164e16d117d09e1f4f2d1c093cc0d18c8b819595fdce3631376a5a8e561c02ee

Analysis

max time kernel
144s
max time network
124s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
25/04/2024, 22:52

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-04-25_fefaca3a5ece27420128261448ce2adb_goldeneye.exe
Size

408KB
MD5

fefaca3a5ece27420128261448ce2adb
SHA1

882029596667a747a4cab8ca50fc3253f608f9cf
SHA256

164e16d117d09e1f4f2d1c093cc0d18c8b819595fdce3631376a5a8e561c02ee
SHA512

9a8a6157953bf7b19e3ad6cf8ae6f162214f30e266bbdff09ddfff9de2a4f40dd2482b31a0e3c890c3424653c090568bf031f0cc322a3bcb6cb132e2cdab4e89
SSDEEP

3072:CEGh0oyl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBft:CEGMldOe2MUVg3vTeKcAEciTBqr3jy9

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000b000000014abe-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000015018-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000014abe-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00090000000155ed-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000005a59-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000014abe-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000005a59-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e000000014abe-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000005a59-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f000000014abe-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000005a59-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E127806F-EC1F-42c7-ADDC-287911D214B1}\stubpath = "C:\\Windows\\{E127806F-EC1F-42c7-ADDC-287911D214B1}.exe"	{5B3D6C0D-51C6-4420-A969-B5D02BC1D832}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AEF50B04-062C-487d-8E83-D5CE6889C8E2}\stubpath = "C:\\Windows\\{AEF50B04-062C-487d-8E83-D5CE6889C8E2}.exe"	{E127806F-EC1F-42c7-ADDC-287911D214B1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2BAB037C-CFEF-4c01-B45F-7172B38B6DFF}	{AEF50B04-062C-487d-8E83-D5CE6889C8E2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DF589579-8DE7-4460-895A-72DAEBB78093}	{FCC0FDCE-DA14-49db-9798-41F4D122A36C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{76824628-E037-490d-9B0B-3A483B698B7C}	{DF589579-8DE7-4460-895A-72DAEBB78093}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5B3D6C0D-51C6-4420-A969-B5D02BC1D832}	2024-04-25_fefaca3a5ece27420128261448ce2adb_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E127806F-EC1F-42c7-ADDC-287911D214B1}	{5B3D6C0D-51C6-4420-A969-B5D02BC1D832}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AEF50B04-062C-487d-8E83-D5CE6889C8E2}	{E127806F-EC1F-42c7-ADDC-287911D214B1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FCC0FDCE-DA14-49db-9798-41F4D122A36C}\stubpath = "C:\\Windows\\{FCC0FDCE-DA14-49db-9798-41F4D122A36C}.exe"	{6DBD77E3-AA1C-486a-800C-70FBF507BFD5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1974B6BE-7543-4e35-9AD5-7A1E7E592040}	{76824628-E037-490d-9B0B-3A483B698B7C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{234A6541-B727-48ee-8EED-7E7DCF8ACAF9}	{1974B6BE-7543-4e35-9AD5-7A1E7E592040}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{86012C64-4618-47e2-A85C-C951A5C244B8}	{234A6541-B727-48ee-8EED-7E7DCF8ACAF9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5B3D6C0D-51C6-4420-A969-B5D02BC1D832}\stubpath = "C:\\Windows\\{5B3D6C0D-51C6-4420-A969-B5D02BC1D832}.exe"	2024-04-25_fefaca3a5ece27420128261448ce2adb_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6DBD77E3-AA1C-486a-800C-70FBF507BFD5}\stubpath = "C:\\Windows\\{6DBD77E3-AA1C-486a-800C-70FBF507BFD5}.exe"	{2BAB037C-CFEF-4c01-B45F-7172B38B6DFF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FCC0FDCE-DA14-49db-9798-41F4D122A36C}	{6DBD77E3-AA1C-486a-800C-70FBF507BFD5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{76824628-E037-490d-9B0B-3A483B698B7C}\stubpath = "C:\\Windows\\{76824628-E037-490d-9B0B-3A483B698B7C}.exe"	{DF589579-8DE7-4460-895A-72DAEBB78093}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6DBD77E3-AA1C-486a-800C-70FBF507BFD5}	{2BAB037C-CFEF-4c01-B45F-7172B38B6DFF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DF589579-8DE7-4460-895A-72DAEBB78093}\stubpath = "C:\\Windows\\{DF589579-8DE7-4460-895A-72DAEBB78093}.exe"	{FCC0FDCE-DA14-49db-9798-41F4D122A36C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1974B6BE-7543-4e35-9AD5-7A1E7E592040}\stubpath = "C:\\Windows\\{1974B6BE-7543-4e35-9AD5-7A1E7E592040}.exe"	{76824628-E037-490d-9B0B-3A483B698B7C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{234A6541-B727-48ee-8EED-7E7DCF8ACAF9}\stubpath = "C:\\Windows\\{234A6541-B727-48ee-8EED-7E7DCF8ACAF9}.exe"	{1974B6BE-7543-4e35-9AD5-7A1E7E592040}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{86012C64-4618-47e2-A85C-C951A5C244B8}\stubpath = "C:\\Windows\\{86012C64-4618-47e2-A85C-C951A5C244B8}.exe"	{234A6541-B727-48ee-8EED-7E7DCF8ACAF9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2BAB037C-CFEF-4c01-B45F-7172B38B6DFF}\stubpath = "C:\\Windows\\{2BAB037C-CFEF-4c01-B45F-7172B38B6DFF}.exe"	{AEF50B04-062C-487d-8E83-D5CE6889C8E2}.exe

Deletes itself 1 IoCs

pid	Process
2312	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
860	{5B3D6C0D-51C6-4420-A969-B5D02BC1D832}.exe
2560	{E127806F-EC1F-42c7-ADDC-287911D214B1}.exe
2564	{AEF50B04-062C-487d-8E83-D5CE6889C8E2}.exe
2552	{2BAB037C-CFEF-4c01-B45F-7172B38B6DFF}.exe
1800	{6DBD77E3-AA1C-486a-800C-70FBF507BFD5}.exe
812	{FCC0FDCE-DA14-49db-9798-41F4D122A36C}.exe
2156	{DF589579-8DE7-4460-895A-72DAEBB78093}.exe
628	{76824628-E037-490d-9B0B-3A483B698B7C}.exe
1828	{1974B6BE-7543-4e35-9AD5-7A1E7E592040}.exe
1228	{234A6541-B727-48ee-8EED-7E7DCF8ACAF9}.exe
1036	{86012C64-4618-47e2-A85C-C951A5C244B8}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{E127806F-EC1F-42c7-ADDC-287911D214B1}.exe	{5B3D6C0D-51C6-4420-A969-B5D02BC1D832}.exe
File created	C:\Windows\{2BAB037C-CFEF-4c01-B45F-7172B38B6DFF}.exe	{AEF50B04-062C-487d-8E83-D5CE6889C8E2}.exe
File created	C:\Windows\{1974B6BE-7543-4e35-9AD5-7A1E7E592040}.exe	{76824628-E037-490d-9B0B-3A483B698B7C}.exe
File created	C:\Windows\{234A6541-B727-48ee-8EED-7E7DCF8ACAF9}.exe	{1974B6BE-7543-4e35-9AD5-7A1E7E592040}.exe
File created	C:\Windows\{86012C64-4618-47e2-A85C-C951A5C244B8}.exe	{234A6541-B727-48ee-8EED-7E7DCF8ACAF9}.exe
File created	C:\Windows\{5B3D6C0D-51C6-4420-A969-B5D02BC1D832}.exe	2024-04-25_fefaca3a5ece27420128261448ce2adb_goldeneye.exe
File created	C:\Windows\{AEF50B04-062C-487d-8E83-D5CE6889C8E2}.exe	{E127806F-EC1F-42c7-ADDC-287911D214B1}.exe
File created	C:\Windows\{6DBD77E3-AA1C-486a-800C-70FBF507BFD5}.exe	{2BAB037C-CFEF-4c01-B45F-7172B38B6DFF}.exe
File created	C:\Windows\{FCC0FDCE-DA14-49db-9798-41F4D122A36C}.exe	{6DBD77E3-AA1C-486a-800C-70FBF507BFD5}.exe
File created	C:\Windows\{DF589579-8DE7-4460-895A-72DAEBB78093}.exe	{FCC0FDCE-DA14-49db-9798-41F4D122A36C}.exe
File created	C:\Windows\{76824628-E037-490d-9B0B-3A483B698B7C}.exe	{DF589579-8DE7-4460-895A-72DAEBB78093}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2140	2024-04-25_fefaca3a5ece27420128261448ce2adb_goldeneye.exe
Token: SeIncBasePriorityPrivilege	860	{5B3D6C0D-51C6-4420-A969-B5D02BC1D832}.exe
Token: SeIncBasePriorityPrivilege	2560	{E127806F-EC1F-42c7-ADDC-287911D214B1}.exe
Token: SeIncBasePriorityPrivilege	2564	{AEF50B04-062C-487d-8E83-D5CE6889C8E2}.exe
Token: SeIncBasePriorityPrivilege	2552	{2BAB037C-CFEF-4c01-B45F-7172B38B6DFF}.exe
Token: SeIncBasePriorityPrivilege	1800	{6DBD77E3-AA1C-486a-800C-70FBF507BFD5}.exe
Token: SeIncBasePriorityPrivilege	812	{FCC0FDCE-DA14-49db-9798-41F4D122A36C}.exe
Token: SeIncBasePriorityPrivilege	2156	{DF589579-8DE7-4460-895A-72DAEBB78093}.exe
Token: SeIncBasePriorityPrivilege	628	{76824628-E037-490d-9B0B-3A483B698B7C}.exe
Token: SeIncBasePriorityPrivilege	1828	{1974B6BE-7543-4e35-9AD5-7A1E7E592040}.exe
Token: SeIncBasePriorityPrivilege	1228	{234A6541-B727-48ee-8EED-7E7DCF8ACAF9}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2140 wrote to memory of 860	2140	2024-04-25_fefaca3a5ece27420128261448ce2adb_goldeneye.exe	28
PID 2140 wrote to memory of 860	2140	2024-04-25_fefaca3a5ece27420128261448ce2adb_goldeneye.exe	28
PID 2140 wrote to memory of 860	2140	2024-04-25_fefaca3a5ece27420128261448ce2adb_goldeneye.exe	28
PID 2140 wrote to memory of 860	2140	2024-04-25_fefaca3a5ece27420128261448ce2adb_goldeneye.exe	28
PID 2140 wrote to memory of 2312	2140	2024-04-25_fefaca3a5ece27420128261448ce2adb_goldeneye.exe	29
PID 2140 wrote to memory of 2312	2140	2024-04-25_fefaca3a5ece27420128261448ce2adb_goldeneye.exe	29
PID 2140 wrote to memory of 2312	2140	2024-04-25_fefaca3a5ece27420128261448ce2adb_goldeneye.exe	29
PID 2140 wrote to memory of 2312	2140	2024-04-25_fefaca3a5ece27420128261448ce2adb_goldeneye.exe	29
PID 860 wrote to memory of 2560	860	{5B3D6C0D-51C6-4420-A969-B5D02BC1D832}.exe	30
PID 860 wrote to memory of 2560	860	{5B3D6C0D-51C6-4420-A969-B5D02BC1D832}.exe	30
PID 860 wrote to memory of 2560	860	{5B3D6C0D-51C6-4420-A969-B5D02BC1D832}.exe	30
PID 860 wrote to memory of 2560	860	{5B3D6C0D-51C6-4420-A969-B5D02BC1D832}.exe	30
PID 860 wrote to memory of 2636	860	{5B3D6C0D-51C6-4420-A969-B5D02BC1D832}.exe	31
PID 860 wrote to memory of 2636	860	{5B3D6C0D-51C6-4420-A969-B5D02BC1D832}.exe	31
PID 860 wrote to memory of 2636	860	{5B3D6C0D-51C6-4420-A969-B5D02BC1D832}.exe	31
PID 860 wrote to memory of 2636	860	{5B3D6C0D-51C6-4420-A969-B5D02BC1D832}.exe	31
PID 2560 wrote to memory of 2564	2560	{E127806F-EC1F-42c7-ADDC-287911D214B1}.exe	32
PID 2560 wrote to memory of 2564	2560	{E127806F-EC1F-42c7-ADDC-287911D214B1}.exe	32
PID 2560 wrote to memory of 2564	2560	{E127806F-EC1F-42c7-ADDC-287911D214B1}.exe	32
PID 2560 wrote to memory of 2564	2560	{E127806F-EC1F-42c7-ADDC-287911D214B1}.exe	32
PID 2560 wrote to memory of 2776	2560	{E127806F-EC1F-42c7-ADDC-287911D214B1}.exe	33
PID 2560 wrote to memory of 2776	2560	{E127806F-EC1F-42c7-ADDC-287911D214B1}.exe	33
PID 2560 wrote to memory of 2776	2560	{E127806F-EC1F-42c7-ADDC-287911D214B1}.exe	33
PID 2560 wrote to memory of 2776	2560	{E127806F-EC1F-42c7-ADDC-287911D214B1}.exe	33
PID 2564 wrote to memory of 2552	2564	{AEF50B04-062C-487d-8E83-D5CE6889C8E2}.exe	36
PID 2564 wrote to memory of 2552	2564	{AEF50B04-062C-487d-8E83-D5CE6889C8E2}.exe	36
PID 2564 wrote to memory of 2552	2564	{AEF50B04-062C-487d-8E83-D5CE6889C8E2}.exe	36
PID 2564 wrote to memory of 2552	2564	{AEF50B04-062C-487d-8E83-D5CE6889C8E2}.exe	36
PID 2564 wrote to memory of 2848	2564	{AEF50B04-062C-487d-8E83-D5CE6889C8E2}.exe	37
PID 2564 wrote to memory of 2848	2564	{AEF50B04-062C-487d-8E83-D5CE6889C8E2}.exe	37
PID 2564 wrote to memory of 2848	2564	{AEF50B04-062C-487d-8E83-D5CE6889C8E2}.exe	37
PID 2564 wrote to memory of 2848	2564	{AEF50B04-062C-487d-8E83-D5CE6889C8E2}.exe	37
PID 2552 wrote to memory of 1800	2552	{2BAB037C-CFEF-4c01-B45F-7172B38B6DFF}.exe	38
PID 2552 wrote to memory of 1800	2552	{2BAB037C-CFEF-4c01-B45F-7172B38B6DFF}.exe	38
PID 2552 wrote to memory of 1800	2552	{2BAB037C-CFEF-4c01-B45F-7172B38B6DFF}.exe	38
PID 2552 wrote to memory of 1800	2552	{2BAB037C-CFEF-4c01-B45F-7172B38B6DFF}.exe	38
PID 2552 wrote to memory of 1268	2552	{2BAB037C-CFEF-4c01-B45F-7172B38B6DFF}.exe	39
PID 2552 wrote to memory of 1268	2552	{2BAB037C-CFEF-4c01-B45F-7172B38B6DFF}.exe	39
PID 2552 wrote to memory of 1268	2552	{2BAB037C-CFEF-4c01-B45F-7172B38B6DFF}.exe	39
PID 2552 wrote to memory of 1268	2552	{2BAB037C-CFEF-4c01-B45F-7172B38B6DFF}.exe	39
PID 1800 wrote to memory of 812	1800	{6DBD77E3-AA1C-486a-800C-70FBF507BFD5}.exe	40
PID 1800 wrote to memory of 812	1800	{6DBD77E3-AA1C-486a-800C-70FBF507BFD5}.exe	40
PID 1800 wrote to memory of 812	1800	{6DBD77E3-AA1C-486a-800C-70FBF507BFD5}.exe	40
PID 1800 wrote to memory of 812	1800	{6DBD77E3-AA1C-486a-800C-70FBF507BFD5}.exe	40
PID 1800 wrote to memory of 1780	1800	{6DBD77E3-AA1C-486a-800C-70FBF507BFD5}.exe	41
PID 1800 wrote to memory of 1780	1800	{6DBD77E3-AA1C-486a-800C-70FBF507BFD5}.exe	41
PID 1800 wrote to memory of 1780	1800	{6DBD77E3-AA1C-486a-800C-70FBF507BFD5}.exe	41
PID 1800 wrote to memory of 1780	1800	{6DBD77E3-AA1C-486a-800C-70FBF507BFD5}.exe	41
PID 812 wrote to memory of 2156	812	{FCC0FDCE-DA14-49db-9798-41F4D122A36C}.exe	42
PID 812 wrote to memory of 2156	812	{FCC0FDCE-DA14-49db-9798-41F4D122A36C}.exe	42
PID 812 wrote to memory of 2156	812	{FCC0FDCE-DA14-49db-9798-41F4D122A36C}.exe	42
PID 812 wrote to memory of 2156	812	{FCC0FDCE-DA14-49db-9798-41F4D122A36C}.exe	42
PID 812 wrote to memory of 2492	812	{FCC0FDCE-DA14-49db-9798-41F4D122A36C}.exe	43
PID 812 wrote to memory of 2492	812	{FCC0FDCE-DA14-49db-9798-41F4D122A36C}.exe	43
PID 812 wrote to memory of 2492	812	{FCC0FDCE-DA14-49db-9798-41F4D122A36C}.exe	43
PID 812 wrote to memory of 2492	812	{FCC0FDCE-DA14-49db-9798-41F4D122A36C}.exe	43
PID 2156 wrote to memory of 628	2156	{DF589579-8DE7-4460-895A-72DAEBB78093}.exe	44
PID 2156 wrote to memory of 628	2156	{DF589579-8DE7-4460-895A-72DAEBB78093}.exe	44
PID 2156 wrote to memory of 628	2156	{DF589579-8DE7-4460-895A-72DAEBB78093}.exe	44
PID 2156 wrote to memory of 628	2156	{DF589579-8DE7-4460-895A-72DAEBB78093}.exe	44
PID 2156 wrote to memory of 1552	2156	{DF589579-8DE7-4460-895A-72DAEBB78093}.exe	45
PID 2156 wrote to memory of 1552	2156	{DF589579-8DE7-4460-895A-72DAEBB78093}.exe	45
PID 2156 wrote to memory of 1552	2156	{DF589579-8DE7-4460-895A-72DAEBB78093}.exe	45
PID 2156 wrote to memory of 1552	2156	{DF589579-8DE7-4460-895A-72DAEBB78093}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-04-25_fefaca3a5ece27420128261448ce2adb_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-25_fefaca3a5ece27420128261448ce2adb_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2140
- C:\Windows\{5B3D6C0D-51C6-4420-A969-B5D02BC1D832}.exe
  C:\Windows\{5B3D6C0D-51C6-4420-A969-B5D02BC1D832}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:860
- - C:\Windows\{E127806F-EC1F-42c7-ADDC-287911D214B1}.exe
    C:\Windows\{E127806F-EC1F-42c7-ADDC-287911D214B1}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2560
  - - C:\Windows\{AEF50B04-062C-487d-8E83-D5CE6889C8E2}.exe
      C:\Windows\{AEF50B04-062C-487d-8E83-D5CE6889C8E2}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2564
    - - C:\Windows\{2BAB037C-CFEF-4c01-B45F-7172B38B6DFF}.exe
        
        C:\Windows\{2BAB037C-CFEF-4c01-B45F-7172B38B6DFF}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2552
      - C:\Windows\{6DBD77E3-AA1C-486a-800C-70FBF507BFD5}.exe
        
        C:\Windows\{6DBD77E3-AA1C-486a-800C-70FBF507BFD5}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1800
        
        C:\Windows\{FCC0FDCE-DA14-49db-9798-41F4D122A36C}.exe
        
        C:\Windows\{FCC0FDCE-DA14-49db-9798-41F4D122A36C}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:812
        
        C:\Windows\{DF589579-8DE7-4460-895A-72DAEBB78093}.exe
        
        C:\Windows\{DF589579-8DE7-4460-895A-72DAEBB78093}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2156
        
        C:\Windows\{76824628-E037-490d-9B0B-3A483B698B7C}.exe
        
        C:\Windows\{76824628-E037-490d-9B0B-3A483B698B7C}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:628
        
        C:\Windows\{1974B6BE-7543-4e35-9AD5-7A1E7E592040}.exe
        
        C:\Windows\{1974B6BE-7543-4e35-9AD5-7A1E7E592040}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1828
        
        C:\Windows\{234A6541-B727-48ee-8EED-7E7DCF8ACAF9}.exe
        
        C:\Windows\{234A6541-B727-48ee-8EED-7E7DCF8ACAF9}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1228
        
        C:\Windows\{86012C64-4618-47e2-A85C-C951A5C244B8}.exe
        
        C:\Windows\{86012C64-4618-47e2-A85C-C951A5C244B8}.exe
        12⤵
        Executes dropped EXE
        
        PID:1036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{234A6~1.EXE > nul
        12⤵
        
        PID:652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1974B~1.EXE > nul
        11⤵
        
        PID:772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{76824~1.EXE > nul
        10⤵
        
        PID:1184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DF589~1.EXE > nul
        9⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FCC0F~1.EXE > nul
        8⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6DBD7~1.EXE > nul
        7⤵
        
        PID:1780
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2BAB0~1.EXE > nul
        6⤵
        
        PID:1268
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AEF50~1.EXE > nul
        5⤵
        
        PID:2848
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{E1278~1.EXE > nul
      4⤵
      PID:2776
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{5B3D6~1.EXE > nul
    3⤵
    PID:2636
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2312

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1974B6BE-7543-4e35-9AD5-7A1E7E592040}.exe

Filesize
408KB

MD5
8188c83cee6d112df9a63e39c5d68016

SHA1
20c37e95418274906cfc6ef9f2bee0788cd7eb8c

SHA256
3783cffd6187fe58225f61c285df469141b4801c48612e067ebbbc09b33dd1ad

SHA512
90b756b42d5be5d34be8cc18082d1328439d80b5a8006b12351aab62ecb24e5b3122e9f6393d87a4396a622d4764f6093d81cebf1470f8a45e24c9fc11720ced

Download Submit
C:\Windows\{234A6541-B727-48ee-8EED-7E7DCF8ACAF9}.exe

Filesize
408KB

MD5
f2fb274935f2017b5dd93f244fb3ac01

SHA1
bbe24f3c4faaf896b45173d8ec614685b0d994fe

SHA256
a116eece4b63f274bf0c8db3582298688ed3fcf00fd24e007a8e34684d2df01f

SHA512
a294405de031a0b193f699772fb2583a05a00f9a5e92ec5ebb063929080f1d8bd5f2f38eed15d391aa2b792b20c6ce76e06fea3173873abd7a02b3c312609743

Download Submit
C:\Windows\{2BAB037C-CFEF-4c01-B45F-7172B38B6DFF}.exe

Filesize
408KB

MD5
73e748792871e4ea73ca943a99139f61

SHA1
324ee187cbea8ef2e330824b68fe22165235d7d9

SHA256
da786050827005606ccaad8af91ba93c64676185aafbc169ade8554a50947fea

SHA512
0e79f6103d1d313d7ea9a96c415362133bff88f8ce6a99a66d4c8ec9435a714afe98a2a125273a11cd32cb67609023c2afa03e907dd5a76398e52edebe844edb

Download Submit
C:\Windows\{5B3D6C0D-51C6-4420-A969-B5D02BC1D832}.exe

Filesize
408KB

MD5
46b655edda0ae6b33bbc066a5898f765

SHA1
daff328629ab7769128cce19a72802e801e82d06

SHA256
0bdb00bf14650826cdbf13c839a9d24aa4edbdc99693e63db01cbe6898312f2b

SHA512
09cf40d2374b62734368d2fdae4837b3043f2028a1967e97897b871650e2e7d017d9d040dc852801c9bd6d95aac184f80819b4fee166c8f4f14723f826b8105e

Download Submit
C:\Windows\{6DBD77E3-AA1C-486a-800C-70FBF507BFD5}.exe

Filesize
408KB

MD5
fbc4afc337379206ae06bfa0a9d448ac

SHA1
f8ffe19d38d760c511c7215aa83b252e05c0e789

SHA256
030429b369c75e5268591116a9e9c07db7508a7fb395a3fb0a5af016ff851a88

SHA512
8c6eebb78f4fef0597dc884a9e47b3af13dcdaabfe40ee8b3782954f3137f9805f5cde57674c6b9b009c37cc98cb7a3f0a9b98505bda5a7f9a603c7bc5be72e8

Download Submit
C:\Windows\{76824628-E037-490d-9B0B-3A483B698B7C}.exe

Filesize
408KB

MD5
861483f4ffdbf27427526bd41fc953eb

SHA1
0035ccc9f183ec443b9b201e14635f5b826168b6

SHA256
bea7df74ff8bc704189f168ea43f259720e689ddd27b0fb19885fbdda9e5b474

SHA512
6858ada36385985bd769f98c1a1e7d3f8c50bf6b6d7f02dcbe072f83c865413944a3f58943ad00e74035b193d0f7286b637797872f1673877688f78a2d5a9f08

Download Submit
C:\Windows\{86012C64-4618-47e2-A85C-C951A5C244B8}.exe

Filesize
408KB

MD5
cca894ac64a0d2d0b357271664ee651f

SHA1
cfe2ab377e59e2c9f237c61be16ac4606ab58d14

SHA256
3874fc5996578c982c839916743321182f6685f169a081d7e57cf4317ab201f5

SHA512
582ce3ab328461c4191cd4d320406c521adad8c436b4ef26e52c59336a942394402bfce6616161175e178ef8a50b4863c515d97683f97b717f1055d65ca87726

Download Submit
C:\Windows\{AEF50B04-062C-487d-8E83-D5CE6889C8E2}.exe

Filesize
408KB

MD5
fccc351ebbbe8ffc309140d4da1265d0

SHA1
dccc59f62c99ff07f7a4c14759d4b6dd1fdc8106

SHA256
ee2909bd18223d0f52139a36b88d41c5e9b2341aeaa9243aaf37365c6e60f53d

SHA512
a429a043551f7dda1862d41d05ac21b97a0ce18182174516df42894d385f6179ee59ce88e0f70011fb68efc419769f07506dd2f42d4e01c30bb850643993ac62

Download Submit
C:\Windows\{DF589579-8DE7-4460-895A-72DAEBB78093}.exe

Filesize
408KB

MD5
44837d304aa1f9f20c357dfdd1ffc023

SHA1
d66d8374485454d85ce7cff2feed19b38f587c1b

SHA256
61224d088d84d74faf8da81ff938107791278a1315d9e92bc9772ae94837d89a

SHA512
7dfe08a451aa12432c5f61be94ca3c111d2ef718b098f7edfdb97053552f6ae444ace2de703498751664d86a5c562de1803ff07155da9264bc2aae4afdbf73eb

Download Submit
C:\Windows\{E127806F-EC1F-42c7-ADDC-287911D214B1}.exe

Filesize
408KB

MD5
5456d292b44d82f0b8f054d13de301fa

SHA1
63406fd5adbf3d14f7e15be54589455c3510af84

SHA256
12cdea9bd49aa548f6a27ea5f6751de97f1b423a68cf6030fca13baf5e1c546b

SHA512
f5f1f864c21ad73826f06a837fe821607ddbafddcbd0170fc0f42d4a8dcee57a653dcbeb9a2ed716de1de9120216a8402bd17e9c8963019c95a509159e081972

Download Submit
C:\Windows\{FCC0FDCE-DA14-49db-9798-41F4D122A36C}.exe

Filesize
408KB

MD5
bd258447a85ec4654fbf8243195c4107

SHA1
021a17805b9417ca670215fb4ed1d3085c781330

SHA256
b8c0d8914128fdfed24c6edf59b7d99bbaffdf8e4162cd8a4d1dc96c9a8e76a4

SHA512
e315953fe3cb8733c5cc304af6d750da97c1400c4a1bf67b80a979349e64eb600053dc071f5cc844edcdc690641639930b4978afd8fe18f4eb99bafc02c0f359

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads