a5e6410326177c043ac910f44638e47a2c4d1168ca078f8c3cebc291fa27ea82

Analysis

max time kernel
144s
max time network
120s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
20/04/2024, 04:08

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-04-20_e56684e28f1b5026c80bec98d16052ef_goldeneye.exe
Size

380KB
MD5

e56684e28f1b5026c80bec98d16052ef
SHA1

a4f30e293064b2a46d241cab79a55954a9585f52
SHA256

a5e6410326177c043ac910f44638e47a2c4d1168ca078f8c3cebc291fa27ea82
SHA512

099e83088184f9e438ac076ab0c15051ec54cde8e26698cdd7950f640aa9cfd12447ecd95b047b89c5466e90a468d8e9c896985662a52e13656283239cc5a33a
SSDEEP

3072:mEGh0ovlPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGBl7Oe2MUVg3v2IneKcAEcARy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000c000000016056-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00220000000167ef-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000016056-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e000000016056-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f000000016056-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0010000000016056-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0011000000016056-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{34FC6143-BA4D-4cab-80F2-E3E48296602B}	{7F798B0E-26FD-44c5-AA7A-5545F12CD82D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{34FC6143-BA4D-4cab-80F2-E3E48296602B}\stubpath = "C:\\Windows\\{34FC6143-BA4D-4cab-80F2-E3E48296602B}.exe"	{7F798B0E-26FD-44c5-AA7A-5545F12CD82D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0C8E5463-4F8A-415b-8292-E891112622D4}\stubpath = "C:\\Windows\\{0C8E5463-4F8A-415b-8292-E891112622D4}.exe"	{419D8FF6-F920-4c56-A189-7BF8D394157E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F9877829-60C2-4bf6-B035-112D5E82B23F}	{0C8E5463-4F8A-415b-8292-E891112622D4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4642B6FC-CA48-4f5b-9B48-18C6C5970473}	{62AF9D0E-2C14-4656-9E8C-148959B2B313}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4642B6FC-CA48-4f5b-9B48-18C6C5970473}\stubpath = "C:\\Windows\\{4642B6FC-CA48-4f5b-9B48-18C6C5970473}.exe"	{62AF9D0E-2C14-4656-9E8C-148959B2B313}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F9877829-60C2-4bf6-B035-112D5E82B23F}\stubpath = "C:\\Windows\\{F9877829-60C2-4bf6-B035-112D5E82B23F}.exe"	{0C8E5463-4F8A-415b-8292-E891112622D4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{870BEBF0-B4EA-4c29-8127-91FCC11044EC}	{F9877829-60C2-4bf6-B035-112D5E82B23F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7F798B0E-26FD-44c5-AA7A-5545F12CD82D}\stubpath = "C:\\Windows\\{7F798B0E-26FD-44c5-AA7A-5545F12CD82D}.exe"	{4642B6FC-CA48-4f5b-9B48-18C6C5970473}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2D7423D8-A37A-4751-8C2D-6B60B598856C}\stubpath = "C:\\Windows\\{2D7423D8-A37A-4751-8C2D-6B60B598856C}.exe"	2024-04-20_e56684e28f1b5026c80bec98d16052ef_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{07338175-0AB4-435b-88A4-81A055C882D2}\stubpath = "C:\\Windows\\{07338175-0AB4-435b-88A4-81A055C882D2}.exe"	{2D7423D8-A37A-4751-8C2D-6B60B598856C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{419D8FF6-F920-4c56-A189-7BF8D394157E}	{07338175-0AB4-435b-88A4-81A055C882D2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0C8E5463-4F8A-415b-8292-E891112622D4}	{419D8FF6-F920-4c56-A189-7BF8D394157E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A5517183-1EC4-4d2e-823D-017F43C24F35}\stubpath = "C:\\Windows\\{A5517183-1EC4-4d2e-823D-017F43C24F35}.exe"	{870BEBF0-B4EA-4c29-8127-91FCC11044EC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7F798B0E-26FD-44c5-AA7A-5545F12CD82D}	{4642B6FC-CA48-4f5b-9B48-18C6C5970473}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A5517183-1EC4-4d2e-823D-017F43C24F35}	{870BEBF0-B4EA-4c29-8127-91FCC11044EC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{62AF9D0E-2C14-4656-9E8C-148959B2B313}	{A5517183-1EC4-4d2e-823D-017F43C24F35}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{62AF9D0E-2C14-4656-9E8C-148959B2B313}\stubpath = "C:\\Windows\\{62AF9D0E-2C14-4656-9E8C-148959B2B313}.exe"	{A5517183-1EC4-4d2e-823D-017F43C24F35}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2D7423D8-A37A-4751-8C2D-6B60B598856C}	2024-04-20_e56684e28f1b5026c80bec98d16052ef_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{07338175-0AB4-435b-88A4-81A055C882D2}	{2D7423D8-A37A-4751-8C2D-6B60B598856C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{419D8FF6-F920-4c56-A189-7BF8D394157E}\stubpath = "C:\\Windows\\{419D8FF6-F920-4c56-A189-7BF8D394157E}.exe"	{07338175-0AB4-435b-88A4-81A055C882D2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{870BEBF0-B4EA-4c29-8127-91FCC11044EC}\stubpath = "C:\\Windows\\{870BEBF0-B4EA-4c29-8127-91FCC11044EC}.exe"	{F9877829-60C2-4bf6-B035-112D5E82B23F}.exe

Deletes itself 1 IoCs

pid	Process
2524	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2076	{2D7423D8-A37A-4751-8C2D-6B60B598856C}.exe
2508	{07338175-0AB4-435b-88A4-81A055C882D2}.exe
2420	{419D8FF6-F920-4c56-A189-7BF8D394157E}.exe
1592	{0C8E5463-4F8A-415b-8292-E891112622D4}.exe
796	{F9877829-60C2-4bf6-B035-112D5E82B23F}.exe
1484	{870BEBF0-B4EA-4c29-8127-91FCC11044EC}.exe
2208	{A5517183-1EC4-4d2e-823D-017F43C24F35}.exe
1552	{62AF9D0E-2C14-4656-9E8C-148959B2B313}.exe
2816	{4642B6FC-CA48-4f5b-9B48-18C6C5970473}.exe
1040	{7F798B0E-26FD-44c5-AA7A-5545F12CD82D}.exe
1664	{34FC6143-BA4D-4cab-80F2-E3E48296602B}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{62AF9D0E-2C14-4656-9E8C-148959B2B313}.exe	{A5517183-1EC4-4d2e-823D-017F43C24F35}.exe
File created	C:\Windows\{4642B6FC-CA48-4f5b-9B48-18C6C5970473}.exe	{62AF9D0E-2C14-4656-9E8C-148959B2B313}.exe
File created	C:\Windows\{0C8E5463-4F8A-415b-8292-E891112622D4}.exe	{419D8FF6-F920-4c56-A189-7BF8D394157E}.exe
File created	C:\Windows\{A5517183-1EC4-4d2e-823D-017F43C24F35}.exe	{870BEBF0-B4EA-4c29-8127-91FCC11044EC}.exe
File created	C:\Windows\{419D8FF6-F920-4c56-A189-7BF8D394157E}.exe	{07338175-0AB4-435b-88A4-81A055C882D2}.exe
File created	C:\Windows\{F9877829-60C2-4bf6-B035-112D5E82B23F}.exe	{0C8E5463-4F8A-415b-8292-E891112622D4}.exe
File created	C:\Windows\{870BEBF0-B4EA-4c29-8127-91FCC11044EC}.exe	{F9877829-60C2-4bf6-B035-112D5E82B23F}.exe
File created	C:\Windows\{7F798B0E-26FD-44c5-AA7A-5545F12CD82D}.exe	{4642B6FC-CA48-4f5b-9B48-18C6C5970473}.exe
File created	C:\Windows\{34FC6143-BA4D-4cab-80F2-E3E48296602B}.exe	{7F798B0E-26FD-44c5-AA7A-5545F12CD82D}.exe
File created	C:\Windows\{2D7423D8-A37A-4751-8C2D-6B60B598856C}.exe	2024-04-20_e56684e28f1b5026c80bec98d16052ef_goldeneye.exe
File created	C:\Windows\{07338175-0AB4-435b-88A4-81A055C882D2}.exe	{2D7423D8-A37A-4751-8C2D-6B60B598856C}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2932	2024-04-20_e56684e28f1b5026c80bec98d16052ef_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2076	{2D7423D8-A37A-4751-8C2D-6B60B598856C}.exe
Token: SeIncBasePriorityPrivilege	2508	{07338175-0AB4-435b-88A4-81A055C882D2}.exe
Token: SeIncBasePriorityPrivilege	2420	{419D8FF6-F920-4c56-A189-7BF8D394157E}.exe
Token: SeIncBasePriorityPrivilege	1592	{0C8E5463-4F8A-415b-8292-E891112622D4}.exe
Token: SeIncBasePriorityPrivilege	796	{F9877829-60C2-4bf6-B035-112D5E82B23F}.exe
Token: SeIncBasePriorityPrivilege	1484	{870BEBF0-B4EA-4c29-8127-91FCC11044EC}.exe
Token: SeIncBasePriorityPrivilege	2208	{A5517183-1EC4-4d2e-823D-017F43C24F35}.exe
Token: SeIncBasePriorityPrivilege	1552	{62AF9D0E-2C14-4656-9E8C-148959B2B313}.exe
Token: SeIncBasePriorityPrivilege	2816	{4642B6FC-CA48-4f5b-9B48-18C6C5970473}.exe
Token: SeIncBasePriorityPrivilege	1040	{7F798B0E-26FD-44c5-AA7A-5545F12CD82D}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2932 wrote to memory of 2076	2932	2024-04-20_e56684e28f1b5026c80bec98d16052ef_goldeneye.exe	28
PID 2932 wrote to memory of 2076	2932	2024-04-20_e56684e28f1b5026c80bec98d16052ef_goldeneye.exe	28
PID 2932 wrote to memory of 2076	2932	2024-04-20_e56684e28f1b5026c80bec98d16052ef_goldeneye.exe	28
PID 2932 wrote to memory of 2076	2932	2024-04-20_e56684e28f1b5026c80bec98d16052ef_goldeneye.exe	28
PID 2932 wrote to memory of 2524	2932	2024-04-20_e56684e28f1b5026c80bec98d16052ef_goldeneye.exe	29
PID 2932 wrote to memory of 2524	2932	2024-04-20_e56684e28f1b5026c80bec98d16052ef_goldeneye.exe	29
PID 2932 wrote to memory of 2524	2932	2024-04-20_e56684e28f1b5026c80bec98d16052ef_goldeneye.exe	29
PID 2932 wrote to memory of 2524	2932	2024-04-20_e56684e28f1b5026c80bec98d16052ef_goldeneye.exe	29
PID 2076 wrote to memory of 2508	2076	{2D7423D8-A37A-4751-8C2D-6B60B598856C}.exe	30
PID 2076 wrote to memory of 2508	2076	{2D7423D8-A37A-4751-8C2D-6B60B598856C}.exe	30
PID 2076 wrote to memory of 2508	2076	{2D7423D8-A37A-4751-8C2D-6B60B598856C}.exe	30
PID 2076 wrote to memory of 2508	2076	{2D7423D8-A37A-4751-8C2D-6B60B598856C}.exe	30
PID 2076 wrote to memory of 2684	2076	{2D7423D8-A37A-4751-8C2D-6B60B598856C}.exe	31
PID 2076 wrote to memory of 2684	2076	{2D7423D8-A37A-4751-8C2D-6B60B598856C}.exe	31
PID 2076 wrote to memory of 2684	2076	{2D7423D8-A37A-4751-8C2D-6B60B598856C}.exe	31
PID 2076 wrote to memory of 2684	2076	{2D7423D8-A37A-4751-8C2D-6B60B598856C}.exe	31
PID 2508 wrote to memory of 2420	2508	{07338175-0AB4-435b-88A4-81A055C882D2}.exe	32
PID 2508 wrote to memory of 2420	2508	{07338175-0AB4-435b-88A4-81A055C882D2}.exe	32
PID 2508 wrote to memory of 2420	2508	{07338175-0AB4-435b-88A4-81A055C882D2}.exe	32
PID 2508 wrote to memory of 2420	2508	{07338175-0AB4-435b-88A4-81A055C882D2}.exe	32
PID 2508 wrote to memory of 2556	2508	{07338175-0AB4-435b-88A4-81A055C882D2}.exe	33
PID 2508 wrote to memory of 2556	2508	{07338175-0AB4-435b-88A4-81A055C882D2}.exe	33
PID 2508 wrote to memory of 2556	2508	{07338175-0AB4-435b-88A4-81A055C882D2}.exe	33
PID 2508 wrote to memory of 2556	2508	{07338175-0AB4-435b-88A4-81A055C882D2}.exe	33
PID 2420 wrote to memory of 1592	2420	{419D8FF6-F920-4c56-A189-7BF8D394157E}.exe	36
PID 2420 wrote to memory of 1592	2420	{419D8FF6-F920-4c56-A189-7BF8D394157E}.exe	36
PID 2420 wrote to memory of 1592	2420	{419D8FF6-F920-4c56-A189-7BF8D394157E}.exe	36
PID 2420 wrote to memory of 1592	2420	{419D8FF6-F920-4c56-A189-7BF8D394157E}.exe	36
PID 2420 wrote to memory of 2120	2420	{419D8FF6-F920-4c56-A189-7BF8D394157E}.exe	37
PID 2420 wrote to memory of 2120	2420	{419D8FF6-F920-4c56-A189-7BF8D394157E}.exe	37
PID 2420 wrote to memory of 2120	2420	{419D8FF6-F920-4c56-A189-7BF8D394157E}.exe	37
PID 2420 wrote to memory of 2120	2420	{419D8FF6-F920-4c56-A189-7BF8D394157E}.exe	37
PID 1592 wrote to memory of 796	1592	{0C8E5463-4F8A-415b-8292-E891112622D4}.exe	38
PID 1592 wrote to memory of 796	1592	{0C8E5463-4F8A-415b-8292-E891112622D4}.exe	38
PID 1592 wrote to memory of 796	1592	{0C8E5463-4F8A-415b-8292-E891112622D4}.exe	38
PID 1592 wrote to memory of 796	1592	{0C8E5463-4F8A-415b-8292-E891112622D4}.exe	38
PID 1592 wrote to memory of 1708	1592	{0C8E5463-4F8A-415b-8292-E891112622D4}.exe	39
PID 1592 wrote to memory of 1708	1592	{0C8E5463-4F8A-415b-8292-E891112622D4}.exe	39
PID 1592 wrote to memory of 1708	1592	{0C8E5463-4F8A-415b-8292-E891112622D4}.exe	39
PID 1592 wrote to memory of 1708	1592	{0C8E5463-4F8A-415b-8292-E891112622D4}.exe	39
PID 796 wrote to memory of 1484	796	{F9877829-60C2-4bf6-B035-112D5E82B23F}.exe	40
PID 796 wrote to memory of 1484	796	{F9877829-60C2-4bf6-B035-112D5E82B23F}.exe	40
PID 796 wrote to memory of 1484	796	{F9877829-60C2-4bf6-B035-112D5E82B23F}.exe	40
PID 796 wrote to memory of 1484	796	{F9877829-60C2-4bf6-B035-112D5E82B23F}.exe	40
PID 796 wrote to memory of 984	796	{F9877829-60C2-4bf6-B035-112D5E82B23F}.exe	41
PID 796 wrote to memory of 984	796	{F9877829-60C2-4bf6-B035-112D5E82B23F}.exe	41
PID 796 wrote to memory of 984	796	{F9877829-60C2-4bf6-B035-112D5E82B23F}.exe	41
PID 796 wrote to memory of 984	796	{F9877829-60C2-4bf6-B035-112D5E82B23F}.exe	41
PID 1484 wrote to memory of 2208	1484	{870BEBF0-B4EA-4c29-8127-91FCC11044EC}.exe	42
PID 1484 wrote to memory of 2208	1484	{870BEBF0-B4EA-4c29-8127-91FCC11044EC}.exe	42
PID 1484 wrote to memory of 2208	1484	{870BEBF0-B4EA-4c29-8127-91FCC11044EC}.exe	42
PID 1484 wrote to memory of 2208	1484	{870BEBF0-B4EA-4c29-8127-91FCC11044EC}.exe	42
PID 1484 wrote to memory of 1656	1484	{870BEBF0-B4EA-4c29-8127-91FCC11044EC}.exe	43
PID 1484 wrote to memory of 1656	1484	{870BEBF0-B4EA-4c29-8127-91FCC11044EC}.exe	43
PID 1484 wrote to memory of 1656	1484	{870BEBF0-B4EA-4c29-8127-91FCC11044EC}.exe	43
PID 1484 wrote to memory of 1656	1484	{870BEBF0-B4EA-4c29-8127-91FCC11044EC}.exe	43
PID 2208 wrote to memory of 1552	2208	{A5517183-1EC4-4d2e-823D-017F43C24F35}.exe	44
PID 2208 wrote to memory of 1552	2208	{A5517183-1EC4-4d2e-823D-017F43C24F35}.exe	44
PID 2208 wrote to memory of 1552	2208	{A5517183-1EC4-4d2e-823D-017F43C24F35}.exe	44
PID 2208 wrote to memory of 1552	2208	{A5517183-1EC4-4d2e-823D-017F43C24F35}.exe	44
PID 2208 wrote to memory of 2024	2208	{A5517183-1EC4-4d2e-823D-017F43C24F35}.exe	45
PID 2208 wrote to memory of 2024	2208	{A5517183-1EC4-4d2e-823D-017F43C24F35}.exe	45
PID 2208 wrote to memory of 2024	2208	{A5517183-1EC4-4d2e-823D-017F43C24F35}.exe	45
PID 2208 wrote to memory of 2024	2208	{A5517183-1EC4-4d2e-823D-017F43C24F35}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-04-20_e56684e28f1b5026c80bec98d16052ef_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-20_e56684e28f1b5026c80bec98d16052ef_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2932
- C:\Windows\{2D7423D8-A37A-4751-8C2D-6B60B598856C}.exe
  C:\Windows\{2D7423D8-A37A-4751-8C2D-6B60B598856C}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2076
- - C:\Windows\{07338175-0AB4-435b-88A4-81A055C882D2}.exe
    C:\Windows\{07338175-0AB4-435b-88A4-81A055C882D2}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2508
  - - C:\Windows\{419D8FF6-F920-4c56-A189-7BF8D394157E}.exe
      C:\Windows\{419D8FF6-F920-4c56-A189-7BF8D394157E}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2420
    - - C:\Windows\{0C8E5463-4F8A-415b-8292-E891112622D4}.exe
        
        C:\Windows\{0C8E5463-4F8A-415b-8292-E891112622D4}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1592
      - C:\Windows\{F9877829-60C2-4bf6-B035-112D5E82B23F}.exe
        
        C:\Windows\{F9877829-60C2-4bf6-B035-112D5E82B23F}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:796
        
        C:\Windows\{870BEBF0-B4EA-4c29-8127-91FCC11044EC}.exe
        
        C:\Windows\{870BEBF0-B4EA-4c29-8127-91FCC11044EC}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1484
        
        C:\Windows\{A5517183-1EC4-4d2e-823D-017F43C24F35}.exe
        
        C:\Windows\{A5517183-1EC4-4d2e-823D-017F43C24F35}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2208
        
        C:\Windows\{62AF9D0E-2C14-4656-9E8C-148959B2B313}.exe
        
        C:\Windows\{62AF9D0E-2C14-4656-9E8C-148959B2B313}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1552
        
        C:\Windows\{4642B6FC-CA48-4f5b-9B48-18C6C5970473}.exe
        
        C:\Windows\{4642B6FC-CA48-4f5b-9B48-18C6C5970473}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2816
        
        C:\Windows\{7F798B0E-26FD-44c5-AA7A-5545F12CD82D}.exe
        
        C:\Windows\{7F798B0E-26FD-44c5-AA7A-5545F12CD82D}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1040
        
        C:\Windows\{34FC6143-BA4D-4cab-80F2-E3E48296602B}.exe
        
        C:\Windows\{34FC6143-BA4D-4cab-80F2-E3E48296602B}.exe
        12⤵
        Executes dropped EXE
        
        PID:1664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7F798~1.EXE > nul
        12⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4642B~1.EXE > nul
        11⤵
        
        PID:1896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{62AF9~1.EXE > nul
        10⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A5517~1.EXE > nul
        9⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{870BE~1.EXE > nul
        8⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F9877~1.EXE > nul
        7⤵
        
        PID:984
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0C8E5~1.EXE > nul
        6⤵
        
        PID:1708
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{419D8~1.EXE > nul
        5⤵
        
        PID:2120
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{07338~1.EXE > nul
      4⤵
      PID:2556
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{2D742~1.EXE > nul
    3⤵
    PID:2684
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{07338175-0AB4-435b-88A4-81A055C882D2}.exe

Filesize
380KB

MD5
bbff0051725b79a65b06fceaeb3bdf4c

SHA1
2fa51ea9c8d0f5e7f6524e7a319d814ad64f8033

SHA256
5e1120dd2837f56606dcaf8d83a08755a6909734b85b160d2ac101ffc48dce80

SHA512
320325a594a109ff80a791b79fb04be080056e82a7d0ce103c1bc4f0120e601d28359f3594254e6f347338c01f5f379592bbfc107b104a7ba49d6a9c32feebac

Download Submit
C:\Windows\{0C8E5463-4F8A-415b-8292-E891112622D4}.exe

Filesize
380KB

MD5
a4c973198d5cdee29bfd5d853a840d2b

SHA1
295746beae90c501f5aec121e87c495ee36637f9

SHA256
b8532f1868fa6f1a30d9058372862baf73de39113dc0fb239ed9567e8e3e9de8

SHA512
a44fbcb78cbd6ea9520c985e13ac7945b92d51e4076d8fea567ab132f8450a7ce425fd9d3f03807510488e1caf1ec3327e652d66582337f2dbca39a647c80d60

Download Submit
C:\Windows\{2D7423D8-A37A-4751-8C2D-6B60B598856C}.exe

Filesize
380KB

MD5
9e5ee3b9922ded7f38a1ec251c83dcc6

SHA1
35cb3c91b87ecf9dc2783303c9d216af9ee9fbc8

SHA256
921b57df56bfcb3bcc4f69696b52b473fd5562a33e34112c1321beb69cc81949

SHA512
c652b252d6f9a14cc2e9cf2093026401049dfead186e89af7b09c23686b24b7a1ef5d7d203c91a61e6ab39cc72556524e70824887e3595f0e58b90f860a2131d

Download Submit
C:\Windows\{34FC6143-BA4D-4cab-80F2-E3E48296602B}.exe

Filesize
380KB

MD5
c7aabc7d9e1fb684048eaa3a7f14590a

SHA1
749fe3119a4eacef62eced1adf954a0a043aa7f5

SHA256
c57cfba907feeff67e505a299a245b36c00913158a9d335ece50688ca10a24e1

SHA512
22918a214f088aa8aef14c3aebe54a279594438d315dc724ddb24f9e5a18e061044b141ddc282d50e0c906945fd6efff610ad9f97d8be56626b26e6b9adfbf8a

Download Submit
C:\Windows\{419D8FF6-F920-4c56-A189-7BF8D394157E}.exe

Filesize
380KB

MD5
0689665eb9380261b1c7ba1c707dd55b

SHA1
a67cc627fb514381dcdde62cd0ade2a3b0e8ec4e

SHA256
1a2098b3d481d0fbbf34f526c4ed1d4c469534eb08114211d1676033755eec69

SHA512
b746f29d37abb2484af6e747ac9e05a730c61bdef0de5f275ced5fad2bf4fce17ab4753acc430170c1c26f173b2f4180114da9e38a745c064413a4a12f109fdb

Download Submit
C:\Windows\{4642B6FC-CA48-4f5b-9B48-18C6C5970473}.exe

Filesize
380KB

MD5
d549f2a00421c715144818d586dfea99

SHA1
9ee4b265aaf3128fad09342d9e7c3d951d0c65f6

SHA256
d0ab03a406e145ed7639efb2a7030bd2baf468605c014b94cc7accfdfc14dbd3

SHA512
f667e313a980bc98238691a1a2c220a7a942f1c7aa6b929a3d6922e0a931ef0f0519b3c7ebade161fb7e984fdb784be9817c511e6a88b419eab2dfbb989a8194

Download Submit
C:\Windows\{62AF9D0E-2C14-4656-9E8C-148959B2B313}.exe

Filesize
380KB

MD5
4d86bb371443df4dd04b74b0fb9f13ad

SHA1
a1722eb6cc15f96d511b720f76d17dd20aea9765

SHA256
db7bcefa272f44d36abf365ac92ee896bf79aeb9d15231dc876b5988c601ce5e

SHA512
3d62781575bbc3b776a4c891476ae1068ead5fed145fd0e5306df20609da74bdf680a9717819a03df779eb8cb5751780ffb95ea5c248b8c3e8d643b36494ebe6

Download Submit
C:\Windows\{7F798B0E-26FD-44c5-AA7A-5545F12CD82D}.exe

Filesize
380KB

MD5
5de5c8870b1717fbb454a2cd787bd206

SHA1
8fca41e1fba6e22f8edec0dae673b0b24b4ff18d

SHA256
54635ca4e08a0e770d5f3a5ec891c07ddc0702e92ebec2ab6c3967acfde2afa2

SHA512
fdfb12e0c0cb9e7886118d815965c2dbcd9b609a1b4d8e0372bccdfd2f9dd03d00e165eb4aaa8dfaf0a1b6f74e8c2599e0086293c0038374688f7bb16c1606f1

Download Submit
C:\Windows\{870BEBF0-B4EA-4c29-8127-91FCC11044EC}.exe

Filesize
380KB

MD5
d2d2e0184751b686db32618e4c93c7bf

SHA1
96087aed84250b848b0586d9ba827a8d80f102c5

SHA256
f2fac97655dd667c779b3929bba71d576f5336ade13eb94a51496272bea18723

SHA512
a6ea7d72866077a08258a387a01661faa79f050ae93adfa37861c937b78f18a6256f239f75b5284fea98ab9add6819f8c17b6d1b9bcf2225af7b5c3256b809b0

Download Submit
C:\Windows\{A5517183-1EC4-4d2e-823D-017F43C24F35}.exe

Filesize
380KB

MD5
3b96750f0bc19f5c14fb49bf74e42068

SHA1
5becb6583d108a83b553ec12b7eb0a94f86daabb

SHA256
40e0944a132431eb8486fffcf81e136efb1e9c59187f84124fb788e3f7ddb827

SHA512
8ae1467a2d49f4ffe12a77d0c302a0a2bad728f9e3a87abd442a1f6946ba609e86355d30bb4d6811e023f59847f3277e14a91a22b13ee32b64249e058fe5d313

Download Submit
C:\Windows\{F9877829-60C2-4bf6-B035-112D5E82B23F}.exe

Filesize
380KB

MD5
7f1e9f66504083e4901b14c057260d65

SHA1
a5a73cc3ee1f5b9c39bad6aca18b302776eda724

SHA256
bfb57d35fce2b5931574c7a3398c5dd86a1c3b26924441dcf934aed10023ed3d

SHA512
a48c051b8ef00e7c611f0b06b60650c91c9fdcc057794105fc1767ffe60801fb49fc23d00a2cd851120d319425ca7770814873138599b4cc84fdf0267270c79f

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads