66fe3726a85eb757f7504633880f8df344ca92524519167f1cf62f86cc477a89

Analysis

max time kernel
144s
max time network
121s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
17-02-2024 11:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-17_28cdddfa524bf1f88aafa9dc90ed29da_goldeneye.exe
Size

408KB
MD5

28cdddfa524bf1f88aafa9dc90ed29da
SHA1

a78d204116a6e3a412e260fb249b68d2e3695723
SHA256

66fe3726a85eb757f7504633880f8df344ca92524519167f1cf62f86cc477a89
SHA512

5155d81963fddbe0639be2f91bbc6fbd2454ccf378c1ae69541fc73c6ee5f1c2f185d6ca706fffb0e6e784e12b31889ad9c10a52aefad049f0ff574df43b3a2c
SSDEEP

3072:CEGh0oQl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGuldOe2MUVg3vTeKcAEciTBqr3jy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x0009000000014120-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c0000000141c0-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a000000014120-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00090000000143ec-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000005a59-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b000000014120-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000005a59-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000014120-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000005a59-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000014120-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000005a59-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3DD939F1-FF9B-45d8-96A7-17D34FC6732A}\stubpath = "C:\\Windows\\{3DD939F1-FF9B-45d8-96A7-17D34FC6732A}.exe"	2024-02-17_28cdddfa524bf1f88aafa9dc90ed29da_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7BFB19C9-9A7F-4092-A7B1-B06A942AE315}	{A9D88D48-7C70-432f-9926-8421B48447D8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AB8A6C02-5607-42bf-9CFB-031AEA731B81}\stubpath = "C:\\Windows\\{AB8A6C02-5607-42bf-9CFB-031AEA731B81}.exe"	{AFC83AF4-B269-4a7f-8848-E2C9BF105B0E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{052F3B97-E8DA-42df-BE61-6AE87F68C883}	{AB8A6C02-5607-42bf-9CFB-031AEA731B81}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E2D5C0F6-F684-493e-9168-2EC08DAFE46E}	{BB82B028-5573-4b95-90BC-F3A1FF5F56C2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E2D5C0F6-F684-493e-9168-2EC08DAFE46E}\stubpath = "C:\\Windows\\{E2D5C0F6-F684-493e-9168-2EC08DAFE46E}.exe"	{BB82B028-5573-4b95-90BC-F3A1FF5F56C2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{43C466C4-8E4E-429d-9F61-48E0671E2A44}\stubpath = "C:\\Windows\\{43C466C4-8E4E-429d-9F61-48E0671E2A44}.exe"	{E2D5C0F6-F684-493e-9168-2EC08DAFE46E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7BFB19C9-9A7F-4092-A7B1-B06A942AE315}\stubpath = "C:\\Windows\\{7BFB19C9-9A7F-4092-A7B1-B06A942AE315}.exe"	{A9D88D48-7C70-432f-9926-8421B48447D8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AFC83AF4-B269-4a7f-8848-E2C9BF105B0E}	{722C84AB-C469-49fe-837D-AB8976AA7B3C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AFC83AF4-B269-4a7f-8848-E2C9BF105B0E}\stubpath = "C:\\Windows\\{AFC83AF4-B269-4a7f-8848-E2C9BF105B0E}.exe"	{722C84AB-C469-49fe-837D-AB8976AA7B3C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6C3DEE37-0CFD-4aa8-90C1-95A585B17630}	{052F3B97-E8DA-42df-BE61-6AE87F68C883}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BB82B028-5573-4b95-90BC-F3A1FF5F56C2}	{6C3DEE37-0CFD-4aa8-90C1-95A585B17630}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{43C466C4-8E4E-429d-9F61-48E0671E2A44}	{E2D5C0F6-F684-493e-9168-2EC08DAFE46E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A9D88D48-7C70-432f-9926-8421B48447D8}	{3DD939F1-FF9B-45d8-96A7-17D34FC6732A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AB8A6C02-5607-42bf-9CFB-031AEA731B81}	{AFC83AF4-B269-4a7f-8848-E2C9BF105B0E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BB82B028-5573-4b95-90BC-F3A1FF5F56C2}\stubpath = "C:\\Windows\\{BB82B028-5573-4b95-90BC-F3A1FF5F56C2}.exe"	{6C3DEE37-0CFD-4aa8-90C1-95A585B17630}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3DD939F1-FF9B-45d8-96A7-17D34FC6732A}	2024-02-17_28cdddfa524bf1f88aafa9dc90ed29da_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A9D88D48-7C70-432f-9926-8421B48447D8}\stubpath = "C:\\Windows\\{A9D88D48-7C70-432f-9926-8421B48447D8}.exe"	{3DD939F1-FF9B-45d8-96A7-17D34FC6732A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{722C84AB-C469-49fe-837D-AB8976AA7B3C}	{7BFB19C9-9A7F-4092-A7B1-B06A942AE315}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{722C84AB-C469-49fe-837D-AB8976AA7B3C}\stubpath = "C:\\Windows\\{722C84AB-C469-49fe-837D-AB8976AA7B3C}.exe"	{7BFB19C9-9A7F-4092-A7B1-B06A942AE315}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{052F3B97-E8DA-42df-BE61-6AE87F68C883}\stubpath = "C:\\Windows\\{052F3B97-E8DA-42df-BE61-6AE87F68C883}.exe"	{AB8A6C02-5607-42bf-9CFB-031AEA731B81}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6C3DEE37-0CFD-4aa8-90C1-95A585B17630}\stubpath = "C:\\Windows\\{6C3DEE37-0CFD-4aa8-90C1-95A585B17630}.exe"	{052F3B97-E8DA-42df-BE61-6AE87F68C883}.exe

Deletes itself 1 IoCs

pid	Process
2416	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2224	{3DD939F1-FF9B-45d8-96A7-17D34FC6732A}.exe
2592	{A9D88D48-7C70-432f-9926-8421B48447D8}.exe
3032	{7BFB19C9-9A7F-4092-A7B1-B06A942AE315}.exe
2524	{722C84AB-C469-49fe-837D-AB8976AA7B3C}.exe
1220	{AFC83AF4-B269-4a7f-8848-E2C9BF105B0E}.exe
1668	{AB8A6C02-5607-42bf-9CFB-031AEA731B81}.exe
1604	{052F3B97-E8DA-42df-BE61-6AE87F68C883}.exe
1528	{6C3DEE37-0CFD-4aa8-90C1-95A585B17630}.exe
2968	{BB82B028-5573-4b95-90BC-F3A1FF5F56C2}.exe
844	{E2D5C0F6-F684-493e-9168-2EC08DAFE46E}.exe
1028	{43C466C4-8E4E-429d-9F61-48E0671E2A44}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{AFC83AF4-B269-4a7f-8848-E2C9BF105B0E}.exe	{722C84AB-C469-49fe-837D-AB8976AA7B3C}.exe
File created	C:\Windows\{052F3B97-E8DA-42df-BE61-6AE87F68C883}.exe	{AB8A6C02-5607-42bf-9CFB-031AEA731B81}.exe
File created	C:\Windows\{6C3DEE37-0CFD-4aa8-90C1-95A585B17630}.exe	{052F3B97-E8DA-42df-BE61-6AE87F68C883}.exe
File created	C:\Windows\{E2D5C0F6-F684-493e-9168-2EC08DAFE46E}.exe	{BB82B028-5573-4b95-90BC-F3A1FF5F56C2}.exe
File created	C:\Windows\{3DD939F1-FF9B-45d8-96A7-17D34FC6732A}.exe	2024-02-17_28cdddfa524bf1f88aafa9dc90ed29da_goldeneye.exe
File created	C:\Windows\{A9D88D48-7C70-432f-9926-8421B48447D8}.exe	{3DD939F1-FF9B-45d8-96A7-17D34FC6732A}.exe
File created	C:\Windows\{7BFB19C9-9A7F-4092-A7B1-B06A942AE315}.exe	{A9D88D48-7C70-432f-9926-8421B48447D8}.exe
File created	C:\Windows\{722C84AB-C469-49fe-837D-AB8976AA7B3C}.exe	{7BFB19C9-9A7F-4092-A7B1-B06A942AE315}.exe
File created	C:\Windows\{43C466C4-8E4E-429d-9F61-48E0671E2A44}.exe	{E2D5C0F6-F684-493e-9168-2EC08DAFE46E}.exe
File created	C:\Windows\{AB8A6C02-5607-42bf-9CFB-031AEA731B81}.exe	{AFC83AF4-B269-4a7f-8848-E2C9BF105B0E}.exe
File created	C:\Windows\{BB82B028-5573-4b95-90BC-F3A1FF5F56C2}.exe	{6C3DEE37-0CFD-4aa8-90C1-95A585B17630}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2356	2024-02-17_28cdddfa524bf1f88aafa9dc90ed29da_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2224	{3DD939F1-FF9B-45d8-96A7-17D34FC6732A}.exe
Token: SeIncBasePriorityPrivilege	2592	{A9D88D48-7C70-432f-9926-8421B48447D8}.exe
Token: SeIncBasePriorityPrivilege	3032	{7BFB19C9-9A7F-4092-A7B1-B06A942AE315}.exe
Token: SeIncBasePriorityPrivilege	2524	{722C84AB-C469-49fe-837D-AB8976AA7B3C}.exe
Token: SeIncBasePriorityPrivilege	1220	{AFC83AF4-B269-4a7f-8848-E2C9BF105B0E}.exe
Token: SeIncBasePriorityPrivilege	1668	{AB8A6C02-5607-42bf-9CFB-031AEA731B81}.exe
Token: SeIncBasePriorityPrivilege	1604	{052F3B97-E8DA-42df-BE61-6AE87F68C883}.exe
Token: SeIncBasePriorityPrivilege	1528	{6C3DEE37-0CFD-4aa8-90C1-95A585B17630}.exe
Token: SeIncBasePriorityPrivilege	2968	{BB82B028-5573-4b95-90BC-F3A1FF5F56C2}.exe
Token: SeIncBasePriorityPrivilege	844	{E2D5C0F6-F684-493e-9168-2EC08DAFE46E}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2356 wrote to memory of 2224	2356	2024-02-17_28cdddfa524bf1f88aafa9dc90ed29da_goldeneye.exe	28
PID 2356 wrote to memory of 2224	2356	2024-02-17_28cdddfa524bf1f88aafa9dc90ed29da_goldeneye.exe	28
PID 2356 wrote to memory of 2224	2356	2024-02-17_28cdddfa524bf1f88aafa9dc90ed29da_goldeneye.exe	28
PID 2356 wrote to memory of 2224	2356	2024-02-17_28cdddfa524bf1f88aafa9dc90ed29da_goldeneye.exe	28
PID 2356 wrote to memory of 2416	2356	2024-02-17_28cdddfa524bf1f88aafa9dc90ed29da_goldeneye.exe	29
PID 2356 wrote to memory of 2416	2356	2024-02-17_28cdddfa524bf1f88aafa9dc90ed29da_goldeneye.exe	29
PID 2356 wrote to memory of 2416	2356	2024-02-17_28cdddfa524bf1f88aafa9dc90ed29da_goldeneye.exe	29
PID 2356 wrote to memory of 2416	2356	2024-02-17_28cdddfa524bf1f88aafa9dc90ed29da_goldeneye.exe	29
PID 2224 wrote to memory of 2592	2224	{3DD939F1-FF9B-45d8-96A7-17D34FC6732A}.exe	30
PID 2224 wrote to memory of 2592	2224	{3DD939F1-FF9B-45d8-96A7-17D34FC6732A}.exe	30
PID 2224 wrote to memory of 2592	2224	{3DD939F1-FF9B-45d8-96A7-17D34FC6732A}.exe	30
PID 2224 wrote to memory of 2592	2224	{3DD939F1-FF9B-45d8-96A7-17D34FC6732A}.exe	30
PID 2224 wrote to memory of 2656	2224	{3DD939F1-FF9B-45d8-96A7-17D34FC6732A}.exe	31
PID 2224 wrote to memory of 2656	2224	{3DD939F1-FF9B-45d8-96A7-17D34FC6732A}.exe	31
PID 2224 wrote to memory of 2656	2224	{3DD939F1-FF9B-45d8-96A7-17D34FC6732A}.exe	31
PID 2224 wrote to memory of 2656	2224	{3DD939F1-FF9B-45d8-96A7-17D34FC6732A}.exe	31
PID 2592 wrote to memory of 3032	2592	{A9D88D48-7C70-432f-9926-8421B48447D8}.exe	32
PID 2592 wrote to memory of 3032	2592	{A9D88D48-7C70-432f-9926-8421B48447D8}.exe	32
PID 2592 wrote to memory of 3032	2592	{A9D88D48-7C70-432f-9926-8421B48447D8}.exe	32
PID 2592 wrote to memory of 3032	2592	{A9D88D48-7C70-432f-9926-8421B48447D8}.exe	32
PID 2592 wrote to memory of 2484	2592	{A9D88D48-7C70-432f-9926-8421B48447D8}.exe	33
PID 2592 wrote to memory of 2484	2592	{A9D88D48-7C70-432f-9926-8421B48447D8}.exe	33
PID 2592 wrote to memory of 2484	2592	{A9D88D48-7C70-432f-9926-8421B48447D8}.exe	33
PID 2592 wrote to memory of 2484	2592	{A9D88D48-7C70-432f-9926-8421B48447D8}.exe	33
PID 3032 wrote to memory of 2524	3032	{7BFB19C9-9A7F-4092-A7B1-B06A942AE315}.exe	36
PID 3032 wrote to memory of 2524	3032	{7BFB19C9-9A7F-4092-A7B1-B06A942AE315}.exe	36
PID 3032 wrote to memory of 2524	3032	{7BFB19C9-9A7F-4092-A7B1-B06A942AE315}.exe	36
PID 3032 wrote to memory of 2524	3032	{7BFB19C9-9A7F-4092-A7B1-B06A942AE315}.exe	36
PID 3032 wrote to memory of 2812	3032	{7BFB19C9-9A7F-4092-A7B1-B06A942AE315}.exe	37
PID 3032 wrote to memory of 2812	3032	{7BFB19C9-9A7F-4092-A7B1-B06A942AE315}.exe	37
PID 3032 wrote to memory of 2812	3032	{7BFB19C9-9A7F-4092-A7B1-B06A942AE315}.exe	37
PID 3032 wrote to memory of 2812	3032	{7BFB19C9-9A7F-4092-A7B1-B06A942AE315}.exe	37
PID 2524 wrote to memory of 1220	2524	{722C84AB-C469-49fe-837D-AB8976AA7B3C}.exe	38
PID 2524 wrote to memory of 1220	2524	{722C84AB-C469-49fe-837D-AB8976AA7B3C}.exe	38
PID 2524 wrote to memory of 1220	2524	{722C84AB-C469-49fe-837D-AB8976AA7B3C}.exe	38
PID 2524 wrote to memory of 1220	2524	{722C84AB-C469-49fe-837D-AB8976AA7B3C}.exe	38
PID 2524 wrote to memory of 1672	2524	{722C84AB-C469-49fe-837D-AB8976AA7B3C}.exe	39
PID 2524 wrote to memory of 1672	2524	{722C84AB-C469-49fe-837D-AB8976AA7B3C}.exe	39
PID 2524 wrote to memory of 1672	2524	{722C84AB-C469-49fe-837D-AB8976AA7B3C}.exe	39
PID 2524 wrote to memory of 1672	2524	{722C84AB-C469-49fe-837D-AB8976AA7B3C}.exe	39
PID 1220 wrote to memory of 1668	1220	{AFC83AF4-B269-4a7f-8848-E2C9BF105B0E}.exe	41
PID 1220 wrote to memory of 1668	1220	{AFC83AF4-B269-4a7f-8848-E2C9BF105B0E}.exe	41
PID 1220 wrote to memory of 1668	1220	{AFC83AF4-B269-4a7f-8848-E2C9BF105B0E}.exe	41
PID 1220 wrote to memory of 1668	1220	{AFC83AF4-B269-4a7f-8848-E2C9BF105B0E}.exe	41
PID 1220 wrote to memory of 1476	1220	{AFC83AF4-B269-4a7f-8848-E2C9BF105B0E}.exe	40
PID 1220 wrote to memory of 1476	1220	{AFC83AF4-B269-4a7f-8848-E2C9BF105B0E}.exe	40
PID 1220 wrote to memory of 1476	1220	{AFC83AF4-B269-4a7f-8848-E2C9BF105B0E}.exe	40
PID 1220 wrote to memory of 1476	1220	{AFC83AF4-B269-4a7f-8848-E2C9BF105B0E}.exe	40
PID 1668 wrote to memory of 1604	1668	{AB8A6C02-5607-42bf-9CFB-031AEA731B81}.exe	42
PID 1668 wrote to memory of 1604	1668	{AB8A6C02-5607-42bf-9CFB-031AEA731B81}.exe	42
PID 1668 wrote to memory of 1604	1668	{AB8A6C02-5607-42bf-9CFB-031AEA731B81}.exe	42
PID 1668 wrote to memory of 1604	1668	{AB8A6C02-5607-42bf-9CFB-031AEA731B81}.exe	42
PID 1668 wrote to memory of 1864	1668	{AB8A6C02-5607-42bf-9CFB-031AEA731B81}.exe	43
PID 1668 wrote to memory of 1864	1668	{AB8A6C02-5607-42bf-9CFB-031AEA731B81}.exe	43
PID 1668 wrote to memory of 1864	1668	{AB8A6C02-5607-42bf-9CFB-031AEA731B81}.exe	43
PID 1668 wrote to memory of 1864	1668	{AB8A6C02-5607-42bf-9CFB-031AEA731B81}.exe	43
PID 1604 wrote to memory of 1528	1604	{052F3B97-E8DA-42df-BE61-6AE87F68C883}.exe	45
PID 1604 wrote to memory of 1528	1604	{052F3B97-E8DA-42df-BE61-6AE87F68C883}.exe	45
PID 1604 wrote to memory of 1528	1604	{052F3B97-E8DA-42df-BE61-6AE87F68C883}.exe	45
PID 1604 wrote to memory of 1528	1604	{052F3B97-E8DA-42df-BE61-6AE87F68C883}.exe	45
PID 1604 wrote to memory of 1624	1604	{052F3B97-E8DA-42df-BE61-6AE87F68C883}.exe	44
PID 1604 wrote to memory of 1624	1604	{052F3B97-E8DA-42df-BE61-6AE87F68C883}.exe	44
PID 1604 wrote to memory of 1624	1604	{052F3B97-E8DA-42df-BE61-6AE87F68C883}.exe	44
PID 1604 wrote to memory of 1624	1604	{052F3B97-E8DA-42df-BE61-6AE87F68C883}.exe	44

C:\Users\Admin\AppData\Local\Temp\2024-02-17_28cdddfa524bf1f88aafa9dc90ed29da_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-17_28cdddfa524bf1f88aafa9dc90ed29da_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2356
- C:\Windows\{3DD939F1-FF9B-45d8-96A7-17D34FC6732A}.exe
  C:\Windows\{3DD939F1-FF9B-45d8-96A7-17D34FC6732A}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2224
- - C:\Windows\{A9D88D48-7C70-432f-9926-8421B48447D8}.exe
    C:\Windows\{A9D88D48-7C70-432f-9926-8421B48447D8}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2592
  - - C:\Windows\{7BFB19C9-9A7F-4092-A7B1-B06A942AE315}.exe
      C:\Windows\{7BFB19C9-9A7F-4092-A7B1-B06A942AE315}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3032
    - - C:\Windows\{722C84AB-C469-49fe-837D-AB8976AA7B3C}.exe
        
        C:\Windows\{722C84AB-C469-49fe-837D-AB8976AA7B3C}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2524
      - C:\Windows\{AFC83AF4-B269-4a7f-8848-E2C9BF105B0E}.exe
        
        C:\Windows\{AFC83AF4-B269-4a7f-8848-E2C9BF105B0E}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AFC83~1.EXE > nul
        7⤵
        
        PID:1476
        
        C:\Windows\{AB8A6C02-5607-42bf-9CFB-031AEA731B81}.exe
        
        C:\Windows\{AB8A6C02-5607-42bf-9CFB-031AEA731B81}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1668
        
        C:\Windows\{052F3B97-E8DA-42df-BE61-6AE87F68C883}.exe
        
        C:\Windows\{052F3B97-E8DA-42df-BE61-6AE87F68C883}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{052F3~1.EXE > nul
        9⤵
        
        PID:1624
        
        C:\Windows\{6C3DEE37-0CFD-4aa8-90C1-95A585B17630}.exe
        
        C:\Windows\{6C3DEE37-0CFD-4aa8-90C1-95A585B17630}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1528
        
        C:\Windows\{BB82B028-5573-4b95-90BC-F3A1FF5F56C2}.exe
        
        C:\Windows\{BB82B028-5573-4b95-90BC-F3A1FF5F56C2}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2968
        
        C:\Windows\{E2D5C0F6-F684-493e-9168-2EC08DAFE46E}.exe
        
        C:\Windows\{E2D5C0F6-F684-493e-9168-2EC08DAFE46E}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:844
        
        C:\Windows\{43C466C4-8E4E-429d-9F61-48E0671E2A44}.exe
        
        C:\Windows\{43C466C4-8E4E-429d-9F61-48E0671E2A44}.exe
        12⤵
        Executes dropped EXE
        
        PID:1028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E2D5C~1.EXE > nul
        12⤵
        
        PID:1048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BB82B~1.EXE > nul
        11⤵
        
        PID:540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6C3DE~1.EXE > nul
        10⤵
        
        PID:2840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AB8A6~1.EXE > nul
        8⤵
        
        PID:1864
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{722C8~1.EXE > nul
        6⤵
        
        PID:1672
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7BFB1~1.EXE > nul
        5⤵
        
        PID:2812
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{A9D88~1.EXE > nul
      4⤵
      PID:2484
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{3DD93~1.EXE > nul
    3⤵
    PID:2656
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{052F3B97-E8DA-42df-BE61-6AE87F68C883}.exe

Filesize
408KB

MD5
86f8511a94a0b70e959ec5ffa1cfeb7b

SHA1
7c4992b3d40aaceb79ea3c204f914f9c6e85ea45

SHA256
74ced95637ab7b62fe93011da80839408772bf75828793c94c280fb270c9b462

SHA512
5237d13d427d46338797afc27bd0fa169277155acaf0dd9873f69d0db45fcb2106fde960c669f2a19c31eca6d2fe972b6d1d79edef021c4924beb29ffb8a8415

Download Submit
C:\Windows\{3DD939F1-FF9B-45d8-96A7-17D34FC6732A}.exe

Filesize
408KB

MD5
7e6e18ffac6b84be0b213e9e3bc17508

SHA1
8311b11e891e120e819820b224454a77cd5e2400

SHA256
a32c7d8f20180b1e4f23d628c4c3befd73084500911abcbdd3a284152d701f09

SHA512
ebe217587aa9e3964fea5320f19183d87419f59ead2f729ef3ed419fbbba7decc6fdb3fd37eff773323606c0611dd8811426142a99f07a6cdf3418f990058107

Download Submit
C:\Windows\{43C466C4-8E4E-429d-9F61-48E0671E2A44}.exe

Filesize
408KB

MD5
7b90052581f7482cb1825583e6828f0d

SHA1
67c108c4ebd1c1dcd9b4a1a9fda4dc2ab947c70f

SHA256
c8f80726a5904e242b389f60b82e6b41ed668c5f6fcf9d52a616b1d2d9291768

SHA512
0026703c5e04325d0661b23c97eaf684e2c5e99ab588b64f377d815ba26ec42efcb5c82c4e29b9637ad05fb8d53f23e8fd9658b56020ae4c1b1a0480f7c2b056

Download Submit
C:\Windows\{6C3DEE37-0CFD-4aa8-90C1-95A585B17630}.exe

Filesize
408KB

MD5
ab1afdbf1c11de65897cf0379bc6f2cc

SHA1
92ef1ab68a046864ef27bf11b8fbccd7c4d16b8f

SHA256
8a37622ed7a860c8e5a16a211971c1eefeeb759c944f7b2d500b2c7f8058172b

SHA512
90a927d8fc949c613ef4a6b8e1eabb9caae16e66f9ba96b184d4eb12e98e1dfad7dfaeed186cf3c5c465139843d09d08962781ef1f6f2635d741905565e4b16a

Download Submit
C:\Windows\{722C84AB-C469-49fe-837D-AB8976AA7B3C}.exe

Filesize
408KB

MD5
12e414c44d4cf8705d695d911a3cfe8a

SHA1
ae90c98d0e07018f2feb556fc1af65e2a35eff5d

SHA256
c8daf6b6623369c0716c685b2fe09ba73a5bccd143b44954eb626f7727215c0f

SHA512
6522cf0583af04fa3855052df21d65b573898515b12a429fdd7007a916f801e14192209b642b493e115d1f0b02d22bce846a6bfeaaba0355dc23cc8030a1a86f

Download Submit
C:\Windows\{7BFB19C9-9A7F-4092-A7B1-B06A942AE315}.exe

Filesize
408KB

MD5
7e7a12eef210b3511d7d96345ad16f87

SHA1
76fdcbe0349bcde0d5d0618156470546fb3ce1f8

SHA256
4deac6b852470b1c3e3780ad8836e62ae777cad93f2f9f30b4dd4241b8103187

SHA512
9bcfad10c591039202b1cd97276c56ca89b5ff6f291bf9d1237ca683d017e88dd8e8c8f7b51a4935727837ec884a856b0b673898346882d86c6604120c873457

Download Submit
C:\Windows\{A9D88D48-7C70-432f-9926-8421B48447D8}.exe

Filesize
408KB

MD5
70046355ea44ea90397f2c539ce4fe53

SHA1
0edb73f7a12f8b653b17b7bba856bfb3d46a7fd5

SHA256
3df1322f30a2bbcd630e9b5787b3e554251d4a9e1cbd4daeb6aaa341a939b1fc

SHA512
c478ed4771cc84b4c9a36d96de48e207d27e2fc9b5ec90f5157359640d789099516b8a8f90f83be84b25ada17324814c4628ff016f194d22da2d361cd46b84a7

Download Submit
C:\Windows\{AB8A6C02-5607-42bf-9CFB-031AEA731B81}.exe

Filesize
408KB

MD5
7a094979cdb79745c6ec9b3e06d5d1f8

SHA1
25f2dff05c21bca9cca7c97544938f36e9cb24ab

SHA256
66a3bee1866b651fd75f0d188de854ce7a437ee9581fed67587df0da1c9f3162

SHA512
b3af95167071da9aa66618cc7989c657dddc7369adcfe84e70f5f9ec31e0942d155973042298861ce51cbf776ea2c9234486e5e27c5c895f5b04739625048292

Download Submit
C:\Windows\{AFC83AF4-B269-4a7f-8848-E2C9BF105B0E}.exe

Filesize
408KB

MD5
0309b280e24242f6c26053d845478683

SHA1
a3ba227b2f54111b6815d90d1a9c5b89b981ff1b

SHA256
16f1eb19c51a87f22c309097a44e5537196836dc6453a9105fe66e2e1e15e2c0

SHA512
376d1ac775f5753a0d5f3b246ca0f4a33852c50b02d94bb91fbc7d48b80e30488f9ba932b79444d7a20baf29520be0ed7dce804c74902059e38a45ee1a13d035

Download Submit
C:\Windows\{BB82B028-5573-4b95-90BC-F3A1FF5F56C2}.exe

Filesize
408KB

MD5
a51109d8882fe4ec8d70b27e1847de4b

SHA1
751a75e23ca56fe26a18100580b5b3de1c0fd483

SHA256
e8c523e2efe02bd8ce0c09ca8312e25a7dc5e4d810e762dde46663c6406f6161

SHA512
e09da40ec2773f201f5248cd68dffd5d1b2abe8b58377b66e8b4969e349c5af946bb160a401f3037cfd2ce25c446ac902229149ed0b42715e97ff731de204b54

Download Submit
C:\Windows\{E2D5C0F6-F684-493e-9168-2EC08DAFE46E}.exe

Filesize
408KB

MD5
4efd5a7ed9ef37be11ea69c9e40662a2

SHA1
85924743f7a4516c128f553b3c23f029537d399c

SHA256
4fe3cfb55b8f55bda55962d2ce07417687c80460225bf63700486e742543cd72

SHA512
86eb9d64b74c1608e01bc05fa6c8ad6a26799991bd45e80d189f27087092403ffafb21676bac73442383c19a106d16f40dd7742790f87404490bd3e362fbc74d

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads