13ef50c601362da512b6be84919240368b082195929494ec15eb85f1870439d4

Analysis

max time kernel
144s
max time network
123s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
17/02/2024, 09:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-17_a0b0fe16a7d4404f3676eb609f677826_goldeneye.exe
Size

344KB
MD5

a0b0fe16a7d4404f3676eb609f677826
SHA1

a4763391011afd89dea3c0ecfb165d0681fd3c6d
SHA256

13ef50c601362da512b6be84919240368b082195929494ec15eb85f1870439d4
SHA512

54fe6fa537b7bae07e839d3fcab70f7d2b04dd949a607a57ddd628e51596e8f19adb12716fa59560ae849bf2f41b24b130f2d64a9368bbba1067245afc8b2b9e
SSDEEP

3072:mEGh0oXlEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGNlqOe2MUVg3v2IneKcAEcA

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000b000000012223-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000012266-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x003300000000b1f4-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x003400000000b1f4-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x003500000000b1f4-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x003600000000b1f4-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x003700000000b1f4-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D81FD8CD-C23C-4f5d-85B8-6BBD0D0B7C2B}	2024-02-17_a0b0fe16a7d4404f3676eb609f677826_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{00AB9FDF-0453-4744-999E-6F439D213D3E}\stubpath = "C:\\Windows\\{00AB9FDF-0453-4744-999E-6F439D213D3E}.exe"	{D81FD8CD-C23C-4f5d-85B8-6BBD0D0B7C2B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D81FD8CD-C23C-4f5d-85B8-6BBD0D0B7C2B}\stubpath = "C:\\Windows\\{D81FD8CD-C23C-4f5d-85B8-6BBD0D0B7C2B}.exe"	2024-02-17_a0b0fe16a7d4404f3676eb609f677826_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6FA8925A-1A1E-4053-BDF0-581CEEEA0D77}	{B7CB6396-528F-4398-88F3-D5F2ADCDDA9E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{81671E39-1019-47bd-B8E3-6F2613FE657F}	{59DDAEF2-9A02-403c-99A7-89AEB5E09AEE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{59DDAEF2-9A02-403c-99A7-89AEB5E09AEE}	{82D37051-0CB6-4a47-A0CC-550222601892}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{00AB9FDF-0453-4744-999E-6F439D213D3E}	{D81FD8CD-C23C-4f5d-85B8-6BBD0D0B7C2B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C2063650-C4A3-4f75-A896-495A26E4BEA1}	{6FA8925A-1A1E-4053-BDF0-581CEEEA0D77}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C2063650-C4A3-4f75-A896-495A26E4BEA1}\stubpath = "C:\\Windows\\{C2063650-C4A3-4f75-A896-495A26E4BEA1}.exe"	{6FA8925A-1A1E-4053-BDF0-581CEEEA0D77}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E7B964AF-CBAB-47ec-B68E-A48092CED724}	{C2063650-C4A3-4f75-A896-495A26E4BEA1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E7B964AF-CBAB-47ec-B68E-A48092CED724}\stubpath = "C:\\Windows\\{E7B964AF-CBAB-47ec-B68E-A48092CED724}.exe"	{C2063650-C4A3-4f75-A896-495A26E4BEA1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{82D37051-0CB6-4a47-A0CC-550222601892}	{E7B964AF-CBAB-47ec-B68E-A48092CED724}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{43C40AD4-9618-409b-98C1-76B16D410A32}	{81671E39-1019-47bd-B8E3-6F2613FE657F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{43C40AD4-9618-409b-98C1-76B16D410A32}\stubpath = "C:\\Windows\\{43C40AD4-9618-409b-98C1-76B16D410A32}.exe"	{81671E39-1019-47bd-B8E3-6F2613FE657F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B7CB6396-528F-4398-88F3-D5F2ADCDDA9E}	{00AB9FDF-0453-4744-999E-6F439D213D3E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B7CB6396-528F-4398-88F3-D5F2ADCDDA9E}\stubpath = "C:\\Windows\\{B7CB6396-528F-4398-88F3-D5F2ADCDDA9E}.exe"	{00AB9FDF-0453-4744-999E-6F439D213D3E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6FA8925A-1A1E-4053-BDF0-581CEEEA0D77}\stubpath = "C:\\Windows\\{6FA8925A-1A1E-4053-BDF0-581CEEEA0D77}.exe"	{B7CB6396-528F-4398-88F3-D5F2ADCDDA9E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{82D37051-0CB6-4a47-A0CC-550222601892}\stubpath = "C:\\Windows\\{82D37051-0CB6-4a47-A0CC-550222601892}.exe"	{E7B964AF-CBAB-47ec-B68E-A48092CED724}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{59DDAEF2-9A02-403c-99A7-89AEB5E09AEE}\stubpath = "C:\\Windows\\{59DDAEF2-9A02-403c-99A7-89AEB5E09AEE}.exe"	{82D37051-0CB6-4a47-A0CC-550222601892}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{81671E39-1019-47bd-B8E3-6F2613FE657F}\stubpath = "C:\\Windows\\{81671E39-1019-47bd-B8E3-6F2613FE657F}.exe"	{59DDAEF2-9A02-403c-99A7-89AEB5E09AEE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4AFCB211-5EA7-405f-A077-1FDC8D9F6665}	{43C40AD4-9618-409b-98C1-76B16D410A32}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4AFCB211-5EA7-405f-A077-1FDC8D9F6665}\stubpath = "C:\\Windows\\{4AFCB211-5EA7-405f-A077-1FDC8D9F6665}.exe"	{43C40AD4-9618-409b-98C1-76B16D410A32}.exe

Deletes itself 1 IoCs

pid	Process
2884	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2740	{D81FD8CD-C23C-4f5d-85B8-6BBD0D0B7C2B}.exe
2872	{00AB9FDF-0453-4744-999E-6F439D213D3E}.exe
1984	{B7CB6396-528F-4398-88F3-D5F2ADCDDA9E}.exe
2904	{6FA8925A-1A1E-4053-BDF0-581CEEEA0D77}.exe
2332	{C2063650-C4A3-4f75-A896-495A26E4BEA1}.exe
2564	{E7B964AF-CBAB-47ec-B68E-A48092CED724}.exe
2800	{82D37051-0CB6-4a47-A0CC-550222601892}.exe
1520	{59DDAEF2-9A02-403c-99A7-89AEB5E09AEE}.exe
1488	{81671E39-1019-47bd-B8E3-6F2613FE657F}.exe
2128	{43C40AD4-9618-409b-98C1-76B16D410A32}.exe
2000	{4AFCB211-5EA7-405f-A077-1FDC8D9F6665}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{D81FD8CD-C23C-4f5d-85B8-6BBD0D0B7C2B}.exe	2024-02-17_a0b0fe16a7d4404f3676eb609f677826_goldeneye.exe
File created	C:\Windows\{00AB9FDF-0453-4744-999E-6F439D213D3E}.exe	{D81FD8CD-C23C-4f5d-85B8-6BBD0D0B7C2B}.exe
File created	C:\Windows\{B7CB6396-528F-4398-88F3-D5F2ADCDDA9E}.exe	{00AB9FDF-0453-4744-999E-6F439D213D3E}.exe
File created	C:\Windows\{6FA8925A-1A1E-4053-BDF0-581CEEEA0D77}.exe	{B7CB6396-528F-4398-88F3-D5F2ADCDDA9E}.exe
File created	C:\Windows\{4AFCB211-5EA7-405f-A077-1FDC8D9F6665}.exe	{43C40AD4-9618-409b-98C1-76B16D410A32}.exe
File created	C:\Windows\{43C40AD4-9618-409b-98C1-76B16D410A32}.exe	{81671E39-1019-47bd-B8E3-6F2613FE657F}.exe
File created	C:\Windows\{C2063650-C4A3-4f75-A896-495A26E4BEA1}.exe	{6FA8925A-1A1E-4053-BDF0-581CEEEA0D77}.exe
File created	C:\Windows\{E7B964AF-CBAB-47ec-B68E-A48092CED724}.exe	{C2063650-C4A3-4f75-A896-495A26E4BEA1}.exe
File created	C:\Windows\{82D37051-0CB6-4a47-A0CC-550222601892}.exe	{E7B964AF-CBAB-47ec-B68E-A48092CED724}.exe
File created	C:\Windows\{59DDAEF2-9A02-403c-99A7-89AEB5E09AEE}.exe	{82D37051-0CB6-4a47-A0CC-550222601892}.exe
File created	C:\Windows\{81671E39-1019-47bd-B8E3-6F2613FE657F}.exe	{59DDAEF2-9A02-403c-99A7-89AEB5E09AEE}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3032	2024-02-17_a0b0fe16a7d4404f3676eb609f677826_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2740	{D81FD8CD-C23C-4f5d-85B8-6BBD0D0B7C2B}.exe
Token: SeIncBasePriorityPrivilege	2872	{00AB9FDF-0453-4744-999E-6F439D213D3E}.exe
Token: SeIncBasePriorityPrivilege	1984	{B7CB6396-528F-4398-88F3-D5F2ADCDDA9E}.exe
Token: SeIncBasePriorityPrivilege	2904	{6FA8925A-1A1E-4053-BDF0-581CEEEA0D77}.exe
Token: SeIncBasePriorityPrivilege	2332	{C2063650-C4A3-4f75-A896-495A26E4BEA1}.exe
Token: SeIncBasePriorityPrivilege	2564	{E7B964AF-CBAB-47ec-B68E-A48092CED724}.exe
Token: SeIncBasePriorityPrivilege	2800	{82D37051-0CB6-4a47-A0CC-550222601892}.exe
Token: SeIncBasePriorityPrivilege	1520	{59DDAEF2-9A02-403c-99A7-89AEB5E09AEE}.exe
Token: SeIncBasePriorityPrivilege	1488	{81671E39-1019-47bd-B8E3-6F2613FE657F}.exe
Token: SeIncBasePriorityPrivilege	2128	{43C40AD4-9618-409b-98C1-76B16D410A32}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3032 wrote to memory of 2740	3032	2024-02-17_a0b0fe16a7d4404f3676eb609f677826_goldeneye.exe	28
PID 3032 wrote to memory of 2740	3032	2024-02-17_a0b0fe16a7d4404f3676eb609f677826_goldeneye.exe	28
PID 3032 wrote to memory of 2740	3032	2024-02-17_a0b0fe16a7d4404f3676eb609f677826_goldeneye.exe	28
PID 3032 wrote to memory of 2740	3032	2024-02-17_a0b0fe16a7d4404f3676eb609f677826_goldeneye.exe	28
PID 3032 wrote to memory of 2884	3032	2024-02-17_a0b0fe16a7d4404f3676eb609f677826_goldeneye.exe	29
PID 3032 wrote to memory of 2884	3032	2024-02-17_a0b0fe16a7d4404f3676eb609f677826_goldeneye.exe	29
PID 3032 wrote to memory of 2884	3032	2024-02-17_a0b0fe16a7d4404f3676eb609f677826_goldeneye.exe	29
PID 3032 wrote to memory of 2884	3032	2024-02-17_a0b0fe16a7d4404f3676eb609f677826_goldeneye.exe	29
PID 2740 wrote to memory of 2872	2740	{D81FD8CD-C23C-4f5d-85B8-6BBD0D0B7C2B}.exe	30
PID 2740 wrote to memory of 2872	2740	{D81FD8CD-C23C-4f5d-85B8-6BBD0D0B7C2B}.exe	30
PID 2740 wrote to memory of 2872	2740	{D81FD8CD-C23C-4f5d-85B8-6BBD0D0B7C2B}.exe	30
PID 2740 wrote to memory of 2872	2740	{D81FD8CD-C23C-4f5d-85B8-6BBD0D0B7C2B}.exe	30
PID 2740 wrote to memory of 3044	2740	{D81FD8CD-C23C-4f5d-85B8-6BBD0D0B7C2B}.exe	31
PID 2740 wrote to memory of 3044	2740	{D81FD8CD-C23C-4f5d-85B8-6BBD0D0B7C2B}.exe	31
PID 2740 wrote to memory of 3044	2740	{D81FD8CD-C23C-4f5d-85B8-6BBD0D0B7C2B}.exe	31
PID 2740 wrote to memory of 3044	2740	{D81FD8CD-C23C-4f5d-85B8-6BBD0D0B7C2B}.exe	31
PID 2872 wrote to memory of 1984	2872	{00AB9FDF-0453-4744-999E-6F439D213D3E}.exe	34
PID 2872 wrote to memory of 1984	2872	{00AB9FDF-0453-4744-999E-6F439D213D3E}.exe	34
PID 2872 wrote to memory of 1984	2872	{00AB9FDF-0453-4744-999E-6F439D213D3E}.exe	34
PID 2872 wrote to memory of 1984	2872	{00AB9FDF-0453-4744-999E-6F439D213D3E}.exe	34
PID 2872 wrote to memory of 2660	2872	{00AB9FDF-0453-4744-999E-6F439D213D3E}.exe	35
PID 2872 wrote to memory of 2660	2872	{00AB9FDF-0453-4744-999E-6F439D213D3E}.exe	35
PID 2872 wrote to memory of 2660	2872	{00AB9FDF-0453-4744-999E-6F439D213D3E}.exe	35
PID 2872 wrote to memory of 2660	2872	{00AB9FDF-0453-4744-999E-6F439D213D3E}.exe	35
PID 1984 wrote to memory of 2904	1984	{B7CB6396-528F-4398-88F3-D5F2ADCDDA9E}.exe	36
PID 1984 wrote to memory of 2904	1984	{B7CB6396-528F-4398-88F3-D5F2ADCDDA9E}.exe	36
PID 1984 wrote to memory of 2904	1984	{B7CB6396-528F-4398-88F3-D5F2ADCDDA9E}.exe	36
PID 1984 wrote to memory of 2904	1984	{B7CB6396-528F-4398-88F3-D5F2ADCDDA9E}.exe	36
PID 1984 wrote to memory of 2944	1984	{B7CB6396-528F-4398-88F3-D5F2ADCDDA9E}.exe	37
PID 1984 wrote to memory of 2944	1984	{B7CB6396-528F-4398-88F3-D5F2ADCDDA9E}.exe	37
PID 1984 wrote to memory of 2944	1984	{B7CB6396-528F-4398-88F3-D5F2ADCDDA9E}.exe	37
PID 1984 wrote to memory of 2944	1984	{B7CB6396-528F-4398-88F3-D5F2ADCDDA9E}.exe	37
PID 2904 wrote to memory of 2332	2904	{6FA8925A-1A1E-4053-BDF0-581CEEEA0D77}.exe	38
PID 2904 wrote to memory of 2332	2904	{6FA8925A-1A1E-4053-BDF0-581CEEEA0D77}.exe	38
PID 2904 wrote to memory of 2332	2904	{6FA8925A-1A1E-4053-BDF0-581CEEEA0D77}.exe	38
PID 2904 wrote to memory of 2332	2904	{6FA8925A-1A1E-4053-BDF0-581CEEEA0D77}.exe	38
PID 2904 wrote to memory of 1916	2904	{6FA8925A-1A1E-4053-BDF0-581CEEEA0D77}.exe	39
PID 2904 wrote to memory of 1916	2904	{6FA8925A-1A1E-4053-BDF0-581CEEEA0D77}.exe	39
PID 2904 wrote to memory of 1916	2904	{6FA8925A-1A1E-4053-BDF0-581CEEEA0D77}.exe	39
PID 2904 wrote to memory of 1916	2904	{6FA8925A-1A1E-4053-BDF0-581CEEEA0D77}.exe	39
PID 2332 wrote to memory of 2564	2332	{C2063650-C4A3-4f75-A896-495A26E4BEA1}.exe	40
PID 2332 wrote to memory of 2564	2332	{C2063650-C4A3-4f75-A896-495A26E4BEA1}.exe	40
PID 2332 wrote to memory of 2564	2332	{C2063650-C4A3-4f75-A896-495A26E4BEA1}.exe	40
PID 2332 wrote to memory of 2564	2332	{C2063650-C4A3-4f75-A896-495A26E4BEA1}.exe	40
PID 2332 wrote to memory of 2796	2332	{C2063650-C4A3-4f75-A896-495A26E4BEA1}.exe	41
PID 2332 wrote to memory of 2796	2332	{C2063650-C4A3-4f75-A896-495A26E4BEA1}.exe	41
PID 2332 wrote to memory of 2796	2332	{C2063650-C4A3-4f75-A896-495A26E4BEA1}.exe	41
PID 2332 wrote to memory of 2796	2332	{C2063650-C4A3-4f75-A896-495A26E4BEA1}.exe	41
PID 2564 wrote to memory of 2800	2564	{E7B964AF-CBAB-47ec-B68E-A48092CED724}.exe	42
PID 2564 wrote to memory of 2800	2564	{E7B964AF-CBAB-47ec-B68E-A48092CED724}.exe	42
PID 2564 wrote to memory of 2800	2564	{E7B964AF-CBAB-47ec-B68E-A48092CED724}.exe	42
PID 2564 wrote to memory of 2800	2564	{E7B964AF-CBAB-47ec-B68E-A48092CED724}.exe	42
PID 2564 wrote to memory of 532	2564	{E7B964AF-CBAB-47ec-B68E-A48092CED724}.exe	43
PID 2564 wrote to memory of 532	2564	{E7B964AF-CBAB-47ec-B68E-A48092CED724}.exe	43
PID 2564 wrote to memory of 532	2564	{E7B964AF-CBAB-47ec-B68E-A48092CED724}.exe	43
PID 2564 wrote to memory of 532	2564	{E7B964AF-CBAB-47ec-B68E-A48092CED724}.exe	43
PID 2800 wrote to memory of 1520	2800	{82D37051-0CB6-4a47-A0CC-550222601892}.exe	44
PID 2800 wrote to memory of 1520	2800	{82D37051-0CB6-4a47-A0CC-550222601892}.exe	44
PID 2800 wrote to memory of 1520	2800	{82D37051-0CB6-4a47-A0CC-550222601892}.exe	44
PID 2800 wrote to memory of 1520	2800	{82D37051-0CB6-4a47-A0CC-550222601892}.exe	44
PID 2800 wrote to memory of 576	2800	{82D37051-0CB6-4a47-A0CC-550222601892}.exe	45
PID 2800 wrote to memory of 576	2800	{82D37051-0CB6-4a47-A0CC-550222601892}.exe	45
PID 2800 wrote to memory of 576	2800	{82D37051-0CB6-4a47-A0CC-550222601892}.exe	45
PID 2800 wrote to memory of 576	2800	{82D37051-0CB6-4a47-A0CC-550222601892}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-02-17_a0b0fe16a7d4404f3676eb609f677826_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-17_a0b0fe16a7d4404f3676eb609f677826_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3032
- C:\Windows\{D81FD8CD-C23C-4f5d-85B8-6BBD0D0B7C2B}.exe
  C:\Windows\{D81FD8CD-C23C-4f5d-85B8-6BBD0D0B7C2B}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2740
- - C:\Windows\{00AB9FDF-0453-4744-999E-6F439D213D3E}.exe
    C:\Windows\{00AB9FDF-0453-4744-999E-6F439D213D3E}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2872
  - - C:\Windows\{B7CB6396-528F-4398-88F3-D5F2ADCDDA9E}.exe
      C:\Windows\{B7CB6396-528F-4398-88F3-D5F2ADCDDA9E}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1984
    - - C:\Windows\{6FA8925A-1A1E-4053-BDF0-581CEEEA0D77}.exe
        
        C:\Windows\{6FA8925A-1A1E-4053-BDF0-581CEEEA0D77}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2904
      - C:\Windows\{C2063650-C4A3-4f75-A896-495A26E4BEA1}.exe
        
        C:\Windows\{C2063650-C4A3-4f75-A896-495A26E4BEA1}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2332
        
        C:\Windows\{E7B964AF-CBAB-47ec-B68E-A48092CED724}.exe
        
        C:\Windows\{E7B964AF-CBAB-47ec-B68E-A48092CED724}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2564
        
        C:\Windows\{82D37051-0CB6-4a47-A0CC-550222601892}.exe
        
        C:\Windows\{82D37051-0CB6-4a47-A0CC-550222601892}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2800
        
        C:\Windows\{59DDAEF2-9A02-403c-99A7-89AEB5E09AEE}.exe
        
        C:\Windows\{59DDAEF2-9A02-403c-99A7-89AEB5E09AEE}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1520
        
        C:\Windows\{81671E39-1019-47bd-B8E3-6F2613FE657F}.exe
        
        C:\Windows\{81671E39-1019-47bd-B8E3-6F2613FE657F}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1488
        
        C:\Windows\{43C40AD4-9618-409b-98C1-76B16D410A32}.exe
        
        C:\Windows\{43C40AD4-9618-409b-98C1-76B16D410A32}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2128
        
        C:\Windows\{4AFCB211-5EA7-405f-A077-1FDC8D9F6665}.exe
        
        C:\Windows\{4AFCB211-5EA7-405f-A077-1FDC8D9F6665}.exe
        12⤵
        Executes dropped EXE
        
        PID:2000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{43C40~1.EXE > nul
        12⤵
        
        PID:844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{81671~1.EXE > nul
        11⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{59DDA~1.EXE > nul
        10⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{82D37~1.EXE > nul
        9⤵
        
        PID:576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E7B96~1.EXE > nul
        8⤵
        
        PID:532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C2063~1.EXE > nul
        7⤵
        
        PID:2796
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6FA89~1.EXE > nul
        6⤵
        
        PID:1916
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B7CB6~1.EXE > nul
        5⤵
        
        PID:2944
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{00AB9~1.EXE > nul
      4⤵
      PID:2660
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{D81FD~1.EXE > nul
    3⤵
    PID:3044
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{00AB9FDF-0453-4744-999E-6F439D213D3E}.exe

Filesize
344KB

MD5
336b03949ae90c8a6136e59f7d51f734

SHA1
aa259509c2458e805b685afc04b3ba4dbc8fea17

SHA256
b132a2beece46a31f05ceb35abffbc0f2e8ea69b6c13e11049061492a2df102e

SHA512
3492a44d7e488d23460f07a562f1e025e687dddf0b776c1dc0eddf26fcf6382a84734319e909e979c16f63d87d4d49fade624a616299d0a61f2b3dbe18a0d32e

Download Submit
C:\Windows\{43C40AD4-9618-409b-98C1-76B16D410A32}.exe

Filesize
344KB

MD5
54ce896c1c37cfd201d836d1045616da

SHA1
4c489dd9c6b25be90b561ae67354a32e1d4545a8

SHA256
099b5d7a14c00e7d233289b8a823364c1039dc7e8d37f38754b81511d8a5f8da

SHA512
2422e85a49f45aab263d9bcbaabbb42e03cdb5a1200cb9b5470f88f9eb3db827edc352c3dc765d84bbce439fc84b216d2afc3ad176c851c9242be1aa7bd0191e

Download Submit
C:\Windows\{4AFCB211-5EA7-405f-A077-1FDC8D9F6665}.exe

Filesize
344KB

MD5
f00b54455f80a2aac3c48930259db9b0

SHA1
30797c2377f47de553ff7690386827ce2537fb5b

SHA256
b92d0af45e2e7990ee61abe7c6923b7ded2ecce802bfb01c722d6852525d1c6e

SHA512
a0307685fe610051e20956889aa24838055a233fcf6adcdd469d5d2c20705565a4c8a133e43090dabe9109fdb9916893ee5c5b2ec07ee26ca8b9b3f7e622edec

Download Submit
C:\Windows\{59DDAEF2-9A02-403c-99A7-89AEB5E09AEE}.exe

Filesize
344KB

MD5
8a06519dd0eafd228d19ba27ebf71cb8

SHA1
b6520b95dee17d8f86170d5d8c554ebc1ef22aa6

SHA256
860c67d0e80d66bdf433247e1bd6be2fc303cf4d6918c455a67117ff34c54006

SHA512
93d1dc273c25ed302dfd2ef74ca9131183ce9553d7fbcb7c01f7a4540b20c6fc3f73dafaccc16d9753f62a20ea802b2f387ff062ceac3c0c8021d131444f3ddb

Download Submit
C:\Windows\{6FA8925A-1A1E-4053-BDF0-581CEEEA0D77}.exe

Filesize
344KB

MD5
a20d4e015bfcc5befc59b24c3a0ba218

SHA1
5608149fcab1e45c325671a58de5edf5399edea8

SHA256
aa725bb6be2f6645937cd4935f936bd51388fd31c102b0d3bdb468672e95172c

SHA512
ba18d130bad827c59f18fcad76987253f6917129bd5f6465dcb19ca31c10efd43d294e727351e47aedf8c424f74d819e17ee5e83fc449da124270f1e554b0081

Download Submit
C:\Windows\{81671E39-1019-47bd-B8E3-6F2613FE657F}.exe

Filesize
344KB

MD5
8779c0d9a186b8bb0d1657000c909eb3

SHA1
c9b3f2d9d0a86ec59d2d84a4f66d48e50faf223a

SHA256
55eda98b845899eb547f6af36e182a91511beeb1f8fc6e9270eb9dfe25396822

SHA512
76f1b4bdba0d1584bcf0ca5839b5f4fc8d40971c405faff24cf041658ecc7319450b1f1951787067645f3fd6789ed1d74aad8e04fb270d8d5c3341fd228fa3d6

Download Submit
C:\Windows\{82D37051-0CB6-4a47-A0CC-550222601892}.exe

Filesize
344KB

MD5
1e654541e93a1b5fc7448ae22cd9acd8

SHA1
2f365f29be8ee56bd4f4851cb2b8a4f43602dbca

SHA256
ed9a56248b6f752d52bf257cd3b0c4d3f1ea9c8e5b109d6d3ae65131ad140142

SHA512
bd4366d3c109f70352fcd70af5435c7e9a16bb37058c3b4418f7cba1a496925a0359d9e399463c169ab7c5244bdbddf86ec609621a3e416e1344fbcc962abab9

Download Submit
C:\Windows\{B7CB6396-528F-4398-88F3-D5F2ADCDDA9E}.exe

Filesize
344KB

MD5
a849f4516cc00a6d6db8d0494ed94070

SHA1
d42261e36fb80153a6459f39586c50205fff6681

SHA256
5f399611b899c78188e7a975a0a9a4124bf73a82b2578419cc3c3418dced47a4

SHA512
dda5705e3a0b8e9145353577a5b822bdad727eca5e7fa4c60ae43878226eeab3f532932106b3cb9444fb752682621b9c98b790bcc0c2c8e73cc71bcd293f9bca

Download Submit
C:\Windows\{C2063650-C4A3-4f75-A896-495A26E4BEA1}.exe

Filesize
344KB

MD5
b624227f8db81965816cbdb66cc6b540

SHA1
f9a3ac075a232d7f99e9f140d68a892a3346994a

SHA256
0cbc6b3cfbf8a1a78a388197abfef93fa9ade89c16965160e88d2c1ec4d64504

SHA512
ddfff87c8175c81febfacc4ea75c955d4deff704181e37d8e6609ac4ffe5ffda78f6c07a36f801da3ef1fbe27ece577bd00a41971ae990e6b5b5aedc870e737a

Download Submit
C:\Windows\{D81FD8CD-C23C-4f5d-85B8-6BBD0D0B7C2B}.exe

Filesize
344KB

MD5
6140fc713a53d58f6f3cac9bf9f0dce4

SHA1
13528e4ce2c5aed7bad40e5a75582b2a2a0c1487

SHA256
8bc0e68e5ced6d8d7987eff22a4cca79187003cb7b83ef5a07370fe09014d7e0

SHA512
d02671cd1e6eb1760f9856c5f328a82fcdb1c9171ae2e03a9eff7803cff51e6b3036233c76e12acea69325f482e4b6e7610179cb7883abfcf70ccc5551ac9c47

Download Submit
C:\Windows\{E7B964AF-CBAB-47ec-B68E-A48092CED724}.exe

Filesize
344KB

MD5
ab7a346105d81fb3c81730fd9498791a

SHA1
b67820deaa826956b009c6a8bfa658544b382d46

SHA256
d57f5a94eaf3895ee61fb77d55893a40597aeca238727617d2ecaebb3405bf28

SHA512
cc8969bde9ac8be4e84c189da7bbba81e165a4ecb9d07f5dabe7026c9dad0f62849e584fcd3efba2056caa60b42c7c99df46c696a54c0a705a9733e39adb5e19

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads