ad7176b090703b5d0f62a10fe044f913046df6db94291ac10bd77c5fc15125fc

Analysis

max time kernel
144s
max time network
119s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
28-03-2024 03:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-28_8c13cbf63e4a3a6b129b8386712a5951_goldeneye.exe
Size

344KB
MD5

8c13cbf63e4a3a6b129b8386712a5951
SHA1

5111f7d0124f278032de5024af4551a0c5ce9a97
SHA256

ad7176b090703b5d0f62a10fe044f913046df6db94291ac10bd77c5fc15125fc
SHA512

5fa91715e6a343174dc3f2275441f80a6c11ce6f61c5000737c9d18b620b9f1127a5af9ec35d79eae7d319050b171f7ea02767c6013092f100a45cca8c4a3c78
SSDEEP

3072:mEGh0oclEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGqlqOe2MUVg3v2IneKcAEcA

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000c0000000122f0-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b0000000149f5-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d0000000122f0-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000015018-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000005a59-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e0000000122f0-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000005a59-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f0000000122f0-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000005a59-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00100000000122f0-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000005a59-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F62021B1-B4E4-45bd-B287-F7641EF85352}	{C65CD589-259D-4c53-8860-ED902EBFFBF0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7F8C3DAC-EC09-4598-AD62-60C4010F15C4}	{C2F47E32-1201-4f39-A3E3-3213FF698063}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7F8C3DAC-EC09-4598-AD62-60C4010F15C4}\stubpath = "C:\\Windows\\{7F8C3DAC-EC09-4598-AD62-60C4010F15C4}.exe"	{C2F47E32-1201-4f39-A3E3-3213FF698063}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{51C7DCEB-3FE9-4551-AE5C-7CAE2577F402}	{EBB395D9-C165-4c88-8DAC-147CBC714181}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{26A65E85-71A4-4788-A7BB-116D28CFC61B}\stubpath = "C:\\Windows\\{26A65E85-71A4-4788-A7BB-116D28CFC61B}.exe"	{51C7DCEB-3FE9-4551-AE5C-7CAE2577F402}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{78F0760A-0F75-4461-91CC-46178780DF47}	{26A65E85-71A4-4788-A7BB-116D28CFC61B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{78F0760A-0F75-4461-91CC-46178780DF47}\stubpath = "C:\\Windows\\{78F0760A-0F75-4461-91CC-46178780DF47}.exe"	{26A65E85-71A4-4788-A7BB-116D28CFC61B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{26A65E85-71A4-4788-A7BB-116D28CFC61B}	{51C7DCEB-3FE9-4551-AE5C-7CAE2577F402}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C65CD589-259D-4c53-8860-ED902EBFFBF0}\stubpath = "C:\\Windows\\{C65CD589-259D-4c53-8860-ED902EBFFBF0}.exe"	{78F0760A-0F75-4461-91CC-46178780DF47}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C2F47E32-1201-4f39-A3E3-3213FF698063}	{F62021B1-B4E4-45bd-B287-F7641EF85352}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F62021B1-B4E4-45bd-B287-F7641EF85352}\stubpath = "C:\\Windows\\{F62021B1-B4E4-45bd-B287-F7641EF85352}.exe"	{C65CD589-259D-4c53-8860-ED902EBFFBF0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3759ABA3-D8FA-46d4-8272-95B9BB7A085F}	{61E7927A-9B72-4d4f-8C1C-0FAA3D612920}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{017F4908-CD14-4fb1-8D7C-1A67044CE19C}	{3759ABA3-D8FA-46d4-8272-95B9BB7A085F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EBB395D9-C165-4c88-8DAC-147CBC714181}	2024-03-28_8c13cbf63e4a3a6b129b8386712a5951_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EBB395D9-C165-4c88-8DAC-147CBC714181}\stubpath = "C:\\Windows\\{EBB395D9-C165-4c88-8DAC-147CBC714181}.exe"	2024-03-28_8c13cbf63e4a3a6b129b8386712a5951_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{51C7DCEB-3FE9-4551-AE5C-7CAE2577F402}\stubpath = "C:\\Windows\\{51C7DCEB-3FE9-4551-AE5C-7CAE2577F402}.exe"	{EBB395D9-C165-4c88-8DAC-147CBC714181}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C65CD589-259D-4c53-8860-ED902EBFFBF0}	{78F0760A-0F75-4461-91CC-46178780DF47}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{017F4908-CD14-4fb1-8D7C-1A67044CE19C}\stubpath = "C:\\Windows\\{017F4908-CD14-4fb1-8D7C-1A67044CE19C}.exe"	{3759ABA3-D8FA-46d4-8272-95B9BB7A085F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C2F47E32-1201-4f39-A3E3-3213FF698063}\stubpath = "C:\\Windows\\{C2F47E32-1201-4f39-A3E3-3213FF698063}.exe"	{F62021B1-B4E4-45bd-B287-F7641EF85352}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{61E7927A-9B72-4d4f-8C1C-0FAA3D612920}	{7F8C3DAC-EC09-4598-AD62-60C4010F15C4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{61E7927A-9B72-4d4f-8C1C-0FAA3D612920}\stubpath = "C:\\Windows\\{61E7927A-9B72-4d4f-8C1C-0FAA3D612920}.exe"	{7F8C3DAC-EC09-4598-AD62-60C4010F15C4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3759ABA3-D8FA-46d4-8272-95B9BB7A085F}\stubpath = "C:\\Windows\\{3759ABA3-D8FA-46d4-8272-95B9BB7A085F}.exe"	{61E7927A-9B72-4d4f-8C1C-0FAA3D612920}.exe

Deletes itself 1 IoCs

pid	Process
668	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2172	{EBB395D9-C165-4c88-8DAC-147CBC714181}.exe
2596	{51C7DCEB-3FE9-4551-AE5C-7CAE2577F402}.exe
2460	{26A65E85-71A4-4788-A7BB-116D28CFC61B}.exe
2524	{78F0760A-0F75-4461-91CC-46178780DF47}.exe
2168	{C65CD589-259D-4c53-8860-ED902EBFFBF0}.exe
1972	{F62021B1-B4E4-45bd-B287-F7641EF85352}.exe
2776	{C2F47E32-1201-4f39-A3E3-3213FF698063}.exe
1456	{7F8C3DAC-EC09-4598-AD62-60C4010F15C4}.exe
3028	{61E7927A-9B72-4d4f-8C1C-0FAA3D612920}.exe
1864	{3759ABA3-D8FA-46d4-8272-95B9BB7A085F}.exe
1480	{017F4908-CD14-4fb1-8D7C-1A67044CE19C}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{26A65E85-71A4-4788-A7BB-116D28CFC61B}.exe	{51C7DCEB-3FE9-4551-AE5C-7CAE2577F402}.exe
File created	C:\Windows\{C65CD589-259D-4c53-8860-ED902EBFFBF0}.exe	{78F0760A-0F75-4461-91CC-46178780DF47}.exe
File created	C:\Windows\{F62021B1-B4E4-45bd-B287-F7641EF85352}.exe	{C65CD589-259D-4c53-8860-ED902EBFFBF0}.exe
File created	C:\Windows\{C2F47E32-1201-4f39-A3E3-3213FF698063}.exe	{F62021B1-B4E4-45bd-B287-F7641EF85352}.exe
File created	C:\Windows\{7F8C3DAC-EC09-4598-AD62-60C4010F15C4}.exe	{C2F47E32-1201-4f39-A3E3-3213FF698063}.exe
File created	C:\Windows\{61E7927A-9B72-4d4f-8C1C-0FAA3D612920}.exe	{7F8C3DAC-EC09-4598-AD62-60C4010F15C4}.exe
File created	C:\Windows\{3759ABA3-D8FA-46d4-8272-95B9BB7A085F}.exe	{61E7927A-9B72-4d4f-8C1C-0FAA3D612920}.exe
File created	C:\Windows\{017F4908-CD14-4fb1-8D7C-1A67044CE19C}.exe	{3759ABA3-D8FA-46d4-8272-95B9BB7A085F}.exe
File created	C:\Windows\{EBB395D9-C165-4c88-8DAC-147CBC714181}.exe	2024-03-28_8c13cbf63e4a3a6b129b8386712a5951_goldeneye.exe
File created	C:\Windows\{51C7DCEB-3FE9-4551-AE5C-7CAE2577F402}.exe	{EBB395D9-C165-4c88-8DAC-147CBC714181}.exe
File created	C:\Windows\{78F0760A-0F75-4461-91CC-46178780DF47}.exe	{26A65E85-71A4-4788-A7BB-116D28CFC61B}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	756	2024-03-28_8c13cbf63e4a3a6b129b8386712a5951_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2172	{EBB395D9-C165-4c88-8DAC-147CBC714181}.exe
Token: SeIncBasePriorityPrivilege	2596	{51C7DCEB-3FE9-4551-AE5C-7CAE2577F402}.exe
Token: SeIncBasePriorityPrivilege	2460	{26A65E85-71A4-4788-A7BB-116D28CFC61B}.exe
Token: SeIncBasePriorityPrivilege	2524	{78F0760A-0F75-4461-91CC-46178780DF47}.exe
Token: SeIncBasePriorityPrivilege	2168	{C65CD589-259D-4c53-8860-ED902EBFFBF0}.exe
Token: SeIncBasePriorityPrivilege	1972	{F62021B1-B4E4-45bd-B287-F7641EF85352}.exe
Token: SeIncBasePriorityPrivilege	2776	{C2F47E32-1201-4f39-A3E3-3213FF698063}.exe
Token: SeIncBasePriorityPrivilege	1456	{7F8C3DAC-EC09-4598-AD62-60C4010F15C4}.exe
Token: SeIncBasePriorityPrivilege	3028	{61E7927A-9B72-4d4f-8C1C-0FAA3D612920}.exe
Token: SeIncBasePriorityPrivilege	1864	{3759ABA3-D8FA-46d4-8272-95B9BB7A085F}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 756 wrote to memory of 2172	756	2024-03-28_8c13cbf63e4a3a6b129b8386712a5951_goldeneye.exe	28
PID 756 wrote to memory of 2172	756	2024-03-28_8c13cbf63e4a3a6b129b8386712a5951_goldeneye.exe	28
PID 756 wrote to memory of 2172	756	2024-03-28_8c13cbf63e4a3a6b129b8386712a5951_goldeneye.exe	28
PID 756 wrote to memory of 2172	756	2024-03-28_8c13cbf63e4a3a6b129b8386712a5951_goldeneye.exe	28
PID 756 wrote to memory of 668	756	2024-03-28_8c13cbf63e4a3a6b129b8386712a5951_goldeneye.exe	29
PID 756 wrote to memory of 668	756	2024-03-28_8c13cbf63e4a3a6b129b8386712a5951_goldeneye.exe	29
PID 756 wrote to memory of 668	756	2024-03-28_8c13cbf63e4a3a6b129b8386712a5951_goldeneye.exe	29
PID 756 wrote to memory of 668	756	2024-03-28_8c13cbf63e4a3a6b129b8386712a5951_goldeneye.exe	29
PID 2172 wrote to memory of 2596	2172	{EBB395D9-C165-4c88-8DAC-147CBC714181}.exe	30
PID 2172 wrote to memory of 2596	2172	{EBB395D9-C165-4c88-8DAC-147CBC714181}.exe	30
PID 2172 wrote to memory of 2596	2172	{EBB395D9-C165-4c88-8DAC-147CBC714181}.exe	30
PID 2172 wrote to memory of 2596	2172	{EBB395D9-C165-4c88-8DAC-147CBC714181}.exe	30
PID 2172 wrote to memory of 2660	2172	{EBB395D9-C165-4c88-8DAC-147CBC714181}.exe	31
PID 2172 wrote to memory of 2660	2172	{EBB395D9-C165-4c88-8DAC-147CBC714181}.exe	31
PID 2172 wrote to memory of 2660	2172	{EBB395D9-C165-4c88-8DAC-147CBC714181}.exe	31
PID 2172 wrote to memory of 2660	2172	{EBB395D9-C165-4c88-8DAC-147CBC714181}.exe	31
PID 2596 wrote to memory of 2460	2596	{51C7DCEB-3FE9-4551-AE5C-7CAE2577F402}.exe	32
PID 2596 wrote to memory of 2460	2596	{51C7DCEB-3FE9-4551-AE5C-7CAE2577F402}.exe	32
PID 2596 wrote to memory of 2460	2596	{51C7DCEB-3FE9-4551-AE5C-7CAE2577F402}.exe	32
PID 2596 wrote to memory of 2460	2596	{51C7DCEB-3FE9-4551-AE5C-7CAE2577F402}.exe	32
PID 2596 wrote to memory of 2892	2596	{51C7DCEB-3FE9-4551-AE5C-7CAE2577F402}.exe	33
PID 2596 wrote to memory of 2892	2596	{51C7DCEB-3FE9-4551-AE5C-7CAE2577F402}.exe	33
PID 2596 wrote to memory of 2892	2596	{51C7DCEB-3FE9-4551-AE5C-7CAE2577F402}.exe	33
PID 2596 wrote to memory of 2892	2596	{51C7DCEB-3FE9-4551-AE5C-7CAE2577F402}.exe	33
PID 2460 wrote to memory of 2524	2460	{26A65E85-71A4-4788-A7BB-116D28CFC61B}.exe	36
PID 2460 wrote to memory of 2524	2460	{26A65E85-71A4-4788-A7BB-116D28CFC61B}.exe	36
PID 2460 wrote to memory of 2524	2460	{26A65E85-71A4-4788-A7BB-116D28CFC61B}.exe	36
PID 2460 wrote to memory of 2524	2460	{26A65E85-71A4-4788-A7BB-116D28CFC61B}.exe	36
PID 2460 wrote to memory of 2824	2460	{26A65E85-71A4-4788-A7BB-116D28CFC61B}.exe	37
PID 2460 wrote to memory of 2824	2460	{26A65E85-71A4-4788-A7BB-116D28CFC61B}.exe	37
PID 2460 wrote to memory of 2824	2460	{26A65E85-71A4-4788-A7BB-116D28CFC61B}.exe	37
PID 2460 wrote to memory of 2824	2460	{26A65E85-71A4-4788-A7BB-116D28CFC61B}.exe	37
PID 2524 wrote to memory of 2168	2524	{78F0760A-0F75-4461-91CC-46178780DF47}.exe	38
PID 2524 wrote to memory of 2168	2524	{78F0760A-0F75-4461-91CC-46178780DF47}.exe	38
PID 2524 wrote to memory of 2168	2524	{78F0760A-0F75-4461-91CC-46178780DF47}.exe	38
PID 2524 wrote to memory of 2168	2524	{78F0760A-0F75-4461-91CC-46178780DF47}.exe	38
PID 2524 wrote to memory of 2520	2524	{78F0760A-0F75-4461-91CC-46178780DF47}.exe	39
PID 2524 wrote to memory of 2520	2524	{78F0760A-0F75-4461-91CC-46178780DF47}.exe	39
PID 2524 wrote to memory of 2520	2524	{78F0760A-0F75-4461-91CC-46178780DF47}.exe	39
PID 2524 wrote to memory of 2520	2524	{78F0760A-0F75-4461-91CC-46178780DF47}.exe	39
PID 2168 wrote to memory of 1972	2168	{C65CD589-259D-4c53-8860-ED902EBFFBF0}.exe	40
PID 2168 wrote to memory of 1972	2168	{C65CD589-259D-4c53-8860-ED902EBFFBF0}.exe	40
PID 2168 wrote to memory of 1972	2168	{C65CD589-259D-4c53-8860-ED902EBFFBF0}.exe	40
PID 2168 wrote to memory of 1972	2168	{C65CD589-259D-4c53-8860-ED902EBFFBF0}.exe	40
PID 2168 wrote to memory of 2852	2168	{C65CD589-259D-4c53-8860-ED902EBFFBF0}.exe	41
PID 2168 wrote to memory of 2852	2168	{C65CD589-259D-4c53-8860-ED902EBFFBF0}.exe	41
PID 2168 wrote to memory of 2852	2168	{C65CD589-259D-4c53-8860-ED902EBFFBF0}.exe	41
PID 2168 wrote to memory of 2852	2168	{C65CD589-259D-4c53-8860-ED902EBFFBF0}.exe	41
PID 1972 wrote to memory of 2776	1972	{F62021B1-B4E4-45bd-B287-F7641EF85352}.exe	42
PID 1972 wrote to memory of 2776	1972	{F62021B1-B4E4-45bd-B287-F7641EF85352}.exe	42
PID 1972 wrote to memory of 2776	1972	{F62021B1-B4E4-45bd-B287-F7641EF85352}.exe	42
PID 1972 wrote to memory of 2776	1972	{F62021B1-B4E4-45bd-B287-F7641EF85352}.exe	42
PID 1972 wrote to memory of 2864	1972	{F62021B1-B4E4-45bd-B287-F7641EF85352}.exe	43
PID 1972 wrote to memory of 2864	1972	{F62021B1-B4E4-45bd-B287-F7641EF85352}.exe	43
PID 1972 wrote to memory of 2864	1972	{F62021B1-B4E4-45bd-B287-F7641EF85352}.exe	43
PID 1972 wrote to memory of 2864	1972	{F62021B1-B4E4-45bd-B287-F7641EF85352}.exe	43
PID 2776 wrote to memory of 1456	2776	{C2F47E32-1201-4f39-A3E3-3213FF698063}.exe	44
PID 2776 wrote to memory of 1456	2776	{C2F47E32-1201-4f39-A3E3-3213FF698063}.exe	44
PID 2776 wrote to memory of 1456	2776	{C2F47E32-1201-4f39-A3E3-3213FF698063}.exe	44
PID 2776 wrote to memory of 1456	2776	{C2F47E32-1201-4f39-A3E3-3213FF698063}.exe	44
PID 2776 wrote to memory of 1524	2776	{C2F47E32-1201-4f39-A3E3-3213FF698063}.exe	45
PID 2776 wrote to memory of 1524	2776	{C2F47E32-1201-4f39-A3E3-3213FF698063}.exe	45
PID 2776 wrote to memory of 1524	2776	{C2F47E32-1201-4f39-A3E3-3213FF698063}.exe	45
PID 2776 wrote to memory of 1524	2776	{C2F47E32-1201-4f39-A3E3-3213FF698063}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-03-28_8c13cbf63e4a3a6b129b8386712a5951_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-28_8c13cbf63e4a3a6b129b8386712a5951_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:756
- C:\Windows\{EBB395D9-C165-4c88-8DAC-147CBC714181}.exe
  C:\Windows\{EBB395D9-C165-4c88-8DAC-147CBC714181}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2172
- - C:\Windows\{51C7DCEB-3FE9-4551-AE5C-7CAE2577F402}.exe
    C:\Windows\{51C7DCEB-3FE9-4551-AE5C-7CAE2577F402}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2596
  - - C:\Windows\{26A65E85-71A4-4788-A7BB-116D28CFC61B}.exe
      C:\Windows\{26A65E85-71A4-4788-A7BB-116D28CFC61B}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2460
    - - C:\Windows\{78F0760A-0F75-4461-91CC-46178780DF47}.exe
        
        C:\Windows\{78F0760A-0F75-4461-91CC-46178780DF47}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2524
      - C:\Windows\{C65CD589-259D-4c53-8860-ED902EBFFBF0}.exe
        
        C:\Windows\{C65CD589-259D-4c53-8860-ED902EBFFBF0}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2168
        
        C:\Windows\{F62021B1-B4E4-45bd-B287-F7641EF85352}.exe
        
        C:\Windows\{F62021B1-B4E4-45bd-B287-F7641EF85352}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1972
        
        C:\Windows\{C2F47E32-1201-4f39-A3E3-3213FF698063}.exe
        
        C:\Windows\{C2F47E32-1201-4f39-A3E3-3213FF698063}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2776
        
        C:\Windows\{7F8C3DAC-EC09-4598-AD62-60C4010F15C4}.exe
        
        C:\Windows\{7F8C3DAC-EC09-4598-AD62-60C4010F15C4}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1456
        
        C:\Windows\{61E7927A-9B72-4d4f-8C1C-0FAA3D612920}.exe
        
        C:\Windows\{61E7927A-9B72-4d4f-8C1C-0FAA3D612920}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3028
        
        C:\Windows\{3759ABA3-D8FA-46d4-8272-95B9BB7A085F}.exe
        
        C:\Windows\{3759ABA3-D8FA-46d4-8272-95B9BB7A085F}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1864
        
        C:\Windows\{017F4908-CD14-4fb1-8D7C-1A67044CE19C}.exe
        
        C:\Windows\{017F4908-CD14-4fb1-8D7C-1A67044CE19C}.exe
        12⤵
        Executes dropped EXE
        
        PID:1480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3759A~1.EXE > nul
        12⤵
        
        PID:572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{61E79~1.EXE > nul
        11⤵
        
        PID:600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7F8C3~1.EXE > nul
        10⤵
        
        PID:1124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C2F47~1.EXE > nul
        9⤵
        
        PID:1524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F6202~1.EXE > nul
        8⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C65CD~1.EXE > nul
        7⤵
        
        PID:2852
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{78F07~1.EXE > nul
        6⤵
        
        PID:2520
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{26A65~1.EXE > nul
        5⤵
        
        PID:2824
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{51C7D~1.EXE > nul
      4⤵
      PID:2892
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{EBB39~1.EXE > nul
    3⤵
    PID:2660
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{017F4908-CD14-4fb1-8D7C-1A67044CE19C}.exe

Filesize
344KB

MD5
0ffe052a36f38eaf30ba2aadd939878d

SHA1
97cdd17a8e6c216b3d23fb12cfb72677c1a8fc71

SHA256
4117bb2ab4c218fdb292819a8255c674ec4b376b66f40c12e5b89679d70f7385

SHA512
b5dda99604620596830746efe18980bf1f69859fc155930eb0768b826571e8d87ade36890554ce49ab7e766d62c3994aad66929ef613bb1fe990895400e23f1a

Download Submit
C:\Windows\{26A65E85-71A4-4788-A7BB-116D28CFC61B}.exe

Filesize
344KB

MD5
e77cd29863cd996b5759c20b2d666185

SHA1
ab51070e321e2138443a02e5a7f513eb62330384

SHA256
b18105a6bb72e230302c0de736bd041d5deef5a5669c28201463ef722b318471

SHA512
860c615f157f2f0d469ac291798a6c50f19834ba612a31fed03bb4cede113659ed584910001e3bfc3e5dafbf3bf9345610f6acdf3e02e74a90007b8beccb9d75

Download Submit
C:\Windows\{3759ABA3-D8FA-46d4-8272-95B9BB7A085F}.exe

Filesize
344KB

MD5
e452bce31f7f9cf1938deb109b920451

SHA1
dbaa5f1a4857c7d91cbbc859887422cf7661a5b7

SHA256
1b916ebae9ba70c5fe9966a8980d0593c342178bc32a37436628b1d6cb809c32

SHA512
485e8b0634c9350670b2a14431744a14e913e7d1c47f6ae6d1ae7179ce22262beaee8094e9fceb93e5bea1c847c72b9449a983ea43e3a2a7d2457f983eb67ca9

Download Submit
C:\Windows\{51C7DCEB-3FE9-4551-AE5C-7CAE2577F402}.exe

Filesize
344KB

MD5
289159398318b83a7a78cc2606454a77

SHA1
1eebb4df1848ef70efdf32cd85436c90bfd9fefc

SHA256
54f99850702efbcc46b376d1fbaa0f042074872ca0c9e4f9866d8408318f4600

SHA512
6b57ff01303ef39015c773de595e6631fae30c03660614abd03162dd9807a0f4699d4f75e6bf0c32c05b3d72ab0e918be98fe1b605e8b617ee9eb4da176db2cd

Download Submit
C:\Windows\{61E7927A-9B72-4d4f-8C1C-0FAA3D612920}.exe

Filesize
344KB

MD5
65ed09b04798f523223610e78dcef9de

SHA1
6f5d628ffa8e51aba0c63eaaec695f3781f5dac5

SHA256
6fb76a71655b406bd368cd3f31ecf30a7e56a63489262651de148704074f905a

SHA512
023621d188ea99c9b2a1e4bb792deaba81862edd64e24657c15751972ee8ff1c01e90fe45836a7fcc2cda1df83b30216826fddc1daf53904aed8657a77ad7e7d

Download Submit
C:\Windows\{78F0760A-0F75-4461-91CC-46178780DF47}.exe

Filesize
344KB

MD5
c9e9ccdf5ba3f8ba0b82af076ec68256

SHA1
c1c153d7925e1b28a293d29bcfea2d16e32ea751

SHA256
9efae6818aea36b391cc53d855f1da7cd9227f5bb523432620787fb57dc2c70a

SHA512
c71da84151c29a8fcf84617e976471753a722c53ef579b305a333c1dce6f64cf6e97592be562a87cb4653f84d0e375bf6d19e87143da304b63405065f66f1ccc

Download Submit
C:\Windows\{7F8C3DAC-EC09-4598-AD62-60C4010F15C4}.exe

Filesize
344KB

MD5
2439383551226f295db0713fa6696a00

SHA1
84f83116d58b246ced32b99ef248d46ae4d8d7e2

SHA256
1cbec352a06456af37ad1d9b057617ee087763c2e064f903680b7caa98b9feb1

SHA512
b7dd85f75dfb327431f325365a8e4d7b9702fc6ea38bd03b335993a244a93dc87fe6ec550265b87902cf65e183a04c53e176bd59317483cf843589c9a8186748

Download Submit
C:\Windows\{C2F47E32-1201-4f39-A3E3-3213FF698063}.exe

Filesize
344KB

MD5
f460ac17ccf1e975cc5f923672815f34

SHA1
efe5e24b8113a3bc36cd66b1db1efe22af32fa4a

SHA256
6314d495392ddd53ba083222c0518c2092b200df6b8417d420742f63d4c3cb9d

SHA512
39c5f1a5d7c9bdf143219119d6f1af7e9684efab829f22a933c11ce86ca240debfe0d6795c4428724338eb0675a37dad9efdeaa0c81d87cfe295612cef2eeed1

Download Submit
C:\Windows\{C65CD589-259D-4c53-8860-ED902EBFFBF0}.exe

Filesize
344KB

MD5
1d12000a7dcfb676d8819a0d5659f41c

SHA1
e5046c6cbdd21c2691190763b0293589bb9965ee

SHA256
24d5886a0bae51138b3175d58356f478664e6b353fb6da1267c787ad4818e603

SHA512
cca1818946c667a5f6e1f1b12a2c002c70a98b05d451751c50d796930053f8187bcf061d732852af99649a25af85f3d6e6dde4524632b6f4ef419a5051c48fc4

Download Submit
C:\Windows\{EBB395D9-C165-4c88-8DAC-147CBC714181}.exe

Filesize
344KB

MD5
31c40e089ae0ff80781301edb7155971

SHA1
ff71d8107a8479291c9d365f119bc164b46dd2e8

SHA256
704a8d0621fc32f9debb788d28a4379ec8555e764e5ef1d18bcc7a1e2e6fa666

SHA512
759c0e7987eaa33d2a212d4d83bc9e1b58dba89fd3ab602aa9dbeb8592efcbde8b582ed68fe074cdcc31d8d9797e5fea9f7c22e1157ea2a2472963e98aba0743

Download Submit
C:\Windows\{F62021B1-B4E4-45bd-B287-F7641EF85352}.exe

Filesize
344KB

MD5
920446880e9ff84201d5830eaf9bee2a

SHA1
3537d2556e664898d916af1b2d4142d25492181f

SHA256
b6e2f35a3d59c9b401f0ebbfdadb090773603673d346c6d003653a4edf63ab0d

SHA512
218940341c4ac0ef58e906bc913b801d7d7961e64aee49cd9da9febdddd495e8431f06353f52180d590512a5c029d5e43af49e42d9009d1ddd0ef178f10a9620

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads