4cb8088aea9bb8f7052f2b636035d8bbfbd537edb6c45e1bca22d522f29cc090

Analysis

max time kernel
144s
max time network
123s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
30/05/2024, 04:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-30_5840edcc7926b21561dbe297512923f2_goldeneye.exe
Size

344KB
MD5

5840edcc7926b21561dbe297512923f2
SHA1

ca97ecca402449e311e324eec2e4e3b74583ac4e
SHA256

4cb8088aea9bb8f7052f2b636035d8bbfbd537edb6c45e1bca22d522f29cc090
SHA512

550473e26ad87bec3e872b284eae3f5fb90072b243f40268e5451959cfe6a476df42f6a2c0ce06282bcfd6ba0c1e439be185d0e9115d932192d15b6842fe79a4
SSDEEP

3072:mEGh0onlEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEG1lqOe2MUVg3v2IneKcAEcA

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000e000000012279-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0036000000013362-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f000000012279-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x003500000001340e-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0010000000012279-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0011000000012279-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0012000000012279-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{750E61F4-D593-497d-8B23-CE3021788C1A}	{9523FAE9-98E9-4f19-9231-B5EE1C9ADB54}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6099B6C3-9498-4bb6-A9A2-0857174D0153}\stubpath = "C:\\Windows\\{6099B6C3-9498-4bb6-A9A2-0857174D0153}.exe"	{750E61F4-D593-497d-8B23-CE3021788C1A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{894C6A1B-B7C7-4ecb-8E92-A8FADE0BF3C5}	{A5013D7D-C9A9-49c5-A908-09E41595CFF0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FCD69233-9203-4732-BA40-93705521F673}\stubpath = "C:\\Windows\\{FCD69233-9203-4732-BA40-93705521F673}.exe"	{83123CA1-C4BB-47ac-A5BF-38112AF691E9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9523FAE9-98E9-4f19-9231-B5EE1C9ADB54}\stubpath = "C:\\Windows\\{9523FAE9-98E9-4f19-9231-B5EE1C9ADB54}.exe"	{A7C01590-C812-44e3-8A7B-80F1944F8CC9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{11855C7A-1E6E-4be5-A86D-28104C60F5B9}	{78DA5DD9-E9D8-4bba-ABD6-BEE8B1FE8EBC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A5013D7D-C9A9-49c5-A908-09E41595CFF0}	{790D1E08-D2FB-4e59-AC71-1E329814EA7B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{83123CA1-C4BB-47ac-A5BF-38112AF691E9}	2024-05-30_5840edcc7926b21561dbe297512923f2_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A7C01590-C812-44e3-8A7B-80F1944F8CC9}\stubpath = "C:\\Windows\\{A7C01590-C812-44e3-8A7B-80F1944F8CC9}.exe"	{FCD69233-9203-4732-BA40-93705521F673}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{750E61F4-D593-497d-8B23-CE3021788C1A}\stubpath = "C:\\Windows\\{750E61F4-D593-497d-8B23-CE3021788C1A}.exe"	{9523FAE9-98E9-4f19-9231-B5EE1C9ADB54}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6099B6C3-9498-4bb6-A9A2-0857174D0153}	{750E61F4-D593-497d-8B23-CE3021788C1A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{790D1E08-D2FB-4e59-AC71-1E329814EA7B}	{11855C7A-1E6E-4be5-A86D-28104C60F5B9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{790D1E08-D2FB-4e59-AC71-1E329814EA7B}\stubpath = "C:\\Windows\\{790D1E08-D2FB-4e59-AC71-1E329814EA7B}.exe"	{11855C7A-1E6E-4be5-A86D-28104C60F5B9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{11855C7A-1E6E-4be5-A86D-28104C60F5B9}\stubpath = "C:\\Windows\\{11855C7A-1E6E-4be5-A86D-28104C60F5B9}.exe"	{78DA5DD9-E9D8-4bba-ABD6-BEE8B1FE8EBC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A5013D7D-C9A9-49c5-A908-09E41595CFF0}\stubpath = "C:\\Windows\\{A5013D7D-C9A9-49c5-A908-09E41595CFF0}.exe"	{790D1E08-D2FB-4e59-AC71-1E329814EA7B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{83123CA1-C4BB-47ac-A5BF-38112AF691E9}\stubpath = "C:\\Windows\\{83123CA1-C4BB-47ac-A5BF-38112AF691E9}.exe"	2024-05-30_5840edcc7926b21561dbe297512923f2_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FCD69233-9203-4732-BA40-93705521F673}	{83123CA1-C4BB-47ac-A5BF-38112AF691E9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A7C01590-C812-44e3-8A7B-80F1944F8CC9}	{FCD69233-9203-4732-BA40-93705521F673}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9523FAE9-98E9-4f19-9231-B5EE1C9ADB54}	{A7C01590-C812-44e3-8A7B-80F1944F8CC9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{78DA5DD9-E9D8-4bba-ABD6-BEE8B1FE8EBC}	{6099B6C3-9498-4bb6-A9A2-0857174D0153}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{78DA5DD9-E9D8-4bba-ABD6-BEE8B1FE8EBC}\stubpath = "C:\\Windows\\{78DA5DD9-E9D8-4bba-ABD6-BEE8B1FE8EBC}.exe"	{6099B6C3-9498-4bb6-A9A2-0857174D0153}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{894C6A1B-B7C7-4ecb-8E92-A8FADE0BF3C5}\stubpath = "C:\\Windows\\{894C6A1B-B7C7-4ecb-8E92-A8FADE0BF3C5}.exe"	{A5013D7D-C9A9-49c5-A908-09E41595CFF0}.exe

Deletes itself 1 IoCs

pid	Process
2620	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2948	{83123CA1-C4BB-47ac-A5BF-38112AF691E9}.exe
2744	{FCD69233-9203-4732-BA40-93705521F673}.exe
2896	{A7C01590-C812-44e3-8A7B-80F1944F8CC9}.exe
2248	{9523FAE9-98E9-4f19-9231-B5EE1C9ADB54}.exe
2928	{750E61F4-D593-497d-8B23-CE3021788C1A}.exe
1608	{6099B6C3-9498-4bb6-A9A2-0857174D0153}.exe
1528	{78DA5DD9-E9D8-4bba-ABD6-BEE8B1FE8EBC}.exe
2420	{11855C7A-1E6E-4be5-A86D-28104C60F5B9}.exe
2104	{790D1E08-D2FB-4e59-AC71-1E329814EA7B}.exe
2764	{A5013D7D-C9A9-49c5-A908-09E41595CFF0}.exe
1292	{894C6A1B-B7C7-4ecb-8E92-A8FADE0BF3C5}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{9523FAE9-98E9-4f19-9231-B5EE1C9ADB54}.exe	{A7C01590-C812-44e3-8A7B-80F1944F8CC9}.exe
File created	C:\Windows\{750E61F4-D593-497d-8B23-CE3021788C1A}.exe	{9523FAE9-98E9-4f19-9231-B5EE1C9ADB54}.exe
File created	C:\Windows\{11855C7A-1E6E-4be5-A86D-28104C60F5B9}.exe	{78DA5DD9-E9D8-4bba-ABD6-BEE8B1FE8EBC}.exe
File created	C:\Windows\{790D1E08-D2FB-4e59-AC71-1E329814EA7B}.exe	{11855C7A-1E6E-4be5-A86D-28104C60F5B9}.exe
File created	C:\Windows\{A5013D7D-C9A9-49c5-A908-09E41595CFF0}.exe	{790D1E08-D2FB-4e59-AC71-1E329814EA7B}.exe
File created	C:\Windows\{894C6A1B-B7C7-4ecb-8E92-A8FADE0BF3C5}.exe	{A5013D7D-C9A9-49c5-A908-09E41595CFF0}.exe
File created	C:\Windows\{83123CA1-C4BB-47ac-A5BF-38112AF691E9}.exe	2024-05-30_5840edcc7926b21561dbe297512923f2_goldeneye.exe
File created	C:\Windows\{FCD69233-9203-4732-BA40-93705521F673}.exe	{83123CA1-C4BB-47ac-A5BF-38112AF691E9}.exe
File created	C:\Windows\{A7C01590-C812-44e3-8A7B-80F1944F8CC9}.exe	{FCD69233-9203-4732-BA40-93705521F673}.exe
File created	C:\Windows\{6099B6C3-9498-4bb6-A9A2-0857174D0153}.exe	{750E61F4-D593-497d-8B23-CE3021788C1A}.exe
File created	C:\Windows\{78DA5DD9-E9D8-4bba-ABD6-BEE8B1FE8EBC}.exe	{6099B6C3-9498-4bb6-A9A2-0857174D0153}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3000	2024-05-30_5840edcc7926b21561dbe297512923f2_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2948	{83123CA1-C4BB-47ac-A5BF-38112AF691E9}.exe
Token: SeIncBasePriorityPrivilege	2744	{FCD69233-9203-4732-BA40-93705521F673}.exe
Token: SeIncBasePriorityPrivilege	2896	{A7C01590-C812-44e3-8A7B-80F1944F8CC9}.exe
Token: SeIncBasePriorityPrivilege	2248	{9523FAE9-98E9-4f19-9231-B5EE1C9ADB54}.exe
Token: SeIncBasePriorityPrivilege	2928	{750E61F4-D593-497d-8B23-CE3021788C1A}.exe
Token: SeIncBasePriorityPrivilege	1608	{6099B6C3-9498-4bb6-A9A2-0857174D0153}.exe
Token: SeIncBasePriorityPrivilege	1528	{78DA5DD9-E9D8-4bba-ABD6-BEE8B1FE8EBC}.exe
Token: SeIncBasePriorityPrivilege	2420	{11855C7A-1E6E-4be5-A86D-28104C60F5B9}.exe
Token: SeIncBasePriorityPrivilege	2104	{790D1E08-D2FB-4e59-AC71-1E329814EA7B}.exe
Token: SeIncBasePriorityPrivilege	2764	{A5013D7D-C9A9-49c5-A908-09E41595CFF0}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3000 wrote to memory of 2948	3000	2024-05-30_5840edcc7926b21561dbe297512923f2_goldeneye.exe	28
PID 3000 wrote to memory of 2948	3000	2024-05-30_5840edcc7926b21561dbe297512923f2_goldeneye.exe	28
PID 3000 wrote to memory of 2948	3000	2024-05-30_5840edcc7926b21561dbe297512923f2_goldeneye.exe	28
PID 3000 wrote to memory of 2948	3000	2024-05-30_5840edcc7926b21561dbe297512923f2_goldeneye.exe	28
PID 3000 wrote to memory of 2620	3000	2024-05-30_5840edcc7926b21561dbe297512923f2_goldeneye.exe	29
PID 3000 wrote to memory of 2620	3000	2024-05-30_5840edcc7926b21561dbe297512923f2_goldeneye.exe	29
PID 3000 wrote to memory of 2620	3000	2024-05-30_5840edcc7926b21561dbe297512923f2_goldeneye.exe	29
PID 3000 wrote to memory of 2620	3000	2024-05-30_5840edcc7926b21561dbe297512923f2_goldeneye.exe	29
PID 2948 wrote to memory of 2744	2948	{83123CA1-C4BB-47ac-A5BF-38112AF691E9}.exe	30
PID 2948 wrote to memory of 2744	2948	{83123CA1-C4BB-47ac-A5BF-38112AF691E9}.exe	30
PID 2948 wrote to memory of 2744	2948	{83123CA1-C4BB-47ac-A5BF-38112AF691E9}.exe	30
PID 2948 wrote to memory of 2744	2948	{83123CA1-C4BB-47ac-A5BF-38112AF691E9}.exe	30
PID 2948 wrote to memory of 2652	2948	{83123CA1-C4BB-47ac-A5BF-38112AF691E9}.exe	31
PID 2948 wrote to memory of 2652	2948	{83123CA1-C4BB-47ac-A5BF-38112AF691E9}.exe	31
PID 2948 wrote to memory of 2652	2948	{83123CA1-C4BB-47ac-A5BF-38112AF691E9}.exe	31
PID 2948 wrote to memory of 2652	2948	{83123CA1-C4BB-47ac-A5BF-38112AF691E9}.exe	31
PID 2744 wrote to memory of 2896	2744	{FCD69233-9203-4732-BA40-93705521F673}.exe	32
PID 2744 wrote to memory of 2896	2744	{FCD69233-9203-4732-BA40-93705521F673}.exe	32
PID 2744 wrote to memory of 2896	2744	{FCD69233-9203-4732-BA40-93705521F673}.exe	32
PID 2744 wrote to memory of 2896	2744	{FCD69233-9203-4732-BA40-93705521F673}.exe	32
PID 2744 wrote to memory of 2708	2744	{FCD69233-9203-4732-BA40-93705521F673}.exe	33
PID 2744 wrote to memory of 2708	2744	{FCD69233-9203-4732-BA40-93705521F673}.exe	33
PID 2744 wrote to memory of 2708	2744	{FCD69233-9203-4732-BA40-93705521F673}.exe	33
PID 2744 wrote to memory of 2708	2744	{FCD69233-9203-4732-BA40-93705521F673}.exe	33
PID 2896 wrote to memory of 2248	2896	{A7C01590-C812-44e3-8A7B-80F1944F8CC9}.exe	36
PID 2896 wrote to memory of 2248	2896	{A7C01590-C812-44e3-8A7B-80F1944F8CC9}.exe	36
PID 2896 wrote to memory of 2248	2896	{A7C01590-C812-44e3-8A7B-80F1944F8CC9}.exe	36
PID 2896 wrote to memory of 2248	2896	{A7C01590-C812-44e3-8A7B-80F1944F8CC9}.exe	36
PID 2896 wrote to memory of 2156	2896	{A7C01590-C812-44e3-8A7B-80F1944F8CC9}.exe	37
PID 2896 wrote to memory of 2156	2896	{A7C01590-C812-44e3-8A7B-80F1944F8CC9}.exe	37
PID 2896 wrote to memory of 2156	2896	{A7C01590-C812-44e3-8A7B-80F1944F8CC9}.exe	37
PID 2896 wrote to memory of 2156	2896	{A7C01590-C812-44e3-8A7B-80F1944F8CC9}.exe	37
PID 2248 wrote to memory of 2928	2248	{9523FAE9-98E9-4f19-9231-B5EE1C9ADB54}.exe	38
PID 2248 wrote to memory of 2928	2248	{9523FAE9-98E9-4f19-9231-B5EE1C9ADB54}.exe	38
PID 2248 wrote to memory of 2928	2248	{9523FAE9-98E9-4f19-9231-B5EE1C9ADB54}.exe	38
PID 2248 wrote to memory of 2928	2248	{9523FAE9-98E9-4f19-9231-B5EE1C9ADB54}.exe	38
PID 2248 wrote to memory of 2940	2248	{9523FAE9-98E9-4f19-9231-B5EE1C9ADB54}.exe	39
PID 2248 wrote to memory of 2940	2248	{9523FAE9-98E9-4f19-9231-B5EE1C9ADB54}.exe	39
PID 2248 wrote to memory of 2940	2248	{9523FAE9-98E9-4f19-9231-B5EE1C9ADB54}.exe	39
PID 2248 wrote to memory of 2940	2248	{9523FAE9-98E9-4f19-9231-B5EE1C9ADB54}.exe	39
PID 2928 wrote to memory of 1608	2928	{750E61F4-D593-497d-8B23-CE3021788C1A}.exe	40
PID 2928 wrote to memory of 1608	2928	{750E61F4-D593-497d-8B23-CE3021788C1A}.exe	40
PID 2928 wrote to memory of 1608	2928	{750E61F4-D593-497d-8B23-CE3021788C1A}.exe	40
PID 2928 wrote to memory of 1608	2928	{750E61F4-D593-497d-8B23-CE3021788C1A}.exe	40
PID 2928 wrote to memory of 2332	2928	{750E61F4-D593-497d-8B23-CE3021788C1A}.exe	41
PID 2928 wrote to memory of 2332	2928	{750E61F4-D593-497d-8B23-CE3021788C1A}.exe	41
PID 2928 wrote to memory of 2332	2928	{750E61F4-D593-497d-8B23-CE3021788C1A}.exe	41
PID 2928 wrote to memory of 2332	2928	{750E61F4-D593-497d-8B23-CE3021788C1A}.exe	41
PID 1608 wrote to memory of 1528	1608	{6099B6C3-9498-4bb6-A9A2-0857174D0153}.exe	42
PID 1608 wrote to memory of 1528	1608	{6099B6C3-9498-4bb6-A9A2-0857174D0153}.exe	42
PID 1608 wrote to memory of 1528	1608	{6099B6C3-9498-4bb6-A9A2-0857174D0153}.exe	42
PID 1608 wrote to memory of 1528	1608	{6099B6C3-9498-4bb6-A9A2-0857174D0153}.exe	42
PID 1608 wrote to memory of 1500	1608	{6099B6C3-9498-4bb6-A9A2-0857174D0153}.exe	43
PID 1608 wrote to memory of 1500	1608	{6099B6C3-9498-4bb6-A9A2-0857174D0153}.exe	43
PID 1608 wrote to memory of 1500	1608	{6099B6C3-9498-4bb6-A9A2-0857174D0153}.exe	43
PID 1608 wrote to memory of 1500	1608	{6099B6C3-9498-4bb6-A9A2-0857174D0153}.exe	43
PID 1528 wrote to memory of 2420	1528	{78DA5DD9-E9D8-4bba-ABD6-BEE8B1FE8EBC}.exe	44
PID 1528 wrote to memory of 2420	1528	{78DA5DD9-E9D8-4bba-ABD6-BEE8B1FE8EBC}.exe	44
PID 1528 wrote to memory of 2420	1528	{78DA5DD9-E9D8-4bba-ABD6-BEE8B1FE8EBC}.exe	44
PID 1528 wrote to memory of 2420	1528	{78DA5DD9-E9D8-4bba-ABD6-BEE8B1FE8EBC}.exe	44
PID 1528 wrote to memory of 1264	1528	{78DA5DD9-E9D8-4bba-ABD6-BEE8B1FE8EBC}.exe	45
PID 1528 wrote to memory of 1264	1528	{78DA5DD9-E9D8-4bba-ABD6-BEE8B1FE8EBC}.exe	45
PID 1528 wrote to memory of 1264	1528	{78DA5DD9-E9D8-4bba-ABD6-BEE8B1FE8EBC}.exe	45
PID 1528 wrote to memory of 1264	1528	{78DA5DD9-E9D8-4bba-ABD6-BEE8B1FE8EBC}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-05-30_5840edcc7926b21561dbe297512923f2_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-30_5840edcc7926b21561dbe297512923f2_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3000
- C:\Windows\{83123CA1-C4BB-47ac-A5BF-38112AF691E9}.exe
  C:\Windows\{83123CA1-C4BB-47ac-A5BF-38112AF691E9}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2948
- - C:\Windows\{FCD69233-9203-4732-BA40-93705521F673}.exe
    C:\Windows\{FCD69233-9203-4732-BA40-93705521F673}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2744
  - - C:\Windows\{A7C01590-C812-44e3-8A7B-80F1944F8CC9}.exe
      C:\Windows\{A7C01590-C812-44e3-8A7B-80F1944F8CC9}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2896
    - - C:\Windows\{9523FAE9-98E9-4f19-9231-B5EE1C9ADB54}.exe
        
        C:\Windows\{9523FAE9-98E9-4f19-9231-B5EE1C9ADB54}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2248
      - C:\Windows\{750E61F4-D593-497d-8B23-CE3021788C1A}.exe
        
        C:\Windows\{750E61F4-D593-497d-8B23-CE3021788C1A}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2928
        
        C:\Windows\{6099B6C3-9498-4bb6-A9A2-0857174D0153}.exe
        
        C:\Windows\{6099B6C3-9498-4bb6-A9A2-0857174D0153}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1608
        
        C:\Windows\{78DA5DD9-E9D8-4bba-ABD6-BEE8B1FE8EBC}.exe
        
        C:\Windows\{78DA5DD9-E9D8-4bba-ABD6-BEE8B1FE8EBC}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1528
        
        C:\Windows\{11855C7A-1E6E-4be5-A86D-28104C60F5B9}.exe
        
        C:\Windows\{11855C7A-1E6E-4be5-A86D-28104C60F5B9}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2420
        
        C:\Windows\{790D1E08-D2FB-4e59-AC71-1E329814EA7B}.exe
        
        C:\Windows\{790D1E08-D2FB-4e59-AC71-1E329814EA7B}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2104
        
        C:\Windows\{A5013D7D-C9A9-49c5-A908-09E41595CFF0}.exe
        
        C:\Windows\{A5013D7D-C9A9-49c5-A908-09E41595CFF0}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2764
        
        C:\Windows\{894C6A1B-B7C7-4ecb-8E92-A8FADE0BF3C5}.exe
        
        C:\Windows\{894C6A1B-B7C7-4ecb-8E92-A8FADE0BF3C5}.exe
        12⤵
        Executes dropped EXE
        
        PID:1292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A5013~1.EXE > nul
        12⤵
        
        PID:716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{790D1~1.EXE > nul
        11⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{11855~1.EXE > nul
        10⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{78DA5~1.EXE > nul
        9⤵
        
        PID:1264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6099B~1.EXE > nul
        8⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{750E6~1.EXE > nul
        7⤵
        
        PID:2332
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9523F~1.EXE > nul
        6⤵
        
        PID:2940
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A7C01~1.EXE > nul
        5⤵
        
        PID:2156
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{FCD69~1.EXE > nul
      4⤵
      PID:2708
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{83123~1.EXE > nul
    3⤵
    PID:2652
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{11855C7A-1E6E-4be5-A86D-28104C60F5B9}.exe

Filesize
344KB

MD5
22e124d2b0d35697d54ff5b85d629265

SHA1
0396d7191a667a2e5b6967be663e650bc2fb4d86

SHA256
2cc60ead2a85e57a17193312dbde16503fa749e9a3e33893c08feab3de2f4c1e

SHA512
1c877b2f0c249b456ac1fa228f4471371acd5a15f8a72678a3d8814feacd56a2e2433039384baea035f64802929f52734e7682a19f2ad3a0f16b99a9908d5f17

Download Submit
C:\Windows\{6099B6C3-9498-4bb6-A9A2-0857174D0153}.exe

Filesize
344KB

MD5
680179fc0e604ffaaf01db71c0fce6ef

SHA1
27dd43dd064f8426b969d87a6b05b5ff80605f3f

SHA256
d72508cace686a56eff9ab39460bb2bda47f004d0ca4bc66b82a92397d7be6e7

SHA512
e4236870ca5cf0d8f98eda6596f3c8a8ba92544e16838bbcef27817721efab0899d551c52ba49620c0ae9f41c4528521541d11709c73c773548d6534dba3e407

Download Submit
C:\Windows\{750E61F4-D593-497d-8B23-CE3021788C1A}.exe

Filesize
344KB

MD5
fa4d73b4f697a2783ac632c2c2f55a55

SHA1
044e4191388ad62d28eeba0c2128ac447c010c0c

SHA256
577696d4a456596e16a1ae446abe23e92761dee3696705bb7249a35228e4b9ae

SHA512
ed32567876aae8feac84b7171d02543196927ae7d338a97e2f32aeca711cc2df8bfa70087849bfb49c6b77dd095f9be62ea117b7f2bf9f08fa3f6cc4ed8466a8

Download Submit
C:\Windows\{78DA5DD9-E9D8-4bba-ABD6-BEE8B1FE8EBC}.exe

Filesize
344KB

MD5
f3236cf78bb7509157dcbb9fcdb21909

SHA1
9d4e32c21ae3ccd653748ba4528b46021c306b60

SHA256
aafb99bebae0c1b90a24c5e5cb07c7136a3eaadb2bc47e2c449d03dab3e55776

SHA512
3ea079d17e9d28278182ff4398df6565c6e97fee481a3cc20782c2debcf73f7d32d0774bfc298d67bb03f6434740b64aac24e5c74f3fcdf68dde8d97d71bc897

Download Submit
C:\Windows\{790D1E08-D2FB-4e59-AC71-1E329814EA7B}.exe

Filesize
344KB

MD5
904ecf9db207249191e2c7f9c0552e95

SHA1
92939591804f10393bbb8e8d30800235a311bd31

SHA256
b6f27ee76f34a35e21d5dd7a0792d15e2cea1f0def4416c297c565bab0e9dc6c

SHA512
194a2c1ce6af040b85a3d28295ed92c0c6f688148c6ee44506dd083b2923c93fc32d26ae1a47d5f33289ae4b73089fe8115aa257b00e20fa0855c6334b7a49b1

Download Submit
C:\Windows\{83123CA1-C4BB-47ac-A5BF-38112AF691E9}.exe

Filesize
344KB

MD5
1cc87806dfe03dfed4f0d52fdad6cd39

SHA1
34b079f9b24b597aa6d98e515032c8d4c86a66b5

SHA256
627c97dc8b48b9e98a85c867a2d6511bb6dedd6d5911c9abbe3d36fdeff7324a

SHA512
9a842d50f12dced37348c0de739254eb0436f19451e6ca7ed53d82461d3a2135546c464f7db034ef02c76b60907b7e2a2133c3dc86c2337e44b520ccbf19eddc

Download Submit
C:\Windows\{894C6A1B-B7C7-4ecb-8E92-A8FADE0BF3C5}.exe

Filesize
344KB

MD5
5c9d5b913646441d60afc0743c2f939b

SHA1
1e70cc17b572033cf04cb0fdc21934924ea9182f

SHA256
83c3a5949a64c759fc2c26e6411c7cd6aef0e662a1a7b968812b512b879318a2

SHA512
1ed847104ca1b6f151e24437389c99f097b1b6252a023fe70ae0d2f0b02c554937776e0bbd14f8c5b33357e8fdcaa52ffa4bd84c2f34a9c8bb334e6828616838

Download Submit
C:\Windows\{9523FAE9-98E9-4f19-9231-B5EE1C9ADB54}.exe

Filesize
344KB

MD5
e7797ee06072858033c2ed0ef67a2f5b

SHA1
cefeeddaa27e70cb2e5582e93bb1081171edf8b6

SHA256
379aa7eaa79ef164fb7623353f35b09ce81c39dd60ee4d22ac3cc8848888d99f

SHA512
a970187cdcec64ccf8ab0f14c72e9cb230060031361d05275aea85a0100538277058137a181cf5a21405eca90daaf3e39cad1e755a9e457b62e674dfc3822962

Download Submit
C:\Windows\{A5013D7D-C9A9-49c5-A908-09E41595CFF0}.exe

Filesize
344KB

MD5
5f8c3c388ad113e9d5080877298a3819

SHA1
590327b425112087232e1a9db9cb3c58856a9602

SHA256
6e9a0de87f1bab37361d4340a380c68dc12388ebe78e7b17a2ee04fee8d34e74

SHA512
6994f0c8b70fd2c356826ec69e02128c5308213c941c89d6c290a6f3ec553c476aa9b687ba987850ce07f9317a4b0e1fd06146fccc8086c5278d361ae31b7536

Download Submit
C:\Windows\{A7C01590-C812-44e3-8A7B-80F1944F8CC9}.exe

Filesize
344KB

MD5
675d92f43379f18f67ef4418280770f0

SHA1
6654b7007154fad9a037ddbb780e8d68d4761d84

SHA256
5876a34aa6986487ed5ec6885b0c5a0f6aa96b5847df62cbc8e96377b5184e0c

SHA512
0f403c7d7cc69bc898cb180c8594734e703d0c60b387cc8faea3421c6c8becd0be36eb9e4cf458f92b01232b7621bf32e9d5bc4a58c1a3f3f7c956ded6cf3e99

Download Submit
C:\Windows\{FCD69233-9203-4732-BA40-93705521F673}.exe

Filesize
344KB

MD5
acddc216ac29a6ad6ec280a04fb17217

SHA1
74c8171198f073b82147ae7ad27e186e2b4519d7

SHA256
8cd38ed9522e9400e3df863b762fd4d661d4ac9c83adc3ea5fa7f35505b8a432

SHA512
c1a296c78c95003e130a7035c75c62dae533f59560e6ffde0a56b919340d0a4f2aa5e680cf8b00bda96acebda1d9e9c9c319c2178e4411225c0515cad7d0c5cc

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads