ebc65d09888fa2a7477d93060ebaebb06fd8d6c46fe28c8377d3b61e33865e45

Analysis

max time kernel
144s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
15/03/2024, 23:21

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-03-15_07c011af3b1d07b5f4356773f50897f1_goldeneye.exe
Size

216KB
MD5

07c011af3b1d07b5f4356773f50897f1
SHA1

472f40d181bcae2d7da255abb5b7113eef626f83
SHA256

ebc65d09888fa2a7477d93060ebaebb06fd8d6c46fe28c8377d3b61e33865e45
SHA512

275ce71c8ef3958fabc66e5577b57983dab77ba5454082b59eb62cee4f15518abc034898aa882e4d4c806047b45c3e8d80cda942163f2a3246380d0f75381d59
SSDEEP

3072:jEGh0oul+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEG0lEeKcAEcGy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000a0000000143fa-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c0000000167ef-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b0000000143fa-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0034000000016cab-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0035000000016cab-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0034000000016cc9-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e000000016ce1-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0035000000016cc9-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000016cfe-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{27C94F2D-0369-4cdf-A458-922F55DDF279}\stubpath = "C:\\Windows\\{27C94F2D-0369-4cdf-A458-922F55DDF279}.exe"	{ACD300BC-A273-444f-B518-71E8DD9A7F6C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{306DDC09-E942-4a6a-93FD-3A07A0104334}\stubpath = "C:\\Windows\\{306DDC09-E942-4a6a-93FD-3A07A0104334}.exe"	{8204AF33-B44D-4072-B277-400FE22195E4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7E1F9AA2-58E0-42aa-8F98-7B4B4E3B3BBE}	{306DDC09-E942-4a6a-93FD-3A07A0104334}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9692F596-FEC9-4cac-ADD5-52DDCAD6ACB3}\stubpath = "C:\\Windows\\{9692F596-FEC9-4cac-ADD5-52DDCAD6ACB3}.exe"	{7E1F9AA2-58E0-42aa-8F98-7B4B4E3B3BBE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{62796103-67C3-449a-BB40-72F723549008}	{9692F596-FEC9-4cac-ADD5-52DDCAD6ACB3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6462AC9B-72DC-4208-A8F8-C6E4F695941C}	2024-03-15_07c011af3b1d07b5f4356773f50897f1_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D5D7F970-7CCE-4963-90B8-DB0AD2B42B5C}	{3C4CFA50-D606-4d40-B326-D7FCF73D9527}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{306DDC09-E942-4a6a-93FD-3A07A0104334}	{8204AF33-B44D-4072-B277-400FE22195E4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7E1F9AA2-58E0-42aa-8F98-7B4B4E3B3BBE}\stubpath = "C:\\Windows\\{7E1F9AA2-58E0-42aa-8F98-7B4B4E3B3BBE}.exe"	{306DDC09-E942-4a6a-93FD-3A07A0104334}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F24D9063-987F-458e-9568-C64027660552}\stubpath = "C:\\Windows\\{F24D9063-987F-458e-9568-C64027660552}.exe"	{62796103-67C3-449a-BB40-72F723549008}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3C4CFA50-D606-4d40-B326-D7FCF73D9527}	{6462AC9B-72DC-4208-A8F8-C6E4F695941C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D5D7F970-7CCE-4963-90B8-DB0AD2B42B5C}\stubpath = "C:\\Windows\\{D5D7F970-7CCE-4963-90B8-DB0AD2B42B5C}.exe"	{3C4CFA50-D606-4d40-B326-D7FCF73D9527}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8204AF33-B44D-4072-B277-400FE22195E4}	{27C94F2D-0369-4cdf-A458-922F55DDF279}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8204AF33-B44D-4072-B277-400FE22195E4}\stubpath = "C:\\Windows\\{8204AF33-B44D-4072-B277-400FE22195E4}.exe"	{27C94F2D-0369-4cdf-A458-922F55DDF279}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6462AC9B-72DC-4208-A8F8-C6E4F695941C}\stubpath = "C:\\Windows\\{6462AC9B-72DC-4208-A8F8-C6E4F695941C}.exe"	2024-03-15_07c011af3b1d07b5f4356773f50897f1_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ACD300BC-A273-444f-B518-71E8DD9A7F6C}	{D5D7F970-7CCE-4963-90B8-DB0AD2B42B5C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{27C94F2D-0369-4cdf-A458-922F55DDF279}	{ACD300BC-A273-444f-B518-71E8DD9A7F6C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9692F596-FEC9-4cac-ADD5-52DDCAD6ACB3}	{7E1F9AA2-58E0-42aa-8F98-7B4B4E3B3BBE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{62796103-67C3-449a-BB40-72F723549008}\stubpath = "C:\\Windows\\{62796103-67C3-449a-BB40-72F723549008}.exe"	{9692F596-FEC9-4cac-ADD5-52DDCAD6ACB3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F24D9063-987F-458e-9568-C64027660552}	{62796103-67C3-449a-BB40-72F723549008}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3C4CFA50-D606-4d40-B326-D7FCF73D9527}\stubpath = "C:\\Windows\\{3C4CFA50-D606-4d40-B326-D7FCF73D9527}.exe"	{6462AC9B-72DC-4208-A8F8-C6E4F695941C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ACD300BC-A273-444f-B518-71E8DD9A7F6C}\stubpath = "C:\\Windows\\{ACD300BC-A273-444f-B518-71E8DD9A7F6C}.exe"	{D5D7F970-7CCE-4963-90B8-DB0AD2B42B5C}.exe

Deletes itself 1 IoCs

pid	Process
1928	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2456	{6462AC9B-72DC-4208-A8F8-C6E4F695941C}.exe
2496	{3C4CFA50-D606-4d40-B326-D7FCF73D9527}.exe
2384	{D5D7F970-7CCE-4963-90B8-DB0AD2B42B5C}.exe
304	{ACD300BC-A273-444f-B518-71E8DD9A7F6C}.exe
2592	{27C94F2D-0369-4cdf-A458-922F55DDF279}.exe
1468	{8204AF33-B44D-4072-B277-400FE22195E4}.exe
1792	{306DDC09-E942-4a6a-93FD-3A07A0104334}.exe
296	{7E1F9AA2-58E0-42aa-8F98-7B4B4E3B3BBE}.exe
2696	{9692F596-FEC9-4cac-ADD5-52DDCAD6ACB3}.exe
2028	{62796103-67C3-449a-BB40-72F723549008}.exe
1728	{F24D9063-987F-458e-9568-C64027660552}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{3C4CFA50-D606-4d40-B326-D7FCF73D9527}.exe	{6462AC9B-72DC-4208-A8F8-C6E4F695941C}.exe
File created	C:\Windows\{ACD300BC-A273-444f-B518-71E8DD9A7F6C}.exe	{D5D7F970-7CCE-4963-90B8-DB0AD2B42B5C}.exe
File created	C:\Windows\{27C94F2D-0369-4cdf-A458-922F55DDF279}.exe	{ACD300BC-A273-444f-B518-71E8DD9A7F6C}.exe
File created	C:\Windows\{8204AF33-B44D-4072-B277-400FE22195E4}.exe	{27C94F2D-0369-4cdf-A458-922F55DDF279}.exe
File created	C:\Windows\{306DDC09-E942-4a6a-93FD-3A07A0104334}.exe	{8204AF33-B44D-4072-B277-400FE22195E4}.exe
File created	C:\Windows\{7E1F9AA2-58E0-42aa-8F98-7B4B4E3B3BBE}.exe	{306DDC09-E942-4a6a-93FD-3A07A0104334}.exe
File created	C:\Windows\{9692F596-FEC9-4cac-ADD5-52DDCAD6ACB3}.exe	{7E1F9AA2-58E0-42aa-8F98-7B4B4E3B3BBE}.exe
File created	C:\Windows\{6462AC9B-72DC-4208-A8F8-C6E4F695941C}.exe	2024-03-15_07c011af3b1d07b5f4356773f50897f1_goldeneye.exe
File created	C:\Windows\{D5D7F970-7CCE-4963-90B8-DB0AD2B42B5C}.exe	{3C4CFA50-D606-4d40-B326-D7FCF73D9527}.exe
File created	C:\Windows\{62796103-67C3-449a-BB40-72F723549008}.exe	{9692F596-FEC9-4cac-ADD5-52DDCAD6ACB3}.exe
File created	C:\Windows\{F24D9063-987F-458e-9568-C64027660552}.exe	{62796103-67C3-449a-BB40-72F723549008}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1640	2024-03-15_07c011af3b1d07b5f4356773f50897f1_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2456	{6462AC9B-72DC-4208-A8F8-C6E4F695941C}.exe
Token: SeIncBasePriorityPrivilege	2496	{3C4CFA50-D606-4d40-B326-D7FCF73D9527}.exe
Token: SeIncBasePriorityPrivilege	2384	{D5D7F970-7CCE-4963-90B8-DB0AD2B42B5C}.exe
Token: SeIncBasePriorityPrivilege	304	{ACD300BC-A273-444f-B518-71E8DD9A7F6C}.exe
Token: SeIncBasePriorityPrivilege	2592	{27C94F2D-0369-4cdf-A458-922F55DDF279}.exe
Token: SeIncBasePriorityPrivilege	1468	{8204AF33-B44D-4072-B277-400FE22195E4}.exe
Token: SeIncBasePriorityPrivilege	1792	{306DDC09-E942-4a6a-93FD-3A07A0104334}.exe
Token: SeIncBasePriorityPrivilege	296	{7E1F9AA2-58E0-42aa-8F98-7B4B4E3B3BBE}.exe
Token: SeIncBasePriorityPrivilege	2696	{9692F596-FEC9-4cac-ADD5-52DDCAD6ACB3}.exe
Token: SeIncBasePriorityPrivilege	2028	{62796103-67C3-449a-BB40-72F723549008}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1640 wrote to memory of 2456	1640	2024-03-15_07c011af3b1d07b5f4356773f50897f1_goldeneye.exe	28
PID 1640 wrote to memory of 2456	1640	2024-03-15_07c011af3b1d07b5f4356773f50897f1_goldeneye.exe	28
PID 1640 wrote to memory of 2456	1640	2024-03-15_07c011af3b1d07b5f4356773f50897f1_goldeneye.exe	28
PID 1640 wrote to memory of 2456	1640	2024-03-15_07c011af3b1d07b5f4356773f50897f1_goldeneye.exe	28
PID 1640 wrote to memory of 1928	1640	2024-03-15_07c011af3b1d07b5f4356773f50897f1_goldeneye.exe	29
PID 1640 wrote to memory of 1928	1640	2024-03-15_07c011af3b1d07b5f4356773f50897f1_goldeneye.exe	29
PID 1640 wrote to memory of 1928	1640	2024-03-15_07c011af3b1d07b5f4356773f50897f1_goldeneye.exe	29
PID 1640 wrote to memory of 1928	1640	2024-03-15_07c011af3b1d07b5f4356773f50897f1_goldeneye.exe	29
PID 2456 wrote to memory of 2496	2456	{6462AC9B-72DC-4208-A8F8-C6E4F695941C}.exe	30
PID 2456 wrote to memory of 2496	2456	{6462AC9B-72DC-4208-A8F8-C6E4F695941C}.exe	30
PID 2456 wrote to memory of 2496	2456	{6462AC9B-72DC-4208-A8F8-C6E4F695941C}.exe	30
PID 2456 wrote to memory of 2496	2456	{6462AC9B-72DC-4208-A8F8-C6E4F695941C}.exe	30
PID 2456 wrote to memory of 2548	2456	{6462AC9B-72DC-4208-A8F8-C6E4F695941C}.exe	31
PID 2456 wrote to memory of 2548	2456	{6462AC9B-72DC-4208-A8F8-C6E4F695941C}.exe	31
PID 2456 wrote to memory of 2548	2456	{6462AC9B-72DC-4208-A8F8-C6E4F695941C}.exe	31
PID 2456 wrote to memory of 2548	2456	{6462AC9B-72DC-4208-A8F8-C6E4F695941C}.exe	31
PID 2496 wrote to memory of 2384	2496	{3C4CFA50-D606-4d40-B326-D7FCF73D9527}.exe	32
PID 2496 wrote to memory of 2384	2496	{3C4CFA50-D606-4d40-B326-D7FCF73D9527}.exe	32
PID 2496 wrote to memory of 2384	2496	{3C4CFA50-D606-4d40-B326-D7FCF73D9527}.exe	32
PID 2496 wrote to memory of 2384	2496	{3C4CFA50-D606-4d40-B326-D7FCF73D9527}.exe	32
PID 2496 wrote to memory of 2536	2496	{3C4CFA50-D606-4d40-B326-D7FCF73D9527}.exe	33
PID 2496 wrote to memory of 2536	2496	{3C4CFA50-D606-4d40-B326-D7FCF73D9527}.exe	33
PID 2496 wrote to memory of 2536	2496	{3C4CFA50-D606-4d40-B326-D7FCF73D9527}.exe	33
PID 2496 wrote to memory of 2536	2496	{3C4CFA50-D606-4d40-B326-D7FCF73D9527}.exe	33
PID 2384 wrote to memory of 304	2384	{D5D7F970-7CCE-4963-90B8-DB0AD2B42B5C}.exe	36
PID 2384 wrote to memory of 304	2384	{D5D7F970-7CCE-4963-90B8-DB0AD2B42B5C}.exe	36
PID 2384 wrote to memory of 304	2384	{D5D7F970-7CCE-4963-90B8-DB0AD2B42B5C}.exe	36
PID 2384 wrote to memory of 304	2384	{D5D7F970-7CCE-4963-90B8-DB0AD2B42B5C}.exe	36
PID 2384 wrote to memory of 1188	2384	{D5D7F970-7CCE-4963-90B8-DB0AD2B42B5C}.exe	37
PID 2384 wrote to memory of 1188	2384	{D5D7F970-7CCE-4963-90B8-DB0AD2B42B5C}.exe	37
PID 2384 wrote to memory of 1188	2384	{D5D7F970-7CCE-4963-90B8-DB0AD2B42B5C}.exe	37
PID 2384 wrote to memory of 1188	2384	{D5D7F970-7CCE-4963-90B8-DB0AD2B42B5C}.exe	37
PID 304 wrote to memory of 2592	304	{ACD300BC-A273-444f-B518-71E8DD9A7F6C}.exe	38
PID 304 wrote to memory of 2592	304	{ACD300BC-A273-444f-B518-71E8DD9A7F6C}.exe	38
PID 304 wrote to memory of 2592	304	{ACD300BC-A273-444f-B518-71E8DD9A7F6C}.exe	38
PID 304 wrote to memory of 2592	304	{ACD300BC-A273-444f-B518-71E8DD9A7F6C}.exe	38
PID 304 wrote to memory of 1232	304	{ACD300BC-A273-444f-B518-71E8DD9A7F6C}.exe	39
PID 304 wrote to memory of 1232	304	{ACD300BC-A273-444f-B518-71E8DD9A7F6C}.exe	39
PID 304 wrote to memory of 1232	304	{ACD300BC-A273-444f-B518-71E8DD9A7F6C}.exe	39
PID 304 wrote to memory of 1232	304	{ACD300BC-A273-444f-B518-71E8DD9A7F6C}.exe	39
PID 2592 wrote to memory of 1468	2592	{27C94F2D-0369-4cdf-A458-922F55DDF279}.exe	40
PID 2592 wrote to memory of 1468	2592	{27C94F2D-0369-4cdf-A458-922F55DDF279}.exe	40
PID 2592 wrote to memory of 1468	2592	{27C94F2D-0369-4cdf-A458-922F55DDF279}.exe	40
PID 2592 wrote to memory of 1468	2592	{27C94F2D-0369-4cdf-A458-922F55DDF279}.exe	40
PID 2592 wrote to memory of 2144	2592	{27C94F2D-0369-4cdf-A458-922F55DDF279}.exe	41
PID 2592 wrote to memory of 2144	2592	{27C94F2D-0369-4cdf-A458-922F55DDF279}.exe	41
PID 2592 wrote to memory of 2144	2592	{27C94F2D-0369-4cdf-A458-922F55DDF279}.exe	41
PID 2592 wrote to memory of 2144	2592	{27C94F2D-0369-4cdf-A458-922F55DDF279}.exe	41
PID 1468 wrote to memory of 1792	1468	{8204AF33-B44D-4072-B277-400FE22195E4}.exe	42
PID 1468 wrote to memory of 1792	1468	{8204AF33-B44D-4072-B277-400FE22195E4}.exe	42
PID 1468 wrote to memory of 1792	1468	{8204AF33-B44D-4072-B277-400FE22195E4}.exe	42
PID 1468 wrote to memory of 1792	1468	{8204AF33-B44D-4072-B277-400FE22195E4}.exe	42
PID 1468 wrote to memory of 2128	1468	{8204AF33-B44D-4072-B277-400FE22195E4}.exe	43
PID 1468 wrote to memory of 2128	1468	{8204AF33-B44D-4072-B277-400FE22195E4}.exe	43
PID 1468 wrote to memory of 2128	1468	{8204AF33-B44D-4072-B277-400FE22195E4}.exe	43
PID 1468 wrote to memory of 2128	1468	{8204AF33-B44D-4072-B277-400FE22195E4}.exe	43
PID 1792 wrote to memory of 296	1792	{306DDC09-E942-4a6a-93FD-3A07A0104334}.exe	44
PID 1792 wrote to memory of 296	1792	{306DDC09-E942-4a6a-93FD-3A07A0104334}.exe	44
PID 1792 wrote to memory of 296	1792	{306DDC09-E942-4a6a-93FD-3A07A0104334}.exe	44
PID 1792 wrote to memory of 296	1792	{306DDC09-E942-4a6a-93FD-3A07A0104334}.exe	44
PID 1792 wrote to memory of 1168	1792	{306DDC09-E942-4a6a-93FD-3A07A0104334}.exe	45
PID 1792 wrote to memory of 1168	1792	{306DDC09-E942-4a6a-93FD-3A07A0104334}.exe	45
PID 1792 wrote to memory of 1168	1792	{306DDC09-E942-4a6a-93FD-3A07A0104334}.exe	45
PID 1792 wrote to memory of 1168	1792	{306DDC09-E942-4a6a-93FD-3A07A0104334}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-03-15_07c011af3b1d07b5f4356773f50897f1_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-15_07c011af3b1d07b5f4356773f50897f1_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1640
- C:\Windows\{6462AC9B-72DC-4208-A8F8-C6E4F695941C}.exe
  C:\Windows\{6462AC9B-72DC-4208-A8F8-C6E4F695941C}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2456
- - C:\Windows\{3C4CFA50-D606-4d40-B326-D7FCF73D9527}.exe
    C:\Windows\{3C4CFA50-D606-4d40-B326-D7FCF73D9527}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2496
  - - C:\Windows\{D5D7F970-7CCE-4963-90B8-DB0AD2B42B5C}.exe
      C:\Windows\{D5D7F970-7CCE-4963-90B8-DB0AD2B42B5C}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2384
    - - C:\Windows\{ACD300BC-A273-444f-B518-71E8DD9A7F6C}.exe
        
        C:\Windows\{ACD300BC-A273-444f-B518-71E8DD9A7F6C}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:304
      - C:\Windows\{27C94F2D-0369-4cdf-A458-922F55DDF279}.exe
        
        C:\Windows\{27C94F2D-0369-4cdf-A458-922F55DDF279}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2592
        
        C:\Windows\{8204AF33-B44D-4072-B277-400FE22195E4}.exe
        
        C:\Windows\{8204AF33-B44D-4072-B277-400FE22195E4}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1468
        
        C:\Windows\{306DDC09-E942-4a6a-93FD-3A07A0104334}.exe
        
        C:\Windows\{306DDC09-E942-4a6a-93FD-3A07A0104334}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1792
        
        C:\Windows\{7E1F9AA2-58E0-42aa-8F98-7B4B4E3B3BBE}.exe
        
        C:\Windows\{7E1F9AA2-58E0-42aa-8F98-7B4B4E3B3BBE}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:296
        
        C:\Windows\{9692F596-FEC9-4cac-ADD5-52DDCAD6ACB3}.exe
        
        C:\Windows\{9692F596-FEC9-4cac-ADD5-52DDCAD6ACB3}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2696
        
        C:\Windows\{62796103-67C3-449a-BB40-72F723549008}.exe
        
        C:\Windows\{62796103-67C3-449a-BB40-72F723549008}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2028
        
        C:\Windows\{F24D9063-987F-458e-9568-C64027660552}.exe
        
        C:\Windows\{F24D9063-987F-458e-9568-C64027660552}.exe
        12⤵
        Executes dropped EXE
        
        PID:1728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{62796~1.EXE > nul
        12⤵
        
        PID:1756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9692F~1.EXE > nul
        11⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7E1F9~1.EXE > nul
        10⤵
        
        PID:564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{306DD~1.EXE > nul
        9⤵
        
        PID:1168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8204A~1.EXE > nul
        8⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{27C94~1.EXE > nul
        7⤵
        
        PID:2144
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{ACD30~1.EXE > nul
        6⤵
        
        PID:1232
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D5D7F~1.EXE > nul
        5⤵
        
        PID:1188
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{3C4CF~1.EXE > nul
      4⤵
      PID:2536
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{6462A~1.EXE > nul
    3⤵
    PID:2548
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:1928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{27C94F2D-0369-4cdf-A458-922F55DDF279}.exe

Filesize
216KB

MD5
19fdbb7e8155be2fd7a18d7d359652f0

SHA1
fa5b4a9ee4b2093cf7c77cf4d61e9f41ad223c40

SHA256
a1c345efe915a9ea4850c67c55baedc9072daf16e292f33d62bd7fb5f7336df7

SHA512
f8f49b0168fcef82d6c3df3086e0a2da6d747a9564d624676d74e0af4f6b389436abe4ae2705d25388c31dbd0c5bf7ffddfce496bff68affae905105822b3858

Download Submit
C:\Windows\{306DDC09-E942-4a6a-93FD-3A07A0104334}.exe

Filesize
216KB

MD5
922104660d754860ec1ed706ad32c2e8

SHA1
deeb0d6826d1311c52b97854f2348fbb37ee78e6

SHA256
ee9b3be6f9462deab75b085ad363a73a4578bbf597b146e3fd6b36bb0c087af1

SHA512
ee12d590c282ac62b8b6fd4f615a2492aa7b57d2e87402de17a32f265556a5bb733c152806cb19285f7bb80eb6209cd814d2ff2bd867f705d660a3edfdee3779

Download Submit
C:\Windows\{3C4CFA50-D606-4d40-B326-D7FCF73D9527}.exe

Filesize
216KB

MD5
949bcf388e42eebc590800c483297f48

SHA1
e38cedd4d86d6480bd9daa8fb477a7f67790c5bf

SHA256
f96feb346f2626af682cbee85b332490a577e951a5cbc2c9d1b05833a924cf1a

SHA512
7a7eba2fd17d4a53b331ebdb870990dcd735512165b30d9daa166c4ce623ad9e362f6b212c1f0f996de44543bd624f14434947e74ec004809b4ca23204ee28b1

Download Submit
C:\Windows\{62796103-67C3-449a-BB40-72F723549008}.exe

Filesize
216KB

MD5
661a436493d939cf6e700b0407f6bfe4

SHA1
fc9ee9a4b8747b0b47c1652be7205d855fe89acd

SHA256
8efd3da1f82b961d0bbf7ddf19ec4bd60e85780458c5690a70234935cee9e3d5

SHA512
fcce5ec6733470e482628da0adb34fecc2c93fe5f30089ac34ad5cdace3ba0794c898a12feeb94995c1ad835811c77f165fee84b34644ce7ba1dd1f697ca3231

Download Submit
C:\Windows\{6462AC9B-72DC-4208-A8F8-C6E4F695941C}.exe

Filesize
216KB

MD5
0401f8694fb5dd5c76f47805525753b0

SHA1
f1ee41fdcde1af1169678b832faedb019c6c8bf3

SHA256
abad3e9e80393b484cc8f7fad52ba21c0e16561ba27252df7386c084d91fe6ca

SHA512
03cf4c86b370d069f095782011da7e2454c6ab76775ffe735d3d039556a5f988c34ee23fa85b936e8aa124f26116c6687c7d690b7996920328e2b3942e983149

Download Submit
C:\Windows\{7E1F9AA2-58E0-42aa-8F98-7B4B4E3B3BBE}.exe

Filesize
216KB

MD5
4c9d5d2ac5ea7d4b7c0ea9b7e8987d2a

SHA1
d3798e02b171c93999ccb5e2728326d3d33003c9

SHA256
baeec30538940fd00e8bcca2472ef74605978c6e68f5df573fb8642ed0608796

SHA512
d91a20645f908ca42ecc8d3e63f26b49dedb86896226231f862f06893e4cbb7d10af70b3f85e61d5a052e7e9ee9f48f329ee56f45dc8cead884680a0118ad366

Download Submit
C:\Windows\{8204AF33-B44D-4072-B277-400FE22195E4}.exe

Filesize
216KB

MD5
a1bc6f992c77d137faecf99b96a24759

SHA1
eb723a74acb02bbe60dbb2f49c6bcc6940f339b8

SHA256
8807d8a40f25ff5b1685dde89d688aac69ca4286fd342a5b54fbd722422d7c4d

SHA512
988d0d144575099852c6d24b42a4540d7c5315564d94202f9d56f5559aada1318327e5e19efb11540e74d2db3e33814ff887d93632b06d1a0755154b80dd3328

Download Submit
C:\Windows\{9692F596-FEC9-4cac-ADD5-52DDCAD6ACB3}.exe

Filesize
216KB

MD5
e3464043200a45c6226c1aa938296106

SHA1
e88a74b27a889b82ef3382a4f1ce4395446a890e

SHA256
8439bbe131d533cec25b39f74879e935ffa69768079e371e2f8d070a13f0dfc5

SHA512
f64af55417b107c6a27b44ba9d9efb5dca2aa8e2d73cb5de9d799fb2164d1a279d479d1ccf601713b9dab7b0c6a50a66e152ec8b422537b5eee2c580f3d546b0

Download Submit
C:\Windows\{ACD300BC-A273-444f-B518-71E8DD9A7F6C}.exe

Filesize
216KB

MD5
7b57b568c5a3c30a78bd41f417eb43ab

SHA1
c5245b433f075aabb008fe4bb8b0899d11ddfc0d

SHA256
8b71d40184d2382e7673e6e3ff85855f1fafb462966f0b8c2d93f91acf7741c5

SHA512
dc8c498af767b871c4e83dfef45034b5c2b6a48d495d3f9c89d5918f8653bb951f3ea42a40be52315cdf82f7b4e46494c3604f181f776e5de41c3f733297dbc8

Download Submit
C:\Windows\{D5D7F970-7CCE-4963-90B8-DB0AD2B42B5C}.exe

Filesize
216KB

MD5
78a23ba656cceeba17383cc91bb89dab

SHA1
755e987d22e5bf48171e5cfe5a4485b21244aba1

SHA256
c766cb2772e2cec9cd509b3ab2a20a7706b18ac4e091d02a71e987c59aab56a0

SHA512
43612bb07e0537774ba2e8b65572c14b63abd8ddf7f963b769396a82a7a2a5ccba2b9e2a41ccfbee0183356f6f24077cb10f56525cc7967d55f6eafaae8e3af5

Download Submit
C:\Windows\{F24D9063-987F-458e-9568-C64027660552}.exe

Filesize
216KB

MD5
889fb9386fa0ac6fb2c108dae5efdd2e

SHA1
eccf8be5ada9ad44006118bbbdb5eae7057993cd

SHA256
2258b4aadca43bb656ed21fb8c90a926492b7ebf30fa3ddef858ac3545689999

SHA512
666ba4336ffb2d9ed9471a781cbffac116152d3379d7fb0fb5c0bf1bc088c756cde32289eca0452213c1a3b614aa6414c54110ee346693b1c4347388f9dba11f

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads