85727092dcba96594dd2d98c00ceadc461d0895330cd0e6ff511e05e52a26350

Analysis

max time kernel
144s
max time network
124s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
19/01/2024, 10:15

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-01-19_a4da5c662a060f655f3ccdf2e4e5a360_goldeneye.exe
Size

380KB
MD5

a4da5c662a060f655f3ccdf2e4e5a360
SHA1

69e8d65c53a3292870aa7b946d1b118302fb34dd
SHA256

85727092dcba96594dd2d98c00ceadc461d0895330cd0e6ff511e05e52a26350
SHA512

a26a716994b1d3b2a1f5cf32fd6f39bea64c0f93680f43927bad9bce9999d51e329bd939a86d99d8acdd00cd49251a01d96dfd3e7205d6eb28554429c7d1991a
SSDEEP

3072:mEGh0oElPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGWl7Oe2MUVg3v2IneKcAEcARy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000900000001225c-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002b00000001490f-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0010000000014b50-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000600000000f6f8-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002c00000001490f-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000700000000f6f8-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002d00000001490f-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000800000000f6f8-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002e00000001490f-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000900000000f6f8-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002f00000001490f-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5E8570A3-88D3-495e-BE96-27C2CF800333}	{E42B1251-177E-43ce-86CD-D6EAD25275D8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5E8570A3-88D3-495e-BE96-27C2CF800333}\stubpath = "C:\\Windows\\{5E8570A3-88D3-495e-BE96-27C2CF800333}.exe"	{E42B1251-177E-43ce-86CD-D6EAD25275D8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0B1AF68F-E2B1-4865-8FCA-3250F00CCFBD}\stubpath = "C:\\Windows\\{0B1AF68F-E2B1-4865-8FCA-3250F00CCFBD}.exe"	{5E8570A3-88D3-495e-BE96-27C2CF800333}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A49D6968-2354-446a-AEF5-5B063388EB9B}\stubpath = "C:\\Windows\\{A49D6968-2354-446a-AEF5-5B063388EB9B}.exe"	{E7FBCAAB-612C-4a46-B056-0D2D5B17D4E6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6A38592E-1D2F-4adc-BB20-B81B5AEA68DB}	{285D144E-C963-4724-9BAB-5D0945FD523A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6A38592E-1D2F-4adc-BB20-B81B5AEA68DB}\stubpath = "C:\\Windows\\{6A38592E-1D2F-4adc-BB20-B81B5AEA68DB}.exe"	{285D144E-C963-4724-9BAB-5D0945FD523A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{245B8006-EDB7-4800-AF10-7250E8DD9FD3}	{6A38592E-1D2F-4adc-BB20-B81B5AEA68DB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{05C7DA11-75AC-4fa5-B441-6A3FB3E0714C}	{245B8006-EDB7-4800-AF10-7250E8DD9FD3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{05C7DA11-75AC-4fa5-B441-6A3FB3E0714C}\stubpath = "C:\\Windows\\{05C7DA11-75AC-4fa5-B441-6A3FB3E0714C}.exe"	{245B8006-EDB7-4800-AF10-7250E8DD9FD3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E7FBCAAB-612C-4a46-B056-0D2D5B17D4E6}	{05C7DA11-75AC-4fa5-B441-6A3FB3E0714C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A49D6968-2354-446a-AEF5-5B063388EB9B}	{E7FBCAAB-612C-4a46-B056-0D2D5B17D4E6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E42B1251-177E-43ce-86CD-D6EAD25275D8}	{A49D6968-2354-446a-AEF5-5B063388EB9B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E42B1251-177E-43ce-86CD-D6EAD25275D8}\stubpath = "C:\\Windows\\{E42B1251-177E-43ce-86CD-D6EAD25275D8}.exe"	{A49D6968-2354-446a-AEF5-5B063388EB9B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0B1AF68F-E2B1-4865-8FCA-3250F00CCFBD}	{5E8570A3-88D3-495e-BE96-27C2CF800333}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D6AA2722-E214-45c2-8902-DE3B91A8B8A8}	2024-01-19_a4da5c662a060f655f3ccdf2e4e5a360_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D6AA2722-E214-45c2-8902-DE3B91A8B8A8}\stubpath = "C:\\Windows\\{D6AA2722-E214-45c2-8902-DE3B91A8B8A8}.exe"	2024-01-19_a4da5c662a060f655f3ccdf2e4e5a360_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{285D144E-C963-4724-9BAB-5D0945FD523A}	{D6AA2722-E214-45c2-8902-DE3B91A8B8A8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{207760EC-4D2F-416a-B43D-1E001727EC7A}\stubpath = "C:\\Windows\\{207760EC-4D2F-416a-B43D-1E001727EC7A}.exe"	{0B1AF68F-E2B1-4865-8FCA-3250F00CCFBD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{285D144E-C963-4724-9BAB-5D0945FD523A}\stubpath = "C:\\Windows\\{285D144E-C963-4724-9BAB-5D0945FD523A}.exe"	{D6AA2722-E214-45c2-8902-DE3B91A8B8A8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{245B8006-EDB7-4800-AF10-7250E8DD9FD3}\stubpath = "C:\\Windows\\{245B8006-EDB7-4800-AF10-7250E8DD9FD3}.exe"	{6A38592E-1D2F-4adc-BB20-B81B5AEA68DB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E7FBCAAB-612C-4a46-B056-0D2D5B17D4E6}\stubpath = "C:\\Windows\\{E7FBCAAB-612C-4a46-B056-0D2D5B17D4E6}.exe"	{05C7DA11-75AC-4fa5-B441-6A3FB3E0714C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{207760EC-4D2F-416a-B43D-1E001727EC7A}	{0B1AF68F-E2B1-4865-8FCA-3250F00CCFBD}.exe

Deletes itself 1 IoCs

pid	Process
2708	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2436	{D6AA2722-E214-45c2-8902-DE3B91A8B8A8}.exe
1076	{285D144E-C963-4724-9BAB-5D0945FD523A}.exe
2688	{6A38592E-1D2F-4adc-BB20-B81B5AEA68DB}.exe
1912	{245B8006-EDB7-4800-AF10-7250E8DD9FD3}.exe
1588	{05C7DA11-75AC-4fa5-B441-6A3FB3E0714C}.exe
2884	{E7FBCAAB-612C-4a46-B056-0D2D5B17D4E6}.exe
2924	{A49D6968-2354-446a-AEF5-5B063388EB9B}.exe
1620	{E42B1251-177E-43ce-86CD-D6EAD25275D8}.exe
1280	{5E8570A3-88D3-495e-BE96-27C2CF800333}.exe
2380	{0B1AF68F-E2B1-4865-8FCA-3250F00CCFBD}.exe
2288	{207760EC-4D2F-416a-B43D-1E001727EC7A}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{207760EC-4D2F-416a-B43D-1E001727EC7A}.exe	{0B1AF68F-E2B1-4865-8FCA-3250F00CCFBD}.exe
File created	C:\Windows\{6A38592E-1D2F-4adc-BB20-B81B5AEA68DB}.exe	{285D144E-C963-4724-9BAB-5D0945FD523A}.exe
File created	C:\Windows\{245B8006-EDB7-4800-AF10-7250E8DD9FD3}.exe	{6A38592E-1D2F-4adc-BB20-B81B5AEA68DB}.exe
File created	C:\Windows\{05C7DA11-75AC-4fa5-B441-6A3FB3E0714C}.exe	{245B8006-EDB7-4800-AF10-7250E8DD9FD3}.exe
File created	C:\Windows\{E7FBCAAB-612C-4a46-B056-0D2D5B17D4E6}.exe	{05C7DA11-75AC-4fa5-B441-6A3FB3E0714C}.exe
File created	C:\Windows\{A49D6968-2354-446a-AEF5-5B063388EB9B}.exe	{E7FBCAAB-612C-4a46-B056-0D2D5B17D4E6}.exe
File created	C:\Windows\{D6AA2722-E214-45c2-8902-DE3B91A8B8A8}.exe	2024-01-19_a4da5c662a060f655f3ccdf2e4e5a360_goldeneye.exe
File created	C:\Windows\{285D144E-C963-4724-9BAB-5D0945FD523A}.exe	{D6AA2722-E214-45c2-8902-DE3B91A8B8A8}.exe
File created	C:\Windows\{E42B1251-177E-43ce-86CD-D6EAD25275D8}.exe	{A49D6968-2354-446a-AEF5-5B063388EB9B}.exe
File created	C:\Windows\{5E8570A3-88D3-495e-BE96-27C2CF800333}.exe	{E42B1251-177E-43ce-86CD-D6EAD25275D8}.exe
File created	C:\Windows\{0B1AF68F-E2B1-4865-8FCA-3250F00CCFBD}.exe	{5E8570A3-88D3-495e-BE96-27C2CF800333}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2004	2024-01-19_a4da5c662a060f655f3ccdf2e4e5a360_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2436	{D6AA2722-E214-45c2-8902-DE3B91A8B8A8}.exe
Token: SeIncBasePriorityPrivilege	1076	{285D144E-C963-4724-9BAB-5D0945FD523A}.exe
Token: SeIncBasePriorityPrivilege	2688	{6A38592E-1D2F-4adc-BB20-B81B5AEA68DB}.exe
Token: SeIncBasePriorityPrivilege	1912	{245B8006-EDB7-4800-AF10-7250E8DD9FD3}.exe
Token: SeIncBasePriorityPrivilege	1588	{05C7DA11-75AC-4fa5-B441-6A3FB3E0714C}.exe
Token: SeIncBasePriorityPrivilege	2884	{E7FBCAAB-612C-4a46-B056-0D2D5B17D4E6}.exe
Token: SeIncBasePriorityPrivilege	2924	{A49D6968-2354-446a-AEF5-5B063388EB9B}.exe
Token: SeIncBasePriorityPrivilege	1620	{E42B1251-177E-43ce-86CD-D6EAD25275D8}.exe
Token: SeIncBasePriorityPrivilege	1280	{5E8570A3-88D3-495e-BE96-27C2CF800333}.exe
Token: SeIncBasePriorityPrivilege	2380	{0B1AF68F-E2B1-4865-8FCA-3250F00CCFBD}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2004 wrote to memory of 2436	2004	2024-01-19_a4da5c662a060f655f3ccdf2e4e5a360_goldeneye.exe	28
PID 2004 wrote to memory of 2436	2004	2024-01-19_a4da5c662a060f655f3ccdf2e4e5a360_goldeneye.exe	28
PID 2004 wrote to memory of 2436	2004	2024-01-19_a4da5c662a060f655f3ccdf2e4e5a360_goldeneye.exe	28
PID 2004 wrote to memory of 2436	2004	2024-01-19_a4da5c662a060f655f3ccdf2e4e5a360_goldeneye.exe	28
PID 2004 wrote to memory of 2708	2004	2024-01-19_a4da5c662a060f655f3ccdf2e4e5a360_goldeneye.exe	29
PID 2004 wrote to memory of 2708	2004	2024-01-19_a4da5c662a060f655f3ccdf2e4e5a360_goldeneye.exe	29
PID 2004 wrote to memory of 2708	2004	2024-01-19_a4da5c662a060f655f3ccdf2e4e5a360_goldeneye.exe	29
PID 2004 wrote to memory of 2708	2004	2024-01-19_a4da5c662a060f655f3ccdf2e4e5a360_goldeneye.exe	29
PID 2436 wrote to memory of 1076	2436	{D6AA2722-E214-45c2-8902-DE3B91A8B8A8}.exe	30
PID 2436 wrote to memory of 1076	2436	{D6AA2722-E214-45c2-8902-DE3B91A8B8A8}.exe	30
PID 2436 wrote to memory of 1076	2436	{D6AA2722-E214-45c2-8902-DE3B91A8B8A8}.exe	30
PID 2436 wrote to memory of 1076	2436	{D6AA2722-E214-45c2-8902-DE3B91A8B8A8}.exe	30
PID 2436 wrote to memory of 2820	2436	{D6AA2722-E214-45c2-8902-DE3B91A8B8A8}.exe	31
PID 2436 wrote to memory of 2820	2436	{D6AA2722-E214-45c2-8902-DE3B91A8B8A8}.exe	31
PID 2436 wrote to memory of 2820	2436	{D6AA2722-E214-45c2-8902-DE3B91A8B8A8}.exe	31
PID 2436 wrote to memory of 2820	2436	{D6AA2722-E214-45c2-8902-DE3B91A8B8A8}.exe	31
PID 1076 wrote to memory of 2688	1076	{285D144E-C963-4724-9BAB-5D0945FD523A}.exe	35
PID 1076 wrote to memory of 2688	1076	{285D144E-C963-4724-9BAB-5D0945FD523A}.exe	35
PID 1076 wrote to memory of 2688	1076	{285D144E-C963-4724-9BAB-5D0945FD523A}.exe	35
PID 1076 wrote to memory of 2688	1076	{285D144E-C963-4724-9BAB-5D0945FD523A}.exe	35
PID 1076 wrote to memory of 3052	1076	{285D144E-C963-4724-9BAB-5D0945FD523A}.exe	34
PID 1076 wrote to memory of 3052	1076	{285D144E-C963-4724-9BAB-5D0945FD523A}.exe	34
PID 1076 wrote to memory of 3052	1076	{285D144E-C963-4724-9BAB-5D0945FD523A}.exe	34
PID 1076 wrote to memory of 3052	1076	{285D144E-C963-4724-9BAB-5D0945FD523A}.exe	34
PID 2688 wrote to memory of 1912	2688	{6A38592E-1D2F-4adc-BB20-B81B5AEA68DB}.exe	36
PID 2688 wrote to memory of 1912	2688	{6A38592E-1D2F-4adc-BB20-B81B5AEA68DB}.exe	36
PID 2688 wrote to memory of 1912	2688	{6A38592E-1D2F-4adc-BB20-B81B5AEA68DB}.exe	36
PID 2688 wrote to memory of 1912	2688	{6A38592E-1D2F-4adc-BB20-B81B5AEA68DB}.exe	36
PID 2688 wrote to memory of 676	2688	{6A38592E-1D2F-4adc-BB20-B81B5AEA68DB}.exe	37
PID 2688 wrote to memory of 676	2688	{6A38592E-1D2F-4adc-BB20-B81B5AEA68DB}.exe	37
PID 2688 wrote to memory of 676	2688	{6A38592E-1D2F-4adc-BB20-B81B5AEA68DB}.exe	37
PID 2688 wrote to memory of 676	2688	{6A38592E-1D2F-4adc-BB20-B81B5AEA68DB}.exe	37
PID 1912 wrote to memory of 1588	1912	{245B8006-EDB7-4800-AF10-7250E8DD9FD3}.exe	39
PID 1912 wrote to memory of 1588	1912	{245B8006-EDB7-4800-AF10-7250E8DD9FD3}.exe	39
PID 1912 wrote to memory of 1588	1912	{245B8006-EDB7-4800-AF10-7250E8DD9FD3}.exe	39
PID 1912 wrote to memory of 1588	1912	{245B8006-EDB7-4800-AF10-7250E8DD9FD3}.exe	39
PID 1912 wrote to memory of 764	1912	{245B8006-EDB7-4800-AF10-7250E8DD9FD3}.exe	38
PID 1912 wrote to memory of 764	1912	{245B8006-EDB7-4800-AF10-7250E8DD9FD3}.exe	38
PID 1912 wrote to memory of 764	1912	{245B8006-EDB7-4800-AF10-7250E8DD9FD3}.exe	38
PID 1912 wrote to memory of 764	1912	{245B8006-EDB7-4800-AF10-7250E8DD9FD3}.exe	38
PID 1588 wrote to memory of 2884	1588	{05C7DA11-75AC-4fa5-B441-6A3FB3E0714C}.exe	40
PID 1588 wrote to memory of 2884	1588	{05C7DA11-75AC-4fa5-B441-6A3FB3E0714C}.exe	40
PID 1588 wrote to memory of 2884	1588	{05C7DA11-75AC-4fa5-B441-6A3FB3E0714C}.exe	40
PID 1588 wrote to memory of 2884	1588	{05C7DA11-75AC-4fa5-B441-6A3FB3E0714C}.exe	40
PID 1588 wrote to memory of 2504	1588	{05C7DA11-75AC-4fa5-B441-6A3FB3E0714C}.exe	41
PID 1588 wrote to memory of 2504	1588	{05C7DA11-75AC-4fa5-B441-6A3FB3E0714C}.exe	41
PID 1588 wrote to memory of 2504	1588	{05C7DA11-75AC-4fa5-B441-6A3FB3E0714C}.exe	41
PID 1588 wrote to memory of 2504	1588	{05C7DA11-75AC-4fa5-B441-6A3FB3E0714C}.exe	41
PID 2884 wrote to memory of 2924	2884	{E7FBCAAB-612C-4a46-B056-0D2D5B17D4E6}.exe	42
PID 2884 wrote to memory of 2924	2884	{E7FBCAAB-612C-4a46-B056-0D2D5B17D4E6}.exe	42
PID 2884 wrote to memory of 2924	2884	{E7FBCAAB-612C-4a46-B056-0D2D5B17D4E6}.exe	42
PID 2884 wrote to memory of 2924	2884	{E7FBCAAB-612C-4a46-B056-0D2D5B17D4E6}.exe	42
PID 2884 wrote to memory of 1648	2884	{E7FBCAAB-612C-4a46-B056-0D2D5B17D4E6}.exe	43
PID 2884 wrote to memory of 1648	2884	{E7FBCAAB-612C-4a46-B056-0D2D5B17D4E6}.exe	43
PID 2884 wrote to memory of 1648	2884	{E7FBCAAB-612C-4a46-B056-0D2D5B17D4E6}.exe	43
PID 2884 wrote to memory of 1648	2884	{E7FBCAAB-612C-4a46-B056-0D2D5B17D4E6}.exe	43
PID 2924 wrote to memory of 1620	2924	{A49D6968-2354-446a-AEF5-5B063388EB9B}.exe	44
PID 2924 wrote to memory of 1620	2924	{A49D6968-2354-446a-AEF5-5B063388EB9B}.exe	44
PID 2924 wrote to memory of 1620	2924	{A49D6968-2354-446a-AEF5-5B063388EB9B}.exe	44
PID 2924 wrote to memory of 1620	2924	{A49D6968-2354-446a-AEF5-5B063388EB9B}.exe	44
PID 2924 wrote to memory of 1480	2924	{A49D6968-2354-446a-AEF5-5B063388EB9B}.exe	45
PID 2924 wrote to memory of 1480	2924	{A49D6968-2354-446a-AEF5-5B063388EB9B}.exe	45
PID 2924 wrote to memory of 1480	2924	{A49D6968-2354-446a-AEF5-5B063388EB9B}.exe	45
PID 2924 wrote to memory of 1480	2924	{A49D6968-2354-446a-AEF5-5B063388EB9B}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-01-19_a4da5c662a060f655f3ccdf2e4e5a360_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-19_a4da5c662a060f655f3ccdf2e4e5a360_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2004
- C:\Windows\{D6AA2722-E214-45c2-8902-DE3B91A8B8A8}.exe
  C:\Windows\{D6AA2722-E214-45c2-8902-DE3B91A8B8A8}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2436
- - C:\Windows\{285D144E-C963-4724-9BAB-5D0945FD523A}.exe
    C:\Windows\{285D144E-C963-4724-9BAB-5D0945FD523A}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1076
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{285D1~1.EXE > nul
      4⤵
      PID:3052
  - - C:\Windows\{6A38592E-1D2F-4adc-BB20-B81B5AEA68DB}.exe
      C:\Windows\{6A38592E-1D2F-4adc-BB20-B81B5AEA68DB}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2688
    - - C:\Windows\{245B8006-EDB7-4800-AF10-7250E8DD9FD3}.exe
        
        C:\Windows\{245B8006-EDB7-4800-AF10-7250E8DD9FD3}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1912
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{245B8~1.EXE > nul
        6⤵
        
        PID:764
      - C:\Windows\{05C7DA11-75AC-4fa5-B441-6A3FB3E0714C}.exe
        
        C:\Windows\{05C7DA11-75AC-4fa5-B441-6A3FB3E0714C}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1588
        
        C:\Windows\{E7FBCAAB-612C-4a46-B056-0D2D5B17D4E6}.exe
        
        C:\Windows\{E7FBCAAB-612C-4a46-B056-0D2D5B17D4E6}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2884
        
        C:\Windows\{A49D6968-2354-446a-AEF5-5B063388EB9B}.exe
        
        C:\Windows\{A49D6968-2354-446a-AEF5-5B063388EB9B}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2924
        
        C:\Windows\{E42B1251-177E-43ce-86CD-D6EAD25275D8}.exe
        
        C:\Windows\{E42B1251-177E-43ce-86CD-D6EAD25275D8}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1620
        
        C:\Windows\{5E8570A3-88D3-495e-BE96-27C2CF800333}.exe
        
        C:\Windows\{5E8570A3-88D3-495e-BE96-27C2CF800333}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5E857~1.EXE > nul
        11⤵
        
        PID:2216
        
        C:\Windows\{0B1AF68F-E2B1-4865-8FCA-3250F00CCFBD}.exe
        
        C:\Windows\{0B1AF68F-E2B1-4865-8FCA-3250F00CCFBD}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2380
        
        C:\Windows\{207760EC-4D2F-416a-B43D-1E001727EC7A}.exe
        
        C:\Windows\{207760EC-4D2F-416a-B43D-1E001727EC7A}.exe
        12⤵
        Executes dropped EXE
        
        PID:2288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0B1AF~1.EXE > nul
        12⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E42B1~1.EXE > nul
        10⤵
        
        PID:1108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A49D6~1.EXE > nul
        9⤵
        
        PID:1480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E7FBC~1.EXE > nul
        8⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{05C7D~1.EXE > nul
        7⤵
        
        PID:2504
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6A385~1.EXE > nul
        5⤵
        
        PID:676
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{D6AA2~1.EXE > nul
    3⤵
    PID:2820
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{05C7DA11-75AC-4fa5-B441-6A3FB3E0714C}.exe

Filesize
380KB

MD5
1b2ea72706f0b7237d04f657275b5cd5

SHA1
b16fabb1d8370627266bfb2500d58d573a60e59d

SHA256
204761bcf06fa995d7f97d824d2e251a88de8c99c8f4ad72bcec9650bb5888ef

SHA512
a8a5742969582864611f9b46ccd50cce7f74d38f1091c228648ac0a6b8270c048f26785c9831b7867d8dac9388c7138fd8b4a2e1624da58ba05ffa56334498f0

Download Submit
C:\Windows\{0B1AF68F-E2B1-4865-8FCA-3250F00CCFBD}.exe

Filesize
380KB

MD5
8c125fa90b299146368cfb8a7e6ffcfd

SHA1
9c77e207c6d9ed3af7d346eaa731b86ec09ea07e

SHA256
50c046adb1e9d386493cd2f88d88d86e86b5bb7388dbde260609ce15186ef15f

SHA512
531f431b4a7407baf0f2c63be10b9cdf5db252e625f946f61f30c8114a786c53365226239916f71923bf82237886bf0d62008f9b5b618c6c29d62ece61a56280

Download Submit
C:\Windows\{207760EC-4D2F-416a-B43D-1E001727EC7A}.exe

Filesize
380KB

MD5
7a2a28be431f23cd5486012618f2f68a

SHA1
3fa956d58e4c3f08d9b2dddfea47543ea1664102

SHA256
26b5c82c62bcb8b526e17cc625a13403c552ea8f259cd323a843d8f29aca99b2

SHA512
3fb5c8987ee67599074af0c77d6182e99c587c44cf69c706b7b81025c5d090ad5a6f754dc86e11d8f9de8a650ea6b3fef85c09f49e764cdaa60c384f15bdc10b

Download Submit
C:\Windows\{245B8006-EDB7-4800-AF10-7250E8DD9FD3}.exe

Filesize
380KB

MD5
fedbae602a09d2c11ae43a3de8985eef

SHA1
3629e5654b87357dabcca48325646ceb29833ad3

SHA256
7a0c97418495d7c93eb48f90d16e5483d5f70dee4f2aa9acc05cbd042b6f06cb

SHA512
68e17a58b3f5fc84d24c515f6053be17d14b3bd2edf86a74cca9a23c219cc609e96fda861b66c77d326923ff3a0742e08795f29ec99246a8d7cf7be9d2aa3112

Download Submit
C:\Windows\{285D144E-C963-4724-9BAB-5D0945FD523A}.exe

Filesize
380KB

MD5
c12d54bda08dd8e68d63911f76d9e550

SHA1
05d7ae7c13679b943940704efc48043b58ce6e15

SHA256
584ac42894cbaa43f91920a27be3423eb8ba4cefec5e3a682bfce9ff025b712f

SHA512
c1a28f0887d3590e45efb34fc3b9ff2d22e13946e72ef8e8e636e1a2519fd73595f217a445d3ef106210b24c6527665e3780adb3ea2ba57dff294c65dbc16f00

Download Submit
C:\Windows\{5E8570A3-88D3-495e-BE96-27C2CF800333}.exe

Filesize
380KB

MD5
ce65dccd67d0df7771b5afcd7f22606b

SHA1
82353a4312c29692b78b61a6b3d5a63ec36d2935

SHA256
276217b2992e52dbdcb1096313c30f6f8d903ba070b354ce9f2de17e252e63da

SHA512
123df39162ceefde45caa3344729253092a21d253d6cba60d533d353f5c359a1efc3dda40ded6d0e2498c01c0207c71a5ca4556cf16c763b593234ac331382d2

Download Submit
C:\Windows\{6A38592E-1D2F-4adc-BB20-B81B5AEA68DB}.exe

Filesize
380KB

MD5
9f11552eada5b98976f3232ff3e12298

SHA1
3f7f697a1fb77ab9063d2cdb4a1a7e119d80a099

SHA256
4626e2397c7b138f8b05426a9c43e15094981951320ba289d294957191460b97

SHA512
bda58097594e872f4934fbbfa7f6f2435beb1a00d77fe4802f3985d8072f2bb10c86323f932f17daec11b953b4b1a9ffe1e4e7a20c8ff82bf6f18eec3e72b537

Download Submit
C:\Windows\{A49D6968-2354-446a-AEF5-5B063388EB9B}.exe

Filesize
380KB

MD5
d0ce1e4879469b43ac605668f4bd5ae0

SHA1
eb6166f7ad6e40e70764c2f58a04e85b9fdc8d46

SHA256
1247bb7080fa807887c1fe4f7e8fac78a988b11fe5d568a5da21cc3750657a9f

SHA512
8c2da896289b2a5539f9776e77e22cb1737298546da88d37368561b969c79c48defca922181c5969adf04e8d09013d63a4dbe88db266486aeb3fcce49b2415ff

Download Submit
C:\Windows\{D6AA2722-E214-45c2-8902-DE3B91A8B8A8}.exe

Filesize
380KB

MD5
cf7c6058840fc9f2478282ece64b0c51

SHA1
2ac2417e387583b1c800b5b7252e35a08c9779e4

SHA256
193345290865274f2c9c13158df0d634fb907199821a9c9dda8a4c3cce6bffdf

SHA512
104263180ebccb20ad49dd6c82080c02b4fb3a7f70ac950a3f3e2916b4833048d9f71d383f0aaf415705c0825a1b0bb896d374d026753ccfe7aee3e69c5cab3a

Download Submit
C:\Windows\{E42B1251-177E-43ce-86CD-D6EAD25275D8}.exe

Filesize
380KB

MD5
a348d45c45926db49569c3545cb92ab3

SHA1
e558c2a9907b915648ea678621f33fdb0935de56

SHA256
b4a42172622716fba21217ac514c129f4cdfb596617155f4025e483a925fd457

SHA512
df49882ba8ca7560f535798602c1c30083d83aa16110f3adf40835603a4b2812f753496476e480f3802ece7a5a9f8273ab347e71db1176f7f26ca87da45fe9a0

Download Submit
C:\Windows\{E7FBCAAB-612C-4a46-B056-0D2D5B17D4E6}.exe

Filesize
380KB

MD5
d939c641f4e776b311e2b13618f73481

SHA1
8f4946ca69590d8f6e718e06e9cf353afaad3b35

SHA256
66513f2cd7809cf8b8d122828228a9d2bd698cd035cf8f795e43cdfa127b0f6c

SHA512
a962c18bd0e2ee861c0c08bddc9f13f5be93f60842213e7aa9dd1f820f6bd0f69378f3ebe86132b20c6762e71f9db134add8353bc7fd62e02af0ce580bfcba37

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads