26794a04f5ff300a9c17b60c9a2e8d04e1026d6c3bf3a8ef4ee57dd1eb3ade5f

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
21/04/2024, 19:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

26794a04f5ff300a9c17b60c9a2e8d04e1026d6c3bf3a8ef4ee57dd1eb3ade5f.exe
Size

204KB
MD5

89b565ae54683fd4686b90f98a0736d3
SHA1

dbe785ba300339552b4e2aa28f05d7121190931c
SHA256

26794a04f5ff300a9c17b60c9a2e8d04e1026d6c3bf3a8ef4ee57dd1eb3ade5f
SHA512

dc726b33abf6812bfc990d0b74e0808e7769c7eaf8467cc9afdea2e806865d485bc3c9eb8d8ae35af850566234656c8b265d626530436341461dd1630fac4ccf
SSDEEP

1536:1EGh0o/l15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0o/l1OPOe2MUVg3Ve+rXfMUy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000d00000001231a-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0033000000013a3d-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e00000001231a-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0033000000013a7c-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f00000001231a-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001000000001231a-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001100000001231a-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D02433A3-B4E9-4753-A26B-35D91F1C5972}	{52A689E1-DB73-43f9-8772-3295116BE92F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5EB94056-BEFD-4a7b-B359-C6D6B037A432}\stubpath = "C:\\Windows\\{5EB94056-BEFD-4a7b-B359-C6D6B037A432}.exe"	{D02433A3-B4E9-4753-A26B-35D91F1C5972}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{35BE13D6-0C83-4f15-BF72-773EC9E88515}	26794a04f5ff300a9c17b60c9a2e8d04e1026d6c3bf3a8ef4ee57dd1eb3ade5f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{319D9D92-1CDF-48d0-B90F-1B0B4CBB4DA0}	{32D1E455-E571-48f7-91A0-5DCCAEE64267}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{52A689E1-DB73-43f9-8772-3295116BE92F}\stubpath = "C:\\Windows\\{52A689E1-DB73-43f9-8772-3295116BE92F}.exe"	{FE3F7F91-64D3-425d-9041-9FE82BBC09F3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{52A689E1-DB73-43f9-8772-3295116BE92F}	{FE3F7F91-64D3-425d-9041-9FE82BBC09F3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D02433A3-B4E9-4753-A26B-35D91F1C5972}\stubpath = "C:\\Windows\\{D02433A3-B4E9-4753-A26B-35D91F1C5972}.exe"	{52A689E1-DB73-43f9-8772-3295116BE92F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E7BEF439-6EEF-4b12-8A68-ABAE268C0AAA}	{5EB94056-BEFD-4a7b-B359-C6D6B037A432}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{35BE13D6-0C83-4f15-BF72-773EC9E88515}\stubpath = "C:\\Windows\\{35BE13D6-0C83-4f15-BF72-773EC9E88515}.exe"	26794a04f5ff300a9c17b60c9a2e8d04e1026d6c3bf3a8ef4ee57dd1eb3ade5f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{481E86D1-8BD4-4e81-978A-BC8CBCE97234}\stubpath = "C:\\Windows\\{481E86D1-8BD4-4e81-978A-BC8CBCE97234}.exe"	{35BE13D6-0C83-4f15-BF72-773EC9E88515}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{32D1E455-E571-48f7-91A0-5DCCAEE64267}	{33FD9CAE-1DDF-4eff-8B4B-962619754E04}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E047F370-DD01-46ec-921D-7352D2EC1B75}	{319D9D92-1CDF-48d0-B90F-1B0B4CBB4DA0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E047F370-DD01-46ec-921D-7352D2EC1B75}\stubpath = "C:\\Windows\\{E047F370-DD01-46ec-921D-7352D2EC1B75}.exe"	{319D9D92-1CDF-48d0-B90F-1B0B4CBB4DA0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5EB94056-BEFD-4a7b-B359-C6D6B037A432}	{D02433A3-B4E9-4753-A26B-35D91F1C5972}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{33FD9CAE-1DDF-4eff-8B4B-962619754E04}\stubpath = "C:\\Windows\\{33FD9CAE-1DDF-4eff-8B4B-962619754E04}.exe"	{481E86D1-8BD4-4e81-978A-BC8CBCE97234}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{32D1E455-E571-48f7-91A0-5DCCAEE64267}\stubpath = "C:\\Windows\\{32D1E455-E571-48f7-91A0-5DCCAEE64267}.exe"	{33FD9CAE-1DDF-4eff-8B4B-962619754E04}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{319D9D92-1CDF-48d0-B90F-1B0B4CBB4DA0}\stubpath = "C:\\Windows\\{319D9D92-1CDF-48d0-B90F-1B0B4CBB4DA0}.exe"	{32D1E455-E571-48f7-91A0-5DCCAEE64267}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FE3F7F91-64D3-425d-9041-9FE82BBC09F3}\stubpath = "C:\\Windows\\{FE3F7F91-64D3-425d-9041-9FE82BBC09F3}.exe"	{E047F370-DD01-46ec-921D-7352D2EC1B75}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E7BEF439-6EEF-4b12-8A68-ABAE268C0AAA}\stubpath = "C:\\Windows\\{E7BEF439-6EEF-4b12-8A68-ABAE268C0AAA}.exe"	{5EB94056-BEFD-4a7b-B359-C6D6B037A432}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{481E86D1-8BD4-4e81-978A-BC8CBCE97234}	{35BE13D6-0C83-4f15-BF72-773EC9E88515}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{33FD9CAE-1DDF-4eff-8B4B-962619754E04}	{481E86D1-8BD4-4e81-978A-BC8CBCE97234}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FE3F7F91-64D3-425d-9041-9FE82BBC09F3}	{E047F370-DD01-46ec-921D-7352D2EC1B75}.exe

Deletes itself 1 IoCs

pid	Process
2600	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2204	{35BE13D6-0C83-4f15-BF72-773EC9E88515}.exe
2584	{481E86D1-8BD4-4e81-978A-BC8CBCE97234}.exe
2488	{33FD9CAE-1DDF-4eff-8B4B-962619754E04}.exe
1036	{32D1E455-E571-48f7-91A0-5DCCAEE64267}.exe
2796	{319D9D92-1CDF-48d0-B90F-1B0B4CBB4DA0}.exe
2024	{E047F370-DD01-46ec-921D-7352D2EC1B75}.exe
1060	{FE3F7F91-64D3-425d-9041-9FE82BBC09F3}.exe
1648	{52A689E1-DB73-43f9-8772-3295116BE92F}.exe
2304	{D02433A3-B4E9-4753-A26B-35D91F1C5972}.exe
2092	{5EB94056-BEFD-4a7b-B359-C6D6B037A432}.exe
580	{E7BEF439-6EEF-4b12-8A68-ABAE268C0AAA}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{33FD9CAE-1DDF-4eff-8B4B-962619754E04}.exe	{481E86D1-8BD4-4e81-978A-BC8CBCE97234}.exe
File created	C:\Windows\{32D1E455-E571-48f7-91A0-5DCCAEE64267}.exe	{33FD9CAE-1DDF-4eff-8B4B-962619754E04}.exe
File created	C:\Windows\{319D9D92-1CDF-48d0-B90F-1B0B4CBB4DA0}.exe	{32D1E455-E571-48f7-91A0-5DCCAEE64267}.exe
File created	C:\Windows\{52A689E1-DB73-43f9-8772-3295116BE92F}.exe	{FE3F7F91-64D3-425d-9041-9FE82BBC09F3}.exe
File created	C:\Windows\{E7BEF439-6EEF-4b12-8A68-ABAE268C0AAA}.exe	{5EB94056-BEFD-4a7b-B359-C6D6B037A432}.exe
File created	C:\Windows\{5EB94056-BEFD-4a7b-B359-C6D6B037A432}.exe	{D02433A3-B4E9-4753-A26B-35D91F1C5972}.exe
File created	C:\Windows\{35BE13D6-0C83-4f15-BF72-773EC9E88515}.exe	26794a04f5ff300a9c17b60c9a2e8d04e1026d6c3bf3a8ef4ee57dd1eb3ade5f.exe
File created	C:\Windows\{481E86D1-8BD4-4e81-978A-BC8CBCE97234}.exe	{35BE13D6-0C83-4f15-BF72-773EC9E88515}.exe
File created	C:\Windows\{E047F370-DD01-46ec-921D-7352D2EC1B75}.exe	{319D9D92-1CDF-48d0-B90F-1B0B4CBB4DA0}.exe
File created	C:\Windows\{FE3F7F91-64D3-425d-9041-9FE82BBC09F3}.exe	{E047F370-DD01-46ec-921D-7352D2EC1B75}.exe
File created	C:\Windows\{D02433A3-B4E9-4753-A26B-35D91F1C5972}.exe	{52A689E1-DB73-43f9-8772-3295116BE92F}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2120	26794a04f5ff300a9c17b60c9a2e8d04e1026d6c3bf3a8ef4ee57dd1eb3ade5f.exe
Token: SeIncBasePriorityPrivilege	2204	{35BE13D6-0C83-4f15-BF72-773EC9E88515}.exe
Token: SeIncBasePriorityPrivilege	2584	{481E86D1-8BD4-4e81-978A-BC8CBCE97234}.exe
Token: SeIncBasePriorityPrivilege	2488	{33FD9CAE-1DDF-4eff-8B4B-962619754E04}.exe
Token: SeIncBasePriorityPrivilege	1036	{32D1E455-E571-48f7-91A0-5DCCAEE64267}.exe
Token: SeIncBasePriorityPrivilege	2796	{319D9D92-1CDF-48d0-B90F-1B0B4CBB4DA0}.exe
Token: SeIncBasePriorityPrivilege	2024	{E047F370-DD01-46ec-921D-7352D2EC1B75}.exe
Token: SeIncBasePriorityPrivilege	1060	{FE3F7F91-64D3-425d-9041-9FE82BBC09F3}.exe
Token: SeIncBasePriorityPrivilege	1648	{52A689E1-DB73-43f9-8772-3295116BE92F}.exe
Token: SeIncBasePriorityPrivilege	2304	{D02433A3-B4E9-4753-A26B-35D91F1C5972}.exe
Token: SeIncBasePriorityPrivilege	2092	{5EB94056-BEFD-4a7b-B359-C6D6B037A432}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2120 wrote to memory of 2204	2120	26794a04f5ff300a9c17b60c9a2e8d04e1026d6c3bf3a8ef4ee57dd1eb3ade5f.exe	28
PID 2120 wrote to memory of 2204	2120	26794a04f5ff300a9c17b60c9a2e8d04e1026d6c3bf3a8ef4ee57dd1eb3ade5f.exe	28
PID 2120 wrote to memory of 2204	2120	26794a04f5ff300a9c17b60c9a2e8d04e1026d6c3bf3a8ef4ee57dd1eb3ade5f.exe	28
PID 2120 wrote to memory of 2204	2120	26794a04f5ff300a9c17b60c9a2e8d04e1026d6c3bf3a8ef4ee57dd1eb3ade5f.exe	28
PID 2120 wrote to memory of 2600	2120	26794a04f5ff300a9c17b60c9a2e8d04e1026d6c3bf3a8ef4ee57dd1eb3ade5f.exe	29
PID 2120 wrote to memory of 2600	2120	26794a04f5ff300a9c17b60c9a2e8d04e1026d6c3bf3a8ef4ee57dd1eb3ade5f.exe	29
PID 2120 wrote to memory of 2600	2120	26794a04f5ff300a9c17b60c9a2e8d04e1026d6c3bf3a8ef4ee57dd1eb3ade5f.exe	29
PID 2120 wrote to memory of 2600	2120	26794a04f5ff300a9c17b60c9a2e8d04e1026d6c3bf3a8ef4ee57dd1eb3ade5f.exe	29
PID 2204 wrote to memory of 2584	2204	{35BE13D6-0C83-4f15-BF72-773EC9E88515}.exe	30
PID 2204 wrote to memory of 2584	2204	{35BE13D6-0C83-4f15-BF72-773EC9E88515}.exe	30
PID 2204 wrote to memory of 2584	2204	{35BE13D6-0C83-4f15-BF72-773EC9E88515}.exe	30
PID 2204 wrote to memory of 2584	2204	{35BE13D6-0C83-4f15-BF72-773EC9E88515}.exe	30
PID 2204 wrote to memory of 2996	2204	{35BE13D6-0C83-4f15-BF72-773EC9E88515}.exe	31
PID 2204 wrote to memory of 2996	2204	{35BE13D6-0C83-4f15-BF72-773EC9E88515}.exe	31
PID 2204 wrote to memory of 2996	2204	{35BE13D6-0C83-4f15-BF72-773EC9E88515}.exe	31
PID 2204 wrote to memory of 2996	2204	{35BE13D6-0C83-4f15-BF72-773EC9E88515}.exe	31
PID 2584 wrote to memory of 2488	2584	{481E86D1-8BD4-4e81-978A-BC8CBCE97234}.exe	32
PID 2584 wrote to memory of 2488	2584	{481E86D1-8BD4-4e81-978A-BC8CBCE97234}.exe	32
PID 2584 wrote to memory of 2488	2584	{481E86D1-8BD4-4e81-978A-BC8CBCE97234}.exe	32
PID 2584 wrote to memory of 2488	2584	{481E86D1-8BD4-4e81-978A-BC8CBCE97234}.exe	32
PID 2584 wrote to memory of 2624	2584	{481E86D1-8BD4-4e81-978A-BC8CBCE97234}.exe	33
PID 2584 wrote to memory of 2624	2584	{481E86D1-8BD4-4e81-978A-BC8CBCE97234}.exe	33
PID 2584 wrote to memory of 2624	2584	{481E86D1-8BD4-4e81-978A-BC8CBCE97234}.exe	33
PID 2584 wrote to memory of 2624	2584	{481E86D1-8BD4-4e81-978A-BC8CBCE97234}.exe	33
PID 2488 wrote to memory of 1036	2488	{33FD9CAE-1DDF-4eff-8B4B-962619754E04}.exe	36
PID 2488 wrote to memory of 1036	2488	{33FD9CAE-1DDF-4eff-8B4B-962619754E04}.exe	36
PID 2488 wrote to memory of 1036	2488	{33FD9CAE-1DDF-4eff-8B4B-962619754E04}.exe	36
PID 2488 wrote to memory of 1036	2488	{33FD9CAE-1DDF-4eff-8B4B-962619754E04}.exe	36
PID 2488 wrote to memory of 1720	2488	{33FD9CAE-1DDF-4eff-8B4B-962619754E04}.exe	37
PID 2488 wrote to memory of 1720	2488	{33FD9CAE-1DDF-4eff-8B4B-962619754E04}.exe	37
PID 2488 wrote to memory of 1720	2488	{33FD9CAE-1DDF-4eff-8B4B-962619754E04}.exe	37
PID 2488 wrote to memory of 1720	2488	{33FD9CAE-1DDF-4eff-8B4B-962619754E04}.exe	37
PID 1036 wrote to memory of 2796	1036	{32D1E455-E571-48f7-91A0-5DCCAEE64267}.exe	38
PID 1036 wrote to memory of 2796	1036	{32D1E455-E571-48f7-91A0-5DCCAEE64267}.exe	38
PID 1036 wrote to memory of 2796	1036	{32D1E455-E571-48f7-91A0-5DCCAEE64267}.exe	38
PID 1036 wrote to memory of 2796	1036	{32D1E455-E571-48f7-91A0-5DCCAEE64267}.exe	38
PID 1036 wrote to memory of 2896	1036	{32D1E455-E571-48f7-91A0-5DCCAEE64267}.exe	39
PID 1036 wrote to memory of 2896	1036	{32D1E455-E571-48f7-91A0-5DCCAEE64267}.exe	39
PID 1036 wrote to memory of 2896	1036	{32D1E455-E571-48f7-91A0-5DCCAEE64267}.exe	39
PID 1036 wrote to memory of 2896	1036	{32D1E455-E571-48f7-91A0-5DCCAEE64267}.exe	39
PID 2796 wrote to memory of 2024	2796	{319D9D92-1CDF-48d0-B90F-1B0B4CBB4DA0}.exe	40
PID 2796 wrote to memory of 2024	2796	{319D9D92-1CDF-48d0-B90F-1B0B4CBB4DA0}.exe	40
PID 2796 wrote to memory of 2024	2796	{319D9D92-1CDF-48d0-B90F-1B0B4CBB4DA0}.exe	40
PID 2796 wrote to memory of 2024	2796	{319D9D92-1CDF-48d0-B90F-1B0B4CBB4DA0}.exe	40
PID 2796 wrote to memory of 1828	2796	{319D9D92-1CDF-48d0-B90F-1B0B4CBB4DA0}.exe	41
PID 2796 wrote to memory of 1828	2796	{319D9D92-1CDF-48d0-B90F-1B0B4CBB4DA0}.exe	41
PID 2796 wrote to memory of 1828	2796	{319D9D92-1CDF-48d0-B90F-1B0B4CBB4DA0}.exe	41
PID 2796 wrote to memory of 1828	2796	{319D9D92-1CDF-48d0-B90F-1B0B4CBB4DA0}.exe	41
PID 2024 wrote to memory of 1060	2024	{E047F370-DD01-46ec-921D-7352D2EC1B75}.exe	42
PID 2024 wrote to memory of 1060	2024	{E047F370-DD01-46ec-921D-7352D2EC1B75}.exe	42
PID 2024 wrote to memory of 1060	2024	{E047F370-DD01-46ec-921D-7352D2EC1B75}.exe	42
PID 2024 wrote to memory of 1060	2024	{E047F370-DD01-46ec-921D-7352D2EC1B75}.exe	42
PID 2024 wrote to memory of 2220	2024	{E047F370-DD01-46ec-921D-7352D2EC1B75}.exe	43
PID 2024 wrote to memory of 2220	2024	{E047F370-DD01-46ec-921D-7352D2EC1B75}.exe	43
PID 2024 wrote to memory of 2220	2024	{E047F370-DD01-46ec-921D-7352D2EC1B75}.exe	43
PID 2024 wrote to memory of 2220	2024	{E047F370-DD01-46ec-921D-7352D2EC1B75}.exe	43
PID 1060 wrote to memory of 1648	1060	{FE3F7F91-64D3-425d-9041-9FE82BBC09F3}.exe	44
PID 1060 wrote to memory of 1648	1060	{FE3F7F91-64D3-425d-9041-9FE82BBC09F3}.exe	44
PID 1060 wrote to memory of 1648	1060	{FE3F7F91-64D3-425d-9041-9FE82BBC09F3}.exe	44
PID 1060 wrote to memory of 1648	1060	{FE3F7F91-64D3-425d-9041-9FE82BBC09F3}.exe	44
PID 1060 wrote to memory of 1692	1060	{FE3F7F91-64D3-425d-9041-9FE82BBC09F3}.exe	45
PID 1060 wrote to memory of 1692	1060	{FE3F7F91-64D3-425d-9041-9FE82BBC09F3}.exe	45
PID 1060 wrote to memory of 1692	1060	{FE3F7F91-64D3-425d-9041-9FE82BBC09F3}.exe	45
PID 1060 wrote to memory of 1692	1060	{FE3F7F91-64D3-425d-9041-9FE82BBC09F3}.exe	45

C:\Users\Admin\AppData\Local\Temp\26794a04f5ff300a9c17b60c9a2e8d04e1026d6c3bf3a8ef4ee57dd1eb3ade5f.exe
"C:\Users\Admin\AppData\Local\Temp\26794a04f5ff300a9c17b60c9a2e8d04e1026d6c3bf3a8ef4ee57dd1eb3ade5f.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2120
- C:\Windows\{35BE13D6-0C83-4f15-BF72-773EC9E88515}.exe
  C:\Windows\{35BE13D6-0C83-4f15-BF72-773EC9E88515}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2204
- - C:\Windows\{481E86D1-8BD4-4e81-978A-BC8CBCE97234}.exe
    C:\Windows\{481E86D1-8BD4-4e81-978A-BC8CBCE97234}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2584
  - - C:\Windows\{33FD9CAE-1DDF-4eff-8B4B-962619754E04}.exe
      C:\Windows\{33FD9CAE-1DDF-4eff-8B4B-962619754E04}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2488
    - - C:\Windows\{32D1E455-E571-48f7-91A0-5DCCAEE64267}.exe
        
        C:\Windows\{32D1E455-E571-48f7-91A0-5DCCAEE64267}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1036
      - C:\Windows\{319D9D92-1CDF-48d0-B90F-1B0B4CBB4DA0}.exe
        
        C:\Windows\{319D9D92-1CDF-48d0-B90F-1B0B4CBB4DA0}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2796
        
        C:\Windows\{E047F370-DD01-46ec-921D-7352D2EC1B75}.exe
        
        C:\Windows\{E047F370-DD01-46ec-921D-7352D2EC1B75}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2024
        
        C:\Windows\{FE3F7F91-64D3-425d-9041-9FE82BBC09F3}.exe
        
        C:\Windows\{FE3F7F91-64D3-425d-9041-9FE82BBC09F3}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1060
        
        C:\Windows\{52A689E1-DB73-43f9-8772-3295116BE92F}.exe
        
        C:\Windows\{52A689E1-DB73-43f9-8772-3295116BE92F}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1648
        
        C:\Windows\{D02433A3-B4E9-4753-A26B-35D91F1C5972}.exe
        
        C:\Windows\{D02433A3-B4E9-4753-A26B-35D91F1C5972}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2304
        
        C:\Windows\{5EB94056-BEFD-4a7b-B359-C6D6B037A432}.exe
        
        C:\Windows\{5EB94056-BEFD-4a7b-B359-C6D6B037A432}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2092
        
        C:\Windows\{E7BEF439-6EEF-4b12-8A68-ABAE268C0AAA}.exe
        
        C:\Windows\{E7BEF439-6EEF-4b12-8A68-ABAE268C0AAA}.exe
        12⤵
        Executes dropped EXE
        
        PID:580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5EB94~1.EXE > nul
        12⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D0243~1.EXE > nul
        11⤵
        
        PID:596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{52A68~1.EXE > nul
        10⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FE3F7~1.EXE > nul
        9⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E047F~1.EXE > nul
        8⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{319D9~1.EXE > nul
        7⤵
        
        PID:1828
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{32D1E~1.EXE > nul
        6⤵
        
        PID:2896
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{33FD9~1.EXE > nul
        5⤵
        
        PID:1720
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{481E8~1.EXE > nul
      4⤵
      PID:2624
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{35BE1~1.EXE > nul
    3⤵
    PID:2996
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\26794A~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{319D9D92-1CDF-48d0-B90F-1B0B4CBB4DA0}.exe

Filesize
204KB

MD5
0bc09e22faaf43dd0f60793574088808

SHA1
3f9ac29c8a39406a32f0d67db680c8c90d605739

SHA256
6b3e65551b135178502f5da1625016f9b07e3b65e1505b1c47e22f424346589b

SHA512
19cf0da8c2c1d9a11cb1391a24ac3dbfe4e80ef0a8818ab7d9e78a9af3959fa40beebed4f81983543049bea7f92cd73a17be857d8465bbadfb9221cee33442ad

Download Submit
C:\Windows\{32D1E455-E571-48f7-91A0-5DCCAEE64267}.exe

Filesize
204KB

MD5
ba5315312ab600e0ff77242b91ca991e

SHA1
feae2627404d50560d40cb1564a9a339497d149f

SHA256
c3cd55d0bcd08c62dcb3102da38dd40f62e86418a4a0302520dc236c52d0e73f

SHA512
1c74382307f98b706b1559b51de70050de6c8373e247c0f0829bdb2c1fc0c885bb74cf9de17264a97dfb9731030b8c97e893233c1462bd7ef75a9db617af2dba

Download Submit
C:\Windows\{33FD9CAE-1DDF-4eff-8B4B-962619754E04}.exe

Filesize
204KB

MD5
0ff04856340f6fd910ba10d1835cc4fc

SHA1
6f6828264c327fab0ff312be4eebc5dd2a87ad96

SHA256
49fa83338dc967697cbb372df8cf0ab5637acbc047f06a91135ea3267b8f6e12

SHA512
6745928b0ea9cba39f78ceeac6c66917b9ec6612d80a5d430484a45c57608d94d249c984a2680ae04f343521f122e2408192bec396add04d41d3fbd805079927

Download Submit
C:\Windows\{35BE13D6-0C83-4f15-BF72-773EC9E88515}.exe

Filesize
204KB

MD5
4a149873abd20d9d8cd991543aacb7da

SHA1
be2f13a3ddf322d55b13634f6d05def957d28a2c

SHA256
d43769e269c88ee81c7bbff1e8a3f4a68692e0f0b8591dd67276ed3d064f574c

SHA512
c11e5d612e4c61a646a4795ecd8a14cc142657367f25af8e431f7a89f9c25b2acbdc9c41be6101a5eb1363c4d2f1e036b33d5aca3c77c935d64963d09854ae26

Download Submit
C:\Windows\{481E86D1-8BD4-4e81-978A-BC8CBCE97234}.exe

Filesize
204KB

MD5
a22f930c814ea54a694a2f34542ff059

SHA1
fda9747217bf4a525a849534dc77cdb40491c786

SHA256
c0ea7a77598324d567ab95661cda4bc3e928f5a7a10f26fb001335ae8f47206d

SHA512
c554020379af109cb697420c79a6b70810e01f2b4dfda39ac3dc881c0d3401b6fc560567a2a1eec556fe388eed21c8b85b30db11402afed15c81c50347f89cbb

Download Submit
C:\Windows\{52A689E1-DB73-43f9-8772-3295116BE92F}.exe

Filesize
204KB

MD5
25072f6f29bf4af1273f194475128ae8

SHA1
4251da33bc9d1af013f51c242147da7fb1cec859

SHA256
2cd0b897a011b8414a46e7fc979cc4253a0eaa31d714c9788dce024137e09083

SHA512
18aafe1d29782277ad201d922ad53a2724a7e9f84794f58ff63fba22df97c240b546ec299269b890351dfe021ea67f4af821ab488f8a531b11aab5c8ab3fbecd

Download Submit
C:\Windows\{5EB94056-BEFD-4a7b-B359-C6D6B037A432}.exe

Filesize
204KB

MD5
06b956e780996f471dac98df7153ec36

SHA1
66eb1e4b446c2dbc64282162a69383fbdfa9397e

SHA256
1dd118ac1f318a581caefc9669418e5809f32e0b5dddba40fa7ca59c62d2d2ca

SHA512
3b41aff3896946b6083a3f18fa9ff39028bca60ae69cdd0f087ef6a3f4c81c702c93d2ca887b92adcb9b9325e9ead20d251bcf39ffd89b16e2e94077c20e1453

Download Submit
C:\Windows\{D02433A3-B4E9-4753-A26B-35D91F1C5972}.exe

Filesize
204KB

MD5
75d8606f8197d28bfe464c43c4391ee0

SHA1
088c353c0415a763507a19675a6b14bf8e392d0e

SHA256
960787f68f2dfe0c8b35bea4be7c797fc431038e0d00378ffc9a27375bbedc2f

SHA512
d32b173c54e50e8ac1d5da80d5a89d96d77f2065c0c81befa7647729cdadc5a7bdd838e93cb5e6943a1c6efeba5cde81e402c3c91b8acb8eab5622ed5411bb81

Download Submit
C:\Windows\{E047F370-DD01-46ec-921D-7352D2EC1B75}.exe

Filesize
204KB

MD5
9f2c2af6df1ad53517a2b6edb5db088c

SHA1
e0cdd8035994c6c345079f41a399527ebc3dbfb5

SHA256
735b99002f4ec507c0492e34fdce58eacef37654dd9ef08cd2a27f65f10c0fd9

SHA512
17b347c290707e88eacc1f5803093e805ca3a45670bc120e832031cb4d6dd3098484e656d43ad9f467f0767444bad7367784298d6343fa4b48a90eccc0b6e163

Download Submit
C:\Windows\{E7BEF439-6EEF-4b12-8A68-ABAE268C0AAA}.exe

Filesize
204KB

MD5
aa65fae74cde603e078599975b272277

SHA1
24d6250954f765ae5598aad1abe2f6fab68e78ab

SHA256
ab80a943b4733b050092459360700f8c32eb740a0f0dc3c515d1bc16a5e3fce8

SHA512
15e680ecee75e94374b03dfaccd966c26f63eb04a70db216371701fb0c46cf9689ed6535eeb063f89297485efdd3b3a8f7b1f45fe5a55c219574d48de0ff30c4

Download Submit
C:\Windows\{FE3F7F91-64D3-425d-9041-9FE82BBC09F3}.exe

Filesize
204KB

MD5
3fc21b0469be881b4389158192262a08

SHA1
add0d250d5c21eeed13d943928be030b1ce0a725

SHA256
a5fddece01a3453fc828f90c2fd514c95e731fe2e87ac3abea4572da671288fc

SHA512
fb4ec62ef2890cce32df113af0eb62b9dcdb6ca28e7cde241f18618da902e9991983b814c9bb8f58dbb6297ac2df2771f58272b5f0316f0d8b2d146a9e0515fc

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads