ffdedd4d5c15beafb0cf018b71e159340300c7df31a0face94b95022f81a4f18

Analysis

max time kernel
144s
max time network
126s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
12/02/2024, 07:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-12_691ef980cd9dcbabb34ef666a8ae7c76_goldeneye.exe
Size

204KB
MD5

691ef980cd9dcbabb34ef666a8ae7c76
SHA1

659ecc1d4020b865c0547fa4625e5e45056e9b81
SHA256

ffdedd4d5c15beafb0cf018b71e159340300c7df31a0face94b95022f81a4f18
SHA512

0d10685fe381194581e1701c9ffa52d7e668cdf9d48fc5356a5884eab223bbfded7e730dda2878d22c8479755538e426cc49bf08263ec55f94ddb7220012a9d9
SSDEEP

1536:1EGh0oDGl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oql1OPOe2MUVg3Ve+rXfMUy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000a00000001225a-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000012284-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b00000001225a-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c00000001225a-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d00000001225a-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e00000001225a-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f00000001225a-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{81AE94A3-9FD9-40d8-9FD6-487E9A6B31F5}\stubpath = "C:\\Windows\\{81AE94A3-9FD9-40d8-9FD6-487E9A6B31F5}.exe"	{9B8D4A69-B8BA-45c2-968B-26D1CC3C10CA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{06045425-9BDF-4561-98CA-6C22E8C3E452}\stubpath = "C:\\Windows\\{06045425-9BDF-4561-98CA-6C22E8C3E452}.exe"	{81AE94A3-9FD9-40d8-9FD6-487E9A6B31F5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6E60416F-BDA9-4f11-8F1B-0D9F7387EDFA}	2024-02-12_691ef980cd9dcbabb34ef666a8ae7c76_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1316B177-AE11-40c5-926B-81C40FA316ED}	{BFE46E09-4071-42e5-A732-3807D0B94618}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1316B177-AE11-40c5-926B-81C40FA316ED}\stubpath = "C:\\Windows\\{1316B177-AE11-40c5-926B-81C40FA316ED}.exe"	{BFE46E09-4071-42e5-A732-3807D0B94618}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6ED93EE4-48FA-4bac-B5FA-E0D103CA5950}	{1316B177-AE11-40c5-926B-81C40FA316ED}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3BE6BA42-1A48-4666-AB63-32181F9CE373}\stubpath = "C:\\Windows\\{3BE6BA42-1A48-4666-AB63-32181F9CE373}.exe"	{6ED93EE4-48FA-4bac-B5FA-E0D103CA5950}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{592EEA4D-087F-4288-A424-1B3D4A7916A1}\stubpath = "C:\\Windows\\{592EEA4D-087F-4288-A424-1B3D4A7916A1}.exe"	{4FB2A193-08DA-4efd-8CFB-CDE6D548AB6A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F820761D-A0A0-4754-9BAB-B4585036C4D0}\stubpath = "C:\\Windows\\{F820761D-A0A0-4754-9BAB-B4585036C4D0}.exe"	{06045425-9BDF-4561-98CA-6C22E8C3E452}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9B8D4A69-B8BA-45c2-968B-26D1CC3C10CA}	{592EEA4D-087F-4288-A424-1B3D4A7916A1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{81AE94A3-9FD9-40d8-9FD6-487E9A6B31F5}	{9B8D4A69-B8BA-45c2-968B-26D1CC3C10CA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{06045425-9BDF-4561-98CA-6C22E8C3E452}	{81AE94A3-9FD9-40d8-9FD6-487E9A6B31F5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4FB2A193-08DA-4efd-8CFB-CDE6D548AB6A}\stubpath = "C:\\Windows\\{4FB2A193-08DA-4efd-8CFB-CDE6D548AB6A}.exe"	{3BE6BA42-1A48-4666-AB63-32181F9CE373}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{592EEA4D-087F-4288-A424-1B3D4A7916A1}	{4FB2A193-08DA-4efd-8CFB-CDE6D548AB6A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9B8D4A69-B8BA-45c2-968B-26D1CC3C10CA}\stubpath = "C:\\Windows\\{9B8D4A69-B8BA-45c2-968B-26D1CC3C10CA}.exe"	{592EEA4D-087F-4288-A424-1B3D4A7916A1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F820761D-A0A0-4754-9BAB-B4585036C4D0}	{06045425-9BDF-4561-98CA-6C22E8C3E452}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6E60416F-BDA9-4f11-8F1B-0D9F7387EDFA}\stubpath = "C:\\Windows\\{6E60416F-BDA9-4f11-8F1B-0D9F7387EDFA}.exe"	2024-02-12_691ef980cd9dcbabb34ef666a8ae7c76_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BFE46E09-4071-42e5-A732-3807D0B94618}	{6E60416F-BDA9-4f11-8F1B-0D9F7387EDFA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BFE46E09-4071-42e5-A732-3807D0B94618}\stubpath = "C:\\Windows\\{BFE46E09-4071-42e5-A732-3807D0B94618}.exe"	{6E60416F-BDA9-4f11-8F1B-0D9F7387EDFA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6ED93EE4-48FA-4bac-B5FA-E0D103CA5950}\stubpath = "C:\\Windows\\{6ED93EE4-48FA-4bac-B5FA-E0D103CA5950}.exe"	{1316B177-AE11-40c5-926B-81C40FA316ED}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3BE6BA42-1A48-4666-AB63-32181F9CE373}	{6ED93EE4-48FA-4bac-B5FA-E0D103CA5950}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4FB2A193-08DA-4efd-8CFB-CDE6D548AB6A}	{3BE6BA42-1A48-4666-AB63-32181F9CE373}.exe

Executes dropped EXE 11 IoCs

pid	Process
2348	{6E60416F-BDA9-4f11-8F1B-0D9F7387EDFA}.exe
2300	{BFE46E09-4071-42e5-A732-3807D0B94618}.exe
2756	{1316B177-AE11-40c5-926B-81C40FA316ED}.exe
2944	{6ED93EE4-48FA-4bac-B5FA-E0D103CA5950}.exe
2148	{3BE6BA42-1A48-4666-AB63-32181F9CE373}.exe
1928	{4FB2A193-08DA-4efd-8CFB-CDE6D548AB6A}.exe
2836	{592EEA4D-087F-4288-A424-1B3D4A7916A1}.exe
1620	{9B8D4A69-B8BA-45c2-968B-26D1CC3C10CA}.exe
2292	{81AE94A3-9FD9-40d8-9FD6-487E9A6B31F5}.exe
1068	{06045425-9BDF-4561-98CA-6C22E8C3E452}.exe
584	{F820761D-A0A0-4754-9BAB-B4585036C4D0}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{6E60416F-BDA9-4f11-8F1B-0D9F7387EDFA}.exe	2024-02-12_691ef980cd9dcbabb34ef666a8ae7c76_goldeneye.exe
File created	C:\Windows\{BFE46E09-4071-42e5-A732-3807D0B94618}.exe	{6E60416F-BDA9-4f11-8F1B-0D9F7387EDFA}.exe
File created	C:\Windows\{6ED93EE4-48FA-4bac-B5FA-E0D103CA5950}.exe	{1316B177-AE11-40c5-926B-81C40FA316ED}.exe
File created	C:\Windows\{4FB2A193-08DA-4efd-8CFB-CDE6D548AB6A}.exe	{3BE6BA42-1A48-4666-AB63-32181F9CE373}.exe
File created	C:\Windows\{81AE94A3-9FD9-40d8-9FD6-487E9A6B31F5}.exe	{9B8D4A69-B8BA-45c2-968B-26D1CC3C10CA}.exe
File created	C:\Windows\{06045425-9BDF-4561-98CA-6C22E8C3E452}.exe	{81AE94A3-9FD9-40d8-9FD6-487E9A6B31F5}.exe
File created	C:\Windows\{F820761D-A0A0-4754-9BAB-B4585036C4D0}.exe	{06045425-9BDF-4561-98CA-6C22E8C3E452}.exe
File created	C:\Windows\{1316B177-AE11-40c5-926B-81C40FA316ED}.exe	{BFE46E09-4071-42e5-A732-3807D0B94618}.exe
File created	C:\Windows\{3BE6BA42-1A48-4666-AB63-32181F9CE373}.exe	{6ED93EE4-48FA-4bac-B5FA-E0D103CA5950}.exe
File created	C:\Windows\{592EEA4D-087F-4288-A424-1B3D4A7916A1}.exe	{4FB2A193-08DA-4efd-8CFB-CDE6D548AB6A}.exe
File created	C:\Windows\{9B8D4A69-B8BA-45c2-968B-26D1CC3C10CA}.exe	{592EEA4D-087F-4288-A424-1B3D4A7916A1}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1684	2024-02-12_691ef980cd9dcbabb34ef666a8ae7c76_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2348	{6E60416F-BDA9-4f11-8F1B-0D9F7387EDFA}.exe
Token: SeIncBasePriorityPrivilege	2300	{BFE46E09-4071-42e5-A732-3807D0B94618}.exe
Token: SeIncBasePriorityPrivilege	2756	{1316B177-AE11-40c5-926B-81C40FA316ED}.exe
Token: SeIncBasePriorityPrivilege	2944	{6ED93EE4-48FA-4bac-B5FA-E0D103CA5950}.exe
Token: SeIncBasePriorityPrivilege	2148	{3BE6BA42-1A48-4666-AB63-32181F9CE373}.exe
Token: SeIncBasePriorityPrivilege	1928	{4FB2A193-08DA-4efd-8CFB-CDE6D548AB6A}.exe
Token: SeIncBasePriorityPrivilege	2836	{592EEA4D-087F-4288-A424-1B3D4A7916A1}.exe
Token: SeIncBasePriorityPrivilege	1620	{9B8D4A69-B8BA-45c2-968B-26D1CC3C10CA}.exe
Token: SeIncBasePriorityPrivilege	2292	{81AE94A3-9FD9-40d8-9FD6-487E9A6B31F5}.exe
Token: SeIncBasePriorityPrivilege	1068	{06045425-9BDF-4561-98CA-6C22E8C3E452}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1684 wrote to memory of 2348	1684	2024-02-12_691ef980cd9dcbabb34ef666a8ae7c76_goldeneye.exe	28
PID 1684 wrote to memory of 2348	1684	2024-02-12_691ef980cd9dcbabb34ef666a8ae7c76_goldeneye.exe	28
PID 1684 wrote to memory of 2348	1684	2024-02-12_691ef980cd9dcbabb34ef666a8ae7c76_goldeneye.exe	28
PID 1684 wrote to memory of 2348	1684	2024-02-12_691ef980cd9dcbabb34ef666a8ae7c76_goldeneye.exe	28
PID 1684 wrote to memory of 2856	1684	2024-02-12_691ef980cd9dcbabb34ef666a8ae7c76_goldeneye.exe	29
PID 1684 wrote to memory of 2856	1684	2024-02-12_691ef980cd9dcbabb34ef666a8ae7c76_goldeneye.exe	29
PID 1684 wrote to memory of 2856	1684	2024-02-12_691ef980cd9dcbabb34ef666a8ae7c76_goldeneye.exe	29
PID 1684 wrote to memory of 2856	1684	2024-02-12_691ef980cd9dcbabb34ef666a8ae7c76_goldeneye.exe	29
PID 2348 wrote to memory of 2300	2348	{6E60416F-BDA9-4f11-8F1B-0D9F7387EDFA}.exe	30
PID 2348 wrote to memory of 2300	2348	{6E60416F-BDA9-4f11-8F1B-0D9F7387EDFA}.exe	30
PID 2348 wrote to memory of 2300	2348	{6E60416F-BDA9-4f11-8F1B-0D9F7387EDFA}.exe	30
PID 2348 wrote to memory of 2300	2348	{6E60416F-BDA9-4f11-8F1B-0D9F7387EDFA}.exe	30
PID 2348 wrote to memory of 2888	2348	{6E60416F-BDA9-4f11-8F1B-0D9F7387EDFA}.exe	31
PID 2348 wrote to memory of 2888	2348	{6E60416F-BDA9-4f11-8F1B-0D9F7387EDFA}.exe	31
PID 2348 wrote to memory of 2888	2348	{6E60416F-BDA9-4f11-8F1B-0D9F7387EDFA}.exe	31
PID 2348 wrote to memory of 2888	2348	{6E60416F-BDA9-4f11-8F1B-0D9F7387EDFA}.exe	31
PID 2300 wrote to memory of 2756	2300	{BFE46E09-4071-42e5-A732-3807D0B94618}.exe	33
PID 2300 wrote to memory of 2756	2300	{BFE46E09-4071-42e5-A732-3807D0B94618}.exe	33
PID 2300 wrote to memory of 2756	2300	{BFE46E09-4071-42e5-A732-3807D0B94618}.exe	33
PID 2300 wrote to memory of 2756	2300	{BFE46E09-4071-42e5-A732-3807D0B94618}.exe	33
PID 2300 wrote to memory of 1924	2300	{BFE46E09-4071-42e5-A732-3807D0B94618}.exe	32
PID 2300 wrote to memory of 1924	2300	{BFE46E09-4071-42e5-A732-3807D0B94618}.exe	32
PID 2300 wrote to memory of 1924	2300	{BFE46E09-4071-42e5-A732-3807D0B94618}.exe	32
PID 2300 wrote to memory of 1924	2300	{BFE46E09-4071-42e5-A732-3807D0B94618}.exe	32
PID 2756 wrote to memory of 2944	2756	{1316B177-AE11-40c5-926B-81C40FA316ED}.exe	36
PID 2756 wrote to memory of 2944	2756	{1316B177-AE11-40c5-926B-81C40FA316ED}.exe	36
PID 2756 wrote to memory of 2944	2756	{1316B177-AE11-40c5-926B-81C40FA316ED}.exe	36
PID 2756 wrote to memory of 2944	2756	{1316B177-AE11-40c5-926B-81C40FA316ED}.exe	36
PID 2756 wrote to memory of 2996	2756	{1316B177-AE11-40c5-926B-81C40FA316ED}.exe	37
PID 2756 wrote to memory of 2996	2756	{1316B177-AE11-40c5-926B-81C40FA316ED}.exe	37
PID 2756 wrote to memory of 2996	2756	{1316B177-AE11-40c5-926B-81C40FA316ED}.exe	37
PID 2756 wrote to memory of 2996	2756	{1316B177-AE11-40c5-926B-81C40FA316ED}.exe	37
PID 2944 wrote to memory of 2148	2944	{6ED93EE4-48FA-4bac-B5FA-E0D103CA5950}.exe	39
PID 2944 wrote to memory of 2148	2944	{6ED93EE4-48FA-4bac-B5FA-E0D103CA5950}.exe	39
PID 2944 wrote to memory of 2148	2944	{6ED93EE4-48FA-4bac-B5FA-E0D103CA5950}.exe	39
PID 2944 wrote to memory of 2148	2944	{6ED93EE4-48FA-4bac-B5FA-E0D103CA5950}.exe	39
PID 2944 wrote to memory of 2780	2944	{6ED93EE4-48FA-4bac-B5FA-E0D103CA5950}.exe	38
PID 2944 wrote to memory of 2780	2944	{6ED93EE4-48FA-4bac-B5FA-E0D103CA5950}.exe	38
PID 2944 wrote to memory of 2780	2944	{6ED93EE4-48FA-4bac-B5FA-E0D103CA5950}.exe	38
PID 2944 wrote to memory of 2780	2944	{6ED93EE4-48FA-4bac-B5FA-E0D103CA5950}.exe	38
PID 2148 wrote to memory of 1928	2148	{3BE6BA42-1A48-4666-AB63-32181F9CE373}.exe	41
PID 2148 wrote to memory of 1928	2148	{3BE6BA42-1A48-4666-AB63-32181F9CE373}.exe	41
PID 2148 wrote to memory of 1928	2148	{3BE6BA42-1A48-4666-AB63-32181F9CE373}.exe	41
PID 2148 wrote to memory of 1928	2148	{3BE6BA42-1A48-4666-AB63-32181F9CE373}.exe	41
PID 2148 wrote to memory of 1500	2148	{3BE6BA42-1A48-4666-AB63-32181F9CE373}.exe	40
PID 2148 wrote to memory of 1500	2148	{3BE6BA42-1A48-4666-AB63-32181F9CE373}.exe	40
PID 2148 wrote to memory of 1500	2148	{3BE6BA42-1A48-4666-AB63-32181F9CE373}.exe	40
PID 2148 wrote to memory of 1500	2148	{3BE6BA42-1A48-4666-AB63-32181F9CE373}.exe	40
PID 1928 wrote to memory of 2836	1928	{4FB2A193-08DA-4efd-8CFB-CDE6D548AB6A}.exe	42
PID 1928 wrote to memory of 2836	1928	{4FB2A193-08DA-4efd-8CFB-CDE6D548AB6A}.exe	42
PID 1928 wrote to memory of 2836	1928	{4FB2A193-08DA-4efd-8CFB-CDE6D548AB6A}.exe	42
PID 1928 wrote to memory of 2836	1928	{4FB2A193-08DA-4efd-8CFB-CDE6D548AB6A}.exe	42
PID 1928 wrote to memory of 2924	1928	{4FB2A193-08DA-4efd-8CFB-CDE6D548AB6A}.exe	43
PID 1928 wrote to memory of 2924	1928	{4FB2A193-08DA-4efd-8CFB-CDE6D548AB6A}.exe	43
PID 1928 wrote to memory of 2924	1928	{4FB2A193-08DA-4efd-8CFB-CDE6D548AB6A}.exe	43
PID 1928 wrote to memory of 2924	1928	{4FB2A193-08DA-4efd-8CFB-CDE6D548AB6A}.exe	43
PID 2836 wrote to memory of 1620	2836	{592EEA4D-087F-4288-A424-1B3D4A7916A1}.exe	44
PID 2836 wrote to memory of 1620	2836	{592EEA4D-087F-4288-A424-1B3D4A7916A1}.exe	44
PID 2836 wrote to memory of 1620	2836	{592EEA4D-087F-4288-A424-1B3D4A7916A1}.exe	44
PID 2836 wrote to memory of 1620	2836	{592EEA4D-087F-4288-A424-1B3D4A7916A1}.exe	44
PID 2836 wrote to memory of 1348	2836	{592EEA4D-087F-4288-A424-1B3D4A7916A1}.exe	45
PID 2836 wrote to memory of 1348	2836	{592EEA4D-087F-4288-A424-1B3D4A7916A1}.exe	45
PID 2836 wrote to memory of 1348	2836	{592EEA4D-087F-4288-A424-1B3D4A7916A1}.exe	45
PID 2836 wrote to memory of 1348	2836	{592EEA4D-087F-4288-A424-1B3D4A7916A1}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-02-12_691ef980cd9dcbabb34ef666a8ae7c76_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-12_691ef980cd9dcbabb34ef666a8ae7c76_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1684
- C:\Windows\{6E60416F-BDA9-4f11-8F1B-0D9F7387EDFA}.exe
  C:\Windows\{6E60416F-BDA9-4f11-8F1B-0D9F7387EDFA}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2348
- - C:\Windows\{BFE46E09-4071-42e5-A732-3807D0B94618}.exe
    C:\Windows\{BFE46E09-4071-42e5-A732-3807D0B94618}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2300
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{BFE46~1.EXE > nul
      4⤵
      PID:1924
  - - C:\Windows\{1316B177-AE11-40c5-926B-81C40FA316ED}.exe
      C:\Windows\{1316B177-AE11-40c5-926B-81C40FA316ED}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2756
    - - C:\Windows\{6ED93EE4-48FA-4bac-B5FA-E0D103CA5950}.exe
        
        C:\Windows\{6ED93EE4-48FA-4bac-B5FA-E0D103CA5950}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2944
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6ED93~1.EXE > nul
        6⤵
        
        PID:2780
      - C:\Windows\{3BE6BA42-1A48-4666-AB63-32181F9CE373}.exe
        
        C:\Windows\{3BE6BA42-1A48-4666-AB63-32181F9CE373}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3BE6B~1.EXE > nul
        7⤵
        
        PID:1500
        
        C:\Windows\{4FB2A193-08DA-4efd-8CFB-CDE6D548AB6A}.exe
        
        C:\Windows\{4FB2A193-08DA-4efd-8CFB-CDE6D548AB6A}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1928
        
        C:\Windows\{592EEA4D-087F-4288-A424-1B3D4A7916A1}.exe
        
        C:\Windows\{592EEA4D-087F-4288-A424-1B3D4A7916A1}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2836
        
        C:\Windows\{9B8D4A69-B8BA-45c2-968B-26D1CC3C10CA}.exe
        
        C:\Windows\{9B8D4A69-B8BA-45c2-968B-26D1CC3C10CA}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1620
        
        C:\Windows\{81AE94A3-9FD9-40d8-9FD6-487E9A6B31F5}.exe
        
        C:\Windows\{81AE94A3-9FD9-40d8-9FD6-487E9A6B31F5}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2292
        
        C:\Windows\{06045425-9BDF-4561-98CA-6C22E8C3E452}.exe
        
        C:\Windows\{06045425-9BDF-4561-98CA-6C22E8C3E452}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1068
        
        C:\Windows\{F820761D-A0A0-4754-9BAB-B4585036C4D0}.exe
        
        C:\Windows\{F820761D-A0A0-4754-9BAB-B4585036C4D0}.exe
        12⤵
        Executes dropped EXE
        
        PID:584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{06045~1.EXE > nul
        12⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{81AE9~1.EXE > nul
        11⤵
        
        PID:1884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9B8D4~1.EXE > nul
        10⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{592EE~1.EXE > nul
        9⤵
        
        PID:1348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4FB2A~1.EXE > nul
        8⤵
        
        PID:2924
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1316B~1.EXE > nul
        5⤵
        
        PID:2996
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{6E604~1.EXE > nul
    3⤵
    PID:2888
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{06045425-9BDF-4561-98CA-6C22E8C3E452}.exe

Filesize
204KB

MD5
bdbaca5a4ffad080253506d093bbda1b

SHA1
d6f94e13ef97a1eedd4d9dae5e92587d19575e26

SHA256
6e321170d049b77d86592d46c8189fb4141bdeed1074a0ceae6c28c50117c7be

SHA512
275cc9e26d00758e3e16a178243a3168a88f47405246c193f2bca603cddc7948dea1ae9fe5fc93e2ee08bf27d08f8f50a393f6dc0fb887b2a09f37b89a1ea6ee

Download Submit
C:\Windows\{1316B177-AE11-40c5-926B-81C40FA316ED}.exe

Filesize
204KB

MD5
ec6c488eefeb027bccb91e058d233285

SHA1
ba59cb446886763e3d9bdd0f20703dde12289bf6

SHA256
5f94d961076d07ab7091bfb33e016d88a34402c23d02581d6b8362ff178f1f92

SHA512
f0fc93b05d431f97d933ec9700a9bb27e62ad00a794b734e94582e72ef1107bdbb6a3de2c83071f20f66371d60abd992838542f8474879587552f2892ff4fcac

Download Submit
C:\Windows\{3BE6BA42-1A48-4666-AB63-32181F9CE373}.exe

Filesize
204KB

MD5
223d42834aef0bb5bb789358ee503a50

SHA1
39891b15a344487c1594d4d2e552369d4d4e9705

SHA256
696ee673124d04d120525a58a79d54f15d7630e1b8c2d19f18b5017198b61689

SHA512
4b05d497b04a434af18cbae02ae703ec838c771a8ca246413cf53f846eb358accb07008103e38c4a1ed63bfecae8aa343d69d71b99c0b2c4a326e040feaba234

Download Submit
C:\Windows\{4FB2A193-08DA-4efd-8CFB-CDE6D548AB6A}.exe

Filesize
204KB

MD5
a571dd78b46911461fb3929e1c09188a

SHA1
d1ead82d3f6d5328e1f55cb5e5daf6baa40fc59d

SHA256
4ddde1118c05a62ffdc502ec5ccb51fd9cabb78e5268eacecce0717dd9c0c32f

SHA512
44a6d088e31082338ce8ae1aa75319aa0b87c3392d7eaa1587ce4c7bf91eef980524a644c0f1cbc478a20c614750c702cd1c9465ceef8ee016ef0960cb6dd445

Download Submit
C:\Windows\{592EEA4D-087F-4288-A424-1B3D4A7916A1}.exe

Filesize
204KB

MD5
38c45839302a98ad81b3e99bb81398bb

SHA1
145efddde7c2aed060cf6afe55b5fad25aa62965

SHA256
5f949da2035d2c73dd869eedb70d88dd65761cd371b7d72e0b41d9f6c6e7d28a

SHA512
93ee3c729712dde27038151e432005e2ce423f8fd79d6ae9e7602e1e64fac2b2b9f7f59c5d559c3f2e81da2914f0d1e23dbbc409c15e117cdae04a464bbcdec4

Download Submit
C:\Windows\{6E60416F-BDA9-4f11-8F1B-0D9F7387EDFA}.exe

Filesize
204KB

MD5
49e082593c70a96f6fd7ecc79fdd22ee

SHA1
a09d6db9b2f59620145c8b36280b6447ac3c992c

SHA256
0f520fb2533c51dfe41cdbf45d69e0fa003bcdd53efa9b80cb81ee1ed4befd1e

SHA512
0646e57415f148ccd5e0d25ef91b59280d790fdee3e17c8a30f71c0f6e7ed66801957a11133656ee7e6b6e798135e0623c351b03ff11acd21c809ff3ea492a34

Download Submit
C:\Windows\{6ED93EE4-48FA-4bac-B5FA-E0D103CA5950}.exe

Filesize
204KB

MD5
6409af7fba79763c15ff7b48a5c69cc6

SHA1
23993aae6cd66dc266d21488455d9627531539c6

SHA256
6da0be53b909e23be26ec9bc371c2a134890f48dbfe8dd41e88370dd154a1720

SHA512
b5d96730dd6d0e2d5d1d308d7f21aad1f2406eaf55844564a855d1ffcf2627bd0cbf32f2393fd43729e98d441f035141ce8f09485f39a4a74a5a3c2c93921cae

Download Submit
C:\Windows\{81AE94A3-9FD9-40d8-9FD6-487E9A6B31F5}.exe

Filesize
204KB

MD5
7be29ed8767ac4293b085a534e21e75a

SHA1
1ee037ccfd1a70139c404d3e524205f91ec32e49

SHA256
16954d12a072211bae9e47d186b3cdbf50f4abf97f2593c8a3c53419052924b0

SHA512
11de0e2cd268999ef94ca8a615f0e7ba42e60e950246e94f7a0750e4df38a80f9b2fc6bf76747fa9de58c4bcf4262937855181f7a850a345df38849d84498ce2

Download Submit
C:\Windows\{9B8D4A69-B8BA-45c2-968B-26D1CC3C10CA}.exe

Filesize
204KB

MD5
fc2498c66c3f1ad5b0f34abda060ad72

SHA1
9955c07341c003da7127ed767a7ff26e907a70c8

SHA256
ad3fe4f9275386113515f618de2841152914cf7ec90d7f24a75619d22a246bb4

SHA512
8aa1e465ca4d91e7b05545974c7f902c6c35310e49a359d94c448154caeaed5f873de6d64155c7758a028c787b2eb3f8407a7acfb1c870b95b5bea73cbda9eae

Download Submit
C:\Windows\{BFE46E09-4071-42e5-A732-3807D0B94618}.exe

Filesize
204KB

MD5
7b7043be9b46d6c97e5f7f719b6fa9e2

SHA1
56ede4ae797eca49f61629708d67b0e3d51d974b

SHA256
5ed5d75bd2ae1cb9cec23db04b017ad096186634f5e59981f6457bdb37c2d5fe

SHA512
aec6821c5879f56b463a60a7c04e83a42a18f0c16f4fb043bdf823caedf150d183d8def0cc20fe5f3c3bfc8074146af9c49d4e2a8a78b4fab2e5708e7f88ce5b

Download Submit
C:\Windows\{F820761D-A0A0-4754-9BAB-B4585036C4D0}.exe

Filesize
204KB

MD5
d133d7c3c6b2ae7e9c71cdd9906b6ed1

SHA1
dc9a3385999a8786b5dfff150b2f67c6a7588fa8

SHA256
1878628706d655b996b1879358bd35e1319fea570ef7f8dd1f7e5e5b1660f0c7

SHA512
6f5da9b9121db68d726c4e781680f6916e6750eaf24a941f68f0866df9d1f9a601c656e82f179759854f45d9f9ffb2d8bdfd52873e3d97306c50628175f2e6fa

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads