e5028e27b0ccfec330e2997e7ca5a674c17021ca94c9776d6910eb95778e4cf0

Analysis

max time kernel
138s
max time network
118s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
13/02/2024, 05:56

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-02-13_ac4a35c2f89e795a446d90572c26b552_goldeneye.exe
Size

372KB
MD5

ac4a35c2f89e795a446d90572c26b552
SHA1

a63ff85125ca868262f4142892b00121c5b09dc1
SHA256

e5028e27b0ccfec330e2997e7ca5a674c17021ca94c9776d6910eb95778e4cf0
SHA512

85d837eef056b6098f192294e8348fa7e52fa101acd841db118de2aa9b6135354397b71d8cf76d420d763044002114282cbc4405f185fa7eed4e44cbc3e503d3
SSDEEP

3072:CEGh0o1lMOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBfM:CEGLlkOe2MUVg3vTeKcAEciTBqr3

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral1/files/0x000a00000001393e-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c0000000139d6-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b00000001393e-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000900000001411b-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000005a5a-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c00000001393e-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000005a5a-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d00000001393e-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000005a5a-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e00000001393e-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e00000001393e-69.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000005a5a-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{57AE9C69-27E5-4365-8304-5C4C20391606}	{3B51CBDA-7E43-4fcc-B1A1-F905A6F2D871}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2891178B-31A8-465c-A275-A9680C93F227}	{E8BA948C-A14A-4ac6-8348-D5CD6AA1A968}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2891178B-31A8-465c-A275-A9680C93F227}\stubpath = "C:\\Windows\\{2891178B-31A8-465c-A275-A9680C93F227}.exe"	{E8BA948C-A14A-4ac6-8348-D5CD6AA1A968}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A509B4DC-A83F-4748-BAF9-49A9185C7A61}	{2891178B-31A8-465c-A275-A9680C93F227}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A509B4DC-A83F-4748-BAF9-49A9185C7A61}\stubpath = "C:\\Windows\\{A509B4DC-A83F-4748-BAF9-49A9185C7A61}.exe"	{2891178B-31A8-465c-A275-A9680C93F227}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B3A326C6-2C46-4360-9F76-82C3A3A335DB}\stubpath = "C:\\Windows\\{B3A326C6-2C46-4360-9F76-82C3A3A335DB}.exe"	{A509B4DC-A83F-4748-BAF9-49A9185C7A61}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{328A8966-D4BA-4a48-9304-1F9E18209E20}\stubpath = "C:\\Windows\\{328A8966-D4BA-4a48-9304-1F9E18209E20}.exe"	{B3A326C6-2C46-4360-9F76-82C3A3A335DB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B88F1D98-914D-438e-B3D2-282EF15EC0C3}	{328A8966-D4BA-4a48-9304-1F9E18209E20}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B88F1D98-914D-438e-B3D2-282EF15EC0C3}\stubpath = "C:\\Windows\\{B88F1D98-914D-438e-B3D2-282EF15EC0C3}.exe"	{328A8966-D4BA-4a48-9304-1F9E18209E20}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3B51CBDA-7E43-4fcc-B1A1-F905A6F2D871}\stubpath = "C:\\Windows\\{3B51CBDA-7E43-4fcc-B1A1-F905A6F2D871}.exe"	2024-02-13_ac4a35c2f89e795a446d90572c26b552_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{57AE9C69-27E5-4365-8304-5C4C20391606}\stubpath = "C:\\Windows\\{57AE9C69-27E5-4365-8304-5C4C20391606}.exe"	{3B51CBDA-7E43-4fcc-B1A1-F905A6F2D871}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{328A8966-D4BA-4a48-9304-1F9E18209E20}	{B3A326C6-2C46-4360-9F76-82C3A3A335DB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{96CCCF4D-94E6-44db-8D93-4CDC84D08086}	{CC1320CF-7F05-4c90-AA09-06648BF0ADC4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3B51CBDA-7E43-4fcc-B1A1-F905A6F2D871}	2024-02-13_ac4a35c2f89e795a446d90572c26b552_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E8BA948C-A14A-4ac6-8348-D5CD6AA1A968}	{57AE9C69-27E5-4365-8304-5C4C20391606}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E8BA948C-A14A-4ac6-8348-D5CD6AA1A968}\stubpath = "C:\\Windows\\{E8BA948C-A14A-4ac6-8348-D5CD6AA1A968}.exe"	{57AE9C69-27E5-4365-8304-5C4C20391606}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{982D9459-73D6-4c9c-A6A2-A018FA0C4F4B}\stubpath = "C:\\Windows\\{982D9459-73D6-4c9c-A6A2-A018FA0C4F4B}.exe"	{B88F1D98-914D-438e-B3D2-282EF15EC0C3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CC1320CF-7F05-4c90-AA09-06648BF0ADC4}	{982D9459-73D6-4c9c-A6A2-A018FA0C4F4B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CC1320CF-7F05-4c90-AA09-06648BF0ADC4}\stubpath = "C:\\Windows\\{CC1320CF-7F05-4c90-AA09-06648BF0ADC4}.exe"	{982D9459-73D6-4c9c-A6A2-A018FA0C4F4B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B3A326C6-2C46-4360-9F76-82C3A3A335DB}	{A509B4DC-A83F-4748-BAF9-49A9185C7A61}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{982D9459-73D6-4c9c-A6A2-A018FA0C4F4B}	{B88F1D98-914D-438e-B3D2-282EF15EC0C3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{96CCCF4D-94E6-44db-8D93-4CDC84D08086}\stubpath = "C:\\Windows\\{96CCCF4D-94E6-44db-8D93-4CDC84D08086}.exe"	{CC1320CF-7F05-4c90-AA09-06648BF0ADC4}.exe

Deletes itself 1 IoCs

pid	Process
2152	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
1648	{3B51CBDA-7E43-4fcc-B1A1-F905A6F2D871}.exe
2680	{57AE9C69-27E5-4365-8304-5C4C20391606}.exe
2688	{E8BA948C-A14A-4ac6-8348-D5CD6AA1A968}.exe
2028	{2891178B-31A8-465c-A275-A9680C93F227}.exe
2656	{A509B4DC-A83F-4748-BAF9-49A9185C7A61}.exe
2556	{B3A326C6-2C46-4360-9F76-82C3A3A335DB}.exe
2852	{328A8966-D4BA-4a48-9304-1F9E18209E20}.exe
860	{B88F1D98-914D-438e-B3D2-282EF15EC0C3}.exe
3012	{982D9459-73D6-4c9c-A6A2-A018FA0C4F4B}.exe
324	{CC1320CF-7F05-4c90-AA09-06648BF0ADC4}.exe
960	{96CCCF4D-94E6-44db-8D93-4CDC84D08086}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{57AE9C69-27E5-4365-8304-5C4C20391606}.exe	{3B51CBDA-7E43-4fcc-B1A1-F905A6F2D871}.exe
File created	C:\Windows\{E8BA948C-A14A-4ac6-8348-D5CD6AA1A968}.exe	{57AE9C69-27E5-4365-8304-5C4C20391606}.exe
File created	C:\Windows\{A509B4DC-A83F-4748-BAF9-49A9185C7A61}.exe	{2891178B-31A8-465c-A275-A9680C93F227}.exe
File created	C:\Windows\{B3A326C6-2C46-4360-9F76-82C3A3A335DB}.exe	{A509B4DC-A83F-4748-BAF9-49A9185C7A61}.exe
File created	C:\Windows\{328A8966-D4BA-4a48-9304-1F9E18209E20}.exe	{B3A326C6-2C46-4360-9F76-82C3A3A335DB}.exe
File created	C:\Windows\{3B51CBDA-7E43-4fcc-B1A1-F905A6F2D871}.exe	2024-02-13_ac4a35c2f89e795a446d90572c26b552_goldeneye.exe
File created	C:\Windows\{2891178B-31A8-465c-A275-A9680C93F227}.exe	{E8BA948C-A14A-4ac6-8348-D5CD6AA1A968}.exe
File created	C:\Windows\{B88F1D98-914D-438e-B3D2-282EF15EC0C3}.exe	{328A8966-D4BA-4a48-9304-1F9E18209E20}.exe
File created	C:\Windows\{982D9459-73D6-4c9c-A6A2-A018FA0C4F4B}.exe	{B88F1D98-914D-438e-B3D2-282EF15EC0C3}.exe
File created	C:\Windows\{CC1320CF-7F05-4c90-AA09-06648BF0ADC4}.exe	{982D9459-73D6-4c9c-A6A2-A018FA0C4F4B}.exe
File created	C:\Windows\{96CCCF4D-94E6-44db-8D93-4CDC84D08086}.exe	{CC1320CF-7F05-4c90-AA09-06648BF0ADC4}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1704	2024-02-13_ac4a35c2f89e795a446d90572c26b552_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1648	{3B51CBDA-7E43-4fcc-B1A1-F905A6F2D871}.exe
Token: SeIncBasePriorityPrivilege	2680	{57AE9C69-27E5-4365-8304-5C4C20391606}.exe
Token: SeIncBasePriorityPrivilege	2688	{E8BA948C-A14A-4ac6-8348-D5CD6AA1A968}.exe
Token: SeIncBasePriorityPrivilege	2028	{2891178B-31A8-465c-A275-A9680C93F227}.exe
Token: SeIncBasePriorityPrivilege	2656	{A509B4DC-A83F-4748-BAF9-49A9185C7A61}.exe
Token: SeIncBasePriorityPrivilege	2556	{B3A326C6-2C46-4360-9F76-82C3A3A335DB}.exe
Token: SeIncBasePriorityPrivilege	2852	{328A8966-D4BA-4a48-9304-1F9E18209E20}.exe
Token: SeIncBasePriorityPrivilege	860	{B88F1D98-914D-438e-B3D2-282EF15EC0C3}.exe
Token: SeIncBasePriorityPrivilege	3012	{982D9459-73D6-4c9c-A6A2-A018FA0C4F4B}.exe
Token: SeIncBasePriorityPrivilege	324	{CC1320CF-7F05-4c90-AA09-06648BF0ADC4}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1704 wrote to memory of 1648	1704	2024-02-13_ac4a35c2f89e795a446d90572c26b552_goldeneye.exe	28
PID 1704 wrote to memory of 1648	1704	2024-02-13_ac4a35c2f89e795a446d90572c26b552_goldeneye.exe	28
PID 1704 wrote to memory of 1648	1704	2024-02-13_ac4a35c2f89e795a446d90572c26b552_goldeneye.exe	28
PID 1704 wrote to memory of 1648	1704	2024-02-13_ac4a35c2f89e795a446d90572c26b552_goldeneye.exe	28
PID 1704 wrote to memory of 2152	1704	2024-02-13_ac4a35c2f89e795a446d90572c26b552_goldeneye.exe	29
PID 1704 wrote to memory of 2152	1704	2024-02-13_ac4a35c2f89e795a446d90572c26b552_goldeneye.exe	29
PID 1704 wrote to memory of 2152	1704	2024-02-13_ac4a35c2f89e795a446d90572c26b552_goldeneye.exe	29
PID 1704 wrote to memory of 2152	1704	2024-02-13_ac4a35c2f89e795a446d90572c26b552_goldeneye.exe	29
PID 1648 wrote to memory of 2680	1648	{3B51CBDA-7E43-4fcc-B1A1-F905A6F2D871}.exe	30
PID 1648 wrote to memory of 2680	1648	{3B51CBDA-7E43-4fcc-B1A1-F905A6F2D871}.exe	30
PID 1648 wrote to memory of 2680	1648	{3B51CBDA-7E43-4fcc-B1A1-F905A6F2D871}.exe	30
PID 1648 wrote to memory of 2680	1648	{3B51CBDA-7E43-4fcc-B1A1-F905A6F2D871}.exe	30
PID 1648 wrote to memory of 2700	1648	{3B51CBDA-7E43-4fcc-B1A1-F905A6F2D871}.exe	31
PID 1648 wrote to memory of 2700	1648	{3B51CBDA-7E43-4fcc-B1A1-F905A6F2D871}.exe	31
PID 1648 wrote to memory of 2700	1648	{3B51CBDA-7E43-4fcc-B1A1-F905A6F2D871}.exe	31
PID 1648 wrote to memory of 2700	1648	{3B51CBDA-7E43-4fcc-B1A1-F905A6F2D871}.exe	31
PID 2680 wrote to memory of 2688	2680	{57AE9C69-27E5-4365-8304-5C4C20391606}.exe	33
PID 2680 wrote to memory of 2688	2680	{57AE9C69-27E5-4365-8304-5C4C20391606}.exe	33
PID 2680 wrote to memory of 2688	2680	{57AE9C69-27E5-4365-8304-5C4C20391606}.exe	33
PID 2680 wrote to memory of 2688	2680	{57AE9C69-27E5-4365-8304-5C4C20391606}.exe	33
PID 2680 wrote to memory of 2212	2680	{57AE9C69-27E5-4365-8304-5C4C20391606}.exe	32
PID 2680 wrote to memory of 2212	2680	{57AE9C69-27E5-4365-8304-5C4C20391606}.exe	32
PID 2680 wrote to memory of 2212	2680	{57AE9C69-27E5-4365-8304-5C4C20391606}.exe	32
PID 2680 wrote to memory of 2212	2680	{57AE9C69-27E5-4365-8304-5C4C20391606}.exe	32
PID 2688 wrote to memory of 2028	2688	{E8BA948C-A14A-4ac6-8348-D5CD6AA1A968}.exe	37
PID 2688 wrote to memory of 2028	2688	{E8BA948C-A14A-4ac6-8348-D5CD6AA1A968}.exe	37
PID 2688 wrote to memory of 2028	2688	{E8BA948C-A14A-4ac6-8348-D5CD6AA1A968}.exe	37
PID 2688 wrote to memory of 2028	2688	{E8BA948C-A14A-4ac6-8348-D5CD6AA1A968}.exe	37
PID 2688 wrote to memory of 1688	2688	{E8BA948C-A14A-4ac6-8348-D5CD6AA1A968}.exe	36
PID 2688 wrote to memory of 1688	2688	{E8BA948C-A14A-4ac6-8348-D5CD6AA1A968}.exe	36
PID 2688 wrote to memory of 1688	2688	{E8BA948C-A14A-4ac6-8348-D5CD6AA1A968}.exe	36
PID 2688 wrote to memory of 1688	2688	{E8BA948C-A14A-4ac6-8348-D5CD6AA1A968}.exe	36
PID 2028 wrote to memory of 2656	2028	{2891178B-31A8-465c-A275-A9680C93F227}.exe	39
PID 2028 wrote to memory of 2656	2028	{2891178B-31A8-465c-A275-A9680C93F227}.exe	39
PID 2028 wrote to memory of 2656	2028	{2891178B-31A8-465c-A275-A9680C93F227}.exe	39
PID 2028 wrote to memory of 2656	2028	{2891178B-31A8-465c-A275-A9680C93F227}.exe	39
PID 2028 wrote to memory of 1620	2028	{2891178B-31A8-465c-A275-A9680C93F227}.exe	38
PID 2028 wrote to memory of 1620	2028	{2891178B-31A8-465c-A275-A9680C93F227}.exe	38
PID 2028 wrote to memory of 1620	2028	{2891178B-31A8-465c-A275-A9680C93F227}.exe	38
PID 2028 wrote to memory of 1620	2028	{2891178B-31A8-465c-A275-A9680C93F227}.exe	38
PID 2656 wrote to memory of 2556	2656	{A509B4DC-A83F-4748-BAF9-49A9185C7A61}.exe	40
PID 2656 wrote to memory of 2556	2656	{A509B4DC-A83F-4748-BAF9-49A9185C7A61}.exe	40
PID 2656 wrote to memory of 2556	2656	{A509B4DC-A83F-4748-BAF9-49A9185C7A61}.exe	40
PID 2656 wrote to memory of 2556	2656	{A509B4DC-A83F-4748-BAF9-49A9185C7A61}.exe	40
PID 2656 wrote to memory of 2800	2656	{A509B4DC-A83F-4748-BAF9-49A9185C7A61}.exe	41
PID 2656 wrote to memory of 2800	2656	{A509B4DC-A83F-4748-BAF9-49A9185C7A61}.exe	41
PID 2656 wrote to memory of 2800	2656	{A509B4DC-A83F-4748-BAF9-49A9185C7A61}.exe	41
PID 2656 wrote to memory of 2800	2656	{A509B4DC-A83F-4748-BAF9-49A9185C7A61}.exe	41
PID 2556 wrote to memory of 2852	2556	{B3A326C6-2C46-4360-9F76-82C3A3A335DB}.exe	43
PID 2556 wrote to memory of 2852	2556	{B3A326C6-2C46-4360-9F76-82C3A3A335DB}.exe	43
PID 2556 wrote to memory of 2852	2556	{B3A326C6-2C46-4360-9F76-82C3A3A335DB}.exe	43
PID 2556 wrote to memory of 2852	2556	{B3A326C6-2C46-4360-9F76-82C3A3A335DB}.exe	43
PID 2556 wrote to memory of 2840	2556	{B3A326C6-2C46-4360-9F76-82C3A3A335DB}.exe	42
PID 2556 wrote to memory of 2840	2556	{B3A326C6-2C46-4360-9F76-82C3A3A335DB}.exe	42
PID 2556 wrote to memory of 2840	2556	{B3A326C6-2C46-4360-9F76-82C3A3A335DB}.exe	42
PID 2556 wrote to memory of 2840	2556	{B3A326C6-2C46-4360-9F76-82C3A3A335DB}.exe	42
PID 2852 wrote to memory of 860	2852	{328A8966-D4BA-4a48-9304-1F9E18209E20}.exe	44
PID 2852 wrote to memory of 860	2852	{328A8966-D4BA-4a48-9304-1F9E18209E20}.exe	44
PID 2852 wrote to memory of 860	2852	{328A8966-D4BA-4a48-9304-1F9E18209E20}.exe	44
PID 2852 wrote to memory of 860	2852	{328A8966-D4BA-4a48-9304-1F9E18209E20}.exe	44
PID 2852 wrote to memory of 1696	2852	{328A8966-D4BA-4a48-9304-1F9E18209E20}.exe	45
PID 2852 wrote to memory of 1696	2852	{328A8966-D4BA-4a48-9304-1F9E18209E20}.exe	45
PID 2852 wrote to memory of 1696	2852	{328A8966-D4BA-4a48-9304-1F9E18209E20}.exe	45
PID 2852 wrote to memory of 1696	2852	{328A8966-D4BA-4a48-9304-1F9E18209E20}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-02-13_ac4a35c2f89e795a446d90572c26b552_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-13_ac4a35c2f89e795a446d90572c26b552_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1704
- C:\Windows\{3B51CBDA-7E43-4fcc-B1A1-F905A6F2D871}.exe
  C:\Windows\{3B51CBDA-7E43-4fcc-B1A1-F905A6F2D871}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1648
- - C:\Windows\{57AE9C69-27E5-4365-8304-5C4C20391606}.exe
    C:\Windows\{57AE9C69-27E5-4365-8304-5C4C20391606}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2680
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{57AE9~1.EXE > nul
      4⤵
      PID:2212
  - - C:\Windows\{E8BA948C-A14A-4ac6-8348-D5CD6AA1A968}.exe
      C:\Windows\{E8BA948C-A14A-4ac6-8348-D5CD6AA1A968}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2688
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E8BA9~1.EXE > nul
        5⤵
        
        PID:1688
    - - C:\Windows\{2891178B-31A8-465c-A275-A9680C93F227}.exe
        
        C:\Windows\{2891178B-31A8-465c-A275-A9680C93F227}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2028
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{28911~1.EXE > nul
        6⤵
        
        PID:1620
      - C:\Windows\{A509B4DC-A83F-4748-BAF9-49A9185C7A61}.exe
        
        C:\Windows\{A509B4DC-A83F-4748-BAF9-49A9185C7A61}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2656
        
        C:\Windows\{B3A326C6-2C46-4360-9F76-82C3A3A335DB}.exe
        
        C:\Windows\{B3A326C6-2C46-4360-9F76-82C3A3A335DB}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B3A32~1.EXE > nul
        8⤵
        
        PID:2840
        
        C:\Windows\{328A8966-D4BA-4a48-9304-1F9E18209E20}.exe
        
        C:\Windows\{328A8966-D4BA-4a48-9304-1F9E18209E20}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2852
        
        C:\Windows\{B88F1D98-914D-438e-B3D2-282EF15EC0C3}.exe
        
        C:\Windows\{B88F1D98-914D-438e-B3D2-282EF15EC0C3}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:860
        
        C:\Windows\{982D9459-73D6-4c9c-A6A2-A018FA0C4F4B}.exe
        
        C:\Windows\{982D9459-73D6-4c9c-A6A2-A018FA0C4F4B}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3012
        
        C:\Windows\{CC1320CF-7F05-4c90-AA09-06648BF0ADC4}.exe
        
        C:\Windows\{CC1320CF-7F05-4c90-AA09-06648BF0ADC4}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:324
        
        C:\Windows\{96CCCF4D-94E6-44db-8D93-4CDC84D08086}.exe
        
        C:\Windows\{96CCCF4D-94E6-44db-8D93-4CDC84D08086}.exe
        12⤵
        Executes dropped EXE
        
        PID:960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CC132~1.EXE > nul
        12⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{982D9~1.EXE > nul
        11⤵
        
        PID:700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B88F1~1.EXE > nul
        10⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{328A8~1.EXE > nul
        9⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A509B~1.EXE > nul
        7⤵
        
        PID:2800
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{3B51C~1.EXE > nul
    3⤵
    PID:2700
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{2891178B-31A8-465c-A275-A9680C93F227}.exe

Filesize
372KB

MD5
84cd2e5d41d7232b9e6333617f767a94

SHA1
c4f9652754336b45f149bed2a119db7141c65458

SHA256
decce37699f20641ebb6438a699524929db09c5a91162a1cb11aa13cecab4a87

SHA512
aa858566fa3ada738d8034a45f81dfff35c8efa2240d54f8f47b74f54499a770463ac87d14802415dfff6472b75526a5670215e8e2f4a1b3cade782649a38718

Download Submit
C:\Windows\{328A8966-D4BA-4a48-9304-1F9E18209E20}.exe

Filesize
372KB

MD5
32568b09a64b139f6a78bcadfdef427a

SHA1
68550b4403570cff979b4404e72f403b4f0a77d3

SHA256
7a7fa99fe981c038fe4b33ee0a5058b3b540e150229de791b12cd904c3852a3a

SHA512
1b08798228c8d687bae3ee4b55544c75f238be3d91f6cd68d9deced5f30bce65ac6b40c74c1c2d4bd25aa0950a625c2aa86be4fc32ff95f350a790ff64337538

Download Submit
C:\Windows\{3B51CBDA-7E43-4fcc-B1A1-F905A6F2D871}.exe

Filesize
372KB

MD5
23868e0b981c18aa75f9a92a69335bb7

SHA1
83d7a98826b23d62bcf53d7846567b07da548fcb

SHA256
b02b196f428f010b551daf075b2c5078e510b2044fe4e3d837581a6603ed049e

SHA512
6ef74e56d1caf2933d1c299874855f8d52093620d04fb462975dc50182076a9492317979ca1fa2e597fc86f5df1cbd714b14b52fa061f0abb1331a48a25b86d9

Download Submit
C:\Windows\{57AE9C69-27E5-4365-8304-5C4C20391606}.exe

Filesize
372KB

MD5
5262383c1c5b7551099802c7f8389d15

SHA1
9daf9ada440432ae61e7f11da6b3580b1adaa531

SHA256
b35e8e09bba74e448a63848aaa927fdc5a6fb2593a55d21ba95fb1f6f9ed23f5

SHA512
50e958569c369ace9fbe606ddcd4ce474a8d2fae8b8e6910a899f652150bd4e02c413a28344a1c700776f398f846d85369b67648915bf56d3a8667d590f3e194

Download Submit
C:\Windows\{96CCCF4D-94E6-44db-8D93-4CDC84D08086}.exe

Filesize
73KB

MD5
2d6db020f38dfe0bae9c36fe79c21308

SHA1
353cbb703eb103117d92d5ab496e1a8f48a2d41c

SHA256
823e9ad583f109e7d8d56557b9b55fd96fdc83522cfe6a48ea170b18f0ec933d

SHA512
1a936b9bd6439af3a973c36c471d6dba58e112d1b3ed58dd501cc583f7211d916ab7cba36df7f060cc8f836d8a5aa8e9cbc0914ca0be28e91b6cd5844ee70ac7

Download Submit
C:\Windows\{982D9459-73D6-4c9c-A6A2-A018FA0C4F4B}.exe

Filesize
372KB

MD5
7f197f84badb0d1badb82f53711e21a7

SHA1
a62d5368f8cc650c217f172475ec5bfbb4382937

SHA256
6f8c7f98f5046d51d48dcfc0bb062cb2c57f59e2187ffee8b36ea79b0000f812

SHA512
ab55a23dafe34da826eb8954220a180e681d33d0aeae8a668434a92a62184fef99847e13cf8775a89821898861aa527c3567320bc4cd5ee8d7b15ba63db68551

Download Submit
C:\Windows\{A509B4DC-A83F-4748-BAF9-49A9185C7A61}.exe

Filesize
372KB

MD5
1b739cccfc2ae103bc3a2f976414119c

SHA1
be516d1f9048792cc181afd777b15616381ab7e0

SHA256
4cc52af21f36ecc5b908e68363bf568571c0022f923a995cdf7986754fd35483

SHA512
09d2460e0a37aa0e09add27a7cdee43a61910ff82505a85f67f2cacf8327d1ba2f87f26223e1138f0797a20c48ed6cd8d3a255b0c8c46818ba16e3a058d476ba

Download Submit
C:\Windows\{B3A326C6-2C46-4360-9F76-82C3A3A335DB}.exe

Filesize
372KB

MD5
49c2d2498d13f37987c9c4383c631e68

SHA1
4791d545772cbb196c87841a45c1017d10841264

SHA256
ff34c7fbf3760ccb96a3b3bec59bf708f0698b3924f061bbbff670cd29584b74

SHA512
f27b90e89002e097a9786d2fd3507ee95cb0d73e81195141dd6edf160f8bf99ffab094db74ae43dd76a65e7f66c7ee9ab2f61fd9ed15e09b5fb48aadf26be9b6

Download Submit
C:\Windows\{B88F1D98-914D-438e-B3D2-282EF15EC0C3}.exe

Filesize
372KB

MD5
3b616cc4c08d13736f99ef1942cd80b3

SHA1
6253b7ccd88f51550314c24d75f8c51c41a84a8d

SHA256
6ac8adfe30fa4c624503ee0a341628a954c5e37bae3e403e0c18d6bfa9ef06e1

SHA512
d58edc1167ab95e91f50435a9edae1e395e2fd9a1d77ab8f8df5eb047a7773ce9fad5198ea4ff59db357673001d32413161d08f520e51cd967ffb4ac78fc899c

Download Submit
C:\Windows\{CC1320CF-7F05-4c90-AA09-06648BF0ADC4}.exe

Filesize
372KB

MD5
3f8d17049326c994dccde82c763f92c9

SHA1
1ef8e55fb96288ace9c4dc7a60c4af0ccef74414

SHA256
c2e3e74e6faf8bd814b3e314cd3bc52a2642de134967a4bbc895fa98718ba342

SHA512
6a4748c22aa2ef86fda67d255d449802c6e0f417bfe135c2d943769ee45f446a264b6db1f7173f3fbcd0fea4f1732540ef8e5797c33506f9597042f3b9d29b8c

Download Submit
C:\Windows\{CC1320CF-7F05-4c90-AA09-06648BF0ADC4}.exe

Filesize
31KB

MD5
3ad49ee34918a56b461d5e656b71f2d3

SHA1
22309d95c512c2d532a1f719c4fa18b534a5c1f1

SHA256
cf8d75dbd0ac7230f40095fcc7d3cbd318367d29dbe1d3295750c35a588afdc0

SHA512
555e4a402adb59b4c07077469181837527291a78529ed5b8a80e7721523d3943bb737c6836333ab0b4c9c8469afadc1e504cdfe9d209993c39e55cbdb135372f

Download Submit
C:\Windows\{E8BA948C-A14A-4ac6-8348-D5CD6AA1A968}.exe

Filesize
372KB

MD5
4f9a6a5b99b2c5c5517948baf69b4af3

SHA1
8ef4cceabfc7971e4d003cdcd3bca465cb1ba8f2

SHA256
ceb564fae818817b98adbd27f4c1c848057492587d7de28975bf1a6c51fd30b7

SHA512
aab159a111e56af08a0fbcdbb0103c156dcc799ba752e10e0fb41bab743984996a2b68f1f6293ef33d1aef26a7cff7811d5613ed217131291f282b6899a61523

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads