343cf76d81bd99a068554f914a429089bbfc8c446fc5056a47bd213349141586

Analysis

max time kernel
144s
max time network
129s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
16/05/2024, 14:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-16_51bd6199a4651fe230a0d039083f0ef2_goldeneye.exe
Size

408KB
MD5

51bd6199a4651fe230a0d039083f0ef2
SHA1

76c091f72d0ddbf1862fc7b03054d6a0be696c2b
SHA256

343cf76d81bd99a068554f914a429089bbfc8c446fc5056a47bd213349141586
SHA512

54b1f7e0f424eb55617b672a08770bc4bc321acfd7fb7e1ab4bb8f0e4b8b6cbd278d384a58f8891e31dc82c09a28e55e7bf5172a99d3bc1fc2d782d2c03abe49
SSDEEP

3072:CEGh0owl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGCldOe2MUVg3vTeKcAEciTBqr3jy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x00090000000143d1-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000014738-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f00000000f680-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a0000000143d1-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000014738-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b0000000143d1-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000014909-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c0000000143d1-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000014a55-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000014a94-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000014aec-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9A45AF8C-AE67-4d4a-B763-1C9AE3E032C4}\stubpath = "C:\\Windows\\{9A45AF8C-AE67-4d4a-B763-1C9AE3E032C4}.exe"	{05771731-2666-4c89-A02D-8C455A4D2619}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{30BB9F3A-C429-4677-87DC-61F97BE20EAA}\stubpath = "C:\\Windows\\{30BB9F3A-C429-4677-87DC-61F97BE20EAA}.exe"	{4059A73E-8EFA-4427-81AD-E20F4D70C7AB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DF85D613-451D-494d-B7DC-75370FCA6C44}\stubpath = "C:\\Windows\\{DF85D613-451D-494d-B7DC-75370FCA6C44}.exe"	{30BB9F3A-C429-4677-87DC-61F97BE20EAA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E3C82DBA-B380-435f-9D22-DF408E7F64FD}\stubpath = "C:\\Windows\\{E3C82DBA-B380-435f-9D22-DF408E7F64FD}.exe"	{DF85D613-451D-494d-B7DC-75370FCA6C44}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1FDEC599-5859-4384-93B5-8C029249EB0F}\stubpath = "C:\\Windows\\{1FDEC599-5859-4384-93B5-8C029249EB0F}.exe"	{AA334761-7E64-48b7-91E9-1E653453AA8A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9A45AF8C-AE67-4d4a-B763-1C9AE3E032C4}	{05771731-2666-4c89-A02D-8C455A4D2619}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{819EBE25-2E28-4cd2-ADE2-DD30F2D46891}	{9A45AF8C-AE67-4d4a-B763-1C9AE3E032C4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{30BB9F3A-C429-4677-87DC-61F97BE20EAA}	{4059A73E-8EFA-4427-81AD-E20F4D70C7AB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AA334761-7E64-48b7-91E9-1E653453AA8A}\stubpath = "C:\\Windows\\{AA334761-7E64-48b7-91E9-1E653453AA8A}.exe"	2024-05-16_51bd6199a4651fe230a0d039083f0ef2_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1FDEC599-5859-4384-93B5-8C029249EB0F}	{AA334761-7E64-48b7-91E9-1E653453AA8A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{214B674D-7881-47f5-BC38-9CF532888B0B}\stubpath = "C:\\Windows\\{214B674D-7881-47f5-BC38-9CF532888B0B}.exe"	{819EBE25-2E28-4cd2-ADE2-DD30F2D46891}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4059A73E-8EFA-4427-81AD-E20F4D70C7AB}	{DFD76C9D-0B11-473c-A4E2-4972EDEE9372}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AA334761-7E64-48b7-91E9-1E653453AA8A}	2024-05-16_51bd6199a4651fe230a0d039083f0ef2_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{819EBE25-2E28-4cd2-ADE2-DD30F2D46891}\stubpath = "C:\\Windows\\{819EBE25-2E28-4cd2-ADE2-DD30F2D46891}.exe"	{9A45AF8C-AE67-4d4a-B763-1C9AE3E032C4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{214B674D-7881-47f5-BC38-9CF532888B0B}	{819EBE25-2E28-4cd2-ADE2-DD30F2D46891}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DFD76C9D-0B11-473c-A4E2-4972EDEE9372}	{214B674D-7881-47f5-BC38-9CF532888B0B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DFD76C9D-0B11-473c-A4E2-4972EDEE9372}\stubpath = "C:\\Windows\\{DFD76C9D-0B11-473c-A4E2-4972EDEE9372}.exe"	{214B674D-7881-47f5-BC38-9CF532888B0B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4059A73E-8EFA-4427-81AD-E20F4D70C7AB}\stubpath = "C:\\Windows\\{4059A73E-8EFA-4427-81AD-E20F4D70C7AB}.exe"	{DFD76C9D-0B11-473c-A4E2-4972EDEE9372}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DF85D613-451D-494d-B7DC-75370FCA6C44}	{30BB9F3A-C429-4677-87DC-61F97BE20EAA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E3C82DBA-B380-435f-9D22-DF408E7F64FD}	{DF85D613-451D-494d-B7DC-75370FCA6C44}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{05771731-2666-4c89-A02D-8C455A4D2619}	{1FDEC599-5859-4384-93B5-8C029249EB0F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{05771731-2666-4c89-A02D-8C455A4D2619}\stubpath = "C:\\Windows\\{05771731-2666-4c89-A02D-8C455A4D2619}.exe"	{1FDEC599-5859-4384-93B5-8C029249EB0F}.exe

Deletes itself 1 IoCs

pid	Process
2516	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2744	{AA334761-7E64-48b7-91E9-1E653453AA8A}.exe
2096	{1FDEC599-5859-4384-93B5-8C029249EB0F}.exe
2436	{05771731-2666-4c89-A02D-8C455A4D2619}.exe
580	{9A45AF8C-AE67-4d4a-B763-1C9AE3E032C4}.exe
1748	{819EBE25-2E28-4cd2-ADE2-DD30F2D46891}.exe
2716	{214B674D-7881-47f5-BC38-9CF532888B0B}.exe
1796	{DFD76C9D-0B11-473c-A4E2-4972EDEE9372}.exe
1636	{4059A73E-8EFA-4427-81AD-E20F4D70C7AB}.exe
1580	{30BB9F3A-C429-4677-87DC-61F97BE20EAA}.exe
2264	{DF85D613-451D-494d-B7DC-75370FCA6C44}.exe
2928	{E3C82DBA-B380-435f-9D22-DF408E7F64FD}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{AA334761-7E64-48b7-91E9-1E653453AA8A}.exe	2024-05-16_51bd6199a4651fe230a0d039083f0ef2_goldeneye.exe
File created	C:\Windows\{9A45AF8C-AE67-4d4a-B763-1C9AE3E032C4}.exe	{05771731-2666-4c89-A02D-8C455A4D2619}.exe
File created	C:\Windows\{819EBE25-2E28-4cd2-ADE2-DD30F2D46891}.exe	{9A45AF8C-AE67-4d4a-B763-1C9AE3E032C4}.exe
File created	C:\Windows\{214B674D-7881-47f5-BC38-9CF532888B0B}.exe	{819EBE25-2E28-4cd2-ADE2-DD30F2D46891}.exe
File created	C:\Windows\{DFD76C9D-0B11-473c-A4E2-4972EDEE9372}.exe	{214B674D-7881-47f5-BC38-9CF532888B0B}.exe
File created	C:\Windows\{30BB9F3A-C429-4677-87DC-61F97BE20EAA}.exe	{4059A73E-8EFA-4427-81AD-E20F4D70C7AB}.exe
File created	C:\Windows\{1FDEC599-5859-4384-93B5-8C029249EB0F}.exe	{AA334761-7E64-48b7-91E9-1E653453AA8A}.exe
File created	C:\Windows\{05771731-2666-4c89-A02D-8C455A4D2619}.exe	{1FDEC599-5859-4384-93B5-8C029249EB0F}.exe
File created	C:\Windows\{4059A73E-8EFA-4427-81AD-E20F4D70C7AB}.exe	{DFD76C9D-0B11-473c-A4E2-4972EDEE9372}.exe
File created	C:\Windows\{DF85D613-451D-494d-B7DC-75370FCA6C44}.exe	{30BB9F3A-C429-4677-87DC-61F97BE20EAA}.exe
File created	C:\Windows\{E3C82DBA-B380-435f-9D22-DF408E7F64FD}.exe	{DF85D613-451D-494d-B7DC-75370FCA6C44}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1612	2024-05-16_51bd6199a4651fe230a0d039083f0ef2_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2744	{AA334761-7E64-48b7-91E9-1E653453AA8A}.exe
Token: SeIncBasePriorityPrivilege	2096	{1FDEC599-5859-4384-93B5-8C029249EB0F}.exe
Token: SeIncBasePriorityPrivilege	2436	{05771731-2666-4c89-A02D-8C455A4D2619}.exe
Token: SeIncBasePriorityPrivilege	580	{9A45AF8C-AE67-4d4a-B763-1C9AE3E032C4}.exe
Token: SeIncBasePriorityPrivilege	1748	{819EBE25-2E28-4cd2-ADE2-DD30F2D46891}.exe
Token: SeIncBasePriorityPrivilege	2716	{214B674D-7881-47f5-BC38-9CF532888B0B}.exe
Token: SeIncBasePriorityPrivilege	1796	{DFD76C9D-0B11-473c-A4E2-4972EDEE9372}.exe
Token: SeIncBasePriorityPrivilege	1636	{4059A73E-8EFA-4427-81AD-E20F4D70C7AB}.exe
Token: SeIncBasePriorityPrivilege	1580	{30BB9F3A-C429-4677-87DC-61F97BE20EAA}.exe
Token: SeIncBasePriorityPrivilege	2264	{DF85D613-451D-494d-B7DC-75370FCA6C44}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1612 wrote to memory of 2744	1612	2024-05-16_51bd6199a4651fe230a0d039083f0ef2_goldeneye.exe	28
PID 1612 wrote to memory of 2744	1612	2024-05-16_51bd6199a4651fe230a0d039083f0ef2_goldeneye.exe	28
PID 1612 wrote to memory of 2744	1612	2024-05-16_51bd6199a4651fe230a0d039083f0ef2_goldeneye.exe	28
PID 1612 wrote to memory of 2744	1612	2024-05-16_51bd6199a4651fe230a0d039083f0ef2_goldeneye.exe	28
PID 1612 wrote to memory of 2516	1612	2024-05-16_51bd6199a4651fe230a0d039083f0ef2_goldeneye.exe	29
PID 1612 wrote to memory of 2516	1612	2024-05-16_51bd6199a4651fe230a0d039083f0ef2_goldeneye.exe	29
PID 1612 wrote to memory of 2516	1612	2024-05-16_51bd6199a4651fe230a0d039083f0ef2_goldeneye.exe	29
PID 1612 wrote to memory of 2516	1612	2024-05-16_51bd6199a4651fe230a0d039083f0ef2_goldeneye.exe	29
PID 2744 wrote to memory of 2096	2744	{AA334761-7E64-48b7-91E9-1E653453AA8A}.exe	32
PID 2744 wrote to memory of 2096	2744	{AA334761-7E64-48b7-91E9-1E653453AA8A}.exe	32
PID 2744 wrote to memory of 2096	2744	{AA334761-7E64-48b7-91E9-1E653453AA8A}.exe	32
PID 2744 wrote to memory of 2096	2744	{AA334761-7E64-48b7-91E9-1E653453AA8A}.exe	32
PID 2744 wrote to memory of 2448	2744	{AA334761-7E64-48b7-91E9-1E653453AA8A}.exe	33
PID 2744 wrote to memory of 2448	2744	{AA334761-7E64-48b7-91E9-1E653453AA8A}.exe	33
PID 2744 wrote to memory of 2448	2744	{AA334761-7E64-48b7-91E9-1E653453AA8A}.exe	33
PID 2744 wrote to memory of 2448	2744	{AA334761-7E64-48b7-91E9-1E653453AA8A}.exe	33
PID 2096 wrote to memory of 2436	2096	{1FDEC599-5859-4384-93B5-8C029249EB0F}.exe	34
PID 2096 wrote to memory of 2436	2096	{1FDEC599-5859-4384-93B5-8C029249EB0F}.exe	34
PID 2096 wrote to memory of 2436	2096	{1FDEC599-5859-4384-93B5-8C029249EB0F}.exe	34
PID 2096 wrote to memory of 2436	2096	{1FDEC599-5859-4384-93B5-8C029249EB0F}.exe	34
PID 2096 wrote to memory of 2496	2096	{1FDEC599-5859-4384-93B5-8C029249EB0F}.exe	35
PID 2096 wrote to memory of 2496	2096	{1FDEC599-5859-4384-93B5-8C029249EB0F}.exe	35
PID 2096 wrote to memory of 2496	2096	{1FDEC599-5859-4384-93B5-8C029249EB0F}.exe	35
PID 2096 wrote to memory of 2496	2096	{1FDEC599-5859-4384-93B5-8C029249EB0F}.exe	35
PID 2436 wrote to memory of 580	2436	{05771731-2666-4c89-A02D-8C455A4D2619}.exe	36
PID 2436 wrote to memory of 580	2436	{05771731-2666-4c89-A02D-8C455A4D2619}.exe	36
PID 2436 wrote to memory of 580	2436	{05771731-2666-4c89-A02D-8C455A4D2619}.exe	36
PID 2436 wrote to memory of 580	2436	{05771731-2666-4c89-A02D-8C455A4D2619}.exe	36
PID 2436 wrote to memory of 1052	2436	{05771731-2666-4c89-A02D-8C455A4D2619}.exe	37
PID 2436 wrote to memory of 1052	2436	{05771731-2666-4c89-A02D-8C455A4D2619}.exe	37
PID 2436 wrote to memory of 1052	2436	{05771731-2666-4c89-A02D-8C455A4D2619}.exe	37
PID 2436 wrote to memory of 1052	2436	{05771731-2666-4c89-A02D-8C455A4D2619}.exe	37
PID 580 wrote to memory of 1748	580	{9A45AF8C-AE67-4d4a-B763-1C9AE3E032C4}.exe	38
PID 580 wrote to memory of 1748	580	{9A45AF8C-AE67-4d4a-B763-1C9AE3E032C4}.exe	38
PID 580 wrote to memory of 1748	580	{9A45AF8C-AE67-4d4a-B763-1C9AE3E032C4}.exe	38
PID 580 wrote to memory of 1748	580	{9A45AF8C-AE67-4d4a-B763-1C9AE3E032C4}.exe	38
PID 580 wrote to memory of 1336	580	{9A45AF8C-AE67-4d4a-B763-1C9AE3E032C4}.exe	39
PID 580 wrote to memory of 1336	580	{9A45AF8C-AE67-4d4a-B763-1C9AE3E032C4}.exe	39
PID 580 wrote to memory of 1336	580	{9A45AF8C-AE67-4d4a-B763-1C9AE3E032C4}.exe	39
PID 580 wrote to memory of 1336	580	{9A45AF8C-AE67-4d4a-B763-1C9AE3E032C4}.exe	39
PID 1748 wrote to memory of 2716	1748	{819EBE25-2E28-4cd2-ADE2-DD30F2D46891}.exe	40
PID 1748 wrote to memory of 2716	1748	{819EBE25-2E28-4cd2-ADE2-DD30F2D46891}.exe	40
PID 1748 wrote to memory of 2716	1748	{819EBE25-2E28-4cd2-ADE2-DD30F2D46891}.exe	40
PID 1748 wrote to memory of 2716	1748	{819EBE25-2E28-4cd2-ADE2-DD30F2D46891}.exe	40
PID 1748 wrote to memory of 2832	1748	{819EBE25-2E28-4cd2-ADE2-DD30F2D46891}.exe	41
PID 1748 wrote to memory of 2832	1748	{819EBE25-2E28-4cd2-ADE2-DD30F2D46891}.exe	41
PID 1748 wrote to memory of 2832	1748	{819EBE25-2E28-4cd2-ADE2-DD30F2D46891}.exe	41
PID 1748 wrote to memory of 2832	1748	{819EBE25-2E28-4cd2-ADE2-DD30F2D46891}.exe	41
PID 2716 wrote to memory of 1796	2716	{214B674D-7881-47f5-BC38-9CF532888B0B}.exe	42
PID 2716 wrote to memory of 1796	2716	{214B674D-7881-47f5-BC38-9CF532888B0B}.exe	42
PID 2716 wrote to memory of 1796	2716	{214B674D-7881-47f5-BC38-9CF532888B0B}.exe	42
PID 2716 wrote to memory of 1796	2716	{214B674D-7881-47f5-BC38-9CF532888B0B}.exe	42
PID 2716 wrote to memory of 1500	2716	{214B674D-7881-47f5-BC38-9CF532888B0B}.exe	43
PID 2716 wrote to memory of 1500	2716	{214B674D-7881-47f5-BC38-9CF532888B0B}.exe	43
PID 2716 wrote to memory of 1500	2716	{214B674D-7881-47f5-BC38-9CF532888B0B}.exe	43
PID 2716 wrote to memory of 1500	2716	{214B674D-7881-47f5-BC38-9CF532888B0B}.exe	43
PID 1796 wrote to memory of 1636	1796	{DFD76C9D-0B11-473c-A4E2-4972EDEE9372}.exe	44
PID 1796 wrote to memory of 1636	1796	{DFD76C9D-0B11-473c-A4E2-4972EDEE9372}.exe	44
PID 1796 wrote to memory of 1636	1796	{DFD76C9D-0B11-473c-A4E2-4972EDEE9372}.exe	44
PID 1796 wrote to memory of 1636	1796	{DFD76C9D-0B11-473c-A4E2-4972EDEE9372}.exe	44
PID 1796 wrote to memory of 2024	1796	{DFD76C9D-0B11-473c-A4E2-4972EDEE9372}.exe	45
PID 1796 wrote to memory of 2024	1796	{DFD76C9D-0B11-473c-A4E2-4972EDEE9372}.exe	45
PID 1796 wrote to memory of 2024	1796	{DFD76C9D-0B11-473c-A4E2-4972EDEE9372}.exe	45
PID 1796 wrote to memory of 2024	1796	{DFD76C9D-0B11-473c-A4E2-4972EDEE9372}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-05-16_51bd6199a4651fe230a0d039083f0ef2_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-16_51bd6199a4651fe230a0d039083f0ef2_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1612
- C:\Windows\{AA334761-7E64-48b7-91E9-1E653453AA8A}.exe
  C:\Windows\{AA334761-7E64-48b7-91E9-1E653453AA8A}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2744
- - C:\Windows\{1FDEC599-5859-4384-93B5-8C029249EB0F}.exe
    C:\Windows\{1FDEC599-5859-4384-93B5-8C029249EB0F}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2096
  - - C:\Windows\{05771731-2666-4c89-A02D-8C455A4D2619}.exe
      C:\Windows\{05771731-2666-4c89-A02D-8C455A4D2619}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2436
    - - C:\Windows\{9A45AF8C-AE67-4d4a-B763-1C9AE3E032C4}.exe
        
        C:\Windows\{9A45AF8C-AE67-4d4a-B763-1C9AE3E032C4}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:580
      - C:\Windows\{819EBE25-2E28-4cd2-ADE2-DD30F2D46891}.exe
        
        C:\Windows\{819EBE25-2E28-4cd2-ADE2-DD30F2D46891}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1748
        
        C:\Windows\{214B674D-7881-47f5-BC38-9CF532888B0B}.exe
        
        C:\Windows\{214B674D-7881-47f5-BC38-9CF532888B0B}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2716
        
        C:\Windows\{DFD76C9D-0B11-473c-A4E2-4972EDEE9372}.exe
        
        C:\Windows\{DFD76C9D-0B11-473c-A4E2-4972EDEE9372}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1796
        
        C:\Windows\{4059A73E-8EFA-4427-81AD-E20F4D70C7AB}.exe
        
        C:\Windows\{4059A73E-8EFA-4427-81AD-E20F4D70C7AB}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1636
        
        C:\Windows\{30BB9F3A-C429-4677-87DC-61F97BE20EAA}.exe
        
        C:\Windows\{30BB9F3A-C429-4677-87DC-61F97BE20EAA}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1580
        
        C:\Windows\{DF85D613-451D-494d-B7DC-75370FCA6C44}.exe
        
        C:\Windows\{DF85D613-451D-494d-B7DC-75370FCA6C44}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2264
        
        C:\Windows\{E3C82DBA-B380-435f-9D22-DF408E7F64FD}.exe
        
        C:\Windows\{E3C82DBA-B380-435f-9D22-DF408E7F64FD}.exe
        12⤵
        Executes dropped EXE
        
        PID:2928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DF85D~1.EXE > nul
        12⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{30BB9~1.EXE > nul
        11⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4059A~1.EXE > nul
        10⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DFD76~1.EXE > nul
        9⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{214B6~1.EXE > nul
        8⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{819EB~1.EXE > nul
        7⤵
        
        PID:2832
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9A45A~1.EXE > nul
        6⤵
        
        PID:1336
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{05771~1.EXE > nul
        5⤵
        
        PID:1052
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{1FDEC~1.EXE > nul
      4⤵
      PID:2496
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{AA334~1.EXE > nul
    3⤵
    PID:2448
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{05771731-2666-4c89-A02D-8C455A4D2619}.exe

Filesize
408KB

MD5
1515eb1695a93423991994c059f661f7

SHA1
ad2f9873cc22caa2af9609996dd3eb1866777dc0

SHA256
0626408c25c1f026afaa7306f34fd602bf411cf57d8caa2a53d4736a333ff09e

SHA512
07f7db43fef67f097c0391940d5263109688e54d27268c4d4525a281aa77951e201c9d1e114c49586ffe279f5a934cd012e5e64f51e7e340931e23ca6e057d0f

Download Submit
C:\Windows\{1FDEC599-5859-4384-93B5-8C029249EB0F}.exe

Filesize
408KB

MD5
654c85db6012aa333e6ff2bbb2a8aeae

SHA1
afe2f4469eadfe77aa0d1444393f60ce71b6af49

SHA256
b75865713a0467be88c0a207d6ed6341e24419e167eb1ef1e2e67ac7e8e8b03e

SHA512
6f94947b3c8cb9c381f73c509865b6d705cbac92b2efe12b9b722e1a0a67c4c18a42057f72c029b4ba37125ab6b2f332a8c9bcbbf80963b69c575136661aba31

Download Submit
C:\Windows\{214B674D-7881-47f5-BC38-9CF532888B0B}.exe

Filesize
408KB

MD5
c9280c66b2b8f18e8209169276e65a98

SHA1
8d2be8ee53adcbd8a7da2bcf336d95e6f4f8fbf6

SHA256
053b64c882da08ab200cb44dd52f9cdcbde05efc896fd765747fe06d820f289e

SHA512
c1820655874bf7ef3955407c88e31a3ccdb7e441ee800d6c3a3d7e589fb95bdad392e6218b479925feb3ad97073a155b292382b3cad29b4e51614a1be0eec321

Download Submit
C:\Windows\{30BB9F3A-C429-4677-87DC-61F97BE20EAA}.exe

Filesize
408KB

MD5
7c50a3b25e38eded9bec8fb877cf02f2

SHA1
d48c21566be53f63afcf248804f78647fa955e86

SHA256
f5270f9864dc0d00e0b2da02bdf2d50de51d3349de6ea1d6b922d4d1198fb214

SHA512
3c5a75c9f9ad3412897042cacb957f725a7b71accbe1c50a372d6fcbfbf2cc8459407a0cf836fa5bc5bb5e7425b74eec259baef6c10e4f5a0b994ab9cbfd63a4

Download Submit
C:\Windows\{4059A73E-8EFA-4427-81AD-E20F4D70C7AB}.exe

Filesize
408KB

MD5
4d453d7c070f9d5e7040ee51f95683e9

SHA1
4b939d85c7efdc21cdd6f272f3036c2f96f3e1e8

SHA256
2c7fb1b9dbd913c725c16b6730f2806ec477ccc6058601e84ce35983cbfda986

SHA512
782a0ec1b0d33f0b25fd2d0894ac7e9426a536a9e7806d4887c955d1ce6ba509fa1da25374b88f275451eebd970f17bea8c999e00cc2ce9371523b502d8e0934

Download Submit
C:\Windows\{819EBE25-2E28-4cd2-ADE2-DD30F2D46891}.exe

Filesize
408KB

MD5
eb80b04eabc4e6318fa4a4173f052d78

SHA1
cffe7f5cff8de03931bdcddf2e1194adeef504b1

SHA256
33ff9f5fe322910aa7ba3f9b6ec351728cca94f5f92b5c82ba5596fbf1a5dd46

SHA512
ecc9a917d09ff983f0bfe7f3448e8a574942412a12a44c888911601c1df8dcf88e2751eff7bfcec0b590cccd77224d7fcd1cd4e895cbeba2e28cc167dd765e88

Download Submit
C:\Windows\{9A45AF8C-AE67-4d4a-B763-1C9AE3E032C4}.exe

Filesize
408KB

MD5
b82a0214ba840218c132440515b81dba

SHA1
6cf5ef821b8e294c2fa2a9a39029d7f85bf69629

SHA256
9b7eb1f66e840ca4f8a5e3f68d6027c23be5183fd3dc435085761d87a1b74084

SHA512
a3544fc20b39554c447b1675f6038d26d9c25d69ad8341ace3c4d7117376b9fa33e080dab9cbf26324ecf574f25889443ef65458161825694c9dda731265b312

Download Submit
C:\Windows\{AA334761-7E64-48b7-91E9-1E653453AA8A}.exe

Filesize
408KB

MD5
16a651f30485da24ef6255fc33ba1694

SHA1
671ed2f4d5916a69c597a273db28034c5c4402a0

SHA256
1b7998cc5d989d328c456f7cb9277b283d2e59f58431e089dfd102cdb05bdd25

SHA512
de5a5edea475347babf09c7dceaa15246fb9fcceda1be4ac98524e8e03bd66365b2fa3dda15aad06a36f537b1c74c540f145fc76d9569720445f03df116e8288

Download Submit
C:\Windows\{DF85D613-451D-494d-B7DC-75370FCA6C44}.exe

Filesize
408KB

MD5
73546165a22a86cb83930b9fe0b8c60d

SHA1
39ee3f634635b4a7007ea073ea27b6b2dfd1446d

SHA256
629c32747d98861190a5fb58f6b0da1c9c8a21ebfb88b2fe074483d74c806ce5

SHA512
9ef8d5c86476d87d6eabb3dd6c728f7b59f34b505068d01b2157385e2c4dc4fe6a3db6420ffe9e51200881f3ecf3b6d14172d33862d8cf4c5ffb6827d05b135a

Download Submit
C:\Windows\{DFD76C9D-0B11-473c-A4E2-4972EDEE9372}.exe

Filesize
408KB

MD5
f21f9278e39c2c8d56d9d099d5b7de1b

SHA1
0b461609b2abba4a18bcee3c9fcd53b631f081fa

SHA256
01434cc85d7bc50f932cba733cf472047d076a90524b627cc20a2c1c47e3b3de

SHA512
6e77497600b01a4d96433dd608bfd09dab01a865b9c4bba64936aefc4cd27438d2c62cdfceed8a5afb8570773e2503548fcb56dd01c076f1667fd558946515cc

Download Submit
C:\Windows\{E3C82DBA-B380-435f-9D22-DF408E7F64FD}.exe

Filesize
408KB

MD5
9c3745d36c86a00029ce2b61f7b6ad62

SHA1
a0756f5d6fbf5e6038b0ce2ac0ec9ad30519f6c1

SHA256
962c0da808944945779ee20c851f1f11836cc727a786ab19aba313c76f318678

SHA512
84257e201a286c3bd9201696814595f4a6ea17a72fe280992c6d24d37a4bc0e58df4e8b01ce348261c687e368c6692a01b48dabbfc50998c76b8eeb3731cf1a4

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads