7a77316e0f9da3c4700bc23bcd1de87615ff74a5032e981ae584013e65c8e27a

Analysis

max time kernel
144s
max time network
120s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
22/04/2024, 13:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-22_a875ba70957756537d41de15f7a8b369_goldeneye.exe
Size

180KB
MD5

a875ba70957756537d41de15f7a8b369
SHA1

271003a53953078c14d79e77c0867f1345d8c2c1
SHA256

7a77316e0f9da3c4700bc23bcd1de87615ff74a5032e981ae584013e65c8e27a
SHA512

ae477b2115d610a581b64fe797a65e6f342b3bc5b53160a8c051dad7afa759447b9df78dc4b2e3c5f024fb1ace3e49018d21e80b7b7d3198db9935d9989c9e5a
SSDEEP

3072:jEGh0oGlfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGol5eKcAEc

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000c000000012324-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000013187-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000012324-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0032000000013420-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e000000012324-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f000000012324-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0010000000012324-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4ED87638-9B81-443c-87DB-6C812BC4E797}\stubpath = "C:\\Windows\\{4ED87638-9B81-443c-87DB-6C812BC4E797}.exe"	{D7719EA7-0332-4df7-AD9D-2B43185D9215}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CB4BF063-C60A-49dc-8E6B-B55DE1E5DBDA}\stubpath = "C:\\Windows\\{CB4BF063-C60A-49dc-8E6B-B55DE1E5DBDA}.exe"	{4ED87638-9B81-443c-87DB-6C812BC4E797}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{874609F4-C839-4a3b-8E51-EA75543C7DEF}\stubpath = "C:\\Windows\\{874609F4-C839-4a3b-8E51-EA75543C7DEF}.exe"	{CB4BF063-C60A-49dc-8E6B-B55DE1E5DBDA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C6E589D0-D4B2-47b3-9772-DFF4F2626B60}	{874609F4-C839-4a3b-8E51-EA75543C7DEF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C6E589D0-D4B2-47b3-9772-DFF4F2626B60}\stubpath = "C:\\Windows\\{C6E589D0-D4B2-47b3-9772-DFF4F2626B60}.exe"	{874609F4-C839-4a3b-8E51-EA75543C7DEF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{82F754A9-67D9-406d-8B98-F79D31A8A778}	2024-04-22_a875ba70957756537d41de15f7a8b369_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D7719EA7-0332-4df7-AD9D-2B43185D9215}	{E7071400-B611-4ff8-8517-B8A6F6B46A50}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ECC97352-00D2-4a42-8B8E-E9E0A2BD5C2A}\stubpath = "C:\\Windows\\{ECC97352-00D2-4a42-8B8E-E9E0A2BD5C2A}.exe"	{FE8ECB42-6855-4921-8271-939932885514}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0742B350-4973-4379-A039-670B4BC76B83}	{ECC97352-00D2-4a42-8B8E-E9E0A2BD5C2A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0742B350-4973-4379-A039-670B4BC76B83}\stubpath = "C:\\Windows\\{0742B350-4973-4379-A039-670B4BC76B83}.exe"	{ECC97352-00D2-4a42-8B8E-E9E0A2BD5C2A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E7071400-B611-4ff8-8517-B8A6F6B46A50}	{0742B350-4973-4379-A039-670B4BC76B83}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D7719EA7-0332-4df7-AD9D-2B43185D9215}\stubpath = "C:\\Windows\\{D7719EA7-0332-4df7-AD9D-2B43185D9215}.exe"	{E7071400-B611-4ff8-8517-B8A6F6B46A50}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2E0B5D0D-802A-4fab-9AED-85C543963F5F}\stubpath = "C:\\Windows\\{2E0B5D0D-802A-4fab-9AED-85C543963F5F}.exe"	{C6E589D0-D4B2-47b3-9772-DFF4F2626B60}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{82F754A9-67D9-406d-8B98-F79D31A8A778}\stubpath = "C:\\Windows\\{82F754A9-67D9-406d-8B98-F79D31A8A778}.exe"	2024-04-22_a875ba70957756537d41de15f7a8b369_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ECC97352-00D2-4a42-8B8E-E9E0A2BD5C2A}	{FE8ECB42-6855-4921-8271-939932885514}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4ED87638-9B81-443c-87DB-6C812BC4E797}	{D7719EA7-0332-4df7-AD9D-2B43185D9215}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{874609F4-C839-4a3b-8E51-EA75543C7DEF}	{CB4BF063-C60A-49dc-8E6B-B55DE1E5DBDA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FE8ECB42-6855-4921-8271-939932885514}	{82F754A9-67D9-406d-8B98-F79D31A8A778}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E7071400-B611-4ff8-8517-B8A6F6B46A50}\stubpath = "C:\\Windows\\{E7071400-B611-4ff8-8517-B8A6F6B46A50}.exe"	{0742B350-4973-4379-A039-670B4BC76B83}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2E0B5D0D-802A-4fab-9AED-85C543963F5F}	{C6E589D0-D4B2-47b3-9772-DFF4F2626B60}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FE8ECB42-6855-4921-8271-939932885514}\stubpath = "C:\\Windows\\{FE8ECB42-6855-4921-8271-939932885514}.exe"	{82F754A9-67D9-406d-8B98-F79D31A8A778}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CB4BF063-C60A-49dc-8E6B-B55DE1E5DBDA}	{4ED87638-9B81-443c-87DB-6C812BC4E797}.exe

Deletes itself 1 IoCs

pid	Process
3032	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2976	{82F754A9-67D9-406d-8B98-F79D31A8A778}.exe
2612	{FE8ECB42-6855-4921-8271-939932885514}.exe
2484	{ECC97352-00D2-4a42-8B8E-E9E0A2BD5C2A}.exe
2908	{0742B350-4973-4379-A039-670B4BC76B83}.exe
2080	{E7071400-B611-4ff8-8517-B8A6F6B46A50}.exe
816	{D7719EA7-0332-4df7-AD9D-2B43185D9215}.exe
332	{4ED87638-9B81-443c-87DB-6C812BC4E797}.exe
2364	{CB4BF063-C60A-49dc-8E6B-B55DE1E5DBDA}.exe
1312	{874609F4-C839-4a3b-8E51-EA75543C7DEF}.exe
2288	{C6E589D0-D4B2-47b3-9772-DFF4F2626B60}.exe
1496	{2E0B5D0D-802A-4fab-9AED-85C543963F5F}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{ECC97352-00D2-4a42-8B8E-E9E0A2BD5C2A}.exe	{FE8ECB42-6855-4921-8271-939932885514}.exe
File created	C:\Windows\{CB4BF063-C60A-49dc-8E6B-B55DE1E5DBDA}.exe	{4ED87638-9B81-443c-87DB-6C812BC4E797}.exe
File created	C:\Windows\{C6E589D0-D4B2-47b3-9772-DFF4F2626B60}.exe	{874609F4-C839-4a3b-8E51-EA75543C7DEF}.exe
File created	C:\Windows\{E7071400-B611-4ff8-8517-B8A6F6B46A50}.exe	{0742B350-4973-4379-A039-670B4BC76B83}.exe
File created	C:\Windows\{D7719EA7-0332-4df7-AD9D-2B43185D9215}.exe	{E7071400-B611-4ff8-8517-B8A6F6B46A50}.exe
File created	C:\Windows\{4ED87638-9B81-443c-87DB-6C812BC4E797}.exe	{D7719EA7-0332-4df7-AD9D-2B43185D9215}.exe
File created	C:\Windows\{874609F4-C839-4a3b-8E51-EA75543C7DEF}.exe	{CB4BF063-C60A-49dc-8E6B-B55DE1E5DBDA}.exe
File created	C:\Windows\{2E0B5D0D-802A-4fab-9AED-85C543963F5F}.exe	{C6E589D0-D4B2-47b3-9772-DFF4F2626B60}.exe
File created	C:\Windows\{82F754A9-67D9-406d-8B98-F79D31A8A778}.exe	2024-04-22_a875ba70957756537d41de15f7a8b369_goldeneye.exe
File created	C:\Windows\{FE8ECB42-6855-4921-8271-939932885514}.exe	{82F754A9-67D9-406d-8B98-F79D31A8A778}.exe
File created	C:\Windows\{0742B350-4973-4379-A039-670B4BC76B83}.exe	{ECC97352-00D2-4a42-8B8E-E9E0A2BD5C2A}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1700	2024-04-22_a875ba70957756537d41de15f7a8b369_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2976	{82F754A9-67D9-406d-8B98-F79D31A8A778}.exe
Token: SeIncBasePriorityPrivilege	2612	{FE8ECB42-6855-4921-8271-939932885514}.exe
Token: SeIncBasePriorityPrivilege	2484	{ECC97352-00D2-4a42-8B8E-E9E0A2BD5C2A}.exe
Token: SeIncBasePriorityPrivilege	2908	{0742B350-4973-4379-A039-670B4BC76B83}.exe
Token: SeIncBasePriorityPrivilege	2080	{E7071400-B611-4ff8-8517-B8A6F6B46A50}.exe
Token: SeIncBasePriorityPrivilege	816	{D7719EA7-0332-4df7-AD9D-2B43185D9215}.exe
Token: SeIncBasePriorityPrivilege	332	{4ED87638-9B81-443c-87DB-6C812BC4E797}.exe
Token: SeIncBasePriorityPrivilege	2364	{CB4BF063-C60A-49dc-8E6B-B55DE1E5DBDA}.exe
Token: SeIncBasePriorityPrivilege	1312	{874609F4-C839-4a3b-8E51-EA75543C7DEF}.exe
Token: SeIncBasePriorityPrivilege	2288	{C6E589D0-D4B2-47b3-9772-DFF4F2626B60}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1700 wrote to memory of 2976	1700	2024-04-22_a875ba70957756537d41de15f7a8b369_goldeneye.exe	28
PID 1700 wrote to memory of 2976	1700	2024-04-22_a875ba70957756537d41de15f7a8b369_goldeneye.exe	28
PID 1700 wrote to memory of 2976	1700	2024-04-22_a875ba70957756537d41de15f7a8b369_goldeneye.exe	28
PID 1700 wrote to memory of 2976	1700	2024-04-22_a875ba70957756537d41de15f7a8b369_goldeneye.exe	28
PID 1700 wrote to memory of 3032	1700	2024-04-22_a875ba70957756537d41de15f7a8b369_goldeneye.exe	29
PID 1700 wrote to memory of 3032	1700	2024-04-22_a875ba70957756537d41de15f7a8b369_goldeneye.exe	29
PID 1700 wrote to memory of 3032	1700	2024-04-22_a875ba70957756537d41de15f7a8b369_goldeneye.exe	29
PID 1700 wrote to memory of 3032	1700	2024-04-22_a875ba70957756537d41de15f7a8b369_goldeneye.exe	29
PID 2976 wrote to memory of 2612	2976	{82F754A9-67D9-406d-8B98-F79D31A8A778}.exe	30
PID 2976 wrote to memory of 2612	2976	{82F754A9-67D9-406d-8B98-F79D31A8A778}.exe	30
PID 2976 wrote to memory of 2612	2976	{82F754A9-67D9-406d-8B98-F79D31A8A778}.exe	30
PID 2976 wrote to memory of 2612	2976	{82F754A9-67D9-406d-8B98-F79D31A8A778}.exe	30
PID 2976 wrote to memory of 2256	2976	{82F754A9-67D9-406d-8B98-F79D31A8A778}.exe	31
PID 2976 wrote to memory of 2256	2976	{82F754A9-67D9-406d-8B98-F79D31A8A778}.exe	31
PID 2976 wrote to memory of 2256	2976	{82F754A9-67D9-406d-8B98-F79D31A8A778}.exe	31
PID 2976 wrote to memory of 2256	2976	{82F754A9-67D9-406d-8B98-F79D31A8A778}.exe	31
PID 2612 wrote to memory of 2484	2612	{FE8ECB42-6855-4921-8271-939932885514}.exe	32
PID 2612 wrote to memory of 2484	2612	{FE8ECB42-6855-4921-8271-939932885514}.exe	32
PID 2612 wrote to memory of 2484	2612	{FE8ECB42-6855-4921-8271-939932885514}.exe	32
PID 2612 wrote to memory of 2484	2612	{FE8ECB42-6855-4921-8271-939932885514}.exe	32
PID 2612 wrote to memory of 2596	2612	{FE8ECB42-6855-4921-8271-939932885514}.exe	33
PID 2612 wrote to memory of 2596	2612	{FE8ECB42-6855-4921-8271-939932885514}.exe	33
PID 2612 wrote to memory of 2596	2612	{FE8ECB42-6855-4921-8271-939932885514}.exe	33
PID 2612 wrote to memory of 2596	2612	{FE8ECB42-6855-4921-8271-939932885514}.exe	33
PID 2484 wrote to memory of 2908	2484	{ECC97352-00D2-4a42-8B8E-E9E0A2BD5C2A}.exe	36
PID 2484 wrote to memory of 2908	2484	{ECC97352-00D2-4a42-8B8E-E9E0A2BD5C2A}.exe	36
PID 2484 wrote to memory of 2908	2484	{ECC97352-00D2-4a42-8B8E-E9E0A2BD5C2A}.exe	36
PID 2484 wrote to memory of 2908	2484	{ECC97352-00D2-4a42-8B8E-E9E0A2BD5C2A}.exe	36
PID 2484 wrote to memory of 1108	2484	{ECC97352-00D2-4a42-8B8E-E9E0A2BD5C2A}.exe	37
PID 2484 wrote to memory of 1108	2484	{ECC97352-00D2-4a42-8B8E-E9E0A2BD5C2A}.exe	37
PID 2484 wrote to memory of 1108	2484	{ECC97352-00D2-4a42-8B8E-E9E0A2BD5C2A}.exe	37
PID 2484 wrote to memory of 1108	2484	{ECC97352-00D2-4a42-8B8E-E9E0A2BD5C2A}.exe	37
PID 2908 wrote to memory of 2080	2908	{0742B350-4973-4379-A039-670B4BC76B83}.exe	38
PID 2908 wrote to memory of 2080	2908	{0742B350-4973-4379-A039-670B4BC76B83}.exe	38
PID 2908 wrote to memory of 2080	2908	{0742B350-4973-4379-A039-670B4BC76B83}.exe	38
PID 2908 wrote to memory of 2080	2908	{0742B350-4973-4379-A039-670B4BC76B83}.exe	38
PID 2908 wrote to memory of 2092	2908	{0742B350-4973-4379-A039-670B4BC76B83}.exe	39
PID 2908 wrote to memory of 2092	2908	{0742B350-4973-4379-A039-670B4BC76B83}.exe	39
PID 2908 wrote to memory of 2092	2908	{0742B350-4973-4379-A039-670B4BC76B83}.exe	39
PID 2908 wrote to memory of 2092	2908	{0742B350-4973-4379-A039-670B4BC76B83}.exe	39
PID 2080 wrote to memory of 816	2080	{E7071400-B611-4ff8-8517-B8A6F6B46A50}.exe	40
PID 2080 wrote to memory of 816	2080	{E7071400-B611-4ff8-8517-B8A6F6B46A50}.exe	40
PID 2080 wrote to memory of 816	2080	{E7071400-B611-4ff8-8517-B8A6F6B46A50}.exe	40
PID 2080 wrote to memory of 816	2080	{E7071400-B611-4ff8-8517-B8A6F6B46A50}.exe	40
PID 2080 wrote to memory of 1988	2080	{E7071400-B611-4ff8-8517-B8A6F6B46A50}.exe	41
PID 2080 wrote to memory of 1988	2080	{E7071400-B611-4ff8-8517-B8A6F6B46A50}.exe	41
PID 2080 wrote to memory of 1988	2080	{E7071400-B611-4ff8-8517-B8A6F6B46A50}.exe	41
PID 2080 wrote to memory of 1988	2080	{E7071400-B611-4ff8-8517-B8A6F6B46A50}.exe	41
PID 816 wrote to memory of 332	816	{D7719EA7-0332-4df7-AD9D-2B43185D9215}.exe	42
PID 816 wrote to memory of 332	816	{D7719EA7-0332-4df7-AD9D-2B43185D9215}.exe	42
PID 816 wrote to memory of 332	816	{D7719EA7-0332-4df7-AD9D-2B43185D9215}.exe	42
PID 816 wrote to memory of 332	816	{D7719EA7-0332-4df7-AD9D-2B43185D9215}.exe	42
PID 816 wrote to memory of 1680	816	{D7719EA7-0332-4df7-AD9D-2B43185D9215}.exe	43
PID 816 wrote to memory of 1680	816	{D7719EA7-0332-4df7-AD9D-2B43185D9215}.exe	43
PID 816 wrote to memory of 1680	816	{D7719EA7-0332-4df7-AD9D-2B43185D9215}.exe	43
PID 816 wrote to memory of 1680	816	{D7719EA7-0332-4df7-AD9D-2B43185D9215}.exe	43
PID 332 wrote to memory of 2364	332	{4ED87638-9B81-443c-87DB-6C812BC4E797}.exe	44
PID 332 wrote to memory of 2364	332	{4ED87638-9B81-443c-87DB-6C812BC4E797}.exe	44
PID 332 wrote to memory of 2364	332	{4ED87638-9B81-443c-87DB-6C812BC4E797}.exe	44
PID 332 wrote to memory of 2364	332	{4ED87638-9B81-443c-87DB-6C812BC4E797}.exe	44
PID 332 wrote to memory of 1528	332	{4ED87638-9B81-443c-87DB-6C812BC4E797}.exe	45
PID 332 wrote to memory of 1528	332	{4ED87638-9B81-443c-87DB-6C812BC4E797}.exe	45
PID 332 wrote to memory of 1528	332	{4ED87638-9B81-443c-87DB-6C812BC4E797}.exe	45
PID 332 wrote to memory of 1528	332	{4ED87638-9B81-443c-87DB-6C812BC4E797}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-04-22_a875ba70957756537d41de15f7a8b369_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-22_a875ba70957756537d41de15f7a8b369_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1700
- C:\Windows\{82F754A9-67D9-406d-8B98-F79D31A8A778}.exe
  C:\Windows\{82F754A9-67D9-406d-8B98-F79D31A8A778}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2976
- - C:\Windows\{FE8ECB42-6855-4921-8271-939932885514}.exe
    C:\Windows\{FE8ECB42-6855-4921-8271-939932885514}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2612
  - - C:\Windows\{ECC97352-00D2-4a42-8B8E-E9E0A2BD5C2A}.exe
      C:\Windows\{ECC97352-00D2-4a42-8B8E-E9E0A2BD5C2A}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2484
    - - C:\Windows\{0742B350-4973-4379-A039-670B4BC76B83}.exe
        
        C:\Windows\{0742B350-4973-4379-A039-670B4BC76B83}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2908
      - C:\Windows\{E7071400-B611-4ff8-8517-B8A6F6B46A50}.exe
        
        C:\Windows\{E7071400-B611-4ff8-8517-B8A6F6B46A50}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2080
        
        C:\Windows\{D7719EA7-0332-4df7-AD9D-2B43185D9215}.exe
        
        C:\Windows\{D7719EA7-0332-4df7-AD9D-2B43185D9215}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:816
        
        C:\Windows\{4ED87638-9B81-443c-87DB-6C812BC4E797}.exe
        
        C:\Windows\{4ED87638-9B81-443c-87DB-6C812BC4E797}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:332
        
        C:\Windows\{CB4BF063-C60A-49dc-8E6B-B55DE1E5DBDA}.exe
        
        C:\Windows\{CB4BF063-C60A-49dc-8E6B-B55DE1E5DBDA}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2364
        
        C:\Windows\{874609F4-C839-4a3b-8E51-EA75543C7DEF}.exe
        
        C:\Windows\{874609F4-C839-4a3b-8E51-EA75543C7DEF}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1312
        
        C:\Windows\{C6E589D0-D4B2-47b3-9772-DFF4F2626B60}.exe
        
        C:\Windows\{C6E589D0-D4B2-47b3-9772-DFF4F2626B60}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2288
        
        C:\Windows\{2E0B5D0D-802A-4fab-9AED-85C543963F5F}.exe
        
        C:\Windows\{2E0B5D0D-802A-4fab-9AED-85C543963F5F}.exe
        12⤵
        Executes dropped EXE
        
        PID:1496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C6E58~1.EXE > nul
        12⤵
        
        PID:1096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{87460~1.EXE > nul
        11⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CB4BF~1.EXE > nul
        10⤵
        
        PID:1436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4ED87~1.EXE > nul
        9⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D7719~1.EXE > nul
        8⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E7071~1.EXE > nul
        7⤵
        
        PID:1988
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0742B~1.EXE > nul
        6⤵
        
        PID:2092
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{ECC97~1.EXE > nul
        5⤵
        
        PID:1108
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{FE8EC~1.EXE > nul
      4⤵
      PID:2596
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{82F75~1.EXE > nul
    3⤵
    PID:2256
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:3032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0742B350-4973-4379-A039-670B4BC76B83}.exe

Filesize
180KB

MD5
e8f372ce7cbbd275792d322d213114fb

SHA1
49724dd6eaa819de374572f8384fae6e777edf19

SHA256
a7a02a1afdcc938a644e8097f9d3994ed43af3e6872753e3f88698f8e308914e

SHA512
a66a45be06bc3d0bdbe5b3e027678e5f4f6d90115bb98e511257b0b3d5cbc9a3f9feedd9462d128eb47f6ad98bf63d7261012fffac59ae3854a0aa1035986cd9

Download Submit
C:\Windows\{2E0B5D0D-802A-4fab-9AED-85C543963F5F}.exe

Filesize
180KB

MD5
3d7ce29981b3d3607f375c8a6d4ea92d

SHA1
4127fc0277d40530d56dcee533770e13e9b0ad5a

SHA256
7700a9edf68ee9e07b3b5d5738464a6efd3511c411c3e37330830dae11c2830c

SHA512
9a6e697f13d1bc077e8e2c27afdbef1e7f600c2d3b4acd01a28990875ceaeb875891b081394d66c570da7fab8b8a8915fa34ceccba8e7db1b2d376dfdfb233aa

Download Submit
C:\Windows\{4ED87638-9B81-443c-87DB-6C812BC4E797}.exe

Filesize
180KB

MD5
77086833eae7970de26db72af42583b3

SHA1
6d6126e7f5cecff81922491f1b915da8a730379d

SHA256
9649271ff01cafd729f80ffe552a8363bc7a69278b49ea1752e2cc209b3d8813

SHA512
59c6ee291f34335b8ceab3d4fc2fca837477163f423fd2a79568d52507f81cf05fca047e7fd1bb6ce5bfe09fb288669aec00ec21fc7c97ed452f8e52f42c0cd3

Download Submit
C:\Windows\{82F754A9-67D9-406d-8B98-F79D31A8A778}.exe

Filesize
180KB

MD5
e08ec85656aea674f381a3ef169ffe5b

SHA1
c66b7289cb9b4b7c4384d5e81d033074f39abe08

SHA256
21b945db718849a5626a28e7b2e0cd6f534c7099b918a28884f2ec07fabe5ac5

SHA512
61bb1ad051b6d9f9ddeccdcc726a29ac5d152b0feeb5031b94eb129dd9e828c41bc2621859f776a04feb6090896143bc1d4be81d74f0f13235c1feafe641d283

Download Submit
C:\Windows\{874609F4-C839-4a3b-8E51-EA75543C7DEF}.exe

Filesize
180KB

MD5
c12fadad962449bc91a7b2d5d153478c

SHA1
0b87ff98f45803e151a8e0b10c31c9a1cb249368

SHA256
5e8047ece2a9eeef00fd658294f05cfd9a971466c5f0c615c992e7717156cd30

SHA512
f4464148a0a3299f52f5d0afb70bba6502604cab685fddbb78c7c110f85913d684835d22c38263f3079c974f75a32ac7a814e28d88f42227e09ac0ab9e70cffb

Download Submit
C:\Windows\{C6E589D0-D4B2-47b3-9772-DFF4F2626B60}.exe

Filesize
180KB

MD5
5729d6c4d541d08e2b8015c88f2056c0

SHA1
d3f9c7048922f964718a09c7bd54e389a75bc708

SHA256
6e74f1f97425463cb1b7901d8ccc00cc8dc26b581242fd6734377d8f93c0ca4f

SHA512
fc1b8241be17391c8cb0082d1a01015737f4e7febe7bbeeb38a4e4b4381fbfe1fff899eed25b740f1c13d046522bb94923ac22250bdb19e1d4bd3510b8aac253

Download Submit
C:\Windows\{CB4BF063-C60A-49dc-8E6B-B55DE1E5DBDA}.exe

Filesize
180KB

MD5
1cf3f4215bd8798cd318ba35338d3de2

SHA1
4829217fa2ff531eae8d1440db1c62468c4a1cfe

SHA256
85db9c85ea05c8bb068ffd2351779604b4988d58d0831c206a16f3ab03f76b51

SHA512
db586a3d86d43c8ac784733514b4085e8f93426a2f2e342aa700cde6bac4241ae7b0d223b2c6f5fa4676ca93c0f7f6a6f4cf29099e61efb51a54dccc4e75ddcc

Download Submit
C:\Windows\{D7719EA7-0332-4df7-AD9D-2B43185D9215}.exe

Filesize
180KB

MD5
c005d853189b2361b951c6e599b56ae6

SHA1
c8bf5ac34b4aad97030e30390840f74f9c264ede

SHA256
ef33ed8c59dcf894bb3c66b5a93cdc384e4729881a4fe801a78440e6f9963c1e

SHA512
04770062167f31487b69fa7b7598bddc9efc27afe184094814098b11ac6234656b340470aa2f815f0ef4d2bbd496df6f17f9d887f05b9580b8edb969986fe89a

Download Submit
C:\Windows\{E7071400-B611-4ff8-8517-B8A6F6B46A50}.exe

Filesize
180KB

MD5
cc1f55064889046311ffabf7edb9a3f0

SHA1
315254380ab6e0ed72721b53bd039d71606a7df9

SHA256
6abb343a4952d2706385b301fb52e16ff9fe6eb4795ee5e34555d037e9235b9b

SHA512
8ae53fc7c2927fe6d58117eb3653e10bbb626ecde149600799cc6a8ec5573b3cccd7082f5c7d48578959f4a35d8b10f8662209cf079f01ed537d481717a49949

Download Submit
C:\Windows\{ECC97352-00D2-4a42-8B8E-E9E0A2BD5C2A}.exe

Filesize
180KB

MD5
6721b12ccdc92f8df332e7151cf38329

SHA1
a1093b729d9e5ac8ea41178699b2248481d3f1a0

SHA256
504ecea8957898a59525e70daae88b60061230592081f5ac4987fabdf66bbf9c

SHA512
29b9fded48ea7fa9148b8a619e9e563dab79375cbd59dcdbdff8bd6f0564fbd906de2aff91c2a9c04825405856a69b2aea0523a0dd8eeeb784fc81973b171dbb

Download Submit
C:\Windows\{FE8ECB42-6855-4921-8271-939932885514}.exe

Filesize
180KB

MD5
a5cb3972a96a6cb0052a975d933527ff

SHA1
3541d84c6aeedaae66931b3afda518900a26dfbb

SHA256
0c8aca542131004202ad09a848c8fefe0905e7b693e0089e1c945ba8c6867f71

SHA512
c4b88c16727c1b5e71161e3bc94e8167e34138b26e48c80f0f1d16ddbe688be54c6e2478973dddfb45f3a4ea143f68e1deade2ebe26530aba6f4558b4925c2bf

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads