6bb8777789b11b512c70e92d6c732fbf088960cbca26097e5cf473f9d1dc4b37

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
30-04-2024 21:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-30_5d584b36a8e3e14c4cc713e0a6f40fa9_goldeneye.exe
Size

168KB
MD5

5d584b36a8e3e14c4cc713e0a6f40fa9
SHA1

3b7e3b31e01e28db83a840293c80edc72d4a5c99
SHA256

6bb8777789b11b512c70e92d6c732fbf088960cbca26097e5cf473f9d1dc4b37
SHA512

e9db19ad1ce146ef547ec8d78a8422b36e3f782b185c27b65c4648244e25096da520ce722c21e515dbb3dcfefd40260fefc24ab4f5fc4a0226760494b8f2c806
SSDEEP

1536:1EGh0o1lq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0o1lqOPOe2MUVg3Ve+rX

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000c00000001340b-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0031000000015d5e-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d00000001340b-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e00000001340b-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f00000001340b-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001000000001340b-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001100000001340b-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1BAE78B6-EE90-4abf-839D-FDECC8A68D52}\stubpath = "C:\\Windows\\{1BAE78B6-EE90-4abf-839D-FDECC8A68D52}.exe"	{C6C0768A-BF1F-471a-901C-15786A295766}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{14D7F8AB-BF3A-41d4-8B5C-03A1CFDC4E47}	{48F5A7E4-7462-4b9c-ACCB-76C3DAA91623}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DEB25B0F-180F-4a28-B50E-64BED3BEE4B1}	{64E5B2FD-B555-4d35-979A-86D3999FE73D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{48F5A7E4-7462-4b9c-ACCB-76C3DAA91623}	{B7FAEA50-4D13-4c37-B3AB-69094EDA6609}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{14D7F8AB-BF3A-41d4-8B5C-03A1CFDC4E47}\stubpath = "C:\\Windows\\{14D7F8AB-BF3A-41d4-8B5C-03A1CFDC4E47}.exe"	{48F5A7E4-7462-4b9c-ACCB-76C3DAA91623}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{64E5B2FD-B555-4d35-979A-86D3999FE73D}\stubpath = "C:\\Windows\\{64E5B2FD-B555-4d35-979A-86D3999FE73D}.exe"	{14D7F8AB-BF3A-41d4-8B5C-03A1CFDC4E47}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{947EEEE0-1C32-42c9-97CA-445BEED5377E}	{DEB25B0F-180F-4a28-B50E-64BED3BEE4B1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C6C0768A-BF1F-471a-901C-15786A295766}	{5E2A744B-7313-4899-A457-39ED2292F2B6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B7FAEA50-4D13-4c37-B3AB-69094EDA6609}	{1BAE78B6-EE90-4abf-839D-FDECC8A68D52}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B7FAEA50-4D13-4c37-B3AB-69094EDA6609}\stubpath = "C:\\Windows\\{B7FAEA50-4D13-4c37-B3AB-69094EDA6609}.exe"	{1BAE78B6-EE90-4abf-839D-FDECC8A68D52}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5E2A744B-7313-4899-A457-39ED2292F2B6}\stubpath = "C:\\Windows\\{5E2A744B-7313-4899-A457-39ED2292F2B6}.exe"	{609F398A-AA13-4998-8750-56EA11563101}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C6C0768A-BF1F-471a-901C-15786A295766}\stubpath = "C:\\Windows\\{C6C0768A-BF1F-471a-901C-15786A295766}.exe"	{5E2A744B-7313-4899-A457-39ED2292F2B6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{48F5A7E4-7462-4b9c-ACCB-76C3DAA91623}\stubpath = "C:\\Windows\\{48F5A7E4-7462-4b9c-ACCB-76C3DAA91623}.exe"	{B7FAEA50-4D13-4c37-B3AB-69094EDA6609}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{64E5B2FD-B555-4d35-979A-86D3999FE73D}	{14D7F8AB-BF3A-41d4-8B5C-03A1CFDC4E47}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DEB25B0F-180F-4a28-B50E-64BED3BEE4B1}\stubpath = "C:\\Windows\\{DEB25B0F-180F-4a28-B50E-64BED3BEE4B1}.exe"	{64E5B2FD-B555-4d35-979A-86D3999FE73D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2F9A145A-35EE-4bc0-95FF-0FFB07BF8EDB}	2024-04-30_5d584b36a8e3e14c4cc713e0a6f40fa9_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2F9A145A-35EE-4bc0-95FF-0FFB07BF8EDB}\stubpath = "C:\\Windows\\{2F9A145A-35EE-4bc0-95FF-0FFB07BF8EDB}.exe"	2024-04-30_5d584b36a8e3e14c4cc713e0a6f40fa9_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{609F398A-AA13-4998-8750-56EA11563101}\stubpath = "C:\\Windows\\{609F398A-AA13-4998-8750-56EA11563101}.exe"	{2F9A145A-35EE-4bc0-95FF-0FFB07BF8EDB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{947EEEE0-1C32-42c9-97CA-445BEED5377E}\stubpath = "C:\\Windows\\{947EEEE0-1C32-42c9-97CA-445BEED5377E}.exe"	{DEB25B0F-180F-4a28-B50E-64BED3BEE4B1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{609F398A-AA13-4998-8750-56EA11563101}	{2F9A145A-35EE-4bc0-95FF-0FFB07BF8EDB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5E2A744B-7313-4899-A457-39ED2292F2B6}	{609F398A-AA13-4998-8750-56EA11563101}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1BAE78B6-EE90-4abf-839D-FDECC8A68D52}	{C6C0768A-BF1F-471a-901C-15786A295766}.exe

Deletes itself 1 IoCs

pid	Process
3028	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2468	{2F9A145A-35EE-4bc0-95FF-0FFB07BF8EDB}.exe
2800	{609F398A-AA13-4998-8750-56EA11563101}.exe
2928	{5E2A744B-7313-4899-A457-39ED2292F2B6}.exe
1688	{C6C0768A-BF1F-471a-901C-15786A295766}.exe
2684	{1BAE78B6-EE90-4abf-839D-FDECC8A68D52}.exe
1776	{B7FAEA50-4D13-4c37-B3AB-69094EDA6609}.exe
1600	{48F5A7E4-7462-4b9c-ACCB-76C3DAA91623}.exe
872	{14D7F8AB-BF3A-41d4-8B5C-03A1CFDC4E47}.exe
2732	{64E5B2FD-B555-4d35-979A-86D3999FE73D}.exe
1944	{DEB25B0F-180F-4a28-B50E-64BED3BEE4B1}.exe
1784	{947EEEE0-1C32-42c9-97CA-445BEED5377E}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{5E2A744B-7313-4899-A457-39ED2292F2B6}.exe	{609F398A-AA13-4998-8750-56EA11563101}.exe
File created	C:\Windows\{1BAE78B6-EE90-4abf-839D-FDECC8A68D52}.exe	{C6C0768A-BF1F-471a-901C-15786A295766}.exe
File created	C:\Windows\{14D7F8AB-BF3A-41d4-8B5C-03A1CFDC4E47}.exe	{48F5A7E4-7462-4b9c-ACCB-76C3DAA91623}.exe
File created	C:\Windows\{DEB25B0F-180F-4a28-B50E-64BED3BEE4B1}.exe	{64E5B2FD-B555-4d35-979A-86D3999FE73D}.exe
File created	C:\Windows\{947EEEE0-1C32-42c9-97CA-445BEED5377E}.exe	{DEB25B0F-180F-4a28-B50E-64BED3BEE4B1}.exe
File created	C:\Windows\{2F9A145A-35EE-4bc0-95FF-0FFB07BF8EDB}.exe	2024-04-30_5d584b36a8e3e14c4cc713e0a6f40fa9_goldeneye.exe
File created	C:\Windows\{609F398A-AA13-4998-8750-56EA11563101}.exe	{2F9A145A-35EE-4bc0-95FF-0FFB07BF8EDB}.exe
File created	C:\Windows\{C6C0768A-BF1F-471a-901C-15786A295766}.exe	{5E2A744B-7313-4899-A457-39ED2292F2B6}.exe
File created	C:\Windows\{B7FAEA50-4D13-4c37-B3AB-69094EDA6609}.exe	{1BAE78B6-EE90-4abf-839D-FDECC8A68D52}.exe
File created	C:\Windows\{48F5A7E4-7462-4b9c-ACCB-76C3DAA91623}.exe	{B7FAEA50-4D13-4c37-B3AB-69094EDA6609}.exe
File created	C:\Windows\{64E5B2FD-B555-4d35-979A-86D3999FE73D}.exe	{14D7F8AB-BF3A-41d4-8B5C-03A1CFDC4E47}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2000	2024-04-30_5d584b36a8e3e14c4cc713e0a6f40fa9_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2468	{2F9A145A-35EE-4bc0-95FF-0FFB07BF8EDB}.exe
Token: SeIncBasePriorityPrivilege	2800	{609F398A-AA13-4998-8750-56EA11563101}.exe
Token: SeIncBasePriorityPrivilege	2928	{5E2A744B-7313-4899-A457-39ED2292F2B6}.exe
Token: SeIncBasePriorityPrivilege	1688	{C6C0768A-BF1F-471a-901C-15786A295766}.exe
Token: SeIncBasePriorityPrivilege	2684	{1BAE78B6-EE90-4abf-839D-FDECC8A68D52}.exe
Token: SeIncBasePriorityPrivilege	1776	{B7FAEA50-4D13-4c37-B3AB-69094EDA6609}.exe
Token: SeIncBasePriorityPrivilege	1600	{48F5A7E4-7462-4b9c-ACCB-76C3DAA91623}.exe
Token: SeIncBasePriorityPrivilege	872	{14D7F8AB-BF3A-41d4-8B5C-03A1CFDC4E47}.exe
Token: SeIncBasePriorityPrivilege	2732	{64E5B2FD-B555-4d35-979A-86D3999FE73D}.exe
Token: SeIncBasePriorityPrivilege	1944	{DEB25B0F-180F-4a28-B50E-64BED3BEE4B1}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2000 wrote to memory of 2468	2000	2024-04-30_5d584b36a8e3e14c4cc713e0a6f40fa9_goldeneye.exe	28
PID 2000 wrote to memory of 2468	2000	2024-04-30_5d584b36a8e3e14c4cc713e0a6f40fa9_goldeneye.exe	28
PID 2000 wrote to memory of 2468	2000	2024-04-30_5d584b36a8e3e14c4cc713e0a6f40fa9_goldeneye.exe	28
PID 2000 wrote to memory of 2468	2000	2024-04-30_5d584b36a8e3e14c4cc713e0a6f40fa9_goldeneye.exe	28
PID 2000 wrote to memory of 3028	2000	2024-04-30_5d584b36a8e3e14c4cc713e0a6f40fa9_goldeneye.exe	29
PID 2000 wrote to memory of 3028	2000	2024-04-30_5d584b36a8e3e14c4cc713e0a6f40fa9_goldeneye.exe	29
PID 2000 wrote to memory of 3028	2000	2024-04-30_5d584b36a8e3e14c4cc713e0a6f40fa9_goldeneye.exe	29
PID 2000 wrote to memory of 3028	2000	2024-04-30_5d584b36a8e3e14c4cc713e0a6f40fa9_goldeneye.exe	29
PID 2468 wrote to memory of 2800	2468	{2F9A145A-35EE-4bc0-95FF-0FFB07BF8EDB}.exe	30
PID 2468 wrote to memory of 2800	2468	{2F9A145A-35EE-4bc0-95FF-0FFB07BF8EDB}.exe	30
PID 2468 wrote to memory of 2800	2468	{2F9A145A-35EE-4bc0-95FF-0FFB07BF8EDB}.exe	30
PID 2468 wrote to memory of 2800	2468	{2F9A145A-35EE-4bc0-95FF-0FFB07BF8EDB}.exe	30
PID 2468 wrote to memory of 2796	2468	{2F9A145A-35EE-4bc0-95FF-0FFB07BF8EDB}.exe	31
PID 2468 wrote to memory of 2796	2468	{2F9A145A-35EE-4bc0-95FF-0FFB07BF8EDB}.exe	31
PID 2468 wrote to memory of 2796	2468	{2F9A145A-35EE-4bc0-95FF-0FFB07BF8EDB}.exe	31
PID 2468 wrote to memory of 2796	2468	{2F9A145A-35EE-4bc0-95FF-0FFB07BF8EDB}.exe	31
PID 2800 wrote to memory of 2928	2800	{609F398A-AA13-4998-8750-56EA11563101}.exe	32
PID 2800 wrote to memory of 2928	2800	{609F398A-AA13-4998-8750-56EA11563101}.exe	32
PID 2800 wrote to memory of 2928	2800	{609F398A-AA13-4998-8750-56EA11563101}.exe	32
PID 2800 wrote to memory of 2928	2800	{609F398A-AA13-4998-8750-56EA11563101}.exe	32
PID 2800 wrote to memory of 2428	2800	{609F398A-AA13-4998-8750-56EA11563101}.exe	33
PID 2800 wrote to memory of 2428	2800	{609F398A-AA13-4998-8750-56EA11563101}.exe	33
PID 2800 wrote to memory of 2428	2800	{609F398A-AA13-4998-8750-56EA11563101}.exe	33
PID 2800 wrote to memory of 2428	2800	{609F398A-AA13-4998-8750-56EA11563101}.exe	33
PID 2928 wrote to memory of 1688	2928	{5E2A744B-7313-4899-A457-39ED2292F2B6}.exe	36
PID 2928 wrote to memory of 1688	2928	{5E2A744B-7313-4899-A457-39ED2292F2B6}.exe	36
PID 2928 wrote to memory of 1688	2928	{5E2A744B-7313-4899-A457-39ED2292F2B6}.exe	36
PID 2928 wrote to memory of 1688	2928	{5E2A744B-7313-4899-A457-39ED2292F2B6}.exe	36
PID 2928 wrote to memory of 1348	2928	{5E2A744B-7313-4899-A457-39ED2292F2B6}.exe	37
PID 2928 wrote to memory of 1348	2928	{5E2A744B-7313-4899-A457-39ED2292F2B6}.exe	37
PID 2928 wrote to memory of 1348	2928	{5E2A744B-7313-4899-A457-39ED2292F2B6}.exe	37
PID 2928 wrote to memory of 1348	2928	{5E2A744B-7313-4899-A457-39ED2292F2B6}.exe	37
PID 1688 wrote to memory of 2684	1688	{C6C0768A-BF1F-471a-901C-15786A295766}.exe	38
PID 1688 wrote to memory of 2684	1688	{C6C0768A-BF1F-471a-901C-15786A295766}.exe	38
PID 1688 wrote to memory of 2684	1688	{C6C0768A-BF1F-471a-901C-15786A295766}.exe	38
PID 1688 wrote to memory of 2684	1688	{C6C0768A-BF1F-471a-901C-15786A295766}.exe	38
PID 1688 wrote to memory of 1188	1688	{C6C0768A-BF1F-471a-901C-15786A295766}.exe	39
PID 1688 wrote to memory of 1188	1688	{C6C0768A-BF1F-471a-901C-15786A295766}.exe	39
PID 1688 wrote to memory of 1188	1688	{C6C0768A-BF1F-471a-901C-15786A295766}.exe	39
PID 1688 wrote to memory of 1188	1688	{C6C0768A-BF1F-471a-901C-15786A295766}.exe	39
PID 2684 wrote to memory of 1776	2684	{1BAE78B6-EE90-4abf-839D-FDECC8A68D52}.exe	40
PID 2684 wrote to memory of 1776	2684	{1BAE78B6-EE90-4abf-839D-FDECC8A68D52}.exe	40
PID 2684 wrote to memory of 1776	2684	{1BAE78B6-EE90-4abf-839D-FDECC8A68D52}.exe	40
PID 2684 wrote to memory of 1776	2684	{1BAE78B6-EE90-4abf-839D-FDECC8A68D52}.exe	40
PID 2684 wrote to memory of 1896	2684	{1BAE78B6-EE90-4abf-839D-FDECC8A68D52}.exe	41
PID 2684 wrote to memory of 1896	2684	{1BAE78B6-EE90-4abf-839D-FDECC8A68D52}.exe	41
PID 2684 wrote to memory of 1896	2684	{1BAE78B6-EE90-4abf-839D-FDECC8A68D52}.exe	41
PID 2684 wrote to memory of 1896	2684	{1BAE78B6-EE90-4abf-839D-FDECC8A68D52}.exe	41
PID 1776 wrote to memory of 1600	1776	{B7FAEA50-4D13-4c37-B3AB-69094EDA6609}.exe	42
PID 1776 wrote to memory of 1600	1776	{B7FAEA50-4D13-4c37-B3AB-69094EDA6609}.exe	42
PID 1776 wrote to memory of 1600	1776	{B7FAEA50-4D13-4c37-B3AB-69094EDA6609}.exe	42
PID 1776 wrote to memory of 1600	1776	{B7FAEA50-4D13-4c37-B3AB-69094EDA6609}.exe	42
PID 1776 wrote to memory of 2112	1776	{B7FAEA50-4D13-4c37-B3AB-69094EDA6609}.exe	43
PID 1776 wrote to memory of 2112	1776	{B7FAEA50-4D13-4c37-B3AB-69094EDA6609}.exe	43
PID 1776 wrote to memory of 2112	1776	{B7FAEA50-4D13-4c37-B3AB-69094EDA6609}.exe	43
PID 1776 wrote to memory of 2112	1776	{B7FAEA50-4D13-4c37-B3AB-69094EDA6609}.exe	43
PID 1600 wrote to memory of 872	1600	{48F5A7E4-7462-4b9c-ACCB-76C3DAA91623}.exe	44
PID 1600 wrote to memory of 872	1600	{48F5A7E4-7462-4b9c-ACCB-76C3DAA91623}.exe	44
PID 1600 wrote to memory of 872	1600	{48F5A7E4-7462-4b9c-ACCB-76C3DAA91623}.exe	44
PID 1600 wrote to memory of 872	1600	{48F5A7E4-7462-4b9c-ACCB-76C3DAA91623}.exe	44
PID 1600 wrote to memory of 1248	1600	{48F5A7E4-7462-4b9c-ACCB-76C3DAA91623}.exe	45
PID 1600 wrote to memory of 1248	1600	{48F5A7E4-7462-4b9c-ACCB-76C3DAA91623}.exe	45
PID 1600 wrote to memory of 1248	1600	{48F5A7E4-7462-4b9c-ACCB-76C3DAA91623}.exe	45
PID 1600 wrote to memory of 1248	1600	{48F5A7E4-7462-4b9c-ACCB-76C3DAA91623}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-04-30_5d584b36a8e3e14c4cc713e0a6f40fa9_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-30_5d584b36a8e3e14c4cc713e0a6f40fa9_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2000
- C:\Windows\{2F9A145A-35EE-4bc0-95FF-0FFB07BF8EDB}.exe
  C:\Windows\{2F9A145A-35EE-4bc0-95FF-0FFB07BF8EDB}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2468
- - C:\Windows\{609F398A-AA13-4998-8750-56EA11563101}.exe
    C:\Windows\{609F398A-AA13-4998-8750-56EA11563101}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2800
  - - C:\Windows\{5E2A744B-7313-4899-A457-39ED2292F2B6}.exe
      C:\Windows\{5E2A744B-7313-4899-A457-39ED2292F2B6}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2928
    - - C:\Windows\{C6C0768A-BF1F-471a-901C-15786A295766}.exe
        
        C:\Windows\{C6C0768A-BF1F-471a-901C-15786A295766}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1688
      - C:\Windows\{1BAE78B6-EE90-4abf-839D-FDECC8A68D52}.exe
        
        C:\Windows\{1BAE78B6-EE90-4abf-839D-FDECC8A68D52}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2684
        
        C:\Windows\{B7FAEA50-4D13-4c37-B3AB-69094EDA6609}.exe
        
        C:\Windows\{B7FAEA50-4D13-4c37-B3AB-69094EDA6609}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1776
        
        C:\Windows\{48F5A7E4-7462-4b9c-ACCB-76C3DAA91623}.exe
        
        C:\Windows\{48F5A7E4-7462-4b9c-ACCB-76C3DAA91623}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1600
        
        C:\Windows\{14D7F8AB-BF3A-41d4-8B5C-03A1CFDC4E47}.exe
        
        C:\Windows\{14D7F8AB-BF3A-41d4-8B5C-03A1CFDC4E47}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:872
        
        C:\Windows\{64E5B2FD-B555-4d35-979A-86D3999FE73D}.exe
        
        C:\Windows\{64E5B2FD-B555-4d35-979A-86D3999FE73D}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2732
        
        C:\Windows\{DEB25B0F-180F-4a28-B50E-64BED3BEE4B1}.exe
        
        C:\Windows\{DEB25B0F-180F-4a28-B50E-64BED3BEE4B1}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1944
        
        C:\Windows\{947EEEE0-1C32-42c9-97CA-445BEED5377E}.exe
        
        C:\Windows\{947EEEE0-1C32-42c9-97CA-445BEED5377E}.exe
        12⤵
        Executes dropped EXE
        
        PID:1784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DEB25~1.EXE > nul
        12⤵
        
        PID:2772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{64E5B~1.EXE > nul
        11⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{14D7F~1.EXE > nul
        10⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{48F5A~1.EXE > nul
        9⤵
        
        PID:1248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B7FAE~1.EXE > nul
        8⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1BAE7~1.EXE > nul
        7⤵
        
        PID:1896
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C6C07~1.EXE > nul
        6⤵
        
        PID:1188
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5E2A7~1.EXE > nul
        5⤵
        
        PID:1348
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{609F3~1.EXE > nul
      4⤵
      PID:2428
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{2F9A1~1.EXE > nul
    3⤵
    PID:2796
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:3028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{14D7F8AB-BF3A-41d4-8B5C-03A1CFDC4E47}.exe

Filesize
168KB

MD5
95be676bae601d1079c5b17b82658186

SHA1
1322fbd39d19ff5caaca2db551ba7ad12f960b50

SHA256
6c159da748840a2c3affd98c89eed8a4567eb0dbc7c93282b1c3c473b25a3e98

SHA512
86eb8329db1035958ae9a0124b7650ecb77e0f73d355b20b3a00a64cd4f727c5635e85a32c0fb555cbb618f2b866675a1d0dffb51982079510bef8d3e4641892

Download Submit
C:\Windows\{1BAE78B6-EE90-4abf-839D-FDECC8A68D52}.exe

Filesize
168KB

MD5
19e42a0b992b35db7dd798e88f78c711

SHA1
5153a2f579a1bbeabcfa43183a8e561d43c2bc7d

SHA256
1e599958dbe5c954c09daabcb0b4728fbe5de92d7cfa75d3243a72a293357c19

SHA512
a50f15bc83d4b014a9f86e1a7ebeefdb408c16c93897f5ce46ef30ba2331f1633b071d99c2072f7fba1e35afe0473946d5dfafe54fbf101ddcc205f684e63bf5

Download Submit
C:\Windows\{2F9A145A-35EE-4bc0-95FF-0FFB07BF8EDB}.exe

Filesize
168KB

MD5
b8e604c6eb857a2a1e13ded1d174d0f3

SHA1
884c3d39870fb02ebea0d4cb3f1e79076018bfd3

SHA256
5d7ce0e8170d644ccd50218b83de14443c466e2a384fca05882797c321e1ae60

SHA512
7aa838d8fe7b9b94c804da211a4ebb3719b68560eea928e7f53421226dc4f1c3bf7d1cf1aa39d0078e428ed516f0ec48c990af984304c255dc01256c1c0f99b8

Download Submit
C:\Windows\{48F5A7E4-7462-4b9c-ACCB-76C3DAA91623}.exe

Filesize
168KB

MD5
fe1900b5d18432bb9023758123f8089c

SHA1
e0cc62d7a42849f9fff64bd3f2bfeeb23cf4274c

SHA256
83b19ba64602e37f4c0ab28c9f1502073e97003d026e483a26f28776490127e1

SHA512
64a599e7e5bbc4d5bb0599e4f5e5981af18c39f120dfe6b23d226fbd0658dfc4b456dc544280cab8f142a0d4bb628c251d2f75447b9c601bc688e937fdf1be69

Download Submit
C:\Windows\{5E2A744B-7313-4899-A457-39ED2292F2B6}.exe

Filesize
168KB

MD5
f33cd02f1a3aae4fdfd175629557de66

SHA1
432d8eff860f2160f4cdc241a9f6646862d520b1

SHA256
36608cdba62e87aeb61c059bc3617f52a2cf51a049f50cc4b494fbb224c87f2d

SHA512
90b602053f7ca1ca1990731768688c2f629a0cf42484fa380f2ade188d4ae56a43226d39c81eba2b315df0714a32aca74a546ddb6d996323eb387a5b6a7f6860

Download Submit
C:\Windows\{609F398A-AA13-4998-8750-56EA11563101}.exe

Filesize
168KB

MD5
5870854d67f4a37dca03fca2731bdce4

SHA1
d7e48d2e669d6fb43ef3818bab1b00df5131bf6d

SHA256
532bbfbaf74a1db03eeac6cd673e9ebf2e61a8171be2323b4f9b8205ca343253

SHA512
47e35f8b81e4108ea90f46415e2b62ef922f843db5b3db3f32b9a61bf2a58aeffa7daceb0b42d1f9279baf52bb9debec5f8c58aecc4d40148de970fe3792f3ab

Download Submit
C:\Windows\{64E5B2FD-B555-4d35-979A-86D3999FE73D}.exe

Filesize
168KB

MD5
745b9ad7a8b1ed882b88959132d607fb

SHA1
973a78e761e46e05c2c74ab0eb98f49cb2363525

SHA256
18331bb8d7aaf64e0818aa19359333fd7c13b39bb51b45b0d0a43feb7f698f32

SHA512
2bf8be8a196bf21589ae6c114217e3c72f08367b92119320ecf16e2a3eb066ee5d0b8b9e5e1edc036ba6064c8f315d962b14c3bf8781f8a93eb34f2bb4113a6a

Download Submit
C:\Windows\{947EEEE0-1C32-42c9-97CA-445BEED5377E}.exe

Filesize
168KB

MD5
5db064a6dedbaaae474e716631906e2e

SHA1
e86678dcf41e14c2ac4c8ff85189e26fea666893

SHA256
a95b2fedfb87d9694d8036795f04c7d2c2747691f2d7d214de0e3bfb147659b9

SHA512
dd9152d18a20c163a4440146ec01a9ed031a02103573be2778a698b43b79a4ca72a39ccfb73307b5b1b52d11b1f85aba70832f0756658114c0ee4453b51c1cc8

Download Submit
C:\Windows\{B7FAEA50-4D13-4c37-B3AB-69094EDA6609}.exe

Filesize
168KB

MD5
5536400bc0251cd761bf2efd9d852519

SHA1
e1b57b05fd09130fdabcecc1ace047deddb4c840

SHA256
a1b97fddbfaed214a738530f92b146113925c6d0e69d8e24b397d378eaac109d

SHA512
5a39ddad08e32b6463196a35d0c78d432f4945f3e177d949d8e5d39811b584ec94557774b08b49b62d5d4b6b3aaa3e15bf631551acd73d85d001d0ac48dd0e40

Download Submit
C:\Windows\{C6C0768A-BF1F-471a-901C-15786A295766}.exe

Filesize
168KB

MD5
702ecf54d492f80d708bcddac21ad479

SHA1
f8e9ca946b7193453cdf959ea88a905c4fb6c20b

SHA256
ab016514f23c94f17385725ceb770f2fa338425bb1106367b23f7a378fffbf29

SHA512
19f3956d74661d9fd8fb9772fc8bdc571d610ddba9aafda1364276c0901ff9f0e09eedf557ee3c8be2f1ee43f3cee8b820c5144310da7c4c2295d39759e76345

Download Submit
C:\Windows\{DEB25B0F-180F-4a28-B50E-64BED3BEE4B1}.exe

Filesize
168KB

MD5
44534809bcad1203b103218dd5a364a1

SHA1
bf4fede38cbd18a8c91384a3a025003f1e929f0f

SHA256
4ea2a286f3b13d912cf77e8d3aaf70c7ec72af6b219915f612eee63faf682663

SHA512
d3ffcacc084cefec95cff52adff8ba9d202e8c9964510d6b6edffb21427765b91242015b0448531f4e0908a4db91489e7181a7bd185eaf3d850e6f4691ee02d0

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads