f310d5adf956aa3e3705817be8a8b87621ca57f564fdf11cd105c743670c1282

Analysis

max time kernel
144s
max time network
126s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25/01/2024, 11:26

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-01-25_5265c06bb8306f2281bac7ca6e8be549_goldeneye.exe
Size

197KB
MD5

5265c06bb8306f2281bac7ca6e8be549
SHA1

67358d53fe5a95a917ed30d9ffb4b3fbc2e6da00
SHA256

f310d5adf956aa3e3705817be8a8b87621ca57f564fdf11cd105c743670c1282
SHA512

ef08eb0723369e94f1fc09b50ef0da3b79c3bc80b26c77143cecb2bf8b0236a65896e760dc833f095270c4cd5c6e66607da389cf3490f0e0fc7682db414277ca
SSDEEP

3072:jEGh0oal+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGElEeKcAEca

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x0008000000012261-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0011000000013a05-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000012261-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a000000012261-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b000000012261-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000012261-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000012261-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{16B6D052-036C-4b14-B6DE-6E4B943BDA27}\stubpath = "C:\\Windows\\{16B6D052-036C-4b14-B6DE-6E4B943BDA27}.exe"	2024-01-25_5265c06bb8306f2281bac7ca6e8be549_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{390B7BF9-1572-4b0d-8535-430363E14233}	{16B6D052-036C-4b14-B6DE-6E4B943BDA27}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{337CE2C0-67F0-4dae-892D-F2E6ACD0B7CA}	{390B7BF9-1572-4b0d-8535-430363E14233}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{18F91018-4368-452c-9DFF-BE441052BD3D}	{337CE2C0-67F0-4dae-892D-F2E6ACD0B7CA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9C2FB9BE-0DC6-4531-84FB-9A93235EE0F0}\stubpath = "C:\\Windows\\{9C2FB9BE-0DC6-4531-84FB-9A93235EE0F0}.exe"	{18F91018-4368-452c-9DFF-BE441052BD3D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3B224E58-A84F-433a-A6D8-5B23BB5D0B36}	{9C2FB9BE-0DC6-4531-84FB-9A93235EE0F0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0BA3789C-EC45-486a-9EC7-9D32AB573D29}	{3B224E58-A84F-433a-A6D8-5B23BB5D0B36}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0BA3789C-EC45-486a-9EC7-9D32AB573D29}\stubpath = "C:\\Windows\\{0BA3789C-EC45-486a-9EC7-9D32AB573D29}.exe"	{3B224E58-A84F-433a-A6D8-5B23BB5D0B36}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{16B6D052-036C-4b14-B6DE-6E4B943BDA27}	2024-01-25_5265c06bb8306f2281bac7ca6e8be549_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9C2FB9BE-0DC6-4531-84FB-9A93235EE0F0}	{18F91018-4368-452c-9DFF-BE441052BD3D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3B224E58-A84F-433a-A6D8-5B23BB5D0B36}\stubpath = "C:\\Windows\\{3B224E58-A84F-433a-A6D8-5B23BB5D0B36}.exe"	{9C2FB9BE-0DC6-4531-84FB-9A93235EE0F0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FF378E36-B50A-4730-AA73-428B31DA9E19}	{0BA3789C-EC45-486a-9EC7-9D32AB573D29}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F088499B-52D9-48c5-8F23-E45C605EDA2C}	{FF378E36-B50A-4730-AA73-428B31DA9E19}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D200BCAD-B40B-418d-950B-0730FF9B8979}	{3713FF56-A953-40f7-B259-02EA20C519C2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{337CE2C0-67F0-4dae-892D-F2E6ACD0B7CA}\stubpath = "C:\\Windows\\{337CE2C0-67F0-4dae-892D-F2E6ACD0B7CA}.exe"	{390B7BF9-1572-4b0d-8535-430363E14233}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FF378E36-B50A-4730-AA73-428B31DA9E19}\stubpath = "C:\\Windows\\{FF378E36-B50A-4730-AA73-428B31DA9E19}.exe"	{0BA3789C-EC45-486a-9EC7-9D32AB573D29}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F088499B-52D9-48c5-8F23-E45C605EDA2C}\stubpath = "C:\\Windows\\{F088499B-52D9-48c5-8F23-E45C605EDA2C}.exe"	{FF378E36-B50A-4730-AA73-428B31DA9E19}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3713FF56-A953-40f7-B259-02EA20C519C2}\stubpath = "C:\\Windows\\{3713FF56-A953-40f7-B259-02EA20C519C2}.exe"	{F088499B-52D9-48c5-8F23-E45C605EDA2C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D200BCAD-B40B-418d-950B-0730FF9B8979}\stubpath = "C:\\Windows\\{D200BCAD-B40B-418d-950B-0730FF9B8979}.exe"	{3713FF56-A953-40f7-B259-02EA20C519C2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{390B7BF9-1572-4b0d-8535-430363E14233}\stubpath = "C:\\Windows\\{390B7BF9-1572-4b0d-8535-430363E14233}.exe"	{16B6D052-036C-4b14-B6DE-6E4B943BDA27}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{18F91018-4368-452c-9DFF-BE441052BD3D}\stubpath = "C:\\Windows\\{18F91018-4368-452c-9DFF-BE441052BD3D}.exe"	{337CE2C0-67F0-4dae-892D-F2E6ACD0B7CA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3713FF56-A953-40f7-B259-02EA20C519C2}	{F088499B-52D9-48c5-8F23-E45C605EDA2C}.exe

Executes dropped EXE 11 IoCs

pid	Process
1936	{16B6D052-036C-4b14-B6DE-6E4B943BDA27}.exe
2388	{390B7BF9-1572-4b0d-8535-430363E14233}.exe
2632	{337CE2C0-67F0-4dae-892D-F2E6ACD0B7CA}.exe
2332	{18F91018-4368-452c-9DFF-BE441052BD3D}.exe
1628	{9C2FB9BE-0DC6-4531-84FB-9A93235EE0F0}.exe
2328	{3B224E58-A84F-433a-A6D8-5B23BB5D0B36}.exe
1668	{0BA3789C-EC45-486a-9EC7-9D32AB573D29}.exe
576	{FF378E36-B50A-4730-AA73-428B31DA9E19}.exe
2640	{F088499B-52D9-48c5-8F23-E45C605EDA2C}.exe
2644	{3713FF56-A953-40f7-B259-02EA20C519C2}.exe
3068	{D200BCAD-B40B-418d-950B-0730FF9B8979}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{9C2FB9BE-0DC6-4531-84FB-9A93235EE0F0}.exe	{18F91018-4368-452c-9DFF-BE441052BD3D}.exe
File created	C:\Windows\{3B224E58-A84F-433a-A6D8-5B23BB5D0B36}.exe	{9C2FB9BE-0DC6-4531-84FB-9A93235EE0F0}.exe
File created	C:\Windows\{0BA3789C-EC45-486a-9EC7-9D32AB573D29}.exe	{3B224E58-A84F-433a-A6D8-5B23BB5D0B36}.exe
File created	C:\Windows\{D200BCAD-B40B-418d-950B-0730FF9B8979}.exe	{3713FF56-A953-40f7-B259-02EA20C519C2}.exe
File created	C:\Windows\{16B6D052-036C-4b14-B6DE-6E4B943BDA27}.exe	2024-01-25_5265c06bb8306f2281bac7ca6e8be549_goldeneye.exe
File created	C:\Windows\{18F91018-4368-452c-9DFF-BE441052BD3D}.exe	{337CE2C0-67F0-4dae-892D-F2E6ACD0B7CA}.exe
File created	C:\Windows\{FF378E36-B50A-4730-AA73-428B31DA9E19}.exe	{0BA3789C-EC45-486a-9EC7-9D32AB573D29}.exe
File created	C:\Windows\{F088499B-52D9-48c5-8F23-E45C605EDA2C}.exe	{FF378E36-B50A-4730-AA73-428B31DA9E19}.exe
File created	C:\Windows\{3713FF56-A953-40f7-B259-02EA20C519C2}.exe	{F088499B-52D9-48c5-8F23-E45C605EDA2C}.exe
File created	C:\Windows\{390B7BF9-1572-4b0d-8535-430363E14233}.exe	{16B6D052-036C-4b14-B6DE-6E4B943BDA27}.exe
File created	C:\Windows\{337CE2C0-67F0-4dae-892D-F2E6ACD0B7CA}.exe	{390B7BF9-1572-4b0d-8535-430363E14233}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2100	2024-01-25_5265c06bb8306f2281bac7ca6e8be549_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1936	{16B6D052-036C-4b14-B6DE-6E4B943BDA27}.exe
Token: SeIncBasePriorityPrivilege	2388	{390B7BF9-1572-4b0d-8535-430363E14233}.exe
Token: SeIncBasePriorityPrivilege	2632	{337CE2C0-67F0-4dae-892D-F2E6ACD0B7CA}.exe
Token: SeIncBasePriorityPrivilege	2332	{18F91018-4368-452c-9DFF-BE441052BD3D}.exe
Token: SeIncBasePriorityPrivilege	1628	{9C2FB9BE-0DC6-4531-84FB-9A93235EE0F0}.exe
Token: SeIncBasePriorityPrivilege	2328	{3B224E58-A84F-433a-A6D8-5B23BB5D0B36}.exe
Token: SeIncBasePriorityPrivilege	1668	{0BA3789C-EC45-486a-9EC7-9D32AB573D29}.exe
Token: SeIncBasePriorityPrivilege	576	{FF378E36-B50A-4730-AA73-428B31DA9E19}.exe
Token: SeIncBasePriorityPrivilege	2640	{F088499B-52D9-48c5-8F23-E45C605EDA2C}.exe
Token: SeIncBasePriorityPrivilege	2644	{3713FF56-A953-40f7-B259-02EA20C519C2}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2100 wrote to memory of 1936	2100	2024-01-25_5265c06bb8306f2281bac7ca6e8be549_goldeneye.exe	28
PID 2100 wrote to memory of 1936	2100	2024-01-25_5265c06bb8306f2281bac7ca6e8be549_goldeneye.exe	28
PID 2100 wrote to memory of 1936	2100	2024-01-25_5265c06bb8306f2281bac7ca6e8be549_goldeneye.exe	28
PID 2100 wrote to memory of 1936	2100	2024-01-25_5265c06bb8306f2281bac7ca6e8be549_goldeneye.exe	28
PID 2100 wrote to memory of 2192	2100	2024-01-25_5265c06bb8306f2281bac7ca6e8be549_goldeneye.exe	29
PID 2100 wrote to memory of 2192	2100	2024-01-25_5265c06bb8306f2281bac7ca6e8be549_goldeneye.exe	29
PID 2100 wrote to memory of 2192	2100	2024-01-25_5265c06bb8306f2281bac7ca6e8be549_goldeneye.exe	29
PID 2100 wrote to memory of 2192	2100	2024-01-25_5265c06bb8306f2281bac7ca6e8be549_goldeneye.exe	29
PID 1936 wrote to memory of 2388	1936	{16B6D052-036C-4b14-B6DE-6E4B943BDA27}.exe	30
PID 1936 wrote to memory of 2388	1936	{16B6D052-036C-4b14-B6DE-6E4B943BDA27}.exe	30
PID 1936 wrote to memory of 2388	1936	{16B6D052-036C-4b14-B6DE-6E4B943BDA27}.exe	30
PID 1936 wrote to memory of 2388	1936	{16B6D052-036C-4b14-B6DE-6E4B943BDA27}.exe	30
PID 1936 wrote to memory of 2548	1936	{16B6D052-036C-4b14-B6DE-6E4B943BDA27}.exe	31
PID 1936 wrote to memory of 2548	1936	{16B6D052-036C-4b14-B6DE-6E4B943BDA27}.exe	31
PID 1936 wrote to memory of 2548	1936	{16B6D052-036C-4b14-B6DE-6E4B943BDA27}.exe	31
PID 1936 wrote to memory of 2548	1936	{16B6D052-036C-4b14-B6DE-6E4B943BDA27}.exe	31
PID 2388 wrote to memory of 2632	2388	{390B7BF9-1572-4b0d-8535-430363E14233}.exe	34
PID 2388 wrote to memory of 2632	2388	{390B7BF9-1572-4b0d-8535-430363E14233}.exe	34
PID 2388 wrote to memory of 2632	2388	{390B7BF9-1572-4b0d-8535-430363E14233}.exe	34
PID 2388 wrote to memory of 2632	2388	{390B7BF9-1572-4b0d-8535-430363E14233}.exe	34
PID 2388 wrote to memory of 2432	2388	{390B7BF9-1572-4b0d-8535-430363E14233}.exe	35
PID 2388 wrote to memory of 2432	2388	{390B7BF9-1572-4b0d-8535-430363E14233}.exe	35
PID 2388 wrote to memory of 2432	2388	{390B7BF9-1572-4b0d-8535-430363E14233}.exe	35
PID 2388 wrote to memory of 2432	2388	{390B7BF9-1572-4b0d-8535-430363E14233}.exe	35
PID 2632 wrote to memory of 2332	2632	{337CE2C0-67F0-4dae-892D-F2E6ACD0B7CA}.exe	37
PID 2632 wrote to memory of 2332	2632	{337CE2C0-67F0-4dae-892D-F2E6ACD0B7CA}.exe	37
PID 2632 wrote to memory of 2332	2632	{337CE2C0-67F0-4dae-892D-F2E6ACD0B7CA}.exe	37
PID 2632 wrote to memory of 2332	2632	{337CE2C0-67F0-4dae-892D-F2E6ACD0B7CA}.exe	37
PID 2632 wrote to memory of 2744	2632	{337CE2C0-67F0-4dae-892D-F2E6ACD0B7CA}.exe	36
PID 2632 wrote to memory of 2744	2632	{337CE2C0-67F0-4dae-892D-F2E6ACD0B7CA}.exe	36
PID 2632 wrote to memory of 2744	2632	{337CE2C0-67F0-4dae-892D-F2E6ACD0B7CA}.exe	36
PID 2632 wrote to memory of 2744	2632	{337CE2C0-67F0-4dae-892D-F2E6ACD0B7CA}.exe	36
PID 2332 wrote to memory of 1628	2332	{18F91018-4368-452c-9DFF-BE441052BD3D}.exe	39
PID 2332 wrote to memory of 1628	2332	{18F91018-4368-452c-9DFF-BE441052BD3D}.exe	39
PID 2332 wrote to memory of 1628	2332	{18F91018-4368-452c-9DFF-BE441052BD3D}.exe	39
PID 2332 wrote to memory of 1628	2332	{18F91018-4368-452c-9DFF-BE441052BD3D}.exe	39
PID 2332 wrote to memory of 584	2332	{18F91018-4368-452c-9DFF-BE441052BD3D}.exe	38
PID 2332 wrote to memory of 584	2332	{18F91018-4368-452c-9DFF-BE441052BD3D}.exe	38
PID 2332 wrote to memory of 584	2332	{18F91018-4368-452c-9DFF-BE441052BD3D}.exe	38
PID 2332 wrote to memory of 584	2332	{18F91018-4368-452c-9DFF-BE441052BD3D}.exe	38
PID 1628 wrote to memory of 2328	1628	{9C2FB9BE-0DC6-4531-84FB-9A93235EE0F0}.exe	41
PID 1628 wrote to memory of 2328	1628	{9C2FB9BE-0DC6-4531-84FB-9A93235EE0F0}.exe	41
PID 1628 wrote to memory of 2328	1628	{9C2FB9BE-0DC6-4531-84FB-9A93235EE0F0}.exe	41
PID 1628 wrote to memory of 2328	1628	{9C2FB9BE-0DC6-4531-84FB-9A93235EE0F0}.exe	41
PID 1628 wrote to memory of 2224	1628	{9C2FB9BE-0DC6-4531-84FB-9A93235EE0F0}.exe	40
PID 1628 wrote to memory of 2224	1628	{9C2FB9BE-0DC6-4531-84FB-9A93235EE0F0}.exe	40
PID 1628 wrote to memory of 2224	1628	{9C2FB9BE-0DC6-4531-84FB-9A93235EE0F0}.exe	40
PID 1628 wrote to memory of 2224	1628	{9C2FB9BE-0DC6-4531-84FB-9A93235EE0F0}.exe	40
PID 2328 wrote to memory of 1668	2328	{3B224E58-A84F-433a-A6D8-5B23BB5D0B36}.exe	42
PID 2328 wrote to memory of 1668	2328	{3B224E58-A84F-433a-A6D8-5B23BB5D0B36}.exe	42
PID 2328 wrote to memory of 1668	2328	{3B224E58-A84F-433a-A6D8-5B23BB5D0B36}.exe	42
PID 2328 wrote to memory of 1668	2328	{3B224E58-A84F-433a-A6D8-5B23BB5D0B36}.exe	42
PID 2328 wrote to memory of 388	2328	{3B224E58-A84F-433a-A6D8-5B23BB5D0B36}.exe	43
PID 2328 wrote to memory of 388	2328	{3B224E58-A84F-433a-A6D8-5B23BB5D0B36}.exe	43
PID 2328 wrote to memory of 388	2328	{3B224E58-A84F-433a-A6D8-5B23BB5D0B36}.exe	43
PID 2328 wrote to memory of 388	2328	{3B224E58-A84F-433a-A6D8-5B23BB5D0B36}.exe	43
PID 1668 wrote to memory of 576	1668	{0BA3789C-EC45-486a-9EC7-9D32AB573D29}.exe	45
PID 1668 wrote to memory of 576	1668	{0BA3789C-EC45-486a-9EC7-9D32AB573D29}.exe	45
PID 1668 wrote to memory of 576	1668	{0BA3789C-EC45-486a-9EC7-9D32AB573D29}.exe	45
PID 1668 wrote to memory of 576	1668	{0BA3789C-EC45-486a-9EC7-9D32AB573D29}.exe	45
PID 1668 wrote to memory of 1480	1668	{0BA3789C-EC45-486a-9EC7-9D32AB573D29}.exe	44
PID 1668 wrote to memory of 1480	1668	{0BA3789C-EC45-486a-9EC7-9D32AB573D29}.exe	44
PID 1668 wrote to memory of 1480	1668	{0BA3789C-EC45-486a-9EC7-9D32AB573D29}.exe	44
PID 1668 wrote to memory of 1480	1668	{0BA3789C-EC45-486a-9EC7-9D32AB573D29}.exe	44

C:\Users\Admin\AppData\Local\Temp\2024-01-25_5265c06bb8306f2281bac7ca6e8be549_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-25_5265c06bb8306f2281bac7ca6e8be549_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2100
- C:\Windows\{16B6D052-036C-4b14-B6DE-6E4B943BDA27}.exe
  C:\Windows\{16B6D052-036C-4b14-B6DE-6E4B943BDA27}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1936
- - C:\Windows\{390B7BF9-1572-4b0d-8535-430363E14233}.exe
    C:\Windows\{390B7BF9-1572-4b0d-8535-430363E14233}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2388
  - - C:\Windows\{337CE2C0-67F0-4dae-892D-F2E6ACD0B7CA}.exe
      C:\Windows\{337CE2C0-67F0-4dae-892D-F2E6ACD0B7CA}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2632
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{337CE~1.EXE > nul
        5⤵
        
        PID:2744
    - - C:\Windows\{18F91018-4368-452c-9DFF-BE441052BD3D}.exe
        
        C:\Windows\{18F91018-4368-452c-9DFF-BE441052BD3D}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2332
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{18F91~1.EXE > nul
        6⤵
        
        PID:584
      - C:\Windows\{9C2FB9BE-0DC6-4531-84FB-9A93235EE0F0}.exe
        
        C:\Windows\{9C2FB9BE-0DC6-4531-84FB-9A93235EE0F0}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9C2FB~1.EXE > nul
        7⤵
        
        PID:2224
        
        C:\Windows\{3B224E58-A84F-433a-A6D8-5B23BB5D0B36}.exe
        
        C:\Windows\{3B224E58-A84F-433a-A6D8-5B23BB5D0B36}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2328
        
        C:\Windows\{0BA3789C-EC45-486a-9EC7-9D32AB573D29}.exe
        
        C:\Windows\{0BA3789C-EC45-486a-9EC7-9D32AB573D29}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0BA37~1.EXE > nul
        9⤵
        
        PID:1480
        
        C:\Windows\{FF378E36-B50A-4730-AA73-428B31DA9E19}.exe
        
        C:\Windows\{FF378E36-B50A-4730-AA73-428B31DA9E19}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:576
        
        C:\Windows\{F088499B-52D9-48c5-8F23-E45C605EDA2C}.exe
        
        C:\Windows\{F088499B-52D9-48c5-8F23-E45C605EDA2C}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2640
        
        C:\Windows\{3713FF56-A953-40f7-B259-02EA20C519C2}.exe
        
        C:\Windows\{3713FF56-A953-40f7-B259-02EA20C519C2}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2644
        
        C:\Windows\{D200BCAD-B40B-418d-950B-0730FF9B8979}.exe
        
        C:\Windows\{D200BCAD-B40B-418d-950B-0730FF9B8979}.exe
        12⤵
        Executes dropped EXE
        
        PID:3068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3713F~1.EXE > nul
        12⤵
        
        PID:692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F0884~1.EXE > nul
        11⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FF378~1.EXE > nul
        10⤵
        
        PID:1104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3B224~1.EXE > nul
        8⤵
        
        PID:388
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{390B7~1.EXE > nul
      4⤵
      PID:2432
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{16B6D~1.EXE > nul
    3⤵
    PID:2548
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2192

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0BA3789C-EC45-486a-9EC7-9D32AB573D29}.exe

Filesize
197KB

MD5
69715a2c605d8c38a0b41ca5dc6ac8f6

SHA1
a0c5508644e702478926e6f581f80680d288c624

SHA256
d141c1403f9560dba56646ac3921f49518d67da7aa737800f568be6b34145887

SHA512
66c8a80dd74df2cdbae195840a50cd2222a74a6f0d3b0af01261fcba811ef74d688cf29f4e90492052302c7814e43b87f7c9258be50c1a1f88ef778575bd1576

Download Submit
C:\Windows\{16B6D052-036C-4b14-B6DE-6E4B943BDA27}.exe

Filesize
197KB

MD5
81ed75f4db899ec1813bbeebc45fafc4

SHA1
8952d73ad759f192512cc9fb42e49dc076a72dba

SHA256
a07dec1dfa4166321cdb7f55fb6988ab3e2aff5f778b51df277981a95884800c

SHA512
121507652212c64bde14d3d42b13678121183d62e5f6cc59823217bbe02905364c25f17f8cfeff743962f9c71eadcccd98a455c07188dbafc12d226bad171c70

Download Submit
C:\Windows\{18F91018-4368-452c-9DFF-BE441052BD3D}.exe

Filesize
197KB

MD5
1471074ec87db1accd95712d1f431988

SHA1
88138c3940df5b14fcc09cda53c3972d0cb25999

SHA256
7e34dd5000683d07037a9566047d3a3bc13e9fa17662e323d6d31e37dda0fe99

SHA512
177dc101c35cac4fb8eb110da0bd3466a39e2c4a98c45e172f25d87b52ec5064358c9ffb1cad26d28de57c2f4513fa48aee36ce8c4acde043616d54e30cf2750

Download Submit
C:\Windows\{337CE2C0-67F0-4dae-892D-F2E6ACD0B7CA}.exe

Filesize
197KB

MD5
c857ecd45c3a13cb4eefcad177073c33

SHA1
af7f08208780a5df6c69541fe1332efa80a279f8

SHA256
875259155d61d8629ee71a0844f2a3f9806646c10fcc912033e3da9d2e83a880

SHA512
fa5a2b574355da731dd7ca2e2925494066a35b1f3455fdf688412640bf550d87a627e143fd4adc10ffc9585257e3b64b6f6fae60d149e9637c654e9c6867556d

Download Submit
C:\Windows\{3713FF56-A953-40f7-B259-02EA20C519C2}.exe

Filesize
197KB

MD5
4a1fb78bdf48cb3a83867c05dd7b59e4

SHA1
0d9743183e5fe248f626d5a34be327fe51de6bb5

SHA256
de688e356d7942ab6cb2c5e90d6a583c31ef777c8ef820bf304df07dcea84906

SHA512
9fafda00d980ffb6e884b2f82c4dbc30db9c62692755730b90cafcba44bb729d62ffbc3cc6eeba593764b9fcbf3463b4dce513f4f7b5947b3dcd87e04887074b

Download Submit
C:\Windows\{390B7BF9-1572-4b0d-8535-430363E14233}.exe

Filesize
197KB

MD5
c87196740dfad476242ab47cf79691db

SHA1
6a1987265ef3806e80c7331f8111fe498fa1b068

SHA256
0708b812d269676e018a86898895528dfdd2949eccb39716716e65d57cc84cf7

SHA512
2f186b25a3bef0b0556966e17937978af9199b871dc8a104d0ee88aea67f5e77077ffdd81d0043d89924f05a0637b6e55848e2b0a365b385c5de8b613f3ecfbe

Download Submit
C:\Windows\{3B224E58-A84F-433a-A6D8-5B23BB5D0B36}.exe

Filesize
197KB

MD5
12de713bb7602ce166371231a3a0e3dd

SHA1
112aa8863f5b95b1fb5d8c2bbd1ae322e982b0a8

SHA256
d7e5ffc3e5fa592d0280a6507d292ea9d3ed90a75824c4fedaf62eced4d2d76e

SHA512
81d313d2e4ee527699765aad53ad03d85a416fabb2f86a9ebd241b099fb570c601df52390bf5d735952e305ad63f8596a453fd5a7ed4cd0534678db355e6b183

Download Submit
C:\Windows\{9C2FB9BE-0DC6-4531-84FB-9A93235EE0F0}.exe

Filesize
197KB

MD5
0bdfac469bdf86bad05341952e5e13e2

SHA1
43e9c0360dc54e3c7249882c5071d9cdbe0f1b79

SHA256
dff06d3f09b432c1ead6fc48816f690b0f7c956f499f8b998edcf7fb3385dcf0

SHA512
ae797d33767db8faa48460ca4a52669b05ac2067817c056e1229f21215a5dac0c4fee55e4ce9b9a9bc799990286b3627a7536d07b93bc65a9dc336835de908f0

Download Submit
C:\Windows\{D200BCAD-B40B-418d-950B-0730FF9B8979}.exe

Filesize
197KB

MD5
b626ca8a276a004270ceae1bd80f9700

SHA1
1100a7f021fe72248a2ca5a5fa69b92c86d5889e

SHA256
a702ee6118a88f54ea00c56738c408da19e8a727ead226fc6474e034629d2f7d

SHA512
a8022ec8304e0234894120ab6786a3fcf5ab9daca74c592dde1213d6f0673b7922fb9f8ee5fad60ca8069f5feead838591652dd873b12a0eaac10395ee9d17d1

Download Submit
C:\Windows\{F088499B-52D9-48c5-8F23-E45C605EDA2C}.exe

Filesize
197KB

MD5
f1ca2717bdbdc347855975ebef5f3ff7

SHA1
91d6c95272f9cc11c8047be13365dcc5ab4699f3

SHA256
88ff92b4dbab7169c4119ba88808477037b9098a679ee91469389a4472c83aa8

SHA512
2c830cf8ba9667458b35f3423aeb8e096438d0b0c786fd832e10e6c7a48d5ead2a8cd5e0bacc6d316f62e2d164674568527c93d9ce849e49cac20fb789086c63

Download Submit
C:\Windows\{FF378E36-B50A-4730-AA73-428B31DA9E19}.exe

Filesize
197KB

MD5
64f79ee0a49c4f4ddd1a2ace8c9558fb

SHA1
da7ebc988325a36963620f6978405747707d6689

SHA256
00bc1eb2db626f221d679481d80a1df63b3583246d18f3076ff239a7ad53e848

SHA512
e445cd6d2e6cd5034eeb572ef132541a18ec158029d715e8cdf99ae626ea84417e517ef38548068017757186c1ef2bdb9ea41e77a221ac1614f0d1b3473701e3

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads