4004dc82dab14b273b8234556c7786482a4e4702045cce3eafa3b3befd5cf31e

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
26-04-2024 19:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-26_3d9887811fde67e9f59b564f07e0d419_goldeneye.exe
Size

408KB
MD5

3d9887811fde67e9f59b564f07e0d419
SHA1

3142be4b863c77fe4e9d8614f3cf3b1eb4f16e99
SHA256

4004dc82dab14b273b8234556c7786482a4e4702045cce3eafa3b3befd5cf31e
SHA512

30f67050a0377c43eb7d5710f1944eb38b72057bb444c2cb134fde540814a971523547dbe1eebb8586c626fccb370601831016b2640613c875778de45bf4afd7
SSDEEP

3072:CEGh0oRl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBft:CEGbldOe2MUVg3vTeKcAEciTBqr3jy9

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000c00000001470b-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0032000000014e5a-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d00000001470b-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0032000000015023-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e00000001470b-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f00000001470b-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001000000001470b-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9C35D464-BFB8-463f-B196-66172E0422F9}\stubpath = "C:\\Windows\\{9C35D464-BFB8-463f-B196-66172E0422F9}.exe"	{52E7FDB0-CA0D-4bab-A4FE-681ECFF369CC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{69B56F7A-E21E-4b5c-930A-3AD42D3DD157}\stubpath = "C:\\Windows\\{69B56F7A-E21E-4b5c-930A-3AD42D3DD157}.exe"	{9E771AF0-BEA0-474e-A0D6-250680B37C5E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{373A81B5-9B57-44ba-8868-77B0002E4E0E}\stubpath = "C:\\Windows\\{373A81B5-9B57-44ba-8868-77B0002E4E0E}.exe"	{69B56F7A-E21E-4b5c-930A-3AD42D3DD157}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AD3C0CC8-C3A4-4359-BA51-50C0921F048B}\stubpath = "C:\\Windows\\{AD3C0CC8-C3A4-4359-BA51-50C0921F048B}.exe"	{ABCF32EB-1307-44f2-AD54-5786EFC780B4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7BB47CE3-0139-4f2a-B03E-3ECE3B46C1D9}\stubpath = "C:\\Windows\\{7BB47CE3-0139-4f2a-B03E-3ECE3B46C1D9}.exe"	{AD3C0CC8-C3A4-4359-BA51-50C0921F048B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0F6901CA-6E25-449e-A868-0341BA15BD6A}	{7BB47CE3-0139-4f2a-B03E-3ECE3B46C1D9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{52E7FDB0-CA0D-4bab-A4FE-681ECFF369CC}\stubpath = "C:\\Windows\\{52E7FDB0-CA0D-4bab-A4FE-681ECFF369CC}.exe"	2024-04-26_3d9887811fde67e9f59b564f07e0d419_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4E96935E-7853-41cd-A5DF-88DCA5EA057A}	{1A1E5E99-E7F4-4112-9A3D-912B43B47129}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4E96935E-7853-41cd-A5DF-88DCA5EA057A}\stubpath = "C:\\Windows\\{4E96935E-7853-41cd-A5DF-88DCA5EA057A}.exe"	{1A1E5E99-E7F4-4112-9A3D-912B43B47129}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9E771AF0-BEA0-474e-A0D6-250680B37C5E}\stubpath = "C:\\Windows\\{9E771AF0-BEA0-474e-A0D6-250680B37C5E}.exe"	{4E96935E-7853-41cd-A5DF-88DCA5EA057A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{69B56F7A-E21E-4b5c-930A-3AD42D3DD157}	{9E771AF0-BEA0-474e-A0D6-250680B37C5E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1A1E5E99-E7F4-4112-9A3D-912B43B47129}	{9C35D464-BFB8-463f-B196-66172E0422F9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1A1E5E99-E7F4-4112-9A3D-912B43B47129}\stubpath = "C:\\Windows\\{1A1E5E99-E7F4-4112-9A3D-912B43B47129}.exe"	{9C35D464-BFB8-463f-B196-66172E0422F9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9E771AF0-BEA0-474e-A0D6-250680B37C5E}	{4E96935E-7853-41cd-A5DF-88DCA5EA057A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{373A81B5-9B57-44ba-8868-77B0002E4E0E}	{69B56F7A-E21E-4b5c-930A-3AD42D3DD157}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ABCF32EB-1307-44f2-AD54-5786EFC780B4}	{373A81B5-9B57-44ba-8868-77B0002E4E0E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ABCF32EB-1307-44f2-AD54-5786EFC780B4}\stubpath = "C:\\Windows\\{ABCF32EB-1307-44f2-AD54-5786EFC780B4}.exe"	{373A81B5-9B57-44ba-8868-77B0002E4E0E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7BB47CE3-0139-4f2a-B03E-3ECE3B46C1D9}	{AD3C0CC8-C3A4-4359-BA51-50C0921F048B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0F6901CA-6E25-449e-A868-0341BA15BD6A}\stubpath = "C:\\Windows\\{0F6901CA-6E25-449e-A868-0341BA15BD6A}.exe"	{7BB47CE3-0139-4f2a-B03E-3ECE3B46C1D9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{52E7FDB0-CA0D-4bab-A4FE-681ECFF369CC}	2024-04-26_3d9887811fde67e9f59b564f07e0d419_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9C35D464-BFB8-463f-B196-66172E0422F9}	{52E7FDB0-CA0D-4bab-A4FE-681ECFF369CC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AD3C0CC8-C3A4-4359-BA51-50C0921F048B}	{ABCF32EB-1307-44f2-AD54-5786EFC780B4}.exe

Deletes itself 1 IoCs

pid	Process
2532	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2128	{52E7FDB0-CA0D-4bab-A4FE-681ECFF369CC}.exe
2704	{9C35D464-BFB8-463f-B196-66172E0422F9}.exe
2680	{1A1E5E99-E7F4-4112-9A3D-912B43B47129}.exe
1580	{4E96935E-7853-41cd-A5DF-88DCA5EA057A}.exe
2848	{9E771AF0-BEA0-474e-A0D6-250680B37C5E}.exe
1664	{69B56F7A-E21E-4b5c-930A-3AD42D3DD157}.exe
1636	{373A81B5-9B57-44ba-8868-77B0002E4E0E}.exe
1492	{ABCF32EB-1307-44f2-AD54-5786EFC780B4}.exe
1248	{AD3C0CC8-C3A4-4359-BA51-50C0921F048B}.exe
2024	{7BB47CE3-0139-4f2a-B03E-3ECE3B46C1D9}.exe
2792	{0F6901CA-6E25-449e-A868-0341BA15BD6A}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{52E7FDB0-CA0D-4bab-A4FE-681ECFF369CC}.exe	2024-04-26_3d9887811fde67e9f59b564f07e0d419_goldeneye.exe
File created	C:\Windows\{373A81B5-9B57-44ba-8868-77B0002E4E0E}.exe	{69B56F7A-E21E-4b5c-930A-3AD42D3DD157}.exe
File created	C:\Windows\{ABCF32EB-1307-44f2-AD54-5786EFC780B4}.exe	{373A81B5-9B57-44ba-8868-77B0002E4E0E}.exe
File created	C:\Windows\{AD3C0CC8-C3A4-4359-BA51-50C0921F048B}.exe	{ABCF32EB-1307-44f2-AD54-5786EFC780B4}.exe
File created	C:\Windows\{7BB47CE3-0139-4f2a-B03E-3ECE3B46C1D9}.exe	{AD3C0CC8-C3A4-4359-BA51-50C0921F048B}.exe
File created	C:\Windows\{0F6901CA-6E25-449e-A868-0341BA15BD6A}.exe	{7BB47CE3-0139-4f2a-B03E-3ECE3B46C1D9}.exe
File created	C:\Windows\{9C35D464-BFB8-463f-B196-66172E0422F9}.exe	{52E7FDB0-CA0D-4bab-A4FE-681ECFF369CC}.exe
File created	C:\Windows\{1A1E5E99-E7F4-4112-9A3D-912B43B47129}.exe	{9C35D464-BFB8-463f-B196-66172E0422F9}.exe
File created	C:\Windows\{4E96935E-7853-41cd-A5DF-88DCA5EA057A}.exe	{1A1E5E99-E7F4-4112-9A3D-912B43B47129}.exe
File created	C:\Windows\{9E771AF0-BEA0-474e-A0D6-250680B37C5E}.exe	{4E96935E-7853-41cd-A5DF-88DCA5EA057A}.exe
File created	C:\Windows\{69B56F7A-E21E-4b5c-930A-3AD42D3DD157}.exe	{9E771AF0-BEA0-474e-A0D6-250680B37C5E}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2292	2024-04-26_3d9887811fde67e9f59b564f07e0d419_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2128	{52E7FDB0-CA0D-4bab-A4FE-681ECFF369CC}.exe
Token: SeIncBasePriorityPrivilege	2704	{9C35D464-BFB8-463f-B196-66172E0422F9}.exe
Token: SeIncBasePriorityPrivilege	2680	{1A1E5E99-E7F4-4112-9A3D-912B43B47129}.exe
Token: SeIncBasePriorityPrivilege	1580	{4E96935E-7853-41cd-A5DF-88DCA5EA057A}.exe
Token: SeIncBasePriorityPrivilege	2848	{9E771AF0-BEA0-474e-A0D6-250680B37C5E}.exe
Token: SeIncBasePriorityPrivilege	1664	{69B56F7A-E21E-4b5c-930A-3AD42D3DD157}.exe
Token: SeIncBasePriorityPrivilege	1636	{373A81B5-9B57-44ba-8868-77B0002E4E0E}.exe
Token: SeIncBasePriorityPrivilege	1492	{ABCF32EB-1307-44f2-AD54-5786EFC780B4}.exe
Token: SeIncBasePriorityPrivilege	1248	{AD3C0CC8-C3A4-4359-BA51-50C0921F048B}.exe
Token: SeIncBasePriorityPrivilege	2024	{7BB47CE3-0139-4f2a-B03E-3ECE3B46C1D9}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2292 wrote to memory of 2128	2292	2024-04-26_3d9887811fde67e9f59b564f07e0d419_goldeneye.exe	28
PID 2292 wrote to memory of 2128	2292	2024-04-26_3d9887811fde67e9f59b564f07e0d419_goldeneye.exe	28
PID 2292 wrote to memory of 2128	2292	2024-04-26_3d9887811fde67e9f59b564f07e0d419_goldeneye.exe	28
PID 2292 wrote to memory of 2128	2292	2024-04-26_3d9887811fde67e9f59b564f07e0d419_goldeneye.exe	28
PID 2292 wrote to memory of 2532	2292	2024-04-26_3d9887811fde67e9f59b564f07e0d419_goldeneye.exe	29
PID 2292 wrote to memory of 2532	2292	2024-04-26_3d9887811fde67e9f59b564f07e0d419_goldeneye.exe	29
PID 2292 wrote to memory of 2532	2292	2024-04-26_3d9887811fde67e9f59b564f07e0d419_goldeneye.exe	29
PID 2292 wrote to memory of 2532	2292	2024-04-26_3d9887811fde67e9f59b564f07e0d419_goldeneye.exe	29
PID 2128 wrote to memory of 2704	2128	{52E7FDB0-CA0D-4bab-A4FE-681ECFF369CC}.exe	30
PID 2128 wrote to memory of 2704	2128	{52E7FDB0-CA0D-4bab-A4FE-681ECFF369CC}.exe	30
PID 2128 wrote to memory of 2704	2128	{52E7FDB0-CA0D-4bab-A4FE-681ECFF369CC}.exe	30
PID 2128 wrote to memory of 2704	2128	{52E7FDB0-CA0D-4bab-A4FE-681ECFF369CC}.exe	30
PID 2128 wrote to memory of 2604	2128	{52E7FDB0-CA0D-4bab-A4FE-681ECFF369CC}.exe	31
PID 2128 wrote to memory of 2604	2128	{52E7FDB0-CA0D-4bab-A4FE-681ECFF369CC}.exe	31
PID 2128 wrote to memory of 2604	2128	{52E7FDB0-CA0D-4bab-A4FE-681ECFF369CC}.exe	31
PID 2128 wrote to memory of 2604	2128	{52E7FDB0-CA0D-4bab-A4FE-681ECFF369CC}.exe	31
PID 2704 wrote to memory of 2680	2704	{9C35D464-BFB8-463f-B196-66172E0422F9}.exe	32
PID 2704 wrote to memory of 2680	2704	{9C35D464-BFB8-463f-B196-66172E0422F9}.exe	32
PID 2704 wrote to memory of 2680	2704	{9C35D464-BFB8-463f-B196-66172E0422F9}.exe	32
PID 2704 wrote to memory of 2680	2704	{9C35D464-BFB8-463f-B196-66172E0422F9}.exe	32
PID 2704 wrote to memory of 2556	2704	{9C35D464-BFB8-463f-B196-66172E0422F9}.exe	33
PID 2704 wrote to memory of 2556	2704	{9C35D464-BFB8-463f-B196-66172E0422F9}.exe	33
PID 2704 wrote to memory of 2556	2704	{9C35D464-BFB8-463f-B196-66172E0422F9}.exe	33
PID 2704 wrote to memory of 2556	2704	{9C35D464-BFB8-463f-B196-66172E0422F9}.exe	33
PID 2680 wrote to memory of 1580	2680	{1A1E5E99-E7F4-4112-9A3D-912B43B47129}.exe	36
PID 2680 wrote to memory of 1580	2680	{1A1E5E99-E7F4-4112-9A3D-912B43B47129}.exe	36
PID 2680 wrote to memory of 1580	2680	{1A1E5E99-E7F4-4112-9A3D-912B43B47129}.exe	36
PID 2680 wrote to memory of 1580	2680	{1A1E5E99-E7F4-4112-9A3D-912B43B47129}.exe	36
PID 2680 wrote to memory of 2644	2680	{1A1E5E99-E7F4-4112-9A3D-912B43B47129}.exe	37
PID 2680 wrote to memory of 2644	2680	{1A1E5E99-E7F4-4112-9A3D-912B43B47129}.exe	37
PID 2680 wrote to memory of 2644	2680	{1A1E5E99-E7F4-4112-9A3D-912B43B47129}.exe	37
PID 2680 wrote to memory of 2644	2680	{1A1E5E99-E7F4-4112-9A3D-912B43B47129}.exe	37
PID 1580 wrote to memory of 2848	1580	{4E96935E-7853-41cd-A5DF-88DCA5EA057A}.exe	38
PID 1580 wrote to memory of 2848	1580	{4E96935E-7853-41cd-A5DF-88DCA5EA057A}.exe	38
PID 1580 wrote to memory of 2848	1580	{4E96935E-7853-41cd-A5DF-88DCA5EA057A}.exe	38
PID 1580 wrote to memory of 2848	1580	{4E96935E-7853-41cd-A5DF-88DCA5EA057A}.exe	38
PID 1580 wrote to memory of 1588	1580	{4E96935E-7853-41cd-A5DF-88DCA5EA057A}.exe	39
PID 1580 wrote to memory of 1588	1580	{4E96935E-7853-41cd-A5DF-88DCA5EA057A}.exe	39
PID 1580 wrote to memory of 1588	1580	{4E96935E-7853-41cd-A5DF-88DCA5EA057A}.exe	39
PID 1580 wrote to memory of 1588	1580	{4E96935E-7853-41cd-A5DF-88DCA5EA057A}.exe	39
PID 2848 wrote to memory of 1664	2848	{9E771AF0-BEA0-474e-A0D6-250680B37C5E}.exe	40
PID 2848 wrote to memory of 1664	2848	{9E771AF0-BEA0-474e-A0D6-250680B37C5E}.exe	40
PID 2848 wrote to memory of 1664	2848	{9E771AF0-BEA0-474e-A0D6-250680B37C5E}.exe	40
PID 2848 wrote to memory of 1664	2848	{9E771AF0-BEA0-474e-A0D6-250680B37C5E}.exe	40
PID 2848 wrote to memory of 1728	2848	{9E771AF0-BEA0-474e-A0D6-250680B37C5E}.exe	41
PID 2848 wrote to memory of 1728	2848	{9E771AF0-BEA0-474e-A0D6-250680B37C5E}.exe	41
PID 2848 wrote to memory of 1728	2848	{9E771AF0-BEA0-474e-A0D6-250680B37C5E}.exe	41
PID 2848 wrote to memory of 1728	2848	{9E771AF0-BEA0-474e-A0D6-250680B37C5E}.exe	41
PID 1664 wrote to memory of 1636	1664	{69B56F7A-E21E-4b5c-930A-3AD42D3DD157}.exe	42
PID 1664 wrote to memory of 1636	1664	{69B56F7A-E21E-4b5c-930A-3AD42D3DD157}.exe	42
PID 1664 wrote to memory of 1636	1664	{69B56F7A-E21E-4b5c-930A-3AD42D3DD157}.exe	42
PID 1664 wrote to memory of 1636	1664	{69B56F7A-E21E-4b5c-930A-3AD42D3DD157}.exe	42
PID 1664 wrote to memory of 2640	1664	{69B56F7A-E21E-4b5c-930A-3AD42D3DD157}.exe	43
PID 1664 wrote to memory of 2640	1664	{69B56F7A-E21E-4b5c-930A-3AD42D3DD157}.exe	43
PID 1664 wrote to memory of 2640	1664	{69B56F7A-E21E-4b5c-930A-3AD42D3DD157}.exe	43
PID 1664 wrote to memory of 2640	1664	{69B56F7A-E21E-4b5c-930A-3AD42D3DD157}.exe	43
PID 1636 wrote to memory of 1492	1636	{373A81B5-9B57-44ba-8868-77B0002E4E0E}.exe	44
PID 1636 wrote to memory of 1492	1636	{373A81B5-9B57-44ba-8868-77B0002E4E0E}.exe	44
PID 1636 wrote to memory of 1492	1636	{373A81B5-9B57-44ba-8868-77B0002E4E0E}.exe	44
PID 1636 wrote to memory of 1492	1636	{373A81B5-9B57-44ba-8868-77B0002E4E0E}.exe	44
PID 1636 wrote to memory of 1608	1636	{373A81B5-9B57-44ba-8868-77B0002E4E0E}.exe	45
PID 1636 wrote to memory of 1608	1636	{373A81B5-9B57-44ba-8868-77B0002E4E0E}.exe	45
PID 1636 wrote to memory of 1608	1636	{373A81B5-9B57-44ba-8868-77B0002E4E0E}.exe	45
PID 1636 wrote to memory of 1608	1636	{373A81B5-9B57-44ba-8868-77B0002E4E0E}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-04-26_3d9887811fde67e9f59b564f07e0d419_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-26_3d9887811fde67e9f59b564f07e0d419_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2292
- C:\Windows\{52E7FDB0-CA0D-4bab-A4FE-681ECFF369CC}.exe
  C:\Windows\{52E7FDB0-CA0D-4bab-A4FE-681ECFF369CC}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2128
- - C:\Windows\{9C35D464-BFB8-463f-B196-66172E0422F9}.exe
    C:\Windows\{9C35D464-BFB8-463f-B196-66172E0422F9}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2704
  - - C:\Windows\{1A1E5E99-E7F4-4112-9A3D-912B43B47129}.exe
      C:\Windows\{1A1E5E99-E7F4-4112-9A3D-912B43B47129}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2680
    - - C:\Windows\{4E96935E-7853-41cd-A5DF-88DCA5EA057A}.exe
        
        C:\Windows\{4E96935E-7853-41cd-A5DF-88DCA5EA057A}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1580
      - C:\Windows\{9E771AF0-BEA0-474e-A0D6-250680B37C5E}.exe
        
        C:\Windows\{9E771AF0-BEA0-474e-A0D6-250680B37C5E}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2848
        
        C:\Windows\{69B56F7A-E21E-4b5c-930A-3AD42D3DD157}.exe
        
        C:\Windows\{69B56F7A-E21E-4b5c-930A-3AD42D3DD157}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1664
        
        C:\Windows\{373A81B5-9B57-44ba-8868-77B0002E4E0E}.exe
        
        C:\Windows\{373A81B5-9B57-44ba-8868-77B0002E4E0E}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1636
        
        C:\Windows\{ABCF32EB-1307-44f2-AD54-5786EFC780B4}.exe
        
        C:\Windows\{ABCF32EB-1307-44f2-AD54-5786EFC780B4}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1492
        
        C:\Windows\{AD3C0CC8-C3A4-4359-BA51-50C0921F048B}.exe
        
        C:\Windows\{AD3C0CC8-C3A4-4359-BA51-50C0921F048B}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1248
        
        C:\Windows\{7BB47CE3-0139-4f2a-B03E-3ECE3B46C1D9}.exe
        
        C:\Windows\{7BB47CE3-0139-4f2a-B03E-3ECE3B46C1D9}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2024
        
        C:\Windows\{0F6901CA-6E25-449e-A868-0341BA15BD6A}.exe
        
        C:\Windows\{0F6901CA-6E25-449e-A868-0341BA15BD6A}.exe
        12⤵
        Executes dropped EXE
        
        PID:2792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7BB47~1.EXE > nul
        12⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AD3C0~1.EXE > nul
        11⤵
        
        PID:384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{ABCF3~1.EXE > nul
        10⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{373A8~1.EXE > nul
        9⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{69B56~1.EXE > nul
        8⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9E771~1.EXE > nul
        7⤵
        
        PID:1728
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4E969~1.EXE > nul
        6⤵
        
        PID:1588
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1A1E5~1.EXE > nul
        5⤵
        
        PID:2644
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{9C35D~1.EXE > nul
      4⤵
      PID:2556
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{52E7F~1.EXE > nul
    3⤵
    PID:2604
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0F6901CA-6E25-449e-A868-0341BA15BD6A}.exe

Filesize
408KB

MD5
beb7c896fd86ce6b6eed979f180f7786

SHA1
9fc990a90edec3cf350a3ac883e458512d9249d6

SHA256
fea8cd69cf37b5dde751ae4e4e8443974ee507aaa88e7b48be140a2b46271be7

SHA512
071e6b00bdc4b4c6dc94c4c69df8c0af45eee3fb6541c03a330b36bf218674e2741cc9fcd7f79e2800a885d16c21bcf265ae7a68ab4c94d36a57b10c688a4684

Download Submit
C:\Windows\{1A1E5E99-E7F4-4112-9A3D-912B43B47129}.exe

Filesize
408KB

MD5
48ef2730d2dec57445451019cb07de86

SHA1
34e8ec0bd266408f4aa773d350810884713bc087

SHA256
4cdd65db3e6f864009f1ae1f92f470155392167389821b6a25d9ff52d0d72f17

SHA512
d5d2e739e2c03c9110cc69d386b09d7df18545d4f674e938c36009deae803f70072e05d1bfe325ec70263981ad4df0ebe33cd8eb74baca8766bdc86620987589

Download Submit
C:\Windows\{373A81B5-9B57-44ba-8868-77B0002E4E0E}.exe

Filesize
408KB

MD5
65a04f736a73cdc50a2a99f37969c7bb

SHA1
13d273e898006cade0f6cae10bdabf5ee795f9ba

SHA256
5a221fab0058f0997c5c3eecf2a5a3f35b7c2abe04f9e40b7ed974272e4dc07a

SHA512
337447dd382ec24d99810ebbfd39b8159c1c973e1670d4ab998d51f19912841e8d850e56f43593eb49c8369c804057dff76aea9f158f2e535484837e2ca43a4d

Download Submit
C:\Windows\{4E96935E-7853-41cd-A5DF-88DCA5EA057A}.exe

Filesize
408KB

MD5
d2a24dc944156ce5123f2c04e6553691

SHA1
7d43210a47bb4ff04e5a3aafdc1f54b6b4c9e354

SHA256
71a51ac728423de6cff545c37ae76a0e0ca1538a6dbf8040d449d96c2da4bf56

SHA512
2784a9277b88572ad7804a6e2b632ce4de11b97cc19446e51fed3aac5bda331e1fa8cc925501fd0db38a0ea98966c1fe0830ffeb3c0c8936b3b41cb779598341

Download Submit
C:\Windows\{52E7FDB0-CA0D-4bab-A4FE-681ECFF369CC}.exe

Filesize
408KB

MD5
2ebd563d35de3cb52f51bfe412a77837

SHA1
12e24486b2648ba162b4119535cc761bca7b579d

SHA256
43eb52e34a04ad6ed8204c00885f693bc159313398ae02259671a3780ff7038c

SHA512
525348294f86952cb864629f9a9419135b149ac14a981dfbf01904017d5c805df09b4401f3088af8a971e1c6db3896e5feadb3ee72c158e127a8b6612c4ab68d

Download Submit
C:\Windows\{69B56F7A-E21E-4b5c-930A-3AD42D3DD157}.exe

Filesize
408KB

MD5
54cafbc2b5bea8bbc9d8c55c4d771ffc

SHA1
d9685244f5b652bb5d3d78a6558641bf6b2ecff1

SHA256
23a6a8663714ac9fc10915319d17a07dc537948800fb8aed4b1dd55a845b9c1e

SHA512
b9dc271642670ea0d8534b92f7463340a921e9dfe1a175e86af0a50214ac2c9d6f241710a0c591021f30d5258f06aa33e9a966ef3eae4667e56ec2353bb8f298

Download Submit
C:\Windows\{7BB47CE3-0139-4f2a-B03E-3ECE3B46C1D9}.exe

Filesize
408KB

MD5
9f7e25d7c29f9218cd6565bef8ff4822

SHA1
0b07e3beaedf5ff94dac72506ee9998a8341c326

SHA256
1d9dbc86b00df237c08c639db6fe661428e321d06c65413bf89729855a3621a5

SHA512
5f613f60c7fbff8e8c2d68ad4ea51a522069d73544c8b2c62b656c8769abcd3f5179dae460a1800c91787c586509fc9d43bb8de27b09947d648574237903b1bc

Download Submit
C:\Windows\{9C35D464-BFB8-463f-B196-66172E0422F9}.exe

Filesize
408KB

MD5
186e7f9b507a0f267c326c880a167078

SHA1
145296c52513cde0114eaa3754b132467d6232c2

SHA256
c893a34197922c5e17335e301798da340c6aec1738922f02c7af11caf8856cd6

SHA512
653ce9f572f6d2332d5f7fa226c4c1d0aed785c7bdbc187ba4a6c5991ffb2f0b01d74414cb7ebf5b74fc13998a362bd633cfe9ad84a6d06bd0308d4232f8e209

Download Submit
C:\Windows\{9E771AF0-BEA0-474e-A0D6-250680B37C5E}.exe

Filesize
408KB

MD5
277b30f5f0a4115710e765e14b847204

SHA1
b3c4a16eefb63d90cb47b788419e2952fe3414cd

SHA256
8f5d32c3255e2a49ba252fe3ab4c052b725e02256363d2f913379b8328d9f0c4

SHA512
f1a89155fb9a144f551d54da4d9d8579905696b1f8516624026d73445b4492f36a96bf9d0f6eb8cb08e8104213485244712b5bea553976f2977a1d2341f043ed

Download Submit
C:\Windows\{ABCF32EB-1307-44f2-AD54-5786EFC780B4}.exe

Filesize
408KB

MD5
497ce1ca5195dc9a11e320c830eb1b55

SHA1
8ce07da6dec6828679c38e51721891b6bbd89971

SHA256
a1c426756a0b0f483f27c23e628cc2da2bf57f8bd2ec6a798ad3d464de8de701

SHA512
2d88d5dc9318c2fde3092933e49b39645f62d73fbcee12929598e6cf5c4f471b392702e1daa70bd1425873a6d95554989561297f36772300cf04a80a8ca2554c

Download Submit
C:\Windows\{AD3C0CC8-C3A4-4359-BA51-50C0921F048B}.exe

Filesize
408KB

MD5
339de83b3f6f00b4ddcc075883fbe4ce

SHA1
ad24af1f045f37d105b19c9ea5ed8d6ba93b4131

SHA256
f281acd50fa6f3b6f9458282bd86ec78e60cf7e0a2a840bb16a58d0592d559e0

SHA512
477fec69ae233323afb007c5108a40729c07e6d4d09573bb086316d353a404fa99ea7cb24781cebbc6cc52352f3e299662ff2655e18726d2ddb8ce3368d75174

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads