cf4bb03d0a91d5b001112dd9f3d27551f4bf929396a77e52fa81f9a73458a80e

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
22-04-2024 09:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-22_f6995c6e1d471d0848c655728e62e179_goldeneye.exe
Size

180KB
MD5

f6995c6e1d471d0848c655728e62e179
SHA1

1666f41ded2aea7433d40dc88c8f50807c48177b
SHA256

cf4bb03d0a91d5b001112dd9f3d27551f4bf929396a77e52fa81f9a73458a80e
SHA512

83082f8d66ca10c6cba5bd7032e3ec25fec1bd816127bd087a67d425b465edf3bb13d383cc16776c6fe9a1b9b0432a235f03bc6d0c3a0da115bdf88fa4f8aa3a
SSDEEP

3072:jEGh0oQlfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGWl5eKcAEc

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000b00000001224c-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000014267-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f00000000f680-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e000000014267-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001000000000f680-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f000000014267-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001100000000f680-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0010000000014267-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001200000000f680-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0011000000014267-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001300000000f680-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9492C0FC-55A3-4066-8E16-4CC689766183}	{F4F57471-BD8E-441b-B653-6CDD773D930A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BCB2A7B7-4EE5-4810-B882-90750BF46CBC}	{655F650D-7827-4f76-8A1D-FA0996002771}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BCB2A7B7-4EE5-4810-B882-90750BF46CBC}\stubpath = "C:\\Windows\\{BCB2A7B7-4EE5-4810-B882-90750BF46CBC}.exe"	{655F650D-7827-4f76-8A1D-FA0996002771}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{237525E1-7B28-4d19-9092-E9F068AACD56}\stubpath = "C:\\Windows\\{237525E1-7B28-4d19-9092-E9F068AACD56}.exe"	{A4D1A7C5-B40F-4ae3-8FB8-595EF4E94467}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5A0D0CE3-C4BF-4ff8-B3A3-0993D61147F9}\stubpath = "C:\\Windows\\{5A0D0CE3-C4BF-4ff8-B3A3-0993D61147F9}.exe"	{237525E1-7B28-4d19-9092-E9F068AACD56}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{76090E2A-239D-47ac-816C-21BA9EC90E34}	{5A0D0CE3-C4BF-4ff8-B3A3-0993D61147F9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1E22FC7A-B084-426d-AAD2-7CD66261AD9D}	{76090E2A-239D-47ac-816C-21BA9EC90E34}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3EF926D1-26DD-4186-8234-89BF1D770AA7}\stubpath = "C:\\Windows\\{3EF926D1-26DD-4186-8234-89BF1D770AA7}.exe"	{C739B15A-DF2A-43c6-A3D4-79C3C1BA7BAB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A4D1A7C5-B40F-4ae3-8FB8-595EF4E94467}\stubpath = "C:\\Windows\\{A4D1A7C5-B40F-4ae3-8FB8-595EF4E94467}.exe"	{BCB2A7B7-4EE5-4810-B882-90750BF46CBC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1E22FC7A-B084-426d-AAD2-7CD66261AD9D}\stubpath = "C:\\Windows\\{1E22FC7A-B084-426d-AAD2-7CD66261AD9D}.exe"	{76090E2A-239D-47ac-816C-21BA9EC90E34}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F4F57471-BD8E-441b-B653-6CDD773D930A}	2024-04-22_f6995c6e1d471d0848c655728e62e179_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9492C0FC-55A3-4066-8E16-4CC689766183}\stubpath = "C:\\Windows\\{9492C0FC-55A3-4066-8E16-4CC689766183}.exe"	{F4F57471-BD8E-441b-B653-6CDD773D930A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{655F650D-7827-4f76-8A1D-FA0996002771}	{3EF926D1-26DD-4186-8234-89BF1D770AA7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A4D1A7C5-B40F-4ae3-8FB8-595EF4E94467}	{BCB2A7B7-4EE5-4810-B882-90750BF46CBC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5A0D0CE3-C4BF-4ff8-B3A3-0993D61147F9}	{237525E1-7B28-4d19-9092-E9F068AACD56}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F4F57471-BD8E-441b-B653-6CDD773D930A}\stubpath = "C:\\Windows\\{F4F57471-BD8E-441b-B653-6CDD773D930A}.exe"	2024-04-22_f6995c6e1d471d0848c655728e62e179_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C739B15A-DF2A-43c6-A3D4-79C3C1BA7BAB}	{9492C0FC-55A3-4066-8E16-4CC689766183}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C739B15A-DF2A-43c6-A3D4-79C3C1BA7BAB}\stubpath = "C:\\Windows\\{C739B15A-DF2A-43c6-A3D4-79C3C1BA7BAB}.exe"	{9492C0FC-55A3-4066-8E16-4CC689766183}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3EF926D1-26DD-4186-8234-89BF1D770AA7}	{C739B15A-DF2A-43c6-A3D4-79C3C1BA7BAB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{655F650D-7827-4f76-8A1D-FA0996002771}\stubpath = "C:\\Windows\\{655F650D-7827-4f76-8A1D-FA0996002771}.exe"	{3EF926D1-26DD-4186-8234-89BF1D770AA7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{237525E1-7B28-4d19-9092-E9F068AACD56}	{A4D1A7C5-B40F-4ae3-8FB8-595EF4E94467}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{76090E2A-239D-47ac-816C-21BA9EC90E34}\stubpath = "C:\\Windows\\{76090E2A-239D-47ac-816C-21BA9EC90E34}.exe"	{5A0D0CE3-C4BF-4ff8-B3A3-0993D61147F9}.exe

Deletes itself 1 IoCs

pid	Process
1720	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
1384	{F4F57471-BD8E-441b-B653-6CDD773D930A}.exe
2880	{9492C0FC-55A3-4066-8E16-4CC689766183}.exe
2632	{C739B15A-DF2A-43c6-A3D4-79C3C1BA7BAB}.exe
2396	{3EF926D1-26DD-4186-8234-89BF1D770AA7}.exe
472	{655F650D-7827-4f76-8A1D-FA0996002771}.exe
1344	{BCB2A7B7-4EE5-4810-B882-90750BF46CBC}.exe
1780	{A4D1A7C5-B40F-4ae3-8FB8-595EF4E94467}.exe
620	{237525E1-7B28-4d19-9092-E9F068AACD56}.exe
1764	{5A0D0CE3-C4BF-4ff8-B3A3-0993D61147F9}.exe
1636	{76090E2A-239D-47ac-816C-21BA9EC90E34}.exe
2228	{1E22FC7A-B084-426d-AAD2-7CD66261AD9D}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{F4F57471-BD8E-441b-B653-6CDD773D930A}.exe	2024-04-22_f6995c6e1d471d0848c655728e62e179_goldeneye.exe
File created	C:\Windows\{9492C0FC-55A3-4066-8E16-4CC689766183}.exe	{F4F57471-BD8E-441b-B653-6CDD773D930A}.exe
File created	C:\Windows\{C739B15A-DF2A-43c6-A3D4-79C3C1BA7BAB}.exe	{9492C0FC-55A3-4066-8E16-4CC689766183}.exe
File created	C:\Windows\{3EF926D1-26DD-4186-8234-89BF1D770AA7}.exe	{C739B15A-DF2A-43c6-A3D4-79C3C1BA7BAB}.exe
File created	C:\Windows\{A4D1A7C5-B40F-4ae3-8FB8-595EF4E94467}.exe	{BCB2A7B7-4EE5-4810-B882-90750BF46CBC}.exe
File created	C:\Windows\{237525E1-7B28-4d19-9092-E9F068AACD56}.exe	{A4D1A7C5-B40F-4ae3-8FB8-595EF4E94467}.exe
File created	C:\Windows\{5A0D0CE3-C4BF-4ff8-B3A3-0993D61147F9}.exe	{237525E1-7B28-4d19-9092-E9F068AACD56}.exe
File created	C:\Windows\{1E22FC7A-B084-426d-AAD2-7CD66261AD9D}.exe	{76090E2A-239D-47ac-816C-21BA9EC90E34}.exe
File created	C:\Windows\{655F650D-7827-4f76-8A1D-FA0996002771}.exe	{3EF926D1-26DD-4186-8234-89BF1D770AA7}.exe
File created	C:\Windows\{BCB2A7B7-4EE5-4810-B882-90750BF46CBC}.exe	{655F650D-7827-4f76-8A1D-FA0996002771}.exe
File created	C:\Windows\{76090E2A-239D-47ac-816C-21BA9EC90E34}.exe	{5A0D0CE3-C4BF-4ff8-B3A3-0993D61147F9}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2032	2024-04-22_f6995c6e1d471d0848c655728e62e179_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1384	{F4F57471-BD8E-441b-B653-6CDD773D930A}.exe
Token: SeIncBasePriorityPrivilege	2880	{9492C0FC-55A3-4066-8E16-4CC689766183}.exe
Token: SeIncBasePriorityPrivilege	2632	{C739B15A-DF2A-43c6-A3D4-79C3C1BA7BAB}.exe
Token: SeIncBasePriorityPrivilege	2396	{3EF926D1-26DD-4186-8234-89BF1D770AA7}.exe
Token: SeIncBasePriorityPrivilege	472	{655F650D-7827-4f76-8A1D-FA0996002771}.exe
Token: SeIncBasePriorityPrivilege	1344	{BCB2A7B7-4EE5-4810-B882-90750BF46CBC}.exe
Token: SeIncBasePriorityPrivilege	1780	{A4D1A7C5-B40F-4ae3-8FB8-595EF4E94467}.exe
Token: SeIncBasePriorityPrivilege	620	{237525E1-7B28-4d19-9092-E9F068AACD56}.exe
Token: SeIncBasePriorityPrivilege	1764	{5A0D0CE3-C4BF-4ff8-B3A3-0993D61147F9}.exe
Token: SeIncBasePriorityPrivilege	1636	{76090E2A-239D-47ac-816C-21BA9EC90E34}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2032 wrote to memory of 1384	2032	2024-04-22_f6995c6e1d471d0848c655728e62e179_goldeneye.exe	28
PID 2032 wrote to memory of 1384	2032	2024-04-22_f6995c6e1d471d0848c655728e62e179_goldeneye.exe	28
PID 2032 wrote to memory of 1384	2032	2024-04-22_f6995c6e1d471d0848c655728e62e179_goldeneye.exe	28
PID 2032 wrote to memory of 1384	2032	2024-04-22_f6995c6e1d471d0848c655728e62e179_goldeneye.exe	28
PID 2032 wrote to memory of 1720	2032	2024-04-22_f6995c6e1d471d0848c655728e62e179_goldeneye.exe	29
PID 2032 wrote to memory of 1720	2032	2024-04-22_f6995c6e1d471d0848c655728e62e179_goldeneye.exe	29
PID 2032 wrote to memory of 1720	2032	2024-04-22_f6995c6e1d471d0848c655728e62e179_goldeneye.exe	29
PID 2032 wrote to memory of 1720	2032	2024-04-22_f6995c6e1d471d0848c655728e62e179_goldeneye.exe	29
PID 1384 wrote to memory of 2880	1384	{F4F57471-BD8E-441b-B653-6CDD773D930A}.exe	30
PID 1384 wrote to memory of 2880	1384	{F4F57471-BD8E-441b-B653-6CDD773D930A}.exe	30
PID 1384 wrote to memory of 2880	1384	{F4F57471-BD8E-441b-B653-6CDD773D930A}.exe	30
PID 1384 wrote to memory of 2880	1384	{F4F57471-BD8E-441b-B653-6CDD773D930A}.exe	30
PID 1384 wrote to memory of 2504	1384	{F4F57471-BD8E-441b-B653-6CDD773D930A}.exe	31
PID 1384 wrote to memory of 2504	1384	{F4F57471-BD8E-441b-B653-6CDD773D930A}.exe	31
PID 1384 wrote to memory of 2504	1384	{F4F57471-BD8E-441b-B653-6CDD773D930A}.exe	31
PID 1384 wrote to memory of 2504	1384	{F4F57471-BD8E-441b-B653-6CDD773D930A}.exe	31
PID 2880 wrote to memory of 2632	2880	{9492C0FC-55A3-4066-8E16-4CC689766183}.exe	34
PID 2880 wrote to memory of 2632	2880	{9492C0FC-55A3-4066-8E16-4CC689766183}.exe	34
PID 2880 wrote to memory of 2632	2880	{9492C0FC-55A3-4066-8E16-4CC689766183}.exe	34
PID 2880 wrote to memory of 2632	2880	{9492C0FC-55A3-4066-8E16-4CC689766183}.exe	34
PID 2880 wrote to memory of 2640	2880	{9492C0FC-55A3-4066-8E16-4CC689766183}.exe	35
PID 2880 wrote to memory of 2640	2880	{9492C0FC-55A3-4066-8E16-4CC689766183}.exe	35
PID 2880 wrote to memory of 2640	2880	{9492C0FC-55A3-4066-8E16-4CC689766183}.exe	35
PID 2880 wrote to memory of 2640	2880	{9492C0FC-55A3-4066-8E16-4CC689766183}.exe	35
PID 2632 wrote to memory of 2396	2632	{C739B15A-DF2A-43c6-A3D4-79C3C1BA7BAB}.exe	36
PID 2632 wrote to memory of 2396	2632	{C739B15A-DF2A-43c6-A3D4-79C3C1BA7BAB}.exe	36
PID 2632 wrote to memory of 2396	2632	{C739B15A-DF2A-43c6-A3D4-79C3C1BA7BAB}.exe	36
PID 2632 wrote to memory of 2396	2632	{C739B15A-DF2A-43c6-A3D4-79C3C1BA7BAB}.exe	36
PID 2632 wrote to memory of 2496	2632	{C739B15A-DF2A-43c6-A3D4-79C3C1BA7BAB}.exe	37
PID 2632 wrote to memory of 2496	2632	{C739B15A-DF2A-43c6-A3D4-79C3C1BA7BAB}.exe	37
PID 2632 wrote to memory of 2496	2632	{C739B15A-DF2A-43c6-A3D4-79C3C1BA7BAB}.exe	37
PID 2632 wrote to memory of 2496	2632	{C739B15A-DF2A-43c6-A3D4-79C3C1BA7BAB}.exe	37
PID 2396 wrote to memory of 472	2396	{3EF926D1-26DD-4186-8234-89BF1D770AA7}.exe	38
PID 2396 wrote to memory of 472	2396	{3EF926D1-26DD-4186-8234-89BF1D770AA7}.exe	38
PID 2396 wrote to memory of 472	2396	{3EF926D1-26DD-4186-8234-89BF1D770AA7}.exe	38
PID 2396 wrote to memory of 472	2396	{3EF926D1-26DD-4186-8234-89BF1D770AA7}.exe	38
PID 2396 wrote to memory of 788	2396	{3EF926D1-26DD-4186-8234-89BF1D770AA7}.exe	39
PID 2396 wrote to memory of 788	2396	{3EF926D1-26DD-4186-8234-89BF1D770AA7}.exe	39
PID 2396 wrote to memory of 788	2396	{3EF926D1-26DD-4186-8234-89BF1D770AA7}.exe	39
PID 2396 wrote to memory of 788	2396	{3EF926D1-26DD-4186-8234-89BF1D770AA7}.exe	39
PID 472 wrote to memory of 1344	472	{655F650D-7827-4f76-8A1D-FA0996002771}.exe	40
PID 472 wrote to memory of 1344	472	{655F650D-7827-4f76-8A1D-FA0996002771}.exe	40
PID 472 wrote to memory of 1344	472	{655F650D-7827-4f76-8A1D-FA0996002771}.exe	40
PID 472 wrote to memory of 1344	472	{655F650D-7827-4f76-8A1D-FA0996002771}.exe	40
PID 472 wrote to memory of 1372	472	{655F650D-7827-4f76-8A1D-FA0996002771}.exe	41
PID 472 wrote to memory of 1372	472	{655F650D-7827-4f76-8A1D-FA0996002771}.exe	41
PID 472 wrote to memory of 1372	472	{655F650D-7827-4f76-8A1D-FA0996002771}.exe	41
PID 472 wrote to memory of 1372	472	{655F650D-7827-4f76-8A1D-FA0996002771}.exe	41
PID 1344 wrote to memory of 1780	1344	{BCB2A7B7-4EE5-4810-B882-90750BF46CBC}.exe	42
PID 1344 wrote to memory of 1780	1344	{BCB2A7B7-4EE5-4810-B882-90750BF46CBC}.exe	42
PID 1344 wrote to memory of 1780	1344	{BCB2A7B7-4EE5-4810-B882-90750BF46CBC}.exe	42
PID 1344 wrote to memory of 1780	1344	{BCB2A7B7-4EE5-4810-B882-90750BF46CBC}.exe	42
PID 1344 wrote to memory of 748	1344	{BCB2A7B7-4EE5-4810-B882-90750BF46CBC}.exe	43
PID 1344 wrote to memory of 748	1344	{BCB2A7B7-4EE5-4810-B882-90750BF46CBC}.exe	43
PID 1344 wrote to memory of 748	1344	{BCB2A7B7-4EE5-4810-B882-90750BF46CBC}.exe	43
PID 1344 wrote to memory of 748	1344	{BCB2A7B7-4EE5-4810-B882-90750BF46CBC}.exe	43
PID 1780 wrote to memory of 620	1780	{A4D1A7C5-B40F-4ae3-8FB8-595EF4E94467}.exe	44
PID 1780 wrote to memory of 620	1780	{A4D1A7C5-B40F-4ae3-8FB8-595EF4E94467}.exe	44
PID 1780 wrote to memory of 620	1780	{A4D1A7C5-B40F-4ae3-8FB8-595EF4E94467}.exe	44
PID 1780 wrote to memory of 620	1780	{A4D1A7C5-B40F-4ae3-8FB8-595EF4E94467}.exe	44
PID 1780 wrote to memory of 1084	1780	{A4D1A7C5-B40F-4ae3-8FB8-595EF4E94467}.exe	45
PID 1780 wrote to memory of 1084	1780	{A4D1A7C5-B40F-4ae3-8FB8-595EF4E94467}.exe	45
PID 1780 wrote to memory of 1084	1780	{A4D1A7C5-B40F-4ae3-8FB8-595EF4E94467}.exe	45
PID 1780 wrote to memory of 1084	1780	{A4D1A7C5-B40F-4ae3-8FB8-595EF4E94467}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-04-22_f6995c6e1d471d0848c655728e62e179_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-22_f6995c6e1d471d0848c655728e62e179_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2032
- C:\Windows\{F4F57471-BD8E-441b-B653-6CDD773D930A}.exe
  C:\Windows\{F4F57471-BD8E-441b-B653-6CDD773D930A}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1384
- - C:\Windows\{9492C0FC-55A3-4066-8E16-4CC689766183}.exe
    C:\Windows\{9492C0FC-55A3-4066-8E16-4CC689766183}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2880
  - - C:\Windows\{C739B15A-DF2A-43c6-A3D4-79C3C1BA7BAB}.exe
      C:\Windows\{C739B15A-DF2A-43c6-A3D4-79C3C1BA7BAB}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2632
    - - C:\Windows\{3EF926D1-26DD-4186-8234-89BF1D770AA7}.exe
        
        C:\Windows\{3EF926D1-26DD-4186-8234-89BF1D770AA7}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2396
      - C:\Windows\{655F650D-7827-4f76-8A1D-FA0996002771}.exe
        
        C:\Windows\{655F650D-7827-4f76-8A1D-FA0996002771}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:472
        
        C:\Windows\{BCB2A7B7-4EE5-4810-B882-90750BF46CBC}.exe
        
        C:\Windows\{BCB2A7B7-4EE5-4810-B882-90750BF46CBC}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1344
        
        C:\Windows\{A4D1A7C5-B40F-4ae3-8FB8-595EF4E94467}.exe
        
        C:\Windows\{A4D1A7C5-B40F-4ae3-8FB8-595EF4E94467}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1780
        
        C:\Windows\{237525E1-7B28-4d19-9092-E9F068AACD56}.exe
        
        C:\Windows\{237525E1-7B28-4d19-9092-E9F068AACD56}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:620
        
        C:\Windows\{5A0D0CE3-C4BF-4ff8-B3A3-0993D61147F9}.exe
        
        C:\Windows\{5A0D0CE3-C4BF-4ff8-B3A3-0993D61147F9}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1764
        
        C:\Windows\{76090E2A-239D-47ac-816C-21BA9EC90E34}.exe
        
        C:\Windows\{76090E2A-239D-47ac-816C-21BA9EC90E34}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1636
        
        C:\Windows\{1E22FC7A-B084-426d-AAD2-7CD66261AD9D}.exe
        
        C:\Windows\{1E22FC7A-B084-426d-AAD2-7CD66261AD9D}.exe
        12⤵
        Executes dropped EXE
        
        PID:2228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{76090~1.EXE > nul
        12⤵
        
        PID:1880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5A0D0~1.EXE > nul
        11⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{23752~1.EXE > nul
        10⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A4D1A~1.EXE > nul
        9⤵
        
        PID:1084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BCB2A~1.EXE > nul
        8⤵
        
        PID:748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{655F6~1.EXE > nul
        7⤵
        
        PID:1372
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3EF92~1.EXE > nul
        6⤵
        
        PID:788
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C739B~1.EXE > nul
        5⤵
        
        PID:2496
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{9492C~1.EXE > nul
      4⤵
      PID:2640
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{F4F57~1.EXE > nul
    3⤵
    PID:2504
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:1720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1E22FC7A-B084-426d-AAD2-7CD66261AD9D}.exe

Filesize
180KB

MD5
861d8fbc4dc0825337843f2bbdccd11f

SHA1
2e570f17de9a25a2698923e79cc329df72ccc047

SHA256
6ed82f4eab090b2bb0c6607f7a8c3ef9e389fca0d6cf8211d33d8e0a8f6843e2

SHA512
3fa23cdbf9482e559ba5594b65a06a4718103d23cc8c9aaa34b8278687a0a90e5936dd7c738ce989515ba9813a506ee8d2c2275f83c463a6d75625b6240110e6

Download Submit
C:\Windows\{237525E1-7B28-4d19-9092-E9F068AACD56}.exe

Filesize
180KB

MD5
86835297576c3c0e84da0d0b43d33995

SHA1
617bf78402b6252c36696729ededf3d9fa7e32e5

SHA256
e65e1d2df73132f83e71f24da5db63240fd79ac805132711e1075a39f5956222

SHA512
57b646fa642c6c1f9ae73db158440bdeb6bf4e0b71a7cc729fdf6a0897d4c2d2c91bc6270847687cad63eabfec763c5782adb052618b4998b09f1f69a3160e14

Download Submit
C:\Windows\{3EF926D1-26DD-4186-8234-89BF1D770AA7}.exe

Filesize
180KB

MD5
3c08c67dca8281abbfd0c4e8b0dd047b

SHA1
c057ca4e730596d4e798feeaab53fd4f9f1082d9

SHA256
601cc61c2c747fee4f9b6526934a9ffb183072adfb745c7bc77594c4e6767dd1

SHA512
93a40ddd1779e5392f9fd225eed5a10b6a9779456ddde2e0c1ba6a6f92008dad5d3fca011d468d4db9a6536da5fafe4dd2b8785d799d977d86281445cd77d979

Download Submit
C:\Windows\{5A0D0CE3-C4BF-4ff8-B3A3-0993D61147F9}.exe

Filesize
180KB

MD5
e66a3388c5a7bef68359bcb03df300cb

SHA1
cdf6c4883aeff8f8dbe019f3f85d768b6de07e03

SHA256
467a77efcc04bb9b3941ed025c5abbf0a3773cc2e4cb5185c685c26f80d36605

SHA512
ffc1ccd856da0d945c7e1c8c045cc48d50727bec2f12b8ddcdf23afb4cc72fe709cee8abaf576dd4fd2e5da0ec55292ee3bd5775ed6fd92d56437660dcdf13ac

Download Submit
C:\Windows\{655F650D-7827-4f76-8A1D-FA0996002771}.exe

Filesize
180KB

MD5
045f76ae15363e4f50fd729db5549a8c

SHA1
b53a10c37a22155127940db2205a8e5d491ab78a

SHA256
e66a93802642dd114f40ba1b325582de60b1be95db22f68db25f7039a9c9a70c

SHA512
0762bec72b8c0b1c70187e91009d8a55131179cd5aa59559e4afe9be156f7f67e21ba7bfe20f4f8c094c0c482878d65ccfe92bdc15e78a46f1f099941ea4e3bb

Download Submit
C:\Windows\{76090E2A-239D-47ac-816C-21BA9EC90E34}.exe

Filesize
180KB

MD5
f6f3d39ec48287cb21d9d5b46836da34

SHA1
b7e6cd6de7d00766eeb8305996a291384209cdf5

SHA256
e16695945ecc02a5603c0dd8dba351966e9e4833d1dcb800bb689900a206e6b8

SHA512
1feee0e8f7956a44ebe5b8471a01fffef82ca950ef254944754098a4d78fad366c56120ee71a9c901d854d7dbb83161866b4b768970b81deabf5a95f29e7ed39

Download Submit
C:\Windows\{9492C0FC-55A3-4066-8E16-4CC689766183}.exe

Filesize
180KB

MD5
3955bbb70afac969cda6a096b458e41f

SHA1
96133f4d3bff619641bcd8204439afc4dc974db2

SHA256
18590a890bdf90be1632cbb23d2eb573ed53d04dcea5b2f33cab214843221ef1

SHA512
8410be5f8f4a4309791ce9439ae9d2f20c4b18750ddde340f9e908ba65eccd94cbf528b5acb02f94d15b6132991be67e79b899662e34729ab4d9b1f2a1e12de8

Download Submit
C:\Windows\{A4D1A7C5-B40F-4ae3-8FB8-595EF4E94467}.exe

Filesize
180KB

MD5
63443d04bcd6f54e276d5f57a14a84a9

SHA1
2c23ebae840952ad07b9a3a0bc137338543b796d

SHA256
29938b3df703c16734a8234b4dcb689b66779741c79492e675856c4b9b653318

SHA512
3551695fd55c579885440a487ab9d08b171828345bd3058277aecac44b48bea7e85ab28556b1b0fbae3ab01ab07967c7d7833a52ccb0205a45a28e10fb511e93

Download Submit
C:\Windows\{BCB2A7B7-4EE5-4810-B882-90750BF46CBC}.exe

Filesize
180KB

MD5
646317def6204b1cab765b6b802c5a32

SHA1
7e5b9355b72c91dd1e6a0bb471c7e3d48d6af786

SHA256
f49a76f491d3601b656f33e6bffc66843f746b9147363a3601303a010a3450c2

SHA512
c7dc60ec1c1f92c22dbad4129e3abbc65673572c59dc0b22f6d8fa7aafa14648d18c3c0da1c87c8f2b02a8ed396a8dbe7f71be6b935fa8fe611d1f52c67d050c

Download Submit
C:\Windows\{C739B15A-DF2A-43c6-A3D4-79C3C1BA7BAB}.exe

Filesize
180KB

MD5
016f3b673477d1e021f4130dd9d66a38

SHA1
325beb0ea2fb046061cbd0ee85e60d78b37fe01f

SHA256
d6218f7994bf4b8cf5b27ea5812b2d05748d9c95c524d88ddbca5bc5be4d3dc3

SHA512
51b0ca040024b1a81aec94736d9d690b7c8acaa6097703f9cff152813a4048c813ed8b31a6eac1b3b071e44105464116dc85cbea9715d4e784c8c6a747dcedc8

Download Submit
C:\Windows\{F4F57471-BD8E-441b-B653-6CDD773D930A}.exe

Filesize
180KB

MD5
64b07bd8b9cff459bba498a66a7e73c8

SHA1
9ae12c1cfd9e88b6cb72386407093578a6a5edf5

SHA256
bf72953502127599d945084545eddfe6319557b24dd69d6dde0054920c80819b

SHA512
4ce9184c0b6be27ee50ad01fe4fd611abdf950b7a5c1eae9bc6a49f83cde87c151a4ca672ea15e5a3799d7908d23874689468a6fc23b257476d450db684d00d6

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads