53ea4235f02cf81067ed12e5c614c9a2e503632eb8601484412de770da03ae70

Analysis

max time kernel
144s
max time network
124s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
11/02/2024, 17:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-11_e781313969b78840fadeee43cbf0fc66_goldeneye.exe
Size

180KB
MD5

e781313969b78840fadeee43cbf0fc66
SHA1

34f3c89f2b3b5843b2f4afcb32b9cd0d6625f2f5
SHA256

53ea4235f02cf81067ed12e5c614c9a2e503632eb8601484412de770da03ae70
SHA512

227f59bb015f7dd71104ea58a114cc781c39bc0369c5b8d4b29d5262ff577437dcd0716ec8b1ac7c5a5d0f2d6616dbc4034838fe9f406c9c487aeacb6c6153fe
SSDEEP

3072:jEGh0o/lfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGtl5eKcAEc

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000b00000001468c-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00370000000170ef-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000300000000b1f7-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0003000000010f1d-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000400000000b1f7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000010f1d-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000500000000b1f7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000010f1d-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000600000000b1f7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000010f1d-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000700000000b1f7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C65059DC-2224-4a43-8C6E-DD27DEBED2EC}\stubpath = "C:\\Windows\\{C65059DC-2224-4a43-8C6E-DD27DEBED2EC}.exe"	{DBA473A1-6CC7-4076-A123-398EAA821DE7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{720E545C-88D9-435f-A1B2-711865B7FD77}	{C65059DC-2224-4a43-8C6E-DD27DEBED2EC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{720E545C-88D9-435f-A1B2-711865B7FD77}\stubpath = "C:\\Windows\\{720E545C-88D9-435f-A1B2-711865B7FD77}.exe"	{C65059DC-2224-4a43-8C6E-DD27DEBED2EC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4307E122-7E22-4a47-AB88-6F0033B57663}	{628BF168-D698-47ef-867A-0C6A05189034}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{35270A49-539F-48db-8DC3-441F89CE161E}\stubpath = "C:\\Windows\\{35270A49-539F-48db-8DC3-441F89CE161E}.exe"	2024-02-11_e781313969b78840fadeee43cbf0fc66_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CE5CDBFA-64DE-4e8e-BAF5-E8B1CCDDD11B}	{9B597FED-22F0-4fbb-BC2A-503AF90C3FE5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DBA473A1-6CC7-4076-A123-398EAA821DE7}	{88EF8145-7A10-4e35-80DA-545B4BC2476A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{621799E7-009B-4edf-93EC-CC321F40CB16}\stubpath = "C:\\Windows\\{621799E7-009B-4edf-93EC-CC321F40CB16}.exe"	{720E545C-88D9-435f-A1B2-711865B7FD77}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{628BF168-D698-47ef-867A-0C6A05189034}	{621799E7-009B-4edf-93EC-CC321F40CB16}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1FCA325F-60C5-446d-84AD-944CE2102D8E}\stubpath = "C:\\Windows\\{1FCA325F-60C5-446d-84AD-944CE2102D8E}.exe"	{35270A49-539F-48db-8DC3-441F89CE161E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{88EF8145-7A10-4e35-80DA-545B4BC2476A}\stubpath = "C:\\Windows\\{88EF8145-7A10-4e35-80DA-545B4BC2476A}.exe"	{CE5CDBFA-64DE-4e8e-BAF5-E8B1CCDDD11B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C65059DC-2224-4a43-8C6E-DD27DEBED2EC}	{DBA473A1-6CC7-4076-A123-398EAA821DE7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DBA473A1-6CC7-4076-A123-398EAA821DE7}\stubpath = "C:\\Windows\\{DBA473A1-6CC7-4076-A123-398EAA821DE7}.exe"	{88EF8145-7A10-4e35-80DA-545B4BC2476A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{621799E7-009B-4edf-93EC-CC321F40CB16}	{720E545C-88D9-435f-A1B2-711865B7FD77}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1FCA325F-60C5-446d-84AD-944CE2102D8E}	{35270A49-539F-48db-8DC3-441F89CE161E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9B597FED-22F0-4fbb-BC2A-503AF90C3FE5}	{1FCA325F-60C5-446d-84AD-944CE2102D8E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9B597FED-22F0-4fbb-BC2A-503AF90C3FE5}\stubpath = "C:\\Windows\\{9B597FED-22F0-4fbb-BC2A-503AF90C3FE5}.exe"	{1FCA325F-60C5-446d-84AD-944CE2102D8E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{628BF168-D698-47ef-867A-0C6A05189034}\stubpath = "C:\\Windows\\{628BF168-D698-47ef-867A-0C6A05189034}.exe"	{621799E7-009B-4edf-93EC-CC321F40CB16}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4307E122-7E22-4a47-AB88-6F0033B57663}\stubpath = "C:\\Windows\\{4307E122-7E22-4a47-AB88-6F0033B57663}.exe"	{628BF168-D698-47ef-867A-0C6A05189034}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{35270A49-539F-48db-8DC3-441F89CE161E}	2024-02-11_e781313969b78840fadeee43cbf0fc66_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CE5CDBFA-64DE-4e8e-BAF5-E8B1CCDDD11B}\stubpath = "C:\\Windows\\{CE5CDBFA-64DE-4e8e-BAF5-E8B1CCDDD11B}.exe"	{9B597FED-22F0-4fbb-BC2A-503AF90C3FE5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{88EF8145-7A10-4e35-80DA-545B4BC2476A}	{CE5CDBFA-64DE-4e8e-BAF5-E8B1CCDDD11B}.exe

Deletes itself 1 IoCs

pid	Process
2780	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2788	{35270A49-539F-48db-8DC3-441F89CE161E}.exe
2600	{1FCA325F-60C5-446d-84AD-944CE2102D8E}.exe
1824	{9B597FED-22F0-4fbb-BC2A-503AF90C3FE5}.exe
1348	{CE5CDBFA-64DE-4e8e-BAF5-E8B1CCDDD11B}.exe
1432	{88EF8145-7A10-4e35-80DA-545B4BC2476A}.exe
2856	{DBA473A1-6CC7-4076-A123-398EAA821DE7}.exe
792	{C65059DC-2224-4a43-8C6E-DD27DEBED2EC}.exe
2132	{720E545C-88D9-435f-A1B2-711865B7FD77}.exe
1644	{621799E7-009B-4edf-93EC-CC321F40CB16}.exe
2380	{628BF168-D698-47ef-867A-0C6A05189034}.exe
3040	{4307E122-7E22-4a47-AB88-6F0033B57663}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{CE5CDBFA-64DE-4e8e-BAF5-E8B1CCDDD11B}.exe	{9B597FED-22F0-4fbb-BC2A-503AF90C3FE5}.exe
File created	C:\Windows\{C65059DC-2224-4a43-8C6E-DD27DEBED2EC}.exe	{DBA473A1-6CC7-4076-A123-398EAA821DE7}.exe
File created	C:\Windows\{720E545C-88D9-435f-A1B2-711865B7FD77}.exe	{C65059DC-2224-4a43-8C6E-DD27DEBED2EC}.exe
File created	C:\Windows\{621799E7-009B-4edf-93EC-CC321F40CB16}.exe	{720E545C-88D9-435f-A1B2-711865B7FD77}.exe
File created	C:\Windows\{628BF168-D698-47ef-867A-0C6A05189034}.exe	{621799E7-009B-4edf-93EC-CC321F40CB16}.exe
File created	C:\Windows\{4307E122-7E22-4a47-AB88-6F0033B57663}.exe	{628BF168-D698-47ef-867A-0C6A05189034}.exe
File created	C:\Windows\{35270A49-539F-48db-8DC3-441F89CE161E}.exe	2024-02-11_e781313969b78840fadeee43cbf0fc66_goldeneye.exe
File created	C:\Windows\{1FCA325F-60C5-446d-84AD-944CE2102D8E}.exe	{35270A49-539F-48db-8DC3-441F89CE161E}.exe
File created	C:\Windows\{9B597FED-22F0-4fbb-BC2A-503AF90C3FE5}.exe	{1FCA325F-60C5-446d-84AD-944CE2102D8E}.exe
File created	C:\Windows\{88EF8145-7A10-4e35-80DA-545B4BC2476A}.exe	{CE5CDBFA-64DE-4e8e-BAF5-E8B1CCDDD11B}.exe
File created	C:\Windows\{DBA473A1-6CC7-4076-A123-398EAA821DE7}.exe	{88EF8145-7A10-4e35-80DA-545B4BC2476A}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2060	2024-02-11_e781313969b78840fadeee43cbf0fc66_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2788	{35270A49-539F-48db-8DC3-441F89CE161E}.exe
Token: SeIncBasePriorityPrivilege	2600	{1FCA325F-60C5-446d-84AD-944CE2102D8E}.exe
Token: SeIncBasePriorityPrivilege	1824	{9B597FED-22F0-4fbb-BC2A-503AF90C3FE5}.exe
Token: SeIncBasePriorityPrivilege	1348	{CE5CDBFA-64DE-4e8e-BAF5-E8B1CCDDD11B}.exe
Token: SeIncBasePriorityPrivilege	1432	{88EF8145-7A10-4e35-80DA-545B4BC2476A}.exe
Token: SeIncBasePriorityPrivilege	2856	{DBA473A1-6CC7-4076-A123-398EAA821DE7}.exe
Token: SeIncBasePriorityPrivilege	792	{C65059DC-2224-4a43-8C6E-DD27DEBED2EC}.exe
Token: SeIncBasePriorityPrivilege	2132	{720E545C-88D9-435f-A1B2-711865B7FD77}.exe
Token: SeIncBasePriorityPrivilege	1644	{621799E7-009B-4edf-93EC-CC321F40CB16}.exe
Token: SeIncBasePriorityPrivilege	2380	{628BF168-D698-47ef-867A-0C6A05189034}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2060 wrote to memory of 2788	2060	2024-02-11_e781313969b78840fadeee43cbf0fc66_goldeneye.exe	28
PID 2060 wrote to memory of 2788	2060	2024-02-11_e781313969b78840fadeee43cbf0fc66_goldeneye.exe	28
PID 2060 wrote to memory of 2788	2060	2024-02-11_e781313969b78840fadeee43cbf0fc66_goldeneye.exe	28
PID 2060 wrote to memory of 2788	2060	2024-02-11_e781313969b78840fadeee43cbf0fc66_goldeneye.exe	28
PID 2060 wrote to memory of 2780	2060	2024-02-11_e781313969b78840fadeee43cbf0fc66_goldeneye.exe	29
PID 2060 wrote to memory of 2780	2060	2024-02-11_e781313969b78840fadeee43cbf0fc66_goldeneye.exe	29
PID 2060 wrote to memory of 2780	2060	2024-02-11_e781313969b78840fadeee43cbf0fc66_goldeneye.exe	29
PID 2060 wrote to memory of 2780	2060	2024-02-11_e781313969b78840fadeee43cbf0fc66_goldeneye.exe	29
PID 2788 wrote to memory of 2600	2788	{35270A49-539F-48db-8DC3-441F89CE161E}.exe	30
PID 2788 wrote to memory of 2600	2788	{35270A49-539F-48db-8DC3-441F89CE161E}.exe	30
PID 2788 wrote to memory of 2600	2788	{35270A49-539F-48db-8DC3-441F89CE161E}.exe	30
PID 2788 wrote to memory of 2600	2788	{35270A49-539F-48db-8DC3-441F89CE161E}.exe	30
PID 2788 wrote to memory of 2872	2788	{35270A49-539F-48db-8DC3-441F89CE161E}.exe	31
PID 2788 wrote to memory of 2872	2788	{35270A49-539F-48db-8DC3-441F89CE161E}.exe	31
PID 2788 wrote to memory of 2872	2788	{35270A49-539F-48db-8DC3-441F89CE161E}.exe	31
PID 2788 wrote to memory of 2872	2788	{35270A49-539F-48db-8DC3-441F89CE161E}.exe	31
PID 2600 wrote to memory of 1824	2600	{1FCA325F-60C5-446d-84AD-944CE2102D8E}.exe	35
PID 2600 wrote to memory of 1824	2600	{1FCA325F-60C5-446d-84AD-944CE2102D8E}.exe	35
PID 2600 wrote to memory of 1824	2600	{1FCA325F-60C5-446d-84AD-944CE2102D8E}.exe	35
PID 2600 wrote to memory of 1824	2600	{1FCA325F-60C5-446d-84AD-944CE2102D8E}.exe	35
PID 2600 wrote to memory of 1888	2600	{1FCA325F-60C5-446d-84AD-944CE2102D8E}.exe	34
PID 2600 wrote to memory of 1888	2600	{1FCA325F-60C5-446d-84AD-944CE2102D8E}.exe	34
PID 2600 wrote to memory of 1888	2600	{1FCA325F-60C5-446d-84AD-944CE2102D8E}.exe	34
PID 2600 wrote to memory of 1888	2600	{1FCA325F-60C5-446d-84AD-944CE2102D8E}.exe	34
PID 1824 wrote to memory of 1348	1824	{9B597FED-22F0-4fbb-BC2A-503AF90C3FE5}.exe	36
PID 1824 wrote to memory of 1348	1824	{9B597FED-22F0-4fbb-BC2A-503AF90C3FE5}.exe	36
PID 1824 wrote to memory of 1348	1824	{9B597FED-22F0-4fbb-BC2A-503AF90C3FE5}.exe	36
PID 1824 wrote to memory of 1348	1824	{9B597FED-22F0-4fbb-BC2A-503AF90C3FE5}.exe	36
PID 1824 wrote to memory of 1652	1824	{9B597FED-22F0-4fbb-BC2A-503AF90C3FE5}.exe	37
PID 1824 wrote to memory of 1652	1824	{9B597FED-22F0-4fbb-BC2A-503AF90C3FE5}.exe	37
PID 1824 wrote to memory of 1652	1824	{9B597FED-22F0-4fbb-BC2A-503AF90C3FE5}.exe	37
PID 1824 wrote to memory of 1652	1824	{9B597FED-22F0-4fbb-BC2A-503AF90C3FE5}.exe	37
PID 1348 wrote to memory of 1432	1348	{CE5CDBFA-64DE-4e8e-BAF5-E8B1CCDDD11B}.exe	38
PID 1348 wrote to memory of 1432	1348	{CE5CDBFA-64DE-4e8e-BAF5-E8B1CCDDD11B}.exe	38
PID 1348 wrote to memory of 1432	1348	{CE5CDBFA-64DE-4e8e-BAF5-E8B1CCDDD11B}.exe	38
PID 1348 wrote to memory of 1432	1348	{CE5CDBFA-64DE-4e8e-BAF5-E8B1CCDDD11B}.exe	38
PID 1348 wrote to memory of 1648	1348	{CE5CDBFA-64DE-4e8e-BAF5-E8B1CCDDD11B}.exe	39
PID 1348 wrote to memory of 1648	1348	{CE5CDBFA-64DE-4e8e-BAF5-E8B1CCDDD11B}.exe	39
PID 1348 wrote to memory of 1648	1348	{CE5CDBFA-64DE-4e8e-BAF5-E8B1CCDDD11B}.exe	39
PID 1348 wrote to memory of 1648	1348	{CE5CDBFA-64DE-4e8e-BAF5-E8B1CCDDD11B}.exe	39
PID 1432 wrote to memory of 2856	1432	{88EF8145-7A10-4e35-80DA-545B4BC2476A}.exe	40
PID 1432 wrote to memory of 2856	1432	{88EF8145-7A10-4e35-80DA-545B4BC2476A}.exe	40
PID 1432 wrote to memory of 2856	1432	{88EF8145-7A10-4e35-80DA-545B4BC2476A}.exe	40
PID 1432 wrote to memory of 2856	1432	{88EF8145-7A10-4e35-80DA-545B4BC2476A}.exe	40
PID 1432 wrote to memory of 2184	1432	{88EF8145-7A10-4e35-80DA-545B4BC2476A}.exe	41
PID 1432 wrote to memory of 2184	1432	{88EF8145-7A10-4e35-80DA-545B4BC2476A}.exe	41
PID 1432 wrote to memory of 2184	1432	{88EF8145-7A10-4e35-80DA-545B4BC2476A}.exe	41
PID 1432 wrote to memory of 2184	1432	{88EF8145-7A10-4e35-80DA-545B4BC2476A}.exe	41
PID 2856 wrote to memory of 792	2856	{DBA473A1-6CC7-4076-A123-398EAA821DE7}.exe	42
PID 2856 wrote to memory of 792	2856	{DBA473A1-6CC7-4076-A123-398EAA821DE7}.exe	42
PID 2856 wrote to memory of 792	2856	{DBA473A1-6CC7-4076-A123-398EAA821DE7}.exe	42
PID 2856 wrote to memory of 792	2856	{DBA473A1-6CC7-4076-A123-398EAA821DE7}.exe	42
PID 2856 wrote to memory of 2852	2856	{DBA473A1-6CC7-4076-A123-398EAA821DE7}.exe	43
PID 2856 wrote to memory of 2852	2856	{DBA473A1-6CC7-4076-A123-398EAA821DE7}.exe	43
PID 2856 wrote to memory of 2852	2856	{DBA473A1-6CC7-4076-A123-398EAA821DE7}.exe	43
PID 2856 wrote to memory of 2852	2856	{DBA473A1-6CC7-4076-A123-398EAA821DE7}.exe	43
PID 792 wrote to memory of 2132	792	{C65059DC-2224-4a43-8C6E-DD27DEBED2EC}.exe	44
PID 792 wrote to memory of 2132	792	{C65059DC-2224-4a43-8C6E-DD27DEBED2EC}.exe	44
PID 792 wrote to memory of 2132	792	{C65059DC-2224-4a43-8C6E-DD27DEBED2EC}.exe	44
PID 792 wrote to memory of 2132	792	{C65059DC-2224-4a43-8C6E-DD27DEBED2EC}.exe	44
PID 792 wrote to memory of 1096	792	{C65059DC-2224-4a43-8C6E-DD27DEBED2EC}.exe	45
PID 792 wrote to memory of 1096	792	{C65059DC-2224-4a43-8C6E-DD27DEBED2EC}.exe	45
PID 792 wrote to memory of 1096	792	{C65059DC-2224-4a43-8C6E-DD27DEBED2EC}.exe	45
PID 792 wrote to memory of 1096	792	{C65059DC-2224-4a43-8C6E-DD27DEBED2EC}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-02-11_e781313969b78840fadeee43cbf0fc66_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-11_e781313969b78840fadeee43cbf0fc66_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2060
- C:\Windows\{35270A49-539F-48db-8DC3-441F89CE161E}.exe
  C:\Windows\{35270A49-539F-48db-8DC3-441F89CE161E}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2788
- - C:\Windows\{1FCA325F-60C5-446d-84AD-944CE2102D8E}.exe
    C:\Windows\{1FCA325F-60C5-446d-84AD-944CE2102D8E}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2600
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{1FCA3~1.EXE > nul
      4⤵
      PID:1888
  - - C:\Windows\{9B597FED-22F0-4fbb-BC2A-503AF90C3FE5}.exe
      C:\Windows\{9B597FED-22F0-4fbb-BC2A-503AF90C3FE5}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1824
    - - C:\Windows\{CE5CDBFA-64DE-4e8e-BAF5-E8B1CCDDD11B}.exe
        
        C:\Windows\{CE5CDBFA-64DE-4e8e-BAF5-E8B1CCDDD11B}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1348
      - C:\Windows\{88EF8145-7A10-4e35-80DA-545B4BC2476A}.exe
        
        C:\Windows\{88EF8145-7A10-4e35-80DA-545B4BC2476A}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1432
        
        C:\Windows\{DBA473A1-6CC7-4076-A123-398EAA821DE7}.exe
        
        C:\Windows\{DBA473A1-6CC7-4076-A123-398EAA821DE7}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2856
        
        C:\Windows\{C65059DC-2224-4a43-8C6E-DD27DEBED2EC}.exe
        
        C:\Windows\{C65059DC-2224-4a43-8C6E-DD27DEBED2EC}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:792
        
        C:\Windows\{720E545C-88D9-435f-A1B2-711865B7FD77}.exe
        
        C:\Windows\{720E545C-88D9-435f-A1B2-711865B7FD77}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{720E5~1.EXE > nul
        10⤵
        
        PID:2364
        
        C:\Windows\{621799E7-009B-4edf-93EC-CC321F40CB16}.exe
        
        C:\Windows\{621799E7-009B-4edf-93EC-CC321F40CB16}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1644
        
        C:\Windows\{628BF168-D698-47ef-867A-0C6A05189034}.exe
        
        C:\Windows\{628BF168-D698-47ef-867A-0C6A05189034}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2380
        
        C:\Windows\{4307E122-7E22-4a47-AB88-6F0033B57663}.exe
        
        C:\Windows\{4307E122-7E22-4a47-AB88-6F0033B57663}.exe
        12⤵
        Executes dropped EXE
        
        PID:3040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{628BF~1.EXE > nul
        12⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{62179~1.EXE > nul
        11⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C6505~1.EXE > nul
        9⤵
        
        PID:1096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DBA47~1.EXE > nul
        8⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{88EF8~1.EXE > nul
        7⤵
        
        PID:2184
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CE5CD~1.EXE > nul
        6⤵
        
        PID:1648
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9B597~1.EXE > nul
        5⤵
        
        PID:1652
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{35270~1.EXE > nul
    3⤵
    PID:2872
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1FCA325F-60C5-446d-84AD-944CE2102D8E}.exe

Filesize
180KB

MD5
ef7cd4b950ebf5cd12e1d45b6ed96dfc

SHA1
208ec717ef6eed71630bc5e4abf41157c7ba9ff5

SHA256
b6805a21237ed39ac2fd63bba6fb053cf6f4f34e226139f2ee35920c0ec96ac0

SHA512
8133ed4ac609d58ac176a1c62e4817c57d01e1087f943dd785c861c085c785d00216c32270c7d014d83ef64687e5d08f27534b64dc174fa3bb47c32296c520d0

Download Submit
C:\Windows\{35270A49-539F-48db-8DC3-441F89CE161E}.exe

Filesize
180KB

MD5
b3a5b7762f3373eef49bd1b2822b7a99

SHA1
8cc5c1f3bcf180aea42b5bf168ba8fbd59c2b83f

SHA256
332d25b28f8732510e4738df7932d62fa6f3e91c8591245144302261f1a35b48

SHA512
f8f0f68076fc7976bd075635eba993ae62f93f97f2b6f2290866bbef31cafd172b88aeb6321ddfe0a17157b27b8eef46c57fd3e4559e1e3d3113dfe2dc1070d4

Download Submit
C:\Windows\{4307E122-7E22-4a47-AB88-6F0033B57663}.exe

Filesize
180KB

MD5
1150913de12204074208ef84d4b8038b

SHA1
9534c210d97368e2061b867c1d439f11009a8ecc

SHA256
a26661732c1e9b162440e060cb21d1167dc419032945c1fceabddca8c53c6374

SHA512
11b41527c04a844f9c4543737c4bc2285574065fca321e9575c863017b0990c3afdc0517eb2636261cb06540994414352891fb84a5168d81f7e17a4904f8e77f

Download Submit
C:\Windows\{621799E7-009B-4edf-93EC-CC321F40CB16}.exe

Filesize
180KB

MD5
0f9db21ec485b8267e29805e54b6b268

SHA1
0dc1d2811e212f1ddfd7078319b3136e08eb7c6d

SHA256
202251be78adfbf3396c600fddb3670b978095c427063781cda8c091d1f560b8

SHA512
0e338a11ae35723b6116ca8f7c120e5772dee136a9870b4f3422a5754e73c3fd8bbcb8d5ae15efbf768b9fded305c590833ae127a51e4b50ebedcca93a734369

Download Submit
C:\Windows\{628BF168-D698-47ef-867A-0C6A05189034}.exe

Filesize
180KB

MD5
ccaed4119eaf55fec4ceee7fa3d95fce

SHA1
92a91165c55dbcb248c41d87053e90566b9b99d0

SHA256
12d2cd4aa5dd7d70cf7e971ce94ba015256dad27782c1839c740ae47feb90d5a

SHA512
1a9cd3edcc51bf0400561ae4b82ebe297cac91d4107230ca341ab5ded09d79bf817eff752568a64d52eba2b2255bb1a2a856caf7410f3a7afadd67f727f3aa1c

Download Submit
C:\Windows\{720E545C-88D9-435f-A1B2-711865B7FD77}.exe

Filesize
180KB

MD5
412435b17dfafed02c3f6320a83a6bc9

SHA1
b3092875603d2f12ce230596cdfd6577f2391c3d

SHA256
9b22ef0f63109846c10a5501d0f94fcfaa4b738fb6f3699027609f71fb14dd08

SHA512
7a6ad6774e194485f4520a34bd71e649517dd1ecd53fcf3a20610473960255baab2e56edf1b4abb09ee5567aa0fade4533c4c07a0410f45ad1d8030ab322931d

Download Submit
C:\Windows\{88EF8145-7A10-4e35-80DA-545B4BC2476A}.exe

Filesize
180KB

MD5
16bd6658f627e83c5d00329e9c45efa0

SHA1
3a7f0df905d9f1412a4482c8d079c80e8324b036

SHA256
2db75693544632140407c4ce69b1a25cb5fab93e0b6148b246565b0758f45bde

SHA512
c3236c7e4fabeedb974a94e6d5f45c152acf420187440f870f125c51422daf86d42afeb79a8541234a736b060de1b87beeb78d5af74951b8b852107e54cd9a64

Download Submit
C:\Windows\{9B597FED-22F0-4fbb-BC2A-503AF90C3FE5}.exe

Filesize
180KB

MD5
c73d4cd32fa04eddaa0e296dda7d9ccb

SHA1
605646629f6da7cb13026bda2410f919f55fd82b

SHA256
59116bfe9dbcc69ddf8525da33dc483cfea7b71c28c6fd56fab6be3432027774

SHA512
4a444d8dc5158b4719c3f858372cec0916e5931409d2918c78d6e490e3ec3d11f0850eebc71ae8c53c320d080b856de1895db09091a3b1ddb281897fd84a2fb2

Download Submit
C:\Windows\{C65059DC-2224-4a43-8C6E-DD27DEBED2EC}.exe

Filesize
180KB

MD5
a4980d70e293b0c13f478608dfef84a9

SHA1
aae312f31737a9661537474dec5c2843b77e0f30

SHA256
0444c4afe93e71016d167298a7fa33afc17138440770018aafdb257c227c0d08

SHA512
136f5da76f0454017bf30805bec69003a752ed3d438af20f72d02636f03c29cb9bca580805c1660b1dee6c34fdff14529ecf497b81252855bb7bb1d12e36b302

Download Submit
C:\Windows\{CE5CDBFA-64DE-4e8e-BAF5-E8B1CCDDD11B}.exe

Filesize
180KB

MD5
8ce8e1946f9065a7371fc9879222a127

SHA1
db58f1f91a08136390cfedf394e613b452ae5c0f

SHA256
6c215d5ffdf7733ca83c884c9bef8162a065a68cdf3d0f4de6c22c86616ab0d7

SHA512
0b2b68c7a587f74a4fef15e1c588658d35f36bfaad9b11a5c75a99a9f7af10e1e3265b6c5f65a6c6436ff24223f2476864e7b6c135d3bf34eff82b23d3782196

Download Submit
C:\Windows\{DBA473A1-6CC7-4076-A123-398EAA821DE7}.exe

Filesize
180KB

MD5
774fd2caa2ee99b86bcef1177555ef9d

SHA1
987a5859854543275776b61ffcda4620afe84e82

SHA256
a97bf3de1a24065d3ea31985907ff95be80f866680409ba07aa798f1323ad1e3

SHA512
da805201384b26b4fb9965034d75489dfe5600676ca08a0c1088721f8026adaa2f9c8eb2130ce374c4dcc3ff9cefdbc65cfe4bf964740554577ad2f2818a1b01

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads