bc6992374181bd36f2f6b4a42faf24d2b4c2696f5a8c34a43540bacb417262a5

Analysis

max time kernel
144s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
19/04/2024, 00:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-19_98cd9ab42cf856879af0aa66ea89d245_goldeneye.exe
Size

168KB
MD5

98cd9ab42cf856879af0aa66ea89d245
SHA1

e8434381bc299695eeafec65a9c7a59d08601438
SHA256

bc6992374181bd36f2f6b4a42faf24d2b4c2696f5a8c34a43540bacb417262a5
SHA512

0b8e057bf8567cba98d5b1d5a62419e7c25e57dc78777ef4d1789a2285fa167b750d749cda1e1d4b681066b1619277c157bf96ac8637e3d927b217770646a8ff
SSDEEP

1536:1EGh0oflq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oflqOPOe2MUVg3Ve+rX

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000d000000012256-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00080000000122cd-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e000000012256-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f000000012256-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x003800000001566b-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x003800000001567f-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x003900000001566b-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x003900000001567f-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a00000001568c-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C500D349-CDF9-405e-8F64-7928B894DE35}\stubpath = "C:\\Windows\\{C500D349-CDF9-405e-8F64-7928B894DE35}.exe"	{F92A1ABB-625A-4075-861F-376E8BB126DE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{17D89ED0-0244-45dd-B17E-A10F98944A50}\stubpath = "C:\\Windows\\{17D89ED0-0244-45dd-B17E-A10F98944A50}.exe"	{A13ECC64-CBF0-47f1-B8FD-D6A43ADA4C1C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1B26412C-5EB0-4c67-9CEA-85DBA5278F7B}\stubpath = "C:\\Windows\\{1B26412C-5EB0-4c67-9CEA-85DBA5278F7B}.exe"	{C500D349-CDF9-405e-8F64-7928B894DE35}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0AD8485C-19A8-45ef-A165-B553EB9AE117}	{17D89ED0-0244-45dd-B17E-A10F98944A50}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0AD8485C-19A8-45ef-A165-B553EB9AE117}\stubpath = "C:\\Windows\\{0AD8485C-19A8-45ef-A165-B553EB9AE117}.exe"	{17D89ED0-0244-45dd-B17E-A10F98944A50}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F92A1ABB-625A-4075-861F-376E8BB126DE}	{3462E3E4-701F-4cdf-98AF-7061B83C222E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6E41870A-8EFC-4d28-9A92-F289BC3BAF5D}\stubpath = "C:\\Windows\\{6E41870A-8EFC-4d28-9A92-F289BC3BAF5D}.exe"	{74F0AFD2-1EC5-4174-B08B-8FAE4DF5453A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{17D89ED0-0244-45dd-B17E-A10F98944A50}	{A13ECC64-CBF0-47f1-B8FD-D6A43ADA4C1C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{44D19A1D-FB69-487d-BA90-286887FBE21A}	{0AD8485C-19A8-45ef-A165-B553EB9AE117}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{44D19A1D-FB69-487d-BA90-286887FBE21A}\stubpath = "C:\\Windows\\{44D19A1D-FB69-487d-BA90-286887FBE21A}.exe"	{0AD8485C-19A8-45ef-A165-B553EB9AE117}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{190FC8E0-86D4-45a8-947C-C5F74BFFE7FD}	2024-04-19_98cd9ab42cf856879af0aa66ea89d245_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{190FC8E0-86D4-45a8-947C-C5F74BFFE7FD}\stubpath = "C:\\Windows\\{190FC8E0-86D4-45a8-947C-C5F74BFFE7FD}.exe"	2024-04-19_98cd9ab42cf856879af0aa66ea89d245_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3462E3E4-701F-4cdf-98AF-7061B83C222E}\stubpath = "C:\\Windows\\{3462E3E4-701F-4cdf-98AF-7061B83C222E}.exe"	{190FC8E0-86D4-45a8-947C-C5F74BFFE7FD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1B26412C-5EB0-4c67-9CEA-85DBA5278F7B}	{C500D349-CDF9-405e-8F64-7928B894DE35}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{74F0AFD2-1EC5-4174-B08B-8FAE4DF5453A}	{1B26412C-5EB0-4c67-9CEA-85DBA5278F7B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{74F0AFD2-1EC5-4174-B08B-8FAE4DF5453A}\stubpath = "C:\\Windows\\{74F0AFD2-1EC5-4174-B08B-8FAE4DF5453A}.exe"	{1B26412C-5EB0-4c67-9CEA-85DBA5278F7B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6E41870A-8EFC-4d28-9A92-F289BC3BAF5D}	{74F0AFD2-1EC5-4174-B08B-8FAE4DF5453A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A13ECC64-CBF0-47f1-B8FD-D6A43ADA4C1C}	{6E41870A-8EFC-4d28-9A92-F289BC3BAF5D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3462E3E4-701F-4cdf-98AF-7061B83C222E}	{190FC8E0-86D4-45a8-947C-C5F74BFFE7FD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F92A1ABB-625A-4075-861F-376E8BB126DE}\stubpath = "C:\\Windows\\{F92A1ABB-625A-4075-861F-376E8BB126DE}.exe"	{3462E3E4-701F-4cdf-98AF-7061B83C222E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C500D349-CDF9-405e-8F64-7928B894DE35}	{F92A1ABB-625A-4075-861F-376E8BB126DE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A13ECC64-CBF0-47f1-B8FD-D6A43ADA4C1C}\stubpath = "C:\\Windows\\{A13ECC64-CBF0-47f1-B8FD-D6A43ADA4C1C}.exe"	{6E41870A-8EFC-4d28-9A92-F289BC3BAF5D}.exe

Deletes itself 1 IoCs

pid	Process
2164	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2648	{190FC8E0-86D4-45a8-947C-C5F74BFFE7FD}.exe
2616	{3462E3E4-701F-4cdf-98AF-7061B83C222E}.exe
2488	{F92A1ABB-625A-4075-861F-376E8BB126DE}.exe
2252	{C500D349-CDF9-405e-8F64-7928B894DE35}.exe
2940	{1B26412C-5EB0-4c67-9CEA-85DBA5278F7B}.exe
1340	{74F0AFD2-1EC5-4174-B08B-8FAE4DF5453A}.exe
1028	{6E41870A-8EFC-4d28-9A92-F289BC3BAF5D}.exe
2700	{A13ECC64-CBF0-47f1-B8FD-D6A43ADA4C1C}.exe
1964	{17D89ED0-0244-45dd-B17E-A10F98944A50}.exe
2304	{0AD8485C-19A8-45ef-A165-B553EB9AE117}.exe
1288	{44D19A1D-FB69-487d-BA90-286887FBE21A}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{190FC8E0-86D4-45a8-947C-C5F74BFFE7FD}.exe	2024-04-19_98cd9ab42cf856879af0aa66ea89d245_goldeneye.exe
File created	C:\Windows\{3462E3E4-701F-4cdf-98AF-7061B83C222E}.exe	{190FC8E0-86D4-45a8-947C-C5F74BFFE7FD}.exe
File created	C:\Windows\{C500D349-CDF9-405e-8F64-7928B894DE35}.exe	{F92A1ABB-625A-4075-861F-376E8BB126DE}.exe
File created	C:\Windows\{A13ECC64-CBF0-47f1-B8FD-D6A43ADA4C1C}.exe	{6E41870A-8EFC-4d28-9A92-F289BC3BAF5D}.exe
File created	C:\Windows\{0AD8485C-19A8-45ef-A165-B553EB9AE117}.exe	{17D89ED0-0244-45dd-B17E-A10F98944A50}.exe
File created	C:\Windows\{F92A1ABB-625A-4075-861F-376E8BB126DE}.exe	{3462E3E4-701F-4cdf-98AF-7061B83C222E}.exe
File created	C:\Windows\{1B26412C-5EB0-4c67-9CEA-85DBA5278F7B}.exe	{C500D349-CDF9-405e-8F64-7928B894DE35}.exe
File created	C:\Windows\{74F0AFD2-1EC5-4174-B08B-8FAE4DF5453A}.exe	{1B26412C-5EB0-4c67-9CEA-85DBA5278F7B}.exe
File created	C:\Windows\{6E41870A-8EFC-4d28-9A92-F289BC3BAF5D}.exe	{74F0AFD2-1EC5-4174-B08B-8FAE4DF5453A}.exe
File created	C:\Windows\{17D89ED0-0244-45dd-B17E-A10F98944A50}.exe	{A13ECC64-CBF0-47f1-B8FD-D6A43ADA4C1C}.exe
File created	C:\Windows\{44D19A1D-FB69-487d-BA90-286887FBE21A}.exe	{0AD8485C-19A8-45ef-A165-B553EB9AE117}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1952	2024-04-19_98cd9ab42cf856879af0aa66ea89d245_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2648	{190FC8E0-86D4-45a8-947C-C5F74BFFE7FD}.exe
Token: SeIncBasePriorityPrivilege	2616	{3462E3E4-701F-4cdf-98AF-7061B83C222E}.exe
Token: SeIncBasePriorityPrivilege	2488	{F92A1ABB-625A-4075-861F-376E8BB126DE}.exe
Token: SeIncBasePriorityPrivilege	2252	{C500D349-CDF9-405e-8F64-7928B894DE35}.exe
Token: SeIncBasePriorityPrivilege	2940	{1B26412C-5EB0-4c67-9CEA-85DBA5278F7B}.exe
Token: SeIncBasePriorityPrivilege	1340	{74F0AFD2-1EC5-4174-B08B-8FAE4DF5453A}.exe
Token: SeIncBasePriorityPrivilege	1028	{6E41870A-8EFC-4d28-9A92-F289BC3BAF5D}.exe
Token: SeIncBasePriorityPrivilege	2700	{A13ECC64-CBF0-47f1-B8FD-D6A43ADA4C1C}.exe
Token: SeIncBasePriorityPrivilege	1964	{17D89ED0-0244-45dd-B17E-A10F98944A50}.exe
Token: SeIncBasePriorityPrivilege	2304	{0AD8485C-19A8-45ef-A165-B553EB9AE117}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1952 wrote to memory of 2648	1952	2024-04-19_98cd9ab42cf856879af0aa66ea89d245_goldeneye.exe	28
PID 1952 wrote to memory of 2648	1952	2024-04-19_98cd9ab42cf856879af0aa66ea89d245_goldeneye.exe	28
PID 1952 wrote to memory of 2648	1952	2024-04-19_98cd9ab42cf856879af0aa66ea89d245_goldeneye.exe	28
PID 1952 wrote to memory of 2648	1952	2024-04-19_98cd9ab42cf856879af0aa66ea89d245_goldeneye.exe	28
PID 1952 wrote to memory of 2164	1952	2024-04-19_98cd9ab42cf856879af0aa66ea89d245_goldeneye.exe	29
PID 1952 wrote to memory of 2164	1952	2024-04-19_98cd9ab42cf856879af0aa66ea89d245_goldeneye.exe	29
PID 1952 wrote to memory of 2164	1952	2024-04-19_98cd9ab42cf856879af0aa66ea89d245_goldeneye.exe	29
PID 1952 wrote to memory of 2164	1952	2024-04-19_98cd9ab42cf856879af0aa66ea89d245_goldeneye.exe	29
PID 2648 wrote to memory of 2616	2648	{190FC8E0-86D4-45a8-947C-C5F74BFFE7FD}.exe	30
PID 2648 wrote to memory of 2616	2648	{190FC8E0-86D4-45a8-947C-C5F74BFFE7FD}.exe	30
PID 2648 wrote to memory of 2616	2648	{190FC8E0-86D4-45a8-947C-C5F74BFFE7FD}.exe	30
PID 2648 wrote to memory of 2616	2648	{190FC8E0-86D4-45a8-947C-C5F74BFFE7FD}.exe	30
PID 2648 wrote to memory of 2592	2648	{190FC8E0-86D4-45a8-947C-C5F74BFFE7FD}.exe	31
PID 2648 wrote to memory of 2592	2648	{190FC8E0-86D4-45a8-947C-C5F74BFFE7FD}.exe	31
PID 2648 wrote to memory of 2592	2648	{190FC8E0-86D4-45a8-947C-C5F74BFFE7FD}.exe	31
PID 2648 wrote to memory of 2592	2648	{190FC8E0-86D4-45a8-947C-C5F74BFFE7FD}.exe	31
PID 2616 wrote to memory of 2488	2616	{3462E3E4-701F-4cdf-98AF-7061B83C222E}.exe	32
PID 2616 wrote to memory of 2488	2616	{3462E3E4-701F-4cdf-98AF-7061B83C222E}.exe	32
PID 2616 wrote to memory of 2488	2616	{3462E3E4-701F-4cdf-98AF-7061B83C222E}.exe	32
PID 2616 wrote to memory of 2488	2616	{3462E3E4-701F-4cdf-98AF-7061B83C222E}.exe	32
PID 2616 wrote to memory of 2596	2616	{3462E3E4-701F-4cdf-98AF-7061B83C222E}.exe	33
PID 2616 wrote to memory of 2596	2616	{3462E3E4-701F-4cdf-98AF-7061B83C222E}.exe	33
PID 2616 wrote to memory of 2596	2616	{3462E3E4-701F-4cdf-98AF-7061B83C222E}.exe	33
PID 2616 wrote to memory of 2596	2616	{3462E3E4-701F-4cdf-98AF-7061B83C222E}.exe	33
PID 2488 wrote to memory of 2252	2488	{F92A1ABB-625A-4075-861F-376E8BB126DE}.exe	36
PID 2488 wrote to memory of 2252	2488	{F92A1ABB-625A-4075-861F-376E8BB126DE}.exe	36
PID 2488 wrote to memory of 2252	2488	{F92A1ABB-625A-4075-861F-376E8BB126DE}.exe	36
PID 2488 wrote to memory of 2252	2488	{F92A1ABB-625A-4075-861F-376E8BB126DE}.exe	36
PID 2488 wrote to memory of 2696	2488	{F92A1ABB-625A-4075-861F-376E8BB126DE}.exe	37
PID 2488 wrote to memory of 2696	2488	{F92A1ABB-625A-4075-861F-376E8BB126DE}.exe	37
PID 2488 wrote to memory of 2696	2488	{F92A1ABB-625A-4075-861F-376E8BB126DE}.exe	37
PID 2488 wrote to memory of 2696	2488	{F92A1ABB-625A-4075-861F-376E8BB126DE}.exe	37
PID 2252 wrote to memory of 2940	2252	{C500D349-CDF9-405e-8F64-7928B894DE35}.exe	38
PID 2252 wrote to memory of 2940	2252	{C500D349-CDF9-405e-8F64-7928B894DE35}.exe	38
PID 2252 wrote to memory of 2940	2252	{C500D349-CDF9-405e-8F64-7928B894DE35}.exe	38
PID 2252 wrote to memory of 2940	2252	{C500D349-CDF9-405e-8F64-7928B894DE35}.exe	38
PID 2252 wrote to memory of 2996	2252	{C500D349-CDF9-405e-8F64-7928B894DE35}.exe	39
PID 2252 wrote to memory of 2996	2252	{C500D349-CDF9-405e-8F64-7928B894DE35}.exe	39
PID 2252 wrote to memory of 2996	2252	{C500D349-CDF9-405e-8F64-7928B894DE35}.exe	39
PID 2252 wrote to memory of 2996	2252	{C500D349-CDF9-405e-8F64-7928B894DE35}.exe	39
PID 2940 wrote to memory of 1340	2940	{1B26412C-5EB0-4c67-9CEA-85DBA5278F7B}.exe	40
PID 2940 wrote to memory of 1340	2940	{1B26412C-5EB0-4c67-9CEA-85DBA5278F7B}.exe	40
PID 2940 wrote to memory of 1340	2940	{1B26412C-5EB0-4c67-9CEA-85DBA5278F7B}.exe	40
PID 2940 wrote to memory of 1340	2940	{1B26412C-5EB0-4c67-9CEA-85DBA5278F7B}.exe	40
PID 2940 wrote to memory of 2348	2940	{1B26412C-5EB0-4c67-9CEA-85DBA5278F7B}.exe	41
PID 2940 wrote to memory of 2348	2940	{1B26412C-5EB0-4c67-9CEA-85DBA5278F7B}.exe	41
PID 2940 wrote to memory of 2348	2940	{1B26412C-5EB0-4c67-9CEA-85DBA5278F7B}.exe	41
PID 2940 wrote to memory of 2348	2940	{1B26412C-5EB0-4c67-9CEA-85DBA5278F7B}.exe	41
PID 1340 wrote to memory of 1028	1340	{74F0AFD2-1EC5-4174-B08B-8FAE4DF5453A}.exe	42
PID 1340 wrote to memory of 1028	1340	{74F0AFD2-1EC5-4174-B08B-8FAE4DF5453A}.exe	42
PID 1340 wrote to memory of 1028	1340	{74F0AFD2-1EC5-4174-B08B-8FAE4DF5453A}.exe	42
PID 1340 wrote to memory of 1028	1340	{74F0AFD2-1EC5-4174-B08B-8FAE4DF5453A}.exe	42
PID 1340 wrote to memory of 1044	1340	{74F0AFD2-1EC5-4174-B08B-8FAE4DF5453A}.exe	43
PID 1340 wrote to memory of 1044	1340	{74F0AFD2-1EC5-4174-B08B-8FAE4DF5453A}.exe	43
PID 1340 wrote to memory of 1044	1340	{74F0AFD2-1EC5-4174-B08B-8FAE4DF5453A}.exe	43
PID 1340 wrote to memory of 1044	1340	{74F0AFD2-1EC5-4174-B08B-8FAE4DF5453A}.exe	43
PID 1028 wrote to memory of 2700	1028	{6E41870A-8EFC-4d28-9A92-F289BC3BAF5D}.exe	44
PID 1028 wrote to memory of 2700	1028	{6E41870A-8EFC-4d28-9A92-F289BC3BAF5D}.exe	44
PID 1028 wrote to memory of 2700	1028	{6E41870A-8EFC-4d28-9A92-F289BC3BAF5D}.exe	44
PID 1028 wrote to memory of 2700	1028	{6E41870A-8EFC-4d28-9A92-F289BC3BAF5D}.exe	44
PID 1028 wrote to memory of 492	1028	{6E41870A-8EFC-4d28-9A92-F289BC3BAF5D}.exe	45
PID 1028 wrote to memory of 492	1028	{6E41870A-8EFC-4d28-9A92-F289BC3BAF5D}.exe	45
PID 1028 wrote to memory of 492	1028	{6E41870A-8EFC-4d28-9A92-F289BC3BAF5D}.exe	45
PID 1028 wrote to memory of 492	1028	{6E41870A-8EFC-4d28-9A92-F289BC3BAF5D}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-04-19_98cd9ab42cf856879af0aa66ea89d245_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-19_98cd9ab42cf856879af0aa66ea89d245_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1952
- C:\Windows\{190FC8E0-86D4-45a8-947C-C5F74BFFE7FD}.exe
  C:\Windows\{190FC8E0-86D4-45a8-947C-C5F74BFFE7FD}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2648
- - C:\Windows\{3462E3E4-701F-4cdf-98AF-7061B83C222E}.exe
    C:\Windows\{3462E3E4-701F-4cdf-98AF-7061B83C222E}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2616
  - - C:\Windows\{F92A1ABB-625A-4075-861F-376E8BB126DE}.exe
      C:\Windows\{F92A1ABB-625A-4075-861F-376E8BB126DE}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2488
    - - C:\Windows\{C500D349-CDF9-405e-8F64-7928B894DE35}.exe
        
        C:\Windows\{C500D349-CDF9-405e-8F64-7928B894DE35}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2252
      - C:\Windows\{1B26412C-5EB0-4c67-9CEA-85DBA5278F7B}.exe
        
        C:\Windows\{1B26412C-5EB0-4c67-9CEA-85DBA5278F7B}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2940
        
        C:\Windows\{74F0AFD2-1EC5-4174-B08B-8FAE4DF5453A}.exe
        
        C:\Windows\{74F0AFD2-1EC5-4174-B08B-8FAE4DF5453A}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1340
        
        C:\Windows\{6E41870A-8EFC-4d28-9A92-F289BC3BAF5D}.exe
        
        C:\Windows\{6E41870A-8EFC-4d28-9A92-F289BC3BAF5D}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1028
        
        C:\Windows\{A13ECC64-CBF0-47f1-B8FD-D6A43ADA4C1C}.exe
        
        C:\Windows\{A13ECC64-CBF0-47f1-B8FD-D6A43ADA4C1C}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2700
        
        C:\Windows\{17D89ED0-0244-45dd-B17E-A10F98944A50}.exe
        
        C:\Windows\{17D89ED0-0244-45dd-B17E-A10F98944A50}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1964
        
        C:\Windows\{0AD8485C-19A8-45ef-A165-B553EB9AE117}.exe
        
        C:\Windows\{0AD8485C-19A8-45ef-A165-B553EB9AE117}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2304
        
        C:\Windows\{44D19A1D-FB69-487d-BA90-286887FBE21A}.exe
        
        C:\Windows\{44D19A1D-FB69-487d-BA90-286887FBE21A}.exe
        12⤵
        Executes dropped EXE
        
        PID:1288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0AD84~1.EXE > nul
        12⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{17D89~1.EXE > nul
        11⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A13EC~1.EXE > nul
        10⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6E418~1.EXE > nul
        9⤵
        
        PID:492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{74F0A~1.EXE > nul
        8⤵
        
        PID:1044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1B264~1.EXE > nul
        7⤵
        
        PID:2348
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C500D~1.EXE > nul
        6⤵
        
        PID:2996
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F92A1~1.EXE > nul
        5⤵
        
        PID:2696
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{3462E~1.EXE > nul
      4⤵
      PID:2596
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{190FC~1.EXE > nul
    3⤵
    PID:2592
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0AD8485C-19A8-45ef-A165-B553EB9AE117}.exe

Filesize
168KB

MD5
480c727c7dad375db9f221d438d220a0

SHA1
942424f39f26110780c5bfb17431dc18ddeef220

SHA256
7b2dab992998f17f35a025407179bbb424036a46456a1d27ce74df0436d66b58

SHA512
3d77b6fe397c4bb743c345115b1badc3e4cb832e59f52536221e7aa62ad6b821135ba282e9fdfbb68958e28ac58f40a97ca4954cf535121f06b59ec8c839f4bc

Download Submit
C:\Windows\{17D89ED0-0244-45dd-B17E-A10F98944A50}.exe

Filesize
168KB

MD5
cc8cc42235072f5595a478ed6fe4e8d2

SHA1
2f1c9335f6eee1f06709efd132fdf8fa09cce861

SHA256
ce2e4937b7c88557e57ff0a76003839f6f50e54b18502b413034e1e5fb35bb56

SHA512
75d28b2acdb230b16f73201df2e68beac17ff953c58eba79c2b6362591f33a6ba0935e7cf1353102ee4ec8773f56736da2beaf6341f2da98f419e5134e1e3687

Download Submit
C:\Windows\{190FC8E0-86D4-45a8-947C-C5F74BFFE7FD}.exe

Filesize
168KB

MD5
bf3627d03e3b9165550f5222549d18da

SHA1
10e88f362b405133c7fbbe1422af6c4c6bab1756

SHA256
12f6fc79978691984301ffc5e9e84dd1e86b1b7fd38c376451ab637e3f8710f0

SHA512
adf3c1b8cca574ffad0ea19db86c54712946f1a437e4abc444b655c149ce7c2140fbe4b5f979593047b3086eb188b0d93aec5a7f296ef7aed1a47f71dd13997c

Download Submit
C:\Windows\{1B26412C-5EB0-4c67-9CEA-85DBA5278F7B}.exe

Filesize
168KB

MD5
4b4299600ffc04482cf6f54475ac80ed

SHA1
7af0a87924b5560066b43ffddfefb59b34b86375

SHA256
357a1b0d89d061d6e9ac69ef00ea0f17717408c48071dc41e019e2023534cda8

SHA512
840dbd0cf30d2f159744ecc55216f62adff63cb09d2dd208e808c37e6d8c9371a2df5b99facd89c7ea6ef3655bcff8f2e68760b466baabfc855a3a1c9ff5795d

Download Submit
C:\Windows\{3462E3E4-701F-4cdf-98AF-7061B83C222E}.exe

Filesize
168KB

MD5
a800185158050d968c99bd21cc4981e0

SHA1
ff29bca7c5c4cbacb480655551bbfacd2ea6ad7a

SHA256
abde8ebaa859759fc6866d13ee9891f62833c7ca9f37e9373e4ed0a314b740cc

SHA512
1010077ae7e4bba87ba18f00b80dc21bc0717751ab7e46e2140b5d1fc3b79294a2d9010a95c06360f821268b09ec07c9c2e2dd636590dfb8b4145922775c3507

Download Submit
C:\Windows\{44D19A1D-FB69-487d-BA90-286887FBE21A}.exe

Filesize
168KB

MD5
a147b27d90f19ee513677c9a6c0b4afc

SHA1
0a4d5772406630c03dd9484b1747fb62b573b0c1

SHA256
ef22fd13b3e3cfc560b5b5238c652b58c83dfc06e8baeb5a668440505e010501

SHA512
8e8bb9c3cf069d6123a66c7e70d2f001264da859231d1599004ca6af45af03ccecd4a73b46a5b08021e97b7fa5254e96cd3515f63ab71432c41b4f196c444170

Download Submit
C:\Windows\{6E41870A-8EFC-4d28-9A92-F289BC3BAF5D}.exe

Filesize
168KB

MD5
69352d1b77fc3cc726c6853e38b3483d

SHA1
37ea6081a15c72459ab03926fbf4088cf132fb0b

SHA256
ec20d3942b4672a18ebf1a82d88aebe9e155066db50a711dbb32a8e100bd8e95

SHA512
0b9ecdd9aed06502431ae72654131ba90e52cbe063a79e935af08dcb2b0a1e037e23f6c7da438bb5e5526e915b5ade162cc5db8a0883865634de8f382d000d80

Download Submit
C:\Windows\{74F0AFD2-1EC5-4174-B08B-8FAE4DF5453A}.exe

Filesize
168KB

MD5
05d2aaeeda5bd019dd59219018e68131

SHA1
6e040e1541a85fe3d5dac9fdaee86e2d2911dad6

SHA256
1175d8417d272e48289dd60ac141522dac418641497e90511205e43d5dde9a8c

SHA512
8e7e91fae5a1b1599b8ebad5a07116e22a25d2753dcd4b45b21f2ceed35a70e9b171940474c0d80a9151426780b36a56fc48b41b1dd2d0dd8986b551b4a28267

Download Submit
C:\Windows\{A13ECC64-CBF0-47f1-B8FD-D6A43ADA4C1C}.exe

Filesize
168KB

MD5
3feff76f5bb7a83e4fe47fd69cf4681d

SHA1
a4e806e863e739977537fe568969b7d57e8b016e

SHA256
1ce03cbe2fe79eee1c94b93062f417c7f42fa41182602706fb6d7f20cc563ba2

SHA512
f3a3fca85804a3736b8a10cef4a87d97ee2116bec3c02885ba830b42f09b5ffd226eb65ccb05b132f17051bc66d9605a141dffacca0825b0736ea23ae28bc169

Download Submit
C:\Windows\{C500D349-CDF9-405e-8F64-7928B894DE35}.exe

Filesize
168KB

MD5
fe0c314f878446e79c23f432cd352c84

SHA1
aefd2bff9403c485d42a6264ad08409259525505

SHA256
e98e05f431d37a86cf8d1ccef0f4bea70ed075bdac9d0761cfd35a46e98fd460

SHA512
dc72bb12011157b7ef8c60b45301733837012b9e7f085a7755c34d16f80a342d8d04027c3f215ee1dcfc6b5dbb42986ebf38d9a8362a88e994ddf580a98f11c7

Download Submit
C:\Windows\{F92A1ABB-625A-4075-861F-376E8BB126DE}.exe

Filesize
168KB

MD5
d0996345a3f42ae9284ffeec9a4b11fb

SHA1
fe98674402adc515124d434dff10f13685100bf1

SHA256
96d70feebff578ec69c3162948789a4c7191eb2e14ef551249de5ecf5260634c

SHA512
08f34090c479c8ddeb8d6ca16067f4fd377c009f79c96921ded110f8ae231622bdcfd8c8299be85d545e14c98c4b37715170491027a5057a219adb7e9a5b5a35

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads