e54605d550298b60f5ce22ecfcbfb89474b540024c8233170667893d63b17566

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
27/02/2024, 18:56

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-02-27_d88c771e8b0eb26d9ee2c4e8722b3024_goldeneye.exe
Size

408KB
MD5

d88c771e8b0eb26d9ee2c4e8722b3024
SHA1

70cabc624ab2f566f7a561887ef4b0e3b93663af
SHA256

e54605d550298b60f5ce22ecfcbfb89474b540024c8233170667893d63b17566
SHA512

d5b58d3fad16e8e530b8c9e87b6b4b2f4c6c1d443593cb4e3c9890b3aaa7791a221c7dca5b2484c2d6276bb9cf5d734e5e4b4a6e2a3c2df333568e8474fda97d
SSDEEP

3072:CEGh0orl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBft:CEGZldOe2MUVg3vTeKcAEciTBqr3jy9

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x00090000000122be-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000013ab9-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a0000000122be-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x003600000001654a-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b0000000122be-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c0000000122be-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d0000000122be-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{302CCE17-3B6A-4f51-8F8B-C06099539BB8}\stubpath = "C:\\Windows\\{302CCE17-3B6A-4f51-8F8B-C06099539BB8}.exe"	2024-02-27_d88c771e8b0eb26d9ee2c4e8722b3024_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A6F0C4D7-E20B-4efa-8842-E992A3527F24}\stubpath = "C:\\Windows\\{A6F0C4D7-E20B-4efa-8842-E992A3527F24}.exe"	{E2F20075-863F-4339-8A2F-E373FEB3A5ED}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F7C77CED-E17A-4509-A8DB-0BD43928B046}	{87D65B68-C3AB-412a-9589-DBBE8DB126E8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B992E921-9406-49e4-81A4-D9FA8E758FDC}\stubpath = "C:\\Windows\\{B992E921-9406-49e4-81A4-D9FA8E758FDC}.exe"	{97BB53E1-4DB8-4fed-AE68-441DBA1F52C5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1C6661A9-C8B6-494a-8C83-A7277AAFEDA9}\stubpath = "C:\\Windows\\{1C6661A9-C8B6-494a-8C83-A7277AAFEDA9}.exe"	{302CCE17-3B6A-4f51-8F8B-C06099539BB8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E2F20075-863F-4339-8A2F-E373FEB3A5ED}\stubpath = "C:\\Windows\\{E2F20075-863F-4339-8A2F-E373FEB3A5ED}.exe"	{1C6661A9-C8B6-494a-8C83-A7277AAFEDA9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8541B397-2994-4dfa-A505-1F8B40420F0E}	{A6F0C4D7-E20B-4efa-8842-E992A3527F24}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F20D6AF1-36EF-43f3-A26E-7A14D8B3DF09}\stubpath = "C:\\Windows\\{F20D6AF1-36EF-43f3-A26E-7A14D8B3DF09}.exe"	{8541B397-2994-4dfa-A505-1F8B40420F0E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F7C77CED-E17A-4509-A8DB-0BD43928B046}\stubpath = "C:\\Windows\\{F7C77CED-E17A-4509-A8DB-0BD43928B046}.exe"	{87D65B68-C3AB-412a-9589-DBBE8DB126E8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{97BB53E1-4DB8-4fed-AE68-441DBA1F52C5}\stubpath = "C:\\Windows\\{97BB53E1-4DB8-4fed-AE68-441DBA1F52C5}.exe"	{F7C77CED-E17A-4509-A8DB-0BD43928B046}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{302CCE17-3B6A-4f51-8F8B-C06099539BB8}	2024-02-27_d88c771e8b0eb26d9ee2c4e8722b3024_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1C6661A9-C8B6-494a-8C83-A7277AAFEDA9}	{302CCE17-3B6A-4f51-8F8B-C06099539BB8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8541B397-2994-4dfa-A505-1F8B40420F0E}\stubpath = "C:\\Windows\\{8541B397-2994-4dfa-A505-1F8B40420F0E}.exe"	{A6F0C4D7-E20B-4efa-8842-E992A3527F24}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{87D65B68-C3AB-412a-9589-DBBE8DB126E8}	{B95B6326-64DB-40c0-9463-1D427A7F98EA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B95B6326-64DB-40c0-9463-1D427A7F98EA}\stubpath = "C:\\Windows\\{B95B6326-64DB-40c0-9463-1D427A7F98EA}.exe"	{F20D6AF1-36EF-43f3-A26E-7A14D8B3DF09}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{87D65B68-C3AB-412a-9589-DBBE8DB126E8}\stubpath = "C:\\Windows\\{87D65B68-C3AB-412a-9589-DBBE8DB126E8}.exe"	{B95B6326-64DB-40c0-9463-1D427A7F98EA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{97BB53E1-4DB8-4fed-AE68-441DBA1F52C5}	{F7C77CED-E17A-4509-A8DB-0BD43928B046}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B992E921-9406-49e4-81A4-D9FA8E758FDC}	{97BB53E1-4DB8-4fed-AE68-441DBA1F52C5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E2F20075-863F-4339-8A2F-E373FEB3A5ED}	{1C6661A9-C8B6-494a-8C83-A7277AAFEDA9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A6F0C4D7-E20B-4efa-8842-E992A3527F24}	{E2F20075-863F-4339-8A2F-E373FEB3A5ED}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F20D6AF1-36EF-43f3-A26E-7A14D8B3DF09}	{8541B397-2994-4dfa-A505-1F8B40420F0E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B95B6326-64DB-40c0-9463-1D427A7F98EA}	{F20D6AF1-36EF-43f3-A26E-7A14D8B3DF09}.exe

Deletes itself 1 IoCs

pid	Process
2548	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
380	{302CCE17-3B6A-4f51-8F8B-C06099539BB8}.exe
2648	{1C6661A9-C8B6-494a-8C83-A7277AAFEDA9}.exe
2712	{E2F20075-863F-4339-8A2F-E373FEB3A5ED}.exe
2636	{A6F0C4D7-E20B-4efa-8842-E992A3527F24}.exe
2744	{8541B397-2994-4dfa-A505-1F8B40420F0E}.exe
2296	{F20D6AF1-36EF-43f3-A26E-7A14D8B3DF09}.exe
2580	{B95B6326-64DB-40c0-9463-1D427A7F98EA}.exe
1296	{87D65B68-C3AB-412a-9589-DBBE8DB126E8}.exe
2292	{F7C77CED-E17A-4509-A8DB-0BD43928B046}.exe
688	{97BB53E1-4DB8-4fed-AE68-441DBA1F52C5}.exe
2844	{B992E921-9406-49e4-81A4-D9FA8E758FDC}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{87D65B68-C3AB-412a-9589-DBBE8DB126E8}.exe	{B95B6326-64DB-40c0-9463-1D427A7F98EA}.exe
File created	C:\Windows\{97BB53E1-4DB8-4fed-AE68-441DBA1F52C5}.exe	{F7C77CED-E17A-4509-A8DB-0BD43928B046}.exe
File created	C:\Windows\{B992E921-9406-49e4-81A4-D9FA8E758FDC}.exe	{97BB53E1-4DB8-4fed-AE68-441DBA1F52C5}.exe
File created	C:\Windows\{302CCE17-3B6A-4f51-8F8B-C06099539BB8}.exe	2024-02-27_d88c771e8b0eb26d9ee2c4e8722b3024_goldeneye.exe
File created	C:\Windows\{1C6661A9-C8B6-494a-8C83-A7277AAFEDA9}.exe	{302CCE17-3B6A-4f51-8F8B-C06099539BB8}.exe
File created	C:\Windows\{E2F20075-863F-4339-8A2F-E373FEB3A5ED}.exe	{1C6661A9-C8B6-494a-8C83-A7277AAFEDA9}.exe
File created	C:\Windows\{B95B6326-64DB-40c0-9463-1D427A7F98EA}.exe	{F20D6AF1-36EF-43f3-A26E-7A14D8B3DF09}.exe
File created	C:\Windows\{F7C77CED-E17A-4509-A8DB-0BD43928B046}.exe	{87D65B68-C3AB-412a-9589-DBBE8DB126E8}.exe
File created	C:\Windows\{A6F0C4D7-E20B-4efa-8842-E992A3527F24}.exe	{E2F20075-863F-4339-8A2F-E373FEB3A5ED}.exe
File created	C:\Windows\{8541B397-2994-4dfa-A505-1F8B40420F0E}.exe	{A6F0C4D7-E20B-4efa-8842-E992A3527F24}.exe
File created	C:\Windows\{F20D6AF1-36EF-43f3-A26E-7A14D8B3DF09}.exe	{8541B397-2994-4dfa-A505-1F8B40420F0E}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2484	2024-02-27_d88c771e8b0eb26d9ee2c4e8722b3024_goldeneye.exe
Token: SeIncBasePriorityPrivilege	380	{302CCE17-3B6A-4f51-8F8B-C06099539BB8}.exe
Token: SeIncBasePriorityPrivilege	2648	{1C6661A9-C8B6-494a-8C83-A7277AAFEDA9}.exe
Token: SeIncBasePriorityPrivilege	2712	{E2F20075-863F-4339-8A2F-E373FEB3A5ED}.exe
Token: SeIncBasePriorityPrivilege	2636	{A6F0C4D7-E20B-4efa-8842-E992A3527F24}.exe
Token: SeIncBasePriorityPrivilege	2744	{8541B397-2994-4dfa-A505-1F8B40420F0E}.exe
Token: SeIncBasePriorityPrivilege	2296	{F20D6AF1-36EF-43f3-A26E-7A14D8B3DF09}.exe
Token: SeIncBasePriorityPrivilege	2580	{B95B6326-64DB-40c0-9463-1D427A7F98EA}.exe
Token: SeIncBasePriorityPrivilege	1296	{87D65B68-C3AB-412a-9589-DBBE8DB126E8}.exe
Token: SeIncBasePriorityPrivilege	2292	{F7C77CED-E17A-4509-A8DB-0BD43928B046}.exe
Token: SeIncBasePriorityPrivilege	688	{97BB53E1-4DB8-4fed-AE68-441DBA1F52C5}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2484 wrote to memory of 380	2484	2024-02-27_d88c771e8b0eb26d9ee2c4e8722b3024_goldeneye.exe	28
PID 2484 wrote to memory of 380	2484	2024-02-27_d88c771e8b0eb26d9ee2c4e8722b3024_goldeneye.exe	28
PID 2484 wrote to memory of 380	2484	2024-02-27_d88c771e8b0eb26d9ee2c4e8722b3024_goldeneye.exe	28
PID 2484 wrote to memory of 380	2484	2024-02-27_d88c771e8b0eb26d9ee2c4e8722b3024_goldeneye.exe	28
PID 2484 wrote to memory of 2548	2484	2024-02-27_d88c771e8b0eb26d9ee2c4e8722b3024_goldeneye.exe	29
PID 2484 wrote to memory of 2548	2484	2024-02-27_d88c771e8b0eb26d9ee2c4e8722b3024_goldeneye.exe	29
PID 2484 wrote to memory of 2548	2484	2024-02-27_d88c771e8b0eb26d9ee2c4e8722b3024_goldeneye.exe	29
PID 2484 wrote to memory of 2548	2484	2024-02-27_d88c771e8b0eb26d9ee2c4e8722b3024_goldeneye.exe	29
PID 380 wrote to memory of 2648	380	{302CCE17-3B6A-4f51-8F8B-C06099539BB8}.exe	30
PID 380 wrote to memory of 2648	380	{302CCE17-3B6A-4f51-8F8B-C06099539BB8}.exe	30
PID 380 wrote to memory of 2648	380	{302CCE17-3B6A-4f51-8F8B-C06099539BB8}.exe	30
PID 380 wrote to memory of 2648	380	{302CCE17-3B6A-4f51-8F8B-C06099539BB8}.exe	30
PID 380 wrote to memory of 2720	380	{302CCE17-3B6A-4f51-8F8B-C06099539BB8}.exe	31
PID 380 wrote to memory of 2720	380	{302CCE17-3B6A-4f51-8F8B-C06099539BB8}.exe	31
PID 380 wrote to memory of 2720	380	{302CCE17-3B6A-4f51-8F8B-C06099539BB8}.exe	31
PID 380 wrote to memory of 2720	380	{302CCE17-3B6A-4f51-8F8B-C06099539BB8}.exe	31
PID 2648 wrote to memory of 2712	2648	{1C6661A9-C8B6-494a-8C83-A7277AAFEDA9}.exe	32
PID 2648 wrote to memory of 2712	2648	{1C6661A9-C8B6-494a-8C83-A7277AAFEDA9}.exe	32
PID 2648 wrote to memory of 2712	2648	{1C6661A9-C8B6-494a-8C83-A7277AAFEDA9}.exe	32
PID 2648 wrote to memory of 2712	2648	{1C6661A9-C8B6-494a-8C83-A7277AAFEDA9}.exe	32
PID 2648 wrote to memory of 2600	2648	{1C6661A9-C8B6-494a-8C83-A7277AAFEDA9}.exe	33
PID 2648 wrote to memory of 2600	2648	{1C6661A9-C8B6-494a-8C83-A7277AAFEDA9}.exe	33
PID 2648 wrote to memory of 2600	2648	{1C6661A9-C8B6-494a-8C83-A7277AAFEDA9}.exe	33
PID 2648 wrote to memory of 2600	2648	{1C6661A9-C8B6-494a-8C83-A7277AAFEDA9}.exe	33
PID 2712 wrote to memory of 2636	2712	{E2F20075-863F-4339-8A2F-E373FEB3A5ED}.exe	36
PID 2712 wrote to memory of 2636	2712	{E2F20075-863F-4339-8A2F-E373FEB3A5ED}.exe	36
PID 2712 wrote to memory of 2636	2712	{E2F20075-863F-4339-8A2F-E373FEB3A5ED}.exe	36
PID 2712 wrote to memory of 2636	2712	{E2F20075-863F-4339-8A2F-E373FEB3A5ED}.exe	36
PID 2712 wrote to memory of 2660	2712	{E2F20075-863F-4339-8A2F-E373FEB3A5ED}.exe	37
PID 2712 wrote to memory of 2660	2712	{E2F20075-863F-4339-8A2F-E373FEB3A5ED}.exe	37
PID 2712 wrote to memory of 2660	2712	{E2F20075-863F-4339-8A2F-E373FEB3A5ED}.exe	37
PID 2712 wrote to memory of 2660	2712	{E2F20075-863F-4339-8A2F-E373FEB3A5ED}.exe	37
PID 2636 wrote to memory of 2744	2636	{A6F0C4D7-E20B-4efa-8842-E992A3527F24}.exe	39
PID 2636 wrote to memory of 2744	2636	{A6F0C4D7-E20B-4efa-8842-E992A3527F24}.exe	39
PID 2636 wrote to memory of 2744	2636	{A6F0C4D7-E20B-4efa-8842-E992A3527F24}.exe	39
PID 2636 wrote to memory of 2744	2636	{A6F0C4D7-E20B-4efa-8842-E992A3527F24}.exe	39
PID 2636 wrote to memory of 2884	2636	{A6F0C4D7-E20B-4efa-8842-E992A3527F24}.exe	38
PID 2636 wrote to memory of 2884	2636	{A6F0C4D7-E20B-4efa-8842-E992A3527F24}.exe	38
PID 2636 wrote to memory of 2884	2636	{A6F0C4D7-E20B-4efa-8842-E992A3527F24}.exe	38
PID 2636 wrote to memory of 2884	2636	{A6F0C4D7-E20B-4efa-8842-E992A3527F24}.exe	38
PID 2744 wrote to memory of 2296	2744	{8541B397-2994-4dfa-A505-1F8B40420F0E}.exe	40
PID 2744 wrote to memory of 2296	2744	{8541B397-2994-4dfa-A505-1F8B40420F0E}.exe	40
PID 2744 wrote to memory of 2296	2744	{8541B397-2994-4dfa-A505-1F8B40420F0E}.exe	40
PID 2744 wrote to memory of 2296	2744	{8541B397-2994-4dfa-A505-1F8B40420F0E}.exe	40
PID 2744 wrote to memory of 2152	2744	{8541B397-2994-4dfa-A505-1F8B40420F0E}.exe	41
PID 2744 wrote to memory of 2152	2744	{8541B397-2994-4dfa-A505-1F8B40420F0E}.exe	41
PID 2744 wrote to memory of 2152	2744	{8541B397-2994-4dfa-A505-1F8B40420F0E}.exe	41
PID 2744 wrote to memory of 2152	2744	{8541B397-2994-4dfa-A505-1F8B40420F0E}.exe	41
PID 2296 wrote to memory of 2580	2296	{F20D6AF1-36EF-43f3-A26E-7A14D8B3DF09}.exe	43
PID 2296 wrote to memory of 2580	2296	{F20D6AF1-36EF-43f3-A26E-7A14D8B3DF09}.exe	43
PID 2296 wrote to memory of 2580	2296	{F20D6AF1-36EF-43f3-A26E-7A14D8B3DF09}.exe	43
PID 2296 wrote to memory of 2580	2296	{F20D6AF1-36EF-43f3-A26E-7A14D8B3DF09}.exe	43
PID 2296 wrote to memory of 2452	2296	{F20D6AF1-36EF-43f3-A26E-7A14D8B3DF09}.exe	42
PID 2296 wrote to memory of 2452	2296	{F20D6AF1-36EF-43f3-A26E-7A14D8B3DF09}.exe	42
PID 2296 wrote to memory of 2452	2296	{F20D6AF1-36EF-43f3-A26E-7A14D8B3DF09}.exe	42
PID 2296 wrote to memory of 2452	2296	{F20D6AF1-36EF-43f3-A26E-7A14D8B3DF09}.exe	42
PID 2580 wrote to memory of 1296	2580	{B95B6326-64DB-40c0-9463-1D427A7F98EA}.exe	45
PID 2580 wrote to memory of 1296	2580	{B95B6326-64DB-40c0-9463-1D427A7F98EA}.exe	45
PID 2580 wrote to memory of 1296	2580	{B95B6326-64DB-40c0-9463-1D427A7F98EA}.exe	45
PID 2580 wrote to memory of 1296	2580	{B95B6326-64DB-40c0-9463-1D427A7F98EA}.exe	45
PID 2580 wrote to memory of 1700	2580	{B95B6326-64DB-40c0-9463-1D427A7F98EA}.exe	44
PID 2580 wrote to memory of 1700	2580	{B95B6326-64DB-40c0-9463-1D427A7F98EA}.exe	44
PID 2580 wrote to memory of 1700	2580	{B95B6326-64DB-40c0-9463-1D427A7F98EA}.exe	44
PID 2580 wrote to memory of 1700	2580	{B95B6326-64DB-40c0-9463-1D427A7F98EA}.exe	44

C:\Users\Admin\AppData\Local\Temp\2024-02-27_d88c771e8b0eb26d9ee2c4e8722b3024_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-27_d88c771e8b0eb26d9ee2c4e8722b3024_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2484
- C:\Windows\{302CCE17-3B6A-4f51-8F8B-C06099539BB8}.exe
  C:\Windows\{302CCE17-3B6A-4f51-8F8B-C06099539BB8}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:380
- - C:\Windows\{1C6661A9-C8B6-494a-8C83-A7277AAFEDA9}.exe
    C:\Windows\{1C6661A9-C8B6-494a-8C83-A7277AAFEDA9}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2648
  - - C:\Windows\{E2F20075-863F-4339-8A2F-E373FEB3A5ED}.exe
      C:\Windows\{E2F20075-863F-4339-8A2F-E373FEB3A5ED}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2712
    - - C:\Windows\{A6F0C4D7-E20B-4efa-8842-E992A3527F24}.exe
        
        C:\Windows\{A6F0C4D7-E20B-4efa-8842-E992A3527F24}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2636
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A6F0C~1.EXE > nul
        6⤵
        
        PID:2884
      - C:\Windows\{8541B397-2994-4dfa-A505-1F8B40420F0E}.exe
        
        C:\Windows\{8541B397-2994-4dfa-A505-1F8B40420F0E}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2744
        
        C:\Windows\{F20D6AF1-36EF-43f3-A26E-7A14D8B3DF09}.exe
        
        C:\Windows\{F20D6AF1-36EF-43f3-A26E-7A14D8B3DF09}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F20D6~1.EXE > nul
        8⤵
        
        PID:2452
        
        C:\Windows\{B95B6326-64DB-40c0-9463-1D427A7F98EA}.exe
        
        C:\Windows\{B95B6326-64DB-40c0-9463-1D427A7F98EA}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B95B6~1.EXE > nul
        9⤵
        
        PID:1700
        
        C:\Windows\{87D65B68-C3AB-412a-9589-DBBE8DB126E8}.exe
        
        C:\Windows\{87D65B68-C3AB-412a-9589-DBBE8DB126E8}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1296
        
        C:\Windows\{F7C77CED-E17A-4509-A8DB-0BD43928B046}.exe
        
        C:\Windows\{F7C77CED-E17A-4509-A8DB-0BD43928B046}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2292
        
        C:\Windows\{97BB53E1-4DB8-4fed-AE68-441DBA1F52C5}.exe
        
        C:\Windows\{97BB53E1-4DB8-4fed-AE68-441DBA1F52C5}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:688
        
        C:\Windows\{B992E921-9406-49e4-81A4-D9FA8E758FDC}.exe
        
        C:\Windows\{B992E921-9406-49e4-81A4-D9FA8E758FDC}.exe
        12⤵
        Executes dropped EXE
        
        PID:2844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{97BB5~1.EXE > nul
        12⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F7C77~1.EXE > nul
        11⤵
        
        PID:280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{87D65~1.EXE > nul
        10⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8541B~1.EXE > nul
        7⤵
        
        PID:2152
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E2F20~1.EXE > nul
        5⤵
        
        PID:2660
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{1C666~1.EXE > nul
      4⤵
      PID:2600
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{302CC~1.EXE > nul
    3⤵
    PID:2720
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1C6661A9-C8B6-494a-8C83-A7277AAFEDA9}.exe

Filesize
408KB

MD5
6b3253c436f6ab16f45214aa69fc3448

SHA1
430f3011ef9330094d66380ca2b4ead6608e67fc

SHA256
3e2c4e84542068b799999df0c7b36b1b863b64751aef5f9ca203d54c5b2020eb

SHA512
ae1ee1d40badb6822f3fe911121152accc89ceddc0b354fd4f808e53be8cf4c407ec2cfce866ac72d6f627633eb4966fcf3a6d443cc199ff204fd80fcd5fad54

Download Submit
C:\Windows\{302CCE17-3B6A-4f51-8F8B-C06099539BB8}.exe

Filesize
408KB

MD5
713b07352dbe5285726b5f2d712db090

SHA1
069fb4a3b1375eb51395c4929e43bff09854ba79

SHA256
4cd09b4a33aa8a587448cba4a34423c78536bb227a9987c2df7d2b55311b6fbb

SHA512
8bdd0aaba0ec8da50838d67524739f78c827c8850b7af8dde119b1e344ca5d1a91f050c9dd874582f62ade8cffc3dbe1e455d676c65dc2ab2bc5b85f68e6fb56

Download Submit
C:\Windows\{8541B397-2994-4dfa-A505-1F8B40420F0E}.exe

Filesize
408KB

MD5
cb932e73c0d673ed337ecb6216410dbd

SHA1
1050c7c3c4e3b1be738dc3cd123b5ad734af2b02

SHA256
51c6447282d099b919f70d017c284314475b0df855900c8682478ed6f75d6a2e

SHA512
68dbcd35434d25f75bcc81c8bbde3827f4b2c0e24dd06ba5111fc46e85c6a3d8b162c0b17592d570c434e4c57d73ea43c9f485267a0e8f34b9217c0ba6e43447

Download Submit
C:\Windows\{87D65B68-C3AB-412a-9589-DBBE8DB126E8}.exe

Filesize
408KB

MD5
2fd2384b44c6cfdf53c5d9ac708bcf60

SHA1
94796b7c83412337a6df4acb91c73fae1ae2b9fd

SHA256
73839a29e749e28044584463c9f42e54416b29e3d3aacd0cab21d2a754c5d85f

SHA512
ad08c2d799ced30a783d453a6d0284d09612a187a938a0f48cb90a435410b33b112a8f70acf9ea2b65f26ef2f68a99fdbd385f6fa0b7f8a9858e7756578536f1

Download Submit
C:\Windows\{97BB53E1-4DB8-4fed-AE68-441DBA1F52C5}.exe

Filesize
408KB

MD5
b98c3905233c4fffb6df1eb1671a1843

SHA1
03246c1ae570458b044ce6d48c574015c5d0045d

SHA256
b4d06ffe8091896fee3460c43acd9a44342c0647675adf28e372f57a004fbfb7

SHA512
2cb8d134f5ed3b48ab07eb8cba6ad882e9b1cd72157d6719085a435eb8ceb232c862970ed05d981502a2f6230189c9d7341e8ce7ea4bc88ddb5029f09694a696

Download Submit
C:\Windows\{A6F0C4D7-E20B-4efa-8842-E992A3527F24}.exe

Filesize
408KB

MD5
f4857687cf5cb0652471ef43ccc2451e

SHA1
f3aa0238cceddc9dcafd9776babb9692dbb44cbd

SHA256
81e88d072279b92e61ae63ef7c0443ff82f014df217799cb5ea61a66738dc67f

SHA512
b31c7d9ab1d1aaf2ad48e86c2374b6840827f268bde1ede3e02c577f9136c9e35dac4232e6aff7454b2a1d2c9dd4a8eb9835dccf517a1d812d4ffa2ee4ac7d19

Download Submit
C:\Windows\{B95B6326-64DB-40c0-9463-1D427A7F98EA}.exe

Filesize
408KB

MD5
f62869dd1a593b15fd7a31b97c975de6

SHA1
9a4f313e2772009a025009a9a017caee367f32b4

SHA256
dd3320a4b6d4684640cf4c9ac6c7c0adbbaa0acfdd2ff154ec8891c584d08bb4

SHA512
bccc47ff40983632d42ec4ad260739583f0fed74a744fe2730e779cb4d6a4d4a81bffbd169ca2505babd2cdd1dd9435b2a5d0937e3754a6c95503344a995fd55

Download Submit
C:\Windows\{B992E921-9406-49e4-81A4-D9FA8E758FDC}.exe

Filesize
408KB

MD5
22b4d040bfbeb09433fe1d6d90a34125

SHA1
f0531a8b62d3df6515b2349a809916ef6472ba91

SHA256
c117cacf7bf9694d45d27f9a37170c6208710bb5ee1e0dacc0f23ba39be93864

SHA512
5f5c56a3f2ff1de9032f51b5cb51d5ed0a890d76d229674663068b1cb6469d95fabea0257e6ec7cee1dd944298db4adb2d11ea2439efa104d5db3f464fbe6b20

Download Submit
C:\Windows\{E2F20075-863F-4339-8A2F-E373FEB3A5ED}.exe

Filesize
408KB

MD5
28ff893793e81e5bfcc006966ca07caa

SHA1
0f0042d3eefe3bb3d382fcf7d98d0c19623d9685

SHA256
c018a12a452b36f5cf91adb574f4bbdc87f1c81911c4ebea14c199f5d9f8b81c

SHA512
4c1ab7ea603c6c7f89d3318a5f04f395d722fab6cdc5096cc97b2d2f319e4fc6d226acae683bd2afdb343da988ed99ee2c6512468c6658c553db17abe2cc0111

Download Submit
C:\Windows\{F20D6AF1-36EF-43f3-A26E-7A14D8B3DF09}.exe

Filesize
408KB

MD5
bdcdca4c71df374103ac76ab390a8855

SHA1
a2c3fd415774c6adeba466604426010f72f25a5e

SHA256
fd77e59c5d1edc63aef563c7dece1e57d3521abb59c5366cf7c2fb0ed45771d2

SHA512
b99d8ac3f6e78790161e657b1b57eae0fce763012848a2cf8c1e1c99a5afa06f1a9f11a0263de152ce9c6a07e8bbbf437ee84258c9f1c650637cacb41c2525ed

Download Submit
C:\Windows\{F7C77CED-E17A-4509-A8DB-0BD43928B046}.exe

Filesize
408KB

MD5
0a7e50bb6be6dbc4a593fd1c48b76182

SHA1
67713d9256e887ba00c74b77e3a2829b8fc835d0

SHA256
2acc7a9b24a119930e3122b1786a53db74d48906870dcc2d1684bed42aa3144c

SHA512
a1e9eeb4a0a3d304ecb45af1b50ccc88d1c6e48c87b055ef7e57c07eca79a3c5f1c4d67d2f3b961e14a48807bc813654d19cd806986b03cdfe94e118aadcb603

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads