f61ecd53abc1436811fb4d81056a68b71698160b90c95f9981ad5cc18b99877a

Analysis

max time kernel
150s
max time network
125s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
18/01/2024, 11:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-01_49c30108063ffaf9b1267fc4c8d87375_goldeneye.exe
Size

168KB
MD5

49c30108063ffaf9b1267fc4c8d87375
SHA1

f5fff7e4d50a12d4e66dfe8c4cc2dcfc14649835
SHA256

f61ecd53abc1436811fb4d81056a68b71698160b90c95f9981ad5cc18b99877a
SHA512

26650dd996f5549566d22a150c1048ed5e70c69eba6b9e65c9a9d505f9df5c961de89b3b7bc30e8853c9f4f987d7dafdf55909f81707fed7dbc67953e739eaf2
SSDEEP

1536:1EGh0oqlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oqlqOPOe2MUVg3Ve+rX

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000e0000000122d5-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00340000000133cd-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00330000000133d5-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001000000000b1f5-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001100000000b1f5-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001200000000b1f5-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001300000000b1f5-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D4A3AA84-86FE-4bde-872F-9E849948B9C9}	{53FABF71-3DEF-426b-B3CC-1B5245DE3FA3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{949A293A-35E1-4548-A6E5-C6C5FBD7C35A}	{8D90C676-C2C3-4c94-AC25-82013BB6D6D1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{74ED3090-0E13-43d9-85B1-1E7C0CB86BED}\stubpath = "C:\\Windows\\{74ED3090-0E13-43d9-85B1-1E7C0CB86BED}.exe"	{063144ED-017F-4302-AB2A-A92691E58145}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5221861B-8510-46ab-A4A5-8A335B149396}	{74ED3090-0E13-43d9-85B1-1E7C0CB86BED}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{949A293A-35E1-4548-A6E5-C6C5FBD7C35A}\stubpath = "C:\\Windows\\{949A293A-35E1-4548-A6E5-C6C5FBD7C35A}.exe"	{8D90C676-C2C3-4c94-AC25-82013BB6D6D1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{063144ED-017F-4302-AB2A-A92691E58145}	{3562DAD3-F425-4076-B790-6176734A7821}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{53FABF71-3DEF-426b-B3CC-1B5245DE3FA3}	2024-01-01_49c30108063ffaf9b1267fc4c8d87375_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{53FABF71-3DEF-426b-B3CC-1B5245DE3FA3}\stubpath = "C:\\Windows\\{53FABF71-3DEF-426b-B3CC-1B5245DE3FA3}.exe"	2024-01-01_49c30108063ffaf9b1267fc4c8d87375_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B3973DAA-1A33-49fd-9E15-5E01EB17176D}\stubpath = "C:\\Windows\\{B3973DAA-1A33-49fd-9E15-5E01EB17176D}.exe"	{D4A3AA84-86FE-4bde-872F-9E849948B9C9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FF4E9B03-D546-4ccc-A783-161BD12760C7}	{0436E341-14E4-41bd-9CF5-44B11468337D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FF4E9B03-D546-4ccc-A783-161BD12760C7}\stubpath = "C:\\Windows\\{FF4E9B03-D546-4ccc-A783-161BD12760C7}.exe"	{0436E341-14E4-41bd-9CF5-44B11468337D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8D90C676-C2C3-4c94-AC25-82013BB6D6D1}	{FF4E9B03-D546-4ccc-A783-161BD12760C7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{74ED3090-0E13-43d9-85B1-1E7C0CB86BED}	{063144ED-017F-4302-AB2A-A92691E58145}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1B173218-68BF-4859-B656-FC1F9D745F1F}\stubpath = "C:\\Windows\\{1B173218-68BF-4859-B656-FC1F9D745F1F}.exe"	{5221861B-8510-46ab-A4A5-8A335B149396}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D4A3AA84-86FE-4bde-872F-9E849948B9C9}\stubpath = "C:\\Windows\\{D4A3AA84-86FE-4bde-872F-9E849948B9C9}.exe"	{53FABF71-3DEF-426b-B3CC-1B5245DE3FA3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8D90C676-C2C3-4c94-AC25-82013BB6D6D1}\stubpath = "C:\\Windows\\{8D90C676-C2C3-4c94-AC25-82013BB6D6D1}.exe"	{FF4E9B03-D546-4ccc-A783-161BD12760C7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5221861B-8510-46ab-A4A5-8A335B149396}\stubpath = "C:\\Windows\\{5221861B-8510-46ab-A4A5-8A335B149396}.exe"	{74ED3090-0E13-43d9-85B1-1E7C0CB86BED}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1B173218-68BF-4859-B656-FC1F9D745F1F}	{5221861B-8510-46ab-A4A5-8A335B149396}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B3973DAA-1A33-49fd-9E15-5E01EB17176D}	{D4A3AA84-86FE-4bde-872F-9E849948B9C9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0436E341-14E4-41bd-9CF5-44B11468337D}	{B3973DAA-1A33-49fd-9E15-5E01EB17176D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0436E341-14E4-41bd-9CF5-44B11468337D}\stubpath = "C:\\Windows\\{0436E341-14E4-41bd-9CF5-44B11468337D}.exe"	{B3973DAA-1A33-49fd-9E15-5E01EB17176D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3562DAD3-F425-4076-B790-6176734A7821}	{949A293A-35E1-4548-A6E5-C6C5FBD7C35A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3562DAD3-F425-4076-B790-6176734A7821}\stubpath = "C:\\Windows\\{3562DAD3-F425-4076-B790-6176734A7821}.exe"	{949A293A-35E1-4548-A6E5-C6C5FBD7C35A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{063144ED-017F-4302-AB2A-A92691E58145}\stubpath = "C:\\Windows\\{063144ED-017F-4302-AB2A-A92691E58145}.exe"	{3562DAD3-F425-4076-B790-6176734A7821}.exe

Deletes itself 1 IoCs

pid	Process
2792	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2084	{53FABF71-3DEF-426b-B3CC-1B5245DE3FA3}.exe
2680	{D4A3AA84-86FE-4bde-872F-9E849948B9C9}.exe
2660	{B3973DAA-1A33-49fd-9E15-5E01EB17176D}.exe
2608	{0436E341-14E4-41bd-9CF5-44B11468337D}.exe
1664	{FF4E9B03-D546-4ccc-A783-161BD12760C7}.exe
1548	{8D90C676-C2C3-4c94-AC25-82013BB6D6D1}.exe
652	{949A293A-35E1-4548-A6E5-C6C5FBD7C35A}.exe
1968	{3562DAD3-F425-4076-B790-6176734A7821}.exe
2356	{063144ED-017F-4302-AB2A-A92691E58145}.exe
2860	{74ED3090-0E13-43d9-85B1-1E7C0CB86BED}.exe
1952	{5221861B-8510-46ab-A4A5-8A335B149396}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{B3973DAA-1A33-49fd-9E15-5E01EB17176D}.exe	{D4A3AA84-86FE-4bde-872F-9E849948B9C9}.exe
File created	C:\Windows\{FF4E9B03-D546-4ccc-A783-161BD12760C7}.exe	{0436E341-14E4-41bd-9CF5-44B11468337D}.exe
File created	C:\Windows\{949A293A-35E1-4548-A6E5-C6C5FBD7C35A}.exe	{8D90C676-C2C3-4c94-AC25-82013BB6D6D1}.exe
File created	C:\Windows\{3562DAD3-F425-4076-B790-6176734A7821}.exe	{949A293A-35E1-4548-A6E5-C6C5FBD7C35A}.exe
File created	C:\Windows\{063144ED-017F-4302-AB2A-A92691E58145}.exe	{3562DAD3-F425-4076-B790-6176734A7821}.exe
File created	C:\Windows\{5221861B-8510-46ab-A4A5-8A335B149396}.exe	{74ED3090-0E13-43d9-85B1-1E7C0CB86BED}.exe
File created	C:\Windows\{1B173218-68BF-4859-B656-FC1F9D745F1F}.exe	{5221861B-8510-46ab-A4A5-8A335B149396}.exe
File created	C:\Windows\{53FABF71-3DEF-426b-B3CC-1B5245DE3FA3}.exe	2024-01-01_49c30108063ffaf9b1267fc4c8d87375_goldeneye.exe
File created	C:\Windows\{D4A3AA84-86FE-4bde-872F-9E849948B9C9}.exe	{53FABF71-3DEF-426b-B3CC-1B5245DE3FA3}.exe
File created	C:\Windows\{0436E341-14E4-41bd-9CF5-44B11468337D}.exe	{B3973DAA-1A33-49fd-9E15-5E01EB17176D}.exe
File created	C:\Windows\{8D90C676-C2C3-4c94-AC25-82013BB6D6D1}.exe	{FF4E9B03-D546-4ccc-A783-161BD12760C7}.exe
File created	C:\Windows\{74ED3090-0E13-43d9-85B1-1E7C0CB86BED}.exe	{063144ED-017F-4302-AB2A-A92691E58145}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2112	2024-01-01_49c30108063ffaf9b1267fc4c8d87375_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2084	{53FABF71-3DEF-426b-B3CC-1B5245DE3FA3}.exe
Token: SeIncBasePriorityPrivilege	2680	{D4A3AA84-86FE-4bde-872F-9E849948B9C9}.exe
Token: SeIncBasePriorityPrivilege	2660	{B3973DAA-1A33-49fd-9E15-5E01EB17176D}.exe
Token: SeIncBasePriorityPrivilege	2608	{0436E341-14E4-41bd-9CF5-44B11468337D}.exe
Token: SeIncBasePriorityPrivilege	1664	{FF4E9B03-D546-4ccc-A783-161BD12760C7}.exe
Token: SeIncBasePriorityPrivilege	1548	{8D90C676-C2C3-4c94-AC25-82013BB6D6D1}.exe
Token: SeIncBasePriorityPrivilege	652	{949A293A-35E1-4548-A6E5-C6C5FBD7C35A}.exe
Token: SeIncBasePriorityPrivilege	1968	{3562DAD3-F425-4076-B790-6176734A7821}.exe
Token: SeIncBasePriorityPrivilege	2356	{063144ED-017F-4302-AB2A-A92691E58145}.exe
Token: SeIncBasePriorityPrivilege	2860	{74ED3090-0E13-43d9-85B1-1E7C0CB86BED}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2112 wrote to memory of 2084	2112	2024-01-01_49c30108063ffaf9b1267fc4c8d87375_goldeneye.exe	28
PID 2112 wrote to memory of 2084	2112	2024-01-01_49c30108063ffaf9b1267fc4c8d87375_goldeneye.exe	28
PID 2112 wrote to memory of 2084	2112	2024-01-01_49c30108063ffaf9b1267fc4c8d87375_goldeneye.exe	28
PID 2112 wrote to memory of 2084	2112	2024-01-01_49c30108063ffaf9b1267fc4c8d87375_goldeneye.exe	28
PID 2112 wrote to memory of 2792	2112	2024-01-01_49c30108063ffaf9b1267fc4c8d87375_goldeneye.exe	29
PID 2112 wrote to memory of 2792	2112	2024-01-01_49c30108063ffaf9b1267fc4c8d87375_goldeneye.exe	29
PID 2112 wrote to memory of 2792	2112	2024-01-01_49c30108063ffaf9b1267fc4c8d87375_goldeneye.exe	29
PID 2112 wrote to memory of 2792	2112	2024-01-01_49c30108063ffaf9b1267fc4c8d87375_goldeneye.exe	29
PID 2084 wrote to memory of 2680	2084	{53FABF71-3DEF-426b-B3CC-1B5245DE3FA3}.exe	30
PID 2084 wrote to memory of 2680	2084	{53FABF71-3DEF-426b-B3CC-1B5245DE3FA3}.exe	30
PID 2084 wrote to memory of 2680	2084	{53FABF71-3DEF-426b-B3CC-1B5245DE3FA3}.exe	30
PID 2084 wrote to memory of 2680	2084	{53FABF71-3DEF-426b-B3CC-1B5245DE3FA3}.exe	30
PID 2084 wrote to memory of 2664	2084	{53FABF71-3DEF-426b-B3CC-1B5245DE3FA3}.exe	31
PID 2084 wrote to memory of 2664	2084	{53FABF71-3DEF-426b-B3CC-1B5245DE3FA3}.exe	31
PID 2084 wrote to memory of 2664	2084	{53FABF71-3DEF-426b-B3CC-1B5245DE3FA3}.exe	31
PID 2084 wrote to memory of 2664	2084	{53FABF71-3DEF-426b-B3CC-1B5245DE3FA3}.exe	31
PID 2680 wrote to memory of 2660	2680	{D4A3AA84-86FE-4bde-872F-9E849948B9C9}.exe	32
PID 2680 wrote to memory of 2660	2680	{D4A3AA84-86FE-4bde-872F-9E849948B9C9}.exe	32
PID 2680 wrote to memory of 2660	2680	{D4A3AA84-86FE-4bde-872F-9E849948B9C9}.exe	32
PID 2680 wrote to memory of 2660	2680	{D4A3AA84-86FE-4bde-872F-9E849948B9C9}.exe	32
PID 2680 wrote to memory of 2548	2680	{D4A3AA84-86FE-4bde-872F-9E849948B9C9}.exe	33
PID 2680 wrote to memory of 2548	2680	{D4A3AA84-86FE-4bde-872F-9E849948B9C9}.exe	33
PID 2680 wrote to memory of 2548	2680	{D4A3AA84-86FE-4bde-872F-9E849948B9C9}.exe	33
PID 2680 wrote to memory of 2548	2680	{D4A3AA84-86FE-4bde-872F-9E849948B9C9}.exe	33
PID 2660 wrote to memory of 2608	2660	{B3973DAA-1A33-49fd-9E15-5E01EB17176D}.exe	36
PID 2660 wrote to memory of 2608	2660	{B3973DAA-1A33-49fd-9E15-5E01EB17176D}.exe	36
PID 2660 wrote to memory of 2608	2660	{B3973DAA-1A33-49fd-9E15-5E01EB17176D}.exe	36
PID 2660 wrote to memory of 2608	2660	{B3973DAA-1A33-49fd-9E15-5E01EB17176D}.exe	36
PID 2660 wrote to memory of 2832	2660	{B3973DAA-1A33-49fd-9E15-5E01EB17176D}.exe	37
PID 2660 wrote to memory of 2832	2660	{B3973DAA-1A33-49fd-9E15-5E01EB17176D}.exe	37
PID 2660 wrote to memory of 2832	2660	{B3973DAA-1A33-49fd-9E15-5E01EB17176D}.exe	37
PID 2660 wrote to memory of 2832	2660	{B3973DAA-1A33-49fd-9E15-5E01EB17176D}.exe	37
PID 2608 wrote to memory of 1664	2608	{0436E341-14E4-41bd-9CF5-44B11468337D}.exe	38
PID 2608 wrote to memory of 1664	2608	{0436E341-14E4-41bd-9CF5-44B11468337D}.exe	38
PID 2608 wrote to memory of 1664	2608	{0436E341-14E4-41bd-9CF5-44B11468337D}.exe	38
PID 2608 wrote to memory of 1664	2608	{0436E341-14E4-41bd-9CF5-44B11468337D}.exe	38
PID 2608 wrote to memory of 2460	2608	{0436E341-14E4-41bd-9CF5-44B11468337D}.exe	39
PID 2608 wrote to memory of 2460	2608	{0436E341-14E4-41bd-9CF5-44B11468337D}.exe	39
PID 2608 wrote to memory of 2460	2608	{0436E341-14E4-41bd-9CF5-44B11468337D}.exe	39
PID 2608 wrote to memory of 2460	2608	{0436E341-14E4-41bd-9CF5-44B11468337D}.exe	39
PID 1664 wrote to memory of 1548	1664	{FF4E9B03-D546-4ccc-A783-161BD12760C7}.exe	40
PID 1664 wrote to memory of 1548	1664	{FF4E9B03-D546-4ccc-A783-161BD12760C7}.exe	40
PID 1664 wrote to memory of 1548	1664	{FF4E9B03-D546-4ccc-A783-161BD12760C7}.exe	40
PID 1664 wrote to memory of 1548	1664	{FF4E9B03-D546-4ccc-A783-161BD12760C7}.exe	40
PID 1664 wrote to memory of 2024	1664	{FF4E9B03-D546-4ccc-A783-161BD12760C7}.exe	41
PID 1664 wrote to memory of 2024	1664	{FF4E9B03-D546-4ccc-A783-161BD12760C7}.exe	41
PID 1664 wrote to memory of 2024	1664	{FF4E9B03-D546-4ccc-A783-161BD12760C7}.exe	41
PID 1664 wrote to memory of 2024	1664	{FF4E9B03-D546-4ccc-A783-161BD12760C7}.exe	41
PID 1548 wrote to memory of 652	1548	{8D90C676-C2C3-4c94-AC25-82013BB6D6D1}.exe	42
PID 1548 wrote to memory of 652	1548	{8D90C676-C2C3-4c94-AC25-82013BB6D6D1}.exe	42
PID 1548 wrote to memory of 652	1548	{8D90C676-C2C3-4c94-AC25-82013BB6D6D1}.exe	42
PID 1548 wrote to memory of 652	1548	{8D90C676-C2C3-4c94-AC25-82013BB6D6D1}.exe	42
PID 1548 wrote to memory of 1416	1548	{8D90C676-C2C3-4c94-AC25-82013BB6D6D1}.exe	43
PID 1548 wrote to memory of 1416	1548	{8D90C676-C2C3-4c94-AC25-82013BB6D6D1}.exe	43
PID 1548 wrote to memory of 1416	1548	{8D90C676-C2C3-4c94-AC25-82013BB6D6D1}.exe	43
PID 1548 wrote to memory of 1416	1548	{8D90C676-C2C3-4c94-AC25-82013BB6D6D1}.exe	43
PID 652 wrote to memory of 1968	652	{949A293A-35E1-4548-A6E5-C6C5FBD7C35A}.exe	44
PID 652 wrote to memory of 1968	652	{949A293A-35E1-4548-A6E5-C6C5FBD7C35A}.exe	44
PID 652 wrote to memory of 1968	652	{949A293A-35E1-4548-A6E5-C6C5FBD7C35A}.exe	44
PID 652 wrote to memory of 1968	652	{949A293A-35E1-4548-A6E5-C6C5FBD7C35A}.exe	44
PID 652 wrote to memory of 1256	652	{949A293A-35E1-4548-A6E5-C6C5FBD7C35A}.exe	45
PID 652 wrote to memory of 1256	652	{949A293A-35E1-4548-A6E5-C6C5FBD7C35A}.exe	45
PID 652 wrote to memory of 1256	652	{949A293A-35E1-4548-A6E5-C6C5FBD7C35A}.exe	45
PID 652 wrote to memory of 1256	652	{949A293A-35E1-4548-A6E5-C6C5FBD7C35A}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-01-01_49c30108063ffaf9b1267fc4c8d87375_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-01_49c30108063ffaf9b1267fc4c8d87375_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2112
- C:\Windows\{53FABF71-3DEF-426b-B3CC-1B5245DE3FA3}.exe
  C:\Windows\{53FABF71-3DEF-426b-B3CC-1B5245DE3FA3}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2084
- - C:\Windows\{D4A3AA84-86FE-4bde-872F-9E849948B9C9}.exe
    C:\Windows\{D4A3AA84-86FE-4bde-872F-9E849948B9C9}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2680
  - - C:\Windows\{B3973DAA-1A33-49fd-9E15-5E01EB17176D}.exe
      C:\Windows\{B3973DAA-1A33-49fd-9E15-5E01EB17176D}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2660
    - - C:\Windows\{0436E341-14E4-41bd-9CF5-44B11468337D}.exe
        
        C:\Windows\{0436E341-14E4-41bd-9CF5-44B11468337D}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2608
      - C:\Windows\{FF4E9B03-D546-4ccc-A783-161BD12760C7}.exe
        
        C:\Windows\{FF4E9B03-D546-4ccc-A783-161BD12760C7}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1664
        
        C:\Windows\{8D90C676-C2C3-4c94-AC25-82013BB6D6D1}.exe
        
        C:\Windows\{8D90C676-C2C3-4c94-AC25-82013BB6D6D1}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1548
        
        C:\Windows\{949A293A-35E1-4548-A6E5-C6C5FBD7C35A}.exe
        
        C:\Windows\{949A293A-35E1-4548-A6E5-C6C5FBD7C35A}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:652
        
        C:\Windows\{3562DAD3-F425-4076-B790-6176734A7821}.exe
        
        C:\Windows\{3562DAD3-F425-4076-B790-6176734A7821}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1968
        
        C:\Windows\{063144ED-017F-4302-AB2A-A92691E58145}.exe
        
        C:\Windows\{063144ED-017F-4302-AB2A-A92691E58145}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2356
        
        C:\Windows\{74ED3090-0E13-43d9-85B1-1E7C0CB86BED}.exe
        
        C:\Windows\{74ED3090-0E13-43d9-85B1-1E7C0CB86BED}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2860
        
        C:\Windows\{5221861B-8510-46ab-A4A5-8A335B149396}.exe
        
        C:\Windows\{5221861B-8510-46ab-A4A5-8A335B149396}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{74ED3~1.EXE > nul
        12⤵
        
        PID:2480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{06314~1.EXE > nul
        11⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3562D~1.EXE > nul
        10⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{949A2~1.EXE > nul
        9⤵
        
        PID:1256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8D90C~1.EXE > nul
        8⤵
        
        PID:1416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FF4E9~1.EXE > nul
        7⤵
        
        PID:2024
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0436E~1.EXE > nul
        6⤵
        
        PID:2460
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B3973~1.EXE > nul
        5⤵
        
        PID:2832
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{D4A3A~1.EXE > nul
      4⤵
      PID:2548
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{53FAB~1.EXE > nul
    3⤵
    PID:2664
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0436E341-14E4-41bd-9CF5-44B11468337D}.exe

Filesize
168KB

MD5
451b9f7fef1390d9ab43cc0f1794f108

SHA1
b2e1bbdd9336d350b996ed5f6b38f734aa55141d

SHA256
9b6cc79df82df9b254e4c75666fe7cdf1484556b37cc250076e1b05ec248cf59

SHA512
a851d1ccdee5e120e07782b8e8ffbeab35a77fcbfce4ee3f442b7df18327b277155dc6e6831488649fe7953922b0562766306b49bb153aaf0ee7ddb4f0efa3f7

Download Submit
C:\Windows\{063144ED-017F-4302-AB2A-A92691E58145}.exe

Filesize
168KB

MD5
2aee93b685da04173146f8cb004b674c

SHA1
2119f2d88f4960aa10aa660dcca0ab9e7f0d169b

SHA256
5f520b43da8eb6908a928577c5aff90b5ddec6e65fa42a24e831a5fecd618e5c

SHA512
cdee454d44a3b586a92ba5c52e87d0898ef186c05428663ac9eca759b8f923f7e87a43a425aea4b07738e1435686465319f2724923495a47514d9df5936b9aac

Download Submit
C:\Windows\{3562DAD3-F425-4076-B790-6176734A7821}.exe

Filesize
168KB

MD5
52564ac09d69bb2b25dafe35b7c6474d

SHA1
da125f4dc9b2be8441cb628c6c253536500b1d35

SHA256
e4ab937ccb6725eeb94099317fd685fc1e6b45ec6e772c31077d6265097129c1

SHA512
2db3a7f550644081985e7a3fe0834e79a41a9f4a34e48a5b116736cb405ded34e0200446dba3e4dbb2e73d81223a1a5c60b7088ed95b98e8ef50869e06d814e5

Download Submit
C:\Windows\{5221861B-8510-46ab-A4A5-8A335B149396}.exe

Filesize
168KB

MD5
727029c536a69c90a57ea987ca728785

SHA1
8324c2179f59c48e162cd1542c0ade781800a39e

SHA256
3ddb33674ca59aadc9336e7c8804457e937c31c3a9bf8e847bb9d387c2263759

SHA512
0d7ae66e983b75eab51e33bc774894fc84b882be34338d8f84edf476bb3a0ad72a6b22feee42cce542b785f00cf84beb9e2ff3a08a21e959bb5af8f75502e733

Download Submit
C:\Windows\{53FABF71-3DEF-426b-B3CC-1B5245DE3FA3}.exe

Filesize
168KB

MD5
256e1c665b919ddc096df1675c18a97d

SHA1
fb07b9fcf765711873936e1c2895c5997738bb3a

SHA256
ea605f3291203fdd910452707b1bf5e68c87a00deda18a0111c66d5f8e588526

SHA512
548d8776d42dd3ad093be713c90b5dfdc0082494a3814a19e40e377d1e51cb17718d222eabf4e2091dd459dbdf2e143d4abcfc3c9d6518ae06a46a6de68fc3ce

Download Submit
C:\Windows\{74ED3090-0E13-43d9-85B1-1E7C0CB86BED}.exe

Filesize
168KB

MD5
435934f2551a017b3d3b9cf5539547b4

SHA1
f398e20545eca7ee81f84e45e4750a733df466d3

SHA256
8051d4d54bd8ce77d96fd3bb197570d1f9894dc27c73d0d56b8f9a10d07108a7

SHA512
91320fd20cfb21daaeb7ca9ff6bf532ee7b462c46be9e1f5212f7a0d79a93f2a20ff16bca57ca742e65edce5b9dfe1ef56eadfde7cf057d0184902e38bda1498

Download Submit
C:\Windows\{8D90C676-C2C3-4c94-AC25-82013BB6D6D1}.exe

Filesize
168KB

MD5
e15d44657cf7c5f0d703ba83ef6ddbbe

SHA1
4621d97f8ba83d8af99d63171f7d23ea9fa2ffdd

SHA256
69ea135d2dbe90ca54197968bc74d53c2ff722eb672512f072a5bdffed3f327e

SHA512
40728486d2a8ab40765de5718260b67d1dd179a69d81c29aa04a5fa8204ab94c4455d01a5c79916aa4bd8903e62ae8d7538bb653aad988c6c996d97b62f21832

Download Submit
C:\Windows\{949A293A-35E1-4548-A6E5-C6C5FBD7C35A}.exe

Filesize
168KB

MD5
93c30d7ce97414bea1ba7b669926c491

SHA1
8edb48fd22d8e447a540db8bcf865a245eab3c13

SHA256
6c72828d33709eecde7640daffc1ec6a0b1d6b16f9a5cadca47da3a04db5e601

SHA512
15e58e1c2c90b273a4bf9afbe77820b1e0b0f817087e9c2c1fb87312fad943baa82a70c6c6e459781b31e13e368953e9d61ee01dc67ac59dd1cfa28ce8a7290d

Download Submit
C:\Windows\{B3973DAA-1A33-49fd-9E15-5E01EB17176D}.exe

Filesize
168KB

MD5
23ad4279966feb095b9c7123087cfb35

SHA1
e8ccf30dcab8082bd763fecc925203e81dfc1099

SHA256
d96ec656a30457c1a2750e198f1431b03625adef626268010a4b043008becc3f

SHA512
d84d5fefeb53ffe79f997a43e96223a51e3b9d076b5543d84875f4c6e391ee448240dfa207f9f386e038424b57269254e2252aff7e3bf62e5090efd4307a48b5

Download Submit
C:\Windows\{D4A3AA84-86FE-4bde-872F-9E849948B9C9}.exe

Filesize
168KB

MD5
bf475a8869ef2914be4560684ee4e0fe

SHA1
dda38ad83d9dddbcae63f0d81cb41fed6462ac73

SHA256
d2e4c64df7626a37d94fb92cb2e0a3a96af5722bf8edda4246f2800b820d48a7

SHA512
73b16fdda6bfdd8bef8cdb73be996630a230d6444d1d203476444087a83b06b068315d1a38ebae8b63567653977434f40d1ac454e8bac8ef23c0435ba9c65eb1

Download Submit
C:\Windows\{FF4E9B03-D546-4ccc-A783-161BD12760C7}.exe

Filesize
168KB

MD5
f901f08553b74a85a5a7d4b6136a79d8

SHA1
f20f950df78f651270b02fa4bbe952b6904d4e79

SHA256
76c8b01cf289b6beff3f70000af1dd083ff8e3bff7b2501a5a7d215a750f4c2a

SHA512
f21b16bb60bac10a47e401679d4f7a0eeeb554408a1622c7ef5806f9143dbd569a5c8a6134884f7b5b54cacd39ec69e4e78b380edf88a8d7a4d0bce9874621b0

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads