f56e889f5a1ab10e0818783fda20537a16606315248b11d3538f332ad165c672

Analysis

max time kernel
144s
max time network
119s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
24/01/2024, 07:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-24_2672467ba8137c37b4de80fbb81b7bae_goldeneye.exe
Size

192KB
MD5

2672467ba8137c37b4de80fbb81b7bae
SHA1

ccadbcfbe9d091de71a907c44fa330564d6fafcd
SHA256

f56e889f5a1ab10e0818783fda20537a16606315248b11d3538f332ad165c672
SHA512

b7b5fe37302cd06566f97c78df944827e845c0fc0fb17ebf344f42f21c8d4db3ce2bc95960d97eb967ad9169ba75ec02f6c31ecf07b9b3b363f2e2f3a37a8b97
SSDEEP

1536:1EGh0o1l15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3H6:1EGh0o1l1OPOe2MUVg3Ve+rXfMUa

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000d00000001232b-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000013323-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e00000001232b-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0028000000013a13-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f00000001232b-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001000000001232b-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001100000001232b-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{291582CC-4C20-49f7-A4C1-D6C9DBA90FD3}	{BB9282E2-9979-454c-8D95-20E1DAD45CB3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D5F0E9A3-72C8-4ff2-8BB9-EAA43685D766}	{291582CC-4C20-49f7-A4C1-D6C9DBA90FD3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D5F0E9A3-72C8-4ff2-8BB9-EAA43685D766}\stubpath = "C:\\Windows\\{D5F0E9A3-72C8-4ff2-8BB9-EAA43685D766}.exe"	{291582CC-4C20-49f7-A4C1-D6C9DBA90FD3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9D7C8BDC-136E-40ec-9EAD-76DBA08319AC}	{34F8E3F8-7073-4f43-B158-994691342E62}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{19319BBD-CC20-4a12-9AF9-D2CE4E4E3B59}	{9D7C8BDC-136E-40ec-9EAD-76DBA08319AC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{19319BBD-CC20-4a12-9AF9-D2CE4E4E3B59}\stubpath = "C:\\Windows\\{19319BBD-CC20-4a12-9AF9-D2CE4E4E3B59}.exe"	{9D7C8BDC-136E-40ec-9EAD-76DBA08319AC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DB51658C-4792-405e-9A76-0EA86934246F}\stubpath = "C:\\Windows\\{DB51658C-4792-405e-9A76-0EA86934246F}.exe"	{0F43D68B-53ED-4738-9DA9-EE77114888EF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D360A538-7CEC-4b6f-93F6-3BD2A6199F6B}\stubpath = "C:\\Windows\\{D360A538-7CEC-4b6f-93F6-3BD2A6199F6B}.exe"	2024-01-24_2672467ba8137c37b4de80fbb81b7bae_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BB9282E2-9979-454c-8D95-20E1DAD45CB3}	{1ADFAF75-AA5D-4ec1-8C81-1B9667767C41}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{34F8E3F8-7073-4f43-B158-994691342E62}	{ED125E5A-61DB-4c45-AF66-8C064D237376}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0F43D68B-53ED-4738-9DA9-EE77114888EF}	{19319BBD-CC20-4a12-9AF9-D2CE4E4E3B59}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DB51658C-4792-405e-9A76-0EA86934246F}	{0F43D68B-53ED-4738-9DA9-EE77114888EF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{34F8E3F8-7073-4f43-B158-994691342E62}\stubpath = "C:\\Windows\\{34F8E3F8-7073-4f43-B158-994691342E62}.exe"	{ED125E5A-61DB-4c45-AF66-8C064D237376}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D360A538-7CEC-4b6f-93F6-3BD2A6199F6B}	2024-01-24_2672467ba8137c37b4de80fbb81b7bae_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1ADFAF75-AA5D-4ec1-8C81-1B9667767C41}	{D360A538-7CEC-4b6f-93F6-3BD2A6199F6B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1ADFAF75-AA5D-4ec1-8C81-1B9667767C41}\stubpath = "C:\\Windows\\{1ADFAF75-AA5D-4ec1-8C81-1B9667767C41}.exe"	{D360A538-7CEC-4b6f-93F6-3BD2A6199F6B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BB9282E2-9979-454c-8D95-20E1DAD45CB3}\stubpath = "C:\\Windows\\{BB9282E2-9979-454c-8D95-20E1DAD45CB3}.exe"	{1ADFAF75-AA5D-4ec1-8C81-1B9667767C41}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{291582CC-4C20-49f7-A4C1-D6C9DBA90FD3}\stubpath = "C:\\Windows\\{291582CC-4C20-49f7-A4C1-D6C9DBA90FD3}.exe"	{BB9282E2-9979-454c-8D95-20E1DAD45CB3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ED125E5A-61DB-4c45-AF66-8C064D237376}	{D5F0E9A3-72C8-4ff2-8BB9-EAA43685D766}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ED125E5A-61DB-4c45-AF66-8C064D237376}\stubpath = "C:\\Windows\\{ED125E5A-61DB-4c45-AF66-8C064D237376}.exe"	{D5F0E9A3-72C8-4ff2-8BB9-EAA43685D766}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9D7C8BDC-136E-40ec-9EAD-76DBA08319AC}\stubpath = "C:\\Windows\\{9D7C8BDC-136E-40ec-9EAD-76DBA08319AC}.exe"	{34F8E3F8-7073-4f43-B158-994691342E62}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0F43D68B-53ED-4738-9DA9-EE77114888EF}\stubpath = "C:\\Windows\\{0F43D68B-53ED-4738-9DA9-EE77114888EF}.exe"	{19319BBD-CC20-4a12-9AF9-D2CE4E4E3B59}.exe

Executes dropped EXE 11 IoCs

pid	Process
3048	{D360A538-7CEC-4b6f-93F6-3BD2A6199F6B}.exe
2848	{1ADFAF75-AA5D-4ec1-8C81-1B9667767C41}.exe
2888	{BB9282E2-9979-454c-8D95-20E1DAD45CB3}.exe
2440	{291582CC-4C20-49f7-A4C1-D6C9DBA90FD3}.exe
2356	{D5F0E9A3-72C8-4ff2-8BB9-EAA43685D766}.exe
1924	{ED125E5A-61DB-4c45-AF66-8C064D237376}.exe
1044	{34F8E3F8-7073-4f43-B158-994691342E62}.exe
1636	{9D7C8BDC-136E-40ec-9EAD-76DBA08319AC}.exe
2248	{19319BBD-CC20-4a12-9AF9-D2CE4E4E3B59}.exe
2268	{0F43D68B-53ED-4738-9DA9-EE77114888EF}.exe
580	{DB51658C-4792-405e-9A76-0EA86934246F}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{DB51658C-4792-405e-9A76-0EA86934246F}.exe	{0F43D68B-53ED-4738-9DA9-EE77114888EF}.exe
File created	C:\Windows\{D360A538-7CEC-4b6f-93F6-3BD2A6199F6B}.exe	2024-01-24_2672467ba8137c37b4de80fbb81b7bae_goldeneye.exe
File created	C:\Windows\{291582CC-4C20-49f7-A4C1-D6C9DBA90FD3}.exe	{BB9282E2-9979-454c-8D95-20E1DAD45CB3}.exe
File created	C:\Windows\{ED125E5A-61DB-4c45-AF66-8C064D237376}.exe	{D5F0E9A3-72C8-4ff2-8BB9-EAA43685D766}.exe
File created	C:\Windows\{34F8E3F8-7073-4f43-B158-994691342E62}.exe	{ED125E5A-61DB-4c45-AF66-8C064D237376}.exe
File created	C:\Windows\{0F43D68B-53ED-4738-9DA9-EE77114888EF}.exe	{19319BBD-CC20-4a12-9AF9-D2CE4E4E3B59}.exe
File created	C:\Windows\{1ADFAF75-AA5D-4ec1-8C81-1B9667767C41}.exe	{D360A538-7CEC-4b6f-93F6-3BD2A6199F6B}.exe
File created	C:\Windows\{BB9282E2-9979-454c-8D95-20E1DAD45CB3}.exe	{1ADFAF75-AA5D-4ec1-8C81-1B9667767C41}.exe
File created	C:\Windows\{D5F0E9A3-72C8-4ff2-8BB9-EAA43685D766}.exe	{291582CC-4C20-49f7-A4C1-D6C9DBA90FD3}.exe
File created	C:\Windows\{9D7C8BDC-136E-40ec-9EAD-76DBA08319AC}.exe	{34F8E3F8-7073-4f43-B158-994691342E62}.exe
File created	C:\Windows\{19319BBD-CC20-4a12-9AF9-D2CE4E4E3B59}.exe	{9D7C8BDC-136E-40ec-9EAD-76DBA08319AC}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2976	2024-01-24_2672467ba8137c37b4de80fbb81b7bae_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3048	{D360A538-7CEC-4b6f-93F6-3BD2A6199F6B}.exe
Token: SeIncBasePriorityPrivilege	2848	{1ADFAF75-AA5D-4ec1-8C81-1B9667767C41}.exe
Token: SeIncBasePriorityPrivilege	2888	{BB9282E2-9979-454c-8D95-20E1DAD45CB3}.exe
Token: SeIncBasePriorityPrivilege	2440	{291582CC-4C20-49f7-A4C1-D6C9DBA90FD3}.exe
Token: SeIncBasePriorityPrivilege	2356	{D5F0E9A3-72C8-4ff2-8BB9-EAA43685D766}.exe
Token: SeIncBasePriorityPrivilege	1924	{ED125E5A-61DB-4c45-AF66-8C064D237376}.exe
Token: SeIncBasePriorityPrivilege	1044	{34F8E3F8-7073-4f43-B158-994691342E62}.exe
Token: SeIncBasePriorityPrivilege	1636	{9D7C8BDC-136E-40ec-9EAD-76DBA08319AC}.exe
Token: SeIncBasePriorityPrivilege	2248	{19319BBD-CC20-4a12-9AF9-D2CE4E4E3B59}.exe
Token: SeIncBasePriorityPrivilege	2268	{0F43D68B-53ED-4738-9DA9-EE77114888EF}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2976 wrote to memory of 3048	2976	2024-01-24_2672467ba8137c37b4de80fbb81b7bae_goldeneye.exe	28
PID 2976 wrote to memory of 3048	2976	2024-01-24_2672467ba8137c37b4de80fbb81b7bae_goldeneye.exe	28
PID 2976 wrote to memory of 3048	2976	2024-01-24_2672467ba8137c37b4de80fbb81b7bae_goldeneye.exe	28
PID 2976 wrote to memory of 3048	2976	2024-01-24_2672467ba8137c37b4de80fbb81b7bae_goldeneye.exe	28
PID 2976 wrote to memory of 2712	2976	2024-01-24_2672467ba8137c37b4de80fbb81b7bae_goldeneye.exe	29
PID 2976 wrote to memory of 2712	2976	2024-01-24_2672467ba8137c37b4de80fbb81b7bae_goldeneye.exe	29
PID 2976 wrote to memory of 2712	2976	2024-01-24_2672467ba8137c37b4de80fbb81b7bae_goldeneye.exe	29
PID 2976 wrote to memory of 2712	2976	2024-01-24_2672467ba8137c37b4de80fbb81b7bae_goldeneye.exe	29
PID 3048 wrote to memory of 2848	3048	{D360A538-7CEC-4b6f-93F6-3BD2A6199F6B}.exe	30
PID 3048 wrote to memory of 2848	3048	{D360A538-7CEC-4b6f-93F6-3BD2A6199F6B}.exe	30
PID 3048 wrote to memory of 2848	3048	{D360A538-7CEC-4b6f-93F6-3BD2A6199F6B}.exe	30
PID 3048 wrote to memory of 2848	3048	{D360A538-7CEC-4b6f-93F6-3BD2A6199F6B}.exe	30
PID 3048 wrote to memory of 2764	3048	{D360A538-7CEC-4b6f-93F6-3BD2A6199F6B}.exe	31
PID 3048 wrote to memory of 2764	3048	{D360A538-7CEC-4b6f-93F6-3BD2A6199F6B}.exe	31
PID 3048 wrote to memory of 2764	3048	{D360A538-7CEC-4b6f-93F6-3BD2A6199F6B}.exe	31
PID 3048 wrote to memory of 2764	3048	{D360A538-7CEC-4b6f-93F6-3BD2A6199F6B}.exe	31
PID 2848 wrote to memory of 2888	2848	{1ADFAF75-AA5D-4ec1-8C81-1B9667767C41}.exe	32
PID 2848 wrote to memory of 2888	2848	{1ADFAF75-AA5D-4ec1-8C81-1B9667767C41}.exe	32
PID 2848 wrote to memory of 2888	2848	{1ADFAF75-AA5D-4ec1-8C81-1B9667767C41}.exe	32
PID 2848 wrote to memory of 2888	2848	{1ADFAF75-AA5D-4ec1-8C81-1B9667767C41}.exe	32
PID 2848 wrote to memory of 2644	2848	{1ADFAF75-AA5D-4ec1-8C81-1B9667767C41}.exe	33
PID 2848 wrote to memory of 2644	2848	{1ADFAF75-AA5D-4ec1-8C81-1B9667767C41}.exe	33
PID 2848 wrote to memory of 2644	2848	{1ADFAF75-AA5D-4ec1-8C81-1B9667767C41}.exe	33
PID 2848 wrote to memory of 2644	2848	{1ADFAF75-AA5D-4ec1-8C81-1B9667767C41}.exe	33
PID 2888 wrote to memory of 2440	2888	{BB9282E2-9979-454c-8D95-20E1DAD45CB3}.exe	37
PID 2888 wrote to memory of 2440	2888	{BB9282E2-9979-454c-8D95-20E1DAD45CB3}.exe	37
PID 2888 wrote to memory of 2440	2888	{BB9282E2-9979-454c-8D95-20E1DAD45CB3}.exe	37
PID 2888 wrote to memory of 2440	2888	{BB9282E2-9979-454c-8D95-20E1DAD45CB3}.exe	37
PID 2888 wrote to memory of 1896	2888	{BB9282E2-9979-454c-8D95-20E1DAD45CB3}.exe	36
PID 2888 wrote to memory of 1896	2888	{BB9282E2-9979-454c-8D95-20E1DAD45CB3}.exe	36
PID 2888 wrote to memory of 1896	2888	{BB9282E2-9979-454c-8D95-20E1DAD45CB3}.exe	36
PID 2888 wrote to memory of 1896	2888	{BB9282E2-9979-454c-8D95-20E1DAD45CB3}.exe	36
PID 2440 wrote to memory of 2356	2440	{291582CC-4C20-49f7-A4C1-D6C9DBA90FD3}.exe	39
PID 2440 wrote to memory of 2356	2440	{291582CC-4C20-49f7-A4C1-D6C9DBA90FD3}.exe	39
PID 2440 wrote to memory of 2356	2440	{291582CC-4C20-49f7-A4C1-D6C9DBA90FD3}.exe	39
PID 2440 wrote to memory of 2356	2440	{291582CC-4C20-49f7-A4C1-D6C9DBA90FD3}.exe	39
PID 2440 wrote to memory of 552	2440	{291582CC-4C20-49f7-A4C1-D6C9DBA90FD3}.exe	38
PID 2440 wrote to memory of 552	2440	{291582CC-4C20-49f7-A4C1-D6C9DBA90FD3}.exe	38
PID 2440 wrote to memory of 552	2440	{291582CC-4C20-49f7-A4C1-D6C9DBA90FD3}.exe	38
PID 2440 wrote to memory of 552	2440	{291582CC-4C20-49f7-A4C1-D6C9DBA90FD3}.exe	38
PID 2356 wrote to memory of 1924	2356	{D5F0E9A3-72C8-4ff2-8BB9-EAA43685D766}.exe	40
PID 2356 wrote to memory of 1924	2356	{D5F0E9A3-72C8-4ff2-8BB9-EAA43685D766}.exe	40
PID 2356 wrote to memory of 1924	2356	{D5F0E9A3-72C8-4ff2-8BB9-EAA43685D766}.exe	40
PID 2356 wrote to memory of 1924	2356	{D5F0E9A3-72C8-4ff2-8BB9-EAA43685D766}.exe	40
PID 2356 wrote to memory of 1512	2356	{D5F0E9A3-72C8-4ff2-8BB9-EAA43685D766}.exe	41
PID 2356 wrote to memory of 1512	2356	{D5F0E9A3-72C8-4ff2-8BB9-EAA43685D766}.exe	41
PID 2356 wrote to memory of 1512	2356	{D5F0E9A3-72C8-4ff2-8BB9-EAA43685D766}.exe	41
PID 2356 wrote to memory of 1512	2356	{D5F0E9A3-72C8-4ff2-8BB9-EAA43685D766}.exe	41
PID 1924 wrote to memory of 1044	1924	{ED125E5A-61DB-4c45-AF66-8C064D237376}.exe	42
PID 1924 wrote to memory of 1044	1924	{ED125E5A-61DB-4c45-AF66-8C064D237376}.exe	42
PID 1924 wrote to memory of 1044	1924	{ED125E5A-61DB-4c45-AF66-8C064D237376}.exe	42
PID 1924 wrote to memory of 1044	1924	{ED125E5A-61DB-4c45-AF66-8C064D237376}.exe	42
PID 1924 wrote to memory of 2680	1924	{ED125E5A-61DB-4c45-AF66-8C064D237376}.exe	43
PID 1924 wrote to memory of 2680	1924	{ED125E5A-61DB-4c45-AF66-8C064D237376}.exe	43
PID 1924 wrote to memory of 2680	1924	{ED125E5A-61DB-4c45-AF66-8C064D237376}.exe	43
PID 1924 wrote to memory of 2680	1924	{ED125E5A-61DB-4c45-AF66-8C064D237376}.exe	43
PID 1044 wrote to memory of 1636	1044	{34F8E3F8-7073-4f43-B158-994691342E62}.exe	45
PID 1044 wrote to memory of 1636	1044	{34F8E3F8-7073-4f43-B158-994691342E62}.exe	45
PID 1044 wrote to memory of 1636	1044	{34F8E3F8-7073-4f43-B158-994691342E62}.exe	45
PID 1044 wrote to memory of 1636	1044	{34F8E3F8-7073-4f43-B158-994691342E62}.exe	45
PID 1044 wrote to memory of 1684	1044	{34F8E3F8-7073-4f43-B158-994691342E62}.exe	44
PID 1044 wrote to memory of 1684	1044	{34F8E3F8-7073-4f43-B158-994691342E62}.exe	44
PID 1044 wrote to memory of 1684	1044	{34F8E3F8-7073-4f43-B158-994691342E62}.exe	44
PID 1044 wrote to memory of 1684	1044	{34F8E3F8-7073-4f43-B158-994691342E62}.exe	44

C:\Users\Admin\AppData\Local\Temp\2024-01-24_2672467ba8137c37b4de80fbb81b7bae_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-24_2672467ba8137c37b4de80fbb81b7bae_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2976
- C:\Windows\{D360A538-7CEC-4b6f-93F6-3BD2A6199F6B}.exe
  C:\Windows\{D360A538-7CEC-4b6f-93F6-3BD2A6199F6B}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3048
- - C:\Windows\{1ADFAF75-AA5D-4ec1-8C81-1B9667767C41}.exe
    C:\Windows\{1ADFAF75-AA5D-4ec1-8C81-1B9667767C41}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2848
  - - C:\Windows\{BB9282E2-9979-454c-8D95-20E1DAD45CB3}.exe
      C:\Windows\{BB9282E2-9979-454c-8D95-20E1DAD45CB3}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2888
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BB928~1.EXE > nul
        5⤵
        
        PID:1896
    - - C:\Windows\{291582CC-4C20-49f7-A4C1-D6C9DBA90FD3}.exe
        
        C:\Windows\{291582CC-4C20-49f7-A4C1-D6C9DBA90FD3}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2440
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{29158~1.EXE > nul
        6⤵
        
        PID:552
      - C:\Windows\{D5F0E9A3-72C8-4ff2-8BB9-EAA43685D766}.exe
        
        C:\Windows\{D5F0E9A3-72C8-4ff2-8BB9-EAA43685D766}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2356
        
        C:\Windows\{ED125E5A-61DB-4c45-AF66-8C064D237376}.exe
        
        C:\Windows\{ED125E5A-61DB-4c45-AF66-8C064D237376}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1924
        
        C:\Windows\{34F8E3F8-7073-4f43-B158-994691342E62}.exe
        
        C:\Windows\{34F8E3F8-7073-4f43-B158-994691342E62}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{34F8E~1.EXE > nul
        9⤵
        
        PID:1684
        
        C:\Windows\{9D7C8BDC-136E-40ec-9EAD-76DBA08319AC}.exe
        
        C:\Windows\{9D7C8BDC-136E-40ec-9EAD-76DBA08319AC}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9D7C8~1.EXE > nul
        10⤵
        
        PID:1240
        
        C:\Windows\{19319BBD-CC20-4a12-9AF9-D2CE4E4E3B59}.exe
        
        C:\Windows\{19319BBD-CC20-4a12-9AF9-D2CE4E4E3B59}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2248
        
        C:\Windows\{0F43D68B-53ED-4738-9DA9-EE77114888EF}.exe
        
        C:\Windows\{0F43D68B-53ED-4738-9DA9-EE77114888EF}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0F43D~1.EXE > nul
        12⤵
        
        PID:1652
        
        C:\Windows\{DB51658C-4792-405e-9A76-0EA86934246F}.exe
        
        C:\Windows\{DB51658C-4792-405e-9A76-0EA86934246F}.exe
        12⤵
        Executes dropped EXE
        
        PID:580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{19319~1.EXE > nul
        11⤵
        
        PID:268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{ED125~1.EXE > nul
        8⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D5F0E~1.EXE > nul
        7⤵
        
        PID:1512
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{1ADFA~1.EXE > nul
      4⤵
      PID:2644
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{D360A~1.EXE > nul
    3⤵
    PID:2764
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0F43D68B-53ED-4738-9DA9-EE77114888EF}.exe

Filesize
192KB

MD5
8eea2c53965fb0a682773171bb02ae5b

SHA1
df8308d54fbedf51295c39c4684f19e8207901c5

SHA256
d3f13f1ee8d71a2f2f842567f2fd87523874396371237d336a82b857476ac8d2

SHA512
c90579ee2392c099ca1af268bbdf6522f105da06a445ff786ba4297d366e6f6daf0afa0febfffdfa7ac685dadb60eb5b810cefd79251a9f28597a2e61065c689

Download Submit
C:\Windows\{19319BBD-CC20-4a12-9AF9-D2CE4E4E3B59}.exe

Filesize
192KB

MD5
db88c250ad89610a8cfba6f4d72764c3

SHA1
f2df0cb7987474cd5ffe4ba7830c0629619a5877

SHA256
f3bcf5ec1518f0558248d9c74c8f20e274b7252ec77c219f7300095ef86ad683

SHA512
4c03b5fe3c8c1fb882ba10e09484bc093bcc2f8f1a86ad77cf1e25a13a56543e0b1eacbd765020cdbe095de188ad1352f673405a5bf20ebc76f384640bde0653

Download Submit
C:\Windows\{1ADFAF75-AA5D-4ec1-8C81-1B9667767C41}.exe

Filesize
192KB

MD5
2b6ee5bec28245077b12c54c035eff36

SHA1
b18f76a99ce7700a9d4168363675aac5c32d1d12

SHA256
5c73cf130f905a46c043293863adea0efe0e35b9938cd4c387fc5a54b113c041

SHA512
d051090561401006df529c0d47332825d2232f2afe605ab11a36578096a36e1a8102db4869b9d4e3a9d0350552b65bebecdbfd82143f579f03c4b0956e20d895

Download Submit
C:\Windows\{291582CC-4C20-49f7-A4C1-D6C9DBA90FD3}.exe

Filesize
192KB

MD5
aeb53c18f72cf0dbed8f8ba17bbeb4f2

SHA1
1c73d9ec435b348a1f09bd8143ba2ab82724118d

SHA256
b76cf21f3819e4751369a7d3a276fc4e59cfc141b8f7f31a1e05f4ed5024a213

SHA512
d5490878910b324d102a5015cc6d72584a37584a8383a8947155921f1f8deeacc8e77d0580d9a035c8e5efb113a063add3bedb1a0cba17429cf0ef4d3c880dc6

Download Submit
C:\Windows\{34F8E3F8-7073-4f43-B158-994691342E62}.exe

Filesize
192KB

MD5
df785bfc909feee0a1cdd76a09fed00c

SHA1
44a2bb15fd0c108d8f698ae825de0e6cc85afa5f

SHA256
37b19ac3e48777ccc63429ec2bc5ff0cd7c05ce982c266fbe8514bab26c8cbfe

SHA512
f9e6ec214722337170d7b2f55f6c0c1796fba529ce76a8d07cffab7715cf4dd8eeb6e111d6d6252fc700bc54899a68653307802bd6cbf2bec0b90d5fe6dc486f

Download Submit
C:\Windows\{9D7C8BDC-136E-40ec-9EAD-76DBA08319AC}.exe

Filesize
192KB

MD5
bec60983d28641b8160d9a7507bc87b7

SHA1
64d9d0a881450878e844af508feb46cd315526e7

SHA256
764c5cf0bc3c7a23dd6c1bf572bc5380d28682ca740376d0d487ab785ea97dd2

SHA512
f3653e1c0755320c5614a9989100a7c14404f9542753e291b6bf2c91fe7cd06b924454c76932e00a47c8f5dd5998b85f071d7cf889f8b60777f6263a0b0bfff0

Download Submit
C:\Windows\{BB9282E2-9979-454c-8D95-20E1DAD45CB3}.exe

Filesize
192KB

MD5
674c6fdfcdb0677064cf0a4cd7b28fdd

SHA1
84283d074c5211580d76a75c5ef055e635bab112

SHA256
6f837769469ed572b2d1c53c698d8f1fa093c6b999b7aa3f511c5d5e713bb904

SHA512
cfcac492235db7b9e00f928a0d44c40173ba23eb94f9bb4916b38ee5c815dbd3d5cfd3066e436c193159882d672aa9c2212c40356a1f83771f6ab334045574cb

Download Submit
C:\Windows\{D360A538-7CEC-4b6f-93F6-3BD2A6199F6B}.exe

Filesize
192KB

MD5
f02b92dd6dac8c984e98993cd7be513b

SHA1
bd888cb2a3bf6ec7e8d333ce39b28b326cbe486c

SHA256
1934311c7398ebffcdaaefc211c2b3e72f03cd3ffe9b008cab31466636b517af

SHA512
277419fbc4642ad4b3672c713ea9a3f5e43a2f77503b63d0e4e830b98b1ec585933b61d595547fe28d02159a95cc9a02de554aaec4669423ee71036f3499b679

Download Submit
C:\Windows\{D5F0E9A3-72C8-4ff2-8BB9-EAA43685D766}.exe

Filesize
192KB

MD5
d934c09c8d05bf3a75ddbc587328178b

SHA1
95b344cea9c6101d6be02f17e951e16637708b03

SHA256
73c936c8302d149d22149c2a9610dd28a572b57e42fe11792ce0812afc006726

SHA512
7a1f626f20aa9a6ce67832c7bd72d0b4a03547bb156bab5906fdc005e3e818824d263b63304e3d709d9bf08896d5baa37d08467b6f29fbf6ade22f1685fb3f60

Download Submit
C:\Windows\{DB51658C-4792-405e-9A76-0EA86934246F}.exe

Filesize
192KB

MD5
1ee59feab2a57e00527781c6b9d6ff44

SHA1
164ca6dd4c6394254f23184c50aee48952816077

SHA256
311aa90df3523ccacc29f91b27687c5f0528b23216dbf3d3359a22c059c4fcd2

SHA512
5545a2ed5767a3c6e71923cfb186728644a0f71b9693797a8ea892bee8df67ccc065cf2aef3ce8d6ee4e60191b239c976007b6161f6924d9369f2300e06907f9

Download Submit
C:\Windows\{ED125E5A-61DB-4c45-AF66-8C064D237376}.exe

Filesize
192KB

MD5
03ba57c1749f521b18ff60527d1832af

SHA1
862ebb5c364988263ef1353dd7b685d0f2a48070

SHA256
ca8151b1747c65f69a283c68ecc6a8bb8b64f6ced422bb9e1c21b41f2cc17c95

SHA512
98cebb058e06fa6fe437101134433f50d8c62350c4a5104ec984149a9a68f14fb8255d92dfc837bef711af416b92865ed7d8b9602a1188730d97e6bce86a32e2

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads