EDB00D9A-5707-43ac-A272-E86E1F769DC4}.exe
2044	{07C60094-15C1-421a-99D8-17BABAC12B36}.exe
476	{1B37FA23-AD65-4d16-90F6-46970BE517A8}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{E4835DFB-28EF-4bcf-A16F-3887BA5524AA}.exe	{EA27460C-4B44-4085-84DB-F325C700DF00}.exe
File created	C:\Windows\{F6D7AE28-A4EE-4f39-BE3A-B8AEA702B7AB}.exe	{E4835DFB-28EF-4bcf-A16F-3887BA5524AA}.exe
File created	C:\Windows\{EDB00D9A-5707-43ac-A272-E86E1F769DC4}.exe	{9CB4CB28-E871-4e4e-9C0F-57D7D73D4A54}.exe
File created	C:\Windows\{92339183-1335-4032-8BF2-22278031C387}.exe	2024-04-15_419dbd3a2cad42630f6e868b4bb7dbba_goldeneye.exe
File created	C:\Windows\{BAA0106D-EF58-438d-84E3-DDDEC5EC42A7}.exe	{92339183-1335-4032-8BF2-22278031C387}.exe
File created	C:\Windows\{24F91B53-51B7-4030-9436-1DF11BB05F6F}.exe	{89712BDB-20CB-478f-A0FA-FC7325CB4F9A}.exe
File created	C:\Windows\{EA27460C-4B44-4085-84DB-F325C700DF00}.exe	{24F91B53-51B7-4030-9436-1DF11BB05F6F}.exe
File created	C:\Windows\{89712BDB-20CB-478f-A0FA-FC7325CB4F9A}.exe	{BAA0106D-EF58-438d-84E3-DDDEC5EC42A7}.exe
File created	C:\Windows\{9CB4CB28-E871-4e4e-9C0F-57D7D73D4A54}.exe	{F6D7AE28-A4EE-4f39-BE3A-B8AEA702B7AB}.exe
File created	C:\Windows\{07C60094-15C1-421a-99D8-17BABAC12B36}.exe	{EDB00D9A-5707-43ac-A272-E86E1F769DC4}.exe
File created	C:\Windows\{1B37FA23-AD65-4d16-90F6-46970BE517A8}.exe	{07C60094-15C1-421a-99D8-17BABAC12B36}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1760	2024-04-15_419dbd3a2cad42630f6e868b4bb7dbba_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2032	{92339183-1335-4032-8BF2-22278031C387}.exe
Token: SeIncBasePriorityPrivilege	2616	{BAA0106D-EF58-438d-84E3-DDDEC5EC42A7}.exe
Token: SeIncBasePriorityPrivilege	2468	{89712BDB-20CB-478f-A0FA-FC7325CB4F9A}.exe
Token: SeIncBasePriorityPrivilege	860	{24F91B53-51B7-4030-9436-1DF11BB05F6F}.exe
Token: SeIncBasePriorityPrivilege	2284	{EA27460C-4B44-4085-84DB-F325C700DF00}.exe
Token: SeIncBasePriorityPrivilege	2632	{E4835DFB-28EF-4bcf-A16F-3887BA5524AA}.exe
Token: SeIncBasePriorityPrivilege	1292	{F6D7AE28-A4EE-4f39-BE3A-B8AEA702B7AB}.exe
Token: SeIncBasePriorityPrivilege	1848	{9CB4CB28-E871-4e4e-9C0F-57D7D73D4A54}.exe
Token: SeIncBasePriorityPrivilege	1624	{EDB00D9A-5707-43ac-A272-E86E1F769DC4}.exe
Token: SeIncBasePriorityPrivilege	2044	{07C60094-15C1-421a-99D8-17BABAC12B36}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1760 wrote to memory of 2032	1760	2024-04-15_419dbd3a2cad42630f6e868b4bb7dbba_goldeneye.exe	28
PID 1760 wrote to memory of 2032	1760	2024-04-15_419dbd3a2cad42630f6e868b4bb7dbba_goldeneye.exe	28
PID 1760 wrote to memory of 2032	1760	2024-04-15_419dbd3a2cad42630f6e868b4bb7dbba_goldeneye.exe	28
PID 1760 wrote to memory of 2032	1760	2024-04-15_419dbd3a2cad42630f6e868b4bb7dbba_goldeneye.exe	28
PID 1760 wrote to memory of 2532	1760	2024-04-15_419dbd3a2cad42630f6e868b4bb7dbba_goldeneye.exe	29
PID 1760 wrote to memory of 2532	1760	2024-04-15_419dbd3a2cad42630f6e868b4bb7dbba_goldeneye.exe	29
PID 1760 wrote to memory of 2532	1760	2024-04-15_419dbd3a2cad42630f6e868b4bb7dbba_goldeneye.exe	29
PID 1760 wrote to memory of 2532	1760	2024-04-15_419dbd3a2cad42630f6e868b4bb7dbba_goldeneye.exe	29
PID 2032 wrote to memory of 2616	2032	{92339183-1335-4032-8BF2-22278031C387}.exe	32
PID 2032 wrote to memory of 2616	2032	{92339183-1335-4032-8BF2-22278031C387}.exe	32
PID 2032 wrote to memory of 2616	2032	{92339183-1335-4032-8BF2-22278031C387}.exe	32
PID 2032 wrote to memory of 2616	2032	{92339183-1335-4032-8BF2-22278031C387}.exe	32
PID 2032 wrote to memory of 2560	2032	{92339183-1335-4032-8BF2-22278031C387}.exe	33
PID 2032 wrote to memory of 2560	2032	{92339183-1335-4032-8BF2-22278031C387}.exe	33
PID 2032 wrote to memory of 2560	2032	{92339183-1335-4032-8BF2-22278031C387}.exe	33
PID 2032 wrote to memory of 2560	2032	{92339183-1335-4032-8BF2-22278031C387}.exe	33
PID 2616 wrote to memory of 2468	2616	{BAA0106D-EF58-438d-84E3-DDDEC5EC42A7}.exe	34
PID 2616 wrote to memory of 2468	2616	{BAA0106D-EF58-438d-84E3-DDDEC5EC42A7}.exe	34
PID 2616 wrote to memory of 2468	2616	{BAA0106D-EF58-438d-84E3-DDDEC5EC42A7}.exe	34
PID 2616 wrote to memory of 2468	2616	{BAA0106D-EF58-438d-84E3-DDDEC5EC42A7}.exe	34
PID 2616 wrote to memory of 2844	2616	{BAA0106D-EF58-438d-84E3-DDDEC5EC42A7}.exe	35
PID 2616 wrote to memory of 2844	2616	{BAA0106D-EF58-438d-84E3-DDDEC5EC42A7}.exe	35
PID 2616 wrote to memory of 2844	2616	{BAA0106D-EF58-438d-84E3-DDDEC5EC42A7}.exe	35
PID 2616 wrote to memory of 2844	2616	{BAA0106D-EF58-438d-84E3-DDDEC5EC42A7}.exe	35
PID 2468 wrote to memory of 860	2468	{89712BDB-20CB-478f-A0FA-FC7325CB4F9A}.exe	36
PID 2468 wrote to memory of 860	2468	{89712BDB-20CB-478f-A0FA-FC7325CB4F9A}.exe	36
PID 2468 wrote to memory of 860	2468	{89712BDB-20CB-478f-A0FA-FC7325CB4F9A}.exe	36
PID 2468 wrote to memory of 860	2468	{89712BDB-20CB-478f-A0FA-FC7325CB4F9A}.exe	36
PID 2468 wrote to memory of 572	2468	{89712BDB-20CB-478f-A0FA-FC7325CB4F9A}.exe	37
PID 2468 wrote to memory of 572	2468	{89712BDB-20CB-478f-A0FA-FC7325CB4F9A}.exe	37
PID 2468 wrote to memory of 572	2468	{89712BDB-20CB-478f-A0FA-FC7325CB4F9A}.exe	37
PID 2468 wrote to memory of 572	2468	{89712BDB-20CB-478f-A0FA-FC7325CB4F9A}.exe	37
PID 860 wrote to memory of 2284	860	{24F91B53-51B7-4030-9436-1DF11BB05F6F}.exe	38
PID 860 wrote to memory of 2284	860	{24F91B53-51B7-4030-9436-1DF11BB05F6F}.exe	38
PID 860 wrote to memory of 2284	860	{24F91B53-51B7-4030-9436-1DF11BB05F6F}.exe	38
PID 860 wrote to memory of 2284	860	{24F91B53-51B7-4030-9436-1DF11BB05F6F}.exe	38
PID 860 wrote to memory of 1728	860	{24F91B53-51B7-4030-9436-1DF11BB05F6F}.exe	39
PID 860 wrote to memory of 1728	860	{24F91B53-51B7-4030-9436-1DF11BB05F6F}.exe	39
PID 860 wrote to memory of 1728	860	{24F91B53-51B7-4030-9436-1DF11BB05F6F}.exe	39
PID 860 wrote to memory of 1728	860	{24F91B53-51B7-4030-9436-1DF11BB05F6F}.exe	39
PID 2284 wrote to memory of 2632	2284	{EA27460C-4B44-4085-84DB-F325C700DF00}.exe	40
PID 2284 wrote to memory of 2632	2284	{EA27460C-4B44-4085-84DB-F325C700DF00}.exe	40
PID 2284 wrote to memory of 2632	2284	{EA27460C-4B44-4085-84DB-F325C700DF00}.exe	40
PID 2284 wrote to memory of 2632	2284	{EA27460C-4B44-4085-84DB-F325C700DF00}.exe	40
PID 2284 wrote to memory of 2264	2284	{EA27460C-4B44-4085-84DB-F325C700DF00}.exe	41
PID 2284 wrote to memory of 2264	2284	{EA27460C-4B44-4085-84DB-F325C700DF00}.exe	41
PID 2284 wrote to memory of 2264	2284	{EA27460C-4B44-4085-84DB-F325C700DF00}.exe	41
PID 2284 wrote to memory of 2264	2284	{EA27460C-4B44-4085-84DB-F325C700DF00}.exe	41
PID 2632 wrote to memory of 1292	2632	{E4835DFB-28EF-4bcf-A16F-3887BA5524AA}.exe	42
PID 2632 wrote to memory of 1292	2632	{E4835DFB-28EF-4bcf-A16F-3887BA5524AA}.exe	42
PID 2632 wrote to memory of 1292	2632	{E4835DFB-28EF-4bcf-A16F-3887BA5524AA}.exe	42
PID 2632 wrote to memory of 1292	2632	{E4835DFB-28EF-4bcf-A16F-3887BA5524AA}.exe	42
PID 2632 wrote to memory of 1792	2632	{E4835DFB-28EF-4bcf-A16F-3887BA5524AA}.exe	43
PID 2632 wrote to memory of 1792	2632	{E4835DFB-28EF-4bcf-A16F-3887BA5524AA}.exe	43
PID 2632 wrote to memory of 1792	2632	{E4835DFB-28EF-4bcf-A16F-3887BA5524AA}.exe	43
PID 2632 wrote to memory of 1792	2632	{E4835DFB-28EF-4bcf-A16F-3887BA5524AA}.exe	43
PID 1292 wrote to memory of 1848	1292	{F6D7AE28-A4EE-4f39-BE3A-B8AEA702B7AB}.exe	44
PID 1292 wrote to memory of 1848	1292	{F6D7AE28-A4EE-4f39-BE3A-B8AEA702B7AB}.exe	44
PID 1292 wrote to memory of 1848	1292	{F6D7AE28-A4EE-4f39-BE3A-B8AEA702B7AB}.exe	44
PID 1292 wrote to memory of 1848	1292	{F6D7AE28-A4EE-4f39-BE3A-B8AEA702B7AB}.exe	44
PID 1292 wrote to memory of 2180	1292	{F6D7AE28-A4EE-4f39-BE3A-B8AEA702B7AB}.exe	45
PID 1292 wrote to memory of 2180	1292	{F6D7AE28-A4EE-4f39-BE3A-B8AEA702B7AB}.exe	45
PID 1292 wrote to memory of 2180	1292	{F6D7AE28-A4EE-4f39-BE3A-B8AEA702B7AB}.exe	45
PID 1292 wrote to memory of 2180	1292	{F6D7AE28-A4EE-4f39-BE3A-B8AEA702B7AB}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-04-15_419dbd3a2cad42630f6e868b4bb7dbba_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-15_419dbd3a2cad42630f6e868b4bb7dbba_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1760
- C:\Windows\{92339183-1335-4032-8BF2-22278031C387}.exe
  C:\Windows\{92339183-1335-4032-8BF2-22278031C387}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2032
- - C:\Windows\{BAA0106D-EF58-438d-84E3-DDDEC5EC42A7}.exe
    C:\Windows\{BAA0106D-EF58-438d-84E3-DDDEC5EC42A7}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2616
  - - C:\Windows\{89712BDB-20CB-478f-A0FA-FC7325CB4F9A}.exe
      C:\Windows\{89712BDB-20CB-478f-A0FA-FC7325CB4F9A}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2468
    - - C:\Windows\{24F91B53-51B7-4030-9436-1DF11BB05F6F}.exe
        
        C:\Windows\{24F91B53-51B7-4030-9436-1DF11BB05F6F}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:860
      - C:\Windows\{EA27460C-4B44-4085-84DB-F325C700DF00}.exe
        
        C:\Windows\{EA27460C-4B44-4085-84DB-F325C700DF00}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2284
        
        C:\Windows\{E4835DFB-28EF-4bcf-A16F-3887BA5524AA}.exe
        
        C:\Windows\{E4835DFB-28EF-4bcf-A16F-3887BA5524AA}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2632
        
        C:\Windows\{F6D7AE28-A4EE-4f39-BE3A-B8AEA702B7AB}.exe
        
        C:\Windows\{F6D7AE28-A4EE-4f39-BE3A-B8AEA702B7AB}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1292
        
        C:\Windows\{9CB4CB28-E871-4e4e-9C0F-57D7D73D4A54}.exe
        
        C:\Windows\{9CB4CB28-E871-4e4e-9C0F-57D7D73D4A54}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1848
        
        C:\Windows\{EDB00D9A-5707-43ac-A272-E86E1F769DC4}.exe
        
        C:\Windows\{EDB00D9A-5707-43ac-A272-E86E1F769DC4}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1624
        
        C:\Windows\{07C60094-15C1-421a-99D8-17BABAC12B36}.exe
        
        C:\Windows\{07C60094-15C1-421a-99D8-17BABAC12B36}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2044
        
        C:\Windows\{1B37FA23-AD65-4d16-90F6-46970BE517A8}.exe
        
        C:\Windows\{1B37FA23-AD65-4d16-90F6-46970BE517A8}.exe
        12⤵
        Executes dropped EXE
        
        PID:476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{07C60~1.EXE > nul
        12⤵
        
        PID:1152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EDB00~1.EXE > nul
        11⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9CB4C~1.EXE > nul
        10⤵
        
        PID:832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F6D7A~1.EXE > nul
        9⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E4835~1.EXE > nul
        8⤵
        
        PID:1792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EA274~1.EXE > nul
        7⤵
        
        PID:2264
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{24F91~1.EXE > nul
        6⤵
        
        PID:1728
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{89712~1.EXE > nul
        5⤵
        
        PID:572
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{BAA01~1.EXE > nul
      4⤵
      PID:2844
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{92339~1.EXE > nul
    3⤵
    PID:2560
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{07C60094-15C1-421a-99D8-17BABAC12B36}.exe

Filesize
408KB

MD5
9f4651e8fdd0e9789d5cadfcb75ee383

SHA1
8c3d8fcef0476b91a3993f0d4b209aae32e3916a

SHA256
e0f7586543755dc1c621024a8402bef75c2b911e5ce17c1fb3367fb6a291fb7a

SHA512
9e148695acef8996f591bb8174aa3b023cf88dc50ae15a12c201aa68f026120a849cb9a6b697ec492327a982c62493d8c8dfe9d7f6644c28a981557fb316d1f4

Download Submit
C:\Windows\{1B37FA23-AD65-4d16-90F6-46970BE517A8}.exe

Filesize
408KB

MD5
639f2d8c4b6f0820ccb96ced626779af

SHA1
362e792a15396c7d126d95d4c0d67bd5790a4213

SHA256
5ab8ee6a95f16d01bbc1144744384b9dd2a2d3bc7be7be5552627a5cd40fd034

SHA512
c2e2b3633d3e2dedf5bf718cb09ca090f4005799381a70557ea227fbda4c0d192508980e7cd38b84ac15267dadabf23a8f93e5ecff915f192396cc079c12443e

Download Submit
C:\Windows\{24F91B53-51B7-4030-9436-1DF11BB05F6F}.exe

Filesize
408KB

MD5
67b334243ff7ef141a699e9faff48e8a

SHA1
469ab4dae1dbc8aa94d3ef4ceed2b1d275f3f884

SHA256
9076b199cd53a9e41a30c2fc3347aa40c4527b9dcf0b7314be7a2a8886bf825c

SHA512
c10860732e188152235a64a090315ba613d3bb139ff879e5b45bdb527e7e50a75ed8c83570e808b35f3f29c8afaba0d3703125584d299d02233df21681f2fb37

Download Submit
C:\Windows\{89712BDB-20CB-478f-A0FA-FC7325CB4F9A}.exe

Filesize
408KB

MD5
26def61833749c8b0d91ea6bc23e1c7f

SHA1
8a46f8230e4e8d6afa288879778f90cd8e496271

SHA256
d186383f8281c8652971c68ae5f8394a4c3282af8d8bb299649dc0d93f29c256

SHA512
3f6ca30e8454a2a4a30e45fb267e77231e2b9715d728d5f76d07262c904949cbf1cdfa6a1dd1e124fda47bb08e8e6e453d5bb77ed746e788aa122ad7f7a82afe

Download Submit
C:\Windows\{92339183-1335-4032-8BF2-22278031C387}.exe

Filesize
408KB

MD5
2f7906322f92dcea97e0713e199899e0

SHA1
7527500fa792d2731de6efb7d0e4eb4963a2bf31

SHA256
f587846641167c51b0f22e44c217281b265836cd91b264bdd780e536544a43f5

SHA512
dfe3b2e98ccc31ca92da22610cf54621bf18cd474a2e487755c236eeef938fb85ec601a340678fa7d18c1a738dc44760173762ef197ee428c93a0642eeab9099

Download Submit
C:\Windows\{9CB4CB28-E871-4e4e-9C0F-57D7D73D4A54}.exe

Filesize
408KB

MD5
20f870b47b2163294813d8892fc1e8ea

SHA1
03fb8001c6baf16e8b6b12962e184352c11f4b7e

SHA256
ad8b4ed783e6064b22080c974330f77578582d9f58ae1bd372555e3fda92ec80

SHA512
dc05137a698147398ca143334c8e3e40cc8b499f9c96d2e93680b19b4508c0230944436de5aba2d2cfcbefbce850bd4116da58dc31131c176c3efb0205d8adb2

Download Submit
C:\Windows\{BAA0106D-EF58-438d-84E3-DDDEC5EC42A7}.exe

Filesize
408KB

MD5
e8916b0854f897d70b40b860bf2c5a66

SHA1
1d153aebb85bc6574e51382ce23c0532a0c16f66

SHA256
eae84b3ce345ca583c44a8c98a0b5c72e25bea8436ff36d71c1a81eaa3311c6e

SHA512
b1c3a02b6b352bcc3785f7f18315d47d8a5c42693358701ffb91684056e1182de651d7408b2601171a179a465c0dbbf1c8a07e5de33008d34e96ae0141e8d31c

Download Submit
C:\Windows\{E4835DFB-28EF-4bcf-A16F-3887BA5524AA}.exe

Filesize
408KB

MD5
08c5f4e5965457c9600ba97a16906a63

SHA1
73ad815eaf48524ffac0f8d27791e03d1412ab4d

SHA256
41e340871c74769a6896fedf4250c6ca1ede72b18b20da4f74c1dd5ab5e7ae47

SHA512
c2b23e89218b9525b6c0275af9aa70133ddcded595fc4bc6c7def09fa0a58872f7d461f2ee79e811d55b985f50240f59e616098524ae1479818dce7b1ecadcd8

Download Submit
C:\Windows\{EA27460C-4B44-4085-84DB-F325C700DF00}.exe

Filesize
408KB

MD5
3c0b280852a0f191ecaf6b964b13e5bc

SHA1
4423d65742f7b39542272cfea810861e90fe7157

SHA256
60744903028b38bab3cfb54fafd5e156b521226d7397195703a5284091682127

SHA512
c47a272df33eccfd562cdb90d278d38e3770850916cf30d07a71b82d47ad4a08ec31522d5c4378be19840289327ae4e37543534678df6abcc0f9f8436d379666

Download Submit
C:\Windows\{EDB00D9A-5707-43ac-A272-E86E1F769DC4}.exe

Filesize
408KB

MD5
4c66bc13751b73e6ee315c63de23cbb1

SHA1
950016724fb19c31c1a645790d11f9b44d4469e5

SHA256
4aebbdb549a66a8d69ea55115946cc06c27b6f01bbe8b2f75c210081eff1eaf5

SHA512
30fb79b21fddd77e9b0ffb9ab233399974ec45dbc70e5b190c16c8b1ff44522001d4366a2445ad402fd1bde2027e397e436957e76daa095a792b935781903a5e

Download Submit
C:\Windows\{F6D7AE28-A4EE-4f39-BE3A-B8AEA702B7AB}.exe

Filesize
408KB

MD5
17796ad7617155f635f9fa725f9cff88

SHA1
9eac6e7d00bc5d4ab75ff8724054dad37aeba4d6

SHA256
cb41154eb8c59d663f24842d0110acaa6dbf1d08da34ed8dda4fde666dd1db37

SHA512
da8e4c33b866da79a460c88896c3d736392f95c37960b8cb72a0691918ce82a48ab804335114e45babb3a7432b244b507bb6b0f0957b306022bff28dad470d7e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads