65dfe93f9ae2492bdbf77a9dc610971d6fa431aa7a2660463893e2bf566c5178

Analysis

max time kernel
144s
max time network
119s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
21/02/2024, 16:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-21_e6a4ee78c5550985322b380aa761b815_goldeneye.exe
Size

408KB
MD5

e6a4ee78c5550985322b380aa761b815
SHA1

917f1e3b88f00dfb3e04c04cfb1722cd2b2a49fc
SHA256

65dfe93f9ae2492bdbf77a9dc610971d6fa431aa7a2660463893e2bf566c5178
SHA512

3e06710b57016a9246d39a3f35e7ee9041e5a4f828120916682220499e95e2c0dacf0b8c001a495c58d884b83e510254b06f71f1fc00a912e658c519d65a9460
SSDEEP

3072:CEGh0oOl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGEldOe2MUVg3vTeKcAEciTBqr3jy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000b000000012255-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b000000014e5a-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000012255-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0031000000015b13-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000012255-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e000000012255-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f000000012255-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1CABBB65-9D2C-41f3-A2E7-47D869BDB27D}\stubpath = "C:\\Windows\\{1CABBB65-9D2C-41f3-A2E7-47D869BDB27D}.exe"	{A20D87F0-25C8-49a8-A8B4-2919B5BB26BF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{72CBE9C0-B83B-4c4f-A2E3-38C347A5EE33}	{1CABBB65-9D2C-41f3-A2E7-47D869BDB27D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{72CBE9C0-B83B-4c4f-A2E3-38C347A5EE33}\stubpath = "C:\\Windows\\{72CBE9C0-B83B-4c4f-A2E3-38C347A5EE33}.exe"	{1CABBB65-9D2C-41f3-A2E7-47D869BDB27D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{34F988D2-7241-4610-9D0B-AB4574192DD3}	2024-02-21_e6a4ee78c5550985322b380aa761b815_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1CABBB65-9D2C-41f3-A2E7-47D869BDB27D}	{A20D87F0-25C8-49a8-A8B4-2919B5BB26BF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CAE67D74-3363-4329-8D81-A9C2308BF064}	{D80CD3D0-AB2B-4b9c-A507-B116B429CFF5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5E3D1753-CA1E-4314-A7B5-7811BD4CC7EF}\stubpath = "C:\\Windows\\{5E3D1753-CA1E-4314-A7B5-7811BD4CC7EF}.exe"	{72CBE9C0-B83B-4c4f-A2E3-38C347A5EE33}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{19E2CD47-7023-4f02-8278-D6FFA7013E54}	{187E1762-2608-49e9-9193-5153D5D56E5B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5E3D1753-CA1E-4314-A7B5-7811BD4CC7EF}	{72CBE9C0-B83B-4c4f-A2E3-38C347A5EE33}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ED4BD4D5-BD0C-46ab-80CF-03172BA9370F}	{5E3D1753-CA1E-4314-A7B5-7811BD4CC7EF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{187E1762-2608-49e9-9193-5153D5D56E5B}	{ED4BD4D5-BD0C-46ab-80CF-03172BA9370F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{187E1762-2608-49e9-9193-5153D5D56E5B}\stubpath = "C:\\Windows\\{187E1762-2608-49e9-9193-5153D5D56E5B}.exe"	{ED4BD4D5-BD0C-46ab-80CF-03172BA9370F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{19E2CD47-7023-4f02-8278-D6FFA7013E54}\stubpath = "C:\\Windows\\{19E2CD47-7023-4f02-8278-D6FFA7013E54}.exe"	{187E1762-2608-49e9-9193-5153D5D56E5B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D80CD3D0-AB2B-4b9c-A507-B116B429CFF5}	{19E2CD47-7023-4f02-8278-D6FFA7013E54}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{34F988D2-7241-4610-9D0B-AB4574192DD3}\stubpath = "C:\\Windows\\{34F988D2-7241-4610-9D0B-AB4574192DD3}.exe"	2024-02-21_e6a4ee78c5550985322b380aa761b815_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A20D87F0-25C8-49a8-A8B4-2919B5BB26BF}\stubpath = "C:\\Windows\\{A20D87F0-25C8-49a8-A8B4-2919B5BB26BF}.exe"	{34F988D2-7241-4610-9D0B-AB4574192DD3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D80CD3D0-AB2B-4b9c-A507-B116B429CFF5}\stubpath = "C:\\Windows\\{D80CD3D0-AB2B-4b9c-A507-B116B429CFF5}.exe"	{19E2CD47-7023-4f02-8278-D6FFA7013E54}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CAE67D74-3363-4329-8D81-A9C2308BF064}\stubpath = "C:\\Windows\\{CAE67D74-3363-4329-8D81-A9C2308BF064}.exe"	{D80CD3D0-AB2B-4b9c-A507-B116B429CFF5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C1081CCF-7E57-4312-A08E-F76DEB885BCD}	{CAE67D74-3363-4329-8D81-A9C2308BF064}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C1081CCF-7E57-4312-A08E-F76DEB885BCD}\stubpath = "C:\\Windows\\{C1081CCF-7E57-4312-A08E-F76DEB885BCD}.exe"	{CAE67D74-3363-4329-8D81-A9C2308BF064}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A20D87F0-25C8-49a8-A8B4-2919B5BB26BF}	{34F988D2-7241-4610-9D0B-AB4574192DD3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ED4BD4D5-BD0C-46ab-80CF-03172BA9370F}\stubpath = "C:\\Windows\\{ED4BD4D5-BD0C-46ab-80CF-03172BA9370F}.exe"	{5E3D1753-CA1E-4314-A7B5-7811BD4CC7EF}.exe

Executes dropped EXE 11 IoCs

pid	Process
3020	{34F988D2-7241-4610-9D0B-AB4574192DD3}.exe
2052	{A20D87F0-25C8-49a8-A8B4-2919B5BB26BF}.exe
2180	{1CABBB65-9D2C-41f3-A2E7-47D869BDB27D}.exe
2500	{72CBE9C0-B83B-4c4f-A2E3-38C347A5EE33}.exe
2792	{5E3D1753-CA1E-4314-A7B5-7811BD4CC7EF}.exe
292	{ED4BD4D5-BD0C-46ab-80CF-03172BA9370F}.exe
1420	{187E1762-2608-49e9-9193-5153D5D56E5B}.exe
2928	{19E2CD47-7023-4f02-8278-D6FFA7013E54}.exe
2036	{D80CD3D0-AB2B-4b9c-A507-B116B429CFF5}.exe
540	{CAE67D74-3363-4329-8D81-A9C2308BF064}.exe
1416	{C1081CCF-7E57-4312-A08E-F76DEB885BCD}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{ED4BD4D5-BD0C-46ab-80CF-03172BA9370F}.exe	{5E3D1753-CA1E-4314-A7B5-7811BD4CC7EF}.exe
File created	C:\Windows\{187E1762-2608-49e9-9193-5153D5D56E5B}.exe	{ED4BD4D5-BD0C-46ab-80CF-03172BA9370F}.exe
File created	C:\Windows\{CAE67D74-3363-4329-8D81-A9C2308BF064}.exe	{D80CD3D0-AB2B-4b9c-A507-B116B429CFF5}.exe
File created	C:\Windows\{34F988D2-7241-4610-9D0B-AB4574192DD3}.exe	2024-02-21_e6a4ee78c5550985322b380aa761b815_goldeneye.exe
File created	C:\Windows\{1CABBB65-9D2C-41f3-A2E7-47D869BDB27D}.exe	{A20D87F0-25C8-49a8-A8B4-2919B5BB26BF}.exe
File created	C:\Windows\{5E3D1753-CA1E-4314-A7B5-7811BD4CC7EF}.exe	{72CBE9C0-B83B-4c4f-A2E3-38C347A5EE33}.exe
File created	C:\Windows\{D80CD3D0-AB2B-4b9c-A507-B116B429CFF5}.exe	{19E2CD47-7023-4f02-8278-D6FFA7013E54}.exe
File created	C:\Windows\{C1081CCF-7E57-4312-A08E-F76DEB885BCD}.exe	{CAE67D74-3363-4329-8D81-A9C2308BF064}.exe
File created	C:\Windows\{A20D87F0-25C8-49a8-A8B4-2919B5BB26BF}.exe	{34F988D2-7241-4610-9D0B-AB4574192DD3}.exe
File created	C:\Windows\{72CBE9C0-B83B-4c4f-A2E3-38C347A5EE33}.exe	{1CABBB65-9D2C-41f3-A2E7-47D869BDB27D}.exe
File created	C:\Windows\{19E2CD47-7023-4f02-8278-D6FFA7013E54}.exe	{187E1762-2608-49e9-9193-5153D5D56E5B}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2992	2024-02-21_e6a4ee78c5550985322b380aa761b815_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3020	{34F988D2-7241-4610-9D0B-AB4574192DD3}.exe
Token: SeIncBasePriorityPrivilege	2052	{A20D87F0-25C8-49a8-A8B4-2919B5BB26BF}.exe
Token: SeIncBasePriorityPrivilege	2180	{1CABBB65-9D2C-41f3-A2E7-47D869BDB27D}.exe
Token: SeIncBasePriorityPrivilege	2500	{72CBE9C0-B83B-4c4f-A2E3-38C347A5EE33}.exe
Token: SeIncBasePriorityPrivilege	2792	{5E3D1753-CA1E-4314-A7B5-7811BD4CC7EF}.exe
Token: SeIncBasePriorityPrivilege	292	{ED4BD4D5-BD0C-46ab-80CF-03172BA9370F}.exe
Token: SeIncBasePriorityPrivilege	1420	{187E1762-2608-49e9-9193-5153D5D56E5B}.exe
Token: SeIncBasePriorityPrivilege	2928	{19E2CD47-7023-4f02-8278-D6FFA7013E54}.exe
Token: SeIncBasePriorityPrivilege	2036	{D80CD3D0-AB2B-4b9c-A507-B116B429CFF5}.exe
Token: SeIncBasePriorityPrivilege	540	{CAE67D74-3363-4329-8D81-A9C2308BF064}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2992 wrote to memory of 3020	2992	2024-02-21_e6a4ee78c5550985322b380aa761b815_goldeneye.exe	28
PID 2992 wrote to memory of 3020	2992	2024-02-21_e6a4ee78c5550985322b380aa761b815_goldeneye.exe	28
PID 2992 wrote to memory of 3020	2992	2024-02-21_e6a4ee78c5550985322b380aa761b815_goldeneye.exe	28
PID 2992 wrote to memory of 3020	2992	2024-02-21_e6a4ee78c5550985322b380aa761b815_goldeneye.exe	28
PID 2992 wrote to memory of 2556	2992	2024-02-21_e6a4ee78c5550985322b380aa761b815_goldeneye.exe	29
PID 2992 wrote to memory of 2556	2992	2024-02-21_e6a4ee78c5550985322b380aa761b815_goldeneye.exe	29
PID 2992 wrote to memory of 2556	2992	2024-02-21_e6a4ee78c5550985322b380aa761b815_goldeneye.exe	29
PID 2992 wrote to memory of 2556	2992	2024-02-21_e6a4ee78c5550985322b380aa761b815_goldeneye.exe	29
PID 3020 wrote to memory of 2052	3020	{34F988D2-7241-4610-9D0B-AB4574192DD3}.exe	30
PID 3020 wrote to memory of 2052	3020	{34F988D2-7241-4610-9D0B-AB4574192DD3}.exe	30
PID 3020 wrote to memory of 2052	3020	{34F988D2-7241-4610-9D0B-AB4574192DD3}.exe	30
PID 3020 wrote to memory of 2052	3020	{34F988D2-7241-4610-9D0B-AB4574192DD3}.exe	30
PID 3020 wrote to memory of 2720	3020	{34F988D2-7241-4610-9D0B-AB4574192DD3}.exe	31
PID 3020 wrote to memory of 2720	3020	{34F988D2-7241-4610-9D0B-AB4574192DD3}.exe	31
PID 3020 wrote to memory of 2720	3020	{34F988D2-7241-4610-9D0B-AB4574192DD3}.exe	31
PID 3020 wrote to memory of 2720	3020	{34F988D2-7241-4610-9D0B-AB4574192DD3}.exe	31
PID 2052 wrote to memory of 2180	2052	{A20D87F0-25C8-49a8-A8B4-2919B5BB26BF}.exe	32
PID 2052 wrote to memory of 2180	2052	{A20D87F0-25C8-49a8-A8B4-2919B5BB26BF}.exe	32
PID 2052 wrote to memory of 2180	2052	{A20D87F0-25C8-49a8-A8B4-2919B5BB26BF}.exe	32
PID 2052 wrote to memory of 2180	2052	{A20D87F0-25C8-49a8-A8B4-2919B5BB26BF}.exe	32
PID 2052 wrote to memory of 108	2052	{A20D87F0-25C8-49a8-A8B4-2919B5BB26BF}.exe	33
PID 2052 wrote to memory of 108	2052	{A20D87F0-25C8-49a8-A8B4-2919B5BB26BF}.exe	33
PID 2052 wrote to memory of 108	2052	{A20D87F0-25C8-49a8-A8B4-2919B5BB26BF}.exe	33
PID 2052 wrote to memory of 108	2052	{A20D87F0-25C8-49a8-A8B4-2919B5BB26BF}.exe	33
PID 2180 wrote to memory of 2500	2180	{1CABBB65-9D2C-41f3-A2E7-47D869BDB27D}.exe	36
PID 2180 wrote to memory of 2500	2180	{1CABBB65-9D2C-41f3-A2E7-47D869BDB27D}.exe	36
PID 2180 wrote to memory of 2500	2180	{1CABBB65-9D2C-41f3-A2E7-47D869BDB27D}.exe	36
PID 2180 wrote to memory of 2500	2180	{1CABBB65-9D2C-41f3-A2E7-47D869BDB27D}.exe	36
PID 2180 wrote to memory of 2632	2180	{1CABBB65-9D2C-41f3-A2E7-47D869BDB27D}.exe	37
PID 2180 wrote to memory of 2632	2180	{1CABBB65-9D2C-41f3-A2E7-47D869BDB27D}.exe	37
PID 2180 wrote to memory of 2632	2180	{1CABBB65-9D2C-41f3-A2E7-47D869BDB27D}.exe	37
PID 2180 wrote to memory of 2632	2180	{1CABBB65-9D2C-41f3-A2E7-47D869BDB27D}.exe	37
PID 2500 wrote to memory of 2792	2500	{72CBE9C0-B83B-4c4f-A2E3-38C347A5EE33}.exe	38
PID 2500 wrote to memory of 2792	2500	{72CBE9C0-B83B-4c4f-A2E3-38C347A5EE33}.exe	38
PID 2500 wrote to memory of 2792	2500	{72CBE9C0-B83B-4c4f-A2E3-38C347A5EE33}.exe	38
PID 2500 wrote to memory of 2792	2500	{72CBE9C0-B83B-4c4f-A2E3-38C347A5EE33}.exe	38
PID 2500 wrote to memory of 1520	2500	{72CBE9C0-B83B-4c4f-A2E3-38C347A5EE33}.exe	39
PID 2500 wrote to memory of 1520	2500	{72CBE9C0-B83B-4c4f-A2E3-38C347A5EE33}.exe	39
PID 2500 wrote to memory of 1520	2500	{72CBE9C0-B83B-4c4f-A2E3-38C347A5EE33}.exe	39
PID 2500 wrote to memory of 1520	2500	{72CBE9C0-B83B-4c4f-A2E3-38C347A5EE33}.exe	39
PID 2792 wrote to memory of 292	2792	{5E3D1753-CA1E-4314-A7B5-7811BD4CC7EF}.exe	40
PID 2792 wrote to memory of 292	2792	{5E3D1753-CA1E-4314-A7B5-7811BD4CC7EF}.exe	40
PID 2792 wrote to memory of 292	2792	{5E3D1753-CA1E-4314-A7B5-7811BD4CC7EF}.exe	40
PID 2792 wrote to memory of 292	2792	{5E3D1753-CA1E-4314-A7B5-7811BD4CC7EF}.exe	40
PID 2792 wrote to memory of 780	2792	{5E3D1753-CA1E-4314-A7B5-7811BD4CC7EF}.exe	41
PID 2792 wrote to memory of 780	2792	{5E3D1753-CA1E-4314-A7B5-7811BD4CC7EF}.exe	41
PID 2792 wrote to memory of 780	2792	{5E3D1753-CA1E-4314-A7B5-7811BD4CC7EF}.exe	41
PID 2792 wrote to memory of 780	2792	{5E3D1753-CA1E-4314-A7B5-7811BD4CC7EF}.exe	41
PID 292 wrote to memory of 1420	292	{ED4BD4D5-BD0C-46ab-80CF-03172BA9370F}.exe	43
PID 292 wrote to memory of 1420	292	{ED4BD4D5-BD0C-46ab-80CF-03172BA9370F}.exe	43
PID 292 wrote to memory of 1420	292	{ED4BD4D5-BD0C-46ab-80CF-03172BA9370F}.exe	43
PID 292 wrote to memory of 1420	292	{ED4BD4D5-BD0C-46ab-80CF-03172BA9370F}.exe	43
PID 292 wrote to memory of 2396	292	{ED4BD4D5-BD0C-46ab-80CF-03172BA9370F}.exe	42
PID 292 wrote to memory of 2396	292	{ED4BD4D5-BD0C-46ab-80CF-03172BA9370F}.exe	42
PID 292 wrote to memory of 2396	292	{ED4BD4D5-BD0C-46ab-80CF-03172BA9370F}.exe	42
PID 292 wrote to memory of 2396	292	{ED4BD4D5-BD0C-46ab-80CF-03172BA9370F}.exe	42
PID 1420 wrote to memory of 2928	1420	{187E1762-2608-49e9-9193-5153D5D56E5B}.exe	44
PID 1420 wrote to memory of 2928	1420	{187E1762-2608-49e9-9193-5153D5D56E5B}.exe	44
PID 1420 wrote to memory of 2928	1420	{187E1762-2608-49e9-9193-5153D5D56E5B}.exe	44
PID 1420 wrote to memory of 2928	1420	{187E1762-2608-49e9-9193-5153D5D56E5B}.exe	44
PID 1420 wrote to memory of 1248	1420	{187E1762-2608-49e9-9193-5153D5D56E5B}.exe	45
PID 1420 wrote to memory of 1248	1420	{187E1762-2608-49e9-9193-5153D5D56E5B}.exe	45
PID 1420 wrote to memory of 1248	1420	{187E1762-2608-49e9-9193-5153D5D56E5B}.exe	45
PID 1420 wrote to memory of 1248	1420	{187E1762-2608-49e9-9193-5153D5D56E5B}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-02-21_e6a4ee78c5550985322b380aa761b815_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-21_e6a4ee78c5550985322b380aa761b815_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2992
- C:\Windows\{34F988D2-7241-4610-9D0B-AB4574192DD3}.exe
  C:\Windows\{34F988D2-7241-4610-9D0B-AB4574192DD3}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3020
- - C:\Windows\{A20D87F0-25C8-49a8-A8B4-2919B5BB26BF}.exe
    C:\Windows\{A20D87F0-25C8-49a8-A8B4-2919B5BB26BF}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2052
  - - C:\Windows\{1CABBB65-9D2C-41f3-A2E7-47D869BDB27D}.exe
      C:\Windows\{1CABBB65-9D2C-41f3-A2E7-47D869BDB27D}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2180
    - - C:\Windows\{72CBE9C0-B83B-4c4f-A2E3-38C347A5EE33}.exe
        
        C:\Windows\{72CBE9C0-B83B-4c4f-A2E3-38C347A5EE33}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2500
      - C:\Windows\{5E3D1753-CA1E-4314-A7B5-7811BD4CC7EF}.exe
        
        C:\Windows\{5E3D1753-CA1E-4314-A7B5-7811BD4CC7EF}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2792
        
        C:\Windows\{ED4BD4D5-BD0C-46ab-80CF-03172BA9370F}.exe
        
        C:\Windows\{ED4BD4D5-BD0C-46ab-80CF-03172BA9370F}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{ED4BD~1.EXE > nul
        8⤵
        
        PID:2396
        
        C:\Windows\{187E1762-2608-49e9-9193-5153D5D56E5B}.exe
        
        C:\Windows\{187E1762-2608-49e9-9193-5153D5D56E5B}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1420
        
        C:\Windows\{19E2CD47-7023-4f02-8278-D6FFA7013E54}.exe
        
        C:\Windows\{19E2CD47-7023-4f02-8278-D6FFA7013E54}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2928
        
        C:\Windows\{D80CD3D0-AB2B-4b9c-A507-B116B429CFF5}.exe
        
        C:\Windows\{D80CD3D0-AB2B-4b9c-A507-B116B429CFF5}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2036
        
        C:\Windows\{CAE67D74-3363-4329-8D81-A9C2308BF064}.exe
        
        C:\Windows\{CAE67D74-3363-4329-8D81-A9C2308BF064}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:540
        
        C:\Windows\{C1081CCF-7E57-4312-A08E-F76DEB885BCD}.exe
        
        C:\Windows\{C1081CCF-7E57-4312-A08E-F76DEB885BCD}.exe
        12⤵
        Executes dropped EXE
        
        PID:1416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CAE67~1.EXE > nul
        12⤵
        
        PID:848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D80CD~1.EXE > nul
        11⤵
        
        PID:324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{19E2C~1.EXE > nul
        10⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{187E1~1.EXE > nul
        9⤵
        
        PID:1248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5E3D1~1.EXE > nul
        7⤵
        
        PID:780
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{72CBE~1.EXE > nul
        6⤵
        
        PID:1520
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1CABB~1.EXE > nul
        5⤵
        
        PID:2632
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{A20D8~1.EXE > nul
      4⤵
      PID:108
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{34F98~1.EXE > nul
    3⤵
    PID:2720
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{187E1762-2608-49e9-9193-5153D5D56E5B}.exe

Filesize
408KB

MD5
e850e3c77c831be7f9cd40df87589c1f

SHA1
81e01dc64b28294deb53b7c67b4d52308cd1aa45

SHA256
ff6ca425da41daece6c23cd1696daba321484e6eb6cad5ab676a1bcdd0e4f4f1

SHA512
4d79e2c2a5c1567783634c96f1a7c50632e3a623edc53f07a40300ebdf395ef10245669339115583bf9ede731263dc6c645abadc546ed3e3480b447c6c1267c5

Download Submit
C:\Windows\{19E2CD47-7023-4f02-8278-D6FFA7013E54}.exe

Filesize
408KB

MD5
837ba81b19663b76bd5838a3fd641ccc

SHA1
b1df6001d2e8c55f7d402d30cd683740f4b44702

SHA256
3bcebf78a76c57e477d8bc36c2c70e8ac4b0d30234a48cc001292795cafffcdc

SHA512
f1f8ea12f1ccab9aca37cd442312d64f88f2e1bb6abc9d90753c0d6fac926504e3744f3410e15b971806bdee113c6d9bd64320cfaff976abbb0e632f0527d27a

Download Submit
C:\Windows\{1CABBB65-9D2C-41f3-A2E7-47D869BDB27D}.exe

Filesize
408KB

MD5
b58fefa4e64a98c91c1aae4fe22f1f7c

SHA1
c477b6786dc90fbec656cc7d1e3bfab88103673a

SHA256
82f9509ec8869853bdb7f42e97b91d3dc3d79fd1ccc809693627327d9c73b459

SHA512
0c9ccd4b57901b9d5aa6e9845eba2531b3e3bd8332de7a4c3b8601d670122106387308c2437e72463cac2b2ee239ac2fb6e446ab40921a4e7a6da42d53f6a456

Download Submit
C:\Windows\{34F988D2-7241-4610-9D0B-AB4574192DD3}.exe

Filesize
408KB

MD5
e2afe52a06910fd63246a90e2da13198

SHA1
512db1e350237cd727be3c8143a8dbfb35102094

SHA256
072ac2d9d3e210edaef8a26f10cf628a39d0f5ab6b51fc34e0deedcc3a4d8ed5

SHA512
8c9ff599d1a2f78dff01d1c2852af35ef647f323a8af5ac9db89ad8918f0fae09d79eda611edc5579c829f31af28ed866decd7e97cc393fd0c2d9ab9cfbe7460

Download Submit
C:\Windows\{5E3D1753-CA1E-4314-A7B5-7811BD4CC7EF}.exe

Filesize
408KB

MD5
a41f2b049abdf82c9cd244cad7f6a66a

SHA1
82762aa997277a374ee0bb35089d88e0a50ea5e8

SHA256
bd2d4c6fcf12cf9394d7867897cb5317a018817f31c983846e9c28cbc1b5b9b8

SHA512
98367a2b7a328ee84571f032d6dc6f892995aba1e8314f763cf76d7913e44c2d72f58b171e57dd5765d3646f1167447607e3d2d69911c98b161f360182f67051

Download Submit
C:\Windows\{72CBE9C0-B83B-4c4f-A2E3-38C347A5EE33}.exe

Filesize
408KB

MD5
2c59e79f8191d913da86a5862efcdccb

SHA1
8e103b676c4053b8da7d5520488efb686dae2f08

SHA256
5192f73916c0581c074974257f3c81ee44bda9b270e7ce78eb93615b5c0a9353

SHA512
e37ac756ad77fdd7c88c8a65605cdbd7e9c343d54317b4fdc73bd4c122b31ce18d9308ded47871a4ffd2895a673766eb3964bf569c5970d3633dbdac580e9b8d

Download Submit
C:\Windows\{A20D87F0-25C8-49a8-A8B4-2919B5BB26BF}.exe

Filesize
408KB

MD5
c9f555d993d3c7345849b1fa4f15a1bb

SHA1
bfa7b437f2e215f580115aea7a9ef7136cf4f44a

SHA256
912490b8c2ed8d43ec3555d69050d7250b947e4fb48dde3545906038b309b8d9

SHA512
6f0772fe00c2d16db6d8cd7827e6146a0f0f5c1649c2ade5b2f815f7f313d40b43698b919668e69c344158e83321f4e9a6b755a357bf6733bf0186ffdcb20000

Download Submit
C:\Windows\{C1081CCF-7E57-4312-A08E-F76DEB885BCD}.exe

Filesize
408KB

MD5
520b5ef0669d39c5ab4c3d897bac0138

SHA1
dc4c2a3be800e01e1d5cc7282567635e3495ad43

SHA256
d0de9624f9b9d282e09e1eb114a721e231cf361f93bcb5ed32d163934ea52c54

SHA512
ab6ed9221206079fa402dbd47b7fd5b65ed7f72a4c3582aa545d3af2d063f913cc4f4aac3b88aecc21e0aaa6886276456800be29c07eeae37d0722a04a90e67f

Download Submit
C:\Windows\{CAE67D74-3363-4329-8D81-A9C2308BF064}.exe

Filesize
408KB

MD5
9366857054cf73154d4dba87f560280d

SHA1
ac012ada647d6b7fa8f156deaf16b3d3278b617e

SHA256
ac80750401112718729111442dbba045d247526fae9ac6f8508a5d828d95231a

SHA512
df5b2ac060a71dbc9a9afd65d8d01199814dcf60654b58e26a5d525d67a795524c5d0a09d5d0759c5b8f8b3fc8097e0739deca0fcaefd483bba048ccded74f57

Download Submit
C:\Windows\{D80CD3D0-AB2B-4b9c-A507-B116B429CFF5}.exe

Filesize
408KB

MD5
da05ac5931a5abf0359228e0f13a8cb2

SHA1
7d2f5d93ebc2e7817fb60a7b5b1076a7e7b9f785

SHA256
a9aad96cf7a617534b0758f44f6a0963388acc452b9a746aa8cd1ed92b290e33

SHA512
06363d142298886f339638a7ca08b7dd82979e7406879779cb711f00fb82325ab55a31b4a8fc02860ed17378054ce88285f36c5a857b3919bfcf55f29e98d143

Download Submit
C:\Windows\{ED4BD4D5-BD0C-46ab-80CF-03172BA9370F}.exe

Filesize
408KB

MD5
59b9bdad2bc1c8f6fb3af5c054ad02f6

SHA1
8c57c4cee1a39925ac2d2fd9217ce9d07fab8f4b

SHA256
b7000e50b2b3baedd34269385c43a64b9fc8ea70f9edacce250fec209eec731c

SHA512
04c7c230deed48227fd220a4180f2fb039355792e9be29ad8e6d378040916bf79c5299474d5b796cc651be2a05ab12b10aadd8717ab8de17143d9d122d7a9277

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads