9b024334379e699787aa9aa2e30da03f7b1c2d2a5be77f740ee2771eaaf56e34

Analysis

max time kernel
144s
max time network
121s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
29/04/2024, 20:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-29_d31e57d544baf0ba8710f0189b7ef119_goldeneye.exe
Size

344KB
MD5

d31e57d544baf0ba8710f0189b7ef119
SHA1

edb0408897673736fa8d3a2abc67ea2f0658b1e4
SHA256

9b024334379e699787aa9aa2e30da03f7b1c2d2a5be77f740ee2771eaaf56e34
SHA512

30453a207fd3448fc1bbd94360a41bef4cb27ca54572af0bb3a73a47abf4ad36e6f65fa778f93dab3c10c5021aa75cd7c863c3501bf995af93c1998873c3e45e
SSDEEP

3072:mEGh0o5lEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGflqOe2MUVg3v2IneKcAEcA

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000d00000001230f-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x003900000001233a-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e00000001230f-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x003a00000001233a-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x003b00000001233a-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x003c00000001233a-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x003d00000001233a-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7FFA37A0-6C78-43aa-8592-AFEC746B1066}\stubpath = "C:\\Windows\\{7FFA37A0-6C78-43aa-8592-AFEC746B1066}.exe"	{5228CA41-7047-419e-BAAF-7C9FE6F2E332}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F2CC9965-4E0D-409b-88B8-FC1931BB4E2F}\stubpath = "C:\\Windows\\{F2CC9965-4E0D-409b-88B8-FC1931BB4E2F}.exe"	{7FFA37A0-6C78-43aa-8592-AFEC746B1066}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3CB32AB0-7DD4-44d0-AC35-80BFD4E129BA}\stubpath = "C:\\Windows\\{3CB32AB0-7DD4-44d0-AC35-80BFD4E129BA}.exe"	{60D5CDA3-0040-49e3-91C5-7EA43291141F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9400A6EA-D515-4e17-90D5-DF6457B8696A}\stubpath = "C:\\Windows\\{9400A6EA-D515-4e17-90D5-DF6457B8696A}.exe"	{CECF495B-BBFF-4c47-B91B-ED54AAA1C5D5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FD99B16C-6182-4ff8-A370-FB121E27B872}	{53889010-EEFC-4f3e-BC11-12BD404C249E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7FFA37A0-6C78-43aa-8592-AFEC746B1066}	{5228CA41-7047-419e-BAAF-7C9FE6F2E332}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{60D5CDA3-0040-49e3-91C5-7EA43291141F}	{F2CC9965-4E0D-409b-88B8-FC1931BB4E2F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3CB32AB0-7DD4-44d0-AC35-80BFD4E129BA}	{60D5CDA3-0040-49e3-91C5-7EA43291141F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9400A6EA-D515-4e17-90D5-DF6457B8696A}	{CECF495B-BBFF-4c47-B91B-ED54AAA1C5D5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4D57D68B-8C23-4654-A96C-B560C9A7B4C2}\stubpath = "C:\\Windows\\{4D57D68B-8C23-4654-A96C-B560C9A7B4C2}.exe"	{9400A6EA-D515-4e17-90D5-DF6457B8696A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{53889010-EEFC-4f3e-BC11-12BD404C249E}\stubpath = "C:\\Windows\\{53889010-EEFC-4f3e-BC11-12BD404C249E}.exe"	{38AADEF1-52E6-48aa-A2B4-9D9A855C1D7F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FD99B16C-6182-4ff8-A370-FB121E27B872}\stubpath = "C:\\Windows\\{FD99B16C-6182-4ff8-A370-FB121E27B872}.exe"	{53889010-EEFC-4f3e-BC11-12BD404C249E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{60D5CDA3-0040-49e3-91C5-7EA43291141F}\stubpath = "C:\\Windows\\{60D5CDA3-0040-49e3-91C5-7EA43291141F}.exe"	{F2CC9965-4E0D-409b-88B8-FC1931BB4E2F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CECF495B-BBFF-4c47-B91B-ED54AAA1C5D5}	{3CB32AB0-7DD4-44d0-AC35-80BFD4E129BA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{38AADEF1-52E6-48aa-A2B4-9D9A855C1D7F}	{4D57D68B-8C23-4654-A96C-B560C9A7B4C2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{38AADEF1-52E6-48aa-A2B4-9D9A855C1D7F}\stubpath = "C:\\Windows\\{38AADEF1-52E6-48aa-A2B4-9D9A855C1D7F}.exe"	{4D57D68B-8C23-4654-A96C-B560C9A7B4C2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{53889010-EEFC-4f3e-BC11-12BD404C249E}	{38AADEF1-52E6-48aa-A2B4-9D9A855C1D7F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5228CA41-7047-419e-BAAF-7C9FE6F2E332}	2024-04-29_d31e57d544baf0ba8710f0189b7ef119_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5228CA41-7047-419e-BAAF-7C9FE6F2E332}\stubpath = "C:\\Windows\\{5228CA41-7047-419e-BAAF-7C9FE6F2E332}.exe"	2024-04-29_d31e57d544baf0ba8710f0189b7ef119_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F2CC9965-4E0D-409b-88B8-FC1931BB4E2F}	{7FFA37A0-6C78-43aa-8592-AFEC746B1066}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CECF495B-BBFF-4c47-B91B-ED54AAA1C5D5}\stubpath = "C:\\Windows\\{CECF495B-BBFF-4c47-B91B-ED54AAA1C5D5}.exe"	{3CB32AB0-7DD4-44d0-AC35-80BFD4E129BA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4D57D68B-8C23-4654-A96C-B560C9A7B4C2}	{9400A6EA-D515-4e17-90D5-DF6457B8696A}.exe

Deletes itself 1 IoCs

pid	Process
3040	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2872	{5228CA41-7047-419e-BAAF-7C9FE6F2E332}.exe
2196	{7FFA37A0-6C78-43aa-8592-AFEC746B1066}.exe
2292	{F2CC9965-4E0D-409b-88B8-FC1931BB4E2F}.exe
2424	{60D5CDA3-0040-49e3-91C5-7EA43291141F}.exe
2612	{3CB32AB0-7DD4-44d0-AC35-80BFD4E129BA}.exe
292	{CECF495B-BBFF-4c47-B91B-ED54AAA1C5D5}.exe
1552	{9400A6EA-D515-4e17-90D5-DF6457B8696A}.exe
2032	{4D57D68B-8C23-4654-A96C-B560C9A7B4C2}.exe
2764	{38AADEF1-52E6-48aa-A2B4-9D9A855C1D7F}.exe
2904	{53889010-EEFC-4f3e-BC11-12BD404C249E}.exe
1404	{FD99B16C-6182-4ff8-A370-FB121E27B872}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{4D57D68B-8C23-4654-A96C-B560C9A7B4C2}.exe	{9400A6EA-D515-4e17-90D5-DF6457B8696A}.exe
File created	C:\Windows\{38AADEF1-52E6-48aa-A2B4-9D9A855C1D7F}.exe	{4D57D68B-8C23-4654-A96C-B560C9A7B4C2}.exe
File created	C:\Windows\{7FFA37A0-6C78-43aa-8592-AFEC746B1066}.exe	{5228CA41-7047-419e-BAAF-7C9FE6F2E332}.exe
File created	C:\Windows\{60D5CDA3-0040-49e3-91C5-7EA43291141F}.exe	{F2CC9965-4E0D-409b-88B8-FC1931BB4E2F}.exe
File created	C:\Windows\{CECF495B-BBFF-4c47-B91B-ED54AAA1C5D5}.exe	{3CB32AB0-7DD4-44d0-AC35-80BFD4E129BA}.exe
File created	C:\Windows\{9400A6EA-D515-4e17-90D5-DF6457B8696A}.exe	{CECF495B-BBFF-4c47-B91B-ED54AAA1C5D5}.exe
File created	C:\Windows\{53889010-EEFC-4f3e-BC11-12BD404C249E}.exe	{38AADEF1-52E6-48aa-A2B4-9D9A855C1D7F}.exe
File created	C:\Windows\{FD99B16C-6182-4ff8-A370-FB121E27B872}.exe	{53889010-EEFC-4f3e-BC11-12BD404C249E}.exe
File created	C:\Windows\{5228CA41-7047-419e-BAAF-7C9FE6F2E332}.exe	2024-04-29_d31e57d544baf0ba8710f0189b7ef119_goldeneye.exe
File created	C:\Windows\{F2CC9965-4E0D-409b-88B8-FC1931BB4E2F}.exe	{7FFA37A0-6C78-43aa-8592-AFEC746B1066}.exe
File created	C:\Windows\{3CB32AB0-7DD4-44d0-AC35-80BFD4E129BA}.exe	{60D5CDA3-0040-49e3-91C5-7EA43291141F}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2908	2024-04-29_d31e57d544baf0ba8710f0189b7ef119_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2872	{5228CA41-7047-419e-BAAF-7C9FE6F2E332}.exe
Token: SeIncBasePriorityPrivilege	2196	{7FFA37A0-6C78-43aa-8592-AFEC746B1066}.exe
Token: SeIncBasePriorityPrivilege	2292	{F2CC9965-4E0D-409b-88B8-FC1931BB4E2F}.exe
Token: SeIncBasePriorityPrivilege	2424	{60D5CDA3-0040-49e3-91C5-7EA43291141F}.exe
Token: SeIncBasePriorityPrivilege	2612	{3CB32AB0-7DD4-44d0-AC35-80BFD4E129BA}.exe
Token: SeIncBasePriorityPrivilege	292	{CECF495B-BBFF-4c47-B91B-ED54AAA1C5D5}.exe
Token: SeIncBasePriorityPrivilege	1552	{9400A6EA-D515-4e17-90D5-DF6457B8696A}.exe
Token: SeIncBasePriorityPrivilege	2032	{4D57D68B-8C23-4654-A96C-B560C9A7B4C2}.exe
Token: SeIncBasePriorityPrivilege	2764	{38AADEF1-52E6-48aa-A2B4-9D9A855C1D7F}.exe
Token: SeIncBasePriorityPrivilege	2904	{53889010-EEFC-4f3e-BC11-12BD404C249E}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2908 wrote to memory of 2872	2908	2024-04-29_d31e57d544baf0ba8710f0189b7ef119_goldeneye.exe	28
PID 2908 wrote to memory of 2872	2908	2024-04-29_d31e57d544baf0ba8710f0189b7ef119_goldeneye.exe	28
PID 2908 wrote to memory of 2872	2908	2024-04-29_d31e57d544baf0ba8710f0189b7ef119_goldeneye.exe	28
PID 2908 wrote to memory of 2872	2908	2024-04-29_d31e57d544baf0ba8710f0189b7ef119_goldeneye.exe	28
PID 2908 wrote to memory of 3040	2908	2024-04-29_d31e57d544baf0ba8710f0189b7ef119_goldeneye.exe	29
PID 2908 wrote to memory of 3040	2908	2024-04-29_d31e57d544baf0ba8710f0189b7ef119_goldeneye.exe	29
PID 2908 wrote to memory of 3040	2908	2024-04-29_d31e57d544baf0ba8710f0189b7ef119_goldeneye.exe	29
PID 2908 wrote to memory of 3040	2908	2024-04-29_d31e57d544baf0ba8710f0189b7ef119_goldeneye.exe	29
PID 2872 wrote to memory of 2196	2872	{5228CA41-7047-419e-BAAF-7C9FE6F2E332}.exe	30
PID 2872 wrote to memory of 2196	2872	{5228CA41-7047-419e-BAAF-7C9FE6F2E332}.exe	30
PID 2872 wrote to memory of 2196	2872	{5228CA41-7047-419e-BAAF-7C9FE6F2E332}.exe	30
PID 2872 wrote to memory of 2196	2872	{5228CA41-7047-419e-BAAF-7C9FE6F2E332}.exe	30
PID 2872 wrote to memory of 2796	2872	{5228CA41-7047-419e-BAAF-7C9FE6F2E332}.exe	31
PID 2872 wrote to memory of 2796	2872	{5228CA41-7047-419e-BAAF-7C9FE6F2E332}.exe	31
PID 2872 wrote to memory of 2796	2872	{5228CA41-7047-419e-BAAF-7C9FE6F2E332}.exe	31
PID 2872 wrote to memory of 2796	2872	{5228CA41-7047-419e-BAAF-7C9FE6F2E332}.exe	31
PID 2196 wrote to memory of 2292	2196	{7FFA37A0-6C78-43aa-8592-AFEC746B1066}.exe	32
PID 2196 wrote to memory of 2292	2196	{7FFA37A0-6C78-43aa-8592-AFEC746B1066}.exe	32
PID 2196 wrote to memory of 2292	2196	{7FFA37A0-6C78-43aa-8592-AFEC746B1066}.exe	32
PID 2196 wrote to memory of 2292	2196	{7FFA37A0-6C78-43aa-8592-AFEC746B1066}.exe	32
PID 2196 wrote to memory of 2668	2196	{7FFA37A0-6C78-43aa-8592-AFEC746B1066}.exe	33
PID 2196 wrote to memory of 2668	2196	{7FFA37A0-6C78-43aa-8592-AFEC746B1066}.exe	33
PID 2196 wrote to memory of 2668	2196	{7FFA37A0-6C78-43aa-8592-AFEC746B1066}.exe	33
PID 2196 wrote to memory of 2668	2196	{7FFA37A0-6C78-43aa-8592-AFEC746B1066}.exe	33
PID 2292 wrote to memory of 2424	2292	{F2CC9965-4E0D-409b-88B8-FC1931BB4E2F}.exe	34
PID 2292 wrote to memory of 2424	2292	{F2CC9965-4E0D-409b-88B8-FC1931BB4E2F}.exe	34
PID 2292 wrote to memory of 2424	2292	{F2CC9965-4E0D-409b-88B8-FC1931BB4E2F}.exe	34
PID 2292 wrote to memory of 2424	2292	{F2CC9965-4E0D-409b-88B8-FC1931BB4E2F}.exe	34
PID 2292 wrote to memory of 2880	2292	{F2CC9965-4E0D-409b-88B8-FC1931BB4E2F}.exe	35
PID 2292 wrote to memory of 2880	2292	{F2CC9965-4E0D-409b-88B8-FC1931BB4E2F}.exe	35
PID 2292 wrote to memory of 2880	2292	{F2CC9965-4E0D-409b-88B8-FC1931BB4E2F}.exe	35
PID 2292 wrote to memory of 2880	2292	{F2CC9965-4E0D-409b-88B8-FC1931BB4E2F}.exe	35
PID 2424 wrote to memory of 2612	2424	{60D5CDA3-0040-49e3-91C5-7EA43291141F}.exe	38
PID 2424 wrote to memory of 2612	2424	{60D5CDA3-0040-49e3-91C5-7EA43291141F}.exe	38
PID 2424 wrote to memory of 2612	2424	{60D5CDA3-0040-49e3-91C5-7EA43291141F}.exe	38
PID 2424 wrote to memory of 2612	2424	{60D5CDA3-0040-49e3-91C5-7EA43291141F}.exe	38
PID 2424 wrote to memory of 2716	2424	{60D5CDA3-0040-49e3-91C5-7EA43291141F}.exe	39
PID 2424 wrote to memory of 2716	2424	{60D5CDA3-0040-49e3-91C5-7EA43291141F}.exe	39
PID 2424 wrote to memory of 2716	2424	{60D5CDA3-0040-49e3-91C5-7EA43291141F}.exe	39
PID 2424 wrote to memory of 2716	2424	{60D5CDA3-0040-49e3-91C5-7EA43291141F}.exe	39
PID 2612 wrote to memory of 292	2612	{3CB32AB0-7DD4-44d0-AC35-80BFD4E129BA}.exe	40
PID 2612 wrote to memory of 292	2612	{3CB32AB0-7DD4-44d0-AC35-80BFD4E129BA}.exe	40
PID 2612 wrote to memory of 292	2612	{3CB32AB0-7DD4-44d0-AC35-80BFD4E129BA}.exe	40
PID 2612 wrote to memory of 292	2612	{3CB32AB0-7DD4-44d0-AC35-80BFD4E129BA}.exe	40
PID 2612 wrote to memory of 1588	2612	{3CB32AB0-7DD4-44d0-AC35-80BFD4E129BA}.exe	41
PID 2612 wrote to memory of 1588	2612	{3CB32AB0-7DD4-44d0-AC35-80BFD4E129BA}.exe	41
PID 2612 wrote to memory of 1588	2612	{3CB32AB0-7DD4-44d0-AC35-80BFD4E129BA}.exe	41
PID 2612 wrote to memory of 1588	2612	{3CB32AB0-7DD4-44d0-AC35-80BFD4E129BA}.exe	41
PID 292 wrote to memory of 1552	292	{CECF495B-BBFF-4c47-B91B-ED54AAA1C5D5}.exe	42
PID 292 wrote to memory of 1552	292	{CECF495B-BBFF-4c47-B91B-ED54AAA1C5D5}.exe	42
PID 292 wrote to memory of 1552	292	{CECF495B-BBFF-4c47-B91B-ED54AAA1C5D5}.exe	42
PID 292 wrote to memory of 1552	292	{CECF495B-BBFF-4c47-B91B-ED54AAA1C5D5}.exe	42
PID 292 wrote to memory of 1372	292	{CECF495B-BBFF-4c47-B91B-ED54AAA1C5D5}.exe	43
PID 292 wrote to memory of 1372	292	{CECF495B-BBFF-4c47-B91B-ED54AAA1C5D5}.exe	43
PID 292 wrote to memory of 1372	292	{CECF495B-BBFF-4c47-B91B-ED54AAA1C5D5}.exe	43
PID 292 wrote to memory of 1372	292	{CECF495B-BBFF-4c47-B91B-ED54AAA1C5D5}.exe	43
PID 1552 wrote to memory of 2032	1552	{9400A6EA-D515-4e17-90D5-DF6457B8696A}.exe	44
PID 1552 wrote to memory of 2032	1552	{9400A6EA-D515-4e17-90D5-DF6457B8696A}.exe	44
PID 1552 wrote to memory of 2032	1552	{9400A6EA-D515-4e17-90D5-DF6457B8696A}.exe	44
PID 1552 wrote to memory of 2032	1552	{9400A6EA-D515-4e17-90D5-DF6457B8696A}.exe	44
PID 1552 wrote to memory of 2732	1552	{9400A6EA-D515-4e17-90D5-DF6457B8696A}.exe	45
PID 1552 wrote to memory of 2732	1552	{9400A6EA-D515-4e17-90D5-DF6457B8696A}.exe	45
PID 1552 wrote to memory of 2732	1552	{9400A6EA-D515-4e17-90D5-DF6457B8696A}.exe	45
PID 1552 wrote to memory of 2732	1552	{9400A6EA-D515-4e17-90D5-DF6457B8696A}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-04-29_d31e57d544baf0ba8710f0189b7ef119_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-29_d31e57d544baf0ba8710f0189b7ef119_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2908
- C:\Windows\{5228CA41-7047-419e-BAAF-7C9FE6F2E332}.exe
  C:\Windows\{5228CA41-7047-419e-BAAF-7C9FE6F2E332}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2872
- - C:\Windows\{7FFA37A0-6C78-43aa-8592-AFEC746B1066}.exe
    C:\Windows\{7FFA37A0-6C78-43aa-8592-AFEC746B1066}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2196
  - - C:\Windows\{F2CC9965-4E0D-409b-88B8-FC1931BB4E2F}.exe
      C:\Windows\{F2CC9965-4E0D-409b-88B8-FC1931BB4E2F}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2292
    - - C:\Windows\{60D5CDA3-0040-49e3-91C5-7EA43291141F}.exe
        
        C:\Windows\{60D5CDA3-0040-49e3-91C5-7EA43291141F}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2424
      - C:\Windows\{3CB32AB0-7DD4-44d0-AC35-80BFD4E129BA}.exe
        
        C:\Windows\{3CB32AB0-7DD4-44d0-AC35-80BFD4E129BA}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2612
        
        C:\Windows\{CECF495B-BBFF-4c47-B91B-ED54AAA1C5D5}.exe
        
        C:\Windows\{CECF495B-BBFF-4c47-B91B-ED54AAA1C5D5}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:292
        
        C:\Windows\{9400A6EA-D515-4e17-90D5-DF6457B8696A}.exe
        
        C:\Windows\{9400A6EA-D515-4e17-90D5-DF6457B8696A}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1552
        
        C:\Windows\{4D57D68B-8C23-4654-A96C-B560C9A7B4C2}.exe
        
        C:\Windows\{4D57D68B-8C23-4654-A96C-B560C9A7B4C2}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2032
        
        C:\Windows\{38AADEF1-52E6-48aa-A2B4-9D9A855C1D7F}.exe
        
        C:\Windows\{38AADEF1-52E6-48aa-A2B4-9D9A855C1D7F}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2764
        
        C:\Windows\{53889010-EEFC-4f3e-BC11-12BD404C249E}.exe
        
        C:\Windows\{53889010-EEFC-4f3e-BC11-12BD404C249E}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2904
        
        C:\Windows\{FD99B16C-6182-4ff8-A370-FB121E27B872}.exe
        
        C:\Windows\{FD99B16C-6182-4ff8-A370-FB121E27B872}.exe
        12⤵
        Executes dropped EXE
        
        PID:1404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{53889~1.EXE > nul
        12⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{38AAD~1.EXE > nul
        11⤵
        
        PID:2332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4D57D~1.EXE > nul
        10⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9400A~1.EXE > nul
        9⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CECF4~1.EXE > nul
        8⤵
        
        PID:1372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3CB32~1.EXE > nul
        7⤵
        
        PID:1588
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{60D5C~1.EXE > nul
        6⤵
        
        PID:2716
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F2CC9~1.EXE > nul
        5⤵
        
        PID:2880
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{7FFA3~1.EXE > nul
      4⤵
      PID:2668
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{5228C~1.EXE > nul
    3⤵
    PID:2796
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:3040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{38AADEF1-52E6-48aa-A2B4-9D9A855C1D7F}.exe

Filesize
344KB

MD5
d36271e768716406e08052c54d2fc6e3

SHA1
3a738ff7882797a67c5ddaeec9ab349e9872a493

SHA256
8a00f7c1bb60ebb02054c4dcc5be2fbdf8f36919eb85ff7cec0016e74b776550

SHA512
c4da72d8e8011cdb96c74ce3c7e752f7d00632c8867d4244e18be8706a7e0a7cc45f9a69e02510a26d5792e1189d6ca5ca1d5bd4d271a9e2f9000df268e79598

Download Submit
C:\Windows\{3CB32AB0-7DD4-44d0-AC35-80BFD4E129BA}.exe

Filesize
344KB

MD5
aa9b8c4a60bd36869131165b2d8833e2

SHA1
6a2c484a32493b3a725e0dd02510c2fbe7f2eb2e

SHA256
ece6536e3906e30551924ca5f9dead55703fc0da4f4e4d21f02f9a176519212b

SHA512
9d80da051bd9fe65838cac4bcedd0f64ac7cd60b1f89e4c6ecbb47731735bbb0d4c3aa71a60b4f787d52147b6f8b9da1a64883c41851ecbfc366053f9d8dbaa7

Download Submit
C:\Windows\{4D57D68B-8C23-4654-A96C-B560C9A7B4C2}.exe

Filesize
344KB

MD5
c89f121921c68d11cdf5ac288a1810db

SHA1
64d0bee4ff05f3a0b39bec12b7196076ff4de2b6

SHA256
63bd043118ac6ad0f3d6a073203d4261ca76d562b44c0c834c9f6a4a15d6f376

SHA512
18a803f9da7c05bdf2e0a064bef1509e8a974e2a8662d2d7bbb609b1f08a203a039970edd3e77d5c90b19396e3351798ff56ff6a8698ff0e954025059d0ef525

Download Submit
C:\Windows\{5228CA41-7047-419e-BAAF-7C9FE6F2E332}.exe

Filesize
344KB

MD5
3a5ef617fb5796a401b377b3b6ff4586

SHA1
9296f74338c3f2b81038f2cd86f0d5ff5e016abf

SHA256
cbcbe3ebae316d8d9eb1598b79ca1b38d43985f757817e9f678d0b1a9af4f64a

SHA512
5b9080e65b739edb183d61c44ad0e1722ab6f9f393814608f5684abf64a031e6f89af4ee69dca5a69100f80dcc483afe1be3f598844296aa1573cb56cfe968de

Download Submit
C:\Windows\{53889010-EEFC-4f3e-BC11-12BD404C249E}.exe

Filesize
344KB

MD5
0ba634a57a5c1776e93b9bb09db668cb

SHA1
5b81ecf49edbf10b90c1c4b5893238a0acdf7e48

SHA256
b4809430ff63f3601297e6e7ae344aee7eb44e5215e082549bbbaa8896e5882f

SHA512
c6f529e4175a196e810c7f9b9ddabdf1c74fd2157ba3a1be3f5073475ebad9ba872443c959c57fbbadb5b5208c3164021215b132099be11ddccf1dca6ece1664

Download Submit
C:\Windows\{60D5CDA3-0040-49e3-91C5-7EA43291141F}.exe

Filesize
344KB

MD5
139d7b520ba0161d498d8c551a3c27a9

SHA1
ce99b70d0d199c3d5f4c5c50f7dde0ded8db07b5

SHA256
7f9e15de81c4cb5f7bfa54ad4385cca9e172507755ff2690569627d283555c27

SHA512
83dc97707cd962e5bc0d55bf09c00d35d88e1d36da249a412ea3f9603a5bb2cacfc8b76f008b64600d89ea641cf923402bcad309764481dc8a733b5ad3abc030

Download Submit
C:\Windows\{7FFA37A0-6C78-43aa-8592-AFEC746B1066}.exe

Filesize
344KB

MD5
0e2d1dcf86683ce715d48d4eb313b29c

SHA1
3b23a0cbbe5b04636e0d605669584b93dab4b50e

SHA256
aa8cbcf3e940a277712e0a817863b85d954ec9316ca65bc024fafe5a1ed24fa2

SHA512
c9a414de7b8e9c1f4080ad810db2df495df0bb1ba343c0127f756625ffa95c891a367c094ec5aaa41804349ab6e769827dba7e3e9eec665802dc70b1882e1f29

Download Submit
C:\Windows\{9400A6EA-D515-4e17-90D5-DF6457B8696A}.exe

Filesize
344KB

MD5
5a6eb03c61eabf77ec271554164b2f74

SHA1
883eea48b0031873b5a0dc20a4de174514fbbf0a

SHA256
bd262c417c57dad8425612b3a1b8280ae8ed771d00b01e515d33b4cae164c96c

SHA512
2f4a230919ad3ed040387ee4784ed78c297c647f842fc1700226e926ea385cddf59c229b2118106bfb3dc71c8925e96b6280842a4481f8a9ebe67c3e0584e9b4

Download Submit
C:\Windows\{CECF495B-BBFF-4c47-B91B-ED54AAA1C5D5}.exe

Filesize
344KB

MD5
8f5d2c4490468cb5b97c29dd77f425d8

SHA1
37bde5464733fd0ab667157a207d8ea5d5dd3cf1

SHA256
52db0c837e8c558a0cbbc6a21c1837f75c9f7a04cefcf4d65719806f9de7d441

SHA512
12f3d7999d14c92231ac4444e95e2361088f7def0fdbae39a594af595b04d15d4c0602544f5068dcef98dc6aecd287fd8e039ee69564269168bea4ea359e07a8

Download Submit
C:\Windows\{F2CC9965-4E0D-409b-88B8-FC1931BB4E2F}.exe

Filesize
344KB

MD5
f3cbb6fd5478c56b87a08f661427860d

SHA1
77edb2b6e81e5bf76488cb61130cd3b406d4151e

SHA256
4662cae16c742ef24dcf0e9b96e1c618b31b5b32e05a1970fb960d4363bad0c4

SHA512
69f79b3a00805be4ce319fa3124b6049007577fb85020015955febfc8012067a3277dc9f13641c8ba253d596fcad6105f35bda902864da715e683e36cfc29312

Download Submit
C:\Windows\{FD99B16C-6182-4ff8-A370-FB121E27B872}.exe

Filesize
344KB

MD5
7926141113fdd211bb6d915cbbec1125

SHA1
af1bc97010ebaa29f17363279efe30af0b1651d2

SHA256
c0fd5d89c838df0b4d2fa95da0cf087b065f5b634287e3797b043f3f9c28cd97

SHA512
668cae604fb5e7f954c4a3552ac60ed35e8a5e18f143a0059157c36d2b8071cb816b55b7d223a513d45393af54ea9ce75781b97b75e3739a06d5946b8e06d995

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads