c01d8c10fc3471a126736e3baa5a5e2526ef756d53b913c6be8f9a2c2f635eb7

Analysis

max time kernel
144s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
11/05/2024, 01:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c01d8c10fc3471a126736e3baa5a5e2526ef756d53b913c6be8f9a2c2f635eb7.exe
Size

168KB
MD5

213624e4547432f6b8e30670eddaafc9
SHA1

3a65c13e112b200bc4b67ea846169c4fd2dc4fd0
SHA256

c01d8c10fc3471a126736e3baa5a5e2526ef756d53b913c6be8f9a2c2f635eb7
SHA512

a79af212a2e163c933dbdf6817b10dceec888af00cb24f9660fc20e7d0f58278e3a979af5d3d33786c9d4828b8be93014f1f01bd9c1de1bcf28fcfb8e1688b5c
SSDEEP

1536:1EGh0oEli5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oEliOPOe2MUVg3Ve+rX

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000f000000012334-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0039000000012340-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0010000000012334-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x003a000000012340-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x003b000000012340-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x003c000000012340-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x003d000000012340-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5F5B5ED0-816F-4e96-9898-F30028670F8C}	{CB848C98-FCEA-4011-BD4B-F2EA97CFF362}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A1B7D308-4FC7-40ac-808E-C2C8E7AF8DF6}\stubpath = "C:\\Windows\\{A1B7D308-4FC7-40ac-808E-C2C8E7AF8DF6}.exe"	{5F5B5ED0-816F-4e96-9898-F30028670F8C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9DC14B7D-AF60-4d55-90DF-266DAFC785DD}	c01d8c10fc3471a126736e3baa5a5e2526ef756d53b913c6be8f9a2c2f635eb7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{56F2BF1A-0E2B-4cd3-8461-99B8AE2BA051}	{62CF4C28-F14A-47cb-BDC0-89A216B4039C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3A40CC22-9222-4a45-917A-3E753F804032}	{35AC4625-1B26-42dc-9107-A0FED14ACE5D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FE5F1D19-250E-4b7e-A68A-41DDC6EE58AE}	{3A40CC22-9222-4a45-917A-3E753F804032}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{35AC4625-1B26-42dc-9107-A0FED14ACE5D}	{56F2BF1A-0E2B-4cd3-8461-99B8AE2BA051}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CB848C98-FCEA-4011-BD4B-F2EA97CFF362}	{7C67C448-05DC-4cc4-B04D-3D12C9E5EF44}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FE5F1D19-250E-4b7e-A68A-41DDC6EE58AE}\stubpath = "C:\\Windows\\{FE5F1D19-250E-4b7e-A68A-41DDC6EE58AE}.exe"	{3A40CC22-9222-4a45-917A-3E753F804032}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7C67C448-05DC-4cc4-B04D-3D12C9E5EF44}	{A115851C-5B5C-40a9-9875-5051E966FCD8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7C67C448-05DC-4cc4-B04D-3D12C9E5EF44}\stubpath = "C:\\Windows\\{7C67C448-05DC-4cc4-B04D-3D12C9E5EF44}.exe"	{A115851C-5B5C-40a9-9875-5051E966FCD8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CB848C98-FCEA-4011-BD4B-F2EA97CFF362}\stubpath = "C:\\Windows\\{CB848C98-FCEA-4011-BD4B-F2EA97CFF362}.exe"	{7C67C448-05DC-4cc4-B04D-3D12C9E5EF44}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{62CF4C28-F14A-47cb-BDC0-89A216B4039C}	{9DC14B7D-AF60-4d55-90DF-266DAFC785DD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{56F2BF1A-0E2B-4cd3-8461-99B8AE2BA051}\stubpath = "C:\\Windows\\{56F2BF1A-0E2B-4cd3-8461-99B8AE2BA051}.exe"	{62CF4C28-F14A-47cb-BDC0-89A216B4039C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{35AC4625-1B26-42dc-9107-A0FED14ACE5D}\stubpath = "C:\\Windows\\{35AC4625-1B26-42dc-9107-A0FED14ACE5D}.exe"	{56F2BF1A-0E2B-4cd3-8461-99B8AE2BA051}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3A40CC22-9222-4a45-917A-3E753F804032}\stubpath = "C:\\Windows\\{3A40CC22-9222-4a45-917A-3E753F804032}.exe"	{35AC4625-1B26-42dc-9107-A0FED14ACE5D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5F5B5ED0-816F-4e96-9898-F30028670F8C}\stubpath = "C:\\Windows\\{5F5B5ED0-816F-4e96-9898-F30028670F8C}.exe"	{CB848C98-FCEA-4011-BD4B-F2EA97CFF362}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A1B7D308-4FC7-40ac-808E-C2C8E7AF8DF6}	{5F5B5ED0-816F-4e96-9898-F30028670F8C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9DC14B7D-AF60-4d55-90DF-266DAFC785DD}\stubpath = "C:\\Windows\\{9DC14B7D-AF60-4d55-90DF-266DAFC785DD}.exe"	c01d8c10fc3471a126736e3baa5a5e2526ef756d53b913c6be8f9a2c2f635eb7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{62CF4C28-F14A-47cb-BDC0-89A216B4039C}\stubpath = "C:\\Windows\\{62CF4C28-F14A-47cb-BDC0-89A216B4039C}.exe"	{9DC14B7D-AF60-4d55-90DF-266DAFC785DD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A115851C-5B5C-40a9-9875-5051E966FCD8}	{FE5F1D19-250E-4b7e-A68A-41DDC6EE58AE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A115851C-5B5C-40a9-9875-5051E966FCD8}\stubpath = "C:\\Windows\\{A115851C-5B5C-40a9-9875-5051E966FCD8}.exe"	{FE5F1D19-250E-4b7e-A68A-41DDC6EE58AE}.exe

Deletes itself 1 IoCs

pid	Process
2576	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2272	{9DC14B7D-AF60-4d55-90DF-266DAFC785DD}.exe
2300	{62CF4C28-F14A-47cb-BDC0-89A216B4039C}.exe
2608	{56F2BF1A-0E2B-4cd3-8461-99B8AE2BA051}.exe
828	{35AC4625-1B26-42dc-9107-A0FED14ACE5D}.exe
2260	{3A40CC22-9222-4a45-917A-3E753F804032}.exe
1620	{FE5F1D19-250E-4b7e-A68A-41DDC6EE58AE}.exe
2760	{A115851C-5B5C-40a9-9875-5051E966FCD8}.exe
2252	{7C67C448-05DC-4cc4-B04D-3D12C9E5EF44}.exe
2196	{CB848C98-FCEA-4011-BD4B-F2EA97CFF362}.exe
1888	{5F5B5ED0-816F-4e96-9898-F30028670F8C}.exe
924	{A1B7D308-4FC7-40ac-808E-C2C8E7AF8DF6}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{3A40CC22-9222-4a45-917A-3E753F804032}.exe	{35AC4625-1B26-42dc-9107-A0FED14ACE5D}.exe
File created	C:\Windows\{FE5F1D19-250E-4b7e-A68A-41DDC6EE58AE}.exe	{3A40CC22-9222-4a45-917A-3E753F804032}.exe
File created	C:\Windows\{A115851C-5B5C-40a9-9875-5051E966FCD8}.exe	{FE5F1D19-250E-4b7e-A68A-41DDC6EE58AE}.exe
File created	C:\Windows\{A1B7D308-4FC7-40ac-808E-C2C8E7AF8DF6}.exe	{5F5B5ED0-816F-4e96-9898-F30028670F8C}.exe
File created	C:\Windows\{9DC14B7D-AF60-4d55-90DF-266DAFC785DD}.exe	c01d8c10fc3471a126736e3baa5a5e2526ef756d53b913c6be8f9a2c2f635eb7.exe
File created	C:\Windows\{62CF4C28-F14A-47cb-BDC0-89A216B4039C}.exe	{9DC14B7D-AF60-4d55-90DF-266DAFC785DD}.exe
File created	C:\Windows\{56F2BF1A-0E2B-4cd3-8461-99B8AE2BA051}.exe	{62CF4C28-F14A-47cb-BDC0-89A216B4039C}.exe
File created	C:\Windows\{35AC4625-1B26-42dc-9107-A0FED14ACE5D}.exe	{56F2BF1A-0E2B-4cd3-8461-99B8AE2BA051}.exe
File created	C:\Windows\{7C67C448-05DC-4cc4-B04D-3D12C9E5EF44}.exe	{A115851C-5B5C-40a9-9875-5051E966FCD8}.exe
File created	C:\Windows\{CB848C98-FCEA-4011-BD4B-F2EA97CFF362}.exe	{7C67C448-05DC-4cc4-B04D-3D12C9E5EF44}.exe
File created	C:\Windows\{5F5B5ED0-816F-4e96-9898-F30028670F8C}.exe	{CB848C98-FCEA-4011-BD4B-F2EA97CFF362}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1740	c01d8c10fc3471a126736e3baa5a5e2526ef756d53b913c6be8f9a2c2f635eb7.exe
Token: SeIncBasePriorityPrivilege	2272	{9DC14B7D-AF60-4d55-90DF-266DAFC785DD}.exe
Token: SeIncBasePriorityPrivilege	2300	{62CF4C28-F14A-47cb-BDC0-89A216B4039C}.exe
Token: SeIncBasePriorityPrivilege	2608	{56F2BF1A-0E2B-4cd3-8461-99B8AE2BA051}.exe
Token: SeIncBasePriorityPrivilege	828	{35AC4625-1B26-42dc-9107-A0FED14ACE5D}.exe
Token: SeIncBasePriorityPrivilege	2260	{3A40CC22-9222-4a45-917A-3E753F804032}.exe
Token: SeIncBasePriorityPrivilege	1620	{FE5F1D19-250E-4b7e-A68A-41DDC6EE58AE}.exe
Token: SeIncBasePriorityPrivilege	2760	{A115851C-5B5C-40a9-9875-5051E966FCD8}.exe
Token: SeIncBasePriorityPrivilege	2252	{7C67C448-05DC-4cc4-B04D-3D12C9E5EF44}.exe
Token: SeIncBasePriorityPrivilege	2196	{CB848C98-FCEA-4011-BD4B-F2EA97CFF362}.exe
Token: SeIncBasePriorityPrivilege	1888	{5F5B5ED0-816F-4e96-9898-F30028670F8C}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1740 wrote to memory of 2272	1740	c01d8c10fc3471a126736e3baa5a5e2526ef756d53b913c6be8f9a2c2f635eb7.exe	28
PID 1740 wrote to memory of 2272	1740	c01d8c10fc3471a126736e3baa5a5e2526ef756d53b913c6be8f9a2c2f635eb7.exe	28
PID 1740 wrote to memory of 2272	1740	c01d8c10fc3471a126736e3baa5a5e2526ef756d53b913c6be8f9a2c2f635eb7.exe	28
PID 1740 wrote to memory of 2272	1740	c01d8c10fc3471a126736e3baa5a5e2526ef756d53b913c6be8f9a2c2f635eb7.exe	28
PID 1740 wrote to memory of 2576	1740	c01d8c10fc3471a126736e3baa5a5e2526ef756d53b913c6be8f9a2c2f635eb7.exe	29
PID 1740 wrote to memory of 2576	1740	c01d8c10fc3471a126736e3baa5a5e2526ef756d53b913c6be8f9a2c2f635eb7.exe	29
PID 1740 wrote to memory of 2576	1740	c01d8c10fc3471a126736e3baa5a5e2526ef756d53b913c6be8f9a2c2f635eb7.exe	29
PID 1740 wrote to memory of 2576	1740	c01d8c10fc3471a126736e3baa5a5e2526ef756d53b913c6be8f9a2c2f635eb7.exe	29
PID 2272 wrote to memory of 2300	2272	{9DC14B7D-AF60-4d55-90DF-266DAFC785DD}.exe	30
PID 2272 wrote to memory of 2300	2272	{9DC14B7D-AF60-4d55-90DF-266DAFC785DD}.exe	30
PID 2272 wrote to memory of 2300	2272	{9DC14B7D-AF60-4d55-90DF-266DAFC785DD}.exe	30
PID 2272 wrote to memory of 2300	2272	{9DC14B7D-AF60-4d55-90DF-266DAFC785DD}.exe	30
PID 2272 wrote to memory of 2756	2272	{9DC14B7D-AF60-4d55-90DF-266DAFC785DD}.exe	31
PID 2272 wrote to memory of 2756	2272	{9DC14B7D-AF60-4d55-90DF-266DAFC785DD}.exe	31
PID 2272 wrote to memory of 2756	2272	{9DC14B7D-AF60-4d55-90DF-266DAFC785DD}.exe	31
PID 2272 wrote to memory of 2756	2272	{9DC14B7D-AF60-4d55-90DF-266DAFC785DD}.exe	31
PID 2300 wrote to memory of 2608	2300	{62CF4C28-F14A-47cb-BDC0-89A216B4039C}.exe	32
PID 2300 wrote to memory of 2608	2300	{62CF4C28-F14A-47cb-BDC0-89A216B4039C}.exe	32
PID 2300 wrote to memory of 2608	2300	{62CF4C28-F14A-47cb-BDC0-89A216B4039C}.exe	32
PID 2300 wrote to memory of 2608	2300	{62CF4C28-F14A-47cb-BDC0-89A216B4039C}.exe	32
PID 2300 wrote to memory of 2708	2300	{62CF4C28-F14A-47cb-BDC0-89A216B4039C}.exe	33
PID 2300 wrote to memory of 2708	2300	{62CF4C28-F14A-47cb-BDC0-89A216B4039C}.exe	33
PID 2300 wrote to memory of 2708	2300	{62CF4C28-F14A-47cb-BDC0-89A216B4039C}.exe	33
PID 2300 wrote to memory of 2708	2300	{62CF4C28-F14A-47cb-BDC0-89A216B4039C}.exe	33
PID 2608 wrote to memory of 828	2608	{56F2BF1A-0E2B-4cd3-8461-99B8AE2BA051}.exe	34
PID 2608 wrote to memory of 828	2608	{56F2BF1A-0E2B-4cd3-8461-99B8AE2BA051}.exe	34
PID 2608 wrote to memory of 828	2608	{56F2BF1A-0E2B-4cd3-8461-99B8AE2BA051}.exe	34
PID 2608 wrote to memory of 828	2608	{56F2BF1A-0E2B-4cd3-8461-99B8AE2BA051}.exe	34
PID 2608 wrote to memory of 2536	2608	{56F2BF1A-0E2B-4cd3-8461-99B8AE2BA051}.exe	35
PID 2608 wrote to memory of 2536	2608	{56F2BF1A-0E2B-4cd3-8461-99B8AE2BA051}.exe	35
PID 2608 wrote to memory of 2536	2608	{56F2BF1A-0E2B-4cd3-8461-99B8AE2BA051}.exe	35
PID 2608 wrote to memory of 2536	2608	{56F2BF1A-0E2B-4cd3-8461-99B8AE2BA051}.exe	35
PID 828 wrote to memory of 2260	828	{35AC4625-1B26-42dc-9107-A0FED14ACE5D}.exe	38
PID 828 wrote to memory of 2260	828	{35AC4625-1B26-42dc-9107-A0FED14ACE5D}.exe	38
PID 828 wrote to memory of 2260	828	{35AC4625-1B26-42dc-9107-A0FED14ACE5D}.exe	38
PID 828 wrote to memory of 2260	828	{35AC4625-1B26-42dc-9107-A0FED14ACE5D}.exe	38
PID 828 wrote to memory of 2796	828	{35AC4625-1B26-42dc-9107-A0FED14ACE5D}.exe	39
PID 828 wrote to memory of 2796	828	{35AC4625-1B26-42dc-9107-A0FED14ACE5D}.exe	39
PID 828 wrote to memory of 2796	828	{35AC4625-1B26-42dc-9107-A0FED14ACE5D}.exe	39
PID 828 wrote to memory of 2796	828	{35AC4625-1B26-42dc-9107-A0FED14ACE5D}.exe	39
PID 2260 wrote to memory of 1620	2260	{3A40CC22-9222-4a45-917A-3E753F804032}.exe	40
PID 2260 wrote to memory of 1620	2260	{3A40CC22-9222-4a45-917A-3E753F804032}.exe	40
PID 2260 wrote to memory of 1620	2260	{3A40CC22-9222-4a45-917A-3E753F804032}.exe	40
PID 2260 wrote to memory of 1620	2260	{3A40CC22-9222-4a45-917A-3E753F804032}.exe	40
PID 2260 wrote to memory of 2788	2260	{3A40CC22-9222-4a45-917A-3E753F804032}.exe	41
PID 2260 wrote to memory of 2788	2260	{3A40CC22-9222-4a45-917A-3E753F804032}.exe	41
PID 2260 wrote to memory of 2788	2260	{3A40CC22-9222-4a45-917A-3E753F804032}.exe	41
PID 2260 wrote to memory of 2788	2260	{3A40CC22-9222-4a45-917A-3E753F804032}.exe	41
PID 1620 wrote to memory of 2760	1620	{FE5F1D19-250E-4b7e-A68A-41DDC6EE58AE}.exe	42
PID 1620 wrote to memory of 2760	1620	{FE5F1D19-250E-4b7e-A68A-41DDC6EE58AE}.exe	42
PID 1620 wrote to memory of 2760	1620	{FE5F1D19-250E-4b7e-A68A-41DDC6EE58AE}.exe	42
PID 1620 wrote to memory of 2760	1620	{FE5F1D19-250E-4b7e-A68A-41DDC6EE58AE}.exe	42
PID 1620 wrote to memory of 2804	1620	{FE5F1D19-250E-4b7e-A68A-41DDC6EE58AE}.exe	43
PID 1620 wrote to memory of 2804	1620	{FE5F1D19-250E-4b7e-A68A-41DDC6EE58AE}.exe	43
PID 1620 wrote to memory of 2804	1620	{FE5F1D19-250E-4b7e-A68A-41DDC6EE58AE}.exe	43
PID 1620 wrote to memory of 2804	1620	{FE5F1D19-250E-4b7e-A68A-41DDC6EE58AE}.exe	43
PID 2760 wrote to memory of 2252	2760	{A115851C-5B5C-40a9-9875-5051E966FCD8}.exe	44
PID 2760 wrote to memory of 2252	2760	{A115851C-5B5C-40a9-9875-5051E966FCD8}.exe	44
PID 2760 wrote to memory of 2252	2760	{A115851C-5B5C-40a9-9875-5051E966FCD8}.exe	44
PID 2760 wrote to memory of 2252	2760	{A115851C-5B5C-40a9-9875-5051E966FCD8}.exe	44
PID 2760 wrote to memory of 900	2760	{A115851C-5B5C-40a9-9875-5051E966FCD8}.exe	45
PID 2760 wrote to memory of 900	2760	{A115851C-5B5C-40a9-9875-5051E966FCD8}.exe	45
PID 2760 wrote to memory of 900	2760	{A115851C-5B5C-40a9-9875-5051E966FCD8}.exe	45
PID 2760 wrote to memory of 900	2760	{A115851C-5B5C-40a9-9875-5051E966FCD8}.exe	45

C:\Users\Admin\AppData\Local\Temp\c01d8c10fc3471a126736e3baa5a5e2526ef756d53b913c6be8f9a2c2f635eb7.exe
"C:\Users\Admin\AppData\Local\Temp\c01d8c10fc3471a126736e3baa5a5e2526ef756d53b913c6be8f9a2c2f635eb7.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1740
- C:\Windows\{9DC14B7D-AF60-4d55-90DF-266DAFC785DD}.exe
  C:\Windows\{9DC14B7D-AF60-4d55-90DF-266DAFC785DD}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2272
- - C:\Windows\{62CF4C28-F14A-47cb-BDC0-89A216B4039C}.exe
    C:\Windows\{62CF4C28-F14A-47cb-BDC0-89A216B4039C}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2300
  - - C:\Windows\{56F2BF1A-0E2B-4cd3-8461-99B8AE2BA051}.exe
      C:\Windows\{56F2BF1A-0E2B-4cd3-8461-99B8AE2BA051}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2608
    - - C:\Windows\{35AC4625-1B26-42dc-9107-A0FED14ACE5D}.exe
        
        C:\Windows\{35AC4625-1B26-42dc-9107-A0FED14ACE5D}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:828
      - C:\Windows\{3A40CC22-9222-4a45-917A-3E753F804032}.exe
        
        C:\Windows\{3A40CC22-9222-4a45-917A-3E753F804032}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2260
        
        C:\Windows\{FE5F1D19-250E-4b7e-A68A-41DDC6EE58AE}.exe
        
        C:\Windows\{FE5F1D19-250E-4b7e-A68A-41DDC6EE58AE}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1620
        
        C:\Windows\{A115851C-5B5C-40a9-9875-5051E966FCD8}.exe
        
        C:\Windows\{A115851C-5B5C-40a9-9875-5051E966FCD8}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2760
        
        C:\Windows\{7C67C448-05DC-4cc4-B04D-3D12C9E5EF44}.exe
        
        C:\Windows\{7C67C448-05DC-4cc4-B04D-3D12C9E5EF44}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2252
        
        C:\Windows\{CB848C98-FCEA-4011-BD4B-F2EA97CFF362}.exe
        
        C:\Windows\{CB848C98-FCEA-4011-BD4B-F2EA97CFF362}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2196
        
        C:\Windows\{5F5B5ED0-816F-4e96-9898-F30028670F8C}.exe
        
        C:\Windows\{5F5B5ED0-816F-4e96-9898-F30028670F8C}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1888
        
        C:\Windows\{A1B7D308-4FC7-40ac-808E-C2C8E7AF8DF6}.exe
        
        C:\Windows\{A1B7D308-4FC7-40ac-808E-C2C8E7AF8DF6}.exe
        12⤵
        Executes dropped EXE
        
        PID:924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5F5B5~1.EXE > nul
        12⤵
        
        PID:584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CB848~1.EXE > nul
        11⤵
        
        PID:608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7C67C~1.EXE > nul
        10⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A1158~1.EXE > nul
        9⤵
        
        PID:900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FE5F1~1.EXE > nul
        8⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3A40C~1.EXE > nul
        7⤵
        
        PID:2788
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{35AC4~1.EXE > nul
        6⤵
        
        PID:2796
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{56F2B~1.EXE > nul
        5⤵
        
        PID:2536
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{62CF4~1.EXE > nul
      4⤵
      PID:2708
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{9DC14~1.EXE > nul
    3⤵
    PID:2756
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\C01D8C~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{35AC4625-1B26-42dc-9107-A0FED14ACE5D}.exe

Filesize
168KB

MD5
f6dc33b015d679a4ed497c978edea90e

SHA1
8feb5cde5a5f03e48e941bd9a289427125e86069

SHA256
dbd33c02da80a5dc429f852a8dafff236459f966711a1923f238edbffe89c5f7

SHA512
4b9761724c64c696904bc59e94cefbde1b3d07dafee2e9558b284c073697a1b7f27c60f403e9505ac2d186483107ad5d08b6dec1f24bcf673171dac3e1ad423a

Download Submit
C:\Windows\{3A40CC22-9222-4a45-917A-3E753F804032}.exe

Filesize
168KB

MD5
37a1e3b9f8f9fa4eb19477efbea59d26

SHA1
34e103319feb6178e50ec7c785993c9940e1ef74

SHA256
b36abeeb5c2e3ac5c55abf34f9163c818939e53077d187c2b51a077ed12e1b86

SHA512
b0bc4fe127ad0379f475cb99173675fc12be40f94cfde744c8e5cc4eda29b42a04e6d826f4f30d6aad5c5b5abc6efa75c512f900a751a0a73982adc042734e04

Download Submit
C:\Windows\{56F2BF1A-0E2B-4cd3-8461-99B8AE2BA051}.exe

Filesize
168KB

MD5
55ac6c2da73c08047a87389f8f72e9fc

SHA1
25af8e96291b922f59831c42c658755b955261f9

SHA256
9ae940caa829f3e8717bc8ab9a77ea0c7475ba933a50ade3bd9fad9ead4dc759

SHA512
1ed6e8c93309eb975872c5f6971d27af47c40377849c64c4bd169e8fcd60d59430b7bafcea4f513e57dda021083d102e20044e8cfa99e1d93bf1a9d1a44d321d

Download Submit
C:\Windows\{5F5B5ED0-816F-4e96-9898-F30028670F8C}.exe

Filesize
168KB

MD5
77cacb7a1ce05016b3f1c8de8e96ec8b

SHA1
a6d9e7a9938b65b775c3d7ca3d8daeda6f2c6441

SHA256
d8af5d408557e7bcebaf54490a221455bdc4909cec2e8d518dba14fbcca9077e

SHA512
9c024ba6531715f407897058458597c84f4e12724d192899a1b1aff2812e3fb0c26395f59362c718ecca7b6973cbe6ad8c7f241898ce01c1f65f11b133979001

Download Submit
C:\Windows\{62CF4C28-F14A-47cb-BDC0-89A216B4039C}.exe

Filesize
168KB

MD5
949199f1a1846e847afc56e501666a41

SHA1
2208f090fdf4a4070c64007ddf47b2a29cecaea2

SHA256
6874a263c05d9f4bdb3d37e4d4b5f88acb6eca5f014b18204e388057aadcb606

SHA512
2d03dd4b3aa0ce4824ae84889cac1ba740cf8338441c2d464f0074784f8c90f3747560e05b875ff558eb014b2bf220c2048b17e1d06ab7d83fc63d5d05d737d8

Download Submit
C:\Windows\{7C67C448-05DC-4cc4-B04D-3D12C9E5EF44}.exe

Filesize
168KB

MD5
9054dab9ac4affe134c16d65efdbfc6e

SHA1
9bd6ffe8c185edb203baf1c7874fd3e3f6b06e83

SHA256
59f55ff5bb0339ccaa1d6fb1488f000388bb9e5ea5d1a5b877dd4fe7d2517ee6

SHA512
1fc8e047bd6a435757dd1e0b353e521d621a0f5267669848613dd95d7fb43f0b303c09eaf99509e2a0e4e9ac009059d81e53bd1c873c97a05e20ae14fc5e98e2

Download Submit
C:\Windows\{9DC14B7D-AF60-4d55-90DF-266DAFC785DD}.exe

Filesize
168KB

MD5
453503bdc253077105320596537895f6

SHA1
8cad5e8480fb165d74377628e0c75871c9dbb4d8

SHA256
07804b992d6efe6950b59ac999fc773245d18f09e671c9e01a90e81fd0d2da57

SHA512
50edcbb33b487ec71465e131f7fa59ad4a6d64556f7843890ef895f5e1d9f8048e061cfd6d8f9bd30f758e13bc70ec9df5e9bc86715c6783b00af36dc4b50527

Download Submit
C:\Windows\{A115851C-5B5C-40a9-9875-5051E966FCD8}.exe

Filesize
168KB

MD5
a122dbde758baf0ff160eaf024beb28f

SHA1
a8819024a7ec50ccbb4ca08539a23df128e10d06

SHA256
165c102bfdc2c1c17855e250ac515b8363233f515d79c1eb5ba95fbc517b5fba

SHA512
49c747fb713e2ddeb803baf3c0b460dd9f2bf697d5c9520d27116eead33f7362f117943af30700b92776b17030004d9e2a69df7ad5291d0ee1827b7bd2db5031

Download Submit
C:\Windows\{A1B7D308-4FC7-40ac-808E-C2C8E7AF8DF6}.exe

Filesize
168KB

MD5
e5f17c6591c3b188a782ad25f276f3f2

SHA1
ad557cb401c9aac69fab03e89e2a4747e764c09a

SHA256
53f17c2d21d4978a4b869a24228b6855f61b054e67f9554e03fb7fd9e4dfabad

SHA512
964df4de8102bfacc2c3cc3b388aeb20220bc3675e2b392324b470c0d8ecd99932d09f72fca472d90392cdf8a9207a835dfb622e5b32358f8a13e13faa35b7fc

Download Submit
C:\Windows\{CB848C98-FCEA-4011-BD4B-F2EA97CFF362}.exe

Filesize
168KB

MD5
b266c699d57dc0f53663516477f96410

SHA1
ccd6b09256390f08219604efef22138d805bd044

SHA256
1f7c63bd8251a61c33fc836a84ce0afcdc281cb5aa5d8da554f652785ba4d608

SHA512
315fe885cdcf8cbe8cd0b1020319a9a595e660cc3e510aaa03ed2d32c0330307a2619ba2f613312c6dedb8c790d5f08b39e6dec5578db5439b01d5e5ff134aca

Download Submit
C:\Windows\{FE5F1D19-250E-4b7e-A68A-41DDC6EE58AE}.exe

Filesize
168KB

MD5
5b4eeb2cd9c94aba0c0690dbd8888a00

SHA1
69f55d383ac42f9e445ec12c14fb714e1a535c21

SHA256
2429e9c00606ed38cb359ac452f75467eef3562f0b1a88cf4c717201748da4c7

SHA512
c2cd34eabdb077e116840d1844651312a7774d5a85bd929ea3c675f8d08ac33a924c11830a113e4768ddbbec1ee7cccf5689141ee0ecee83f830b7ebe35ae586

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads