c6220bad3b38c8cfdb2c5b40f2207ff9e7cc3c490f4cd21f13dd1f34fc3545b8

Analysis

max time kernel
144s
max time network
124s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
26/01/2024, 20:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-26_443d05567206d65460493fcba0b78ec0_goldeneye.exe
Size

216KB
MD5

443d05567206d65460493fcba0b78ec0
SHA1

40f3ee13d8d92c357079a897ee0c388e29c9354e
SHA256

c6220bad3b38c8cfdb2c5b40f2207ff9e7cc3c490f4cd21f13dd1f34fc3545b8
SHA512

8f0f0f5f44d7b0029aa70b96e5de5adcfd1705e85e8471689eef55d0847147c0be8ae93eb0ac9d7b328399f5495e4d06a519d12c9d17c9431e83867eb186c81f
SSDEEP

3072:jEGh0oJl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEGvlEeKcAEcGy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000d000000012345-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0038000000015ca1-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0038000000015cd7-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000400000000b1f7-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0002000000010f1d-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000015e2f-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0003000000010f1d-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000015e2f-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000010f1d-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a000000015e2f-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000015ea0-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2219EDA6-13C3-46f4-B6CE-09797DFBDE0C}\stubpath = "C:\\Windows\\{2219EDA6-13C3-46f4-B6CE-09797DFBDE0C}.exe"	{8F140D3E-8BE6-4240-9753-B6CC5FD3C662}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7F0FF68D-7AE2-4895-A377-13D5D8CE3904}	2024-01-26_443d05567206d65460493fcba0b78ec0_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5129A50E-3F50-47ea-977A-189B560B425A}\stubpath = "C:\\Windows\\{5129A50E-3F50-47ea-977A-189B560B425A}.exe"	{E1F637DF-BA49-46a1-BB1A-01D870FA844A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8F140D3E-8BE6-4240-9753-B6CC5FD3C662}	{5129A50E-3F50-47ea-977A-189B560B425A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8B6C1067-5648-4fc1-AF4E-60E11836885C}	{3E241429-18AA-4c3e-A100-74CE052A9B3B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8B6C1067-5648-4fc1-AF4E-60E11836885C}\stubpath = "C:\\Windows\\{8B6C1067-5648-4fc1-AF4E-60E11836885C}.exe"	{3E241429-18AA-4c3e-A100-74CE052A9B3B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{55FDC039-6779-40d7-8D03-634307C3E61A}\stubpath = "C:\\Windows\\{55FDC039-6779-40d7-8D03-634307C3E61A}.exe"	{8B6C1067-5648-4fc1-AF4E-60E11836885C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{79E5D883-0FD8-4edc-AFD8-5C0417A3CC67}\stubpath = "C:\\Windows\\{79E5D883-0FD8-4edc-AFD8-5C0417A3CC67}.exe"	{55FDC039-6779-40d7-8D03-634307C3E61A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{81C6D2F9-409B-464b-B9EA-A08A77238F91}	{79E5D883-0FD8-4edc-AFD8-5C0417A3CC67}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8F140D3E-8BE6-4240-9753-B6CC5FD3C662}\stubpath = "C:\\Windows\\{8F140D3E-8BE6-4240-9753-B6CC5FD3C662}.exe"	{5129A50E-3F50-47ea-977A-189B560B425A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3E241429-18AA-4c3e-A100-74CE052A9B3B}	{2219EDA6-13C3-46f4-B6CE-09797DFBDE0C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3E241429-18AA-4c3e-A100-74CE052A9B3B}\stubpath = "C:\\Windows\\{3E241429-18AA-4c3e-A100-74CE052A9B3B}.exe"	{2219EDA6-13C3-46f4-B6CE-09797DFBDE0C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{60B753D4-B536-4006-A556-7B88914B928B}	{81C6D2F9-409B-464b-B9EA-A08A77238F91}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{60B753D4-B536-4006-A556-7B88914B928B}\stubpath = "C:\\Windows\\{60B753D4-B536-4006-A556-7B88914B928B}.exe"	{81C6D2F9-409B-464b-B9EA-A08A77238F91}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2219EDA6-13C3-46f4-B6CE-09797DFBDE0C}	{8F140D3E-8BE6-4240-9753-B6CC5FD3C662}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{79E5D883-0FD8-4edc-AFD8-5C0417A3CC67}	{55FDC039-6779-40d7-8D03-634307C3E61A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{81C6D2F9-409B-464b-B9EA-A08A77238F91}\stubpath = "C:\\Windows\\{81C6D2F9-409B-464b-B9EA-A08A77238F91}.exe"	{79E5D883-0FD8-4edc-AFD8-5C0417A3CC67}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7F0FF68D-7AE2-4895-A377-13D5D8CE3904}\stubpath = "C:\\Windows\\{7F0FF68D-7AE2-4895-A377-13D5D8CE3904}.exe"	2024-01-26_443d05567206d65460493fcba0b78ec0_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E1F637DF-BA49-46a1-BB1A-01D870FA844A}	{7F0FF68D-7AE2-4895-A377-13D5D8CE3904}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E1F637DF-BA49-46a1-BB1A-01D870FA844A}\stubpath = "C:\\Windows\\{E1F637DF-BA49-46a1-BB1A-01D870FA844A}.exe"	{7F0FF68D-7AE2-4895-A377-13D5D8CE3904}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5129A50E-3F50-47ea-977A-189B560B425A}	{E1F637DF-BA49-46a1-BB1A-01D870FA844A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{55FDC039-6779-40d7-8D03-634307C3E61A}	{8B6C1067-5648-4fc1-AF4E-60E11836885C}.exe

Deletes itself 1 IoCs

pid	Process
2348	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2880	{7F0FF68D-7AE2-4895-A377-13D5D8CE3904}.exe
2688	{E1F637DF-BA49-46a1-BB1A-01D870FA844A}.exe
2612	{5129A50E-3F50-47ea-977A-189B560B425A}.exe
852	{8F140D3E-8BE6-4240-9753-B6CC5FD3C662}.exe
2964	{2219EDA6-13C3-46f4-B6CE-09797DFBDE0C}.exe
2236	{3E241429-18AA-4c3e-A100-74CE052A9B3B}.exe
680	{8B6C1067-5648-4fc1-AF4E-60E11836885C}.exe
1100	{55FDC039-6779-40d7-8D03-634307C3E61A}.exe
1248	{79E5D883-0FD8-4edc-AFD8-5C0417A3CC67}.exe
1404	{81C6D2F9-409B-464b-B9EA-A08A77238F91}.exe
2068	{60B753D4-B536-4006-A556-7B88914B928B}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{79E5D883-0FD8-4edc-AFD8-5C0417A3CC67}.exe	{55FDC039-6779-40d7-8D03-634307C3E61A}.exe
File created	C:\Windows\{81C6D2F9-409B-464b-B9EA-A08A77238F91}.exe	{79E5D883-0FD8-4edc-AFD8-5C0417A3CC67}.exe
File created	C:\Windows\{7F0FF68D-7AE2-4895-A377-13D5D8CE3904}.exe	2024-01-26_443d05567206d65460493fcba0b78ec0_goldeneye.exe
File created	C:\Windows\{5129A50E-3F50-47ea-977A-189B560B425A}.exe	{E1F637DF-BA49-46a1-BB1A-01D870FA844A}.exe
File created	C:\Windows\{8F140D3E-8BE6-4240-9753-B6CC5FD3C662}.exe	{5129A50E-3F50-47ea-977A-189B560B425A}.exe
File created	C:\Windows\{2219EDA6-13C3-46f4-B6CE-09797DFBDE0C}.exe	{8F140D3E-8BE6-4240-9753-B6CC5FD3C662}.exe
File created	C:\Windows\{8B6C1067-5648-4fc1-AF4E-60E11836885C}.exe	{3E241429-18AA-4c3e-A100-74CE052A9B3B}.exe
File created	C:\Windows\{55FDC039-6779-40d7-8D03-634307C3E61A}.exe	{8B6C1067-5648-4fc1-AF4E-60E11836885C}.exe
File created	C:\Windows\{E1F637DF-BA49-46a1-BB1A-01D870FA844A}.exe	{7F0FF68D-7AE2-4895-A377-13D5D8CE3904}.exe
File created	C:\Windows\{3E241429-18AA-4c3e-A100-74CE052A9B3B}.exe	{2219EDA6-13C3-46f4-B6CE-09797DFBDE0C}.exe
File created	C:\Windows\{60B753D4-B536-4006-A556-7B88914B928B}.exe	{81C6D2F9-409B-464b-B9EA-A08A77238F91}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2288	2024-01-26_443d05567206d65460493fcba0b78ec0_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2880	{7F0FF68D-7AE2-4895-A377-13D5D8CE3904}.exe
Token: SeIncBasePriorityPrivilege	2688	{E1F637DF-BA49-46a1-BB1A-01D870FA844A}.exe
Token: SeIncBasePriorityPrivilege	2612	{5129A50E-3F50-47ea-977A-189B560B425A}.exe
Token: SeIncBasePriorityPrivilege	852	{8F140D3E-8BE6-4240-9753-B6CC5FD3C662}.exe
Token: SeIncBasePriorityPrivilege	2964	{2219EDA6-13C3-46f4-B6CE-09797DFBDE0C}.exe
Token: SeIncBasePriorityPrivilege	2236	{3E241429-18AA-4c3e-A100-74CE052A9B3B}.exe
Token: SeIncBasePriorityPrivilege	680	{8B6C1067-5648-4fc1-AF4E-60E11836885C}.exe
Token: SeIncBasePriorityPrivilege	1100	{55FDC039-6779-40d7-8D03-634307C3E61A}.exe
Token: SeIncBasePriorityPrivilege	1248	{79E5D883-0FD8-4edc-AFD8-5C0417A3CC67}.exe
Token: SeIncBasePriorityPrivilege	1404	{81C6D2F9-409B-464b-B9EA-A08A77238F91}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2288 wrote to memory of 2880	2288	2024-01-26_443d05567206d65460493fcba0b78ec0_goldeneye.exe	28
PID 2288 wrote to memory of 2880	2288	2024-01-26_443d05567206d65460493fcba0b78ec0_goldeneye.exe	28
PID 2288 wrote to memory of 2880	2288	2024-01-26_443d05567206d65460493fcba0b78ec0_goldeneye.exe	28
PID 2288 wrote to memory of 2880	2288	2024-01-26_443d05567206d65460493fcba0b78ec0_goldeneye.exe	28
PID 2288 wrote to memory of 2348	2288	2024-01-26_443d05567206d65460493fcba0b78ec0_goldeneye.exe	29
PID 2288 wrote to memory of 2348	2288	2024-01-26_443d05567206d65460493fcba0b78ec0_goldeneye.exe	29
PID 2288 wrote to memory of 2348	2288	2024-01-26_443d05567206d65460493fcba0b78ec0_goldeneye.exe	29
PID 2288 wrote to memory of 2348	2288	2024-01-26_443d05567206d65460493fcba0b78ec0_goldeneye.exe	29
PID 2880 wrote to memory of 2688	2880	{7F0FF68D-7AE2-4895-A377-13D5D8CE3904}.exe	30
PID 2880 wrote to memory of 2688	2880	{7F0FF68D-7AE2-4895-A377-13D5D8CE3904}.exe	30
PID 2880 wrote to memory of 2688	2880	{7F0FF68D-7AE2-4895-A377-13D5D8CE3904}.exe	30
PID 2880 wrote to memory of 2688	2880	{7F0FF68D-7AE2-4895-A377-13D5D8CE3904}.exe	30
PID 2880 wrote to memory of 2680	2880	{7F0FF68D-7AE2-4895-A377-13D5D8CE3904}.exe	31
PID 2880 wrote to memory of 2680	2880	{7F0FF68D-7AE2-4895-A377-13D5D8CE3904}.exe	31
PID 2880 wrote to memory of 2680	2880	{7F0FF68D-7AE2-4895-A377-13D5D8CE3904}.exe	31
PID 2880 wrote to memory of 2680	2880	{7F0FF68D-7AE2-4895-A377-13D5D8CE3904}.exe	31
PID 2688 wrote to memory of 2612	2688	{E1F637DF-BA49-46a1-BB1A-01D870FA844A}.exe	34
PID 2688 wrote to memory of 2612	2688	{E1F637DF-BA49-46a1-BB1A-01D870FA844A}.exe	34
PID 2688 wrote to memory of 2612	2688	{E1F637DF-BA49-46a1-BB1A-01D870FA844A}.exe	34
PID 2688 wrote to memory of 2612	2688	{E1F637DF-BA49-46a1-BB1A-01D870FA844A}.exe	34
PID 2688 wrote to memory of 1000	2688	{E1F637DF-BA49-46a1-BB1A-01D870FA844A}.exe	35
PID 2688 wrote to memory of 1000	2688	{E1F637DF-BA49-46a1-BB1A-01D870FA844A}.exe	35
PID 2688 wrote to memory of 1000	2688	{E1F637DF-BA49-46a1-BB1A-01D870FA844A}.exe	35
PID 2688 wrote to memory of 1000	2688	{E1F637DF-BA49-46a1-BB1A-01D870FA844A}.exe	35
PID 2612 wrote to memory of 852	2612	{5129A50E-3F50-47ea-977A-189B560B425A}.exe	36
PID 2612 wrote to memory of 852	2612	{5129A50E-3F50-47ea-977A-189B560B425A}.exe	36
PID 2612 wrote to memory of 852	2612	{5129A50E-3F50-47ea-977A-189B560B425A}.exe	36
PID 2612 wrote to memory of 852	2612	{5129A50E-3F50-47ea-977A-189B560B425A}.exe	36
PID 2612 wrote to memory of 2932	2612	{5129A50E-3F50-47ea-977A-189B560B425A}.exe	37
PID 2612 wrote to memory of 2932	2612	{5129A50E-3F50-47ea-977A-189B560B425A}.exe	37
PID 2612 wrote to memory of 2932	2612	{5129A50E-3F50-47ea-977A-189B560B425A}.exe	37
PID 2612 wrote to memory of 2932	2612	{5129A50E-3F50-47ea-977A-189B560B425A}.exe	37
PID 852 wrote to memory of 2964	852	{8F140D3E-8BE6-4240-9753-B6CC5FD3C662}.exe	38
PID 852 wrote to memory of 2964	852	{8F140D3E-8BE6-4240-9753-B6CC5FD3C662}.exe	38
PID 852 wrote to memory of 2964	852	{8F140D3E-8BE6-4240-9753-B6CC5FD3C662}.exe	38
PID 852 wrote to memory of 2964	852	{8F140D3E-8BE6-4240-9753-B6CC5FD3C662}.exe	38
PID 852 wrote to memory of 3060	852	{8F140D3E-8BE6-4240-9753-B6CC5FD3C662}.exe	39
PID 852 wrote to memory of 3060	852	{8F140D3E-8BE6-4240-9753-B6CC5FD3C662}.exe	39
PID 852 wrote to memory of 3060	852	{8F140D3E-8BE6-4240-9753-B6CC5FD3C662}.exe	39
PID 852 wrote to memory of 3060	852	{8F140D3E-8BE6-4240-9753-B6CC5FD3C662}.exe	39
PID 2964 wrote to memory of 2236	2964	{2219EDA6-13C3-46f4-B6CE-09797DFBDE0C}.exe	40
PID 2964 wrote to memory of 2236	2964	{2219EDA6-13C3-46f4-B6CE-09797DFBDE0C}.exe	40
PID 2964 wrote to memory of 2236	2964	{2219EDA6-13C3-46f4-B6CE-09797DFBDE0C}.exe	40
PID 2964 wrote to memory of 2236	2964	{2219EDA6-13C3-46f4-B6CE-09797DFBDE0C}.exe	40
PID 2964 wrote to memory of 1216	2964	{2219EDA6-13C3-46f4-B6CE-09797DFBDE0C}.exe	41
PID 2964 wrote to memory of 1216	2964	{2219EDA6-13C3-46f4-B6CE-09797DFBDE0C}.exe	41
PID 2964 wrote to memory of 1216	2964	{2219EDA6-13C3-46f4-B6CE-09797DFBDE0C}.exe	41
PID 2964 wrote to memory of 1216	2964	{2219EDA6-13C3-46f4-B6CE-09797DFBDE0C}.exe	41
PID 2236 wrote to memory of 680	2236	{3E241429-18AA-4c3e-A100-74CE052A9B3B}.exe	42
PID 2236 wrote to memory of 680	2236	{3E241429-18AA-4c3e-A100-74CE052A9B3B}.exe	42
PID 2236 wrote to memory of 680	2236	{3E241429-18AA-4c3e-A100-74CE052A9B3B}.exe	42
PID 2236 wrote to memory of 680	2236	{3E241429-18AA-4c3e-A100-74CE052A9B3B}.exe	42
PID 2236 wrote to memory of 684	2236	{3E241429-18AA-4c3e-A100-74CE052A9B3B}.exe	43
PID 2236 wrote to memory of 684	2236	{3E241429-18AA-4c3e-A100-74CE052A9B3B}.exe	43
PID 2236 wrote to memory of 684	2236	{3E241429-18AA-4c3e-A100-74CE052A9B3B}.exe	43
PID 2236 wrote to memory of 684	2236	{3E241429-18AA-4c3e-A100-74CE052A9B3B}.exe	43
PID 680 wrote to memory of 1100	680	{8B6C1067-5648-4fc1-AF4E-60E11836885C}.exe	44
PID 680 wrote to memory of 1100	680	{8B6C1067-5648-4fc1-AF4E-60E11836885C}.exe	44
PID 680 wrote to memory of 1100	680	{8B6C1067-5648-4fc1-AF4E-60E11836885C}.exe	44
PID 680 wrote to memory of 1100	680	{8B6C1067-5648-4fc1-AF4E-60E11836885C}.exe	44
PID 680 wrote to memory of 1116	680	{8B6C1067-5648-4fc1-AF4E-60E11836885C}.exe	45
PID 680 wrote to memory of 1116	680	{8B6C1067-5648-4fc1-AF4E-60E11836885C}.exe	45
PID 680 wrote to memory of 1116	680	{8B6C1067-5648-4fc1-AF4E-60E11836885C}.exe	45
PID 680 wrote to memory of 1116	680	{8B6C1067-5648-4fc1-AF4E-60E11836885C}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-01-26_443d05567206d65460493fcba0b78ec0_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-26_443d05567206d65460493fcba0b78ec0_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2288
- C:\Windows\{7F0FF68D-7AE2-4895-A377-13D5D8CE3904}.exe
  C:\Windows\{7F0FF68D-7AE2-4895-A377-13D5D8CE3904}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2880
- - C:\Windows\{E1F637DF-BA49-46a1-BB1A-01D870FA844A}.exe
    C:\Windows\{E1F637DF-BA49-46a1-BB1A-01D870FA844A}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2688
  - - C:\Windows\{5129A50E-3F50-47ea-977A-189B560B425A}.exe
      C:\Windows\{5129A50E-3F50-47ea-977A-189B560B425A}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2612
    - - C:\Windows\{8F140D3E-8BE6-4240-9753-B6CC5FD3C662}.exe
        
        C:\Windows\{8F140D3E-8BE6-4240-9753-B6CC5FD3C662}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:852
      - C:\Windows\{2219EDA6-13C3-46f4-B6CE-09797DFBDE0C}.exe
        
        C:\Windows\{2219EDA6-13C3-46f4-B6CE-09797DFBDE0C}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2964
        
        C:\Windows\{3E241429-18AA-4c3e-A100-74CE052A9B3B}.exe
        
        C:\Windows\{3E241429-18AA-4c3e-A100-74CE052A9B3B}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2236
        
        C:\Windows\{8B6C1067-5648-4fc1-AF4E-60E11836885C}.exe
        
        C:\Windows\{8B6C1067-5648-4fc1-AF4E-60E11836885C}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:680
        
        C:\Windows\{55FDC039-6779-40d7-8D03-634307C3E61A}.exe
        
        C:\Windows\{55FDC039-6779-40d7-8D03-634307C3E61A}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{55FDC~1.EXE > nul
        10⤵
        
        PID:872
        
        C:\Windows\{79E5D883-0FD8-4edc-AFD8-5C0417A3CC67}.exe
        
        C:\Windows\{79E5D883-0FD8-4edc-AFD8-5C0417A3CC67}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1248
        
        C:\Windows\{81C6D2F9-409B-464b-B9EA-A08A77238F91}.exe
        
        C:\Windows\{81C6D2F9-409B-464b-B9EA-A08A77238F91}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1404
        
        C:\Windows\{60B753D4-B536-4006-A556-7B88914B928B}.exe
        
        C:\Windows\{60B753D4-B536-4006-A556-7B88914B928B}.exe
        12⤵
        Executes dropped EXE
        
        PID:2068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{81C6D~1.EXE > nul
        12⤵
        
        PID:1844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{79E5D~1.EXE > nul
        11⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8B6C1~1.EXE > nul
        9⤵
        
        PID:1116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3E241~1.EXE > nul
        8⤵
        
        PID:684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2219E~1.EXE > nul
        7⤵
        
        PID:1216
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8F140~1.EXE > nul
        6⤵
        
        PID:3060
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5129A~1.EXE > nul
        5⤵
        
        PID:2932
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{E1F63~1.EXE > nul
      4⤵
      PID:1000
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{7F0FF~1.EXE > nul
    3⤵
    PID:2680
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{2219EDA6-13C3-46f4-B6CE-09797DFBDE0C}.exe

Filesize
216KB

MD5
bd65bb32bc11de57c983c03cd91fb721

SHA1
7d361e972b13e4c0f86695bbffb572c5c77e0d53

SHA256
5d508aacedfa4449952620bd3c5c5ba6dcea8a6b06a0fa437555bb2f4bd52dbc

SHA512
5e7a50053bd4026cb78df5dad75124194f1889eaa93808f6ea50d6014ffdd3cf63cce6031e080dc385aac922190fb0f6246bf19a67932a007ba86e450713579a

Download Submit
C:\Windows\{3E241429-18AA-4c3e-A100-74CE052A9B3B}.exe

Filesize
216KB

MD5
661de685c2e704de53c0b9a64e9b0531

SHA1
f8a54bb61824176a120424a0adc18ad8bb789199

SHA256
76bbb9a47e942350029bfe9acbdae13bb5674f1792168b9f17cf8738e83a539e

SHA512
e213b5c885b97555bc73387d5f67567dd51b607d24dbd4ca0c55df107986566e4c132bf3494a8afd8762d0937e75bf463fe7c74d50622520d50767a147ee51f5

Download Submit
C:\Windows\{5129A50E-3F50-47ea-977A-189B560B425A}.exe

Filesize
216KB

MD5
e549079150b65449566812f1a79e8154

SHA1
b838e02cfe19fabf413f0c47f3581bfb6ac98e73

SHA256
8e4261e22a63dcc19d33b637dd8c052554130c3525ee6d8fb91ff1982b09d3c6

SHA512
f6be9ff5d4fcfe884748659ec73e33f10152ecab9d2a280785a82fc5f4e50eca374dd318a256c43fa9bb9fd76c69820537026e09ed651d70d62379c19ac13720

Download Submit
C:\Windows\{55FDC039-6779-40d7-8D03-634307C3E61A}.exe

Filesize
216KB

MD5
4bf1a6de38160e267e4e9b89625133e8

SHA1
2b2ee8ca2b099276f0e2a00c5dd8d61fd49c5559

SHA256
81eda46d5fdf5f010a06ad469262a0d1e4d434c465c9a299a1596cdfffa547ea

SHA512
57a1f85b4f59c0746a7498ed404c03b630bea3ea87526bf055141d233b3aa6c8971cfd07f5ad3fc98932675e356e0382387525825187df9ddf5f89a7c3fe5a96

Download Submit
C:\Windows\{60B753D4-B536-4006-A556-7B88914B928B}.exe

Filesize
216KB

MD5
587df93a90e828cb1f378b5c714a4d43

SHA1
dec164cd0cb1c14216428d79c479a03e3256843b

SHA256
b2b078aba04fcaf08f9c5d689fe150578cdb36dbb5f394712df5cd5faa330245

SHA512
c1a7b12df16f7ce05310cb2b3098f1071db2585c8c3c5ab9ade4d3b5e6b3c9b4bc949b45ac68c659144e3f9d600842f1b2544d49ba72d5f0c20c6476864549d6

Download Submit
C:\Windows\{79E5D883-0FD8-4edc-AFD8-5C0417A3CC67}.exe

Filesize
216KB

MD5
de0ce70f6c46de74970d383a8581ae94

SHA1
6f49aa06184dab18817b1301709c5e50ad2ccbdc

SHA256
15aceeec39d481548bde9c8c20d23de617aa0818aa0116e1ae6916c43326d81e

SHA512
ca2b5da7cb6d5741b4ac9a313633a03b335f48986940f79e5b5a267e2d9550a9f5805441aa0dfe861fc78a0414ad0ae2db8d288bacee4f7c4b9f5625b0329bd3

Download Submit
C:\Windows\{7F0FF68D-7AE2-4895-A377-13D5D8CE3904}.exe

Filesize
216KB

MD5
dfca0646633a685ebd1c016fc1020849

SHA1
918480ff6660bafb0dc65705b48aa19f51fdad17

SHA256
8196ad87c13ead80c5f86787ffd733b929bf71c8b361c6a9335225fe9e697ddd

SHA512
1aa51a934592c4b6ead19e29fa2ee83d97a03a75a70bfc9a688c3c6d4e1c914119dd51840fb3c6d741248b0b3a863f2357560961e7141c351ce0995f2cb410db

Download Submit
C:\Windows\{81C6D2F9-409B-464b-B9EA-A08A77238F91}.exe

Filesize
216KB

MD5
9ba29a0336925cc09794168e039bb2e4

SHA1
0a0585f0b4bd18f8fe61e015cd01bd99ee0271f2

SHA256
f912c14e9c0a08edf44248f16655b0ac08d3daf0d15f41e5fe8763651b1f8598

SHA512
bb1c71438f9c43862f3b97ae18dd13218a38fd273e31610f3835c3c8172e3576d4642a10bbc20f44cc521460acbc95c2aebb9b7e56c0d5d9f8fbdfa6963bee92

Download Submit
C:\Windows\{8B6C1067-5648-4fc1-AF4E-60E11836885C}.exe

Filesize
216KB

MD5
4a54b5b643b95494269d63e48bc0396f

SHA1
06446f1e13379fafc3d6fc50817188b3607cba46

SHA256
9982905c68ac5d40dac42423368a27fc4bcffeee6a9b72df08215c0f4dcb0d17

SHA512
a5be097bb9c58f31fae771d3a8c3aebf4cd77308ff880346e2217796cef2c6f32aeb3ea65ee107074e7c5c09ec29a9b78bc673a4737db1a50e20c60c64346c7a

Download Submit
C:\Windows\{8F140D3E-8BE6-4240-9753-B6CC5FD3C662}.exe

Filesize
216KB

MD5
f1e255a991fc4b2f4fb94188ae585dc6

SHA1
6d70e740d7b6ad3a48c2cc55e486b72cbafe7117

SHA256
76746bc807c2d8aa8328b21668006e160df4bb097dee1b33b79dbeb423db3185

SHA512
e5a8403847c2813e989e113ca66878f31e4072e02a58768f6962600e8d6dacff7fa5bbb5b1b509de436a46dba62b996748a5d88ef1a18be95aba383b2a50242c

Download Submit
C:\Windows\{E1F637DF-BA49-46a1-BB1A-01D870FA844A}.exe

Filesize
216KB

MD5
716fec53f624256a4b6a84152807f377

SHA1
a07fd191686c226a35c8dca1fbe48066aa769a11

SHA256
50ddf189d71f0e079153d7a1d4c99cc454b21fca1c5ca2f6be38afff267521c1

SHA512
feea1260d41de3118e3900befd77d90696676d85183cd956ef277de7d5c0fd230a6532395ed38a4ee3c6b034bd74b55f2cbac515bdc91c175667d2209bfdea06

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads