1ce6038ad69f2261ae73838ec703e0863c07e8f41ddc2525db3ebf72b3d1534e

Analysis

max time kernel
144s
max time network
120s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
13-06-2024 10:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-13_ae2295dc1f38fc634f7df4b6d6f88149_goldeneye.exe
Size

192KB
MD5

ae2295dc1f38fc634f7df4b6d6f88149
SHA1

09e773c814b5fad55b3469de5f5558f60314a008
SHA256

1ce6038ad69f2261ae73838ec703e0863c07e8f41ddc2525db3ebf72b3d1534e
SHA512

5c3ca089b48bb07a72151ba75f83a5ac6548b3253834a2d81ff7f48acd846c8c842a65db7f155cfb9fde97912c3fc60bdb743ec065f70d06ee25123bdd8c921c
SSDEEP

1536:1EGh0osLl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3H6:1EGh0o4l1OPOe2MUVg3Ve+rXfMUa

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000d0000000122eb-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0036000000015cb8-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e0000000122eb-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f0000000122eb-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00100000000122eb-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00110000000122eb-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00120000000122eb-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D643B3EE-66F5-4580-91F8-D813B0AB83A9}\stubpath = "C:\\Windows\\{D643B3EE-66F5-4580-91F8-D813B0AB83A9}.exe"	{DEE67639-26B5-43b4-BAA0-980E3B2EC54D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4518925B-4DFA-43d1-A2AC-03F167574A34}\stubpath = "C:\\Windows\\{4518925B-4DFA-43d1-A2AC-03F167574A34}.exe"	{E5CF73A1-BF04-4ef0-86D4-728991CB04D8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9F8F27D0-C51D-4d4b-9A9E-5BD047E22027}	{513A9D43-68EE-4e2a-A18F-2106B77B09AF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C2F34BC2-3520-4985-8D17-AD253016D608}\stubpath = "C:\\Windows\\{C2F34BC2-3520-4985-8D17-AD253016D608}.exe"	{9F8F27D0-C51D-4d4b-9A9E-5BD047E22027}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4CA2E903-6767-4963-866B-43D600791163}	{C2F34BC2-3520-4985-8D17-AD253016D608}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A719BBE8-852F-4afb-9A70-B9C1D1EEE585}	{582E6B54-19E1-4827-A50E-92856706B389}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4518925B-4DFA-43d1-A2AC-03F167574A34}	{E5CF73A1-BF04-4ef0-86D4-728991CB04D8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C2F34BC2-3520-4985-8D17-AD253016D608}	{9F8F27D0-C51D-4d4b-9A9E-5BD047E22027}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4CA2E903-6767-4963-866B-43D600791163}\stubpath = "C:\\Windows\\{4CA2E903-6767-4963-866B-43D600791163}.exe"	{C2F34BC2-3520-4985-8D17-AD253016D608}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{582E6B54-19E1-4827-A50E-92856706B389}	{4CA2E903-6767-4963-866B-43D600791163}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E5CF73A1-BF04-4ef0-86D4-728991CB04D8}	2024-06-13_ae2295dc1f38fc634f7df4b6d6f88149_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{513A9D43-68EE-4e2a-A18F-2106B77B09AF}\stubpath = "C:\\Windows\\{513A9D43-68EE-4e2a-A18F-2106B77B09AF}.exe"	{4518925B-4DFA-43d1-A2AC-03F167574A34}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{582E6B54-19E1-4827-A50E-92856706B389}\stubpath = "C:\\Windows\\{582E6B54-19E1-4827-A50E-92856706B389}.exe"	{4CA2E903-6767-4963-866B-43D600791163}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DEE67639-26B5-43b4-BAA0-980E3B2EC54D}	{0CB3D2E8-3C07-4f86-8AB1-EF24652E7ACB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0CB3D2E8-3C07-4f86-8AB1-EF24652E7ACB}\stubpath = "C:\\Windows\\{0CB3D2E8-3C07-4f86-8AB1-EF24652E7ACB}.exe"	{A719BBE8-852F-4afb-9A70-B9C1D1EEE585}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DEE67639-26B5-43b4-BAA0-980E3B2EC54D}\stubpath = "C:\\Windows\\{DEE67639-26B5-43b4-BAA0-980E3B2EC54D}.exe"	{0CB3D2E8-3C07-4f86-8AB1-EF24652E7ACB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D643B3EE-66F5-4580-91F8-D813B0AB83A9}	{DEE67639-26B5-43b4-BAA0-980E3B2EC54D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E5CF73A1-BF04-4ef0-86D4-728991CB04D8}\stubpath = "C:\\Windows\\{E5CF73A1-BF04-4ef0-86D4-728991CB04D8}.exe"	2024-06-13_ae2295dc1f38fc634f7df4b6d6f88149_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{513A9D43-68EE-4e2a-A18F-2106B77B09AF}	{4518925B-4DFA-43d1-A2AC-03F167574A34}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9F8F27D0-C51D-4d4b-9A9E-5BD047E22027}\stubpath = "C:\\Windows\\{9F8F27D0-C51D-4d4b-9A9E-5BD047E22027}.exe"	{513A9D43-68EE-4e2a-A18F-2106B77B09AF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A719BBE8-852F-4afb-9A70-B9C1D1EEE585}\stubpath = "C:\\Windows\\{A719BBE8-852F-4afb-9A70-B9C1D1EEE585}.exe"	{582E6B54-19E1-4827-A50E-92856706B389}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0CB3D2E8-3C07-4f86-8AB1-EF24652E7ACB}	{A719BBE8-852F-4afb-9A70-B9C1D1EEE585}.exe

Deletes itself 1 IoCs

pid	Process
2880	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2104	{E5CF73A1-BF04-4ef0-86D4-728991CB04D8}.exe
2736	{4518925B-4DFA-43d1-A2AC-03F167574A34}.exe
2628	{513A9D43-68EE-4e2a-A18F-2106B77B09AF}.exe
2744	{9F8F27D0-C51D-4d4b-9A9E-5BD047E22027}.exe
2872	{C2F34BC2-3520-4985-8D17-AD253016D608}.exe
1988	{4CA2E903-6767-4963-866B-43D600791163}.exe
2248	{582E6B54-19E1-4827-A50E-92856706B389}.exe
2768	{A719BBE8-852F-4afb-9A70-B9C1D1EEE585}.exe
692	{0CB3D2E8-3C07-4f86-8AB1-EF24652E7ACB}.exe
1292	{DEE67639-26B5-43b4-BAA0-980E3B2EC54D}.exe
564	{D643B3EE-66F5-4580-91F8-D813B0AB83A9}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{9F8F27D0-C51D-4d4b-9A9E-5BD047E22027}.exe	{513A9D43-68EE-4e2a-A18F-2106B77B09AF}.exe
File created	C:\Windows\{C2F34BC2-3520-4985-8D17-AD253016D608}.exe	{9F8F27D0-C51D-4d4b-9A9E-5BD047E22027}.exe
File created	C:\Windows\{4CA2E903-6767-4963-866B-43D600791163}.exe	{C2F34BC2-3520-4985-8D17-AD253016D608}.exe
File created	C:\Windows\{582E6B54-19E1-4827-A50E-92856706B389}.exe	{4CA2E903-6767-4963-866B-43D600791163}.exe
File created	C:\Windows\{0CB3D2E8-3C07-4f86-8AB1-EF24652E7ACB}.exe	{A719BBE8-852F-4afb-9A70-B9C1D1EEE585}.exe
File created	C:\Windows\{DEE67639-26B5-43b4-BAA0-980E3B2EC54D}.exe	{0CB3D2E8-3C07-4f86-8AB1-EF24652E7ACB}.exe
File created	C:\Windows\{D643B3EE-66F5-4580-91F8-D813B0AB83A9}.exe	{DEE67639-26B5-43b4-BAA0-980E3B2EC54D}.exe
File created	C:\Windows\{513A9D43-68EE-4e2a-A18F-2106B77B09AF}.exe	{4518925B-4DFA-43d1-A2AC-03F167574A34}.exe
File created	C:\Windows\{4518925B-4DFA-43d1-A2AC-03F167574A34}.exe	{E5CF73A1-BF04-4ef0-86D4-728991CB04D8}.exe
File created	C:\Windows\{A719BBE8-852F-4afb-9A70-B9C1D1EEE585}.exe	{582E6B54-19E1-4827-A50E-92856706B389}.exe
File created	C:\Windows\{E5CF73A1-BF04-4ef0-86D4-728991CB04D8}.exe	2024-06-13_ae2295dc1f38fc634f7df4b6d6f88149_goldeneye.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2408	2024-06-13_ae2295dc1f38fc634f7df4b6d6f88149_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2104	{E5CF73A1-BF04-4ef0-86D4-728991CB04D8}.exe
Token: SeIncBasePriorityPrivilege	2736	{4518925B-4DFA-43d1-A2AC-03F167574A34}.exe
Token: SeIncBasePriorityPrivilege	2628	{513A9D43-68EE-4e2a-A18F-2106B77B09AF}.exe
Token: SeIncBasePriorityPrivilege	2744	{9F8F27D0-C51D-4d4b-9A9E-5BD047E22027}.exe
Token: SeIncBasePriorityPrivilege	2872	{C2F34BC2-3520-4985-8D17-AD253016D608}.exe
Token: SeIncBasePriorityPrivilege	1988	{4CA2E903-6767-4963-866B-43D600791163}.exe
Token: SeIncBasePriorityPrivilege	2248	{582E6B54-19E1-4827-A50E-92856706B389}.exe
Token: SeIncBasePriorityPrivilege	2768	{A719BBE8-852F-4afb-9A70-B9C1D1EEE585}.exe
Token: SeIncBasePriorityPrivilege	692	{0CB3D2E8-3C07-4f86-8AB1-EF24652E7ACB}.exe
Token: SeIncBasePriorityPrivilege	1292	{DEE67639-26B5-43b4-BAA0-980E3B2EC54D}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2408 wrote to memory of 2104	2408	2024-06-13_ae2295dc1f38fc634f7df4b6d6f88149_goldeneye.exe	28
PID 2408 wrote to memory of 2104	2408	2024-06-13_ae2295dc1f38fc634f7df4b6d6f88149_goldeneye.exe	28
PID 2408 wrote to memory of 2104	2408	2024-06-13_ae2295dc1f38fc634f7df4b6d6f88149_goldeneye.exe	28
PID 2408 wrote to memory of 2104	2408	2024-06-13_ae2295dc1f38fc634f7df4b6d6f88149_goldeneye.exe	28
PID 2408 wrote to memory of 2880	2408	2024-06-13_ae2295dc1f38fc634f7df4b6d6f88149_goldeneye.exe	29
PID 2408 wrote to memory of 2880	2408	2024-06-13_ae2295dc1f38fc634f7df4b6d6f88149_goldeneye.exe	29
PID 2408 wrote to memory of 2880	2408	2024-06-13_ae2295dc1f38fc634f7df4b6d6f88149_goldeneye.exe	29
PID 2408 wrote to memory of 2880	2408	2024-06-13_ae2295dc1f38fc634f7df4b6d6f88149_goldeneye.exe	29
PID 2104 wrote to memory of 2736	2104	{E5CF73A1-BF04-4ef0-86D4-728991CB04D8}.exe	30
PID 2104 wrote to memory of 2736	2104	{E5CF73A1-BF04-4ef0-86D4-728991CB04D8}.exe	30
PID 2104 wrote to memory of 2736	2104	{E5CF73A1-BF04-4ef0-86D4-728991CB04D8}.exe	30
PID 2104 wrote to memory of 2736	2104	{E5CF73A1-BF04-4ef0-86D4-728991CB04D8}.exe	30
PID 2104 wrote to memory of 2668	2104	{E5CF73A1-BF04-4ef0-86D4-728991CB04D8}.exe	31
PID 2104 wrote to memory of 2668	2104	{E5CF73A1-BF04-4ef0-86D4-728991CB04D8}.exe	31
PID 2104 wrote to memory of 2668	2104	{E5CF73A1-BF04-4ef0-86D4-728991CB04D8}.exe	31
PID 2104 wrote to memory of 2668	2104	{E5CF73A1-BF04-4ef0-86D4-728991CB04D8}.exe	31
PID 2736 wrote to memory of 2628	2736	{4518925B-4DFA-43d1-A2AC-03F167574A34}.exe	32
PID 2736 wrote to memory of 2628	2736	{4518925B-4DFA-43d1-A2AC-03F167574A34}.exe	32
PID 2736 wrote to memory of 2628	2736	{4518925B-4DFA-43d1-A2AC-03F167574A34}.exe	32
PID 2736 wrote to memory of 2628	2736	{4518925B-4DFA-43d1-A2AC-03F167574A34}.exe	32
PID 2736 wrote to memory of 2780	2736	{4518925B-4DFA-43d1-A2AC-03F167574A34}.exe	33
PID 2736 wrote to memory of 2780	2736	{4518925B-4DFA-43d1-A2AC-03F167574A34}.exe	33
PID 2736 wrote to memory of 2780	2736	{4518925B-4DFA-43d1-A2AC-03F167574A34}.exe	33
PID 2736 wrote to memory of 2780	2736	{4518925B-4DFA-43d1-A2AC-03F167574A34}.exe	33
PID 2628 wrote to memory of 2744	2628	{513A9D43-68EE-4e2a-A18F-2106B77B09AF}.exe	36
PID 2628 wrote to memory of 2744	2628	{513A9D43-68EE-4e2a-A18F-2106B77B09AF}.exe	36
PID 2628 wrote to memory of 2744	2628	{513A9D43-68EE-4e2a-A18F-2106B77B09AF}.exe	36
PID 2628 wrote to memory of 2744	2628	{513A9D43-68EE-4e2a-A18F-2106B77B09AF}.exe	36
PID 2628 wrote to memory of 2992	2628	{513A9D43-68EE-4e2a-A18F-2106B77B09AF}.exe	37
PID 2628 wrote to memory of 2992	2628	{513A9D43-68EE-4e2a-A18F-2106B77B09AF}.exe	37
PID 2628 wrote to memory of 2992	2628	{513A9D43-68EE-4e2a-A18F-2106B77B09AF}.exe	37
PID 2628 wrote to memory of 2992	2628	{513A9D43-68EE-4e2a-A18F-2106B77B09AF}.exe	37
PID 2744 wrote to memory of 2872	2744	{9F8F27D0-C51D-4d4b-9A9E-5BD047E22027}.exe	38
PID 2744 wrote to memory of 2872	2744	{9F8F27D0-C51D-4d4b-9A9E-5BD047E22027}.exe	38
PID 2744 wrote to memory of 2872	2744	{9F8F27D0-C51D-4d4b-9A9E-5BD047E22027}.exe	38
PID 2744 wrote to memory of 2872	2744	{9F8F27D0-C51D-4d4b-9A9E-5BD047E22027}.exe	38
PID 2744 wrote to memory of 3004	2744	{9F8F27D0-C51D-4d4b-9A9E-5BD047E22027}.exe	39
PID 2744 wrote to memory of 3004	2744	{9F8F27D0-C51D-4d4b-9A9E-5BD047E22027}.exe	39
PID 2744 wrote to memory of 3004	2744	{9F8F27D0-C51D-4d4b-9A9E-5BD047E22027}.exe	39
PID 2744 wrote to memory of 3004	2744	{9F8F27D0-C51D-4d4b-9A9E-5BD047E22027}.exe	39
PID 2872 wrote to memory of 1988	2872	{C2F34BC2-3520-4985-8D17-AD253016D608}.exe	40
PID 2872 wrote to memory of 1988	2872	{C2F34BC2-3520-4985-8D17-AD253016D608}.exe	40
PID 2872 wrote to memory of 1988	2872	{C2F34BC2-3520-4985-8D17-AD253016D608}.exe	40
PID 2872 wrote to memory of 1988	2872	{C2F34BC2-3520-4985-8D17-AD253016D608}.exe	40
PID 2872 wrote to memory of 1060	2872	{C2F34BC2-3520-4985-8D17-AD253016D608}.exe	41
PID 2872 wrote to memory of 1060	2872	{C2F34BC2-3520-4985-8D17-AD253016D608}.exe	41
PID 2872 wrote to memory of 1060	2872	{C2F34BC2-3520-4985-8D17-AD253016D608}.exe	41
PID 2872 wrote to memory of 1060	2872	{C2F34BC2-3520-4985-8D17-AD253016D608}.exe	41
PID 1988 wrote to memory of 2248	1988	{4CA2E903-6767-4963-866B-43D600791163}.exe	42
PID 1988 wrote to memory of 2248	1988	{4CA2E903-6767-4963-866B-43D600791163}.exe	42
PID 1988 wrote to memory of 2248	1988	{4CA2E903-6767-4963-866B-43D600791163}.exe	42
PID 1988 wrote to memory of 2248	1988	{4CA2E903-6767-4963-866B-43D600791163}.exe	42
PID 1988 wrote to memory of 1672	1988	{4CA2E903-6767-4963-866B-43D600791163}.exe	43
PID 1988 wrote to memory of 1672	1988	{4CA2E903-6767-4963-866B-43D600791163}.exe	43
PID 1988 wrote to memory of 1672	1988	{4CA2E903-6767-4963-866B-43D600791163}.exe	43
PID 1988 wrote to memory of 1672	1988	{4CA2E903-6767-4963-866B-43D600791163}.exe	43
PID 2248 wrote to memory of 2768	2248	{582E6B54-19E1-4827-A50E-92856706B389}.exe	44
PID 2248 wrote to memory of 2768	2248	{582E6B54-19E1-4827-A50E-92856706B389}.exe	44
PID 2248 wrote to memory of 2768	2248	{582E6B54-19E1-4827-A50E-92856706B389}.exe	44
PID 2248 wrote to memory of 2768	2248	{582E6B54-19E1-4827-A50E-92856706B389}.exe	44
PID 2248 wrote to memory of 1984	2248	{582E6B54-19E1-4827-A50E-92856706B389}.exe	45
PID 2248 wrote to memory of 1984	2248	{582E6B54-19E1-4827-A50E-92856706B389}.exe	45
PID 2248 wrote to memory of 1984	2248	{582E6B54-19E1-4827-A50E-92856706B389}.exe	45
PID 2248 wrote to memory of 1984	2248	{582E6B54-19E1-4827-A50E-92856706B389}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-06-13_ae2295dc1f38fc634f7df4b6d6f88149_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-13_ae2295dc1f38fc634f7df4b6d6f88149_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2408
- C:\Windows\{E5CF73A1-BF04-4ef0-86D4-728991CB04D8}.exe
  C:\Windows\{E5CF73A1-BF04-4ef0-86D4-728991CB04D8}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2104
- - C:\Windows\{4518925B-4DFA-43d1-A2AC-03F167574A34}.exe
    C:\Windows\{4518925B-4DFA-43d1-A2AC-03F167574A34}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2736
  - - C:\Windows\{513A9D43-68EE-4e2a-A18F-2106B77B09AF}.exe
      C:\Windows\{513A9D43-68EE-4e2a-A18F-2106B77B09AF}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2628
    - - C:\Windows\{9F8F27D0-C51D-4d4b-9A9E-5BD047E22027}.exe
        
        C:\Windows\{9F8F27D0-C51D-4d4b-9A9E-5BD047E22027}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2744
      - C:\Windows\{C2F34BC2-3520-4985-8D17-AD253016D608}.exe
        
        C:\Windows\{C2F34BC2-3520-4985-8D17-AD253016D608}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2872
        
        C:\Windows\{4CA2E903-6767-4963-866B-43D600791163}.exe
        
        C:\Windows\{4CA2E903-6767-4963-866B-43D600791163}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1988
        
        C:\Windows\{582E6B54-19E1-4827-A50E-92856706B389}.exe
        
        C:\Windows\{582E6B54-19E1-4827-A50E-92856706B389}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2248
        
        C:\Windows\{A719BBE8-852F-4afb-9A70-B9C1D1EEE585}.exe
        
        C:\Windows\{A719BBE8-852F-4afb-9A70-B9C1D1EEE585}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2768
        
        C:\Windows\{0CB3D2E8-3C07-4f86-8AB1-EF24652E7ACB}.exe
        
        C:\Windows\{0CB3D2E8-3C07-4f86-8AB1-EF24652E7ACB}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:692
        
        C:\Windows\{DEE67639-26B5-43b4-BAA0-980E3B2EC54D}.exe
        
        C:\Windows\{DEE67639-26B5-43b4-BAA0-980E3B2EC54D}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1292
        
        C:\Windows\{D643B3EE-66F5-4580-91F8-D813B0AB83A9}.exe
        
        C:\Windows\{D643B3EE-66F5-4580-91F8-D813B0AB83A9}.exe
        12⤵
        Executes dropped EXE
        
        PID:564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DEE67~1.EXE > nul
        12⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0CB3D~1.EXE > nul
        11⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A719B~1.EXE > nul
        10⤵
        
        PID:2124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{582E6~1.EXE > nul
        9⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4CA2E~1.EXE > nul
        8⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C2F34~1.EXE > nul
        7⤵
        
        PID:1060
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9F8F2~1.EXE > nul
        6⤵
        
        PID:3004
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{513A9~1.EXE > nul
        5⤵
        
        PID:2992
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{45189~1.EXE > nul
      4⤵
      PID:2780
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{E5CF7~1.EXE > nul
    3⤵
    PID:2668
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0CB3D2E8-3C07-4f86-8AB1-EF24652E7ACB}.exe

Filesize
192KB

MD5
fd1c3e4d4fa1af2b5a6682db9b8a5267

SHA1
f802f0328c1ea78ea529659964134b6bb0d9aec7

SHA256
28ad6d5ee63a427a10a2b18161994090754429c0d83374c951e1825af8cf60d6

SHA512
9165ba6892152a8dc82d214d8288fd1bc2ed1a4b480e9f0d5e17c33e29b9a5640cf307ff20272c77a378a5c2bccf6e15d0503482bb304093261104c47727da32

Download Submit
C:\Windows\{4518925B-4DFA-43d1-A2AC-03F167574A34}.exe

Filesize
192KB

MD5
28d55286c0728b0e3c5c3854bd582402

SHA1
f35e3e7f07bdde271e74f4cb4602e5c265327065

SHA256
6bc8a6c679be70ff20fb43016753d643c94d48149a368e96b01e46abcb07da11

SHA512
85c22b4e28981204ad45366e513b8a5a62d7ca51a68655b4848f4413b8b4d8a8cfb7c26ca3783e39abd43934027e538d50367037bcbac82f54f2b23fbe49f7a0

Download Submit
C:\Windows\{4CA2E903-6767-4963-866B-43D600791163}.exe

Filesize
192KB

MD5
7de7df2d5978a5347af8ab450b3fab1e

SHA1
01f0c77843e6d404b680dae55967215bae11b087

SHA256
f153519e71292806579a1f461043f0066295e654a3af421e6ed94e1a41bf571a

SHA512
91115bc290d9eeaf28191dfcbb4c8dbee1bc9dfcec22af708754fe8fb9a506ec464212bb74b45650e6ff150e3e63b45dd105739ee21631fb3c3fc57e676eb1b0

Download Submit
C:\Windows\{513A9D43-68EE-4e2a-A18F-2106B77B09AF}.exe

Filesize
192KB

MD5
24a3c9c1b4eba06e9bfe9401a45baba4

SHA1
02c34b6d527d62ed174ada8d15a7e3f2d8ee993a

SHA256
72ae7021cdf40ac1da8aae7dff794326176d745ba82362cbd5fa5d8be4961e72

SHA512
5805e61dc9c6fd8a7ab8f541393d7f5e6c657a83403a758b13625e7b03babdfec34a634451d69408b2746bb731aed6d0752ccf011501b97bd6fef87a3df5447c

Download Submit
C:\Windows\{582E6B54-19E1-4827-A50E-92856706B389}.exe

Filesize
192KB

MD5
70145d32b14528360a41125e7eab62cb

SHA1
cd6a531b6f8d25a4afd367d327a26cf292e7a142

SHA256
e7b2b83f28a7e0b7392fb971d2fe1b192bda1f4f2ecd629417a4edca383a3e8f

SHA512
22684e09ab7df912904800aae7a9d9f6712c7e072a7d79cc9932c959d4aa9a541bde8289b1f514f2adbbe1656267828473058bdabdcc6a9e2f939f665a56842e

Download Submit
C:\Windows\{9F8F27D0-C51D-4d4b-9A9E-5BD047E22027}.exe

Filesize
192KB

MD5
b0e0e4999e45edbadb1c91ea12ee7034

SHA1
cc225b4a44204c5b881e8e5f84e634fe5f7bed75

SHA256
d1ace44690cd3e83e94284b2306659d2d21be0974cffc3fb29c300b9fb2e6e12

SHA512
f04935bc8854a3c6f068261767d58263b6e58b9d0ac03472d5ac7b8dfc5de5264aa574afb53e9bad8040133ed6664636a6f7f2c9f0978541a4d2ce01081e5214

Download Submit
C:\Windows\{A719BBE8-852F-4afb-9A70-B9C1D1EEE585}.exe

Filesize
192KB

MD5
46170cfb1fd9a851ff264e1d353cc1dc

SHA1
a904c131ff2a543bf13ec7f1083306ef8cb9a655

SHA256
412debf710cd02585a1ad739089aea722da3f6e286143becdd94e65d6f9f64c8

SHA512
9d319866d91747a9e4f74e27b0b49f06d6a08d5b6e047b70351f12fa917d306ec2e9188856cb6f3584ce42af46f6c2d2974eb27a2dee1ff3b35fff53cf560df3

Download Submit
C:\Windows\{C2F34BC2-3520-4985-8D17-AD253016D608}.exe

Filesize
192KB

MD5
b40c56048880dfaabdd4a03ea316856a

SHA1
0002149073395f3cd3318a630fa602860ac4aa37

SHA256
b88e9ecb66c90a13b85080fcc20ad9e6b988252e2ee4c3f8a35678b49767825f

SHA512
adc42ac19c14f931f0f245cb3e31a497a4fd725810864bf1da031d379070c2ed3f454df226b34e4f92e8109acfe16cfab63aad071307d661e9e33dedc1689319

Download Submit
C:\Windows\{D643B3EE-66F5-4580-91F8-D813B0AB83A9}.exe

Filesize
192KB

MD5
3ef994c78a5f6d71e23d4180cb6a5d1f

SHA1
35e705bad67a172de5c6f65954e9987e8891c357

SHA256
c88ce995c1d11d74d996c8dba91071268ffd8878c625dd3db43362daf5d81b04

SHA512
7127f420878355d4fbeaf7b03e4f100e39ec4372e5e18d2b4e477d7ff4f49b5674da4b74291ea76f1acb24f434b016329cf39cd62cd999912acf44e78798feea

Download Submit
C:\Windows\{DEE67639-26B5-43b4-BAA0-980E3B2EC54D}.exe

Filesize
192KB

MD5
016a8bdf8ef76529793c3622cbf14465

SHA1
b3cb6f8df00a239af1ef7492edcb05f83b693fe7

SHA256
a6d669c8d8005f267203c7ec31a725a1c87220691bdb4de92e3a1129a357523b

SHA512
cd5597561a58bf05d7d944f8329d808c1fa0355481593452298c7fc13845ffd3186bb1ce759ef66bdc698ae517a1ad3653f6ee9352964b93eb60a3ab9c1699f4

Download Submit
C:\Windows\{E5CF73A1-BF04-4ef0-86D4-728991CB04D8}.exe

Filesize
192KB

MD5
f6becb71dfbfc82c7025b8db7ce390da

SHA1
33a41cc2642868bf67da4b3810810e442eb85d5b

SHA256
5058db2988c8df33d4aa6ad568cf52c68b23ae316f82c36e5c72ebb2e70ece02

SHA512
1cec9a216211d4aaaa4aa4b2896bde616c8d9a710a39fa7ebcff5d77477d0ca4f69e14b3c782796ecaffa6dc92a7ac43fe38d8e2015e89126a4ca0564c919300

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads