c99067bf081e407c232e594d2a1f0cb844aaaf5e3fcc99a38296b15777d68c78

Analysis

max time kernel
144s
max time network
117s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
24/01/2024, 19:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-24_a274098e8b0890d6ca9541ee0153ea36_goldeneye.exe
Size

197KB
MD5

a274098e8b0890d6ca9541ee0153ea36
SHA1

f2e604b9be64480dcc565211d201f9c19a598ac3
SHA256

c99067bf081e407c232e594d2a1f0cb844aaaf5e3fcc99a38296b15777d68c78
SHA512

0f8464cd5175d56ad507d0df26057f0b4e59922bdf6af8648671171231c8f56c228c21fb124ea8174dcd14d7d19831d37297292b31e86c6feb3a9117ecbe5a67
SSDEEP

3072:jEGh0oGl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGElEeKcAEca

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000b000000012251-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b000000015d81-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000012251-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00320000000164cc-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00330000000164cc-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0031000000016558-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0032000000016558-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{01CDB790-5941-4bc3-9187-6AD4C20A4378}	2024-01-24_a274098e8b0890d6ca9541ee0153ea36_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5F9277D6-5AFD-49f8-94C6-8FAAABD7A453}\stubpath = "C:\\Windows\\{5F9277D6-5AFD-49f8-94C6-8FAAABD7A453}.exe"	{B75F9FB4-156E-4768-AAF3-D00C05B90D26}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9FFECE86-A06A-4420-8531-CE55EB6DFA43}	{5F9277D6-5AFD-49f8-94C6-8FAAABD7A453}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8A57BE42-C9B5-44bf-BC85-F17E6DAAC148}\stubpath = "C:\\Windows\\{8A57BE42-C9B5-44bf-BC85-F17E6DAAC148}.exe"	{6FFCD0AF-0D0D-4080-95DA-8B48049C1696}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{98E313BF-C675-4d78-9A68-A5D551FDE537}	{8A57BE42-C9B5-44bf-BC85-F17E6DAAC148}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D9292092-941F-4481-9EF5-3359A5D7EDDB}	{221D161E-3E16-44af-B0CA-ED4EF195885D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B75F9FB4-156E-4768-AAF3-D00C05B90D26}	{01CDB790-5941-4bc3-9187-6AD4C20A4378}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8A57BE42-C9B5-44bf-BC85-F17E6DAAC148}	{6FFCD0AF-0D0D-4080-95DA-8B48049C1696}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{221D161E-3E16-44af-B0CA-ED4EF195885D}\stubpath = "C:\\Windows\\{221D161E-3E16-44af-B0CA-ED4EF195885D}.exe"	{98E313BF-C675-4d78-9A68-A5D551FDE537}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{01CDB790-5941-4bc3-9187-6AD4C20A4378}\stubpath = "C:\\Windows\\{01CDB790-5941-4bc3-9187-6AD4C20A4378}.exe"	2024-01-24_a274098e8b0890d6ca9541ee0153ea36_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B75F9FB4-156E-4768-AAF3-D00C05B90D26}\stubpath = "C:\\Windows\\{B75F9FB4-156E-4768-AAF3-D00C05B90D26}.exe"	{01CDB790-5941-4bc3-9187-6AD4C20A4378}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9FFECE86-A06A-4420-8531-CE55EB6DFA43}\stubpath = "C:\\Windows\\{9FFECE86-A06A-4420-8531-CE55EB6DFA43}.exe"	{5F9277D6-5AFD-49f8-94C6-8FAAABD7A453}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8A1A2538-A774-458c-9DF7-8248B396C4A5}	{9FFECE86-A06A-4420-8531-CE55EB6DFA43}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{63FDE112-7968-4c3c-9789-93C5BD1EB0E7}\stubpath = "C:\\Windows\\{63FDE112-7968-4c3c-9789-93C5BD1EB0E7}.exe"	{8A1A2538-A774-458c-9DF7-8248B396C4A5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{98E313BF-C675-4d78-9A68-A5D551FDE537}\stubpath = "C:\\Windows\\{98E313BF-C675-4d78-9A68-A5D551FDE537}.exe"	{8A57BE42-C9B5-44bf-BC85-F17E6DAAC148}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{221D161E-3E16-44af-B0CA-ED4EF195885D}	{98E313BF-C675-4d78-9A68-A5D551FDE537}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D9292092-941F-4481-9EF5-3359A5D7EDDB}\stubpath = "C:\\Windows\\{D9292092-941F-4481-9EF5-3359A5D7EDDB}.exe"	{221D161E-3E16-44af-B0CA-ED4EF195885D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5F9277D6-5AFD-49f8-94C6-8FAAABD7A453}	{B75F9FB4-156E-4768-AAF3-D00C05B90D26}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8A1A2538-A774-458c-9DF7-8248B396C4A5}\stubpath = "C:\\Windows\\{8A1A2538-A774-458c-9DF7-8248B396C4A5}.exe"	{9FFECE86-A06A-4420-8531-CE55EB6DFA43}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{63FDE112-7968-4c3c-9789-93C5BD1EB0E7}	{8A1A2538-A774-458c-9DF7-8248B396C4A5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6FFCD0AF-0D0D-4080-95DA-8B48049C1696}	{63FDE112-7968-4c3c-9789-93C5BD1EB0E7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6FFCD0AF-0D0D-4080-95DA-8B48049C1696}\stubpath = "C:\\Windows\\{6FFCD0AF-0D0D-4080-95DA-8B48049C1696}.exe"	{63FDE112-7968-4c3c-9789-93C5BD1EB0E7}.exe

Deletes itself 1 IoCs

pid	Process
2676	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2316	{01CDB790-5941-4bc3-9187-6AD4C20A4378}.exe
2664	{B75F9FB4-156E-4768-AAF3-D00C05B90D26}.exe
2556	{5F9277D6-5AFD-49f8-94C6-8FAAABD7A453}.exe
2408	{9FFECE86-A06A-4420-8531-CE55EB6DFA43}.exe
3064	{8A1A2538-A774-458c-9DF7-8248B396C4A5}.exe
1012	{63FDE112-7968-4c3c-9789-93C5BD1EB0E7}.exe
2748	{6FFCD0AF-0D0D-4080-95DA-8B48049C1696}.exe
852	{8A57BE42-C9B5-44bf-BC85-F17E6DAAC148}.exe
532	{98E313BF-C675-4d78-9A68-A5D551FDE537}.exe
2628	{221D161E-3E16-44af-B0CA-ED4EF195885D}.exe
1392	{D9292092-941F-4481-9EF5-3359A5D7EDDB}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{8A1A2538-A774-458c-9DF7-8248B396C4A5}.exe	{9FFECE86-A06A-4420-8531-CE55EB6DFA43}.exe
File created	C:\Windows\{221D161E-3E16-44af-B0CA-ED4EF195885D}.exe	{98E313BF-C675-4d78-9A68-A5D551FDE537}.exe
File created	C:\Windows\{01CDB790-5941-4bc3-9187-6AD4C20A4378}.exe	2024-01-24_a274098e8b0890d6ca9541ee0153ea36_goldeneye.exe
File created	C:\Windows\{5F9277D6-5AFD-49f8-94C6-8FAAABD7A453}.exe	{B75F9FB4-156E-4768-AAF3-D00C05B90D26}.exe
File created	C:\Windows\{9FFECE86-A06A-4420-8531-CE55EB6DFA43}.exe	{5F9277D6-5AFD-49f8-94C6-8FAAABD7A453}.exe
File created	C:\Windows\{63FDE112-7968-4c3c-9789-93C5BD1EB0E7}.exe	{8A1A2538-A774-458c-9DF7-8248B396C4A5}.exe
File created	C:\Windows\{6FFCD0AF-0D0D-4080-95DA-8B48049C1696}.exe	{63FDE112-7968-4c3c-9789-93C5BD1EB0E7}.exe
File created	C:\Windows\{8A57BE42-C9B5-44bf-BC85-F17E6DAAC148}.exe	{6FFCD0AF-0D0D-4080-95DA-8B48049C1696}.exe
File created	C:\Windows\{98E313BF-C675-4d78-9A68-A5D551FDE537}.exe	{8A57BE42-C9B5-44bf-BC85-F17E6DAAC148}.exe
File created	C:\Windows\{D9292092-941F-4481-9EF5-3359A5D7EDDB}.exe	{221D161E-3E16-44af-B0CA-ED4EF195885D}.exe
File created	C:\Windows\{B75F9FB4-156E-4768-AAF3-D00C05B90D26}.exe	{01CDB790-5941-4bc3-9187-6AD4C20A4378}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2616	2024-01-24_a274098e8b0890d6ca9541ee0153ea36_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2316	{01CDB790-5941-4bc3-9187-6AD4C20A4378}.exe
Token: SeIncBasePriorityPrivilege	2664	{B75F9FB4-156E-4768-AAF3-D00C05B90D26}.exe
Token: SeIncBasePriorityPrivilege	2556	{5F9277D6-5AFD-49f8-94C6-8FAAABD7A453}.exe
Token: SeIncBasePriorityPrivilege	2408	{9FFECE86-A06A-4420-8531-CE55EB6DFA43}.exe
Token: SeIncBasePriorityPrivilege	3064	{8A1A2538-A774-458c-9DF7-8248B396C4A5}.exe
Token: SeIncBasePriorityPrivilege	1012	{63FDE112-7968-4c3c-9789-93C5BD1EB0E7}.exe
Token: SeIncBasePriorityPrivilege	2748	{6FFCD0AF-0D0D-4080-95DA-8B48049C1696}.exe
Token: SeIncBasePriorityPrivilege	852	{8A57BE42-C9B5-44bf-BC85-F17E6DAAC148}.exe
Token: SeIncBasePriorityPrivilege	532	{98E313BF-C675-4d78-9A68-A5D551FDE537}.exe
Token: SeIncBasePriorityPrivilege	2628	{221D161E-3E16-44af-B0CA-ED4EF195885D}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2616 wrote to memory of 2316	2616	2024-01-24_a274098e8b0890d6ca9541ee0153ea36_goldeneye.exe	28
PID 2616 wrote to memory of 2316	2616	2024-01-24_a274098e8b0890d6ca9541ee0153ea36_goldeneye.exe	28
PID 2616 wrote to memory of 2316	2616	2024-01-24_a274098e8b0890d6ca9541ee0153ea36_goldeneye.exe	28
PID 2616 wrote to memory of 2316	2616	2024-01-24_a274098e8b0890d6ca9541ee0153ea36_goldeneye.exe	28
PID 2616 wrote to memory of 2676	2616	2024-01-24_a274098e8b0890d6ca9541ee0153ea36_goldeneye.exe	29
PID 2616 wrote to memory of 2676	2616	2024-01-24_a274098e8b0890d6ca9541ee0153ea36_goldeneye.exe	29
PID 2616 wrote to memory of 2676	2616	2024-01-24_a274098e8b0890d6ca9541ee0153ea36_goldeneye.exe	29
PID 2616 wrote to memory of 2676	2616	2024-01-24_a274098e8b0890d6ca9541ee0153ea36_goldeneye.exe	29
PID 2316 wrote to memory of 2664	2316	{01CDB790-5941-4bc3-9187-6AD4C20A4378}.exe	30
PID 2316 wrote to memory of 2664	2316	{01CDB790-5941-4bc3-9187-6AD4C20A4378}.exe	30
PID 2316 wrote to memory of 2664	2316	{01CDB790-5941-4bc3-9187-6AD4C20A4378}.exe	30
PID 2316 wrote to memory of 2664	2316	{01CDB790-5941-4bc3-9187-6AD4C20A4378}.exe	30
PID 2316 wrote to memory of 2780	2316	{01CDB790-5941-4bc3-9187-6AD4C20A4378}.exe	31
PID 2316 wrote to memory of 2780	2316	{01CDB790-5941-4bc3-9187-6AD4C20A4378}.exe	31
PID 2316 wrote to memory of 2780	2316	{01CDB790-5941-4bc3-9187-6AD4C20A4378}.exe	31
PID 2316 wrote to memory of 2780	2316	{01CDB790-5941-4bc3-9187-6AD4C20A4378}.exe	31
PID 2664 wrote to memory of 2556	2664	{B75F9FB4-156E-4768-AAF3-D00C05B90D26}.exe	32
PID 2664 wrote to memory of 2556	2664	{B75F9FB4-156E-4768-AAF3-D00C05B90D26}.exe	32
PID 2664 wrote to memory of 2556	2664	{B75F9FB4-156E-4768-AAF3-D00C05B90D26}.exe	32
PID 2664 wrote to memory of 2556	2664	{B75F9FB4-156E-4768-AAF3-D00C05B90D26}.exe	32
PID 2664 wrote to memory of 2704	2664	{B75F9FB4-156E-4768-AAF3-D00C05B90D26}.exe	33
PID 2664 wrote to memory of 2704	2664	{B75F9FB4-156E-4768-AAF3-D00C05B90D26}.exe	33
PID 2664 wrote to memory of 2704	2664	{B75F9FB4-156E-4768-AAF3-D00C05B90D26}.exe	33
PID 2664 wrote to memory of 2704	2664	{B75F9FB4-156E-4768-AAF3-D00C05B90D26}.exe	33
PID 2556 wrote to memory of 2408	2556	{5F9277D6-5AFD-49f8-94C6-8FAAABD7A453}.exe	36
PID 2556 wrote to memory of 2408	2556	{5F9277D6-5AFD-49f8-94C6-8FAAABD7A453}.exe	36
PID 2556 wrote to memory of 2408	2556	{5F9277D6-5AFD-49f8-94C6-8FAAABD7A453}.exe	36
PID 2556 wrote to memory of 2408	2556	{5F9277D6-5AFD-49f8-94C6-8FAAABD7A453}.exe	36
PID 2556 wrote to memory of 2932	2556	{5F9277D6-5AFD-49f8-94C6-8FAAABD7A453}.exe	37
PID 2556 wrote to memory of 2932	2556	{5F9277D6-5AFD-49f8-94C6-8FAAABD7A453}.exe	37
PID 2556 wrote to memory of 2932	2556	{5F9277D6-5AFD-49f8-94C6-8FAAABD7A453}.exe	37
PID 2556 wrote to memory of 2932	2556	{5F9277D6-5AFD-49f8-94C6-8FAAABD7A453}.exe	37
PID 2408 wrote to memory of 3064	2408	{9FFECE86-A06A-4420-8531-CE55EB6DFA43}.exe	38
PID 2408 wrote to memory of 3064	2408	{9FFECE86-A06A-4420-8531-CE55EB6DFA43}.exe	38
PID 2408 wrote to memory of 3064	2408	{9FFECE86-A06A-4420-8531-CE55EB6DFA43}.exe	38
PID 2408 wrote to memory of 3064	2408	{9FFECE86-A06A-4420-8531-CE55EB6DFA43}.exe	38
PID 2408 wrote to memory of 1620	2408	{9FFECE86-A06A-4420-8531-CE55EB6DFA43}.exe	39
PID 2408 wrote to memory of 1620	2408	{9FFECE86-A06A-4420-8531-CE55EB6DFA43}.exe	39
PID 2408 wrote to memory of 1620	2408	{9FFECE86-A06A-4420-8531-CE55EB6DFA43}.exe	39
PID 2408 wrote to memory of 1620	2408	{9FFECE86-A06A-4420-8531-CE55EB6DFA43}.exe	39
PID 3064 wrote to memory of 1012	3064	{8A1A2538-A774-458c-9DF7-8248B396C4A5}.exe	40
PID 3064 wrote to memory of 1012	3064	{8A1A2538-A774-458c-9DF7-8248B396C4A5}.exe	40
PID 3064 wrote to memory of 1012	3064	{8A1A2538-A774-458c-9DF7-8248B396C4A5}.exe	40
PID 3064 wrote to memory of 1012	3064	{8A1A2538-A774-458c-9DF7-8248B396C4A5}.exe	40
PID 3064 wrote to memory of 1000	3064	{8A1A2538-A774-458c-9DF7-8248B396C4A5}.exe	41
PID 3064 wrote to memory of 1000	3064	{8A1A2538-A774-458c-9DF7-8248B396C4A5}.exe	41
PID 3064 wrote to memory of 1000	3064	{8A1A2538-A774-458c-9DF7-8248B396C4A5}.exe	41
PID 3064 wrote to memory of 1000	3064	{8A1A2538-A774-458c-9DF7-8248B396C4A5}.exe	41
PID 1012 wrote to memory of 2748	1012	{63FDE112-7968-4c3c-9789-93C5BD1EB0E7}.exe	42
PID 1012 wrote to memory of 2748	1012	{63FDE112-7968-4c3c-9789-93C5BD1EB0E7}.exe	42
PID 1012 wrote to memory of 2748	1012	{63FDE112-7968-4c3c-9789-93C5BD1EB0E7}.exe	42
PID 1012 wrote to memory of 2748	1012	{63FDE112-7968-4c3c-9789-93C5BD1EB0E7}.exe	42
PID 1012 wrote to memory of 2864	1012	{63FDE112-7968-4c3c-9789-93C5BD1EB0E7}.exe	43
PID 1012 wrote to memory of 2864	1012	{63FDE112-7968-4c3c-9789-93C5BD1EB0E7}.exe	43
PID 1012 wrote to memory of 2864	1012	{63FDE112-7968-4c3c-9789-93C5BD1EB0E7}.exe	43
PID 1012 wrote to memory of 2864	1012	{63FDE112-7968-4c3c-9789-93C5BD1EB0E7}.exe	43
PID 2748 wrote to memory of 852	2748	{6FFCD0AF-0D0D-4080-95DA-8B48049C1696}.exe	44
PID 2748 wrote to memory of 852	2748	{6FFCD0AF-0D0D-4080-95DA-8B48049C1696}.exe	44
PID 2748 wrote to memory of 852	2748	{6FFCD0AF-0D0D-4080-95DA-8B48049C1696}.exe	44
PID 2748 wrote to memory of 852	2748	{6FFCD0AF-0D0D-4080-95DA-8B48049C1696}.exe	44
PID 2748 wrote to memory of 1156	2748	{6FFCD0AF-0D0D-4080-95DA-8B48049C1696}.exe	45
PID 2748 wrote to memory of 1156	2748	{6FFCD0AF-0D0D-4080-95DA-8B48049C1696}.exe	45
PID 2748 wrote to memory of 1156	2748	{6FFCD0AF-0D0D-4080-95DA-8B48049C1696}.exe	45
PID 2748 wrote to memory of 1156	2748	{6FFCD0AF-0D0D-4080-95DA-8B48049C1696}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-01-24_a274098e8b0890d6ca9541ee0153ea36_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-24_a274098e8b0890d6ca9541ee0153ea36_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2616
- C:\Windows\{01CDB790-5941-4bc3-9187-6AD4C20A4378}.exe
  C:\Windows\{01CDB790-5941-4bc3-9187-6AD4C20A4378}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2316
- - C:\Windows\{B75F9FB4-156E-4768-AAF3-D00C05B90D26}.exe
    C:\Windows\{B75F9FB4-156E-4768-AAF3-D00C05B90D26}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2664
  - - C:\Windows\{5F9277D6-5AFD-49f8-94C6-8FAAABD7A453}.exe
      C:\Windows\{5F9277D6-5AFD-49f8-94C6-8FAAABD7A453}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2556
    - - C:\Windows\{9FFECE86-A06A-4420-8531-CE55EB6DFA43}.exe
        
        C:\Windows\{9FFECE86-A06A-4420-8531-CE55EB6DFA43}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2408
      - C:\Windows\{8A1A2538-A774-458c-9DF7-8248B396C4A5}.exe
        
        C:\Windows\{8A1A2538-A774-458c-9DF7-8248B396C4A5}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3064
        
        C:\Windows\{63FDE112-7968-4c3c-9789-93C5BD1EB0E7}.exe
        
        C:\Windows\{63FDE112-7968-4c3c-9789-93C5BD1EB0E7}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1012
        
        C:\Windows\{6FFCD0AF-0D0D-4080-95DA-8B48049C1696}.exe
        
        C:\Windows\{6FFCD0AF-0D0D-4080-95DA-8B48049C1696}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2748
        
        C:\Windows\{8A57BE42-C9B5-44bf-BC85-F17E6DAAC148}.exe
        
        C:\Windows\{8A57BE42-C9B5-44bf-BC85-F17E6DAAC148}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:852
        
        C:\Windows\{98E313BF-C675-4d78-9A68-A5D551FDE537}.exe
        
        C:\Windows\{98E313BF-C675-4d78-9A68-A5D551FDE537}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:532
        
        C:\Windows\{221D161E-3E16-44af-B0CA-ED4EF195885D}.exe
        
        C:\Windows\{221D161E-3E16-44af-B0CA-ED4EF195885D}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2628
        
        C:\Windows\{D9292092-941F-4481-9EF5-3359A5D7EDDB}.exe
        
        C:\Windows\{D9292092-941F-4481-9EF5-3359A5D7EDDB}.exe
        12⤵
        Executes dropped EXE
        
        PID:1392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{221D1~1.EXE > nul
        12⤵
        
        PID:1744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{98E31~1.EXE > nul
        11⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8A57B~1.EXE > nul
        10⤵
        
        PID:784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6FFCD~1.EXE > nul
        9⤵
        
        PID:1156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{63FDE~1.EXE > nul
        8⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8A1A2~1.EXE > nul
        7⤵
        
        PID:1000
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9FFEC~1.EXE > nul
        6⤵
        
        PID:1620
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5F927~1.EXE > nul
        5⤵
        
        PID:2932
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{B75F9~1.EXE > nul
      4⤵
      PID:2704
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{01CDB~1.EXE > nul
    3⤵
    PID:2780
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{01CDB790-5941-4bc3-9187-6AD4C20A4378}.exe

Filesize
197KB

MD5
bcf3e0ba7a7ccd28db5b9d9959727f24

SHA1
0104f52e8877595152f4d316a48340c26d5a11c5

SHA256
3f51a1429bedc73d5e1e6a7c9deac5e40b93892811212e201cf3a79b80c8ff62

SHA512
140892c6516346dbe23123d107ac3be5f03a53f0dc78a5c516202ffdbe782a29ed4f3dffcca4acdcc8e977659eea07f660943f449f04e294ecb2d09fd0981872

Download Submit
C:\Windows\{221D161E-3E16-44af-B0CA-ED4EF195885D}.exe

Filesize
197KB

MD5
ed832fe80b028dff67b4c5bbbe199a1c

SHA1
de7da9e7b7521a261ce076058af81fc753b23c5e

SHA256
1e9881d1f52e21389182789a7cb2fca2963e7b77c92b579290ef9b63b963dc8a

SHA512
d457947af8d534c8f3721805ca34f3ee7c39aa8cff159a7f9e53b2196915023ff2d1b99831e76c64c7992b1079d90bbd76e7fb75f9cb6edc75fc35b402fb4aa2

Download Submit
C:\Windows\{5F9277D6-5AFD-49f8-94C6-8FAAABD7A453}.exe

Filesize
197KB

MD5
924a9c3cbf73ab5d24ffcfa1f41c48b6

SHA1
c51136fbd242f53c3b14c98a68c4e07d95f150be

SHA256
0d2915b44682cb9de1ff486d3ba351e254b173c9d0f233c8ddf5ee5f6cc67f04

SHA512
482f74446a2edc0e7ca6f4c690e91a0d8352fdf6013efc767af2be23b8a9394fd83b004065e19a5ac5a15ece401a36148bfa847bf57c4c0c1275a93611528f5e

Download Submit
C:\Windows\{63FDE112-7968-4c3c-9789-93C5BD1EB0E7}.exe

Filesize
197KB

MD5
3d9a341925581ac9dac71758a65db6c0

SHA1
4e26a9b1a126b27439fdc01d00f4b0ef1e34dcf1

SHA256
2e6e8c90f66c3beb4d83d2ec2b9bc1a3004eac21879d01853133ea20c80c305a

SHA512
765ba2308e87311d1eb8af7f69ebefc2857e195b49de6a26fcc5c161028afd19ac4830d23009aab3a6c7e36edccbf308cf2631d08a0879d777ab8b9bed9c5c86

Download Submit
C:\Windows\{6FFCD0AF-0D0D-4080-95DA-8B48049C1696}.exe

Filesize
197KB

MD5
b528da0be1d8c08775d12ed2d6a0d916

SHA1
30933fcc4a445104fd59ae29effa48805ab12e2a

SHA256
51bde626ec5282a797aaf9e81d08b91a8f5c742d8aed578d6ecfb02781348ca0

SHA512
fbe7a77232bb7cc0354e7406cb42cd0ae86a767571a20bdbb04b0f2213f8e916e67cd7ed91a94da116f3e19cb8eba15398dab10ae8231008f4560cd09a9cd9e2

Download Submit
C:\Windows\{8A1A2538-A774-458c-9DF7-8248B396C4A5}.exe

Filesize
197KB

MD5
12e3dd7b64607b15254d3f63db78ff0a

SHA1
fd22d7cbfb38db28f8a4d67e6f2b5eb06df4dfa4

SHA256
ae473113c669043e58fd3c308b204e7ac9f58199865b2093ed3a5698a3d1dc7e

SHA512
b747fc8726c2ba453d2200b0ac611ec770ea34e64d477fc0d93d51336280bbccdc041df1d96ae5b86623e8a2dea1a9fb3dae34e46ebb1f06f109d0aa0b4c603a

Download Submit
C:\Windows\{8A57BE42-C9B5-44bf-BC85-F17E6DAAC148}.exe

Filesize
197KB

MD5
82555ee038600ecacf90847c81731496

SHA1
2007fdd1848233652df3da30bc019e52474fdd8d

SHA256
71d85770423e1c5cecb24058947cfab7c4798d71d8c0abbae362f5df564424ae

SHA512
7721efaf2cae66ffea43e0e042d20c4d09730809a11e7910ed93025719dcd7e46d7e3267a1e71717d4ff50b6bb08c3d2bed3eb31119c38afc63e725261256786

Download Submit
C:\Windows\{98E313BF-C675-4d78-9A68-A5D551FDE537}.exe

Filesize
197KB

MD5
5ef65cc0977cd2927cf96c9b705dd867

SHA1
0766d967f1aead4274ec3481a86617a7ed774026

SHA256
1b2c02dd5c8dde85a3ea58da4aa22966632a9840485eccdc39884654d17da8c3

SHA512
9bf2881abdf61910c40901f3f84fd30e772521fd4eac62cb4e1b9a62f7ce7e309a43ba7d2d7c5c5fa29173ec60dc5f65af2dcb379ab435791b830e7947fd5a5c

Download Submit
C:\Windows\{9FFECE86-A06A-4420-8531-CE55EB6DFA43}.exe

Filesize
197KB

MD5
e9bb658060157c60dfd3a6e4fe2f8c00

SHA1
8d897d056e6bb43432c851819240a90e4e4693a6

SHA256
9843816f540bedf7ee9fece7b7cdf3be3ce622ed9bb9e9b12aeeaf17f70d8c40

SHA512
e9ed418a76da134723bafa25f6cc0837d57801bb1928b076c188ec53bdc6e3b15d7da65f78bf4bd608ede51169de22c3313b0412075b7a0147816524d4e5633b

Download Submit
C:\Windows\{B75F9FB4-156E-4768-AAF3-D00C05B90D26}.exe

Filesize
197KB

MD5
10b04129363f191ba0d0d8ece76810db

SHA1
2f399720ffbe0a6182f3c5ba4e9606d25dcb6178

SHA256
2f16084eff00d7658c7b7a7b43acd1149d9d1524704d79c12b2d01d7d8a864c1

SHA512
635aab2bf9f78e631e6d881d8edbfa9f289f17d996005ee2093aaab409740463dd8387bf0ef2652fed8d2055425fe20e4c321d5efae7ee8b94e3e6afa0412d62

Download Submit
C:\Windows\{D9292092-941F-4481-9EF5-3359A5D7EDDB}.exe

Filesize
197KB

MD5
2593b452a44dba0ce907308b8ab16931

SHA1
ab1638e3b5ab9d9bce88812781d7467af232c23e

SHA256
485729fd3ba90de0bea173d2ff00bb673dbcfee1fd03b7ced1c250a33d0255ba

SHA512
b6715b397cca26535f3108c82cacae27592e9a257249c33c9bb9c8f02967592ec4421e8236db7949cc4d3f6c788f56a3be13004b74c1b6f216f31d89828a1cd2

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads