27c5c1359062d74db18eb6016eeacf9353b1d947fb999970485418003498a246

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
11/02/2024, 20:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-11_9658e0d58bd8127d42e2598f9331ab02_goldeneye.exe
Size

408KB
MD5

9658e0d58bd8127d42e2598f9331ab02
SHA1

f37c3c2802f59b27cec19943f33576ab8663670d
SHA256

27c5c1359062d74db18eb6016eeacf9353b1d947fb999970485418003498a246
SHA512

a3ee60a013943f21de5c9d504b3d3ed9aadfe31db06c2c02cccbdcfaf36fe5b0ebe67ab5b4d72561e76f021eb0f0fe3065c011507296c28402c7f15e251861d3
SSDEEP

3072:CEGh0orl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEG1ldOe2MUVg3vTeKcAEciTBqr3jy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x0009000000014120-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c0000000141c0-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a000000014120-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00090000000143ec-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000005a59-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b000000014120-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000005a59-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000014120-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000005a59-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000014120-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000005a59-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{900AEB06-583F-42fe-BFAC-2E36342BBC4B}	2024-02-11_9658e0d58bd8127d42e2598f9331ab02_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A144FE8A-89C7-440a-A61B-75DE6AF3CCBB}	{900AEB06-583F-42fe-BFAC-2E36342BBC4B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C52E22F8-A26D-45b5-BD20-B62A3B6FC822}\stubpath = "C:\\Windows\\{C52E22F8-A26D-45b5-BD20-B62A3B6FC822}.exe"	{D3B79BAD-A1B6-4027-8BAB-54189F471914}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F7097290-1F92-4b2a-862E-45FD0B9500EF}	{C41D3639-D3C5-4c2a-A7B2-CE67FFBF7B1E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{69C2E650-F2D6-49c2-A396-B7A6D47699BA}\stubpath = "C:\\Windows\\{69C2E650-F2D6-49c2-A396-B7A6D47699BA}.exe"	{C01097B2-5539-472c-8B5C-2E8349A956B1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{900AEB06-583F-42fe-BFAC-2E36342BBC4B}\stubpath = "C:\\Windows\\{900AEB06-583F-42fe-BFAC-2E36342BBC4B}.exe"	2024-02-11_9658e0d58bd8127d42e2598f9331ab02_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A144FE8A-89C7-440a-A61B-75DE6AF3CCBB}\stubpath = "C:\\Windows\\{A144FE8A-89C7-440a-A61B-75DE6AF3CCBB}.exe"	{900AEB06-583F-42fe-BFAC-2E36342BBC4B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D3B79BAD-A1B6-4027-8BAB-54189F471914}	{BC86B240-4758-4f7c-B296-9AE6FDEB50DF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5A3180D0-DA26-49dd-8E81-C996DD323535}\stubpath = "C:\\Windows\\{5A3180D0-DA26-49dd-8E81-C996DD323535}.exe"	{C52E22F8-A26D-45b5-BD20-B62A3B6FC822}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F7097290-1F92-4b2a-862E-45FD0B9500EF}\stubpath = "C:\\Windows\\{F7097290-1F92-4b2a-862E-45FD0B9500EF}.exe"	{C41D3639-D3C5-4c2a-A7B2-CE67FFBF7B1E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{69C2E650-F2D6-49c2-A396-B7A6D47699BA}	{C01097B2-5539-472c-8B5C-2E8349A956B1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BC86B240-4758-4f7c-B296-9AE6FDEB50DF}\stubpath = "C:\\Windows\\{BC86B240-4758-4f7c-B296-9AE6FDEB50DF}.exe"	{A144FE8A-89C7-440a-A61B-75DE6AF3CCBB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D3B79BAD-A1B6-4027-8BAB-54189F471914}\stubpath = "C:\\Windows\\{D3B79BAD-A1B6-4027-8BAB-54189F471914}.exe"	{BC86B240-4758-4f7c-B296-9AE6FDEB50DF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C52E22F8-A26D-45b5-BD20-B62A3B6FC822}	{D3B79BAD-A1B6-4027-8BAB-54189F471914}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BC86B240-4758-4f7c-B296-9AE6FDEB50DF}	{A144FE8A-89C7-440a-A61B-75DE6AF3CCBB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5A3180D0-DA26-49dd-8E81-C996DD323535}	{C52E22F8-A26D-45b5-BD20-B62A3B6FC822}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C41D3639-D3C5-4c2a-A7B2-CE67FFBF7B1E}	{5A3180D0-DA26-49dd-8E81-C996DD323535}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C41D3639-D3C5-4c2a-A7B2-CE67FFBF7B1E}\stubpath = "C:\\Windows\\{C41D3639-D3C5-4c2a-A7B2-CE67FFBF7B1E}.exe"	{5A3180D0-DA26-49dd-8E81-C996DD323535}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{41842829-E5FC-4d54-91BE-636691F2D655}	{F7097290-1F92-4b2a-862E-45FD0B9500EF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{41842829-E5FC-4d54-91BE-636691F2D655}\stubpath = "C:\\Windows\\{41842829-E5FC-4d54-91BE-636691F2D655}.exe"	{F7097290-1F92-4b2a-862E-45FD0B9500EF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C01097B2-5539-472c-8B5C-2E8349A956B1}	{41842829-E5FC-4d54-91BE-636691F2D655}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C01097B2-5539-472c-8B5C-2E8349A956B1}\stubpath = "C:\\Windows\\{C01097B2-5539-472c-8B5C-2E8349A956B1}.exe"	{41842829-E5FC-4d54-91BE-636691F2D655}.exe

Executes dropped EXE 11 IoCs

pid	Process
2388	{900AEB06-583F-42fe-BFAC-2E36342BBC4B}.exe
2580	{A144FE8A-89C7-440a-A61B-75DE6AF3CCBB}.exe
2752	{BC86B240-4758-4f7c-B296-9AE6FDEB50DF}.exe
2528	{D3B79BAD-A1B6-4027-8BAB-54189F471914}.exe
936	{C52E22F8-A26D-45b5-BD20-B62A3B6FC822}.exe
1688	{5A3180D0-DA26-49dd-8E81-C996DD323535}.exe
2436	{C41D3639-D3C5-4c2a-A7B2-CE67FFBF7B1E}.exe
1512	{F7097290-1F92-4b2a-862E-45FD0B9500EF}.exe
2924	{41842829-E5FC-4d54-91BE-636691F2D655}.exe
2252	{C01097B2-5539-472c-8B5C-2E8349A956B1}.exe
280	{69C2E650-F2D6-49c2-A396-B7A6D47699BA}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{900AEB06-583F-42fe-BFAC-2E36342BBC4B}.exe	2024-02-11_9658e0d58bd8127d42e2598f9331ab02_goldeneye.exe
File created	C:\Windows\{BC86B240-4758-4f7c-B296-9AE6FDEB50DF}.exe	{A144FE8A-89C7-440a-A61B-75DE6AF3CCBB}.exe
File created	C:\Windows\{C52E22F8-A26D-45b5-BD20-B62A3B6FC822}.exe	{D3B79BAD-A1B6-4027-8BAB-54189F471914}.exe
File created	C:\Windows\{F7097290-1F92-4b2a-862E-45FD0B9500EF}.exe	{C41D3639-D3C5-4c2a-A7B2-CE67FFBF7B1E}.exe
File created	C:\Windows\{41842829-E5FC-4d54-91BE-636691F2D655}.exe	{F7097290-1F92-4b2a-862E-45FD0B9500EF}.exe
File created	C:\Windows\{C01097B2-5539-472c-8B5C-2E8349A956B1}.exe	{41842829-E5FC-4d54-91BE-636691F2D655}.exe
File created	C:\Windows\{69C2E650-F2D6-49c2-A396-B7A6D47699BA}.exe	{C01097B2-5539-472c-8B5C-2E8349A956B1}.exe
File created	C:\Windows\{A144FE8A-89C7-440a-A61B-75DE6AF3CCBB}.exe	{900AEB06-583F-42fe-BFAC-2E36342BBC4B}.exe
File created	C:\Windows\{D3B79BAD-A1B6-4027-8BAB-54189F471914}.exe	{BC86B240-4758-4f7c-B296-9AE6FDEB50DF}.exe
File created	C:\Windows\{5A3180D0-DA26-49dd-8E81-C996DD323535}.exe	{C52E22F8-A26D-45b5-BD20-B62A3B6FC822}.exe
File created	C:\Windows\{C41D3639-D3C5-4c2a-A7B2-CE67FFBF7B1E}.exe	{5A3180D0-DA26-49dd-8E81-C996DD323535}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2364	2024-02-11_9658e0d58bd8127d42e2598f9331ab02_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2388	{900AEB06-583F-42fe-BFAC-2E36342BBC4B}.exe
Token: SeIncBasePriorityPrivilege	2580	{A144FE8A-89C7-440a-A61B-75DE6AF3CCBB}.exe
Token: SeIncBasePriorityPrivilege	2752	{BC86B240-4758-4f7c-B296-9AE6FDEB50DF}.exe
Token: SeIncBasePriorityPrivilege	2528	{D3B79BAD-A1B6-4027-8BAB-54189F471914}.exe
Token: SeIncBasePriorityPrivilege	936	{C52E22F8-A26D-45b5-BD20-B62A3B6FC822}.exe
Token: SeIncBasePriorityPrivilege	1688	{5A3180D0-DA26-49dd-8E81-C996DD323535}.exe
Token: SeIncBasePriorityPrivilege	2436	{C41D3639-D3C5-4c2a-A7B2-CE67FFBF7B1E}.exe
Token: SeIncBasePriorityPrivilege	1512	{F7097290-1F92-4b2a-862E-45FD0B9500EF}.exe
Token: SeIncBasePriorityPrivilege	2924	{41842829-E5FC-4d54-91BE-636691F2D655}.exe
Token: SeIncBasePriorityPrivilege	2252	{C01097B2-5539-472c-8B5C-2E8349A956B1}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2364 wrote to memory of 2388	2364	2024-02-11_9658e0d58bd8127d42e2598f9331ab02_goldeneye.exe	28
PID 2364 wrote to memory of 2388	2364	2024-02-11_9658e0d58bd8127d42e2598f9331ab02_goldeneye.exe	28
PID 2364 wrote to memory of 2388	2364	2024-02-11_9658e0d58bd8127d42e2598f9331ab02_goldeneye.exe	28
PID 2364 wrote to memory of 2388	2364	2024-02-11_9658e0d58bd8127d42e2598f9331ab02_goldeneye.exe	28
PID 2364 wrote to memory of 1820	2364	2024-02-11_9658e0d58bd8127d42e2598f9331ab02_goldeneye.exe	29
PID 2364 wrote to memory of 1820	2364	2024-02-11_9658e0d58bd8127d42e2598f9331ab02_goldeneye.exe	29
PID 2364 wrote to memory of 1820	2364	2024-02-11_9658e0d58bd8127d42e2598f9331ab02_goldeneye.exe	29
PID 2364 wrote to memory of 1820	2364	2024-02-11_9658e0d58bd8127d42e2598f9331ab02_goldeneye.exe	29
PID 2388 wrote to memory of 2580	2388	{900AEB06-583F-42fe-BFAC-2E36342BBC4B}.exe	30
PID 2388 wrote to memory of 2580	2388	{900AEB06-583F-42fe-BFAC-2E36342BBC4B}.exe	30
PID 2388 wrote to memory of 2580	2388	{900AEB06-583F-42fe-BFAC-2E36342BBC4B}.exe	30
PID 2388 wrote to memory of 2580	2388	{900AEB06-583F-42fe-BFAC-2E36342BBC4B}.exe	30
PID 2388 wrote to memory of 2664	2388	{900AEB06-583F-42fe-BFAC-2E36342BBC4B}.exe	31
PID 2388 wrote to memory of 2664	2388	{900AEB06-583F-42fe-BFAC-2E36342BBC4B}.exe	31
PID 2388 wrote to memory of 2664	2388	{900AEB06-583F-42fe-BFAC-2E36342BBC4B}.exe	31
PID 2388 wrote to memory of 2664	2388	{900AEB06-583F-42fe-BFAC-2E36342BBC4B}.exe	31
PID 2580 wrote to memory of 2752	2580	{A144FE8A-89C7-440a-A61B-75DE6AF3CCBB}.exe	32
PID 2580 wrote to memory of 2752	2580	{A144FE8A-89C7-440a-A61B-75DE6AF3CCBB}.exe	32
PID 2580 wrote to memory of 2752	2580	{A144FE8A-89C7-440a-A61B-75DE6AF3CCBB}.exe	32
PID 2580 wrote to memory of 2752	2580	{A144FE8A-89C7-440a-A61B-75DE6AF3CCBB}.exe	32
PID 2580 wrote to memory of 2740	2580	{A144FE8A-89C7-440a-A61B-75DE6AF3CCBB}.exe	33
PID 2580 wrote to memory of 2740	2580	{A144FE8A-89C7-440a-A61B-75DE6AF3CCBB}.exe	33
PID 2580 wrote to memory of 2740	2580	{A144FE8A-89C7-440a-A61B-75DE6AF3CCBB}.exe	33
PID 2580 wrote to memory of 2740	2580	{A144FE8A-89C7-440a-A61B-75DE6AF3CCBB}.exe	33
PID 2752 wrote to memory of 2528	2752	{BC86B240-4758-4f7c-B296-9AE6FDEB50DF}.exe	36
PID 2752 wrote to memory of 2528	2752	{BC86B240-4758-4f7c-B296-9AE6FDEB50DF}.exe	36
PID 2752 wrote to memory of 2528	2752	{BC86B240-4758-4f7c-B296-9AE6FDEB50DF}.exe	36
PID 2752 wrote to memory of 2528	2752	{BC86B240-4758-4f7c-B296-9AE6FDEB50DF}.exe	36
PID 2752 wrote to memory of 2492	2752	{BC86B240-4758-4f7c-B296-9AE6FDEB50DF}.exe	37
PID 2752 wrote to memory of 2492	2752	{BC86B240-4758-4f7c-B296-9AE6FDEB50DF}.exe	37
PID 2752 wrote to memory of 2492	2752	{BC86B240-4758-4f7c-B296-9AE6FDEB50DF}.exe	37
PID 2752 wrote to memory of 2492	2752	{BC86B240-4758-4f7c-B296-9AE6FDEB50DF}.exe	37
PID 2528 wrote to memory of 936	2528	{D3B79BAD-A1B6-4027-8BAB-54189F471914}.exe	38
PID 2528 wrote to memory of 936	2528	{D3B79BAD-A1B6-4027-8BAB-54189F471914}.exe	38
PID 2528 wrote to memory of 936	2528	{D3B79BAD-A1B6-4027-8BAB-54189F471914}.exe	38
PID 2528 wrote to memory of 936	2528	{D3B79BAD-A1B6-4027-8BAB-54189F471914}.exe	38
PID 2528 wrote to memory of 2672	2528	{D3B79BAD-A1B6-4027-8BAB-54189F471914}.exe	39
PID 2528 wrote to memory of 2672	2528	{D3B79BAD-A1B6-4027-8BAB-54189F471914}.exe	39
PID 2528 wrote to memory of 2672	2528	{D3B79BAD-A1B6-4027-8BAB-54189F471914}.exe	39
PID 2528 wrote to memory of 2672	2528	{D3B79BAD-A1B6-4027-8BAB-54189F471914}.exe	39
PID 936 wrote to memory of 1688	936	{C52E22F8-A26D-45b5-BD20-B62A3B6FC822}.exe	41
PID 936 wrote to memory of 1688	936	{C52E22F8-A26D-45b5-BD20-B62A3B6FC822}.exe	41
PID 936 wrote to memory of 1688	936	{C52E22F8-A26D-45b5-BD20-B62A3B6FC822}.exe	41
PID 936 wrote to memory of 1688	936	{C52E22F8-A26D-45b5-BD20-B62A3B6FC822}.exe	41
PID 936 wrote to memory of 1312	936	{C52E22F8-A26D-45b5-BD20-B62A3B6FC822}.exe	40
PID 936 wrote to memory of 1312	936	{C52E22F8-A26D-45b5-BD20-B62A3B6FC822}.exe	40
PID 936 wrote to memory of 1312	936	{C52E22F8-A26D-45b5-BD20-B62A3B6FC822}.exe	40
PID 936 wrote to memory of 1312	936	{C52E22F8-A26D-45b5-BD20-B62A3B6FC822}.exe	40
PID 1688 wrote to memory of 2436	1688	{5A3180D0-DA26-49dd-8E81-C996DD323535}.exe	43
PID 1688 wrote to memory of 2436	1688	{5A3180D0-DA26-49dd-8E81-C996DD323535}.exe	43
PID 1688 wrote to memory of 2436	1688	{5A3180D0-DA26-49dd-8E81-C996DD323535}.exe	43
PID 1688 wrote to memory of 2436	1688	{5A3180D0-DA26-49dd-8E81-C996DD323535}.exe	43
PID 1688 wrote to memory of 2780	1688	{5A3180D0-DA26-49dd-8E81-C996DD323535}.exe	42
PID 1688 wrote to memory of 2780	1688	{5A3180D0-DA26-49dd-8E81-C996DD323535}.exe	42
PID 1688 wrote to memory of 2780	1688	{5A3180D0-DA26-49dd-8E81-C996DD323535}.exe	42
PID 1688 wrote to memory of 2780	1688	{5A3180D0-DA26-49dd-8E81-C996DD323535}.exe	42
PID 2436 wrote to memory of 1512	2436	{C41D3639-D3C5-4c2a-A7B2-CE67FFBF7B1E}.exe	45
PID 2436 wrote to memory of 1512	2436	{C41D3639-D3C5-4c2a-A7B2-CE67FFBF7B1E}.exe	45
PID 2436 wrote to memory of 1512	2436	{C41D3639-D3C5-4c2a-A7B2-CE67FFBF7B1E}.exe	45
PID 2436 wrote to memory of 1512	2436	{C41D3639-D3C5-4c2a-A7B2-CE67FFBF7B1E}.exe	45
PID 2436 wrote to memory of 1556	2436	{C41D3639-D3C5-4c2a-A7B2-CE67FFBF7B1E}.exe	44
PID 2436 wrote to memory of 1556	2436	{C41D3639-D3C5-4c2a-A7B2-CE67FFBF7B1E}.exe	44
PID 2436 wrote to memory of 1556	2436	{C41D3639-D3C5-4c2a-A7B2-CE67FFBF7B1E}.exe	44
PID 2436 wrote to memory of 1556	2436	{C41D3639-D3C5-4c2a-A7B2-CE67FFBF7B1E}.exe	44

C:\Users\Admin\AppData\Local\Temp\2024-02-11_9658e0d58bd8127d42e2598f9331ab02_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-11_9658e0d58bd8127d42e2598f9331ab02_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2364
- C:\Windows\{900AEB06-583F-42fe-BFAC-2E36342BBC4B}.exe
  C:\Windows\{900AEB06-583F-42fe-BFAC-2E36342BBC4B}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2388
- - C:\Windows\{A144FE8A-89C7-440a-A61B-75DE6AF3CCBB}.exe
    C:\Windows\{A144FE8A-89C7-440a-A61B-75DE6AF3CCBB}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2580
  - - C:\Windows\{BC86B240-4758-4f7c-B296-9AE6FDEB50DF}.exe
      C:\Windows\{BC86B240-4758-4f7c-B296-9AE6FDEB50DF}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2752
    - - C:\Windows\{D3B79BAD-A1B6-4027-8BAB-54189F471914}.exe
        
        C:\Windows\{D3B79BAD-A1B6-4027-8BAB-54189F471914}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2528
      - C:\Windows\{C52E22F8-A26D-45b5-BD20-B62A3B6FC822}.exe
        
        C:\Windows\{C52E22F8-A26D-45b5-BD20-B62A3B6FC822}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C52E2~1.EXE > nul
        7⤵
        
        PID:1312
        
        C:\Windows\{5A3180D0-DA26-49dd-8E81-C996DD323535}.exe
        
        C:\Windows\{5A3180D0-DA26-49dd-8E81-C996DD323535}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5A318~1.EXE > nul
        8⤵
        
        PID:2780
        
        C:\Windows\{C41D3639-D3C5-4c2a-A7B2-CE67FFBF7B1E}.exe
        
        C:\Windows\{C41D3639-D3C5-4c2a-A7B2-CE67FFBF7B1E}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C41D3~1.EXE > nul
        9⤵
        
        PID:1556
        
        C:\Windows\{F7097290-1F92-4b2a-862E-45FD0B9500EF}.exe
        
        C:\Windows\{F7097290-1F92-4b2a-862E-45FD0B9500EF}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F7097~1.EXE > nul
        10⤵
        
        PID:2232
        
        C:\Windows\{41842829-E5FC-4d54-91BE-636691F2D655}.exe
        
        C:\Windows\{41842829-E5FC-4d54-91BE-636691F2D655}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{41842~1.EXE > nul
        11⤵
        
        PID:600
        
        C:\Windows\{C01097B2-5539-472c-8B5C-2E8349A956B1}.exe
        
        C:\Windows\{C01097B2-5539-472c-8B5C-2E8349A956B1}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C0109~1.EXE > nul
        12⤵
        
        PID:584
        
        C:\Windows\{69C2E650-F2D6-49c2-A396-B7A6D47699BA}.exe
        
        C:\Windows\{69C2E650-F2D6-49c2-A396-B7A6D47699BA}.exe
        12⤵
        Executes dropped EXE
        
        PID:280
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D3B79~1.EXE > nul
        6⤵
        
        PID:2672
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BC86B~1.EXE > nul
        5⤵
        
        PID:2492
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{A144F~1.EXE > nul
      4⤵
      PID:2740
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{900AE~1.EXE > nul
    3⤵
    PID:2664
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:1820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{41842829-E5FC-4d54-91BE-636691F2D655}.exe

Filesize
408KB

MD5
2064cc54600ec00e9edd544561b09e23

SHA1
1b3372bb38274680bdc0184899229b21cf47f127

SHA256
72943da1a0dc2d76de655eb84142a2beb87d28c392eecd1eaf7b0100dadbbf0b

SHA512
0f0608fe0ac1e4f65495dd8844013ffac2f3929f3d4c824b98a80b1013713dd313f88c045ee07e08201e5c6bf0d4b7d72654cebf79de4946ac690352221e5663

Download Submit
C:\Windows\{5A3180D0-DA26-49dd-8E81-C996DD323535}.exe

Filesize
408KB

MD5
f599c7420c769c7f8d6f1a3f5a2e7820

SHA1
02819d367671aa4e029bb1b1fce9dd9437a83083

SHA256
da8e8f763956ec1dec0dd59c874c8d8c52285fd2c8740c314ded392f8df22c58

SHA512
302c702482ee331bd6ab06e97e9aa47b325acb84f5e39b97ea4cea959797586efac5d33b20cc031379bb37d27b9d9c3fd6b5fa139a89e20a973a5369bcb3de7e

Download Submit
C:\Windows\{69C2E650-F2D6-49c2-A396-B7A6D47699BA}.exe

Filesize
408KB

MD5
faa866be6fd4963b646d4f776e76d4f8

SHA1
060a1a03f306e0ba200afcc6dc9d7b51101661e1

SHA256
36e7189bd9faf2cb5bef6c5cb72dfe16cc0076708aea1478004dbc581c150693

SHA512
61e3bb86668eb902d943161b91ebb5371fb051ef1daffecac9a8f69c94fcbeedc1b47fb2f0dbad56d50f247e8da4dfe4baa8b05af910982c02fe782fd64122a5

Download Submit
C:\Windows\{900AEB06-583F-42fe-BFAC-2E36342BBC4B}.exe

Filesize
408KB

MD5
a6fb2fcefd9056884b958219a4388f81

SHA1
680eb3f9505603f3b7345633e685a115bc2273a5

SHA256
afbd9cb553d8548cc5a3ab116423d90ea6ec4d010026eba6bfbededc3be92b35

SHA512
abd81c3c7d981a7289454c62406d5fee3eed3e7514e8d899da4bdb7ce76466122f36f2f6a380398bcb431b3c566e1f5c076d2f12bc01dd4f97ec1de945ee0c45

Download Submit
C:\Windows\{A144FE8A-89C7-440a-A61B-75DE6AF3CCBB}.exe

Filesize
408KB

MD5
52046979529815b9385e3da842b15298

SHA1
51fe529717f50ee55bc7b30a484566e4c13b3b63

SHA256
8d20ceb690e918eb7e20da4a89d098a0f1749159967e8ff03cc98f09dae6051b

SHA512
6d0833cbde2f9a8d4342cbfdf25df732d3ab8422a7d4d2ddf2e8066d9b3eadec67c6eacc4ae405a3003004138eead219818d824ba01984771daed9277a3c02c4

Download Submit
C:\Windows\{BC86B240-4758-4f7c-B296-9AE6FDEB50DF}.exe

Filesize
408KB

MD5
cd7aeaae20c32976ee240c4fc94ef94d

SHA1
f1a65f746245e5165a8a89ffd1a3b768af05ce4d

SHA256
dde529c8f2e5feabbe00f30c71d44042c1a63f190f3ab4bde35d215ec8558cca

SHA512
e9c39d9818203945a91b98c519563540fb7313efee16ce2a3ddcc2926924d9fdece22aaf5c0e45c97589af5e7728e1d771aa078e312fa09a66e22cfd186d074e

Download Submit
C:\Windows\{C01097B2-5539-472c-8B5C-2E8349A956B1}.exe

Filesize
408KB

MD5
e2374a77a2850d0cfe876da5ceb74660

SHA1
d40929e999fb0b017e99267f037c09a5c061133d

SHA256
fb0f510dd34751cfc688caa050a95dc04662421e86406fc1f472915936e6253a

SHA512
b75818fe71551c380470d29eb6eb25108b829ad11187926be43b51c4b594ff3b27b14b89097e599b9a6fc9c2b4995600ff27b2088b9165159548df6d79c05262

Download Submit
C:\Windows\{C41D3639-D3C5-4c2a-A7B2-CE67FFBF7B1E}.exe

Filesize
408KB

MD5
69e267c9515b87da9043c0aa8081417f

SHA1
eaa0eea16caf12e16772cb52393e89d7c9e9dcf9

SHA256
d9055e592c4805459145f9eccdf021acd3ceb62be545568668f7537c4ab84efe

SHA512
6b728771643223ce4b4f086a16ea737c889564585462d3fe2122d9192c58bf5e93f3e546f1209f31ad16e3dcab0120cd971c6eec525dae4acc0ab598c52bd636

Download Submit
C:\Windows\{C52E22F8-A26D-45b5-BD20-B62A3B6FC822}.exe

Filesize
408KB

MD5
52d366f6dc21a32d8620e59e4d101433

SHA1
92697715bf79bf3556ad29f67f67b292841d4fc0

SHA256
f83ce421e8919ac0584cdb0655e21e796f2dfa0ac43c8ee648749805a1ffe336

SHA512
7f12a1c151393cfd94a22f2529ddd6ca7796f370bead9078e1c1a58f2d5b39d7ca45a1450c6818a6f18640ee3a9d73183cbd8ba8d44d626a72b987835dfa4b48

Download Submit
C:\Windows\{D3B79BAD-A1B6-4027-8BAB-54189F471914}.exe

Filesize
408KB

MD5
6699b4704a298ab923bd72db68e73d48

SHA1
b4e20af6df62997ed8a9395931d4d91850cff95b

SHA256
4c812150f4f2bd3ddcb8ab15d0c9f7cda943b0ba4071c3538e94b4347b382ddf

SHA512
270b20a08fa0d3ac209171c84fa3d24365934d30ec223fc14479bb58dd15428c19a9709b7905c432f4be577cd4fd6508e3d818099c870c53d3a5bce4dacc0be5

Download Submit
C:\Windows\{F7097290-1F92-4b2a-862E-45FD0B9500EF}.exe

Filesize
408KB

MD5
467e5d194f32763ed1fcf25325993ff2

SHA1
0f3e2e5356b08e7a5bdda13fb466c1acc80e0ab5

SHA256
0e018703181c2b0f853dc05b2173ba79235e7d21cfed16f4f47781ef21f20138

SHA512
e80a47811d0dd79d3bebebf98b6df321a5db417ab7572b702a5ccc96142f429bcd35052bd8a85abac0ab5178bd960ec6835f74ba85d6c2e8d1a1d8d1f3db4d70

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads