4b7d8a2737d39247e1cd858b2b5db348d7e236e11f5e18a43ceb888c409df6ef

Analysis

max time kernel
144s
max time network
123s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
11/06/2024, 05:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-11_8e9b385c64ee616c194650116e451269_goldeneye.exe
Size

344KB
MD5

8e9b385c64ee616c194650116e451269
SHA1

3a7925d84cc6b09566c12d435a507aa50d338f60
SHA256

4b7d8a2737d39247e1cd858b2b5db348d7e236e11f5e18a43ceb888c409df6ef
SHA512

70e8309214949aafb2732c3f62654370a8a28d106306ffe1d7654e055a7a795b9dca5a0467f8ffebd18a303f8d7c7b4ef978d61045e248937e0fb7a0b93ddf3f
SSDEEP

3072:mEGh0oilEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGMlqOe2MUVg3v2IneKcAEcA

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000e000000012279-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0036000000013362-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f000000012279-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x003500000001340e-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0010000000012279-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0011000000012279-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0012000000012279-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E65CB5BB-7010-42f5-85A8-6A9E51B2EC0C}	{F5C9C757-9CFD-44c9-B3C3-645AC28961C5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{19E6A950-4C54-4f57-B2DE-9767C83BCD7D}	{E65CB5BB-7010-42f5-85A8-6A9E51B2EC0C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A3B10981-CC5C-4f07-B4E2-9F2533A96323}	{285FAD9C-1CAB-4d17-A56D-A3737EC5A457}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8F8B6732-DB4E-4793-BA49-972922B19880}	{A3B10981-CC5C-4f07-B4E2-9F2533A96323}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A714C2D1-BABC-4c36-970F-344C63A5C2CD}	{DFEE77E7-847E-4968-AD4A-EF97F60BFFAA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{22F08D84-9AF5-465c-98E6-D6390283CF3A}\stubpath = "C:\\Windows\\{22F08D84-9AF5-465c-98E6-D6390283CF3A}.exe"	{A714C2D1-BABC-4c36-970F-344C63A5C2CD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F5C9C757-9CFD-44c9-B3C3-645AC28961C5}	{C9B179F4-43C3-4dd0-AAC3-DE7E04A88519}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E65CB5BB-7010-42f5-85A8-6A9E51B2EC0C}\stubpath = "C:\\Windows\\{E65CB5BB-7010-42f5-85A8-6A9E51B2EC0C}.exe"	{F5C9C757-9CFD-44c9-B3C3-645AC28961C5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{285FAD9C-1CAB-4d17-A56D-A3737EC5A457}\stubpath = "C:\\Windows\\{285FAD9C-1CAB-4d17-A56D-A3737EC5A457}.exe"	2024-06-11_8e9b385c64ee616c194650116e451269_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A3B10981-CC5C-4f07-B4E2-9F2533A96323}\stubpath = "C:\\Windows\\{A3B10981-CC5C-4f07-B4E2-9F2533A96323}.exe"	{285FAD9C-1CAB-4d17-A56D-A3737EC5A457}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8F8B6732-DB4E-4793-BA49-972922B19880}\stubpath = "C:\\Windows\\{8F8B6732-DB4E-4793-BA49-972922B19880}.exe"	{A3B10981-CC5C-4f07-B4E2-9F2533A96323}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DFEE77E7-847E-4968-AD4A-EF97F60BFFAA}\stubpath = "C:\\Windows\\{DFEE77E7-847E-4968-AD4A-EF97F60BFFAA}.exe"	{9D896D3F-DBE9-4219-918B-A3AB5DB6D65B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F5C9C757-9CFD-44c9-B3C3-645AC28961C5}\stubpath = "C:\\Windows\\{F5C9C757-9CFD-44c9-B3C3-645AC28961C5}.exe"	{C9B179F4-43C3-4dd0-AAC3-DE7E04A88519}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9D896D3F-DBE9-4219-918B-A3AB5DB6D65B}	{8F8B6732-DB4E-4793-BA49-972922B19880}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DFEE77E7-847E-4968-AD4A-EF97F60BFFAA}	{9D896D3F-DBE9-4219-918B-A3AB5DB6D65B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{22F08D84-9AF5-465c-98E6-D6390283CF3A}	{A714C2D1-BABC-4c36-970F-344C63A5C2CD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C9B179F4-43C3-4dd0-AAC3-DE7E04A88519}	{22F08D84-9AF5-465c-98E6-D6390283CF3A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C9B179F4-43C3-4dd0-AAC3-DE7E04A88519}\stubpath = "C:\\Windows\\{C9B179F4-43C3-4dd0-AAC3-DE7E04A88519}.exe"	{22F08D84-9AF5-465c-98E6-D6390283CF3A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{285FAD9C-1CAB-4d17-A56D-A3737EC5A457}	2024-06-11_8e9b385c64ee616c194650116e451269_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9D896D3F-DBE9-4219-918B-A3AB5DB6D65B}\stubpath = "C:\\Windows\\{9D896D3F-DBE9-4219-918B-A3AB5DB6D65B}.exe"	{8F8B6732-DB4E-4793-BA49-972922B19880}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A714C2D1-BABC-4c36-970F-344C63A5C2CD}\stubpath = "C:\\Windows\\{A714C2D1-BABC-4c36-970F-344C63A5C2CD}.exe"	{DFEE77E7-847E-4968-AD4A-EF97F60BFFAA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{19E6A950-4C54-4f57-B2DE-9767C83BCD7D}\stubpath = "C:\\Windows\\{19E6A950-4C54-4f57-B2DE-9767C83BCD7D}.exe"	{E65CB5BB-7010-42f5-85A8-6A9E51B2EC0C}.exe

Deletes itself 1 IoCs

pid	Process
2620	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2948	{285FAD9C-1CAB-4d17-A56D-A3737EC5A457}.exe
2824	{A3B10981-CC5C-4f07-B4E2-9F2533A96323}.exe
2756	{8F8B6732-DB4E-4793-BA49-972922B19880}.exe
3036	{9D896D3F-DBE9-4219-918B-A3AB5DB6D65B}.exe
2876	{DFEE77E7-847E-4968-AD4A-EF97F60BFFAA}.exe
2772	{A714C2D1-BABC-4c36-970F-344C63A5C2CD}.exe
1548	{22F08D84-9AF5-465c-98E6-D6390283CF3A}.exe
1684	{C9B179F4-43C3-4dd0-AAC3-DE7E04A88519}.exe
468	{F5C9C757-9CFD-44c9-B3C3-645AC28961C5}.exe
380	{E65CB5BB-7010-42f5-85A8-6A9E51B2EC0C}.exe
752	{19E6A950-4C54-4f57-B2DE-9767C83BCD7D}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{A714C2D1-BABC-4c36-970F-344C63A5C2CD}.exe	{DFEE77E7-847E-4968-AD4A-EF97F60BFFAA}.exe
File created	C:\Windows\{22F08D84-9AF5-465c-98E6-D6390283CF3A}.exe	{A714C2D1-BABC-4c36-970F-344C63A5C2CD}.exe
File created	C:\Windows\{19E6A950-4C54-4f57-B2DE-9767C83BCD7D}.exe	{E65CB5BB-7010-42f5-85A8-6A9E51B2EC0C}.exe
File created	C:\Windows\{285FAD9C-1CAB-4d17-A56D-A3737EC5A457}.exe	2024-06-11_8e9b385c64ee616c194650116e451269_goldeneye.exe
File created	C:\Windows\{A3B10981-CC5C-4f07-B4E2-9F2533A96323}.exe	{285FAD9C-1CAB-4d17-A56D-A3737EC5A457}.exe
File created	C:\Windows\{8F8B6732-DB4E-4793-BA49-972922B19880}.exe	{A3B10981-CC5C-4f07-B4E2-9F2533A96323}.exe
File created	C:\Windows\{9D896D3F-DBE9-4219-918B-A3AB5DB6D65B}.exe	{8F8B6732-DB4E-4793-BA49-972922B19880}.exe
File created	C:\Windows\{DFEE77E7-847E-4968-AD4A-EF97F60BFFAA}.exe	{9D896D3F-DBE9-4219-918B-A3AB5DB6D65B}.exe
File created	C:\Windows\{C9B179F4-43C3-4dd0-AAC3-DE7E04A88519}.exe	{22F08D84-9AF5-465c-98E6-D6390283CF3A}.exe
File created	C:\Windows\{F5C9C757-9CFD-44c9-B3C3-645AC28961C5}.exe	{C9B179F4-43C3-4dd0-AAC3-DE7E04A88519}.exe
File created	C:\Windows\{E65CB5BB-7010-42f5-85A8-6A9E51B2EC0C}.exe	{F5C9C757-9CFD-44c9-B3C3-645AC28961C5}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3000	2024-06-11_8e9b385c64ee616c194650116e451269_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2948	{285FAD9C-1CAB-4d17-A56D-A3737EC5A457}.exe
Token: SeIncBasePriorityPrivilege	2824	{A3B10981-CC5C-4f07-B4E2-9F2533A96323}.exe
Token: SeIncBasePriorityPrivilege	2756	{8F8B6732-DB4E-4793-BA49-972922B19880}.exe
Token: SeIncBasePriorityPrivilege	3036	{9D896D3F-DBE9-4219-918B-A3AB5DB6D65B}.exe
Token: SeIncBasePriorityPrivilege	2876	{DFEE77E7-847E-4968-AD4A-EF97F60BFFAA}.exe
Token: SeIncBasePriorityPrivilege	2772	{A714C2D1-BABC-4c36-970F-344C63A5C2CD}.exe
Token: SeIncBasePriorityPrivilege	1548	{22F08D84-9AF5-465c-98E6-D6390283CF3A}.exe
Token: SeIncBasePriorityPrivilege	1684	{C9B179F4-43C3-4dd0-AAC3-DE7E04A88519}.exe
Token: SeIncBasePriorityPrivilege	468	{F5C9C757-9CFD-44c9-B3C3-645AC28961C5}.exe
Token: SeIncBasePriorityPrivilege	380	{E65CB5BB-7010-42f5-85A8-6A9E51B2EC0C}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3000 wrote to memory of 2948	3000	2024-06-11_8e9b385c64ee616c194650116e451269_goldeneye.exe	28
PID 3000 wrote to memory of 2948	3000	2024-06-11_8e9b385c64ee616c194650116e451269_goldeneye.exe	28
PID 3000 wrote to memory of 2948	3000	2024-06-11_8e9b385c64ee616c194650116e451269_goldeneye.exe	28
PID 3000 wrote to memory of 2948	3000	2024-06-11_8e9b385c64ee616c194650116e451269_goldeneye.exe	28
PID 3000 wrote to memory of 2620	3000	2024-06-11_8e9b385c64ee616c194650116e451269_goldeneye.exe	29
PID 3000 wrote to memory of 2620	3000	2024-06-11_8e9b385c64ee616c194650116e451269_goldeneye.exe	29
PID 3000 wrote to memory of 2620	3000	2024-06-11_8e9b385c64ee616c194650116e451269_goldeneye.exe	29
PID 3000 wrote to memory of 2620	3000	2024-06-11_8e9b385c64ee616c194650116e451269_goldeneye.exe	29
PID 2948 wrote to memory of 2824	2948	{285FAD9C-1CAB-4d17-A56D-A3737EC5A457}.exe	30
PID 2948 wrote to memory of 2824	2948	{285FAD9C-1CAB-4d17-A56D-A3737EC5A457}.exe	30
PID 2948 wrote to memory of 2824	2948	{285FAD9C-1CAB-4d17-A56D-A3737EC5A457}.exe	30
PID 2948 wrote to memory of 2824	2948	{285FAD9C-1CAB-4d17-A56D-A3737EC5A457}.exe	30
PID 2948 wrote to memory of 2672	2948	{285FAD9C-1CAB-4d17-A56D-A3737EC5A457}.exe	31
PID 2948 wrote to memory of 2672	2948	{285FAD9C-1CAB-4d17-A56D-A3737EC5A457}.exe	31
PID 2948 wrote to memory of 2672	2948	{285FAD9C-1CAB-4d17-A56D-A3737EC5A457}.exe	31
PID 2948 wrote to memory of 2672	2948	{285FAD9C-1CAB-4d17-A56D-A3737EC5A457}.exe	31
PID 2824 wrote to memory of 2756	2824	{A3B10981-CC5C-4f07-B4E2-9F2533A96323}.exe	32
PID 2824 wrote to memory of 2756	2824	{A3B10981-CC5C-4f07-B4E2-9F2533A96323}.exe	32
PID 2824 wrote to memory of 2756	2824	{A3B10981-CC5C-4f07-B4E2-9F2533A96323}.exe	32
PID 2824 wrote to memory of 2756	2824	{A3B10981-CC5C-4f07-B4E2-9F2533A96323}.exe	32
PID 2824 wrote to memory of 2776	2824	{A3B10981-CC5C-4f07-B4E2-9F2533A96323}.exe	33
PID 2824 wrote to memory of 2776	2824	{A3B10981-CC5C-4f07-B4E2-9F2533A96323}.exe	33
PID 2824 wrote to memory of 2776	2824	{A3B10981-CC5C-4f07-B4E2-9F2533A96323}.exe	33
PID 2824 wrote to memory of 2776	2824	{A3B10981-CC5C-4f07-B4E2-9F2533A96323}.exe	33
PID 2756 wrote to memory of 3036	2756	{8F8B6732-DB4E-4793-BA49-972922B19880}.exe	36
PID 2756 wrote to memory of 3036	2756	{8F8B6732-DB4E-4793-BA49-972922B19880}.exe	36
PID 2756 wrote to memory of 3036	2756	{8F8B6732-DB4E-4793-BA49-972922B19880}.exe	36
PID 2756 wrote to memory of 3036	2756	{8F8B6732-DB4E-4793-BA49-972922B19880}.exe	36
PID 2756 wrote to memory of 3052	2756	{8F8B6732-DB4E-4793-BA49-972922B19880}.exe	37
PID 2756 wrote to memory of 3052	2756	{8F8B6732-DB4E-4793-BA49-972922B19880}.exe	37
PID 2756 wrote to memory of 3052	2756	{8F8B6732-DB4E-4793-BA49-972922B19880}.exe	37
PID 2756 wrote to memory of 3052	2756	{8F8B6732-DB4E-4793-BA49-972922B19880}.exe	37
PID 3036 wrote to memory of 2876	3036	{9D896D3F-DBE9-4219-918B-A3AB5DB6D65B}.exe	38
PID 3036 wrote to memory of 2876	3036	{9D896D3F-DBE9-4219-918B-A3AB5DB6D65B}.exe	38
PID 3036 wrote to memory of 2876	3036	{9D896D3F-DBE9-4219-918B-A3AB5DB6D65B}.exe	38
PID 3036 wrote to memory of 2876	3036	{9D896D3F-DBE9-4219-918B-A3AB5DB6D65B}.exe	38
PID 3036 wrote to memory of 2924	3036	{9D896D3F-DBE9-4219-918B-A3AB5DB6D65B}.exe	39
PID 3036 wrote to memory of 2924	3036	{9D896D3F-DBE9-4219-918B-A3AB5DB6D65B}.exe	39
PID 3036 wrote to memory of 2924	3036	{9D896D3F-DBE9-4219-918B-A3AB5DB6D65B}.exe	39
PID 3036 wrote to memory of 2924	3036	{9D896D3F-DBE9-4219-918B-A3AB5DB6D65B}.exe	39
PID 2876 wrote to memory of 2772	2876	{DFEE77E7-847E-4968-AD4A-EF97F60BFFAA}.exe	40
PID 2876 wrote to memory of 2772	2876	{DFEE77E7-847E-4968-AD4A-EF97F60BFFAA}.exe	40
PID 2876 wrote to memory of 2772	2876	{DFEE77E7-847E-4968-AD4A-EF97F60BFFAA}.exe	40
PID 2876 wrote to memory of 2772	2876	{DFEE77E7-847E-4968-AD4A-EF97F60BFFAA}.exe	40
PID 2876 wrote to memory of 1848	2876	{DFEE77E7-847E-4968-AD4A-EF97F60BFFAA}.exe	41
PID 2876 wrote to memory of 1848	2876	{DFEE77E7-847E-4968-AD4A-EF97F60BFFAA}.exe	41
PID 2876 wrote to memory of 1848	2876	{DFEE77E7-847E-4968-AD4A-EF97F60BFFAA}.exe	41
PID 2876 wrote to memory of 1848	2876	{DFEE77E7-847E-4968-AD4A-EF97F60BFFAA}.exe	41
PID 2772 wrote to memory of 1548	2772	{A714C2D1-BABC-4c36-970F-344C63A5C2CD}.exe	42
PID 2772 wrote to memory of 1548	2772	{A714C2D1-BABC-4c36-970F-344C63A5C2CD}.exe	42
PID 2772 wrote to memory of 1548	2772	{A714C2D1-BABC-4c36-970F-344C63A5C2CD}.exe	42
PID 2772 wrote to memory of 1548	2772	{A714C2D1-BABC-4c36-970F-344C63A5C2CD}.exe	42
PID 2772 wrote to memory of 1428	2772	{A714C2D1-BABC-4c36-970F-344C63A5C2CD}.exe	43
PID 2772 wrote to memory of 1428	2772	{A714C2D1-BABC-4c36-970F-344C63A5C2CD}.exe	43
PID 2772 wrote to memory of 1428	2772	{A714C2D1-BABC-4c36-970F-344C63A5C2CD}.exe	43
PID 2772 wrote to memory of 1428	2772	{A714C2D1-BABC-4c36-970F-344C63A5C2CD}.exe	43
PID 1548 wrote to memory of 1684	1548	{22F08D84-9AF5-465c-98E6-D6390283CF3A}.exe	44
PID 1548 wrote to memory of 1684	1548	{22F08D84-9AF5-465c-98E6-D6390283CF3A}.exe	44
PID 1548 wrote to memory of 1684	1548	{22F08D84-9AF5-465c-98E6-D6390283CF3A}.exe	44
PID 1548 wrote to memory of 1684	1548	{22F08D84-9AF5-465c-98E6-D6390283CF3A}.exe	44
PID 1548 wrote to memory of 1316	1548	{22F08D84-9AF5-465c-98E6-D6390283CF3A}.exe	45
PID 1548 wrote to memory of 1316	1548	{22F08D84-9AF5-465c-98E6-D6390283CF3A}.exe	45
PID 1548 wrote to memory of 1316	1548	{22F08D84-9AF5-465c-98E6-D6390283CF3A}.exe	45
PID 1548 wrote to memory of 1316	1548	{22F08D84-9AF5-465c-98E6-D6390283CF3A}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-06-11_8e9b385c64ee616c194650116e451269_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-11_8e9b385c64ee616c194650116e451269_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3000
- C:\Windows\{285FAD9C-1CAB-4d17-A56D-A3737EC5A457}.exe
  C:\Windows\{285FAD9C-1CAB-4d17-A56D-A3737EC5A457}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2948
- - C:\Windows\{A3B10981-CC5C-4f07-B4E2-9F2533A96323}.exe
    C:\Windows\{A3B10981-CC5C-4f07-B4E2-9F2533A96323}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2824
  - - C:\Windows\{8F8B6732-DB4E-4793-BA49-972922B19880}.exe
      C:\Windows\{8F8B6732-DB4E-4793-BA49-972922B19880}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2756
    - - C:\Windows\{9D896D3F-DBE9-4219-918B-A3AB5DB6D65B}.exe
        
        C:\Windows\{9D896D3F-DBE9-4219-918B-A3AB5DB6D65B}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3036
      - C:\Windows\{DFEE77E7-847E-4968-AD4A-EF97F60BFFAA}.exe
        
        C:\Windows\{DFEE77E7-847E-4968-AD4A-EF97F60BFFAA}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2876
        
        C:\Windows\{A714C2D1-BABC-4c36-970F-344C63A5C2CD}.exe
        
        C:\Windows\{A714C2D1-BABC-4c36-970F-344C63A5C2CD}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2772
        
        C:\Windows\{22F08D84-9AF5-465c-98E6-D6390283CF3A}.exe
        
        C:\Windows\{22F08D84-9AF5-465c-98E6-D6390283CF3A}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1548
        
        C:\Windows\{C9B179F4-43C3-4dd0-AAC3-DE7E04A88519}.exe
        
        C:\Windows\{C9B179F4-43C3-4dd0-AAC3-DE7E04A88519}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1684
        
        C:\Windows\{F5C9C757-9CFD-44c9-B3C3-645AC28961C5}.exe
        
        C:\Windows\{F5C9C757-9CFD-44c9-B3C3-645AC28961C5}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:468
        
        C:\Windows\{E65CB5BB-7010-42f5-85A8-6A9E51B2EC0C}.exe
        
        C:\Windows\{E65CB5BB-7010-42f5-85A8-6A9E51B2EC0C}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:380
        
        C:\Windows\{19E6A950-4C54-4f57-B2DE-9767C83BCD7D}.exe
        
        C:\Windows\{19E6A950-4C54-4f57-B2DE-9767C83BCD7D}.exe
        12⤵
        Executes dropped EXE
        
        PID:752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E65CB~1.EXE > nul
        12⤵
        
        PID:1480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F5C9C~1.EXE > nul
        11⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C9B17~1.EXE > nul
        10⤵
        
        PID:1128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{22F08~1.EXE > nul
        9⤵
        
        PID:1316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A714C~1.EXE > nul
        8⤵
        
        PID:1428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DFEE7~1.EXE > nul
        7⤵
        
        PID:1848
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9D896~1.EXE > nul
        6⤵
        
        PID:2924
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8F8B6~1.EXE > nul
        5⤵
        
        PID:3052
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{A3B10~1.EXE > nul
      4⤵
      PID:2776
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{285FA~1.EXE > nul
    3⤵
    PID:2672
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{19E6A950-4C54-4f57-B2DE-9767C83BCD7D}.exe

Filesize
344KB

MD5
d484d6ff61c36bc252d372789090056e

SHA1
d6af61e685b9b6e8ed236240342835f286e0ca16

SHA256
2a4773cf1a2c02f5d86c1aeb583cfefc0d5793d0b370abb20d27ffca21b45aca

SHA512
608243b385e12e59cb1c961681c5dc5a33ada01c9628ac1d3fc724f74bdb190582c588727fabccd268b2230a9c499bbd565fc40c635d947090458f7c0b807135

Download Submit
C:\Windows\{22F08D84-9AF5-465c-98E6-D6390283CF3A}.exe

Filesize
344KB

MD5
d911628c78823ca1611d18fa760328e6

SHA1
592418eaf00565ccdddb1cc2efd6322e905b3210

SHA256
58dd0d40ed585d56edaeefd49464d33f32da004a8acbf2657208aa33d9a6ae17

SHA512
69338df5c69298abde0d870a75861c37f1c6840694b22afdd30147f7b3cb6a2bdff972036096cb5ad92bdbd6a7da483c46ac9e1dba57aa546f222e807a01ed01

Download Submit
C:\Windows\{285FAD9C-1CAB-4d17-A56D-A3737EC5A457}.exe

Filesize
344KB

MD5
0b935ae6c7068d2553a333e5cbe86456

SHA1
2fc644ebb61901d77866feeedc1f93b206a1e5c2

SHA256
4456fa94714027ce38c03ca187f151ed138f2a453aa958b288de0a0e6cc5e2b2

SHA512
67ba9f91bb6034817a37d99d311f3b24d386ca00ba74c2a7e74cfae554f869b8e33c7f9814efe9b813301b06390536181bcead24556fd47a929c872a8300dd10

Download Submit
C:\Windows\{8F8B6732-DB4E-4793-BA49-972922B19880}.exe

Filesize
344KB

MD5
7883c9178cff24ab9ea34d96e036f13a

SHA1
07e4af89b843acf2ff0faeaf3b27f5676454a4d6

SHA256
338f4942ecaae70e3a302fb4a523f3ad944a2fba49bca070d97d5a97f34ecc9a

SHA512
642c15f7d9906fcb2a494a49ab19eba5347e872a8a0a9ca59d3576f99a93b889d99fbb86544017255e5b9f2596ef55ad5f7e6615af1d069b82c54fc3ff0b72e7

Download Submit
C:\Windows\{9D896D3F-DBE9-4219-918B-A3AB5DB6D65B}.exe

Filesize
344KB

MD5
2cfeb872d91106ee95df5e035b6fb70f

SHA1
23bb66b255ee4609bef8aa7daad126f82712e643

SHA256
d371b618936ecff9fdbe110228e83ba4939ead824307518dc1cc230692f9a9ec

SHA512
06c50412790aa67d65cca00c9dbb4cfaa3625e25a7a6b17a3b85e9774e051b5bd7bddb7e115eb45963708ef8a9f7abd30301a9ce67ad1e4750da4a9ff2ff7151

Download Submit
C:\Windows\{A3B10981-CC5C-4f07-B4E2-9F2533A96323}.exe

Filesize
344KB

MD5
f3e146e8bff166dbf4181e6de5f358ad

SHA1
4f1a5a2abf748013970286574c2597a63f87a52b

SHA256
66fa92a32e8c4a658e1800a0da70534e3e2cd473ec4322a262a17e4a54a3116a

SHA512
6fab97fbbf66aff1436e581d978120efc4c92c42eec213a765754a8b79be319bce495712b5ba971bcb4961457970ce13720bc6f0997620ceb04fb04db28fced9

Download Submit
C:\Windows\{A714C2D1-BABC-4c36-970F-344C63A5C2CD}.exe

Filesize
344KB

MD5
d9444b8a49e3cf0eb87838f0c0812011

SHA1
e1749c3815c1e5d097ebfb2dcb4604766abb9e0e

SHA256
002668eb2f81ec46c4bd7d65fd4ed4d464b4cfce024a73ff3d9d551485ea64b1

SHA512
14e7798a7dc301d1c57ec9bf9e08eb3172a190eaf98a831a78738f8413062b2deef3a562912b903eaef059132d616e10b903b73841f54e639b87920d15158d77

Download Submit
C:\Windows\{C9B179F4-43C3-4dd0-AAC3-DE7E04A88519}.exe

Filesize
344KB

MD5
c03e28cdd671fe449f43067d961a7e7b

SHA1
e1d9b1e833daa7b6419e91dca789ad0b09d89594

SHA256
fa0672d8f9411fb4570a5faaf310249b51f8b16f5b5eb43eff78a0bede4ec602

SHA512
54923d660022113dc9a6091aa85f498393a69a15302d5eac0db8d3bb71acccfdd8d7831c3ec90a9c185632c60c966ab94f76408509c8a0fef905339ebd05d7ec

Download Submit
C:\Windows\{DFEE77E7-847E-4968-AD4A-EF97F60BFFAA}.exe

Filesize
344KB

MD5
6469d49f47899d7017320cc339eaa114

SHA1
fe47bc62f5bf15e3dc514819010cb443b82b1cae

SHA256
5d8fc04920ff519ec8bccbc7412ca74ff4361c54e24c8cdec32e7c621dbb6b01

SHA512
64b84f663c174999ea3e96466d9eec6ac0807653ada82102eda84ed7f692072b946429ac41cac3a5be964450d3dea0f2e75b3585d8ae289b37db57d6c071962e

Download Submit
C:\Windows\{E65CB5BB-7010-42f5-85A8-6A9E51B2EC0C}.exe

Filesize
344KB

MD5
6b513fed540fc9fe2293aa632ad77c9b

SHA1
bdb92e710255e0794fdf8e896865542487177f5c

SHA256
40c5c1483fe085b70d9f46bee9c9c68c464568811f31f200d3938d40c7039f06

SHA512
e27dd46d6868d569a4b6e5bc305abea01680b865402074dff40c0d9a4c718c0cbf1ac746dbc4fb947b94228aca00b2d24103d07f9ed2b434ebf7fccdb2b1a202

Download Submit
C:\Windows\{F5C9C757-9CFD-44c9-B3C3-645AC28961C5}.exe

Filesize
344KB

MD5
bb9e88313b7c9494db37265dc1a0d688

SHA1
c64437126c9a82541f91d460aba8ada21befd8a2

SHA256
17e02ffae9aa2d8874762887a47b16cb96eeb7c322644db10b5124aa092af3f7

SHA512
057d433563304dd729199c4ba5e93c517c1f0bd4b46d0833db5b0358a9beef475fba4f55138d4ea443cd7b015a10cc4a5e3d795c2ecdda7fe34db3a158dabbc1

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads