c29233b3077f554fb3fb32042bf22db7a95d0492200b12a47b5ee1964950a4d9

Analysis

max time kernel
144s
max time network
119s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
28/01/2024, 00:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-28_4df6c1a53c463b3859045a1e55e7b630_goldeneye.exe
Size

197KB
MD5

4df6c1a53c463b3859045a1e55e7b630
SHA1

85b10597572568089cc86bc93a7c6db1d3b9596e
SHA256

c29233b3077f554fb3fb32042bf22db7a95d0492200b12a47b5ee1964950a4d9
SHA512

765a4c7976ba323a66660593258beaefe94ff9271a3a306d16a78863ddec6ff1f6756e4969b19aa11ad36fa831287b7f02cf677f835ba400685d6f0a8a1cdd7b
SSDEEP

3072:jEGh0oIl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGulEeKcAEca

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 13 IoCs

resource	yara_rule
behavioral1/files/0x000b0000000133a9-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a00000001345a-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c0000000133a9-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a000000013ac5-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000005a5a-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d0000000133a9-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000005a5a-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e0000000133a9-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e0000000133a9-55.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000005a5a-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000005a5a-62.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f0000000133a9-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000005a5a-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{58E0E490-0C22-40a4-B634-282362D9AE40}	{DF0BE13C-9D1E-4086-8A01-846FBEC82001}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E1009B03-7022-43af-8B30-BE7DF7CC5B7B}	{58E0E490-0C22-40a4-B634-282362D9AE40}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{186707BC-2B52-4e31-8BEE-F15A0BB6B9DF}	{E6E141C7-FEE7-45e8-B859-A7AD5057C091}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{186707BC-2B52-4e31-8BEE-F15A0BB6B9DF}\stubpath = "C:\\Windows\\{186707BC-2B52-4e31-8BEE-F15A0BB6B9DF}.exe"	{E6E141C7-FEE7-45e8-B859-A7AD5057C091}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{83BE7286-A3F3-44fa-B2B8-E0CBE441834F}	{42431776-A111-4e51-9CF0-872E51ACEF4D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{47E6D9B8-1471-4b47-AD2B-07119F0050B1}\stubpath = "C:\\Windows\\{47E6D9B8-1471-4b47-AD2B-07119F0050B1}.exe"	2024-01-28_4df6c1a53c463b3859045a1e55e7b630_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DF0BE13C-9D1E-4086-8A01-846FBEC82001}	{47E6D9B8-1471-4b47-AD2B-07119F0050B1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E6E141C7-FEE7-45e8-B859-A7AD5057C091}\stubpath = "C:\\Windows\\{E6E141C7-FEE7-45e8-B859-A7AD5057C091}.exe"	{E1009B03-7022-43af-8B30-BE7DF7CC5B7B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{58E0E490-0C22-40a4-B634-282362D9AE40}\stubpath = "C:\\Windows\\{58E0E490-0C22-40a4-B634-282362D9AE40}.exe"	{DF0BE13C-9D1E-4086-8A01-846FBEC82001}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{487660C5-1183-4a9b-A5D4-02C16721BB0B}	{186707BC-2B52-4e31-8BEE-F15A0BB6B9DF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{42431776-A111-4e51-9CF0-872E51ACEF4D}	{41AE4AFF-CADA-4445-8DDA-E1D3D96B32FE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{83BE7286-A3F3-44fa-B2B8-E0CBE441834F}\stubpath = "C:\\Windows\\{83BE7286-A3F3-44fa-B2B8-E0CBE441834F}.exe"	{42431776-A111-4e51-9CF0-872E51ACEF4D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EA07A848-9574-4d16-B1D0-51887C410030}\stubpath = "C:\\Windows\\{EA07A848-9574-4d16-B1D0-51887C410030}.exe"	{487660C5-1183-4a9b-A5D4-02C16721BB0B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{41AE4AFF-CADA-4445-8DDA-E1D3D96B32FE}	{EA07A848-9574-4d16-B1D0-51887C410030}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{47E6D9B8-1471-4b47-AD2B-07119F0050B1}	2024-01-28_4df6c1a53c463b3859045a1e55e7b630_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DF0BE13C-9D1E-4086-8A01-846FBEC82001}\stubpath = "C:\\Windows\\{DF0BE13C-9D1E-4086-8A01-846FBEC82001}.exe"	{47E6D9B8-1471-4b47-AD2B-07119F0050B1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E1009B03-7022-43af-8B30-BE7DF7CC5B7B}\stubpath = "C:\\Windows\\{E1009B03-7022-43af-8B30-BE7DF7CC5B7B}.exe"	{58E0E490-0C22-40a4-B634-282362D9AE40}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E6E141C7-FEE7-45e8-B859-A7AD5057C091}	{E1009B03-7022-43af-8B30-BE7DF7CC5B7B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{487660C5-1183-4a9b-A5D4-02C16721BB0B}\stubpath = "C:\\Windows\\{487660C5-1183-4a9b-A5D4-02C16721BB0B}.exe"	{186707BC-2B52-4e31-8BEE-F15A0BB6B9DF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EA07A848-9574-4d16-B1D0-51887C410030}	{487660C5-1183-4a9b-A5D4-02C16721BB0B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{41AE4AFF-CADA-4445-8DDA-E1D3D96B32FE}\stubpath = "C:\\Windows\\{41AE4AFF-CADA-4445-8DDA-E1D3D96B32FE}.exe"	{EA07A848-9574-4d16-B1D0-51887C410030}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{42431776-A111-4e51-9CF0-872E51ACEF4D}\stubpath = "C:\\Windows\\{42431776-A111-4e51-9CF0-872E51ACEF4D}.exe"	{41AE4AFF-CADA-4445-8DDA-E1D3D96B32FE}.exe

Deletes itself 1 IoCs

pid	Process
1332	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
1968	{47E6D9B8-1471-4b47-AD2B-07119F0050B1}.exe
2584	{DF0BE13C-9D1E-4086-8A01-846FBEC82001}.exe
2088	{58E0E490-0C22-40a4-B634-282362D9AE40}.exe
2532	{E1009B03-7022-43af-8B30-BE7DF7CC5B7B}.exe
952	{E6E141C7-FEE7-45e8-B859-A7AD5057C091}.exe
2172	{186707BC-2B52-4e31-8BEE-F15A0BB6B9DF}.exe
1616	{487660C5-1183-4a9b-A5D4-02C16721BB0B}.exe
636	{EA07A848-9574-4d16-B1D0-51887C410030}.exe
2856	{41AE4AFF-CADA-4445-8DDA-E1D3D96B32FE}.exe
2296	{42431776-A111-4e51-9CF0-872E51ACEF4D}.exe
1060	{83BE7286-A3F3-44fa-B2B8-E0CBE441834F}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{58E0E490-0C22-40a4-B634-282362D9AE40}.exe	{DF0BE13C-9D1E-4086-8A01-846FBEC82001}.exe
File created	C:\Windows\{E1009B03-7022-43af-8B30-BE7DF7CC5B7B}.exe	{58E0E490-0C22-40a4-B634-282362D9AE40}.exe
File created	C:\Windows\{E6E141C7-FEE7-45e8-B859-A7AD5057C091}.exe	{E1009B03-7022-43af-8B30-BE7DF7CC5B7B}.exe
File created	C:\Windows\{EA07A848-9574-4d16-B1D0-51887C410030}.exe	{487660C5-1183-4a9b-A5D4-02C16721BB0B}.exe
File created	C:\Windows\{83BE7286-A3F3-44fa-B2B8-E0CBE441834F}.exe	{42431776-A111-4e51-9CF0-872E51ACEF4D}.exe
File created	C:\Windows\{47E6D9B8-1471-4b47-AD2B-07119F0050B1}.exe	2024-01-28_4df6c1a53c463b3859045a1e55e7b630_goldeneye.exe
File created	C:\Windows\{DF0BE13C-9D1E-4086-8A01-846FBEC82001}.exe	{47E6D9B8-1471-4b47-AD2B-07119F0050B1}.exe
File created	C:\Windows\{186707BC-2B52-4e31-8BEE-F15A0BB6B9DF}.exe	{E6E141C7-FEE7-45e8-B859-A7AD5057C091}.exe
File created	C:\Windows\{487660C5-1183-4a9b-A5D4-02C16721BB0B}.exe	{186707BC-2B52-4e31-8BEE-F15A0BB6B9DF}.exe
File created	C:\Windows\{41AE4AFF-CADA-4445-8DDA-E1D3D96B32FE}.exe	{EA07A848-9574-4d16-B1D0-51887C410030}.exe
File created	C:\Windows\{42431776-A111-4e51-9CF0-872E51ACEF4D}.exe	{41AE4AFF-CADA-4445-8DDA-E1D3D96B32FE}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2888	2024-01-28_4df6c1a53c463b3859045a1e55e7b630_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1968	{47E6D9B8-1471-4b47-AD2B-07119F0050B1}.exe
Token: SeIncBasePriorityPrivilege	2584	{DF0BE13C-9D1E-4086-8A01-846FBEC82001}.exe
Token: SeIncBasePriorityPrivilege	2088	{58E0E490-0C22-40a4-B634-282362D9AE40}.exe
Token: SeIncBasePriorityPrivilege	2532	{E1009B03-7022-43af-8B30-BE7DF7CC5B7B}.exe
Token: SeIncBasePriorityPrivilege	952	{E6E141C7-FEE7-45e8-B859-A7AD5057C091}.exe
Token: SeIncBasePriorityPrivilege	2172	{186707BC-2B52-4e31-8BEE-F15A0BB6B9DF}.exe
Token: SeIncBasePriorityPrivilege	1616	{487660C5-1183-4a9b-A5D4-02C16721BB0B}.exe
Token: SeIncBasePriorityPrivilege	636	{EA07A848-9574-4d16-B1D0-51887C410030}.exe
Token: SeIncBasePriorityPrivilege	2856	{41AE4AFF-CADA-4445-8DDA-E1D3D96B32FE}.exe
Token: SeIncBasePriorityPrivilege	2296	{42431776-A111-4e51-9CF0-872E51ACEF4D}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2888 wrote to memory of 1968	2888	2024-01-28_4df6c1a53c463b3859045a1e55e7b630_goldeneye.exe	28
PID 2888 wrote to memory of 1968	2888	2024-01-28_4df6c1a53c463b3859045a1e55e7b630_goldeneye.exe	28
PID 2888 wrote to memory of 1968	2888	2024-01-28_4df6c1a53c463b3859045a1e55e7b630_goldeneye.exe	28
PID 2888 wrote to memory of 1968	2888	2024-01-28_4df6c1a53c463b3859045a1e55e7b630_goldeneye.exe	28
PID 2888 wrote to memory of 1332	2888	2024-01-28_4df6c1a53c463b3859045a1e55e7b630_goldeneye.exe	29
PID 2888 wrote to memory of 1332	2888	2024-01-28_4df6c1a53c463b3859045a1e55e7b630_goldeneye.exe	29
PID 2888 wrote to memory of 1332	2888	2024-01-28_4df6c1a53c463b3859045a1e55e7b630_goldeneye.exe	29
PID 2888 wrote to memory of 1332	2888	2024-01-28_4df6c1a53c463b3859045a1e55e7b630_goldeneye.exe	29
PID 1968 wrote to memory of 2584	1968	{47E6D9B8-1471-4b47-AD2B-07119F0050B1}.exe	30
PID 1968 wrote to memory of 2584	1968	{47E6D9B8-1471-4b47-AD2B-07119F0050B1}.exe	30
PID 1968 wrote to memory of 2584	1968	{47E6D9B8-1471-4b47-AD2B-07119F0050B1}.exe	30
PID 1968 wrote to memory of 2584	1968	{47E6D9B8-1471-4b47-AD2B-07119F0050B1}.exe	30
PID 1968 wrote to memory of 2660	1968	{47E6D9B8-1471-4b47-AD2B-07119F0050B1}.exe	31
PID 1968 wrote to memory of 2660	1968	{47E6D9B8-1471-4b47-AD2B-07119F0050B1}.exe	31
PID 1968 wrote to memory of 2660	1968	{47E6D9B8-1471-4b47-AD2B-07119F0050B1}.exe	31
PID 1968 wrote to memory of 2660	1968	{47E6D9B8-1471-4b47-AD2B-07119F0050B1}.exe	31
PID 2584 wrote to memory of 2088	2584	{DF0BE13C-9D1E-4086-8A01-846FBEC82001}.exe	32
PID 2584 wrote to memory of 2088	2584	{DF0BE13C-9D1E-4086-8A01-846FBEC82001}.exe	32
PID 2584 wrote to memory of 2088	2584	{DF0BE13C-9D1E-4086-8A01-846FBEC82001}.exe	32
PID 2584 wrote to memory of 2088	2584	{DF0BE13C-9D1E-4086-8A01-846FBEC82001}.exe	32
PID 2584 wrote to memory of 1716	2584	{DF0BE13C-9D1E-4086-8A01-846FBEC82001}.exe	33
PID 2584 wrote to memory of 1716	2584	{DF0BE13C-9D1E-4086-8A01-846FBEC82001}.exe	33
PID 2584 wrote to memory of 1716	2584	{DF0BE13C-9D1E-4086-8A01-846FBEC82001}.exe	33
PID 2584 wrote to memory of 1716	2584	{DF0BE13C-9D1E-4086-8A01-846FBEC82001}.exe	33
PID 2088 wrote to memory of 2532	2088	{58E0E490-0C22-40a4-B634-282362D9AE40}.exe	36
PID 2088 wrote to memory of 2532	2088	{58E0E490-0C22-40a4-B634-282362D9AE40}.exe	36
PID 2088 wrote to memory of 2532	2088	{58E0E490-0C22-40a4-B634-282362D9AE40}.exe	36
PID 2088 wrote to memory of 2532	2088	{58E0E490-0C22-40a4-B634-282362D9AE40}.exe	36
PID 2088 wrote to memory of 2500	2088	{58E0E490-0C22-40a4-B634-282362D9AE40}.exe	37
PID 2088 wrote to memory of 2500	2088	{58E0E490-0C22-40a4-B634-282362D9AE40}.exe	37
PID 2088 wrote to memory of 2500	2088	{58E0E490-0C22-40a4-B634-282362D9AE40}.exe	37
PID 2088 wrote to memory of 2500	2088	{58E0E490-0C22-40a4-B634-282362D9AE40}.exe	37
PID 2532 wrote to memory of 952	2532	{E1009B03-7022-43af-8B30-BE7DF7CC5B7B}.exe	38
PID 2532 wrote to memory of 952	2532	{E1009B03-7022-43af-8B30-BE7DF7CC5B7B}.exe	38
PID 2532 wrote to memory of 952	2532	{E1009B03-7022-43af-8B30-BE7DF7CC5B7B}.exe	38
PID 2532 wrote to memory of 952	2532	{E1009B03-7022-43af-8B30-BE7DF7CC5B7B}.exe	38
PID 2532 wrote to memory of 1752	2532	{E1009B03-7022-43af-8B30-BE7DF7CC5B7B}.exe	39
PID 2532 wrote to memory of 1752	2532	{E1009B03-7022-43af-8B30-BE7DF7CC5B7B}.exe	39
PID 2532 wrote to memory of 1752	2532	{E1009B03-7022-43af-8B30-BE7DF7CC5B7B}.exe	39
PID 2532 wrote to memory of 1752	2532	{E1009B03-7022-43af-8B30-BE7DF7CC5B7B}.exe	39
PID 952 wrote to memory of 2172	952	{E6E141C7-FEE7-45e8-B859-A7AD5057C091}.exe	41
PID 952 wrote to memory of 2172	952	{E6E141C7-FEE7-45e8-B859-A7AD5057C091}.exe	41
PID 952 wrote to memory of 2172	952	{E6E141C7-FEE7-45e8-B859-A7AD5057C091}.exe	41
PID 952 wrote to memory of 2172	952	{E6E141C7-FEE7-45e8-B859-A7AD5057C091}.exe	41
PID 952 wrote to memory of 2348	952	{E6E141C7-FEE7-45e8-B859-A7AD5057C091}.exe	40
PID 952 wrote to memory of 2348	952	{E6E141C7-FEE7-45e8-B859-A7AD5057C091}.exe	40
PID 952 wrote to memory of 2348	952	{E6E141C7-FEE7-45e8-B859-A7AD5057C091}.exe	40
PID 952 wrote to memory of 2348	952	{E6E141C7-FEE7-45e8-B859-A7AD5057C091}.exe	40
PID 2172 wrote to memory of 1616	2172	{186707BC-2B52-4e31-8BEE-F15A0BB6B9DF}.exe	42
PID 2172 wrote to memory of 1616	2172	{186707BC-2B52-4e31-8BEE-F15A0BB6B9DF}.exe	42
PID 2172 wrote to memory of 1616	2172	{186707BC-2B52-4e31-8BEE-F15A0BB6B9DF}.exe	42
PID 2172 wrote to memory of 1616	2172	{186707BC-2B52-4e31-8BEE-F15A0BB6B9DF}.exe	42
PID 2172 wrote to memory of 2516	2172	{186707BC-2B52-4e31-8BEE-F15A0BB6B9DF}.exe	43
PID 2172 wrote to memory of 2516	2172	{186707BC-2B52-4e31-8BEE-F15A0BB6B9DF}.exe	43
PID 2172 wrote to memory of 2516	2172	{186707BC-2B52-4e31-8BEE-F15A0BB6B9DF}.exe	43
PID 2172 wrote to memory of 2516	2172	{186707BC-2B52-4e31-8BEE-F15A0BB6B9DF}.exe	43
PID 1616 wrote to memory of 636	1616	{487660C5-1183-4a9b-A5D4-02C16721BB0B}.exe	44
PID 1616 wrote to memory of 636	1616	{487660C5-1183-4a9b-A5D4-02C16721BB0B}.exe	44
PID 1616 wrote to memory of 636	1616	{487660C5-1183-4a9b-A5D4-02C16721BB0B}.exe	44
PID 1616 wrote to memory of 636	1616	{487660C5-1183-4a9b-A5D4-02C16721BB0B}.exe	44
PID 1616 wrote to memory of 1552	1616	{487660C5-1183-4a9b-A5D4-02C16721BB0B}.exe	45
PID 1616 wrote to memory of 1552	1616	{487660C5-1183-4a9b-A5D4-02C16721BB0B}.exe	45
PID 1616 wrote to memory of 1552	1616	{487660C5-1183-4a9b-A5D4-02C16721BB0B}.exe	45
PID 1616 wrote to memory of 1552	1616	{487660C5-1183-4a9b-A5D4-02C16721BB0B}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-01-28_4df6c1a53c463b3859045a1e55e7b630_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-28_4df6c1a53c463b3859045a1e55e7b630_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2888
- C:\Windows\{47E6D9B8-1471-4b47-AD2B-07119F0050B1}.exe
  C:\Windows\{47E6D9B8-1471-4b47-AD2B-07119F0050B1}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1968
- - C:\Windows\{DF0BE13C-9D1E-4086-8A01-846FBEC82001}.exe
    C:\Windows\{DF0BE13C-9D1E-4086-8A01-846FBEC82001}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2584
  - - C:\Windows\{58E0E490-0C22-40a4-B634-282362D9AE40}.exe
      C:\Windows\{58E0E490-0C22-40a4-B634-282362D9AE40}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2088
    - - C:\Windows\{E1009B03-7022-43af-8B30-BE7DF7CC5B7B}.exe
        
        C:\Windows\{E1009B03-7022-43af-8B30-BE7DF7CC5B7B}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2532
      - C:\Windows\{E6E141C7-FEE7-45e8-B859-A7AD5057C091}.exe
        
        C:\Windows\{E6E141C7-FEE7-45e8-B859-A7AD5057C091}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E6E14~1.EXE > nul
        7⤵
        
        PID:2348
        
        C:\Windows\{186707BC-2B52-4e31-8BEE-F15A0BB6B9DF}.exe
        
        C:\Windows\{186707BC-2B52-4e31-8BEE-F15A0BB6B9DF}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2172
        
        C:\Windows\{487660C5-1183-4a9b-A5D4-02C16721BB0B}.exe
        
        C:\Windows\{487660C5-1183-4a9b-A5D4-02C16721BB0B}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1616
        
        C:\Windows\{EA07A848-9574-4d16-B1D0-51887C410030}.exe
        
        C:\Windows\{EA07A848-9574-4d16-B1D0-51887C410030}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:636
        
        C:\Windows\{41AE4AFF-CADA-4445-8DDA-E1D3D96B32FE}.exe
        
        C:\Windows\{41AE4AFF-CADA-4445-8DDA-E1D3D96B32FE}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{41AE4~1.EXE > nul
        11⤵
        
        PID:600
        
        C:\Windows\{42431776-A111-4e51-9CF0-872E51ACEF4D}.exe
        
        C:\Windows\{42431776-A111-4e51-9CF0-872E51ACEF4D}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{42431~1.EXE > nul
        12⤵
        
        PID:1500
        
        C:\Windows\{83BE7286-A3F3-44fa-B2B8-E0CBE441834F}.exe
        
        C:\Windows\{83BE7286-A3F3-44fa-B2B8-E0CBE441834F}.exe
        12⤵
        Executes dropped EXE
        
        PID:1060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EA07A~1.EXE > nul
        10⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{48766~1.EXE > nul
        9⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{18670~1.EXE > nul
        8⤵
        
        PID:2516
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E1009~1.EXE > nul
        6⤵
        
        PID:1752
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{58E0E~1.EXE > nul
        5⤵
        
        PID:2500
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{DF0BE~1.EXE > nul
      4⤵
      PID:1716
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{47E6D~1.EXE > nul
    3⤵
    PID:2660
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:1332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{186707BC-2B52-4e31-8BEE-F15A0BB6B9DF}.exe

Filesize
197KB

MD5
82eb6f9572c8f0a02cca86804ac6524a

SHA1
f0bb4573ecd59b549073703b5838389ec626ca31

SHA256
91afed8036a62bfdfe33112ff3e867284ddf1f2bef9c7dc3e2f492f618d2a85c

SHA512
9123322afb568c8311abdd35813ba88e77123708a6022ac09031227b715f51cfa11818a187b5dfe760b20074d0492da7a270a3de3e4f7b02870b351ba8c50718

Download Submit
C:\Windows\{41AE4AFF-CADA-4445-8DDA-E1D3D96B32FE}.exe

Filesize
74KB

MD5
36524c6fe4764fe874910dcc4ed8645a

SHA1
415c371d76d7cb1bbbcd56ab5475574e30ca07f0

SHA256
67b97a5e61ca3d0fd1f43c2886ce8dbfaa7d3d952f13b5ee54fd93c84a95cfcc

SHA512
9d2ea8e8e2684a2c23c157db3c4940eec8bb16d7b5a2522da63dd582b7bc85a46d8bf5dc7d87f7b851762b1f6ae7db9a31537ceab99fd28f43af9d0c71f459dc

Download Submit
C:\Windows\{41AE4AFF-CADA-4445-8DDA-E1D3D96B32FE}.exe

Filesize
197KB

MD5
dfbe39b7663dbac839ac950c75a87d9b

SHA1
857cb0621937ac239a6593e69c045d75bd2b7115

SHA256
7cd0e43887ead0cf8e6ddf6abc7ddae9504e2f9470808d84a0a4f5c7dd277b57

SHA512
bc4434cc753ec280e7ed1a447880c2207e74fb706fba429e9a04b0c97ef54e007bbad6296b6b6e0ec6bc563a4f4340b7c4e557928910e81561e91cd494b417c2

Download Submit
C:\Windows\{42431776-A111-4e51-9CF0-872E51ACEF4D}.exe

Filesize
197KB

MD5
75e86d770a1188d62997e2e28992bed3

SHA1
023f26514df4acfc942cd6a7255f5aa4fe87b354

SHA256
fa5891a74e9ca00d4c8772daaf4ccf78ed2beee4a274be99eb0202b819291cf3

SHA512
fcdf04c32ed2f24ced06ae15956aa1d0342417d6779ec9cd88cbcf5e54db1baefb889693fffcdd7c02cfdd0d2a919cdbaf58504cfdcc9f42560d7d4d6f69408d

Download Submit
C:\Windows\{47E6D9B8-1471-4b47-AD2B-07119F0050B1}.exe

Filesize
197KB

MD5
226af615be0c0d1901dff441dabc1025

SHA1
14350eb4af28961aa6984c6395fdc36614a7582b

SHA256
d2c82a19e7e0282a12640df7b35fabf7b3823292930f26b3084d6b150dfbc987

SHA512
f1a4a17aa1fc41d67a14113def753b18967259e2af6061b9abc7c459982bdc645958f0187b7bfaa9e99b49acffbff987f75f1ea1eac3c3cd2c86bb331f434417

Download Submit
C:\Windows\{487660C5-1183-4a9b-A5D4-02C16721BB0B}.exe

Filesize
197KB

MD5
aa9ee5e46b0b0f7437e60969cc64ef45

SHA1
e92f0755e2313fcff6145d58a6522bc01e6b74fe

SHA256
a602f207533e63bb3827e10ce170b063d2b010c7a6df54b066f0b409a4262232

SHA512
68bd7bcb77dd939542f58a064486998397d1bb99776fc123341c3bd5f7ff9dc9338867bedf074a211a3c4c8de8286087942321c62e2609fb03775a50da1e5ffb

Download Submit
C:\Windows\{58E0E490-0C22-40a4-B634-282362D9AE40}.exe

Filesize
197KB

MD5
b213d19144858f47a9fbfc571eaec76b

SHA1
bf6b79392cbc03274927e0bfd4cd9e4d3791b221

SHA256
1cd8e8368bd0d6a70499b865bbc4bdcd440e6b3c2445b4289c2e2c53ce10cb61

SHA512
127e3f7db3bc37cb183d49ff5705758e293bf08b78001ef26a6065b20d59cce051b15f4dee649b00b38bc7a85b55f1dd76db5c7aaedc67e1049f01efb7af7979

Download Submit
C:\Windows\{83BE7286-A3F3-44fa-B2B8-E0CBE441834F}.exe

Filesize
197KB

MD5
034da707c7e4785bab9b50244c44256e

SHA1
f051c5f82372d498b9ca537cbfaeb327ca487802

SHA256
13d321b3358ffd6e868d8f909012baed98dd08b5fb41d099128ad6745a1e0a0a

SHA512
ef18a30b5d555d2d57eb9f6ae154d304f922404e6b58e1a6c20d64a5f43bed71d2b15fbb96f07dcec95b3edcb4dd7a516ad86c14bda4c3b0fdb2fedce0347ebb

Download Submit
C:\Windows\{DF0BE13C-9D1E-4086-8A01-846FBEC82001}.exe

Filesize
197KB

MD5
c2997e4f19ca9af034749c9352f325f7

SHA1
c036ae1f4825764ef3d03da9f3534a73947bc8f2

SHA256
aa1f87dbaf9eda131309d5ad074dd86933f337d2a505d4042e0a8f995dbef417

SHA512
ffc0ade89abf99c10a59b9e7fb4c9182f836f995afe64111ac2b9629a290388cd389a09af3e9ea1420bcb1b351d76f1b89f6e7b0cc5c9d8c7a64a666ce62f717

Download Submit
C:\Windows\{E1009B03-7022-43af-8B30-BE7DF7CC5B7B}.exe

Filesize
197KB

MD5
968ab8bd953ed6948224a95fe62220fb

SHA1
3533514bffe372c64e49e45d28063e5cf1fb747b

SHA256
8ac472b11c11e3e6518f7e725d03d1b87bb92dd7df1259d622cea5d3c61037a9

SHA512
a5b6a92be45aa8d34cbde5dd4ba7bffdabea574fddca932f31d8e96288ea84db5b6aab8d6530b07b8cb6720dc7ce3044c5ac3aeab287b78c3fb36fb29f0e2d23

Download Submit
C:\Windows\{E6E141C7-FEE7-45e8-B859-A7AD5057C091}.exe

Filesize
197KB

MD5
c859e67d193334c584944912b435f5df

SHA1
3fe51d2632be011977d830de4fcc0f21fc7d2d21

SHA256
1f6a0a7819613d4193f344f13b613c1f26e4cc58a04f89d37919874ed7e194f3

SHA512
ae0cfcd245e2cc27544dd0ba9aa05edf9bf40d36e94b47c477ab2482d2ed3c6ff8eb18ffb7084dd37803b0dfe0555dcdc4d81901ad04cd0894266a8ea2473f9b

Download Submit
C:\Windows\{EA07A848-9574-4d16-B1D0-51887C410030}.exe

Filesize
197KB

MD5
f07339ee53e861b0ed566cc298c570ff

SHA1
6121599513e931abc51799ca235ef0937ed0cd7e

SHA256
ef84dcda5e41e1018b16915ec63e01b896aa240acdb25aa8d800412aaa9877e5

SHA512
8de74b1bd6e990f749882469bde76cafd0932f8a572a236d65a50c3254c98d39742ac4ca0b1d725e80ed5da7cfd9c042382722bb30f44255b6807bbcf719f535

Download Submit
C:\Windows\{EA07A848-9574-4d16-B1D0-51887C410030}.exe

Filesize
78KB

MD5
20b98ac9fe431d2ef296c2acca34a4d9

SHA1
7e94523db691d110d4b567c7b0e9c8eb5287cf09

SHA256
fc0783f911a6d5099ca3a92799ca0c4f103e51a00efdaa10467c567b40467fc9

SHA512
0443fe4e03d89ceef9fb4ea6c75a97f4630d38d4d830cf868bc26db7d0f7b132adadc772bd5dc7709f1ab428673b4c38bc5ee8c711f81abeebfb081f553742a6

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads