1e578bfee7aae8c5b2dcc577921808da5b98045eb96b223b7e2c3eaee844087b

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20240319-en
resource tags

arch:x64arch:x86image:win7-20240319-enlocale:en-usos:windows7-x64system
submitted
05/04/2024, 03:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-05_34dcd4ba96462d71e1fa6a8356b7ea1b_goldeneye.exe
Size

168KB
MD5

34dcd4ba96462d71e1fa6a8356b7ea1b
SHA1

7e1d089f9db3bfc1ffa2dd2675dea978ed49091a
SHA256

1e578bfee7aae8c5b2dcc577921808da5b98045eb96b223b7e2c3eaee844087b
SHA512

e3534257904e108bc2c2016763d57ce7fcf0aedd9f3c5d5dcaf39783294bbb56c73a5856d42b7f2d021da2e6760680920fe371ea9eb98d7e0146a92fc73a3f4b
SSDEEP

1536:1EGh0oJlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oJlqOPOe2MUVg3Ve+rX

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000b0000000121c5-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000800000001220a-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0024000000015574-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000900000001220a-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a00000001220a-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b00000001220a-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c00000001220a-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5CE98013-6044-4361-B52D-CB3F6C47921D}\stubpath = "C:\\Windows\\{5CE98013-6044-4361-B52D-CB3F6C47921D}.exe"	{62256EAB-0829-48a9-A3B0-85D938AD08D8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{592BCE4A-EF74-4ef2-A49C-FF402D1465BC}	{5CE98013-6044-4361-B52D-CB3F6C47921D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C65FF657-B2C9-4fe7-93C6-8A9E900D86A3}	2024-04-05_34dcd4ba96462d71e1fa6a8356b7ea1b_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9D5F8BC4-7318-4e23-8468-58C0F359540B}\stubpath = "C:\\Windows\\{9D5F8BC4-7318-4e23-8468-58C0F359540B}.exe"	{C65FF657-B2C9-4fe7-93C6-8A9E900D86A3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ABCF4BDF-8720-48b3-8EA1-7A75C22A9035}	{9D5F8BC4-7318-4e23-8468-58C0F359540B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ABCF4BDF-8720-48b3-8EA1-7A75C22A9035}\stubpath = "C:\\Windows\\{ABCF4BDF-8720-48b3-8EA1-7A75C22A9035}.exe"	{9D5F8BC4-7318-4e23-8468-58C0F359540B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9DB4352F-4DFC-4345-9228-AFE7B259D933}	{40D539C9-4E65-4911-AD26-E9D4467C96BE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5CE98013-6044-4361-B52D-CB3F6C47921D}	{62256EAB-0829-48a9-A3B0-85D938AD08D8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{592BCE4A-EF74-4ef2-A49C-FF402D1465BC}\stubpath = "C:\\Windows\\{592BCE4A-EF74-4ef2-A49C-FF402D1465BC}.exe"	{5CE98013-6044-4361-B52D-CB3F6C47921D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7D06EDC2-D81B-40e7-A20A-5D0E47FB89F3}	{592BCE4A-EF74-4ef2-A49C-FF402D1465BC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CEE6296C-D63F-429d-9658-5A1EEC389DDE}\stubpath = "C:\\Windows\\{CEE6296C-D63F-429d-9658-5A1EEC389DDE}.exe"	{7D06EDC2-D81B-40e7-A20A-5D0E47FB89F3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D683AF0C-DA36-46c4-98C8-7F98AB857BF2}\stubpath = "C:\\Windows\\{D683AF0C-DA36-46c4-98C8-7F98AB857BF2}.exe"	{CEE6296C-D63F-429d-9658-5A1EEC389DDE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{40D539C9-4E65-4911-AD26-E9D4467C96BE}	{ABCF4BDF-8720-48b3-8EA1-7A75C22A9035}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{40D539C9-4E65-4911-AD26-E9D4467C96BE}\stubpath = "C:\\Windows\\{40D539C9-4E65-4911-AD26-E9D4467C96BE}.exe"	{ABCF4BDF-8720-48b3-8EA1-7A75C22A9035}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{62256EAB-0829-48a9-A3B0-85D938AD08D8}	{9DB4352F-4DFC-4345-9228-AFE7B259D933}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{62256EAB-0829-48a9-A3B0-85D938AD08D8}\stubpath = "C:\\Windows\\{62256EAB-0829-48a9-A3B0-85D938AD08D8}.exe"	{9DB4352F-4DFC-4345-9228-AFE7B259D933}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CEE6296C-D63F-429d-9658-5A1EEC389DDE}	{7D06EDC2-D81B-40e7-A20A-5D0E47FB89F3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D683AF0C-DA36-46c4-98C8-7F98AB857BF2}	{CEE6296C-D63F-429d-9658-5A1EEC389DDE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9DB4352F-4DFC-4345-9228-AFE7B259D933}\stubpath = "C:\\Windows\\{9DB4352F-4DFC-4345-9228-AFE7B259D933}.exe"	{40D539C9-4E65-4911-AD26-E9D4467C96BE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C65FF657-B2C9-4fe7-93C6-8A9E900D86A3}\stubpath = "C:\\Windows\\{C65FF657-B2C9-4fe7-93C6-8A9E900D86A3}.exe"	2024-04-05_34dcd4ba96462d71e1fa6a8356b7ea1b_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9D5F8BC4-7318-4e23-8468-58C0F359540B}	{C65FF657-B2C9-4fe7-93C6-8A9E900D86A3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7D06EDC2-D81B-40e7-A20A-5D0E47FB89F3}\stubpath = "C:\\Windows\\{7D06EDC2-D81B-40e7-A20A-5D0E47FB89F3}.exe"	{592BCE4A-EF74-4ef2-A49C-FF402D1465BC}.exe

Executes dropped EXE 11 IoCs

pid	Process
1356	{C65FF657-B2C9-4fe7-93C6-8A9E900D86A3}.exe
2836	{9D5F8BC4-7318-4e23-8468-58C0F359540B}.exe
2672	{ABCF4BDF-8720-48b3-8EA1-7A75C22A9035}.exe
2424	{40D539C9-4E65-4911-AD26-E9D4467C96BE}.exe
2740	{9DB4352F-4DFC-4345-9228-AFE7B259D933}.exe
1660	{62256EAB-0829-48a9-A3B0-85D938AD08D8}.exe
1688	{5CE98013-6044-4361-B52D-CB3F6C47921D}.exe
1200	{592BCE4A-EF74-4ef2-A49C-FF402D1465BC}.exe
1280	{7D06EDC2-D81B-40e7-A20A-5D0E47FB89F3}.exe
2044	{CEE6296C-D63F-429d-9658-5A1EEC389DDE}.exe
2584	{D683AF0C-DA36-46c4-98C8-7F98AB857BF2}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{C65FF657-B2C9-4fe7-93C6-8A9E900D86A3}.exe	2024-04-05_34dcd4ba96462d71e1fa6a8356b7ea1b_goldeneye.exe
File created	C:\Windows\{9D5F8BC4-7318-4e23-8468-58C0F359540B}.exe	{C65FF657-B2C9-4fe7-93C6-8A9E900D86A3}.exe
File created	C:\Windows\{ABCF4BDF-8720-48b3-8EA1-7A75C22A9035}.exe	{9D5F8BC4-7318-4e23-8468-58C0F359540B}.exe
File created	C:\Windows\{592BCE4A-EF74-4ef2-A49C-FF402D1465BC}.exe	{5CE98013-6044-4361-B52D-CB3F6C47921D}.exe
File created	C:\Windows\{CEE6296C-D63F-429d-9658-5A1EEC389DDE}.exe	{7D06EDC2-D81B-40e7-A20A-5D0E47FB89F3}.exe
File created	C:\Windows\{40D539C9-4E65-4911-AD26-E9D4467C96BE}.exe	{ABCF4BDF-8720-48b3-8EA1-7A75C22A9035}.exe
File created	C:\Windows\{9DB4352F-4DFC-4345-9228-AFE7B259D933}.exe	{40D539C9-4E65-4911-AD26-E9D4467C96BE}.exe
File created	C:\Windows\{62256EAB-0829-48a9-A3B0-85D938AD08D8}.exe	{9DB4352F-4DFC-4345-9228-AFE7B259D933}.exe
File created	C:\Windows\{5CE98013-6044-4361-B52D-CB3F6C47921D}.exe	{62256EAB-0829-48a9-A3B0-85D938AD08D8}.exe
File created	C:\Windows\{7D06EDC2-D81B-40e7-A20A-5D0E47FB89F3}.exe	{592BCE4A-EF74-4ef2-A49C-FF402D1465BC}.exe
File created	C:\Windows\{D683AF0C-DA36-46c4-98C8-7F98AB857BF2}.exe	{CEE6296C-D63F-429d-9658-5A1EEC389DDE}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2188	2024-04-05_34dcd4ba96462d71e1fa6a8356b7ea1b_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1356	{C65FF657-B2C9-4fe7-93C6-8A9E900D86A3}.exe
Token: SeIncBasePriorityPrivilege	2836	{9D5F8BC4-7318-4e23-8468-58C0F359540B}.exe
Token: SeIncBasePriorityPrivilege	2672	{ABCF4BDF-8720-48b3-8EA1-7A75C22A9035}.exe
Token: SeIncBasePriorityPrivilege	2424	{40D539C9-4E65-4911-AD26-E9D4467C96BE}.exe
Token: SeIncBasePriorityPrivilege	2740	{9DB4352F-4DFC-4345-9228-AFE7B259D933}.exe
Token: SeIncBasePriorityPrivilege	1660	{62256EAB-0829-48a9-A3B0-85D938AD08D8}.exe
Token: SeIncBasePriorityPrivilege	1688	{5CE98013-6044-4361-B52D-CB3F6C47921D}.exe
Token: SeIncBasePriorityPrivilege	1200	{592BCE4A-EF74-4ef2-A49C-FF402D1465BC}.exe
Token: SeIncBasePriorityPrivilege	1280	{7D06EDC2-D81B-40e7-A20A-5D0E47FB89F3}.exe
Token: SeIncBasePriorityPrivilege	2044	{CEE6296C-D63F-429d-9658-5A1EEC389DDE}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2188 wrote to memory of 1356	2188	2024-04-05_34dcd4ba96462d71e1fa6a8356b7ea1b_goldeneye.exe	28
PID 2188 wrote to memory of 1356	2188	2024-04-05_34dcd4ba96462d71e1fa6a8356b7ea1b_goldeneye.exe	28
PID 2188 wrote to memory of 1356	2188	2024-04-05_34dcd4ba96462d71e1fa6a8356b7ea1b_goldeneye.exe	28
PID 2188 wrote to memory of 1356	2188	2024-04-05_34dcd4ba96462d71e1fa6a8356b7ea1b_goldeneye.exe	28
PID 2188 wrote to memory of 2948	2188	2024-04-05_34dcd4ba96462d71e1fa6a8356b7ea1b_goldeneye.exe	29
PID 2188 wrote to memory of 2948	2188	2024-04-05_34dcd4ba96462d71e1fa6a8356b7ea1b_goldeneye.exe	29
PID 2188 wrote to memory of 2948	2188	2024-04-05_34dcd4ba96462d71e1fa6a8356b7ea1b_goldeneye.exe	29
PID 2188 wrote to memory of 2948	2188	2024-04-05_34dcd4ba96462d71e1fa6a8356b7ea1b_goldeneye.exe	29
PID 1356 wrote to memory of 2836	1356	{C65FF657-B2C9-4fe7-93C6-8A9E900D86A3}.exe	30
PID 1356 wrote to memory of 2836	1356	{C65FF657-B2C9-4fe7-93C6-8A9E900D86A3}.exe	30
PID 1356 wrote to memory of 2836	1356	{C65FF657-B2C9-4fe7-93C6-8A9E900D86A3}.exe	30
PID 1356 wrote to memory of 2836	1356	{C65FF657-B2C9-4fe7-93C6-8A9E900D86A3}.exe	30
PID 1356 wrote to memory of 2520	1356	{C65FF657-B2C9-4fe7-93C6-8A9E900D86A3}.exe	31
PID 1356 wrote to memory of 2520	1356	{C65FF657-B2C9-4fe7-93C6-8A9E900D86A3}.exe	31
PID 1356 wrote to memory of 2520	1356	{C65FF657-B2C9-4fe7-93C6-8A9E900D86A3}.exe	31
PID 1356 wrote to memory of 2520	1356	{C65FF657-B2C9-4fe7-93C6-8A9E900D86A3}.exe	31
PID 2836 wrote to memory of 2672	2836	{9D5F8BC4-7318-4e23-8468-58C0F359540B}.exe	34
PID 2836 wrote to memory of 2672	2836	{9D5F8BC4-7318-4e23-8468-58C0F359540B}.exe	34
PID 2836 wrote to memory of 2672	2836	{9D5F8BC4-7318-4e23-8468-58C0F359540B}.exe	34
PID 2836 wrote to memory of 2672	2836	{9D5F8BC4-7318-4e23-8468-58C0F359540B}.exe	34
PID 2836 wrote to memory of 2376	2836	{9D5F8BC4-7318-4e23-8468-58C0F359540B}.exe	35
PID 2836 wrote to memory of 2376	2836	{9D5F8BC4-7318-4e23-8468-58C0F359540B}.exe	35
PID 2836 wrote to memory of 2376	2836	{9D5F8BC4-7318-4e23-8468-58C0F359540B}.exe	35
PID 2836 wrote to memory of 2376	2836	{9D5F8BC4-7318-4e23-8468-58C0F359540B}.exe	35
PID 2672 wrote to memory of 2424	2672	{ABCF4BDF-8720-48b3-8EA1-7A75C22A9035}.exe	36
PID 2672 wrote to memory of 2424	2672	{ABCF4BDF-8720-48b3-8EA1-7A75C22A9035}.exe	36
PID 2672 wrote to memory of 2424	2672	{ABCF4BDF-8720-48b3-8EA1-7A75C22A9035}.exe	36
PID 2672 wrote to memory of 2424	2672	{ABCF4BDF-8720-48b3-8EA1-7A75C22A9035}.exe	36
PID 2672 wrote to memory of 2912	2672	{ABCF4BDF-8720-48b3-8EA1-7A75C22A9035}.exe	37
PID 2672 wrote to memory of 2912	2672	{ABCF4BDF-8720-48b3-8EA1-7A75C22A9035}.exe	37
PID 2672 wrote to memory of 2912	2672	{ABCF4BDF-8720-48b3-8EA1-7A75C22A9035}.exe	37
PID 2672 wrote to memory of 2912	2672	{ABCF4BDF-8720-48b3-8EA1-7A75C22A9035}.exe	37
PID 2424 wrote to memory of 2740	2424	{40D539C9-4E65-4911-AD26-E9D4467C96BE}.exe	38
PID 2424 wrote to memory of 2740	2424	{40D539C9-4E65-4911-AD26-E9D4467C96BE}.exe	38
PID 2424 wrote to memory of 2740	2424	{40D539C9-4E65-4911-AD26-E9D4467C96BE}.exe	38
PID 2424 wrote to memory of 2740	2424	{40D539C9-4E65-4911-AD26-E9D4467C96BE}.exe	38
PID 2424 wrote to memory of 2776	2424	{40D539C9-4E65-4911-AD26-E9D4467C96BE}.exe	39
PID 2424 wrote to memory of 2776	2424	{40D539C9-4E65-4911-AD26-E9D4467C96BE}.exe	39
PID 2424 wrote to memory of 2776	2424	{40D539C9-4E65-4911-AD26-E9D4467C96BE}.exe	39
PID 2424 wrote to memory of 2776	2424	{40D539C9-4E65-4911-AD26-E9D4467C96BE}.exe	39
PID 2740 wrote to memory of 1660	2740	{9DB4352F-4DFC-4345-9228-AFE7B259D933}.exe	40
PID 2740 wrote to memory of 1660	2740	{9DB4352F-4DFC-4345-9228-AFE7B259D933}.exe	40
PID 2740 wrote to memory of 1660	2740	{9DB4352F-4DFC-4345-9228-AFE7B259D933}.exe	40
PID 2740 wrote to memory of 1660	2740	{9DB4352F-4DFC-4345-9228-AFE7B259D933}.exe	40
PID 2740 wrote to memory of 1712	2740	{9DB4352F-4DFC-4345-9228-AFE7B259D933}.exe	41
PID 2740 wrote to memory of 1712	2740	{9DB4352F-4DFC-4345-9228-AFE7B259D933}.exe	41
PID 2740 wrote to memory of 1712	2740	{9DB4352F-4DFC-4345-9228-AFE7B259D933}.exe	41
PID 2740 wrote to memory of 1712	2740	{9DB4352F-4DFC-4345-9228-AFE7B259D933}.exe	41
PID 1660 wrote to memory of 1688	1660	{62256EAB-0829-48a9-A3B0-85D938AD08D8}.exe	42
PID 1660 wrote to memory of 1688	1660	{62256EAB-0829-48a9-A3B0-85D938AD08D8}.exe	42
PID 1660 wrote to memory of 1688	1660	{62256EAB-0829-48a9-A3B0-85D938AD08D8}.exe	42
PID 1660 wrote to memory of 1688	1660	{62256EAB-0829-48a9-A3B0-85D938AD08D8}.exe	42
PID 1660 wrote to memory of 2580	1660	{62256EAB-0829-48a9-A3B0-85D938AD08D8}.exe	43
PID 1660 wrote to memory of 2580	1660	{62256EAB-0829-48a9-A3B0-85D938AD08D8}.exe	43
PID 1660 wrote to memory of 2580	1660	{62256EAB-0829-48a9-A3B0-85D938AD08D8}.exe	43
PID 1660 wrote to memory of 2580	1660	{62256EAB-0829-48a9-A3B0-85D938AD08D8}.exe	43
PID 1688 wrote to memory of 1200	1688	{5CE98013-6044-4361-B52D-CB3F6C47921D}.exe	44
PID 1688 wrote to memory of 1200	1688	{5CE98013-6044-4361-B52D-CB3F6C47921D}.exe	44
PID 1688 wrote to memory of 1200	1688	{5CE98013-6044-4361-B52D-CB3F6C47921D}.exe	44
PID 1688 wrote to memory of 1200	1688	{5CE98013-6044-4361-B52D-CB3F6C47921D}.exe	44
PID 1688 wrote to memory of 2616	1688	{5CE98013-6044-4361-B52D-CB3F6C47921D}.exe	45
PID 1688 wrote to memory of 2616	1688	{5CE98013-6044-4361-B52D-CB3F6C47921D}.exe	45
PID 1688 wrote to memory of 2616	1688	{5CE98013-6044-4361-B52D-CB3F6C47921D}.exe	45
PID 1688 wrote to memory of 2616	1688	{5CE98013-6044-4361-B52D-CB3F6C47921D}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-04-05_34dcd4ba96462d71e1fa6a8356b7ea1b_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-05_34dcd4ba96462d71e1fa6a8356b7ea1b_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2188
- C:\Windows\{C65FF657-B2C9-4fe7-93C6-8A9E900D86A3}.exe
  C:\Windows\{C65FF657-B2C9-4fe7-93C6-8A9E900D86A3}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1356
- - C:\Windows\{9D5F8BC4-7318-4e23-8468-58C0F359540B}.exe
    C:\Windows\{9D5F8BC4-7318-4e23-8468-58C0F359540B}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2836
  - - C:\Windows\{ABCF4BDF-8720-48b3-8EA1-7A75C22A9035}.exe
      C:\Windows\{ABCF4BDF-8720-48b3-8EA1-7A75C22A9035}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2672
    - - C:\Windows\{40D539C9-4E65-4911-AD26-E9D4467C96BE}.exe
        
        C:\Windows\{40D539C9-4E65-4911-AD26-E9D4467C96BE}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2424
      - C:\Windows\{9DB4352F-4DFC-4345-9228-AFE7B259D933}.exe
        
        C:\Windows\{9DB4352F-4DFC-4345-9228-AFE7B259D933}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2740
        
        C:\Windows\{62256EAB-0829-48a9-A3B0-85D938AD08D8}.exe
        
        C:\Windows\{62256EAB-0829-48a9-A3B0-85D938AD08D8}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1660
        
        C:\Windows\{5CE98013-6044-4361-B52D-CB3F6C47921D}.exe
        
        C:\Windows\{5CE98013-6044-4361-B52D-CB3F6C47921D}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1688
        
        C:\Windows\{592BCE4A-EF74-4ef2-A49C-FF402D1465BC}.exe
        
        C:\Windows\{592BCE4A-EF74-4ef2-A49C-FF402D1465BC}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1200
        
        C:\Windows\{7D06EDC2-D81B-40e7-A20A-5D0E47FB89F3}.exe
        
        C:\Windows\{7D06EDC2-D81B-40e7-A20A-5D0E47FB89F3}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1280
        
        C:\Windows\{CEE6296C-D63F-429d-9658-5A1EEC389DDE}.exe
        
        C:\Windows\{CEE6296C-D63F-429d-9658-5A1EEC389DDE}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2044
        
        C:\Windows\{D683AF0C-DA36-46c4-98C8-7F98AB857BF2}.exe
        
        C:\Windows\{D683AF0C-DA36-46c4-98C8-7F98AB857BF2}.exe
        12⤵
        Executes dropped EXE
        
        PID:2584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CEE62~1.EXE > nul
        12⤵
        
        PID:840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7D06E~1.EXE > nul
        11⤵
        
        PID:1188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{592BC~1.EXE > nul
        10⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5CE98~1.EXE > nul
        9⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{62256~1.EXE > nul
        8⤵
        
        PID:2580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9DB43~1.EXE > nul
        7⤵
        
        PID:1712
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{40D53~1.EXE > nul
        6⤵
        
        PID:2776
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{ABCF4~1.EXE > nul
        5⤵
        
        PID:2912
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{9D5F8~1.EXE > nul
      4⤵
      PID:2376
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{C65FF~1.EXE > nul
    3⤵
    PID:2520
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{40D539C9-4E65-4911-AD26-E9D4467C96BE}.exe

Filesize
168KB

MD5
8981995d023f7c97e711190d9dbedaa8

SHA1
cebf034a2775b2895fe18788b7c4527398151c5e

SHA256
0d6c69d76bb186135f1cc21482d97880ece738c5bf2b8b1923cff07f46ccdbb5

SHA512
c961ea5db852c1fcb094308e43e39f9c5c3eb54fad4cd58c9867383704edd9fb659ecad05d8ba1afb5c7b7cfbbe8ebf8034d003475e874a4c7ae1bc801e9f256

Download Submit
C:\Windows\{592BCE4A-EF74-4ef2-A49C-FF402D1465BC}.exe

Filesize
168KB

MD5
76dc4ebaefbdac899ea913658dbd1484

SHA1
ce81fae4cb4f43ec1d7b0a9e76597b28fa76218e

SHA256
b22055eff2c7c1301ea07ae9e7c4146d83a4d03d04d83699d7e6c8849d1b8764

SHA512
fa89add438c1cff770398fb5ea7742ee70a0bc43362dfe0a337a43c087b5d4b59f98dbfa6daf7b6e9cadf8221a01b75178fe9753712278fb066ccaaaf58402a3

Download Submit
C:\Windows\{5CE98013-6044-4361-B52D-CB3F6C47921D}.exe

Filesize
168KB

MD5
060fcb0a9c4e1a0990996869d5527032

SHA1
83b94cb5abe24075b388f512812c91d5ba0e5f4a

SHA256
7181992c837d0f449456249aebba03f6adba6bede74bb7db8e82271607c7fbf3

SHA512
ba4282e5bee972e0bb566134bf75deb3aa2359ffc02acca81c28b66040c83a73ecf08d0dbe8a9b9fc00dd1ec4e515ee6dea7edeee5bc94bd5d816d6f97774e68

Download Submit
C:\Windows\{62256EAB-0829-48a9-A3B0-85D938AD08D8}.exe

Filesize
168KB

MD5
cc82d9978c800bc919d0028d9f1c8c7e

SHA1
686eefe55d7cd4051fcb30caa2b2c16d8f99cb93

SHA256
bad6081c433104408f4f9ef752baa07a6016e1c3bf1f55fdc8496ad131369600

SHA512
0f37a74efd7e2870a871a34134078a3a4ec71bf9e036fcfb7b80ff03f97f869dd5aa0489f04337dbd763be07589de85315be4c997dba3055f47a31503d0c17f4

Download Submit
C:\Windows\{7D06EDC2-D81B-40e7-A20A-5D0E47FB89F3}.exe

Filesize
168KB

MD5
a0efb70c25814656f91d0cd9684125c5

SHA1
4f4b8eed3117d60b2233f34b6f41bdfa57221166

SHA256
1b84b4bcd492b7e60384ca6dd751d17bc5b282f6e9095f9c6be4617d4f6bcffe

SHA512
d900193888614048519f005c7c0577812e3044f53a4fa6d5aa62d6b921bf7efe2dfb6a994110c2a208bd1516144f752c77d7b4c7dbdea89742df03fd920828cc

Download Submit
C:\Windows\{9D5F8BC4-7318-4e23-8468-58C0F359540B}.exe

Filesize
168KB

MD5
74bbe6123ed8b852922162fd780d0583

SHA1
7b0b2533b2b4b525f7716210f368d4dce24504c2

SHA256
3039c2098de3ba66a391ada15d6e021feb07017dae19d73de5f10daa6775f793

SHA512
30d6d19f30d6c60b0d6e64538cd1ab006bc6ebef6777a4111748ebc33428804fd6547c3f2cfb8bd06cf623af59374f959f6bab1db026266aef2ee9851104f1f4

Download Submit
C:\Windows\{9DB4352F-4DFC-4345-9228-AFE7B259D933}.exe

Filesize
168KB

MD5
ad2bec13745547684ff54f51e61adfa5

SHA1
7a877a6a8306b7313cff996fc1a79f4a4009075a

SHA256
bdf416b97b631f6555a620d504c1a9163622815199eb2adc3a81643418c4da57

SHA512
6d6b507515447b54491a1804f5873c3e2f16796d52397718378ff7e093a0f561121237c6b63f63dc1c6dd58d00a091cbbc86694a0f7c194f65ae2757ee698c74

Download Submit
C:\Windows\{ABCF4BDF-8720-48b3-8EA1-7A75C22A9035}.exe

Filesize
168KB

MD5
25600a1f4f8859bf367aaae14da46ee0

SHA1
e8aca898007da622823b519ddc84d7e393f7c114

SHA256
20394db4e2793fea75bdb66713cf928f8cadf46006cac58ebf03fbfdaf1ded1f

SHA512
7ffe7d3b9c7355e037e20af8c450304baa9b186b6879b92f1a9a56e90c27138e97a494730c8a865a48da06eee5a930723ec63d5a7e4f0e45e791b8aff4c922eb

Download Submit
C:\Windows\{C65FF657-B2C9-4fe7-93C6-8A9E900D86A3}.exe

Filesize
168KB

MD5
39a8a8caebe592dc68d11111eeaa314d

SHA1
b4fe775332cb79b3a1abf2b4b3947e59c9495e7b

SHA256
9b5cea98c3679643e601288f9d330e98382f3755edb8abd6368514b1f2037995

SHA512
c7d610c5ab9fda887f5d3083e2d514c70291dbef4501f5755b2ef03dd0c776907c608f2fac953ee73b9ec77405d789a0ee76716f514e1a267b32938106671132

Download Submit
C:\Windows\{CEE6296C-D63F-429d-9658-5A1EEC389DDE}.exe

Filesize
168KB

MD5
8484f998c9e842bea44b3b13f1df1422

SHA1
be65098da98f19f7b9529866ee50aeca47188932

SHA256
d3911629bd1f194d3f2418fc78600879e57c27d31e98439699570a996ec55463

SHA512
21b5db6ab228d8022f3f00e16951b61e919e1cf3ca389eff1af2bce731e92a2b30d95393f17d1d92580e1483d8b3e100f44fea3b5807e5902e137975039c070d

Download Submit
C:\Windows\{D683AF0C-DA36-46c4-98C8-7F98AB857BF2}.exe

Filesize
168KB

MD5
a3513bb55e767f60ef4d6599a429a006

SHA1
be039f90e711a9879fe278f913c77d5372b98a90

SHA256
614e3b105309189eabaddf86c6dba6e54d004a6da621d83da365e8f14c17bdf5

SHA512
953dddfb71d6c02bc84d9650d698153d2fb921a8afedc8261c4454ff160e56f9e8ccd29142ed4696dcf04815d5e6462d105a5208fece1414df6c59a6222db519

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads