d123adee4fb8542703a07c71c3f6c1b211a157ad2e21d2164ab988f753cece03

Analysis

max time kernel
144s
max time network
120s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
20/05/2024, 01:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-20_ba35306ca555582e0af9679beb877cae_goldeneye.exe
Size

344KB
MD5

ba35306ca555582e0af9679beb877cae
SHA1

dc8e44ee00412be9474eb6bdbb4b45d8c96d4cf3
SHA256

d123adee4fb8542703a07c71c3f6c1b211a157ad2e21d2164ab988f753cece03
SHA512

2da0b38d6c361983f35d4de553bf3db3331b3ffbaf3b73d25ca098de94522ab7a81105e96eb26d440303742083bd5a6b2c6a83671dea3fa4623d8203392a869e
SSDEEP

3072:mEGh0oLlEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGFlqOe2MUVg3v2IneKcAEcA

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000c00000001228a-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0037000000015c9b-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d00000001228a-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0038000000015ca9-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e00000001228a-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f00000001228a-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001000000001228a-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{77FA6CC4-2BA9-422c-A4D3-119DA85009FD}\stubpath = "C:\\Windows\\{77FA6CC4-2BA9-422c-A4D3-119DA85009FD}.exe"	{08003F40-A78D-408d-B5C6-EBA358C1470A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{311D5B6F-E8D6-43e6-A357-C97FCCF07BD5}	{A1C7595B-B11A-4c82-94A8-7A790FB7F0ED}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{52FEC49E-5788-44eb-AF4A-93E6B0C6CF95}\stubpath = "C:\\Windows\\{52FEC49E-5788-44eb-AF4A-93E6B0C6CF95}.exe"	{4EC602CC-FA1C-4dde-A6AC-C72D8CBE1264}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{926D35E9-D2C9-463b-BE40-185C37C7A874}\stubpath = "C:\\Windows\\{926D35E9-D2C9-463b-BE40-185C37C7A874}.exe"	{52FEC49E-5788-44eb-AF4A-93E6B0C6CF95}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{366E96AE-7285-43f3-A380-CA8C4B1280AD}	{590FB56C-4F03-427e-9674-722C57BA6E82}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{366E96AE-7285-43f3-A380-CA8C4B1280AD}\stubpath = "C:\\Windows\\{366E96AE-7285-43f3-A380-CA8C4B1280AD}.exe"	{590FB56C-4F03-427e-9674-722C57BA6E82}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7915C3E0-2D2A-4c9d-9512-9454BCBAF749}	2024-05-20_ba35306ca555582e0af9679beb877cae_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{08003F40-A78D-408d-B5C6-EBA358C1470A}\stubpath = "C:\\Windows\\{08003F40-A78D-408d-B5C6-EBA358C1470A}.exe"	{7915C3E0-2D2A-4c9d-9512-9454BCBAF749}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{926D35E9-D2C9-463b-BE40-185C37C7A874}	{52FEC49E-5788-44eb-AF4A-93E6B0C6CF95}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{590FB56C-4F03-427e-9674-722C57BA6E82}	{926D35E9-D2C9-463b-BE40-185C37C7A874}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{77FA6CC4-2BA9-422c-A4D3-119DA85009FD}	{08003F40-A78D-408d-B5C6-EBA358C1470A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4E3B58C4-94E0-46ab-9057-996B9010E04A}\stubpath = "C:\\Windows\\{4E3B58C4-94E0-46ab-9057-996B9010E04A}.exe"	{311D5B6F-E8D6-43e6-A357-C97FCCF07BD5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{52FEC49E-5788-44eb-AF4A-93E6B0C6CF95}	{4EC602CC-FA1C-4dde-A6AC-C72D8CBE1264}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{590FB56C-4F03-427e-9674-722C57BA6E82}\stubpath = "C:\\Windows\\{590FB56C-4F03-427e-9674-722C57BA6E82}.exe"	{926D35E9-D2C9-463b-BE40-185C37C7A874}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A1C7595B-B11A-4c82-94A8-7A790FB7F0ED}	{77FA6CC4-2BA9-422c-A4D3-119DA85009FD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4EC602CC-FA1C-4dde-A6AC-C72D8CBE1264}	{4E3B58C4-94E0-46ab-9057-996B9010E04A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A1C7595B-B11A-4c82-94A8-7A790FB7F0ED}\stubpath = "C:\\Windows\\{A1C7595B-B11A-4c82-94A8-7A790FB7F0ED}.exe"	{77FA6CC4-2BA9-422c-A4D3-119DA85009FD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{311D5B6F-E8D6-43e6-A357-C97FCCF07BD5}\stubpath = "C:\\Windows\\{311D5B6F-E8D6-43e6-A357-C97FCCF07BD5}.exe"	{A1C7595B-B11A-4c82-94A8-7A790FB7F0ED}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4E3B58C4-94E0-46ab-9057-996B9010E04A}	{311D5B6F-E8D6-43e6-A357-C97FCCF07BD5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4EC602CC-FA1C-4dde-A6AC-C72D8CBE1264}\stubpath = "C:\\Windows\\{4EC602CC-FA1C-4dde-A6AC-C72D8CBE1264}.exe"	{4E3B58C4-94E0-46ab-9057-996B9010E04A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7915C3E0-2D2A-4c9d-9512-9454BCBAF749}\stubpath = "C:\\Windows\\{7915C3E0-2D2A-4c9d-9512-9454BCBAF749}.exe"	2024-05-20_ba35306ca555582e0af9679beb877cae_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{08003F40-A78D-408d-B5C6-EBA358C1470A}	{7915C3E0-2D2A-4c9d-9512-9454BCBAF749}.exe

Deletes itself 1 IoCs

pid	Process
2556	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2992	{7915C3E0-2D2A-4c9d-9512-9454BCBAF749}.exe
2744	{08003F40-A78D-408d-B5C6-EBA358C1470A}.exe
2496	{77FA6CC4-2BA9-422c-A4D3-119DA85009FD}.exe
2908	{A1C7595B-B11A-4c82-94A8-7A790FB7F0ED}.exe
1348	{311D5B6F-E8D6-43e6-A357-C97FCCF07BD5}.exe
1856	{4E3B58C4-94E0-46ab-9057-996B9010E04A}.exe
1216	{4EC602CC-FA1C-4dde-A6AC-C72D8CBE1264}.exe
2156	{52FEC49E-5788-44eb-AF4A-93E6B0C6CF95}.exe
2552	{926D35E9-D2C9-463b-BE40-185C37C7A874}.exe
2216	{590FB56C-4F03-427e-9674-722C57BA6E82}.exe
1560	{366E96AE-7285-43f3-A380-CA8C4B1280AD}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{52FEC49E-5788-44eb-AF4A-93E6B0C6CF95}.exe	{4EC602CC-FA1C-4dde-A6AC-C72D8CBE1264}.exe
File created	C:\Windows\{590FB56C-4F03-427e-9674-722C57BA6E82}.exe	{926D35E9-D2C9-463b-BE40-185C37C7A874}.exe
File created	C:\Windows\{08003F40-A78D-408d-B5C6-EBA358C1470A}.exe	{7915C3E0-2D2A-4c9d-9512-9454BCBAF749}.exe
File created	C:\Windows\{A1C7595B-B11A-4c82-94A8-7A790FB7F0ED}.exe	{77FA6CC4-2BA9-422c-A4D3-119DA85009FD}.exe
File created	C:\Windows\{4E3B58C4-94E0-46ab-9057-996B9010E04A}.exe	{311D5B6F-E8D6-43e6-A357-C97FCCF07BD5}.exe
File created	C:\Windows\{4EC602CC-FA1C-4dde-A6AC-C72D8CBE1264}.exe	{4E3B58C4-94E0-46ab-9057-996B9010E04A}.exe
File created	C:\Windows\{926D35E9-D2C9-463b-BE40-185C37C7A874}.exe	{52FEC49E-5788-44eb-AF4A-93E6B0C6CF95}.exe
File created	C:\Windows\{366E96AE-7285-43f3-A380-CA8C4B1280AD}.exe	{590FB56C-4F03-427e-9674-722C57BA6E82}.exe
File created	C:\Windows\{7915C3E0-2D2A-4c9d-9512-9454BCBAF749}.exe	2024-05-20_ba35306ca555582e0af9679beb877cae_goldeneye.exe
File created	C:\Windows\{77FA6CC4-2BA9-422c-A4D3-119DA85009FD}.exe	{08003F40-A78D-408d-B5C6-EBA358C1470A}.exe
File created	C:\Windows\{311D5B6F-E8D6-43e6-A357-C97FCCF07BD5}.exe	{A1C7595B-B11A-4c82-94A8-7A790FB7F0ED}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2300	2024-05-20_ba35306ca555582e0af9679beb877cae_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2992	{7915C3E0-2D2A-4c9d-9512-9454BCBAF749}.exe
Token: SeIncBasePriorityPrivilege	2744	{08003F40-A78D-408d-B5C6-EBA358C1470A}.exe
Token: SeIncBasePriorityPrivilege	2496	{77FA6CC4-2BA9-422c-A4D3-119DA85009FD}.exe
Token: SeIncBasePriorityPrivilege	2908	{A1C7595B-B11A-4c82-94A8-7A790FB7F0ED}.exe
Token: SeIncBasePriorityPrivilege	1348	{311D5B6F-E8D6-43e6-A357-C97FCCF07BD5}.exe
Token: SeIncBasePriorityPrivilege	1856	{4E3B58C4-94E0-46ab-9057-996B9010E04A}.exe
Token: SeIncBasePriorityPrivilege	1216	{4EC602CC-FA1C-4dde-A6AC-C72D8CBE1264}.exe
Token: SeIncBasePriorityPrivilege	2156	{52FEC49E-5788-44eb-AF4A-93E6B0C6CF95}.exe
Token: SeIncBasePriorityPrivilege	2552	{926D35E9-D2C9-463b-BE40-185C37C7A874}.exe
Token: SeIncBasePriorityPrivilege	2216	{590FB56C-4F03-427e-9674-722C57BA6E82}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2300 wrote to memory of 2992	2300	2024-05-20_ba35306ca555582e0af9679beb877cae_goldeneye.exe	28
PID 2300 wrote to memory of 2992	2300	2024-05-20_ba35306ca555582e0af9679beb877cae_goldeneye.exe	28
PID 2300 wrote to memory of 2992	2300	2024-05-20_ba35306ca555582e0af9679beb877cae_goldeneye.exe	28
PID 2300 wrote to memory of 2992	2300	2024-05-20_ba35306ca555582e0af9679beb877cae_goldeneye.exe	28
PID 2300 wrote to memory of 2556	2300	2024-05-20_ba35306ca555582e0af9679beb877cae_goldeneye.exe	29
PID 2300 wrote to memory of 2556	2300	2024-05-20_ba35306ca555582e0af9679beb877cae_goldeneye.exe	29
PID 2300 wrote to memory of 2556	2300	2024-05-20_ba35306ca555582e0af9679beb877cae_goldeneye.exe	29
PID 2300 wrote to memory of 2556	2300	2024-05-20_ba35306ca555582e0af9679beb877cae_goldeneye.exe	29
PID 2992 wrote to memory of 2744	2992	{7915C3E0-2D2A-4c9d-9512-9454BCBAF749}.exe	30
PID 2992 wrote to memory of 2744	2992	{7915C3E0-2D2A-4c9d-9512-9454BCBAF749}.exe	30
PID 2992 wrote to memory of 2744	2992	{7915C3E0-2D2A-4c9d-9512-9454BCBAF749}.exe	30
PID 2992 wrote to memory of 2744	2992	{7915C3E0-2D2A-4c9d-9512-9454BCBAF749}.exe	30
PID 2992 wrote to memory of 2604	2992	{7915C3E0-2D2A-4c9d-9512-9454BCBAF749}.exe	31
PID 2992 wrote to memory of 2604	2992	{7915C3E0-2D2A-4c9d-9512-9454BCBAF749}.exe	31
PID 2992 wrote to memory of 2604	2992	{7915C3E0-2D2A-4c9d-9512-9454BCBAF749}.exe	31
PID 2992 wrote to memory of 2604	2992	{7915C3E0-2D2A-4c9d-9512-9454BCBAF749}.exe	31
PID 2744 wrote to memory of 2496	2744	{08003F40-A78D-408d-B5C6-EBA358C1470A}.exe	32
PID 2744 wrote to memory of 2496	2744	{08003F40-A78D-408d-B5C6-EBA358C1470A}.exe	32
PID 2744 wrote to memory of 2496	2744	{08003F40-A78D-408d-B5C6-EBA358C1470A}.exe	32
PID 2744 wrote to memory of 2496	2744	{08003F40-A78D-408d-B5C6-EBA358C1470A}.exe	32
PID 2744 wrote to memory of 2484	2744	{08003F40-A78D-408d-B5C6-EBA358C1470A}.exe	33
PID 2744 wrote to memory of 2484	2744	{08003F40-A78D-408d-B5C6-EBA358C1470A}.exe	33
PID 2744 wrote to memory of 2484	2744	{08003F40-A78D-408d-B5C6-EBA358C1470A}.exe	33
PID 2744 wrote to memory of 2484	2744	{08003F40-A78D-408d-B5C6-EBA358C1470A}.exe	33
PID 2496 wrote to memory of 2908	2496	{77FA6CC4-2BA9-422c-A4D3-119DA85009FD}.exe	36
PID 2496 wrote to memory of 2908	2496	{77FA6CC4-2BA9-422c-A4D3-119DA85009FD}.exe	36
PID 2496 wrote to memory of 2908	2496	{77FA6CC4-2BA9-422c-A4D3-119DA85009FD}.exe	36
PID 2496 wrote to memory of 2908	2496	{77FA6CC4-2BA9-422c-A4D3-119DA85009FD}.exe	36
PID 2496 wrote to memory of 2356	2496	{77FA6CC4-2BA9-422c-A4D3-119DA85009FD}.exe	37
PID 2496 wrote to memory of 2356	2496	{77FA6CC4-2BA9-422c-A4D3-119DA85009FD}.exe	37
PID 2496 wrote to memory of 2356	2496	{77FA6CC4-2BA9-422c-A4D3-119DA85009FD}.exe	37
PID 2496 wrote to memory of 2356	2496	{77FA6CC4-2BA9-422c-A4D3-119DA85009FD}.exe	37
PID 2908 wrote to memory of 1348	2908	{A1C7595B-B11A-4c82-94A8-7A790FB7F0ED}.exe	38
PID 2908 wrote to memory of 1348	2908	{A1C7595B-B11A-4c82-94A8-7A790FB7F0ED}.exe	38
PID 2908 wrote to memory of 1348	2908	{A1C7595B-B11A-4c82-94A8-7A790FB7F0ED}.exe	38
PID 2908 wrote to memory of 1348	2908	{A1C7595B-B11A-4c82-94A8-7A790FB7F0ED}.exe	38
PID 2908 wrote to memory of 2532	2908	{A1C7595B-B11A-4c82-94A8-7A790FB7F0ED}.exe	39
PID 2908 wrote to memory of 2532	2908	{A1C7595B-B11A-4c82-94A8-7A790FB7F0ED}.exe	39
PID 2908 wrote to memory of 2532	2908	{A1C7595B-B11A-4c82-94A8-7A790FB7F0ED}.exe	39
PID 2908 wrote to memory of 2532	2908	{A1C7595B-B11A-4c82-94A8-7A790FB7F0ED}.exe	39
PID 1348 wrote to memory of 1856	1348	{311D5B6F-E8D6-43e6-A357-C97FCCF07BD5}.exe	40
PID 1348 wrote to memory of 1856	1348	{311D5B6F-E8D6-43e6-A357-C97FCCF07BD5}.exe	40
PID 1348 wrote to memory of 1856	1348	{311D5B6F-E8D6-43e6-A357-C97FCCF07BD5}.exe	40
PID 1348 wrote to memory of 1856	1348	{311D5B6F-E8D6-43e6-A357-C97FCCF07BD5}.exe	40
PID 1348 wrote to memory of 2420	1348	{311D5B6F-E8D6-43e6-A357-C97FCCF07BD5}.exe	41
PID 1348 wrote to memory of 2420	1348	{311D5B6F-E8D6-43e6-A357-C97FCCF07BD5}.exe	41
PID 1348 wrote to memory of 2420	1348	{311D5B6F-E8D6-43e6-A357-C97FCCF07BD5}.exe	41
PID 1348 wrote to memory of 2420	1348	{311D5B6F-E8D6-43e6-A357-C97FCCF07BD5}.exe	41
PID 1856 wrote to memory of 1216	1856	{4E3B58C4-94E0-46ab-9057-996B9010E04A}.exe	42
PID 1856 wrote to memory of 1216	1856	{4E3B58C4-94E0-46ab-9057-996B9010E04A}.exe	42
PID 1856 wrote to memory of 1216	1856	{4E3B58C4-94E0-46ab-9057-996B9010E04A}.exe	42
PID 1856 wrote to memory of 1216	1856	{4E3B58C4-94E0-46ab-9057-996B9010E04A}.exe	42
PID 1856 wrote to memory of 1872	1856	{4E3B58C4-94E0-46ab-9057-996B9010E04A}.exe	43
PID 1856 wrote to memory of 1872	1856	{4E3B58C4-94E0-46ab-9057-996B9010E04A}.exe	43
PID 1856 wrote to memory of 1872	1856	{4E3B58C4-94E0-46ab-9057-996B9010E04A}.exe	43
PID 1856 wrote to memory of 1872	1856	{4E3B58C4-94E0-46ab-9057-996B9010E04A}.exe	43
PID 1216 wrote to memory of 2156	1216	{4EC602CC-FA1C-4dde-A6AC-C72D8CBE1264}.exe	44
PID 1216 wrote to memory of 2156	1216	{4EC602CC-FA1C-4dde-A6AC-C72D8CBE1264}.exe	44
PID 1216 wrote to memory of 2156	1216	{4EC602CC-FA1C-4dde-A6AC-C72D8CBE1264}.exe	44
PID 1216 wrote to memory of 2156	1216	{4EC602CC-FA1C-4dde-A6AC-C72D8CBE1264}.exe	44
PID 1216 wrote to memory of 1428	1216	{4EC602CC-FA1C-4dde-A6AC-C72D8CBE1264}.exe	45
PID 1216 wrote to memory of 1428	1216	{4EC602CC-FA1C-4dde-A6AC-C72D8CBE1264}.exe	45
PID 1216 wrote to memory of 1428	1216	{4EC602CC-FA1C-4dde-A6AC-C72D8CBE1264}.exe	45
PID 1216 wrote to memory of 1428	1216	{4EC602CC-FA1C-4dde-A6AC-C72D8CBE1264}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-05-20_ba35306ca555582e0af9679beb877cae_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-20_ba35306ca555582e0af9679beb877cae_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2300
- C:\Windows\{7915C3E0-2D2A-4c9d-9512-9454BCBAF749}.exe
  C:\Windows\{7915C3E0-2D2A-4c9d-9512-9454BCBAF749}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2992
- - C:\Windows\{08003F40-A78D-408d-B5C6-EBA358C1470A}.exe
    C:\Windows\{08003F40-A78D-408d-B5C6-EBA358C1470A}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2744
  - - C:\Windows\{77FA6CC4-2BA9-422c-A4D3-119DA85009FD}.exe
      C:\Windows\{77FA6CC4-2BA9-422c-A4D3-119DA85009FD}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2496
    - - C:\Windows\{A1C7595B-B11A-4c82-94A8-7A790FB7F0ED}.exe
        
        C:\Windows\{A1C7595B-B11A-4c82-94A8-7A790FB7F0ED}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2908
      - C:\Windows\{311D5B6F-E8D6-43e6-A357-C97FCCF07BD5}.exe
        
        C:\Windows\{311D5B6F-E8D6-43e6-A357-C97FCCF07BD5}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1348
        
        C:\Windows\{4E3B58C4-94E0-46ab-9057-996B9010E04A}.exe
        
        C:\Windows\{4E3B58C4-94E0-46ab-9057-996B9010E04A}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1856
        
        C:\Windows\{4EC602CC-FA1C-4dde-A6AC-C72D8CBE1264}.exe
        
        C:\Windows\{4EC602CC-FA1C-4dde-A6AC-C72D8CBE1264}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1216
        
        C:\Windows\{52FEC49E-5788-44eb-AF4A-93E6B0C6CF95}.exe
        
        C:\Windows\{52FEC49E-5788-44eb-AF4A-93E6B0C6CF95}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2156
        
        C:\Windows\{926D35E9-D2C9-463b-BE40-185C37C7A874}.exe
        
        C:\Windows\{926D35E9-D2C9-463b-BE40-185C37C7A874}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2552
        
        C:\Windows\{590FB56C-4F03-427e-9674-722C57BA6E82}.exe
        
        C:\Windows\{590FB56C-4F03-427e-9674-722C57BA6E82}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2216
        
        C:\Windows\{366E96AE-7285-43f3-A380-CA8C4B1280AD}.exe
        
        C:\Windows\{366E96AE-7285-43f3-A380-CA8C4B1280AD}.exe
        12⤵
        Executes dropped EXE
        
        PID:1560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{590FB~1.EXE > nul
        12⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{926D3~1.EXE > nul
        11⤵
        
        PID:840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{52FEC~1.EXE > nul
        10⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4EC60~1.EXE > nul
        9⤵
        
        PID:1428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4E3B5~1.EXE > nul
        8⤵
        
        PID:1872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{311D5~1.EXE > nul
        7⤵
        
        PID:2420
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A1C75~1.EXE > nul
        6⤵
        
        PID:2532
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{77FA6~1.EXE > nul
        5⤵
        
        PID:2356
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{08003~1.EXE > nul
      4⤵
      PID:2484
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{7915C~1.EXE > nul
    3⤵
    PID:2604
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{08003F40-A78D-408d-B5C6-EBA358C1470A}.exe

Filesize
344KB

MD5
d6f81b1e0096ba66d92e809e861dfa31

SHA1
7ecc3afcb5c8a53bb293bac03a20f064af00933e

SHA256
7feb93fbc31f6ad3764eb69a3ad9aa1086ba5b6caf002b0a6704e04ee8941a5b

SHA512
24886153b1bff3cbfefa4a7c9c3e6d2b28e1251e474653812741ce05f8af900349a3e110284ecc2ee604d712cfba3a430a9676bc855bdfb0c0987ec9b93de6d8

Download Submit
C:\Windows\{311D5B6F-E8D6-43e6-A357-C97FCCF07BD5}.exe

Filesize
344KB

MD5
98bdebbffde16d3ce132d2fa8085d9c1

SHA1
834b791d6d4f434df9af2b5d2165e8aa3060cf7c

SHA256
4b7b6b39404376b074efbc27ab01da9109dd6e9847e33f968254a1e1741e493f

SHA512
a0f8d1078411709c9f446a1738144158514e73fd9e12550be01b95dd4459317668483e9b9db154eee5a56c22680d26b8553323a4b0408893d85d2e7da1afa222

Download Submit
C:\Windows\{366E96AE-7285-43f3-A380-CA8C4B1280AD}.exe

Filesize
344KB

MD5
7636f65f98b22dafaf13f8b13ae33604

SHA1
48577fd01852c0318aefe3e2c1dca9a05e5b0a41

SHA256
86c69a83996e0abcb85b15077493bbdb6da2226316fbc2bab2b50e6f011fd226

SHA512
10c9c3140b1e381e77264ada093313b492352e52797973f4646b3d0e3fce37b52d3a3027a2da30149844e24ed7b65e98e419c5991247a748e31af7a3e37aeaee

Download Submit
C:\Windows\{4E3B58C4-94E0-46ab-9057-996B9010E04A}.exe

Filesize
344KB

MD5
62416e47688a70321a65cfbd10eb70de

SHA1
38ecd0cebbf7a60c0bcedd096a229105306503e6

SHA256
51e6910b5e8c03730282c02aca331564e636c2176fe080b33a81427287ee768d

SHA512
81c0844fd2cb30cf6b9d9256a4aa7f2bf1b1c7cf242edeab37065883c42b6a082838e84a6c54a150d826fabf861fdbbf065ad29e3eeedc159f3f72d089cfbf4a

Download Submit
C:\Windows\{4EC602CC-FA1C-4dde-A6AC-C72D8CBE1264}.exe

Filesize
344KB

MD5
c645f476cb22a3d988cb8d581371989c

SHA1
6d6829806ede550c2bc97e424b3227b5d44fab4c

SHA256
7dccb156cf5324ff22009d9607c592b5e44d786bebf03f5bf76ffee163bdae8d

SHA512
71b52c40d0620974dd256ea86135c5b8f12b7bc7a057379904ccae5450ce195f15a56b9e275410c845911543987ec5cbc5b68a9578e1fa89bb3a9cf21b047430

Download Submit
C:\Windows\{52FEC49E-5788-44eb-AF4A-93E6B0C6CF95}.exe

Filesize
344KB

MD5
b7478e1ec654a26e34f53fb1dacfbb99

SHA1
206f27efdb3c885b6c382d9ac4eadc2225d3aed6

SHA256
054a0a41340345e0a374bc9be5febdcfbd54f335663dfd28e20926db0ff4349b

SHA512
51357e638d08f3f9efdde3eb5e8071e7f55f8d5b6f6f75bb83bbe09c2c8a4f1410efa4226223368150611f9119d0d571cc70a6580e348af36233bc03a8a4018f

Download Submit
C:\Windows\{590FB56C-4F03-427e-9674-722C57BA6E82}.exe

Filesize
344KB

MD5
8e002b0eca4facd238b9fe9b57859a60

SHA1
d1c8abc060100d7f800d2f0942ba7f3d7f8395f5

SHA256
bf7bb05c7c39f65057235d0a63c370aa83099a68d9e8030f18a885907e6b2fe6

SHA512
ce8db2e7e3748a2a91d54b455fb493bda479f9cdc9df2709238bfb8a804c239c2f90263d3babf20c5d2e1e34a1b86fe1bb6b27760fc89772cccdba8b690079f0

Download Submit
C:\Windows\{77FA6CC4-2BA9-422c-A4D3-119DA85009FD}.exe

Filesize
344KB

MD5
4b194fdba25c9c9aeca3fea6d04a56ca

SHA1
696fcecc51fa4ff1352327fe46ab50342a7c876d

SHA256
47e7e3d3d7f7009de455963201011fe856ff9daf12c58a13473aeb9306cbb9c1

SHA512
97d2d6b34ba0cc00df5138e42816fe60cbef87a62b32ad22ce6695a20f2ac904a342279f7f06ad2d388b60344c6ca95a661db9dfa2fd323d516c72e9b9014e6c

Download Submit
C:\Windows\{7915C3E0-2D2A-4c9d-9512-9454BCBAF749}.exe

Filesize
344KB

MD5
9022333677ad002a7317c7b3c72c540a

SHA1
20490019ee8980411bb37cab32689cfad3bcccd1

SHA256
4bbaaa37a4171e1196b5a2fffc7bb60297152a51b27496dceb16b8246c44f51d

SHA512
09cd425c99af80a09b4395561fa20f087c233a137cf522b24e3719f6fca0ba589be9633149ba2e1db09bba5ee1b891da689eb75eb60495042b0efe5b2623495c

Download Submit
C:\Windows\{926D35E9-D2C9-463b-BE40-185C37C7A874}.exe

Filesize
344KB

MD5
801b94d9682faa2dddde3463b1f01c42

SHA1
4d82c0a54728d3378d123efb4e275dffddd1b323

SHA256
5b9fffff6f469cea801de783d5b5ba3a6eb19e49b6dec0932f9463269c51a5de

SHA512
1063972e8920b6f28d4925baee2cfaa79297179f79d592a34ccd45c72ec62b9bda4d780e8ef90d4562259d54952c90832212c5419ab667080fccc041cb143620

Download Submit
C:\Windows\{A1C7595B-B11A-4c82-94A8-7A790FB7F0ED}.exe

Filesize
344KB

MD5
5c69b6e32e545310c0cc732db78bda1f

SHA1
b0baeeb2349b15f43cf0afb93f19e07e7ce58c65

SHA256
8df089495e03995d9c46cc543940c3be8960603877d28f7a2044e1a2316de44e

SHA512
e3c204b0eb1c93eca7805ebf218f8e9aff93b65e2edbf11143d7d05b51c0519a871e86c24a674d3e8a747853fc67718b5fd94ef33d3ffe8dfbe1cb4de5cd58ca

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads