f1a053e823d69bfa1f70e8755300b5b76b429cf0a8435bd5e72b1f169a9381ed

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
09-04-2024 18:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-09_4de9dd0b8583dfd946e49655960f398f_goldeneye.exe
Size

380KB
MD5

4de9dd0b8583dfd946e49655960f398f
SHA1

c99cd58c5999a760fd12d3bfc9cc444efa2f0f2e
SHA256

f1a053e823d69bfa1f70e8755300b5b76b429cf0a8435bd5e72b1f169a9381ed
SHA512

f221408838dfe85f660c075325b7fa1409827168f411ae24917be7933cd2b26f3dc44b5cfe51a38532191e55ee63e8e72c012272c935156bda0c94102c49fe8f
SSDEEP

3072:mEGh0ovlPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGll7Oe2MUVg3v2IneKcAEcARy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000c00000001223a-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d0000000122a3-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d00000001223a-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000300000000b1f2-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000400000000b1f2-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000500000000b1f2-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000600000000b1f2-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6296E51F-8E42-4fca-B8EB-CD45498FFD7E}\stubpath = "C:\\Windows\\{6296E51F-8E42-4fca-B8EB-CD45498FFD7E}.exe"	{BAB05DE5-B63E-46d0-BEC6-088059F3BE9C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EB9C30B0-9434-4034-B2BD-F4F03FBF2550}\stubpath = "C:\\Windows\\{EB9C30B0-9434-4034-B2BD-F4F03FBF2550}.exe"	{6296E51F-8E42-4fca-B8EB-CD45498FFD7E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7B68E358-9A52-4648-B376-9C7A292E3567}\stubpath = "C:\\Windows\\{7B68E358-9A52-4648-B376-9C7A292E3567}.exe"	{EB9C30B0-9434-4034-B2BD-F4F03FBF2550}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9BCE9B71-98DE-422e-AA65-7E04F9964A4C}\stubpath = "C:\\Windows\\{9BCE9B71-98DE-422e-AA65-7E04F9964A4C}.exe"	{5E5FAFE7-310A-45a3-9737-2A69AB6A3566}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7C22089E-B1FE-41a8-A6A0-23E03EA0CCA9}\stubpath = "C:\\Windows\\{7C22089E-B1FE-41a8-A6A0-23E03EA0CCA9}.exe"	{9BCE9B71-98DE-422e-AA65-7E04F9964A4C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{27F532F4-DC87-4700-ADFD-EDF10824FE05}\stubpath = "C:\\Windows\\{27F532F4-DC87-4700-ADFD-EDF10824FE05}.exe"	{7C22089E-B1FE-41a8-A6A0-23E03EA0CCA9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BAB05DE5-B63E-46d0-BEC6-088059F3BE9C}	{A6DD4B3D-6789-4e62-8FE9-37D34675BA76}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{97ED41FD-1844-402c-A666-9A28A7DEBAB0}\stubpath = "C:\\Windows\\{97ED41FD-1844-402c-A666-9A28A7DEBAB0}.exe"	{42F86685-7097-42a8-BB2D-36381AAAAC77}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5E5FAFE7-310A-45a3-9737-2A69AB6A3566}\stubpath = "C:\\Windows\\{5E5FAFE7-310A-45a3-9737-2A69AB6A3566}.exe"	{97ED41FD-1844-402c-A666-9A28A7DEBAB0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A6DD4B3D-6789-4e62-8FE9-37D34675BA76}	2024-04-09_4de9dd0b8583dfd946e49655960f398f_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BAB05DE5-B63E-46d0-BEC6-088059F3BE9C}\stubpath = "C:\\Windows\\{BAB05DE5-B63E-46d0-BEC6-088059F3BE9C}.exe"	{A6DD4B3D-6789-4e62-8FE9-37D34675BA76}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6296E51F-8E42-4fca-B8EB-CD45498FFD7E}	{BAB05DE5-B63E-46d0-BEC6-088059F3BE9C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7B68E358-9A52-4648-B376-9C7A292E3567}	{EB9C30B0-9434-4034-B2BD-F4F03FBF2550}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{42F86685-7097-42a8-BB2D-36381AAAAC77}\stubpath = "C:\\Windows\\{42F86685-7097-42a8-BB2D-36381AAAAC77}.exe"	{7B68E358-9A52-4648-B376-9C7A292E3567}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5E5FAFE7-310A-45a3-9737-2A69AB6A3566}	{97ED41FD-1844-402c-A666-9A28A7DEBAB0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9BCE9B71-98DE-422e-AA65-7E04F9964A4C}	{5E5FAFE7-310A-45a3-9737-2A69AB6A3566}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A6DD4B3D-6789-4e62-8FE9-37D34675BA76}\stubpath = "C:\\Windows\\{A6DD4B3D-6789-4e62-8FE9-37D34675BA76}.exe"	2024-04-09_4de9dd0b8583dfd946e49655960f398f_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EB9C30B0-9434-4034-B2BD-F4F03FBF2550}	{6296E51F-8E42-4fca-B8EB-CD45498FFD7E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{42F86685-7097-42a8-BB2D-36381AAAAC77}	{7B68E358-9A52-4648-B376-9C7A292E3567}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{97ED41FD-1844-402c-A666-9A28A7DEBAB0}	{42F86685-7097-42a8-BB2D-36381AAAAC77}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7C22089E-B1FE-41a8-A6A0-23E03EA0CCA9}	{9BCE9B71-98DE-422e-AA65-7E04F9964A4C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{27F532F4-DC87-4700-ADFD-EDF10824FE05}	{7C22089E-B1FE-41a8-A6A0-23E03EA0CCA9}.exe

Deletes itself 1 IoCs

pid	Process
2560	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2512	{A6DD4B3D-6789-4e62-8FE9-37D34675BA76}.exe
2504	{BAB05DE5-B63E-46d0-BEC6-088059F3BE9C}.exe
2764	{6296E51F-8E42-4fca-B8EB-CD45498FFD7E}.exe
2356	{EB9C30B0-9434-4034-B2BD-F4F03FBF2550}.exe
2052	{7B68E358-9A52-4648-B376-9C7A292E3567}.exe
2424	{42F86685-7097-42a8-BB2D-36381AAAAC77}.exe
1956	{97ED41FD-1844-402c-A666-9A28A7DEBAB0}.exe
2112	{5E5FAFE7-310A-45a3-9737-2A69AB6A3566}.exe
1924	{9BCE9B71-98DE-422e-AA65-7E04F9964A4C}.exe
2832	{7C22089E-B1FE-41a8-A6A0-23E03EA0CCA9}.exe
1480	{27F532F4-DC87-4700-ADFD-EDF10824FE05}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{5E5FAFE7-310A-45a3-9737-2A69AB6A3566}.exe	{97ED41FD-1844-402c-A666-9A28A7DEBAB0}.exe
File created	C:\Windows\{9BCE9B71-98DE-422e-AA65-7E04F9964A4C}.exe	{5E5FAFE7-310A-45a3-9737-2A69AB6A3566}.exe
File created	C:\Windows\{7C22089E-B1FE-41a8-A6A0-23E03EA0CCA9}.exe	{9BCE9B71-98DE-422e-AA65-7E04F9964A4C}.exe
File created	C:\Windows\{A6DD4B3D-6789-4e62-8FE9-37D34675BA76}.exe	2024-04-09_4de9dd0b8583dfd946e49655960f398f_goldeneye.exe
File created	C:\Windows\{BAB05DE5-B63E-46d0-BEC6-088059F3BE9C}.exe	{A6DD4B3D-6789-4e62-8FE9-37D34675BA76}.exe
File created	C:\Windows\{EB9C30B0-9434-4034-B2BD-F4F03FBF2550}.exe	{6296E51F-8E42-4fca-B8EB-CD45498FFD7E}.exe
File created	C:\Windows\{97ED41FD-1844-402c-A666-9A28A7DEBAB0}.exe	{42F86685-7097-42a8-BB2D-36381AAAAC77}.exe
File created	C:\Windows\{6296E51F-8E42-4fca-B8EB-CD45498FFD7E}.exe	{BAB05DE5-B63E-46d0-BEC6-088059F3BE9C}.exe
File created	C:\Windows\{7B68E358-9A52-4648-B376-9C7A292E3567}.exe	{EB9C30B0-9434-4034-B2BD-F4F03FBF2550}.exe
File created	C:\Windows\{42F86685-7097-42a8-BB2D-36381AAAAC77}.exe	{7B68E358-9A52-4648-B376-9C7A292E3567}.exe
File created	C:\Windows\{27F532F4-DC87-4700-ADFD-EDF10824FE05}.exe	{7C22089E-B1FE-41a8-A6A0-23E03EA0CCA9}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1808	2024-04-09_4de9dd0b8583dfd946e49655960f398f_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2512	{A6DD4B3D-6789-4e62-8FE9-37D34675BA76}.exe
Token: SeIncBasePriorityPrivilege	2504	{BAB05DE5-B63E-46d0-BEC6-088059F3BE9C}.exe
Token: SeIncBasePriorityPrivilege	2764	{6296E51F-8E42-4fca-B8EB-CD45498FFD7E}.exe
Token: SeIncBasePriorityPrivilege	2356	{EB9C30B0-9434-4034-B2BD-F4F03FBF2550}.exe
Token: SeIncBasePriorityPrivilege	2052	{7B68E358-9A52-4648-B376-9C7A292E3567}.exe
Token: SeIncBasePriorityPrivilege	2424	{42F86685-7097-42a8-BB2D-36381AAAAC77}.exe
Token: SeIncBasePriorityPrivilege	1956	{97ED41FD-1844-402c-A666-9A28A7DEBAB0}.exe
Token: SeIncBasePriorityPrivilege	2112	{5E5FAFE7-310A-45a3-9737-2A69AB6A3566}.exe
Token: SeIncBasePriorityPrivilege	1924	{9BCE9B71-98DE-422e-AA65-7E04F9964A4C}.exe
Token: SeIncBasePriorityPrivilege	2832	{7C22089E-B1FE-41a8-A6A0-23E03EA0CCA9}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1808 wrote to memory of 2512	1808	2024-04-09_4de9dd0b8583dfd946e49655960f398f_goldeneye.exe	28
PID 1808 wrote to memory of 2512	1808	2024-04-09_4de9dd0b8583dfd946e49655960f398f_goldeneye.exe	28
PID 1808 wrote to memory of 2512	1808	2024-04-09_4de9dd0b8583dfd946e49655960f398f_goldeneye.exe	28
PID 1808 wrote to memory of 2512	1808	2024-04-09_4de9dd0b8583dfd946e49655960f398f_goldeneye.exe	28
PID 1808 wrote to memory of 2560	1808	2024-04-09_4de9dd0b8583dfd946e49655960f398f_goldeneye.exe	29
PID 1808 wrote to memory of 2560	1808	2024-04-09_4de9dd0b8583dfd946e49655960f398f_goldeneye.exe	29
PID 1808 wrote to memory of 2560	1808	2024-04-09_4de9dd0b8583dfd946e49655960f398f_goldeneye.exe	29
PID 1808 wrote to memory of 2560	1808	2024-04-09_4de9dd0b8583dfd946e49655960f398f_goldeneye.exe	29
PID 2512 wrote to memory of 2504	2512	{A6DD4B3D-6789-4e62-8FE9-37D34675BA76}.exe	30
PID 2512 wrote to memory of 2504	2512	{A6DD4B3D-6789-4e62-8FE9-37D34675BA76}.exe	30
PID 2512 wrote to memory of 2504	2512	{A6DD4B3D-6789-4e62-8FE9-37D34675BA76}.exe	30
PID 2512 wrote to memory of 2504	2512	{A6DD4B3D-6789-4e62-8FE9-37D34675BA76}.exe	30
PID 2512 wrote to memory of 2820	2512	{A6DD4B3D-6789-4e62-8FE9-37D34675BA76}.exe	31
PID 2512 wrote to memory of 2820	2512	{A6DD4B3D-6789-4e62-8FE9-37D34675BA76}.exe	31
PID 2512 wrote to memory of 2820	2512	{A6DD4B3D-6789-4e62-8FE9-37D34675BA76}.exe	31
PID 2512 wrote to memory of 2820	2512	{A6DD4B3D-6789-4e62-8FE9-37D34675BA76}.exe	31
PID 2504 wrote to memory of 2764	2504	{BAB05DE5-B63E-46d0-BEC6-088059F3BE9C}.exe	32
PID 2504 wrote to memory of 2764	2504	{BAB05DE5-B63E-46d0-BEC6-088059F3BE9C}.exe	32
PID 2504 wrote to memory of 2764	2504	{BAB05DE5-B63E-46d0-BEC6-088059F3BE9C}.exe	32
PID 2504 wrote to memory of 2764	2504	{BAB05DE5-B63E-46d0-BEC6-088059F3BE9C}.exe	32
PID 2504 wrote to memory of 2420	2504	{BAB05DE5-B63E-46d0-BEC6-088059F3BE9C}.exe	33
PID 2504 wrote to memory of 2420	2504	{BAB05DE5-B63E-46d0-BEC6-088059F3BE9C}.exe	33
PID 2504 wrote to memory of 2420	2504	{BAB05DE5-B63E-46d0-BEC6-088059F3BE9C}.exe	33
PID 2504 wrote to memory of 2420	2504	{BAB05DE5-B63E-46d0-BEC6-088059F3BE9C}.exe	33
PID 2764 wrote to memory of 2356	2764	{6296E51F-8E42-4fca-B8EB-CD45498FFD7E}.exe	36
PID 2764 wrote to memory of 2356	2764	{6296E51F-8E42-4fca-B8EB-CD45498FFD7E}.exe	36
PID 2764 wrote to memory of 2356	2764	{6296E51F-8E42-4fca-B8EB-CD45498FFD7E}.exe	36
PID 2764 wrote to memory of 2356	2764	{6296E51F-8E42-4fca-B8EB-CD45498FFD7E}.exe	36
PID 2764 wrote to memory of 2440	2764	{6296E51F-8E42-4fca-B8EB-CD45498FFD7E}.exe	37
PID 2764 wrote to memory of 2440	2764	{6296E51F-8E42-4fca-B8EB-CD45498FFD7E}.exe	37
PID 2764 wrote to memory of 2440	2764	{6296E51F-8E42-4fca-B8EB-CD45498FFD7E}.exe	37
PID 2764 wrote to memory of 2440	2764	{6296E51F-8E42-4fca-B8EB-CD45498FFD7E}.exe	37
PID 2356 wrote to memory of 2052	2356	{EB9C30B0-9434-4034-B2BD-F4F03FBF2550}.exe	38
PID 2356 wrote to memory of 2052	2356	{EB9C30B0-9434-4034-B2BD-F4F03FBF2550}.exe	38
PID 2356 wrote to memory of 2052	2356	{EB9C30B0-9434-4034-B2BD-F4F03FBF2550}.exe	38
PID 2356 wrote to memory of 2052	2356	{EB9C30B0-9434-4034-B2BD-F4F03FBF2550}.exe	38
PID 2356 wrote to memory of 1564	2356	{EB9C30B0-9434-4034-B2BD-F4F03FBF2550}.exe	39
PID 2356 wrote to memory of 1564	2356	{EB9C30B0-9434-4034-B2BD-F4F03FBF2550}.exe	39
PID 2356 wrote to memory of 1564	2356	{EB9C30B0-9434-4034-B2BD-F4F03FBF2550}.exe	39
PID 2356 wrote to memory of 1564	2356	{EB9C30B0-9434-4034-B2BD-F4F03FBF2550}.exe	39
PID 2052 wrote to memory of 2424	2052	{7B68E358-9A52-4648-B376-9C7A292E3567}.exe	40
PID 2052 wrote to memory of 2424	2052	{7B68E358-9A52-4648-B376-9C7A292E3567}.exe	40
PID 2052 wrote to memory of 2424	2052	{7B68E358-9A52-4648-B376-9C7A292E3567}.exe	40
PID 2052 wrote to memory of 2424	2052	{7B68E358-9A52-4648-B376-9C7A292E3567}.exe	40
PID 2052 wrote to memory of 2700	2052	{7B68E358-9A52-4648-B376-9C7A292E3567}.exe	41
PID 2052 wrote to memory of 2700	2052	{7B68E358-9A52-4648-B376-9C7A292E3567}.exe	41
PID 2052 wrote to memory of 2700	2052	{7B68E358-9A52-4648-B376-9C7A292E3567}.exe	41
PID 2052 wrote to memory of 2700	2052	{7B68E358-9A52-4648-B376-9C7A292E3567}.exe	41
PID 2424 wrote to memory of 1956	2424	{42F86685-7097-42a8-BB2D-36381AAAAC77}.exe	42
PID 2424 wrote to memory of 1956	2424	{42F86685-7097-42a8-BB2D-36381AAAAC77}.exe	42
PID 2424 wrote to memory of 1956	2424	{42F86685-7097-42a8-BB2D-36381AAAAC77}.exe	42
PID 2424 wrote to memory of 1956	2424	{42F86685-7097-42a8-BB2D-36381AAAAC77}.exe	42
PID 2424 wrote to memory of 2720	2424	{42F86685-7097-42a8-BB2D-36381AAAAC77}.exe	43
PID 2424 wrote to memory of 2720	2424	{42F86685-7097-42a8-BB2D-36381AAAAC77}.exe	43
PID 2424 wrote to memory of 2720	2424	{42F86685-7097-42a8-BB2D-36381AAAAC77}.exe	43
PID 2424 wrote to memory of 2720	2424	{42F86685-7097-42a8-BB2D-36381AAAAC77}.exe	43
PID 1956 wrote to memory of 2112	1956	{97ED41FD-1844-402c-A666-9A28A7DEBAB0}.exe	44
PID 1956 wrote to memory of 2112	1956	{97ED41FD-1844-402c-A666-9A28A7DEBAB0}.exe	44
PID 1956 wrote to memory of 2112	1956	{97ED41FD-1844-402c-A666-9A28A7DEBAB0}.exe	44
PID 1956 wrote to memory of 2112	1956	{97ED41FD-1844-402c-A666-9A28A7DEBAB0}.exe	44
PID 1956 wrote to memory of 756	1956	{97ED41FD-1844-402c-A666-9A28A7DEBAB0}.exe	45
PID 1956 wrote to memory of 756	1956	{97ED41FD-1844-402c-A666-9A28A7DEBAB0}.exe	45
PID 1956 wrote to memory of 756	1956	{97ED41FD-1844-402c-A666-9A28A7DEBAB0}.exe	45
PID 1956 wrote to memory of 756	1956	{97ED41FD-1844-402c-A666-9A28A7DEBAB0}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-04-09_4de9dd0b8583dfd946e49655960f398f_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-09_4de9dd0b8583dfd946e49655960f398f_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1808
- C:\Windows\{A6DD4B3D-6789-4e62-8FE9-37D34675BA76}.exe
  C:\Windows\{A6DD4B3D-6789-4e62-8FE9-37D34675BA76}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2512
- - C:\Windows\{BAB05DE5-B63E-46d0-BEC6-088059F3BE9C}.exe
    C:\Windows\{BAB05DE5-B63E-46d0-BEC6-088059F3BE9C}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2504
  - - C:\Windows\{6296E51F-8E42-4fca-B8EB-CD45498FFD7E}.exe
      C:\Windows\{6296E51F-8E42-4fca-B8EB-CD45498FFD7E}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2764
    - - C:\Windows\{EB9C30B0-9434-4034-B2BD-F4F03FBF2550}.exe
        
        C:\Windows\{EB9C30B0-9434-4034-B2BD-F4F03FBF2550}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2356
      - C:\Windows\{7B68E358-9A52-4648-B376-9C7A292E3567}.exe
        
        C:\Windows\{7B68E358-9A52-4648-B376-9C7A292E3567}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2052
        
        C:\Windows\{42F86685-7097-42a8-BB2D-36381AAAAC77}.exe
        
        C:\Windows\{42F86685-7097-42a8-BB2D-36381AAAAC77}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2424
        
        C:\Windows\{97ED41FD-1844-402c-A666-9A28A7DEBAB0}.exe
        
        C:\Windows\{97ED41FD-1844-402c-A666-9A28A7DEBAB0}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1956
        
        C:\Windows\{5E5FAFE7-310A-45a3-9737-2A69AB6A3566}.exe
        
        C:\Windows\{5E5FAFE7-310A-45a3-9737-2A69AB6A3566}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2112
        
        C:\Windows\{9BCE9B71-98DE-422e-AA65-7E04F9964A4C}.exe
        
        C:\Windows\{9BCE9B71-98DE-422e-AA65-7E04F9964A4C}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1924
        
        C:\Windows\{7C22089E-B1FE-41a8-A6A0-23E03EA0CCA9}.exe
        
        C:\Windows\{7C22089E-B1FE-41a8-A6A0-23E03EA0CCA9}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2832
        
        C:\Windows\{27F532F4-DC87-4700-ADFD-EDF10824FE05}.exe
        
        C:\Windows\{27F532F4-DC87-4700-ADFD-EDF10824FE05}.exe
        12⤵
        Executes dropped EXE
        
        PID:1480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7C220~1.EXE > nul
        12⤵
        
        PID:1476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9BCE9~1.EXE > nul
        11⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5E5FA~1.EXE > nul
        10⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{97ED4~1.EXE > nul
        9⤵
        
        PID:756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{42F86~1.EXE > nul
        8⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7B68E~1.EXE > nul
        7⤵
        
        PID:2700
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EB9C3~1.EXE > nul
        6⤵
        
        PID:1564
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6296E~1.EXE > nul
        5⤵
        
        PID:2440
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{BAB05~1.EXE > nul
      4⤵
      PID:2420
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{A6DD4~1.EXE > nul
    3⤵
    PID:2820
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{27F532F4-DC87-4700-ADFD-EDF10824FE05}.exe

Filesize
380KB

MD5
b2456543d5f5c7b0d44cb3e547c66a4b

SHA1
3b21cf88a69ea9097f26590c6578be2633b81443

SHA256
6ba823569cf46d366e0e1e77b5ec80129b797f7cf372a0ded8acd3300cc6b638

SHA512
da9a16e98538d5c727fad2613c324882598542a9bfc1a091c35c82e01de718dce675bcb393eff322285b0c38979797e70f98237376a9259437c796581b2c2132

Download Submit
C:\Windows\{42F86685-7097-42a8-BB2D-36381AAAAC77}.exe

Filesize
380KB

MD5
b3ad33013e52f926068af62bfbb1f709

SHA1
5b4a21644f8a5703ba7199e27c3b84a9512c9129

SHA256
645d07fc317e89e2c724393507fc9eb71e961e862c593105daffa772f0d15ddc

SHA512
6b70b9b6decc6113aa8ac821a0c26eace044722179af76663fa15d93a80d6c3e74a1765bd215e0d369b1b1aa07a70890ec305536f0c2f7b5e6565ede604add04

Download Submit
C:\Windows\{5E5FAFE7-310A-45a3-9737-2A69AB6A3566}.exe

Filesize
380KB

MD5
a692007bfd299e1f833ea89b8eb9d14d

SHA1
4570257e1a389813f338f2c3526018987390bd89

SHA256
bc53e5c14254c25bef0d17d434d3317f7820f29b7f1b411607941e899986a118

SHA512
6b5338b88982aecf2431000091dda028b6e8e7c4480ca96b7a06a485cfb47b170dca645fd2ff378a78ba5d3cf6cd6527228d3a5759c3dbc4c04ace69e31bb947

Download Submit
C:\Windows\{6296E51F-8E42-4fca-B8EB-CD45498FFD7E}.exe

Filesize
380KB

MD5
fe48686db46d1c1e5c639df8f9013874

SHA1
71ea9f5ecfa92ef3629297e0c1d1ac597109ff2d

SHA256
44006a831da9cadb2801f6870300d502fd7e18cef7790982fd973fcf1234e190

SHA512
94400d5ba4e847bc5200f628c7c7db73ecb8ab2011bd6f7344ca67cf215915737acd6ac5dcd1be905287572465fb032efb5c603b30666361bde468c91efde1f4

Download Submit
C:\Windows\{7B68E358-9A52-4648-B376-9C7A292E3567}.exe

Filesize
380KB

MD5
503e416810829a0c7c93635169ba1887

SHA1
524a22f4ead3d9025906bf69ed59936352ab8a9b

SHA256
1b649707bede41fe4346e0226c3b6870f16752eecc1cca6361e48cae5501a2b6

SHA512
58370f354fe0ee260084d6c87e53e06b4b78ff92ee4cd2191d85cb5a1f973176cfb52d1878580230c4222b4d0db73831eaf833ccef7a3d1a8501230c75a2c3f9

Download Submit
C:\Windows\{7C22089E-B1FE-41a8-A6A0-23E03EA0CCA9}.exe

Filesize
380KB

MD5
9d5e777d0eb266dd47a9b04a035e309e

SHA1
2228f97d90a6c070b1bf33cee32e855cf19e5f48

SHA256
c1ae4240902ecb8663093f18f28c7480e40d6ad79915b91034ac3659923474f8

SHA512
0d2a749e57023550326b6b3146ae82d5c736db65a3a196e835a4df7471f2a4615a9fbf0ed7e9b989eb633c00d0082f31ba5152357562550f2db037c9e4b98406

Download Submit
C:\Windows\{97ED41FD-1844-402c-A666-9A28A7DEBAB0}.exe

Filesize
380KB

MD5
835e35faf601d01e4ac834b0e479bea3

SHA1
c78afb719d5535eee47b6971d4d80b3d6d6b4905

SHA256
daf8d9147f39a57c3c62b41b12f4eaae2ea75e2c5b8e49d4a6a9782196896312

SHA512
2d6935decdb1c114766824d202746d84b4e304062083d0404be89e31f187977cff2640cce38d7aa0cce8522b3b6b3988f77796a02b4f20131ede549b64d95afc

Download Submit
C:\Windows\{9BCE9B71-98DE-422e-AA65-7E04F9964A4C}.exe

Filesize
380KB

MD5
aa205a4b8fb4156778ef40207d2e3148

SHA1
cd5f0691c260d0e1785532142a6dd0b9801f7460

SHA256
4e013d1a788b965bd757da1ad4cd3ec770a1c344bca95bc426ef591f42884b87

SHA512
2bdbcd0e083c272ab7eb50c55a6b22016cbf75bb76bf14c089c2f6ef6755cb0d9b8c0433e5a5346875eca4070ffc01ea703ad57911ad1ea9268276dc9a868615

Download Submit
C:\Windows\{A6DD4B3D-6789-4e62-8FE9-37D34675BA76}.exe

Filesize
380KB

MD5
76aa67558dda52f010687692ccf1f198

SHA1
e7c97ef627d55c95b46edeb4cb6a72edd83ec4ca

SHA256
0965692f393f96703097cefc6d5c0631312a664e86089af1810abdddaae21c92

SHA512
8a054829ac3138e35560d1a191cbcc133d80dab46e5a3ba5185c084cea1907e7d5fc4fc2331d8eee396b5131088c980093f55e03e969b3322765caceb094572f

Download Submit
C:\Windows\{BAB05DE5-B63E-46d0-BEC6-088059F3BE9C}.exe

Filesize
380KB

MD5
52ddba028b5c1e54bff0d15dddaac3ad

SHA1
b7977c13bbfd75fe3bc68738065ad6e14a4ba13d

SHA256
1ff4da90c502ec05226dbb1c84ec28cb1cce3f914230f6b72519e94cb26e8e8d

SHA512
da20ecf445dcbd5fb6cc3c8b8ce616be298b3f69f8ffca508afcb88869eb69fa3174ffd82cab851176c5f89618bc153681898c3c5928cbbac739e94f3c9b23eb

Download Submit
C:\Windows\{EB9C30B0-9434-4034-B2BD-F4F03FBF2550}.exe

Filesize
380KB

MD5
ec914d9b93f85b2fcb0251a14c141bb2

SHA1
752bb6608d4f90d89a25d9d71d6cb265692989cb

SHA256
8086b67e97fa9e4de32c021e3900147b19b3d1433497ab3e51d940cafb5e3a58

SHA512
1a5d45f87cd783fba13f9cdea0644dabf6c7d5c9f834620abd38420a0bd5ec9a5bf8212c64679b36189bb5dabc3f2e67221fc409b52b54bbee6437d1268930b5

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads