540ea6eefec94453d488fe12c9ec2a36f4c890541b1610011c5cc60a1f45055b

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
17/04/2024, 15:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-17_c1c914b974832a5132dcd0194d17c0bd_goldeneye.exe
Size

344KB
MD5

c1c914b974832a5132dcd0194d17c0bd
SHA1

30940967c9c03d281e0f501a765ac44d9d3d3185
SHA256

540ea6eefec94453d488fe12c9ec2a36f4c890541b1610011c5cc60a1f45055b
SHA512

fcb180e9b2853e4ab245c18ceed60c235ef04c2864a9e4805e86dab8ed4bcac7a9cf3c86f5dfa36a1af48f5350c48d4c5e584e29bf8eef29d854c6e0e16d7ef1
SSDEEP

3072:mEGh0oslEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEG+lqOe2MUVg3v2IneKcAEcA

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000c000000012339-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c00000001470b-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000012339-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0032000000014e5a-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e000000012339-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f000000012339-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-60.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0010000000012339-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B77490FE-9680-4d8f-B78F-1A607A393EBA}	{7B42D5FF-2F72-4872-A343-FB89A028B9A0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{02748BEF-0381-4498-96FF-7140F7A32AF3}	{B77490FE-9680-4d8f-B78F-1A607A393EBA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F7ADE8C7-6D34-4a0d-8D15-5849E2E4073A}\stubpath = "C:\\Windows\\{F7ADE8C7-6D34-4a0d-8D15-5849E2E4073A}.exe"	{02748BEF-0381-4498-96FF-7140F7A32AF3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CA86F184-92B7-43eb-99AC-DBA266932B2E}\stubpath = "C:\\Windows\\{CA86F184-92B7-43eb-99AC-DBA266932B2E}.exe"	{F7ADE8C7-6D34-4a0d-8D15-5849E2E4073A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2E4A18FB-D6B1-40a6-ABD3-5A8E0BFCAC14}	{CA86F184-92B7-43eb-99AC-DBA266932B2E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5F779250-BB46-478b-B18E-7DB5435E52E3}	2024-04-17_c1c914b974832a5132dcd0194d17c0bd_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{02748BEF-0381-4498-96FF-7140F7A32AF3}\stubpath = "C:\\Windows\\{02748BEF-0381-4498-96FF-7140F7A32AF3}.exe"	{B77490FE-9680-4d8f-B78F-1A607A393EBA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F7ADE8C7-6D34-4a0d-8D15-5849E2E4073A}	{02748BEF-0381-4498-96FF-7140F7A32AF3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2E4A18FB-D6B1-40a6-ABD3-5A8E0BFCAC14}\stubpath = "C:\\Windows\\{2E4A18FB-D6B1-40a6-ABD3-5A8E0BFCAC14}.exe"	{CA86F184-92B7-43eb-99AC-DBA266932B2E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{68D83F2C-727F-4675-80B3-6CE34FE28A22}	{28579091-ECC2-4d3c-91F9-18CD7D623099}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D703C665-54B5-4428-805B-6A97779EBBDE}	{08CB0C57-D332-444f-A213-5005C4B674F4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{08CB0C57-D332-444f-A213-5005C4B674F4}\stubpath = "C:\\Windows\\{08CB0C57-D332-444f-A213-5005C4B674F4}.exe"	{68D83F2C-727F-4675-80B3-6CE34FE28A22}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5F779250-BB46-478b-B18E-7DB5435E52E3}\stubpath = "C:\\Windows\\{5F779250-BB46-478b-B18E-7DB5435E52E3}.exe"	2024-04-17_c1c914b974832a5132dcd0194d17c0bd_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7B42D5FF-2F72-4872-A343-FB89A028B9A0}\stubpath = "C:\\Windows\\{7B42D5FF-2F72-4872-A343-FB89A028B9A0}.exe"	{5F779250-BB46-478b-B18E-7DB5435E52E3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B77490FE-9680-4d8f-B78F-1A607A393EBA}\stubpath = "C:\\Windows\\{B77490FE-9680-4d8f-B78F-1A607A393EBA}.exe"	{7B42D5FF-2F72-4872-A343-FB89A028B9A0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CA86F184-92B7-43eb-99AC-DBA266932B2E}	{F7ADE8C7-6D34-4a0d-8D15-5849E2E4073A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{28579091-ECC2-4d3c-91F9-18CD7D623099}	{2E4A18FB-D6B1-40a6-ABD3-5A8E0BFCAC14}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{28579091-ECC2-4d3c-91F9-18CD7D623099}\stubpath = "C:\\Windows\\{28579091-ECC2-4d3c-91F9-18CD7D623099}.exe"	{2E4A18FB-D6B1-40a6-ABD3-5A8E0BFCAC14}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{08CB0C57-D332-444f-A213-5005C4B674F4}	{68D83F2C-727F-4675-80B3-6CE34FE28A22}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D703C665-54B5-4428-805B-6A97779EBBDE}\stubpath = "C:\\Windows\\{D703C665-54B5-4428-805B-6A97779EBBDE}.exe"	{08CB0C57-D332-444f-A213-5005C4B674F4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7B42D5FF-2F72-4872-A343-FB89A028B9A0}	{5F779250-BB46-478b-B18E-7DB5435E52E3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{68D83F2C-727F-4675-80B3-6CE34FE28A22}\stubpath = "C:\\Windows\\{68D83F2C-727F-4675-80B3-6CE34FE28A22}.exe"	{28579091-ECC2-4d3c-91F9-18CD7D623099}.exe

Deletes itself 1 IoCs

pid	Process
3000	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2724	{5F779250-BB46-478b-B18E-7DB5435E52E3}.exe
2500	{7B42D5FF-2F72-4872-A343-FB89A028B9A0}.exe
2744	{B77490FE-9680-4d8f-B78F-1A607A393EBA}.exe
780	{02748BEF-0381-4498-96FF-7140F7A32AF3}.exe
2828	{F7ADE8C7-6D34-4a0d-8D15-5849E2E4073A}.exe
1568	{CA86F184-92B7-43eb-99AC-DBA266932B2E}.exe
240	{2E4A18FB-D6B1-40a6-ABD3-5A8E0BFCAC14}.exe
1720	{28579091-ECC2-4d3c-91F9-18CD7D623099}.exe
3016	{68D83F2C-727F-4675-80B3-6CE34FE28A22}.exe
1828	{08CB0C57-D332-444f-A213-5005C4B674F4}.exe
1424	{D703C665-54B5-4428-805B-6A97779EBBDE}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{68D83F2C-727F-4675-80B3-6CE34FE28A22}.exe	{28579091-ECC2-4d3c-91F9-18CD7D623099}.exe
File created	C:\Windows\{08CB0C57-D332-444f-A213-5005C4B674F4}.exe	{68D83F2C-727F-4675-80B3-6CE34FE28A22}.exe
File created	C:\Windows\{5F779250-BB46-478b-B18E-7DB5435E52E3}.exe	2024-04-17_c1c914b974832a5132dcd0194d17c0bd_goldeneye.exe
File created	C:\Windows\{7B42D5FF-2F72-4872-A343-FB89A028B9A0}.exe	{5F779250-BB46-478b-B18E-7DB5435E52E3}.exe
File created	C:\Windows\{02748BEF-0381-4498-96FF-7140F7A32AF3}.exe	{B77490FE-9680-4d8f-B78F-1A607A393EBA}.exe
File created	C:\Windows\{2E4A18FB-D6B1-40a6-ABD3-5A8E0BFCAC14}.exe	{CA86F184-92B7-43eb-99AC-DBA266932B2E}.exe
File created	C:\Windows\{28579091-ECC2-4d3c-91F9-18CD7D623099}.exe	{2E4A18FB-D6B1-40a6-ABD3-5A8E0BFCAC14}.exe
File created	C:\Windows\{B77490FE-9680-4d8f-B78F-1A607A393EBA}.exe	{7B42D5FF-2F72-4872-A343-FB89A028B9A0}.exe
File created	C:\Windows\{F7ADE8C7-6D34-4a0d-8D15-5849E2E4073A}.exe	{02748BEF-0381-4498-96FF-7140F7A32AF3}.exe
File created	C:\Windows\{CA86F184-92B7-43eb-99AC-DBA266932B2E}.exe	{F7ADE8C7-6D34-4a0d-8D15-5849E2E4073A}.exe
File created	C:\Windows\{D703C665-54B5-4428-805B-6A97779EBBDE}.exe	{08CB0C57-D332-444f-A213-5005C4B674F4}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2292	2024-04-17_c1c914b974832a5132dcd0194d17c0bd_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2724	{5F779250-BB46-478b-B18E-7DB5435E52E3}.exe
Token: SeIncBasePriorityPrivilege	2500	{7B42D5FF-2F72-4872-A343-FB89A028B9A0}.exe
Token: SeIncBasePriorityPrivilege	2744	{B77490FE-9680-4d8f-B78F-1A607A393EBA}.exe
Token: SeIncBasePriorityPrivilege	780	{02748BEF-0381-4498-96FF-7140F7A32AF3}.exe
Token: SeIncBasePriorityPrivilege	2828	{F7ADE8C7-6D34-4a0d-8D15-5849E2E4073A}.exe
Token: SeIncBasePriorityPrivilege	1568	{CA86F184-92B7-43eb-99AC-DBA266932B2E}.exe
Token: SeIncBasePriorityPrivilege	240	{2E4A18FB-D6B1-40a6-ABD3-5A8E0BFCAC14}.exe
Token: SeIncBasePriorityPrivilege	1720	{28579091-ECC2-4d3c-91F9-18CD7D623099}.exe
Token: SeIncBasePriorityPrivilege	3016	{68D83F2C-727F-4675-80B3-6CE34FE28A22}.exe
Token: SeIncBasePriorityPrivilege	1828	{08CB0C57-D332-444f-A213-5005C4B674F4}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2292 wrote to memory of 2724	2292	2024-04-17_c1c914b974832a5132dcd0194d17c0bd_goldeneye.exe	28
PID 2292 wrote to memory of 2724	2292	2024-04-17_c1c914b974832a5132dcd0194d17c0bd_goldeneye.exe	28
PID 2292 wrote to memory of 2724	2292	2024-04-17_c1c914b974832a5132dcd0194d17c0bd_goldeneye.exe	28
PID 2292 wrote to memory of 2724	2292	2024-04-17_c1c914b974832a5132dcd0194d17c0bd_goldeneye.exe	28
PID 2292 wrote to memory of 3000	2292	2024-04-17_c1c914b974832a5132dcd0194d17c0bd_goldeneye.exe	29
PID 2292 wrote to memory of 3000	2292	2024-04-17_c1c914b974832a5132dcd0194d17c0bd_goldeneye.exe	29
PID 2292 wrote to memory of 3000	2292	2024-04-17_c1c914b974832a5132dcd0194d17c0bd_goldeneye.exe	29
PID 2292 wrote to memory of 3000	2292	2024-04-17_c1c914b974832a5132dcd0194d17c0bd_goldeneye.exe	29
PID 2724 wrote to memory of 2500	2724	{5F779250-BB46-478b-B18E-7DB5435E52E3}.exe	30
PID 2724 wrote to memory of 2500	2724	{5F779250-BB46-478b-B18E-7DB5435E52E3}.exe	30
PID 2724 wrote to memory of 2500	2724	{5F779250-BB46-478b-B18E-7DB5435E52E3}.exe	30
PID 2724 wrote to memory of 2500	2724	{5F779250-BB46-478b-B18E-7DB5435E52E3}.exe	30
PID 2724 wrote to memory of 2524	2724	{5F779250-BB46-478b-B18E-7DB5435E52E3}.exe	31
PID 2724 wrote to memory of 2524	2724	{5F779250-BB46-478b-B18E-7DB5435E52E3}.exe	31
PID 2724 wrote to memory of 2524	2724	{5F779250-BB46-478b-B18E-7DB5435E52E3}.exe	31
PID 2724 wrote to memory of 2524	2724	{5F779250-BB46-478b-B18E-7DB5435E52E3}.exe	31
PID 2500 wrote to memory of 2744	2500	{7B42D5FF-2F72-4872-A343-FB89A028B9A0}.exe	32
PID 2500 wrote to memory of 2744	2500	{7B42D5FF-2F72-4872-A343-FB89A028B9A0}.exe	32
PID 2500 wrote to memory of 2744	2500	{7B42D5FF-2F72-4872-A343-FB89A028B9A0}.exe	32
PID 2500 wrote to memory of 2744	2500	{7B42D5FF-2F72-4872-A343-FB89A028B9A0}.exe	32
PID 2500 wrote to memory of 2528	2500	{7B42D5FF-2F72-4872-A343-FB89A028B9A0}.exe	33
PID 2500 wrote to memory of 2528	2500	{7B42D5FF-2F72-4872-A343-FB89A028B9A0}.exe	33
PID 2500 wrote to memory of 2528	2500	{7B42D5FF-2F72-4872-A343-FB89A028B9A0}.exe	33
PID 2500 wrote to memory of 2528	2500	{7B42D5FF-2F72-4872-A343-FB89A028B9A0}.exe	33
PID 2744 wrote to memory of 780	2744	{B77490FE-9680-4d8f-B78F-1A607A393EBA}.exe	36
PID 2744 wrote to memory of 780	2744	{B77490FE-9680-4d8f-B78F-1A607A393EBA}.exe	36
PID 2744 wrote to memory of 780	2744	{B77490FE-9680-4d8f-B78F-1A607A393EBA}.exe	36
PID 2744 wrote to memory of 780	2744	{B77490FE-9680-4d8f-B78F-1A607A393EBA}.exe	36
PID 2744 wrote to memory of 2612	2744	{B77490FE-9680-4d8f-B78F-1A607A393EBA}.exe	37
PID 2744 wrote to memory of 2612	2744	{B77490FE-9680-4d8f-B78F-1A607A393EBA}.exe	37
PID 2744 wrote to memory of 2612	2744	{B77490FE-9680-4d8f-B78F-1A607A393EBA}.exe	37
PID 2744 wrote to memory of 2612	2744	{B77490FE-9680-4d8f-B78F-1A607A393EBA}.exe	37
PID 780 wrote to memory of 2828	780	{02748BEF-0381-4498-96FF-7140F7A32AF3}.exe	38
PID 780 wrote to memory of 2828	780	{02748BEF-0381-4498-96FF-7140F7A32AF3}.exe	38
PID 780 wrote to memory of 2828	780	{02748BEF-0381-4498-96FF-7140F7A32AF3}.exe	38
PID 780 wrote to memory of 2828	780	{02748BEF-0381-4498-96FF-7140F7A32AF3}.exe	38
PID 780 wrote to memory of 2908	780	{02748BEF-0381-4498-96FF-7140F7A32AF3}.exe	39
PID 780 wrote to memory of 2908	780	{02748BEF-0381-4498-96FF-7140F7A32AF3}.exe	39
PID 780 wrote to memory of 2908	780	{02748BEF-0381-4498-96FF-7140F7A32AF3}.exe	39
PID 780 wrote to memory of 2908	780	{02748BEF-0381-4498-96FF-7140F7A32AF3}.exe	39
PID 2828 wrote to memory of 1568	2828	{F7ADE8C7-6D34-4a0d-8D15-5849E2E4073A}.exe	40
PID 2828 wrote to memory of 1568	2828	{F7ADE8C7-6D34-4a0d-8D15-5849E2E4073A}.exe	40
PID 2828 wrote to memory of 1568	2828	{F7ADE8C7-6D34-4a0d-8D15-5849E2E4073A}.exe	40
PID 2828 wrote to memory of 1568	2828	{F7ADE8C7-6D34-4a0d-8D15-5849E2E4073A}.exe	40
PID 2828 wrote to memory of 1616	2828	{F7ADE8C7-6D34-4a0d-8D15-5849E2E4073A}.exe	41
PID 2828 wrote to memory of 1616	2828	{F7ADE8C7-6D34-4a0d-8D15-5849E2E4073A}.exe	41
PID 2828 wrote to memory of 1616	2828	{F7ADE8C7-6D34-4a0d-8D15-5849E2E4073A}.exe	41
PID 2828 wrote to memory of 1616	2828	{F7ADE8C7-6D34-4a0d-8D15-5849E2E4073A}.exe	41
PID 1568 wrote to memory of 240	1568	{CA86F184-92B7-43eb-99AC-DBA266932B2E}.exe	42
PID 1568 wrote to memory of 240	1568	{CA86F184-92B7-43eb-99AC-DBA266932B2E}.exe	42
PID 1568 wrote to memory of 240	1568	{CA86F184-92B7-43eb-99AC-DBA266932B2E}.exe	42
PID 1568 wrote to memory of 240	1568	{CA86F184-92B7-43eb-99AC-DBA266932B2E}.exe	42
PID 1568 wrote to memory of 1364	1568	{CA86F184-92B7-43eb-99AC-DBA266932B2E}.exe	43
PID 1568 wrote to memory of 1364	1568	{CA86F184-92B7-43eb-99AC-DBA266932B2E}.exe	43
PID 1568 wrote to memory of 1364	1568	{CA86F184-92B7-43eb-99AC-DBA266932B2E}.exe	43
PID 1568 wrote to memory of 1364	1568	{CA86F184-92B7-43eb-99AC-DBA266932B2E}.exe	43
PID 240 wrote to memory of 1720	240	{2E4A18FB-D6B1-40a6-ABD3-5A8E0BFCAC14}.exe	44
PID 240 wrote to memory of 1720	240	{2E4A18FB-D6B1-40a6-ABD3-5A8E0BFCAC14}.exe	44
PID 240 wrote to memory of 1720	240	{2E4A18FB-D6B1-40a6-ABD3-5A8E0BFCAC14}.exe	44
PID 240 wrote to memory of 1720	240	{2E4A18FB-D6B1-40a6-ABD3-5A8E0BFCAC14}.exe	44
PID 240 wrote to memory of 1576	240	{2E4A18FB-D6B1-40a6-ABD3-5A8E0BFCAC14}.exe	45
PID 240 wrote to memory of 1576	240	{2E4A18FB-D6B1-40a6-ABD3-5A8E0BFCAC14}.exe	45
PID 240 wrote to memory of 1576	240	{2E4A18FB-D6B1-40a6-ABD3-5A8E0BFCAC14}.exe	45
PID 240 wrote to memory of 1576	240	{2E4A18FB-D6B1-40a6-ABD3-5A8E0BFCAC14}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-04-17_c1c914b974832a5132dcd0194d17c0bd_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-17_c1c914b974832a5132dcd0194d17c0bd_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2292
- C:\Windows\{5F779250-BB46-478b-B18E-7DB5435E52E3}.exe
  C:\Windows\{5F779250-BB46-478b-B18E-7DB5435E52E3}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2724
- - C:\Windows\{7B42D5FF-2F72-4872-A343-FB89A028B9A0}.exe
    C:\Windows\{7B42D5FF-2F72-4872-A343-FB89A028B9A0}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2500
  - - C:\Windows\{B77490FE-9680-4d8f-B78F-1A607A393EBA}.exe
      C:\Windows\{B77490FE-9680-4d8f-B78F-1A607A393EBA}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2744
    - - C:\Windows\{02748BEF-0381-4498-96FF-7140F7A32AF3}.exe
        
        C:\Windows\{02748BEF-0381-4498-96FF-7140F7A32AF3}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:780
      - C:\Windows\{F7ADE8C7-6D34-4a0d-8D15-5849E2E4073A}.exe
        
        C:\Windows\{F7ADE8C7-6D34-4a0d-8D15-5849E2E4073A}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2828
        
        C:\Windows\{CA86F184-92B7-43eb-99AC-DBA266932B2E}.exe
        
        C:\Windows\{CA86F184-92B7-43eb-99AC-DBA266932B2E}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1568
        
        C:\Windows\{2E4A18FB-D6B1-40a6-ABD3-5A8E0BFCAC14}.exe
        
        C:\Windows\{2E4A18FB-D6B1-40a6-ABD3-5A8E0BFCAC14}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:240
        
        C:\Windows\{28579091-ECC2-4d3c-91F9-18CD7D623099}.exe
        
        C:\Windows\{28579091-ECC2-4d3c-91F9-18CD7D623099}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1720
        
        C:\Windows\{68D83F2C-727F-4675-80B3-6CE34FE28A22}.exe
        
        C:\Windows\{68D83F2C-727F-4675-80B3-6CE34FE28A22}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3016
        
        C:\Windows\{08CB0C57-D332-444f-A213-5005C4B674F4}.exe
        
        C:\Windows\{08CB0C57-D332-444f-A213-5005C4B674F4}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1828
        
        C:\Windows\{D703C665-54B5-4428-805B-6A97779EBBDE}.exe
        
        C:\Windows\{D703C665-54B5-4428-805B-6A97779EBBDE}.exe
        12⤵
        Executes dropped EXE
        
        PID:1424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{08CB0~1.EXE > nul
        12⤵
        
        PID:1836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{68D83~1.EXE > nul
        11⤵
        
        PID:600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{28579~1.EXE > nul
        10⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2E4A1~1.EXE > nul
        9⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CA86F~1.EXE > nul
        8⤵
        
        PID:1364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F7ADE~1.EXE > nul
        7⤵
        
        PID:1616
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{02748~1.EXE > nul
        6⤵
        
        PID:2908
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B7749~1.EXE > nul
        5⤵
        
        PID:2612
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{7B42D~1.EXE > nul
      4⤵
      PID:2528
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{5F779~1.EXE > nul
    3⤵
    PID:2524
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:3000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{02748BEF-0381-4498-96FF-7140F7A32AF3}.exe

Filesize
344KB

MD5
f0a92da494e3e5574fa443cfd71a8c38

SHA1
496bf6529385a83819f188c525cb9243dbcb4a73

SHA256
5ba9688572b11c5baea052f3464263d7d729acb1f0b37238e7e93ed355bd7ed4

SHA512
21a6ca92a2593906d7d84c0eb8e6f7f3eac98ef5d7ef5f52eced2021a22403f7cb303afb84e55f2062c48f8532f0cb38d7942724237ea5fb6e5b4b3a95eb6a81

Download Submit
C:\Windows\{08CB0C57-D332-444f-A213-5005C4B674F4}.exe

Filesize
344KB

MD5
48d08ec736f7f84e997233ff52069c2f

SHA1
91bdffbfa01edf10be766d47c2a2a7c55de20a63

SHA256
4c130cff3d6e58845d15c3dfde64ae776a1ccb83be53a1726c745c225dac6873

SHA512
455dbc2008310b3013d7d83489829564ef33b44e4de26881b2abcc4753a9b1983ffc3c573cb24ba4d55f5f4e936133812a58d714bb68a6b506f453f6aaab1a9c

Download Submit
C:\Windows\{28579091-ECC2-4d3c-91F9-18CD7D623099}.exe

Filesize
344KB

MD5
62a9cae86ef3c8187016ca98b52acd5e

SHA1
1070f4918478162efcb8785672b31bbe876c420a

SHA256
cd34a1b3a818dde5df222c7d2ea773b5da29f631a5d3b376bf1464eb23e2ad86

SHA512
d44c4101ae06449540d5d8ae2342202e5e301ef624e091a0d31668274a8e7c288ee637111377d92cbc3e6bb938b12fd4a52a8b58ed219358f4df1e3dd9a95541

Download Submit
C:\Windows\{2E4A18FB-D6B1-40a6-ABD3-5A8E0BFCAC14}.exe

Filesize
344KB

MD5
e21fc6249e1881c52cf735c00948a662

SHA1
5e7539001754e0e1a505836f53cc4a59bb8e58b3

SHA256
473ed0a82b2c2738b334ec4e7b3930de19bcf7af599f113be5890b68debd0249

SHA512
2ec22fbc6f0af995990a6bceb3ab6bfad0a06326ec88e7169cf3114c917f50fa5e8d8980c332744163ac28c40546bba1e9328f938f093c7224c675d38f6e0aff

Download Submit
C:\Windows\{5F779250-BB46-478b-B18E-7DB5435E52E3}.exe

Filesize
344KB

MD5
ea038de5c907bfaffe4f873b30c4799d

SHA1
dd2a6ac666406a5775ec9dd1f36896c399088a99

SHA256
0e675192c284211d6f2e76cc9604284d887139a76cbc599bfe99cecddff5dd8a

SHA512
cb0aa450007813a49eb54a12e2cbf5cf24b6f1e37c3c2ba82ec6e0c258fd1cef26e14c0e30575f16754708ecb6a55fac4d613158e9e6c33684514475b68a5332

Download Submit
C:\Windows\{68D83F2C-727F-4675-80B3-6CE34FE28A22}.exe

Filesize
344KB

MD5
f299cbe33c46a99c1965d85ef254e713

SHA1
47af2b907473ad98c91abf0ce8befe6c8f774499

SHA256
be34bdeb082bd9f541ec796bacef851fff269611a64e0541b65cbf6d11a9e02c

SHA512
99fa0fe770a9362e788d8054293259dadbffa3746cf379d4e998d1cb26c7e3a39bb332cf2c93f30281d44a4c13cd3eac2656166b2a9191ac1346a538ebd08dba

Download Submit
C:\Windows\{7B42D5FF-2F72-4872-A343-FB89A028B9A0}.exe

Filesize
344KB

MD5
90a87d143dd44cb987bdcd5c41341873

SHA1
57c6966ab734e534d0ac743c962e22174f5afdab

SHA256
0a9f44923449ab7d18bbac1353d6521ba6fdb61aeb64bf85fbe071b89ed903a0

SHA512
089c5c7c988deebdb8faf3820e969732809f3fd27bf19c952b20293e4753deec268ec9c70069cf3f14b7be5a96ba6cf0c345e275e2a1a344cfa1f522420f3618

Download Submit
C:\Windows\{B77490FE-9680-4d8f-B78F-1A607A393EBA}.exe

Filesize
344KB

MD5
e757aa5d05e687a30d9edf265cedb1fc

SHA1
cb4b8598dd901cc0eda4cf78b1440f1bebf1b403

SHA256
35a5b1feba9acd88697afa13052fe0e56991c2889f9865fdf8fba41b633cfc41

SHA512
ea211ddabb0507bf65eb4fd2fb4726c8f949fb472768c6be395fa38fd5c60a718e399151949d2e603baf99f336453fd8906302d22a314d3278b4904d4402afff

Download Submit
C:\Windows\{CA86F184-92B7-43eb-99AC-DBA266932B2E}.exe

Filesize
344KB

MD5
800e184355a81f6437a5bb255396a151

SHA1
e9941c8bd7c194d316da9267929ba6401ae9d430

SHA256
656e0b16a6309bba549f9b614b242b4a904b0cf51f2a9a3be4b6f643c0fa4095

SHA512
ab949ad5410ba14c5b7a6aeb6029319d60ac437b97cfdcca23cda035c95a5157dd4025686d38c7c26fa207433490cdd892f4f0dfdbec2e68eb0df716a6084228

Download Submit
C:\Windows\{D703C665-54B5-4428-805B-6A97779EBBDE}.exe

Filesize
344KB

MD5
8af2c4a28263d958315da53402614c56

SHA1
1bb63306e17499cba72f61e1628e9412c30ae7ef

SHA256
023306cdd95c68932f5c8cd7cc371eaea83f4c78d964822e1d89ff947612c677

SHA512
9bbfcd191692cfea1350565c09414e8569d8f9d8c6ea6d1bef21822e1be5597e5796710e393702b2d25742a855947e64724e1e7de49221e16bdeaadcf0a4063f

Download Submit
C:\Windows\{F7ADE8C7-6D34-4a0d-8D15-5849E2E4073A}.exe

Filesize
344KB

MD5
da6a7dc70f67ad900d2ef7cf4130264e

SHA1
810b7d29380f6d3785e935b25031928a0373872c

SHA256
0aa675597a50cdfba6d23e601e55367b6e3712912e7ddb47f9403acd0aba7ed1

SHA512
30cfd13cb95a50a106948ce5e72cd56bced4ae6abcf4fd36e70a1b6b94388e751653e78de51774181fdf52f144caf2eb89997ead81ac0b4aa53049e1b8f18c7c

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads