1fc583205a7cd041e146411c4714f665a94cbeacacf0b680dee743062e05d9f3

Analysis

max time kernel
144s
max time network
120s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
13-03-2024 09:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-13_c2c514d7f2b142f038b25b5e7ad460be_goldeneye.exe
Size

372KB
MD5

c2c514d7f2b142f038b25b5e7ad460be
SHA1

6f809d95c1b94b4e70e6a08d1912ca84363c94cd
SHA256

1fc583205a7cd041e146411c4714f665a94cbeacacf0b680dee743062e05d9f3
SHA512

d8d7d8d7c84b97206ac55a8cd156df17588dc8d71abb788dff31ffd78a5601dda46ffe7060938847f77fd58c7b4760d0dd3c6ab9d64096c99741bb265d36c85f
SSDEEP

3072:CEGh0ogmlJOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBE:CEGjl/Oe2MUVg3vTeKcAEciTBqr3

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x0009000000012235-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000015c5b-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002500000000b1f4-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed8-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002600000000b1f4-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed8-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002700000000b1f4-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed8-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002800000000b1f4-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed8-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002900000000b1f4-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{39D7A708-BF89-481e-9286-BC802B91D54F}	{1B9A0E9A-0D82-436e-AFC3-54EF8036F940}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{34613C43-2528-436f-965F-360F17C75BAB}\stubpath = "C:\\Windows\\{34613C43-2528-436f-965F-360F17C75BAB}.exe"	{39D7A708-BF89-481e-9286-BC802B91D54F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ED69FCBA-D4D5-4af5-9AD6-A72FDA960674}	{DA9A6463-17BC-43d6-8AAE-1CC1D420DF5B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E56B794B-404A-4442-87E6-1430C049358F}	{ED69FCBA-D4D5-4af5-9AD6-A72FDA960674}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2DAA088A-7C33-44d1-B485-464CCC115729}	{45C757FE-30B7-4a08-9149-C9C76706E072}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2DAA088A-7C33-44d1-B485-464CCC115729}\stubpath = "C:\\Windows\\{2DAA088A-7C33-44d1-B485-464CCC115729}.exe"	{45C757FE-30B7-4a08-9149-C9C76706E072}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1B9A0E9A-0D82-436e-AFC3-54EF8036F940}	{1CD84E76-4931-4da6-AE21-4C817FAAFD01}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1B9A0E9A-0D82-436e-AFC3-54EF8036F940}\stubpath = "C:\\Windows\\{1B9A0E9A-0D82-436e-AFC3-54EF8036F940}.exe"	{1CD84E76-4931-4da6-AE21-4C817FAAFD01}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{57ACAADC-28B0-441b-A85A-7F15EBB95596}	{34613C43-2528-436f-965F-360F17C75BAB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{57ACAADC-28B0-441b-A85A-7F15EBB95596}\stubpath = "C:\\Windows\\{57ACAADC-28B0-441b-A85A-7F15EBB95596}.exe"	{34613C43-2528-436f-965F-360F17C75BAB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E56B794B-404A-4442-87E6-1430C049358F}\stubpath = "C:\\Windows\\{E56B794B-404A-4442-87E6-1430C049358F}.exe"	{ED69FCBA-D4D5-4af5-9AD6-A72FDA960674}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1CD84E76-4931-4da6-AE21-4C817FAAFD01}	2024-03-13_c2c514d7f2b142f038b25b5e7ad460be_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{34613C43-2528-436f-965F-360F17C75BAB}	{39D7A708-BF89-481e-9286-BC802B91D54F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{45C757FE-30B7-4a08-9149-C9C76706E072}\stubpath = "C:\\Windows\\{45C757FE-30B7-4a08-9149-C9C76706E072}.exe"	{8C2471E1-E8E0-4631-AD4F-070241C3CB28}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1CD84E76-4931-4da6-AE21-4C817FAAFD01}\stubpath = "C:\\Windows\\{1CD84E76-4931-4da6-AE21-4C817FAAFD01}.exe"	2024-03-13_c2c514d7f2b142f038b25b5e7ad460be_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{39D7A708-BF89-481e-9286-BC802B91D54F}\stubpath = "C:\\Windows\\{39D7A708-BF89-481e-9286-BC802B91D54F}.exe"	{1B9A0E9A-0D82-436e-AFC3-54EF8036F940}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DA9A6463-17BC-43d6-8AAE-1CC1D420DF5B}	{57ACAADC-28B0-441b-A85A-7F15EBB95596}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DA9A6463-17BC-43d6-8AAE-1CC1D420DF5B}\stubpath = "C:\\Windows\\{DA9A6463-17BC-43d6-8AAE-1CC1D420DF5B}.exe"	{57ACAADC-28B0-441b-A85A-7F15EBB95596}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ED69FCBA-D4D5-4af5-9AD6-A72FDA960674}\stubpath = "C:\\Windows\\{ED69FCBA-D4D5-4af5-9AD6-A72FDA960674}.exe"	{DA9A6463-17BC-43d6-8AAE-1CC1D420DF5B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8C2471E1-E8E0-4631-AD4F-070241C3CB28}	{E56B794B-404A-4442-87E6-1430C049358F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8C2471E1-E8E0-4631-AD4F-070241C3CB28}\stubpath = "C:\\Windows\\{8C2471E1-E8E0-4631-AD4F-070241C3CB28}.exe"	{E56B794B-404A-4442-87E6-1430C049358F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{45C757FE-30B7-4a08-9149-C9C76706E072}	{8C2471E1-E8E0-4631-AD4F-070241C3CB28}.exe

Deletes itself 1 IoCs

pid	Process
2520	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
1864	{1CD84E76-4931-4da6-AE21-4C817FAAFD01}.exe
2508	{1B9A0E9A-0D82-436e-AFC3-54EF8036F940}.exe
2428	{39D7A708-BF89-481e-9286-BC802B91D54F}.exe
1092	{34613C43-2528-436f-965F-360F17C75BAB}.exe
2692	{57ACAADC-28B0-441b-A85A-7F15EBB95596}.exe
2736	{DA9A6463-17BC-43d6-8AAE-1CC1D420DF5B}.exe
544	{ED69FCBA-D4D5-4af5-9AD6-A72FDA960674}.exe
568	{E56B794B-404A-4442-87E6-1430C049358F}.exe
1700	{8C2471E1-E8E0-4631-AD4F-070241C3CB28}.exe
2472	{45C757FE-30B7-4a08-9149-C9C76706E072}.exe
3052	{2DAA088A-7C33-44d1-B485-464CCC115729}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{1CD84E76-4931-4da6-AE21-4C817FAAFD01}.exe	2024-03-13_c2c514d7f2b142f038b25b5e7ad460be_goldeneye.exe
File created	C:\Windows\{1B9A0E9A-0D82-436e-AFC3-54EF8036F940}.exe	{1CD84E76-4931-4da6-AE21-4C817FAAFD01}.exe
File created	C:\Windows\{34613C43-2528-436f-965F-360F17C75BAB}.exe	{39D7A708-BF89-481e-9286-BC802B91D54F}.exe
File created	C:\Windows\{DA9A6463-17BC-43d6-8AAE-1CC1D420DF5B}.exe	{57ACAADC-28B0-441b-A85A-7F15EBB95596}.exe
File created	C:\Windows\{ED69FCBA-D4D5-4af5-9AD6-A72FDA960674}.exe	{DA9A6463-17BC-43d6-8AAE-1CC1D420DF5B}.exe
File created	C:\Windows\{8C2471E1-E8E0-4631-AD4F-070241C3CB28}.exe	{E56B794B-404A-4442-87E6-1430C049358F}.exe
File created	C:\Windows\{45C757FE-30B7-4a08-9149-C9C76706E072}.exe	{8C2471E1-E8E0-4631-AD4F-070241C3CB28}.exe
File created	C:\Windows\{39D7A708-BF89-481e-9286-BC802B91D54F}.exe	{1B9A0E9A-0D82-436e-AFC3-54EF8036F940}.exe
File created	C:\Windows\{57ACAADC-28B0-441b-A85A-7F15EBB95596}.exe	{34613C43-2528-436f-965F-360F17C75BAB}.exe
File created	C:\Windows\{E56B794B-404A-4442-87E6-1430C049358F}.exe	{ED69FCBA-D4D5-4af5-9AD6-A72FDA960674}.exe
File created	C:\Windows\{2DAA088A-7C33-44d1-B485-464CCC115729}.exe	{45C757FE-30B7-4a08-9149-C9C76706E072}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2108	2024-03-13_c2c514d7f2b142f038b25b5e7ad460be_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1864	{1CD84E76-4931-4da6-AE21-4C817FAAFD01}.exe
Token: SeIncBasePriorityPrivilege	2508	{1B9A0E9A-0D82-436e-AFC3-54EF8036F940}.exe
Token: SeIncBasePriorityPrivilege	2428	{39D7A708-BF89-481e-9286-BC802B91D54F}.exe
Token: SeIncBasePriorityPrivilege	1092	{34613C43-2528-436f-965F-360F17C75BAB}.exe
Token: SeIncBasePriorityPrivilege	2692	{57ACAADC-28B0-441b-A85A-7F15EBB95596}.exe
Token: SeIncBasePriorityPrivilege	2736	{DA9A6463-17BC-43d6-8AAE-1CC1D420DF5B}.exe
Token: SeIncBasePriorityPrivilege	544	{ED69FCBA-D4D5-4af5-9AD6-A72FDA960674}.exe
Token: SeIncBasePriorityPrivilege	568	{E56B794B-404A-4442-87E6-1430C049358F}.exe
Token: SeIncBasePriorityPrivilege	1700	{8C2471E1-E8E0-4631-AD4F-070241C3CB28}.exe
Token: SeIncBasePriorityPrivilege	2472	{45C757FE-30B7-4a08-9149-C9C76706E072}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2108 wrote to memory of 1864	2108	2024-03-13_c2c514d7f2b142f038b25b5e7ad460be_goldeneye.exe	28
PID 2108 wrote to memory of 1864	2108	2024-03-13_c2c514d7f2b142f038b25b5e7ad460be_goldeneye.exe	28
PID 2108 wrote to memory of 1864	2108	2024-03-13_c2c514d7f2b142f038b25b5e7ad460be_goldeneye.exe	28
PID 2108 wrote to memory of 1864	2108	2024-03-13_c2c514d7f2b142f038b25b5e7ad460be_goldeneye.exe	28
PID 2108 wrote to memory of 2520	2108	2024-03-13_c2c514d7f2b142f038b25b5e7ad460be_goldeneye.exe	29
PID 2108 wrote to memory of 2520	2108	2024-03-13_c2c514d7f2b142f038b25b5e7ad460be_goldeneye.exe	29
PID 2108 wrote to memory of 2520	2108	2024-03-13_c2c514d7f2b142f038b25b5e7ad460be_goldeneye.exe	29
PID 2108 wrote to memory of 2520	2108	2024-03-13_c2c514d7f2b142f038b25b5e7ad460be_goldeneye.exe	29
PID 1864 wrote to memory of 2508	1864	{1CD84E76-4931-4da6-AE21-4C817FAAFD01}.exe	30
PID 1864 wrote to memory of 2508	1864	{1CD84E76-4931-4da6-AE21-4C817FAAFD01}.exe	30
PID 1864 wrote to memory of 2508	1864	{1CD84E76-4931-4da6-AE21-4C817FAAFD01}.exe	30
PID 1864 wrote to memory of 2508	1864	{1CD84E76-4931-4da6-AE21-4C817FAAFD01}.exe	30
PID 1864 wrote to memory of 2772	1864	{1CD84E76-4931-4da6-AE21-4C817FAAFD01}.exe	31
PID 1864 wrote to memory of 2772	1864	{1CD84E76-4931-4da6-AE21-4C817FAAFD01}.exe	31
PID 1864 wrote to memory of 2772	1864	{1CD84E76-4931-4da6-AE21-4C817FAAFD01}.exe	31
PID 1864 wrote to memory of 2772	1864	{1CD84E76-4931-4da6-AE21-4C817FAAFD01}.exe	31
PID 2508 wrote to memory of 2428	2508	{1B9A0E9A-0D82-436e-AFC3-54EF8036F940}.exe	34
PID 2508 wrote to memory of 2428	2508	{1B9A0E9A-0D82-436e-AFC3-54EF8036F940}.exe	34
PID 2508 wrote to memory of 2428	2508	{1B9A0E9A-0D82-436e-AFC3-54EF8036F940}.exe	34
PID 2508 wrote to memory of 2428	2508	{1B9A0E9A-0D82-436e-AFC3-54EF8036F940}.exe	34
PID 2508 wrote to memory of 2496	2508	{1B9A0E9A-0D82-436e-AFC3-54EF8036F940}.exe	35
PID 2508 wrote to memory of 2496	2508	{1B9A0E9A-0D82-436e-AFC3-54EF8036F940}.exe	35
PID 2508 wrote to memory of 2496	2508	{1B9A0E9A-0D82-436e-AFC3-54EF8036F940}.exe	35
PID 2508 wrote to memory of 2496	2508	{1B9A0E9A-0D82-436e-AFC3-54EF8036F940}.exe	35
PID 2428 wrote to memory of 1092	2428	{39D7A708-BF89-481e-9286-BC802B91D54F}.exe	36
PID 2428 wrote to memory of 1092	2428	{39D7A708-BF89-481e-9286-BC802B91D54F}.exe	36
PID 2428 wrote to memory of 1092	2428	{39D7A708-BF89-481e-9286-BC802B91D54F}.exe	36
PID 2428 wrote to memory of 1092	2428	{39D7A708-BF89-481e-9286-BC802B91D54F}.exe	36
PID 2428 wrote to memory of 324	2428	{39D7A708-BF89-481e-9286-BC802B91D54F}.exe	37
PID 2428 wrote to memory of 324	2428	{39D7A708-BF89-481e-9286-BC802B91D54F}.exe	37
PID 2428 wrote to memory of 324	2428	{39D7A708-BF89-481e-9286-BC802B91D54F}.exe	37
PID 2428 wrote to memory of 324	2428	{39D7A708-BF89-481e-9286-BC802B91D54F}.exe	37
PID 1092 wrote to memory of 2692	1092	{34613C43-2528-436f-965F-360F17C75BAB}.exe	38
PID 1092 wrote to memory of 2692	1092	{34613C43-2528-436f-965F-360F17C75BAB}.exe	38
PID 1092 wrote to memory of 2692	1092	{34613C43-2528-436f-965F-360F17C75BAB}.exe	38
PID 1092 wrote to memory of 2692	1092	{34613C43-2528-436f-965F-360F17C75BAB}.exe	38
PID 1092 wrote to memory of 2708	1092	{34613C43-2528-436f-965F-360F17C75BAB}.exe	39
PID 1092 wrote to memory of 2708	1092	{34613C43-2528-436f-965F-360F17C75BAB}.exe	39
PID 1092 wrote to memory of 2708	1092	{34613C43-2528-436f-965F-360F17C75BAB}.exe	39
PID 1092 wrote to memory of 2708	1092	{34613C43-2528-436f-965F-360F17C75BAB}.exe	39
PID 2692 wrote to memory of 2736	2692	{57ACAADC-28B0-441b-A85A-7F15EBB95596}.exe	40
PID 2692 wrote to memory of 2736	2692	{57ACAADC-28B0-441b-A85A-7F15EBB95596}.exe	40
PID 2692 wrote to memory of 2736	2692	{57ACAADC-28B0-441b-A85A-7F15EBB95596}.exe	40
PID 2692 wrote to memory of 2736	2692	{57ACAADC-28B0-441b-A85A-7F15EBB95596}.exe	40
PID 2692 wrote to memory of 304	2692	{57ACAADC-28B0-441b-A85A-7F15EBB95596}.exe	41
PID 2692 wrote to memory of 304	2692	{57ACAADC-28B0-441b-A85A-7F15EBB95596}.exe	41
PID 2692 wrote to memory of 304	2692	{57ACAADC-28B0-441b-A85A-7F15EBB95596}.exe	41
PID 2692 wrote to memory of 304	2692	{57ACAADC-28B0-441b-A85A-7F15EBB95596}.exe	41
PID 2736 wrote to memory of 544	2736	{DA9A6463-17BC-43d6-8AAE-1CC1D420DF5B}.exe	42
PID 2736 wrote to memory of 544	2736	{DA9A6463-17BC-43d6-8AAE-1CC1D420DF5B}.exe	42
PID 2736 wrote to memory of 544	2736	{DA9A6463-17BC-43d6-8AAE-1CC1D420DF5B}.exe	42
PID 2736 wrote to memory of 544	2736	{DA9A6463-17BC-43d6-8AAE-1CC1D420DF5B}.exe	42
PID 2736 wrote to memory of 1984	2736	{DA9A6463-17BC-43d6-8AAE-1CC1D420DF5B}.exe	43
PID 2736 wrote to memory of 1984	2736	{DA9A6463-17BC-43d6-8AAE-1CC1D420DF5B}.exe	43
PID 2736 wrote to memory of 1984	2736	{DA9A6463-17BC-43d6-8AAE-1CC1D420DF5B}.exe	43
PID 2736 wrote to memory of 1984	2736	{DA9A6463-17BC-43d6-8AAE-1CC1D420DF5B}.exe	43
PID 544 wrote to memory of 568	544	{ED69FCBA-D4D5-4af5-9AD6-A72FDA960674}.exe	44
PID 544 wrote to memory of 568	544	{ED69FCBA-D4D5-4af5-9AD6-A72FDA960674}.exe	44
PID 544 wrote to memory of 568	544	{ED69FCBA-D4D5-4af5-9AD6-A72FDA960674}.exe	44
PID 544 wrote to memory of 568	544	{ED69FCBA-D4D5-4af5-9AD6-A72FDA960674}.exe	44
PID 544 wrote to memory of 2436	544	{ED69FCBA-D4D5-4af5-9AD6-A72FDA960674}.exe	45
PID 544 wrote to memory of 2436	544	{ED69FCBA-D4D5-4af5-9AD6-A72FDA960674}.exe	45
PID 544 wrote to memory of 2436	544	{ED69FCBA-D4D5-4af5-9AD6-A72FDA960674}.exe	45
PID 544 wrote to memory of 2436	544	{ED69FCBA-D4D5-4af5-9AD6-A72FDA960674}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-03-13_c2c514d7f2b142f038b25b5e7ad460be_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-13_c2c514d7f2b142f038b25b5e7ad460be_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2108
- C:\Windows\{1CD84E76-4931-4da6-AE21-4C817FAAFD01}.exe
  C:\Windows\{1CD84E76-4931-4da6-AE21-4C817FAAFD01}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1864
- - C:\Windows\{1B9A0E9A-0D82-436e-AFC3-54EF8036F940}.exe
    C:\Windows\{1B9A0E9A-0D82-436e-AFC3-54EF8036F940}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2508
  - - C:\Windows\{39D7A708-BF89-481e-9286-BC802B91D54F}.exe
      C:\Windows\{39D7A708-BF89-481e-9286-BC802B91D54F}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2428
    - - C:\Windows\{34613C43-2528-436f-965F-360F17C75BAB}.exe
        
        C:\Windows\{34613C43-2528-436f-965F-360F17C75BAB}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1092
      - C:\Windows\{57ACAADC-28B0-441b-A85A-7F15EBB95596}.exe
        
        C:\Windows\{57ACAADC-28B0-441b-A85A-7F15EBB95596}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2692
        
        C:\Windows\{DA9A6463-17BC-43d6-8AAE-1CC1D420DF5B}.exe
        
        C:\Windows\{DA9A6463-17BC-43d6-8AAE-1CC1D420DF5B}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2736
        
        C:\Windows\{ED69FCBA-D4D5-4af5-9AD6-A72FDA960674}.exe
        
        C:\Windows\{ED69FCBA-D4D5-4af5-9AD6-A72FDA960674}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:544
        
        C:\Windows\{E56B794B-404A-4442-87E6-1430C049358F}.exe
        
        C:\Windows\{E56B794B-404A-4442-87E6-1430C049358F}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:568
        
        C:\Windows\{8C2471E1-E8E0-4631-AD4F-070241C3CB28}.exe
        
        C:\Windows\{8C2471E1-E8E0-4631-AD4F-070241C3CB28}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1700
        
        C:\Windows\{45C757FE-30B7-4a08-9149-C9C76706E072}.exe
        
        C:\Windows\{45C757FE-30B7-4a08-9149-C9C76706E072}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2472
        
        C:\Windows\{2DAA088A-7C33-44d1-B485-464CCC115729}.exe
        
        C:\Windows\{2DAA088A-7C33-44d1-B485-464CCC115729}.exe
        12⤵
        Executes dropped EXE
        
        PID:3052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{45C75~1.EXE > nul
        12⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8C247~1.EXE > nul
        11⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E56B7~1.EXE > nul
        10⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{ED69F~1.EXE > nul
        9⤵
        
        PID:2436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DA9A6~1.EXE > nul
        8⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{57ACA~1.EXE > nul
        7⤵
        
        PID:304
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{34613~1.EXE > nul
        6⤵
        
        PID:2708
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{39D7A~1.EXE > nul
        5⤵
        
        PID:324
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{1B9A0~1.EXE > nul
      4⤵
      PID:2496
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{1CD84~1.EXE > nul
    3⤵
    PID:2772
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1B9A0E9A-0D82-436e-AFC3-54EF8036F940}.exe

Filesize
372KB

MD5
56fade5e7c51403f380993711f1be1b4

SHA1
6acc312c4009631a837a4cff45a3a450db0f6352

SHA256
dfb8147a65f4527bb515fef1661b8ed2581ad3fd8b55102a3b8c2ff33c232f38

SHA512
9cfaa4b1ffd25250f04136936153787986d45bfcf4a6b6829fc544c4f75e0492b25881039f0e8f8d79d7296ad888ddcc64c97cd5bf34c3dabfd165513704692c

Download Submit
C:\Windows\{1CD84E76-4931-4da6-AE21-4C817FAAFD01}.exe

Filesize
372KB

MD5
e577e621df491b8476d16838498af8c3

SHA1
5332ec5d73d24aa6f0fb90d14567d48f783110ee

SHA256
6119be6b07583ee823219a2018e8f3382d6cea96758683a74ad04e9ee5ead07c

SHA512
3ac5ef476e94d1da6df1b640fd1f3f51a807587190f7a5a3fc9b53cccfa156d11d9849f49a03954661192c040347160d66dfdbf99e4027a47e792481fd4eb4dc

Download Submit
C:\Windows\{2DAA088A-7C33-44d1-B485-464CCC115729}.exe

Filesize
372KB

MD5
12697c821a1a28134c240ffe66efb2a5

SHA1
909d2c9b41d6b3e4800d61fe02e411caa464f7b6

SHA256
86df8c922f71c5779293567a613387ff754c5339b92de2c78d3b8f95013c0c17

SHA512
43c0c852fefc7163d6e61a0dca738745ecce096b9c5fe911737d175078e193d754a83be640aac571930e7de6c074c729dca8f51abdc2967ca0c5b71102f28189

Download Submit
C:\Windows\{34613C43-2528-436f-965F-360F17C75BAB}.exe

Filesize
372KB

MD5
18d0009bac43988b963443e3f2da1cab

SHA1
fb5db42b94537039648722b802e8f57668c8a441

SHA256
2f10c86b7141d8615863ff3fdfca227297dce58b9751efe055cb87b1ed39c294

SHA512
3d95f8e5fa9d4247afb6586c1a6e1a4f3da6bcd6e1356070701375579fcf4e84365ffedc2019bf67f42722aabfa6df8e6b18f2d95d15e95ae0e3f3a465867db3

Download Submit
C:\Windows\{39D7A708-BF89-481e-9286-BC802B91D54F}.exe

Filesize
372KB

MD5
087f5e6eb75cf5f4987cbbca78ca686c

SHA1
adcb5a5113ad910c0d164e1886059a7fb8dd5c5b

SHA256
adb2cfba1fd8950ea1d3e8f6ad468841141b57a96b9524fef876d25721f6e52a

SHA512
ad283cf411267252240d5e10047275c5617719fd10eef6eb923225b26529187a141b4eda15d36d046170712af91f52be9332652c33061ab9af0ac99e1b5e0c07

Download Submit
C:\Windows\{45C757FE-30B7-4a08-9149-C9C76706E072}.exe

Filesize
372KB

MD5
7d7a47d777b1826a463a19316d741da0

SHA1
edbc1fb06e29a8f12125e2572480ddb2b862e778

SHA256
3d6e8decf0f727117dfe135af4d66119565d42778d5b3dbb480b51cf22934bc9

SHA512
3b07616f1de4eed649749861742a1b8fd56cb560409914e8a16ef2f26223664cd67c9e34b553722ee948b5d729197ce992afee37c6c23c6dce0fe5d68af49e1c

Download Submit
C:\Windows\{57ACAADC-28B0-441b-A85A-7F15EBB95596}.exe

Filesize
372KB

MD5
590b18296f4df5e2673b56170329d1d6

SHA1
bf734d71fb818cce2336704e9cca5ca4ed0aa29b

SHA256
f880fb7b75cd4d57c8ad68fc1d28a4da98663e6926d90c5d19f30a073ac1f284

SHA512
cb0a0096fbfdb4fa89fc717d00d222f9d4a7ee90f3b9258c6d1a7a12d9311371308aa5b3932744ce3724d828319234d89991120c8752a17cc08e2e7d04e45123

Download Submit
C:\Windows\{8C2471E1-E8E0-4631-AD4F-070241C3CB28}.exe

Filesize
372KB

MD5
7d218c1d786e50b059d1fa12ea439665

SHA1
9a2bffde9b681086e67fe50cf3ce8045f28c41d3

SHA256
ecba6740593841cad9169e2dba0096a42aa850429d66469377dd9a2411cee065

SHA512
528a767616e6ed065163b6d15b1f91080716af815ca8cef047368e7e5982eb60b1b76336073e39014acb8af0fef92c64a8677c71c0839d63e0f27e06e134d72e

Download Submit
C:\Windows\{DA9A6463-17BC-43d6-8AAE-1CC1D420DF5B}.exe

Filesize
372KB

MD5
6286a603ff67fb6539928406c2e4fc9b

SHA1
492c501845764242736b120531df188e13118d9d

SHA256
69761587825e2ecbda41e5ddd88969430589f10df96ceb9779314540b020a267

SHA512
4d6210f5874f275957e522c0b6fb9bc14d743079cf668a87f778f493596782534a909e62eb66060653db678947da67450214020d1f470bf8f22438beffca78a4

Download Submit
C:\Windows\{E56B794B-404A-4442-87E6-1430C049358F}.exe

Filesize
372KB

MD5
4590e31d38b195f2615376e55844f550

SHA1
efa77cde06ccb5ced5cc3df645311157feba7b56

SHA256
3b8467557f8f265b9456e09e5b4e4e47dcc9fecafa548e6e5c0cfa4d8783c401

SHA512
6758db480e64bd5d019e7890c1b7618c59bb57e8b2307f7a8dd983fd38e3352493a5b01ece6cf01b24220800b5550e9ba0ca9602dafb7099c5979ddb22383104

Download Submit
C:\Windows\{ED69FCBA-D4D5-4af5-9AD6-A72FDA960674}.exe

Filesize
372KB

MD5
8508c5091b4fa55d3f0bab6af3d60276

SHA1
2e51c81a5666dd8516d45f46b0a1ea0e61f075a1

SHA256
5d4fa92f75a618da533d2168558cd39e8da872b4bf4cc5b27c958b32597e5b3d

SHA512
315c305bfab9def27c9f7bd9d9dc6a376982a254098486fe8f7786ab1df1599ec4f0dbcc5244dacf1776aa2491377e55f535f27cc3a005e0a7ecbb4b376a8f80

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads