f66ae114876ad238a714c861f2d9a5869bf63efe76e08c98dfbe9d6c320918c7

Analysis

max time kernel
144s
max time network
121s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
29/04/2024, 21:03

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-04-29_45add5bc311a28c1de8e031dc8d9359d_goldeneye.exe
Size

408KB
MD5

45add5bc311a28c1de8e031dc8d9359d
SHA1

3732f8633ebe98c3f6cb59bbfc5160c24f2427aa
SHA256

f66ae114876ad238a714c861f2d9a5869bf63efe76e08c98dfbe9d6c320918c7
SHA512

3ba4adde123130c66ed802d9bc5ef91d21f48201eb9cec776ff94b575de04c163210ea034e86415152c69fc1c010381e1d7c56d5835e7b1a750149d420f0ed7f
SSDEEP

3072:CEGh0oQl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBft:CEGqldOe2MUVg3vTeKcAEciTBqr3jy9

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000d00000001416a-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0033000000015cb0-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e00000001416a-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0033000000015cbd-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f00000001416a-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001000000001416a-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001100000001416a-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3BEDC219-A8F4-4c61-A3B8-B23C65B17BDF}	{C1395E54-B52A-4fcc-BE86-FC1F33A1DC7D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{67DD7A77-B937-4699-9C9A-518571DEBD93}\stubpath = "C:\\Windows\\{67DD7A77-B937-4699-9C9A-518571DEBD93}.exe"	{8E306129-E71C-4b12-A4E7-8FC91E321998}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DA91C032-07DC-45cf-9117-71AD9FBCD785}	{A6830D32-B8CE-4562-93B5-B5AFEA79AB52}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6476E178-70F2-49d6-B5DF-3983708DF4DB}	{FA1C830E-BB72-47bc-A6D7-53790D3764C5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6476E178-70F2-49d6-B5DF-3983708DF4DB}\stubpath = "C:\\Windows\\{6476E178-70F2-49d6-B5DF-3983708DF4DB}.exe"	{FA1C830E-BB72-47bc-A6D7-53790D3764C5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8BE240B8-03C3-4ba0-9FA5-B86ACFC8A7A4}\stubpath = "C:\\Windows\\{8BE240B8-03C3-4ba0-9FA5-B86ACFC8A7A4}.exe"	{6476E178-70F2-49d6-B5DF-3983708DF4DB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C1395E54-B52A-4fcc-BE86-FC1F33A1DC7D}\stubpath = "C:\\Windows\\{C1395E54-B52A-4fcc-BE86-FC1F33A1DC7D}.exe"	2024-04-29_45add5bc311a28c1de8e031dc8d9359d_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3BEDC219-A8F4-4c61-A3B8-B23C65B17BDF}\stubpath = "C:\\Windows\\{3BEDC219-A8F4-4c61-A3B8-B23C65B17BDF}.exe"	{C1395E54-B52A-4fcc-BE86-FC1F33A1DC7D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A6830D32-B8CE-4562-93B5-B5AFEA79AB52}\stubpath = "C:\\Windows\\{A6830D32-B8CE-4562-93B5-B5AFEA79AB52}.exe"	{67DD7A77-B937-4699-9C9A-518571DEBD93}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{01D5D312-59B6-413e-AD4A-1EA1DFD27116}	{0F36CC9F-AFF0-4124-A18D-09B8C0B53437}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8E306129-E71C-4b12-A4E7-8FC91E321998}	{3BEDC219-A8F4-4c61-A3B8-B23C65B17BDF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{67DD7A77-B937-4699-9C9A-518571DEBD93}	{8E306129-E71C-4b12-A4E7-8FC91E321998}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0F36CC9F-AFF0-4124-A18D-09B8C0B53437}\stubpath = "C:\\Windows\\{0F36CC9F-AFF0-4124-A18D-09B8C0B53437}.exe"	{DA91C032-07DC-45cf-9117-71AD9FBCD785}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0F36CC9F-AFF0-4124-A18D-09B8C0B53437}	{DA91C032-07DC-45cf-9117-71AD9FBCD785}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{01D5D312-59B6-413e-AD4A-1EA1DFD27116}\stubpath = "C:\\Windows\\{01D5D312-59B6-413e-AD4A-1EA1DFD27116}.exe"	{0F36CC9F-AFF0-4124-A18D-09B8C0B53437}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FA1C830E-BB72-47bc-A6D7-53790D3764C5}	{01D5D312-59B6-413e-AD4A-1EA1DFD27116}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FA1C830E-BB72-47bc-A6D7-53790D3764C5}\stubpath = "C:\\Windows\\{FA1C830E-BB72-47bc-A6D7-53790D3764C5}.exe"	{01D5D312-59B6-413e-AD4A-1EA1DFD27116}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C1395E54-B52A-4fcc-BE86-FC1F33A1DC7D}	2024-04-29_45add5bc311a28c1de8e031dc8d9359d_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8E306129-E71C-4b12-A4E7-8FC91E321998}\stubpath = "C:\\Windows\\{8E306129-E71C-4b12-A4E7-8FC91E321998}.exe"	{3BEDC219-A8F4-4c61-A3B8-B23C65B17BDF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A6830D32-B8CE-4562-93B5-B5AFEA79AB52}	{67DD7A77-B937-4699-9C9A-518571DEBD93}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DA91C032-07DC-45cf-9117-71AD9FBCD785}\stubpath = "C:\\Windows\\{DA91C032-07DC-45cf-9117-71AD9FBCD785}.exe"	{A6830D32-B8CE-4562-93B5-B5AFEA79AB52}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8BE240B8-03C3-4ba0-9FA5-B86ACFC8A7A4}	{6476E178-70F2-49d6-B5DF-3983708DF4DB}.exe

Executes dropped EXE 11 IoCs

pid	Process
1668	{C1395E54-B52A-4fcc-BE86-FC1F33A1DC7D}.exe
2752	{3BEDC219-A8F4-4c61-A3B8-B23C65B17BDF}.exe
2704	{8E306129-E71C-4b12-A4E7-8FC91E321998}.exe
2584	{67DD7A77-B937-4699-9C9A-518571DEBD93}.exe
1992	{A6830D32-B8CE-4562-93B5-B5AFEA79AB52}.exe
2696	{DA91C032-07DC-45cf-9117-71AD9FBCD785}.exe
896	{0F36CC9F-AFF0-4124-A18D-09B8C0B53437}.exe
1876	{01D5D312-59B6-413e-AD4A-1EA1DFD27116}.exe
2024	{FA1C830E-BB72-47bc-A6D7-53790D3764C5}.exe
3052	{6476E178-70F2-49d6-B5DF-3983708DF4DB}.exe
1156	{8BE240B8-03C3-4ba0-9FA5-B86ACFC8A7A4}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{8E306129-E71C-4b12-A4E7-8FC91E321998}.exe	{3BEDC219-A8F4-4c61-A3B8-B23C65B17BDF}.exe
File created	C:\Windows\{DA91C032-07DC-45cf-9117-71AD9FBCD785}.exe	{A6830D32-B8CE-4562-93B5-B5AFEA79AB52}.exe
File created	C:\Windows\{6476E178-70F2-49d6-B5DF-3983708DF4DB}.exe	{FA1C830E-BB72-47bc-A6D7-53790D3764C5}.exe
File created	C:\Windows\{8BE240B8-03C3-4ba0-9FA5-B86ACFC8A7A4}.exe	{6476E178-70F2-49d6-B5DF-3983708DF4DB}.exe
File created	C:\Windows\{3BEDC219-A8F4-4c61-A3B8-B23C65B17BDF}.exe	{C1395E54-B52A-4fcc-BE86-FC1F33A1DC7D}.exe
File created	C:\Windows\{67DD7A77-B937-4699-9C9A-518571DEBD93}.exe	{8E306129-E71C-4b12-A4E7-8FC91E321998}.exe
File created	C:\Windows\{A6830D32-B8CE-4562-93B5-B5AFEA79AB52}.exe	{67DD7A77-B937-4699-9C9A-518571DEBD93}.exe
File created	C:\Windows\{0F36CC9F-AFF0-4124-A18D-09B8C0B53437}.exe	{DA91C032-07DC-45cf-9117-71AD9FBCD785}.exe
File created	C:\Windows\{01D5D312-59B6-413e-AD4A-1EA1DFD27116}.exe	{0F36CC9F-AFF0-4124-A18D-09B8C0B53437}.exe
File created	C:\Windows\{FA1C830E-BB72-47bc-A6D7-53790D3764C5}.exe	{01D5D312-59B6-413e-AD4A-1EA1DFD27116}.exe
File created	C:\Windows\{C1395E54-B52A-4fcc-BE86-FC1F33A1DC7D}.exe	2024-04-29_45add5bc311a28c1de8e031dc8d9359d_goldeneye.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2792	2024-04-29_45add5bc311a28c1de8e031dc8d9359d_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1668	{C1395E54-B52A-4fcc-BE86-FC1F33A1DC7D}.exe
Token: SeIncBasePriorityPrivilege	2752	{3BEDC219-A8F4-4c61-A3B8-B23C65B17BDF}.exe
Token: SeIncBasePriorityPrivilege	2704	{8E306129-E71C-4b12-A4E7-8FC91E321998}.exe
Token: SeIncBasePriorityPrivilege	2584	{67DD7A77-B937-4699-9C9A-518571DEBD93}.exe
Token: SeIncBasePriorityPrivilege	1992	{A6830D32-B8CE-4562-93B5-B5AFEA79AB52}.exe
Token: SeIncBasePriorityPrivilege	2696	{DA91C032-07DC-45cf-9117-71AD9FBCD785}.exe
Token: SeIncBasePriorityPrivilege	896	{0F36CC9F-AFF0-4124-A18D-09B8C0B53437}.exe
Token: SeIncBasePriorityPrivilege	1876	{01D5D312-59B6-413e-AD4A-1EA1DFD27116}.exe
Token: SeIncBasePriorityPrivilege	2024	{FA1C830E-BB72-47bc-A6D7-53790D3764C5}.exe
Token: SeIncBasePriorityPrivilege	3052	{6476E178-70F2-49d6-B5DF-3983708DF4DB}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2792 wrote to memory of 1668	2792	2024-04-29_45add5bc311a28c1de8e031dc8d9359d_goldeneye.exe	28
PID 2792 wrote to memory of 1668	2792	2024-04-29_45add5bc311a28c1de8e031dc8d9359d_goldeneye.exe	28
PID 2792 wrote to memory of 1668	2792	2024-04-29_45add5bc311a28c1de8e031dc8d9359d_goldeneye.exe	28
PID 2792 wrote to memory of 1668	2792	2024-04-29_45add5bc311a28c1de8e031dc8d9359d_goldeneye.exe	28
PID 2792 wrote to memory of 2272	2792	2024-04-29_45add5bc311a28c1de8e031dc8d9359d_goldeneye.exe	29
PID 2792 wrote to memory of 2272	2792	2024-04-29_45add5bc311a28c1de8e031dc8d9359d_goldeneye.exe	29
PID 2792 wrote to memory of 2272	2792	2024-04-29_45add5bc311a28c1de8e031dc8d9359d_goldeneye.exe	29
PID 2792 wrote to memory of 2272	2792	2024-04-29_45add5bc311a28c1de8e031dc8d9359d_goldeneye.exe	29
PID 1668 wrote to memory of 2752	1668	{C1395E54-B52A-4fcc-BE86-FC1F33A1DC7D}.exe	30
PID 1668 wrote to memory of 2752	1668	{C1395E54-B52A-4fcc-BE86-FC1F33A1DC7D}.exe	30
PID 1668 wrote to memory of 2752	1668	{C1395E54-B52A-4fcc-BE86-FC1F33A1DC7D}.exe	30
PID 1668 wrote to memory of 2752	1668	{C1395E54-B52A-4fcc-BE86-FC1F33A1DC7D}.exe	30
PID 1668 wrote to memory of 2740	1668	{C1395E54-B52A-4fcc-BE86-FC1F33A1DC7D}.exe	31
PID 1668 wrote to memory of 2740	1668	{C1395E54-B52A-4fcc-BE86-FC1F33A1DC7D}.exe	31
PID 1668 wrote to memory of 2740	1668	{C1395E54-B52A-4fcc-BE86-FC1F33A1DC7D}.exe	31
PID 1668 wrote to memory of 2740	1668	{C1395E54-B52A-4fcc-BE86-FC1F33A1DC7D}.exe	31
PID 2752 wrote to memory of 2704	2752	{3BEDC219-A8F4-4c61-A3B8-B23C65B17BDF}.exe	32
PID 2752 wrote to memory of 2704	2752	{3BEDC219-A8F4-4c61-A3B8-B23C65B17BDF}.exe	32
PID 2752 wrote to memory of 2704	2752	{3BEDC219-A8F4-4c61-A3B8-B23C65B17BDF}.exe	32
PID 2752 wrote to memory of 2704	2752	{3BEDC219-A8F4-4c61-A3B8-B23C65B17BDF}.exe	32
PID 2752 wrote to memory of 2144	2752	{3BEDC219-A8F4-4c61-A3B8-B23C65B17BDF}.exe	33
PID 2752 wrote to memory of 2144	2752	{3BEDC219-A8F4-4c61-A3B8-B23C65B17BDF}.exe	33
PID 2752 wrote to memory of 2144	2752	{3BEDC219-A8F4-4c61-A3B8-B23C65B17BDF}.exe	33
PID 2752 wrote to memory of 2144	2752	{3BEDC219-A8F4-4c61-A3B8-B23C65B17BDF}.exe	33
PID 2704 wrote to memory of 2584	2704	{8E306129-E71C-4b12-A4E7-8FC91E321998}.exe	36
PID 2704 wrote to memory of 2584	2704	{8E306129-E71C-4b12-A4E7-8FC91E321998}.exe	36
PID 2704 wrote to memory of 2584	2704	{8E306129-E71C-4b12-A4E7-8FC91E321998}.exe	36
PID 2704 wrote to memory of 2584	2704	{8E306129-E71C-4b12-A4E7-8FC91E321998}.exe	36
PID 2704 wrote to memory of 2340	2704	{8E306129-E71C-4b12-A4E7-8FC91E321998}.exe	37
PID 2704 wrote to memory of 2340	2704	{8E306129-E71C-4b12-A4E7-8FC91E321998}.exe	37
PID 2704 wrote to memory of 2340	2704	{8E306129-E71C-4b12-A4E7-8FC91E321998}.exe	37
PID 2704 wrote to memory of 2340	2704	{8E306129-E71C-4b12-A4E7-8FC91E321998}.exe	37
PID 2584 wrote to memory of 1992	2584	{67DD7A77-B937-4699-9C9A-518571DEBD93}.exe	38
PID 2584 wrote to memory of 1992	2584	{67DD7A77-B937-4699-9C9A-518571DEBD93}.exe	38
PID 2584 wrote to memory of 1992	2584	{67DD7A77-B937-4699-9C9A-518571DEBD93}.exe	38
PID 2584 wrote to memory of 1992	2584	{67DD7A77-B937-4699-9C9A-518571DEBD93}.exe	38
PID 2584 wrote to memory of 1440	2584	{67DD7A77-B937-4699-9C9A-518571DEBD93}.exe	39
PID 2584 wrote to memory of 1440	2584	{67DD7A77-B937-4699-9C9A-518571DEBD93}.exe	39
PID 2584 wrote to memory of 1440	2584	{67DD7A77-B937-4699-9C9A-518571DEBD93}.exe	39
PID 2584 wrote to memory of 1440	2584	{67DD7A77-B937-4699-9C9A-518571DEBD93}.exe	39
PID 1992 wrote to memory of 2696	1992	{A6830D32-B8CE-4562-93B5-B5AFEA79AB52}.exe	40
PID 1992 wrote to memory of 2696	1992	{A6830D32-B8CE-4562-93B5-B5AFEA79AB52}.exe	40
PID 1992 wrote to memory of 2696	1992	{A6830D32-B8CE-4562-93B5-B5AFEA79AB52}.exe	40
PID 1992 wrote to memory of 2696	1992	{A6830D32-B8CE-4562-93B5-B5AFEA79AB52}.exe	40
PID 1992 wrote to memory of 1588	1992	{A6830D32-B8CE-4562-93B5-B5AFEA79AB52}.exe	41
PID 1992 wrote to memory of 1588	1992	{A6830D32-B8CE-4562-93B5-B5AFEA79AB52}.exe	41
PID 1992 wrote to memory of 1588	1992	{A6830D32-B8CE-4562-93B5-B5AFEA79AB52}.exe	41
PID 1992 wrote to memory of 1588	1992	{A6830D32-B8CE-4562-93B5-B5AFEA79AB52}.exe	41
PID 2696 wrote to memory of 896	2696	{DA91C032-07DC-45cf-9117-71AD9FBCD785}.exe	42
PID 2696 wrote to memory of 896	2696	{DA91C032-07DC-45cf-9117-71AD9FBCD785}.exe	42
PID 2696 wrote to memory of 896	2696	{DA91C032-07DC-45cf-9117-71AD9FBCD785}.exe	42
PID 2696 wrote to memory of 896	2696	{DA91C032-07DC-45cf-9117-71AD9FBCD785}.exe	42
PID 2696 wrote to memory of 1048	2696	{DA91C032-07DC-45cf-9117-71AD9FBCD785}.exe	43
PID 2696 wrote to memory of 1048	2696	{DA91C032-07DC-45cf-9117-71AD9FBCD785}.exe	43
PID 2696 wrote to memory of 1048	2696	{DA91C032-07DC-45cf-9117-71AD9FBCD785}.exe	43
PID 2696 wrote to memory of 1048	2696	{DA91C032-07DC-45cf-9117-71AD9FBCD785}.exe	43
PID 896 wrote to memory of 1876	896	{0F36CC9F-AFF0-4124-A18D-09B8C0B53437}.exe	44
PID 896 wrote to memory of 1876	896	{0F36CC9F-AFF0-4124-A18D-09B8C0B53437}.exe	44
PID 896 wrote to memory of 1876	896	{0F36CC9F-AFF0-4124-A18D-09B8C0B53437}.exe	44
PID 896 wrote to memory of 1876	896	{0F36CC9F-AFF0-4124-A18D-09B8C0B53437}.exe	44
PID 896 wrote to memory of 2796	896	{0F36CC9F-AFF0-4124-A18D-09B8C0B53437}.exe	45
PID 896 wrote to memory of 2796	896	{0F36CC9F-AFF0-4124-A18D-09B8C0B53437}.exe	45
PID 896 wrote to memory of 2796	896	{0F36CC9F-AFF0-4124-A18D-09B8C0B53437}.exe	45
PID 896 wrote to memory of 2796	896	{0F36CC9F-AFF0-4124-A18D-09B8C0B53437}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-04-29_45add5bc311a28c1de8e031dc8d9359d_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-29_45add5bc311a28c1de8e031dc8d9359d_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2792
- C:\Windows\{C1395E54-B52A-4fcc-BE86-FC1F33A1DC7D}.exe
  C:\Windows\{C1395E54-B52A-4fcc-BE86-FC1F33A1DC7D}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1668
- - C:\Windows\{3BEDC219-A8F4-4c61-A3B8-B23C65B17BDF}.exe
    C:\Windows\{3BEDC219-A8F4-4c61-A3B8-B23C65B17BDF}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2752
  - - C:\Windows\{8E306129-E71C-4b12-A4E7-8FC91E321998}.exe
      C:\Windows\{8E306129-E71C-4b12-A4E7-8FC91E321998}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2704
    - - C:\Windows\{67DD7A77-B937-4699-9C9A-518571DEBD93}.exe
        
        C:\Windows\{67DD7A77-B937-4699-9C9A-518571DEBD93}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2584
      - C:\Windows\{A6830D32-B8CE-4562-93B5-B5AFEA79AB52}.exe
        
        C:\Windows\{A6830D32-B8CE-4562-93B5-B5AFEA79AB52}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1992
        
        C:\Windows\{DA91C032-07DC-45cf-9117-71AD9FBCD785}.exe
        
        C:\Windows\{DA91C032-07DC-45cf-9117-71AD9FBCD785}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2696
        
        C:\Windows\{0F36CC9F-AFF0-4124-A18D-09B8C0B53437}.exe
        
        C:\Windows\{0F36CC9F-AFF0-4124-A18D-09B8C0B53437}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:896
        
        C:\Windows\{01D5D312-59B6-413e-AD4A-1EA1DFD27116}.exe
        
        C:\Windows\{01D5D312-59B6-413e-AD4A-1EA1DFD27116}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1876
        
        C:\Windows\{FA1C830E-BB72-47bc-A6D7-53790D3764C5}.exe
        
        C:\Windows\{FA1C830E-BB72-47bc-A6D7-53790D3764C5}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2024
        
        C:\Windows\{6476E178-70F2-49d6-B5DF-3983708DF4DB}.exe
        
        C:\Windows\{6476E178-70F2-49d6-B5DF-3983708DF4DB}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3052
        
        C:\Windows\{8BE240B8-03C3-4ba0-9FA5-B86ACFC8A7A4}.exe
        
        C:\Windows\{8BE240B8-03C3-4ba0-9FA5-B86ACFC8A7A4}.exe
        12⤵
        Executes dropped EXE
        
        PID:1156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6476E~1.EXE > nul
        12⤵
        
        PID:592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FA1C8~1.EXE > nul
        11⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{01D5D~1.EXE > nul
        10⤵
        
        PID:2928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0F36C~1.EXE > nul
        9⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DA91C~1.EXE > nul
        8⤵
        
        PID:1048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A6830~1.EXE > nul
        7⤵
        
        PID:1588
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{67DD7~1.EXE > nul
        6⤵
        
        PID:1440
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8E306~1.EXE > nul
        5⤵
        
        PID:2340
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{3BEDC~1.EXE > nul
      4⤵
      PID:2144
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{C1395~1.EXE > nul
    3⤵
    PID:2740
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2272

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{01D5D312-59B6-413e-AD4A-1EA1DFD27116}.exe

Filesize
408KB

MD5
a77cf225c5e8868cd5846d80f03ff02d

SHA1
ea494e53182d1c16751db754f5e32f4c45e16809

SHA256
7379e951bf71909339955d0844309bd45e5e1faba3b09c921088d782ed5b1ffd

SHA512
8c935a12d29b6b9bf53ecce03df5b81368a30bfb80619fe31aafe0aa97624c814efa11b7dd7553ef68cd8ba83d98939e3dc530179165175e78451edb39cbf9c8

Download Submit
C:\Windows\{0F36CC9F-AFF0-4124-A18D-09B8C0B53437}.exe

Filesize
408KB

MD5
35485b966a0bcc6e1f389be6a2297ff3

SHA1
50f6c56b8871ef2ce372a0769d63a2774a8c2964

SHA256
b13fe63e73fe79bf5700de93aa0b54e7a13314771f93a7b66038455226803948

SHA512
3ede9fd6ce98f951cf4ca529c24586dc4514711a42a5f79f06d599dad42a958d64bc644bc6c217389b8bdc295e2793b4ad08cd2ae3dd17436cb86510b2fac28d

Download Submit
C:\Windows\{3BEDC219-A8F4-4c61-A3B8-B23C65B17BDF}.exe

Filesize
408KB

MD5
97636475c5e64d8340dc8fd8d5a2f4cb

SHA1
cd3fc9e2fe0dd0a0c41a6de345aacf16012c73a6

SHA256
7dc3614d950059f37760ebbc44c4065e6ac6808df0d279fd975af6007142a08c

SHA512
f9e190bc91aa4cbd2145c26fa920eab55a218f94e57d22bc7cc857d1e4c81b7ee076e66f8c17c73e82859edf6e3e3aaf7f949d898e65364eca305583bbf00393

Download Submit
C:\Windows\{6476E178-70F2-49d6-B5DF-3983708DF4DB}.exe

Filesize
408KB

MD5
bbb4da4f316735f30f225f2dfcca8a85

SHA1
34344cb8ddcb252e3fd943f5059b893b392cf06b

SHA256
9f8d5865382599d380deb41c6e1b22964edbb166f4ab1b972feb00a9eefe2095

SHA512
0b6d587713955763ecb69b9d19d27d70ea95caabb404ab6ab0ed5f6cbebe0ff682b3c25c54a80435a483bf97481e3835dcbf7b42387932ca78ac00201b058b4f

Download Submit
C:\Windows\{67DD7A77-B937-4699-9C9A-518571DEBD93}.exe

Filesize
408KB

MD5
fa755086862b4cd8800817d4ebde3127

SHA1
69250288a3c3f6c44c66bb5fbfc319fa7e70b8bf

SHA256
49c7869fa867578d8e74581a9d4659fecfd90fda4c65737ed53cec182c920225

SHA512
eff92ef9126928bcc4576e7d248095f7bc7bcfa5ee227078be0ba02a30a78b470c6ea077eee6f63dc5fab780b06728261463f0fe84626126b63b67371d0c92e5

Download Submit
C:\Windows\{8BE240B8-03C3-4ba0-9FA5-B86ACFC8A7A4}.exe

Filesize
408KB

MD5
462184a19d9b4d55205e4c24217cf238

SHA1
d2b51d2a480bcd1b54f2b908dc5ba378912ff7c3

SHA256
bfb510c038948c0e55bc485eb0584b29f6cab2782d8a973eae5333e9e2b882d3

SHA512
ea71bdf34dec8876a4b4790284fa2fca282948a75869f40379641fe25f24825af4cac9a00ac4a2b99bfce121c2ace907920b24b5a9ee9a4ac9b47ccaf2c59985

Download Submit
C:\Windows\{8E306129-E71C-4b12-A4E7-8FC91E321998}.exe

Filesize
408KB

MD5
dc6cbd514ec3ae594231a0497d8bdbd8

SHA1
2b6f98909ffd580a81422f298ad29d7290bf87ab

SHA256
0f94e456e579df8474f6025a02f2e94a11e6ad575d0427063e6022e109535ced

SHA512
71cab6ddf72d413358ba85d046c8d1a95dbdae5c856fc11b5ae3cd5fd1dc65da4aaa87006aa3eeafa46282b87ccb2c7c5a488be6de46a83b67046bd00540561e

Download Submit
C:\Windows\{A6830D32-B8CE-4562-93B5-B5AFEA79AB52}.exe

Filesize
408KB

MD5
92d36c1e7b1a8ad7439ffeedf51f9c12

SHA1
a70431b592d52b87baf9dd5378fdd1094afcf270

SHA256
59fb805565dbeda3e43a5df52a1a41d1157a4c8df4a390a92a97df6cd9359098

SHA512
827ff641735bc0c87004bc60079c2ee9cdd22103ec6a27b6421b75afc0fbf718c5ae955a423cf54e5787a5d02b2c7e69a3ac718aabdca114574e2ee3e33f5c6a

Download Submit
C:\Windows\{C1395E54-B52A-4fcc-BE86-FC1F33A1DC7D}.exe

Filesize
408KB

MD5
1b6d9b13e6e444f8f3d6cf044c9e376c

SHA1
85a30f6247b01e6b56dd6cb8712ceedcaacc8df4

SHA256
a7da08270dc4854aec31a8c9f6e0b8653b38d256b281a4575e5f01f9319acb78

SHA512
8f9e49d4ba3ef5e91dcd9c855ce308e049208bd24056dc167bd9c8eb53a8da999e2d646b4e5a34aee3c00e875245f2d4c168509e27bb6e7c0f57a95f22a9a152

Download Submit
C:\Windows\{DA91C032-07DC-45cf-9117-71AD9FBCD785}.exe

Filesize
408KB

MD5
67b9ba35f6d6bde963247dddd4c139a6

SHA1
11f9a96fdf084fd744b8220894a5bcc83e4ed016

SHA256
c5e5a53cc2d95560049a7c693337ab9169e9996ea4d46253f65010fa4e8b9af8

SHA512
600082655fafcf8f6630193f6a326b2558e7ff05643c9b10d13346b0f5e618a279dd480f5a1d0e2ed8af2cb3422d025de0a67ef111b779e5220ec7fdfba8892f

Download Submit
C:\Windows\{FA1C830E-BB72-47bc-A6D7-53790D3764C5}.exe

Filesize
408KB

MD5
962b07e959795301a884ed7e6da4f613

SHA1
5ea16639b74ea9b99a4b08187a521d5c434d1c12

SHA256
5edb8235382859a7f14497808fbd737fd7f705a6d876dc56d1f17704b90923a9

SHA512
6f5b02be529869b12254dfbf1483ae6613ea8e920f222fa2934ca621041bd683828651da57fee5971e9e9a309973d8fe8e273df38dc20197fa466abde41d5759

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads