5d4d1fb3107331b8802beab9c9441b5ad48ff4a0935d52d40af7aa63583e9d71

Analysis

max time kernel
144s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
11/04/2024, 04:30

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-04-11_2c524acf81d9f5957816e41a70e885c8_goldeneye.exe
Size

197KB
MD5

2c524acf81d9f5957816e41a70e885c8
SHA1

3db935e1dc7d1673a0a759e62ef02b70937c275d
SHA256

5d4d1fb3107331b8802beab9c9441b5ad48ff4a0935d52d40af7aa63583e9d71
SHA512

50bdc54d32f3889c132c0a08060c3e07366558cd2afeda30bdb53f17e5fcbb6f41c831e7f4d424c3bea0b368b7a721eee418416bbd3adb6cafce2f1ec95109a8
SSDEEP

3072:jEGh0oZl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEG/lEeKcAEca

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000900000001224f-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000012302-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a00000001224f-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0030000000015c8a-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000900000000f6f2-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b00000001224f-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a00000000f6f2-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c00000001224f-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b00000000f6f2-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d00000001224f-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c00000000f6f2-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AC907D1A-99DA-4de9-9B28-1DFFDF87614B}\stubpath = "C:\\Windows\\{AC907D1A-99DA-4de9-9B28-1DFFDF87614B}.exe"	{1797856B-1CF1-4d8a-AB13-4E3E4B54DA32}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{95438E10-3B7F-4cff-8DD4-C7BA342E846A}\stubpath = "C:\\Windows\\{95438E10-3B7F-4cff-8DD4-C7BA342E846A}.exe"	{0F33F3B3-224F-4010-B1D1-362D13F10EF1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CC812340-C3A8-46ad-B538-3B78E76764C0}	{FBEA487E-866F-4f80-949F-0BC50851F933}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{64C32401-6A7E-4193-AB98-98752496E5E7}	{2488240A-6FE0-4ad5-9E54-2E11061C06A8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{64C32401-6A7E-4193-AB98-98752496E5E7}\stubpath = "C:\\Windows\\{64C32401-6A7E-4193-AB98-98752496E5E7}.exe"	{2488240A-6FE0-4ad5-9E54-2E11061C06A8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1797856B-1CF1-4d8a-AB13-4E3E4B54DA32}\stubpath = "C:\\Windows\\{1797856B-1CF1-4d8a-AB13-4E3E4B54DA32}.exe"	{64C32401-6A7E-4193-AB98-98752496E5E7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0F33F3B3-224F-4010-B1D1-362D13F10EF1}	{AC907D1A-99DA-4de9-9B28-1DFFDF87614B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0F33F3B3-224F-4010-B1D1-362D13F10EF1}\stubpath = "C:\\Windows\\{0F33F3B3-224F-4010-B1D1-362D13F10EF1}.exe"	{AC907D1A-99DA-4de9-9B28-1DFFDF87614B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{95438E10-3B7F-4cff-8DD4-C7BA342E846A}	{0F33F3B3-224F-4010-B1D1-362D13F10EF1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2DA988AE-1A8B-4020-8526-A21F30B8250F}	{95438E10-3B7F-4cff-8DD4-C7BA342E846A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B8154EBC-4A07-49f2-A0E9-2927DAD15276}	{2DA988AE-1A8B-4020-8526-A21F30B8250F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2488240A-6FE0-4ad5-9E54-2E11061C06A8}	2024-04-11_2c524acf81d9f5957816e41a70e885c8_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2488240A-6FE0-4ad5-9E54-2E11061C06A8}\stubpath = "C:\\Windows\\{2488240A-6FE0-4ad5-9E54-2E11061C06A8}.exe"	2024-04-11_2c524acf81d9f5957816e41a70e885c8_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B8154EBC-4A07-49f2-A0E9-2927DAD15276}\stubpath = "C:\\Windows\\{B8154EBC-4A07-49f2-A0E9-2927DAD15276}.exe"	{2DA988AE-1A8B-4020-8526-A21F30B8250F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0807AFD1-A977-4fe9-9606-C2CCC8041B16}	{CC812340-C3A8-46ad-B538-3B78E76764C0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2DA988AE-1A8B-4020-8526-A21F30B8250F}\stubpath = "C:\\Windows\\{2DA988AE-1A8B-4020-8526-A21F30B8250F}.exe"	{95438E10-3B7F-4cff-8DD4-C7BA342E846A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FBEA487E-866F-4f80-949F-0BC50851F933}\stubpath = "C:\\Windows\\{FBEA487E-866F-4f80-949F-0BC50851F933}.exe"	{B8154EBC-4A07-49f2-A0E9-2927DAD15276}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0807AFD1-A977-4fe9-9606-C2CCC8041B16}\stubpath = "C:\\Windows\\{0807AFD1-A977-4fe9-9606-C2CCC8041B16}.exe"	{CC812340-C3A8-46ad-B538-3B78E76764C0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1797856B-1CF1-4d8a-AB13-4E3E4B54DA32}	{64C32401-6A7E-4193-AB98-98752496E5E7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AC907D1A-99DA-4de9-9B28-1DFFDF87614B}	{1797856B-1CF1-4d8a-AB13-4E3E4B54DA32}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FBEA487E-866F-4f80-949F-0BC50851F933}	{B8154EBC-4A07-49f2-A0E9-2927DAD15276}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CC812340-C3A8-46ad-B538-3B78E76764C0}\stubpath = "C:\\Windows\\{CC812340-C3A8-46ad-B538-3B78E76764C0}.exe"	{FBEA487E-866F-4f80-949F-0BC50851F933}.exe

Executes dropped EXE 11 IoCs

pid	Process
2580	{2488240A-6FE0-4ad5-9E54-2E11061C06A8}.exe
2556	{64C32401-6A7E-4193-AB98-98752496E5E7}.exe
2896	{1797856B-1CF1-4d8a-AB13-4E3E4B54DA32}.exe
2384	{AC907D1A-99DA-4de9-9B28-1DFFDF87614B}.exe
2696	{0F33F3B3-224F-4010-B1D1-362D13F10EF1}.exe
1672	{95438E10-3B7F-4cff-8DD4-C7BA342E846A}.exe
1704	{2DA988AE-1A8B-4020-8526-A21F30B8250F}.exe
684	{B8154EBC-4A07-49f2-A0E9-2927DAD15276}.exe
3008	{FBEA487E-866F-4f80-949F-0BC50851F933}.exe
2292	{CC812340-C3A8-46ad-B538-3B78E76764C0}.exe
2964	{0807AFD1-A977-4fe9-9606-C2CCC8041B16}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{2488240A-6FE0-4ad5-9E54-2E11061C06A8}.exe	2024-04-11_2c524acf81d9f5957816e41a70e885c8_goldeneye.exe
File created	C:\Windows\{95438E10-3B7F-4cff-8DD4-C7BA342E846A}.exe	{0F33F3B3-224F-4010-B1D1-362D13F10EF1}.exe
File created	C:\Windows\{2DA988AE-1A8B-4020-8526-A21F30B8250F}.exe	{95438E10-3B7F-4cff-8DD4-C7BA342E846A}.exe
File created	C:\Windows\{FBEA487E-866F-4f80-949F-0BC50851F933}.exe	{B8154EBC-4A07-49f2-A0E9-2927DAD15276}.exe
File created	C:\Windows\{0807AFD1-A977-4fe9-9606-C2CCC8041B16}.exe	{CC812340-C3A8-46ad-B538-3B78E76764C0}.exe
File created	C:\Windows\{64C32401-6A7E-4193-AB98-98752496E5E7}.exe	{2488240A-6FE0-4ad5-9E54-2E11061C06A8}.exe
File created	C:\Windows\{1797856B-1CF1-4d8a-AB13-4E3E4B54DA32}.exe	{64C32401-6A7E-4193-AB98-98752496E5E7}.exe
File created	C:\Windows\{AC907D1A-99DA-4de9-9B28-1DFFDF87614B}.exe	{1797856B-1CF1-4d8a-AB13-4E3E4B54DA32}.exe
File created	C:\Windows\{0F33F3B3-224F-4010-B1D1-362D13F10EF1}.exe	{AC907D1A-99DA-4de9-9B28-1DFFDF87614B}.exe
File created	C:\Windows\{B8154EBC-4A07-49f2-A0E9-2927DAD15276}.exe	{2DA988AE-1A8B-4020-8526-A21F30B8250F}.exe
File created	C:\Windows\{CC812340-C3A8-46ad-B538-3B78E76764C0}.exe	{FBEA487E-866F-4f80-949F-0BC50851F933}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2968	2024-04-11_2c524acf81d9f5957816e41a70e885c8_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2580	{2488240A-6FE0-4ad5-9E54-2E11061C06A8}.exe
Token: SeIncBasePriorityPrivilege	2556	{64C32401-6A7E-4193-AB98-98752496E5E7}.exe
Token: SeIncBasePriorityPrivilege	2896	{1797856B-1CF1-4d8a-AB13-4E3E4B54DA32}.exe
Token: SeIncBasePriorityPrivilege	2384	{AC907D1A-99DA-4de9-9B28-1DFFDF87614B}.exe
Token: SeIncBasePriorityPrivilege	2696	{0F33F3B3-224F-4010-B1D1-362D13F10EF1}.exe
Token: SeIncBasePriorityPrivilege	1672	{95438E10-3B7F-4cff-8DD4-C7BA342E846A}.exe
Token: SeIncBasePriorityPrivilege	1704	{2DA988AE-1A8B-4020-8526-A21F30B8250F}.exe
Token: SeIncBasePriorityPrivilege	684	{B8154EBC-4A07-49f2-A0E9-2927DAD15276}.exe
Token: SeIncBasePriorityPrivilege	3008	{FBEA487E-866F-4f80-949F-0BC50851F933}.exe
Token: SeIncBasePriorityPrivilege	2292	{CC812340-C3A8-46ad-B538-3B78E76764C0}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2968 wrote to memory of 2580	2968	2024-04-11_2c524acf81d9f5957816e41a70e885c8_goldeneye.exe	28
PID 2968 wrote to memory of 2580	2968	2024-04-11_2c524acf81d9f5957816e41a70e885c8_goldeneye.exe	28
PID 2968 wrote to memory of 2580	2968	2024-04-11_2c524acf81d9f5957816e41a70e885c8_goldeneye.exe	28
PID 2968 wrote to memory of 2580	2968	2024-04-11_2c524acf81d9f5957816e41a70e885c8_goldeneye.exe	28
PID 2968 wrote to memory of 2920	2968	2024-04-11_2c524acf81d9f5957816e41a70e885c8_goldeneye.exe	29
PID 2968 wrote to memory of 2920	2968	2024-04-11_2c524acf81d9f5957816e41a70e885c8_goldeneye.exe	29
PID 2968 wrote to memory of 2920	2968	2024-04-11_2c524acf81d9f5957816e41a70e885c8_goldeneye.exe	29
PID 2968 wrote to memory of 2920	2968	2024-04-11_2c524acf81d9f5957816e41a70e885c8_goldeneye.exe	29
PID 2580 wrote to memory of 2556	2580	{2488240A-6FE0-4ad5-9E54-2E11061C06A8}.exe	30
PID 2580 wrote to memory of 2556	2580	{2488240A-6FE0-4ad5-9E54-2E11061C06A8}.exe	30
PID 2580 wrote to memory of 2556	2580	{2488240A-6FE0-4ad5-9E54-2E11061C06A8}.exe	30
PID 2580 wrote to memory of 2556	2580	{2488240A-6FE0-4ad5-9E54-2E11061C06A8}.exe	30
PID 2580 wrote to memory of 2592	2580	{2488240A-6FE0-4ad5-9E54-2E11061C06A8}.exe	31
PID 2580 wrote to memory of 2592	2580	{2488240A-6FE0-4ad5-9E54-2E11061C06A8}.exe	31
PID 2580 wrote to memory of 2592	2580	{2488240A-6FE0-4ad5-9E54-2E11061C06A8}.exe	31
PID 2580 wrote to memory of 2592	2580	{2488240A-6FE0-4ad5-9E54-2E11061C06A8}.exe	31
PID 2556 wrote to memory of 2896	2556	{64C32401-6A7E-4193-AB98-98752496E5E7}.exe	32
PID 2556 wrote to memory of 2896	2556	{64C32401-6A7E-4193-AB98-98752496E5E7}.exe	32
PID 2556 wrote to memory of 2896	2556	{64C32401-6A7E-4193-AB98-98752496E5E7}.exe	32
PID 2556 wrote to memory of 2896	2556	{64C32401-6A7E-4193-AB98-98752496E5E7}.exe	32
PID 2556 wrote to memory of 2568	2556	{64C32401-6A7E-4193-AB98-98752496E5E7}.exe	33
PID 2556 wrote to memory of 2568	2556	{64C32401-6A7E-4193-AB98-98752496E5E7}.exe	33
PID 2556 wrote to memory of 2568	2556	{64C32401-6A7E-4193-AB98-98752496E5E7}.exe	33
PID 2556 wrote to memory of 2568	2556	{64C32401-6A7E-4193-AB98-98752496E5E7}.exe	33
PID 2896 wrote to memory of 2384	2896	{1797856B-1CF1-4d8a-AB13-4E3E4B54DA32}.exe	36
PID 2896 wrote to memory of 2384	2896	{1797856B-1CF1-4d8a-AB13-4E3E4B54DA32}.exe	36
PID 2896 wrote to memory of 2384	2896	{1797856B-1CF1-4d8a-AB13-4E3E4B54DA32}.exe	36
PID 2896 wrote to memory of 2384	2896	{1797856B-1CF1-4d8a-AB13-4E3E4B54DA32}.exe	36
PID 2896 wrote to memory of 1312	2896	{1797856B-1CF1-4d8a-AB13-4E3E4B54DA32}.exe	37
PID 2896 wrote to memory of 1312	2896	{1797856B-1CF1-4d8a-AB13-4E3E4B54DA32}.exe	37
PID 2896 wrote to memory of 1312	2896	{1797856B-1CF1-4d8a-AB13-4E3E4B54DA32}.exe	37
PID 2896 wrote to memory of 1312	2896	{1797856B-1CF1-4d8a-AB13-4E3E4B54DA32}.exe	37
PID 2384 wrote to memory of 2696	2384	{AC907D1A-99DA-4de9-9B28-1DFFDF87614B}.exe	38
PID 2384 wrote to memory of 2696	2384	{AC907D1A-99DA-4de9-9B28-1DFFDF87614B}.exe	38
PID 2384 wrote to memory of 2696	2384	{AC907D1A-99DA-4de9-9B28-1DFFDF87614B}.exe	38
PID 2384 wrote to memory of 2696	2384	{AC907D1A-99DA-4de9-9B28-1DFFDF87614B}.exe	38
PID 2384 wrote to memory of 2680	2384	{AC907D1A-99DA-4de9-9B28-1DFFDF87614B}.exe	39
PID 2384 wrote to memory of 2680	2384	{AC907D1A-99DA-4de9-9B28-1DFFDF87614B}.exe	39
PID 2384 wrote to memory of 2680	2384	{AC907D1A-99DA-4de9-9B28-1DFFDF87614B}.exe	39
PID 2384 wrote to memory of 2680	2384	{AC907D1A-99DA-4de9-9B28-1DFFDF87614B}.exe	39
PID 2696 wrote to memory of 1672	2696	{0F33F3B3-224F-4010-B1D1-362D13F10EF1}.exe	40
PID 2696 wrote to memory of 1672	2696	{0F33F3B3-224F-4010-B1D1-362D13F10EF1}.exe	40
PID 2696 wrote to memory of 1672	2696	{0F33F3B3-224F-4010-B1D1-362D13F10EF1}.exe	40
PID 2696 wrote to memory of 1672	2696	{0F33F3B3-224F-4010-B1D1-362D13F10EF1}.exe	40
PID 2696 wrote to memory of 2000	2696	{0F33F3B3-224F-4010-B1D1-362D13F10EF1}.exe	41
PID 2696 wrote to memory of 2000	2696	{0F33F3B3-224F-4010-B1D1-362D13F10EF1}.exe	41
PID 2696 wrote to memory of 2000	2696	{0F33F3B3-224F-4010-B1D1-362D13F10EF1}.exe	41
PID 2696 wrote to memory of 2000	2696	{0F33F3B3-224F-4010-B1D1-362D13F10EF1}.exe	41
PID 1672 wrote to memory of 1704	1672	{95438E10-3B7F-4cff-8DD4-C7BA342E846A}.exe	42
PID 1672 wrote to memory of 1704	1672	{95438E10-3B7F-4cff-8DD4-C7BA342E846A}.exe	42
PID 1672 wrote to memory of 1704	1672	{95438E10-3B7F-4cff-8DD4-C7BA342E846A}.exe	42
PID 1672 wrote to memory of 1704	1672	{95438E10-3B7F-4cff-8DD4-C7BA342E846A}.exe	42
PID 1672 wrote to memory of 1920	1672	{95438E10-3B7F-4cff-8DD4-C7BA342E846A}.exe	43
PID 1672 wrote to memory of 1920	1672	{95438E10-3B7F-4cff-8DD4-C7BA342E846A}.exe	43
PID 1672 wrote to memory of 1920	1672	{95438E10-3B7F-4cff-8DD4-C7BA342E846A}.exe	43
PID 1672 wrote to memory of 1920	1672	{95438E10-3B7F-4cff-8DD4-C7BA342E846A}.exe	43
PID 1704 wrote to memory of 684	1704	{2DA988AE-1A8B-4020-8526-A21F30B8250F}.exe	44
PID 1704 wrote to memory of 684	1704	{2DA988AE-1A8B-4020-8526-A21F30B8250F}.exe	44
PID 1704 wrote to memory of 684	1704	{2DA988AE-1A8B-4020-8526-A21F30B8250F}.exe	44
PID 1704 wrote to memory of 684	1704	{2DA988AE-1A8B-4020-8526-A21F30B8250F}.exe	44
PID 1704 wrote to memory of 1628	1704	{2DA988AE-1A8B-4020-8526-A21F30B8250F}.exe	45
PID 1704 wrote to memory of 1628	1704	{2DA988AE-1A8B-4020-8526-A21F30B8250F}.exe	45
PID 1704 wrote to memory of 1628	1704	{2DA988AE-1A8B-4020-8526-A21F30B8250F}.exe	45
PID 1704 wrote to memory of 1628	1704	{2DA988AE-1A8B-4020-8526-A21F30B8250F}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-04-11_2c524acf81d9f5957816e41a70e885c8_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-11_2c524acf81d9f5957816e41a70e885c8_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2968
- C:\Windows\{2488240A-6FE0-4ad5-9E54-2E11061C06A8}.exe
  C:\Windows\{2488240A-6FE0-4ad5-9E54-2E11061C06A8}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2580
- - C:\Windows\{64C32401-6A7E-4193-AB98-98752496E5E7}.exe
    C:\Windows\{64C32401-6A7E-4193-AB98-98752496E5E7}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2556
  - - C:\Windows\{1797856B-1CF1-4d8a-AB13-4E3E4B54DA32}.exe
      C:\Windows\{1797856B-1CF1-4d8a-AB13-4E3E4B54DA32}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2896
    - - C:\Windows\{AC907D1A-99DA-4de9-9B28-1DFFDF87614B}.exe
        
        C:\Windows\{AC907D1A-99DA-4de9-9B28-1DFFDF87614B}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2384
      - C:\Windows\{0F33F3B3-224F-4010-B1D1-362D13F10EF1}.exe
        
        C:\Windows\{0F33F3B3-224F-4010-B1D1-362D13F10EF1}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2696
        
        C:\Windows\{95438E10-3B7F-4cff-8DD4-C7BA342E846A}.exe
        
        C:\Windows\{95438E10-3B7F-4cff-8DD4-C7BA342E846A}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1672
        
        C:\Windows\{2DA988AE-1A8B-4020-8526-A21F30B8250F}.exe
        
        C:\Windows\{2DA988AE-1A8B-4020-8526-A21F30B8250F}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1704
        
        C:\Windows\{B8154EBC-4A07-49f2-A0E9-2927DAD15276}.exe
        
        C:\Windows\{B8154EBC-4A07-49f2-A0E9-2927DAD15276}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:684
        
        C:\Windows\{FBEA487E-866F-4f80-949F-0BC50851F933}.exe
        
        C:\Windows\{FBEA487E-866F-4f80-949F-0BC50851F933}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3008
        
        C:\Windows\{CC812340-C3A8-46ad-B538-3B78E76764C0}.exe
        
        C:\Windows\{CC812340-C3A8-46ad-B538-3B78E76764C0}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2292
        
        C:\Windows\{0807AFD1-A977-4fe9-9606-C2CCC8041B16}.exe
        
        C:\Windows\{0807AFD1-A977-4fe9-9606-C2CCC8041B16}.exe
        12⤵
        Executes dropped EXE
        
        PID:2964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CC812~1.EXE > nul
        12⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FBEA4~1.EXE > nul
        11⤵
        
        PID:1896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B8154~1.EXE > nul
        10⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2DA98~1.EXE > nul
        9⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{95438~1.EXE > nul
        8⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0F33F~1.EXE > nul
        7⤵
        
        PID:2000
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AC907~1.EXE > nul
        6⤵
        
        PID:2680
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{17978~1.EXE > nul
        5⤵
        
        PID:1312
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{64C32~1.EXE > nul
      4⤵
      PID:2568
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{24882~1.EXE > nul
    3⤵
    PID:2592
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0807AFD1-A977-4fe9-9606-C2CCC8041B16}.exe

Filesize
197KB

MD5
1a89b1a0791a4b3b76eb60ed7f309423

SHA1
c906328c513a656f9afc878576f34c223249f5c3

SHA256
83a6559e5d647c887f02ea88ebf849e248c21c566b7531ba0bee216034e0ff70

SHA512
65027728f2e8c0c3f180c807ca709d79a7b88de2a9e1d7de150fd0993db62eb5eab7e7f0877aaf55726f6aa32a018c85d29a3a5d00b512f3be21fcaf59979552

Download Submit
C:\Windows\{0F33F3B3-224F-4010-B1D1-362D13F10EF1}.exe

Filesize
197KB

MD5
51d28ac93fb5756c5bf3372e0cd3798a

SHA1
a08e863c395866a1d3e0d4c189724e8c871fead3

SHA256
21847971bc9168f229b540efe742bf2817d4eea787728ed63ec605fd93a3f7fd

SHA512
3a3efe0a65091d923e0879417ca0b3df3b81536c36d4cc22215a4782bf2e265e3a6071ace3532749b7a9e545c1ef2e604d5b176ad664fb042d33fffe900e112c

Download Submit
C:\Windows\{1797856B-1CF1-4d8a-AB13-4E3E4B54DA32}.exe

Filesize
197KB

MD5
74e73b0999f96089a46a7c574a009046

SHA1
c6cd30e6b279a43198baa7404c1406376ab1b6ee

SHA256
e800bb4f3601f1f5b5648d887088efff1d6dc9dc24b46700902c543c2560f799

SHA512
65353671c1c123ab186aeee2ca2c87855358e989a529f6d4a9856e0132a143e05cf9d8e0fe060431d05b2b3242ad01b4eb4662117002993aae816ad30b45adc6

Download Submit
C:\Windows\{2488240A-6FE0-4ad5-9E54-2E11061C06A8}.exe

Filesize
197KB

MD5
2046b89c83025237c870f897f6f4ea3c

SHA1
309f93caf3a7f99cf67bd8a01b4e8e3d6c1d9e93

SHA256
bc2111259cf6118861ba35826d869423ef93a25a1208b023beb2081a0f7f6bba

SHA512
4e435ddae425cc0b5fb0ea614b89d0b8742a31c97978c05cc44a95a407cce27ede03339f7f766f539501d93f1c76bc2dc36c5bdb514b6a7a0c69d471e7c14df9

Download Submit
C:\Windows\{2DA988AE-1A8B-4020-8526-A21F30B8250F}.exe

Filesize
197KB

MD5
80e2a61de59f809617f6f4783cecae1c

SHA1
5c185b7a4b9476caeb88af3d653547112579aadc

SHA256
a7bd7718fce76752aafb2e7c01e2fa0099472940445a570d1bfc14854c850711

SHA512
37a543c919839dea8180d93f304366118f07920232e382842f83adef5ab17eaffe985a7e36caf0653ace7c970d5003d70060b516987e6caec619a3877b4ea147

Download Submit
C:\Windows\{64C32401-6A7E-4193-AB98-98752496E5E7}.exe

Filesize
197KB

MD5
3bb7fc544b0b76cc96abf6922b715622

SHA1
b70976a0bebcba706709e55e075351da36e5343e

SHA256
a2258edf31f48392ca5edb9e0ee067bd9dc7a4b2a66c791f6b12112d57d5dc32

SHA512
f3e97ffc222df540d4039ed4bfcfab7485d170ed7247b708c0346d99a33047d63801748b69c5166a182853752ae9980c9bddb66e060f492220107a9d591334f6

Download Submit
C:\Windows\{95438E10-3B7F-4cff-8DD4-C7BA342E846A}.exe

Filesize
197KB

MD5
59085b0f76b3143a6aa02434dcf60d17

SHA1
b0fa5830586a411980ae6802964f4fff420c7560

SHA256
85c5182740fb9b9a64c6bc8880b729c132354b3911de0d098833b8091da2790f

SHA512
5bdadf8c4702a7531a4fca146c2d51e9c5775fea1c5d7ac7171fef739222e3e258b23877a22e5dd3c38db4a44ea1fd3647cb7f62db2b2d7dedb53565880b96a7

Download Submit
C:\Windows\{AC907D1A-99DA-4de9-9B28-1DFFDF87614B}.exe

Filesize
197KB

MD5
db0b23ade11ded9416114187cd268ff9

SHA1
d3dff4006bb1c7146a28ce99d4e37ebb986ff177

SHA256
4b35e0f78962644cdbed78ec86b11a1ecf198bb9b98652dbb8d8a41c3adc2421

SHA512
dd24ad197fd2ed96c4df9201cd9f336212b60e8fbd7e49381d971745e7267686f0a97ff45138116db77729b95f18446d996a02579e7e89a3179504766e964ef6

Download Submit
C:\Windows\{B8154EBC-4A07-49f2-A0E9-2927DAD15276}.exe

Filesize
197KB

MD5
e13faaf850e02894e647a051eb626d5d

SHA1
73b06134b139c0d9434493de7c9dcae3299a08e1

SHA256
101db67976914002282f88289df251e87f776f7f4249757eb3f46da43f0b8665

SHA512
dacd3c40f31ace9368ce91a5cd214234d27629f4400d74ec003acc40f819a14c4427cf477ec415ac9d44e24127bb335d4d902a1f2eae559163db96099a19dad5

Download Submit
C:\Windows\{CC812340-C3A8-46ad-B538-3B78E76764C0}.exe

Filesize
197KB

MD5
53bab31934d5eaf8e2548d4d2fd9d948

SHA1
70cafd5a72a9b50ccce5030228b71dc5160f0f2e

SHA256
4805fdd87e542448e53c24a28f8f6611cf6d4299633dde8314564b71f53183c0

SHA512
f4664e63ff7fb93ff833ea6163f287cb934dbbbded627e728890913c0913ddab586d9b845f187c044f3f65d386cb2ec9d1b3f7dca29ef3bd29e73b8179398fce

Download Submit
C:\Windows\{FBEA487E-866F-4f80-949F-0BC50851F933}.exe

Filesize
197KB

MD5
39e4eb7946c96debb7e7028730019603

SHA1
c4f92823602d781196c0029d128d2f05b2f83e5f

SHA256
b47fa7cd730f481d6c376f447a2c89c9f61faf12a83a315067884870db11c060

SHA512
ed1d05f32c24f0a4424df0ab8b63f066445e461fee1b9c1c8dc10ce26b1a460af2e5bc1ed73a27b685a68f163961b6313e49971f727d29a159de7ebcac5331fb

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads