36d67f97374b387d64d28eb78b4f837e9a9b698f41251e3ebab942351929a71e

Analysis

max time kernel
144s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
21/04/2024, 04:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-21_38f9caeb7d7555edb384d102b3e5e824_goldeneye.exe
Size

180KB
MD5

38f9caeb7d7555edb384d102b3e5e824
SHA1

9509853f3a21fa960fcc251778124764e2b214af
SHA256

36d67f97374b387d64d28eb78b4f837e9a9b698f41251e3ebab942351929a71e
SHA512

5fd536303a0004d83053ab6eecfa9254fa600e7a17a681fdb910eb6db1aa0d9bc4502eeb41eaef1450db2ceffc9457627b22b4c2d03285228d876ec1eacfb4c8
SSDEEP

3072:jEGh0oPlfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGVl5eKcAEc

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000c000000014454-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0037000000014708-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000014454-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x003700000001471d-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e000000014454-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f000000014454-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0010000000014454-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{46AE4C4D-A78D-41b8-8870-AADCE3D8D829}	{9EFDA756-CC75-4e85-A061-1D7A13A6F6D9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AD98EF0F-6D08-496a-912B-AAC01BC6EFED}	{6C71F562-1CA7-4050-84D9-7E2E91AAF7AB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DC19036D-1A4E-4951-9A11-67BDCFFA3DC6}\stubpath = "C:\\Windows\\{DC19036D-1A4E-4951-9A11-67BDCFFA3DC6}.exe"	{6510D688-12C1-438b-A94C-405AA007BCD1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{67202A4E-D544-40d2-A5A3-907A8AD97B45}	{36965BEA-4D6A-4678-8094-50ADC15CCA0D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{67202A4E-D544-40d2-A5A3-907A8AD97B45}\stubpath = "C:\\Windows\\{67202A4E-D544-40d2-A5A3-907A8AD97B45}.exe"	{36965BEA-4D6A-4678-8094-50ADC15CCA0D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{165CF42F-F126-4764-A4F7-B5E4592066CD}\stubpath = "C:\\Windows\\{165CF42F-F126-4764-A4F7-B5E4592066CD}.exe"	{D214BA1C-2E28-4912-9837-E60A86EDF807}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{83D3EA11-69DF-4dd2-8301-5533734A5982}\stubpath = "C:\\Windows\\{83D3EA11-69DF-4dd2-8301-5533734A5982}.exe"	2024-04-21_38f9caeb7d7555edb384d102b3e5e824_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9EFDA756-CC75-4e85-A061-1D7A13A6F6D9}	{83D3EA11-69DF-4dd2-8301-5533734A5982}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AD98EF0F-6D08-496a-912B-AAC01BC6EFED}\stubpath = "C:\\Windows\\{AD98EF0F-6D08-496a-912B-AAC01BC6EFED}.exe"	{6C71F562-1CA7-4050-84D9-7E2E91AAF7AB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D214BA1C-2E28-4912-9837-E60A86EDF807}	{67202A4E-D544-40d2-A5A3-907A8AD97B45}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6C71F562-1CA7-4050-84D9-7E2E91AAF7AB}	{46AE4C4D-A78D-41b8-8870-AADCE3D8D829}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6C71F562-1CA7-4050-84D9-7E2E91AAF7AB}\stubpath = "C:\\Windows\\{6C71F562-1CA7-4050-84D9-7E2E91AAF7AB}.exe"	{46AE4C4D-A78D-41b8-8870-AADCE3D8D829}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6510D688-12C1-438b-A94C-405AA007BCD1}\stubpath = "C:\\Windows\\{6510D688-12C1-438b-A94C-405AA007BCD1}.exe"	{AD98EF0F-6D08-496a-912B-AAC01BC6EFED}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{36965BEA-4D6A-4678-8094-50ADC15CCA0D}\stubpath = "C:\\Windows\\{36965BEA-4D6A-4678-8094-50ADC15CCA0D}.exe"	{DC19036D-1A4E-4951-9A11-67BDCFFA3DC6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{165CF42F-F126-4764-A4F7-B5E4592066CD}	{D214BA1C-2E28-4912-9837-E60A86EDF807}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{46AE4C4D-A78D-41b8-8870-AADCE3D8D829}\stubpath = "C:\\Windows\\{46AE4C4D-A78D-41b8-8870-AADCE3D8D829}.exe"	{9EFDA756-CC75-4e85-A061-1D7A13A6F6D9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6510D688-12C1-438b-A94C-405AA007BCD1}	{AD98EF0F-6D08-496a-912B-AAC01BC6EFED}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DC19036D-1A4E-4951-9A11-67BDCFFA3DC6}	{6510D688-12C1-438b-A94C-405AA007BCD1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{36965BEA-4D6A-4678-8094-50ADC15CCA0D}	{DC19036D-1A4E-4951-9A11-67BDCFFA3DC6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D214BA1C-2E28-4912-9837-E60A86EDF807}\stubpath = "C:\\Windows\\{D214BA1C-2E28-4912-9837-E60A86EDF807}.exe"	{67202A4E-D544-40d2-A5A3-907A8AD97B45}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{83D3EA11-69DF-4dd2-8301-5533734A5982}	2024-04-21_38f9caeb7d7555edb384d102b3e5e824_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9EFDA756-CC75-4e85-A061-1D7A13A6F6D9}\stubpath = "C:\\Windows\\{9EFDA756-CC75-4e85-A061-1D7A13A6F6D9}.exe"	{83D3EA11-69DF-4dd2-8301-5533734A5982}.exe

Executes dropped EXE 11 IoCs

pid	Process
296	{83D3EA11-69DF-4dd2-8301-5533734A5982}.exe
2600	{9EFDA756-CC75-4e85-A061-1D7A13A6F6D9}.exe
2700	{46AE4C4D-A78D-41b8-8870-AADCE3D8D829}.exe
1656	{6C71F562-1CA7-4050-84D9-7E2E91AAF7AB}.exe
1712	{AD98EF0F-6D08-496a-912B-AAC01BC6EFED}.exe
2784	{6510D688-12C1-438b-A94C-405AA007BCD1}.exe
2772	{DC19036D-1A4E-4951-9A11-67BDCFFA3DC6}.exe
2952	{36965BEA-4D6A-4678-8094-50ADC15CCA0D}.exe
2012	{67202A4E-D544-40d2-A5A3-907A8AD97B45}.exe
2008	{D214BA1C-2E28-4912-9837-E60A86EDF807}.exe
612	{165CF42F-F126-4764-A4F7-B5E4592066CD}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{67202A4E-D544-40d2-A5A3-907A8AD97B45}.exe	{36965BEA-4D6A-4678-8094-50ADC15CCA0D}.exe
File created	C:\Windows\{D214BA1C-2E28-4912-9837-E60A86EDF807}.exe	{67202A4E-D544-40d2-A5A3-907A8AD97B45}.exe
File created	C:\Windows\{83D3EA11-69DF-4dd2-8301-5533734A5982}.exe	2024-04-21_38f9caeb7d7555edb384d102b3e5e824_goldeneye.exe
File created	C:\Windows\{9EFDA756-CC75-4e85-A061-1D7A13A6F6D9}.exe	{83D3EA11-69DF-4dd2-8301-5533734A5982}.exe
File created	C:\Windows\{6C71F562-1CA7-4050-84D9-7E2E91AAF7AB}.exe	{46AE4C4D-A78D-41b8-8870-AADCE3D8D829}.exe
File created	C:\Windows\{AD98EF0F-6D08-496a-912B-AAC01BC6EFED}.exe	{6C71F562-1CA7-4050-84D9-7E2E91AAF7AB}.exe
File created	C:\Windows\{DC19036D-1A4E-4951-9A11-67BDCFFA3DC6}.exe	{6510D688-12C1-438b-A94C-405AA007BCD1}.exe
File created	C:\Windows\{36965BEA-4D6A-4678-8094-50ADC15CCA0D}.exe	{DC19036D-1A4E-4951-9A11-67BDCFFA3DC6}.exe
File created	C:\Windows\{165CF42F-F126-4764-A4F7-B5E4592066CD}.exe	{D214BA1C-2E28-4912-9837-E60A86EDF807}.exe
File created	C:\Windows\{46AE4C4D-A78D-41b8-8870-AADCE3D8D829}.exe	{9EFDA756-CC75-4e85-A061-1D7A13A6F6D9}.exe
File created	C:\Windows\{6510D688-12C1-438b-A94C-405AA007BCD1}.exe	{AD98EF0F-6D08-496a-912B-AAC01BC6EFED}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3048	2024-04-21_38f9caeb7d7555edb384d102b3e5e824_goldeneye.exe
Token: SeIncBasePriorityPrivilege	296	{83D3EA11-69DF-4dd2-8301-5533734A5982}.exe
Token: SeIncBasePriorityPrivilege	2600	{9EFDA756-CC75-4e85-A061-1D7A13A6F6D9}.exe
Token: SeIncBasePriorityPrivilege	2700	{46AE4C4D-A78D-41b8-8870-AADCE3D8D829}.exe
Token: SeIncBasePriorityPrivilege	1656	{6C71F562-1CA7-4050-84D9-7E2E91AAF7AB}.exe
Token: SeIncBasePriorityPrivilege	1712	{AD98EF0F-6D08-496a-912B-AAC01BC6EFED}.exe
Token: SeIncBasePriorityPrivilege	2784	{6510D688-12C1-438b-A94C-405AA007BCD1}.exe
Token: SeIncBasePriorityPrivilege	2772	{DC19036D-1A4E-4951-9A11-67BDCFFA3DC6}.exe
Token: SeIncBasePriorityPrivilege	2952	{36965BEA-4D6A-4678-8094-50ADC15CCA0D}.exe
Token: SeIncBasePriorityPrivilege	2012	{67202A4E-D544-40d2-A5A3-907A8AD97B45}.exe
Token: SeIncBasePriorityPrivilege	2008	{D214BA1C-2E28-4912-9837-E60A86EDF807}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3048 wrote to memory of 296	3048	2024-04-21_38f9caeb7d7555edb384d102b3e5e824_goldeneye.exe	28
PID 3048 wrote to memory of 296	3048	2024-04-21_38f9caeb7d7555edb384d102b3e5e824_goldeneye.exe	28
PID 3048 wrote to memory of 296	3048	2024-04-21_38f9caeb7d7555edb384d102b3e5e824_goldeneye.exe	28
PID 3048 wrote to memory of 296	3048	2024-04-21_38f9caeb7d7555edb384d102b3e5e824_goldeneye.exe	28
PID 3048 wrote to memory of 2532	3048	2024-04-21_38f9caeb7d7555edb384d102b3e5e824_goldeneye.exe	29
PID 3048 wrote to memory of 2532	3048	2024-04-21_38f9caeb7d7555edb384d102b3e5e824_goldeneye.exe	29
PID 3048 wrote to memory of 2532	3048	2024-04-21_38f9caeb7d7555edb384d102b3e5e824_goldeneye.exe	29
PID 3048 wrote to memory of 2532	3048	2024-04-21_38f9caeb7d7555edb384d102b3e5e824_goldeneye.exe	29
PID 296 wrote to memory of 2600	296	{83D3EA11-69DF-4dd2-8301-5533734A5982}.exe	30
PID 296 wrote to memory of 2600	296	{83D3EA11-69DF-4dd2-8301-5533734A5982}.exe	30
PID 296 wrote to memory of 2600	296	{83D3EA11-69DF-4dd2-8301-5533734A5982}.exe	30
PID 296 wrote to memory of 2600	296	{83D3EA11-69DF-4dd2-8301-5533734A5982}.exe	30
PID 296 wrote to memory of 2576	296	{83D3EA11-69DF-4dd2-8301-5533734A5982}.exe	31
PID 296 wrote to memory of 2576	296	{83D3EA11-69DF-4dd2-8301-5533734A5982}.exe	31
PID 296 wrote to memory of 2576	296	{83D3EA11-69DF-4dd2-8301-5533734A5982}.exe	31
PID 296 wrote to memory of 2576	296	{83D3EA11-69DF-4dd2-8301-5533734A5982}.exe	31
PID 2600 wrote to memory of 2700	2600	{9EFDA756-CC75-4e85-A061-1D7A13A6F6D9}.exe	32
PID 2600 wrote to memory of 2700	2600	{9EFDA756-CC75-4e85-A061-1D7A13A6F6D9}.exe	32
PID 2600 wrote to memory of 2700	2600	{9EFDA756-CC75-4e85-A061-1D7A13A6F6D9}.exe	32
PID 2600 wrote to memory of 2700	2600	{9EFDA756-CC75-4e85-A061-1D7A13A6F6D9}.exe	32
PID 2600 wrote to memory of 2580	2600	{9EFDA756-CC75-4e85-A061-1D7A13A6F6D9}.exe	33
PID 2600 wrote to memory of 2580	2600	{9EFDA756-CC75-4e85-A061-1D7A13A6F6D9}.exe	33
PID 2600 wrote to memory of 2580	2600	{9EFDA756-CC75-4e85-A061-1D7A13A6F6D9}.exe	33
PID 2600 wrote to memory of 2580	2600	{9EFDA756-CC75-4e85-A061-1D7A13A6F6D9}.exe	33
PID 2700 wrote to memory of 1656	2700	{46AE4C4D-A78D-41b8-8870-AADCE3D8D829}.exe	36
PID 2700 wrote to memory of 1656	2700	{46AE4C4D-A78D-41b8-8870-AADCE3D8D829}.exe	36
PID 2700 wrote to memory of 1656	2700	{46AE4C4D-A78D-41b8-8870-AADCE3D8D829}.exe	36
PID 2700 wrote to memory of 1656	2700	{46AE4C4D-A78D-41b8-8870-AADCE3D8D829}.exe	36
PID 2700 wrote to memory of 1452	2700	{46AE4C4D-A78D-41b8-8870-AADCE3D8D829}.exe	37
PID 2700 wrote to memory of 1452	2700	{46AE4C4D-A78D-41b8-8870-AADCE3D8D829}.exe	37
PID 2700 wrote to memory of 1452	2700	{46AE4C4D-A78D-41b8-8870-AADCE3D8D829}.exe	37
PID 2700 wrote to memory of 1452	2700	{46AE4C4D-A78D-41b8-8870-AADCE3D8D829}.exe	37
PID 1656 wrote to memory of 1712	1656	{6C71F562-1CA7-4050-84D9-7E2E91AAF7AB}.exe	38
PID 1656 wrote to memory of 1712	1656	{6C71F562-1CA7-4050-84D9-7E2E91AAF7AB}.exe	38
PID 1656 wrote to memory of 1712	1656	{6C71F562-1CA7-4050-84D9-7E2E91AAF7AB}.exe	38
PID 1656 wrote to memory of 1712	1656	{6C71F562-1CA7-4050-84D9-7E2E91AAF7AB}.exe	38
PID 1656 wrote to memory of 1120	1656	{6C71F562-1CA7-4050-84D9-7E2E91AAF7AB}.exe	39
PID 1656 wrote to memory of 1120	1656	{6C71F562-1CA7-4050-84D9-7E2E91AAF7AB}.exe	39
PID 1656 wrote to memory of 1120	1656	{6C71F562-1CA7-4050-84D9-7E2E91AAF7AB}.exe	39
PID 1656 wrote to memory of 1120	1656	{6C71F562-1CA7-4050-84D9-7E2E91AAF7AB}.exe	39
PID 1712 wrote to memory of 2784	1712	{AD98EF0F-6D08-496a-912B-AAC01BC6EFED}.exe	40
PID 1712 wrote to memory of 2784	1712	{AD98EF0F-6D08-496a-912B-AAC01BC6EFED}.exe	40
PID 1712 wrote to memory of 2784	1712	{AD98EF0F-6D08-496a-912B-AAC01BC6EFED}.exe	40
PID 1712 wrote to memory of 2784	1712	{AD98EF0F-6D08-496a-912B-AAC01BC6EFED}.exe	40
PID 1712 wrote to memory of 1276	1712	{AD98EF0F-6D08-496a-912B-AAC01BC6EFED}.exe	41
PID 1712 wrote to memory of 1276	1712	{AD98EF0F-6D08-496a-912B-AAC01BC6EFED}.exe	41
PID 1712 wrote to memory of 1276	1712	{AD98EF0F-6D08-496a-912B-AAC01BC6EFED}.exe	41
PID 1712 wrote to memory of 1276	1712	{AD98EF0F-6D08-496a-912B-AAC01BC6EFED}.exe	41
PID 2784 wrote to memory of 2772	2784	{6510D688-12C1-438b-A94C-405AA007BCD1}.exe	42
PID 2784 wrote to memory of 2772	2784	{6510D688-12C1-438b-A94C-405AA007BCD1}.exe	42
PID 2784 wrote to memory of 2772	2784	{6510D688-12C1-438b-A94C-405AA007BCD1}.exe	42
PID 2784 wrote to memory of 2772	2784	{6510D688-12C1-438b-A94C-405AA007BCD1}.exe	42
PID 2784 wrote to memory of 2776	2784	{6510D688-12C1-438b-A94C-405AA007BCD1}.exe	43
PID 2784 wrote to memory of 2776	2784	{6510D688-12C1-438b-A94C-405AA007BCD1}.exe	43
PID 2784 wrote to memory of 2776	2784	{6510D688-12C1-438b-A94C-405AA007BCD1}.exe	43
PID 2784 wrote to memory of 2776	2784	{6510D688-12C1-438b-A94C-405AA007BCD1}.exe	43
PID 2772 wrote to memory of 2952	2772	{DC19036D-1A4E-4951-9A11-67BDCFFA3DC6}.exe	44
PID 2772 wrote to memory of 2952	2772	{DC19036D-1A4E-4951-9A11-67BDCFFA3DC6}.exe	44
PID 2772 wrote to memory of 2952	2772	{DC19036D-1A4E-4951-9A11-67BDCFFA3DC6}.exe	44
PID 2772 wrote to memory of 2952	2772	{DC19036D-1A4E-4951-9A11-67BDCFFA3DC6}.exe	44
PID 2772 wrote to memory of 1324	2772	{DC19036D-1A4E-4951-9A11-67BDCFFA3DC6}.exe	45
PID 2772 wrote to memory of 1324	2772	{DC19036D-1A4E-4951-9A11-67BDCFFA3DC6}.exe	45
PID 2772 wrote to memory of 1324	2772	{DC19036D-1A4E-4951-9A11-67BDCFFA3DC6}.exe	45
PID 2772 wrote to memory of 1324	2772	{DC19036D-1A4E-4951-9A11-67BDCFFA3DC6}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-04-21_38f9caeb7d7555edb384d102b3e5e824_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-21_38f9caeb7d7555edb384d102b3e5e824_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3048
- C:\Windows\{83D3EA11-69DF-4dd2-8301-5533734A5982}.exe
  C:\Windows\{83D3EA11-69DF-4dd2-8301-5533734A5982}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:296
- - C:\Windows\{9EFDA756-CC75-4e85-A061-1D7A13A6F6D9}.exe
    C:\Windows\{9EFDA756-CC75-4e85-A061-1D7A13A6F6D9}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2600
  - - C:\Windows\{46AE4C4D-A78D-41b8-8870-AADCE3D8D829}.exe
      C:\Windows\{46AE4C4D-A78D-41b8-8870-AADCE3D8D829}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2700
    - - C:\Windows\{6C71F562-1CA7-4050-84D9-7E2E91AAF7AB}.exe
        
        C:\Windows\{6C71F562-1CA7-4050-84D9-7E2E91AAF7AB}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1656
      - C:\Windows\{AD98EF0F-6D08-496a-912B-AAC01BC6EFED}.exe
        
        C:\Windows\{AD98EF0F-6D08-496a-912B-AAC01BC6EFED}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1712
        
        C:\Windows\{6510D688-12C1-438b-A94C-405AA007BCD1}.exe
        
        C:\Windows\{6510D688-12C1-438b-A94C-405AA007BCD1}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2784
        
        C:\Windows\{DC19036D-1A4E-4951-9A11-67BDCFFA3DC6}.exe
        
        C:\Windows\{DC19036D-1A4E-4951-9A11-67BDCFFA3DC6}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2772
        
        C:\Windows\{36965BEA-4D6A-4678-8094-50ADC15CCA0D}.exe
        
        C:\Windows\{36965BEA-4D6A-4678-8094-50ADC15CCA0D}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2952
        
        C:\Windows\{67202A4E-D544-40d2-A5A3-907A8AD97B45}.exe
        
        C:\Windows\{67202A4E-D544-40d2-A5A3-907A8AD97B45}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2012
        
        C:\Windows\{D214BA1C-2E28-4912-9837-E60A86EDF807}.exe
        
        C:\Windows\{D214BA1C-2E28-4912-9837-E60A86EDF807}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2008
        
        C:\Windows\{165CF42F-F126-4764-A4F7-B5E4592066CD}.exe
        
        C:\Windows\{165CF42F-F126-4764-A4F7-B5E4592066CD}.exe
        12⤵
        Executes dropped EXE
        
        PID:612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D214B~1.EXE > nul
        12⤵
        
        PID:588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{67202~1.EXE > nul
        11⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{36965~1.EXE > nul
        10⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DC190~1.EXE > nul
        9⤵
        
        PID:1324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6510D~1.EXE > nul
        8⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AD98E~1.EXE > nul
        7⤵
        
        PID:1276
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6C71F~1.EXE > nul
        6⤵
        
        PID:1120
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{46AE4~1.EXE > nul
        5⤵
        
        PID:1452
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{9EFDA~1.EXE > nul
      4⤵
      PID:2580
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{83D3E~1.EXE > nul
    3⤵
    PID:2576
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{165CF42F-F126-4764-A4F7-B5E4592066CD}.exe

Filesize
180KB

MD5
305dbafd8ab3555e06d6c2b9de8bc754

SHA1
cd74adff35d89e58a8ba7aecda17751cff39e228

SHA256
8891cf0619ae36cc3a4f7f875d3905d32aa24565c74cf5217e6c53496bf33b47

SHA512
0d117acd3a7a4419844f4bfbb41683961992dc4ed9ca18aa9730a9d559b6ca2e70d2193dbedb620105b248da725aede666dd7940bffb1110ac75190072d9205a

Download Submit
C:\Windows\{36965BEA-4D6A-4678-8094-50ADC15CCA0D}.exe

Filesize
180KB

MD5
fc0f4a5a8200499f2145da203cc71274

SHA1
681d8cb62ea1e45c707c0668fa0d83dea28fb4fa

SHA256
b9d9212a0fe7ebabc5e60e333d4f890dbe527669914af66bb6dcfac84d10deb2

SHA512
b105e6588232159f240933c13af0b482bc2002d6e764284d1b1feec3ac28166baa3cb82a04de745c953b20baa6c52e004031ddac3f94a135e767130bef3289e4

Download Submit
C:\Windows\{46AE4C4D-A78D-41b8-8870-AADCE3D8D829}.exe

Filesize
180KB

MD5
951ebacdc7675d2d859f624bfc33dccc

SHA1
5356bdaf7946cef639e784de482d4b5e6f2af8a7

SHA256
935396c9a63da9386d614bb3793a0cd27f3eb4c41832923de0bcde1d7f27bbeb

SHA512
09b5cefa0bf391d5283725fe7bbfe98c24f0a5e21ff2c8e6888cf24b4f43c29d15d54f896e5b890948140e9a1a4a666daf28c107e237d2df87a5124550dd3af5

Download Submit
C:\Windows\{6510D688-12C1-438b-A94C-405AA007BCD1}.exe

Filesize
180KB

MD5
6be367d9db53c46ed103770598690fe1

SHA1
7fd3d468fc0c4d9e584eabcd8f345ec5d19d468c

SHA256
e92921aabe8db0c8e5f24ce404886be16dfccaf87d80dd0e1526215f1082e825

SHA512
15eb71da5fee5ecbd232d8fb9fc4cd4108d4eb6f86d55a81c0e551d1c14aee3519f4f2dc75910ddb9da62a0710a2eb6006956272ab640a0bbf19e64266f1a8bc

Download Submit
C:\Windows\{67202A4E-D544-40d2-A5A3-907A8AD97B45}.exe

Filesize
180KB

MD5
9f73018d54b38c29be5fa2e184ab02ef

SHA1
26e1f596c57f2b7602dc2aaf46229e7b4bb6bfc1

SHA256
d2952f58f030fa33dfc8202dea03a7395fb6407fe1d695d0019479a4ccf1d000

SHA512
6c9159e2c6ed5a19bbaaab41b49c49322c6766ead2d613038811c95bf0595620f8e1af6788bf3d300f18232a52972b14781e78e3dbd96914e0c0293fbe79cdfb

Download Submit
C:\Windows\{6C71F562-1CA7-4050-84D9-7E2E91AAF7AB}.exe

Filesize
180KB

MD5
496c75f62d9deccfdc41b6e87efb2f46

SHA1
40747bc0991f4e8f758e83d733f72d5df7079f6c

SHA256
2952954135789bab4fa7e0f010e91d72b1e524cc567c4e8c216ac26c06a4e26d

SHA512
40b843e85d5562f5ac2add70191906e70c7876c72a47ea6778235548ac8f6034ccd824e000177e9cbf6a1ca01bb1b7c5e0ca2494dd67528dddf97c3f1e512921

Download Submit
C:\Windows\{83D3EA11-69DF-4dd2-8301-5533734A5982}.exe

Filesize
180KB

MD5
b13bbae2da3f30f0cd0e26b6f64febdf

SHA1
3aac6d590034a42501477af2a87c519b0c3779be

SHA256
ab1bdede094aa4ac67b72feb066202e7f3302722e6f5fc80342f69f268c7f975

SHA512
b9e542f473720b2e462e51b61ba911ea6834fecf1266c00a7bf421b7a8afd6a75a43d96db8dba1d05f81807096722fb4bbec9d74fac753c9a0575b5217e7ba44

Download Submit
C:\Windows\{9EFDA756-CC75-4e85-A061-1D7A13A6F6D9}.exe

Filesize
180KB

MD5
5d2c76264240f813e687e1bd6e65e5d8

SHA1
7aead6d5f4b835cf54ab71e0ead146304170d58e

SHA256
4921d4cedc1817883fc11040fad4ef8358616e872c714aa1baa267b83593fcb6

SHA512
aec77a54ecff9a470d2d5025bda25ea35905fd9128486037b6435a083402c261736000d47257ae08eff3b40295bc278657fac953fd96db070aa91cea2811436b

Download Submit
C:\Windows\{AD98EF0F-6D08-496a-912B-AAC01BC6EFED}.exe

Filesize
180KB

MD5
5b0d24f1d874e3dc95eaf7cb38a7c2a2

SHA1
3c3f7e025bcf35f4dcbcac04426d6eb65a11b0be

SHA256
23814508850375ac3b89705d17c4578f2b1ad0dd2d90ee6521f27591174dec54

SHA512
8034c8ea0ea4b24f35ef521b4475ccd28dd4066ea951203908c007ac18c8d4a22b11318d60b164c7c48c16a497228c23076aaf723c2720e09b3e2013926391c9

Download Submit
C:\Windows\{D214BA1C-2E28-4912-9837-E60A86EDF807}.exe

Filesize
180KB

MD5
0923c6739010a6b751dc1a035e677cd1

SHA1
697bd27c8f36c44118bab67c04b895731fbe6d97

SHA256
473c2ed96c353fc977ebe70f87e9cbe36c97ea47df2588c23bf4e3e05a172e44

SHA512
4e6da1c2634dd08c9c642a6b2effca31220ce30285b48b5e0b7ff65ed6e8e3ada7dcab88c15d7f4e974c9a3634dbca89a8a764a0ddec6b8634cfca7093c69ff0

Download Submit
C:\Windows\{DC19036D-1A4E-4951-9A11-67BDCFFA3DC6}.exe

Filesize
180KB

MD5
d42fe2cf2a6fe2335c7502de32565a21

SHA1
c484716cf542c2d9194aa12c37bf1231288f0934

SHA256
27b11cde9086af2199fc36e7bd8d706eb3bffa3846a4f7d5cb0dc7a93b49cd45

SHA512
52a58132bfbd516b34646c4213a13abe8052cd49cba937b0bc092a57a2e4801e0e35339934abe6c1fb77cf01ae76533335e74a94063891eb0c4cd8ad7b4b09a2

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads