899d5898ef32ba0d6fda899a5116e639c343ddddb133295eed08281310f4dfc4

Analysis

max time kernel
144s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
23/02/2024, 10:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-23_6fbd82e183a0204539b0ba786056ed3e_goldeneye.exe
Size

168KB
MD5

6fbd82e183a0204539b0ba786056ed3e
SHA1

d803ed86a3551780ae0d535b6e00db61b67befa1
SHA256

899d5898ef32ba0d6fda899a5116e639c343ddddb133295eed08281310f4dfc4
SHA512

4bc6b8411451f41dc975d143560b38aead617f0ee7edca62cc6d6102053e17741fccd409cfb0e3e8af55c4cb43a148eaf29e0ec3d7144773f00dcaef19b1a133
SSDEEP

1536:1EGh0oWlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oWlqOPOe2MUVg3Ve+rX

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000800000001222a-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002e000000015364-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f00000000f680-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002f000000015364-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001000000000f680-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0030000000015364-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001100000000f680-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0031000000015364-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001200000000f680-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0032000000015364-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001300000000f680-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C5AA29D8-7794-4adf-88EA-F57AD5C31892}	{81D694E9-00F8-49cb-BBF3-67C80EDA6EED}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C5AA29D8-7794-4adf-88EA-F57AD5C31892}\stubpath = "C:\\Windows\\{C5AA29D8-7794-4adf-88EA-F57AD5C31892}.exe"	{81D694E9-00F8-49cb-BBF3-67C80EDA6EED}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5D6498E7-81C1-40ef-AD30-516C0C6D271D}	{C5AA29D8-7794-4adf-88EA-F57AD5C31892}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A3428A8C-BA57-4d45-AD34-46F4ED12E086}\stubpath = "C:\\Windows\\{A3428A8C-BA57-4d45-AD34-46F4ED12E086}.exe"	{86785DF4-2B41-4d09-9851-A6D9A491BDDA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5D6498E7-81C1-40ef-AD30-516C0C6D271D}\stubpath = "C:\\Windows\\{5D6498E7-81C1-40ef-AD30-516C0C6D271D}.exe"	{C5AA29D8-7794-4adf-88EA-F57AD5C31892}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{44081D2B-E5C7-425f-9B79-00BFE2E2CD40}\stubpath = "C:\\Windows\\{44081D2B-E5C7-425f-9B79-00BFE2E2CD40}.exe"	{5D6498E7-81C1-40ef-AD30-516C0C6D271D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3DDF85F4-FAB8-4b53-9F9C-27CCD4A35303}	{44081D2B-E5C7-425f-9B79-00BFE2E2CD40}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{86785DF4-2B41-4d09-9851-A6D9A491BDDA}\stubpath = "C:\\Windows\\{86785DF4-2B41-4d09-9851-A6D9A491BDDA}.exe"	{4ECDF9B8-402C-4538-B7BB-E38844B83EBF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4441A50D-E241-4bd5-BF9F-50798CA511A7}\stubpath = "C:\\Windows\\{4441A50D-E241-4bd5-BF9F-50798CA511A7}.exe"	{A3428A8C-BA57-4d45-AD34-46F4ED12E086}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EB1252CC-8E38-429f-BCA7-05FF62B94633}	{67AB0834-F1ED-4f8f-80F2-5DB12E77A3B1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3DDF85F4-FAB8-4b53-9F9C-27CCD4A35303}\stubpath = "C:\\Windows\\{3DDF85F4-FAB8-4b53-9F9C-27CCD4A35303}.exe"	{44081D2B-E5C7-425f-9B79-00BFE2E2CD40}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4ECDF9B8-402C-4538-B7BB-E38844B83EBF}\stubpath = "C:\\Windows\\{4ECDF9B8-402C-4538-B7BB-E38844B83EBF}.exe"	{3DDF85F4-FAB8-4b53-9F9C-27CCD4A35303}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{86785DF4-2B41-4d09-9851-A6D9A491BDDA}	{4ECDF9B8-402C-4538-B7BB-E38844B83EBF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{44081D2B-E5C7-425f-9B79-00BFE2E2CD40}	{5D6498E7-81C1-40ef-AD30-516C0C6D271D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4ECDF9B8-402C-4538-B7BB-E38844B83EBF}	{3DDF85F4-FAB8-4b53-9F9C-27CCD4A35303}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A3428A8C-BA57-4d45-AD34-46F4ED12E086}	{86785DF4-2B41-4d09-9851-A6D9A491BDDA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{67AB0834-F1ED-4f8f-80F2-5DB12E77A3B1}	2024-02-23_6fbd82e183a0204539b0ba786056ed3e_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{67AB0834-F1ED-4f8f-80F2-5DB12E77A3B1}\stubpath = "C:\\Windows\\{67AB0834-F1ED-4f8f-80F2-5DB12E77A3B1}.exe"	2024-02-23_6fbd82e183a0204539b0ba786056ed3e_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EB1252CC-8E38-429f-BCA7-05FF62B94633}\stubpath = "C:\\Windows\\{EB1252CC-8E38-429f-BCA7-05FF62B94633}.exe"	{67AB0834-F1ED-4f8f-80F2-5DB12E77A3B1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{81D694E9-00F8-49cb-BBF3-67C80EDA6EED}	{EB1252CC-8E38-429f-BCA7-05FF62B94633}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{81D694E9-00F8-49cb-BBF3-67C80EDA6EED}\stubpath = "C:\\Windows\\{81D694E9-00F8-49cb-BBF3-67C80EDA6EED}.exe"	{EB1252CC-8E38-429f-BCA7-05FF62B94633}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4441A50D-E241-4bd5-BF9F-50798CA511A7}	{A3428A8C-BA57-4d45-AD34-46F4ED12E086}.exe

Executes dropped EXE 11 IoCs

pid	Process
2608	{67AB0834-F1ED-4f8f-80F2-5DB12E77A3B1}.exe
2512	{EB1252CC-8E38-429f-BCA7-05FF62B94633}.exe
2444	{81D694E9-00F8-49cb-BBF3-67C80EDA6EED}.exe
564	{C5AA29D8-7794-4adf-88EA-F57AD5C31892}.exe
1128	{5D6498E7-81C1-40ef-AD30-516C0C6D271D}.exe
2712	{44081D2B-E5C7-425f-9B79-00BFE2E2CD40}.exe
1820	{3DDF85F4-FAB8-4b53-9F9C-27CCD4A35303}.exe
1480	{4ECDF9B8-402C-4538-B7BB-E38844B83EBF}.exe
1572	{86785DF4-2B41-4d09-9851-A6D9A491BDDA}.exe
372	{A3428A8C-BA57-4d45-AD34-46F4ED12E086}.exe
528	{4441A50D-E241-4bd5-BF9F-50798CA511A7}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{86785DF4-2B41-4d09-9851-A6D9A491BDDA}.exe	{4ECDF9B8-402C-4538-B7BB-E38844B83EBF}.exe
File created	C:\Windows\{EB1252CC-8E38-429f-BCA7-05FF62B94633}.exe	{67AB0834-F1ED-4f8f-80F2-5DB12E77A3B1}.exe
File created	C:\Windows\{81D694E9-00F8-49cb-BBF3-67C80EDA6EED}.exe	{EB1252CC-8E38-429f-BCA7-05FF62B94633}.exe
File created	C:\Windows\{5D6498E7-81C1-40ef-AD30-516C0C6D271D}.exe	{C5AA29D8-7794-4adf-88EA-F57AD5C31892}.exe
File created	C:\Windows\{44081D2B-E5C7-425f-9B79-00BFE2E2CD40}.exe	{5D6498E7-81C1-40ef-AD30-516C0C6D271D}.exe
File created	C:\Windows\{A3428A8C-BA57-4d45-AD34-46F4ED12E086}.exe	{86785DF4-2B41-4d09-9851-A6D9A491BDDA}.exe
File created	C:\Windows\{4441A50D-E241-4bd5-BF9F-50798CA511A7}.exe	{A3428A8C-BA57-4d45-AD34-46F4ED12E086}.exe
File created	C:\Windows\{67AB0834-F1ED-4f8f-80F2-5DB12E77A3B1}.exe	2024-02-23_6fbd82e183a0204539b0ba786056ed3e_goldeneye.exe
File created	C:\Windows\{C5AA29D8-7794-4adf-88EA-F57AD5C31892}.exe	{81D694E9-00F8-49cb-BBF3-67C80EDA6EED}.exe
File created	C:\Windows\{3DDF85F4-FAB8-4b53-9F9C-27CCD4A35303}.exe	{44081D2B-E5C7-425f-9B79-00BFE2E2CD40}.exe
File created	C:\Windows\{4ECDF9B8-402C-4538-B7BB-E38844B83EBF}.exe	{3DDF85F4-FAB8-4b53-9F9C-27CCD4A35303}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1288	2024-02-23_6fbd82e183a0204539b0ba786056ed3e_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2608	{67AB0834-F1ED-4f8f-80F2-5DB12E77A3B1}.exe
Token: SeIncBasePriorityPrivilege	2512	{EB1252CC-8E38-429f-BCA7-05FF62B94633}.exe
Token: SeIncBasePriorityPrivilege	2444	{81D694E9-00F8-49cb-BBF3-67C80EDA6EED}.exe
Token: SeIncBasePriorityPrivilege	564	{C5AA29D8-7794-4adf-88EA-F57AD5C31892}.exe
Token: SeIncBasePriorityPrivilege	1128	{5D6498E7-81C1-40ef-AD30-516C0C6D271D}.exe
Token: SeIncBasePriorityPrivilege	2712	{44081D2B-E5C7-425f-9B79-00BFE2E2CD40}.exe
Token: SeIncBasePriorityPrivilege	1820	{3DDF85F4-FAB8-4b53-9F9C-27CCD4A35303}.exe
Token: SeIncBasePriorityPrivilege	1480	{4ECDF9B8-402C-4538-B7BB-E38844B83EBF}.exe
Token: SeIncBasePriorityPrivilege	1572	{86785DF4-2B41-4d09-9851-A6D9A491BDDA}.exe
Token: SeIncBasePriorityPrivilege	372	{A3428A8C-BA57-4d45-AD34-46F4ED12E086}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1288 wrote to memory of 2608	1288	2024-02-23_6fbd82e183a0204539b0ba786056ed3e_goldeneye.exe	28
PID 1288 wrote to memory of 2608	1288	2024-02-23_6fbd82e183a0204539b0ba786056ed3e_goldeneye.exe	28
PID 1288 wrote to memory of 2608	1288	2024-02-23_6fbd82e183a0204539b0ba786056ed3e_goldeneye.exe	28
PID 1288 wrote to memory of 2608	1288	2024-02-23_6fbd82e183a0204539b0ba786056ed3e_goldeneye.exe	28
PID 1288 wrote to memory of 2992	1288	2024-02-23_6fbd82e183a0204539b0ba786056ed3e_goldeneye.exe	29
PID 1288 wrote to memory of 2992	1288	2024-02-23_6fbd82e183a0204539b0ba786056ed3e_goldeneye.exe	29
PID 1288 wrote to memory of 2992	1288	2024-02-23_6fbd82e183a0204539b0ba786056ed3e_goldeneye.exe	29
PID 1288 wrote to memory of 2992	1288	2024-02-23_6fbd82e183a0204539b0ba786056ed3e_goldeneye.exe	29
PID 2608 wrote to memory of 2512	2608	{67AB0834-F1ED-4f8f-80F2-5DB12E77A3B1}.exe	32
PID 2608 wrote to memory of 2512	2608	{67AB0834-F1ED-4f8f-80F2-5DB12E77A3B1}.exe	32
PID 2608 wrote to memory of 2512	2608	{67AB0834-F1ED-4f8f-80F2-5DB12E77A3B1}.exe	32
PID 2608 wrote to memory of 2512	2608	{67AB0834-F1ED-4f8f-80F2-5DB12E77A3B1}.exe	32
PID 2608 wrote to memory of 2888	2608	{67AB0834-F1ED-4f8f-80F2-5DB12E77A3B1}.exe	33
PID 2608 wrote to memory of 2888	2608	{67AB0834-F1ED-4f8f-80F2-5DB12E77A3B1}.exe	33
PID 2608 wrote to memory of 2888	2608	{67AB0834-F1ED-4f8f-80F2-5DB12E77A3B1}.exe	33
PID 2608 wrote to memory of 2888	2608	{67AB0834-F1ED-4f8f-80F2-5DB12E77A3B1}.exe	33
PID 2512 wrote to memory of 2444	2512	{EB1252CC-8E38-429f-BCA7-05FF62B94633}.exe	35
PID 2512 wrote to memory of 2444	2512	{EB1252CC-8E38-429f-BCA7-05FF62B94633}.exe	35
PID 2512 wrote to memory of 2444	2512	{EB1252CC-8E38-429f-BCA7-05FF62B94633}.exe	35
PID 2512 wrote to memory of 2444	2512	{EB1252CC-8E38-429f-BCA7-05FF62B94633}.exe	35
PID 2512 wrote to memory of 2500	2512	{EB1252CC-8E38-429f-BCA7-05FF62B94633}.exe	34
PID 2512 wrote to memory of 2500	2512	{EB1252CC-8E38-429f-BCA7-05FF62B94633}.exe	34
PID 2512 wrote to memory of 2500	2512	{EB1252CC-8E38-429f-BCA7-05FF62B94633}.exe	34
PID 2512 wrote to memory of 2500	2512	{EB1252CC-8E38-429f-BCA7-05FF62B94633}.exe	34
PID 2444 wrote to memory of 564	2444	{81D694E9-00F8-49cb-BBF3-67C80EDA6EED}.exe	36
PID 2444 wrote to memory of 564	2444	{81D694E9-00F8-49cb-BBF3-67C80EDA6EED}.exe	36
PID 2444 wrote to memory of 564	2444	{81D694E9-00F8-49cb-BBF3-67C80EDA6EED}.exe	36
PID 2444 wrote to memory of 564	2444	{81D694E9-00F8-49cb-BBF3-67C80EDA6EED}.exe	36
PID 2444 wrote to memory of 680	2444	{81D694E9-00F8-49cb-BBF3-67C80EDA6EED}.exe	37
PID 2444 wrote to memory of 680	2444	{81D694E9-00F8-49cb-BBF3-67C80EDA6EED}.exe	37
PID 2444 wrote to memory of 680	2444	{81D694E9-00F8-49cb-BBF3-67C80EDA6EED}.exe	37
PID 2444 wrote to memory of 680	2444	{81D694E9-00F8-49cb-BBF3-67C80EDA6EED}.exe	37
PID 564 wrote to memory of 1128	564	{C5AA29D8-7794-4adf-88EA-F57AD5C31892}.exe	38
PID 564 wrote to memory of 1128	564	{C5AA29D8-7794-4adf-88EA-F57AD5C31892}.exe	38
PID 564 wrote to memory of 1128	564	{C5AA29D8-7794-4adf-88EA-F57AD5C31892}.exe	38
PID 564 wrote to memory of 1128	564	{C5AA29D8-7794-4adf-88EA-F57AD5C31892}.exe	38
PID 564 wrote to memory of 1796	564	{C5AA29D8-7794-4adf-88EA-F57AD5C31892}.exe	39
PID 564 wrote to memory of 1796	564	{C5AA29D8-7794-4adf-88EA-F57AD5C31892}.exe	39
PID 564 wrote to memory of 1796	564	{C5AA29D8-7794-4adf-88EA-F57AD5C31892}.exe	39
PID 564 wrote to memory of 1796	564	{C5AA29D8-7794-4adf-88EA-F57AD5C31892}.exe	39
PID 1128 wrote to memory of 2712	1128	{5D6498E7-81C1-40ef-AD30-516C0C6D271D}.exe	40
PID 1128 wrote to memory of 2712	1128	{5D6498E7-81C1-40ef-AD30-516C0C6D271D}.exe	40
PID 1128 wrote to memory of 2712	1128	{5D6498E7-81C1-40ef-AD30-516C0C6D271D}.exe	40
PID 1128 wrote to memory of 2712	1128	{5D6498E7-81C1-40ef-AD30-516C0C6D271D}.exe	40
PID 1128 wrote to memory of 2620	1128	{5D6498E7-81C1-40ef-AD30-516C0C6D271D}.exe	41
PID 1128 wrote to memory of 2620	1128	{5D6498E7-81C1-40ef-AD30-516C0C6D271D}.exe	41
PID 1128 wrote to memory of 2620	1128	{5D6498E7-81C1-40ef-AD30-516C0C6D271D}.exe	41
PID 1128 wrote to memory of 2620	1128	{5D6498E7-81C1-40ef-AD30-516C0C6D271D}.exe	41
PID 2712 wrote to memory of 1820	2712	{44081D2B-E5C7-425f-9B79-00BFE2E2CD40}.exe	42
PID 2712 wrote to memory of 1820	2712	{44081D2B-E5C7-425f-9B79-00BFE2E2CD40}.exe	42
PID 2712 wrote to memory of 1820	2712	{44081D2B-E5C7-425f-9B79-00BFE2E2CD40}.exe	42
PID 2712 wrote to memory of 1820	2712	{44081D2B-E5C7-425f-9B79-00BFE2E2CD40}.exe	42
PID 2712 wrote to memory of 644	2712	{44081D2B-E5C7-425f-9B79-00BFE2E2CD40}.exe	43
PID 2712 wrote to memory of 644	2712	{44081D2B-E5C7-425f-9B79-00BFE2E2CD40}.exe	43
PID 2712 wrote to memory of 644	2712	{44081D2B-E5C7-425f-9B79-00BFE2E2CD40}.exe	43
PID 2712 wrote to memory of 644	2712	{44081D2B-E5C7-425f-9B79-00BFE2E2CD40}.exe	43
PID 1820 wrote to memory of 1480	1820	{3DDF85F4-FAB8-4b53-9F9C-27CCD4A35303}.exe	44
PID 1820 wrote to memory of 1480	1820	{3DDF85F4-FAB8-4b53-9F9C-27CCD4A35303}.exe	44
PID 1820 wrote to memory of 1480	1820	{3DDF85F4-FAB8-4b53-9F9C-27CCD4A35303}.exe	44
PID 1820 wrote to memory of 1480	1820	{3DDF85F4-FAB8-4b53-9F9C-27CCD4A35303}.exe	44
PID 1820 wrote to memory of 1300	1820	{3DDF85F4-FAB8-4b53-9F9C-27CCD4A35303}.exe	45
PID 1820 wrote to memory of 1300	1820	{3DDF85F4-FAB8-4b53-9F9C-27CCD4A35303}.exe	45
PID 1820 wrote to memory of 1300	1820	{3DDF85F4-FAB8-4b53-9F9C-27CCD4A35303}.exe	45
PID 1820 wrote to memory of 1300	1820	{3DDF85F4-FAB8-4b53-9F9C-27CCD4A35303}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-02-23_6fbd82e183a0204539b0ba786056ed3e_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-23_6fbd82e183a0204539b0ba786056ed3e_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1288
- C:\Windows\{67AB0834-F1ED-4f8f-80F2-5DB12E77A3B1}.exe
  C:\Windows\{67AB0834-F1ED-4f8f-80F2-5DB12E77A3B1}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2608
- - C:\Windows\{EB1252CC-8E38-429f-BCA7-05FF62B94633}.exe
    C:\Windows\{EB1252CC-8E38-429f-BCA7-05FF62B94633}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2512
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{EB125~1.EXE > nul
      4⤵
      PID:2500
  - - C:\Windows\{81D694E9-00F8-49cb-BBF3-67C80EDA6EED}.exe
      C:\Windows\{81D694E9-00F8-49cb-BBF3-67C80EDA6EED}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2444
    - - C:\Windows\{C5AA29D8-7794-4adf-88EA-F57AD5C31892}.exe
        
        C:\Windows\{C5AA29D8-7794-4adf-88EA-F57AD5C31892}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:564
      - C:\Windows\{5D6498E7-81C1-40ef-AD30-516C0C6D271D}.exe
        
        C:\Windows\{5D6498E7-81C1-40ef-AD30-516C0C6D271D}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1128
        
        C:\Windows\{44081D2B-E5C7-425f-9B79-00BFE2E2CD40}.exe
        
        C:\Windows\{44081D2B-E5C7-425f-9B79-00BFE2E2CD40}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2712
        
        C:\Windows\{3DDF85F4-FAB8-4b53-9F9C-27CCD4A35303}.exe
        
        C:\Windows\{3DDF85F4-FAB8-4b53-9F9C-27CCD4A35303}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1820
        
        C:\Windows\{4ECDF9B8-402C-4538-B7BB-E38844B83EBF}.exe
        
        C:\Windows\{4ECDF9B8-402C-4538-B7BB-E38844B83EBF}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4ECDF~1.EXE > nul
        10⤵
        
        PID:1456
        
        C:\Windows\{86785DF4-2B41-4d09-9851-A6D9A491BDDA}.exe
        
        C:\Windows\{86785DF4-2B41-4d09-9851-A6D9A491BDDA}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1572
        
        C:\Windows\{A3428A8C-BA57-4d45-AD34-46F4ED12E086}.exe
        
        C:\Windows\{A3428A8C-BA57-4d45-AD34-46F4ED12E086}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:372
        
        C:\Windows\{4441A50D-E241-4bd5-BF9F-50798CA511A7}.exe
        
        C:\Windows\{4441A50D-E241-4bd5-BF9F-50798CA511A7}.exe
        12⤵
        Executes dropped EXE
        
        PID:528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A3428~1.EXE > nul
        12⤵
        
        PID:1412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{86785~1.EXE > nul
        11⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3DDF8~1.EXE > nul
        9⤵
        
        PID:1300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{44081~1.EXE > nul
        8⤵
        
        PID:644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5D649~1.EXE > nul
        7⤵
        
        PID:2620
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C5AA2~1.EXE > nul
        6⤵
        
        PID:1796
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{81D69~1.EXE > nul
        5⤵
        
        PID:680
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{67AB0~1.EXE > nul
    3⤵
    PID:2888
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{3DDF85F4-FAB8-4b53-9F9C-27CCD4A35303}.exe

Filesize
168KB

MD5
91f9ec611e76bcd67c44041b66c09220

SHA1
34b78f3eb1a01a7ecca7d37a9507a12c6abb57a6

SHA256
d428a40941297f85b06dfbeba694b4b4a3e420a453d9009595c3453f2dfdd431

SHA512
7f459e63bb083ea76d24c5252dfa5347ee4b06b88b36ae0791736659536fa8daecb424d4e4b624eb9ccd276117db49f0e6756626690df373a7b38b0e6a7d62bf

Download Submit
C:\Windows\{44081D2B-E5C7-425f-9B79-00BFE2E2CD40}.exe

Filesize
168KB

MD5
b4de55d60c43e975079e823f68349569

SHA1
44c9e3211263fdfe393cdbcefe9640c58b4b2e94

SHA256
53444b61519119dcc3ba94d6ebde6ddaada00afd85d60ae69d60091e197183e5

SHA512
4694f59714bf937151c32f8936444c3a19181d9cbcd75bf0b8a01348901ba128330106459afa5a13b7ab16caa990ad6d893db37061ecf189104827325d97dcf2

Download Submit
C:\Windows\{4441A50D-E241-4bd5-BF9F-50798CA511A7}.exe

Filesize
168KB

MD5
3c4c09f654404f9d1f94f5fe18faa661

SHA1
3453d58fdb5db0738f5ce0edcd951aa9e541eca1

SHA256
d774bf6c7f70497867c3571d898fdb02a2fb5a7219a78e95ba2557fec48c2cb1

SHA512
0de09dd881aea1a90766a9a975e33eb027b60da68b9a56cbd2cf8b514058182d6d5a4ba4ba3d09b14610eb8d3a5e048eac7e9d0db9da58cf0f610fe81f39ac21

Download Submit
C:\Windows\{4ECDF9B8-402C-4538-B7BB-E38844B83EBF}.exe

Filesize
168KB

MD5
5d294321a9833a7614de17acc8170a77

SHA1
1f8544da639d9abdea6c05b2865cba41bb3e1617

SHA256
e8d0da33f223229e6993532b64d3c695b43a631cc31bcd8958cc754ae8c75d9a

SHA512
ba287e9087ab6012eb349ac9feb71295c8dc5de647b1bbab1fa906e5f529eb7a95efb2c35bc090a8e611554b2597a33a6311077e58d91b19f874676424b15cd3

Download Submit
C:\Windows\{5D6498E7-81C1-40ef-AD30-516C0C6D271D}.exe

Filesize
168KB

MD5
ad521d65bf9b763a905599404d2c382a

SHA1
5f7ce991cfb36e8b163dc8d09ef9f708fe1a1068

SHA256
a321811342e1c1ee51f9f79d034e85a3fe5da4657a841f0ec762f9e8c61bc2a5

SHA512
af860ee7cd9c6ce24d1e484ba06b5587bd467c8f807307f5b21a7f384292424b192d3e9cc6bb0b390527efbead26b66c6f26ef268ed88a87e83cfa6c0308c397

Download Submit
C:\Windows\{67AB0834-F1ED-4f8f-80F2-5DB12E77A3B1}.exe

Filesize
168KB

MD5
a6afe120257fd2e8e108b8b1c1614db6

SHA1
74f776917bfad18469b2fdc735b32c9befb870b8

SHA256
5be14cfef81f54b966f7464d940609177bb2ad40b06f60cd76f3a6f17fdc5048

SHA512
4ed70ae118a1ff905151f0c3616477f1d651d4a52c0fe0b3b5f4f77f5b26f2352e706dc3c72ef4cad6a3535f01a480a3d4b780e53d47798e7d22277b089cf747

Download Submit
C:\Windows\{81D694E9-00F8-49cb-BBF3-67C80EDA6EED}.exe

Filesize
168KB

MD5
2fd1baac620fb9f0ff76ef791812f820

SHA1
430ebc6f505e06e901bf121b67b9d879332c5fac

SHA256
a150c7b2d3a048a29709b0fe0e826844793b8443f9a079507261ad17109dee2e

SHA512
a348a9065d2ad9807b8ba00eb47e37070b28bbb469c3138f9deae2bb5eda39ea3ab890efa25cdf71ad860c08150704d7260eb558ca0f9c445285e5c28cc7b1a8

Download Submit
C:\Windows\{86785DF4-2B41-4d09-9851-A6D9A491BDDA}.exe

Filesize
168KB

MD5
c2a24965a76b9151a522996bda10ecb6

SHA1
c0d5dd4bd51dce45bd1a744342b7543e67d8dbbb

SHA256
acd1be4ed107522e4d86b6f49f694042757890243240c682ec95ede3bd571eaf

SHA512
545d6c32add0e4e3e61487ac3af198bb57d46c241b8e38d1223f83b977c50e76e68ba609a8ed0ebd3b44bf97420743a1e09385098449d8580b2e8fac155fa038

Download Submit
C:\Windows\{A3428A8C-BA57-4d45-AD34-46F4ED12E086}.exe

Filesize
168KB

MD5
560c682dca497914d85269e974684c37

SHA1
eb88200f0f58423ef206ff9fa03b3b9a1b8659dd

SHA256
1a4f536b116df77b0c19aef7efbb0c42761c522c8fac27b6b4eda4731f80f671

SHA512
fe3a4544295a2bb8b034e99eb7e6c655093d8a1327121e936329b52e70545b3e7f46d4e81ec098774bb45247a4c1e1eadff3d56ac8f784b66955a8879a99ab2e

Download Submit
C:\Windows\{C5AA29D8-7794-4adf-88EA-F57AD5C31892}.exe

Filesize
168KB

MD5
e776d7aa9be487c90599bc613fca1f86

SHA1
57efcda75d225a3ce8288dfaa20d78a14e369ca6

SHA256
ccacae00190d9e27aba633a4dee0ff105a4cd9b61cf9721cd282db8d21c5333a

SHA512
9e5e5c68a35ed162e8665be20adb8108d196f397bfefc2c1665a2ea27193bfd8d47f7a2036d925c371ae5c65d66f3211c84e7892855e84ff2ff42d757273f4b6

Download Submit
C:\Windows\{EB1252CC-8E38-429f-BCA7-05FF62B94633}.exe

Filesize
168KB

MD5
f0d721c1ed95713254c469321d8d8d51

SHA1
cad1604c0aa1fef8f32277f831c7c6e82498f4d8

SHA256
cdb2cf392059009b1e3343eec420b329dab0c5f2605c4fc5ab8af919130e6f9b

SHA512
aa0f309925080652e79ab991379ceab5de5a5627c7c658aaee9edfdd66d4605a44c21ae16a04816dd4fa7d47f1aec68a69aee60f421ed2dd527bf80acb7f5163

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads