65bb51f51bc9c3e6afe8e98c414d93b45d25abed970c2aed13cae615cc66bb04

Analysis

max time kernel
144s
max time network
121s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
22/02/2024, 12:42

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-02-22_6e3f34199c5a28517d7ca915a7f3527c_goldeneye.exe
Size

180KB
MD5

6e3f34199c5a28517d7ca915a7f3527c
SHA1

aa78f7fe40e090bd6ce201fe5acc9e7b751d44e2
SHA256

65bb51f51bc9c3e6afe8e98c414d93b45d25abed970c2aed13cae615cc66bb04
SHA512

fbcbd3fe28748f3f97d4091e7f07108edf6ffc3880eec8b0b2940913b6a6e844f890c110b52552ccb742b9720d60816b93ea8a6f61f88abaa6f0534e30b8d2a1
SSDEEP

3072:jEGh0onlfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEG1l5eKcAEc

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x00090000000122be-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000014323-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a0000000122be-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0038000000014502-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b0000000122be-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c0000000122be-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d0000000122be-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1DB679C2-A73F-489d-A555-B1757FA08F2B}	{11C67898-DFB8-4496-8868-3A5B21E09A2C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A013DC21-7B8E-44a6-8146-A761138856E6}\stubpath = "C:\\Windows\\{A013DC21-7B8E-44a6-8146-A761138856E6}.exe"	{1DB679C2-A73F-489d-A555-B1757FA08F2B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C1A64064-B109-40b2-9736-98D6876A7C6E}\stubpath = "C:\\Windows\\{C1A64064-B109-40b2-9736-98D6876A7C6E}.exe"	{A013DC21-7B8E-44a6-8146-A761138856E6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{85609D70-DB91-4c58-9CD3-0324301194EB}	{DF810D14-BADB-4288-870B-D7234440D853}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{636939D0-9EB3-48c1-A455-48A95DE624A2}\stubpath = "C:\\Windows\\{636939D0-9EB3-48c1-A455-48A95DE624A2}.exe"	{85609D70-DB91-4c58-9CD3-0324301194EB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EEEB49B3-42CE-4777-9FA6-94AFB0C4DA6D}	{7AFD3D26-14BA-48ab-86FF-095963135F29}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{11C67898-DFB8-4496-8868-3A5B21E09A2C}	{ABEFBD25-46B6-4b08-82A1-761D21965298}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A013DC21-7B8E-44a6-8146-A761138856E6}	{1DB679C2-A73F-489d-A555-B1757FA08F2B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DF810D14-BADB-4288-870B-D7234440D853}	{C1A64064-B109-40b2-9736-98D6876A7C6E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DF810D14-BADB-4288-870B-D7234440D853}\stubpath = "C:\\Windows\\{DF810D14-BADB-4288-870B-D7234440D853}.exe"	{C1A64064-B109-40b2-9736-98D6876A7C6E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{85609D70-DB91-4c58-9CD3-0324301194EB}\stubpath = "C:\\Windows\\{85609D70-DB91-4c58-9CD3-0324301194EB}.exe"	{DF810D14-BADB-4288-870B-D7234440D853}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9DF37C3C-D7AD-4781-AF14-D33D7B68A82A}	{636939D0-9EB3-48c1-A455-48A95DE624A2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9DF37C3C-D7AD-4781-AF14-D33D7B68A82A}\stubpath = "C:\\Windows\\{9DF37C3C-D7AD-4781-AF14-D33D7B68A82A}.exe"	{636939D0-9EB3-48c1-A455-48A95DE624A2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7AFD3D26-14BA-48ab-86FF-095963135F29}	{9DF37C3C-D7AD-4781-AF14-D33D7B68A82A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1DB679C2-A73F-489d-A555-B1757FA08F2B}\stubpath = "C:\\Windows\\{1DB679C2-A73F-489d-A555-B1757FA08F2B}.exe"	{11C67898-DFB8-4496-8868-3A5B21E09A2C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7AFD3D26-14BA-48ab-86FF-095963135F29}\stubpath = "C:\\Windows\\{7AFD3D26-14BA-48ab-86FF-095963135F29}.exe"	{9DF37C3C-D7AD-4781-AF14-D33D7B68A82A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{636939D0-9EB3-48c1-A455-48A95DE624A2}	{85609D70-DB91-4c58-9CD3-0324301194EB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EEEB49B3-42CE-4777-9FA6-94AFB0C4DA6D}\stubpath = "C:\\Windows\\{EEEB49B3-42CE-4777-9FA6-94AFB0C4DA6D}.exe"	{7AFD3D26-14BA-48ab-86FF-095963135F29}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C1A64064-B109-40b2-9736-98D6876A7C6E}	{A013DC21-7B8E-44a6-8146-A761138856E6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ABEFBD25-46B6-4b08-82A1-761D21965298}\stubpath = "C:\\Windows\\{ABEFBD25-46B6-4b08-82A1-761D21965298}.exe"	2024-02-22_6e3f34199c5a28517d7ca915a7f3527c_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{11C67898-DFB8-4496-8868-3A5B21E09A2C}\stubpath = "C:\\Windows\\{11C67898-DFB8-4496-8868-3A5B21E09A2C}.exe"	{ABEFBD25-46B6-4b08-82A1-761D21965298}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ABEFBD25-46B6-4b08-82A1-761D21965298}	2024-02-22_6e3f34199c5a28517d7ca915a7f3527c_goldeneye.exe

Deletes itself 1 IoCs

pid	Process
3036	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
1300	{ABEFBD25-46B6-4b08-82A1-761D21965298}.exe
2660	{11C67898-DFB8-4496-8868-3A5B21E09A2C}.exe
2796	{1DB679C2-A73F-489d-A555-B1757FA08F2B}.exe
2980	{A013DC21-7B8E-44a6-8146-A761138856E6}.exe
2828	{C1A64064-B109-40b2-9736-98D6876A7C6E}.exe
1904	{DF810D14-BADB-4288-870B-D7234440D853}.exe
1660	{85609D70-DB91-4c58-9CD3-0324301194EB}.exe
772	{636939D0-9EB3-48c1-A455-48A95DE624A2}.exe
2012	{9DF37C3C-D7AD-4781-AF14-D33D7B68A82A}.exe
2320	{7AFD3D26-14BA-48ab-86FF-095963135F29}.exe
1164	{EEEB49B3-42CE-4777-9FA6-94AFB0C4DA6D}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{11C67898-DFB8-4496-8868-3A5B21E09A2C}.exe	{ABEFBD25-46B6-4b08-82A1-761D21965298}.exe
File created	C:\Windows\{1DB679C2-A73F-489d-A555-B1757FA08F2B}.exe	{11C67898-DFB8-4496-8868-3A5B21E09A2C}.exe
File created	C:\Windows\{DF810D14-BADB-4288-870B-D7234440D853}.exe	{C1A64064-B109-40b2-9736-98D6876A7C6E}.exe
File created	C:\Windows\{636939D0-9EB3-48c1-A455-48A95DE624A2}.exe	{85609D70-DB91-4c58-9CD3-0324301194EB}.exe
File created	C:\Windows\{7AFD3D26-14BA-48ab-86FF-095963135F29}.exe	{9DF37C3C-D7AD-4781-AF14-D33D7B68A82A}.exe
File created	C:\Windows\{EEEB49B3-42CE-4777-9FA6-94AFB0C4DA6D}.exe	{7AFD3D26-14BA-48ab-86FF-095963135F29}.exe
File created	C:\Windows\{ABEFBD25-46B6-4b08-82A1-761D21965298}.exe	2024-02-22_6e3f34199c5a28517d7ca915a7f3527c_goldeneye.exe
File created	C:\Windows\{A013DC21-7B8E-44a6-8146-A761138856E6}.exe	{1DB679C2-A73F-489d-A555-B1757FA08F2B}.exe
File created	C:\Windows\{C1A64064-B109-40b2-9736-98D6876A7C6E}.exe	{A013DC21-7B8E-44a6-8146-A761138856E6}.exe
File created	C:\Windows\{85609D70-DB91-4c58-9CD3-0324301194EB}.exe	{DF810D14-BADB-4288-870B-D7234440D853}.exe
File created	C:\Windows\{9DF37C3C-D7AD-4781-AF14-D33D7B68A82A}.exe	{636939D0-9EB3-48c1-A455-48A95DE624A2}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2416	2024-02-22_6e3f34199c5a28517d7ca915a7f3527c_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1300	{ABEFBD25-46B6-4b08-82A1-761D21965298}.exe
Token: SeIncBasePriorityPrivilege	2660	{11C67898-DFB8-4496-8868-3A5B21E09A2C}.exe
Token: SeIncBasePriorityPrivilege	2796	{1DB679C2-A73F-489d-A555-B1757FA08F2B}.exe
Token: SeIncBasePriorityPrivilege	2980	{A013DC21-7B8E-44a6-8146-A761138856E6}.exe
Token: SeIncBasePriorityPrivilege	2828	{C1A64064-B109-40b2-9736-98D6876A7C6E}.exe
Token: SeIncBasePriorityPrivilege	1904	{DF810D14-BADB-4288-870B-D7234440D853}.exe
Token: SeIncBasePriorityPrivilege	1660	{85609D70-DB91-4c58-9CD3-0324301194EB}.exe
Token: SeIncBasePriorityPrivilege	772	{636939D0-9EB3-48c1-A455-48A95DE624A2}.exe
Token: SeIncBasePriorityPrivilege	2012	{9DF37C3C-D7AD-4781-AF14-D33D7B68A82A}.exe
Token: SeIncBasePriorityPrivilege	2320	{7AFD3D26-14BA-48ab-86FF-095963135F29}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2416 wrote to memory of 1300	2416	2024-02-22_6e3f34199c5a28517d7ca915a7f3527c_goldeneye.exe	28
PID 2416 wrote to memory of 1300	2416	2024-02-22_6e3f34199c5a28517d7ca915a7f3527c_goldeneye.exe	28
PID 2416 wrote to memory of 1300	2416	2024-02-22_6e3f34199c5a28517d7ca915a7f3527c_goldeneye.exe	28
PID 2416 wrote to memory of 1300	2416	2024-02-22_6e3f34199c5a28517d7ca915a7f3527c_goldeneye.exe	28
PID 2416 wrote to memory of 3036	2416	2024-02-22_6e3f34199c5a28517d7ca915a7f3527c_goldeneye.exe	29
PID 2416 wrote to memory of 3036	2416	2024-02-22_6e3f34199c5a28517d7ca915a7f3527c_goldeneye.exe	29
PID 2416 wrote to memory of 3036	2416	2024-02-22_6e3f34199c5a28517d7ca915a7f3527c_goldeneye.exe	29
PID 2416 wrote to memory of 3036	2416	2024-02-22_6e3f34199c5a28517d7ca915a7f3527c_goldeneye.exe	29
PID 1300 wrote to memory of 2660	1300	{ABEFBD25-46B6-4b08-82A1-761D21965298}.exe	30
PID 1300 wrote to memory of 2660	1300	{ABEFBD25-46B6-4b08-82A1-761D21965298}.exe	30
PID 1300 wrote to memory of 2660	1300	{ABEFBD25-46B6-4b08-82A1-761D21965298}.exe	30
PID 1300 wrote to memory of 2660	1300	{ABEFBD25-46B6-4b08-82A1-761D21965298}.exe	30
PID 1300 wrote to memory of 2596	1300	{ABEFBD25-46B6-4b08-82A1-761D21965298}.exe	31
PID 1300 wrote to memory of 2596	1300	{ABEFBD25-46B6-4b08-82A1-761D21965298}.exe	31
PID 1300 wrote to memory of 2596	1300	{ABEFBD25-46B6-4b08-82A1-761D21965298}.exe	31
PID 1300 wrote to memory of 2596	1300	{ABEFBD25-46B6-4b08-82A1-761D21965298}.exe	31
PID 2660 wrote to memory of 2796	2660	{11C67898-DFB8-4496-8868-3A5B21E09A2C}.exe	32
PID 2660 wrote to memory of 2796	2660	{11C67898-DFB8-4496-8868-3A5B21E09A2C}.exe	32
PID 2660 wrote to memory of 2796	2660	{11C67898-DFB8-4496-8868-3A5B21E09A2C}.exe	32
PID 2660 wrote to memory of 2796	2660	{11C67898-DFB8-4496-8868-3A5B21E09A2C}.exe	32
PID 2660 wrote to memory of 2488	2660	{11C67898-DFB8-4496-8868-3A5B21E09A2C}.exe	33
PID 2660 wrote to memory of 2488	2660	{11C67898-DFB8-4496-8868-3A5B21E09A2C}.exe	33
PID 2660 wrote to memory of 2488	2660	{11C67898-DFB8-4496-8868-3A5B21E09A2C}.exe	33
PID 2660 wrote to memory of 2488	2660	{11C67898-DFB8-4496-8868-3A5B21E09A2C}.exe	33
PID 2796 wrote to memory of 2980	2796	{1DB679C2-A73F-489d-A555-B1757FA08F2B}.exe	37
PID 2796 wrote to memory of 2980	2796	{1DB679C2-A73F-489d-A555-B1757FA08F2B}.exe	37
PID 2796 wrote to memory of 2980	2796	{1DB679C2-A73F-489d-A555-B1757FA08F2B}.exe	37
PID 2796 wrote to memory of 2980	2796	{1DB679C2-A73F-489d-A555-B1757FA08F2B}.exe	37
PID 2796 wrote to memory of 1744	2796	{1DB679C2-A73F-489d-A555-B1757FA08F2B}.exe	36
PID 2796 wrote to memory of 1744	2796	{1DB679C2-A73F-489d-A555-B1757FA08F2B}.exe	36
PID 2796 wrote to memory of 1744	2796	{1DB679C2-A73F-489d-A555-B1757FA08F2B}.exe	36
PID 2796 wrote to memory of 1744	2796	{1DB679C2-A73F-489d-A555-B1757FA08F2B}.exe	36
PID 2980 wrote to memory of 2828	2980	{A013DC21-7B8E-44a6-8146-A761138856E6}.exe	38
PID 2980 wrote to memory of 2828	2980	{A013DC21-7B8E-44a6-8146-A761138856E6}.exe	38
PID 2980 wrote to memory of 2828	2980	{A013DC21-7B8E-44a6-8146-A761138856E6}.exe	38
PID 2980 wrote to memory of 2828	2980	{A013DC21-7B8E-44a6-8146-A761138856E6}.exe	38
PID 2980 wrote to memory of 2960	2980	{A013DC21-7B8E-44a6-8146-A761138856E6}.exe	39
PID 2980 wrote to memory of 2960	2980	{A013DC21-7B8E-44a6-8146-A761138856E6}.exe	39
PID 2980 wrote to memory of 2960	2980	{A013DC21-7B8E-44a6-8146-A761138856E6}.exe	39
PID 2980 wrote to memory of 2960	2980	{A013DC21-7B8E-44a6-8146-A761138856E6}.exe	39
PID 2828 wrote to memory of 1904	2828	{C1A64064-B109-40b2-9736-98D6876A7C6E}.exe	40
PID 2828 wrote to memory of 1904	2828	{C1A64064-B109-40b2-9736-98D6876A7C6E}.exe	40
PID 2828 wrote to memory of 1904	2828	{C1A64064-B109-40b2-9736-98D6876A7C6E}.exe	40
PID 2828 wrote to memory of 1904	2828	{C1A64064-B109-40b2-9736-98D6876A7C6E}.exe	40
PID 2828 wrote to memory of 1264	2828	{C1A64064-B109-40b2-9736-98D6876A7C6E}.exe	41
PID 2828 wrote to memory of 1264	2828	{C1A64064-B109-40b2-9736-98D6876A7C6E}.exe	41
PID 2828 wrote to memory of 1264	2828	{C1A64064-B109-40b2-9736-98D6876A7C6E}.exe	41
PID 2828 wrote to memory of 1264	2828	{C1A64064-B109-40b2-9736-98D6876A7C6E}.exe	41
PID 1904 wrote to memory of 1660	1904	{DF810D14-BADB-4288-870B-D7234440D853}.exe	42
PID 1904 wrote to memory of 1660	1904	{DF810D14-BADB-4288-870B-D7234440D853}.exe	42
PID 1904 wrote to memory of 1660	1904	{DF810D14-BADB-4288-870B-D7234440D853}.exe	42
PID 1904 wrote to memory of 1660	1904	{DF810D14-BADB-4288-870B-D7234440D853}.exe	42
PID 1904 wrote to memory of 1568	1904	{DF810D14-BADB-4288-870B-D7234440D853}.exe	43
PID 1904 wrote to memory of 1568	1904	{DF810D14-BADB-4288-870B-D7234440D853}.exe	43
PID 1904 wrote to memory of 1568	1904	{DF810D14-BADB-4288-870B-D7234440D853}.exe	43
PID 1904 wrote to memory of 1568	1904	{DF810D14-BADB-4288-870B-D7234440D853}.exe	43
PID 1660 wrote to memory of 772	1660	{85609D70-DB91-4c58-9CD3-0324301194EB}.exe	44
PID 1660 wrote to memory of 772	1660	{85609D70-DB91-4c58-9CD3-0324301194EB}.exe	44
PID 1660 wrote to memory of 772	1660	{85609D70-DB91-4c58-9CD3-0324301194EB}.exe	44
PID 1660 wrote to memory of 772	1660	{85609D70-DB91-4c58-9CD3-0324301194EB}.exe	44
PID 1660 wrote to memory of 2248	1660	{85609D70-DB91-4c58-9CD3-0324301194EB}.exe	45
PID 1660 wrote to memory of 2248	1660	{85609D70-DB91-4c58-9CD3-0324301194EB}.exe	45
PID 1660 wrote to memory of 2248	1660	{85609D70-DB91-4c58-9CD3-0324301194EB}.exe	45
PID 1660 wrote to memory of 2248	1660	{85609D70-DB91-4c58-9CD3-0324301194EB}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-02-22_6e3f34199c5a28517d7ca915a7f3527c_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-22_6e3f34199c5a28517d7ca915a7f3527c_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2416
- C:\Windows\{ABEFBD25-46B6-4b08-82A1-761D21965298}.exe
  C:\Windows\{ABEFBD25-46B6-4b08-82A1-761D21965298}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1300
- - C:\Windows\{11C67898-DFB8-4496-8868-3A5B21E09A2C}.exe
    C:\Windows\{11C67898-DFB8-4496-8868-3A5B21E09A2C}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2660
  - - C:\Windows\{1DB679C2-A73F-489d-A555-B1757FA08F2B}.exe
      C:\Windows\{1DB679C2-A73F-489d-A555-B1757FA08F2B}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2796
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1DB67~1.EXE > nul
        5⤵
        
        PID:1744
    - - C:\Windows\{A013DC21-7B8E-44a6-8146-A761138856E6}.exe
        
        C:\Windows\{A013DC21-7B8E-44a6-8146-A761138856E6}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2980
      - C:\Windows\{C1A64064-B109-40b2-9736-98D6876A7C6E}.exe
        
        C:\Windows\{C1A64064-B109-40b2-9736-98D6876A7C6E}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2828
        
        C:\Windows\{DF810D14-BADB-4288-870B-D7234440D853}.exe
        
        C:\Windows\{DF810D14-BADB-4288-870B-D7234440D853}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1904
        
        C:\Windows\{85609D70-DB91-4c58-9CD3-0324301194EB}.exe
        
        C:\Windows\{85609D70-DB91-4c58-9CD3-0324301194EB}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1660
        
        C:\Windows\{636939D0-9EB3-48c1-A455-48A95DE624A2}.exe
        
        C:\Windows\{636939D0-9EB3-48c1-A455-48A95DE624A2}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{63693~1.EXE > nul
        10⤵
        
        PID:2304
        
        C:\Windows\{9DF37C3C-D7AD-4781-AF14-D33D7B68A82A}.exe
        
        C:\Windows\{9DF37C3C-D7AD-4781-AF14-D33D7B68A82A}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9DF37~1.EXE > nul
        11⤵
        
        PID:596
        
        C:\Windows\{7AFD3D26-14BA-48ab-86FF-095963135F29}.exe
        
        C:\Windows\{7AFD3D26-14BA-48ab-86FF-095963135F29}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2320
        
        C:\Windows\{EEEB49B3-42CE-4777-9FA6-94AFB0C4DA6D}.exe
        
        C:\Windows\{EEEB49B3-42CE-4777-9FA6-94AFB0C4DA6D}.exe
        12⤵
        Executes dropped EXE
        
        PID:1164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7AFD3~1.EXE > nul
        12⤵
        
        PID:916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{85609~1.EXE > nul
        9⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DF810~1.EXE > nul
        8⤵
        
        PID:1568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C1A64~1.EXE > nul
        7⤵
        
        PID:1264
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A013D~1.EXE > nul
        6⤵
        
        PID:2960
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{11C67~1.EXE > nul
      4⤵
      PID:2488
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{ABEFB~1.EXE > nul
    3⤵
    PID:2596
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:3036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{11C67898-DFB8-4496-8868-3A5B21E09A2C}.exe

Filesize
180KB

MD5
ccfdf0cd12ee49cb6f7d6b0ffb89f92b

SHA1
19df8c43b33529f36675b647e5fa766866b287b4

SHA256
a66affd5573018eed683cb492da4791f8f0dbd03cb1b4cacebd49105b8804b11

SHA512
65c5346b5f0ef9149280a06b66573e922c744ae5cb45d398323230e93e10ff48db788655c9bb2cb0e003574b1df375127c1ba53864b634218aca46a57d01dace

Download Submit
C:\Windows\{1DB679C2-A73F-489d-A555-B1757FA08F2B}.exe

Filesize
180KB

MD5
c1058f1e05ecf6a2f8056a57aeebce68

SHA1
50d7128c6164a4b6df58580f66765891bfd508de

SHA256
9968e9fa12e0074a50c9d47749e69586ba09c89f56b88177f91ef74fe5bf46f2

SHA512
db9e7af963031ec8ac0cdd7c1ece5436226c163aa081452a428dfc6da38b3cb750fc744fccc07bf617e3f9fac568944c1fa677b5e6999bab540f34b2c9419f5f

Download Submit
C:\Windows\{636939D0-9EB3-48c1-A455-48A95DE624A2}.exe

Filesize
180KB

MD5
f9ffc16d28a8d1a67cffdd355818e5d7

SHA1
e186d78f4fc62d8cb566bc5877805d691fbafc90

SHA256
a879bdab9523a158092475c3c1207e5b1dcb345c18d6781b9a8bf2c7b8ebc6e3

SHA512
60ddfcb27428df914148f01987b36bb105ef401762d30d5fb886e107e0e6f3f667a34d83398ca177ae912694f228dddb0451bbe16b97b41a8fa6b93c092789e5

Download Submit
C:\Windows\{7AFD3D26-14BA-48ab-86FF-095963135F29}.exe

Filesize
180KB

MD5
979b55d107c6d3b82230f65bdf2519ba

SHA1
2d21ef8680175eff5f03b03ffd58d6cbe528ea97

SHA256
57c2b53fbf103de792d797f38209195f6d59b9efc1d8e177016d92af11e8a6cc

SHA512
c6b47ff6b5f881235c481ffbeda6f4e9b104ba8ad47d9c4bcfce267e7f20b7c7773986b12ec5ef2a792790c176e00fba2e2ddd9971268e33cd86a24650f09606

Download Submit
C:\Windows\{85609D70-DB91-4c58-9CD3-0324301194EB}.exe

Filesize
180KB

MD5
56a0e66991a030b708d40d91a84a862e

SHA1
8b0667479527b969de020dd2bde41b24d89c6952

SHA256
94413be1f31c90b80ce33d1d915f1a41427e7a58d1b3d94b2e5e7d2748d076ef

SHA512
a390e5d8646f389a8c467ac9fac3285fb2273c08c074154aa9cbf972ea073a31b1d68d102a38488a72d36c485317ef558d840dbcb9ff3879ff1dd04004bda77b

Download Submit
C:\Windows\{9DF37C3C-D7AD-4781-AF14-D33D7B68A82A}.exe

Filesize
180KB

MD5
bf704f96ed1e1dd79db092745b4a12bb

SHA1
661985d76e0d52a8bf25d6af31931cfb37224188

SHA256
3875a6718948fd651508f1a7fd0c62d540046ee04c1b7bf80b86899b882ca897

SHA512
7a2cfd3f325b8c1bf911aa26d2ea425e872aff437105654bb67b7de73af4d5e114c13d82b8ae263e3cdba8ada0e19cecc3fadf68bf8ad00e99bf395dc9f18a93

Download Submit
C:\Windows\{A013DC21-7B8E-44a6-8146-A761138856E6}.exe

Filesize
180KB

MD5
f59425427d2790eebe8bfc0213892dc4

SHA1
455dbc2aa1a72328461a96da71491869de764e8f

SHA256
59242ab87f6f22d355e0d0d6aef956e53919c4b82044cbdc0d481ac0b913dd40

SHA512
25160d59e211aaade2643f35dcb2a804359b78bf18aa455fbdd7af1c0f4b3343b2d92960f46f96a6625fb364bee6e11924818f01588cc21020e29f70a630e1ef

Download Submit
C:\Windows\{ABEFBD25-46B6-4b08-82A1-761D21965298}.exe

Filesize
180KB

MD5
1899830c4d4a73d01d43817e76749891

SHA1
70adf9d8240d66e57e8f94dabcb546a3c5f2055d

SHA256
ad984f4fa3714ceaf8e222d7d72ab8c0e7dab5d70bd46a2c1ad2bb93f64fa22c

SHA512
9fec62edbf1b882e9c833f1db056d4e317710992cf829eab685db576da366865742f98def08cf569ffe8e7eca211bd545c5cc58657eec152b510a0115227d528

Download Submit
C:\Windows\{C1A64064-B109-40b2-9736-98D6876A7C6E}.exe

Filesize
180KB

MD5
4e865f07e4a81f4d92b86feb52b44845

SHA1
6e3bef118be7c6305edd7717e14aab0c33cdc1fd

SHA256
fe4613478fb5772e653541b1de597102402f5614aa96bad2aeac34d9c8f1ae16

SHA512
32b501586053b247d9437afacd53e9761c6087101f328359125bd1b18ebd5f05f798ba7da4052bded24b97e4c09eba11dd71d355dfd65f15c52fb4be80922c3d

Download Submit
C:\Windows\{DF810D14-BADB-4288-870B-D7234440D853}.exe

Filesize
180KB

MD5
1ea3aaff4fd7e91cef1f4c77da545585

SHA1
2fe67fcd026be15f13ef70b8c1f69cb55ebc212b

SHA256
71075a826f2fcff7488f945cd3b72c82f39c7fddf8d4d9b8c0b9a9c3fab50fee

SHA512
7a1750b559c40edfdf1c06ee753d8232ddeddd77d5b231e235f687c1e6ad8de47d06a56f9ee591e986e7e441b2f242ef4f71c2babe157226a07e5358e80ac68f

Download Submit
C:\Windows\{EEEB49B3-42CE-4777-9FA6-94AFB0C4DA6D}.exe

Filesize
180KB

MD5
0b509549617701e818cfdecb822052ab

SHA1
e25b00f37d9d190e582409d5be0142587bb56233

SHA256
2caa532a82fc65688a26b4c4d643ed6f0723ef36801202fd1ca79e77f4304705

SHA512
4fa3832abab737d66e67ea7968d7b1b2f392330109d80715ec4d7a85824c2fd4ffa571f03237332db8eb7b6b44bb3c5c21658822e9f76cbc1249af018be87505

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads