ccd1f28296203b60433205d7fe8f7e8a5123cbbec610b41e62f03a81c13dd238

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
18/01/2024, 23:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-18_b70c6bde26ef83834f16076bc248a2d4_goldeneye.exe
Size

168KB
MD5

b70c6bde26ef83834f16076bc248a2d4
SHA1

af748f866f88a5de7a239057a6c54df2e061b843
SHA256

ccd1f28296203b60433205d7fe8f7e8a5123cbbec610b41e62f03a81c13dd238
SHA512

bc496ca2dec7018f321a7cd08c2663a98e94d63efed9cb2c1b2d40a3e55662d6aebd08898143d8b05c1b31b0cc373ad73089e6ef03415d3a7b219c374229b372
SSDEEP

1536:1EGh0oKlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oKlqOPOe2MUVg3Ve+rX

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 13 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023157-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000500000001e5ea-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023243-11.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00060000000233a1-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00060000000234c2-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00080000000233a1-23.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00070000000234c2-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00070000000234c2-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000900000002314a-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000900000002314a-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000900000002314b-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a00000002314a-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d00000002314d-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{916D0B8A-672F-493f-AF91-C961828A7F9C}\stubpath = "C:\\Windows\\{916D0B8A-672F-493f-AF91-C961828A7F9C}.exe"	{F658B13E-604E-4163-8179-47F51F601C63}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6C8B1CD2-6B74-438d-A8EE-55FE0DF20425}\stubpath = "C:\\Windows\\{6C8B1CD2-6B74-438d-A8EE-55FE0DF20425}.exe"	{916D0B8A-672F-493f-AF91-C961828A7F9C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5450E24C-40AF-4c2d-89D4-AFAAFB40A973}	2024-01-18_b70c6bde26ef83834f16076bc248a2d4_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5450E24C-40AF-4c2d-89D4-AFAAFB40A973}\stubpath = "C:\\Windows\\{5450E24C-40AF-4c2d-89D4-AFAAFB40A973}.exe"	2024-01-18_b70c6bde26ef83834f16076bc248a2d4_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{90B8F730-77E3-4af2-9C3B-050242C7C495}	{5450E24C-40AF-4c2d-89D4-AFAAFB40A973}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{90B8F730-77E3-4af2-9C3B-050242C7C495}\stubpath = "C:\\Windows\\{90B8F730-77E3-4af2-9C3B-050242C7C495}.exe"	{5450E24C-40AF-4c2d-89D4-AFAAFB40A973}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{08915AFB-E739-40c6-9ABD-64BE7B275825}\stubpath = "C:\\Windows\\{08915AFB-E739-40c6-9ABD-64BE7B275825}.exe"	{90B8F730-77E3-4af2-9C3B-050242C7C495}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F658B13E-604E-4163-8179-47F51F601C63}	{A27EAA9B-DA9B-4910-BE81-49C4EEA1B233}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8EA9F847-4764-413b-B98B-522CE2D3EACD}\stubpath = "C:\\Windows\\{8EA9F847-4764-413b-B98B-522CE2D3EACD}.exe"	{6C8B1CD2-6B74-438d-A8EE-55FE0DF20425}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6DAE9A63-69F2-4a76-8061-34454AE57D88}	{2896BE92-C7EE-42fb-9200-CF3B731DA4EA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EBD95C00-6402-4208-A295-28C77CFBEE94}\stubpath = "C:\\Windows\\{EBD95C00-6402-4208-A295-28C77CFBEE94}.exe"	{6DAE9A63-69F2-4a76-8061-34454AE57D88}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F658B13E-604E-4163-8179-47F51F601C63}\stubpath = "C:\\Windows\\{F658B13E-604E-4163-8179-47F51F601C63}.exe"	{A27EAA9B-DA9B-4910-BE81-49C4EEA1B233}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2896BE92-C7EE-42fb-9200-CF3B731DA4EA}	{8EA9F847-4764-413b-B98B-522CE2D3EACD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EBD95C00-6402-4208-A295-28C77CFBEE94}	{6DAE9A63-69F2-4a76-8061-34454AE57D88}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A27EAA9B-DA9B-4910-BE81-49C4EEA1B233}\stubpath = "C:\\Windows\\{A27EAA9B-DA9B-4910-BE81-49C4EEA1B233}.exe"	{08915AFB-E739-40c6-9ABD-64BE7B275825}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6C8B1CD2-6B74-438d-A8EE-55FE0DF20425}	{916D0B8A-672F-493f-AF91-C961828A7F9C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2896BE92-C7EE-42fb-9200-CF3B731DA4EA}\stubpath = "C:\\Windows\\{2896BE92-C7EE-42fb-9200-CF3B731DA4EA}.exe"	{8EA9F847-4764-413b-B98B-522CE2D3EACD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6DAE9A63-69F2-4a76-8061-34454AE57D88}\stubpath = "C:\\Windows\\{6DAE9A63-69F2-4a76-8061-34454AE57D88}.exe"	{2896BE92-C7EE-42fb-9200-CF3B731DA4EA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{08915AFB-E739-40c6-9ABD-64BE7B275825}	{90B8F730-77E3-4af2-9C3B-050242C7C495}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A27EAA9B-DA9B-4910-BE81-49C4EEA1B233}	{08915AFB-E739-40c6-9ABD-64BE7B275825}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{916D0B8A-672F-493f-AF91-C961828A7F9C}	{F658B13E-604E-4163-8179-47F51F601C63}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8EA9F847-4764-413b-B98B-522CE2D3EACD}	{6C8B1CD2-6B74-438d-A8EE-55FE0DF20425}.exe

Executes dropped EXE 11 IoCs

pid	Process
3972	{5450E24C-40AF-4c2d-89D4-AFAAFB40A973}.exe
2244	{90B8F730-77E3-4af2-9C3B-050242C7C495}.exe
3704	{08915AFB-E739-40c6-9ABD-64BE7B275825}.exe
1332	{A27EAA9B-DA9B-4910-BE81-49C4EEA1B233}.exe
4440	{F658B13E-604E-4163-8179-47F51F601C63}.exe
3900	{916D0B8A-672F-493f-AF91-C961828A7F9C}.exe
3576	{6C8B1CD2-6B74-438d-A8EE-55FE0DF20425}.exe
4288	{8EA9F847-4764-413b-B98B-522CE2D3EACD}.exe
1964	{2896BE92-C7EE-42fb-9200-CF3B731DA4EA}.exe
2940	{6DAE9A63-69F2-4a76-8061-34454AE57D88}.exe
1044	{EBD95C00-6402-4208-A295-28C77CFBEE94}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{A27EAA9B-DA9B-4910-BE81-49C4EEA1B233}.exe	{08915AFB-E739-40c6-9ABD-64BE7B275825}.exe
File created	C:\Windows\{F658B13E-604E-4163-8179-47F51F601C63}.exe	{A27EAA9B-DA9B-4910-BE81-49C4EEA1B233}.exe
File created	C:\Windows\{916D0B8A-672F-493f-AF91-C961828A7F9C}.exe	{F658B13E-604E-4163-8179-47F51F601C63}.exe
File created	C:\Windows\{6C8B1CD2-6B74-438d-A8EE-55FE0DF20425}.exe	{916D0B8A-672F-493f-AF91-C961828A7F9C}.exe
File created	C:\Windows\{2896BE92-C7EE-42fb-9200-CF3B731DA4EA}.exe	{8EA9F847-4764-413b-B98B-522CE2D3EACD}.exe
File created	C:\Windows\{6DAE9A63-69F2-4a76-8061-34454AE57D88}.exe	{2896BE92-C7EE-42fb-9200-CF3B731DA4EA}.exe
File created	C:\Windows\{5450E24C-40AF-4c2d-89D4-AFAAFB40A973}.exe	2024-01-18_b70c6bde26ef83834f16076bc248a2d4_goldeneye.exe
File created	C:\Windows\{08915AFB-E739-40c6-9ABD-64BE7B275825}.exe	{90B8F730-77E3-4af2-9C3B-050242C7C495}.exe
File created	C:\Windows\{EBD95C00-6402-4208-A295-28C77CFBEE94}.exe	{6DAE9A63-69F2-4a76-8061-34454AE57D88}.exe
File created	C:\Windows\{90B8F730-77E3-4af2-9C3B-050242C7C495}.exe	{5450E24C-40AF-4c2d-89D4-AFAAFB40A973}.exe
File created	C:\Windows\{8EA9F847-4764-413b-B98B-522CE2D3EACD}.exe	{6C8B1CD2-6B74-438d-A8EE-55FE0DF20425}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	5108	2024-01-18_b70c6bde26ef83834f16076bc248a2d4_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3972	{5450E24C-40AF-4c2d-89D4-AFAAFB40A973}.exe
Token: SeIncBasePriorityPrivilege	2244	{90B8F730-77E3-4af2-9C3B-050242C7C495}.exe
Token: SeIncBasePriorityPrivilege	3704	{08915AFB-E739-40c6-9ABD-64BE7B275825}.exe
Token: SeIncBasePriorityPrivilege	1332	{A27EAA9B-DA9B-4910-BE81-49C4EEA1B233}.exe
Token: SeIncBasePriorityPrivilege	4440	{F658B13E-604E-4163-8179-47F51F601C63}.exe
Token: SeIncBasePriorityPrivilege	3900	{916D0B8A-672F-493f-AF91-C961828A7F9C}.exe
Token: SeIncBasePriorityPrivilege	3576	{6C8B1CD2-6B74-438d-A8EE-55FE0DF20425}.exe
Token: SeIncBasePriorityPrivilege	4288	{8EA9F847-4764-413b-B98B-522CE2D3EACD}.exe
Token: SeIncBasePriorityPrivilege	1964	{2896BE92-C7EE-42fb-9200-CF3B731DA4EA}.exe
Token: SeIncBasePriorityPrivilege	2940	{6DAE9A63-69F2-4a76-8061-34454AE57D88}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5108 wrote to memory of 3972	5108	2024-01-18_b70c6bde26ef83834f16076bc248a2d4_goldeneye.exe	103
PID 5108 wrote to memory of 3972	5108	2024-01-18_b70c6bde26ef83834f16076bc248a2d4_goldeneye.exe	103
PID 5108 wrote to memory of 3972	5108	2024-01-18_b70c6bde26ef83834f16076bc248a2d4_goldeneye.exe	103
PID 5108 wrote to memory of 4692	5108	2024-01-18_b70c6bde26ef83834f16076bc248a2d4_goldeneye.exe	102
PID 5108 wrote to memory of 4692	5108	2024-01-18_b70c6bde26ef83834f16076bc248a2d4_goldeneye.exe	102
PID 5108 wrote to memory of 4692	5108	2024-01-18_b70c6bde26ef83834f16076bc248a2d4_goldeneye.exe	102
PID 3972 wrote to memory of 2244	3972	{5450E24C-40AF-4c2d-89D4-AFAAFB40A973}.exe	105
PID 3972 wrote to memory of 2244	3972	{5450E24C-40AF-4c2d-89D4-AFAAFB40A973}.exe	105
PID 3972 wrote to memory of 2244	3972	{5450E24C-40AF-4c2d-89D4-AFAAFB40A973}.exe	105
PID 3972 wrote to memory of 1952	3972	{5450E24C-40AF-4c2d-89D4-AFAAFB40A973}.exe	106
PID 3972 wrote to memory of 1952	3972	{5450E24C-40AF-4c2d-89D4-AFAAFB40A973}.exe	106
PID 3972 wrote to memory of 1952	3972	{5450E24C-40AF-4c2d-89D4-AFAAFB40A973}.exe	106
PID 2244 wrote to memory of 3704	2244	{90B8F730-77E3-4af2-9C3B-050242C7C495}.exe	111
PID 2244 wrote to memory of 3704	2244	{90B8F730-77E3-4af2-9C3B-050242C7C495}.exe	111
PID 2244 wrote to memory of 3704	2244	{90B8F730-77E3-4af2-9C3B-050242C7C495}.exe	111
PID 2244 wrote to memory of 2708	2244	{90B8F730-77E3-4af2-9C3B-050242C7C495}.exe	110
PID 2244 wrote to memory of 2708	2244	{90B8F730-77E3-4af2-9C3B-050242C7C495}.exe	110
PID 2244 wrote to memory of 2708	2244	{90B8F730-77E3-4af2-9C3B-050242C7C495}.exe	110
PID 3704 wrote to memory of 1332	3704	{08915AFB-E739-40c6-9ABD-64BE7B275825}.exe	112
PID 3704 wrote to memory of 1332	3704	{08915AFB-E739-40c6-9ABD-64BE7B275825}.exe	112
PID 3704 wrote to memory of 1332	3704	{08915AFB-E739-40c6-9ABD-64BE7B275825}.exe	112
PID 3704 wrote to memory of 872	3704	{08915AFB-E739-40c6-9ABD-64BE7B275825}.exe	113
PID 3704 wrote to memory of 872	3704	{08915AFB-E739-40c6-9ABD-64BE7B275825}.exe	113
PID 3704 wrote to memory of 872	3704	{08915AFB-E739-40c6-9ABD-64BE7B275825}.exe	113
PID 1332 wrote to memory of 4440	1332	{A27EAA9B-DA9B-4910-BE81-49C4EEA1B233}.exe	116
PID 1332 wrote to memory of 4440	1332	{A27EAA9B-DA9B-4910-BE81-49C4EEA1B233}.exe	116
PID 1332 wrote to memory of 4440	1332	{A27EAA9B-DA9B-4910-BE81-49C4EEA1B233}.exe	116
PID 1332 wrote to memory of 2596	1332	{A27EAA9B-DA9B-4910-BE81-49C4EEA1B233}.exe	115
PID 1332 wrote to memory of 2596	1332	{A27EAA9B-DA9B-4910-BE81-49C4EEA1B233}.exe	115
PID 1332 wrote to memory of 2596	1332	{A27EAA9B-DA9B-4910-BE81-49C4EEA1B233}.exe	115
PID 4440 wrote to memory of 3900	4440	{F658B13E-604E-4163-8179-47F51F601C63}.exe	118
PID 4440 wrote to memory of 3900	4440	{F658B13E-604E-4163-8179-47F51F601C63}.exe	118
PID 4440 wrote to memory of 3900	4440	{F658B13E-604E-4163-8179-47F51F601C63}.exe	118
PID 4440 wrote to memory of 4776	4440	{F658B13E-604E-4163-8179-47F51F601C63}.exe	117
PID 4440 wrote to memory of 4776	4440	{F658B13E-604E-4163-8179-47F51F601C63}.exe	117
PID 4440 wrote to memory of 4776	4440	{F658B13E-604E-4163-8179-47F51F601C63}.exe	117
PID 3900 wrote to memory of 3576	3900	{916D0B8A-672F-493f-AF91-C961828A7F9C}.exe	119
PID 3900 wrote to memory of 3576	3900	{916D0B8A-672F-493f-AF91-C961828A7F9C}.exe	119
PID 3900 wrote to memory of 3576	3900	{916D0B8A-672F-493f-AF91-C961828A7F9C}.exe	119
PID 3900 wrote to memory of 4980	3900	{916D0B8A-672F-493f-AF91-C961828A7F9C}.exe	120
PID 3900 wrote to memory of 4980	3900	{916D0B8A-672F-493f-AF91-C961828A7F9C}.exe	120
PID 3900 wrote to memory of 4980	3900	{916D0B8A-672F-493f-AF91-C961828A7F9C}.exe	120
PID 3576 wrote to memory of 4288	3576	{6C8B1CD2-6B74-438d-A8EE-55FE0DF20425}.exe	131
PID 3576 wrote to memory of 4288	3576	{6C8B1CD2-6B74-438d-A8EE-55FE0DF20425}.exe	131
PID 3576 wrote to memory of 4288	3576	{6C8B1CD2-6B74-438d-A8EE-55FE0DF20425}.exe	131
PID 3576 wrote to memory of 2000	3576	{6C8B1CD2-6B74-438d-A8EE-55FE0DF20425}.exe	130
PID 3576 wrote to memory of 2000	3576	{6C8B1CD2-6B74-438d-A8EE-55FE0DF20425}.exe	130
PID 3576 wrote to memory of 2000	3576	{6C8B1CD2-6B74-438d-A8EE-55FE0DF20425}.exe	130
PID 4288 wrote to memory of 1964	4288	{8EA9F847-4764-413b-B98B-522CE2D3EACD}.exe	133
PID 4288 wrote to memory of 1964	4288	{8EA9F847-4764-413b-B98B-522CE2D3EACD}.exe	133
PID 4288 wrote to memory of 1964	4288	{8EA9F847-4764-413b-B98B-522CE2D3EACD}.exe	133
PID 4288 wrote to memory of 4200	4288	{8EA9F847-4764-413b-B98B-522CE2D3EACD}.exe	132
PID 4288 wrote to memory of 4200	4288	{8EA9F847-4764-413b-B98B-522CE2D3EACD}.exe	132
PID 4288 wrote to memory of 4200	4288	{8EA9F847-4764-413b-B98B-522CE2D3EACD}.exe	132
PID 1964 wrote to memory of 2940	1964	{2896BE92-C7EE-42fb-9200-CF3B731DA4EA}.exe	135
PID 1964 wrote to memory of 2940	1964	{2896BE92-C7EE-42fb-9200-CF3B731DA4EA}.exe	135
PID 1964 wrote to memory of 2940	1964	{2896BE92-C7EE-42fb-9200-CF3B731DA4EA}.exe	135
PID 1964 wrote to memory of 4796	1964	{2896BE92-C7EE-42fb-9200-CF3B731DA4EA}.exe	134
PID 1964 wrote to memory of 4796	1964	{2896BE92-C7EE-42fb-9200-CF3B731DA4EA}.exe	134
PID 1964 wrote to memory of 4796	1964	{2896BE92-C7EE-42fb-9200-CF3B731DA4EA}.exe	134
PID 2940 wrote to memory of 1044	2940	{6DAE9A63-69F2-4a76-8061-34454AE57D88}.exe	139
PID 2940 wrote to memory of 1044	2940	{6DAE9A63-69F2-4a76-8061-34454AE57D88}.exe	139
PID 2940 wrote to memory of 1044	2940	{6DAE9A63-69F2-4a76-8061-34454AE57D88}.exe	139
PID 2940 wrote to memory of 2484	2940	{6DAE9A63-69F2-4a76-8061-34454AE57D88}.exe	138

C:\Users\Admin\AppData\Local\Temp\2024-01-18_b70c6bde26ef83834f16076bc248a2d4_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-18_b70c6bde26ef83834f16076bc248a2d4_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5108
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:4692
- C:\Windows\{5450E24C-40AF-4c2d-89D4-AFAAFB40A973}.exe
  C:\Windows\{5450E24C-40AF-4c2d-89D4-AFAAFB40A973}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3972
- - C:\Windows\{90B8F730-77E3-4af2-9C3B-050242C7C495}.exe
    C:\Windows\{90B8F730-77E3-4af2-9C3B-050242C7C495}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2244
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{90B8F~1.EXE > nul
      4⤵
      PID:2708
  - - C:\Windows\{08915AFB-E739-40c6-9ABD-64BE7B275825}.exe
      C:\Windows\{08915AFB-E739-40c6-9ABD-64BE7B275825}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3704
    - - C:\Windows\{A27EAA9B-DA9B-4910-BE81-49C4EEA1B233}.exe
        
        C:\Windows\{A27EAA9B-DA9B-4910-BE81-49C4EEA1B233}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1332
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A27EA~1.EXE > nul
        6⤵
        
        PID:2596
      - C:\Windows\{F658B13E-604E-4163-8179-47F51F601C63}.exe
        
        C:\Windows\{F658B13E-604E-4163-8179-47F51F601C63}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F658B~1.EXE > nul
        7⤵
        
        PID:4776
        
        C:\Windows\{916D0B8A-672F-493f-AF91-C961828A7F9C}.exe
        
        C:\Windows\{916D0B8A-672F-493f-AF91-C961828A7F9C}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3900
        
        C:\Windows\{6C8B1CD2-6B74-438d-A8EE-55FE0DF20425}.exe
        
        C:\Windows\{6C8B1CD2-6B74-438d-A8EE-55FE0DF20425}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6C8B1~1.EXE > nul
        9⤵
        
        PID:2000
        
        C:\Windows\{8EA9F847-4764-413b-B98B-522CE2D3EACD}.exe
        
        C:\Windows\{8EA9F847-4764-413b-B98B-522CE2D3EACD}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8EA9F~1.EXE > nul
        10⤵
        
        PID:4200
        
        C:\Windows\{2896BE92-C7EE-42fb-9200-CF3B731DA4EA}.exe
        
        C:\Windows\{2896BE92-C7EE-42fb-9200-CF3B731DA4EA}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2896B~1.EXE > nul
        11⤵
        
        PID:4796
        
        C:\Windows\{6DAE9A63-69F2-4a76-8061-34454AE57D88}.exe
        
        C:\Windows\{6DAE9A63-69F2-4a76-8061-34454AE57D88}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6DAE9~1.EXE > nul
        12⤵
        
        PID:2484
        
        C:\Windows\{EBD95C00-6402-4208-A295-28C77CFBEE94}.exe
        
        C:\Windows\{EBD95C00-6402-4208-A295-28C77CFBEE94}.exe
        12⤵
        Executes dropped EXE
        
        PID:1044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{916D0~1.EXE > nul
        8⤵
        
        PID:4980
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{08915~1.EXE > nul
        5⤵
        
        PID:872
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{5450E~1.EXE > nul
    3⤵
    PID:1952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{08915AFB-E739-40c6-9ABD-64BE7B275825}.exe

Filesize
168KB

MD5
bea36155ab691c2735794fc659d1e67f

SHA1
2f3e972f53dcc41146bd0b8a67589aff9219a3aa

SHA256
516f528c950207cf67f0979e59aeb061fdb2ac36d9d25f9808f594b40d34b373

SHA512
667c527646b17df5d40983d706f30771a7db70d0dedd24357f9a7cac1366e83de05636eb9e5ac20268d65f4a8308293d2329af3ee521520b6bf2701273f6ae72

Download Submit
C:\Windows\{2896BE92-C7EE-42fb-9200-CF3B731DA4EA}.exe

Filesize
168KB

MD5
7d472bd904a10d832e8c7873911d3a66

SHA1
c751e8cca39e6e87996256547f037bc7906398d0

SHA256
2eb7f1e91610c18729c2a0c6b935dc58289648bd543eb8899ad09c5d9a85b3be

SHA512
8337805b9b721d9cc181823a6c325b84ac866060535d121e936e851cd0b634cdbd338421b3f076cb311fb2e4aaedad8fe5d5640a45c1e03691132d452415030a

Download Submit
C:\Windows\{5450E24C-40AF-4c2d-89D4-AFAAFB40A973}.exe

Filesize
168KB

MD5
2160767fd216d46f1bc31e755f8cc5ee

SHA1
23fc1abd18349523ee8f2f465b6bbda72d1726a6

SHA256
c2a22ed769ec2e966f2b4cd6b23ef0f517502d9bcbd8999ef0f517ed1dbd343d

SHA512
a1125c33fb1b6d6e7f8c8f8a96f7a7285139e3819194b8827302c114845d4b464a64ccbe024641d6d9eb008f65cac0dd0e5e9a63d16f8bd4ebd755ddec47caab

Download Submit
C:\Windows\{6C8B1CD2-6B74-438d-A8EE-55FE0DF20425}.exe

Filesize
146KB

MD5
b27f0ad2b584a0b56c27419070fe8241

SHA1
062a5e4d43078e2f8d2c2c8b3c87855caec3b334

SHA256
4f4b9c11f9f123aa126e093231c6e4cf9c9b19c2ef17e14ea71d78071c7511b5

SHA512
9b197432c061dadf55b1f084f1ea1ae241d586788f186e1ca8f49d2dd120f3d3070abfb149ba2643a269ad308c7c919a055d34c6102fb21a601fedf285f1563f

Download Submit
C:\Windows\{6C8B1CD2-6B74-438d-A8EE-55FE0DF20425}.exe

Filesize
141KB

MD5
ca695f08742db27194020c0f1d34a48e

SHA1
be22f3509aaf047595596dfd72b76b452ffbc04a

SHA256
f5662a884ea81f4f40291159aa2c397af14f995118ff0127a466c9ba4969d39c

SHA512
ce28f53aab308565333855113f8e7a5677a261d7befcbff497ff943fba13f77a3bdf31b9384650741594d8dc3148a7a6af15b53bcfe32dfe4c32fc0f4b429c8c

Download Submit
C:\Windows\{6DAE9A63-69F2-4a76-8061-34454AE57D88}.exe

Filesize
168KB

MD5
8f719c12f724b9a10867d363909db837

SHA1
86bc666f1620c66cff84dc72d027a0d434f56c2e

SHA256
5afad2e2d966a09deb6d69230e4f9755a3fbcc85d0fc1470884f0b0310745c06

SHA512
7207a06f6ee357b5bd23e4a92b945331a078d9571b8d9f1c6f3b87c20db261c8bbbb0db64014c1c8aedcf476395601df6abad127318b7fc1127dfcaafcd983a5

Download Submit
C:\Windows\{8EA9F847-4764-413b-B98B-522CE2D3EACD}.exe

Filesize
39KB

MD5
9460d4fc1946cdc5ddfc6a6f662c401c

SHA1
a35644d58c3f571d254c6c25577d14d001971dab

SHA256
2a0d58ed4ace03a7a939c0610ef7bc6967a91f2219eadfff8a2c40bae85bd391

SHA512
e153d90270d67c9003cc9ccd154f126fa62c1f8a242f71cc4c5a70ed5d443abd3d78b6d9abc65d316a9c893e91bd996dd6d45d6168432eb107677dbbc6af6f64

Download Submit
C:\Windows\{8EA9F847-4764-413b-B98B-522CE2D3EACD}.exe

Filesize
49KB

MD5
0ae91198b1404162945d9778cbcfe41b

SHA1
ea255b1b19d165301410eb42bd46fa3d0b403dc7

SHA256
051ff06c007d7cb1f682f3f28054a2040db4e884c50a4d1f3fdad93df6db11ca

SHA512
d71a805bfc76eac0a190c616771a45d6d50ae9f92d3ae62922d5f8a9a0d0226cd116a5b6e22ef7c71400426c5d442072315f953a7cd3c1143fffc7333e4d7181

Download Submit
C:\Windows\{90B8F730-77E3-4af2-9C3B-050242C7C495}.exe

Filesize
168KB

MD5
9591e89a882e75c55ab5d4c0baa70e82

SHA1
63b8915f8a8f8c1e2016d3abd16ed7786cf5ff00

SHA256
26475d32ff8cb63c8e39936e3c653eb656f39dca615b08b15e2ad319e85380f7

SHA512
21372c5c39fb6c644d725adf476dd572dc43075c2627d66b8d964a41373ec6b455f15ae3c4e1cbf5bc84a968091254ae5893398841ab42d4bae988a74c7ca6b9

Download Submit
C:\Windows\{916D0B8A-672F-493f-AF91-C961828A7F9C}.exe

Filesize
168KB

MD5
871a5cff708ffb249ab10e85d7a7879f

SHA1
5c9eff306509d601fd09aba9b65b830d9566b92c

SHA256
8ffb8081ec0c0b439c11d7679cb606695f29216542d66f33431373be374e8bba

SHA512
7c352bf296f826ac87e9697eefddd06e3957ab83de7ceec888b82daaa9c839bdc056b87512442f46623156b5fc5f7d505b45b7ac3b296ccd773ac869551a3950

Download Submit
C:\Windows\{A27EAA9B-DA9B-4910-BE81-49C4EEA1B233}.exe

Filesize
168KB

MD5
51281e511b8b92fd84061698888da3cc

SHA1
c29ea80bd7eb1c7e6677c27216f9b44e0a3fdd7a

SHA256
f5b4a74ea87d024d965b95b8dc5af9836f88cebe98c234ade4b7937a2581bd2e

SHA512
a2afee9bf9a0cb2f6b772b50dcf631ab188ad345d16520da7a4011daefe8c4f817950abe7810153ecba6a4244337be6434806c1473deef7289c89d7f562c18e3

Download Submit
C:\Windows\{EBD95C00-6402-4208-A295-28C77CFBEE94}.exe

Filesize
168KB

MD5
3ec44072a8edb6692fb8950ed123ec82

SHA1
9221fff3e770043d2aa5c28ca0dec2696be9a145

SHA256
1fada30a086a23dc0372f0b9a4ad0cf6ed0029eee0b16bf7fefeb52b631e87b8

SHA512
efa494aabf5c1e5d01507c68ad45c911cfae17eb7fe8760052bf37c3c93886ee7cdc68c75c91e304b39cd330c20ecfaf5f7d11d1ddc10416c091d51b800243f8

Download Submit
C:\Windows\{F658B13E-604E-4163-8179-47F51F601C63}.exe

Filesize
168KB

MD5
e86595b2d01c9824ef8a3645d6fe19a0

SHA1
595e4e33cc28f578a0ad95a57770e674009a7901

SHA256
dd817a25618ceb2c73c724941143f9a56ce0795561cb745b050c80fc20efc6fd

SHA512
fa227989aa5073b64f6c66d7fd39ac1104b5d5eaee24437d235b34dd5e9c54a6209d54c7f6cb0b22b1f9634dd4f0285702b8288c7d815f0101df05b3951d8481

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads