5ae09916c42d2d06c2c47d092d8631ad4119db9d26c1ba109c381a3205e5ba09

Analysis

max time kernel
144s
max time network
123s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
29/03/2024, 03:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-29_5277f5718a9a5c41ed4a324c2b2132fa_goldeneye.exe
Size

216KB
MD5

5277f5718a9a5c41ed4a324c2b2132fa
SHA1

f2fdc39b32d11b67fc86a122fc37b65a7491ff22
SHA256

5ae09916c42d2d06c2c47d092d8631ad4119db9d26c1ba109c381a3205e5ba09
SHA512

65d41485876a82b341a2cbbc18c4a61386868b865fdea27d95c5f71693c0a3c94a96613f58caa4c9859e6f96b72420dd4a22e349a87fbd70df40072faf7be695
SSDEEP

3072:jEGh0o0l+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEGelEeKcAEcGy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x00090000000122be-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000013ab9-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a0000000122be-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x003600000001654a-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b0000000122be-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c0000000122be-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d0000000122be-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D44E5CF3-267C-4591-B554-AE83DD072AE9}\stubpath = "C:\\Windows\\{D44E5CF3-267C-4591-B554-AE83DD072AE9}.exe"	2024-03-29_5277f5718a9a5c41ed4a324c2b2132fa_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A997FC7D-CECF-4cde-812E-C5170749E765}	{6196EDDB-BE54-4c77-9018-BFF243CE1373}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9190DBB4-0D0A-40d9-9602-3CB5FD9CB69B}\stubpath = "C:\\Windows\\{9190DBB4-0D0A-40d9-9602-3CB5FD9CB69B}.exe"	{99942460-61CB-4a75-AAFB-1F19B8283C76}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6196EDDB-BE54-4c77-9018-BFF243CE1373}\stubpath = "C:\\Windows\\{6196EDDB-BE54-4c77-9018-BFF243CE1373}.exe"	{D0B17F9B-D296-4b70-ABDC-BDB2B60470AD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1EBF12D3-127D-41f7-B088-5B4916D92A94}	{9190DBB4-0D0A-40d9-9602-3CB5FD9CB69B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1EBF12D3-127D-41f7-B088-5B4916D92A94}\stubpath = "C:\\Windows\\{1EBF12D3-127D-41f7-B088-5B4916D92A94}.exe"	{9190DBB4-0D0A-40d9-9602-3CB5FD9CB69B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D44E5CF3-267C-4591-B554-AE83DD072AE9}	2024-03-29_5277f5718a9a5c41ed4a324c2b2132fa_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{88E01900-9DE7-4685-9789-37639E0CE5C0}	{6A6A45CB-9982-40b3-8424-FE8BC33BE843}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{88E01900-9DE7-4685-9789-37639E0CE5C0}\stubpath = "C:\\Windows\\{88E01900-9DE7-4685-9789-37639E0CE5C0}.exe"	{6A6A45CB-9982-40b3-8424-FE8BC33BE843}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3954E80D-D8A5-4403-9715-2C5F1D006F6B}	{88E01900-9DE7-4685-9789-37639E0CE5C0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A3425493-88A2-43d3-983C-0BA6BB904705}\stubpath = "C:\\Windows\\{A3425493-88A2-43d3-983C-0BA6BB904705}.exe"	{A997FC7D-CECF-4cde-812E-C5170749E765}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{99942460-61CB-4a75-AAFB-1F19B8283C76}	{A3425493-88A2-43d3-983C-0BA6BB904705}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9190DBB4-0D0A-40d9-9602-3CB5FD9CB69B}	{99942460-61CB-4a75-AAFB-1F19B8283C76}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6A6A45CB-9982-40b3-8424-FE8BC33BE843}\stubpath = "C:\\Windows\\{6A6A45CB-9982-40b3-8424-FE8BC33BE843}.exe"	{D44E5CF3-267C-4591-B554-AE83DD072AE9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D0B17F9B-D296-4b70-ABDC-BDB2B60470AD}	{3954E80D-D8A5-4403-9715-2C5F1D006F6B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6196EDDB-BE54-4c77-9018-BFF243CE1373}	{D0B17F9B-D296-4b70-ABDC-BDB2B60470AD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A997FC7D-CECF-4cde-812E-C5170749E765}\stubpath = "C:\\Windows\\{A997FC7D-CECF-4cde-812E-C5170749E765}.exe"	{6196EDDB-BE54-4c77-9018-BFF243CE1373}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{99942460-61CB-4a75-AAFB-1F19B8283C76}\stubpath = "C:\\Windows\\{99942460-61CB-4a75-AAFB-1F19B8283C76}.exe"	{A3425493-88A2-43d3-983C-0BA6BB904705}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6A6A45CB-9982-40b3-8424-FE8BC33BE843}	{D44E5CF3-267C-4591-B554-AE83DD072AE9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3954E80D-D8A5-4403-9715-2C5F1D006F6B}\stubpath = "C:\\Windows\\{3954E80D-D8A5-4403-9715-2C5F1D006F6B}.exe"	{88E01900-9DE7-4685-9789-37639E0CE5C0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D0B17F9B-D296-4b70-ABDC-BDB2B60470AD}\stubpath = "C:\\Windows\\{D0B17F9B-D296-4b70-ABDC-BDB2B60470AD}.exe"	{3954E80D-D8A5-4403-9715-2C5F1D006F6B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A3425493-88A2-43d3-983C-0BA6BB904705}	{A997FC7D-CECF-4cde-812E-C5170749E765}.exe

Deletes itself 1 IoCs

pid	Process
2548	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
380	{D44E5CF3-267C-4591-B554-AE83DD072AE9}.exe
3032	{6A6A45CB-9982-40b3-8424-FE8BC33BE843}.exe
2568	{88E01900-9DE7-4685-9789-37639E0CE5C0}.exe
2636	{3954E80D-D8A5-4403-9715-2C5F1D006F6B}.exe
2744	{D0B17F9B-D296-4b70-ABDC-BDB2B60470AD}.exe
860	{6196EDDB-BE54-4c77-9018-BFF243CE1373}.exe
2900	{A997FC7D-CECF-4cde-812E-C5170749E765}.exe
1120	{A3425493-88A2-43d3-983C-0BA6BB904705}.exe
2292	{99942460-61CB-4a75-AAFB-1F19B8283C76}.exe
688	{9190DBB4-0D0A-40d9-9602-3CB5FD9CB69B}.exe
2844	{1EBF12D3-127D-41f7-B088-5B4916D92A94}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{9190DBB4-0D0A-40d9-9602-3CB5FD9CB69B}.exe	{99942460-61CB-4a75-AAFB-1F19B8283C76}.exe
File created	C:\Windows\{D44E5CF3-267C-4591-B554-AE83DD072AE9}.exe	2024-03-29_5277f5718a9a5c41ed4a324c2b2132fa_goldeneye.exe
File created	C:\Windows\{6A6A45CB-9982-40b3-8424-FE8BC33BE843}.exe	{D44E5CF3-267C-4591-B554-AE83DD072AE9}.exe
File created	C:\Windows\{A3425493-88A2-43d3-983C-0BA6BB904705}.exe	{A997FC7D-CECF-4cde-812E-C5170749E765}.exe
File created	C:\Windows\{99942460-61CB-4a75-AAFB-1F19B8283C76}.exe	{A3425493-88A2-43d3-983C-0BA6BB904705}.exe
File created	C:\Windows\{A997FC7D-CECF-4cde-812E-C5170749E765}.exe	{6196EDDB-BE54-4c77-9018-BFF243CE1373}.exe
File created	C:\Windows\{1EBF12D3-127D-41f7-B088-5B4916D92A94}.exe	{9190DBB4-0D0A-40d9-9602-3CB5FD9CB69B}.exe
File created	C:\Windows\{88E01900-9DE7-4685-9789-37639E0CE5C0}.exe	{6A6A45CB-9982-40b3-8424-FE8BC33BE843}.exe
File created	C:\Windows\{3954E80D-D8A5-4403-9715-2C5F1D006F6B}.exe	{88E01900-9DE7-4685-9789-37639E0CE5C0}.exe
File created	C:\Windows\{D0B17F9B-D296-4b70-ABDC-BDB2B60470AD}.exe	{3954E80D-D8A5-4403-9715-2C5F1D006F6B}.exe
File created	C:\Windows\{6196EDDB-BE54-4c77-9018-BFF243CE1373}.exe	{D0B17F9B-D296-4b70-ABDC-BDB2B60470AD}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2088	2024-03-29_5277f5718a9a5c41ed4a324c2b2132fa_goldeneye.exe
Token: SeIncBasePriorityPrivilege	380	{D44E5CF3-267C-4591-B554-AE83DD072AE9}.exe
Token: SeIncBasePriorityPrivilege	3032	{6A6A45CB-9982-40b3-8424-FE8BC33BE843}.exe
Token: SeIncBasePriorityPrivilege	2568	{88E01900-9DE7-4685-9789-37639E0CE5C0}.exe
Token: SeIncBasePriorityPrivilege	2636	{3954E80D-D8A5-4403-9715-2C5F1D006F6B}.exe
Token: SeIncBasePriorityPrivilege	2744	{D0B17F9B-D296-4b70-ABDC-BDB2B60470AD}.exe
Token: SeIncBasePriorityPrivilege	860	{6196EDDB-BE54-4c77-9018-BFF243CE1373}.exe
Token: SeIncBasePriorityPrivilege	2900	{A997FC7D-CECF-4cde-812E-C5170749E765}.exe
Token: SeIncBasePriorityPrivilege	1120	{A3425493-88A2-43d3-983C-0BA6BB904705}.exe
Token: SeIncBasePriorityPrivilege	2292	{99942460-61CB-4a75-AAFB-1F19B8283C76}.exe
Token: SeIncBasePriorityPrivilege	688	{9190DBB4-0D0A-40d9-9602-3CB5FD9CB69B}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2088 wrote to memory of 380	2088	2024-03-29_5277f5718a9a5c41ed4a324c2b2132fa_goldeneye.exe	28
PID 2088 wrote to memory of 380	2088	2024-03-29_5277f5718a9a5c41ed4a324c2b2132fa_goldeneye.exe	28
PID 2088 wrote to memory of 380	2088	2024-03-29_5277f5718a9a5c41ed4a324c2b2132fa_goldeneye.exe	28
PID 2088 wrote to memory of 380	2088	2024-03-29_5277f5718a9a5c41ed4a324c2b2132fa_goldeneye.exe	28
PID 2088 wrote to memory of 2548	2088	2024-03-29_5277f5718a9a5c41ed4a324c2b2132fa_goldeneye.exe	29
PID 2088 wrote to memory of 2548	2088	2024-03-29_5277f5718a9a5c41ed4a324c2b2132fa_goldeneye.exe	29
PID 2088 wrote to memory of 2548	2088	2024-03-29_5277f5718a9a5c41ed4a324c2b2132fa_goldeneye.exe	29
PID 2088 wrote to memory of 2548	2088	2024-03-29_5277f5718a9a5c41ed4a324c2b2132fa_goldeneye.exe	29
PID 380 wrote to memory of 3032	380	{D44E5CF3-267C-4591-B554-AE83DD072AE9}.exe	30
PID 380 wrote to memory of 3032	380	{D44E5CF3-267C-4591-B554-AE83DD072AE9}.exe	30
PID 380 wrote to memory of 3032	380	{D44E5CF3-267C-4591-B554-AE83DD072AE9}.exe	30
PID 380 wrote to memory of 3032	380	{D44E5CF3-267C-4591-B554-AE83DD072AE9}.exe	30
PID 380 wrote to memory of 2688	380	{D44E5CF3-267C-4591-B554-AE83DD072AE9}.exe	31
PID 380 wrote to memory of 2688	380	{D44E5CF3-267C-4591-B554-AE83DD072AE9}.exe	31
PID 380 wrote to memory of 2688	380	{D44E5CF3-267C-4591-B554-AE83DD072AE9}.exe	31
PID 380 wrote to memory of 2688	380	{D44E5CF3-267C-4591-B554-AE83DD072AE9}.exe	31
PID 3032 wrote to memory of 2568	3032	{6A6A45CB-9982-40b3-8424-FE8BC33BE843}.exe	32
PID 3032 wrote to memory of 2568	3032	{6A6A45CB-9982-40b3-8424-FE8BC33BE843}.exe	32
PID 3032 wrote to memory of 2568	3032	{6A6A45CB-9982-40b3-8424-FE8BC33BE843}.exe	32
PID 3032 wrote to memory of 2568	3032	{6A6A45CB-9982-40b3-8424-FE8BC33BE843}.exe	32
PID 3032 wrote to memory of 2628	3032	{6A6A45CB-9982-40b3-8424-FE8BC33BE843}.exe	33
PID 3032 wrote to memory of 2628	3032	{6A6A45CB-9982-40b3-8424-FE8BC33BE843}.exe	33
PID 3032 wrote to memory of 2628	3032	{6A6A45CB-9982-40b3-8424-FE8BC33BE843}.exe	33
PID 3032 wrote to memory of 2628	3032	{6A6A45CB-9982-40b3-8424-FE8BC33BE843}.exe	33
PID 2568 wrote to memory of 2636	2568	{88E01900-9DE7-4685-9789-37639E0CE5C0}.exe	36
PID 2568 wrote to memory of 2636	2568	{88E01900-9DE7-4685-9789-37639E0CE5C0}.exe	36
PID 2568 wrote to memory of 2636	2568	{88E01900-9DE7-4685-9789-37639E0CE5C0}.exe	36
PID 2568 wrote to memory of 2636	2568	{88E01900-9DE7-4685-9789-37639E0CE5C0}.exe	36
PID 2568 wrote to memory of 2660	2568	{88E01900-9DE7-4685-9789-37639E0CE5C0}.exe	37
PID 2568 wrote to memory of 2660	2568	{88E01900-9DE7-4685-9789-37639E0CE5C0}.exe	37
PID 2568 wrote to memory of 2660	2568	{88E01900-9DE7-4685-9789-37639E0CE5C0}.exe	37
PID 2568 wrote to memory of 2660	2568	{88E01900-9DE7-4685-9789-37639E0CE5C0}.exe	37
PID 2636 wrote to memory of 2744	2636	{3954E80D-D8A5-4403-9715-2C5F1D006F6B}.exe	38
PID 2636 wrote to memory of 2744	2636	{3954E80D-D8A5-4403-9715-2C5F1D006F6B}.exe	38
PID 2636 wrote to memory of 2744	2636	{3954E80D-D8A5-4403-9715-2C5F1D006F6B}.exe	38
PID 2636 wrote to memory of 2744	2636	{3954E80D-D8A5-4403-9715-2C5F1D006F6B}.exe	38
PID 2636 wrote to memory of 2884	2636	{3954E80D-D8A5-4403-9715-2C5F1D006F6B}.exe	39
PID 2636 wrote to memory of 2884	2636	{3954E80D-D8A5-4403-9715-2C5F1D006F6B}.exe	39
PID 2636 wrote to memory of 2884	2636	{3954E80D-D8A5-4403-9715-2C5F1D006F6B}.exe	39
PID 2636 wrote to memory of 2884	2636	{3954E80D-D8A5-4403-9715-2C5F1D006F6B}.exe	39
PID 2744 wrote to memory of 860	2744	{D0B17F9B-D296-4b70-ABDC-BDB2B60470AD}.exe	40
PID 2744 wrote to memory of 860	2744	{D0B17F9B-D296-4b70-ABDC-BDB2B60470AD}.exe	40
PID 2744 wrote to memory of 860	2744	{D0B17F9B-D296-4b70-ABDC-BDB2B60470AD}.exe	40
PID 2744 wrote to memory of 860	2744	{D0B17F9B-D296-4b70-ABDC-BDB2B60470AD}.exe	40
PID 2744 wrote to memory of 2372	2744	{D0B17F9B-D296-4b70-ABDC-BDB2B60470AD}.exe	41
PID 2744 wrote to memory of 2372	2744	{D0B17F9B-D296-4b70-ABDC-BDB2B60470AD}.exe	41
PID 2744 wrote to memory of 2372	2744	{D0B17F9B-D296-4b70-ABDC-BDB2B60470AD}.exe	41
PID 2744 wrote to memory of 2372	2744	{D0B17F9B-D296-4b70-ABDC-BDB2B60470AD}.exe	41
PID 860 wrote to memory of 2900	860	{6196EDDB-BE54-4c77-9018-BFF243CE1373}.exe	42
PID 860 wrote to memory of 2900	860	{6196EDDB-BE54-4c77-9018-BFF243CE1373}.exe	42
PID 860 wrote to memory of 2900	860	{6196EDDB-BE54-4c77-9018-BFF243CE1373}.exe	42
PID 860 wrote to memory of 2900	860	{6196EDDB-BE54-4c77-9018-BFF243CE1373}.exe	42
PID 860 wrote to memory of 2656	860	{6196EDDB-BE54-4c77-9018-BFF243CE1373}.exe	43
PID 860 wrote to memory of 2656	860	{6196EDDB-BE54-4c77-9018-BFF243CE1373}.exe	43
PID 860 wrote to memory of 2656	860	{6196EDDB-BE54-4c77-9018-BFF243CE1373}.exe	43
PID 860 wrote to memory of 2656	860	{6196EDDB-BE54-4c77-9018-BFF243CE1373}.exe	43
PID 2900 wrote to memory of 1120	2900	{A997FC7D-CECF-4cde-812E-C5170749E765}.exe	44
PID 2900 wrote to memory of 1120	2900	{A997FC7D-CECF-4cde-812E-C5170749E765}.exe	44
PID 2900 wrote to memory of 1120	2900	{A997FC7D-CECF-4cde-812E-C5170749E765}.exe	44
PID 2900 wrote to memory of 1120	2900	{A997FC7D-CECF-4cde-812E-C5170749E765}.exe	44
PID 2900 wrote to memory of 1984	2900	{A997FC7D-CECF-4cde-812E-C5170749E765}.exe	45
PID 2900 wrote to memory of 1984	2900	{A997FC7D-CECF-4cde-812E-C5170749E765}.exe	45
PID 2900 wrote to memory of 1984	2900	{A997FC7D-CECF-4cde-812E-C5170749E765}.exe	45
PID 2900 wrote to memory of 1984	2900	{A997FC7D-CECF-4cde-812E-C5170749E765}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-03-29_5277f5718a9a5c41ed4a324c2b2132fa_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-29_5277f5718a9a5c41ed4a324c2b2132fa_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2088
- C:\Windows\{D44E5CF3-267C-4591-B554-AE83DD072AE9}.exe
  C:\Windows\{D44E5CF3-267C-4591-B554-AE83DD072AE9}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:380
- - C:\Windows\{6A6A45CB-9982-40b3-8424-FE8BC33BE843}.exe
    C:\Windows\{6A6A45CB-9982-40b3-8424-FE8BC33BE843}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3032
  - - C:\Windows\{88E01900-9DE7-4685-9789-37639E0CE5C0}.exe
      C:\Windows\{88E01900-9DE7-4685-9789-37639E0CE5C0}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2568
    - - C:\Windows\{3954E80D-D8A5-4403-9715-2C5F1D006F6B}.exe
        
        C:\Windows\{3954E80D-D8A5-4403-9715-2C5F1D006F6B}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2636
      - C:\Windows\{D0B17F9B-D296-4b70-ABDC-BDB2B60470AD}.exe
        
        C:\Windows\{D0B17F9B-D296-4b70-ABDC-BDB2B60470AD}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2744
        
        C:\Windows\{6196EDDB-BE54-4c77-9018-BFF243CE1373}.exe
        
        C:\Windows\{6196EDDB-BE54-4c77-9018-BFF243CE1373}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:860
        
        C:\Windows\{A997FC7D-CECF-4cde-812E-C5170749E765}.exe
        
        C:\Windows\{A997FC7D-CECF-4cde-812E-C5170749E765}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2900
        
        C:\Windows\{A3425493-88A2-43d3-983C-0BA6BB904705}.exe
        
        C:\Windows\{A3425493-88A2-43d3-983C-0BA6BB904705}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1120
        
        C:\Windows\{99942460-61CB-4a75-AAFB-1F19B8283C76}.exe
        
        C:\Windows\{99942460-61CB-4a75-AAFB-1F19B8283C76}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2292
        
        C:\Windows\{9190DBB4-0D0A-40d9-9602-3CB5FD9CB69B}.exe
        
        C:\Windows\{9190DBB4-0D0A-40d9-9602-3CB5FD9CB69B}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:688
        
        C:\Windows\{1EBF12D3-127D-41f7-B088-5B4916D92A94}.exe
        
        C:\Windows\{1EBF12D3-127D-41f7-B088-5B4916D92A94}.exe
        12⤵
        Executes dropped EXE
        
        PID:2844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9190D~1.EXE > nul
        12⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{99942~1.EXE > nul
        11⤵
        
        PID:280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A3425~1.EXE > nul
        10⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A997F~1.EXE > nul
        9⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6196E~1.EXE > nul
        8⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D0B17~1.EXE > nul
        7⤵
        
        PID:2372
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3954E~1.EXE > nul
        6⤵
        
        PID:2884
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{88E01~1.EXE > nul
        5⤵
        
        PID:2660
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{6A6A4~1.EXE > nul
      4⤵
      PID:2628
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{D44E5~1.EXE > nul
    3⤵
    PID:2688
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1EBF12D3-127D-41f7-B088-5B4916D92A94}.exe

Filesize
216KB

MD5
f0bb0e6bd8604aa3197fa6c5a8ebc289

SHA1
863bcdcb2cefcd96f2202aff72816cb1d1b5d115

SHA256
39f56240842314020a9cef3a6299d97a54c7ab2accdd8c2151f1d7cfe55235fd

SHA512
56332d40073f4aab6fc1333fdf9652dd66fc77129da64e0b1cd83c5535612b933472b41ab424cc1dd99fe4ccb087dfcf99e565d0098a30531c2eb659975f86f4

Download Submit
C:\Windows\{3954E80D-D8A5-4403-9715-2C5F1D006F6B}.exe

Filesize
216KB

MD5
0b96aa3c708303315d21daffa3d98ee2

SHA1
6c74a77a61186923fd8430097d0a1004cb34dfc8

SHA256
13a672310e528cdc2ccce2d34fc6eec4f7b1ae92d55a47cf72a2029c4e5297b2

SHA512
f9396af5dc6cd2c7a6a7ab7e6c6c654c449d8535333a65cb0f9306355ba73c42dd61f9874f822db565d6f463c46fb91fbfbfc2e2262b191152fcf1464fec82e0

Download Submit
C:\Windows\{6196EDDB-BE54-4c77-9018-BFF243CE1373}.exe

Filesize
216KB

MD5
8c89894e0e54cdf5a5a6e4435cba3008

SHA1
eb5370f99d08cefcb032da1daa197574a06d6027

SHA256
43512fc1c6d5692de179fa43f0c27b44763260b379ed03ec6d41b8c823cbc505

SHA512
2a6f3fc857b6e6f49b4829ee0d560c5abe5abdc26eade16b1df46fc10867a6f4c13c567541f0bc515708a1b8cd07ab86b31fd5b1b117d19c7c23e5a10954a22d

Download Submit
C:\Windows\{6A6A45CB-9982-40b3-8424-FE8BC33BE843}.exe

Filesize
216KB

MD5
bd579c70286fd039e1fee51e41c26d97

SHA1
fda7dd12182fc70d0c23946e7143ebf8450009fe

SHA256
d86a7ded87a7f750f7a57bf7933a249d349c45592c54c6e67f2eb8510c0a36db

SHA512
698fe98bdf30c5ad225c8b098fe90c5c4f982e47f1c380650e9314691d05b668a4476ccfb31c72762a74e3afbe30258736a91179a49489023ffd46c6a708f539

Download Submit
C:\Windows\{88E01900-9DE7-4685-9789-37639E0CE5C0}.exe

Filesize
216KB

MD5
538eb9ea7dbbc378975b6b7ff4fecc65

SHA1
3b6b079756c8523cc0881ffb4abcf1d37194cb6a

SHA256
2b24ad90b8f7579009681044ac32825c67cb34ee64a265ae75217957d04fd4e5

SHA512
cc6b0b48039656a3c030a543fe017d53565ca15bd78ffddb7c6089c23df0eca9f85348ef428be3bba4d32ce5db1be4475901c69e499ae2a31db4b88d09989797

Download Submit
C:\Windows\{9190DBB4-0D0A-40d9-9602-3CB5FD9CB69B}.exe

Filesize
216KB

MD5
84790f7a3007cafec99189aab0c4fc95

SHA1
e6e0938d5bd43b4994918c49e2b14c99ffcad947

SHA256
6bc6fb3a07ae47423df1d391a34a5df4d944fa98a3a67cb56296a5655c5d3cd4

SHA512
f6544457c1a727185ba1e144cfbbb783c931d4582fa489f712e76e3f392db64b5bf998984bd0c5a8e56e5c307e5b74422843e255b870d1b4ef0d194c69eff26f

Download Submit
C:\Windows\{99942460-61CB-4a75-AAFB-1F19B8283C76}.exe

Filesize
216KB

MD5
6bcfb2338ab71a14db57be5c38cca315

SHA1
d0d882514d227a5b5ef21bca36ddd7044b393995

SHA256
bce95769d0db21428f7b4f5d2051db207d68be09386ceef1969feb044d0f7878

SHA512
95164e3472e25f2940dc3325ecd0bcc62856c2a30c700afd2d399a78422ee7d5d85ad5e71b4993247dc0b46785f947c210ca2dfe35e6317653728e0d99d6e302

Download Submit
C:\Windows\{A3425493-88A2-43d3-983C-0BA6BB904705}.exe

Filesize
216KB

MD5
20436cd320f029599403f7d0fe1aea29

SHA1
b862d7ccf8705d71a4fd19652aaf6b6e22cb171c

SHA256
7914a562dd141c05d3acc5097c7393c72688ac5d386290e777001176bbe609ab

SHA512
c37e3943f7a425319f819ca74f7f5018b1393bb92253c41168bfc272b300538c33c7ee7e35ef7182fda1a356971dcb3cc2d6ac9d4052352bcc1b2698fd5d6572

Download Submit
C:\Windows\{A997FC7D-CECF-4cde-812E-C5170749E765}.exe

Filesize
216KB

MD5
a26bc1c692d4feaee2ae44ec464d96cc

SHA1
221903cbd22074658b536122871fc23f5e2cbb0d

SHA256
371b8ce08d0ffaeda36dd4d937a8ef6f251079d31bcf9498fa10496e9081c21f

SHA512
93a6eb8809abcb6eab5936c25f47030619004a0b7e0ea9223d508af9abbf94b5491f8b67abd8cc97a9eb6b1348d6cbad3d3ebcf4e190865b059c9eccda638474

Download Submit
C:\Windows\{D0B17F9B-D296-4b70-ABDC-BDB2B60470AD}.exe

Filesize
216KB

MD5
65a217bc3aba584c618403a6f661abbc

SHA1
9d780f76e81cc3d1fde5eff51a483fc9162da1a6

SHA256
6ec0b0c5ba78f3ee4c19752b13b184e6ebceef60d4a53c5dfcafdc8456e1a276

SHA512
669fa9c295f6617591a15a8cc7449b3701b88353ac08b7ef7f148a2caf0eb0898479bdfe020e61bae320eff9897f11ac3de5e8c9397ac196a44aa45a3278d941

Download Submit
C:\Windows\{D44E5CF3-267C-4591-B554-AE83DD072AE9}.exe

Filesize
216KB

MD5
0fb7c0c133081b52d16863e622163890

SHA1
52bb9d471ae647a77a4ac1f044c90e4092385088

SHA256
f3916e543a1e12572c1529864cb76a8e3f143ac40d2ab7d97282cb8222feea9b

SHA512
f30c87b29871e0108db9b24c312ab98e46f1e851b66f466700b7d349d513aa6b432c1d696daed05f79b84ff63feb1121ad93c868e6b4b334c82610aec8069d60

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads