8f0195a7f67e7c80ab653a106238413bcc692bf40db1433ce363348eb139abfe

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
24/05/2024, 07:46

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-05-24_54b0e4cc471c8cd4442b91ebc528f928_goldeneye.exe
Size

372KB
MD5

54b0e4cc471c8cd4442b91ebc528f928
SHA1

f8ab3da7a42a67db3c3b1e7d1568b432744ab1a1
SHA256

8f0195a7f67e7c80ab653a106238413bcc692bf40db1433ce363348eb139abfe
SHA512

b0e9923233775009bf68a8fcd99a4a8ba3b4aaaf60aa19b3ec51d12c02b8317777b45ff0322037deaf9ca8c0aac686144ae6cb83ad049b79ef9ebb10c7d4496b
SSDEEP

3072:CEGh0oPlMOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBfM:CEGVlkOe2MUVg3vTeKcAEciTBqr3

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x00090000000141c0-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a0000000143ec-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a0000000141c0-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000900000001447e-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000005a59-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b0000000141c0-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000005a59-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c0000000141c0-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000005a59-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d0000000141c0-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000005a59-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{359003D4-E240-463e-B73B-291D2DA3CEA2}	2024-05-24_54b0e4cc471c8cd4442b91ebc528f928_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D375C45E-13CB-48c2-BACB-5A9390AB791B}	{820F5C04-4D4F-4f93-8576-06B7E319B11D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D375C45E-13CB-48c2-BACB-5A9390AB791B}\stubpath = "C:\\Windows\\{D375C45E-13CB-48c2-BACB-5A9390AB791B}.exe"	{820F5C04-4D4F-4f93-8576-06B7E319B11D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1A7ED93B-BF0F-4cb1-9BB8-B5722584385E}	{C84E52A5-DBA9-467b-BDEF-F07F08E307DC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{70C6C364-B7B3-4eae-BEB0-2FBDACFAB3F5}\stubpath = "C:\\Windows\\{70C6C364-B7B3-4eae-BEB0-2FBDACFAB3F5}.exe"	{40CCE0B9-3CA3-4d12-8F43-29D65ADCE6AE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{095293A0-4370-4a4b-89CE-E8F1C0EEA25E}	{70C6C364-B7B3-4eae-BEB0-2FBDACFAB3F5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{095293A0-4370-4a4b-89CE-E8F1C0EEA25E}\stubpath = "C:\\Windows\\{095293A0-4370-4a4b-89CE-E8F1C0EEA25E}.exe"	{70C6C364-B7B3-4eae-BEB0-2FBDACFAB3F5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1A7ED93B-BF0F-4cb1-9BB8-B5722584385E}\stubpath = "C:\\Windows\\{1A7ED93B-BF0F-4cb1-9BB8-B5722584385E}.exe"	{C84E52A5-DBA9-467b-BDEF-F07F08E307DC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C8074A4B-ADBD-45c9-879A-4AB3BF7B618C}\stubpath = "C:\\Windows\\{C8074A4B-ADBD-45c9-879A-4AB3BF7B618C}.exe"	{1A7ED93B-BF0F-4cb1-9BB8-B5722584385E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{359003D4-E240-463e-B73B-291D2DA3CEA2}\stubpath = "C:\\Windows\\{359003D4-E240-463e-B73B-291D2DA3CEA2}.exe"	2024-05-24_54b0e4cc471c8cd4442b91ebc528f928_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{820F5C04-4D4F-4f93-8576-06B7E319B11D}	{359003D4-E240-463e-B73B-291D2DA3CEA2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{820F5C04-4D4F-4f93-8576-06B7E319B11D}\stubpath = "C:\\Windows\\{820F5C04-4D4F-4f93-8576-06B7E319B11D}.exe"	{359003D4-E240-463e-B73B-291D2DA3CEA2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{40CCE0B9-3CA3-4d12-8F43-29D65ADCE6AE}\stubpath = "C:\\Windows\\{40CCE0B9-3CA3-4d12-8F43-29D65ADCE6AE}.exe"	{D375C45E-13CB-48c2-BACB-5A9390AB791B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C84E52A5-DBA9-467b-BDEF-F07F08E307DC}	{095293A0-4370-4a4b-89CE-E8F1C0EEA25E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C8074A4B-ADBD-45c9-879A-4AB3BF7B618C}	{1A7ED93B-BF0F-4cb1-9BB8-B5722584385E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2F553BDD-B9A5-4791-8FC6-1F927B3A9C3E}\stubpath = "C:\\Windows\\{2F553BDD-B9A5-4791-8FC6-1F927B3A9C3E}.exe"	{B901F967-3164-4fb9-9A81-8A49FAE12814}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{40CCE0B9-3CA3-4d12-8F43-29D65ADCE6AE}	{D375C45E-13CB-48c2-BACB-5A9390AB791B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{70C6C364-B7B3-4eae-BEB0-2FBDACFAB3F5}	{40CCE0B9-3CA3-4d12-8F43-29D65ADCE6AE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C84E52A5-DBA9-467b-BDEF-F07F08E307DC}\stubpath = "C:\\Windows\\{C84E52A5-DBA9-467b-BDEF-F07F08E307DC}.exe"	{095293A0-4370-4a4b-89CE-E8F1C0EEA25E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B901F967-3164-4fb9-9A81-8A49FAE12814}	{C8074A4B-ADBD-45c9-879A-4AB3BF7B618C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B901F967-3164-4fb9-9A81-8A49FAE12814}\stubpath = "C:\\Windows\\{B901F967-3164-4fb9-9A81-8A49FAE12814}.exe"	{C8074A4B-ADBD-45c9-879A-4AB3BF7B618C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2F553BDD-B9A5-4791-8FC6-1F927B3A9C3E}	{B901F967-3164-4fb9-9A81-8A49FAE12814}.exe

Deletes itself 1 IoCs

pid	Process
3056	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
1792	{359003D4-E240-463e-B73B-291D2DA3CEA2}.exe
2564	{820F5C04-4D4F-4f93-8576-06B7E319B11D}.exe
2864	{D375C45E-13CB-48c2-BACB-5A9390AB791B}.exe
2580	{40CCE0B9-3CA3-4d12-8F43-29D65ADCE6AE}.exe
2528	{70C6C364-B7B3-4eae-BEB0-2FBDACFAB3F5}.exe
2716	{095293A0-4370-4a4b-89CE-E8F1C0EEA25E}.exe
2800	{C84E52A5-DBA9-467b-BDEF-F07F08E307DC}.exe
1628	{1A7ED93B-BF0F-4cb1-9BB8-B5722584385E}.exe
1092	{C8074A4B-ADBD-45c9-879A-4AB3BF7B618C}.exe
2316	{B901F967-3164-4fb9-9A81-8A49FAE12814}.exe
1480	{2F553BDD-B9A5-4791-8FC6-1F927B3A9C3E}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{40CCE0B9-3CA3-4d12-8F43-29D65ADCE6AE}.exe	{D375C45E-13CB-48c2-BACB-5A9390AB791B}.exe
File created	C:\Windows\{095293A0-4370-4a4b-89CE-E8F1C0EEA25E}.exe	{70C6C364-B7B3-4eae-BEB0-2FBDACFAB3F5}.exe
File created	C:\Windows\{C84E52A5-DBA9-467b-BDEF-F07F08E307DC}.exe	{095293A0-4370-4a4b-89CE-E8F1C0EEA25E}.exe
File created	C:\Windows\{1A7ED93B-BF0F-4cb1-9BB8-B5722584385E}.exe	{C84E52A5-DBA9-467b-BDEF-F07F08E307DC}.exe
File created	C:\Windows\{C8074A4B-ADBD-45c9-879A-4AB3BF7B618C}.exe	{1A7ED93B-BF0F-4cb1-9BB8-B5722584385E}.exe
File created	C:\Windows\{2F553BDD-B9A5-4791-8FC6-1F927B3A9C3E}.exe	{B901F967-3164-4fb9-9A81-8A49FAE12814}.exe
File created	C:\Windows\{359003D4-E240-463e-B73B-291D2DA3CEA2}.exe	2024-05-24_54b0e4cc471c8cd4442b91ebc528f928_goldeneye.exe
File created	C:\Windows\{D375C45E-13CB-48c2-BACB-5A9390AB791B}.exe	{820F5C04-4D4F-4f93-8576-06B7E319B11D}.exe
File created	C:\Windows\{70C6C364-B7B3-4eae-BEB0-2FBDACFAB3F5}.exe	{40CCE0B9-3CA3-4d12-8F43-29D65ADCE6AE}.exe
File created	C:\Windows\{B901F967-3164-4fb9-9A81-8A49FAE12814}.exe	{C8074A4B-ADBD-45c9-879A-4AB3BF7B618C}.exe
File created	C:\Windows\{820F5C04-4D4F-4f93-8576-06B7E319B11D}.exe	{359003D4-E240-463e-B73B-291D2DA3CEA2}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2784	2024-05-24_54b0e4cc471c8cd4442b91ebc528f928_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1792	{359003D4-E240-463e-B73B-291D2DA3CEA2}.exe
Token: SeIncBasePriorityPrivilege	2564	{820F5C04-4D4F-4f93-8576-06B7E319B11D}.exe
Token: SeIncBasePriorityPrivilege	2864	{D375C45E-13CB-48c2-BACB-5A9390AB791B}.exe
Token: SeIncBasePriorityPrivilege	2580	{40CCE0B9-3CA3-4d12-8F43-29D65ADCE6AE}.exe
Token: SeIncBasePriorityPrivilege	2528	{70C6C364-B7B3-4eae-BEB0-2FBDACFAB3F5}.exe
Token: SeIncBasePriorityPrivilege	2716	{095293A0-4370-4a4b-89CE-E8F1C0EEA25E}.exe
Token: SeIncBasePriorityPrivilege	2800	{C84E52A5-DBA9-467b-BDEF-F07F08E307DC}.exe
Token: SeIncBasePriorityPrivilege	1628	{1A7ED93B-BF0F-4cb1-9BB8-B5722584385E}.exe
Token: SeIncBasePriorityPrivilege	1092	{C8074A4B-ADBD-45c9-879A-4AB3BF7B618C}.exe
Token: SeIncBasePriorityPrivilege	2316	{B901F967-3164-4fb9-9A81-8A49FAE12814}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2784 wrote to memory of 1792	2784	2024-05-24_54b0e4cc471c8cd4442b91ebc528f928_goldeneye.exe	28
PID 2784 wrote to memory of 1792	2784	2024-05-24_54b0e4cc471c8cd4442b91ebc528f928_goldeneye.exe	28
PID 2784 wrote to memory of 1792	2784	2024-05-24_54b0e4cc471c8cd4442b91ebc528f928_goldeneye.exe	28
PID 2784 wrote to memory of 1792	2784	2024-05-24_54b0e4cc471c8cd4442b91ebc528f928_goldeneye.exe	28
PID 2784 wrote to memory of 3056	2784	2024-05-24_54b0e4cc471c8cd4442b91ebc528f928_goldeneye.exe	29
PID 2784 wrote to memory of 3056	2784	2024-05-24_54b0e4cc471c8cd4442b91ebc528f928_goldeneye.exe	29
PID 2784 wrote to memory of 3056	2784	2024-05-24_54b0e4cc471c8cd4442b91ebc528f928_goldeneye.exe	29
PID 2784 wrote to memory of 3056	2784	2024-05-24_54b0e4cc471c8cd4442b91ebc528f928_goldeneye.exe	29
PID 1792 wrote to memory of 2564	1792	{359003D4-E240-463e-B73B-291D2DA3CEA2}.exe	30
PID 1792 wrote to memory of 2564	1792	{359003D4-E240-463e-B73B-291D2DA3CEA2}.exe	30
PID 1792 wrote to memory of 2564	1792	{359003D4-E240-463e-B73B-291D2DA3CEA2}.exe	30
PID 1792 wrote to memory of 2564	1792	{359003D4-E240-463e-B73B-291D2DA3CEA2}.exe	30
PID 1792 wrote to memory of 2668	1792	{359003D4-E240-463e-B73B-291D2DA3CEA2}.exe	31
PID 1792 wrote to memory of 2668	1792	{359003D4-E240-463e-B73B-291D2DA3CEA2}.exe	31
PID 1792 wrote to memory of 2668	1792	{359003D4-E240-463e-B73B-291D2DA3CEA2}.exe	31
PID 1792 wrote to memory of 2668	1792	{359003D4-E240-463e-B73B-291D2DA3CEA2}.exe	31
PID 2564 wrote to memory of 2864	2564	{820F5C04-4D4F-4f93-8576-06B7E319B11D}.exe	32
PID 2564 wrote to memory of 2864	2564	{820F5C04-4D4F-4f93-8576-06B7E319B11D}.exe	32
PID 2564 wrote to memory of 2864	2564	{820F5C04-4D4F-4f93-8576-06B7E319B11D}.exe	32
PID 2564 wrote to memory of 2864	2564	{820F5C04-4D4F-4f93-8576-06B7E319B11D}.exe	32
PID 2564 wrote to memory of 2496	2564	{820F5C04-4D4F-4f93-8576-06B7E319B11D}.exe	33
PID 2564 wrote to memory of 2496	2564	{820F5C04-4D4F-4f93-8576-06B7E319B11D}.exe	33
PID 2564 wrote to memory of 2496	2564	{820F5C04-4D4F-4f93-8576-06B7E319B11D}.exe	33
PID 2564 wrote to memory of 2496	2564	{820F5C04-4D4F-4f93-8576-06B7E319B11D}.exe	33
PID 2864 wrote to memory of 2580	2864	{D375C45E-13CB-48c2-BACB-5A9390AB791B}.exe	36
PID 2864 wrote to memory of 2580	2864	{D375C45E-13CB-48c2-BACB-5A9390AB791B}.exe	36
PID 2864 wrote to memory of 2580	2864	{D375C45E-13CB-48c2-BACB-5A9390AB791B}.exe	36
PID 2864 wrote to memory of 2580	2864	{D375C45E-13CB-48c2-BACB-5A9390AB791B}.exe	36
PID 2864 wrote to memory of 2940	2864	{D375C45E-13CB-48c2-BACB-5A9390AB791B}.exe	37
PID 2864 wrote to memory of 2940	2864	{D375C45E-13CB-48c2-BACB-5A9390AB791B}.exe	37
PID 2864 wrote to memory of 2940	2864	{D375C45E-13CB-48c2-BACB-5A9390AB791B}.exe	37
PID 2864 wrote to memory of 2940	2864	{D375C45E-13CB-48c2-BACB-5A9390AB791B}.exe	37
PID 2580 wrote to memory of 2528	2580	{40CCE0B9-3CA3-4d12-8F43-29D65ADCE6AE}.exe	38
PID 2580 wrote to memory of 2528	2580	{40CCE0B9-3CA3-4d12-8F43-29D65ADCE6AE}.exe	38
PID 2580 wrote to memory of 2528	2580	{40CCE0B9-3CA3-4d12-8F43-29D65ADCE6AE}.exe	38
PID 2580 wrote to memory of 2528	2580	{40CCE0B9-3CA3-4d12-8F43-29D65ADCE6AE}.exe	38
PID 2580 wrote to memory of 2820	2580	{40CCE0B9-3CA3-4d12-8F43-29D65ADCE6AE}.exe	39
PID 2580 wrote to memory of 2820	2580	{40CCE0B9-3CA3-4d12-8F43-29D65ADCE6AE}.exe	39
PID 2580 wrote to memory of 2820	2580	{40CCE0B9-3CA3-4d12-8F43-29D65ADCE6AE}.exe	39
PID 2580 wrote to memory of 2820	2580	{40CCE0B9-3CA3-4d12-8F43-29D65ADCE6AE}.exe	39
PID 2528 wrote to memory of 2716	2528	{70C6C364-B7B3-4eae-BEB0-2FBDACFAB3F5}.exe	40
PID 2528 wrote to memory of 2716	2528	{70C6C364-B7B3-4eae-BEB0-2FBDACFAB3F5}.exe	40
PID 2528 wrote to memory of 2716	2528	{70C6C364-B7B3-4eae-BEB0-2FBDACFAB3F5}.exe	40
PID 2528 wrote to memory of 2716	2528	{70C6C364-B7B3-4eae-BEB0-2FBDACFAB3F5}.exe	40
PID 2528 wrote to memory of 2692	2528	{70C6C364-B7B3-4eae-BEB0-2FBDACFAB3F5}.exe	41
PID 2528 wrote to memory of 2692	2528	{70C6C364-B7B3-4eae-BEB0-2FBDACFAB3F5}.exe	41
PID 2528 wrote to memory of 2692	2528	{70C6C364-B7B3-4eae-BEB0-2FBDACFAB3F5}.exe	41
PID 2528 wrote to memory of 2692	2528	{70C6C364-B7B3-4eae-BEB0-2FBDACFAB3F5}.exe	41
PID 2716 wrote to memory of 2800	2716	{095293A0-4370-4a4b-89CE-E8F1C0EEA25E}.exe	42
PID 2716 wrote to memory of 2800	2716	{095293A0-4370-4a4b-89CE-E8F1C0EEA25E}.exe	42
PID 2716 wrote to memory of 2800	2716	{095293A0-4370-4a4b-89CE-E8F1C0EEA25E}.exe	42
PID 2716 wrote to memory of 2800	2716	{095293A0-4370-4a4b-89CE-E8F1C0EEA25E}.exe	42
PID 2716 wrote to memory of 1848	2716	{095293A0-4370-4a4b-89CE-E8F1C0EEA25E}.exe	43
PID 2716 wrote to memory of 1848	2716	{095293A0-4370-4a4b-89CE-E8F1C0EEA25E}.exe	43
PID 2716 wrote to memory of 1848	2716	{095293A0-4370-4a4b-89CE-E8F1C0EEA25E}.exe	43
PID 2716 wrote to memory of 1848	2716	{095293A0-4370-4a4b-89CE-E8F1C0EEA25E}.exe	43
PID 2800 wrote to memory of 1628	2800	{C84E52A5-DBA9-467b-BDEF-F07F08E307DC}.exe	44
PID 2800 wrote to memory of 1628	2800	{C84E52A5-DBA9-467b-BDEF-F07F08E307DC}.exe	44
PID 2800 wrote to memory of 1628	2800	{C84E52A5-DBA9-467b-BDEF-F07F08E307DC}.exe	44
PID 2800 wrote to memory of 1628	2800	{C84E52A5-DBA9-467b-BDEF-F07F08E307DC}.exe	44
PID 2800 wrote to memory of 1692	2800	{C84E52A5-DBA9-467b-BDEF-F07F08E307DC}.exe	45
PID 2800 wrote to memory of 1692	2800	{C84E52A5-DBA9-467b-BDEF-F07F08E307DC}.exe	45
PID 2800 wrote to memory of 1692	2800	{C84E52A5-DBA9-467b-BDEF-F07F08E307DC}.exe	45
PID 2800 wrote to memory of 1692	2800	{C84E52A5-DBA9-467b-BDEF-F07F08E307DC}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-05-24_54b0e4cc471c8cd4442b91ebc528f928_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-24_54b0e4cc471c8cd4442b91ebc528f928_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2784
- C:\Windows\{359003D4-E240-463e-B73B-291D2DA3CEA2}.exe
  C:\Windows\{359003D4-E240-463e-B73B-291D2DA3CEA2}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1792
- - C:\Windows\{820F5C04-4D4F-4f93-8576-06B7E319B11D}.exe
    C:\Windows\{820F5C04-4D4F-4f93-8576-06B7E319B11D}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2564
  - - C:\Windows\{D375C45E-13CB-48c2-BACB-5A9390AB791B}.exe
      C:\Windows\{D375C45E-13CB-48c2-BACB-5A9390AB791B}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2864
    - - C:\Windows\{40CCE0B9-3CA3-4d12-8F43-29D65ADCE6AE}.exe
        
        C:\Windows\{40CCE0B9-3CA3-4d12-8F43-29D65ADCE6AE}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2580
      - C:\Windows\{70C6C364-B7B3-4eae-BEB0-2FBDACFAB3F5}.exe
        
        C:\Windows\{70C6C364-B7B3-4eae-BEB0-2FBDACFAB3F5}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2528
        
        C:\Windows\{095293A0-4370-4a4b-89CE-E8F1C0EEA25E}.exe
        
        C:\Windows\{095293A0-4370-4a4b-89CE-E8F1C0EEA25E}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2716
        
        C:\Windows\{C84E52A5-DBA9-467b-BDEF-F07F08E307DC}.exe
        
        C:\Windows\{C84E52A5-DBA9-467b-BDEF-F07F08E307DC}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2800
        
        C:\Windows\{1A7ED93B-BF0F-4cb1-9BB8-B5722584385E}.exe
        
        C:\Windows\{1A7ED93B-BF0F-4cb1-9BB8-B5722584385E}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1628
        
        C:\Windows\{C8074A4B-ADBD-45c9-879A-4AB3BF7B618C}.exe
        
        C:\Windows\{C8074A4B-ADBD-45c9-879A-4AB3BF7B618C}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1092
        
        C:\Windows\{B901F967-3164-4fb9-9A81-8A49FAE12814}.exe
        
        C:\Windows\{B901F967-3164-4fb9-9A81-8A49FAE12814}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2316
        
        C:\Windows\{2F553BDD-B9A5-4791-8FC6-1F927B3A9C3E}.exe
        
        C:\Windows\{2F553BDD-B9A5-4791-8FC6-1F927B3A9C3E}.exe
        12⤵
        Executes dropped EXE
        
        PID:1480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B901F~1.EXE > nul
        12⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C8074~1.EXE > nul
        11⤵
        
        PID:676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1A7ED~1.EXE > nul
        10⤵
        
        PID:1256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C84E5~1.EXE > nul
        9⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{09529~1.EXE > nul
        8⤵
        
        PID:1848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{70C6C~1.EXE > nul
        7⤵
        
        PID:2692
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{40CCE~1.EXE > nul
        6⤵
        
        PID:2820
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D375C~1.EXE > nul
        5⤵
        
        PID:2940
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{820F5~1.EXE > nul
      4⤵
      PID:2496
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{35900~1.EXE > nul
    3⤵
    PID:2668
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:3056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{095293A0-4370-4a4b-89CE-E8F1C0EEA25E}.exe

Filesize
372KB

MD5
12c4024526c2bac9f2a97298b11cd342

SHA1
2cd3d2e60ab74b20a02f92172363fc824552ffbe

SHA256
08eda446bde9e132706e64dd2a06d3168aaf1e403d8f2e27e622794cc1b1725b

SHA512
b45225b1f3abe931dac30a30e9410f4516a4d91819d5b0994715519dc82c5bc07e931c44336269979235bf8e0b41a8833fedff9562ddd4fe116cc590c4dd9a7e

Download Submit
C:\Windows\{1A7ED93B-BF0F-4cb1-9BB8-B5722584385E}.exe

Filesize
372KB

MD5
008ad8f5873bc9344c8067ae962649dd

SHA1
558c7c259e505bc2d8d2d2b8c3ead33483383bbe

SHA256
e66040904ebf113a7f818f2bb58c5e7e56c7726fb338feff1169e346156314e3

SHA512
be8bf463b642f83c745d3b38ff32eb563dc4fac517a13569ea47c94a9daca685c4e4bdc64f3f9dc5e18c4491d2e66c7946341b925b15ba1ace610ab921ade603

Download Submit
C:\Windows\{2F553BDD-B9A5-4791-8FC6-1F927B3A9C3E}.exe

Filesize
372KB

MD5
9bb130196ed3421c1223d1e9a343d762

SHA1
63aa25608d5284d1ea61959bc04fd0e667b4d4b6

SHA256
f0e024bf8c5995af47c4d599cbdded920f6898ec49f720022cc52c3d4e3ad6cc

SHA512
8122ffc42be95b538778f7e52dad654a8952e9b6e29379caf7f6d34244c0bd6a7f45d68d3a3af2a86da78501872835b6ba8256879fadb4276a63c1a517bff33b

Download Submit
C:\Windows\{359003D4-E240-463e-B73B-291D2DA3CEA2}.exe

Filesize
372KB

MD5
d2564e604678646156d4934fd177fc5f

SHA1
71c2f66daff83bf6937c07bb133cd785c85ff75c

SHA256
db1105dae3ff324435b5dbcdc1ac793ff72f60e8d79b140d08fc5e57165ac1fe

SHA512
4bc04edda586e889fe4318cab8b07621cdc133076881a42e551b20d931c1e27bf0c30fdb0162ef71f7e15e37f4895d790a75848d3a0ec582428b29b9d90ac615

Download Submit
C:\Windows\{40CCE0B9-3CA3-4d12-8F43-29D65ADCE6AE}.exe

Filesize
372KB

MD5
858a97249e1c49b90eef2205d9ac4228

SHA1
d485e9db8e537167cf8ed17b09167b4e0eea3ee9

SHA256
6b5af125903c3fd93184b6f22bb6d09394ce7cd258480c090a58d374c1d29caf

SHA512
6bfa41660acda510a14e065864252640ae685e85207be25c280d0b4e1412aa014bd1160206be2db706a854d1c9142a5d1a0085ee4f1d5f3b236a9167f744a145

Download Submit
C:\Windows\{70C6C364-B7B3-4eae-BEB0-2FBDACFAB3F5}.exe

Filesize
372KB

MD5
3ed1ee14b3336f52dd118586294fccb3

SHA1
9c85b10b42437c787473e818b23455ffac176c6e

SHA256
e0d0d923bd38442d5d5f66c9cc3f6fa53c95abad572c2346dcad37a74863ac51

SHA512
370f12b767860da6d72c0f65815446bfba95058fd175076ce0eb531ad898ae6bd924e01bf71a0accd144ed1f1a62f0ea5f23b2c193e9b0fee580dc242d641015

Download Submit
C:\Windows\{820F5C04-4D4F-4f93-8576-06B7E319B11D}.exe

Filesize
372KB

MD5
dc6d5d95e96df2ac2bd46d0f8972517f

SHA1
6aee8eac5f88d6c62de18a48ed4319c581bc8ae8

SHA256
7585dbf4dc4d6afe7604d144f2f2d123857682ed9f55dd36143df60b4113359b

SHA512
46a2079230019581bc2c7b8a3885b8e0707d90af2e8f7f2de898ac11a4053017eb498a7b9a30dc5cd5b7a241708aeb006ef706a96c221f4c05d5e597a9d2bfd2

Download Submit
C:\Windows\{B901F967-3164-4fb9-9A81-8A49FAE12814}.exe

Filesize
372KB

MD5
701c3d7bc9018ed1d2888d491009895e

SHA1
815b54866ed5835bc5786fca48deb1d42ba90fae

SHA256
0b0136f5b2e30311548b95798fed3e7f8826fd7b5fab07634f2a7a4b4c5da3b2

SHA512
65c8124f97e87c1318a6796e095f746214530d061cb3fae19c53ea17555623ff4913a266a13b910775efdc69a771a9e42fb5b126464d999054ca9febf700e41c

Download Submit
C:\Windows\{C8074A4B-ADBD-45c9-879A-4AB3BF7B618C}.exe

Filesize
372KB

MD5
1e8d58488896b29e6790250b1df48a13

SHA1
ff3a2d63901fbc6aa1bfabcabb94e76bce0093a7

SHA256
305d630dc3ef298b8e1f4f02d7133e6ee95626e22333ba2700a53fe83420890f

SHA512
c03b603b74235a0a8527dd9d5b0f67facc7862cdc5931caaba3162d0636b58bfb6923086a44606ebb9ba3b879937fed2dd49e21d4b0234fa5a437dbea15d25e2

Download Submit
C:\Windows\{C84E52A5-DBA9-467b-BDEF-F07F08E307DC}.exe

Filesize
372KB

MD5
32df61d228a453aad42a78cbbe9687b7

SHA1
ed2adac713b0696a29be53561af12e57eee664a4

SHA256
317d1e47ca582bde5a52c5a37e0ec283d0605617a220614ff43d8cab2ebb5bbe

SHA512
f94f687dc45d4ffe7d981bad4a13ff8597b974cd5616e48a7965966f91063a1ff88f69861d500ea1e660f9098d68f729f2a94792cea0fbd1848e06a3b0a72d5c

Download Submit
C:\Windows\{D375C45E-13CB-48c2-BACB-5A9390AB791B}.exe

Filesize
372KB

MD5
14fb6bf4b2f64f0e55e987060cc25e2e

SHA1
5a4c481bfa38e28d24196c0248f98a12bf283d19

SHA256
999d27b8eca6d4d31f19f1a786c333ee0b4540e8792c6a09ea3379bced0a334c

SHA512
338998c6a6dddb28ab287a9c5140cbd53e11643abd57a3b66e278fc054b2226062ec89851ea698217a31a7b4e22ef6f8bcc4e44f0e8c6b96c93e3edf289cbc99

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads