5eab239bb3f4235f54c8f2e7e594c3258f47aea4aa0c1ee9f078a1c0f6a705b1

Analysis

max time kernel
144s
max time network
126s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
07/06/2024, 17:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-07_063cae50d88b087e665e90441c154026_goldeneye.exe
Size

344KB
MD5

063cae50d88b087e665e90441c154026
SHA1

36881913c7708e6ed7989f81bddf8d97f46ef387
SHA256

5eab239bb3f4235f54c8f2e7e594c3258f47aea4aa0c1ee9f078a1c0f6a705b1
SHA512

c1f532aab434d9b9e02109b589e714df408aa1211c461fc67d4a3b85feae5816397e0e3cc5f6dcd9aeaad07d294f4ee027a03ad357a2e568ba5f86c6b1210aa1
SSDEEP

3072:mEGh0o9lEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGflqOe2MUVg3v2IneKcAEcA

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000c00000001445e-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002d000000014a55-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f00000000f680-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002e000000014a55-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001000000000f680-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002f000000014a55-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001100000000f680-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0030000000014a55-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001200000000f680-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0031000000014a55-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000014c67-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{34AF8AD2-9B5D-4929-B3E2-286EFC706142}\stubpath = "C:\\Windows\\{34AF8AD2-9B5D-4929-B3E2-286EFC706142}.exe"	{69205BD9-744E-4b53-9A21-25A7316B3D3D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1BB565E9-F8F7-4bb3-B11D-B1A0129DB0B1}	{80FAE068-1E8A-4bf9-A60B-D404476B0D7E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FE362263-71C7-43b1-A3CF-A3C082DA72FD}	{C333D7FF-2D63-4e7c-9493-5143163179B1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FE362263-71C7-43b1-A3CF-A3C082DA72FD}\stubpath = "C:\\Windows\\{FE362263-71C7-43b1-A3CF-A3C082DA72FD}.exe"	{C333D7FF-2D63-4e7c-9493-5143163179B1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D4B9979C-ED27-4b50-8CC7-6C7E769CFEC6}\stubpath = "C:\\Windows\\{D4B9979C-ED27-4b50-8CC7-6C7E769CFEC6}.exe"	{FE362263-71C7-43b1-A3CF-A3C082DA72FD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{34AF8AD2-9B5D-4929-B3E2-286EFC706142}	{69205BD9-744E-4b53-9A21-25A7316B3D3D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6AB4A219-A333-43a4-9319-FC03FF17DF47}\stubpath = "C:\\Windows\\{6AB4A219-A333-43a4-9319-FC03FF17DF47}.exe"	{34AF8AD2-9B5D-4929-B3E2-286EFC706142}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{98F42D1F-3D1D-478a-BC17-4CFC07F6B4BD}\stubpath = "C:\\Windows\\{98F42D1F-3D1D-478a-BC17-4CFC07F6B4BD}.exe"	{6AB4A219-A333-43a4-9319-FC03FF17DF47}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{249CF942-4D30-46cc-85C5-BE43BE5E57AE}	{98F42D1F-3D1D-478a-BC17-4CFC07F6B4BD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{249CF942-4D30-46cc-85C5-BE43BE5E57AE}\stubpath = "C:\\Windows\\{249CF942-4D30-46cc-85C5-BE43BE5E57AE}.exe"	{98F42D1F-3D1D-478a-BC17-4CFC07F6B4BD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6765CF42-714C-41a9-940B-120EB0E4A667}	{249CF942-4D30-46cc-85C5-BE43BE5E57AE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{80FAE068-1E8A-4bf9-A60B-D404476B0D7E}	2024-06-07_063cae50d88b087e665e90441c154026_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{69205BD9-744E-4b53-9A21-25A7316B3D3D}\stubpath = "C:\\Windows\\{69205BD9-744E-4b53-9A21-25A7316B3D3D}.exe"	{D4B9979C-ED27-4b50-8CC7-6C7E769CFEC6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{98F42D1F-3D1D-478a-BC17-4CFC07F6B4BD}	{6AB4A219-A333-43a4-9319-FC03FF17DF47}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6765CF42-714C-41a9-940B-120EB0E4A667}\stubpath = "C:\\Windows\\{6765CF42-714C-41a9-940B-120EB0E4A667}.exe"	{249CF942-4D30-46cc-85C5-BE43BE5E57AE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{69205BD9-744E-4b53-9A21-25A7316B3D3D}	{D4B9979C-ED27-4b50-8CC7-6C7E769CFEC6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6AB4A219-A333-43a4-9319-FC03FF17DF47}	{34AF8AD2-9B5D-4929-B3E2-286EFC706142}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{80FAE068-1E8A-4bf9-A60B-D404476B0D7E}\stubpath = "C:\\Windows\\{80FAE068-1E8A-4bf9-A60B-D404476B0D7E}.exe"	2024-06-07_063cae50d88b087e665e90441c154026_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1BB565E9-F8F7-4bb3-B11D-B1A0129DB0B1}\stubpath = "C:\\Windows\\{1BB565E9-F8F7-4bb3-B11D-B1A0129DB0B1}.exe"	{80FAE068-1E8A-4bf9-A60B-D404476B0D7E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C333D7FF-2D63-4e7c-9493-5143163179B1}	{1BB565E9-F8F7-4bb3-B11D-B1A0129DB0B1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C333D7FF-2D63-4e7c-9493-5143163179B1}\stubpath = "C:\\Windows\\{C333D7FF-2D63-4e7c-9493-5143163179B1}.exe"	{1BB565E9-F8F7-4bb3-B11D-B1A0129DB0B1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D4B9979C-ED27-4b50-8CC7-6C7E769CFEC6}	{FE362263-71C7-43b1-A3CF-A3C082DA72FD}.exe

Deletes itself 1 IoCs

pid	Process
2492	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
1940	{80FAE068-1E8A-4bf9-A60B-D404476B0D7E}.exe
2748	{1BB565E9-F8F7-4bb3-B11D-B1A0129DB0B1}.exe
2452	{C333D7FF-2D63-4e7c-9493-5143163179B1}.exe
1568	{FE362263-71C7-43b1-A3CF-A3C082DA72FD}.exe
1516	{D4B9979C-ED27-4b50-8CC7-6C7E769CFEC6}.exe
1128	{69205BD9-744E-4b53-9A21-25A7316B3D3D}.exe
1472	{34AF8AD2-9B5D-4929-B3E2-286EFC706142}.exe
2136	{6AB4A219-A333-43a4-9319-FC03FF17DF47}.exe
1140	{98F42D1F-3D1D-478a-BC17-4CFC07F6B4BD}.exe
1756	{249CF942-4D30-46cc-85C5-BE43BE5E57AE}.exe
2924	{6765CF42-714C-41a9-940B-120EB0E4A667}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{1BB565E9-F8F7-4bb3-B11D-B1A0129DB0B1}.exe	{80FAE068-1E8A-4bf9-A60B-D404476B0D7E}.exe
File created	C:\Windows\{FE362263-71C7-43b1-A3CF-A3C082DA72FD}.exe	{C333D7FF-2D63-4e7c-9493-5143163179B1}.exe
File created	C:\Windows\{69205BD9-744E-4b53-9A21-25A7316B3D3D}.exe	{D4B9979C-ED27-4b50-8CC7-6C7E769CFEC6}.exe
File created	C:\Windows\{34AF8AD2-9B5D-4929-B3E2-286EFC706142}.exe	{69205BD9-744E-4b53-9A21-25A7316B3D3D}.exe
File created	C:\Windows\{249CF942-4D30-46cc-85C5-BE43BE5E57AE}.exe	{98F42D1F-3D1D-478a-BC17-4CFC07F6B4BD}.exe
File created	C:\Windows\{6765CF42-714C-41a9-940B-120EB0E4A667}.exe	{249CF942-4D30-46cc-85C5-BE43BE5E57AE}.exe
File created	C:\Windows\{80FAE068-1E8A-4bf9-A60B-D404476B0D7E}.exe	2024-06-07_063cae50d88b087e665e90441c154026_goldeneye.exe
File created	C:\Windows\{C333D7FF-2D63-4e7c-9493-5143163179B1}.exe	{1BB565E9-F8F7-4bb3-B11D-B1A0129DB0B1}.exe
File created	C:\Windows\{D4B9979C-ED27-4b50-8CC7-6C7E769CFEC6}.exe	{FE362263-71C7-43b1-A3CF-A3C082DA72FD}.exe
File created	C:\Windows\{6AB4A219-A333-43a4-9319-FC03FF17DF47}.exe	{34AF8AD2-9B5D-4929-B3E2-286EFC706142}.exe
File created	C:\Windows\{98F42D1F-3D1D-478a-BC17-4CFC07F6B4BD}.exe	{6AB4A219-A333-43a4-9319-FC03FF17DF47}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2248	2024-06-07_063cae50d88b087e665e90441c154026_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1940	{80FAE068-1E8A-4bf9-A60B-D404476B0D7E}.exe
Token: SeIncBasePriorityPrivilege	2748	{1BB565E9-F8F7-4bb3-B11D-B1A0129DB0B1}.exe
Token: SeIncBasePriorityPrivilege	2452	{C333D7FF-2D63-4e7c-9493-5143163179B1}.exe
Token: SeIncBasePriorityPrivilege	1568	{FE362263-71C7-43b1-A3CF-A3C082DA72FD}.exe
Token: SeIncBasePriorityPrivilege	1516	{D4B9979C-ED27-4b50-8CC7-6C7E769CFEC6}.exe
Token: SeIncBasePriorityPrivilege	1128	{69205BD9-744E-4b53-9A21-25A7316B3D3D}.exe
Token: SeIncBasePriorityPrivilege	1472	{34AF8AD2-9B5D-4929-B3E2-286EFC706142}.exe
Token: SeIncBasePriorityPrivilege	2136	{6AB4A219-A333-43a4-9319-FC03FF17DF47}.exe
Token: SeIncBasePriorityPrivilege	1140	{98F42D1F-3D1D-478a-BC17-4CFC07F6B4BD}.exe
Token: SeIncBasePriorityPrivilege	1756	{249CF942-4D30-46cc-85C5-BE43BE5E57AE}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2248 wrote to memory of 1940	2248	2024-06-07_063cae50d88b087e665e90441c154026_goldeneye.exe	28
PID 2248 wrote to memory of 1940	2248	2024-06-07_063cae50d88b087e665e90441c154026_goldeneye.exe	28
PID 2248 wrote to memory of 1940	2248	2024-06-07_063cae50d88b087e665e90441c154026_goldeneye.exe	28
PID 2248 wrote to memory of 1940	2248	2024-06-07_063cae50d88b087e665e90441c154026_goldeneye.exe	28
PID 2248 wrote to memory of 2492	2248	2024-06-07_063cae50d88b087e665e90441c154026_goldeneye.exe	29
PID 2248 wrote to memory of 2492	2248	2024-06-07_063cae50d88b087e665e90441c154026_goldeneye.exe	29
PID 2248 wrote to memory of 2492	2248	2024-06-07_063cae50d88b087e665e90441c154026_goldeneye.exe	29
PID 2248 wrote to memory of 2492	2248	2024-06-07_063cae50d88b087e665e90441c154026_goldeneye.exe	29
PID 1940 wrote to memory of 2748	1940	{80FAE068-1E8A-4bf9-A60B-D404476B0D7E}.exe	30
PID 1940 wrote to memory of 2748	1940	{80FAE068-1E8A-4bf9-A60B-D404476B0D7E}.exe	30
PID 1940 wrote to memory of 2748	1940	{80FAE068-1E8A-4bf9-A60B-D404476B0D7E}.exe	30
PID 1940 wrote to memory of 2748	1940	{80FAE068-1E8A-4bf9-A60B-D404476B0D7E}.exe	30
PID 1940 wrote to memory of 2624	1940	{80FAE068-1E8A-4bf9-A60B-D404476B0D7E}.exe	31
PID 1940 wrote to memory of 2624	1940	{80FAE068-1E8A-4bf9-A60B-D404476B0D7E}.exe	31
PID 1940 wrote to memory of 2624	1940	{80FAE068-1E8A-4bf9-A60B-D404476B0D7E}.exe	31
PID 1940 wrote to memory of 2624	1940	{80FAE068-1E8A-4bf9-A60B-D404476B0D7E}.exe	31
PID 2748 wrote to memory of 2452	2748	{1BB565E9-F8F7-4bb3-B11D-B1A0129DB0B1}.exe	34
PID 2748 wrote to memory of 2452	2748	{1BB565E9-F8F7-4bb3-B11D-B1A0129DB0B1}.exe	34
PID 2748 wrote to memory of 2452	2748	{1BB565E9-F8F7-4bb3-B11D-B1A0129DB0B1}.exe	34
PID 2748 wrote to memory of 2452	2748	{1BB565E9-F8F7-4bb3-B11D-B1A0129DB0B1}.exe	34
PID 2748 wrote to memory of 2824	2748	{1BB565E9-F8F7-4bb3-B11D-B1A0129DB0B1}.exe	35
PID 2748 wrote to memory of 2824	2748	{1BB565E9-F8F7-4bb3-B11D-B1A0129DB0B1}.exe	35
PID 2748 wrote to memory of 2824	2748	{1BB565E9-F8F7-4bb3-B11D-B1A0129DB0B1}.exe	35
PID 2748 wrote to memory of 2824	2748	{1BB565E9-F8F7-4bb3-B11D-B1A0129DB0B1}.exe	35
PID 2452 wrote to memory of 1568	2452	{C333D7FF-2D63-4e7c-9493-5143163179B1}.exe	36
PID 2452 wrote to memory of 1568	2452	{C333D7FF-2D63-4e7c-9493-5143163179B1}.exe	36
PID 2452 wrote to memory of 1568	2452	{C333D7FF-2D63-4e7c-9493-5143163179B1}.exe	36
PID 2452 wrote to memory of 1568	2452	{C333D7FF-2D63-4e7c-9493-5143163179B1}.exe	36
PID 2452 wrote to memory of 1908	2452	{C333D7FF-2D63-4e7c-9493-5143163179B1}.exe	37
PID 2452 wrote to memory of 1908	2452	{C333D7FF-2D63-4e7c-9493-5143163179B1}.exe	37
PID 2452 wrote to memory of 1908	2452	{C333D7FF-2D63-4e7c-9493-5143163179B1}.exe	37
PID 2452 wrote to memory of 1908	2452	{C333D7FF-2D63-4e7c-9493-5143163179B1}.exe	37
PID 1568 wrote to memory of 1516	1568	{FE362263-71C7-43b1-A3CF-A3C082DA72FD}.exe	38
PID 1568 wrote to memory of 1516	1568	{FE362263-71C7-43b1-A3CF-A3C082DA72FD}.exe	38
PID 1568 wrote to memory of 1516	1568	{FE362263-71C7-43b1-A3CF-A3C082DA72FD}.exe	38
PID 1568 wrote to memory of 1516	1568	{FE362263-71C7-43b1-A3CF-A3C082DA72FD}.exe	38
PID 1568 wrote to memory of 2644	1568	{FE362263-71C7-43b1-A3CF-A3C082DA72FD}.exe	39
PID 1568 wrote to memory of 2644	1568	{FE362263-71C7-43b1-A3CF-A3C082DA72FD}.exe	39
PID 1568 wrote to memory of 2644	1568	{FE362263-71C7-43b1-A3CF-A3C082DA72FD}.exe	39
PID 1568 wrote to memory of 2644	1568	{FE362263-71C7-43b1-A3CF-A3C082DA72FD}.exe	39
PID 1516 wrote to memory of 1128	1516	{D4B9979C-ED27-4b50-8CC7-6C7E769CFEC6}.exe	40
PID 1516 wrote to memory of 1128	1516	{D4B9979C-ED27-4b50-8CC7-6C7E769CFEC6}.exe	40
PID 1516 wrote to memory of 1128	1516	{D4B9979C-ED27-4b50-8CC7-6C7E769CFEC6}.exe	40
PID 1516 wrote to memory of 1128	1516	{D4B9979C-ED27-4b50-8CC7-6C7E769CFEC6}.exe	40
PID 1516 wrote to memory of 1836	1516	{D4B9979C-ED27-4b50-8CC7-6C7E769CFEC6}.exe	41
PID 1516 wrote to memory of 1836	1516	{D4B9979C-ED27-4b50-8CC7-6C7E769CFEC6}.exe	41
PID 1516 wrote to memory of 1836	1516	{D4B9979C-ED27-4b50-8CC7-6C7E769CFEC6}.exe	41
PID 1516 wrote to memory of 1836	1516	{D4B9979C-ED27-4b50-8CC7-6C7E769CFEC6}.exe	41
PID 1128 wrote to memory of 1472	1128	{69205BD9-744E-4b53-9A21-25A7316B3D3D}.exe	42
PID 1128 wrote to memory of 1472	1128	{69205BD9-744E-4b53-9A21-25A7316B3D3D}.exe	42
PID 1128 wrote to memory of 1472	1128	{69205BD9-744E-4b53-9A21-25A7316B3D3D}.exe	42
PID 1128 wrote to memory of 1472	1128	{69205BD9-744E-4b53-9A21-25A7316B3D3D}.exe	42
PID 1128 wrote to memory of 2316	1128	{69205BD9-744E-4b53-9A21-25A7316B3D3D}.exe	43
PID 1128 wrote to memory of 2316	1128	{69205BD9-744E-4b53-9A21-25A7316B3D3D}.exe	43
PID 1128 wrote to memory of 2316	1128	{69205BD9-744E-4b53-9A21-25A7316B3D3D}.exe	43
PID 1128 wrote to memory of 2316	1128	{69205BD9-744E-4b53-9A21-25A7316B3D3D}.exe	43
PID 1472 wrote to memory of 2136	1472	{34AF8AD2-9B5D-4929-B3E2-286EFC706142}.exe	44
PID 1472 wrote to memory of 2136	1472	{34AF8AD2-9B5D-4929-B3E2-286EFC706142}.exe	44
PID 1472 wrote to memory of 2136	1472	{34AF8AD2-9B5D-4929-B3E2-286EFC706142}.exe	44
PID 1472 wrote to memory of 2136	1472	{34AF8AD2-9B5D-4929-B3E2-286EFC706142}.exe	44
PID 1472 wrote to memory of 1116	1472	{34AF8AD2-9B5D-4929-B3E2-286EFC706142}.exe	45
PID 1472 wrote to memory of 1116	1472	{34AF8AD2-9B5D-4929-B3E2-286EFC706142}.exe	45
PID 1472 wrote to memory of 1116	1472	{34AF8AD2-9B5D-4929-B3E2-286EFC706142}.exe	45
PID 1472 wrote to memory of 1116	1472	{34AF8AD2-9B5D-4929-B3E2-286EFC706142}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-06-07_063cae50d88b087e665e90441c154026_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-07_063cae50d88b087e665e90441c154026_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2248
- C:\Windows\{80FAE068-1E8A-4bf9-A60B-D404476B0D7E}.exe
  C:\Windows\{80FAE068-1E8A-4bf9-A60B-D404476B0D7E}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1940
- - C:\Windows\{1BB565E9-F8F7-4bb3-B11D-B1A0129DB0B1}.exe
    C:\Windows\{1BB565E9-F8F7-4bb3-B11D-B1A0129DB0B1}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2748
  - - C:\Windows\{C333D7FF-2D63-4e7c-9493-5143163179B1}.exe
      C:\Windows\{C333D7FF-2D63-4e7c-9493-5143163179B1}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2452
    - - C:\Windows\{FE362263-71C7-43b1-A3CF-A3C082DA72FD}.exe
        
        C:\Windows\{FE362263-71C7-43b1-A3CF-A3C082DA72FD}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1568
      - C:\Windows\{D4B9979C-ED27-4b50-8CC7-6C7E769CFEC6}.exe
        
        C:\Windows\{D4B9979C-ED27-4b50-8CC7-6C7E769CFEC6}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1516
        
        C:\Windows\{69205BD9-744E-4b53-9A21-25A7316B3D3D}.exe
        
        C:\Windows\{69205BD9-744E-4b53-9A21-25A7316B3D3D}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1128
        
        C:\Windows\{34AF8AD2-9B5D-4929-B3E2-286EFC706142}.exe
        
        C:\Windows\{34AF8AD2-9B5D-4929-B3E2-286EFC706142}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1472
        
        C:\Windows\{6AB4A219-A333-43a4-9319-FC03FF17DF47}.exe
        
        C:\Windows\{6AB4A219-A333-43a4-9319-FC03FF17DF47}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2136
        
        C:\Windows\{98F42D1F-3D1D-478a-BC17-4CFC07F6B4BD}.exe
        
        C:\Windows\{98F42D1F-3D1D-478a-BC17-4CFC07F6B4BD}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1140
        
        C:\Windows\{249CF942-4D30-46cc-85C5-BE43BE5E57AE}.exe
        
        C:\Windows\{249CF942-4D30-46cc-85C5-BE43BE5E57AE}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1756
        
        C:\Windows\{6765CF42-714C-41a9-940B-120EB0E4A667}.exe
        
        C:\Windows\{6765CF42-714C-41a9-940B-120EB0E4A667}.exe
        12⤵
        Executes dropped EXE
        
        PID:2924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{249CF~1.EXE > nul
        12⤵
        
        PID:432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{98F42~1.EXE > nul
        11⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6AB4A~1.EXE > nul
        10⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{34AF8~1.EXE > nul
        9⤵
        
        PID:1116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{69205~1.EXE > nul
        8⤵
        
        PID:2316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D4B99~1.EXE > nul
        7⤵
        
        PID:1836
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FE362~1.EXE > nul
        6⤵
        
        PID:2644
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C333D~1.EXE > nul
        5⤵
        
        PID:1908
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{1BB56~1.EXE > nul
      4⤵
      PID:2824
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{80FAE~1.EXE > nul
    3⤵
    PID:2624
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1BB565E9-F8F7-4bb3-B11D-B1A0129DB0B1}.exe

Filesize
344KB

MD5
5afdef3de051ffa6015fd59add086d3a

SHA1
c552d98ffefbc2b4bbca0bb0b6e20baaed261399

SHA256
b8954588f9ea0cfce469ab2897b06574a169f35d7ea72a2aec2b0d8a33584ebf

SHA512
510abf4202770dcc2beb8799c69595ac0c38a9475f38dd87378457c81a68dc4bc37ae775aa10f344c9856784f67d7627881b6b08d287958bd3295cce891a18ef

Download Submit
C:\Windows\{249CF942-4D30-46cc-85C5-BE43BE5E57AE}.exe

Filesize
344KB

MD5
ae1fcdf71147abf70abaf45993889ccf

SHA1
84869b2c2caf0546e2b35d271df5a521c11a91e0

SHA256
bc7d9d4ff36c4aea75ca09263689f87f09789b04c9500b80cbe8793fac745910

SHA512
e91f1aa84cd3d30f5333a4de4936c8a2de8c6d97e01318c37338e122d421babc486a392997caae2627628f3f3d8e803823c8c80e4c727cb416fd2d8334652a9a

Download Submit
C:\Windows\{34AF8AD2-9B5D-4929-B3E2-286EFC706142}.exe

Filesize
344KB

MD5
24398bf794aa1f06f2fc046a7e4b8627

SHA1
a4b528e2804a7a7a5b58680bcdbab839b03b0a56

SHA256
de457fbc39f0313dd6c49962557c7f0b1f1df2a5fb2e3f75c02c4f51403b0577

SHA512
23800424b5fe77857ad2b79398b46d7d7ecb8cbc3092da594de483902353d10906f9f2fc2b3acb0c1989d180c26e6adac1f083a6e12af5acaf29e7d269db2fa6

Download Submit
C:\Windows\{6765CF42-714C-41a9-940B-120EB0E4A667}.exe

Filesize
344KB

MD5
f6a56a548a6fa31882b21f0819e29fa9

SHA1
c10e0b96d4d643e46d3ff4d0b30885f9ec6338df

SHA256
420cb1a2b4aad3807a0466bdee2559ce9159a6c34592f453706102bb853409cf

SHA512
c0b96b0a9388dede62a3d87a8ce3ce3ca22c0bd572619077c076d58fb1f844fc3fb1b558d0f9110f159cc925c186843f5ce4f9efd29f610f328298d1857870be

Download Submit
C:\Windows\{69205BD9-744E-4b53-9A21-25A7316B3D3D}.exe

Filesize
344KB

MD5
d053b22fe6adc53c9521118752b11a95

SHA1
0f7ceb60ac2413d52ecd353633528beccbc66b62

SHA256
c6acc5b87afdd372fee2a782bc19d20fe981fab21abea09d6e50bdf86025f51a

SHA512
00116499a72152326eb52f78d305152c84593a5444ddf2e43095cf9210052c0f09b088e9c4cf0b0c57d7f9044071f8d7d1bdd026c81e49e4a4b7cc64d436d269

Download Submit
C:\Windows\{6AB4A219-A333-43a4-9319-FC03FF17DF47}.exe

Filesize
344KB

MD5
443fbc523262f1ab399ce6d24e2b44eb

SHA1
16215f5d5185e1df504aa02bfe82116b163a0944

SHA256
80fd6f40d2d7ac4353bf4104daeb6df37cf95d0655d8d40d14c4323a16237969

SHA512
d98c629c46d19ca05edfd6e9c63e3dfc5ca5f6d71aea2779c3a391c5bf39e66589665601ad78ebdf92cd0dc7f41472d6de97ca18deb6d624c67f3631fbfa10e7

Download Submit
C:\Windows\{80FAE068-1E8A-4bf9-A60B-D404476B0D7E}.exe

Filesize
344KB

MD5
10c373258d69d085cdaf8817cc5f457c

SHA1
f53a08bc5423344e5585432e87c4f6bc81739dd7

SHA256
f1e85437b75bd36bbfff3418fa2e613a5b4a2e8d590e4efbb2a9f5400726fb2a

SHA512
50032abfb287cde5eb6294748dd6ad2b2075ac583961af94a45c566feca5e623c2a1edc1461af0a18ba309af8ba1ae7cf70fe5594a0b00fec8f32bbe6e566f1d

Download Submit
C:\Windows\{98F42D1F-3D1D-478a-BC17-4CFC07F6B4BD}.exe

Filesize
344KB

MD5
89c535c9a7540dcb32bd1cd142e995ba

SHA1
c3a12ff8e436b00ecec1232c255acf8b01e7d9d6

SHA256
81f96fe7db6dc067547e8640afd63d55de62521ae4dd182016edf6339f72c6f0

SHA512
fc1a8febb513013fd5ff2af8ab1c2d58eea90ecb37fb54509bfd352eab19353e45755566d39332af9333d20c528fef955b8870d8aad181af50db72d4583ee6e0

Download Submit
C:\Windows\{C333D7FF-2D63-4e7c-9493-5143163179B1}.exe

Filesize
344KB

MD5
cc769e9bffb0dc53c583d2f819b84cdb

SHA1
d746ebeb74abd0962f6489010af73711bade7a98

SHA256
5da915cbd018ec63e5908d407fa7ba856f8cfa942312685611d3a1e1297c3a72

SHA512
79828a37a45d6ebc23f84ca14693433ca7ad5dfd39f24e19006b4972303ba01482f1d7e06d0e174fa260daff36e5c9d465007987dc3f05453c097fedba20eff3

Download Submit
C:\Windows\{D4B9979C-ED27-4b50-8CC7-6C7E769CFEC6}.exe

Filesize
344KB

MD5
6ecae4820e697c3cf532a580eaa98856

SHA1
c4d353799fd321bbb4bb843dc40b57bd87cbc5e0

SHA256
8195388dc05a03215fdbb11b895561d21e18a917ebffb6e4905edfb866063d32

SHA512
41dac931ed4075e4ec1ab9481a8113c15fdbeeef9f6e465425ba057fd042215c258c057f419f610e7fb5f659a845a9d00d5bf4ecc7d2717376c9a5011d75e90f

Download Submit
C:\Windows\{FE362263-71C7-43b1-A3CF-A3C082DA72FD}.exe

Filesize
344KB

MD5
5ee1f59debeb8f6599fdc234bc4d2e88

SHA1
b5b7a019de5fc5a33d57a5e8626f0628af153f0c

SHA256
fe8cbcb2e834b4a5ad9c58313e33707022f2b73dbcbf2677819164e193354a50

SHA512
6dfcec01234d197543699e6e072b02c36705c77845535e2bba80b6fa3f85a1f10b6638f9d685f706d1d8dd936bc4a944ba63524bc64c692cfbec1c87d937cc9d

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads