5fd9d10f207a56c1b22d90ab8f51ff5d47f72675eabdd79ff66d751ecf9fa524

Analysis

max time kernel
144s
max time network
118s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
11/03/2024, 12:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-11_415348c803d65dc7122c9d0d8a5e7939_goldeneye.exe
Size

168KB
MD5

415348c803d65dc7122c9d0d8a5e7939
SHA1

0c0a8346560e6e83767229c07551af77e626deba
SHA256

5fd9d10f207a56c1b22d90ab8f51ff5d47f72675eabdd79ff66d751ecf9fa524
SHA512

dea35bf970ff8e0fcc817da68a45c17388b993895cb3e486e6e3f321c9c0cd721daac9bce565c68aad21b4e99767a0540260c50814e294b326ed234388659843
SSDEEP

1536:1EGh0omlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0omlqOPOe2MUVg3Ve+rX

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000a000000012251-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000015653-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b000000012251-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0034000000015cae-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000012251-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000012251-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e000000012251-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4548C9AD-5ECF-4367-88D5-D0E014786899}	{BAA2074F-1E28-450d-9785-37612CC4C7D6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{18E0A702-80E5-4379-A15A-B9345C544996}\stubpath = "C:\\Windows\\{18E0A702-80E5-4379-A15A-B9345C544996}.exe"	{4548C9AD-5ECF-4367-88D5-D0E014786899}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{12EA7BF4-BBF5-495a-970D-CDAB2C8A00B4}\stubpath = "C:\\Windows\\{12EA7BF4-BBF5-495a-970D-CDAB2C8A00B4}.exe"	{9E133EC5-3828-401e-B2AF-4ED345DEE126}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9E133EC5-3828-401e-B2AF-4ED345DEE126}\stubpath = "C:\\Windows\\{9E133EC5-3828-401e-B2AF-4ED345DEE126}.exe"	{B78EAE2D-4A82-4f3d-8D91-F85C116E8523}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9CD7F4D8-55E2-418b-9B25-BBBE2E9E9E61}	{12EA7BF4-BBF5-495a-970D-CDAB2C8A00B4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{89BD3E3B-A9CF-42d5-90F1-56D513CC0DE2}\stubpath = "C:\\Windows\\{89BD3E3B-A9CF-42d5-90F1-56D513CC0DE2}.exe"	{C7C9FA13-9FA4-4168-957D-FE3B66235D9F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4548C9AD-5ECF-4367-88D5-D0E014786899}\stubpath = "C:\\Windows\\{4548C9AD-5ECF-4367-88D5-D0E014786899}.exe"	{BAA2074F-1E28-450d-9785-37612CC4C7D6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B78EAE2D-4A82-4f3d-8D91-F85C116E8523}	{38D11116-91C8-4b50-9686-6DC547F338A9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{12EA7BF4-BBF5-495a-970D-CDAB2C8A00B4}	{9E133EC5-3828-401e-B2AF-4ED345DEE126}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9CD7F4D8-55E2-418b-9B25-BBBE2E9E9E61}\stubpath = "C:\\Windows\\{9CD7F4D8-55E2-418b-9B25-BBBE2E9E9E61}.exe"	{12EA7BF4-BBF5-495a-970D-CDAB2C8A00B4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5EAD652A-3269-4715-96D7-05BE54273494}	{9CD7F4D8-55E2-418b-9B25-BBBE2E9E9E61}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C7C9FA13-9FA4-4168-957D-FE3B66235D9F}	{5EAD652A-3269-4715-96D7-05BE54273494}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{89BD3E3B-A9CF-42d5-90F1-56D513CC0DE2}	{C7C9FA13-9FA4-4168-957D-FE3B66235D9F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5EAD652A-3269-4715-96D7-05BE54273494}\stubpath = "C:\\Windows\\{5EAD652A-3269-4715-96D7-05BE54273494}.exe"	{9CD7F4D8-55E2-418b-9B25-BBBE2E9E9E61}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BAA2074F-1E28-450d-9785-37612CC4C7D6}	2024-03-11_415348c803d65dc7122c9d0d8a5e7939_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BAA2074F-1E28-450d-9785-37612CC4C7D6}\stubpath = "C:\\Windows\\{BAA2074F-1E28-450d-9785-37612CC4C7D6}.exe"	2024-03-11_415348c803d65dc7122c9d0d8a5e7939_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{18E0A702-80E5-4379-A15A-B9345C544996}	{4548C9AD-5ECF-4367-88D5-D0E014786899}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{38D11116-91C8-4b50-9686-6DC547F338A9}	{18E0A702-80E5-4379-A15A-B9345C544996}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{38D11116-91C8-4b50-9686-6DC547F338A9}\stubpath = "C:\\Windows\\{38D11116-91C8-4b50-9686-6DC547F338A9}.exe"	{18E0A702-80E5-4379-A15A-B9345C544996}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B78EAE2D-4A82-4f3d-8D91-F85C116E8523}\stubpath = "C:\\Windows\\{B78EAE2D-4A82-4f3d-8D91-F85C116E8523}.exe"	{38D11116-91C8-4b50-9686-6DC547F338A9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9E133EC5-3828-401e-B2AF-4ED345DEE126}	{B78EAE2D-4A82-4f3d-8D91-F85C116E8523}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C7C9FA13-9FA4-4168-957D-FE3B66235D9F}\stubpath = "C:\\Windows\\{C7C9FA13-9FA4-4168-957D-FE3B66235D9F}.exe"	{5EAD652A-3269-4715-96D7-05BE54273494}.exe

Deletes itself 1 IoCs

pid	Process
2964	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2060	{BAA2074F-1E28-450d-9785-37612CC4C7D6}.exe
2816	{4548C9AD-5ECF-4367-88D5-D0E014786899}.exe
2480	{18E0A702-80E5-4379-A15A-B9345C544996}.exe
2488	{38D11116-91C8-4b50-9686-6DC547F338A9}.exe
2716	{B78EAE2D-4A82-4f3d-8D91-F85C116E8523}.exe
2180	{9E133EC5-3828-401e-B2AF-4ED345DEE126}.exe
1888	{12EA7BF4-BBF5-495a-970D-CDAB2C8A00B4}.exe
2420	{9CD7F4D8-55E2-418b-9B25-BBBE2E9E9E61}.exe
2124	{5EAD652A-3269-4715-96D7-05BE54273494}.exe
2152	{C7C9FA13-9FA4-4168-957D-FE3B66235D9F}.exe
1048	{89BD3E3B-A9CF-42d5-90F1-56D513CC0DE2}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{12EA7BF4-BBF5-495a-970D-CDAB2C8A00B4}.exe	{9E133EC5-3828-401e-B2AF-4ED345DEE126}.exe
File created	C:\Windows\{5EAD652A-3269-4715-96D7-05BE54273494}.exe	{9CD7F4D8-55E2-418b-9B25-BBBE2E9E9E61}.exe
File created	C:\Windows\{C7C9FA13-9FA4-4168-957D-FE3B66235D9F}.exe	{5EAD652A-3269-4715-96D7-05BE54273494}.exe
File created	C:\Windows\{89BD3E3B-A9CF-42d5-90F1-56D513CC0DE2}.exe	{C7C9FA13-9FA4-4168-957D-FE3B66235D9F}.exe
File created	C:\Windows\{4548C9AD-5ECF-4367-88D5-D0E014786899}.exe	{BAA2074F-1E28-450d-9785-37612CC4C7D6}.exe
File created	C:\Windows\{38D11116-91C8-4b50-9686-6DC547F338A9}.exe	{18E0A702-80E5-4379-A15A-B9345C544996}.exe
File created	C:\Windows\{B78EAE2D-4A82-4f3d-8D91-F85C116E8523}.exe	{38D11116-91C8-4b50-9686-6DC547F338A9}.exe
File created	C:\Windows\{9E133EC5-3828-401e-B2AF-4ED345DEE126}.exe	{B78EAE2D-4A82-4f3d-8D91-F85C116E8523}.exe
File created	C:\Windows\{BAA2074F-1E28-450d-9785-37612CC4C7D6}.exe	2024-03-11_415348c803d65dc7122c9d0d8a5e7939_goldeneye.exe
File created	C:\Windows\{18E0A702-80E5-4379-A15A-B9345C544996}.exe	{4548C9AD-5ECF-4367-88D5-D0E014786899}.exe
File created	C:\Windows\{9CD7F4D8-55E2-418b-9B25-BBBE2E9E9E61}.exe	{12EA7BF4-BBF5-495a-970D-CDAB2C8A00B4}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2864	2024-03-11_415348c803d65dc7122c9d0d8a5e7939_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2060	{BAA2074F-1E28-450d-9785-37612CC4C7D6}.exe
Token: SeIncBasePriorityPrivilege	2816	{4548C9AD-5ECF-4367-88D5-D0E014786899}.exe
Token: SeIncBasePriorityPrivilege	2480	{18E0A702-80E5-4379-A15A-B9345C544996}.exe
Token: SeIncBasePriorityPrivilege	2488	{38D11116-91C8-4b50-9686-6DC547F338A9}.exe
Token: SeIncBasePriorityPrivilege	2716	{B78EAE2D-4A82-4f3d-8D91-F85C116E8523}.exe
Token: SeIncBasePriorityPrivilege	2180	{9E133EC5-3828-401e-B2AF-4ED345DEE126}.exe
Token: SeIncBasePriorityPrivilege	1888	{12EA7BF4-BBF5-495a-970D-CDAB2C8A00B4}.exe
Token: SeIncBasePriorityPrivilege	2420	{9CD7F4D8-55E2-418b-9B25-BBBE2E9E9E61}.exe
Token: SeIncBasePriorityPrivilege	2124	{5EAD652A-3269-4715-96D7-05BE54273494}.exe
Token: SeIncBasePriorityPrivilege	2152	{C7C9FA13-9FA4-4168-957D-FE3B66235D9F}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2864 wrote to memory of 2060	2864	2024-03-11_415348c803d65dc7122c9d0d8a5e7939_goldeneye.exe	28
PID 2864 wrote to memory of 2060	2864	2024-03-11_415348c803d65dc7122c9d0d8a5e7939_goldeneye.exe	28
PID 2864 wrote to memory of 2060	2864	2024-03-11_415348c803d65dc7122c9d0d8a5e7939_goldeneye.exe	28
PID 2864 wrote to memory of 2060	2864	2024-03-11_415348c803d65dc7122c9d0d8a5e7939_goldeneye.exe	28
PID 2864 wrote to memory of 2964	2864	2024-03-11_415348c803d65dc7122c9d0d8a5e7939_goldeneye.exe	29
PID 2864 wrote to memory of 2964	2864	2024-03-11_415348c803d65dc7122c9d0d8a5e7939_goldeneye.exe	29
PID 2864 wrote to memory of 2964	2864	2024-03-11_415348c803d65dc7122c9d0d8a5e7939_goldeneye.exe	29
PID 2864 wrote to memory of 2964	2864	2024-03-11_415348c803d65dc7122c9d0d8a5e7939_goldeneye.exe	29
PID 2060 wrote to memory of 2816	2060	{BAA2074F-1E28-450d-9785-37612CC4C7D6}.exe	30
PID 2060 wrote to memory of 2816	2060	{BAA2074F-1E28-450d-9785-37612CC4C7D6}.exe	30
PID 2060 wrote to memory of 2816	2060	{BAA2074F-1E28-450d-9785-37612CC4C7D6}.exe	30
PID 2060 wrote to memory of 2816	2060	{BAA2074F-1E28-450d-9785-37612CC4C7D6}.exe	30
PID 2060 wrote to memory of 1988	2060	{BAA2074F-1E28-450d-9785-37612CC4C7D6}.exe	31
PID 2060 wrote to memory of 1988	2060	{BAA2074F-1E28-450d-9785-37612CC4C7D6}.exe	31
PID 2060 wrote to memory of 1988	2060	{BAA2074F-1E28-450d-9785-37612CC4C7D6}.exe	31
PID 2060 wrote to memory of 1988	2060	{BAA2074F-1E28-450d-9785-37612CC4C7D6}.exe	31
PID 2816 wrote to memory of 2480	2816	{4548C9AD-5ECF-4367-88D5-D0E014786899}.exe	32
PID 2816 wrote to memory of 2480	2816	{4548C9AD-5ECF-4367-88D5-D0E014786899}.exe	32
PID 2816 wrote to memory of 2480	2816	{4548C9AD-5ECF-4367-88D5-D0E014786899}.exe	32
PID 2816 wrote to memory of 2480	2816	{4548C9AD-5ECF-4367-88D5-D0E014786899}.exe	32
PID 2816 wrote to memory of 2468	2816	{4548C9AD-5ECF-4367-88D5-D0E014786899}.exe	33
PID 2816 wrote to memory of 2468	2816	{4548C9AD-5ECF-4367-88D5-D0E014786899}.exe	33
PID 2816 wrote to memory of 2468	2816	{4548C9AD-5ECF-4367-88D5-D0E014786899}.exe	33
PID 2816 wrote to memory of 2468	2816	{4548C9AD-5ECF-4367-88D5-D0E014786899}.exe	33
PID 2480 wrote to memory of 2488	2480	{18E0A702-80E5-4379-A15A-B9345C544996}.exe	36
PID 2480 wrote to memory of 2488	2480	{18E0A702-80E5-4379-A15A-B9345C544996}.exe	36
PID 2480 wrote to memory of 2488	2480	{18E0A702-80E5-4379-A15A-B9345C544996}.exe	36
PID 2480 wrote to memory of 2488	2480	{18E0A702-80E5-4379-A15A-B9345C544996}.exe	36
PID 2480 wrote to memory of 1640	2480	{18E0A702-80E5-4379-A15A-B9345C544996}.exe	37
PID 2480 wrote to memory of 1640	2480	{18E0A702-80E5-4379-A15A-B9345C544996}.exe	37
PID 2480 wrote to memory of 1640	2480	{18E0A702-80E5-4379-A15A-B9345C544996}.exe	37
PID 2480 wrote to memory of 1640	2480	{18E0A702-80E5-4379-A15A-B9345C544996}.exe	37
PID 2488 wrote to memory of 2716	2488	{38D11116-91C8-4b50-9686-6DC547F338A9}.exe	38
PID 2488 wrote to memory of 2716	2488	{38D11116-91C8-4b50-9686-6DC547F338A9}.exe	38
PID 2488 wrote to memory of 2716	2488	{38D11116-91C8-4b50-9686-6DC547F338A9}.exe	38
PID 2488 wrote to memory of 2716	2488	{38D11116-91C8-4b50-9686-6DC547F338A9}.exe	38
PID 2488 wrote to memory of 2536	2488	{38D11116-91C8-4b50-9686-6DC547F338A9}.exe	39
PID 2488 wrote to memory of 2536	2488	{38D11116-91C8-4b50-9686-6DC547F338A9}.exe	39
PID 2488 wrote to memory of 2536	2488	{38D11116-91C8-4b50-9686-6DC547F338A9}.exe	39
PID 2488 wrote to memory of 2536	2488	{38D11116-91C8-4b50-9686-6DC547F338A9}.exe	39
PID 2716 wrote to memory of 2180	2716	{B78EAE2D-4A82-4f3d-8D91-F85C116E8523}.exe	40
PID 2716 wrote to memory of 2180	2716	{B78EAE2D-4A82-4f3d-8D91-F85C116E8523}.exe	40
PID 2716 wrote to memory of 2180	2716	{B78EAE2D-4A82-4f3d-8D91-F85C116E8523}.exe	40
PID 2716 wrote to memory of 2180	2716	{B78EAE2D-4A82-4f3d-8D91-F85C116E8523}.exe	40
PID 2716 wrote to memory of 304	2716	{B78EAE2D-4A82-4f3d-8D91-F85C116E8523}.exe	41
PID 2716 wrote to memory of 304	2716	{B78EAE2D-4A82-4f3d-8D91-F85C116E8523}.exe	41
PID 2716 wrote to memory of 304	2716	{B78EAE2D-4A82-4f3d-8D91-F85C116E8523}.exe	41
PID 2716 wrote to memory of 304	2716	{B78EAE2D-4A82-4f3d-8D91-F85C116E8523}.exe	41
PID 2180 wrote to memory of 1888	2180	{9E133EC5-3828-401e-B2AF-4ED345DEE126}.exe	42
PID 2180 wrote to memory of 1888	2180	{9E133EC5-3828-401e-B2AF-4ED345DEE126}.exe	42
PID 2180 wrote to memory of 1888	2180	{9E133EC5-3828-401e-B2AF-4ED345DEE126}.exe	42
PID 2180 wrote to memory of 1888	2180	{9E133EC5-3828-401e-B2AF-4ED345DEE126}.exe	42
PID 2180 wrote to memory of 1740	2180	{9E133EC5-3828-401e-B2AF-4ED345DEE126}.exe	43
PID 2180 wrote to memory of 1740	2180	{9E133EC5-3828-401e-B2AF-4ED345DEE126}.exe	43
PID 2180 wrote to memory of 1740	2180	{9E133EC5-3828-401e-B2AF-4ED345DEE126}.exe	43
PID 2180 wrote to memory of 1740	2180	{9E133EC5-3828-401e-B2AF-4ED345DEE126}.exe	43
PID 1888 wrote to memory of 2420	1888	{12EA7BF4-BBF5-495a-970D-CDAB2C8A00B4}.exe	44
PID 1888 wrote to memory of 2420	1888	{12EA7BF4-BBF5-495a-970D-CDAB2C8A00B4}.exe	44
PID 1888 wrote to memory of 2420	1888	{12EA7BF4-BBF5-495a-970D-CDAB2C8A00B4}.exe	44
PID 1888 wrote to memory of 2420	1888	{12EA7BF4-BBF5-495a-970D-CDAB2C8A00B4}.exe	44
PID 1888 wrote to memory of 904	1888	{12EA7BF4-BBF5-495a-970D-CDAB2C8A00B4}.exe	45
PID 1888 wrote to memory of 904	1888	{12EA7BF4-BBF5-495a-970D-CDAB2C8A00B4}.exe	45
PID 1888 wrote to memory of 904	1888	{12EA7BF4-BBF5-495a-970D-CDAB2C8A00B4}.exe	45
PID 1888 wrote to memory of 904	1888	{12EA7BF4-BBF5-495a-970D-CDAB2C8A00B4}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-03-11_415348c803d65dc7122c9d0d8a5e7939_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-11_415348c803d65dc7122c9d0d8a5e7939_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2864
- C:\Windows\{BAA2074F-1E28-450d-9785-37612CC4C7D6}.exe
  C:\Windows\{BAA2074F-1E28-450d-9785-37612CC4C7D6}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2060
- - C:\Windows\{4548C9AD-5ECF-4367-88D5-D0E014786899}.exe
    C:\Windows\{4548C9AD-5ECF-4367-88D5-D0E014786899}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2816
  - - C:\Windows\{18E0A702-80E5-4379-A15A-B9345C544996}.exe
      C:\Windows\{18E0A702-80E5-4379-A15A-B9345C544996}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2480
    - - C:\Windows\{38D11116-91C8-4b50-9686-6DC547F338A9}.exe
        
        C:\Windows\{38D11116-91C8-4b50-9686-6DC547F338A9}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2488
      - C:\Windows\{B78EAE2D-4A82-4f3d-8D91-F85C116E8523}.exe
        
        C:\Windows\{B78EAE2D-4A82-4f3d-8D91-F85C116E8523}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2716
        
        C:\Windows\{9E133EC5-3828-401e-B2AF-4ED345DEE126}.exe
        
        C:\Windows\{9E133EC5-3828-401e-B2AF-4ED345DEE126}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2180
        
        C:\Windows\{12EA7BF4-BBF5-495a-970D-CDAB2C8A00B4}.exe
        
        C:\Windows\{12EA7BF4-BBF5-495a-970D-CDAB2C8A00B4}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1888
        
        C:\Windows\{9CD7F4D8-55E2-418b-9B25-BBBE2E9E9E61}.exe
        
        C:\Windows\{9CD7F4D8-55E2-418b-9B25-BBBE2E9E9E61}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2420
        
        C:\Windows\{5EAD652A-3269-4715-96D7-05BE54273494}.exe
        
        C:\Windows\{5EAD652A-3269-4715-96D7-05BE54273494}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2124
        
        C:\Windows\{C7C9FA13-9FA4-4168-957D-FE3B66235D9F}.exe
        
        C:\Windows\{C7C9FA13-9FA4-4168-957D-FE3B66235D9F}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2152
        
        C:\Windows\{89BD3E3B-A9CF-42d5-90F1-56D513CC0DE2}.exe
        
        C:\Windows\{89BD3E3B-A9CF-42d5-90F1-56D513CC0DE2}.exe
        12⤵
        Executes dropped EXE
        
        PID:1048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C7C9F~1.EXE > nul
        12⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5EAD6~1.EXE > nul
        11⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9CD7F~1.EXE > nul
        10⤵
        
        PID:2052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{12EA7~1.EXE > nul
        9⤵
        
        PID:904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9E133~1.EXE > nul
        8⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B78EA~1.EXE > nul
        7⤵
        
        PID:304
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{38D11~1.EXE > nul
        6⤵
        
        PID:2536
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{18E0A~1.EXE > nul
        5⤵
        
        PID:1640
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{4548C~1.EXE > nul
      4⤵
      PID:2468
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{BAA20~1.EXE > nul
    3⤵
    PID:1988
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{12EA7BF4-BBF5-495a-970D-CDAB2C8A00B4}.exe

Filesize
168KB

MD5
87df080f5c434628eec065b6f203c3f1

SHA1
0796aad2c5484017058e928cf60e684b2a021d83

SHA256
44de39e5c863ab30e29b85fae393e5bae654d20c16fc04bd2d5493a858bff4a2

SHA512
7cfd38b9cf557dd86732d7a3d50e8fd181cb020c2fb62f7823355cb839e0ead93a08cc1d63d22332d8ac12f911ea9b428173c4e9c5849467e4854ee14961d2a5

Download Submit
C:\Windows\{18E0A702-80E5-4379-A15A-B9345C544996}.exe

Filesize
168KB

MD5
55ef29bbd0d846ab5d345ee196c11ab8

SHA1
d6f538237dad1b9ef2d03af64a080283e247924c

SHA256
7cd2e573dbdafde2a4fe4f6e309ea93acce4942c59355597645c2577ec31375c

SHA512
95aab43b5e9f1c534580f974c93f593e9cc9518756a532aa0529ca9005acb5b20b1f610719dc9f3b4f7fe9f157d45201ef266adc30ccbfb6fa569ae9a98adc37

Download Submit
C:\Windows\{38D11116-91C8-4b50-9686-6DC547F338A9}.exe

Filesize
168KB

MD5
4d87be08286ad6dd2b21c9c4b6418ed6

SHA1
5183f50e7adc3d77d5fb0c114c68f1b845e2c847

SHA256
48603dae0d4584fc60a8e3b35c67ff3f42f1ef83edb3901e3dd25a0463b0c933

SHA512
1b9a96c2153fe546dda16ac0c2d979bc387b0d955bd80ea87fcdbc4d4614cb71ca32dd557cfe1005c67c391d5251e55865c7477d9a106b059e5631c5bb80e668

Download Submit
C:\Windows\{4548C9AD-5ECF-4367-88D5-D0E014786899}.exe

Filesize
168KB

MD5
08f6c232f22c80faeca5dc90bb386ab6

SHA1
9f178c5dddb12f1e198290373e4d945b9ea708f6

SHA256
aa05ede179d5bdd6d9b4b1237331c7e633a02749e51ccf1976902d28f8a64e75

SHA512
1bcf2df40a620111f3c3077e6e675b54481aedeea8e997c9d333a0b6daf03a8ed4fd1e70185fb7d36716cc95e082cb1c39fe209bd7dfc015e8f58f32b28ad786

Download Submit
C:\Windows\{5EAD652A-3269-4715-96D7-05BE54273494}.exe

Filesize
168KB

MD5
a3116d95e5f32c14206612b99b5eb88e

SHA1
9107d55c7923e7deb9fa48e21c661703aab380ad

SHA256
e55f93b61ac4de47c04a94942547a70e21e39b34122d658113aaf366f39f4052

SHA512
e25af9ea1e8db65eb845084858d966dca4d6d305814f08ecce0a00f260995303be0c7f47646f48604c98a05c7fdc2b873a40ca6cd11e869754c37508e1979240

Download Submit
C:\Windows\{89BD3E3B-A9CF-42d5-90F1-56D513CC0DE2}.exe

Filesize
168KB

MD5
01eca887ea413f93d1d616f424bdace7

SHA1
9426a5fa2e3e415b8cb19a5d9d165a7e4a170a23

SHA256
b664adfaec6d6b4389667cdf47d1679cdcf1d0c99a01428af5e744ebe4706131

SHA512
39e2020cb5aaf135b5fde968c07ac0cf8e3fc26fcc64ffd7e6fd8437c9628432ca763ab9b8ba4b5aa0940d821b0d04750d78324e56d14f3d90e1a3a395752dfa

Download Submit
C:\Windows\{9CD7F4D8-55E2-418b-9B25-BBBE2E9E9E61}.exe

Filesize
168KB

MD5
9f35c9b78e22f75107f7b1b2314ba754

SHA1
91600d14343dfd4bd4aa4a98314e95a01034b253

SHA256
2206b21b087772e36bfbc466099313d8d481d0324a366601b1e9e624c10c51e1

SHA512
9c453d6a0345ecdb4add0a4939b3fef54ec3180067d65363502fb863167350fc76343d157eb9a618d0b5121044296df386a846b6523b4d54da161b8b157bd716

Download Submit
C:\Windows\{9E133EC5-3828-401e-B2AF-4ED345DEE126}.exe

Filesize
168KB

MD5
8fc333b244d6da531915d6bcc051b9c1

SHA1
d64ecd524dc68c0c68e610fb6b6e84339237df86

SHA256
8862c08e76bcfcb06dc2558b0dde03e2ce23eea80a5ab2d30f1c49cae787a509

SHA512
386f4f41194cfb455c4f2d527425cda722adf3b531faf6b1d39b3bb871c5115c9c9433d13946ca5b849d2719dc44825451a27d51057b91e841ae907121ce2433

Download Submit
C:\Windows\{B78EAE2D-4A82-4f3d-8D91-F85C116E8523}.exe

Filesize
168KB

MD5
e951609f016c0638c5edf4bcd72184a7

SHA1
2fd52d50afd9bd212e4e557dfe6c1f299fd5b1ea

SHA256
31ec7aaae38a7f5362d0edd04420ed34ea4f9296db90fb0ae70048417346731a

SHA512
a3a5b83f5466e55e4157e064b0d601bb72c42be3cc4865ab2b2f75c4d08a995ecfd9a709c0c9083778db8ff34bcb1483810113b9a60a626015aff326ee5fb35f

Download Submit
C:\Windows\{BAA2074F-1E28-450d-9785-37612CC4C7D6}.exe

Filesize
168KB

MD5
5f175d3410469c3040dd4ba3dae377fc

SHA1
cc973b40710c23202d6147209af4cf2aa8099e16

SHA256
db4b32674c9f9562590ef25e830b5981e0bea234169430f0b1ebba1be3b497e3

SHA512
112434fd183d7aad95c9c36c72c5544770794cf0e8278c5ed76454ddf18c4ef7aa7db63a70a133989fa5ac6edb37354950324c473ee5552bfb20e6e2dc899ee4

Download Submit
C:\Windows\{C7C9FA13-9FA4-4168-957D-FE3B66235D9F}.exe

Filesize
168KB

MD5
96cab1cf2b578084e92b1b03b5ded983

SHA1
d4eafaff65f741ba3ef7f4d58fcd4da9c90074cb

SHA256
79f2ad1c0ae8c8bdefcc724de0497644c77c4b36961fa00e6fcdaf30764f1e65

SHA512
b9fb926f89be60f67641578972c8437b84d0518f8178e82ffae07d2d300581237e33e323746ddc1bdf546443d71ae257f48f403af7d78bcaa3c94dd46bac09d0

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads