bc2cc765f6874385e37e9addd967240261af5958098bc009cc9b3f9cdbeaa01f

Analysis

max time kernel
144s
max time network
120s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
21/05/2024, 02:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-21_1bc2052b82fd5e7f2fc0107ffd3f4ff6_goldeneye.exe
Size

204KB
MD5

1bc2052b82fd5e7f2fc0107ffd3f4ff6
SHA1

7d127f1237073ab71eda1eae563c7f9712b08311
SHA256

bc2cc765f6874385e37e9addd967240261af5958098bc009cc9b3f9cdbeaa01f
SHA512

a7eb096e28c222af7ed246be36459369cc6c30936aa1611946f6e7405b311c1520673730fb179ca6e4e527b1ecd009939840ce5c3128c31afb249d86d994d683
SSDEEP

1536:1EGh0oEl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oEl1OPOe2MUVg3Ve+rXfMUy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000a00000001226d-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0030000000014342-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b00000001226d-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0030000000014354-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c00000001226d-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d00000001226d-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e00000001226d-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0831C522-D9A9-4f5b-8B81-2E1DE4DE2A7F}	{AEA25BDF-E6CF-49f7-89A9-C5F74796482D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0831C522-D9A9-4f5b-8B81-2E1DE4DE2A7F}\stubpath = "C:\\Windows\\{0831C522-D9A9-4f5b-8B81-2E1DE4DE2A7F}.exe"	{AEA25BDF-E6CF-49f7-89A9-C5F74796482D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D45F4C9A-5DF4-4832-9B30-772F27FD6B81}\stubpath = "C:\\Windows\\{D45F4C9A-5DF4-4832-9B30-772F27FD6B81}.exe"	2024-05-21_1bc2052b82fd5e7f2fc0107ffd3f4ff6_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A2943E67-9C42-4799-9729-AC89B9B45E36}\stubpath = "C:\\Windows\\{A2943E67-9C42-4799-9729-AC89B9B45E36}.exe"	{4CAF60DA-3981-4889-AAA2-94AB83BA74D1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1A6973F0-46CD-4a73-A2D7-7CF28F8FCE69}\stubpath = "C:\\Windows\\{1A6973F0-46CD-4a73-A2D7-7CF28F8FCE69}.exe"	{07A911FB-8270-4525-8E08-4B482E06E35A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BC2863A3-2C99-4af2-9B28-F54F01268608}	{1A6973F0-46CD-4a73-A2D7-7CF28F8FCE69}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AEA25BDF-E6CF-49f7-89A9-C5F74796482D}	{BC2863A3-2C99-4af2-9B28-F54F01268608}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BC2863A3-2C99-4af2-9B28-F54F01268608}\stubpath = "C:\\Windows\\{BC2863A3-2C99-4af2-9B28-F54F01268608}.exe"	{1A6973F0-46CD-4a73-A2D7-7CF28F8FCE69}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4CAF60DA-3981-4889-AAA2-94AB83BA74D1}	{D45F4C9A-5DF4-4832-9B30-772F27FD6B81}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4CAF60DA-3981-4889-AAA2-94AB83BA74D1}\stubpath = "C:\\Windows\\{4CAF60DA-3981-4889-AAA2-94AB83BA74D1}.exe"	{D45F4C9A-5DF4-4832-9B30-772F27FD6B81}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A25E8D0F-F255-4af1-83C7-8ECF2AFF51ED}	{A2943E67-9C42-4799-9729-AC89B9B45E36}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{81CECB76-B581-4c97-94DB-0246DF2B3ADB}\stubpath = "C:\\Windows\\{81CECB76-B581-4c97-94DB-0246DF2B3ADB}.exe"	{0F01D9A9-EDB6-4a43-B66A-B8AB32ECC980}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1A6973F0-46CD-4a73-A2D7-7CF28F8FCE69}	{07A911FB-8270-4525-8E08-4B482E06E35A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D45F4C9A-5DF4-4832-9B30-772F27FD6B81}	2024-05-21_1bc2052b82fd5e7f2fc0107ffd3f4ff6_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0F01D9A9-EDB6-4a43-B66A-B8AB32ECC980}\stubpath = "C:\\Windows\\{0F01D9A9-EDB6-4a43-B66A-B8AB32ECC980}.exe"	{A25E8D0F-F255-4af1-83C7-8ECF2AFF51ED}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{81CECB76-B581-4c97-94DB-0246DF2B3ADB}	{0F01D9A9-EDB6-4a43-B66A-B8AB32ECC980}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{07A911FB-8270-4525-8E08-4B482E06E35A}\stubpath = "C:\\Windows\\{07A911FB-8270-4525-8E08-4B482E06E35A}.exe"	{81CECB76-B581-4c97-94DB-0246DF2B3ADB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AEA25BDF-E6CF-49f7-89A9-C5F74796482D}\stubpath = "C:\\Windows\\{AEA25BDF-E6CF-49f7-89A9-C5F74796482D}.exe"	{BC2863A3-2C99-4af2-9B28-F54F01268608}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A2943E67-9C42-4799-9729-AC89B9B45E36}	{4CAF60DA-3981-4889-AAA2-94AB83BA74D1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A25E8D0F-F255-4af1-83C7-8ECF2AFF51ED}\stubpath = "C:\\Windows\\{A25E8D0F-F255-4af1-83C7-8ECF2AFF51ED}.exe"	{A2943E67-9C42-4799-9729-AC89B9B45E36}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0F01D9A9-EDB6-4a43-B66A-B8AB32ECC980}	{A25E8D0F-F255-4af1-83C7-8ECF2AFF51ED}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{07A911FB-8270-4525-8E08-4B482E06E35A}	{81CECB76-B581-4c97-94DB-0246DF2B3ADB}.exe

Deletes itself 1 IoCs

pid	Process
2664	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2572	{D45F4C9A-5DF4-4832-9B30-772F27FD6B81}.exe
2596	{4CAF60DA-3981-4889-AAA2-94AB83BA74D1}.exe
2632	{A2943E67-9C42-4799-9729-AC89B9B45E36}.exe
1360	{A25E8D0F-F255-4af1-83C7-8ECF2AFF51ED}.exe
2760	{0F01D9A9-EDB6-4a43-B66A-B8AB32ECC980}.exe
752	{81CECB76-B581-4c97-94DB-0246DF2B3ADB}.exe
1412	{07A911FB-8270-4525-8E08-4B482E06E35A}.exe
832	{1A6973F0-46CD-4a73-A2D7-7CF28F8FCE69}.exe
2004	{BC2863A3-2C99-4af2-9B28-F54F01268608}.exe
264	{AEA25BDF-E6CF-49f7-89A9-C5F74796482D}.exe
1724	{0831C522-D9A9-4f5b-8B81-2E1DE4DE2A7F}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{4CAF60DA-3981-4889-AAA2-94AB83BA74D1}.exe	{D45F4C9A-5DF4-4832-9B30-772F27FD6B81}.exe
File created	C:\Windows\{A2943E67-9C42-4799-9729-AC89B9B45E36}.exe	{4CAF60DA-3981-4889-AAA2-94AB83BA74D1}.exe
File created	C:\Windows\{81CECB76-B581-4c97-94DB-0246DF2B3ADB}.exe	{0F01D9A9-EDB6-4a43-B66A-B8AB32ECC980}.exe
File created	C:\Windows\{07A911FB-8270-4525-8E08-4B482E06E35A}.exe	{81CECB76-B581-4c97-94DB-0246DF2B3ADB}.exe
File created	C:\Windows\{BC2863A3-2C99-4af2-9B28-F54F01268608}.exe	{1A6973F0-46CD-4a73-A2D7-7CF28F8FCE69}.exe
File created	C:\Windows\{AEA25BDF-E6CF-49f7-89A9-C5F74796482D}.exe	{BC2863A3-2C99-4af2-9B28-F54F01268608}.exe
File created	C:\Windows\{0831C522-D9A9-4f5b-8B81-2E1DE4DE2A7F}.exe	{AEA25BDF-E6CF-49f7-89A9-C5F74796482D}.exe
File created	C:\Windows\{D45F4C9A-5DF4-4832-9B30-772F27FD6B81}.exe	2024-05-21_1bc2052b82fd5e7f2fc0107ffd3f4ff6_goldeneye.exe
File created	C:\Windows\{0F01D9A9-EDB6-4a43-B66A-B8AB32ECC980}.exe	{A25E8D0F-F255-4af1-83C7-8ECF2AFF51ED}.exe
File created	C:\Windows\{1A6973F0-46CD-4a73-A2D7-7CF28F8FCE69}.exe	{07A911FB-8270-4525-8E08-4B482E06E35A}.exe
File created	C:\Windows\{A25E8D0F-F255-4af1-83C7-8ECF2AFF51ED}.exe	{A2943E67-9C42-4799-9729-AC89B9B45E36}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2740	2024-05-21_1bc2052b82fd5e7f2fc0107ffd3f4ff6_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2572	{D45F4C9A-5DF4-4832-9B30-772F27FD6B81}.exe
Token: SeIncBasePriorityPrivilege	2596	{4CAF60DA-3981-4889-AAA2-94AB83BA74D1}.exe
Token: SeIncBasePriorityPrivilege	2632	{A2943E67-9C42-4799-9729-AC89B9B45E36}.exe
Token: SeIncBasePriorityPrivilege	1360	{A25E8D0F-F255-4af1-83C7-8ECF2AFF51ED}.exe
Token: SeIncBasePriorityPrivilege	2760	{0F01D9A9-EDB6-4a43-B66A-B8AB32ECC980}.exe
Token: SeIncBasePriorityPrivilege	752	{81CECB76-B581-4c97-94DB-0246DF2B3ADB}.exe
Token: SeIncBasePriorityPrivilege	1412	{07A911FB-8270-4525-8E08-4B482E06E35A}.exe
Token: SeIncBasePriorityPrivilege	832	{1A6973F0-46CD-4a73-A2D7-7CF28F8FCE69}.exe
Token: SeIncBasePriorityPrivilege	2004	{BC2863A3-2C99-4af2-9B28-F54F01268608}.exe
Token: SeIncBasePriorityPrivilege	264	{AEA25BDF-E6CF-49f7-89A9-C5F74796482D}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2740 wrote to memory of 2572	2740	2024-05-21_1bc2052b82fd5e7f2fc0107ffd3f4ff6_goldeneye.exe	28
PID 2740 wrote to memory of 2572	2740	2024-05-21_1bc2052b82fd5e7f2fc0107ffd3f4ff6_goldeneye.exe	28
PID 2740 wrote to memory of 2572	2740	2024-05-21_1bc2052b82fd5e7f2fc0107ffd3f4ff6_goldeneye.exe	28
PID 2740 wrote to memory of 2572	2740	2024-05-21_1bc2052b82fd5e7f2fc0107ffd3f4ff6_goldeneye.exe	28
PID 2740 wrote to memory of 2664	2740	2024-05-21_1bc2052b82fd5e7f2fc0107ffd3f4ff6_goldeneye.exe	29
PID 2740 wrote to memory of 2664	2740	2024-05-21_1bc2052b82fd5e7f2fc0107ffd3f4ff6_goldeneye.exe	29
PID 2740 wrote to memory of 2664	2740	2024-05-21_1bc2052b82fd5e7f2fc0107ffd3f4ff6_goldeneye.exe	29
PID 2740 wrote to memory of 2664	2740	2024-05-21_1bc2052b82fd5e7f2fc0107ffd3f4ff6_goldeneye.exe	29
PID 2572 wrote to memory of 2596	2572	{D45F4C9A-5DF4-4832-9B30-772F27FD6B81}.exe	30
PID 2572 wrote to memory of 2596	2572	{D45F4C9A-5DF4-4832-9B30-772F27FD6B81}.exe	30
PID 2572 wrote to memory of 2596	2572	{D45F4C9A-5DF4-4832-9B30-772F27FD6B81}.exe	30
PID 2572 wrote to memory of 2596	2572	{D45F4C9A-5DF4-4832-9B30-772F27FD6B81}.exe	30
PID 2572 wrote to memory of 2580	2572	{D45F4C9A-5DF4-4832-9B30-772F27FD6B81}.exe	31
PID 2572 wrote to memory of 2580	2572	{D45F4C9A-5DF4-4832-9B30-772F27FD6B81}.exe	31
PID 2572 wrote to memory of 2580	2572	{D45F4C9A-5DF4-4832-9B30-772F27FD6B81}.exe	31
PID 2572 wrote to memory of 2580	2572	{D45F4C9A-5DF4-4832-9B30-772F27FD6B81}.exe	31
PID 2596 wrote to memory of 2632	2596	{4CAF60DA-3981-4889-AAA2-94AB83BA74D1}.exe	32
PID 2596 wrote to memory of 2632	2596	{4CAF60DA-3981-4889-AAA2-94AB83BA74D1}.exe	32
PID 2596 wrote to memory of 2632	2596	{4CAF60DA-3981-4889-AAA2-94AB83BA74D1}.exe	32
PID 2596 wrote to memory of 2632	2596	{4CAF60DA-3981-4889-AAA2-94AB83BA74D1}.exe	32
PID 2596 wrote to memory of 2716	2596	{4CAF60DA-3981-4889-AAA2-94AB83BA74D1}.exe	33
PID 2596 wrote to memory of 2716	2596	{4CAF60DA-3981-4889-AAA2-94AB83BA74D1}.exe	33
PID 2596 wrote to memory of 2716	2596	{4CAF60DA-3981-4889-AAA2-94AB83BA74D1}.exe	33
PID 2596 wrote to memory of 2716	2596	{4CAF60DA-3981-4889-AAA2-94AB83BA74D1}.exe	33
PID 2632 wrote to memory of 1360	2632	{A2943E67-9C42-4799-9729-AC89B9B45E36}.exe	36
PID 2632 wrote to memory of 1360	2632	{A2943E67-9C42-4799-9729-AC89B9B45E36}.exe	36
PID 2632 wrote to memory of 1360	2632	{A2943E67-9C42-4799-9729-AC89B9B45E36}.exe	36
PID 2632 wrote to memory of 1360	2632	{A2943E67-9C42-4799-9729-AC89B9B45E36}.exe	36
PID 2632 wrote to memory of 1352	2632	{A2943E67-9C42-4799-9729-AC89B9B45E36}.exe	37
PID 2632 wrote to memory of 1352	2632	{A2943E67-9C42-4799-9729-AC89B9B45E36}.exe	37
PID 2632 wrote to memory of 1352	2632	{A2943E67-9C42-4799-9729-AC89B9B45E36}.exe	37
PID 2632 wrote to memory of 1352	2632	{A2943E67-9C42-4799-9729-AC89B9B45E36}.exe	37
PID 1360 wrote to memory of 2760	1360	{A25E8D0F-F255-4af1-83C7-8ECF2AFF51ED}.exe	38
PID 1360 wrote to memory of 2760	1360	{A25E8D0F-F255-4af1-83C7-8ECF2AFF51ED}.exe	38
PID 1360 wrote to memory of 2760	1360	{A25E8D0F-F255-4af1-83C7-8ECF2AFF51ED}.exe	38
PID 1360 wrote to memory of 2760	1360	{A25E8D0F-F255-4af1-83C7-8ECF2AFF51ED}.exe	38
PID 1360 wrote to memory of 2564	1360	{A25E8D0F-F255-4af1-83C7-8ECF2AFF51ED}.exe	39
PID 1360 wrote to memory of 2564	1360	{A25E8D0F-F255-4af1-83C7-8ECF2AFF51ED}.exe	39
PID 1360 wrote to memory of 2564	1360	{A25E8D0F-F255-4af1-83C7-8ECF2AFF51ED}.exe	39
PID 1360 wrote to memory of 2564	1360	{A25E8D0F-F255-4af1-83C7-8ECF2AFF51ED}.exe	39
PID 2760 wrote to memory of 752	2760	{0F01D9A9-EDB6-4a43-B66A-B8AB32ECC980}.exe	40
PID 2760 wrote to memory of 752	2760	{0F01D9A9-EDB6-4a43-B66A-B8AB32ECC980}.exe	40
PID 2760 wrote to memory of 752	2760	{0F01D9A9-EDB6-4a43-B66A-B8AB32ECC980}.exe	40
PID 2760 wrote to memory of 752	2760	{0F01D9A9-EDB6-4a43-B66A-B8AB32ECC980}.exe	40
PID 2760 wrote to memory of 1540	2760	{0F01D9A9-EDB6-4a43-B66A-B8AB32ECC980}.exe	41
PID 2760 wrote to memory of 1540	2760	{0F01D9A9-EDB6-4a43-B66A-B8AB32ECC980}.exe	41
PID 2760 wrote to memory of 1540	2760	{0F01D9A9-EDB6-4a43-B66A-B8AB32ECC980}.exe	41
PID 2760 wrote to memory of 1540	2760	{0F01D9A9-EDB6-4a43-B66A-B8AB32ECC980}.exe	41
PID 752 wrote to memory of 1412	752	{81CECB76-B581-4c97-94DB-0246DF2B3ADB}.exe	42
PID 752 wrote to memory of 1412	752	{81CECB76-B581-4c97-94DB-0246DF2B3ADB}.exe	42
PID 752 wrote to memory of 1412	752	{81CECB76-B581-4c97-94DB-0246DF2B3ADB}.exe	42
PID 752 wrote to memory of 1412	752	{81CECB76-B581-4c97-94DB-0246DF2B3ADB}.exe	42
PID 752 wrote to memory of 1252	752	{81CECB76-B581-4c97-94DB-0246DF2B3ADB}.exe	43
PID 752 wrote to memory of 1252	752	{81CECB76-B581-4c97-94DB-0246DF2B3ADB}.exe	43
PID 752 wrote to memory of 1252	752	{81CECB76-B581-4c97-94DB-0246DF2B3ADB}.exe	43
PID 752 wrote to memory of 1252	752	{81CECB76-B581-4c97-94DB-0246DF2B3ADB}.exe	43
PID 1412 wrote to memory of 832	1412	{07A911FB-8270-4525-8E08-4B482E06E35A}.exe	44
PID 1412 wrote to memory of 832	1412	{07A911FB-8270-4525-8E08-4B482E06E35A}.exe	44
PID 1412 wrote to memory of 832	1412	{07A911FB-8270-4525-8E08-4B482E06E35A}.exe	44
PID 1412 wrote to memory of 832	1412	{07A911FB-8270-4525-8E08-4B482E06E35A}.exe	44
PID 1412 wrote to memory of 1688	1412	{07A911FB-8270-4525-8E08-4B482E06E35A}.exe	45
PID 1412 wrote to memory of 1688	1412	{07A911FB-8270-4525-8E08-4B482E06E35A}.exe	45
PID 1412 wrote to memory of 1688	1412	{07A911FB-8270-4525-8E08-4B482E06E35A}.exe	45
PID 1412 wrote to memory of 1688	1412	{07A911FB-8270-4525-8E08-4B482E06E35A}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-05-21_1bc2052b82fd5e7f2fc0107ffd3f4ff6_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-21_1bc2052b82fd5e7f2fc0107ffd3f4ff6_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2740
- C:\Windows\{D45F4C9A-5DF4-4832-9B30-772F27FD6B81}.exe
  C:\Windows\{D45F4C9A-5DF4-4832-9B30-772F27FD6B81}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2572
- - C:\Windows\{4CAF60DA-3981-4889-AAA2-94AB83BA74D1}.exe
    C:\Windows\{4CAF60DA-3981-4889-AAA2-94AB83BA74D1}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2596
  - - C:\Windows\{A2943E67-9C42-4799-9729-AC89B9B45E36}.exe
      C:\Windows\{A2943E67-9C42-4799-9729-AC89B9B45E36}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2632
    - - C:\Windows\{A25E8D0F-F255-4af1-83C7-8ECF2AFF51ED}.exe
        
        C:\Windows\{A25E8D0F-F255-4af1-83C7-8ECF2AFF51ED}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1360
      - C:\Windows\{0F01D9A9-EDB6-4a43-B66A-B8AB32ECC980}.exe
        
        C:\Windows\{0F01D9A9-EDB6-4a43-B66A-B8AB32ECC980}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2760
        
        C:\Windows\{81CECB76-B581-4c97-94DB-0246DF2B3ADB}.exe
        
        C:\Windows\{81CECB76-B581-4c97-94DB-0246DF2B3ADB}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:752
        
        C:\Windows\{07A911FB-8270-4525-8E08-4B482E06E35A}.exe
        
        C:\Windows\{07A911FB-8270-4525-8E08-4B482E06E35A}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1412
        
        C:\Windows\{1A6973F0-46CD-4a73-A2D7-7CF28F8FCE69}.exe
        
        C:\Windows\{1A6973F0-46CD-4a73-A2D7-7CF28F8FCE69}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:832
        
        C:\Windows\{BC2863A3-2C99-4af2-9B28-F54F01268608}.exe
        
        C:\Windows\{BC2863A3-2C99-4af2-9B28-F54F01268608}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2004
        
        C:\Windows\{AEA25BDF-E6CF-49f7-89A9-C5F74796482D}.exe
        
        C:\Windows\{AEA25BDF-E6CF-49f7-89A9-C5F74796482D}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:264
        
        C:\Windows\{0831C522-D9A9-4f5b-8B81-2E1DE4DE2A7F}.exe
        
        C:\Windows\{0831C522-D9A9-4f5b-8B81-2E1DE4DE2A7F}.exe
        12⤵
        Executes dropped EXE
        
        PID:1724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AEA25~1.EXE > nul
        12⤵
        
        PID:520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BC286~1.EXE > nul
        11⤵
        
        PID:1104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1A697~1.EXE > nul
        10⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{07A91~1.EXE > nul
        9⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{81CEC~1.EXE > nul
        8⤵
        
        PID:1252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0F01D~1.EXE > nul
        7⤵
        
        PID:1540
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A25E8~1.EXE > nul
        6⤵
        
        PID:2564
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A2943~1.EXE > nul
        5⤵
        
        PID:1352
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{4CAF6~1.EXE > nul
      4⤵
      PID:2716
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{D45F4~1.EXE > nul
    3⤵
    PID:2580
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{07A911FB-8270-4525-8E08-4B482E06E35A}.exe

Filesize
204KB

MD5
5c9444322c35a2d6de0b90f9c488ea0c

SHA1
20f6522e3232326b2d9d109594b45a01c9960714

SHA256
c8228aab7754408d25fcc3e122702db412c39ce990ff4bfffb15069b6e803380

SHA512
f1449ee5f4b28e7bf6b5a4634cd30317f824d6170fd6cd16b43e811cbaef7d35657364c3c924b4bb90ccf3e15da5e34be410f06f348463624dc6a7674225991f

Download Submit
C:\Windows\{0831C522-D9A9-4f5b-8B81-2E1DE4DE2A7F}.exe

Filesize
204KB

MD5
2589fdfa0570fd83da6bbeabb9ef6e01

SHA1
59f1ad75d19ca301b954305ba2f59eb543bb197d

SHA256
69a4542f48aa860b70cdf379403468bf5134eabefb47369316d7d080bc11520a

SHA512
31b0c98aa5f59e60de6fb660c43384be64acf9b0362a73a8eb5d79864cd3bcfed047b69c6d482175f2af5ea2f0816eafe89d387d798f4d3432935954ec1417fb

Download Submit
C:\Windows\{0F01D9A9-EDB6-4a43-B66A-B8AB32ECC980}.exe

Filesize
204KB

MD5
9697f79da9659da34f6b6c385071740d

SHA1
7d15b681918c6a281ad4830758cbffbebb6a8152

SHA256
09426ba766f1918045c9c02d8c3df44d9e0818325c7530b056d56cd8fd787188

SHA512
4b59449b09d92505ba272c12cb33b7fbe712bfd49ca5ae090cbbc7dd9d69b3022fc8a336b0c9d4bcfe1ec5e28e005e2e79d7018f6d654834a49e630572443f84

Download Submit
C:\Windows\{1A6973F0-46CD-4a73-A2D7-7CF28F8FCE69}.exe

Filesize
204KB

MD5
1db261d530912483fb81fdc08006c15f

SHA1
2798533de7787e6f337e6b636849ad73dbfa4c16

SHA256
8a37b11b6eb0669610e5d650e00fa9a0151faddffc9f8e0b0d80ca1f12094a8f

SHA512
00b5c3dfa08c3b370a10dd78234f303352b16092c8d0ca152764cff7e0a84841daba28a5799c4e484e1194b4ae4e44287ad1086c0739aa199762a934b5a73b7a

Download Submit
C:\Windows\{4CAF60DA-3981-4889-AAA2-94AB83BA74D1}.exe

Filesize
204KB

MD5
87525cf1d962e5e08bd195c4903b98b5

SHA1
d7a71b8bca709ab231212a0505440f576b7bec78

SHA256
fd5c1d066bd45e3ec0a52b2b1daf12a039359c85fa2e7a66579ffe84ec8c95dc

SHA512
e68f349cbab2d77a639105ca71d9998d367a633ec3870e74747000847253a57b85b3335573656fc8022f5bbfca6d3519aa20c4830ff78b0c2e19af7a76a59f2e

Download Submit
C:\Windows\{81CECB76-B581-4c97-94DB-0246DF2B3ADB}.exe

Filesize
204KB

MD5
b1db335a1fbe1033e01c30b40d912289

SHA1
061e9d2eab7241416d092b2af9dce9a694d5d105

SHA256
58d70efade14162181e77febdd94499163a757700eb051a88998459b0237f2f0

SHA512
df205b1c8217a09943ca60af73c170ccfd965316408d1289e44380a1c113bb851cbf274fe4c631e60b1dde345e887d502150581b6cbf73fa041810887a50f917

Download Submit
C:\Windows\{A25E8D0F-F255-4af1-83C7-8ECF2AFF51ED}.exe

Filesize
204KB

MD5
e8d275aa416a28e7fb50ac54f1d56d39

SHA1
495bb64fb756607cba968957a8482ad21cee6f56

SHA256
415aead5f025f1fd47a12d482c7d161a253fbb4cfa4fc8d82eab7352721f374a

SHA512
0ed08a1e89468abb8480ccb8664112c401a9762e42f3ffdca7f57357eabd99e8548cf4eae17970959f00e42bc198400d1e3b93c81b582e6a41005546f311ff4c

Download Submit
C:\Windows\{A2943E67-9C42-4799-9729-AC89B9B45E36}.exe

Filesize
204KB

MD5
df33eed757c6a6ece868cf497f7a5a0f

SHA1
84e64c93084d266c8be071fa8b5a510634f29747

SHA256
2abab58891bed6c1fdc155bd4065f7b415498d0485d54674eaebb9f95e7149e4

SHA512
94a0864e540d8538587052b76efb6bf1d64718b71681d7b76ae1a9d66681029d7ad2bc69c84480ab5acc4ee2fad5c6695293f83d4dec61fba4d2855ab3b9abd5

Download Submit
C:\Windows\{AEA25BDF-E6CF-49f7-89A9-C5F74796482D}.exe

Filesize
204KB

MD5
bd1b41128e3c6fa91f7afa4f07290075

SHA1
5f865c9b4bb0567fe867ea169a53a68ce12b22ea

SHA256
b9400a2f0324b43dd6537f3318b99bb89254e039e5adbf231fdde3563b0ae21d

SHA512
4f02f0ec8c795176c281c45b5e33210d8dd127c255836470a249813895a7b423eddb5b8bdd6312f2c9ccefb7c83e0ccc1d226ecbcb32ef5842625a5478cbb8d1

Download Submit
C:\Windows\{BC2863A3-2C99-4af2-9B28-F54F01268608}.exe

Filesize
204KB

MD5
4931820fd9883522d3e9bbb3c96a98ca

SHA1
255ee7153b2bcc9cde6c295aee2e0049d00c1ef3

SHA256
2f7e4936871f249bac6a2bbf5b821b4209a3a70ad0901b6c2fbcc4046ede96d2

SHA512
24d23f9870594e55b7df96cfb8b95188d9460e2ac173192e16f68587267b174ce3cec855e2ffb66f14737f22b044e1d72cc95f166c8d6574dd82ff9b954d56be

Download Submit
C:\Windows\{D45F4C9A-5DF4-4832-9B30-772F27FD6B81}.exe

Filesize
204KB

MD5
8ea77cb800958ec529734ac5beec290b

SHA1
c7e2e8c4e657d355b5ad807e24c1c9efcb38ee1e

SHA256
8b75d7c09925b694afef4bfda8f129b154c3fe3e20e1c3a8d68e78eabbbf086d

SHA512
de7a0c6ab2c76cbdfd8f68406e9b7220010dd8bcb4d173c795158e6187c82bd06e433c43e251d3f1e93666ff0acbda0e65944b3988580fd3df5e75171b70ca08

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads