cd65449ccf1542d18bc993b17e45973484af34efadd6f332f276fc44170b9d1e

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
27/03/2024, 04:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-27_abc734a0c5b93bf79546dbdc5d75018b_goldeneye.exe
Size

408KB
MD5

abc734a0c5b93bf79546dbdc5d75018b
SHA1

0028bb8708f385d19467ad0137d58d7537dbe2e0
SHA256

cd65449ccf1542d18bc993b17e45973484af34efadd6f332f276fc44170b9d1e
SHA512

970b4f2252b7e069871d1ece62a3cfb00af94ed88e5043478bdaa5c9610ea91867dd24d03c9e7c2bd05775b39cd9248fa7d86b2310b1d36dab71a152277b7e3c
SSDEEP

3072:CEGh0o1l3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBft:CEGvldOe2MUVg3vTeKcAEciTBqr3jy9

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000900000001225b-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000800000001227e-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000300000000b1f3-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000400000000b1f3-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0034000000016ce0-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0033000000016ce9-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0035000000016ce0-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0034000000016ce9-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0036000000016ce0-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{058B337F-C3B0-45e3-A613-C87EFB6C13EE}	{694C85DC-07B7-4860-AA7D-6377E4ACEB82}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{17B895E8-BDA2-4957-9701-C25C7E4E1EF1}\stubpath = "C:\\Windows\\{17B895E8-BDA2-4957-9701-C25C7E4E1EF1}.exe"	{8BF0B03A-A2C8-4ce1-9AC7-FB3C387F444E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3940D629-48E0-4973-804E-E79130CA3495}\stubpath = "C:\\Windows\\{3940D629-48E0-4973-804E-E79130CA3495}.exe"	{17B895E8-BDA2-4957-9701-C25C7E4E1EF1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{76194862-209F-45ac-9ED0-11C75898964E}	{3940D629-48E0-4973-804E-E79130CA3495}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{50E4207D-ABDB-42b8-A455-38EFDDD5E532}	{C6DAE1E2-B9FD-4d5e-918A-06DD5AC86047}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{50E4207D-ABDB-42b8-A455-38EFDDD5E532}\stubpath = "C:\\Windows\\{50E4207D-ABDB-42b8-A455-38EFDDD5E532}.exe"	{C6DAE1E2-B9FD-4d5e-918A-06DD5AC86047}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7787CCB1-5872-433c-8198-D76D0E916D56}	{656A559C-CA60-45fa-8F4D-DDC603C79917}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7787CCB1-5872-433c-8198-D76D0E916D56}\stubpath = "C:\\Windows\\{7787CCB1-5872-433c-8198-D76D0E916D56}.exe"	{656A559C-CA60-45fa-8F4D-DDC603C79917}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{895EC5B7-A8E0-4368-A964-6D25E6B7CBBD}	{76194862-209F-45ac-9ED0-11C75898964E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{656A559C-CA60-45fa-8F4D-DDC603C79917}\stubpath = "C:\\Windows\\{656A559C-CA60-45fa-8F4D-DDC603C79917}.exe"	{50E4207D-ABDB-42b8-A455-38EFDDD5E532}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{694C85DC-07B7-4860-AA7D-6377E4ACEB82}	{7787CCB1-5872-433c-8198-D76D0E916D56}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3940D629-48E0-4973-804E-E79130CA3495}	{17B895E8-BDA2-4957-9701-C25C7E4E1EF1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{656A559C-CA60-45fa-8F4D-DDC603C79917}	{50E4207D-ABDB-42b8-A455-38EFDDD5E532}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{058B337F-C3B0-45e3-A613-C87EFB6C13EE}\stubpath = "C:\\Windows\\{058B337F-C3B0-45e3-A613-C87EFB6C13EE}.exe"	{694C85DC-07B7-4860-AA7D-6377E4ACEB82}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8BF0B03A-A2C8-4ce1-9AC7-FB3C387F444E}	{058B337F-C3B0-45e3-A613-C87EFB6C13EE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{17B895E8-BDA2-4957-9701-C25C7E4E1EF1}	{8BF0B03A-A2C8-4ce1-9AC7-FB3C387F444E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{76194862-209F-45ac-9ED0-11C75898964E}\stubpath = "C:\\Windows\\{76194862-209F-45ac-9ED0-11C75898964E}.exe"	{3940D629-48E0-4973-804E-E79130CA3495}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{895EC5B7-A8E0-4368-A964-6D25E6B7CBBD}\stubpath = "C:\\Windows\\{895EC5B7-A8E0-4368-A964-6D25E6B7CBBD}.exe"	{76194862-209F-45ac-9ED0-11C75898964E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C6DAE1E2-B9FD-4d5e-918A-06DD5AC86047}	2024-03-27_abc734a0c5b93bf79546dbdc5d75018b_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C6DAE1E2-B9FD-4d5e-918A-06DD5AC86047}\stubpath = "C:\\Windows\\{C6DAE1E2-B9FD-4d5e-918A-06DD5AC86047}.exe"	2024-03-27_abc734a0c5b93bf79546dbdc5d75018b_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{694C85DC-07B7-4860-AA7D-6377E4ACEB82}\stubpath = "C:\\Windows\\{694C85DC-07B7-4860-AA7D-6377E4ACEB82}.exe"	{7787CCB1-5872-433c-8198-D76D0E916D56}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8BF0B03A-A2C8-4ce1-9AC7-FB3C387F444E}\stubpath = "C:\\Windows\\{8BF0B03A-A2C8-4ce1-9AC7-FB3C387F444E}.exe"	{058B337F-C3B0-45e3-A613-C87EFB6C13EE}.exe

Deletes itself 1 IoCs

pid	Process
2768	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2932	{C6DAE1E2-B9FD-4d5e-918A-06DD5AC86047}.exe
2936	{50E4207D-ABDB-42b8-A455-38EFDDD5E532}.exe
2460	{656A559C-CA60-45fa-8F4D-DDC603C79917}.exe
1800	{7787CCB1-5872-433c-8198-D76D0E916D56}.exe
1088	{694C85DC-07B7-4860-AA7D-6377E4ACEB82}.exe
2748	{058B337F-C3B0-45e3-A613-C87EFB6C13EE}.exe
1988	{8BF0B03A-A2C8-4ce1-9AC7-FB3C387F444E}.exe
980	{17B895E8-BDA2-4957-9701-C25C7E4E1EF1}.exe
1528	{3940D629-48E0-4973-804E-E79130CA3495}.exe
2224	{76194862-209F-45ac-9ED0-11C75898964E}.exe
2096	{895EC5B7-A8E0-4368-A964-6D25E6B7CBBD}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{895EC5B7-A8E0-4368-A964-6D25E6B7CBBD}.exe	{76194862-209F-45ac-9ED0-11C75898964E}.exe
File created	C:\Windows\{656A559C-CA60-45fa-8F4D-DDC603C79917}.exe	{50E4207D-ABDB-42b8-A455-38EFDDD5E532}.exe
File created	C:\Windows\{50E4207D-ABDB-42b8-A455-38EFDDD5E532}.exe	{C6DAE1E2-B9FD-4d5e-918A-06DD5AC86047}.exe
File created	C:\Windows\{7787CCB1-5872-433c-8198-D76D0E916D56}.exe	{656A559C-CA60-45fa-8F4D-DDC603C79917}.exe
File created	C:\Windows\{694C85DC-07B7-4860-AA7D-6377E4ACEB82}.exe	{7787CCB1-5872-433c-8198-D76D0E916D56}.exe
File created	C:\Windows\{058B337F-C3B0-45e3-A613-C87EFB6C13EE}.exe	{694C85DC-07B7-4860-AA7D-6377E4ACEB82}.exe
File created	C:\Windows\{8BF0B03A-A2C8-4ce1-9AC7-FB3C387F444E}.exe	{058B337F-C3B0-45e3-A613-C87EFB6C13EE}.exe
File created	C:\Windows\{17B895E8-BDA2-4957-9701-C25C7E4E1EF1}.exe	{8BF0B03A-A2C8-4ce1-9AC7-FB3C387F444E}.exe
File created	C:\Windows\{3940D629-48E0-4973-804E-E79130CA3495}.exe	{17B895E8-BDA2-4957-9701-C25C7E4E1EF1}.exe
File created	C:\Windows\{C6DAE1E2-B9FD-4d5e-918A-06DD5AC86047}.exe	2024-03-27_abc734a0c5b93bf79546dbdc5d75018b_goldeneye.exe
File created	C:\Windows\{76194862-209F-45ac-9ED0-11C75898964E}.exe	{3940D629-48E0-4973-804E-E79130CA3495}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1920	2024-03-27_abc734a0c5b93bf79546dbdc5d75018b_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2932	{C6DAE1E2-B9FD-4d5e-918A-06DD5AC86047}.exe
Token: SeIncBasePriorityPrivilege	2936	{50E4207D-ABDB-42b8-A455-38EFDDD5E532}.exe
Token: SeIncBasePriorityPrivilege	2460	{656A559C-CA60-45fa-8F4D-DDC603C79917}.exe
Token: SeIncBasePriorityPrivilege	1800	{7787CCB1-5872-433c-8198-D76D0E916D56}.exe
Token: SeIncBasePriorityPrivilege	1088	{694C85DC-07B7-4860-AA7D-6377E4ACEB82}.exe
Token: SeIncBasePriorityPrivilege	2748	{058B337F-C3B0-45e3-A613-C87EFB6C13EE}.exe
Token: SeIncBasePriorityPrivilege	1988	{8BF0B03A-A2C8-4ce1-9AC7-FB3C387F444E}.exe
Token: SeIncBasePriorityPrivilege	980	{17B895E8-BDA2-4957-9701-C25C7E4E1EF1}.exe
Token: SeIncBasePriorityPrivilege	1528	{3940D629-48E0-4973-804E-E79130CA3495}.exe
Token: SeIncBasePriorityPrivilege	2224	{76194862-209F-45ac-9ED0-11C75898964E}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1920 wrote to memory of 2932	1920	2024-03-27_abc734a0c5b93bf79546dbdc5d75018b_goldeneye.exe	28
PID 1920 wrote to memory of 2932	1920	2024-03-27_abc734a0c5b93bf79546dbdc5d75018b_goldeneye.exe	28
PID 1920 wrote to memory of 2932	1920	2024-03-27_abc734a0c5b93bf79546dbdc5d75018b_goldeneye.exe	28
PID 1920 wrote to memory of 2932	1920	2024-03-27_abc734a0c5b93bf79546dbdc5d75018b_goldeneye.exe	28
PID 1920 wrote to memory of 2768	1920	2024-03-27_abc734a0c5b93bf79546dbdc5d75018b_goldeneye.exe	29
PID 1920 wrote to memory of 2768	1920	2024-03-27_abc734a0c5b93bf79546dbdc5d75018b_goldeneye.exe	29
PID 1920 wrote to memory of 2768	1920	2024-03-27_abc734a0c5b93bf79546dbdc5d75018b_goldeneye.exe	29
PID 1920 wrote to memory of 2768	1920	2024-03-27_abc734a0c5b93bf79546dbdc5d75018b_goldeneye.exe	29
PID 2932 wrote to memory of 2936	2932	{C6DAE1E2-B9FD-4d5e-918A-06DD5AC86047}.exe	30
PID 2932 wrote to memory of 2936	2932	{C6DAE1E2-B9FD-4d5e-918A-06DD5AC86047}.exe	30
PID 2932 wrote to memory of 2936	2932	{C6DAE1E2-B9FD-4d5e-918A-06DD5AC86047}.exe	30
PID 2932 wrote to memory of 2936	2932	{C6DAE1E2-B9FD-4d5e-918A-06DD5AC86047}.exe	30
PID 2932 wrote to memory of 2228	2932	{C6DAE1E2-B9FD-4d5e-918A-06DD5AC86047}.exe	31
PID 2932 wrote to memory of 2228	2932	{C6DAE1E2-B9FD-4d5e-918A-06DD5AC86047}.exe	31
PID 2932 wrote to memory of 2228	2932	{C6DAE1E2-B9FD-4d5e-918A-06DD5AC86047}.exe	31
PID 2932 wrote to memory of 2228	2932	{C6DAE1E2-B9FD-4d5e-918A-06DD5AC86047}.exe	31
PID 2936 wrote to memory of 2460	2936	{50E4207D-ABDB-42b8-A455-38EFDDD5E532}.exe	34
PID 2936 wrote to memory of 2460	2936	{50E4207D-ABDB-42b8-A455-38EFDDD5E532}.exe	34
PID 2936 wrote to memory of 2460	2936	{50E4207D-ABDB-42b8-A455-38EFDDD5E532}.exe	34
PID 2936 wrote to memory of 2460	2936	{50E4207D-ABDB-42b8-A455-38EFDDD5E532}.exe	34
PID 2936 wrote to memory of 2884	2936	{50E4207D-ABDB-42b8-A455-38EFDDD5E532}.exe	35
PID 2936 wrote to memory of 2884	2936	{50E4207D-ABDB-42b8-A455-38EFDDD5E532}.exe	35
PID 2936 wrote to memory of 2884	2936	{50E4207D-ABDB-42b8-A455-38EFDDD5E532}.exe	35
PID 2936 wrote to memory of 2884	2936	{50E4207D-ABDB-42b8-A455-38EFDDD5E532}.exe	35
PID 2460 wrote to memory of 1800	2460	{656A559C-CA60-45fa-8F4D-DDC603C79917}.exe	36
PID 2460 wrote to memory of 1800	2460	{656A559C-CA60-45fa-8F4D-DDC603C79917}.exe	36
PID 2460 wrote to memory of 1800	2460	{656A559C-CA60-45fa-8F4D-DDC603C79917}.exe	36
PID 2460 wrote to memory of 1800	2460	{656A559C-CA60-45fa-8F4D-DDC603C79917}.exe	36
PID 2460 wrote to memory of 324	2460	{656A559C-CA60-45fa-8F4D-DDC603C79917}.exe	37
PID 2460 wrote to memory of 324	2460	{656A559C-CA60-45fa-8F4D-DDC603C79917}.exe	37
PID 2460 wrote to memory of 324	2460	{656A559C-CA60-45fa-8F4D-DDC603C79917}.exe	37
PID 2460 wrote to memory of 324	2460	{656A559C-CA60-45fa-8F4D-DDC603C79917}.exe	37
PID 1800 wrote to memory of 1088	1800	{7787CCB1-5872-433c-8198-D76D0E916D56}.exe	38
PID 1800 wrote to memory of 1088	1800	{7787CCB1-5872-433c-8198-D76D0E916D56}.exe	38
PID 1800 wrote to memory of 1088	1800	{7787CCB1-5872-433c-8198-D76D0E916D56}.exe	38
PID 1800 wrote to memory of 1088	1800	{7787CCB1-5872-433c-8198-D76D0E916D56}.exe	38
PID 1800 wrote to memory of 2692	1800	{7787CCB1-5872-433c-8198-D76D0E916D56}.exe	39
PID 1800 wrote to memory of 2692	1800	{7787CCB1-5872-433c-8198-D76D0E916D56}.exe	39
PID 1800 wrote to memory of 2692	1800	{7787CCB1-5872-433c-8198-D76D0E916D56}.exe	39
PID 1800 wrote to memory of 2692	1800	{7787CCB1-5872-433c-8198-D76D0E916D56}.exe	39
PID 1088 wrote to memory of 2748	1088	{694C85DC-07B7-4860-AA7D-6377E4ACEB82}.exe	40
PID 1088 wrote to memory of 2748	1088	{694C85DC-07B7-4860-AA7D-6377E4ACEB82}.exe	40
PID 1088 wrote to memory of 2748	1088	{694C85DC-07B7-4860-AA7D-6377E4ACEB82}.exe	40
PID 1088 wrote to memory of 2748	1088	{694C85DC-07B7-4860-AA7D-6377E4ACEB82}.exe	40
PID 1088 wrote to memory of 996	1088	{694C85DC-07B7-4860-AA7D-6377E4ACEB82}.exe	41
PID 1088 wrote to memory of 996	1088	{694C85DC-07B7-4860-AA7D-6377E4ACEB82}.exe	41
PID 1088 wrote to memory of 996	1088	{694C85DC-07B7-4860-AA7D-6377E4ACEB82}.exe	41
PID 1088 wrote to memory of 996	1088	{694C85DC-07B7-4860-AA7D-6377E4ACEB82}.exe	41
PID 2748 wrote to memory of 1988	2748	{058B337F-C3B0-45e3-A613-C87EFB6C13EE}.exe	42
PID 2748 wrote to memory of 1988	2748	{058B337F-C3B0-45e3-A613-C87EFB6C13EE}.exe	42
PID 2748 wrote to memory of 1988	2748	{058B337F-C3B0-45e3-A613-C87EFB6C13EE}.exe	42
PID 2748 wrote to memory of 1988	2748	{058B337F-C3B0-45e3-A613-C87EFB6C13EE}.exe	42
PID 2748 wrote to memory of 2020	2748	{058B337F-C3B0-45e3-A613-C87EFB6C13EE}.exe	43
PID 2748 wrote to memory of 2020	2748	{058B337F-C3B0-45e3-A613-C87EFB6C13EE}.exe	43
PID 2748 wrote to memory of 2020	2748	{058B337F-C3B0-45e3-A613-C87EFB6C13EE}.exe	43
PID 2748 wrote to memory of 2020	2748	{058B337F-C3B0-45e3-A613-C87EFB6C13EE}.exe	43
PID 1988 wrote to memory of 980	1988	{8BF0B03A-A2C8-4ce1-9AC7-FB3C387F444E}.exe	44
PID 1988 wrote to memory of 980	1988	{8BF0B03A-A2C8-4ce1-9AC7-FB3C387F444E}.exe	44
PID 1988 wrote to memory of 980	1988	{8BF0B03A-A2C8-4ce1-9AC7-FB3C387F444E}.exe	44
PID 1988 wrote to memory of 980	1988	{8BF0B03A-A2C8-4ce1-9AC7-FB3C387F444E}.exe	44
PID 1988 wrote to memory of 108	1988	{8BF0B03A-A2C8-4ce1-9AC7-FB3C387F444E}.exe	45
PID 1988 wrote to memory of 108	1988	{8BF0B03A-A2C8-4ce1-9AC7-FB3C387F444E}.exe	45
PID 1988 wrote to memory of 108	1988	{8BF0B03A-A2C8-4ce1-9AC7-FB3C387F444E}.exe	45
PID 1988 wrote to memory of 108	1988	{8BF0B03A-A2C8-4ce1-9AC7-FB3C387F444E}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-03-27_abc734a0c5b93bf79546dbdc5d75018b_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-27_abc734a0c5b93bf79546dbdc5d75018b_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1920
- C:\Windows\{C6DAE1E2-B9FD-4d5e-918A-06DD5AC86047}.exe
  C:\Windows\{C6DAE1E2-B9FD-4d5e-918A-06DD5AC86047}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2932
- - C:\Windows\{50E4207D-ABDB-42b8-A455-38EFDDD5E532}.exe
    C:\Windows\{50E4207D-ABDB-42b8-A455-38EFDDD5E532}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2936
  - - C:\Windows\{656A559C-CA60-45fa-8F4D-DDC603C79917}.exe
      C:\Windows\{656A559C-CA60-45fa-8F4D-DDC603C79917}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2460
    - - C:\Windows\{7787CCB1-5872-433c-8198-D76D0E916D56}.exe
        
        C:\Windows\{7787CCB1-5872-433c-8198-D76D0E916D56}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1800
      - C:\Windows\{694C85DC-07B7-4860-AA7D-6377E4ACEB82}.exe
        
        C:\Windows\{694C85DC-07B7-4860-AA7D-6377E4ACEB82}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1088
        
        C:\Windows\{058B337F-C3B0-45e3-A613-C87EFB6C13EE}.exe
        
        C:\Windows\{058B337F-C3B0-45e3-A613-C87EFB6C13EE}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2748
        
        C:\Windows\{8BF0B03A-A2C8-4ce1-9AC7-FB3C387F444E}.exe
        
        C:\Windows\{8BF0B03A-A2C8-4ce1-9AC7-FB3C387F444E}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1988
        
        C:\Windows\{17B895E8-BDA2-4957-9701-C25C7E4E1EF1}.exe
        
        C:\Windows\{17B895E8-BDA2-4957-9701-C25C7E4E1EF1}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:980
        
        C:\Windows\{3940D629-48E0-4973-804E-E79130CA3495}.exe
        
        C:\Windows\{3940D629-48E0-4973-804E-E79130CA3495}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1528
        
        C:\Windows\{76194862-209F-45ac-9ED0-11C75898964E}.exe
        
        C:\Windows\{76194862-209F-45ac-9ED0-11C75898964E}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2224
        
        C:\Windows\{895EC5B7-A8E0-4368-A964-6D25E6B7CBBD}.exe
        
        C:\Windows\{895EC5B7-A8E0-4368-A964-6D25E6B7CBBD}.exe
        12⤵
        Executes dropped EXE
        
        PID:2096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{76194~1.EXE > nul
        12⤵
        
        PID:1788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3940D~1.EXE > nul
        11⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{17B89~1.EXE > nul
        10⤵
        
        PID:620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8BF0B~1.EXE > nul
        9⤵
        
        PID:108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{058B3~1.EXE > nul
        8⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{694C8~1.EXE > nul
        7⤵
        
        PID:996
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7787C~1.EXE > nul
        6⤵
        
        PID:2692
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{656A5~1.EXE > nul
        5⤵
        
        PID:324
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{50E42~1.EXE > nul
      4⤵
      PID:2884
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{C6DAE~1.EXE > nul
    3⤵
    PID:2228
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{058B337F-C3B0-45e3-A613-C87EFB6C13EE}.exe

Filesize
408KB

MD5
c888fb0e19dd03d3ce2cd709ef8bfd5f

SHA1
40e8538d5137051da1d11203ce312cd44942efc0

SHA256
24fded4641cb03711f092aba284f52c8aecfc7cc323cfe51885a63ce4afacfc5

SHA512
98535fa7c77fe7a4f0d73f0a2ae60a99bc112d3b953872559bc458495b8b319b8e32f76bfa111747da75fb8469377189ea64d36b241d3c2077e2a2fec92afb11

Download Submit
C:\Windows\{17B895E8-BDA2-4957-9701-C25C7E4E1EF1}.exe

Filesize
408KB

MD5
0ea11f59236f0b6c2565cb1c301e32fe

SHA1
884bb1d52ef3032e3d9d3b81b763468b816c72f1

SHA256
3f96d1b04a9ea5a3e46f627b5e313cbdb4caad848c241ab0e9094bd08ce177fb

SHA512
f0da737df505c4367d9536eb1d0956f01314da4679558564c4d3b5060be04128984730762ef6457244ce15af0bd10ed902517f1da6097ed1ffb6ffe9794c7fc9

Download Submit
C:\Windows\{3940D629-48E0-4973-804E-E79130CA3495}.exe

Filesize
408KB

MD5
3972ab3be375a0cdd5909b9f9eff985b

SHA1
a843b5df87259c54348208b35d84de9982a1bb42

SHA256
5720c0438855812b5c7c1bbafc8f012f3f2042efb6e8e6d95152a53442b1d302

SHA512
937759a1ace05f21a54c697a7065d002609adc8c5a51ba1bcc1e3724b25ca0df5ef15a1a20821dd5ef919b6576ffab373a91f3b4c08ae4df64321acd67cb3f29

Download Submit
C:\Windows\{50E4207D-ABDB-42b8-A455-38EFDDD5E532}.exe

Filesize
408KB

MD5
9b3acc10ac9572afb4c59099fb30265e

SHA1
b8a511985fd7d5cc8632b9b96989feeb100f8dc7

SHA256
fad23400481e76565e1a44c89ea5ba83a6f3323bb792529a755296161eebf387

SHA512
235d1173d29c42732620bb926c2f81c6e5279fc47117ccf02cc613e4d1011bda02cd0ddc6bb36b81ca2d101b208b8406cc608e2fe97c8a9e9031d9f079c924f5

Download Submit
C:\Windows\{656A559C-CA60-45fa-8F4D-DDC603C79917}.exe

Filesize
408KB

MD5
393a5676b22584e8157fc5ce0b4f1906

SHA1
17e8c4eb868a1ec8b04090d62417a8323a00b71d

SHA256
1a26f68ca5496d07a30e1c88534593ebf6bff810d9a4ada5070ff2b48447d9b9

SHA512
dc88108805ffd79d570624654f5e6f893e109313785e5b0e6d916610814a1240924c511cbf46515ab2a35c149b07effb4cb76f4266441a25963f87b4f067da9a

Download Submit
C:\Windows\{694C85DC-07B7-4860-AA7D-6377E4ACEB82}.exe

Filesize
408KB

MD5
72cc64dfd7158a2bfa807f069c213368

SHA1
68666dcc2e9edcba0cbe911994f1a272ba030458

SHA256
8a848a681dc42287c2b0574955555d9b191b68524810cee2347d2447ddbb8737

SHA512
f55e41cd764616b346b46aaedd040ecf190eaa2d834f8e610fe9ed71b31bffbe6af2aa286916ab13dc28333898143560b6a8580ad86f16e673ceed96c481440f

Download Submit
C:\Windows\{76194862-209F-45ac-9ED0-11C75898964E}.exe

Filesize
408KB

MD5
ccdbfb1a2578402f1dbbd4ca5def1a37

SHA1
34d03e30b7b4f1008b43dc9738491892418cb470

SHA256
1d448225abc55469195aed2353bc39d9a2c45f7cc3d5f118fa5ce0f6ef3f01e4

SHA512
afd9f49872f9ca645a97110d88e6042b5705f54ea9231f36a99d8e5ec1b366488a50ba320133004bd0bccd90f44d34d63c461f976c862ef721ba12189d7e24e8

Download Submit
C:\Windows\{7787CCB1-5872-433c-8198-D76D0E916D56}.exe

Filesize
408KB

MD5
edd1470dfd4987bfea340776fa18c23d

SHA1
a4757da6746a904423d7251cb2ef4bb2ee4bc310

SHA256
5973a25eacb40d531bd812c612d12d0145a1755720352728097a8f28d053d23b

SHA512
dff05bf9c61501de5b1a022c3b1a1a78ecbc7866ad76a8a8384808dfc3463a5f910e710f7e08d363b0f26cbdc16e265b9936468c02523b709e5146a31b83e637

Download Submit
C:\Windows\{895EC5B7-A8E0-4368-A964-6D25E6B7CBBD}.exe

Filesize
408KB

MD5
1f70a9cb590f27e81fe77180b9da1d48

SHA1
6e585b16bbe7d4a0ce28e713da94c407b1400855

SHA256
894585d84d17bcca205caf05b65ff6848f52053183dccd787763244990c3ab22

SHA512
722f97682196fd9b68bcd7d952c90dbbc92ed1b11f7eb1bdeea9df800158ff1e3ac05fdb0fc27d84e713a7661ae3b70a0aee71a73c89a5d8c8ba9d712f02e0d6

Download Submit
C:\Windows\{8BF0B03A-A2C8-4ce1-9AC7-FB3C387F444E}.exe

Filesize
408KB

MD5
45c3bc5955932c68dfda113d058249a3

SHA1
a9e9a4d68f874c269b11eb36610fe5d74340420f

SHA256
69c66ed4b6f7880daf60e776d24e6855ae9c9f21cce91769e47fb58d11265885

SHA512
c75125630a42c5bd69eee7f73e35be251696111017f69f659880e783d64664451c035292530c980037cc384ff7df4908c30ac0af4b5adf7105bd3f46468a3a38

Download Submit
C:\Windows\{C6DAE1E2-B9FD-4d5e-918A-06DD5AC86047}.exe

Filesize
408KB

MD5
3bef04036085af96772524cf90dc4c4a

SHA1
10b092d5c1f10025f3235b95e15a09cd8ba2f563

SHA256
f68716cafb4b8098d3297125f4bb37433c1461191c94d678071ce70213b35551

SHA512
69a0833d861b42ad2c90dce666963120bf7d5a2b805fb38ed77d055e81017c895d127945eb5a14ee3a7fa54ff93011bd94b9b34b8a4c9b8e640acbc004b96fdd

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads