eda86fe5e6c5fd67ca253a3b0a16d4901c283a7ca4bd656c45cb13f206e38ff4

Analysis

max time kernel
144s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
19/03/2024, 05:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-19_47b91a76cea3bac8a066cc7e8ebdd915_goldeneye.exe
Size

408KB
MD5

47b91a76cea3bac8a066cc7e8ebdd915
SHA1

e5bd8638ca8b8de9ca4f24d690bb6615611ddecf
SHA256

eda86fe5e6c5fd67ca253a3b0a16d4901c283a7ca4bd656c45cb13f206e38ff4
SHA512

3bac52ac9f176c4659c56319323a651d41ed8a36944f9cafb115267f461265909ad5c1ee8db09ce65bab58ac39c2878d6e2d22870caf0f26dc827c32adfc421a
SSDEEP

3072:CEGh0o6l3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBft:CEGgldOe2MUVg3vTeKcAEciTBqr3jy9

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000d0000000126b7-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001b000000015c9d-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e0000000126b7-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f0000000126b7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00100000000126b7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00110000000126b7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00120000000126b7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8B2464A8-4F2A-493d-AF09-85E91C30F50B}	{16BA13DC-9653-4a06-AF6B-D916D0E61BE5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{69DE9124-96E3-4e48-8748-4BB48429489A}\stubpath = "C:\\Windows\\{69DE9124-96E3-4e48-8748-4BB48429489A}.exe"	{8B2464A8-4F2A-493d-AF09-85E91C30F50B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2A2F4D7A-9146-417e-81B6-7170A64E00DF}	{868AA62B-001D-46f9-A9B9-B5196B019928}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A46CD030-B1FF-4ad9-9481-9F9281B3D0E9}\stubpath = "C:\\Windows\\{A46CD030-B1FF-4ad9-9481-9F9281B3D0E9}.exe"	{2A2F4D7A-9146-417e-81B6-7170A64E00DF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7CD6347A-57E6-4282-87EF-524EADCF7EA9}\stubpath = "C:\\Windows\\{7CD6347A-57E6-4282-87EF-524EADCF7EA9}.exe"	{A46CD030-B1FF-4ad9-9481-9F9281B3D0E9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{43A0F979-18EA-43b5-9FB0-6295748F7C39}	{7CD6347A-57E6-4282-87EF-524EADCF7EA9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2713DACB-20B9-4506-BD07-B90A8FF38D90}	{43A0F979-18EA-43b5-9FB0-6295748F7C39}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2713DACB-20B9-4506-BD07-B90A8FF38D90}\stubpath = "C:\\Windows\\{2713DACB-20B9-4506-BD07-B90A8FF38D90}.exe"	{43A0F979-18EA-43b5-9FB0-6295748F7C39}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{69DE9124-96E3-4e48-8748-4BB48429489A}	{8B2464A8-4F2A-493d-AF09-85E91C30F50B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2A2F4D7A-9146-417e-81B6-7170A64E00DF}\stubpath = "C:\\Windows\\{2A2F4D7A-9146-417e-81B6-7170A64E00DF}.exe"	{868AA62B-001D-46f9-A9B9-B5196B019928}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{868AA62B-001D-46f9-A9B9-B5196B019928}\stubpath = "C:\\Windows\\{868AA62B-001D-46f9-A9B9-B5196B019928}.exe"	{80B78841-C378-4331-8F47-942EFE3543B0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7CD6347A-57E6-4282-87EF-524EADCF7EA9}	{A46CD030-B1FF-4ad9-9481-9F9281B3D0E9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8B2464A8-4F2A-493d-AF09-85E91C30F50B}\stubpath = "C:\\Windows\\{8B2464A8-4F2A-493d-AF09-85E91C30F50B}.exe"	{16BA13DC-9653-4a06-AF6B-D916D0E61BE5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{868AA62B-001D-46f9-A9B9-B5196B019928}	{80B78841-C378-4331-8F47-942EFE3543B0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{80B78841-C378-4331-8F47-942EFE3543B0}\stubpath = "C:\\Windows\\{80B78841-C378-4331-8F47-942EFE3543B0}.exe"	2024-03-19_47b91a76cea3bac8a066cc7e8ebdd915_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A46CD030-B1FF-4ad9-9481-9F9281B3D0E9}	{2A2F4D7A-9146-417e-81B6-7170A64E00DF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{43A0F979-18EA-43b5-9FB0-6295748F7C39}\stubpath = "C:\\Windows\\{43A0F979-18EA-43b5-9FB0-6295748F7C39}.exe"	{7CD6347A-57E6-4282-87EF-524EADCF7EA9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{16BA13DC-9653-4a06-AF6B-D916D0E61BE5}	{2713DACB-20B9-4506-BD07-B90A8FF38D90}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{16BA13DC-9653-4a06-AF6B-D916D0E61BE5}\stubpath = "C:\\Windows\\{16BA13DC-9653-4a06-AF6B-D916D0E61BE5}.exe"	{2713DACB-20B9-4506-BD07-B90A8FF38D90}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{80CEEAFF-D16F-4998-80EF-9E2EAC573305}	{69DE9124-96E3-4e48-8748-4BB48429489A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{80CEEAFF-D16F-4998-80EF-9E2EAC573305}\stubpath = "C:\\Windows\\{80CEEAFF-D16F-4998-80EF-9E2EAC573305}.exe"	{69DE9124-96E3-4e48-8748-4BB48429489A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{80B78841-C378-4331-8F47-942EFE3543B0}	2024-03-19_47b91a76cea3bac8a066cc7e8ebdd915_goldeneye.exe

Deletes itself 1 IoCs

pid	Process
2112	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
1600	{80B78841-C378-4331-8F47-942EFE3543B0}.exe
2616	{868AA62B-001D-46f9-A9B9-B5196B019928}.exe
2732	{2A2F4D7A-9146-417e-81B6-7170A64E00DF}.exe
2956	{A46CD030-B1FF-4ad9-9481-9F9281B3D0E9}.exe
2520	{7CD6347A-57E6-4282-87EF-524EADCF7EA9}.exe
2240	{43A0F979-18EA-43b5-9FB0-6295748F7C39}.exe
1044	{2713DACB-20B9-4506-BD07-B90A8FF38D90}.exe
1804	{16BA13DC-9653-4a06-AF6B-D916D0E61BE5}.exe
304	{8B2464A8-4F2A-493d-AF09-85E91C30F50B}.exe
2020	{69DE9124-96E3-4e48-8748-4BB48429489A}.exe
2148	{80CEEAFF-D16F-4998-80EF-9E2EAC573305}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{2713DACB-20B9-4506-BD07-B90A8FF38D90}.exe	{43A0F979-18EA-43b5-9FB0-6295748F7C39}.exe
File created	C:\Windows\{16BA13DC-9653-4a06-AF6B-D916D0E61BE5}.exe	{2713DACB-20B9-4506-BD07-B90A8FF38D90}.exe
File created	C:\Windows\{8B2464A8-4F2A-493d-AF09-85E91C30F50B}.exe	{16BA13DC-9653-4a06-AF6B-D916D0E61BE5}.exe
File created	C:\Windows\{80CEEAFF-D16F-4998-80EF-9E2EAC573305}.exe	{69DE9124-96E3-4e48-8748-4BB48429489A}.exe
File created	C:\Windows\{80B78841-C378-4331-8F47-942EFE3543B0}.exe	2024-03-19_47b91a76cea3bac8a066cc7e8ebdd915_goldeneye.exe
File created	C:\Windows\{868AA62B-001D-46f9-A9B9-B5196B019928}.exe	{80B78841-C378-4331-8F47-942EFE3543B0}.exe
File created	C:\Windows\{2A2F4D7A-9146-417e-81B6-7170A64E00DF}.exe	{868AA62B-001D-46f9-A9B9-B5196B019928}.exe
File created	C:\Windows\{A46CD030-B1FF-4ad9-9481-9F9281B3D0E9}.exe	{2A2F4D7A-9146-417e-81B6-7170A64E00DF}.exe
File created	C:\Windows\{7CD6347A-57E6-4282-87EF-524EADCF7EA9}.exe	{A46CD030-B1FF-4ad9-9481-9F9281B3D0E9}.exe
File created	C:\Windows\{43A0F979-18EA-43b5-9FB0-6295748F7C39}.exe	{7CD6347A-57E6-4282-87EF-524EADCF7EA9}.exe
File created	C:\Windows\{69DE9124-96E3-4e48-8748-4BB48429489A}.exe	{8B2464A8-4F2A-493d-AF09-85E91C30F50B}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2108	2024-03-19_47b91a76cea3bac8a066cc7e8ebdd915_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1600	{80B78841-C378-4331-8F47-942EFE3543B0}.exe
Token: SeIncBasePriorityPrivilege	2616	{868AA62B-001D-46f9-A9B9-B5196B019928}.exe
Token: SeIncBasePriorityPrivilege	2732	{2A2F4D7A-9146-417e-81B6-7170A64E00DF}.exe
Token: SeIncBasePriorityPrivilege	2956	{A46CD030-B1FF-4ad9-9481-9F9281B3D0E9}.exe
Token: SeIncBasePriorityPrivilege	2520	{7CD6347A-57E6-4282-87EF-524EADCF7EA9}.exe
Token: SeIncBasePriorityPrivilege	2240	{43A0F979-18EA-43b5-9FB0-6295748F7C39}.exe
Token: SeIncBasePriorityPrivilege	1044	{2713DACB-20B9-4506-BD07-B90A8FF38D90}.exe
Token: SeIncBasePriorityPrivilege	1804	{16BA13DC-9653-4a06-AF6B-D916D0E61BE5}.exe
Token: SeIncBasePriorityPrivilege	304	{8B2464A8-4F2A-493d-AF09-85E91C30F50B}.exe
Token: SeIncBasePriorityPrivilege	2020	{69DE9124-96E3-4e48-8748-4BB48429489A}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2108 wrote to memory of 1600	2108	2024-03-19_47b91a76cea3bac8a066cc7e8ebdd915_goldeneye.exe	28
PID 2108 wrote to memory of 1600	2108	2024-03-19_47b91a76cea3bac8a066cc7e8ebdd915_goldeneye.exe	28
PID 2108 wrote to memory of 1600	2108	2024-03-19_47b91a76cea3bac8a066cc7e8ebdd915_goldeneye.exe	28
PID 2108 wrote to memory of 1600	2108	2024-03-19_47b91a76cea3bac8a066cc7e8ebdd915_goldeneye.exe	28
PID 2108 wrote to memory of 2112	2108	2024-03-19_47b91a76cea3bac8a066cc7e8ebdd915_goldeneye.exe	29
PID 2108 wrote to memory of 2112	2108	2024-03-19_47b91a76cea3bac8a066cc7e8ebdd915_goldeneye.exe	29
PID 2108 wrote to memory of 2112	2108	2024-03-19_47b91a76cea3bac8a066cc7e8ebdd915_goldeneye.exe	29
PID 2108 wrote to memory of 2112	2108	2024-03-19_47b91a76cea3bac8a066cc7e8ebdd915_goldeneye.exe	29
PID 1600 wrote to memory of 2616	1600	{80B78841-C378-4331-8F47-942EFE3543B0}.exe	30
PID 1600 wrote to memory of 2616	1600	{80B78841-C378-4331-8F47-942EFE3543B0}.exe	30
PID 1600 wrote to memory of 2616	1600	{80B78841-C378-4331-8F47-942EFE3543B0}.exe	30
PID 1600 wrote to memory of 2616	1600	{80B78841-C378-4331-8F47-942EFE3543B0}.exe	30
PID 1600 wrote to memory of 2700	1600	{80B78841-C378-4331-8F47-942EFE3543B0}.exe	31
PID 1600 wrote to memory of 2700	1600	{80B78841-C378-4331-8F47-942EFE3543B0}.exe	31
PID 1600 wrote to memory of 2700	1600	{80B78841-C378-4331-8F47-942EFE3543B0}.exe	31
PID 1600 wrote to memory of 2700	1600	{80B78841-C378-4331-8F47-942EFE3543B0}.exe	31
PID 2616 wrote to memory of 2732	2616	{868AA62B-001D-46f9-A9B9-B5196B019928}.exe	32
PID 2616 wrote to memory of 2732	2616	{868AA62B-001D-46f9-A9B9-B5196B019928}.exe	32
PID 2616 wrote to memory of 2732	2616	{868AA62B-001D-46f9-A9B9-B5196B019928}.exe	32
PID 2616 wrote to memory of 2732	2616	{868AA62B-001D-46f9-A9B9-B5196B019928}.exe	32
PID 2616 wrote to memory of 2456	2616	{868AA62B-001D-46f9-A9B9-B5196B019928}.exe	33
PID 2616 wrote to memory of 2456	2616	{868AA62B-001D-46f9-A9B9-B5196B019928}.exe	33
PID 2616 wrote to memory of 2456	2616	{868AA62B-001D-46f9-A9B9-B5196B019928}.exe	33
PID 2616 wrote to memory of 2456	2616	{868AA62B-001D-46f9-A9B9-B5196B019928}.exe	33
PID 2732 wrote to memory of 2956	2732	{2A2F4D7A-9146-417e-81B6-7170A64E00DF}.exe	36
PID 2732 wrote to memory of 2956	2732	{2A2F4D7A-9146-417e-81B6-7170A64E00DF}.exe	36
PID 2732 wrote to memory of 2956	2732	{2A2F4D7A-9146-417e-81B6-7170A64E00DF}.exe	36
PID 2732 wrote to memory of 2956	2732	{2A2F4D7A-9146-417e-81B6-7170A64E00DF}.exe	36
PID 2732 wrote to memory of 1288	2732	{2A2F4D7A-9146-417e-81B6-7170A64E00DF}.exe	37
PID 2732 wrote to memory of 1288	2732	{2A2F4D7A-9146-417e-81B6-7170A64E00DF}.exe	37
PID 2732 wrote to memory of 1288	2732	{2A2F4D7A-9146-417e-81B6-7170A64E00DF}.exe	37
PID 2732 wrote to memory of 1288	2732	{2A2F4D7A-9146-417e-81B6-7170A64E00DF}.exe	37
PID 2956 wrote to memory of 2520	2956	{A46CD030-B1FF-4ad9-9481-9F9281B3D0E9}.exe	38
PID 2956 wrote to memory of 2520	2956	{A46CD030-B1FF-4ad9-9481-9F9281B3D0E9}.exe	38
PID 2956 wrote to memory of 2520	2956	{A46CD030-B1FF-4ad9-9481-9F9281B3D0E9}.exe	38
PID 2956 wrote to memory of 2520	2956	{A46CD030-B1FF-4ad9-9481-9F9281B3D0E9}.exe	38
PID 2956 wrote to memory of 2012	2956	{A46CD030-B1FF-4ad9-9481-9F9281B3D0E9}.exe	39
PID 2956 wrote to memory of 2012	2956	{A46CD030-B1FF-4ad9-9481-9F9281B3D0E9}.exe	39
PID 2956 wrote to memory of 2012	2956	{A46CD030-B1FF-4ad9-9481-9F9281B3D0E9}.exe	39
PID 2956 wrote to memory of 2012	2956	{A46CD030-B1FF-4ad9-9481-9F9281B3D0E9}.exe	39
PID 2520 wrote to memory of 2240	2520	{7CD6347A-57E6-4282-87EF-524EADCF7EA9}.exe	40
PID 2520 wrote to memory of 2240	2520	{7CD6347A-57E6-4282-87EF-524EADCF7EA9}.exe	40
PID 2520 wrote to memory of 2240	2520	{7CD6347A-57E6-4282-87EF-524EADCF7EA9}.exe	40
PID 2520 wrote to memory of 2240	2520	{7CD6347A-57E6-4282-87EF-524EADCF7EA9}.exe	40
PID 2520 wrote to memory of 668	2520	{7CD6347A-57E6-4282-87EF-524EADCF7EA9}.exe	41
PID 2520 wrote to memory of 668	2520	{7CD6347A-57E6-4282-87EF-524EADCF7EA9}.exe	41
PID 2520 wrote to memory of 668	2520	{7CD6347A-57E6-4282-87EF-524EADCF7EA9}.exe	41
PID 2520 wrote to memory of 668	2520	{7CD6347A-57E6-4282-87EF-524EADCF7EA9}.exe	41
PID 2240 wrote to memory of 1044	2240	{43A0F979-18EA-43b5-9FB0-6295748F7C39}.exe	42
PID 2240 wrote to memory of 1044	2240	{43A0F979-18EA-43b5-9FB0-6295748F7C39}.exe	42
PID 2240 wrote to memory of 1044	2240	{43A0F979-18EA-43b5-9FB0-6295748F7C39}.exe	42
PID 2240 wrote to memory of 1044	2240	{43A0F979-18EA-43b5-9FB0-6295748F7C39}.exe	42
PID 2240 wrote to memory of 704	2240	{43A0F979-18EA-43b5-9FB0-6295748F7C39}.exe	43
PID 2240 wrote to memory of 704	2240	{43A0F979-18EA-43b5-9FB0-6295748F7C39}.exe	43
PID 2240 wrote to memory of 704	2240	{43A0F979-18EA-43b5-9FB0-6295748F7C39}.exe	43
PID 2240 wrote to memory of 704	2240	{43A0F979-18EA-43b5-9FB0-6295748F7C39}.exe	43
PID 1044 wrote to memory of 1804	1044	{2713DACB-20B9-4506-BD07-B90A8FF38D90}.exe	44
PID 1044 wrote to memory of 1804	1044	{2713DACB-20B9-4506-BD07-B90A8FF38D90}.exe	44
PID 1044 wrote to memory of 1804	1044	{2713DACB-20B9-4506-BD07-B90A8FF38D90}.exe	44
PID 1044 wrote to memory of 1804	1044	{2713DACB-20B9-4506-BD07-B90A8FF38D90}.exe	44
PID 1044 wrote to memory of 580	1044	{2713DACB-20B9-4506-BD07-B90A8FF38D90}.exe	45
PID 1044 wrote to memory of 580	1044	{2713DACB-20B9-4506-BD07-B90A8FF38D90}.exe	45
PID 1044 wrote to memory of 580	1044	{2713DACB-20B9-4506-BD07-B90A8FF38D90}.exe	45
PID 1044 wrote to memory of 580	1044	{2713DACB-20B9-4506-BD07-B90A8FF38D90}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-03-19_47b91a76cea3bac8a066cc7e8ebdd915_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-19_47b91a76cea3bac8a066cc7e8ebdd915_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2108
- C:\Windows\{80B78841-C378-4331-8F47-942EFE3543B0}.exe
  C:\Windows\{80B78841-C378-4331-8F47-942EFE3543B0}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1600
- - C:\Windows\{868AA62B-001D-46f9-A9B9-B5196B019928}.exe
    C:\Windows\{868AA62B-001D-46f9-A9B9-B5196B019928}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2616
  - - C:\Windows\{2A2F4D7A-9146-417e-81B6-7170A64E00DF}.exe
      C:\Windows\{2A2F4D7A-9146-417e-81B6-7170A64E00DF}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2732
    - - C:\Windows\{A46CD030-B1FF-4ad9-9481-9F9281B3D0E9}.exe
        
        C:\Windows\{A46CD030-B1FF-4ad9-9481-9F9281B3D0E9}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2956
      - C:\Windows\{7CD6347A-57E6-4282-87EF-524EADCF7EA9}.exe
        
        C:\Windows\{7CD6347A-57E6-4282-87EF-524EADCF7EA9}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2520
        
        C:\Windows\{43A0F979-18EA-43b5-9FB0-6295748F7C39}.exe
        
        C:\Windows\{43A0F979-18EA-43b5-9FB0-6295748F7C39}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2240
        
        C:\Windows\{2713DACB-20B9-4506-BD07-B90A8FF38D90}.exe
        
        C:\Windows\{2713DACB-20B9-4506-BD07-B90A8FF38D90}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1044
        
        C:\Windows\{16BA13DC-9653-4a06-AF6B-D916D0E61BE5}.exe
        
        C:\Windows\{16BA13DC-9653-4a06-AF6B-D916D0E61BE5}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1804
        
        C:\Windows\{8B2464A8-4F2A-493d-AF09-85E91C30F50B}.exe
        
        C:\Windows\{8B2464A8-4F2A-493d-AF09-85E91C30F50B}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:304
        
        C:\Windows\{69DE9124-96E3-4e48-8748-4BB48429489A}.exe
        
        C:\Windows\{69DE9124-96E3-4e48-8748-4BB48429489A}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2020
        
        C:\Windows\{80CEEAFF-D16F-4998-80EF-9E2EAC573305}.exe
        
        C:\Windows\{80CEEAFF-D16F-4998-80EF-9E2EAC573305}.exe
        12⤵
        Executes dropped EXE
        
        PID:2148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{69DE9~1.EXE > nul
        12⤵
        
        PID:392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8B246~1.EXE > nul
        11⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{16BA1~1.EXE > nul
        10⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2713D~1.EXE > nul
        9⤵
        
        PID:580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{43A0F~1.EXE > nul
        8⤵
        
        PID:704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7CD63~1.EXE > nul
        7⤵
        
        PID:668
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A46CD~1.EXE > nul
        6⤵
        
        PID:2012
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2A2F4~1.EXE > nul
        5⤵
        
        PID:1288
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{868AA~1.EXE > nul
      4⤵
      PID:2456
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{80B78~1.EXE > nul
    3⤵
    PID:2700
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{16BA13DC-9653-4a06-AF6B-D916D0E61BE5}.exe

Filesize
408KB

MD5
468eeb5a3c447c151d2b0d70ba89f18e

SHA1
11957ad446bf814e0af2d7096cd1e6a38d4fa62f

SHA256
ab34c1c64132f26bfc42e39570e11ea6af9929a20aab8bba7cf67c967d25378b

SHA512
d6072323d2170bc28ca715b04f073997352e1853b51ddca82fced7ce170710c2726bba947027fe6c87825a718dc5f8faadf272aa1200aa0c332e1f4598b8bf01

Download Submit
C:\Windows\{2713DACB-20B9-4506-BD07-B90A8FF38D90}.exe

Filesize
408KB

MD5
80b088f740e58f0c87d52a29831afa3a

SHA1
e14153a448fde4cca857d7c72f71d80462cc1573

SHA256
9dd2c5d847e1bdfb3a15efbfdb8439acba7297518f0021d406da82eae5ba2be3

SHA512
41532ab267b278b564474a316f785967c1c26047785cbc449aae6d76ac29c4a4b8bd2cfbcb2c8b950492d23bb0e903b5b87b9e51dfad0afcfd361fd8c02bb0b7

Download Submit
C:\Windows\{2A2F4D7A-9146-417e-81B6-7170A64E00DF}.exe

Filesize
408KB

MD5
6ead8cf626f1964f49edd30980da80a4

SHA1
7ba9ba0ccdf018779fe6da24a03c75fff2899cb0

SHA256
e7a0cb62454f98215d0b8c4d64629c8fd31b5d75fe04d2f57b04694387fecdbb

SHA512
7b65182d947ba22263e172c83e2b7383bbc0eadbda28b0de67c258d512e6a9c9f39df7d9cf7db12209bd11932678bb9efbd3aa332f485a695e98fa96dcf751f9

Download Submit
C:\Windows\{43A0F979-18EA-43b5-9FB0-6295748F7C39}.exe

Filesize
408KB

MD5
44947e9e1cca5f99f85be5f2e9997f82

SHA1
88e23cf1a9669312697e9195aed106055c30c497

SHA256
d6c99c17f951bd871ee1d48d88bbf9bb549b1392225ce7b3e404cf31aa3ff11e

SHA512
74e057eedd255a9d895add17294a77eee64f360b38135a83fbeef0b20f4c6910bbf6f29fdd2430ead8d0099fe75fe8d74d301f49ae8d526b8ef5758a5ff60b24

Download Submit
C:\Windows\{69DE9124-96E3-4e48-8748-4BB48429489A}.exe

Filesize
408KB

MD5
72f5b198105b877739d1f86b53ab9c1b

SHA1
baabd7d7f97a83ddc6d0c5c3d34b1dfd2e3d7110

SHA256
94f1810e38b76e08c396956909134fba3a4e0f880403c5871829fd545eda8d8e

SHA512
5d3111f7ae7cfb9c15455f0d99607d4ec3864141911768f5250f97bdb688175b42a0d9b97aff6e401cd04c704708e4c91e7667926b7f5c222f12250c11b2775e

Download Submit
C:\Windows\{7CD6347A-57E6-4282-87EF-524EADCF7EA9}.exe

Filesize
408KB

MD5
095b6eee9a0f9f0e463e245a2fb601a4

SHA1
e681bfe1e69e4427128261fa2c1341441efb4393

SHA256
632fef5b5b5ede05bc5b427cd22607771ab5dc8f52cd5b7fec4fbb084f2ecbc1

SHA512
e6f5cca8858821d7d653fd4f3ff4e294f3fec67ad360b95495874931299823b99e639c98df8f58d52d450c7a0ae84b39c514368a157fd008c1cea59be821c075

Download Submit
C:\Windows\{80B78841-C378-4331-8F47-942EFE3543B0}.exe

Filesize
408KB

MD5
b971363d39eaa240179cfcf1e3952d67

SHA1
07ffcbe8697ed04653f37ad2f741eb5903d4a0ca

SHA256
736d0869d1e325f20d350e7dfbba6580cf32ba293a51aac9d9c192a584a4d4ec

SHA512
b281562b90e914a6fb0ebd4cca5c4f587544b0e5ebf8beafae7b1c7ddb10f6077afcff51488ca5a6daeefb95ce67c64a5014319011419d65419737584f8252b0

Download Submit
C:\Windows\{80CEEAFF-D16F-4998-80EF-9E2EAC573305}.exe

Filesize
408KB

MD5
9235a36ab034f842bfee852efb220072

SHA1
2a1d5f569b3e86a744961c5e4c2afc872a69ae9a

SHA256
d43b44ce8a32398eb317c17e05dd0d7729840ae1ac2c57035a4cf51497a10aaf

SHA512
a544b88836fd56107a8d35888248dcf30ad5db3a5d75384e787c35a9ab913f94117773f0639da2a178bdb1176e74226f0e2b7f537f12eaa1ee2faf7d65f07f80

Download Submit
C:\Windows\{868AA62B-001D-46f9-A9B9-B5196B019928}.exe

Filesize
408KB

MD5
185334f461928073b32bf03550de492f

SHA1
c9a68ea6845cb0d9f20c507d5b70ab4ac9c244a5

SHA256
7d643014c0be2a534ab16e0fc5e6818499ca7faee3aab199ebd166d624ec9206

SHA512
528b5f10b38aa78c502d13f50cc4944fe47c8d4aa7d1660238479a62a924ccefbff763c84db75eb9c4eb772d87510ad1fe81158f8fdf7f8dc383383b1d211846

Download Submit
C:\Windows\{8B2464A8-4F2A-493d-AF09-85E91C30F50B}.exe

Filesize
408KB

MD5
aa5812828f0b8823c59c40f8213bd60a

SHA1
011e7e1325d51f3d1b3d873a187f4461c44dd01a

SHA256
f245ec3e8280b5601932e25d27d219bc190ea38ec38bbe551c6e9b5d6abba1a6

SHA512
33923125cecba407d160d818daa7ee0e2da779771bddc72df74b37f753f4da08179b5a9153a679444c94a0535706ef1d1d02d94aaa0b4e749c5eccf180d8d65f

Download Submit
C:\Windows\{A46CD030-B1FF-4ad9-9481-9F9281B3D0E9}.exe

Filesize
408KB

MD5
df383996cceb60a3f5af26e250dfa4e1

SHA1
4637c21110312f564d850a1e69a73a34e57193df

SHA256
fa87194b98c96455dc78f1c738404a090ff1d5fd5e9a5ee851a1e4b0cbe908aa

SHA512
92057dad752d19b43d7308d62461d9b876071fe9acd05b175ad10435eefa65b2b5cb7aadb220f2da75f779277d6c7ddc84a1cb00ef0e9a4845f083737e26cf94

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads