b32a9b67def538a9d9a0f0247ef7f13134dec2c0562f2c22c02f74250f2eff57

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
20-04-2024 17:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-20_e2aaca778584f5ccd074603952fa003d_goldeneye.exe
Size

204KB
MD5

e2aaca778584f5ccd074603952fa003d
SHA1

079fb5d2e0c7a30718c617036563b23d9349a321
SHA256

b32a9b67def538a9d9a0f0247ef7f13134dec2c0562f2c22c02f74250f2eff57
SHA512

3ecc92c27aec86edf60d4c83533bd6e779c6114b008f95dbb458514c5fe470d787afed2102cd3e934ad30689524229a5d06110fe1f9c84836bcb0c3128d6ad07
SSDEEP

1536:1EGh0osl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0osl1OPOe2MUVg3Ve+rXfMUy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x0009000000015d1a-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b000000015d31-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a000000015d1a-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000016287-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000005a59-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b000000015d1a-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000005a59-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000015d1a-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a000000016287-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000015d1a-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b000000016287-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{40CC0F49-ACAD-4c8a-A2DC-402783D29548}	{343F6D36-ADB1-4ae1-B39C-77BF7F93EDEF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2759543F-76BA-46bf-9E49-6C402247A19F}	2024-04-20_e2aaca778584f5ccd074603952fa003d_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2759543F-76BA-46bf-9E49-6C402247A19F}\stubpath = "C:\\Windows\\{2759543F-76BA-46bf-9E49-6C402247A19F}.exe"	2024-04-20_e2aaca778584f5ccd074603952fa003d_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0D4FF113-996F-4100-BBA8-FE99FEEB443E}	{C618AA75-C44E-46ca-9FF8-A0AB90E1873F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E03F12A9-7F34-44ba-A5CC-B595A5FFF761}	{A731A4B9-DB7F-4a5d-A61E-44D362275080}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AB3698CC-5B0C-4aea-8E3B-DEB91F585BF6}\stubpath = "C:\\Windows\\{AB3698CC-5B0C-4aea-8E3B-DEB91F585BF6}.exe"	{E03F12A9-7F34-44ba-A5CC-B595A5FFF761}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D2F8E9AC-C901-4a99-A067-F9E67CDECE96}	{A4B4E173-5449-4222-AA3D-5B392E5C6080}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C618AA75-C44E-46ca-9FF8-A0AB90E1873F}\stubpath = "C:\\Windows\\{C618AA75-C44E-46ca-9FF8-A0AB90E1873F}.exe"	{2759543F-76BA-46bf-9E49-6C402247A19F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A4B4E173-5449-4222-AA3D-5B392E5C6080}	{AB3698CC-5B0C-4aea-8E3B-DEB91F585BF6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{343F6D36-ADB1-4ae1-B39C-77BF7F93EDEF}\stubpath = "C:\\Windows\\{343F6D36-ADB1-4ae1-B39C-77BF7F93EDEF}.exe"	{D2F8E9AC-C901-4a99-A067-F9E67CDECE96}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C618AA75-C44E-46ca-9FF8-A0AB90E1873F}	{2759543F-76BA-46bf-9E49-6C402247A19F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{59A747A3-5480-4dbc-983A-2B99A953DBDE}	{0D4FF113-996F-4100-BBA8-FE99FEEB443E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{59A747A3-5480-4dbc-983A-2B99A953DBDE}\stubpath = "C:\\Windows\\{59A747A3-5480-4dbc-983A-2B99A953DBDE}.exe"	{0D4FF113-996F-4100-BBA8-FE99FEEB443E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E03F12A9-7F34-44ba-A5CC-B595A5FFF761}\stubpath = "C:\\Windows\\{E03F12A9-7F34-44ba-A5CC-B595A5FFF761}.exe"	{A731A4B9-DB7F-4a5d-A61E-44D362275080}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AB3698CC-5B0C-4aea-8E3B-DEB91F585BF6}	{E03F12A9-7F34-44ba-A5CC-B595A5FFF761}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{343F6D36-ADB1-4ae1-B39C-77BF7F93EDEF}	{D2F8E9AC-C901-4a99-A067-F9E67CDECE96}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0D4FF113-996F-4100-BBA8-FE99FEEB443E}\stubpath = "C:\\Windows\\{0D4FF113-996F-4100-BBA8-FE99FEEB443E}.exe"	{C618AA75-C44E-46ca-9FF8-A0AB90E1873F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A731A4B9-DB7F-4a5d-A61E-44D362275080}	{59A747A3-5480-4dbc-983A-2B99A953DBDE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A731A4B9-DB7F-4a5d-A61E-44D362275080}\stubpath = "C:\\Windows\\{A731A4B9-DB7F-4a5d-A61E-44D362275080}.exe"	{59A747A3-5480-4dbc-983A-2B99A953DBDE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A4B4E173-5449-4222-AA3D-5B392E5C6080}\stubpath = "C:\\Windows\\{A4B4E173-5449-4222-AA3D-5B392E5C6080}.exe"	{AB3698CC-5B0C-4aea-8E3B-DEB91F585BF6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D2F8E9AC-C901-4a99-A067-F9E67CDECE96}\stubpath = "C:\\Windows\\{D2F8E9AC-C901-4a99-A067-F9E67CDECE96}.exe"	{A4B4E173-5449-4222-AA3D-5B392E5C6080}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{40CC0F49-ACAD-4c8a-A2DC-402783D29548}\stubpath = "C:\\Windows\\{40CC0F49-ACAD-4c8a-A2DC-402783D29548}.exe"	{343F6D36-ADB1-4ae1-B39C-77BF7F93EDEF}.exe

Deletes itself 1 IoCs

pid	Process
3040	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
1972	{2759543F-76BA-46bf-9E49-6C402247A19F}.exe
2584	{C618AA75-C44E-46ca-9FF8-A0AB90E1873F}.exe
2744	{0D4FF113-996F-4100-BBA8-FE99FEEB443E}.exe
2552	{59A747A3-5480-4dbc-983A-2B99A953DBDE}.exe
1964	{A731A4B9-DB7F-4a5d-A61E-44D362275080}.exe
2208	{E03F12A9-7F34-44ba-A5CC-B595A5FFF761}.exe
948	{AB3698CC-5B0C-4aea-8E3B-DEB91F585BF6}.exe
1660	{A4B4E173-5449-4222-AA3D-5B392E5C6080}.exe
2852	{D2F8E9AC-C901-4a99-A067-F9E67CDECE96}.exe
2332	{343F6D36-ADB1-4ae1-B39C-77BF7F93EDEF}.exe
640	{40CC0F49-ACAD-4c8a-A2DC-402783D29548}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{C618AA75-C44E-46ca-9FF8-A0AB90E1873F}.exe	{2759543F-76BA-46bf-9E49-6C402247A19F}.exe
File created	C:\Windows\{A731A4B9-DB7F-4a5d-A61E-44D362275080}.exe	{59A747A3-5480-4dbc-983A-2B99A953DBDE}.exe
File created	C:\Windows\{AB3698CC-5B0C-4aea-8E3B-DEB91F585BF6}.exe	{E03F12A9-7F34-44ba-A5CC-B595A5FFF761}.exe
File created	C:\Windows\{A4B4E173-5449-4222-AA3D-5B392E5C6080}.exe	{AB3698CC-5B0C-4aea-8E3B-DEB91F585BF6}.exe
File created	C:\Windows\{D2F8E9AC-C901-4a99-A067-F9E67CDECE96}.exe	{A4B4E173-5449-4222-AA3D-5B392E5C6080}.exe
File created	C:\Windows\{343F6D36-ADB1-4ae1-B39C-77BF7F93EDEF}.exe	{D2F8E9AC-C901-4a99-A067-F9E67CDECE96}.exe
File created	C:\Windows\{2759543F-76BA-46bf-9E49-6C402247A19F}.exe	2024-04-20_e2aaca778584f5ccd074603952fa003d_goldeneye.exe
File created	C:\Windows\{0D4FF113-996F-4100-BBA8-FE99FEEB443E}.exe	{C618AA75-C44E-46ca-9FF8-A0AB90E1873F}.exe
File created	C:\Windows\{59A747A3-5480-4dbc-983A-2B99A953DBDE}.exe	{0D4FF113-996F-4100-BBA8-FE99FEEB443E}.exe
File created	C:\Windows\{E03F12A9-7F34-44ba-A5CC-B595A5FFF761}.exe	{A731A4B9-DB7F-4a5d-A61E-44D362275080}.exe
File created	C:\Windows\{40CC0F49-ACAD-4c8a-A2DC-402783D29548}.exe	{343F6D36-ADB1-4ae1-B39C-77BF7F93EDEF}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2040	2024-04-20_e2aaca778584f5ccd074603952fa003d_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1972	{2759543F-76BA-46bf-9E49-6C402247A19F}.exe
Token: SeIncBasePriorityPrivilege	2584	{C618AA75-C44E-46ca-9FF8-A0AB90E1873F}.exe
Token: SeIncBasePriorityPrivilege	2744	{0D4FF113-996F-4100-BBA8-FE99FEEB443E}.exe
Token: SeIncBasePriorityPrivilege	2552	{59A747A3-5480-4dbc-983A-2B99A953DBDE}.exe
Token: SeIncBasePriorityPrivilege	1964	{A731A4B9-DB7F-4a5d-A61E-44D362275080}.exe
Token: SeIncBasePriorityPrivilege	2208	{E03F12A9-7F34-44ba-A5CC-B595A5FFF761}.exe
Token: SeIncBasePriorityPrivilege	948	{AB3698CC-5B0C-4aea-8E3B-DEB91F585BF6}.exe
Token: SeIncBasePriorityPrivilege	1660	{A4B4E173-5449-4222-AA3D-5B392E5C6080}.exe
Token: SeIncBasePriorityPrivilege	2852	{D2F8E9AC-C901-4a99-A067-F9E67CDECE96}.exe
Token: SeIncBasePriorityPrivilege	2332	{343F6D36-ADB1-4ae1-B39C-77BF7F93EDEF}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2040 wrote to memory of 1972	2040	2024-04-20_e2aaca778584f5ccd074603952fa003d_goldeneye.exe	28
PID 2040 wrote to memory of 1972	2040	2024-04-20_e2aaca778584f5ccd074603952fa003d_goldeneye.exe	28
PID 2040 wrote to memory of 1972	2040	2024-04-20_e2aaca778584f5ccd074603952fa003d_goldeneye.exe	28
PID 2040 wrote to memory of 1972	2040	2024-04-20_e2aaca778584f5ccd074603952fa003d_goldeneye.exe	28
PID 2040 wrote to memory of 3040	2040	2024-04-20_e2aaca778584f5ccd074603952fa003d_goldeneye.exe	29
PID 2040 wrote to memory of 3040	2040	2024-04-20_e2aaca778584f5ccd074603952fa003d_goldeneye.exe	29
PID 2040 wrote to memory of 3040	2040	2024-04-20_e2aaca778584f5ccd074603952fa003d_goldeneye.exe	29
PID 2040 wrote to memory of 3040	2040	2024-04-20_e2aaca778584f5ccd074603952fa003d_goldeneye.exe	29
PID 1972 wrote to memory of 2584	1972	{2759543F-76BA-46bf-9E49-6C402247A19F}.exe	30
PID 1972 wrote to memory of 2584	1972	{2759543F-76BA-46bf-9E49-6C402247A19F}.exe	30
PID 1972 wrote to memory of 2584	1972	{2759543F-76BA-46bf-9E49-6C402247A19F}.exe	30
PID 1972 wrote to memory of 2584	1972	{2759543F-76BA-46bf-9E49-6C402247A19F}.exe	30
PID 1972 wrote to memory of 2688	1972	{2759543F-76BA-46bf-9E49-6C402247A19F}.exe	31
PID 1972 wrote to memory of 2688	1972	{2759543F-76BA-46bf-9E49-6C402247A19F}.exe	31
PID 1972 wrote to memory of 2688	1972	{2759543F-76BA-46bf-9E49-6C402247A19F}.exe	31
PID 1972 wrote to memory of 2688	1972	{2759543F-76BA-46bf-9E49-6C402247A19F}.exe	31
PID 2584 wrote to memory of 2744	2584	{C618AA75-C44E-46ca-9FF8-A0AB90E1873F}.exe	32
PID 2584 wrote to memory of 2744	2584	{C618AA75-C44E-46ca-9FF8-A0AB90E1873F}.exe	32
PID 2584 wrote to memory of 2744	2584	{C618AA75-C44E-46ca-9FF8-A0AB90E1873F}.exe	32
PID 2584 wrote to memory of 2744	2584	{C618AA75-C44E-46ca-9FF8-A0AB90E1873F}.exe	32
PID 2584 wrote to memory of 3012	2584	{C618AA75-C44E-46ca-9FF8-A0AB90E1873F}.exe	33
PID 2584 wrote to memory of 3012	2584	{C618AA75-C44E-46ca-9FF8-A0AB90E1873F}.exe	33
PID 2584 wrote to memory of 3012	2584	{C618AA75-C44E-46ca-9FF8-A0AB90E1873F}.exe	33
PID 2584 wrote to memory of 3012	2584	{C618AA75-C44E-46ca-9FF8-A0AB90E1873F}.exe	33
PID 2744 wrote to memory of 2552	2744	{0D4FF113-996F-4100-BBA8-FE99FEEB443E}.exe	36
PID 2744 wrote to memory of 2552	2744	{0D4FF113-996F-4100-BBA8-FE99FEEB443E}.exe	36
PID 2744 wrote to memory of 2552	2744	{0D4FF113-996F-4100-BBA8-FE99FEEB443E}.exe	36
PID 2744 wrote to memory of 2552	2744	{0D4FF113-996F-4100-BBA8-FE99FEEB443E}.exe	36
PID 2744 wrote to memory of 2764	2744	{0D4FF113-996F-4100-BBA8-FE99FEEB443E}.exe	37
PID 2744 wrote to memory of 2764	2744	{0D4FF113-996F-4100-BBA8-FE99FEEB443E}.exe	37
PID 2744 wrote to memory of 2764	2744	{0D4FF113-996F-4100-BBA8-FE99FEEB443E}.exe	37
PID 2744 wrote to memory of 2764	2744	{0D4FF113-996F-4100-BBA8-FE99FEEB443E}.exe	37
PID 2552 wrote to memory of 1964	2552	{59A747A3-5480-4dbc-983A-2B99A953DBDE}.exe	38
PID 2552 wrote to memory of 1964	2552	{59A747A3-5480-4dbc-983A-2B99A953DBDE}.exe	38
PID 2552 wrote to memory of 1964	2552	{59A747A3-5480-4dbc-983A-2B99A953DBDE}.exe	38
PID 2552 wrote to memory of 1964	2552	{59A747A3-5480-4dbc-983A-2B99A953DBDE}.exe	38
PID 2552 wrote to memory of 628	2552	{59A747A3-5480-4dbc-983A-2B99A953DBDE}.exe	39
PID 2552 wrote to memory of 628	2552	{59A747A3-5480-4dbc-983A-2B99A953DBDE}.exe	39
PID 2552 wrote to memory of 628	2552	{59A747A3-5480-4dbc-983A-2B99A953DBDE}.exe	39
PID 2552 wrote to memory of 628	2552	{59A747A3-5480-4dbc-983A-2B99A953DBDE}.exe	39
PID 1964 wrote to memory of 2208	1964	{A731A4B9-DB7F-4a5d-A61E-44D362275080}.exe	40
PID 1964 wrote to memory of 2208	1964	{A731A4B9-DB7F-4a5d-A61E-44D362275080}.exe	40
PID 1964 wrote to memory of 2208	1964	{A731A4B9-DB7F-4a5d-A61E-44D362275080}.exe	40
PID 1964 wrote to memory of 2208	1964	{A731A4B9-DB7F-4a5d-A61E-44D362275080}.exe	40
PID 1964 wrote to memory of 1760	1964	{A731A4B9-DB7F-4a5d-A61E-44D362275080}.exe	41
PID 1964 wrote to memory of 1760	1964	{A731A4B9-DB7F-4a5d-A61E-44D362275080}.exe	41
PID 1964 wrote to memory of 1760	1964	{A731A4B9-DB7F-4a5d-A61E-44D362275080}.exe	41
PID 1964 wrote to memory of 1760	1964	{A731A4B9-DB7F-4a5d-A61E-44D362275080}.exe	41
PID 2208 wrote to memory of 948	2208	{E03F12A9-7F34-44ba-A5CC-B595A5FFF761}.exe	42
PID 2208 wrote to memory of 948	2208	{E03F12A9-7F34-44ba-A5CC-B595A5FFF761}.exe	42
PID 2208 wrote to memory of 948	2208	{E03F12A9-7F34-44ba-A5CC-B595A5FFF761}.exe	42
PID 2208 wrote to memory of 948	2208	{E03F12A9-7F34-44ba-A5CC-B595A5FFF761}.exe	42
PID 2208 wrote to memory of 1224	2208	{E03F12A9-7F34-44ba-A5CC-B595A5FFF761}.exe	43
PID 2208 wrote to memory of 1224	2208	{E03F12A9-7F34-44ba-A5CC-B595A5FFF761}.exe	43
PID 2208 wrote to memory of 1224	2208	{E03F12A9-7F34-44ba-A5CC-B595A5FFF761}.exe	43
PID 2208 wrote to memory of 1224	2208	{E03F12A9-7F34-44ba-A5CC-B595A5FFF761}.exe	43
PID 948 wrote to memory of 1660	948	{AB3698CC-5B0C-4aea-8E3B-DEB91F585BF6}.exe	44
PID 948 wrote to memory of 1660	948	{AB3698CC-5B0C-4aea-8E3B-DEB91F585BF6}.exe	44
PID 948 wrote to memory of 1660	948	{AB3698CC-5B0C-4aea-8E3B-DEB91F585BF6}.exe	44
PID 948 wrote to memory of 1660	948	{AB3698CC-5B0C-4aea-8E3B-DEB91F585BF6}.exe	44
PID 948 wrote to memory of 2828	948	{AB3698CC-5B0C-4aea-8E3B-DEB91F585BF6}.exe	45
PID 948 wrote to memory of 2828	948	{AB3698CC-5B0C-4aea-8E3B-DEB91F585BF6}.exe	45
PID 948 wrote to memory of 2828	948	{AB3698CC-5B0C-4aea-8E3B-DEB91F585BF6}.exe	45
PID 948 wrote to memory of 2828	948	{AB3698CC-5B0C-4aea-8E3B-DEB91F585BF6}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-04-20_e2aaca778584f5ccd074603952fa003d_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-20_e2aaca778584f5ccd074603952fa003d_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2040
- C:\Windows\{2759543F-76BA-46bf-9E49-6C402247A19F}.exe
  C:\Windows\{2759543F-76BA-46bf-9E49-6C402247A19F}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1972
- - C:\Windows\{C618AA75-C44E-46ca-9FF8-A0AB90E1873F}.exe
    C:\Windows\{C618AA75-C44E-46ca-9FF8-A0AB90E1873F}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2584
  - - C:\Windows\{0D4FF113-996F-4100-BBA8-FE99FEEB443E}.exe
      C:\Windows\{0D4FF113-996F-4100-BBA8-FE99FEEB443E}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2744
    - - C:\Windows\{59A747A3-5480-4dbc-983A-2B99A953DBDE}.exe
        
        C:\Windows\{59A747A3-5480-4dbc-983A-2B99A953DBDE}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2552
      - C:\Windows\{A731A4B9-DB7F-4a5d-A61E-44D362275080}.exe
        
        C:\Windows\{A731A4B9-DB7F-4a5d-A61E-44D362275080}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1964
        
        C:\Windows\{E03F12A9-7F34-44ba-A5CC-B595A5FFF761}.exe
        
        C:\Windows\{E03F12A9-7F34-44ba-A5CC-B595A5FFF761}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2208
        
        C:\Windows\{AB3698CC-5B0C-4aea-8E3B-DEB91F585BF6}.exe
        
        C:\Windows\{AB3698CC-5B0C-4aea-8E3B-DEB91F585BF6}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:948
        
        C:\Windows\{A4B4E173-5449-4222-AA3D-5B392E5C6080}.exe
        
        C:\Windows\{A4B4E173-5449-4222-AA3D-5B392E5C6080}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1660
        
        C:\Windows\{D2F8E9AC-C901-4a99-A067-F9E67CDECE96}.exe
        
        C:\Windows\{D2F8E9AC-C901-4a99-A067-F9E67CDECE96}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2852
        
        C:\Windows\{343F6D36-ADB1-4ae1-B39C-77BF7F93EDEF}.exe
        
        C:\Windows\{343F6D36-ADB1-4ae1-B39C-77BF7F93EDEF}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2332
        
        C:\Windows\{40CC0F49-ACAD-4c8a-A2DC-402783D29548}.exe
        
        C:\Windows\{40CC0F49-ACAD-4c8a-A2DC-402783D29548}.exe
        12⤵
        Executes dropped EXE
        
        PID:640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{343F6~1.EXE > nul
        12⤵
        
        PID:588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D2F8E~1.EXE > nul
        11⤵
        
        PID:540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A4B4E~1.EXE > nul
        10⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AB369~1.EXE > nul
        9⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E03F1~1.EXE > nul
        8⤵
        
        PID:1224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A731A~1.EXE > nul
        7⤵
        
        PID:1760
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{59A74~1.EXE > nul
        6⤵
        
        PID:628
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0D4FF~1.EXE > nul
        5⤵
        
        PID:2764
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{C618A~1.EXE > nul
      4⤵
      PID:3012
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{27595~1.EXE > nul
    3⤵
    PID:2688
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:3040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0D4FF113-996F-4100-BBA8-FE99FEEB443E}.exe

Filesize
204KB

MD5
fde6b9a6cdd4aa817167b221dbebcbf7

SHA1
05535ad2b472cd0a37678817247d6a344b8c0074

SHA256
6e05726374ce9193134b492e2ef0dc454195101f8ba63d46b5529363f4a4009c

SHA512
ef3214f88db6744bc3bbefcd9fb0ab604f528088b4eff6cec55adc0adb20a3419be6f18eca657d6fb67b19b29a98f11343bd4c1239604780f4f0bfd9e3f81157

Download Submit
C:\Windows\{2759543F-76BA-46bf-9E49-6C402247A19F}.exe

Filesize
204KB

MD5
fe472e9f69d87d6557c82a2d7e54fb26

SHA1
8006b45fa112b8dd15d5b01378f1da9955ef2dd6

SHA256
80fe9c6b46afdae52cf195972af01d4fe1daba097ff98be44d474f6854103bbc

SHA512
e291e7675300225ffb72d301e79c70102490abcb7b9839e947c640404e7ca30f4c4da649498ef2d7c538418dc05e327c119b17148ed64eab352663a3253e9758

Download Submit
C:\Windows\{343F6D36-ADB1-4ae1-B39C-77BF7F93EDEF}.exe

Filesize
204KB

MD5
e418a23c71f5c60fc4d7ae9e0df27137

SHA1
fc84f080b3400a00e0f715a210d9b54ceb88f752

SHA256
cfc5f78a3b95f3f715fee4080c3ee4e5bd02f481eba614b9fb20af37f3cab541

SHA512
9698345458bd465827f64930195e635d1ab205dd87b487c2c18815577c38589af4521189f9bdea9c66e523643b8762a77a324b7e713ca789718e1f735af9f99b

Download Submit
C:\Windows\{40CC0F49-ACAD-4c8a-A2DC-402783D29548}.exe

Filesize
204KB

MD5
2dc8077446254f6e346db1c9a182ce45

SHA1
be0acbec1864d98fda5e5a45f4e2dc3b7a49b794

SHA256
79faefbca8a8a8e0921a9bf9bb647dacfe20a3e572b245791e84e9e12854a17c

SHA512
3732fd57b273a3fc2361759539b738bec5385fc46b11ad99f7aaac47b3288db54a9cec5a142a690b567894c06eff6a89d46b35a3d85c44625bd16d1e71e3b686

Download Submit
C:\Windows\{59A747A3-5480-4dbc-983A-2B99A953DBDE}.exe

Filesize
204KB

MD5
93a83be926a76620959cf9a01d60ceea

SHA1
a0837c412c392e0b99a0f4e09252d5035ceb4f93

SHA256
7d89c72b2ec134f32aa662767c1023e8af309497573b0210fd3fb6ff553a01aa

SHA512
e1b8212960aea108d7c17b0ead79653edd548db2ec3c19ba5113988bd8f4cbc20bb2434bff0d2cb3791f438b11031dda0606ba53e424f56533731e324527e976

Download Submit
C:\Windows\{A4B4E173-5449-4222-AA3D-5B392E5C6080}.exe

Filesize
204KB

MD5
d78e2e8f88ee5ce00aa3edb73e91ecb6

SHA1
b3d18b9f17fc43751dfa653ed11cc41d73a2ba82

SHA256
6a2fd95bad4658219a655cf4bf340a3e3afbc0a8557a85f032de08fb241b4a23

SHA512
3861ef20bf624cf6300a1869eaadb5e9bd95f136ef4dd7457744135edf44164cb44c8e7e8ca20d7a28d5abd7fde4bb483c431a7d475578a898547bc9bb31d05c

Download Submit
C:\Windows\{A731A4B9-DB7F-4a5d-A61E-44D362275080}.exe

Filesize
204KB

MD5
58c719fbfd4a34cd600fe5832313be3a

SHA1
b1e137c79f9bd47bbefa47a0924b7c208f3fd5a0

SHA256
8a9256aff2f5fdec95db232496313dc4be17d3de3d10ad5949fdee87c851ffa0

SHA512
809606286b669b9465b86bee9e0bc6eaa4b756dccc731ffd24de51b87ed8fed2edf6f51007d4313118a6c282f9641f7f94f6ca901928aa8f1e4239ea954595a9

Download Submit
C:\Windows\{AB3698CC-5B0C-4aea-8E3B-DEB91F585BF6}.exe

Filesize
204KB

MD5
b66e197066360d8b69b7cb46a4700396

SHA1
45dea2fa184de5d7984d74e0ca94b5bbb693f7e9

SHA256
4607d2d9373bb819a7673d5647f09dc44fe2d3bc2cb777d571f726576f37df5c

SHA512
fff46d3b7a9c022b61df6941a7cfa3ab02de9fec391a35ea942ee476ea65c17c0f4bda59950ba947bf60047e13c084ea9a367bffa3c3977a6f266785ef99e931

Download Submit
C:\Windows\{C618AA75-C44E-46ca-9FF8-A0AB90E1873F}.exe

Filesize
204KB

MD5
f37ef0d320203e033aa068b6cfaf6b62

SHA1
9bc07da80139f38aaba107498309abd10726d751

SHA256
3a136490ff28f126f94c387dc97e851d5f48c15fab4dac9911173e3cc51174b6

SHA512
097aa0b9b522fcb5cc4941b907111e3556099391159d6592af95d774209b9f38eeb3059a313d15ac3dce0273b1d93bbb7881259bf0d067d181908414544eecbb

Download Submit
C:\Windows\{D2F8E9AC-C901-4a99-A067-F9E67CDECE96}.exe

Filesize
204KB

MD5
eec4aaf7c28700dcaa779adef2b9f614

SHA1
df902fdee5fbb357f8ad2f3e4bd0a97aefa8a740

SHA256
4d7f7fa0f1a0d898ad92336ce4fb71b332359cab86f6c93b20f4aef2a1841b2c

SHA512
de5f11353e22d2b73f7d6a41e9ff5e1135020b2dc1636dc7f7ce8f466ff067f5ef24663c152df3e9cf3daefd4274334db25b90ea8b138afec459f358afa78448

Download Submit
C:\Windows\{E03F12A9-7F34-44ba-A5CC-B595A5FFF761}.exe

Filesize
204KB

MD5
0861e8ac3d8e19cf3a7d73f5e90fa379

SHA1
bd8d062374bcbe1559e5855376e1c23974a1a205

SHA256
3a5ac9449c589bc606d15e70a38a1ba134e505db6e926846848dd1bb942a8784

SHA512
f7b263a4469519537ce203170c8141282908ab265ada0cad7879fc742c136e57a8b535bcee0b67e1f7adb0b37bf09ad6adb35f2579f87737fec64b64ea488ff3

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads