f9a1d05084f3cf7b5426b6aeaa217a212a00b39c36f119dae1748357b5c51926

Analysis

max time kernel
144s
max time network
120s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25/01/2024, 10:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-25_6be4a03c7f67dbf3e7aac06d0650dc24_goldeneye.exe
Size

372KB
MD5

6be4a03c7f67dbf3e7aac06d0650dc24
SHA1

8a471f03c22afb9911ee56955f73d64a90f981c1
SHA256

f9a1d05084f3cf7b5426b6aeaa217a212a00b39c36f119dae1748357b5c51926
SHA512

1d8e90f9a6b785ddffdf89c1cb21eafdba73f428fc98b18eac265d8f3e96e854cfad7bce2b3441fd9f04773c6c430bc2ad5a4deb30bdb4f0111f0191d5a2896f
SSDEEP

3072:CEGh0oGmlJOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBE:CEGhl/Oe2MUVg3vTeKcAEciTBqr3

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x0009000000012261-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000015c85-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000300000000b1f7-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0003000000010f1d-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000400000000b1f7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000010f1d-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000500000000b1f7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000010f1d-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000600000000b1f7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000010f1d-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000700000000b1f7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F33AFB70-F3CC-482d-A3B2-4CF6FC4E1976}	2024-01-25_6be4a03c7f67dbf3e7aac06d0650dc24_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{993DBD8A-CC16-45cc-8D65-C63BBB5BDEFB}\stubpath = "C:\\Windows\\{993DBD8A-CC16-45cc-8D65-C63BBB5BDEFB}.exe"	{F33AFB70-F3CC-482d-A3B2-4CF6FC4E1976}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FA11E77F-29EF-4d31-87EB-68DD429591E4}\stubpath = "C:\\Windows\\{FA11E77F-29EF-4d31-87EB-68DD429591E4}.exe"	{E56A3EAF-1674-4ade-B0C7-2537B4A1862D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{766253AA-88A7-439f-8216-06A600D2804E}	{C2C7562B-3BED-4997-AF76-AB3823A2DBBA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{97E405FA-C90F-41f1-A0A8-76C4D3392353}	{C87608A8-2911-4270-91C1-6385B7249937}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{97E405FA-C90F-41f1-A0A8-76C4D3392353}\stubpath = "C:\\Windows\\{97E405FA-C90F-41f1-A0A8-76C4D3392353}.exe"	{C87608A8-2911-4270-91C1-6385B7249937}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F33AFB70-F3CC-482d-A3B2-4CF6FC4E1976}\stubpath = "C:\\Windows\\{F33AFB70-F3CC-482d-A3B2-4CF6FC4E1976}.exe"	2024-01-25_6be4a03c7f67dbf3e7aac06d0650dc24_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E56A3EAF-1674-4ade-B0C7-2537B4A1862D}	{0E7100F7-EFB3-487d-B457-86036BA73DFA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{993DBD8A-CC16-45cc-8D65-C63BBB5BDEFB}	{F33AFB70-F3CC-482d-A3B2-4CF6FC4E1976}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0E7100F7-EFB3-487d-B457-86036BA73DFA}	{993DBD8A-CC16-45cc-8D65-C63BBB5BDEFB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E56A3EAF-1674-4ade-B0C7-2537B4A1862D}\stubpath = "C:\\Windows\\{E56A3EAF-1674-4ade-B0C7-2537B4A1862D}.exe"	{0E7100F7-EFB3-487d-B457-86036BA73DFA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{766253AA-88A7-439f-8216-06A600D2804E}\stubpath = "C:\\Windows\\{766253AA-88A7-439f-8216-06A600D2804E}.exe"	{C2C7562B-3BED-4997-AF76-AB3823A2DBBA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A8597CD3-7975-49d7-AD8B-DCF337E2709D}\stubpath = "C:\\Windows\\{A8597CD3-7975-49d7-AD8B-DCF337E2709D}.exe"	{97E405FA-C90F-41f1-A0A8-76C4D3392353}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{78C0A74B-2AB7-46cf-B1C1-6F20389E319A}	{A8597CD3-7975-49d7-AD8B-DCF337E2709D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0E7100F7-EFB3-487d-B457-86036BA73DFA}\stubpath = "C:\\Windows\\{0E7100F7-EFB3-487d-B457-86036BA73DFA}.exe"	{993DBD8A-CC16-45cc-8D65-C63BBB5BDEFB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FA11E77F-29EF-4d31-87EB-68DD429591E4}	{E56A3EAF-1674-4ade-B0C7-2537B4A1862D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C2C7562B-3BED-4997-AF76-AB3823A2DBBA}	{FA11E77F-29EF-4d31-87EB-68DD429591E4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C2C7562B-3BED-4997-AF76-AB3823A2DBBA}\stubpath = "C:\\Windows\\{C2C7562B-3BED-4997-AF76-AB3823A2DBBA}.exe"	{FA11E77F-29EF-4d31-87EB-68DD429591E4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C87608A8-2911-4270-91C1-6385B7249937}	{766253AA-88A7-439f-8216-06A600D2804E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C87608A8-2911-4270-91C1-6385B7249937}\stubpath = "C:\\Windows\\{C87608A8-2911-4270-91C1-6385B7249937}.exe"	{766253AA-88A7-439f-8216-06A600D2804E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A8597CD3-7975-49d7-AD8B-DCF337E2709D}	{97E405FA-C90F-41f1-A0A8-76C4D3392353}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{78C0A74B-2AB7-46cf-B1C1-6F20389E319A}\stubpath = "C:\\Windows\\{78C0A74B-2AB7-46cf-B1C1-6F20389E319A}.exe"	{A8597CD3-7975-49d7-AD8B-DCF337E2709D}.exe

Deletes itself 1 IoCs

pid	Process
3020	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
1900	{F33AFB70-F3CC-482d-A3B2-4CF6FC4E1976}.exe
2648	{993DBD8A-CC16-45cc-8D65-C63BBB5BDEFB}.exe
2952	{0E7100F7-EFB3-487d-B457-86036BA73DFA}.exe
2552	{E56A3EAF-1674-4ade-B0C7-2537B4A1862D}.exe
1120	{FA11E77F-29EF-4d31-87EB-68DD429591E4}.exe
2468	{C2C7562B-3BED-4997-AF76-AB3823A2DBBA}.exe
1088	{766253AA-88A7-439f-8216-06A600D2804E}.exe
868	{C87608A8-2911-4270-91C1-6385B7249937}.exe
1236	{97E405FA-C90F-41f1-A0A8-76C4D3392353}.exe
2904	{A8597CD3-7975-49d7-AD8B-DCF337E2709D}.exe
2028	{78C0A74B-2AB7-46cf-B1C1-6F20389E319A}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{97E405FA-C90F-41f1-A0A8-76C4D3392353}.exe	{C87608A8-2911-4270-91C1-6385B7249937}.exe
File created	C:\Windows\{993DBD8A-CC16-45cc-8D65-C63BBB5BDEFB}.exe	{F33AFB70-F3CC-482d-A3B2-4CF6FC4E1976}.exe
File created	C:\Windows\{0E7100F7-EFB3-487d-B457-86036BA73DFA}.exe	{993DBD8A-CC16-45cc-8D65-C63BBB5BDEFB}.exe
File created	C:\Windows\{FA11E77F-29EF-4d31-87EB-68DD429591E4}.exe	{E56A3EAF-1674-4ade-B0C7-2537B4A1862D}.exe
File created	C:\Windows\{C2C7562B-3BED-4997-AF76-AB3823A2DBBA}.exe	{FA11E77F-29EF-4d31-87EB-68DD429591E4}.exe
File created	C:\Windows\{C87608A8-2911-4270-91C1-6385B7249937}.exe	{766253AA-88A7-439f-8216-06A600D2804E}.exe
File created	C:\Windows\{F33AFB70-F3CC-482d-A3B2-4CF6FC4E1976}.exe	2024-01-25_6be4a03c7f67dbf3e7aac06d0650dc24_goldeneye.exe
File created	C:\Windows\{E56A3EAF-1674-4ade-B0C7-2537B4A1862D}.exe	{0E7100F7-EFB3-487d-B457-86036BA73DFA}.exe
File created	C:\Windows\{766253AA-88A7-439f-8216-06A600D2804E}.exe	{C2C7562B-3BED-4997-AF76-AB3823A2DBBA}.exe
File created	C:\Windows\{A8597CD3-7975-49d7-AD8B-DCF337E2709D}.exe	{97E405FA-C90F-41f1-A0A8-76C4D3392353}.exe
File created	C:\Windows\{78C0A74B-2AB7-46cf-B1C1-6F20389E319A}.exe	{A8597CD3-7975-49d7-AD8B-DCF337E2709D}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2512	2024-01-25_6be4a03c7f67dbf3e7aac06d0650dc24_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1900	{F33AFB70-F3CC-482d-A3B2-4CF6FC4E1976}.exe
Token: SeIncBasePriorityPrivilege	2648	{993DBD8A-CC16-45cc-8D65-C63BBB5BDEFB}.exe
Token: SeIncBasePriorityPrivilege	2952	{0E7100F7-EFB3-487d-B457-86036BA73DFA}.exe
Token: SeIncBasePriorityPrivilege	2552	{E56A3EAF-1674-4ade-B0C7-2537B4A1862D}.exe
Token: SeIncBasePriorityPrivilege	1120	{FA11E77F-29EF-4d31-87EB-68DD429591E4}.exe
Token: SeIncBasePriorityPrivilege	2468	{C2C7562B-3BED-4997-AF76-AB3823A2DBBA}.exe
Token: SeIncBasePriorityPrivilege	1088	{766253AA-88A7-439f-8216-06A600D2804E}.exe
Token: SeIncBasePriorityPrivilege	868	{C87608A8-2911-4270-91C1-6385B7249937}.exe
Token: SeIncBasePriorityPrivilege	1236	{97E405FA-C90F-41f1-A0A8-76C4D3392353}.exe
Token: SeIncBasePriorityPrivilege	2904	{A8597CD3-7975-49d7-AD8B-DCF337E2709D}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2512 wrote to memory of 1900	2512	2024-01-25_6be4a03c7f67dbf3e7aac06d0650dc24_goldeneye.exe	28
PID 2512 wrote to memory of 1900	2512	2024-01-25_6be4a03c7f67dbf3e7aac06d0650dc24_goldeneye.exe	28
PID 2512 wrote to memory of 1900	2512	2024-01-25_6be4a03c7f67dbf3e7aac06d0650dc24_goldeneye.exe	28
PID 2512 wrote to memory of 1900	2512	2024-01-25_6be4a03c7f67dbf3e7aac06d0650dc24_goldeneye.exe	28
PID 2512 wrote to memory of 3020	2512	2024-01-25_6be4a03c7f67dbf3e7aac06d0650dc24_goldeneye.exe	29
PID 2512 wrote to memory of 3020	2512	2024-01-25_6be4a03c7f67dbf3e7aac06d0650dc24_goldeneye.exe	29
PID 2512 wrote to memory of 3020	2512	2024-01-25_6be4a03c7f67dbf3e7aac06d0650dc24_goldeneye.exe	29
PID 2512 wrote to memory of 3020	2512	2024-01-25_6be4a03c7f67dbf3e7aac06d0650dc24_goldeneye.exe	29
PID 1900 wrote to memory of 2648	1900	{F33AFB70-F3CC-482d-A3B2-4CF6FC4E1976}.exe	30
PID 1900 wrote to memory of 2648	1900	{F33AFB70-F3CC-482d-A3B2-4CF6FC4E1976}.exe	30
PID 1900 wrote to memory of 2648	1900	{F33AFB70-F3CC-482d-A3B2-4CF6FC4E1976}.exe	30
PID 1900 wrote to memory of 2648	1900	{F33AFB70-F3CC-482d-A3B2-4CF6FC4E1976}.exe	30
PID 1900 wrote to memory of 2124	1900	{F33AFB70-F3CC-482d-A3B2-4CF6FC4E1976}.exe	31
PID 1900 wrote to memory of 2124	1900	{F33AFB70-F3CC-482d-A3B2-4CF6FC4E1976}.exe	31
PID 1900 wrote to memory of 2124	1900	{F33AFB70-F3CC-482d-A3B2-4CF6FC4E1976}.exe	31
PID 1900 wrote to memory of 2124	1900	{F33AFB70-F3CC-482d-A3B2-4CF6FC4E1976}.exe	31
PID 2648 wrote to memory of 2952	2648	{993DBD8A-CC16-45cc-8D65-C63BBB5BDEFB}.exe	35
PID 2648 wrote to memory of 2952	2648	{993DBD8A-CC16-45cc-8D65-C63BBB5BDEFB}.exe	35
PID 2648 wrote to memory of 2952	2648	{993DBD8A-CC16-45cc-8D65-C63BBB5BDEFB}.exe	35
PID 2648 wrote to memory of 2952	2648	{993DBD8A-CC16-45cc-8D65-C63BBB5BDEFB}.exe	35
PID 2648 wrote to memory of 1708	2648	{993DBD8A-CC16-45cc-8D65-C63BBB5BDEFB}.exe	34
PID 2648 wrote to memory of 1708	2648	{993DBD8A-CC16-45cc-8D65-C63BBB5BDEFB}.exe	34
PID 2648 wrote to memory of 1708	2648	{993DBD8A-CC16-45cc-8D65-C63BBB5BDEFB}.exe	34
PID 2648 wrote to memory of 1708	2648	{993DBD8A-CC16-45cc-8D65-C63BBB5BDEFB}.exe	34
PID 2952 wrote to memory of 2552	2952	{0E7100F7-EFB3-487d-B457-86036BA73DFA}.exe	36
PID 2952 wrote to memory of 2552	2952	{0E7100F7-EFB3-487d-B457-86036BA73DFA}.exe	36
PID 2952 wrote to memory of 2552	2952	{0E7100F7-EFB3-487d-B457-86036BA73DFA}.exe	36
PID 2952 wrote to memory of 2552	2952	{0E7100F7-EFB3-487d-B457-86036BA73DFA}.exe	36
PID 2952 wrote to memory of 2620	2952	{0E7100F7-EFB3-487d-B457-86036BA73DFA}.exe	37
PID 2952 wrote to memory of 2620	2952	{0E7100F7-EFB3-487d-B457-86036BA73DFA}.exe	37
PID 2952 wrote to memory of 2620	2952	{0E7100F7-EFB3-487d-B457-86036BA73DFA}.exe	37
PID 2952 wrote to memory of 2620	2952	{0E7100F7-EFB3-487d-B457-86036BA73DFA}.exe	37
PID 2552 wrote to memory of 1120	2552	{E56A3EAF-1674-4ade-B0C7-2537B4A1862D}.exe	38
PID 2552 wrote to memory of 1120	2552	{E56A3EAF-1674-4ade-B0C7-2537B4A1862D}.exe	38
PID 2552 wrote to memory of 1120	2552	{E56A3EAF-1674-4ade-B0C7-2537B4A1862D}.exe	38
PID 2552 wrote to memory of 1120	2552	{E56A3EAF-1674-4ade-B0C7-2537B4A1862D}.exe	38
PID 2552 wrote to memory of 1928	2552	{E56A3EAF-1674-4ade-B0C7-2537B4A1862D}.exe	39
PID 2552 wrote to memory of 1928	2552	{E56A3EAF-1674-4ade-B0C7-2537B4A1862D}.exe	39
PID 2552 wrote to memory of 1928	2552	{E56A3EAF-1674-4ade-B0C7-2537B4A1862D}.exe	39
PID 2552 wrote to memory of 1928	2552	{E56A3EAF-1674-4ade-B0C7-2537B4A1862D}.exe	39
PID 1120 wrote to memory of 2468	1120	{FA11E77F-29EF-4d31-87EB-68DD429591E4}.exe	40
PID 1120 wrote to memory of 2468	1120	{FA11E77F-29EF-4d31-87EB-68DD429591E4}.exe	40
PID 1120 wrote to memory of 2468	1120	{FA11E77F-29EF-4d31-87EB-68DD429591E4}.exe	40
PID 1120 wrote to memory of 2468	1120	{FA11E77F-29EF-4d31-87EB-68DD429591E4}.exe	40
PID 1120 wrote to memory of 1520	1120	{FA11E77F-29EF-4d31-87EB-68DD429591E4}.exe	41
PID 1120 wrote to memory of 1520	1120	{FA11E77F-29EF-4d31-87EB-68DD429591E4}.exe	41
PID 1120 wrote to memory of 1520	1120	{FA11E77F-29EF-4d31-87EB-68DD429591E4}.exe	41
PID 1120 wrote to memory of 1520	1120	{FA11E77F-29EF-4d31-87EB-68DD429591E4}.exe	41
PID 2468 wrote to memory of 1088	2468	{C2C7562B-3BED-4997-AF76-AB3823A2DBBA}.exe	42
PID 2468 wrote to memory of 1088	2468	{C2C7562B-3BED-4997-AF76-AB3823A2DBBA}.exe	42
PID 2468 wrote to memory of 1088	2468	{C2C7562B-3BED-4997-AF76-AB3823A2DBBA}.exe	42
PID 2468 wrote to memory of 1088	2468	{C2C7562B-3BED-4997-AF76-AB3823A2DBBA}.exe	42
PID 2468 wrote to memory of 2384	2468	{C2C7562B-3BED-4997-AF76-AB3823A2DBBA}.exe	43
PID 2468 wrote to memory of 2384	2468	{C2C7562B-3BED-4997-AF76-AB3823A2DBBA}.exe	43
PID 2468 wrote to memory of 2384	2468	{C2C7562B-3BED-4997-AF76-AB3823A2DBBA}.exe	43
PID 2468 wrote to memory of 2384	2468	{C2C7562B-3BED-4997-AF76-AB3823A2DBBA}.exe	43
PID 1088 wrote to memory of 868	1088	{766253AA-88A7-439f-8216-06A600D2804E}.exe	45
PID 1088 wrote to memory of 868	1088	{766253AA-88A7-439f-8216-06A600D2804E}.exe	45
PID 1088 wrote to memory of 868	1088	{766253AA-88A7-439f-8216-06A600D2804E}.exe	45
PID 1088 wrote to memory of 868	1088	{766253AA-88A7-439f-8216-06A600D2804E}.exe	45
PID 1088 wrote to memory of 2544	1088	{766253AA-88A7-439f-8216-06A600D2804E}.exe	44
PID 1088 wrote to memory of 2544	1088	{766253AA-88A7-439f-8216-06A600D2804E}.exe	44
PID 1088 wrote to memory of 2544	1088	{766253AA-88A7-439f-8216-06A600D2804E}.exe	44
PID 1088 wrote to memory of 2544	1088	{766253AA-88A7-439f-8216-06A600D2804E}.exe	44

C:\Users\Admin\AppData\Local\Temp\2024-01-25_6be4a03c7f67dbf3e7aac06d0650dc24_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-25_6be4a03c7f67dbf3e7aac06d0650dc24_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2512
- C:\Windows\{F33AFB70-F3CC-482d-A3B2-4CF6FC4E1976}.exe
  C:\Windows\{F33AFB70-F3CC-482d-A3B2-4CF6FC4E1976}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1900
- - C:\Windows\{993DBD8A-CC16-45cc-8D65-C63BBB5BDEFB}.exe
    C:\Windows\{993DBD8A-CC16-45cc-8D65-C63BBB5BDEFB}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2648
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{993DB~1.EXE > nul
      4⤵
      PID:1708
  - - C:\Windows\{0E7100F7-EFB3-487d-B457-86036BA73DFA}.exe
      C:\Windows\{0E7100F7-EFB3-487d-B457-86036BA73DFA}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2952
    - - C:\Windows\{E56A3EAF-1674-4ade-B0C7-2537B4A1862D}.exe
        
        C:\Windows\{E56A3EAF-1674-4ade-B0C7-2537B4A1862D}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2552
      - C:\Windows\{FA11E77F-29EF-4d31-87EB-68DD429591E4}.exe
        
        C:\Windows\{FA11E77F-29EF-4d31-87EB-68DD429591E4}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1120
        
        C:\Windows\{C2C7562B-3BED-4997-AF76-AB3823A2DBBA}.exe
        
        C:\Windows\{C2C7562B-3BED-4997-AF76-AB3823A2DBBA}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2468
        
        C:\Windows\{766253AA-88A7-439f-8216-06A600D2804E}.exe
        
        C:\Windows\{766253AA-88A7-439f-8216-06A600D2804E}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{76625~1.EXE > nul
        9⤵
        
        PID:2544
        
        C:\Windows\{C87608A8-2911-4270-91C1-6385B7249937}.exe
        
        C:\Windows\{C87608A8-2911-4270-91C1-6385B7249937}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C8760~1.EXE > nul
        10⤵
        
        PID:1340
        
        C:\Windows\{97E405FA-C90F-41f1-A0A8-76C4D3392353}.exe
        
        C:\Windows\{97E405FA-C90F-41f1-A0A8-76C4D3392353}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{97E40~1.EXE > nul
        11⤵
        
        PID:2856
        
        C:\Windows\{A8597CD3-7975-49d7-AD8B-DCF337E2709D}.exe
        
        C:\Windows\{A8597CD3-7975-49d7-AD8B-DCF337E2709D}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A8597~1.EXE > nul
        12⤵
        
        PID:2940
        
        C:\Windows\{78C0A74B-2AB7-46cf-B1C1-6F20389E319A}.exe
        
        C:\Windows\{78C0A74B-2AB7-46cf-B1C1-6F20389E319A}.exe
        12⤵
        Executes dropped EXE
        
        PID:2028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C2C75~1.EXE > nul
        8⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FA11E~1.EXE > nul
        7⤵
        
        PID:1520
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E56A3~1.EXE > nul
        6⤵
        
        PID:1928
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0E710~1.EXE > nul
        5⤵
        
        PID:2620
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{F33AF~1.EXE > nul
    3⤵
    PID:2124
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:3020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0E7100F7-EFB3-487d-B457-86036BA73DFA}.exe

Filesize
372KB

MD5
df6629b35cfdcc288368fb584522c6b6

SHA1
fcb7c9ac9513ccd8ceea077802b1e5396d91b081

SHA256
a77c2a1fdcb5e3c495dd4ab58d801fb9c374c8a79c50ab31c926c55ca69f78f8

SHA512
2a72add7d1ca5321a3ab98d55e550d4c3003861bdec5ffbcb37c361dfe170911a558b8907b7e04bb8ed6a67eeb8cabe1699e7731fe8d9d10cc84f00cea95e716

Download Submit
C:\Windows\{766253AA-88A7-439f-8216-06A600D2804E}.exe

Filesize
372KB

MD5
6c7867e03426be5a351b0cc1f877d12a

SHA1
93e4eb853435840ee9e684793e320052ab76db8a

SHA256
31a56745dd60404029c7f645718518494ee95e0b8a62fefa145fb081b2227828

SHA512
83a4c3e3051d1bd5179e8fc1a2477f96a0ef09362b378844e8df9f216d1f864fdda67ec1d242c56e487304b4235097ec3dcf89b5cfe3ea9756d081ac635dae81

Download Submit
C:\Windows\{78C0A74B-2AB7-46cf-B1C1-6F20389E319A}.exe

Filesize
372KB

MD5
1054cf543ae0f8cd0be8f17bc1fe87a8

SHA1
2b7282b7879d10bfe0adc7976607b7c82f5b9419

SHA256
f4a6d5989a670c202b82b0dac63f3244f6bd8a1e0e39c3a3487faa746aaf2ea0

SHA512
4edf84cf504b173ff7386bcc2694b16623a1de4a0f83852ee44eb0de2456f3651b6cf6cebd966c6283905df33ef93c0af7e1bb19f42df8debd0507c3850c62d9

Download Submit
C:\Windows\{97E405FA-C90F-41f1-A0A8-76C4D3392353}.exe

Filesize
372KB

MD5
c69e0e4f573123c4433086c41a80b8c6

SHA1
e8ab43ddb0669c7c412020aa30816c38cbc6c989

SHA256
6364c8898a0d84749952281207ed50c156d0c90c133a5f7235ee3e6485b105fb

SHA512
fd9b1c76a4bd14b2953ffc813b25160a578414545828a6eb9b3b4705d1761ce6ddd2996f52a4382ceb5626fc8810cae04fbee27033c38b17fdfc4812b8ee0684

Download Submit
C:\Windows\{993DBD8A-CC16-45cc-8D65-C63BBB5BDEFB}.exe

Filesize
372KB

MD5
56089ea0a897758ea2f86e5060f42b89

SHA1
1866a1f1b892e40d05ce3c2608c1da2b5adeb3ca

SHA256
334f76b1187e82189089dd0331e1aa5445458dd88a4c089ac2af3fc5b1c7f555

SHA512
002e255e3873eefadfdd191fb287f922dd0a146f0f17020ab983b330e0d94d83d84f64128e72872dd78dc6d23a881c0ce65dfa99be0f6bc1488e7be20131923f

Download Submit
C:\Windows\{A8597CD3-7975-49d7-AD8B-DCF337E2709D}.exe

Filesize
372KB

MD5
efe1e5666034b992896746aac804fa67

SHA1
251c3efd7977734ef2e5bcf9142bb8edf030ca59

SHA256
a016ad1bc11b034fae4223eaa93eab0eb46b34487d63328554b3020269de4d8e

SHA512
05e7f0a80e9d4cd516458b6887b579f30f11620c2ae0ae200c0efd7eed6c000e18b5f2c0958df963d3c84be130cc711749f64e958007a32597844a54e8b4bcb1

Download Submit
C:\Windows\{C2C7562B-3BED-4997-AF76-AB3823A2DBBA}.exe

Filesize
372KB

MD5
a02e71782e944b9a3eeab79683948a86

SHA1
048749aa520b394f584b2264ccbd1ab66411943c

SHA256
f39246597f34d587247dcc95c3ce8ecce9cd43ba5bdb81d97716d74e5b291e57

SHA512
7108e9f0810654cbd33a6a31b177ae92029f398dbfae4071d38ab9a34665c0425e3145c6007a704cb481fd87775aab783e99414d7ebd9dd90b744b484538523f

Download Submit
C:\Windows\{C87608A8-2911-4270-91C1-6385B7249937}.exe

Filesize
372KB

MD5
d4580c6a8a3ebf4dd0b13d58f85afa0b

SHA1
88c8794bab11224cbe150e837dfa3a4bcb546953

SHA256
ead037512e3336f84eb755ca2a8b92b89a1a7804b148001acda5a41277e66e08

SHA512
f663378239bc3121e78debba02bd040477a9f4658c5c3a3d1b0d5c5a44fee51be159d74b6f8d96f9afb9c5de05ece299e8d149c8f38519f583575f9c5cb731a7

Download Submit
C:\Windows\{E56A3EAF-1674-4ade-B0C7-2537B4A1862D}.exe

Filesize
372KB

MD5
c54028c18847a8462f633adc3800f385

SHA1
e50b0206055afc4403e82a086a15731535464db2

SHA256
fe1dce7072b2285a53bbdbfa7729534327c337d4ff14f6ac676108e5e896dba8

SHA512
7c94db73ade7549b44a8e9b494e7215a2944944a7c5d2b1046273781388439500e2979453f4a834de1f89a11436ec6b273012f0a3c83a24bf19d8bb64837cb06

Download Submit
C:\Windows\{F33AFB70-F3CC-482d-A3B2-4CF6FC4E1976}.exe

Filesize
372KB

MD5
39761c8ac6d352d2fc1b36c3f2ecf7fe

SHA1
44711ce0de32236e94858a67a820e5ca0480dc37

SHA256
6bb95526350c70663318e3e15a9ebea906d4e6ee41496fcfb8caf69d16878300

SHA512
0c9864ff8de9350cd81ddc8451db8af23101341e615365eba50ccea3ea3de6d3a4ed5333e5dcbcc3e713ce56f20f832341f1f2637e02eb8cb36588240ff10aee

Download Submit
C:\Windows\{FA11E77F-29EF-4d31-87EB-68DD429591E4}.exe

Filesize
372KB

MD5
c253409b16d82b8bfaf1d1ff9c16e282

SHA1
b4d92c280747542b98d6bd4cb82bbbcb59b84692

SHA256
5c2c821ce70ee6abbd6cbd13b7a6cdc6c8825a2d944d7f40325afb1c101be9cf

SHA512
4f0af870aca81ba57eba15169898e826700142aaba77ac848b08a74690ea8068437289548e154307f62ddbd45f1df293fb847d53f9524b3a689c5f9ed7b89ae7

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads