2ee5307d7da48269978b8775ede1a099e97a80d88f4f313ecfcf624bca05eec2

Analysis

max time kernel
144s
max time network
120s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
09/06/2024, 12:49

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-06-09_8b2c4da439a983d485c8850331ca09ec_goldeneye.exe
Size

180KB
MD5

8b2c4da439a983d485c8850331ca09ec
SHA1

bdff15ec46e50e592aa9206246fb2b1c35ef8672
SHA256

2ee5307d7da48269978b8775ede1a099e97a80d88f4f313ecfcf624bca05eec2
SHA512

6771ee93bf83cbf87a96bf6dc5fcb372134aaa1a09b7b6bb650c315341d7559e18959242241d55eaa6beba48f4ebf01badae8877918350286c75de2a3f85a1c8
SSDEEP

3072:jEGh0oglfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGml5eKcAEc

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000b000000012279-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0034000000016126-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000012279-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0034000000016228-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000012279-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e000000012279-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f000000012279-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{82D64ADE-04CD-4e18-A27D-54CC00594885}\stubpath = "C:\\Windows\\{82D64ADE-04CD-4e18-A27D-54CC00594885}.exe"	{7E54266E-60E7-4b84-B34A-0E52F5A71033}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{635E9015-A118-4776-9840-12BFA3EB3A94}\stubpath = "C:\\Windows\\{635E9015-A118-4776-9840-12BFA3EB3A94}.exe"	{82D64ADE-04CD-4e18-A27D-54CC00594885}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F40C29D9-3967-44f6-95A8-D14FE171721C}\stubpath = "C:\\Windows\\{F40C29D9-3967-44f6-95A8-D14FE171721C}.exe"	2024-06-09_8b2c4da439a983d485c8850331ca09ec_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CF9EB07B-3CBA-4192-92B4-C48BBD571922}	{F40C29D9-3967-44f6-95A8-D14FE171721C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{36BB6119-6288-4067-9204-CF07A0AF670C}\stubpath = "C:\\Windows\\{36BB6119-6288-4067-9204-CF07A0AF670C}.exe"	{7D50D5A0-49AA-4b68-B89C-B4467AFACE10}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D916BECB-149E-4f07-9585-B7EA50DF15B6}\stubpath = "C:\\Windows\\{D916BECB-149E-4f07-9585-B7EA50DF15B6}.exe"	{692C1574-9984-404b-B388-2C83A53D578D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6C5B2101-1C90-4c82-9BBD-19AF75FEF0B1}	{D916BECB-149E-4f07-9585-B7EA50DF15B6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{82D64ADE-04CD-4e18-A27D-54CC00594885}	{7E54266E-60E7-4b84-B34A-0E52F5A71033}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F40C29D9-3967-44f6-95A8-D14FE171721C}	2024-06-09_8b2c4da439a983d485c8850331ca09ec_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{36BB6119-6288-4067-9204-CF07A0AF670C}	{7D50D5A0-49AA-4b68-B89C-B4467AFACE10}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6C5B2101-1C90-4c82-9BBD-19AF75FEF0B1}\stubpath = "C:\\Windows\\{6C5B2101-1C90-4c82-9BBD-19AF75FEF0B1}.exe"	{D916BECB-149E-4f07-9585-B7EA50DF15B6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7E54266E-60E7-4b84-B34A-0E52F5A71033}	{6C5B2101-1C90-4c82-9BBD-19AF75FEF0B1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7E54266E-60E7-4b84-B34A-0E52F5A71033}\stubpath = "C:\\Windows\\{7E54266E-60E7-4b84-B34A-0E52F5A71033}.exe"	{6C5B2101-1C90-4c82-9BBD-19AF75FEF0B1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{635E9015-A118-4776-9840-12BFA3EB3A94}	{82D64ADE-04CD-4e18-A27D-54CC00594885}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7D50D5A0-49AA-4b68-B89C-B4467AFACE10}	{CF9EB07B-3CBA-4192-92B4-C48BBD571922}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7D50D5A0-49AA-4b68-B89C-B4467AFACE10}\stubpath = "C:\\Windows\\{7D50D5A0-49AA-4b68-B89C-B4467AFACE10}.exe"	{CF9EB07B-3CBA-4192-92B4-C48BBD571922}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A298EF41-A91B-4fa2-A140-DE90034284FA}	{36BB6119-6288-4067-9204-CF07A0AF670C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{692C1574-9984-404b-B388-2C83A53D578D}\stubpath = "C:\\Windows\\{692C1574-9984-404b-B388-2C83A53D578D}.exe"	{A298EF41-A91B-4fa2-A140-DE90034284FA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D916BECB-149E-4f07-9585-B7EA50DF15B6}	{692C1574-9984-404b-B388-2C83A53D578D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CF9EB07B-3CBA-4192-92B4-C48BBD571922}\stubpath = "C:\\Windows\\{CF9EB07B-3CBA-4192-92B4-C48BBD571922}.exe"	{F40C29D9-3967-44f6-95A8-D14FE171721C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A298EF41-A91B-4fa2-A140-DE90034284FA}\stubpath = "C:\\Windows\\{A298EF41-A91B-4fa2-A140-DE90034284FA}.exe"	{36BB6119-6288-4067-9204-CF07A0AF670C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{692C1574-9984-404b-B388-2C83A53D578D}	{A298EF41-A91B-4fa2-A140-DE90034284FA}.exe

Executes dropped EXE 11 IoCs

pid	Process
2620	{F40C29D9-3967-44f6-95A8-D14FE171721C}.exe
2588	{CF9EB07B-3CBA-4192-92B4-C48BBD571922}.exe
2528	{7D50D5A0-49AA-4b68-B89C-B4467AFACE10}.exe
2772	{36BB6119-6288-4067-9204-CF07A0AF670C}.exe
2360	{A298EF41-A91B-4fa2-A140-DE90034284FA}.exe
1868	{692C1574-9984-404b-B388-2C83A53D578D}.exe
1168	{D916BECB-149E-4f07-9585-B7EA50DF15B6}.exe
1192	{6C5B2101-1C90-4c82-9BBD-19AF75FEF0B1}.exe
2868	{7E54266E-60E7-4b84-B34A-0E52F5A71033}.exe
676	{82D64ADE-04CD-4e18-A27D-54CC00594885}.exe
108	{635E9015-A118-4776-9840-12BFA3EB3A94}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{CF9EB07B-3CBA-4192-92B4-C48BBD571922}.exe	{F40C29D9-3967-44f6-95A8-D14FE171721C}.exe
File created	C:\Windows\{7D50D5A0-49AA-4b68-B89C-B4467AFACE10}.exe	{CF9EB07B-3CBA-4192-92B4-C48BBD571922}.exe
File created	C:\Windows\{36BB6119-6288-4067-9204-CF07A0AF670C}.exe	{7D50D5A0-49AA-4b68-B89C-B4467AFACE10}.exe
File created	C:\Windows\{692C1574-9984-404b-B388-2C83A53D578D}.exe	{A298EF41-A91B-4fa2-A140-DE90034284FA}.exe
File created	C:\Windows\{82D64ADE-04CD-4e18-A27D-54CC00594885}.exe	{7E54266E-60E7-4b84-B34A-0E52F5A71033}.exe
File created	C:\Windows\{F40C29D9-3967-44f6-95A8-D14FE171721C}.exe	2024-06-09_8b2c4da439a983d485c8850331ca09ec_goldeneye.exe
File created	C:\Windows\{A298EF41-A91B-4fa2-A140-DE90034284FA}.exe	{36BB6119-6288-4067-9204-CF07A0AF670C}.exe
File created	C:\Windows\{D916BECB-149E-4f07-9585-B7EA50DF15B6}.exe	{692C1574-9984-404b-B388-2C83A53D578D}.exe
File created	C:\Windows\{6C5B2101-1C90-4c82-9BBD-19AF75FEF0B1}.exe	{D916BECB-149E-4f07-9585-B7EA50DF15B6}.exe
File created	C:\Windows\{7E54266E-60E7-4b84-B34A-0E52F5A71033}.exe	{6C5B2101-1C90-4c82-9BBD-19AF75FEF0B1}.exe
File created	C:\Windows\{635E9015-A118-4776-9840-12BFA3EB3A94}.exe	{82D64ADE-04CD-4e18-A27D-54CC00594885}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2956	2024-06-09_8b2c4da439a983d485c8850331ca09ec_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2620	{F40C29D9-3967-44f6-95A8-D14FE171721C}.exe
Token: SeIncBasePriorityPrivilege	2588	{CF9EB07B-3CBA-4192-92B4-C48BBD571922}.exe
Token: SeIncBasePriorityPrivilege	2528	{7D50D5A0-49AA-4b68-B89C-B4467AFACE10}.exe
Token: SeIncBasePriorityPrivilege	2772	{36BB6119-6288-4067-9204-CF07A0AF670C}.exe
Token: SeIncBasePriorityPrivilege	2360	{A298EF41-A91B-4fa2-A140-DE90034284FA}.exe
Token: SeIncBasePriorityPrivilege	1868	{692C1574-9984-404b-B388-2C83A53D578D}.exe
Token: SeIncBasePriorityPrivilege	1168	{D916BECB-149E-4f07-9585-B7EA50DF15B6}.exe
Token: SeIncBasePriorityPrivilege	1192	{6C5B2101-1C90-4c82-9BBD-19AF75FEF0B1}.exe
Token: SeIncBasePriorityPrivilege	2868	{7E54266E-60E7-4b84-B34A-0E52F5A71033}.exe
Token: SeIncBasePriorityPrivilege	676	{82D64ADE-04CD-4e18-A27D-54CC00594885}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2956 wrote to memory of 2620	2956	2024-06-09_8b2c4da439a983d485c8850331ca09ec_goldeneye.exe	28
PID 2956 wrote to memory of 2620	2956	2024-06-09_8b2c4da439a983d485c8850331ca09ec_goldeneye.exe	28
PID 2956 wrote to memory of 2620	2956	2024-06-09_8b2c4da439a983d485c8850331ca09ec_goldeneye.exe	28
PID 2956 wrote to memory of 2620	2956	2024-06-09_8b2c4da439a983d485c8850331ca09ec_goldeneye.exe	28
PID 2956 wrote to memory of 2696	2956	2024-06-09_8b2c4da439a983d485c8850331ca09ec_goldeneye.exe	29
PID 2956 wrote to memory of 2696	2956	2024-06-09_8b2c4da439a983d485c8850331ca09ec_goldeneye.exe	29
PID 2956 wrote to memory of 2696	2956	2024-06-09_8b2c4da439a983d485c8850331ca09ec_goldeneye.exe	29
PID 2956 wrote to memory of 2696	2956	2024-06-09_8b2c4da439a983d485c8850331ca09ec_goldeneye.exe	29
PID 2620 wrote to memory of 2588	2620	{F40C29D9-3967-44f6-95A8-D14FE171721C}.exe	30
PID 2620 wrote to memory of 2588	2620	{F40C29D9-3967-44f6-95A8-D14FE171721C}.exe	30
PID 2620 wrote to memory of 2588	2620	{F40C29D9-3967-44f6-95A8-D14FE171721C}.exe	30
PID 2620 wrote to memory of 2588	2620	{F40C29D9-3967-44f6-95A8-D14FE171721C}.exe	30
PID 2620 wrote to memory of 2800	2620	{F40C29D9-3967-44f6-95A8-D14FE171721C}.exe	31
PID 2620 wrote to memory of 2800	2620	{F40C29D9-3967-44f6-95A8-D14FE171721C}.exe	31
PID 2620 wrote to memory of 2800	2620	{F40C29D9-3967-44f6-95A8-D14FE171721C}.exe	31
PID 2620 wrote to memory of 2800	2620	{F40C29D9-3967-44f6-95A8-D14FE171721C}.exe	31
PID 2588 wrote to memory of 2528	2588	{CF9EB07B-3CBA-4192-92B4-C48BBD571922}.exe	32
PID 2588 wrote to memory of 2528	2588	{CF9EB07B-3CBA-4192-92B4-C48BBD571922}.exe	32
PID 2588 wrote to memory of 2528	2588	{CF9EB07B-3CBA-4192-92B4-C48BBD571922}.exe	32
PID 2588 wrote to memory of 2528	2588	{CF9EB07B-3CBA-4192-92B4-C48BBD571922}.exe	32
PID 2588 wrote to memory of 2492	2588	{CF9EB07B-3CBA-4192-92B4-C48BBD571922}.exe	33
PID 2588 wrote to memory of 2492	2588	{CF9EB07B-3CBA-4192-92B4-C48BBD571922}.exe	33
PID 2588 wrote to memory of 2492	2588	{CF9EB07B-3CBA-4192-92B4-C48BBD571922}.exe	33
PID 2588 wrote to memory of 2492	2588	{CF9EB07B-3CBA-4192-92B4-C48BBD571922}.exe	33
PID 2528 wrote to memory of 2772	2528	{7D50D5A0-49AA-4b68-B89C-B4467AFACE10}.exe	36
PID 2528 wrote to memory of 2772	2528	{7D50D5A0-49AA-4b68-B89C-B4467AFACE10}.exe	36
PID 2528 wrote to memory of 2772	2528	{7D50D5A0-49AA-4b68-B89C-B4467AFACE10}.exe	36
PID 2528 wrote to memory of 2772	2528	{7D50D5A0-49AA-4b68-B89C-B4467AFACE10}.exe	36
PID 2528 wrote to memory of 2764	2528	{7D50D5A0-49AA-4b68-B89C-B4467AFACE10}.exe	37
PID 2528 wrote to memory of 2764	2528	{7D50D5A0-49AA-4b68-B89C-B4467AFACE10}.exe	37
PID 2528 wrote to memory of 2764	2528	{7D50D5A0-49AA-4b68-B89C-B4467AFACE10}.exe	37
PID 2528 wrote to memory of 2764	2528	{7D50D5A0-49AA-4b68-B89C-B4467AFACE10}.exe	37
PID 2772 wrote to memory of 2360	2772	{36BB6119-6288-4067-9204-CF07A0AF670C}.exe	38
PID 2772 wrote to memory of 2360	2772	{36BB6119-6288-4067-9204-CF07A0AF670C}.exe	38
PID 2772 wrote to memory of 2360	2772	{36BB6119-6288-4067-9204-CF07A0AF670C}.exe	38
PID 2772 wrote to memory of 2360	2772	{36BB6119-6288-4067-9204-CF07A0AF670C}.exe	38
PID 2772 wrote to memory of 2184	2772	{36BB6119-6288-4067-9204-CF07A0AF670C}.exe	39
PID 2772 wrote to memory of 2184	2772	{36BB6119-6288-4067-9204-CF07A0AF670C}.exe	39
PID 2772 wrote to memory of 2184	2772	{36BB6119-6288-4067-9204-CF07A0AF670C}.exe	39
PID 2772 wrote to memory of 2184	2772	{36BB6119-6288-4067-9204-CF07A0AF670C}.exe	39
PID 2360 wrote to memory of 1868	2360	{A298EF41-A91B-4fa2-A140-DE90034284FA}.exe	40
PID 2360 wrote to memory of 1868	2360	{A298EF41-A91B-4fa2-A140-DE90034284FA}.exe	40
PID 2360 wrote to memory of 1868	2360	{A298EF41-A91B-4fa2-A140-DE90034284FA}.exe	40
PID 2360 wrote to memory of 1868	2360	{A298EF41-A91B-4fa2-A140-DE90034284FA}.exe	40
PID 2360 wrote to memory of 2208	2360	{A298EF41-A91B-4fa2-A140-DE90034284FA}.exe	41
PID 2360 wrote to memory of 2208	2360	{A298EF41-A91B-4fa2-A140-DE90034284FA}.exe	41
PID 2360 wrote to memory of 2208	2360	{A298EF41-A91B-4fa2-A140-DE90034284FA}.exe	41
PID 2360 wrote to memory of 2208	2360	{A298EF41-A91B-4fa2-A140-DE90034284FA}.exe	41
PID 1868 wrote to memory of 1168	1868	{692C1574-9984-404b-B388-2C83A53D578D}.exe	42
PID 1868 wrote to memory of 1168	1868	{692C1574-9984-404b-B388-2C83A53D578D}.exe	42
PID 1868 wrote to memory of 1168	1868	{692C1574-9984-404b-B388-2C83A53D578D}.exe	42
PID 1868 wrote to memory of 1168	1868	{692C1574-9984-404b-B388-2C83A53D578D}.exe	42
PID 1868 wrote to memory of 2400	1868	{692C1574-9984-404b-B388-2C83A53D578D}.exe	43
PID 1868 wrote to memory of 2400	1868	{692C1574-9984-404b-B388-2C83A53D578D}.exe	43
PID 1868 wrote to memory of 2400	1868	{692C1574-9984-404b-B388-2C83A53D578D}.exe	43
PID 1868 wrote to memory of 2400	1868	{692C1574-9984-404b-B388-2C83A53D578D}.exe	43
PID 1168 wrote to memory of 1192	1168	{D916BECB-149E-4f07-9585-B7EA50DF15B6}.exe	44
PID 1168 wrote to memory of 1192	1168	{D916BECB-149E-4f07-9585-B7EA50DF15B6}.exe	44
PID 1168 wrote to memory of 1192	1168	{D916BECB-149E-4f07-9585-B7EA50DF15B6}.exe	44
PID 1168 wrote to memory of 1192	1168	{D916BECB-149E-4f07-9585-B7EA50DF15B6}.exe	44
PID 1168 wrote to memory of 2072	1168	{D916BECB-149E-4f07-9585-B7EA50DF15B6}.exe	45
PID 1168 wrote to memory of 2072	1168	{D916BECB-149E-4f07-9585-B7EA50DF15B6}.exe	45
PID 1168 wrote to memory of 2072	1168	{D916BECB-149E-4f07-9585-B7EA50DF15B6}.exe	45
PID 1168 wrote to memory of 2072	1168	{D916BECB-149E-4f07-9585-B7EA50DF15B6}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-06-09_8b2c4da439a983d485c8850331ca09ec_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-09_8b2c4da439a983d485c8850331ca09ec_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2956
- C:\Windows\{F40C29D9-3967-44f6-95A8-D14FE171721C}.exe
  C:\Windows\{F40C29D9-3967-44f6-95A8-D14FE171721C}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2620
- - C:\Windows\{CF9EB07B-3CBA-4192-92B4-C48BBD571922}.exe
    C:\Windows\{CF9EB07B-3CBA-4192-92B4-C48BBD571922}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2588
  - - C:\Windows\{7D50D5A0-49AA-4b68-B89C-B4467AFACE10}.exe
      C:\Windows\{7D50D5A0-49AA-4b68-B89C-B4467AFACE10}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2528
    - - C:\Windows\{36BB6119-6288-4067-9204-CF07A0AF670C}.exe
        
        C:\Windows\{36BB6119-6288-4067-9204-CF07A0AF670C}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2772
      - C:\Windows\{A298EF41-A91B-4fa2-A140-DE90034284FA}.exe
        
        C:\Windows\{A298EF41-A91B-4fa2-A140-DE90034284FA}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2360
        
        C:\Windows\{692C1574-9984-404b-B388-2C83A53D578D}.exe
        
        C:\Windows\{692C1574-9984-404b-B388-2C83A53D578D}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1868
        
        C:\Windows\{D916BECB-149E-4f07-9585-B7EA50DF15B6}.exe
        
        C:\Windows\{D916BECB-149E-4f07-9585-B7EA50DF15B6}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1168
        
        C:\Windows\{6C5B2101-1C90-4c82-9BBD-19AF75FEF0B1}.exe
        
        C:\Windows\{6C5B2101-1C90-4c82-9BBD-19AF75FEF0B1}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1192
        
        C:\Windows\{7E54266E-60E7-4b84-B34A-0E52F5A71033}.exe
        
        C:\Windows\{7E54266E-60E7-4b84-B34A-0E52F5A71033}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2868
        
        C:\Windows\{82D64ADE-04CD-4e18-A27D-54CC00594885}.exe
        
        C:\Windows\{82D64ADE-04CD-4e18-A27D-54CC00594885}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:676
        
        C:\Windows\{635E9015-A118-4776-9840-12BFA3EB3A94}.exe
        
        C:\Windows\{635E9015-A118-4776-9840-12BFA3EB3A94}.exe
        12⤵
        Executes dropped EXE
        
        PID:108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{82D64~1.EXE > nul
        12⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7E542~1.EXE > nul
        11⤵
        
        PID:1060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6C5B2~1.EXE > nul
        10⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D916B~1.EXE > nul
        9⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{692C1~1.EXE > nul
        8⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A298E~1.EXE > nul
        7⤵
        
        PID:2208
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{36BB6~1.EXE > nul
        6⤵
        
        PID:2184
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7D50D~1.EXE > nul
        5⤵
        
        PID:2764
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{CF9EB~1.EXE > nul
      4⤵
      PID:2492
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{F40C2~1.EXE > nul
    3⤵
    PID:2800
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{36BB6119-6288-4067-9204-CF07A0AF670C}.exe

Filesize
180KB

MD5
39a07be89edc01b4db363a6bd629d6a1

SHA1
c716cfdfacf61fea56bbf446077754d890177405

SHA256
00d15cb392194ae9e3b7b74f1678dc598fbbc55384ddc9e98a9dd21e12b2d552

SHA512
b1cb7e5c9bbe871ee18583354d7748547cb97426060cf61978a41967f68005610225623b215865125fd82689d1b127adc092d288e43ff041bea6b8d40a9a5041

Download Submit
C:\Windows\{635E9015-A118-4776-9840-12BFA3EB3A94}.exe

Filesize
180KB

MD5
06db34077096702d942c8d1cd410965e

SHA1
9d744681bc9d9ede973c0b8810be569dddfdc797

SHA256
55c9881e61f460aec555bab615261a70b83e849fbe93b11b0cfb57690aed0322

SHA512
bb350659c6d6c3f9635b998d5f9f1cbc872c92c614b14c955805fb0ff9714e87ecacd3e2da142b9841f098388c6ff619c997642c595e063061dedd207c889909

Download Submit
C:\Windows\{692C1574-9984-404b-B388-2C83A53D578D}.exe

Filesize
180KB

MD5
8613a36dc1fa6c9f91a0ecaf97713f02

SHA1
5dcfd514a8e580918d4c0b585cf7b342cf78819c

SHA256
3d420bbf05d673f38033784dddf13b28064307854f901da440aba1e9852bf4c7

SHA512
acb6b6ce7f36acc1d4f2669bd3132cf5dffad7b778a60a17d375403f924a4d9a115e31ac2cce62d9528286fac99a8dc336996fa16513a61f2a675895df68b389

Download Submit
C:\Windows\{6C5B2101-1C90-4c82-9BBD-19AF75FEF0B1}.exe

Filesize
180KB

MD5
7ef63f897afa83c639928ab8db757a25

SHA1
77ab692dde8fa7f4ed28a27dbf633a0146f5c086

SHA256
a99766b3c6e36ecfc438f32163ad4a1e504b996b962dd324194d94ac80d9b7ff

SHA512
87f7d17b52fd772711f9c545b8dae4acdfae9c37956a9e8f83cead5f129b3a6026b48b52de5758b4121c8b7678e91aefce6527d51c64dfd87b6ada155a81e9da

Download Submit
C:\Windows\{7D50D5A0-49AA-4b68-B89C-B4467AFACE10}.exe

Filesize
180KB

MD5
1dfc0d4cc3911f2b8b15a47fe9bc1d3b

SHA1
75b2d96fb2cf23f1233b091bf3469bcbce9f826b

SHA256
c0130d5827d98168a53d669ef742e66e6ebdb47f5aad76d2e53fb8172dbeec1d

SHA512
4af5ec898b42f93af31c115513bd54cb72ef2489d920569e8988f6e3e67a97d8b035fcd3aa4e08ce2820c8936ee0c15b7e1d47aa3ec2209bfcb0453080a4d07b

Download Submit
C:\Windows\{7E54266E-60E7-4b84-B34A-0E52F5A71033}.exe

Filesize
180KB

MD5
b39d23dc0a22c96d5bf43f26ccdc06ce

SHA1
a66aca8a2ac9aabbce6f3cb151347b05d59bcf88

SHA256
142442c5aec9cd5fb4cbcdc1f3539e6df9cd107fdca96fe31ff7428aa8144126

SHA512
c896ba92fbccfd4cc0cd359afb93b24fd159c0cede51ed2134e654e7da85b8975ed2b8979b023e5224342f548e7eb25dc2737eb99488bc8ebc5c63cf567f268a

Download Submit
C:\Windows\{82D64ADE-04CD-4e18-A27D-54CC00594885}.exe

Filesize
180KB

MD5
2873353a50f90966c0bb7a0dd3330f3f

SHA1
7e706b856b409fb519bf75e1f6be3d12786e0455

SHA256
16e5d33c6c677cb1b1596ce9b238458cc3e002510df111beecde8435618fad00

SHA512
ca4a24464910ca381b85090dd431a8222c5dd80c935370186c4ca2be0f4b4cf5b33bf445b86179a36fd31edf9cc6b5fbd4134f0bc38bb09e0fb1c0b221646544

Download Submit
C:\Windows\{A298EF41-A91B-4fa2-A140-DE90034284FA}.exe

Filesize
180KB

MD5
4fd0f010d73cb8f4d3bd27c8d134dc8b

SHA1
71103561e5216f14d6ef3d79bb3e38bd6749ec85

SHA256
e3361743acaf3bc0f3ccdc00f68a263a468d6950c69c3082b627aef43731ebb0

SHA512
5210e53c6f5ec3042743d3f4db42b39b404d57d0a2ab116e6486d8a5851437706418e979e0ab226b11b1688aaca2c3dcc47efdc4ad025135fd2b99bd25e48e01

Download Submit
C:\Windows\{CF9EB07B-3CBA-4192-92B4-C48BBD571922}.exe

Filesize
180KB

MD5
eeb3ce919cbe9adb17ed4b8e109c3969

SHA1
5df477f7fdd604b4e4c450962975f99dec8dd82b

SHA256
f03e34c4d14abdf99dade3afec949ae660e186c6c9f47a4706a1a29b2b24bd3f

SHA512
a6d6cbcbdb4a36904a5320579419a995d74080b52d5f366a8965a106351e80ea9b08960fd9c68ea71471a211a45bb8854896b3600454bcaf7399775fe4e52bb9

Download Submit
C:\Windows\{D916BECB-149E-4f07-9585-B7EA50DF15B6}.exe

Filesize
180KB

MD5
3d48776b2e372987ed9b2baad42ddcd0

SHA1
f244b28035bcaa745714ed2294eb0926ca958bef

SHA256
2d8c4354d8b27fe1179c67a77dea8814eca0aa476886591aef0af95471e068c2

SHA512
f3dd3481adb0c960e7c0caf7de132bd31dfcba823581390284e451e4105883ecbaf2e9a157ce0379b2fd8e47943038ecf9988c15fbf2aa2747a07cc0407ca268

Download Submit
C:\Windows\{F40C29D9-3967-44f6-95A8-D14FE171721C}.exe

Filesize
180KB

MD5
82596766d0dd383d6a7e20d9d54fb351

SHA1
4c2e79be739069fec6b44ba94679c302093297e0

SHA256
be4e145027ffa786896a0f2c657b831cc4a0f501e4a5ca991c11101951807d88

SHA512
923bbaa15c1bc6be7cf6b36dffa2ca7365fa9218c6c42afefeba1bf1800d8ef27999106b30a5d66fab2a746e2d02943ba44aa944f9c7c6051ac5a745d43b8ad1

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads