a7ce0c73939272c6b16a4389ea29866b12245067edd0b144146a5683ea2a362e

Analysis

max time kernel
144s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
12/03/2024, 01:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-12_75605c9b00bc24631d7add5b78b244eb_goldeneye.exe
Size

197KB
MD5

75605c9b00bc24631d7add5b78b244eb
SHA1

92c2b394891342e5e3ac858e7d380b669710c07e
SHA256

a7ce0c73939272c6b16a4389ea29866b12245067edd0b144146a5683ea2a362e
SHA512

ea35002f32ac31a450da55f3047ad045060607d48e2eca3e11d60207db7714cf4c4d8c65045e938c79187f6e4a71bb01df000fec66980c77fde19ca6a196d239
SSDEEP

3072:jEGh0obl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGllEeKcAEca

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000b000000012253-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000800000001227d-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0035000000016ace-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000900000000f6f2-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000016c0e-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000016c1e-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e000000016c0e-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000016c1e-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f000000016c0e-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000016c1e-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0010000000016c0e-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B89DADFA-36F2-4ee6-ACA3-F702863C1B59}	{44DCB34E-EC68-41ff-9A39-A0BF8A5058B1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B89DADFA-36F2-4ee6-ACA3-F702863C1B59}\stubpath = "C:\\Windows\\{B89DADFA-36F2-4ee6-ACA3-F702863C1B59}.exe"	{44DCB34E-EC68-41ff-9A39-A0BF8A5058B1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{34D7E863-BB19-4239-821D-BB6C75973518}	{B89DADFA-36F2-4ee6-ACA3-F702863C1B59}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{34D7E863-BB19-4239-821D-BB6C75973518}\stubpath = "C:\\Windows\\{34D7E863-BB19-4239-821D-BB6C75973518}.exe"	{B89DADFA-36F2-4ee6-ACA3-F702863C1B59}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CA0D61FE-EC4C-4434-B2BF-F7BAA6DE8C74}	{A1A76267-C997-4ff6-96D6-FEE1579C9E30}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{94E1BEEE-C278-483e-8DEE-84A60AA7F2D8}\stubpath = "C:\\Windows\\{94E1BEEE-C278-483e-8DEE-84A60AA7F2D8}.exe"	{CA0D61FE-EC4C-4434-B2BF-F7BAA6DE8C74}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{758309EC-4CF3-4c5b-98F7-CF30F5C1AE51}	2024-03-12_75605c9b00bc24631d7add5b78b244eb_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{515979BF-D365-404c-9151-E36D6656195B}	{758309EC-4CF3-4c5b-98F7-CF30F5C1AE51}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A9416A55-0BEE-43f1-A25F-C483A150A205}\stubpath = "C:\\Windows\\{A9416A55-0BEE-43f1-A25F-C483A150A205}.exe"	{34D7E863-BB19-4239-821D-BB6C75973518}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A1A76267-C997-4ff6-96D6-FEE1579C9E30}\stubpath = "C:\\Windows\\{A1A76267-C997-4ff6-96D6-FEE1579C9E30}.exe"	{A9416A55-0BEE-43f1-A25F-C483A150A205}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3BECD0BA-C6C2-482f-9712-7391E4287D2C}	{05D1EB5B-580E-498d-BDB1-CA52132F3176}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{758309EC-4CF3-4c5b-98F7-CF30F5C1AE51}\stubpath = "C:\\Windows\\{758309EC-4CF3-4c5b-98F7-CF30F5C1AE51}.exe"	2024-03-12_75605c9b00bc24631d7add5b78b244eb_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{44DCB34E-EC68-41ff-9A39-A0BF8A5058B1}	{515979BF-D365-404c-9151-E36D6656195B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{94E1BEEE-C278-483e-8DEE-84A60AA7F2D8}	{CA0D61FE-EC4C-4434-B2BF-F7BAA6DE8C74}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3BECD0BA-C6C2-482f-9712-7391E4287D2C}\stubpath = "C:\\Windows\\{3BECD0BA-C6C2-482f-9712-7391E4287D2C}.exe"	{05D1EB5B-580E-498d-BDB1-CA52132F3176}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{515979BF-D365-404c-9151-E36D6656195B}\stubpath = "C:\\Windows\\{515979BF-D365-404c-9151-E36D6656195B}.exe"	{758309EC-4CF3-4c5b-98F7-CF30F5C1AE51}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A9416A55-0BEE-43f1-A25F-C483A150A205}	{34D7E863-BB19-4239-821D-BB6C75973518}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CA0D61FE-EC4C-4434-B2BF-F7BAA6DE8C74}\stubpath = "C:\\Windows\\{CA0D61FE-EC4C-4434-B2BF-F7BAA6DE8C74}.exe"	{A1A76267-C997-4ff6-96D6-FEE1579C9E30}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{05D1EB5B-580E-498d-BDB1-CA52132F3176}	{94E1BEEE-C278-483e-8DEE-84A60AA7F2D8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{05D1EB5B-580E-498d-BDB1-CA52132F3176}\stubpath = "C:\\Windows\\{05D1EB5B-580E-498d-BDB1-CA52132F3176}.exe"	{94E1BEEE-C278-483e-8DEE-84A60AA7F2D8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{44DCB34E-EC68-41ff-9A39-A0BF8A5058B1}\stubpath = "C:\\Windows\\{44DCB34E-EC68-41ff-9A39-A0BF8A5058B1}.exe"	{515979BF-D365-404c-9151-E36D6656195B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A1A76267-C997-4ff6-96D6-FEE1579C9E30}	{A9416A55-0BEE-43f1-A25F-C483A150A205}.exe

Deletes itself 1 IoCs

pid	Process
2996	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
3000	{758309EC-4CF3-4c5b-98F7-CF30F5C1AE51}.exe
2528	{515979BF-D365-404c-9151-E36D6656195B}.exe
2436	{44DCB34E-EC68-41ff-9A39-A0BF8A5058B1}.exe
2384	{B89DADFA-36F2-4ee6-ACA3-F702863C1B59}.exe
2816	{34D7E863-BB19-4239-821D-BB6C75973518}.exe
1948	{A9416A55-0BEE-43f1-A25F-C483A150A205}.exe
1976	{A1A76267-C997-4ff6-96D6-FEE1579C9E30}.exe
576	{CA0D61FE-EC4C-4434-B2BF-F7BAA6DE8C74}.exe
1192	{94E1BEEE-C278-483e-8DEE-84A60AA7F2D8}.exe
2040	{05D1EB5B-580E-498d-BDB1-CA52132F3176}.exe
3048	{3BECD0BA-C6C2-482f-9712-7391E4287D2C}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{44DCB34E-EC68-41ff-9A39-A0BF8A5058B1}.exe	{515979BF-D365-404c-9151-E36D6656195B}.exe
File created	C:\Windows\{34D7E863-BB19-4239-821D-BB6C75973518}.exe	{B89DADFA-36F2-4ee6-ACA3-F702863C1B59}.exe
File created	C:\Windows\{CA0D61FE-EC4C-4434-B2BF-F7BAA6DE8C74}.exe	{A1A76267-C997-4ff6-96D6-FEE1579C9E30}.exe
File created	C:\Windows\{05D1EB5B-580E-498d-BDB1-CA52132F3176}.exe	{94E1BEEE-C278-483e-8DEE-84A60AA7F2D8}.exe
File created	C:\Windows\{3BECD0BA-C6C2-482f-9712-7391E4287D2C}.exe	{05D1EB5B-580E-498d-BDB1-CA52132F3176}.exe
File created	C:\Windows\{758309EC-4CF3-4c5b-98F7-CF30F5C1AE51}.exe	2024-03-12_75605c9b00bc24631d7add5b78b244eb_goldeneye.exe
File created	C:\Windows\{515979BF-D365-404c-9151-E36D6656195B}.exe	{758309EC-4CF3-4c5b-98F7-CF30F5C1AE51}.exe
File created	C:\Windows\{B89DADFA-36F2-4ee6-ACA3-F702863C1B59}.exe	{44DCB34E-EC68-41ff-9A39-A0BF8A5058B1}.exe
File created	C:\Windows\{A9416A55-0BEE-43f1-A25F-C483A150A205}.exe	{34D7E863-BB19-4239-821D-BB6C75973518}.exe
File created	C:\Windows\{A1A76267-C997-4ff6-96D6-FEE1579C9E30}.exe	{A9416A55-0BEE-43f1-A25F-C483A150A205}.exe
File created	C:\Windows\{94E1BEEE-C278-483e-8DEE-84A60AA7F2D8}.exe	{CA0D61FE-EC4C-4434-B2BF-F7BAA6DE8C74}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2340	2024-03-12_75605c9b00bc24631d7add5b78b244eb_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3000	{758309EC-4CF3-4c5b-98F7-CF30F5C1AE51}.exe
Token: SeIncBasePriorityPrivilege	2528	{515979BF-D365-404c-9151-E36D6656195B}.exe
Token: SeIncBasePriorityPrivilege	2436	{44DCB34E-EC68-41ff-9A39-A0BF8A5058B1}.exe
Token: SeIncBasePriorityPrivilege	2384	{B89DADFA-36F2-4ee6-ACA3-F702863C1B59}.exe
Token: SeIncBasePriorityPrivilege	2816	{34D7E863-BB19-4239-821D-BB6C75973518}.exe
Token: SeIncBasePriorityPrivilege	1948	{A9416A55-0BEE-43f1-A25F-C483A150A205}.exe
Token: SeIncBasePriorityPrivilege	1976	{A1A76267-C997-4ff6-96D6-FEE1579C9E30}.exe
Token: SeIncBasePriorityPrivilege	576	{CA0D61FE-EC4C-4434-B2BF-F7BAA6DE8C74}.exe
Token: SeIncBasePriorityPrivilege	1192	{94E1BEEE-C278-483e-8DEE-84A60AA7F2D8}.exe
Token: SeIncBasePriorityPrivilege	2040	{05D1EB5B-580E-498d-BDB1-CA52132F3176}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2340 wrote to memory of 3000	2340	2024-03-12_75605c9b00bc24631d7add5b78b244eb_goldeneye.exe	28
PID 2340 wrote to memory of 3000	2340	2024-03-12_75605c9b00bc24631d7add5b78b244eb_goldeneye.exe	28
PID 2340 wrote to memory of 3000	2340	2024-03-12_75605c9b00bc24631d7add5b78b244eb_goldeneye.exe	28
PID 2340 wrote to memory of 3000	2340	2024-03-12_75605c9b00bc24631d7add5b78b244eb_goldeneye.exe	28
PID 2340 wrote to memory of 2996	2340	2024-03-12_75605c9b00bc24631d7add5b78b244eb_goldeneye.exe	29
PID 2340 wrote to memory of 2996	2340	2024-03-12_75605c9b00bc24631d7add5b78b244eb_goldeneye.exe	29
PID 2340 wrote to memory of 2996	2340	2024-03-12_75605c9b00bc24631d7add5b78b244eb_goldeneye.exe	29
PID 2340 wrote to memory of 2996	2340	2024-03-12_75605c9b00bc24631d7add5b78b244eb_goldeneye.exe	29
PID 3000 wrote to memory of 2528	3000	{758309EC-4CF3-4c5b-98F7-CF30F5C1AE51}.exe	30
PID 3000 wrote to memory of 2528	3000	{758309EC-4CF3-4c5b-98F7-CF30F5C1AE51}.exe	30
PID 3000 wrote to memory of 2528	3000	{758309EC-4CF3-4c5b-98F7-CF30F5C1AE51}.exe	30
PID 3000 wrote to memory of 2528	3000	{758309EC-4CF3-4c5b-98F7-CF30F5C1AE51}.exe	30
PID 3000 wrote to memory of 2252	3000	{758309EC-4CF3-4c5b-98F7-CF30F5C1AE51}.exe	31
PID 3000 wrote to memory of 2252	3000	{758309EC-4CF3-4c5b-98F7-CF30F5C1AE51}.exe	31
PID 3000 wrote to memory of 2252	3000	{758309EC-4CF3-4c5b-98F7-CF30F5C1AE51}.exe	31
PID 3000 wrote to memory of 2252	3000	{758309EC-4CF3-4c5b-98F7-CF30F5C1AE51}.exe	31
PID 2528 wrote to memory of 2436	2528	{515979BF-D365-404c-9151-E36D6656195B}.exe	34
PID 2528 wrote to memory of 2436	2528	{515979BF-D365-404c-9151-E36D6656195B}.exe	34
PID 2528 wrote to memory of 2436	2528	{515979BF-D365-404c-9151-E36D6656195B}.exe	34
PID 2528 wrote to memory of 2436	2528	{515979BF-D365-404c-9151-E36D6656195B}.exe	34
PID 2528 wrote to memory of 1668	2528	{515979BF-D365-404c-9151-E36D6656195B}.exe	35
PID 2528 wrote to memory of 1668	2528	{515979BF-D365-404c-9151-E36D6656195B}.exe	35
PID 2528 wrote to memory of 1668	2528	{515979BF-D365-404c-9151-E36D6656195B}.exe	35
PID 2528 wrote to memory of 1668	2528	{515979BF-D365-404c-9151-E36D6656195B}.exe	35
PID 2436 wrote to memory of 2384	2436	{44DCB34E-EC68-41ff-9A39-A0BF8A5058B1}.exe	36
PID 2436 wrote to memory of 2384	2436	{44DCB34E-EC68-41ff-9A39-A0BF8A5058B1}.exe	36
PID 2436 wrote to memory of 2384	2436	{44DCB34E-EC68-41ff-9A39-A0BF8A5058B1}.exe	36
PID 2436 wrote to memory of 2384	2436	{44DCB34E-EC68-41ff-9A39-A0BF8A5058B1}.exe	36
PID 2436 wrote to memory of 524	2436	{44DCB34E-EC68-41ff-9A39-A0BF8A5058B1}.exe	37
PID 2436 wrote to memory of 524	2436	{44DCB34E-EC68-41ff-9A39-A0BF8A5058B1}.exe	37
PID 2436 wrote to memory of 524	2436	{44DCB34E-EC68-41ff-9A39-A0BF8A5058B1}.exe	37
PID 2436 wrote to memory of 524	2436	{44DCB34E-EC68-41ff-9A39-A0BF8A5058B1}.exe	37
PID 2384 wrote to memory of 2816	2384	{B89DADFA-36F2-4ee6-ACA3-F702863C1B59}.exe	38
PID 2384 wrote to memory of 2816	2384	{B89DADFA-36F2-4ee6-ACA3-F702863C1B59}.exe	38
PID 2384 wrote to memory of 2816	2384	{B89DADFA-36F2-4ee6-ACA3-F702863C1B59}.exe	38
PID 2384 wrote to memory of 2816	2384	{B89DADFA-36F2-4ee6-ACA3-F702863C1B59}.exe	38
PID 2384 wrote to memory of 2840	2384	{B89DADFA-36F2-4ee6-ACA3-F702863C1B59}.exe	39
PID 2384 wrote to memory of 2840	2384	{B89DADFA-36F2-4ee6-ACA3-F702863C1B59}.exe	39
PID 2384 wrote to memory of 2840	2384	{B89DADFA-36F2-4ee6-ACA3-F702863C1B59}.exe	39
PID 2384 wrote to memory of 2840	2384	{B89DADFA-36F2-4ee6-ACA3-F702863C1B59}.exe	39
PID 2816 wrote to memory of 1948	2816	{34D7E863-BB19-4239-821D-BB6C75973518}.exe	40
PID 2816 wrote to memory of 1948	2816	{34D7E863-BB19-4239-821D-BB6C75973518}.exe	40
PID 2816 wrote to memory of 1948	2816	{34D7E863-BB19-4239-821D-BB6C75973518}.exe	40
PID 2816 wrote to memory of 1948	2816	{34D7E863-BB19-4239-821D-BB6C75973518}.exe	40
PID 2816 wrote to memory of 1540	2816	{34D7E863-BB19-4239-821D-BB6C75973518}.exe	41
PID 2816 wrote to memory of 1540	2816	{34D7E863-BB19-4239-821D-BB6C75973518}.exe	41
PID 2816 wrote to memory of 1540	2816	{34D7E863-BB19-4239-821D-BB6C75973518}.exe	41
PID 2816 wrote to memory of 1540	2816	{34D7E863-BB19-4239-821D-BB6C75973518}.exe	41
PID 1948 wrote to memory of 1976	1948	{A9416A55-0BEE-43f1-A25F-C483A150A205}.exe	42
PID 1948 wrote to memory of 1976	1948	{A9416A55-0BEE-43f1-A25F-C483A150A205}.exe	42
PID 1948 wrote to memory of 1976	1948	{A9416A55-0BEE-43f1-A25F-C483A150A205}.exe	42
PID 1948 wrote to memory of 1976	1948	{A9416A55-0BEE-43f1-A25F-C483A150A205}.exe	42
PID 1948 wrote to memory of 2624	1948	{A9416A55-0BEE-43f1-A25F-C483A150A205}.exe	43
PID 1948 wrote to memory of 2624	1948	{A9416A55-0BEE-43f1-A25F-C483A150A205}.exe	43
PID 1948 wrote to memory of 2624	1948	{A9416A55-0BEE-43f1-A25F-C483A150A205}.exe	43
PID 1948 wrote to memory of 2624	1948	{A9416A55-0BEE-43f1-A25F-C483A150A205}.exe	43
PID 1976 wrote to memory of 576	1976	{A1A76267-C997-4ff6-96D6-FEE1579C9E30}.exe	44
PID 1976 wrote to memory of 576	1976	{A1A76267-C997-4ff6-96D6-FEE1579C9E30}.exe	44
PID 1976 wrote to memory of 576	1976	{A1A76267-C997-4ff6-96D6-FEE1579C9E30}.exe	44
PID 1976 wrote to memory of 576	1976	{A1A76267-C997-4ff6-96D6-FEE1579C9E30}.exe	44
PID 1976 wrote to memory of 1720	1976	{A1A76267-C997-4ff6-96D6-FEE1579C9E30}.exe	45
PID 1976 wrote to memory of 1720	1976	{A1A76267-C997-4ff6-96D6-FEE1579C9E30}.exe	45
PID 1976 wrote to memory of 1720	1976	{A1A76267-C997-4ff6-96D6-FEE1579C9E30}.exe	45
PID 1976 wrote to memory of 1720	1976	{A1A76267-C997-4ff6-96D6-FEE1579C9E30}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-03-12_75605c9b00bc24631d7add5b78b244eb_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-12_75605c9b00bc24631d7add5b78b244eb_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2340
- C:\Windows\{758309EC-4CF3-4c5b-98F7-CF30F5C1AE51}.exe
  C:\Windows\{758309EC-4CF3-4c5b-98F7-CF30F5C1AE51}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3000
- - C:\Windows\{515979BF-D365-404c-9151-E36D6656195B}.exe
    C:\Windows\{515979BF-D365-404c-9151-E36D6656195B}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2528
  - - C:\Windows\{44DCB34E-EC68-41ff-9A39-A0BF8A5058B1}.exe
      C:\Windows\{44DCB34E-EC68-41ff-9A39-A0BF8A5058B1}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2436
    - - C:\Windows\{B89DADFA-36F2-4ee6-ACA3-F702863C1B59}.exe
        
        C:\Windows\{B89DADFA-36F2-4ee6-ACA3-F702863C1B59}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2384
      - C:\Windows\{34D7E863-BB19-4239-821D-BB6C75973518}.exe
        
        C:\Windows\{34D7E863-BB19-4239-821D-BB6C75973518}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2816
        
        C:\Windows\{A9416A55-0BEE-43f1-A25F-C483A150A205}.exe
        
        C:\Windows\{A9416A55-0BEE-43f1-A25F-C483A150A205}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1948
        
        C:\Windows\{A1A76267-C997-4ff6-96D6-FEE1579C9E30}.exe
        
        C:\Windows\{A1A76267-C997-4ff6-96D6-FEE1579C9E30}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1976
        
        C:\Windows\{CA0D61FE-EC4C-4434-B2BF-F7BAA6DE8C74}.exe
        
        C:\Windows\{CA0D61FE-EC4C-4434-B2BF-F7BAA6DE8C74}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:576
        
        C:\Windows\{94E1BEEE-C278-483e-8DEE-84A60AA7F2D8}.exe
        
        C:\Windows\{94E1BEEE-C278-483e-8DEE-84A60AA7F2D8}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1192
        
        C:\Windows\{05D1EB5B-580E-498d-BDB1-CA52132F3176}.exe
        
        C:\Windows\{05D1EB5B-580E-498d-BDB1-CA52132F3176}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2040
        
        C:\Windows\{3BECD0BA-C6C2-482f-9712-7391E4287D2C}.exe
        
        C:\Windows\{3BECD0BA-C6C2-482f-9712-7391E4287D2C}.exe
        12⤵
        Executes dropped EXE
        
        PID:3048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{05D1E~1.EXE > nul
        12⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{94E1B~1.EXE > nul
        11⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CA0D6~1.EXE > nul
        10⤵
        
        PID:1316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A1A76~1.EXE > nul
        9⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A9416~1.EXE > nul
        8⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{34D7E~1.EXE > nul
        7⤵
        
        PID:1540
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B89DA~1.EXE > nul
        6⤵
        
        PID:2840
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{44DCB~1.EXE > nul
        5⤵
        
        PID:524
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{51597~1.EXE > nul
      4⤵
      PID:1668
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{75830~1.EXE > nul
    3⤵
    PID:2252
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{05D1EB5B-580E-498d-BDB1-CA52132F3176}.exe

Filesize
197KB

MD5
9e45b6e2f4fe281fec76ae339c047cb3

SHA1
d3dd2a65f48acaa42ab6534d860516a470216818

SHA256
0664077fc6ecee1840cfe159ea3f06461a9789d36c57bad56ca02f35c9f12690

SHA512
dec8b75e2d23a3e0d48d6d6624fa679f895774150413d7738af2ad7da83afdb27b2d7dfb7275ba7ecc06ba681122fb05265e4b53864eae92ff63c489f22c1f0a

Download Submit
C:\Windows\{34D7E863-BB19-4239-821D-BB6C75973518}.exe

Filesize
197KB

MD5
4d7d0db8c6fe1f41aa0e333a344ef524

SHA1
a6fa61f756de68336474555fee8ed54a04c3cfeb

SHA256
2e8d2a43f1f3b6590b1cdba29cc46feafdfb088956920ee1e1617d9ba967b914

SHA512
476b7a244ab26cc0e42f77037e528b006e7a46f4a2840c52d6b3a259a61faead4b4173b4933ef6f0917192fd503c8008c7ad8d8c51f20ef963604deb4c2aa318

Download Submit
C:\Windows\{3BECD0BA-C6C2-482f-9712-7391E4287D2C}.exe

Filesize
197KB

MD5
51b46c26f14bc175c878c68e615e780f

SHA1
ca3d681210faba38e96c56d75864a9ec7ca7a11f

SHA256
1dfeb0a0e5afc9b8a4d0cc1aa5083c90917774f883c12ef85ccced01fd52851e

SHA512
97abe955feaf3e9de8d07693845886a43d0cef8ad7fe884e6abb5fdcc89bd03d04bb58e4bee9212a1d34891901ff95d94fdd2240c1d1f47fbff4d298beaaab09

Download Submit
C:\Windows\{44DCB34E-EC68-41ff-9A39-A0BF8A5058B1}.exe

Filesize
197KB

MD5
b3d525cf7b06652bc5c43e4bbdeb4bc1

SHA1
504895c121c6e09624e6709c9dd4a8db50ffbdc6

SHA256
c2df6640528b4dba6a2ff94e0f5006096629e59279529687b084d34e719441a3

SHA512
fe5cc774bff5e3a74587973b949adfb8a846e622cd7c16a1a4c57d42027c467800961bc9e672b9b5106bafd691b68367ef607d1377ac7cdf1ed8e8339784e9ef

Download Submit
C:\Windows\{515979BF-D365-404c-9151-E36D6656195B}.exe

Filesize
197KB

MD5
a35cb61db20566de66f0e580adffe5c6

SHA1
03be88ee1633f4585c2e4a6a555078502e769fa1

SHA256
2b4f4bb7a11b24286f9839b91b14e672c767acc1e266d6e017bc561edfef5839

SHA512
d0ba09f6715e6a08752a9dbba7fea44e49ce0f6ac807099d3a8d11653de0e7fded530c23ef31faa28c1a6e435f714ff33c7fa4ea9d61af9eb149b8fbb518412f

Download Submit
C:\Windows\{758309EC-4CF3-4c5b-98F7-CF30F5C1AE51}.exe

Filesize
197KB

MD5
5d06e2a0ee8697ab132a17749fe2eea2

SHA1
96a12c629bddac0f8fe4228d3c05358bbb7705f1

SHA256
ed0f7fddee2fd9d7f635c0cc61892583ab21b3a6edc08b82d47667d54c35c28b

SHA512
683b7d49093c07479d14e5b9df8d6933c8b6bcfecb7ee7ab7ac38a76388872ec11e5486c3f7a0bb12ef896629e97e21f7951f6ad2ef9e0b9547acf2170359b32

Download Submit
C:\Windows\{94E1BEEE-C278-483e-8DEE-84A60AA7F2D8}.exe

Filesize
197KB

MD5
a824aa5c7c40f564ccbcd621b74354c4

SHA1
b5fe2a1f4e017a4722df88844d2d01224e3ba9c7

SHA256
3f16405b15e5fea34e1bf820111061fbc7e8cfcec5518db1b8153e0953de519a

SHA512
78c52a05a16d924c43eb50cb932591b95c153b257f75546b00017ba9b1dfd15e388073db28138a5497587c99379f156494964866250bacce1bc4f9e331adfd73

Download Submit
C:\Windows\{A1A76267-C997-4ff6-96D6-FEE1579C9E30}.exe

Filesize
197KB

MD5
cb5fe217a100b10e29d6ff0253f3a0fb

SHA1
4d50d1f07abcdc6d77448833a452e2613f280460

SHA256
ae964ab6254328b17164678c8b867b13dc129429a2d0b00fdc19e364911ff337

SHA512
3803d75d4e75edd7c8133eb40b6659aaa52023c06672d3b9dbfc52925ec36205fa3c77fbbd3b3a16e8ac7997bc8d48f4afaa456b842b092a4a67e3b1eac259a1

Download Submit
C:\Windows\{A9416A55-0BEE-43f1-A25F-C483A150A205}.exe

Filesize
197KB

MD5
7a9d2b316326d664af42499c854390ad

SHA1
5d7025ffe6b0b2f16f83781434660d4c440c303e

SHA256
5b7aebe0eba155317f46e31ae64d2067ff21b0c89daf6db68ded63f8d97ffb47

SHA512
e452c9e3aa2cc7d02aa65bb787bf1935da00962a83477c0e8778580a89eb3b630d3891c599e2d55d15f6e3618a6192f813f9dc2a5b69040c36a203e6ffdb78e0

Download Submit
C:\Windows\{B89DADFA-36F2-4ee6-ACA3-F702863C1B59}.exe

Filesize
197KB

MD5
a731e3ee47c251cbf85270eb5e6b69e8

SHA1
ddd27d989ab729c163ef6892e7275f72c6949744

SHA256
8371b1da5b7bd6d354fca310dda44585da0a005c755921bdbf8e6b23c9982191

SHA512
e3b472ee725908fc206ae13f6ebcdbd84e0f6de78bb5d2c5be4a3c18851ebe02413e49b3a8c61317d75f0645650e667f0ab882228eb8011f0a1afd96c4ceb283

Download Submit
C:\Windows\{CA0D61FE-EC4C-4434-B2BF-F7BAA6DE8C74}.exe

Filesize
197KB

MD5
7f6c09bc3960dbb6da209bbfd2f21d78

SHA1
834ac879f5b9676ca1b74a1498faceb863200784

SHA256
f2ccd5f02fec10d0a385c85ecd663ed10807dce3a4d5d35415333f26b3afc2e4

SHA512
3e03a5065689c865aa7529a9cf3498202c69dd052345ec8cbe7817901dd737782bc7e34e7359f302cc59a363193a0a4f6371de21fb10d3ca11433caa058b4aa8

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads