6dadb3c3bcf9ff028932aaa2a95e62fcd7292ff54c56647aced136422306dcb2

Analysis

max time kernel
144s
max time network
123s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
19/03/2024, 18:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-19_f427301dfc3c2af8d510edb9a9c29293_goldeneye.exe
Size

197KB
MD5

f427301dfc3c2af8d510edb9a9c29293
SHA1

5cf1e65e7c00c4687f8a02c7da0a0eeb7f12d8eb
SHA256

6dadb3c3bcf9ff028932aaa2a95e62fcd7292ff54c56647aced136422306dcb2
SHA512

957e9bb1f92d791028a1f19fa2bccf2effca155ed83b3ce7c006759b5bb3f2a7b903d13279001fbe987e71f959ec8303533b19831012a548d6d95d72b3efcae5
SSDEEP

3072:jEGh0o9l+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGTlEeKcAEca

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000c000000012326-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c00000001480e-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000012326-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0030000000014eb9-25.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e000000012326-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f000000012326-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0010000000012326-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{729F2B72-5BF1-4530-99F2-C31F43358B13}	2024-03-19_f427301dfc3c2af8d510edb9a9c29293_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3FD332F2-F1F1-4b47-B54F-249B6C71CB3F}\stubpath = "C:\\Windows\\{3FD332F2-F1F1-4b47-B54F-249B6C71CB3F}.exe"	{729F2B72-5BF1-4530-99F2-C31F43358B13}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F29F48F4-6429-4c59-9A5F-E70F5DFA13AC}	{80F834F0-557A-46e6-B415-07DEE7E49D2B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A49A18F7-31D3-4a87-BB65-A1F591D0806E}	{82E94418-57E2-40c2-98E3-F3A4792D1F1C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BF570CC9-22A7-4269-A407-270EA1F3B788}\stubpath = "C:\\Windows\\{BF570CC9-22A7-4269-A407-270EA1F3B788}.exe"	{A49A18F7-31D3-4a87-BB65-A1F591D0806E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8CCE8BD3-ABFC-4249-8E4F-2D7ED32D2381}\stubpath = "C:\\Windows\\{8CCE8BD3-ABFC-4249-8E4F-2D7ED32D2381}.exe"	{04602D86-C1CE-48a8-B084-21CCD81B2702}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{100AF35E-B94D-465f-AA0F-3CBF36DEF2E4}	{8CCE8BD3-ABFC-4249-8E4F-2D7ED32D2381}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{729F2B72-5BF1-4530-99F2-C31F43358B13}\stubpath = "C:\\Windows\\{729F2B72-5BF1-4530-99F2-C31F43358B13}.exe"	2024-03-19_f427301dfc3c2af8d510edb9a9c29293_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BCBE51EE-8FF9-4d87-894A-7C57B89CD5C6}	{F29F48F4-6429-4c59-9A5F-E70F5DFA13AC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BCBE51EE-8FF9-4d87-894A-7C57B89CD5C6}\stubpath = "C:\\Windows\\{BCBE51EE-8FF9-4d87-894A-7C57B89CD5C6}.exe"	{F29F48F4-6429-4c59-9A5F-E70F5DFA13AC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{82E94418-57E2-40c2-98E3-F3A4792D1F1C}	{BCBE51EE-8FF9-4d87-894A-7C57B89CD5C6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{82E94418-57E2-40c2-98E3-F3A4792D1F1C}\stubpath = "C:\\Windows\\{82E94418-57E2-40c2-98E3-F3A4792D1F1C}.exe"	{BCBE51EE-8FF9-4d87-894A-7C57B89CD5C6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{100AF35E-B94D-465f-AA0F-3CBF36DEF2E4}\stubpath = "C:\\Windows\\{100AF35E-B94D-465f-AA0F-3CBF36DEF2E4}.exe"	{8CCE8BD3-ABFC-4249-8E4F-2D7ED32D2381}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3FD332F2-F1F1-4b47-B54F-249B6C71CB3F}	{729F2B72-5BF1-4530-99F2-C31F43358B13}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F29F48F4-6429-4c59-9A5F-E70F5DFA13AC}\stubpath = "C:\\Windows\\{F29F48F4-6429-4c59-9A5F-E70F5DFA13AC}.exe"	{80F834F0-557A-46e6-B415-07DEE7E49D2B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A49A18F7-31D3-4a87-BB65-A1F591D0806E}\stubpath = "C:\\Windows\\{A49A18F7-31D3-4a87-BB65-A1F591D0806E}.exe"	{82E94418-57E2-40c2-98E3-F3A4792D1F1C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{80F834F0-557A-46e6-B415-07DEE7E49D2B}	{3FD332F2-F1F1-4b47-B54F-249B6C71CB3F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{80F834F0-557A-46e6-B415-07DEE7E49D2B}\stubpath = "C:\\Windows\\{80F834F0-557A-46e6-B415-07DEE7E49D2B}.exe"	{3FD332F2-F1F1-4b47-B54F-249B6C71CB3F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BF570CC9-22A7-4269-A407-270EA1F3B788}	{A49A18F7-31D3-4a87-BB65-A1F591D0806E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{04602D86-C1CE-48a8-B084-21CCD81B2702}	{BF570CC9-22A7-4269-A407-270EA1F3B788}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{04602D86-C1CE-48a8-B084-21CCD81B2702}\stubpath = "C:\\Windows\\{04602D86-C1CE-48a8-B084-21CCD81B2702}.exe"	{BF570CC9-22A7-4269-A407-270EA1F3B788}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8CCE8BD3-ABFC-4249-8E4F-2D7ED32D2381}	{04602D86-C1CE-48a8-B084-21CCD81B2702}.exe

Executes dropped EXE 11 IoCs

pid	Process
2972	{729F2B72-5BF1-4530-99F2-C31F43358B13}.exe
2544	{3FD332F2-F1F1-4b47-B54F-249B6C71CB3F}.exe
2936	{80F834F0-557A-46e6-B415-07DEE7E49D2B}.exe
1480	{F29F48F4-6429-4c59-9A5F-E70F5DFA13AC}.exe
2740	{BCBE51EE-8FF9-4d87-894A-7C57B89CD5C6}.exe
1556	{82E94418-57E2-40c2-98E3-F3A4792D1F1C}.exe
1440	{A49A18F7-31D3-4a87-BB65-A1F591D0806E}.exe
2892	{BF570CC9-22A7-4269-A407-270EA1F3B788}.exe
2908	{04602D86-C1CE-48a8-B084-21CCD81B2702}.exe
1508	{8CCE8BD3-ABFC-4249-8E4F-2D7ED32D2381}.exe
2372	{100AF35E-B94D-465f-AA0F-3CBF36DEF2E4}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{F29F48F4-6429-4c59-9A5F-E70F5DFA13AC}.exe	{80F834F0-557A-46e6-B415-07DEE7E49D2B}.exe
File created	C:\Windows\{82E94418-57E2-40c2-98E3-F3A4792D1F1C}.exe	{BCBE51EE-8FF9-4d87-894A-7C57B89CD5C6}.exe
File created	C:\Windows\{A49A18F7-31D3-4a87-BB65-A1F591D0806E}.exe	{82E94418-57E2-40c2-98E3-F3A4792D1F1C}.exe
File created	C:\Windows\{8CCE8BD3-ABFC-4249-8E4F-2D7ED32D2381}.exe	{04602D86-C1CE-48a8-B084-21CCD81B2702}.exe
File created	C:\Windows\{100AF35E-B94D-465f-AA0F-3CBF36DEF2E4}.exe	{8CCE8BD3-ABFC-4249-8E4F-2D7ED32D2381}.exe
File created	C:\Windows\{729F2B72-5BF1-4530-99F2-C31F43358B13}.exe	2024-03-19_f427301dfc3c2af8d510edb9a9c29293_goldeneye.exe
File created	C:\Windows\{3FD332F2-F1F1-4b47-B54F-249B6C71CB3F}.exe	{729F2B72-5BF1-4530-99F2-C31F43358B13}.exe
File created	C:\Windows\{80F834F0-557A-46e6-B415-07DEE7E49D2B}.exe	{3FD332F2-F1F1-4b47-B54F-249B6C71CB3F}.exe
File created	C:\Windows\{BCBE51EE-8FF9-4d87-894A-7C57B89CD5C6}.exe	{F29F48F4-6429-4c59-9A5F-E70F5DFA13AC}.exe
File created	C:\Windows\{BF570CC9-22A7-4269-A407-270EA1F3B788}.exe	{A49A18F7-31D3-4a87-BB65-A1F591D0806E}.exe
File created	C:\Windows\{04602D86-C1CE-48a8-B084-21CCD81B2702}.exe	{BF570CC9-22A7-4269-A407-270EA1F3B788}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2260	2024-03-19_f427301dfc3c2af8d510edb9a9c29293_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2972	{729F2B72-5BF1-4530-99F2-C31F43358B13}.exe
Token: SeIncBasePriorityPrivilege	2544	{3FD332F2-F1F1-4b47-B54F-249B6C71CB3F}.exe
Token: SeIncBasePriorityPrivilege	2936	{80F834F0-557A-46e6-B415-07DEE7E49D2B}.exe
Token: SeIncBasePriorityPrivilege	1480	{F29F48F4-6429-4c59-9A5F-E70F5DFA13AC}.exe
Token: SeIncBasePriorityPrivilege	2740	{BCBE51EE-8FF9-4d87-894A-7C57B89CD5C6}.exe
Token: SeIncBasePriorityPrivilege	1556	{82E94418-57E2-40c2-98E3-F3A4792D1F1C}.exe
Token: SeIncBasePriorityPrivilege	1440	{A49A18F7-31D3-4a87-BB65-A1F591D0806E}.exe
Token: SeIncBasePriorityPrivilege	2892	{BF570CC9-22A7-4269-A407-270EA1F3B788}.exe
Token: SeIncBasePriorityPrivilege	2908	{04602D86-C1CE-48a8-B084-21CCD81B2702}.exe
Token: SeIncBasePriorityPrivilege	1508	{8CCE8BD3-ABFC-4249-8E4F-2D7ED32D2381}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2260 wrote to memory of 2972	2260	2024-03-19_f427301dfc3c2af8d510edb9a9c29293_goldeneye.exe	28
PID 2260 wrote to memory of 2972	2260	2024-03-19_f427301dfc3c2af8d510edb9a9c29293_goldeneye.exe	28
PID 2260 wrote to memory of 2972	2260	2024-03-19_f427301dfc3c2af8d510edb9a9c29293_goldeneye.exe	28
PID 2260 wrote to memory of 2972	2260	2024-03-19_f427301dfc3c2af8d510edb9a9c29293_goldeneye.exe	28
PID 2260 wrote to memory of 3032	2260	2024-03-19_f427301dfc3c2af8d510edb9a9c29293_goldeneye.exe	29
PID 2260 wrote to memory of 3032	2260	2024-03-19_f427301dfc3c2af8d510edb9a9c29293_goldeneye.exe	29
PID 2260 wrote to memory of 3032	2260	2024-03-19_f427301dfc3c2af8d510edb9a9c29293_goldeneye.exe	29
PID 2260 wrote to memory of 3032	2260	2024-03-19_f427301dfc3c2af8d510edb9a9c29293_goldeneye.exe	29
PID 2972 wrote to memory of 2544	2972	{729F2B72-5BF1-4530-99F2-C31F43358B13}.exe	30
PID 2972 wrote to memory of 2544	2972	{729F2B72-5BF1-4530-99F2-C31F43358B13}.exe	30
PID 2972 wrote to memory of 2544	2972	{729F2B72-5BF1-4530-99F2-C31F43358B13}.exe	30
PID 2972 wrote to memory of 2544	2972	{729F2B72-5BF1-4530-99F2-C31F43358B13}.exe	30
PID 2972 wrote to memory of 2696	2972	{729F2B72-5BF1-4530-99F2-C31F43358B13}.exe	31
PID 2972 wrote to memory of 2696	2972	{729F2B72-5BF1-4530-99F2-C31F43358B13}.exe	31
PID 2972 wrote to memory of 2696	2972	{729F2B72-5BF1-4530-99F2-C31F43358B13}.exe	31
PID 2972 wrote to memory of 2696	2972	{729F2B72-5BF1-4530-99F2-C31F43358B13}.exe	31
PID 2544 wrote to memory of 2936	2544	{3FD332F2-F1F1-4b47-B54F-249B6C71CB3F}.exe	32
PID 2544 wrote to memory of 2936	2544	{3FD332F2-F1F1-4b47-B54F-249B6C71CB3F}.exe	32
PID 2544 wrote to memory of 2936	2544	{3FD332F2-F1F1-4b47-B54F-249B6C71CB3F}.exe	32
PID 2544 wrote to memory of 2936	2544	{3FD332F2-F1F1-4b47-B54F-249B6C71CB3F}.exe	32
PID 2544 wrote to memory of 2684	2544	{3FD332F2-F1F1-4b47-B54F-249B6C71CB3F}.exe	33
PID 2544 wrote to memory of 2684	2544	{3FD332F2-F1F1-4b47-B54F-249B6C71CB3F}.exe	33
PID 2544 wrote to memory of 2684	2544	{3FD332F2-F1F1-4b47-B54F-249B6C71CB3F}.exe	33
PID 2544 wrote to memory of 2684	2544	{3FD332F2-F1F1-4b47-B54F-249B6C71CB3F}.exe	33
PID 2936 wrote to memory of 1480	2936	{80F834F0-557A-46e6-B415-07DEE7E49D2B}.exe	36
PID 2936 wrote to memory of 1480	2936	{80F834F0-557A-46e6-B415-07DEE7E49D2B}.exe	36
PID 2936 wrote to memory of 1480	2936	{80F834F0-557A-46e6-B415-07DEE7E49D2B}.exe	36
PID 2936 wrote to memory of 1480	2936	{80F834F0-557A-46e6-B415-07DEE7E49D2B}.exe	36
PID 2936 wrote to memory of 2464	2936	{80F834F0-557A-46e6-B415-07DEE7E49D2B}.exe	37
PID 2936 wrote to memory of 2464	2936	{80F834F0-557A-46e6-B415-07DEE7E49D2B}.exe	37
PID 2936 wrote to memory of 2464	2936	{80F834F0-557A-46e6-B415-07DEE7E49D2B}.exe	37
PID 2936 wrote to memory of 2464	2936	{80F834F0-557A-46e6-B415-07DEE7E49D2B}.exe	37
PID 1480 wrote to memory of 2740	1480	{F29F48F4-6429-4c59-9A5F-E70F5DFA13AC}.exe	38
PID 1480 wrote to memory of 2740	1480	{F29F48F4-6429-4c59-9A5F-E70F5DFA13AC}.exe	38
PID 1480 wrote to memory of 2740	1480	{F29F48F4-6429-4c59-9A5F-E70F5DFA13AC}.exe	38
PID 1480 wrote to memory of 2740	1480	{F29F48F4-6429-4c59-9A5F-E70F5DFA13AC}.exe	38
PID 1480 wrote to memory of 2860	1480	{F29F48F4-6429-4c59-9A5F-E70F5DFA13AC}.exe	39
PID 1480 wrote to memory of 2860	1480	{F29F48F4-6429-4c59-9A5F-E70F5DFA13AC}.exe	39
PID 1480 wrote to memory of 2860	1480	{F29F48F4-6429-4c59-9A5F-E70F5DFA13AC}.exe	39
PID 1480 wrote to memory of 2860	1480	{F29F48F4-6429-4c59-9A5F-E70F5DFA13AC}.exe	39
PID 2740 wrote to memory of 1556	2740	{BCBE51EE-8FF9-4d87-894A-7C57B89CD5C6}.exe	40
PID 2740 wrote to memory of 1556	2740	{BCBE51EE-8FF9-4d87-894A-7C57B89CD5C6}.exe	40
PID 2740 wrote to memory of 1556	2740	{BCBE51EE-8FF9-4d87-894A-7C57B89CD5C6}.exe	40
PID 2740 wrote to memory of 1556	2740	{BCBE51EE-8FF9-4d87-894A-7C57B89CD5C6}.exe	40
PID 2740 wrote to memory of 1532	2740	{BCBE51EE-8FF9-4d87-894A-7C57B89CD5C6}.exe	41
PID 2740 wrote to memory of 1532	2740	{BCBE51EE-8FF9-4d87-894A-7C57B89CD5C6}.exe	41
PID 2740 wrote to memory of 1532	2740	{BCBE51EE-8FF9-4d87-894A-7C57B89CD5C6}.exe	41
PID 2740 wrote to memory of 1532	2740	{BCBE51EE-8FF9-4d87-894A-7C57B89CD5C6}.exe	41
PID 1556 wrote to memory of 1440	1556	{82E94418-57E2-40c2-98E3-F3A4792D1F1C}.exe	42
PID 1556 wrote to memory of 1440	1556	{82E94418-57E2-40c2-98E3-F3A4792D1F1C}.exe	42
PID 1556 wrote to memory of 1440	1556	{82E94418-57E2-40c2-98E3-F3A4792D1F1C}.exe	42
PID 1556 wrote to memory of 1440	1556	{82E94418-57E2-40c2-98E3-F3A4792D1F1C}.exe	42
PID 1556 wrote to memory of 1636	1556	{82E94418-57E2-40c2-98E3-F3A4792D1F1C}.exe	43
PID 1556 wrote to memory of 1636	1556	{82E94418-57E2-40c2-98E3-F3A4792D1F1C}.exe	43
PID 1556 wrote to memory of 1636	1556	{82E94418-57E2-40c2-98E3-F3A4792D1F1C}.exe	43
PID 1556 wrote to memory of 1636	1556	{82E94418-57E2-40c2-98E3-F3A4792D1F1C}.exe	43
PID 1440 wrote to memory of 2892	1440	{A49A18F7-31D3-4a87-BB65-A1F591D0806E}.exe	44
PID 1440 wrote to memory of 2892	1440	{A49A18F7-31D3-4a87-BB65-A1F591D0806E}.exe	44
PID 1440 wrote to memory of 2892	1440	{A49A18F7-31D3-4a87-BB65-A1F591D0806E}.exe	44
PID 1440 wrote to memory of 2892	1440	{A49A18F7-31D3-4a87-BB65-A1F591D0806E}.exe	44
PID 1440 wrote to memory of 2828	1440	{A49A18F7-31D3-4a87-BB65-A1F591D0806E}.exe	45
PID 1440 wrote to memory of 2828	1440	{A49A18F7-31D3-4a87-BB65-A1F591D0806E}.exe	45
PID 1440 wrote to memory of 2828	1440	{A49A18F7-31D3-4a87-BB65-A1F591D0806E}.exe	45
PID 1440 wrote to memory of 2828	1440	{A49A18F7-31D3-4a87-BB65-A1F591D0806E}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-03-19_f427301dfc3c2af8d510edb9a9c29293_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-19_f427301dfc3c2af8d510edb9a9c29293_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2260
- C:\Windows\{729F2B72-5BF1-4530-99F2-C31F43358B13}.exe
  C:\Windows\{729F2B72-5BF1-4530-99F2-C31F43358B13}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2972
- - C:\Windows\{3FD332F2-F1F1-4b47-B54F-249B6C71CB3F}.exe
    C:\Windows\{3FD332F2-F1F1-4b47-B54F-249B6C71CB3F}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2544
  - - C:\Windows\{80F834F0-557A-46e6-B415-07DEE7E49D2B}.exe
      C:\Windows\{80F834F0-557A-46e6-B415-07DEE7E49D2B}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2936
    - - C:\Windows\{F29F48F4-6429-4c59-9A5F-E70F5DFA13AC}.exe
        
        C:\Windows\{F29F48F4-6429-4c59-9A5F-E70F5DFA13AC}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1480
      - C:\Windows\{BCBE51EE-8FF9-4d87-894A-7C57B89CD5C6}.exe
        
        C:\Windows\{BCBE51EE-8FF9-4d87-894A-7C57B89CD5C6}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2740
        
        C:\Windows\{82E94418-57E2-40c2-98E3-F3A4792D1F1C}.exe
        
        C:\Windows\{82E94418-57E2-40c2-98E3-F3A4792D1F1C}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1556
        
        C:\Windows\{A49A18F7-31D3-4a87-BB65-A1F591D0806E}.exe
        
        C:\Windows\{A49A18F7-31D3-4a87-BB65-A1F591D0806E}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1440
        
        C:\Windows\{BF570CC9-22A7-4269-A407-270EA1F3B788}.exe
        
        C:\Windows\{BF570CC9-22A7-4269-A407-270EA1F3B788}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2892
        
        C:\Windows\{04602D86-C1CE-48a8-B084-21CCD81B2702}.exe
        
        C:\Windows\{04602D86-C1CE-48a8-B084-21CCD81B2702}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2908
        
        C:\Windows\{8CCE8BD3-ABFC-4249-8E4F-2D7ED32D2381}.exe
        
        C:\Windows\{8CCE8BD3-ABFC-4249-8E4F-2D7ED32D2381}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1508
        
        C:\Windows\{100AF35E-B94D-465f-AA0F-3CBF36DEF2E4}.exe
        
        C:\Windows\{100AF35E-B94D-465f-AA0F-3CBF36DEF2E4}.exe
        12⤵
        Executes dropped EXE
        
        PID:2372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8CCE8~1.EXE > nul
        12⤵
        
        PID:888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{04602~1.EXE > nul
        11⤵
        
        PID:668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BF570~1.EXE > nul
        10⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A49A1~1.EXE > nul
        9⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{82E94~1.EXE > nul
        8⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BCBE5~1.EXE > nul
        7⤵
        
        PID:1532
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F29F4~1.EXE > nul
        6⤵
        
        PID:2860
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{80F83~1.EXE > nul
        5⤵
        
        PID:2464
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{3FD33~1.EXE > nul
      4⤵
      PID:2684
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{729F2~1.EXE > nul
    3⤵
    PID:2696
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:3032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{04602D86-C1CE-48a8-B084-21CCD81B2702}.exe

Filesize
197KB

MD5
0e1f017ed74e45f97412165664f5cb8a

SHA1
e19680d41f9053c7ad4da44276cb9e883d2891ce

SHA256
c2e6bd02c9f76f73f6a9fab5da52b69a312fd28bffa894dfb40a39e3c753dcbe

SHA512
cb5345a04f6cb4a5bbd46ab3183aa128187bf88e05dac46c6247324a37c83374aefa9f06ac8afc3813dbade6408abdeed3ce79111277e9b9921053bd45aacc83

Download Submit
C:\Windows\{100AF35E-B94D-465f-AA0F-3CBF36DEF2E4}.exe

Filesize
197KB

MD5
b2e8bd1d089d0f5954499bd502cbd54a

SHA1
7fe18eedb97a96fd2e9a49e7714b07d492e64672

SHA256
44343276c5be585e4de104810a0d1e43fe811f668032ed99b8c231b2d181b62b

SHA512
575a35a8ee473e71242f82ed7a7c0ef2ee4f8129d0c014364e5ce805be4a27ed87769b488777d968a526974ea3560705ce3d4f1bd14d7cd5b4b3718072e7fc91

Download Submit
C:\Windows\{3FD332F2-F1F1-4b47-B54F-249B6C71CB3F}.exe

Filesize
197KB

MD5
89f979b5f689ab3cd76202253e2d8fd4

SHA1
d06b216db921bad765f0f6eb2c1fe78703bb2d8f

SHA256
68b2b7d27b8bfa5e8ee9c11305165cbd300275fa330dc8936416fa326ecabad2

SHA512
2a2dfab409462a4f8e77b5ff6b8cccbf80d3ab290338f4d477ef0f2144c0b3345c3b13c4c2b71b2ab90b3fcbe18796ea755ccc0e9c94a18f38bf1131bd6d2d06

Download Submit
C:\Windows\{729F2B72-5BF1-4530-99F2-C31F43358B13}.exe

Filesize
197KB

MD5
0d89078723d35295b70884575db30b28

SHA1
206aa4e0f45ab5f2b3fde475bf70ae6981d236c5

SHA256
cba6139b4a8b6ab61c6158df04045ed3d48db666b33c50150f0e7ad5004ca2b9

SHA512
996bde24375a4a50f9ecd55bfb7b75389fd2302373afbd1f950a50cd2576df15d2d3eadcd0f1c925266ff9e5d2afd386a8b7660010dd25ec8a85ccf324ee1a90

Download Submit
C:\Windows\{80F834F0-557A-46e6-B415-07DEE7E49D2B}.exe

Filesize
197KB

MD5
77e3be4d8e76f93e1a51d40fc99ae664

SHA1
eeb88cc080044224b2edc926f5f7e2a5115ecd09

SHA256
d0fd361ee984442192dd9f0f360a8f749da5cbdf3fa98295b138b3ef1e7b26ef

SHA512
36bf547d3fa0bbc0f546196f20f4c5e392408c38a626d9858c5da55c74eb99ab0e1c878f89e8ef720d466899fac16b4e8fb6663cf7f4557d7792cc90f5387e00

Download Submit
C:\Windows\{82E94418-57E2-40c2-98E3-F3A4792D1F1C}.exe

Filesize
197KB

MD5
661ec893baec440c34e7b5120dc3cfb2

SHA1
3f88bdbcb767054da5e7b738971e3dea2f4f346a

SHA256
abfa6a6333d349465391c95ce9f4492ba7193c99f71f6b9dc2fc70ebe3269ded

SHA512
e036905b915912ad4fb2b84819af8deaa0f1b71928b548a0a468b34934fd32ec99e660aaa0a5daafe388c1f27d55e527b6043137e6eee05b650e2610283b21d4

Download Submit
C:\Windows\{8CCE8BD3-ABFC-4249-8E4F-2D7ED32D2381}.exe

Filesize
197KB

MD5
b77dd174cc8dab771853a8fe4ee017d2

SHA1
8e7d375ba0945e24570f67464cfaff0a1ad1351a

SHA256
2d153d0567203a7ded467e2e809cf9abfabfda1e89193461c3bba244e7891108

SHA512
23c57f88c1228797ba747f22ca0d2d2c1863383120113e47561c05b37165042d6152c4b85922db875f993e6c38d023a239f7157b23bde5981003ede7ec2dfb47

Download Submit
C:\Windows\{A49A18F7-31D3-4a87-BB65-A1F591D0806E}.exe

Filesize
197KB

MD5
f1e6985740d02f9dfddb54e1af427369

SHA1
00d96329dcba5d6df6ea0bb561616ce38ec72558

SHA256
5156e45b47f858495475ffdc442b9ef4cf64d47f700faf16311582aa884e066c

SHA512
9053a3cc97e0177247c21052a812f8fb02eb9dce2b84c022d2be388c30f687b308f379b627c6e9c1494de613640d63eecc3a9bcb9d8f8e175cab859088e33adc

Download Submit
C:\Windows\{BCBE51EE-8FF9-4d87-894A-7C57B89CD5C6}.exe

Filesize
197KB

MD5
6410ec0ded98f0800b0c9065e0ef2074

SHA1
d8040b3b564cc5c2bdb02c37d3eb83ab7ee2ef02

SHA256
bda8737dd39ded88dda34e06ded5f0bf997ff2f8b083a0379861c00c082b70ae

SHA512
0306c8f875b5da3b7b41d3bb9d9916f01c0bbf2fa375558da2aadf571fbd71fdffa030ce2716b83b71b3396301d4a86f871c943d4a8ba70755991b31e7c623da

Download Submit
C:\Windows\{BF570CC9-22A7-4269-A407-270EA1F3B788}.exe

Filesize
197KB

MD5
9162c1bb094f2912ec3bb24f116fd78a

SHA1
74a75fda710c3cb79cbec88251bd52a3e8d363fa

SHA256
47850763362e771ef9c24da0216fa89724fb72b9fa2c285eb43ef3926a3b7f16

SHA512
43af612b8a4cf77b02b325497e4e3b194c39dbe45256d9fb26989904098faa763cf4f90c255079afbd01d35f6e7ab68100c3861643e54301b08127ff6da0a329

Download Submit
C:\Windows\{F29F48F4-6429-4c59-9A5F-E70F5DFA13AC}.exe

Filesize
197KB

MD5
46f1cd93849703184517997b64c9cbc1

SHA1
6dbf007df49a240e5a091ccf864e5aebf9b04f00

SHA256
65af6cd8e98738107a505de2c10f395db2547a63c86f02fd35dfbb8739f6225d

SHA512
34cefcfe42feb72360cc4e2397b42fa79e63e3772d23ca8be8854ede5abcebdb0b0b544e62bb41da3635e469e62fc803ed2c0cffc4e598afc49d4aabf14a5de4

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads