92ef050adeccd487569f8839d845c413f7891ae11ece63677d3271dd81da888a

Analysis

max time kernel
144s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
22/04/2024, 18:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-22_de2f7d8796c1a582c314f11f98351e18_goldeneye.exe
Size

408KB
MD5

de2f7d8796c1a582c314f11f98351e18
SHA1

ceb6abd026aad9685f1f15a8ff32158b3611dfbd
SHA256

92ef050adeccd487569f8839d845c413f7891ae11ece63677d3271dd81da888a
SHA512

8d334a4bb8ef9bfacd90da89dff91e61c02fcc89216bb4f8ce56abc18b08ff04cb9aaabf666b606178f6bc1e8e6912d50b590045785a51a1798ce9cf0dc3fab2
SSDEEP

3072:CEGh0oBl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBft:CEGnldOe2MUVg3vTeKcAEciTBqr3jy9

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000900000001223d-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f00000000f680-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a00000001223d-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001000000000f680-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b00000001223d-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001100000000f680-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c00000001223d-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001200000000f680-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d00000001223d-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001300000000f680-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e00000001223d-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EDBD0575-DDFB-4e05-9414-B6EAA5444619}	{0D207B10-4215-41c8-BD98-459F2B6246DB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EDBD0575-DDFB-4e05-9414-B6EAA5444619}\stubpath = "C:\\Windows\\{EDBD0575-DDFB-4e05-9414-B6EAA5444619}.exe"	{0D207B10-4215-41c8-BD98-459F2B6246DB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4CDF37A9-A159-4a31-8F3B-2C96E51DAF5D}	{EDBD0575-DDFB-4e05-9414-B6EAA5444619}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{93A61E6C-16E2-4463-9033-E3FE8ED84C85}\stubpath = "C:\\Windows\\{93A61E6C-16E2-4463-9033-E3FE8ED84C85}.exe"	{4CDF37A9-A159-4a31-8F3B-2C96E51DAF5D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E109BF6F-7A29-4b3e-8D41-9899B73B4366}	{9C838243-7DA6-4f2e-AB02-60F9A63D6F42}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{37A3E4F5-CCDB-44f6-82EF-36045AC586FF}	{0AF56535-2023-4da0-9613-C87C01CD5DC1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{37A3E4F5-CCDB-44f6-82EF-36045AC586FF}\stubpath = "C:\\Windows\\{37A3E4F5-CCDB-44f6-82EF-36045AC586FF}.exe"	{0AF56535-2023-4da0-9613-C87C01CD5DC1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E109BF6F-7A29-4b3e-8D41-9899B73B4366}\stubpath = "C:\\Windows\\{E109BF6F-7A29-4b3e-8D41-9899B73B4366}.exe"	{9C838243-7DA6-4f2e-AB02-60F9A63D6F42}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0D207B10-4215-41c8-BD98-459F2B6246DB}	{8E845C3A-80F5-44c0-9F95-6B2EE17D4A1B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0D207B10-4215-41c8-BD98-459F2B6246DB}\stubpath = "C:\\Windows\\{0D207B10-4215-41c8-BD98-459F2B6246DB}.exe"	{8E845C3A-80F5-44c0-9F95-6B2EE17D4A1B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4CDF37A9-A159-4a31-8F3B-2C96E51DAF5D}\stubpath = "C:\\Windows\\{4CDF37A9-A159-4a31-8F3B-2C96E51DAF5D}.exe"	{EDBD0575-DDFB-4e05-9414-B6EAA5444619}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0AF56535-2023-4da0-9613-C87C01CD5DC1}	{93A61E6C-16E2-4463-9033-E3FE8ED84C85}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0AF56535-2023-4da0-9613-C87C01CD5DC1}\stubpath = "C:\\Windows\\{0AF56535-2023-4da0-9613-C87C01CD5DC1}.exe"	{93A61E6C-16E2-4463-9033-E3FE8ED84C85}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6463CC2E-5BD4-4b3a-B68A-4D34F768E575}	{E109BF6F-7A29-4b3e-8D41-9899B73B4366}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6463CC2E-5BD4-4b3a-B68A-4D34F768E575}\stubpath = "C:\\Windows\\{6463CC2E-5BD4-4b3a-B68A-4D34F768E575}.exe"	{E109BF6F-7A29-4b3e-8D41-9899B73B4366}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C7D65577-A74D-4662-B67F-2A40EE1BC412}	{6463CC2E-5BD4-4b3a-B68A-4D34F768E575}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C7D65577-A74D-4662-B67F-2A40EE1BC412}\stubpath = "C:\\Windows\\{C7D65577-A74D-4662-B67F-2A40EE1BC412}.exe"	{6463CC2E-5BD4-4b3a-B68A-4D34F768E575}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8E845C3A-80F5-44c0-9F95-6B2EE17D4A1B}	2024-04-22_de2f7d8796c1a582c314f11f98351e18_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8E845C3A-80F5-44c0-9F95-6B2EE17D4A1B}\stubpath = "C:\\Windows\\{8E845C3A-80F5-44c0-9F95-6B2EE17D4A1B}.exe"	2024-04-22_de2f7d8796c1a582c314f11f98351e18_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{93A61E6C-16E2-4463-9033-E3FE8ED84C85}	{4CDF37A9-A159-4a31-8F3B-2C96E51DAF5D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9C838243-7DA6-4f2e-AB02-60F9A63D6F42}	{37A3E4F5-CCDB-44f6-82EF-36045AC586FF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9C838243-7DA6-4f2e-AB02-60F9A63D6F42}\stubpath = "C:\\Windows\\{9C838243-7DA6-4f2e-AB02-60F9A63D6F42}.exe"	{37A3E4F5-CCDB-44f6-82EF-36045AC586FF}.exe

Deletes itself 1 IoCs

pid	Process
2816	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2296	{8E845C3A-80F5-44c0-9F95-6B2EE17D4A1B}.exe
2916	{0D207B10-4215-41c8-BD98-459F2B6246DB}.exe
2772	{EDBD0575-DDFB-4e05-9414-B6EAA5444619}.exe
2408	{4CDF37A9-A159-4a31-8F3B-2C96E51DAF5D}.exe
940	{93A61E6C-16E2-4463-9033-E3FE8ED84C85}.exe
1260	{0AF56535-2023-4da0-9613-C87C01CD5DC1}.exe
1036	{37A3E4F5-CCDB-44f6-82EF-36045AC586FF}.exe
2336	{9C838243-7DA6-4f2e-AB02-60F9A63D6F42}.exe
268	{E109BF6F-7A29-4b3e-8D41-9899B73B4366}.exe
2684	{6463CC2E-5BD4-4b3a-B68A-4D34F768E575}.exe
2700	{C7D65577-A74D-4662-B67F-2A40EE1BC412}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{C7D65577-A74D-4662-B67F-2A40EE1BC412}.exe	{6463CC2E-5BD4-4b3a-B68A-4D34F768E575}.exe
File created	C:\Windows\{8E845C3A-80F5-44c0-9F95-6B2EE17D4A1B}.exe	2024-04-22_de2f7d8796c1a582c314f11f98351e18_goldeneye.exe
File created	C:\Windows\{0D207B10-4215-41c8-BD98-459F2B6246DB}.exe	{8E845C3A-80F5-44c0-9F95-6B2EE17D4A1B}.exe
File created	C:\Windows\{4CDF37A9-A159-4a31-8F3B-2C96E51DAF5D}.exe	{EDBD0575-DDFB-4e05-9414-B6EAA5444619}.exe
File created	C:\Windows\{93A61E6C-16E2-4463-9033-E3FE8ED84C85}.exe	{4CDF37A9-A159-4a31-8F3B-2C96E51DAF5D}.exe
File created	C:\Windows\{37A3E4F5-CCDB-44f6-82EF-36045AC586FF}.exe	{0AF56535-2023-4da0-9613-C87C01CD5DC1}.exe
File created	C:\Windows\{6463CC2E-5BD4-4b3a-B68A-4D34F768E575}.exe	{E109BF6F-7A29-4b3e-8D41-9899B73B4366}.exe
File created	C:\Windows\{EDBD0575-DDFB-4e05-9414-B6EAA5444619}.exe	{0D207B10-4215-41c8-BD98-459F2B6246DB}.exe
File created	C:\Windows\{0AF56535-2023-4da0-9613-C87C01CD5DC1}.exe	{93A61E6C-16E2-4463-9033-E3FE8ED84C85}.exe
File created	C:\Windows\{9C838243-7DA6-4f2e-AB02-60F9A63D6F42}.exe	{37A3E4F5-CCDB-44f6-82EF-36045AC586FF}.exe
File created	C:\Windows\{E109BF6F-7A29-4b3e-8D41-9899B73B4366}.exe	{9C838243-7DA6-4f2e-AB02-60F9A63D6F42}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1640	2024-04-22_de2f7d8796c1a582c314f11f98351e18_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2296	{8E845C3A-80F5-44c0-9F95-6B2EE17D4A1B}.exe
Token: SeIncBasePriorityPrivilege	2916	{0D207B10-4215-41c8-BD98-459F2B6246DB}.exe
Token: SeIncBasePriorityPrivilege	2772	{EDBD0575-DDFB-4e05-9414-B6EAA5444619}.exe
Token: SeIncBasePriorityPrivilege	2408	{4CDF37A9-A159-4a31-8F3B-2C96E51DAF5D}.exe
Token: SeIncBasePriorityPrivilege	940	{93A61E6C-16E2-4463-9033-E3FE8ED84C85}.exe
Token: SeIncBasePriorityPrivilege	1260	{0AF56535-2023-4da0-9613-C87C01CD5DC1}.exe
Token: SeIncBasePriorityPrivilege	1036	{37A3E4F5-CCDB-44f6-82EF-36045AC586FF}.exe
Token: SeIncBasePriorityPrivilege	2336	{9C838243-7DA6-4f2e-AB02-60F9A63D6F42}.exe
Token: SeIncBasePriorityPrivilege	268	{E109BF6F-7A29-4b3e-8D41-9899B73B4366}.exe
Token: SeIncBasePriorityPrivilege	2684	{6463CC2E-5BD4-4b3a-B68A-4D34F768E575}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1640 wrote to memory of 2296	1640	2024-04-22_de2f7d8796c1a582c314f11f98351e18_goldeneye.exe	28
PID 1640 wrote to memory of 2296	1640	2024-04-22_de2f7d8796c1a582c314f11f98351e18_goldeneye.exe	28
PID 1640 wrote to memory of 2296	1640	2024-04-22_de2f7d8796c1a582c314f11f98351e18_goldeneye.exe	28
PID 1640 wrote to memory of 2296	1640	2024-04-22_de2f7d8796c1a582c314f11f98351e18_goldeneye.exe	28
PID 1640 wrote to memory of 2816	1640	2024-04-22_de2f7d8796c1a582c314f11f98351e18_goldeneye.exe	29
PID 1640 wrote to memory of 2816	1640	2024-04-22_de2f7d8796c1a582c314f11f98351e18_goldeneye.exe	29
PID 1640 wrote to memory of 2816	1640	2024-04-22_de2f7d8796c1a582c314f11f98351e18_goldeneye.exe	29
PID 1640 wrote to memory of 2816	1640	2024-04-22_de2f7d8796c1a582c314f11f98351e18_goldeneye.exe	29
PID 2296 wrote to memory of 2916	2296	{8E845C3A-80F5-44c0-9F95-6B2EE17D4A1B}.exe	32
PID 2296 wrote to memory of 2916	2296	{8E845C3A-80F5-44c0-9F95-6B2EE17D4A1B}.exe	32
PID 2296 wrote to memory of 2916	2296	{8E845C3A-80F5-44c0-9F95-6B2EE17D4A1B}.exe	32
PID 2296 wrote to memory of 2916	2296	{8E845C3A-80F5-44c0-9F95-6B2EE17D4A1B}.exe	32
PID 2296 wrote to memory of 2096	2296	{8E845C3A-80F5-44c0-9F95-6B2EE17D4A1B}.exe	33
PID 2296 wrote to memory of 2096	2296	{8E845C3A-80F5-44c0-9F95-6B2EE17D4A1B}.exe	33
PID 2296 wrote to memory of 2096	2296	{8E845C3A-80F5-44c0-9F95-6B2EE17D4A1B}.exe	33
PID 2296 wrote to memory of 2096	2296	{8E845C3A-80F5-44c0-9F95-6B2EE17D4A1B}.exe	33
PID 2916 wrote to memory of 2772	2916	{0D207B10-4215-41c8-BD98-459F2B6246DB}.exe	34
PID 2916 wrote to memory of 2772	2916	{0D207B10-4215-41c8-BD98-459F2B6246DB}.exe	34
PID 2916 wrote to memory of 2772	2916	{0D207B10-4215-41c8-BD98-459F2B6246DB}.exe	34
PID 2916 wrote to memory of 2772	2916	{0D207B10-4215-41c8-BD98-459F2B6246DB}.exe	34
PID 2916 wrote to memory of 2616	2916	{0D207B10-4215-41c8-BD98-459F2B6246DB}.exe	35
PID 2916 wrote to memory of 2616	2916	{0D207B10-4215-41c8-BD98-459F2B6246DB}.exe	35
PID 2916 wrote to memory of 2616	2916	{0D207B10-4215-41c8-BD98-459F2B6246DB}.exe	35
PID 2916 wrote to memory of 2616	2916	{0D207B10-4215-41c8-BD98-459F2B6246DB}.exe	35
PID 2772 wrote to memory of 2408	2772	{EDBD0575-DDFB-4e05-9414-B6EAA5444619}.exe	36
PID 2772 wrote to memory of 2408	2772	{EDBD0575-DDFB-4e05-9414-B6EAA5444619}.exe	36
PID 2772 wrote to memory of 2408	2772	{EDBD0575-DDFB-4e05-9414-B6EAA5444619}.exe	36
PID 2772 wrote to memory of 2408	2772	{EDBD0575-DDFB-4e05-9414-B6EAA5444619}.exe	36
PID 2772 wrote to memory of 2520	2772	{EDBD0575-DDFB-4e05-9414-B6EAA5444619}.exe	37
PID 2772 wrote to memory of 2520	2772	{EDBD0575-DDFB-4e05-9414-B6EAA5444619}.exe	37
PID 2772 wrote to memory of 2520	2772	{EDBD0575-DDFB-4e05-9414-B6EAA5444619}.exe	37
PID 2772 wrote to memory of 2520	2772	{EDBD0575-DDFB-4e05-9414-B6EAA5444619}.exe	37
PID 2408 wrote to memory of 940	2408	{4CDF37A9-A159-4a31-8F3B-2C96E51DAF5D}.exe	38
PID 2408 wrote to memory of 940	2408	{4CDF37A9-A159-4a31-8F3B-2C96E51DAF5D}.exe	38
PID 2408 wrote to memory of 940	2408	{4CDF37A9-A159-4a31-8F3B-2C96E51DAF5D}.exe	38
PID 2408 wrote to memory of 940	2408	{4CDF37A9-A159-4a31-8F3B-2C96E51DAF5D}.exe	38
PID 2408 wrote to memory of 2460	2408	{4CDF37A9-A159-4a31-8F3B-2C96E51DAF5D}.exe	39
PID 2408 wrote to memory of 2460	2408	{4CDF37A9-A159-4a31-8F3B-2C96E51DAF5D}.exe	39
PID 2408 wrote to memory of 2460	2408	{4CDF37A9-A159-4a31-8F3B-2C96E51DAF5D}.exe	39
PID 2408 wrote to memory of 2460	2408	{4CDF37A9-A159-4a31-8F3B-2C96E51DAF5D}.exe	39
PID 940 wrote to memory of 1260	940	{93A61E6C-16E2-4463-9033-E3FE8ED84C85}.exe	40
PID 940 wrote to memory of 1260	940	{93A61E6C-16E2-4463-9033-E3FE8ED84C85}.exe	40
PID 940 wrote to memory of 1260	940	{93A61E6C-16E2-4463-9033-E3FE8ED84C85}.exe	40
PID 940 wrote to memory of 1260	940	{93A61E6C-16E2-4463-9033-E3FE8ED84C85}.exe	40
PID 940 wrote to memory of 1044	940	{93A61E6C-16E2-4463-9033-E3FE8ED84C85}.exe	41
PID 940 wrote to memory of 1044	940	{93A61E6C-16E2-4463-9033-E3FE8ED84C85}.exe	41
PID 940 wrote to memory of 1044	940	{93A61E6C-16E2-4463-9033-E3FE8ED84C85}.exe	41
PID 940 wrote to memory of 1044	940	{93A61E6C-16E2-4463-9033-E3FE8ED84C85}.exe	41
PID 1260 wrote to memory of 1036	1260	{0AF56535-2023-4da0-9613-C87C01CD5DC1}.exe	42
PID 1260 wrote to memory of 1036	1260	{0AF56535-2023-4da0-9613-C87C01CD5DC1}.exe	42
PID 1260 wrote to memory of 1036	1260	{0AF56535-2023-4da0-9613-C87C01CD5DC1}.exe	42
PID 1260 wrote to memory of 1036	1260	{0AF56535-2023-4da0-9613-C87C01CD5DC1}.exe	42
PID 1260 wrote to memory of 1196	1260	{0AF56535-2023-4da0-9613-C87C01CD5DC1}.exe	43
PID 1260 wrote to memory of 1196	1260	{0AF56535-2023-4da0-9613-C87C01CD5DC1}.exe	43
PID 1260 wrote to memory of 1196	1260	{0AF56535-2023-4da0-9613-C87C01CD5DC1}.exe	43
PID 1260 wrote to memory of 1196	1260	{0AF56535-2023-4da0-9613-C87C01CD5DC1}.exe	43
PID 1036 wrote to memory of 2336	1036	{37A3E4F5-CCDB-44f6-82EF-36045AC586FF}.exe	44
PID 1036 wrote to memory of 2336	1036	{37A3E4F5-CCDB-44f6-82EF-36045AC586FF}.exe	44
PID 1036 wrote to memory of 2336	1036	{37A3E4F5-CCDB-44f6-82EF-36045AC586FF}.exe	44
PID 1036 wrote to memory of 2336	1036	{37A3E4F5-CCDB-44f6-82EF-36045AC586FF}.exe	44
PID 1036 wrote to memory of 1348	1036	{37A3E4F5-CCDB-44f6-82EF-36045AC586FF}.exe	45
PID 1036 wrote to memory of 1348	1036	{37A3E4F5-CCDB-44f6-82EF-36045AC586FF}.exe	45
PID 1036 wrote to memory of 1348	1036	{37A3E4F5-CCDB-44f6-82EF-36045AC586FF}.exe	45
PID 1036 wrote to memory of 1348	1036	{37A3E4F5-CCDB-44f6-82EF-36045AC586FF}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-04-22_de2f7d8796c1a582c314f11f98351e18_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-22_de2f7d8796c1a582c314f11f98351e18_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1640
- C:\Windows\{8E845C3A-80F5-44c0-9F95-6B2EE17D4A1B}.exe
  C:\Windows\{8E845C3A-80F5-44c0-9F95-6B2EE17D4A1B}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2296
- - C:\Windows\{0D207B10-4215-41c8-BD98-459F2B6246DB}.exe
    C:\Windows\{0D207B10-4215-41c8-BD98-459F2B6246DB}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2916
  - - C:\Windows\{EDBD0575-DDFB-4e05-9414-B6EAA5444619}.exe
      C:\Windows\{EDBD0575-DDFB-4e05-9414-B6EAA5444619}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2772
    - - C:\Windows\{4CDF37A9-A159-4a31-8F3B-2C96E51DAF5D}.exe
        
        C:\Windows\{4CDF37A9-A159-4a31-8F3B-2C96E51DAF5D}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2408
      - C:\Windows\{93A61E6C-16E2-4463-9033-E3FE8ED84C85}.exe
        
        C:\Windows\{93A61E6C-16E2-4463-9033-E3FE8ED84C85}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:940
        
        C:\Windows\{0AF56535-2023-4da0-9613-C87C01CD5DC1}.exe
        
        C:\Windows\{0AF56535-2023-4da0-9613-C87C01CD5DC1}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1260
        
        C:\Windows\{37A3E4F5-CCDB-44f6-82EF-36045AC586FF}.exe
        
        C:\Windows\{37A3E4F5-CCDB-44f6-82EF-36045AC586FF}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1036
        
        C:\Windows\{9C838243-7DA6-4f2e-AB02-60F9A63D6F42}.exe
        
        C:\Windows\{9C838243-7DA6-4f2e-AB02-60F9A63D6F42}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2336
        
        C:\Windows\{E109BF6F-7A29-4b3e-8D41-9899B73B4366}.exe
        
        C:\Windows\{E109BF6F-7A29-4b3e-8D41-9899B73B4366}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:268
        
        C:\Windows\{6463CC2E-5BD4-4b3a-B68A-4D34F768E575}.exe
        
        C:\Windows\{6463CC2E-5BD4-4b3a-B68A-4D34F768E575}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2684
        
        C:\Windows\{C7D65577-A74D-4662-B67F-2A40EE1BC412}.exe
        
        C:\Windows\{C7D65577-A74D-4662-B67F-2A40EE1BC412}.exe
        12⤵
        Executes dropped EXE
        
        PID:2700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6463C~1.EXE > nul
        12⤵
        
        PID:1136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E109B~1.EXE > nul
        11⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9C838~1.EXE > nul
        10⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{37A3E~1.EXE > nul
        9⤵
        
        PID:1348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0AF56~1.EXE > nul
        8⤵
        
        PID:1196
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{93A61~1.EXE > nul
        7⤵
        
        PID:1044
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4CDF3~1.EXE > nul
        6⤵
        
        PID:2460
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EDBD0~1.EXE > nul
        5⤵
        
        PID:2520
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{0D207~1.EXE > nul
      4⤵
      PID:2616
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{8E845~1.EXE > nul
    3⤵
    PID:2096
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0AF56535-2023-4da0-9613-C87C01CD5DC1}.exe

Filesize
408KB

MD5
99e3fbebd9d677d4c50dbd7ee87c1a34

SHA1
4ec931dadce25a8db53711edb278cbd830d870b4

SHA256
71e26d6fa65a3911cda92985b8c036c1be7f50b7097ef322ba6a28feddaf4e9c

SHA512
7bb994b9fa51692d76b9552ecf049a085ac37229ebfd2136fee8aa2d1cd72dfbafa95459b64ed87987799cf1242c94fe02ad7e7cfbc4e9fdf3278c9c53b50d9c

Download Submit
C:\Windows\{0D207B10-4215-41c8-BD98-459F2B6246DB}.exe

Filesize
408KB

MD5
311b3b2fcafc20a759ee20a4c58d6028

SHA1
c14770cd0d4c81110b5b8854c69492008ddc57dc

SHA256
d39e2f142713f97cc6a9da9b5bc0c4270f3d8cc369220531c836f4b7a55d4a01

SHA512
ac1325fdc1c7db0d06c2b8666329299f882a635551e9ce0f64c88b98c579aeba367cca8539b7d7b4e3c4d5b44d9065e28c59b05791a3e759fcba91e7c6c67f80

Download Submit
C:\Windows\{37A3E4F5-CCDB-44f6-82EF-36045AC586FF}.exe

Filesize
408KB

MD5
987496855fb300ce69d9bf35cffc0053

SHA1
2607f3b22484384358fb77d9c84ab01dca8efebb

SHA256
253cc4717fdf4c5a386bdc6ee5fd92bf46fcab45e89ca550808072f8559eb94a

SHA512
209525f69c474c2e9ec17e0d456b34d0f4de0acc75e9e3aaae568f20fff1d1577895354c23d01fbc454a6034e9288597285700d05863dab697dfd355ceb89841

Download Submit
C:\Windows\{4CDF37A9-A159-4a31-8F3B-2C96E51DAF5D}.exe

Filesize
408KB

MD5
48bf0a0b0dd7123cf074b6e467ca93e7

SHA1
a3ad6355fd858354c01bf0f31daf44aa6dcb6a55

SHA256
061fc5f755f0bb1421b5ba43553490e3eb64eeaaece6fe8d3ce69fa9fb79c761

SHA512
3db22ae949272424b84f946f34edc65ca5040bf0341bb842130b203db9fae6f3de2e618bf3a290e343b7db7c2612cafed01d4d673cd38a5a1d86b4f7246a8c04

Download Submit
C:\Windows\{6463CC2E-5BD4-4b3a-B68A-4D34F768E575}.exe

Filesize
408KB

MD5
6fdd0e984d3ce89bce8e79aa2c91c25b

SHA1
795ae00af89164004ae8babcafefbf51bdf90d31

SHA256
f75bfb429d76191557ff8e615229c19d1a19175b4eb5b92279cd537eba8da808

SHA512
847bc5e7cf3b7b047593beb517d13a45f6f6b37ce9b211df122095a3b68569cf0bc6f9bc43dab207fa0de0f82dca203613ee98036c2e79461a960d047198016d

Download Submit
C:\Windows\{8E845C3A-80F5-44c0-9F95-6B2EE17D4A1B}.exe

Filesize
408KB

MD5
e8821d16e52399ed2bd9814b38600869

SHA1
a5baa7ddf28ffcb5f9c6d8e8cb2dc0151e0d7d69

SHA256
7ef6c38510ce369093b177a1d449232847e0755b15dde30fcdf9b55979107940

SHA512
a4674aafb8c7e998c01f3bfcfb2e5a4d92b21bf3946ccd804d63ee466a9e1478bc9b5a388b3b1164b92b4525ff5380f669a27a9727971948e31cff7524d232fa

Download Submit
C:\Windows\{93A61E6C-16E2-4463-9033-E3FE8ED84C85}.exe

Filesize
408KB

MD5
cb4a765daa31bc4a9b74272d8d1d5cf9

SHA1
06d0afb32afdccd0b4d65543e34cd9a33d4578fc

SHA256
ba75e0c0851a7e1f6a273e23b100c8ca12e0542ee1fd85c9a3d7b29cc8184a48

SHA512
65b55da0d5a269f0d7899fee9d14d458844d41549e70fc6acdf93896aada5e516b77edf4065e923f26238e0b67ec51c44ec9f546d9815e8e147cf2a346e601b4

Download Submit
C:\Windows\{9C838243-7DA6-4f2e-AB02-60F9A63D6F42}.exe

Filesize
408KB

MD5
2b8950ad16be2b3d26899ccdde8b8a7e

SHA1
eca0323c714870c9f827ec67132c0a69a08436d5

SHA256
c6d8a2b0fb833e096aa3f0fbfefce21e218938dcb0b1c93fa73b09be45880264

SHA512
81f4156a2e5dd02f585b5bcb9c80b240cc7bf7486725307d8d518df5ebcfc8c9740afba120cd2d443c0b8979dfbd4e6b1a459d59fd881aa81c8c21526eeb1040

Download Submit
C:\Windows\{C7D65577-A74D-4662-B67F-2A40EE1BC412}.exe

Filesize
408KB

MD5
ae0fb8119508895256b1122c3696fd56

SHA1
9dbe9fd73ab0276ab87ad77583ea492a64c1d587

SHA256
9c4552796b2bd04569e7c9738c4a6fba47f9d040518e11c671d10a4fa9c47b56

SHA512
bb7d4a1045a39670987aada94917199a93f53fc94ef2839d3159c7ac2d3d944d3020013cf2724ee121d4b59e5dc5a18c302202c8545e66c2269ca3b71110329a

Download Submit
C:\Windows\{E109BF6F-7A29-4b3e-8D41-9899B73B4366}.exe

Filesize
408KB

MD5
3870e047b2c23994b1d01a650fee0702

SHA1
89fe84e775975568930118a07f87973051e31f07

SHA256
d1e19fe3e6e29f23b5790d47062b4cf05b8724d9063d7753cadc09af25e8b954

SHA512
73a48b02723f85591ef5cf3d72d2643ee2f13bd0b2951304ab71e7028efd761dd7998df48ee8bea6cd3bf7f3dd8a7b8c3c7cb5b41474ad583be6f836a657cc93

Download Submit
C:\Windows\{EDBD0575-DDFB-4e05-9414-B6EAA5444619}.exe

Filesize
408KB

MD5
9862e0d95a61148960ec8c6e3559cb1e

SHA1
80756a941a4308ea96bf6a99924c6f170d4a993f

SHA256
c3d636b5e67209c6b032e054bc618d1132693443f3dcb2b1f25340cbf06c5a33

SHA512
ec9225f10989c1c75b52c5720d2f136c56f9dac90f5bc002c221c17dc2eb606a0ce59b632191b78fd2ee0c746a9c45398fb6f7751aaf83cfe843098324db7d51

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads