8398cc780c9f9ec016645623b1191150b2a581702c68d972d756c1c0219c51c1

Analysis

max time kernel
144s
max time network
121s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
04/02/2024, 14:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-04_c520f96830d571349746855ed638806e_goldeneye.exe
Size

408KB
MD5

c520f96830d571349746855ed638806e
SHA1

0ba7f003afcd0d940db493664e4663f9a4fb6769
SHA256

8398cc780c9f9ec016645623b1191150b2a581702c68d972d756c1c0219c51c1
SHA512

6ad019c859e84e0ee0a2fae68f5e1066315b7fd02d3b329f9cf48e6837664c1a18b80aef463a57ee54450c9a60d519498fa8206182d5b00ba4bc5639344920cc
SSDEEP

3072:CEGh0oSl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGMldOe2MUVg3vTeKcAEciTBqr3jy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x00050000000120fa-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b00000001226e-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00060000000120fa-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000300000000b1f7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000400000000b1f7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000500000000b1f7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000600000000b1f7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{48AC58B2-64FB-427d-9291-BE6A0182EA6F}\stubpath = "C:\\Windows\\{48AC58B2-64FB-427d-9291-BE6A0182EA6F}.exe"	{F80C5D3D-E1C9-4a2b-A3BD-04A24364A1EA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{52D173B1-AB93-4c75-B2E6-886C711C2929}\stubpath = "C:\\Windows\\{52D173B1-AB93-4c75-B2E6-886C711C2929}.exe"	{59499B7F-E4E4-4693-A9B8-B1F548D39BF0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B0CB59B1-EAD0-48d2-A559-69231257F087}	2024-02-04_c520f96830d571349746855ed638806e_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{94AEBB26-32A1-491e-9B1A-56B49378FC4C}\stubpath = "C:\\Windows\\{94AEBB26-32A1-491e-9B1A-56B49378FC4C}.exe"	{B0CB59B1-EAD0-48d2-A559-69231257F087}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5A81A8BB-2366-4747-8AD3-FA0D5DBA53E9}	{94AEBB26-32A1-491e-9B1A-56B49378FC4C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E1BE2324-5FBD-4b39-B244-2596390B0972}	{DB4C2EE2-54BB-444d-8DF1-9790E2BE5FFB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A9DE9C0A-18EC-4e1a-A087-0A4BAA76135D}	{E1BE2324-5FBD-4b39-B244-2596390B0972}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A9DE9C0A-18EC-4e1a-A087-0A4BAA76135D}\stubpath = "C:\\Windows\\{A9DE9C0A-18EC-4e1a-A087-0A4BAA76135D}.exe"	{E1BE2324-5FBD-4b39-B244-2596390B0972}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FDC54DE9-EFC9-4175-8596-D316069BC452}	{52D173B1-AB93-4c75-B2E6-886C711C2929}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FDC54DE9-EFC9-4175-8596-D316069BC452}\stubpath = "C:\\Windows\\{FDC54DE9-EFC9-4175-8596-D316069BC452}.exe"	{52D173B1-AB93-4c75-B2E6-886C711C2929}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{48AC58B2-64FB-427d-9291-BE6A0182EA6F}	{F80C5D3D-E1C9-4a2b-A3BD-04A24364A1EA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{59499B7F-E4E4-4693-A9B8-B1F548D39BF0}	{48AC58B2-64FB-427d-9291-BE6A0182EA6F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{94AEBB26-32A1-491e-9B1A-56B49378FC4C}	{B0CB59B1-EAD0-48d2-A559-69231257F087}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5A81A8BB-2366-4747-8AD3-FA0D5DBA53E9}\stubpath = "C:\\Windows\\{5A81A8BB-2366-4747-8AD3-FA0D5DBA53E9}.exe"	{94AEBB26-32A1-491e-9B1A-56B49378FC4C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DB4C2EE2-54BB-444d-8DF1-9790E2BE5FFB}	{5A81A8BB-2366-4747-8AD3-FA0D5DBA53E9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DB4C2EE2-54BB-444d-8DF1-9790E2BE5FFB}\stubpath = "C:\\Windows\\{DB4C2EE2-54BB-444d-8DF1-9790E2BE5FFB}.exe"	{5A81A8BB-2366-4747-8AD3-FA0D5DBA53E9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F80C5D3D-E1C9-4a2b-A3BD-04A24364A1EA}	{A9DE9C0A-18EC-4e1a-A087-0A4BAA76135D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F80C5D3D-E1C9-4a2b-A3BD-04A24364A1EA}\stubpath = "C:\\Windows\\{F80C5D3D-E1C9-4a2b-A3BD-04A24364A1EA}.exe"	{A9DE9C0A-18EC-4e1a-A087-0A4BAA76135D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{59499B7F-E4E4-4693-A9B8-B1F548D39BF0}\stubpath = "C:\\Windows\\{59499B7F-E4E4-4693-A9B8-B1F548D39BF0}.exe"	{48AC58B2-64FB-427d-9291-BE6A0182EA6F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B0CB59B1-EAD0-48d2-A559-69231257F087}\stubpath = "C:\\Windows\\{B0CB59B1-EAD0-48d2-A559-69231257F087}.exe"	2024-02-04_c520f96830d571349746855ed638806e_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E1BE2324-5FBD-4b39-B244-2596390B0972}\stubpath = "C:\\Windows\\{E1BE2324-5FBD-4b39-B244-2596390B0972}.exe"	{DB4C2EE2-54BB-444d-8DF1-9790E2BE5FFB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{52D173B1-AB93-4c75-B2E6-886C711C2929}	{59499B7F-E4E4-4693-A9B8-B1F548D39BF0}.exe

Deletes itself 1 IoCs

pid	Process
2756	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2392	{B0CB59B1-EAD0-48d2-A559-69231257F087}.exe
2816	{94AEBB26-32A1-491e-9B1A-56B49378FC4C}.exe
2796	{5A81A8BB-2366-4747-8AD3-FA0D5DBA53E9}.exe
2888	{DB4C2EE2-54BB-444d-8DF1-9790E2BE5FFB}.exe
2844	{E1BE2324-5FBD-4b39-B244-2596390B0972}.exe
1904	{A9DE9C0A-18EC-4e1a-A087-0A4BAA76135D}.exe
2860	{F80C5D3D-E1C9-4a2b-A3BD-04A24364A1EA}.exe
640	{48AC58B2-64FB-427d-9291-BE6A0182EA6F}.exe
2388	{59499B7F-E4E4-4693-A9B8-B1F548D39BF0}.exe
1328	{52D173B1-AB93-4c75-B2E6-886C711C2929}.exe
2300	{FDC54DE9-EFC9-4175-8596-D316069BC452}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{B0CB59B1-EAD0-48d2-A559-69231257F087}.exe	2024-02-04_c520f96830d571349746855ed638806e_goldeneye.exe
File created	C:\Windows\{94AEBB26-32A1-491e-9B1A-56B49378FC4C}.exe	{B0CB59B1-EAD0-48d2-A559-69231257F087}.exe
File created	C:\Windows\{5A81A8BB-2366-4747-8AD3-FA0D5DBA53E9}.exe	{94AEBB26-32A1-491e-9B1A-56B49378FC4C}.exe
File created	C:\Windows\{F80C5D3D-E1C9-4a2b-A3BD-04A24364A1EA}.exe	{A9DE9C0A-18EC-4e1a-A087-0A4BAA76135D}.exe
File created	C:\Windows\{59499B7F-E4E4-4693-A9B8-B1F548D39BF0}.exe	{48AC58B2-64FB-427d-9291-BE6A0182EA6F}.exe
File created	C:\Windows\{52D173B1-AB93-4c75-B2E6-886C711C2929}.exe	{59499B7F-E4E4-4693-A9B8-B1F548D39BF0}.exe
File created	C:\Windows\{FDC54DE9-EFC9-4175-8596-D316069BC452}.exe	{52D173B1-AB93-4c75-B2E6-886C711C2929}.exe
File created	C:\Windows\{DB4C2EE2-54BB-444d-8DF1-9790E2BE5FFB}.exe	{5A81A8BB-2366-4747-8AD3-FA0D5DBA53E9}.exe
File created	C:\Windows\{E1BE2324-5FBD-4b39-B244-2596390B0972}.exe	{DB4C2EE2-54BB-444d-8DF1-9790E2BE5FFB}.exe
File created	C:\Windows\{A9DE9C0A-18EC-4e1a-A087-0A4BAA76135D}.exe	{E1BE2324-5FBD-4b39-B244-2596390B0972}.exe
File created	C:\Windows\{48AC58B2-64FB-427d-9291-BE6A0182EA6F}.exe	{F80C5D3D-E1C9-4a2b-A3BD-04A24364A1EA}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2172	2024-02-04_c520f96830d571349746855ed638806e_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2392	{B0CB59B1-EAD0-48d2-A559-69231257F087}.exe
Token: SeIncBasePriorityPrivilege	2816	{94AEBB26-32A1-491e-9B1A-56B49378FC4C}.exe
Token: SeIncBasePriorityPrivilege	2796	{5A81A8BB-2366-4747-8AD3-FA0D5DBA53E9}.exe
Token: SeIncBasePriorityPrivilege	2888	{DB4C2EE2-54BB-444d-8DF1-9790E2BE5FFB}.exe
Token: SeIncBasePriorityPrivilege	2844	{E1BE2324-5FBD-4b39-B244-2596390B0972}.exe
Token: SeIncBasePriorityPrivilege	1904	{A9DE9C0A-18EC-4e1a-A087-0A4BAA76135D}.exe
Token: SeIncBasePriorityPrivilege	2860	{F80C5D3D-E1C9-4a2b-A3BD-04A24364A1EA}.exe
Token: SeIncBasePriorityPrivilege	640	{48AC58B2-64FB-427d-9291-BE6A0182EA6F}.exe
Token: SeIncBasePriorityPrivilege	2388	{59499B7F-E4E4-4693-A9B8-B1F548D39BF0}.exe
Token: SeIncBasePriorityPrivilege	1328	{52D173B1-AB93-4c75-B2E6-886C711C2929}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2172 wrote to memory of 2392	2172	2024-02-04_c520f96830d571349746855ed638806e_goldeneye.exe	28
PID 2172 wrote to memory of 2392	2172	2024-02-04_c520f96830d571349746855ed638806e_goldeneye.exe	28
PID 2172 wrote to memory of 2392	2172	2024-02-04_c520f96830d571349746855ed638806e_goldeneye.exe	28
PID 2172 wrote to memory of 2392	2172	2024-02-04_c520f96830d571349746855ed638806e_goldeneye.exe	28
PID 2172 wrote to memory of 2756	2172	2024-02-04_c520f96830d571349746855ed638806e_goldeneye.exe	29
PID 2172 wrote to memory of 2756	2172	2024-02-04_c520f96830d571349746855ed638806e_goldeneye.exe	29
PID 2172 wrote to memory of 2756	2172	2024-02-04_c520f96830d571349746855ed638806e_goldeneye.exe	29
PID 2172 wrote to memory of 2756	2172	2024-02-04_c520f96830d571349746855ed638806e_goldeneye.exe	29
PID 2392 wrote to memory of 2816	2392	{B0CB59B1-EAD0-48d2-A559-69231257F087}.exe	30
PID 2392 wrote to memory of 2816	2392	{B0CB59B1-EAD0-48d2-A559-69231257F087}.exe	30
PID 2392 wrote to memory of 2816	2392	{B0CB59B1-EAD0-48d2-A559-69231257F087}.exe	30
PID 2392 wrote to memory of 2816	2392	{B0CB59B1-EAD0-48d2-A559-69231257F087}.exe	30
PID 2392 wrote to memory of 2772	2392	{B0CB59B1-EAD0-48d2-A559-69231257F087}.exe	31
PID 2392 wrote to memory of 2772	2392	{B0CB59B1-EAD0-48d2-A559-69231257F087}.exe	31
PID 2392 wrote to memory of 2772	2392	{B0CB59B1-EAD0-48d2-A559-69231257F087}.exe	31
PID 2392 wrote to memory of 2772	2392	{B0CB59B1-EAD0-48d2-A559-69231257F087}.exe	31
PID 2816 wrote to memory of 2796	2816	{94AEBB26-32A1-491e-9B1A-56B49378FC4C}.exe	33
PID 2816 wrote to memory of 2796	2816	{94AEBB26-32A1-491e-9B1A-56B49378FC4C}.exe	33
PID 2816 wrote to memory of 2796	2816	{94AEBB26-32A1-491e-9B1A-56B49378FC4C}.exe	33
PID 2816 wrote to memory of 2796	2816	{94AEBB26-32A1-491e-9B1A-56B49378FC4C}.exe	33
PID 2816 wrote to memory of 2784	2816	{94AEBB26-32A1-491e-9B1A-56B49378FC4C}.exe	32
PID 2816 wrote to memory of 2784	2816	{94AEBB26-32A1-491e-9B1A-56B49378FC4C}.exe	32
PID 2816 wrote to memory of 2784	2816	{94AEBB26-32A1-491e-9B1A-56B49378FC4C}.exe	32
PID 2816 wrote to memory of 2784	2816	{94AEBB26-32A1-491e-9B1A-56B49378FC4C}.exe	32
PID 2796 wrote to memory of 2888	2796	{5A81A8BB-2366-4747-8AD3-FA0D5DBA53E9}.exe	36
PID 2796 wrote to memory of 2888	2796	{5A81A8BB-2366-4747-8AD3-FA0D5DBA53E9}.exe	36
PID 2796 wrote to memory of 2888	2796	{5A81A8BB-2366-4747-8AD3-FA0D5DBA53E9}.exe	36
PID 2796 wrote to memory of 2888	2796	{5A81A8BB-2366-4747-8AD3-FA0D5DBA53E9}.exe	36
PID 2796 wrote to memory of 2872	2796	{5A81A8BB-2366-4747-8AD3-FA0D5DBA53E9}.exe	37
PID 2796 wrote to memory of 2872	2796	{5A81A8BB-2366-4747-8AD3-FA0D5DBA53E9}.exe	37
PID 2796 wrote to memory of 2872	2796	{5A81A8BB-2366-4747-8AD3-FA0D5DBA53E9}.exe	37
PID 2796 wrote to memory of 2872	2796	{5A81A8BB-2366-4747-8AD3-FA0D5DBA53E9}.exe	37
PID 2888 wrote to memory of 2844	2888	{DB4C2EE2-54BB-444d-8DF1-9790E2BE5FFB}.exe	39
PID 2888 wrote to memory of 2844	2888	{DB4C2EE2-54BB-444d-8DF1-9790E2BE5FFB}.exe	39
PID 2888 wrote to memory of 2844	2888	{DB4C2EE2-54BB-444d-8DF1-9790E2BE5FFB}.exe	39
PID 2888 wrote to memory of 2844	2888	{DB4C2EE2-54BB-444d-8DF1-9790E2BE5FFB}.exe	39
PID 2888 wrote to memory of 2840	2888	{DB4C2EE2-54BB-444d-8DF1-9790E2BE5FFB}.exe	38
PID 2888 wrote to memory of 2840	2888	{DB4C2EE2-54BB-444d-8DF1-9790E2BE5FFB}.exe	38
PID 2888 wrote to memory of 2840	2888	{DB4C2EE2-54BB-444d-8DF1-9790E2BE5FFB}.exe	38
PID 2888 wrote to memory of 2840	2888	{DB4C2EE2-54BB-444d-8DF1-9790E2BE5FFB}.exe	38
PID 2844 wrote to memory of 1904	2844	{E1BE2324-5FBD-4b39-B244-2596390B0972}.exe	40
PID 2844 wrote to memory of 1904	2844	{E1BE2324-5FBD-4b39-B244-2596390B0972}.exe	40
PID 2844 wrote to memory of 1904	2844	{E1BE2324-5FBD-4b39-B244-2596390B0972}.exe	40
PID 2844 wrote to memory of 1904	2844	{E1BE2324-5FBD-4b39-B244-2596390B0972}.exe	40
PID 2844 wrote to memory of 800	2844	{E1BE2324-5FBD-4b39-B244-2596390B0972}.exe	41
PID 2844 wrote to memory of 800	2844	{E1BE2324-5FBD-4b39-B244-2596390B0972}.exe	41
PID 2844 wrote to memory of 800	2844	{E1BE2324-5FBD-4b39-B244-2596390B0972}.exe	41
PID 2844 wrote to memory of 800	2844	{E1BE2324-5FBD-4b39-B244-2596390B0972}.exe	41
PID 1904 wrote to memory of 2860	1904	{A9DE9C0A-18EC-4e1a-A087-0A4BAA76135D}.exe	42
PID 1904 wrote to memory of 2860	1904	{A9DE9C0A-18EC-4e1a-A087-0A4BAA76135D}.exe	42
PID 1904 wrote to memory of 2860	1904	{A9DE9C0A-18EC-4e1a-A087-0A4BAA76135D}.exe	42
PID 1904 wrote to memory of 2860	1904	{A9DE9C0A-18EC-4e1a-A087-0A4BAA76135D}.exe	42
PID 1904 wrote to memory of 548	1904	{A9DE9C0A-18EC-4e1a-A087-0A4BAA76135D}.exe	43
PID 1904 wrote to memory of 548	1904	{A9DE9C0A-18EC-4e1a-A087-0A4BAA76135D}.exe	43
PID 1904 wrote to memory of 548	1904	{A9DE9C0A-18EC-4e1a-A087-0A4BAA76135D}.exe	43
PID 1904 wrote to memory of 548	1904	{A9DE9C0A-18EC-4e1a-A087-0A4BAA76135D}.exe	43
PID 2860 wrote to memory of 640	2860	{F80C5D3D-E1C9-4a2b-A3BD-04A24364A1EA}.exe	44
PID 2860 wrote to memory of 640	2860	{F80C5D3D-E1C9-4a2b-A3BD-04A24364A1EA}.exe	44
PID 2860 wrote to memory of 640	2860	{F80C5D3D-E1C9-4a2b-A3BD-04A24364A1EA}.exe	44
PID 2860 wrote to memory of 640	2860	{F80C5D3D-E1C9-4a2b-A3BD-04A24364A1EA}.exe	44
PID 2860 wrote to memory of 2916	2860	{F80C5D3D-E1C9-4a2b-A3BD-04A24364A1EA}.exe	45
PID 2860 wrote to memory of 2916	2860	{F80C5D3D-E1C9-4a2b-A3BD-04A24364A1EA}.exe	45
PID 2860 wrote to memory of 2916	2860	{F80C5D3D-E1C9-4a2b-A3BD-04A24364A1EA}.exe	45
PID 2860 wrote to memory of 2916	2860	{F80C5D3D-E1C9-4a2b-A3BD-04A24364A1EA}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-02-04_c520f96830d571349746855ed638806e_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-04_c520f96830d571349746855ed638806e_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2172
- C:\Windows\{B0CB59B1-EAD0-48d2-A559-69231257F087}.exe
  C:\Windows\{B0CB59B1-EAD0-48d2-A559-69231257F087}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2392
- - C:\Windows\{94AEBB26-32A1-491e-9B1A-56B49378FC4C}.exe
    C:\Windows\{94AEBB26-32A1-491e-9B1A-56B49378FC4C}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2816
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{94AEB~1.EXE > nul
      4⤵
      PID:2784
  - - C:\Windows\{5A81A8BB-2366-4747-8AD3-FA0D5DBA53E9}.exe
      C:\Windows\{5A81A8BB-2366-4747-8AD3-FA0D5DBA53E9}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2796
    - - C:\Windows\{DB4C2EE2-54BB-444d-8DF1-9790E2BE5FFB}.exe
        
        C:\Windows\{DB4C2EE2-54BB-444d-8DF1-9790E2BE5FFB}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2888
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DB4C2~1.EXE > nul
        6⤵
        
        PID:2840
      - C:\Windows\{E1BE2324-5FBD-4b39-B244-2596390B0972}.exe
        
        C:\Windows\{E1BE2324-5FBD-4b39-B244-2596390B0972}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2844
        
        C:\Windows\{A9DE9C0A-18EC-4e1a-A087-0A4BAA76135D}.exe
        
        C:\Windows\{A9DE9C0A-18EC-4e1a-A087-0A4BAA76135D}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1904
        
        C:\Windows\{F80C5D3D-E1C9-4a2b-A3BD-04A24364A1EA}.exe
        
        C:\Windows\{F80C5D3D-E1C9-4a2b-A3BD-04A24364A1EA}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2860
        
        C:\Windows\{48AC58B2-64FB-427d-9291-BE6A0182EA6F}.exe
        
        C:\Windows\{48AC58B2-64FB-427d-9291-BE6A0182EA6F}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:640
        
        C:\Windows\{59499B7F-E4E4-4693-A9B8-B1F548D39BF0}.exe
        
        C:\Windows\{59499B7F-E4E4-4693-A9B8-B1F548D39BF0}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2388
        
        C:\Windows\{52D173B1-AB93-4c75-B2E6-886C711C2929}.exe
        
        C:\Windows\{52D173B1-AB93-4c75-B2E6-886C711C2929}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1328
        
        C:\Windows\{FDC54DE9-EFC9-4175-8596-D316069BC452}.exe
        
        C:\Windows\{FDC54DE9-EFC9-4175-8596-D316069BC452}.exe
        12⤵
        Executes dropped EXE
        
        PID:2300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{52D17~1.EXE > nul
        12⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{59499~1.EXE > nul
        11⤵
        
        PID:768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{48AC5~1.EXE > nul
        10⤵
        
        PID:1560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F80C5~1.EXE > nul
        9⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A9DE9~1.EXE > nul
        8⤵
        
        PID:548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E1BE2~1.EXE > nul
        7⤵
        
        PID:800
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5A81A~1.EXE > nul
        5⤵
        
        PID:2872
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{B0CB5~1.EXE > nul
    3⤵
    PID:2772
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{48AC58B2-64FB-427d-9291-BE6A0182EA6F}.exe

Filesize
408KB

MD5
cd13ff261ce77cda2c90c9675beb193d

SHA1
418a292e7ad2f784283d4f6f6ffbcfc5c5bf686d

SHA256
cc5c7aea5db8f116f23daf0f835fdac14eb986abb002f1b7fd15c92c5e324e68

SHA512
a7334323a9c74a4b83c04afee3f7da228a5c989b259155d594722f4e89371c056db3f3a7a35ac1a9f33171ded550f60c40b1978a94955d741313bbfad4520519

Download Submit
C:\Windows\{52D173B1-AB93-4c75-B2E6-886C711C2929}.exe

Filesize
408KB

MD5
3302efbca65745967b645ebaa6b997a3

SHA1
3b4c72aa8ff37f8c6798861f7111e5069881e23e

SHA256
31fed5ec7c208a586f6b24e811108fec67b6c690d9b9de567cc42f8a55082a29

SHA512
e548b33da22b48c6845a11b114fde0dfc8bbe20eed3e85a9ca4aece59a1d0e5e800175e39075a3c840b0c57e9627b77c416f7cf98d55c915dc2f60cebbaf0123

Download Submit
C:\Windows\{59499B7F-E4E4-4693-A9B8-B1F548D39BF0}.exe

Filesize
408KB

MD5
0a733a9c2ef85697824c8738f335db6e

SHA1
ede774af1d37ecea307da7cb9359dbd2f2d6a347

SHA256
59fa7070ff7b2d4f20eb8726c21034079a2b45d37c2212b345ad68eceeafcc44

SHA512
c9abeefacbaff67942ec1064d33007bf9dbde6ab24bad243dbc258000f1e7af9c292a26e1208933e55a0fe0369eb367eac05dce347d88b3693247fe434c03426

Download Submit
C:\Windows\{5A81A8BB-2366-4747-8AD3-FA0D5DBA53E9}.exe

Filesize
408KB

MD5
d8809577fc3f699f90c8a7d3fca5028d

SHA1
9e1add24b21817972bb92567e9f7dc1b28432f3e

SHA256
8a01bf2f76ff6d53db74c59427009ff5a1d8052b1a58ef9d306b1464761c5b53

SHA512
799ea93a409295f4d6af6c9a796343ba5c2ac3a9d5853c374b24e282aadc210c9142851c2fe9be99a94d14f6a6b211dee0f553331ebbc9e08d6266d0591448e4

Download Submit
C:\Windows\{94AEBB26-32A1-491e-9B1A-56B49378FC4C}.exe

Filesize
408KB

MD5
352d43bde9067ad1ee1fd3b194e121e7

SHA1
c03e57c66cc90e825565840ea402d9644b39d76e

SHA256
e4d8977ec99d139bced0e36b0fcae7e296c93720670596195a2f72008e93e5f8

SHA512
d1de6d202de3be48db886e88ad946086ae0a91f9526bb9515eebe02a7b86fc1e10a746d69fef8d3d06acef8af5444999dd4257c7392d891ef1f06c852cda26c8

Download Submit
C:\Windows\{A9DE9C0A-18EC-4e1a-A087-0A4BAA76135D}.exe

Filesize
408KB

MD5
0dfc79ba9ffce8a59f110ae48d384438

SHA1
20acaf8e99186fb17b579d5ffa6876e00afb56e9

SHA256
f185e7774088cb2e19c33984823e4c96d552fa957d220f4e54f56f400c691418

SHA512
dee2c4857fcca630a385053e76222c478a742f1fefd8730393293d7b1a57f400c44556c31be873b52cb044194d69d68c8c7933d0d787c257e843a8d47c82552e

Download Submit
C:\Windows\{B0CB59B1-EAD0-48d2-A559-69231257F087}.exe

Filesize
408KB

MD5
e3d0fbd028e2988de2ed939d0653ddc2

SHA1
f3ea62263f9027228da2495566bc9840bc3d92f8

SHA256
1ca45e49543a46ba266c2202192254332b74e6ba22c5670fc48cc530c1cb05c0

SHA512
d4e9dbaee9a5e4e047683fc5c18111fd6c54e2e0319e03f1d91b70589041000e1362657a806644a590e75afed10455b21197b8a40e2cf0f4f09d1c90a211ce81

Download Submit
C:\Windows\{DB4C2EE2-54BB-444d-8DF1-9790E2BE5FFB}.exe

Filesize
408KB

MD5
858ae07a814f6b6a71322f6b83b76bb9

SHA1
1731791021496a16d1a90f9984affacf59577b91

SHA256
e7c034ff10694f8e4f2fd5c47ac5fa7e96ee451d3578f177d93f2f2a05183cee

SHA512
df5aa428e64d55ad23033846508292680649b2eb851cecfa0640fe64e93e05e92d0548639ff1d01ed3a95e9331a164802f54bc27a43100113aa551113a549e74

Download Submit
C:\Windows\{E1BE2324-5FBD-4b39-B244-2596390B0972}.exe

Filesize
408KB

MD5
a146615248f11aa076bf15866c4d5fe2

SHA1
a70a37dc62128735deff2b606772c2779cf2e3dc

SHA256
251f19e9ac84ceaf593a92296219c1a680767c788c812ff52305e091da896c39

SHA512
ed841f0d27b5762f95de75ad5f2d71c95388f331499182ae9a66ed80bc2d23e4e944fdca942e7f2fa7a1d87bdcc7e0d901e9672a048c750c436d80855fe26c73

Download Submit
C:\Windows\{F80C5D3D-E1C9-4a2b-A3BD-04A24364A1EA}.exe

Filesize
408KB

MD5
d67723cb6896f29301249fab81620904

SHA1
0134eb74f72e0d32e2bd5f77e939e0dcde9ba5ab

SHA256
1f57c6b838080fbd87cd7035eec4f2c44ad76858f6ecc6afe6f614bb91bf6bae

SHA512
d5f9f5e17e49f7ff43f7c532d1cf844b958c5b6f34e6c2e412d40aa33830a1b0f339058907d74428f36bca4e4dbe4f2ce2da7bbb54a6aead756989ee76ccdf2c

Download Submit
C:\Windows\{FDC54DE9-EFC9-4175-8596-D316069BC452}.exe

Filesize
408KB

MD5
393ddc8694489c9c45e7a404ad9a6c12

SHA1
75dbbcf9292ea731b79eb877e7c970e07bb242e7

SHA256
ca761251b82d4f2ca2e97d8e4a57aae7a47b7607d90e50ce73404c050417f8bf

SHA512
c8ae6f7cb12e8d9545e1c3a074c2137ad670f7fec1d916f42b129cbeefba3278dc0d3e77313a1735f2983903af224dc8db6fe48cbcd22bc3cd1698bcb6904a06

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads