d496819c36d895045dc62bacc4be623d9f84a9bfa8889f9bad978905c2ca7f50

Analysis

max time kernel
144s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
22/04/2024, 03:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d496819c36d895045dc62bacc4be623d9f84a9bfa8889f9bad978905c2ca7f50.exe
Size

408KB
MD5

a26f0a1827be1ecbd0cd62e8c3b6b07a
SHA1

ecf6efb8a8282fcc4546501470188ba803cdb23d
SHA256

d496819c36d895045dc62bacc4be623d9f84a9bfa8889f9bad978905c2ca7f50
SHA512

60a105dc5b52ce4940a945a34068cb9a66b5af3c16f36277ecfc4789062db9514c85da677f4d69650de366d8c442611c322f2c807701685438e0bff85efe9640
SSDEEP

3072:CEGh0o/l3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBft:CEGhldOe2MUVg3vTeKcAEciTBqr3jy9

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x0009000000016332-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000016c23-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f00000000f680-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a000000016332-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000016c23-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b000000016332-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a000000016c23-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000016332-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b000000016c23-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000016c90-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000016ca9-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{56041D2B-0042-48ef-BDBA-AB032447B796}	{416D9FA8-DD98-4f5e-953C-01B8C050CED5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AD6CA702-5FAB-4d5e-BC7D-2EF4A0D75E39}\stubpath = "C:\\Windows\\{AD6CA702-5FAB-4d5e-BC7D-2EF4A0D75E39}.exe"	{56041D2B-0042-48ef-BDBA-AB032447B796}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B22B1E15-6F92-4e85-B0C6-6714E3BB95E9}\stubpath = "C:\\Windows\\{B22B1E15-6F92-4e85-B0C6-6714E3BB95E9}.exe"	{1DEEDDBF-061E-4984-AC3E-A032CFD3D9EF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B64F98B4-1B5A-4fc3-9EA5-BD1E048A6E04}\stubpath = "C:\\Windows\\{B64F98B4-1B5A-4fc3-9EA5-BD1E048A6E04}.exe"	{B22B1E15-6F92-4e85-B0C6-6714E3BB95E9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{09072768-6A46-4ead-8345-40130F958B86}	d496819c36d895045dc62bacc4be623d9f84a9bfa8889f9bad978905c2ca7f50.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AF370D08-BE6C-4283-8124-ED58D3AB5359}	{F177E5E4-8CBF-494a-89A7-FA657AD635C8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{91E72917-FD30-422b-9323-B06235540C7C}	{AF370D08-BE6C-4283-8124-ED58D3AB5359}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{91E72917-FD30-422b-9323-B06235540C7C}\stubpath = "C:\\Windows\\{91E72917-FD30-422b-9323-B06235540C7C}.exe"	{AF370D08-BE6C-4283-8124-ED58D3AB5359}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1DEEDDBF-061E-4984-AC3E-A032CFD3D9EF}\stubpath = "C:\\Windows\\{1DEEDDBF-061E-4984-AC3E-A032CFD3D9EF}.exe"	{98973697-9A0F-45f0-B6A9-E5886C72A2C1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{416D9FA8-DD98-4f5e-953C-01B8C050CED5}	{09072768-6A46-4ead-8345-40130F958B86}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F177E5E4-8CBF-494a-89A7-FA657AD635C8}	{AD6CA702-5FAB-4d5e-BC7D-2EF4A0D75E39}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{98973697-9A0F-45f0-B6A9-E5886C72A2C1}\stubpath = "C:\\Windows\\{98973697-9A0F-45f0-B6A9-E5886C72A2C1}.exe"	{91E72917-FD30-422b-9323-B06235540C7C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B64F98B4-1B5A-4fc3-9EA5-BD1E048A6E04}	{B22B1E15-6F92-4e85-B0C6-6714E3BB95E9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{416D9FA8-DD98-4f5e-953C-01B8C050CED5}\stubpath = "C:\\Windows\\{416D9FA8-DD98-4f5e-953C-01B8C050CED5}.exe"	{09072768-6A46-4ead-8345-40130F958B86}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{56041D2B-0042-48ef-BDBA-AB032447B796}\stubpath = "C:\\Windows\\{56041D2B-0042-48ef-BDBA-AB032447B796}.exe"	{416D9FA8-DD98-4f5e-953C-01B8C050CED5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AD6CA702-5FAB-4d5e-BC7D-2EF4A0D75E39}	{56041D2B-0042-48ef-BDBA-AB032447B796}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F177E5E4-8CBF-494a-89A7-FA657AD635C8}\stubpath = "C:\\Windows\\{F177E5E4-8CBF-494a-89A7-FA657AD635C8}.exe"	{AD6CA702-5FAB-4d5e-BC7D-2EF4A0D75E39}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AF370D08-BE6C-4283-8124-ED58D3AB5359}\stubpath = "C:\\Windows\\{AF370D08-BE6C-4283-8124-ED58D3AB5359}.exe"	{F177E5E4-8CBF-494a-89A7-FA657AD635C8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{98973697-9A0F-45f0-B6A9-E5886C72A2C1}	{91E72917-FD30-422b-9323-B06235540C7C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1DEEDDBF-061E-4984-AC3E-A032CFD3D9EF}	{98973697-9A0F-45f0-B6A9-E5886C72A2C1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B22B1E15-6F92-4e85-B0C6-6714E3BB95E9}	{1DEEDDBF-061E-4984-AC3E-A032CFD3D9EF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{09072768-6A46-4ead-8345-40130F958B86}\stubpath = "C:\\Windows\\{09072768-6A46-4ead-8345-40130F958B86}.exe"	d496819c36d895045dc62bacc4be623d9f84a9bfa8889f9bad978905c2ca7f50.exe

Deletes itself 1 IoCs

pid	Process
3048	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2896	{09072768-6A46-4ead-8345-40130F958B86}.exe
2548	{416D9FA8-DD98-4f5e-953C-01B8C050CED5}.exe
2560	{56041D2B-0042-48ef-BDBA-AB032447B796}.exe
2856	{AD6CA702-5FAB-4d5e-BC7D-2EF4A0D75E39}.exe
1148	{F177E5E4-8CBF-494a-89A7-FA657AD635C8}.exe
2616	{AF370D08-BE6C-4283-8124-ED58D3AB5359}.exe
1652	{91E72917-FD30-422b-9323-B06235540C7C}.exe
1940	{98973697-9A0F-45f0-B6A9-E5886C72A2C1}.exe
1908	{1DEEDDBF-061E-4984-AC3E-A032CFD3D9EF}.exe
2268	{B22B1E15-6F92-4e85-B0C6-6714E3BB95E9}.exe
1384	{B64F98B4-1B5A-4fc3-9EA5-BD1E048A6E04}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{B64F98B4-1B5A-4fc3-9EA5-BD1E048A6E04}.exe	{B22B1E15-6F92-4e85-B0C6-6714E3BB95E9}.exe
File created	C:\Windows\{09072768-6A46-4ead-8345-40130F958B86}.exe	d496819c36d895045dc62bacc4be623d9f84a9bfa8889f9bad978905c2ca7f50.exe
File created	C:\Windows\{F177E5E4-8CBF-494a-89A7-FA657AD635C8}.exe	{AD6CA702-5FAB-4d5e-BC7D-2EF4A0D75E39}.exe
File created	C:\Windows\{AF370D08-BE6C-4283-8124-ED58D3AB5359}.exe	{F177E5E4-8CBF-494a-89A7-FA657AD635C8}.exe
File created	C:\Windows\{91E72917-FD30-422b-9323-B06235540C7C}.exe	{AF370D08-BE6C-4283-8124-ED58D3AB5359}.exe
File created	C:\Windows\{1DEEDDBF-061E-4984-AC3E-A032CFD3D9EF}.exe	{98973697-9A0F-45f0-B6A9-E5886C72A2C1}.exe
File created	C:\Windows\{B22B1E15-6F92-4e85-B0C6-6714E3BB95E9}.exe	{1DEEDDBF-061E-4984-AC3E-A032CFD3D9EF}.exe
File created	C:\Windows\{416D9FA8-DD98-4f5e-953C-01B8C050CED5}.exe	{09072768-6A46-4ead-8345-40130F958B86}.exe
File created	C:\Windows\{56041D2B-0042-48ef-BDBA-AB032447B796}.exe	{416D9FA8-DD98-4f5e-953C-01B8C050CED5}.exe
File created	C:\Windows\{AD6CA702-5FAB-4d5e-BC7D-2EF4A0D75E39}.exe	{56041D2B-0042-48ef-BDBA-AB032447B796}.exe
File created	C:\Windows\{98973697-9A0F-45f0-B6A9-E5886C72A2C1}.exe	{91E72917-FD30-422b-9323-B06235540C7C}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2504	d496819c36d895045dc62bacc4be623d9f84a9bfa8889f9bad978905c2ca7f50.exe
Token: SeIncBasePriorityPrivilege	2896	{09072768-6A46-4ead-8345-40130F958B86}.exe
Token: SeIncBasePriorityPrivilege	2548	{416D9FA8-DD98-4f5e-953C-01B8C050CED5}.exe
Token: SeIncBasePriorityPrivilege	2560	{56041D2B-0042-48ef-BDBA-AB032447B796}.exe
Token: SeIncBasePriorityPrivilege	2856	{AD6CA702-5FAB-4d5e-BC7D-2EF4A0D75E39}.exe
Token: SeIncBasePriorityPrivilege	1148	{F177E5E4-8CBF-494a-89A7-FA657AD635C8}.exe
Token: SeIncBasePriorityPrivilege	2616	{AF370D08-BE6C-4283-8124-ED58D3AB5359}.exe
Token: SeIncBasePriorityPrivilege	1652	{91E72917-FD30-422b-9323-B06235540C7C}.exe
Token: SeIncBasePriorityPrivilege	1940	{98973697-9A0F-45f0-B6A9-E5886C72A2C1}.exe
Token: SeIncBasePriorityPrivilege	1908	{1DEEDDBF-061E-4984-AC3E-A032CFD3D9EF}.exe
Token: SeIncBasePriorityPrivilege	2268	{B22B1E15-6F92-4e85-B0C6-6714E3BB95E9}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2504 wrote to memory of 2896	2504	d496819c36d895045dc62bacc4be623d9f84a9bfa8889f9bad978905c2ca7f50.exe	28
PID 2504 wrote to memory of 2896	2504	d496819c36d895045dc62bacc4be623d9f84a9bfa8889f9bad978905c2ca7f50.exe	28
PID 2504 wrote to memory of 2896	2504	d496819c36d895045dc62bacc4be623d9f84a9bfa8889f9bad978905c2ca7f50.exe	28
PID 2504 wrote to memory of 2896	2504	d496819c36d895045dc62bacc4be623d9f84a9bfa8889f9bad978905c2ca7f50.exe	28
PID 2504 wrote to memory of 3048	2504	d496819c36d895045dc62bacc4be623d9f84a9bfa8889f9bad978905c2ca7f50.exe	29
PID 2504 wrote to memory of 3048	2504	d496819c36d895045dc62bacc4be623d9f84a9bfa8889f9bad978905c2ca7f50.exe	29
PID 2504 wrote to memory of 3048	2504	d496819c36d895045dc62bacc4be623d9f84a9bfa8889f9bad978905c2ca7f50.exe	29
PID 2504 wrote to memory of 3048	2504	d496819c36d895045dc62bacc4be623d9f84a9bfa8889f9bad978905c2ca7f50.exe	29
PID 2896 wrote to memory of 2548	2896	{09072768-6A46-4ead-8345-40130F958B86}.exe	32
PID 2896 wrote to memory of 2548	2896	{09072768-6A46-4ead-8345-40130F958B86}.exe	32
PID 2896 wrote to memory of 2548	2896	{09072768-6A46-4ead-8345-40130F958B86}.exe	32
PID 2896 wrote to memory of 2548	2896	{09072768-6A46-4ead-8345-40130F958B86}.exe	32
PID 2896 wrote to memory of 2776	2896	{09072768-6A46-4ead-8345-40130F958B86}.exe	33
PID 2896 wrote to memory of 2776	2896	{09072768-6A46-4ead-8345-40130F958B86}.exe	33
PID 2896 wrote to memory of 2776	2896	{09072768-6A46-4ead-8345-40130F958B86}.exe	33
PID 2896 wrote to memory of 2776	2896	{09072768-6A46-4ead-8345-40130F958B86}.exe	33
PID 2548 wrote to memory of 2560	2548	{416D9FA8-DD98-4f5e-953C-01B8C050CED5}.exe	34
PID 2548 wrote to memory of 2560	2548	{416D9FA8-DD98-4f5e-953C-01B8C050CED5}.exe	34
PID 2548 wrote to memory of 2560	2548	{416D9FA8-DD98-4f5e-953C-01B8C050CED5}.exe	34
PID 2548 wrote to memory of 2560	2548	{416D9FA8-DD98-4f5e-953C-01B8C050CED5}.exe	34
PID 2548 wrote to memory of 2676	2548	{416D9FA8-DD98-4f5e-953C-01B8C050CED5}.exe	35
PID 2548 wrote to memory of 2676	2548	{416D9FA8-DD98-4f5e-953C-01B8C050CED5}.exe	35
PID 2548 wrote to memory of 2676	2548	{416D9FA8-DD98-4f5e-953C-01B8C050CED5}.exe	35
PID 2548 wrote to memory of 2676	2548	{416D9FA8-DD98-4f5e-953C-01B8C050CED5}.exe	35
PID 2560 wrote to memory of 2856	2560	{56041D2B-0042-48ef-BDBA-AB032447B796}.exe	36
PID 2560 wrote to memory of 2856	2560	{56041D2B-0042-48ef-BDBA-AB032447B796}.exe	36
PID 2560 wrote to memory of 2856	2560	{56041D2B-0042-48ef-BDBA-AB032447B796}.exe	36
PID 2560 wrote to memory of 2856	2560	{56041D2B-0042-48ef-BDBA-AB032447B796}.exe	36
PID 2560 wrote to memory of 3060	2560	{56041D2B-0042-48ef-BDBA-AB032447B796}.exe	37
PID 2560 wrote to memory of 3060	2560	{56041D2B-0042-48ef-BDBA-AB032447B796}.exe	37
PID 2560 wrote to memory of 3060	2560	{56041D2B-0042-48ef-BDBA-AB032447B796}.exe	37
PID 2560 wrote to memory of 3060	2560	{56041D2B-0042-48ef-BDBA-AB032447B796}.exe	37
PID 2856 wrote to memory of 1148	2856	{AD6CA702-5FAB-4d5e-BC7D-2EF4A0D75E39}.exe	38
PID 2856 wrote to memory of 1148	2856	{AD6CA702-5FAB-4d5e-BC7D-2EF4A0D75E39}.exe	38
PID 2856 wrote to memory of 1148	2856	{AD6CA702-5FAB-4d5e-BC7D-2EF4A0D75E39}.exe	38
PID 2856 wrote to memory of 1148	2856	{AD6CA702-5FAB-4d5e-BC7D-2EF4A0D75E39}.exe	38
PID 2856 wrote to memory of 1916	2856	{AD6CA702-5FAB-4d5e-BC7D-2EF4A0D75E39}.exe	39
PID 2856 wrote to memory of 1916	2856	{AD6CA702-5FAB-4d5e-BC7D-2EF4A0D75E39}.exe	39
PID 2856 wrote to memory of 1916	2856	{AD6CA702-5FAB-4d5e-BC7D-2EF4A0D75E39}.exe	39
PID 2856 wrote to memory of 1916	2856	{AD6CA702-5FAB-4d5e-BC7D-2EF4A0D75E39}.exe	39
PID 1148 wrote to memory of 2616	1148	{F177E5E4-8CBF-494a-89A7-FA657AD635C8}.exe	40
PID 1148 wrote to memory of 2616	1148	{F177E5E4-8CBF-494a-89A7-FA657AD635C8}.exe	40
PID 1148 wrote to memory of 2616	1148	{F177E5E4-8CBF-494a-89A7-FA657AD635C8}.exe	40
PID 1148 wrote to memory of 2616	1148	{F177E5E4-8CBF-494a-89A7-FA657AD635C8}.exe	40
PID 1148 wrote to memory of 1904	1148	{F177E5E4-8CBF-494a-89A7-FA657AD635C8}.exe	41
PID 1148 wrote to memory of 1904	1148	{F177E5E4-8CBF-494a-89A7-FA657AD635C8}.exe	41
PID 1148 wrote to memory of 1904	1148	{F177E5E4-8CBF-494a-89A7-FA657AD635C8}.exe	41
PID 1148 wrote to memory of 1904	1148	{F177E5E4-8CBF-494a-89A7-FA657AD635C8}.exe	41
PID 2616 wrote to memory of 1652	2616	{AF370D08-BE6C-4283-8124-ED58D3AB5359}.exe	42
PID 2616 wrote to memory of 1652	2616	{AF370D08-BE6C-4283-8124-ED58D3AB5359}.exe	42
PID 2616 wrote to memory of 1652	2616	{AF370D08-BE6C-4283-8124-ED58D3AB5359}.exe	42
PID 2616 wrote to memory of 1652	2616	{AF370D08-BE6C-4283-8124-ED58D3AB5359}.exe	42
PID 2616 wrote to memory of 832	2616	{AF370D08-BE6C-4283-8124-ED58D3AB5359}.exe	43
PID 2616 wrote to memory of 832	2616	{AF370D08-BE6C-4283-8124-ED58D3AB5359}.exe	43
PID 2616 wrote to memory of 832	2616	{AF370D08-BE6C-4283-8124-ED58D3AB5359}.exe	43
PID 2616 wrote to memory of 832	2616	{AF370D08-BE6C-4283-8124-ED58D3AB5359}.exe	43
PID 1652 wrote to memory of 1940	1652	{91E72917-FD30-422b-9323-B06235540C7C}.exe	44
PID 1652 wrote to memory of 1940	1652	{91E72917-FD30-422b-9323-B06235540C7C}.exe	44
PID 1652 wrote to memory of 1940	1652	{91E72917-FD30-422b-9323-B06235540C7C}.exe	44
PID 1652 wrote to memory of 1940	1652	{91E72917-FD30-422b-9323-B06235540C7C}.exe	44
PID 1652 wrote to memory of 2016	1652	{91E72917-FD30-422b-9323-B06235540C7C}.exe	45
PID 1652 wrote to memory of 2016	1652	{91E72917-FD30-422b-9323-B06235540C7C}.exe	45
PID 1652 wrote to memory of 2016	1652	{91E72917-FD30-422b-9323-B06235540C7C}.exe	45
PID 1652 wrote to memory of 2016	1652	{91E72917-FD30-422b-9323-B06235540C7C}.exe	45

C:\Users\Admin\AppData\Local\Temp\d496819c36d895045dc62bacc4be623d9f84a9bfa8889f9bad978905c2ca7f50.exe
"C:\Users\Admin\AppData\Local\Temp\d496819c36d895045dc62bacc4be623d9f84a9bfa8889f9bad978905c2ca7f50.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2504
- C:\Windows\{09072768-6A46-4ead-8345-40130F958B86}.exe
  C:\Windows\{09072768-6A46-4ead-8345-40130F958B86}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2896
- - C:\Windows\{416D9FA8-DD98-4f5e-953C-01B8C050CED5}.exe
    C:\Windows\{416D9FA8-DD98-4f5e-953C-01B8C050CED5}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2548
  - - C:\Windows\{56041D2B-0042-48ef-BDBA-AB032447B796}.exe
      C:\Windows\{56041D2B-0042-48ef-BDBA-AB032447B796}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2560
    - - C:\Windows\{AD6CA702-5FAB-4d5e-BC7D-2EF4A0D75E39}.exe
        
        C:\Windows\{AD6CA702-5FAB-4d5e-BC7D-2EF4A0D75E39}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2856
      - C:\Windows\{F177E5E4-8CBF-494a-89A7-FA657AD635C8}.exe
        
        C:\Windows\{F177E5E4-8CBF-494a-89A7-FA657AD635C8}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1148
        
        C:\Windows\{AF370D08-BE6C-4283-8124-ED58D3AB5359}.exe
        
        C:\Windows\{AF370D08-BE6C-4283-8124-ED58D3AB5359}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2616
        
        C:\Windows\{91E72917-FD30-422b-9323-B06235540C7C}.exe
        
        C:\Windows\{91E72917-FD30-422b-9323-B06235540C7C}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1652
        
        C:\Windows\{98973697-9A0F-45f0-B6A9-E5886C72A2C1}.exe
        
        C:\Windows\{98973697-9A0F-45f0-B6A9-E5886C72A2C1}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1940
        
        C:\Windows\{1DEEDDBF-061E-4984-AC3E-A032CFD3D9EF}.exe
        
        C:\Windows\{1DEEDDBF-061E-4984-AC3E-A032CFD3D9EF}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1908
        
        C:\Windows\{B22B1E15-6F92-4e85-B0C6-6714E3BB95E9}.exe
        
        C:\Windows\{B22B1E15-6F92-4e85-B0C6-6714E3BB95E9}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2268
        
        C:\Windows\{B64F98B4-1B5A-4fc3-9EA5-BD1E048A6E04}.exe
        
        C:\Windows\{B64F98B4-1B5A-4fc3-9EA5-BD1E048A6E04}.exe
        12⤵
        Executes dropped EXE
        
        PID:1384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B22B1~1.EXE > nul
        12⤵
        
        PID:768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1DEED~1.EXE > nul
        11⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{98973~1.EXE > nul
        10⤵
        
        PID:1820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{91E72~1.EXE > nul
        9⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AF370~1.EXE > nul
        8⤵
        
        PID:832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F177E~1.EXE > nul
        7⤵
        
        PID:1904
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AD6CA~1.EXE > nul
        6⤵
        
        PID:1916
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{56041~1.EXE > nul
        5⤵
        
        PID:3060
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{416D9~1.EXE > nul
      4⤵
      PID:2676
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{09072~1.EXE > nul
    3⤵
    PID:2776
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\D49681~1.EXE > nul
  2⤵
  - Deletes itself
  PID:3048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{09072768-6A46-4ead-8345-40130F958B86}.exe

Filesize
408KB

MD5
5da417e7e797cd6aabc8d9c73d6b02ff

SHA1
c894a9b17bfcdc99cb4cf1f07070b40f6d9afad7

SHA256
a147ca77a1988c265341540398e7d77323130065684847692b136c4886b2cefe

SHA512
4b1e9fcd40a27270752b74a9a82fc4f968526ecf66b1798415922f458edc4360803b5ba95b5aa439de406ce36f221e363a815a192f26680777a51db916efb588

Download Submit
C:\Windows\{1DEEDDBF-061E-4984-AC3E-A032CFD3D9EF}.exe

Filesize
408KB

MD5
0cc7bc31228529454de8086820b9c241

SHA1
e686fc3683414d0c8f6a7cda2184c8785bcc7d25

SHA256
54ba6a23426727091e088756460970bb1ee3a5da2cff176f96a06372102bd9e5

SHA512
50fccfa138f09a99dfb0e775379597e264d6f5d7493523eecca2e209b9b7fc187beda32bc3301a4456cb4eba37ca2a97ffe94dffb403f0e6a9fa85fce6442117

Download Submit
C:\Windows\{416D9FA8-DD98-4f5e-953C-01B8C050CED5}.exe

Filesize
408KB

MD5
4707ab06298718a0e5ba1a20313092e0

SHA1
c1477752452dd734ada0a9413d20c2bcc55d8d69

SHA256
3dfb4eb46901656a7f31bbb802020a488f83d76b15310182fc89c12b50a61dcc

SHA512
1199cbe0462c13f749ade0ae252bf3911149e4a7a6990e260dadd5d3aa8e36e8f365c97722b0107a54fcb2e9f03509ed3e8e8859f62068d5ab74b0e9cf99efce

Download Submit
C:\Windows\{56041D2B-0042-48ef-BDBA-AB032447B796}.exe

Filesize
408KB

MD5
6d1c50cd3856543b36da02b7e68fb37b

SHA1
69412ae063157739dad15be930a66b4288cf47bf

SHA256
de515d118316c93e9ecca900d3dcb73f7a1ae5ed9b409836a7eb71025fe109e8

SHA512
e89d6310dac0a49965c53334a765790dcdc8d66b9409de9c83e06ecd72a0ebc3aa0d131133149da933e8c2d13cb7162155f383312be679cacd8fbd26679526be

Download Submit
C:\Windows\{91E72917-FD30-422b-9323-B06235540C7C}.exe

Filesize
408KB

MD5
fc28490372a994fce740e68ab834100d

SHA1
dac800d740114cbc0dea821c8916cc86a3befed3

SHA256
629e1e903c3cb82970c0b8174e905d0f8e2259e342bff0cf2b4aa08150fb3fb0

SHA512
6a3ddec8c180d904528596b8917db35848c162d845cdc5c48cb236275ecb5636e08a449b07be386dd87f4814972bd3a1dc2aeda01c0223590405ae4939a37778

Download Submit
C:\Windows\{98973697-9A0F-45f0-B6A9-E5886C72A2C1}.exe

Filesize
408KB

MD5
339a4be81f66c0fc77de3e4bc4f91b47

SHA1
432352eb185f63e717137c87d4cb788756b03cac

SHA256
e7c5b3b68c813cddf84cf618449cea037934bf6c75792aabbad41d77adbf0040

SHA512
80ba938bff5a849875b72f5ec2b699a7f62332aa982ddfc7a96e4a3d3139bf8eecea9c1917109224da06671ba99306865b3a0eb61e6f3d67ddf552b87369defa

Download Submit
C:\Windows\{AD6CA702-5FAB-4d5e-BC7D-2EF4A0D75E39}.exe

Filesize
408KB

MD5
acc8e96e90fb38263644f051ae24b2db

SHA1
f956986b85e3b83242b70682f41bcd05e7c9b81c

SHA256
f63fdcb0f71b8f35c3049412158accf695f8b53b438ca59f2657d2f159a36411

SHA512
972f9c79cf2e697379640e90f1bc7913e8d9c43096c1c89a35f0003d1b9451bb07eb1dc7fa1e786390d632dd188d42fef72cb1ed49c5bdf0674f9471e0cb2400

Download Submit
C:\Windows\{AF370D08-BE6C-4283-8124-ED58D3AB5359}.exe

Filesize
408KB

MD5
44ab48d90b128978c0cd7dcb6dd98eeb

SHA1
1ccab73456e30a5d53afc561d96f56bd935f3cf8

SHA256
d708df10bcd491ca6877ae270d3f19f64362e344098de834aded5a4b41e64f31

SHA512
df7adf8c0266e694e016d7a2e0a99d7094a434cba6749eed365c9e10c6d13c824be7e39bada0d86ee718a54e1a85af89747c8de69b0c96f97859d59700f9e3f6

Download Submit
C:\Windows\{B22B1E15-6F92-4e85-B0C6-6714E3BB95E9}.exe

Filesize
408KB

MD5
76b72c4558635d506dca4c8951633925

SHA1
a0d67e719a1827497d76febd8b11ef5a093b3440

SHA256
da49f6faecb9a6b03b3dfbaab345bacc62cd8a8cb2799d8a3dc5a09fb529e738

SHA512
e9049a2272a7286ce6f89458247e41f526b24dd699125bae23f2416f68b0ab212e2b61ab4708b9148b86eed1085446fd351a4d5693ab7cac8b30659342aacb84

Download Submit
C:\Windows\{B64F98B4-1B5A-4fc3-9EA5-BD1E048A6E04}.exe

Filesize
408KB

MD5
41438d9708c54dd510a982083e76b4b0

SHA1
7d934916ad0c5e884579d659f1b184e6dabcb082

SHA256
89d2a8d7b5eccde78bad0ccb772d54d77766306916361ab99462075e28873335

SHA512
3984fa57dae0b1d8f9456e5c35d0d116f723d679f1abce6e0f222e8925bd605cbde839a85cb2a42cdb0e444626008e87c3bdd703602fe2d74ac9a6b9e05f1b61

Download Submit
C:\Windows\{F177E5E4-8CBF-494a-89A7-FA657AD635C8}.exe

Filesize
408KB

MD5
212852d015e05bc8c19dab74d9cabea4

SHA1
dcc6ff720ab8244c2aebd314dd7f5a67fc1c0fb3

SHA256
a8438197147102f0325a6c8ad5e36213a6aa56f3d5d7e8ab769f70d58da58824

SHA512
58a2f452579302760a5394111a6ef055ac15d5e7b6e11249ae0ef0b2c4ebb728e1c31f13489a262d74ea4e0ef27eab050aa8bf44face98580d4253cb0ba455b9

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads