6106faba29992c3359e54dd8c090fefec00ad505f393c54088151402e4e06165

Analysis

max time kernel
144s
max time network
119s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
13/02/2024, 06:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-13_de0e781a0c15e4170dd892d1b19a7b50_goldeneye.exe
Size

197KB
MD5

de0e781a0c15e4170dd892d1b19a7b50
SHA1

0870e8878eced1fc239c571df8f53d6e1695275b
SHA256

6106faba29992c3359e54dd8c090fefec00ad505f393c54088151402e4e06165
SHA512

0715005fe00e27c09ba963dce1f47b35e6b4891a170543aab05601935a2f7c5f98a1a20ded3fe185456db0144a7ccf455e3816c543bc30bfd82f273e53cf8005
SSDEEP

3072:jEGh0oel+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGAlEeKcAEca

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000c000000012329-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b000000014ab5-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000012329-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x003700000001508a-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e000000012329-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f000000012329-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0010000000012329-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{077B6A69-9F72-4de5-9C96-68843DFBD4F1}	2024-02-13_de0e781a0c15e4170dd892d1b19a7b50_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CA5F6C3A-ED48-4f0e-8884-BCB2082619D7}\stubpath = "C:\\Windows\\{CA5F6C3A-ED48-4f0e-8884-BCB2082619D7}.exe"	{077B6A69-9F72-4de5-9C96-68843DFBD4F1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7ABA5AA2-5B3E-462c-B481-D1D5F92AD24F}\stubpath = "C:\\Windows\\{7ABA5AA2-5B3E-462c-B481-D1D5F92AD24F}.exe"	{CA5F6C3A-ED48-4f0e-8884-BCB2082619D7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6541FB79-A3EE-4d48-885D-99EB175A4C6D}\stubpath = "C:\\Windows\\{6541FB79-A3EE-4d48-885D-99EB175A4C6D}.exe"	{981A8496-E449-4fba-96A1-6087AF89D44C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E3FCA4CC-90A7-4d16-9FBF-B5B2FDD4D91C}	{6541FB79-A3EE-4d48-885D-99EB175A4C6D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7ABA5AA2-5B3E-462c-B481-D1D5F92AD24F}	{CA5F6C3A-ED48-4f0e-8884-BCB2082619D7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{981A8496-E449-4fba-96A1-6087AF89D44C}	{8DA9582C-E114-4ca0-BB18-A4032C7E6818}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6541FB79-A3EE-4d48-885D-99EB175A4C6D}	{981A8496-E449-4fba-96A1-6087AF89D44C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{40976E7C-D302-4f19-BB5E-D7F5C54F818C}\stubpath = "C:\\Windows\\{40976E7C-D302-4f19-BB5E-D7F5C54F818C}.exe"	{58AB76A2-9DB4-4bcc-99B6-B10FA963E053}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{21C4A2B7-F822-43fe-B8BC-1FFDFCB9E987}	{40976E7C-D302-4f19-BB5E-D7F5C54F818C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CA5F6C3A-ED48-4f0e-8884-BCB2082619D7}	{077B6A69-9F72-4de5-9C96-68843DFBD4F1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E3FCA4CC-90A7-4d16-9FBF-B5B2FDD4D91C}\stubpath = "C:\\Windows\\{E3FCA4CC-90A7-4d16-9FBF-B5B2FDD4D91C}.exe"	{6541FB79-A3EE-4d48-885D-99EB175A4C6D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{58AB76A2-9DB4-4bcc-99B6-B10FA963E053}\stubpath = "C:\\Windows\\{58AB76A2-9DB4-4bcc-99B6-B10FA963E053}.exe"	{E3FCA4CC-90A7-4d16-9FBF-B5B2FDD4D91C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{40976E7C-D302-4f19-BB5E-D7F5C54F818C}	{58AB76A2-9DB4-4bcc-99B6-B10FA963E053}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{981A8496-E449-4fba-96A1-6087AF89D44C}\stubpath = "C:\\Windows\\{981A8496-E449-4fba-96A1-6087AF89D44C}.exe"	{8DA9582C-E114-4ca0-BB18-A4032C7E6818}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{58AB76A2-9DB4-4bcc-99B6-B10FA963E053}	{E3FCA4CC-90A7-4d16-9FBF-B5B2FDD4D91C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{21C4A2B7-F822-43fe-B8BC-1FFDFCB9E987}\stubpath = "C:\\Windows\\{21C4A2B7-F822-43fe-B8BC-1FFDFCB9E987}.exe"	{40976E7C-D302-4f19-BB5E-D7F5C54F818C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{077B6A69-9F72-4de5-9C96-68843DFBD4F1}\stubpath = "C:\\Windows\\{077B6A69-9F72-4de5-9C96-68843DFBD4F1}.exe"	2024-02-13_de0e781a0c15e4170dd892d1b19a7b50_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{46340946-F65C-4001-81BE-F49DE3FF3FE5}	{7ABA5AA2-5B3E-462c-B481-D1D5F92AD24F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{46340946-F65C-4001-81BE-F49DE3FF3FE5}\stubpath = "C:\\Windows\\{46340946-F65C-4001-81BE-F49DE3FF3FE5}.exe"	{7ABA5AA2-5B3E-462c-B481-D1D5F92AD24F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8DA9582C-E114-4ca0-BB18-A4032C7E6818}	{46340946-F65C-4001-81BE-F49DE3FF3FE5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8DA9582C-E114-4ca0-BB18-A4032C7E6818}\stubpath = "C:\\Windows\\{8DA9582C-E114-4ca0-BB18-A4032C7E6818}.exe"	{46340946-F65C-4001-81BE-F49DE3FF3FE5}.exe

Deletes itself 1 IoCs

pid	Process
2760	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
1648	{077B6A69-9F72-4de5-9C96-68843DFBD4F1}.exe
2696	{CA5F6C3A-ED48-4f0e-8884-BCB2082619D7}.exe
2824	{7ABA5AA2-5B3E-462c-B481-D1D5F92AD24F}.exe
1872	{46340946-F65C-4001-81BE-F49DE3FF3FE5}.exe
2780	{8DA9582C-E114-4ca0-BB18-A4032C7E6818}.exe
840	{981A8496-E449-4fba-96A1-6087AF89D44C}.exe
2284	{6541FB79-A3EE-4d48-885D-99EB175A4C6D}.exe
1772	{E3FCA4CC-90A7-4d16-9FBF-B5B2FDD4D91C}.exe
2256	{58AB76A2-9DB4-4bcc-99B6-B10FA963E053}.exe
600	{40976E7C-D302-4f19-BB5E-D7F5C54F818C}.exe
848	{21C4A2B7-F822-43fe-B8BC-1FFDFCB9E987}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{CA5F6C3A-ED48-4f0e-8884-BCB2082619D7}.exe	{077B6A69-9F72-4de5-9C96-68843DFBD4F1}.exe
File created	C:\Windows\{6541FB79-A3EE-4d48-885D-99EB175A4C6D}.exe	{981A8496-E449-4fba-96A1-6087AF89D44C}.exe
File created	C:\Windows\{E3FCA4CC-90A7-4d16-9FBF-B5B2FDD4D91C}.exe	{6541FB79-A3EE-4d48-885D-99EB175A4C6D}.exe
File created	C:\Windows\{58AB76A2-9DB4-4bcc-99B6-B10FA963E053}.exe	{E3FCA4CC-90A7-4d16-9FBF-B5B2FDD4D91C}.exe
File created	C:\Windows\{40976E7C-D302-4f19-BB5E-D7F5C54F818C}.exe	{58AB76A2-9DB4-4bcc-99B6-B10FA963E053}.exe
File created	C:\Windows\{21C4A2B7-F822-43fe-B8BC-1FFDFCB9E987}.exe	{40976E7C-D302-4f19-BB5E-D7F5C54F818C}.exe
File created	C:\Windows\{077B6A69-9F72-4de5-9C96-68843DFBD4F1}.exe	2024-02-13_de0e781a0c15e4170dd892d1b19a7b50_goldeneye.exe
File created	C:\Windows\{7ABA5AA2-5B3E-462c-B481-D1D5F92AD24F}.exe	{CA5F6C3A-ED48-4f0e-8884-BCB2082619D7}.exe
File created	C:\Windows\{46340946-F65C-4001-81BE-F49DE3FF3FE5}.exe	{7ABA5AA2-5B3E-462c-B481-D1D5F92AD24F}.exe
File created	C:\Windows\{8DA9582C-E114-4ca0-BB18-A4032C7E6818}.exe	{46340946-F65C-4001-81BE-F49DE3FF3FE5}.exe
File created	C:\Windows\{981A8496-E449-4fba-96A1-6087AF89D44C}.exe	{8DA9582C-E114-4ca0-BB18-A4032C7E6818}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1448	2024-02-13_de0e781a0c15e4170dd892d1b19a7b50_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1648	{077B6A69-9F72-4de5-9C96-68843DFBD4F1}.exe
Token: SeIncBasePriorityPrivilege	2696	{CA5F6C3A-ED48-4f0e-8884-BCB2082619D7}.exe
Token: SeIncBasePriorityPrivilege	2824	{7ABA5AA2-5B3E-462c-B481-D1D5F92AD24F}.exe
Token: SeIncBasePriorityPrivilege	1872	{46340946-F65C-4001-81BE-F49DE3FF3FE5}.exe
Token: SeIncBasePriorityPrivilege	2780	{8DA9582C-E114-4ca0-BB18-A4032C7E6818}.exe
Token: SeIncBasePriorityPrivilege	840	{981A8496-E449-4fba-96A1-6087AF89D44C}.exe
Token: SeIncBasePriorityPrivilege	2284	{6541FB79-A3EE-4d48-885D-99EB175A4C6D}.exe
Token: SeIncBasePriorityPrivilege	1772	{E3FCA4CC-90A7-4d16-9FBF-B5B2FDD4D91C}.exe
Token: SeIncBasePriorityPrivilege	2256	{58AB76A2-9DB4-4bcc-99B6-B10FA963E053}.exe
Token: SeIncBasePriorityPrivilege	600	{40976E7C-D302-4f19-BB5E-D7F5C54F818C}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1448 wrote to memory of 1648	1448	2024-02-13_de0e781a0c15e4170dd892d1b19a7b50_goldeneye.exe	28
PID 1448 wrote to memory of 1648	1448	2024-02-13_de0e781a0c15e4170dd892d1b19a7b50_goldeneye.exe	28
PID 1448 wrote to memory of 1648	1448	2024-02-13_de0e781a0c15e4170dd892d1b19a7b50_goldeneye.exe	28
PID 1448 wrote to memory of 1648	1448	2024-02-13_de0e781a0c15e4170dd892d1b19a7b50_goldeneye.exe	28
PID 1448 wrote to memory of 2760	1448	2024-02-13_de0e781a0c15e4170dd892d1b19a7b50_goldeneye.exe	29
PID 1448 wrote to memory of 2760	1448	2024-02-13_de0e781a0c15e4170dd892d1b19a7b50_goldeneye.exe	29
PID 1448 wrote to memory of 2760	1448	2024-02-13_de0e781a0c15e4170dd892d1b19a7b50_goldeneye.exe	29
PID 1448 wrote to memory of 2760	1448	2024-02-13_de0e781a0c15e4170dd892d1b19a7b50_goldeneye.exe	29
PID 1648 wrote to memory of 2696	1648	{077B6A69-9F72-4de5-9C96-68843DFBD4F1}.exe	30
PID 1648 wrote to memory of 2696	1648	{077B6A69-9F72-4de5-9C96-68843DFBD4F1}.exe	30
PID 1648 wrote to memory of 2696	1648	{077B6A69-9F72-4de5-9C96-68843DFBD4F1}.exe	30
PID 1648 wrote to memory of 2696	1648	{077B6A69-9F72-4de5-9C96-68843DFBD4F1}.exe	30
PID 1648 wrote to memory of 2680	1648	{077B6A69-9F72-4de5-9C96-68843DFBD4F1}.exe	31
PID 1648 wrote to memory of 2680	1648	{077B6A69-9F72-4de5-9C96-68843DFBD4F1}.exe	31
PID 1648 wrote to memory of 2680	1648	{077B6A69-9F72-4de5-9C96-68843DFBD4F1}.exe	31
PID 1648 wrote to memory of 2680	1648	{077B6A69-9F72-4de5-9C96-68843DFBD4F1}.exe	31
PID 2696 wrote to memory of 2824	2696	{CA5F6C3A-ED48-4f0e-8884-BCB2082619D7}.exe	32
PID 2696 wrote to memory of 2824	2696	{CA5F6C3A-ED48-4f0e-8884-BCB2082619D7}.exe	32
PID 2696 wrote to memory of 2824	2696	{CA5F6C3A-ED48-4f0e-8884-BCB2082619D7}.exe	32
PID 2696 wrote to memory of 2824	2696	{CA5F6C3A-ED48-4f0e-8884-BCB2082619D7}.exe	32
PID 2696 wrote to memory of 2620	2696	{CA5F6C3A-ED48-4f0e-8884-BCB2082619D7}.exe	33
PID 2696 wrote to memory of 2620	2696	{CA5F6C3A-ED48-4f0e-8884-BCB2082619D7}.exe	33
PID 2696 wrote to memory of 2620	2696	{CA5F6C3A-ED48-4f0e-8884-BCB2082619D7}.exe	33
PID 2696 wrote to memory of 2620	2696	{CA5F6C3A-ED48-4f0e-8884-BCB2082619D7}.exe	33
PID 2824 wrote to memory of 1872	2824	{7ABA5AA2-5B3E-462c-B481-D1D5F92AD24F}.exe	37
PID 2824 wrote to memory of 1872	2824	{7ABA5AA2-5B3E-462c-B481-D1D5F92AD24F}.exe	37
PID 2824 wrote to memory of 1872	2824	{7ABA5AA2-5B3E-462c-B481-D1D5F92AD24F}.exe	37
PID 2824 wrote to memory of 1872	2824	{7ABA5AA2-5B3E-462c-B481-D1D5F92AD24F}.exe	37
PID 2824 wrote to memory of 1812	2824	{7ABA5AA2-5B3E-462c-B481-D1D5F92AD24F}.exe	36
PID 2824 wrote to memory of 1812	2824	{7ABA5AA2-5B3E-462c-B481-D1D5F92AD24F}.exe	36
PID 2824 wrote to memory of 1812	2824	{7ABA5AA2-5B3E-462c-B481-D1D5F92AD24F}.exe	36
PID 2824 wrote to memory of 1812	2824	{7ABA5AA2-5B3E-462c-B481-D1D5F92AD24F}.exe	36
PID 1872 wrote to memory of 2780	1872	{46340946-F65C-4001-81BE-F49DE3FF3FE5}.exe	38
PID 1872 wrote to memory of 2780	1872	{46340946-F65C-4001-81BE-F49DE3FF3FE5}.exe	38
PID 1872 wrote to memory of 2780	1872	{46340946-F65C-4001-81BE-F49DE3FF3FE5}.exe	38
PID 1872 wrote to memory of 2780	1872	{46340946-F65C-4001-81BE-F49DE3FF3FE5}.exe	38
PID 1872 wrote to memory of 1284	1872	{46340946-F65C-4001-81BE-F49DE3FF3FE5}.exe	39
PID 1872 wrote to memory of 1284	1872	{46340946-F65C-4001-81BE-F49DE3FF3FE5}.exe	39
PID 1872 wrote to memory of 1284	1872	{46340946-F65C-4001-81BE-F49DE3FF3FE5}.exe	39
PID 1872 wrote to memory of 1284	1872	{46340946-F65C-4001-81BE-F49DE3FF3FE5}.exe	39
PID 2780 wrote to memory of 840	2780	{8DA9582C-E114-4ca0-BB18-A4032C7E6818}.exe	40
PID 2780 wrote to memory of 840	2780	{8DA9582C-E114-4ca0-BB18-A4032C7E6818}.exe	40
PID 2780 wrote to memory of 840	2780	{8DA9582C-E114-4ca0-BB18-A4032C7E6818}.exe	40
PID 2780 wrote to memory of 840	2780	{8DA9582C-E114-4ca0-BB18-A4032C7E6818}.exe	40
PID 2780 wrote to memory of 2016	2780	{8DA9582C-E114-4ca0-BB18-A4032C7E6818}.exe	41
PID 2780 wrote to memory of 2016	2780	{8DA9582C-E114-4ca0-BB18-A4032C7E6818}.exe	41
PID 2780 wrote to memory of 2016	2780	{8DA9582C-E114-4ca0-BB18-A4032C7E6818}.exe	41
PID 2780 wrote to memory of 2016	2780	{8DA9582C-E114-4ca0-BB18-A4032C7E6818}.exe	41
PID 840 wrote to memory of 2284	840	{981A8496-E449-4fba-96A1-6087AF89D44C}.exe	43
PID 840 wrote to memory of 2284	840	{981A8496-E449-4fba-96A1-6087AF89D44C}.exe	43
PID 840 wrote to memory of 2284	840	{981A8496-E449-4fba-96A1-6087AF89D44C}.exe	43
PID 840 wrote to memory of 2284	840	{981A8496-E449-4fba-96A1-6087AF89D44C}.exe	43
PID 840 wrote to memory of 1920	840	{981A8496-E449-4fba-96A1-6087AF89D44C}.exe	42
PID 840 wrote to memory of 1920	840	{981A8496-E449-4fba-96A1-6087AF89D44C}.exe	42
PID 840 wrote to memory of 1920	840	{981A8496-E449-4fba-96A1-6087AF89D44C}.exe	42
PID 840 wrote to memory of 1920	840	{981A8496-E449-4fba-96A1-6087AF89D44C}.exe	42
PID 2284 wrote to memory of 1772	2284	{6541FB79-A3EE-4d48-885D-99EB175A4C6D}.exe	44
PID 2284 wrote to memory of 1772	2284	{6541FB79-A3EE-4d48-885D-99EB175A4C6D}.exe	44
PID 2284 wrote to memory of 1772	2284	{6541FB79-A3EE-4d48-885D-99EB175A4C6D}.exe	44
PID 2284 wrote to memory of 1772	2284	{6541FB79-A3EE-4d48-885D-99EB175A4C6D}.exe	44
PID 2284 wrote to memory of 2212	2284	{6541FB79-A3EE-4d48-885D-99EB175A4C6D}.exe	45
PID 2284 wrote to memory of 2212	2284	{6541FB79-A3EE-4d48-885D-99EB175A4C6D}.exe	45
PID 2284 wrote to memory of 2212	2284	{6541FB79-A3EE-4d48-885D-99EB175A4C6D}.exe	45
PID 2284 wrote to memory of 2212	2284	{6541FB79-A3EE-4d48-885D-99EB175A4C6D}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-02-13_de0e781a0c15e4170dd892d1b19a7b50_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-13_de0e781a0c15e4170dd892d1b19a7b50_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1448
- C:\Windows\{077B6A69-9F72-4de5-9C96-68843DFBD4F1}.exe
  C:\Windows\{077B6A69-9F72-4de5-9C96-68843DFBD4F1}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1648
- - C:\Windows\{CA5F6C3A-ED48-4f0e-8884-BCB2082619D7}.exe
    C:\Windows\{CA5F6C3A-ED48-4f0e-8884-BCB2082619D7}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2696
  - - C:\Windows\{7ABA5AA2-5B3E-462c-B481-D1D5F92AD24F}.exe
      C:\Windows\{7ABA5AA2-5B3E-462c-B481-D1D5F92AD24F}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2824
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7ABA5~1.EXE > nul
        5⤵
        
        PID:1812
    - - C:\Windows\{46340946-F65C-4001-81BE-F49DE3FF3FE5}.exe
        
        C:\Windows\{46340946-F65C-4001-81BE-F49DE3FF3FE5}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1872
      - C:\Windows\{8DA9582C-E114-4ca0-BB18-A4032C7E6818}.exe
        
        C:\Windows\{8DA9582C-E114-4ca0-BB18-A4032C7E6818}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2780
        
        C:\Windows\{981A8496-E449-4fba-96A1-6087AF89D44C}.exe
        
        C:\Windows\{981A8496-E449-4fba-96A1-6087AF89D44C}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{981A8~1.EXE > nul
        8⤵
        
        PID:1920
        
        C:\Windows\{6541FB79-A3EE-4d48-885D-99EB175A4C6D}.exe
        
        C:\Windows\{6541FB79-A3EE-4d48-885D-99EB175A4C6D}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2284
        
        C:\Windows\{E3FCA4CC-90A7-4d16-9FBF-B5B2FDD4D91C}.exe
        
        C:\Windows\{E3FCA4CC-90A7-4d16-9FBF-B5B2FDD4D91C}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1772
        
        C:\Windows\{58AB76A2-9DB4-4bcc-99B6-B10FA963E053}.exe
        
        C:\Windows\{58AB76A2-9DB4-4bcc-99B6-B10FA963E053}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2256
        
        C:\Windows\{40976E7C-D302-4f19-BB5E-D7F5C54F818C}.exe
        
        C:\Windows\{40976E7C-D302-4f19-BB5E-D7F5C54F818C}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:600
        
        C:\Windows\{21C4A2B7-F822-43fe-B8BC-1FFDFCB9E987}.exe
        
        C:\Windows\{21C4A2B7-F822-43fe-B8BC-1FFDFCB9E987}.exe
        12⤵
        Executes dropped EXE
        
        PID:848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{40976~1.EXE > nul
        12⤵
        
        PID:1768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{58AB7~1.EXE > nul
        11⤵
        
        PID:332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E3FCA~1.EXE > nul
        10⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6541F~1.EXE > nul
        9⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8DA95~1.EXE > nul
        7⤵
        
        PID:2016
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{46340~1.EXE > nul
        6⤵
        
        PID:1284
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{CA5F6~1.EXE > nul
      4⤵
      PID:2620
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{077B6~1.EXE > nul
    3⤵
    PID:2680
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{077B6A69-9F72-4de5-9C96-68843DFBD4F1}.exe

Filesize
197KB

MD5
cd43eb6715f8c2bfa98830f9de8fb762

SHA1
43e1e4d8fc18c2a87106e1dff0d733fae9450b39

SHA256
4f95aca0442c7969ba8f0a1f79d61de90c4f70e50b06ceacf6021b10bce430cf

SHA512
fbba2c666232c96cb061aded6cc6c56ac166e6adf88b8011370751399f8c9f1c0ada6a7428f5c2a0295834f9669f37360297b1d0fe8706be738398a35ed26bbf

Download Submit
C:\Windows\{21C4A2B7-F822-43fe-B8BC-1FFDFCB9E987}.exe

Filesize
197KB

MD5
3f8df1a0a37ec56667134007b7d9a2e9

SHA1
be69564aed522beedc2948cf137374967e9be0f0

SHA256
d0ccdc04d0062055771c6c25824e3cb2227d0873c7a3c166bffee2ca266f9563

SHA512
c0408d6fe85731b64d249c8a90999a5797b425403e9deba2f6b9d521d1be7c4db6dbe0fc73420a977310e71afdfba2e2c692047e2e9302737ecc9bc482a76971

Download Submit
C:\Windows\{40976E7C-D302-4f19-BB5E-D7F5C54F818C}.exe

Filesize
197KB

MD5
3f9752ca6301b28cc38158042e66f7fd

SHA1
c04e74e7c884f272a2079b626883ef3598ee5715

SHA256
ffe5d56a1b97d3dd75b03e43932b58d2efb443a112bf4099011712ede818a294

SHA512
7b9ffafac1481698987327b2a90d1556da5fcfd6b342a89c95a12b8c9f3c38d5d562d12772a4ef444c87c67114d1ca7cad45ab713d70921a6a69c39bf1e3a7b0

Download Submit
C:\Windows\{46340946-F65C-4001-81BE-F49DE3FF3FE5}.exe

Filesize
197KB

MD5
09d22f95c0f76b4a605de41710cf9d14

SHA1
f8579bf0413feca96da4d6dd746574d05826b44c

SHA256
7dd0736e99dd0f079916baaf3ce77a55d0f037166ed53c39d8048b238cf807b1

SHA512
9500bb420f05156a1c134505b8821075826b736c588e4532ff5d0d97ca9e9aaaa0896667ba962c44e44948cb4510ac7abb3e15b96bbeff2cf560bd78fa3d9161

Download Submit
C:\Windows\{58AB76A2-9DB4-4bcc-99B6-B10FA963E053}.exe

Filesize
197KB

MD5
d54cb2f49a49a8bda08b48bf76cebf55

SHA1
6f97a12a4531f8fa765b1aad20e8a08666d600a1

SHA256
4d69a02f138c9763026f6c7351e9f1398b565a3f3e73ece81c2ab8b98b568c72

SHA512
3e94483ccd31ee6b0252d0f8ecbd1fcb1071e5866f91ceafeaab0b423acf9c179cfd4da7bf0c7cff63a7f30c5985815b133f34beefaa875665ec1fe9d3d38f6e

Download Submit
C:\Windows\{6541FB79-A3EE-4d48-885D-99EB175A4C6D}.exe

Filesize
197KB

MD5
cdef3d83fa0a5a4223df62cedf40a6ed

SHA1
2f343b7934545557796d82fd7ee047c5f50abb93

SHA256
d751a81c9e5b05915335cdf4388d157d992dd61732377bcbe2055969ac8f33b0

SHA512
64b6adca9a9e165023c3264067f142ef647194ee742132303c5de6680c5700d770acad5d1b837c2979fd643d53914cc8875d894842bc30e7b6a875e5072c28b4

Download Submit
C:\Windows\{7ABA5AA2-5B3E-462c-B481-D1D5F92AD24F}.exe

Filesize
197KB

MD5
e3f1774bce20d09a0ac09f9ed4bb7f47

SHA1
f245509531f0c5785a2155cfc80e26069d369086

SHA256
a9ab65d677f2e8539bd632a1729278bc8fcc4715ede61823ee3e44853a0e9f91

SHA512
4126170246226a5c448f5cb6d949d5874e642fbf77fe10c0ce0827f8ad7a1c28ec53560f628a277e8dc52d45280dfc1231fb86572c663619462366c41d080305

Download Submit
C:\Windows\{8DA9582C-E114-4ca0-BB18-A4032C7E6818}.exe

Filesize
197KB

MD5
dfcd8a794d7b6a0a58229c2086cef1e8

SHA1
c3ca25c9b05b163d7726a643b89d3a81823e3d40

SHA256
313c94f6ced05886c9cbfc19f65ea7a7d3cba6b7bb0ae017acd579a754f09c69

SHA512
d29b8ad68e6cacb24c4b9bd221d97021e436a7c742d72198705e7f97a6cc7dc97f1f75a9724fd4453ff0ce23ef1f9e4fd389fc3f5a2df76886f3850b5fd86dc7

Download Submit
C:\Windows\{981A8496-E449-4fba-96A1-6087AF89D44C}.exe

Filesize
197KB

MD5
36761776d62895effc7fc0b80089db05

SHA1
8d85cfda8c8e2237f3a76626e012f60a60e331e2

SHA256
c4414b94bc44d8dde73e8d3c0fb6f515d239423c3dceca09424582351afce9c6

SHA512
2a7a419e11246f80d4de539276da22b748d7677bfb89a5bf789b608126d80e276b50d865a82f06a9b98891704bf135e761fd007c54f86582e3622c3472e6ba37

Download Submit
C:\Windows\{CA5F6C3A-ED48-4f0e-8884-BCB2082619D7}.exe

Filesize
197KB

MD5
b35252cae8852ba8898a87941871c922

SHA1
bd407905b2ddbdbe1b2e04207d3b6bc1030f6842

SHA256
7a758405238fd3c7f5d29cbfc47541cbea64c4a0aee96bc7764982fe85d34cbd

SHA512
20777f8a9e423809d1168f84abdef9bf7bb42e46edc7f7f18f6ea2afc03594d1fd4ff2b041b3df2499f0649529d2a556325eea2ce784217df727b95a1e741519

Download Submit
C:\Windows\{E3FCA4CC-90A7-4d16-9FBF-B5B2FDD4D91C}.exe

Filesize
197KB

MD5
7a47b44ece0423d9de7db1e6ad777bb4

SHA1
c5d4a6fe2da2fc827d75bf47d105fe7b01f41cb6

SHA256
16abe69358b849b18f29b0f9db8ee6a3530eadef79fa6d5edd22f7928e9352dd

SHA512
e4a146863149e4be1a49a265e7492b57c850e7c06ece6668ee0d0cb5a87bfed6d6a92473f0ac1ed8c484782d26a0f39097a5f8d27eb720eef7074446eeebc46f

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads